Security filters
Once your traffic flows through Cloudflare's network, you can apply security policies to it without deploying additional hardware. Cloudflare WAN (formerly Magic WAN) integrates with two primary security services, which operate at different layers of the network stack.
Cloudflare Network Firewall filters traffic at layers 3 and 4 of the OSI model — the network and transport layers. You can allow or block traffic based on packet characteristics such as source and destination IP addresses, ports, protocols, and packet length. All Cloudflare WAN customers have automatic access to Cloudflare Network Firewall.
Cloudflare Gateway inspects traffic at higher layers, including DNS queries, network sessions, and HTTP requests. Use Gateway to set up policies that control Internet-bound traffic and access to your private network infrastructure. Refer to Connect to Cloudflare Gateway with Cloudflare WAN to learn how to filter Cloudflare WAN traffic with Gateway policies.