Cloudflare Access + WAF (without tunnel)?

What is the name of the domain?

mytool.example.com

What is the issue you’re encountering?

I’m wanting to understand whether it’s possible to use Cloudflare Access to allow an authenticated user access to a web application, where that web application is otherwise accessible via allowlisted IPs (in Cloudflare WAF).

What steps have you taken to resolve the issue?

Hi, I have an internal web application which is hosted on a subdomain. I currently use a WAF ruleset to allow users to access the application (which has its own auth) via some allowlisted IPs.

If I set up Cloudflare Access with an IdP (such as Okta) and allow users to authenticate, can I then pass this authenticated state to the Cloudflare WAF, so that those users/sessions can bypass the firewall rules and access the application?

Hi @cloudyweather,

Unfortunately, this wouldn’t work as there is no way to pass an authenticated state to the WAF. Do note that if you use Access, the Cloudflare Access login page would block unwanted traffic as unauthenticated users will not be able to access your site.

You can remove the WAF IP rules and manage this all through Access policies / IP Access rules.