diff --git a/public/__redirects b/public/__redirects
index ee0b4b347135af..765ac0a71a3d47 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -1281,7 +1281,7 @@
/support/account-management-billing/billing-cloudflare-add-on-services/ /billing/usage-based-billing/ 301
/support/cloudflare-client-api/ /fundamentals/api/ 301
/support/firewall/learn-more/understanding-cloudflare-tor-support-and-onion-routing/ /network/onion-routing/ 301
-/support/firewall/managed-rules-web-application-firewall-waf/migrating-from-waf-managed-rules-to-waf-managed-rulesets/ /waf/reference/migration-guides/waf-managed-rules-migration/ 301
+/support/firewall/managed-rules-web-application-firewall-waf/migrating-from-waf-managed-rules-to-waf-managed-rulesets/ /waf/reference/legacy/old-waf-managed-rules/upgrade/ 301
/support/firewall/tools/understanding-cloudflare-zone-lockdown/ /waf/tools/zone-lockdown/ 301
/support/firewall/tools/understanding-cloudflare-user-agent-blocking/ /waf/tools/user-agent-blocking/ 301
/support/more-dashboard-apps/cloudflare-apps/installing-cloudflare-apps/ /workers/ 301
@@ -1492,6 +1492,10 @@
/waf/analytics/security-events/additional-information/ /waf/tools/validation-checks/ 301
/waf/reference/cloudflare-challenges/ /cloudflare-challenges/ 301
/waf/tools/challenge-passage/ /cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage 301
+/waf/reference/migration-guides/ /waf/reference/legacy/ 301
+/waf/reference/migration-guides/old-rate-limiting-deprecation/ /waf/reference/legacy/old-rate-limiting/upgrade/ 301
+/waf/reference/migration-guides/waf-managed-rules-migration/ /waf/reference/legacy/old-waf-managed-rules/upgrade/ 301
+/waf/reference/migration-guides/firewall-rules-to-custom-rules/ /waf/reference/legacy/firewall-rules-upgrade/ 301
# waiting-room
/waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301
diff --git a/src/assets/images/waf/reference/rate-limiting-both-versions.png b/src/assets/images/waf/reference/rate-limiting-both-versions.png
deleted file mode 100644
index d63b2e93b10f8f..00000000000000
Binary files a/src/assets/images/waf/reference/rate-limiting-both-versions.png and /dev/null differ
diff --git a/src/assets/images/waf/reference/rate-limiting-compare-creation-page.png b/src/assets/images/waf/reference/rate-limiting-compare-creation-page.png
deleted file mode 100644
index 34e1c3428297ef..00000000000000
Binary files a/src/assets/images/waf/reference/rate-limiting-compare-creation-page.png and /dev/null differ
diff --git a/src/assets/images/waf/reference/rate-limiting-rules-upgrade-ui.png b/src/assets/images/waf/reference/rate-limiting-rules-upgrade-ui.png
new file mode 100644
index 00000000000000..f1d44dc3eacdd2
Binary files /dev/null and b/src/assets/images/waf/reference/rate-limiting-rules-upgrade-ui.png differ
diff --git a/src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx b/src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx
index 8d7c6935dc6d72..3ac181ae5ce05f 100644
--- a/src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx
+++ b/src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx
@@ -37,7 +37,7 @@ Yandex updates their bots very frequently, you may see more false positives whil
- Create an [exception](/waf/managed-rules/waf-exceptions/) to temporarily skip the managed rule with ID when a request is coming from the **Yandex IP** and the user-agent contains **Yandex.**
- Create a [WAF custom rule with the _Skip_ action](/waf/custom-rules/skip/) to temporarily bypass WAF Managed Rules when a request is coming from the **Yandex IP** and the user-agent contains **Yandex.**
-If you are using the legacy WAF managed rules ([now deprecated](/waf/reference/migration-guides/waf-managed-rules-migration/)), disable the WAF managed rule with ID `100203` temporarily.
+If you are using the [legacy WAF managed rules](/waf/reference/legacy/old-waf-managed-rules/), disable the WAF managed rule with ID `100203` temporarily.
**Solution:**
diff --git a/src/content/docs/rules/reference/page-rules-migration.mdx b/src/content/docs/rules/reference/page-rules-migration.mdx
index ce2b68023c752b..20a9076c69612e 100644
--- a/src/content/docs/rules/reference/page-rules-migration.mdx
+++ b/src/content/docs/rules/reference/page-rules-migration.mdx
@@ -729,7 +729,7 @@ This setting turned off a subset of Cloudflare security features: Email Obfuscat
4. If your tests succeed, delete the existing Page Rule.
:::caution
-If you are still using WAF managed rules (previous version) or Rate Limiting (previous version), consider migrating to the new versions of these products. It is not possible to turn off these older products using modern Rules features. Refer to the [WAF's migration guides](/waf/reference/migration-guides/) for more information.
+If you are still using [WAF managed rules (previous version)](/waf/reference/legacy/old-waf-managed-rules/) or [Rate Limiting (previous version)](/waf/reference/legacy/old-rate-limiting/), consider upgrading to the new versions of these products. It is not possible to turn off these older products using modern Rules features.
:::
diff --git a/src/content/docs/security-center/security-insights/index.mdx b/src/content/docs/security-center/security-insights/index.mdx
index b52adbb7ed5a37..2b7ee231a411d5 100644
--- a/src/content/docs/security-center/security-insights/index.mdx
+++ b/src/content/docs/security-center/security-insights/index.mdx
@@ -32,7 +32,7 @@ Listed below are the specific insights currently available:
| [Increased errors detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in errors. |
| [Increased latency detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in response latency. |
| [Managed Rules not deployed](/waf/managed-rules/reference/cloudflare-managed-ruleset/) | No managed rules deployed on a WAF protected domain. |
-| [Migrate to new Managed Rules](/waf/reference/migration-guides/waf-managed-rules-migration/) | Migration to new Managed Rules system required for optimal protection. |
+| [Upgrade to new Managed Rules](/waf/reference/legacy/old-waf-managed-rules/upgrade/) | Upgrade to new Managed Rules system required for optimal protection. |
| [Mixed-authentication API endpoints detected](/api-shield/management-and-monitoring/endpoint-labels/#managed-labels) | Not all of the successful requests against API endpoints carried session identifiers. |
| [New API endpoints detected](/api-shield/security/api-discovery/) | API Discovery detects new API endpoints in your zone's traffic. |
| [New CASB integrations found](/cloudflare-one/applications/casb/casb-integrations/) | New CASB integrations have been found. |
diff --git a/src/content/docs/version-management/index.mdx b/src/content/docs/version-management/index.mdx
index eef46aae30f60e..e419b3a2ad5210 100644
--- a/src/content/docs/version-management/index.mdx
+++ b/src/content/docs/version-management/index.mdx
@@ -43,7 +43,7 @@ To use Version Management, the following must all be true:
* Your zone is on an Enterprise plan.
* Your zone is in an [active](/dns/zone-setups/reference/domain-status/) state.
* Your zone uses [WAF managed rules](/waf/managed-rules/).
-* Your zone has migrated to use [Custom Rules](/waf/reference/migration-guides/firewall-rules-to-custom-rules/) instead of Firewall Rules (deprecated).
+* Your zone has migrated to use [custom rules](/waf/custom-rules/) instead of Firewall Rules (deprecated).
* Your account uses the [new WAF](https://blog.cloudflare.com/new-cloudflare-waf/) (if not, contact your account team).
* Your user account must have a Super Administrator or Administrator [role](/fundamentals/manage-members/roles/). **Zone Versioning** roles cannot create new versions.
* Your user account must have an API Key provisioned (if not, [view your API Key](/fundamentals/api/get-started/keys/#view-your-global-api-key)).
diff --git a/src/content/docs/waf/custom-rules/index.mdx b/src/content/docs/waf/custom-rules/index.mdx
index cb31cbf289eb30..5b8ae7245e0c77 100644
--- a/src/content/docs/waf/custom-rules/index.mdx
+++ b/src/content/docs/waf/custom-rules/index.mdx
@@ -11,9 +11,9 @@ import { Render, FeatureTable } from "~/components";
Custom rules are evaluated in order, and some actions like _Block_ will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/).
-:::note[Did you migrate from Cloudflare Firewall Rules?]
+:::note[Did you upgrade from Cloudflare Firewall Rules?]
-Refer to the [migration guide](/waf/reference/migration-guides/firewall-rules-to-custom-rules/#main-differences) to learn more about the differences between firewall rules and custom rules.
+Refer to the [upgrade guide](/waf/reference/legacy/firewall-rules-upgrade/#main-differences) to learn more about the differences between firewall rules and custom rules.
