Enterprise domains have access to additional Cloudflare Firewall analytics and filtering. Learn how firewall analytics can help you identify security enhancements for your site.
About firewall analytics
Enterprise customers benefit from additional firewall analytics within the Overview tab of the Firewall app of their Enterprise domains. Firewall analytics allow management and visualization of threats and help customers to tailor their security configurations.
Firewall events are listed in the Firewall app under the Overview tab. Firewall analytics allow filtering and excluding; whereas non-Enterprise domains can only search for a specific IP Address, Ray ID, or Rule ID.
Firewall analytics provide the following data for a predefined duration of 30 minutes to up to 72 hours:
- Events by action provides the count of firewall activity per action (Block, Log/Simulate, JS Challenge, Challenge, etc) taken on traffic during the analytics report duration
- Events by service lists the firewall activity per Cloudflare security feature (WAF, Firewall Rules, Access Rules, Hotlink Protection, Rate Limits, etc).
- Top events by source provides details of the traffic flagged or actioned by a Cloudflare security feature (IP addresses, User Agents, Paths, Countries, Hosts, ASNs, HTTP Methods, etc).
- Activity log summarizes firewall events by date to show the action taken and the Cloudflare security feature applied.
- Denial-of-service attacks mitigated counts automatically mitigated Layer 4 attacks blocked by Cloudflare over the last 72 hours.
Filter firewall analytics
To narrow the scope of firewall analytics, you can apply multiple filters and exclusions.
Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page including the Activity Log and all graphs, except for the Denial-of-service attacks mitigated graph.
Adjust the scope of analytics by either clicking on Add filter under Firewall Events or clicking the Filter or Exclude buttons that appear when hovering over analytics data legend.
When applying filters:
- You cannot use wildcards.
- You do not need quotation marks around field values.
- If entering ASN numbers, leave out the AS prefix. For example instead of AS1423, just enter 1423.
For further details on firewall analytics, read our blog post introducing the new firewall tab and analytics.
Share firewall analytics filters
When you add a filter and specify a duration (time window) in firewall analytics, the Cloudflare dashboard URL changes to reflect the parameters included in your filtering. You can share that URL with other users so that they can analyze the same information that you see.
Export activity log data
You can export a set of up to 500 raw events from the Activity log section of firewall analytics by clicking the Export button. The data is in JSON format.
This option is useful when you need to combine and analyze Cloudflare data with your own stored in a separate system or database, such as a security information and event management system (SIEM).
The data you export will reflect any filters you have applied.
Select visible columns in the activity log
You can configure which columns to display in the Activity log section of firewall analytics by clicking the Edit columns button. This gives you flexibility depending on the type of analysis that you need to perform.
An example use case for this option is when you're trying diagnose a bot related issue. You may want to see the user-agent and the source country.
Another example is when you'd like to identify a DDoS attack. You may want to see IP addresses, ASSNs, path, and other attributes.
Print or download PDF firewall analytics report
You can print or download a snapshot report from your Firewall Events analytics dashboard by clicking the three-dots icon (...) and selecting Print report.
Note that any filters you have applied will reflect in the printed or downloaded report.
Your web browser's printing interface will present you with options for printing or downloading to PDF.