Firewall Rule Seems to Not Work On Some Requests

Hi,

I have created a simple firewall rule to Javascript Challenge older versions of Chrome.

My rule is (http.user_agent contains "Chrome/" and not http.request.uri.path contains "/static/" and not http.user_agent contains "Chrome/1" and not http.user_agent contains "Chrome/9" and not http.user_agent contains "Chrome/8")

This seems to be working for most requests,…

But I am still seeing requests get through that are not challenged.

The last user agents being:

Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.6306.1020 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.1940.1868 Mobile Safari/537.36

When I change my Chrome user agent manually to this user agent, I am presented with a challenge.

I have checked to make sure these requests are not bypassing Cloudflare, and that is not the case.

How are these IPs getting past the Firewall and making requests to my page that should be firewalled with the above rule?
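As an added illustration (not part of the thread), the following Python evaluates the posted expression literally against the two user agents quoted above, and sets it beside a version-aware variant. The point is that `contains "Chrome/1"` is a substring test: it excludes Chrome/1xx as intended, but also Chrome/10 through Chrome/19, which are old builds the rule meant to challenge. The Chrome/12, Chrome/88 and Chrome/101 user agents, and the `min_major` threshold of 80, are constructed for the example.

```python
import re

# User agents quoted in the post above.
UA_CHROME_44 = ("Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) "
                "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.6306.1020 Mobile Safari/537.36")
UA_CHROME_59 = ("Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) "
                "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.1940.1868 Mobile Safari/537.36")
# Constructed user agents, added to exercise the exclusions.
UA_CHROME_12 = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 "
                "(KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30")
UA_CHROME_88 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36")
UA_CHROME_101 = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36")
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"


def rule_as_written(user_agent: str, path: str) -> bool:
    """Literal translation of the expression in the post: pure substring tests."""
    return (
        "Chrome/" in user_agent
        and "/static/" not in path
        and "Chrome/1" not in user_agent
        and "Chrome/9" not in user_agent
        and "Chrome/8" not in user_agent
    )


CHROME_RE = re.compile(r"Chrome/(\d+)\.")


def chrome_major(user_agent: str):
    """Return the Chrome major version as an int, or None if not a Chrome UA."""
    m = CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def rule_by_version(user_agent: str, path: str, min_major: int = 80) -> bool:
    """Version-aware variant: challenge any Chrome build older than min_major.
    min_major=80 is an assumed threshold chosen to mirror the post's exclusions."""
    if "/static/" in path:
        return False
    major = chrome_major(user_agent)
    return major is not None and major < min_major


def compare(user_agents, path: str = "/"):
    """Map each UA to (literal-rule result, version-rule result) so the two
    evaluations can be diffed side by side."""
    return {ua: (rule_as_written(ua, path), rule_by_version(ua, path)) for ua in user_agents}


if __name__ == "__main__":
    for ua, (literal, by_version) in compare(
        [UA_CHROME_44, UA_CHROME_59, UA_CHROME_12, UA_CHROME_88, UA_CHROME_101, UA_FIREFOX]
    ).items():
        print(f"literal={literal!s:5} version={by_version!s:5}  {ua[-45:]}")
```

Both posted user agents satisfy the literal rule, so the expression itself is not why those requests were unchallenged; the Chrome/12 case is where the two evaluations disagree.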

  • Do you have a sample URL?
  • Any other rules configured?
  • Do these requests show up in the event log?

I don’t have a sample url, but the website is www.infinitesweeps.com

There are many other rules configured and there are no requests shown in the event log.

I went through every rule (I have a few set up to not log) and IP access rule…

This is happening for about 10 percent of the requests, which seem to get through, maybe a little more, from various ISPs.

The last two being:

24.129.72.x
73.31.238.x

Is your server configured to only accept connections from Cloudflare? If not, these might be direct requests.

It is not firewalled to only accept Cloudflare connections, but I log all connections that are direct.

There are no direct connections happening…

There is also another version www.infinitesweeps.ca with a Cloudflare separate account, but there is nothing there either.
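The question of whether the origin is reachable directly comes up repeatedly above. As an added example (not from the thread), here is a small log check in Python: it flags origin hits whose source address is outside the CDN's egress networks, which is what a direct request looks like. The CIDR ranges and the log lines are constructed placeholders using documentation addresses; they are not Cloudflare's real ranges, which should be loaded from the provider's published list rather than embedded.

```python
import ipaddress
import re

# Placeholder egress networks (RFC 5737 documentation space), standing in for the
# CDN's published proxy ranges. Constructed for this example.
PROXY_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed origin access-log lines: source IP, request line, and the value of
# the proxy's forwarded-client header ("-" when the header was absent).
SAMPLE_LOG = """\
198.51.100.7 "GET / HTTP/1.1" 192.0.2.10
203.0.113.9 "GET /static/app.js HTTP/1.1" 192.0.2.55
192.0.2.10 "GET / HTTP/1.1" -
192.0.2.44 "GET /login HTTP/1.1" 192.0.2.99
"""

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\S+)$')


def is_proxy_address(ip: str) -> bool:
    """True when the source address falls inside one of the proxy networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_NETWORKS)


def classify(log_text: str):
    """Return the log entries that did not arrive through the proxy.

    A forwarded-client header on such an entry is untrustworthy: when the
    request never passed through the proxy, the client set that header itself,
    which is why the last sample line is still reported as direct."""
    direct = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        src, request, forwarded = m.groups()
        if not is_proxy_address(src):
            direct.append({"source": src, "request": request, "forwarded_for": forwarded})
    return direct


if __name__ == "__main__":
    for entry in classify(SAMPLE_LOG):
        print(f"direct: {entry['source']:15} {entry['request']}  fwd={entry['forwarded_for']}")
```

Run against a real origin log, the output lists exactly the requests that never saw the proxy's firewall rules; an empty result supports the poster's claim that no direct connections are happening.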

It looks like all of the requests bypassing the javascript challenge have the wording “Mobile” in them.

Are challenges not presented to Mobile users? When I spoofed my user agent with this on Mobile Desktop, I was presented a challenge and denied access for an out-of-date browser.

Unless you have an exception, Cloudflare will apply the rule to all requests.

I just ran a request with the user agent you posted and it got challenged

$ curl -I https://www.infinitesweeps.com/ -H 'User-agent: Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.6306.1020 Mobile Safari/537.36'
HTTP/2 403

If you change the rule’s status, it can take a few seconds until it is working in all datacentres, but apart from that it really probably is a direct request.

Ya, I get it too…

These requests should pick up too. There are lots of them and they are all requesting the same pages - but some seem to miss or have a “pre authorized challenge” and are bypassing having to take the challenge again.

I have that setting turned off to use other websites Challenges, but that’s all I can think of.

If I find something, I’ll post here. But I looked for over an hour and it keeps happening to multiple ISPs, so it can't be a weird rule in my settings.

If they passed the challenge before, they’ll certainly be “pre-authorised” for the period you indicated for your account. Such requests won’t be re-challenged until that has expired.

But generally, the challenge seems to work, unless you have one of the mentioned exceptions.

Not preauthorized by my website. These are new requests…

I was being flooded with cloud IPs and this week I set up good detection using Cloudflare, and now they have shifted to these virus-like out-of-date browsers from ISPs in the USA.

They should be picking up with that challenge rule… Hopefully I can find something.

New request again got through:

IP: 17.241.75.x
agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.6105.1361 Mobile Safari/537.36

Logs = Nothing. Got through no problem.

Is it possible for a browser to bypass the Bot Detection, and then keep bouncing around ips with a proxy ? Would each proxy not have to request the challenge again? I don’t see why they would use such out of date user agents then. That scenario, it should still log. Something is weird I think.

They’ll be either whitelisted by a previous rule or connect directly.

What’s the actual IP address from the last request?

You wrote 17.241

LOL, that must be cloudflare doing that.
107 142 172 15
Hopefully that works?

What do you mean?

The address can be posted

17.241.75.012

Whoa, no. I got something weird back when you posted. Cloudflare must do that for security…

Can you look things up or something? I can Spell It Out.

Or are you saying there is a new request from 107?

Yes,
107 - 142 - 172 - 15
one zero seven dot one four two dot one seven two dot one five :laughing:

All right, can you post a screenshot of https://dash.cloudflare.com/?to=/:account/infinitesweeps.com/security/events&ip=107.142.172.15?