Firewall rule problem

I have the following firewall rules set:

  1. (http.host contains “followthatpage.com”) or (http.user_agent eq “StatusCake”) or (http.host contains “uptimerobot.com”) ALLOW
  2. (ip.geoip.country ne “US”) CHALLENGE

My understanding is the first rule should allow any useragent containing “StatusCake” regardless of what country to get through. But this does not seem to be the case. Can anyone help me figure out why it is being blocked?

That’s an equal operator - you should use “contains” (contains) operator for this since they most likely include other information about their crawler in the user-agent.

You are right. I was playing with the rules and set wrong by mistake. But OR doesn’t work either

(http.host contains “followthatpage.com”) or (http.user_agent contains “StatusCake”) or (http.host contains “uptimerobot.com”)

My understanding is that the http.host field should be used for a Cloudflare host under your control. Say you have an API for which you don’t want any Firewall Rules to apply, then you could use

(http.host eq "api.example.com") > Allow

Third party hosts sending requests to your zone should be identified by IP, User Agent, ASN (or, to be safer, a mix of them.)

EDIT: Also, uptimerobot is listed by Cloudflare as one of the “known bots”, so you could also use the Known-Bot operator.

Thank you! I will try some combination of those.

Where did you find a list of the known-bots?

Also, I’m not on the Enterprise plan so I don’t have some of the upper tier features if I allow bots is that only the known good bots or all bots?

The list is in that link, I just edited to included the right anchor. It includes bots that are considered “good” bots, such as Gooblebot, Bing, and other search engines and widely used crawlers. You can use the Known Bots operator along with other rules, so that, for instance:

(http.host eq "example.com" and not cf.client.bot)