Firewall Analytics for Enterprise Domains

Enterprise domains have access to additional Cloudflare Firewall analytics and filtering. Learn how firewall analytics can help you identify security enhancements for your site.


About firewall analytics

Enterprise customers benefit from additional firewall analytics within the Overview tab of the Firewall app of their Enterprise domains. Firewall analytics allow management and visualization of threats and help customers to tailor their security configurations.

Only Enterprise domains have access to firewall analytics.

Firewall events are listed in the Firewall app under the Overview tab. Firewall analytics allow filtering and excluding, whereas non-Enterprise domains can only search for a specific IP address, Ray ID, or Rule ID.

Firewall analytics provide the following data for a predefined duration of 30 minutes to up to 72 hours:

  • Events by action provides the count of firewall activity per action (Block, Log/Simulate, JS Challenge, Challenge, etc.) taken on traffic during the analytics report duration.
  • Events by service lists the firewall activity per Cloudflare security feature (WAF, Firewall Rules, Access Rules, Hotlink Protection, Rate Limits, etc.).
  • Top events by source provides details of the traffic flagged or actioned by a Cloudflare security feature (IP addresses, User Agents, Paths, Countries, Hosts, ASNs, HTTP Methods, etc.).
  • Activity log summarizes firewall events by date to show the action taken and the Cloudflare security feature applied.
  • Denial-of-service attacks mitigated counts automatically mitigated Layer 4 attacks blocked by Cloudflare over the last 72 hours.

 


Filter firewall analytics

To narrow the scope of firewall analytics, you can apply multiple filters and exclusions.

Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page, including the Activity Log and all graphs, except for the Denial-of-service attacks mitigated graph.

Adjust the scope of analytics by either clicking Add filter under Firewall Events or clicking the Filter or Exclude buttons that appear when hovering over the analytics data legend.

Screenshot of a firewall events chart.

When applying filters:

  • You cannot use wildcards.
  • You do not need quotation marks around field values.
  • If entering ASN numbers, leave out the AS prefix. For example, instead of AS1423, just enter 1423.

Firewall analytics captures all Layer 7 traffic actioned or flagged by a Cloudflare security setting, including features such as Browser Integrity Check.

For further details on firewall analytics, read our blog post introducing the new firewall tab and analytics.


Share firewall analytics filters

When you add a filter and specify a duration (time window) in firewall analytics, the Cloudflare dashboard URL changes to reflect the parameters included in your filtering. You can share that URL with other users so that they can analyze the same information that you see.

https://dash.cloudflare.com/a67e14da49djdceeb9adf85449ba496eb/example.net/firewall?action=challenge&time-window=4320

Screenshot showing how the Cloudflare dashboard URL changes when a firewall analytics filter is applied.

 


Export activity log data

You can export a set of up to 500 raw events from the Activity log section of firewall analytics by clicking the Export button. The data is in JSON format.

Screenshot showing how to export data from the firewall analytics activity log.

This option is useful when you need to combine and analyze Cloudflare data with your own stored in a separate system or database, such as a security information and event management system (SIEM).

The data you export will reflect any filters you have applied.
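
A sketch of post-processing an exported Activity log before loading it into a SIEM, added here as an example and not Cloudflare's own code. The field names (`action`, `source`, `clientIP`, `clientAsn`, `clientRequestPath`), the service values, and the sample events are assumptions constructed for illustration; check them against a real export.

```python
import json
from collections import Counter

EXPORT_CAP = 500  # the page states an export holds at most 500 raw events

def _event(action, source, ip, asn, path):
    # Field names are assumptions; verify them against a real export.
    return {"action": action, "source": source, "clientIP": ip,
            "clientAsn": asn, "clientRequestPath": path}

# Constructed sample export (documentation IP ranges and ASNs).
SAMPLE_EXPORT = json.dumps([
    _event("block", "waf", "192.0.2.10", "64500", "/login"),
    _event("block", "waf", "192.0.2.10", "64500", "/login"),
    _event("challenge", "firewallrules", "198.51.100.7", "64501", "/wp-admin"),
    _event("log", "ratelimit", "192.0.2.10", "64500", "/api"),
])

def load_events(raw):
    """Parse an export and reject anything that is not a list of event objects."""
    events = json.loads(raw)
    if not isinstance(events, list) or not all(isinstance(e, dict) for e in events):
        raise ValueError("expected a JSON array of event objects")
    return events

def summarize(events, top_n=3):
    """Rebuild per-action, per-service and top-source counts from raw events."""
    def count(field):
        return Counter(e.get(field, "unknown") for e in events)
    return {
        # Hitting the cap means the filter matched more events than were exported.
        "possibly_truncated": len(events) >= EXPORT_CAP,
        "by_action": dict(count("action")),
        "by_service": dict(count("source")),
        "top_ips": count("clientIP").most_common(top_n),
        "top_asns": count("clientAsn").most_common(top_n),
        "top_paths": count("clientRequestPath").most_common(top_n),
    }

def to_ndjson(events):
    """Serialize one JSON object per line, a common SIEM ingestion format."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    print(json.dumps(summarize(events), indent=2))
    print(to_ndjson(events))
```

When `possibly_truncated` is true, narrow the filters or the time window and export again so the counts cover the whole set of matching events.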


Select visible columns in the activity log

You can configure which columns to display in the Activity log section of firewall analytics by clicking the Edit columns button. This gives you flexibility depending on the type of analysis that you need to perform.

An example use case for this option is when you're trying to diagnose a bot-related issue. You may want to see the user-agent and the source country.

Another example is when you'd like to identify a DDoS attack. You may want to see IP addresses, ASNs, path, and other attributes.

Animated image showing how to edit columns to display in the firewall analytics activity log.

 

 


Print or download PDF firewall analytics report

You can print or download a snapshot report from your Firewall Events analytics dashboard by clicking the three-dots icon (...) and selecting Print report.

Note that any filters you have applied are reflected in the printed or downloaded report.

Your web browser's printing interface will present you with options for printing or downloading to PDF.

Screenshot showing how to print a firewall events snapshot report.

 

 

