Understanding Cloudflare Network Analytics v1
Overview
Access to Network Analytics requires the following:
- A Cloudflare Enterprise plan
- Cloudflare Magic Transit or Spectrum
Cloudflare’s Network Analytics view provides near real-time visibility into network- and transport-layer traffic patterns and DDoS attacks. Network Analytics visualizes packet and bit-level data, the same data available via the GraphQL Analytics API.
Network Analytics accelerates reporting and investigation of malicious traffic. You can filter data by these parameters:
- Mitigation action taken by Cloudflare
- Source IP, port, ASN
- Destination IP and port
- The city and country of the Cloudflare data center where the traffic was observed
- Attack size, type, rate, and duration
- TCP flag
- IP version
- Protocol
Use Network Analytics to quickly identify key intelligence:
- Top attack vectors targeting the network
- Traffic mitigation over time, broken down by action
- Attack source, by country or data center
You can access the Network Analytics view from your Cloudflare account’s Home page.
To access the Network Analytics view, follow these steps:
- Log in to your Cloudflare account.
- If you have multiple accounts, select an account that has access to Magic Transit or Spectrum.
- On the account’s Home page, click Network Analytics.
Navigate Network Analytics
Headline summary and side panels
The headline and the side panels provide a summary of activity over the period selected in the timeframe drop-down list.
The headline provides the total packets or bits and the number of attacks detected and mitigated. When there is an attack in progress, the headline displays the maximum rate of packets (or bits) rather than the total count.
To toggle your view of the data, click the Packets or Bits side panels.
Set the timeframe for the view
Use the timeframe drop-down list to change the time range over which Network Analytics displays data. When you select a timeframe, the entire view is updated to reflect your choice.
When you select Last 30 minutes, the Network Analytics view displays the data from the last 30 minutes, refreshing every 20 seconds. A Live notification appears next to the statistic drop-down list to let you know that the view keeps updating automatically.
When you select the Custom range option, you can specify a time range of up to 30 days throughout any period during the last 365 days.
View by average rate or total volume
Choose a statistic from the drop-down list to toggle between plotting Average rate and Total count.
Show IP prefix advertisement/withdrawal events
Enable the Show annotations toggle to show or hide annotations for advertised/withdrawn IP prefix events in the Network Analytics view. Click each annotation to get more details.
Zoom into the Packets summary
Click and drag your mouse on a region of the chart to zoom in. Using this technique, you can zoom in to a time range as short as 3 minutes.
To zoom out, click the X icon in the time range selector.
Apply filters to data
You can apply multiple filters and exclusions to adjust the scope of the data displayed in Network Analytics.
Filters affect all of the data displayed in the Network Analytics page.
There are two ways to filter Network Analytics data: use the Add filter button or click one of the stat filters.
Use the Add filter button
Click the Add filter button to open the New filter popover. Specify a field, an operator, and a value to complete your filter expression. Click Apply to update the view.
When applying filters, observe these guidelines:
- Wildcards are not supported.
- You do not need to wrap values in quotes.
- When specifying an ASN, leave out the AS prefix. For example, enter 1423 instead of AS1423.
Use a stat filter
To filter based on the type of data associated with one of the Network Analytics stats, use the Filter and Exclude buttons that display when you hover your pointer over the stat.
For example, when you hover over the Allow action and click Filter, the view narrows to only traffic associated with the Allow action.
Create a Magic Firewall rule from the applied filters
You can create a Magic Firewall rule that blocks all traffic matching the selected filters in Network Analytics. The currently supported filters are:
- Destination IP
- Protocol
- Source data center
- Source IP
- TCP flags
Other types of Network Analytics filters will not be added to the new rule definition. However, you can further configure the rule in Magic Firewall.
Do the following:
1. Apply one or more filters in Network Analytics.
2. Click Create Magic Firewall rule.
The Magic Firewall rule editor opens, prepopulated with the selected filters and values.
3. Review the rule definition in the Magic Firewall rule editor.
4. Click Add new.
Supported filter fields, operators, and values
The table below shows the range of fields, operators, and values you can use to filter Network Analytics.
Field | Operators | Value |
---|---|---|
Action | Equals, Does not equal | Allow: Traffic allowed through Cloudflare’s automated DDoS protection systems. May also include traffic mitigated by Firewall Rules, flowtrackd, and L7 rules. Block: Traffic blocked by Cloudflare’s automated DDoS protection systems. Connection-tracking: Applies exclusively to L7; Magic Transit is out of scope because no conntrack runs for Magic Transit prefixes. Rate-limit: Can be applied per source IP, subnet, or any connection; the decision is made programmatically based on heuristics. Monitor: Attacks that were identified but that Cloudflare chose only to observe rather than mitigate with any rule. |
Attack ID | Equals, Does not equal | Attack number |
Attack Type | Equals, Does not equal | UDP Flood, SYN Flood, ACK Flood, RST Flood, LDAP Flood, Christmas Flood, FIN Flood, GRE Flood, ICMP Flood |
Destination IP | Equals, Does not equal | IP address |
Destination Port | Equals, Does not equal, Greater than, Greater than or equals, Less than, Less than or equals | Port number, Port range |
Destination IP range | Equals, Does not equal | IP range and mask |
IP Version | Equals, Does not equal | 4 or 6 |
Protocol | Equals, Does not equal | TCP, UDP, ICMP, GRE |
Source ASN | Equals, Does not equal | AS number, without the AS prefix |
Source Country | Equals, Does not equal | Country name |
Source data center | Equals, Does not equal | Data center location |
Source IP | Equals, Does not equal | IP address |
Source port | Equals, Does not equal, Greater than, Greater than or equals, Less than, Less than or equals | Port number, Port range |
TCP Flag | Equals, Does not equal, Contains | SYN, SYN-ACK, FIN, ACK, RST |
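The filter guidelines and the table above, turned into code as an added example (this is not Cloudflare's code and is not part of this documentation): a small validator that checks a field, operator, and value against what Network Analytics accepts and normalises the value the way the guidelines ask (no wildcards, no surrounding quotes, bare ASN without the AS prefix). The field names, operators, and enumerated values are copied from the table; the function names, the FilterError class, and the `low-high` syntax accepted for port ranges are the example's own assumptions.

```python
import ipaddress
import re

# Operators and value kinds per field, transcribed from the filter table above.
EQ_OPS = ("Equals", "Does not equal")
RANGE_OPS = EQ_OPS + ("Greater than", "Greater than or equals",
                      "Less than", "Less than or equals")

FIELDS = {
    "Action":               (EQ_OPS, "enum"),
    "Attack ID":            (EQ_OPS, "int"),
    "Attack Type":          (EQ_OPS, "enum"),
    "Destination IP":       (EQ_OPS, "ip"),
    "Destination Port":     (RANGE_OPS, "port"),
    "Destination IP range": (EQ_OPS, "cidr"),
    "IP Version":           (EQ_OPS, "enum"),
    "Protocol":             (EQ_OPS, "enum"),
    "Source ASN":           (EQ_OPS, "asn"),
    "Source Country":       (EQ_OPS, "text"),
    "Source data center":   (EQ_OPS, "text"),
    "Source IP":            (EQ_OPS, "ip"),
    "Source port":          (RANGE_OPS, "port"),
    "TCP Flag":             (EQ_OPS + ("Contains",), "enum"),
}

ENUMS = {
    "Action": {"Allow", "Block", "Connection-tracking", "Rate-limit", "Monitor"},
    "Attack Type": {"UDP Flood", "SYN Flood", "ACK Flood", "RST Flood", "LDAP Flood",
                    "Christmas Flood", "FIN Flood", "GRE Flood", "ICMP Flood"},
    "IP Version": {"4", "6"},
    "Protocol": {"TCP", "UDP", "ICMP", "GRE"},
    "TCP Flag": {"SYN", "SYN-ACK", "FIN", "ACK", "RST"},
}


class FilterError(ValueError):
    """Raised when a filter does not match what Network Analytics accepts (example's own class)."""


def _port_value(value):
    # Accept a single port or an inclusive "low-high" range (assumed syntax), both within 0-65535.
    low, _, high = value.partition("-")
    bounds = [low, high] if high else [low]
    try:
        nums = [int(b) for b in bounds]
    except ValueError:
        raise FilterError(f"port value {value!r} is not numeric") from None
    if any(not 0 <= n <= 65535 for n in nums) or nums != sorted(nums):
        raise FilterError(f"port value {value!r} is out of range")
    return "-".join(str(n) for n in nums)


def normalize_value(field, raw):
    value = str(raw).strip()
    # Guideline: values are not wrapped in quotes; tolerate them by stripping.
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    # Guideline: wildcards are not supported.
    if "*" in value:
        raise FilterError("wildcards are not supported")
    kind = FIELDS[field][1]
    if kind == "enum":
        if value not in ENUMS[field]:
            raise FilterError(f"{field}: {value!r} is not one of {sorted(ENUMS[field])}")
        return value
    if kind == "asn":
        # Guideline: leave out the AS prefix (enter 1423, not AS1423).
        value = re.sub(r"^AS", "", value, flags=re.IGNORECASE)
        if not value.isdigit():
            raise FilterError("Source ASN must be a bare number such as 1423")
        return value
    if kind == "int":
        if not value.isdigit():
            raise FilterError(f"{field} must be numeric")
        return value
    try:
        if kind == "ip":
            return str(ipaddress.ip_address(value))
        if kind == "cidr":
            # strict=False normalises a host address plus mask to its network, e.g. /24
            return str(ipaddress.ip_network(value, strict=False))
    except ValueError as exc:
        raise FilterError(f"{field}: {exc}") from None
    if kind == "port":
        return _port_value(value)
    return value  # free text: country name or data center location


def build_filter(field, operator, value):
    """Validate one filter expression and return it in normalised form."""
    if field not in FIELDS:
        raise FilterError(f"unsupported field {field!r}")
    operators, _ = FIELDS[field]
    if operator not in operators:
        raise FilterError(f"{field} does not support the operator {operator!r}")
    return {"field": field, "operator": operator, "value": normalize_value(field, value)}
```

Running the validator before a filter is applied (or before it is translated into an API query) catches the mistakes the guidelines warn about, such as an `AS` prefix or a wildcard, at the point where they are cheapest to fix.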
Select a dimension to plot
You can plot Network Analytics data along a variety of dimensions. By default, Network Analytics displays data broken down by Action.
Select one of the Summary tabs to view the data along a different dimension.
You can choose from these options:
- Action
- Attack type
- Destination IP
- Destination port
- IP version
- Protocol
- Source ASN
- Source country
- Source data center
- Source IP
- Source port
- TCP flag
Share Network Analytics filters
When you add filters and specify a time range in the Network Analytics page, the URL changes to reflect those parameters.
To share your view of the data, copy the URL and send it to other users so that they can work with the same view.
View the Activity log
The Network Analytics Activity log shows up to 500 log events in the currently selected time range, paginated at 10 results per page. (The GraphQL Analytics API does not have this limitation.)
To display event details, click the expansion widget associated with the events.
Configure columns
To configure which columns display in the Activity log, click the Edit columns button.
This is particularly useful when investigating a DDoS attack: you can select the attributes you need, such as IP addresses, max bit rate, and attack ID.
View top items
The Source Country, Source, and Destination panels display the top items in each view.
To select the number of items to display, use the drop-down list associated with the view.
To review the top data centers, select Data center from the drop-down list in the Source country view. The Source data center view replaces the Source country view.
Export log data and reports
Export activity log data
You can export up to 500 raw events from the Activity log at a time. This option is useful when you need to combine and analyze Cloudflare data with data stored in a separate system or database, such as a security information and event management system (SIEM).
To export log data, click Export.
Choose either CSV or JSON format for rendering exported data. The downloaded file name will reflect the selected time range, using this pattern:
network-analytics-attacks-[start time]-[end time].json
Export a Network Analytics report
To print or download a snapshot report from Network Analytics, click Print report. Your web browser’s print interface displays options for printing or saving as a PDF.
Limitations
Network Analytics currently has these limitations:
- Network Analytics v1 provides insights on denial of service daemon (dosd) attacks. Although it provides a timely view of the data, it does not have a complete view of all events.
- The following data sources are not available in Network Analytics v1:
- Firewall Rules (available in Network Analytics v2)
- Application layer rules
- Gatekeeper and manually applied rules
- flowtrackd (Advanced TCP protection) (available in Network Analytics v2)
- WARP traffic and Orange-clouded traffic
- Data from Cloudflare services that proxy traffic, such as CDN, is not available in Network Analytics.
Related resources
- Cloudflare Network Analytics v2
- Migrating from Network Analytics v1 to Network Analytics v2
- Cloudflare GraphQL API
- Cloudflare Analytics: a quick overview
- IANA port numbers and service names
Frequently asked questions
How long does Cloudflare retain data in the Network Analytics portal?
If you are using Network Analytics v2 (NAv2), the range of historical data you can query is 90 days.
Network Analytics v1 (NAv1) uses GraphQL nodes to roll up data into 1-minute, 1-hour, and 1-day IP flows. For example, the ipFlows1mGroups node stores data in per-minute aggregations.
To identify the range of historical data you can query in NAv1, refer to this table. Use the notOlderThan column as an indicator of retention time.
| GraphQL data node | maxDuration* | notOlderThan** | Time range selections in Network Analytics | Number of data points |
|---|---|---|---|---|
| ipFlows1mGroups | 25 hours | 30 days | 30 minutes | 30 |
| | | | 6 hours | 71 |
| | | | 12 hours | 48 |
| | | | 24 hours | 96 |
| ipFlows1dGroups | 6 months | 1 year | 1 week | 168 |
| | | | 1 month | 30 |
*maxDuration defines the time window that can be requested in one query (varies by data node).
**notOlderThan limits how far back in the record a query can search. It is indicative of how long the data stays in our database.
When working with attack logs in the dashboard, keep the following in mind:
- Attack logs are stored with start and end timestamps, packet and bit statistics for minimum, maximum, and average data rate, as well as totals, attack type, and action taken.
- Source IP addresses are considered personally identifiable information. Therefore, Cloudflare only stores them for 30 days. After 30 days, source IP addresses are discarded, and the logs are rolled up first into 1-hour groups, then 1-day groups. The 1-hour rollups are stored for 6 months. The 1-day rollups are stored for 1 year.
For more information on querying and accessing log data, refer to the GraphQL Analytics API.
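The retention table and the rollup lifecycle described above, as an added example in Python that is not Cloudflare's code and not part of this documentation: given a requested time window, it picks the finest node whose maxDuration and notOlderThan cover that window, reports whether source IPs are still retained for it, splits a longer window into 25-hour pieces so the 1-minute node can still be used, and renders a query for the chosen node. The day counts substituted for "6 months" and "1 year", the fixed EXAMPLE_NOW clock, and the GraphQL details in build_query (the datetime_geq/datetime_leq filter keys, the sum { bits packets } selection, and the $accountTag variable) are the example's assumptions, not values taken from this page.

```python
from datetime import datetime, timedelta, timezone

# Limits transcribed from the retention table above. "6 months" and "1 year"
# are approximated as 182 and 365 days (an assumption; the page gives no exact counts).
NODES = [
    # (node, maxDuration, notOlderThan)
    ("ipFlows1mGroups", timedelta(hours=25), timedelta(days=30)),
    ("ipFlows1dGroups", timedelta(days=182), timedelta(days=365)),
]
# Source IPs are discarded after 30 days (see the FAQ above).
SOURCE_IP_RETENTION = timedelta(days=30)

# Constructed "current time" so the example is deterministic.
EXAMPLE_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)


def at(days_ago, hours_ago=0, now=EXAMPLE_NOW):
    """Build a timestamp relative to the fixed clock (helper for the example)."""
    return now - timedelta(days=days_ago, hours=hours_ago)


class RetentionError(ValueError):
    """The requested window cannot be served by any node (example's own class)."""


def choose_node(start, end, now=EXAMPLE_NOW):
    """Return (node, source_ips_retained) for the finest node covering [start, end].

    A node qualifies when the window starts no earlier than notOlderThan ago
    and is no longer than maxDuration; nodes are tried finest-first.
    """
    if end <= start:
        raise RetentionError("end must be after start")
    if end > now:
        raise RetentionError("end must not be in the future")
    age = now - start
    for node, max_duration, not_older_than in NODES:
        if age <= not_older_than and end - start <= max_duration:
            return node, age <= SOURCE_IP_RETENTION
    raise RetentionError("window exceeds the retention of every node; narrow or split it")


def chunk_window(start, end, max_duration):
    """Split [start, end] into consecutive pieces no longer than max_duration.

    Issue one query per piece to keep 1-minute resolution over more than
    25 hours instead of falling back to the daily rollup.
    """
    chunks = []
    cursor = start
    while cursor < end:
        nxt = min(cursor + max_duration, end)
        chunks.append((cursor, nxt))
        cursor = nxt
    return chunks


def build_query(node, start, end, limit=1000):
    """Render a GraphQL Analytics API query for the chosen node.

    The filter keys, selection set, and $accountTag variable below are this
    example's assumptions about the schema; confirm them against the live schema.
    """
    def iso(d):
        return d.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    return (
        "query NetworkFlows($accountTag: string!) {\n"
        "  viewer {\n"
        "    accounts(filter: {accountTag: $accountTag}) {\n"
        f"      {node}(limit: {limit}, filter: {{datetime_geq: \"{iso(start)}\", "
        f"datetime_leq: \"{iso(end)}\"}}) {{\n"
        "        sum { bits packets }\n"
        "      }\n"
        "    }\n"
        "  }\n"
        "}"
    )


if __name__ == "__main__":
    start, end = at(5), at(4, 18)          # a 6-hour window, five days ago
    node, has_ips = choose_node(start, end)
    print(node, "source IPs retained:", has_ips)
    print(build_query(node, start, end))
```

The useful part for an investigation is the fall-through: a window that is too long for the 1-minute node but still within its 30-day retention can either be served by the daily rollup (coarser data) or split with chunk_window and fetched at full resolution, and in both cases the boolean tells you up front whether source IPs can still appear in the result.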
Why does Network Analytics say the destination IP is “unavailable”?
The destination IP is indicated as Unavailable when the destination IP was not included in the real-time signature generated by our DDoS protection systems.
To view the destination IP, filter by Attack ID and scroll to the Destination section in the top items lists. When you filter on a specific Attack ID, the entire Network Analytics dashboard becomes an attack report.