Skip to content
Cloudflare API
Start here
API Reference

Firewall

FirewallLockdowns

List Zone Lockdown rules
GET/zones/{zone_id}/firewall/lockdowns
Get a Zone Lockdown rule
GET/zones/{zone_id}/firewall/lockdowns/{lock_downs_id}
Create a Zone Lockdown rule
POST/zones/{zone_id}/firewall/lockdowns
Update a Zone Lockdown rule
PUT/zones/{zone_id}/firewall/lockdowns/{lock_downs_id}
Delete a Zone Lockdown rule
DELETE/zones/{zone_id}/firewall/lockdowns/{lock_downs_id}
ModelsExpand Collapse
Configuration = array of LockdownIPConfiguration { target, value } or LockdownCIDRConfiguration { target, value }

A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of ip or ip_range configurations.

One of the following:
LockdownIPConfiguration = object { target, value }
target: optional "ip"

The configuration target. You must set the target to ip when specifying an IP address in the Zone Lockdown rule.

value: optional string

The IP address to match. This address will be compared to the IP address of incoming requests.

LockdownCIDRConfiguration = object { target, value }
target: optional "ip_range"

The configuration target. You must set the target to ip_range when specifying an IP address range in the Zone Lockdown rule.

value: optional string

The IP address range to match. You can only use prefix lengths /16 and /24.

Lockdown = object { id, configurations, created_on, 4 more }
id: string

The unique identifier of the Zone Lockdown rule.

maxLength32
configurations: Configuration { , }

A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of ip or ip_range configurations.

created_on: string

The timestamp of when the rule was created.

formatdate-time
description: string

An informative summary of the rule.

maxLength1024
modified_on: string

The timestamp of when the rule was last modified.

formatdate-time
paused: boolean

When true, indicates that the rule is currently paused.

urls: array of LockdownURL

The URLs to include in the rule definition. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

LockdownCIDRConfiguration = object { target, value }
target: optional "ip_range"

The configuration target. You must set the target to ip_range when specifying an IP address range in the Zone Lockdown rule.

value: optional string

The IP address range to match. You can only use prefix lengths /16 and /24.

LockdownIPConfiguration = object { target, value }
target: optional "ip"

The configuration target. You must set the target to ip when specifying an IP address in the Zone Lockdown rule.

value: optional string

The IP address to match. This address will be compared to the IP address of incoming requests.

LockdownURL = string
LockdownDeleteResponse = object { id }
id: optional string

The unique identifier of the Zone Lockdown rule.

maxLength32

FirewallRules

List firewall rules
Deprecated
GET/zones/{zone_id}/firewall/rules
Get a firewall rule
Deprecated
GET/zones/{zone_id}/firewall/rules/{rule_id}
Create firewall rules
Deprecated
POST/zones/{zone_id}/firewall/rules
Update a firewall rule
Deprecated
PUT/zones/{zone_id}/firewall/rules/{rule_id}
Update priority of a firewall rule
Deprecated
PATCH/zones/{zone_id}/firewall/rules/{rule_id}
Delete a firewall rule
Deprecated
DELETE/zones/{zone_id}/firewall/rules/{rule_id}
Update firewall rules
Deprecated
PUT/zones/{zone_id}/firewall/rules
Update priority of firewall rules
Deprecated
PATCH/zones/{zone_id}/firewall/rules
Delete firewall rules
Deprecated
DELETE/zones/{zone_id}/firewall/rules
ModelsExpand Collapse
DeletedFilter = object { id, deleted }
id: string

The unique identifier of the filter.

maxLength32
minLength32
deleted: boolean

When true, indicates that the firewall rule was deleted.

