Firewall Operator


There all,
Can someone please explain the usage of these Firewall Operators.


does not equal:

is in:

is not in:



The “equal” ones are looking for exact matches or not exactly something. This needs to be precise.
Is In (or not in) are for lists, like Countries: (US FR DE MX).


What is the the firewall operator to block all countries except Ghana. And also permit Google Bots?


NOT Ghana and NOT bots get blocked.


Thanks, it worked. But how I have blocked GTMATRIX, how do I exclude or permit this like the “known bots”?


On Dashboard > Firewall > Tools > IP Access Rules, you can add GTMetrix servers IPs and set them to “whitelist”.

1 Like



How do I get Gtmatrix IPs please? I used the reply IP from ping Gtmarix and did not work.


They appear to list them here:


Have you got that setup working? I am asking, because access and firewall rules are AFAIK still somewhat separate entities and do not affect each other. So whitelisting in an access rules would not necessarily skip a firewall rule. But @alexcf should hopefully be able to shed light here :slight_smile:

1 Like

Why not add: AND UserAgent DoesNotContain GTmetrix to the Firewall Rule?

Yes, someone could spoof that, but I’ve not seen rampant use of that.


I use it with a similiar setup except I’m not blocking, but JS-challenging countries other than (list). So I have a Firewall Rule:

If country not in {US, BR etc}
and not “known bots”

Which stopped GTMetrix until I set the IP rule with a whitelist action.


Thanks for the clarification, the interaction between all the rule engines is still a mystery to me :smile:


You’re not alone in this. :smile: I’m glad I have a couple of testing domains I can use to check things before implementing.

1 Like

The rules are confusing honestly. I whitelisted a dev support IP via tools, and by server resources hit the roof. I blocked her IP, and every became normal. Still cannot understand why.


The security engines are still somewhat work in progress, but AFAIK Cloudflare does plan to consolidate them in the coming months (possibly Q2 or Q3)


I need this help pls, how can I permanently block all kinds of bots from reaching my websites using CloudFlare.
Getting sick of their activities.


Define “all kind of bots”? Also Google for example?

It is difficult to target all bots, you would need a pattern.

1 Like

Here are the “known bots” that are allowed. If you use the rule I posted above, anything else not originating from Ghana will be blocked.

I also posted an exception to let GTmetrix through. If you want to block some of those Known Bots, you’ll need to add to the rule to exclude them. I expect that all the ones on that list respect robots.txt, so that would be another option for letting bots know you don’t want your site crawled.

So, as @sandro suggested, let us know which bots are still hitting your site and we’ll try to help you block them.


Thats a good point, actually. Considering you block everything except for one country you should be already somewhat on the safe side. Assuming there is not a large share of automated traffic coming from that country.

1 Like