We have multiple customers using the solution for a WAF. It's also a firewall. Unlike others, where you have to purchase multiple solutions, Cloudflare has everything under one solution. It handles load balancing, CDN, order routing, DDoS protection, and more under one solution.
Solutions Architect at Amazure Technologies Private Limited
Competitively priced with good support and very good reliability
Pros and Cons
- "We like that there's load balancing, firewall capabilities, DDoS protection, et cetera, all covered by Cloudflare."
- "They have some limitations with third-party integrations."
What is our primary use case?
What is most valuable?
We like that everything is covered under one solution instead of having to buy multiple solutions and put them together.
We like that there's load balancing, firewall capabilities, DDoS protection, et cetera, all covered by Cloudflare.
Cloudflare has multiple caller sites and many PoPs. Whenever a user tries to get a webpage or any application, all the pages will be scanned with the nearest location data center or on a near-based, performing locally in the data center only. Other vendors have different services in different data centers. In Cloudflare, every data center has all the services.
Currently, Cloudflare is growing. They are exploding their data centers, which is great for clients. Previously it was 25, and now it's 28 or 30.
They are good at managing rules.
The WAF is working fine.
We find the reporting to be very granular. It's quite good.
I'm happy with whatever features are currently on offer in Cloudflare.
The solution is stable.
It's scalable.
It is an easy-to-set-up solution.
Technical support has been very good.
We find the solution competitively priced.
What needs improvement?
Finding vulnerabilities or attack patterns needs to evolve continuously. The landscape is changing. Accordingly, the rules have been changed. The Core Ruleset, is already managing that. It has been good at catching malicious activity so far. They just need to continue to invest in this aspect.
They have some limitations with third-party integrations. For example, we can't integrate with our site. On-premises, we can't do that. You can on Azure storage, of Google Cloud, however. It works better on the cloud.
For how long have I used the solution?
I've been using the solution for about one year.
Buyer's Guide
Cloudflare Web Application Firewall
July 2025

Learn what your peers think about Cloudflare Web Application Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
863,776 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
The solution is scalable. It is very easy.
I'm the only person working on the solution. There's one or two of us directly on the system.
How are customer service and support?
Technical support is really good. I work on multiple products, and therefore getting a response from Cloudflare is very much appreciated. The only concern we have is with Indian support. There are some limitations to Indian support. Whenever we are planning for any deployment or PoC, the Indian customers say they're having some issues getting on a call or getting Cloudflare involved. However, support, in general, is good and usually you get a response within an hour or two.
How would you rate customer service and support?
Positive
How was the initial setup?
It's very straightforward to set up everything. In a firewall, you have to build some virtual IPs and all that stuff. However, with this, you have to just onboard your application. You have just to put out your CNAME or A records. After that, you just make some application proxies, and then you have to perform that local host testing. If you want downtime, you must make configuration changes over authority with DNS, and you can onboard your application. It's straightforward. There are not too many hurdles.
The deployment is quick. Once you do the setup, you just have to enter your records and automate the certification part and it is a half-hour process.
I'd rate it a five out of five in terms of ease of setup.
We don't require any maintenance. We just have to monitor. Whenever we are performing the login process, we are providing logs to any CS log server or any AFIM solution. That part will be taken care of by the SOC team.
What's my experience with pricing, setup cost, and licensing?
The pricing is good. We find it to be competitive. There are add-on features available as well.
I'd rate the affordability at 4.5 out of five.
What other advice do I have?
We are a system integrator for Cloudflare.
We are not on the latest update. Our last update was two or three months back.
This is a good product. It's reliable and scales well. For new users, you don't require too much expertise on Cloudflare. You just have to understand a WAF. Beyond that, it is very easy to deploy and very fast to implement.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator

SOC Analyst at Paystack Inc
Successfully prevents web application attacks, SQL injections, and cross-site scripting attacks
Pros and Cons
- "Does a good job preventing web application attacks."
- "The reporting could be more granular."
What is our primary use case?
Our use case of this solution is to secure our web applications hosted on Cloudflare. I'm a security operations analyst and we are customers of Cloudflare.
What is most valuable?
This solution does a good job of preventing web application attacks, SQL injections, and cross-site scripting attacks. We know it's doing a good job because we've tested it.
What needs improvement?
The reporting could be improved if it were more granular. Fortigate Firewall, for example, shows all the events at a glance with different fields on a table; you can scroll through for patterns and look at all events. That's not possible with CloudFlare where I need to analyze a report that summarizes all the data. It requires exporting the report as a CSV file, analyzing it in Excel, and then going into CloudFlare to carry out a deeper analysis. If I could do that high-level analysis from the web console and then drill down specific events, it would be a great feature that would improve this product.
