Skip to content

[Magic Firewall] Restructure IA #26096

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Oct 30, 2025
+2,041 −18
Merged

[Magic Firewall] Restructure IA #26096

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
2f894c4
[Magic Firewall] Restructure IA
Maddy-Cloudflare Oct 27, 2025
2cd67eb
Adding more files
Maddy-Cloudflare Oct 29, 2025
bdbed63
Add enable managed rules + fix links
Maddy-Cloudflare Oct 30, 2025
1421137
Add remaining pages
Maddy-Cloudflare Oct 30, 2025
b2c145c
Fix ordering
Maddy-Cloudflare Oct 30, 2025
4163214
Add packet filtering + fix broken link
Maddy-Cloudflare Oct 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/content/changelog/magic-firewall/2024-10-02-custom-rule-search.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,4 @@ The Magic Firewall dashboard now allows you to search custom rules using the rul

Additionally, the rule ID URL link has been added to Network Analytics.

For more details about rules, refer to [Add rules](/magic-firewall/how-to/add-rules/).
For more details about rules, refer to [Add rules](/cloudflare-one/traffic-policies/packet-filtering/add-rules/).
22 changes: 22 additions & 0 deletions src/content/docs/cloudflare-one/changelog/magic-firewall.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
---
pcx_content_type: changelog
title: Magic Firewall
---

import { ProductChangelog } from "~/components";

{/* <!-- Actual content lives in /src/content/changelog/magic-firewall/. Update the file there for new entries to appear here. For more details, refer to https://developers.cloudflare.com/style-guide/documentation-content-strategy/content-types/changelog/#yaml-file --> */}

<ProductChangelog product="magic-firewall" hideEntry="2024-06-16-cloudflare-one"/>

## 2024-09-12

**New UI improvements**

The dashboard now displays the order number of custom rules, and improved drag and drop functionality. You can also preview rules on a side panel without leaving the current page.

## 2024-08-16

**Magic Firewall Analytics Rule Log Enhancement**

Customers who create a rule in a disabled mode will see the rule as **Log (rule disabled)**.
97 changes: 97 additions & 0 deletions src/content/docs/cloudflare-one/insights/logs/filter-views.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
---
title: Filter different views
pcx_content_type: how-to

---

You can utilize different [Log filters](/logs/logpush/logpush-job/filters/) to only view specific data from Magic Firewall.

## Filter by enabled or disabled rules

Use the filter examples below to filter your Magic Firewall traffic to display events for enabled or disabled rules.

The example below only displays fields relevant to Magic Firewall, and the filter only displays events for disabled rules.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
...
"output_options": {
"field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
},
"filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"pass\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"drop\"}]}]}}"
}'
```

The example below only displays fields relevant to Magic Firewall, and the filter only displays events for enabled rules.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
...
"output_options": {
"field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
},
"filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"or\":[{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"drop\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"pass\"}]}]}]}}"
}'
```

## Filter by allowed or blocked traffic

Use the filter examples below to filter your Magic Firewall traffic to display events for allowed or blocked traffic.

The example below only displays fields relevant to Magic Firewall, and the filter only displays events where no explicit action was taken, for example, a packet "fell through" Magic Firewall. This example does not have any rules applied.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
...
"output_options": {
"field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
},
"filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"eq\",\"value\":\"\"}]}}"
}'
```

The example below only displays fields relevant to Magic Firewall, and the filter only displays events where explicit action was taken. The example includes both enabled and disabled Magic Firewall rules.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
...
"output_options": {
"field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
},
"filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"}]}}"
}'
```

