Start by creating a Cloudflare account. Add your website. Use their nameservers on your domain. Wait until they validate your website.
The steps below assume you have a brand-new account with all the default settings, i.e. you won't have Bot Fight Mode turned on.
- At the account level (that is, before entering a specific website), go to Manage Account -> Configurations -> Lists and create a new list; choose Type = IP and insert the Qualys IP ranges from the Qualys website.
- Go to SSL/TLS and set your SSL/TLS encryption mode to Full. Otherwise you may start getting ERR_TOO_MANY_REDIRECTS.
- Go to Security -> WAF and create a new rule whitelisting Qualys' IP addresses. Either reuse the list created above, or manually copy the ranges from the Qualys website. Using their ranges at the time of writing, here's what your rule would look like:
  - Field = IP Source Address
  - Operator = is in, Value = 64.39.96.0/20, 139.87.112.0/23
  - or Operator = is in list, Value = the list you created
  - Action = Skip
  - WAF components to skip = (choose all checkboxes)
  - More components to skip = (choose all checkboxes)
- Go to Security -> WAF -> Tools and whitelist Qualys' ranges there as well. Under IP Access Rules:
  - IP Range = 64.39.0.0/16, 139.87.0.0/16
  - Action = Allow
  - Zone = All websites in account
- Go to Security -> Settings and set:
  - Security Level = Essentially Off
  - Browser Integrity Check = Off
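
The WAF rule uses 64.39.96.0/20 and 139.87.112.0/23, while the IP Access Rules use the wider 64.39.0.0/16 and 139.87.0.0/16. The Python check below is an added example, not part of the original instructions: it reports whether every scanner range is covered by the allowlist and how many extra addresses the allowlist admits. The function names are hypothetical and the ranges are the ones quoted on this page at the time of writing.

```python
import ipaddress

# Ranges as given on this page (check the Qualys website for current values).
PUBLISHED = ["64.39.96.0/20", "139.87.112.0/23"]  # used in the WAF skip rule
ALLOWED = ["64.39.0.0/16", "139.87.0.0/16"]       # used in the IP Access Rules


def _nets(cidrs):
    """Parse CIDR strings (one IP version per list) and merge overlaps."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def _inside(inner, outer):
    """True if `inner` lies wholly within `outer` (same IP version only)."""
    return inner.version == outer.version and inner.subnet_of(outer)


def audit_allowlist(published, allowed):
    """Compare the vendor's published ranges with the configured allowlist."""
    pub, alw = _nets(published), _nets(allowed)
    # Published ranges not wholly inside an allowed range: scans from there
    # would still be subject to Cloudflare's checks.
    uncovered = [str(p) for p in pub if not any(_inside(p, a) for a in alw)]
    # CIDR blocks either nest or are disjoint, so the overlap of each pair is
    # the smaller block when one contains the other, and nothing otherwise.
    overlap = sum(
        min(p.num_addresses, a.num_addresses)
        for p in pub for a in alw
        if _inside(p, a) or _inside(a, p)
    )
    excess = sum(a.num_addresses for a in alw) - overlap
    return {"uncovered": uncovered, "excess_addresses": excess}


def matches(ip, cidrs):
    """True if a source address falls inside any of the given ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    print(audit_allowlist(PUBLISHED, ALLOWED))
    # Constructed sample address: allowed by the /16 rule, outside the /20.
    print(matches("64.39.10.5", ALLOWED), matches("64.39.10.5", PUBLISHED))
```

Re-run it whenever the list on the Qualys website changes; a non-empty `uncovered` means scans from those ranges will not be allowlisted.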