Understanding WAF managed rules (previous version)

​​ Overview

Managed rules, a feature of Cloudflare WAF (Web Application Firewall), identifies and removes suspicious activity for HTTP GET and POST requests.

Examples of malicious content Open external link that managed rules identify include: 

• Common keywords used in comment spam (XX, Rolex, Viagra, etc.), 
• cross-site scripting attacks (XSS), and 
• SQL injections (SQLi).

Managed rules are available to Pro, Business, and Enterprise plans for any subdomains proxied to Cloudflare Open external link . Control managed rules settings in Security > WAF > Managed rules. Managed rules includes three packages: 

• Cloudflare Managed Ruleset 
• Package: OWASP ModSecurity Core Rule Set
• Customer Requested Rules 

Review threats blocked via the Security Events’ Activity log available in Security > Events.

​​ Important considerations

• Managed rules introduce a limited amount of latency. 
• Changes to WAF managed rules take about 30 seconds to update globally.
• Cloudflare uses proprietary rules to filter traffic. 
• Established Websockets do not trigger managed rules for subsequent requests.
• Managed rules parse JSON responses to identify vulnerabilities targeted at APIs. JSON payload parsing is limited to 128 KB.
• Managed rules mitigate padding techniques. We recommend the following:
  1. Turn on rule 100048. This rule now protects against padding type attacks, but it is not deployed by default as it causes many false positives in customer environments. It is, however, important that customers tune their managed rules configuration. Cloudflare is working on a better long term solution.
  2. Create a firewall rule using the Expression Editor depending on the need to check headers and/or body to block larger payload (> 128 KB). Make sure to test your firewall rule in Log mode first as it could be prone to generating false positives.
     • http.request.body.truncated
     • http.request.headers.truncated
• There are a handful of managed rules that Cloudflare does not disable even if Managed rules is turned Off in the Cloudflare dashboard, such as rule IDs WP0025B, 100043A, and 100030.

​​ A note about false positives and false negatives

By default, WAF managed rules are fully managed via the Cloudflare dashboard and are compatible with most websites and web applications. However, false positives and false negatives are possible considering the immense Internet:

• False positives: Legitimate requests detected and filtered as malicious.
• False negatives: Malicious requests not filtered.

​​ Troubleshoot WAF managed rules false positives

The definition of suspicious content is subjective for each website.  For example, PHP code posted to your website is suspicious unless your website teaches how to code and requires PHP code submissions from visitors.  Therefore, such a website must disable related managed rules that interfere with normal operation.

To test for false positives, set WAF managed rules to Simulate mode, to record the response to possible attacks without challenging or blocking. Also, use the Firewall Analytics Activity log to determine which managed rules caused false positives.

If you encounter a false positive due to the  legacy WAF Open external link , there are several potential resolutions:

• Add the client’s IP addresses to the IP Access Rules Open external link allowlist: If the browser or client visits from the same IP addresses, allowing is recommended. 
• Disable the corresponding managed rule(s Open external link ): Stops blocking or challenging false positives, but reduces overall site security. A request blocked by Rule ID 981176 refers to OWASP rules. Decrease OWASP sensitivity to resolve the issue.
• Bypass WAF managed rules with a firewall rule: Create a Firewall Rule with the bypass action to deactivate WAF managed rules for a specific combination of parameters. For example, bypass managed rules for a specific URL and a specific IP address or user agent.
• (not recommended) Disable WAF managed rules for traffic to a URL:  Lowers security on the particular URL endpoint.  Configured via Page Rules Open external link .

If you encounter a false positive due to the  new WAF Open external link , there are several potential resolutions:

1. Add WAF Exception: You can define WAF exceptions in the Cloudflare dashboard or using the Rulesets API.
2. Disable the corresponding managed rule(s Open external link ): Stops blocking or challenging false positives, but reduces overall site security. A request blocked by Rule ID 949110 refers to the new OWASP rules Open external link . Decrease OWASP sensitivity to resolve the issue.

Note: If contacting Cloudflare Support Open external link to verify whether a WAF managed rule triggers as expected, provide a HAR file Open external link captured while sending the specific request of concern.

