Cloudflare changelogs | Cloudflare WAN

Cloudflare WAN, Cloudflare One - Cisco IOS XE

Tue, 02 Jun 2026 00:00:00 GMT

The Cisco IOS XE third-party integration guide for Cloudflare WAN has been updated to include:

Post Quantum Cryptography (PQC)
Policy-Based Routing (PBR)
IP Service Level Agreement (IP SLA)

This link will take you directly to the updated Cisco IOS XE guide.

Cloudflare WAN, Magic Transit - Network Analytics support for Unified Routing

Mon, 18 May 2026 00:00:00 GMT

Network Analytics is now fully supported for accounts using Unified Routing mode. Traffic that traverses Unified Routing onramps and offramps is now visible in Network Analytics with the same dimensions and filters as traffic on the standard data plane.

This closes a parity gap for customers who had moved tunnels onto Unified Routing and lost visibility into their dataplane traffic in the Network Analytics dashboard. No configuration change is required — analytics data is collected automatically for all accounts with Unified Routing enabled.

For the remaining beta limitations, refer to Traffic steering beta limitations.

Cloudflare WAN, Magic Transit, Cloudflare One - New accounts assigned a single IPv4 anycast address

Tue, 12 May 2026 00:00:00 GMT

New Magic Transit and Cloudflare WAN accounts are now assigned a single IPv4 anycast address by default.

Cloudflare handles failures on its network automatically by advertising your endpoint IP from multiple nodes across many globally distributed data centers. To handle failures on your network, configure two tunnels from separate routers.

To request additional anycast IP addresses for your account, contact your account team.

For tunnel configuration guidance, refer to Configure tunnel endpoints for Cloudflare WAN or Configure tunnel endpoints for Magic Transit.

Cloudflare WAN, Magic Transit - NAT-T support for IKE on UDP port 500

Mon, 11 May 2026 00:00:00 GMT

Cloudflare IPsec now supports the standard NAT traversal (NAT-T) flow, where IKE begins on UDP port 500 and switches to UDP port 4500 after NAT is detected.

Previously, devices behind NAT had to be configured to initiate IKE on UDP port 4500 directly. Devices that started on UDP port 500 could not complete the IKE handshake when NAT was in the path. This required custom configuration on devices such as VeloCloud SD-WAN edges, Cisco IOS-XE routers, and Juniper SRX firewalls, and was not possible on every platform.

What changed:

Devices behind NAT can now initiate IKE on either UDP port 500 or UDP port 4500.
Devices that start IKE on UDP port 500 and switch to UDP port 4500 after NAT detection now complete the handshake successfully.
No configuration change is required on Cloudflare. The change is available for all IPsec tunnels on Cloudflare WAN and Magic Transit.

This change does not affect existing tunnels:

Tunnels using UDP port 500 with no NAT detected continue to operate as before.
Tunnels configured to start IKE on UDP port 4500 continue to operate as before.
NAT detection logic is unchanged.

For configuration details, refer to GRE and IPsec tunnels.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Custom DHCP options on Cloudflare One Appliance

Thu, 07 May 2026 00:00:00 GMT

When the Cloudflare One Appliance is acting as the DHCP server for a LAN, you can now configure custom DHCP options on the leases it issues. This unlocks workflows such as PXE / iPXE boot, VoIP phone provisioning, and vendor-specific client configuration.

Each option is defined by option_number, value, and one of four value types: text, integer, hex, or ip. Configurations are validated on the appliance before being applied — invalid configurations are rejected and the underlying error is returned to the API caller, so a bad option will not disrupt the live DHCP service.

For details, refer to DHCP server options.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Source-based breakout and prioritization on Cloudflare One Appliance

Thu, 07 May 2026 00:00:00 GMT

Breakout and traffic prioritization rules on the Cloudflare One Appliance can now match by source in addition to destination application. You can pin breakout or priority behavior to:

A source LAN interface — VLANs attached to that LAN are included automatically.
A source IP address, range, or CIDR block.

