[BUG] Managed rules (new) still apply when downgrade from PRO to FREE

I was on a PRO plan. I used the WAF Managed Rules (new). I downgraded to the FREE plan. But I still see that these rules are being applied in my WAF, when they shouldn’t. Is this a known BUG? If so, when is it going to be fixed? It has been like this for at least 2-3 months.

Could you share the Ruleset / Rule ID here with us please? :thinking:

May I ask if you’re using Cloudflare Free plan for that domain(s)? :thinking:
If it is the same WAF rule on your Free plan, then the only way to bypass it if it’s Cloudflare’s issue, is as follows from below steps which I write, unfortunately since we cannot exclude specific Managed WAF rules on a Free plan yet.

Currently, there is no way to bypass it or a workaround as for a zone with a Free plan when we inspect for the Firewall Events, it would show “unknown rule id or could not find ruleset” or that a request is being challenged or blocked via “rule XYZ” and no option to add some exception for Managed WAF Rule. For a higher paid plans such as Pro, the WAF has got an option to add an exception or skip that detection.

Last response from Cloudflare support which I’ve got was as follows:

As an update, our engineering team is looking to rollout the WAF for everyone in Q4 this year. This would allow the free tier users to make use of the override feature in our WAF ruleset to bypass the rules.

More about it:

This is expected behavior; security features that are enabled once you purchase a plan are kept even after you downgrade your account.

You don’t see analytics and all that but the feature will remain enabled.

1 Like

Ok, I see - I don’t think that should be the default behaviour to be honest. If the plan has changed, the features associated with that plan should change as well.

that sounds like it would be the standard on any other company but in this case, CF is nice and lets everybody keeps the security features they once had enabled.

If it’s problematic, let me know and I will try to create a support case to have the feature(s) disabled.

There should be an option to disable this with the self-serve platform and without the need of opening a ticket I believe. Just give the user the option to keep it enabled or not.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.