Challenge Passage for WAF

Based on https://support.cloudflare.com/hc/en-us/articles/200170136
it seems that Challenge Passage (cookie-based duration until next challenge) does not apply to Web Application Firewall. Is this only for “Web Application Firewall” or also for “Cloudflare Managed Ruleset” and “Package: OWASP ModSecurity Core Rule Set” ?

And is there a way to bypass the WAF for users that have correctly answered the captcha recently?

One of our users had this to say about his experience posting on our forum:

Sometimes I respond to new post notification on a different device with a browser VPN, and am asked for CAPTCHA verification. Sometimes it behaves more as a “Kafka verification”, with every use of the [Preview] button resulting in a new verification request, and the post disappearing into the ether with the use of the [Submit] button. Is this a problem with my browser (Opera Version:81.0.4196.60), with the CAPTCHA service, or with ANN’s setup?

This page https://support.cloudflare.com/hc/en-us/articles/200172016
has a section about troubleshooting WAF false positives, but it’s of limited usefulness since the Activity Log does not even have a way to find false positive events (requests where a challenge was displayed and successfully answered). So the only option left is to disable the WAF entirely… :-/

Based on this I would like to request that

  1. WAF support Challenge Passage.
  2. Activity Log can filter by “passed challenge” or “failed challenge”.

Thank you.

I believe the only option to bypass that is by setting the events to log. I wish we could control that from Firewall rules; it seems like a major inconvenience having to disable the whole thing just for a few exceptions.

Ideally, Log events should be monitored by the SOC. However, it’s unlikely that any non-enterprise customer has that.


I believe something like this would be the best option. Bypass should change the action to Log to prevent any potential threat from being ignored.

1 Like

But that logs both true and false positives, with no way to distinguish them. How do you know which logged events were really threats and which can be safely ignored? Manually examine each event and somehow guess?

Yeah, this is called noise and alert fatigue; you need a team to inspect all of them to determine events worth diving into and false positives.

Usually, you would export the “Log” logs to an external platform where the team can easily visualize the information and discard false positives.
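As an added example (not code from this thread or from Cloudflare), the following Python script shows the kind of first-pass triage a small team can run over an exported firewall event log: a per-rule action summary, plus a detector for the “challenge loop” symptom described above, where one client is challenged over and over within a few minutes. The field names (Datetime, ClientIP, Action, RuleID, ClientRequestPath), the action values and the rule ids are assumptions or constructed placeholders; map them to whatever your export actually contains.

```python
"""Triage helper for an exported Cloudflare-style firewall event log.

Added example; not Cloudflare's code and not from the forum thread.
Field names, action values and rule ids are assumed/constructed and must be
adapted to the real export format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real traffic). The first client is challenged
# three times in ninety seconds, the pattern a user reports as "every Preview
# click asks for a new CAPTCHA".
SAMPLE_EVENTS = [
    {"Datetime": "2021-11-01T10:00:00Z", "ClientIP": "198.51.100.7",
     "Action": "challenge", "RuleID": "ruleA", "ClientRequestPath": "/forum/preview"},
    {"Datetime": "2021-11-01T10:00:45Z", "ClientIP": "198.51.100.7",
     "Action": "challenge", "RuleID": "ruleA", "ClientRequestPath": "/forum/preview"},
    {"Datetime": "2021-11-01T10:01:30Z", "ClientIP": "198.51.100.7",
     "Action": "challenge", "RuleID": "ruleA", "ClientRequestPath": "/forum/submit"},
    {"Datetime": "2021-11-01T10:05:00Z", "ClientIP": "203.0.113.9",
     "Action": "challenge", "RuleID": "ruleB", "ClientRequestPath": "/forum/preview"},
    {"Datetime": "2021-11-01T11:00:00Z", "ClientIP": "192.0.2.44",
     "Action": "log", "RuleID": "ruleA", "ClientRequestPath": "/wp-login.php"},
    {"Datetime": "2021-11-01T11:00:02Z", "ClientIP": "192.0.2.44",
     "Action": "log", "RuleID": "ruleA", "ClientRequestPath": "/wp-login.php"},
]

# Assumed action names for the challenge variants; adjust to the export.
CHALLENGE_ACTIONS = {"challenge", "jschallenge", "managed_challenge"}


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample export."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def summarize_by_rule(events):
    """Count actions per rule id: the first view when hunting a noisy rule.

    Returns {rule_id: {action: count}}.
    """
    counts = defaultdict(Counter)
    for e in events:
        counts[e["RuleID"]][e["Action"]] += 1
    return {rule: dict(c) for rule, c in counts.items()}


def find_challenge_loops(events, min_challenges=3, window=timedelta(minutes=5)):
    """Flag clients challenged at least min_challenges times within window.

    The export does not say whether a challenge was passed or failed. What is
    observable is a burst of challenge events from one client: the symptom of a
    challenge loop (clearance cookie not retained, or repeated failures) and the
    first thing to inspect when a user reports a CAPTCHA on every click.

    Returns a list of (client_ip, challenge_count, sorted_paths).
    """
    per_client = defaultdict(list)
    for e in events:
        if e["Action"] in CHALLENGE_ACTIONS:
            per_client[e["ClientIP"]].append(e)

    loops = []
    for ip, evs in per_client.items():
        evs.sort(key=lambda e: parse_time(e["Datetime"]))
        for i in range(len(evs)):
            start = parse_time(evs[i]["Datetime"])
            j = i
            # Extend the window forward from event i while events stay inside it.
            while j < len(evs) and parse_time(evs[j]["Datetime"]) - start <= window:
                j += 1
            if j - i >= min_challenges:
                paths = sorted({e["ClientRequestPath"] for e in evs[i:j]})
                loops.append((ip, j - i, paths))
                break  # one finding per client is enough for triage
    return loops


if __name__ == "__main__":
    for rule, actions in summarize_by_rule(SAMPLE_EVENTS).items():
        print(rule, actions)
    for ip, n, paths in find_challenge_loops(SAMPLE_EVENTS):
        print(f"possible challenge loop: {ip} challenged {n}x on {paths}")
```

On the constructed sample this reports one possible challenge loop for 198.51.100.7 across the preview and submit paths, and leaves the single challenge for 203.0.113.9 alone. Because the log carries no pass/fail field, the loop detector can only point at clients worth a closer look; it cannot settle whether a given challenge was a false positive.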

Unfortunately, even if you export the Activity Log, it still doesn’t have the main information needed: did the user pass or fail the challenge.

2 Likes

Same issue here. The event log is definitely not much use without being able to tell which challenge events were passed and which failed.