Cloudflare Web Application Firewall Reviews

We use this solution to protect our websites and services.

The solution prevented several attacks, such as Log4j two years ago when it emerged as a major vulnerability. 

Cloudflare Web Application Firewall released protective rules a few hours after we discovered the potential problem and provided protection.

The firewall has rate-limiting, managed, and custom firewall rules.

Some of the features we’re using to a limited extent because they require an extra subscription. We have just the basic one. For example, advanced rate-limiting features are available, but we only use basic rate-limiting. 

We mainly use custom and managed firewall rules, which work well for us. We also use DDoS protection, which is probably one of the main features of the Cloudflare solution. DDoS protection was the initial thing we signed up for Cloudflare to protect our exposed web services and sites.

We also use Cloudflare DNS, logs, and analytics.

Cloudflare is evolving so quickly that we can't even keep up. In the past two years, they have released two major upgrades to their Web Application Firewall. 

However, the notification part could be improved. It's very much connected to Web Application Firewall, rate-limiting, and DDoS protection. 

The notification could be better configurable. Sometimes it makes too much noise. It should have better threshold handling or some setup features, which could set some thresholds because it tries to do it automatically. So, sometimes it just notifies about things that are not worth noticing and vice versa.

I have been using Cloudflare Web Application Firewall for two years. We are using the latest version of this solution.

We extensively use the solution every day. The solution is very stable; we haven’t seen any glitches.

I rate the solution’s stability a nine out of ten.

The solution is very scalable.

You can have multiple zones (domains), and manage them in Web GUI or using APIs.

They have pretty good documentation regarding APIs and in case you have a lot of zones you can automate their management via API calls/scripts, etc.

I rate the solution’s scalability a nine or ten out of ten.

The solution works 24/7 in front of our web service. I don't have to touch it every day, as it functions automatically. Once you set it up, it's done.

I login into the service daily to verify the alerts it has sent to us. Sometimes notifications are noisy, but I still look into each one to see if it's worth taking action.  The firewall itself functions around the clock.

The support is really good and helpful.

We switched to Cloudflare because DDoS and other scanning attacks were increasing in 2020. We had several DDoS attacks on our sites and needed a solution. 

We also looked at some local telecom solutions in the Baltics, but they were not well-functioning for us. Then, one of our engineers suggested that we use Cloudflare, and it was a great decision. Layer 3/4 DDoS attacks were no longer a problem after we deployed Cloudflare. In fact, DDoS attacks are on the rise worldwide, forcing us to start looking for more serious protective measures.

The initial setup is rather easy. I rate my experience with the initial setup an eight on a scale of ten, where ten is easy and one is difficult.

We have dozen of sites, and the firewall itself was deployed seamlessly. Setting up some additional configurations took some time.

While the file firewall deployed so to say "itself", we had to deal with transferring our sites and services behind it.

There were two main tasks - migrate DNS records and set up new TLS certificates as Cloudflare acts of us as a reverse proxy. There are specific TLS certificates between our sites and Cloudflare as and we cannot use for example LetsEncrypt anymore because our sites are no longer exposed directly to the internet.

So all-in-all it took around one-two months to get a dozen of domains behind Cloudflare WAF. And that's mainly not because of Cloudflare but our own organizational complexity.

We did the implementation ourselves but with the help of Cloudflare's support team. Their support is very good.

Since we are an Eastern European company, the solution is relatively expensive for us. We have to get used to it. Some features like Bot Management software we would like to use are still out of our budget. I would rate it three out of ten, where one is expensive, and ten is cheap.

There are no other expenses around the standard licensing cost. The support is included. When I get some questions, they're not charged separately.

We compared offers from two other providers as well. One was a local telecom provider and the other was Akamai.

I would definitely recommend using the solution.

Overall, I rate the solution a nine out of ten.

The primary use case of Cloudflare Web Application Firewall involves setting up DNS zones and implementing zero trust policies.

Cloudflare Web Application Firewall has enhanced security by effectively managing and cutting off unwanted traffic.

Some of the most valuable features of Cloudflare Web Application Firewall include its DNS zone setup and the zero trust policy.

The dashboard could be more user-friendly, and a console approach like Cloudflare CLI could enhance its usability.

We have been using Cloudflare Web Application Firewall for four years.

On a scale from one to ten, the stability of Cloudflare is a nine.

The scalability of Cloudflare is a ten out of ten.

