Cloudflare integration
Updated on 25 Jun 2024
Cloudflare WAF (Web Application Firewall) helps protect applications and APIs from cybersecurity threats. Traceable integrates with Cloudflare's WAF to block IP addresses and threat actors. As part of the integration, Traceable identifies the IP addresses that have violated a rule, such as a rate-limiting rule, and communicates them to Cloudflare WAF. Once the IP addresses have been sent to Cloudflare, you can view and edit them individually in Cloudflare. Before proceeding with the Cloudflare integration, ensure that the Traceable Platform agent is installed and configured in your environment.
You can choose between an agentless deployment and an agent-based deployment. For more information on Traceable agents, see the Installation section. Traceable's integration with Cloudflare supports the following types of rules:
IP range rules
Threat actor rules
Custom signature rules
Note
Cloudflare only supports header-based and parameter-based custom signature rules in which the header key or parameter key is matched using the equals operator only.
The following is a high-level integration diagram:
The threat actor module detects malicious activities as threats. The Custom Policy Module is used to set custom policies.
Before you begin
Make sure that you have the following information before you proceed with the integration:
Authorization email — The email address you use to log in to your Cloudflare account.
Zone information — When you log in to Cloudflare, the zone information is available on the home page. For example, in the screenshot below, the zone is dc-traceable.com.
API token — If you do not already have a token, complete the following steps to create one.
Navigate to My Profile → API Tokens → Create Token, as shown in the screenshot below.
On the API Tokens page, navigate to the Custom token section to create a token for integration with Traceable.
API token permission — You only need one permission, Zone → Firewall Services → Edit, for the API token as shown in the screenshot below.
Configuration
To integrate Traceable with Cloudflare, navigate to the Integrations page. Complete the following steps:
Click on WAF.
Click on Configure on the Cloudflare card.
Enter the Description, Zone, Authorization Email, and API Token, and click on Save.
Create an IP range rule by navigating to Protection → Custom Policy in the Traceable UI. For more information on creating IP range rules, see Malicious sources in Custom policy.
After successful integration, the IP range or threat actor rules are communicated to Cloudflare to block or allow IP addresses. In your Cloudflare account, you will see the IP addresses identified by Traceable.
(Optional) Alternate threat actor flow
Traceable also provides an alternate flow to synchronize threat actors’ IP addresses to Cloudflare WAF. The new flow uses the concept of lists in Cloudflare. In the new flow, Traceable creates two lists in Cloudflare, one for IP addresses that are to be blocked and one for IP addresses that are to be allowed. With the new flow, Traceable maintains only these two lists, and IP addresses are added to or removed from these two lists only.
Important
The new flow to synchronize threat actor IP addresses to Cloudflare WAF is not available by default. If you wish to use this flow, contact Traceable’s support team at support@traceable.ai or your sales representative to enable it for you.
After enabling the new flow, you will see two lists in Cloudflare, as shown below. Click on each list to view more details.
The new flow does not support the x-forwarded-for header for threat actor-based rule IP addresses. However, the x-forwarded-for header continues to be supported for IP range rules in the new flow.
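Because the integration writes into your Cloudflare account on your behalf, it is worth being able to audit what it has put there: that the API token is still active, that the two lists exist, and that the block list and allow list do not contradict each other (an address that is blocked but also covered by an allowed range). The script below is an added example, not Traceable's or Cloudflare's own code. It uses Cloudflare's v4 API endpoints for token verification and account-level rules lists; the list names `traceable_block` and `traceable_allow` are placeholders, since this page does not state what Traceable names its lists, and the `fetch` parameter lets the same logic run offline against a constructed sample response.

```python
"""Audit the block/allow lists a WAF integration maintains in Cloudflare.

Added example; not Traceable's or Cloudflare's code. Assumptions:
  - Cloudflare API v4 endpoints /user/tokens/verify and
    /accounts/{account_id}/rules/lists[/{list_id}/items] (real endpoints).
  - BLOCK_LIST_NAME / ALLOW_LIST_NAME are placeholders, not documented names.
  - `fetch(url, headers) -> dict` is injectable so the audit runs offline.
"""
import ipaddress
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
BLOCK_LIST_NAME = "traceable_block"  # placeholder name (assumption)
ALLOW_LIST_NAME = "traceable_allow"  # placeholder name (assumption)


def http_get(url, headers):
    """Real transport: GET a Cloudflare API URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def auth_headers(token):
    # Cloudflare API tokens (as opposed to the legacy global key) use Bearer auth.
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def verify_token(token, fetch=http_get):
    """True only if Cloudflare reports the token as active."""
    data = fetch(f"{API}/user/tokens/verify", auth_headers(token))
    return bool(data.get("success")) and data.get("result", {}).get("status") == "active"


def find_lists(account_id, token, fetch=http_get):
    """Map list name -> list id for every rules list in the account."""
    data = fetch(f"{API}/accounts/{account_id}/rules/lists", auth_headers(token))
    return {item["name"]: item["id"] for item in data.get("result", [])}


def list_items(account_id, list_id, token, fetch=http_get):
    """Return the IP/CIDR entries of one list (first page; large lists page by cursor)."""
    url = f"{API}/accounts/{account_id}/rules/lists/{list_id}/items"
    data = fetch(url, auth_headers(token))
    return [item["ip"] for item in data.get("result", []) if "ip" in item]


def audit(block_entries, allow_entries):
    """Validate entries and report block/allow conflicts.

    Returns {"invalid": [...unparseable entries...],
             "conflicts": [...blocked networks that overlap an allowed one...]}.
    """
    def parse(entries):
        nets, bad = [], []
        for entry in entries:
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                bad.append(entry)
        return nets, bad

    block_nets, bad_block = parse(block_entries)
    allow_nets, bad_allow = parse(allow_entries)
    conflicts = sorted({
        str(b) for b in block_nets for a in allow_nets
        if b.version == a.version and (b.subnet_of(a) or a.subnet_of(b))
    })
    return {"invalid": bad_block + bad_allow, "conflicts": conflicts}


def run_audit(account_id, token, fetch=http_get):
    """End-to-end: verify token, locate both lists, audit their contents."""
    if not verify_token(token, fetch):
        raise RuntimeError("API token is not active")
    lists = find_lists(account_id, token, fetch)
    missing = [n for n in (BLOCK_LIST_NAME, ALLOW_LIST_NAME) if n not in lists]
    if missing:
        raise RuntimeError(f"lists not found in account: {missing}")
    block = list_items(account_id, lists[BLOCK_LIST_NAME], token, fetch)
    allow = list_items(account_id, lists[ALLOW_LIST_NAME], token, fetch)
    return audit(block, allow)


def sample_fetch(url, headers):
    """Constructed offline stand-in for the Cloudflare API (sample data, not real)."""
    assert headers["Authorization"] == "Bearer test-token"
    if url.endswith("/user/tokens/verify"):
        return {"success": True, "result": {"status": "active"}}
    if url.endswith("/rules/lists"):
        return {"success": True, "result": [{"id": "L1", "name": BLOCK_LIST_NAME},
                                            {"id": "L2", "name": ALLOW_LIST_NAME}]}
    if url.endswith("/rules/lists/L1/items"):
        return {"success": True, "result": [{"id": "i1", "ip": "203.0.113.0/24"},
                                            {"id": "i2", "ip": "198.51.100.7"},
                                            {"id": "i3", "ip": "not-an-ip"}]}
    if url.endswith("/rules/lists/L2/items"):
        return {"success": True, "result": [{"id": "i4", "ip": "198.51.100.0/24"},
                                            {"id": "i5", "ip": "192.0.2.1"}]}
    raise AssertionError(f"unexpected URL {url}")


if __name__ == "__main__":
    # Offline demo against the constructed sample; swap in http_get for a live account.
    print(run_audit("ACCOUNT_ID_PLACEHOLDER", "test-token", fetch=sample_fetch))
```

Against the constructed sample, the audit flags `not-an-ip` as invalid and reports `198.51.100.7/32` as a conflict because it falls inside the allowed `198.51.100.0/24`; whether allow or block wins in such a case is decided by the order of your Cloudflare rules, so a non-empty `conflicts` list is the cue to check that order rather than assume one outcome.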
Permissions
For the new flow to be effective, you need to update the API token permissions in Cloudflare, as shown in the screenshot below.