Post prefix advertisement monitoring and fine tuning
On this page, you can find suggestions to monitor your prefix advertisements and fine-tune them.
These rules are based on a seven-day rolling window. We recommend reviewing the logs from these adaptive rules in Network Analytics seven days after your last prefix advertisement.
If you see matches for legitimate traffic, consider lowering the sensitivity of the rule and then review the logs again. Once you are satisfied that legitimate traffic is not being flagged, create a DDoS override for this rule with action as DDOS Dynamic or Block.
For both Advanced TCP Protection and Advanced DNS Protection, your Cloudflare account team will need to configure manual thresholds for your account, based on your ingress traffic.
Once all your prefixes are advertised and/or once all your expected traffic is cut over to the Magic Transit prefixes, reach out to your Cloudflare account team to have the thresholds configured.
You can then change the mode on your Advanced TCP and DNS protections from monitoring to mitigation. You can also create a filter for monitoring mode for any traffic flows for which you see false positives. Try to keep this specific so that the protection is enabled for other inbound traffic flows.
We strongly encourage you to ensure you have a Magic Firewall ruleset configured and customized to your environment to help stop unwanted and attack traffic.
You can configure Magic Firewall rules and keep them in disabled mode to review the traffic that would have matched, using verdict = drop and the rule ID within Network Analytics. Once you are satisfied that the rule is blocking/permitting the intended traffic, you can change the mode to enabled.
Refer to Magic Firewall's best practices for configuration guidance and suggestions.
- Ensure all teams/members needing to receive these are getting the alerts.
- Check the Magic Tunnel Health Check Alert configuration for Sensitivity and Alert interval and tunnels in-scope.
- Refer to Set up Magic Tunnel health alerts and DDoS alerts for more details.
- Enable Logpush to your Security Information and Event Management (SIEM).
- Enable Magic Firewall's Intrusion Detection System (IDS). Requires Logpush and is only available for accounts with Advanced Magic Firewall.
- Use Magic Network Monitoring for visibility into traffic on your non-Magic Transit prefixes, using NetFlow or sFlow from your CPEs.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark