[Magic Firewall] Restructure IA (#26096)

* [Magic Firewall] Restructure IA

* Adding more files

* Add enable managed rules + fix links

* Add remaining pages

* Fix ordering

* Add packet filtering + fix broken link

Author: Maddy-Cloudflare

src/content/changelog/magic-firewall/2024-10-02-custom-rule-search.mdx

@@ -15,4 +15,4 @@ The Magic Firewall dashboard now allows you to search custom rules using the rul
 
 Additionally, the rule ID URL link has been added to Network Analytics.
 
-For more details about rules, refer to [Add rules](/magic-firewall/how-to/add-rules/).
+For more details about rules, refer to [Add rules](/cloudflare-one/traffic-policies/packet-filtering/add-rules/).

src/content/docs/cloudflare-one/changelog/magic-firewall.mdx

@@ -0,0 +1,22 @@
+---
+pcx_content_type: changelog
+title: Magic Firewall
+---
+
+import { ProductChangelog } from "~/components";
+
+{/* <!-- Actual content lives in /src/content/changelog/magic-firewall/. Update the file there for new entries to appear here. For more details, refer to https://developers.cloudflare.com/style-guide/documentation-content-strategy/content-types/changelog/#yaml-file --> */}
+
+<ProductChangelog product="magic-firewall" hideEntry="2024-06-16-cloudflare-one"/>
+
+## 2024-09-12
+
+**New UI improvements**
+
+The dashboard now displays the order number of custom rules, and improved drag and drop functionality. You can also preview rules on a side panel without leaving the current page.
+
+## 2024-08-16
+
+**Magic Firewall Analytics Rule Log Enhancement**
+
+Customers who create a rule in a disabled mode will see the rule as **Log (rule disabled)**.

src/content/docs/cloudflare-one/insights/logs/filter-views.mdx

@@ -0,0 +1,97 @@
+---
+title: Filter different views
+pcx_content_type: how-to
+
+---
+
+You can utilize different [Log filters](/logs/logpush/logpush-job/filters/) to only view specific data from Magic Firewall.
+
+## Filter by enabled or disabled rules
+
+Use the filter examples below to filter your Magic Firewall traffic to display events for enabled or disabled rules.
+
+The example below only displays fields relevant to Magic Firewall, and the filter only displays events for disabled rules.
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{
+  ...
+  "output_options": {
+      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
+  },
+  "filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"pass\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"drop\"}]}]}}"
+}'
+```
+
+The example below only displays fields relevant to Magic Firewall, and the filter only displays events for enabled rules.
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{
+  ...
+  "output_options": {
+      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
+  },
+  "filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"or\":[{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"drop\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"pass\"}]}]}]}}"
+}'
+```
+
+## Filter by allowed or blocked traffic
+
+Use the filter examples below to filter your Magic Firewall traffic to display events for allowed or blocked traffic.
+
+The example below only displays fields relevant to Magic Firewall, and the filter only displays events where no explicit action was taken, for example, a packet "fell through" Magic Firewall. This example does not have any rules applied.
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{
+  ...
+  "output_options": {
+      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
+  },
+  "filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"eq\",\"value\":\"\"}]}}"
+}'
+```
+
+The example below only displays fields relevant to Magic Firewall, and the filter only displays events where explicit action was taken. The example includes both enabled and disabled Magic Firewall rules.
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{
+  ...
+  "output_options": {
+      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
+  },
+  "filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"}]}}"
+}'
+```
+
+## Filter by relevant fields to Magic Firewall
+
+Use the examples below to filter out fields that are not relevant to traffic flowing through Magic Firewall. The example below only includes Magic Firewall events.
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{
+  ...
+  "output_options": {
+      "field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
+  },
+  "filter": "{\"where\":{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"}}"
+}'
+```

src/content/docs/cloudflare-one/insights/logs/use-logpush-with-ids.mdx

@@ -0,0 +1,21 @@
+---
+title: Use Logpush with IDS
+pcx_content_type: concept
+
+---
+
+You can use Logpush with Magic Firewall IDS to log detected risks:
+
+1. Consult the [Logpush Destination docs](/logs/logpush/logpush-job/api-configuration/#destination) to learn about what destinations Logpush supports. The documentation will also instruct you on how to correctly format the destination URL for Logpush.
+
+2. Follow the [Manage Lopush with cURL](/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job.
+
+## Notes on using Logpush with IDS
+
+* Magic IDS is an account-scoped dataset. This means the string `/zone/<ZONE_ID>` in the Cloudflare API URLs in the tutorial should be replaced with `/account/<ACCOUNT_ID>`.
+
+* Consult the [Magic IDS Detection fields doc](/logs/logpush/logpush-job/datasets/account/magic_ids_detections/) to know what fields you want configured for the job.
+
+* When creating the Logpush job, the dataset field should equal `magic_ids_detections`.
+
+* Timestamps by default are unixnano. Consult the [Logpush Options docs](/logs/logpush/logpush-job/api-configuration/#options) to learn what format you can choose that will be compatible with your destination and/or expectations. Note that all options must be added *after* all fields you want from the Logpush job, akin to URL parameters.

