IP Passed Through WAF

Cloudflare have been doing a great job providing my news publication it’s WAF. Thank you.

Just now, I found that an IP address was able to pass right by one of my WAF rules for RSS feeds. This is the first time I have ever detected such a direct traffic hit beyond my WAF rules.

This IP address was able to visit and hit the following URL on my news publication


Local Log (WordFence) below

As you will see. I have this url well protected by cloudflare WAF rules (All others in the same rule work perfectly

In this instance, I would like to ask this question.

  1. How could of this IP passed right through the WAF?
  2. Can C/F WAF stop running for a few million seconds from time to time?

Additional details.

  1. I dont have this IP allowlisted anywhere in c/f
  2. I cant see this as being a direct host to IP hit

How did he get in?

The user agent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36 OPR/

From the above shared screenshot, I’d suggest you to replace the “equals” with “contains”, then it would work as expected :wink:

You can change it and make sure it’s only one, if URI Path contains feed → if the “feed” is anything related to the RSS feed which you’d like this bot or scraper to block access to anykind of the feed on your Website. Would match article/feed, /commets/feed/, /feed/, /rss-feed/ and all other options which contain “feed” term.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.