Page Rules WAF Off doesn't work

Hi friends, I have a zone on the Enterprise Plan, and previously we had some WAF Managed Rules. I recently migrated the zone to the new WAF, and the migration assistant had a few "generated from pagerule" entries that corresponded with some Page Rules I have that skip the WAF. I erroneously believed these exceptions were not necessary because traffic hits Page Rules first before the WAF, and if a pagerule exists to skip the WAF, then ostensibly traffic would never hit the WAF downstream. So I removed the exceptions and carried on... However, this apparently isn't the case, and has been known for a while since the new WAF release (see https://community.cloudflare.com/t/bypass-waf-rule-inbound-anomaly-score-exceeded/278826/2). My question remains: in order to skip the WAF, is the best practice here on out to skip in the WAF and the relevant page rules are now deprecated, or is it the other way around but the WAF exceptions are a temporary mitigation until this long-standing misunderstanding is fixed?
12 Replies
lee (OP), 15mo ago
Hey there, thanks for the response. What does this mean for pagerules that turn off WAF?
lee (OP), 15mo ago
First let's both operate under the common understanding that traffic hits pagerules first, then WAF later down the line:
lee (OP), 15mo ago
I can then have a page rule where the setting is WAF: off:
lee (OP), 15mo ago
But this didn't seem to be respected, and I had to recreate a WAF managed rule that the migration wizard had that I originally deleted.
lee (OP), 15mo ago
So does that mean the pagerules WAF off setting is deprecated?
Erisa, 15mo ago
Page rules turning off WAF isn't supported in the new version; as mentioned, you should use custom rules or WAF exceptions.
Erisa, 15mo ago
It's unlikely that functionality will be added to page rules given that page rules are on their way towards being deprecated in future and replaced with the new types of rules https://blog.cloudflare.com/future-of-page-rules/
lee (OP), 15mo ago
Appreciate the response! I didn't realize Page Rules was also on its way out. Has an EOL been announced yet?
Erisa, 15mo ago
No. This line from the blog is still accurate:
"Page Rules is not going away yet, but we do anticipate being able to formally begin the end-of-life process soon."
There is a replacement in other Rules products for every page rule feature; for WAF bypass this is the two mentioned here (custom rules and managed rule exceptions). Some of the other Rules products are still in beta, so it makes sense that page rules are still around.
lee (OP), 15mo ago
Got it, so I would assume it's safe to remove the relevant pagerules after the equivalent WAF rules are made? And eventually need to assess all other pagerules and find a new home for them once they're all out of blahaj. Thank you, appreciate the context and the heads up!
Erisa, 15mo ago
"so I would assume it's safe to remove the relevant pagerules after the equivalent WAF rules are made?"
Yes.
"and eventually need to assess all other pagerules and find a new home for them once they're all out of beta."
Eventually yes, though I suspect the details of the deprecation process when that happens may make things easier. It's not required to worry about at the moment.
lee (OP), 15mo ago
clean up the depped WAF skip pagerules then and will await future notices, thanks again!
