Firewall Rules doesn't bypass other security rules

Firewall Rules has the option to me to create a bypass rule for WAF, but it doesn’t work.

WAF is blocking some POST requests to /wp-json/, which breaks Gutenberg editor. What i need is to bypass requests from users that have a login cookie.

I tried that, but it doesn’t work. Then i thought it might be a cookie issue (maybe CF doesn’t see the cookie?), and i tried bypassing the IP… and it didn’t work either.

So my question is: does this bypass rule even work? Is this a bug?

In this case, that would be the only way for me to fix the problem. I can’t disable the Rule ID, because it is blocking legit attacks. And my employees use dynamic IPs, so i can’t bypass in the Tools tab, either.

In the WordPress managed ruleset, hae you toggled WP0004 to be ON? I believe that’s the default setting. Which Rule ID is blocking this? One from Cloudflare?

The URL being blocked is in /wp-json path – Rule ID 100008A. Since it’s a public URL, i can’t disable the rule. The right way would be to bypass only for specific users (by cookie, for example).

This options are available via Firewall Rules (to bypass WAF by cookie), but it doesn’t work. Even if i bypass by any other criteria: IP, path, etc.

Why is this bypass option available if it doesn’t work? Is this a bug?

Right now the only other options would be:

  • Disable the Rule → can’t do, because it’s a public url and it blocks legit attacks;
  • Disable WAF for the path using a Page Rule → can’t do for the same reason;
  • Bypass the IP in the tools section → doesn’t solve the problem because the IPs are dynamic.

Hi, PM for WAF - thank you for reporting this. This should work unless you are on our new WAF engine, in which case you should see a “WAF Exception” option in the WAF UI to be used instead. Nonetheless, could you please open a ticket with support and send me an email with the support ticket ID (mst at cloudflare com). I will then look into this.

2 Likes

Just sent you the email with the ticket ID. Thanks! :smiley: