Create a rule

Create an Advanced TCP Protection rule

In the Cloudflare dashboard, go to the L3/4 DDoS protection page.
Go to DDoS Managed Rules
Go to Advanced Protection > Advanced TCP Protection.
Depending on the rule you are creating, do one of the following:
- Under SYN Flood Protection, select Create SYN flood rule.
- Under Out-of-state TCP Protection, select Create out-of-state TCP rule.
In Mode, select a mode for the rule.
Under Set scope, select a scope for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center.
Under Sensitivity, define the burst sensitivity and rate sensitivity of the rule (by default, Medium). The sensitivity levels are based on the initially configured thresholds for your specific case.
Select Deploy.

In the Cloudflare dashboard, go to the L3/4 DDoS protection page.
Go to DDoS Managed Rules
Go to Advanced Protection > General settings.
Add the prefixes you wish to onboard. Advanced DNS Protection will only be applied to the prefixes you onboard. If you already onboarded the desired prefixes when you configured Advanced TCP Protection, you do not need to take any other action.

Currently, the list of onboarded prefixes is shared with Advanced TCP Protection. Any onboarded prefixes will be subject to both Advanced TCP Protection and Advanced DNS Protection, assuming that your account team has done the initial configuration of both systems. However, you can leave Advanced TCP Protection in monitoring mode.
Go to Advanced DNS Protection.
Select Create Advanced DNS Protection rule.
In Mode, select a mode for the rule.
Under Set scope, select a scope to determine the range of packets that will be affected by the rule.
Under Sensitivity, define the burst sensitivity, rate sensitivity, and profile sensitivity to determine when to initiate mitigation. 9. Select Deploy.