SME Cyber Bundle — Partner Quick-Start

The Phase 1 configuration baseline & best practices
Partner Technical Enablement
Cloudflare Pro plan + 50 Zero Trust seats · Dashboard · API · Terraform
ENABLEMENT WORKFLOW

The five-step motion, per customer

Do the prerequisites once; repeat steps 2–5 for every end customer.

1
Prerequisites
Set up your tenant, tokens & Terraform once.
2
Onboard
Create the account + zone under the tenant.
3
Baseline
Apply the standard config (dashboard or Terraform).
4
Verify
Run the test suite on a real device.
5
Hand off
DS record, protections summary, read-only access.
MENTAL MODEL

Account level vs. zone level

Know which layer a setting lives on — it tells you where to click and what a token needs to touch.

ACCOUNT LEVEL
Set once, applies broadly
WAF managed rulesets
Can be deployed account-wide across zones.
Zero Trust
Gateway (SWG) + Access (ZTNA) policies live here.
Governance
Users, roles, API tokens and audit logs.
ZONE LEVEL
Per customer domain
DNS & TLS
Records, DNSSEC, SSL mode, HSTS.
Caching
Cache rules, tiered cache, performance toggles.
WAF entry point
Per-zone rules and rate limiting.
PLAN SCOPE — PRO + 50 ZT SEATS

What the bundle includes

Anything marked "No" is a clear upsell conversation — not a gap in the baseline.

Capability
Requirement
In the bundle?
WAF Managed Ruleset + OWASP
Pro
Yes
Leaked Credential Check + Super Bot Fight
Pro
Yes
Rate limiting (2 rules, IP, ≤1 min)
Pro
Yes
Universal SSL, HSTS, TLS 1.2/1.3
Pro
Yes
Zero Trust — Gateway + Access
50 seats
Yes
WAF Attack Score (ML)
Business/Ent
No
Logpush / SIEM export, SSO/SAML
Enterprise
No
ORIENTATION

Two dashboards, know both

Tip: the dashboard search bar is the fastest way to jump to any setting by name.

APPLICATION (ZONE)
dash.cloudflare.com
Security → Settings
Deploy managed rulesets, bots, security level.
Security → Security rules
Custom rules, rate limiting, DDoS tab, overrides.
Security Center
Attack surface, analytics, reports (account).
ZERO TRUST
one.dash.cloudflare.com
Traffic policies
Gateway DNS + HTTP policies.
Access controls → Applications
Access apps and policies.
Networks → Connectors
Cloudflare Tunnels for private apps.
01
AT SCALE
Onboard Customers
Create accounts and zones programmatically under your tenant.
BEFORE YOU START

Prerequisites (once per tenant)

Least privilege everywhere — scope tokens to exactly what the baseline touches.

Tenant
Cloudflare Tenant platform access — request via your Partner Account team.
Token
Scoped, least-privilege API token (tenant or per-account). Never the Global API Key.
Terraform
cloudflare/cloudflare provider, pinned version. One workspace/state per customer.
Import
cf-terraforming to import existing customer config into state.
Naming
Consistent convention, e.g. cust-<name>-<env>, for zones, tokens, policies.
Scopes
Zone: WAF/DNS/SSL/Cache Write. Account: Rulesets, Access, Zero Trust Write.
TENANT PATTERN

Onboard a new customer

Same module, different tfvars — every customer gets an identical baseline.

1
Create the end-customer account
POST with your unit.id to tie the account to your tenant unit for billing and management.
2
Create the zone under that account
Add the customer domain, then give them the two assigned Cloudflare nameservers to set at their registrar.
3
Store per-customer variables
Put account_id, zone_id, domain and IdP details in customers/<name>.tfvars.
4
Apply the same baseline module
Run the shared Terraform module against each customer for an identical, auditable result.
02
BASELINE CONFIG
The Security Baseline
WAF, rate limiting and DDoS — the core of the bundle.
4.1 APPLICATION SECURITY — WAF

WAF recommended defaults (Pro)

Lead with the Managed Ruleset. Do not "enable all rules" — some are off by default on purpose.

Setting
Recommended
Status
Cloudflare Managed Ruleset
Enabled — primary protection
On
OWASP Core Ruleset
Log first, tune, then enforce
Tune
Leaked Credential Check
Turn on
On
Super Bot Fight Mode
Turn on
On
Custom rules
Simple operators (no regex on Pro)
On
Security Level
Medium (default)
On
WAF — DO THIS, NOT THAT

Three habits that avoid support tickets

1
Managed Ruleset first
It's your primary protection on Pro. Enable the tags that match the customer's stack (e.g. WordPress) rather than everything.
2
OWASP in Log, then tune
Deploy at PL1/Medium in Log mode, watch Security Analytics, then raise the action. Enforcing untuned OWASP locks out real users.
3
Attack Score is not here
The ML Attack Score is Business/Enterprise. On Pro, the Managed Ruleset carries the load — flag Attack Score as an upgrade if needed.
WAF — STEP BY STEP

Deploy the managed rulesets

The one-time WAF turn-on for a new customer zone.

DashboardSecuritySettings
1
Open the zone, go to Security → Settings.
2
Filter by Web application exploits — to find the ruleset controls.
3
Turn on Cloudflare managed ruleset — your primary protection.
4
Optionally turn on OWASP Core — but you will tune it next (keep it in Log first).
5
Select Save — the managed rules now show as deployed with their status and action.
6
Then go to Security → Settings — and also enable Super Bot Fight Mode, JS Detections and Leaked Credential Check.
WAF — STEP BY STEP

Tune a ruleset (set OWASP to Log)

DashboardSecuritySecurity rules
1
Go to Security → Security rules.
2
Filter to Managed rules — then open the Execute rule for the ruleset.
3
Set the ruleset Action / Status at the top level, or…
4
Select Browse rules — to change individual rules.
5
Set OWASP to Log — leave it logging until you have tuned out false positives.
6
Watch Security → Analytics for a day — then raise OWASP to Managed Challenge / Block.
7
Custom rules live here too — Create rule → Custom rules (simple operators; no regex on Pro).
4.1.1 RATE LIMITING

Every rule answers five questions

Fill these five fields in order and any rate-limit rule makes sense.

1
When requests match
Which requests does this watch? e.g. URI Path equals /api/login
2
With the same characteristics
Count separately per whom? Add IP so each source IP has its own counter.
3
When rate exceeds
How many in how long? e.g. 5 requests per 60 seconds (Pro max window = 1 min).
4
Then take action
Block, or a challenge action. Use Block when you need a fixed duration on Pro.
5
Duration
How long the action applies. Pro max = 1 hour.
RATE LIMITING — RECIPES

Three recipes (spend your 2 rules well)

Pro gives you 2 rate-limiting rules — login and API are the usual choices. Log for a day, then Block.

START HERE
A · One-click login
Security rules → Rate limiting → "Protect your login". Cloudflare builds the rule for you.
RECOMMENDED
B · Custom login
URI /api/login, per IP, 5 requests / 1 min, action Block, duration 15 min.
HIGH VALUE
C · Protect the API
URI starts with /api/, per IP, ~50 requests / 10s, action Block, duration 1 hour.
RATE LIMITING — STEP BY STEP

Recipe B: custom login protection

Pro values: block for 15 min, counting per IP over a 1-minute window.

DashboardSecuritySecurity rulesRate limiting rules
1
Create rule → Rate limiting rules; name it “Protect login”.
2
When incoming requests match — Field URI Path, Operator equals, Value /api/login.
3
With the same characteristics — add IP (one counter per source IP).
4
When rate exceeds — Requests 5, Period 1 minute (the Pro maximum).
5
Then take action — choose Block (fixed durations need Block on Pro).
6
Duration — 15 minutes.
7
Set action to Log for a day first — check Analytics, then switch to Block.
8
Select Deploy.
4.2 DDoS MITIGATION

Always-on, just tune the sensitivity

Security rules → DDoS protection tab → Create override. Leave the action at Cloudflare’s default.

WHAT'S AUTOMATIC
On by default, all plans
L3/4 + L7
Always-on network and application DDoS mitigation is included.
No setup
It's already protecting the zone — the override only tunes it.
WHAT YOU SET
One HTTP DDoS override
Sensitivity
Set to High (default) unless the app produces false positives.
Pro limit
One override applied to all requests. Advanced DDoS (Ent) allows 10 scoped.
DDoS — STEP BY STEP

Create the HTTP DDoS override

Always-on mitigation is already active — this only tunes it.

