Firewall ASN Whitelist Rule in Country Rule

Does Cloudflare firewall ASN or IP whitelist rule supersede Country block rule?

Hi @alisoncf,

  1. If you create a Whitelist for ASN/IP at Firewall > Tools > IP Access Rules, yes.

  2. If you create a Firewall Rule with the Allow action AND the rule is placed with a higher priority (before the country block Firewall Rule), the IP will be allowed in before any other Firewall Rule is triggered.

  3. If the Firewall Rule with Allow comes after the country block rule, no.

My understanding is that if you block a country using IP Access Rules, your only option would be the number 1 above.

And of course if you are blocking a country or countries using a Firewall Rule, you can always add to the rule itself the negation to the group of IPs for which you want the rule not to apply.

(ip.geoip.country in {"FR" "DE" "VG"} and not ip.geoip.asnum in {12345 12346 12347} and not ip.src in {111.111.111.111 112.112.112.112}) etc etc

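To make the ordering point above concrete, here is an added example (not from the thread or from Cloudflare) that models first-match evaluation of a rule list: the same allow and block rules give different results depending on which comes first, and the single rule with the negation folded in behaves like "allow first". The rule predicates, countries, ASNs and IPs are constructed stand-ins for the real expression language.

```python
# Added example (not from the thread): a toy model of Firewall Rules evaluated
# in priority order, first match wins. Expressions are Python predicates over a
# request's country, ASN and source IP; all values below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Request = Dict[str, object]          # {"country": "FR", "asn": 12345, "src": "..."}

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    matches: Callable[[Request], bool]

def evaluate(rules: List[Rule], req: Request) -> Optional[str]:
    """Return the action of the first matching rule, or None if nothing matched."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return None

# Constructed sample sets mirroring the thread's expression.
BLOCKED_COUNTRIES = {"FR", "DE", "VG"}
ALLOWED_ASNS = {12345, 12346, 12347}
ALLOWED_IPS = {"111.111.111.111", "112.112.112.112"}

country_block = Rule("block countries", "block",
                     lambda r: r["country"] in BLOCKED_COUNTRIES)
asn_allow = Rule("allow partner ASNs/IPs", "allow",
                 lambda r: r["asn"] in ALLOWED_ASNS or r["src"] in ALLOWED_IPS)
# One rule with the negation inside it, as in the thread's example expression.
combined_block = Rule("block countries except partners", "block",
                      lambda r: r["country"] in BLOCKED_COUNTRIES
                      and r["asn"] not in ALLOWED_ASNS
                      and r["src"] not in ALLOWED_IPS)

def outcome(order: str, req: Request) -> Optional[str]:
    """order: 'allow_first', 'block_first' or 'combined'."""
    chains = {
        "allow_first": [asn_allow, country_block],   # allow has higher priority
        "block_first": [country_block, asn_allow],   # block is evaluated first
        "combined": [combined_block],
    }
    return evaluate(chains[order], req)

if __name__ == "__main__":
    partner = {"country": "FR", "asn": 12345, "src": "203.0.113.10"}
    for order in ("allow_first", "block_first", "combined"):
        print(order, "->", outcome(order, partner))
```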

Hi @cbrandt

These 2 rules were created separately via API.
The block rule was added after the whitelist rule and blocked the whitelist traffic.

I deleted the whitelist rule and re-added it, and as we speak, the whitelist is going over the block rule and allowing that traffic.

For some reason I didn’t realize that API rules set the priority based on added date/time.

Thank you for the detailed and quick reply.