FirewallRule = object { id, action, description, 5 more }
id: optional string

The unique identifier of the firewall rule.

maxLength32
action: optional Action

The action to apply to a matched request. The log action is only available on an Enterprise plan.

description: optional string

An informative summary of the firewall rule.

maxLength500
filter: optional FirewallFilter { id, description, expression, 2 more } or DeletedFilter { id, deleted }
One of the following:
FirewallFilter = object { id, description, expression, 2 more }
id: optional string

The unique identifier of the filter.

maxLength32
minLength32
description: optional string

An informative summary of the filter.

maxLength500
expression: optional string

The filter expression. For more information, refer to Expressions.

paused: optional boolean

When true, indicates that the filter is currently paused.

ref: optional string

A short reference tag. Allows you to select related filters.

maxLength50
DeletedFilter = object { id, deleted }
id: string

The unique identifier of the filter.

maxLength32
minLength32
deleted: boolean

When true, indicates that the firewall rule was deleted.

paused: optional boolean

When true, indicates that the firewall rule is currently paused.

priority: optional number

The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.

maximum2147483647
minimum0
products: optional array of Product
One of the following:
"zoneLockdown"
"uaBlock"
"bic"
"hot"
"securityLevel"
"rateLimit"
"waf"
ref: optional string

A short reference tag. Allows you to select related firewall rules.

maxLength50
Product = "zoneLockdown" or "uaBlock" or "bic" or 4 more

A list of products to bypass for a request when using the bypass action.

One of the following:
"zoneLockdown"
"uaBlock"
"bic"
"hot"
"securityLevel"
"rateLimit"
"waf"

FirewallAccess Rules

List IP Access rules
GET/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules
Get an IP Access rule
GET/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules/{rule_id}
Create an IP Access rule
POST/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules
Update an IP Access rule
PATCH/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules/{rule_id}
Delete an IP Access rule
DELETE/{accounts_or_zones}/{account_or_zone_id}/firewall/access_rules/rules/{rule_id}
ModelsExpand Collapse
AccessRuleCIDRConfiguration = object { target, value }
target: optional "ip_range"

The configuration target. You must set the target to ip_range when specifying an IP address range in the rule.

value: optional string

The IP address range to match. You can only use prefix lengths /16 and /24 for IPv4 ranges, and prefix lengths /32, /48, and /64 for IPv6 ranges.

AccessRuleIPConfiguration = object { target, value }
target: optional "ip"

The configuration target. You must set the target to ip when specifying an IP address in the rule.

value: optional string

The IP address to match. This address will be compared to the IP address of incoming requests.

ASNConfiguration = object { target, value }
target: optional "asn"

The configuration target. You must set the target to asn when specifying an Autonomous System Number (ASN) in the rule.

value: optional string

The AS number to match.

CountryConfiguration = object { target, value }
target: optional "country"

The configuration target. You must set the target to country when specifying a country code in the rule.

value: optional string

The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to IP Access rules: Parameters.

IPV6Configuration = object { target, value }
target: optional "ip6"

The configuration target. You must set the target to ip6 when specifying an IPv6 address in the rule.

value: optional string

The IPv6 address to match.

AccessRuleListResponse = object { id, allowed_modes, configuration, 5 more }
id: string

The unique identifier of the IP Access rule.

maxLength32
allowed_modes: array of "block" or "challenge" or "whitelist" or 2 more

The available actions that a rule can apply to a matched request.

One of the following:
"block"
"challenge"
"whitelist"
"js_challenge"
"managed_challenge"
configuration: AccessRuleIPConfiguration { target, value } or IPV6Configuration { target, value } or AccessRuleCIDRConfiguration { target, value } or 2 more

The rule configuration.

One of the following:
AccessRuleIPConfiguration = object { target, value }
target: optional "ip"

The configuration target. You must set the target to ip when specifying an IP address in the rule.

value: optional string

The IP address to match. This address will be compared to the IP address of incoming requests.

IPV6Configuration = object { target, value }
target: optional "ip6"

The configuration target. You must set the target to ip6 when specifying an IPv6 address in the rule.

value: optional string

The IPv6 address to match.

AccessRuleCIDRConfiguration = object { target, value }
target: optional "ip_range"

The configuration target. You must set the target to ip_range when specifying an IP address range in the rule.

value: optional string

The IP address range to match. You can only use prefix lengths /16 and /24 for IPv4 ranges, and prefix lengths /32, /48, and /64 for IPv6 ranges.

ASNConfiguration = object { target, value }
target: optional "asn"

The configuration target. You must set the target to asn when specifying an Autonomous System Number (ASN) in the rule.

value: optional string

The AS number to match.

