Enable Intrusion Detection System (IDS)
Cloudflare’s IDS takes advantage of the threat intelligence powered by our global network and extends the capabilities of the Cloudflare Firewall to monitor and protect your network from malicious actors.
You can enable IDS through the dashboard or via the API.
- Log in to your Cloudflare dashboard, and select your account.
- Select Magic Firewall > IDS.
- Enable IDS.
To start using IDS via the API, first create a new root ruleset in the magic_transit_ids_managed phase containing a single enabled rule that executes the managed IDS ruleset.
- Follow the instructions in the Rulesets Engine page to list all rulesets for your account. You should see a ruleset with phase magic_transit_ids_managed and kind managed. If it is not there, contact your account team. The ID of this managed ruleset is used in the next step.
- Create a new root ruleset with a single rule in the magic_transit_ids_managed phase by running:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "name": "IDS Execute ruleset",
  "description": "Ruleset to enable IDS",
  "kind": "root",
  "phase": "magic_transit_ids_managed",
  "rules": [
    {
      "enabled": true,
      "expression": "true",
      "action": "execute",
      "description": "enable ids",
      "action_parameters": { "id": "${managed_ruleset_id}" }
    }
  ]
}'
With this ruleset added, IDS starts inspecting packets and reporting anomalous traffic. Next, configure Logpush to receive the details of the traffic it flags.
- Use the rule created in the previous step to enable or disable IDS. The Rulesets API documentation describes how to patch a rule. For example, the following PATCH request, which sets the enabled field to false, disables IDS. The ruleset ID and rule ID are those of the root ruleset and rule created in the previous step.
curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_ruleset_id}/rules/{rule_id} \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "enabled": false,
  "expression": "true",
  "action": "execute",
  "action_parameters": { "id": "${managed_ruleset_id}" }
}'
Similarly, sending a PATCH request with the enabled field set to true enables IDS again.
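The whole API procedure above (list rulesets to find the managed IDS ruleset, create the root ruleset with one execute rule, then PATCH that rule to turn IDS off or on), as an added Python example that is not part of this page or of Cloudflare's own tooling. It assumes an API token sent as an Authorization: Bearer header (the curl requests above use the X-Auth-Email/X-Auth-Key pair instead), that the account rulesets listing also shows an existing root ruleset for the phase (so the script reuses it rather than trying to create a second one), and that the rule-update response returns the whole updated ruleset. The FakeAccount class and its IDs (mrs0000, root0001, rule1) are constructed stand-ins so the script runs offline; leave the transport at its default to talk to the real API.

```python
"""Enable or disable Cloudflare Magic Firewall IDS through the Rulesets API."""
import json
import urllib.request
from typing import Any, Callable, Optional

API_BASE = "https://api.cloudflare.com/client/v4"
IDS_PHASE = "magic_transit_ids_managed"  # the IDS phase used in the page's requests

# A transport is (method, url, json_body_or_None, headers) -> parsed JSON response.
Transport = Callable[[str, str, Optional[dict], dict], dict]


def http_transport(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    """Real transport: send the request with urllib and return the parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_managed_ruleset_id(rulesets: list) -> str:
    """From the 'result' of GET /accounts/{account_id}/rulesets, return the managed
    IDS ruleset ID. Its absence means IDS is not provisioned (contact the account team)."""
    for rs in rulesets:
        if rs.get("phase") == IDS_PHASE and rs.get("kind") == "managed":
            return rs["id"]
    raise LookupError(f"no kind=managed ruleset in phase {IDS_PHASE}")


def find_root_ruleset_id(rulesets: list) -> Optional[str]:
    """Return the account's existing root ruleset for the IDS phase, if one exists."""
    for rs in rulesets:
        if rs.get("phase") == IDS_PHASE and rs.get("kind") == "root":
            return rs["id"]
    return None


def execute_rule(managed_id: str, enabled: bool) -> dict:
    """The page's single rule: unconditionally execute the managed IDS ruleset."""
    return {"enabled": enabled, "expression": "true", "action": "execute",
            "description": "enable ids", "action_parameters": {"id": managed_id}}


def root_ruleset_body(managed_id: str) -> dict:
    """Body of the POST that creates the root ruleset with IDS enabled."""
    return {"name": "IDS Execute ruleset", "description": "Ruleset to enable IDS",
            "kind": "root", "phase": IDS_PHASE, "rules": [execute_rule(managed_id, True)]}


def ids_enabled(root_ruleset: dict) -> bool:
    """IDS is on iff the root ruleset carries an enabled execute rule."""
    return any(r.get("action") == "execute" and r.get("enabled", True)
               for r in root_ruleset.get("rules", []))


class MagicIDS:
    def __init__(self, account_id: str, api_token: str, transport: Transport = http_transport):
        self.base = f"{API_BASE}/accounts/{account_id}/rulesets"
        self.headers = {"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str = "", body: Optional[dict] = None) -> Any:
        resp = self.transport(method, self.base + path, body, self.headers)
        if not resp.get("success", False):
            raise RuntimeError(f"{method} {path or '/'} failed: {resp.get('errors')}")
        return resp["result"]

    def ensure_root(self) -> tuple:
        """Return (root_ruleset_id, rule_id, managed_ruleset_id); create the root ruleset
        only if the account has none yet, otherwise fetch it to learn its rule ID."""
        rulesets = self._call("GET")
        managed_id = find_managed_ruleset_id(rulesets)
        root_id = find_root_ruleset_id(rulesets)
        root = self._call("POST", body=root_ruleset_body(managed_id)) if root_id is None \
            else self._call("GET", f"/{root_id}")
        rule_id = next(r["id"] for r in root["rules"] if r.get("action") == "execute")
        return root["id"], rule_id, managed_id

    def set_enabled(self, enabled: bool) -> bool:
        """PATCH the execute rule and report the resulting IDS state."""
        root_id, rule_id, managed_id = self.ensure_root()
        updated = self._call("PATCH", f"/{root_id}/rules/{rule_id}", execute_rule(managed_id, enabled))
        return ids_enabled(updated)


class FakeAccount:
    """Constructed stand-in for the API: one managed IDS ruleset and no root ruleset yet."""
    def __init__(self):
        self.rulesets = {"mrs0000": {"id": "mrs0000", "kind": "managed", "phase": IDS_PHASE}}
        self.calls = []  # (method, path) pairs, for inspection

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url.removeprefix(API_BASE)))
        parts = url.split("/rulesets", 1)[1].strip("/").split("/")  # [""], [id] or [id, "rules", rule]
        if method == "GET" and parts == [""]:
            return {"success": True, "result": list(self.rulesets.values())}
        if method == "GET":
            return {"success": True, "result": self.rulesets[parts[0]]}
        if method == "POST":
            rs = {**body, "id": "root0001", "rules": [{**r, "id": f"rule{i}"} for i, r in enumerate(body["rules"], 1)]}
            self.rulesets[rs["id"]] = rs
            return {"success": True, "result": rs}
        if method == "PATCH":
            rs = self.rulesets[parts[0]]
            rs["rules"] = [{**body, "id": r["id"]} if r["id"] == parts[2] else r for r in rs["rules"]]
            return {"success": True, "result": rs}
        return {"success": False, "errors": [{"message": "unsupported in fake"}]}


if __name__ == "__main__":
    ids = MagicIDS("0123456789abcdef", "example-token", transport=FakeAccount())
    print("IDS enabled:", ids.set_enabled(True))
    print("IDS enabled:", ids.set_enabled(False))
```

Keeping the ruleset lookup, the request bodies and the state check as plain functions means the same code can be driven from an automation job or audited against the real API responses; the fake only exercises the control flow.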
Next steps
You must configure Logpush to log detected risks. Refer to Configure a Logpush destination for more information. Additionally, all traffic that is analyzed can be accessed via network analytics. Refer to GraphQL Analytics to query the analytics data.