diff --git a/src/content/docs/byoip/concepts/loa.mdx b/src/content/docs/byoip/concepts/loa.mdx index c29f8ee9b5bdc2c..9bd1b636d3fb7c3 100644 --- a/src/content/docs/byoip/concepts/loa.mdx +++ b/src/content/docs/byoip/concepts/loa.mdx @@ -9,6 +9,8 @@ head: --- +import { Render } from "~/components" + A Letter of Agency (LOA) - sometimes referred to as a Letter of Authorization - is a document that authorizes Cloudflare to announce a prefix(es) on behalf of another entity. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on behalf of another entity. The letter must contain both the prefixes you are authorizing Cloudflare to announce and which ASN they will be announced under. Cloudflare can announce a prefix under your ASN or you can use Cloudflare's ASN, which is AS13335. @@ -25,37 +27,4 @@ An LOA is a formal document which should be on company letterhead and contain a You can use the below template when creating an LOA document. -```txt title="Letter of Agency template" -[COMPANY LETTERHEAD] - -LETTER OF AGENCY ("LOA") - -[DATE] - - -To whom it may concern: - -[COMPANY NAME] (the "Company") authorizes Cloudflare, Inc. with AS13335 to advertise the following IP address blocks / originating ASNs: - -- - - - - - - - - - - - - - - - - - - -[Subnet & Originating ASN] -[Subnet & Originating ASN] -[Subnet & Originating ASN] -- - - - - - - - - - - - - - - - - - - - -As a representative of the Company that is the owner of the aforementioned IP address blocks / originating ASNs, I hereby declare that I am authorized to sign this LOA on the Company’s behalf. - -Should you have any questions please email me at [E-MAIL ADDRESS], or call: [TELEPHONE NUMBER] - -Regards, - - -[SIGNATURE] - - -[NAME TYPED] -[TITLE] -[COMPANY NAME] -[COMPANY ADDRESS] -[COMPANY STAMP] -``` + diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx index 05fae58ec8e1134..eb1cd0600c9f33a 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx @@ -11,9 +11,9 @@ head: import { Render } from "~/components" -Cloudflare's Advanced DNS Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as [random prefix attacks](/dns/dns-firewall/random-prefix-attacks/about/). + - + ## How it works @@ -27,7 +27,7 @@ The [Network Analytics dashboard](/analytics/network-analytics/) will display sy ## Setup -[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/#create-an-advanced-dns-protection-rule) to enable Advanced DNS Protection. + --- diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx index ada3e3edfc38e1f..68312321809bf16 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx +++ b/src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx @@ -11,9 +11,9 @@ head: import { Render } from "~/components" -Cloudflare's Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods. + - + ## How it works @@ -51,4 +51,4 @@ For more information on the configuration settings of out-of-state TCP rules, re ## Setup -[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection. \ No newline at end of file + \ No newline at end of file diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/configure-dashboard.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/configure-dashboard.mdx index 62f679e42a8b37a..9e418ece3415e83 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/network/configure-dashboard.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/network/configure-dashboard.mdx @@ -9,7 +9,7 @@ head: --- -import { Details, Render } from "~/components" +import { Render } from "~/components" Configure the Network-layer DDoS Attack Protection managed ruleset by defining [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) in the Cloudflare dashboard. DDoS overrides allow you to customize the **action** and **sensitivity** of one or more rules in the managed ruleset. @@ -19,35 +19,6 @@ For more information on the available parameters and allowed values, refer to [R ## Create a DDoS override -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Go to Account Home > **L3/4 DDoS** > **Network-layer DDoS Protection**. -3. Select **Deploy a DDoS override**. -4. In **Set scope**, specify if you wish to apply the override to all incoming packets or to a subset of the packets. -5. If you are creating an override for a subset of the incoming packets, define the [custom expression](/ddos-protection/managed-rulesets/network/override-expressions/) that matches the incoming packets you wish to target in the override, using either the Rule Builder or the Expression Editor. -6. Select **Next**. -7. Depending on what you wish to override, refer to the following sections (you can perform both configurations on the same override): -
- 8. Select **Next**. - 9. Enter a name for your override in **Execution name**. - 10. To always apply a given action for all the rules in the ruleset, select an action in **Ruleset action**. - 11. To set the sensitivity level for all the rules in the ruleset, select a value in **Ruleset sensitivity**. -
- -
