Skip to content
Cloudflare Docs

Create a rule

Create an Advanced TCP Protection rule

To create a SYN flood rule or an out-of-state TCP rule:

  1. In the Cloudflare dashboard, go to the L3/4 DDoS protection page.

    Go to L3/4 DDoS protection
  2. Go to Advanced Protection > Advanced TCP Protection.

  3. Depending on the rule you are creating, do one of the following:

    • Under SYN Flood Protection, select Create SYN flood rule.
    • Under Out-of-state TCP Protection, select Create out-of-state TCP rule.
  4. In Mode, select a mode for the rule.

  5. Under Set scope, select a scope for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center.

  6. Under Sensitivity, define the burst sensitivity and rate sensitivity of the rule (by default, Medium). The sensitivity levels are based on the initially configured thresholds for your specific case.

  7. Select Deploy.

Create an Advanced DNS Protection rule

  1. In the Cloudflare dashboard, go to the L3/4 DDoS protection page.

    Go to L3/4 DDoS protection
  2. Go to Advanced Protection > General settings.

  3. Add the prefixes you wish to onboard. Advanced DNS Protection will only be applied to the prefixes you onboard. If you already onboarded the desired prefixes when you configured Advanced TCP Protection, you do not need to take any other action.

  4. Go to Advanced DNS Protection.

  5. Select Create Advanced DNS Protection rule.

  6. In Mode, select a mode for the rule.

  7. Under Set scope, select a scope to determine the range of packets that will be affected by the rule.

  8. Under Sensitivity, define the burst sensitivity, rate sensitivity, and profile sensitivity to determine when to initiate mitigation. 9. Select Deploy.