Rules

Network Flow (formerly Magic Network Monitoring) rules monitor your network traffic for Distributed Denial of Service (DDoS) attacks targeting specific IP addresses or prefixes. When traffic exceeds a rule's threshold or matches a known DDoS attack fingerprint, you receive an alert.

Rule types

Network Flow supports three rule types:

| Rule Type | Description | Availability |
| --- | --- | --- |
| Dynamic threshold (recommended) | Analyzes your network's traffic patterns over time and automatically adjusts the DDoS threshold (bits or packets) based on traffic history. | API only |
| Static threshold | You define a fixed threshold (bits or packets) for DDoS traffic monitoring. | API and dashboard |
| sFlow DDoS attack | If you send sFlow data to Cloudflare, you can receive alerts when a specific DDoS attack type is detected in your traffic. | API only (sFlow data only) |

Create rules in the dashboard

You can only configure static traffic threshold rules in the Cloudflare dashboard.

To create a new rule:

  1. Go to the Network flow page.
  2. Select Configure Network flow.
  3. In the Configure rules tab, select Add new rule.
  4. Fill in the rule fields. For details on each field, refer to Static threshold rules.
  5. Select Create a new rule when you are finished.

Edit rules in the dashboard

  1. Go to the Network flow page.
  2. Select Configure Network flow.
  3. In the Configure rules tab, find the static threshold rule you want to edit, and select Edit.
  4. Edit the appropriate fields. Refer to Rule configuration fields for more information on what each field does.
  5. Select Save when you are finished.

Delete rules in the dashboard

  1. Go to the Network flow page.
  2. Select Configure Network flow.
  3. In the Configure rules tab, find the static threshold rule you want to delete, and select Delete.
  4. Select I understand that deleting a rule is permanent, and select Delete again.

Common settings that apply to all rule types

Rule Auto-Advertisement

Auto-Advertisement automatically activates Magic Transit when a rule triggers, routing your traffic through Cloudflare for DDoS mitigation without manual intervention.

This feature is available to Enterprise customers using Magic Transit On Demand. You can enable it for any dynamic threshold, static threshold, or sFlow DDoS attack rule.

Follow the previous steps to create or edit a rule. Then, enable Auto-Advertisement.

Rule Auto-Advertisement notifications

Webhook, PagerDuty, and email notifications are sent following an auto-advertisement attempt for all prefixes inside the flagged rule.

The notification reports the advertisement status of each prefix. The available statuses are:

  • Advertised: The prefix was successfully advertised.
  • Already Advertised: The prefix was advertised prior to the auto-advertisement attempt.
  • Delayed: The prefix cannot currently be advertised, but advertisement will be attempted. After the prefix can be advertised, a new notification is sent with the updated status.
  • Locked: The prefix is locked and cannot be advertised.
  • Could not Advertise: Cloudflare was unable to advertise the prefix. This status can occur for multiple reasons, but usually occurs when you are not allowed to advertise a prefix.
  • Error: A general error occurred during prefix advertisement.

Rule IP prefixes

Each rule must include one or more IP prefixes. All prefixes in a rule are evaluated as aggregate traffic — their combined volume is measured against the threshold.

  • To alert on the combined traffic of multiple prefixes, add them to the same rule.
  • To alert on individual prefix traffic, create a separate rule for each prefix.

Rule IP prefixes example

In the following example, the rule triggers when the combined packet traffic of 192.168.0.0/24 and 172.118.0.0/24 exceeds 10000 packets. If Auto-Advertisement is enabled, Cloudflare advertises both prefixes when the rule triggers.

You can also configure rule IP prefixes at scale using the API.

{
  "rules": [
    {
      "name": "Too many packets",
      "prefixes": ["192.168.0.0/24", "172.118.0.0/24"],
      "packet_threshold": 10000,
      "automatic_advertisement": true,
      "duration": "1m0s",
      "type": "threshold"
    }
  ]
}

To set a threshold for a single prefix, create a separate rule:

{
  "rules": [
    {
      "name": "Too many packets",
      "prefixes": ["172.118.0.0/24"],
      "packet_threshold": 1000,
      "automatic_advertisement": true,
      "duration": "1m0s",
      "type": "threshold"
    }
  ]
}
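
To see how aggregate evaluation interacts with Auto-Advertisement before you deploy a rule, the following added example (not Cloudflare's code) models the two rules above locally in Python and runs them against constructed per-destination packet counts. It assumes the counts cover a single measurement window and does not model the duration field; the rule names "combined" and "single" and the evaluate() helper are hypothetical.

```python
import ipaddress

# The two rules from this page; the names are changed here to tell them apart.
RULES = [
    {"name": "combined", "prefixes": ["192.168.0.0/24", "172.118.0.0/24"],
     "packet_threshold": 10000, "automatic_advertisement": True},
    {"name": "single", "prefixes": ["172.118.0.0/24"],
     "packet_threshold": 1000, "automatic_advertisement": True},
]

# Constructed sample: (destination IP, packets) seen in one measurement window.
FLOWS = [
    ("192.168.0.10", 9800),   # noisy host in the first prefix
    ("172.118.0.5", 300),     # quiet host in the second prefix
    ("10.0.0.1", 50000),      # outside every rule prefix, so never counted
]


def evaluate(rules, flows):
    """Local model of aggregate threshold evaluation (hypothetical helper)."""
    results = []
    for rule in rules:
        # ip_network() raises ValueError on malformed CIDRs or set host bits.
        nets = [ipaddress.ip_network(p) for p in rule["prefixes"]]
        per_prefix = {str(n): 0 for n in nets}
        for dst, packets in flows:
            addr = ipaddress.ip_address(dst)
            # First matching prefix wins, so overlapping prefixes never double count.
            hit = next((n for n in nets if addr in n), None)
            if hit is not None:
                per_prefix[str(hit)] += packets
        total = sum(per_prefix.values())
        # "Exceeds" is modelled as strictly greater than the threshold.
        triggered = total > rule["packet_threshold"]
        # When a rule triggers, every prefix in it is advertised, quiet or not.
        advertise = list(per_prefix) if triggered and rule["automatic_advertisement"] else []
        results.append({"name": rule["name"], "per_prefix": per_prefix,
                        "total": total, "triggered": triggered,
                        "advertise": advertise})
    return results


if __name__ == "__main__":
    for r in evaluate(RULES, FLOWS):
        print(r["name"], r["total"], r["triggered"], r["advertise"], r["per_prefix"])
```

With this sample the combined rule triggers and both prefixes are advertised, even though 172.118.0.0/24 carried only 300 packets and its own single-prefix rule stays below threshold.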