Exclude Zero Trust Go client requests from firewall rules

Scenarios:

  1. Employees have a higher threat score due to their IP. Employees can’t log in to any of our protected zones because the cloudflared request is challenged by Cloudflare.
  2. Firewall rules used to mitigate DDoS attacks conflict with the requests made by the Go Client library during authentication.

We have faced (2) in the past; however, today, I woke up to an employee who couldn’t access their remote work environment due to their IP having a higher threat score (dynamic IPs).

Ultimately we can create a firewall rule bypass based on the Host (if it’s from an access zone) and user agent; however, it would be ideal if this was handled by Cloudflare natively IMHO since it would save time and a firewall rule.

Add one more: the Go client might also create a low bot score which can affect their connectivity if the domain has bot management enabled with a firewall rule targeting low bot scores.

1 Like