## Filter by relevant fields to Magic Firewall

Use the examples below to filter out fields that are not relevant to traffic flowing through Magic Firewall. The example below only includes Magic Firewall events.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
...
"output_options": {
"field_names": ["ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol","IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict"],
},
"filter": "{\"where\":{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"}}"
}'
```
21 changes: 21 additions & 0 deletions src/content/docs/cloudflare-one/insights/logs/use-logpush-with-ids.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
---
title: Use Logpush with IDS
pcx_content_type: concept

---

You can use Logpush with Magic Firewall IDS to log detected risks:

1. Consult the [Logpush Destination docs](/logs/logpush/logpush-job/api-configuration/#destination) to learn about what destinations Logpush supports. The documentation will also instruct you on how to correctly format the destination URL for Logpush.

2. Follow the [Manage Lopush with cURL](/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job.

## Notes on using Logpush with IDS

* Magic IDS is an account-scoped dataset. This means the string `/zone/<ZONE_ID>` in the Cloudflare API URLs in the tutorial should be replaced with `/account/<ACCOUNT_ID>`.

* Consult the [Magic IDS Detection fields doc](/logs/logpush/logpush-job/datasets/account/magic_ids_detections/) to know what fields you want configured for the job.

* When creating the Logpush job, the dataset field should equal `magic_ids_detections`.

* Timestamps by default are unixnano. Consult the [Logpush Options docs](/logs/logpush/logpush-job/api-configuration/#options) to learn what format you can choose that will be compatible with your destination and/or expectations. Note that all options must be added *after* all fields you want from the Logpush job, akin to URL parameters.
219 changes: 219 additions & 0 deletions ...content/docs/cloudflare-one/insights/network-visibility/diagnostics/buckets.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,219 @@
---
title: Buckets
pcx_content_type: how-to
sidebar:
order: 3
---

import { GlossaryTooltip, TabItem, Tabs, DashButton } from "~/components";

Before you can begin a full <GlossaryTooltip term="data packet">packet</GlossaryTooltip> capture, you must first configure a bucket that Cloudflare can use to upload your files. Setting up a bucket is not required for sample packet captures.

You can configure an Amazon S3 or Google Cloud Platform bucket to use as a target. You can also [use R2](#r2) as a target using the API.

## Set up a bucket

Learn how to set up a bucket for use with full packet captures.

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In the [Cloudflare One](https://one.dash.cloudflare.com) dashboard, go to **Network visibility** > **Diagnostics**.
2. Select the **Buckets** tab > **Add a bucket**.
3. Select a bucket service and select **Next**.
4. Enter the information related to your bucket for your service provider.
5. When you are done, select **Next**.

The **Prove ownership** step of the **Bucket configuration** displays.

</TabItem> <TabItem label="API">

Before you can begin using a bucket, you must first enable destinations.

Refer to the [Amazon S3](/logs/logpush/logpush-job/enable-destinations/aws-s3/#create-and-get-access-to-an-s3-bucket) or [Google Cloud Storage](/logs/logpush/logpush-job/enable-destinations/google-cloud-storage/#create-and-get-access-to-a-gcs-bucket) documentation and follow the steps for those specific services.

</TabItem> </Tabs>

Next, validate the bucket and confirm ownership.

## Validate a bucket

After the initial bucket set up, you need to confirm you own the bucket via an ownership challenge. After you validate your bucket, you can begin using it to collect full packet captures.

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. From the **Prove ownership** step of the **Bucket configuration**, locate the **Ownership token** field.
2. In the **Ownership token** field, enter the ownership token for your service provider.
3. When you are done, select **Create**. The **Packet captures** page displays.

The **Buckets** tab displays a list of the buckets associated with your account. Refer to the **Status** column to see the status of your bucket configuration.

</TabItem> <TabItem label="API">

The `bucket` field should be the URI of the bucket. For Amazon S3, the `bucket` field is in the form `s3://<bucket-name>/<directory>?region=<bucket-region>`, and for Google Cloud Storage the form is `gs://<bucket-name>/<directory>`.

```bash title="Ownership challenge request example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"destination_conf": "'${bucket}'"
}'
```

The response has a `"filename"` parameter which contains the content of the `ownership-challenge` text. Find the file in your bucket and copy the contents of the file.

