Cloudflare Web Application Firewall Reviews

We are using Cloudflare for two purposes. The first is for our in-house self-service platform to manage all customers, and the second is for reselling.

The integration of Cloudflare with Cloud Suite is its most valuable feature. This is where it stands out, as it can be integrated according to multiple scenarios.

The first one is the log management and reporting part. If they add logs history within the Cloudflare offering, that would be a great benefit.

There are a few features that come free with Cloudflare WAF, such as bot management. When users use it they ask for a fee. Users are not usually aware of these features in the initial phase. Users should know that these features are free for three or four months, and after that, they have to pay for them. This would help to align their expectations from the very first day.

There should be training modules that we use for our sales teams and product experts similar to Fortinet and VMware.

I have been using Cloudflare Web Application Firewall for three months.

I rate the product’s stability an eight out of ten.

Cloudflare Web Application Firewall is easy to scale. As users scale it, it integrates more features, but they may have to pay for these additional features. It is challenging to convince smaller companies that are using open-source solutions. Upon comparison, Cloudflare's features stand out over open-source solutions, but the cost element is still the factor people are most concerned about.

The technical support is good.

The initial setup of the product is simple because we have a good technical team that can manage it. We reach out to small companies if they don't have that sort of technical expertise to see if they can easily integrate it. 

Overall, I rate Cloudflare Web Application a nine out of ten.

It is used in the banking sector.

Cloudflare WAF provides protection through rules and functionalities like Cloudflare's SDRAP. Machine learning enables numerous policies that protect traffic flowing through Cloudflare's CDN and endpoints of the application. Additionally, specific protections are implemented against DDoS attacks and to block suspicious IP addresses attempting to access the sites.

Cloudflare provides numerous ready-to-use policies that can be easily enabled with minimal configuration. One such policy is WAF, which includes predefined rulesets for common threats like DDoS attacks. These policies are pre-configured for immediate use, making tuning straightforward. Adjustments may be needed for specific configurations, but the majority are ready to be deployed directly.

Support can be challenging at times. Personally, I recently had an issue with costs and contacted support—they promptly resolved my problem. However, understanding features can be more complex. While much information is freely available, for specific needs, professional support might be necessary and could pose difficulties, if there isn't an in-house engineering team. Despite this, Cloudflare facilitates easy development of custom functionalities. Alternatively, engaging with dedicated communities can also yield valuable insights with the right investment of time.

I have been using Cloudflare Web Application Firewall as an integrator for one year.

Sometimes, as a software vendor, Cloudflare needs to upgrade their software, which can encounter faults but resolve such issues.

I rate the solution's stability an eight out of ten.

The solution is scalable. I rate the solution's scalability a nine out of ten. 

It's challenging to find technical expertise, for technical issues. While there is a network for sales, finding knowledgeable technical support can be difficult.

Neutral

This level of protection is essential, whether the website is an e-commerce platform or simply a gateway for customers accessing banking services. Maintaining visibility and ensuring the site is consistently up and running are critical requirements for such services.

Integration is quite easy when migrating DNS to Cloudflare, as they manage DNS implementation. Once DNS is set up, traffic redirection to their platform is straightforward. However, it's important to manage your IP addresses carefully, possibly using additional tools or configurations to ensure they are properly protected and directed.

Cloudflare leverages AI-driven solutions, with policies set using machine learning, which forms the foundation of their AI capabilities. They offer AI functionalities for developers looking to optimize or distribute their applications, such as Workers, a serverless solution enabling application deployment without the need for dedicated machines. This setup is also AI-enabled, enhancing its capabilities

Overall, I rate the solution a nine out of ten.

I am using Cloudflare Web Application Firewall to develop web applications and mobile applications for a business belonging to the manufacturing industry which wishes to migrate its entire applications from its existing AWS system to Cloudflare.

The enterprise bundle includes a variety of features, such as a Web Application Firewall, rate limiting, CDN, DDoS protection, remote management, performance monitoring, and more. It is a really nice product.

The additional features I wish to see in the next release include rate limiting on Cloudflare Web Application Firewall and advanced DDoS protection. The current product is highly explorable and does not have many limitations. However, there are some limitations in terms of administrative privileges and the way it manages auto-alerts.