This is the natural way to break out a guest VLAN to the local Internet, or to prioritize traffic from a specific subnet, without enumerating destination applications.

For details, refer to Breakout traffic.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Self-serve provisioning of Cloudflare One Virtual Appliance via API

Thu, 07 May 2026 00:00:00 GMT

You can now create, rotate, and delete Cloudflare One Virtual Appliance instances and their license keys directly via the API and Terraform.

Create a virtual appliance and receive a license key: POST /accounts/{account_id}/magic/connectors with device.provision_license: true.
Rotate the license key for an existing virtual appliance: PATCH /accounts/{account_id}/magic/connectors/{connector_id} with provision_license: true. The previous key is immediately and irrevocably revoked.
Delete a virtual appliance to release the associated licensed device.

The license key is returned in the response only once, at create or rotate time. Copy and store it securely.

For details, refer to Configure a Cloudflare One Virtual Appliance.

Cloudflare One, Cloudflare WAN - Post-quantum IPsec interoperability with third-party devices

Thu, 30 Apr 2026 00:00:00 GMT

Cloudflare IPsec now supports post-quantum key agreement with compatible third-party devices. Cisco and Fortinet are the first third-party vendors validated to interoperate with Cloudflare IPsec using ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

Post-quantum IPsec uses RFC 9370 and draft-ietf-ipsecme-ikev2-mlkem to negotiate hybrid key agreement during the IKEv2 IKE_INTERMEDIATE phase. This combines classical Diffie-Hellman (Group 20) with ML-KEM-768 or ML-KEM-1024 to protect against harvest-now, decrypt-later attacks.

Key details:

Compatible with Cisco 8000 Series Secure Routers with IOS XR Release 26.1.1 and Fortinet FortiOS 7.6.6 and later.
Uses ML-KEM-768 or ML-KEM-1024 as an additional Key Exchange to DH Group 20.
Follows RFC 9370 and draft-ietf-ipsecme-ikev2-mlkem standards.
No additional licensing required.

Post-quantum IPsec with third-party devices is now generally available with confirmed interoperability for the platforms listed above. Cloudflare intends to support interoperability with more vendors as they build out support for draft-ietf-ipsecme-ikev2-mlkem. Contact your account team to discuss support for additional vendors.

For supported key exchange methods and the list of validated platforms, refer to GRE and IPsec tunnels.

Cloudflare Network Firewall, Magic Transit, Cloudflare WAN - Country rules supported in Unified Routing

Tue, 21 Apr 2026 12:00:00 GMT

Cloudflare Advanced Network Firewall Country rules are now supported for accounts using Unified Routing mode. This feature requires a Cloudflare Advanced Network Firewall subscription.

You can create firewall rules that match traffic based on source or destination country to enforce geographic access policies across your network.

This is the first of the Cloudflare Advanced Network Firewall features to become available in Unified Routing. Support for additional features - IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, and Managed Rulesets - is planned.

For the full list of current beta limitations, refer to Traffic steering beta limitations.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Link aggregation (LACP) support for Cloudflare One Appliance

Tue, 07 Apr 2026 00:00:00 GMT

Cloudflare One Appliance now supports Link Aggregation Control Protocol (LACP), allowing you to bundle up to six physical LAN ports into a single logical interface. Link aggregation increases available bandwidth and eliminates single points of failure on the LAN side of the appliance.

This feature is available in beta on physical appliance hardware with the latest OS. No entitlement is required.

To configure a Link Aggregation Group, refer to Configure link aggregation groups.

Cloudflare One, Cloudflare WAN, Cloudflare Network Firewall, Network Flow - Cloudflare One Product Name Updates

Tue, 17 Feb 2026 00:00:00 GMT

We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.

We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare.

What's changing

Magic WAN → Cloudflare WAN
Magic WAN IPsec → Cloudflare IPsec
Magic WAN GRE → Cloudflare GRE
Magic WAN Connector → Cloudflare One Appliance
Magic Firewall → Cloudflare Network Firewall
Magic Network Monitoring → Network Flow
Magic Cloud Networking → Cloudflare One Multi-cloud Networking

No action is required by you — all functionality, existing configurations, and billing will remain exactly the same.

For more information, visit the Cloudflare One documentation.

Cloudflare WAN - Anycast IPs displayed on the dashboard

Thu, 12 Feb 2026 00:00:00 GMT

Cloudflare WAN now displays your Anycast IP addresses directly in the dashboard when you configure IPsec or GRE tunnels.

Previously, customers received their Anycast IPs during onboarding or had to retrieve them with an API call. The dashboard now pre-loads these addresses, reducing setup friction and preventing configuration errors.

No action is required. All Cloudflare WAN customers can see their Anycast IPs in the tunnel configuration form automatically.

For more information, refer to Configure tunnel endpoints.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Post-quantum encryption support for Cloudflare One Appliance

Wed, 11 Feb 2026 00:00:00 GMT

Cloudflare One Appliance version 2026.2.0 adds post-quantum encryption support using hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

The appliance now uses TLS 1.3 with hybrid ML-KEM for its connection to the Cloudflare edge. During the TLS handshake, the appliance and the edge share a symmetric secret over the TLS connection and inject it into the ESP layer of IPsec. This protects IPsec data plane traffic against harvest-now, decrypt-later attacks.

This upgrade deploys automatically to all appliances during their configured interrupt windows with no manual action required.

For more information, refer to Cloudflare One Appliance.

Cloudflare WAN, Magic Transit, Cloudflare One - BGP over GRE and IPsec tunnels

Fri, 30 Jan 2026 00:00:00 GMT

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using IPsec and GRE tunnel on-ramps (beta).

Using BGP peering allows customers to:

Automate the process of adding or removing networks and subnets.
Take advantage of failure detection and session recovery features.

With this functionality, customers can:

Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via IPsec and GRE tunnel on-ramps.
Secure the session by MD5 authentication to prevent misconfigurations.
Exchange routes dynamically between their devices and their Magic routing table.

For configuration details, refer to:

Cloudflare One, Cloudflare WAN - Configure Cloudflare source IPs (beta)

Tue, 27 Jan 2026 00:00:00 GMT

Cloudflare source IPs are the IP addresses used by Cloudflare services (such as Load Balancing, Gateway, and Browser Isolation) when sending traffic to your private networks.

For customers using legacy mode routing, traffic to private networks is sourced from public Cloudflare IPs, which may cause IP conflicts. For customers using Unified Routing mode (beta), traffic to private networks is sourced from dedicated, non-Internet-routable private IPv4 range to ensure:

Symmetric routing over private network connections
Proper firewall state preservation
Private traffic stays on secure paths

Key details:

IPv4: Sourced from 100.64.0.0/12 by default, configurable to any /12 CIDR
IPv6: Sourced from 2606:4700:cf1:5000::/64 (not configurable)
Affected connectors: GRE, IPsec, CNI, WARP Connector, and WARP Client (Cloudflare Tunnel is not affected)

Configuring Cloudflare source IPs requires Unified Routing (beta) and the Cloudflare One Networks Write permission.

For configuration details, refer to Configure Cloudflare source IPs.

Magic Transit, Cloudflare Network Firewall, Cloudflare WAN, Network Flow - Network Services navigation update

Thu, 15 Jan 2026 00:00:00 GMT

The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together.

Your existing configurations will remain the same, and you will have access to all of the same features and functionality.

The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to Magic Transit, Magic WAN, and Magic Firewall.