:::
To define sets of custom rules that apply to more than one zone, use [custom rulesets](/waf/account/custom-rulesets/), which require an Enterprise plan with a paid add-on.
diff --git a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
index 5622f24d0bd5cb..0ee6c406c0906c 100644
--- a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
@@ -1,11 +1,9 @@
---
-title: Best practices
+title: Rate limiting practices
pcx_content_type: configuration
sidebar:
order: 21
-head:
- - tag: title
- content: Rate limiting best practices
+ label: Best practices
---
import { Render } from "~/components";
diff --git a/src/content/docs/waf/reference/migration-guides/firewall-rules-to-custom-rules.mdx b/src/content/docs/waf/reference/legacy/firewall-rules-upgrade.mdx
similarity index 93%
rename from src/content/docs/waf/reference/migration-guides/firewall-rules-to-custom-rules.mdx
rename to src/content/docs/waf/reference/legacy/firewall-rules-upgrade.mdx
index f6baabf090c8a3..54c5f4ce435a1c 100644
--- a/src/content/docs/waf/reference/migration-guides/firewall-rules-to-custom-rules.mdx
+++ b/src/content/docs/waf/reference/legacy/firewall-rules-upgrade.mdx
@@ -1,11 +1,12 @@
---
-title: Firewall Rules to WAF custom rules migration
+title: Firewall rules upgrade
pcx_content_type: reference
sidebar:
- order: 2
+ order: 5
+ label: Firewall rules upgrade
---
-Cloudflare converted existing [firewall rules](/firewall/) into [WAF custom rules](/waf/custom-rules/). With custom rules, you get the same level of protection and a few additional features. Custom rules are available in the Cloudflare dashboard at **Security** > **WAF** > **Custom rules**.
+Cloudflare upgraded existing [firewall rules](/firewall/) into [WAF custom rules](/waf/custom-rules/). With custom rules, you get the same level of protection and a few additional features. Custom rules are available in the Cloudflare dashboard at **Security** > **WAF** > **Custom rules**.
:::caution[Deprecation notice]
@@ -13,7 +14,7 @@ Cloudflare converted existing [firewall rules](/firewall/) into [WAF custom rule
On 2025-06-15, the APIs and resources mentioned above will stop working. Any remaining active firewall rules will be disabled, and the **Firewall rules** tab in the dashboard will be removed.
-If you have not migrated to WAF custom rules yet, you may have some invalid configuration that prevents the migration from happening. In this case, contact your account team to get help with the migration to WAF custom rules.
+If you have not upgraded to WAF custom rules yet, you may have some invalid configuration that prevents the upgrade from happening. In this case, contact your account team to get help with the upgrade to WAF custom rules.
:::
@@ -76,7 +77,6 @@ With the _Skip_ action you can do the following:
You can also select whether you want to log events matching the custom rule with the _Skip_ action or not. This is especially useful when creating a positive security model to avoid logging large amounts of legitimate traffic.
:::note
-
The Firewall Rules API does not support the _Skip_ action. When you create a custom rule with _Skip_ action, it is translated to _Allow_ and _Bypass_ in the Firewall Rules API. You must use the [Rulesets API](/waf/custom-rules/skip/api-examples/) to fully use the new _Skip_ action functionality.
:::
@@ -99,7 +99,6 @@ In contrast, if you create two custom rules where both rules match an incoming r
The request would be blocked, since custom rules are evaluated in order and the _Block_ action will stop the evaluation of other rules.
:::note
-
For the custom rules converted from your existing firewall rules, Cloudflare will preserve your current order of execution.
:::
@@ -127,7 +126,7 @@ For users that still have access to both products, the **Firewall rules** tab wi
## Relevant changes for API users
-**The [Firewall Rules API](/firewall/api/cf-firewall-rules/) and the associated [Cloudflare Filters API](/firewall/api/cf-filters/) are now deprecated.** These APIs will stop working on 2025-06-15. You must migrate any automation based on the Firewall Rules API or Cloudflare Filters API to the [Rulesets API](/waf/custom-rules/create-api/) before this date to prevent any issues. Rule IDs are different between firewall rules and custom rules, which may affect automated processes dealing with specific rule IDs.
+**The [Firewall Rules API](/firewall/api/cf-firewall-rules/) and the associated [Cloudflare Filters API](/firewall/api/cf-filters/) are now deprecated.** These APIs will stop working on 2025-06-15. You must manually update any automation based on the Firewall Rules API or Cloudflare Filters API to the [Rulesets API](/waf/custom-rules/create-api/) before this date to prevent any issues. Rule IDs are different between firewall rules and custom rules, which may affect automated processes dealing with specific rule IDs.
For the time being, all three APIs will be available (Firewall Rules API, Filters API, and Rulesets API). Cloudflare will internally convert your [Firewall Rules API](/firewall/api/cf-firewall-rules/) and [Filters API](/firewall/api/cf-filters/) calls into the corresponding [Rulesets API](/waf/custom-rules/create-api/) calls. The converted API calls between the Firewall Rules API/Filters API and the Rulesets API appear in audit logs as generated by Cloudflare and not by the actual user making the requests. There will be a single list of rules for both firewall rules and WAF custom rules.
@@ -142,7 +141,7 @@ Refer to the WAF documentation for [examples of managing WAF custom rules using
- [`cloudflare_firewall_rule`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/firewall_rule)
- [`cloudflare_filter`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/filter)
-These resources will stop working on 2025-06-15. If you are currently using these resources to manage your Firewall Rules configuration, you must manually migrate any Terraform configuration to [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources before this date to prevent any issues.
+These resources will stop working on 2025-06-15. If you are currently using these resources to manage your Firewall Rules configuration, you must manually update any Terraform configuration to [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources before this date to prevent any issues.
For the time being, all three Terraform resources will be available (`cloudflare_firewall_rule`, `cloudflare_filter`, and `cloudflare_ruleset`). There will be a single list of rules for both firewall rules and WAF custom rules.
diff --git a/src/content/docs/waf/reference/legacy/index.mdx b/src/content/docs/waf/reference/legacy/index.mdx
index 674eebd85e86b4..23d4516d5eb787 100644
--- a/src/content/docs/waf/reference/legacy/index.mdx
+++ b/src/content/docs/waf/reference/legacy/index.mdx
@@ -5,12 +5,12 @@ sidebar:
order: 5
group:
hideIndex: true
-description: Documentation for deprecated WAF features.
+description: Documentation for legacy WAF features.
noindex: true
---
import { DirectoryListing } from "~/components";
-Refer to the following pages for more information on legacy features that have been deprecated:
+Refer to the following pages for more information on legacy WAF features:
diff --git a/src/content/docs/waf/reference/legacy/link-firewall-rules.mdx b/src/content/docs/waf/reference/legacy/link-firewall-rules.mdx
new file mode 100644
index 00000000000000..1f6169760f11d5
--- /dev/null
+++ b/src/content/docs/waf/reference/legacy/link-firewall-rules.mdx
@@ -0,0 +1,7 @@
+---
+pcx_content_type: navigation
+title: Firewall rules
+external_link: /firewall/
+sidebar:
+ order: 4
+---
diff --git a/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx b/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx
index ff47be9441a7f3..a42decf81020b0 100644
--- a/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx
+++ b/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx
@@ -4,9 +4,6 @@ source: https://support.cloudflare.com/hc/en-us/articles/115001635128-Configurin
title: Rate Limiting (previous version)
sidebar:
order: 3
- group:
- badge:
- text: Deprecated
noindex: true
---
@@ -14,9 +11,9 @@ Cloudflare Rate Limiting automatically identifies and mitigates excessive reques
:::caution
-The information in this page refers to the previous version of rate limiting rules (now deprecated), which are billed based on usage.
+The information in this page refers to the previous version of rate limiting rules, which are billed based on usage.
-To benefit from unmetered rate limiting, rewrite your current rules in the [new version of rate limiting rules](/waf/rate-limiting-rules/). For more information, refer to the [migration guide](/waf/reference/migration-guides/old-rate-limiting-deprecation/).
+Cloudflare is upgrading all rate limiting rules to the [new version of rate limiting rules](/waf/rate-limiting-rules/). For more information on what changed in the new version, refer to the [upgrade guide](/waf/reference/legacy/old-rate-limiting/upgrade/).
:::
diff --git a/src/content/docs/waf/reference/legacy/old-rate-limiting/upgrade.mdx b/src/content/docs/waf/reference/legacy/old-rate-limiting/upgrade.mdx
new file mode 100644
index 00000000000000..668ef4ca07c898
--- /dev/null
+++ b/src/content/docs/waf/reference/legacy/old-rate-limiting/upgrade.mdx
@@ -0,0 +1,218 @@
+---
+title: Rate limiting (previous version) upgrade
+pcx_content_type: reference
+sidebar:
+ order: 3
+ label: Rate limiting upgrade
+head:
+ - tag: title
+ content: Rate limiting (previous version) upgrade
+description: Guide on upgrading rate limiting rules from the previous version to the new version.
