Can a WAF rule with action "block" also block all subsequent access attempts?

What is the name of the domain?

example.com

What is the issue you’re encountering?

Can a WAF rule with action “block” also block all subsequent access attempts?

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Strict (SSL-Only Origin Pull)

What are the steps to reproduce the issue?

I have a few WAF rules set up that, if conditions are met, trigger a “block” action. My understanding is that this rejects the request and returns a 403 (or something similar) to the user and never touches the origin.

Can I additionally configure WAF rules to be more stateful? I’d like to, either temporarily or permanently, ban the IP, a subnet, or ideally the ASN that made the request. For example, if the WAF blocks a request from AS12345, I’d like to automatically block all future requests from that ASN for 24 hours, regardless of whether those subsequent requests would trigger a WAF rule.

Best I can tell this isn’t doable, but I’m new to Cloudflare. Thanks.

No, the WAF, other than for the counting field in Rate Limiting rules, is stateless, so each individual request is handled by itself.

You can implement your own solution, see here for a similar question…

ASN custom lists need an Enterprise plan, so you’ll either have to dynamically update a custom WAF rule, or use a Worker + Durable object or D1 to store the ASNs.


Thanks. That’s an interesting idea, although I’m not sure it would work in my case. My WAF block rules are generally based on one of these conditions:

  • cf.client.bot is true
  • The user-agent has a wildcard match to specific strings
  • The country is not trusted
  • cf.waf.credential_check.password_leaked is true
  • The requesting ASN is one of several predefined ASNs

Because none of those rules are “request is to a URL or URL pattern”, I’m not sure how I can trigger a worker that would then dynamically update the WAF rule. The WAF rule itself has no option. Any suggestions on how I could configure such an auto-updating worker? Is it possible to trigger a worker based on a WAF action?


Off the top of my head you’d have a Worker that triggers on every request and checks your list of conditions. Better for this use case is probably a Snippet (needs a paid plan) as they are free and you can configure that to trigger with fields like the WAF (and then code for any extras).

Then if needed in Worker/Snippet call the Cloudflare API to update the WAF rule with your ASNs in it. Once in the list that ASN won’t trigger the Worker/Snippet again as it will be blocked by the WAF rule before they run.
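As an added example (not code from this thread, from Cloudflare, or from the poster's setup), here is a Worker sketch of the approach just described: it re-checks the conditions a Worker can observe (ASN, country, User-Agent), records a 24-hour ban for the matching ASN, and rewrites a custom WAF rule's expression through the Rulesets API so the WAF blocks that ASN before the Worker runs again. The env binding names, the zone/ruleset/rule IDs, the update endpoint shape, the in-memory ban table and all sample values are assumptions.

```javascript
const BAN_TTL_MS = 24 * 60 * 60 * 1000;          // ban an ASN for 24 hours
const TRUSTED_COUNTRIES = new Set(["US", "CA"]);   // constructed sample allow-list
const BAD_UA = [/evilbot/i, /python-requests/i];   // constructed sample User-Agent patterns
const STATIC_ASNS = new Set([64496]);              // constructed: ASNs already in the WAF rule
// Mirror of the poster's conditions that a Worker can see (ASN, country, User-Agent).
function banReason(userAgent, cf) {
  if (STATIC_ASNS.has(cf.asn)) return "asn";
  if (!TRUSTED_COUNTRIES.has(cf.country)) return "country";
  if (BAD_UA.some((re) => re.test(userAgent || ""))) return "user-agent";
  return null;
}
// bans: Map<asn, expiry ms>. Prune expired entries, (re)record this ASN, and report
// whether the banned set changed, so the API is only called when the rule must change.
function recordBan(bans, asn, now) {
  let changed = false;
  for (const [a, exp] of bans) if (exp <= now) { bans.delete(a); changed = true; }
  if (!bans.has(asn)) changed = true;
  bans.set(asn, now + BAN_TTL_MS);
  return changed;
}
// Rule expression in Cloudflare's rules language: static ASNs plus current bans.
function buildExpression(bans) {
  const asns = [...new Set([...STATIC_ASNS, ...bans.keys()])].sort((a, b) => a - b);
  return `ip.geoip.asnum in {${asns.join(" ")}}`;
}

// Rewrite the custom rule through the Rulesets API (assumed endpoint and env binding names).
async function updateRule(env, expression, fetchImpl = fetch) {
  const url = `https://api.cloudflare.com/client/v4/zones/${env.ZONE_ID}` +
    `/rulesets/${env.RULESET_ID}/rules/${env.RULE_ID}`;
  const res = await fetchImpl(url, {
    method: "PATCH",
    headers: { Authorization: `Bearer ${env.CF_API_TOKEN}`, "Content-Type": "application/json" },
    body: JSON.stringify({ action: "block", expression, description: "auto-banned ASNs" }),
  });
  return res.ok;
}

const bans = new Map(); // demo only: per-isolate memory; a Durable Object or D1 would persist it

// Worker entry point; a deployed Worker would `export default worker`.
const worker = {
  async fetch(request, env) {
    const reason = banReason(request.headers.get("user-agent"), request.cf || {});
    if (reason === null) return fetch(request); // no match: pass through to the origin
    if (recordBan(bans, request.cf.asn, Date.now())) await updateRule(env, buildExpression(bans));
    return new Response("Forbidden", { status: 403 });
  },
};
```

Once an ASN is in the rule expression the WAF rejects it before the Worker runs, so the Worker only pays the API call on the first offending request from each ASN.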

Thank you. I’m on the free plan, so I’d have to consider an upgrade at some point to do that.

I appreciate the feedback, and this seems to be a pretty commonly requested thing, now that I know how to search for it, as I couldn’t find it before asking my question. Fingers crossed Cloudflare has on their roadmap some rudimentary support for a stateful WAF.
