About Cloudflare Firewall Rules
Flexibility and control
Cloudflare Firewall Rules is a flexible and intuitive framework for filtering HTTP requests. It gives you fine-grained control over which requests reach your applications.
Firewall Rules complements existing Cloudflare tools by allowing you to create rules that combine a variety of techniques. For example, rather than managing 3 independent rules in 3 different places, you can easily create a single firewall rule that blocks traffic to a URI when the request comes from a particular IP and the user-agent matches a specific string or a pattern. Once you are satisfied with the rule, you can deploy it yourself, immediately.
Fundamentally, Firewall Rules gives you the power to proactively inspect incoming site traffic and automatically respond to threats. You define expressions that tell Cloudflare what to look for and specify the appropriate action to take when those criteria are satisfied.
It is a simple concept, but like the Wireshark Display Filter language that inspired our own expression language, the Firewall Rules language is a powerful tool that allows organizations to rapidly adapt to a constantly evolving threat landscape.
Working with Firewall Rules
Firewall Rules tab
The Rules List gives you a snapshot of recent activity and allows you to manage firewall rules in a single convenient location (see image below).
Challenge Solve Rate (CSR)
The Rules List displays each rule's CSR (Challenge Solve Rate), which is the percentage of issued challenges that were solved. This metric applies to rules configured with Challenge (Captcha) or JS Challenge actions, and it is calculated as follows:
CSR = number of challenges solved / number of challenges issued
Hover over the CSR to reveal the number of issued and solved CAPTCHA challenges:
A low CSR means that Cloudflare is issuing a low number of CAPTCHA challenges to actual humans, since these are the solved challenges.
You should aim for a low Challenge Solve Rate. Review the CSR of your CAPTCHA rules periodically and adjust them if necessary:
- If the rate is higher than expected, for example regarding a Bot Management rule, consider relaxing the rule criteria so that you issue fewer challenges to human visitors.
- If the rate is 0%, no CAPTCHA challenges are being solved. This means that you have no human visitors whose requests match the rule filter. Consider changing the rule action to Block.
Both the Create Firewall and Edit Firewall panels include the visual Expression Builder (outlined below, in orange), which is an excellent tool to start with.
Advanced users will appreciate the Expression Editor (shown below), which trades the visual simplicity of the builder for the raw power of the . The editor also supports advanced features, such as grouping symbols, for constructing highly sophisticated, targeted rules.
Firewall Rules APIs
Cloudflare Firewall Rules is available to all customers. Keep in mind that the number of firewall rules you can have active on your account is based on your type of plan, as is support for the Log action and support for regular expressions.
This table outlines the Firewall Rules features and entitlements available with each customer plan:
Those eager to dive straight into the technical details can refer to these topics: