Firewall or Access, which is triggered first?

I’ve been using Cloudflare’s Access for a couple weeks now. My website was being visited daily by a bot requesting certain URLs. The bot was being blocked by a Firewall rule targeting a specific User Agent. As soon as I created an Access rule that included (among others) the URLs this bot was probing, the visits stopped, so I thought Access was doing its job before Firewall.

However, today another bot managed to be blocked by Cloudflare’s Firewall (because of another User-Agent rule) while requesting URLs that also fell within the Access rule I mentioned above.

Which of course left me confused. Did Access fail to stop the bot and request authentication? Or is the Firewall rule supposed to act first? Or does it not matter? :confused:

EDIT: Since the topic is closed for replies, I’m posting the answer given by CF support:

…the IP firewall rules run before the Access policies, so if you have a firewall block/challenge rule, it will still challenge a client; however, an allowlist rule should not bypass Access authentication.
