Description
Existing documentation URL(s)
https://developers.cloudflare.com/waf/tools/ip-access-rules/
https://developers.cloudflare.com/waf/tools/ip-access-rules/actions/
What changes are you suggesting?
The docs currently say:
From https://developers.cloudflare.com/waf/tools/ip-access-rules/actions/:
Allow: Excludes visitors from all security checks, including Browser Integrity Check, Under Attack mode, and the WAF. Use this option when a trusted visitor is being blocked by Cloudflare's default security features. The Allow action takes precedence over the Block action. Note that allowing a given country code will not bypass WAF managed rules (previous and new versions).
From https://developers.cloudflare.com/waf/tools/ip-access-rules/:
Warning
- Allowing an IP, ASN, or country will bypass any configured custom rules, rate limiting rules, and firewall rules (deprecated).
- Allowing a country will not bypass WAF Managed Rules or WAF managed rules (previous version).
It is not stated explicitly that IP-based Allow actions will bypass WAF Managed Rules. The negative case (Country-based rules NOT bypassing WAF managed rules) is explained explicitly, but it's left to the reader to assume that WAF Managed Rules are included in "Excludes visitors from all security checks, including ... the WAF".
Additional information
Suggesting edit per customer request in Support Case 01538797.