If you are using CloudFlare (the CDN) and want to add our WAF/Firewall protection to your website, this guide should help you get that configured.

There are two known issues you should be aware of before proceeding:

1) Sucuri Firewall (D)DoS Protection will still work when CloudFlare is in place; however, we are unable to block (D)DoS attackers' IP addresses using the IDS (Intrusion Detection System) because the IP addresses hitting us are from CloudFlare, which we can't block at the network level. This network design limitation decreases the efficiency of the (D)DoS Protection.

2) Let's Encrypt SSL will not be issued if you are using CloudFlare in front of Sucuri Firewall. You must upload your own SSL or disable CloudFlare until the Let's Encrypt SSL is issued, which could take a couple of hours after DNS changes.

Because most sites already benefit from our caching technology and global Anycast CDN, an additional CDN often will not improve performance further.

Now, let's proceed to the steps. We'll need to set up the following:

  1. Sucuri Firewall pointing to the Hosting Provider, as it normally is;
  2. CloudFlare pointing to the Sucuri Firewall.

Note: If you find this process complicated, open a support ticket and we'll help you set it up.

Step by Step

1) Enable the CDN option on the Sucuri Firewall dashboard, setting it to CloudFlare, as in this image:

Sucuri Firewall External CDN Settings

2) On the Sucuri Firewall side, make sure that the Hosting IP address is actually pointing to your hosting company's IP address and not CloudFlare.

If the site was previously live at CloudFlare when you added it to Sucuri Firewall, you will need to manually edit the hosting IP address to point to your web server.

3) Inside CloudFlare's Zone File for your domain, add our Firewall IP address as the main A record:

CloudFlare Editing Zone

Also, set CloudFlare to active if it does not have the "orange" cloud. If you want to use the Let's Encrypt SSL provided by Sucuri Firewall, change the icon to orange only a couple of hours after editing the DNS.

That's it. For other CDN providers, the process is pretty similar, as are the known issues.
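
A sanity check for steps 2 and 3, as an added example that is not part of the original guide or Sucuri's tooling: it flags a hosting IP that is actually a CloudFlare address and public A records that route visitors around the firewall. The function names and the sample addresses (documentation ranges standing in for the real firewall and hosting IPs) are assumptions, and the CloudFlare range list is a snapshot of https://www.cloudflare.com/ips/ that should be refreshed before use.

```python
import ipaddress

# Snapshot of CloudFlare's published IPv4 ranges (https://www.cloudflare.com/ips/);
# refresh from that page before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip):
    """True if the address falls inside one of the CloudFlare ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def check_chain(hosting_ip, firewall_ip, public_a_records):
    """Return a list of problems; an empty list means the chain looks right."""
    problems = []
    # Step 2: the firewall must forward to the real web server.
    if is_cloudflare(hosting_ip):
        problems.append("hosting IP is a CloudFlare address")
    if hosting_ip == firewall_ip:
        problems.append("hosting IP is the firewall itself (loop)")
    # Step 3: public DNS shows CloudFlare (orange cloud) or the firewall IP
    # (grey cloud, e.g. while waiting for Let's Encrypt). Anything else
    # sends visitors around the firewall.
    for rec in public_a_records:
        if rec == hosting_ip:
            problems.append(f"A record {rec} exposes the hosting server directly")
        elif rec != firewall_ip and not is_cloudflare(rec):
            problems.append(f"A record {rec} is neither CloudFlare nor the firewall")
    return problems


if __name__ == "__main__":
    # Constructed values: 198.51.100.20 = hosting, 192.0.2.10 = firewall.
    print(check_chain("198.51.100.20", "192.0.2.10", ["104.16.1.1"]))
    print(check_chain("104.16.1.1", "192.0.2.10", ["198.51.100.20"]))
```

Feed `public_a_records` from a real lookup of your domain, and take the hosting and firewall IPs from the Sucuri Firewall dashboard.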