+---
+
+Cloudflare is upgrading all rate limiting rules created in the [previous version](/waf/reference/legacy/old-rate-limiting/) to the [new version of rate limiting rules](/waf/rate-limiting-rules/).
+
+The Cloudflare dashboard will now show all your rate limiting rules in a single list.
+
+:::caution[Deprecation notice]
+
+**The [Rate Limiting API](/api/resources/rate_limits/) and the [`cloudflare_rate_limit`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) Terraform resource for the previous version of rate limiting rules are now deprecated.**
+
+This API and Terraform resource will only be available until 2025-06-15. After this date you will need to use the [Rulesets API](/ruleset-engine/rulesets-api/) and the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) Terraform resource to configure rate limiting rules.
+
+:::
+
+## Main differences
+
+- **Billing model:** The previous version of Rate Limiting was billed based on usage and it was available as an add-on on all plans, while the new version is included in Cloudflare plans. For Enterprise plans, Rate Limiting is priced based on total contracted HTTP traffic. The new rate limiting rules offer all the capabilities available on the previous version of rate limiting along with several additional features.
+
+- **Advanced scope expressions:** The previous version of Rate Limiting allowed you to scope the rules based on a single path and method of the request. In the new version, you can write rules similar to [WAF custom rules](/waf/custom-rules/), combining multiple parameters of the HTTP request.
+
+- **Separate counting and mitigation expressions:** In the new version of Rate Limiting, counting and mitigation expressions are separate (for Business and Enterprise customers). The counting expression defines which requests are used to compute the rate. The mitigation expression defines which requests are mitigated once the threshold has been reached. Using these separate expressions, you can track the rate of requests on a specific path such as `/login` and, when an IP exceeds the threshold, block every request from the same IP addressed at your domain.
+
+- **Additional counting dimensions (Advanced Rate Limiting only):** Like in the previous version of Rate Limiting, customers with the new Rate Limiting get IP-based rate limiting, where Cloudflare counts requests based on the source IP address of incoming requests. In addition to IP-based rate limiting, customers with the new Rate Limiting who subscribe to Advanced Rate Limiting can group requests based on other characteristics, such as the value of API keys, cookies, session headers, ASN, query parameters, or a specific JSON body field. Refer to [Rate limiting best practices](/waf/rate-limiting-rules/best-practices/) for examples.
+
+- **Number of rules per plan**: Besides the exact features per Cloudflare plan, the number of rules per plan is different in the new version of Rate Limiting (for information on the new version limits, refer to [Rate limiting rules](/waf/rate-limiting-rules/#availability)):
+
+ | Product | Free | Pro | Business | Enterprise with RL add-on,
or equivalent plan |
+ | -------------------------------- | :--: | :-: | :------: | :------------------------------------------------: |
+ | Rate Limiting (previous version) | 1 | 10 | 15 | 100 |
+ | Rate Limiting (new version) | 1 | 2 | 5 | 100 |
+
+ Enterprise customers must have application security on their contract to get access to rate limiting rules.
+
+ Refer to [Important remarks about the upgrade](#important-remarks-about-the-upgrade) for details on how Cloudflare will adjust your rules quota, if needed, after the upgrade.
+
+For more details on the differences between old and new rate limiting rules, refer to [our blog post](https://blog.cloudflare.com/unmetered-ratelimiting/).
+
+## Important remarks about the upgrade
+
+- **After the upgrade, you will not be able to create or edit rate limiting rules while you are above the new rules quota for your Cloudflare plan.** The number of rate limiting rules included in your Cloudflare plan can be lower than before. If you are over the new limit, you will need to either upgrade to a plan that gives you more rules, or delete existing rules until the number of rules is less or equal to the new maximum number of rules for your plan.
+
+- **Custom timeouts will be rounded to the nearest supported timeout.** Both custom counting periods and custom mitigation timeouts will be rounded up or down to the nearest counting period and mitigation timeout supported in the new version (refer to [Availability](/waf/rate-limiting-rules/#availability) for details on the available values per plan).
+ For example, if you had a rate limiting rule with a mitigation timeout of 55 seconds, this timeout will be rounded up to one minute (nearest value).
+ Enterprise customers will be able to set a custom mitigation timeout for a rule after the upgrade, but this configuration is only available via API.
+
+- **Customers on a Business plan (or higher) will have access to the [IP with NAT support](/waf/rate-limiting-rules/parameters/#use-cases-of-ip-with-nat-support) characteristic.** This characteristic is used to handle situations such as requests under NAT sharing the same IP address.
+
+---
+
+### Relevant changes in the dashboard
+
+If you had access to the previous version of Cloudflare Rate Limiting, you will now find all rate limiting rules in the same list in **Security** > **WAF** > **Rate limiting rules**.
+
+If you are using the new [application security dashboard](/security/) (currently in beta), all the rate limiting rules for your zone will be available at **Security** > **Security rules**.
+
+Rate limiting rules created in the previous version will be tagged with `Previous version` in the Cloudflare dashboard.
+
+
+
+If you edit a rule with this tag in the dashboard, you will no longer be able to edit the rule using the API and Terraform resource for the previous version of rate limiting rules. In this case, you will need to start using the [Rulesets API](/ruleset-engine/rulesets-api/) or the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) Terraform resource for this purpose. Refer to [Relevant changes for API users](#relevant-changes-for-api-users) and [Relevant changes for Terraform users](#relevant-changes-for-terraform-users) for more information.
+
+### Relevant changes for API users
+
+**The previous Rate Limiting API is deprecated.** You will not be able to invoke any operations of this API after 2025-06-15. You must update any automation based on the [previous Rate Limiting API](/api/resources/rate_limits/) to the [Rulesets API](/waf/rate-limiting-rules/create-api/) before this date to prevent any issues.
+
+The new rate limiting rules are based on the [Ruleset Engine](/ruleset-engine/). To configure these rate limiting rules via the API you must use the [Rulesets API](/ruleset-engine/rulesets-api/). Since rate limiting rules created in the previous version were upgraded to the new version, this API will also return these rules created in the new version.
+
+The [Rulesets API](/ruleset-engine/rulesets-api/) is the only API that allows you to create, edit, and delete any rate limiting rule, regardless of the implementation version where you created the rule. The [previous Rate Limiting API](/api/resources/rate_limits/) will only work with rate limiting rules created in the previous version that you have not edited in the dashboard or modified through the new API/Terraform resource since they were upgraded to the new version.
+
+Until the API sunset date, you can use the [previous Rate Limiting API](/api/resources/rate_limits/) to create, edit, and delete rate limiting rules created in the previous version (which Cloudflare upgraded to the new version). However, if you use the Rulesets API to edit a rule created in the previous version, or if you change such a rule in the Cloudflare dashboard – including changing the rule order – you will no longer be able to manage this rule (upgraded from the previous version and then updated using the Rulesets API) using the old API operations. In this case, you will need to completely switch to the [Rulesets API](/ruleset-engine/rulesets-api/) for managing this specific rule.
+
+### Relevant changes for Terraform users
+
+**The `cloudflare_rate_limit` Terraform resource is deprecated.** You will not be able to perform configuration updates via Terraform using this resource after 2025-06-15. You must manually update your rate limiting configuration in Terraform from [`cloudflare_rate_limit`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) resources to [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources before the sunset date to prevent any issues.
+
+The new rate limiting rules are based on the [Ruleset Engine](/ruleset-engine/). To configure these rate limiting rules with Terraform you must use the `cloudflare_ruleset` Terraform resource.
+
+The [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) Terraform resource is the only resource that allows you to create, edit, and delete any rate limiting rule, regardless of the implementation version where you created the rule. The `cloudflare_rate_limit` Terraform resource will only work with rate limiting rules created in the previous version that you have not edited in the dashboard or modified through the new API/Terraform resource since they were upgraded to the new version.
+
+Until the sunset date for the `cloudflare_rate_limit` Terraform resource, you can use this resource to create, edit, and delete rate limiting rules created in the previous version (which Cloudflare upgraded to the new version). However, if you start using the `cloudflare_ruleset` Terraform resource to manage a rule created in the previous version, or if you edit such a rule in the Cloudflare dashboard – including changing the rule order – you will no longer be able to manage this rule (upgraded from the previous version and then updated using the new resource) using the old Terraform resource. In this case, you will need to completely switch to the `cloudflare_ruleset` Terraform resource for managing this specific rule.
