WAF incorrectly blocks countries on whitelist, why?

I am currently using the WAF to block all countries not specifically on a whitelist from accessing my domain. However, it seems WAF is blocking access even from the supposed whitelisted countries.

Here is a screenshot of the Security Overview WAF Log showing an IP in the USA was blocked even though “US” should not have been blocked based on the “ne” WAF rule:

WAF whitelisted countries rule:
(ip.geoip.country ne “US”) or (ip.geoip.country ne “FR”) or (ip.geoip.country ne “GB”) or (ip.geoip.country ne “JP”) or (ip.geoip.country ne “IL”) or (ip.geoip.country ne “CA”) or (ip.geoip.country ne “ES”) or (ip.geoip.country ne “IT”)

How can this be fixed so only countries NOT in the list get blocked?

Thank you.

You’re using “or”, so matching any one of those conditions will block it.

Use “and”, or just move it to a list like not (ip.geoip.country in {“US”, …})

Thanks for the suggestion. I just tried to use:

(ip.geoip.country in {“US”,“FR”,“GB”,“JP”,“IL”,“CA”,“ES”,“IT”})

with an “Allow” option, and got this error trying to save the updated expression:

Filter parsing error (1:23): (ip.geoip.country in {“US”,“FR”,“GB”,“JP”,“IL”,“CA”,“ES”,“IT”}) ^^^^ invalid digit found in string while parsing with radix 16

I re-created the rule from scratch as it kept giving me an error when editing the expression, even with the correct syntax:

(ip.geoip.country in {“CA” “FR” “IL” “IT” “ES” “GB” “US” “JP”})

I then set it to “Allow”, therefore all the countries above should be allowed, and any country not matching the list should be denied, correct?

I tested by using the regular GUI, and it doesn’t put commas in there.


:see_no_evil:



OK, third time’s the charm.

Changed expression to:

not (ip.geoip.country in {“CA” “FR” “IL” “IT” “ES” “GB” “US” “JP”})

and set to “Block”. Hope this works better.
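To check the reasoning in the reply above and the final rule, here is an added example (not from this thread or from Cloudflare): a small evaluator for just the subset of the expression language used here (eq/ne/in, and/or/not, parentheses). The rule strings and country codes are constructed, written with straight quotes, and RULE_OR is the original “ne … or ne …” shape shortened to three countries.

```python
# Added example (not from the thread or Cloudflare): a small evaluator for the
# subset of the expression language used above (eq/ne/in, and/or/not, parens).
# Rules are constructed with straight quotes; curly quotes are not valid syntax.
import re
RULE_OR = '(ip.geoip.country ne "US") or (ip.geoip.country ne "FR") or (ip.geoip.country ne "GB")'
RULE_NOT_IN = 'not (ip.geoip.country in {"US" "FR" "GB"})'
TOKEN = re.compile(r'\s*(?:(\()|(\))|(\{[^}]*\})|"([A-Z]{2})"|([A-Za-z_.]+))')

def tokenize(expr):  # parens, {...} set literals, quoted 2-letter codes, words
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m: raise ValueError(f"parse error at {pos}: {expr[pos:pos + 10]!r}")
        tokens.append(m.group(m.lastindex)); pos = m.end()
    return tokens

def evaluate(expr, country):
    """Return True when the rule matches the request, i.e. it would be blocked."""
    toks, i = tokenize(expr), 0
    def peek(): return toks[i] if i < len(toks) else None
    def take(): nonlocal i; i += 1; return toks[i - 1]
    def expr_or():  # 'or' binds loosest, then 'and', then 'not'
        v = expr_and()
        while peek() == "or":
            take(); r = expr_and(); v = v or r
        return v
    def expr_and():
        v = expr_not()
        while peek() == "and":
            take(); r = expr_not(); v = v and r
        return v
    def expr_not():
        if peek() == "not":
            take(); return not expr_not()
        if peek() == "(":
            take(); v = expr_or()
            if take() != ")": raise ValueError("expected ')'")
            return v
        return comparison()
    def comparison():  # ip.geoip.country <op> <"XX" | {"XX" "YY"}>
        field, op, arg = take(), take(), take()
        if field != "ip.geoip.country" or op not in ("eq", "ne", "in"):
            raise ValueError(f"unsupported: {field} {op}")
        if op == "in":
            if "," in arg: raise ValueError("set members are space-separated")
            return country in set(re.findall(r'"([A-Z]{2})"', arg))
        return (country == arg) == (op == "eq")
    result = expr_or()
    if i != len(toks): raise ValueError("unexpected trailing tokens")
    return result
```

Running evaluate(RULE_OR, "US") returns True because “US” is not equal to “FR”, so every country matches that rule; evaluate(RULE_NOT_IN, "US") returns False while any unlisted code returns True, which is the behaviour the final rule is after.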