Enable Managed Rulesets

With managed rulesets, you can quickly deploy pre-built firewall rules maintained by Cloudflare. You use Cloudflare Network Firewall to control which managed rules are enabled.

In addition to enabling managed rulesets, you can also add and enable custom policies. Refer to add policies.

Note

Before you can use managed rulesets with Cloudflare Network Firewall, your account must have managed rulesets enabled. Contact your account team to request access.

To enable or disable a rule, you specify which properties should be overridden. Overrides are configured in the root ruleset of the Managed phase (the top-level ruleset that controls which managed rules are active). This root ruleset can contain only one rule, but that single rule can include multiple overrides for different managed rules.

Cloudflare recommends starting with the action set to log to evaluate impact before switching to block.

You have multiple options for enabling rules:

• Select an individual rule and enable it.
• Enable multiple rules by enabling by category in the magic-transit-phase.
• Enable an entire ruleset.

API

1. Create a Managed phase Managed kind ruleset

To create a managed ruleset, you must first build a request with the following:

• managed_ruleset_id: The ID of the Managed phase Managed kind ruleset that contains the rule you want to enable. To find this ID, list available managed rulesets using GET /accounts/{account_id}/rulesets?kind=managed&phase=magic_transit_managed.
• managed_rule_id: The ID of the rule you want to enable.

Additionally, you need the properties you want to override. The properties you can override include:

• enabled: This value can be set to true or false. When set to true, the rule matches packets and applies the rule's default action if the action is not overridden. When set to false, the rule is disabled and does not match any packets.
• action: The value can be set to log so the rule only produces logs instead of applying the rule's default action.

The enabled and action properties for a rule are set in the Managed phase Managed kind ruleset. All rules in the Managed phase are currently disabled by default.

The example below contains a request for a Managed phase Managed Kind ruleset.

Example request - Create a Managed phase Managed Kind ruleset

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "execute ruleset",
  "description": "Ruleset containing execute rules",
  "kind": "root",
  "phase": "magic_transit_managed",
  "rules": [
    {
      "expression": "true",
      "action": "execute",
      "description": "Enable one rule ",
      "action_parameters": {
        "id": "<MANAGED_RULESET_ID>",
        "version": "latest",
        "overrides": {
          "rules": [
            {
              "id": "<MANAGED_RULE_ID>",
              "enabled": true,
              "action": "log"
            }
          ]
        }
      }
    }
  ]
}'

2. Patch a Managed phase Managed kind ruleset

Because the root ruleset can only contain one rule, you must PATCH that existing rule (rather than adding new rules) when you want to enable additional managed rules.

Building off the example from the previous step, the example below enables a category to select multiple rules instead of a single rule. The category will be set to log mode, which means the rule can produce logs but will not accept or drop packets.

Example request - Patch a Managed phase Managed kind ruleset

curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "expression": "true",
  "action": "execute",
  "action_parameters": {
    "id": "<MANAGED_RULESET_ID>",
    "version": "latest",
    "overrides": {
      "rules": [
        {
          "id": "<MANAGED_RULE_ID>",
          "enabled": true
        }
      ],
      "categories": [
        {
          "category": "simple",
          "enabled": true,
          "action": "log"
        }
      ]
    }
  }
}'

3. Enable all rules

To enable the complete ruleset or enable all rules, send the request below.

Example request to enable all rules

curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "expression": "true",
  "action": "execute",
  "action_parameters": {
    "id": "<MANAGED_RULESET_ID>",
    "version": "latest",
    "overrides": {
      "enabled": true
    }
  }
}'

4. Delete a ruleset

To delete a ruleset, refer to Delete a rule in a ruleset.

Cloudflare One dashboard

Enable rules

You can also use the dashboard to enable managed rulesets:

1. Log in to the Cloudflare dashboard ↗, and go to Networking > Firewall policies.
2. Select Managed rulesets. This is where the dashboard lists all your managed rules.
3. To enable a rule, turn Status on.

Edit rules

To edit a rule:

1. Log in to the Cloudflare dashboard ↗, and go to Networking > Firewall policies.
2. Select Managed rulesets. This is where the dashboard lists all your managed rules.
3. Select the three dots > Edit.
4. Make the necessary changes, then select Save.

View rules

To view basic information about your rules:

1. Log in to the Cloudflare dashboard ↗, and go to Networking > Firewall policies.
2. Select Managed rulesets. This is where the dashboard lists all your managed rules.
3. Locate your managed rule, select the three dots > View.