Hi @matt6303, great question! Thanks so much for using the plugin, this new version is much more secure and robust than the old one I put together in just a few hours. Please consider leaving a review here, now that it’s in the repo! It can help others decide on using and trusting a plugin, especially security plugins like this.
Let me start by advising against filtering ASNs… Unblocking or allowing an entire ASN is generally not recommended because ASNs represent large network operators and often contain thousands or even millions of IP addresses. Allowlisting one ASN can unintentionally permit a substantial amount of unrelated, and potentially malicious, traffic, especially when the ASN belongs to a major hosting or cloud provider.
Best practice is to allowlist specific IP addresses (or very small ranges) instead. Adding trusted IPs to the Good Bot Skip rule is the safest approach, because it explicitly exempts only those known addresses while allowing the rest of the ASN to remain subject to your Managed Challenge or Block rules. This keeps your protection layered, targeted, and much lower risk.
With that said, simply adding specific IPs within that ASN or adding the ASN itself to the Good Bots Skip rule will cause it to skip the Block rule, which will do what you want:
add_filter('fivestar_cfwaf_good_bot_expression', function($expression) {
    return $expression . ' or (ip.src.asnum eq 1234)'; // Replace 1234 with your ASN
});

// or ASN list
add_filter('fivestar_cfwaf_good_bot_expression', function($expression) {
    return $expression . ' or (ip.src.asnum in {26496 12345 67890})';
});
But ideally you would just add multiple IPs within that ASN:
add_filter('fivestar_cfwaf_good_bot_expression', function($expression) {
    return $expression . ' or (ip.src in {192.0.2.10 198.51.100.25})';
});
As a coding example, here is how to actually remove an ASN (2468 for example) from the Block expression, and then add it to the Challenge ASN:
// Find and remove from Block rule:
add_filter('fivestar_cfwaf_block_expression', function($expression) {
    // Locate the "ip.src.asnum in {...}" set inside the Block expression
    if (preg_match('/ip\.src\.asnum\s+in\s+\{([^}]+)\}/', $expression, $matches)) {
        $asns = preg_split('/\s+/', trim($matches[1]));
        $asns = array_diff($asns, ['2468']);           // drop the ASN we want to unblock
        $newSet = 'ip.src.asnum in {' . implode(' ', $asns) . '}';
        $expression = str_replace($matches[0], $newSet, $expression);
    }
    return $expression;
});

// Add an ASN to the Challenge Rule
add_filter('fivestar_cfwaf_managed_challenge_expression', function($expression) {
    return $expression . ' or (ip.src.asnum in {2468})';
});
Hope that helps! In summary, unblocking ASNs is usually not needed or recommended, because you can open up specific IP ranges instead, which is best practice, but it can be done using the examples above.
I’ve also updated our WAF Rules Filter Knowledge Base article with these examples.
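An added example, not part of the reply above or of the plugin itself, that generalises the Block-rule filter: it removes an ASN from every `ip.src.asnum in {...}` set in the expression and handles the case the snippet above does not, where the ASN was the set's only member and a plain replacement would leave the invalid fragment `in {}` behind. It assumes the same `fivestar_cfwaf_block_expression` filter and expression format; the sample expressions at the bottom are constructed.

```php
<?php
// Added example (not the plugin's own code). Removes $asn from each
// "ip.src.asnum in {...}" set in a Cloudflare WAF expression. "{}" is not
// valid Cloudflare expression syntax, so when the ASN is a set's only member
// the set is left untouched and the caller is told via $warning.
function fivestar_remove_asn(string $expression, int $asn, ?string &$warning = null): string
{
    $warning = null;
    return preg_replace_callback(
        '/ip\.src\.asnum\s+in\s+\{([^}]*)\}/',
        function (array $m) use ($asn, &$warning): string {
            $members = preg_split('/\s+/', trim($m[1]), -1, PREG_SPLIT_NO_EMPTY);
            $kept    = array_values(array_diff($members, [(string) $asn]));
            if ($kept === $members) {
                return $m[0];                  // ASN not in this set, nothing to change
            }
            if ($kept === []) {
                // Removing the last member would produce "in {}", so refuse.
                $warning = "ASN $asn is the only member of '{$m[0]}'; remove the whole clause instead";
                return $m[0];
            }
            return 'ip.src.asnum in {' . implode(' ', $kept) . '}';
        },
        $expression
    );
}

// Hook it into the Block rule when running inside WordPress.
if (function_exists('add_filter')) {
    add_filter('fivestar_cfwaf_block_expression', function (string $expression): string {
        $new = fivestar_remove_asn($expression, 2468, $warning);
        if ($warning !== null) {
            error_log('cfwaf: ' . $warning);   // surfaced instead of silently breaking the rule
        }
        return $new;
    });
}

// Constructed sample expressions for an offline check (php this_file.php).
$cases = [
    '(ip.src.asnum in {2468 26496 12345}) or (ip.src in {192.0.2.10})',  // 2468 removed, others kept
    '(ip.src.asnum in {2468})',                                          // only member: warning, unchanged
    '(ip.src.asnum in {26496})',                                         // not present: unchanged
];
foreach ($cases as $c) {
    $r = fivestar_remove_asn($c, 2468, $w);
    echo $c, "\n  -> ", $r, $w !== null ? "  [warning: $w]" : '', "\n";
}
```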