Why is this happening? Do you have Super Bot Fight Mode configured?
Can you check the Security Events and find any entries with User Agent Contains “PayPal” and see why it is being blocked?
If it’s being blocked by a WAF rule, PayPal is a Known Bot. You can create a rule allowing Known Bots, or if you want you can create a rule Bypass for Known Bots with UA containing PayPal to be more specific.
Another option I used before PayPal was accepted into Known Bots was to create an IP list and use that in a WAF rule:
Hi, thanks for your reply.
I have no Super Bot Fight Mode configuration.
I didn't configure any WAF rule, but PayPal IPN suddenly stopped on my website.
Would you please confirm where I create an IP list and use it in a WAF rule? I have checked that there is no allow option in WAF rules. CF changed their UI and your list may be from an older version.
So would you please check and write for the new version of CF? Thanks.
The most important question is if you managed to identify why the PayPal IPN is not reaching your server. Without knowing what’s blocking it, it’s hard to create rules to allow it.
The following are examples of rules you can use as templates once you have identified what needs to be done.
Regarding my list, it is current and uses the current UI. Log into Cloudflare, go to Configurations | Lists and create a list with the IP addresses. You can then use a list in a WAF rule, for example:
Note these are only allowing a known bot with UA containing PayPal. You might have another rule for Known Bots, so make sure to customise it to your needs.
The duplicates do, however, seem very consistent with the ones posted in e.g.:
That being said, -
In addition (or as an alternative) to that, you can also use PayPal’s AS numbers to attempt to approve their access:
Until now, I don’t believe I have seen PayPal’s IPN requests originating from AS numbers other than AS 17012.
PayPal currently has the following AS numbers that are visible in the global routing table:
1449
17012
22510
23250
59065
395313
PayPal also have the following AS numbers, but these are not currently visible in the global routing table:
21893
26444
206753
With AS 1449 being given the name "PAYPAL-CORP", it sounds like that one may be useless, and only for their corporate offices.
AS 59065 seems to be from their operations in China and Singapore, and several of the others are held by them, as a result of their acquisition of Braintree.
If you decide to go more “lenient” on security, based on AS numbers (perhaps for less (recurring) maintenance), I would personally be tempted to start by allowing AS 17012 alone, and see how that goes.
Based on the above Custom Rule, you could also mix the Known Bots and AS numbers validation, … like this:
Personally, I would likely also add even further Hostname, or URI related fields to verify that PayPal is only extraordinarily allowed on e.g. https://paypal-ipn.example.com, or within addresses starting with https://example.com/paypal-payments/, or something similar, depending on the place where you have the IPN scripts.
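The layered rule discussed in this thread (Known Bot, User-Agent containing PayPal, AS number, plus hostname and path), modelled as an added example that is not from any poster or from Cloudflare. `Request`, `skip_decision`, the hostname and the path prefix are hypothetical; the Cloudflare field names in the comment should be confirmed in the expression editor before use.

```python
# Rough Cloudflare expression equivalent (hostname and path are placeholders):
#   cf.client.bot and http.user_agent contains "PayPal"
#   and ip.src.asnum eq 17012 and http.host eq "example.com"
#   and starts_with(http.request.uri.path, "/paypal-payments/")
from dataclasses import dataclass

ALLOWED_ASNS = {17012}                  # start with AS 17012 alone
IPN_HOST = "example.com"                # placeholder hostname
IPN_PATH_PREFIX = "/paypal-payments/"   # placeholder IPN location


@dataclass
class Request:
    known_bot: bool    # Known Bots verdict for the request
    user_agent: str
    asn: int
    host: str
    path: str


def skip_decision(req):
    """Return (skip, reason). skip is True only when every layer matches."""
    layers = [
        (req.known_bot, "not a Known Bot"),
        ("PayPal" in req.user_agent, "User-Agent does not contain PayPal"),
        (req.asn in ALLOWED_ASNS, f"AS {req.asn} is not on the allow list"),
        (req.host == IPN_HOST, "hostname is not the IPN host"),
        (req.path.startswith(IPN_PATH_PREFIX), "path is outside the IPN prefix"),
    ]
    for matched, reason in layers:
        if not matched:
            return False, reason
    return True, "all layers matched"


# Constructed sample requests, not real traffic.
SAMPLES = {
    "genuine IPN": Request(True, "PayPal IPN (constructed)", 17012,
                           "example.com", "/paypal-payments/ipn.php"),
    "spoofed UA": Request(False, "PayPal IPN (constructed)", 64500,
                          "example.com", "/paypal-payments/ipn.php"),
    "corp ASN": Request(True, "PayPal IPN (constructed)", 1449,
                        "example.com", "/paypal-payments/ipn.php"),
    "wrong path": Request(True, "PayPal IPN (constructed)", 17012,
                          "example.com", "/wp-login.php"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:12} -> {skip_decision(req)}")
```

A request that fails any layer falls through to the normal WAF rules instead of being skipped, which is why the User-Agent match alone is never the only condition.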