Country block not working as expected

What is the name of the domain?

What is the issue you’re encountering?

Custom WAF rule Continent does not equal Europe blocking IPs from Germany and UK

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

Set a custom WAF rule with this expression (ip.geoip.continent ne "EU" and not cf.client.bot)

This should block traffic outside of Europe if it is not a known good bot. But if you check my screenshot attached you will see it is blocking traffic from Europe. IPs Cloudflare identifies as from Germany and UK for example are being blocked?

Why is this?

Screenshot of the error


Can you show the detail for one of those requests in the log, by clicking on date, that was blocked when it shouldn’t.

I’m also seeing this happening on multiple accounts/domains. Here’s a recent example: the rule just blocks based on continent not being North America, and IPs belonging to the United States are getting impacted.

Screenshot attached of one of those incorrect blocks.

I’ve just noticed this same issue with a similar rule:

Block all outside EU: (ip.geoip.continent ne "EU")

It seems to randomly be blocking some connections from within the EU, even from the same IP and within the same session.

Is that really incorrect as it’s a VPN?

It’s better blocked than not

That example shown in my screenshot is my client accessing their website. I don’t believe they are using a VPN.

But even if it is, the IP is identified as from the UK, so the rule should let it through anyway.

A&S Recruitment lets me in from the UK - using AS51809 BRSK

And lets me in when using a VPN in UK - using AS39351 31173 Services AB

And lets me in when using a VPN in Switzerland - using AS9009 M247 Europe SRL

And in Germany, Estonia, Cyprus, and Peru - using AS212238 Datacamp in Peru

So looks like two issues - randomly blocking Europe and not blocking out of Europe


Hey folks!

Thanks for raising this. I’ve located the issue, and a fix should be available within the next couple of working days.


I’ve just raised a new issue as I’m now seeing Germany and Netherlands passing a simple “Not in UK then block” rule.
When testing “not in then block” the countries aren’t blocked.
When testing “in then block” the countries get blocked.

Hey @paul32, can you share the rule and URL you’re using?

It was a redirect rule that was just:

I have added some more bits to it now to work around the country identification issues

URL is https://www.ffsystems.co and the redirect rule should redirect anyone outside the UK to a non-existent URL - I have found this to be much more effective than blocking

And now 162.39.56.164 AS7029 WINDSTREAM in Pennsylvania passes the “is in UK” test!!

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.
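
One way to check for the two symptoms reported in this thread (European requests blocked, non-European requests passed) is to compare each logged decision with what the rule expression was meant to do; this is an added example, not code from the thread or from Cloudflare. The record fields (`ip`, `country`, `known_bot`, `action`), the partial country-to-continent table and the sample records are assumptions constructed for illustration, and the `allowed_continent` parameter generalizes the check to the North America rule mentioned above.

```python
# Added example: compare logged WAF decisions with what the rule was meant to do.
# Record fields, the country table and the sample records are all constructed.

# Partial ISO country code -> continent code table (extend before real use).
CONTINENT = {"GB": "EU", "DE": "EU", "NL": "EU", "CH": "EU", "EE": "EU",
             "US": "NA", "PE": "SA"}

def rule_should_block(country, known_bot, allowed_continent="EU"):
    """Intended outcome of (ip.geoip.continent ne "EU" and not cf.client.bot)."""
    continent = CONTINENT.get(country)
    if continent is None:
        return None  # country not in the table: cannot judge this record
    return continent != allowed_continent and not known_bot

def audit(records, allowed_continent="EU"):
    """Return (false_blocks, missed_blocks, unjudged) lists of records."""
    false_blocks, missed_blocks, unjudged = [], [], []
    for rec in records:
        expected = rule_should_block(rec["country"], rec["known_bot"],
                                     allowed_continent)
        blocked = rec["action"] == "block"
        if expected is None:
            unjudged.append(rec)
        elif blocked and not expected:
            false_blocks.append(rec)      # blocked although the rule should pass it
        elif expected and not blocked:
            missed_blocks.append(rec)     # passed although the rule should block it
    return false_blocks, missed_blocks, unjudged

# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE = [
    {"ip": "192.0.2.10", "country": "DE", "known_bot": False, "action": "block"},
    {"ip": "192.0.2.11", "country": "GB", "known_bot": False, "action": "allow"},
    {"ip": "198.51.100.7", "country": "PE", "known_bot": False, "action": "allow"},
    {"ip": "198.51.100.8", "country": "US", "known_bot": True, "action": "allow"},
    {"ip": "203.0.113.5", "country": "US", "known_bot": False, "action": "block"},
    {"ip": "203.0.113.9", "country": "XX", "known_bot": False, "action": "block"},
]

if __name__ == "__main__":
    false_blocks, missed_blocks, unjudged = audit(SAMPLE)
    for label, recs in (("false block", false_blocks),
                        ("missed block", missed_blocks),
                        ("unjudged", unjudged)):
        for rec in recs:
            print(f"{label}: {rec['ip']} country={rec['country']}")
```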