Today, I received an email from Google Ads Policy manager that I had ads that were impacted by Google Ads policy: Destination not working. I’d seen this issue before, but thought I had fixed it — apparently, not.
The email I received:
Going into Google Ad manager provided the following unhelpful message:
Review and fix ads that violate ads policy to update the status of your campaign.
- Destination not working
I clicked on the offending link in Ad manager, but it displayed the page correctly. Thanks Google. Fortunately, the email had the useful nugget of information: “HTTP error: 403.” A 403 error means that the web server refused to display the page. For this domain, Cloudflare sits between the user and the actual web server, so it was Cloudflare refusing the request. Ah-ha!
Cloudflare’s Web Application Firewall
This domain for this particular website uses Cloudflare DNS with the Web Application Firewall (WAF) enabled. The WAF has one important rule: Block Not North America.
Block Not North America
(ip.geoip.continent ne "NA")This rule works great and does exactly what you think it should — only allows IPs geolocated in North America to view the website. All non-North American IP addresses receive a “Sorry, you have been blocked” page. This method has it’s own issues, but that’s an article for another day. So, what’s the deal?
Google Verifies Ad URLs from a Global Pool of IP Addresses
Google, although headquartered in the United States, operates globally. They want to make sure that everyone can see your ad anywhere in the world, even if you are geo-locating only to your local city. So, leveraging their global resources, Google Ads sometimes attempt to verify your URL from anywhere in their worldwide pool of IP addresses.
This behavior was easy to verify in Cloudflare. Go to the domain, open the Security menu, then select Events. Filter for User agent equals AdsBot-Google and voilà – blocked traffic.
Ok, so Google is being blocked. Now what?
Add a WAF Allow Rule for Google Ads Bot
The resolution is easy. but not particularly secure: create a Cloudflare WAF firewall rule that allows the Google Ads bot user-agent. Allow rules are evaluated before Block rules, so they allow Google Ad bot requests to find their destination.
WAF Allow Rule
(http.user_agent contains "AdsBot-Google" and http.request.method eq "GET" and ip.geoip.asnum in {15169})This isn’t a perfect solution as it allows any Google controlled IP addresses to pass through to the website. However, this solution is enough to get your Google Ads back into an approved state. Make sure to add further refinements to manage your domain’s threat vectors.
Appeal Disapproved Ads
Go into Google Ads, hover over the status error, and click Fix It. Then wait and hope🙏
