Number of WAF Firewall Rules allowed on free accounts?

I received an email from Cloudflare saying “Our systems indicate that you have exceeded the number of Firewall Rules available on your current Cloudflare plan(s).”

I’m using the free plan. I have multiple domains on the account, but none of them (including the one referenced in the email) have more than 5 out of 5 allowable active WAF rules.

I do have more rules on some domains that are NOT active – is that the issue? (Is there a limit on the number of total rules, not the number of ACTIVE rules as the information on the WAF screen seems to indicate?)

If not, what am I missing/how do I fix this?


(I searched but couldn’t find anything about this.)


I’ve just had the same message

Free account only lets you create 5 active rules so it would be impossible to do this

Only thing I can see is they are now possibly counting inactive rules as well?

1 Like

Maybe. But it only referenced one of my domains – and I have others with more than 5 rules total (but most (if not all) with less than 5 active).

Do you have more than one domain? Did you get notification about this for just one of them?

1 Like

Yes, 20+ domains, almost all have 5 active plus multiple inactive, only got message about one domain

I’ve got the same issue too on the Pro plan. Only using 11 of 20 rules on a single domain so it shouldn’t have triggered anything

The new Custom Rules counts both inactive + active. You should have already been migrated if not for having more then the limit: Firewall rules are becoming custom rules · Cloudflare Web Application Firewall (WAF) docs

  • Cloudflare already migrated all zones in Free, Professional, and Business plans. However, the automated migration failed for zones with more firewall rules than the ones allowed in the zone plan. If your zone is in this situation, delete any extra firewall rules you may have. Cloudflare will try to migrate the zone again in the near future. Both your current quota and the quota included in your plan are displayed in the Cloudflare dashboard in Security > WAF > Firewall rules.

I’m guessing the email is in context to that. Did it say anything more?


Thanks @Chaika. Is the new Custom Rules count limit (inactive + active) listed somewhere?

A few of the domains have a Custom Rules tab instead of Firewall Rules, but most still have Firewall Rules. The language I’m seeing still just refers to active rules (“You have used 4 of 5 active Firewall rules.”) For the 2 sites that now show a Custom Rules tab, neither one has any rules set up yet. They say " You have used 0 out of 5 available rules.")

I didn’t get anything about migration.

This was the content from the email:


Our systems indicate that you have exceeded the number of Firewall Rules available on your current Cloudflare plan(s). The following domains are impacted:


While we understand this may have been an oversight, you must take action to maintain all of your existing Firewall Rules.

What actions can I take?

Delete WAF Firewall Rules so that the number of rules is within the allocation for your Cloudflare plan.

Upgrade your plan(s) to increase the number of Firewall Rules you can maintain for your site or application. As reminder, plans include the following number of Firewall Rules:

   Free: 5
   Pro: 20
   Business: 100
   Enterprise: 1,000

What happens if I do nothing?

Firewall Rules exceeding the quota assigned to your plan will be turned off and deleted automatically after January 31, 2024. We will select the rules with the lowest priority to be deleted. For example, if you have a domain on the Free plan with 7 Firewall Rules, the last 2 rules will be removed.

How long do I have?

You have until January 31, 2024. After this date Firewall Rules that exceed your plan limit will be removed starting with the lowest priority rules until the number of rules meets the limit of your plan.

Please note that if you choose to take action, you will need to do so for each affected domain. If you have questions, please visit the Cloudflare Community.

Nothing about migration or active vs inactive, but I’ll remove the ones beyond 5 total and see how that goes.


1 Like

Hey Community.

Support is aware of this email sent, and it is as @Chaika mentioned, related to the migration of the FW rules to Custom (FW) Rules.

We are still assessing the impact, but based on the few Pro/Biz tickets seen so far, it should not impact your current entitlements if you are within the limit.

I will update more information when I get, but please direct any new threads related to this WAF rules here.

Thank you @Chaika and all other MVPs helping out as usual.

Let’s keep Gotham cit… I mean Cloudflare Community safe Team.



Thanks @oshariff. When you have the update, would you please confirm if both the active and inactive custom rules now count toward the limit?

As mentioned a couple posts up, WAF Custom Rules count active and inactive.

I have 5 WAF rules:

And I received the following email today:

Seams, that my position is under attack by Cloudflare bots, I need reinforcements from the community or CF stuff to clarify the situation.

Do you copy?

I received the same email; I’m on a Pro plan with 5/20 rules active. I think something went wrong at Cloudflare today and they sent out this message in error?

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.