+
+Refer to the Terraform documentation for [examples of configuring the new rate limiting rules using Terraform](/terraform/additional-configurations/rate-limiting-rules/).
+
+### Replace your configuration with cf-terraforming
+
+You can use the [`cf-terraforming`](https://github.com/cloudflare/cf-terraforming) tool to generate your new Terraform configuration for rate limiting rules created in the previous version. Then, you can import the new resources to Terraform state.
+
+The recommended steps for replacing your old rate limiting configuration in Terraform with a new ruleset configuration are the following.
+
+1. Run the following command to generate all ruleset configurations for a zone:
+
+ ```sh null {3,6}
+ cf-terraforming generate --zone --resource-type "cloudflare_ruleset"
+ ```
+
+ ```tf output {1,4}
+ resource "cloudflare_ruleset" "terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31" {
+ kind = "zone"
+ name = "default"
+ phase = "http_ratelimit"
+ zone_id = ""
+ rules {
+ # (...)
+ }
+ # (...)
+ }
+ # (...)
+ ```
+
+2. The previous command may return additional ruleset configurations for other Cloudflare products also based on the [Ruleset Engine](/ruleset-engine/). Since you are updating your rate limiting rules configuration, keep only the Terraform resource for the `http_ratelimit` phase and save it to a `.tf` configuration file. You will need the full resource name in the next step.
+
+3. Import the `cloudflare_ruleset` resource you previously identified into Terraform state using the `terraform import` command. For example:
+
+ ```sh
+ terraform import cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31 zone//3c0b456bc2aa443089c5f40f45f51b31
+ ```
+
+ ```txt output
+ cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Importing from ID "zone//3c0b456bc2aa443089c5f40f45f51b31"...
+ cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Import prepared!
+ Prepared cloudflare_ruleset for import
+ cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Refreshing state... [id=3c0b456bc2aa443089c5f40f45f51b31]
+
+ Import successful!
+
+ The resources that were imported are shown above. These resources are now in
+ your Terraform state and will henceforth be managed by Terraform.
+ ```
+
+4. Run `terraform plan` to validate that Terraform now checks the state of the new `cloudflare_ruleset` resource, in addition to other existing resources already managed by Terraform. For example:
+
+ ```sh
+ terraform plan
+ ```
+
+ ```txt output
+ cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Refreshing state... [id=3c0b456bc2aa443089c5f40f45f51b31]
+ [...]
+ cloudflare_rate_limit.my_rate_limiting_rules: Refreshing state... [id=0580eb5d92e344ddb2374979f74c3ddf]
+ [...]
+ ```
+
+5. Remove any state related to rate limiting rules configured through the old `cloudflare_rate_limit` resource from your Terraform state:
+
+ :::caution[Important]
+ You must remove rate limiting rules configured through the `cloudflare_rate_limit` resource from Terraform state before deleting their configuration from `.tf` configuration files to prevent issues.
+ :::
+
+ 1. Run the following command to find all resources related to rate limiting rules (previous version):
+
+ ```sh
+ terraform state list | grep -E '^cloudflare_rate_limit\.'
+ ```
+
+ ```txt output
+ cloudflare_rate_limit.my_rate_limiting_rules
+ ```
+
+ 2. Run the `terraform state rm ...` command in dry-run mode to understand the impact of removing those resources without performing any changes:
+
+ ```sh
+ terraform state rm -dry-run cloudflare_rate_limit.my_rate_limiting_rules
+ ```
+
+ ```txt output
+ Would remove cloudflare_rate_limit.my_rate_limiting_rules
+ ```
+
+ 3. If the impact looks correct, run the same command without the `-dry-run` parameter to actually remove the resources from Terraform state:
+
+ ```sh
+ terraform state rm cloudflare_rate_limit.my_rate_limiting_rules
+ ```
+
+ ```txt output
+ Removed cloudflare_rate_limit.my_rate_limiting_rules
+ Successfully removed 1 resource instance(s).
+ ```
+
+6. After removing `cloudflare_rate_limit` resources from Terraform state, delete all these resources from `.tf` configuration files.
+
+7. Run `terraform plan` to verify that the resources you deleted from configuration files no longer appear. You should not have any pending changes.
+
+ ```sh
+ terraform plan
+ ```
+
+ ```txt output
+ cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Refreshing state... [id=3c0b456bc2aa443089c5f40f45f51b31]
+ [...]
+
+ No changes. Your infrastructure matches the configuration.
+
+ Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
+ ```
+
+For details on importing Cloudflare resources to Terraform and using the `cf-terraforming` tool, refer to the following resources:
+
+- [Import Cloudflare resources](/terraform/advanced-topics/import-cloudflare-resources/)
+- [`cf-terraforming` GitHub repository](https://github.com/cloudflare/cf-terraforming)
+
+## More resources
+
+For more information on the new rate limiting implementation, including the available features in each Cloudflare plan, refer to [Rate limiting rules](/waf/rate-limiting-rules/).
+
+Cloudflare also offers an Advanced version of Rate Limiting, which is available to Enterprise customers. For more information, refer to the [Introducing Advanced Rate Limiting](https://blog.cloudflare.com/advanced-rate-limiting/) blog post.
+
+To learn more about what you can do with the new rate limiting, refer to [Rate limiting best practices](/waf/rate-limiting-rules/best-practices/).
diff --git a/src/content/docs/waf/reference/legacy/old-waf-managed-rules/index.mdx b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/index.mdx
index 0766b2b83d8030..66178b4f9b57a9 100644
--- a/src/content/docs/waf/reference/legacy/old-waf-managed-rules/index.mdx
+++ b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/index.mdx
@@ -4,9 +4,6 @@ source: https://support.cloudflare.com/hc/en-us/articles/200172016-Understanding
title: WAF managed rules (previous version)
sidebar:
order: 2
- group:
- badge:
- text: Deprecated
noindex: true
---
@@ -14,8 +11,8 @@ Managed rules, a feature of Cloudflare WAF (Web Application Firewall), identifie
:::caution
-- This page contains documentation about the previous implementation of WAF Managed Rules (now deprecated). For more information on the new version, refer to [WAF Managed Rules](/waf/managed-rules/).
-- All customers with access to the previous version of WAF managed rules can [migrate to the new version](/waf/reference/migration-guides/waf-managed-rules-migration/).
+- This page contains documentation about the previous implementation of WAF Managed Rules. For more information on the new version, refer to [WAF Managed Rules](/waf/managed-rules/).
+- All customers with access to the previous version of WAF managed rules can [upgrade to the new version](/waf/reference/legacy/old-waf-managed-rules/upgrade/).
- The new WAF Managed Rules provide the [Cloudflare Free Managed Ruleset](/waf/managed-rules/) to all customers, including customers on a Free plan. Refer to the [announcement blog post](https://blog.cloudflare.com/waf-for-everyone/) for details.
:::
diff --git a/src/content/docs/waf/reference/migration-guides/waf-managed-rules-migration.mdx b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/upgrade.mdx
similarity index 79%
rename from src/content/docs/waf/reference/migration-guides/waf-managed-rules-migration.mdx
rename to src/content/docs/waf/reference/legacy/old-waf-managed-rules/upgrade.mdx
index 56ec4d06d55ec7..201967d7b8d9ca 100644
--- a/src/content/docs/waf/reference/migration-guides/waf-managed-rules-migration.mdx
+++ b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/upgrade.mdx
@@ -1,23 +1,23 @@
---
pcx_content_type: reference
-title: WAF Managed Rules migration
+title: WAF managed rules upgrade
sidebar:
- order: 1
+ order: 3
---
import { GlossaryTooltip } from "~/components";
-On 2022-05-04, Cloudflare started the WAF migration from the [previous version of WAF managed rules](/waf/reference/legacy/old-waf-managed-rules/) to the new [WAF Managed Rules](/waf/managed-rules/), allowing a first set of eligible zones to migrate. Currently, all zones can migrate to WAF Managed Rules, including partner accounts.
+On 2022-05-04, Cloudflare started the upgrade from the [previous version of WAF managed rules](/waf/reference/legacy/old-waf-managed-rules/) to the new [WAF Managed Rules](/waf/managed-rules/), allowing a first set of eligible zones to migrate. Currently, all zones can upgrade to WAF Managed Rules, including partner accounts.
-You can start the update process for a zone in the Cloudflare dashboard or via API. Currently, the update process is always started by you. **The migration is irreversible** — once you update to the new WAF Managed Rules, you cannot go back to using WAF managed rules.
+You can start the upgrade process for a zone in the Cloudflare dashboard or via API. Currently, this process is always started by you. **The upgrade is irreversible** — once you upgrade to the new WAF Managed Rules, you cannot go back to using WAF managed rules.
