Cloudflare Docs
Visit WAF on GitHub
Set theme to dark (⇧+D)

WAF phases

The Web Application Firewall provides the following phases where you can create rulesets and rules:

  • http_request_firewall_custom
  • http_ratelimit
  • http_request_firewall_managed

These phases exist both at the account level and at the zone level. Considering the available phases and the two different levels, rules will be evaluated in the following order:

WAF feature Scope Phase Ruleset kind Location in the dashboard
Custom rulesets
Account http_request_firewall_custom custom (create)
root (deploy)
Account Home > WAF > Custom rulesets
Custom rules Zone http_request_firewall_custom zone Your zone > Security > WAF > Custom rules
Rate limiting rules Account http_ratelimit root Account Home > WAF > Rate limiting rulesets
Rate limiting rules Zone http_ratelimit zone Your zone > Security > WAF > Rate limiting rules
WAF Managed Rules Account http_request_firewall_managed root Account Home > WAF > Managed rulesets
WAF Managed Rules Zone http_request_firewall_managed zone Your zone > Security > WAF > Managed rules

To learn more about phases, refer to Phases in the Ruleset Engine documentation.