Cloudflare Gateway (Secure Web Gateway)
What is it?
Cloudflare Gateway is a Secure Web Gateway (SWG) that filters and inspects internet-bound traffic from an organization's users. It acts as a security checkpoint between employees and the internet, blocking access to malicious sites, preventing data leaks, and enforcing corporate policies — all from the cloud.
What problem does it solve?
When employees browse the internet or use SaaS applications, they're exposed to threats:
- Phishing sites: Employees may click malicious links in emails or messages.
- Malware downloads: Visiting compromised websites can silently install malware.
- Data exfiltration: Sensitive company data can be uploaded to unauthorized services (like personal Dropbox accounts).
- Shadow IT: Employees use unapproved SaaS tools without IT's knowledge.
Traditionally, organizations used on-premises proxy appliances for this. But with remote work, those appliances can't protect employees who aren't in the office.
How does it work?
Gateway operates at three layers:
DNS Filtering: The most lightweight option. Route DNS queries through Cloudflare and block entire categories of domains (malware, adult content, gambling, etc.) before any connection is made. This is fast and doesn't require installing anything on devices.
Network Filtering: Create policies based on source/destination IP, port, and protocol. Useful for controlling what network traffic employees can generate.
HTTP/HTTPS Inspection: The most powerful option. Cloudflare decrypts, inspects, and re-encrypts HTTPS traffic to apply policies based on URL, file type, request body, and more. This enables:
- Blocking specific pages within allowed sites
- Scanning downloads for malware
- Preventing uploads of sensitive files (DLP - Data Loss Prevention)
- Blocking access to personal instances of SaaS apps (e.g., allow corporate Google Drive but block personal Google Drive)
The Cloudflare One Client (formerly WARP) is a lightweight agent installed on employee devices that routes traffic through Gateway for inspection.
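The three layers above differ in what each one can see, and that decides what each one can block. The following added example (not Cloudflare code or Gateway rule syntax) models this in Python; the domains, address range, port rule, path rule, DLP marker and the DNS, network, HTTP evaluation order are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed policy data for this sketch; not Cloudflare categories or rules.
BLOCKED_DOMAINS = {"malware.example"}
BLOCKED_NETS = [ip_network("203.0.113.0/24")]
BLOCKED_PORTS = {("tcp", 23)}                      # no outbound telnet
BLOCKED_PATHS = {("files.example", "/personal/")}  # one area of an allowed site
DLP_MARKER = b"CONFIDENTIAL"

@dataclass
class Request:
    url: str
    dst_ip: str
    protocol: str
    port: int
    method: str = "GET"
    body: bytes = b""

def dns_layer(req):
    """Sees only the queried hostname, before any connection exists."""
    host = urlsplit(req.url).hostname or ""
    hit = any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)
    return "block" if hit else "allow"

def network_layer(req):
    """Sees destination IP, port and protocol; no hostname, URL or body."""
    in_net = any(ip_address(req.dst_ip) in n for n in BLOCKED_NETS)
    return "block" if in_net or (req.protocol, req.port) in BLOCKED_PORTS else "allow"

def http_layer(req):
    """Sees the full URL, method and body once TLS has been decrypted."""
    parts = urlsplit(req.url)
    for host, prefix in BLOCKED_PATHS:
        if parts.hostname == host and parts.path.startswith(prefix):
            return "block"
    if req.method in ("POST", "PUT") and DLP_MARKER in req.body:
        return "block"
    return "allow"

def evaluate(req):
    """Return (verdict, layer) for the first layer that blocks (assumed order)."""
    layers = (("dns", dns_layer), ("network", network_layer), ("http", http_layer))
    for name, layer in layers:
        if layer(req) == "block":
            return "block", name
    return "allow", None
```

Two requests to the same hostname and IP look identical to the DNS and network layers, so a rule that separates them by path or upload content can only be enforced at the HTTP layer.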
Why it matters strategically
Gateway is the "bread and butter" of SASE. It's the product CISOs think of first when evaluating Zero Trust vendors. It directly competes with Zscaler Internet Access (ZIA), which is Zscaler's core product. For Cloudflare, Gateway generates significant recurring revenue and creates sticky adoption — once an organization routes all employee internet traffic through Gateway, switching costs are high.