
Firewall & WAF Allowlisting

Ensure your synthetic monitors can reach your app. Learn how to whitelist supaguard monitoring nodes by User-Agent or regional IDs.

If your application is behind a Web Application Firewall (WAF) like Cloudflare, Akamai, or AWS WAF, you must allow traffic from supaguard to prevent false failure alerts.

The most resilient way to allowlist supaguard is by our custom User-Agent string. This allows you to scale your monitoring across all regions without managing rotating IP addresses.

Header to Allow: User-Agent: supaguard-Monitoring-Agent

Example: Nginx Configuration

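```nginx
# Case-insensitive match on the supaguard User-Agent. Clearing $is_bot exempts
# the monitor from rules keyed on it (assumes $is_bot is set elsewhere in your config).
if ($http_user_agent ~* "supaguard-Monitoring-Agent") {
    set $is_bot 0;
}
```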

2. Allowlisting by Secret Header

For an extra layer of security, you can configure a custom header in your supaguard check settings and verify it on your server.

Step 1: In the supaguard IDE, add a header: X-supaguard-Secret: your-unique-token

Step 2: On your WAF/Server, only allow requests containing this secret.
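
One way to implement Step 2 on the application server, as an added example that is not supaguard's own code: a WSGI middleware that rejects any request presenting the monitoring User-Agent without the matching X-supaguard-Secret, because a User-Agent value alone can be set by any client. The `SUPAGUARD_SECRET` environment variable, the `MonitorGate` class and the `supaguard.verified` key are names assumed for this example.

```python
import hmac
import os

# Assumption: the token configured in the supaguard check is supplied to the
# server through this environment variable (name chosen for this example).
EXPECTED_TOKEN = os.environ.get("SUPAGUARD_SECRET", "")
AGENT_MARKER = "supaguard-monitoring-agent"  # compared case-insensitively


def is_supaguard_request(environ, expected=None):
    """Return True only when the User-Agent marker and the secret both match."""
    expected = EXPECTED_TOKEN if expected is None else expected
    agent = environ.get("HTTP_USER_AGENT", "").lower()
    supplied = environ.get("HTTP_X_SUPAGUARD_SECRET", "")
    # An unset server-side token must never verify anything.
    if not expected or AGENT_MARKER not in agent:
        return False
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(supplied.encode(), expected.encode())


class MonitorGate:
    """WSGI middleware: a request claiming to be the monitor must carry the secret."""

    def __init__(self, app, expected=None):
        self.app = app
        self.expected = expected

    def __call__(self, environ, start_response):
        agent = environ.get("HTTP_USER_AGENT", "").lower()
        claims_monitor = AGENT_MARKER in agent
        if claims_monitor and not is_supaguard_request(environ, self.expected):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        # Downstream rate-limit or bot rules can exempt verified monitor traffic.
        environ["supaguard.verified"] = claims_monitor
        return self.app(environ, start_response)
```

Ordinary visitor traffic passes through unchanged; only `supaguard.verified` requests should be exempted from rate limiting or bot rules.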

3. Allowlisting by Regional IDs

supaguard uses cloud-native infrastructure where IPs can change. If you must use IP-based allowlisting, please subscribe to our Static IP list (available on Scale & Enterprise plans).

| Region | Regional Identifier |
| --- | --- |
| East US | eastus-node-01 |
| West Europe | westeurope-node-01 |
| Central India | centralindia-node-01 |

[!CAUTION] Hardcoding specific IP addresses is discouraged as it can lead to "Monitoring Blind Spots" if our cloud provider rotates a subnet.

Troubleshooting Blocks

If your check returns a 403 Forbidden or 1020 Access Denied:

  1. Check your WAF logs for the supaguard-Monitoring-Agent string.
  2. Verify that your Geo-Blocking rules allow traffic from the regions you have selected (e.g., India, Ireland).
  3. Ensure your rate-limiting rules are adjusted for your monitoring frequency.
