Support

Yes, you should use both like we do.

CloudFlare's WAF is something that sits in front of your site and applies rules based solely on the content of the request, without any insight to the application's state or even knowing which application you are using. Conceptually it's the same as using mod_security2 in Apache. This is a great way to pre-filter what touches your site at all. It's like walking through the airport metal detection gate.

Admin Tools' WAF goes further since it runs inside Joomla. It's aware of the application state and how things will be used by Joomla and its extensions. As a result it can offer another layer of protection you can't have with an external WAF. It's basically giving each request a thorough pat-down.

I recommend using both at the same time. CloudFlare's  WAF will catch most attacks before they hit your server, minimizing the load your server experiences. Admin Tools' WAF will stop the few attacks that make it through which, without application context, would look like iffy but plausibly legitimate requests. Just remember that if you get blocked you need to first check your CloudFlare logs, especially if the error mentioned a Ray ID. If and only if you are absolutely positive the request wasn't blocked by CloudFlare should you check if it was blocked by Admin Tools. It's a bit more complicated but your site will be marginally safer and definitely faster. That's why we implemented the same solution I am suggesting on our own site.