The Force portal allows you to create, edit, subscribe to, and unsubscribe from your own whitelists. This feature is intended to help you manage your infrastructure and to maintain connections to third-party systems that you do not control.
It is common for a single IP address to host many websites or services. If one of those websites or services is compromised, that IP address might end up on one of our shunlists. You might be using a legitimate, non-compromised service hosted on that same IP address. By whitelisting that IP, you would continue to have access to the service you need to use. The risk that comes with the whitelist is that our services would no longer protect your network from the compromised portion hosted on that same IP address.
You can whitelist individual IP addresses or ranges of addresses using CIDR notation. Force limits the CIDR range on whitelists to /15 (IPv4)1. This is done because, once whitelisted, our service will be unable to protect you from any IP address in the range you provided. We strongly recommend whitelisting the smallest possible range of addresses to allow your systems and applications to function correctly.
Provider whitelisting
We do not support or recommend whitelists for cloud service or web hosting providers. (E.g. Amazon, Google, Azure.) In addition to hosting their own services, these providers host a variety of systems that they do not directly manage, many of which are in turn managed by intermediaries for other third parties. Any security weakness along this chain can expose risk to your own network.
Risk Analysis
Network availability and threat shunning can come into conflict, requiring trade-offs to be made. If our services were to override your whitelist choices and shun addresses that were flagged as a threat, you might lose access to critical services. You might already be protected from that threat through other aspects of your network policy. Because we do not have full knowledge of your network configuration, we are not in a position to make the choice to override your whitelists. So, we choose to respect your whitelists. This is why we recommend limiting whitelisting only those addresses you deem critical to the functioning of your network.
Footnotes
1. An IPv4 CIDR of /15 contains 131,072 addresses. Each increment halves the number of addresses in the range. /32 is a single IP address.