diff --git a/src/assets/images/waf/custom-rules/custom-rules-tab.png b/src/assets/images/waf/custom-rules/custom-rules-tab.png
deleted file mode 100644
index 69f8bc93eaa049a..000000000000000
Binary files a/src/assets/images/waf/custom-rules/custom-rules-tab.png and /dev/null differ
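Review bot: deleting `custom-rules-tab.png` is only safe if no other page still embeds it. Search the docs tree for the filename before merging, since any leftover reference would render as a broken image.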
diff --git a/src/content/docs/waf/reference/legacy/firewall-rules-upgrade.mdx b/src/content/docs/waf/reference/legacy/firewall-rules-upgrade.mdx
index 54c5f4ce435a1c8..7178756c1533439 100644
--- a/src/content/docs/waf/reference/legacy/firewall-rules-upgrade.mdx
+++ b/src/content/docs/waf/reference/legacy/firewall-rules-upgrade.mdx
@@ -6,13 +6,14 @@ sidebar:
label: Firewall rules upgrade
---
-Cloudflare upgraded existing [firewall rules](/firewall/) into [WAF custom rules](/waf/custom-rules/). With custom rules, you get the same level of protection and a few additional features. Custom rules are available in the Cloudflare dashboard at **Security** > **WAF** > **Custom rules**.
+Cloudflare upgraded existing [firewall rules](/firewall/) into [custom rules](/waf/custom-rules/). With custom rules, you get the same level of protection and a few additional features. Custom rules are available in the Cloudflare dashboard in the following location:
-:::caution[Deprecation notice]
+- Old dashboard: **Security** > **WAF** > **Custom rules**.
+- New security dashboard: **Security** > **Security rules**.
-**Cloudflare Firewall Rules is now deprecated.** The Firewall Rules API and Filters API, as well as the `cloudflare_firewall_rule` and `cloudflare_filter` Terraform resources, will only be available until 2025-06-15. If you have any automation based on these APIs and resources, you must migrate to the new APIs and resources before 2025-06-15 to avoid any issues.
+:::caution[Deprecation notice]
-On 2025-06-15, the APIs and resources mentioned above will stop working. Any remaining active firewall rules will be disabled, and the **Firewall rules** tab in the dashboard will be removed.
+**Cloudflare Firewall Rules is now deprecated.** The Firewall Rules API and Filters API, as well as the `cloudflare_firewall_rule` and `cloudflare_filter` Terraform resources, are no longer supported since 2025-06-15. If you have any automation based on these APIs and resources, you must migrate to the new APIs and resources to avoid any issues.
If you have not upgraded to WAF custom rules yet, you may have some invalid configuration that prevents the upgrade from happening. In this case, contact your account team to get help with the upgrade to WAF custom rules.
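Review bot: the new lead-in ends with "in the following location:" but two locations follow, so it should read "locations". The rewritten notice also drops the earlier statement that remaining active firewall rules are disabled at the sunset date. That statement tells readers whether legacy rules still filter traffic, so keep it, in past tense, rather than removing it.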
@@ -38,8 +39,7 @@ The default block response is a Cloudflare standard HTML page. If you need to se
To define a custom response for a single rule, go to **Security** > **WAF** > [**Custom rules**](https://dash.cloudflare.com/?to=/:account/:zone/security/waf/custom-rules), edit the custom rule, and fill in the block-related options.
:::note
-
-Custom block response configurations will not be returned by the Firewall Rules API. You must use the [Rulesets API](/waf/custom-rules/create-api/#example-b) to manage this new feature.
+Custom block response configurations are not returned by the Firewall Rules API. You must use the [Rulesets API](/waf/custom-rules/create-api/#example-b) to manage this new feature.
:::
### Different error page for blocked requests
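Review bot: the unchanged sentence above the note still gives only the old path, **Security** > **WAF** > **Custom rules**, while the first hunk of this file now lists both the old dashboard and the new **Security** > **Security rules** location. Update this sentence the same way, or link to the custom rules page without a fixed path, so readers on the new dashboard can find the block-response options.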
@@ -104,7 +104,7 @@ For the custom rules converted from your existing firewall rules, Cloudflare wil
### Logs and events
-Events logged by custom rules are shown in [Security Events](/waf/analytics/security-events/), available at **Security** > **Events**, with `Custom Rules` as their source.
+Events logged by custom rules are shown in [Security Events](/waf/analytics/security-events/) with `Custom Rules` as their source.
You may still find events generated by Firewall Rules in the Security Events page when you select a time frame including the days when the transition to custom rules occurred. Similarly, you may still find events with both _Skip_ and _Allow_ actions in the same view during the transition period.
@@ -112,23 +112,21 @@ You may still find events generated by Firewall Rules in the Security Events pag
The preferred API for managing WAF custom rules is the [Rulesets API](/waf/custom-rules/create-api/). The Rulesets API is used on all recent Cloudflare security products to provide a uniform user experience when interacting with our API. For more information on migrating to the Rulesets API, refer to [Relevant changes for API users](#relevant-changes-for-api-users).
-The Firewall Rules API and Filters API will still work until 2025-06-15. There will be a single list of rules for both firewall rules and WAF custom rules, and this list contains WAF custom rules. Thanks to an internal conversion process, the Firewall Rules API and Filters API will return firewall rules/filters converted from these WAF custom rules.
+The Firewall Rules API and Filters API are no longer supported since 2025-06-15. There is now a single list of rules for both firewall rules and WAF custom rules, and this list contains WAF custom rules. Thanks to an internal conversion process, the Firewall Rules API and Filters API return firewall rules/filters converted from these WAF custom rules until the APIs sunset date.
-If you are using Terraform, the preferred way of configuring WAF custom rules is using [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources configured with the `http_request_firewall_custom` phase. For more information on updating your Terraform configuration, refer to [Relevant changes for Terraform users](#relevant-changes-for-terraform-users).
+If you are using Terraform, you must update your configuration to use [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources with the `http_request_firewall_custom` phase to manage custom rules. For more information on updating your Terraform configuration, refer to [Relevant changes for Terraform users](#relevant-changes-for-terraform-users).
## Relevant changes for dashboard users
-**The Firewall Rules tab in the Cloudflare dashboard is now deprecated**. Firewall rules are displayed as WAF custom rules in the Cloudflare dashboard at **Security** > **WAF** > **Custom rules**.
+**The Firewall Rules tab in the Cloudflare dashboard is now deprecated**. Firewall rules are displayed as [custom rules](/waf/custom-rules/) in the Cloudflare dashboard.
-
-
-For users that still have access to both products, the **Firewall rules** tab will only be available until 2025-06-15.
+For users that have access to both products, the **Firewall rules** tab is only available in the old dashboard in **Security** > **WAF**.
## Relevant changes for API users
-**The [Firewall Rules API](/firewall/api/cf-firewall-rules/) and the associated [Cloudflare Filters API](/firewall/api/cf-filters/) are now deprecated.** These APIs will stop working on 2025-06-15. You must manually update any automation based on the Firewall Rules API or Cloudflare Filters API to the [Rulesets API](/waf/custom-rules/create-api/) before this date to prevent any issues. Rule IDs are different between firewall rules and custom rules, which may affect automated processes dealing with specific rule IDs.
+**The [Firewall Rules API](/firewall/api/cf-firewall-rules/) and the associated [Cloudflare Filters API](/firewall/api/cf-filters/) are now deprecated.** These APIs are no longer supported since 2025-06-15. You must manually update any automation based on the Firewall Rules API or Cloudflare Filters API to the [Rulesets API](/waf/custom-rules/create-api/) to prevent any issues. Rule IDs are different between firewall rules and custom rules, which may affect automated processes dealing with specific rule IDs.
-For the time being, all three APIs will be available (Firewall Rules API, Filters API, and Rulesets API). Cloudflare will internally convert your [Firewall Rules API](/firewall/api/cf-firewall-rules/) and [Filters API](/firewall/api/cf-filters/) calls into the corresponding [Rulesets API](/waf/custom-rules/create-api/) calls. The converted API calls between the Firewall Rules API/Filters API and the Rulesets API appear in audit logs as generated by Cloudflare and not by the actual user making the requests. There will be a single list of rules for both firewall rules and WAF custom rules.
+Before the APIs sunset date, Cloudflare will internally convert your [Firewall Rules API](/firewall/api/cf-firewall-rules/) and [Filters API](/firewall/api/cf-filters/) calls into the corresponding [Rulesets API](/waf/custom-rules/create-api/) calls. The converted API calls between the Firewall Rules API/Filters API and the Rulesets API appear in audit logs as generated by Cloudflare and not by the actual user making the requests. There will be a single list of rules for both firewall rules and WAF custom rules.
Some new features of WAF custom rules, like custom responses for blocked requests and the _Skip_ action, are not supported in the Firewall Rules API. To take advantage of these features, Cloudflare recommends that you use the custom rules page in the Cloudflare dashboard or the Rulesets API.
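Review bot: the sunset wording contradicts itself in two added lines. The paragraph that says the APIs "are no longer supported since 2025-06-15" goes on to say they "return firewall rules/filters ... until the APIs sunset date", and the API section now opens with "Before the APIs sunset date, Cloudflare will internally convert". Both describe, in present or future tense, a period the same text says has ended. Put the conversion behaviour in past tense or remove it, and write "the API sunset date" as the rate limiting page does. Also confirm the new claim that the **Firewall rules** tab is still available in the old dashboard, since the notice removed earlier in this file said the tab would be removed on 2025-06-15.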
@@ -141,9 +139,9 @@ Refer to the WAF documentation for [examples of managing WAF custom rules using
- [`cloudflare_firewall_rule`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/firewall_rule)
- [`cloudflare_filter`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/filter)
-These resources will stop working on 2025-06-15. If you are currently using these resources to manage your Firewall Rules configuration, you must manually update any Terraform configuration to [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources before this date to prevent any issues.
+These resources are no longer supported since 2025-06-15. If you are using these resources to manage your Firewall Rules configuration, you must manually update any Terraform configuration to [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources to prevent any issues.
-For the time being, all three Terraform resources will be available (`cloudflare_firewall_rule`, `cloudflare_filter`, and `cloudflare_ruleset`). There will be a single list of rules for both firewall rules and WAF custom rules.
+There will be a single list of rules for both firewall rules and WAF custom rules.
Some new features of WAF custom rules are not supported in the deprecated Terraform resources. To take advantage of these features, Cloudflare recommends that you use the `cloudflare_ruleset` resource.
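Review bot: "There will be a single list of rules" is left in future tense here, while the same statement earlier in this file was changed to "There is now a single list of rules". With the sentence about the three available resources removed, this line is also a one-sentence paragraph with no context. Align the tense and fold it into the paragraph above or below.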
@@ -215,7 +213,6 @@ The recommended steps for replacing your firewall rules (and filters) configurat
:::caution
You must remove firewall rules and filters from Terraform state before deleting their configuration from `.tf` configuration files to prevent issues.
:::
-
1. Run the following command to find all resources related to firewall rules and filters:
```sh
diff --git a/src/content/docs/waf/reference/legacy/old-rate-limiting/upgrade.mdx b/src/content/docs/waf/reference/legacy/old-rate-limiting/upgrade.mdx
index 668ef4ca07c898e..a0103884dfb3f5e 100644
--- a/src/content/docs/waf/reference/legacy/old-rate-limiting/upgrade.mdx
+++ b/src/content/docs/waf/reference/legacy/old-rate-limiting/upgrade.mdx
@@ -18,7 +18,7 @@ The Cloudflare dashboard will now show all your rate limiting rules in a single
**The [Rate Limiting API](/api/resources/rate_limits/) and the [`cloudflare_rate_limit`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) Terraform resource for the previous version of rate limiting rules are now deprecated.**
-This API and Terraform resource will only be available until 2025-06-15. After this date you will need to use the [Rulesets API](/ruleset-engine/rulesets-api/) and the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) Terraform resource to configure rate limiting rules.
+This API and Terraform resource are no longer supported since 2025-06-15. You must use the [Rulesets API](/ruleset-engine/rulesets-api/) and the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) Terraform resource to configure rate limiting rules.
:::
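Review bot: "are no longer supported since 2025-06-15" pairs a present-tense state with "since"; use "have not been supported since 2025-06-15" or "are no longer supported as of 2025-06-15". The same phrase is added in every deprecation notice in this patch, so fix it consistently across the three files.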
@@ -60,18 +60,17 @@ For more details on the differences between old and new rate limiting rules, ref
### Relevant changes in the dashboard
If you had access to the previous version of Cloudflare Rate Limiting, you will now find all rate limiting rules in the same list in **Security** > **WAF** > **Rate limiting rules**.
-
-If you are using the new [application security dashboard](/security/) (currently in beta), all the rate limiting rules for your zone will be available at **Security** > **Security rules**.
-
-Rate limiting rules created in the previous version will be tagged with `Previous version` in the Cloudflare dashboard.
+Rate limiting rules created in the previous version are tagged with `Previous version` in the Cloudflare dashboard.

+If you are using the new [application security dashboard](/security/) (currently in beta), only the rate limiting rules that have been upgraded to the new version will be shown at **Security** > **Security rules**.
+
If you edit a rule with this tag in the dashboard, you will no longer be able to edit the rule using the API and Terraform resource for the previous version of rate limiting rules. In this case, you will need to start using the [Rulesets API](/ruleset-engine/rulesets-api/) or the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) Terraform resource for this purpose. Refer to [Relevant changes for API users](#relevant-changes-for-api-users) and [Relevant changes for Terraform users](#relevant-changes-for-terraform-users) for more information.
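Review bot: after the reordering, "If you edit a rule with this tag" follows the new-dashboard paragraph rather than the sentence that introduces the `Previous version` tag, so "this tag" has no nearby antecedent. Name the tag in that sentence or move the new-dashboard paragraph below it. The blank line after the **Rate limiting rules** sentence is also removed, so the "tagged with `Previous version`" sentence now joins that paragraph; confirm that is intended.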
### Relevant changes for API users
-**The previous Rate Limiting API is deprecated.** You will not be able to invoke any operations of this API after 2025-06-15. You must update any automation based on the [previous Rate Limiting API](/api/resources/rate_limits/) to the [Rulesets API](/waf/rate-limiting-rules/create-api/) before this date to prevent any issues.
+**The previous Rate Limiting API is deprecated.** The API is no longer supported since 2025-06-15. You must update any automation based on the [previous Rate Limiting API](/api/resources/rate_limits/) to the [Rulesets API](/waf/rate-limiting-rules/create-api/) to prevent any issues.
The new rate limiting rules are based on the [Ruleset Engine](/ruleset-engine/). To configure these rate limiting rules via the API you must use the [Rulesets API](/ruleset-engine/rulesets-api/). Since rate limiting rules created in the previous version were upgraded to the new version, this API will also return these rules created in the new version.
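Review bot: the sentence that follows this paragraph, visible in the next hunk header as "Until the API sunset date, you can use the", is not touched by the patch and now contradicts the added statement that the API is no longer supported since 2025-06-15. Rewrite or remove it in the same change.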
@@ -81,7 +80,7 @@ Until the API sunset date, you can use the [previous Rate Limiting API](/api/res
### Relevant changes for Terraform users
-**The `cloudflare_rate_limit` Terraform resource is deprecated.** You will not be able to perform configuration updates via Terraform using this resource after 2025-06-15. You must manually update your rate limiting configuration in Terraform from [`cloudflare_rate_limit`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) resources to [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources before the sunset date to prevent any issues.
+**The `cloudflare_rate_limit` Terraform resource is deprecated.** The resource is no longer supported since 2025-06-15. You must manually update your rate limiting configuration in Terraform from [`cloudflare_rate_limit`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) resources to [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resources to prevent any issues.
The new rate limiting rules are based on the [Ruleset Engine](/ruleset-engine/). To configure these rate limiting rules with Terraform you must use the `cloudflare_ruleset` Terraform resource.
@@ -155,7 +154,6 @@ The recommended steps for replacing your old rate limiting configuration in Terr
:::caution[Important]
You must remove rate limiting rules configured through the `cloudflare_rate_limit` resource from Terraform state before deleting their configuration from `.tf` configuration files to prevent issues.
:::
-
1. Run the following command to find all resources related to rate limiting rules (previous version):
```sh
diff --git a/src/content/docs/waf/reference/legacy/old-waf-managed-rules/upgrade.mdx b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/upgrade.mdx
index 201967d7b8d9cac..ce9cbae60ab62ec 100644
--- a/src/content/docs/waf/reference/legacy/old-waf-managed-rules/upgrade.mdx
+++ b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/upgrade.mdx
@@ -9,13 +9,13 @@ import { GlossaryTooltip } from "~/components";
On 2022-05-04, Cloudflare started the upgrade from the [previous version of WAF managed rules](/waf/reference/legacy/old-waf-managed-rules/) to the new [WAF Managed Rules](/waf/managed-rules/), allowing a first set of eligible zones to migrate. Currently, all zones can upgrade to WAF Managed Rules, including partner accounts.
-You can start the upgrade process for a zone in the Cloudflare dashboard or via API. Currently, this process is always started by you. **The upgrade is irreversible** — once you upgrade to the new WAF Managed Rules, you cannot go back to using WAF managed rules.
+Cloudflare is gradually upgrading all zones to the new version of WAF Managed Rules. You can also start the upgrade process manually for a zone in the Cloudflare dashboard or via API. **The upgrade is irreversible** — once you upgrade to the new WAF Managed Rules, you cannot go back to the previous version.
Once the upgrade finishes, the **Managed rules** tab in the Cloudflare dashboard (available in **Security** > **WAF** > **Managed rules**) will display a new interface, and the WAF managed rules APIs will stop working.
:::caution[Deprecation notice]
-**The APIs and Terraform resources related to the previous version of WAF managed rules are deprecated.** The [APIs for managing the previous version of WAF managed rules](#api-changes) will stop working on 2025-06-15. The same applies to [Terraform resources](#terraform-changes) related to the previous version of WAF managed rules. You must migrate before this date to avoid any issues.
+**The APIs and Terraform resources related to the previous version of WAF managed rules are deprecated.** The [APIs for managing the previous version of WAF managed rules](#api-changes) are no longer supported since 2025-06-15. The same applies to [Terraform resources](#terraform-changes) related to the previous version of WAF managed rules. You must migrate your configuration to avoid any issues.
Refer to [Possible upgrade errors](#possible-upgrade-errors) if you are having issues upgrading.
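Review bot: the added sentence says Cloudflare is gradually upgrading all zones, and the next one says the upgrade is irreversible, but nothing tells operators how they learn that a zone is about to be upgraded or what to review beforehand. Because the upgrade changes which managed rulesets inspect traffic, add a pointer to the notification or to the pre-upgrade checks. The unchanged line saying "the WAF managed rules APIs will stop working" once the upgrade finishes also sits awkwardly beside the notice that those APIs are no longer supported since 2025-06-15.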
@@ -30,7 +30,6 @@ The new version of WAF Managed Rules provides the following benefits over the pr
- **Updated Managed Rulesets** – The Cloudflare OWASP Core Ruleset, one of WAF's Managed Rulesets, is based on the latest version of the OWASP Core Ruleset (v3.x), which adds paranoia levels and improves false positives rates compared to the version used in WAF managed rules (2.x). You also have more control over the sensitivity score, with a clear indication of how much each rule contributes to the score and what was the total score of a triggered request.
- **Better rule browsing and configuration** – Deploy Managed Rulesets with a single click to get immediate protection. Override the behavior of entire rulesets, or customize a single rule. Apply overrides to all rules with a specific tag to adjust rules applicable to a given software or attack vector. You can deploy configurations like the following:
-
- Deploy the Cloudflare Managed Ruleset across all my zones.
- Deploy the Cloudflare OWASP Core Ruleset on all traffic that does not contain `/api/*` in the path.
- Disable Managed Rulesets across my account for traffic coming from my IP.
@@ -147,12 +146,10 @@ In phase 2 all zones are eligible for upgrade. The exact upgrade procedure varie
In phase 1 the upgrade became available to a subset of eligible zones, which had to meet the following requirements:
- The zone has:
-
- WAF disabled, or
- WAF enabled and only the Cloudflare Managed Ruleset is enabled (the OWASP ModSecurity Core Rule Set must be disabled).
- The zone has no [firewall rules](/firewall/cf-dashboard/) or [Page Rules](/rules/page-rules/) bypassing, enabling, or disabling WAF managed rules:
-
- Firewall rules configured with _Bypass_ > _WAF Managed Rules_.
- Page Rules configured with _Disable Security_.
- Page Rules configured with _Web Application Firewall: Off_ or _Web Application Firewall: On._
@@ -274,7 +271,7 @@ The upgrade process can take up to an hour. During this period you may observe s
The returned configuration in the example above, which would match the existing configuration for the previous WAF version, contains:
- A rule that executes the Cloudflare Managed Ruleset (ruleset ID efb7b8c949ac4650a09736fc376e9aee).
-- A single override for the rule `Apache Struts - Open Redirect - CVE:CVE-2013-2248` (rule ID 23ee7cebe6e8443e99ecf932ab579455) in the same ruleset, setting the action to `log` and disabling the rule.
+- A single override for the rule `Apache Struts - Open Redirect - CVE:CVE-2013-2248` (rule ID `23ee7cebe6e8443e99ecf932ab579455`) in the same ruleset, setting the action to `log` and disabling the rule.
3. (Optional, for Enterprise customers only) If you are upgrading an Enterprise zone to WAF Managed Rules, you can enter validation mode before finishing the upgrade. In this mode, both WAF implementations will be enabled. Use the [Update a zone entry point ruleset](/api/resources/rulesets/subresources/phases/methods/update/) operation, making sure you include the `waf_migration=validation&phase_two=1` query string parameters:
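Review bot: the rule ID is now in code formatting, but the ruleset ID `efb7b8c949ac4650a09736fc376e9aee` in the bullet directly above is still plain text. Format both identifiers the same way.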
@@ -448,21 +445,21 @@ The recommended steps for replacing your old WAF managed rules configuration in
3. Import the `cloudflare_ruleset` resource you previously identified into Terraform state using the `terraform import` command. For example:
-```sh
-terraform import cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31 zone//3c0b456bc2aa443089c5f40f45f51b31
-```
+ ```sh
+ terraform import cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31 zone//3c0b456bc2aa443089c5f40f45f51b31
+ ```
-```txt output
- cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Importing from ID "zone//3c0b456bc2aa443089c5f40f45f51b31"...
- cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Import prepared!
- Prepared cloudflare_ruleset for import
- cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Refreshing state... [id=3c0b456bc2aa443089c5f40f45f51b31]
+ ```txt output
+ cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Importing from ID "zone//3c0b456bc2aa443089c5f40f45f51b31"...
+ cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Import prepared!
+ Prepared cloudflare_ruleset for import
+ cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa443089c5f40f45f51b31: Refreshing state... [id=3c0b456bc2aa443089c5f40f45f51b31]
- Import successful!
+ Import successful!
- The resources that were imported are shown above. These resources are now in
- your Terraform state and will henceforth be managed by Terraform.
-```
+ The resources that were imported are shown above. These resources are now in
+ your Terraform state and will henceforth be managed by Terraform.
+ ```
4. Run `terraform plan` to validate that Terraform now checks the state of the new `cloudflare_ruleset` resource, in addition to other existing resources already managed by Terraform. For example:
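Review bot: the import ID in the re-indented command and its output reads `zone//3c0b456bc2aa443089c5f40f45f51b31`, with nothing between the two slashes. If a zone ID placeholder belongs there, make sure it is present in the source and renders inside the fenced block, since a reader copying the command as shown would pass an empty zone segment.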
@@ -484,7 +481,6 @@ terraform import cloudflare_ruleset.terraform_managed_resource_3c0b456bc2aa44308
:::caution
You must remove WAF packages, groups, and rules from Terraform state before deleting their configuration from `.tf` configuration files to prevent issues.
:::
-
1. Run the following command to find all resources related to the previous version of WAF managed rules:
```sh