About Cloudflare Firewall Rules

Flexibility and control

Cloudflare Firewall Rules is a flexible and intuitive framework for filtering HTTP requests. It gives you fine-grained control over which requests reach your applications.

Cloudflare already offers a number of firewall tools that allow you to restrict access to applications. These are based on IP address, CIDR block, autonomous system number (ASN), country rules, and HTTP user-agent. Meanwhile, Zone Lockdown provides a tool for defining which IP addresses can access a given URI. And our Web Application Firewall (WAF) uses managed rulesets to offer a wide range of protection against known vulnerabilities and suspicious behavior.

Firewall Rules complements these tools by allowing you to create rules that combine these techniques. For example, rather than managing 3 independent rules in 3 different places, you can easily create a single firewall rule that blocks traffic to a URI when the request comes from a particular IP and the user-agent matches a specific string or a pattern. Once you are satisfied with the rule, you can deploy it yourself, immediately.

Fundamentally, Firewall Rules gives you the power to proactively inspect incoming site traffic and automatically respond to threats. You define expressions that tell Cloudflare what to look for and specify the appropriate action to take when those criteria are satisfied. It is a simple concept, but like the Wireshark Display Filter language that inspired our own expression language, it is extremely powerful and allows organizations to rapidly adapt to a constantly evolving threat landscape.


Working with Firewall Rules

You can configure Firewall Rules not only from the Cloudflare Firewall app and the Cloudflare API but also through Terraform (see Getting Started with Terraform). However, the Firewall Rules panel in the Firewall app provides the most intuitive interface for building, deploying, and managing firewall rules.

The Rules List

The Rules List gives you a snapshot of recent activity and allows you to manage firewall rules in a single convenient location (see image below).

firewall rules introduction 1

The Expression Builder

Both the Create Firewall and Edit Firewall panels include the visual Expression Builder (outlined below, in orange), which is an excellent tool to start with.

firewall rules introduction 2

The Expression Editor

Advanced users will appreciate the Expression Editor (shown below), which trades the visual simplicity of the builder for the raw power of the Cloudflare Firewall Rules Language. It offers access to advanced features, such as grouping symbols, for constructing highly sophisticated, targeted rules.

firewall rules introduction 3

Power users, particularly those who develop large numbers of firewall rules, and developers can use the Cloudflare API to programmatically manage Firewall Rules (see Manage rules via the API).


Entitlements

Cloudflare Firewall Rules is available to all customers. Keep in mind that the number of firewall rules you can have active on your account is based on your type of plan, as is support for the Log action and support for regular expressions. The table below outlines the entitlements and features available with each customer plan.

Customer PlanEntitlements (Active Rules)Supported ActionsRegular Expression Support?
Free5All except LogNo
Pro20All except LogNo
Business100All except LogYes
Enterprise1000AllYes

Get started

Unless you are already an advanced user, we recommend you first learn about the Expressions and Actions topics and then move on to the Create, edit, and delete rules topic. Those eager to dive straight into the technical details should see Firewall Rules language.