Firewall is blocking some legitimate traffic to our API servers
I've been watching the firewall events for our domain, and some traffic that I think is legitimate (based on the user agent) is being blocked. The traffic in question is from China, which may explain it. Is the best option to simply lower the security level with a configuration rule? It's already on Low.
14 Replies
It'll tell you the matched service/service blocking it. If it's because of IP Reputation/Security Level, then that would be your best option. You can just change it globally via Security -> Settings
The reason is badHost, which I think is IP reputation?
BadHost: "The value BadHost indicates that a bad host header or no host header was used in the request"
https://developers.cloudflare.com/logs/reference/glossary/#badhost
Ah, interesting
I did Google "Cloudflare firewall badhost" but that didn't come up
As for Security Level, it just challenges people with specific Threat Scores:
https://developers.cloudflare.com/waf/tools/security-level/
Low is greater than 24, Essentially off is greater than 49
China's firewall is a bit interesting, maybe that's interfering?
The SNI (part of TLS) is matching up (hence why it can even know it's to your site), but the host header isn't equal or set at all. I don't think you can disable that protection at all? Not sure though
Wait, hang on.
The rule is badScore but the class is badHost
Is there a difference?
Is it a block or a managed challenge?
A managed challenge
Sounds like that's IP Reputation
Ah, I see
So lowering security is the way to go.
If the host header doesn't align, it's always a block as far as I know; I didn't even think those made it to your security events
If it's blocking real users
I mean there's a small chance that someone's impersonating a user agent, but it's a read-only API server so I don't imagine lowering the firewall will harm much (especially with Cloudflare's caching 😁 )
Yeah, probably not. I have all my zones on Essentially off personally and don't see any blocks like that. It looks like badHost is a type of IP Class, probably meaning the entire ASN has been marked because of the quantity of malicious requests/etc. coming out of it
That would make sense
Well I'll try and see what happens
Thanks for the help!
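Added example, not from this thread or from Cloudflare: a small triage script over firewall events that separates what produced each event (Source/Action/ClientIPClass) and, for Security Level challenges, tells you which setting would stop challenging that threat score, using the thresholds quoted above (Low > 24, Essentially off > 49; High > 0 and Medium > 14 are from the same docs page). The sample events are constructed, and the field names are assumed from Cloudflare's firewall-events log schema.

```python
import json
from collections import Counter

# Security Level thresholds, strictest first. A level challenges requests whose
# threat score is greater than its threshold (Low > 24, Essentially off > 49 as
# quoted in the thread; High > 0 and Medium > 14 from the same docs page).
SECURITY_LEVELS = [("high", 0), ("medium", 14), ("low", 24), ("essentially_off", 49)]

# Constructed sample events in JSON-lines form. Field names are assumed from the
# Cloudflare firewall-events schema; values are made up for illustration.
SAMPLE_LOG = """
{"Action":"managed_challenge","Source":"securitylevel","ClientIPClass":"badHost","ClientCountry":"cn","ClientRequestHost":"api.example.com","ClientRequestUserAgent":"MyApp/2.1","ThreatScore":31}
{"Action":"managed_challenge","Source":"securitylevel","ClientIPClass":"badHost","ClientCountry":"cn","ClientRequestHost":"api.example.com","ClientRequestUserAgent":"python-requests/2.31","ThreatScore":62}
{"Action":"block","Source":"firewallrules","ClientIPClass":"noRecord","ClientCountry":"us","ClientRequestHost":"api.example.com","ClientRequestUserAgent":"curl/8.4","ThreatScore":0}
"""


def parse_events(text):
    """Parse JSON-lines firewall events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def level_that_allows(score):
    """Strictest Security Level whose threshold is >= score, i.e. the highest
    setting that would NOT challenge this visitor. None means even
    Essentially off (> 49) still challenges it, so a different remedy is needed."""
    for name, threshold in SECURITY_LEVELS:
        if score <= threshold:
            return name
    return None


def triage(events):
    """Count events by (Source, Action, ClientIPClass) so Security Level
    challenges are visible separately from other sources, and for each
    Security Level event report the setting that would let it through."""
    by_source = Counter((e["Source"], e["Action"], e["ClientIPClass"]) for e in events)
    remedies = {
        e["ClientRequestUserAgent"]: level_that_allows(e["ThreatScore"])
        for e in events
        if e["Source"] == "securitylevel"
    }
    return {"by_source": by_source, "security_level_remedy": remedies}


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_LOG))
    for key, count in result["by_source"].items():
        print(count, key)
    print(result["security_level_remedy"])
```

Only events whose Source is securitylevel respond to lowering the Security Level; a None remedy means the score is above 49 and the event needs to be handled another way (for example a custom rule scoped to that API's known clients).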