Inconsistent Firewall Rule Application/Order of Operations

Hello Community,

I understand the application of firewall rules to process Firewall Rules ahead of WAF Rules, yet it appears that there is a race condition between the.

I’ve set up the following rule to ALLOW: (http.request.uri.path eq “/salesforce/webhook_callback.json” and ip.geoip.asnum eq 14340)

The rule seems to be applying correctly about 90% of the time, but perhaps there is a race condition in play because the WAF is tagging these connections the other 10%. The following picture should provide some additional context.

I appreciate any guidance the community might provide.

The Allow action in a Firewall Rule will not bypass CF security features except other Firewall Rules that have a lower priority/position. So it seems that what you are seeing is that only 10% of the requests allowed to bypass other firewall rules are matched by one or more WAF rule.

You can whitelist an ASN (or IP, IP range) at Firewall > Tools > IP Access Rule, but there’s no way to specify a URL with that method, so the whitelisting would apply to any request coming from that ASN.

Allow - Matching requests are allowed to access the site, as long as no other Cloudflare Firewall features block the request, such as IP Firewall or Access Rules

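The ordering described in the reply above, as an added illustrative model (not Cloudflare's code): IP Access Rules run first, Firewall Rules run in priority order and an Allow match only skips the remaining Firewall Rules, and the WAF still evaluates the request afterwards. The rule expression is the one from the question; the blocklisted IP, the second Firewall Rule and the `waf_hit` flag on each request are constructed for the example.

```python
"""Illustrative model of the evaluation order discussed in the thread.

Assumptions (from the reply, not Cloudflare's implementation):
  1. IP Access Rules are checked before Firewall Rules.
  2. Firewall Rules are evaluated in priority order; an Allow match only
     stops evaluation of lower-priority Firewall Rules.
  3. WAF managed rules still run after an Allow, so they can still block.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Request:
    path: str
    asn: int
    ip: str
    waf_hit: bool = False  # constructed: would a WAF managed rule fire on this request?


@dataclass
class FirewallRule:
    description: str
    action: str  # "allow" or "block"
    match: Callable[[Request], bool]


def webhook_allow_expression(req: Request) -> bool:
    """The expression from the question:
    http.request.uri.path eq "/salesforce/webhook_callback.json" and ip.geoip.asnum eq 14340
    """
    return req.path == "/salesforce/webhook_callback.json" and req.asn == 14340


# Firewall Rules in priority order. The second rule is constructed to show
# that an Allow match skips it.
RULES: List[FirewallRule] = [
    FirewallRule("allow salesforce webhook", "allow", webhook_allow_expression),
    FirewallRule("block other traffic to /salesforce/", "block",
                 lambda r: r.path.startswith("/salesforce/")),
]

# Constructed IP Access Rule blocklist (Firewall > Tools > IP Access Rule).
IP_ACCESS_BLOCKLIST = {"203.0.113.9"}


def evaluate(req: Request, rules: List[FirewallRule] = RULES,
             waf_enabled: bool = True) -> Tuple[str, str]:
    """Return (verdict, stage) for a request under the assumed ordering."""
    # Stage 1: IP Access Rules (not bypassed by a Firewall Rule Allow).
    if req.ip in IP_ACCESS_BLOCKLIST:
        return ("block", "ip_access_rule")

    # Stage 2: Firewall Rules, first match wins.
    for rule in rules:
        if rule.match(req):
            if rule.action == "block":
                return ("block", f"firewall_rule:{rule.description}")
            # Allow: skip the remaining Firewall Rules only; fall through to WAF.
            break

    # Stage 3: WAF managed rules still evaluate the request.
    if waf_enabled and req.waf_hit:
        return ("block", "waf")
    return ("allow", "passed")


if __name__ == "__main__":
    # Constructed sample traffic from the webhook's ASN.
    samples = [
        Request("/salesforce/webhook_callback.json", 14340, "198.51.100.7"),
        Request("/salesforce/webhook_callback.json", 14340, "198.51.100.7", waf_hit=True),
        Request("/salesforce/webhook_callback.json", 64496, "198.51.100.8"),
        Request("/salesforce/webhook_callback.json", 14340, "203.0.113.9"),
    ]
    for s in samples:
        print(s.path, s.asn, s.ip, s.waf_hit, "->", evaluate(s))
```

The second sample is the "other 10%" from the question: the Firewall Rule matches and allows, but a WAF rule still fires, which is the behaviour the reply describes rather than a race condition.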

Thanks for the clarification. I misunderstood the “Firewall Rules” as preceding the WAF rules by processing order and superseding the WAF with “ALLOW” actions. Thanks again.
