Cloudflare Web Application Firewall Review

A scalable multi-cloud holistic security solution with a valuable OWASP security feature


What is our primary use case?

As the name suggests, it's a web application firewall. You use it almost like a firewall in front of a web application. It helps filter out the bad traffic or the Layer 7 malicious traffic.

What is most valuable?

Cloudflare provides packaged OWASP rulesets and Cloudflared managed rulesets. Cloudflare provides weekly scheduled rule updates or emergency rule updates. Both rulesets seem very accurate, does not generate much false positives. Before the deployment, I was concerned about how many false positives I have to deal with daily. Very glad the WAF rulesets works out of box, and requires very little tuning or maintenance. 

What needs improvement?

Their documentation could be better. They don't have documentation that explains everything well. They have documentation for everything you're looking for, but they lack a single piece of documentation to tie everything together. As a new user or beginner, it took us a little bit of time to figure out how to put all these things in place. I wish they had easier introduction documents written to help us transition into it. It takes a little bit of effort for a new user to figure out how to do this.

I have asked them for some additional features. I want to be able to quickly find out the rules that I have modified because there are thousands of rules. It took a little bit of effort to figure out which rules I have modified. A feature like that will make it easier for me to track down the changes.

For how long have I used the solution?

I have been using CloudFlare WAF for a few months.

What do I think about the stability of the solution?

CloudFlare WAF is a stable solution. Once you figure out how to set it up and get it running, it's beautiful. 

What do I think about the scalability of the solution?

Scalability is wonderful. It's very easy to scale, and this is the primary reason for selecting it. After all, the software is a service. There's no problem when it comes to scaling.

How are customer service and technical support?

Tech support is solid. No issues there.

How was the initial setup?

The initial setup is a little bit tricky because of poor documentation. Their modeling steers you more towards the enterprise tier. When you pay for the enterprise tier, you can have engineers work directly with you to guide you and help you set it up. But if you just try to do it by yourself, that's when you'll face some difficulty.

What about the implementation team?

We implemented this solution by ourselves.

What's my experience with pricing, setup cost, and licensing?

We pay $210 per month for CloudFlare WAF.

What other advice do I have?

I would tell potential users that once you figured out that initial part, it's straightforward. I would suggest that they look at what they need and compare the costs and management costs. There are various WAFs out there, but it really comes down to comparing the cost and how much effort it takes to deploy it and manage them.

On a scale from one to ten, I would give CloudFlare WAF a solid eight.

Which deployment model are you using for this solution?

Public Cloud

Which version of this solution are you currently using?

Latest Version
**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More Cloudflare Web Application Firewall reviews from users
...who compared it with AWS WAF
Find out what your peers are saying about Cloudflare, Microsoft, Indusface and others in Web Application Firewall (WAF). Updated: May 2021.
509,641 professionals have used our research since 2012.
Add a Comment
Guest