Firewall rule doesn't work properly

Zero Trust Access
1

I have turned on Browser Integrity Check. Pls refer to

Refer1
Refer11035×203 25.7 KB

I have created a firewall rule to bypass this Browser Integrity Check based on user agent string and full URI. Pls refer to

Refer2
Refer21048×462 57.8 KB

I am using Java to call API. From my test, if I don’t add user agent header, I get the follow http 403 which is correct:

java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.xxxxxxx/send/notification/general
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at MarketplacePush.push(MarketplacePush.java:129)
at MarketplacePush.run(MarketplacePush.java:63)
at MarketplacePush.main(MarketplacePush.java:23)

After I added user agent in header, the calling API is successful, even the user agent value isn’t “something.to.protect.10293847”, Example “123” also able to call the API.

Here is my Java code

URL url = new URL(“https://www.xxxxxxxxx/send/notification/general”);

l_httpURLConnection.setRequestProperty(“User-Agent”, “123”);

What’s wrong ? Appreciate for any help !

2

It sounds like without the User Agent, it triggers Browser Integrity Check, but if you put just about anything in the User Agent, it doesn’t trigger Browser Integrity Check.

Then it sounds like Cloudflare sees that the UAS isn’t empty, and it isn’t suspicious, so it lets it through.

This doesn’t sound like a Firewall Rule issue. But if you want to restrict access to that URL, I suggest you change the User Agent check to be a NOT equal, then set an Action to Block.

3

Your suggestion is working

1 Like
4

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.