I had to contact technical support twice, and both times, my issues were resolved satisfactorily. Therefore, I rate them a ten out of ten.

Positive

The initial setup was straightforward, taking only five minutes using Terraform.

From my perspective, the price of Cloudflare Web Application Firewall is quite affordable, rating around an eight or nine.

I highly recommend Cloudflare Web Application Firewall due to its extensive knowledge base and ease of integration with Terraform.

I'd rate the solution ten out of ten.

It is used in the banking sector.

Cloudflare WAF provides protection through rules and functionalities like Cloudflare's SDRAP. Machine learning enables numerous policies that protect traffic flowing through Cloudflare's CDN and endpoints of the application. Additionally, specific protections are implemented against DDoS attacks and to block suspicious IP addresses attempting to access the sites.

Cloudflare provides numerous ready-to-use policies that can be easily enabled with minimal configuration. One such policy is WAF, which includes predefined rulesets for common threats like DDoS attacks. These policies are pre-configured for immediate use, making tuning straightforward. Adjustments may be needed for specific configurations, but the majority are ready to be deployed directly.

Support can be challenging at times. Personally, I recently had an issue with costs and contacted support—they promptly resolved my problem. However, understanding features can be more complex. While much information is freely available, for specific needs, professional support might be necessary and could pose difficulties, if there isn't an in-house engineering team. Despite this, Cloudflare facilitates easy development of custom functionalities. Alternatively, engaging with dedicated communities can also yield valuable insights with the right investment of time.

I have been using Cloudflare Web Application Firewall as an integrator for one year.

Sometimes, as a software vendor, Cloudflare needs to upgrade their software, which can encounter faults but resolve such issues.

I rate the solution's stability an eight out of ten.

The solution is scalable. I rate the solution's scalability a nine out of ten. 

It's challenging to find technical expertise, for technical issues. While there is a network for sales, finding knowledgeable technical support can be difficult.

Neutral

This level of protection is essential, whether the website is an e-commerce platform or simply a gateway for customers accessing banking services. Maintaining visibility and ensuring the site is consistently up and running are critical requirements for such services.

Integration is quite easy when migrating DNS to Cloudflare, as they manage DNS implementation. Once DNS is set up, traffic redirection to their platform is straightforward. However, it's important to manage your IP addresses carefully, possibly using additional tools or configurations to ensure they are properly protected and directed.

Cloudflare leverages AI-driven solutions, with policies set using machine learning, which forms the foundation of their AI capabilities. They offer AI functionalities for developers looking to optimize or distribute their applications, such as Workers, a serverless solution enabling application deployment without the need for dedicated machines. This setup is also AI-enabled, enhancing its capabilities

Overall, I rate the solution a nine out of ten.

The primary use case for Cloudflare Web Application Firewall involves comprehensive security functionality across various access protocols. The system acts as a gateway, managing authentication, authorization pass-through, and traffic routing based on regional considerations. It encompasses web component modules and a reverse web application firewall, allowing secure authorization and authentication processes based on particular application sets.

The product has a valuable security control functionality. It monitors authorization processes to identify and address potential errors. We can view different components and prerequisites simultaneously, including time stamps, peak time, load time, etc. We only have to ensure that we have scaled all the authentication measures as per requirements.

The platform's control features related to real-time authentication and response time need improvement.

I rate Cloudflare Web Application Firewall a seven out of ten.

We use Cloudflare Web Application Firewall for verification of applications from various domains. Also protecting the server from exposure by implementing the Proxy Server feature on front end i.e. on client's side. Also implemented both hosts based & Cloud based WAF. 

We are required to follow a specific and separate set of rules for web applications for DDoS attacks while working with AWS and Azure. Instead, there could be an option to duplicate the cluster to maintain the consistency of rules.

We have been using Cloudflare Web Application Firewall for three to four years.

I rate Cloudflare Web Application Firewall's stability a nine out of ten.

It is a scalable platform. Although it lacks some features. We have two to three users for it. I rate its scalability an eight out of ten.

The initial setup process is simple.

I implemented the product myself.

Cloudflare Web Application Firewall has certain limitations for rules. I rate it a seven out of ten.

We use the solution to protect web applications.

The solution is easy to use.

Sometimes, it is challenging to access our applications using the solution. They should work on this particular area. Also, its availability needs improvement.

We have been using the solution for two years.

We encounter stability issues regarding the solution's availability to access applications.

