Magic Firewall fields
cf.colo.name
Section titled “cf.colo.name”cf.colo.name String
The data center that is handling this traffic.
Example value: sfo06
cf.colo.region
Section titled “cf.colo.region”cf.colo.region String
Region of the data center that is handling this traffic.
Example value: WNAM
icmp String
The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
icmp.type
Section titled “icmp.type”icmp.type Number
The ICMP type ↗. Only applies to ICMP packets.
Example value: 8
icmp.code
Section titled “icmp.code”icmp.code Number
The ICMP code ↗. Only applies to ICMP packets.
Example value: 2
ip String
The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
ip.dst
Section titled “ip.dst”ip.dst IP address
The destination address as specified in the IP packet.
Example value: 192.0.2.2
ip.dst.country
Section titled “ip.dst.country”ip.dst.country String
Represents the 2-letter country code associated with the server IP address in ISO 3166-1 Alpha 2 ↗ format.
Example value: GB
For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 ↗ on Wikipedia.
ip.src.country
Section titled “ip.src.country”ip.src.country String
Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 ↗ format.
Example value: GB
For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 ↗ on Wikipedia.
For Magic Firewall, the ip.geoip.country field (which is deprecated) will match on either source or destination address. The ip.geoip.country field is still available for new and existing rules, but you should use the ip.src.country and/or ip.dst.country fields instead.
ip.hdr_len
Section titled “ip.hdr_len”ip.hdr_len Number
The length of the IPv4 header in bytes.
Example value: 5
ip.len
Section titled “ip.len”ip.len Number
The length of the packet including the header.
Example value: 60
ip.opt.type
Section titled “ip.opt.type”ip.opt.type Number
The first byte of IP options field ↗, if the options field is set.
Example value: 25
ip.proto
Section titled “ip.proto”ip.proto String
The transport layer for the packet, if it can be determined.
Example values: icmp, tcp
ip.src
Section titled “ip.src”ip.src IP address
The source address of the IP Packet.
ip.src.country
Section titled “ip.src.country”ip.src.country String
Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 ↗ format.
Example value: GB
For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 ↗ on Wikipedia.
ip.ttl
Section titled “ip.ttl”ip.ttl Number
The time-to-live of the IP Packet.
Example values: 54
sip Boolean
Determines if packets are valid L7 protocol SIP ↗. Requires UDP packets to operate.
Use a guard clause as shown below to ensure the packet is UDP (wirefilter):
ip.proto == "udp"
tcp String
The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
tcp.flags
Section titled “tcp.flags”tcp.flags Number
The numeric value of the TCP flags byte.
tcp.flags.ack
Section titled “tcp.flags.ack”tcp.flags.ack Boolean
TCP acknowledgment flag.
tcp.flags.cwr
Section titled “tcp.flags.cwr”tcp.flags.cwr Boolean
TCP congestion window reduced flag.
tcp.flags.ecn
Section titled “tcp.flags.ecn”tcp.flags.ecn Boolean
TCP ECN-Echo flag.
tcp.flags.fin
Section titled “tcp.flags.fin”tcp.flags.fin Boolean
TCP flag indicating this is the last packet from sender.
tcp.flags.push
Section titled “tcp.flags.push”tcp.flags.push Boolean
TCP push flag.
tcp.flags.reset
Section titled “tcp.flags.reset”tcp.flags.reset Boolean
TCP reset flag.
tcp.flags.syn
Section titled “tcp.flags.syn”tcp.flags.syn Boolean
TCP synchronize flag.
tcp.flags.urg
Section titled “tcp.flags.urg”tcp.flags.urg Boolean
TCP urgent flag.
tcp.srcport
Section titled “tcp.srcport”tcp.srcport Number
Source port number of the IP packet. Only applies to TCP packets.
tcp.dstport
Section titled “tcp.dstport”tcp.dstport Number
Destination port number of the IP packet. Only applies to TCP packets.
udp String
The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
udp.dstport
Section titled “udp.dstport”udp.dstport Number
Destination port number of the IP packet. Only applies to UDP packets.
udp.srcport
Section titled “udp.srcport”udp.srcport Number
Source port number of the IP packet. Only applies to UDP packets.
GeoIP is the registered trademark of MaxMind, Inc.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark