Cloudflare Web Application Firewall Reviews

Our use case of this solution is to secure our web applications hosted on Cloudflare. I'm a security operations analyst and we are customers of Cloudflare. 

This solution does a good job of preventing web application attacks, SQL injections, and cross-site scripting attacks. We know it's doing a good job because we've tested it. 

The reporting could be improved if it were more granular. Fortigate Firewall, for example, shows all the events at a glance with different fields on a table; you can scroll through for patterns and look at all events. That's not possible with CloudFlare where I need to analyze a report that summarizes all the data. It requires exporting the report as a CSV file, analyzing it in Excel, and then going into CloudFlare to carry out a deeper analysis. If I could do that high-level analysis from the web console and then drill down specific events, it would be a great feature that would improve this product. 

I've been using this solution for seven months. 

The solution is stable, we haven't had any downtime. 

The solution is easily scalable. 

I previously used Imperva Web Application Firewall. For tracking metrics, I think CloudFlare does a better job with its graphs and the user interface. Its web console presents those metrics in an easily readable manner and it does that better than Incapsula or Imperva. I think Imperva speaks more to security, and preventing attacks and is more focused on details about the attacks. CloudFlare does more because it shows your availability metrics, traffic metrics, and security metrics. In terms of the user interface, I'd say that CloudFlare does a better job in reporting.

There is some maintenance required when it comes to updates and we periodically have to review the rules sets which require going into the list of rules and finding those connected to that particular view and then enabling them in your environment. We have three admins working on this product. We use the solution on a daily basis. 

If you're going to be reporting heavily and want to leverage the reporting features to measure the performance of your websites, then CloudFlare does that very well.

I rate this solution eight out of 10. 

We use the solution to protect web applications.

The solution is easy to use.

Sometimes, it is challenging to access our applications using the solution. They should work on this particular area. Also, its availability needs improvement.

We have been using the solution for two years.

We encounter stability issues regarding the solution's availability to access applications.

We have 200 solution users in our organization. We use it extensively and plan to increase the usage.

We contact our service provider for any technical issues with the solution.

The solution's deployment takes two to three days to complete.

Our service provider helps us install the solution.

The solution is expensive. We purchase a yearly based license for it.

I recommend the solution to others and rate it a six out of ten.

We primarily use the solution as an application firewall.

In general, it's a very good product.

The solution is very stable. The performance is great.

The product offers very good scalability.

The pricing is very reasonable.

The installation is very straightforward. It's quite simple.

Technical support has a very fast response time and they are helpful.

We never had any issues with the analytics, dashboards, or monitoring.

I can't recall dealing with features that were not sufficient. It's very good.

It would be ideal if the solution offered better log integration and more integration with different platforms.

I've been using the solution for about a year and a half at this point. It's been a while. 

The performance of the solution is very good. It's very stable. The product doesn't crash or freeze. There are no bugs or glitches. It's reliable. 

The solution can scale quite well. If a company needs to expand the product, it can do so with relative ease.

I am unsure as to if the company plans to increase usage, as I used it primarily at my previous organization. I've since moved on.

Technical support is very good. They are very helpful and responsive. We've been quite satisfied with the level of support they provide to our organization.

The initial setup is very straightforward. It's not complex or overly difficult. We found it quite simple to execute. A company should be able to handle the process easily.

We only required two individuals for deployment and maintenance. They were a manager and an admin.

I'm pretty satisfied with the solution in terms of the pricing. It's reasonable. I have no complaints.

Before the organizations chose this solution, it's my understanding that it did not evaluate any other options.

We always have the latest version of the solution. As a cloud deployment, it's always updating to the latest version. 

We're a Cloudflare partner.

I'd rate the product at a nine out of ten overall. We've been quite pleased with the overall capabilities of the solution.

I would recommend the solution to other users and companies.

We have multiple customers using the solution for a WAF. It's also a firewall. Unlike others, where you have to purchase multiple solutions, Cloudflare has everything under one solution. It handles load balancing, CDN, order routing, DDoS protection, and more under one solution. 

We like that everything is covered under one solution instead of having to buy multiple solutions and put them together. 

We like that there's load balancing, firewall capabilities, DDoS protection, et cetera, all covered by Cloudflare. 

Cloudflare has multiple caller sites and many PoPs. Whenever a user tries to get a webpage or any application, all the pages will be scanned with the nearest location data center or on a near-based, performing locally in the data center only. Other vendors have different services in different data centers. In Cloudflare, every data center has all the services. 

Currently, Cloudflare is growing. They are exploding their data centers, which is great for clients. Previously it was 25, and now it's 28 or 30. 

They are good at managing rules. 

The WAF is working fine.

