PayPal IPN not working CF Firewall

Hi,

I am running a website which is blocked for the rest of the world, except Canada and India.

I have added PayPal ASNs to the Cloudflare firewall so that PayPal may post IPN to my WooCommerce-based website.

But PayPal is failing to send IPNs to my website. As an additional measure, I have tried to add a User Agent filter as well, but even that is not working.

Here are my filter expressions:

Rule 1

(ip.geoip.asnum in {2635 1449 17012 59065 206753}) or (http.user_agent contains "PayPal IPN")

Rule 2

(not ip.geoip.country in {"CA" "IN"})

Any ideas?

May I ask, have you tried looking here?

If I understood correctly, if the requests are coming from, for example, the USA (not Canada), they are being blocked by your 2nd rule as far as the 1st rule is allowing the request(s) to pass.

You would have to modify and combine your current rule to block requests coming from Canada or India while also excluding the requests coming from PayPal IPN IP addresses as well.

Remove both and create combined Firewall Rule like below example (hopefully I am good at first sight, if not, will correct in the meantime):

Block all requests except from Canada and India, but allow PayPal IPN IP addresses and PayPal IPN User-agent:

(not ip.geoip.country in {"CA" "IN"}) or (not ip.src in {66.211.170.66 173.0.81.1 173.0.81.0/24 173.0.81.33 173.0.81.65 173.0.81.140 64.4.240.0/21 64.4.248.0/22 66.211.168.0/22 173.0.80.0/20 91.243.72.0/23} and not http.user_agent contains "PayPal IPN") or (not ip.geoip.asnum in {2635 1449 17012 59065 206753})

Action: Block

From above, instead of using AND for User-agent, you could go with OR in case the PayPal IPN does not contain the PayPal IPN (also from the specified IP address) string in the User-agent from the coming request.

Suggestion: I would make a Firewall Rule above all with the action Allow for your own origin host / server IP address, just in case (as far as WordPress cron-jobs, WooCommerce too, etc. depending where the server is being located/hosted - if outside of Canada or India, for example USA, Germany, France …)

Thank you so much for the response.

As suggested, I have combined the conditions into two rules as per the following expressions.
The action of the first expression is Allow and the priority is 50.

(http.request.full_uri contains "https://test.domain.com") or (http.request.full_uri contains "https://www.domain.com/wc-api/WC_Gateway_Paypal") or (ip.src in {1xx.xxx.xxx.xx1 list of allowed IP addresses including server IP}) or (ip.geoip.asnum in {2635 1449 17012 59065 206753}) or (ip.geoip.country in {"CA" "IN"})

The second rule has action Block and priority 100:

(not ip.geoip.country in {"CA" "IN"})

As expected, test.domain.com is working throughout the world and domain.com is only working in Canada and India. But PayPal IPN is still not working.

Am I missing something?

@fritexvz Thank you for pointing me in the right direction.

There was some delay from Cloudflare in applying the firewall rules. Earlier, the rules were applied within seconds but this time it took almost an hour.

But anyway, the issue has been resolved and PayPal IPN is working now.
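
One way to tell a rule-logic error apart from a propagation delay is to check the rule pair offline. The Python model below is an added example, not part of the original posts and not Cloudflare code: it evaluates the Allow (priority 50) and Block (priority 100) expressions from the thread against sample requests. It assumes rules run in ascending priority order and the first match decides; the sample requests, the placeholder allowed IP and ASN 64500 are constructed.

```python
# Offline model of the two firewall rules from the thread (illustrative only).
PAYPAL_ASNS = {2635, 1449, 17012, 59065, 206753}   # from the thread
ALLOWED_COUNTRIES = {"CA", "IN"}                   # from the thread
IPN_URI = "https://www.domain.com/wc-api/WC_Gateway_Paypal"
ALLOWED_IPS = {"203.0.113.10"}  # constructed placeholder; the thread elides the real list


def allow_rule(req):
    """Expression of the priority-50 Allow rule ('contains' modelled with 'in')."""
    return ("https://test.domain.com" in req["full_uri"]
            or IPN_URI in req["full_uri"]
            or req["ip"] in ALLOWED_IPS
            or req["asnum"] in PAYPAL_ASNS
            or req["country"] in ALLOWED_COUNTRIES)


def block_rule(req):
    """Expression of the priority-100 Block rule."""
    return req["country"] not in ALLOWED_COUNTRIES


def evaluate(req, rules):
    """Assumed model: ascending priority number, first matching rule decides."""
    for _priority, action, matches in sorted(rules, key=lambda r: r[0]):
        if matches(req):
            return action
    return "pass"


AS_POSTED = [(50, "allow", allow_rule), (100, "block", block_rule)]
BLOCK_FIRST = [(100, "allow", allow_rule), (50, "block", block_rule)]  # priorities swapped

SHOP = "https://www.domain.com/shop/"
# Constructed requests: documentation IP ranges, ASN 64500 is a documentation ASN.
SAMPLES = {
    "ipn_us":     {"ip": "198.51.100.7", "asnum": 17012, "country": "US", "full_uri": IPN_URI},
    "shopper_ca": {"ip": "192.0.2.10",   "asnum": 64500, "country": "CA", "full_uri": SHOP},
    "shopper_de": {"ip": "192.0.2.20",   "asnum": 64500, "country": "DE", "full_uri": SHOP},
    "ipn_uri_de": {"ip": "192.0.2.20",   "asnum": 64500, "country": "DE", "full_uri": IPN_URI},
}


def decisions(rules):
    """Return the action each sample request receives under the given rule set."""
    return {name: evaluate(req, rules) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    print("as posted:  ", decisions(AS_POSTED))
    print("block first:", decisions(BLOCK_FIRST))
```

With the priorities as posted, the US-sourced IPN request is allowed; with them swapped, the country block wins first. The `ipn_uri_de` sample also shows that the URI clause admits the IPN endpoint from any source, independent of the ASN clause.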
