I don't see room for improvement to Cloudflare Web Application Firewall. One thing I don't know much about because we have a dedicated IT team for that, and I'm not involved with Cloudflare much anymore. But if I were to compare them to F5, I would like to see more features that F5 offers. F5 has an option to bring the whole infrastructure, the whole WAF and all their packages, Bot Management, and everything else on your infrastructure. You need to install certain services from their side, and then you can choose if you would like requests to hit your servers immediately or if requests need to be proxied through F5 backbone. That would be a nice addition because we have 90% of the traffic as legit traffic coming from whitelisted servers. If it comes from whitelisted servers, I don't need to go every request through the backbone; I could easily just IP whitelist everything. Then I could maybe have Bot Management on my infrastructure that drastically reduces the price of Cloudflare. I would like to see Push CDN more improved in the next release of Cloudflare Web Application Firewall. And maybe something similar to Pushpin that Fastly has, which is an option where you can push messages that then can be scaled globally over the network. From our perspective, if we have a listener that listens for stock updates, I would just need to have one processor that pushes those updates to the Cloudflare API, and then Cloudflare would broadcast that message to all listeners. Cloudflare will check the order of the message, and if you, as a customer, are not connected or have some kind of network issue, when you reconnect, you will receive the latest state and missing updates.
I don't really use the rule-based logic feature or utilize the WAF's ability to scale as a cloud-based service. I don't have specific areas that could be improved with Cloudflare Web Application Firewall. They are constantly improving and adding features to their feature set. I think they're doing a good job with DNS and as support for any domains that I create or that my clients create, it's mandatory for me to ensure they have Cloudflare as their DNS provider. I don't have anything specific that I would want in the next releases. When I go and set up a site or look at any of my sites, I discover new features they've implemented and I check them out.
I cannot say much about areas of improvement for Cloudflare Web Application Firewall because I haven't gone through deep understanding of it, as I am still learning. However, they need to improve their support because getting a response for basic requests took around 48 hours, which is too long. If I took 48 hours to answer a request at my company, it would be a tough time to see or address the issue, and it would be frustrating.
Network Architect at a computer software company with 11-50 employees
Real User
Top 20
Jan 9, 2025
The product can improve by having more multitenancy capability, which is currently not available. This improvement would enable managed service providers to implement it more effectively.
Learn what your peers think about Cloudflare Web Application Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
Managed Services Manager at Adapture Technology Group
MSP
Top 10
Jul 1, 2024
Account-level features would be a very good option. Some clients want to implement the same checks on multiple zones (URLs or websites). Cloudflare recently introduced account-level features, but it's not widely used by clients yet. We are working with Cloudflare on different aspects of zone-level implementation. If account-level features are implemented for certain use cases, it would be a big improvement. So, pushing more awareness around account-level features would be a plus.
Senior Enterprise Security Architect at HGS - Hinduja Global Solutions
Real User
Top 20
Apr 9, 2024
The solution's learning curve can still be further reduced, which presently stands at two or three months. The product has a custom rule set that users can modify and manifest as needed. The vendor can probably shorten the learning curve using cutting-edge technologies like AI. The solution provider can also work around the web applications and identify the toolset that needs to be implemented to deploy the solution in less time. The vendor has launched a SASE product that can function with Cloudflare Web Application Firewall, but many improvements are needed in terms of features, such as the web filtering feature, and CASB has not yet been added.
Cloudflare is evolving so quickly that we can't even keep up. In the past two years, they have released two major upgrades to their Web Application Firewall. However, the notification part could be improved. It's very much connected to Web Application Firewall, rate-limiting, and DDoS protection. The notification could be better configurable. Sometimes it makes too much noise. It should have better threshold handling or some setup features, which could set some thresholds because it tries to do it automatically. So, sometimes it just notifies about things that are not worth noticing and vice versa.
We are required to follow a specific and separate set of rules for web applications for DDoS attacks while working with AWS and Azure. Instead, there could be an option to duplicate the cluster to maintain the consistency of rules.
Head of Digital Transformation Department at MERUTE
Real User
Jun 14, 2023
Sometimes, it is challenging to access our applications using the solution. They should work on this particular area. Also, its availability needs improvement.
Solutions Architect at Amazure Technologies Private Limited
Reseller
Feb 7, 2023
The additional features I wish to see in the next release include rate limiting on Cloudflare Web Application Firewall and advanced DDoS protection. The current product is highly explorable and does not have many limitations. However, there are some limitations in terms of administrative privileges and the way it manages auto-alerts. Cloudflare needs to improve its customer support for Indian customers and work on the monitoring and reporting features.
