4 changes: 2 additions & 2 deletions src/content/docs/waf/tools/ip-access-rules/actions.mdx
@@ -10,9 +10,9 @@ An IP Access rule can perform one of the following actions:

- **Block**: Prevents a visitor from visiting your site.

- **Allow**: Excludes visitors from all security checks, including [Browser Integrity Check](/waf/tools/browser-integrity-check/), [Under Attack mode](/fundamentals/reference/under-attack-mode/), and the WAF. Use this option when a trusted visitor is being blocked by Cloudflare's default security features. The _Allow_ action takes precedence over the _Block_ action. Note that allowing a given country code will not bypass WAF managed rules (previous and new versions).
- **Allow**: Excludes visitors from all security checks, including [Browser Integrity Check](/waf/tools/browser-integrity-check/), [Under Attack mode](/fundamentals/reference/under-attack-mode/), and the WAF. Use this option when a trusted visitor is being blocked by Cloudflare's default security features. The _Allow_ action takes precedence over the _Block_ action.<br/>Allowing a given country code will not bypass WAF managed rules (previous and new versions). Refer to [Important remarks about allowing/blocking by country](/waf/tools/ip-access-rules/#important-remarks-about-allowingblocking-by-country) for more information.

- **Managed Challenge**: Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a list of possible actions. For more information, refer to [Cloudflare Challenges](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended).
- **Managed Challenge**: Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a list of possible actions. For more information, refer to [Interstitial Challenge Pages](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended).

- **JavaScript Challenge**: Presents the [Under Attack mode](/fundamentals/reference/under-attack-mode/) interstitial page to visitors. The visitor or client must support JavaScript. Useful for blocking DDoS attacks with minimal impact to legitimate visitors.

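Review bot: the new Allow bullet still opens with "Excludes visitors from all security checks, including ... the WAF", which the sentence after the `<br/>` then contradicts for country allows; state up front that the exemption depends on what the rule matches, e.g. "Excludes visitors matched by IP address or ASN from all security checks ...". Also "(previous and new versions)" is vaguer than the wording this same PR uses in index.mdx; reuse it here: "Allowing a given country code will not bypass [WAF Managed Rules](/waf/managed-rules/) or [WAF managed rules (previous version)](/waf/reference/legacy/old-waf-managed-rules/)." The `<br/>` inside the list item renders in MDX, but a second paragraph in the bullet gives the same result without inline HTML.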
4 changes: 4 additions & 0 deletions src/content/docs/waf/tools/ip-access-rules/create.mdx
@@ -8,6 +8,10 @@ sidebar:

import { TabItem, Tabs, Steps } from "~/components";

:::tip[Recommendation: Use custom rules instead]
Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking).
:::

<Tabs syncKey="dashNewNav"> <TabItem label="Old dashboard">

<Steps>
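Review bot: the tip restates the "Recommendation: Use custom rules instead" section that this PR expands in index.mdx, but without the two pointers that make it actionable (an IP list in the expression for IP-based blocking; _AS Num_, _Country_ and _Continent_ for geoblocking) or the linked use-case examples. Link to that section instead of duplicating its first sentence so the two copies cannot drift, e.g. "Refer to [Recommendation: Use custom rules instead](/waf/tools/ip-access-rules/#recommendation-use-custom-rules-instead) for details and examples."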
24 changes: 17 additions & 7 deletions src/content/docs/waf/tools/ip-access-rules/index.mdx
@@ -9,25 +9,35 @@ import { GlossaryTooltip, Render } from "~/components";

<Render file="survey" product="waf" />

Use IP Access rules to <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip>, block, and challenge traffic based on the visitor's IP address, country, or Autonomous System Number (ASN).
Use IP Access rules to <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip>, block, and challenge traffic based on the visitor's IP address, Autonomous System Number (ASN), or country.

IP Access rules are commonly used to block or challenge suspected malicious traffic. Another common use of IP Access rules is to allow services that regularly access your site, such as APIs, crawlers, and payment providers.

:::caution

- Allowing an IP or ASN will bypass any configured [custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), [WAF Managed Rules](/waf/managed-rules/), and firewall rules (deprecated).
- Allowing a country will:
- Bypass any configured [custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), and firewall rules (deprecated).
- Not bypass [WAF Managed Rules](/waf/managed-rules/) or [WAF managed rules (previous version)](/waf/reference/legacy/old-waf-managed-rules/).
Allowing an IP or ASN will bypass any configured [custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), [WAF Managed Rules](/waf/managed-rules/), and firewall rules (deprecated).

For important notes about allowing or blocking traffic by country, refer to [Important remarks about allowing/blocking by country](#important-remarks-about-allowingblocking-by-country).

:::

## Important remarks about allowing/blocking by country

Block by country is only available on Enterprise plans.

IP addresses globally allowed by Cloudflare will override an IP Access rule country block, but they will not override a country block via [custom rules](/waf/custom-rules/).

Allowing a country will:

- Bypass any configured [custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), and firewall rules (deprecated).
- Not bypass [WAF Managed Rules](/waf/managed-rules/) or [WAF managed rules (previous version)](/waf/reference/legacy/old-waf-managed-rules/).

## Recommendation: Use custom rules instead

Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking):

- For IP-based blocking, use an [IP list](/waf/tools/lists/custom-lists/#ip-lists) in the custom rule expression.
- For geoblocking, use fields such as _AS Num_, _Country_, and _Continent_ in the custom rule expression.
- For IP-based blocking, use an [IP list](/waf/tools/lists/custom-lists/#ip-lists) in the custom rule expression. Refer to [Allow traffic from IP addresses in allowlist only](/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist/) for an example.
- For geoblocking, use fields such as _AS Num_, _Country_, and _Continent_ in the custom rule expression. Refer to [Block traffic from specific countries](/waf/custom-rules/use-cases/block-traffic-from-specific-countries/) for an example.

---

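Review bot: the new "Important remarks" section gives the concrete reason a practitioner should prefer custom rules for geoblocking (IP addresses globally allowed by Cloudflare override an IP Access rule country block but not a custom rule country block), yet the "Recommendation" section that follows never connects the two. Add a sentence there, e.g. "Country blocks in custom rules are also not overridden by IP addresses globally allowed by Cloudflare." Separately, the caution now keeps only "Allowing an IP or ASN will bypass ... WAF Managed Rules", which is the strongest statement on the page: an allow rule is a complete WAF bypass for that source, so it is worth one sentence advising that IP and ASN allowlists be limited to the services named above (APIs, crawlers, payment providers) rather than broad ranges or whole ASNs.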
21 changes: 11 additions & 10 deletions src/content/docs/waf/tools/ip-access-rules/parameters.mdx
@@ -6,7 +6,7 @@ sidebar:
label: Parameters
---

An IP Access rule will apply a certain action to incoming traffic based on the visitor's IP address, IP range, country, or Autonomous System Number (ASN).
An IP Access rule will apply a certain action to incoming traffic based on the visitor's IP address, IP range, Autonomous System Number (ASN), or country.

## IP address

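Review bot: the reordered intro now reads "IP address, IP range, Autonomous System Number (ASN), or country", matching the section order below, but the equivalent sentence this PR rewrites in index.mdx reads "IP address, Autonomous System Number (ASN), or country" and omits IP range; align the two so the landing page does not understate what a rule can match.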
@@ -26,6 +26,12 @@ An IP Access rule will apply a certain action to incoming traffic based on the v
| IPv6 `/48` range | `2001:db8::/48` | `2001:db8::` | `2001:db8:0000:ffff:ffff:ffff:ffff:ffff` | 1,208,925,819,614,629,174,706,176 |
| IPv6 `/32` range | `2001:db8::/32` | `2001:db8::` | `2001:db8:ffff:ffff:ffff:ffff:ffff:ffff` | 79,228,162,514,264,337,593,543,950,336 |

## Autonomous System Number (ASN)

| Type | Example value |
| ---- | ------------- |
| ASN | `AS13335` |

## Country

Specify a country using two-letter [ISO-3166-1 alpha-2 codes](https://www.iso.org/iso-3166-country-codes.html). Additionally, the Cloudflare dashboard accepts country names. For example:
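Review bot: the ASN section moved ahead of Country is now a one-row table with no lead sentence, unlike the IP address and Country sections around it; add a line stating the accepted format (the example shows the `AS` prefix followed by the number) so readers know whether the prefix is required instead of inferring it from a single example value.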
@@ -39,15 +45,10 @@ Cloudflare uses the following special country alpha-2 codes that are not part of
- `T1`: [Tor exit nodes](/network/onion-routing/) (country name: `Tor`)
- `XX`: Unknown/reserved

:::note[Notes about country blocking]
:::note[Notes]

- Block by country is only available on Enterprise plans.
- IP addresses globally allowed by Cloudflare will override an IP Access rule country block, but they will not override a country block via [WAF custom rules](/waf/custom-rules/).
Country block is only available on Enterprise plans.

:::
IP addresses globally allowed by Cloudflare will override a country block via IP Access rules, but they will not override a country block via [custom rules](/waf/custom-rules/).

## Autonomous System Number (ASN)

| Type | Example value |
| ---- | ------------- |
| ASN | `AS13335` |
:::
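Review bot: renaming the admonition from "Notes about country blocking" to "Notes" drops the only cue that both paragraphs concern country blocks; keep the specific title. The two paragraphs also now duplicate "Important remarks about allowing/blocking by country" in index.mdx with slightly different wording ("Country block is only available" here versus "Block by country is only available" there); keep one canonical copy and link the other, e.g. "Refer to [Important remarks about allowing/blocking by country](/waf/tools/ip-access-rules/#important-remarks-about-allowingblocking-by-country)."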