IP Access rules
Use IP Access rules to allowlist, block, and challenge traffic based on the visitor’s IP address, country, or Autonomous System Number (ASN).
IP Access rules are commonly used to block or challenge suspected malicious traffic. Another common use of IP Access rules is to allow services that regularly access your site, such as APIs, crawlers, and payment providers.
IP Access rules are available to all customers.
Each Cloudflare account can have a maximum of 50,000 rules. If you are an Enterprise customer and need more rules, contact your account team.
Allowing a country code does not bypass Cloudflare’s WAF.
Requests containing certain attack patterns in the
User-Agentfield are checked before being processed by the general firewall pipeline. Therefore, such requests are blocked before any allowlist logic takes place. When this occurs, firewall events downloaded from the API show
security_leveland action as
Cloudflare supports use of
fail2banto block IPs on your server. However, to prevent
fail2banfrom inadvertently blocking Cloudflare IPs and causing errors for some visitors, ensure you restore original visitor IP in your origin server logs. For details, refer to .