Encrypt network flow data
You can encrypt the network flow data sent from your router to Cloudflare by routing ↗ your network flow traffic through a device running the Cloudflare One Client. Encrypted network flow traffic is then forwarded from the Cloudflare One Client device to Cloudflare's network flow endpoints.
To learn more about the Cloudflare One Client, and to install it on Linux, macOS, or Windows, refer to the Cloudflare One Client documentation.
Follow the instructions in the Network Flow (formerly Magic Network Monitoring) API to configure your devices.
The warp_devices array at the account level is a list of WARP devices through which you can send encrypted flows. Each WARP device must have:
- The Cloudflare One Client UUID. You can obtain the UUID in the UI or through the following command:
Terminal window warp-cli registration show - A name.
- A
router_ipthat belongs to one of your configured router IP addresses.
For example:
Required API token permissions
At least one of the following token permissions
is required:
Magic Network Monitoring AdminMagic Network Monitoring Config Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/mnm/config" \ --request PATCH \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ --json '{ "warp_devices": [ { "id": "<YOUR_WARP_DEVICE_UNIQUE_IDENTIFIER>", "name": "<NAME_OF_WARP_DEVICE>", "router_ip": "YOUR_ROUTER_IP" } ] }'Depending on where you installed the Cloudflare One Client, you may need to configure other devices on the subnet to route traffic through the Cloudflare One Client. If you have access to your router and it runs a version/OS supported by the Cloudflare One Client, Cloudflare recommends Option 1. This also applies if you use a software-based flow exporter (such as softflowd) instead of a physical router to collect and export flows.
If you installed the Cloudflare One Client on your router or machine collector (a computer, virtual machine, or server that collects flow information), no additional configuration is necessary. All traffic uses the router as the default gateway. Configure your flow export to send data to IP address 162.159.65.1 and port 2055 for NetFlow, or 162.159.65.1 and port 6343 for sFlow.
If you have access to the router but installed the Cloudflare One Client on another machine, you can configure the router to export flow traffic to the machine running the Cloudflare One Client. To do this:
- Set the machine's IP address as the export destination on the router.
- Configure the export port on the router to match the listening port on the Cloudflare One Client machine.
- Redirect traffic that arrives at your machine running the Cloudflare One Client to the following Cloudflare destination IPs and ports:
- For NetFlow: IP address
162.159.65.1and port2055. - For sFlow: IP
162.159.65.1and port6343.
For example, if WARP is running on a machine in your network with the IP10.10.10.10, and you configured it to accept traffic on port2055or6343, you need to configure your flow export-capable router to send data to10.10.10.10and port2055or6343.
- For NetFlow: IP address
In the machine running the Cloudflare One Client, you can redirect this traffic to Cloudflare using a proxy or redirect tool of your choice. Options include:
- Using
socat, listen on the desired port for UDP traffic. Then, proxy that traffic to Network Flow's destination and port.socat UDP-LISTEN:2055,reuseaddr,fork UDP:162.159.65.1:2055socat UDP-LISTEN:6343,reuseaddr,fork UDP:162.159.65.1:6343
- Using any other proxy or port forwarding tool, such as
netcat,urediroriptables.
If you do not want all traffic on your device to route through the Cloudflare One Client, configure split tunnels/proxy mode to either only allow Network Flow traffic towards 162.159.65.1 or exclude everything else.