Firewall not working (properly)

Based on my experience and recent firewall logs, “IP Access Rules” should take precedence over “Firewall Rules”. That is, if a request matches a blocked ASN or IP address range, it should be blocked right away and not matched against any “firewall rules”. This has changed since about 2 days ago: requests from blocked AS’s that would have been blocked by “IP Access Rules” were now being blocked by “Firewall Rules” (that managed to catch them).

In another zone, which is covered by the same (global) ASN-based “IP Access Rules”, but doesn’t have “Firewall Rules”, I noticed a request from a blocked ASN that was let through. More worryingly, when I created a test “Firewall rule” for this zone, the rule didn’t even work.

Is anyone else having similar issues?

That’s contrary to @alexcf’s confirmation in the following thread. Not that I’m saying you’re wrong. Maybe something really has changed.

Sorry, just configured an IP access rule to block my own ASN and it worked as expected. Same for firewall rules.

Last but not least, I created an access and a firewall rule and it appears the access rule fired first.

2 Likes

Sorry, just configured an IP access rule to block my own ASN and it worked as expected. Same for firewall rules.

This is what my “Firewall Event Log” looks like. Every request you see (except the one that has been completely pixelated) should have been blocked by an ASN-based access rule. (What does an “Unknown” rule ID mean by the way?)


When I made my post I also created a test firewall rule that should’ve blocked myself (ip.geoip.asnum ne 8075). That rule still isn’t working. (There was an IP access rule that whitelisted my own address. See details below.)

I just found out that once an IP access rule whitelists a request, it would override any firewall rules that would’ve blocked it. You can test this using the following procedure.

  1. Using a test zone, create a firewall rule that would block yourself (like ip.geoip.asnum ne 0).
  2. Visit the site and you should get an “Error 1020” page.
  3. Create an IP access rule that whitelists your own IP address.
  4. Visit the site and it should work normally.
1 Like
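The evaluation order this post describes (IP access rules checked before firewall rules, with an access-rule allow short-circuiting any firewall rule that would have blocked) can be turned into a small simulation so the four-step procedure has a predictable expected result to compare against the event log. The following is an added example for this thread, not Cloudflare's own code; it models only the ordering the posts describe, supports just the `ip.geoip.asnum` and `ip.src` fields with `eq`/`ne`, and uses constructed sample addresses and ASNs (203.0.113.x, 198.51.100.x, AS64496).

```python
"""Toy model of the rule precedence described in the thread.

Assumption (from the thread, not from Cloudflare documentation):
IP Access Rules (allow/block by IP, CIDR or ASN) are evaluated before
Firewall Rules, and an access-rule allow stops further evaluation.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    ip: str
    asn: int


@dataclass
class AccessRule:
    """IP Access Rule: target is an IP, a CIDR, or an ASN such as 'AS8075'."""
    target: str
    action: str  # "allow" or "block"

    def matches(self, req: Request) -> bool:
        if self.target.upper().startswith("AS"):
            return req.asn == int(self.target[2:])
        net = ipaddress.ip_network(self.target, strict=False)  # bare IP becomes /32
        return ipaddress.ip_address(req.ip) in net


# Only the tiny subset of the expression language used in the thread.
_EXPR = re.compile(r"^\s*(ip\.geoip\.asnum|ip\.src)\s+(eq|ne)\s+(\S+)\s*$")


@dataclass
class FirewallRule:
    """Firewall Rule with an expression such as 'ip.geoip.asnum ne 8075'."""
    expression: str
    action: str  # "block" or "allow"

    def matches(self, req: Request) -> bool:
        m = _EXPR.match(self.expression)
        if not m:
            raise ValueError(f"unsupported expression: {self.expression!r}")
        field, op, value = m.groups()
        if field == "ip.geoip.asnum":
            left, right = req.asn, int(value)
        else:
            left, right = ipaddress.ip_address(req.ip), ipaddress.ip_address(value)
        return (left == right) if op == "eq" else (left != right)


def evaluate(req, access_rules, firewall_rules):
    """Return (decision, source). Access rules run first, in order; the first
    match wins and, if it is an allow, firewall rules are never consulted."""
    for rule in access_rules:
        if rule.matches(req):
            return rule.action, "access"
    for rule in firewall_rules:
        if rule.matches(req):
            return rule.action, "firewall"
    return "allow", "default"


def reproduce_thread_procedure():
    """Steps 1-4 from the post: block-everyone firewall rule, then an access
    rule whitelisting the tester's own (constructed) address."""
    me = Request(ip="203.0.113.5", asn=64496)          # constructed sample
    fw = [FirewallRule("ip.geoip.asnum ne 0", "block")]  # step 1
    step2 = evaluate(me, [], fw)                         # step 2: expect Error 1020
    acl = [AccessRule("203.0.113.5", "allow")]           # step 3
    step4 = evaluate(me, acl, fw)                        # step 4: expect normal access
    return step2, step4


def blocked_asn_expected_source():
    """A request from an ASN blocked by an access rule should be attributed to
    the access rule, not to a firewall rule that also matches it."""
    req = Request(ip="198.51.100.7", asn=8075)         # constructed sample
    acl = [AccessRule("AS8075", "block")]
    fw = [FirewallRule("ip.geoip.asnum eq 8075", "block")]
    return evaluate(req, acl, fw)


if __name__ == "__main__":
    print(reproduce_thread_procedure())   # (('block', 'firewall'), ('allow', 'access'))
    print(blocked_asn_expected_source())  # ('block', 'access')
```

If the real event log shows a request from a blocked ASN attributed to a firewall rule (or to an "Unknown" rule ID) where this model says `("block", "access")`, the observed behaviour differs from the ordering the thread describes, which is exactly the discrepancy the opening post reports.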

I am afraid I can only repeat what I wrote earlier. I set up two rules and got blocked by the IP access rule, once I removed that rule I still got blocked, this time by the firewall rule though.

As for your second scenario, that seems to be a completely different issue. Right?

Unfortunately I wasn’t able to reproduce it, either. But as you can see, the firewall event log clearly says some of the recent requests were blocked by firewall rules instead of ASN-based IP access rules. Those with an “Unknown” “Rule ID” were also in fact from a blocked AS.

Contacting support might be the best course of action at this point.

Well, could someone from Cloudflare at least tell me what those “Unknowns” mean?

Login to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.

I did. Got a boilerplate/automatic response with grossly irrelevant suggestions. Not sure if I’ll ever get a reply from a human; I’ll see what I can share here if I do.

Post the ticket #. The mods usually check in on unresolved tickets.

I read the automatic response again and it says I had to make another reply to actually “reach a Cloudflare Technical Support Engineer”. If I don’t hear back within a few days I may post the ticket number here.

1 Like

Post the ticket number nonetheless.

1 Like

No. It’s now being handled by a support engineer. I’ll see what I can share publicly when the ticket is closed.

1 Like

I really love these polite responses :roll_eyes:.

Posting that number would have been for a Cloudflare staff member. It's not like I collect them to access your bank account and wire you the $10 million dollars from the Bill Gates foundation you became eligible for.

The only “thanks” in this entire thread is from the link @sdayman posted :roll_eyes:.

Well I certainly appreciate the feedback and suggestions from every participant, and not just in this thread. I understand that my previous response could be interpreted as tactless or rude and for that I’d like to apologize. I don’t see much of a point in disclosing the ticket number here since I’m not having any trouble with the support experience itself. Again, I’ll share anything I deem appropriate when I get a satisfactory answer from support.


Update: There was a defect which Cloudflare has supposedly fixed but refused to elaborate on.

1 Like
