Secure WAN traffic

Once traffic reaches Cloudflare through WAN on-ramps (IPsec tunnels, GRE tunnels, CNI, or Appliance), you can apply multiple security services inline. This page explains which services apply to WAN traffic, when to use each one, and how they work together.

Traffic types

Cloudflare WAN carries three types of traffic, and different security services apply to each:

  • Outbound (site-to-Internet): Traffic from WAN-connected sites to the public Internet. For example, employees at a branch office browsing the web or accessing SaaS applications.
  • East-west (site-to-site): Traffic between WAN-connected locations routed through Cloudflare. For example, a branch office accessing an application hosted in a data center.
  • Inbound (Internet-to-site): Traffic from the Internet destined for customer networks. This typically applies to Magic Transit scenarios where you advertise your own IP prefixes (BYOIP) through Cloudflare.

Security services

Cloudflare Network Firewall

Cloudflare Network Firewall provides packet-level filtering at layers 3 and 4. You define allow or block rules based on IP addresses, ports, and protocols.

  • Applies to: inbound, outbound, and east-west traffic
  • Included with: Cloudflare WAN by default for standard features

Use Network Firewall when you need to control traffic at the packet level — for example, blocking specific IP ranges, restricting traffic to certain ports, or filtering protocols between sites.

Gateway (Secure Web Gateway)

Cloudflare Gateway inspects traffic at layers 4 through 7 and supports three policy types:

  • DNS policies: Filter and log DNS queries from your sites. You configure the DNS resolver for your WAN networks to point to Gateway's resolver IPs.
  • Network policies: Filter TCP, UDP, and ICMP traffic based on IP, port, protocol, and identity attributes.
  • HTTP policies: Inspect HTTP and HTTPS traffic for threats, content categories, and application-level controls.

HTTP inspection requires TLS decryption and a Cloudflare root certificate installed on client devices. You must also enable the Gateway proxy for your WAN traffic.

  • Applies to: outbound and east-west traffic

Gateway provides the deepest inspection for WAN traffic, covering DNS, network, and HTTP layers. For detailed setup instructions, refer to Connect to Cloudflare Gateway with Cloudflare WAN.

Browser Isolation

Browser Isolation runs web content in a remote browser on Cloudflare's network and streams a visual representation to the user's device. No web code executes locally.

  • Applies to: outbound web traffic
  • Triggered by: Gateway HTTP policies using the Isolate action

Use Browser Isolation when users at branch offices need to access untrusted or uncategorized websites without exposing local devices to web-based threats.

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) scans HTTP uploads and downloads for sensitive data patterns such as Social Security numbers, credit card numbers, and custom regular expressions.

  • Applies to: outbound HTTP traffic
  • Requires: Gateway HTTP filtering with TLS decryption enabled

You define DLP profiles with detection rules and reference those profiles in Gateway HTTP policies. When a policy matches, Gateway can block, log, or allow the transfer.
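To make the DLP description above concrete, here is an added example (not Cloudflare's code, and not how Gateway's built-in detections are implemented) that scans a decrypted HTTP upload body against constructed profiles of the three kinds the page names: a Social Security number pattern, a credit card pattern backed by a Luhn check to cut false positives, and a custom regular expression. The `PROJ-\d{4}` custom pattern, the profile names, and the sample upload text are all constructed for illustration.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed detection patterns in the spirit of the page's list (SSN, card, custom regex).
# They are illustrative, not the definitions Cloudflare's built-in DLP profiles use.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13 to 19 digits, optional separators
PROJECT_ID_RE = re.compile(r"\bPROJ-\d{4}\b")           # hypothetical "custom regex" detection


def luhn_valid(digits: str) -> bool:
    """Luhn checksum on a digit string; rejects most random digit runs the card regex hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


Detector = Tuple[str, re.Pattern, Optional[Callable[[str], bool]]]


class DlpProfile:
    """A named bundle of detections, like a profile referenced from a Gateway HTTP policy."""

    def __init__(self, name: str, detectors: List[Detector]):
        self.name = name
        self.detectors = detectors

    def scan(self, body: str) -> List[Tuple[str, str]]:
        hits = []
        for label, pattern, validator in self.detectors:
            for m in pattern.finditer(body):
                digits = re.sub(r"\D", "", m.group(0))
                # A validator (here: Luhn) turns a loose regex hit into a confirmed finding
                if validator is None or validator(digits):
                    hits.append((label, m.group(0)))
        return hits


PROFILES = [
    DlpProfile("PII", [("US SSN", SSN_RE, None)]),
    DlpProfile("Financial", [("credit card", CARD_RE, luhn_valid)]),
    DlpProfile("Custom", [("project ID", PROJECT_ID_RE, None)]),
]


def evaluate_upload(body: str, profiles: List[DlpProfile], policy_action: str = "block"):
    """Mimics one HTTP policy that references DLP profiles: the configured action
    (block, log or allow) applies when any profile matches, otherwise the upload passes."""
    findings = [(p.name, label) for p in profiles for label, _ in p.scan(body)]
    return (policy_action if findings else "allow"), findings


# Constructed request body, as the proxy would see it after TLS decryption.
SAMPLE_UPLOAD = (
    "Q3 summary for PROJ-0042 attached. Card on file 4111 1111 1111 1111, "
    "internal ref 1234 5678 9012 3456, employee SSN 123-45-6789."
)

if __name__ == "__main__":
    action, findings = evaluate_upload(SAMPLE_UPLOAD, PROFILES)
    print(action, findings)
```

The second sixteen-digit number in the sample is deliberately not a valid card number: the regex alone would flag it, the Luhn check drops it, which is the kind of tuning that keeps an inline DLP policy from blocking ordinary reference numbers.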

Cloud Access Security Broker (CASB)

CASB provides visibility and control over SaaS application usage through two modes:

  • API-based scanning: Connects to your SaaS applications (Google Workspace, Microsoft 365, and others) to detect misconfigurations and security posture issues.
  • Inline remediation: Gateway HTTP policies can block unsanctioned SaaS application usage detected by CASB — for example, preventing file uploads to unapproved cloud storage services.

  • Applies to: outbound traffic to SaaS applications

AI visibility

The AI Security Report provides visibility into AI application usage across your organization. It shows which AI tools employees are using, how frequently, and what data is being shared.

AI visibility is not a separate inline security service. It is an analytics feature powered by Gateway — it requires Gateway to be inspecting outbound traffic from your sites.

Use-case mapping

Traffic scenario                                      Recommended services
----------------------------------------------------  ---------------------------------------------
Block traffic between sites by IP, port, or protocol  Network Firewall
Filter DNS queries from branch offices                Gateway DNS policies
Block malware downloads from branch offices           Gateway HTTP policies
Prevent sensitive data uploads to the Internet        DLP (via Gateway HTTP policies)
Isolate risky web browsing from branch users          Browser Isolation (via Gateway HTTP policies)
Detect and block unsanctioned SaaS applications       CASB + Gateway HTTP policies
Monitor employee AI tool usage                        AI Security Report (via Gateway)
Protect against DDoS on customer-owned IPs            Network Firewall (inbound) + Magic Transit

How services compose

Traffic on the Cloudflare network passes through a single-pass inspection pipeline. You do not need to backhaul traffic between services — all inspection happens at the nearest Cloudflare data center.

The evaluation order is:

  1. Network Firewall (L3/L4): Packet-level rules are evaluated first.
  2. Gateway (L4-L7 proxy): If traffic passes the Network Firewall, Gateway inspects it. Within Gateway, policies are evaluated in order: DNS → Network → HTTP.
  3. DLP, Browser Isolation, and CASB: These services are triggered through Gateway HTTP policies. A single HTTP policy can reference a DLP profile, apply an Isolate action, or block a CASB-flagged application.

This means you can layer multiple security services on the same traffic flow without adding network hops or latency.
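The evaluation order above is easiest to reason about as a fixed sequence of stages in which a terminating decision stops the pass. The following is an added, simplified model of that sequence (not Cloudflare's implementation): a Network Firewall stage, then Gateway DNS, Network and HTTP stages, with first match winning inside each stage. The site prefixes, rule names, the `bad.example` domain and the resolver address are constructed. The model also skips the HTTP stage when the proxy cannot see the request, which mirrors the page's point that HTTP inspection, and with it DLP and Browser Isolation, depends on TLS decryption being enabled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str                            # "tcp", "udp" or "icmp"
    dns_name: Optional[str] = None        # set only for DNS lookups
    http_host: Optional[str] = None       # set only when the HTTP proxy can see the request
    http_category: Optional[str] = None   # content category the proxy assigned


@dataclass
class Rule:
    stage: str                            # "firewall", "dns", "network" or "http"
    name: str
    match: Callable[[Flow], bool]
    action: str                           # "allow", "block", "isolate" or "log"


# Fixed single-pass order: Network Firewall first, then Gateway DNS -> Network -> HTTP.
STAGE_ORDER = ("firewall", "dns", "network", "http")
TERMINATING = {"block", "isolate"}        # actions that end the pass immediately

# Constructed site prefixes standing in for two WAN-connected locations.
SITE_PREFIXES = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")]


def is_site(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SITE_PREFIXES)


# Constructed rule set; names and matches are illustrative only.
RULES = [
    Rule("firewall", "block-smb-between-sites",
         lambda f: f.proto == "tcp" and f.dst_port == 445 and is_site(f.src_ip) and is_site(f.dst_ip),
         "block"),
    Rule("dns", "block-known-bad-domains",
         lambda f: f.dns_name in {"bad.example"},
         "block"),
    Rule("network", "block-telnet",
         lambda f: f.proto == "tcp" and f.dst_port == 23,
         "block"),
    Rule("http", "block-malware-category",
         lambda f: f.http_category == "malware",
         "block"),
    Rule("http", "isolate-uncategorized",
         lambda f: f.http_category == "uncategorized",
         "isolate"),
]


def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Run one flow through the stages in order. Returns the final action and a trace of
    (stage, rule, action) showing which stage decided; stages that do not apply are skipped."""
    trace = []
    for stage in STAGE_ORDER:
        if stage == "dns" and flow.dns_name is None:
            continue                      # not a DNS lookup, nothing for DNS policies to see
        if stage == "http" and flow.http_host is None:
            continue                      # no decrypted request, so no HTTP-layer policies run
        for rule in rules:
            if rule.stage == stage and rule.match(flow):
                trace.append((stage, rule.name, rule.action))
                if rule.action in TERMINATING:
                    return rule.action, trace
                break                     # first matching rule within a stage wins
        else:
            trace.append((stage, "<default>", "allow"))
    return "allow", trace


if __name__ == "__main__":
    for f in (Flow("10.1.0.5", "10.2.0.9", 445, "tcp"),
              Flow("10.1.0.5", "203.0.113.10", 443, "tcp",
                   http_host="unknown.example", http_category="uncategorized"),
              Flow("10.1.0.5", "203.0.113.10", 443, "tcp")):
        print(evaluate(f, RULES))
```

The third flow in the demo is the same HTTPS request as the second, seen without TLS decryption: it reaches the same branch user, but the isolate rule never fires because the HTTP stage has nothing to inspect. That is the practical reason the page lists the root certificate and proxy as prerequisites for HTTP policies.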

Next steps