Enabling WAF

We haven’t tried enabling WAF yet, and the thing is that our platform is operational under this domain. However, we’re planning to enable the WAF in the coming days. What are the things we need to consider, and how would it affect our platform?

WAF may produce false positives. You need to constantly monitor the firewall events for a few days to see if there’s legitimate traffic being blocked by the WAF.


Is there no way that we can identify which part of our platform will be affected when enabling this WAF?

No one knows how your platform works. You need to tune it by yourself.

By the way, you may try to set all the WAF rules to logging mode so that you can analyze the logs later, while not affecting your users.

But since there are thousands of WAF rules in Cloudflare, it’s impossible to turn each rule to logging mode one by one. Use this bash script instead:

_CFAPIEMAIL="Your Email"      # account email; quote the values so bash does not split them
_CFAPIKEY="Your API Key"      # Global API key for that account
_CFAPIZONEID="Your ZoneID"    # zone whose WAF rules should be switched

# Look up the id of the managed WAF package named "CloudFlare" in this zone.
curl -s -H "X-Auth-Email: $_CFAPIEMAIL" -H "X-Auth-Key: $_CFAPIKEY" -H "Content-Type: application/json" "https://api.cloudflare.com/client/v4/zones/$_CFAPIZONEID/firewall/waf/packages" | jq -r '.result[]|select(.name == "CloudFlare").id' | \
  while read packageID; do
    # Rules are paginated (100 per page), so walk every page of the package.
    for i in $(seq 1 "$(curl -s -H "X-Auth-Email: $_CFAPIEMAIL" -H "X-Auth-Key: $_CFAPIKEY" -H "Content-Type: application/json" "https://api.cloudflare.com/client/v4/zones/$_CFAPIZONEID/firewall/waf/packages/$packageID/rules?per_page=100" | jq -r '.result_info.total_pages')"); do
      # Only rules that would block or challenge by default need to be changed.
      curl -s -H "X-Auth-Email: $_CFAPIEMAIL" -H "X-Auth-Key: $_CFAPIKEY" -H "Content-Type: application/json" "https://api.cloudflare.com/client/v4/zones/$_CFAPIZONEID/firewall/waf/packages/$packageID/rules?per_page=100&page=$i" | jq -r '.result[]|select(.default_mode == "block" or .default_mode == "challenge").id' | \
      while read wafID; do
        # Switch the rule to "simulate" (log-only) mode; the response is pretty-printed.
        curl -s -H "X-Auth-Email: $_CFAPIEMAIL" -H "X-Auth-Key: $_CFAPIKEY" -H "Content-Type: application/json" "https://api.cloudflare.com/client/v4/zones/$_CFAPIZONEID/firewall/waf/packages/$packageID/rules/$wafID" -X PATCH --data '{"mode":"simulate"}' | jq
      done
    done
  done
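One way to do the later analysis the reply above suggests, as an added example that is not from this thread or from Cloudflare: it groups simulate-mode firewall events per rule so that rules which keep firing on ordinary traffic from many clients stand out as candidates to review before switching to block. The event field names (action, ruleId, clientRequestPath, clientIP) and the sample lines are assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of firewall events, one JSON object per line, as an
# export might look after the WAF has run in simulate mode for a while.
# Field names and values are made up for this example.
SAMPLE_EVENTS = """
{"action": "simulate", "ruleId": "100021", "clientRequestPath": "/api/search", "clientIP": "198.51.100.7"}
{"action": "simulate", "ruleId": "100021", "clientRequestPath": "/api/search", "clientIP": "198.51.100.8"}
{"action": "simulate", "ruleId": "100021", "clientRequestPath": "/api/export", "clientIP": "198.51.100.9"}
{"action": "simulate", "ruleId": "100135", "clientRequestPath": "/wp-login.php", "clientIP": "203.0.113.5"}
{"action": "block", "ruleId": "100135", "clientRequestPath": "/wp-login.php", "clientIP": "203.0.113.5"}
{"action": "simulate", "ruleId": "100201", "clientRequestPath": "/blog/comment", "clientIP": "198.51.100.7"}
"""

def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize_simulated(events):
    """Group simulate-mode hits by rule id: hit count, distinct paths, distinct clients."""
    summary = defaultdict(lambda: {"hits": 0, "paths": set(), "clients": set()})
    for ev in events:
        if ev.get("action") != "simulate":
            continue  # actions already enforced are not part of the tuning question
        entry = summary[ev["ruleId"]]
        entry["hits"] += 1
        entry["paths"].add(ev.get("clientRequestPath", ""))
        entry["clients"].add(ev.get("clientIP", ""))
    return dict(summary)

def review_candidates(summary, min_hits=2, min_clients=2):
    """Rules that would have fired repeatedly, from several distinct clients,
    are the ones to inspect by hand before they are switched to block.
    Returns (ruleId, hits, sorted paths) tuples, most hits first."""
    candidates = [
        (rule, s["hits"], sorted(s["paths"]))
        for rule, s in summary.items()
        if s["hits"] >= min_hits and len(s["clients"]) >= min_clients
    ]
    return sorted(candidates, key=lambda c: c[1], reverse=True)

if __name__ == "__main__":
    summary = summarize_simulated(parse_events(SAMPLE_EVENTS))
    for rule, hits, paths in review_candidates(summary):
        print(f"rule {rule}: {hits} simulated hits on {', '.join(paths)}")
```

A rule that shows up only for one client on a path the application does not serve (like the single wp-login.php hit here) is left out of the review list, so it can stay in block mode.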

If we experience a false positive, identify the rule blocking our actions and need to turn it off, will it take effect immediately?

Usually within seconds.


Is there a way that I can simulate or test a certain rule before deploying it?

Yes:

