Cloudflare TV

Zero Trust Week: New Product Demo — Magic Firewall

Presented by David Harnett, Annika Garbers, Achiel van der Mandele
Originally aired on 

This is a session to demonstrate a new product release that will be announced the morning of this Cloudflare TV slot. Don't miss out because this will be hot off the presses!

Read the Blog Posts:

Zero Trust Week

Transcript (Beta)

Welcome to Zero Trust Week. This is a great week here at Cloudflare where we have announcements all week.

On Monday we had an announcement of Cloudflare One. Cloudflare One is a comprehensive cloud -based network as a service solution that defines the future of the corporate network.

We're going to be talking about that today in this session which is going to be really exciting.

On Tuesday we announced Access for SaaS.

On Wednesday we announced Cloudflare Gateway. Also Warp apps and agents for sending traffic directly from devices to our network.

And we announced Cloudflare One Intel.

Really exciting day on Wednesday. Thursday was the announcement of the beta of the Cloudflare browser isolation solution.

And then today, Friday, we have the announcement of Magic Firewall.

So I am now going to show my guests who are here with me right now and I'll introduce myself really quick.

My name is David Harnett. I'm Director of Product Management for Cloudflare for Teams.

I'm joined by Annika Garbers and Annika is the Product Manager for Magic Firewall, actually Magic Transit.

We're going to talk about Magic Firewall today, which will be fun.

And then Akhil Vandermandala is here also.

And Akhil tells me that he is the Product Manager of everything or anything.

And he says, more specifically, the Product Manager of the edge of the edge.

So interesting title, Akhil. I want to hear more about that later on. So just to open up this discussion, which is really going to be a great panel discussion today, what happened today?

What was announced and why is it so important for our customers?

Great question. So maybe recapping again, this is from the blog that we put out at the beginning of the week announcing Cloudflare One, our comprehensive cloud -based solution that allows you to apply policies anywhere and everywhere.

And where Magic Firewall, the product we're going to be talking about, fits in is in one of the on-ramps to the Cloudflare One network.

With Cloudflare, we have over 200 data centers. You can apply policies with the gateway and Teams and access anywhere.

We wanted to extend that. And we noticed that while we were very good at protecting web assets and increasingly allowing people to protect and apply policies to phones with our work client, the branch office or data center use case is also a really, really big one.

You essentially want to be able to plug in directly to the Cloudflare network using Magic Transit, which allows us to see all of the traffic that emits and comes into those properties.

And it's a very logical point to connect in, apply policies. And as a first step there, we're announcing Magic Firewall today, which is a product that allows you to apply static mitigations on that.

And Anika can tell you a little bit more about that.

This is a diagram of what a traditional firewall setup looks like. You essentially have your data center, which runs all of your applications and maybe internal systems.

And you have a box, the firewall box on-prem. And then when bad guys attack your infrastructure, all that traffic goes through your on -premise firewall.

But this doesn't really work anymore for a lot of large companies for a couple of reasons.

One is that it doesn't scale. The capacity is limited. We've heard from customers who say that, oh, my firewalls fall over all the time.

The CPU gets exhausted.

I have to go into a data center and stand them up again to be able to protect my network.

And then the other thing is that data centers aren't just in one place anymore.

It's very rare for a large company operating in a global network to have just one location with servers that they can trust one box to completely protect.

And so what ends up happening is these kind of fragmented solutions.

You'll have a mix of some hardware and some software-defined solutions, lots of different tools to manage things, legacy systems.

And so it just becomes really, really difficult to actually wrap your hands around everything that's going on with controlling your network.

And so what we've decided to launch is Magic Firewall, which is a firewall that runs in every single Cloudflare POP.

And like Akil mentioned, as your traffic comes into Cloudflare's network through Magic Transit, we're able to filter it at the location closest to the source of the traffic with any allow and deny rules that you'd like to configure.

And they run right at our edge so that you get only the clean traffic and the allowed traffic back to your data center.

And this means, this is a zoomed -in picture, but this means that your firewall is running all over the place, not just close to where your data center is.

And so the traffic always gets processed at a place extremely close to its source and your end users.

That's great.

One of the things that we've been hearing a lot is from our customers. And our customers, I'm on the Cloudflare for Teams team, like I said in the introduction.

