Managed Challenges to specific countries without impacting Search Engines

I’m based in Australia, running Cloudflare with WordPress.

We want to find a way to issue a Managed Challenge to connections from almost all countries outside of Australia. The only exceptions are an IP whitelist (which I’ve created already) and allowing known good bots to crawl the site (thinking Googlebot and the like).

I’ve tried many combinations of And/Or statements in the WAF and I’m not able to find one that works. I thought I could use something like this for a Managed Challenge:
(ip.geoip.country ne "AU" and not cf.client.bot and not ip.src in $ip_whitelist)

The above results in Australian users getting a Managed challenge.

Any ideas?

Your current rule will match anyone that…

  • is not in Australia
  • is not a ‘known good’ bot
  • is not coming from a whitelisted IP address

Or at least, outside of some quirk, that’s how I’m reading it - do you have a screenshot of one of the entries in the firewall activity log that’s matching an Australian user?

Feel free to censor the IP/ASN/website name.

1 Like

Thanks for your reply!

This is the rule:

It looks like it’s not blocking Australian connections anymore, but it is blocking some web crawlers - it’s 2am here so I’ll monitor it during our business hours and see if it causes any issues.

Side question - If a rule condition is met, does Cloudflare WAF continue down the list to find further rules or does it stop at that rule?

If a rule condition is met, does Cloudflare WAF continue down the list to find further rules or does it stop at that rule?

Depends on your action - it’s described here: https://developers.cloudflare.com/firewall/cf-firewall-rules/actions/ along with their order of precedence.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.