Increase WAF Filter Expression Size Above 4096 bytes

This is a feedback request to increase the WAF filter expression size above 4096 bytes.

4096 bytes is not enough for many use cases.

I want to block thousands of ASNs and with the FREE plan, I can only create 5 rules in WAF.

If each rule can only have an expression size of 4096 bytes, taking into account that each ASN has an average length of 6 bytes, I can only add up to 3413 ASNs if I use all 5 rules just for that.

Taking into account that there are usually other rules that need to be used, this makes it difficult.

Either increase the field size or increase the number of WAF rules on the FREE version (to 10).
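The arithmetic above (a 4096-byte expression, roughly 6 bytes per ASN, 5 rules on the Free plan) is easy to get slightly wrong by hand, because the field name, the `in {...}` wrapper and the separators all count against the limit. The following is an added example, not code from the thread or from Cloudflare: it packs a list of ASNs into the fewest membership expressions that each stay at or under a byte cap, and reports how many rules that takes. The field name `ip.src.asnum`, the 4096-byte cap, the 5-rule plan limit and the sample ASNs are assumptions for the example; check them against the current Rules language documentation before relying on them.

```python
"""Pack an ASN block list into WAF custom-rule expressions under a byte cap.

Added example, not from the original thread or from Cloudflare. The field
name, byte cap and rule count below are assumptions, not documented limits.
"""
import re
from typing import Iterable, List, Set

ASN_FIELD = "ip.src.asnum"        # assumed Rules-language field for the client ASN
EXPRESSION_LIMIT = 4096           # assumed max expression size, in bytes
FREE_PLAN_RULE_COUNT = 5          # assumed number of custom rules on the Free plan
MAX_ASN = 4_294_967_295           # 32-bit ASN space


def build_expression(field: str, asns: List[int]) -> str:
    """Render a `field in {a b c}` membership test (space-separated set)."""
    return f"{field} in {{{' '.join(str(a) for a in asns)}}}"


def pack_asns(asns: Iterable[int], field: str = ASN_FIELD,
              limit: int = EXPRESSION_LIMIT) -> List[str]:
    """Greedily fill expressions with ASNs so that each stays <= limit bytes.

    Input is deduplicated and sorted so the same list always yields the same
    rules, which keeps diffs between deployments readable.
    """
    unique = sorted({int(a) for a in asns})
    for asn in unique:
        if not 0 <= asn <= MAX_ASN:
            raise ValueError(f"not a valid ASN: {asn}")

    # Bytes consumed by the field name, " in {" and "}" before any ASN is added.
    overhead = len(build_expression(field, []).encode("utf-8"))

    expressions: List[str] = []
    current: List[int] = []
    used = overhead
    for asn in unique:
        token = str(asn)
        extra = len(token) + (1 if current else 0)   # +1 for the space separator
        if current and used + extra > limit:
            # Flush the full expression and start a fresh one with this ASN.
            expressions.append(build_expression(field, current))
            current, used = [], overhead
            extra = len(token)
        if used + extra > limit:
            raise ValueError(f"limit {limit} is too small to hold ASN {asn}")
        current.append(asn)
        used += extra
    if current:
        expressions.append(build_expression(field, current))
    return expressions


def rules_needed(asns: Iterable[int], field: str = ASN_FIELD,
                 limit: int = EXPRESSION_LIMIT) -> int:
    """Number of custom rules the list occupies at the given byte cap."""
    return len(pack_asns(asns, field, limit))


def fits_in_plan(asns: Iterable[int], rule_budget: int = FREE_PLAN_RULE_COUNT,
                 field: str = ASN_FIELD, limit: int = EXPRESSION_LIMIT) -> bool:
    """True if the list fits within the rules you are willing to spend on it."""
    return rules_needed(asns, field, limit) <= rule_budget


def asns_in_expression(expression: str) -> Set[int]:
    """Parse the ASNs back out of a generated expression (round-trip check)."""
    match = re.search(r"\{([^}]*)\}", expression)
    if match is None:
        raise ValueError("no set literal in expression")
    return {int(tok) for tok in match.group(1).split()}


if __name__ == "__main__":
    # Constructed sample: 3000 made-up 4-digit ASNs, not a real block list.
    sample = list(range(1000, 4000))
    rules = pack_asns(sample)
    print(f"{len(sample)} ASNs -> {len(rules)} rules, "
          f"largest {max(len(r.encode()) for r in rules)} bytes")
    print("fits in Free plan:", fits_in_plan(sample))
```

Run it directly to see how many rules a given list costs; the packer is what you would feed into the API or dashboard when splitting one large list across several rules, and `asns_in_expression` lets you confirm nothing was dropped when you reassemble the set.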

I’d rather suggest using the IP Access Rules for blocking the ASNs, because they can be applied to every website at once under the same CF account, and you also block them before they enter your gate, rather than allowing them to enter and then using other methods to block them, while using Firewall Rules for other things per zone/domain, etc.

Furthermore, IP Access Rules can hold up to 50k entries (or just ASNs, if you need), and that’s quite a lot.

4096 is enough to block a lot of stuff: paths, user-agents, file extensions, ports, etc., separated into 4-5 rules on a Free plan.

We can always upgrade to a Pro plan if we want a better WAF and other security stuff included alongside other features as well.

The main problem I’m having if I set up the ASN rules under the “IP Access Rule” section is that based on the Traffic Sequence evaluation, IP Access Rules go before WAF.

If I am setting a WAF rule to allow “Known Bots”, the ASN rule under the “IP Access Rule” will have more priority and will make the WAF rule not work.

Any workarounds for this use case?

Right, and that’s what it’s meant for: blocking them there, just like on a chain before INPUT in iptables on the origin host. Why allow “bad ASNs” in, then filter them out with some other methods, techniques or software, while others are already waiting at your network gate, which all together creates a total blockage of your network?

Yeah, if that’s the case, I can’t use “IP Access Rule” to block ASNs.

And so I’ll need to use WAF Rules, and there I have the limitation of 5 rules & 4096 bytes per rule.

It’s a pity, because 50K entries is more than enough (using IP Access Rules with ASNs), but 3413 entries, which will be more like 2.5K entries because I will be using other firewall rules, is not enough.

Is this going to be implemented in the near future?