-Once the migration finishes, the **Managed rules** tab in the Cloudflare dashboard (available in **Security** > **WAF** > **Managed rules**) will display a new interface, and the WAF managed rules APIs will stop working.
+Once the upgrade finishes, the **Managed rules** tab in the Cloudflare dashboard (available in **Security** > **WAF** > **Managed rules**) will display a new interface, and the WAF managed rules APIs will stop working.
:::caution[Deprecation notice]
-**The previous version of WAF managed rules is now deprecated.** The [APIs for managing the previous version of WAF managed rules](#api-changes) will stop working on 2025-06-15. The same applies to [Terraform resources](#terraform-changes) related to the previous version of WAF managed rules. You must migrate before this date to avoid any issues.
+**The APIs and Terraform resources related to the previous version of WAF managed rules are deprecated.** The [APIs for managing the previous version of WAF managed rules](#api-changes) will stop working on 2025-06-15. The same applies to [Terraform resources](#terraform-changes) related to the previous version of WAF managed rules. You must migrate before this date to avoid any issues.
-Refer to [Possible migration errors](#possible-migration-errors) if you are having issues migrating.
+Refer to [Possible upgrade errors](#possible-upgrade-errors) if you are having issues upgrading.
:::
@@ -39,27 +39,27 @@ For more information on the benefits of WAF Managed Rules, refer to our [blog po
---
-## Migration impact
+## Upgrade impact
-You will be able to migrate all your zones that do not have URI-based WAF overrides. The same protection will apply to your zone once you move to the new WAF.
+You will be able to upgrade all your zones that do not have URI-based WAF overrides. The same protection will apply to your zone once you move to the new WAF.
-Most configuration settings from the previous version of WAF managed rules will be migrated to the new version, but some specific configurations originally defined in the OWASP ModSecurity Core Rule Set will be lost — you will have to create these configurations in the new WAF Managed Rules, if needed.
+Most configuration settings from the previous version of WAF managed rules will be upgraded to the new version, but some specific configurations originally defined in the OWASP ModSecurity Core Rule Set will be lost — you will have to create these configurations in the new WAF Managed Rules, if needed.
-For API users, the APIs for managing the previous version of WAF managed rules will stop working once you migrate. You must use the Rulesets API to manage the new WAF Managed Rules.
+For API users, the APIs for managing the previous version of WAF managed rules will stop working once you upgrade. You must use the Rulesets API to manage the new WAF Managed Rules.
-### Configurations that will be migrated
+### Configurations that will be upgraded
-The update process will create an equivalent configuration for the following settings of WAF managed rules:
+The upgrade process will create an equivalent configuration for the following settings of WAF managed rules:
- Firewall rules configured with _Bypass_ > _WAF Managed Rules_.
- Page Rules configured with _Disable Security_.
- Page Rules configured with _Web Application Firewall: Off_ or _Web Application Firewall: On_.
-The OWASP ruleset configuration will be partially migrated. Refer to the next section for details.
+The OWASP ruleset configuration will be partially upgraded. Refer to the next section for details.
-### Configurations that will be lost in the update process
+### Configurations that will be lost in the upgrade process
-The update process will partially migrate the settings of the OWASP ModSecurity Core Rule Set available in the previous version of WAF managed rules.
+The upgrade process will partially migrate the settings of the OWASP ModSecurity Core Rule Set available in the previous version of WAF managed rules.
The following OWASP settings will be migrated:
@@ -81,18 +81,18 @@ The following OWASP settings will **not** be migrated, since there is no direct
To replace these settings you will need to configure the Cloudflare OWASP Core Ruleset in WAF Managed Rules again according to your needs, namely any tag/rule overrides. For more information on configuring the new OWASP Core Ruleset, refer to [Cloudflare OWASP Core Ruleset](/waf/managed-rules/reference/owasp-core-ruleset/).
-### Configurations that will prevent you from updating
+### Configurations that will prevent you from upgrading
-If a zone has [URI-based WAF overrides](/api/resources/firewall/subresources/waf/subresources/overrides/methods/list/) (only available via API), you will not have the option to migrate to WAF Managed Rules. To update to WAF Managed Rules you must:
+If a zone has [URI-based WAF overrides](/api/resources/firewall/subresources/waf/subresources/overrides/methods/list/) (only available via API), you will not have the option to upgrade to WAF Managed Rules. To upgrade to WAF Managed Rules you must:
1. Delete any existing URI-based WAF overrides using the [Delete a WAF override](/api/resources/firewall/subresources/waf/subresources/overrides/methods/delete/) operation.
-2. Follow the update process described below.
+2. Follow the upgrade process described below.
### Cloudflare dashboard changes
-After the update process is complete, the Cloudflare dashboard will display the new WAF Managed Rules interface in **Security** > **WAF** > **Managed rules**, where you can deploy managed rulesets and adjust their configuration.
+After the upgrade process is complete, the Cloudflare dashboard will display the new WAF Managed Rules interface in **Security** > **WAF** > **Managed rules**, where you can deploy managed rulesets and adjust their configuration.
-
+
Unlike the WAF managed rules, there is no global on/off setting to enable the WAF in the new interface. Instead, you deploy each managed ruleset individually in your zone.
@@ -100,21 +100,21 @@ For more information about configuring WAF Managed Rules in the dashboard, refer
### API changes
-Once the migration is complete, the APIs for interacting with WAF managed rules **will stop working**. These APIs are the following:
+Once the upgrade is complete, the APIs for interacting with WAF managed rules **will stop working**. These APIs are the following:
- [WAF packages](/api/resources/firewall/subresources/waf/subresources/packages/methods/list/)
- [WAF rule groups](/api/resources/firewall/subresources/waf/subresources/packages/subresources/groups/methods/list/)
- [WAF rules](/api/resources/firewall/subresources/waf/subresources/packages/subresources/rules/methods/list/)
:::caution
-If you have any integrations using the WAF managed rules APIs stated above, you must update them before migrating to the new WAF Managed Rules.
+If you have any integrations using the WAF managed rules APIs stated above, you must update them before upgrading to the new WAF Managed Rules.
:::
To work with WAF Managed Rules you must use the [Rulesets API](/ruleset-engine/managed-rulesets/). For more information on deploying WAF Managed Rules via API, refer to [Deploy managed rulesets via API](/waf/managed-rules/deploy-api/).
### Terraform changes
-Once the migration is complete, the following Terraform resources for configuring WAF managed rules **will stop working**:
+Once the upgrade is complete, the following Terraform resources for configuring WAF managed rules **will stop working**:
- [`cloudflare_waf_package`](https://registry.terraform.io/providers/cloudflare/cloudflare/3.35.0/docs/resources/waf_package)
- [`cloudflare_waf_group`](https://registry.terraform.io/providers/cloudflare/cloudflare/3.35.0/docs/resources/waf_group)
@@ -131,20 +131,20 @@ To manage the configuration of the new WAF Managed Rules using Terraform, you mu
### Phase 2 (since 2022-09-19)
:::note[Update notice]
-On 2023-08-18, Cloudflare added support for migrating partner accounts to the new WAF Managed Rules.
+On 2023-08-18, Cloudflare added support for upgrading partner accounts to the new WAF Managed Rules.
:::
-In phase 2 all zones are eligible for migration. The exact migration procedure varies according to your Cloudflare plan.
+In phase 2 all zones are eligible for upgrade. The exact upgrade procedure varies according to your Cloudflare plan.
-- **Pro** and **Business** customers can update to the new WAF Managed Rules in the Cloudflare dashboard or via API. Once the new version is enabled, the previous version of WAF managed rules will be automatically disabled.
+- **Pro** and **Business** customers can upgrade to the new WAF Managed Rules in the Cloudflare dashboard or via API. Once the new version is enabled, the previous version of WAF managed rules will be automatically disabled.
-- **Enterprise** customers can enable the new WAF Managed Rules configuration while keeping the previous version of WAF managed rules enabled, allowing them to check the impact of the new WAF configuration. After reviewing the behavior of the new configuration and making any required adjustments to specific managed rules, Enterprise users can then finish the migration, which will disable the previous version of WAF managed rules.
+- **Enterprise** customers can enable the new WAF Managed Rules configuration while keeping the previous version of WAF managed rules enabled, allowing them to check the impact of the new WAF configuration. After reviewing the behavior of the new configuration and making any required adjustments to specific managed rules, Enterprise users can then finish the upgrade, which will disable the previous version of WAF managed rules.
-**Note:** Zones that have [URI-based WAF overrides](/api/resources/firewall/subresources/waf/subresources/overrides/methods/list/), which you could only manage via API, will not be able to migrate immediately to the new WAF Managed Rules. You must delete these overrides before migrating.
