Cloudflare Docs
Magic WAN
Visit Magic WAN on GitHub
Set theme to dark (⇧+D)

Cloudflare Gateway with Magic WAN

Cloudflare Gateway, our comprehensive Secure Web Gateway, allows you to set up policies to inspect DNS, network, HTTP, and egress traffic.

You can apply network and HTTP Gateway policies alongside Magic Firewall policies (for L3/4 traffic filtering) to Internet-bound traffic or private traffic entering the Cloudflare network via Magic WAN. DNS filtering requires using Cloudflare’s DNS resolver.

​​ HTTPS Filtering

In order to inspect HTTPS traffic, you need to install the Cloudflare root certificate on any client machines that are not running WARP. This is required in order for Cloudflare to terminate TLS.

If you cannot or do not want to install the certificate, you can create Do Not Inspect policies to exempt Magic WAN traffic or disable TLS decryption entirely.

​​ Outbound Internet traffic

By default, the following traffic routed through Magic WAN tunnels and destined to public IP addresses is proxied/filtered through Cloudflare Gateway:

Traffic destined to public IPs will be routed over the public Internet, unless explicitly specified otherwise. If you want to configure specific public IP ranges to be routed through your Magic WAN tunnels instead of over the public Internet after filtering, contact your account team.

This traffic will egress from Cloudflare according to the egress policies you define in Cloudflare Gateway. By default, it will egress from a shared Cloudflare public IP range.

​​ Private traffic

By default, TCP, UDP, and ICMP traffic routed through Magic WAN tunnels and destined to routes behind Cloudflare Tunnel will be proxied/filtered through Cloudflare Gateway.

Contact your account team to enable Gateway filtering for traffic destined to routes behind Magic WAN tunnels. If enabled, by default, TCP and UDP traffic sourced from and destined to RFC1918 space, WARP, or BYO or Leased IPs with source port higher than 1023 and destination port lower than 1024 will be proxied/filtered by Cloudflare Gateway.

Optionally, more specific matches may be specified to override the default:

  • Source IP prefix in a subset of RFC1918 space, or BYO or Leased IPs
  • Destination IP prefix in a subset of RFC1918 space, or BYO or Leased IPs
  • Destination port number anywhere from 0-65535

Source ports are hard-coded to 1024-65535 and may not be overridden.