Magic Firewall

What is it?

Magic Firewall is a cloud-native network firewall that filters traffic at the packet level (Layer 3 and Layer 4) for networks connected to Cloudflare through Magic Transit or Magic WAN. Think of it as replacing the physical firewall appliances sitting in your data center with a cloud-delivered equivalent running on Cloudflare's global network.

What problem does it solve?

Traditional network firewalls are expensive hardware boxes (from vendors like Palo Alto, Fortinet, Check Point) that sit in data centers and inspect network traffic. They have several problems:

  • Capacity limits: Hardware firewalls can be overwhelmed during traffic spikes or DDoS attacks.
  • Single location: They only inspect traffic at one point, creating bottlenecks and requiring traffic to be backhauled through the data center.
  • Management overhead: Physical appliances need firmware updates, hardware replacements, and rack space.
  • No cloud-native option: As workloads move to the cloud, physical firewalls can't follow.

How does it work?

  1. Traffic to and from a customer's network flows through Cloudflare (via Magic Transit or Magic WAN).
  2. Before the traffic is forwarded to the customer, it passes through Magic Firewall.
  3. Customers define packet-level rules based on:
    • Source/destination IP addresses
    • Ports and protocols
    • Packet attributes (TCP flags, ICMP types, etc.)
  4. Traffic matching the rules is blocked, allowed, or logged.
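The rule matching in steps 3 and 4, modeled as an added example (not Cloudflare's code or rule syntax). The Packet and Rule classes, the first-match ordering, the non-terminal log action and the default-allow verdict are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    tcp_flags: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:                         # hypothetical rule model, unset field = wildcard
    name: str
    action: str                     # "block", "allow" or "log"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dports: Optional[range] = None
    tcp_flags: Optional[frozenset] = None   # exact flag combination

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and (self.dports is None or p.dport in self.dports)
                and self.tcp_flags in (None, p.tcp_flags))

def evaluate(rules, packet, default="allow"):
    """Return (verdict, log rules hit); the first block/allow match wins (assumed)."""
    logged = []
    for rule in rules:
        if not rule.matches(packet):
            continue
        if rule.action == "log":
            logged.append(rule.name)    # non-terminal: keep evaluating
        else:
            return rule.action, logged
    return default, logged

# Constructed sample policy; addresses are RFC 5737 documentation ranges.
SSH = dict(dst="203.0.113.0/24", proto="tcp", dports=range(22, 23))
RULES = [
    Rule("log-ssh", "log", **SSH),
    Rule("mgmt-ssh", "allow", src="198.51.100.0/24", **SSH),
    Rule("no-ssh", "block", **SSH),
    Rule("no-xmas", "block", proto="tcp", tcp_flags=frozenset({"FIN", "PSH", "URG"})),
]
```

Rule order carries the policy here: moving "no-ssh" above "mgmt-ssh" would block the management range as well.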

Additional capabilities:

  • Intrusion Detection System (IDS): Monitors network traffic for known attack patterns and signatures.
  • Packet Captures: Capture and analyze network packets for debugging and forensics.
  • Programmable rules: Rules can be configured via the dashboard, API, or Terraform.

Why it matters strategically

Magic Firewall completes Cloudflare's network security stack. Combined with Magic Transit (DDoS), Magic WAN (connectivity), and Gateway (web filtering), it means enterprises can replace their entire network security hardware stack with Cloudflare. This "rip and replace" value proposition is key to winning large enterprise deals and competing with Palo Alto, Fortinet, and other traditional firewall vendors.
