Ruleset logic
Cloudflare Network Firewall rules are evaluated after Cloudflare's DDoS mitigations have been applied. The two systems are independent: permitting traffic in Cloudflare Network Firewall does not allow it through our DDoS mitigations. Traffic can still be blocked by the DDoS mitigations, which are applied first in the flow through Cloudflare's systems.
By default, Cloudflare Network Firewall policies allow all traffic until explicitly blocked by a rule. If no policy is configured, all traffic is permitted after DDoS mitigations have been applied.
You have two options for configuring a security policy:
- Enforce a positive security model, which blocks everything and creates allow rules for specific required traffic.
- Begin with a minimal ruleset to block specific traffic and, by default, everything else is permitted.
Traffic is matched in order of the configured rules. As soon as traffic is matched by an enabled rule, it is no longer validated against the later rules. Disabled rules are skipped entirely — traffic is not evaluated against them. In the dashboard under Traffic policies > Firewall policies, rule order begins from the top and flows down your list of rules.
For example, permitting all TCP traffic in rule #4 would mean all TCP traffic is permitted. A rule #5 blocking traffic from IP address x.x.x.x would never be evaluated for that TCP traffic.
For best practices when configuring your security policy, refer to Best practices.
Cloudflare-sourced traffic is also subject to the Cloudflare Network Firewall rules you configure. If you block all ICMP traffic, you will also block Cloudflare's endpoint health checks. When blocking ICMP traffic, ensure your rules first allow ICMP sourced from Cloudflare public IPs to your prefix endpoint IPs before applying a block ICMP rule.
For a list of Cloudflare's public IPs, refer to IP Ranges.
Traffic is processed in two phases: first against your Custom rules, then against Cloudflare's Managed rules.
The Custom phase is a set of rules you define and control. You can customize the expression, order, and actions of these rules.
Cloudflare Network Firewall evaluates custom policies before managed policies, following the order of precedence. Therefore, if traffic matches a custom policy first, the action of that policy is the one Cloudflare Network Firewall takes.
The actions available for a custom rule are Block or Skip (allow).
Managed phase rulesets are maintained by Cloudflare and contain rules based on best practices, known malicious patterns, and other threat intelligence.
Cloudflare maintains the expressions and order of execution for rules in the Managed phase. You can enable, disable, or set individual rules to log matching packets.
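As an added illustration, not Cloudflare code, the following Python models the evaluation order described above: first-match within a phase, disabled rules skipped, the Custom phase before the Managed phase, and allow by default. It reproduces the rule #4/#5 pitfall and the ICMP health-check ordering; rule expressions are plain predicates standing in for Network Firewall expressions, the addresses are constructed, and the managed rule is hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
@dataclass
class Rule:
    description: str
    matches: Callable[[Dict[str, str]], bool]  # stands in for a Network Firewall expression
    action: str                                # "block" or "skip" (skip == allow)
    enabled: bool = True

def evaluate_phase(rules: List[Rule], pkt: Dict[str, str]) -> Optional[str]:
    """Action of the first *enabled* rule that matches, else None.
    Later rules are never consulted after a match; disabled rules are skipped."""
    for rule in rules:
        if rule.enabled and rule.matches(pkt):
            return rule.action
    return None

def decide(custom: List[Rule], managed: List[Rule], pkt: Dict[str, str]) -> str:
    """Custom phase first, then Managed; the first matching rule's action is final.
    With no match in either phase, the default is allow."""
    for phase in (custom, managed):
        action = evaluate_phase(phase, pkt)
        if action is not None:
            return "allow" if action == "skip" else "block"
    return "allow"

# Constructed addresses: TEST-NET-1 for the unwanted host, TEST-NET-2 standing in
# for a Cloudflare health-check source (use the published IP ranges in practice).
BAD_HOST, CF_PROBE = "192.0.2.10", "198.51.100.7"
is_tcp = lambda p: p["proto"] == "tcp"
is_icmp = lambda p: p["proto"] == "icmp"
from_bad_host = lambda p: p["src"] == BAD_HOST
cf_probe = lambda p: is_icmp(p) and p["src"] == CF_PROBE

# Ordering pitfall from the text: "allow all TCP" at #4 shadows "block IP" at #5.
SHADOWED = [Rule("#4 allow all TCP", is_tcp, "skip"), Rule("#5 block host", from_bad_host, "block")]
FIXED = [Rule("#4 block host", from_bad_host, "block"), Rule("#5 allow all TCP", is_tcp, "skip")]
# ICMP: allow Cloudflare probes *before* the blanket ICMP block, or health checks fail.
ICMP_RULES = [Rule("allow ICMP from Cloudflare", cf_probe, "skip"), Rule("block all ICMP", is_icmp, "block")]
DISABLED = [Rule("block host (disabled)", from_bad_host, "block", enabled=False)]
MANAGED = [Rule("managed: block host", from_bad_host, "block")]  # hypothetical managed rule

def demo() -> Dict[str, str]:
    tcp_bad = {"proto": "tcp", "src": BAD_HOST}
    return {"shadowed": decide(SHADOWED, [], tcp_bad),          # allow: #5 never reached
            "fixed": decide(FIXED, [], tcp_bad),                # block
            "custom_wins": decide(SHADOWED, MANAGED, tcp_bad),  # allow: custom skip is final
            "disabled": decide(DISABLED, [], tcp_bad),          # allow: disabled rule ignored
            "probe": decide(ICMP_RULES, [], {"proto": "icmp", "src": CF_PROBE}),      # allow
            "other_icmp": decide(ICMP_RULES, [], {"proto": "icmp", "src": BAD_HOST})}  # block
```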
Refer to Enable managed rulesets for more information.