Cloudflare Web Application Firewall Review

A SaaS solution that is API configurable and a convenient part of a suite but needs updating of core rules


What is our primary use case?

Our primary use is as a SaaS-based firewall solution for web applications.  

What is most valuable?

The most valuable part of the solution for us overall is exactly that it is a Software-as-a-Service product. It fits our use needs because it is configurable via API.  

What needs improvement?

There is really only one area of the product that I think needs to be improved. That is that Cloudflare should update the version of the ModSecurity core rule set that they run on. They run a pretty old version of ModSecurity from 2013 and they need to update it. That is one thing I would very much like to see in a future release.  

The main issue that we have is really a decision about how the product fits our model. We use both AWS and Azure, and they have similar products. We are trying to determine whether or not we go for a cloud-native solution per the cloud provider we are using or stick with our current model and continue to use Cloudflare. Switching to AW or Azure as a lone solution means we would go with one or the other across all cloud providers to unify our WAF approach. It might simplify how we look at the maintenance of our web application firewall.  

For how long have I used the solution?

We have been using Cloudflare's web application firewall for twelve months.  

What do I think about the stability of the solution?

I am one-hundred percent convinced of the stability of the product.  

What do I think about the scalability of the solution?

I can say I am pretty confident in the scalability of Cloudflare WAF. I believe that they are the largest WAF provider on the internet at the moment. That is probably at least in part because they are pretty scalable. It is our primary WAF product at the moment.  

How are customer service and technical support?

As far as technical support, we have not really had any issues that require contacting them.  

How was the initial setup?

The initial setup of Cloudflare WAF was very easy. It is a SaaS service so it is just online and it is really only a few clicks away to get started with it. There is no physical infrastructure to bother with so that whole component of maintenance is removed.  

What's my experience with pricing, setup cost, and licensing?

There is no upfront cost for infrastructure because it is a SaaS solution. You just pay per month for the product and usage.  

Which other solutions did I evaluate?

We have evaluated other WAF (Web Application Firewall) solutions. In fact, that is what we are investigating now in taking a deeper look at the advantages of AWS and Azure. That evaluation is really part of my current job.  

At this stage, we have not really considered replacing Cloudflare as a solution with either of those specific solutions or other WAF products. The thing that differentiates Cloudflare WAF is that is it Software-as-a-Service. It is integrated tightly with all of Cloudflare's other services. That is probably the better way to look at it: it is an integrated part of a product suite and not really a separate solution.  

What other advice do I have?

My advice to people who are considering Cloudflare WAF is to check service limits of other providers. Cloudflare does not really have a lot of service limits and that makes a difference. Also, look at the pricing and the pricing models carefully as other products seem to me to become more complicated as your demand scales. It is more straightforward with Cloudflare — or at least it seems to be in comparison to other providers.  

Which deployment model are you using for this solution?

Public Cloud
**Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest