Configuring the BlueApp for Cloudflare

Role Availability Read-Only Investigator Analyst Manager

Cloudflare Enterprise customers have access to the Cloudflare Logs service, which is a Representational State Transfer (REST) API used to consume request logs over HTTP. This REST API includes a method for accessing a domain’s request logs using a client API key.

When the BlueApp for Cloudflare is enabled and connected to your Cloudflare Enterprise service, the predefined, scheduled job collects log data from Cloudflare every 20 minutes. After USM Anywhere collects and analyzes the first of these events, you can view them on the Events page.

Getting Your Cloudflare API Key

Before you can use the BlueApp for Cloudflare to collect and analyze Cloudflare log data within USM Anywhere, you must have an API key that can be used to connect to your Cloudflare service. Cloudflare issues an API key for a specific user account and all requests with that key act on behalf of that user.

To acquire the API key for Cloudflare

  1. Go to the Cloudflare Managing API Tokens and Keys page and follow the View API Key instructions.
  2. Copy the Global API Key value to be entered in USM Anywhere.

Enabling the BlueApp for Cloudflare API Connection

After you have your Cloudflare API key value, you're ready to enable the BlueApp for Cloudflare in USM Anywhere.

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Enter the connection information for your Cloudflare service:

    Configure the Cloudflare app's settings

    • Email: Enter the email for the Cloudflare user account to use for API authentication.
    • Cloudflare API Key: Click Change Cloudflare API Key and enter the API key value associated with that user account.
    • Zones: (Optional.) If you want to limit the zones from which the BlueApp pulls data, list here the identifications (IDs) of the zones you want the app to pull from. To pull from all zones, leave this field blank or enter all.
  7. Click Save.
  8. Verify the connection.

    After USM Anywhere completes a successful connection to the Cloudflare APIs, a success icon displays in the Health column.

    If an error icon displays instead, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Cloudflare connection.

BlueApp Log Collection

Once the BlueApp has been configured, you can choose to have USM Anywhere collect logs from the app on a regular basis.

To configure log collection for the BlueApp

  1. Go to Settings > Scheduler.
  2. In the Job Scheduler, search for the BlueApp on the sensor to which it was deployed.
  3. In the enabled column, click the icon for the inactive collection job.

    The icon turns green, and collection is enabled.

  4. (Optional.) Click the icon to customize the frequency of the event collection.

Scaling BlueApp for Cloudflare Across Multiple Sensors

If you have multiple zones managed in Cloudflare and those zones are outputting so many events that they overwhelm the USM Anywhere Sensor, you may want to consider scaling your zones across multiple sensors. If you find that the BlueApp for Cloudflare is often entering throttling mode, this may be a sign that you should scale to multiple sensors. See Understanding the Status of the Cloudflare App for more information about throttling mode.

To distribute the load of your BlueApp for Cloudflare across multiple sensors, divide your zones among the sensors so that no sensor receives more than a total of 1000 events per second (EPS).

Note: If any single zone is producing 1000 EPS or more, its data will still be throttled to reduce the load. This scaling will not be able to prevent throttling due to a single zone's high EPS.

To configure your sensor to monitor specific zones

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. From the sensor drop-down list, select the first sensor you want to configure.
  6. Enter the connection information for your Cloudflare service.
  7. In the Zones field, list only the zones you want this sensor to monitor.
  8. Go to Settings > Scheduler and enable the Collect Cloudflare events job that corresponds to that sensor.
  9. Repeat steps 4 through 8 to configure another sensor to monitor a different zone.

Important: If you do not assign a zone to any sensor, it will not be monitored unless one of your sensors is configured to monitor all zones.
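
The following planning sketch is an added example, not part of the product or its documentation. It applies the 1000 EPS per-sensor rule above with a first-fit-decreasing heuristic, isolates any zone that will be throttled on its own, and lists zones that no sensor would monitor. The zone names and EPS figures are constructed placeholders; substitute your own zone IDs and measured peak rates.

```python
from typing import Dict, Iterable, List, NamedTuple

SENSOR_EPS_LIMIT = 1000  # per-sensor ceiling stated on this page


class Plan(NamedTuple):
    sensors: List[List[str]]  # zone IDs to list in each sensor's Zones field
    loads: List[float]        # summed EPS per sensor
    throttled: List[str]      # zones at or above the limit on their own


def plan_zones(zone_eps: Dict[str, float],
               limit: float = SENSOR_EPS_LIMIT) -> Plan:
    sensors: List[List[str]] = []
    loads: List[float] = []
    throttled: List[str] = []
    isolated = set()  # indexes of sensors dedicated to one throttled zone
    # First-fit decreasing: place the busiest zones first.
    for zone, eps in sorted(zone_eps.items(), key=lambda kv: (-kv[1], kv[0])):
        if eps >= limit:
            # Throttled whatever the layout; keep it away from other zones.
            throttled.append(zone)
            isolated.add(len(sensors))
            sensors.append([zone])
            loads.append(eps)
            continue
        for i, load in enumerate(loads):
            if i not in isolated and load + eps <= limit:
                sensors[i].append(zone)
                loads[i] += eps
                break
        else:
            sensors.append([zone])  # nothing had room: add a sensor
            loads.append(eps)
    return Plan(sensors, loads, throttled)


def unmonitored(all_zones: Iterable[str], plan: Plan) -> List[str]:
    """Zones in the account inventory that no sensor in the plan covers."""
    assigned = {z for group in plan.sensors for z in group}
    return sorted(set(all_zones) - assigned)


# Constructed sample data (placeholder zone names, assumed peak EPS).
SAMPLE_EPS = {"zone-a": 1200, "zone-b": 600, "zone-c": 450,
              "zone-d": 350, "zone-e": 300, "zone-f": 150}

if __name__ == "__main__":
    plan = plan_zones(SAMPLE_EPS)
    for n, (zones, load) in enumerate(zip(plan.sensors, plan.loads), 1):
        print(f"sensor {n}: {zones} ({load} EPS)")
    print("throttled:", plan.throttled)
    print("unmonitored:", unmonitored(list(SAMPLE_EPS) + ["zone-g"], plan))
```

A zone that appears in the unmonitored list is a gap in log coverage unless one sensor is configured to monitor all zones.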