Deploy a managed ruleset with ruleset, tag, and rule overrides

Customize the execution of managed rulesets with a combination of ruleset overrides, tag overrides, and rule overrides in your phase entry point ruleset.

Add a rule to a phase entry point ruleset to execute a managed ruleset.
Configure a ruleset override that disables all rules in the managed ruleset.
Configure a tag override that sets an action for rules with a given tag.
Configure a rule override that sets an action for the rules you want to execute.

The request below uses the Update a zone entry point ruleset operation to execute the following in a single PUT request:

Add a rule to the http_request_firewall_managed phase entry point ruleset that executes a managed ruleset.
Use category overrides to enable rules with wordpress and drupal tags and set their actions to log.
Add a rule override that enables a single rule.

Example: Execute a managed ruleset at the zone level with overrides

In this example:

"id": "<MANAGED_RULESET_ID>" defines the managed ruleset to execute for requests addressed to a zone ($ZONE_ID).
"enabled": false defines an override at the ruleset level to disable all rules in the managed ruleset.
"categories": [{"category": "wordpress", "action": "log", "enabled": true}, {"category": "drupal", "action": "log", "enabled": true}] defines an override at the tag level to enable rules tagged with wordpress or drupal and sets their action to log.
"rules": [{"id": "<RULE_ID>", "action": "block", "enabled": true}] defines an override at the rule level that enables one individual rule and sets the action to block.

Required API token permissions

At least one of the following token permissions is required:

Response Compression Write
Config Settings Write
Dynamic URL Redirects Write
Cache Settings Write
Custom Errors Write
Origin Write
Managed headers Write
Zone Transform Rules Write
Mass URL Redirects Write
Magic Firewall Write
L4 DDoS Managed Ruleset Write
HTTP DDoS Managed Ruleset Write
Sanitize Write
Transform Rules Write
Select Configuration Write
Bot Management Write
Zone WAF Write
Account WAF Write
Account Rulesets Write
Logs Write
Logs Write

curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "categories": [
                        {
                            "category": "wordpress",
                            "action": "log",
                            "enabled": true
                        },
                        {
                            "category": "drupal",
                            "action": "log",
                            "enabled": true
                        }
                    ],
                    "rules": [
                        {
                            "id": "<RULE_ID>",
                            "action": "block",
                            "enabled": true
                        }
                    ]
                }
            }
        }
    ]
  }'

Example: Execute a managed ruleset at the account level with overrides

In this example:

"id": "<MANAGED_RULESET_ID>" defines the managed ruleset to execute for requests addressed to example.com.
"enabled": false defines an override at the ruleset level to disable all rules in the managed ruleset.
"categories": [{"category": "wordpress", "action": "log", "enabled": true}, {"category": "drupal", "action": "log", "enabled": true}] defines an override at the tag level to enable rules tagged with wordpress or drupal and sets their action to log.
"rules": [{"id": "<RULE_ID>", "action": "block", "enabled": true}] defines an override at the rule level that enables one individual rule and sets the action to block.

Required API token permissions

At least one of the following token permissions is required:

Mass URL Redirects Write
Magic Firewall Write
L4 DDoS Managed Ruleset Write
Transform Rules Write
Select Configuration Write
Account WAF Write
Account Rulesets Write
Logs Write

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "categories": [
                        {
                            "category": "wordpress",
                            "action": "log",
                            "enabled": true
                        },
                        {
                            "category": "drupal",
                            "action": "log",
                            "enabled": true
                        }
                    ],
                    "rules": [
                        {
                            "id": "<RULE_ID>",
                            "action": "block",
                            "enabled": true
                        }
                    ]
                }
            }
        }
    ]
  }'

Was this helpful?

Community
X
Discord
YouTube
GitHub