From a5403f4a2346b958c729e631b60abed0940ec797 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Fri, 4 Apr 2025 14:54:57 +0100 Subject: [PATCH 01/35] added new content --- .../magic-network-monitoring/rules/index.mdx | 97 ++++++++----------- 1 file changed, 39 insertions(+), 58 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/index.mdx b/src/content/docs/magic-network-monitoring/rules/index.mdx index 991fcabaad5aaa8..cc09f1ecfcce56e 100644 --- a/src/content/docs/magic-network-monitoring/rules/index.mdx +++ b/src/content/docs/magic-network-monitoring/rules/index.mdx 
@@ -2,105 +2,86 @@ title: Rules pcx_content_type: how-to sidebar: - label: Manage rules + label: Overview order: 4 --- -Magic Network Monitoring rules will allow you to monitor the traffic volume destined for IP addresses or IP prefixes on your network. You can also receive alerts if the volume of traffic arriving at specific destinations exceeds a defined threshold. +Magic Network Monitoring rules allow you to monitor your network traffic for DDoS attacks on specific IP addresses or IP prefixes within your network. If the network traffic that is monitored by a rule exceeds the rule's threshold or contains a DDoS attack fingerprint, then you will receive an alert. -:::caution[Invalid account settings error when trying to create a rule] -If you get the following error when trying to create a rule: +## Rule types -`Invalid account settings request body: account name format contains illegal characters or is not supported` +There are three different types of rules that can be configured within Magic Network Monitoring. You can refer to the linked documentation page for each rule type to learn more. -Make sure the name for your Cloudflare account does not contain unsupported characters, like, for example, `&`, `<`, `>`, `"`, `'`, ``` ` ```. +| Rule Type | Rule Description | Rule Availability | +| :---- | :---- | :---- | +| Dynamic threshold (recommended) | A dynamic threshold rule will analyze a network’s traffic patterns over time and automatically adjust the rule’s DDoS threshold, in terms of bits or packets, based on traffic history. | API configuration only | +| Static threshold | A static threshold rule allows you to define a constant numeric threshold, in terms of bits or packets, for DDoS traffic monitoring. 
| API configuration and dashboard configuration | +| sFlow DDoS attack | Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. | API configuration only Only applicable to sFlow data sets | -Refer to [Account name](/fundamentals/setup/account/customize-account/account-name/) to learn how to change your account name. -::: +# Create rules in the dashboard +Note: Only static traffic threshold rules can be configured in the Cloudflare dashboard. -## Create rules - -Refer to [Recommended rule configuration](/magic-network-monitoring/rules/recommended-rule-configuration/) for more details on the settings we recommend to create appropriate Magic Network Monitoring rules. - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. -2. Go to **Analytics & Logs** > **Magic Monitoring**. -3. Select **Configure Magic Network Monitoring** > **Add new rule**. -4. Create your rule according to your needs. Refer to [Rule fields](#rule-fields) for more information on what each field does. +1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. +2. Go to **Analytics & Logs** \> **Magic Monitoring**. +3. Select **Configure Magic Network Monitoring** \> **Add new rule**. +4. Create a new static traffic threshold rule according to your needs. Refer to the documentation on [static threshold](https://developers.cloudflare.com/magic-network-monitoring/rules/static-threshold/) rules for more information on each field in the static threshold rule’s configuration. 5. Select **Create a new rule** when you are finished. -## Edit or delete rules +# Edit rules in the dashboard -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. -2. Go to **Analytics & Logs** > **Magic Monitoring**. +1. 
Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. +2. Go to **Analytics & Logs** \> **Magic Monitoring**. 3. Select **Configure Magic Network Monitoring**. -4. Find the rule you want to edit, and select **Edit**. Optionally, you can also select **Delete** to delete a rule. -5. Edit the appropriate fields. Refer to [Rule fields](#rule-fields) for more information on what each field does. +4. Find the static threshold rule you want to edit, and select **Edit**. +5. Edit the appropriate fields. Refer to [Rule fields](https://developers.cloudflare.com/magic-network-monitoring/rules/#rule-fields) for more information on what each field does. 6. Select **Save** when you are finished. -## Rule Auto-Advertisement +# Delete rules in the dashboard -If you are an Enterprise customer using [Magic Transit On Demand](/magic-transit/on-demand), enable **Auto-Advertisement** if you want to automatically activate Magic Transit when a certain threshold is exceeded. +1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. +2. Go to **Analytics & Logs** \> **Magic Monitoring**. +3. Select **Configure Magic Network Monitoring**. +4. Find the static threshold rule you want to delete, and select **Delete**. +5. Select **I understand that deleting a rule is permanent**, and select **Delete** again. -Follow the previous steps to [create](#create-rules) or [edit](#edit-or-delete-rules) a rule. Then, make sure you enable **Auto-Advertisement**. +# Common settings that apply to all rule types -## Rule fields +## Rule Auto-Advertisement -| Field | Description | -| ----------------------- | ----------- | -| **Rule name** | Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`). Max 256 characters. | -| **Rule threshold type** | Can be defined in either bits per second or packets per second. 
| -| **Rule threshold** | The number of bits per second or packets per second for the rule alert. When this value is exceeded for the rule duration, an alert notification is sent. Minimum of `1` and no maximum. | -| **Rule duration** | The amount of time in minutes the rule threshold must exceed to send an alert notification. Choose from the following values: `1`, `5`, `10`, `15`, `20`, `30`, `45`, or `60` minutes. | -| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule alert is triggered.| -| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. Max is 5,000 unique CIDR entries. | +If you are an Enterprise customer using [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand), you can enable **Auto-Advertisement** for any dynamic threshold, static threshold, and sFlow DDoS attack rule. The Auto-Advertisement feature will automatically activate Magic Transit when a static or dynamic rule threshold is exceeded or a DDoS attack fingerprint is identified in sFlow traffic logs. -## Enable per-prefix thresholds with the API +Follow the previous steps to [create](https://developers.cloudflare.com/magic-network-monitoring/rules/#create-rules) or [edit](https://developers.cloudflare.com/magic-network-monitoring/rules/#edit-or-delete-rules) a rule. Then, enable **Auto-Advertisement**. -You can also use the [Magic Network Monitoring API](/api/resources/magic_network_monitoring/subresources/rules/methods/list/) to configure custom thresholds for specific prefixes. +## Rule IP prefixes -The system uses the concept of rules, and each rule consists of a group of prefixes. All prefixes inside a rule are evaluated as a whole, and you should set up a rule if you want the prefixes' aggregated traffic to trigger an alert or advertisement. 
For thresholds on singular prefixes or IPs, you can create an individual rule with one prefix and the desired threshold. +Each rule must include a group of IP prefixes in its definition. All IP prefixes inside a rule are evaluated as a whole, and you should set up a rule with multiple IP prefixes when you want the IP prefixes' aggregated traffic to trigger an alert or advertisement. For thresholds on singular IP prefixes or IP addresses, you can create an individual rule with one prefix and the desired rule parameters. -### Example +## Rule IP prefixes example -For a rule with two prefix CIDRs and a `packet_threshold` of `10000` as shown below, the rule will be flagged if the joint packet traffic of `192.168.0.0/24` and `172.118.0.0/24` is greater than `10000`. This also means that Cloudflare attempts to auto advertise both CIDRs in case the flag is turned on. +For a rule with two prefix CIDRs and a packet\_threshold of 10000 as shown below, the rule will be flagged if the joint packet traffic of 192.168.0.0/24 and 172.118.0.0/24 is greater than 10000. This also means that Cloudflare attempts to auto advertise both CIDRs if the rule has the auto advertisement flag enabled. Customers can also [configure Rule IP prefixes at scale via Cloudflare’s API](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). -```bash +``` "rules":[ "name": "Too many packets", "prefixes": ["192.168.0.0/24", "172.118.0.0/24"], "packet_threshold": 10000, "automatic_advertisement": true, "duration": "1m0s", + "type": "threshold" ] ``` For more granular thresholds, create a more focused rule as shown below. -```bash +``` "rules":[ "name": "Too many packets", "prefixes": ["172.118.0.0/24"], "packet_threshold": 1000, "automatic_advertisement": true, "duration": "1m0s", + "type": "threshold" ] -``` - -Refer to the [Magic Network Monitoring API documentation](/api/resources/magic_network_monitoring/subresources/rules/methods/list/) for more information. 
- -## Notifications - -Webhook, PagerDuty, and email notifications are sent following an auto-advertisement attempt for all prefixes inside the flagged rule. - -You will receive the status of the advertisement for each prefix with the following available statuses: - -- **Advertised**: The prefix was successfully advertised. -- **Already Advertised**: The prefix was advertised prior to the auto advertisement attempt. -- **Delayed**: The prefix cannot currently be advertised but will attempt advertisement. After the prefix can be advertised, a new notification is sent with the updated status. -- **Locked**: The prefix is locked and cannot be advertised. -- **Could not Advertise**: Cloudflare was unable to advertise the prefix. This status can occur for multiple reasons, but usually occurs when you are not allowed to advertise a prefix. -- **Error**: A general error occurred during prefix advertisement. - -Refer to [Notifications](/magic-network-monitoring/notifications/) to learn how to create one. +``` \ No newline at end of file From 148a8a9001c4ea0116989e6e7de1b3e774765d29 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Fri, 4 Apr 2025 15:00:39 +0100 Subject: [PATCH 02/35] refined text --- .../magic-network-monitoring/rules/index.mdx | 54 +++++++++++-------- 1 file changed, 33 insertions(+), 21 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/index.mdx b/src/content/docs/magic-network-monitoring/rules/index.mdx index cc09f1ecfcce56e..74817e88bd09587 100644 --- a/src/content/docs/magic-network-monitoring/rules/index.mdx +++ b/src/content/docs/magic-network-monitoring/rules/index.mdx 
@@ -15,52 +15,64 @@ There are three different types of rules that can be configured within Magic Net | Rule Type | Rule Description | Rule Availability | | :---- | :---- | :---- | -| Dynamic threshold (recommended) | A dynamic threshold rule will analyze a network’s traffic patterns over time and automatically adjust the rule’s DDoS threshold, in terms of bits or packets, based on traffic history. | API configuration only | +| Dynamic threshold (recommended) | A dynamic threshold rule will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. | API configuration only | | Static threshold | A static threshold rule allows you to define a constant numeric threshold, in terms of bits or packets, for DDoS traffic monitoring. | API configuration and dashboard configuration | | sFlow DDoS attack | Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. | API configuration only Only applicable to sFlow data sets | -# Create rules in the dashboard +## Create rules in the dashboard -Note: Only static traffic threshold rules can be configured in the Cloudflare dashboard. +You can only configure static traffic threshold rules in the Cloudflare dashboard. -1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. -2. Go to **Analytics & Logs** \> **Magic Monitoring**. -3. Select **Configure Magic Network Monitoring** \> **Add new rule**. -4. Create a new static traffic threshold rule according to your needs. Refer to the documentation on [static threshold](https://developers.cloudflare.com/magic-network-monitoring/rules/static-threshold/) rules for more information on each field in the static threshold rule’s configuration. 
+:::caution[Invalid account settings error when trying to create a rule] +If you get the following error when trying to create a rule: + +`Invalid account settings request body: account name format contains illegal characters or is not supported` + +Make sure the name for your Cloudflare account does not contain unsupported characters, like, for example, `&`, `<`, `>`, `"`, `'`, ``` ` ```. + +Refer to [Account name](/fundamentals/setup/account/customize-account/account-name/) to learn how to change your account name. +::: + +To create a new rule: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. +2. Go to **Analytics & Logs** > **Magic Monitoring**. +3. Select **Configure Magic Network Monitoring** > **Add new rule**. +4. Create a new static traffic threshold rule according to your needs. Refer to the documentation on [static threshold](/magic-network-monitoring/rules/static-threshold/) rules for more information on each field in the static threshold rule's configuration. 5. Select **Create a new rule** when you are finished. -# Edit rules in the dashboard +## Edit rules in the dashboard -1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. -2. Go to **Analytics & Logs** \> **Magic Monitoring**. +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. +2. Go to **Analytics & Logs** > **Magic Monitoring**. 3. Select **Configure Magic Network Monitoring**. 4. Find the static threshold rule you want to edit, and select **Edit**. -5. Edit the appropriate fields. Refer to [Rule fields](https://developers.cloudflare.com/magic-network-monitoring/rules/#rule-fields) for more information on what each field does. +5. Edit the appropriate fields. Refer to [Rule fields](/magic-network-monitoring/rules/#rule-fields) for more information on what each field does. 6. Select **Save** when you are finished. 
-# Delete rules in the dashboard +## Delete rules in the dashboard -1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. -2. Go to **Analytics & Logs** \> **Magic Monitoring**. +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. +2. Go to **Analytics & Logs** > **Magic Monitoring**. 3. Select **Configure Magic Network Monitoring**. 4. Find the static threshold rule you want to delete, and select **Delete**. 5. Select **I understand that deleting a rule is permanent**, and select **Delete** again. -# Common settings that apply to all rule types +## Common settings that apply to all rule types -## Rule Auto-Advertisement +### Rule Auto-Advertisement -If you are an Enterprise customer using [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand), you can enable **Auto-Advertisement** for any dynamic threshold, static threshold, and sFlow DDoS attack rule. The Auto-Advertisement feature will automatically activate Magic Transit when a static or dynamic rule threshold is exceeded or a DDoS attack fingerprint is identified in sFlow traffic logs. +If you are an Enterprise customer using [Magic Transit On Demand](/magic-transit/on-demand), you can enable **Auto-Advertisement** for any dynamic threshold, static threshold, and sFlow DDoS attack rule. The Auto-Advertisement feature will automatically activate Magic Transit when a static or dynamic rule threshold is exceeded or a DDoS attack fingerprint is identified in sFlow traffic logs. -Follow the previous steps to [create](https://developers.cloudflare.com/magic-network-monitoring/rules/#create-rules) or [edit](https://developers.cloudflare.com/magic-network-monitoring/rules/#edit-or-delete-rules) a rule. Then, enable **Auto-Advertisement**. +Follow the previous steps to [create](#create-rules-in-the-dashboard) or [edit](#edit-rules-in-the-dashboard) a rule. Then, enable **Auto-Advertisement**. 
-## Rule IP prefixes +### Rule IP prefixes Each rule must include a group of IP prefixes in its definition. All IP prefixes inside a rule are evaluated as a whole, and you should set up a rule with multiple IP prefixes when you want the IP prefixes' aggregated traffic to trigger an alert or advertisement. For thresholds on singular IP prefixes or IP addresses, you can create an individual rule with one prefix and the desired rule parameters. -## Rule IP prefixes example +### Rule IP prefixes example -For a rule with two prefix CIDRs and a packet\_threshold of 10000 as shown below, the rule will be flagged if the joint packet traffic of 192.168.0.0/24 and 172.118.0.0/24 is greater than 10000. This also means that Cloudflare attempts to auto advertise both CIDRs if the rule has the auto advertisement flag enabled. Customers can also [configure Rule IP prefixes at scale via Cloudflare’s API](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). +For a rule with two prefix CIDRs and a `packet_threshold` of `10000` as shown below, the rule will be flagged if the joint packet traffic of `192.168.0.0/24` and `172.118.0.0/24` is greater than `10000`. This also means that Cloudflare attempts to auto advertise both CIDRs if the rule has the auto advertisement flag enabled. Customers can also [configure Rule IP prefixes at scale via Cloudflare's API](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). ``` "rules":[ From a82b17833dfb9f5a2ae4cbf622e4cf4e7c73c365 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Fri, 4 Apr 2025 15:01:22 +0100 Subject: [PATCH 03/35] refined text --- src/content/docs/magic-network-monitoring/rules/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/index.mdx b/src/content/docs/magic-network-monitoring/rules/index.mdx index 74817e88bd09587..0374a5a503965d3 100644 
--- a/src/content/docs/magic-network-monitoring/rules/index.mdx +++ b/src/content/docs/magic-network-monitoring/rules/index.mdx @@ -74,7 +74,7 @@ Each rule must include a group of IP prefixes in its definition. All IP prefixes For a rule with two prefix CIDRs and a `packet_threshold` of `10000` as shown below, the rule will be flagged if the joint packet traffic of `192.168.0.0/24` and `172.118.0.0/24` is greater than `10000`. This also means that Cloudflare attempts to auto advertise both CIDRs if the rule has the auto advertisement flag enabled. Customers can also [configure Rule IP prefixes at scale via Cloudflare's API](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). -``` +```json "rules":[ "name": "Too many packets", "prefixes": ["192.168.0.0/24", "172.118.0.0/24"], @@ -87,7 +87,7 @@ For a rule with two prefix CIDRs and a `packet_threshold` of `10000` as shown be For more granular thresholds, create a more focused rule as shown below. -``` +```json "rules":[ "name": "Too many packets", "prefixes": ["172.118.0.0/24"], From 8e6f59e6ec1d094314c25cd63b26956dd2b82c69 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Fri, 4 Apr 2025 15:05:06 +0100 Subject: [PATCH 04/35] deleted old pages --- .../rules/recommended-rule-configuration.mdx | 66 ------------------- .../rules/sflow-ddos-alerts.mdx | 34 ---------- 2 files changed, 100 deletions(-) delete mode 100644 src/content/docs/magic-network-monitoring/rules/recommended-rule-configuration.mdx delete mode 100644 src/content/docs/magic-network-monitoring/rules/sflow-ddos-alerts.mdx diff --git a/src/content/docs/magic-network-monitoring/rules/recommended-rule-configuration.mdx b/src/content/docs/magic-network-monitoring/rules/recommended-rule-configuration.mdx deleted file mode 100644 index 4fa704ff1735393..000000000000000 --- a/src/content/docs/magic-network-monitoring/rules/recommended-rule-configuration.mdx +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: Recommended rule configuration -pcx_content_type: how-to -sidebar: - order: 1 - ---- - -import { GlossaryTooltip } from "~/components" - -You can create [Magic Network Monitoring rules](/magic-network-monitoring/rules/) to monitor the traffic volume of your network, for a set of IP addresses and/or IP prefixes. The traffic volume threshold for these rules is also set by you. If the traffic volume threshold is crossed, Magic Network Monitoring will send an alert via email, webhook, or PagerDuty. - -Follow the guidelines outlined in this page to create appropriate Magic Network Monitoring rules and set accurate rule thresholds. - -## Rule IP prefixes - -Cloudflare recommends that customers start by creating one Magic Network Monitoring rule for each public `/24` IP prefix within their network. It is helpful to include the range of the `/24` IP prefix to make it easier to find and filter for the rule in Magic Network Monitoring analytics. - -As you become more familiar with the traffic patterns across each IP prefix, we encourage you to create more complex rules with IP prefixes that are smaller or larger than a `/24` prefix depending on your needs. You can also combine and monitor multiple IP prefixes within the same rule. - -## Rule threshold - -Follow the steps below to configure appropriate rule thresholds. - -### Initial rule configuration - -When you initially configure Magic Network Monitoring, you may not know the typical traffic volume patterns across each of your IP prefixes. Cloudflare recommends that you set a high rule threshold of either 10 Gbps (gigabits per second) or 10 Mpps (million packets per second) that is unlikely to be crossed during initial configuration. - -This will allow you to collect initial information about the typical traffic volume for a Magic Network Monitoring rule without receiving any alerts. 
After you have collected and analyzed the historical traffic data for an Magic Network Monitoring rule, the threshold should be adjusted to an appropriate value. - -| Threshold type | Recommended rule threshold to collect initial data | -| -------------- | -------------------------------------------------- | -| Bits | 10 Gpbs (10,000,000,000 bits per second) | -| Packets | 10 Mpps (10,000,000 packets per second) | - -### Setting the appropriate threshold - -After creating the initial set of rules to monitor your network traffic, you should collect 14-30 days of historical traffic volume data for each rule. - -Cloudflare recommends that new customers set a rule threshold that is two times larger than the maximum non-attack traffic observed for a one minute time interval within an Magic Network Monitoring rule. - -To find the maximum non-attack traffic for a one minute time interval over the past 14-30 days, you can filter for the specific rule you want to analyze. To do that: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. -2. Go to **Analytics & Logs** > **Magic Monitoring**. -3. Select **Add filter**. -4. In **New filter**, use the drop-down menus to create the following filter: - | Field | Operator | Rule name | - | ----------------- | -------- | ------------- | - | _Monitoring Rule_ | _equals_ | `` | - -Once the rule filter is selected in Magic Network Monitoring Analytics, you can check the historical traffic volume data for the rule over the selected time period. We recommend that you check your historical traffic volume data in increments of seven days since that is the largest window that shows one hour time intervals. You can select a custom seven day time range in Magic Network Monitoring Analytics by going to the top right corner of Magic Network Monitoring analytics, opening the time window dropdown, and selecting **Custom range**. 
- -![How to choose a custom time range.](~/assets/images/magic-network-monitoring/custom-time-range.png) - -You should review the selected seven day time range and identify the largest traffic volume peak. Then, click and drag on the largest traffic peak to view the traffic volume data for a smaller time window. Continue until you are viewing the traffic volume data in one minute time intervals. - -Record the largest traffic volume peak for the rule in a spreadsheet, then repeat this process across 14-30 days of data. The rule threshold should be updated to be two times the largest traffic spike for a one minute time interval across 14-30 days of data. You should go through this process to set the threshold for each Magic Network Monitoring rule. - -## Rule duration - -Your IP prefixes may experience inconsistent spikes in traffic volume across one minute time intervals. We recommend that you set a rule duration of 120 seconds to reduce false positive alerts on short-term non-malicious traffic spikes. A rule duration of 120 seconds means that the traffic volume must be above the rule threshold for 120 seconds before an alert is fired. - -## Adjusting rules over time - -After you update your first set of rule thresholds based on historical traffic data, it will be important to monitor for Magic Network Monitoring alerts to check if the rule thresholds are appropriate. Customers are encouraged to adjust the rule thresholds and the duration over time to find the ideal alert sensitivity level for their specific network environment. diff --git a/src/content/docs/magic-network-monitoring/rules/sflow-ddos-alerts.mdx b/src/content/docs/magic-network-monitoring/rules/sflow-ddos-alerts.mdx deleted file mode 100644 index fbbb98f16153512..000000000000000 --- a/src/content/docs/magic-network-monitoring/rules/sflow-ddos-alerts.mdx +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -title: sFlow DDoS alerts -pcx_content_type: how-to -sidebar: - order: 2 - ---- - -import { GlossaryTooltip } from "~/components" - -Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. Cloudflare uses the same DDoS attack detection rules that protect our own global network to generate these alerts for customers. - -## Send sFlow data from your network to Cloudflare - -Customers can export sFlow data of their network traffic to Cloudflare via Magic Network Monitoring. There are [specific brands and models](/magic-network-monitoring/routers/supported-routers/) of routers that are capable of generating sFlow data. Make sure to check the router specifications to ensure that it is able to export sFlow data. Customers can follow this [sFlow configuration guide](/magic-network-monitoring/routers/sflow-config/) to configure sFlow exports to Magic Network Monitoring. - -## Use sFlow DDoS alerts - -Customers can configure sFlow DDoS alerts and receive notifications if a DDoS attack is detected within their sFlow traffic. These alerts are not compatible with NetFlow traffic. The sFlow DDoS alerts can be used along with traffic volume threshold alerts to give customers multiple layers of DDoS protection. - -## Configure the sFlow DDoS alerts - -To configure sFlow DDoS alerts: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. -2. Go to **Notifications**, and select **Add**. -3. Select **Magic Transit** from the product dropdown menu. -4. Find the **Magic Network Monitoring: DDoS Attack** alert, and select **Select**. -5. Fill in the notification configuration details. -6. Select **Save**. 
- -## Tune the sFlow DDoS alert thresholds - -Customers can tune the thresholds of their sFlow DDoS alerts in the dashboard and via the Cloudflare API by following the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/) guide. From 5e07d123967c8bf9da5e8b16cf62de76a1cf239f Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 09:33:51 +0100 Subject: [PATCH 05/35] added static threshold --- .../rules/static-threshold.mdx | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 src/content/docs/magic-network-monitoring/rules/static-threshold.mdx diff --git a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx new file mode 100644 index 000000000000000..48f707d1cd0cced --- /dev/null +++ b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx 
@@ -0,0 +1,87 @@ +--- +title: Static threshold rule +pcx_content_type: how-to +sidebar: + order: 1 + +--- + +A static threshold rule allows you to define a constant numeric threshold, in terms of bits or packets, for DDoS traffic monitoring. The total traffic across all IP prefixes and IP addresses in the rule is compared to the static rule threshold. If the total traffic exceeds the static rule threshold for the duration of the rule, then an alert is sent. + +Customers that send NetFlow and / or sFlow data to Cloudflare can configure static threshold rules. + +# Rule configuration fields + +| Field | Description | +| :---- | :---- | +| **Rule name** | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (\_), dash (\-), period (.), and tilde (\~). Max 256 characters. | +| **Rule type** | threshold | +| **Rule threshold type** | Can be defined in either bits per second or packets per second. | +| **Rule threshold** | The number of bits per second or packets per second for the rule alert. When this value is exceeded for the rule duration, an alert notification is sent. Minimum of 1 and no maximum. | +| **Rule duration** | The amount of time in minutes the rule threshold must exceed to send an alert notification. Choose from the following values: 1, 5, 10, 15, 20, 30, 45, or 60 minutes. | +| **Auto-advertisement** | If you are a [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule alert is triggered. To learn more and see an example, view the [Auto-Advertisement section](https://developers.cloudflare.com/magic-network-monitoring/overview/#rule-auto-advertisement). | +| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. Max is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. 
| + +# API documentation + +You can visit developers.cloudflare.com/api, navigate to Magic Network Monitoring, and expand the [Magic Network Monitoring Rules](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/) section to see an example CURL API configuration call that will create a new rule. The API documentation also includes an example of a successful response. + +# Recommended rule configuration + +You can create [Magic Network Monitoring rules](https://developers.cloudflare.com/magic-network-monitoring/rules/) to monitor the traffic volume of your network for a set of IP prefixes and / or IP addresses. The traffic volume threshold for these rules is also set by you. If the traffic volume threshold is crossed, Magic Network Monitoring will send an alert via email, webhook, or PagerDuty. + +Follow the guidelines outlined in this page to create appropriate Magic Network Monitoring rules and set accurate rule thresholds. + +## Rule IP prefixes + +Cloudflare recommends that customers start by creating one Magic Network Monitoring rule for each public /24 IP prefix within their network. It is helpful to include the range of the /24 IP prefix to make it easier to find and filter for the rule in Magic Network Monitoring analytics. + +As you become more familiar with the traffic patterns across each IP prefix, we encourage you to create more complex rules with IP prefixes that are smaller or larger than a /24 prefix depending on your needs. You can also combine and monitor multiple IP prefixes within the same rule. + +## Rule threshold + +Follow the steps below to configure appropriate rule thresholds. + +### Initial rule configuration + +When you initially configure Magic Network Monitoring, you may not know the typical traffic volume patterns across each of your IP prefixes. 
Cloudflare recommends that you set a high rule threshold of either 10 Gbps (gigabits per second) or 10 Mpps (million packets per second) that is unlikely to be crossed during initial configuration. + +This will allow you to collect initial information about the typical traffic volume for a Magic Network Monitoring rule without receiving any alerts. After you have collected and analyzed the historical traffic data for an Magic Network Monitoring rule, the threshold should be adjusted to an appropriate value. + +| Threshold type | Recommended rule threshold to collect initial data | +| :---- | :---- | +| Bits | 10 Gpbs (10,000,000,000 bits per second) | +| Packets | 10 Mpps (10,000,000 packets per second) | + +### Setting the appropriate threshold + +After creating the initial set of rules to monitor your network traffic, you should collect 14-30 days of historical traffic volume data for each rule. + +Cloudflare recommends that new customers set a rule threshold that is two times larger than the maximum non-attack traffic observed for a one minute time interval within an Magic Network Monitoring rule. + +To find the maximum non-attack traffic for a one minute time interval over the past 14-30 days, you can filter for the specific rule you want to analyze. To do that: + +1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. +2. Go to **Analytics & Logs** \> **Magic Monitoring**. +3. Select **Add filter**. +4. In **New filter**, use the drop-down menus to create the following filter: + +| Field | Operator | Rule name | +| :---- | :---- | :---- | +| *Monitoring Rule* | *equals* | \ | + +Once the rule filter is selected in Magic Network Monitoring Analytics, you can check the historical traffic volume data for the rule over the selected time period. We recommend that you check your historical traffic volume data in increments of seven days since that is the largest window that shows one hour time intervals. 
You can select a custom seven-day time range in Magic Network Monitoring Analytics by going to the top right corner of Magic Network Monitoring analytics, opening the time window dropdown, and selecting **Custom range**. + +![][image1] + +You should review the selected seven-day time range and identify the largest traffic volume peak. Then, click and drag on the largest traffic peak to view the traffic volume data for a smaller time window. Continue until you are viewing the traffic volume data in one-minute intervals. + +Record the largest traffic volume peak for the rule in a spreadsheet, then repeat this process across 14-30 days of data. The rule threshold should be updated to be two times the largest traffic spike for a one minute time interval across 14-30 days of data. You should go through this process to set the threshold for each Magic Network Monitoring rule. + +## Rule duration + +Your IP prefixes may experience inconsistent spikes in traffic volume across one minute time intervals. We recommend that you set a rule duration of 120 seconds or greater to reduce false positive alerts on short-term non-malicious traffic spikes. A rule duration of 120 seconds means that the traffic volume must be above the rule threshold for 120 seconds before an alert is fired. + +## Adjusting rules over time + +After you update your first set of rule thresholds based on historical traffic data, it will be important to monitor for Magic Network Monitoring alerts to check if the rule thresholds are appropriate. Customers are encouraged to adjust the rule thresholds and the duration over time to find the ideal alert sensitivity level for their specific network environment. \ No newline at end of file From 2ad711e79d0362bfeeb75b018e80a8be4607a946 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 09:54:26 +0100 Subject: [PATCH 06/35] refined text --- .../rules/static-threshold.mdx | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) 
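Review bot: In the "Rule duration" section of the new static-threshold.mdx, the recommendation of "120 seconds or greater" does not match the **Rule duration** row of the field table in the same file, which offers only 1, 5, 10, 15, 20, 30, 45, or 60 minutes, so a two-minute duration cannot be selected as written. State the recommendation in minutes and use a value from that list. Two smaller points in the same file: the **Rule IP prefix** example 160.168.0.1/24 has host bits set, so it is not the network address of a /24 (that would be 160.168.0.0/24, and a documentation range such as 192.0.2.0/24 avoids pointing at address space someone may actually hold). The "Initial rule configuration" advice to start at 10 Gbps or 10 Mpps is meant to produce no alerts, so it is worth saying outright that the rule gives no practical volumetric alerting during the 14-30 day collection period.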
diff --git a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx index 48f707d1cd0cced..3874d32faf23400 100644 --- a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx 
@@ -10,33 +10,33 @@ A static threshold rule allows you to define a constant numeric threshold, in te Customers that send NetFlow and / or sFlow data to Cloudflare can configure static threshold rules. -# Rule configuration fields +## Rule configuration fields | Field | Description | | :---- | :---- | -| **Rule name** | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (\_), dash (\-), period (.), and tilde (\~). Max 256 characters. | -| **Rule type** | threshold | +| **Rule name** | Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`). Maximum of 256 characters. | +| **Rule type** | Threshold | | **Rule threshold type** | Can be defined in either bits per second or packets per second. | -| **Rule threshold** | The number of bits per second or packets per second for the rule alert. When this value is exceeded for the rule duration, an alert notification is sent. Minimum of 1 and no maximum. | -| **Rule duration** | The amount of time in minutes the rule threshold must exceed to send an alert notification. Choose from the following values: 1, 5, 10, 15, 20, 30, 45, or 60 minutes. | -| **Auto-advertisement** | If you are a [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule alert is triggered. To learn more and see an example, view the [Auto-Advertisement section](https://developers.cloudflare.com/magic-network-monitoring/overview/#rule-auto-advertisement). | -| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. Max is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | +| **Rule threshold** | The number of bits per second or packets per second for the rule alert. 
When this value is exceeded for the rule duration, an alert notification is sent. Minimum of `1` and no maximum. | +| **Rule duration** | The amount of time in minutes the rule threshold must exceed to send an alert notification. Choose from the following values: `1`, `5`, `10`, `15`, `20`, `30`, `45`, or `60` minutes. | +| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule alert is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#TO-DO). | +| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. Max is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes) section. | -# API documentation +## API documentation -You can visit developers.cloudflare.com/api, navigate to Magic Network Monitoring, and expand the [Magic Network Monitoring Rules](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/) section to see an example CURL API configuration call that will create a new rule. The API documentation also includes an example of a successful response. +You can visit developers.cloudflare.com/api, navigate to Magic Network Monitoring, and expand the [Magic Network Monitoring Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example CURL API configuration call that will create a new rule. The API documentation also includes an example of a successful response. 
-# Recommended rule configuration +## Recommended rule configuration -You can create [Magic Network Monitoring rules](https://developers.cloudflare.com/magic-network-monitoring/rules/) to monitor the traffic volume of your network for a set of IP prefixes and / or IP addresses. The traffic volume threshold for these rules is also set by you. If the traffic volume threshold is crossed, Magic Network Monitoring will send an alert via email, webhook, or PagerDuty. +You can create [Magic Network Monitoring rules](/magic-network-monitoring/rules/) to monitor the traffic volume of your network for a set of IP prefixes and / or IP addresses. The traffic volume threshold for these rules is also set by you. If the traffic volume threshold is crossed, Magic Network Monitoring will send an alert via email, webhook, or PagerDuty. Follow the guidelines outlined in this page to create appropriate Magic Network Monitoring rules and set accurate rule thresholds. -## Rule IP prefixes +### Rule IP prefixes -Cloudflare recommends that customers start by creating one Magic Network Monitoring rule for each public /24 IP prefix within their network. It is helpful to include the range of the /24 IP prefix to make it easier to find and filter for the rule in Magic Network Monitoring analytics. +Cloudflare recommends that customers start by creating one Magic Network Monitoring rule for each public `/24` IP prefix within their network. It is helpful to include the range of the `/24` IP prefix to make it easier to find and filter for the rule in Magic Network Monitoring analytics. -As you become more familiar with the traffic patterns across each IP prefix, we encourage you to create more complex rules with IP prefixes that are smaller or larger than a /24 prefix depending on your needs. You can also combine and monitor multiple IP prefixes within the same rule. 
+As you become more familiar with the traffic patterns across each IP prefix, we encourage you to create more complex rules with IP prefixes that are smaller or larger than a `/24` prefix depending on your needs. You can also combine and monitor multiple IP prefixes within the same rule. ## Rule threshold From 29a44f993c7f31b1c11681de32246c4cdf11bf75 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:00:50 +0100 Subject: [PATCH 07/35] refined text --- .../rules/static-threshold.mdx | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx index 3874d32faf23400..39848436e6cba8d 100644 --- a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx 
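Review bot: The **Auto-advertisement** row now links to `/magic-network-monitoring/rules/rule-notifications/#TO-DO`, a placeholder fragment that should not be merged as is. Point it at the real heading anchor once that exists, or keep the previous `/magic-network-monitoring/overview/#rule-auto-advertisement` target until then. In the **Rule type** row, `threshold` became `Threshold`. If this cell is the literal value the API expects, keep it lowercase and code-format it like the other literals in this table. The hunk also demotes "Rule IP prefixes" to `###` while the sibling "Rule threshold" heading in the trailing context stays at `##`, which leaves the outline inconsistent after this commit.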
@@ -38,22 +38,22 @@ Cloudflare recommends that customers start by creating one Magic Network Monitor As you become more familiar with the traffic patterns across each IP prefix, we encourage you to create more complex rules with IP prefixes that are smaller or larger than a `/24` prefix depending on your needs. You can also combine and monitor multiple IP prefixes within the same rule. -## Rule threshold +### Rule threshold Follow the steps below to configure appropriate rule thresholds. -### Initial rule configuration +#### Initial rule configuration When you initially configure Magic Network Monitoring, you may not know the typical traffic volume patterns across each of your IP prefixes. Cloudflare recommends that you set a high rule threshold of either 10 Gbps (gigabits per second) or 10 Mpps (million packets per second) that is unlikely to be crossed during initial configuration. This will allow you to collect initial information about the typical traffic volume for a Magic Network Monitoring rule without receiving any alerts. After you have collected and analyzed the historical traffic data for an Magic Network Monitoring rule, the threshold should be adjusted to an appropriate value. | Threshold type | Recommended rule threshold to collect initial data | -| :---- | :---- | -| Bits | 10 Gpbs (10,000,000,000 bits per second) | -| Packets | 10 Mpps (10,000,000 packets per second) | +| :---- | :---- | +| Bits | 10 Gpbs (10,000,000,000 bits per second) | +| Packets | 10 Mpps (10,000,000 packets per second) | -### Setting the appropriate threshold +#### Setting the appropriate threshold After creating the initial set of rules to monitor your network traffic, you should collect 14-30 days of historical traffic volume data for each rule. 
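Review bot: The **Bits** row re-added in this hunk still reads "10 Gpbs", while the paragraph above it spells the unit "10 Gbps". Since the row is being rewritten anyway, correct it to "10 Gbps (10,000,000,000 bits per second)". The unchanged paragraph before the table also keeps "an Magic Network Monitoring rule", which should be "a Magic Network Monitoring rule".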
@@ -61,27 +61,25 @@ Cloudflare recommends that new customers set a rule threshold that is two times To find the maximum non-attack traffic for a one minute time interval over the past 14-30 days, you can filter for the specific rule you want to analyze. To do that: -1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. -2. Go to **Analytics & Logs** \> **Magic Monitoring**. +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. +2. Go to **Analytics & Logs** > **Magic Monitoring**. 3. Select **Add filter**. 4. In **New filter**, use the drop-down menus to create the following filter: -| Field | Operator | Rule name | -| :---- | :---- | :---- | -| *Monitoring Rule* | *equals* | \ | +| Field | Operator | Rule name | +| :---- | :---- | :---- | +| _Monitoring Rule_ | _equals_ | `` | Once the rule filter is selected in Magic Network Monitoring Analytics, you can check the historical traffic volume data for the rule over the selected time period. We recommend that you check your historical traffic volume data in increments of seven days since that is the largest window that shows one hour time intervals. You can select a custom seven-day time range in Magic Network Monitoring Analytics by going to the top right corner of Magic Network Monitoring analytics, opening the time window dropdown, and selecting **Custom range**. -![][image1] - You should review the selected seven-day time range and identify the largest traffic volume peak. Then, click and drag on the largest traffic peak to view the traffic volume data for a smaller time window. Continue until you are viewing the traffic volume data in one-minute intervals. Record the largest traffic volume peak for the rule in a spreadsheet, then repeat this process across 14-30 days of data. The rule threshold should be updated to be two times the largest traffic spike for a one minute time interval across 14-30 days of data. 
You should go through this process to set the threshold for each Magic Network Monitoring rule. -## Rule duration +### Rule duration Your IP prefixes may experience inconsistent spikes in traffic volume across one minute time intervals. We recommend that you set a rule duration of 120 seconds or greater to reduce false positive alerts on short-term non-malicious traffic spikes. A rule duration of 120 seconds means that the traffic volume must be above the rule threshold for 120 seconds before an alert is fired. -## Adjusting rules over time +### Adjusting rules over time After you update your first set of rule thresholds based on historical traffic data, it will be important to monitor for Magic Network Monitoring alerts to check if the rule thresholds are appropriate. Customers are encouraged to adjust the rule thresholds and the duration over time to find the ideal alert sensitivity level for their specific network environment. \ No newline at end of file From ed5da211afecbd4cde82f0fc83e8d892d5d68ef8 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:02:46 +0100 Subject: [PATCH 08/35] refined text --- .../docs/magic-network-monitoring/rules/static-threshold.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx index 39848436e6cba8d..c696cd39566731c 100644 --- a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx 
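Review bot: In the filter table under step 4, the **Rule name** cell changes from a bare backslash to an empty code span, so the step still does not tell the reader what to enter. Put a visible, code-formatted placeholder for the rule's name in that cell. The hunk also removes `![][image1]` with no replacement, so the "Custom range" instruction now has no screenshot. That is fine if intended, but say so in the commit message rather than "refined text".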
@@ -3,7 +3,6 @@ title: Static threshold rule pcx_content_type: how-to sidebar: order: 1 - --- A static threshold rule allows you to define a constant numeric threshold, in terms of bits or packets, for DDoS traffic monitoring. The total traffic across all IP prefixes and IP addresses in the rule is compared to the static rule threshold. If the total traffic exceeds the static rule threshold for the duration of the rule, then an alert is sent. From bdc4d63c0f35a4dd5511ba490e185356b16881ad Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:03:06 +0100 Subject: [PATCH 09/35] added dynamic threshold --- .../rules/dynamic-threshold.mdx | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx new file mode 100644 index 000000000000000..89e8affeac579ea --- /dev/null +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx 
@@ -0,0 +1,43 @@ +--- +title: Static threshold rule +pcx_content_type: how-to +sidebar: + order: 1 + badge: + text: Beta +--- + +# Dynamic threshold rule \[Beta\] + +A dynamic threshold rule will analyze a network’s traffic patterns over time and automatically adjust the rule’s DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent. + +Dynamic thresholds are calculated using a [statistical measure called z-score (also referred to as standard score)](https://en.wikipedia.org/wiki/Standard_score). You can visit the section on **How the dynamic rule threshold is calculated** to learn more. + +Customers that send NetFlow and / or sFlow data to Cloudflare can configure dynamic threshold rules. + +A dynamic threshold rule can only be configured via [Cloudflare’s Magic Network Monitoring Rules API](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). Today, customers are unable to configure dynamic threshold rules in the Cloudflare dashboard. + +# Rule configuration fields + +| Field | Description | +| :---- | :---- | +| **Rule name** | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (\_), dash (-), period (.), and tilde (\~). Max 256 characters. | +| **Rule type** | zscore | +| **Target** | Can be defined in either bits per second or packets per second. | +| **Sensitivity** | Z-Score sensitivity has three values: low, medium, and high. | +| **Auto-advertisement** | If you are a [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule’s dynamic threshold is triggered. 
To learn more and see an example, view the [Auto-Advertisement section](https://developers.cloudflare.com/magic-network-monitoring/overview/#rule-auto-advertisement). | +| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | + +# API documentation + +You can visit [developers.cloudflare.com/api](http://developers.cloudflare.com/api), navigate to [Magic Network Monitoring](https://developers.cloudflare.com/api/resources/magic_network_monitoring/), and expand the [Rules](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. + +# How the dynamic rule threshold is calculated + +Dynamic thresholds for this rule type are calculated using a statistical measure called Z-Socre. The dynamic threshold for this rule will automatically adjust based on your traffic history as this rule uses statistical analysis to detect traffic anomalies. Z-Score is calculated by comparing short-term traffic patterns (five-minute time window) against long-term baselines (four-hour time window) . + +Z-Score is calculated by using the following formula: Z \= (X \- μ) / σ + +* X \= Current traffic value +* μ \= Mean traffic value over the long window +* σ \= Standard deviation over the long window \ No newline at end of file From 4810ce1b431b64fd22b6719ca997dd9d39e657ac Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:04:56 +0100 Subject: [PATCH 10/35] refined text --- .../magic-network-monitoring/rules/dynamic-threshold.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
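Review bot: The frontmatter of the new dynamic-threshold.mdx has `title: Static threshold rule` and `order: 1`, both copied from static-threshold.mdx, so the page would be mislabelled and would share a sidebar position with the static rule page. Set the title to "Dynamic threshold rule" and give it its own order. In "How the dynamic rule threshold is calculated", "Z-Socre" is a typo. That section also gives the formula without saying which Z value each **Sensitivity** setting (low, medium, high) alerts at, how the rule behaves before four hours of history exist, or what happens when σ is zero. A sentence on each would let readers judge when the rule is actually providing coverage.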
diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index 89e8affeac579ea..d2a4ad9bc5258e3 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx @@ -7,11 +7,11 @@ sidebar: text: Beta --- -# Dynamic threshold rule \[Beta\] +# Dynamic threshold rule (beta) -A dynamic threshold rule will analyze a network’s traffic patterns over time and automatically adjust the rule’s DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent. +A dynamic threshold rule will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent. -Dynamic thresholds are calculated using a [statistical measure called z-score (also referred to as standard score)](https://en.wikipedia.org/wiki/Standard_score). You can visit the section on **How the dynamic rule threshold is calculated** to learn more. +Dynamic thresholds are calculated using a [statistical measure called z-score (also referred to as standard score)](https://en.wikipedia.org/wiki/Standard_score). You can visit the section on [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more. Customers that send NetFlow and / or sFlow data to Cloudflare can configure dynamic threshold rules. From ba8c9116e7344ee326941459791e804e8adea717 Mon Sep 17 00:00:00 2001 
From: marciocloudflare Date: Mon, 7 Apr 2025 10:05:14 +0100 Subject: [PATCH 11/35] refined url --- .../docs/magic-network-monitoring/rules/dynamic-threshold.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index d2a4ad9bc5258e3..2f9c4f04f857c6c 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx @@ -15,7 +15,7 @@ Dynamic thresholds are calculated using a [statistical measure called z-score (a Customers that send NetFlow and / or sFlow data to Cloudflare can configure dynamic threshold rules. -A dynamic threshold rule can only be configured via [Cloudflare’s Magic Network Monitoring Rules API](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). Today, customers are unable to configure dynamic threshold rules in the Cloudflare dashboard. +A dynamic threshold rule can only be configured via [Cloudflare's Magic Network Monitoring Rules API](/api/resources/magic_network_monitoring/subresources/rules/). Today, customers are unable to configure dynamic threshold rules in the Cloudflare dashboard. # Rule configuration fields From 12913ad305ab70df8b9dd945412d26a97d7b10c3 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:07:52 +0100 Subject: [PATCH 12/35] refined title --- .../rules/dynamic-threshold.mdx | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index 2f9c4f04f857c6c..7ebfed987c5850e 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx 
@@ -1,5 +1,5 @@ --- -title: Static threshold rule +title: Dynamic threshold rule pcx_content_type: how-to sidebar: order: 1 @@ -7,9 +7,7 @@ sidebar: text: Beta --- -# Dynamic threshold rule (beta) - -A dynamic threshold rule will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent. +A dynamic threshold rule (beta) will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent. Dynamic thresholds are calculated using a [statistical measure called z-score (also referred to as standard score)](https://en.wikipedia.org/wiki/Standard_score). You can visit the section on [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more. 
@@ -21,12 +19,12 @@ A dynamic threshold rule can only be configured via [Cloudflare's Magic Network | Field | Description | | :---- | :---- | -| **Rule name** | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (\_), dash (-), period (.), and tilde (\~). Max 256 characters. | +| **Rule name** | Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`). Maximum of 256 characters. | | **Rule type** | zscore | | **Target** | Can be defined in either bits per second or packets per second. | | **Sensitivity** | Z-Score sensitivity has three values: low, medium, and high. | -| **Auto-advertisement** | If you are a [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule’s dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](https://developers.cloudflare.com/magic-network-monitoring/overview/#rule-auto-advertisement). | -| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | +| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#TO-DO). | +| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | # API documentation 
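Review bot: In this table the **Rule name** literals are now code-formatted, but `zscore` in **Rule type** and the **Sensitivity** values low, medium, and high in the unchanged rows are not. Format them as code too, so readers can tell which strings go into the API request. The rewritten **Auto-advertisement** link ends in the placeholder fragment `#TO-DO`, and the **Rule IP prefix** row still says "view the Rule IP prefixes section" without a link, unlike the same row on the static threshold page.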
From 1d2edccd15859828589680e5c4e2483ac1825938 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:08:32 +0100 Subject: [PATCH 13/35] refined url --- .../magic-network-monitoring/rules/dynamic-threshold.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index 7ebfed987c5850e..7955279746da96c 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx @@ -15,7 +15,7 @@ Customers that send NetFlow and / or sFlow data to Cloudflare can configure dyna A dynamic threshold rule can only be configured via [Cloudflare's Magic Network Monitoring Rules API](/api/resources/magic_network_monitoring/subresources/rules/). Today, customers are unable to configure dynamic threshold rules in the Cloudflare dashboard. -# Rule configuration fields +## Rule configuration fields | Field | Description | | :---- | :---- | 
@@ -26,9 +26,9 @@ A dynamic threshold rule can only be configured via [Cloudflare's Magic Network | **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#TO-DO). | | **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | -# API documentation +## API documentation -You can visit [developers.cloudflare.com/api](http://developers.cloudflare.com/api), navigate to [Magic Network Monitoring](https://developers.cloudflare.com/api/resources/magic_network_monitoring/), and expand the [Rules](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. +You can visit [developers.cloudflare.com/api](/api), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. # How the dynamic rule threshold is calculated From ba321563b8b7b401c1425349c45402bf3f766f28 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:08:49 +0100 Subject: [PATCH 14/35] refined text --- .../docs/magic-network-monitoring/rules/dynamic-threshold.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index 7955279746da96c..90d8c460b979cf5 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx @@ -30,9 +30,9 @@ A dynamic threshold rule can only be configured via [Cloudflare's Magic Network You can visit [developers.cloudflare.com/api](/api), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. -# How the dynamic rule threshold is calculated +## How the dynamic rule threshold is calculated -Dynamic thresholds for this rule type are calculated using a statistical measure called Z-Socre. The dynamic threshold for this rule will automatically adjust based on your traffic history as this rule uses statistical analysis to detect traffic anomalies. Z-Score is calculated by comparing short-term traffic patterns (five-minute time window) against long-term baselines (four-hour time window) . +Dynamic thresholds for this rule type are calculated using a statistical measure called Z-Score. The dynamic threshold for this rule will automatically adjust based on your traffic history as this rule uses statistical analysis to detect traffic anomalies. Z-Score is calculated by comparing short-term traffic patterns (five-minute time window) against long-term baselines (four-hour time window) . Z-Score is calculated by using the following formula: Z \= (X \- μ) / σ From d81d6bab509f85a91e1c01744ad6e0599b60c29e Mon Sep 17 00:00:00 2001 
From: marciocloudflare Date: Mon, 7 Apr 2025 10:16:47 +0100 Subject: [PATCH 15/35] refined text --- .../rules/dynamic-threshold.mdx | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index 90d8c460b979cf5..73f31cb203172e0 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx @@ -2,7 +2,7 @@ title: Dynamic threshold rule pcx_content_type: how-to sidebar: - order: 1 + order: 2 badge: text: Beta --- @@ -24,7 +24,7 @@ A dynamic threshold rule can only be configured via [Cloudflare's Magic Network | **Target** | Can be defined in either bits per second or packets per second. | | **Sensitivity** | Z-Score sensitivity has three values: low, medium, and high. | | **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#TO-DO). | -| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | +| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes). | ## API documentation 
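Review bot: in the changed **Rule IP prefix** row, the example `160.168.0.1/24` has host bits set, so it is a host address with a /24 mask rather than the network address of a range. The row says the value "Must be a CIDR range", so use `160.168.0.0/24` to keep the example valid under strict CIDR validation when a reader copies it. The unchanged **Auto-advertisement** row above it still links to `/magic-network-monitoring/rules/rule-notifications/#TO-DO`, a placeholder anchor that should be resolved before this merges.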
@@ -34,8 +34,12 @@ You can visit [developers.cloudflare.com/api](/api), navigate to [Magic Network Dynamic thresholds for this rule type are calculated using a statistical measure called Z-Score. The dynamic threshold for this rule will automatically adjust based on your traffic history as this rule uses statistical analysis to detect traffic anomalies. Z-Score is calculated by comparing short-term traffic patterns (five-minute time window) against long-term baselines (four-hour time window) . -Z-Score is calculated by using the following formula: Z \= (X \- μ) / σ +Z-Score is calculated by using the following formula: -* X \= Current traffic value -* μ \= Mean traffic value over the long window -* σ \= Standard deviation over the long window \ No newline at end of file +```txt +Z = (X - μ) / σ +``` + +- `X` = Current traffic value. +- `μ` = Mean traffic value over the long window. +- `σ` = Standard deviation over the long window. \ No newline at end of file From 3e60d976fc0ca9e8c9b99726ae1b4a6762054f9c Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:19:20 +0100 Subject: [PATCH 16/35] added sflow rule --- .../rules/s-flow-ddos-attack.mdx | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx diff --git a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx new file mode 100644 index 000000000000000..fa64859a9e254c3 --- /dev/null +++ b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx 
@@ -0,0 +1,36 @@ +--- +title: sFlow DDoS attack rule +pcx_content_type: how-to +sidebar: + order: 3 + badge: + text: Beta +--- + +Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. Magic Network Monitoring uses the same DDoS attack detection rules that protect Cloudflare's global network to generate these alerts for customers. + +Only customers that send sFlow data to Cloudflare can configure a sFlow DDoS attack rule. + +An sFlow DDoS attack rule can only be configured via Cloudflare’s API. Today, customers are unable to configure a sFlow DDoS attack rule in the Cloudflare dashboard. + +# Send sFlow data from your network to Cloudflare + +Customers can export sFlow data of their network traffic to Cloudflare via Magic Network Monitoring. There are [specific brands and models](https://developers.cloudflare.com/magic-network-monitoring/routers/supported-routers/) of routers that are capable of generating sFlow data. Make sure to check the router specifications to ensure that it is able to export sFlow data. Customers can follow this [sFlow configuration guide](https://developers.cloudflare.com/magic-network-monitoring/routers/sflow-config/) to configure sFlow exports to Magic Network Monitoring. + +# Rule configuration fields + +| Field | Description | +| :---- | :---- | +| **Rule name** | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (\_), dash (-), period (.), and tilde (\~). Max 256 characters. | +| **Rule type** | advanced\_ddos | +| **Prefix Match** | The field “prefix\_match” determines how IP matches are handled Recommended: Subnet: Automatically advertise if the attacked IPs are within a subnet of a public IP prefix that can be advertised by Magic Transit. 
Other prefix match options: Exact: Automatically advertise if the attacked IPs are an exact match with a public IP prefix that can be advertised by Magic Transit. | +| **Auto-advertisement** | If you are a [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule’s dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). | +| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | + +# API documentation + +You can visit [developers.cloudflare.com/api](http://developers.cloudflare.com/api), navigate to [Magic Network Monitoring](https://developers.cloudflare.com/api/resources/magic_network_monitoring/), and expand the [Rules](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. + +# Tune the sFlow DDoS alert thresholds + +Customers can tune the thresholds of their sFlow DDoS alerts in the dashboard and via the Cloudflare API by following the [Network-layer DDoS Attack Protection managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/) guide. \ No newline at end of file From 27f5b9e8851063af68a20d8b212dca9a410e3c2b Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:19:49 +0100 Subject: [PATCH 17/35] corrected url --- .../magic-network-monitoring/rules/s-flow-ddos-attack.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx index fa64859a9e254c3..f1cc5d6b5a6b0de 100644 --- a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx +++ b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx 
@@ -11,11 +11,11 @@ Magic Network Monitoring customers that send sFlow data to Cloudflare can receiv Only customers that send sFlow data to Cloudflare can configure a sFlow DDoS attack rule. -An sFlow DDoS attack rule can only be configured via Cloudflare’s API. Today, customers are unable to configure a sFlow DDoS attack rule in the Cloudflare dashboard. +An sFlow DDoS attack rule can only be configured via Cloudflare's API. Today, customers are unable to configure a sFlow DDoS attack rule in the Cloudflare dashboard. -# Send sFlow data from your network to Cloudflare +## Send sFlow data from your network to Cloudflare -Customers can export sFlow data of their network traffic to Cloudflare via Magic Network Monitoring. There are [specific brands and models](https://developers.cloudflare.com/magic-network-monitoring/routers/supported-routers/) of routers that are capable of generating sFlow data. Make sure to check the router specifications to ensure that it is able to export sFlow data. Customers can follow this [sFlow configuration guide](https://developers.cloudflare.com/magic-network-monitoring/routers/sflow-config/) to configure sFlow exports to Magic Network Monitoring. +Customers can export sFlow data of their network traffic to Cloudflare via Magic Network Monitoring. There are [specific brands and models](/magic-network-monitoring/routers/supported-routers/) of routers that are capable of generating sFlow data. Make sure to check the router specifications to ensure that it is able to export sFlow data. Customers can follow this [sFlow configuration guide](/magic-network-monitoring/routers/sflow-config/) to configure sFlow exports to Magic Network Monitoring. # Rule configuration fields From 3a1320173d6bd9f6e9372650b4d97a75b222ee22 Mon Sep 17 00:00:00 2001 
From: marciocloudflare Date: Mon, 7 Apr 2025 10:20:46 +0100 Subject: [PATCH 18/35] refined text --- .../magic-network-monitoring/rules/s-flow-ddos-attack.mdx | 6 +++--- .../magic-network-monitoring/rules/static-threshold.mdx | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx index f1cc5d6b5a6b0de..9dde6e643f3cd0b 100644 --- a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx +++ b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx 
@@ -17,12 +17,12 @@ An sFlow DDoS attack rule can only be configured via Cloudflare's API. Today, cu Customers can export sFlow data of their network traffic to Cloudflare via Magic Network Monitoring. There are [specific brands and models](/magic-network-monitoring/routers/supported-routers/) of routers that are capable of generating sFlow data. Make sure to check the router specifications to ensure that it is able to export sFlow data. Customers can follow this [sFlow configuration guide](/magic-network-monitoring/routers/sflow-config/) to configure sFlow exports to Magic Network Monitoring. -# Rule configuration fields +## Rule configuration fields | Field | Description | | :---- | :---- | -| **Rule name** | Must be unique and cannot contain spaces. Supports characters A-Z, a-z, 0-9, underscore (\_), dash (-), period (.), and tilde (\~). Max 256 characters. | -| **Rule type** | advanced\_ddos | +| **Rule name** | Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`). Maximum of 256 characters. | +| **Rule type** | advanced_ddos | | **Prefix Match** | The field “prefix\_match” determines how IP matches are handled Recommended: Subnet: Automatically advertise if the attacked IPs are within a subnet of a public IP prefix that can be advertised by Magic Transit. Other prefix match options: Exact: Automatically advertise if the attacked IPs are an exact match with a public IP prefix that can be advertised by Magic Transit. | | **Auto-advertisement** | If you are a [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule’s dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). 
| | **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | diff --git a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx index c696cd39566731c..e0ce595bb6cda3c 100644 --- a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx @@ -14,7 +14,7 @@ Customers that send NetFlow and / or sFlow data to Cloudflare can configure stat | Field | Description | | :---- | :---- | | **Rule name** | Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`). Maximum of 256 characters. | -| **Rule type** | Threshold | +| **Rule type** | threshold | | **Rule threshold type** | Can be defined in either bits per second or packets per second. | | **Rule threshold** | The number of bits per second or packets per second for the rule alert. When this value is exceeded for the rule duration, an alert notification is sent. Minimum of `1` and no maximum. | | **Rule duration** | The amount of time in minutes the rule threshold must exceed to send an alert notification. Choose from the following values: `1`, `5`, `10`, `15`, `20`, `30`, `45`, or `60` minutes. | From 3736236bb219bda0eb7edcd65379643700818be7 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:23:21 +0100 Subject: [PATCH 19/35] refined text --- .../magic-network-monitoring/rules/s-flow-ddos-attack.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx index 9dde6e643f3cd0b..2ed139d78cff06c 100644 
--- a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx +++ b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx @@ -23,9 +23,9 @@ Customers can export sFlow data of their network traffic to Cloudflare via Magic | :---- | :---- | | **Rule name** | Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`). Maximum of 256 characters. | | **Rule type** | advanced_ddos | -| **Prefix Match** | The field “prefix\_match” determines how IP matches are handled Recommended: Subnet: Automatically advertise if the attacked IPs are within a subnet of a public IP prefix that can be advertised by Magic Transit. Other prefix match options: Exact: Automatically advertise if the attacked IPs are an exact match with a public IP prefix that can be advertised by Magic Transit. | -| **Auto-advertisement** | If you are a [Magic Transit On Demand](https://developers.cloudflare.com/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule’s dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/). | -| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | +| **Prefix Match** | The field `prefix_match` determines how IP matches are handled.
**Recommended**: Subnet — Automatically advertise if the attacked IPs are within a subnet of a public IP prefix that can be advertised by Magic Transit.
**Other prefix match options**: Exact — Automatically advertise if the attacked IPs are an exact match with a public IP prefix that can be advertised by Magic Transit. | +| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/api/resources/magic_network_monitoring/subresources/rules/). | +| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes). | # API documentation From 3b4896a8cc609adb15169002d2c7ebd6c4cca9e1 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:24:20 +0100 Subject: [PATCH 20/35] refined text --- .../magic-network-monitoring/rules/s-flow-ddos-attack.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx index 2ed139d78cff06c..0c327861ae3d17f 100644 --- a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx +++ b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx 
@@ -27,10 +27,10 @@ Customers can export sFlow data of their network traffic to Cloudflare via Magic | **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/api/resources/magic_network_monitoring/subresources/rules/). | | **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes). | -# API documentation +## API documentation -You can visit [developers.cloudflare.com/api](http://developers.cloudflare.com/api), navigate to [Magic Network Monitoring](https://developers.cloudflare.com/api/resources/magic_network_monitoring/), and expand the [Rules](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. +You can visit [developers.cloudflare.com/api](/api), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. -# Tune the sFlow DDoS alert thresholds +## Tune the sFlow DDoS alert thresholds -Customers can tune the thresholds of their sFlow DDoS alerts in the dashboard and via the Cloudflare API by following the [Network-layer DDoS Attack Protection managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/) guide. 
\ No newline at end of file +Customers can tune the thresholds of their sFlow DDoS alerts in the dashboard and via the Cloudflare API by following the [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/) guide. \ No newline at end of file From 836937a5e64aaebacca425bd1541061ed58723d0 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:31:05 +0100 Subject: [PATCH 21/35] added ul --- .../docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx index 0c327861ae3d17f..96a6e8d3dad3939 100644 --- a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx +++ b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx @@ -23,7 +23,7 @@ Customers can export sFlow data of their network traffic to Cloudflare via Magic | :---- | :---- | | **Rule name** | Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`). Maximum of 256 characters. | | **Rule type** | advanced_ddos | -| **Prefix Match** | The field `prefix_match` determines how IP matches are handled.
**Recommended**: Subnet — Automatically advertise if the attacked IPs are within a subnet of a public IP prefix that can be advertised by Magic Transit.
**Other prefix match options**: Exact — Automatically advertise if the attacked IPs are an exact match with a public IP prefix that can be advertised by Magic Transit. | +| **Prefix Match** | The field `prefix_match` determines how IP matches are handled.
  • **Recommended**
    • **Subnet**: Automatically advertise if the attacked IPs are within a subnet of a public IP prefix that can be advertised by Magic Transit.
  • **Other prefix match options**
    • **Exact**: Automatically advertise if the attacked IPs are an exact match with a public IP prefix that can be advertised by Magic Transit.
| | **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/api/resources/magic_network_monitoring/subresources/rules/). | | **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes). | From cf752ee2f8d8e806969d5c4c83433e37bd5fc753 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:32:28 +0100 Subject: [PATCH 22/35] added rule notifications --- .../rules/rule-notifications.mdx | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx diff --git a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx new file mode 100644 index 000000000000000..31f8a180e1901cf --- /dev/null +++ b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx 
@@ -0,0 +1,33 @@ +--- +title: Configure rule notifications +pcx_content_type: how-to +sidebar: + order: 4 +--- + +After configuring one or multiple rule types in Magic Network Monitoring, customers can also choose to receive notifications via email, webhook, or PagerDuty when a rule is triggered. + +Customers can configure multiple rule types and alerts together to create layers of DDoS protection based on their network environment and their security needs. + +You can read [Cloudflare’s Notifications documentation](https://developers.cloudflare.com/notifications/) for more information on our notification platform including: + +* [Configure Cloudflare notifications](https://developers.cloudflare.com/notifications/get-started/) +* [Configure PagerDuty](https://developers.cloudflare.com/notifications/get-started/configure-pagerduty/) +* [Configure webhooks](https://developers.cloudflare.com/notifications/get-started/configure-webhooks/) +* [Test a notification](https://developers.cloudflare.com/notifications/get-started/#test-a-notification) +* [Notification History](https://developers.cloudflare.com/notifications/notification-history/) + +# MNM notification configuration fields + +| Field | Description | +| :---- | :---- | +| **Notification name** | The name of the Magic Network Monitoring notification for the rule type that was selected. | +| **Description (optional)** | The description of the Magic Network Monitoring notification. | +| **Webhooks** | The webhook(s) that will receive the Magic Network Monitoring notification. | +| **Notification email** | The email(s) that will receive the Magic Network Monitoring notification. | + +# Rule Auto-Advertisement notifications + +Webhook, PagerDuty, and email notifications are sent following an auto-advertisement attempt for all prefixes inside the flagged rule. + +You will receive the status of the advertisement for each prefix with the following available statuses: 
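Review bot: the new file ends on "You will receive the status of the advertisement for each prefix with the following available statuses:" with no list after it, so the page as added in this commit stops mid-thought. Include the status list here or hold the sentence back until the list is ready. The links in this hunk also use absolute `https://developers.cloudflare.com/...` URLs and the section headings are at `#` level, where earlier commits in this series moved the sibling pages to root-relative links and `##` headings. "MNM" appears in a heading without being expanded first.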
From 2b96af55aaabde2dac11eebc5c8c7d7832b2c045 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:33:23 +0100 Subject: [PATCH 23/35] refined text --- .../rules/rule-notifications.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx index 31f8a180e1901cf..05fd355c03f2e56 100644 --- a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx +++ b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx 
@@ -9,13 +9,13 @@ After configuring one or multiple rule types in Magic Network Monitoring, custom Customers can configure multiple rule types and alerts together to create layers of DDoS protection based on their network environment and their security needs. -You can read [Cloudflare’s Notifications documentation](https://developers.cloudflare.com/notifications/) for more information on our notification platform including: +You can read [Cloudflare's Notifications documentation](/notifications/) for more information on our notification platform including: -* [Configure Cloudflare notifications](https://developers.cloudflare.com/notifications/get-started/) -* [Configure PagerDuty](https://developers.cloudflare.com/notifications/get-started/configure-pagerduty/) -* [Configure webhooks](https://developers.cloudflare.com/notifications/get-started/configure-webhooks/) -* [Test a notification](https://developers.cloudflare.com/notifications/get-started/#test-a-notification) -* [Notification History](https://developers.cloudflare.com/notifications/notification-history/) +- [Configure Cloudflare notifications](/notifications/get-started/) +- [Configure PagerDuty](/notifications/get-started/configure-pagerduty/) +- [Configure webhooks](/notifications/get-started/configure-webhooks/) +- [Test a notification](/notifications/get-started/#test-a-notification) +- [Notification History](/notifications/notification-history/) # MNM notification configuration fields From 2fe88db65ee626d347eb0f8e92ec0e0e28d2b459 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:34:56 +0100 Subject: [PATCH 24/35] refined text --- .../rules/rule-notifications.mdx | 54 ++++++++++++++++--- 1 file changed, 48 insertions(+), 6 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx index 05fd355c03f2e56..9fe8f76a6501172 100644 
--- a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx +++ b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx 
@@ -17,17 +17,59 @@ You can read [Cloudflare's Notifications documentation](/notifications/) for mor - [Test a notification](/notifications/get-started/#test-a-notification) - [Notification History](/notifications/notification-history/) -# MNM notification configuration fields +## Magic Network Monitoring notification configuration fields | Field | Description | | :---- | :---- | -| **Notification name** | The name of the Magic Network Monitoring notification for the rule type that was selected. | -| **Description (optional)** | The description of the Magic Network Monitoring notification. | -| **Webhooks** | The webhook(s) that will receive the Magic Network Monitoring notification. | -| **Notification email** | The email(s) that will receive the Magic Network Monitoring notification. | +| **Notification name** | The name of the Magic Network Monitoring notification (MNM) for the rule type that was selected. | +| **Description (optional)** | The description of the MNM notification. | +| **Webhooks** | The webhook(s) that will receive the MNM notification. | +| **Notification email** | The email(s) that will receive the MNM notification. | -# Rule Auto-Advertisement notifications +## Rule Auto-Advertisement notifications Webhook, PagerDuty, and email notifications are sent following an auto-advertisement attempt for all prefixes inside the flagged rule. You will receive the status of the advertisement for each prefix with the following available statuses: + +- **Advertised**: The prefix was successfully advertised. +- **Already Advertised**: The prefix was advertised prior to the auto advertisement attempt. +- **Delayed**: The prefix cannot currently be advertised but will attempt advertisement. After the prefix can be advertised, a new notification is sent with the updated status. +- **Locked**: The prefix is locked and cannot be advertised. +- **Could not Advertise**: Cloudflare was unable to advertise the prefix. 
This status can occur for multiple reasons, but usually occurs when you are not allowed to advertise a prefix. +- **Error**: A general error occurred during prefix advertisement. + +Refer to [Notifications](https://developers.cloudflare.com/magic-network-monitoring/notifications/) to learn how to create one. + +# Configure static threshold notifications + +To configure static threshold notifications: + +1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. +2. Go to **Notifications**, and select **Add**. +3. Select **Magic Transit** from the product dropdown menu. +4. Find the **Magic Network Monitoring: Volumetric Attack** alert, and select **Select**. +5. Fill in the notification configuration details. +6. Select **Save**. + +# Configure dynamic threshold notifications + +To configure dynamic threshold notifications: + +1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. +2. Go to **Notifications**, and select **Add**. +3. Select **Magic Transit** from the product dropdown menu. +4. Find the **Magic Network Monitoring: Volumetric Attack** alert, and select **Select**. +5. Fill in the notification configuration details. +6. Select **Save**. + +# Configure sFlow DDoS attack notifications + +To configure sFlow DDoS attack notifications: + +1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. +2. Go to **Notifications**, and select **Add**. +3. Select **Magic Transit** from the product dropdown menu. +4. Find the **Magic Network Monitoring: DDoS Attack** alert, and select **Select**. +5. Fill in the notification configuration details. +6. Select **Save**. \ No newline at end of file From dc67623f12f78a08b0e3c797147190442f6566bf Mon Sep 17 00:00:00 2001 
From: marciocloudflare Date: Mon, 7 Apr 2025 10:36:05 +0100 Subject: [PATCH 25/35] refined text --- .../rules/rule-notifications.mdx | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx index 9fe8f76a6501172..546174d2787dc30 100644 --- a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx +++ b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx 
@@ -39,36 +39,36 @@ You will receive the status of the advertisement for each prefix with the follow - **Could not Advertise**: Cloudflare was unable to advertise the prefix. This status can occur for multiple reasons, but usually occurs when you are not allowed to advertise a prefix. - **Error**: A general error occurred during prefix advertisement. -Refer to [Notifications](https://developers.cloudflare.com/magic-network-monitoring/notifications/) to learn how to create one. +Refer to [Notifications](/magic-network-monitoring/notifications/) to learn how to create one. -# Configure static threshold notifications +## Configure static threshold notifications To configure static threshold notifications: -1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. -2. Go to **Notifications**, and select **Add**. +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. +2. Go to **Notifications** > **Add**. 3. Select **Magic Transit** from the product dropdown menu. 4. Find the **Magic Network Monitoring: Volumetric Attack** alert, and select **Select**. 5. Fill in the notification configuration details. 6. Select **Save**. -# Configure dynamic threshold notifications +## Configure dynamic threshold notifications To configure dynamic threshold notifications: -1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. -2. Go to **Notifications**, and select **Add**. +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. +2. Go to **Notifications** > **Add**. 3. Select **Magic Transit** from the product dropdown menu. 4. Find the **Magic Network Monitoring: Volumetric Attack** alert, and select **Select**. 5. Fill in the notification configuration details. 6. Select **Save**. 
-# Configure sFlow DDoS attack notifications +## Configure sFlow DDoS attack notifications To configure sFlow DDoS attack notifications: -1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account. -2. Go to **Notifications**, and select **Add**. +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. +2. Go to **Notifications** > **Add**. 3. Select **Magic Transit** from the product dropdown menu. 4. Find the **Magic Network Monitoring: DDoS Attack** alert, and select **Select**. 5. Fill in the notification configuration details. From 53e4dfd06dcf30a4462e16f6495ef3761216aa08 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:37:08 +0100 Subject: [PATCH 26/35] refined links --- .../docs/magic-network-monitoring/rules/dynamic-threshold.mdx | 2 +- .../docs/magic-network-monitoring/rules/static-threshold.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index 73f31cb203172e0..e351af00d03e879 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx 
@@ -23,7 +23,7 @@ A dynamic threshold rule can only be configured via [Cloudflare's Magic Network | **Rule type** | zscore | | **Target** | Can be defined in either bits per second or packets per second. | | **Sensitivity** | Z-Score sensitivity has three values: low, medium, and high. | -| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#TO-DO). | +| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#rule-auto-advertisement-notifications). | | **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes). | ## API documentation diff --git a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx index e0ce595bb6cda3c..b42ca48e0553ef5 100644 --- a/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/static-threshold.mdx 
@@ -18,7 +18,7 @@ Customers that send NetFlow and / or sFlow data to Cloudflare can configure stat | **Rule threshold type** | Can be defined in either bits per second or packets per second. | | **Rule threshold** | The number of bits per second or packets per second for the rule alert. When this value is exceeded for the rule duration, an alert notification is sent. Minimum of `1` and no maximum. | | **Rule duration** | The amount of time in minutes the rule threshold must exceed to send an alert notification. Choose from the following values: `1`, `5`, `10`, `15`, `20`, `30`, `45`, or `60` minutes. | -| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule alert is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#TO-DO). | +| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule alert is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#rule-auto-advertisement-notifications). | | **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. Max is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes) section. | ## API documentation From b5fd79c16908dbc68d9c66818da78f0c873df4b4 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:49:47 +0100 Subject: [PATCH 27/35] refined text --- .../magic-network-monitoring/rules/dynamic-threshold.mdx | 2 +- src/content/docs/magic-network-monitoring/rules/index.mdx | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index e351af00d03e879..1c6dd628790a1f8 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx @@ -9,7 +9,7 @@ sidebar: A dynamic threshold rule (beta) will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent. -Dynamic thresholds are calculated using a [statistical measure called z-score (also referred to as standard score)](https://en.wikipedia.org/wiki/Standard_score). You can visit the section on [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more. +Dynamic thresholds are calculated using a statistical measure called [z-score](https://en.wikipedia.org/wiki/Standard_score) (also referred to as standard score). You can visit the section on [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more. Customers that send NetFlow and / or sFlow data to Cloudflare can configure dynamic threshold rules. diff --git a/src/content/docs/magic-network-monitoring/rules/index.mdx b/src/content/docs/magic-network-monitoring/rules/index.mdx index 0374a5a503965d3..4607485642f4f80 100644 --- a/src/content/docs/magic-network-monitoring/rules/index.mdx +++ b/src/content/docs/magic-network-monitoring/rules/index.mdx 
@@ -15,9 +15,9 @@ There are three different types of rules that can be configured within Magic Net | Rule Type | Rule Description | Rule Availability | | :---- | :---- | :---- | -| Dynamic threshold (recommended) | A dynamic threshold rule will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. | API configuration only | -| Static threshold | A static threshold rule allows you to define a constant numeric threshold, in terms of bits or packets, for DDoS traffic monitoring. | API configuration and dashboard configuration | -| sFlow DDoS attack | Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. | API configuration only Only applicable to sFlow data sets | +| [Dynamic threshold](/magic-network-monitoring/rules/dynamic-threshold/) (recommended) | A dynamic threshold rule will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. | API configuration only | +| [Static threshold](/magic-network-monitoring/rules/static-threshold/) | A static threshold rule allows you to define a constant numeric threshold, in terms of bits or packets, for DDoS traffic monitoring. | API configuration and dashboard configuration | +| [sFlow DDoS attack](/magic-network-monitoring/rules/s-flow-ddos-attack/) | Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. | API configuration only. Only applicable to sFlow data sets | ## Create rules in the dashboard 
@@ -47,7 +47,7 @@ To create a new rule: 2. Go to **Analytics & Logs** > **Magic Monitoring**. 3. Select **Configure Magic Network Monitoring**. 4. Find the static threshold rule you want to edit, and select **Edit**. -5. Edit the appropriate fields. Refer to [Rule fields](/magic-network-monitoring/rules/#rule-fields) for more information on what each field does. +5. Edit the appropriate fields. Refer to [Rule configuration fields](/magic-network-monitoring/rules/static-threshold/#rule-configuration-fields) for more information on what each field does. 6. Select **Save** when you are finished. ## Delete rules in the dashboard From 2d40bc76f05abc32488ff851632fd343832f9ff5 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:50:48 +0100 Subject: [PATCH 28/35] refined url --- .../docs/magic-network-monitoring/rules/dynamic-threshold.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index 1c6dd628790a1f8..da9c3abc7715183 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx 
@@ -28,7 +28,7 @@ A dynamic threshold rule can only be configured via [Cloudflare's Magic Network ## API documentation -You can visit [developers.cloudflare.com/api](/api), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. +You can visit [developers.cloudflare.com/api/](/api/), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. ## How the dynamic rule threshold is calculated From dacf4abbcc998ed11380e68b229e6de17fae4b9b Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:51:47 +0100 Subject: [PATCH 29/35] refined text --- .../docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx index 96a6e8d3dad3939..686dfe4fb9e8de7 100644 --- a/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx +++ b/src/content/docs/magic-network-monitoring/rules/s-flow-ddos-attack.mdx 
@@ -29,7 +29,7 @@ Customers can export sFlow data of their network traffic to Cloudflare via Magic ## API documentation -You can visit [developers.cloudflare.com/api](/api), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. +You can visit [developers.cloudflare.com/api/](/api/), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. ## Tune the sFlow DDoS alert thresholds From 458233ea8d8be51513803354dcc75894a7fb0c1a Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:54:36 +0100 Subject: [PATCH 30/35] deleted old notification page --- .../magic-network-monitoring/notifications.mdx | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 src/content/docs/magic-network-monitoring/notifications.mdx diff --git a/src/content/docs/magic-network-monitoring/notifications.mdx b/src/content/docs/magic-network-monitoring/notifications.mdx deleted file mode 100644 index 9891a184e0ff9a4..000000000000000 --- a/src/content/docs/magic-network-monitoring/notifications.mdx +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -title: Notifications -pcx_content_type: how-to -sidebar: - order: 6 - ---- - -You can receive Magic Network Monitoring notifications via email, PagerDuty, or webhooks. - -For more information on receiving notifications via PagerDuty or using webhooks, refer to [Create a notification](/notifications/get-started/#create-a-notification). - -1. Log in to your [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. -2. Select **Notifications** > **Add**. -3. Locate **Magic Transit** > **Magic Network Monitoring: Volumetric Attack** in the list, and choose **Select** to add a notification. -4. Enter a name and description for the notification. -5. Add an email address for the person who should receive the notification. -6. Select **Create** when you are done. From 66f174c7437fd664ad8c1d07041db07a6e374cd8 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:56:10 +0100 Subject: [PATCH 31/35] added redirects --- public/__redirects | 3 +++ 1 file changed, 3 insertions(+) diff --git a/public/__redirects b/public/__redirects index 4f4e27950ef997a..40bccf4c7328ad4 100644 --- a/public/__redirects +++ b/public/__redirects @@ -791,6 +791,9 @@ # magic-network-monitoring /magic-network-monitoring/routers/ /magic-network-monitoring/routers/supported-routers/ 301 /magic-network-monitoring/tutorials/ /magic-network-monitoring/tutorials/graphql-analytics/ 301 +/magic-network-monitoring/rules/recommended-rule-configuration/ /magic-network-monitoring/rules/static-threshold/ 301 +/magic-network-monitoring/rules/sflow-ddos-alerts/ /rules/configure-rule-notifications/ 301 +/magic-network-monitoring/notifications/ /rules/rule-notifications/ 301 # magic-transit /magic-transit/magic-firewall/ /magic-firewall/ 301 From b47f8b0a90fdb4effc0c90fd81df65fa98945536 Mon Sep 17 00:00:00 2001 
From: marciocloudflare Date: Mon, 7 Apr 2025 10:58:15 +0100 Subject: [PATCH 32/35] corrected link --- src/content/docs/magic-network-monitoring/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-network-monitoring/index.mdx b/src/content/docs/magic-network-monitoring/index.mdx index ec10ad12688d40b..7b3752eb6c4cb74 100644 --- a/src/content/docs/magic-network-monitoring/index.mdx +++ b/src/content/docs/magic-network-monitoring/index.mdx @@ -52,7 +52,7 @@ Magic Transit On Demand customers can use Magic Network Monitoring to enable DDo - + Set up notifications to learn about an attack. From b2e27d250acf757f3809cb2d2b073409c581ed53 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 10:58:19 +0100 Subject: [PATCH 33/35] refined text --- .../docs/magic-network-monitoring/rules/rule-notifications.mdx | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx index 546174d2787dc30..9eb9b6a6ba9d482 100644 --- a/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx +++ b/src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx @@ -39,8 +39,6 @@ You will receive the status of the advertisement for each prefix with the follow - **Could not Advertise**: Cloudflare was unable to advertise the prefix. This status can occur for multiple reasons, but usually occurs when you are not allowed to advertise a prefix. - **Error**: A general error occurred during prefix advertisement. -Refer to [Notifications](/magic-network-monitoring/notifications/) to learn how to create one. - ## Configure static threshold notifications To configure static threshold notifications: From 469fc78a16d3c453783fcd2eb89469b5f3d0488e Mon Sep 17 00:00:00 2001 
From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Date: Mon, 7 Apr 2025 12:38:59 +0100 Subject: [PATCH 34/35] Apply suggestions from code review Co-authored-by: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> --- .../magic-network-monitoring/rules/dynamic-threshold.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index da9c3abc7715183..21a78e9eb3d5280 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx 
@@ -9,9 +9,9 @@ sidebar: A dynamic threshold rule (beta) will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent. -Dynamic thresholds are calculated using a statistical measure called [z-score](https://en.wikipedia.org/wiki/Standard_score) (also referred to as standard score). You can visit the section on [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more. +Dynamic thresholds are calculated using a statistical measure called [z-score](https://en.wikipedia.org/wiki/Standard_score) (also referred to as standard score). Review [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more. -Customers that send NetFlow and / or sFlow data to Cloudflare can configure dynamic threshold rules. +Customers that send NetFlow and/or sFlow data to Cloudflare can configure dynamic threshold rules. A dynamic threshold rule can only be configured via [Cloudflare's Magic Network Monitoring Rules API](/api/resources/magic_network_monitoring/subresources/rules/). Today, customers are unable to configure dynamic threshold rules in the Cloudflare dashboard. 
@@ -24,11 +24,11 @@ A dynamic threshold rule can only be configured via [Cloudflare's Magic Network | **Target** | Can be defined in either bits per second or packets per second. | | **Sensitivity** | Z-Score sensitivity has three values: low, medium, and high. | | **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#rule-auto-advertisement-notifications). | -| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes). | +| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and review an example, refer to the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes). | ## API documentation -You can visit [developers.cloudflare.com/api/](/api/), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response. +to review an example API configuration call using CURL and the expected output for a successful response, go to [Magic Network Monitoring](/api/resources/magic_network_monitoring/) in [developers.cloudflare.com/api/](/api/) and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section. ## How the dynamic rule threshold is calculated 
From 23523eae058fdd3785bb9540dec8fd66730276bf Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 7 Apr 2025 12:40:16 +0100 Subject: [PATCH 35/35] refined text --- .../docs/magic-network-monitoring/rules/dynamic-threshold.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx index 21a78e9eb3d5280..28424f7b0de1463 100644 --- a/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx +++ b/src/content/docs/magic-network-monitoring/rules/dynamic-threshold.mdx @@ -9,7 +9,7 @@ sidebar: A dynamic threshold rule (beta) will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent. -Dynamic thresholds are calculated using a statistical measure called [z-score](https://en.wikipedia.org/wiki/Standard_score) (also referred to as standard score). Review [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more. +Dynamic thresholds are calculated using a statistical measure called [Z-score](https://en.wikipedia.org/wiki/Standard_score) (also referred to as standard score). Review [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more. Customers that send NetFlow and/or sFlow data to Cloudflare can configure dynamic threshold rules.
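Review bot: In rule-notifications.mdx (PATCH 01/35), the added "Configure static threshold notifications" and "Configure dynamic threshold notifications" sections are step-for-step identical, both ending at the **Magic Network Monitoring: Volumetric Attack** alert. Either merge them into one section that covers both threshold rule types or say what differs for dynamic rules, so readers do not compare the two lists looking for a difference. In the same hunk, the fields table puts the abbreviation after the wrong noun ("Magic Network Monitoring notification (MNM)"); it should read "Magic Network Monitoring (MNM) notification". The file also ends without a trailing newline.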
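Review bot: In public/__redirects (PATCH 31/35), the last two added targets, `/rules/configure-rule-notifications/` and `/rules/rule-notifications/`, drop the `/magic-network-monitoring` prefix that the first added line and the existing entries in this block carry, so they point outside the product's docs tree. The notifications page touched in this series is `src/content/docs/magic-network-monitoring/rules/rule-notifications.mdx`, and no `configure-rule-notifications` page appears in the visible patches, so both targets look like they should be `/magic-network-monitoring/rules/rule-notifications/`. Please also confirm that the old `sflow-ddos-alerts` URL is meant to land on the notifications page rather than on `/magic-network-monitoring/rules/s-flow-ddos-attack/`.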
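Review bot: In dynamic-threshold.mdx (PATCH 34/35), the rewritten sentence under "API documentation" starts with a lowercase "to review an example API configuration call"; capitalize it. The same sentence in s-flow-ddos-attack.mdx still uses the older "You can visit ..." wording from PATCH 29/35, so apply the rewrite to both pages or neither. In the **Rule IP prefix** row, "refer to the [Rule IP prefixes](...)" lost its noun; static-threshold.mdx ends the equivalent sentence with "section". The example `160.168.0.1/24` in that row has host bits set; if the API expects a network address, `160.168.0.0/24` would be a safer example to copy.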
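Review bot: In dynamic-threshold.mdx (PATCH 35/35), the intro now capitalizes "Z-score", but the **Sensitivity** row in the same file reads "Z-Score sensitivity" and the **Rule type** value is `zscore`. Pick one prose spelling ("Z-score" or "z-score") and use it in the table as well, keeping `zscore` only where it is the literal API value.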