- 12. Search for the rules you wish to override using the available filters. You can search for tags. - 13. To override a single rule, select the desired value for a field in the displayed dropdowns next to the rule. - - To configure more than one rule, select the rules using the row checkboxes and update the fields for the selected rules using the dropdowns displayed before the table. You can also configure all the rules with a given tag. For more information, refer to [Configure rules in bulk in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-rules-in-bulk-in-a-managed-ruleset). - 14. Select **Next**. - 15. Enter a name for your override in **Execution name**. -
- - :::note[Notes] - - - Tag and rule overrides have priority over ruleset overrides. - - - ::: - -8. To save and deploy the override, select **Deploy**. If you are not ready to deploy your override, select **Save as Draft**. + L3/4 DDoS > Network-layer DDoS Protection" }} /> diff --git a/src/content/docs/learning-paths/data-center-protection/advertise-prefixes.mdx b/src/content/docs/learning-paths/data-center-protection/advertise-prefixes.mdx new file mode 100644 index 000000000000000..129577688b37efd --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/advertise-prefixes.mdx @@ -0,0 +1,10 @@ +--- +title: Advertise prefixes +pcx_content_type: learning-unit +sidebar: + order: 8 +--- + +import { Render } from "~/components"; + + \ No newline at end of file diff --git a/src/content/docs/learning-paths/data-center-protection/concepts/benefits-magic-transit.mdx b/src/content/docs/learning-paths/data-center-protection/concepts/benefits-magic-transit.mdx new file mode 100644 index 000000000000000..9f646f3a8cdf2fb --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/concepts/benefits-magic-transit.mdx @@ -0,0 +1,21 @@ +--- +title: Benefits of using Magic Transit +pcx_content_type: learning-unit +sidebar: + order: 3 +--- + +import { PublicStats } from "~/components"; + +Magic Transit leverages Cloudflare's global anycast network. As of writing this guide, Cloudflare's global network spans , and has . This bandwidth allows it to absorb all manners of attack that otherwise would overwhelm a typical data center or on-premise hardware Distributed Denial-of-Service (DDoS) appliances. + +The number of DDoS attacks has been steadily increasing in recent years. In the first quarter of 2025, Cloudflared [mitigated 16.8 million network-layer DDoS attacks](https://blog.cloudflare.com/ddos-threat-report-for-2025-q1/#ddos-attacks-in-numbers). This represents a 397% increase quarter over quarter and a 509% increase year over year. + +Other advantages of choosing Magic Transit: + +- **Scalability**: As Cloudflare's global network expands, so does Magic Transit ability to absorb ever bigger DDoS attacks. +- **Ease of management**: Magic Transit offers centralized, cloud-based management tools that simplify configuration and monitoring of your network security. +- **Improvement of network performance**: Magic Transit steers traffic along tunnel routes based on priorities you define and uses equal-cost multi-path routing to provide load-balancing across tunnels with the same prefix and priority. +- **Integration with zero-trust services**: Magic Transit integrates with other Cloudflare products, including Cloudflare One's SASE offerings, Magic Firewall, and more. +- **Integration with CNI**: Directly connect your infrastructure to Cloudflare with CNI and bypass the Internet. Beyond a more reliable and secure experience, using CNI is an alternative to anycast GRE tunnels for getting traffic delivered to your infrastructure with a 1500-byte maximum transmission unit (MTU) handoff. +- **Real-time traffic visibility and alerting**: Monitor and analyze traffic patterns, threat activity, and mitigation actions in real time through Cloudflare's analytics and logging tools. Set up customized alerts to notify you of potential threats, enabling faster incident response and better-informed network decisions. diff --git a/src/content/docs/learning-paths/data-center-protection/concepts/index.mdx b/src/content/docs/learning-paths/data-center-protection/concepts/index.mdx new file mode 100644 index 000000000000000..932b05ca115584c --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/concepts/index.mdx @@ -0,0 +1,15 @@ +--- +title: Concepts +pcx_content_type: overview +sidebar: + order: 1 +--- + +Learn core concepts about Magic Transit and its functionality, in order to protect your data centers from distributed denial-of-service (DDoS) attacks. + +## Objectives + +By the end of this module you will be able to: +- Understand what Magic Transit is +- Why you should use it to protect your IP network + diff --git a/src/content/docs/learning-paths/data-center-protection/concepts/what-is-magic-transit.mdx b/src/content/docs/learning-paths/data-center-protection/concepts/what-is-magic-transit.mdx new file mode 100644 index 000000000000000..a1c64f097480395 --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/concepts/what-is-magic-transit.mdx @@ -0,0 +1,18 @@ +--- +title: What is Magic Transit? +pcx_content_type: learning-unit +sidebar: + order: 2 +--- + +Magic Transit is a network security and performance solution that offers Distributed Denial-of-Service (DDoS) protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks. + +Magic Transit works at Layer 3 of the [OSI model](https://www.cloudflare.com/en-gb/learning/ddos/glossary/open-systems-interconnection-model-osi/), protecting entire IP networks from DDoS attacks. Instead of relying on local infrastructure that can be overwhelmed by large