Custom Firewall & Page Rules Not working

I’ve created a route for an external webhook service to call (POST) when certain events are triggered (/api/example).

I added 2 firewall rules for this route (Bypass & Allow) as it generally got blocked, yet Cloudflare blocks the requests anyway.

Looking over the logs you can clearly see the requests coming in 3s (Allow, Bypass, then Manged Challenge). So CF allows and bypasses the requests first, and then blocks it claiming “Service Firewall: Managed”, specifically “Bot Fight Mode for Definite Bots”.

I even tried adding a custom Page rule for this route to bypass CF security and WAF altogether. Still getting blocked.

There are 3 different custom rules/exceptions in total, so I’m not sure why CF keeps blocking the requests. Shouldn’t this route be exempt from any security (given Page Rule)? Or am I missing the CF hierarchy of rules vs managed firewalls?

I need to whitelist that route and there’s no static range of IP addresses I can add.

Bot Fight Mode maybe?
Does anything change if you temporary disable it or lower (configure) it a bit (if possible, depending on a plan you are using)?

Also, from the screenshot, it’s the empty user-agent value.

May I ask what is the Page rules order and does this specifically which you have added actually get triggered despite the other ones (before it maybe on the list)?

In terms of Firewall Rules, could be the same question if so.

In case if needed for a bit of help here:

As from above picture, Managed WAF Rules comes the last and this is why the request get’s challenged I believe, despite Allow / Bypass on Firewall Rules.
While, in terms of Page Rules, where you have set to disable security options and WAF, it comes first I believe, and thereafter the Page Rules - could be I am wrong about it.

More about it can be read here:

Have you tried adding your origin host / server IP address to the both IP Access Rules and Firewall Rules with the action Allow? Does anything change?

  • I see Hetzner, so I would suggest adding both IPv4 and IPv6

EDIT: Now I reread, and figured out you stated range and no static IP? And if you allow Hetzner ASN (maybe that would actually be to much IPs as far as Hetzner has got some really annoying crawlers/bots too), or is this just for testing purpose?

How does your Firewall Rule look like? Does it contain /api/that-something with the Allow action (again, is it first, above all the others or)?

It is unclear to me why the Page Rule doesn’t make WAF/security rules redundant since all CF docs point to this idea.

This is what the Allow/Bypass firewall looks like (just a path & POST request type).

Also added the ASN to the whitelist (Tools). Did not do any good other than not even showing up in logs aftewards.

Ok. Managed to whitelist the ASN somehow (maybe it just needed a few minutes). And it worked.

Found another post which says “bot fight” takes priority over any Firewall Rule. So it’s useless to build custom exceptions.

Which is strange because I also found some CF documentation which says you can build exceptions “Exempt API traffic”.

Is the documentation wrong? I assume CF just wants to upsell the Enterprise plan which offers bot rule customization.

But why won’t the Page Rule disable all security measures for that route? It’s literally #1 in the list of rules so it should trigger in any case. Or do Page Rules get invoked only after WAF/Bots Fight?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.