Encrypt network flow data
Date: 2026-02-17
You can encrypt the network flow data sent from your router to Cloudflare by routing your network flow traffic through a device running the WARP client. Encrypted network flow traffic is then forwarded from the WARP-enabled device to Cloudflare's network flow endpoints.
To learn more about the WARP client, and to install the WARP client on Linux, macOS, or Windows, you can visit the WARP client documentation.
Follow the instructions in the Network Flow (formerly Magic Network Monitoring) API to configure your WARP devices.
The warp_devices array at the account level is a list of WARP devices through which you can send encrypted flows. Each WARP device must have:
- The WARP client UUID. You can obtain the UUID in the UI or through the following command:
- A name.
- A router_ip that belongs to one of your configured router IP addresses.
For example:
At least one of the following API token permissions is required:
- Magic Network Monitoring Admin
- Magic Network Monitoring Config Write
Depending on where you installed the WARP client, you may need to configure other devices on the subnet to route traffic through WARP. If you have access to your router and it runs a version/OS supported by the WARP client, we recommend using Option 1. This recommendation also applies if you have a software-based flow exporter (such as softflowd) and are not using a physical router to collect and export flows to Cloudflare.
If you installed a WARP client on your router or machine collector (something you can use to collect flow information, such as a computer, virtual machine or server), no additional configuration is necessary. All traffic will use the router as the default gateway. All you need to do is configure your flow export to send flow data to IP address 162.159.65.1 and port 2055 for NetFlow, or 162.159.65.1 and port 6343 for sFlow.
If you have access to the router but installed WARP on another machine, you can configure the router to export flow traffic to the machine running WARP. To do this:
- Set the machine's IP address as the export destination on the router.
- Configure the export port on the router to match the listening port on the WARP machine.
- Redirect traffic that arrives at your machine running WARP to the following Cloudflare destination IPs and ports:
  - For NetFlow: IP address 162.159.65.1 and port 2055.
  - For sFlow: IP 162.159.65.1 and port 6343.

For example, if WARP is running on a machine in your network with the IP 10.10.10.10, and you configured it to accept traffic on port 2055 or 6343, you need to configure your flow export-capable router to send data to 10.10.10.10 and port 2055 or 6343.
On the machine running WARP, you can redirect this traffic to Cloudflare using a proxy or redirect tool of your choice. Options include:
- Using socat, listen on the desired port for UDP traffic. Then, proxy that traffic to Network Flow's destination and port.
    socat UDP-LISTEN:2055,reuseaddr,fork UDP:162.159.65.1:2055
    socat UDP-LISTEN:6343,reuseaddr,fork UDP:162.159.65.1:6343
- Using any other proxy or port forwarding tool, such as netcat, uredir or iptables.
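As an added example (not Cloudflare's code), the following Python relay does the same job as the socat commands above and additionally drops datagrams that do not come from one of your routers, so the WARP machine does not forward arbitrary UDP traffic into your flow data. The router address 10.10.10.1 and the function names are assumptions made for illustration.

```python
import socket
import threading

# Cloudflare Network Flow endpoint and ports, as given on this page.
CLOUDFLARE_IP = "162.159.65.1"
NETFLOW_PORT = 2055
SFLOW_PORT = 6343


def open_listener(bind_ip, port):
    """Bind a UDP socket on the WARP machine for the router's exports."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_ip, port))
    return sock


def relay_once(listener, upstream, upstream_addr, allowed_sources):
    """Forward one datagram if its sender is an allowed exporter.

    Returns the number of bytes forwarded, or 0 when the datagram is dropped.
    """
    data, (src_ip, _src_port) = listener.recvfrom(65535)
    if src_ip not in allowed_sources:
        return 0  # not one of our routers: do not relay it to Cloudflare
    return upstream.sendto(data, upstream_addr)


def serve(bind_ip, port, allowed_sources):
    """Relay forever from bind_ip:port to the Cloudflare endpoint, same port."""
    listener = open_listener(bind_ip, port)
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        relay_once(listener, upstream, (CLOUDFLARE_IP, port), allowed_sources)


if __name__ == "__main__":
    # 10.10.10.10 is the WARP machine from the page's example;
    # 10.10.10.1 is a constructed router address (assumption).
    routers = {"10.10.10.1"}
    for port in (NETFLOW_PORT, SFLOW_PORT):
        threading.Thread(target=serve, args=("10.10.10.10", port, routers),
                         daemon=True).start()
    threading.Event().wait()  # keep the main thread alive
```

UDP source addresses can be spoofed on the local segment, so treat the allowlist as a filter rather than authentication.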
If you do not want all the traffic on your device to be WARP-enabled, configure split tunnels/proxy mode to either only allow Network Flow traffic towards 162.159.65.1 or exclude everything else.