Issue with WAF Rule Updates Not Reflecting for the Same Connection After IP Blocklist Changes
Hi everyone, I'm encountering an issue with Cloudflare's WAF rules not being applied after updating the IP blocklist via the Cloudflare API.
When I update the blocklist, requests from the blocked IPs are still reaching my service, even though the blocklist has been updated.
If I use the Connection: close header or stop and restart the client, the traffic gets blocked as expected. However, this approach isn't feasible in production, as I need the blocklist updates to take effect immediately without requiring the client to restart or close connections.
Details:
I'm updating the IP blocklist via the Cloudflare API, but the changes aren't reflected in requests from the same connection.
It seems like Cloudflare is reusing the same connection, which causes the updated WAF rules to not apply until a new connection is established.
Has anyone encountered this issue before? Is there a way to force Cloudflare to apply the updated WAF rules to existing connections, or a way to ensure that the IP blocklist is enforced without waiting for connection resets?
1 Reply
Theoretically, it is working correctly, because the already established connections have passed the security measures even though you have updated the WAF. As you know, it's a security wall: if a connection passes through the wall, it doesn't care whether the connection is still valid or not, as it doesn't look back. For your specific case, I think you need a long-running task which inspects security checks on passed connections. In the end, you should wait for a CF employee to answer you for assurance.
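An added example, not from this thread or from Cloudflare, of the origin-side check the reply alludes to: re-evaluate the client IP against the blocklist on every request, so an update applies to the next request on an already open keep-alive connection instead of waiting for a new connection. CF-Connecting-IP is the real header Cloudflare sets on proxied requests; the trusted-proxy range, addresses, and function names are constructed for the demo.

```python
import ipaddress
import threading

# Constructed trusted-proxy range (RFC 5737 documentation space, not real Cloudflare IPs).
# In production this would be the published Cloudflare edge ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


class Blocklist:
    """IP/CIDR blocklist that can be swapped atomically while requests are in flight."""

    def __init__(self, entries=()):
        self._lock = threading.Lock()
        self._nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def update(self, entries):
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
        with self._lock:
            self._nets = nets

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        with self._lock:
            nets = list(self._nets)
        return any(addr in n for n in nets)


def client_ip(headers, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Trust CF-Connecting-IP only when the TCP peer is a known proxy; otherwise it is spoofable."""
    if any(ipaddress.ip_address(peer_ip) in n for n in trusted_proxies):
        return headers.get("CF-Connecting-IP", peer_ip)
    return peer_ip


def serve_connection(blocklist, peer_ip, headers, n_requests, update_at, new_entries, per_request):
    """Handle n_requests on one keep-alive connection, updating the blocklist before request update_at.
    per_request=True re-checks on every request; False checks once at connection setup (the symptom)."""
    ip = client_ip(headers, peer_ip)
    allowed_at_setup = not blocklist.contains(ip)
    statuses = []
    for i in range(n_requests):
        if i == update_at:
            blocklist.update(new_entries)  # simulates the API-driven blocklist change
        allowed = (not blocklist.contains(ip)) if per_request else allowed_at_setup
        statuses.append(200 if allowed else 403)
    return statuses


def demo(per_request):
    """Four requests on one connection from 203.0.113.7 via a trusted proxy; block its /24 before request 3."""
    headers = {"CF-Connecting-IP": "203.0.113.7"}
    return serve_connection(Blocklist(), "198.51.100.9", headers, 4, 2, ["203.0.113.0/24"], per_request)
```

`demo(True)` yields `[200, 200, 403, 403]`; `demo(False)` reproduces the reported behaviour, `[200, 200, 200, 200]`.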