WAF rules being bypassed

I’m having an issue whereby traffic seems to be bypassing my WAF configuration.

I have the following rules:

  1. SKIP - A bunch of source IPs, mostly IPv4 /32’s and a single IPv6 /64
  2. BLOCK - Wordpress lockdown, block some endpoints if the source IP isn’t an IPv4 /32 or an IPv6 /64
  3. BLOCK - Block some bad countries
  4. Managed Challenge - Challenge requests if the continent is not Africa
  5. SKIP - If the continent is Africa or not Africa, SKIP the traffic and log the result (ie a catch-all rule to log traffic)

All rules have the logging enabled, but I’m still receiving traffic from non-African countries which are attempting to log into my Wordpress instance and being blocked by my security plugin. The source IPs are taken from the TrueClientIP header so the requests are definitely coming through Cloudflare, but I cannot find any WAF logs for this traffic to determine why it’s not being challenged or blocked by the WAF.

Any ideas? Anything I can try?

Turns out requests were arriving on a completely unrelated Host header. Fixed that, and the problem has gone away.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.