Cloudflare WAF + Cloudflare Zero Trust - WARP+ Clients

Hi - I’ve setup several applications published via Zero Trust with relevant Auth in place etc.
All working well. eg. app1.domain.com → requires auth. Redirects to domain.cloudflareaccess.com for auth and then onto app.

On the WAF side - I’ve set up geo-blocking, eg. app1.domain.com only accessible from some countries else block.
All working well.

WAF rules take priority and those accessing from outside an allowed country will see the blocked message.

For those coming in via WARP+ using it within a blocked country - is there anyway to tell the WAF to allow this? WARP+ connects to the closest node and that could be outside an allowed country IP range and so trying to access an app is in-turn blocked.

Any way to resolve this?

Thanks

If you setup geo-location rules they don’t apply for the nodes but the users behind them.

If you’re using WARP and you visit a website that’s proxied by CF, the website gets your real IP, not the IP of the node you’re connected to.

Thanks for clarifying this.

If you setup geo-location rules they don’t apply for the nodes but the users behind them.
This means that the WAF will still block them as they could in from an IP in a country thats not allowed.
Any way of allowing this passed the WAF given they are connected to WARP+ ? They’ll still get auth via Zero Trust.

I haven’t seen any WAF rules for Zero Trust WARP users.
The only way I tried that is by running a cloudflared tunnel with the real origin IP added to that tunnel, also adding the hostname to the domain fallback, and running a DNS to point the hostname to the origin IP without routing it through CF. That way, normal users go through CF, your team members go through the tunnel. The tunnel server must be whitelisted at the origin server.

1 Like

Thanks, This means needing to run seperate DNS. Not ideal but will give it a go. Thanks for the pointer.

Figured this out by the way. If you have device posture enabled - Warp becomes a condition for published apps. Meaning it a simple rule in Zero Trust can be setup to allow them if connected.

No need WAF rules.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.