WAF migration

Promote WAF rules, stage by stage.

Staged enforcement: legacy WAF policies (for example Akamai KSD, Imperva, F5 ASM, ModSecurity, or AWS WAF) are ingested and promoted to a production-enforced Cloudflare WAF through four stages, each followed by a false-positive review that scopes exceptions and validates the result:

  1. Log: visibility only
  2. Simulate: would-block analysis
  3. Challenge: interactive friction
  4. Block: full enforcement

Stage 2 of 4, Simulate (would-block analysis): rules run in simulate (test) mode so Cloudflare reports what would have been blocked under each rule, without affecting users yet.

FP review: false-positive candidates are triaged and scoped exceptions drafted.

Nanosek provides Cloudflare WAF migration services for organizations moving WAF policies, managed rules, custom rules, exceptions, skip logic, API protections, rate limits, bot controls, security logging, and operational workflows to Cloudflare. The service includes current-state discovery, rule inventory, policy translation, Cloudflare WAF target architecture, staged monitor-to-block rollout, false-positive tuning, validation, rollback planning, reporting, and managed Cloudflare operations.


Who this is for

Security, application, infrastructure, platform, and SRE teams migrating WAF controls from legacy CDN, WAF, reverse proxy, or application delivery platforms to Cloudflare.
Organizations that need Cloudflare WAF enforcement without breaking login, checkout, APIs, partner integrations, mobile apps, search engines, or business-critical flows.
Teams that need a practical migration plan for managed rules, custom rules, exceptions, rate limits, bot controls, logging, dashboards, and post-launch operations.

What Cloudflare WAF migration covers

Managed rule migration

Existing vendor rule groups are reviewed and mapped to Cloudflare WAF Managed Rules with plan-aware rule selection, action strategy, and tuning requirements.

Custom rule translation

Custom signatures, path rules, header checks, IP rules, user-agent logic, country controls, and application-specific conditions are rebuilt with Cloudflare Custom Rules.

Exception and skip logic

Legacy exclusions and bypasses are reviewed so broad skips are replaced with scoped exceptions by hostname, path, method, header, IP, integration, or application flow.

False-positive reduction

Rules start in log or simulate mode where appropriate, with Security Events and request samples reviewed before promotion to challenge or block.

API-specific protection

APIs are separated from public web pages with endpoint-specific WAF rules, rate limits, API Shield, schema validation, mTLS, and method-aware controls where applicable.

Login and checkout safety

Sensitive flows need conservative rollout, bot and rate-limit alignment, and careful review before blocking to avoid user or revenue impact.

Bot and automation alignment

WAF migration is coordinated with Bot Management, verified bots, crawler handling, Turnstile, and rate limits so controls do not conflict.

Rate limiting migration

Existing rate controls are redesigned around Cloudflare Rate Limiting with thresholds, characteristics, response actions, and false-positive review.

Origin protection

WAF controls only work if attackers cannot bypass Cloudflare. Nanosek reviews direct-to-origin exposure, firewall allowlisting, and Authenticated Origin Pulls.

Security observability

Logpush, Security Analytics, GraphQL Analytics, dashboards, and alerting are configured so teams can investigate rule matches and enforcement impact.

Rollback readiness

Promotion to enforcement includes rollback steps, rule owner documentation, decision criteria, and validation checks before production changes.

Operational handover

Nanosek documents rules, exceptions, dashboards, alerts, review cadence, and managed operations workflow after migration.

Why WAF migration needs careful deployment

WAF migration fails when legacy policies are copied without understanding application behavior. Years of exceptions, vendor-specific rule semantics, hidden API behavior, custom headers, partner integrations, mobile clients, and checkout or login flows can create false positives if enforcement is rushed. Nanosek does not simply turn on blocking. We migrate WAF policy through discovery, mapping, logging, tuning, staged enforcement, and rollback-aware operations.

  • Vendor rule names and actions do not map one-to-one
  • Broad skip rules can silently remove protection
  • Sensitive paths need conservative rollout
  • APIs need separate controls from browser traffic
  • Search engines, partners, and mobile clients need explicit handling
  • Blocking should follow event review and validation
  • Rate limits need business-aware thresholds
  • Origin bypass can make WAF controls ineffective

Our Cloudflare WAF migration approach

Phase 1: Current-state WAF discovery

  • Review existing WAF provider configuration, managed rule groups, custom rules, exceptions, skip logic, rate limits, bot controls, API rules, logs, and enforcement modes.
  • Identify critical paths such as login, checkout, forms, APIs, search, uploads, admin portals, payment callbacks, partner integrations, and mobile clients.

Phase 2: Rule inventory and risk classification

  • Classify existing controls by purpose: exploit protection, access control, API protection, automation control, country or ASN policy, virtual patching, and operational bypass.
  • Identify stale rules, duplicate rules, overbroad exceptions, rules with no owner, and controls that need redesign instead of direct translation.

Phase 3: Cloudflare WAF target architecture

  • Design Cloudflare WAF Managed Rules, Custom Rules, skip rules, rate limiting, Bot Management alignment, API Shield alignment, rule ordering, and logging model.
  • Define when traffic should be allowed, logged, challenged, rate limited, blocked, skipped, or reviewed manually.

Phase 4: Implementation in monitor mode

  • Deploy Cloudflare WAF policies in log, simulate, or low-risk challenge mode where appropriate before broad enforcement.
  • Configure Security Events, Logpush, dashboards, and field visibility so rule matches can be reviewed by hostname, path, method, source, and rule ID.

Phase 5: Validation and false-positive tuning

  • Review WAF events against application owners, traffic samples, known integrations, search crawlers, partner clients, and synthetic monitoring.
  • Tune exceptions narrowly by path, method, header, IP, service token, mTLS client, or verified integration rather than using broad bypasses.

Phase 6: Controlled enforcement rollout

  • Promote validated controls from log to managed challenge, challenge, rate limit, or block based on path sensitivity and observed risk.
  • Execute enforcement changes with rollback steps, monitoring windows, stakeholder approvals, and post-change validation.

Phase 7: Post-migration operations

  • Create rule documentation, dashboards, alert routing, review cadence, exception ownership, and remediation backlog.
  • Operate WAF tuning as part of managed Cloudflare services with event review, rule updates, reporting, and continuous improvement.
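The false-positive review that gates each promotion in Phases 4 to 6 can be scripted over the log-mode events. The following Python is an added example, not Nanosek's or Cloudflare's code: it aggregates constructed would-block events by rule ID, hostname, path and method, and applies assumed promotion criteria (sensitive-path prefixes and a minimum sample count) to decide whether each rule is held for owner review, kept in log mode, or is a candidate for promotion.

```python
from collections import defaultdict

# Paths where a false positive costs users or revenue. Assumption for this
# example; in practice take these from the Phase 1 critical-path classification.
SENSITIVE_PREFIXES = ("/login", "/checkout", "/payment/callback", "/api/partner")
MIN_SAMPLES = 20  # assumption: fewer matches than this is too little evidence

# Constructed sample of log-mode events (not real traffic). Fields mirror what
# Security Events / Logpush expose: hostname, path, method, source IP, rule ID
# and the action the rule would take once promoted.
EVENTS = (
    # SQLi rule fires on 40 probes against a public search page
    [("www.example.com", "/search", "GET", f"198.51.100.{i}", "sqli-001", "block")
     for i in range(40)]
    # ... and on 6 checkout POSTs from 6 different customers: FP candidate
    + [("www.example.com", "/checkout/pay", "POST", f"203.0.113.{i}", "sqli-001", "block")
       for i in range(6)]
    # XSS rule: 3 hits on an admin form, too few to judge
    + [("www.example.com", "/admin/settings", "POST", "192.0.2.9", "xss-004", "block")] * 3
    # RCE rule: 25 hits on the upload endpoint, all from one source
    + [("www.example.com", "/upload", "POST", "192.0.2.50", "rce-010", "block")] * 25
)


def summarize(events):
    """Aggregate would-block matches per rule ID, keyed by (host, path, method)."""
    per_rule = {}
    for host, path, method, src, rule_id, action in events:
        if action != "block":  # only count what enforcement would actually stop
            continue
        r = per_rule.setdefault(rule_id, {"total": 0, "sensitive": 0,
                                          "paths": defaultdict(int), "sources": set()})
        r["total"] += 1
        r["paths"][(host, path, method)] += 1
        r["sources"].add(src)
        if path.startswith(SENSITIVE_PREFIXES):
            r["sensitive"] += 1
    return per_rule


def decide(stats):
    """Assumed promotion criteria for one rule (illustrative, not Nanosek's):
    any match on a sensitive path -> hold for owner review (draft a scoped
    exception if the samples are legitimate); too few matches -> keep logging;
    otherwise the rule is a candidate to promote to challenge or block."""
    if stats["sensitive"]:
        return "hold: owner review"
    if stats["total"] < MIN_SAMPLES:
        return "keep logging"
    return "promote"


def fp_review(events):
    """Return {rule_id: (decision, total, distinct_sources, busiest (host, path, method))}."""
    report = {}
    for rule_id, stats in summarize(events).items():
        busiest = max(stats["paths"], key=stats["paths"].get)
        report[rule_id] = (decide(stats), stats["total"], len(stats["sources"]), busiest)
    return report


if __name__ == "__main__":
    for rule_id, (decision, total, sources, busiest) in sorted(fp_review(EVENTS).items()):
        print(f"{rule_id:9} {decision:18} matches={total:3} sources={sources:3} top={busiest}")
```

The distinct-source count is the "source characteristics" signal: many sources on a sensitive path usually means real users, one source hammering a public path usually means attack traffic.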

WAF migration architecture considerations

Rule ordering and phases: Cloudflare rulesets, managed rules, custom rules, skip rules, rate limits, and bot controls need predictable order and ownership.
Sensitive path strategy: login, checkout, API, admin, payment, upload, and partner paths need path-specific actions and validation criteria.
Exception model: exceptions should be scoped by hostname, path, method, header, IP range, service identity, or integration rather than global bypasses.
Observability model: Security Events, Logpush, dashboards, alerts, and incident workflow must be ready before enforcement changes.

Cloudflare WAF controls we use

WAF Managed Rules

Provide Cloudflare-maintained protection against common application vulnerabilities and attack patterns. Nanosek selects action modes and tunes exceptions by application risk.

WAF Custom Rules

Rebuild legacy custom signatures, access controls, virtual patches, country or ASN rules, header checks, path rules, and business-specific conditions.

Skip rules

Scope exclusions for specific managed rules or phases when an application flow needs a controlled exception without disabling protection broadly.

Ruleset phases

Control where custom, managed, rate limiting, transform, and security logic executes so policy behavior is predictable.

Security Events

Review rule matches, actions, sampled requests, source characteristics, and false-positive candidates during tuning.

Logpush

Export WAF and HTTP request events to SIEM, storage, or analytics destinations for investigation and long-term reporting.

Security Analytics

Analyze attack trends, enforcement impact, source patterns, and affected hostnames during migration and operations.

GraphQL Analytics

Build custom reporting for WAF events, traffic baselines, status codes, cache interaction, and operational dashboards.

Rate Limiting

Control request volume for login, forms, APIs, search, checkout, and expensive endpoints where WAF signatures are not enough.

Bot Management

Coordinate WAF policy with bot score, verified bots, crawler handling, automation controls, and false-positive tuning.

API Shield

Add API discovery, schema validation, mTLS, and endpoint-specific controls where APIs require protection beyond browser-focused WAF rules.

Turnstile

Introduce low-friction human verification for suspicious form, login, signup, or abuse-prone flows where blocking is too aggressive.

Transform Rules

Normalize request headers, URL behavior, or response headers where WAF policy depends on consistent request shape.

Origin Rules

Align origin Host header, SNI, and routing behavior so WAF-proxied traffic reaches the correct backend safely.

Cloudflare Workers

Used only for advanced decision logic that cannot be expressed safely with native WAF, ruleset, rate limiting, or bot controls.

Terraform / API automation

Keep WAF rules, exceptions, rate limits, and managed rules configuration repeatable, reviewable, and aligned with change management.

Cloudflare WAF migration examples

Deploy WAF Managed Rules in log mode on critical hostnames, then promote tuned rules to block after false-positive review.
Replace a broad legacy bypass for `/api/*` with method-aware rules, API Shield validation, and scoped partner exceptions.
Challenge suspicious login traffic while allowing known mobile app clients and trusted identity-provider callbacks.
Apply stricter WAF and rate limit policies to admin portals, upload endpoints, and expensive search paths.
Allow verified search engine crawlers separately from unknown automation and scraping traffic.
Convert legacy IP allowlists into scoped allow rules with documented owner, reason, and review date.
Use custom rules to block exploit payloads on affected paths while a vulnerable application dependency is being patched.
Log before blocking checkout and payment callback paths so legitimate transactions are not interrupted by an aggressive migration.
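To make the broad-bypass replacement concrete (the `/api/*` example above and the scoping guidance under "Exception and skip logic"), here is an added Python example, not Nanosek's or Cloudflare's code, that lints an exception inventory for missing hostname, method, source, owner, reason and review-date scoping, and renders a scoped exception as a filter expression for a Cloudflare skip rule. The inventory schema, the lint checks and the sample records are assumptions; the fields and operators used (`http.host`, `http.request.uri.path`, `http.request.method`, `ip.src`, `eq`, `starts_with`, `in {...}`) are standard Cloudflare rules-language syntax but should be confirmed against your plan.

```python
from datetime import date

TODAY = date(2025, 1, 1)  # fixed "today" so results are reproducible (constructed)

# Constructed exception inventory as it might be captured in Phase 2. The
# schema is this example's own: an empty list or None means "no constraint".
EXCEPTIONS = [
    {"name": "legacy-api-bypass", "hosts": [], "path": "/api/*", "methods": [],
     "sources": [], "owner": None, "reason": "", "review_by": None},
    {"name": "partner-webhook", "hosts": ["api.example.com"],
     "path": "/api/partner/webhook", "methods": ["POST"],
     "sources": ["203.0.113.0/24"], "owner": "payments-team",
     "reason": "partner posts signed callbacks that trip a managed SQLi rule",
     "review_by": date(2026, 6, 30)},
]


def lint(exc, today):
    """Return findings for one exception (assumed checks, in review order)."""
    findings = []
    if not exc["hosts"]:
        findings.append("no hostname scope")
    if exc["path"] in ("", "/") or exc["path"].endswith("*"):
        findings.append("wildcard path")
    if not exc["methods"]:
        findings.append("no method scope")
    if not exc["sources"]:
        findings.append("no source identity (IP range, service token or mTLS client)")
    if not exc["owner"]:
        findings.append("no owner")
    if not exc["reason"]:
        findings.append("no documented reason")
    if exc["review_by"] is None:
        findings.append("no review date")
    elif exc["review_by"] < today:
        findings.append("review date passed")
    return findings


def review(exceptions, today):
    """Map exception name -> findings; an empty list means the scope is acceptable."""
    return {exc["name"]: lint(exc, today) for exc in exceptions}


def _set_or_eq(field, values):
    """Render `field eq "x"` for one value or `field in {"x" "y"}` for several."""
    quoted = [f'"{v}"' for v in values]
    return f"{field} eq {quoted[0]}" if len(quoted) == 1 else f"{field} in {{{' '.join(quoted)}}}"


def to_expression(exc):
    """Render the exception as a filter expression for a Cloudflare skip rule.
    CIDR sources always use the set form `ip.src in {...}`."""
    parts = []
    if exc["hosts"]:
        parts.append(_set_or_eq("http.host", exc["hosts"]))
    if exc["path"].endswith("*"):
        parts.append(f'http.request.uri.path starts_with "{exc["path"][:-1]}"')
    elif exc["path"]:
        parts.append(f'http.request.uri.path eq "{exc["path"]}"')
    if exc["methods"]:
        parts.append(_set_or_eq("http.request.method", exc["methods"]))
    if exc["sources"]:
        parts.append(f"ip.src in {{{' '.join(exc['sources'])}}}")
    return " and ".join(parts) or "true"


if __name__ == "__main__":
    for exc in EXCEPTIONS:
        print(exc["name"], "->", to_expression(exc))
        for finding in lint(exc, TODAY):
            print("   ", finding)
```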

WAF migration by traffic area

Public websites
  Migration risk: Generic attacks, rule mismatch, and broad false positives.
  Cloudflare approach: WAF Managed Rules, Custom Rules, log-mode validation, and path-specific exceptions.

Login pages
  Migration risk: Credential stuffing, account takeover, and user lockout risk.
  Cloudflare approach: WAF rules, Bot Management, rate limiting, Turnstile where appropriate, and careful challenge strategy.

Checkout flows
  Migration risk: Revenue impact from false positives or over-challenge.
  Cloudflare approach: Monitor first, scope rules by path, protect payment callbacks, and promote enforcement gradually.

APIs
  Migration risk: Browser WAF assumptions breaking API clients.
  Cloudflare approach: API Shield, method-aware custom rules, mTLS, schema validation, rate limiting, and API-specific logging.

Mobile apps
  Migration risk: Legitimate app traffic challenged or blocked.
  Cloudflare approach: Client identification, endpoint-specific rules, careful bot policy, and an exception model for known app behavior.

Partner integrations
  Migration risk: Trusted automation blocked by mistake.
  Cloudflare approach: Scoped allow policy, mTLS or service identity where possible, and logging for partner-specific rules.

Admin portals
  Migration risk: Targeted abuse, brute force, and privileged access exposure.
  Cloudflare approach: Access, WAF rules, IP restrictions, rate limits, bot controls, and stronger authentication patterns.

Upload and form endpoints
  Migration risk: Spam, file abuse, and expensive backend processing.
  Cloudflare approach: WAF custom rules, rate limits, Turnstile, file-type controls, and request-size review.

Search and catalog pages
  Migration risk: Scraping, query abuse, and origin load.
  Cloudflare approach: Rate limits, bot score thresholds, cache strategy, and WAF rules scoped to abusive patterns.

Static assets
  Migration risk: Unnecessary WAF overhead or accidental bypass of needed headers.
  Cloudflare approach: Minimal security policy, cache optimization, and clear separation from dynamic application paths.

Legacy WAF to Cloudflare mapping

WAF policy mapping model

Legacy area: Managed rule groups
  Cloudflare target: WAF Managed Rules
  Migration notes: Select matching protections, start in log or simulate mode, tune exceptions, and promote rule actions gradually.

Legacy area: Custom signatures
  Cloudflare target: WAF Custom Rules
  Migration notes: Translate conditions into Cloudflare expressions and validate against real request samples.

Legacy area: Global exclusions
  Cloudflare target: Scoped skip rules
  Migration notes: Replace broad bypasses with hostname, path, method, header, IP, or integration-specific skip logic.

Legacy area: IP allow and block lists
  Cloudflare target: Custom Rules, IP Lists, Access, or mTLS
  Migration notes: Preserve known trusted sources while avoiding permanent broad allowlists that bypass security review.

Legacy area: Virtual patches
  Cloudflare target: Custom Rules and Managed Rules overrides
  Migration notes: Implement targeted protection for vulnerable paths while remediation work proceeds.

Legacy area: Rate controls
  Cloudflare target: Cloudflare Rate Limiting
  Migration notes: Redesign thresholds by path, method, client identity, request characteristics, and abuse pattern.

Legacy area: API protections
  Cloudflare target: API Shield, WAF Custom Rules, mTLS, schema validation
  Migration notes: Treat APIs separately from browser traffic and validate auth, methods, headers, and schema behavior.

Legacy area: Bot and crawler rules
  Cloudflare target: Bot Management, verified bots, WAF rules, rate limits
  Migration notes: Separate legitimate crawlers and trusted automation from scraping, fraud, and automated abuse.

Legacy area: Security logging
  Cloudflare target: Security Events, Logpush, GraphQL Analytics
  Migration notes: Preserve investigation workflows before enforcing migrated controls.

Legacy area: Change approvals
  Cloudflare target: Runbooks, Terraform/API automation, managed operations
  Migration notes: Keep rules reviewable, repeatable, documented, and rollback-aware.

Deployment steps

  1. Inventory the current WAF configuration, managed rules, custom rules, exceptions, rate limits, bot controls, API controls, logs, and enforcement modes.
  2. Classify rules by business purpose, affected hostnames, critical paths, owners, and false-positive history.
  3. Design the Cloudflare WAF target architecture with Managed Rules, Custom Rules, skip rules, rate limits, bot alignment, API Shield alignment, logging, and rollback.
  4. Deploy policies in log, simulate, or conservative challenge mode where appropriate and validate Security Events and Logpush visibility.
  5. Review event samples with application owners, tune false positives, narrow exceptions, and document known-good automation.
  6. Promote validated controls to managed challenge, challenge, rate limit, or block using a staged rollout with rollback steps.
  7. Transition to managed operations with dashboards, alerting, reporting, exception review, rule tuning, and continuous improvement.

Risks and mitigations

Risk: Blocking legitimate users during enforcement.
Mitigation: Start in log or simulate mode, review sampled requests, tune exceptions, and promote rules gradually by path sensitivity.

Risk: Broad skip rules remove too much protection.
Mitigation: Replace global bypasses with scoped exceptions by hostname, path, method, header, IP, service identity, or known integration.

Risk: APIs break under browser-oriented WAF rules.
Mitigation: Separate API policies, validate methods and headers, use API Shield where appropriate, and tune endpoint-specific rules.

Risk: Search engines or trusted automation blocked.
Mitigation: Use verified bot signals, documented allow policies, and separate treatment for known crawlers, partners, mobile apps, and monitoring systems.

Risk: Legacy vendor rules do not map cleanly.
Mitigation: Map the purpose of each rule rather than copying syntax. Use Cloudflare-native Managed Rules, Custom Rules, Rate Limiting, API Shield, and Bot Management.

Risk: Sensitive checkout or payment flows over-challenged.
Mitigation: Use conservative monitor-first rollout, path-specific controls, and business owner validation before blocking.

Risk: Missing logs during tuning.
Mitigation: Configure Security Events, Logpush, dashboards, and alerting before promotion to enforcement.

Risk: Origin can be reached directly outside Cloudflare.
Mitigation: Review origin exposure, firewall allowlisting, Authenticated Origin Pulls, and direct DNS records during migration.

Risk: Rate limits trigger on legitimate traffic spikes.
Mitigation: Baseline request rates, test thresholds safely, and scope rate limits by endpoint, method, client behavior, and business flow.

Risk: Rollback path unclear during a false-positive incident.
Mitigation: Document rollback per rule group, assign decision owners, and monitor production changes in an approved change window.

WAF migration validation checklist

  • Current WAF rules and managed rule groups exported
  • Custom rules inventoried with owner and purpose
  • Existing exceptions, exclusions, and bypasses reviewed
  • Critical hostnames and paths classified
  • Login, checkout, form, upload, admin, and API paths mapped
  • Partner integrations and mobile app clients documented
  • Search engine crawler handling defined
  • Cloudflare Managed Rules selected
  • Cloudflare Custom Rules drafted and peer reviewed
  • Skip rules scoped narrowly
  • Rate limiting thresholds designed safely
  • Bot Management alignment reviewed
  • API Shield alignment reviewed where APIs are in scope
  • Security Events and Logpush visibility configured
  • Rules deployed in log or simulate mode first where appropriate
  • False-positive samples reviewed with application owners
  • Sensitive paths validated before block actions
  • Rollback steps documented for each enforcement change
  • Monitoring window and decision owners assigned
  • Post-migration review cadence defined

Deliverables

  • Current WAF configuration inventory
  • Legacy-to-Cloudflare WAF mapping workbook
  • Managed Rules selection and action plan
  • Custom Rules design
  • Exception and skip-rule strategy
  • API, bot, and rate limiting alignment plan
  • Critical path risk map
  • Log-mode validation report
  • False-positive tuning report
  • Controlled enforcement rollout plan
  • Cloudflare WAF implementation
  • Security dashboard and alerting setup
  • Rollback runbook
  • Post-migration optimization backlog
  • Managed operations handover

When Nanosek should help

You are moving WAF controls from Akamai, Imperva, Fastly, CloudFront, F5, NGINX, or another platform to Cloudflare.
Your existing WAF has many custom rules, exclusions, bypasses, or vendor-specific controls.
You are afraid of blocking legitimate users, mobile apps, search engines, APIs, partners, or checkout flows.
You need to migrate WAF and bot, API, DDoS, rate limiting, and logging controls together.
You need a monitor-to-block rollout plan before enforcing Cloudflare WAF controls.
You have WAF false positives today and need a more maintainable exception model.
You need Cloudflare WAF documentation, dashboards, alerting, and operational handover.
You want Nanosek to manage WAF tuning and security operations after migration.

Frequently asked questions

What is a Cloudflare WAF migration?
A Cloudflare WAF migration is the process of moving WAF policies, managed rules, custom rules, exceptions, skip logic, rate limits, API protections, bot controls, security logging, and operational workflows from an existing platform to Cloudflare.
Can legacy WAF rules be copied directly into Cloudflare?
Not reliably. Vendor rule semantics, managed rule coverage, action models, and exception behavior differ. Nanosek maps the intent of each control and rebuilds it using Cloudflare-native Managed Rules, Custom Rules, Rate Limiting, API Shield, Bot Management, and scoped exceptions.
Should Cloudflare WAF rules immediately block traffic?
Usually no. Production WAF migration should normally start with logging, simulation, or conservative challenge actions on sensitive paths. Blocking should follow traffic review, false-positive tuning, and stakeholder validation.
How does Nanosek reduce WAF false positives?
Nanosek reviews Security Events, request samples, critical paths, trusted automation, partner integrations, mobile app behavior, and API traffic. Exceptions are scoped narrowly and rules are promoted gradually from monitor to challenge or block.
Can Cloudflare WAF protect APIs?
Yes. API protection usually combines WAF Custom Rules, API Shield, schema validation, mTLS, rate limiting, Bot Management, and endpoint-specific policies. APIs should be handled separately from browser traffic.
What happens to existing WAF exceptions?
Existing exceptions are reviewed for owner, reason, scope, and current need. Broad bypasses are replaced where possible with scoped skip rules or targeted exceptions by hostname, path, method, IP, header, service identity, or integration.
How do you handle search engines and partner integrations?
Verified search crawlers, known partner integrations, monitoring systems, and trusted automation are documented and handled separately from unknown automated traffic. Nanosek avoids broad allowlists unless there is a clear business reason and review process.
Can Nanosek manage WAF tuning after migration?
Yes. Nanosek provides managed Cloudflare operations including WAF event review, rule tuning, false-positive handling, exception review, reporting, dashboards, incident support, and continuous optimization.

Migrate WAF controls to Cloudflare safely

Nanosek helps you preserve security intent, reduce false positives, validate sensitive paths, and move Cloudflare WAF controls from visibility to controlled enforcement.

Ready to talk?

Deliver Cloudflare without surprises.

Whether you're migrating, hardening, or operating Cloudflare — Nanosek brings authorized MSP & ASDP delivery, rollback-ready cutovers, and managed operations after launch.