Commit 91166c3

[DDoS Protection] Flagged traffic clarification (#20145)
1 parent 5745a48 commit 91166c3

1 file changed

+15
-5
lines changed


src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx

Lines changed: 15 additions & 5 deletions
@@ -20,8 +20,6 @@ Adaptive DDoS Protection provides the following types of protection:
2020

2121
Cloudflare Adaptive DDoS Protection is available to Enterprise customers according to the following table:
2222

23-
24-
2523
| Feature | Profiling dimension | WAF/CDN<sup>1</sup> | Magic Transit /<br/>Spectrum BYOIP<sup>2</sup> |
2624
| --------------------------------- | ------------------------------------------ | :-----------------: | :--------------------------------------------: |
2725
| **HTTP Adaptive DDoS Protection** | | | |
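Review bot: this hunk (and the next one) only removes blank lines between the intro sentence, the availability table and its footnotes, which is unrelated to the "Flagged traffic clarification" named in the commit message; consider keeping whitespace-only cleanup out of a content change so the diff stays reviewable, or mention it in the message. The remaining blank line (context line 22) still separates the sentence from the table, so the Markdown table boundary is intact.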
@@ -32,8 +30,6 @@ Cloudflare Adaptive DDoS Protection is available to Enterprise customers accordi
3230
| For Protocols | IP protocol || Yes |
3331
| For Protocols | Client IP country and Region for UDP || Yes |
3432

35-
36-
3733
<sup>1</sup> _WAF/CDN customers on the Enterprise plan with the Advanced DDoS Protection subscription._<br/>
3834
<sup>2</sup> _Magic Transit and Spectrum BYOIP customers on an Enterprise plan._
3935

@@ -70,10 +66,24 @@ To view traffic flagged by L3/4 Adaptive DDoS Protection rules:
7066

7167
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
7268
2. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
73-
3. Filter by `Ruleset ID equals 3b64149bfa6e4220bbbc2bd6db589552` (the ID of the Network-layer DDoS Attack Protection managed ruleset) and by rule ID.
69+
3. Filter by rule ID.
7470

7571
You may also obtain information about flagged traffic through [Logpush](/logs/about/) or the [GraphQL API](/analytics/graphql-api/).
7672

73+
To determine if an adaptive rule fits your traffic in a way that will only mitigate attack traffic and will not cause false positives, review the traffic that is _Logged_ by the adaptive rules.
74+
75+
:::note
76+
You may not see any traffic matching the adaptive rules. This can be because there was no deviation from your traffic profile, so you may want to increase the time range and look for any _Logged_ traffic. Another reason why you may not see _Logged_ traffic by the adaptive rules is that there was not sufficient traffic volume to generate a traffic profile for your zone.
77+
:::
78+
79+
If you do see traffic that was _Logged_ by the adaptive rules, use the dashboard to determine if the traffic matches the characteristics of legitimate users or that of attack traffic. As each Internet property is unique, understanding if the traffic is legitimate requires your understanding of how your legitimate traffic looks. For example, the user agent, source country, headers, query string for HTTP requests, and protocols and ports for L3/4 traffic.
80+
81+
- In cases where you are certain that the rule is only flagging attack traffic, you should consider creating an override and enabling that rule with a [Managed Challenge](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) or `Block` action.
82+
- In cases where you see legitimate traffic being flagged, you should lower the sensitivity level of the rule and observe the flagged traffic. You can continue reducing the sensitivity level until you reach a point where legitimate traffic is not flagged. Then, you should create an override to enable the rule with a mitigation action.
83+
- If the rule is still flagging legitimate traffic you can consider using the expression filters to condition the rules to exclude certain types of traffic.
84+
85+
The default rule action for `log` with a sensitivity set to `high` will only show packets or requests with suspected attack traffic over internal `high` thresholds in your logs. For instance, if you set the threshold to `medium` or `low`, then only packets over those thresholds will be logged.
86+
7787
## Configure the rules
7888

7989
You can adjust the action and sensitivity of the Adaptive DDoS Protection rules. The default action is _Log_. Use this action to first observe what traffic is flagged before deciding on a mitigation action.
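Review bot: the rewritten step 3 (`3. Filter by rule ID.`) drops the ruleset ID `3b64149bfa6e4220bbbc2bd6db589552` without telling the reader where the adaptive rule IDs come from, so the step is now less reproducible than the line it replaces; keep a pointer to the rule IDs (or to the Network-layer DDoS Attack Protection managed ruleset) so the Network Analytics filter can actually be built. Three smaller points in the added text: the first bullet recommends a Managed Challenge, but the procedure above is scoped to traffic flagged by L3/4 rules (context line 66) and a challenge is an HTTP-layer action, so state that this option applies only to HTTP adaptive rules; "For example, the user agent, source country, headers, query string for HTTP requests, and protocols and ports for L3/4 traffic." is a sentence fragment and should be folded into the preceding sentence; and the closing paragraph uses `log` and `high` code spans where the "Configure the rules" section below uses _Log_ italics, switches from "sensitivity" to "threshold" mid-paragraph, and its second sentence ("For instance, if you set the threshold to `medium` or `low`, then only packets over those thresholds will be logged.") is a contrast with the first, not an instance of it. Suggested wording: "With the default _Log_ action and the sensitivity level set to _High_, only packets or requests above the internal high threshold appear in your logs; at _Medium_ or _Low_ sensitivity, only traffic above the corresponding threshold is logged."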
