Firewall rules actions
The action of a firewall rule tells Cloudflare how to handle HTTP requests that have matched the rule expression.
Supported actions
The table below lists the actions available in firewall rules. These actions are listed in order of precedence. If the same request matches two different rules which have the same priority, precedence determines the action to take.
For example, the Allow action takes precedence over the Block action. In a case where a request matches a rule with the Allow action and another with the Block action, precedence resolves the tie, and Cloudflare allows the request.
There are two exceptions to this behavior: the Log and Bypass actions. Unlike other actions, Log and Bypass do not terminate further evaluation within firewall rules. This means that if a request matches two different rules and one of those rules specifies the Log or Bypass action, the second action will be triggered instead, even though Log/Bypass has precedence.
Action | Description | Order of precedence |
---|---|---|
Log API value: log |
| 1 |
Bypass API value: bypass |
| 2 |
Allow API value: allow |
| 3 |
Interactive Challenge API value: challenge |
| 4 |
Managed Challenge (Recommended) API value: managed_challenge |
| 5 |
JS Challenge API value: js_challenge |
| 6 |
Block API value: block | Matching requests are denied access to the site. | 7 |
Notes about challenge actions
When you configure a firewall rule with one of the challenge actions — Managed Challenge, JS Challenge, or Interactive Challenge — and a request matches the rule, one of two things can happen:
- The request is blocked if the visitor fails the challenge
- The request is allowed if the visitor passes the challenge
In this last case, no further firewall rules will be processed. This means that the action of any later rules with a challenge or Block action also matching the request will not be applied, and the request will be allowed.