WAF phases
The Web Application Firewall provides the following phases where you can create rulesets and rules:
http_request_firewall_customhttp_ratelimithttp_request_firewall_managed
These phases exist both at the account level and at the zone level. Considering the available phases and the two different levels, rules will be evaluated in the following order:
| WAF feature | Scope | Phase | Ruleset kind | Location in the dashboard |
|---|---|---|---|---|
| Custom rulesets |
Account | http_request_firewall_custom |
custom (create)root (deploy) |
Account Home > WAF > Custom rulesets |
| Custom rules | Zone | http_request_firewall_custom |
zone |
Your zone > Security > WAF > Custom rules |
| Rate limiting rules | Account | http_ratelimit |
root |
Account Home > WAF > Rate limiting rulesets |
| Rate limiting rules | Zone | http_ratelimit |
zone |
Your zone > Security > WAF > Rate limiting rules |
| WAF Managed Rules | Account | http_request_firewall_managed |
root |
Account Home > WAF > Managed rulesets |
| WAF Managed Rules | Zone | http_request_firewall_managed |
zone |
Your zone > Security > WAF > Managed rules |
To learn more about phases, refer to Phases in the Ruleset Engine documentation.