The action of a firewall rule tells Cloudflare how to handle HTTP requests that have matched the rule expression.
Supported actions
The table below lists the actions available in firewall rules. These actions are listed in order of precedence. If the same request matches two different rules which have the same priority, precedence determines the action to take.
For example, the Allow action takes precedence over the Block action. In a case where a request matches a rule with the Allow action and another with the Block action, precedence resolves the tie, and Cloudflare allows the request.
There are two exceptions to this behavior: the Log and Bypass actions. Unlike other actions, Log and Bypass do not terminate further evaluation within firewall rules. This means that if a request matches two different rules and one of those rules specifies the Log or Bypass action, the second action will be triggered instead, even though Log/Bypass has precedence.
Action
Description
Order of precedence
Log
API value:
log
Records matching requests in the Cloudflare Logs.
Only available for Enterprise plans.
Recommended for validating rules before committing to a more severe
action.
1
Bypass
API value:
bypass
Allows user to dynamically disable Cloudflare security features for
a request.
Available to all plans.
Matching requests exempt from evaluation by a user-defined list
containing one or more of the following Cloudflare security
features:
Currently, you cannot bypass Bot Fight Mode. For more
information on this product, refer to
Cloudflare bot solutions.
You cannot bypass the new
WAF managed rules using this
action, only the previous version of WAF managed rules. To skip
one or more managed rules in the new WAF for specific requests,
Requests which match the Bypass action are still subject to
evaluation (and thus a challenge or block) within Firewall Rules,
based on the order of execution.
2
Allow
API value:
allow
Matching requests are exempt from Bypass, Block,
and challenge actions triggered by other firewall rules.
The scope of the Allow action is limited to firewall rules;
matching requests are not exempt from action by
other Cloudflare security products such as Bot Fight Mode, IP Access
Rules, and WAF Managed Rules.
Matched requests will be mitigated if they are part of a DDoS
attack.
3
Interactive Challenge
API value:
challenge
This option is not recommended. Instead, choose
Managed Challenge (Recommended), which issues
interactive challenges to visitors only when necessary.
The client that made the request must pass an interactive challenge.
If successful, Cloudflare accepts the matched request; otherwise, it
is blocked.
Helps reduce the lifetimes of human time spent solving interactive
challenges across the Internet.
Depending on the characteristics of a request, Cloudflare will
dynamically choose the appropriate type of challenge from the
following actions based on specific criteria:
Show a non-interactive challenge page (similar to the current JS
Challenge).
Show an interactive challenge (such as requiring the visitor to
click a button or to perform a task).
When you configure a firewall rule with one of the challenge actions — Managed Challenge, JS Challenge, or Interactive Challenge — and a request matches the rule, one of two things can happen:
The request is blocked if the visitor fails the challenge
The request is allowed if the visitor passes the challenge
In this last case, no further firewall rules will be processed. This means that the action of any later rules with a challenge or Block action also matching the request will not be applied, and the request will be allowed.