And you're on Magic Firewall and Magic Transit teams. And I also want to hear about Cloudflare Network Interconnect in a minute too.

But we're hearing from our customers that they want them together.

And they want to be able to use a platform that really can fit wherever they are on a Zero Trust journey.

Like this week is Zero Trust.

And our customers say, I just can't ditch my firewall.

I can't ditch my network and all my infrastructure just immediately. I have a journey to get there.

So can you bring in Magic Transit and now Magic Firewall and Cloudflare Network Interconnect?

So I have my on-ramps for my own network into what is now Cloudflare 1.

And then I can go on that Zero Trust journey with you. We've been on lots of customer calls together.

Tell me a little bit, Anika and Akhil, about what you're hearing from customers and how all of this fits together with Cloudflare 1.

Yeah, sure. So before I answer that question, I want to touch on something you said, which is that the teams and the networking things are coming together.

I think Matthew Prince put it really well last Sunday when he tweeted out a picture of the A-team saying, I love it when a plan comes together.

It very, very much feels that way right now this week. When I look at everything that's going on, it feels like we've gone through this journey in the last 10 years where we've built all of these pieces and looking together.

And it's really, really fantastic to see that culmination of all those products coming together that allow you to literally onboard all of your traffic onto the Cloudflare network and apply policies, gain visibility, manage everything from a single pane of glass at unprecedented scale.

So to answer your question, I think, as Anika mentioned, CPU starvation and managing boxes is a big one.

And there's a few aspects to that.

So for one, it's very difficult when you're dealing with hardware boxes to kind of really figure out, so how much capacity do I need?

We all do this dance every couple of years with our vendors. And they're like, OK, should I buy one box?

Maybe I should buy two boxes. And it's not just difficult to kind of estimate or figure out how much capacity you need now.

You also need to figure out how that capacity is going to have to grow.

Will I have to pick up the phone again in a year from now when I've doubled the amount of people inside my office or when I've doubled the amount of services that I'm offering at the edge?

That's really, really tricky.

The other problem is that we have a lot of disparate vendors.

I mean, what we see a lot of folks doing is they will use different vendors for different solutions and kind of mix and matching that.

Sometimes it's because of features.

Sometimes it's also just because of legacy. Maybe you've acquired a different company which had standardized on vendor X and you're used to vendor Y.

How do you consolidate that? Do you replace those? And that's led to a lot of people doing very clunky things and has literally spawned an industry of services to keep all of that configuration in sync, not only across maybe 10 of the same boxes, but also across vendors, which is immensely complex.

And I think with Cloudflare, what's really great with having one firewall is you can consolidate everything and see everything happening in real time and apply policy that gets pushed to the entire global edge within seconds instead of having to go into little boxes one by one and hoping that you don't mess up.

Yeah, that's great. And Anika, we were talking right before this broadcast about a great blog that you're going to be posting very soon, hopefully later on today, about our network and really how it was built for Cloudflare One.

Can you tell us a little bit, same question to you, but maybe introducing some of the stuff, a preview of what's going to be in your blog later on today?

Yeah, for sure. Akila was mentioning Cloudflare One is amazing to see come together because it's all of these different pieces that we've built over time.

But really the foundation for all of those pieces that we've been really consistent with building over the past 10 years is our network.

All of our products rely on our network. Our network is sort of the foundation of value for all of them.

And so, for example, if you take our CDN product, one of Cloudflare's oldest products, most widely used, CDN really requires us to be close to eyeballs everywhere in the world.

It's critical for us to be as close to people as possible because that's how we deliver content fast.

But that also means that the other products that run on Cloudflare's network get those same kind of benefits of being close to eyeballs.

So if you have employees working from home and trying to connect to data centers to access assets, their connectivity through Cloudflare to your data center is going to be really high quality because we are connected to all of the eyeball ISPs that your employees are probably connected to.

All of our products run everywhere. So it's not like we have some dedicated data centers for CDN and some dedicated for bot management and some for Magic Transit.

Every product is on every server. And so that means that if you're using multiple Cloudflare products together, stacking them like our Cloudflare for Teams and Magic Transit together, that when the traffic comes in, it will sort of just be dispatched to the correct services based on the products that you're using, but on that same box or in that same place in the data center.

