How to set your Cloudflare firewall to simulate firewall event actions

This is a high level guide of how to set your firewall in Cloudflare to simulate firewall event actions. This means that the firewall will only take note and log events and the action it would have taken.
This is very useful when you want to customise the Web Application Firewall around your organisation’s business processes, so that you can identify and continue to allow legitimate requests to pass.
You can view this process, as looking for “false negatives”, and working backwards to customise them to your business.
Typically, these would be the options you would have within the firewall.

  • Simulate: Logs the event and does not block or challenge the visitor (you can still decide to set to a block or challenge after review of the event).
  • Block: Block will block visitors from that IP from accessing the site. 
  • Challenge: Will display a challenge (captcha) page before the visitor can enter the site.

How to set your Cloudflare to simulate firewall events

Step 1 – Go to the “Firewall” tab

Step 2 – Click on the “Web Application Firewall” sub tab

Step 3 – Make sure your Web Application Firewall is set to Off

As we are simulating firewall events, let’s first make sure your Web Application Firewall is set to Off. This is set to “Off” by default, so you can customise and switch it on when you are ready.

Step 4 – Let’s review your Web Application Firewall settings and set to Simulate

Step 4.1 – Review your “Package: Cloudflare Rule Set”

Let’s review your “Package: Cloudflare Rule Set”. You will be able to review when you click on the “Rule Details” link. It’ll expand and give you a list of the rule groups you can switch on/ off.
If you get stuck and can’t find it, copy this link below and put in your domain here.

Step 4.2 – Review “Package: Cloudflare Rule Set” Rule Details

You should now see a set of Cloudflare Rule Sets that you can switch on and off. 
Cloudflare Flash, Cloudflare Php, Cloudflare Specials and Cloudflare WordPress will be the rules are set to on by default. 

Step 4.3 – Explore the ruleset groups to deep dive and configure

You can click on the group name to configure each ruleset group further. You will want to do this depending on your organisation’s business needs. 
The goal here is to customise the settings so that you can get the highest possible security settings while not compromising on your normal required business operations. This is where the “Simulate” function will come in handy.

Step 4.4 – Configure your Cloudflare settings for your rulesets

Depending on your business again, you can configure your Cloudflare settings. I will use Cloudflare Flash ruleset as an example.
Once you click the Cloudflare ruleset, you will see a list of rules and options on how to configure it.
Then you can change the mode from “Default” to a preferred option. There is some details on what this “Default Mode” is in the column next to “Mode”.
For the purpose of this exercise, we will then set the Mode to “Simulate”.
Here are what the options mean:
  • Simulate: Logs the event and does not block or challenge the visitor (you can still decide to set to a block or challenge after review of the event).
  • Block: Block will block visitors from that IP from accessing the site. 
  • Challenge: Will display a challenge (captcha) page before the visitor can enter the site.
  • Disable: Will simply turn off this particular rule
Continue to do the same with the other rules and rulesets that are available. Some of these rule and rulesets you will already know how you want to configure it based on your business needs. Others, you may really want to set to simulate to make sure.

Step 5 – Review the OWASP ruleset package as well

Next, review the “Package: OWASP ModSecurity Core Rule Set” and configure it accordingly. For starting off, you can start with the simulate mode to get things started.

What is OWASP?

This package consists of rulesets derived from the OWASP ModSecurity Core Rule Set. These provide an easily pluggable set of generic attack detection rules that provide a base level of protection for any web application.
The OWASP rules operate in scoring threshold mode: each match against a rule increases the threat score of that request. Once a request exceeds a configurable sensitivity threshold (off, low, or high), the action is taken. This action can be simulate (create a log entry but do not block the request), challenge (present the user with an in-browser challenge page, and log), or block (reject the request and log).
Individual rule groups within the OWASP package can be enabled or disabled in “rule details”, after which rules can be managed at the individual rule level through the advanced option.