For how long have I used the solution?
I've been using this solution for seven months.
What do I think about the stability of the solution?
The solution is stable, we haven't had any downtime.
What do I think about the scalability of the solution?
The solution is easily scalable.
Which solution did I use previously and why did I switch?
I previously used Imperva Web Application Firewall. For tracking metrics, I think CloudFlare does a better job with its graphs and the user interface. Its web console presents those metrics in an easily readable manner and it does that better than Incapsula or Imperva. I think Imperva speaks more to security, and preventing attacks and is more focused on details about the attacks. CloudFlare does more because it shows your availability metrics, traffic metrics, and security metrics. In terms of the user interface, I'd say that CloudFlare does a better job in reporting.
How was the initial setup?
There is some maintenance required when it comes to updates and we periodically have to review the rules sets which require going into the list of rules and finding those connected to that particular view and then enabling them in your environment. We have three admins working on this product. We use the solution on a daily basis.
What other advice do I have?
If you're going to be reporting heavily and want to leverage the reporting features to measure the performance of your websites, then CloudFlare does that very well.
I rate this solution eight out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Cloudflare Web Application Firewall
July 2025

Learn what your peers think about Cloudflare Web Application Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
863,776 professionals have used our research since 2012.
Senior Security Consultant at Reliance Industries Ltd
Secure, reliable, reasonably priced, and has helpful technical support
Pros and Cons
- "The Cloudflare Web Application Firewall's most valuable feature is its ease of configuration."
- "The accuracy of the Cloudflare Web Application Firewall could be improved by reducing the number of false-negative alerts."
What is our primary use case?
Cloudflare Web Application Firewall is used to protect the web servers.
What is most valuable?
The Cloudflare Web Application Firewall's most valuable feature is its ease of configuration.
What needs improvement?
The accuracy of the Cloudflare Web Application Firewall could be improved by reducing the number of false-negative alerts.
Signature-based detection and data loss prevention could also be improved.
For how long have I used the solution?
I have been working with Cloudflare Web Application Firewall for one year.
What do I think about the stability of the solution?
Cloudflare Web Application Firewall is a stable solution.
What do I think about the scalability of the solution?
I am not familiar with the scalability of this solution,
We have 20 people in our organization who are using this solution.
How are customer service and support?
I have not had any issues with the technical support of the Cloudflare Web Application Firewall.
Local support is available.
How was the initial setup?
The initial setup is straightforward, it is easy.
It took four hours to deploy this solution.
What's my experience with pricing, setup cost, and licensing?
It is less expensive than its competitors.
The annual licensing fee is $10,000 USD.
What other advice do I have?
I have not had any issues with this solution, and I would recommend it to others who are interested in using it.
I would rate Cloudflare Web Application Firewall a nine out of ten.
We are partners with Cisco.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
Senior Cloud Solution Architect at Integrated Technology Solution Group (ITSG)
Has a valuable security control functionality, but real-time authentication and response time need improvement
Pros and Cons
- "The product has a valuable security control functionality."
- "The platform's control features related to real-time authentication and response time need improvement."
What is our primary use case?
The primary use case for Cloudflare Web Application Firewall involves comprehensive security functionality across various access protocols. The system acts as a gateway, managing authentication, authorization pass-through, and traffic routing based on regional considerations. It encompasses web component modules and a reverse web application firewall, allowing secure authorization and authentication processes based on particular application sets.
What is most valuable?
The product has a valuable security control functionality. It monitors authorization processes to identify and address potential errors. We can view different components and prerequisites simultaneously, including time stamps, peak time, load time, etc. We only have to ensure that we have scaled all the authentication measures as per requirements.
What needs improvement?
The platform's control features related to real-time authentication and response time need improvement.
What other advice do I have?
I rate Cloudflare Web Application Firewall a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chief Information Officer at F.P. eSafe Solutions LTD
Reasonably priced with a straightforward setup and the ability to scale
Pros and Cons
- "Technical support has a very fast response time and they are helpful."
- "It would be ideal if the solution offered better log integration and more integration with different platforms."
What is our primary use case?
We primarily use the solution as an application firewall.
What is most valuable?
In general, it's a very good product.
The solution is very stable. The performance is great.
The product offers very good scalability.
The pricing is very reasonable.
The installation is very straightforward. It's quite simple.
Technical support has a very fast response time and they are helpful.
We never had any issues with the analytics, dashboards, or monitoring.
What needs improvement?
I can't recall dealing with features that were not sufficient. It's very good.
It would be ideal if the solution offered better log integration and more integration with different platforms.
For how long have I used the solution?
I've been using the solution for about a year and a half at this point. It's been a while.