src/content/docs/cloudflare-one/insights/network-visibility/diagnostics/buckets.mdx

@@ -0,0 +1,219 @@
+---
+title: Buckets
+pcx_content_type: how-to
+sidebar:
+  order: 3
+---
+
+import { GlossaryTooltip, TabItem, Tabs, DashButton } from "~/components";
+
+Before you can begin a full <GlossaryTooltip term="data packet">packet</GlossaryTooltip> capture, you must first configure a bucket that Cloudflare can use to upload your files. Setting up a bucket is not required for sample packet captures.
+
+You can configure an Amazon S3 or Google Cloud Platform bucket to use as a target. You can also [use R2](#r2) as a target using the API.
+
+## Set up a bucket
+
+Learn how to set up a bucket for use with full packet captures.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. In the [Cloudflare One](https://one.dash.cloudflare.com) dashboard, go to **Network visibility** > **Diagnostics**.
+2. Select the **Buckets** tab > **Add a bucket**.
+3. Select a bucket service and select **Next**.
+4. Enter the information related to your bucket for your service provider.
+5. When you are done, select **Next**.
+
+The **Prove ownership** step of the **Bucket configuration** displays.
+
+</TabItem> <TabItem label="API">
+
+Before you can begin using a bucket, you must first enable destinations.
+
+Refer to the [Amazon S3](/logs/logpush/logpush-job/enable-destinations/aws-s3/#create-and-get-access-to-an-s3-bucket) or [Google Cloud Storage](/logs/logpush/logpush-job/enable-destinations/google-cloud-storage/#create-and-get-access-to-a-gcs-bucket) documentation and follow the steps for those specific services.
+
+</TabItem> </Tabs>
+
+Next, validate the bucket and confirm ownership.
+
+## Validate a bucket
+
+After the initial bucket set up, you need to confirm you own the bucket via an ownership challenge. After you validate your bucket, you can begin using it to collect full packet captures.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. From the **Prove ownership** step of the **Bucket configuration**, locate the **Ownership token** field.
+2. In the **Ownership token** field, enter the ownership token for your service provider.
+3. When you are done, select **Create**. The **Packet captures** page displays.
+
+The **Buckets** tab displays a list of the buckets associated with your account. Refer to the **Status** column to see the status of your bucket configuration.
+
+</TabItem> <TabItem label="API">
+
+The `bucket` field should be the URI of the bucket. For Amazon S3, the `bucket` field is in the form `s3://<bucket-name>/<directory>?region=<bucket-region>`, and for Google Cloud Storage the form is `gs://<bucket-name>/<directory>`.
+
+```bash title="Ownership challenge request example"
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{
+  "destination_conf": "'${bucket}'"
+}'
+```
+
+The response has a `"filename"` parameter which contains the content of the `ownership-challenge` text. Find the file in your bucket and copy the contents of the file.
+
+```json title="Ownership challenge response example"
+{
+	"result": {
+		"id": "cc20c2d6c62e11ecbe646b173af3b6b9",
+		"status": "pending",
+		"submitted": "2022-04-22T18:54:13.397413Z",
+		"validated": "",
+		"destination_conf": "gs://bucket-test", // Ensure you use a bucket that you created and registered in the Cloudflare dashboard.
+		"filename": "ownership-challenge-1234.txt"
+	},
+	"success": true,
+	"errors": [],
+	"messages": []
+}
+```
+
+Validate the bucket by inserting the copied text in the `ownership_text` below:
+
+```bash title="Bucket validation example"
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership/validate \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{
+  "destination_conf": "'${bucket}'",
+  "ownership_challenge": "'${ownership_text}'"
+}'
+```
+
+```json title="Bucket validation response"
+{
+	"result": {
+		"id": "cc20c2d6c62e11ecbe646b173af3b6b9",
+		"status": "success",
+		"submitted": "2022-04-22T18:54:13.397413Z",
+		"validated": "2022-04-27T14:54:46.440548Z",
+		"destination_conf": "gs://<bucket-name>", // Ensure you use a bucket that you created and registered in the Cloudflare dashboard
