Cloudflare Docs

Add custom policies

By default, you can create a maximum of 200 policies. We recommend you create lists of IP addresses to reference within policies to streamline policy management.

Add a policy

  1. In the Cloudflare One dashboard, go to Firewall policies > Custom policies.
  2. Select Add a policy.
  3. Fill out the information for your new policy. All existing policies apply to IPv4. You can use a managed IP list when populating the Value.
  4. When you are done, select Add new policy.

Create a disabled policy

When you add a new policy, the policy is Enabled by default.

To create a Disabled policy, follow the steps in Add a policy above and toggle Enabled to off. While a policy is disabled it is stored but performs no action; it takes effect only once it is set to Enabled.

To disable an existing policy, from the Custom policies tab, set the Enabled toggle to off.

Update a policy

  1. In the Cloudflare One dashboard, go to Firewall policies > Custom policies.
  2. Locate the policy you want to edit and select the three dots > Edit.
  3. Update the policy with your changes and select Save.

Delete an existing policy

  1. Locate the policy you want to delete in the list.
  2. From the end of the row, select Delete.
  3. Select Delete again to confirm the deletion.

API

Below, you can find examples of how to use the API to perform certain actions.

Skip action

The example below blocks all TCP ports, but allows one port (8080) by using the skip action.

Terminal window
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "Example ruleset",
    "kind": "root",
    "phase": "magic_transit",
    "description": "Example ruleset description",
    "rules": [
      {
        "action": "skip",
        "action_parameters": { "ruleset": "current" },
        "expression": "tcp.dstport in { 8080 } ",
        "description": "Allow port 8080"
      },
      {
        "action": "block",
        "expression": "tcp.dstport in { 1..65535 }",
        "description": "Block all TCP ports"
      }
    ]
  }'

Block a country

The example below blocks all packets with a source or destination IP address coming from Brazil by using its two-letter ISO 3166-1 alpha-2 country code.

Terminal window
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "Example ruleset",
    "kind": "root",
    "phase": "magic_transit",
    "description": "Example ruleset description",
    "rules": [
      {
        "action": "block",
        "expression": "ip.src.country == \"BR\"",
        "description": "Block traffic from Brazil"
      }
    ]
  }'

Use an IP list

Magic Firewall supports using lists in expressions for the ip.src and ip.dst fields. The supported lists are:

  • $cf.anonymizer - Anonymizer proxies
  • $cf.botnetcc - Botnet command and control channel
  • $cf.malware - Sources of malware
  • $<IP_LIST_NAME> - The name of an account-level IP list

Terminal window
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "Example ruleset",
    "kind": "root",
    "phase": "magic_transit",
    "description": "Example ruleset description",
    "rules": [
      {
        "action": "block",
        "expression": "ip.src in $cf.anonymizer",
        "description": "Block traffic from anonymizer proxies"
      }
    ]
  }'
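The three curl calls above all post the same ruleset shape, and the skip example only works because the skip rule is listed before the block rule. The helper below, an added example rather than Cloudflare's own client code, builds that payload for the magic_transit phase, checks the ordering, country-code and list-reference mistakes that silently yield a useless policy, and supports the disabled state from the section above via the rule-level `enabled` flag. It assumes nothing beyond the endpoint, phase and rule fields shown on this page; `post_ruleset` is the only function that touches the network.

```python
import json
import re
import urllib.request

API = "https://api.cloudflare.com/client/v4"
# Managed lists named on this page; any other $name must be an account-level IP list.
KNOWN_LISTS = {"$cf.anonymizer", "$cf.botnetcc", "$cf.malware"}

def rule(action, expression, description, enabled=True):
    """One ruleset rule. enabled=False stores the rule without it acting on traffic."""
    r = {"action": action, "expression": expression,
         "description": description, "enabled": enabled}
    if action == "skip":
        # "current" skips the remaining rules of this ruleset for matching packets.
        r["action_parameters"] = {"ruleset": "current"}
    return r

def check_rules(rules):
    """Return a list of problems; an empty list means the payload is worth sending."""
    problems = []
    first_block = next((i for i, r in enumerate(rules) if r["action"] == "block"), None)
    for i, r in enumerate(rules):
        expr = r["expression"]
        # Rules are evaluated in order, so a skip after a block cannot exempt
        # traffic that the block already matched (the 8080 example relies on this).
        if r["action"] == "skip" and first_block is not None and i > first_block:
            problems.append(f"rule {i}: skip follows a block rule and cannot exempt traffic")
        # Country comparisons must use ISO 3166-1 alpha-2 codes such as "BR".
        for code in re.findall(r'\.country == "([^"]*)"', expr):
            if not re.fullmatch(r"[A-Z]{2}", code):
                problems.append(f"rule {i}: {code!r} is not an ISO 3166-1 alpha-2 code")
        # List references are $cf.* or $<IP_LIST_NAME> (letters, digits, underscore).
        for name in re.findall(r"\bin (\$\S+)", expr):
            if name not in KNOWN_LISTS and not re.fullmatch(r"\$[A-Za-z0-9_]+", name):
                problems.append(f"rule {i}: {name!r} is not a valid list reference")
    return problems

def build_ruleset(name, rules, description=""):
    """Same document shape as the --data bodies in the curl examples."""
    return {"name": name, "kind": "root", "phase": "magic_transit",
            "description": description, "rules": rules}

def post_ruleset(account_id, token, ruleset):
    """POST the ruleset to the account rulesets endpoint (network call)."""
    req = urllib.request.Request(f"{API}/accounts/{account_id}/rulesets",
        data=json.dumps(ruleset).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `check_rules` on the rule list and only call `post_ruleset` when it returns an empty list.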