Cloudflare Web Application Firewall Reviews

I use Cloudflare as a reverse proxy in front of our web part. It is crucial for hiding all traffic with Cloudflare's standard WAF.

For us, the key feature of Cloudflare is DDoS protection and IP hiding, especially since we are a crypto company. We also use rate limiting, particularly for our APIs. Furthermore, we utilize Cloudflare's CDN (cache) functionality, which is not related to security, so I initially skipped mentioning it.

The rate limiting functionality could be enhanced, as we find it somewhat limited.

I have used Cloudflare for approximately two years across different companies.

I have not engaged Cloudflare's technical support, so I cannot comment on it. However, their documentation is comprehensive and reliable.

Neutral

I previously experimented with Azure WAF. In comparison, I find Cloudflare to be easier to implement and more affordable.

The learning curve was steep initially, however, the actual implementation only took about half a day. I first conducted trials with unimportant domains, which took two to three days, before finalizing the setup for our real domain in half a day.

We were a team of three: one responsible for development, another for DevOps, and the third for security.

Cloudflare is cheaper compared to Azure WAF, which I have considered before.

I have previously experimented with Azure WAF.

On a scale from one to ten, I would rate Cloudflare WAF as an eight. I would suggest making the rate limiter functionality better.

The main use cases for Cloudflare Web Application Firewall (WAF) are to protect organizations from attacks by bad actors and hackers. We have a process for this, where we first whitelist employees and third-party clusters to prevent attacks. 

Then, we divide WAF into three main sections: WAF Protect score, WAF score, and threat score. We also make adjustments based on the specific needs of each organization. These are the general steps at a high level. 

Cloudflare WAF is a comprehensive system with many aspects and in-depth documentation that can be tailored to specific client requirements. 

The use cases vary depending on the client, whether they are retail or banking sectors, as each has different needs and requirements. We maintain the WAF configurations based on these specific needs.

There are many incidents we handle daily. We have a large client. We implemented rate limiting and deployed a worker in correlation with the WAF to protect their API endpoints regarding pricing and inventory. 

We successfully mitigated a bot attack with that combination of measures for our customer recently. It is one of the successful mitigation.

Cloudflare is very flexible.

Cloudflare has many features, but the custom rules are the best tool. There are many fields you can use to protect an organization.

There is also a very good system in the managed toolset, with different parts. One is the Cloudflare Managed Ruleset, which protects the application from malicious signatures. 

The second is the OWASP ModSecurity Core Rule Set, which protects from the top ten vulnerabilities and zero-day attacks. 

The third is the anomaly detection checks and credential checks, which identify potential threats like leaked credentials.

There are many other important sections in Cloudflare WAF, like IP access rules, zone lockdown, and user agent blocking. 

Another important feature is rate limiting, which limits specific requests to prevent attacks like brute force attacks on URLs.

These are some of the important features of Cloudflare WAF.

Account-level features would be a very good option. Some clients want to implement the same checks on multiple zones (URLs or websites). Cloudflare recently introduced account-level features, but it's not widely used by clients yet. We are working with Cloudflare on different aspects of zone-level implementation. If account-level features are implemented for certain use cases, it would be a big improvement.

So, pushing more awareness around account-level features would be a plus.

I have been using it for three years now. 

It is a stable product. I would rate the stability a ten out of ten. 

It is a technical process, but for us, it is very easy. We have standards and internal scripts that we use for deployment. It is a very easy process on our side because we have been working on it for three years. But for new users, it might require some learning.

I would rate my experience with the initial setup a nine out of ten, with ten being very easy. Cloudflare WAF is only for public URLs, so it is only for public cloud.

Deploying the WAF itself is a click of a button, but implementing it with a company's or client's specific requirements takes time. The process varies from company to company and client to client, but implementation is very simple.

WAF doesn't directly affect bandwidth costs. It saves costs on protection. However, with the correct setup, it's difficult to determine if it saves costs overall due to the fixed enterprise plan fee. 

The caching system can save bandwidth by caching static content, but WAF itself isn't a major factor in cost savings. There are many other factors involved.

It protects public-facing URLs. That is the biggest advantage.

Overall, I would rate the solution a nine out of ten. 

I'm highly satisfied. It's remarkably user-friendly, enabling me to quickly identify issues, and deploy solutions, and it offers the necessary features. This ease of use makes it efficient in resolving our problems. 

Improvements should be done according to our customer's requirements. 

I have been using Cloudflare Web Application Firewall for more than a year. 

Regarding satisfaction, I would say that typically, we don't require support for the usual setup. We can manage it without significant difficulty. However, a key challenge arises when dealing with numerous integrations with HVAC systems. Depending on the specifics, there might be some configuration mismatches, which necessitate specific support.

They offer an array of features within a single service, including comprehensive functionality for web apps. However, we sometimes struggle to find experts who can help us harness these capabilities effectively. In some instances, their support team may lack the cost-effectiveness needed to address certain challenges, leading customers to consider alternative solutions like Skylight.

As for the typical implementation time for Cloudflare WAF, it usually takes around a week. This initial setup is quite straightforward and rarely poses any issues. The complete setup, including configuration and initial testing, typically extends over a month. However, the precise duration may vary based on the account and specific requirements. Some straightforward setups can be completed within a week.

When it comes to Cloudflare, you can initiate a basic setup within a week, but a more comprehensive implementation with fine-tuned configurations may take longer, potentially up to a month. The exact timeline depends on the intricacies of your specific service and the level of detail required in the configuration for each service.

I believe the pricing is not the best, but it's reasonable and acceptable. We also use the McAfee system in parallel. In terms of pricing, it's okay - not great, but not bad either. It falls in the middle, which is acceptable.

In terms of support licensing, last time, we were searching for a solution, and we considered products from resellers rather than directly from the cloud provider. However, the pricing we encountered was exceptionally high. As a result, we are inclined to select support from the reseller.

Typically, a larger solution is preferable, not a small one. I believe it depends on the project's financial considerations. If the project can benefit from a larger solution and the revenue generated can cover the associated costs, then we opt for that. It's not solely based on the company's size; it's about the customer's business and its specific needs.

When considering the use of a web app, it's crucial to perform a comprehensive self-analysis. This analysis should focus on understanding aspects like bandwidth, connections, and content sessions. By assessing these factors, you can make informed decisions about the most suitable solution. Pricing is a significant component, as it directly impacts your service and, by extension, your business. The challenge with bandwidth is that it's not always within your control, especially when dealing with increased demands. Therefore, before choosing a web app, it's important to conduct a thorough self-analysis. Once you've identified your needs and requirements, you can seek a solution tailored to your specific circumstances. Trying to cover every possible scenario can be a daunting and costly task, so a well-informed and targeted approach is key.

I would rate the solution a nine out of ten.

The primary use case of Cloudflare Web Application Firewall involves setting up DNS zones and implementing zero trust policies.

Cloudflare Web Application Firewall has enhanced security by effectively managing and cutting off unwanted traffic.

Some of the most valuable features of Cloudflare Web Application Firewall include its DNS zone setup and the zero trust policy.

The dashboard could be more user-friendly, and a console approach like Cloudflare CLI could enhance its usability.

We have been using Cloudflare Web Application Firewall for four years.

On a scale from one to ten, the stability of Cloudflare is a nine.

The scalability of Cloudflare is a ten out of ten.

I had to contact technical support twice, and both times, my issues were resolved satisfactorily. Therefore, I rate them a ten out of ten.

Positive

The initial setup was straightforward, taking only five minutes using Terraform.

From my perspective, the price of Cloudflare Web Application Firewall is quite affordable, rating around an eight or nine.

I highly recommend Cloudflare Web Application Firewall due to its extensive knowledge base and ease of integration with Terraform.

I'd rate the solution ten out of ten.

It is used in the banking sector.

Cloudflare WAF provides protection through rules and functionalities like Cloudflare's SDRAP. Machine learning enables numerous policies that protect traffic flowing through Cloudflare's CDN and endpoints of the application. Additionally, specific protections are implemented against DDoS attacks and to block suspicious IP addresses attempting to access the sites.

Cloudflare provides numerous ready-to-use policies that can be easily enabled with minimal configuration. One such policy is WAF, which includes predefined rulesets for common threats like DDoS attacks. These policies are pre-configured for immediate use, making tuning straightforward. Adjustments may be needed for specific configurations, but the majority are ready to be deployed directly.

Support can be challenging at times. Personally, I recently had an issue with costs and contacted support—they promptly resolved my problem. However, understanding features can be more complex. While much information is freely available, for specific needs, professional support might be necessary and could pose difficulties, if there isn't an in-house engineering team. Despite this, Cloudflare facilitates easy development of custom functionalities. Alternatively, engaging with dedicated communities can also yield valuable insights with the right investment of time.

I have been using Cloudflare Web Application Firewall as an integrator for one year.

Sometimes, as a software vendor, Cloudflare needs to upgrade their software, which can encounter faults but resolve such issues.

I rate the solution's stability an eight out of ten.

The solution is scalable. I rate the solution's scalability a nine out of ten. 

It's challenging to find technical expertise, for technical issues. While there is a network for sales, finding knowledgeable technical support can be difficult.

Neutral

This level of protection is essential, whether the website is an e-commerce platform or simply a gateway for customers accessing banking services. Maintaining visibility and ensuring the site is consistently up and running are critical requirements for such services.

Integration is quite easy when migrating DNS to Cloudflare, as they manage DNS implementation. Once DNS is set up, traffic redirection to their platform is straightforward. However, it's important to manage your IP addresses carefully, possibly using additional tools or configurations to ensure they are properly protected and directed.

Cloudflare leverages AI-driven solutions, with policies set using machine learning, which forms the foundation of their AI capabilities. They offer AI functionalities for developers looking to optimize or distribute their applications, such as Workers, a serverless solution enabling application deployment without the need for dedicated machines. This setup is also AI-enabled, enhancing its capabilities

Overall, I rate the solution a nine out of ten.

The primary use case for Cloudflare Web Application Firewall involves comprehensive security functionality across various access protocols. The system acts as a gateway, managing authentication, authorization pass-through, and traffic routing based on regional considerations. It encompasses web component modules and a reverse web application firewall, allowing secure authorization and authentication processes based on particular application sets.

The product has a valuable security control functionality. It monitors authorization processes to identify and address potential errors. We can view different components and prerequisites simultaneously, including time stamps, peak time, load time, etc. We only have to ensure that we have scaled all the authentication measures as per requirements.

The platform's control features related to real-time authentication and response time need improvement.

I rate Cloudflare Web Application Firewall a seven out of ten.

We use Cloudflare Web Application Firewall for verification of applications from various domains. Also protecting the server from exposure by implementing the Proxy Server feature on front end i.e. on client's side. Also implemented both hosts based & Cloud based WAF. 

We are required to follow a specific and separate set of rules for web applications for DDoS attacks while working with AWS and Azure. Instead, there could be an option to duplicate the cluster to maintain the consistency of rules.

We have been using Cloudflare Web Application Firewall for three to four years.

I rate Cloudflare Web Application Firewall's stability a nine out of ten.

It is a scalable platform. Although it lacks some features. We have two to three users for it. I rate its scalability an eight out of ten.

The initial setup process is simple.

I implemented the product myself.

Cloudflare Web Application Firewall has certain limitations for rules. I rate it a seven out of ten.

We use the solution to protect web applications.

The solution is easy to use.

Sometimes, it is challenging to access our applications using the solution. They should work on this particular area. Also, its availability needs improvement.

We have been using the solution for two years.

We encounter stability issues regarding the solution's availability to access applications.

We have 200 solution users in our organization. We use it extensively and plan to increase the usage.

We contact our service provider for any technical issues with the solution.

The solution's deployment takes two to three days to complete.

Our service provider helps us install the solution.

The solution is expensive. We purchase a yearly based license for it.

I recommend the solution to others and rate it a six out of ten.