What do I think about the stability of the solution?
The performance of the solution is very good. It's very stable. The product doesn't crash or freeze. There are no bugs or glitches. It's reliable.
What do I think about the scalability of the solution?
The solution can scale quite well. If a company needs to expand the product, it can do so with relative ease.
I am unsure as to if the company plans to increase usage, as I used it primarily at my previous organization. I've since moved on.
How are customer service and technical support?
Technical support is very good. They are very helpful and responsive. We've been quite satisfied with the level of support they provide to our organization.
How was the initial setup?
The initial setup is very straightforward. It's not complex or overly difficult. We found it quite simple to execute. A company should be able to handle the process easily.
We only required two individuals for deployment and maintenance. They were a manager and an admin.
What's my experience with pricing, setup cost, and licensing?
I'm pretty satisfied with the solution in terms of the pricing. It's reasonable. I have no complaints.
Which other solutions did I evaluate?
Before the organizations chose this solution, it's my understanding that it did not evaluate any other options.
What other advice do I have?
We always have the latest version of the solution. As a cloud deployment, it's always updating to the latest version.
We're a Cloudflare partner.
I'd rate the product at a nine out of ten overall. We've been quite pleased with the overall capabilities of the solution.
I would recommend the solution to other users and companies.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
A scalable multi-cloud holistic security solution with a valuable OWASP security feature
Pros and Cons
- "The security features are valuable. The particular feature we use is called OWASP."
- "Their documentation could be better. They don't have documentation that explains everything well. They have documentation for everything you're looking for, but they lack a single piece of documentation to tie everything together. As a new user or beginner, it took us a little bit of time to figure out how to put all these things in place."
What is our primary use case?
As the name suggests, it's a web application firewall. You use it almost like a firewall in front of a web application. It helps filter out the bad traffic or the Layer 7 malicious traffic.
What is most valuable?
Cloudflare provides packaged OWASP rulesets and Cloudflared managed rulesets. Cloudflare provides weekly scheduled rule updates or emergency rule updates. Both rulesets seem very accurate, does not generate much false positives. Before the deployment, I was concerned about how many false positives I have to deal with daily. Very glad the WAF rulesets works out of box, and requires very little tuning or maintenance.
What needs improvement?
Their documentation could be better. They don't have documentation that explains everything well. They have documentation for everything you're looking for, but they lack a single piece of documentation to tie everything together. As a new user or beginner, it took us a little bit of time to figure out how to put all these things in place. I wish they had easier introduction documents written to help us transition into it. It takes a little bit of effort for a new user to figure out how to do this.
I have asked them for some additional features. I want to be able to quickly find out the rules that I have modified because there are thousands of rules. It took a little bit of effort to figure out which rules I have modified. A feature like that will make it easier for me to track down the changes.
For how long have I used the solution?
I have been using CloudFlare WAF for a few months.
What do I think about the stability of the solution?
CloudFlare WAF is a stable solution. Once you figure out how to set it up and get it running, it's beautiful.
What do I think about the scalability of the solution?
Scalability is wonderful. It's very easy to scale, and this is the primary reason for selecting it. After all, the software is a service. There's no problem when it comes to scaling.
How are customer service and technical support?
Tech support is solid. No issues there.
How was the initial setup?
The initial setup is a little bit tricky because of poor documentation. Their modeling steers you more towards the enterprise tier. When you pay for the enterprise tier, you can have engineers work directly with you to guide you and help you set it up. But if you just try to do it by yourself, that's when you'll face some difficulty.
What about the implementation team?
We implemented this solution by ourselves.
What's my experience with pricing, setup cost, and licensing?
We pay $210 per month for CloudFlare WAF.
What other advice do I have?
I would tell potential users that once you figured out that initial part, it's straightforward. I would suggest that they look at what they need and compare the costs and management costs. There are various WAFs out there, but it really comes down to comparing the cost and how much effort it takes to deploy it and manage them.
On a scale from one to ten, I would give CloudFlare WAF a solid eight.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Superintendent of Cloud Platforms at a manufacturing company with 1,001-5,000 employees
A SaaS solution that is API configurable and a convenient part of a suite but needs updating of core rules
Pros and Cons
- "It is configurable via API."
- "It is a SaaS solution unlike much of the competition."
- "The ModSecurity core rules need to be updated."
What is our primary use case?
Our primary use is as a SaaS-based firewall solution for web applications.
What is most valuable?
The most valuable part of the solution for us overall is exactly that it is a Software-as-a-Service product. It fits our use needs because it is configurable via API.
What needs improvement?
