WAF Firewall rules issue?

Hi guys,

Maybe someone here could give me a hand on a security issue.

We’ve been receiving weird direct traffic coming from Indonesia and would like to block/challenge them according to a set of rules. I did the same in the past for US traffic, but the same set of rules does not seem to do the trick for Indonesia. I see very few challenges and many visits still coming through. These are the rules:

(ip.geoip.country eq "ID" and http.request.uri contains "listings") or (ip.geoip.country eq "ID" and http.request.full_uri eq "https://mywebsite.com/") or (http.request.uri contains "imagens-whatsapp" and ip.geoip.country eq "ID") or (http.request.uri contains "dicas" and ip.geoip.country eq "ID") or (http.request.uri contains "procurando" and ip.geoip.country eq "ID") or (http.request.uri contains "frases" and ip.geoip.country eq "ID") or (http.request.uri contains "contato" and ip.geoip.country eq "ID") or (http.request.uri contains "videos" and ip.geoip.country eq "ID") or (http.request.uri contains "status" and ip.geoip.country eq "ID") or (http.request.uri eq "whatsapp" and ip.geoip.country eq "ID")

Thank you in advance!

A reason why you are not using IP access rules?

https://dash.cloudflare.com/?to=/:account/:zone/security/waf/tools

Also, make sure requests go through Cloudflare.

Hi Sandro,

So we do also receive legitimate traffic from Indonesia, but on some specific pages. I figured IP access rules do not give me the option to pick those pages? Am I wrong?

Thank you!

So you only want to challenge requests from Indonesia for certain paths?

Hi Sandro,

Exactly

All right, in that case I’d try that.

ip.geoip.country eq "ID" and (http.request.uri.path in {"/" "/whatsapp"} or http.request.uri contains "listings" or http.request.uri contains "imagens-whatsapp" or http.request.uri contains "dicas" or http.request.uri contains "procurando" or http.request.uri contains "frases" or http.request.uri contains "contato" or http.request.uri contains "videos" or http.request.uri contains "status")

Note, I changed whatsapp to /whatsapp.

Though, you are challenging the root path. Do you really have other paths which you specifically do not want to challenge?
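To see what the two expressions in this thread actually match, here is an added example (not code from the thread or from Cloudflare) that models their evaluation in Python over a few constructed requests. It assumes Cloudflare's field semantics as documented: http.request.uri is the path plus query string, http.request.uri.path is the path alone; the hostname mywebsite.com is the one used above.

```python
# Added example: a small model of how the original and rewritten Cloudflare
# expressions evaluate, showing why the original `http.request.uri eq "whatsapp"`
# clause never matches (the uri always starts with "/") and why the rewritten
# `http.request.uri.path in {"/" "/whatsapp"}` does.
from urllib.parse import urlsplit

# Constructed sample requests: (client country, full URI).
SAMPLE_REQUESTS = [
    ("ID", "https://mywebsite.com/"),
    ("ID", "https://mywebsite.com/whatsapp"),
    ("ID", "https://mywebsite.com/listings/123?ref=x"),
    ("ID", "https://mywebsite.com/about"),
    ("BR", "https://mywebsite.com/listings/123"),
]

# Substrings both expressions test with `contains`.
CONTAINS = ("listings", "imagens-whatsapp", "dicas", "procurando",
            "frases", "contato", "videos", "status")

def fields(country, full_uri):
    """Derive the request fields the expressions use (Cloudflare field names)."""
    parts = urlsplit(full_uri)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return {"ip.geoip.country": country,
            "http.request.full_uri": full_uri,
            "http.request.uri": uri,          # path + query string
            "http.request.uri.path": parts.path}  # path only

def original_rule(f):
    """The first expression in the thread: every clause is AND-ed with country."""
    if f["ip.geoip.country"] != "ID":
        return False
    return (f["http.request.full_uri"] == "https://mywebsite.com/"
            or any(s in f["http.request.uri"] for s in CONTAINS)
            or f["http.request.uri"] == "whatsapp")  # never true: uri starts with "/"

def rewritten_rule(f):
    """The rewritten expression: country AND (path in set OR any substring)."""
    return (f["ip.geoip.country"] == "ID"
            and (f["http.request.uri.path"] in {"/", "/whatsapp"}
                 or any(s in f["http.request.uri"] for s in CONTAINS)))

def matched(rule, requests=SAMPLE_REQUESTS):
    """Return the URIs a rule would challenge, in input order."""
    return [uri for country, uri in requests if rule(fields(country, uri))]

if __name__ == "__main__":
    print("original :", matched(original_rule))
    print("rewritten:", matched(rewritten_rule))
```

The difference in output is exactly the /whatsapp request, which only the rewritten rule catches.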

To make it easier then, we would like to block all visits to pages with the path /listings/, but also the homepage

I would simply use the originally mentioned IP access rules.

I don’t see a way to use IP access rules and include exceptions to certain paths… Am I missing something?

That’s the point, I am not sure why you need to set up exceptions if you want to challenge the root path anyhow.

But again, if you still want to do that, simply check out my previous response.

I might have mistaken the code of homepage for the root path, but what I really wanted to do is block all Indonesia traffic from any pages containing “listings”

What’s unclear about the posted expression?

I don’t want to challenge the root path, that was accidental, I was trying to challenge visits to the homepage. But let's forget about that to make it more simple.

What if I wanted to block all Indonesia traffic from all pages containing “listings”?

Or else block all Indonesia traffic except to the pages containing “7in” and “in” ?

But that’s what I meant. The posted expression will do that, simply adjust it to the mentioned paths.

I tried that but it only challenged 3 out of 400 visits from Indonesia to those pages in the last 24 hours.

I chose “Managed challenge” by the way

Managed challenge does not necessarily challenge it. What expression did you use?

Should I try another action type?

The expression is the one you wrote:

ip.geoip.country eq "ID" and (http.request.uri.path in {"/" "/whatsapp"} or http.request.uri contains "listings" or http.request.uri contains "imagens-whatsapp" or http.request.uri contains "dicas" or http.request.uri contains "procurando" or http.request.uri contains "frases" or http.request.uri contains "contato" or http.request.uri contains "videos" or http.request.uri contains "status")

That expression will apply to all the requests in question. How did you establish that it did not?