This article follows on from the previous post on "How to set your Cloudflare web application firewall to simulate mode".
Ideally, you have been able to set your web application firewall (WAF) to "On" and it is now tracking events as "simulate, block, or challenge" modes.
So,
How to customise your Cloudflare firewall for your business
Step 1 - Find your Firewall Events logs
You can check your 'Firewall Events" log in the "Traffic" tab and changing settings in "Firewall" tab. This Firewall Events section will detail requests affected by both IP Firewall and Web Application Firewall (WAF) rules.
Step 2 - Check your Firewall Events logs
You should be able to see a list of firewall events. Here's a brief legend to help you make sense of what the "Action Taken" means.
- Simulate: Logs the event and does not block or challenge the visitor (you can still decide to set to a block or challenge after review of the event).
- Block: Block will block visitors from that IP from accessing the site.
- Challenge: Will display a challenge (captcha) page before the visitor can enter the site to simulate and start tracking firewall event actions it would have taken.
Step 3 - View each Firewall event details
View each firewall event for more details by clicking on the "Details" link. That way, you can find out more information and do more research as to whether or not it is a legitimate attack or not.
You might be wondering, why not block or challenge everything?
Well, depending on the nature of your business and markets, you may be still dealing with customers using very old browsers or technologies and balancing the pros and cons and the risks associated.
Step 4 - Look up the Firewall Rule Triggered
Step 4.1 Find "Rule details" under "Package: Cloudflare Rule Set"
Under the "Firewall" tab> "Web Application Firewall"> Click on "Rule details" under the "Package: Cloudflare Rule Set"
Step 4.2 Find "Advanced"
Step 4.3 Review Cloudflare Firewall rules by Rule ID
Search for the Cloudflare Firewall rule ID and search for the rule. Then review and choose your selected action mode ("Mode").