How can we set IP Access Rules?
The Bot Fight Mode docs (https://developers.cloudflare.com/bots/get-started/bot-fight-mode/#limitations) say
Limitations
You cannot bypass or skip Bot Fight Mode using the Skip action in WAF custom rules or using Page Rules. Skip, Bypass, and Allow actions apply to rules or rulesets running on the Ruleset Engine. While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not. This is why you can skip Super Bot Fight Mode, but not Bot Fight Mode. If you need to skip Bot Fight Mode, consider using Super Bot Fight Mode.
Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP

But I can't find IP Access Rules anywhere in the dashboard. Those docs (https://developers.cloudflare.com/waf/tools/ip-access-rules/create/) say
IP Access Rules are only available in the new security dashboard if you have configured at least one IP access rule.
Cloudflare recommends that you use custom rules instead of IP Access Rules.
Log in to the Cloudflare dashboard, and select your account and domain.
Go to Security > Security rules.
Select Create rule > IP access rules.
Enter the following rule details:
    For IP, IP range, country name, or ASN, enter an IP address, IP range, country code/name, or Autonomous System Number (ASN). For details, refer to Parameters.
    For Action, select an action.
    For Zone, select whether the rule applies to the current website only or to all websites in the account.
    (Optional) Enter a note for the rule (for example, Payment Gateway).
Select Create.

When I follow those steps I don't see IP access rules (see screenshot). Presumably this is because I don't have an existing IP Access Rule that is "grandfathered in"? Anyone have any suggestions? Bot Fight is blocking legitimate traffic.

4 Replies
If you're on free Bot Fight Mode
BFM will be disabled if there are any IP Access rules present.
So disabling it entirely does the same
It's only really recommended to be enabled for attacks
If you turned on BFM during an attack, and the attack has subsided, we recommend either disabling the feature using IP Access rules to bypass BFM, or looking at Bot Management for Enterprise, which gives you the ability to precisely customize your security threshold and create exception rules as needed.
https://developers.cloudflare.com/bots/frequently-asked-questions/
Yeah, that makes sense to just create rules for the things that BFM is validly catching
Anyway, I figured out how to revert to the old dashboard and added a few IP Access rules

then once I had a rule set up, I switched back to the new dashboard
it was even blocking the actual server that the domain is pointing to, for particular requests (WordPress nonsense)
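
Added example, not part of the thread and not Cloudflare's own code: IP Access rules can also be created through Cloudflare's v4 API, and this sketch validates a value (IP, range, ASN or country code) and builds the request body for an Allow rule. The function names, the sample address 203.0.113.10 and the note text are made up for illustration; the zone ID and API token are yours to supply.

```python
import ipaddress
import json
import re
import urllib.request

# Cloudflare v4 API endpoint for zone-level IP Access rules.
API = "https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules"
MODES = {"whitelist", "block", "challenge", "js_challenge", "managed_challenge"}
# Range sizes IP Access rules accept: /16 and /24 (IPv4), /32, /48, /64 (IPv6).
RANGE_PREFIXES = {4: {16, 24}, 6: {32, 48, 64}}

def classify(value):
    """Map a user-supplied value to the API's (target, value) pair."""
    v = value.strip()
    if re.fullmatch(r"AS\d+", v, re.IGNORECASE):
        return "asn", v.upper()
    if re.fullmatch(r"[A-Za-z]{2}", v):
        return "country", v.upper()
    if "/" in v:
        net = ipaddress.ip_network(v, strict=True)  # rejects ranges with host bits set
        if net.prefixlen not in RANGE_PREFIXES[net.version]:
            raise ValueError(f"/{net.prefixlen} is not an accepted range size")
        return "ip_range", str(net)
    addr = ipaddress.ip_address(v)  # raises ValueError on anything that is not an IP
    return ("ip" if addr.version == 4 else "ip6"), str(addr)

def build_rule(value, mode="whitelist", notes=""):
    """Build the JSON body; "whitelist" is the API name for the Allow action."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    target, normalized = classify(value)
    return {"mode": mode, "configuration": {"target": target, "value": normalized}, "notes": notes}

def create_rule(zone_id, api_token, rule):
    """POST the rule; the token must be allowed to edit the zone's firewall settings."""
    req = urllib.request.Request(
        API.format(zone_id=zone_id), data=json.dumps(rule).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed sample: 203.0.113.10 stands in for the origin server's IP.
    print(json.dumps(build_rule("203.0.113.10", notes="origin server"), indent=2))
```

Running the file only prints the payload; nothing is sent until `create_rule` is called with a real zone ID and token.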