WAF phases

The Web Application Firewall provides the following phases where you can create rulesets and rules:

• http_request_firewall_custom
• http_ratelimit
• http_request_firewall_managed

These phases exist both at the account level and at the zone level. Considering the available phases and the two different levels, rules will be evaluated in the following order:

New dashboard

Security feature	Scope	Phase	Ruleset kind	Location in the dashboard
Custom rulesets	Account	http_request_firewall_custom	custom (create) root (deploy)	Go to WAF > Custom rulesets tab
Custom rules	Zone	http_request_firewall_custom	zone	Go to Security rules
Rate limiting rulesets	Account	http_ratelimit	root	Go to WAF > Rate limiting rulesets tab
Rate limiting rules	Zone	http_ratelimit	zone	Go to Security rules
Managed rulesets	Account	http_request_firewall_managed	root	Go to WAF > Managed rulesets tab
Managed rules	Zone	http_request_firewall_managed	zone	Go to Security rules

Old dashboard

Security feature	Scope	Phase	Ruleset kind	Location in the dashboard
Custom rulesets	Account	http_request_firewall_custom	custom (create) root (deploy)	Go to WAF > Custom rulesets tab
Custom rules	Zone	http_request_firewall_custom	zone	Your zone > Security > WAF > Custom rules tab
Rate limiting rulesets	Account	http_ratelimit	root	Go to WAF > Rate limiting rulesets tab
Rate limiting rules	Zone	http_ratelimit	zone	Your zone > Security > WAF > Rate limiting rules tab
Managed rulesets	Account	http_request_firewall_managed	root	Go to WAF > Managed rulesets tab
Managed rules	Zone	http_request_firewall_managed	zone	Your zone > Security > WAF > Managed rules tab

To learn more about phases, refer to Phases in the Ruleset Engine documentation.