Block HTTPS traffic to external without host header

You can allow/block specific networks by using site-path routing in WAF.

Scott_Klassen I don't see where I can specify to reject traffic without host headers in WAF settings. Can you point me in the right direction?

9.3X added access control to Site Path Routing:

Access control: If selected, you can allow or block specific client networks for the Virtual
Webserver. Clients only get access when their IPs are listed in the Allowed networks list.
IPs in the Denied networks list will be blocked. If both lists are empty no one will be able to
connect to the Virtual Webserver. If you want to block only specific networks, allow Any
and select or add Denied networks. If you want to allow specific networks only, you need
to select or add Allowed networks and leave Denied networks empty.

The other method would be a blackhole DNAT. It's exactly the same as a regular DNAT, with two differences. "For traffic from", place a host definition for a single IP to be blocked or a network definition for a netblock. "Change the destination to", put a host definition for an address that does NOT exist on your network. If your network is 192.168.2.0/24, use 192.168.3.1, as an example. As the host doesn't exist, the traffic will go down a "blackhole". :)