Cloudflare Docs
Magic WAN
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)


This tutorial shows you how to use Magic WAN with the following versions of the SonicWall appliances:

  • Hardware tested:
    • SonicWall NSv 470
    • SonicWal 3700
  • Software versions tested:
    • SonicOS 7.0.1

You can connect your SonicWall appliance through IPsec tunnels to Magic WAN. Generic Routing Encapsulation (GRE) is not supported on SonicWall.

​​ Topology

Topology diagram showing how to connect SonicWall appliances to Magic WAN

The following instructions show how to setup an IPsec connection on your SonicWall device. We will use the IP ranges from the above topology example to create the connections needed. Settings not explicitly mentioned can be left with their default values.

​​ 1. Create an IPsec tunnel on your Cloudflare account

  1. Start by creating your IPsec tunnels on Cloudflare. Name and describe the tunnels as needed, and add the following settings:

    • Interface address: Enter the internal tunnel IP on the Cloudflare side of the IPsec tunnel. In this example, it is
    • Customer endpoint: Enter the WAN IP address of your SonicWall device. In our example, this is
    • Cloudflare endpoint: Enter the IP address provided by Cloudflare. In our example, this is
    • Pre-shared key: Select Use my own pre-shared key and paste a secure key of your own.
  2. Select Add tunnels when you are finished.

  3. After you create your tunnel, Cloudflare dashboard will load a list of tunnels set up for your account. Select the arrow to expand the tunnels you have just created, and check the following settings:

    • Customer endpoint: Refers to the SonicWall WAN IP that the VPN policy is bound to (in red).
    • Cloudflare endpoint: Refers to the anycast IP provided by Cloudflare (in blue).
    • FQDN ID: The ID used in the VPN policy for the SonicWall’s Local IKE ID. Copy this ID and save it. You will need it when configuring the tunnel on your SonicWall (in green).

    An example of what your IPsec tunnel should look like

​​ 2. Create static routes on Cloudflare dashboard

Static routes are required for any networks that will be reached via the IPsec tunnel. In our example, there are two networks: and the tunnel network

  1. Create your static routes. Name and describe them as needed, and add the following settings:

    • First tunnel: Following our example, add as the Prefix and for the Tunnel/Next hop.
    • Second tunnel: Following our example, add as the Prefix and for the Tunnel/Next hop.
  2. Select Add routes when you are finished.

​​ 3. Add a VPN configuration in SonicWall

  1. Go to Network > IPsec VPN > Rules and Settings.
  2. Select Add.
  3. In General > Security Policy group, add the following settings:
    • Authentication Method: IKE Using Preshared Secret.
    • IPsec Primary Gateway Name or Address: Enter Cloudflare’s anycast IP address for the primary gateway (in blue).
  4. In the IKE Authentication group, add the following settings:
    • Shared secret: Paste the pre-shared key you use to create the IPsec tunnel in step 1 (in purple).
    • Local IKE ID: Select Domain name from the dropdown menu, and paste here the FQDN ID you saved from step 1, after creating the IPsec tunnel (in green).
    • Peer IKE IDE: Select IPv4 Address from the dropdown menu, and enter the Cloudflare anycast IP address (in blue).

Configure a VPN policy on your SonicWall device
  1. Select Proposals. VPN Policy is somewhat flexible. Adjust these settings to match your organization’s preferred security policy. As an example, you can use the settings in the examples below.
  2. In the IKE (Phase 1) Proposal group, select the following settings:
    • Exchange: IKEv2 Mode
    • DH Group: Group 14
    • Encryption: AES-256
    • Authentication: SHA256
    • Life Time (seconds): 28800
  3. In the IPsec (Phase 2) Proposal group, add the following settings:
    • Protocol: ESP
    • Encryption: AESGCM16-256
    • Authentication: None
    • Enable Perfect Forward Secrecy: Enabled
    • DH Group: Group 14
    • Life Time (seconds): 28800

Configure a VPN policy on your SonicWall device
  1. Select Advanced.
  2. Enable Disable IPsec Anti-Replay.
  3. In VPN Policy bound to select your WAN interface from the dropdown menu, to bind it to your VPN.
  4. Select Save.

Enable anti-replay on your SonicWall device

​​ 4. Add a VPN tunnel interface

SonicOS requires a VPN tunnel interface to route traffic via Magic WAN. When creating the interface, use the prefix This matches with the Cloudflare side for this tunnel, which is

  1. Go to Network > System > Interfaces.
  2. Select Add interface > VPN Tunnel Interface.
  3. For IP Address, use
  4. Enable Ping. This is required so the interface can be pinged for debugging and Magic WAN health checks.

Enable ping to that your interface can be pinged for debugging and Magic WAN health checks
  1. Select Advanced.
  2. Enable the Enable Asymmetric Route Support option. This is required for the Magic WAN tunnel health check.

Enable Asymmetric Route Support. It is required for Magic WAN health checks
  1. Select OK.

​​ 5. Add address object(s)

Address objects are necessary for route policies. In our example, we have one other site that will be reached via Magic WAN. First, you need to create address objects for each network. Then, you need to create an address group that contains all the remote networks. This address group will be used in the next step to create the correct route policies.

To add an address object:

  1. Select Object > Match Objects > Addresses
  2. Select Address Objects > Add.
  3. Enter the information for your address object - refer to the topology image for the examples this tutorial is using. Since the addresses are in the VPN zone, set the Zone Assignment for the object to VPN.
  4. Select Save. The window will stay on to facilitate multiple entries. Select X to close it.

Enter the appropriate settings for you object
  1. Select Address Groups > Add to add a new address group.
  2. Enter a Name for your address group.
  3. Select the individual network objects you have created on the left menu, and add them to the group by selecting the right-facing arrow in the middle column.
  4. Select Save.

Copy the individual network objects and add them to your group

​​ 6. Set up routing

Add a route using the address object or group just created as the destination.

  1. Select Policy > Rules and Policies > Routing Rules.
  2. Select Add to add your route policy.
  3. The Next Hop should be the VPN tunnel interface that was previously created in the interface panel.

​​ 7. Add access rule for health checks

An additional access rule is required for Magic WAN health checks to work properly. This will enable the WAN IP to receive ICMP pings via the tunnel, and return them over the WAN.

  1. Select Policy > Rules and Policies.
  2. Select Access Rules > Add.
  3. Enter a descriptive name for your policy.
  4. In Source / Destination > Destination > Port/Services, select ICMP from the dropdown.
  5. Select Optional Settings.
  6. In Others, enable Allow Management traffic.

​​ 8. Setup health checks

You have to configure Magic WAN health checks correctly. Here is an example of how to set up health checks:

curl --request PUT \{account_id}/magic/ipsec_tunnels/{tunnel_id} \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"health_check": {
"enabled": true,
"target": "SONICWALL_WAN_IP",
"type": "request",
"rate": "mid"

Health checks might take some time to stabilize after the configuration is changed.

​​ 9. Verify tunnel status on Cloudflare dashboard

The Cloudflare dashboard monitors the health of all anycast tunnels on your account that route traffic from Cloudflare to your origin network.

The dashboard shows the view of tunnel health as measured from each Cloudflare location where your traffic is likely to land. If the tunnels are healthy on your side, you will see the majority of servers reporting an up status. It is normal for a subset of these locations to show tunnel status as degraded or unhealthy, since the Internet is not homogeneous and intermediary path issues between Cloudflare and your network can cause interruptions for specific paths.

Not all data centers will be relevant to you at all times. You can refer to the Average ingress traffic (last hour) column to understand if a given data center is receiving traffic for your network, and if its health status is relevant to you.

To check for anycast tunnel health:

  1. Go to the Cloudflare dashboard and select your account.
  2. Go to Magic WAN > Tunnel health.
  3. In Cloudflare colos, you can choose one or more Cloudflare data centers to filter out the traffic that shows up in your anycast tunnels. For example, if you chose the Lisbon data center, your anycast tunnels would only show connections to that data center.
  4. Below, you have a list of all your anycast tunnels, as well as their current health status. Find the tunnel you wish to inspect and select the arrow (>) before it to open its details.
  5. The details pane shows the connection status between different Cloudflare servers and your tunnel. Select Traceroute for details in one of the Cloudflare servers shown to check for issues between Cloudflare and your origin network.