DashboardSecuritySecurity rulesDDoS protection
1
Go to Security → Security rules → DDoS protection tab.
2
On HTTP DDoS attack protection, select Create override.
3
Set Ruleset sensitivity — High (the default).
4
Leave the action at Cloudflare’s default.
5
Save — remember Pro allows one override, applied to all requests.
6
Only lower sensitivity — if a specific customer app produces false positives.
03
ZONE HARDENING
DNS, TLS & Performance
The per-zone settings that make a site secure and fast.
DNS & TLS BASELINE

Secure the name and the transport

4.3 DNS
Anycast + DNSSEC
Proxy status
Proxied (orange cloud) for web hostnames.
DNSSEC
Enable, then the customer adds the DS record at their registrar.
Handoff item
DNSSEC isn't active until that DS record is set — track it.
4.5 TLS / SSL
Full (Strict), never Flexible
Mode
Automatic SSL/TLS or Custom Full (Strict). Never Flexible.
Hardening
Always Use HTTPS, Min TLS 1.2, TLS 1.3 on.
HSTS
6-month max-age, includeSubDomains — only when HTTPS-only is confirmed.
DNS — STEP BY STEP

Enable DNSSEC + hand off the DS record

DashboardDNSSettings
1
Zone → DNS → Records — add A / AAAA / CNAME; enable the proxy (orange cloud) on web records.
2
Zone → DNS → Settings → DNSSEC.
3
Select Enable DNSSEC.
4
Copy the DS record Cloudflare generates.
5
Give the DS record to the customer — they set it at their domain registrar.
6
Track it as a handoff item — DNSSEC is not active until the DS record is live at the registrar.
TLS — STEP BY STEP

Harden the edge certificate settings

DashboardSSL/TLSEdge Certificates
1
Zone → SSL/TLS → Overview — keep Automatic SSL/TLS, or set Custom → Full (strict). Never Flexible.
2
Zone → SSL/TLS → Edge Certificates.
3
Turn on Always Use HTTPS.
4
Set Minimum TLS Version 1.2, and turn on TLS 1.3.
5
Turn on Automatic HTTPS Rewrites.
6
Enable HSTS — max-age 6 months, includeSubDomains, no preload to start.
7
Confirm the customer is HTTPS-only first — HSTS makes browsers refuse HTTP for the whole max-age.
4.4 PERFORMANCE / CDN

Performance defaults (also a security control)

Caching is DDoS protection: cached content never touches the origin.

Tiered
Smart Tiered Cache on — fewer origin hits, absorbs DDoS volume.
Cache
Cache rules for static assets, edge TTL 1 day+; bypass on session cookie.
HTTP/3
HTTP/2, HTTP/3 (QUIC), 0-RTT, IPv6 and WebSockets all on.
Polish
Polish (Lossy + WebP) and Mirage on — both included on Pro.
Rocket
Rocket Loader OFF by default — it can break JS. Enable only after testing.
Argo
Argo Smart Routing is an add-on — not in the bundle. Offer for latency-sensitive apps.
04
INCLUDED — 50 SEATS
Zero Trust
Gateway and Access are part of the baseline, not an add-on.
4.8 CLOUDFLARE GATEWAY (SWG)

Recommended baseline policies

Cloudflare One → Traffic policies. Deploy the Cloudflare CA to devices before HTTP inspection.

Layer
Policy
Action
DNS
Block security threats (malware, phishing, C2)
Block
DNS
Block security risks (new/parked domains, DGA)
Block
DNS
Block objectionable content per customer AUP
Block
HTTP
Enable TLS decryption (deploy CA first)
Inspect
HTTP
Block known malicious / high-risk apps
Block
GATEWAY — STEP BY STEP

Create the DNS block policies

Start with DNS-layer blocks — no device trust needed. HTTP inspection comes after the CA is deployed.

