Cloudflare Docs
Magic Firewall


If you are a Magic Transit or Magic WAN user, you are automatically provided with a standard list of Magic Firewall features. For additional features available for purchase, refer to the list of advanced features below.

Standard features

  • Filtering rules based on protocol, port, IP addresses, packet length, and bit field match.
  • Fast propagation of rule changes in less than a minute.
  • Single dashboard to manage firewall and network configuration.
  • Programmable API for automated deployment and management — compatible with infrastructure-as-code platforms like Terraform.
  • Traffic analytics per rule in the dashboard and using the GraphQL API.
  • Integration with Magic WAN network-as-a-service.
  • Included DDoS protection with Magic Transit.

Advanced features

All standard features are included with the purchase of the advanced features below.

  • Customizable IP lists.
  • Managed threat intelligence IP lists (Anonymizer, Botnet, Malware, Open Proxies, VPNs).
  • Geoblocking based on user location by country.
  • Block or allow packets based on Autonomous System Number (ASN).
  • Packet captures on demand for network troubleshooting.
  • Protocol validation rules to inspect traffic validity and enforce a positive security model.
  • Optional upgrade to full stateful Secure Web Gateway using Cloudflare Zero Trust for outbound Internet traffic. The Secure Web Gateway upgrade supports all TCP and UDP ports, as well as traffic sourced from RFC. Gateway will proxy BYOIP traffic to egress via the default Cloudflare IPs or your assigned dedicated egress IPs.
  • Intrusion Detection System (IDS).