What needs improvement with Cloudflare Web Application Firewall?

The dashboard could be more user-friendly, and a console approach like Cloudflare CLI could enhance its usability.

Account-level features would be a very good option. Some clients want to implement the same checks on multiple zones (URLs or websites). Cloudflare recently introduced account-level features, but it's not widely used by clients yet. We are working with Cloudflare on different aspects of zone-level implementation. If account-level features are implemented for certain use cases, it would be a big improvement. So, pushing more awareness around account-level features would be a plus.

The solution's learning curve can still be further reduced, which presently stands at two or three months. The product has a custom rule set that users can modify and manifest as needed. The vendor can probably shorten the learning curve using cutting-edge technologies like AI. The solution provider can also work around the web applications and identify the toolset that needs to be implemented to deploy the solution in less time. The vendor has launched a SASE product that can function with Cloudflare Web Application Firewall, but many improvements are needed in terms of features, such as the web filtering feature, and CASB has not yet been added.

The platform's control features related to real-time authentication and response time need improvement.

Cloudflare Web Application Firewall should improve visibility for a customer.

Improvements should be done according to our customer's requirements.

Cloudflare is evolving so quickly that we can't even keep up. In the past two years, they have released two major upgrades to their Web Application Firewall. However, the notification part could be improved. It's very much connected to Web Application Firewall, rate-limiting, and DDoS protection. The notification could be better configurable. Sometimes it makes too much noise. It should have better threshold handling or some setup features, which could set some thresholds because it tries to do it automatically. So, sometimes it just notifies about things that are not worth noticing and vice versa.

We are required to follow a specific and separate set of rules for web applications for DDoS attacks while working with AWS and Azure. Instead, there could be an option to duplicate the cluster to maintain the consistency of rules.

Sometimes, it is challenging to access our applications using the solution. They should work on this particular area. Also, its availability needs improvement.

The additional features I wish to see in the next release include rate limiting on Cloudflare Web Application Firewall and advanced DDoS protection. The current product is highly explorable and does not have many limitations. However, there are some limitations in terms of administrative privileges and the way it manages auto-alerts. Cloudflare needs to improve its customer support for Indian customers and work on the monitoring and reporting features.

Finding vulnerabilities or attack patterns needs to evolve continuously. The landscape is changing. Accordingly, the rules have been changed. The Core Ruleset, is already managing that. It has been good at catching malicious activity so far. They just need to continue to invest in this aspect. They have some limitations with third-party integrations. For example, we can't integrate with our site. On-premises, we can't do that. You can on Azure storage, of Google Cloud, however. It works better on the cloud.

The accuracy of the Cloudflare Web Application Firewall could be improved by reducing the number of false-negative alerts. Signature-based detection and data loss prevention could also be improved.

Their documentation could be better. They don't have documentation that explains everything well. They have documentation for everything you're looking for, but they lack a single piece of documentation to tie everything together. As a new user or beginner, it took us a little bit of time to figure out how to put all these things in place. I wish they had easier introduction documents written to help us transition into it. It takes a little bit of effort for a new user to figure out how to do this. I have asked them for some additional features. I want to be able to quickly find out the rules that I have modified because there are thousands of rules. It took a little bit of effort to figure out which rules I have modified. A feature like that will make it easier for me to track down the changes.

There is really only one area of the product that I think needs to be improved. That is that Cloudflare should update the version of the ModSecurity core rule set that they run on. They run a pretty old version of ModSecurity from 2013 and they need to update it. That is one thing I would very much like to see in a future release. The main issue that we have is really a decision about how the product fits our model. We use both AWS and Azure, and they have similar products. We are trying to determine whether or not we go for a cloud-native solution per the cloud provider we are using or stick with our current model and continue to use Cloudflare. Switching to AW or Azure as a lone solution means we would go with one or the other across all cloud providers to unify our WAF approach. It might simplify how we look at the maintenance of our web application firewall.