Cloudflare WAF

Overview

The Cloudflare WAF integration automatically configures bypass rules in your Cloudflare Web Application Firewall so that PGP scanner traffic is not blocked during security assessments. Without this integration, Cloudflare's WAF may interfere with vulnerability scans by blocking or challenging scanner requests.

What It Does

When the integration runs, PGP creates a WAF custom rule in the http_request_firewall_custom phase of each Cloudflare zone. This rule instructs Cloudflare to skip specific security products and managed rule phases for traffic that matches PGP's scanner signatures.

Bypass Rule Identification

All rules created by PGP contain the tag (Managed by PGP) in their description. The full rule description is:

Whitelist PGP security scanner traffic (Managed by PGP)

PGP uses this tag to identify its own rules when updating or detecting existing bypass rules. If an existing rule with the (Managed by PGP) tag is found but has a different expression, PGP automatically updates it to the current expression.

Dual Bypass Modes

PGP supports two bypass modes depending on your account configuration:

Static IP Mode

When static IP is enabled for your account, the bypass rule matches only on the PGP scanner IP range:

(ip.src in {66.45.78.0/24})

Dynamic Mode (Default)

When static IP is not enabled, the bypass rule matches on the IP range plus two additional identifying headers:

(ip.src in {66.45.78.0/24}) or (any(http.request.headers["chariot"][*] eq "{hash}")) or (http.user_agent eq "{useragent}")

The {hash} and {useragent} values are unique to your PGP account and are automatically generated. This allows PGP to identify its traffic even when originating from non-static IP addresses.

WAF Products Skipped

The bypass rule instructs Cloudflare to skip the following WAF products for matching traffic:

Product ID      Description
zoneLockdown    Zone Lockdown rules (IP-based access restrictions)
uaBlock         User Agent Blocking rules
bic             Browser Integrity Check
hot             Hotlink Protection
securityLevel   Security Level challenge (e.g., I'm Under Attack mode)
rateLimit       Rate Limiting rules
waf             WAF managed rules (legacy)

WAF Phases Skipped

In addition to products, the bypass rule also skips the following managed rule phases:

Phase                           Description
http_request_sbfm               Super Bot Fight Mode (automated bot detection)
http_ratelimit                  HTTP rate limiting phase
http_request_firewall_managed   Managed firewall rules (Cloudflare's curated rulesets)

Zone Filtering

By default, the integration applies bypass rules to all zones accessible by your API token. You can optionally restrict this to specific zones by providing a zone filter list.

When zones are specified, PGP performs a case-insensitive match of zone names against the provided list. Only matching zones receive bypass rules. If no zones match, the integration returns an error.

Concurrency

The integration processes zones concurrently with a limit of 10 simultaneous zone operations. Errors from individual zones are collected and reported together.

Rule Lifecycle Management

When creating or updating bypass rules, PGP follows this logic for each zone:

  1. Attempt to read the existing http_request_firewall_custom phase entrypoint for the zone.
  2. If the entrypoint does not exist, create it with the new bypass rule.
  3. If the entrypoint exists, list all rules and search for one containing the (Managed by PGP) tag.
  4. If a tagged rule exists with the correct expression, no action is taken (idempotent).
  5. If a tagged rule exists with a different expression, update it to the current expression.
  6. If no tagged rule exists, create a new bypass rule.
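The two bypass expressions, the skip rule body, and the six-step reconcile logic above, as an added Python illustration (not PGP's own code). It assumes the Cloudflare rule JSON field names `description`, `expression`, `action`, `action_parameters.products` and `action_parameters.phases`, and uses a constructed entrypoint holding a stale tagged rule.

```python
from typing import Optional, Tuple

TAG = "(Managed by PGP)"
DESCRIPTION = f"Whitelist PGP security scanner traffic {TAG}"
SCANNER_CIDR = "66.45.78.0/24"
SKIP_PRODUCTS = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel", "rateLimit", "waf"]
SKIP_PHASES = ["http_request_sbfm", "http_ratelimit", "http_request_firewall_managed"]


def bypass_expression(static_ip: bool, header_hash: str = "", user_agent: str = "") -> str:
    """Static IP mode matches the scanner range only; dynamic mode adds the two account-specific markers."""
    ip_clause = f"(ip.src in {{{SCANNER_CIDR}}})"
    if static_ip:
        return ip_clause
    return (f'{ip_clause} or (any(http.request.headers["chariot"][*] eq "{header_hash}"))'
            f' or (http.user_agent eq "{user_agent}")')


def bypass_rule(expression: str) -> dict:
    """Skip rule body; field names follow Cloudflare's custom-rule JSON (assumed here)."""
    return {"description": DESCRIPTION, "expression": expression, "action": "skip",
            "action_parameters": {"products": SKIP_PRODUCTS, "phases": SKIP_PHASES},
            "enabled": True}


def reconcile(entrypoint: Optional[dict], expression: str) -> Tuple[str, dict]:
    """Return (action, rule) for one zone: the lifecycle steps 2 to 6 in order."""
    rule = bypass_rule(expression)
    if entrypoint is None:                      # step 2: no phase entrypoint yet
        return "create_entrypoint", rule
    for existing in entrypoint.get("rules", []):  # step 3: look for the tagged rule
        if TAG in existing.get("description", ""):
            if existing.get("expression") == expression:
                return "noop", existing         # step 4: idempotent
            return "update", {**existing, **rule}  # step 5: expression drifted
    return "create", rule                       # step 6: nothing tagged


# Constructed sample: an entrypoint whose tagged rule still carries the static IP expression.
SAMPLE_ENTRYPOINT = {"rules": [
    {"id": "rule-placeholder", "description": DESCRIPTION,
     "expression": bypass_expression(True), "action": "skip"}]}


def demo() -> str:
    """Switching the account to dynamic mode must update the stale rule, not add a second one."""
    action, _ = reconcile(SAMPLE_ENTRYPOINT, bypass_expression(False, "hash-placeholder", "ua-placeholder"))
    return action
```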

Prerequisites

  • A Cloudflare account with one or more active zones.
  • A Cloudflare API token with the following permissions:
    • Account > Account Rulesets > Read
    • Zone > WAF > Edit
    • Zone > Zone Settings > Read

Creating a Cloudflare API Token

  1. Log in to the Cloudflare Dashboard.
  2. Navigate to My Profile > API Tokens.
  3. Click Create Token.
  4. Use the Custom Token template and configure the following permissions:
    • Account > Account Rulesets > Read
    • Zone > WAF > Edit
    • Zone > Zone Settings > Read
  5. Under Zone Resources, select the zones this token can access.
  6. Click Continue to summary, then Create Token.
  7. Copy the token immediately; it will not be shown again.

For more details, see the Cloudflare documentation on creating API tokens.

Setup in PGP

  1. In PGP, navigate to Settings > Integrations.
  2. Find Cloudflare WAF in the integrations list and click it.
  3. Enter your API Token in the token field.
  4. (Optional) Enter zone names in the Zones field, one per line, to restrict which zones receive bypass rules. Leave empty to apply to all zones.
  5. Click Save to connect the integration.
  6. PGP will validate your credentials by immediately executing the full integration flow (creating bypass rules across your zones). This also serves as the initial setup.

Field Reference

Field              Required   Description
API Token          Yes        Your Cloudflare API token with Account Rulesets Read, Zone WAF Edit, and Zone Settings Read permissions.
Zones (Optional)   No         A list of zone names (one per line) to restrict which zones receive bypass rules. Leave empty to apply to all zones accessible by the token. Zone matching is case-insensitive.

Troubleshooting

"Invalid API token"

The token you provided was rejected by Cloudflare. This typically means the token is incorrect, expired, or revoked. Generate a new token and try again.

"Missing cloudflare token"

No API token was provided. Ensure the API Token field is filled in before saving.

"No zones found for this account"

The token is valid but has no zone access. Edit the token in Cloudflare to grant access to at least one zone.

"No matching zones found after filtering"

You specified zone names in the Zones field, but none of them matched any zone accessible by the token. Verify that the zone names are correct and that your API token has access to those zones. Zone matching is case-insensitive.

"Failed to create entrypoint with rule"

PGP could not create the WAF custom firewall phase entrypoint for a zone. This usually indicates insufficient permissions. Ensure the token has Zone > WAF > Edit permission.

General API Errors

If you see an error like API error: (code) message, this is a Cloudflare API error. Check that your token permissions match the requirements listed under Prerequisites.

Rule Not Appearing in Cloudflare Dashboard

PGP creates rules in the http_request_firewall_custom phase. In the Cloudflare dashboard, these appear under Security > WAF > Custom rules. Look for a rule with the description containing (Managed by PGP).