IP Access Rules, then WAF Rules

What is the name of the domain?

unimportant.example

What is the issue you’re encountering?

Just trying to understand the security flow.

What are the steps to reproduce the issue?

This page (IP Access rules · Cloudflare Web Application Firewall (WAF) docs) states that if an IP Access rule is set to Allow, then WAF rules are skipped. But then it says deprecated. Does it mean that Allow will continue to the WAF rules?

What about Managed Challenge in IP Access Rules? I assume that if Managed Challenge fails, everything stops. But do WAF rules still apply if Managed Challenge passes?

Only the old “Firewall Rules” is deprecated, since they’ve been replaced with “Custom Rules.”

2 Likes

I see, it’s just saying “firewall rules” are deprecated, not the warning notice.

So would I be correct in assuming that IP Access Rules “Managed Challenge” (say, for All websites) will still continue to the WAF Custom Rules, if the challenge is passed?

For example, a request can pass the IP Access Rules challenge for a certain ASN, but still be blocked by a WAF Custom rule for a specific IP from that AS?

I ended up testing this and leaving my results here, maybe helpful to others.

IP Access Rules results, if a host matches:

  • block - host is blocked, no WAF checks.
  • allow - host is allowed, no WAF checks.
  • challenge - if host fails, it’s blocked, no WAF checks. If host passes, WAF is checked, after cache rules and bot checks are done.

1 Like
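
An added example, not part of the original posts and not Cloudflare's code: it encodes the test results reported above and audits a rule export for Allow entries that would hide addresses a Custom Rule is meant to block. The sample rules are constructed, shaped like IP Access Rules API objects, and `CUSTOM_BLOCK_NETS` is a hypothetical simplification of Custom Rules to the networks they block.

```python
import ipaddress

# Constructed sample, shaped like Cloudflare IP Access Rules API objects
# ("whitelist" is the API mode name for the dashboard's Allow action).
ACCESS_RULES = [
    {"mode": "whitelist", "configuration": {"target": "ip_range", "value": "198.51.100.0/24"}},
    {"mode": "managed_challenge", "configuration": {"target": "asn", "value": "AS64500"}},
    {"mode": "block", "configuration": {"target": "ip", "value": "203.0.113.9"}},
]
# Assumption: Custom Rules reduced to the networks they are meant to block.
CUSTOM_BLOCK_NETS = ["198.51.100.77/32", "192.0.2.0/24"]


def waf_runs(mode, challenge_passed=False):
    """True if WAF Custom Rules are reached, per the results posted in this thread."""
    if mode in ("block", "whitelist"):
        return False                # decided at the IP Access Rule, no WAF checks
    if mode == "managed_challenge":
        return challenge_passed     # WAF is only checked after a passed challenge
    return True                     # assumption: no matching access rule, WAF runs


def shadowed_blocks(access_rules, custom_block_nets):
    """Return (allow_value, block_net) pairs where an Allow entry covers
    addresses that a Custom Rule is meant to block."""
    findings = []
    for rule in access_rules:
        cfg = rule["configuration"]
        # ASN and country Allow entries need external data to resolve; skipped here.
        if rule["mode"] != "whitelist" or cfg["target"] not in ("ip", "ip6", "ip_range"):
            continue
        allow_net = ipaddress.ip_network(cfg["value"], strict=False)
        for raw in custom_block_nets:
            block_net = ipaddress.ip_network(raw, strict=False)
            # overlaps() raises on mixed IPv4/IPv6, so compare versions first
            if allow_net.version == block_net.version and allow_net.overlaps(block_net):
                findings.append((cfg["value"], raw))
    return findings


if __name__ == "__main__":
    for allow, block in shadowed_blocks(ACCESS_RULES, CUSTOM_BLOCK_NETS):
        print(f"Allow {allow} skips WAF, so the Custom Rule block on {block} never fires")
```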

The “Allow” action in IP Access Rules is marked as deprecated, which means its behaviour might change or be phased out in the future. Currently, “Allow” bypasses WAF rules, but future updates may alter this.
For the “Managed Challenge,” if the challenge fails, access is blocked entirely. If the challenge passes, traffic proceeds, and WAF rules will still apply as usual.

Citation please?