WAF rules not working

I set up two rules to 1) allow the IP to access a URI, and 2) deny all else if not in the IP range.
From the firewall events, the error displays after the second rule is triggered and always records an IPv6 address. (I don’t know if that matters, since I’m adding IPv4 addresses in the rules ONLY, as you can see from the screenshot below.) I’ve also updated the certificate level from Flexible to Full, as this can cause issues as well. Do I still need to apply the correct subnet mask, or can an incorrect subnet mask cause errors?

  1. Full is still not secure; it should be Full (Strict).
  2. If you have a blocking rule, you probably do not even need a whitelisting rule.

What exactly is not working?

It sounds like your rule isn’t doing what you expect because you are accessing the URI via IPv6, which will obviously never match an IPv4 pattern.

You can confirm your IPv6 connectivity to see if that is a possible cause.

If your issue is that your requests are blocked with an IPv6 address, then it’s quite obvious that they will be blocked, because you have specifically instructed Cloudflare to do so by exclusively whitelisting that 157 IPv4 address. Though that should be pretty self-evident.

You’ll need to whitelist your IPv6 address in that case as well, or the entire ASN.


It only works if I add the IPv6 address, not IPv4. (Even when I type the host IPv4 address, only IPv6 works.)

Well, as I mentioned, if you send a request from an IPv6 address, you naturally have to whitelist that address.

What is the actual issue? Are you saying you are sending such a request and don’t know why it does not work?


Not sure why it only recognizes IPv6 and bypasses IPv4. Is there a setting in the WAF that checks for either one, or is precedence given to devices with IPv6?

It doesn’t do that, but if you send a request from an IPv6 address, then any configuration for IPv4 will obviously not fire.

You need to check which addresses you are actually using and whitelist them, not just any random address.

Also, you probably do not need two rules.

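The behaviour the replies describe, as an added example that is not part of the thread and not Cloudflare's rule engine: a small Python simulation of an allow rule plus a "deny everything not in the list" rule, run over constructed firewall events. The addresses (a hypothetical 157.0.0.0/24 allow list, an IPv6 client in the 2001:db8:: documentation range, and a third unrelated IPv4 client) and the `/admin` URI are assumptions standing in for the screenshot. It shows why an IPv6 client can never match an IPv4 entry and so trips the deny rule, that adding the client's IPv6 prefix fixes it, that the single deny rule yields the same decisions as the pair, and, for the subnet-mask question, that a prefix whose mask does not cover the address's host bits is a malformed range (Python's `ipaddress` rejects it in strict mode and silently widens it otherwise).

```python
"""Simulation of the allow/deny rule pair from the thread.

Constructed example: this is NOT Cloudflare's engine, only the same
"is the source address inside this list of networks" check done with
the standard library, so the IPv4-vs-IPv6 mismatch can be seen directly.
"""
import ipaddress

# Hypothetical allow list, standing in for the screenshot's 157.x entry.
ALLOWED = ["157.0.0.0/24"]
PROTECTED_URI = "/admin"  # assumed URI from rule 1 ("allow the IP to access a URI")

# Constructed firewall events: (source address, requested URI).
SAMPLE_EVENTS = [
    ("157.0.0.5", "/admin"),      # IPv4 client inside the allow list
    ("2001:db8::1", "/admin"),    # same person, connecting over IPv6
    ("198.51.100.7", "/admin"),   # unrelated IPv4 client
]


def matches(src: str, networks) -> bool:
    """True if src lies inside any listed network.

    Address family is part of the comparison: an IPv6 source can never be
    inside an IPv4 network, so an IPv4-only allow list simply never matches
    an IPv6 client. (ipaddress already returns False across families; the
    explicit version check just makes the reason visible.)
    """
    ip = ipaddress.ip_address(src)
    for entry in networks:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def evaluate_two_rules(src: str, uri: str, allow_list):
    """Rule 1: allow listed IPs to the protected URI (terminates evaluation).
    Rule 2: block anything whose source is not in the list.
    Returns (decision, rule number that fired or None)."""
    if uri == PROTECTED_URI and matches(src, allow_list):
        return ("allow", 1)
    if not matches(src, allow_list):
        return ("block", 2)
    return ("allow", None)  # no rule matched; default action


def evaluate_single_rule(src: str, uri: str, allow_list):
    """The reply's point: the block rule alone produces the same decisions,
    because everything rule 1 would allow is already exempt from rule 2."""
    if not matches(src, allow_list):
        return ("block", 1)
    return ("allow", None)


def run(events, allow_list, evaluator=evaluate_two_rules):
    """Evaluate every event; returns the list of (decision, rule) tuples."""
    return [evaluator(src, uri, allow_list) for src, uri in events]


def cidr_has_host_bits(cidr: str) -> bool:
    """Subnet-mask check: '157.0.0.5/24' has host bits set beyond its /24
    mask. ipaddress rejects it in strict mode; with strict=False it would be
    widened to 157.0.0.0/24, which may be a larger range than intended."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for events_label, allow in (("IPv4 only", ALLOWED),
                                ("IPv4 + IPv6 prefix", ALLOWED + ["2001:db8::/64"])):
        print(f"allow list ({events_label}): {allow}")
        for (src, uri), result in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, allow)):
            print(f"  {src:>14} {uri}: {result}")
    print("157.0.0.5/24 malformed:", cidr_has_host_bits("157.0.0.5/24"))
```

Run stand-alone it prints the decision for each constructed event under both allow lists; the IPv6 event flips from blocked by rule 2 to allowed by rule 1 only once the IPv6 prefix is added, which is exactly the "you have to whitelist the address you are actually using" answer above.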