And so you don't have this situation where traffic is being sent around and adding unnecessary latency before being sent back to your network.

So really the way that we've architected our network, super globally distributed, super well interconnected on commodity hardware, so it's really easy for us to scale.

And then also the fact that we just have such a diverse traffic workload coming through our network, so we can get lots of insight on attacks and malicious traffic patterns, but also on congestion around the world.

All of these things kind of give us the tools to improve all of our products that run on the network.

That's great. Akhil, I read your blog today and the announcement.

It was really great. Can you tell us a little bit more and kind of walk us through in a little bit more detail on the announcement today and Magic Firewall and talk about some of the areas that you were highlighting in your blog so that we can kind of hear a little bit more technically what it is.

And then also at some point, whether you want to do it now or later, tell us how can we learn more and when should we expect the product to be available for customers.

I know it's in development and we're starting to use it with Cloudfire's own network, but it would be great if you could tell us a little bit more about that.

Yeah, for sure. So we launched Magic Transit, I think a little bit over a year ago, and it was very apparent there that we needed at least like some basic firewalling capabilities, but we never had any good way of giving you like a good expression language or a way of even doing that yourself.

So the pain that we've noticed our customers having over the past year is whenever they would want to make a change, they would have to like literally come to Cloudfire and say, hey, can you mitigate this traffic or that traffic?

But it was a very clunky process and not only for our customers, but for us as well, because if you're applying policies on behalf of someone that's sometimes error prone, it's also difficult to gain like insights into like where are things going wrong?

Are you really blocking traffic?

That type of thing. So we knew immediately that we really wanted to make this into a full product.

And that's the product that we're launching today, which is Magic Firewall.

And essentially what it allows you to do is completely self-service, create firewall rules, and apply them at our global edge.

We're focusing right now on static mitigations. So you can think of the way like a lot of these policies work is we know that this traffic over here is bad because we know that we've seen like an attacker coming from there.

Or we know that this is part of a known botnet.

So we want to block those IPs. Whereas we know that these IPs here are from known folks or branch offices or anywhere.

We know that that traffic is good.

We want to allow that traffic. So we allow you to express that with Magic Firewall.

And we're doing all of that using a Wireshark filter syntax.

So that's a well-known syntax that's common throughout the industry.

And so well understood. If you don't want to use that syntax, we also have an expensive UI that allows you to, almost like a, I want to say WYSIWYG, but it's not really WYSIWYG, but allows you to like build out your expressions with the and or statements, which is very intuitive and easy to use.

And that's another way that you can express those things.

In terms of looking ahead, I think a lot of what we've learned from customers is that they want us to be a lot more intelligent in this regard.

I think in a lot of places, we are that. As a company, our roots were originally in CDN, WAF, very much on the web property.

So that's a lot of like, we look at traffic that's coming in and try to do intelligent things there.

And we have a really great WAF that does that, right?

Whenever new vulnerabilities come out or whenever we see a new style of attack, we can immediately provision a rule and offer those to our customers.

They can opt in to have those be applied automatically, or we can also offer them to just enable it manually.

More and more from customers, we've seen people ask about the reverse.

And with Magic Transit, we are in that position, right?

If you're connecting your branch office or your headquarters or something through Magic Transit and connecting to the Cloudflare network, we see the data as it's egressing or coming out of that location.

And we want to be able to offer similar, like very smart style of detections and mitigations there.

The way one of our customers talked about it is like, you're really, really great at WAF.

We feel totally comfortable sleeping at night because we know you got our back and we don't have to worry about that stuff.

We don't have a good solution for our offices.

And we would love if you could do the same thing for us there.

And we, I tease this out a little bit in the blog, but we're actively looking into very, very advanced technologies there and hope to make some announcements there in the near future.

That's great. That's great. Thanks for that, Ahil.

I'm sure you will get lots more questions from our customers about the future roadmap there, which looks really exciting.

Annika, back to you on Magic Transit.

I've seen a lot of activity that you've been involved with with our customers this week.

We were talking about some of the customer stories earlier in the week.

Tell us a little bit about what's going on with customers this week, how your and the Magic Transit team has been called to protect them and then how that is now leading to discussions about onboarding more holistically to Cloudflare One.