We find the reporting to be very granular. It's quite good. 

I'm happy with whatever features are currently on offer in Cloudflare.

The solution is stable.

It's scalable.

It is an easy-to-set-up solution. 

Technical support has been very good. 

We find the solution competitively priced. 

Finding vulnerabilities or attack patterns needs to evolve continuously. The landscape is changing. Accordingly, the rules have been changed. The Core Ruleset, is already managing that. It has been good at catching malicious activity so far. They just need to continue to invest in this aspect.

They have some limitations with third-party integrations. For example, we can't integrate with our site.  On-premises, we can't do that. You can on Azure storage, of Google Cloud, however. It works better on the cloud.

I've been using the solution for about one year. 

The solution is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze. 

The solution is scalable. It is very easy.

I'm the only person working on the solution. There's one or two of us directly on the system. 

Technical support is really good. I work on multiple products, and therefore getting a response from Cloudflare is very much appreciated. The only concern we have is with Indian support. There are some limitations to Indian support. Whenever we are planning for any deployment or PoC, the Indian customers say they're having some issues getting on a call or getting Cloudflare involved. However, support, in general, is good and usually you get a response within an hour or two. 

Positive

It's very straightforward to set up everything. In a firewall, you have to build some virtual IPs and all that stuff. However, with this, you have to just onboard your application. You have just to put out your CNAME or A records. After that, you just make some application proxies, and then you have to perform that local host testing. If you want downtime, you must make configuration changes over authority with DNS, and you can onboard your application. It's straightforward. There are not too many hurdles.

The deployment is quick. Once you do the setup, you just have to enter your records and automate the certification part and it is a half-hour process.

I'd rate it a five out of five in terms of ease of setup. 

We don't require any maintenance. We just have to monitor. Whenever we are performing the login process, we are providing logs to any CS log server or any AFIM solution. That part will be taken care of by the SOC team. 

The pricing is good. We find it to be competitive. There are add-on features available as well. 

I'd rate the affordability at 4.5 out of five. 

We are a system integrator for Cloudflare.

We are not on the latest update. Our last update was two or three months back. 

This is a good product. It's reliable and scales well. For new users, you don't require too much expertise on Cloudflare. You just have to understand a WAF. Beyond that, it is very easy to deploy and very fast to implement. 

I'd rate the solution eight out of ten. 

We use Cloudflare Web Application Firewall for verification of applications from various domains. Also protecting the server from exposure by implementing the Proxy Server feature on front end i.e. on client's side. Also implemented both hosts based & Cloud based WAF. 

We are required to follow a specific and separate set of rules for web applications for DDoS attacks while working with AWS and Azure. Instead, there could be an option to duplicate the cluster to maintain the consistency of rules.

We have been using Cloudflare Web Application Firewall for three to four years.

I rate Cloudflare Web Application Firewall's stability a nine out of ten.

It is a scalable platform. Although it lacks some features. We have two to three users for it. I rate its scalability an eight out of ten.

The initial setup process is simple.

I implemented the product myself.

Cloudflare Web Application Firewall has certain limitations for rules. I rate it a seven out of ten.

I am using Cloudflare Web Application Firewall to develop web applications and mobile applications for a business belonging to the manufacturing industry which wishes to migrate its entire applications from its existing AWS system to Cloudflare.

The enterprise bundle includes a variety of features, such as a Web Application Firewall, rate limiting, CDN, DDoS protection, remote management, performance monitoring, and more. It is a really nice product.

The additional features I wish to see in the next release include rate limiting on Cloudflare Web Application Firewall and advanced DDoS protection. The current product is highly explorable and does not have many limitations. However, there are some limitations in terms of administrative privileges and the way it manages auto-alerts.

Cloudflare needs to improve its customer support for Indian customers and work on the monitoring and reporting features.

I am a reseller and a direct user. I have been working on the enterprise version of Cloudflare Web Application Firewall for the past year.

The product is stable, and we have been working with a customer who uses it for their manufacturing and connecting car applications, as well as some API-related systems. The customer was previously using AWS Web Application Firewall. However, they have now decided to switch to Cloudflare. In Cloudflare, the rate-limiting feature helps protect against attacks and mitigates brute-force attacks. The DDoS mechanism automatically defends against DDoS attacks. Cloudflare's Web Application Firewall also has 700 signatures and provides intelligence on 10 vulnerabilities. It offers IP, URI, and domain-based filtering options.

The solution is not deployed in my company, but it is used in the company of one of my customers. The customer I mentioned has around 12,000 users working on this solution. I rate the scalability a 10 out of 10.

I have experienced some difficulties with Cloudflare's support as a customer based in India. Despite the company offering 24/7 support, I feel that administrative support does not meet the expectations of its customers.

