PUT /accounts/{account_id}/gateway/rules/{rule_id}
Updates a configured Zero Trust Gateway rule.
Servers
- https://api.cloudflare.com/client/v4
Path parameters
| Name | Type | Required | Description |
|---|---|---|---|
account_id |
String | Yes | |
rule_id |
String | Yes |
Request headers
| Name | Type | Required | Description |
|---|---|---|---|
Content-Type |
String | Yes |
The media type of the request body.
Default value: "application/json" |
Request body fields
| Name | Type | Required | Description |
|---|---|---|---|
filters[] |
Array | No |
The protocol or layer to evaluate the traffic, identity, and device posture expressions. |
traffic |
String | No |
The wirefilter expression used for traffic matching. |
expiration |
Object | No |
The expiration time stamp and default duration of a DNS policy. Takes
precedence over the policy's This does not apply to HTTP or network policies. |
expiration.expired |
Boolean | No |
Whether the policy has expired. |
expiration.duration |
Integer | No |
The default duration a policy will be active in minutes. Must be set in order to use the |
expiration.expires_at |
String | Yes |
The time stamp at which the policy will expire and cease to be applied. Must adhere to RFC 3339 and include a UTC offset. Non-zero offsets are accepted but will be converted to the equivalent value with offset zero (UTC+00:00) and will be returned as time stamps with offset zero denoted by a trailing 'Z'. Policies with an expiration do not consider the timezone of
clients they are applied to, and expire "globally" at the point
given by their |
name |
String | Yes |
The name of the rule. |
action |
String | Yes |
The action to preform when the associated traffic, identity, and device posture expressions are either absent or evaluate to Possible values:
|
description |
String | No |
The description of the rule. |
enabled |
Boolean | No |
True if the rule is enabled. Default value: false |
schedule |
Object | No |
The schedule for activating DNS policies. This does not apply to HTTP or network policies. |
schedule.mon |
String | No |
The time intervals when the rule will be active on Mondays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Mondays. |
schedule.sun |
String | No |
The time intervals when the rule will be active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Sundays. |
schedule.time_zone |
String | No |
The time zone the rule will be evaluated against. If a valid time zone city name is provided, Gateway will always use the current time at that time zone. If this parameter is omitted, then Gateway will use the time zone inferred from the user's source IP to evaluate the rule. If Gateway cannot determine the time zone from the IP, we will fall back to the time zone of the user's connected data center. |
schedule.fri |
String | No |
The time intervals when the rule will be active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Fridays. |
schedule.thu |
String | No |
The time intervals when the rule will be active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Thursdays. |
schedule.tue |
String | No |
The time intervals when the rule will be active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Tuesdays. |
schedule.sat |
String | No |
The time intervals when the rule will be active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Saturdays. |
schedule.wed |
String | No |
The time intervals when the rule will be active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Wednesdays. |
identity |
String | No |
The wirefilter expression used for identity matching. |
precedence |
Integer | No |
Precedence sets the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. |
device_posture |
String | No |
The wirefilter expression used for device posture check matching. |
rule_settings |
Object | No |
Additional settings that modify the rule's action. |
rule_settings.untrusted_cert |
Object | No |
Configure behavior when an upstream cert is invalid or an SSL error occurs. |
rule_settings.untrusted_cert.action |
String | No |
The action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526. Possible values:
|
rule_settings.block_page_enabled |
Boolean | No |
Enable the custom block page. Default value: false |
rule_settings.insecure_disable_dnssec_validation |
Boolean | No |
INSECURE - disable DNSSEC validation (for Allow actions). Default value: false |
rule_settings.resolve_dns_internally |
Object | No |
Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Cannot be set when 'dns_resolvers' are specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. |
rule_settings.resolve_dns_internally.fallback |
String | No |
The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries. Possible values:
Default value: "none" |
rule_settings.resolve_dns_internally.view_id |
String | No |
The internal DNS view identifier that's passed to the internal DNS service. |
rule_settings.payload_log |
Object | No |
Configure DLP payload logging. |
rule_settings.payload_log.enabled |
Boolean | No |
Set to true to enable DLP payload logging for this rule. Default value: false |
rule_settings.resolve_dns_through_cloudflare |
Boolean | No |
Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' are specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Default value: false |
rule_settings.bypass_parent_rule |
Boolean | No |
Set by children MSP accounts to bypass their parent's rules. |
rule_settings.egress |
Object | No |
Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. |
rule_settings.egress.ipv4_fallback |
String | No |
The fallback IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs. |
rule_settings.egress.ipv4 |
String | No |
The IPv4 address to be used for egress. |
rule_settings.egress.ipv6 |
String | No |
The IPv6 range to be used for egress. |
rule_settings.ignore_cname_category_matches |
Boolean | No |
Set to true, to ignore the category matches at CNAME domains in a response. If unchecked, the categories in this rule will be checked against all the CNAME domain categories in a response. Default value: false |
rule_settings.add_headers |
Object | No |
Add custom headers to allowed requests, in the form of key-value pairs. Keys are header names, pointing to an array with its header value(s). |
rule_settings.override_ips[] |
Array | No |
Override matching DNS queries with an IP or set of IPs. |
rule_settings.audit_ssh |
Object | No |
Settings for the Audit SSH action. |
rule_settings.audit_ssh.command_logging |
Boolean | No |
Enable to turn on SSH command logging. Default value: false |
rule_settings.override_host |
String | No |
Override matching DNS queries with a hostname. |