CountryConfiguration = object { target, value }
target: optional "country"

The configuration target. You must set the target to country when specifying a country code in the rule.

value: optional string

The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to IP Access rules: Parameters.

mode: "block" or "challenge" or "whitelist" or 2 more

The action to apply to a matched request.

One of the following:
"block"
"challenge"
"whitelist"
"js_challenge"
"managed_challenge"
created_on: optional string

The timestamp of when the rule was created.

formatdate-time
modified_on: optional string

The timestamp of when the rule was last modified.

formatdate-time
notes: optional string

An informative summary of the rule, typically used as a reminder or explanation.

scope: optional object { id, email, type }

All zones owned by the user will have the rule applied.

id: optional string

Defines an identifier.

maxLength32
email: optional string

The contact email address of the user.

maxLength90
type: optional "user" or "organization"

Defines the scope of the rule.

One of the following:
"user"
"organization"
AccessRuleGetResponse = object { id, allowed_modes, configuration, 5 more }
id: string

The unique identifier of the IP Access rule.

maxLength32
allowed_modes: array of "block" or "challenge" or "whitelist" or 2 more

The available actions that a rule can apply to a matched request.

One of the following:
"block"
"challenge"
"whitelist"
"js_challenge"
"managed_challenge"
configuration: AccessRuleIPConfiguration { target, value } or IPV6Configuration { target, value } or AccessRuleCIDRConfiguration { target, value } or 2 more

The rule configuration.

One of the following:
AccessRuleIPConfiguration = object { target, value }
target: optional "ip"

The configuration target. You must set the target to ip when specifying an IP address in the rule.

value: optional string

The IP address to match. This address will be compared to the IP address of incoming requests.

IPV6Configuration = object { target, value }
target: optional "ip6"

The configuration target. You must set the target to ip6 when specifying an IPv6 address in the rule.

value: optional string

The IPv6 address to match.

AccessRuleCIDRConfiguration = object { target, value }
target: optional "ip_range"

The configuration target. You must set the target to ip_range when specifying an IP address range in the rule.

value: optional string

The IP address range to match. You can only use prefix lengths /16 and /24 for IPv4 ranges, and prefix lengths /32, /48, and /64 for IPv6 ranges.

ASNConfiguration = object { target, value }
target: optional "asn"

The configuration target. You must set the target to asn when specifying an Autonomous System Number (ASN) in the rule.

value: optional string

The AS number to match.

CountryConfiguration = object { target, value }
target: optional "country"

The configuration target. You must set the target to country when specifying a country code in the rule.

value: optional string

The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to IP Access rules: Parameters.

mode: "block" or "challenge" or "whitelist" or 2 more

The action to apply to a matched request.

One of the following:
"block"
"challenge"
"whitelist"
"js_challenge"
"managed_challenge"
created_on: optional string

The timestamp of when the rule was created.

formatdate-time
modified_on: optional string

The timestamp of when the rule was last modified.

formatdate-time
notes: optional string

An informative summary of the rule, typically used as a reminder or explanation.

scope: optional object { id, email, type }

All zones owned by the user will have the rule applied.

id: optional string

Defines an identifier.

maxLength32
email: optional string

The contact email address of the user.

maxLength90
type: optional "user" or "organization"

Defines the scope of the rule.

One of the following:
"user"
"organization"
AccessRuleCreateResponse = object { id, allowed_modes, configuration, 5 more }
id: string

The unique identifier of the IP Access rule.

maxLength32
allowed_modes: array of "block" or "challenge" or "whitelist" or 2 more

The available actions that a rule can apply to a matched request.

One of the following:
"block"
"challenge"
"whitelist"
"js_challenge"
"managed_challenge"
configuration: AccessRuleIPConfiguration { target, value } or IPV6Configuration { target, value } or AccessRuleCIDRConfiguration { target, value } or 2 more

The rule configuration.

One of the following:
AccessRuleIPConfiguration = object { target, value }
target: optional "ip"

The configuration target. You must set the target to ip when specifying an IP address in the rule.

value: optional string

The IP address to match. This address will be compared to the IP address of incoming requests.

IPV6Configuration = object { target, value }
target: optional "ip6"

The configuration target. You must set the target to ip6 when specifying an IPv6 address in the rule.

value: optional string

The IPv6 address to match.

