FAQ

General questions

Why does a security event display a Cloudflare IP address even though other fields match the client details?

This happens when a request goes through a Cloudflare Worker.

In this case, Cloudflare considers the client details, including its IP address, for triggering security settings. However, the IP displayed in Security Events will be a Cloudflare IP address.

Do I need to escape certain characters in expressions?

Yes, you may have to escape certain characters in expressions. The exact escaping will depend on the string syntax you use:

• If you use the raw string syntax (for example, r#"this is a string"#), you will only need to escape characters that have a special meaning in regular expressions.
• If you use the quoted string syntax (for example, "this is a string"), you need to perform additional escaping, such as escaping special characters " and \ using \" and \\, both in literal strings and in regular expressions.

For more information on string syntaxes and escaping, refer to String values and regular expressions.

Why is my regular expression pattern not working?

If you are using a regular expression, it is recommended that you test it with a tool such as Regular Expressions 101 ↗ or Rustexp ↗.

Why are some rules bypassed when I did not create an exception?

If you have SSL/TLS certificates managed by Cloudflare, every time a certificate is issued or renewed, a domain control validation (DCV) must happen. When a certificate is in pending_validation state and there are valid DCV tokens in place, some Cloudflare security features such as custom rules and WAF Managed Rules will be automatically disabled on specific DCV paths (for example, /.well-known/pki-validation/ and /.well-known/acme-challenge/).

Why is Cloudflare blocking a specific IP address?

Cloudflare may block an IP address due to various reasons:

• Web Application Firewall (WAF) mitigation actions: The Cloudflare WAF protects websites from various online threats, including malicious traffic, DDoS attacks, and common vulnerabilities. If your IP address is associated with suspicious or malicious activity, it might trigger the WAF and block requests.

• High security settings: The website owner might have set their Cloudflare security settings to a high level, making the filtering of incoming traffic stricter. In this situation, even legitimate users may get blocked or have to solve challenges.

• Excessive requests: Cloudflare may block an IP address if it detects an unusually high number of requests in a short period, in which case it will rate limiting subsequent requests. This is a protective measure against potential abuse or attacks.

• Traffic from malicious bots: Cloudflare employs bot detection mechanisms to distinguish between legitimate users and automated bots. If traffic from your IP address behaves like traffic from a malicious bot, it could get blocked.

• Blocklisted IPs: Cloudflare might block IP addresses listed on public blocklists due to their association with known malicious activities.

If your IP address is blocked, try the following:

• Check Cloudflare Security Events: Use the Security Events log to check for specific reasons your IP might be getting blocked. Look for details on the type of threat or activity that triggered the block.

• Contact the website owner: If you are a legitimate user and your IP is wrongly blocked, contact the website owner or administrator. They may be able to allowlist your IP or investigate the issue further.

• Verify your own website traffic: Check for abnormal activity. If you manage a website behind Cloudflare, ensure that your site's traffic is legitimate and not triggering security measures inadvertently.

• Check your IP reputation: Verify whether your IP address is listed on public blocklists, such as Project Honey Pot ↗. If so, take steps to address any issues that may have led to the listing.

• Adjust your security settings: If you are a website owner using Cloudflare, consider adjusting security settings to find the right balance between protection and accessibility.

Bots

How does the WAF handle traffic from known bots?

Caution about potentially blocking bots

When you create a WAF custom rule with a Block, Interactive Challenge, JS Challenge, or Managed Challenge (Recommended) action, you might unintentionally block traffic from known bots. Specifically, this might affect search engine optimization (SEO) and website monitoring when trying to enforce a mitigation action based on URI, path, host, ASN, or country.

Refer to How do I exclude certain requests from being blocked or challenged?.

Bots currently detected

Cloudflare Radar ↗ lists a sample of known bots that the WAF currently detects. When traffic comes from these bots and others not listed, the cf.client.bot field is set to true.

To submit a friendly bot to be verified, go to the Verified bots ↗ page in Cloudflare Radar and select Add a bot.

For more information on verified bots, refer to Bots.

Note

There is no functional difference between known and verified bots. However, the known bots field (cf.client.bot) is available for all customers, while the verified bots field (cf.bot_management.verified_bot) is available for Enterprise customers.