Page Rules WAF Off doesn't work
Hi friends, I have a zone on the Enterprise Plan, and previously we had some WAF Managed Rules. I recently migrated the zone to the new WAF, and the migration assistant had a few "generated from pagerule" entries that corresponded with some Page Rules I have that skip the WAF.
I erroneously believed these exceptions were not necessary because traffic hits Page Rules first before the WAF, and if a pagerule exists to skip the WAF, then ostensibly traffic would never hit the WAF downstream. So I removed the exceptions and carried on...
However this apparently isn't the case, and has been known for a while since the new WAF release (see https://community.cloudflare.com/t/bypass-waf-rule-inbound-anomaly-score-exceeded/278826/2)
My question remains: in order to skip the WAF, is the best practice from here on out to skip in the WAF and the relevant page rules are now deprecated, or is it the other way around but the WAF exceptions are a temporary mitigation until this long-standing misunderstanding is fixed?
Hey there, thanks for the response. What does this mean for pagerules that turn off WAF?
First let's both operate under the common understanding that traffic hits pagerules first, then WAF later down the line:
I can then have a page rule where the setting is WAF: off:
But this didn't seem to be respected, and I had to recreate a WAF managed rule that the migration wizard had that I originally deleted.
So does that mean the pagerules WAF off setting is deprecated?
Page rules turning off WAF isn't supported in the new version; as mentioned, you should use custom rules or WAF exceptions.
It's unlikely that functionality will be added to page rules given that page rules are on their way towards being deprecated in future and replaced with the new types of rules https://blog.cloudflare.com/future-of-page-rules/
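One way to plan the migration the reply above recommends, as an added example that is not part of the original thread or Cloudflare's own tooling: it finds active Page Rules with WAF: off and drafts the matching `skip` exception rules for the `http_request_firewall_managed` phase, refusing to translate URL patterns it cannot narrow safely. The sample rules and the Page Rule JSON shape are constructed assumptions, and the helper names are hypothetical.

```python
import json

# Constructed sample, shaped like Page Rules API objects (shape is an assumption).
SAMPLE_PAGE_RULES = [
    {"id": "pr-1", "status": "active",
     "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "*example.com/api/upload/*"}}],
     "actions": [{"id": "waf", "value": "off"}]},
    {"id": "pr-2", "status": "active",
     "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "example.com/static/*"}}],
     "actions": [{"id": "cache_level", "value": "cache_everything"}]},
    {"id": "pr-3", "status": "active",
     "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "example.com/*/admin*"}}],
     "actions": [{"id": "waf", "value": "off"}]},
]

def pattern_to_expression(pattern):
    """Translate '[*]host/prefix*' into a Rules expression, or None for any other shape."""
    host, _, path = pattern.partition("/")
    bare_host, prefix = host.lstrip("*"), "/" + path[:-1]
    if ("://" in pattern or '"' in pattern or not bare_host or "*" in bare_host
            or not path.endswith("*") or "*" in prefix):
        return None  # too irregular to translate without risking an over-broad skip
    host_expr = (f'ends_with(http.host, "{bare_host}")' if host.startswith("*")
                 else f'http.host eq "{bare_host}"')
    return f'({host_expr} and starts_with(http.request.uri.path, "{prefix}"))'

def plan_waf_exceptions(page_rules):
    """Return (draft skip rules, ids of Page Rules that need manual translation)."""
    rules, manual = [], []
    for pr in page_rules:
        waf_off = any(a.get("id") == "waf" and a.get("value") == "off" for a in pr["actions"])
        if pr.get("status") != "active" or not waf_off:
            continue  # only active WAF: off rules lose their effect after migration
        expr = pattern_to_expression(pr["targets"][0]["constraint"]["value"])
        if expr is None:
            manual.append(pr["id"])
            continue
        rules.append({"action": "skip",
                      "action_parameters": {"ruleset": "current"},  # skip remaining managed rules
                      "expression": expr,
                      "description": f"Replaces Page Rule {pr['id']} (WAF: off)",
                      "enabled": True})
    return rules, manual

if __name__ == "__main__":
    drafted, needs_review = plan_waf_exceptions(SAMPLE_PAGE_RULES)
    print(json.dumps(drafted, indent=2))
    print("Translate by hand:", needs_review)
```

Each drafted rule has to sit above the rules that execute the managed rulesets in the zone's entry point ruleset, otherwise the managed rules are evaluated before the skip applies.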
Appreciate the response! I didn't realize Page Rules was also on its way out. Has an EOL been announced yet?
No
This line from the blog is still accurate
"Page Rules is not going away yet, but we do anticipate being able to formally begin the end-of-life process soon."
There is a replacement in other Rules products for every page rule feature. For WAF bypass, this is the two mentioned here (custom rules and managed rule exceptions). Some of the other Rules products are still in beta, so it makes sense that page rules are still around.
Got it, so I would assume it's safe to remove the relevant pagerules after the equivalent WAF rules are made? and eventually need to assess all other pagerules and find a new home for them once they're all out of beta. Thank you, appreciate the context and the heads up!
"so I would assume it's safe to remove the relevant pagerules after the equivalent WAF rules are made?"
Yes
"and eventually need to assess all other pagerules and find a new home for them once they're all out of beta."
Eventually yes, though I suspect the details of the deprecation process when that happens may make things easier. It's not required to worry about at the moment.
clean up the depped WAF skip pagerules then and will await future notices, thanks again!