Cloudflare Docs
Edit this page on GitHub
Set theme to dark (⇧+D)

Firewall events

The descriptions below detail the fields available for firewall_events.

ActionThe code of the first-class action the Cloudflare Firewall took on this request.
Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionclose | challengesolved | challengefailed | challengebypassed | jschallengesolved | jschallengefailed | jschallengebypassed | bypass | managedchallenge | managedchallengeskipped | managedchallengenoninteractivesolved | managedchallengeinteractivesolved | managedchallengebypassed.
ClientASNThe ASN number of the
ClientASNDescriptionThe ASN of the visitor as string.string
ClientCountryCountry from which request originated.string
ClientIPThe visitor’s IP address (IPv4 or IPv6).string
ClientIPClassThe classification of the visitor’s IP address, possible values are: unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor.string
ClientRefererHostThe referer host.string
ClientRefererPathThe referer path requested by visitor.string
ClientRefererQueryThe referer query-string was requested by the visitor.string
ClientRefererSchemeThe referer URL scheme requested by the visitor.string
ClientRequestHostThe HTTP hostname requested by the visitor.string
ClientRequestMethodThe HTTP method used by the visitor.string
ClientRequestPathThe path requested by visitor.string
ClientRequestProtocolThe version of HTTP protocol requested by the visitor.string
ClientRequestQueryThe query-string was requested by the visitor.string
ClientRequestSchemeThe URL scheme requested by the visitor.string
ClientRequestUserAgentVisitor’s user-agent string.string
DatetimeThe date and time the event occurred at the or string
DescriptionThe description of the rule triggered by this request.string
EdgeColoCodeThe airport code of the Cloudflare datacenter that served this request.string
EdgeResponseStatusHTTP response status code returned to
KindThe kind of event, currently only possible values are: firewall.string
LeakedCredentialCheckResultResult of the check for leaked credentials.string
MatchIndexRules match index in the chain. The last matching rule will have MatchIndex 0. If another rule matched before the last one, it will have MatchIndex 1. The same applies to any other matching rules, which will have a MatchIndex value of 2, 3, and so
MetadataAdditional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time.object
OriginResponseStatusHTTP origin response status code returned to
OriginatorRayIDThe RayID of the request that issued the challenge/jschallenge.string
RayIDThe RayID of the request.string
RefThe user-defined identifier for the rule triggered by this request. Use refs to label your rules individually alongside the Cloudflare-provided RuleID. You can set refs via the Rulesets API for some security products.string
RuleIDThe Cloudflare security product-specific RuleID triggered by this request.string
SourceThe Cloudflare security product triggered by this request.
Possible sources are unknown | asn | country | ip | iprange | securitylevel | zonelockdown | waf | firewallrules | uablock | ratelimit | bic | hot | l7ddos | validation | botfight | apishield | botmanagement | dlp | firewallmanaged | firewallcustom | apishieldschemavalidation | apishieldtokenvalidation | apishieldsequencemitigation.