2025-10-27

Cloudflare Gateway, our comprehensive Secure Web Gateway, allows you to set up policies to inspect DNS, network, HTTP, and egress traffic.

You can apply network and HTTP Gateway policies alongside Magic Firewall policies (for L3/4 traffic filtering) to Internet-bound traffic or private traffic entering the Cloudflare network via WAN Tunnels. Additionally, you can configure Gateway to resolve DNS queries from WAN Tunnels.

HTTPS filtering

In order to inspect HTTPS traffic, you need to install a Cloudflare root certificate on each client device. You can use the WARP client to automatically install a Cloudflare certificate on supported devices. If your device or application does not support certificate installation via WARP, you can manually install a certificate. A certificate is required for Cloudflare to decrypt TLS.

If you cannot or do not want to install the certificate, create Do Not Inspect policies to exempt the incompatible WAN Tunnels traffic from inspection, or disable TLS decryption entirely. Gateway cannot on its own tell which traffic arrived over WAN Tunnels, so you must match that traffic in Gateway policies using WARP client checks or the IP addresses associated with your WAN Tunnels. For example, if your organization onboards devices to WAN Tunnels via WARP, you can exempt devices not running WARP by using OS version checks:

Selector                     | Operator | Value                | Logic | Action
Passed Device Posture Checks | not in   | Windows (OS version) | Or    | Do Not Inspect
Passed Device Posture Checks | not in   | macOS (OS version)   | Or    | Do Not Inspect
Passed Device Posture Checks | not in   | Linux (OS version)   | Or    | Do Not Inspect
Passed Device Posture Checks | not in   | iOS (OS version)     | Or    | Do Not Inspect
Passed Device Posture Checks | not in   | Android (OS version) |       | Do Not Inspect

If your organization onboards users to WAN Tunnels via an on-ramp other than WARP, you can exempt devices from inspection using the IP addresses for your Magic IPsec tunnels:

Selector  | Operator | Value          | Action
Source IP | in       | 203.0.113.0/24 | Do Not Inspect

DNS filtering

You can configure the DNS resolver for your WAN Tunnels networks to use the shared IP addresses of the Gateway DNS resolver. The Gateway DNS resolver IPs are 172.64.36.1 and 172.64.36.2. When DNS queries from WAN Tunnels are resolved through Gateway, Gateway logs each query with its private source IP. You can use that private source IP to create resolver policies for queries intended for internal DNS records.

Diagram: WAN Tunnels and WARP Connector networks hand out the Gateway resolver addresses via DHCP/DNS resolver settings, so queries travel over the IPsec tunnel to the shared IP endpoints of the Gateway DNS resolver. The resolver applies your resolver policies, which retain and use the source internal IP to forward matching queries to the internal DNS server in your data center.

Outbound Internet traffic

By default, the following traffic routed through WAN Tunnels and destined to public IP addresses is proxied/filtered through Cloudflare Gateway:

- TCP, UDP, and ICMP traffic sourced from RFC 1918 IPs or WARP devices.

- TCP and UDP traffic sourced from BYO or Leased IPs and destined to a well-known port (0 - 1023).

Traffic destined to public IPs will be routed over the public Internet, unless explicitly specified otherwise. If you want to configure specific public IP ranges to be routed through your WAN Tunnels tunnels instead of over the public Internet after filtering, contact your account team.

This traffic will egress from Cloudflare according to the egress policies you define in Cloudflare Gateway. By default, it will egress from a shared Cloudflare public IP range.

Private traffic

By default, TCP, UDP, and ICMP traffic routed through WAN Tunnels and destined to routes behind Cloudflare Tunnel is proxied/filtered through Cloudflare Gateway.

Contact your account team to enable Gateway filtering for traffic destined to routes behind WAN Tunnels.

If enabled, by default TCP/UDP traffic meeting all of the following criteria will be proxied/filtered by Cloudflare Gateway:

- Both source and destination IPs are part of either RFC 1918 space, WARP, BYO or Leased IPs.

- Source port is a client port strictly higher than 1023.

- Destination port is a well-known port lower than 1024.

Optionally, more specific matches may be specified to override the default:

- Source IP prefix in a subset of RFC 1918 space, or BYO or Leased IPs.

- Destination IP prefix in a subset of RFC 1918 space, or BYO or Leased IPs.

- Destination port number anywhere from 0 - 65535.

Source ports are hard-coded to 1024 - 65535 and may not be overridden.
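The two rule sets above (outbound Internet traffic and private traffic) determine which WAN Tunnels flows Gateway will actually see, and therefore which flows your Gateway policies can act on. The following Python model, an added example and not Cloudflare code, encodes both rule sets so you can check a planned flow before relying on a policy for it. It assumes 203.0.113.0/24 as a placeholder BYO/leased range, 100.96.0.0/12 as the WARP virtual IP range (Cloudflare's default CGNAT range; supply your own if you changed it), and reads each configured "more specific match" as an additional rule that sends matching flows to Gateway; the sample flows are constructed.

```python
"""Model of which WAN Tunnels flows Cloudflare Gateway proxies/filters by default.

Added example, not Cloudflare code. It follows the rules described on this page;
override semantics and the WARP range are assumptions (see comments).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# RFC 1918 private address space (the page's "RFC1918 space").
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
WELL_KNOWN = range(0, 1024)        # destination ports 0-1023
CLIENT_PORTS = range(1024, 65536)  # source ports are hard-coded to 1024-65535


@dataclass(frozen=True)
class Flow:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0           # ignored for icmp
    dport: int = 0           # ignored for icmp
    # Where the destination route lives: "internet", "cloudflare_tunnel" or "wan_tunnels".
    dst_behind: str = "internet"


@dataclass(frozen=True)
class Override:
    """A more specific match for private traffic: src/dst prefix plus any destination port."""
    src_prefix: str
    dst_prefix: str
    dport: int               # 0-65535


@dataclass
class GatewayModel:
    byo_or_leased: List[str] = field(default_factory=list)  # your BYO or Leased public IPs
    warp: List[str] = field(default_factory=list)           # WARP virtual IP ranges (assumed)
    wan_tunnels_filtering: bool = False  # set once your account team enables it
    overrides: List[Override] = field(default_factory=list)

    @staticmethod
    def _in(addr: str, prefixes: Iterable[str]) -> bool:
        a = ip_address(addr)
        return any(a in ip_network(p) for p in prefixes)

    def _internal(self, addr: str) -> bool:
        # "RFC1918 space, WARP, BYO or Leased IPs"
        return (self._in(addr, RFC1918) or self._in(addr, self.warp)
                or self._in(addr, self.byo_or_leased))

    def is_filtered(self, f: Flow) -> bool:
        proto = f.proto.lower()
        if proto not in ("tcp", "udp", "icmp"):
            return False  # only TCP, UDP and ICMP are proxied by Gateway
        if f.dst_behind == "internet":
            return self._outbound(f, proto)
        if f.dst_behind == "cloudflare_tunnel":
            return True   # TCP/UDP/ICMP to routes behind Cloudflare Tunnel: filtered by default
        if f.dst_behind == "wan_tunnels":
            return self.wan_tunnels_filtering and self._private(f, proto)
        raise ValueError(f"unknown destination kind: {f.dst_behind}")

    def _outbound(self, f: Flow, proto: str) -> bool:
        # RFC 1918 or WARP sources: all TCP, UDP and ICMP to public IPs is filtered.
        if self._in(f.src, RFC1918) or self._in(f.src, self.warp):
            return True
        # BYO/Leased sources: only TCP/UDP to a well-known port (0-1023).
        if self._in(f.src, self.byo_or_leased):
            return proto != "icmp" and f.dport in WELL_KNOWN
        return False

    def _private(self, f: Flow, proto: str) -> bool:
        if proto == "icmp":
            return False  # the WAN Tunnels private-traffic rules cover TCP/UDP only
        if f.sport not in CLIENT_PORTS:
            return False  # source-port range cannot be overridden
        # Assumption: a matching override sends the flow to Gateway regardless of dport range.
        for o in self.overrides:
            if (self._in(f.src, [o.src_prefix]) and self._in(f.dst, [o.dst_prefix])
                    and f.dport == o.dport):
                return True
        return self._internal(f.src) and self._internal(f.dst) and f.dport in WELL_KNOWN


def example_model() -> GatewayModel:
    """Constructed configuration: placeholder BYO range, default WARP range, one override."""
    return GatewayModel(
        byo_or_leased=["203.0.113.0/24"],
        warp=["100.96.0.0/12"],
        wan_tunnels_filtering=True,
        overrides=[Override("10.1.0.0/16", "10.2.0.0/16", 8443)],
    )


if __name__ == "__main__":
    m = example_model()
    for fl in (  # constructed sample flows
        Flow("tcp", "10.1.2.3", "198.51.100.10", 51000, 443),
        Flow("tcp", "203.0.113.5", "198.51.100.10", 51000, 8443),
        Flow("tcp", "10.1.2.3", "10.2.0.9", 40000, 8443, "wan_tunnels"),
    ):
        print(fl, "->", "filtered" if m.is_filtered(fl) else "bypasses Gateway")
```

Use the model to explain surprises in Gateway logs: a BYO-sourced connection to a high port on the Internet, or a private flow with a privileged source port, never reaches Gateway, so no HTTP or network policy will match it.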

Run traceroute

WAN Tunnels clients connecting through GRE, IPsec, CNI or WARP that want to perform a traceroute to an endpoint behind a Cloudflare Tunnel will need to change some settings to make the command useful. Refer to Run traceroute for more information.

Test Gateway integration

To check if Gateway is working properly with your WAN Tunnels connection, open a browser from a host behind your customer premise equipment, and browse to https://ifconfig.me .

If you are still in the process of testing Gateway, and Cloudflare is not your default route, configure a policy-based route on your router to send traffic to Cloudflare Gateway first, before browsing to https://ifconfig.me .

Confirm there is an entry for the test in the HTTP Gateway Activity Logs. The destination IP address should be the public IP address of ifconfig.me, and the source IP address should be the private (WAN) address of the host running the browser. Your outbound connection should be sourced from a WAN Tunnels IP address, not from any public IP address that Cloudflare might be advertising on your behalf. This is also true when using Magic Transit with the Egress option.