From 9e60d2b388db6f345de102333d6897098b54c167 Mon Sep 17 00:00:00 2001
From: tobicf <149098761+tobicf@users.noreply.github.com>
Date: Fri, 19 Dec 2025 08:56:22 -0600
Subject: [PATCH] [WAF] Update Zone Lockdown page (#27204)
* Also updates custom rules use cases
---------
Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
---
.../allow-traffic-from-ips-in-allowlist.mdx | 33 ++++++++-----
.../use-cases/site-admin-only-known-ips.mdx | 17 +++++--
src/content/docs/waf/tools/zone-lockdown.mdx | 49 ++++++++++++++++---
3 files changed, 76 insertions(+), 23 deletions(-)
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx
index 52d3d7670d..a9240e2796 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx
@@ -8,26 +8,37 @@ head:
import { Steps } from "~/components";
-This example skips WAF rules for requests from IP addresses in an allowlist (defined using an [IP list](/waf/tools/lists/custom-lists/#ip-lists)).
+This example blocks incoming requests from IP addresses that are not present in an allowlist (defined using an [IP list](/waf/tools/lists/custom-lists/#ip-lists)).
1. [Create an IP list](/waf/tools/lists/create-dashboard/) with the IP addresses for which you want to allow access.
For example, create an IP list named `allowed_ips` with one or more IP addresses. For more information on the accepted IP address formats, refer to [IP lists](/waf/tools/lists/custom-lists/#ip-lists).
-2. [Create a custom rule](/waf/custom-rules/create-dashboard/) skipping all rules for any request from the IPs in the list you created (`allowed_ips` in the current example).
- - **Expression**: `(ip.src in $allowed_ips)`
- - **Action**: _Skip:_
- - _All remaining custom rules_
- - _Skip phases_:
- - _All rate limiting rules_
- - _All Super Bot Fight Mode rules_
- - _All managed rules_
+2. [Create a custom rule](/waf/custom-rules/create-dashboard/) blocking any requests from IPs not present in the list you created (`allowed_ips` in the current example).
+ - **When incoming requests match**:
+
+ | Field | Operator | Value |
+ | ----------------- | -------------- | ------------- |
+ | IP Source Address | is not in list | `allowed_ips` |
+
+ If you are using the Expression Editor:
+ `(not ip.src in $allowed_ips)`
+
+ - **Action**: _Block_
+
+3. (Optional) Update your expression with any extra filters, like blocking non-allowlisted IPs only for specific URI paths:
+
+ | Field | Operator | Value | |
+ | ----------------- | -------------- | ------------- | --- |
+ | IP Source Address | is not in list | `allowed_ips` | And |
+ | URI Path | wildcard | `/admin/*` | |
+
+ If you are using the Expression Editor:
+ `(not ip.src in $allowed_ips and http.request.uri.path wildcard "/admin/*")`
-Make sure the new rule appears before any other custom rules in the rules list.
-
## Other resources
- [Use case: Require known IP addresses in site admin area](/waf/custom-rules/use-cases/site-admin-only-known-ips/)
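Review bot: the removed sentence `Make sure the new rule appears before any other custom rules in the rules list.` still applies to the new Block rule: a custom rule ordered earlier with a Skip action covering _All remaining custom rules_ (the very action the old version of this page used) would let non-allowlisted requests past this block, so keep an ordering sentence reworded for the Block action, or say the rule should be placed first. Minor: the optional step 3 with `/admin/*` largely duplicates the site-admin use case linked under Other resources; a short cross-reference there would avoid two versions of the same rule drifting apart.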
diff --git a/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx b/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx
index 48af7d5d09..5cfdf876bf 100644
--- a/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx
@@ -3,15 +3,22 @@ pcx_content_type: configuration
title: Require known IP addresses in site admin area
---
-If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your site’s admin area by blocking requests for access to admin paths that do not come from a known IP address.
+If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your site's admin area by blocking requests for access to admin paths that do not come from a known IP address.
-This example custom rule limits access to the WordPress admin area, `/wp-admin/`, by blocking requests that do not originate from a specified set of IP addresses:
+This example [custom rule](/waf/custom-rules/create-dashboard/) limits access to the WordPress admin area, `/wp-admin/`, by blocking requests that do not originate from a specified set of IP addresses:
+
+- **When incoming requests match**:
+
+ | Field | Operator | Value | |
+ | ----------------- | --------- | ------------------------------ | --- |
+ | IP Source Address | is not in | `10.20.30.40` `192.168.1.0/24` | And |
+ | URI Path | wildcard | `/wp-admin/*` | |
+
+ If you are using the Expression Editor:
+ `(not ip.src in {10.20.30.40 192.168.1.0/24} and http.request.uri.path wildcard "/wp-admin/*")`
-- **Expression**: `(not ip.src in {10.20.30.40 192.168.1.0/24} and starts_with(lower(http.request.uri.path), "/wp-admin"))`
- **Action**: _Block_
-To prevent attackers from successfully using a permutation of `/wp-admin/` such as `/wP-AdMiN/`, the expression uses the [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function to convert the URI path to lowercase.
-
## Other resources
- [Use case: Allow traffic from IP addresses in allowlist only](/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist/)
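Review bot: deleting `lower()` together with the paragraph that explained it (the `/wP-AdMiN/` permutation) leaves this page with no statement about case handling; if the `wildcard` operator in the new expression matches case-insensitively, say so in one sentence where the removed paragraph stood, otherwise the protection the old text described is lost. Also, `starts_with(lower(http.request.uri.path), "/wp-admin")` matched the bare path `/wp-admin` as well as anything under it, while `http.request.uri.path wildcard "/wp-admin/*"` requires the trailing slash; confirm that narrowing is intended, or use `"/wp-admin*"` to keep the old coverage.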
diff --git a/src/content/docs/waf/tools/zone-lockdown.mdx b/src/content/docs/waf/tools/zone-lockdown.mdx
index 391188bb4a..bb924ee787 100644
--- a/src/content/docs/waf/tools/zone-lockdown.mdx
+++ b/src/content/docs/waf/tools/zone-lockdown.mdx
@@ -21,13 +21,12 @@ All IP addresses not specified in the zone lockdown rule will not have access to
:::note
-Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of zone lockdown rules to block requests from IP addresses not present in an allowlist of IPs and CIDR ranges.
+Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of zone lockdown rules to block requests from IP addresses not present in an allowlist of IPs and CIDR ranges.
-For example, a custom rule equivalent to the zone lockdown [example rule](#example-rule) provided in this page could have the following configuration:
+For examples of using custom rules for this purpose, refer to the following use cases:
-- **Description**: `Block all traffic to staging and wiki unless it comes from HQ or branch offices`
-- **Expression**: `((http.host eq "staging.example.com") or (http.host eq "example.com" and starts_with(http.request.uri.path, "/wiki/")) and not ip.src in {192.0.2.0/24 2001:DB8::/64 203.0.133.1}`
-- **Action**: _Block_
+- [Allow traffic from IP addresses in allowlist only](/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist/)
+- [Require known IP addresses in site admin area](/waf/custom-rules/use-cases/site-admin-only-known-ips/)
:::
@@ -66,16 +65,19 @@ The number of available zone lockdown rules depends on your Cloudflare plan.
:::note
-Zone Lockdown is only available in the new security dashboard if you have configured at least one zone lockdown rule. Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of zone lockdown rules.
+Zone Lockdown is only available in the [new security dashboard](/security/) if you have configured at least one zone lockdown rule.
:::
+**If you have access to Zone Lockdown rules**
+
1. In the Cloudflare dashboard, go to the **Security rules** page.
-2. Select **Create rule** > **Zone lockdown rules**.
+2. Select **Create rule** > **Zone lockdown rules**.
+ If this option is not available, refer to the instructions below.
3. Enter a descriptive name for the rule in **Name**.
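Review bot: the `-2. Select **Create rule** > **Zone lockdown rules**.` and `+2. Select ...` lines read as identical, so the change is presumably trailing whitespace used as a markdown hard line break before the indented `If this option is not available, refer to the instructions below.` line; that is fragile under editors that trim trailing whitespace, so prefer a blank line plus indentation (a nested paragraph inside step 2). The sentence also points at "the instructions below" without naming them; referring to the **If you do not have access to Zone Lockdown rules** section by its heading would survive later reordering of the page.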
@@ -89,6 +91,22 @@ Zone Lockdown is only available in the new security dashboard if you have config
+**If you do not have access to Zone Lockdown rules**
+
+Create a [custom rule](/waf/custom-rules/create-dashboard/) to perform zone lockdown:
+
+
+
+1. In the Cloudflare dashboard, go to the **Security rules** page.
+
+
+
+2. Select **Templates**, and then select the template **Allow only specified IP addresses**.
+
+3. Fill in the required fields and select **Deploy**.
+
+
+
Issue a `POST` request for the [Create a Zone Lockdown rule](/api/resources/firewall/subresources/lockdowns/methods/create/) operation similar to the following:
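Review bot: the added block contains runs of three blank `+` lines (before step 1, between steps 1 and 2, and after step 3); if those were meant to wrap the list in the `Steps` component that the first file in this patch imports, the component tags are missing, and if not they should collapse to a single blank line so steps 1 to 3 render as one list. Either way the section ends with no transition before the unchanged `Issue a `POST` request ...` API text that follows step 3, so check that the dashboard and API instructions are still separated as intended.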
@@ -146,6 +164,23 @@ The following example rule will only allow visitors connecting from a company’
This example would not protect an internal wiki located on a different directory path such as `example.com/internal/wiki`.
+:::note
+
+A [custom rule](/waf/custom-rules/create-dashboard/) with an equivalent behavior would have the following configuration:
+
+**Description**:
+`Block all traffic to staging and wiki unless it comes from HQ or branch offices`
+
+**Expression**:
+
+```txt
+((http.host eq "staging.example.com") or (http.host eq "example.com" and http.request.uri.path wildcard "/wiki/*")) and not ip.src in {192.0.2.0/24 2001:DB8::/64 203.0.133.1}
+```
+
+**Action**: _Block_
+
+:::
+
## Access denied example
A visitor from an unauthorized IP will get the following error when there is a match for a zone lockdown rule:
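Review bot: `203.0.133.1` in the allowlist of the new note is outside the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and is therefore a routable address; it looks like a typo for `203.0.113.1` and should be corrected here and wherever the page's zone lockdown example repeats it, so readers do not copy a real third-party address into an allowlist. The expression itself is an improvement over the one removed earlier in this patch: the parentheses around the `or` group are now balanced, so `not ip.src in {...}` applies to both the staging host and the wiki path rather than only the second operand.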