Firewall rules client certificate authentication


I have the rule below configured so that I can enforce client certificate authentication against some of my hosts. Up until a few weeks ago, this rule was working flawlessly. Now, with the rule as below, my connections get blocked unless they are from whitelisted IPs (IP-address-1 and IP-address-2). I’m testing from multiple clients, all with the appropriate client cert installed. Cloudflare definitely requests the certificate from the client.

If I toggle the client cert to “On”, it sometimes seems to start working again for a little while. However, it always reverts to not working again.

`( in {"proxied-hostname" "proxied-hostname" "proxied-hostname"} and not cf.tls_client_auth.cert_verified and not ip.src in {IP-address-1 IP-address-2})`

The action for the above rule is “Block”.


Did you mean the IP whitelisting is not working or the client certificate request is not working?

Hi there @FlippityFloppity,

Just PM'd you. A HAR file demonstrating the issue may help us get a better idea of what is going on here. Send that back to me in the PM for further analysis.