Neutral

I previously worked with an on-premise version of the F5 tool more than five years ago, and at that time, the concept of SaaS was not prevalent. Currently, the Cloudflare product is considered to be a SaaS-based product since they have CDN, which is different from my previous experience with the F5 tool. Since it has been a long time since I worked with the on-premises version, I am unable to provide a relevant comparison between the two.

I find the deployment process for Cloudflare's firewall to be very smooth. Someone with a basic understanding of networking and security will be able to implement the firewall's basic features within 15 minutes. The deployment of a new domain on Cloudflare can be completed within 15 minutes if the necessary administrative authority and support from the DNS team are available during the process. It also includes the time needed for domain registration. We are working for an ITSM organization and have multiple administrators. During the deployment phase of the solution in the organization, we have limited the number of administrators to just five to ten individuals. We also arranged a few KT sessions to help the company employees who are involved in working with this solution. As of now, they have started working on the tool.

In terms of the licensing cost perspective, it is a subscription-based pricing model. Usually, customers opt for a yearly subscription. However, I don't have a specific or exact figure on the actual cost. Cloudflare offers different types of subscriptions for businesses, enterprises, and personal users, and the pricing is negotiable. The enterprise-level subscription provides multiple options, such as the ability to enable advanced Web Application Firewall and DDoS protection. This means that customers have multiple subscription options.

To effectively use Cloudflare Web Application Firewall, it is important for a person to have an internet connection, an understanding of the internet, how the DNS works, and how websites and their administration domains function. I rate this solution a nine out of ten.

Caching is the most valuable feature of Cloudflare Web Application Firewall.

Cloudflare Web Application Firewall should improve visibility for a customer.

I have been using Cloudflare Web Application Firewall for five years.

Cloudflare Web Application Firewall is a scalable solution. More than 10,000 retail solutions and more than 50,000 online customers are using the solution in our company.

The solution's customer support is really bad. When you have some issue, you will never get an answer from customer support.

Negative

We previously worked with F5 on-premises.

The solution's pricing option needs to be more transparent for enterprise clients.

I am using the latest version of Cloudflare Web Application Firewall. Cloudflare Web Application Firewall is deployed on the cloud in our organization.

Overall, I rate Cloudflare Web Application Firewall a nine out of ten.

Our primary use is as a SaaS-based firewall solution for web applications.  

The most valuable part of the solution for us overall is exactly that it is a Software-as-a-Service product. It fits our use needs because it is configurable via API.  

There is really only one area of the product that I think needs to be improved. That is that Cloudflare should update the version of the ModSecurity core rule set that they run on. They run a pretty old version of ModSecurity from 2013 and they need to update it. That is one thing I would very much like to see in a future release.  

The main issue that we have is really a decision about how the product fits our model. We use both AWS and Azure, and they have similar products. We are trying to determine whether or not we go for a cloud-native solution per the cloud provider we are using or stick with our current model and continue to use Cloudflare. Switching to AW or Azure as a lone solution means we would go with one or the other across all cloud providers to unify our WAF approach. It might simplify how we look at the maintenance of our web application firewall.  

We have been using Cloudflare's web application firewall for twelve months.  

I am one-hundred percent convinced of the stability of the product.  

I can say I am pretty confident in the scalability of Cloudflare WAF. I believe that they are the largest WAF provider on the internet at the moment. That is probably at least in part because they are pretty scalable. It is our primary WAF product at the moment.  

As far as technical support, we have not really had any issues that require contacting them.  

The initial setup of Cloudflare WAF was very easy. It is a SaaS service so it is just online and it is really only a few clicks away to get started with it. There is no physical infrastructure to bother with so that whole component of maintenance is removed.  

There is no upfront cost for infrastructure because it is a SaaS solution. You just pay per month for the product and usage.  

We have evaluated other WAF (Web Application Firewall) solutions. In fact, that is what we are investigating now in taking a deeper look at the advantages of AWS and Azure. That evaluation is really part of my current job.  

At this stage, we have not really considered replacing Cloudflare as a solution with either of those specific solutions or other WAF products. The thing that differentiates Cloudflare WAF is that is it Software-as-a-Service. It is integrated tightly with all of Cloudflare's other services. That is probably the better way to look at it: it is an integrated part of a product suite and not really a separate solution.  

My advice to people who are considering Cloudflare WAF is to check service limits of other providers. Cloudflare does not really have a lot of service limits and that makes a difference. Also, look at the pricing and the pricing models carefully as other products seem to me to become more complicated as your demand scales. It is more straightforward with Cloudflare — or at least it seems to be in comparison to other providers.