Firewall Rule - JavaScript Challenge Except CA and US

Hi there,

I have been using Cloudflare for a while but my firewall rules never seem to work as intended.

Currently I have a firewall rule that states:
if (not ip.geoip.country in {"CA" "US"}) or (not cf.client.bot)
then -> JS Challenge

But it is still randomly challenging traffic from US and CA. Any idea how I should fix it?

Thanks a lot.

Hi,

When these random US/CA JS challenges happen, you should be able to see them in the Firewall > Events log. On a log row, if you click on “Details” you should be able to see which filter or rule was applied. If this was your own rule, then you should open a support ticket to let them know about this issue.

There may be other threat control mechanisms at play here, though. What Security Level do you have set at Firewall > Settings? Also, even a website on the free plan is protected by WAF, but if this is your case a rule number would appear on the Details tab I mentioned earlier.

1 Like

If you’re challenging all visitors not in the US/CA or all traffic that is not bots then I’d expect you’re affecting a whole lot of traffic! Are you sure that’s what you want? Presently I see this rule as challenging everyone (bots or not) outside US/CA, and challenging everyone inside US/CA except for bots (e.g. Google OK, challenge average Joe).

3 Likes

Thanks for the reply.

Reviewing the event log, I found that it is the CA IP that usually gets blocked with the same filter ID as the allows for US IP.

Also, the security is on medium.

Thanks for the reply.

My main visitors are in these two countries so it is easier to challenge everyone else.

Can you help me figure out how to set it up properly?

I want to allow known bots from everywhere, and challenge visitors outside of US and CA. Users inside of US and CA should not be challenged without other reason.

Thank you

I want to allow known bots from everywhere, and challenge visitors outside of US and CA. Users inside of US and CA should not be challenged without other reason.

OK so if you are wanting to allow known bots from everywhere, that’ll be default behaviour unless you specify a rule otherwise - no need to complicate things by tying ourselves in knots with overly complicated logic … Effectively your rule is then just “challenge non-US/CA visitors who aren’t bots”.

So just go with:

if not ip.geoip.country in {"CA" "US"} and not cf.client.bot
then
JS Challenge

EDIT: Whoops, changed that rule a little, sorry about that!

2 Likes
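
The difference between the two rules in this thread, as an added example that is not part of the original posts: the Python below models each expression as a predicate and enumerates which visitor classes get the JS challenge. The function names and the sample country "DE" are assumptions made for the illustration, and the model covers only the boolean logic, not Cloudflare's own evaluation.

```python
from itertools import product

ALLOWED = {"CA", "US"}

def original_rule(country, known_bot):
    # Models: (not ip.geoip.country in {"CA" "US"}) or (not cf.client.bot)
    return (country not in ALLOWED) or (not known_bot)

def corrected_rule(country, known_bot):
    # Models: not ip.geoip.country in {"CA" "US"} and not cf.client.bot
    return (country not in ALLOWED) and (not known_bot)

# Constructed sample: the two allowed countries plus one arbitrary
# out-of-region country ("DE" is a stand-in, not taken from the thread).
COUNTRIES = ["US", "CA", "DE"]

def challenged(rule):
    """Return the set of (country, known_bot) cases the rule would challenge."""
    return {
        (country, bot)
        for country, bot in product(COUNTRIES, [True, False])
        if rule(country, bot)
    }

def over_challenged():
    """Cases the OR rule challenges that the AND rule lets through."""
    return challenged(original_rule) - challenged(corrected_rule)

if __name__ == "__main__":
    print(f"{'country':<8}{'known bot':<11}{'OR rule':<12}{'AND rule'}")
    for country, bot in product(COUNTRIES, [True, False]):
        before = "challenge" if original_rule(country, bot) else "pass"
        after = "challenge" if corrected_rule(country, bot) else "pass"
        print(f"{country:<8}{str(bot):<11}{before:<12}{after}")
    print("Only challenged by the OR rule:", sorted(over_challenged()))
```

With the OR form, every non-bot visitor is challenged regardless of country, and known bots outside US/CA are challenged too; the AND form challenges only non-bot visitors outside US/CA.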

Thanks!

Heh, seeing your reply made me come back here and I saw I dun goofed, check my edit. Should be good now! Cheers.

2 Likes
