Firewall rules - specify several conditions, then block

#1

Hi all, I want to specify a country, allow a friendly bot, allow a list of IPs, and allow a URI string, else block. Can I do this all in one rule, or should I break it up? I am considering something like this:

(ip.geoip.country eq "XX" and not cf.client.bot and ip.src ne 111.222.333.444 and ip.src ne 555.666.777.888 and http.request.uri.query ne "kpid=*")
Then block.

TIA

#2

Should that country be blocked or allowed?

And what do you mean by URI string? The query string in the last part of your rule?

#3

That country should be blocked, unless it’s ‘good bots’, or those IPs, or that URI string.

#4

So basically you want to block all requests from one specific country, unless the request is from a recognised crawler, that list of IP addresses, or it contains that particular string in the query string?

#5

Yes, that is correct.

#6

In that case your rule looks all right, though the list of addresses can be shortened to

(not ip.src in {111.222.333.444 555.666.777.888})

Also, keep in mind the asterisk in your query string match will be taken literally. That is not a wildcard in that context, so it really has to be of the form ?kpid=*

3 Likes
#7

Thank you Sandro, for the clarification. I know this is not rocket surgery, but this is my first one.

#8

I actually wanted the asterisk to act as a wildcard, if I use ?kpid=* it would then be a wildcard?

#9

No, if you want a wildcard you could only use contains.

(not http.request.uri.query contains "kpid=")

1 Like
#10

How can I effectively log this? I see ‘log’ under actions, but I am choosing ‘block’. Should I just copy the whole rule, and make its end result ‘log’ instead of ‘block’? Where can I see this log?

#11

Log? Are you on an Enterprise account?

#12

Yes, this is an Enterprise account. I tried duplicating the rules under a different name, then specifying ‘log’ at the end, but it errs with:
“config duplicates an already existing config (Code: 10102)”

#13

“log” wouldn't block. You need to set it to “block” and the firewall log should eventually list blocked requests.

However with an Enterprise account I believe your dedicated support agent might be the best contact in this regard. There might even be some Enterprise-only magic.

1 Like
#14

Right, I was hoping to duplicate the chain with an end result of ‘log’ instead of ‘block’. I will check with the support agent. Thank you for the help, I was thrown into this without enough information.

#15

A blocked request should be automatically logged. But I’d really clarify this via the support agent. With an Enterprise account you’ll be on top of the queue so it shouldn't be long until they get back to you. Enterprise is a sort of unicorn here on the forums :smile:

1 Like
#16

Follow up, considering you are on an Enterprise plan.

In this case you can use regular expressions and the following should substitute the asterisk

not http.request.uri.query matches "kpid=.+"

This will only match requests where the query string does not contain “kpid=” with some mandatory text following. kpid= on its own with nothing following would not match either.

Though in this particular case the earlier mentioned not http.request.uri.query contains "kpid=" should still suffice.

1 Like
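To make the three query-string variants concrete, here is an added Python model of the rule from posts #1, #6, #9 and #16; it is not Cloudflare code or anything the posters wrote, and the country code, allow-listed addresses and request values are constructed placeholders (RFC 5737 documentation addresses stand in for the thread's IPs).

```python
import ipaddress
import re

# Constructed placeholder values standing in for the thread's examples:
# the country to block and the allow-listed source addresses (post #6 form).
BLOCKED_COUNTRY = "XX"
ALLOWED_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.20")}


def query_allows(query: str, mode: str) -> bool:
    """True when the query-string exception applies, i.e. the request is NOT blocked.

    'query' is the value of http.request.uri.query (no leading '?').
    mode picks how the kpid check is written:
      'ne_literal': ... ne "kpid=*"        (post #1; the '*' is a literal character)
      'contains':   ... contains "kpid="   (post #9)
      'regex':      ... matches "kpid=.+"  (post #16, Enterprise-only regex)
    """
    if mode == "ne_literal":
        return query == "kpid=*"          # only an exact "kpid=*" escapes the block
    if mode == "contains":
        return "kpid=" in query           # any occurrence of kpid= escapes the block
    if mode == "regex":
        return re.search(r"kpid=.+", query) is not None  # needs a char after '='
    raise ValueError(f"unknown mode: {mode}")


def should_block(country: str, verified_bot: bool, src_ip: str,
                 query: str, mode: str = "contains") -> bool:
    """Model of the thread's rule: block BLOCKED_COUNTRY unless one exception matches.

    Mirrors (ip.geoip.country eq "XX" and not cf.client.bot
             and not ip.src in {...} and <query condition>) -> block.
    """
    if country != BLOCKED_COUNTRY:
        return False                      # other countries are never touched by this rule
    if verified_bot:                      # cf.client.bot: recognised crawler
        return False
    if ipaddress.ip_address(src_ip) in ALLOWED_IPS:
        return False
    if query_allows(query, mode):
        return False
    return True


if __name__ == "__main__":
    for mode in ("ne_literal", "contains", "regex"):
        for q in ("kpid=123", "kpid=", "kpid=*", "page=2"):
            blocked = should_block("XX", False, "192.0.2.1", q, mode)
            print(f"{mode:10} query={q!r:12} block={blocked}")
```

Running it shows the pitfall from post #6: with the literal `ne "kpid=*"` form, a real request like `kpid=123` is still blocked, while `contains` lets it through and the regex form additionally blocks a bare `kpid=`.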