Greek IPv6 IPs randomly blocked by GeoIP WAF rules. Last week it didn’t even recognise the country in the events list; it said ‘Unknown’.
What steps have you taken to resolve the issue?
Disabled the GeoIP rules.
What are the steps to reproduce the issue?
Create a WAF rule that blocks traffic from non EU Continent or non Greece Country.
Access a domain’s website via a Greek IPv6 IP a few times. Some requests will be blocked.
Can you show screenshots of the rules that produce the skip and the block from your screenshot, and also the detail of those events from the event log?
This also occurred to another domain that has the same rules but for ‘Country - Greece’, instead of ‘Continent - Europe’. The rules haven’t changed in months. Last week I also saw it listing the country as ‘Unknown’ in the Events log for the same IPv6 range (OTENET-GR Athens - Greece), but was too busy to report it back then.
On the events page in the dashboard, does it show the name of the custom rule that blocked? (The json just shows "ruleId": "ddf0d29e1e3945789e54fbd7b0abdff0" so I can’t tell from that).
OK, it’s a bit odd. If I’m missing something, someone else will point it out. There was another post today that was similar so I’ll see if I can get it checked.
Your screenshot of the rule shows 2 conditions. Since the condition Greece passes the request, the block is likely because the specific request matched the second request.
These rules have been working for months without dropping any legit requests. Either the rule parsing has changed and I need to update my rules, or something is wrong with the GeoIP service CF uses on their WAF.