WAF not blocking access to admin page of our website

I'm trying to use a WAF custom rule to block access to the /admin section of our website except when browsing to it from our office (with external IP of a.b.c.d). I've tried a few custom rules and none of them work.

(not ip.src in $cambridgehq and http.request.uri.path in {"/admin"})

(http.request.uri.path contains "/admin/" and ip.src ne a.b.c.d)

(not ip.src in {a.b.c.d} and http.request.uri contains "/admin")

What am I missing here?!

Thanks in advance for any pointers

Are the relevant DNS records proxied (and not set to “DNS only”)?

Does your IP list include all the IPs from your office? (Some people forget they have IPv6.)

I’d ask for the URL, but you probably don’t want that public!


Yes, there are A records in DNS for .domain.com and www.domain.com - both are proxied by Cloudflare.
We only have one outbound IP address from our on-premise firewall, and that is represented by a.b.c.d in my example above.
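
An added example, not part of any post in this thread: a simplified Python model of the three expressions above, showing which requests each one matches. It assumes that `in {...}` is exact set membership, that `contains` is a case-sensitive substring test, and that `http.request.uri` is the path plus the query string; the office address 203.0.113.10 (standing in for a.b.c.d) and all sample requests are constructed.

```python
# Simplified model of the three custom-rule expressions from the thread.
# Assumptions: `in {...}` is exact membership, `contains` is a case-sensitive
# substring test, and http.request.uri is the path plus the query string.
import ipaddress

OFFICE = {ipaddress.ip_address("203.0.113.10")}  # constructed stand-in for a.b.c.d


def rule1(ip, path, query):
    # (not ip.src in $cambridgehq and http.request.uri.path in {"/admin"})
    return ip not in OFFICE and path in {"/admin"}


def rule2(ip, path, query):
    # (http.request.uri.path contains "/admin/" and ip.src ne a.b.c.d)
    return "/admin/" in path and ip not in OFFICE


def rule3(ip, path, query):
    # (not ip.src in {a.b.c.d} and http.request.uri contains "/admin")
    uri = path + ("?" + query if query else "")
    return ip not in OFFICE and "/admin" in uri


RULES = {"rule1": rule1, "rule2": rule2, "rule3": rule3}

# Constructed sample requests: (source IP, path, query string)
SAMPLES = [
    ("198.51.100.7", "/admin", ""),
    ("198.51.100.7", "/admin/", ""),
    ("198.51.100.7", "/admin/users", ""),
    ("198.51.100.7", "/Admin/users", ""),
    ("198.51.100.7", "/blog", "next=/admin"),
    ("2001:db8::7", "/admin/users", ""),
    ("203.0.113.10", "/admin/users", ""),
]


def matches(src, path, query=""):
    """Return the names of the rules whose expression matches the request."""
    ip = ipaddress.ip_address(src)
    return [name for name, rule in RULES.items() if rule(ip, path, query)]


if __name__ == "__main__":
    for src, path, query in SAMPLES:
        hit = matches(src, path, query) or ["no rule matches"]
        print(f"{src:<14} {path + ('?' + query if query else ''):<22} {', '.join(hit)}")
```

A match here only means the expression evaluates to true for that request; the model does not cover the rule's action, rule ordering, or whether the hostname is proxied.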