AccessRuleCIDRConfiguration = object { target, value }
target: optional "ip_range"

The configuration target. You must set the target to ip_range when specifying an IP address range in the rule.

value: optional string

The IP address range to match. You can only use prefix lengths /16 and /24 for IPv4 ranges, and prefix lengths /32, /48, and /64 for IPv6 ranges.

ASNConfiguration = object { target, value }
target: optional "asn"

The configuration target. You must set the target to asn when specifying an Autonomous System Number (ASN) in the rule.

value: optional string

The AS number to match.

CountryConfiguration = object { target, value }
target: optional "country"

The configuration target. You must set the target to country when specifying a country code in the rule.

value: optional string

The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to IP Access rules: Parameters.

mode: "block" or "challenge" or "whitelist" or 2 more

The action to apply to a matched request.

One of the following:
"block"
"challenge"
"whitelist"
"js_challenge"
"managed_challenge"
created_on: optional string

The timestamp of when the rule was created.

formatdate-time
modified_on: optional string

The timestamp of when the rule was last modified.

formatdate-time
notes: optional string

An informative summary of the rule, typically used as a reminder or explanation.

scope: optional object { id, email, type }

All zones owned by the user will have the rule applied.

id: optional string

Defines an identifier.

maxLength32
email: optional string

The contact email address of the user.

maxLength90
type: optional "user" or "organization"

Defines the scope of the rule.

One of the following:
"user"
"organization"
AccessRuleEditResponse = object { id, allowed_modes, configuration, 5 more }
id: string

The unique identifier of the IP Access rule.

maxLength32
allowed_modes: array of "block" or "challenge" or "whitelist" or 2 more

The available actions that a rule can apply to a matched request.

One of the following:
"block"
"challenge"
"whitelist"
"js_challenge"
"managed_challenge"
configuration: AccessRuleIPConfiguration { target, value } or IPV6Configuration { target, value } or AccessRuleCIDRConfiguration { target, value } or 2 more

The rule configuration.

One of the following:
AccessRuleIPConfiguration = object { target, value }
target: optional "ip"

The configuration target. You must set the target to ip when specifying an IP address in the rule.

value: optional string

The IP address to match. This address will be compared to the IP address of incoming requests.

IPV6Configuration = object { target, value }
target: optional "ip6"

The configuration target. You must set the target to ip6 when specifying an IPv6 address in the rule.

value: optional string

The IPv6 address to match.

AccessRuleCIDRConfiguration = object { target, value }
target: optional "ip_range"

The configuration target. You must set the target to ip_range when specifying an IP address range in the rule.

value: optional string

The IP address range to match. You can only use prefix lengths /16 and /24 for IPv4 ranges, and prefix lengths /32, /48, and /64 for IPv6 ranges.

ASNConfiguration = object { target, value }
target: optional "asn"

The configuration target. You must set the target to asn when specifying an Autonomous System Number (ASN) in the rule.

value: optional string

The AS number to match.

CountryConfiguration = object { target, value }
target: optional "country"

The configuration target. You must set the target to country when specifying a country code in the rule.

value: optional string

The two-letter ISO-3166-1 alpha-2 code to match. For more information, refer to IP Access rules: Parameters.

mode: "block" or "challenge" or "whitelist" or 2 more

The action to apply to a matched request.

One of the following:
"block"
"challenge"
"whitelist"
"js_challenge"
"managed_challenge"
created_on: optional string

The timestamp of when the rule was created.

formatdate-time
modified_on: optional string

The timestamp of when the rule was last modified.

formatdate-time
notes: optional string

An informative summary of the rule, typically used as a reminder or explanation.

scope: optional object { id, email, type }

All zones owned by the user will have the rule applied.

id: optional string

Defines an identifier.

maxLength32
email: optional string

The contact email address of the user.

maxLength90
type: optional "user" or "organization"

Defines the scope of the rule.

One of the following:
"user"
"organization"
AccessRuleDeleteResponse = object { id }
id: string

Defines an identifier.

maxLength32

FirewallUA Rules

List User Agent Blocking rules
GET/zones/{zone_id}/firewall/ua_rules
Get a User Agent Blocking rule
GET/zones/{zone_id}/firewall/ua_rules/{ua_rule_id}
Create a User Agent Blocking rule
POST/zones/{zone_id}/firewall/ua_rules
Update a User Agent Blocking rule
PUT/zones/{zone_id}/firewall/ua_rules/{ua_rule_id}
Delete a User Agent Blocking rule
DELETE/zones/{zone_id}/firewall/ua_rules/{ua_rule_id}
ModelsExpand Collapse
UARuleListResponse = object { id, configuration, description, 2 more }
id: optional string

The unique identifier of the User Agent Blocking rule.

maxLength32
configuration: optional object { target, value }

The configuration object for the current rule.

target: optional string

The configuration target for this rule. You must set the target to ua for User Agent Blocking rules.

value: optional string

The exact user agent string to match. This value will be compared to the received User-Agent HTTP header value.

description: optional string

An informative summary of the rule.

maxLength1024
mode: optional "block" or "challenge" or "js_challenge" or "managed_challenge"

The action to apply to a matched request.

maxLength12
One of the following:
"block"
"challenge"
"js_challenge"
"managed_challenge"
paused: optional boolean

When true, indicates that the rule is currently paused.

UARuleGetResponse = object { id, configuration, description, 2 more }
id: optional string

The unique identifier of the User Agent Blocking rule.

maxLength32
configuration: optional object { target, value }

The configuration object for the current rule.

target: optional string

The configuration target for this rule. You must set the target to ua for User Agent Blocking rules.

value: optional string

The exact user agent string to match. This value will be compared to the received User-Agent HTTP header value.

description: optional string

An informative summary of the rule.

maxLength1024
mode: optional "block" or "challenge" or "js_challenge" or "managed_challenge"

The action to apply to a matched request.

maxLength12
One of the following:
"block"
"challenge"
"js_challenge"
"managed_challenge"
paused: optional boolean

When true, indicates that the rule is currently paused.

UARuleCreateResponse = object { id, configuration, description, 2 more }
id: optional string

The unique identifier of the User Agent Blocking rule.

maxLength32
configuration: optional object { target, value }

The configuration object for the current rule.

target: optional string

The configuration target for this rule. You must set the target to ua for User Agent Blocking rules.

value: optional string

The exact user agent string to match. This value will be compared to the received User-Agent HTTP header value.

description: optional string

An informative summary of the rule.

maxLength1024
mode: optional "block" or "challenge" or "js_challenge" or "managed_challenge"

The action to apply to a matched request.

maxLength12
One of the following:
"block"
"challenge"
"js_challenge"
"managed_challenge"
paused: optional boolean

When true, indicates that the rule is currently paused.

UARuleUpdateResponse = object { id, configuration, description, 2 more }
id: optional string

The unique identifier of the User Agent Blocking rule.

maxLength32
configuration: optional object { target, value }

The configuration object for the current rule.

target: optional string

The configuration target for this rule. You must set the target to ua for User Agent Blocking rules.

value: optional string

The exact user agent string to match. This value will be compared to the received User-Agent HTTP header value.

description: optional string

An informative summary of the rule.

maxLength1024
mode: optional "block" or "challenge" or "js_challenge" or "managed_challenge"

The action to apply to a matched request.

maxLength12
One of the following:
"block"
"challenge"
"js_challenge"
"managed_challenge"
paused: optional boolean

When true, indicates that the rule is currently paused.

UARuleDeleteResponse = object { id, configuration, description, 2 more }
id: optional string

The unique identifier of the User Agent Blocking rule.

maxLength32
configuration: optional object { target, value }

The configuration object for the current rule.

target: optional string

The configuration target for this rule. You must set the target to ua for User Agent Blocking rules.

value: optional string

The exact user agent string to match. This value will be compared to the received User-Agent HTTP header value.

description: optional string

An informative summary of the rule.

maxLength1024
mode: optional "block" or "challenge" or "js_challenge" or "managed_challenge"

The action to apply to a matched request.

maxLength12
One of the following:
"block"
"challenge"
"js_challenge"
"managed_challenge"
paused: optional boolean

When true, indicates that the rule is currently paused.

FirewallWAF

FirewallWAFOverrides

List WAF overrides
Deprecated
GET/zones/{zone_id}/firewall/waf/overrides
Get a WAF override
Deprecated
GET/zones/{zone_id}/firewall/waf/overrides/{overrides_id}
Create a WAF override
Deprecated
POST/zones/{zone_id}/firewall/waf/overrides
Update WAF override
Deprecated
PUT/zones/{zone_id}/firewall/waf/overrides/{overrides_id}
Delete a WAF override
Deprecated
DELETE/zones/{zone_id}/firewall/waf/overrides/{overrides_id}
ModelsExpand Collapse
Override = object { id, description, groups, 5 more }
id: optional string

The unique identifier of the WAF override.

maxLength32
description: optional string

An informative summary of the current URI-based WAF override.

maxLength1024
groups: optional map[unknown]

An object that allows you to enable or disable WAF rule groups for the current WAF override. Each key of this object must be the ID of a WAF rule group, and each value must be a valid WAF action (usually default or disable). When creating a new URI-based WAF override, you must provide a groups object or a rules object.

paused: optional boolean

When true, indicates that the rule is currently paused.

priority: optional number

The relative priority of the current URI-based WAF override when multiple overrides match a single URL. A lower number indicates higher priority. Higher priority overrides may overwrite values set by lower priority overrides.

maximum1000000000
minimum-1000000000
rewrite_action: optional RewriteAction { block, challenge, default, 2 more }

Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.

rules: optional WAFRule { , , , 2 more }

An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action. Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to. When creating a new URI-based WAF override, you must provide a groups object or a rules object.

urls: optional array of OverrideURL

The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

OverrideURL = string
RewriteAction = object { block, challenge, default, 2 more }

Specifies that, when a WAF rule matches, its configured action will be replaced by the action configured in this object.

block: optional "challenge" or "block" or "simulate" or 2 more

The WAF rule action to apply.

One of the following:
"challenge"
"block"
"simulate"
"disable"
"default"
challenge: optional "challenge" or "block" or "simulate" or 2 more

The WAF rule action to apply.

One of the following:
"challenge"
"block"
"simulate"
"disable"
"default"
default: optional "challenge" or "block" or "simulate" or 2 more

The WAF rule action to apply.

One of the following:
"challenge"
"block"
"simulate"
"disable"
"default"
disable: optional "challenge" or "block" or "simulate" or 2 more

The WAF rule action to apply.

One of the following:
"challenge"
"block"
"simulate"
"disable"
"default"
simulate: optional "challenge" or "block" or "simulate" or 2 more

The WAF rule action to apply.

One of the following:
"challenge"
"block"
"simulate"
"disable"
"default"
WAFRule = map["challenge" or "block" or "simulate" or 2 more]

An object that allows you to override the action of specific WAF rules. Each key of this object must be the ID of a WAF rule, and each value must be a valid WAF action. Unless you are disabling a rule, ensure that you also enable the rule group that this WAF rule belongs to. When creating a new URI-based WAF override, you must provide a groups object or a rules object.

One of the following:
"challenge"
"block"
"simulate"
"disable"
"default"
OverrideDeleteResponse = object { id }
id: optional string

The unique identifier of the WAF override.

maxLength32

FirewallWAFPackages

List WAF packages
Deprecated
GET/zones/{zone_id}/firewall/waf/packages
Get a WAF package
Deprecated
GET/zones/{zone_id}/firewall/waf/packages/{package_id}
ModelsExpand Collapse
PackageListResponse = unknown
PackageGetResponse = object { errors, messages, result, success } or object { result }
One of the following:
FirewallAPIResponseSingle = object { errors, messages, result, success }
errors: array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional object { pointer }
pointer: optional string
messages: array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional object { pointer }
pointer: optional string
result: unknown or string
One of the following:
unknown
string
success: true

Defines whether the API call was successful.

Result = object { result }
result: optional unknown

FirewallWAFPackagesGroups

List WAF rule groups
Deprecated
GET/zones/{zone_id}/firewall/waf/packages/{package_id}/groups
Get a WAF rule group
Deprecated
GET/zones/{zone_id}/firewall/waf/packages/{package_id}/groups/{group_id}
Update a WAF rule group
Deprecated
PATCH/zones/{zone_id}/firewall/waf/packages/{package_id}/groups/{group_id}
ModelsExpand Collapse
Group = object { id, description, mode, 5 more }
id: string

Defines the unique identifier of the rule group.

maxLength32
description: string

Defines an informative summary of what the rule group does.

mode: "on" or "off"

Defines the state of the rules contained in the rule group. When on, the rules in the group are configurable/usable.