+**Note:** Zones that have [URI-based WAF overrides](/api/resources/firewall/subresources/waf/subresources/overrides/methods/list/), which you could only manage via API, will not be able to upgrade immediately to the new WAF Managed Rules. You must delete these overrides before migrating.
### Phase 1 (since 2022-05-04)
-In phase 1 the migration became available to a subset of eligible zones, which had to meet the following requirements:
+In phase 1 the upgrade became available to a subset of eligible zones, which had to meet the following requirements:
- The zone has:
@@ -161,9 +161,9 @@ In phase 1 the migration became available to a subset of eligible zones, which h
---
-## Starting the migration
+## Start the upgrade
-You can start the WAF update in the Cloudflare dashboard or via API.
+You can start the WAF upgrade in the Cloudflare dashboard or via API.
### Using the dashboard
@@ -173,11 +173,11 @@ You can start the WAF update in the Cloudflare dashboard or via API.
If you are an Enterprise customer, the dashboard will show the following banner:
- 
+ 
If you are a Professional/Business customer, the dashboard will show the following banner:
- 
+ 
3. In the update banner, select **Review configuration**. This banner is only displayed in eligible zones.
@@ -185,9 +185,9 @@ You can start the WAF update in the Cloudflare dashboard or via API.
5. When you are done reviewing, select **Deploy** to deploy the new WAF Managed Rules configuration.
- If you are a Professional/Business customer, Cloudflare will deploy the new WAF configuration and then disable the previous WAF version. The migration process may take a couple of minutes. When the migration finishes, the dashboard will display the new WAF Managed Rules interface in **Security** > **WAF** > **Managed rules**. To check if the migration has finished, refresh the dashboard.
+ If you are a Professional/Business customer, Cloudflare will deploy the new WAF configuration and then disable the previous WAF version. The upgrade process may take a couple of minutes. When the migration finishes, the dashboard will display the new WAF Managed Rules interface in **Security** > **WAF** > **Managed rules**. To check if the upgrade has finished, refresh the dashboard.
- If you are an Enterprise customer, both WAF implementations will be enabled simultaneously when you select Deploy, so that you can validate your new configuration. Refer to the steps in the next section for additional guidance.
+ If you are an Enterprise customer, both WAF implementations will be enabled simultaneously when you select **Deploy**, so that you can validate your new configuration. Refer to the steps in the next section for additional guidance.
#### Validate your new WAF configuration and finish the upgrade (Enterprise customers only)
@@ -195,12 +195,12 @@ If you are an Enterprise customer, after deploying your new WAF configuration bo
1. Use the current validation mode to check the behavior of the new WAF configuration in Security Events (**Security** > **Events**). For more information, refer to [Analyzing the new WAF behavior in Security Events](#analyzing-the-new-waf-behavior-in-security-events).
-2. When you are done reviewing your configuration with both WAFs enabled, select **Ready to update** in the update banner, and then select **Turn off previous version**. This operation will complete the migration and disable the previous WAF version.
+2. When you are done reviewing your configuration with both WAFs enabled, select **Ready to update** in the update banner, and then select **Turn off previous version**. This operation will complete the upgrade and disable the previous WAF version.
-When the migration finishes, the dashboard will only display the new WAF Managed Rules interface in **Security** > **WAF** > **Managed rules**. To check if the migration has finished, refresh the dashboard.
+When the upgrade finishes, the dashboard will only display the new WAF Managed Rules interface in **Security** > **WAF** > **Managed rules**. To check if the upgrade has finished, refresh the dashboard.
:::note
-The update process can take up to an hour. During this period you may observe security events from both versions of WAF managed rules.
+The upgrade process can take up to an hour. During this period you may observe security events from both versions of WAF managed rules.
:::
### Using the API
@@ -226,7 +226,7 @@ The update process can take up to an hour. During this period you may observe se
}
```
- If the response includes `"compatible": true`, this means that the zone can update to the new WAF and you can proceed with the update process. If the response includes `"compatible": false`, this means that your zone is not eligible for the update, given its current configuration. Refer to [Eligible zones](#eligible-zones) for details.
+ If the response includes `"compatible": true`, this means that the zone can update to the new WAF and you can proceed with the upgrade process. If the response includes `"compatible": false`, this means that your zone is not eligible for the upgrade, given its current configuration. Refer to [Eligible zones](#eligible-zones) for details.
2. To get the new WAF configuration corresponding to your current configuration, use the [Get new WAF configuration](#api-operations) operation:
@@ -276,7 +276,7 @@ The returned configuration in the example above, which would match the existing
- A rule that executes the Cloudflare Managed Ruleset (ruleset ID efb7b8c949ac4650a09736fc376e9aee).
- A single override for the rule `Apache Struts - Open Redirect - CVE:CVE-2013-2248` (rule ID 23ee7cebe6e8443e99ecf932ab579455) in the same ruleset, setting the action to `log` and disabling the rule.
-3. (Optional, for Enterprise customers only) If you are migrating an Enterprise zone to WAF Managed Rules, you can enter validation mode before finishing the migration. In this mode, both WAF implementations will be enabled. Use the [Update a zone entry point ruleset](/api/resources/rulesets/subresources/phases/methods/update/) operation, making sure you include the `waf_migration=validation&phase_two=1` query string parameters:
+3. (Optional, for Enterprise customers only) If you are upgrading an Enterprise zone to WAF Managed Rules, you can enter validation mode before finishing the upgrade. In this mode, both WAF implementations will be enabled. Use the [Update a zone entry point ruleset](/api/resources/rulesets/subresources/phases/methods/update/) operation, making sure you include the `waf_migration=validation&phase_two=1` query string parameters:
```bash
curl --request PUT \
@@ -310,7 +310,7 @@ The returned configuration in the example above, which would match the existing
After invoking this API endpoint, both WAF managed rules and WAF Managed Rules will be enabled. Check [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events for any legitimate traffic getting blocked, and perform any required adjustments to the WAF Managed Rules configuration. For example, you can [add an override](/ruleset-engine/managed-rulesets/override-managed-ruleset/) for a single rule that disables it or changes its action.
-4. To finish the migration and disable WAF managed rules, set the configuration for the new WAF using the settings you obtained in step 2 and possibly adjusted in step 3. Make sure you include the `waf_migration=pending&phase_two=1` query string parameters.
+4. To finish the upgrade and disable WAF managed rules, set the configuration for the new WAF using the settings you obtained in step 2 and possibly adjusted in step 3. Make sure you include the `waf_migration=pending&phase_two=1` query string parameters.
```bash
curl --request PUT \
@@ -348,7 +348,7 @@ The returned configuration in the example above, which would match the existing
Once the provided configuration is saved and the new WAF Managed Rules are enabled, the previous version of the WAF managed rules will be automatically disabled, due to the presence of the `waf_migration=pending&phase_two=1` parameters. This will make sure that your zone stays protected by one of the WAF versions during the update process.
:::note
-Pro and Business customers, which do not have access to the validation mode described in step 3, can update the rules (and overrides) in their zone entry point ruleset without triggering the migration by omitting the `waf_migration=pending&phase_two=1` parameters. However, all the rules in their configuration must be disabled (`"enabled": false`). Only Enterprise customers can configure (enabled) rules deploying Managed Rulesets without triggering the migration.
+Pro and Business customers, which do not have access to the validation mode described in step 3, can update the rules (and overrides) in their zone entry point ruleset without triggering the upgrade by omitting the `waf_migration=pending&phase_two=1` parameters. However, all the rules in their configuration must be disabled (`"enabled": false`). Only Enterprise customers can configure (enabled) rules deploying Managed Rulesets without triggering the upgrade.
:::
---
@@ -357,7 +357,7 @@ Pro and Business customers, which do not have access to the validation mode desc
### For Enterprise customers
-If you are an Enterprise customer, use the **validation mode** of the WAF migration process to check the behavior of the new WAF Managed Rules configuration. Cloudflare enables validation mode after you deploy the new WAF configuration. In this mode, the previous WAF version is still enabled, so that you can validate the behavior of your new configuration during the migration process. The new WAF Managed Rules will run before the previous version.
+If you are an Enterprise customer, use the **validation mode** of the WAF upgrade process to check the behavior of the new WAF Managed Rules configuration. Cloudflare enables validation mode after you deploy the new WAF configuration. In this mode, the previous WAF version is still enabled, so that you can validate the behavior of your new configuration during the upgrade process. The new WAF Managed Rules will run before the previous version.
