Skip to content

Clarify if IP Access Rule (IP-based) bypasses WAF Managed Rules #22828

Open
@cf-bzhuang

Description

@cf-bzhuang

Existing documentation URL(s)

https://developers.cloudflare.com/waf/tools/ip-access-rules/
https://developers.cloudflare.com/waf/tools/ip-access-rules/actions/

What changes are you suggesting?

The docs currently say:

From https://developers.cloudflare.com/waf/tools/ip-access-rules/actions/:

Allow: Excludes visitors from all security checks, including Browser Integrity Check, Under Attack mode, and the WAF. Use this option when a trusted visitor is being blocked by Cloudflare's default security features. The Allow action takes precedence over the Block action. Note that allowing a given country code will not bypass WAF managed rules (previous and new versions).

From https://developers.cloudflare.com/waf/tools/ip-access-rules/:

Warning

It is not stated explicitly that IP-based Allow actions will bypass WAF Managed rules. The negative case (Country-based rules NOT bypassing WAF managed rules) is explained explicitly, but it's left to the reader to assume that WAF Managed Rules are included in "Excludes visitors from all security checks, including ... the WAF"

Additional information

Suggesting edit per customer request in Support Case 01538797

Metadata

Metadata

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions