
How to Understand Cloudflare WAF Evidence Collectors

Field definitions; strong compliance and security posture examples

Written by Annie Gregory
Updated over 3 weeks ago

Summary

Thoropass automatically collects Cloudflare Custom Security Rules (zone-level, phase: http_request_firewall_custom). This article helps you:

  1. Understand how to read the Cloudflare WAF rules collector output

  2. Evaluate your configuration using examples of strong security- and compliance-minded rules

1. How to Read and Understand the Cloudflare WAF Rules Collector

Each row in the collector corresponds to a Cloudflare Custom Security Rule and its associated filter.

Below are the exact field definitions, now with a third column explaining why each field matters for compliance and security posture.


Cloudflare WAF Collector Field Definitions

| Field Name | Field Definition | Compliance & Security Posture Implications |
| --- | --- | --- |
| Created On (Primary Time) | Timestamp when the firewall rule was created. | Establishes evidence of when protective controls were implemented and whether they existed during the audit period. |
| Last Modified On | Timestamp when the firewall rule was last updated. | Helps auditors confirm timely updates, change control discipline, and responsiveness to emerging threats. |
| Action | The action applied to requests matching the filter expression (for example: block, allow, challenge). | Demonstrates enforcement strength and whether rule behavior aligns with least-privilege access and secure defaults. |
| Rule Paused | Boolean indicating whether the firewall rule is currently inactive. | Indicates if protective controls are disabled, which may create exposure or require justification to auditors. |
| Filter Paused | Boolean indicating whether the associated filter is paused. | Shows whether the underlying match logic is active; paused filters can accidentally weaken security posture. |
| Rule Description | Human-readable description of the firewall rule. | Provides context and rationale, improving auditability and clarity of intent behind custom security controls. |
| Rule ID | Cloudflare-generated unique identifier of the firewall rule. | Ensures traceability between Cloudflare configuration, audit evidence, and change management artifacts. |
| Filter ID | Cloudflare-generated unique identifier of the filter used by the rule. | Supports clear lineage between the rule and the expression logic evaluated for each request. |
| Filter Expression | The match criteria, written in Cloudflare’s Rules language and evaluated against each request. | Shows the exact logic defining protection boundaries; critical for confirming least-privilege filtering and secure behavior. |
| Reference | User-defined external identifier/tag for the rule, unique within a ruleset. | Enables organizations to group, categorize, and trace controls to internal policies or ticketing systems. |
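The third column is easier to act on when it is turned into checks that run over the collector rows themselves. The Python below is an added example (not Thoropass or Cloudflare code) that flags paused rules and filters, missing descriptions and references, permissive actions, and timestamps that fall outside or go stale within the audit period; the row key names are an assumption and should be mapped to the real export's column names.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the collector fields described above.
# The key names are an assumption; map them to the real export's column names.
SAMPLE_ROWS = [
    {"rule_id": "rule-0001", "filter_id": "filt-0001", "ref": "SEC-POL-12",
     "created_on": "2023-11-02T09:00:00Z", "last_modified_on": "2024-05-14T12:00:00Z",
     "action": "block", "rule_paused": False, "filter_paused": False,
     "description": "Lock down admin UI to corporate/VPN ranges",
     "expression": 'http.request.uri.path starts_with "/admin" and ip.src not in $office_ips'},
    {"rule_id": "rule-0002", "filter_id": "filt-0002", "ref": "",
     "created_on": "2024-03-20T10:30:00Z", "last_modified_on": "2024-03-20T10:30:00Z",
     "action": "block", "rule_paused": True, "filter_paused": False,
     "description": "", "expression": "not ssl"},
    {"rule_id": "rule-0003", "filter_id": "filt-0003", "ref": "OPS-77",
     "created_on": "2022-01-05T08:00:00Z", "last_modified_on": "2022-01-05T08:00:00Z",
     "action": "skip", "rule_paused": False, "filter_paused": True,
     "description": "Health check passthrough", "expression": "ip.src in $healthcheck_ips"},
]

def _ts(value):
    """Parse an ISO-8601 timestamp with a 'Z' suffix into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def audit_rows(rows, period_start, period_end, max_age_days=365):
    """Return (rule_id, finding) pairs for the audit period period_start..period_end."""
    start, end = _ts(period_start), _ts(period_end)
    findings = []
    for row in rows:
        rid = row["rule_id"]
        if row["rule_paused"]:
            findings.append((rid, "rule paused: control is not being enforced"))
        if row["filter_paused"]:
            findings.append((rid, "filter paused: match logic is inactive"))
        if not row["description"].strip():
            findings.append((rid, "no description: intent is not auditable"))
        if not row["ref"]:
            findings.append((rid, "no reference: cannot trace to a policy or ticket"))
        if row["action"] in ("allow", "skip"):
            findings.append((rid, f"permissive action '{row['action']}': confirm the scope"))
        if _ts(row["created_on"]) > start:
            findings.append((rid, "created inside the audit period: coverage is partial"))
        if end - _ts(row["last_modified_on"]) > timedelta(days=max_age_days):
            findings.append((rid, f"not modified in {max_age_days}+ days: confirm it was reviewed"))
    return findings

if __name__ == "__main__":
    for rid, msg in audit_rows(SAMPLE_ROWS, "2024-01-01T00:00:00Z", "2024-12-31T23:59:59Z"):
        print(f"{rid}: {msg}")
```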


2. Examples of Strong Security and Compliance Posture

Below are examples of Cloudflare Custom Security Rules that demonstrate strong, auditor-aligned security posture. Rules differ by environment and business needs, but the patterns below commonly strengthen perimeter, authentication, and application-layer security.


Network & Access Control Hardening

| Objective | Example Rule Expression | Action | Security Posture Benefit |
| --- | --- | --- | --- |
| Lock down admin UI to corporate/VPN ranges | `http.request.uri.path starts_with "/admin" and ip.src not in $office_ips` | Block | Enforces least-privilege network access to sensitive interfaces. |
| Strict country allowlist for back office | `http.request.uri.path starts_with "/backoffice" and ip.geoip.country not in {"US","CA","GB"}` | Block | Reduces geographic exposure for internal tools and administrative systems. |
| Health check passthrough | `ip.src in $healthcheck_ips` | Skip | Avoids false positives while documenting controlled monitoring access. |


Authentication Surface Protection

| Objective | Example Rule Expression | Action | Security Posture Benefit |
| --- | --- | --- | --- |
| Enforce allowed HTTP method on login | `http.request.uri.path eq "/login" and http.request.method ne "POST"` | Block | Blocks unapproved request methods often used for brute-force or reconnaissance attacks. |
| Geo-hardening for login endpoints | `http.request.uri.path in {"/login","/reset-password"} and ip.geoip.country in {"CN","RU","KP"}` | Managed Challenge | Adds friction for high-risk geographies without blocking legitimate users. |
| User-agent hygiene controls | `http.request.uri.path in {"/login","/cart","/checkout"} and (lower(http.user_agent) contains "curl" or lower(http.user_agent) contains "python-requests")` | Managed Challenge | Reduces bot traffic and commodity exploit scripts. |
| Threat-score throttling on login | `http.request.uri.path eq "/login" and cf.threat_score gt 10` | Managed Challenge | Uses Cloudflare’s behavioral scoring to slow automated attack patterns. |


API Surface Controls

| Objective | Example Rule Expression | Action | Security Posture Benefit |
| --- | --- | --- | --- |
| Require session/cookie for private API routes | `http.request.uri.path starts_with "/api/private" and not (http.cookie contains "session=")` | Block | Ensures API traffic is authenticated before reaching sensitive backend services. |
| Host-header pinning | `http.host ne "app.example.com"` | Block | Prevents origin routing abuse and virtual-host bypass attacks. |


Injection & Exploit Noise Reduction

| Objective | Example Rule Expression | Action | Security Posture Benefit |
| --- | --- | --- | --- |
| Block basic SQL/JS injection probes | `lower(http.request.uri.query) contains "union select" or lower(http.request.uri.query) contains "<script"` | Block | Provides early rejection of common exploit payloads and reduces attack noise. |
| Block unused platform probes | `http.request.uri.path in {"/wp-login.php","/xmlrpc.php","/wp-admin/"}` | Block | Reduces bot traffic against platforms not deployed in your environment. |


Transport & Port Security

| Objective | Example Rule Expression | Action | Security Posture Benefit |
| --- | --- | --- | --- |
| Enforce HTTPS at the edge | `not ssl` | Block | Ensures unencrypted traffic is rejected before reaching the origin. |
| Block all ports except 80/443 | `cf.edge.server_port ne 80 and cf.edge.server_port ne 443` | Block | Demonstrates explicit perimeter hardening and port restriction. |
| Allow additional ports only when required (and scoped) | `cf.edge.server_port in {8443, 9443} and ip.src not in $office_ips` | Block | Documents tightly controlled exceptions that support operational needs while maintaining security boundaries. |
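One caveat the tables above do not show: Cloudflare evaluates custom rules in order, and a terminating action ends evaluation for that request, so the health-check Skip rule only exempts monitoring traffic if it is listed before the Block rules it is meant to bypass. The Python below is an added illustration (not Cloudflare's engine) in which lambdas stand in for three of the page's expressions, constructed IP sets stand in for `$office_ips` and `$healthcheck_ips`, and every action except `log` is modelled as terminating.

```python
# Constructed model of Cloudflare custom-rule evaluation: rules run in order and
# every action except "log" ends evaluation for that request. The lambdas stand
# in for the Rules-language expressions in the tables above; this is an added
# illustration, not Cloudflare's engine.
OFFICE_IPS = {"203.0.113.10"}        # constructed stand-in for $office_ips
HEALTHCHECK_IPS = {"198.51.100.7"}   # constructed stand-in for $healthcheck_ips

# (description, action, predicate) in the order the zone would evaluate them.
RULES = [
    ("Lock down admin UI", "block",
     lambda r: r["path"].startswith("/admin") and r["ip"] not in OFFICE_IPS),
    ("Enforce HTTPS at the edge", "block", lambda r: not r["ssl"]),
    ("Health check passthrough", "skip", lambda r: r["ip"] in HEALTHCHECK_IPS),
]

def evaluate(rules, request):
    """Return the action of the first matching terminating rule, or 'pass'."""
    for _name, action, matches in rules:
        if matches(request) and action != "log":
            return action
    return "pass"

def shadowed_exceptions(rules):
    """Names of skip rules placed after a block rule; they cannot exempt traffic from it."""
    seen_block = False
    shadowed = []
    for name, action, _matches in rules:
        if action == "block":
            seen_block = True
        elif action == "skip" and seen_block:
            shadowed.append(name)
    return shadowed

def exceptions_first(rules):
    """Stable reorder: skip rules ahead of enforcement rules, relative order otherwise kept."""
    return sorted(rules, key=lambda rule: 0 if rule[1] == "skip" else 1)

if __name__ == "__main__":
    # Constructed monitoring probe hitting an admin path from the health-check range.
    probe = {"path": "/admin/health", "ip": "198.51.100.7", "ssl": True}
    print("as listed:", evaluate(RULES, probe))                    # block
    print("shadowed:", shadowed_exceptions(RULES))
    print("reordered:", evaluate(exceptions_first(RULES), probe))  # skip
```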
