Skip to content
Firewall
Visit Firewall on GitHub
Set theme to dark (⇧+D)

About Cloudflare Firewall Rules

Flexibility and control

Cloudflare Firewall Rules is a flexible and intuitive framework for filtering HTTP requests. It gives you fine-grained control over which requests reach your applications.

Firewall Rules complements existing Cloudflare tools by allowing you to create rules that combine a variety of techniques. For example, rather than managing 3 independent rules in 3 different places, you can easily create a single firewall rule that blocks traffic to a URI when the request comes from a particular IP and the user-agent matches a specific string or a pattern. Once you are satisfied with the rule, you can deploy it yourself, immediately.

Fundamentally, Firewall Rules gives you the power to proactively inspect incoming site traffic and automatically respond to threats. You define expressions that tell Cloudflare what to look for and specify the appropriate action to take when those criteria are satisfied.

It is a simple concept, but like the Wireshark Display Filter language that inspired our own expression language, the Firewall Rules language is a powerful tool that allows organizations to rapidly adapt to a constantly evolving threat landscape.

Working with Firewall Rules

To configure Firewall Rules from the Cloudflare dashboard, use the Firewall Rules tab in the Firewall app. For more, see Manage rules in the Cloudflare dashboard.

To configure Firewall Rules with the Cloudflare API, use the Firewall Rules API. Use the Cloudflare Filters API to manage expressions. For more, see Manage rules via the APIs.

You can also manage Firewall Rules through Terraform. For more, see Getting Started with Terraform.

Firewall Rules tab

The Rules List gives you a snapshot of recent activity and allows you to manage firewall rules in a single convenient location (see image below).

Firewall Rules tab

Challenge Solve Rate (CSR)

The Rules List displays each rule's CSR (Challenge Solve Rate), which is the percentage of issued challenges that were solved. This metric applies to rules configured with Challenge (Captcha) or JS Challenge actions, and it is calculated as follows:

CSR = number of challenges solved / number of challenges issued

Hover over the CSR to reveal the number of issued and solved CAPTCHA challenges:

Revealing the number of issued vs. solved CAPTCHA challenges

A low CSR means that Cloudflare is issuing a low number of CAPTCHA challenges to actual humans, since these are the solved challenges.

You should aim for a low Challenge Solve Rate. Review the CSR of your CAPTCHA rules periodically and adjust them if necessary:

  • If the rate is higher than expected, for example regarding a Bot Management rule, consider relaxing the rule criteria so that you issue fewer challenges to human visitors.
  • If the rate is 0%, no CAPTCHA challenges are being solved. This means that you have no human visitors whose requests match the rule filter. Consider changing the rule action to Block.

Expression Builder

Both the Create Firewall and Edit Firewall panels include the visual Expression Builder (outlined below, in orange), which is an excellent tool to start with.

Expression Builder

Expression Editor

Advanced users will appreciate the Expression Editor (shown below), which trades the visual simplicity of the builder for the raw power of the Cloudflare Firewall Rules language. The editor also supports advanced features, such as grouping symbols, for constructing highly sophisticated, targeted rules.

Expression Editor

Firewall Rules APIs

Power users, particularly those who develop large numbers of firewall rules, can use the Cloudflare API to programmatically manage Firewall Rules (see Manage rules via the API).

Entitlements

Cloudflare Firewall Rules is available to all customers. Keep in mind that the number of firewall rules you can have active on your account is based on your type of plan, as is support for the Log action and support for regular expressions.

This table outlines the Firewall Rules features and entitlements available with each customer plan:

Cloudflare plan
FeatureFreeProBusinessEnterprise
Active rules5201001000
Supported actionsAll except LogAll except LogAll except LogAll
Regular expression supportNoNoYesYes
Number of Rules Lists1101010

Get started

Unless you are already an advanced user, review expressions and actions, which form the foundation of Firewall Rules.

To get started building your own firewall rules, see Manage Firewall Rules in the dashboard.

Those eager to dive straight into the technical details can refer to these topics: