How to set your Cloudflare firewall to simulate firewall event actions

This is a high level guide of how to set your firewall in Cloudflare to simulate firewall event actions. This means that the firewall will only take note and log events and the action it would have taken. This is very useful when you want to customise the Web Application Firewall around your organisation’s business processes, so that you can identify and continue to allow legitimate requests to pass. You can view this process, as looking for “false negatives”, and working backwards to customise them to your business. Typically, these would be the options you would have within the firewall.

  • Simulate: Logs the event and does not block or challenge the visitor (you can still decide to set to a block or challenge after review of the event).
  • Block: Block will block visitors from that IP from accessing the site. 
  • Challenge: Will display a challenge (captcha) page before the visitor can enter the site.

How to set your Cloudflare to simulate firewall events

Step 1 – Go to the “Firewall” tab

Step 2 – Click on the “Web Application Firewall” sub tab

Step 3 – Make sure your Web Application Firewall is set to Off

As we are simulating firewall events, let’s first make sure your Web Application Firewall is set to Off. This is set to “Off” by default, so you can customise and switch it on when you are ready.

Step 4 – Let’s review your Web Application Firewall settings and set to Simulate

Step 4.1 – Review your “Package: Cloudflare Rule Set”

Let’s review your “Package: Cloudflare Rule Set”. You will be able to review when you click on the “Rule Details” link. It’ll expand and give you a list of the rule groups you can switch on/ off. If you get stuck and can’t find it, copy this link below and put in your domain here. https://www.cloudflare.com/a/firewall/YOURDOMAIN.com/waf#

Step 4.2 – Review “Package: Cloudflare Rule Set” Rule Details

You should now see a set of Cloudflare Rule Sets that you can switch on and off. 
Cloudflare Flash, Cloudflare Php, Cloudflare Specials and Cloudflare WordPress will be the rules are set to on by default. 

Step 4.3 – Explore the ruleset groups to deep dive and configure

You can click on the group name to configure each ruleset group further. You will want to do this depending on your organisation’s business needs. 
The goal here is to customise the settings so that you can get the highest possible security settings while not compromising on your normal required business operations. This is where the “Simulate” function will come in handy.

Step 4.4 – Configure your Cloudflare settings for your rulesets

Depending on your business again, you can configure your Cloudflare settings. I will use Cloudflare Flash ruleset as an example.
Once you click the Cloudflare ruleset, you will see a list of rules and options on how to configure it.
Then you can change the mode from “Default” to a preferred option. There is some details on what this “Default Mode” is in the column next to “Mode”.
For the purpose of this exercise, we will then set the Mode to “Simulate”.
Here are what the options mean:
  • Simulate: Logs the event and does not block or challenge the visitor (you can still decide to set to a block or challenge after review of the event).
  • Block: Block will block visitors from that IP from accessing the site. 
  • Challenge: Will display a challenge (captcha) page before the visitor can enter the site.
  • Disable: Will simply turn off this particular rule
Continue to do the same with the other rules and rulesets that are available. Some of these rule and rulesets you will already know how you want to configure it based on your business needs. Others, you may really want to set to simulate to make sure.

Step 5 – Review the OWASP ruleset package as well

Next, review the “Package: OWASP ModSecurity Core Rule Set” and configure it accordingly. For starting off, you can start with the simulate mode to get things started.

What is OWASP?

This package consists of rulesets derived from the OWASP ModSecurity Core Rule Set. These provide an easily pluggable set of generic attack detection rules that provide a base level of protection for any web application. The OWASP rules operate in scoring threshold mode: each match against a rule increases the threat score of that request. Once a request exceeds a configurable sensitivity threshold (off, low, or high), the action is taken. This action can be simulate (create a log entry but do not block the request), challenge (present the user with an in-browser challenge page, and log), or block (reject the request and log). Individual rule groups within the OWASP package can be enabled or disabled in “rule details”, after which rules can be managed at the individual rule level through the advanced option.

Step 6 – When you are ready, switch your Web Application Firewall is set to On

Step 7 – Review the Web Application Firewall results

Under the “Traffic” tab. You can scroll down until you see the “Firewall Events” section. This is where you will find the simulated, challenged firewall events.

Step 8 – Review and update settings

Keep iterating and reviewing settings until you are comfortable.
]]>