About Cloudflare Web Application Firewall (WAF)
The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web requests and filters undesired traffic based on sets of rules called rulesets. The matching engine that powers the WAF rules supports the wirefilter syntax using the Rules language .
Managed Rulesets
The Cloudflare WAF includes several Managed Rulesets , provided by Cloudflare, that you can enable and configure.
When you enable these Managed Rulesets, you get immediate protection from a broad set of security rules that are regularly updated. Each of these rules has a default action that varies according to the severity of the rule.
You can override the default action or disable one or more rules included in Managed Rulesets. To customize the rules behavior you define specific configurations or overrides.
You can define a configuration that affects an entire Managed Ruleset, or configure the action and status of one or more rules in the ruleset. Rules have associated tags that allow you to search for a specific group of rules and configure them in bulk.
Custom rulesets
You can create custom rulesets with your own WAF rules that you can later deploy to a phase entry point .
Available phases
The Web Application Firewall provides the following phases where you can deploy WAF rules:
http_request_firewall_customhttp_request_firewall_managed
These phases exist both at the account level and at the zone level. Considering the available phases and the two different levels, the WAF rules are evaluated in the following order:
- Rules in the
http_request_firewall_customphase at the account level - Rules in the
http_request_firewall_customphase at the zone level - Rules in the
http_request_firewall_managedphase at account level - Rules in the
http_request_firewall_managedphase at the zone level
Deploying rulesets to phases
You can deploy the Managed Rulesets provided by WAF to the following phases:
http_request_firewall_managedphase at the account level (the phasekindisroot)http_request_firewall_managedphase at the zone level (the phasekindiszone)
To deploy your own WAF rules, create a custom ruleset and add any custom rules to this ruleset. Next, deploy the custom ruleset to a supported phase.
You can create and deploy custom rulesets to the http_request_firewall_custom phase at the account level (the phase kind is root).
To learn more about phases, refer to Phases in the Ruleset Engine documentation.
Rule execution order
Cloudflare evaluates different types of rules when processing incoming requests. The rule execution order is the following:
- Firewall rules , available in Security > WAF > Firewall rules
- Custom rules , available in Security > WAF > Custom rules
- Rate limiting rules , available in Security > WAF > Rate limiting rules
- Managed Rulesets , available in Security > WAF > Managed rules
- Cloudflare Rate Limiting (previous version), available in Security > WAF > Rate limiting rules
Next steps
To configure Managed Rulesets using the Cloudflare dashboard, refer to Deploy Managed Rulesets for a zone in the dashboard .
You can also use the Rulesets API to deploy rulesets to the available phases. Refer to the following pages for additional guidance: