WAF expression size exceeded the max - workaround?

Describe the issue you are having:

I am trying to allowlist 250 IPv4 IPs for my email newsletter provider using WAF security rules. The issue is with all of my allowlisted IPs combined, I exceed the value size allowed by CF.

What error message or number are you receiving?
“not a valid value for expression because the expression size 4117 exceeded the maximum allowed of 4096 (Code: 20127)”

What steps have you taken to resolve the issue?

  1. Input a range of IPs using a “/” i.e. but CF doesn’t allow more than 32 IPv4 ips with this expression.
  2. Remove as many other allowlisted as possible but can’t cut back anymore.

Is there a workaround for this limitation? Thanks! is represented by, you need to understand CIDR…

For a lot of items you can also create a custom list…

…then use “is in list” in the WAF.

Your links were very helpful.Thanks for taking the time to respond.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.