At Cloudflare, one of our top priorities is to make our products and services intuitive so that we can enable customers to accelerate and protect their Internet properties. We're excited to launch two improvements designed to make our Firewall easier to use and more accessible, and to help our customers better manage and visualize their threat-related data.
New Firewall Tabs for ease of access
We have re-organised our features into meaningful pages: Events, Firewall Rules, Managed Rules, Tools, and Settings. Our customers will see an Overview tab, which contains our new Firewall Analytics, detailed below.
All the features you know and love are still available, and can be found in one of the four new tabs. Here is a breakdown of their new locations.
Feature | New Location
Firewall Event Log | Events (Overview for Enterprise only)
Firewall Rules | Firewall Rules
Web Application Firewall | Managed Ruleset
IP Access Rules (IP Firewall) | Tools
Rate Limiting | Tools
User Agent Blocking | Tools
Zone Lockdown | Tools
Browser Integrity Check | Settings
Challenge Passage | Settings
Privacy Pass | Settings
Security Level | Settings
If the new sub navigation has not appeared, you may need to log in to the dashboard again or clear your browser’s cookies.
New Firewall Analytics for analysing events and maintaining optimal configurations
Insights into security events are critical for monitoring the health of your web applications. Furthermore, distinguishing actual threats from false positives is essential for maintaining an optimal security configuration. Today, we are very pleased to announce our new Firewall Analytics, which will help our Enterprise customers get detailed insights into firewall events, helping them to tailor their security configurations more effectively.
Our new Firewall Analytics now enables our Enterprise customers to:
visualise and analyse Firewall Events in one place to better understand their threat landscape
identify, mitigate, and review attacks more effectively
After speaking with many of our customers, we learned a lot about their processes to identify and analyse attacks and the kinds of insights they needed to improve these processes. We then translated these learnings into useful features and charts that would help answer some of the most common questions such as ‘What kinds of security events occurred in a certain time frame?’ and ‘What caused a spike in a certain type of security event?’.
Firewall Analytics and Firewall Configuration can be found together in the Firewall tab. A tight feedback loop between Firewall configuration and the resulting events allows for rapid iteration, ideal for security-focused teams.
To best demonstrate the power of Firewall Analytics, here’s a workflow that would answer a popular question our customers ask: “Why did I have a spike in threats?”. In the screenshot below, we can see a set of activity which triggered a number of ‘Block’ events:
To minimize the possibility of polluting our TopN statistics with event types other than ‘Block’ and get the most accurate diagnostic information, we will need to filter down to just ‘Block’ actions.
Now that only Block events are displayed, checking the Service Breakdowns will help us to identify which of our Firewall features was triggered.
From the Events breakdown, we can see that the Block events were triggered by a Country Block configured within Access Rules. Digging deeper and looking at our TopN breakdowns, we start to get a much more granular understanding of which Networks, IPs, User-Agents, Paths, etc. were targeted.
From here, we can see that two specific IP addresses were targeting my application at the path “/”.
To get the most detailed information, we can drill down further in the refreshed Firewall Event log, now controlled inline.
Whilst these TopNs and filters are great for clearly identifiable threats, they can also help identify false positives. Using the power of Cloudflare’s filters, it is possible to add a user-defined filter, which can be a RayID, User-Agent or IP address.
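The same triage order (filter to Block, read the service breakdown and TopNs, then apply a user-defined filter) can be reproduced over exported event records, which also shows why filtering first matters. This is an added example, not Cloudflare's code: the field names, service labels and sample events are constructed assumptions.

```python
from collections import Counter

# Hypothetical field names for an exported firewall event record.
FIELDS = ("ray_id", "action", "service", "ip", "path", "user_agent")

def ev(*values):
    """Build one event record from positional values (see FIELDS)."""
    return dict(zip(FIELDS, values))

# Constructed sample events using documentation IP ranges.
EVENTS = (
    [ev(f"c{i}", "challenge", "securitylevel", "192.0.2.10", "/login", "Mozilla/5.0") for i in range(4)]
    + [ev(f"a{i}", "block", "country", "198.51.100.7", "/", "curl/7.64.0") for i in range(3)]
    + [ev(f"b{i}", "block", "country", "198.51.100.8", "/", "curl/7.64.0") for i in range(2)]
    + [ev("w0", "block", "waf", "203.0.113.5", "/admin", "Mozilla/5.0")]
)

def apply_filters(events, **filters):
    """Keep only events whose fields equal every supplied filter value."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]

def top_n(events, field, n=3):
    """Return the n most frequent values of a field as (value, count) pairs."""
    return Counter(e[field] for e in events).most_common(n)

def triage(events, n=3):
    """Filter to Block first, then compute the service breakdown and TopNs."""
    blocks = apply_filters(events, action="block")
    dims = ("service", "ip", "path", "user_agent")
    return {dim: top_n(blocks, dim, n) for dim in dims}

if __name__ == "__main__":
    # Unfiltered, the challenged client tops the IP list and hides the blocked ones.
    print("unfiltered top IP:", top_n(EVENTS, "ip", 1))
    for dim, rows in triage(EVENTS).items():
        print(f"block top {dim}:", rows)
    # False-positive review: a user-defined filter on a single client IP.
    for e in apply_filters(EVENTS, ip="203.0.113.5"):
        print("review:", e["ray_id"], e["action"], e["service"], e["path"])
```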
This is just one example of how the new Firewall Analytics can help expedite the process of identifying and mitigating threats. Firewall Analytics is now live for all Enterprise customers. Let us know your feedback by reaching out to your Enterprise Account Team.