Order and priority

By default, the action you specify in a rule determines the evaluation sequence for your entire ruleset. To learn more, see Actions.

However, order and priority are two options that let you force the evaluation sequence that Firewall Rules follows before triggering a rule.

You can manage both order and priority via the Firewall Rules UI in the Cloudflare dashboard. Priority management is also available via the Firewall Rules API.

Note that the Firewall Rules engine processes rules in parallel. If you specify neither order nor priority in a large ruleset, a matching conflict is possible. To avoid any conflicts, Cloudflare strongly recommends explicitly controlling the evaluation sequence of your ruleset via one of the options discussed below.

Ordering rules

When you use the order option in the Firewall Rules UI, you are overriding the default evaluation sequence (based on the rule’s action).

Using order for your ruleset evaluation sequence is advantageous when managing under 201 rules because you can use drag and drop functionality.

Currently, Cloudflare supports the order option for up to 200 rules. This applies to the total number of active and inactive rules. Starting at 201, you must manage the execution of your rules using priority.

Prioritizing rules

Cloudflare recommends the priority option when managing a large ruleset (over 200 rules). At that scale, it is more efficient to configure your rules programmatically via the Firewall Rules API or Terraform.

Firewall Rules does not have default priorities and does not force you to have a priority for every rule. This gives you the freedom to organize your ruleset as you deem most appropriate.

The numbering can be relatively arbitrary, as long as it makes sense for your particular situation. However, keep in mind that:

  • the evaluation sequence starts from the lowest priority number to the highest,
  • you should avoid using the number 1 as a priority as no other rule can go above it, thus making it harder to renumber your rules, and
  • rules with no priorities are evaluated last.

We recommend grouping ranges of priority numbers into meaningful categories. For example:

  • 5000-9999 - Trusted IP Addresses
  • 10000-19999 - Blocking Rules for Bad Crawlers
  • 20000-29999 - Blocking Rules for Abusive/Spam Users

The example priority numbers above are valid since you can have many more rules than the limit associated with your domain plan. That limit applies solely to active rules.
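
The priority rules and the example bands above can be checked offline before a ruleset is pushed. The following is an added example, not Cloudflare's code: it sorts a ruleset into the evaluation sequence described on this page and reports rules that use priority 1, have no priority, or fall outside the bands. The rule ids and values are constructed, and treating a shared priority number as a finding is this example's assumption, since the page does not say how ties are resolved.

```python
# Priority bands taken from the example grouping on this page.
BANDS = {
    "Trusted IP Addresses": range(5000, 10000),
    "Blocking Rules for Bad Crawlers": range(10000, 20000),
    "Blocking Rules for Abusive/Spam Users": range(20000, 30000),
}

def evaluation_order(rules):
    """Lowest priority number first; rules with no priority are evaluated last."""
    with_prio = sorted((r for r in rules if r.get("priority") is not None),
                       key=lambda r: r["priority"])  # stable: ties keep input order
    without = [r for r in rules if r.get("priority") is None]
    return with_prio + without

def band_of(priority):
    """Name of the band containing this priority, or None."""
    return next((n for n, b in BANDS.items() if priority in b), None)

def lint(rules):
    """Return (rule id, finding) pairs for priorities that weaken explicit ordering."""
    findings, seen = [], {}
    for r in rules:
        p = r.get("priority")
        if p is None:
            findings.append((r["id"], "no priority: evaluated last"))
            continue
        if p == 1:
            findings.append((r["id"], "priority 1: nothing can be placed above it"))
        if band_of(p) is None:
            findings.append((r["id"], f"priority {p} is outside every band"))
        if p in seen:  # assumption: tie order is not defined on this page, so flag it
            findings.append((r["id"], f"priority {p} duplicates {seen[p]}"))
        seen.setdefault(p, r["id"])
    return findings

# Constructed sample ruleset; field names follow Firewall Rules API rule objects.
RULES = [
    {"id": "r-block-spam", "action": "block", "priority": 20010},
    {"id": "r-allow-office", "action": "allow", "priority": 5000},
    {"id": "r-challenge-misc", "action": "challenge", "priority": None},
    {"id": "r-block-crawler", "action": "block", "priority": 10000},
    {"id": "r-block-crawler2", "action": "block", "priority": 10000},
    {"id": "r-allow-monitor", "action": "allow", "priority": 1},
]

if __name__ == "__main__":
    print([r["id"] for r in evaluation_order(RULES)])
    print(lint(RULES))
```

Running the lint step in CI against the Terraform or API payload catches an allow rule that has drifted below a block rule before the change reaches the zone.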