DDoS attacks, Magic Transit uses the [global Cloudflare Network](https://www.cloudflare.com/network/) to ingest and mitigate attacks close to their source. + +Magic Transit delivers its connectivity, security, and performance benefits by serving as the front door to your IP network. This means it accepts IP packets destined for your network, processes them, and then forwards them to your origin infrastructure. + +The Cloudflare network uses Border Gateway Protocol (BGP) to announce your company's IP address space, extending your network presence globally, and [anycast](/magic-transit/reference/tunnels/#anycast) to absorb and distribute attack traffic. + +Once packets hit Cloudflare's network, traffic is inspected for attacks, filtered, steered, accelerated, and sent onward to your origin. Magic Transit users have two options for their implementation: ingress traffic or ingress and egress traffic. Users with an egress implementation will need to set up policy-based routing (PBR) or ensure default routing on their end forwards traffic to Cloudflare via tunnels. + +For an in-depth explanation of Magic Transit, refer to [Magic Transit Reference Architecture](/reference-architecture/architectures/magic-transit/). diff --git a/src/content/docs/learning-paths/data-center-protection/configure-ddos.mdx b/src/content/docs/learning-paths/data-center-protection/configure-ddos.mdx new file mode 100644 index 000000000000000..0f907e1c68fdc0b --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/configure-ddos.mdx @@ -0,0 +1,39 @@ +--- +title: Configure DDoS protection +pcx_content_type: learning-unit +sidebar: + order: 4 +--- + +import { Render } from "~/components" + +Cloudflare DDoS protection automatically detects and mitigates Distributed Denial of Service (DDoS) attacks using its Autonomous Edge. Magic Transit customers have access to additional features, such as: + +- [Advanced TCP protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) (disabled by default) +- [Advanced DNS protection (beta)](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/) + +## Create a DDoS override + + + +## DDoS advanced protection + +### Advanced TCP Protection + + + + + +#### Setup + + + +### Advanced DNS Protection + + + + + +#### Setup + + \ No newline at end of file diff --git a/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/configure-routes.mdx b/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/configure-routes.mdx new file mode 100644 index 000000000000000..114814fd5d2c63a --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/configure-routes.mdx @@ -0,0 +1,22 @@ +--- +title: Configure routes +pcx_content_type: learning-unit +sidebar: + order: 2 +--- + +import { Render } from "~/components" + + \ No newline at end of file diff --git a/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/configure-tunnels.mdx b/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/configure-tunnels.mdx new file mode 100644 index 000000000000000..7fd20ff3e2564de --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/configure-tunnels.mdx @@ -0,0 +1,26 @@ +--- +title: Configure tunnels +pcx_content_type: learning-unit +sidebar: + order: 1 +--- + +import { GlossaryTooltip, Render } from "~/components"; + + Configuration", + updateHCFrequencyPage: "/magic-transit/network-health/update-tunnel-health-checks/", + tunnelHealthChecksPage: "/magic-transit/reference/tunnel-health-checks/", + antiReplayPagePath: "/magic-transit/reference/anti-replay-protection/", + biVsUniHealthCheck: "unidirectional", + tunnelHealthDash: "/magic-transit/network-health/check-tunnel-health-dashboard/", + biVsUniHealthCheckDefaults: "For Magic Transit this option defaults to unidirectional" + }} /> \ No newline at end of file diff --git a/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/index.mdx b/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/index.mdx new file mode 100644 index 000000000000000..fa0b887888e720d --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/index.mdx @@ -0,0 +1,15 @@ +--- +title: Configure tunnels and routes +pcx_content_type: overview +sidebar: + order: 3 +--- + +In this unit you will learn how to set up tunnels and routes to steer traffic. + +## Objectives + +By the end of this module you will be able to: +- Create tunnels on both the Cloudflare side and your router side to connect to your infrastructure. +- Configure static routes or dynamic routes with BGP peering to steer your traffic via next-hop from Cloudflare's global network to your connected networks. + diff --git a/src/content/docs/learning-paths/data-center-protection/enable-magic-firewall.mdx b/src/content/docs/learning-paths/data-center-protection/enable-magic-firewall.mdx new file mode 100644 index 000000000000000..da88f46872dbf95 --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/enable-magic-firewall.mdx @@ -0,0 +1,15 @@ +--- +title: Enable Magic Firewall +pcx_content_type: learning-unit +sidebar: + order: 5 +--- + + +Magic Transit customers are automatically provided with the [standard features](/magic-firewall/plans/#standard-features) of Magic Firewall, Cloudflare's firewall-as-a-service product. + +Cloudflare recommends creating a ruleset customized to your environment and needs. Without any rules configured, Magic Firewall will pass on all traffic after mitigations are applied to your tunnels. + +The [Extended ruleset](/magic-firewall/best-practices/extended-ruleset/) is the best practice for reducing your attack surface by adopting a positive security model. If possible, use your current Edge Firewall policies to help you decide what ports to permit/block. + +If you cannot use the extended ruleset, then use the [minimal ruleset guidance](/magic-firewall/best-practices/minimal-ruleset/) to create a customized ruleset to block known unwanted traffic and common vectors for attack. \ No newline at end of file diff --git a/src/content/docs/learning-paths/data-center-protection/enable-notifications.mdx b/src/content/docs/learning-paths/data-center-protection/enable-notifications.mdx new file mode 100644 index 000000000000000..7b6cc4317f82c23 --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/enable-notifications.mdx @@ -0,0 +1,31 @@ +--- +title: Enable Notifications +pcx_content_type: learning-unit +sidebar: + order: 6 +--- + +import { Render } from "~/components"; + + + +## Other notifications + +Cloudflare also recommends that you enable the following account notifications for your Magic Transit service: + +- Layer 3/4 DDoS Attack Alert +- Route Leak Detection Alert (to detect BGP Hijacks) +- (Optional) Advanced Layer 3/4 DDoS Attack Alert +- (Optional) Cloudflare status - Maintenance Notification (in case you want to be alerted regarding maintenance in specific Cloudflare data centers). + +Refer to [Cloudflare Notifications](/notifications/) for more information on how to enable these notifications. \ No newline at end of file diff --git a/src/content/docs/learning-paths/data-center-protection/get-started.mdx b/src/content/docs/learning-paths/data-center-protection/get-started.mdx new file mode 100644 index 000000000000000..0de763a69086a9a --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/get-started.mdx @@ -0,0 +1,10 @@ +--- +title: Get started +pcx_content_type: learning-unit +sidebar: + order: 2 +--- + +import { Render } from "~/components" + + \ No newline at end of file diff --git a/src/content/docs/learning-paths/data-center-protection/post-prefix-fine-tuning.mdx b/src/content/docs/learning-paths/data-center-protection/post-prefix-fine-tuning.mdx new file mode 100644 index 000000000000000..d217db69524019d --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/post-prefix-fine-tuning.mdx @@ -0,0 +1,44 @@ +--- +title: Post prefix advertisement monitoring and fine tuning +pcx_content_type: reference +sidebar: + order: 10 +--- + +On this page, you can find suggestions to monitor your prefix advertisements and fine-tune them. + +## DDOS Managed Rules + +### Adaptive DDOS rules + +[These rules](/ddos-protection/managed-rulesets/adaptive-protection/) are based on a seven-day rolling window. We recommend reviewing the logs from these adaptive rules in Network Analytics seven days after your last prefix advertisement. + +If you see matches for legitimate traffic, consider lowering the sensitivity of the rule and then review the logs again. Once you are satisfied that legitimate traffic is not being flagged, [create a DDoS override](/ddos-protection/managed-rulesets/network/configure-dashboard/#create-a-ddos-override) for this rule with action as `DDOS Dynamic` or `Block`. + +### Advanced TCP Protection and Advanced DNS Protection + +For both [Advanced TCP Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) and [Advanced DNS Protection](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/), your Cloudflare account team will need to configure manual thresholds for your account, based on your ingress traffic. + +Once all your prefixes are advertised and/or once all your expected traffic is cut over to the Magic Transit prefixes, reach out to your Cloudflare account team to have the thresholds configured. + +You can then change the mode on your Advanced TCP and DNS protections from `monitoring` to `mitigation`. You can also create a filter for `monitoring` mode for any traffic flows for which you see false positives. Try to keep this specific so that the protection is enabled for other inbound traffic flows. + +## Magic Firewall rules + +We strongly encourage you to ensure you have a Magic Firewall ruleset configured and customized to your environment to help stop unwanted and attack traffic. + +You can configure Magic Firewall rules and keep them in `disabled` mode to review the traffic that would have matched, using `verdict = drop` and the rule ID within Network Analytics. Once you are satisfied that the rule is blocking/permitting the intended traffic, you can change the mode to `enabled`. + +Refer to Magic Firewall's [best practices](/magic-firewall/best-practices/) for configuration guidance and suggestions. + +## Alerts for Magic Tunnel health checks and DDoS + +- Ensure all teams/members needing to receive these are getting the alerts. +- Check the Magic Tunnel Health Check Alert configuration for Sensitivity and Alert interval and tunnels in-scope. +- Refer to [Set up Magic Tunnel health alerts](/learning-paths/data-center-protection/enable-notifications/#set-up-magic-tunnel-health-alerts) and [DDoS alerts](/ddos-protection/reference/alerts/) for more details. + +## Optional + +- Enable [Logpush](/logs/about/) to your Security Information and Event Management (SIEM). +- Enable Magic Firewall's [Intrusion Detection System (IDS)](/magic-firewall/about/ids/). Requires Logpush and is only available for accounts with [Advanced Magic Firewall](/magic-firewall/plans/#advanced-features). +- Use [Magic Network Monitoring](/magic-network-monitoring/) for visibility into traffic on your non-Magic Transit prefixes, using NetFlow or sFlow from your CPEs. \ No newline at end of file diff --git a/src/content/docs/learning-paths/data-center-protection/run-pre-flight-checks.mdx b/src/content/docs/learning-paths/data-center-protection/run-pre-flight-checks.mdx new file mode 100644 index 000000000000000..f0898b3f289cb26 --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/run-pre-flight-checks.mdx @@ -0,0 +1,23 @@ +--- +title: Run pre-flight checks +pcx_content_type: learning-unit +sidebar: + order: 7 +--- + +After setting up your Magic Transit product, Cloudflare validates: +- Tunnel connectivity +- Tunnel and endpoint [health checks](/magic-transit/reference/tunnel-health-checks/#types-of-health-checks) +- Letter of Agency (LOA) +- Internet Routing Registry (IRR) +- Maximum segment size (MSS) configurations. + +Refer to [Get started](/learning-paths/data-center-protection/get-started/) for information about the above topics. + +Configurations for Cloudflare global network are applied and take around one day to rollout. + +On your side, you should do the following: + +- Confirm that your upstream ISPs do not have [uRPF](/byoip/troubleshooting/#urpf-filtering-and-packet-loss) strict-mode enabled. If they do, ask them to change this setting to uRPF loose mode. Having strict-mode uRPF will result in packet loss when you advertise your prefix from Cloudflare and withdraw your prefix advertisement from your ISP. +- Confirm you have adjusted MSS/MTU value on any IPsec or GRE tunnels with third parties that are configured on your Magic Transit prefix. +- If you are using BGP for Magic Transit prefix advertisement, configure your own alerts/logs for the BGP peerings with Cloudflare route reflectors. Cloudflare will not notify you if these peerings go down, so you should enable this on your equipment using syslog or other event-alerting tools. diff --git a/src/content/docs/learning-paths/data-center-protection/troubleshooting.mdx b/src/content/docs/learning-paths/data-center-protection/troubleshooting.mdx new file mode 100644 index 000000000000000..eaf282f6b62161d --- /dev/null +++ b/src/content/docs/learning-paths/data-center-protection/troubleshooting.mdx @@ -0,0 +1,74 @@ +--- +title: Troubleshooting connectivity issues after prefix advertisement +pcx_content_type: troubleshooting +sidebar: + order: 9 +--- + +## For Magic Transit ingress-only with Direct Server Return + +### Magic Transit devices cannot reach Internet IPs after cutover to Cloudflare. + +**Potential solutions**: +- Run a traceroute from the Magic Transit prefix out to the destination IP on the Internet. +- Verify on your CPE there is no uRPF strict mode or anti-spoofing which would drop this traffic. +- Verify that your CPE is not enforcing uRPF strict mode or other anti-spoofing mechanisms that could drop this traffic. If they do, ask them to change this to loose mode. +- Other workarounds: + - If you have a less-specific prefix then you can continue to advertise this to your ISP while Cloudflare advertises a more-specific prefix. For example, Cloudflare advertises a `/24` to the Internet; you advertise its parent `/23` to your ISP. + - You can continue advertising a `/24` to your ISP, but this is not recommended, as inbound traffic from your ISP would bypass Cloudflare and therefore not benefit from Magic Transit DDoS protection. + +### Devices connected to the Magic Transit prefix cannot access Internet websites via TCP on ports `443` or `80` (HTTPS/HTTP) + +**Potential solutions**: +- The MSS clamp is configured on all your CPE egress ports at the location where the Magic Transit prefix is configured. +- Confirm the MSS values advertised in the TCP SYN-ACK by capturing packets at both ends of the traffic flow — for example, on the remote Internet IP and on your Magic Transit device. +- To quickly test whether the issue is related to MTU or MSS settings, you can temporarily lower the MSS clamp on the LAN interface of a test device within the Magic Transit prefix. If this resolves the issue, it confirms that the MSS clamp setting needs to be fine-tuned for your prefix. Be sure to verify that the correct MSS clamp is applied on all egress interfaces of your edge CPE(s). + + +### Devices on the Internet cannot access a TCP service on Magic Transit prefix + +For example, devices cannot browse to a server which is hosted on the Magic Transit prefix. + +**Potential solutions**: +- The MSS clamp is configured on all your CPE egress ports at the location where the Magic Transit prefix is configured. +- Confirm the MSS values advertised in the TCP SYN-ACK by capturing packets at both ends of the traffic flow — for example, on the remote Internet IP and on your Magic Transit device. +- To quickly test whether the issue is related to MTU or MSS settings, you can temporarily lower the MSS clamp on the LAN interface of a test device within the Magic