About Cloudflare Firewall Rules

Flexibility and control

Cloudflare Firewall Rules is a flexible and intuitive framework for filtering HTTP requests. It gives you fine-grained control over which requests reach your applications.

Firewall Rules complements existing Cloudflare tools by allowing you to create rules that combine a variety of techniques. For example, rather than managing 3 independent rules in 3 different places, you can easily create a single firewall rule that blocks traffic to a URI when the request comes from a particular IP and the user-agent matches a specific string or a pattern. Once you are satisfied with the rule, you can deploy it yourself, immediately.

Fundamentally, Firewall Rules gives you the power to proactively inspect incoming site traffic and automatically respond to threats. You define expressions that tell Cloudflare what to look for and specify the appropriate action to take when those criteria are satisfied.

It is a simple concept, but like the Wireshark Display Filter language that inspired our own expression language, the Firewall Rules language is a powerful tool that allows organizations to rapidly adapt to a constantly evolving threat landscape.

Working with Firewall Rules

To configure Firewall Rules from the the Cloudflare dashboard, use the Firewall Rules tab in the Firewall app. For more, see Manage rules in the Cloudflare dashboard.

To configure Firewall Rules with the Cloudflare API, use the Firewall Rules API. Use the Cloudflare Filters API to manage expressions.

You can also manage Firewall Rules through Terraform. For more, see Getting Started with Terraform.

The Firewall Rules tab

The Firewall Rules tab gives you a snapshot of recent activity and allows you to manage firewall rules in a single convenient location.

firewall rules introduction 1

The Expression Builder

Both the Create Firewall and Edit Firewall pages include the visual Expression Builder (outlined below, in orange), which is an excellent tool to start with.

firewall rules introduction 2

The Expression Editor

Advanced users will appreciate the Expression Editor, which trades the visual simplicity of the builder for the power of the Cloudflare Firewall Rules language. It offers access to advanced features, such as grouping symbols, for constructing highly sophisticated, targeted rules.

firewall rules introduction 3

Power users, particularly those who develop large numbers of firewall rules, and developers can use the Cloudflare API to programmatically manage Firewall Rules (see Manage rules via the API).

Entitlements

Cloudflare Firewall Rules is available to all customers. Keep in mind that the number of firewall rules you can have active on your account is based on your Cloudflare plan. The table below outlines the entitlements and features available with each plan.

Cloudflare plan
FeatureFreeProBusinessEnterprise
Active rules5201001000
Supported actionsAll except LogAll except LogAll except LogAll
Regular expression supportNoNoYesYes
Number of Rules Lists1101010

Get started

Unless you are already an advanced user, we recommend you first learn about the Expressions and Actions topics and then move on to the Create, edit, and delete rules topic. Those eager to dive straight into the technical details should see Firewall Rules language.