This guide covers how to set up Cloudflare Zero Trust Network Access (ZTNA) with Expel Workbench.
Prerequisites
- You must have admin access in Workbench to set up this integration.
- You must have a Cloudflare Enterprise account with Zero Trust enabled.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Generate Cloudflare Credentials
- Add Cloudflare ZTNA as a Security Device in Workbench
- Configure Cloudflare Logpush
Step 1: Generate Cloudflare Credentials
In this step, you will create a new user for Expel console access and generate an API token for integration with Workbench.
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech. For more information, see Why Expel Asks for Console Access.
- Log in to the Cloudflare Dashboard.
- Select the Cloudflare account you will be using to integrate with Workbench.
- Select the vertical dots menu next to your account name and choose Copy account ID. Save this ID in a safe place for use in a later step.
- In the left sidebar, select Manage account > Members.
- Select Invite Members.
- On the Invite Members screen, for the Email address, enter "soc+<Your_Organization_Name>@expel.io".
  - For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
- In the Add permission policies section, select Create a policy.
- Configure the policy as follows:
  - Define scope - select the account you are integrating with Workbench. ("Applies to: Entire account" will automatically be selected.)
  - Assign roles - select Cloudflare Zero Trust Read Only.
- Select Create policy.
- Select Invite members. This triggers an email invitation allowing the Expel SOC to create an account and complete console access configuration in Workbench on your behalf.
- Next, in the top right, select your profile icon and choose Profile.
- Save the Email address in a safe place for use in a later step.
- In the left sidebar, select API Tokens.
- In the API Keys section, locate the Global API Key and select View.
- A pop-up displays asking to send a verification code.
- Select Send Verification Code. The code will be sent to the email address associated with your Cloudflare Profile.
- Enter the code received in the email and select View.
- The API key displays. Copy and save it in a safe place for later use.
Step 2: Add Cloudflare ZTNA as a Security Device in Workbench
The next step is to add a Cloudflare ZTNA security device in Workbench so that you can generate and copy the necessary webhook credentials, which you will need later in the guide. Before you begin, make sure you have the email address, account ID, and API key you saved in Step 1.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
- Select Add Security Device.
- In the search box, type “Cloudflare” and then select the Cloudflare ZTNA (via Webhook) integration.
- Complete the fields as follows:
  - Name - enter a name that might help you more easily identify this integration, such as “CompanyName Cloudflare ZTNA”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
  - Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
  - Webhook fields - can be ignored for now.
  - Cloudflare email - enter the email you saved in Step 1.
  - Account ID of user - enter the account ID you saved in Step 1.
  - API key for Cloudflare email - enter the API key you saved in Step 1.
- Select Save.
- On the console access screen, select Set up later.
- Select Save.
- Select Done.
- Locate your new device in the list of security devices.
- Use the menu beside the device name to edit the device details. If you need help with this step, see Manage Security Devices.
- Copy and save the Webhook URL, username, and password in a safe place for use in the next step.
Step 3: Configure Cloudflare Logpush
This step establishes the direct, automated connection between your Cloudflare account and the Workbench platform using the Cloudflare Logpush service. This ensures immediate, continuous data delivery for security and performance analysis.
You will forward the following log types from Logpush to Workbench:
- Access Request Logs
- Gateway HTTP Logs
- Gateway Network Logs
Generate Your Token
The webhook is authenticated using the webhook username and password provided in Workbench. These credentials must be Base64-encoded and appended to the Logpush URL. This combination (username:password pair) will form the BASE64_TOKEN. Follow the instructions for your respective operating system to Base64-encode your credentials via command line, substituting the Webhook username and password in the command:
Windows:
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("username:password"))
Linux:
echo -n "username:password" | base64
macOS | Unix:
echo -n "username:password" | base64
Copy and save the token in a safe place for use in a later step.
Create Logpush Jobs in Cloudflare
- From within your account in Cloudflare, use the left sidebar to select Analytics & Logs > Logpush.
- Select Create a Logpush job.
- On the Select Destination page, choose HTTP destination.
- On the Enter destination details page, enter the HTTP endpoint using the following format, substituting the webhook URL from Workbench and the base64-encoded token you generated in the string:
<WEBHOOK_URL>?header_Content-Type=application%2Fjson&header_Authorization=Basic%20<BASE64_TOKEN>
- Select Continue.
- On the Select dataset page, select Access requests.
- Select Continue.
- On the Configure logpush job page, configure as follows:
  - Name - enter a unique name for the Logpush job. For example, “logpush-job-access-requests”.
  - If logs match… - select All logs.
  - Send the following fields… - choose Select All.
- Select Submit.
- Repeat steps 2-9 two more times, selecting Gateway HTTP and Gateway Network as datasets for the additional jobs. You will create three Logpush jobs in total.
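The token step and the destination format above can be combined in one script. This is an added example, not part of the original guide or of Expel's or Cloudflare's tooling: it percent-encodes the `+`, `/` and `=` characters that Base64 output can contain so they survive inside the query string. The hostname and credentials are constructed sample values, and the `https://` check is an assumption about the webhook URL.

```shell
#!/bin/sh
# Added example. Hostname and credentials below are constructed sample values.

# Base64-encode "username:password" as a single line.
basic_token() {
    case "$1" in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac
    # printf avoids echo's portability quirks; tr removes the line wrapping
    # that GNU base64 inserts every 76 characters.
    printf '%s' "$1:$2" | base64 | tr -d '\n'
}

# Percent-encode the base64 characters that are unsafe in a query string:
# '+' can be decoded as a space; '/' and '=' are encoded too, matching how
# the destination format already encodes the '/' in application%2Fjson.
urlencode_b64() {
    printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# Usage: build_logpush_destination WEBHOOK_URL USERNAME PASSWORD
build_logpush_destination() {
    case "$1" in
        https://*) ;;  # assumption: the webhook is served over TLS
        *) echo "webhook URL must start with https://" >&2; return 1 ;;
    esac
    token=$(basic_token "$2" "$3") || return 1
    printf '%s?header_Content-Type=application%%2Fjson&header_Authorization=Basic%%20%s\n' \
        "$1" "$(urlencode_b64 "$token")"
}

# Constructed sample: this password yields '+', '/' and '=' in the token.
build_logpush_destination 'https://workbench.example.invalid/hook' 'svc' 'a~bc?d'
```

The resulting string embeds the webhook credentials, so store it with the same care as the password itself.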
With the three Logpush jobs created, setup is now complete. To check if alerts are coming through in Workbench, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
To check on the status of the device in Workbench, navigate to Organization Settings > Security Devices. Select the downward arrow for your device in the first column and choose View details.