Skip to content

Phases

The Web Application Firewall provides the following phases where you can create rulesets and rules:

  • http_request_firewall_custom
  • http_ratelimit
  • http_request_firewall_managed

These phases exist both at the account level and at the zone level. Considering the available phases and the two different levels, rules will be evaluated in the following order:

WAF featureScopePhaseRuleset kindLocation in the dashboard
Custom rulesets
Accounthttp_request_firewall_customcustom (create)
root (deploy)
Account Home > WAF > Custom rulesets
Custom rulesZonehttp_request_firewall_customzoneYour zone > Security > WAF > Custom rules
Rate limiting rulesetsAccounthttp_ratelimitrootAccount Home > WAF > Rate limiting rulesets
Rate limiting rulesZonehttp_ratelimitzoneYour zone > Security > WAF > Rate limiting rules
WAF managed rulesetsAccounthttp_request_firewall_managedrootAccount Home > WAF > Managed rulesets
WAF Managed RulesZonehttp_request_firewall_managedzoneYour zone > Security > WAF > Managed rules

To learn more about phases, refer to Phases in the Ruleset Engine documentation.