rule_settings.block_page |
Object | No |
Custom block page settings. If missing/null, blocking will use the the account settings. |
rule_settings.block_page.target_uri |
String | Yes |
URI to which the user will be redirected |
rule_settings.block_page.include_context |
Boolean | No |
If true, context information will be passed as query parameters Default value: false |
rule_settings.dns_resolvers |
Object | No |
Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' are set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. |
rule_settings.dns_resolvers.ipv4[] |
Array | No | |
rule_settings.dns_resolvers.ipv4[].vnet_id |
String | No |
Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted. |
rule_settings.dns_resolvers.ipv4[].port |
Integer | No |
A port number to use for upstream resolver. Defaults to 53 if unspecified. |
rule_settings.dns_resolvers.ipv4[].ip |
String | Yes |
IPv4 address of upstream resolver. |
rule_settings.dns_resolvers.ipv4[].route_through_private_network |
Boolean | No |
Whether to connect to this resolver over a private network. Must be set when vnet_id is set. |
rule_settings.dns_resolvers.ipv6[] |
Array | No | |
rule_settings.dns_resolvers.ipv6[].vnet_id |
String | No |
Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted. |
rule_settings.dns_resolvers.ipv6[].port |
Integer | No |
A port number to use for upstream resolver. Defaults to 53 if unspecified. |
rule_settings.dns_resolvers.ipv6[].ip |
String | Yes |
IPv6 address of upstream resolver. |
rule_settings.dns_resolvers.ipv6[].route_through_private_network |
Boolean | No |
Whether to connect to this resolver over a private network. Must be set when vnet_id is set. |
rule_settings.notification_settings |
Object | No |
Configure a notification to display on the user's device when this rule is matched. |
rule_settings.notification_settings.msg |
String | No |
Customize the message shown in the notification. |
rule_settings.notification_settings.include_context |
Boolean | No |
If true, context information will be passed as query parameters |
rule_settings.notification_settings.support_url |
String | No |
Optional URL to direct users to additional information. If not set, the notification will open a block page. |
rule_settings.notification_settings.enabled |
Boolean | No |
Set notification on Default value: false |
rule_settings.check_session |
Object | No |
Configure how session check behaves. |
rule_settings.check_session.enforce |
Boolean | No |
Set to true to enable session enforcement. Default value: false |
rule_settings.check_session.duration |
String | No |
Configure how fresh the session needs to be to be considered valid. |
rule_settings.biso_admin_controls |
Object | No |
Configure how browser isolation behaves. |
rule_settings.biso_admin_controls.paste |
String | No |
Configure whether pasting is enabled or not. When set with "remote_only", pasting content from the user's local clipboard into isolated pages is disabled. When absent, paste is enabled. Only applies when Possible values:
|
rule_settings.biso_admin_controls.dp |
Boolean | No |
Set to false to enable printing. Only applies when Default value: false |
rule_settings.biso_admin_controls.printing |
String | No |
Configure whether printing is enabled or not. When absent, printing is enabled. Only applies when Possible values:
|
rule_settings.biso_admin_controls.upload |
String | No |
Configure whether uploading is enabled or not. When absent, uploading is enabled. Only applies when Possible values:
|
rule_settings.biso_admin_controls.copy |
String | No |
Configure whether copy is enabled or not. When set with "remote_only", copying isolated content from the remote browser to the user's local clipboard is disabled. When absent, copy is enabled. Only applies when Possible values:
|
rule_settings.biso_admin_controls.dd |
Boolean | No |
Set to false to enable downloading. Only applies when Default value: false |
rule_settings.biso_admin_controls.du |
Boolean | No |
Set to false to enable uploading. Only applies when Default value: false |
rule_settings.biso_admin_controls.dcp |
Boolean | No |
Set to false to enable copy-pasting. Only applies when Default value: false |
rule_settings.biso_admin_controls.download |
String | No |
Configure whether downloading enabled or not. When absent, downloading is enabled. Only applies when Possible values:
|
rule_settings.biso_admin_controls.version |
String | No |
Indicates which version of the browser isolation controls should apply. Possible values:
Default value: "v1" |
rule_settings.biso_admin_controls.keyboard |
String | No |
Configure whether keyboard usage is enabled or not. When absent, keyboard usage is enabled. Only applies when Possible values:
|
rule_settings.biso_admin_controls.dk |
Boolean | No |
Set to false to enable keyboard usage. Only applies when Default value: false |
rule_settings.redirect |
Object | No |
Settings that apply to redirect rules |
rule_settings.redirect.target_uri |
String | Yes |
URI to which the user will be redirected |
rule_settings.redirect.include_context |
Boolean | No |
If true, context information will be passed as query parameters Default value: false |
rule_settings.redirect.preserve_path_and_query |
Boolean | No |
If true, the path and query parameters from the original request will be appended to target_uri Default value: false |
rule_settings.l4override |
Object | No |
Send matching traffic to the supplied destination IP address and port. |
rule_settings.l4override.port |
Integer | No |
A port number to use for TCP/UDP overrides. |
rule_settings.l4override.ip |
String | No |
IPv4 or IPv6 address. |
rule_settings.ip_categories |
Boolean | No |
Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names. Default value: false |
rule_settings.block_reason |
String | No |
The text describing why this block occurred, displayed on the custom block page (if enabled). |
rule_settings.quarantine |
Object | No |
Settings that apply to quarantine rules |
rule_settings.quarantine.file_types[] |
Array | No |
Types of files to sandbox. |
rule_settings.allow_child_bypass |
Boolean | No |
Set by parent MSP accounts to enable their children to bypass this rule. |
rule_settings.ip_indicator_feeds |
Boolean | No |
Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names. Default value: false |
How to start integrating
- Add HTTP Task to your workflow definition.
- Search for the API you want to integrate with and click on the name.
- This loads the API reference documentation and prepares the Http request settings.
- Click Test request to test run your request to the API and see the API's response.