One of the following:
"on"
"off"
name: string

Defines the name of the rule group.

rules_count: number

Defines the number of rules in the current rule group.

allowed_modes: optional array of "on" or "off"

Defines the available states for the rule group.

One of the following:
"on"
"off"
modified_rules_count: optional number

Defines the number of rules within the group that have been modified from their default configuration.

package_id: optional string

Defines the unique identifier of a WAF package.

maxLength32
GroupGetResponse = unknown or string
One of the following:
unknown
string
GroupEditResponse = unknown or string
One of the following:
unknown
string

FirewallWAFPackagesRules

List WAF rules
Deprecated
GET/zones/{zone_id}/firewall/waf/packages/{package_id}/rules
Get a WAF rule
Deprecated
GET/zones/{zone_id}/firewall/waf/packages/{package_id}/rules/{rule_id}
Update a WAF rule
Deprecated
PATCH/zones/{zone_id}/firewall/waf/packages/{package_id}/rules/{rule_id}
ModelsExpand Collapse
AllowedModesAnomaly = "on" or "off"

Defines the mode anomaly. When set to on, the current WAF rule will be used when evaluating the request. Applies to anomaly detection WAF rules.

One of the following:
"on"
"off"
WAFRuleGroup = object { id, name }

Defines the rule group to which the current WAF rule belongs.

id: optional string

Defines the unique identifier of the rule group.

maxLength32
name: optional string

Defines the name of the rule group.

RuleListResponse = object { id, allowed_modes, description, 4 more } or object { id, allowed_modes, default_mode, 5 more } or object { id, allowed_modes, description, 4 more }

When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.

One of the following:
WAFManagedRulesAnomalyRule = object { id, allowed_modes, description, 4 more }

When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.

id: string

Defines the unique identifier of the WAF rule.

maxLength32
allowed_modes: array of AllowedModesAnomaly

Defines the available modes for the current WAF rule. Applies to anomaly detection WAF rules.

One of the following:
"on"
"off"
description: string

Defines the public description of the WAF rule.

group: WAFRuleGroup { id, name }

Defines the rule group to which the current WAF rule belongs.

mode: AllowedModesAnomaly

Defines the mode anomaly. When set to on, the current WAF rule will be used when evaluating the request. Applies to anomaly detection WAF rules.

package_id: string

Defines the unique identifier of a WAF package.

maxLength32
priority: string

Defines the order in which the individual WAF rule is executed within its rule group.

WAFManagedRulesTraditionalDenyRule = object { id, allowed_modes, default_mode, 5 more }

When triggered, traditional WAF rules cause the firewall to immediately act upon the request based on the configuration of the rule. A 'deny' rule will immediately respond to the request based on the configured rule action/mode (for example, 'block') and no other rules will be processed.

id: string

Defines the unique identifier of the WAF rule.

maxLength32
allowed_modes: array of "default" or "disable" or "simulate" or 2 more

Defines the list of possible actions of the WAF rule when it is triggered.

One of the following:
"default"
"disable"
"simulate"
"block"
"challenge"
default_mode: "disable" or "simulate" or "block" or "challenge"

Defines the default action/mode of a rule.

One of the following:
"disable"
"simulate"
"block"
"challenge"
description: string

Defines the public description of the WAF rule.

group: WAFRuleGroup { id, name }

Defines the rule group to which the current WAF rule belongs.

mode: "default" or "disable" or "simulate" or 2 more

Defines the action that the current WAF rule will perform when triggered. Applies to traditional (deny) WAF rules.

One of the following:
"default"
"disable"
"simulate"
"block"
"challenge"
package_id: string

Defines the unique identifier of a WAF package.

maxLength32
priority: string

Defines the order in which the individual WAF rule is executed within its rule group.