Cloudflare needs to improve its customer support for Indian customers and work on the monitoring and reporting features.

I am a reseller and a direct user. I have been working on the enterprise version of Cloudflare Web Application Firewall for the past year.

The product is stable, and we have been working with a customer who uses it for their manufacturing and connecting car applications, as well as some API-related systems. The customer was previously using AWS Web Application Firewall. However, they have now decided to switch to Cloudflare. In Cloudflare, the rate-limiting feature helps protect against attacks and mitigates brute-force attacks. The DDoS mechanism automatically defends against DDoS attacks. Cloudflare's Web Application Firewall also has 700 signatures and provides intelligence on 10 vulnerabilities. It offers IP, URI, and domain-based filtering options.

The solution is not deployed in my company, but it is used in the company of one of my customers. The customer I mentioned has around 12,000 users working on this solution. I rate the scalability a 10 out of 10.

I have experienced some difficulties with Cloudflare's support as a customer based in India. Despite the company offering 24/7 support, I feel that administrative support does not meet the expectations of its customers.

Neutral

I previously worked with an on-premise version of the F5 tool more than five years ago, and at that time, the concept of SaaS was not prevalent. Currently, the Cloudflare product is considered to be a SaaS-based product since they have CDN, which is different from my previous experience with the F5 tool. Since it has been a long time since I worked with the on-premises version, I am unable to provide a relevant comparison between the two.

I find the deployment process for Cloudflare's firewall to be very smooth. Someone with a basic understanding of networking and security will be able to implement the firewall's basic features within 15 minutes. The deployment of a new domain on Cloudflare can be completed within 15 minutes if the necessary administrative authority and support from the DNS team are available during the process. It also includes the time needed for domain registration. We are working for an ITSM organization and have multiple administrators. During the deployment phase of the solution in the organization, we have limited the number of administrators to just five to ten individuals. We also arranged a few KT sessions to help the company employees who are involved in working with this solution. As of now, they have started working on the tool.

In terms of the licensing cost perspective, it is a subscription-based pricing model. Usually, customers opt for a yearly subscription. However, I don't have a specific or exact figure on the actual cost. Cloudflare offers different types of subscriptions for businesses, enterprises, and personal users, and the pricing is negotiable. The enterprise-level subscription provides multiple options, such as the ability to enable advanced Web Application Firewall and DDoS protection. This means that customers have multiple subscription options.

To effectively use Cloudflare Web Application Firewall, it is important for a person to have an internet connection, an understanding of the internet, how the DNS works, and how websites and their administration domains function. I rate this solution a nine out of ten.

The primary use case of Cloudflare Web Application Firewall involves setting up DNS zones and implementing zero trust policies.

Cloudflare Web Application Firewall has enhanced security by effectively managing and cutting off unwanted traffic.

Some of the most valuable features of Cloudflare Web Application Firewall include its DNS zone setup and the zero trust policy.

The dashboard could be more user-friendly, and a console approach like Cloudflare CLI could enhance its usability.

We have been using Cloudflare Web Application Firewall for four years.

On a scale from one to ten, the stability of Cloudflare is a nine.

The scalability of Cloudflare is a ten out of ten.

I had to contact technical support twice, and both times, my issues were resolved satisfactorily. Therefore, I rate them a ten out of ten.

Positive

The initial setup was straightforward, taking only five minutes using Terraform.

From my perspective, the price of Cloudflare Web Application Firewall is quite affordable, rating around an eight or nine.

I highly recommend Cloudflare Web Application Firewall due to its extensive knowledge base and ease of integration with Terraform.

I'd rate the solution ten out of ten.

The main use cases for Cloudflare Web Application Firewall (WAF) are to protect organizations from attacks by bad actors and hackers. We have a process for this, where we first whitelist employees and third-party clusters to prevent attacks. 

Then, we divide WAF into three main sections: WAF Protect score, WAF score, and threat score. We also make adjustments based on the specific needs of each organization. These are the general steps at a high level. 

Cloudflare WAF is a comprehensive system with many aspects and in-depth documentation that can be tailored to specific client requirements. 

