Cloudflare will allow customers to start migrating their zones from WAF managed rules to the new WAF Managed Rulesets.
On May 4, 2022, Cloudflare will start phase 1 of the WAF migration from WAF managed rules to the new WAF Managed Rulesets. You will be able to start the migration process for your eligible zones in the Cloudflare dashboard. WAF Managed Rulesets provide the following benefits:
- Improved detection performance
- Increased configuration flexibility (define custom WAF filters, configure global ruleset overrides)
- Better user experience
- Access to exposed credentials check
Currently, the migration process is always started by you in the Cloudflare dashboard. The migration is irreversible — once you migrate to the new WAF Managed Rulesets, you cannot go back to using WAF managed rules. Once you migrate a zone to the new WAF Managed Rulesets, the Managed rules tab in the Cloudflare dashboard (available in Security > WAF > Managed rules) will display a new interface, and the WAF managed rules APIs will stop working.
Your current managed rules configuration will be migrated to a WAF Managed Rulesets configuration, so that the same protection applies to your zone when you move to the new WAF.
Cloudflare recommends that you check the Activity log in Firewall Analytics in the days following the migration, looking for any legitimate requests being blocked by WAF Managed Rulesets. If you identify any incorrectly blocked requests, you can adjust the corresponding WAF rule action to Log. For more information on changing the action of a Managed Ruleset rule, refer to Configure a single rule in a Managed Ruleset in the WAF documentation.
Cloudflare dashboard changes
After the migration is complete, the Cloudflare dashboard will display the WAF Managed Rulesets interface in Security > WAF > Managed rules, where you can deploy Managed Rulesets and adjust their configuration.
Unlike the WAF managed rules, there is no global on/off button to enable the WAF in the new interface. Instead, you deploy each WAF Managed Ruleset individually in your zone.
For more information about configuring WAF Managed Rulesets in the dashboard, refer to Deploy Managed Rulesets for a zone in the dashboard in the developer documentation.
After the migration, the APIs for interacting with WAF managed rules will stop working. These APIs are the following:
Eligible zones (phase 1)
The migration will occur in phases. Starting on May 4, 2022, the migration will be available to a subset of eligible zones, and it will gradually become available to all eligible zones.
During phase 1 you will be able to migrate zones that fulfill the following requirements:
- The zone has:
  - WAF disabled, or
  - WAF enabled and only the Cloudflare Managed Ruleset is enabled (the OWASP ModSecurity Core Rule Set must be disabled).
- The zone has no firewall rules or Page Rules bypassing, enabling, or disabling WAF managed rules:
  - Firewall rules configured with Bypass > WAF Managed Rules.
  - Page Rules configured with Disable Security.
  - Page Rules configured with Web Application Firewall: Off or Web Application Firewall: On.
- The zone has no URI-controlled WAF overrides (only available via API).
Any zones that do not fulfill these requirements will not be able to migrate during phase 1.
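The phase 1 requirements above can be expressed as a pre-migration check that lists what blocks a zone. This is an added example, not Cloudflare code: the snapshot layout and its key names are hypothetical (fill them in from your own review of the zone), and both sample zones are constructed.

```python
# Added example. The snapshot layout and key names are hypothetical,
# not a Cloudflare API response; both sample zones are constructed.

def phase1_blockers(zone):
    """Return the reasons a zone fails the phase 1 requirements (empty = eligible)."""
    blockers = []

    # WAF must be disabled, or enabled with only the Cloudflare Managed Ruleset.
    if zone.get("waf_enabled"):
        enabled = set(zone.get("enabled_rulesets", []))
        if enabled != {"cloudflare_managed"}:
            blockers.append(f"WAF enabled with rulesets {sorted(enabled)}")

    # No firewall rule may be configured with Bypass > WAF Managed Rules.
    for rule in zone.get("firewall_rules", []):
        if rule.get("action") == "bypass" and "waf" in rule.get("bypass", []):
            blockers.append(f"firewall rule {rule.get('name')!r} bypasses WAF managed rules")

    # No Page Rule may set Disable Security or Web Application Firewall: On/Off.
    for rule in zone.get("page_rules", []):
        for setting in rule.get("settings", []):
            if setting in ("disable_security", "waf_on", "waf_off"):
                blockers.append(f"page rule {rule.get('url')!r} sets {setting}")

    # No URI-controlled WAF overrides (these exist only via the API).
    overrides = zone.get("uri_waf_overrides", [])
    if overrides:
        blockers.append(f"{len(overrides)} URI-controlled WAF override(s)")
    return blockers

ELIGIBLE = {  # constructed sample
    "waf_enabled": True,
    "enabled_rulesets": ["cloudflare_managed"],
    "firewall_rules": [{"name": "block-bots", "action": "block"}],
    "page_rules": [{"url": "example.com/static/*", "settings": ["cache_everything"]}],
}
BLOCKED = {  # constructed sample: fails all four requirements
    "waf_enabled": True,
    "enabled_rulesets": ["cloudflare_managed", "owasp_crs"],
    "firewall_rules": [{"name": "partner-api", "action": "bypass", "bypass": ["waf"]}],
    "page_rules": [{"url": "example.com/upload/*", "settings": ["waf_off"]}],
    "uri_waf_overrides": [{"urls": ["example.com/admin*"]}],
}

if __name__ == "__main__":
    for name, zone in (("eligible", ELIGIBLE), ("blocked", BLOCKED)):
        print(name, phase1_blockers(zone) or "eligible for phase 1")
```

Because the migration is irreversible, keep the list of blockers you resolve so that any exception you removed (a WAF bypass, a Page Rule) can be reviewed against the Activity log after the move.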
In phase 2, which will occur later, all zones will be eligible for migration. This page will be updated with additional information before phase 2 starts.
Starting the migration
1. Log in to the Cloudflare dashboard, and select your account and zone.
2. Go to Security > WAF > Managed rules.
3. In the update banner, click Update now. This banner is only displayed in eligible zones.
4. In the pop-up dialog, confirm that you wish to start the migration from WAF managed rules to WAF Managed Rulesets by clicking Update. The migration is irreversible.
After confirming the operation, the migration will start.
The migration process may take a couple of minutes. When the migration finishes, the dashboard will display the new WAF Managed Rulesets interface in Security > WAF > Managed rules. To check if the migration has finished, refresh the dashboard.