WAFManagedRulesTraditionalAllowRule = object { id, allowed_modes, description, 4 more }

When triggered, traditional WAF rules cause the firewall to immediately act on the request based on the rule configuration. An 'allow' rule will immediately allow the request and no other rules will be processed.

id: string

Defines the unique identifier of the WAF rule.

maxLength32
allowed_modes: array of "on" or "off"

Defines the available modes for the current WAF rule.

One of the following:
"on"
"off"
description: string

Defines the public description of the WAF rule.

group: WAFRuleGroup { id, name }

Defines the rule group to which the current WAF rule belongs.

mode: "on" or "off"

When set to on, the current rule will be used when evaluating the request. Applies to traditional (allow) WAF rules.

One of the following:
"on"
"off"
package_id: string

Defines the unique identifier of a WAF package.

maxLength32
priority: string

Defines the order in which the individual WAF rule is executed within its rule group.

RuleGetResponse = unknown or string
One of the following:
unknown
string
RuleEditResponse = object { id, allowed_modes, description, 4 more } or object { id, allowed_modes, default_mode, 5 more } or object { id, allowed_modes, description, 4 more }

When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.

One of the following:
WAFManagedRulesAnomalyRule = object { id, allowed_modes, description, 4 more }

When triggered, anomaly detection WAF rules contribute to an overall threat score that will determine if a request is considered malicious. You can configure the total scoring threshold through the 'sensitivity' property of the WAF package.

id: string

Defines the unique identifier of the WAF rule.

maxLength32
allowed_modes: array of AllowedModesAnomaly

Defines the available modes for the current WAF rule. Applies to anomaly detection WAF rules.

One of the following:
"on"
"off"
description: string

Defines the public description of the WAF rule.

group: WAFRuleGroup { id, name }

Defines the rule group to which the current WAF rule belongs.

mode: AllowedModesAnomaly

Defines the mode anomaly. When set to on, the current WAF rule will be used when evaluating the request. Applies to anomaly detection WAF rules.

package_id: string

Defines the unique identifier of a WAF package.

maxLength32
priority: string

Defines the order in which the individual WAF rule is executed within its rule group.

WAFManagedRulesTraditionalDenyRule = object { id, allowed_modes, default_mode, 5 more }

When triggered, traditional WAF rules cause the firewall to immediately act upon the request based on the configuration of the rule. A 'deny' rule will immediately respond to the request based on the configured rule action/mode (for example, 'block') and no other rules will be processed.

id: string

Defines the unique identifier of the WAF rule.

maxLength32
allowed_modes: array of "default" or "disable" or "simulate" or 2 more

Defines the list of possible actions of the WAF rule when it is triggered.

One of the following:
"default"
"disable"
"simulate"
"block"
"challenge"
default_mode: "disable" or "simulate" or "block" or "challenge"

Defines the default action/mode of a rule.

One of the following:
"disable"
"simulate"
"block"
"challenge"
description: string

Defines the public description of the WAF rule.

group: WAFRuleGroup { id, name }

Defines the rule group to which the current WAF rule belongs.

mode: "default" or "disable" or "simulate" or 2 more

Defines the action that the current WAF rule will perform when triggered. Applies to traditional (deny) WAF rules.

One of the following:
"default"
"disable"
"simulate"
"block"
"challenge"
package_id: string

Defines the unique identifier of a WAF package.

maxLength32
priority: string

Defines the order in which the individual WAF rule is executed within its rule group.

WAFManagedRulesTraditionalAllowRule = object { id, allowed_modes, description, 4 more }

When triggered, traditional WAF rules cause the firewall to immediately act on the request based on the rule configuration. An 'allow' rule will immediately allow the request and no other rules will be processed.

id: string

Defines the unique identifier of the WAF rule.

maxLength32
allowed_modes: array of "on" or "off"

Defines the available modes for the current WAF rule.

One of the following:
"on"
"off"
description: string

Defines the public description of the WAF rule.

group: WAFRuleGroup { id, name }

Defines the rule group to which the current WAF rule belongs.

mode: "on" or "off"

When set to on, the current rule will be used when evaluating the request. Applies to traditional (allow) WAF rules.

One of the following:
"on"
"off"
package_id: string

Defines the unique identifier of a WAF package.

maxLength32
priority: string

Defines the order in which the individual WAF rule is executed within its rule group.