Create a rule

Create an Advanced DNS Protection rule

  1. In the Cloudflare dashboard, go to the L3/4 DDoS protection page.

    Go to DDoS Managed Rules
  2. Go to Advanced Protection > Advanced DNS Protection.

  3. Select Create Advanced DNS Protection rule.

  4. In Mode, select a mode for the rule.

  5. Under Set scope, select a scope to determine the range of packets that will be affected by the rule.

  6. Under Sensitivity, define the burst sensitivity, rate sensitivity, and profile sensitivity to determine when to initiate mitigation.

  7. Select Deploy.


Create an Advanced TCP Protection rule

To create a SYN flood rule or an out-of-state TCP rule:

  1. In the Cloudflare dashboard, go to the L3/4 DDoS protection page.

    Go to DDoS Managed Rules
  2. Go to Advanced Protection > Advanced TCP Protection.

  3. Depending on the rule you are creating, do one of the following:

    • Under SYN Flood Protection, select Create SYN flood rule.
    • Under Out-of-state TCP Protection, select Create out-of-state TCP rule.
  4. In Mode, select a mode for the rule.

  5. Under Set scope, select a scope for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center.

  6. Under Sensitivity, define the burst sensitivity and rate sensitivity of the rule (by default, Medium). The sensitivity levels are based on the initially configured thresholds for your specific case.

  7. Select Deploy.


Create a Programmable Flow Protection rule

To create a Programmable Flow Protection rule:

  1. In the Cloudflare dashboard, go to the L3/4 DDoS protection page.

    Go to DDoS Managed Rules
  2. Go to Advanced Protection > Programmable Flow Protection.

  3. In General Settings, select a program. The chosen program must have a status of success, indicating it has successfully compiled and passed verification. This field is required.

  4. In General Settings, select a mode for the rule. This field is required.

  5. Under Set scope, optionally select a scope for the rule. If you choose to apply the rule to a subset of incoming packets, select a region or a data center. The default scope setting is global.

  6. Under Set scope, optionally select a packet filter expression. If you choose to apply a rule to a subset of incoming packets, select the IP and UDP characteristics to filter on. The default setting applies a rule to all UDP packets.

  7. Select Deploy.