WAF Custom rules VS IP Access rules

Hello. I need to scan a website which is under Cloudflare with a DAST tool (a vulnerability scanner).
I want to allowlist my scanner IP. I’ve added my scanner IP to Security>>WAF>>TOOLS>>IP Access Rules.
Now, I could also add a custom WAF rule and select all WAF components to skip if the source IP is my scanner IP.

My question is: if I add my scanner IP to “Security>>WAF>>TOOLS>>IP Access Rules”, do I still need to create a custom rule, and will it give more “allowlist” features? Or is it enough to add the scanner IP to only IP Access Rules?

How do these two options for allowlisting an IP compare to each other?

Hey there!

The WAF custom rule Skip option gives you more control over which security features you would like the IP to skip. Cloudflare recommends that you create WAF custom rules instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking):

  • For IP-based blocking, use an IP List in the custom rule expression.
  • For geoblocking, use fields such as AS Num, Country, and Continent in the custom rule expression.

IP Access rules’ ALLOW actions don’t appear in the Security Log either.

2 Likes
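
An added example, not written by either poster and not Cloudflare's own code: a Python helper that builds the custom rule with the Skip action described in the answer as a rule object for the Cloudflare Rulesets API, with logging left on so the scanner's requests stay visible in security events. The scanner address `203.0.113.10`, the hostname `staging.example.com`, the function name and the extra scoping to one hostname are assumptions made for illustration.

```python
import ipaddress
import json
import re

# Skip targets as named by the Cloudflare Rulesets API "skip" action.
SKIP_PHASES = ("http_ratelimit", "http_request_firewall_managed", "http_request_sbfm")
SKIP_PRODUCTS = ("zoneLockdown", "uaBlock", "bic", "hot", "securityLevel", "rateLimit", "waf")
# Plain DNS names only, so nothing can break out of the quoted string in the expression.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def scanner_skip_rule(scanner_ip, hostname, phases=SKIP_PHASES, products=SKIP_PRODUCTS):
    """Build a skip rule for one scanner address on one hostname (hypothetical helper)."""
    ip = ipaddress.ip_address(scanner_ip)  # ValueError for CIDR ranges or malformed input
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("hostname must be a plain lowercase DNS name")
    unknown = (set(phases) - set(SKIP_PHASES)) | (set(products) - set(SKIP_PRODUCTS))
    if unknown:
        raise ValueError(f"unknown skip target(s): {sorted(unknown)}")

    params = {"ruleset": "current"}  # skip the remaining custom rules
    if phases:
        params["phases"] = list(phases)      # rate limiting, managed rules, bot fight mode
    if products:
        params["products"] = list(products)  # the per-feature checkboxes in the dashboard
    return {
        "description": f"DAST scanner {ip} on {hostname}",
        "expression": f'(ip.src eq {ip} and http.host eq "{hostname}")',
        "action": "skip",
        "action_parameters": params,
        "logging": {"enabled": True},  # keep matches in the security events log
    }


if __name__ == "__main__":
    # Constructed sample values: a documentation-range IP and an example hostname.
    print(json.dumps(scanner_skip_rule("203.0.113.10", "staging.example.com"), indent=2))
```

Passing a shorter `phases` or `products` tuple narrows what the scanner bypasses, which is the extra control the answer refers to.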