Solutions Architect at Amazure Technologies Private Limited
Reseller
Sep 16, 2022
Finding vulnerabilities or attack patterns needs to evolve continuously. The landscape is changing. Accordingly, the rules have been changed. The Core Ruleset, is already managing that. It has been good at catching malicious activity so far. They just need to continue to invest in this aspect. They have some limitations with third-party integrations. For example, we can't integrate with our site. On-premises, we can't do that. You can on Azure storage, of Google Cloud, however. It works better on the cloud.
Senior Security Consultant at Reliance Industries Ltd
Real User
May 31, 2022
The accuracy of the Cloudflare Web Application Firewall could be improved by reducing the number of false-negative alerts. Signature-based detection and data loss prevention could also be improved.
Director of Platform and Information Security at Brace Software
Real User
Apr 1, 2021
Their documentation could be better. They don't have documentation that explains everything well. They have documentation for everything you're looking for, but they lack a single piece of documentation to tie everything together. As a new user or beginner, it took us a little bit of time to figure out how to put all these things in place. I wish they had easier introduction documents written to help us transition into it. It takes a little bit of effort for a new user to figure out how to do this. I have asked them for some additional features. I want to be able to quickly find out the rules that I have modified because there are thousands of rules. It took a little bit of effort to figure out which rules I have modified. A feature like that will make it easier for me to track down the changes.
Superintendent of Cloud Platforms at a manufacturing company with 1,001-5,000 employees
Real User
Aug 11, 2020
There is really only one area of the product that I think needs to be improved. That is that Cloudflare should update the version of the ModSecurity core rule set that they run on. They run a pretty old version of ModSecurity from 2013 and they need to update it. That is one thing I would very much like to see in a future release. The main issue that we have is really a decision about how the product fits our model. We use both AWS and Azure, and they have similar products. We are trying to determine whether or not we go for a cloud-native solution per the cloud provider we are using or stick with our current model and continue to use Cloudflare. Switching to AW or Azure as a lone solution means we would go with one or the other across all cloud providers to unify our WAF approach. It might simplify how we look at the maintenance of our web application firewall.
Cloudflare Web Application Firewall integrates DDoS protection, load balancing, and firewall capabilities. Its ease of use, configurability, and robust security measures make it a versatile choice for protecting web applications.Cloudflare Web Application Firewall provides a comprehensive defense against threats with advanced reporting and robust security measures. It includes DNS integration, rate limiting, and extensive rule sets, all within a SaaS model that allows API configurability....
I don't see room for improvement to Cloudflare Web Application Firewall. One thing I don't know much about because we have a dedicated IT team for that, and I'm not involved with Cloudflare much anymore. But if I were to compare them to F5, I would like to see more features that F5 offers. F5 has an option to bring the whole infrastructure, the whole WAF and all their packages, Bot Management, and everything else on your infrastructure. You need to install certain services from their side, and then you can choose if you would like requests to hit your servers immediately or if requests need to be proxied through F5 backbone. That would be a nice addition because we have 90% of the traffic as legit traffic coming from whitelisted servers. If it comes from whitelisted servers, I don't need to go every request through the backbone; I could easily just IP whitelist everything. Then I could maybe have Bot Management on my infrastructure that drastically reduces the price of Cloudflare. I would like to see Push CDN more improved in the next release of Cloudflare Web Application Firewall. And maybe something similar to Pushpin that Fastly has, which is an option where you can push messages that then can be scaled globally over the network. From our perspective, if we have a listener that listens for stock updates, I would just need to have one processor that pushes those updates to the Cloudflare API, and then Cloudflare would broadcast that message to all listeners. Cloudflare will check the order of the message, and if you, as a customer, are not connected or have some kind of network issue, when you reconnect, you will receive the latest state and missing updates.
I don't really use the rule-based logic feature or utilize the WAF's ability to scale as a cloud-based service. I don't have specific areas that could be improved with Cloudflare Web Application Firewall. They are constantly improving and adding features to their feature set. I think they're doing a good job with DNS and as support for any domains that I create or that my clients create, it's mandatory for me to ensure they have Cloudflare as their DNS provider. I don't have anything specific that I would want in the next releases. When I go and set up a site or look at any of my sites, I discover new features they've implemented and I check them out.
