Cloudflare Docs
Edit this page on GitHub
Set theme to dark (⇧+D)

WAF phases

The Web Application Firewall provides the following phases where you can create rulesets and rules:

  • http_request_firewall_custom
  • http_ratelimit
  • http_request_firewall_managed

These phases exist both at the account level and at the zone level. Considering the available phases and the two different levels, rules will be evaluated in the following order:

WAF featureScopePhaseRuleset kindLocation in the dashboard
Custom rulesets
Accounthttp_request_firewall_customcustom (create)
root (deploy)
Account Home > WAF > Custom rulesets
Custom rulesZonehttp_request_firewall_customzoneYour zone > Security > WAF > Custom rules
Rate limiting rulesAccounthttp_ratelimitrootAccount Home > WAF > Rate limiting rulesets
Rate limiting rulesZonehttp_ratelimitzoneYour zone > Security > WAF > Rate limiting rules
WAF Managed RulesAccounthttp_request_firewall_managedrootAccount Home > WAF > Managed rulesets
WAF Managed RulesZonehttp_request_firewall_managedzoneYour zone > Security > WAF > Managed rules

To learn more about phases, refer to Phases in the Ruleset Engine documentation.