# Firewall

# Lockdowns

## List Zone Lockdown rules

`firewall.lockdowns.list(LockdownListParams**kwargs) -> SyncV4PagePaginationArray[Lockdown]`

**get** `/zones/{zone_id}/firewall/lockdowns`

Fetches Zone Lockdown rules. You can filter the results using several optional parameters.

### Parameters

- `zone_id: str` Defines an identifier.
- `created_on: Optional[Union[str, datetime]]` The timestamp of when the rule was created.
- `description: Optional[str]` A string to search for in the description of existing rules.
- `description_search: Optional[str]` A string to search for in the description of existing rules.
- `ip: Optional[str]` A single IP address to search for in existing rules.
- `ip_range_search: Optional[str]` A single IP address range to search for in existing rules.
- `ip_search: Optional[str]` A single IP address to search for in existing rules.
- `modified_on: Optional[Union[str, datetime]]` The timestamp of when the rule was last modified.
- `page: Optional[float]` Page number of paginated results.
- `per_page: Optional[float]` The maximum number of results per page. You can only set the value to `1` or to a multiple of 5 such as `5`, `10`, `15`, or `20`.
- `priority: Optional[float]` The priority of the rule to control the processing order. A lower number indicates higher priority. If not provided, any rules with a configured priority will be processed before rules without a priority.
- `uri_search: Optional[str]` A single URI to search for in the list of URLs of existing rules.

### Returns

- `class Lockdown: …`
  - `id: str` The unique identifier of the Zone Lockdown rule.
  - `configurations: Configuration` A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of `ip` or `ip_range` configurations.
    - `class LockdownIPConfiguration: …`
      - `target: Optional[Literal["ip"]]` The configuration target.
        You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
        - `"ip"`
      - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class LockdownCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
        - `"ip_range"`
      - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.
  - `created_on: datetime` The timestamp of when the rule was created.
  - `description: str` An informative summary of the rule.
  - `modified_on: datetime` The timestamp of when the rule was last modified.
  - `paused: bool` When true, indicates that the rule is currently paused.
  - `urls: List[LockdownURL]` The URLs to include in the rule definition. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.lockdowns.list(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "372e67954025e0ba6aaa6d586b9e0b59",
      "configurations": [
        { "target": "ip", "value": "198.51.100.4" }
      ],
      "created_on": "2014-01-01T05:20:00.12345Z",
      "description": "Restrict access to these endpoints to requests from a known IP address",
      "modified_on": "2014-01-01T05:20:00.12345Z",
      "paused": false,
      "urls": [
        "api.mysite.com/some/endpoint*"
      ]
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a Zone Lockdown rule

`firewall.lockdowns.get(strlock_downs_id, LockdownGetParams**kwargs) -> Lockdown`

**get** `/zones/{zone_id}/firewall/lockdowns/{lock_downs_id}`

Fetches the details of a Zone Lockdown rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `lock_downs_id: str` The unique identifier of the Zone Lockdown rule.

### Returns

- `class Lockdown: …`
  - `id: str` The unique identifier of the Zone Lockdown rule.
  - `configurations: Configuration` A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of `ip` or `ip_range` configurations.
    - `class LockdownIPConfiguration: …`
      - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
        - `"ip"`
      - `value: Optional[str]` The IP address to match.
        This address will be compared to the IP address of incoming requests.
    - `class LockdownCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
        - `"ip_range"`
      - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.
  - `created_on: datetime` The timestamp of when the rule was created.
  - `description: str` An informative summary of the rule.
  - `modified_on: datetime` The timestamp of when the rule was last modified.
  - `paused: bool` When true, indicates that the rule is currently paused.
  - `urls: List[LockdownURL]` The URLs to include in the rule definition. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
lockdown = client.firewall.lockdowns.get(
    lock_downs_id="372e67954025e0ba6aaa6d586b9e0b59",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(lockdown.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b59",
    "configurations": [
      { "target": "ip", "value": "198.51.100.4" }
    ],
    "created_on": "2014-01-01T05:20:00.12345Z",
    "description": "Restrict access to these endpoints to requests from a known IP address",
    "modified_on": "2014-01-01T05:20:00.12345Z",
    "paused": false,
    "urls": [
      "api.mysite.com/some/endpoint*"
    ]
  },
  "success": true
}
```

## Create a Zone Lockdown rule

`firewall.lockdowns.create(LockdownCreateParams**kwargs) -> Lockdown`

**post**
`/zones/{zone_id}/firewall/lockdowns`

Creates a new Zone Lockdown rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `configurations: ConfigurationParam` A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of `ip` or `ip_range` configurations.
  - `class LockdownIPConfiguration: …`
    - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
      - `"ip"`
    - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
  - `class LockdownCIDRConfiguration: …`
    - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
      - `"ip_range"`
    - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.
- `urls: SequenceNotStr[OverrideURL]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.
- `description: Optional[str]` An informative summary of the rule. This value is sanitized and any tags will be removed.
- `paused: Optional[bool]` When true, indicates that the rule is currently paused.
- `priority: Optional[float]` The priority of the rule to control the processing order. A lower number indicates higher priority. If not provided, any rules with a configured priority will be processed before rules without a priority.

### Returns

- `class Lockdown: …`
  - `id: str` The unique identifier of the Zone Lockdown rule.
  - `configurations: Configuration` A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of `ip` or `ip_range` configurations.
    - `class LockdownIPConfiguration: …`
      - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
        - `"ip"`
      - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class LockdownCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
        - `"ip_range"`
      - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.
  - `created_on: datetime` The timestamp of when the rule was created.
  - `description: str` An informative summary of the rule.
  - `modified_on: datetime` The timestamp of when the rule was last modified.
  - `paused: bool` When true, indicates that the rule is currently paused.
  - `urls: List[LockdownURL]` The URLs to include in the rule definition. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.
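
The constraints documented above for `configurations` (target `ip` or `ip_range`, prefix lengths `/16` and `/24` only) can be checked locally before calling `create` or `update`, along with a check that clients which must keep access are still covered. This is an added example, not part of the SDK or the original reference; `build_configurations`, `is_allowed`, `plan_lockdown` and `audit_rules` are hypothetical helper names, and the sample rules are constructed.

```python
import ipaddress

# Prefix lengths this page documents as accepted for `ip_range` values.
ALLOWED_PREFIXES = {16, 24}


def build_configurations(entries):
    """Validate address strings and return a `configurations` list."""
    configs, seen = [], set()
    for raw in entries:
        entry = raw.strip()
        if "/" in entry:
            # strict=True rejects host bits (198.51.100.4/24), which usually
            # means a single address was intended, not the whole range.
            net = ipaddress.ip_network(entry, strict=True)
            if net.prefixlen not in ALLOWED_PREFIXES:
                raise ValueError(f"{entry}: only /16 and /24 ranges are accepted")
            item = {"target": "ip_range", "value": str(net)}
        else:
            item = {"target": "ip", "value": str(ipaddress.ip_address(entry))}
        key = (item["target"], item["value"])
        if key not in seen:  # drop exact duplicates, keep input order
            seen.add(key)
            configs.append(item)
    if not configs:
        raise ValueError("refusing to build a rule with no allowed addresses")
    return configs


def is_allowed(client_ip, configurations):
    """Return True if client_ip matches any `ip` or `ip_range` entry."""
    addr = ipaddress.ip_address(client_ip)
    for cfg in configurations:
        if cfg["target"] == "ip" and addr == ipaddress.ip_address(cfg["value"]):
            return True
        if cfg["target"] == "ip_range" and addr in ipaddress.ip_network(cfg["value"]):
            return True
    return False


def plan_lockdown(urls, entries, must_stay_allowed):
    """Build create() keyword arguments; fail if a required client is left out."""
    configs = build_configurations(entries)
    locked_out = [ip for ip in must_stay_allowed if not is_allowed(ip, configs)]
    if locked_out:
        raise ValueError(f"would lock out required clients: {locked_out}")
    return {"urls": list(urls), "configurations": configs, "paused": False}


def audit_rules(rules):
    """Review rules shaped like the `result` array of the list response."""
    findings = []
    for rule in rules:
        if rule.get("paused"):
            findings.append((rule["id"], "paused"))
        for cfg in rule.get("configurations", []):
            value = str(cfg.get("value", ""))
            try:
                built = build_configurations([value])[0]
                if built["target"] != cfg.get("target"):
                    findings.append((rule["id"], f"target mismatch for {value}"))
            except ValueError as exc:
                findings.append((rule["id"], f"bad entry: {exc}"))
    return findings


# Constructed sample data: documentation address ranges and made-up rule ids.
SAMPLE_RULES = [
    {"id": "rule-a", "paused": False,
     "configurations": [{"target": "ip", "value": "198.51.100.4"}]},
    {"id": "rule-b", "paused": True,
     "configurations": [{"target": "ip_range", "value": "203.0.113.0/25"}]},
]

if __name__ == "__main__":
    kwargs = plan_lockdown(
        urls=["api.mysite.com/some/endpoint*"],
        entries=["198.51.100.4", "203.0.113.0/24"],
        must_stay_allowed=["203.0.113.77"],  # e.g. an operator's egress address
    )
    # These keys match the create() parameters listed above, so the call
    # would be client.firewall.lockdowns.create(zone_id=..., **kwargs).
    print(kwargs)
    print(audit_rules(SAMPLE_RULES))
```
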

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
lockdown = client.firewall.lockdowns.create(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    configurations=[{}],
    urls=["shop.example.com/*"],
)
print(lockdown.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b59",
    "configurations": [
      { "target": "ip", "value": "198.51.100.4" }
    ],
    "created_on": "2014-01-01T05:20:00.12345Z",
    "description": "Restrict access to these endpoints to requests from a known IP address",
    "modified_on": "2014-01-01T05:20:00.12345Z",
    "paused": false,
    "urls": [
      "api.mysite.com/some/endpoint*"
    ]
  },
  "success": true
}
```

## Update a Zone Lockdown rule

`firewall.lockdowns.update(strlock_downs_id, LockdownUpdateParams**kwargs) -> Lockdown`

**put** `/zones/{zone_id}/firewall/lockdowns/{lock_downs_id}`

Updates an existing Zone Lockdown rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `lock_downs_id: str` The unique identifier of the Zone Lockdown rule.
- `configurations: ConfigurationParam` A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of `ip` or `ip_range` configurations.
  - `class LockdownIPConfiguration: …`
    - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
      - `"ip"`
    - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
  - `class LockdownCIDRConfiguration: …`
    - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
      - `"ip_range"`
    - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.
- `urls: SequenceNotStr[OverrideURL]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Returns

- `class Lockdown: …`
  - `id: str` The unique identifier of the Zone Lockdown rule.
  - `configurations: Configuration` A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of `ip` or `ip_range` configurations.
    - `class LockdownIPConfiguration: …`
      - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
        - `"ip"`
      - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class LockdownCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
        - `"ip_range"`
      - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.
  - `created_on: datetime` The timestamp of when the rule was created.
  - `description: str` An informative summary of the rule.
  - `modified_on: datetime` The timestamp of when the rule was last modified.
  - `paused: bool` When true, indicates that the rule is currently paused.
  - `urls: List[LockdownURL]` The URLs to include in the rule definition. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
lockdown = client.firewall.lockdowns.update(
    lock_downs_id="372e67954025e0ba6aaa6d586b9e0b59",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    configurations=[{}],
    urls=["shop.example.com/*"],
)
print(lockdown.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b59",
    "configurations": [
      { "target": "ip", "value": "198.51.100.4" }
    ],
    "created_on": "2014-01-01T05:20:00.12345Z",
    "description": "Restrict access to these endpoints to requests from a known IP address",
    "modified_on": "2014-01-01T05:20:00.12345Z",
    "paused": false,
    "urls": [
      "api.mysite.com/some/endpoint*"
    ]
  },
  "success": true
}
```

## Delete a Zone Lockdown rule

`firewall.lockdowns.delete(strlock_downs_id, LockdownDeleteParams**kwargs) -> LockdownDeleteResponse`

**delete** `/zones/{zone_id}/firewall/lockdowns/{lock_downs_id}`

Deletes an existing Zone Lockdown rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `lock_downs_id: str` The unique identifier of the Zone Lockdown rule.

### Returns

- `class LockdownDeleteResponse: …`
  - `id: Optional[str]` The unique identifier of the Zone Lockdown rule.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
lockdown = client.firewall.lockdowns.delete(
    lock_downs_id="372e67954025e0ba6aaa6d586b9e0b59",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(lockdown.id)
```

#### Response

```json
{
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Domain Types

### Configuration

- `List[ConfigurationItem]` A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of `ip` or `ip_range` configurations.
  - `class LockdownIPConfiguration: …`
    - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
      - `"ip"`
    - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
  - `class LockdownCIDRConfiguration: …`
    - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
      - `"ip_range"`
    - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.

### Lockdown

- `class Lockdown: …`
  - `id: str` The unique identifier of the Zone Lockdown rule.
  - `configurations: Configuration` A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of `ip` or `ip_range` configurations.
    - `class LockdownIPConfiguration: …`
      - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
        - `"ip"`
      - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class LockdownCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
        - `"ip_range"`
      - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.
  - `created_on: datetime` The timestamp of when the rule was created.
  - `description: str` An informative summary of the rule.
  - `modified_on: datetime` The timestamp of when the rule was last modified.
  - `paused: bool` When true, indicates that the rule is currently paused.
  - `urls: List[LockdownURL]` The URLs to include in the rule definition. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Lockdown CIDR Configuration

- `class LockdownCIDRConfiguration: …`
  - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the Zone Lockdown rule.
    - `"ip_range"`
  - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24`.

### Lockdown IP Configuration

- `class LockdownIPConfiguration: …`
  - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule.
    - `"ip"`
  - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.

### Lockdown URL

- `str`

### Lockdown Delete Response

- `class LockdownDeleteResponse: …`
  - `id: Optional[str]` The unique identifier of the Zone Lockdown rule.

# Rules

## List firewall rules

`firewall.rules.list(RuleListParams**kwargs) -> SyncV4PagePaginationArray[FirewallRule]`

**get** `/zones/{zone_id}/firewall/rules`

Fetches firewall rules in a zone. You can filter the results using several optional parameters.

### Parameters

- `zone_id: str` Defines an identifier.
- `id: Optional[str]` The unique identifier of the firewall rule.
- `action: Optional[str]` The action to search for. Must be an exact match.
- `description: Optional[str]` A case-insensitive string to find in the description.
- `page: Optional[float]` Page number of paginated results.
- `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
- `per_page: Optional[float]` Number of firewall rules per page.

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.rules.list(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "372e67954025e0ba6aaa6d586b9e0b60",
      "action": "block",
      "description": "Blocks traffic identified during investigation for MIR-31",
      "filter": {
        "id": "372e67954025e0ba6aaa6d586b9e0b61",
        "description": "Restrict access from these browsers on this address range.",
        "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
        "paused": false,
        "ref": "FIL-100"
      },
      "paused": false,
      "priority": 50,
      "products": [
        "waf"
      ],
      "ref": "MIR-31"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a firewall rule

`firewall.rules.get(strrule_id, RuleGetParams**kwargs) -> FirewallRule`

**get** `/zones/{zone_id}/firewall/rules/{rule_id}`

Fetches the details of a firewall rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `rule_id: str` The unique identifier of the firewall rule.

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
firewall_rule = client.firewall.rules.get(
    rule_id="372e67954025e0ba6aaa6d586b9e0b60",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(firewall_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b60",
    "action": "block",
    "description": "Blocks traffic identified during investigation for MIR-31",
    "filter": {
      "id": "372e67954025e0ba6aaa6d586b9e0b61",
      "description": "Restrict access from these browsers on this address range.",
      "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
      "paused": false,
      "ref": "FIL-100"
    },
    "paused": false,
    "priority": 50,
    "products": [
      "waf"
    ],
    "ref": "MIR-31"
  },
  "success": true
}
```

## Create firewall rules

`firewall.rules.create(RuleCreateParams**kwargs) -> SyncSinglePage[FirewallRule]`

**post** `/zones/{zone_id}/firewall/rules`

Create one or more firewall rules.

### Parameters

- `zone_id: str` Defines an identifier.
- `action: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded.
  - `mode: Optional[Literal["simulate", "ban", "challenge", 2 more]]` The action to perform.
    - `"simulate"`
    - `"ban"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `response: Optional[ActionResponse]` A custom content type and response to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional.
    Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object.
    - `body: Optional[str]` The response body to return. The value must conform to the configured content type.
    - `content_type: Optional[str]` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`.
  - `timeout: Optional[float]` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value.
- `filter: FirewallFilterParam`
  - `id: Optional[str]` The unique identifier of the filter.
  - `description: Optional[str]` An informative summary of the filter.
  - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
  - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
  - `ref: Optional[str]` A short reference tag. Allows you to select related filters.

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression.
        For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.rules.create(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    action={},
    filter={},
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "372e67954025e0ba6aaa6d586b9e0b60",
      "action": "block",
      "description": "Blocks traffic identified during investigation for MIR-31",
      "filter": {
        "id": "372e67954025e0ba6aaa6d586b9e0b61",
        "description": "Restrict access from these browsers on this address range.",
        "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
        "paused": false,
        "ref": "FIL-100"
      },
      "paused": false,
      "priority": 50,
      "products": [
        "waf"
      ],
      "ref": "MIR-31"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Update a firewall rule

`firewall.rules.update(strrule_id, RuleUpdateParams**kwargs) -> FirewallRule`

**put** `/zones/{zone_id}/firewall/rules/{rule_id}`

Updates an existing firewall rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `rule_id: str` The unique identifier of the firewall rule.
- `action: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded.
  - `mode: Optional[Literal["simulate", "ban", "challenge", 2 more]]` The action to perform.
    - `"simulate"`
    - `"ban"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `response: Optional[ActionResponse]` A custom content type and response to return when the threshold is exceeded.
    The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object.
    - `body: Optional[str]` The response body to return. The value must conform to the configured content type.
    - `content_type: Optional[str]` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`.
  - `timeout: Optional[float]` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value.
- `filter: FirewallFilterParam`
  - `id: Optional[str]` The unique identifier of the filter.
  - `description: Optional[str]` An informative summary of the filter.
  - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
  - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
  - `ref: Optional[str]` A short reference tag. Allows you to select related filters.

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
firewall_rule = client.firewall.rules.update(
    rule_id="372e67954025e0ba6aaa6d586b9e0b60",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    action={},
    filter={},
)
print(firewall_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b60",
    "action": "block",
    "description": "Blocks traffic identified during investigation for MIR-31",
    "filter": {
      "id": "372e67954025e0ba6aaa6d586b9e0b61",
      "description": "Restrict access from these browsers on this address range.",
      "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
      "paused": false,
      "ref": "FIL-100"
    },
    "paused": false,
    "priority": 50,
    "products": ["waf"],
    "ref": "MIR-31"
  },
  "success": true
}
```

## Update priority of a firewall rule

`firewall.rules.edit(str rule_id, RuleEditParams**kwargs) -> SyncSinglePage[FirewallRule]`

**patch** `/zones/{zone_id}/firewall/rules/{rule_id}`

Updates the priority of an existing firewall rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `rule_id: str` The unique identifier of the firewall rule.

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.
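
The ordering stated for `priority`, combined with the `paused`, `filter` and `products` fields, can be applied to a rule listing to review what a zone actually enforces. This is an added example, not part of the SDK or the original reference: the rule records are constructed sample data, and `processing_order` and `audit` are hypothetical helper names. The reference does not say how rules without a priority are ordered among themselves, so the sketch assumes the API's list order for them.

```python
from typing import Any, Dict, List, Tuple

Rule = Dict[str, Any]

# Constructed sample data, shaped like the `result` array in the responses on
# this page. IDs and expressions are placeholders, not real rules.
SAMPLE_RULES: List[Rule] = [
    {"id": "rule-allow-office", "action": "allow", "paused": False,
     "filter": {"id": "fil-1", "paused": False,
                "expression": "ip.addr eq 198.51.100.4"}},
    {"id": "rule-block-login", "action": "block", "paused": False,
     "priority": 50,
     "filter": {"id": "fil-2", "paused": False,
                "expression": 'http.request.uri.path ~ ".*wp-login.php"'}},
    {"id": "rule-bypass-health", "action": "bypass", "paused": False,
     "priority": 10, "products": ["waf", "rateLimit"],
     "filter": {"id": "fil-3", "paused": False,
                "expression": 'http.request.uri.path ~ ".*healthz"'}},
    {"id": "rule-paused", "action": "challenge", "paused": True,
     "priority": 20,
     "filter": {"id": "fil-4", "paused": False,
                "expression": "ip.addr eq 203.0.113.9"}},
    # A rule whose filter came back as a DeletedFilter record.
    {"id": "rule-orphan", "action": "block", "paused": False, "priority": 30,
     "filter": {"id": "fil-5", "deleted": True}},
]


def processing_order(rules: List[Rule]) -> List[Rule]:
    """Order rules as documented: prioritised rules first, lowest number first.

    Rules without a priority follow, in the order the API returned them
    (an assumption; the reference does not define their relative order).
    """
    def sort_key(item: Tuple[int, Rule]) -> Tuple[bool, float, int]:
        index, rule = item
        priority = rule.get("priority")
        return (priority is None, priority if priority is not None else 0.0, index)

    return [rule for _, rule in sorted(enumerate(rules), key=sort_key)]


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule_id, code, detail) findings, listed in processing order."""
    findings: List[Tuple[str, str, str]] = []
    for rule in processing_order(rules):
        rule_id = rule.get("id") or "<no id>"
        rule_filter = rule.get("filter") or {}

        if rule.get("paused"):
            findings.append((rule_id, "RULE_PAUSED", "rule is paused"))
        if rule_filter.get("deleted"):
            findings.append((rule_id, "FILTER_DELETED", "filter is a DeletedFilter"))
        elif rule_filter.get("paused"):
            findings.append((rule_id, "FILTER_PAUSED", "filter is paused"))
        if rule.get("action") == "bypass":
            # `products` lists what a bypass rule skips for matching requests.
            skipped = ", ".join(rule.get("products") or []) or "no products listed"
            findings.append((rule_id, "BYPASS", "skips: " + skipped))
        if rule.get("priority") is None:
            findings.append((rule_id, "NO_PRIORITY",
                             "processed after every rule that has a priority"))
    return findings


if __name__ == "__main__":
    for rule_id, code, detail in audit(SAMPLE_RULES):
        print(f"{rule_id:20} {code:15} {detail}")
```
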
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.rules.edit(
    rule_id="372e67954025e0ba6aaa6d586b9e0b60",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "372e67954025e0ba6aaa6d586b9e0b60",
      "action": "block",
      "description": "Blocks traffic identified during investigation for MIR-31",
      "filter": {
        "id": "372e67954025e0ba6aaa6d586b9e0b61",
        "description": "Restrict access from these browsers on this address range.",
        "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
        "paused": false,
        "ref": "FIL-100"
      },
      "paused": false,
      "priority": 50,
      "products": ["waf"],
      "ref": "MIR-31"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Delete a firewall rule

`firewall.rules.delete(str rule_id, RuleDeleteParams**kwargs) -> FirewallRule`

**delete** `/zones/{zone_id}/firewall/rules/{rule_id}`

Deletes an existing firewall rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `rule_id: str` The unique identifier of the firewall rule.

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
firewall_rule = client.firewall.rules.delete(
    rule_id="372e67954025e0ba6aaa6d586b9e0b60",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(firewall_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b60",
    "action": "block",
    "description": "Blocks traffic identified during investigation for MIR-31",
    "filter": {
      "id": "372e67954025e0ba6aaa6d586b9e0b61",
      "description": "Restrict access from these browsers on this address range.",
      "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
      "paused": false,
      "ref": "FIL-100"
    },
    "paused": false,
    "priority": 50,
    "products": ["waf"],
    "ref": "MIR-31"
  },
  "success": true
}
```

## Update firewall rules

`firewall.rules.bulk_update(RuleBulkUpdateParams**kwargs) -> SyncSinglePage[FirewallRule]`

**put** `/zones/{zone_id}/firewall/rules`

Updates one or more existing firewall rules.

### Parameters

- `zone_id: str` Defines an identifier.
- `body: object`

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.rules.bulk_update(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    body={},
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "372e67954025e0ba6aaa6d586b9e0b60",
      "action": "block",
      "description": "Blocks traffic identified during investigation for MIR-31",
      "filter": {
        "id": "372e67954025e0ba6aaa6d586b9e0b61",
        "description": "Restrict access from these browsers on this address range.",
        "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
        "paused": false,
        "ref": "FIL-100"
      },
      "paused": false,
      "priority": 50,
      "products": ["waf"],
      "ref": "MIR-31"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Update priority of firewall rules

`firewall.rules.bulk_edit(RuleBulkEditParams**kwargs) -> SyncSinglePage[FirewallRule]`

**patch** `/zones/{zone_id}/firewall/rules`

Updates the priority of existing firewall rules.

### Parameters

- `zone_id: str` Defines an identifier.
- `body: object`

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.rules.bulk_edit(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    body={},
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "372e67954025e0ba6aaa6d586b9e0b60",
      "action": "block",
      "description": "Blocks traffic identified during investigation for MIR-31",
      "filter": {
        "id": "372e67954025e0ba6aaa6d586b9e0b61",
        "description": "Restrict access from these browsers on this address range.",
        "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
        "paused": false,
        "ref": "FIL-100"
      },
      "paused": false,
      "priority": 50,
      "products": ["waf"],
      "ref": "MIR-31"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Delete firewall rules

`firewall.rules.bulk_delete(RuleBulkDeleteParams**kwargs) -> SyncSinglePage[FirewallRule]`

**delete** `/zones/{zone_id}/firewall/rules`

Deletes existing firewall rules.

### Parameters

- `zone_id: str` Defines an identifier.

### Returns

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.rules.bulk_delete(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "372e67954025e0ba6aaa6d586b9e0b60",
      "action": "block",
      "description": "Blocks traffic identified during investigation for MIR-31",
      "filter": {
        "id": "372e67954025e0ba6aaa6d586b9e0b61",
        "description": "Restrict access from these browsers on this address range.",
        "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155",
        "paused": false,
        "ref": "FIL-100"
      },
      "paused": false,
      "priority": 50,
      "products": ["waf"],
      "ref": "MIR-31"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Deleted Filter

- `class DeletedFilter: …`
  - `id: str` The unique identifier of the filter.
  - `deleted: bool` When true, indicates that the firewall rule was deleted.

### Firewall Rule

- `class FirewallRule: …`
  - `id: Optional[str]` The unique identifier of the firewall rule.
  - `action: Optional[Action]` The action to apply to a matched request. The `log` action is only available on an Enterprise plan.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
    - `"allow"`
    - `"log"`
    - `"bypass"`
  - `description: Optional[str]` An informative summary of the firewall rule.
  - `filter: Optional[Filter]`
    - `class FirewallFilter: …`
      - `id: Optional[str]` The unique identifier of the filter.
      - `description: Optional[str]` An informative summary of the filter.
      - `expression: Optional[str]` The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).
      - `paused: Optional[bool]` When true, indicates that the filter is currently paused.
      - `ref: Optional[str]` A short reference tag. Allows you to select related filters.
    - `class DeletedFilter: …`
      - `id: str` The unique identifier of the filter.
      - `deleted: bool` When true, indicates that the firewall rule was deleted.
  - `paused: Optional[bool]` When true, indicates that the firewall rule is currently paused.
  - `priority: Optional[float]` The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.
  - `products: Optional[List[Product]]`
    - `"zoneLockdown"`
    - `"uaBlock"`
    - `"bic"`
    - `"hot"`
    - `"securityLevel"`
    - `"rateLimit"`
    - `"waf"`
  - `ref: Optional[str]` A short reference tag. Allows you to select related firewall rules.

### Product

- `Literal["zoneLockdown", "uaBlock", "bic", 4 more]` A list of products to bypass for a request when using the `bypass` action.
  - `"zoneLockdown"`
  - `"uaBlock"`
  - `"bic"`
  - `"hot"`
  - `"securityLevel"`
  - `"rateLimit"`
  - `"waf"`

# Access Rules

## List IP Access rules

`firewall.access_rules.list(AccessRuleListParams**kwargs) -> SyncV4PagePaginationArray[AccessRuleListResponse]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules`

Fetches IP Access rules of an account or zone. These rules apply to all the zones in the account or zone. You can filter the results using several optional parameters.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint.
  Mutually exclusive with the Account ID.
- `configuration: Optional[Configuration]`
  - `target: Optional[Literal["ip", "ip_range", "asn", "country"]]` Defines the target to search in existing rules.
    - `"ip"`
    - `"ip_range"`
    - `"asn"`
    - `"country"`
  - `value: Optional[str]` Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code.
- `direction: Optional[Literal["asc", "desc"]]` Defines the direction used to sort returned rules.
  - `"asc"`
  - `"desc"`
- `match: Optional[Literal["any", "all"]]` Defines the search requirements. When set to `all`, all the search requirements must match. When set to `any`, only one of the search requirements has to match.
  - `"any"`
  - `"all"`
- `mode: Optional[Literal["block", "challenge", "whitelist", 2 more]]` The action to apply to a matched request.
  - `"block"`
  - `"challenge"`
  - `"whitelist"`
  - `"js_challenge"`
  - `"managed_challenge"`
- `notes: Optional[str]` Defines the string to search for in the notes of existing IP Access rules. Notes: For example, the string 'attack' would match IP Access rules with notes 'Attack 26/02' and 'Attack 27/02'. The search is case insensitive.
- `order: Optional[Literal["configuration.target", "configuration.value", "mode"]]` Defines the field used to sort returned rules.
  - `"configuration.target"`
  - `"configuration.value"`
  - `"mode"`
- `page: Optional[float]` Defines the requested page within the paginated list of results.
- `per_page: Optional[float]` Defines the maximum number of results requested.

### Returns

- `class AccessRuleListResponse: …`
  - `id: str` The unique identifier of the IP Access rule.
  - `allowed_modes: List[Literal["block", "challenge", "whitelist", 2 more]]` The available actions that a rule can apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `configuration: Configuration` The rule configuration.
    - `class AccessRuleIPConfiguration: …`
      - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
        - `"ip"`
      - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class IPV6Configuration: …`
      - `target: Optional[Literal["ip6"]]` The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
        - `"ip6"`
      - `value: Optional[str]` The IPv6 address to match.
    - `class AccessRuleCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
        - `"ip_range"`
      - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
    - `class ASNConfiguration: …`
      - `target: Optional[Literal["asn"]]` The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
        - `"asn"`
      - `value: Optional[str]` The AS number to match.
    - `class CountryConfiguration: …`
      - `target: Optional[Literal["country"]]` The configuration target. You must set the target to `country` when specifying a country code in the rule.
        - `"country"`
      - `value: Optional[str]` The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
  - `mode: Literal["block", "challenge", "whitelist", 2 more]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `created_on: Optional[datetime]` The timestamp of when the rule was created.
  - `modified_on: Optional[datetime]` The timestamp of when the rule was last modified.
  - `notes: Optional[str]` An informative summary of the rule, typically used as a reminder or explanation.
  - `scope: Optional[Scope]` All zones owned by the user will have the rule applied.
    - `id: Optional[str]` Defines an identifier.
    - `email: Optional[str]` The contact email address of the user.
    - `type: Optional[Literal["user", "organization"]]` Defines the scope of the rule.
      - `"user"`
      - `"organization"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.access_rules.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "92f17202ed8bd63d69a66b86a49a8f6b",
      "allowed_modes": [
        "whitelist",
        "block",
        "challenge",
        "js_challenge",
        "managed_challenge"
      ],
      "configuration": {
        "target": "ip",
        "value": "198.51.100.4"
      },
      "mode": "challenge",
      "created_on": "2014-01-01T05:20:00.12345Z",
      "modified_on": "2014-01-01T05:20:00.12345Z",
      "notes": "This rule is enabled because of an event that occurred on date X.",
      "scope": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353",
        "email": "user@example.com",
        "type": "user"
      }
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get an IP Access rule

`firewall.access_rules.get(str rule_id, AccessRuleGetParams**kwargs) -> AccessRuleGetResponse`

**get**
`/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules/{rule_id}`

Fetches the details of an IP Access rule.

### Parameters

- `rule_id: str` Unique identifier for a rule.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class AccessRuleGetResponse: …`
  - `id: str` The unique identifier of the IP Access rule.
  - `allowed_modes: List[Literal["block", "challenge", "whitelist", 2 more]]` The available actions that a rule can apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `configuration: Configuration` The rule configuration.
    - `class AccessRuleIPConfiguration: …`
      - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
        - `"ip"`
      - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class IPV6Configuration: …`
      - `target: Optional[Literal["ip6"]]` The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
        - `"ip6"`
      - `value: Optional[str]` The IPv6 address to match.
    - `class AccessRuleCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
        - `"ip_range"`
      - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
    - `class ASNConfiguration: …`
      - `target: Optional[Literal["asn"]]` The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
        - `"asn"`
      - `value: Optional[str]` The AS number to match.
    - `class CountryConfiguration: …`
      - `target: Optional[Literal["country"]]` The configuration target. You must set the target to `country` when specifying a country code in the rule.
        - `"country"`
      - `value: Optional[str]` The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
  - `mode: Literal["block", "challenge", "whitelist", 2 more]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `created_on: Optional[datetime]` The timestamp of when the rule was created.
  - `modified_on: Optional[datetime]` The timestamp of when the rule was last modified.
  - `notes: Optional[str]` An informative summary of the rule, typically used as a reminder or explanation.
  - `scope: Optional[Scope]` All zones owned by the user will have the rule applied.
    - `id: Optional[str]` Defines an identifier.
    - `email: Optional[str]` The contact email address of the user.
    - `type: Optional[Literal["user", "organization"]]` Defines the scope of the rule.
      - `"user"`
      - `"organization"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
access_rule = client.firewall.access_rules.get(
    rule_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(access_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "92f17202ed8bd63d69a66b86a49a8f6b",
    "allowed_modes": [
      "whitelist",
      "block",
      "challenge",
      "js_challenge",
      "managed_challenge"
    ],
    "configuration": {
      "target": "ip",
      "value": "198.51.100.4"
    },
    "mode": "challenge",
    "created_on": "2014-01-01T05:20:00.12345Z",
    "modified_on": "2014-01-01T05:20:00.12345Z",
    "notes": "This rule is enabled because of an event that occurred on date X.",
    "scope": {
      "id": "023e105f4ecef8ad9ca31a8372d0c353",
      "email": "user@example.com",
      "type": "user"
    }
  },
  "success": true
}
```

## Create an IP Access rule

`firewall.access_rules.create(AccessRuleCreateParams**kwargs) -> AccessRuleCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules`

Creates a new IP Access rule for an account or zone. The rule will apply to all zones in the account or zone.

Note: To create an IP Access rule that applies to a single zone, refer to the [IP Access rules for a zone](#ip-access-rules-for-a-zone) endpoints.

### Parameters

- `configuration: Configuration` The rule configuration.
  - `class AccessRuleIPConfiguration: …`
    - `target: Optional[Literal["ip"]]` The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
      - `"ip"`
    - `value: Optional[str]` The IP address to match. This address will be compared to the IP address of incoming requests.
  - `class IPV6Configuration: …`
    - `target: Optional[Literal["ip6"]]` The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
      - `"ip6"`
    - `value: Optional[str]` The IPv6 address to match.
  - `class AccessRuleCIDRConfiguration: …`
    - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
      - `"ip_range"`
    - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
  - `class ASNConfiguration: …`
    - `target: Optional[Literal["asn"]]` The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
      - `"asn"`
    - `value: Optional[str]` The AS number to match.
  - `class CountryConfiguration: …`
    - `target: Optional[Literal["country"]]` The configuration target. You must set the target to `country` when specifying a country code in the rule.
      - `"country"`
    - `value: Optional[str]` The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
- `mode: Literal["block", "challenge", "whitelist", 2 more]` The action to apply to a matched request.
  - `"block"`
  - `"challenge"`
  - `"whitelist"`
  - `"js_challenge"`
  - `"managed_challenge"`
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `notes: Optional[str]` An informative summary of the rule, typically used as a reminder or explanation.

### Returns

- `class AccessRuleCreateResponse: …`
  - `id: str` The unique identifier of the IP Access rule.
  - `allowed_modes: List[Literal["block", "challenge", "whitelist", 2 more]]`
    The available actions that a rule can apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `configuration: Configuration`
    The rule configuration.
    - `class AccessRuleIPConfiguration: …`
      - `target: Optional[Literal["ip"]]`
        The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
        - `"ip"`
      - `value: Optional[str]`
        The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class IPV6Configuration: …`
      - `target: Optional[Literal["ip6"]]`
        The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
        - `"ip6"`
      - `value: Optional[str]`
        The IPv6 address to match.
    - `class AccessRuleCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]`
        The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
        - `"ip_range"`
      - `value: Optional[str]`
        The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
    - `class ASNConfiguration: …`
      - `target: Optional[Literal["asn"]]`
        The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
        - `"asn"`
      - `value: Optional[str]`
        The AS number to match.
    - `class CountryConfiguration: …`
      - `target: Optional[Literal["country"]]`
        The configuration target. You must set the target to `country` when specifying a country code in the rule.
        - `"country"`
      - `value: Optional[str]`
        The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
  - `mode: Literal["block", "challenge", "whitelist", 2 more]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `created_on: Optional[datetime]`
    The timestamp of when the rule was created.
  - `modified_on: Optional[datetime]`
    The timestamp of when the rule was last modified.
  - `notes: Optional[str]`
    An informative summary of the rule, typically used as a reminder or explanation.
  - `scope: Optional[Scope]`
    All zones owned by the user will have the rule applied.
    - `id: Optional[str]`
      Defines an identifier.
    - `email: Optional[str]`
      The contact email address of the user.
    - `type: Optional[Literal["user", "organization"]]`
      Defines the scope of the rule.
      - `"user"`
      - `"organization"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
access_rule = client.firewall.access_rules.create(
    configuration={},  # placeholder: set "target" and "value" as listed under Parameters
    mode="challenge",
    account_id="account_id",
)
print(access_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "92f17202ed8bd63d69a66b86a49a8f6b",
    "allowed_modes": [
      "whitelist",
      "block",
      "challenge",
      "js_challenge",
      "managed_challenge"
    ],
    "configuration": {
      "target": "ip",
      "value": "198.51.100.4"
    },
    "mode": "challenge",
    "created_on": "2014-01-01T05:20:00.12345Z",
    "modified_on": "2014-01-01T05:20:00.12345Z",
    "notes": "This rule is enabled because of an event that occurred on date X.",
    "scope": {
      "id": "023e105f4ecef8ad9ca31a8372d0c353",
      "email": "user@example.com",
      "type": "user"
    }
  },
  "success": true
}
```

## Update an IP Access rule

`firewall.access_rules.edit(strrule_id, AccessRuleEditParams**kwargs) -> AccessRuleEditResponse`

**patch**
`/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules/{rule_id}`

Updates an existing IP Access rule.

Note: This operation will affect all zones in the account or zone.

### Parameters

- `rule_id: str`
  Unique identifier for a rule.
- `configuration: Configuration`
  The rule configuration.
  - `class AccessRuleIPConfiguration: …`
    - `target: Optional[Literal["ip"]]`
      The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
      - `"ip"`
    - `value: Optional[str]`
      The IP address to match. This address will be compared to the IP address of incoming requests.
  - `class IPV6Configuration: …`
    - `target: Optional[Literal["ip6"]]`
      The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
      - `"ip6"`
    - `value: Optional[str]`
      The IPv6 address to match.
  - `class AccessRuleCIDRConfiguration: …`
    - `target: Optional[Literal["ip_range"]]`
      The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
      - `"ip_range"`
    - `value: Optional[str]`
      The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
  - `class ASNConfiguration: …`
    - `target: Optional[Literal["asn"]]`
      The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
      - `"asn"`
    - `value: Optional[str]`
      The AS number to match.
  - `class CountryConfiguration: …`
    - `target: Optional[Literal["country"]]`
      The configuration target. You must set the target to `country` when specifying a country code in the rule.
      - `"country"`
    - `value: Optional[str]`
      The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
- `mode: Literal["block", "challenge", "whitelist", 2 more]`
  The action to apply to a matched request.
  - `"block"`
  - `"challenge"`
  - `"whitelist"`
  - `"js_challenge"`
  - `"managed_challenge"`
- `account_id: Optional[str]`
  The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]`
  The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `notes: Optional[str]`
  An informative summary of the rule, typically used as a reminder or explanation.

### Returns

- `class AccessRuleEditResponse: …`
  - `id: str`
    The unique identifier of the IP Access rule.
  - `allowed_modes: List[Literal["block", "challenge", "whitelist", 2 more]]`
    The available actions that a rule can apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `configuration: Configuration`
    The rule configuration.
    - `class AccessRuleIPConfiguration: …`
      - `target: Optional[Literal["ip"]]`
        The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
        - `"ip"`
      - `value: Optional[str]`
        The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class IPV6Configuration: …`
      - `target: Optional[Literal["ip6"]]`
        The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
        - `"ip6"`
      - `value: Optional[str]`
        The IPv6 address to match.
    - `class AccessRuleCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]`
        The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
        - `"ip_range"`
      - `value: Optional[str]`
        The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
    - `class ASNConfiguration: …`
      - `target: Optional[Literal["asn"]]`
        The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
        - `"asn"`
      - `value: Optional[str]`
        The AS number to match.
    - `class CountryConfiguration: …`
      - `target: Optional[Literal["country"]]`
        The configuration target. You must set the target to `country` when specifying a country code in the rule.
        - `"country"`
      - `value: Optional[str]`
        The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
  - `mode: Literal["block", "challenge", "whitelist", 2 more]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `created_on: Optional[datetime]`
    The timestamp of when the rule was created.
  - `modified_on: Optional[datetime]`
    The timestamp of when the rule was last modified.
  - `notes: Optional[str]`
    An informative summary of the rule, typically used as a reminder or explanation.
  - `scope: Optional[Scope]`
    All zones owned by the user will have the rule applied.
    - `id: Optional[str]`
      Defines an identifier.
    - `email: Optional[str]`
      The contact email address of the user.
    - `type: Optional[Literal["user", "organization"]]`
      Defines the scope of the rule.
      - `"user"`
      - `"organization"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.firewall.access_rules.edit(
    rule_id="023e105f4ecef8ad9ca31a8372d0c353",
    configuration={},  # placeholder: set "target" and "value" as listed under Parameters
    mode="challenge",
    account_id="account_id",
)
print(response.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "92f17202ed8bd63d69a66b86a49a8f6b",
    "allowed_modes": [
      "whitelist",
      "block",
      "challenge",
      "js_challenge",
      "managed_challenge"
    ],
    "configuration": {
      "target": "ip",
      "value": "198.51.100.4"
    },
    "mode": "challenge",
    "created_on": "2014-01-01T05:20:00.12345Z",
    "modified_on": "2014-01-01T05:20:00.12345Z",
    "notes": "This rule is enabled because of an event that occurred on date X.",
    "scope": {
      "id": "023e105f4ecef8ad9ca31a8372d0c353",
      "email": "user@example.com",
      "type": "user"
    }
  },
  "success": true
}
```

## Delete an IP Access rule

`firewall.access_rules.delete(strrule_id, AccessRuleDeleteParams**kwargs) -> AccessRuleDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules/{rule_id}`

Deletes an existing IP Access rule.

Note: This operation will affect all zones in the account or zone.

### Parameters

- `rule_id: str`
  Unique identifier for a rule.
- `account_id: Optional[str]`
  The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]`
  The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class AccessRuleDeleteResponse: …`
  - `id: str`
    Defines an identifier.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
access_rule = client.firewall.access_rules.delete(
    rule_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(access_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "023e105f4ecef8ad9ca31a8372d0c353"
  },
  "success": true
}
```

## Domain Types

### Access Rule CIDR Configuration

- `class AccessRuleCIDRConfiguration: …`
  - `target: Optional[Literal["ip_range"]]`
    The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
    - `"ip_range"`
  - `value: Optional[str]`
    The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.

### Access Rule IP Configuration

- `class AccessRuleIPConfiguration: …`
  - `target: Optional[Literal["ip"]]`
    The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
    - `"ip"`
  - `value: Optional[str]`
    The IP address to match. This address will be compared to the IP address of incoming requests.

### ASN Configuration

- `class ASNConfiguration: …`
  - `target: Optional[Literal["asn"]]`
    The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
    - `"asn"`
  - `value: Optional[str]`
    The AS number to match.

### Country Configuration

- `class CountryConfiguration: …`
  - `target: Optional[Literal["country"]]`
    The configuration target. You must set the target to `country` when specifying a country code in the rule.
    - `"country"`
  - `value: Optional[str]`
    The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).

### IPV6 Configuration

- `class IPV6Configuration: …`
  - `target: Optional[Literal["ip6"]]`
    The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
    - `"ip6"`
  - `value: Optional[str]`
    The IPv6 address to match.

### Access Rule List Response

- `class AccessRuleListResponse: …`
  - `id: str`
    The unique identifier of the IP Access rule.
  - `allowed_modes: List[Literal["block", "challenge", "whitelist", 2 more]]`
    The available actions that a rule can apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `configuration: Configuration`
    The rule configuration.
    - `class AccessRuleIPConfiguration: …`
      - `target: Optional[Literal["ip"]]`
        The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
        - `"ip"`
      - `value: Optional[str]`
        The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class IPV6Configuration: …`
      - `target: Optional[Literal["ip6"]]`
        The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
        - `"ip6"`
      - `value: Optional[str]`
        The IPv6 address to match.
    - `class AccessRuleCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]`
        The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
        - `"ip_range"`
      - `value: Optional[str]`
        The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
    - `class ASNConfiguration: …`
      - `target: Optional[Literal["asn"]]`
        The configuration target.
        You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
        - `"asn"`
      - `value: Optional[str]`
        The AS number to match.
    - `class CountryConfiguration: …`
      - `target: Optional[Literal["country"]]`
        The configuration target. You must set the target to `country` when specifying a country code in the rule.
        - `"country"`
      - `value: Optional[str]`
        The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
  - `mode: Literal["block", "challenge", "whitelist", 2 more]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `created_on: Optional[datetime]`
    The timestamp of when the rule was created.
  - `modified_on: Optional[datetime]`
    The timestamp of when the rule was last modified.
  - `notes: Optional[str]`
    An informative summary of the rule, typically used as a reminder or explanation.
  - `scope: Optional[Scope]`
    All zones owned by the user will have the rule applied.
    - `id: Optional[str]`
      Defines an identifier.
    - `email: Optional[str]`
      The contact email address of the user.
    - `type: Optional[Literal["user", "organization"]]`
      Defines the scope of the rule.
      - `"user"`
      - `"organization"`

### Access Rule Get Response

- `class AccessRuleGetResponse: …`
  - `id: str`
    The unique identifier of the IP Access rule.
  - `allowed_modes: List[Literal["block", "challenge", "whitelist", 2 more]]`
    The available actions that a rule can apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `configuration: Configuration`
    The rule configuration.
    - `class AccessRuleIPConfiguration: …`
      - `target: Optional[Literal["ip"]]`
        The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
        - `"ip"`
      - `value: Optional[str]`
        The IP address to match.
        This address will be compared to the IP address of incoming requests.
    - `class IPV6Configuration: …`
      - `target: Optional[Literal["ip6"]]`
        The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
        - `"ip6"`
      - `value: Optional[str]`
        The IPv6 address to match.
    - `class AccessRuleCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]`
        The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
        - `"ip_range"`
      - `value: Optional[str]`
        The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
    - `class ASNConfiguration: …`
      - `target: Optional[Literal["asn"]]`
        The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
        - `"asn"`
      - `value: Optional[str]`
        The AS number to match.
    - `class CountryConfiguration: …`
      - `target: Optional[Literal["country"]]`
        The configuration target. You must set the target to `country` when specifying a country code in the rule.
        - `"country"`
      - `value: Optional[str]`
        The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
  - `mode: Literal["block", "challenge", "whitelist", 2 more]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `created_on: Optional[datetime]`
    The timestamp of when the rule was created.
  - `modified_on: Optional[datetime]`
    The timestamp of when the rule was last modified.
  - `notes: Optional[str]`
    An informative summary of the rule, typically used as a reminder or explanation.
  - `scope: Optional[Scope]`
    All zones owned by the user will have the rule applied.
    - `id: Optional[str]`
      Defines an identifier.
    - `email: Optional[str]`
      The contact email address of the user.
    - `type: Optional[Literal["user", "organization"]]`
      Defines the scope of the rule.
      - `"user"`
      - `"organization"`

### Access Rule Create Response

- `class AccessRuleCreateResponse: …`
  - `id: str`
    The unique identifier of the IP Access rule.
  - `allowed_modes: List[Literal["block", "challenge", "whitelist", 2 more]]`
    The available actions that a rule can apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `configuration: Configuration`
    The rule configuration.
    - `class AccessRuleIPConfiguration: …`
      - `target: Optional[Literal["ip"]]`
        The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
        - `"ip"`
      - `value: Optional[str]`
        The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class IPV6Configuration: …`
      - `target: Optional[Literal["ip6"]]`
        The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
        - `"ip6"`
      - `value: Optional[str]`
        The IPv6 address to match.
    - `class AccessRuleCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]`
        The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
        - `"ip_range"`
      - `value: Optional[str]`
        The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
    - `class ASNConfiguration: …`
      - `target: Optional[Literal["asn"]]`
        The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
        - `"asn"`
      - `value: Optional[str]`
        The AS number to match.
    - `class CountryConfiguration: …`
      - `target: Optional[Literal["country"]]`
        The configuration target. You must set the target to `country` when specifying a country code in the rule.
        - `"country"`
      - `value: Optional[str]`
        The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
  - `mode: Literal["block", "challenge", "whitelist", 2 more]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `created_on: Optional[datetime]`
    The timestamp of when the rule was created.
  - `modified_on: Optional[datetime]`
    The timestamp of when the rule was last modified.
  - `notes: Optional[str]`
    An informative summary of the rule, typically used as a reminder or explanation.
  - `scope: Optional[Scope]`
    All zones owned by the user will have the rule applied.
    - `id: Optional[str]`
      Defines an identifier.
    - `email: Optional[str]`
      The contact email address of the user.
    - `type: Optional[Literal["user", "organization"]]`
      Defines the scope of the rule.
      - `"user"`
      - `"organization"`

### Access Rule Edit Response

- `class AccessRuleEditResponse: …`
  - `id: str`
    The unique identifier of the IP Access rule.
  - `allowed_modes: List[Literal["block", "challenge", "whitelist", 2 more]]`
    The available actions that a rule can apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `configuration: Configuration`
    The rule configuration.
    - `class AccessRuleIPConfiguration: …`
      - `target: Optional[Literal["ip"]]`
        The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
        - `"ip"`
      - `value: Optional[str]`
        The IP address to match. This address will be compared to the IP address of incoming requests.
    - `class IPV6Configuration: …`
      - `target: Optional[Literal["ip6"]]`
        The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
        - `"ip6"`
      - `value: Optional[str]`
        The IPv6 address to match.
    - `class AccessRuleCIDRConfiguration: …`
      - `target: Optional[Literal["ip_range"]]`
        The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
        - `"ip_range"`
      - `value: Optional[str]`
        The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
    - `class ASNConfiguration: …`
      - `target: Optional[Literal["asn"]]`
        The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
        - `"asn"`
      - `value: Optional[str]`
        The AS number to match.
    - `class CountryConfiguration: …`
      - `target: Optional[Literal["country"]]`
        The configuration target. You must set the target to `country` when specifying a country code in the rule.
        - `"country"`
      - `value: Optional[str]`
        The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
  - `mode: Literal["block", "challenge", "whitelist", 2 more]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"whitelist"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `created_on: Optional[datetime]`
    The timestamp of when the rule was created.
  - `modified_on: Optional[datetime]`
    The timestamp of when the rule was last modified.
  - `notes: Optional[str]`
    An informative summary of the rule, typically used as a reminder or explanation.
  - `scope: Optional[Scope]`
    All zones owned by the user will have the rule applied.
    - `id: Optional[str]`
      Defines an identifier.
    - `email: Optional[str]`
      The contact email address of the user.
    - `type: Optional[Literal["user", "organization"]]`
      Defines the scope of the rule.
      - `"user"`
      - `"organization"`

### Access Rule Delete Response

- `class AccessRuleDeleteResponse: …`
  - `id: str`
    Defines an identifier.
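
The configuration types above each pair one `target` with one kind of `value`, and `ip_range` accepts only the prefix lengths `/16` and `/24` (IPv4) or `/32`, `/48` and `/64` (IPv6). The following added example (not part of the Cloudflare SDK or its documentation) checks raw entries against those constraints before anything is sent to the API; `build_configuration`, `rule_params` and `plan` are hypothetical helpers, and the `AS<number>` spelling for ASN values is an assumption.

```python
import ipaddress
import re

# Prefix lengths documented for `ip_range` values, keyed by IP version.
ALLOWED_PREFIXES = {4: (16, 24), 6: (32, 48, 64)}
# Modes documented for IP Access rules.
ALLOWED_MODES = ("block", "challenge", "whitelist", "js_challenge", "managed_challenge")

_ASN_RE = re.compile(r"^AS(\d{1,10})$", re.IGNORECASE)
_COUNTRY_RE = re.compile(r"^[A-Za-z]{2}$")


def build_configuration(raw: str) -> dict:
    """Return the {"target", "value"} pair for one entry, or raise ValueError."""
    value = raw.strip()

    if "/" in value:
        # strict=True rejects ranges with host bits set (e.g. 198.51.100.4/24),
        # which usually means a single address was pasted with a stray mask.
        net = ipaddress.ip_network(value, strict=True)
        allowed = ALLOWED_PREFIXES[net.version]
        if net.prefixlen not in allowed:
            raise ValueError(
                f"{value}: /{net.prefixlen} not allowed for IPv{net.version}; "
                f"use one of {', '.join('/' + str(p) for p in allowed)}"
            )
        return {"target": "ip_range", "value": str(net)}

    asn = _ASN_RE.match(value)
    if asn:
        number = int(asn.group(1))
        if not 1 <= number <= 4294967295:  # 32-bit ASN space
            raise ValueError(f"{value}: ASN out of range")
        # Assumption: the API takes the "AS<number>" spelling.
        return {"target": "asn", "value": f"AS{number}"}

    if _COUNTRY_RE.match(value):
        # Shape check only; this does not consult the ISO 3166-1 list.
        # Note that a bare "AS" lands here (country), not in the ASN branch.
        return {"target": "country", "value": value.upper()}

    addr = ipaddress.ip_address(value)  # raises ValueError on anything else
    return {"target": "ip" if addr.version == 4 else "ip6", "value": str(addr)}


def rule_params(raw, mode, notes, *, account_id=None, zone_id=None) -> dict:
    """Keyword arguments for client.firewall.access_rules.create()."""
    if mode not in ALLOWED_MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if (account_id is None) == (zone_id is None):
        # account_id and zone_id are documented as mutually exclusive.
        raise ValueError("pass exactly one of account_id or zone_id")
    params = {"configuration": build_configuration(raw), "mode": mode, "notes": notes}
    if account_id is not None:
        params["account_id"] = account_id
    else:
        params["zone_id"] = zone_id
    return params


def plan(entries, mode, notes, **scope):
    """Split raw entries into API-ready params and rejected inputs with reasons."""
    ready, rejected = [], []
    for raw in entries:
        try:
            ready.append(rule_params(raw, mode, notes, **scope))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return ready, rejected


# Constructed sample input (documentation address ranges and a documentation ASN).
SAMPLE = [
    "198.51.100.4", "2001:DB8:100::CF", "198.51.100.0/24", "198.51.100.0/25",
    "198.51.100.4/24", "2001:db8::/32", "as64496", "AS", "not-an-ip",
]

if __name__ == "__main__":
    ready, rejected = plan(SAMPLE, "challenge", "constructed example", account_id="account_id")
    for params in ready:
        print("ok      ", params["configuration"])
        # With a real client: client.firewall.access_rules.create(**params)
    for raw, reason in rejected:
        print("rejected", raw, "->", reason)
```

Rejecting an entry locally keeps a mistyped range from becoming a rule that matches more or fewer clients than intended, which matters most for `whitelist` and `block` modes.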
# UA Rules

## List User Agent Blocking rules

`firewall.ua_rules.list(UARuleListParams**kwargs) -> SyncV4PagePaginationArray[UARuleListResponse]`

**get** `/zones/{zone_id}/firewall/ua_rules`

Fetches User Agent Blocking rules in a zone. You can filter the results using several optional parameters.

### Parameters

- `zone_id: str`
  Defines an identifier.
- `description: Optional[str]`
  A string to search for in the description of existing rules.
- `page: Optional[float]`
  Page number of paginated results.
- `paused: Optional[bool]`
  When true, indicates that the rule is currently paused.
- `per_page: Optional[float]`
  The maximum number of results per page. You can only set the value to `1` or to a multiple of 5 such as `5`, `10`, `15`, or `20`.
- `user_agent: Optional[str]`
  A string to search for in the user agent values of existing rules.

### Returns

- `class UARuleListResponse: …`
  - `id: Optional[str]`
    The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]`
    The configuration object for the current rule.
    - `target: Optional[str]`
      The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]`
      The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]`
    An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]`
    When true, indicates that the rule is currently paused.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.ua_rules.list(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "372e67954025e0ba6aaa6d586b9e0b59",
      "configuration": {
        "target": "ua",
        "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
      },
      "description": "Prevent access from abusive clients identified by this User Agent to mitigate a DDoS attack",
      "mode": "js_challenge",
      "paused": false
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a User Agent Blocking rule

`firewall.ua_rules.get(strua_rule_id, UARuleGetParams**kwargs) -> UARuleGetResponse`

**get** `/zones/{zone_id}/firewall/ua_rules/{ua_rule_id}`

Fetches the details of a User Agent Blocking rule.

### Parameters

- `zone_id: str`
  Defines an identifier.
- `ua_rule_id: str`
  The unique identifier of the User Agent Blocking rule.

### Returns

- `class UARuleGetResponse: …`
  - `id: Optional[str]`
    The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]`
    The configuration object for the current rule.
    - `target: Optional[str]`
      The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]`
      The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]`
    An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]`
    When true, indicates that the rule is currently paused.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ua_rule = client.firewall.ua_rules.get(
    ua_rule_id="372e67954025e0ba6aaa6d586b9e0b59",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(ua_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b59",
    "configuration": {
      "target": "ua",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
    },
    "description": "Prevent access from abusive clients identified by this User Agent to mitigate a DDoS attack",
    "mode": "js_challenge",
    "paused": false
  },
  "success": true
}
```

## Create a User Agent Blocking rule

`firewall.ua_rules.create(UARuleCreateParams**kwargs) -> UARuleCreateResponse`

**post** `/zones/{zone_id}/firewall/ua_rules`

Creates a new User Agent Blocking rule in a zone.

### Parameters

- `zone_id: str`
  Defines an identifier.
- `configuration: Configuration`
  - `target: Optional[Literal["ua"]]`
    The configuration target. You must set the target to `ua` when specifying a user agent in the rule.
    - `"ua"`
  - `value: Optional[str]`
    The user agent to exactly match.
- `mode: Literal["block", "challenge", "whitelist", 2 more]`
  The action to apply to a matched request.
  - `"block"`
  - `"challenge"`
  - `"whitelist"`
  - `"js_challenge"`
  - `"managed_challenge"`
- `description: Optional[str]`
  An informative summary of the rule. This value is sanitized and any tags will be removed.
- `paused: Optional[bool]`
  When true, indicates that the rule is currently paused.

### Returns

- `class UARuleCreateResponse: …`
  - `id: Optional[str]`
    The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]`
    The configuration object for the current rule.
    - `target: Optional[str]`
      The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]`
      The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]`
    An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]`
    The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]`
    When true, indicates that the rule is currently paused.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ua_rule = client.firewall.ua_rules.create(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    configuration={},  # placeholder: set "target" and "value" as listed under Parameters
    mode="challenge",
)
print(ua_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b59",
    "configuration": {
      "target": "ua",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
    },
    "description": "Prevent access from abusive clients identified by this User Agent to mitigate a DDoS attack",
    "mode": "js_challenge",
    "paused": false
  },
  "success": true
}
```

## Update a User Agent Blocking rule

`firewall.ua_rules.update(strua_rule_id, UARuleUpdateParams**kwargs) -> UARuleUpdateResponse`

**put** `/zones/{zone_id}/firewall/ua_rules/{ua_rule_id}`

Updates an existing User Agent Blocking rule.

### Parameters

- `zone_id: str`
  Defines an identifier.
- `ua_rule_id: str`
  The unique identifier of the User Agent Blocking rule.
- `configuration: Configuration`
  The rule configuration.
  - `class AccessRuleIPConfiguration: …`
    - `target: Optional[Literal["ip"]]`
      The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
      - `"ip"`
    - `value: Optional[str]`
      The IP address to match. This address will be compared to the IP address of incoming requests.
  - `class IPV6Configuration: …`
    - `target: Optional[Literal["ip6"]]`
      The configuration target. You must set the target to `ip6` when specifying an IPv6 address in the rule.
      - `"ip6"`
    - `value: Optional[str]`
      The IPv6 address to match.
  - `class AccessRuleCIDRConfiguration: …`
    - `target: Optional[Literal["ip_range"]]` The configuration target. You must set the target to `ip_range` when specifying an IP address range in the rule.
      - `"ip_range"`
    - `value: Optional[str]` The IP address range to match. You can only use prefix lengths `/16` and `/24` for IPv4 ranges, and prefix lengths `/32`, `/48`, and `/64` for IPv6 ranges.
  - `class ASNConfiguration: …`
    - `target: Optional[Literal["asn"]]` The configuration target. You must set the target to `asn` when specifying an Autonomous System Number (ASN) in the rule.
      - `"asn"`
    - `value: Optional[str]` The AS number to match.
  - `class CountryConfiguration: …`
    - `target: Optional[Literal["country"]]` The configuration target. You must set the target to `country` when specifying a country code in the rule.
      - `"country"`
    - `value: Optional[str]` The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to [IP Access rules: Parameters](https://developers.cloudflare.com/waf/tools/ip-access-rules/parameters/#country).
- `mode: Literal["block", "challenge", "whitelist", 2 more]` The action to apply to a matched request.
  - `"block"`
  - `"challenge"`
  - `"whitelist"`
  - `"js_challenge"`
  - `"managed_challenge"`
- `description: Optional[str]` An informative summary of the rule. This value is sanitized and any tags will be removed.
- `paused: Optional[bool]` When true, indicates that the rule is currently paused.

### Returns

- `class UARuleUpdateResponse: …`
  - `id: Optional[str]` The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]` The configuration object for the current rule.
    - `target: Optional[str]` The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]` The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]` An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ua_rule = client.firewall.ua_rules.update(
    ua_rule_id="372e67954025e0ba6aaa6d586b9e0b59",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    configuration={},
    mode="challenge",
)
print(ua_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b59",
    "configuration": {
      "target": "ua",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
    },
    "description": "Prevent access from abusive clients identified by this User Agent to mitigate a DDoS attack",
    "mode": "js_challenge",
    "paused": false
  },
  "success": true
}
```

## Delete a User Agent Blocking rule

`firewall.ua_rules.delete(strua_rule_id, UARuleDeleteParams**kwargs) -> UARuleDeleteResponse`

**delete** `/zones/{zone_id}/firewall/ua_rules/{ua_rule_id}`

Deletes an existing User Agent Blocking rule.

### Parameters

- `zone_id: str` Defines an identifier.
- `ua_rule_id: str` The unique identifier of the User Agent Blocking rule.

### Returns

- `class UARuleDeleteResponse: …`
  - `id: Optional[str]` The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]` The configuration object for the current rule.
    - `target: Optional[str]` The configuration target for this rule.
      You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]` The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]` An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ua_rule = client.firewall.ua_rules.delete(
    ua_rule_id="372e67954025e0ba6aaa6d586b9e0b59",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(ua_rule.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "372e67954025e0ba6aaa6d586b9e0b59",
    "configuration": {
      "target": "ua",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
    },
    "description": "Prevent access from abusive clients identified by this User Agent to mitigate a DDoS attack",
    "mode": "js_challenge",
    "paused": false
  },
  "success": true
}
```

## Domain Types

### UA Rule List Response

- `class UARuleListResponse: …`
  - `id: Optional[str]` The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]` The configuration object for the current rule.
    - `target: Optional[str]` The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]` The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]` An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.

### UA Rule Get Response

- `class UARuleGetResponse: …`
  - `id: Optional[str]` The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]` The configuration object for the current rule.
    - `target: Optional[str]` The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]` The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]` An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.

### UA Rule Create Response

- `class UARuleCreateResponse: …`
  - `id: Optional[str]` The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]` The configuration object for the current rule.
    - `target: Optional[str]` The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]` The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]` An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.

### UA Rule Update Response

- `class UARuleUpdateResponse: …`
  - `id: Optional[str]` The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]` The configuration object for the current rule.
    - `target: Optional[str]` The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]` The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]` An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.

### UA Rule Delete Response

- `class UARuleDeleteResponse: …`
  - `id: Optional[str]` The unique identifier of the User Agent Blocking rule.
  - `configuration: Optional[Configuration]` The configuration object for the current rule.
    - `target: Optional[str]` The configuration target for this rule. You must set the target to `ua` for User Agent Blocking rules.
    - `value: Optional[str]` The exact user agent string to match. This value will be compared to the received `User-Agent` HTTP header value.
  - `description: Optional[str]` An informative summary of the rule.
  - `mode: Optional[Literal["block", "challenge", "js_challenge", "managed_challenge"]]` The action to apply to a matched request.
    - `"block"`
    - `"challenge"`
    - `"js_challenge"`
    - `"managed_challenge"`
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.
# WAF

# Overrides

## List WAF overrides

`firewall.waf.overrides.list(OverrideListParams**kwargs) -> SyncV4PagePaginationArray[Override]`

**get** `/zones/{zone_id}/firewall/waf/overrides`

Fetches the URI-based WAF overrides in a zone.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier.
- `page: Optional[float]` The page number of paginated results.
- `per_page: Optional[float]` The number of WAF overrides per page.

### Returns

- `class Override: …`
  - `id: Optional[str]` The unique identifier of the WAF override.
  - `description: Optional[str]` An informative summary of the current URI-based WAF override.
  - `groups: Optional[Dict[str, object]]` An object that allows you to enable or disable WAF rule groups for the current WAF override. Each key of this object must be the ID of a WAF rule group, and each value must be a valid WAF action (usually `default` or `disable`). When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.
  - `priority: Optional[float]` The relative priority of the current URI-based WAF override when multiple overrides match a single URL. A lower number indicates higher priority. Higher priority overrides may overwrite values set by lower priority overrides.
  - `rewrite_action: Optional[RewriteAction]` Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.
    - `block: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `challenge: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `default: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `disable: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `simulate: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
  - `rules: Optional[WAFRule]` An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action. Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to. When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `urls: Optional[List[OverrideURL]]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.waf.overrides.list(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "de677e5818985db1285d0e80225f06e5",
      "description": "Enable Cloudflare Magento ruleset for shop.example.com",
      "groups": {
        "ea8687e59929c1fd05ba97574ad43f77": "bar"
      },
      "paused": true,
      "priority": 1,
      "rewrite_action": {
        "block": "challenge",
        "challenge": "challenge",
        "default": "challenge",
        "disable": "challenge",
        "simulate": "challenge"
      },
      "rules": {
        "100015": "disable"
      },
      "urls": [
        "shop.example.com/*"
      ]
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a WAF override

`firewall.waf.overrides.get(stroverrides_id, OverrideGetParams**kwargs) -> Override`

**get** `/zones/{zone_id}/firewall/waf/overrides/{overrides_id}`

Fetches the details of a URI-based WAF override.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier.
- `overrides_id: str` The unique identifier of the WAF override.

### Returns

- `class Override: …`
  - `id: Optional[str]` The unique identifier of the WAF override.
  - `description: Optional[str]` An informative summary of the current URI-based WAF override.
  - `groups: Optional[Dict[str, object]]` An object that allows you to enable or disable WAF rule groups for the current WAF override. Each key of this object must be the ID of a WAF rule group, and each value must be a valid WAF action (usually `default` or `disable`). When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.
  - `priority: Optional[float]` The relative priority of the current URI-based WAF override when multiple overrides match a single URL. A lower number indicates higher priority. Higher priority overrides may overwrite values set by lower priority overrides.
  - `rewrite_action: Optional[RewriteAction]` Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.
    - `block: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `challenge: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `default: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `disable: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `simulate: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
  - `rules: Optional[WAFRule]` An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action.
    Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to. When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `urls: Optional[List[OverrideURL]]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
override = client.firewall.waf.overrides.get(
    overrides_id="de677e5818985db1285d0e80225f06e5",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(override.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "de677e5818985db1285d0e80225f06e5",
    "description": "Enable Cloudflare Magento ruleset for shop.example.com",
    "groups": {
      "ea8687e59929c1fd05ba97574ad43f77": "bar"
    },
    "paused": true,
    "priority": 1,
    "rewrite_action": {
      "block": "challenge",
      "challenge": "challenge",
      "default": "challenge",
      "disable": "challenge",
      "simulate": "challenge"
    },
    "rules": {
      "100015": "disable"
    },
    "urls": [
      "shop.example.com/*"
    ]
  },
  "success": true
}
```

## Create a WAF override

`firewall.waf.overrides.create(OverrideCreateParams**kwargs) -> Override`

**post** `/zones/{zone_id}/firewall/waf/overrides`

Creates a URI-based WAF override for a zone.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).
### Parameters

- `zone_id: str` Defines an identifier.
- `urls: SequenceNotStr[OverrideURL]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Returns

- `class Override: …`
  - `id: Optional[str]` The unique identifier of the WAF override.
  - `description: Optional[str]` An informative summary of the current URI-based WAF override.
  - `groups: Optional[Dict[str, object]]` An object that allows you to enable or disable WAF rule groups for the current WAF override. Each key of this object must be the ID of a WAF rule group, and each value must be a valid WAF action (usually `default` or `disable`). When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.
  - `priority: Optional[float]` The relative priority of the current URI-based WAF override when multiple overrides match a single URL. A lower number indicates higher priority. Higher priority overrides may overwrite values set by lower priority overrides.
  - `rewrite_action: Optional[RewriteAction]` Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.
    - `block: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `challenge: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `default: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `disable: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `simulate: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
  - `rules: Optional[WAFRule]` An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action. Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to. When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `urls: Optional[List[OverrideURL]]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
override = client.firewall.waf.overrides.create(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    urls=["shop.example.com/*"],
)
print(override.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "de677e5818985db1285d0e80225f06e5",
    "description": "Enable Cloudflare Magento ruleset for shop.example.com",
    "groups": {
      "ea8687e59929c1fd05ba97574ad43f77": "bar"
    },
    "paused": true,
    "priority": 1,
    "rewrite_action": {
      "block": "challenge",
      "challenge": "challenge",
      "default": "challenge",
      "disable": "challenge",
      "simulate": "challenge"
    },
    "rules": {
      "100015": "disable"
    },
    "urls": [
      "shop.example.com/*"
    ]
  },
  "success": true
}
```
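
An added example (not Cloudflare's code) that audits override objects shaped like the `result` entries above for settings that lower protection: rules set to `disable` or `simulate`, disabled groups, and `rewrite_action` downgrades, reported in priority order with the sensitive URLs each override covers. The strictness ranking, the `url_matches` wildcard model, the helper names, and the second and third sample overrides are assumptions of this example.

```python
import re

# Assumed strictness order for this example: a higher number protects more.
# "default" keeps the rule's own action, so it is never counted as a downgrade.
STRICTNESS = {"disable": 0, "simulate": 1, "challenge": 2, "block": 3}


def url_matches(pattern, url):
    """Model of a simple wildcard pattern: every character is literal except '*'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def weakening_findings(override):
    """Return the ways one override lowers protection (empty list if none)."""
    findings = []
    for rule_id, action in sorted((override.get("rules") or {}).items()):
        if action in ("disable", "simulate"):
            findings.append(f"rule {rule_id} set to {action}")
    for group_id, action in sorted((override.get("groups") or {}).items()):
        if action == "disable":
            findings.append(f"group {group_id} disabled")
    rewrites = override.get("rewrite_action") or {}
    for configured, replacement in sorted(rewrites.items()):
        if configured in STRICTNESS and replacement in STRICTNESS:
            if STRICTNESS[replacement] < STRICTNESS[configured]:
                findings.append(f"rewrite_action turns {configured} into {replacement}")
    return findings


def audit(overrides, sensitive_urls):
    """Report weakening overrides, highest priority (lowest number) first."""
    ordered = sorted(
        overrides,
        key=lambda o: (o.get("priority") is None, o.get("priority") or 0),
    )
    report = []
    for o in ordered:
        findings = weakening_findings(o)
        if not findings:
            continue
        patterns = o.get("urls") or []
        covered = [u for u in sensitive_urls if any(url_matches(p, u) for p in patterns)]
        report.append({
            "id": o.get("id"),
            "active": not o.get("paused", False),  # paused overrides are reported but inactive
            "findings": findings,
            "sensitive_urls": covered,
        })
    return report


SAMPLE_OVERRIDES = [
    {   # Constructed: tightens a rule, so it must not appear in the report.
        "id": "constructed-override-2", "paused": False, "priority": 5,
        "rules": {"100015": "block"}, "urls": ["shop.example.com/checkout/*"],
    },
    {   # Constructed: no priority, disables a group and downgrades block.
        "id": "constructed-override-3", "paused": False,
        "groups": {"constructed-group-id": "disable"},
        "rewrite_action": {"block": "simulate"},
        "urls": ["*.example.com/api/*"],
    },
    {   # The sample result object shown in the Response above.
        "id": "de677e5818985db1285d0e80225f06e5", "paused": True, "priority": 1,
        "groups": {"ea8687e59929c1fd05ba97574ad43f77": "bar"},
        "rewrite_action": {"block": "challenge", "challenge": "challenge",
                           "default": "challenge", "disable": "challenge",
                           "simulate": "challenge"},
        "rules": {"100015": "disable"}, "urls": ["shop.example.com/*"],
    },
]

# Constructed list of URLs the defender cares about.
SENSITIVE_URLS = ["shop.example.com/admin/login", "pay.example.com/api/charge"]

if __name__ == "__main__":
    for entry in audit(SAMPLE_OVERRIDES, SENSITIVE_URLS):
        state = "active" if entry["active"] else "paused"
        print(f'{entry["id"]} ({state}): {"; ".join(entry["findings"])}')
        print(f'  covers: {entry["sensitive_urls"]}')
```
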
## Update WAF override

`firewall.waf.overrides.update(stroverrides_id, OverrideUpdateParams**kwargs) -> Override`

**put** `/zones/{zone_id}/firewall/waf/overrides/{overrides_id}`

Updates an existing URI-based WAF override.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier.
- `overrides_id: str` The unique identifier of the WAF override.
- `id: str` Defines an identifier.
- `rewrite_action: RewriteActionParam` Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.
  - `block: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `challenge: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `default: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `disable: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `simulate: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
- `rules: WAFRuleParam` An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action. Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to.
  When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
  - `"challenge"`
  - `"block"`
  - `"simulate"`
  - `"disable"`
  - `"default"`
- `urls: SequenceNotStr[OverrideURL]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Returns

- `class Override: …`
  - `id: Optional[str]` The unique identifier of the WAF override.
  - `description: Optional[str]` An informative summary of the current URI-based WAF override.
  - `groups: Optional[Dict[str, object]]` An object that allows you to enable or disable WAF rule groups for the current WAF override. Each key of this object must be the ID of a WAF rule group, and each value must be a valid WAF action (usually `default` or `disable`). When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.
  - `priority: Optional[float]` The relative priority of the current URI-based WAF override when multiple overrides match a single URL. A lower number indicates higher priority. Higher priority overrides may overwrite values set by lower priority overrides.
  - `rewrite_action: Optional[RewriteAction]` Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.
    - `block: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `challenge: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `default: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `disable: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `simulate: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
  - `rules: Optional[WAFRule]` An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action. Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to. When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `urls: Optional[List[OverrideURL]]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
override = client.firewall.waf.overrides.update(
    overrides_id="de677e5818985db1285d0e80225f06e5",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    id="023e105f4ecef8ad9ca31a8372d0c353",
    rewrite_action={},
    rules={
        "100015": "disable"
    },
    urls=["shop.example.com/*"],
)
print(override.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "de677e5818985db1285d0e80225f06e5",
    "description": "Enable Cloudflare Magento ruleset for shop.example.com",
    "groups": {
      "ea8687e59929c1fd05ba97574ad43f77": "bar"
    },
    "paused": true,
    "priority": 1,
    "rewrite_action": {
      "block": "challenge",
      "challenge": "challenge",
      "default": "challenge",
      "disable": "challenge",
      "simulate": "challenge"
    },
    "rules": {
      "100015": "disable"
    },
    "urls": [
      "shop.example.com/*"
    ]
  },
  "success": true
}
```

## Delete a WAF override

`firewall.waf.overrides.delete(stroverrides_id, OverrideDeleteParams**kwargs) -> OverrideDeleteResponse`

**delete** `/zones/{zone_id}/firewall/waf/overrides/{overrides_id}`

Deletes an existing URI-based WAF override.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier.
- `overrides_id: str` The unique identifier of the WAF override.

### Returns

- `class OverrideDeleteResponse: …`
  - `id: Optional[str]` The unique identifier of the WAF override.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
override = client.firewall.waf.overrides.delete(
    overrides_id="de677e5818985db1285d0e80225f06e5",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(override.id)
```

#### Response

```json
{
  "result": {
    "id": "de677e5818985db1285d0e80225f06e5"
  }
}
```

## Domain Types

### Override

- `class Override: …`
  - `id: Optional[str]` The unique identifier of the WAF override.
  - `description: Optional[str]` An informative summary of the current URI-based WAF override.
  - `groups: Optional[Dict[str, object]]` An object that allows you to enable or disable WAF rule groups for the current WAF override. Each key of this object must be the ID of a WAF rule group, and each value must be a valid WAF action (usually `default` or `disable`). When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
  - `paused: Optional[bool]` When true, indicates that the rule is currently paused.
  - `priority: Optional[float]` The relative priority of the current URI-based WAF override when multiple overrides match a single URL. A lower number indicates higher priority. Higher priority overrides may overwrite values set by lower priority overrides.
  - `rewrite_action: Optional[RewriteAction]` Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.
    - `block: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `challenge: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `default: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `disable: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
    - `simulate: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
      - `"challenge"`
      - `"block"`
      - `"simulate"`
      - `"disable"`
      - `"default"`
  - `rules: Optional[WAFRule]` An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action. Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to. When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `urls: Optional[List[OverrideURL]]` The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

### Override URL

- `str`

### Rewrite Action

- `class RewriteAction: …` Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.
  - `block: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `challenge: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `default: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
    - `"challenge"`
    - `"block"`
    - `"simulate"`
    - `"disable"`
    - `"default"`
  - `disable: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply.
- `"challenge"` - `"block"` - `"simulate"` - `"disable"` - `"default"` - `simulate: Optional[Literal["challenge", "block", "simulate", 2 more]]` The WAF rule action to apply. - `"challenge"` - `"block"` - `"simulate"` - `"disable"` - `"default"` ### WAF Rule - `Dict[str, Literal["challenge", "block", "simulate", 2 more]]` An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action. Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to. When creating a new URI-based WAF override, you must provide a `groups` object or a `rules` object. - `"challenge"` - `"block"` - `"simulate"` - `"disable"` - `"default"` ### Override Delete Response - `class OverrideDeleteResponse: …` - `id: Optional[str]` The unique identifier of the WAF override. # Packages ## List WAF packages `firewall.waf.packages.list(PackageListParams**kwargs) -> SyncV4PagePaginationArray[object]` **get** `/zones/{zone_id}/firewall/waf/packages` Fetches WAF packages for a zone. **Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/). ### Parameters - `zone_id: str` Defines an identifier. - `direction: Optional[Literal["asc", "desc"]]` The direction used to sort returned packages. - `"asc"` - `"desc"` - `match: Optional[Literal["any", "all"]]` When set to `all`, all the search requirements must match. When set to `any`, only one of the search requirements has to match. - `"any"` - `"all"` - `name: Optional[str]` The name of the WAF package. - `order: Optional[Literal["name"]]` The field used to sort returned packages. - `"name"` - `page: Optional[float]` The page number of paginated results. - `per_page: Optional[float]` The number of packages per page. 
### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.waf.packages.list(
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {}
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a WAF package

`firewall.waf.packages.get(str package_id, PackageGetParams **kwargs) -> PackageGetResponse`

**get** `/zones/{zone_id}/firewall/waf/packages/{package_id}`

Fetches the details of a WAF package.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier.
- `package_id: str` Defines a package identifier.

### Returns

- `PackageGetResponse`
  - `class FirewallAPIResponseSingle: …`
    - `errors: List[ResponseInfo]`
      - `code: int`
      - `message: str`
      - `documentation_url: Optional[str]`
      - `source: Optional[Source]`
        - `pointer: Optional[str]`
    - `messages: List[ResponseInfo]`
      - `code: int`
      - `message: str`
      - `documentation_url: Optional[str]`
      - `source: Optional[Source]`
    - `result: Union[Optional[str], Optional[object]]`
      - `Optional[str]`
      - `Optional[object]`
    - `success: Literal[true]` Defines whether the API call was successful.
      - `true`
  - `class Result: …`
    - `result: Optional[object]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
package = client.firewall.waf.packages.get(
    package_id="023e105f4ecef8ad9ca31a8372d0c353",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(package)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Package Get Response

- `PackageGetResponse`
  - `class FirewallAPIResponseSingle: …`
    - `errors: List[ResponseInfo]`
      - `code: int`
      - `message: str`
      - `documentation_url: Optional[str]`
      - `source: Optional[Source]`
        - `pointer: Optional[str]`
    - `messages: List[ResponseInfo]`
      - `code: int`
      - `message: str`
      - `documentation_url: Optional[str]`
      - `source: Optional[Source]`
    - `result: Union[Optional[str], Optional[object]]`
      - `Optional[str]`
      - `Optional[object]`
    - `success: Literal[true]` Defines whether the API call was successful.
      - `true`
  - `class Result: …`
    - `result: Optional[object]`

# Groups

## List WAF rule groups

`firewall.waf.packages.groups.list(str package_id, GroupListParams **kwargs) -> SyncV4PagePaginationArray[Group]`

**get** `/zones/{zone_id}/firewall/waf/packages/{package_id}/groups`

Fetches the WAF rule groups in a WAF package.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier of a schema.
- `package_id: str` Defines the unique identifier of a WAF package.
- `direction: Optional[Literal["asc", "desc"]]` Defines the direction used to sort returned rule groups.
  - `"asc"`
  - `"desc"`
- `match: Optional[Literal["any", "all"]]` Defines the condition for search requirements. When set to `all`, all the search requirements must match. When set to `any`, only one of the search requirements has to match.
  - `"any"`
  - `"all"`
- `mode: Optional[Literal["on", "off"]]` Defines the state of the rules contained in the rule group. When `on`, the rules in the group are configurable/usable.
  - `"on"`
  - `"off"`
- `name: Optional[str]` Defines the name of the rule group.
- `order: Optional[Literal["mode", "rules_count"]]` Defines the field used to sort returned rule groups.
  - `"mode"`
  - `"rules_count"`
- `page: Optional[float]` Defines the page number of paginated results.
- `per_page: Optional[float]` Defines the number of rule groups per page.
- `rules_count: Optional[float]` Defines the number of rules in the current rule group.

### Returns

- `class Group: …`
  - `id: str` Defines the unique identifier of the rule group.
  - `description: Optional[str]` Defines an informative summary of what the rule group does.
  - `mode: Literal["on", "off"]` Defines the state of the rules contained in the rule group. When `on`, the rules in the group are configurable/usable.
    - `"on"`
    - `"off"`
  - `name: str` Defines the name of the rule group.
  - `rules_count: float` Defines the number of rules in the current rule group.
  - `allowed_modes: Optional[List[Literal["on", "off"]]]` Defines the available states for the rule group.
    - `"on"`
    - `"off"`
  - `modified_rules_count: Optional[float]` Defines the number of rules within the group that have been modified from their default configuration.
  - `package_id: Optional[str]` Defines the unique identifier of a WAF package.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.waf.packages.groups.list(
    package_id="a25a9a7e9c00afc1fb2e0245519d725b",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "de677e5818985db1285d0e80225f06e5",
      "description": "Group designed to protect against IP addresses that are a threat and typically used to launch DDoS attacks",
      "mode": "on",
      "name": "Project Honey Pot",
      "rules_count": 10,
      "allowed_modes": [
        "on",
        "off"
      ],
      "modified_rules_count": 2,
      "package_id": "a25a9a7e9c00afc1fb2e0245519d725b"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a WAF rule group

`firewall.waf.packages.groups.get(str group_id, GroupGetParams **kwargs) -> GroupGetResponse`

**get** `/zones/{zone_id}/firewall/waf/packages/{package_id}/groups/{group_id}`

Fetches the details of a WAF rule group.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier of a schema.
- `package_id: str` Defines the unique identifier of a WAF package.
- `group_id: str` Defines the unique identifier of a WAF package.
### Returns

- `Union[Optional[str], Optional[object]]`
  - `Optional[str]`
  - `Optional[object]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.firewall.waf.packages.groups.get(
    group_id="a25a9a7e9c00afc1fb2e0245519d725b",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    package_id="a25a9a7e9c00afc1fb2e0245519d725b",
)
print(group)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Update a WAF rule group

`firewall.waf.packages.groups.edit(str group_id, GroupEditParams **kwargs) -> GroupEditResponse`

**patch** `/zones/{zone_id}/firewall/waf/packages/{package_id}/groups/{group_id}`

Updates a WAF rule group. You can update the state (`mode` parameter) of a rule group.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier of a schema.
- `package_id: str` Defines the unique identifier of a WAF package.
- `group_id: str` Defines the unique identifier of a WAF package.
- `mode: Optional[Literal["on", "off"]]` Defines the state of the rules contained in the rule group. When `on`, the rules in the group are configurable/usable.
  - `"on"`
  - `"off"`

### Returns

- `Union[Optional[str], Optional[object]]`
  - `Optional[str]`
  - `Optional[object]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.firewall.waf.packages.groups.edit(
    group_id="a25a9a7e9c00afc1fb2e0245519d725b",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    package_id="a25a9a7e9c00afc1fb2e0245519d725b",
)
print(response)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Group

- `class Group: …`
  - `id: str` Defines the unique identifier of the rule group.
  - `description: Optional[str]` Defines an informative summary of what the rule group does.
  - `mode: Literal["on", "off"]` Defines the state of the rules contained in the rule group. When `on`, the rules in the group are configurable/usable.
    - `"on"`
    - `"off"`
  - `name: str` Defines the name of the rule group.
  - `rules_count: float` Defines the number of rules in the current rule group.
  - `allowed_modes: Optional[List[Literal["on", "off"]]]` Defines the available states for the rule group.
    - `"on"`
    - `"off"`
  - `modified_rules_count: Optional[float]` Defines the number of rules within the group that have been modified from their default configuration.
  - `package_id: Optional[str]` Defines the unique identifier of a WAF package.
### Group Get Response

- `Union[Optional[str], Optional[object]]`
  - `Optional[str]`
  - `Optional[object]`

### Group Edit Response

- `Union[Optional[str], Optional[object]]`
  - `Optional[str]`
  - `Optional[object]`

# Rules

## List WAF rules

`firewall.waf.packages.rules.list(str package_id, RuleListParams **kwargs) -> SyncV4PagePaginationArray[RuleListResponse]`

**get** `/zones/{zone_id}/firewall/waf/packages/{package_id}/rules`

Fetches WAF rules in a WAF package.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier of a schema.
- `package_id: str` Defines the unique identifier of a WAF package.
- `description: Optional[str]` Defines the public description of the WAF rule.
- `direction: Optional[Literal["asc", "desc"]]` Defines the direction used to sort returned rules.
  - `"asc"`
  - `"desc"`
- `group_id: Optional[str]` Defines the unique identifier of the rule group.
- `match: Optional[Literal["any", "all"]]` Defines the search requirements. When set to `all`, all the search requirements must match. When set to `any`, only one of the search requirements has to match.
  - `"any"`
  - `"all"`
- `mode: Optional[Literal["DIS", "CHL", "BLK", "SIM"]]` Defines the action/mode a rule has been overridden to perform.
  - `"DIS"`
  - `"CHL"`
  - `"BLK"`
  - `"SIM"`
- `order: Optional[Literal["priority", "group_id", "description"]]` Defines the field used to sort returned rules.
  - `"priority"`
  - `"group_id"`
  - `"description"`
- `page: Optional[float]` Defines the page number of paginated results.
- `per_page: Optional[float]` Defines the number of rules per page.
- `priority: Optional[str]` Defines the order in which the individual WAF rule is executed within its rule group.
### Returns

- `RuleListResponse` When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.
  - `class WAFManagedRulesAnomalyRule: …` When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[AllowedModesAnomaly]` Defines the available modes for the current WAF rule. Applies to anomaly detection WAF rules.
      - `"on"`
      - `"off"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
      - `id: Optional[str]` Defines the unique identifier of the rule group.
      - `name: Optional[str]` Defines the name of the rule group.
    - `mode: AllowedModesAnomaly` Defines the mode anomaly. When set to `on`, the current WAF rule will be used when evaluating the request. Applies to anomaly detection WAF rules.
      - `"on"`
      - `"off"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
  - `class WAFManagedRulesTraditionalDenyRule: …` When triggered, traditional WAF rules cause the firewall to immediately act upon the request based on the configuration of the rule. A 'deny' rule will immediately respond to the request based on the configured rule action/mode (for example, 'block') and no other rules will be processed.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[Literal["default", "disable", "simulate", 2 more]]` Defines the list of possible actions of the WAF rule when it is triggered.
      - `"default"`
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `default_mode: Literal["disable", "simulate", "block", "challenge"]` Defines the default action/mode of a rule.
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
    - `mode: Literal["default", "disable", "simulate", 2 more]` Defines the action that the current WAF rule will perform when triggered. Applies to traditional (deny) WAF rules.
      - `"default"`
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
  - `class WAFManagedRulesTraditionalAllowRule: …` When triggered, traditional WAF rules cause the firewall to immediately act on the request based on the rule configuration. An 'allow' rule will immediately allow the request and no other rules will be processed.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[Literal["on", "off"]]` Defines the available modes for the current WAF rule.
      - `"on"`
      - `"off"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
    - `mode: Literal["on", "off"]` When set to `on`, the current rule will be used when evaluating the request. Applies to traditional (allow) WAF rules.
      - `"on"`
      - `"off"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.firewall.waf.packages.rules.list(
    package_id="a25a9a7e9c00afc1fb2e0245519d725b",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f939de3be84e66e757adcdcb87908023",
      "allowed_modes": [
        "on",
        "off"
      ],
      "description": "SQL injection prevention for SELECT statements",
      "group": {
        "id": "de677e5818985db1285d0e80225f06e5",
        "name": "Project Honey Pot"
      },
      "mode": "on",
      "package_id": "a25a9a7e9c00afc1fb2e0245519d725b",
      "priority": "priority"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a WAF rule

`firewall.waf.packages.rules.get(str rule_id, RuleGetParams **kwargs) -> RuleGetResponse`

**get** `/zones/{zone_id}/firewall/waf/packages/{package_id}/rules/{rule_id}`

Fetches the details of a WAF rule in a WAF package.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier of a schema.
- `package_id: str` Defines the unique identifier of a WAF package.
- `rule_id: str` Defines the unique identifier of a WAF package.
### Returns

- `Union[Optional[str], Optional[object]]`
  - `Optional[str]`
  - `Optional[object]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
rule = client.firewall.waf.packages.rules.get(
    rule_id="a25a9a7e9c00afc1fb2e0245519d725b",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    package_id="a25a9a7e9c00afc1fb2e0245519d725b",
)
print(rule)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Update a WAF rule

`firewall.waf.packages.rules.edit(str rule_id, RuleEditParams **kwargs) -> RuleEditResponse`

**patch** `/zones/{zone_id}/firewall/waf/packages/{package_id}/rules/{rule_id}`

Updates a WAF rule. You can only update the mode/action of the rule.

**Note:** Applies only to the [previous version of WAF managed rules](https://developers.cloudflare.com/support/firewall/managed-rules-web-application-firewall-waf/understanding-waf-managed-rules-web-application-firewall/).

### Parameters

- `zone_id: str` Defines an identifier of a schema.
- `package_id: str` Defines the unique identifier of a WAF package.
- `rule_id: str` Defines the unique identifier of a WAF package.
- `mode: Optional[Literal["default", "disable", "simulate", 4 more]]` Defines the mode/action of the rule when triggered. You must use a value from the `allowed_modes` array of the current rule.
  - `"default"`
  - `"disable"`
  - `"simulate"`
  - `"block"`
  - `"challenge"`
  - `"on"`
  - `"off"`

### Returns

- `RuleEditResponse` When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.
  - `class WAFManagedRulesAnomalyRule: …` When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[AllowedModesAnomaly]` Defines the available modes for the current WAF rule. Applies to anomaly detection WAF rules.
      - `"on"`
      - `"off"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
      - `id: Optional[str]` Defines the unique identifier of the rule group.
      - `name: Optional[str]` Defines the name of the rule group.
    - `mode: AllowedModesAnomaly` Defines the mode anomaly. When set to `on`, the current WAF rule will be used when evaluating the request. Applies to anomaly detection WAF rules.
      - `"on"`
      - `"off"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
  - `class WAFManagedRulesTraditionalDenyRule: …` When triggered, traditional WAF rules cause the firewall to immediately act upon the request based on the configuration of the rule. A 'deny' rule will immediately respond to the request based on the configured rule action/mode (for example, 'block') and no other rules will be processed.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[Literal["default", "disable", "simulate", 2 more]]` Defines the list of possible actions of the WAF rule when it is triggered.
      - `"default"`
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `default_mode: Literal["disable", "simulate", "block", "challenge"]` Defines the default action/mode of a rule.
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
    - `mode: Literal["default", "disable", "simulate", 2 more]` Defines the action that the current WAF rule will perform when triggered. Applies to traditional (deny) WAF rules.
      - `"default"`
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
  - `class WAFManagedRulesTraditionalAllowRule: …` When triggered, traditional WAF rules cause the firewall to immediately act on the request based on the rule configuration. An 'allow' rule will immediately allow the request and no other rules will be processed.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[Literal["on", "off"]]` Defines the available modes for the current WAF rule.
      - `"on"`
      - `"off"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
    - `mode: Literal["on", "off"]` When set to `on`, the current rule will be used when evaluating the request. Applies to traditional (allow) WAF rules.
      - `"on"`
      - `"off"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.firewall.waf.packages.rules.edit(
    rule_id="a25a9a7e9c00afc1fb2e0245519d725b",
    zone_id="023e105f4ecef8ad9ca31a8372d0c353",
    package_id="a25a9a7e9c00afc1fb2e0245519d725b",
)
print(response)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f939de3be84e66e757adcdcb87908023",
    "allowed_modes": [
      "on",
      "off"
    ],
    "description": "SQL injection prevention for SELECT statements",
    "group": {
      "id": "de677e5818985db1285d0e80225f06e5",
      "name": "Project Honey Pot"
    },
    "mode": "on",
    "package_id": "a25a9a7e9c00afc1fb2e0245519d725b",
    "priority": "priority"
  },
  "success": true
}
```

## Domain Types

### Allowed Modes Anomaly

- `Literal["on", "off"]` Defines the mode anomaly. When set to `on`, the current WAF rule will be used when evaluating the request. Applies to anomaly detection WAF rules.
  - `"on"`
  - `"off"`

### WAF Rule Group

- `class WAFRuleGroup: …` Defines the rule group to which the current WAF rule belongs.
  - `id: Optional[str]` Defines the unique identifier of the rule group.
  - `name: Optional[str]` Defines the name of the rule group.

### Rule List Response

- `RuleListResponse` When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.
  - `class WAFManagedRulesAnomalyRule: …` When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[AllowedModesAnomaly]` Defines the available modes for the current WAF rule. Applies to anomaly detection WAF rules.
      - `"on"`
      - `"off"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
      - `id: Optional[str]` Defines the unique identifier of the rule group.
      - `name: Optional[str]` Defines the name of the rule group.
    - `mode: AllowedModesAnomaly` Defines the mode anomaly. When set to `on`, the current WAF rule will be used when evaluating the request. Applies to anomaly detection WAF rules.
      - `"on"`
      - `"off"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
  - `class WAFManagedRulesTraditionalDenyRule: …` When triggered, traditional WAF rules cause the firewall to immediately act upon the request based on the configuration of the rule. A 'deny' rule will immediately respond to the request based on the configured rule action/mode (for example, 'block') and no other rules will be processed.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[Literal["default", "disable", "simulate", 2 more]]` Defines the list of possible actions of the WAF rule when it is triggered.
      - `"default"`
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `default_mode: Literal["disable", "simulate", "block", "challenge"]` Defines the default action/mode of a rule.
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
    - `mode: Literal["default", "disable", "simulate", 2 more]` Defines the action that the current WAF rule will perform when triggered. Applies to traditional (deny) WAF rules.
      - `"default"`
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
  - `class WAFManagedRulesTraditionalAllowRule: …` When triggered, traditional WAF rules cause the firewall to immediately act on the request based on the rule configuration. An 'allow' rule will immediately allow the request and no other rules will be processed.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[Literal["on", "off"]]` Defines the available modes for the current WAF rule.
      - `"on"`
      - `"off"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
    - `mode: Literal["on", "off"]` When set to `on`, the current rule will be used when evaluating the request. Applies to traditional (allow) WAF rules.
      - `"on"`
      - `"off"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.

### Rule Get Response

- `Union[Optional[str], Optional[object]]`
  - `Optional[str]`
  - `Optional[object]`

### Rule Edit Response

- `RuleEditResponse` When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.
  - `class WAFManagedRulesAnomalyRule: …` When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[AllowedModesAnomaly]` Defines the available modes for the current WAF rule. Applies to anomaly detection WAF rules.
      - `"on"`
      - `"off"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
      - `id: Optional[str]` Defines the unique identifier of the rule group.
      - `name: Optional[str]` Defines the name of the rule group.
    - `mode: AllowedModesAnomaly` Defines the mode anomaly. When set to `on`, the current WAF rule will be used when evaluating the request. Applies to anomaly detection WAF rules.
      - `"on"`
      - `"off"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
  - `class WAFManagedRulesTraditionalDenyRule: …` When triggered, traditional WAF rules cause the firewall to immediately act upon the request based on the configuration of the rule. A 'deny' rule will immediately respond to the request based on the configured rule action/mode (for example, 'block') and no other rules will be processed.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[Literal["default", "disable", "simulate", 2 more]]` Defines the list of possible actions of the WAF rule when it is triggered.
      - `"default"`
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `default_mode: Literal["disable", "simulate", "block", "challenge"]` Defines the default action/mode of a rule.
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
    - `mode: Literal["default", "disable", "simulate", 2 more]` Defines the action that the current WAF rule will perform when triggered. Applies to traditional (deny) WAF rules.
      - `"default"`
      - `"disable"`
      - `"simulate"`
      - `"block"`
      - `"challenge"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
  - `class WAFManagedRulesTraditionalAllowRule: …` When triggered, traditional WAF rules cause the firewall to immediately act on the request based on the rule configuration. An 'allow' rule will immediately allow the request and no other rules will be processed.
    - `id: str` Defines the unique identifier of the WAF rule.
    - `allowed_modes: List[Literal["on", "off"]]` Defines the available modes for the current WAF rule.
      - `"on"`
      - `"off"`
    - `description: str` Defines the public description of the WAF rule.
    - `group: WAFRuleGroup` Defines the rule group to which the current WAF rule belongs.
    - `mode: Literal["on", "off"]` When set to `on`, the current rule will be used when evaluating the request. Applies to traditional (allow) WAF rules.
      - `"on"`
      - `"off"`
    - `package_id: str` Defines the unique identifier of a WAF package.
    - `priority: str` Defines the order in which the individual WAF rule is executed within its rule group.
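The rule objects documented above carry everything needed to check a mode change offline before calling `rules.edit`, which only accepts a value from the rule's `allowed_modes`. The following is an added example, not part of the SDK or its documentation: it reports rules that are not enforcing and builds the `edit` keyword arguments only for valid changes. The function names, the placeholder rule ids, and the assumption that a deny rule in mode `default` applies its `default_mode` are all illustrative.

```python
"""Offline checks for legacy WAF managed-rule records (added example)."""
from typing import Dict, Iterable, List, Tuple

# Effective modes in which a rule takes no blocking or challenge action.
NON_ENFORCING = frozenset({"off", "disable", "simulate"})

DENY_MODES = ["default", "disable", "simulate", "block", "challenge"]
GROUP = {"id": "de677e5818985db1285d0e80225f06e5", "name": "Project Honey Pot"}
PACKAGE_ID = "a25a9a7e9c00afc1fb2e0245519d725b"
ZONE_ID = "023e105f4ecef8ad9ca31a8372d0c353"

# Constructed sample records shaped like the documented rule objects. The first
# reuses the page's sample response; the other ids are placeholders.
SAMPLE_RULES: List[dict] = [
    {"id": "f939de3be84e66e757adcdcb87908023", "allowed_modes": ["on", "off"],
     "description": "SQL injection prevention for SELECT statements",
     "group": GROUP, "mode": "on", "package_id": PACKAGE_ID, "priority": "1"},
    {"id": "constructed-deny-default", "allowed_modes": DENY_MODES,
     "default_mode": "block", "description": "constructed deny rule at its default",
     "group": GROUP, "mode": "default", "package_id": PACKAGE_ID, "priority": "2"},
    {"id": "constructed-deny-simulate", "allowed_modes": DENY_MODES,
     "default_mode": "block", "description": "constructed deny rule left in simulate",
     "group": GROUP, "mode": "simulate", "package_id": PACKAGE_ID, "priority": "3"},
    {"id": "constructed-allow-off", "allowed_modes": ["on", "off"],
     "description": "constructed on/off rule that is switched off",
     "group": GROUP, "mode": "off", "package_id": PACKAGE_ID, "priority": "4"},
]


def is_deny_rule(rule: dict) -> bool:
    """Traditional deny rules are the only documented variant with default_mode."""
    return "default_mode" in rule


def effective_mode(rule: dict) -> str:
    """Resolve the action a rule applies.

    Assumption: a deny rule whose mode is "default" applies its default_mode.
    """
    if is_deny_rule(rule) and rule["mode"] == "default":
        return rule["default_mode"]
    return rule["mode"]


def non_enforcing(rules: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (rule id, effective mode) for every rule that takes no action."""
    return [(r["id"], effective_mode(r)) for r in rules
            if effective_mode(r) in NON_ENFORCING]


def plan_mode_change(rule: dict, new_mode: str, zone_id: str,
                     allow_weakening: bool = False) -> Dict[str, str]:
    """Validate a mode change and return keyword arguments for rules.edit.

    Raises ValueError when new_mode is not in the rule's allowed_modes, and
    PermissionError when an enforcing rule would stop enforcing without an
    explicit allow_weakening=True from the caller.
    """
    if new_mode not in rule["allowed_modes"]:
        raise ValueError(
            f"{new_mode!r} is not in allowed_modes {rule['allowed_modes']} "
            f"for rule {rule['id']}")
    candidate = dict(rule, mode=new_mode)
    weakens = (effective_mode(rule) not in NON_ENFORCING
               and effective_mode(candidate) in NON_ENFORCING)
    if weakens and not allow_weakening:
        raise PermissionError(
            f"rule {rule['id']} would go from {effective_mode(rule)!r} "
            f"to {effective_mode(candidate)!r}")
    return {"rule_id": rule["id"], "zone_id": zone_id,
            "package_id": rule["package_id"], "mode": new_mode}


if __name__ == "__main__":
    for rule_id, mode in non_enforcing(SAMPLE_RULES):
        print(f"not enforcing: {rule_id} ({mode})")
    print(plan_mode_change(SAMPLE_RULES[2], "block", ZONE_ID))
```

The returned dictionary uses the parameter names of `firewall.waf.packages.rules.edit` shown on this page, so it can be passed as `client.firewall.waf.packages.rules.edit(**kwargs)` once the change has been reviewed.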