Transit prefix. If this resolves the issue, it confirms that the MSS clamp setting needs to be fine-tuned for your prefix. Be sure to verify that the correct MSS clamp is applied on all egress interfaces of your edge CPE(s). + +### Users report issues with IPsec or GRE traffic between Magic Transit and third parties + +**Potential solutions**: +- The MSS clamp is properly applied to traffic traversing the IPsec/GRE tunnel. Use packet captures at both tunnel endpoints to inspect the MSS values advertised in the TCP SYN-ACK. +- Verify the MSS setting on your firewall's IPsec internal tunnel interface connected to the Magic Transit prefix. Set it to approximately 1300 bytes to avoid fragmentation of inbound packets traversing the Magic Transit GRE tunnel (MTU 1476 bytes). For GRE tunnels, adjust the MSS by subtracting 24 bytes from the original value to account for GRE encapsulation overhead. +- If this does not work, then you can reach out to Cloudflare to ask that we enable the `clear don't fragment` bit for a specific endpoint IP on your prefix which is having the problem, to see if that resolves the issue. + +### Cloudflare might be dropping valid traffic to your Magic Transit prefix + +If you suspect that Cloudflare mitigations might be dropping legitimate traffic to your Magic Transit prefix: + +1. Go to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. +2. Go to **Analytics & Logs** > **Network Analytics**. +3. In the **All traffic** tab select **Add filter** to configure the filters for the traffic-flow in question — like source IP, destination IP and protocol/ports. +4. Check the analytics results to determine which Cloudflare mitigation system has dropped the traffic — for example, DDoS Managed Rules, Advanced TCP/DNS Protection or Magic Firewall. +5. If the traffic was dropped by DDoS Managed Rules: + - Check whether the rule that dropped the traffic is customizable. If it is, go to [DDoS Overrides](/ddos-protection/managed-rulesets/network/configure-dashboard/#create-a-ddos-override). There, you can create/amend an existing override to ensure that this endpoint IP is added to the override with a lower sensitivity applied. + - If this rule is not customizable and is part of Cloudflare's always-on standard DDoS mitigations, reach out to Cloudflare support team to request for assistance on this. +6. If the traffic was dropped by Advanced TCP Protection (ATP): + - If the mode for the global rule is **Mitigation** you can set up a filter for `monitoring` so that ATP will not drop traffic for this particular traffic flow. + - If you need further assistance, reach out to your Cloudflare support team who can adjust other backend configuration options for this mitigation system. +7. If the traffic was dropped by Advanced DNS Protection: + - You can create a rule to apply on traffic received in a region or datacenter with a lower sensitivity setting. Once created, you can change the mode of the rule to `monitoring`. + - Alternatively, you can change the mode for the global rule from `mitigation` to `monitoring`. +8. If the traffic was dropped by Magic Firewall: + - Check which configured Magic Firewall rule caused the drop. + - You can choose to edit the rule or disable it. You can also add a new rule to permit your traffic and ensure it is placed above the rule that is configured to drop the traffic. + +## For Magic Transit ingress + egress + +### Devices using your Magic Transit IP cannot reach any Internet sites via TCP, UDP, or ICMP + +**Potential solutions**: +- If you are using Cloudflare Magic Transit leased IPs, ensure your CPE is correctly NATing to the Cloudflare leased IP and has policy-based Routing configured properly to forward egress traffic via the Magic Transit IPsec/GRE tunnel. +- Check that the Magic Firewall rules are configured to allow the egress traffic. As a reminder, Magic Firewall is stateless, and configured rules will apply for both ingress and egress traffic. +- Check that the egress traffic flow is visible inside Network Analytics. Also, check for the inbound traffic flow returning to the Magic Transit prefix. Verify if any mitigations are applied on the traffic. + +If the problem is seen for TCP only and UDP/ICMP are successful, check the MSS and MTU configuration on your CPE's GRE/IPsec tunnel. Perform a packet capture on the CPE/end-device to confirm the SYN-ACK values exchanged. \ No newline at end of file diff --git a/src/content/docs/magic-transit/cloudflare-ips.mdx b/src/content/docs/magic-transit/cloudflare-ips.mdx index b38f624e251c956..d804df54167d491 100644 --- a/src/content/docs/magic-transit/cloudflare-ips.mdx +++ b/src/content/docs/magic-transit/cloudflare-ips.mdx @@ -3,19 +3,15 @@ title: Cloudflare IPs pcx_content_type: concept sidebar: order: 10 - --- -import { GlossaryTooltip } from "~/components" - -In addition to using Magic Transit with your own IP address, you can use Magic Transit with a Cloudflare-owned IP address. This option is helpful for users who do not meet the `/24` prefix length requirements or who want to protect a smaller network. - -To protect your network using a Cloudflare IP address, contact your account manager. After receiving your IP address, you will need to: - -- [Create a tunnel](/magic-transit/how-to/configure-tunnels/). -- [Set up static routes](/magic-transit/how-to/configure-routes/#configure-static-routes) or [BGP peering](/magic-transit/how-to/configure-routes/#configure-bgp-routes). -- [Configure health checks](/magic-transit/network-health/run-endpoint-health-checks/). -- Confirm [tunnel](/magic-transit/network-health/update-tunnel-health-checks/) and endpoint health checks were properly configured. -- Update your infrastructure at your own pace to use the allocated Cloudflare IPs. +import { Render } from "~/components" -When you use a Cloudflare-owned IP space, you do not need a Letter of Agency (LOA). You can skip this step from the Prerequisites page. + diff --git a/src/content/docs/magic-transit/get-started.mdx b/src/content/docs/magic-transit/get-started.mdx index bbd6abfc639db54..2fc400e9f866390 100644 --- a/src/content/docs/magic-transit/get-started.mdx +++ b/src/content/docs/magic-transit/get-started.mdx @@ -5,119 +5,6 @@ sidebar: order: 4 --- -import { GlossaryTooltip, Render } from "~/components"; +import { Render } from "~/components" -Before you can begin using Magic Transit, be sure to complete the onboarding steps below. Cloudflare can significantly accelerate this timeline during active-attack scenarios. - -## 1. Scope your configuration - -The onboarding process begins with an initial kickoff call where Cloudflare engages with your organization to confirm the scope and timeline for setting up Magic Transit. - -After your call with Cloudflare, complete the prerequisites step. - -## 2. Prerequisites - -Before you can begin using Magic Transit, verify that you meet Cloudflare's onboarding requirements. - -### Verify router compatibility - -Magic Transit relies on anycast tunnels to transmit packets from Cloudflare's global network to your origin network. - -The routers at your tunnel endpoints must meet the following requirements to ensure compatibility with Magic Transit. - -- Support anycast tunneling. -- Allow configuration of at least one tunnel per Internet service provider (ISP). -- Support maximum segment size (MSS) clamping. - -### Draft Letter of Agency - -Draft a [Letter of Agency (LOA)](/byoip/concepts/loa/) - sometimes referred to as a Letter of Authorization - that identifies the prefixes you want to advertise and gives Cloudflare permission to announce them. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on your behalf. See this [LOA template](/byoip/concepts/loa/) for an example. - -If you are an Internet service provider (ISP) and advertising prefixes on behalf of a customer, an LOA is required for the ISP and for the customer. - -If you are using a [Cloudflare IP address](/magic-transit/cloudflare-ips/), you do not need to submit an LOA. - -:::note[Note] -The LOA must be a PDF. Transit providers may reject the LOA if it is a JPG or PNG. -::: - -### Verify IRR entries - -Verify that your Internet Routing Registry (IRR) entries match your corresponding origin autonomous system numbers (ASNs) to ensure Magic Transit routes traffic to the correct autonomous systems (AS). For guidance, refer to [Verify IRR entries](/byoip/concepts/irr-entries/best-practices/#verify-an-irr-entry). - -If you are using a Cloudflare IP, you do not need to verify your IRR entries. - -#### Optional: RPKI check for prefix validation - -You can also use the Resource Public Key Infrastructure (RPKI) as an additional option to validate your prefixes. RPKI is a [security framework method](https://blog.cloudflare.com/rpki/) that associates a route with an autonomous system. It uses cryptography to validate the information before being passed onto the routers. - -If you operate a network (ISP, cloud provider, enterprise, etc.), using RPKI ensures that your IP prefixes are correctly recognized. This prevents service disruptions and protects your brand's reputation. Without RPKI, attackers could announce your IP space, misdirect your traffic, and potentially harm your business. - -To check your prefixes, you can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator). - -### Set maximum segment size - - - -#### MSS clamping recommendations - -##### GRE tunnels as off-ramp - - - -##### IPsec tunnels - - - -:::caution[Important] -Refer to your device documentation to check if it sets IPsec MSS clamping automatically. If that is not the case and you are using IPsec inside GRE, you have to set MSS clamp manually. -::: - -Refer to [Maximum transmission unit and maximum segment size](/magic-transit/reference/mtu-mss/) for more details. - -#### Clear Do not fragment (DF) - -If you are unable to set the MSS on your physical interfaces to a value lower than 1500 bytes, you can choose to clear the `do not fragment` bit in the IP header. When this option is enabled, Cloudflare fragments [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) greater than 1500 bytes, and the packets are reassembled on your infrastructure after decapsulation. In most environments, enabling this option does not have significant impact on traffic throughput. - -To enable this option for your network, contact your account team. - -Refer to [Maximum transmission unit and maximum segment size](/magic-transit/reference/mtu-mss/) for more details. - -### Follow router vendor guidelines - - - -## 3. Configure tunnels - -[Configure the