Cloudflare Gateway
A cloud-native, low-latency Secure Web Gateway (SWG)
With visibility into approximately 20% of the web, Cloudflare’s unmatched network scale protects employee Internet browsing and blocks breach-causing threats.
Benefits of Cloudflare Gateway
Accelerate user Internet access
No more traffic backhauling. Our single-pass inspection is 50% faster than SWG alternatives.
Block known and unknown threats
Cloudflare's DNS and HTTP telemetry and threat detection models catch more risks.
Monitor traffic across your network
Stack in-line Zero Trust services to provide holistic Internet traffic visibility across users, devices, and locations.
Easy implementation and management
Streamline policy building and auditing with predefined categories.
How it works
Inspect browser traffic from our global network
Our Secure Web Gateway runs everywhere in Cloudflare’s global network, letting you inspect traffic wherever employees work.
It also runs in-line with our data loss prevention and remote browser isolation — offering secure browsing with no disruptions.
Learn how Gateway works within Cloudflare’s SASE platform
ANALYST RECOGNITION
What top analysts say
Cloudflare named a Visionary in 2025 Gartner® Magic Quadrant™ for SASE Platforms
Scored 2nd highest in ‘Strategy’ category in The Forrester Wave™: Zero Trust Platforms, Q3 2025
Cloudflare a Strong Performer in The Forrester Wave™: Email, Messaging, And Collaboration Security Solutions, 2025Q2
What our customers are saying
“Algolia is growing pretty fast. We needed a way to have visibility across our corporate network without slowing things down for our employees. Gateway gave us a simple way to do that.”
Director of Infrastructure & Security
TOP GATEWAY USE CASES
Protect against phishing and ransomware
Block attacks with proactive filtering and inspection policies across many security categories.
Secure distributed remote offices
Protect office users across any location with DNS filtering or more advanced inspections.
Protect remote workers
Keep users safe on the open web, regardless of where they work.
Helping organizations worldwide progress towards Zero Trust
Pricing
Threat protection features across full Zero Trust platform
Free Plan
$0
forever
Best for teams under 50 users or enterprise proof-of-concept tests.
Pay-as-you-go
$7
Per user/month (Paid annually)
Best for teams over 50 users solving narrow SSE use cases and do not require enterprise support services.
Contract Plan
Custom price
Per user/month (Paid annually)
Best for organizations building toward a full-featured SSE or SASE deployment that also desire maximum support.
Free Plan
Pay-as-you-go
Contract Plan
Free Plan
Pay-as-you-go
Contract Plan
Threat Protection
Comprehensive security categories
Block by ransomware, phishing, DGA domains, DNS tunneling, C2 & botnet, and more.
Recursive DNS filtering
Filter by security or content category. Deploy via our device client or via routers for locations.
HTTP(S) filtering
Control traffic based on source, destination country, domains, hosts, HTTP methods, URLs, and more. Unlimited TLS 1.3 inspection.
L4 firewall filtering
Allow or block traffic based on ports, IPs, and TCP/UDP protocols.
Antivirus inspection
Scan uploaded / downloaded files across types (PDFs, ZIP, RAR, etc.)
Integrated threat intelligence
Detection via our own machine learning algorithms and third-party threat feeds.
IPv6-only & dual stack support
All functionality available for IPv4 and IPv6 connectivity.
SSH proxying and command logging
Create network policies to manage and monitor SSH access to your applications
Network-level policies for physical locations
Secure connectivity for DNS filtering directly from offices.
Remote Browser Isolation (natively integrated)
Render all browser code at the edge, instead of locally, to mitigate threats. Deploy with or without a device client. Selectively control what activity to isolate and when.
Email Security
Stop phishing and business email compromise.
Proxy endpoints for PAC file support
Apply HTTP policies at the browser level by configuring a PAC file. Apply filters without deploying client software on user devices.
Dedicated egress IPs
Dedicated range of IPs (IPv4 or IPv6) geolocated to one or more Cloudflare network locations.
Core Capabilities
Uptime
Dependable service level agreements (SLA) for paid plans with 100% uptime and reliable service you can trust.
Standard log retention
Zero Trust logs are stored for a varying period of time based on the plan type and service used. Contract users can export logs via Logpush.
Application connector software
Securely connects resources to Cloudflare without a publicly routable IP address. Does not require VM infrastructure and has no throughput limitations.
