FAQ
If you cannot find your answer here, refer to the community page ↗ for more resources.
I am getting an "Invalid account settings request body: account name format contains illegal characters or is not supported" error when trying to create a rule.
This probably means that your account name has unsupported characters. Make sure your account name does not have characters like, for example, &, <, >, ", ', `.
Refer to Account name to learn how to change your account name.
Yes. Both enterprise and free customers can send encrypted network flow data to Cloudflare.
Enterprise customers with Magic Transit or Cloudflare WAN (formerly Magic WAN) can send encrypted network flow data via an IPsec tunnel to Cloudflare's network. You can achieve this by:
- Configuring your NetFlow or sFlow data to be sent to Cloudflare's network for parsing.
- Directing that network flow data to be sent over Magic Transit IPsec tunnels or Cloudflare WAN IPsec tunnels to Cloudflare's network.
Cloudflare identifies the flow traffic by its destination IP address and port, then forwards it to Network Flow for parsing.
Free customers can route their network flow traffic through a device that is running the Cloudflare One Client. Then, network flow traffic can be forwarded from the Cloudflare One Client enabled device to Cloudflare's network flow endpoints. Learn more in the Encrypt network flow data tutorial.
I have Auto-Advertisement enabled and it was triggered by an attack. Do I have to turn Magic Transit off manually?
Yes. After Auto-Advertisement activates for a prefix under attack, Cloudflare continues advertising that prefix even after the attack ends. You must manually withdraw the prefix to stop Magic Transit. Refer to Configure dynamic advertisement to withdraw your prefixes.
If Auto-Advertisement is enabled, and the threshold has been triggered, will the IP prefix show as advertised in the dashboard?
Yes, the IP prefix will show as advertised under the IP Prefixes tab.
No. Auto-advertisement only works with API-controlled advertisement, not BGP-controlled advertisement.
In the API, Network Flow rules have a bandwidth_threshold data field. Does the value for this field refer to bytes transferred or current throughput?
A Network Flow rule threshold has two values:
bandwidth_threshold— the total ingress throughput on your network at any given moment, measured in bits per second.duration— how longbandwidth_thresholdmust be exceeded before you receive an alert.
For example, you create a Network Flow rule with the following parameters:
"bandwidth_threshold": 50000000"duration": "1m0s"With this rule, your network needs to receive a throughput greater than 50,000,000 bits per second (50 Megabits per second or Mbps) for 60 seconds. If both of these conditions are met, then Network Flow will send you an alert.
My router's public IP address is different from the IP address of my network flow agent-ip. I cannot change my network flow agent-ip, and I am not seeing my router's traffic in Network Flow analytics
Set your router's public IP address and network flow agent-ip to the same value. If you cannot change the agent-ip, register both your router's public IP and the agent-ip in the Network Flow router configuration.
Registering both addresses prevents Network Flow from blocking traffic from unrecognized IPs. Your router's flow data appears under the agent-ip.
All flow data is processed on Cloudflare's servers in the US. If you enable data sovereignty in Europe, you cannot use Network Flow.
Cloudflare retains GraphQL analytics data for 90 days for enterprise customers and seven days for non-enterprise customers. Cloudflare also retains flow data for six hours for threshold crossing detection.