Priority/Order: Managed Rules vs Firewall Rules vs Tools

Hi guys,

I would like to know the priority set for the different firewall mechanisms to understand the order in which they are processed.

  • Managed Rules
    • Customer Requested Rules
    • Cloudflare Managed Ruleset
    • Package: OWASP ModSecurity Core Rule Set
  • Firewall Rules
  • Tools
    • IP Access Rules
    • User Agent Blocking
    • Zone Lockdown

I searched the Website, Learning Center, Support Center, Blog and Community, but I didn’t find this information.

Could you please clarify? Thanks in advance!


Hi @dmz,

Not 100% on this, maybe someone else (@alexcf, @cloonan, @cs-cf) can verify, but this is what I believe:

IP Access Rules
Firewall Rules
Zone Lockdown
User Agent Blocking

Not entirely sure where the various Managed Rules come in order!


Hi @domjh,

Thank you very much for the quick response! :slight_smile:

I’ll just wait a bit before marking this answer as a solution in case any of the mentioned users rectify the information.

1 Like

No worries, of course! I hope they will (and if not, will nag!) :slightly_smiling_face:

Personally, I think this should be published somewhere and kept up to date… either here or on support… @cloonan, any plans / chance of this?


This is pretty much spot on :slight_smile: - Managed Rules happen in the WAF. The Cloudflare Managed Rulesets run before OWASP, then after that comes Cloudflare Workers.


Thank you @domjh and @alexcf for all the clarifications!

1 Like