Go to [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events during validation mode and check the following:
@@ -367,9 +367,9 @@ Go to [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security E
### For Business/Professional customers
-Business and Professional customers do not have access to validation mode, which means that they will be able to check the new WAF behavior after they migrate to the new WAF Managed Rules.
+Business and Professional customers do not have access to validation mode, which means that they will be able to check the new WAF behavior after they upgrade to the new WAF Managed Rules.
-In the days following the migration, check [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events looking for any legitimate requests being blocked by WAF Managed Rules. If you identify any incorrectly blocked requests, adjust the corresponding WAF rule action to Log. For more information on changing the action of a managed ruleset rule, refer to [Configure a single rule in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-a-single-rule-in-a-managed-ruleset).
+In the days following the upgrade, check [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events looking for any legitimate requests being blocked by WAF Managed Rules. If you identify any incorrectly blocked requests, adjust the corresponding WAF rule action to Log. For more information on changing the action of a managed ruleset rule, refer to [Configure a single rule in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-a-single-rule-in-a-managed-ruleset).
Additionally, check for requests that should have been blocked. In this situation, consider creating a [firewall rule](/firewall/cf-dashboard/create-edit-delete-rules/#create-a-firewall-rule) or a [WAF custom rule](/waf/custom-rules/create-dashboard/) to block these requests.
@@ -377,14 +377,14 @@ Additionally, check for requests that should have been blocked. In this situatio
## API operations
-Updating to the new WAF Managed Rules via API requires invoking the following API operations:
+Upgrading to the new WAF Managed Rules via API requires invoking the following API operations:
-| Name | Method + Endpoint | Description |
-| --------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Check WAF
update compatibility | `GET` `/zones//waf_migration/check?phase_two=1` | Checks if the current zone can be updated to the new WAF, given its current configuration. |
-| Get new WAF
configuration | `GET` `/zones//waf_migration/config?phase_two=1` | Obtains the new WAF Managed Rules configuration that is equivalent to the current configuration (previous version of WAF managed rules). |
-| [Update zone
entry point ruleset](/ruleset-engine/rulesets-api/update/) | `PUT` `/zones//rulesets/` `phases/http_request_firewall_managed/entrypoint?waf_migration=&phase_two=1` | Updates the configuration of the zone entry point ruleset for the `http_request_firewall_managed` phase.
Available values for the `waf_migration` query string parameter:
– `pending` / `1`: Defines the new WAF Managed Rules configuration and disables the previous version of WAF managed rules as soon as the provided configuration is saved and the new WAF is enabled.
– `validation` / `2`: (Enterprise zones only) Defines the new WAF Managed Rules configuration and enables the new WAF Managed Rules side by side with the previous version, entering validation mode. To exit validation mode and finish the migration, invoke the same API endpoint with `waf_migration=pending`. |
-| Get WAF status | `GET` `/zones//waf_migration/status` | Obtains the status of old and new WAF managed rules for a zone (enabled/disabled). The response also includes the current migration state (or mode). |
+| Name | Method + Endpoint | Description |
+| --------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Check WAF
update compatibility | `GET` `/zones//waf_migration/check?phase_two=1` | Checks if the current zone can be updated to the new WAF, given its current configuration. |
+| Get new WAF
configuration | `GET` `/zones//waf_migration/config?phase_two=1` | Obtains the new WAF Managed Rules configuration that is equivalent to the current configuration (previous version of WAF managed rules). |
+| [Update zone
entry point ruleset](/ruleset-engine/rulesets-api/update/) | `PUT` `/zones//rulesets/` `phases/http_request_firewall_managed/entrypoint?waf_migration=&phase_two=1` | Updates the configuration of the zone entry point ruleset for the `http_request_firewall_managed` phase.
Available values for the `waf_migration` query string parameter:
– `pending` / `1`: Defines the new WAF Managed Rules configuration and disables the previous version of WAF managed rules as soon as the provided configuration is saved and the new WAF is enabled.
– `validation` / `2`: (Enterprise zones only) Defines the new WAF Managed Rules configuration and enables the new WAF Managed Rules side by side with the previous version, entering validation mode. To exit validation mode and finish the upgrade, invoke the same API endpoint with `waf_migration=pending`. |
+| Get WAF status | `GET` `/zones//waf_migration/status` | Obtains the status of old and new WAF managed rules for a zone (enabled/disabled). The response also includes the current upgrade state (or mode). |
You must prepend the Cloudflare API base URL to the endpoints listed above to obtain the full endpoint:
@@ -392,7 +392,7 @@ You must prepend the Cloudflare API base URL to the endpoints listed above to ob
---
-## Possible migration errors
+## Possible upgrade errors
Contact Cloudflare Support to get help with the following errors:
@@ -420,7 +420,7 @@ Instead of using the previous resources for managing WAF packages, rule groups,
#### Replace your configuration using `cf-terraforming`
-You can use the [`cf-terraforming`](https://github.com/cloudflare/cf-terraforming) tool to generate the Terraform configuration for your new WAF Managed Rules configuration after you migrate. Then, import the new resources to Terraform state.
+You can use the [`cf-terraforming`](https://github.com/cloudflare/cf-terraforming) tool to generate the Terraform configuration for your new WAF Managed Rules configuration after you upgrade. Then, import the new resources to Terraform state.
The recommended steps for replacing your old WAF managed rules configuration in Terraform with a new ruleset-based configuration for the new WAF Managed Rules are the following:
diff --git a/src/content/docs/waf/reference/migration-guides/index.mdx b/src/content/docs/waf/reference/migration-guides/index.mdx
deleted file mode 100644
index 01509296d8d480..00000000000000
--- a/src/content/docs/waf/reference/migration-guides/index.mdx
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Migration guides
-pcx_content_type: navigation
-sidebar:
- order: 4
- group:
- hideIndex: true
-description: Reference guides for users migrating from older Cloudflare
- features to the Cloudflare WAF.
----
-
-import { DirectoryListing } from "~/components";
-
-Refer to the following pages for more information on migrating from older features to new implementations in the Cloudflare WAF:
-
-
diff --git a/src/content/docs/waf/reference/migration-guides/old-rate-limiting-deprecation.mdx b/src/content/docs/waf/reference/migration-guides/old-rate-limiting-deprecation.mdx
deleted file mode 100644
index 1cfed918db1bee..00000000000000
--- a/src/content/docs/waf/reference/migration-guides/old-rate-limiting-deprecation.mdx
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Rate limiting (previous version) deprecation
-pcx_content_type: reference
-sidebar:
- order: 3
-head:
- - tag: title
- content: Rate limiting (previous version) deprecation notice
-description: Guide on the deprecation of rate limiting rules (previous version)
- and how to migrate to the new version.
----
-
-**The [previous version of rate limiting rules](/waf/reference/legacy/old-rate-limiting/) is now deprecated.** If you have rules in the previous version, the Cloudflare dashboard will show the configuration for both new (**A**) and old (**B**) rate limiting rules in **Security** > **WAF** > **Rate limiting rules**. The rate limiting rules interface for the previous version will only be available in the dashboard until 2025-06-15. After this date all remaining active rules will stop working.
-
-
-
-Cloudflare recommends that you create new rate limiting rules (**A**) in the Cloudflare dashboard to replace any existing rate limiting rules you may have configured in the previous version of the feature (**B**). Refer to [Migrate to the new rate limiting rules](#migrate-to-the-new-rate-limiting-rules) for details.
-
-The old and new implementation of rate limiting rules have separate rules lists, since the two implementations do not offer the same set of features. You will need to recreate your rate limiting configuration (in the previous version) using the new rate limiting rules, either using the Cloudflare dashboard, the [Rulesets API](/ruleset-engine/rulesets-api/), or a different Terraform resource ([`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset)).
-
-For more information on the new rate limiting implementation, including the available features in each Cloudflare plan, refer to [Rate limiting rules](/waf/rate-limiting-rules/) in the developer documentation.
-
-Cloudflare also offers an Advanced version of Rate Limiting, which is available to Enterprise customers. For more information, refer to the [Introducing Advanced Rate Limiting](https://blog.cloudflare.com/advanced-rate-limiting/) blog post.
-
-To learn more about what you can do with the new rate limiting, refer to [Rate limiting best practices](/waf/rate-limiting-rules/best-practices/).
-
-## Main differences
-
-- **Billing model:** The previous version of Rate Limiting was billed based on usage and it was available as an add-on on all plans, while the new version is included in Cloudflare plans. For Enterprise plans, Rate Limiting is priced based on total contracted HTTP traffic. The new rate limiting rules offer all the capabilities available on the previous version of rate limiting along with several additional features.
-
-- **Advanced scope expressions:** The previous version of Rate Limiting allowed you to scope the rules based on a single path and method of the request. In the new version, you can write rules similar to [WAF custom rules](/waf/custom-rules/), combining multiple parameters of the HTTP request.
