Skip to content

Firewall events

The descriptions below detail the fields available for firewall_events.

Action

Type: string

The code of the first-class action the Cloudflare Firewall took on this request.
Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionclose | challengesolved | challengefailed | challengebypassed | jschallengesolved | jschallengefailed | jschallengebypassed | bypass | managedchallenge | managedchallengeskipped | managedchallengenoninteractivesolved | managedchallengeinteractivesolved | managedchallengebypassed.

ClientASN

Type: int

The ASN number of the visitor.

ClientASNDescription

Type: string

The ASN of the visitor as string.

ClientCountry

Type: string

Country from which request originated.

ClientIP

Type: string

The visitor’s IP address (IPv4 or IPv6).

ClientIPClass

Type: string

The classification of the visitor’s IP address, possible values are: unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor.

ClientRefererHost

Type: string

The referer host.

ClientRefererPath

Type: string

The referer path requested by visitor.

ClientRefererQuery

Type: string

The referer query-string was requested by the visitor.

ClientRefererScheme

Type: string

The referer URL scheme requested by the visitor.

ClientRequestHost

Type: string

The HTTP hostname requested by the visitor.

ClientRequestMethod

Type: string

The HTTP method used by the visitor.

ClientRequestPath

Type: string

The path requested by visitor.

ClientRequestProtocol

Type: string

The version of HTTP protocol requested by the visitor.

ClientRequestQuery

Type: string

The query-string was requested by the visitor.

ClientRequestScheme

Type: string

The URL scheme requested by the visitor.

ClientRequestUserAgent

Type: string

Visitor’s user-agent string.

ContentScanObjResults

Type: array[string]

List of content scan results.

ContentScanObjSizes

Type: array[int]

List of content object sizes.

ContentScanObjTypes

Type: array[string]

List of content types.

Datetime

Type: int or string

The date and time the event occurred at the edge.

Description

Type: string

The description of the rule triggered by this request.

EdgeColoCode

Type: string

The airport code of the Cloudflare datacenter that served this request.

EdgeResponseStatus

Type: int

HTTP response status code returned to browser.

Kind

Type: string

The kind of event, currently only possible values are: firewall.

LeakedCredentialCheckResult

Type: string

Result of the check for leaked credentials.

MatchIndex

Type: int

Rules match index in the chain. The last matching rule will have MatchIndex 0. If another rule matched before the last one, it will have MatchIndex 1. The same applies to any other matching rules, which will have a MatchIndex value of 2, 3, and so on.

Metadata

Type: object

Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time.

OriginResponseStatus

Type: int

HTTP origin response status code returned to browser.

OriginatorRayID

Type: string

The RayID of the request that issued the challenge/jschallenge.

RayID

Type: string

The RayID of the request.

Ref

Type: string

The user-defined identifier for the rule triggered by this request. Use refs to label your rules individually alongside the Cloudflare-provided RuleID. You can set refs via the Rulesets API for some security products.

RuleID

Type: string

The Cloudflare security product-specific RuleID triggered by this request.

Source

Type: string

The Cloudflare security product triggered by this request.
Possible sources are unknown | asn | country | ip | iprange | securitylevel | zonelockdown | waf | firewallrules | uablock | ratelimit | bic | hot | l7ddos | validation | botfight | apishield | botmanagement | dlp | firewallmanaged | firewallcustom | apishieldschemavalidation | apishieldtokenvalidation | apishieldsequencemitigation.