GraphQL Analytics
Use the GraphQL Analytics API to review data for Magic Firewall network traffic related to rules matching your traffic. This contains both rules you configured in the Magic Firewall dashboard, and the rules managed by Cloudflare as a part of Magic Firewall Managed rules and Magic Firewall IDS features.
Before you begin, you must have an API token. For additional help getting started with GraphQL Analytics, refer to GraphQL Analytics API.
To construct a Magic Firewall GraphQL query for an object, you will need a Cloudflare Account ID
- Log in to the Cloudflare dashboard ↗, and select your account.
- The URL in your browser's address bar should show
https://dash.cloudflare.com/
followed by a hex string. The hex string is your Cloudflare Account ID.
To construct queries to gather analytics for a particular rule, you need the rule ID for each firewall rule.
- Log in to your Cloudflare dashboard ↗, and select you account.
- Select Magic Firewall.
- Locate the rule you need the rule ID for from the list, and select Edit.
- Locate the Rule ID, and select the copy button.
- Select Cancel to return to the Magic Firewall page.
In this section, you will run a test query to retrieve a five minute count of all configured Magic Firewall rules within five minute intervals. You can copy and paste the code below into GraphiQL.
For additional information about the Analytics schema, refer to Explore the Analytics schema with GraphiQL.
Use the example below to display the total number of packets and bits for the top ten suspected malicious traffic streams within the last hour. After receiving the results, you can sort by packet rates with a five minute average.
For each stream, display the:
- Source and destination IP addresses
- Ingress Cloudflare data centers that received it
- Total traffic volume in bits and packets received within the hour
- Actions taken by the firewall rule
Use the example below to display the total number of packets and bits for the top 10 traffic streams that Magic Firewall IDS has detected in the last hour.
By setting verdict
to drop
and outcome
as pass
, we are filtering for traffic that was marked as a detection (i.e. verdict was drop) but was not dropped (for example, outcome was pass
). This is because currently, Magic Firewall IDS only detects malicious traffic but does not drop the traffic.
For each stream, display the:
- Source and destination IP addresses.
- Ingress Cloudflare data centers that received it.
- Total traffic volume in bits and packets received within the hour.
Alternatively, to inspect all traffic that was analyzed, but grouped into malicious traffic and other traffic, the example below can be used. The response will contain two entries for each five minute timestamp. verdict
will be set to drop
for malicious traffic, and verdict
will be set to pass
for traffic that did not match any of the IDS rules.