---
title: Managed rulesets
pcx_content_type: concept
sidebar:
  order: 4
---

import { Render, Tabs, TabItem, Details, APIRequest } from "~/components";

:::note
This feature requires an Enterprise plan.
:::

## Account-level deployment

At the zone level, each WAF managed ruleset can only be deployed once. At the account level, you can deploy each managed ruleset more than once. This allows you to apply the same ruleset with different configurations to different subsets of incoming traffic across the Enterprise zones in your account.

For example, you could deploy the Cloudflare OWASP Core Ruleset multiple times with different paranoia levels and a different action (Managed Challenge action for PL3 and Log action for PL4). Higher paranoia levels enable additional rules that are more likely to produce false positives.

Details

The following example deploys the Cloudflare OWASP Core Ruleset multiple times at the account level through the following execute rules:

  • First execute rule: Enable OWASP rules up to paranoia level 3 (PL3) and set the action to Managed Challenge.
  • Second execute rule: Enable OWASP rules up to PL4 and set the action to Log.

This configuration gives you additional protection by enabling PL3 rules, but without blocking the requests, since higher paranoia levels are more prone to false positives.

The second rule logs any matches for PL4 rules, the strictest set of rules in the ruleset, so that it does not affect live traffic. You can use this configuration to understand which traffic would be affected by PL4 rules before enforcing them.

  1. Deploy the Cloudflare OWASP Core Ruleset by following the dashboard instructions, customizing the ruleset behavior using these settings:

    • OWASP Anomaly Score Threshold: Medium - 40 and higher
    • OWASP Paranoia Level: PL3
    • OWASP Action: Managed Challenge
  2. Select Deploy.

  3. Repeat the deployment procedure for the OWASP ruleset, but with the following ruleset configuration:

    • OWASP Anomaly Score Threshold: Medium - 40 and higher
    • OWASP Paranoia Level: PL4
    • OWASP Action: Log

Once you finish your configuration, the Deployed managed rulesets list will show two Execute rules for the Cloudflare OWASP Core Ruleset.

The following POST request for the Create an account ruleset operation creates an entry point ruleset for the http_request_firewall_managed phase at the account level. The ruleset includes two rules deploying the Cloudflare OWASP Core Ruleset twice with different configurations.

<APIRequest
  path="/accounts/{account_id}/rulesets"
  method="POST"
  json={{
    name: "My ruleset",
    description: "Entry point ruleset for WAF managed rulesets (account)",
    kind: "root",
    phase: "http_request_firewall_managed",
    rules: [
      {
        action: "execute",
        action_parameters: {
          id: "4814384a9e5d4991b9815dcfc25d2f1f",
          overrides: {
            categories: [
              {
                category: "paranoia-level-4",
                enabled: false,
              },
            ],
            rules: [
              {
                id: "6179ae15870a4bb7b2d480d4843b323c",
                action: "managed_challenge",
              },
            ],
          },
        },
        expression: 'cf.zone.plan eq "ENT"',
        description: "Execute OWASP ruleset at PL3 with Managed Challenge action",
      },
      {
        action: "execute",
        action_parameters: {
          id: "4814384a9e5d4991b9815dcfc25d2f1f",
          overrides: {
            rules: [
              {
                id: "6179ae15870a4bb7b2d480d4843b323c",
                action: "log",
              },
            ],
          },
        },
        expression: 'cf.zone.plan eq "ENT"',
        description: "Execute OWASP ruleset at PL4 with Log action",
      },
    ],
  }}
  roles="account"
/>
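The request above hard-codes the two rules. The following added example (not part of Cloudflare's documentation or API client) generates the same entry point ruleset for any paranoia level and reads the effective level back out of a rule, which is useful when auditing a ruleset fetched from the API. It generalizes what the request shows, assuming that a paranoia level is selected by disabling every higher `paranoia-level-N` category, and the `ALLOWED_ACTIONS` set is an assumption about which actions the scoring rule accepts.

```python
"""Build and audit account-level execute rules for the Cloudflare OWASP Core Ruleset."""
import json

OWASP_RULESET_ID = "4814384a9e5d4991b9815dcfc25d2f1f"       # ruleset ID from the page
OWASP_SCORING_RULE_ID = "6179ae15870a4bb7b2d480d4843b323c"  # scoring rule ID from the page
# Assumption: WAF managed-rule actions the scoring rule override accepts.
ALLOWED_ACTIONS = {"block", "managed_challenge", "challenge", "js_challenge", "log"}


def owasp_execute_rule(paranoia_level: int, action: str,
                       expression: str = 'cf.zone.plan eq "ENT"') -> dict:
    """Return one execute rule enabling OWASP rules up to paranoia_level.

    All paranoia-level categories are active when deployed without overrides,
    so PL n is selected by disabling categories n+1 .. 4 (assumed generalization
    of the page's PL3 rule, which disables only paranoia-level-4).
    """
    if not 1 <= paranoia_level <= 4:
        raise ValueError("paranoia level must be between 1 and 4")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    overrides = {"rules": [{"id": OWASP_SCORING_RULE_ID, "action": action}]}
    disabled = [{"category": f"paranoia-level-{pl}", "enabled": False}
                for pl in range(paranoia_level + 1, 5)]
    if disabled:
        overrides = {"categories": disabled, **overrides}
    return {
        "action": "execute",
        "action_parameters": {"id": OWASP_RULESET_ID, "overrides": overrides},
        "expression": expression,
        "description": f"Execute OWASP ruleset at PL{paranoia_level} with {action} action",
    }


def effective_paranoia_level(rule: dict) -> int:
    """Audit helper: the level a rule enforces is one below the lowest disabled category."""
    categories = rule["action_parameters"].get("overrides", {}).get("categories", [])
    disabled = {int(c["category"].rsplit("-", 1)[1]) for c in categories
                if c["category"].startswith("paranoia-level-") and c.get("enabled") is False}
    return min(disabled, default=5) - 1


def staged_paranoia_deployment() -> dict:
    """The page's configuration: PL3 with Managed Challenge, then PL4 with Log only."""
    return {"name": "My ruleset",
            "description": "Entry point ruleset for WAF managed rulesets (account)",
            "kind": "root", "phase": "http_request_firewall_managed",
            "rules": [owasp_execute_rule(3, "managed_challenge"), owasp_execute_rule(4, "log")]}


if __name__ == "__main__":
    print(json.dumps(staged_paranoia_deployment(), indent=2))  # body for the POST above
```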

<Render
  file="managed-ruleset-config-options"
  product="waf"
  params={{
    overridesUrl: "/waf/account/managed-rulesets/deploy-dashboard/#configure-a-managed-ruleset",
  }}
/>