Summary of changes:

A new Overview page provides access to the most common tasks across Magic Transit and Magic WAN.
Product names have been removed from top-level navigation.
Magic Transit and Magic WAN configuration is now organized under Routes and Connectors. For example, you will find IP Prefixes under Routes, and your GRE/IPsec Tunnels under Connectors.
Magic Firewall policies are now called Firewall Policies.
Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as Appliances and Appliance profiles. They can be found under Connectors > Appliances.
Network analytics, network health, and real-time analytics are now available under Insights.
Packet Captures are found under Insights > Diagnostics.
You can manage your Sites from Insights > Network health.
You can find Magic Network Monitoring under Insights > Network flow.

If you would like to provide feedback, complete this form. You can also find these details in the January 7, 2026 email titled [FYI] Upcoming Network Services Dashboard Navigation Update.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Breakout traffic visibility via NetFlow

Wed, 31 Dec 2025 00:00:00 GMT

Magic WAN Connector now exports NetFlow data for breakout traffic to Magic Network Monitoring (MNM), providing visibility into traffic that bypasses Cloudflare's security filtering.

This feature allows you to:

Monitor breakout traffic statistics in the Cloudflare dashboard.
View traffic patterns for applications configured to bypass Cloudflare.
Maintain visibility across all traffic passing through your Magic WAN Connector.

For more information, refer to NetFlow statistics.

Cloudflare One, Cloudflare WAN - Automatic Return Routing (Beta)

Thu, 06 Nov 2025 00:00:00 GMT

Magic WAN now supports Automatic Return Routing (ARR), allowing customers to configure Magic on-ramps (IPsec/GRE/CNI) to learn the return path for traffic flows without requiring static routes.

Key benefits:

Route-less mode: Static or dynamic routes are optional when using ARR.
Overlapping IP space support: Traffic originating from customer sites can use overlapping private IP ranges.
Symmetric routing: Return traffic is guaranteed to use the same connection as the original on-ramp.

This feature is currently in beta and requires the new Unified Routing mode (beta).

For configuration details, refer to Configure Automatic Return Routing.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Designate WAN link for breakout traffic

Thu, 06 Nov 2025 00:00:00 GMT

Magic WAN Connector now allows you to designate a specific WAN port for breakout traffic, giving you deterministic control over the egress path for latency-sensitive applications.

With this feature, you can:

Pin breakout traffic for specific applications to a preferred WAN port.
Ensure critical traffic (such as Zoom or Teams) always uses your fastest or most reliable connection.
Benefit from automatic failover to standard WAN port priority if the preferred port goes down.

This is useful for organizations with multiple ISP uplinks who need predictable egress behavior for performance-sensitive traffic.

For configuration details, refer to Designate WAN ports for breakout apps.

Gateway, Cloudflare WAN, Cloudflare Tunnel for SASE - DNS filtering for private network onramps

Thu, 11 Sep 2025 00:00:00 GMT

Magic WAN and WARP Connector users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet.

Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including Internal DNS and hostname-based policies.

To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, 172.64.36.1 and 172.64.36.2. Once you configure DNS resolution and filtering, you can use Source Internal IP as a traffic selector in your resolver policies for routing private DNS traffic to your Internal DNS.

Cloudflare WAN - Custom IKE ID for IPsec Tunnels

Mon, 08 Sep 2025 00:00:00 GMT

Now, Magic WAN customers can configure a custom IKE ID for their IPsec tunnels. Customers that are using Magic WAN and a VeloCloud SD-WAN device together can utilize this new feature to create a high availability configuration.

This feature is available via API only. Customers can read the Magic WAN documentation to learn more about the Custom IKE ID feature and the API call to configure it.

Cloudflare WAN - Bidirectional tunnel health checks are compatible with all Magic on-ramps

Fri, 05 Sep 2025 00:00:00 GMT

All bidirectional tunnel health check return packets are accepted by any Magic on-ramp.

Previously, when a Magic tunnel had a bidirectional health check configured, the bidirectional health check would pass when the return packets came back to Cloudflare over the same tunnel that was traversed by the forward packets.