Yeah, totally. One of the things that we've seen or the trends in general that we've seen since the start of COVID, it's just a rise in DDoS attacks in general.

Attackers understand that infrastructure is extremely vulnerable and also extremely critical right now.

And so they're taking this as an opportunity and an advantage to attack networks at a much higher rate than we've seen kind of ever before.

And in the past couple of weeks, the specific kind of uptick that we've seen is in ransom DDoS attacks, actually.

So attack groups will send like a note to large companies and say, hey, we've chosen you as a target.

We're going to launch a test attack so that you can see that we're not kidding around.

And if you don't pay us a bunch of Bitcoin or money or whatever they're asking for, then we're going to come back and attack you for real and take down your network.

And that means that your employees won't be able to access your services.

Your users won't be able to access your services.

The thing that they're threatening is a huge deal for these companies.

And so Magic Transit and then also Magic Firewall come in here because these products can actually help customers protect their networks.

Magic Transit protects from Layer 3 and 4 DDoS attacks, so exactly the types of attacks that these attackers are launching and threatening to launch.

And then Magic Firewall also gives the ability to get sort of closer to that Zero Trust model of allowing only the traffic that customers expect.

So especially in situations where they're under threat or on sort of extra high alert about protecting their infrastructure, they have the ability to sort of lock things down even more.

And so we've been onboarding a lot of these customers recently with Magic Transit, configuring the firewall rules with Magic Firewall and been able to protect them, which is a really good feeling.

But it sucks that these people are out there trying to be opportunistic and take advantage of this opportunity when lots of folks are really vulnerable.

We're publishing a blog post about specifically this phenomenon, the uptick in ransom attacks, later this week with some guidance to companies about how to navigate these situations if you end up receiving a ransom attack.

So look out for that coming soon. That's great, thank you for that.

And later this week, given that it's Friday, it's going to be interesting that you're going to have to have to write that and publish that so quickly.

Maybe next week.

Yeah, maybe next week. We were talking before this about maybe another blog that's going to go out sometime later today or over the weekend to round out this great Zero Trust Week.

One more thing. Yeah, exactly. Well, as Michelle, our co-founder, says, we're just getting started and we definitely are with Zero Trust.

This week has been great and we now have a lot more work to do and working with our customers, which would be really awesome.

Okay, so we have, at the beginning of this conversation, Akhil, you walked us through Cloudflare One, which was great.

And I noticed that the on -ramps, which customers always ask us about, you talked about Warp being an on -ramp for our devices, you talked about Magic Transit, and then you just kind of breezed through pretty quickly Cloudflare Network Interconnect.

So throwing it out to you and Annika, can you tell us a little bit more about CNI, how it's being used, what it is, and a little bit about what's coming there as well?

Yeah, so with Magic Transit, the way that we attract traffic to our network is with BGP.

So we actually announce customers' prefixes on their behalf and then we do the traffic processing at the location closest to the source and then we send the clean traffic on to our users.

And so the sort of on -ramp that you're talking about is in that the method sort of to get traffic from Cloudflare to our users.

One option that a lot of our customers use is in-cast GRE tunnels over the Internet.

So we essentially set up a tunnel with an endpoint in Cloudflare's network, an endpoint in our customer's network, and then from our perspective, those tunnels are established from every one of our locations.

From the customers, they see Cloudflare as sort just one network that they're connecting with.

So it's really easy to manage, but it means that they can get traffic, clean traffic back to them from anywhere that it comes into our network.

Another option that we've heard customers ask about is CNI, Cloudflare Network Interconnect, which we launched a few months ago.

And what that allows our customers to do is actually connect to Cloudflare with a secure, private, dedicated physical or virtual link.

So if we're co-located with you in a data center, which pretty high chances that we are if you're operating a global network, because we are pretty much everywhere in private peering facilities around the world.

If we're co-located, you can run a physical cable and get traffic delivered to your network that way.

So essentially, once it comes into Cloudflare, it's Cloudflare to Cloudflare to you.

Or the other option that we have available is with partnerships with organizations that do packet fabric.

So Megaport and Equinix are examples of this.

We have partnerships with some others as well. And in that case, we're essentially saying, hey, Cloudflare is connected to Megaport in this location, and you're connected to Megaport in this location.

