PayPal IPN issue, how to allow PayPal IPN

Have you searched for an answer?
Yes, all are very old answers

Why is this happening? Do you have Super Bot Fight Mode configured?

Can you check the Security Events and find any entries with User Agent Contains “PayPal” and see why it is being blocked?

If it’s being blocked by a WAF rule, PayPal is a Known Bot. You can create a rule allowing Known Bots, or if you want you can create a rule Bypass for Known Bots with UA containing PayPal to be more specific.

Another option I used before PayPal was accepted into Known Bots was to create an IP list and use that in a WAF rules:

1 Like

Hi, thanks for your reply.
I have no Super Bot Fight Mode configuration.
I didn't configure any WAF rule, but PayPal IPN suddenly stopped on my website.

Would you please confirm where I create an IP list and use that in a WAF rule? I have checked that there is no allow option in WAF rules. CF changed their UI and your list may be from an older version.

So would you please check and write for the new version of CF? Thanks

The most important question is if you managed to identify why the PayPal IPN is not reaching your server. Without knowing what’s blocking it, it’s hard to create rules to allow it.

The following are examples of rules you can use as templates once you have identified what needs to be done.

Regarding my list, it is current and uses the current UI. Log into Cloudflare, go to Configurations | Lists and create a list with the IP addresses. You can then use a list in a WAF rule, for example:

Note these addresses are only used by PayPal.

Another option, seeing PayPal is a Known Bot (Cloudflare Radar), is to use that, for example:

Note these are only allowing a known bot with UA containing PayPal. You might have another rule for Known Bots, so make sure to customise it to your needs.

1 Like

Thanks for your reply, I will apply this and hope to solve the issue.

Solely meant as constructive feedback, nothing more, - but that list sighs after some tidying up:

The duplicates do, however, seem very consistent with the ones posted in e.g.:

That being said, -

In addition (or as an alternative) to that, you can also use PayPal’s AS numbers to attempt to approve their access:

Until now, I don’t believe I have seen PayPal’s IPN requests originating from AS numbers other than AS 17012.

PayPal currently has the following AS numbers that are visible in the global routing table:

1449
17012
22510
23250
59065
395313

PayPal also have the following AS numbers, but these are not currently visible in the global routing table:

21893
26444
206753

With AS 1449 being given the name "PAYPAL-CORP", it sounds like that one may be useless, and only for their corporate offices.

AS 59065 seems to be from their operations in China and Singapore, and several of the others are held by them, as a result of their acquisition of Braintree.

If you choose to decide to go more “lenient” from the security protocol, based on AS numbers (perhaps for less (recurring) maintenance), I would personally be tempted with starting to allow AS 17012 alone, and see how that goes.

Based on the above Custom Rule, you could also mix the Known Bots and AS numbers validation, … like this:

Personally, I would likely also add even further Hostname, or URI related fields to verify that PayPal is only extraordinarily allowed on e.g. https://paypal-ipn.example.com, or within addresses starting with https://example.com/paypal-payments/, or something similar, depending on the place where you have the IPN scripts.

1 Like
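
An added example, not part of any post in this thread: the combined Known Bots, AS number and hostname/URI check described in the reply above, written as a Cloudflare custom rule expression. The rule name, `example.com` and `/paypal-payments/` are placeholders based on the reply's own illustrative addresses; older expressions show the ASN field as `ip.geoip.asnum`.

```text
# Lines starting with "#" are annotations for this example; paste only the expression.
# Rule name (constructed): Allow PayPal IPN
# Action: Skip
#
# A request must match all of these conditions:
#   1. Cloudflare has verified the client as a Known Bot
#   2. the User-Agent contains "PayPal"
#   3. the source IP is announced by AS 17012
#   4. the request targets the IPN endpoint only (placeholder host and path)

(cf.client.bot
 and http.user_agent contains "PayPal"
 and ip.src.asnum eq 17012
 and http.host eq "example.com"
 and starts_with(http.request.uri.path, "/paypal-payments/"))
```

The User-Agent is supplied by the client, so the Known Bot and AS number conditions carry the trust here, and the host and path conditions keep the skip from applying to the rest of the site.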

Hi
Thanks for your reply with PayPal IPN information.

PayPal sent me a failed message with the below URI & instructions:

Quote

Please check your server that handles PayPal Instant Payment Notifications (IPN). IPNs sent to the following URL(s) are failing:

https://aircraftflightmanuals.com/wc-api/WC_Gateway_Paypal/

Unquote

Would you please give me an idea of what happened?

Another thing: in what location of CF can I put the mentioned rules? Please help.

Thanks

The rules from the other screenshot I mentioned, can be added/modified/deleted here:

→ https://dash.cloudflare.com/?to=/:account/:zone/security/waf/custom-rules
