Skip to main content

Cloudflare WAF

Download With Dependencies

Use Cloudflare WAF to manage firewall rules, filters, and IP-lists.

Cloudflare WAF Pack

Use Cloudflare WAF to manage firewall rules, filters, and IP-lists.

What does this pack do?

  • Create, update, delete or retrieve a new firewall rule.
  • Create, update, delete or retrieve a new filter.
  • Create, delete or retrieve a new IP-list.
  • Create, Replace, delete or retrieve a new IP-list items.
  • Retrieve all zones in account.
  • Run a pipeline.

This pack contains an integration, whose main purpose is to manage firewall rules in Cloudflare Services.

In addition, this pack includes XSIAM content.

Cloudflare WAF Pack

Use Cloudflare WAF to manage firewall rules, filters, and IP-lists.

What does this pack do?

  • Create, update, delete or retrieve a new firewall rule.
  • Create, update, delete or retrieve a new filter.
  • Create, delete or retrieve a new IP-list.
  • Create, Replace, delete or retrieve a new IP-list items.
  • Retrieve all zones in account.
  • Run a pipeline.

This pack contains an integration, whose main purpose is to manage firewall rules in Cloudflare Services.

In addition, this pack includes XSIAM content.

Collect Events from Cloudflare WAF (XSIAM)

We currently support the retrieval of events from Cloudflare WAF by using an HTTP Log Collector, and Cloudflare waf logpush v2.

On XSIAM:

  1. Navigate to Settings -> Data Sources -> Add Data Source -> Custom - HTTP based Collector.
  2. Click Connect Another Instance.
  3. Set the Name and Compression and then set:
    • Name as Cloudflare
    • Compression gzip
    • Log Format as JSON
    • Vendor as cloudflare
    • Product as waf
  4. Creating a new HTTP Log Collector allows you to generate a unique token. Save it since it will be used later.
  5. Click the 3 dots next to the newly created instance and copy the API URL. It will also be used later.

On Cloudflare:

In order to configure the logpush on the Cloudflare side, read this documentation.

Guidelines:

  1. For the destination_conf, use the API URL (copied in step 5 on the XSIAM side) and the newly created token (copied in step 4 on the XSIAM side) to create a value in the following format: "{XSIAM API URL}?header_Authorization=Basic%20{XSIAM API Token}".
  2. Important:
    Make sure to specify under logpull_options in the Logpush API configuration the string EdgeEndTimestamp&timestamps=rfc3339.
    This is in order to send this time field as a timestamp string, which will be used as the time of the event.
    In addition, make sure to set the timezone of the logs to UTC (UTC+0).

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedJune 14, 2022
Last ReleaseMay 9, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.