When using Cloudflare Network Firewall alongside other Cloudflare services that proxy traffic (for example, CDN and Spectrum), be aware of the following:
- Firewall rules that block traffic based on source IP address may not work as intended because rules are evaluated after Cloudflare terminates the incoming TCP connections.
- You must allow Cloudflare IP addresses ↗.
- When using Cloudflare Network Firewall, fragmented packets are reassembled into complete packets before they are inspected. As a result, you cannot create firewall rules for fragments.