Enable Managed Rulesets
With managed rulesets, you can quickly deploy rules maintained by Cloudflare, and you can use Magic Firewall to control which rules are enabled.
To enable or disable a rule, you can specify which properties should be overridden. The overrides occur in the Managed phase, root kind ruleset. Currently, you can only have one rule in the root ruleset, but a single rule can contain multiple overrides.
You have multiple options for enabling rules:
- Select an individual rule and enable it.
- Enable multiple rules by enabling by category in the
magic-transit-phase. - Enable an entire ruleset.
To create a managed ruleset, you must first build a request with the following:
managed_ruleset_id: The ID of the Managed phase Managed kind ruleset that contains the rule you want to enable.managed_rule_id: The ID of the rule you want to enable.
Additionally, you need the properties you want to override. The properties you can override include:
enabled: This value can be set totrueorfalse. When set totrue, the rule matches packets and applies the rule’s default action if the action is not overridden. When set tofalse, the rule is disabled and does not match any packets.action: The value can be set tologso the rule only produces logs instead of applying the rule’s default action.
The enabled and action properties for a rule are set in the Managed phase Managed kind ruleset. All rules in the Managed phase are currently disabled by default.
The example below contains a request for a Managed phase Managed Kind ruleset.
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{ "name": "execute ruleset", "description": "Ruleset containing execute rules", "kind": "root", "phase": "magic_transit_managed", "rules": [ { "expression": "true", "action": "execute", "description": "Enable one rule ", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "version": "latest", "overrides": { "rules": [ { "id": "<MANAGED_RULE_ID>", "enabled": true, "action": "log" } ] } } } ]}'To ensure a root kind ruleset only contains one rule, patch the rule to enable new managed rules.
Building off the example from the previous step, the example below enables a category to select multiple rules instead of a single rule. The category will be set to log mode, which means the rule can produce logs but will not accept or drop packets.
curl --request PATCH \https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{ "expression": "true", "action": "execute", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "version": "latest", "overrides": { "rules": [ { "id": "<MANAGED_RULE_ID>", "enabled": true } ], "categories": [ { "category": "simple", "enabled": true, "action": "log" } ] } }}'To enable the complete ruleset or enable all rules, send the request below.
curl --request PATCH \https://api.cloudflare.com/client/v4/accounts/{account_id}{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{ "expression": "true", "action": "execute", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "version": "latest", "overrides": { "enabled": true } }}'To delete a ruleset, refer to Delete a rule in a ruleset.
You can also use the dashboard to enable managed rulesets.
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic Firewall > Managed rules.
- Select Deploy managed ruleset.
- The page will refresh and show you rulesets configured by Cloudflare that are available to your account. Choose the ruleset you want with Select ruleset. If you do not see the ruleset you want, contact your account manager to get a list of all Magic Firewall Managed rulesets.
- Under Ruleset configuration, configure the Ruleset action from the drop-down menu. Cloudflare recommends you change this setting to Log to evaluate how the ruleset impacts your traffic before deciding on an action. For more information, refer to Override a managed ruleset.
- Still under Ruleset configuration, choose Enabled from the dropdown-menu for the Ruleset status. This will apply an override to the default status of all the rules in the ruleset.
- Select Deploy to deploy the Magic Firewall Managed ruleset with no rule-level overrides.
Applying a rule-level override allows you to customize the behavior of the managed ruleset. If you implemented Cloudflare’s above recommendation for the ruleset configuration, the rules will be set to a Log action and an Enabled status.
On the other hand, if you did not apply Cloudflare’s recommendation in the previous step, the ruleset is implemented with all its defaults applied.
To add rule-level overrides in the dashboard:
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic Firewall > Managed rules.
- In front of Magic Firewall Managed ruleset, select Manage.
- Select Browse rules.
- In the rule you need to change, select an Action from the drop-down to change its action, or use the toggle to disable or enable the rule.
- Select Next.
- Select Save.
The Cloudflare dashboard should now show you the rule-level override you have set.
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic Firewall > Managed rules.
- Select Manage.
- Select Delete deployment.
Your Magic Firewall managed ruleset is now deleted.