We have 200 solution users in our organization. We use it extensively and plan to increase the usage.

We contact our service provider for any technical issues with the solution.

The solution's deployment takes two to three days to complete.

Our service provider helps us install the solution.

The solution is expensive. We purchase a yearly based license for it.

I recommend the solution to others and rate it a six out of ten.

I am using Cloudflare Web Application Firewall to develop web applications and mobile applications for a business belonging to the manufacturing industry which wishes to migrate its entire applications from its existing AWS system to Cloudflare.

The enterprise bundle includes a variety of features, such as a Web Application Firewall, rate limiting, CDN, DDoS protection, remote management, performance monitoring, and more. It is a really nice product.

The additional features I wish to see in the next release include rate limiting on Cloudflare Web Application Firewall and advanced DDoS protection. The current product is highly explorable and does not have many limitations. However, there are some limitations in terms of administrative privileges and the way it manages auto-alerts.

Cloudflare needs to improve its customer support for Indian customers and work on the monitoring and reporting features.

I am a reseller and a direct user. I have been working on the enterprise version of Cloudflare Web Application Firewall for the past year.

The product is stable, and we have been working with a customer who uses it for their manufacturing and connecting car applications, as well as some API-related systems. The customer was previously using AWS Web Application Firewall. However, they have now decided to switch to Cloudflare. In Cloudflare, the rate-limiting feature helps protect against attacks and mitigates brute-force attacks. The DDoS mechanism automatically defends against DDoS attacks. Cloudflare's Web Application Firewall also has 700 signatures and provides intelligence on 10 vulnerabilities. It offers IP, URI, and domain-based filtering options.

The solution is not deployed in my company, but it is used in the company of one of my customers. The customer I mentioned has around 12,000 users working on this solution. I rate the scalability a 10 out of 10.

I have experienced some difficulties with Cloudflare's support as a customer based in India. Despite the company offering 24/7 support, I feel that administrative support does not meet the expectations of its customers.

Neutral

I previously worked with an on-premise version of the F5 tool more than five years ago, and at that time, the concept of SaaS was not prevalent. Currently, the Cloudflare product is considered to be a SaaS-based product since they have CDN, which is different from my previous experience with the F5 tool. Since it has been a long time since I worked with the on-premises version, I am unable to provide a relevant comparison between the two.

I find the deployment process for Cloudflare's firewall to be very smooth. Someone with a basic understanding of networking and security will be able to implement the firewall's basic features within 15 minutes. The deployment of a new domain on Cloudflare can be completed within 15 minutes if the necessary administrative authority and support from the DNS team are available during the process. It also includes the time needed for domain registration. We are working for an ITSM organization and have multiple administrators. During the deployment phase of the solution in the organization, we have limited the number of administrators to just five to ten individuals. We also arranged a few KT sessions to help the company employees who are involved in working with this solution. As of now, they have started working on the tool.

In terms of the licensing cost perspective, it is a subscription-based pricing model. Usually, customers opt for a yearly subscription. However, I don't have a specific or exact figure on the actual cost. Cloudflare offers different types of subscriptions for businesses, enterprises, and personal users, and the pricing is negotiable. The enterprise-level subscription provides multiple options, such as the ability to enable advanced Web Application Firewall and DDoS protection. This means that customers have multiple subscription options.

To effectively use Cloudflare Web Application Firewall, it is important for a person to have an internet connection, an understanding of the internet, how the DNS works, and how websites and their administration domains function. I rate this solution a nine out of ten.

Our use case of this solution is to secure our web applications hosted on Cloudflare. I'm a security operations analyst and we are customers of Cloudflare. 

This solution does a good job of preventing web application attacks, SQL injections, and cross-site scripting attacks. We know it's doing a good job because we've tested it. 

The reporting could be improved if it were more granular. Fortigate Firewall, for example, shows all the events at a glance with different fields on a table; you can scroll through for patterns and look at all events. That's not possible with CloudFlare where I need to analyze a report that summarizes all the data. It requires exporting the report as a CSV file, analyzing it in Excel, and then going into CloudFlare to carry out a deeper analysis. If I could do that high-level analysis from the web console and then drill down specific events, it would be a great feature that would improve this product. 

I've been using this solution for seven months. 

The solution is stable, we haven't had any downtime. 

The solution is easily scalable. 

