---
title: Cloudflare Network Firewall
description: Cloudflare Network Firewall (formerly Magic Firewall) is a firewall-as-a-service (FWaaS) delivered from the Cloudflare global network to protect office networks and cloud infrastructure with advanced, scalable protection. With Cloudflare Network Firewall, you can apply filter rules on a variety of criteria, such as protocol and packet length, to filter unwanted traffic before it reaches your network.
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloudflare Network Firewall

Filter and block unwanted traffic at Cloudflare's global network, before it reaches your infrastructure.

 Enterprise-only 

Cloudflare Network Firewall (formerly Magic Firewall) is a firewall-as-a-service (FWaaS) delivered from the Cloudflare global network to protect office networks and cloud infrastructure with advanced, scalable protection. With Cloudflare Network Firewall, you can apply filter rules on a variety of criteria, such as protocol and packet length, to filter unwanted traffic before it reaches your network.

Rules are written using the [Cloudflare Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/), which is inspired by Wireshark display-filter syntax, a widely used packet analysis filter language, and is the same syntax used across Cloudflare's other products. With this syntax, you can craft powerful rules to precisely allow or deny any traffic in or out of your network.

Cloudflare Network Firewall is available with the purchase of [Magic Transit](https://developers.cloudflare.com/magic-transit/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/).

---

## Features

### Intrusion Detection System (IDS)

Actively monitor for a wide range of known threat signatures in your traffic, expanding your security coverage beyond packet-filtering rules to detect sophisticated attacks such as ransomware, data exfiltration, and network scanning.

[ Use Intrusion Detection System (IDS) ](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/enable-ids/) 

---

## Related products

**[Cloudflare Magic Transit](https://developers.cloudflare.com/magic-transit/)** 

Secure your network from incoming Internet traffic, and improve performance at Cloudflare scale.

**[Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/)** 

Improve security and performance for your entire corporate network, reducing cost and operational complexity.

---

---
title: Plans
description: If you are a Magic Transit or Cloudflare WAN user, you are automatically provided with a standard list of Cloudflare Network Firewall (formerly Magic Firewall) features. For additional features available for purchase, refer to the list of advanced features below.
image: https://developers.cloudflare.com/zt-preview.png
---

# Plans

If you are a [Magic Transit](https://developers.cloudflare.com/magic-transit/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) user, you are automatically provided with a standard list of Cloudflare Network Firewall (formerly Magic Firewall) features. For additional features available for purchase, refer to the list of advanced features below.

## Standard features

* Filtering rules based on protocol, port, IP addresses, packet length, and bit field match.
* Fast propagation of rule changes in less than a minute.
* Single dashboard to manage firewall and network configuration.
* Programmable API for automated deployment and management — compatible with infrastructure-as-code platforms like [Terraform](https://developers.cloudflare.com/terraform/).
* Traffic analytics per rule in the dashboard and using the [GraphQL API](https://developers.cloudflare.com/analytics/graphql-api/).
* Integration with [Cloudflare WAN network-as-a-service](https://developers.cloudflare.com/cloudflare-wan/).
* Included DDoS protection with [Magic Transit](https://developers.cloudflare.com/magic-transit/).

## Advanced features

All standard features are included with the purchase of the advanced features below:

* Customizable IP lists.
* Managed threat intelligence IP lists (Anonymizer, Botnet, Malware, Open Proxies, VPNs).
* Geoblocking based on user location by country.
* Block or allow packets based on Autonomous System Number (ASN).
* Packet captures on demand for network troubleshooting.
* [Protocol validation rules](https://developers.cloudflare.com/cloudflare-network-firewall/about/protocol-validation-rules/) to inspect traffic validity and enforce a positive security model.
* [Secure Web Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) filtering for outbound Internet traffic (network and HTTP policies). The Secure Web Gateway supports all TCP and UDP ports, as well as traffic sourced from RFC 1918 address space. Gateway will proxy BYOIP traffic to egress via the default Cloudflare IPs or your assigned [dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/).
* Intrusion Detection System (IDS).

---

---
title: About
description: Review the content below to learn more about concepts related to Cloudflare Network Firewall (formerly Magic Firewall).
image: https://developers.cloudflare.com/zt-preview.png
---

# About

Review the content below to learn more about concepts related to Cloudflare Network Firewall (formerly Magic Firewall).

Important

When using Cloudflare Network Firewall alongside other Cloudflare services that proxy traffic (for example, CDN and Spectrum), be aware of the following:

* Firewall rules that block traffic based on source IP address may not work as intended because rules are evaluated after Cloudflare terminates the incoming TCP connections.
* You must allow [Cloudflare IP addresses ↗](https://www.cloudflare.com/ips/).
* When using Cloudflare Network Firewall, fragmented packets are reassembled into complete packets before they are inspected. As a result, you cannot create firewall rules for fragments.

* [ Analytics ](https://developers.cloudflare.com/cloudflare-network-firewall/about/analytics/)
* [ IDS ](https://developers.cloudflare.com/cloudflare-network-firewall/about/ids/)
* [ List types ](https://developers.cloudflare.com/cloudflare-network-firewall/about/list-types/)
* [ Protocol validation rules ](https://developers.cloudflare.com/cloudflare-network-firewall/about/protocol-validation-rules/)
* [ Ruleset logic ](https://developers.cloudflare.com/cloudflare-network-firewall/about/ruleset-logic/)
* [ Traffic types ](https://developers.cloudflare.com/cloudflare-network-firewall/about/traffic-types/)

---

---
title: Analytics
description: Use the GraphQL Analytics API to view data for requests passing through Cloudflare's network. For more information about using the GraphQL Analytics API and getting started, refer to GraphQL Analytics API.
image: https://developers.cloudflare.com/zt-preview.png
---

# Analytics

## GraphQL Analytics

Use the GraphQL Analytics API to view data for requests passing through Cloudflare's network. For more information about using the GraphQL Analytics API and getting started, refer to [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/tutorials/querying-network-firewall-samples/).

---

---
title: IDS
description: Cloudflare's Intrusion Detection System (IDS) is a Cloudflare Advanced Network Firewall (formerly Magic Firewall) feature you can use to actively monitor for a wide range of known threat signatures in your traffic. An IDS expands the security coverage of a firewall to analyze traffic against a broader threat database, detecting a variety of sophisticated attacks such as ransomware, data exfiltration, and network scanning based on signatures or “fingerprints” in network traffic.
image: https://developers.cloudflare.com/zt-preview.png
---

# IDS

Cloudflare's Intrusion Detection System (IDS) is a Cloudflare Advanced Network Firewall (formerly Magic Firewall) feature you can use to actively monitor for a wide range of known threat signatures in your traffic. An IDS expands the security coverage of a firewall to analyze traffic against a broader threat database, detecting a variety of sophisticated attacks such as ransomware, data exfiltration, and network scanning based on signatures or “fingerprints” in network traffic.

With Cloudflare's global anycast network, you get:

* Cloudflare's entire global network capacity becomes the capacity of your IDS.
* Built-in redundancy and failover: every server runs Cloudflare's IDS software, and traffic is automatically attracted to the network location closest to its source.
* Continuous deployment of improvements to Cloudflare's IDS capabilities.

Refer to [Enable IDS](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/enable-ids/) for more information on enabling IDS and creating new rulesets. After IDS is enabled, your traffic is scanned for malicious activity. Detections are logged to destinations that you configure from the dashboard. Refer to [Use Logpush with IDS](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/use-logpush-with-ids/) for instructions on configuring a destination to receive the detections. Additionally, all analyzed traffic can be accessed via [network analytics](https://developers.cloudflare.com/analytics/network-analytics/). Refer to [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-network-firewall/tutorials/graphql-analytics/) to query the analytics data.

---

---
title: List types
description: Cloudflare handles millions of HTTP requests each second and blocks billions of cyber threats each day. Cloudflare uses that data to detect malicious actors on the Internet and turns that information into a list of known malicious IP addresses. Cloudflare also integrates with a number of third-party vendors to augment the coverage.
image: https://developers.cloudflare.com/zt-preview.png
---

# List types

## Threat intelligence

Cloudflare handles millions of HTTP requests each second and blocks billions of cyber threats each day. Cloudflare uses that data to detect malicious actors on the Internet and turns that information into a list of known malicious IP addresses. Cloudflare also integrates with a number of third-party vendors to augment the coverage.

The threat intelligence feed categories are described in [Managed IP Lists](https://developers.cloudflare.com/waf/tools/lists/managed-lists/#managed-ip-lists). All of these lists are compatible with Cloudflare Network Firewall (formerly Magic Firewall).

## IP lists

Use [IP lists](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists) to group services in your networks, such as web servers, or to maintain lists of known bad IP addresses, which makes managing your legitimate network endpoints easier. IP lists are especially helpful if you have very expansive firewall rules that reference many IP addresses. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/add-policies/#use-an-ip-list) for an example of how to use an IP list.

## Geo-blocking

Geo-blocking enables you to selectively allow or block traffic to or from any country. Refer to [Block a country](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/add-policies/#block-a-country) for an example of how to block a country.

---

---
title: Protocol validation rules
description: Cloudflare Network Firewall (formerly Magic Firewall) supports Session Initiation Protocol (SIP) to inspect traffic validity and enforce a positive security model.
image: https://developers.cloudflare.com/zt-preview.png
---

# Protocol validation rules

Cloudflare Network Firewall (formerly Magic Firewall) supports [Session Initiation Protocol (SIP) ↗](https://datatracker.ietf.org/doc/html/rfc2543) to inspect traffic validity and enforce a positive security model.

You can use the `sip` field when creating a rule to determine whether packets are valid SIP Layer 7 (L7) protocol traffic. Refer to [Cloudflare Network Firewall fields](https://developers.cloudflare.com/cloudflare-network-firewall/reference/network-firewall-fields/), specifically the `sip` field, for more information on this topic.

Contact your account manager if you need Cloudflare Network Firewall to support additional protocols.

---

---
title: Ruleset logic
description: Cloudflare Network Firewall (formerly Magic Firewall) rules are performed after Cloudflare's DDoS mitigations have been applied. The two systems are independent, and therefore, permitting traffic inside Cloudflare Network Firewall does not allow it within our DDoS mitigations. Traffic can still be blocked by DDoS mitigations that are applied first in the flow through Cloudflare's systems.
image: https://developers.cloudflare.com/zt-preview.png
---

# Ruleset logic

Cloudflare Network Firewall (formerly Magic Firewall) rules are evaluated after Cloudflare's DDoS mitigations have been applied. The two systems are independent: permitting traffic in Cloudflare Network Firewall does not exempt it from DDoS mitigation, so traffic can still be blocked by the DDoS mitigations that run first in the flow through Cloudflare's systems.

By default, Cloudflare Network Firewall permits all traffic until explicitly blocked by a rule. If no rules are configured, all traffic is permitted after Cloudflare's DDoS mitigations have been applied.

## Security policy

You have two options for configuring a security policy:

* Enforce a positive security model and only permit required traffic and block everything else.
* Begin with a minimal ruleset to block specific traffic and, by default, everything else is permitted.

Traffic is matched in order of the configured rules. As soon as traffic is matched by an enabled rule, it is no longer validated against the later rules, and traffic will pass through disabled rules. In the dashboard under **Cloudflare Network Firewall**, rule order begins from the top and flows down your list of rules.

For example, if rule #4 permits all TCP traffic, all TCP traffic is permitted, and a later rule #5 that blocks IP address `x.x.x.x` would never be checked for TCP packets.

For best practices when configuring your security policy, refer to [Best practices](https://developers.cloudflare.com/cloudflare-network-firewall/best-practices/).

## Cloudflare Network Firewall rules and Magic Transit endpoint health checks

Cloudflare-sourced traffic is also subject to the Cloudflare Network Firewall rules you configure. If you block all ICMP traffic, you will also block Cloudflare's [endpoint health checks](https://developers.cloudflare.com/magic-transit/reference/tunnel-health-checks/#endpoint-health-checks). When blocking ICMP traffic, ensure your rules first allow ICMP sourced from Cloudflare public IPs to your prefix endpoint IPs before applying a block ICMP rule.

For a list of Cloudflare's public IPs, refer to [IP Ranges ↗](https://www.cloudflare.com/ips/).
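The ordering rules above, as an added example that is not Cloudflare's code: a small Python model of top-down, first-match evaluation that reproduces the page's two pitfalls, the broad TCP allow that shadows a later block and the ICMP block that must be preceded by an allow for Cloudflare-sourced health checks. Addresses are constructed TEST-NET placeholders (the real Cloudflare ranges are at the IP Ranges link above), and the `expression` strings are illustrative Rules-language text; the predicates beside them are what the model evaluates.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Constructed placeholder addresses (TEST-NET ranges), not values from the page:
CUSTOMER_PREFIX = ip_network("203.0.113.0/24")     # your Magic Transit prefix
CLOUDFLARE_SOURCE = ip_network("198.51.100.0/24")  # stands in for Cloudflare's public IPs
BAD_ACTOR = ip_address("192.0.2.77")               # stands in for the page's x.x.x.x


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"


@dataclass
class Rule:
    expression: str                    # Rules-language text, shown for readability only
    matches: Callable[[Packet], bool]  # the equivalent predicate evaluated by this model
    action: str                        # "allow" or "block"
    enabled: bool = True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first-match evaluation as the page describes: the first enabled
    rule that matches decides, disabled rules are passed through, and with no
    match the default is to permit. Returns (action, 1-based index of the
    deciding rule, or None when the default applied)."""
    for index, rule in enumerate(rules, start=1):
        if rule.enabled and rule.matches(pkt):
            return rule.action, index
    return "allow", None


def allow_all_tcp() -> Rule:
    return Rule('ip.proto eq "tcp"', lambda p: p.proto == "tcp", "allow")


def block_bad_actor(enabled: bool = True) -> Rule:
    return Rule(f"ip.src eq {BAD_ACTOR}",
                lambda p: ip_address(p.src) == BAD_ACTOR, "block", enabled)


def shadowed_order() -> List[Rule]:
    """The page's pitfall: a broad allow placed before a narrow block."""
    return [allow_all_tcp(), block_bad_actor()]


def corrected_order() -> List[Rule]:
    """Narrow block first, broad allow after it."""
    return [block_bad_actor(), allow_all_tcp()]


def icmp_policy() -> List[Rule]:
    """Block ICMP without breaking Magic Transit endpoint health checks: allow
    Cloudflare-sourced ICMP to your prefix before the blanket ICMP block."""
    def cf_health_check(p: Packet) -> bool:
        return (p.proto == "icmp"
                and ip_address(p.src) in CLOUDFLARE_SOURCE
                and ip_address(p.dst) in CUSTOMER_PREFIX)
    return [
        Rule(f'ip.proto eq "icmp" and ip.src in {{{CLOUDFLARE_SOURCE}}} '
             f'and ip.dst in {{{CUSTOMER_PREFIX}}}', cf_health_check, "allow"),
        Rule('ip.proto eq "icmp"', lambda p: p.proto == "icmp", "block"),
    ]


if __name__ == "__main__":
    attacker_tcp = Packet(str(BAD_ACTOR), "203.0.113.10", "tcp")
    print(evaluate(shadowed_order(), attacker_tcp))   # ('allow', 1): rule 2 never checked
    print(evaluate(corrected_order(), attacker_tcp))  # ('block', 1)
    health = Packet("198.51.100.9", "203.0.113.10", "icmp")
    print(evaluate(icmp_policy(), health))            # ('allow', 1): health check survives
    print(evaluate(icmp_policy(), Packet("192.0.2.5", "203.0.113.10", "icmp")))  # ('block', 2)
    print(evaluate([block_bad_actor(enabled=False)], attacker_tcp))  # ('allow', None)
```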

## Cloudflare Network Firewall phases

Cloudflare Network Firewall processes traffic in two phases: in the first phase, Cloudflare Network Firewall matches packets against rules in the Custom phase. In the second phase, Cloudflare Network Firewall matches packets against rules in the Managed phase.

### Custom phase ruleset

The Cloudflare Network Firewall Custom phase is a set of rules defined by the user. The expression, order, and actions of those rules can be customized by the user.

Additionally, users can add a rule in this custom phase to override the behavior of a rule in the Managed phase.

### Managed phase ruleset

Managed phase rulesets are updated and maintained by Cloudflare, and Cloudflare creates these rules based on best practices, known malicious patterns, and other criteria.

Cloudflare maintains the expressions and order of execution for rules in the Managed phase. Rules can be enabled, disabled, or made to log matching packets.

Refer to [Enable managed rulesets](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/enable-managed-rulesets/) for more information.

---

---
title: Traffic types
description: Cloudflare Network Firewall (formerly Magic Firewall) enables you to allow or block traffic on a variety of packet characteristics, such as source and destination IP, source and destination port, protocol, packet length, and bit field match.
image: https://developers.cloudflare.com/zt-preview.png
---

# Traffic types

Cloudflare Network Firewall (formerly Magic Firewall) enables you to allow or block traffic on a variety of packet characteristics, such as source and destination IP, source and destination port, protocol, packet length, and bit field match.

Cloudflare Network Firewall supports layer three and layer four (network and transport) protocols such as TCP, UDP, and ICMP. Any layer three or layer four protocol can pass through Cloudflare Network Firewall and be matched by rules on its protocol fields.

To view the list of available fields, refer to [Cloudflare Network Firewall fields](https://developers.cloudflare.com/cloudflare-network-firewall/reference/network-firewall-fields/).

---

---
title: Packet captures
description: Cloudflare supports two types of packet captures (PCAPs): full and sample. A packet capture records raw network traffic data so you can inspect it offline in tools like Wireshark. Full packet captures are the default.
image: https://developers.cloudflare.com/zt-preview.png
---

# Packet captures

Cloudflare supports two types of packet captures (PCAPs): **full** and **sample**. A packet capture records raw network traffic data so you can inspect it offline in tools like Wireshark. Full packet captures are the default.

Note

Both capture types have a maximum runtime of 300 seconds. Refer to [Packet capture limits](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/#packet-capture-limits) for the full list of limits.

## Sample packet captures

Use sample packet captures when you want to inspect recent traffic quickly. Sample packet captures query historical traffic that has already passed through Cloudflare's network rather than new traffic, so they complete immediately after you start them.

You can view sample captures in the Cloudflare dashboard. They only include the first 160 bytes of each packet, which is useful for capturing packet headers but will not provide detailed packet data. Cloudflare collects this data across all of its data centers and assembles it into a PCAP file, giving you a global view of traffic across the network.

Use full packet captures instead if you need complete packet payloads, or if the traffic you want to capture occurs infrequently.

## Full packet captures

Full packet captures actively monitor Cloudflare's network for new traffic that matches filters you configure. Unlike sample captures, they capture packets that arrive after the capture starts, not historical data.

Full captures include the complete packet data, not just headers. The matching packet data is saved directly to a cloud storage bucket that you own and configure. You cannot view it in the Cloudflare dashboard. You can download the resulting PCAP file and analyze it in Wireshark or another packet capture tool.

Before starting a full packet capture, make sure you have a cloud storage bucket set up and configured. Refer to the articles in this section for setup instructions.

* [ PCAPs bucket setup ](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/pcaps-bucket-setup/)
* [ Collect PCAPs ](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/)

---

---
title: Collect PCAPs
description: After a packet capture is requested and the capture is collected, the output is contained within one or more files in PCAP file format. Before starting a full type packet capture, you must first follow instructions for configuring a bucket.
image: https://developers.cloudflare.com/zt-preview.png
---

# Collect PCAPs

After a packet capture is requested and the capture is collected, the output is contained within one or more files in PCAP file format. Before starting a `full` type packet capture, you must first follow instructions for [configuring a bucket](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/pcaps-bucket-setup/).

Note

Packet captures are available for Cloudflare Advanced Network Firewall users. For access, contact your account team.

## Send a packet capture request

Currently, when a packet capture is requested, packets flowing at Cloudflare's global network through the Magic Transit system are captured. The default API field for this is `"system": "magic-transit"`, both for the request and response.

Note

For help determining which data center to select for a packet capture, visit [https://cloudflare.com/cdn-cgi/trace ↗](https://cloudflare.com/cdn-cgi/trace) and refer to the `colo` field. Note that some data center names are regional, such as `ORD`, while others are more specific, like `ord02`. Either form can be used in the `colo` field.

### Packet capture limits

**Sample and full**

* `packet_limit`: The minimum value is `1` packet and the maximum value is `10000` packets.

**Sample**

* `time_limit`: The minimum value is `1` second and the maximum value is `300` seconds.

**Full**

* `time_limit`: The minimum value is `1` second and the maximum value is `86400` seconds.
* `byte_limit`: The minimum value is `1` byte and the maximum value is `1000000000` bytes.

**Dashboard**

1. In the Cloudflare dashboard, go to [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health).
2. Select **Diagnostics**, then select **Start a capture**.
3. Choose the type of capture you want to perform, and select **Next**.
4. Fill out the required fields to begin the capture and then select **Start**.

The main **Packet captures** page displays a list of captures.

**API**

The PCAPs API needs both `system` and `type` to be specified to start a capture. A PCAP's `system` is the product or logical subsystem where packets are captured, and a PCAP's `type` is how the captured packets are built into a PCAP file.

Currently, you can only send one collect request per minute for sample PCAPs, and you can only have one running or pending full PCAP at a time.

**Full PCAP**

For full PCAP requests, refer to the required parameters listed at [Create full PCAP requests](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/methods/create/). Note that full packet captures require two more parameters than sample packet captures.

The full PCAP request endpoint also contains optional fields you can use to limit the number of packets captured. Both full and sample packet requests accept an optional `filter_v1` parameter you can use to filter packets, for example by IPv4 source address. For a full list of the filter options, refer to the parameter lists above.

Leave `filter_v1` empty to collect all packets without any filtering.

**Full PCAP example request**

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "filter_v1": {},
  "time_limit": 300,
  "packet_limit": 10000,
  "byte_limit": 100000000,
  "type": "full",
  "colo": "ORD",
  "system": "magic-transit",
  "destination_conf": "${BUCKET}"
}'
```

While the collection is in progress, the response returns the `status` field as `pending`. You must wait for the PCAP collection to complete before downloading the file. When the PCAP is ready to download, the status changes to `success`.

**Full PCAP example response**

```json
{
  "result": {
    "id": "7d7c88382f0b4d5daa9587aa45a1a877",
    "submitted": "2022-06-02T18:38:22.269047Z",
    "filter_v1": {},
    "time_limit": 300,
    "status": "pending",
    "type": "full",
    "system": "magic-transit",
    "packet_limit": 10000,
    "byte_limit": 100000000,
    "colo": "ORD",
    "destination_conf": "gs://<bucket-name>"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

The `destination_conf` value must be a bucket that you created and registered in the Cloudflare dashboard.

Sample PCAP

To create a sample PCAP request, send a JSON body with the required parameters listed at [Create sample PCAP request](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/methods/create/).

Leave `filter_v1` empty (`{}`) to collect all packets without any filtering.

Sample PCAP example request

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "filter_v1": {
    "source_address": "1.2.3.4",
    "source_port": 123,
    "destination_address": "5.6.7.8",
    "destination_port": 80,
    "protocol": 6
  },
  "time_limit": 300,
  "packet_limit": 10000,
  "type": "simple",
  "system": "magic-transit"
}'
```

The response is a JSON body that contains the details of the job running to build the packet capture. The response contains a unique identifier for the packet capture request along with the details sent in the request.

Sample PCAP example response

```json
{
  "result": {
    "id": "6d1f0aac13cd40e3900d29f5dd0e8a2b",
    "submitted": "2021-12-20T17:29:20.641845Z",
    "filter_v1": {
      "source_address": "1.2.3.4",
      "source_port": 123,
      "destination_address": "5.6.7.8",
      "destination_port": 80,
      "protocol": 6
    },
    "time_limit": 60,
    "status": "pending",
    "packets_remaining": 0,
    "type": "simple",
    "system": "magic-transit"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## Check packet capture status

**Dashboard**

1. In the Cloudflare dashboard, go to [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health).
2. Select **Diagnostics**.
3. Locate your capture under **Network packet captures**.

**API**

To check the status of a running job, send a request to the endpoint and specify the PCAP identifier. The PCAP identifier is returned in the response of a collect request, as shown in the previous step.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/{pcap_id} \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>'
```

The response will be similar to the one received when requesting a PCAP collection.

Sample PCAP example result

```json
{
  "result": {
    "id": "6d1f0aac13cd40e3900d29f5dd0e8a2b",
    "submitted": "2021-12-20T17:29:20.641845Z",
    "filter_v1": {
      "source_address": "1.2.3.4",
      "source_port": 123,
      "destination_address": "5.6.7.8",
      "destination_port": 80,
      "protocol": 6
    },
    "time_limit": 120,
    "status": "success",
    "packets_remaining": 0,
    "type": "simple",
    "system": "magic-transit"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

The capture status displays one of the following options (in the API, the `status` field reads `pending` while the capture is in progress and `success` when it is ready):

* **Complete:** The capture request is done and ready for download.
* **In progress:** The capture request was accepted and is still being collected or processed.
* **Failure:** The capture failed. If this occurs on a full PCAP, verify that the bucket in `destination_conf` is still validated and writable by Cloudflare.

## Download packet captures

After your request finishes processing, you can download your packet captures.

**Dashboard**

1. In the Cloudflare dashboard, go to [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health).
2. Select **Diagnostics**.
3. Locate the packet capture you want to download, and select **Download**.

Packet captures are available to download when the **Status** displays **Success**.

For more information on how to process multiple saved capture files into a single output file, refer to [Wireshark's mergecap documentation ↗](https://www.wireshark.org/docs/man-pages/mergecap.html).

**API**

**Full PCAPs**

To obtain full PCAPs, download the files from the bucket specified in `destination_conf` after the PCAP's status is `success`. You may find multiple files named `pcap_<pcap_id>.pcap` per capture, as captures can occur across multiple machines. Full captures contain the complete payload of every matched packet, so treat the bucket as sensitive data: restrict read access to the people doing the analysis and delete captures once they are no longer needed.

**Sample PCAPs**

Once the sample PCAP collection is complete, you can download the PCAP by specifying the PCAP identifier used earlier.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/{pcap_id}/download \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--output download.pcap
```
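The two API steps above (poll the status endpoint until `status` is `success`, then download) as one script, added here as an example and not Cloudflare's own tooling. It authenticates with a scoped API token sent as `Authorization: Bearer` rather than the Global API Key used in the curl examples. `ACCOUNT_ID`, `CF_API_TOKEN` and the output path are placeholders; the set of in-progress status values is an assumption built on the `pending` and `success` values shown on this page, and `sample_pcap_body` rejects `filter_v1` keys other than the five shown in the sample request so that a misspelled filter fails locally instead of quietly capturing everything.

```python
"""Submit a sample PCAP, poll until it is ready, then download it.

Added example, not Cloudflare client code. Assumes an API token with the
account's PCAP permissions; ACCOUNT_ID and CF_API_TOKEN are placeholders.
"""
import json
import time
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
ACCOUNT_ID = "<ACCOUNT_ID>"
CF_API_TOKEN = "<API_TOKEN>"

# "pending" and "success" are the values shown on this page; "running" as a
# second in-progress value is an assumption. Anything else is treated as final.
DONE = "success"
IN_PROGRESS = {"pending", "running"}


def cf_request(token, method, path, body=None):
    """Minimal JSON client for the v4 API. Returns the "result" object."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API_BASE + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        payload = json.loads(resp.read())
    if not payload.get("success"):
        raise RuntimeError(f"API error: {payload.get('errors')}")
    return payload["result"]


def sample_pcap_body(filter_v1=None, time_limit=300, packet_limit=10000):
    """Build the request body for a sample ("simple") capture on magic-transit."""
    allowed = {"source_address", "source_port", "destination_address",
               "destination_port", "protocol"}
    filt = dict(filter_v1 or {})
    unknown = set(filt) - allowed
    if unknown:
        raise ValueError(f"unknown filter_v1 keys: {sorted(unknown)}")
    return {"filter_v1": filt, "time_limit": time_limit,
            "packet_limit": packet_limit, "type": "simple",
            "system": "magic-transit"}


def wait_for_pcap(get_status, pcap_id, timeout=900, interval=15, sleep=time.sleep):
    """Poll get_status(pcap_id) -> result dict until the job leaves IN_PROGRESS.

    Returns the final result on success; raises RuntimeError on any other
    terminal status and TimeoutError once the polling budget is spent.
    get_status and sleep are injectable so the loop can be exercised offline.
    """
    polls = 0
    while True:
        result = get_status(pcap_id)
        status = result.get("status")
        if status == DONE:
            return result
        if status not in IN_PROGRESS:
            raise RuntimeError(f"pcap {pcap_id} ended with status {status!r}")
        polls += 1
        if polls * interval > timeout:
            raise TimeoutError(f"pcap {pcap_id} still {status} after {timeout}s")
        sleep(interval)


def collect_sample_pcap(token, account_id, body, out_path):
    """Submit, wait, download. Returns the number of bytes written to out_path."""
    base = f"/accounts/{account_id}/pcaps"
    job = cf_request(token, "POST", base, body)
    wait_for_pcap(lambda pid: cf_request(token, "GET", f"{base}/{pid}"), job["id"])
    req = urllib.request.Request(f"{API_BASE}{base}/{job['id']}/download",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        data = resp.read()
    with open(out_path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    body = sample_pcap_body({"source_address": "1.2.3.4", "protocol": 6}, time_limit=60)
    print(collect_sample_pcap(CF_API_TOKEN, ACCOUNT_ID, body, "download.pcap"), "bytes")
```

Because the API limits you to one sample collect request per minute, keep the poll loop separate from the submit call as above; retrying the POST on a failed poll would burn that budget for nothing.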

## List packet captures

**Dashboard**

1. In the Cloudflare dashboard, go to [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health).
2. Select **Diagnostics** > **Network packet captures**.

The list of packet captures associated with your account displays.

**API**

To view a list of sent requests, use the following command:

List request example

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
```

The response returns an array that includes up to 50 sent requests, which includes completed and ongoing requests.

List response example

```json
{
  "result": [
    {
      "id": "43adab5adeca4dab9c51f4b7f70f2ec3",
      "submitted": "2021-12-15T03:04:09.277394Z",
      "filter_v1": {},
      "time_limit": 120,
      "status": "success",
      "packets_remaining": 0,
      "type": "simple",
      "system": "magic-transit"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

## Best practices

Due to the nature of Cloudflare's network, your traffic may traverse various physical machines within a single Cloudflare location.

* Multiple PCAP files: A single full PCAP capture may produce many small PCAP files, as a capture is taken on each physical server your traffic traverses in a Cloudflare location.  
   * You can narrow the capture by applying packet-specific filters (protocol, port and more) in `filter_v1` to target only the traffic you need.
* Merging for analysis: To view the traffic as a single flow, use a tool like mergecap to combine the individual files into one larger file for analysis in Wireshark. Refer to the [Wireshark mergecap documentation ↗](https://www.wireshark.org/docs/wsug%5Fhtml%5Fchunked/AppToolsmergecap.html) for instructions.
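The merge step above in Python, added as an example and not code from Cloudflare or Wireshark: it does what `mergecap` does for the common case, reading the per-server files of one capture and writing a single file ordered by packet timestamp. It understands the classic libpcap format in either byte order, refuses to combine files whose link-layer types differ (which would make the merged file unreadable), and leaves pcapng alone. The two inputs in `SAMPLE_FILES` are constructed sample data; the `pcap_<pcap_id>*.pcap` pattern in `merge_capture_dir` mirrors the file naming described on this page.

```python
"""Merge the per-server pcap files of one full capture into one time-ordered file.

Added example, not a Cloudflare or Wireshark tool. Handles classic libpcap
(magic 0xa1b2c3d4, microsecond timestamps, either byte order) only.
"""
import glob
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16


def make_pcap(records, linktype=1, endian="<"):
    """Build a classic pcap from [(timestamp_us, packet_bytes), ...].

    Used here only to construct sample inputs; linktype 1 is Ethernet.
    """
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_us, payload in records:
        out.append(struct.pack(endian + "IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                               len(payload), len(payload)) + payload)
    return b"".join(out)


def read_pcap(data):
    """Parse one classic pcap. Returns (linktype, snaplen, [(timestamp_us, record), ...]).

    Each record is re-encoded with a little-endian header so that files from
    hosts of different byte order can simply be concatenated afterwards.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap (magic {data[:4].hex()}); pcapng is not handled")
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    records, off = [], GLOBAL_HDR_LEN
    while off < len(data):
        if off + REC_HDR_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + REC_HDR_LEN])
        end = off + REC_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        hdr = struct.pack("<IIII", ts_sec, ts_usec, incl_len, orig_len)
        records.append((ts_sec * 1_000_000 + ts_usec, hdr + data[off + REC_HDR_LEN:end]))
        off = end
    return linktype, snaplen, records


def merge_pcaps(files):
    """Merge pcap byte strings into one little-endian pcap ordered by timestamp."""
    linktype, snaplen, merged = None, 0, []
    for data in files:
        lt, sl, recs = read_pcap(data)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError(f"link-layer type mismatch: {lt} vs {linktype}")
        snaplen = max(snaplen, sl)
        merged.extend(recs)
    if linktype is None:
        raise ValueError("no input files")
    merged.sort(key=lambda rec: rec[0])  # stable sort: equal timestamps keep file order
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    return header + b"".join(rec for _, rec in merged)


def merge_capture_dir(directory, pcap_id, out_path):
    """Merge every pcap_<pcap_id>*.pcap in directory; returns how many files were merged."""
    paths = sorted(glob.glob(f"{directory}/pcap_{pcap_id}*.pcap"))
    blobs = []
    for path in paths:
        with open(path, "rb") as fh:
            blobs.append(fh.read())
    with open(out_path, "wb") as fh:
        fh.write(merge_pcaps(blobs))
    return len(paths)


# Constructed sample: two servers saw interleaved packets of one flow, and the
# second one wrote big-endian headers.
SAMPLE_FILES = [
    make_pcap([(100, b"a1"), (300, b"a2")]),
    make_pcap([(200, b"b1"), (400, b"b2")], endian=">"),
]
```

Clock skew between Cloudflare servers is not corrected here, just as `mergecap` does not correct it; if two files disagree by more than the packet spacing you care about, sort on flow content (sequence numbers) rather than on timestamps.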


---

---
title: PCAPs bucket setup
description: Before you can begin a full packet capture, you must first configure a bucket that Cloudflare can use to upload your files. Setting up a bucket is not required for sample packet captures.
image: https://developers.cloudflare.com/zt-preview.png
---


# PCAPs bucket setup

Before you can begin a full packet capture, you must first configure a bucket that Cloudflare can use to upload your files. Setting up a bucket is not required for sample packet captures.

You can configure an Amazon S3 or Google Cloud Platform bucket to use as a target. You can also [use R2](#r2) as a target using the API.

## Set up a bucket

Learn how to set up a bucket for use with full packet captures.

**Dashboard**

1. In the Cloudflare dashboard, go to [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health).
2. Select the **Diagnostics** tab > **Buckets**.
3. Select **Add a bucket**.
4. Under **Bucket configuration**, select a bucket service and select **Next**.
5. Enter the information related to your bucket for your service provider.
6. When you are done, select **Next**.

The **Prove ownership** step of the **Bucket configuration** displays.

**API**

Before you can begin using a bucket, you must first enable destinations.

Refer to the [Amazon S3](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/aws-s3/#create-and-get-access-to-an-s3-bucket) or [Google Cloud Storage](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/google-cloud-storage/#create-and-get-access-to-a-gcs-bucket) documentation and follow the steps for those specific services.

Next, validate the bucket and confirm ownership.

## Validate a bucket

After the initial bucket set up, you need to confirm you own the bucket via an ownership challenge. After you validate your bucket, you can begin using it to collect full packet captures.

**Dashboard**

1. From the **Prove ownership** step of the **Bucket configuration**, locate the **Ownership token** field.
2. In the **Ownership token** field, enter the ownership token for your service provider.
3. When you are done, select **Create**. The **Packet captures** page displays.

The **Buckets** tab displays a list of the buckets associated with your account. Refer to the **Status** column to see the status of your bucket configuration.

**API**

The `destination_conf` value (the `${bucket}` shell variable in the examples below) should be the URI of the bucket. For Amazon S3, it is in the form `s3://<bucket-name>/<directory>?region=<bucket-region>`, and for Google Cloud Storage the form is `gs://<bucket-name>/<directory>`.

Ownership challenge request example

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "destination_conf": "'${bucket}'"
}'
```

The response has a `"filename"` parameter which contains the content of the `ownership-challenge` text. Find the file in your bucket and copy the contents of the file.

Ownership challenge response example

```json
{
  "result": {
    "id": "cc20c2d6c62e11ecbe646b173af3b6b9",
    "status": "pending",
    "submitted": "2022-04-22T18:54:13.397413Z",
    "validated": "",
    "destination_conf": "gs://bucket-test",
    "filename": "ownership-challenge-1234.txt"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

`destination_conf` must be a bucket that you created and registered in the Cloudflare dashboard.

Validate the bucket by inserting the copied text in the `ownership_text` below:

Bucket validation example

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership/validate \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "destination_conf": "'${bucket}'",
  "ownership_challenge": "'${ownership_text}'"
}'
```

Bucket validation response

```json
{
  "result": {
    "id": "cc20c2d6c62e11ecbe646b173af3b6b9",
    "status": "success",
    "submitted": "2022-04-22T18:54:13.397413Z",
    "validated": "2022-04-27T14:54:46.440548Z",
    "destination_conf": "gs://<bucket-name>",
    "filename": "ownership-challenge-1234.txt"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

If the `status` shows `success`, the bucket is configured and ready to use.

The bucket status displays one of the following options:

* **Success:** The bucket is fully verified and ready to use.
* **Pending:** The challenge response was initiated but is pending verification. Bucket verification can take five to ten minutes to finish processing.
* **Failed:** The bucket could not be validated. If this occurs, verify your ownership information.

## List configured buckets

View a list of all buckets configured on your account.

**Dashboard**

1. In the Cloudflare dashboard, go to [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health).
2. In **Diagnostics**, select **Buckets**.

The list of buckets associated with your account displays.

**API**

Bucket list request example

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
```

Bucket list response example

```json
{
  "result": [
    {
      "id": "9a993aa6c58711ec89d3037647342e63",
      "status": "success",
      "submitted": "2022-04-26T16:58:24.550762Z",
      "validated": "2022-04-26T17:01:18.426458Z",
      "destination_conf": "s3://test-bucket?region=us-east-1",
      "filename": "ownership-challenge-1234.txt"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

To learn how to collect packet captures, refer to [Collect packet captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/).

## R2

To start collecting packet captures with R2, you first need to configure it properly. For all the required details, refer to the [Cloudflare R2](https://developers.cloudflare.com/r2/) documentation.

### Create bucket and API token

1. In the Cloudflare dashboard, go to the **R2** page ([Overview ↗](https://dash.cloudflare.com/?to=/:account/r2/overview)).
2. Select **Create bucket**.
3. Give your bucket a name > **Create bucket**.
4. Go to the R2 Overview page, and select **Manage R2 API Tokens**.
5. Select **Create API Token**.
6. In **Permissions**, choose **Object Read & Write**. Make sure you also select **Apply to specific buckets only**, and select the bucket you have created for PCAPs from the drop-down menu.
7. Select **Create API Token**.
8. Make sure you copy the **Secret Access Key** and **Access Key ID** values, as you will need them for the next step.

### Create initial request

Create your initial request to R2. The R2 access key ID and secret access key travel inside the `destination_conf` string, so keep them in environment variables rather than typing them on the command line (where they land in shell history), and use the bucket-scoped token from the previous step rather than one that can read every bucket in the account:

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "destination_conf": "r2://<BUCKET_NAME>?account-id=<ACCOUNT_ID>&access-key-id=<R2_ACCESS_KEY_ID>&secret-access-key=<R2_SECRET_ACCESS_KEY>"
}'
```

The [response](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/subresources/ownership/methods/create/) has a `"filename"` parameter with the name of a file that Cloudflare wrote to your R2 bucket. You need to download it for the next step. Example:

```json
{
  "errors": [],
  "messages": [],
  "result": {
    "destination_conf": "<YOUR_R2_BUCKET>",
    "filename": "ownership-challenge-9883874ecac311ec8475433579a6bf5f.txt",
    "id": "9883874ecac311ec8475433579a6bf5f",
    "status": "success",
    "submitted": "2020-01-01T08:00:00Z",
    "validated": "2020-01-01T08:00:00Z"
  },
  "success": true
}
```

### Validate bucket ownership

Refer to the [Validate a bucket](#validate-a-bucket) API instructions for more details on the entire process to [validate your R2 bucket](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/subresources/ownership/methods/validate/). When specifying the R2 destination for this validation, exclude the secret and access keys from the URL.
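The bucket ownership flow in Python, covering the S3, GCS and R2 `destination_conf` forms given under Validate a bucket and the R2 caveat just stated. This is an added example, not Cloudflare code: `validation_destination` produces the URI for the validate call with `access-key-id` and `secret-access-key` removed (only `account-id` stays), while the first ownership request carries the full string. The `r2://` parameter names are the ones shown in the R2 request above; bucket names, account ID and keys in the usage are placeholders.

```python
"""Build PCAP bucket destination_conf URIs and strip R2 credentials for validation.

Added example, not Cloudflare code. URI forms follow this page:
  s3://<bucket>/<directory>?region=<region>
  gs://<bucket>/<directory>
  r2://<bucket>?account-id=...&access-key-id=...&secret-access-key=...
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

R2_CREDENTIAL_PARAMS = {"access-key-id", "secret-access-key"}


def _dir_path(directory):
    directory = directory.strip("/")
    return f"/{directory}" if directory else ""


def s3_destination(bucket, region, directory=""):
    return f"s3://{bucket}{_dir_path(directory)}?region={region}"


def gcs_destination(bucket, directory=""):
    return f"gs://{bucket}{_dir_path(directory)}"


def r2_destination(bucket, account_id, access_key_id, secret_access_key):
    # The R2 key pair rides inside the URI; never log this string as-is.
    query = urlencode({"account-id": account_id,
                       "access-key-id": access_key_id,
                       "secret-access-key": secret_access_key})
    return f"r2://{bucket}?{query}"


def validation_destination(destination_conf):
    """destination_conf as it must be sent to /pcaps/ownership/validate.

    For r2:// the access-key-id and secret-access-key parameters are dropped
    and account-id is kept; s3:// and gs:// URIs are returned unchanged. The
    result never contains the secret, so it is also what you should log.
    """
    parts = urlsplit(destination_conf)
    if parts.scheme != "r2":
        return destination_conf
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in R2_CREDENTIAL_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def ownership_payloads(destination_conf, challenge_text):
    """The two JSON bodies of the ownership flow, in the order they are sent.

    challenge_text is the content of the ownership-challenge-<id>.txt file
    that Cloudflare wrote into the bucket after the first request.
    """
    return (
        {"destination_conf": destination_conf},
        {"destination_conf": validation_destination(destination_conf),
         "ownership_challenge": challenge_text.strip()},
    )


if __name__ == "__main__":
    # Placeholder values; read the challenge file from the bucket before step 2.
    dest = r2_destination("<BUCKET_NAME>", "<ACCOUNT_ID>",
                          "<R2_ACCESS_KEY_ID>", "<R2_SECRET_ACCESS_KEY>")
    create_body, validate_body = ownership_payloads(dest, "<contents of challenge file>")
    print("step 1 ->", validation_destination(create_body["destination_conf"]))
    print("step 2 ->", validate_body)
```

Sending the first body through an HTTP client that logs request bodies will write the R2 secret to disk; if you must log, log `validation_destination(...)` instead.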


---

---
title: Best practices
description: By default, Cloudflare Network Firewall (formerly Magic Firewall) permits all ingress traffic that has passed through Cloudflare's core DDoS mitigations. To proactively mitigate attacks and minimize your attack surface and leakage of attack traffic into your environment, we recommend implementing your Cloudflare Network Firewall rules using the following guidelines.
image: https://developers.cloudflare.com/zt-preview.png
---


# Best practices

By default, Cloudflare Network Firewall (formerly Magic Firewall) permits all ingress traffic that has passed through Cloudflare's core DDoS mitigations. To proactively mitigate attacks and minimize your attack surface and leakage of attack traffic into your environment, we recommend implementing your Cloudflare Network Firewall rules using the following guidelines.

The best approach is to replicate your current ingress perimeter firewall rules in Network Firewall. If you are unable to export your current perimeter firewall rules, contact your Implementation Manager for help translating the rules into Cloudflare Network Firewall rules.

* [ Minimal ruleset ](https://developers.cloudflare.com/cloudflare-network-firewall/best-practices/minimal-ruleset/)
* [ Extended ruleset ](https://developers.cloudflare.com/cloudflare-network-firewall/best-practices/extended-ruleset/)
* [ Magic Transit egress ](https://developers.cloudflare.com/cloudflare-network-firewall/best-practices/magic-transit-egress/)


---

---
title: Extended ruleset
description: If you are unable to export your current perimeter firewall rules, consider identifying categories of systems or user groups that reside on your Magic Transit prefixes. For example:
image: https://developers.cloudflare.com/zt-preview.png
---


# Extended ruleset

If you are unable to export your current perimeter firewall rules, consider identifying categories of systems or user groups that reside on your Magic Transit prefixes. For example:

* [Endpoints (user devices)](#endpoints-user-devices)
* [Internal routers](#internal-routerfirewall-ip-addresses)
* [Web servers](#web-servers)
* [Non-web servers](#non-web-servers)

For each item above, consider the requirements in terms of their permitted Internet access. For example, permit what is required for legitimate traffic and block the rest.

## Create lists to use in Cloudflare Network Firewall rules

For more information on lists, refer to [Use rule lists](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/use-rules-list/).

You can also create a list from the dashboard under **Configurations** > **Lists** on your **Account Home**.

## Endpoints (User devices)

Endpoint devices do not operate as servers, which means:

* They receive return traffic from well-known server ports, for example `80` or `443`, towards their own ephemeral ports. Linux uses `32768` to `60999` by default, which is the range the rules below use; modern Windows uses the IANA range `49152` to `65535`, and Windows XP and Windows Server 2003 started at `1025`. Check the operating systems on your prefixes and widen the range if needed, otherwise return traffic to ports outside it falls through to the catch-all block rule.
* Connections flow outwards, not inwards, so an endpoint should never receive an unsolicited TCP SYN. It does receive the SYN-ACK and the following ACKs for connections it opened, which is why rule 1 below only excludes SYN-without-ACK.
* They typically only need client TCP and UDP, with no requirement for inbound ICMP beyond the replies to their own pings and traceroutes (Echo Reply, Destination Unreachable and Time Exceeded).

The ruleset below therefore permits generic client TCP and client UDP return traffic, permits those three ICMP reply types, and ends with a catch-all rule that blocks everything else destined for the endpoints.

Create a list named **Endpoints** and specify the list of endpoints or user IP addresses to reference within the rules.

Note

Rule 10 in the example ruleset below is acting as a catch-all to block all traffic not permitted in rules 1-3 towards your list of Endpoint IP addresses. If you want to permit other traffic to these destination IP addresses, the new rule must be added before rule 10.

### Suggested rules

**Rule ID**: 1   
**Description**: Endpoints (clients) will receive traffic destined for ephemeral ports. SYN-only packets do not match and fall through to rule 10, so unsolicited connection attempts are blocked while SYN-ACKs are permitted.   
**Match**: `ip.proto eq "tcp" and ip.dst in $endpoints and tcp.dstport in {32768..60999} and not (tcp.flags.syn and not tcp.flags.ack)`   
**Action**: Allow   

**Rule ID**: 2   
**Description**: Endpoints (clients) will receive UDP traffic destined for ephemeral ports.   
**Match**: `ip.proto eq "udp" and ip.dst in $endpoints and udp.dstport in {32768..60999}`   
**Action**: Allow   

**Rule ID**: 3   
**Description**: Permits ICMP traffic to destination IP addresses in the `$endpoints` list with ICMP types:

* Type 0 = Echo Reply
* Type 3 = Destination Unreachable
* Type 11 = Time Exceeded

**Match**: `ip.proto eq "icmp" and ip.dst in $endpoints and (icmp.type eq 0 or icmp.type eq 3 or icmp.type eq 11)`   
**Action**: Allow   

**Rule ID**: 10   
**Description**: Otherwise deny all traffic to IP addresses in the `$endpoints` list.   
**Match**: `ip.dst in $endpoints`   
**Action**: Block   
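The Endpoints ruleset above evaluated as first-match rules against constructed packets, added here as an example and not Cloudflare code. Each predicate mirrors one Match expression from the rules, `$endpoints` is a constructed prefix, and the fallback when nothing matches is the product's permit-by-default described under Best practices. Running it shows why the ordering note above matters: a packet is decided by the first rule it hits, so an allow rule placed after rule 10 never fires.

```python
"""First-match evaluation of the Endpoints ruleset from this page.

Added example, not Cloudflare code. $endpoints is a constructed list and
the packet model carries only the fields the four rules look at.
"""
import ipaddress

ENDPOINTS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed $endpoints list
EPHEMERAL = range(32768, 61000)                         # {32768..60999}
ICMP_REPLY_TYPES = {0, 3, 11}                           # Echo Reply, Dest Unreachable, Time Exceeded


def in_endpoints(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ENDPOINTS)


def rule_1(p):
    # ip.proto eq "tcp" and ip.dst in $endpoints and tcp.dstport in {32768..60999}
    #   and not (tcp.flags.syn and not tcp.flags.ack)
    syn_only = "syn" in p["flags"] and "ack" not in p["flags"]
    return (p["proto"] == "tcp" and in_endpoints(p["dst"])
            and p["dport"] in EPHEMERAL and not syn_only)


def rule_2(p):
    # ip.proto eq "udp" and ip.dst in $endpoints and udp.dstport in {32768..60999}
    return p["proto"] == "udp" and in_endpoints(p["dst"]) and p["dport"] in EPHEMERAL


def rule_3(p):
    # ip.proto eq "icmp" and ip.dst in $endpoints and (icmp.type eq 0 or 3 or 11)
    return (p["proto"] == "icmp" and in_endpoints(p["dst"])
            and p["icmp_type"] in ICMP_REPLY_TYPES)


def rule_10(p):
    # ip.dst in $endpoints
    return in_endpoints(p["dst"])


RULES = [(1, rule_1, "allow"), (2, rule_2, "allow"), (3, rule_3, "allow"), (10, rule_10, "block")]


def packet(proto, dst, dport=0, flags=(), icmp_type=None):
    return {"proto": proto, "dst": dst, "dport": dport, "flags": set(flags), "icmp_type": icmp_type}


def evaluate(pkt, rules=RULES):
    """Return (rule_id, action) of the first matching rule, or (None, "allow")
    for the permit-by-default that applies when no rule matches."""
    for rule_id, match, action in rules:
        if match(pkt):
            return rule_id, action
    return None, "allow"


# Constructed traffic showing which rule each packet lands on.
SAMPLES = {
    "syn-ack reply to a client connection": packet("tcp", "203.0.113.10", 40000, ["syn", "ack"]),
    "unsolicited syn to an ephemeral port":  packet("tcp", "203.0.113.10", 40000, ["syn"]),
    "syn to a listening port":               packet("tcp", "203.0.113.10", 443, ["syn"]),
    "dns reply":                             packet("udp", "203.0.113.10", 53000),
    "echo reply to the client's ping":       packet("icmp", "203.0.113.10", icmp_type=0),
    "inbound echo request":                  packet("icmp", "203.0.113.10", icmp_type=8),
    "syn to an ip outside $endpoints":       packet("tcp", "198.51.100.5", 40000, ["syn"]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:40} -> {evaluate(pkt)}")
```

Note the last sample: a SYN to an address that is not in `$endpoints` is allowed by default, because this ruleset only constrains the endpoint prefixes. Every other prefix on your Magic Transit ranges needs its own ruleset and catch-all.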

## Internal router/Firewall IP addresses

Follow the best practices below for internal routers or firewall interface IP addresses on your Magic Transit prefixes.

1. Create [an IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists), **Internal routers** for example, with your IP addresses.
2. Block ICMP if it is not needed.
3. Permit GRE/ESP as needed if the devices have GRE/IPsec tunnels via the Internet.

### Suggested rules

**Rule ID**: 1   
**Description**: Permit limited ICMP traffic inbound, including:

* Type 0 - Echo Reply
* Type 3 - Destination Unreachable
* Type 8 - Echo
* Type 11 - Time Exceeded

**Match**: `ip.proto eq "icmp" and ip.dst in $internal_routers and (icmp.type eq 0 or icmp.type eq 3 or icmp.type eq 8 or icmp.type eq 11)`   
**Action**: Allow   

**Rule ID**: 2   
**Description**: Block all other traffic destined to these IP addresses.   
**Match**: `ip.dst in $internal_routers`   
**Action**: Block   

## Web Servers

Web servers require careful consideration of necessary traffic flows. Traffic for the **web server** functionality is required in addition to traffic flows where the web server is acting as a client.

Where possible, permit the required destination IP addresses and ports for web servers and block everything else. Additional services, for example NTP/DNS, may be required along with the ports for the web traffic.

The following is an example of suggested rules, but you should only make changes based on your specific requirements. For example, if you are not proxied by Cloudflare Layer 7 protection and you expect traffic sourced from the web towards your web servers:

1. Create [an IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists), **web servers** for example, to list IP addresses for your web servers.
2. Permit traffic for the web server traffic inbound from the Internet.
3. Permit traffic for the infrastructure or client traffic flows from the Internet, for example DNS and NTP.
4. Block all other traffic destined for the web server IP addresses.

### Suggested rules

**Rule ID**: 1   
**Description**: Allows inbound HTTP/S traffic from the Internet with SYN-only or ACK-only flags (not SYN/ACKs).   
**Match**: `ip.proto eq "tcp" and tcp.srcport in {32768..60999} and ip.dst in $web_servers and tcp.dstport in {80 443} and not (tcp.flags.syn and tcp.flags.ack)`   
**Action**: Allow   

**Rule ID**: 2   
**Description**: Allows UDP replies for DNS and NTP to web servers.   
**Match**: `ip.dst in $web_servers and ip.proto eq "udp" and udp.srcport in {53 123} and udp.dstport in {1024..65535}`   
**Action**: Allow if necessary, but disable if under attack   

**Rule ID**: 3   
**Description**: Catch-all to block all other traffic destined for web server IP addresses.   
**Match**: `ip.dst in $web_servers`   
**Action**: Block   

Alternatively, if you have Cloudflare Layer 7 protection, the Cloudflare public IP addresses can be permitted as the source IP addresses for the HTTP/HTTPS inbound traffic to your web servers. This recommendation effectively replaces Rule 1 in the example above.

For a list of Cloudflare's IP addresses, refer to [Cloudflare's IP addresses ↗](https://www.cloudflare.com/ips/). The prefixes in the rule below are the published IPv4 ranges; if your web servers accept IPv6, add the published IPv6 ranges as well, and re-check the list periodically, since a rule pinned to a stale set of prefixes will block legitimate proxied traffic.

### Suggested rules for Cloudflare proxied traffic

**Description**: Allow inbound HTTP/S traffic from Cloudflare with SYN or ACK (not SYN/ACK).   
**Match**: `ip.proto eq "tcp" and ip.dst in $web_servers and tcp.dstport in {80 443} and not (tcp.flags.syn and tcp.flags.ack) and ip.src in {173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22}`   
**Action**: Allow   

## Non-web servers

Restrict the source based on whether the server is expecting traffic from the general Internet or from only specific users.

1. Apply rules based on source IP or ports if possible.
2. Restrict permitted destination ports to only those that are required.
3. Block incoming SYN to the closed ports.

### Suggested rules

* `IP Destination Address { non-web server } and TCP dst port in <valid ports> — Permit`
* `IP Destination Address { non-web server } and UDP dst port in <valid ports> — Permit`
* `IP Destination Address { non-web server } — Block`


---

---
title: Magic Transit egress
description: The suggestions in the Minimal ruleset and Extended ruleset are recommendations for ingress traffic.
image: https://developers.cloudflare.com/zt-preview.png
---


# Magic Transit egress

The suggestions in the [Minimal ruleset](https://developers.cloudflare.com/cloudflare-network-firewall/best-practices/minimal-ruleset/) and [Extended ruleset](https://developers.cloudflare.com/cloudflare-network-firewall/best-practices/extended-ruleset/) are recommendations for ingress traffic.

For Magic Transit egress traffic, consider the following information:

* Cloudflare Network Firewall (formerly Magic Firewall) rules apply to both Magic Transit ingress and egress traffic passing via Cloudflare.
* Network Firewall is not stateful for your Magic Transit egress traffic.
* Network Firewall is stateless in both directions: after DDoS mitigation, each packet is evaluated against the rules on its own, with no connection tracking to tie a reply to the request that caused it.
* If you have a Network Firewall "default drop" catch-all rule for ingress traffic, you need to add an earlier rule that permits traffic sourced from your Magic Transit prefixes with the destination set to **any**, otherwise the catch-all also drops your outbound egress traffic.


---

---
title: Minimal ruleset
description: The suggested minimal ruleset blocks some known common vectors for DDoS attacks and permits all other ESP, TCP, UDP, GRE and ICMP traffic.
image: https://developers.cloudflare.com/zt-preview.png
---


# Minimal ruleset

The suggested minimal ruleset blocks some known common vectors for DDoS attacks and permits all other ESP, TCP, UDP, GRE and ICMP traffic.

This is a suggested list and not an exhaustive list. Review your environment and add more rules as necessary.

## Recommended rules

**Rule ID**: 1   
**Description**: Single rule that blocks all traffic with UDP source ports which are used in attacks or invalid in Magic Transit ingress.   
**Match**: `(udp.srcport in {1900 11211 389 111 19 1194 3702 10001 20800 161 162 137 27005 520 0})`   
**Action**: Block   

**Rule ID**: 2   
**Description**: Blocks TCP traffic with source port `0` and common ports used in TCP SYN/ACK reflection attacks.   
**Match**: `(tcp.srcport in {21 0 3306})`   
**Action**: Block   

**Rule ID**: 3   
**Description**: Blocks HOPOPT (protocol 0) or else blocks if protocol not in `{ESP, TCP, UDP, GRE, ICMP}`. Note that this is only an example. Permit the relevant protocols for your environment.  
**Match**: `(ip.proto eq "hopopt") or (not ip.proto in {"esp" "tcp" "udp" "gre" "icmp"})`   
**Action**: Block   

The recommended rules are part of the managed rules.

## Traffic and port types

The information below covers traffic type, how the port is used, and reasons for blocking the port.

| Traffic                      | Port use                                                                                                          | Reason to block                                                                                                              |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| UDP source port 0            | Reserved port. Should not be used by applications.                                                                | Invalid as a legitimate traffic source port. Commonly used in DDoS attacks.                                                  |
| UDP source port 1900         | Simple Service Discovery Protocol (SSDP). Allows universal plug and play devices to send and receive information. | [SSDP DDoS attacks ↗](https://www.cloudflare.com/learning/ddos/ssdp-ddos-attack/) exploit Universal Plug and Play protocols. |
| UDP source port 11211        | Memcached. A database caching system designed to speed up websites and networks.                                  | [Memcached DDoS Attacks ↗](https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/).                                 |
| UDP source port 389          | Connection-less Lightweight Directory Access Protocol (CLDAP).                                                    | [Used in reflection attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/).                                     |
| UDP source port 111          | SunRPC                                                                                                            | Common attack vector. [Used in reflection attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/).               |
| UDP source port 19           | CHARGEN                                                                                                           | [Amplification attack vector ↗](https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/).        |
| UDP source port 1194         | OpenVPN                                                                                                           | Unless this is an authorized VPN in your environment, this common VPN should be blocked.                                     |
| UDP source port 3702         | Web Services Dynamic Discovery Multicast discovery protocol (WS-Discovery)                                        | Vulnerable to exploitation for DDoS attacks.                                                                                 |
| UDP source port 10001        | Ubiquiti UniFi discovery protocol                                                                                 | Ubiquiti devices were exploited and used to conduct DDoS attacks on this port.                                               |
| UDP source port 20800        | Call of Duty                                                                                                      | [Commonly used in attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/).                                       |
| UDP source ports 161 and 162 | SNMP                                                                                                              | Vulnerable to exploitation for DDoS attacks.                                                                                 |
| UDP source port 137          | NetBIOS                                                                                                           | NetBIOS allows file sharing over networks. If configured improperly, can expose file systems.                                |
| UDP source port 27005        | SRCDS                                                                                                             | Used in [amplification attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/).                                   |
| UDP source port 520          | Routing Information Protocol (RIP)                                                                                | Internal routing protocol. Not required on Internet WAN access.                                                              |
| TCP source port 0            | Reserved port. Should not be used by applications.                                                                | Commonly used in DDoS attacks. Invalid as a legitimate traffic source port.                                                  |
| TCP source port 21           | FTP                                                                                                               | Commonly used for attacks.                                                                                                   |
| TCP source port 3306         | MYSQL open source database                                                                                        | Used as attack vector in DDoS attacks.                                                                                       |

## Other common traffic to consider

The list below covers common traffic types you should also consider blocking or restricting inbound.

* SFTP, TFTP
* SSH, Telnet
* RDP
* RCP
* SMCP
* NTP  
   * Common vector for reflection attacks. Consider using [Cloudflare Gateway](https://developers.cloudflare.com/web3/), [1.1.1.1's DNS over HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/), or an internal DNS service if possible. Consider restricting your firewall rules to only allow the source and destination of DNS traffic.
* MS-SQL  
   * Common vector and [increasingly used as vector for DDoS attacks ↗](https://blog.cloudflare.com/ddos-attack-trends-for-2021-q4/). Block if unused or consider restricting only to the required source IP addresses.
* HTTP and HTTPS  
   * If you only have servers on your Magic Transit prefixes, consider blocking ingress traffic on TCP source ports 80 and 443 from outside. If you have endpoints on your Magic Transit prefixes, you can allow traffic on the source ports but consider creating a disabled rule you can activate to respond to reflection attacks as needed.

If relevant to your environment, consider blocking based on geolocation data, which blocks traffic by the country in which an end user's IP address is registered in the geolocation database.

If you are interested in participating in the beta for [Session Initiation Protocol (SIP) Validation ↗](https://blog.cloudflare.com/programmable-packet-filtering-with-magic-firewall/), contact your Implementation Manager.

---

---
title: Tutorials
description: View tutorials to help you get started with Cloudflare Network Firewall (formerly Magic Firewall).
image: https://developers.cloudflare.com/zt-preview.png
---

# Tutorials

View tutorials to help you get started with Cloudflare Network Firewall (formerly Magic Firewall).

| Name                                                                                                            | Last Updated      | Difficulty |
| --------------------------------------------------------------------------------------------------------------- | ----------------- | ---------- |
| [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-network-firewall/tutorials/graphql-analytics/) | about 4 years ago | Medium     |

---

---
title: GraphQL Analytics
description: Use the GraphQL Analytics API to review data for Cloudflare Network Firewall network traffic related to rules matching your traffic.
image: https://developers.cloudflare.com/zt-preview.png
---

# GraphQL Analytics

**Last reviewed:**  about 4 years ago 

Use the GraphQL Analytics API to review data for Cloudflare Network Firewall (formerly Magic Firewall) network traffic related to rules matching your traffic. This contains both rules you configured in the Network Firewall dashboard, and the rules managed by Cloudflare as a part of [Network Firewall Managed rules](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/enable-managed-rulesets/) and [Network Firewall IDS](https://developers.cloudflare.com/cloudflare-network-firewall/about/ids/) features.

Before you begin, you must have an [API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/). For additional help getting started with GraphQL Analytics, refer to [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/).

## Obtain Cloudflare Account ID

To construct a Network Firewall GraphQL query for an object, you will need a Cloudflare Account ID.

### Obtain your Cloudflare Account ID

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account.
2. The URL in your browser's address bar should show `https://dash.cloudflare.com/` followed by a hex string. The hex string is your Cloudflare Account ID.

### Obtain the rule ID for a firewall rule

To construct queries to gather analytics for a particular rule, you need the rule ID for each firewall rule.

1. In the Cloudflare dashboard, go to the [Firewall Policies ↗](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall) page.
2. In the **Custom policies** tab, locate the rule you need the rule ID for from the list and select the three dots > **Edit**.
3. Locate the **ID** and select the copy button.
4. Select **Cancel** to return to the **Firewall Policies** page.

## Explore GraphQL schema with Cloudflare Network Firewall query example

In this section, you will run a test query that retrieves, for all configured Network Firewall rules, the matched bits and packets counted in five-minute intervals. You can copy and paste the code below into GraphiQL.

For additional information about the Analytics schema, refer to [Explore the Analytics schema with GraphiQL](https://developers.cloudflare.com/analytics/graphql-api/getting-started/explore-graphql-schema/).

```graphql
query MagicFirewallExample($accountTag: string!, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      magicFirewallSamplesAdaptiveGroups(
        filter: { datetime_geq: $start, datetime_leq: $end }
        limit: 2
        orderBy: [datetimeFiveMinute_DESC]
      ) {
        sum {
          bits
          packets
        }
        dimensions {
          datetimeFiveMinute
          ruleId
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BAogB4IC2ADgWABQAkCaaA9iAHYAuAKsgFwwAzlwgoOSAIQAaGAxEIIXQTxQUwshmA4ATFWrABKGAG8AUDBgA3FHkimLlmMzacuQugDMUBLpEEmzizs3HxIgkzBbmEwAL7G5k5OFMjoWDj4RADKlDRgQgCCOghUXChWYADiEOxUHo5Jlt6+-qYwxX5l6gD6SGDAEQpKsh1gXWDdtANy2jpxDY0EaijKMABMC0msEDqQAEJQggDao+NYFXDiIH7dACLEWQDCALqbMAlvlkIgFA6NjQAjFZCT5OKjMADWYxB-0ssVBOgMHCEKFYyL+sMspwM5zAlw41zAoMsEBAtAAkjpQfD-jSnHT4bEgA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgBYRAZmS9emAKxzMARm4AtBiACm8ACZc+gkeN5TeA+YpXqAvkA)

## Example queries for Cloudflare Network Firewall

### Obtain analytics for a specific rule

Use the example below to display the total number of packets and bits for the top ten suspected malicious traffic streams within the last hour. The results are ordered by their five-minute average packet rate, highest first.

Note

Cloudflare analytics are case sensitive for paths and URIs. Make sure that filters or queries use the correct case.

For each stream, display the:

* Source and destination IP addresses
* Ingress Cloudflare data centers that received it
* Total traffic volume in bits and packets received within the hour
* Actions taken by the firewall rule

```graphql
query MagicFirewallObtainRules(
  $accountId: string!
  $ruleId: string
  $start: Time
  $end: Time
) {
  viewer {
    accounts(filter: { accountTag: $accountId }) {
      magicFirewallNetworkAnalyticsAdaptiveGroups(
        filter: { ruleId: $ruleId, datetime_geq: $start, datetime_leq: $end }
        limit: 10
        orderBy: [avg_packetRateFiveMinutes_DESC]
      ) {
        sum {
          bits
          packets
        }
        dimensions {
          coloCity
          ipDestinationAddress
          ipSourceAddress
          outcome
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BA8gEYAuCKAdgEogFgDOAFAFAwwAkCaaA9iGrkAkgBMAXDCbkINJAEIO3CAzDipMudSTKuMhBHJSAKigC2YPWGqSYZy2wCUMAN7KAbijyQ3yzrwCQuSsAGYoBOSQUq4wgYLCJshSPHwJomIwAL4u7pz5MObI6Fg4+EQAcmDkuPwQANYAgtSEUOToTI1iCAAO7R5gAOIQgj2s-gUw4ZHRbjCqjBoqauIANDDdUe2WAPpIYMApBkbrm9UWYDuMh9w2mVkTBQQWKMYwAIwADI-5dWKQACEoFIANoIDxIHY9Xj1aq0BBRLADOA0EBRJg7AAiAFEAMoAYQAuj9cj9OEwQOY-JNJqRXkwyfloWhYSFGQ8aZwxBdqEwUPxedTOZwBAR+PjXlBGZwUD1Mcx2i12gKumIcEwGcKZT1cYIIGgwKr1ZqtYJyAJHMKOZNrZxrQ8skA&variables=N4IghgxhD2CuB2AXAkgExALhAJQKIAUAZAQQGFcB9AdWQBUAJC5AERABoQAnWAGwFM0mHARLlqdRi3YgAzojCdEQgEwAGZQDYAtKoAsOgMy1VqjAFYzGAIzKAWtL7x0WNZp37VR1RvOWb9gF8gA)

### Obtain IDS analytics

Use the example below to display the total number of packets and bits for the top 10 traffic streams that Network Firewall IDS has detected in the last hour.

By setting `verdict` to `drop` and `outcome` to `pass`, you filter for traffic that was flagged as a detection (verdict `drop`) but was not dropped (outcome `pass`). This is because, currently, Network Firewall IDS only detects malicious traffic and does not drop it.

For each stream, display the:

* Source and destination IP addresses.
* Ingress Cloudflare data centers that received it.
* Total traffic volume in bits and packets received within the hour.

```graphql
query MagicFirewallObtainIDS($accountTag: string!, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      magicIDPSNetworkAnalyticsAdaptiveGroups(
        filter: {
          datetime_geq: $start
          datetime_leq: $end
          verdict: drop
          outcome: pass
        }
        limit: 10
        orderBy: [avg_packetRateFiveMinutes_DESC]
      ) {
        sum {
          bits
          packets
        }
        dimensions {
          coloCity
          ipDestinationAddress
          ipSourceAddress
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BA8gEYAuCKAdgJIAiAygBQAkCaaA9iNeQCrIAXDADO5CDSQBCADQxW4hBHIj+KALZh5rMNQAmazWACUMAN4AoGDABuKPJAvWbMDt17lRzAGYoC5JAi5m6cPHyCSCLsYZ6RMAC+ZlaurhrI6AwACowAcmDkuFwQANYAgtSEUOToomX6CAAONbZgAOIQPI3eLqk2fgFBzn19DYE1WgD6SGDA0UoqvSMwYwXGkwSz0Xr6SyOtEProqiudjXt9POTcWiKNCKKiFzYJzzAEmignAIwADG-FfSQABCUBEAG0ELYkJN7mgSgUAEoIQJYVpwGggQKiSb0ACijAAwgBdC7JN6iEAaYbLGykL5PWk2OEIrxvV60o5aaiiFBcHk02ncAhcQlfKBvGwoRr0MDiGgovnUer6HCPSUwaWMHgQNBgFVqxnLDl9E0vFyvBJAA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgBYRAZmS9emAKxzMARm4AtBiACm8ACZc+gkeN5TeA+YpXqAvkA)

Alternatively, use the example below to inspect all analyzed traffic, grouped into malicious traffic and other traffic. The response will contain two entries for each five-minute timestamp: `verdict` is `drop` for malicious traffic and `pass` for traffic that did not match any of the IDS rules.

```graphql
query MagicFirewallTraffic($accountTag: string!, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      magicIDPSNetworkAnalyticsAdaptiveGroups(
        filter: { datetime_geq: $start, datetime_leq: $end }
        limit: 10
        orderBy: [avg_packetRateFiveMinutes_DESC]
      ) {
        sum {
          bits
          packets
        }
        dimensions {
          coloCity
          ipDestinationAddress
          ipSourceAddress
          verdict
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BAKhAgGbnoAUAJAmmgPYgB2ALscgFwwDO7CClZIAhABoYtAQgjtexFAFswk2mFYATBcrABKGAG8AUDBgA3FHkhHTZmA2Zt2falQLtIvQw8YsOXEi89H7OgTAAvgYm9vZKyOgAkgAiAAoAygByYOy4TBAA1gCCrIRQ7Oh8RZoIAA4V5mAA4hAsta52sWbunhDeMDWeFSoA+khgwMEycpKDObojBBPBGpqRnV0EyijyMACMAAwbsfmakABCULwA2gjmSCO1DAU5AEoInliNcMIgnnwjZIAUXSAGEALrHGDRKFmPggJS2LpdABGOz4sPsTzQLxcmIimM0ulYfBQTBJSOR9mYBCYoJ2UExZhQtWSYAEwg+ZNY1U0OD4GKp9hZ6RYEDQYF5-MFQoskCJaHY+KhBNiqvWESAA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgBYRAZmS9emAKxzMARm4AtBiACm8ACZc+gkeN5TeA+YpXqAvkA)
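The IDS queries above driven from a script, as an added example that is not Cloudflare's code: it posts the "Obtain IDS analytics" query with a last-hour window, flattens the grouped response into per-stream rows, and totals detected (verdict `drop`) packets per source IP so the noisiest sources stand out. The GraphQL endpoint URL, the 32-hex-character account ID check, and the environment variable names are assumptions; the dataset, field and filter names are the ones shown on this page.

```python
"""Pull Network Firewall IDS detections through the GraphQL Analytics API.

Added example, not Cloudflare's code. Sends the IDS query from this page with a
last-hour time window and flattens the response into per-stream rows. Assumed
(not on this page): the endpoint URL, the 32-hex-character account ID format,
and the CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID environment variable names.
"""
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPHQL_ENDPOINT = "https://api.cloudflare.com/client/v4/graphql"  # assumed
IDS_DATASET = "magicIDPSNetworkAnalyticsAdaptiveGroups"
ACCOUNT_TAG_RE = re.compile(r"^[0-9a-f]{32}$")  # the hex string in the dashboard URL

# The "Obtain IDS analytics" query from this page: detections (verdict drop) that
# were passed through (outcome pass), ordered by five-minute average packet rate.
IDS_QUERY = """
query MagicFirewallObtainIDS($accountTag: string!, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      magicIDPSNetworkAnalyticsAdaptiveGroups(
        filter: { datetime_geq: $start, datetime_leq: $end, verdict: drop, outcome: pass }
        limit: 10
        orderBy: [avg_packetRateFiveMinutes_DESC]
      ) {
        sum { bits packets }
        dimensions { coloCity ipDestinationAddress ipSourceAddress }
      }
    }
  }
}
"""

def time_window(hours=1):
    """ISO-8601 UTC (start, end) strings for the last `hours` hours."""
    end = datetime.now(timezone.utc).replace(microsecond=0)
    start = end - timedelta(hours=hours)
    to_z = lambda d: d.isoformat().replace("+00:00", "Z")
    return to_z(start), to_z(end)

def build_request(account_tag, start, end, query=IDS_QUERY):
    """JSON body for the GraphQL POST; rejects a malformed account ID early."""
    if not ACCOUNT_TAG_RE.match(account_tag or ""):
        raise ValueError("account tag must be the 32-character hex ID from the dashboard URL")
    return {"query": query, "variables": {"accountTag": account_tag, "start": start, "end": end}}

def run_query(body, api_token, timeout=30):
    """POST the query with a bearer token. Only runs when called (needs network)."""
    req = urllib.request.Request(
        GRAPHQL_ENDPOINT, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def detected_streams(response, dataset=IDS_DATASET):
    """Flatten the nested response into rows sorted by packets, highest first."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    rows = []
    for account in response["data"]["viewer"]["accounts"]:
        for group in account.get(dataset, []):
            dims, total = group["dimensions"], group["sum"]
            rows.append({
                "src": dims["ipSourceAddress"], "dst": dims["ipDestinationAddress"],
                "colo": dims["coloCity"],
                # The filtered query omits verdict because its filter pins it to drop;
                # the grouped query on this page returns it per row.
                "verdict": dims.get("verdict", "drop"),
                "bits": total["bits"], "packets": total["packets"],
            })
    rows.sort(key=lambda r: r["packets"], reverse=True)
    return rows

def top_sources(rows, n=3):
    """Packets per source IP across detected streams: candidates for a custom policy."""
    totals = {}
    for r in rows:
        if r["verdict"] == "drop":
            totals[r["src"]] = totals.get(r["src"], 0) + r["packets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

# Constructed sample response (documentation-range addresses) in the API's shape.
SAMPLE_RESPONSE = {"data": {"viewer": {"accounts": [{IDS_DATASET: [
    {"sum": {"bits": 800000, "packets": 1000}, "dimensions": {
        "coloCity": "Amsterdam", "ipSourceAddress": "198.51.100.7", "ipDestinationAddress": "203.0.113.10"}},
    {"sum": {"bits": 4000000, "packets": 5000}, "dimensions": {
        "coloCity": "Frankfurt", "ipSourceAddress": "198.51.100.7", "ipDestinationAddress": "203.0.113.11"}},
    {"sum": {"bits": 2400000, "packets": 3000}, "dimensions": {
        "coloCity": "Amsterdam", "ipSourceAddress": "198.51.100.9", "ipDestinationAddress": "203.0.113.10"}},
]}]}}}

if __name__ == "__main__":
    token, account = os.environ.get("CLOUDFLARE_API_TOKEN"), os.environ.get("CLOUDFLARE_ACCOUNT_ID")
    start, end = time_window(hours=1)
    response = run_query(build_request(account, start, end), token) if token else SAMPLE_RESPONSE
    rows = detected_streams(response)
    for row in rows:
        print(f"{row['packets']:>8} pkts {row['src']} -> {row['dst']} via {row['colo']}")
    print("top sources:", top_sources(rows))
```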

---

---
title: Changelog
description: We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.
image: https://developers.cloudflare.com/zt-preview.png
---

# Changelog

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-network-firewall.xml) 

## 2026-02-17

  
**Cloudflare One Product Name Updates**   

We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.

We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare.

#### What's changing

* **Magic WAN** → **Cloudflare WAN**
* **Magic WAN IPsec** → **Cloudflare IPsec**
* **Magic WAN GRE** → **Cloudflare GRE**
* **Magic WAN Connector** → **Cloudflare One Appliance**
* **Magic Firewall** → **Cloudflare Network Firewall**
* **Magic Network Monitoring** → **Network Flow**
* **Magic Cloud Networking** → **Cloudflare One Multi-cloud Networking**

**No action is required by you** — all functionality, existing configurations, and billing will remain exactly the same.

For more information, visit the [Cloudflare One documentation](https://developers.cloudflare.com/cloudflare-one/).

## 2026-01-15

  
**Network Services navigation update**   

The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together.

Your existing configurations will remain the same, and you will have access to all of the same features and functionality.

The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to [Magic Transit ↗](https://developers.cloudflare.com/magic-transit/), [Magic WAN ↗](https://developers.cloudflare.com/magic-wan/), and [Magic Firewall ↗](https://developers.cloudflare.com/cloudflare-network-firewall/).

**Summary of changes:**

* A new **Overview** page provides access to the most common tasks across Magic Transit and Magic WAN.
* Product names have been removed from top-level navigation.
* Magic Transit and Magic WAN configuration is now organized under **Routes** and **Connectors**. For example, you will find IP Prefixes under **Routes**, and your GRE/IPsec Tunnels under **Connectors.**
* Magic Firewall policies are now called **Firewall Policies.**
* Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as **Appliances** and **Appliance profiles.** They can be found under **Connectors > Appliances.**
* Network analytics, network health, and real-time analytics are now available under **Insights.**
* Packet Captures are found under **Insights > Diagnostics.**
* You can manage your Sites from **Insights > Network health.**
* You can find Magic Network Monitoring under **Insights > Network flow**.

If you would like to provide feedback, complete [this form ↗](https://forms.gle/htWyjRsTjw1usdis5). You can also find these details in the January 7, 2026 email titled **\[FYI\] Upcoming Network Services Dashboard Navigation Update**.

![Networking Navigation](https://developers.cloudflare.com/_astro/networking-overview-and-navigation.CeMgEFaZ_Z20HKl.webp) 

## 2025-03-13

  
**Cloudflare IP Ranges List**   

Magic Firewall now supports a new managed list of Cloudflare IP ranges. This list is available as an option when creating a Magic Firewall policy based on IP source/destination addresses. When selecting "is in list" or "is not in list", the option "**Cloudflare IP Ranges**" will appear in the dropdown menu.

This list is based on the IPs listed in the Cloudflare [IP ranges ↗](https://www.cloudflare.com/en-gb/ips/). Updates to this managed list are applied automatically.

![Cloudflare IPs Managed List](https://developers.cloudflare.com/_astro/cloudflare-ips.DetyOndL_10JG5B.webp) 

Note: IP Lists require a Cloudflare Advanced Network Firewall subscription. For more details about Cloudflare Network Firewall plans, refer to [Plans](https://developers.cloudflare.com/cloudflare-network-firewall/plans).

## 2024-10-02

  
**Search for custom rules using rule name and/or ID**   

The Magic Firewall dashboard now allows you to search custom rules using the rule name and/or ID.

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and select your account.
2. Go to **Analytics & Logs** \> **Network Analytics**.
3. Select **Magic Firewall**.
4. Add a filter for **Rule ID**.
![Search for firewall rules with rule IDs](https://developers.cloudflare.com/_astro/search-with-rule-id.DJgzqgKk_2jJ9x8.webp) 

Additionally, the rule ID URL link has been added to Network Analytics.

## 2024-09-12

**New UI improvements**

The dashboard now displays the order number of custom rules, and improved drag and drop functionality. You can also preview rules on a side panel without leaving the current page.

## 2024-08-16

**Cloudflare Network Firewall Analytics Rule Log Enhancement**

Customers who create a rule in a disabled mode will see the rule as **Log (rule disabled)**.

---

---
title: Add custom policies
description: By default, you can create a maximum of 200 policies. We recommend you create lists of IP addresses to reference within policies to streamline policy management.
image: https://developers.cloudflare.com/zt-preview.png
---

# Add custom policies

By default, you can create a maximum of 200 policies. We recommend you create lists of IP addresses to reference within policies to streamline policy management.

## Add a policy

1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Firewall policies** \> **Custom policies**.
2. Select **Add a policy**.
3. Fill out the information for your new policy. All existing policies apply to IPv4. You can use a managed [IP list ↗](https://www.cloudflare.com/en-gb/ips/) when populating the **Value**.
4. When you are done, select **Add new policy**.

## Create a disabled policy

When you add a new policy, the policy is **Enabled** by default.

To create a **Disabled** policy, follow the steps in [Add a policy](#add-a-policy) above and toggle **Enabled** to off. When a policy is in the disabled state, the policy will not perform the action until it is set to **Enabled**.

To disable an existing policy, from the **Custom policies** tab, set the **Enabled** toggle to off.

## Update a policy

1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Firewall policies** \> **Custom policies**.
2. Locate the policy you want to edit and select the three dots > **Edit**.
3. Update the policy with your changes and select **Save**.

## Delete an existing policy

1. Locate the policy you want to delete in the list.
2. From the end of the row, select **Delete**.
3. Select **Delete** again to confirm the deletion.

## API

Below, you can find examples of how to use the API to perform certain actions.

Warning

The examples on this page all use the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets` endpoint. This endpoint is intended to create policies from scratch and **might overwrite existing policies**.

If you have a ruleset already deployed, consider using the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules` endpoint instead.

Refer to [Add a rule to a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/add-rule/) and [Create an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) for more information.

### Skip action

The example below blocks all TCP ports, but allows one port (`8080`) by using the skip action.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "Example ruleset",
    "kind": "root",
    "phase": "magic_transit",
    "description": "Example ruleset description",
    "rules": [
      {
        "action": "skip",
        "action_parameters": { "ruleset": "current" },
        "expression": "tcp.dstport in { 8080 }",
        "description": "Allow port 8080"
      },
      {
        "action": "block",
        "expression": "tcp.dstport in { 1..65535 }",
        "description": "Block all TCP ports"
      }
    ]
  }'
```
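To check rule order before creating a ruleset, here is a small local evaluator, added as an example and not Cloudflare's code, for the expressions used on this page: it supports just the operators in the skip-action ruleset above and in rules 1 to 3 of the minimal ruleset, and applies first-match ordering with `skip` semantics to sample packets given as `{field: value}` dicts. The field names, actions and expressions are the page's; the evaluator, the packet format and the `rule.get("enabled", True)` default are assumptions.

```python
"""Local evaluator for the Network Firewall rule expressions used on this page.

Added example, not Cloudflare's code. It implements only the subset of the Rules
language those rules use (`eq`/`==`/`in`, `not`, a flat chain of `or`, `{ ... }`
sets with `lo..hi` ranges) plus a ruleset's first-match ordering and `skip`
semantics, so rule order can be checked against sample packets before a ruleset
is created through the API. Packets are plain {field: value} dicts (assumed).
"""
import re

# Tokens: quoted strings, braces, ranges, integers, `==`, field/keyword names.
# Parentheses are dropped; `$list` references are not supported here.
TOKEN_RE = re.compile(r'"[^"]*"|\{|\}|\d+\.\.\d+|\d+|==|[A-Za-z_][A-Za-z0-9_.]*')

def _literal(tok):
    """One token -> str for quoted text, (lo, hi) tuple for a range, else int."""
    if tok.startswith('"'):
        return tok.strip('"')
    if ".." in tok:
        lo, hi = tok.split("..")
        return (int(lo), int(hi))
    return int(tok)

def _matches(value, members):
    """True if value equals a member or lies inside a (lo, hi) range member."""
    for m in members:
        if isinstance(m, tuple):
            if isinstance(value, int) and m[0] <= value <= m[1]:
                return True
        elif value == m:
            return True
    return False

def _term(tokens, i, packet):
    """Evaluate one `[not] field op operand` term starting at tokens[i]."""
    negate = tokens[i] == "not"
    if negate:
        i += 1
    field, op = tokens[i], tokens[i + 1]
    i += 2
    actual = packet.get(field)  # a field absent from the packet (udp.srcport on TCP) never matches
    if op in ("eq", "=="):
        result = actual is not None and actual == _literal(tokens[i])
        i += 1
    elif op == "in":
        if tokens[i] != "{":
            raise ValueError("only literal { ... } sets are supported, not list references")
        members, i = [], i + 1
        while tokens[i] != "}":
            members.append(_literal(tokens[i]))
            i += 1
        i += 1
        result = actual is not None and _matches(actual, members)
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return (result != negate), i

def evaluate(expression, packet):
    """Evaluate a flat `term or term ...` expression against a packet dict."""
    tokens = TOKEN_RE.findall(expression)
    result, i = _term(tokens, 0, packet)
    while i < len(tokens) and tokens[i] == "or":
        more, i = _term(tokens, i + 1, packet)
        result = result or more
    return result

def apply_ruleset(rules, packet):
    """Action of the first matching enabled rule, or "pass" if none matches.

    A `skip` rule with action_parameters ruleset "current" ends evaluation of the
    remaining rules, so the packet is let through and later `block` rules never
    see it: the allow-8080 rule only works because it precedes block-all.
    """
    for rule in rules:
        if rule.get("enabled", True) and evaluate(rule["expression"], packet):
            return rule["action"]
    return "pass"

# The "Skip action" ruleset from this page (allow TCP 8080, block every other TCP port).
SKIP_RULESET = [
    {"action": "skip", "action_parameters": {"ruleset": "current"},
     "expression": "tcp.dstport in { 8080 }", "description": "Allow port 8080"},
    {"action": "block", "expression": "tcp.dstport in { 1..65535 }",
     "description": "Block all TCP ports"},
]

# Rules 1-3 of the minimal ruleset from this page (rule 3 is the page's example allowlist).
MINIMAL_RULES = [
    {"action": "block", "expression": "(udp.srcport in {1900 11211 389 111 19 1194 3702 "
                                      "10001 20800 161 162 137 27005 520 0})"},
    {"action": "block", "expression": "(tcp.srcport in {21 0 3306})"},
    {"action": "block", "expression": '(ip.proto eq "hopopt") or '
                                      '(not ip.proto in {"esp" "tcp" "udp" "gre" "icmp"})'},
]

if __name__ == "__main__":
    # Constructed sample packets; reversing SKIP_RULESET would block 8080 as well.
    for pkt in ({"ip.proto": "tcp", "tcp.srcport": 40000, "tcp.dstport": 8080},
                {"ip.proto": "tcp", "tcp.srcport": 21, "tcp.dstport": 8080},
                {"ip.proto": "udp", "udp.srcport": 1900, "udp.dstport": 53},
                {"ip.proto": "sctp"}):
        print(pkt, "skip ruleset ->", apply_ruleset(SKIP_RULESET, pkt),
              "| minimal ->", apply_ruleset(MINIMAL_RULES, pkt))
```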

### Block a country

The example below blocks all packets with a source or destination IP address coming from Brazil by using its 2-letter country code in [ISO 3166-1 Alpha 2 ↗](https://www.iso.org/obp/ui/#search/code/) format.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "Example ruleset",
    "kind": "root",
    "phase": "magic_transit",
    "description": "Example ruleset description",
    "rules": [
      {
        "action": "block",
        "expression": "ip.src.country == \"BR\"",
        "description": "Block traffic from Brazil"
      }
    ]
  }'
```

### Use an IP list

Cloudflare Network Firewall supports [using lists in expressions](https://developers.cloudflare.com/waf/tools/lists/use-in-expressions/) for the `ip.src` and `ip.dst` fields. The supported lists are:

* `$cf.anonymizer` \- Anonymizer proxies
* `$cf.botnetcc` \- Botnet command and control channel
* `$cf.malware` \- Sources of malware
* `$<IP_LIST_NAME>` \- The name of an account-level IP list

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "Example ruleset",
    "kind": "root",
    "phase": "magic_transit",
    "description": "Example ruleset description",
    "rules": [
      {
        "action": "block",
        "expression": "ip.src in $cf.anonymizer",
        "description": "Block traffic from anonymizer proxies"
      }
    ]
  }'
```

---

---
title: Create Rate Limiting policies (beta)
description: Rate limiting policies (beta) allow you to manage incoming traffic to your network for specific locations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Create Rate Limiting policies (beta)

Rate limiting policies (beta) allow you to manage incoming traffic to your network for specific locations.

This guide shows you how to create a policy that applies when incoming packets match its criteria and the traffic rate exceeds a configured threshold (in packets or bits).

Note

For Cloudflare Advanced Network Firewall customers, rate limiting (beta) is available by request through the account team.

## Add a policy

To add a policy:

1. In the Cloudflare dashboard, go to the [Firewall Policies ↗](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall) page.
2. Select the **Rate limiting** tab, then select **Add a policy**.
3. Fill out the information for your new policy:  
   * Select the **Field**: At the moment, you can only choose a [colo name ↗](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/cloudflare-network-firewall/).  
   * Select the **Operator**: Choose among **equals** or **is in**.  
   * Select the **Value**.
4. When you are done, select **Save policy**.

## Edit an existing policy

To edit a policy:

1. In the Cloudflare dashboard, go to the [Firewall Policies ↗](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall) page.
2. Select the **Rate limiting** tab.
3. Locate the policy you want to edit in the list and select **Edit**.
4. Edit the policy with your changes and select **Edit policy**.

## Delete an existing policy

To delete an existing policy:

1. In the Cloudflare dashboard, go to the [Firewall Policies ↗](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall) page.
2. Select the **Rate limiting** tab.
3. Locate the policy you want to delete from the list.
4. Select the three dots, then select **Remove**.

---

---
title: Enable IDS
description: Cloudflare's IDS takes advantage of the threat intelligence powered by our global network and extends the capabilities of the Cloudflare Firewall to monitor and protect your network from malicious actors.
image: https://developers.cloudflare.com/zt-preview.png
---

# Enable IDS

Cloudflare's IDS takes advantage of the threat intelligence powered by our global network and extends the capabilities of the Cloudflare Firewall to monitor and protect your network from malicious actors.

You can enable IDS through the dashboard or via the API.

Note

This feature is available for Cloudflare Advanced Network Firewall users. For access, contact your account team.

### Dashboard

1. In the Cloudflare dashboard, go to the [Firewall Policies ↗](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall) page.
2. Select **IDS** and turn on **IDS**.

### API

To start using IDS via the API, first create a new ruleset in the `magic_transit_ids_managed` phase with a rule that is enabled.

1. Follow the instructions in the [Rulesets Engine page](https://developers.cloudflare.com/ruleset-engine/basic-operations/view-rulesets/) to view all rulesets for your account. You should see a ruleset with phase `magic_transit_ids_managed` and kind `managed`. If not, contact your account team. The ID of this managed ruleset is used in the next step.
2. Create a new root ruleset with a single rule in the `magic_transit_ids_managed` phase by running:

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "IDS Execute ruleset",
  "description": "Ruleset to enable IDS",
  "kind": "root",
  "phase": "magic_transit_ids_managed",
  "rules": [
    {
      "enabled": true,
      "expression": "true",
      "action": "execute",
      "description": "enable ids",
      "action_parameters": {
        "id": "${managed_ruleset_id}"
      }
    }
  ]
}'
```

With this ruleset added, IDS will start inspecting packets and report any anomalous traffic. Next, you can [configure Logpush](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/use-logpush-with-ids/) to start receiving details about the anomalous traffic.

3. Use the rule created in the previous step to enable or disable IDS. The Rulesets API documentation describes [how to patch a rule](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update-rule/).

   For example, the following patch request sets the `enabled` field to `false`, which disables IDS. It uses the ruleset ID and rule ID of the ruleset created in the previous step.

```
curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_ruleset_id}/rules/{rule_id} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "enabled": false,
  "expression": "true",
  "action": "execute",
  "action_parameters": {
    "id": "${managed_ruleset_id}"
  }
}'
```

Similarly, sending a patch request with the `enabled` field set to `true` will enable IDS.
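The helpers below are an added example, not Cloudflare's code: they encode the API procedure above (find the managed IDS ruleset in a rulesets listing, build the root ruleset body, build the enable/disable patch body) and add the check a defender wants when auditing whether IDS is actually on. The listing data is constructed and the ruleset IDs are placeholders.

```python
"""Added example (not Cloudflare's code): helpers for the IDS enable/disable
procedure above. Ruleset data is constructed; IDs are placeholders."""

IDS_PHASE = "magic_transit_ids_managed"  # the phase named on this page


def find_managed_ids_ruleset(rulesets):
    """Return the ID of the Cloudflare-managed IDS ruleset from a listing of
    account rulesets, or None when no such ruleset exists (the page says to
    contact the account team in that case)."""
    for rs in rulesets:
        if rs.get("phase") == IDS_PHASE and rs.get("kind") == "managed":
            return rs["id"]
    return None


def build_root_ruleset(managed_ruleset_id, enabled=True):
    """Body for POST /accounts/{account_id}/rulesets: a root ruleset in the IDS
    phase with one execute rule pointing at the managed ruleset (step 2 above)."""
    return {
        "name": "IDS Execute ruleset",
        "description": "Ruleset to enable IDS",
        "kind": "root",
        "phase": IDS_PHASE,
        "rules": [
            {
                "enabled": enabled,
                "expression": "true",
                "action": "execute",
                "description": "enable ids",
                "action_parameters": {"id": managed_ruleset_id},
            }
        ],
    }


def build_toggle_patch(rule, enabled):
    """Body for PATCH .../rulesets/{root_ruleset_id}/rules/{rule_id} (step 3
    above): the same rule with only the `enabled` flag changed."""
    return {
        "enabled": enabled,
        "expression": rule["expression"],
        "action": rule["action"],
        "action_parameters": dict(rule["action_parameters"]),
    }


def ids_enabled(root_ruleset, managed_ruleset_id):
    """True when a fetched root ruleset in the IDS phase has an enabled execute
    rule targeting the managed IDS ruleset: the state to audit after a change."""
    if root_ruleset.get("phase") != IDS_PHASE or root_ruleset.get("kind") != "root":
        return False
    return any(
        r.get("enabled") is True
        and r.get("action") == "execute"
        and r.get("action_parameters", {}).get("id") == managed_ruleset_id
        for r in root_ruleset.get("rules", [])
    )


# Constructed listing, shaped like the "result" array of a list-rulesets response.
SAMPLE_LISTING = [
    {"id": "<ROOT_RULESET_ID>", "kind": "root", "phase": "magic_transit"},
    {"id": "<MANAGED_IDS_RULESET_ID>", "kind": "managed", "phase": IDS_PHASE},
]
```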

## IDS rules

IDS rules run on a subset of packets. IDS supports the following flows:

* Cloudflare WAN to Cloudflare WAN.
* Magic Transit ingress traffic (when egress traffic is handled through direct server return).
* Magic Transit ingress and egress traffic when Magic Transit has the [Egress option enabled](https://developers.cloudflare.com/reference-architecture/architectures/magic-transit/#magic-transit-with-egress-option-enabled).

## Next steps

You must configure Logpush to log detected risks. Refer to [Configure a Logpush destination](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/use-logpush-with-ids/) for more information. Additionally, all traffic that is analyzed can be accessed via [network analytics](https://developers.cloudflare.com/analytics/network-analytics/). Refer to [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-network-firewall/tutorials/graphql-analytics/) to query the analytics data.

---

---
title: Enable Managed Rulesets
description: With managed rulesets, you can quickly deploy rules maintained by Cloudflare, and you can use Cloudflare Network Firewall (formerly Magic Firewall) to control which rules are enabled.
image: https://developers.cloudflare.com/zt-preview.png
---

# Enable Managed Rulesets

With [managed rulesets](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/), you can quickly deploy rules maintained by Cloudflare, and you can use Cloudflare Network Firewall (formerly Magic Firewall) to control which rules are enabled.

Note:

Before you can begin using managed rulesets with Cloudflare Network Firewall, your account must first be entitled to use managed rulesets. Contact your account team for access.

To enable or disable a rule, you can specify which properties should be overridden. The overrides occur in the Managed phase, root kind ruleset. Currently, you can only have one rule in the root ruleset, but a single rule can contain multiple overrides.

You have multiple options for enabling rules:

* Select an individual rule and enable it.
* Enable multiple rules at once by enabling a category in the `magic_transit_managed` phase.
* Enable an entire ruleset.

## API

### 1\. Create a Managed phase Managed kind ruleset

To create the root ruleset that executes a managed ruleset, build a request with the following:

* `managed_ruleset_id`: The ID of the Managed phase Managed kind ruleset that contains the rule you want to enable.
* `managed_rule_id`: The ID of the rule you want to enable.

Additionally, you need the properties you want to override. The properties you can override include:

* `enabled`: This value can be set to `true` or `false`. When set to `true`, the rule matches packets and applies the rule's default action if the action is not overridden. When set to `false`, the rule is disabled and does not match any packets.
* `action`: The value can be set to `log` so the rule only produces logs instead of applying the rule's default action.

The `enabled` and `action` properties for a rule are set in the Managed phase Managed kind ruleset. All rules in the Managed phase are currently disabled by default.

The example below contains a request for a Managed phase Managed Kind ruleset.

Example request - Create a Managed phase Managed Kind ruleset

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "execute ruleset",
  "description": "Ruleset containing execute rules",
  "kind": "root",
  "phase": "magic_transit_managed",
  "rules": [
    {
      "expression": "true",
      "action": "execute",
      "description": "Enable one rule",
      "action_parameters": {
        "id": "<MANAGED_RULESET_ID>",
        "version": "latest",
        "overrides": {
          "rules": [
            {
              "id": "<MANAGED_RULE_ID>",
              "enabled": true,
              "action": "log"
            }
          ]
        }
      }
    }
  ]
}'
```

### 2\. Patch a Managed phase Managed kind ruleset

To ensure a root kind ruleset only contains one rule, patch the rule to enable new managed rules.

Building off the example from the previous step, the example below enables a category to select multiple rules instead of a single rule. The category will be set to `log` mode, which means the rule can produce logs but will not accept or drop packets.

Example request - Patch a Managed phase Managed kind ruleset

```
curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "expression": "true",
  "action": "execute",
  "action_parameters": {
    "id": "<MANAGED_RULESET_ID>",
    "version": "latest",
    "overrides": {
      "rules": [
        {
          "id": "<MANAGED_RULE_ID>",
          "enabled": true
        }
      ],
      "categories": [
        {
          "category": "simple",
          "enabled": true,
          "action": "log"
        }
      ]
    }
  }
}'
```

### 3\. Enable all rules

To enable the complete ruleset or enable all rules, send the request below.

Example request to enable all rules

```
curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "expression": "true",
  "action": "execute",
  "action_parameters": {
    "id": "<MANAGED_RULESET_ID>",
    "version": "latest",
    "overrides": {
      "enabled": true
    }
  }
}'
```

### 4\. Delete a ruleset

To delete a ruleset, refer to [Delete a rule in a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/delete-rule/).
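Steps 1 to 3 above layer three kinds of override (rule-level, category-level, ruleset-level) into the single execute rule. The Python below is an added example, not Cloudflare's code: it builds that execute rule body and resolves the effective `enabled`/`action` of each managed rule, so you can predict what a change does before sending it. It assumes the precedence rule-level over category-level over ruleset-level override, and the managed rules themselves are constructed placeholders.

```python
"""Added example (not Cloudflare's code): resolve the effective state of each
managed rule after the overrides used in steps 1 to 3 above. Managed rules are
constructed; override precedence (rule > category > ruleset) is an assumption."""


def build_execute_rule(managed_ruleset_id, overrides):
    """The single rule of the root ruleset: `rules[0]` of step 1, or the PATCH
    body of steps 2 and 3."""
    return {
        "expression": "true",
        "action": "execute",
        "action_parameters": {
            "id": managed_ruleset_id,
            "version": "latest",
            "overrides": overrides,
        },
    }


def effective_rules(managed_rules, execute_rule):
    """Return {rule_id: (enabled, action)} for every managed rule.

    Start from each rule's own defaults (the page says managed rules are
    disabled by default), then apply layers lowest precedence first:
    ruleset-level `enabled`/`action`, the override of every category the rule
    belongs to, and finally the rule-level override."""
    overrides = execute_rule["action_parameters"].get("overrides", {})
    by_category = {c["category"]: c for c in overrides.get("categories", [])}
    by_rule = {r["id"]: r for r in overrides.get("rules", [])}
    result = {}
    for rule in managed_rules:
        enabled, action = rule.get("enabled", False), rule["action"]
        layers = [overrides]  # ruleset-level keys live at the top of `overrides`
        layers += [by_category[c] for c in rule.get("categories", []) if c in by_category]
        if rule["id"] in by_rule:
            layers.append(by_rule[rule["id"]])
        for layer in layers:
            enabled = layer.get("enabled", enabled)
            action = layer.get("action", action)
        result[rule["id"]] = (enabled, action)
    return result


# Constructed managed ruleset content: IDs, categories and default actions are
# placeholders, not Cloudflare's real managed rules.
MANAGED_RULES = [
    {"id": "rule-a", "categories": ["simple"], "action": "block", "enabled": False},
    {"id": "rule-b", "categories": ["simple"], "action": "block", "enabled": False},
    {"id": "rule-c", "categories": ["other"], "action": "block", "enabled": False},
]

# The three override shapes from steps 1, 2 and 3 above.
STEP1_OVERRIDES = {"rules": [{"id": "rule-a", "enabled": True, "action": "log"}]}
STEP2_OVERRIDES = {
    "rules": [{"id": "rule-a", "enabled": True}],
    "categories": [{"category": "simple", "enabled": True, "action": "log"}],
}
STEP3_OVERRIDES = {"enabled": True}
```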

## Cloudflare dashboard

You can also use the dashboard to enable managed rulesets.

1. In the Cloudflare dashboard, go to the [Firewall Policies ↗](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall/managed) page.
2. In the **Managed rulesets** tab, select **Deploy managed ruleset**.
3. The page will refresh and show you rulesets configured by Cloudflare that are available to your account. Choose the ruleset you want with **Manage**. If the ruleset you want is not displayed, contact your account manager to get a list of all Network Firewall Managed rulesets.
4. Under **Ruleset configuration**, configure the **Ruleset action** from the drop-down menu. Cloudflare recommends you change this setting to **Log** to evaluate how the ruleset impacts your traffic before deciding on an action. For more information, refer to [Override a managed ruleset](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/).
5. Still under **Ruleset configuration**, choose _Enabled_ from the drop-down menu for the **Ruleset status**. This applies an override to the default status of all the rules in the ruleset.
6. Select **Save** to deploy the Network Firewall Managed ruleset with no rule-level overrides.

### Add rule-level overrides

Applying a rule-level override allows you to customize the behavior of the managed ruleset. If you implemented Cloudflare's above recommendation for the ruleset configuration, the rules will be set to a **Log** action and an **Enabled** status.

On the other hand, if you did not apply Cloudflare's recommendation in the previous step, the ruleset is implemented with all its defaults applied.

To add rule-level overrides in the dashboard:

1. In the Cloudflare dashboard, go to the [Firewall Policies ↗](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall/managed) page.
2. In the **Managed rulesets** tab, locate the Network Firewall managed ruleset you want to add rule-overrides to and select **Manage**.
3. Select **Browse rules**.
4. In the rule you need to change, select an **Action** from the drop-down to change its action, or use the toggle to disable or enable the rule.
5. Select **Next**.
6. Select **Save**.

The Cloudflare dashboard should now show you the rule-level override you have set.

### Delete Network Firewall managed ruleset

1. In the Cloudflare dashboard, go to the [Firewall Policies ↗](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall/managed) page.
2. In the **Managed rulesets** tab, locate the Network Firewall managed ruleset you want to delete and select **Manage**.
3. Select **Delete deployment**.

Your Cloudflare Network Firewall managed ruleset is now deleted.

---

---
title: Enable user roles
description: You can determine which users have, or do not have, configuration edit access for Magic products, including Magic Transit, Cloudflare WAN (formerly Magic WAN), and Cloudflare Network Firewall.
image: https://developers.cloudflare.com/zt-preview.png
---

# Enable user roles

You can determine which users have, or do not have, configuration edit access for Magic products, including Magic Transit, Cloudflare WAN (formerly Magic WAN), and Cloudflare Network Firewall.

For example, if multiple teams manage different Cloudflare products on the same account, you can provide select users with edit access and other users with read-only access.

## Assign permissions

1. In the Cloudflare dashboard, go to the [Members](https://dash.cloudflare.com/?to=/:account/members) page.
2. Under **Members**, enter an existing user's name and select **Search**.
3. Expand the menu at the end of the user row.
4. From the list, locate **Network Services (Magic)**.
5. Select one of two options:  
   * **Network Services (Magic)** \- Enables users to view and edit Magic configurations.  
   * **Network Services (Magic, Read-Only)** \- Enables users to view but not modify Magic configurations.

---

---
title: Filter different views
description: You can utilize different Log filters to only view specific data from Cloudflare Network Firewall (formerly Magic Firewall).
image: https://developers.cloudflare.com/zt-preview.png
---

# Filter different views

You can utilize different [Log filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/) to only view specific data from Cloudflare Network Firewall (formerly Magic Firewall).

## Filter by enabled or disabled rules

Use the filter examples below to filter your Network Firewall traffic to display events for enabled or disabled rules.

The example below only displays fields relevant to Network Firewall, and the filter only displays events for disabled rules.

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  ...
  "output_options": {
      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"]
  },
  "filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"pass\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"drop\"}]}]}}"
}'
```

The example below only displays fields relevant to Network Firewall, and the filter only displays events for enabled rules.

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  ...
  "output_options": {
      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"]
  },
  "filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"or\":[{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"drop\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"pass\"}]}]}]}}"
}'
```

## Filter by allowed or blocked traffic

Use the filter examples below to filter your Network Firewall traffic to display events for allowed or blocked traffic.

The example below only displays fields relevant to Network Firewall, and the filter only displays events where no explicit action was taken, for example, a packet "fell through" Network Firewall. This example does not have any rules applied.

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  ...
  "output_options": {
      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"]
  },
  "filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"eq\",\"value\":\"\"}]}}"
}'
```

The example below only displays fields relevant to Network Firewall, and the filter only displays events where explicit action was taken. The example includes both enabled and disabled Network Firewall rules.

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  ...
  "output_options": {
      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"]
  },
  "filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"}]}}"
}'
```

## Filter by relevant fields to Network Firewall

Use the examples below to filter out fields that are not relevant to traffic flowing through Network Firewall. The example below only includes Network Firewall events.

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  ...
  "output_options": {
      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"]
  },
  "filter": "{\"where\":{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"}}"
}'
```
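To see what each of the five filters on this page actually selects before attaching it to a Logpush job, the Python below (an added example, not Cloudflare's code) evaluates the page's `filter` expressions against constructed Network Firewall events. It implements only the `and`/`or` groups and the `eq`/`!eq` operators used on this page, and the events contain only the fields the filters consult.

```python
"""Added example (not Cloudflare's code): evaluate this page's Logpush filter
expressions against constructed Network Firewall log events."""
import json

# The five filter strings from the curl examples above, with the JSON escaping removed.
DISABLED_RULES = '{"where":{"or":[{"and":[{"key":"MitigationSystem","operator":"eq","value":"magic-firewall"},{"key":"RulesetID","operator":"!eq","value":""},{"key":"Outcome","operator":"eq","value":"pass"},{"key":"Verdict","operator":"eq","value":"drop"}]}]}}'
ENABLED_RULES = '{"where":{"or":[{"and":[{"key":"MitigationSystem","operator":"eq","value":"magic-firewall"},{"key":"RulesetID","operator":"!eq","value":""},{"or":[{"key":"Outcome","operator":"eq","value":"drop"},{"key":"Verdict","operator":"eq","value":"pass"}]}]}]}}'
FELL_THROUGH = '{"where":{"and":[{"key":"MitigationSystem","operator":"eq","value":"magic-firewall"},{"key":"RulesetID","operator":"eq","value":""}]}}'
EXPLICIT_ACTION = '{"where":{"and":[{"key":"MitigationSystem","operator":"eq","value":"magic-firewall"},{"key":"RulesetID","operator":"!eq","value":""}]}}'
ALL_NETWORK_FIREWALL = '{"where":{"key":"MitigationSystem","operator":"eq","value":"magic-firewall"}}'


def evaluate(node, event):
    """Recursively evaluate one filter node (an and/or group or a leaf
    comparison) against an event given as a dict of field values."""
    if "and" in node:
        return all(evaluate(child, event) for child in node["and"])
    if "or" in node:
        return any(evaluate(child, event) for child in node["or"])
    actual = event.get(node["key"], "")
    if node["operator"] == "eq":
        return actual == node["value"]
    if node["operator"] == "!eq":
        return actual != node["value"]
    raise ValueError("operator not implemented in this example: " + node["operator"])


def select(filter_json, events):
    """Return the `id` labels of the events that pass the filter."""
    where = json.loads(filter_json)["where"]
    return [e["id"] for e in events if evaluate(where, e)]


# Constructed events. As the page's filters imply, a disabled rule still
# reports the Verdict it would have applied while the Outcome stays "pass".
EVENTS = [
    {"id": "disabled-drop-rule", "MitigationSystem": "magic-firewall", "RulesetID": "rs-1", "Outcome": "pass", "Verdict": "drop"},
    {"id": "enabled-drop-rule", "MitigationSystem": "magic-firewall", "RulesetID": "rs-1", "Outcome": "drop", "Verdict": "drop"},
    {"id": "enabled-skip-rule", "MitigationSystem": "magic-firewall", "RulesetID": "rs-2", "Outcome": "pass", "Verdict": "pass"},
    {"id": "no-rule-matched", "MitigationSystem": "magic-firewall", "RulesetID": "", "Outcome": "pass", "Verdict": "pass"},
    {"id": "other-system", "MitigationSystem": "other-mitigation", "RulesetID": "", "Outcome": "pass", "Verdict": "pass"},
]
```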

---

---
title: Form expressions
description: Rules are written as using the Cloudflare Rules language - a domain-specific language (DSL) intended to mimic Wireshark semantics. For more information, refer to the Rules language documentation.
image: https://developers.cloudflare.com/zt-preview.png
---

# Form expressions

Rules are written using the Cloudflare Rules language, a domain-specific language (DSL) intended to mimic Wireshark semantics. For more information, refer to the [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/) documentation.

To start with a simple case, review below how you would match a source IP:

```
ip.src == 192.0.2.0
```

Expressions can be more complex by joining multiple clauses via a logical operator:

```
ip.src == 192.0.2.1 && (tcp.flags.push || tcp.flags.reset)
```

## Capabilities

You can use Cloudflare Network Firewall (formerly Magic Firewall) to skip or block packets based on source or destination IP, source or destination port, protocol, packet length, or bit field match.

## Restrictions

Wirefilter comparisons support CIDR notation, but only inside sets. For example:

```
ip.src == 192.0.2.0/24  # bad
ip.src in { 192.0.2.0/24 }  # good
```

Expressions have a complexity limit that is easily reached when many joined or nested clauses are in the expression. Here's an example:

```
(tcp.dstport == 1000 || tcp.dstport == 1001) && (tcp.dstport == 1002 || tcp.dstport == 1003) && (tcp.dstport == 1004 || tcp.dstport == 1005) && (tcp.dstport == 1006 || tcp.dstport == 1007) && (tcp.dstport == 1008 || tcp.dstport == 1009) && (tcp.dstport == 1010 || tcp.dstport == 1011) && (tcp.dstport == 1012 || tcp.dstport == 1013) && (tcp.dstport == 1014 || tcp.dstport == 1015) && (tcp.dstport == 1016 || tcp.dstport == 1017)
```

If the limit is reached, the response will have a `400` status code and an error message of `ruleset exceeds complexity constraints`. Split the expression into multiple rules and try again.

---

---
title: Use Logpush with IDS
description: You can use Logpush with Cloudflare Network Firewall (formerly Magic Firewall) IDS to log detected risks:
image: https://developers.cloudflare.com/zt-preview.png
---

# Use Logpush with IDS

You can use Logpush with Cloudflare Network Firewall (formerly Magic Firewall) IDS to log detected risks:

1. Consult the [Logpush Destination docs](https://developers.cloudflare.com/logs/logpush/logpush-job/api-configuration/#destination) to learn about what destinations Logpush supports. The documentation will also instruct you on how to correctly format the destination URL for Logpush.
2. Follow the [Manage Logpush with cURL](https://developers.cloudflare.com/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job.

## Notes on using Logpush with IDS

* Magic IDS is an account-scoped dataset. This means the string `/zone/<ZONE_ID>` in the Cloudflare API URLs in the tutorial should be replaced with `/account/<ACCOUNT_ID>`.
* Consult the [Magic IDS Detection fields doc](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/magic%5Fids%5Fdetections/) to know what fields you want configured for the job.
* When creating the Logpush job, the dataset field should equal `magic_ids_detections`.
* Timestamps by default are unixnano. Consult the [Logpush Options docs](https://developers.cloudflare.com/logs/logpush/logpush-job/api-configuration/#options) to learn what format you can choose that will be compatible with your destination and/or expectations. Note that all options must be added _after_ all fields you want from the Logpush job, akin to URL parameters.

---

---
title: Use IP lists
description: IP lists are a part of Cloudflare's custom lists. Custom lists contain one or more items of the same type — IP addresses, hostnames or ASNs — that you can reference in rule expressions.
image: https://developers.cloudflare.com/zt-preview.png
---

# Use IP lists

[IP lists](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists) are a part of Cloudflare's custom lists. Custom lists contain one or more items of the same type — IP addresses, hostnames or ASNs — that you can reference in rule expressions.

IP lists are defined at the account level and can be used to match against `ip.src` and `ip.dst` fields. Currently, Cloudflare Network Firewall (formerly Magic Firewall) only supports IPv4 addresses in these lists, not IPv6.

To use this feature:

## 1\. Create a [new IP list](https://developers.cloudflare.com/api/resources/rules/subresources/lists/methods/create/).

For example:

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rules/lists \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "name": "iplist",
  "description": "This contains IPs that should be allowed.",
  "kind": "ip"
}'
```

## 2\. Add IPs to the list

Next, [create list items](https://developers.cloudflare.com/api/resources/rules/subresources/lists/subresources/items/methods/create/). This will add elements to the current list.

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rules/lists/{list_id}/items \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '[
  {"ip":"10.0.0.1"},
  {"ip":"10.10.0.0/24"}
]'
```

## 3\. Use the list in a rule

Finally, add a Network Firewall rule that references the list to an existing ruleset:

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "action": "skip",
  "action_parameters": {
    "ruleset": "current"
  },
  "expression": "ip.src in $iplist",
  "description": "Allowed IPs from iplist",
  "enabled": true
}'
```
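Before sending the items from step 2, it is worth checking them against the IPv4-only restriction stated above and confirming which sources the rule from step 3 would then match. The Python below is an added example, not Cloudflare's code: it validates list items, emulates `ip.src in $iplist` over the accepted entries, and builds the step 3 rule body. The sample items and addresses are constructed.

```python
"""Added example (not Cloudflare's code): validate IP list items for the
IPv4-only restriction on this page and emulate `ip.src in $iplist`."""
import ipaddress


def validate_ip_list_items(items):
    """Split list items into (accepted_networks, rejected_messages).

    Rejects IPv6 entries (the page says Network Firewall lists support IPv4
    only) and values that do not parse. A prefix with host bits set, such as
    10.10.0.5/24, is also rejected so an item means exactly what it says; that
    strictness is this example's choice, not a documented API behaviour."""
    accepted, rejected = [], []
    for item in items:
        value = item.get("ip", "")
        try:
            net = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            rejected.append(f"{value!r}: {exc}")
            continue
        if net.version != 4:
            rejected.append(f"{value!r}: IPv6 is not supported in Network Firewall IP lists")
            continue
        accepted.append(net)  # a single address becomes a /32 network
    return accepted, rejected


def ip_in_list(src, networks):
    """Emulate `ip.src in $iplist`: true when the source address falls inside
    any accepted entry."""
    addr = ipaddress.ip_address(src)
    return addr.version == 4 and any(addr in net for net in networks)


def build_skip_rule(list_name):
    """Rule body from step 3 above, parameterised on the list name. The `skip`
    action with ruleset "current" skips the remaining rules of the ruleset."""
    return {
        "action": "skip",
        "action_parameters": {"ruleset": "current"},
        "expression": f"ip.src in ${list_name}",
        "description": f"Allowed IPs from {list_name}",
        "enabled": True,
    }


# Constructed items: the two from step 2 plus entries the validator should reject.
SAMPLE_ITEMS = [
    {"ip": "10.0.0.1"},
    {"ip": "10.10.0.0/24"},
    {"ip": "2001:db8::1"},   # IPv6: not supported per this page
    {"ip": "10.10.0.5/24"},  # host bits set
    {"ip": "not-an-ip"},     # does not parse
]
```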

## Managed lists

Note

Available for customers with a Cloudflare Network Firewall Advanced plan.

You can create rules with managed lists. Managed IP Lists are [lists of IP addresses](https://developers.cloudflare.com/waf/tools/lists/managed-lists/#managed-ip-lists) maintained by Cloudflare and updated frequently.

You can access these managed lists when you create rules with either _IP destination address_ or _IP source address_ in the **Field** dropdown, and _is in list_ or _is not in list_ in the **Operator** dropdown.

For example:

| Field                    | Operator     | Value         |
| ------------------------ | ------------ | ------------- |
| _IP destination address_ | _is in list_ | _Anonymizers_ |

---

---
title: Cloudflare Network Firewall fields
description: cf.colo.name  String
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloudflare Network Firewall fields

Note

Some Cloudflare Network Firewall (formerly Magic Firewall) fields are available only to customers who purchased Cloudflare Network Firewall's advanced features. Refer to [Cloudflare Network Firewall plans](https://developers.cloudflare.com/cloudflare-network-firewall/plans/) for more information.

## `cf.colo.name`

Type: `String`

The data center that is handling this traffic.

Example value: `sfo06`

---

## `cf.colo.region`

`cf.colo.region` ` String `

Region of the data center that is handling this traffic.

Example value: `WNAM`

---

## `icmp`

`icmp` ` String `

The raw ICMP packet as a list of bytes. Use it with the `bit_slice` function when no structured field exposes the bytes you need.

---

## `icmp.type`

`icmp.type` ` Number `

The [ICMP type ↗](https://en.wikipedia.org/wiki/Internet%5FControl%5FMessage%5FProtocol#header%5Ftype). Only applies to ICMP packets.

Example value: `8`

---

## `icmp.code`

`icmp.code` ` Number `

The [ICMP code ↗](https://en.wikipedia.org/wiki/Internet%5FControl%5FMessage%5FProtocol#header%5Fcode). Only applies to ICMP packets.

Example value: `2`

---

## `ip`

`ip` ` String `

The raw IP packet as a list of bytes. Use it with the `bit_slice` function when no structured field exposes the bytes you need.

---

## `ip.dst`

`ip.dst` ` IP address `

The destination address as specified in the IP packet.

Example value: `192.0.2.2`

---

## `ip.dst.country`

`ip.dst.country` ` String `

Represents the 2-letter country code associated with the server IP address in [ISO 3166-1 Alpha 2 ↗](https://www.iso.org/obp/ui/#search/code/) format.

Example value: `GB`

For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2 ↗](https://en.wikipedia.org/wiki/ISO%5F3166-1%5Falpha-2) on Wikipedia.

---

## `ip.src.country`

`ip.src.country` ` String `

Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2 ↗](https://www.iso.org/obp/ui/#search/code/) format.

Example value: `GB`

For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2 ↗](https://en.wikipedia.org/wiki/ISO%5F3166-1%5Falpha-2) on Wikipedia.

For Cloudflare Network Firewall, the `ip.geoip.country` field (which is deprecated) will match on either source or destination address. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` and/or `ip.dst.country` fields instead.

---

## `ip.hdr_len`

`ip.hdr_len` ` Number `

The length of the IPv4 header in bytes.

Example value: `5`

---

## `ip.len`

`ip.len` ` Number `

The length of the packet including the header.

Example value: `60`

---

## `ip.opt.type`

`ip.opt.type` ` Number `

The first byte of [IP options field ↗](https://en.wikipedia.org/wiki/IPv4#Options), if the options field is set.

Example value: `25`

---

## `ip.proto`

`ip.proto` ` String `

The transport layer for the packet, if it can be determined.

Example values: `icmp`, `tcp`

---

## `ip.src`

`ip.src` ` IP address `

The source address as specified in the IP packet.

---

## `ip.ttl`

`ip.ttl` ` Number `

The time-to-live (TTL) of the IP packet.

Example value: `54`

---

## `sip`

`sip` ` Boolean `

Determines whether the packet is a valid L7 [SIP ↗](https://datatracker.ietf.org/doc/html/rfc2543) message. Only works on UDP packets.

Use a guard clause such as the following so that the field is only evaluated for UDP packets (wirefilter syntax):

`ip.proto == "udp"`

---

## `ip.src.asnum`

`ip.src.asnum` ` Number `

Autonomous System (AS) number associated with the source IP address.

Example value: `13335`

---

## `ip.dst.asnum`

`ip.dst.asnum` ` Number `

Autonomous System (AS) number associated with the destination IP address.

Example value: `15169`

---

## `tcp`

`tcp` ` String `

The raw TCP packet as a list of bytes. Use it with the `bit_slice` function when no structured field exposes the bytes you need.

---

## `tcp.flags`

`tcp.flags` ` Number `

The numeric value of the TCP flags byte.

---

## `tcp.flags.ack`

`tcp.flags.ack` ` Boolean `

TCP acknowledgment flag.

---

## `tcp.flags.cwr`

`tcp.flags.cwr` ` Boolean `

TCP congestion window reduced flag.

---

## `tcp.flags.ecn`

`tcp.flags.ecn` ` Boolean `

TCP ECN-Echo flag.

---

## `tcp.flags.fin`

`tcp.flags.fin` ` Boolean `

TCP flag indicating this is the last packet from sender.

---

## `tcp.flags.push`

`tcp.flags.push` ` Boolean `

TCP push flag.

---

## `tcp.flags.reset`

`tcp.flags.reset` ` Boolean `

TCP reset flag.

---

## `tcp.flags.syn`

`tcp.flags.syn` ` Boolean `

TCP synchronize flag.

---

## `tcp.flags.urg`

`tcp.flags.urg` ` Boolean `

TCP urgent flag.

---

## `tcp.srcport`

`tcp.srcport` ` Number `

Source port number of the IP packet. Only applies to TCP packets.

---

## `tcp.dstport`

`tcp.dstport` ` Number `

Destination port number of the IP packet. Only applies to TCP packets.

---

## `udp`

`udp` ` String `

The raw UDP packet as a list of bytes. Use it with the `bit_slice` function when no structured field exposes the bytes you need.

---

## `udp.dstport`

`udp.dstport` ` Number `

Destination port number of the IP packet. Only applies to UDP packets.

---

## `udp.srcport`

`udp.srcport` ` Number `

Source port number of the IP packet. Only applies to UDP packets.

---
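As an added example (not Cloudflare's code), the following Python decodes the structured fields listed above from a raw IPv4 packet, showing how `ip.hdr_len`, `ip.proto`, the port fields and the `tcp.flags.*` booleans relate to the raw bytes. The `bit_slice` helper here is a hypothetical stand-in that models bit-offset extraction, not the Network Firewall function, and the sample packet is constructed.

```python
import struct

def bit_slice(buf: bytes, start: int, end: int) -> int:
    """Return bits [start, end) of buf as an integer (bit 0 = MSB of byte 0).
    Hypothetical stand-in for bit-offset extraction; not Cloudflare's bit_slice."""
    total = len(buf) * 8
    if not 0 <= start < end <= total:
        raise ValueError("bit range outside packet")
    value = int.from_bytes(buf, "big")
    return (value >> (total - end)) & ((1 << (end - start)) - 1)

# Bit masks of the TCP flags byte, keyed by the tcp.flags.* field suffixes above.
TCP_FLAG_BITS = {"cwr": 0x80, "ecn": 0x40, "urg": 0x20, "ack": 0x10,
                 "push": 0x08, "reset": 0x04, "syn": 0x02, "fin": 0x01}
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def decode_fields(pkt: bytes) -> dict:
    """Map a raw IPv4 packet to the structured field names used in rules."""
    if bit_slice(pkt, 0, 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = bit_slice(pkt, 4, 8)                 # IHL: header length in 32-bit words
    fields = {
        "ip.hdr_len": ihl,
        "ip.len": bit_slice(pkt, 16, 32),      # total length, bytes 2-3
        "ip.ttl": bit_slice(pkt, 64, 72),      # byte 8
        "ip.proto": IP_PROTO_NAMES.get(bit_slice(pkt, 72, 80)),  # byte 9
    }
    l4 = pkt[ihl * 4:]                         # transport header starts after options
    if fields["ip.proto"] in ("tcp", "udp"):
        proto = fields["ip.proto"]
        fields[f"{proto}.srcport"] = bit_slice(l4, 0, 16)
        fields[f"{proto}.dstport"] = bit_slice(l4, 16, 32)
    if fields["ip.proto"] == "tcp":
        flags = bit_slice(l4, 104, 112)        # TCP flags byte (offset 13)
        fields["tcp.flags"] = flags
        for name, mask in TCP_FLAG_BITS.items():
            fields[f"tcp.flags.{name}"] = bool(flags & mask)
    return fields

# Constructed sample: IPv4/TCP SYN, 192.0.2.1:40000 -> 198.51.100.7:443, TTL 54.
SAMPLE_SYN = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 54, 6, 0,
                bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    + struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
)

if __name__ == "__main__":
    for name, value in decode_fields(SAMPLE_SYN).items():
        print(f"{name} = {value}")
```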

_GeoIP is the registered trademark of MaxMind, Inc._

---

---
title: Cloudflare Network Firewall functions
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloudflare Network Firewall functions

---

---
title: Diagnose traffic decisions
description: When traffic is unexpectedly blocked, multiple Cloudflare systems could be responsible. This guide walks you through identifying what is blocking your traffic and how to resolve it.
image: https://developers.cloudflare.com/zt-preview.png
---

# Diagnose traffic decisions

When traffic is unexpectedly blocked, multiple Cloudflare systems could be responsible. This guide walks you through identifying what is blocking your traffic and how to resolve it.

Traffic passing through Cloudflare's network is evaluated by several independent security systems in the following sequence:

1. Network-layer DDoS protection: this layer applies the DDoS managed rulesets.
2. Advanced TCP Protection: Cloudflare's stateful TCP inspection system, [flowtrackd ↗](https://blog.cloudflare.com/announcing-flowtrackd/).
3. Network Firewall: your custom and managed firewall rules.

Each system operates independently. Traffic blocked by an earlier system never reaches later systems for evaluation.

Warning

Creating an allow rule in Network Firewall does **not** bypass DDoS protection. If traffic is blocked by Advanced TCP Protection or DDoS managed rules, you must configure bypasses in those systems separately.

To diagnose blocked traffic, use [Network Analytics](https://developers.cloudflare.com/analytics/network-analytics/) to identify which system is blocking the traffic and why. If Network Analytics does not provide enough information, you can use packet captures for deeper analysis.

## Quick triage checklist

Before making changes, gather the following information:

* What traffic is affected? Check source IP, destination IP, ports, and protocols.
* When did the issue start?
* Were any configuration changes made recently?
* Is this affecting all traffic or specific flows?
* Check [Cloudflare Status ↗](https://www.cloudflarestatus.com/) for any ongoing incidents.

## Filter dropped traffic

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/).
2. Under **Protect & Connect**, go to **Insights** \> **Network analytics**.
3. In the **All Traffic** tab, select **Add filter**.
4. Configure the filter:  
   * Select **Action** \> **equals** \> **Drop**  
   * Select **Apply**.
5. Filter the time range to when the issue occurred.
6. Add additional filters if you know the affected traffic characteristics (such as Source IP, Destination IP, and more).
7. To identify the blocking system: In the **Packet Summary** graph, select the three dots > **Mitigation system**. This tells you which Cloudflare system blocked the traffic.

### If the mitigation system displays DDoS Managed Ruleset

If the mitigation system displays DDoS Managed Ruleset, the traffic was dropped by a rule in the DDoS managed ruleset. Note the **Rule ID** and **Rule Name** fields to identify which specific rule triggered.

1. At the top of **Network analytics**, select **DDoS managed rules**.
2. Make sure to include any relevant filters to identify the traffic and to narrow down the time range to the relevant issue timing.
3. In the **Packets summary** graph, select the three dots, then choose **Rule**. The dashboard will show you the rules that were acting on your traffic.
4. To resolve: Adjust the DDoS managed rule sensitivity or [create an override](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/) for the affected traffic pattern.

### If the mitigation system displays TCP Protection

If the mitigation system displays TCP Protection, the traffic was blocked by [TCP Protection](https://developers.cloudflare.com/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/). Refer to the [Mitigation Reason](https://developers.cloudflare.com/ddos-protection/advanced-ddos-systems/concepts/#mitigation-reasons) field to understand why TCP Protection dropped the traffic.

**To resolve**, create an [Advanced TCP Protection allowlist](https://developers.cloudflare.com/ddos-protection/advanced-ddos-systems/how-to/add-prefix-allowlist/) or [filter](https://developers.cloudflare.com/ddos-protection/advanced-ddos-systems/how-to/create-filter/) to bypass protection for the affected traffic.

### If the mitigation system displays Firewall Policy

If your traffic was blocked by your Network Firewall configuration:

1. At the top of **Network analytics**, select the **Firewall** tab.
2. Make sure to include any relevant filters to identify the traffic and to narrow down the time range to the relevant issue timing.
3. In the **Packets summary** graph, select the three dots, then choose **Rule**. The dashboard will show you the rules that were acting on your traffic.
4. Review your [Network Firewall policies](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/add-policies/) and adjust the rule order or expressions as needed.

## Use packet captures for deeper analysis

If you cannot identify the issue from Network Analytics, use [packet captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/) to inspect the actual traffic:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/).
2. Under **Protect & Connect**, go to **Insights** \> **Network health**.
3. Go to **Diagnostics**, and configure a packet capture filter matching the affected traffic. Note that the packet capture (pcap) might be empty because packets were dropped.
4. Analyze the captured packets to understand traffic characteristics.
5. Compare against your rule configurations.

## Common scenarios

| Scenario                     | Symptoms                                | Likely cause                            | Recommended action                                   |
| ---------------------------- | --------------------------------------- | --------------------------------------- | ---------------------------------------------------- |
| Partner traffic blocked      | Specific source IP blocked              | DDoS or Advanced TCP Protection sensitivity | Allowlist partner IP ranges in both systems          |
| New rule not working         | Traffic still passes                    | Rule order (earlier rule matches first) | Adjust rule priority or refine the matching criteria |
| Traffic blocked after change | Sudden drops after configuration change | Rule misconfiguration                   | Review recent changes and revert to the last version |

## Related resources

* [Network Analytics](https://developers.cloudflare.com/analytics/network-analytics/)
* [Advanced TCP Protection](https://developers.cloudflare.com/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/)
* [Network Firewall rule configuration](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/add-policies/)
* [Packet captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/)
