--- title: Add policies description: Add policies in Gateway. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ REST API ](https://developers.cloudflare.com/search/?tags=REST%20API) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Add policies A root ruleset is the top-level container that holds all your firewall policies. You can check for an existing root ruleset from the dashboard or via the [Account rulesets API](https://developers.cloudflare.com/api/resources/rulesets/methods/list/). If you are a new Magic Transit customer, you may not have a root ruleset created for your account. To view examples for root rulesets, review the [Cloudflare Network Firewall Terraform documentation ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/magic%5Ffirewall%5Fruleset). By default, you can create a maximum of 200 policies. Contact your account team to request a higher limit if needed. We recommend you create lists of IP addresses to reference within policies to streamline policy management. ## Add a policy 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Select **Add a policy**. 3. Fill out the information for your new policy. All existing policies apply to IPv4 traffic only. You can use a [Managed IP List](https://developers.cloudflare.com/waf/tools/lists/managed-lists/#managed-ip-lists) when populating the **Value**. 4. When you are done, select **Add new policy**. ## Create a disabled policy When you add a new policy, the policy is **Enabled** by default. To create a **Disabled** policy, follow the steps in [Add a policy](#add-a-policy) above and toggle **Enabled** to off. When a policy is in the disabled state, the policy will not perform the action until it is set to **Enabled**. To disable an existing policy, from the **Custom policies** tab, set the **Enabled** toggle to off. ## Update a policy 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Locate the policy you want to edit and select the three dots > **Edit**. 3. Update the policy with your changes and select **Save**. ## Delete an existing policy 1. Locate the policy you want to delete in the list. 2. From the end of the row, select **Delete**. 3. Select **Delete** again to confirm the deletion. ## API Below, you can find examples of how to use the API to perform certain actions. Warning The examples on this page all use the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets` endpoint. This endpoint creates policies from scratch and **will replace all existing policies in the ruleset**. If you have a ruleset already deployed, consider using the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules` endpoint instead. Refer to [Add a rule to a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/add-rule/) and [Create an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) for more information. ### Skip action A skip action tells the firewall to stop evaluating the current ruleset for matching traffic, effectively allowing it through. Rules in a ruleset evaluate in order from top to bottom. In the example below, the skip rule must appear before the block rule so that matching traffic (port `8080`) is allowed through before the catch-all block applies. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "skip", "action_parameters": { "ruleset": "current" }, "expression": "tcp.dstport in { 8080 } ", "description": "Allow port 8080" }, { "action": "block", "expression": "tcp.dstport in { 1..65535 }", "description": "Block all TCP ports" } ] }' ``` Explain Code ### Block a country The example below blocks all packets with a source or destination IP address coming from Brazil by using its 2-letter country code in [ISO 3166-1 Alpha 2 ↗](https://www.iso.org/obp/ui/#search/code/) format. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "block", "expression": "ip.src.country == \"BR\"", "description": "Block traffic from Brazil" } ] }' ``` Explain Code ### Use an IP list Cloudflare Network Firewall supports [using lists in expressions](https://developers.cloudflare.com/waf/tools/lists/use-in-expressions/) for the `ip.src` and `ip.dst` fields. The supported lists are: * `$cf.anonymizer` \- Anonymizer proxies * `$cf.botnetcc` \- Botnet command and control channel * `$cf.malware` \- Sources of malware * `$` \- The name of an account-level IP list Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "block", "expression": "ip.src in $cf.anonymizer", "description": "Block traffic from anonymizer proxies" } ] }' ``` Explain Code ## Next steps Refer to [Form expressions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/form-expressions/) for more information on how to write rule expressions. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/add-policies/","name":"Add policies"}}]} ```