I’ve been using Cloudflare’s Access for a couple weeks now. My website was being visited daily by a bot requesting certain URLs. The bot was being blocked by a Firewall rule targeting a specific User Agent. As soon as I created an Access rule that included (among others) the URLs this bot was probing, the visits stopped, so I thought Access was doing its job before Firewall.
However, today another bot managed to be blocked by Cloudflare’s Firewall (because of another User-Agent rule) while requesting URLs that also fell within the Access rule I mentioned above.
Which of course left me confused. Did Access failed to stop the bot and request authentication? Or is the Firewall rule supposed to act first? Or it doesn’t matter?
EDIT: Since topic is closed for replies, I’m posting the answer given by CF support:
…the IP firewall rules run before the Access policies, so if you have firewall block/challenge rule will still challenge a client, however a whitelist rule should not bypass Access authentication.