Allowlisting Intruder's scanners in Cloudflare lets the scanner detect weaknesses that sit beneath the WAF, so you can follow a 'defence in depth' strategy and put measures in place that prevent successful exploitation even where the WAF fails or is bypassed by an attacker.
Cloudflare's WAF provides two ways to allowlist security scanners:
'IP Access Rules' (within the Tools tab) – which cannot be used to allowlist Intruder's scanning ranges.
'Custom Rules' – which can be used and is explained below.
Adding the WAF Custom Rule
To get started, browse to the WAF page and click on the Custom Rules tab.
Click 'Create a Firewall Rule', and give it a recognisable name.
Using the 'Field' dropdown, select 'IP Source Address', and under the Operator field, select 'is in'.
In the 'Value' field, add the relevant Intruder scanning ranges and IPs.
For customers on the Essential plan, please obtain the up-to-date IP range from this article.
For customers on the Pro, Premium and Vanguard plans, the IPs will vary depending on your selected scanning region. (To find these, head to Settings > Scan).
Under 'Choose an action', select 'Skip', tick all the WAF Components listed, then click the 'More components to skip' button and skip the remaining components.
When finished, click 'Deploy'.
Intruder's scanners will now be able to scan your Cloudflare-protected hosts, without scan interference.
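The steps above are performed in the Cloudflare dashboard; the following is an added example (not Intruder's or Cloudflare's code) that expresses the same rule in a form you can review and sanity-check before deploying it. It renders the 'IP Source Address is in ...' condition as a Cloudflare rules-language expression, builds the equivalent skip-rule body, refuses any range wider than a /24 (a broad allowlist would let non-scanner traffic skip the WAF), and evaluates whether a given client IP would be skipped. The scanner ranges shown are constructed RFC 5737 placeholders, not Intruder's real addresses, and the API field names in build_skip_rule are an assumption to be checked against Cloudflare's current rulesets documentation.

```python
import ipaddress
import json

# Constructed placeholder scanner ranges (RFC 5737 documentation addresses).
# Replace with the real Intruder ranges for your plan and scanning region
# (Intruder's IP article, or Settings > Scan for Pro/Premium/Vanguard).
SCANNER_RANGES = [
    "203.0.113.0/24",
    "198.51.100.7",
]

# Widest IPv4 prefix we are willing to allowlist. Anything broader would
# exempt far more than the scanner from WAF inspection.
MAX_ALLOWED_PREFIX_LENGTH = 24


def parse_ranges(ranges):
    """Parse IPs/CIDRs into network objects, rejecting overly broad IPv4 ranges."""
    nets = []
    for item in ranges:
        net = ipaddress.ip_network(item, strict=False)
        if net.version == 4 and net.prefixlen < MAX_ALLOWED_PREFIX_LENGTH:
            raise ValueError(
                f"range {item} is broader than /{MAX_ALLOWED_PREFIX_LENGTH}; refusing to allowlist"
            )
        nets.append(net)
    return nets


def build_expression(ranges):
    """Render the rules-language equivalent of Field 'IP Source Address',
    Operator 'is in', Value <ranges>: (ip.src in {a.b.c.d/24 e.f.g.h})."""
    nets = parse_ranges(ranges)
    items = " ".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in nets
    )
    return f"(ip.src in {{{items}}})"


def build_skip_rule(ranges, description="Allowlist Intruder scanners"):
    """Build the body of a custom rule with action 'Skip' and every WAF
    component ticked. Field names follow the Cloudflare rulesets API for the
    http_request_firewall_custom phase (assumption: verify against current docs)."""
    return {
        "description": description,
        "expression": build_expression(ranges),
        "action": "skip",
        "action_parameters": {
            "ruleset": "current",  # skip the remaining custom rules
            "phases": [
                "http_ratelimit",
                "http_request_firewall_managed",
                "http_request_sbfm",
            ],
            "products": [
                "zoneLockdown", "uaBlock", "bic", "hot",
                "securityLevel", "rateLimit", "waf",
            ],
        },
        "enabled": True,
    }


def would_skip_waf(client_ip, ranges):
    """Evaluate the rule the way the WAF would: is this client IP in the list?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in parse_ranges(ranges))


if __name__ == "__main__":
    print(json.dumps(build_skip_rule(SCANNER_RANGES), indent=2))
    for ip in ("203.0.113.42", "198.51.100.7", "192.0.2.1"):
        verdict = "skips WAF" if would_skip_waf(ip, SCANNER_RANGES) else "inspected by WAF"
        print(ip, verdict)
```

Because the Skip action exempts matching traffic from every WAF component, keep the list limited to the scanner's published ranges and re-check it whenever you change scanning region, since the ranges differ per region.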
Starting from 28th February 2023, Cloudflare began a phased rollout of a new Firewall rule policy. If you configured your allowlisting before this date to use two rules (an Allow and a Bypass rule), then this should have now been converted by Cloudflare into one Skip rule.