Configuring IP Access Rules

Learn to utilize IP Access Rules to restrict, challenge, or whitelist traffic to your site.


IP Access Rules are commonly used to block or challenge suspected malicious traffic.  Another common use of IP Access Rules is to whitelist services that regularly access your site (APIs, crawlers, payment providers, etc).  IP Access Rules allow whitelist, block, and challenge actions for traffic based on the visitor's IP address, country, or AS number.

There are four configurable actions for an IP Access Rule:

  • Whitelist: Excludes visitors from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by Cloudflare's default security features. Whitelist takes precedence over block.
Whitelisting a country code does not bypass Cloudflare's WAF.
Requests containing certain attack patterns in the User-Agent field are checked before being processed by the general firewall pipeline. Therefore, such requests are blocked before any whitelisting logic takes place. Firewall events downloaded from the API show rule_id as security_level and action as drop when this behavior occurs.
  • JavaScript Challenge: Presents the I'm Under Attack Mode interstitial page to visitors. Requires a visitor's browser or client to support JavaScript. Useful for blocking DDoS attacks with minimal impact to legitimate visitors.

  • Challenge: Requires the visitor to complete a CAPTCHA before visiting your site. Prevents bots from accessing the site.

  • Block: Prevents a visitor from visiting your site.

Add an IP Access Rule

To create an IP Access Rule, follow these steps:

  1. Log in to your Cloudflare account.

  2. Select your domain.

  3. Click the Firewall app.

  4. Click on the Tools tab.

  5. Under IP Access Rules, enter the following details:

  6. Enter the Value as an IP, IP range, or two-letter country code.

  7. Select an Action.

  8. Select whether the rule applies to This website or All websites in the account.

  9. (Optional) add a Note (i.e. Payment Gateway).

  10. Click Add.

Types of Access Rules

There are several types of Access Rules:

Type Example Value
IPv4 address.
IPv4 /24 range
IPv4 /16 range
IPv6 address. 2001:db8::
IPv6 address range. 2001:db8::/48, 2001:db8::/64
Country (by name or code) US, germany, tor, CN
ASN AS13335

Address Range Examples

CIDR (larger number = smaller block) Start of range (example) End of range (example) Number of addresses
/64 2001:db8:: 2001:db8:0000:0000:ffff:ffff:ffff:ffff 18,446,744,073,709,551,616
/48 2001:db8:: 2001:db8:0000:ffff:ffff:ffff:ffff:ffff 1,208,925,819,614,629,174,706,176
/32 2001:db8:: 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff 79,228,162,514,264,337,593,543,950,336
/24 256
/16 65,536


Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk