In the Firewall, Is it possible to allow 1 ip address from a blocked country


I would like to block a complete country from accessing our website, but i would like to allow 1 IP address to access the site.

is it possible to order the firewall settings to allow that IP address first.

From what I understand of their implementation, an IP allow overrides a country block because an IP has a high degree of specificity and a country doesn’t.

In normal firewalls, order matters. For example:


In this example, a request from would be allowed but one from would be blocked.


In this second example, and would be blocked because a matching block rule would be found and applied before the firewall ever sees the Allow.

Unfortunately, the CF firewall doesn’t have this level of verbosity, but I’m willing to bet the back end system does, and they order it logically so allows happen before blocks. That’s how I would structure it. If a CF employee could chime in to confirm or explain the actual logic happening in the CF implementation, that’d be a help.

1 Like

I reread some of the documentation. It’s confirmed.

allowlist: allowlisting a visitor excludes them from all security checks (Browser Integrity Check, I’m Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by security features. Whitelists take precedence over blocks. allowlisting a country code does not prevent the request from bypassing the WAF.


Hope this helps.

Exactly what i was looking for. thanks for confirming it.

Much appreciated!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.