Firewall events
The descriptions below detail the fields available for firewall_events.
| Field | Value | Type |
|---|---|---|
| Action | The code of the first-class action the Cloudflare Firewall took on this request. Possible actions are: unknown, allow, block, challenge, jschallenge, log, connectionclose, challengesolved, challengefailed, challengebypassed, jschallengesolved, jschallengefailed, jschallengebypassed, bypass, managedchallenge, managedchallengeskipped, managedchallengenoninteractivesolved, managedchallengeinteractivesolved, managedchallengebypassed | string |
| ClientASN | The ASN number of the visitor | int |
| ClientASNDescription | The ASN of the visitor as a string | string |
| ClientCountry | Country from which request originated | string |
| ClientIP | The visitor’s IP address (IPv4 or IPv6) | string |
| ClientIPClass | The classification of the visitor’s IP address. Possible values are: unknown, badHost, searchEngine, allowlist, monitoringService, noRecord, scan, tor | string |
| ClientRefererHost | The referer host | string |
| ClientRefererPath | The referer path requested by the visitor | string |
| ClientRefererQuery | The referer query string requested by the visitor | string |
| ClientRefererScheme | The referer URL scheme requested by the visitor | string |
| ClientRequestHost | The HTTP hostname requested by the visitor | string |
| ClientRequestMethod | The HTTP method used by the visitor | string |
| ClientRequestPath | The path requested by the visitor | string |
| ClientRequestProtocol | The version of HTTP protocol requested by the visitor | string |
| ClientRequestQuery | The query string requested by the visitor | string |
| ClientRequestScheme | The URL scheme requested by the visitor | string |
| ClientRequestUserAgent | Visitor’s user-agent string | string |
| Datetime | The date and time the event occurred at the edge | int or string |
| EdgeColoCode | The airport code of the Cloudflare datacenter that served this request | string |
| EdgeResponseStatus | HTTP response status code returned to browser | int |
| Kind | The kind of event. Currently the only possible value is: firewall | string |
| MatchIndex | Rules match index in the chain | int |
| Metadata | Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time | object |
| OriginResponseStatus | HTTP origin response status code returned to browser | int |
| OriginatorRayID | The RayID of the request that issued the challenge/jschallenge | string |
| RayID | The RayID of the request | string |
| RuleID | The Cloudflare security product-specific RuleID triggered by this request | string |
| Source | The Cloudflare security product triggered by this request. Possible sources are: unknown, asn, country, ip, iprange, securitylevel, zonelockdown, waf, firewallrules, uablock, ratelimit, bic, hot, l7ddos, validation, botfight, apishield, botmanagement, dlp, firewallmanaged, firewallcustom | string |
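
A triage sketch over these fields, added here as an example and not Cloudflare's own code: it pairs issued challenges with their solved outcomes through OriginatorRayID and normalizes the int-or-string Datetime. It assumes newline-delimited JSON records, integer timestamps in Unix seconds or nanoseconds, and RFC 3339 strings; the function names, sample records, IPs and RayIDs are constructed.

```python
import json
from datetime import datetime, timezone

# Action values from the table: a challenge was issued / a challenge was passed.
ISSUED = {"challenge", "jschallenge", "managedchallenge"}
SOLVED = {"challengesolved", "jschallengesolved",
          "managedchallengenoninteractivesolved",
          "managedchallengeinteractivesolved"}

# Constructed sample records (documentation-range IPs, made-up RayIDs).
SAMPLE = """\
{"Action":"managedchallenge","ClientIP":"203.0.113.7","Datetime":"2024-05-01T12:00:00Z","RayID":"aaaa000000000001"}
{"Action":"managedchallengeinteractivesolved","ClientIP":"203.0.113.7","Datetime":"2024-05-01T12:00:05Z","RayID":"aaaa000000000002","OriginatorRayID":"aaaa000000000001"}
{"Action":"jschallenge","ClientIP":"198.51.100.9","Datetime":1714564800,"RayID":"bbbb000000000001"}
{"Action":"jschallenge","ClientIP":"198.51.100.9","Datetime":1714564860000000000,"RayID":"bbbb000000000002"}
{"Action":"block","ClientIP":"198.51.100.9","Datetime":1714564900,"RayID":"bbbb000000000003"}
"""

def parse_datetime(value):
    """Datetime is typed 'int or string'; return a timezone-aware UTC datetime."""
    if isinstance(value, int):
        # Assumption: Unix seconds, or nanoseconds when far too large for seconds
        # (the sub-second part is dropped).
        seconds = value // 10**9 if value > 10**12 else value
        return datetime.fromtimestamp(seconds, tz=timezone.utc)
    # Assumption: strings are RFC 3339, e.g. 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def unsolved_challenges(ndjson_text):
    """Map ClientIP -> count and first-seen time of challenges never solved."""
    events = [json.loads(l) for l in ndjson_text.splitlines() if l.strip()]
    # RayIDs of issuing requests that some 'solved' event points back to.
    solved_origins = {e.get("OriginatorRayID") for e in events
                      if e.get("Action") in SOLVED}
    report = {}
    for e in events:
        if e.get("Action") in ISSUED and e.get("RayID") not in solved_origins:
            seen = parse_datetime(e["Datetime"])
            entry = report.setdefault(e.get("ClientIP"), {"count": 0, "first": seen})
            entry["count"] += 1
            entry["first"] = min(entry["first"], seen)
    return report

if __name__ == "__main__":
    print(unsolved_challenges(SAMPLE))
```

Clients that accumulate issued challenges without a matching solved event are candidates for closer review; the solved event can arrive in a later log batch, so run the pairing over a window wider than one file.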