Firewall Rule Field for Access Authenticated

We have a couple of applications secured with Cloudflare Access. We love it!

Sometimes our users trigger a WAF rule. We have a small group of users (13) and they don’t enjoy completing a CAPTCHA.

Should I create a Firewall Rule to Bypass all requests to the application subdomain?

Or, could I request a new feature? Adding an “Access Authenticated” field to the Firewall Rules might be beneficial.

Thanks!

The risk here, if we did build that feature is that it assumes internal user’s behavior should be trusted. Insider threats are a serious risk and allowing them to potentially bypass WAF rules is a potential risk.

We are looking at using Access authenticated and/or Teams Managed Device status as a signal for potential ‘lists’ for use in the firewall and other portions of Cloudflare but I personally have a lot of angst about the idea I should trust my internal users.

1 Like

Thank you for the response and I agree that it isn’t a great solution. Right now I have a rule like the one below because I couldn’t think of any other way. I’d rather not use “Allow” or “Bypass” actions.

(http.host eq "app.example.com" and http.request.method eq "POST" and ip.geoip.asnum in {1 2})

We’re using an Argo Tunnel and Cloudflare Access to restrict access to this app.