I previously used Imperva Web Application Firewall. For tracking metrics, I think CloudFlare does a better job with its graphs and the user interface. Its web console presents those metrics in an easily readable manner and it does that better than Incapsula or Imperva. I think Imperva speaks more to security, and preventing attacks and is more focused on details about the attacks. CloudFlare does more because it shows your availability metrics, traffic metrics, and security metrics. In terms of the user interface, I'd say that CloudFlare does a better job in reporting.

There is some maintenance required when it comes to updates and we periodically have to review the rules sets which require going into the list of rules and finding those connected to that particular view and then enabling them in your environment. We have three admins working on this product. We use the solution on a daily basis. 

If you're going to be reporting heavily and want to leverage the reporting features to measure the performance of your websites, then CloudFlare does that very well.

I rate this solution eight out of 10. 

I use Cloudflare Web Application Firewall to stop attacks on web application firewalls.

The product has improved our security posture by blocking bad actors.

The blocked logs are difficult to read at times.

I rate the solution's stability a ten out of ten.

I rate the product's scalability a ten out of ten.

I have not used technical support.

Cloudflare Web Application Firewall's deployment was easy.

The tool's ROI is pretty immediate.

We evaluated the Amazon Web Application Firewall.

I rate the product a ten out of ten.

We have multiple customers using the solution for a WAF. It's also a firewall. Unlike others, where you have to purchase multiple solutions, Cloudflare has everything under one solution. It handles load balancing, CDN, order routing, DDoS protection, and more under one solution. 

We like that everything is covered under one solution instead of having to buy multiple solutions and put them together. 

We like that there's load balancing, firewall capabilities, DDoS protection, et cetera, all covered by Cloudflare. 

Cloudflare has multiple caller sites and many PoPs. Whenever a user tries to get a webpage or any application, all the pages will be scanned with the nearest location data center or on a near-based, performing locally in the data center only. Other vendors have different services in different data centers. In Cloudflare, every data center has all the services. 

Currently, Cloudflare is growing. They are exploding their data centers, which is great for clients. Previously it was 25, and now it's 28 or 30. 

They are good at managing rules. 

The WAF is working fine.

We find the reporting to be very granular. It's quite good. 

I'm happy with whatever features are currently on offer in Cloudflare.

The solution is stable.

It's scalable.

It is an easy-to-set-up solution. 

Technical support has been very good. 

We find the solution competitively priced. 

Finding vulnerabilities or attack patterns needs to evolve continuously. The landscape is changing. Accordingly, the rules have been changed. The Core Ruleset, is already managing that. It has been good at catching malicious activity so far. They just need to continue to invest in this aspect.

They have some limitations with third-party integrations. For example, we can't integrate with our site.  On-premises, we can't do that. You can on Azure storage, of Google Cloud, however. It works better on the cloud.

I've been using the solution for about one year. 

The solution is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze. 

The solution is scalable. It is very easy.

I'm the only person working on the solution. There's one or two of us directly on the system. 

Technical support is really good. I work on multiple products, and therefore getting a response from Cloudflare is very much appreciated. The only concern we have is with Indian support. There are some limitations to Indian support. Whenever we are planning for any deployment or PoC, the Indian customers say they're having some issues getting on a call or getting Cloudflare involved. However, support, in general, is good and usually you get a response within an hour or two. 

Positive

It's very straightforward to set up everything. In a firewall, you have to build some virtual IPs and all that stuff. However, with this, you have to just onboard your application. You have just to put out your CNAME or A records. After that, you just make some application proxies, and then you have to perform that local host testing. If you want downtime, you must make configuration changes over authority with DNS, and you can onboard your application. It's straightforward. There are not too many hurdles.

The deployment is quick. Once you do the setup, you just have to enter your records and automate the certification part and it is a half-hour process.

I'd rate it a five out of five in terms of ease of setup. 

We don't require any maintenance. We just have to monitor. Whenever we are performing the login process, we are providing logs to any CS log server or any AFIM solution. That part will be taken care of by the SOC team. 

The pricing is good. We find it to be competitive. There are add-on features available as well. 

I'd rate the affordability at 4.5 out of five. 

We are a system integrator for Cloudflare.

We are not on the latest update. Our last update was two or three months back. 

This is a good product. It's reliable and scales well. For new users, you don't require too much expertise on Cloudflare. You just have to understand a WAF. Beyond that, it is very easy to deploy and very fast to implement. 

I'd rate the solution eight out of ten.