I created a firewall rule and the Google-bot is being blocked. Why?
Good question. From the icon next to the Rule ID, it looks like you’ve changed the rule. What did you change?
I think the old rule was in action during the 5 minutes after I had changed the rule. I will look.
Still, I do not understand why this rule was triggered and the visitor blocked?! I think the WAF is not working correctly.
That one’s blocked because it’s RU, and the path doesn’t contain yandex.
So, how do I create a rule for RU so that a request is not blocked if the path contains /yandex.zen or /yandex.zen/ or the user-agent is Admin108 (any URI), but otherwise all RU is blocked?
I want to create one rule with multiple parameters, but I can’t understand the logic behind how WAF works: OR, AND…
I need:
- All requests from RU are blocked, except for requests from user-agent Admin111 containing any URI.
- All requests from RU are blocked, except for requests containing the /yandex.zen URI, containing any user-agent.
- All requests from RU are blocked, except for requests containing the /yandex.zen/ URI, containing any user-agent.
Can this be combined into one rule?
Yes. Since /yandex.zen/ contains /yandex.zen, you can drop item 3. And since both items 1 and 2 have ip.geoip.country eq "RU", you should use parentheses to combine the two exceptions, so that one does not negate the other. This can only be done in the Expression Editor:
(ip.geoip.country eq "RU" and not (http.user_agent contains "Admin111" or http.request.uri.path contains "/yandex.zen"))
Thank you, but is it ok now? Only the Expression Editor is shown:
And when I click the Use expression builder on this page, then:
I think the question is not solved for me at the moment…
Seems it is working, at least for now. Thank you.
It should be.
Once you make use of any feature in the Expression Editor that is not supported by the Expression Builder, such as the parentheses grouping two conditions, or the use of certain functions such as lower() etc., you cannot go back to the Expression Builder for that rule; if you do, it will discard the whole content of the rule and you will need to set it up again.
Seems that the rule is not working for me. I am testing from the mobile with the RU IP address and I am not being blocked by this rule:
Should it really work in this format? Any Cloudflare support here?
- Cloudflare uses the MaxMind database for geolocation. Using their tool, is the IP you are testing showing as coming from Russia?
- Do you have other WAF Custom Rules or any IP Access Rules with action set to Allow/Skip?
Here are the screenshots made just now (07:20 PM) of Events for this rule. It stopped blocking just after I applied the combined rule you showed. As you can see on the first screenshot, it is more than 3 hours since the last time the rule was triggered.
My mobile address is 5.141.103.212 and AS12389 - this is not mentioned in any other rules.
If you provide your Telegram address or contact me at @RPG_Support I will provide more screenshots.
Can you please paste here the expression of your rule that is not working? It seems you’ve added other paths and didn’t notice at first. No screenshot, please, please paste as code the expression of the rule only.
Sure:
(ip.geoip.country eq "UA") or (http.user_agent eq "Barkrowler") or (ip.geoip.country eq "CN") or (ip.geoip.country eq "BY") or (ip.geoip.country eq "PL") or (ip.geoip.country eq "RU" and not (http.user_agent contains "Admin108" or http.request.uri.path contains "/yandex.zen" or http.request.uri.path contains "/videos.xml" or http.request.uri.path contains "/images.xml" or http.request.uri.path contains "/rss" or http.request.uri.path contains "/8-global.xml" or http.request.uri.path contains "/9-global-videos.xml"))
When I suggested you join two conditions with parentheses, you then added other conditions with the “or not” operator, in fact creating a negation of a negation. Remove every “not” from within the parentheses.
As for the other rules, disable them all, to test if this rule, after you fix it, works as intended, with your mobile phone being blocked as expected.
If it does work, then enable one of these other rules, test again. If it works in combination with the one you just fixed, disable it and enable another of your rules. Test again, repeat this process until all 4 rules have been tested.
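To see why the outer "not" plus an inner "not" flips the rule, here is an added example (not from the thread or from Cloudflare) that models the final rule's logic in Python and evaluates it against constructed sample requests. The three request fields stand in for ip.geoip.country, http.user_agent and http.request.uri.path; the country list and the exempt paths are copied from the final rule in this thread. The "double negation" variant is a constructed illustration of the mistake described above (one stray "not" before the "/rss" condition), not the exact expression the poster had.

```python
from dataclasses import dataclass


# Field names follow the Cloudflare rule language used in the thread.
@dataclass(frozen=True)
class Request:
    country: str     # ip.geoip.country
    user_agent: str  # http.user_agent
    path: str        # http.request.uri.path


# Values copied from the final rule posted in the thread.
BLOCKED_COUNTRIES = {"UA", "CN", "BY", "PL"}
RU_EXEMPT_PATHS = ("/yandex.zen", "/videos.xml", "/images.xml", "/rss",
                   "/8-global.xml", "/9-global-videos.xml")


def ru_exception(req: Request) -> bool:
    """The parenthesised group:
    (http.user_agent contains "Admin108" or http.request.uri.path contains "/yandex.zen" or ...)
    'contains' in the rule language is a case-sensitive substring match, like Python's 'in'."""
    return "Admin108" in req.user_agent or any(p in req.path for p in RU_EXEMPT_PATHS)


def rule_fixed(req: Request) -> bool:
    """True means the request matches the rule, i.e. it gets the Block action.
    Mirrors: (country eq "UA") or (user_agent eq "Barkrowler") or (country eq "CN") or ...
             or (country eq "RU" and not (<ru_exception>))."""
    return (req.country in BLOCKED_COUNTRIES
            or req.user_agent == "Barkrowler"
            or (req.country == "RU" and not ru_exception(req)))


def rule_double_negation(req: Request) -> bool:
    """Constructed illustration of the mistake described in the thread: one extra
    'not' slipped inside the group, as in
        ... or http.request.uri.path contains "/yandex.zen"
            or not http.request.uri.path contains "/rss")
    The outer 'not' then cancels the inner one, and the exception list becomes
    true for almost every RU request, so almost nothing from RU is blocked."""
    inner = ("Admin108" in req.user_agent
             or "/yandex.zen" in req.path
             or not ("/rss" in req.path))      # the stray inner 'not'
    return (req.country in BLOCKED_COUNTRIES
            or req.user_agent == "Barkrowler"
            or (req.country == "RU" and not inner))


# Constructed sample traffic (not real log data).
SAMPLE = [
    Request("RU", "Mozilla/5.0", "/"),
    Request("RU", "Mozilla/5.0", "/rss"),
    Request("RU", "Mozilla/5.0", "/yandex.zen/feed"),
    Request("RU", "Admin108/1.0", "/admin/anything"),
    Request("UA", "Mozilla/5.0", "/"),
    Request("US", "Barkrowler", "/"),
    Request("US", "Mozilla/5.0", "/"),
]


def compare(requests=SAMPLE):
    """Return (request, blocked_by_fixed_rule, blocked_by_buggy_rule) for each request."""
    return [(r, rule_fixed(r), rule_double_negation(r)) for r in requests]


def leaked_ru(requests=SAMPLE):
    """Requests the fixed rule blocks but the double-negation variant lets through."""
    return [r for r, fixed, buggy in compare(requests) if fixed and not buggy]


if __name__ == "__main__":
    for r, fixed, buggy in compare():
        print(f"{r.country:2} {r.user_agent:12} {r.path:18} fixed={fixed!s:5} buggy={buggy!s:5}")
    print("leaked by the buggy rule:", leaked_ru())
```

Running it shows the ordinary RU request to "/" blocked by the fixed rule and passed by the double-negation variant, while the RU request to "/rss" comes out the other way round: the stray "not" does not just weaken the rule, it inverts the exception. That is the same symptom reported in the thread (the rule "stopped blocking" as soon as the extra conditions went in). Whenever you edit a rule with a negated group, re-test with one request that should be blocked and one per exception that should pass, exactly as the testing procedure above suggests.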
I think I got the proper result now with this. Thank you!
(ip.geoip.country eq "UA") or (http.user_agent eq "Barkrowler") or (ip.geoip.country eq "CN") or (ip.geoip.country eq "BY") or (ip.geoip.country eq "PL") or (ip.geoip.country eq "RU" and not (http.user_agent contains "Admin108" or http.request.uri.path contains "/yandex.zen" or http.request.uri.path contains "/videos.xml" or http.request.uri.path contains "/images.xml" or http.request.uri.path contains "/rss" or http.request.uri.path contains "/8-global.xml" or http.request.uri.path contains "/9-global-videos.xml"))