I have some Page Rules running on specific URLs. Those rules set the WAF to Off.
URL: domain.tld/abc/page*
Rule: Web Application Firewall Off
Note: I don’t need WAF to work at all on the page above.
Lately, Cloudflare notified me that I can upgrade and deploy the new managed firewall rules. When I did this, I got all Firewall Rules grouped under the “Managed Rules” tab. So now, all Page Rules that I have already set are grouped under one Ruleset (set to SKIP), and the already existing WAF rules (Cloudflare Manager Ruleset & Cloudflare OWASP Core Ruleset) are also under their own Rulesets (See attached screenshot).
With this new update, I have Cloudflare OWASP Core Ruleset blocking the URL domain.tld/abc/page*, which should have been skipped already because its page rule falls under the first Ruleset in the attached screenshot.
It looks like, after this update, the sequence of events is no longer as before. Any advice on how to tackle this issue?