Additional guidelines are as follows:

• If one specific rule causes false positives, set rule’s Mode to Disable rather than turning Off the entire rule Group.
• For false positives with the administrator content on your website, create a Page Rule Open external link to Disable Security for the admin section of your site resources, i.e. yoursite.com/admin.

​​ Troubleshoot WAF managed rules false negatives

To identify false negatives, review the HTTP logs on your origin web server. To reduce false negatives, use the following checklist:

• Are WAF managed rules enabled in Security > WAF > Managed rules?
• Are WAF managed rules being disabled via Page Rules Open external link ?
• Not all managed rules are enabled by default, so review individual managed rule default actions.
  • For example, Cloudflare allows requests with empty user agents by default. To block requests with an empty user agent, change the rule Mode to Block
  • Another example, if you are looking to block unmitigated SQL injection attacks, make sure the relevant SQLi rules are enabled and set to Block under the Cloudflare Specials group.
• Are DNS records that serve HTTP traffic proxied through Cloudflare?
• Is a firewall rule bypassing managed rules? 
• Does an allowed country, ASN, IP range, or IP in IP access rules Open external link or firewall rules match the attack traffic?
• Is the malicious traffic directed at your origin IP addresses to bypass Cloudflare protection? Block all traffic except from Cloudflare’s IP addresses Open external link at your origin web server.

​​ Cloudflare Managed Ruleset

The Cloudflare Managed Ruleset contains security rules written and curated by Cloudflare. Click on a ruleset name under Group to reveal the rule descriptions. 

Cloudflare Specials is a Group that provides core firewall security against common attacks Open external link .   

When viewing a ruleset, Cloudflare shows default actions for each rule listed under Default mode. The Mode available for individual rules within a specific Cloudflare Managed Ruleset are:

• Default - takes the default action listed under Default mode when viewing a specific rule.
• Disable - turns off the specific rule within the group**.**
• Block - the request is discarded. 
• Interactive Challenge - the visitor receives a challenge page that requires interaction.
• Simulate - the request is allowed through but is logged in the Activity log.

Cloudflare’s WAF changelog allows customers to monitor ongoing changes to the Cloudflare Managed Ruleset.

​​ Package: OWASP ModSecurity Core Rule Set

​​ Understand Cloudflare’s OWASP package

Package: OWASP ModSecurity Core Rule Set assigns a score to each request based on how many OWASP rules trigger. Some OWASP rules have a higher sensitivity score than others. After OWASP evaluates a request, Cloudflare compares the final score to the Sensitivity configured for the domain.  If the score exceeds the Sensitivity, the request is actioned based on the Action configured within Package: OWASP ModSecurity Core Rule Set:

• Block - the request is discarded.
• Challenge - the visitor receives an interactive challenge page.
• Simulate - the request is allowed through but is logged in the Activity log.

The sensitivity score required to trigger the WAF for a specific Sensitivity is as follows:

• Low - 60 and higher
• Medium - 40 and higher
• High - 25 and higher

For Ajax requests, the following scores are applied instead:

• Low - 120 and higher
• Medium - 80 and higher
• High - 65 and higher

Review the Activity log for the final score as well as the individual triggered rules.

​​ Control Cloudflare’s OWASP package

Package: OWASP ModSecurity Core Rule Set contains several rules from the OWASP project Open external link . Cloudflare does not write or curate OWASP rules.  Click on a ruleset name under Group to reveal the rule descriptions.  Unlike the Cloudflare Managed Ruleset, specific OWASP rules are either turned On or Off.

To manage OWASP thresholds, set the Sensitivity to Low, Medium, or High under Package: OWASP ModSecurity Core Rule Set. Setting the Sensitivity to Off will disable the entire OWASP package including all its rules. Determining the appropriate Sensitivity depends on your business industry and operations. For instance, a Low setting is appropriate for:

• Certain business industries more likely to trigger the WAF, and
• large file uploads. 

Cloudflare recommends initially setting the Sensitivity to Low and reviewing for false positives before further increasing the Sensitivity.

​​ Related resources

• Security Events
• Cloudflare Firewall Rules
• Cloudflare’s WAF changelog