+		"filename": "ownership-challenge-1234.txt"
+	},
+	"success": true,
+	"errors": [],
+	"messages": []
+}
+```
+
+If the `status` shows `success`, the bucket is configured and ready to use.
+
+</TabItem> </Tabs>
+
+The bucket status displays one of the following options:
+
+- **Success:** The bucket is fully verified and ready to use.
+- **Pending:** The challenge response was initiated but is pending verification. Bucket verification can take five to ten minutes to finish processing.
+- **Failed:** The bucket could not be validated. If this occurs, verify your ownership information.
+
+## List configured buckets
+
+View a list of all buckets configured on your account.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. In the Cloudflare One dashboard, go to the **Packet captures** page in Magic Transit or Magic WAN.
+
+	To set up a packet capture in Magic Transit: <DashButton url="/?to=/:account/magic-transit/packet-captures/captures" />
+
+	To set up a packet capture in Magic WAN: <DashButton url="/?to=/:account/magic-wan/packet-captures/captures" />
+2. In **Packet captures**, select **Start a capture**.
+3. Select the **Buckets** tab.
+
+The list of buckets associated with your account displays.
+
+</TabItem> <TabItem label="API">
+
+```bash title="Bucket list request example"
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>"
+```
+
+```json title="Bucket list response example"
+{
+	"result": [
+		{
+			"id": "9a993aa6c58711ec89d3037647342e63",
+			"status": "success",
+			"submitted": "2022-04-26T16:58:24.550762Z",
+			"validated": "2022-04-26T17:01:18.426458Z",
+			"destination_conf": "s3://test-bucket?region=us-east-1",
+			"filename": "ownership-challenge-1234.txt"
+		}
+	],
+	"success": true,
+	"errors": [],
+	"messages": []
+}
+```
+
+</TabItem> </Tabs>
+
+To learn how to collect packet captures, refer to [Collect packet captures](/magic-firewall/packet-captures/collect-pcaps/).
+
+## R2
+
+To start collecting packet captures with R2, you first need to configure it properly. For all the required details, refer to the [Cloudflare R2](/r2/) documentation.
+
+### Create bucket and API token
+
+1. In the Cloudflare One dashboard, go to the **R2** page.
+
+	<DashButton url="/?to=/:account/r2/overview" />
+
+2. Select **Create bucket**.
+3. Give your bucket a name > **Create bucket**.
+4. Go to the R2 Overview page, and select **Manage R2 API Tokens**.
+5. Select **Create API Token**.
+6. In **Permissions**, choose **Object Read & Write**. Make sure you also select **Apply to specific buckets only**, and select the bucket you have created for PCAPs from the drop-down menu.
+7. Select **Create API Token**.
+8. Make sure you copy the **Secret Access Key** and **Access Key ID** values, as you will need them for the next step.
+
+### Create initial request
+
+Create your initial request to R2:
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
+--header "X-Auth-Email: <EMAIL>" \
+--header "X-Auth-Key: <API_KEY>" \
+--header "Content-Type: application/json" \
+--data '{
+  "destination_conf": "r2://<BUCKET_NAME>?account-id=<ACCOUNT_ID>&access-key-id=<R2_ACCESS_KEY_ID>&secret-access-key=<R2_SECRET_ACCESS_KEY>"
+}'
+```
+
+The [response](/api/resources/magic_transit/subresources/pcaps/subresources/ownership/methods/create/) has a `"filename"` parameter with the name of a file that Cloudflare wrote to your R2 bucket. You need to download it for the next step. Example:
+
+```json
+{
+	"errors": [],
+	"messages": [],
+	"result": {
+		"destination_conf": "<YOUR_R2_BUCKET>",
+		"filename": "ownership-challenge-9883874ecac311ec8475433579a6bf5f.txt",
+		"id": "9883874ecac311ec8475433579a6bf5f",
+		"status": "success",
+		"submitted": "2020-01-01T08:00:00Z",
+		"validated": "2020-01-01T08:00:00Z"
+	},
+	"success": true
+}
+```
+
+### Validate bucket ownership
+
+Refer to the [Validate a bucket](#validate-a-bucket) API instructions for more details on the entire process to [validate your R2 bucket](/api/resources/magic_transit/subresources/pcaps/subresources/ownership/methods/validate/). When specifying the R2 destination for this validation, exclude the secret and access keys from the URL.