Cloudflare freebie will help customers shield against the next Log4j

Cloudflare has announced that its WAF (Web Application Firewall) Managed Ruleset is coming to all users, completely free. 

The company’s firewall, described as the “core component” of the Cloudflare platform, is one of the most used products in its portfolio, blocking more than 650,000 malicious HTTP requests per second (to a total of 57 billion cyber threats a day).

Cloudflare users on the free plan are already being protected, the company added. In the coming weeks and months, all free zone plan users will also get access to the Cloudflare WAF user interface in the dashboard, where they will be able to deploy and configure the new ruleset.

Keeping up with updates and patches

Those interested in accessing the broader set of WAF rulesets (such as Cloudflare Managed Rules, Cloudflare OWASP Core Ruleset and Cloudflare Leaked Credential Check Ruleset), or advanced WAF features, will still need to upgrade at least to the PRO plan. 

“Small application owners and teams don’t always have the time to keep up with fast-moving security-related patches, causing many applications to be compromised and/or used for nefarious purposes,” Cloudflare’s Michael Tremante said in a blog post announcing the change.

“High profile vulnerabilities have a major impact across the Internet affecting organizations of all sizes. We’ve recently seen this with Log4J, but even before that, major vulnerabilities such as Shellshock and Heartbleed have left scars across the Internet.”

While the ruleset is deployed on all new Cloudflare zones by default, it is “specifically designed” to reduce false positives as much as possible, Tremante further claims, adding that customers will be able to disable the ruleset if necessary.

Further configuration and filtering are also possible. To start, the ruleset comes with these rules: Log4J rules matching payloads in the URI and HTTP headers; Shellshock rules; and rules matching very common WordPress exploits.

When a rule is matched, the service will generate an event, viewable in the Security Overview tab.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.