BIC triggering NL IP on firewall rule

I’m from the Netherlands and I have a BIC triggering while I have a firewall rule applied for a managed challenge that doesn’t seem to work on a client domain.

Expression Preview (I cloaked the IPs)
(not in {“NL” “BE”}) or (not ip.src in {xx.1xx.1x.215 xxx.211.xx5.235 xx.xx.xx.150})

I can’t figure out why. It seems that whatever I do, the country is not working. I disabled BIC for the domain and even then it still triggers the BIC.

Are IPs from the Netherlands flagged correctly as NL with CF, and does a managed challenge incorporate a BIC by default?

It’ll tell you what country it has associated to the IP address in the firewall event log when they encounter a challenge.

It says Netherlands, but I still get a BIC, and so do other customers from the Netherlands.

There might be some confusion as to what they’re receiving - BIC is a flat-out block for bad User-Agents, not a challenge page (like the captcha or checking your browser).

Do you see them in the firewall event log?

Don’t forget that Firewall Rules also has an option to Bypass → BIC. You may consider putting a Bypass for those countries and IP addresses above a Managed Challenge rule.


Yes, I see myself in the firewall log (I’m from the Netherlands), as are other Dutch IPs from locals around the shop (local service).

That was the first thing I did, but even with bypassing the BIC, it still shows that integrity check. That’s why I wondered whether Cloudflare has assigned the right IP ranges to NL, and whether the Managed Challenge includes a BIC by default, so that whatever BIC I bypass from the settings has no influence.

Update: I tested “Continent is not in Europe”. This does work; however, to make it valuable I would rather have it as intended, with “Country is not in NL or BE”. But as I wrote, this doesn’t work, since my IP, which is 100% coming from the Netherlands, is flagged as a non-Netherlands IP by Cloudflare, even though the log says Netherlands.

Super weird. Can any CF admin take a look at it?
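
Added example, not part of any post in this thread and not Cloudflare's code: a Python model of the expression shape shown in the Expression Preview, listing which visitors it matches when the two terms are joined with `or` and when they are joined with `and`. It assumes the field missing from the first term is the visitor's country, and it uses constructed documentation-range IPs and visitors because the thread cloaks the real ones.

```python
from ipaddress import ip_address

# Constructed stand-ins: the thread cloaks the real allow-listed IPs.
ALLOWED_COUNTRIES = {"NL", "BE"}
ALLOWED_IPS = {
    ip_address("203.0.113.10"),
    ip_address("203.0.113.20"),
    ip_address("198.51.100.5"),
}


def rule_or(country, src):
    """Shape of the posted expression: (not country in {..}) or (not ip.src in {..})."""
    return (country not in ALLOWED_COUNTRIES) or (ip_address(src) not in ALLOWED_IPS)


def rule_and(country, src):
    """Same two terms joined with 'and': matches only when both tests fail."""
    return (country not in ALLOWED_COUNTRIES) and (ip_address(src) not in ALLOWED_IPS)


# Constructed visitors: (label, country reported for the IP, source IP).
VISITORS = [
    ("listed NL office IP", "NL", "203.0.113.10"),
    ("ordinary NL customer", "NL", "192.0.2.44"),
    ("ordinary BE customer", "BE", "192.0.2.45"),
    ("visitor from elsewhere", "US", "192.0.2.46"),
    ("listed IP geolocated elsewhere", "DE", "198.51.100.5"),
]


def challenged(rule):
    """Return the labels of the visitors the rule matches (and so would act on)."""
    return [label for label, country, src in VISITORS if rule(country, src)]


if __name__ == "__main__":
    for name, rule in (("or", rule_or), ("and", rule_and)):
        print(f"{name:>3}: {challenged(rule)}")
```

By De Morgan's law the `or` form equals `not (country in {..} and ip.src in {..})`, so it skips only visitors who are both in a listed country and on a listed IP.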
