--- title: Add custom policies description: Add custom policies to the Network Firewall. image: https://developers.cloudflare.com/zt-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-network-firewall/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Geolocation ](https://developers.cloudflare.com/search/?tags=Geolocation) # Add custom policies By default, you can create a maximum of 200 policies. We recommend you create lists of IP addresses to reference within policies to streamline policy management. ## Add a policy 1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Firewall policies** \> **Custom policies**. 2. Select **Add a policy**. 3. Fill out the information for your new policy. All existing policies apply to IPv4\. You can use a managed [IP list ↗](https://www.cloudflare.com/en-gb/ips/) when populating the **Value**. 4. When you are done, select **Add new policy**. ## Create a disabled policy When you add a new policy, the policy is **Enabled** by default. To create a **Disabled** policy, follow the steps in [Add a policy](#add-a-policy) above and toggle **Enabled** to off. When a policy is in the disabled state, the policy will not perform the action until is set to **Enabled**. To disable an existing policy, from the **Custom policies** tab, set the **Enabled** toggle to off. ## Update a policy 1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Firewall policies** \> **Custom policies**. 2. Locate the policy you want to edit and select the three dots > **Edit**. 3. Update the policy with your changes and select **Save**. ## Delete an existing policy 1. Locate the policy you want to delete in the list. 2. From the end of the row, select **Delete**. 3. Select **Delete** again to confirm the deletion. ## API Below, you can find examples of how to use the API to perform certain actions. Warning The examples on this page all use the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets` endpoint. This endpoint is intended to create policies from scratch and **might overwrite existing policies**. If you have a ruleset already deployed, consider using the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules` endpoint instead. Refer to [Add a rule to a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/add-rule/) and [Create an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) for more information. ### Skip action The example below blocks all TCP ports, but allows one port (`8080`) by using the skip action. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "skip", "action_parameters": { "ruleset": "current" }, "expression": "tcp.dstport in { 8080 } ", "description": "Allow port 8080" }, { "action": "block", "expression": "tcp.dstport in { 1..65535 }", "description": "Block all TCP ports" } ] }' ``` ### Block a country The example below blocks all packets with a source or destination IP address coming from Brazil by using its 2-letter country code in [ISO 3166-1 Alpha 2 ↗](https://www.iso.org/obp/ui/#search/code/) format. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "block", "expression": "ip.src.country == \"BR\"", "description": "Block traffic from Brazil" } ] }' ``` ### Use an IP list Cloudflare Network Firewall supports [using lists in expressions](https://developers.cloudflare.com/waf/tools/lists/use-in-expressions/) for the `ip.src` and `ip.dst` fields. The supported lists are: * `$cf.anonymizer` \- Anonymizer proxies * `$cf.botnetcc` \- Botnet command and control channel * `$cf.malware` \- Sources of malware * `$` \- The name of an account-level IP list Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "block", "expression": "ip.src in $cf.anonymizer", "description": "Block traffic from anonymizer proxies" } ] }' ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-network-firewall/","name":"Cloudflare Network Firewall"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-network-firewall/how-to/","name":"How to"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-network-firewall/how-to/add-policies/","name":"Add custom policies"}}]} ```