CodeWallDocs
How-to Guides

Configure Server Access

How to allowlist CodeWall's infrastructure so it can reach your targets.

If your target is behind a firewall, WAF, or IP allowlist, you'll need to grant CodeWall access.

Allowlist before testing

For complete and accurate results, configure your firewall and WAF before launching a test. If CodeWall's traffic is blocked, the test will still run but may produce fewer findings and take significantly longer.

CodeWall IP ranges

CodeWall's testing infrastructure operates from the following IP ranges:

# IPv4
185.X.X.X/24
185.X.X.X/24

# IPv6
2a06:XXXX::/48

Contact support@codewall.ai for the current IP list.

Firewall configuration

Add CodeWall's IP ranges to your firewall allowlist:

AWS Security Groups

  1. Navigate to EC2 > Security Groups
  2. Select the security group for your target
  3. Add inbound rules allowing traffic from CodeWall's IPs on the relevant ports (typically 80, 443)

Cloudflare

  1. Go to Security > WAF > Tools
  2. Create an IP Access Rule for CodeWall's ranges with action Allow

Other providers

Add CodeWall's IPs to your provider's allowlist. The specifics vary — consult your provider's documentation.

WAF considerations

Web Application Firewalls may block CodeWall's testing traffic. Options:

  1. Allowlist CodeWall's IPs in your WAF rules — recommended for production testing
  2. Disable WAF for the test account's traffic (if possible) — provides the most complete results
  3. Leave WAF active — CodeWall will test against the WAF, which is realistic but may reduce finding count

Impact of WAF blocking test traffic

When a WAF actively blocks CodeWall's testing traffic:

  • Reduced finding count — exploit payloads are blocked before reaching the application, so vulnerabilities behind the WAF may not be discovered
  • Slower scans — rate limiting and request blocking cause retries and longer test duration
  • Incomplete coverage — entire attack classes (e.g. SQL injection, XSS) may be untested if the WAF blocks those payload patterns

CodeWall detects WAFs during reconnaissance and will display a warning on the test detail page if one is found.

Rate limiting

If your application has rate limiting:

  • Allowlist CodeWall's IPs from rate limits, or
  • Configure a higher rate limit threshold for testing IPs
  • If you can't adjust rate limits, CodeWall will automatically pace requests, but testing will take longer

DNS and hosts

If your target uses a private DNS or is accessible via a specific hostname:

  • Ensure the hostname resolves to a publicly accessible IP, or
  • Contact support to configure custom DNS resolution for your test

Verifying access

After configuring access, verify that CodeWall can reach your target:

  1. Create a new test with your target URL
  2. CodeWall runs a pre-flight connectivity check before starting
  3. If the check fails, review the error message and adjust your configuration

Provide Target Context

How to supply additional context to improve CodeWall's testing coverage and accuracy.

Set Execution Options

Configure pentest mode, scheduling, stop conditions, compliance, and AI guidance.

On this page

CodeWall IP rangesFirewall configurationAWS Security GroupsCloudflareOther providersWAF considerationsImpact of WAF blocking test trafficRate limitingDNS and hostsVerifying access