Advanced DDoS Protection setup
Follow the steps below to get started with Advanced DDoS Protection systems.

1. Configure initial thresholds

   When you get access to Advanced DDoS Protection systems, there are no configured thresholds in your account. Thresholds are based on your network’s individual behavior, derived from your traffic profile as monitored by Cloudflare. Defining the thresholds effectively determines what the High, Medium, and Low sensitivities will be for your specific case.

   Ask your Implementation Manager to configure initial threshold values. Once thresholds are configured, the Implementation Manager will let you know that Advanced DDoS Protection systems have been initialized and can be configured and enabled.

2. Add prefixes

   Add the prefixes you would like to use with Advanced TCP and DNS Protection. You can register prefixes that you previously onboarded to Magic Transit, or a subset of those prefixes. You cannot add unapproved prefixes to Advanced DDoS Protection systems; contact your account team for help with prefix approvals.

3. Create rules

   Create a rule for SYN Flood Protection and another rule for Out-of-state TCP Protection, both with global scope and in monitoring mode. These rules will apply to all received packets.

   Optionally, you can create filters for each protection system component (SYN flood protection and out-of-state TCP protection). A filter modifies Advanced TCP Protection’s execution mode for all incoming packets matching an expression: monitoring, mitigation (enabled), or disabled.

4. Add prefixes to the allowlist

   Add prefixes to the allowlist if their traffic should bypass Advanced DDoS Protection rules. The allowlist only applies to source IPs; it does not apply to your own IPs or prefixes. To exclude a subset of an onboarded prefix from Advanced TCP Protection, refer to Exclude a prefix or a prefix subset.

5. Enable the feature

   - Log in to the Cloudflare dashboard ↗ and select your account.
   - Go to L3/4 DDoS > Advanced Protection > General settings.
   - Under General settings, toggle the feature status On.
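A pre-flight check for the prefix and allowlist steps above, as an added Python example (not Cloudflare's code): it confirms that every prefix you plan to register is one of your Magic Transit prefixes or a subset of one, and flags allowlist entries that overlap your own prefixes, which would have no effect because the allowlist matches source IPs only. The prefix values are constructed samples, not real customer data.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: prefixes previously onboarded to Magic Transit (documentation ranges).
MAGIC_TRANSIT_PREFIXES = ["203.0.113.0/24", "198.51.100.0/22"]


def _networks(prefixes: Iterable[str]):
    # strict=True rejects entries with host bits set, e.g. "203.0.113.5/24".
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def check_protection_prefixes(candidates: Iterable[str],
                              onboarded: Iterable[str] = MAGIC_TRANSIT_PREFIXES) -> List[str]:
    """Return candidates that are NOT an onboarded prefix or a subset of one.

    Advanced TCP/DNS Protection only accepts prefixes onboarded to Magic Transit
    or subsets of them, so anything returned here would be rejected.
    """
    onboarded_nets = _networks(onboarded)
    rejected = []
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=True)
        # subnet_of() raises on mixed IP versions, so compare versions first.
        covered = any(net.version == o.version and net.subnet_of(o) for o in onboarded_nets)
        if not covered:
            rejected.append(cand)
    return rejected


def check_allowlist(allowlist: Iterable[str],
                    onboarded: Iterable[str] = MAGIC_TRANSIT_PREFIXES) -> List[str]:
    """Return allowlist entries that overlap your own onboarded prefixes.

    The allowlist applies to source IPs only; listing your own prefixes there
    does not exclude them from protection (use the prefix-exclusion feature instead).
    """
    onboarded_nets = _networks(onboarded)
    ineffective = []
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=True)
        if any(net.version == o.version and net.overlaps(o) for o in onboarded_nets):
            ineffective.append(entry)
    return ineffective


def preflight(candidates: Iterable[str], allowlist: Iterable[str],
              onboarded: Iterable[str] = MAGIC_TRANSIT_PREFIXES) -> Dict[str, List[str]]:
    """Summarise both checks; an empty dict means the plan is consistent with the rules above."""
    problems = {}
    bad_prefixes = check_protection_prefixes(candidates, onboarded)
    bad_allowlist = check_allowlist(allowlist, onboarded)
    if bad_prefixes:
        problems["not_onboarded"] = bad_prefixes
    if bad_allowlist:
        problems["allowlist_overlaps_own_prefixes"] = bad_allowlist
    return problems
```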