Whitelisting in Cloudflare allows the scanner to detect weaknesses lying underneath the WAF, so you can execute a 'defence in depth' security strategy and put in place measures that prevent successful exploitation even where the WAF fails or can be bypassed by an attacker.
Cloudflare provides two ways to whitelist security scanners:
IP Access Rules – which cannot be used to whitelist Intruder's scanning ranges.
'Firewall Rules' – which can be used; these are configured in two parts, explained below.
Add an 'Allow' rule
To get started, we'll first add an 'Allow' rule for each of Intruder's scanning ranges.
1. Click 'Create a Firewall Rule', and give it a recognisable name.
2. Using the 'Field' dropdown, select 'IP Source Address'
3. Under the Operator field, select 'is in'
4. In the 'Value' field, add all of Intruder's scanning ranges and IPs. For an up-to-date list of IP ranges, please refer to this article.
5. Under 'Choose an action', select 'Allow'
6. When finished, click 'Save'.
Create WAF bypass rules
This second rule allows Intruder's scanners to bypass some of Cloudflare's standard web application firewall protections, so the scan reaches the application behind the WAF.
1. Click 'Create a Firewall Rule' and create another rule.
2. Using the 'Field' dropdown, select 'IP Source Address'
3. Under the Operator field, select 'is in'
4. In the 'Value' field, add all of Intruder's scanning ranges and IPs, but rearrange the order of the IP ranges so that Cloudflare doesn't complain of duplication.
5. Under 'Choose an action', select 'Bypass' and tick:
   - WAF Managed Rules (this one is important)
   - Browser Integrity Check
   - User Agent Block
6. Once complete, click 'Save', and you're done!
Intruder's scanners will now be able to scan your Cloudflare-protected hosts without the WAF interfering with the scan.
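Both rules above come down to one Cloudflare expression, `ip.src in {…}`, with a different action attached. The script below is an added example (not code from Intruder or Cloudflare) that builds that expression from a list of ranges, de-duplicates and validates the entries, and produces the second (bypass) rule with the ranges in a different order so the two expressions are not identical, mirroring step 4. The IP ranges in it are constructed placeholders, not Intruder's real scanning ranges; the `host` argument adds an `http.host` match, which is a narrowing this article does not itself describe. The field names `ip.src` and `http.host` and the `in {…}` set syntax are Cloudflare's expression language and can be pasted into the rule builder's expression editor.

```python
import ipaddress

# Constructed placeholder ranges standing in for Intruder's published scanner list;
# the real values come from Intruder's own IP-range article, not from here.
SCANNER_RANGES = [
    "198.51.100.0/24",
    "203.0.113.10",
    "198.51.100.0/24",   # deliberate duplicate entry to show de-duplication
    "2001:db8::/32",
]


def normalise_ranges(ranges):
    """Parse each entry as an IP network, drop exact duplicates and sort
    (IPv4 before IPv6, then by address). An invalid entry raises ValueError
    instead of silently producing an expression Cloudflare would reject."""
    nets = {ipaddress.ip_network(r, strict=False) for r in ranges}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def cloudflare_ip_set(nets):
    """Render networks as a Cloudflare expression-language set literal, e.g.
    {198.51.100.0/24 203.0.113.10}. Single hosts are written without a prefix."""
    parts = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in nets]
    return "{" + " ".join(parts) + "}"


def rule_expressions(ranges, host=None):
    """Return (allow_expr, bypass_expr). The bypass rule lists the same ranges in
    reverse order so its expression string differs from the allow rule's. If host
    is given, both rules are limited to that hostname via http.host (an assumed
    narrowing, not one of the article's steps)."""
    nets = normalise_ranges(ranges)
    allow = f"ip.src in {cloudflare_ip_set(nets)}"
    bypass = f"ip.src in {cloudflare_ip_set(list(reversed(nets)))}"
    if host:
        suffix = f' and http.host eq "{host}"'
        allow += suffix
        bypass += suffix
    return allow, bypass


def is_scanner_ip(ip, ranges):
    """True if ip falls inside any of the ranges; handy for confirming that a
    request seen in the Cloudflare firewall log really came from a scanner range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in normalise_ranges(ranges) if n.version == addr.version)


if __name__ == "__main__":
    allow, bypass = rule_expressions(SCANNER_RANGES, host="www.example.com")
    print("Allow rule expression: ", allow)
    print("Bypass rule expression:", bypass)
    print("198.51.100.77 is a scanner IP:", is_scanner_ip("198.51.100.77", SCANNER_RANGES))
```

Run it with the real list substituted for `SCANNER_RANGES`; the printed allow expression goes into the first rule (action 'Allow') and the bypass expression into the second (action 'Bypass'). `is_scanner_ip` is a quick way to check, when reviewing firewall events, whether a request that was allowed or bypassed actually originated from one of the whitelisted ranges.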