Device client (agent) software
Securely and privately sends traffic from end user devices to Cloudflare’s global network. Enables capabilities like building device posture rules or enforcing filtering policies anywhere. Self-enroll or deploy via MDM.
Zero Trust Network Access (ZTNA)
ZTNA provides granular identity- and context-based access to all your internal self-hosted, SaaS, and non-web (e.g., SSH) resources.
Secure Web Gateway (SWG)
SWG protects against ransomware, phishing, and other threats using L4-7 network, DNS, and HTTP filtering policies for faster, safer Internet browsing.
Digital Experience Monitoring (DEX)
Provides user-centric visibility into device, network, and application performance across your Zero Trust organization.
Network flow monitoring
Provides network traffic visibility and real-time alerts for unified insights into network activity. Available for free to everyone.
Cloud Access Security Broker (CASB)
CASB continuously monitors SaaS apps at rest to detect potential data exposure due to misconfigurations or weak posture findings.
Data Loss Prevention (DLP)
DLP detects sensitive data in transit and at rest across web, SaaS and private apps with controls or remediation guides to stop leakage or exposure.
Log Explorer
Log Explorer provides native log storage, retention, and analytics of HTTP and security event logs. Learn more
PRICING
- Pay-as-you-go: Free for the first 10 GB, $1 per GB per month after.
- Contract: Custom pricing
Remote Browser Isolation (RBI)
RBI layers additional threat defense and data protection controls across browsing activities by running all browser code on Cloudflare's global network.
Email security
Email security helps block and isolate multichannel phishing threats, including malware and business email compromise.
Network services for SASE
Cloudflare One is our single-vendor SASE platform that converges Zero Trust security services from the plans above with Network services — including Magic WAN and Firewall.
Access Controls
Customizable access policies
Custom application and private network policies, plus policy tester. Supports temporary authentication, purpose justification, and any IdP-provided auth method.
Protect access to all your apps and private networks
Protect self-hosted, SaaS, and non-web (SSH, VNC, RDP) apps, internal IPs and hostnames, or any arbitrary L4-7 TCP or UDP traffic.
Authentication via Identity Providers (IdPs)
Authenticate via enterprise and social IdPs, including multiple IdPs concurrently. Can also use generic SAML and OIDC connectors.
Identity-based context
Configure contextual access based on IdP groups, geolocation, device posture, session duration, external APIs, etc.
Device posture integration
Verify device posture using third-party endpoint protection provider integrations.
Clientless access option
Clientless access for web apps and browser-based SSH or VNC.
Browser-based SSH and VNC
Privileged SSH and VNC access through in-browser terminal.
Split tunneling
Split tunneling for local or VPN connectivity.
Application launcher
Customizable app launcher for all apps, including bookmarks to apps outside of Access.
Token authentication
Service token support for automated services.
Internal DNS support
Configure local domain fallback. Define an internal DNS resolver to resolve private network requests.
Infrastructure-as-code automation (via Terraform)
Automate deployment of Cloudflare resources and connections.
mTLS authentication
Certificate-based auth for IoT and other mTLS use cases.
Data Protection
Zero Trust access to mitigate data leakage (via ZTNA)
Set least-privilege policies per application to ensure users only access data they need.
File upload / download controls based on Mime type (via SWG)
Allow or block uploads / downloads of files based on Mime type.
Application and application type controls (via SWG)
Allow or block traffic to specific apps or app types.
CASB to detect risk of data leakage from SaaS apps
Add Cloudflare CASB to detect if misconfigurations in SaaS applications leak sensitive data. View full list of supported integrations.
Data Loss Prevention (DLP)
Inspect HTTP(S) traffic and files for the presence of sensitive data. Free tier includes predefined profiles like financial info, while full-featured contract plans also include custom profiles, custom datasets, OCR, DLP logs, and more.
Controls over data interactions within a browser (via RBI)
Restrict download, upload, copy/paste, keyboard input, and printing actions within isolated web pages and applications. Prevent data leakage onto local devices, and control user inputs on suspicious websites. Deploy with or without a device client.
SaaS app protection
Inline access and traffic controls for every SaaS app
All access controls, data controls, and threat protection capabilities (as outlined in prior sections) apply consistently across SaaS apps.
SaaS app tenant controls
Allow traffic only to corporate tenants of SaaS apps. Prevent leakage of sensitive data to personal or consumer tenants.