There is really only one area of the product that I think needs to be improved. That is that Cloudflare should update the version of the ModSecurity core rule set that they run on. They run a pretty old version of ModSecurity from 2013 and they need to update it. That is one thing I would very much like to see in a future release.
The main issue that we have is really a decision about how the product fits our model. We use both AWS and Azure, and they have similar products. We are trying to determine whether or not we go for a cloud-native solution per the cloud provider we are using or stick with our current model and continue to use Cloudflare. Switching to AW or Azure as a lone solution means we would go with one or the other across all cloud providers to unify our WAF approach. It might simplify how we look at the maintenance of our web application firewall.
For how long have I used the solution?
We have been using Cloudflare's web application firewall for twelve months.
What do I think about the stability of the solution?
I am one-hundred percent convinced of the stability of the product.
What do I think about the scalability of the solution?
I can say I am pretty confident in the scalability of Cloudflare WAF. I believe that they are the largest WAF provider on the internet at the moment. That is probably at least in part because they are pretty scalable. It is our primary WAF product at the moment.
How are customer service and technical support?
As far as technical support, we have not really had any issues that require contacting them.
How was the initial setup?
The initial setup of Cloudflare WAF was very easy. It is a SaaS service so it is just online and it is really only a few clicks away to get started with it. There is no physical infrastructure to bother with so that whole component of maintenance is removed.
What's my experience with pricing, setup cost, and licensing?
There is no upfront cost for infrastructure because it is a SaaS solution. You just pay per month for the product and usage.
Which other solutions did I evaluate?
We have evaluated other WAF (Web Application Firewall) solutions. In fact, that is what we are investigating now in taking a deeper look at the advantages of AWS and Azure. That evaluation is really part of my current job.
At this stage, we have not really considered replacing Cloudflare as a solution with either of those specific solutions or other WAF products. The thing that differentiates Cloudflare WAF is that is it Software-as-a-Service. It is integrated tightly with all of Cloudflare's other services. That is probably the better way to look at it: it is an integrated part of a product suite and not really a separate solution.
What other advice do I have?
My advice to people who are considering Cloudflare WAF is to check service limits of other providers. Cloudflare does not really have a lot of service limits and that makes a difference. Also, look at the pricing and the pricing models carefully as other products seem to me to become more complicated as your demand scales. It is more straightforward with Cloudflare — or at least it seems to be in comparison to other providers.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
CTO at a tech services company with 51-200 employees
A highly scalable solution that has good caching feature
Pros and Cons
- "Caching is the most valuable feature of Cloudflare Web Application Firewall."
- "Cloudflare Web Application Firewall should improve visibility for a customer."
What is most valuable?
Caching is the most valuable feature of Cloudflare Web Application Firewall.
What needs improvement?
Cloudflare Web Application Firewall should improve visibility for a customer.
For how long have I used the solution?
I have been using Cloudflare Web Application Firewall for five years.
What do I think about the scalability of the solution?
Cloudflare Web Application Firewall is a scalable solution. More than 10,000 retail solutions and more than 50,000 online customers are using the solution in our company.
How are customer service and support?
The solution's customer support is really bad. When you have some issue, you will never get an answer from customer support.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
We previously worked with F5 on-premises.
What's my experience with pricing, setup cost, and licensing?
The solution's pricing option needs to be more transparent for enterprise clients.
What other advice do I have?
I am using the latest version of Cloudflare Web Application Firewall. Cloudflare Web Application Firewall is deployed on the cloud in our organization.
Overall, I rate Cloudflare Web Application Firewall a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Buyer's Guide
Download our free Cloudflare Web Application Firewall Report and get advice and tips from experienced pros
sharing their opinions.
Updated: July 2025
Product Categories
Web Application Firewall (WAF)Popular Comparisons
Prisma Cloud by Palo Alto Networks
Microsoft Azure Application Gateway
Azure Front Door
F5 Advanced WAF
Fortinet FortiWeb
Imperva Web Application Firewall
Akamai App and API Protector
Azure Web Application Firewall
Radware Alteon
NGINX App Protect
Radware Cloud WAF Service
Check Point CloudGuard WAF
Buyer's Guide
Download our free Cloudflare Web Application Firewall Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Which lesser known firewall product has the best chance at unseating the market leaders?
- Which WAF solution would you recommend to cater to 100 to 125 concurrent sessions?
- What do you recommend for a securing Web Application?
- Fortinet vs Sophos? Help choose a NGFW solution that can replace Microsoft TMG.
- Imperva WAF vs. Barracuda: Which One is Better?
- F5 vs. Imperva WAF?
- When should companies use SSL Inspection?
- NGFW with URL Filtering vs Web Proxy
- How does a WAF help to protect against DDoS attacks?
- What's right for me? Fortinet or Citrix?