Step 6 – When you are ready, switch your Web Application Firewall is set to On

Step 7 – Review the Web Application Firewall results

Under the “Traffic” tab. You can scroll down until you see the “Firewall Events” section. This is where you will find the simulated, challenged firewall events.

Step 8 – Review and update settings

Keep iterating and reviewing settings until you are comfortable.


How to set up your website to Cloudflare Enterprise plan

I wrote this guide for those who are looking to set up your website on Cloudflare Enterprise’s plan. To make it easier to make sense of the process.
Here are the steps to add new domains as Enterprise to Cloudflare below:

Adding new domains as Enterprise to Cloudflare

Step 1 – Add your site

When you would like to add a new domain to your Cloudflare account, go through the normal “Add site” process. That is, in once you log in, click on the “Add site” link in the top right.

Step 2 – Select Enterprise

You will then be presented and asked to choose your Cloudflare Plan. Here you will be shown the number of remaining Enterprise Plan slots you have remaining. Select “Enterprise Website” and then select “Continue”.

Step 3  – Change Your Nameservers to Cloudflare

You will then be presented with details on Nameservers that you can set up for Cloudflare to be your authoritative DNS nameserver. Update your name servers accordingly.

Step 4 – Check the status in your Cloudflare portal 

Check to make sure your website is set up on Cloudflare.

Step 5 – Give time for traffic to migrate to new name servers

Wait and allow up to 24 hours for changes to be processed. As per details specified on the page.
There will be no downtime when you switch your name servers. Traffic will gracefully roll from your old name servers to the new name servers without interruption. Your site will remain available throughout the switch.


How to set up Incapsula Free CDN to your website

I wanted to explore how online providers such as Incapsula can increase my performance and security on my website. So I am testing their CDN Content Delivery Network.
Here are the steps that I took to get set up with Incapsula.

Step 1 – Add your website

Step 2 – Scanning records

Incapsula will then scan your website

Step 3 – Configure your DNS Settings

This step involves changing your DNS settings.

Step 4 – Wait, Confirm that everything is setup and your website is live

Wait a few minutes and check to see if it takes effect. This can take time since DNS generally takes time to propagate. That said, CDN providers will have a system in place to ensure you don’t receive any downtime.

I waited less than 3-5 minutes, then I saw it went fully live again.  This will vary as some may or may not see any downtime at all. Please note that I was receiving some DNS errors during that time.

Step 5 – Confirmation 

You should then see no more references to “Pending DNS changes” once it is live.

Here’s a set up video I found on youtube from Incapsula on how to set this up as well.

How to set up your website on Incapsula

You should receive a welcome email. Here’s a copy of the welcome email from the Incapsula team

Welcome email from Incapsula

Hello Vu,
We are glad to notify you that we detected that the DNS changes for were performed successfully.
From this point on, your website’s traffic will start routing through Incapsula. It can take up to 48 hours for all your traffic to route through Incapsula, depending on your DNS settings.
You will start seeing your website’s analytics on Incapsula within a few hours.
We are confident that you will enjoy Incapsula’s service:
Under the “Dashboard”, you’ll find 4 different tabs:

  1. Use the “Traffic” tab to review the stats of your incoming traffic and bandwidth
  2. Use the “Security” tab to learn about the threats to your website and latest security events
  3. Use the “Performance” tab to learn what percentage of your bandwidth was cached and saved
  4. Use the “Activity Log” tab to get the details of each of the threats your website has encountered

Under the “Events”, you’ll find detailed information about your website visitors, human or bot.
Under the “Settings”, you can define site, DNS, security reports, notifications and permissions settings for your website.
The Incapsula Team

You should then see these details, it is not populated quite yet, as I have just added the site within the last 10 minutes. But worth seeing what to expect and the default settings.

Incapsula – Traffic tab

Incapsula – Security tab

Incapsula – Performance tab

Incapsula – Real time tab (not available on free plan)

Incapsula – Activity log

Incapsula – Event tab

Incapsula – Settings tab

Incapsula – General Settings

Incapsula – Security Settings

Incapsula – WAF Threat Settings

Incapsula – Notifications