Update Action on a WAF Custom Rule

We’ve set up some custom rules via the API, and we iterate through our enterprise list of domains to add or update them. These were created in what is currently labeled as WAF Custom Rules under Security in the control panel.


We can update the specific rules expressions with this endpoint:

with data comprised of: id (filter id), expression, and description. But we can’t update the action to “block” with this method.

I can’t figure out which endpoint to use and how to construct the call to simply change the action of this custom rule from js_challenge to block. If someone can point me to how to construct a single example from an existing rule to update the action, I can figure it all out to iterate through my whole account. However, I’m not sure if it’s terminology that changed, or something else I’m missing in the documentation that can allow this.


It sounds like this API call:


p.s. My cheater method for figuring this out is to open a browser’s Dev Tools, then watch the requests as you make those changes. There’s bound to be one that goes to an API endpoint. Not always, but usually.

Thanks for your help on this. It’s a good suggestion on watching the Dev Tools. But the API call you provided isn’t the correct one I need for this. That one seems to update the Managed Rulesets by Cloudflare, as I did a List Zone Rulesets and it returns just the Rulesets for Bot Fight Mode, Exposed Credential Check, Log4J Ruleset, etc. Not the WAF Custom Rules I’ve created.

And then the WAF Rules API calls seem to be related to the previous version of WAF Managed Rules.

So as I’ve created these via the API, I am pretty sure we are using “Filters” as referenced in the above API call I originally used. I am able to list these managed rules and find the Filter ID I’m trying to update. But from there, none of the other Filter API calls seem to work:

I’ve tried sending an action “block” using this update filter call, but it doesn’t work. This is what it returns:
“message”: “Filter parsing error (1:1):\n\n^ expected identifier character\n”,

I’m wondering about your method of dev tools to find the API call. Can you tell me more about what you’re looking for … in network or console? I wasn’t able to see a specific API call, or may not know what to look for.


I don’t think it’s filter. I have a script that updates a Custom Rule’s Expression, and it’s a PUT to this:


It doesn’t include the Action.

I’m looking in Network. I usually have Preserve Log enabled, then clear the log before I click Save for the rule. Then look at each of the requests (usually a POST or PATCH), and their Request payloads. Mine showed a PATCH to the URL I posted earlier, with this payload:

Yeah you’re right. And thanks for the tip on finding the API call.
It seems that it requires the expression to be sent as well as the action. I was hoping to just update the action, but I’ll need to get the expression from the rule first to then replicate it in the updated call.
I’ve tested that singularly and it works. So now I’ll need to work on cycling through all our domains in our account and getting the ruleset id, rule id, and expression. :sweat_smile:

thanks for your help
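
The procedure the thread arrives at (read each rule's current expression, then send it back together with the new action), as an added example that is not from any poster in this topic. The thread does not show the endpoint URLs; this sketch assumes the Cloudflare Rulesets API entry point for the `http_request_firewall_custom` phase and its per-rule PATCH endpoint, and the zone ID, token, and sample ruleset are constructed placeholders.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_custom"  # assumed phase holding WAF custom rules

def plan_action_updates(zone_id, ruleset, old_action="js_challenge", new_action="block"):
    """Build one (url, body) PATCH per rule whose action equals old_action.

    The existing expression is copied into the body because, as the thread
    found, the update is rejected when only the action is sent.
    """
    plans = []
    for rule in ruleset.get("rules", []):
        if rule.get("action") != old_action:
            continue  # leave rules with any other action untouched
        body = {
            "action": new_action,
            "expression": rule["expression"],
            "description": rule.get("description", ""),
            "enabled": rule.get("enabled", True),
        }
        url = f"{API}/zones/{zone_id}/rulesets/{ruleset['id']}/rules/{rule['id']}"
        plans.append((url, body))
    return plans

def call(method, url, token, body=None):
    """Send one authenticated API request and return its 'result' field."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, method=method, data=data, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]

def update_zone(zone_id, token):
    """Fetch the zone's custom-rule ruleset, then apply every planned PATCH."""
    ruleset = call("GET", f"{API}/zones/{zone_id}/rulesets/phases/{PHASE}/entrypoint", token)
    return [call("PATCH", url, token, body)
            for url, body in plan_action_updates(zone_id, ruleset)]

# Constructed sample of an entry point ruleset, used to dry-run the planner offline.
SAMPLE_RULESET = {"id": "RULESET_ID_PLACEHOLDER", "rules": [
    {"id": "RULE_A", "action": "js_challenge", "enabled": True,
     "expression": '(http.request.uri.path contains "/wp-login.php")',
     "description": "challenge login"},
    {"id": "RULE_B", "action": "block", "enabled": True,
     "expression": '(http.request.uri.path eq "/xmlrpc.php")',
     "description": "already blocking"},
]}
```

Printing the output of `plan_action_updates` for each zone before calling `update_zone` gives a reviewable list of exactly which rules will move to block.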