I cannot say much about areas of improvement for Cloudflare Web Application Firewall because I haven't gone through deep understanding of it, as I am still learning. However, they need to improve their support because getting a response for basic requests took around 48 hours, which is too long. If I took 48 hours to answer a request at my company, it would be a tough time to see or address the issue, and it would be frustrating.
The product can improve by having more multitenancy capability, which is currently not available. This improvement would enable managed service providers to implement it more effectively.
The rate limiting functionality could be enhanced, as we find it somewhat limited.
The dashboard could be more user-friendly, and a console approach like Cloudflare CLI could enhance its usability.
Account-level features would be a very good option. Some clients want to implement the same checks on multiple zones (URLs or websites). Cloudflare recently introduced account-level features, but it's not widely used by clients yet. We are working with Cloudflare on different aspects of zone-level implementation. If account-level features are implemented for certain use cases, it would be a big improvement. So, pushing more awareness around account-level features would be a plus.
The solution's learning curve can still be further reduced, which presently stands at two or three months. The product has a custom rule set that users can modify and manifest as needed. The vendor can probably shorten the learning curve using cutting-edge technologies like AI. The solution provider can also work around the web applications and identify the toolset that needs to be implemented to deploy the solution in less time. The vendor has launched a SASE product that can function with Cloudflare Web Application Firewall, but many improvements are needed in terms of features, such as the web filtering feature, and CASB has not yet been added.
The platform's control features related to real-time authentication and response time need improvement.
Cloudflare Web Application Firewall should improve visibility for a customer.
Improvements should be done according to our customer's requirements.
Cloudflare is evolving so quickly that we can't even keep up. In the past two years, they have released two major upgrades to their Web Application Firewall. However, the notification part could be improved. It's very much connected to Web Application Firewall, rate-limiting, and DDoS protection. The notification could be better configurable. Sometimes it makes too much noise. It should have better threshold handling or some setup features, which could set some thresholds because it tries to do it automatically. So, sometimes it just notifies about things that are not worth noticing and vice versa.
We are required to follow a specific and separate set of rules for web applications for DDoS attacks while working with AWS and Azure. Instead, there could be an option to duplicate the cluster to maintain the consistency of rules.
Sometimes, it is challenging to access our applications using the solution. They should work on this particular area. Also, its availability needs improvement.
The additional features I wish to see in the next release include rate limiting on Cloudflare Web Application Firewall and advanced DDoS protection. The current product is highly explorable and does not have many limitations. However, there are some limitations in terms of administrative privileges and the way it manages auto-alerts. Cloudflare needs to improve its customer support for Indian customers and work on the monitoring and reporting features.
Finding vulnerabilities or attack patterns needs to evolve continuously. The landscape is changing. Accordingly, the rules have been changed. The Core Ruleset, is already managing that. It has been good at catching malicious activity so far. They just need to continue to invest in this aspect. They have some limitations with third-party integrations. For example, we can't integrate with our site. On-premises, we can't do that. You can on Azure storage, of Google Cloud, however. It works better on the cloud.
The accuracy of the Cloudflare Web Application Firewall could be improved by reducing the number of false-negative alerts. Signature-based detection and data loss prevention could also be improved.
Their documentation could be better. They don't have documentation that explains everything well. They have documentation for everything you're looking for, but they lack a single piece of documentation to tie everything together. As a new user or beginner, it took us a little bit of time to figure out how to put all these things in place. I wish they had easier introduction documents written to help us transition into it. It takes a little bit of effort for a new user to figure out how to do this. I have asked them for some additional features. I want to be able to quickly find out the rules that I have modified because there are thousands of rules. It took a little bit of effort to figure out which rules I have modified. A feature like that will make it easier for me to track down the changes.
There is really only one area of the product that I think needs to be improved. That is that Cloudflare should update the version of the ModSecurity core rule set that they run on. They run a pretty old version of ModSecurity from 2013 and they need to update it. That is one thing I would very much like to see in a future release. The main issue that we have is really a decision about how the product fits our model. We use both AWS and Azure, and they have similar products. We are trying to determine whether or not we go for a cloud-native solution per the cloud provider we are using or stick with our current model and continue to use Cloudflare. Switching to AW or Azure as a lone solution means we would go with one or the other across all cloud providers to unify our WAF approach. It might simplify how we look at the maintenance of our web application firewall.