Disable WAF for Cloudflare Access Authorized Zone


I have just now started testing CF Access Restriction on my Origin Server. A few pages
on the Origin are used to administer the site and have one such page has many form
data input elements along with a submit button. When I try to submit this form I am
always presented with a Google Captcha for confirming if I am human.

Now my question, since the zone is already behind CF Access, can we not have an
option to disable WAF only if access authorization is active for the accessing IP address?

I tried all related options like using Bypass to the IP range in CF Access, Adding Firewall
Rules to allow access from predefined range, Adding Allow Rules to the IP Firewall but
still, I get the Captcha.

While I know and understand having a Captcha is good security practice, my client who
wish to administer the site are having their own firewall restricting Google Domain Access
and so the Captcha coming from Goolge is not accessible through to them.

I tried to emulate this at my end using Google oAuth Access Authorization and I am still
getting the Captcha. Is there any way we can disable WAF for the zone if and only if the
IP address accessing the form is authorized by CF Access? There are general page rule
options to disable WAF for any page but no such rule like DISABLE FIREWALL for CF
ACCESS authorized access. I hope my query is clear.

I know, since the zone is behind CF Access anyway, I can simply disable WAF for the
entire zone using Page Rule, but I am not sure if this is the right approach / the only way
we can solve this proble at present. Kindly advice and suggest.


I wish to update that on a trial basis, I tried creating a specific page rule for
these particular form submission pages with Security Level - Essentially Off
but still I get the Captcha? But if I disable Security altogether in Page Rules,
I am able to avoid getting the Captcha. How to avoid having to create a Page
Rule for every such script and then disabling security (I am sure not the best
recomendation any one will suggest) for such scripts!!!

Any pointers will be most appreciated. Can @cloonan give some inputs?

Thank you.

:wave: @ganeshlohia,

If you are on the Business plan or above you can turn just the WAF off for a particular route using page rules:

You could also whitelist the IPs in question if this is a particular script. You can also look at the specific page rules being triggered and consider disabling those or as you are doing now set the level low enough not to trigger the captcha for certain paths using page rules.


It sounds like the entire zone is protected by Access, and you don’t want CAPTCHAs. Correct?

And when you say “Zone,” at Cloudflare, that means the entire domain/subdomains. Is that what you mean? Or is it just that specific area protected by Access?