So let's just use that path to send traffic securely over to you.

And so if traffic comes into our network with sort of the BGP process that we use for Magic Transit, gets processed with allow and deny rules for Magic Firewall, then we can just send it securely over that link.

And that also works for any of our other products as well.

So if you're using Access, if you're using Layer 7, you'll be able to use CNI to get traffic delivered to you in a secure way.

Akil, anything to add there? No, I think you nailed it.

So I actually had a question for David, if you don't mind me.

I know you've been asking most of the questions. Yeah, no, that's definitely not permitted, Akil.

I'm asking questions. Definitely can't do that. Go ahead. We're going to go for it anyway.

So you've been at the middle of a lot of this week, and there's just so much that's come out this week.

If you had to kind of pick one announcement that we did this week, what would your favorite be and why?

Sure, that's a good question.

And of course, the right answer is to say they're all the favorites.

So what do I think? I actually think that the Cloudflare 1 announcement, and I'm saying over the weekend because we were working with Matthew as he was pulling all that together over the weekend, it did come out on Monday.

I think that that was the favorite announcement for me because over the last few months, our customers have been talking about Cloudflare 1.

We just haven't put a name on it.

And as we've now started adding more products to Cloudflare for Teams, customers could start seeing that our network was the real big component that they really wanted.

And when Teams was access for internal apps, it was a little bit harder for them to see that full picture.

But then as we started launching gateway, and then as we launched and we're starting to beta the warp applications that are basically agents that send your traffic to gateway, customers could start seeing that.

And we were being called into more and more meetings with you and your team about how do I just get this network thing together?

How can I have a secure web gateway and proxy my traffic and protect my devices, but also protect my network and my branch offices?

So we were all talking about that and planning it internally.

But I think that Cloudflare 1 bringing it all together, brought it together for our customers and then as well for us internally.

And I think it's facilitating a lot of great things. And that's why I said we're just getting started because we really are in the momentum that we're building around Cloudflare 1.

So that's my answer on the favorite announcement. I do have a favorite product though that went out, a specific product that went out.

Cloudflare 1 is a platform that you can connect into and it makes things a lot simpler for companies to connect to our network.

But I will have to fall back to my favorite browser because I came in with the S2 acquisition.

And yesterday I was browsing in our Seattle Colo for the first time, which was quite amazing because I'm here in Seattle and the Colo is really just like a few feet away really.

And the speed was incredible.

When we were in a startup and we were running in five data centers around the world, we were always embarrassed because they were never really close enough to be just so, so screaming fast.

So yesterday we announced the beta. We're all using it in the ETI group, the Emerging Technology and Incubation group.

We're using it internally and we're starting to let our customers now use browser.

So that was really exciting for me on a product launch yesterday. I began to launch that.

So we have three minutes to go here. Any other questions that anybody wants to throw out to me or anything else that we've missed?

We certainly want to do a bit of a wrap up, but I'll say, I'll throw it out to both of you.

Anything else you want to say about the announcement of Magic Firewall today before we do a wrap up?

Yeah, absolutely. So we're very, very excited about this and are working with many customers to implement.

If this is interesting to you, or you have thoughts about other exciting new features, or you just want to learn more, please do reach out either to ourselves,, or contact your account team.

And we'd love to learn more about what this means for you and any other developments that you'd like to see.

Okay, that's great. Thank you very much, Akil.

So I'll just do a quick wrap up since this is our last session of the week.

It's been an awesome week and we will be doing a lot more of these types of weeks in the future.

But we also had a webinar today, and that's available to our customers.

People can go onto our website right now,, and they'll be able to see a lot of this new content and also get links to our webinar and see all the announcements that came out this week that we've all talked about.

So Cloudflare .com, you can see all of that.

Also, blog In a few hours or very soon, there'll be another blog coming out from Annika, and everybody can see the announcement today of Magic Firewall that was on the blog.

And we actually had about 10 other blogs this week all around Zero Trust that people can look at too.

So with that, we will wrap up.

Thank you very much, Annika Garbers, and thank you, Akil Vandermandela.

And that is the end of our session. And thank you, everybody, for joining us for Zero Trust Week.

Thanks for having us.