Firewall Tab

A firewall is a security system that monitors and controls network traffic based on a set of security rules. Firewalls decide whether to allow incoming and outgoing traffic to pass through.

a) Overview -> Shows Firewall Analytics: a graph report of the firewall events that have been executed. The graph report is only generated in the PRO plan.

In the Pro plan we also get a breakdown of firewall events by IP address, path, browser, country and so on.

b) Managed Rules -> This is where the WAF (Web Application Firewall) lives. This option only exists in the PRO plan. The Web Application Firewall provides enhanced security through a built-in ruleset that stops a wide range of application attacks. A WAF creates a shield between a web app and the Internet, and this shield helps mitigate many common attacks such as SQL injection and cross-site scripting (XSS). WAF security detects and filters out threats that could degrade, compromise, or expose online applications, including denial-of-service (DoS) attacks.
The WAF enables the following packages:
1) Cloudflare Managed Ruleset - Cloudflare recommends always leaving Cloudflare Specials enabled. Additionally, enable only the rule groups that correspond to your technology stack. For example, if we use WordPress, enable the Cloudflare WordPress group.
If you encounter issues caused by the WAF, this guide explains how to diagnose and fix them by tuning your WAF configuration -> https://support.cloudflare.com/hc/articles/115000223771

2) OWASP ModSecurity Core Rule Set - There are 4 Sensitivity options:
a) High → large file uploads trigger the WAF.
b) Medium
c) Low → Cloudflare recommends initially setting the WAF Sensitivity to Low and reviewing for false positives (legitimate requests detected and filtered as malicious) before further increasing the Sensitivity.
d) Off → disables the entire OWASP package including all its rules.
3) Customer Requested Rules - Customer Requested Rules (Custom WAF Rules) are deprecated in favor of Firewall Rules.
4) DDoS Protection - Enabled by default for all Cloudflare plans, whether Free or Pro.

c) Firewall Rules - Here we can create custom rules. Cloudflare Firewall Rules offer power and flexibility by targeting HTTP traffic and applying custom criteria to block, challenge, log, or allow certain requests.
Free Plan - Get an option to add 5 firewall rules
Pro Plan - Get an option to add 20 firewall rules
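To make the block/challenge/log/allow semantics concrete, here is an added example (not Cloudflare's code or syntax) that evaluates an ordered list of rules against constructed requests. The ordering model is an assumption of the example: rules are checked top to bottom, a matching "log" rule records a hit and keeps going, the first matching terminating action (allow, block, challenge) decides, and a request nothing terminates is allowed. The office IP range, the placeholder country code "XX" and the rule descriptions are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed request record; the field names mirror the request properties a
# firewall rule expression typically matches on (client IP, country, path).
@dataclass
class Request:
    ip: str
    country: str
    path: str

@dataclass
class Rule:
    description: str
    match: Callable[[Request], bool]
    action: str  # one of "allow", "block", "challenge", "log"

TERMINATING = {"allow", "block", "challenge"}

def ip_in(cidrs: List[str]) -> Callable[[Request], bool]:
    """Predicate for 'client IP is inside one of these ranges'."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.ip) in n for n in nets)

def evaluate(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Evaluate rules in order (assumed model, see lead-in). A matching 'log'
    rule records its description and continues; the first matching terminating
    action decides the request. With no terminating match the request is
    allowed."""
    logged: List[str] = []
    for rule in rules:
        if not rule.match(req):
            continue
        if rule.action in TERMINATING:
            return rule.action, logged
        logged.append(rule.description)
    return "allow", logged

# Constructed values: a documentation IP range and a placeholder country code.
OFFICE = ip_in(["203.0.113.0/24"])
HIGH_RISK_COUNTRIES = {"XX"}  # placeholder, not a real ISO code

RULES = [
    Rule("allow admin from office range",
         lambda r: r.path.startswith("/wp-admin") and OFFICE(r), "allow"),
    Rule("block admin from everywhere else",
         lambda r: r.path.startswith("/wp-admin"), "block"),
    Rule("log traffic from high-risk countries",
         lambda r: r.country in HIGH_RISK_COUNTRIES, "log"),
    Rule("challenge logins from high-risk countries",
         lambda r: r.country in HIGH_RISK_COUNTRIES and r.path == "/login",
         "challenge"),
]

if __name__ == "__main__":
    for req in (Request("203.0.113.7", "US", "/wp-admin/"),
                Request("198.51.100.9", "XX", "/login")):
        print(req, "->", evaluate(RULES, req))
```

The order matters: the office allow rule sits above the admin block rule, so swapping them would lock the office out of the admin area. When building real rules, put the narrow exemptions first and the broad blocks after them, and use log rules to measure a new rule's hit rate before promoting it to block or challenge.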

d) Bots - Bot Fight Mode is a simple, free product that helps detect and mitigate bot traffic on our domain.

NOTE - We can see bot-related actions by going to Firewall > Overview. Any requests challenged by this product will be labeled Bot Fight Mode in the Service field.

For FREE Plan - Simply set it to ON
For PRO Plan - We have the option "Configure Super Bot Fight Mode"
For Enterprise Plan - We have the option to view a traffic breakdown and manage bots with simple controls

FREE PLAN - Bot Fight Mode option to just set on or off. It is set to off by default. We should enable this option if we are on the free plan; this will enhance security.
PRO PLAN - Configure Super Bot Fight Mode options. Image is shown below with these options. We can enable the JavaScript detections script for more enhanced security related to bots. We don't have to do anything with the other options.
e) Tools
We have 4 options here:
1) IP Access Rules - Here we can add a rule to allow access to, block, challenge or JavaScript challenge a website or all websites in an account on the basis of country, IP, host etc. Option available in all plans.
2) Rate Limiting - Rate Limiting automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain. It is billable according to usage.
3) User Agent Blocking - We can create a rule to block or challenge a specific User Agent from accessing your zone. 50 rules for pro plan; 10 rules for free plan.
4) Zone Lockdown - Lock down a specific URL on your zone to specific IP addresses. This is useful to protect an admin or protected area from non-specified IP addresses. 3 rules for pro plan; not available for free plan.
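To show what "excessive request rates for specific URLs" means in practice, here is an added example (not Cloudflare's implementation) of a sliding-window rate limiter run over constructed access-log lines. The threshold, window, block period, log format and IP addresses are all assumptions of the example; the point is that a burst of logins from one client trips the limit, the client is blocked for the block period, other paths and other clients are unaffected, and the client is let back in once the block expires.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed access-log lines: "<ISO timestamp> <client ip> <method> <path> <status>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 POST /login 401
2024-01-01T10:00:01 198.51.100.7 POST /login 401
2024-01-01T10:00:02 198.51.100.7 POST /login 401
2024-01-01T10:00:03 198.51.100.7 POST /login 401
2024-01-01T10:00:04 198.51.100.7 POST /login 401
2024-01-01T10:00:05 198.51.100.7 POST /login 401
2024-01-01T10:00:06 203.0.113.5 GET /index.html 200
2024-01-01T10:00:07 198.51.100.7 POST /login 401
2024-01-01T10:01:30 198.51.100.7 POST /login 401
"""

class RateLimiter:
    """Per-client sliding-window counter for one URL prefix (assumed policy shape)."""

    def __init__(self, path_prefix: str, threshold: int,
                 window_seconds: int, block_seconds: int):
        self.path_prefix = path_prefix
        self.threshold = threshold            # requests allowed per window
        self.window = timedelta(seconds=window_seconds)
        self.block = timedelta(seconds=block_seconds)
        self._hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._blocked_until: Dict[str, datetime] = {}

    def decide(self, ts: datetime, ip: str, path: str) -> str:
        if not path.startswith(self.path_prefix):
            return "pass"                     # rule only covers this prefix
        until = self._blocked_until.get(ip)
        if until is not None and ts < until:
            return "block"                    # still inside the block period
        hits = self._hits[ip]
        hits.append(ts)
        while hits and ts - hits[0] >= self.window:
            hits.popleft()                    # drop requests outside the window
        if len(hits) > self.threshold:
            self._blocked_until[ip] = ts + self.block
            hits.clear()
            return "block"
        return "pass"

def run(log_text: str, limiter: RateLimiter) -> List[Tuple[str, str, str]]:
    """Replay log lines in order and return (ip, path, decision) per line."""
    decisions = []
    for line in log_text.splitlines():
        ts_s, ip, _method, path, _status = line.split()
        ts = datetime.fromisoformat(ts_s)
        decisions.append((ip, path, limiter.decide(ts, ip, path)))
    return decisions

if __name__ == "__main__":
    limiter = RateLimiter("/login", threshold=5, window_seconds=10, block_seconds=60)
    for ip, path, decision in run(SAMPLE_LOG, limiter):
        print(f"{ip:14} {path:12} {decision}")
```

Replaying logs this way is also how to size a rule before turning it on: pick the threshold and window, count how many legitimate clients would have been blocked, and adjust until only the abusive bursts trip it. Since Rate Limiting is billed by usage, the replay also gives a rough idea of how many requests the rule will actually evaluate.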

f) Settings
We have 4 options here and all these options are available for all plans.
1) Security Level - Adjust your website’s Security Level to determine which visitors will receive a challenge page. We have several options here. Default option is medium.

2) Challenge Passage - Specify the length of time that a visitor, who has successfully completed a Captcha or JavaScript Challenge, can access your website. It can be from 5 minutes to 1 year. Default is 30 seconds.

3) Browser Integrity Check - Browser Integrity Check looks for requests with HTTP headers commonly used by spammers, bots, and crawlers such as requests with a missing or non-standard user agent. If a threat is found, Cloudflare will present a block page.
NOTE - It may sometimes block API clients, so we disable or enable it accordingly.
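As an added illustration (not Cloudflare's detection logic) of why the check can catch API clients, here is a small header check that blocks requests with a missing user agent or one that belongs to a non-browser HTTP library, and exempts API paths up front so that legitimate programmatic clients keep working. The user-agent prefix list and the "/api/" exemption are assumptions of the example.

```python
from typing import Dict, Tuple

# Constructed heuristic: user-agent prefixes of common non-browser HTTP
# libraries. This is not Cloudflare's signature list.
NON_BROWSER_PREFIXES = ("python-requests/", "curl/", "wget/",
                        "libwww-perl/", "go-http-client/")

def browser_integrity_check(headers: Dict[str, str], path: str,
                            api_prefixes: Tuple[str, ...] = ("/api/",)
                            ) -> Tuple[str, str]:
    """Return ("block" | "pass", reason).

    API paths are exempted first, which is the practical workaround for the
    note above that the check can block API clients (the prefixes are an
    assumption of this example, not a Cloudflare setting)."""
    if any(path.startswith(p) for p in api_prefixes):
        return "pass", "api path exempt"
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    user_agent = lowered.get("user-agent", "").strip()
    if not user_agent:
        return "block", "missing user agent"
    if user_agent.lower().startswith(NON_BROWSER_PREFIXES):
        return "block", "non-browser user agent"
    return "pass", "looks like a browser"

if __name__ == "__main__":
    # Constructed header sets, not captured traffic.
    samples = [
        ({"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}, "/"),
        ({}, "/"),
        ({"user-agent": "curl/8.0.1"}, "/"),
        ({"user-agent": "curl/8.0.1"}, "/api/v1/items"),
    ]
    for hdrs, path in samples:
        print(path, hdrs, "->", browser_integrity_check(hdrs, path))
```

If the API and the site share a hostname, this is the kind of path-based exemption to configure before enabling the check; otherwise the simpler choice the note describes, turning the check off for that zone, is the one that avoids breaking integrations.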

4) Privacy Pass Support - Privacy Pass is a browser extension developed by the Privacy Pass Team to improve the browsing experience for your visitors. Enabling Privacy Pass will reduce the number of CAPTCHAs shown to your visitors.