Network port support for the CIS proxy

Network ports control how the CIS proxy handles traffic for your domain and which services can be accessed.

Supported ports for proxied traffic

By default, the CIS proxy only handles traffic on specific HTTP and HTTPS ports.

Supported HTTP ports

CIS supports the following HTTP ports:

  • 80
  • 8080
  • 8880
  • 2052
  • 2082
  • 2086
  • 2095

Supported HTTPS ports

CIS supports the following HTTPS ports:

  • 443
  • 2053
  • 2083
  • 2087
  • 2096
  • 8443

Traffic on unsupported ports

The CIS proxy does not handle traffic on ports outside the supported lists. If your application uses a different port (for example, SSH on port 22), you must configure access by creating a Range application for the hostname. Range applications support traffic on all ports; however, full TCP and UDP port support is available only on the Enterprise plan.

Block traffic on other ports

To block traffic on ports other than 80 and 443, use WAF rules. To restrict traffic on nonstandard ports, choose one of the following options:

  • If you are using the previous version of WAF managed rules, enable rule ID 100015 (Anomaly: Port - Non-standard port (not 80 or 443)).
  • If you are using the current WAF, enable rule ID 664ed6fe (Anomaly: Port - Non-standard port (not 80 or 443)). This rule is part of the CIS Managed Ruleset and is disabled by default.

The WAF CIS Managed Ruleset includes a rule that blocks the traffic at the application layer (layer 7), preventing HTTP/HTTPS requests over nonstandard ports from reaching the origin server.

Due to the anycast network, some ports might appear open because they are used by shared services. This behavior is expected and does not mean that your application is publicly accessible.

Control traffic by port using custom rules

CIS allows you to control how traffic is handled on specific ports by using web application firewall (WAF) custom rules.

CIS evaluates incoming requests at the edge and exposes request attributes as fields that can be used in rule expressions. The cf.edge.server_port field represents the destination port on which the request is received at the CIS edge.

By using this field in custom rule expressions, you can define policies to allow, block, or challenge traffic based on the port.

Restrict traffic by port

To restrict traffic on specific ports, create a custom rule that matches the cf.edge.server_port field. For example, to allow traffic only on standard HTTP and HTTPS ports (80 and 443), create a rule that blocks all other ports:

cf.edge.server_port ne 80 and cf.edge.server_port ne 443

Match a specific port

To apply rules to a specific port, match the cf.edge.server_port field with the required value:

cf.edge.server_port eq 8443

Custom rules are evaluated at the application layer (layer 7) and can be used to enforce port-based access controls before requests reach the origin server.
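The following Python script is an added illustration, not code from IBM Cloud Internet Services. It models the two stages described above: first, whether the proxy handles a destination port at all (the supported HTTP and HTTPS port lists from this page), and second, whether a custom rule expression on cf.edge.server_port matches the request. The expression evaluator is an assumption for illustration: it understands only the eq, ne, and and or operators used on this page (and binding tighter than or, no parentheses), whereas the real CIS expression language is considerably larger.

```python
"""Offline model of CIS proxy port handling plus a custom rule on cf.edge.server_port.

Added example, not IBM CIS code. The port sets are copied from the documentation;
the expression evaluator is a deliberately small subset of the rule language.
"""

# Ports the CIS proxy handles, as listed on the page.
HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}

# Rule expressions taken from the page.
BLOCK_NONSTANDARD = "cf.edge.server_port ne 80 and cf.edge.server_port ne 443"
MATCH_8443 = "cf.edge.server_port eq 8443"


def proxy_disposition(port):
    """Classify a destination port: proxied as HTTP, proxied as HTTPS, or not proxied.

    A port that is not in either list never reaches the WAF; the page says such
    traffic needs a Range application instead.
    """
    if port in HTTP_PORTS:
        return "proxied-http"
    if port in HTTPS_PORTS:
        return "proxied-https"
    return "not-proxied"


def _compare(clause, fields):
    """Evaluate one `field op literal` comparison (assumed subset: eq and ne only)."""
    field, op, literal = clause.split()
    value = fields[field]
    literal = int(literal) if literal.isdigit() else literal.strip('"')
    if op == "eq":
        return value == literal
    if op == "ne":
        return value != literal
    raise ValueError(f"unsupported operator in this toy evaluator: {op}")


def evaluate(expression, fields):
    """Evaluate `cmp (and cmp)* (or cmp (and cmp)*)*` with `and` binding tighter than `or`."""
    return any(
        all(_compare(clause.strip(), fields) for clause in conjunction.split(" and "))
        for conjunction in expression.split(" or ")
    )


def rule_matches(expression, port):
    """True when the rule expression matches a request received on `port` at the edge."""
    return evaluate(expression, {"cf.edge.server_port": port})


def decide(port, block_expression=BLOCK_NONSTANDARD):
    """Combined outcome for a request on `port`: not-proxied, blocked, or allowed.

    The block rule is only consulted for ports the proxy actually handles.
    """
    if proxy_disposition(port) == "not-proxied":
        return "not-proxied"
    return "blocked" if rule_matches(block_expression, port) else "allowed"


if __name__ == "__main__":
    # Constructed sample of destination ports, one from each category on the page.
    for sample_port in (80, 443, 8080, 8443, 2053, 22):
        print(sample_port, proxy_disposition(sample_port), decide(sample_port))
```

Running the script shows that 22 is never seen by the custom rule (the proxy does not handle it), while 8080, 8443 and 2053 reach the WAF and are blocked by the page's "ne 80 and ne 443" expression; only 80 and 443 are allowed through to the origin.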

For more information about available fields and expression syntax, see Custom rules fields and expressions.