Cloudflare Docs

Cloudflare Docs

Overview
Concepts
WAF ML
Uploaded content scanning
Custom rules
Create custom rules in the dashboard
Create custom rules via API
Configure a rule with the Skip action
API examples
Skip options
Manage custom rules in the dashboard
Firewall rules
Rate limiting rules
Determining the rate
Create in the dashboard for a zone
Create rate limiting rules via API
Rate limiting parameters
Common use cases
Managed Rulesets
Deploy in the dashboard for a zone
Deploy in the dashboard for an account
Deploy via API
Ruleset reference
Cloudflare Managed Ruleset
Cloudflare OWASP Core Ruleset
Cloudflare Exposed Credentials Check
Defining WAF exceptions
Define WAF exceptions in the dashboard
Define WAF exceptions via API
Log the payload of matched rules
Configure payload logging in the dashboard
View the payload content in the dashboard
Configure payload logging via API
Command-line operations
Generate a key pair
Decrypt the payload content
Custom rulesets
Use the dashboard
Use the API
Additional tools
IP Access rules
Create a rule
Parameters
Actions
Automated exposed credentials check
How exposed credentials checks work
Configure exposed credentials checks via API
Test your exposed credentials checks configuration
Monitor exposed credentials events
Analytics
Free plan
Paid plans
Additional information
Reference
Alerts
Phases
Changelog
Scheduled changes
2022-09-20 – Emergency
2022-09-12
2022-09-05
2022-08-30
2022-08-22
2022-08-15
2022-08-01
2022-07-25
2022-07-18
2022-07-06
2022-07-05
2022-06-20
2022-06-10 – Emergency
2022-06-07 – Emergency
2022-06-06
2022-06-04 – Emergency
2022-06-03 – Emergency
2022-05-30
2022-05-16
2022-05-10 – Emergency
2022-05-09
2022-04-25
2022-04-20
2022-04-11
2022-04-04 – Emergency
2022-03-31 – Emergency
2022-03-29 – Emergency
2022-03-14
2022-03-07
2022-02-28
2022-02-21
2022-02-14
2022-01-24
2021-12-16 – Emergency
2021-12-14 – Emergency
2021-12-10 – Emergency
2021-11-01
2021-10-25
2021-10-19
2021-10-04
2021-09-06
2021-09-01 – Emergency
2021-08-31
2021-08-23
2021-08-16
2021-07-26
2021-07-19
2021-07-01 – Emergency
2021-06-21
2021-06-14
2021-06-07
2021-06-01
2021-04-21 – Emergency
2021-04-19
2021-03-22
2021-03-08
2021-03-06 – Emergency
2021-03-05 – Emergency
2021-03-01
2020-12-14
2020-12-02
2020-11-16
2020-11-05 – Emergency
2020-11-04 – Emergency
2020-10-19
2020-10-12
2020-10-05
2020-09-28
2020-09-21
2020-09-15
2020-09-07
2020-08-24
2020-09-01
2020-07-27
2020-08-03
2020-07-20
2020-07-07 – Emergency
2020-07-13
2020-06-22
2020-06-15
2020-06-08
2020-05-25
2020-05-11
2020-05-04
2020-04-27
2020-04-20
2020-04-06
2020-03-30
2020-03-23
2020-03-12
2020-03-09
2020-03-02 – Emergency
2020-02-17
2020-02-10
2020-01-27
2020-01-20
2020-01-16 – Emergency
2019-12-16
2019-11-25 – Emergency
2019-11-12
2019-11-07 – Emergency
2019-11-04
2019-10-27 – Emergency
2019-10-23 – Emergency
2019-10-21
2019-10-17 – Emergency
2019-10-14
2019-10-07
2019-09-30
2019-09-26 – Emergency
2019-09-16
Historical

IP Access rules

Use IP Access rules to allowlist, block, and challenge traffic based on the visitor’s IP address, country, or Autonomous System Number (ASN).

IP Access rules are commonly used to block or challenge suspected malicious traffic. Another common use of IP Access rules is to allow services that regularly access your site, such as APIs, crawlers, and payment providers.

You can create IP Access rules in the Cloudflare dashboard or via API.

Availability

IP Access rules are available to all customers.

Each Cloudflare account can have a maximum of 50,000 rules. If you are an Enterprise customer and need more rules, contact your account team.

Block by country is only available on the Enterprise plan. Other customers may perform country blocking using firewall rules.

Important remarks

Allowing a country code does not bypass WAF Managed Rulesets or WAF managed rules (previous version).
By design, IP Access rules configured to Allow traffic do not show up in Firewall Analytics.
Requests containing certain attack patterns in the User-Agent field are checked before being processed by the general firewall pipeline. Therefore, such requests are blocked before any allowlist logic takes place. When this occurs, firewall events downloaded from the API show rule_id as security_level and action as drop.
Cloudflare supports use of fail2ban to block IPs on your server. However, to prevent fail2ban from inadvertently blocking Cloudflare IPs and causing errors for some visitors, ensure you restore original visitor IP in your origin server logs. For details, refer to Restoring original visitor IPs.

To learn more about protection options provided by Cloudflare to protect your website against malicious traffic and bad actors, refer to Secure your website.