Trouble Understanding `cf.threat_score`

Hey there, folks!

So, when using cf.threat_score in WAF custom rules, I encountered behavior that I couldn’t understand.

Basically, the simplified WAF rules are as follows:

#1 (cf.threat_score ge 15) - then Block
#2 (cf.threat_score gt 0) - then Managed Challenge

and global Security Level set to Essentially Off.

As I understand it, the rules above should work like this: block requests with a threat score >= 15, and challenge requests with a threat score > 0.

But the strangest thing happened. After the challenge page was displayed, I got “Sorry, you have been blocked” and HTTP status code 403. Here, I can guess that my IP reputation should be at (0, 15) or I’ll get a straight block.

By disabling either of the two rules, I got a challenge pass and a straight pass (no challenge), respectively.

By looking at the Firewall Events corresponding to the Ray ID, I found that the BLOCK was issued by rule #1.

Why? The challenge page should indicate that rule #2 was matched instead of #1. Does this indicate that Managed Challenge will calculate a new cf.threat_score and then use it for the next request? But I tried to increase the value of #1 to 100 and still encountered the same problem; I don’t think my IP reputation can be as high as 100.

I really don’t know what I’m missing. I’m hoping someone in the community can help me.

Is 15 > 0? If you want to challenge requests less than 15, lt is an available operator.

Right now a rule acting on a score of 16 matches both rules.

#1 (cf.threat_score ge 15) - then Block
#2 (cf.threat_score gt 0 and cf.threat_score lt 15) - then Managed Challenge

Still no luck. And according to Actions reference - Cloudflare Ruleset Engine docs, block or Managed Challenge stops rule evaluation, so it shouldn’t match both rules I guess.

After some searching on the dashboard, I found out it was an old rule that caused the problem. It blocked the challenge script from returning the challenge result with POST.
:flushed: :flushed: :flushed:

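An added example, not part of any post in this thread and not Cloudflare's engine: a simplified Python model of first-match evaluation with terminating actions. It shows that the overlapping and bounded rule sets from the thread decide identically, and how a hypothetical legacy rule (assumed here to block POST requests and to sit above the other two) turns a challenge into a block on the follow-up request.

```python
# Simplified model of ordered rule evaluation with terminating actions.
# Assumption: block and managed_challenge both stop evaluation, as the
# Actions reference cited in the thread states.
TERMINATING = {"block", "managed_challenge"}

def evaluate(rules, request):
    """Return (rule_name, action) for the first terminating match, else (None, 'allow')."""
    for name, predicate, action in rules:
        if predicate(request) and action in TERMINATING:
            return name, action
    return None, "allow"

# Rule set from the first post: the ranges overlap for scores >= 15.
OVERLAPPING = [
    ("#1", lambda r: r["threat_score"] >= 15, "block"),
    ("#2", lambda r: r["threat_score"] > 0, "managed_challenge"),
]

# Rule set from the reply: rule #2 has an explicit upper bound.
BOUNDED = [
    ("#1", lambda r: r["threat_score"] >= 15, "block"),
    ("#2", lambda r: 0 < r["threat_score"] < 15, "managed_challenge"),
]

# Hypothetical stand-in for the "old rule" in the last post; its real
# expression and position are not given in the thread.
LEGACY = ("legacy", lambda r: r["method"] == "POST", "block")

def same_decisions(a, b, scores=range(0, 101)):
    """True if both rule sets decide identically for every score (GET requests)."""
    return all(
        evaluate(a, {"threat_score": s, "method": "GET"})
        == evaluate(b, {"threat_score": s, "method": "GET"})
        for s in scores
    )

def trace(rules, score):
    """Decisions for the page load (GET) and the challenge result submission (POST)."""
    return [evaluate(rules, {"threat_score": score, "method": m}) for m in ("GET", "POST")]

if __name__ == "__main__":
    print("overlap changes nothing:", same_decisions(OVERLAPPING, BOUNDED))
    print("score 16:", evaluate(OVERLAPPING, {"threat_score": 16, "method": "GET"}))
    print("score 5 with legacy rule:", trace([LEGACY] + BOUNDED, 5))
```

When a block follows a challenge, comparing the rule ID in the event for each request (the initial load and the follow-up) against the full rule list, including rules that predate the current setup, is what isolates a case like this one.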