Cloudflare Pro, Business, and Enterprise domains have access to Cloudflare Firewall Analytics and filtering. Learn how Firewall Analytics helps identify security enhancements for your site.

About firewall analytics

Cloudflare Pro, Business, and Enterprise customers benefit from Firewall Analytics and the Activity log of firewall events in the Firewall app under the Overview tab.  Firewall analytics allow management and visualization of threats and help customers tailor their security configurations.

Firewall Analytics allows filters and exclusions and provides the following data (Free customers see Activity log only). Free and Pro customers can choose a 24 hour time window and our Business customers can view up to 72 hours:

• Events by action provides the count of firewall activity per action (Block, Log/Simulate, JS Challenge, Challenge, etc) taken on traffic during the report duration selected.
• Events by service lists the firewall activity per Cloudflare security feature (WAF, Firewall Rules, Access Rules, Hotlink Protection, Rate Limits, etc).
• Top events by source provides details of the traffic flagged or actioned by a Cloudflare security feature (IP addresses, User Agents, Paths, Countries, Hosts, ASNs, HTTP Methods, etc).
• Activity log summarizes firewall events by date to show the action taken and the Cloudflare security feature applied.
• Denial-of-service attacks mitigated counts automatically mitigated Layer 4 attacks blocked by Cloudflare over the last 72 hours.

Firewall analytics and events may be presented from sampled data in order to improve performance. Cloudflare logs challenge success in order to provide customers the Captcha Success Rate.

A deleted Firewall rule or Rate Limiting rule would show as Rule unavailable in Firewall Analytics. You can review your Audit logs to check the changes made within your Cloudflare account.

Filter firewall analytics

To narrow the scope of Firewall Analytics, you can apply multiple filters and exclusions as well as adjust the report duration. 

Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page including the Activity Log and all graphs, except for the Denial-of-service attacks mitigated graph.  

Adjust the scope of analytics by either clicking on Add filter under Firewall Events or clicking the Filter or Exclude buttons that appear when hovering over analytics data legend.

When applying filters:

• Wildcards are not allowed.
• Quotation marks are not necessary around field values.
• If entering ASN numbers, leave out the AS prefix. For example, enter 1423 instead of AS1423.

Review the Firewall Activity log

To view WAF event details:

     1. Log in to the Cloudflare dashboard.

     2. Click the appropriate Cloudflare account.

     3. Select the proper domain.

     4. Click the Firewall app.

     5. The Overview tab lists the Activity log.

     6. Click any entry in the Firewall Activity log to expand further details. 

To search for a WAF event by IP address (or similar field):

Click + Add filter under Firewall Events at the top of the Firewall app.

1. Select IP for Action.
2. Choose equals.
3. Enter the IP address.

Alternatively, expand a Firewall event from the Activity log and click the Filter button that appears when mousing over the IP address.

Firewall Events are shown by individual event rather than by request.  For example, if a single request triggers three different Firewall features, the firewall events appear as three individual events in the Activity log.

For a description of firewall actions that may appear in the Activity Log, visit our developer documentation. Additionally, when the conn-close action appears in the Activity Log, it means the existing request is unaffected but the client is instructed to establish a new connection instead of re-using the existing connection. Connection Close mitigations are not covered by the Cloudflare DDoS alerts. DDoS notifications only alert when the mitigation is force-conn-close, block, ratelimit, and captcha.

Validation check

Cloudflare performs a Validation test for every request. The execution order of the Validation component is prior to all other firewall products (e.g. Firewall rules, WAF, etc...). Obvious malformed requests like Shellshock attacks are blocked by Validation check and classified macro and hence appear as Validation as a service without a ruleid in the firewall Activity log. Requests containing certain attack patterns in any HTTP request header are blocked before any allowlist logic occurs. Firewall events downloaded from the API show source as Validation and action as drop when this behavior occurs.

Below is an example request that is blocked by the Validation check due to a malformed user-agent.

In the downloaded JSON file, you notice the ruleId as it aims to give an indication of what was the problem, and in this case, it was a Shellshock attack.

"action": "drop", "ruleId": "sanity-shellshock", "source": "sanitycheck", "userAgent": "() { :;}; printf \\\\\"detection[%s]string\\\\\" \\\\\"TjcLLwVzBtLzvbN\\\\",

FAQs

Can we disable Validation check?

This is currently not possible to disable. The Validation tests are run early in our infrastructure before the configuration for domains has been loaded. A possible future change could be to move these protections to Cloudflare Managed Rulesets.

Share firewall analytics filters

When you add a filter and specify a duration (time window) in firewall analytics, the Cloudflare dashboard URL changes to reflect the parameters included in your filtering. You can share that URL with other users so that they can analyze the same information that you see.

https://dash.cloudflare.com/a67e14da49djdceeb9adf85449ba496eb/example.net/firewall?action=challenge&time-window=4320

Export activity log data

Business and Enterprise domains can export a set of up to 500 raw events from the Activity log section of firewall analytics by clicking the Export button. The data is in JSON format. Triggered OWASP rules appear in the UI under Additional logs, but not within an exported JSON file.

This option is useful when you need to combine and analyze Cloudflare data with your own stored in a separate system or database, such as a security information and event management system (SIEM).

The data you export will reflect any filters you have applied.

Select visible columns in the activity log

You can configure which columns to display in the Activity log section of firewall analytics by clicking the Edit columns button. This gives you flexibility depending on the type of analysis that you need to perform.

An example use case for this option is when you're trying diagnose a bot related issue. You may want to see the user-agent and the source country.

Another example is when you'd like to identify a DDoS attack. You may want to see IP addresses, ASSNs, path, and other attributes.

Print or download PDF firewall analytics report

You can print or download a snapshot report from your Firewall Events analytics dashboard by clicking Print report.

Note that any filters you have applied will reflect in the printed or downloaded report.

Your web browser's printing interface will present you with options for printing or downloading to PDF.

L4 DoS SYN attacks mitigation in Firewall Events

Enterprise domains have visibility with regard to ongoing L4 DOS SYN attacks towards them.

Enterprise customers can also use the synAvgPps1mGroups node in GraphQL to get the total attack volume for a zone over a period of time.

Limitations

Firewall Analytics currently has these limitations:

• Pagination issue in Firewall sampled events. The UI may show an inaccurate number of events per page as it tries to query in the most efficient way, but given the nature of the sampled response, pagination can't be guarateed to work all the time. The GraphQL Analytics API does not have this limitation.

Related resources

• Cloudflare Blog: Firewall tab and analytics
• What options are available for protecting a site?