Cloudflare Managed Ruleset turn on

Hi, question as I tried to find the specifics on how to implement the firewall managed ruleset.

I turn on the specific rulesets for the technologies that I use, but then when I click on the rules that apply to that category, the option stays on default. So, for instance, if there is a ruleset for Cloudflare Flash “Adobe Flash - Rosetta”, when I turn on this ruleset, should each of the rules in this ruleset not be enabled or blocked?

Because the mode of the rules of the specific ruleset does not change when I turn it on or off, and I wonder if I should still manually enable each rule in the ruleset.

Maybe it has been mentioned before, but I could not find it that quickly.
Many thanks,

1 Like

That’s a good question. My Flash group is disabled. Enabling it doesn’t change how the individual rules look in Advanced Mode. They still show as Default Mode, which is Disable. From the Support article, it looks like toggling the Group makes the rules available, but they still have default values. Now I question how effective the groups I’ve toggled actually are. In your example, the two rules in the group are Disabled by default.

@cloonan? Or maybe an @MVP knows.

2 Likes

On the groups I have enabled, the majority still show disabled, but a few show block, or another action, as the default. Maybe they just enable things that definitely won’t break stuff and leave the rest up to the user?

cc @mdemoura

2 Likes

Yeah…but for Flash, it’s just the two rules, and they’re both disabled. So toggling the group ON would essentially do nothing.

On the flip side, if you left the Flash group toggled to OFF, but went to the individual rules and toggled them to Block, would they actually Block?

2 Likes

Hi there, engineer on the Firewall Managed Rules team here.

Enabling a Managed Rules group sets all the action defaults for the rules contained in said group. If a rule is disabled by default, it will stay disabled unless the user changes the action. Additionally, if a group is disabled, all rules in that group get disabled as well.

Example:
Say you have Group A with rules Rule A1 (default block) and Rule A2 (default disabled).
If you enable Group A, only Rule A1 will execute (as Rule A2 is disabled).
If you then change the action of Rule A2 to block, both rules will execute.
If you then disable Group A, no rule will execute (even though they both have action block).

As to why some rules are disabled by default, there are a few reasons:

  • they have been deprecated and replaced by other more effective and efficient rules (see the change log)
  • for some customers, they match on some requests which are not necessarily malicious (customer specific false positives)
  • they are not applicable to all traffic (e.g.: a rule blocking uncommon HTTP methods)

Hope that helps!

5 Likes
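The group and rule interaction described in the reply above, as a small model (an added example, not Cloudflare's code or API; the `Rule` and `Group` classes and the sample rule IDs are hypothetical). It computes the action each rule actually executes and flags overrides that sit in a switched-off group, and groups that are on while every rule in them is disabled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: str
    default: str                    # default mode shipped with the rule
    override: Optional[str] = None  # mode set by the user; None means "Default"

@dataclass
class Group:
    name: str
    enabled: bool
    rules: list

def effective_action(group, rule):
    """A group that is off disables every rule in it; otherwise the
    user's override applies, and the rule's default if there is none."""
    if not group.enabled:
        return "disable"
    return rule.override or rule.default

def audit(groups):
    """Return (effective action per rule ID, list of findings)."""
    actions, findings = {}, []
    for g in groups:
        for r in g.rules:
            actions[r.rule_id] = effective_action(g, r)
            # An override inside a switched-off group never executes.
            if not g.enabled and r.override not in (None, "disable"):
                findings.append(f"{r.rule_id}: override '{r.override}' is inactive, group '{g.name}' is off")
        # A group that is on but whose rules are all disabled does nothing.
        if g.enabled and all(actions[r.rule_id] == "disable" for r in g.rules):
            findings.append(f"{g.name}: group is on but no rule executes")
    return actions, findings

# Constructed sample: Group A follows the example in the reply; other IDs are made up.
SAMPLE = [
    Group("Group A", True, [Rule("A1", "block"), Rule("A2", "disable")]),
    Group("Flash", True, [Rule("F1", "disable"), Rule("F2", "disable")]),
    Group("Group B", False, [Rule("B1", "block", override="challenge")]),
]

if __name__ == "__main__":
    actions, findings = audit(SAMPLE)
    for rule_id, action in actions.items():
        print(rule_id, action)
    for finding in findings:
        print("NOTE:", finding)
```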

That’s extremely helpful. I see a nice feature that lets me know if a rule in a group has been modified. Knowing how things work now, if I see that alert, but the group is OFF, then I’ll know the modification is not active. I toggled my WordPress group to Off to see if the alert would remain.

Thank you, that clarifies,

So, by enabling a ruleset, it will set them as recommended, as some of the rules are updated by other rules etc.

In the case of the Cloudflare Flash ruleset, I suppose I can leave them disabled as per the default setting and not enable any of the 2 rules?

It is not due to other features that are replacing these rulesets, for instance such as “bot fight mode”?

In our case, our website has very high bot traffic, tried to turn on bot fight mode (and obviously updated .htaccess etc etc), but had users complain that some features did not work, so switched off “bot fight mode”.
I went to the FW rules and filtered on “bot” and turned on “challenge” on all “bot” rules in the CF Specials / CF Miscellaneous rulesets (I turned on those rulesets), as most were disabled by default.

Would that be ok, or is that not necessary because they are already superseded by other rules?

Known Bots are the good bots, like Google and Bing crawlers. You probably don’t want to challenge those.

Yes, thanks, I meant in the managed rulesets, I searched for rules with “bot” and you get 22 rules like:

100035 Anomaly:Header:User-Agent - Fake Google Bot Cloudflare Specials Disable

This rule belongs to the “Cloudflare Specials” ruleset, and is disabled by default. I changed it to “challenge”, but I am not sure if this would be ok, as by default (and per recommendation) it is disabled, and I wondered if this rule is superseded or not required anymore.

I found another post, “Cloudflare Managed Special rules are blocking Googlebot”, that actually says that these rules may actually block legitimate SEO traffic…

Now I am not sure if this rule has been corrected, or is actually really blocking legitimate traffic and therefore should be disabled as recommended.

Does someone know?

This topic was automatically closed after 30 days. New replies are no longer allowed.