Shadow IT discovery
Review apps your end users visit. Set approval status for those apps.
In-depth SaaS app integrations
Integrate with your must used SaaS apps (e.g. Google Workspace, Microsoft 365) to scan, detect, and monitor for security issues. View full list of supported integrations.
Continuous monitoring of data security risks and user activities
API integrations continuously monitor SaaS apps for suspicious activities, data exfiltration, unauthorized access, and more.
File sharing detection
Identify inappropriate file sharing behaviors within your most used SaaS apps.
SaaS app posture management and remediation
Discover misconfigurations and incorrect user permissions within SaaS apps. Immediately action surfaced security findings with step-by-step remediation guides.
Data Loss Prevention (DLP)
Inspect HTTP(S) traffic and files for the presence of sensitive data. Free tier includes predefined profiles like financial info, while full-featured contract plans also include custom profiles, custom datasets, OCR, DLP logs, and more.
Phishing detection for cloud-based email apps
Stop phishing and business email compromise with Cloudflare’s email security.
Visibility
Standard activity log retention
On contract plans, DNS logs are stored 6 months, and HTTP and network logs for 30 days.
Access and authentication logs
Comprehensive details for all requests, users, and devices, including block reasons. Block policy decisions are stored for a week, and authentication logs for 6 months.
App connector (tunnel) logs
Audit logs for the connection status of tunnels and for when a new DNS record is registered for an app.
Shadow IT visibility with categorized application groups
Track usage and review approval status across applications end users visit.
SSH command logging
Full replay of all commands run during an SSH session. Provides SSH visibility at a network layer.
Private network discovery
Passively monitor private network traffic to catalog discovered apps and users who access them.
Exclude personally identifiable information (PII)
By default, logs will not store any employee PII (source IP, user email, user ID, etc.) and be unavailable to all roles in your organization.
Digital Experience Monitoring (DEX)
Provides predictive, historical, and real time intelligence around application outages, network issues, and performance slow-downs to keep users productive. View capabilities.
CASB findings
Findings are security issues detected within SaaS applications that involve users, data at rest, and other configuration settings. Free tier includes basic findings, while Contract plans include deeper details about each instance.
Redact PII
PII can be redacted from logs for all permission roles except for those specially designated.
Logpush to SIEM
Integrations with analytics and SIEM tools like Sumo Logic, Splunk, and Datadog.
Log Explorer
Log Explorer provides native log storage, retention, and analytics of HTTP and security event logs. Learn more
PRICING
- Pay-as-you-go: Free for the first 10 GB, $1 per GB per month after.
- Contract: Custom pricing
Logpush to cloud storage
Built-in support for one or more storage destinations concurrently including AWS, Azure, Google Cloud, and any S3-compatible API.
Network performance and connectivity on-ramps
Lightning-fast network speed
50 ms away from 95% (or 50 ms away from 80%) of the Internet- connected population globally
Global Anycast network
Anycast network spanning 330 cities in 125 countries with 388 Tbps Tbps of network edge capacity.
Global interconnects
13,000 interconnects, including major ISPs, cloud services, & enterprises.
One control plane for all edge services
Network architected so that every service operating at the edge is built to run in every data center and available to every customer.
Single-pass inspection for L3 - L7 traffic
All traffic is processed in a single pass at the data center closest to its source. No backhauling.
Smart routing over virtual backbone
Optimized routes to avoid congestion issues.
Device client (agent) software
Available across all major OSes (Win, Mac, iOS, Android, Linux, ChromeOS).
Multiple modes for device client (agent)
Default mode sends traffic through WireGuard tunnels to enable the full range of security functionality.
Use DoH mode to only enforce DNS filtering policies, or use proxy mode to filter traffic only to specific apps.
Managed deployment and self-enrollment options
Deploy to your entire device fleet via MDM tools. Or, users can download the device client themselves to self-enroll.
App connector (tunnels)
Connect resources to Cloudflare without a publicly routable IP address. Deploy via UI, API, or CLI.
Resources
Securing distributed workplaces
Modernize branch office security with approachable initial steps like location-based DNS filtering.
Multi-channel phishing threat defense
See how Cloudflare protects users, apps, and networks from multi-channel phishing.
Interactive Tour of Cloudflare’s Zero Trust Platform
Walk through key capabilities in a simulated dashboard, exploring workflows across 25+ short demo videos.
