Priority/Order: Managed Rules vs Firewall Rules vs Tools

Hi guys,

I would like to know the priority set for the different firewall mechanisms to understand the order in which they are processed.


  • Managed Rules
    • Customer Requested Rules
    • Cloudflare Managed Ruleset
    • Package: OWASP ModSecurity Core Rule Set
  • Firewall Rules
  • Tools
    • IP Access Rules
    • User Agent Blocking
    • Zone Lockdown

I searched the Website, Learning Center, Support Center, Blog and Community, but I didn’t find this information.

Could you please clarify? Thanks in advance!

1 Like

Hi @dmz,

Not 100% on this, maybe someone else (@alexcf, @cloonan, @cscharff) can verify, but this is what I believe:

IP Access Rules
Firewall Rules
Zone Lockdown
User Agent Blocking
WAF

Not entirely sure where the various Managed Rules come in order!

1 Like

Hi @domjh,

Thank you very much for the quick response! :slight_smile:

I’ll just wait a bit before marking this answer as a solution in case any of the mentioned users rectify the information.

1 Like

No worries, of course! I hope they will (and if not, will nag!) :slightly_smiling_face:

Personally, I think this should be published somewhere and kept up to date… either here or on support… @cloonan, any plans / chance of this?

2 Likes

This is pretty much spot on :slight_smile: - Managed Rules happen in the WAF. The Cloudflare Managed Rulesets run before OWASP, then after that comes Cloudflare Workers.

5 Likes

Thank you @domjh and @alexcf for all the clarifications!

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.