Diagnose traffic decisions
When traffic is unexpectedly blocked, multiple Cloudflare systems could be responsible. This guide walks you through identifying what is blocking your traffic and how to resolve it.
Traffic passing through Cloudflare's network is evaluated by several independent security systems in the following sequence:
- Network-layer DDoS protection: This layer manages DDoS rulesets.
- Advanced TCP protection: Cloudflare carries out stateful TCP inspection, known as flowtrackd.
- Network Firewall: Your custom and managed firewall rules.
Each system operates independently. Traffic blocked by an earlier system never reaches later systems for evaluation.
To diagnose blocked traffic, use Network Analytics to identify which system is blocking the traffic and why. If Network Analytics does not provide enough information, you can use packet captures for deeper analysis.
Before making changes, gather the following information:
- What traffic is affected? Check source IP, destination IP, ports, and protocols.
- When did the issue start?
- Were any configuration changes made recently?
- Is this affecting all traffic or specific flows?
- Check Cloudflare Status for any ongoing incidents.

- Log in to the Cloudflare dashboard.
- Under Protect & Connect, go to Insights > Network analytics.
- In the All Traffic tab, select Add filter.
- Configure the filter:
  - Select Action > equals > Drop
- Select Apply.
- Filter the time range to when the issue occurred.
- Add additional filters if you know the affected traffic characteristics (such as Source IP, Destination IP, and more).
- To identify the blocking system: In the Packet Summary graph, select the three dots > Mitigation system. This tells you which Cloudflare system blocked the traffic.
If the mitigation system displays DDoS Managed Ruleset, the traffic was blocked by the DDoS Managed Ruleset. Note the Rule ID and Rule Name fields to identify which specific rule triggered.
- At the top of Network analytics, select DDoS managed rules.
- Make sure to include any relevant filters to identify the traffic and to narrow down the time range to the relevant issue timing.
- In the Packets summary graph, select the three dots, then choose Rule. The dashboard will show you the rules that were acting on your traffic.
- To resolve: Adjust the DDoS managed rule sensitivity or create an override for the affected traffic pattern.
If the mitigation system displays TCP Protection, the traffic was blocked by TCP Protection. Refer to the Mitigation Reason field to understand why TCP Protection dropped it.
To resolve, create an Advanced TCP Protection allowlist or filter to bypass protection for the affected traffic.
If your traffic was blocked by your Network Firewall configuration:
- At the top of Network analytics, select the Firewall tab.
- Make sure to include any relevant filters to identify the traffic and to narrow down the time range to the relevant issue timing.
- In the Packets summary graph, select the three dots, then choose Rule. The dashboard will show you the rules that were acting on your traffic.
- Review your Network Firewall policies and adjust the rule order or expressions as needed.
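The triage above can also be run over drop records you have copied out of Network Analytics. The following is an added example, not Cloudflare code: the record field names, rule identifiers and sample rows are constructed assumptions, and the system labels are the ones this page uses. It groups drops for an affected source range by mitigation system and lists them in evaluation order, so the earliest blocking system is reviewed first.

```python
import ipaddress
from collections import Counter

# Evaluation order described on this page. A drop in an earlier system means
# later systems never evaluated that traffic.
PIPELINE = ["DDoS Managed Ruleset", "TCP Protection", "Network Firewall"]

# Constructed sample rows. Field names are assumptions, not an export schema.
# "detail" stands for the Rule ID (DDoS, firewall) or Mitigation Reason (TCP).
SAMPLE = [
    {"src": "198.51.100.7", "action": "Drop", "system": "Network Firewall", "detail": "example-fw-rule", "packets": 40},
    {"src": "198.51.100.9", "action": "Drop", "system": "DDoS Managed Ruleset", "detail": "example-ddos-rule", "packets": 900},
    {"src": "198.51.100.9", "action": "Pass", "system": "", "detail": "", "packets": 120},
    {"src": "203.0.113.5", "action": "Drop", "system": "TCP Protection", "detail": "example-reason", "packets": 300},
    {"src": "198.51.100.20", "action": "Drop", "system": "TCP Protection", "detail": "example-reason", "packets": 15},
]

def triage(rows, affected_cidr):
    """Return (system, detail, packets) for drops from affected_cidr, in pipeline order."""
    net = ipaddress.ip_network(affected_cidr)
    drops = Counter()
    for row in rows:
        if row["action"] != "Drop":
            continue  # only dropped traffic is relevant to this diagnosis
        if ipaddress.ip_address(row["src"]) not in net:
            continue  # outside the affected source range
        drops[(row["system"], row["detail"])] += row["packets"]

    def order(item):
        (system, _detail), packets = item
        # Unknown labels sort last; within one system, largest drop count first.
        idx = PIPELINE.index(system) if system in PIPELINE else len(PIPELINE)
        return (idx, -packets)

    return [(s, d, n) for (s, d), n in sorted(drops.items(), key=order)]

def first_blocker(rows, affected_cidr):
    """Earliest system in the pipeline that dropped the affected traffic, or None."""
    result = triage(rows, affected_cidr)
    return result[0][0] if result else None

if __name__ == "__main__":
    for system, detail, packets in triage(SAMPLE, "198.51.100.0/24"):
        print(f"{system:22} {detail:18} {packets} packets dropped")
    print("Review first:", first_blocker(SAMPLE, "198.51.100.0/24"))
```

When more than one system appears in the output, an allowlist or rule change in a later system has no effect on flows that the earlier system is already dropping.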
If you cannot identify the issue from Network Analytics, use packet captures to inspect the actual traffic:
- Log in to the Cloudflare dashboard.
- Under Protect & Connect, go to Insights > Network health.
- Go to Diagnostics, and configure a packet capture filter matching the affected traffic. Try to be as specific as possible to avoid generating too many packet capture files.
- Analyze the captured packets to understand traffic characteristics.
- Compare against your rule configurations.
| Scenario | Symptoms | Likely cause | Recommended action |
|---|---|---|---|
| Partner traffic blocked | Specific source IP blocked | DDoS or ATP sensitivity | Allowlist partner IP ranges in both systems |
| New rule not working | Traffic still passes | Rule order (earlier rule matches first) | Adjust rule priority or refine the matching criteria |
| Traffic blocked after change | Sudden drops after configuration change | Rule misconfiguration | Review recent changes and revert to the last version |