When you define a Firewall Rule with the Action = Allow, what exactly is allowed?
I ask because we have a block on a specific ASN.
We have also defined a Firewall Rule which says
(http.user_agent eq "Site24x7") Then Allow
But if an http request comes in with the user agent = “Site24x7” and it is from an IP address within the ASN set that we have blocked, the ASN block will block the request, in spite of the user agent Allow rule.
Seems ASN blocks take priority over Firewall Rules that say Allow. Is that right?
Currently, I believe the different rules fire in the following order:
IP Access Rules
User Agent Blocking
which probably explains the behaviour you are seeing.
Based on the documentation, it seems that the Allow action is mostly useful to allow users within a defined pattern to bypass other Firewall Rules (that need to be placed after the Allow rule), but not other Firewall features.
Allow - Matching requests are allowed to access the site, as long as no other Cloudflare Firewall features block the request, such as IP Firewall or Access Rules
In your case you could replace the IP Access Rule with a Firewall Rule to block the specific ASN, and either exclude the matching User Agent in the rule itself, or create a separate firewall rule with the Allow action and place it before the FR that blocks the ASN.
(ip.geoip.asnum eq 12345 and http.user_agent ne "Site24x7")
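The behaviour discussed in this thread, as an added example that is not part of the original posts and not Cloudflare's code: a simplified Python model that assumes IP Access Rules run before Firewall Rules and that the first matching Firewall Rule decides. The function and rule names are hypothetical, 12345 is the placeholder ASN from the expression above, and the sample requests are constructed.

```python
# Simplified model of the evaluation order described in this thread (an
# assumption for illustration, not Cloudflare's implementation).
SITE24X7 = "Site24x7"   # user agent from the thread
BLOCKED_ASN = 12345     # placeholder ASN from the answer's expression

def evaluate(request, ip_access_rules, firewall_rules):
    """Return (decision, deciding_rule) for a dict with 'asn' and 'user_agent'."""
    # Phase 1: IP Access Rules. A block here is final; Firewall Rules never run.
    for asn, action in ip_access_rules:
        if request["asn"] == asn and action == "block":
            return ("block", "ip_access_rule")
    # Phase 2: Firewall Rules in listed order. An Allow match only skips the
    # Firewall Rules that come after it.
    for name, predicate, action in firewall_rules:
        if predicate(request):
            return (action, name)
    return ("allow", "default")

def is_monitor(r):
    return r["user_agent"] == SITE24X7

def from_asn(r):
    return r["asn"] == BLOCKED_ASN

# Setup from the question: ASN blocked by an IP Access Rule, UA allowed by a Firewall Rule.
original = dict(ip_access_rules=[(BLOCKED_ASN, "block")],
                firewall_rules=[("allow_monitor", is_monitor, "allow")])
# Option 1 from the answer: one Firewall Rule that excludes the user agent.
option_exclude = dict(ip_access_rules=[], firewall_rules=[
    ("block_asn_except_monitor", lambda r: from_asn(r) and not is_monitor(r), "block")])
# Option 2 from the answer: a separate Allow rule placed before the ASN block.
option_ordered = dict(ip_access_rules=[], firewall_rules=[
    ("allow_monitor", is_monitor, "allow"), ("block_asn", from_asn, "block")])
# Same two rules in the wrong order: the block matches first.
misordered = dict(ip_access_rules=[], firewall_rules=[
    ("block_asn", from_asn, "block"), ("allow_monitor", is_monitor, "allow")])

# Constructed sample requests, both from the blocked ASN.
monitor = {"asn": BLOCKED_ASN, "user_agent": SITE24X7}
other = {"asn": BLOCKED_ASN, "user_agent": "Mozilla/5.0"}

if __name__ == "__main__":
    for label, cfg in [("original", original), ("exclude", option_exclude),
                       ("ordered", option_ordered), ("misordered", misordered)]:
        print(label, evaluate(monitor, **cfg), evaluate(other, **cfg))
```

Because the User-Agent header is set by the client, both working variants exempt any request from that ASN that carries this string; adding a source-IP condition to the exception narrows it.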