Possible to bypass Managed rules (new)


There are issues w/ accessing my site from certain IPs. I defined a FW rule to explicitly “allow” these IPs, but they are still blocked by “Managed rules (new)”. The log does not explain why “Managed rules” block these IPs. Is there a way I can bypass “Managed rules (new)”?


I’d give it a try with IP Access Rules :thinking:

Which plan are you using?

If not, then we have to wait for it …

Currently, there is no way to bypass it and no workaround: for a zone on a Free plan, when we inspect the Firewall Events, it shows “unknown rule id or could not find ruleset” and there is no option to add an exception for the Managed WAF Rule. For higher paid plans such as Pro, the WAF has an option to add an exception or skip that detection.

The last response I got from Cloudflare support was as follows:

As an update, our engineering team is looking to roll out the WAF for everyone in Q4 this year. This would allow the free tier users to make use of the override feature in our WAF ruleset to bypass the rules.


Thanks for the information. “IP Access Rules” does not work. Will use different IPs for now.

I face an issue quite similar to the one in one of the linked topics: trying to evict WordPress’ wp-config.php from OPcache via opcache-gui is blocked by:

  • Ruleset: Cloudflare Managed Log4J Ruleset
  • Rule: Wordpress - Broken Access Control, File Inclusion

Not sure what Log4J (Java logging library) has to do with it, but the rule likely applies due to the ?invalidate=/path/to/wp-config.php query string, i.e. wp-config.php within the URI, which seems to be the only condition for the block. Without the ability to override managed rules by e.g. explicitly allowing specific requests (like in my case https://domain.org/foo/opcache.php?invalidate=/path/to/wp-config.php with /foo being authentication-protected), this breaks quite a few features, I bet. Looking forward to free plan support for doing so.