Understanding Cloudflare Firewall Analytics

Cloudflare Pro, Business, and Enterprise domains have access to Cloudflare Firewall Analytics and filtering. Learn how Firewall Analytics helps identify security enhancements for your site.

About firewall analytics

Cloudflare Pro, Business, and Enterprise customers benefit from Firewall Analytics and the Activity log of firewall events in the Firewall app under the Overview tab.  Firewall analytics allow management and visualization of threats and help customers tailor their security configurations.

Firewall Analytics allows filters and exclusions and provides the following data for a predefined duration ranging from 30 minutes to 72 hours:

  • Events by action provides the count of firewall activity per action (Block, Log/Simulate, JS Challenge, Challenge, etc) taken on traffic during the report duration selected.
  • Events by service lists the firewall activity per Cloudflare security feature (WAF, Firewall Rules, Access Rules, Hotlink Protection, Rate Limits, etc).
  • Top events by source provides details of the traffic flagged or actioned by a Cloudflare security feature (IP addresses, User Agents, Paths, Countries, Hosts, ASNs, HTTP Methods, etc).
  • Activity log summarizes firewall events by date to show the action taken and the Cloudflare security feature applied.
  • Denial-of-service attacks mitigated counts automatically mitigated Layer 4 attacks blocked by Cloudflare over the last 72 hours.

Firewall analytics and events may be presented from sampled data in order to improve performance. Cloudflare logs challenge success in order to provide customers the Captcha Success Rate.

Filter firewall analytics

To narrow the scope of Firewall Analytics, you can apply multiple filters and exclusions as well as adjust the report duration. 

Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page including the Activity Log and all graphs, except for the Denial-of-service attacks mitigated graph.  

Adjust the scope of analytics by either clicking Add filter under Firewall Events or clicking the Filter or Exclude buttons that appear when hovering over the analytics data legend.

Screenshot of a firewall events chart.

To create a Firewall Rule based on the filters and exclusions you selected within firewall analytics, click Create firewall rule at the top right of the Firewall Events page under the Overview tab.

When applying filters:

  • Wildcards are not allowed.
  • Quotation marks are not necessary around field values.
  • If entering ASN numbers, leave out the AS prefix. For example, enter 1423 instead of AS1423.

Firewall analytics captures all traffic actioned or flagged by a Cloudflare security setting, including features such as Browser Integrity Check.

Review the Firewall Activity log

To view WAF event details:

     1. Log in to the Cloudflare dashboard.

     2. Click the appropriate Cloudflare account.

     3. Select the proper domain.

     4. Click the Firewall app.

     5. The Overview tab lists the Activity log.

     6. Click any entry in the Firewall Activity log to expand further details. 

To search for a WAF event by IP address (or similar field):

Click + Add filter under Firewall Events at the top of the Firewall app.

  1. Select IP for Action.
  2. Choose equals.
  3. Enter the IP address.

Alternatively, expand a Firewall event from the Activity log and click the Filter button that appears when mousing over the IP address.

Requests containing certain attack patterns in the User-Agent field are blocked before any whitelisting logic occurs. Firewall events downloaded from the API show rule_id as security_level and action as drop when this behavior occurs.

Firewall Events are shown by individual event rather than by request.  For example, if a single request triggers three different Firewall features, the firewall events appear as three individual events in the Activity log.

Share firewall analytics filters

When you add a filter and specify a duration (time window) in firewall analytics, the Cloudflare dashboard URL changes to reflect the parameters included in your filtering. You can share that URL with other users so that they can analyze the same information that you see.


Screenshot showing how the Cloudflare dashboard URL changes when a firewall analytics filter is applied.

Export activity log data

You can export a set of up to 500 raw events from the Activity log section of firewall analytics by clicking the Export button. The data is in JSON format.

Screenshot showing how to export data from the firewall analytics activity log.

This option is useful when you need to combine and analyze Cloudflare data with your own stored in a separate system or database, such as a security information and event management system (SIEM).

The data you export will reflect any filters you have applied.
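The following is an added example, not Cloudflare code, of preparing an exported Activity log file for a SIEM: it regroups the per-feature events by request, marks the security_level / drop events described above, and notes when the file reached the 500-event export limit. Only rule_id, action and the values security_level and drop come from this page; the ray_id, ip and source field names and all sample values are assumptions made for illustration.

```python
import json
from collections import defaultdict

EXPORT_CAP = 500        # the page: an export holds up to 500 raw events
REQUEST_KEY = "ray_id"  # ASSUMED name of the per-request identifier field

# Constructed sample export (not real data). Field names other than
# rule_id and action are assumptions; IPs are documentation addresses.
SAMPLE_EXPORT = json.dumps([
    {"ray_id": "ray-0001", "ip": "192.0.2.10", "source": "waf",
     "rule_id": "rule-a", "action": "log"},
    {"ray_id": "ray-0001", "ip": "192.0.2.10", "source": "firewallrules",
     "rule_id": "rule-b", "action": "challenge"},
    {"ray_id": "ray-0001", "ip": "192.0.2.10", "source": "ratelimit",
     "rule_id": "rule-c", "action": "block"},
    {"ray_id": "ray-0002", "ip": "198.51.100.7", "source": "securitylevel",
     "rule_id": "security_level", "action": "drop"},
    {"ray_id": "ray-0003", "ip": "203.0.113.5", "source": "waf",
     "rule_id": "rule-a", "action": "block"},
])

def is_pre_allowlist_drop(event):
    """True for the User-Agent pattern block that precedes allowlisting."""
    return (event.get("rule_id") == "security_level"
            and event.get("action") == "drop")

def summarize_export(export_text, request_key=REQUEST_KEY):
    """Collapse per-feature firewall events into a per-request summary."""
    events = json.loads(export_text)
    if not isinstance(events, list):
        raise ValueError("expected a JSON array of firewall events")
    by_request, unkeyed = defaultdict(list), []
    for ev in events:
        rid = ev.get(request_key)
        # Events without a request id are counted, not silently dropped.
        (by_request[rid] if rid else unkeyed).append(ev)
    return {
        "event_count": len(events),
        "request_count": len(by_request),
        # One request that tripped several features shows up as several events.
        "multi_event_requests": {
            rid: [(e.get("source"), e.get("action")) for e in evs]
            for rid, evs in by_request.items() if len(evs) > 1},
        "pre_allowlist_drops": sorted(
            rid for rid, evs in by_request.items()
            if any(is_pre_allowlist_drop(e) for e in evs)),
        "unkeyed_events": len(unkeyed),
        # At the cap, the filter probably matched more events than were exported.
        "at_export_cap": len(events) >= EXPORT_CAP,
    }

if __name__ == "__main__":
    print(json.dumps(summarize_export(SAMPLE_EXPORT), indent=2))
```

When at_export_cap is true, narrow the filters or the duration and export again before drawing conclusions from the counts.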

Select visible columns in the activity log

You can configure which columns to display in the Activity log section of firewall analytics by clicking the Edit columns button. This gives you flexibility depending on the type of analysis that you need to perform.

An example use case for this option is when you're trying to diagnose a bot-related issue. You may want to see the user-agent and the source country.

Another example is when you'd like to identify a DDoS attack. You may want to see IP addresses, ASNs, path, and other attributes.

Animated image showing how to edit columns to display in the firewall analytics activity log.

Print or download PDF firewall analytics report

You can print or download a snapshot report from your Firewall Events analytics dashboard by clicking the three-dots icon (...) and selecting Print report.

Note that any filters you have applied are reflected in the printed or downloaded report.

Your web browser's printing interface will present you with options for printing or downloading to PDF.

Screenshot showing how to print a firewall events snapshot report.
