Under SSL/TLS It doesn't make much sense to suggest installing a certificate and then using "Full". "Full" accepts any cert installed on the server and most servers already have a default unsigned cert. If you have valid certificate for the domain installed or the origin certificate issued by Cloudflare you can use "Full strict" which helps insure the communications from your server to Cloudflare cannot be spoofed unless they somehow managed to obtain the private cert.
Under the Firewall suggestions they suggest not touching anything but the tools here are some of the best features for CF. For example you can create rules for country codes. China, India and other major sources of spam you can use JS Challenge. This is effectively the same thing used for DDOS protection but you are focusing it on problem countries. The bots can't get through it and legitimate users have a minor inconvenience. Of course if the bulk of your legitimate traffic is from China or India you may not want to do that.
Below that under the Under attack section. You only want to enable this when you are seeing severe issues affecting server performance because as they note it affects every user. If you are in that scenario you can switch this on quickly and focus on the problems using firewalls rules before switching it off.
Just be aware you need to be careful with firewall rules. For example you may see a lot of scraper traffic from AWS IP's and blocking them by ASN may seem to be the way to go since no legitimate traffic should be coming from such a service.... except Duckduckgo. VPN's are in the same boat, spammers increasingly are using them but it's generally not a network you want to block.
Lastly under the Real IP section they suggest installing a phpBB extension for Cloudflare so phpBB uses the real IP of visitor. While this isn't necessarily bad advice it should be the last resort as it only applies to phpBB. Log files and anything else that records IP will still be recording Cloudflare IP's. Ideally you install mod_cloudflare or mod_remoteip which covers everything.
It's been pretty sweet overall, apart from sometimes being logged out when I go between the forum and the ACP, after which I need to clear the board cookies (I've double checked my cookie settings against the KB linked earlier in this topic).
This shouldn't be a problem, you have something configured wrong somewhere.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”
Attributed - Thomas Edison