Issue with WAF Rule: Whitelist Not Working as Expected – Incorrect IP Logging
I'm encountering an issue with the Web Application Firewall (WAF) rule configuration that seems to be causing incorrect IP logging behavior.
Issue Details:
I have configured a rule to whitelist IP 108.xxx.xx.xx and block all other IPs (IP != 108.xxx.xx.xx).
However, when making a request from the IP 108.xxx.xx.xx, the Cloudflare event log incorrectly shows different IPs as being blocked instead of the expected behavior, where the request should pass through as the IP is whitelisted.
I then modified the rule to block only IP 108.xxx.xx.xx (IP == 108.xxx.xx.xx), and this time, the event log correctly identifies and logs IP 108.xxx.xx.xx as being blocked, which seems to be the expected outcome.
Expected Behavior:
When I configure a rule to whitelist IP 108.xxx.xx.xx and block all other IPs, requests from 108.xxx.xx.xx should not be blocked, and the event log should reflect this correctly. The IP should not appear as blocked unless it's incorrectly matching a condition in another rule.
Current Behavior:
When whitelisting 108.xxx.xx.xx, the event log incorrectly logs other IPs being blocked, which is not the intended behavior.
When the rule is changed to block only 108.xxx.xx.xx, the event log correctly logs that IP.
Additional Notes:
I have verified that the WAF rule configuration is correct, and this seems to be an issue with how Cloudflare is handling the whitelist condition or interpreting the IP when requests come in.
Could this be related to Cloudflare’s proxying behavior or the way the CF-Connecting-IP header is being interpreted?
Request:
Please assist in investigating this issue, as I believe this may be a bug or unintended behavior in how the WAF rules are being applied in my account. Any clarification or advice on how to resolve this would be greatly appreciated.
Thank you for your help!
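An added illustration (my own example, not the poster's configuration or Cloudflare's code) of what the two rules described above evaluate to: a small evaluator for `ip.src eq / ne / in` expressions, run in rule order over a constructed list of connecting IPs. The redacted allow-listed address 108.xxx.xx.xx is stood in for by the placeholder 203.0.113.10 (RFC 5737 documentation range), and every other address is constructed. It shows why a "block everything except my IP" rule fills the event log with blocked requests from other addresses: every other visitor, crawler or scanner matches the rule, so such entries are consistent with the rule as written, and the thing to check is whether the allow-listed address itself ever appears as blocked. It goes one step beyond the post with a `not ip.src in {cidr}` form, which allow-lists a range instead of a single address.

```python
"""Toy evaluator for the WAF rule shapes discussed above.

Supported expression forms (a subset of Cloudflare's rules-language syntax):
    ip.src eq <addr>
    ip.src ne <addr>
    ip.src in {<addr-or-cidr> <addr-or-cidr> ...}
optionally prefixed with `not`. Rules are checked in order; the first match
decides the action, otherwise the request passes through.
"""
import ipaddress
import re

# Placeholder standing in for the poster's redacted 108.xxx.xx.xx
# (203.0.113.0/24 is the RFC 5737 documentation range, so it never routes).
ALLOW_IP = "203.0.113.10"

# Constructed sample of connecting IPs, as a WAF event log might record them.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "path": "/"},              # the allow-listed address
    {"ip": "198.51.100.7", "path": "/wp-login.php"},  # some other visitor
    {"ip": "192.0.2.44",   "path": "/robots.txt"},    # a crawler
    {"ip": "203.0.113.11", "path": "/"},              # neighbour in the same /24
]

# Rule 1 from the post: allow-list one address, block everyone else.
RULE_BLOCK_OTHERS = [(f"ip.src ne {ALLOW_IP}", "block")]
# Rule 2 from the post: block only that one address.
RULE_BLOCK_ONLY = [(f"ip.src eq {ALLOW_IP}", "block")]
# Beyond the post: allow-list a whole range, block everything outside it.
RULE_BLOCK_OUTSIDE_RANGE = [("not ip.src in {203.0.113.0/24}", "block")]

RULE_RE = re.compile(r"^\s*(not\s+)?ip\.src\s+(eq|ne|in)\s+(.+?)\s*$")


def expression_matches(expr, client_ip):
    """Return True if the rule expression matches the connecting IP."""
    m = RULE_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    negate, op, rhs = m.groups()
    addr = ipaddress.ip_address(client_ip)
    if op == "in":
        # `{a b c}`: space-separated addresses or CIDR blocks inside braces.
        nets = [ipaddress.ip_network(tok, strict=False)
                for tok in rhs.strip("{}").split()]
        hit = any(addr in net for net in nets)
    else:
        # `eq` is true on equality, `ne` on inequality.
        hit = (addr == ipaddress.ip_address(rhs)) == (op == "eq")
    return (not hit) if negate else hit


def run_waf(rules, requests):
    """Evaluate rules in order per request; first match wins, else 'pass'."""
    results = []
    for req in requests:
        action = "pass"
        for expr, rule_action in rules:
            if expression_matches(expr, req["ip"]):
                action = rule_action
                break
        results.append((req["ip"], action))
    return results


def blocked_ips(rules, requests):
    """Connecting IPs that a rule set would record as blocked."""
    return [ip for ip, action in run_waf(rules, requests) if action == "block"]


if __name__ == "__main__":
    for name, rules in [("block all but one", RULE_BLOCK_OTHERS),
                        ("block only one", RULE_BLOCK_ONLY),
                        ("block outside /24", RULE_BLOCK_OUTSIDE_RANGE)]:
        print(f"{name}: blocked = {blocked_ips(rules, SAMPLE_REQUESTS)}")
```

Read against the post: with the first rule set, three other addresses are logged as blocked while the allow-listed one passes, which is exactly what `ip.src ne <addr>` with a block action asks for; with the second, only the allow-listed address is blocked. The evaluator compares the connecting IP that the log recorded, so if the allow-listed address itself showed up as blocked, the place to look would be what value the WAF saw as the client IP for that request rather than the rule logic.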
1 Reply
Please share your actual rules in the order you are using. Just replace the IP with a dummy IP if you want to keep it secret.