-
-- **Separate counting and mitigation expressions:** In the new version of Rate Limiting, counting and mitigation expressions are separate (for Business and Enterprise customers). The counting expression defines which requests are used to compute the rate. The mitigation expression defines which requests are mitigated once the threshold has been reached. Using these separate expressions, you can track the rate of requests on a specific path such as `/login` and, when an IP exceeds the threshold, block every request from the same IP addressed at your domain.
-
-- **Additional counting dimensions (Advanced Rate Limiting only):** Like in the previous version of Rate Limiting, customers with the new Rate Limiting get IP-based rate limiting, where Cloudflare counts requests based on the source IP address of incoming requests. In addition to IP-based rate limiting, customers with the new Rate Limiting who subscribe to Advanced Rate Limiting can group requests based on other characteristics, such as the value of API keys, cookies, session headers, ASN, query parameters, or a specific JSON body field. Refer to [Rate limiting best practices](/waf/rate-limiting-rules/best-practices/) for examples.
-
-- **Number of rules per plan**: Besides the exact features per Cloudflare plan, the number of rules per plan is different in the new version of Rate Limiting (for information on the new version limits, refer to [Rate limiting rules](/waf/rate-limiting-rules/#availability)):
-
- | Product | Free | Pro | Business | Enterprise with RL add-on,
or equivalent plan |
- | -------------------------------- | :--: | :-: | :------: | :------------------------------------------------: |
- | Rate Limiting (previous version) | 1 | 10 | 15 | 100 |
- | Rate Limiting (new version)\* | 1 | 2 | 5 | 100 |
-
- \* Enterprise customers must have application security on their contract to get access to rate limiting rules.
-
-For more details on the differences between old and new rate limiting rules, refer to [our blog post](https://blog.cloudflare.com/unmetered-ratelimiting/).
-
-### Relevant changes in the dashboard
-
-If you had access to the previous version of Cloudflare Rate Limiting, you will find both rate limiting products, old and new, in the Cloudflare dashboard in **Security** > **WAF** > **Rate limiting rules**. The previous version (left) allows you to filter traffic for one URL. The new version (right) allows you to combine different fields, similar to the functionality of WAF custom rules.
-
-
-
-### Relevant changes for API users
-
-The new rate limiting rules are based on the [Ruleset Engine](/ruleset-engine/). To configure rate limiting rules via the API, you must use the [Rulesets API](/ruleset-engine/rulesets-api/). The Rulesets API is used on all recent Cloudflare security products to provide a uniform user experience when interacting with the Cloudflare API.
-
-**The [previous Rate Limiting API](/api/resources/rate_limits/methods/list/) is now deprecated.** You will not be able to perform any API calls after 2025-06-15.
-
-### Relevant changes for Terraform users
-
-To configure the new rate limiting rules with Terraform, you must use the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) Terraform resource. Refer to the Terraform documentation for [examples of configuring the new rate limiting rules using Terraform](/terraform/additional-configurations/rate-limiting-rules/).
-
-**The [`cloudflare_rate_limit`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) Terraform resource is now deprecated.** You will not be able to perform configuration updates via Terraform using this resource after 2025-06-15.
-
-## Migrate to the new rate limiting rules
-
-Cloudflare recommends that you migrate your rules to the new system. Migration must be done manually. Since the new version of rate limiting rules is more powerful and offers additional controls, we encourage customers to reevaluate their rate limiting logic considering all the capabilities of the new Cloudflare rate limiting rules.
-
-### Free, Professional, and Business customers
-
-If you are a new customer, the Cloudflare dashboard will not show the interface for configuring the previous version of rate limiting rules.
-
-If you were using the previous version of rate limiting rules, you will have access to both products and they will both apply to your incoming traffic. You will have the same amount of rules granted in the new system as you had on September 20, 2022 or 5 rules, whichever is the largest value.
-
-The previous version of Rate Limiting was billed based on usage ($5 per million requests) while the new rate limiting rules are included in your plan and you will not have additional charges for using this feature.
-
-If you have any rules configured in the previous version of rate limiting rules, these rules will continue to run and you will still be charged based on usage. You should migrate your rules to the new system before 2025-06-15.
-
-Once you have deleted all rules from the previous version of rate limiting rules, the Cloudflare dashboard will only show the new version.
-
-### Enterprise customers
-
-Enterprise contracts that included the previous version of Cloudflare Rate Limiting were based on the good requests model, where customers were billed based on the predicted usage of the feature. If you were using the previous version of Cloudflare Rate Limiting, you will have access to both versions of the product with the same number of rules at no additional cost, and they will both apply to your incoming traffic (in this case, the new Rate Limiting will run first).
-
-You should migrate your rules to the new system before 2025-06-15. Once you have deleted all rules from the previous version of rate limiting rules, the Cloudflare dashboard will only show the new version.
-
-As an Enterprise customer, you can also upgrade to [Advanced Rate Limiting](https://blog.cloudflare.com/advanced-rate-limiting/), a more feature-rich version of the new Rate Limiting implementation. Contact your account team to learn more about Advanced Rate Limiting.
diff --git a/src/content/partials/firewall/deprecation-notice.mdx b/src/content/partials/firewall/deprecation-notice.mdx
index bd4698769a9c70..3b21abc1c73e57 100644
--- a/src/content/partials/firewall/deprecation-notice.mdx
+++ b/src/content/partials/firewall/deprecation-notice.mdx
@@ -3,5 +3,5 @@
---
:::caution[Deprecation notice]
-Cloudflare Firewall Rules has been deprecated. Cloudflare has moved existing firewall rules to [WAF custom rules](/waf/custom-rules/). For more information on this change, refer to the [migration guide](/waf/reference/migration-guides/firewall-rules-to-custom-rules/).
+Cloudflare Firewall Rules has been deprecated. Cloudflare has moved existing firewall rules to [WAF custom rules](/waf/custom-rules/). For more information on this change, refer to the [upgrade guide](/waf/reference/legacy/firewall-rules-upgrade/).
:::
diff --git a/src/content/release-notes/api-deprecations.yaml b/src/content/release-notes/api-deprecations.yaml
index 16cc5a78ef1f58..71f0e09bc1f83b 100644
--- a/src/content/release-notes/api-deprecations.yaml
+++ b/src/content/release-notes/api-deprecations.yaml
@@ -198,7 +198,7 @@ entries:
description: |-
Deprecation date: June 15, 2025
- The Firewall Rules API and the Filters API are deprecated, since Firewall Rules was deprecated in favor of [WAF custom rules](/waf/custom-rules/). Refer to [Firewall Rules to WAF custom rules migration](/waf/reference/migration-guides/firewall-rules-to-custom-rules/) for more information about this change.
+ The Firewall Rules API and the Filters API are deprecated, since Firewall Rules was deprecated in favor of [WAF custom rules](/waf/custom-rules/). Refer to [Firewall Rules upgrade](/waf/reference/legacy/firewall-rules-upgrade/) for more information about this change.
Deprecated APIs:
@@ -226,7 +226,7 @@ entries:
description: |-
Deprecation date: June 15, 2025
- The APIs for managing WAF managed rules (previous version) — namely for managing packages, rule groups, rules, and overrides — are deprecated in favor of [WAF Managed Rules](/waf/managed-rules/). Refer to [WAF Managed Rules migration](/waf/reference/migration-guides/waf-managed-rules-migration/) for more information about this change.
+ The APIs for managing WAF managed rules (previous version) — namely for managing packages, rule groups, rules, and overrides — are deprecated in favor of using the [Rulesets API](/ruleset-engine/rulesets-api/) for managing the new version of [WAF Managed Rules](/waf/managed-rules/). Refer to [WAF Managed Rules upgrade](/waf/reference/legacy/old-waf-managed-rules/upgrade/) for more information about this change.
Deprecated APIs:
@@ -252,7 +252,7 @@ entries:
description: |-
Deprecation date: June 15, 2025
- The Rate Limiting API is deprecated, since the previous version of rate limiting rules was deprecated in favor of the new [rate limiting rules](/waf/rate-limiting-rules/) based on the Ruleset Engine. Refer to [Rate limiting (previous version) deprecation notice](/waf/reference/migration-guides/old-rate-limiting-deprecation/) for more information about this change.
+ The Rate Limiting API is deprecated, in favor of using the [Rulesets API](/ruleset-engine/rulesets-api/) for managing the new [rate limiting rules](/waf/rate-limiting-rules/). Refer to [Rate limiting (previous version) upgrade](/waf/reference/legacy/old-rate-limiting/upgrade/) for more information about this change.
Deprecated API: