Cloudflare Gateway
A cloud-native, low-latency Secure Web Gateway (SWG)
With visibility into approximately 20% of the web, Cloudflare’s unmatched network scale protects employee Internet browsing and blocks breach-causing threats.
No more traffic backhauling. Our single-pass inspection is 50% faster than SWG alternatives.
Cloudflare's DNS and HTTP telemetry and threat detection models catch more risks.
Stack in-line Zero Trust services to provide holistic Internet traffic visibility across users, devices, and locations.
Streamline policy building and auditing with predefined categories.
Our Secure Web Gateway runs everywhere in Cloudflare’s global network, letting you inspect traffic wherever employees work.
It also runs in-line with our data loss prevention and remote browser isolation — offering secure browsing with no disruptions.
“Algolia is growing pretty fast. We needed a way to have visibility across our corporate network without slowing things down for our employees. Gateway gave us a simple way to do that.”
Director of Infrastructure & Security
TOP GATEWAY USE CASES
Protect “work-from-anywhere” users from malware, ransomware, and other online cyber threats.
Defend against cyber threats, enforce acceptable use, and optimize visitor experiences on guest WiFi networks.
Regain full forward-proxy visibility and control over sensitive data and source code across web, SaaS, and private applications.
Free Plan
forever
Best for teams under 50 users or enterprise proof-of-concept tests.
Pay-as-you-go
per user/month (paid annually)
Best for teams over 50 users that are solving narrow SSE use cases and do not require enterprise support services.
Contract Plan
Best for organizations building toward a full-featured SSE or SASE deployment that also desire maximum support.
Threat Protection
Block ransomware, phishing, DGA domains, DNS tunneling, C2 & botnet, and more.
Filter by security or content category. Deploy via our device client or via routers for locations.
Control traffic based on source, destination country, domains, hosts, HTTP methods, URLs, and more. Unlimited TLS 1.3 inspection.
Allow or block traffic based on ports, IPs, and TCP/UDP protocols.
Scan uploaded / downloaded files across types (PDFs, ZIP, RAR, etc.).
Detection via our own machine learning algorithms and third-party threat feeds.
All functionality available for IPv4 and IPv6 connectivity.
Create network policies to manage and monitor SSH access to your applications.
Secure connectivity for DNS filtering directly from offices.
Up to 3 locations
Up to 50 locations
Up to 250 locations
Render all browser code at the edge, instead of locally, to mitigate threats. Deploy with or without a device client. Selectively control what activity to isolate and when.
Add-on
Stop phishing and business email compromise.
Apply HTTP policies at the browser level by configuring a PAC file. Apply filters without deploying client software on user devices.
Dedicated range of IPs (IPv4 or IPv6) geolocated to one or more Cloudflare network locations.
Core Capabilities
10 user limit
No user limit
Dependable service level agreements (SLA) for paid plans with 100% uptime and reliable service you can trust.
100% uptime guarantee (SLA)
Support options vary by plan type. Various professional advisory and hands-on implementation services are available as add-ons to Contract plans.
Community forums and Discord server
Chat and ticket support
Phone, chat, and ticket support; professional services available (add-on)
Zero Trust logs are stored for a varying period of time based on the plan type and service used. Contract users can export logs via Logpush.
Up to 24 hours
Up to 30 days
Up to 6 months; Logpush to SIEM/cloud storage
Securely connects resources to Cloudflare without a publicly routable IP address. Does not require VM infrastructure and has no throughput limitations.
Securely and privately sends traffic from end user devices to Cloudflare’s global network. Enables capabilities like building device posture rules or enforcing filtering policies anywhere. Self-enroll or deploy via MDM.
ZTNA provides granular identity- and context-based access to all your internal self-hosted, SaaS, and non-web (e.g., SSH) resources.
SWG protects against ransomware, phishing, and other threats using L4-7 network, DNS, and HTTP filtering policies for faster, safer Internet browsing.
Provides user-centric visibility into device, network, and application performance across your Zero Trust organization.
Provides network traffic visibility and real-time alerts for unified insights into network activity. Available for free to everyone.
CASB continuously monitors SaaS apps at rest to detect potential data exposure due to misconfigurations or weak posture findings.
Up to 2 read-only API integrations
Unlimited out-of-band integrations (add-on)
DLP detects sensitive data in transit and at rest across web, SaaS, and private apps with controls or remediation guides to stop leakage or exposure.
Limited predefined profiles
Full-featured (add-on)
Log Explorer provides native log storage, retention, and analytics of HTTP and security event logs.
RBI layers additional threat defense and data protection controls across browsing activities by running all browser code on Cloudflare's global network.
Email security helps block and isolate multichannel phishing threats, including malware and business email compromise.
Cloudflare One is our single-vendor SASE platform that converges Zero Trust security services from the plans above with Network services — including Magic WAN and Firewall.
Access Controls
Custom application and private network policies, plus policy tester. Supports temporary authentication, purpose justification, and any IdP-provided auth method.
Protect self-hosted, SaaS, and non-web (SSH, VNC, RDP) apps, internal IPs and hostnames, or any arbitrary L4–7 TCP or UDP traffic.
Authenticate via enterprise and social IdPs, including multiple IdPs concurrently. Can also use generic SAML and OIDC connectors.
Configure contextual access based on IdP groups, geolocation, device posture, session duration, external APIs, etc.
Verify device posture using third-party endpoint protection provider integrations.
Clientless access for web apps and browser-based SSH or VNC.
Privileged SSH and VNC access through in-browser terminal.
Split tunneling for local or VPN connectivity.
Customizable app launcher for all apps, including bookmarks to apps outside of Access.
Service token support for automated services.
Configure local domain fallback. Define an internal DNS resolver to resolve private network requests.
Automate deployment of Cloudflare resources and connections.
Certificate-based auth for IoT and other mTLS use cases.
Data Protection
Set least-privilege policies per application to ensure users only access data they need.
Allow or block uploads / downloads of files based on MIME type.
Allow or block traffic to specific apps or app types.
Add Cloudflare CASB to detect if misconfigurations in SaaS applications leak sensitive data.
Unlimited out-of-band integrations
Inspect HTTP(S) traffic and files for the presence of sensitive data. Free tier includes predefined profiles like financial info, while full-featured contract plans also include custom profiles, custom datasets, OCR, DLP logs, and more.
Restrict download, upload, copy/paste, keyboard input, and printing actions within isolated webpages and applications. Prevent data leakage onto local devices, and control user inputs on suspicious websites. Deploy with or without a device client.
SaaS App Protection
All access controls, data controls, and threat protection capabilities (as outlined in prior sections) apply consistently across SaaS apps.
Allow traffic only to corporate tenants of SaaS apps. Prevent leakage of sensitive data to personal or consumer tenants.
Review apps your end users visit. Set approval status for those apps.
Integrate with your most-used SaaS apps (e.g., Google Workspace, Microsoft 365) to scan, detect, and monitor for security issues.
API integrations continuously monitor SaaS apps for suspicious activities, data exfiltration, unauthorized access, and more.
Identify inappropriate file sharing behaviors within your most used SaaS apps.
Discover misconfigurations and incorrect user permissions within SaaS apps. Act immediately on surfaced security findings with step-by-step remediation guides.
Stop phishing and business email compromise with Cloudflare’s email security.
Visibility
On contract plans, DNS logs are stored for 6 months, and HTTP and network logs for 30 days.
24 hours
30 days
6 months
Comprehensive details for all requests, users, and devices, including block reasons. Block policy decisions are stored for a week, and authentication logs for 6 months.
Audit logs for the connection status of tunnels and for when a new DNS record is registered for an app.
Track usage and review approval status across applications end users visit.
Full replay of all commands run during an SSH session. Provides SSH visibility at a network layer.
Passively monitor private network traffic to catalog discovered apps and users who access them.
By default, logs do not store any employee PII (source IP, user email, user ID, etc.), and that PII is unavailable to all roles in your organization.
Provides predictive, historical, and real-time intelligence around application outages, network issues, and performance slow-downs to keep users productive.
Findings are security issues detected within SaaS applications that involve users, data at rest, and other configuration settings. Free tier includes basic findings, while Contract plans include deeper details about each instance.
Top-level findings only
Detailed findings
PII can be redacted from logs for all permission roles except for those specially designated.
Integrations with analytics and SIEM tools like Sumo Logic, Splunk, and Datadog.
Built-in support for one or more storage destinations concurrently including AWS, Azure, Google Cloud, and any S3-compatible API.
Network Performance and Connectivity On-ramps
50 ms away from 95% of the Internet-connected population globally.
Anycast network spanning 330 cities in 125 countries with 388 Tbps of network edge capacity.
13,000 interconnects, including major ISPs, cloud services, and enterprises.
Network architected so that every service operating at the edge is built to run in every data center and be available to every customer.
All traffic is processed in a single pass at the data center closest to its source. No backhauling.
Optimized routes to avoid congestion issues.
Available across all major OSes (Win, Mac, iOS, Android, Linux, ChromeOS).
Default mode sends traffic through WireGuard tunnels to enable the full range of security functionality.
Use DoH mode to only enforce DNS filtering policies, or use proxy mode to filter traffic only to specific apps.
Deploy to your entire device fleet via MDM tools. Or, users can download the device client themselves to self-enroll.
Connect resources to Cloudflare without a publicly routable IP address. Deploy via UI, API, or CLI.
Modernize branch office security with approachable initial steps like location-based DNS filtering.
See how Cloudflare protects users, apps, and networks from multi-channel phishing.
Walk through key capabilities in a simulated dashboard, exploring workflows across 25+ short demo videos.
Cloudflare Gateway is a cloud-native, low-latency Secure Web Gateway (SWG) that protects employees' Internet browsing from threats. It inspects browser traffic without the latency that backhauling introduces, since the inspection takes place on the Cloudflare global network. The result is secure browsing without disruptions.
Cloudflare Gateway runs everywhere in Cloudflare's global network, allowing it to inspect traffic no matter where employees are working, without disrupting their work. It also works in-line with other Cloudflare services like data loss prevention (DLP) and remote browser isolation for comprehensive protection.
Cloudflare Gateway is 50% faster than SWG alternatives, blocks both known and unknown threats using advanced threat detection, and provides holistic visibility into Internet traffic across all users, devices, and locations.
Cloudflare Gateway protects against these types of attacks by using proactive filtering and inspection policies across a wide range of security categories.
Gateway is designed to protect users regardless of their location. It can secure distributed remote offices with DNS filtering or more advanced inspections, keeping remote workers safe on the open web.