How do I manage the HIGH or LOW setting threshold for the WAF?

To manage the threshold for the WAF settings:

1. Log into your Cloudflare account.

2. Visit the Firewall app.

3. Click on the Web Application Firewall tab

4. Scroll down to: Package: OWASP ModSecurity Core Rule Set

5. Select the threshold from the Sensitivity dropdown.

The OWASP Mod Security ruleset ​can sometimes be difficult with API traffic and typically a more detailed tuning is needed to obtain the correct configuration for your application. Cloudflare provides two sensitivity settings for the OWASP rule set: High and Low. Actions are trigged based on a threat score mechanism applied to rules trigged. A sensitivity setting of Low will trigged events that score only above 60 and High will trigger any events that score above 25.

We also provide 3 actions against a triggered WAF event: Simulate, Challenge and Block. A summary of the actions can be found below:

Simulate: Logs the event and does not block or challenge the visitor (you can still decide to set to a block or challenge after review of the event).
Block: Block will block visitors from that IP from accessing the site.
Challenge: Will display a challenge (captcha) page before the visitor can enter the site.

We recommend beginning in 'Simulate' mode to weed out any false positive so you can eventually turn the ruleset to a level that blocks malicious requests while legitimate traffic continues to your origin unaffected.

Still not finding what you need?

The CloudFlare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk