The Firewall app allows you to whitelist, block, and challenge visitors by IP address, country, or AS number. To whitelist or block a visitor, follow these steps:
- Log in to your Cloudflare account.
- Go to the Firewall app.
- Add an entry to the Access Rules and select the action.
There are four possible actions:
- Whitelist: Whitelisting a visitor excludes them from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by security features. Whitelists take precedence over blocks. Whitelisting a country code does not prevent the request from bypassing the WAF.
- Challenge: The challenge option requires a user to complete a CAPTCHA in order to visit your site. This will prevent bots from accessing the site, but real humans can complete the CAPTCHA to proceed (including attackers).
- Block: When a visitor is blocked, no CAPTCHA option is presented so there is no way for the visitor to access your site. The Block option is appropriate to use when you know, with a high level of certainty, that you do not want the IP address to visit your site.
Note: You can only set a rule to fully block by country code on the Enterprise plan. On Free, Pro, and Business levels, you can only set up a challenge page for visitors from the countries you decide to block. A human visitor could still enter your site from that country by passing the challenge page.
Types of access rules
There are several types of access rules that can be put in place:
| Type | Example |
|---|---|
| IPv4 /24 range | 192.0.2.0/24 |
| IPv4 /16 range | 192.0.0.0/16 |
| IPv6 address range | 2001:db8::/48, 2001:db8::/64 |
| Country (by name or code) | US, germany, tor, CN |
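Before adding a range rule it helps to see exactly which addresses it covers and which action wins when rules overlap. The following is an added example, not Cloudflare's code: the function names are hypothetical, `RULES` is constructed sample data, country rules are compared as codes only, and ranking block ahead of challenge is an assumption (the page states only that whitelists take precedence over blocks).

```python
import ipaddress

# Only "whitelist beats block" comes from the page; ranking block ahead of
# challenge is an assumption made for this example.
PRECEDENCE = ("whitelist", "block", "challenge")

def describe_range(cidr):
    """Return (first address, last address, address count) for a range rule."""
    # strict=True rejects values with host bits set, such as 192.0.2.5/24
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses

def rule_matches(value, visitor_ip, visitor_country):
    """True if a rule value (IP, CIDR range or country code) covers the visitor."""
    if value.isalpha():  # country rule; compared as codes (assumption)
        return value.upper() == visitor_country.upper()
    net = ipaddress.ip_network(value, strict=True)
    ip = ipaddress.ip_address(visitor_ip)
    return ip.version == net.version and ip in net

def effective_action(rules, visitor_ip, visitor_country):
    """Return the winning action for a visitor, or None if no rule matches."""
    matched = {action for value, action in rules
               if rule_matches(value, visitor_ip, visitor_country)}
    return next((a for a in PRECEDENCE if a in matched), None)

# Constructed sample rules using the documentation address ranges from the page
RULES = [
    ("192.0.0.0/16", "block"),
    ("192.0.2.0/24", "whitelist"),   # hole inside the blocked /16
    ("2001:db8::/48", "challenge"),
    ("CN", "challenge"),
]

if __name__ == "__main__":
    for cidr in ("192.0.2.0/24", "192.0.0.0/16", "2001:db8::/64"):
        print(cidr, describe_range(cidr))
    for ip, cc in (("192.0.2.10", "US"), ("192.0.3.10", "US"), ("198.51.100.7", "CN")):
        print(ip, cc, effective_action(RULES, ip, cc))
```

The first lookup resolves to whitelist even though the address sits inside the blocked /16, so that /24 is also excluded from every security check listed under the Whitelist action.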
Address Range Examples
|CIDR (larger number = smaller block)||Start of range (example)||End of range (example)||Number of addresses|