Blocking Countries Using WAF not working

I am trying to use Cloudflare WAF to block certain countries.

I initially created the following rules:

WP Login - Managed Challenge
https://prnt.sc/9XQyz0YVDW2W

Good Bots - Skip
https://prnt.sc/LEEmoXJwkj1K
https://prnt.sc/L2glm2Z1STkm

Other Bots - Managed Challenge
https://prnt.sc/mfoqUbJqxOKD

Countries - Block
(not ip.geoip.country in {"AU" "IN" "IE" "NZ" "PH" "GB" "US" "CA"})
https://prnt.sc/zs7FAHbeEl8m

I changed my VPN to France and tried the URL … and it wasn’t blocked!

I thought that perhaps it was because the Countries block rule was last, so I changed the order:

Good Bots
Other Bots
Countries
WP Login

Same problem!

I then tried IP Access Rules. However, in the docs (https://developers.cloudflare.com/waf/tools/ip-access-rules/#main), it says “Block by country is only available on the Enterprise plan. Other customers may perform country blocking using firewall rules.”

Any ideas on why blocking by country isn’t working?

Thanks,

John

1 Like

With your VPN on, what do you get for loc when you visit https://www.cloudflare.com/cdn-cgi/trace? That will tell you the country Cloudflare thinks you are in.

2 Likes

Thanks @Cyb3r-Jak3.

loc=FR

So Cloudflare thinks I’m in France!

Any ideas on why my Country Block rule isn’t working?

Thanks again,

John

My only thought would be that your IP address is in the good bot skip rule

Excellent idea @Cyb3r-Jak3!

I disabled the good bot rule. 5 minutes later, I was still able to access the website.

I presume that disabling a rule won’t take more than 5 minutes to take effect…

John

I can’t see a reason why it wouldn’t be working. Maybe another @MVP might have an idea.

2 Likes

Hi,

Your “Good Bots” rule is not only allowing/skipping good bots, but about half the planet.

I’m not sure what the intention of the second block of the rule is. The first block sets as conditions both that it is a Known Bot and that it comes from a set of ASNs, which shouldn’t be necessary, since the verification of a Known Bot already implies that the request comes from the ASN it belongs to.

Perhaps you are trying to limit KB to a smaller set? That could make sense.

The second block lists many IP addresses, some of them belonging to hosting companies, such as Hetzner. If a VPN is based on one of these hosting companies, it would skip all further WAF rule checks. Now if you want to also use the list of IPs to limit the set of KBs, you must repeat the KB operator:

If

Known Bot ON
AND
ASN is in...

OR

Known Bot ON
AND
IP is in...

2 Likes

Thanks for your help @Cyb3r-Jak3!

@cbrandt, I copied that Good Bot rule from someone who has been using it for years. And that is the extent of what I know about it!

What is a recommended rule to allow good bots access and keep the bad ones out?

Thanks,

John

1 Like

I’m sure others will have other opinions on that, but my view is that you should not allow Good Bots. Instead, you should only “not block” them when you create specific rules.

Most Cloudflare features, such as I’m Under Attack and Bot Fight Mode, already exempt Known Bots.

So you shouldn’t be worried about allowing them. Instead, you should keep in mind that when you create a rule to challenge or block requests, you may consider exempting Known Bots.

As for bad bots, if you are under current attack, meaning so many requests per second that they may cause your server to falter, you should enable Bot Fight Mode or Super Bot Fight Mode.

If not, you should focus on what you consider bad behavior, and craft rules to block it no matter whether the visitor is human or bot, good or bad.

In your specific case, your country-list rule could have “AND Known Bots OFF” to make sure good bots based in other countries could still reach your website.

And of course if you agree and remove the Good Bots rule, you should also disable the Other Bots rule, as it would cast too broad a net and challenge pretty much everyone.

1 Like
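The precedence problem in the “Good Bots” rule and the “AND Known Bots OFF” exemption discussed above, as an added illustration that is not part of the thread: a small Python evaluator for an ordered list of custom rules. The request fields, the ASN set and the hosting-provider IP range are constructed stand-ins, not values from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

@dataclass
class Request:
    country: str     # ip.geoip.country
    src: str         # ip.src
    asnum: int       # ip.geoip.asnum
    known_bot: bool  # cf.client.bot

@dataclass
class Rule:
    name: str
    expr: Callable[[Request], bool]
    action: str      # "skip" (remaining custom rules) or "block"

ALLOWED = {"AU", "IN", "IE", "NZ", "PH", "GB", "US", "CA"}
BOT_ASNS = {64500, 64501}                     # constructed private-use ASNs standing in for the ASN list
HOSTER_NETS = [ip_network("203.0.113.0/24")]  # constructed TEST-NET range standing in for a hoster's IPs

def from_hoster(r: Request) -> bool:
    return any(ip_address(r.src) in net for net in HOSTER_NETS)
# "Good Bots" as written in the thread: AND binds tighter than OR, so any request
# from the hoster IP list matches, known bot or not.
def good_bots_as_written(r: Request) -> bool:
    return (r.known_bot and r.asnum in BOT_ASNS) or from_hoster(r)
# cbrandt's version: the Known Bot condition is repeated in both branches.
def good_bots_fixed(r: Request) -> bool:
    return (r.known_bot and r.asnum in BOT_ASNS) or (r.known_bot and from_hoster(r))

def countries(r: Request) -> bool:
    return r.country not in ALLOWED
def countries_exempt_bots(r: Request) -> bool:  # "... and not cf.client.bot"
    return r.country not in ALLOWED and not r.known_bot

def evaluate(rules: list, r: Request) -> str:
    """Rules run in list order and the first match decides; a 'skip' ends
    evaluation, so a later block rule is never reached for that request."""
    for rule in rules:
        if rule.expr(r):
            return f"{rule.action}:{rule.name}"
    return "allow"

ORIGINAL = [Rule("Good Bots", good_bots_as_written, "skip"), Rule("Countries", countries, "block")]
REVISED = [Rule("Good Bots", good_bots_fixed, "skip"), Rule("Countries", countries_exempt_bots, "block")]

VPN_FR = Request("FR", "203.0.113.10", 64999, known_bot=False)  # constructed: French VPN exit in the hoster range
BOT_FR = Request("FR", "198.51.100.7", 64998, known_bot=True)   # constructed: verified bot crawling from France
```

With the original ordering the French VPN request is skipped by “Good Bots” and never reaches the country block, while in the revised set it is blocked and the verified bot from France is still allowed through.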

Thanks @cbrandt

I must have misunderstood something you wrote. I disabled the Other Bots rule and changed the Block Countries rule to:

(not ip.geoip.country in {"AU" "IN" "IE" "NZ" "PH" "GB" "US" "CA"} and not cf.client.bot)

I waited 5 minutes … and the website wasn’t blocked when I set my VPN to France.

Do changes like this take more than 5 minutes to take effect?

John

No.

Check your Security Events to see if the request is being Skipped.

1 Like

No firewall events found matching your filters

How about the Good Bots rule? Did you edit or disable it?

1 Like

@cbrandt both are disabled.

https://prnt.sc/usV4v2727I4M

1 Like

Are the DNS records for your domain/subdomain proxied :orange:?

1 Like

No they aren’t @cbrandt, they are all DNS Only.

FYI, I exported the domain’s DNS zone from cPanel and imported it into Cloudflare.

I have 105 DNS records. I have no idea what should be proxied and what shouldn’t. So I left them all at DNS only.

Do you have some guidance? Or is there an easy-to-understand doc that explains this? Personally, I find the Cloudflare docs I have read very confusing … and not designed for Cloudflare newbies like me!

Thanks very much,

John

1 Like

DNS Only means, well, DNS only: no WAF, no cache, no nothing. The website isn’t proxied by Cloudflare, and all Cloudflare is doing is DNS resolution.

You need to decide, based on your own configuration and needs, whether you want Cloudflare to proxy your website. Some arrangements including third-party SaaS providers may require you to keep some DNS records as DNS Only, but for the rest of us Cloudflare only makes sense if we set the domains to Proxied :orange: .

That’s a whole bunch of records. Typically you’d proxy the A, AAAA, and CNAME records for your naked domain (example.com) and any subdomain (www, staging etc.) pointing to your origin server, while keeping other DNS records (TXT, MX etc.) as DNS Only.

When you proxy your domain, requests will first be sent to Cloudflare and from Cloudflare, if the request isn’t blocked by WAF or cached by Cloudflare, to your origin.

You may want to contact your hosting provider support team for guidance on what you can/should proxy through Cloudflare, if you’re not sure.

The following may help you with understanding how to proceed.

1 Like

Yes, multiple subdomains, test subdomains for me to experiment on, subdomains created by services I am using, etc.

Thanks very much for the suggestions and the links, I will review and be back in touch.

John

3 Likes

I proxied most of the A records. The WAF Block Countries rule now works. However, I can no longer log into wp-admin!

Chrome:

This page isn’t working
domainname redirected you too many times
Try clearing your cookies
ERR_TOO_MANY_REDIRECTS

Clearing cookies didn’t help!

Firefox:

The page isn’t redirecting properly

An error occurred during a connection to domain name

This problem can sometimes be caused by disabling or refusing to accept cookies.

I found the doc ERR_TOO_MANY_REDIRECTS (https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/#encryption-mode-misconfigurations).

It looked to me like an SSL/TLS issue. I verified, and it says: Your SSL/TLS encryption mode is Flexible.

The website has Let’s Encrypt certificates for the primary domain and all subdomains. Should I change that SSL/TLS mode?

Thanks,

John