WAF Geo Block blocked when it shouldn't be blocking

I put a rule in place yesterday: (ip.geoip.country ne "US") or (ip.geoip.country ne "BR"). This morning I went to my site and it was blocked. I checked my IP address and confirmed it was correct. However, I was being blocked when I have a rule that if not US or BR then block.

Why was my BR IP being blocked? Is there something I am not understanding? In the meantime I changed to managed response.

Check the Firewall Activity Log and it’ll show you what country it’s associating with your IP.

In the event it’s wrong, follow https://support.cloudflare.com/hc/en-us/articles/200168236-Configuring-Cloudflare-IP-Geolocation#12345683

Check MaxMind’s GeoIP database and if it’s correct there but incorrect in Cloudflare, open a support ticket (or post here).

1 Like

Good point. Yes, it shows that rule blocking and my ASN is AS18881 TELEFONICA BRASIL S.A

MaxMind is correct because I use it in other software and it knows I am in BR. Thanks, will report.

I think your issue is probably that you’re using or rather than and in your rule.

If you are not in the US OR you are not in Brazil, block - you are not in the US, so as far as I’m aware, you will be blocked under that first condition.

Change it to (ip.geoip.country ne "US") and (ip.geoip.country ne "BR")

As an example, if your country code is GB then that rule should match on…

  • GB is not US
  • GB is not BR

However, since yours is BR

  • BR is not US
  • BR is BR

Since you match the ip.geoip.country ne "US" branch, you would be blocked.

Using and, it’d be more like…

GB does not equal US and GB does not equal BR → block
BR does not equal US and BR does equal BR → allow

BR is allowed since it didn’t match both conditions to be blocked, and so would US.

This is why it’s better to use “is in” or “is not in” when doing multiple checks on the same field.

(not ip.geoip.country in {"US" "BR"})

3 Likes
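
The three rule forms from this thread, compared in an added example that is not part of any post above: a small Python evaluator for a subset of the rule syntax shows which visitor countries each block rule fires for. It is an illustrative sketch, not Cloudflare's parser; `matches`, `blocked` and the sample country list are assumptions.

```python
import re

TOKEN = re.compile(r'[(){}]|"[^"]*"|[\w.]+')
COUNTRIES = ("US", "BR", "GB", "DE")  # constructed sample of visitor countries

def matches(rule, country):
    """Evaluate a subset of the rule syntax (eq, ne, in, not, and, or) for one country."""
    toks, pos = TOKEN.findall(rule), 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def chain(word, operand, combine):
        val = operand()
        while peek() == word:
            take()
            val = combine(val, operand())
        return val
    def or_expr():  # "and" binds tighter than "or"
        return chain("or", and_expr, lambda a, b: a or b)
    def and_expr():
        return chain("and", unary, lambda a, b: a and b)
    def unary():
        if peek() == "not":
            take()
            return not unary()
        if peek() == "(":
            take()
            val = or_expr()
            take()  # closing ")"
            return val
        take()  # field name; this sketch only models ip.geoip.country
        op = take()
        if op == "in":
            take()  # opening "{"
            members = set()
            while peek() != "}":
                members.add(take().strip('"'))
            take()  # closing "}"
            return country in members
        value = take().strip('"')
        return country == value if op == "eq" else country != value
    return or_expr()

def blocked(rule):
    """Countries from the sample for which a block rule fires."""
    return [c for c in COUNTRIES if matches(rule, c)]
```

Calling `blocked` on the `or` rule returns every sample country, which is the block-everyone behaviour reported in the first post; the `and` and `not ... in` forms return only GB and DE.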
