Firewall events
The descriptions below detail the fields available for firewall_events.
Action
Section titled “Action”Type: string
The code of the first-class action the Cloudflare Firewall took on this request.
Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionclose | challengesolved | challengebypassed | jschallengesolved | jschallengebypassed | bypass | managedchallenge | managedchallengenoninteractivesolved | managedchallengeinteractivesolved | managedchallengebypassed.
ClientASN
Section titled “ClientASN”Type: int
The ASN number of the visitor.
ClientASNDescription
Section titled “ClientASNDescription”Type: string
The ASN of the visitor as string.
ClientCountry
Section titled “ClientCountry”Type: string
Country from which request originated.
ClientIP
Section titled “ClientIP”Type: string
The visitor's IP address (IPv4 or IPv6).
ClientIPClass
Section titled “ClientIPClass”Type: string
The classification of the visitor's IP address, possible values are: unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor.
ClientRefererHost
Section titled “ClientRefererHost”Type: string
The referer host.
ClientRefererPath
Section titled “ClientRefererPath”Type: string
The referer path requested by visitor.
ClientRefererQuery
Section titled “ClientRefererQuery”Type: string
The referer query-string was requested by the visitor.
ClientRefererScheme
Section titled “ClientRefererScheme”Type: string
The referer URL scheme requested by the visitor.
ClientRequestHost
Section titled “ClientRequestHost”Type: string
The HTTP hostname requested by the visitor.
ClientRequestMethod
Section titled “ClientRequestMethod”Type: string
The HTTP method used by the visitor.
ClientRequestPath
Section titled “ClientRequestPath”Type: string
The path requested by visitor.
ClientRequestProtocol
Section titled “ClientRequestProtocol”Type: string
The version of HTTP protocol requested by the visitor.
ClientRequestQuery
Section titled “ClientRequestQuery”Type: string
The query-string was requested by the visitor.
ClientRequestScheme
Section titled “ClientRequestScheme”Type: string
The URL scheme requested by the visitor.
ClientRequestUserAgent
Section titled “ClientRequestUserAgent”Type: string
Visitor's user-agent string.
ContentScanObjResults
Section titled “ContentScanObjResults”Type: array[string]
List of content scan results.
ContentScanObjSizes
Section titled “ContentScanObjSizes”Type: array[int]
List of content object sizes.
ContentScanObjTypes
Section titled “ContentScanObjTypes”Type: array[string]
List of content types.
Datetime
Section titled “Datetime”Type: int or string
The date and time the event occurred at the edge.
Description
Section titled “Description”Type: string
The description of the rule triggered by this request.
EdgeColoCode
Section titled “EdgeColoCode”Type: string
The airport code of the Cloudflare data center that served this request.
EdgeResponseStatus
Section titled “EdgeResponseStatus”Type: int
HTTP response status code returned to browser.
Type: string
The kind of event, currently only possible values are: firewall.
LeakedCredentialCheckResult
Section titled “LeakedCredentialCheckResult”Type: string
Result of the check for leaked credentials.
Possible results are: password_leaked | username_and_password_leaked | username_password_similar | username_leaked | clean.
MatchIndex
Section titled “MatchIndex”Type: int
Rules match index in the chain. The last matching rule will have MatchIndex 0. If another rule matched before the last one, it will have MatchIndex 1. The same applies to any other matching rules, which will have a MatchIndex value of 2, 3, and so on.
Metadata
Section titled “Metadata”Type: object
Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time.
OriginResponseStatus
Section titled “OriginResponseStatus”Type: int
HTTP origin response status code returned to browser.
OriginatorRayID
Section titled “OriginatorRayID”Type: string
The RayID of the request that issued the challenge/jschallenge.
Type: string
The RayID of the request.
Type: string
The user-defined identifier for the rule triggered by this request. Use refs to label your rules individually alongside the Cloudflare-provided RuleID. You can set refs via the Rulesets API for some security products.
RuleID
Section titled “RuleID”Type: string
The Cloudflare security product-specific RuleID triggered by this request.
Source
Section titled “Source”Type: string
The Cloudflare security product triggered by this request.
Possible sources are unknown | asn | country | ip | iprange | securitylevel | zonelockdown | waf | firewallrules | uablock | ratelimit | bic | hot | l7ddos | validation | botfight | apishield | botmanagement | dlp | firewallmanaged | firewallcustom | apishieldschemavalidation | apishieldtokenvalidation | apishieldsequencemitigation.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark