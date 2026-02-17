You can encrypt the network flow data sent from your router to Cloudflare by routing ↗ your network flow traffic through a device running the WARP client. Encrypted network flow traffic is then forwarded from the WARP-enabled device to Cloudflare's network flow endpoints.

To learn more about the WARP client, and to install the WARP client on Linux, macOS, or Windows, you can visit the WARP client documentation.

1. Configure your WARP devices

Follow the instructions in the Network Flow (formerly Magic Network Monitoring) API to configure your WARP devices.

The warp_devices array at the account level is a list of WARP devices through which you can send encrypted flows. Each WARP device must have:

The WARP client UUID. You can obtain the UUID in the UI or through the following command: Terminal window warp-cli registration show

A name.

A router_ip that belongs to one of your configured router IP addresses.

For example:

Required API token permissions At least one of the following token permissions is required: Magic Network Monitoring Admin

Magic Network Monitoring Config Write

Update account configuration fields curl "https://api.cloudflare.com/client/v4/accounts/ $ACCOUNT_ID /mnm/config" \ --request PATCH \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL " \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY " \ --json '{ "warp_devices": [ { "id": "<YOUR_WARP_DEVICE_UNIQUE_IDENTIFIER>", "name": "<NAME_OF_WARP_DEVICE>", "router_ip": "YOUR_ROUTER_IP" } ] }'

2. Route Network Flow traffic through WARP

Depending on where you installed the WARP client, you may need to configure other devices on the subnet to route traffic through WARP. If you have access to your router and it runs a version/OS supported by the WARP client, we recommend using Option 1. This recommendation also applies if you have a software-based flow exporter (such as softflowd ) and are not using a physical router to collect and export flows to Cloudflare.

Option 1: Default gateway

If you installed a WARP client on your router or machine collector (something you can use to collect flow information, such as a computer, virtual machine or server), no additional configuration is necessary. All traffic will use the router as the default gateway. All you need to do is configure your flow export to send flow data to IP address 162.159.65.1 and port 2055 for NetFlow, or 162.159.65.1 and port 6343 for sFlow.

Option 2: Alternate gateway

If you have access to the router but installed WARP on another machine, you can configure the router to export flow traffic to the machine running WARP. To do this:

Set the machine's IP address as the export destination on the router. Configure the export port on the router to match the listening port on the WARP machine. Redirect traffic that arrives at your machine running WARP to the following Cloudflare's destination IPs and ports: For NetFlow : IP address 162.159.65.1 and port 2055 .

: IP address and port . For sFlow: IP 162.159.65.1 and port 6343 .

For example, if WARP is running on a machine in your network with the IP 10.10.10.10 , and you configured it to accept traffic on port 2055 or 6343 , you need to configure your flow export-capable router to send data to 10.10.10.10 and port 2055 or 6343 .

In the machine running WARP, you can redirect this traffic to Cloudflare using a proxy or redirect tool of your choice. Options include:

Using socat , listen on the desired port for UDP traffic. Then, proxy that traffic to Network Flow's destination and port. socat UDP-LISTEN:2055,reuseaddr,fork UDP:162.159.65.1:2055 socat UDP-LISTEN:6343,reuseaddr,fork UDP:162.159.65.1:6343

, listen on the desired port for UDP traffic. Then, proxy that traffic to Network Flow's destination and port. Using any other proxy or port forwarding tool, such as netcat , uredir or iptables .

3. (Optional) Configure split tunnels