DashboardCloudflare OneTraffic policiesDNS
1
Open one.dash.cloudflare.com → Traffic policies → DNS.
2
Create a policy — block Security threats (malware, phishing, C2/botnet).
3
Create a policy — block Security risks (new / parked domains, DGA).
4
Create a policy — block content categories per the customer’s AUP.
5
List current category IDs via the API — GET /accounts/$ACCOUNT_ID/gateway/categories.
6
For HTTP inspection — deploy the Cloudflare CA to devices first, then enable TLS decryption.
7
Then add HTTP policies — block known malicious / high-risk applications.
4.9 CLOUDFLARE ACCESS (ZTNA)

Stand up the first protected app

1
Integrate the customer IdP
Okta, Entra ID or Google, under Cloudflare One → Settings → Authentication.
2
Add a self-hosted application
Access controls → Applications → set the public hostname.
3
Write the default policy
Allow the customer's email domain / IdP group; require MFA. 24h session.
4
Connect private apps via Tunnel
Networks → Connectors (cloudflared) — no inbound ports exposed. The "replace VPN" pattern.
05
OPERATE & HAND OFF
Govern, Verify, Deliver
Access control, analytics, the checklist and the handoff.
GOVERN & OBSERVE

Access control and visibility

4.6 ACCESS & GOVERNANCE
Least privilege, 2FA
Roles
Scoped RBAC; no shared logins. Customers get Administrator Read Only.
2FA
Require 2FA for all members (all plans). SSO/SAML is Enterprise-only.
Tokens
Scoped, per-purpose, rotated — never the Global API Key.
4.7 ANALYTICS & COMPLIANCE
In-dashboard on Pro
Security Analytics
Review after every rule goes live to catch false positives.
Audit Log
Account-level record of who changed what.
Compliance
ISO 27001 / SOC 2 / PCI DSS reports via the Trust Hub. SIEM export is Ent.
GO-LIVE CHECKLIST

Per-customer checklist (Pro baseline)

Access mgmt: scoped roles, 2FA enforced, no Global API Key. Then verify and hand off.

Onboard
Account + zone created; nameservers delegated; zone active.
WAF
Managed Ruleset on; Leaked Creds on; OWASP logged then tuned.
Limits
Rate-limit rule(s) on login/API; custom rules set.
Network
DDoS override High; DNSSEC + DS given; TLS Full (Strict) + HSTS.
CDN
Tiered cache on; cache rules set; HTTP/3 + IPv6 + WebSockets on.
Zero Trust
Gateway DNS block policy; Access IdP + first app + MFA; Tunnel for private.
VERIFY & HAND OFF

Prove it works, then deliver

QUICK TESTS
Verify on a real device
WAF
Send a benign attack-like request — expect it blocked/logged.
Rate limit
Exceed the login threshold — expect the block.
Gateway
On a WARP device, browse a blocked category — expect the block page.
Access
Open the app hostname — expect IdP login, then MFA, then app.
HANDOFF PACKAGE
What the customer gets
DS record
Nameservers + DS value for them to set at the registrar.
Summary
Enabled protections and any HSTS / HTTPS-only implications.
Access
Read-only dashboard access; IdP + Access app list + MFA requirement.
APPENDIX — TERRAFORM

One reusable baseline module

One module, applied per customer — identical, auditable, reviewable in a merge request.

MODULE LAYOUT
baseline/ + per-customer vars
Files
versions.tf, variables.tf, main.tf, outputs.tf.
Per customer
customers/<name>.tfvars holds account_id, zone_id, domain, IdP.
Apply
terraform apply -var-file=customers/acme.tfvars.
WHAT IT STAMPS
The whole baseline, as code
Covers
TLS/zone settings, DNSSEC, WAF + OWASP, rate limit, DDoS, cache, Gateway, Access.
Outputs
DS record and Access AUD for the handoff.
Provider note
Module is v4.x syntax; v5 renames resources — pin your version.
SME CYBER BUNDLE — PHASE 1

One baseline, every customer.

Prescriptive defaults, dashboard paths, and Terraform — so any partner delivers enterprise-grade protection at SME scale.
WAF + Rate limitingDDoS + DNS + TLSGateway + AccessTerraform baseline
PPowerPoint (.pptx)Pixel-perfect, editable in PowerPoint & Keynote
Slides render as high-res images — nothing reflows. Animated slides show a single frame.