IPv6 Range Ignored in IP Source Address, IPv4 Works Fine

I am trying to use a WAF rule to block access to a specific subdomain unless the source IP is either a specific IPv4 address or from an IPv6 range.

My current WAF matches the example below:

If hostname contains private.example.com and IP Source Address is not in b387:5984:61ff:5a25::/64 then Block.
The expression is (http.host contains "private.example.com" and not ip.src in {b387:5984:61ff:5a25::/64})

This WAF rule works in regards to IPv4. All connections are blocked except for those coming from the specified address. It does not work with IPv6, and that is my reason for reaching out.

When connections are made to the domain from an IP within the IPv6 range, they are blocked and recorded in the WAF log. The source IP address shown in the log entry matches what I’d expect and is within the range I’ve specified in the WAF rule.

I have looked around online and have seen posts here and there about others having issues but they all seemed to fix it by using an IPv6 range instead of a fixed address, which is what I wanted to do regardless.
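To separate "the rule logic is wrong" from "the edge is not seeing the address I expect", it helps to model the rule locally and compare it against what the WAF log records. The script below is an added example written for this thread; it is not code from the original post and not Cloudflare's rule engine. It uses Python's standard ipaddress module to model the `ip.src in {...}` and `http.host contains` semantics, uses a placeholder IPv4 address (203.0.113.10) because the post does not show the real one, and runs over a few constructed log entries rather than a real WAF export.

```python
import ipaddress

# Constructed allow-list mirroring the rule in the post: one IPv4 host
# (placeholder address, the post does not show the real one) plus the IPv6 /64.
ALLOWED = [
    ipaddress.ip_network("203.0.113.10/32"),           # placeholder IPv4 address
    ipaddress.ip_network("b387:5984:61ff:5a25::/64"),  # IPv6 range from the post
]

PROTECTED_HOST = "private.example.com"


def src_allowed(src_ip, allowed=ALLOWED):
    """Model of `ip.src in {...}`: True when src_ip falls inside any listed network.

    `addr in net` is False when the address family differs (v4 address vs v6
    network), so a mixed list of IPv4 and IPv6 entries is safe here.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def rule_blocks(host, src_ip, allowed=ALLOWED, protected=PROTECTED_HOST):
    """Model of: (http.host contains <protected> and not ip.src in {...}) -> Block."""
    return protected in host and not src_allowed(src_ip, allowed)


def find_mismatches(log_entries, allowed=ALLOWED, protected=PROTECTED_HOST):
    """Return log entries whose recorded action disagrees with the modelled rule.

    Each entry is a dict with 'host', 'src' and 'action' ('block' or 'allow').
    An entry whose source is inside the allow-list but was logged as blocked is
    the symptom described in the post, and is worth raising with support.
    """
    mismatches = []
    for entry in log_entries:
        expected = "block" if rule_blocks(entry["host"], entry["src"], allowed, protected) else "allow"
        if entry["action"] != expected:
            mismatches.append({**entry, "expected": expected})
    return mismatches


# Constructed sample log entries (not real WAF output) for a quick self-check.
SAMPLE_LOG = [
    {"host": "private.example.com", "src": "b387:5984:61ff:5a25::1", "action": "block"},   # inside /64, yet blocked
    {"host": "private.example.com", "src": "b387:5984:61ff:5a26::1", "action": "block"},   # outside /64, block is right
    {"host": "private.example.com", "src": "203.0.113.10", "action": "allow"},             # allowed IPv4 host
    {"host": "private.example.com", "src": "198.51.100.7", "action": "block"},             # other IPv4, block is right
    {"host": "www.example.com", "src": "198.51.100.7", "action": "allow"},                 # host not matched, rule is inert
]

if __name__ == "__main__":
    for bad in find_mismatches(SAMPLE_LOG):
        print(f"{bad['src']} to {bad['host']}: logged {bad['action']}, rule says {bad['expected']}")
```

The first sample entry is the situation in the post: an address the rule should allow shows up in the log as blocked. If the local model says allow while the log says block, the expression itself is not the problem, and the next things to compare are the exact address the WAF logged (it must be the one the rule evaluates as ip.src, not a forwarded header) and whether the rule was created as a Custom Rule or an IP Access rule, since those are evaluated differently.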

I misread your expression at first, ignore my first reply which I have deleted. Your rule actually looks okay, and I went and tried exactly the same thing (with my own hostname and IP range of course) and it works. Is this a Custom Rule or an IP Access rule?


This is a custom rule.