
How to add Catcher24 IPs to the Cloudflare allowlist

Last updated on Apr 16, 2026

To ensure Catcher24 can successfully scan your targets without being blocked by Cloudflare's security features, you must create a WAF Custom Rule to allow our scanning engines.

Step-by-step guide

  1. Log in to your Cloudflare dashboard and select your domain.

  2. Navigate to Security > Security rules.

  3. Click + Create rule > Custom rules.

  4. Name the rule: e.g., "Allow Catcher24 Scanners".

  5. Configure the "If incoming requests match..." section:

  6. Configure the "Then take action..." section:

    • Choose action: Select Skip.

    • WAF components to skip: Check the boxes for WAF components to skip. Click the More components to skip option and check all extra boxes as well.

  7. The rule will look like this:

  8. Click Deploy.

Note: Using the "Skip" action is preferred over "Allow" because "Allow" only bypasses the firewall, whereas "Skip" prevents Cloudflare from presenting CAPTCHAs or JavaScript challenges that can block automated scanners.
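For teams that manage Cloudflare through the API instead of the dashboard, the rule from the steps above can be written as a custom-rule object for the Rulesets API (phase `http_request_firewall_custom`). This is an added example, not Catcher24's or Cloudflare's own code: the `ip.src` match, the prefix-length guard and the logging choice are assumptions, and the addresses are placeholder documentation ranges to be replaced with the scanner IPs Catcher24 provides.

```python
import ipaddress
import json

# Skip targets mirroring the dashboard checkboxes (Cloudflare Rulesets API names).
SKIP_PHASES = ["http_ratelimit", "http_request_firewall_managed", "http_request_sbfm"]
SKIP_PRODUCTS = ["zoneLockdown", "uaBlock", "bic", "hot",
                 "securityLevel", "rateLimit", "waf"]

# Assumption: refuse ranges wider than these, so a typo in the list cannot
# exempt a large part of the internet from the WAF.
MIN_PREFIX = {4: 24, 6: 48}


def build_skip_rule(scanner_sources, description="Allow Catcher24 Scanners"):
    """Return a custom-rule object that skips WAF components for the given IPs/CIDRs."""
    nets = []
    for src in scanner_sources:
        net = ipaddress.ip_network(src.strip())  # raises ValueError if host bits are set
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"{net} is too broad for a skip rule")
        nets.append(net)
    if not nets:
        raise ValueError("refusing to build a skip rule with no source addresses")
    # Deduplicate and sort so the expression is stable and easy to review.
    nets = sorted(set(nets), key=lambda n: (n.version, n))
    members = " ".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets)
    return {
        "description": description,
        "expression": f"ip.src in {{{members}}}",
        "action": "skip",
        "action_parameters": {
            "ruleset": "current",      # all remaining custom rules
            "phases": SKIP_PHASES,     # rate limiting, managed rules, Super Bot Fight Mode
            "products": SKIP_PRODUCTS, # the "More components to skip" boxes
        },
        # Assumption: log skipped requests so scanner traffic stays auditable.
        "logging": {"enabled": True},
        "enabled": True,
    }


if __name__ == "__main__":
    # Placeholder documentation ranges, not Catcher24's real addresses.
    rule = build_skip_rule(["192.0.2.0/24", "198.51.100.7", "2001:db8:1::/48"])
    print(json.dumps(rule, indent=2))
```

Keeping the rule object in version control makes any later widening of the source list visible in review.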

⚠️ Important Note: Cloudflare Validation Checks

Even with the Catcher24 IPs added to your allowlist, Cloudflare performs certain Validation Checks that run before your custom rules are evaluated. These checks cannot be disabled or bypassed by an allowlist.

According to Cloudflare's documentation, this component blocks:

  • Malformed HTTP requests.

  • Specific attack patterns in HTTP headers (e.g., Shellshock attacks).

  • Requests that trigger "sanity checks" early in Cloudflare's infrastructure.

How this affects your scans: Because these checks happen at the Cloudflare edge, before the request reaches your "Allow/Skip" rule, some specific scan probes sent by Catcher24 may still be blocked. This can show up as:

  • Scans that lose connection or fail.

  • Limited scan results on Cloudflare targets.

  • Blocked Probes: You may see scan logs indicating that certain connection attempts or specific exploit payloads failed, even though the IP is on the allowlist.

This is standard Cloudflare behavior and generally means Cloudflare is doing its job to protect your application from malformed traffic, even from authorized scanners.

Suggestions for mitigating interference

If you have already added the Catcher24 IPs to your allowlist but continue to see scan errors or incomplete results, the behavior is likely due to Cloudflare's mandatory validation checks, which cannot be bypassed by standard allowlisting.

Because these checks cannot be disabled directly on your main domain, we recommend one of the following approaches:

1. Create a dedicated subdomain

This is the most effective workaround for production environments.

  • Setup: Create a specific subdomain (e.g., catcher-scan.yourdomain.com) and point its DNS to the same backend IP as your main website.

  • Configuration: On this specific subdomain, you can safely lower Cloudflare's security settings without affecting your main site users.

    • Disable "Browser Integrity Check".

    • Disable "Always Use HTTPS" (if necessary for specific HTTP probes).

    • Disable "Bot Fight Mode" or "Super Bot Fight Mode".

  • Action: Add this subdomain as your target in the Catcher dashboard.

2. Scan a staging environment

If you have a staging or development environment that mirrors your production code, use that as your primary scan target.

  • Benefit: Staging environments often have relaxed WAF configurations or can be configured to bypass Cloudflare entirely (e.g., restricted by IP access only), allowing Catcher24 to scan the application logic without WAF interference.

3. Cloudflare Enterprise options

If you are on a Cloudflare Enterprise plan, you may have access to advanced settings that are not available on standard plans.

  • Enterprise Features: Enterprise support can sometimes offer higher-level configuration options, such as custom "Host Header" modification or classifying specific scanner IPs as trusted traffic to bypass mandatory validation checks. Please contact your Cloudflare account manager if this applies to you.