Cloudflare has a few ruleset packages that are available for use in Cloudflare's Web Application Firewall (WAF). These are:
- Cloudflare Rulesets (predefined)
- OWASP Rulesets (predefined)
- Custom WAF Rules (customisable for your business)
Our article, How do I configure the WAF?, gives a more detailed overview of the different types of rulesets that you can configure. This article describes how to create a Custom WAF rule.
What is a Custom WAF rule?
Custom WAF Rules, available on the Business and Enterprise plans, are rules that the Cloudflare WAF team writes specifically for a customer, based on that customer's unique requirements and/or their website's traffic patterns. This means that you can ask us to block virtually any combination of characteristics of a request.
This caters for situations where an attacker is using a specific pattern or user agent, possibly one that targets your website's structure in particular and not other customers, and the Cloudflare WAF doesn't already have a rule in place. In these situations, you can create a custom rule for your web property.
Example use case:
For example, we can make a rule that blocks a request if the URL contains the word "hello", and the User-Agent contains the word "world", and only if that request's Referer doesn't contain "example.com". The possibilities are endless. For Custom rules, we will either create a rule as per your requirements, or in some cases we will review traffic patterns using logs either on our end or from your servers, and come up with the appropriate rules that would protect you from any undesired traffic.
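Before requesting a rule like the one above, it helps to replay it against your own server logs to see which requests it would block. The following is an added example, not Cloudflare's rule syntax or code; it assumes Combined Log Format, case-sensitive substring matching, and constructed sample log lines.

```python
import re

# Combined Log Format (assumed): ip - user [time] "METHOD url PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /hello HTTP/1.1" 200 512 "-" "world-bot/1.0"',
    '198.51.100.4 - - [10/Mar/2024:10:00:02 +0000] "GET /hello HTTP/1.1" 200 512 "https://example.com/start" "world-browser/2.0"',
    '192.0.2.9 - - [10/Mar/2024:10:00:03 +0000] "GET /hello?x=1 HTTP/1.1" 200 512 "https://other.test/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /about HTTP/1.1" 200 128 "-" "world-bot/1.0"',
    'truncated line without the expected fields',
]

def parse_line(line):
    """Return a dict of request fields, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    req = m.groupdict()
    if req["referer"] == "-":  # "-" is how the log records a missing Referer
        req["referer"] = ""
    return req

def would_block(req):
    # The three conditions from the example use case, all of which must hold.
    # A missing Referer does not contain "example.com", so it satisfies the third.
    return ("hello" in req["url"]
            and "world" in req["ua"]
            and "example.com" not in req["referer"])

def dry_run(lines):
    """Split log lines into (blocked, passed, unparsed) under the example rule."""
    blocked, passed, unparsed = [], [], []
    for line in lines:
        req = parse_line(line)
        if req is None:
            unparsed.append(line)  # review these by hand rather than ignoring them
        elif would_block(req):
            blocked.append(req)
        else:
            passed.append(req)
    return blocked, passed, unparsed
```

Reviewing the `blocked` list for legitimate clients before submitting the request gives the support team concrete traffic samples to test against.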
How do I create a Custom WAF rule or submit a Custom WAF rule request?
There are two ways to create a custom WAF rule:
1. Contact Cloudflare Support by submitting a support ticket with the relevant WAF rule information.
2. Request a custom WAF rule via the Cloudflare dashboard: In the Firewall app under the Managed Rules tab, click on Request a rule in the Web Application Firewall section.
Please note that Custom WAF rules can take up to 3 business days to be implemented fully. This is due to our staff having to build, test, and deploy the rule(s).