When you define a Firewall Rule with the Action = Allow, what exactly is allowed?
I ask because we have a block on a specific ASN.
We have also defined a Firewall Rule which says
(http.user_agent eq “Site24x7”) Then Allow
But if an http request comes in with the user agent = “Site24x7” and it is from an IP address within the ASN set that we have blocked, the ASN block will block the request, in spite of the user agent Allow rule.
Seems ASN blocks take priority over Firewall Rules that say Allow. Is that right?
Based on the documentation, it seems that the Allow action is mostly useful to allow users within a defined pattern to bypass other Firewall Rules (that need to be placed after the Allow rule), but not other Firewall features.
Allow - Matching requests are allowed to access the site, as long as no other Cloudflare Firewall features block the request, such as IP Firewall or Access Rules
Source:
In your case you could replace the IP Access Rule with a Firewall Rule to block the specific ASN, and either exclude the matching User Agent in the rule itself, or create a separate firewall rule with the Allow action and place it before the FR that blocks the ASN.
(ip.geoip.asnum eq 12345 and http.user_agent ne "Site24x7")