


Actions tell Cloudflare how to handle HTTP requests that have matched a firewall rule expression.

Supported actions

The table below lists the actions available in Firewall Rules. These actions are listed in order of precedence. If the same request matches two different rules which have the same priority, precedence determines the action to take.

For example, the Allow action takes precedence over the Block action. In a case where a request matches a rule with the Allow action and another with the Block action, precedence resolves the tie, and Cloudflare allows the request.

There are two exceptions to this behavior: the Log and Bypass actions. Unlike other actions, Log and Bypass do not terminate further evaluation within Firewall Rules. This means that if a request matches two different rules and one of those rules specifies the Log or Bypass action, the second action will be triggered instead, even though Log/Bypass has precedence.

Action (order of precedence), followed by its description:

Log (order of precedence: 1)
  • Records matching requests in the Cloudflare Logs
  • Only available for Enterprise plans
  • Recommended for validating rules before committing to a more severe action
Bypass (order of precedence: 2)
  • Allows the user to dynamically disable Cloudflare security features for a request
  • Available to all plans
  • Matching requests are exempt from evaluation by a user-defined list containing one or more of the following Cloudflare Firewall products/features:
    • User-agent Blocking
    • Browser Integrity Check
    • Hotlinking Protection
    • Security Level (IP Reputation)
    • Rate Limiting
    • Zone Lockdown (PRO, BIZ, ENT)
    • WAF Managed Rules (PRO, BIZ, ENT)
  • Requests which match the Bypass action are still subject to evaluation (and thus a challenge or block) within Firewall Rules, based on the order of execution.
Allow (order of precedence: 3)
  • Matching requests are exempt from challenge and block actions triggered by other Firewall Rules content.
  • The scope of the Allow action is limited to Firewall Rules; matching requests are not exempt from action by other Cloudflare Firewall products, such as IP Access Rules, WAF, etc.
  • Matched requests will be mitigated if they are part of a DDoS attack.
Challenge (Captcha) (order of precedence: 4)
  • Useful for ensuring that the visitor accessing the site is human, not automated
  • The client that made the request must pass a Captcha Challenge.
  • If successful, Cloudflare accepts the matched request; otherwise, it is blocked.
JS Challenge (order of precedence: 5)
  • Useful for ensuring that bots and spam cannot access the requested resource; browsers, however, are free to satisfy the challenge automatically.
  • The client that made the request must pass a Cloudflare JavaScript Challenge before proceeding.
  • If successful, Cloudflare accepts the matched request; otherwise, it is blocked.
Block (order of precedence: 6)
  • Matching requests are denied access to the site.
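
The tie-breaking behaviour described above, as an added example that is not Cloudflare's code: a simplified Python model that resolves the actions of rules matching one request at the same priority, using the order of precedence listed on this page. The function, class and field names are hypothetical, and the sample rule sets are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Order of precedence as listed on this page (lower number wins a tie).
PRECEDENCE = {"log": 1, "bypass": 2, "allow": 3,
              "challenge": 4, "js_challenge": 5, "block": 6}


@dataclass
class Outcome:
    action: Optional[str] = None                 # terminating action, if any
    logged: bool = False                         # a Log rule matched
    bypassed: set = field(default_factory=set)   # features skipped via Bypass


def resolve(matched_rules):
    """Resolve rules that matched one request and share the same priority.

    matched_rules: list of (action, bypass_features) tuples (hypothetical shape).
    Log and Bypass are recorded but do not stop evaluation; the first other
    action in precedence order terminates it.
    """
    outcome = Outcome()
    for action, features in sorted(matched_rules, key=lambda r: PRECEDENCE[r[0]]):
        if action == "log":
            outcome.logged = True
        elif action == "bypass":
            outcome.bypassed |= set(features)
        else:
            outcome.action = action
            break
    return outcome


if __name__ == "__main__":
    # Constructed sample rule sets, each for a single request.
    samples = {
        "allow vs block": [("block", ()), ("allow", ())],
        "log vs block": [("block", ()), ("log", ())],
        "bypass vs js_challenge": [("bypass", ("WAF Managed Rules",)),
                                   ("js_challenge", ())],
        "log only": [("log", ())],
    }
    for name, rules in samples.items():
        print(name, "->", resolve(rules))
```

A result with `action` set to `None` means no terminating Firewall Rules action matched in this model; a Bypass rule alone never shields a request from a Block or challenge rule that also matches.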

Choosing actions in the Rule Builder

Choosing an action in the Cloudflare Expression Builder is simple. After naming a rule and building your expression, pick the appropriate option from the Choose an action drop-down list. In this example, the chosen action is Block:

[Image: Create Firewall Rule page]

For more on building firewall rules in the Firewall App, see Create, edit, and delete rules.