Firewall rules client certificate authentication


I have the rule below configured so that I can enforce client certificate authentication against some of my hosts. Up until a few weeks ago, this rule was working flawlessly. Now, with the rule as below, my connections get blocked unless they are from whitelisted IPs (IP-address-1 and IP-address-2). I’m testing from multiple clients, all with the appropriate client cert installed. Cloudflare definitely requests the certificate from the client.

If I toggle the client cert to “On”, it sometimes seems to start working again for a little while. However, it always reverts to not working again.

( in {"proxied-hostname" "proxied-hostname" "proxied-hostname"} and not cf.tls_client_auth.cert_verified and not ip.src in {IP-address-1 IP-address-2})

The action for the above rule is “Block”.
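To reason about which requests the rule above should block, here is an added example that models its three conditions and evaluates them over a small set of constructed requests. It is not Cloudflare's evaluator and not code from the post; the field name before "in" is missing from the post, so the model assumes it is the request hostname, and the hostnames, IPs and CIDR ranges are constructed stand-ins for "proxied-hostname", IP-address-1 and IP-address-2.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the post's placeholders; ip.src sets in
# Cloudflare expressions may hold CIDR ranges, so the model supports them.
PROTECTED_HOSTS = {"app.example.com", "admin.example.com"}
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]


@dataclass
class Request:
    host: str            # assumed: the hostname field missing from the posted rule
    cert_verified: bool  # cf.tls_client_auth.cert_verified
    ip_src: str          # ip.src


def ip_in_allowlist(ip: str) -> bool:
    """Model of `ip.src in {...}`: true if the address falls in any listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def rule_matches(req: Request) -> bool:
    """True when the rule's expression is true, i.e. when the Block action fires:
    host in {...} and not cert_verified and not ip.src in {...}"""
    return (req.host in PROTECTED_HOSTS
            and not req.cert_verified
            and not ip_in_allowlist(req.ip_src))


def action(req: Request) -> str:
    return "block" if rule_matches(req) else "allow"


def decision_matrix() -> dict:
    """Expected verdicts for the four cases that matter when troubleshooting."""
    cases = {
        "listed host, cert not verified, other ip": Request("app.example.com", False, "192.0.2.5"),
        "listed host, cert verified, other ip": Request("app.example.com", True, "192.0.2.5"),
        "listed host, cert not verified, allowlisted ip": Request("app.example.com", False, "198.51.100.7"),
        "unlisted host, cert not verified, other ip": Request("other.example.com", False, "192.0.2.5"),
    }
    return {name: action(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, verdict in decision_matrix().items():
        print(f"{verdict:5}  {name}")
```

The matrix shows that, for a listed host, a non-allowlisted client can only get through when cert_verified is true, so clients that present the certificate and still get blocked point at that field evaluating false at the edge.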


Did you mean the IP whitelisting is not working or the client certificate request is not working?

Hi there @FlippityFloppity,

Just PM'd you. A HAR file demonstrating the issue may help us get a better idea of what is going on here. Send that back to me in the PM for further analysis.