Cloudflare Docs
Firewall
Cloudflare Docs
Firewall Rules
Search icon (depiction of a magnifying glass)
GitHub icon
Visit Firewall Rules on GitHub
Set theme to dark (⇧+D)

Firewall rules actions

The action of a firewall rule tells Cloudflare how to handle HTTP requests that have matched the rule expression.

Supported actions

The table below lists the actions available in firewall rules. These actions are listed in order of precedence. If the same request matches two different rules which have the same priority, precedence determines the action to take.

For example, the Allow action takes precedence over the Block action. In a case where a request matches a rule with the Allow action and another with the Block action, precedence resolves the tie, and Cloudflare allows the request.

There are two exceptions to this behavior: the Log and Bypass actions. Unlike other actions, Log and Bypass do not terminate further evaluation within firewall rules. This means that if a request matches two different rules and one of those rules specifies the Log or Bypass action, the second action will be triggered instead, even though Log/Bypass has precedence.

ActionDescriptionOrder of precedence
Log

API value:
log
  • Records matching requests in the Cloudflare Logs.
  • Only available for Enterprise plans.
  • Recommended for validating rules before committing to a more severe action.
1
Bypass

API value:
bypass
  • Allows user to dynamically disable Cloudflare security features for a request.
  • Available to all plans.

  • Matching requests exempt from evaluation by a user-defined list containing one or more of the following Cloudflare security features:

    • User-agent Blocking
    • Browser Integrity Check
    • Hotlinking Protection
    • Security Level (IP Reputation)
    • Rate Limiting (previous version)
    • Zone Lockdown (PRO, BIZ, ENT)
    • WAF managed rules (previous version; PRO, BIZ, ENT)

    Notes:

  • Requests which match the Bypass action are still subject to evaluation (and thus a challenge or block) within Firewall Rules, based on the order of execution.
2
Allow

API value:
allow
  • Matching requests are exempt from challenge and block actions triggered by other firewall rules content.
  • The scope of the Allow action is limited to firewall rules; matching requests are not exempt from action by other Cloudflare security products such as Bot Fight Mode, IP Access Rules, and Managed Rulesets.
  • Matched requests will be mitigated if they are part of a DDoS attack.
3
Legacy CAPTCHA

API value:
challenge
  • This option is not recommended. Instead, choose Managed Challenge (Recommended), which issues CAPTCHAs only when necessary.
  • The client that made the request must pass a CAPTCHA challenge.
  • If successful, Cloudflare accepts the matched request; otherwise, it is blocked.
  • For additional information, refer to Notes about challenge actions.
4
Managed Challenge
(Recommended)

API value:
managed_challenge
  • Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet.
  • Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from the following actions based on specific criteria:
    • Show a non-interactive challenge page (similar to the current JS Challenge).
    • Present an invisible proof of work challenge to the browser.
    • Show a custom interactive challenge (such as click a button).
    • Show a CAPTCHA challenge.
  • For additional information, refer to Notes about challenge actions.
5
JS Challenge

API value:
js_challenge
  • Useful for ensuring that bots and spam cannot access the requested resource; browsers, however, are free to satisfy the challenge automatically.
  • The client that made the request must pass a Cloudflare JavaScript Challenge before proceeding.
  • If successful, Cloudflare accepts the matched request; otherwise, it is blocked.
  • For additional information, refer to Notes about challenge actions.
6
Block

API value:
block		Matching requests are denied access to the site.7

Notes about challenge actions

When you configure a firewall rule with one of the challenge actions — Managed Challenge, JS Challenge, or Legacy CAPTCHA — and a request matches the rule, one of two things can happen:

  • The request is blocked if the visitor fails the challenge
  • The request is allowed if the visitor passes the challenge

In this last case, no further firewall rules will be processed. This means that the action of any later rules with a challenge or Block action also matching the request will not be applied, and the request will be allowed.