Enable managed rulesets
With managed rulesets, you can quickly deploy rules maintained by Cloudflare, and you can use Magic Firewall to control which rules are enabled.
To enable or disable a rule, you can specify which properties should be overriden. The overrides occur in the Managed phase, root kind ruleset. Currently, you can only have one rule in the root ruleset, but a single rule can contain multiple overrides.
You have multiple options for enabling rules:
- Select an individual rule and enable it.
- Enable multiple rules by enabling by category in the
magic-transit-phase. - Enable an entire ruleset.
1. Create a Managed phase Managed kind ruleset
To create a managed ruleset, you must first build a request with the following:
managed_ruleset_id: The ID of the Managed phase Managed kind ruleset that contains the rule you want to enable.managed_rule_id: The ID of the rule you want to enable.
Additionally, you need the properties you want to override. The properties you can override include:
enabled: This value can be set totrueorfalse. When set totrue, the rule matches packets and applies the rule’s default action if the action is not overriden. When set tofalse, the rule is disabled and does not match any packets.action: The value can be set tologso the rule only produces logs instead of applying the rule’s default action.
The enabled and action properties for a rule are set in the Managed phase Managed kind ruleset. All rules in the Managed phase are currently disabled by default.
The example below contains a request for a Managed phase Managed Kind ruleset.
Example request - Create a Managed phase Managed Kind rulesetcurl -X POST "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/rulesets"
-H 'X-Auth-Email: user@example.com' \
-H 'X-Auth-Key: 00000000000' \
-H "Content-Type:application/json" \
--data '{ "name": "execute ruleset", "description": "Ruleset containing execute rules", "kind": "root", "phase": "magic_transit_managed", "rules": [ { "expression": "true", "action": "execute", "description": "Enable one rule ", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "version": "latest", "overrides": { "rules": [ { "id": "<MANAGED_RULE_ID>", "enabled": true, "action": "log" } ] } } } ]}'
2. Patch a Managed phase Managed kind ruleset
To ensure a root kind ruleset only contains one rule, patch the rule to enable new managed rules.
Building off the example from the previous step, the example below enables a category to select multiple rules instead of a single rule. The category will be set to log mode, which means the rule can produce logs but will not accept or drop packets.
Example request - Patch a Managed phase Managed kind rulesetcurl -X PATCH "https://api.staging.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/rulesets/<ROOT_KIND_RULESET>/rules/<ROOT_KIND_RULE>" \
-H 'X-Auth-Email: user@example.com' \
-H 'X-Auth-Key: 00000000000' \
-H "Content-Type:application/json" \
--data ' { "expression": "true", "action": "execute", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "version": "latest", "overrides": { "rules": [ { "id": "<MANAGED_RULE_ID>", "enabled": true } ], "categories": [ { "category": "simple", "enabled": true } ] } }}'
3. Enable all rules
To enable the complete ruleset or enable all rules, send the request below.
Example request to enable all rulescurl -X PATCH "https://api.staging.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/rulesets/<ROOT_KIND_RULESET>/rules/<ROOT_KIND_RULE>" \
-H 'X-Auth-Email: user@example.com' \
-H 'X-Auth-Key: 00000000000' \
-H "Content-Type:application/json" \
--data ' { "expression": "true", "action": "execute", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "version": "latest", "overrides": { "enabled": true } }}'
Delete a ruleset
To delete a ruleset, refer to Delete a rule in a ruleset.