The use cases vary depending on the client, whether they are retail or banking sectors, as each has different needs and requirements. We maintain the WAF configurations based on these specific needs.

There are many incidents we handle daily. We have a large client. We implemented rate limiting and deployed a worker in correlation with the WAF to protect their API endpoints regarding pricing and inventory. 

We successfully mitigated a bot attack with that combination of measures for our customer recently. It is one of the successful mitigation.

Cloudflare is very flexible.

Cloudflare has many features, but the custom rules are the best tool. There are many fields you can use to protect an organization.

There is also a very good system in the managed toolset, with different parts. One is the Cloudflare Managed Ruleset, which protects the application from malicious signatures. 

The second is the OWASP ModSecurity Core Rule Set, which protects from the top ten vulnerabilities and zero-day attacks. 

The third is the anomaly detection checks and credential checks, which identify potential threats like leaked credentials.

There are many other important sections in Cloudflare WAF, like IP access rules, zone lockdown, and user agent blocking. 

Another important feature is rate limiting, which limits specific requests to prevent attacks like brute force attacks on URLs.

These are some of the important features of Cloudflare WAF.

Account-level features would be a very good option. Some clients want to implement the same checks on multiple zones (URLs or websites). Cloudflare recently introduced account-level features, but it's not widely used by clients yet. We are working with Cloudflare on different aspects of zone-level implementation. If account-level features are implemented for certain use cases, it would be a big improvement.

So, pushing more awareness around account-level features would be a plus.

I have been using it for three years now. 

It is a stable product. I would rate the stability a ten out of ten. 

It is a technical process, but for us, it is very easy. We have standards and internal scripts that we use for deployment. It is a very easy process on our side because we have been working on it for three years. But for new users, it might require some learning.

I would rate my experience with the initial setup a nine out of ten, with ten being very easy. Cloudflare WAF is only for public URLs, so it is only for public cloud.

Deploying the WAF itself is a click of a button, but implementing it with a company's or client's specific requirements takes time. The process varies from company to company and client to client, but implementation is very simple.

WAF doesn't directly affect bandwidth costs. It saves costs on protection. However, with the correct setup, it's difficult to determine if it saves costs overall due to the fixed enterprise plan fee. 

The caching system can save bandwidth by caching static content, but WAF itself isn't a major factor in cost savings. There are many other factors involved.

It protects public-facing URLs. That is the biggest advantage.

Overall, I would rate the solution a nine out of ten. 

We use Cloudflare Web Application Firewall for verification of applications from various domains. Also protecting the server from exposure by implementing the Proxy Server feature on front end i.e. on client's side. Also implemented both hosts based & Cloud based WAF. 

We are required to follow a specific and separate set of rules for web applications for DDoS attacks while working with AWS and Azure. Instead, there could be an option to duplicate the cluster to maintain the consistency of rules.

We have been using Cloudflare Web Application Firewall for three to four years.

I rate Cloudflare Web Application Firewall's stability a nine out of ten.

It is a scalable platform. Although it lacks some features. We have two to three users for it. I rate its scalability an eight out of ten.

The initial setup process is simple.

I implemented the product myself.

Cloudflare Web Application Firewall has certain limitations for rules. I rate it a seven out of ten.

I use Cloudflare Web Application Firewall to stop attacks on web application firewalls.

The product has improved our security posture by blocking bad actors.

The blocked logs are difficult to read at times.

I rate the solution's stability a ten out of ten.

I rate the product's scalability a ten out of ten.

I have not used technical support.

Cloudflare Web Application Firewall's deployment was easy.

The tool's ROI is pretty immediate.

We evaluated the Amazon Web Application Firewall.

I rate the product a ten out of ten.

We use the solution to protect web applications.

The solution is easy to use.

Sometimes, it is challenging to access our applications using the solution. They should work on this particular area. Also, its availability needs improvement.

We have been using the solution for two years.

We encounter stability issues regarding the solution's availability to access applications.

We have 200 solution users in our organization. We use it extensively and plan to increase the usage.

We contact our service provider for any technical issues with the solution.

The solution's deployment takes two to three days to complete.

Our service provider helps us install the solution.

The solution is expensive. We purchase a yearly based license for it.

I recommend the solution to others and rate it a six out of ten.