There are SD-WAN devices, like VeloCloud, that do not offer controls to steer traffic over one tunnel versus another in a high availability tunnel configuration.

Now, when a Magic tunnel has a bidirectional health check configured, the bidirectional health check will pass when the return packet traverses over any tunnel in a high availability configuration.

Cloudflare WAN - Terraform V5 support for tunnels and routes

Thu, 31 Jul 2025 00:00:00 GMT

The Cloudflare Terraform provider resources for Cloudflare WAN tunnels and routes now support Terraform provider version 5. Customers using infrastructure-as-code workflows can manage their tunnel and route configuration with the latest provider version.

For more information, refer to the Cloudflare Terraform provider documentation.

Magic Transit, Cloudflare WAN - Magic Transit and Magic WAN health check data is fully compatible with the CMB EU setting.

Wed, 30 Jul 2025 00:00:00 GMT

Today, we are excited to announce that all Magic Transit and Magic WAN customers with CMB EU (Customer Metadata Boundary - Europe) enabled in their account will be able to access GRE, IPsec, and CNI health check and traffic volume data in the Cloudflare dashboard and via API.

This ensures that all Magic Transit and Magic WAN customers with CMB EU enabled will be able to access all Magic Transit and Magic WAN features.

Specifically, these two GraphQL endpoints are now compatible with CMB EU:

magicTransitTunnelHealthChecksAdaptiveGroups
magicTransitTunnelTrafficAdaptiveGroups

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Virtual Cloudflare One Appliance with KVM support (open beta)

Mon, 21 Jul 2025 00:00:00 GMT

The KVM-based virtual Cloudflare One Appliance is now in open beta with official support for Proxmox VE.

Customers can deploy the virtual appliance on KVM hypervisors to connect branch or data center networks to Cloudflare WAN without dedicated hardware.

For setup instructions, refer to Configure a virtual Cloudflare One Appliance.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Cloudflare One Appliance supports multiple DNS server IPs

Wed, 30 Apr 2025 00:00:00 GMT

Cloudflare One Appliance DHCP server settings now support specifying multiple DNS server IP addresses in the DHCP pool.

Previously, customers could only configure a single DNS server per DHCP pool. With this update, you can specify multiple DNS servers to provide redundancy for clients at branch locations.

For configuration details, refer to DHCP server.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Configure your Magic WAN Connector to connect via static IP assignment

Fri, 14 Feb 2025 00:00:00 GMT

You can now locally configure your Magic WAN Connector to work in a static IP configuration.

This local method does not require having access to a DHCP Internet connection. However, it does require being comfortable with using tools to access the serial port on Magic WAN Connector as well as using a serial terminal client to access the Connector's environment.

For more details, refer to WAN with a static IP address.

Magic Transit, Cloudflare WAN, Network Interconnect - Establish BGP peering over Direct CNI circuits

Tue, 17 Dec 2024 00:00:00 GMT

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.

Using BGP peering allows customers to:

Automate the process of adding or removing networks and subnets.
Take advantage of failure detection and session recovery features.

With this functionality, customers can:

Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via CNI.
Secure the session by MD5 authentication to prevent misconfigurations.
Exchange routes dynamically between their devices and their Magic routing table.

Refer to Magic WAN BGP peering or Magic Transit BGP peering to learn more about this feature and how to set it up.

Access, Browser Isolation, CASB, Cloudflare Tunnel for SASE, Digital Experience Monitoring, Data Loss Prevention, Email security, Gateway, Multi-Cloud Networking, Cloudflare Network Firewall, Network Flow, Magic Transit, Cloudflare WAN, Network Interconnect, Risk Score, Cloudflare One Client - Explore product updates for Cloudflare One

Sun, 16 Jun 2024 00:00:00 GMT

Welcome to your new home for product updates on Cloudflare One.

Our new changelog lets you read about changes in much more depth, offering in-depth examples, images, code samples, and even gifs.

If you are looking for older product updates, refer to the following locations.

Older product updates