Will a Firewall Rule override a Managed Rule?

We would like to write a Firewall Rule that describes a special situation: a specific Host, a specific IP address, or a combination of a few different attributes. We will give this firewall rule the action Allow.

Our question is this… When the Firewall Rule is triggered with the action Allow, will it override one of Cloudflare’s Managed Rules that is set to Block?

In other words, if both a Managed Rule fires that indicates Block and a Firewall Rule fires and indicates Allow for the same request, which will win? Will the request be Blocked or Allowed?

Similarly, will a Firewall Rule that says Allow override a Rate Limiting Rule that says Block? In my experience, it appears that this is so.

I can tell that an IP Block or Whitelist will always win no matter what other rules might indicate.

Can you prioritize the different types of rules? Here is my guess:

Highest Priority
IP Access Rule
Page Rule
Firewall Rule
Cloudflare Managed Rule (WAF)
Rate Limiting Rule
Lowest Priority

Is this documented anywhere?

Hi @rongordon,

I have been pushing for this to be documented somewhere official for a while!

For now, the best we have is:


Also, this might help:

Although it does seem to be slightly different to the one in the post linked to above!

@alexcf are you able to clarify, please!


A Firewall Rule with Allow action will not whitelist the URL for any other Cloudflare feature. Allow will only avoid other challenge/block actions in other firewall rules. EDIT: …but only IF the firewall rules are properly prioritized, with the Allow rule coming before the challenge/block rule.

Allow - Matching requests are allowed to access the site, as long as no other Cloudflare Firewall features block the request, such as IP Firewall or Access Rules

From:

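The ordering rule stated in the reply above (an Allow firewall rule short-circuits only the firewall rules ordered after it, and exempts the request from nothing else) can be made concrete with a small model. This is an added illustration, not Cloudflare's code and not code posted by anyone in this thread; the product names come from the thread, while the evaluation order between products (IP Access Rules checked first, then Firewall Rules, then Managed Rules), the request fields and the sample IP and path are assumptions of the model.

```python
"""Model of the firewall-rule ordering semantics described in the thread.

Assumptions (not documented Cloudflare behaviour):
- IP Access Rules are checked before Firewall Rules and always win.
- Firewall Rules are evaluated in priority order; the first match decides.
- Managed Rules are evaluated independently of any Firewall Rule "allow".
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]          # constructed shape: host, ip, path
Predicate = Callable[[Request], bool]


@dataclass
class FirewallRule:
    description: str
    matches: Predicate
    action: str                   # "allow", "block" or "challenge"


def evaluate_firewall_rules(rules: List[FirewallRule], request: Request) -> Optional[str]:
    """Return the action of the first matching rule in priority order, or None.

    An "allow" placed after a "block" never gets a chance to fire: this is
    the ordering caveat from the reply above.
    """
    for rule in rules:
        if rule.matches(request):
            return rule.action
    return None


def decide(request: Request,
           ip_access_blocks: Predicate,
           firewall_rules: List[FirewallRule],
           managed_rule_blocks: Predicate) -> Tuple[str, str]:
    """Overall verdict as (action, product_that_decided)."""
    if ip_access_blocks(request):
        return ("block", "ip_access_rule")
    fw_action = evaluate_firewall_rules(firewall_rules, request)
    if fw_action in ("block", "challenge"):
        return (fw_action, "firewall_rule")
    # A firewall "allow" does NOT whitelist the request for Managed Rules.
    if managed_rule_blocks(request):
        return ("block", "managed_rule")
    return ("allow", "firewall_rule" if fw_action == "allow" else "default")


# --- constructed sample rules and request (hypothetical values) ---
def partner_ip(req: Request) -> bool:
    return req["ip"] == "203.0.113.10"          # documentation range, made up


def admin_path(req: Request) -> bool:
    return req["path"].startswith("/admin")


def never(req: Request) -> bool:
    return False


ALLOW_PARTNER = FirewallRule("allow partner IP", partner_ip, "allow")
BLOCK_ADMIN = FirewallRule("block /admin for everyone", admin_path, "block")
PARTNER_REQUEST: Request = {"host": "www.example.com",
                            "ip": "203.0.113.10",
                            "path": "/admin/login"}


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Four orderings of the same request; see the usage note for meaning."""
    return {
        # Allow is ordered before Block: the partner reaches /admin.
        "allow_first": decide(PARTNER_REQUEST, never, [ALLOW_PARTNER, BLOCK_ADMIN], never),
        # Same two rules, Block first: the Allow rule never fires.
        "block_first": decide(PARTNER_REQUEST, never, [BLOCK_ADMIN, ALLOW_PARTNER], never),
        # Allow fires, but a Managed Rule matching /admin still blocks.
        "managed_rule_still_fires": decide(PARTNER_REQUEST, never, [ALLOW_PARTNER, BLOCK_ADMIN], admin_path),
        # An IP Access Rule block beats the firewall Allow outright.
        "ip_access_rule_wins": decide(PARTNER_REQUEST, partner_ip, [ALLOW_PARTNER], never),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26s} -> {verdict}")
```

Rate Limiting and the Page Rule "Web Application Firewall = OFF" setting are deliberately left out of the model, since the thread does not confirm how they interact with a firewall Allow.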

OK. Understood. A Firewall Rule with the action Allow will override other lower priority Firewall Rules that might match and have the action Block. Would like to get clarification on the following additional situations:

One…
Our experience indicates that a Firewall Rule with Allow will override a Rate Limiting Rule that might otherwise fire with the Action Block. Can you confirm that this is the case? It seems that requests that come into Cloudflare that are matched by a Firewall Rule that says Allow are never counted by matching Rate Limiting Rules. Maybe such requests, once matched by a Firewall Rule that has the action Match, never even go through the Rate Limiting Rule logic?

Two…
Will a Page Rule with the setting Web Application Firewall = OFF override a Managed Rule that is enabled and fires with the action Block?

Thank you!

We have a new feature coming in the next couple of weeks which will allow you to bypass what you need. Lookout for the “Bypass” in the dropdown menu.

NOTE: I re-read this and I thought you said the entirety of Managed Rules, not a single rule. This capability will only allow you to turn off a feature (i.e. Managed Rules, and/or Rate Limiting etc…) based on your criteria. If you know what the false positive is, you could craft a very strategic Firewall Rule to do your bypass.

