Deploy a Managed Ruleset with ruleset, tag, and rule overrides
Customize the execution of Managed Rulesets with a combination of ruleset overrides, tag overrides, and rule overrides in your phase entry point ruleset.
- Add a rule to a phase entry point ruleset to execute a Managed Ruleset.
- Configure a ruleset override that disables all rules in the Managed Ruleset.
- Configure a tag override that sets an action for rules with a given tag.
- Configure a rule override that sets an action for the rules you want to execute.
The request below uses the Update ruleset operation to execute the following in a single PUT request:
- Add a rule to the http_request_firewall_managed phase entry point ruleset that executes a Managed Ruleset.
- Use category overrides to enable rules with wordpress and drupal tags and set their actions to log.
- Add a rule override that enables a single rule.
Example: Execute a Managed Ruleset at the zone level with overrides
In this example:
- "id": "<MANAGED_RULESET_ID>" adds a rule to the http_request_firewall_managed phase entry point ruleset to execute a Managed Ruleset for requests addressed to a zone (<ZONE_ID>).
- "enabled": false defines an override at the ruleset level to disable all rules in the Managed Ruleset.
- "categories": [{"category": "wordpress", "action": "log", "enabled": true}, {"category": "drupal", "action": "log", "enabled": true}] defines an override at the tag level to enable rules tagged with wordpress or drupal and sets their action to log.
- "rules": [{"id": "<RULE_ID>", "action": "block", "enabled": true}] defines an override at the rule level that enables one individual rule and sets the action to block.
curl -X PUT \
  "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/rulesets/phases/http_request_firewall_managed/entrypoint" \
  -H "Authorization: Bearer <API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
  "rules": [
    {
      "action": "execute",
      "expression": "true",
      "action_parameters": {
        "id": "<MANAGED_RULESET_ID>",
        "overrides": {
          "enabled": false,
          "categories": [
            {
              "category": "wordpress",
              "action": "log",
              "enabled": true
            },
            {
              "category": "drupal",
              "action": "log",
              "enabled": true
            }
          ],
          "rules": [
            {
              "id": "<RULE_ID>",
              "action": "block",
              "enabled": true
            }
          ]
        }
      }
    }
  ]
}'
Example: Execute a Managed Ruleset at the account level with overrides
In this example:
- "id": "<MANAGED_RULESET_ID>" adds a rule to the http_request_firewall_managed phase entry point ruleset that executes a Managed Ruleset for requests addressed to example.com.
- "enabled": false defines an override at the ruleset level to disable all rules in the Managed Ruleset.
- "categories": [{"category": "wordpress", "action": "log", "enabled": true}, {"category": "drupal", "action": "log", "enabled": true}] defines an override at the tag level to enable rules tagged with wordpress or drupal and sets their action to log.
- "rules": [{"id": "<RULE_ID>", "action": "block", "enabled": true}] defines an override at the rule level that enables one individual rule and sets the action to block.
curl -X PUT \
  "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/rulesets/phases/http_request_firewall_managed/entrypoint" \
  -H "Authorization: Bearer <API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
  "rules": [
    {
      "action": "execute",
      "expression": "cf.zone.name eq \"example.com\"",
      "action_parameters": {
        "id": "<MANAGED_RULESET_ID>",
        "overrides": {
          "enabled": false,
          "categories": [
            {
              "category": "wordpress",
              "action": "log",
              "enabled": true
            },
            {
              "category": "drupal",
              "action": "log",
              "enabled": true
            }
          ],
          "rules": [
            {
              "id": "<RULE_ID>",
              "action": "block",
              "enabled": true
            }
          ]
        }
      }
    }
  ]
}'
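The following is an added example, not part of the original page or Cloudflare's own code: a local Python model of how the three override levels in the requests above combine, useful for reviewing which rules a payload leaves disabled before sending the PUT. It assumes the most specific override wins (rule over tag over ruleset); the rule IDs, tags and default actions in MANAGED_RULES are constructed sample data, and the function name is hypothetical.

```python
import json

# Constructed sample: the "overrides" object from the requests on this page,
# with the made-up ID "rule-c" standing in for <RULE_ID>.
OVERRIDES = json.loads("""
{
  "enabled": false,
  "categories": [
    {"category": "wordpress", "action": "log", "enabled": true},
    {"category": "drupal", "action": "log", "enabled": true}
  ],
  "rules": [{"id": "rule-c", "action": "block", "enabled": true}]
}
""")

# Constructed sample: a hypothetical Managed Ruleset with each rule's defaults.
MANAGED_RULES = [
    {"id": "rule-a", "categories": ["wordpress"], "action": "block", "enabled": True},
    {"id": "rule-b", "categories": ["drupal", "xss"], "action": "block", "enabled": False},
    {"id": "rule-c", "categories": ["sqli"], "action": "log", "enabled": True},
    {"id": "rule-d", "categories": ["joomla"], "action": "block", "enabled": True},
]


def effective_rules(rules, overrides):
    """Return {rule_id: (action, enabled)} after applying the overrides."""
    rule_overrides = {o["id"]: o for o in overrides.get("rules", [])}
    result = {}
    for rule in rules:
        state = {"action": rule["action"], "enabled": rule["enabled"]}
        # Layers from least to most specific (assumed precedence). Several
        # matching tag overrides are applied in listed order, also an assumption.
        layers = [overrides]  # ruleset level: top-level "action" / "enabled"
        layers += [c for c in overrides.get("categories", [])
                   if c["category"] in rule["categories"]]
        if rule["id"] in rule_overrides:
            layers.append(rule_overrides[rule["id"]])
        for layer in layers:
            for key in ("action", "enabled"):
                if key in layer:
                    state[key] = layer[key]
        result[rule["id"]] = (state["action"], state["enabled"])
    return result


if __name__ == "__main__":
    for rule_id, (action, enabled) in effective_rules(MANAGED_RULES, OVERRIDES).items():
        print(f"{rule_id}: action={action} enabled={enabled}")
```

In this sample, rule-d ends up disabled because only the ruleset-level override applies to it, which is the coverage gap to look for when a deployment starts from "enabled": false.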