```json title="Ownership challenge response example"
{
"result": {
"id": "cc20c2d6c62e11ecbe646b173af3b6b9",
"status": "pending",
"submitted": "2022-04-22T18:54:13.397413Z",
"validated": "",
"destination_conf": "gs://bucket-test", // Ensure you use a bucket that you created and registered in the Cloudflare dashboard.
"filename": "ownership-challenge-1234.txt"
},
"success": true,
"errors": [],
"messages": []
}
```

Validate the bucket by inserting the copied text in the `ownership_text` below:

```bash title="Bucket validation example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership/validate \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"destination_conf": "'${bucket}'",
"ownership_challenge": "'${ownership_text}'"
}'
```

```json title="Bucket validation response"
{
"result": {
"id": "cc20c2d6c62e11ecbe646b173af3b6b9",
"status": "success",
"submitted": "2022-04-22T18:54:13.397413Z",
"validated": "2022-04-27T14:54:46.440548Z",
"destination_conf": "gs://<bucket-name>", // Ensure you use a bucket that you created and registered in the Cloudflare dashboard
"filename": "ownership-challenge-1234.txt"
},
"success": true,
"errors": [],
"messages": []
}
```

If the `status` shows `success`, the bucket is configured and ready to use.

</TabItem> </Tabs>

The bucket status displays one of the following options:

- **Success:** The bucket is fully verified and ready to use.
- **Pending:** The challenge response was initiated but is pending verification. Bucket verification can take five to ten minutes to finish processing.
- **Failed:** The bucket could not be validated. If this occurs, verify your ownership information.

## List configured buckets

View a list of all buckets configured on your account.

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In the Cloudflare One dashboard, go to the **Packet captures** page in Magic Transit or Magic WAN.

To set up a packet capture in Magic Transit: <DashButton url="/?to=/:account/magic-transit/packet-captures/captures" />

To set up a packet capture in Magic WAN: <DashButton url="/?to=/:account/magic-wan/packet-captures/captures" />
2. In **Packet captures**, select **Start a capture**.
3. Select the **Buckets** tab.

The list of buckets associated with your account displays.

</TabItem> <TabItem label="API">

```bash title="Bucket list request example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
```

```json title="Bucket list response example"
{
"result": [
{
"id": "9a993aa6c58711ec89d3037647342e63",
"status": "success",
"submitted": "2022-04-26T16:58:24.550762Z",
"validated": "2022-04-26T17:01:18.426458Z",
"destination_conf": "s3://test-bucket?region=us-east-1",
"filename": "ownership-challenge-1234.txt"
}
],
"success": true,
"errors": [],
"messages": []
}
```

</TabItem> </Tabs>

To learn how to collect packet captures, refer to [Collect packet captures](/magic-firewall/packet-captures/collect-pcaps/).

## R2

To start collecting packet captures with R2, you first need to configure it properly. For all the required details, refer to the [Cloudflare R2](/r2/) documentation.

### Create bucket and API token

1. In the Cloudflare One dashboard, go to the **R2** page.

<DashButton url="/?to=/:account/r2/overview" />

2. Select **Create bucket**.
3. Give your bucket a name > **Create bucket**.
4. Go to the R2 Overview page, and select **Manage R2 API Tokens**.
5. Select **Create API Token**.
6. In **Permissions**, choose **Object Read & Write**. Make sure you also select **Apply to specific buckets only**, and select the bucket you have created for PCAPs from the drop-down menu.
7. Select **Create API Token**.
8. Make sure you copy the **Secret Access Key** and **Access Key ID** values, as you will need them for the next step.

### Create initial request

Create your initial request to R2:

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"destination_conf": "r2://<BUCKET_NAME>?account-id=<ACCOUNT_ID>&access-key-id=<R2_ACCESS_KEY_ID>&secret-access-key=<R2_SECRET_ACCESS_KEY>"
}'
```

The [response](/api/resources/magic_transit/subresources/pcaps/subresources/ownership/methods/create/) has a `"filename"` parameter with the name of a file that Cloudflare wrote to your R2 bucket. You need to download it for the next step. Example:

```json
{
"errors": [],
"messages": [],
"result": {
"destination_conf": "<YOUR_R2_BUCKET>",
"filename": "ownership-challenge-9883874ecac311ec8475433579a6bf5f.txt",
"id": "9883874ecac311ec8475433579a6bf5f",
"status": "success",
"submitted": "2020-01-01T08:00:00Z",
"validated": "2020-01-01T08:00:00Z"
},
"success": true
}
```

### Validate bucket ownership

Refer to the [Validate a bucket](#validate-a-bucket) API instructions for more details on the entire process to [validate your R2 bucket](/api/resources/magic_transit/subresources/pcaps/subresources/ownership/methods/validate/). When specifying the R2 destination for this validation, exclude the secret and access keys from the URL.
Loading
Loading