Yeah my address is in the IP whitelist. So this is a test environment that is mimicking something that I want to do in production.
In production it would be slightly different, the first rule is to block some known bots as the first rule, then the second rule is the login challenge.
In test environments, the first rule is to block everyone but the list of known IP’s, then the second is the login challenge.
If you whitelisted the address, firewall rules won’t fire.
Sorry, what do you mean by whitelist?
I am saying the first rule that blocks everything has a list of accepted IP’s.
That whitelist? Or is there another mechanism?
The question that you answered here.
Yeah, so the first rule that blocks everyone but my list of IP’s has my IP in it.
If that allows me in, no other rules fire? Is that what you are saying?
No, not the firewall rules. IP access rules
→ https://dash.cloudflare.com/?to=/:account/:zone/security/waf/tools
Oh, I didnt even see that one!
So yeah, my IP is in that list. Only in the test environment. Not in production. The list is empty in production.
If your address is listed here, it will skip firewall rules. That’s why you don’t get the challenge, but the challenge itself works.
Ok cool. That is new information! Awesome. That explains it then.
Thanks for your help!
I needed an explanation as to why this challenge wasnt firing in test. Now I know, I will apply the rule to production and check the challenge there.
IP access rules are generally more “authoritative” than firewall rules, as they can really whitelist addresses. Nonetheless, they are somewhat considered legacy and Cloudflare is planning on consolidating everything.
But yes, if you whitelist with an IP access rule, you pretty much give that address your blessing 
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.