tunnels](/magic-transit/how-to/configure-tunnels/) on both the Cloudflare side and your router side to connect to your origin infrastructure. - -## 4. Configure static routes or BGP peering - -Configure [static routes](/magic-transit/how-to/configure-routes/#configure-static-routes) or [BGP peering](/magic-transit/how-to/configure-routes/#configure-bgp-routes) to route traffic from Cloudflare's global network to your locations. - -## 5. Run pre-flight checks - -After setting up your tunnels and routes, Cloudflare validates tunnel connectivity, tunnel and endpoint [health checks](/magic-transit/reference/tunnel-health-checks/#tunnel-health-checks), Letter of Agency (LOA), Internet Routing Registry (IRR), and maximum segment size (MSS) configurations. Configurations for Cloudflare global network are applied and take around one day to rollout. - -## 6. Advertise prefixes - -Once pre-flight checks are completed, Cloudflare will unlock your prefixes for you to [advertise via the dashboard, API or BGP](/magic-transit/how-to/advertise-prefixes/) at a time of your choosing. Refer to [Dynamic advertisement best practices](/byoip/concepts/dynamic-advertisement/best-practices/) to learn more about advertising prefixes. - -If you are using a Cloudflare IP, you do not need to advertise your prefixes. - -:::caution[Important] -You must [put the appropriate MSS clamps](#set-maximum-segment-size) in place before [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) changes are made. Failure to apply an MSS clamp can result in dropped packets and hard-to-debug connectivity issues. - -Also, when using [Cloudflare Network Interconnect](/magic-transit/network-interconnect/) with Magic Transit you must set the following MSS clamp sizes to accommodate additional overhead: - -- GRE tunnels over Classic CNI: 1476 bytes -- Direct CNI / Classic CNI with a maximum transmission unit (MTU) size of 1500 bytes handoff does not require an MSS clamp. - -MSS clamps are used to backhaul data from the data center where traffic is ingested (close to the end user) to the facility with the CNI link. -::: + \ No newline at end of file diff --git a/src/content/docs/magic-transit/how-to/configure-tunnels.mdx b/src/content/docs/magic-transit/how-to/configure-tunnels.mdx index 010dc979f01fa3e..30911b1fb44fa29 100644 --- a/src/content/docs/magic-transit/how-to/configure-tunnels.mdx +++ b/src/content/docs/magic-transit/how-to/configure-tunnels.mdx @@ -9,7 +9,7 @@ description: Cloudflare recommends two tunnels for each ISP and network location or GRE tunnels. --- -import { GlossaryTooltip, Render } from "~/components"; +import { Render } from "~/components"; **L3/4 DDoS** > **Network-layer DDoS Protection**. +3. Select **Deploy a DDoS override**. +4. In **Set scope**, specify if you wish to apply the override to all incoming packets or to a subset of the packets. +5. If you are creating an override for a subset of the incoming packets, define the [custom expression](/ddos-protection/managed-rulesets/network/override-expressions/) that matches the incoming packets you wish to target in the override, using either the Rule Builder or the Expression Editor. +6. Select **Next**. +7. Depending on what you wish to override, refer to the following sections (you can perform both configurations on the same override): +
+ 8. Select **Next**. + 9. Enter a name for your override in **Execution name**. + 10. To always apply a given action for all the rules in the ruleset, select an action in **Ruleset action**. + 11. To set the sensitivity level for all the rules in the ruleset, select a value in **Ruleset sensitivity**. +
+ +
+ 12. Search for the rules you wish to override using the available filters. You can search for tags. + 13. To override a single rule, select the desired value for a field in the displayed dropdowns next to the rule. + + To configure more than one rule, select the rules using the row checkboxes and update the fields for the selected rules using the dropdowns displayed before the table. You can also configure all the rules with a given tag. For more information, refer to [Configure rules in bulk in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-rules-in-bulk-in-a-managed-ruleset). + 14. Select **Next**. + 15. Enter a name for your override in **Execution name**. +
+ + :::note[Notes] + + - Tag and rule overrides have priority over ruleset overrides. + - + ::: + +8. To save and deploy the override, select **Deploy**. If you are not ready to deploy your override, select **Save as Draft**. \ No newline at end of file diff --git a/src/content/partials/networking-services/magic-transit/advertise-prefixes.mdx b/src/content/partials/networking-services/magic-transit/advertise-prefixes.mdx new file mode 100644 index 000000000000000..9cb968d436d224c --- /dev/null +++ b/src/content/partials/networking-services/magic-transit/advertise-prefixes.mdx @@ -0,0 +1,19 @@ +--- +{} +--- + +import { GlossaryTooltip } from "~/components"; + +Once pre-flight checks are completed, Cloudflare will unlock your prefixes for you to [advertise via the dashboard, API or BGP](/magic-transit/how-to/advertise-prefixes/) at a time of your choosing. Refer to [Dynamic advertisement best practices](/byoip/concepts/dynamic-advertisement/best-practices/) to learn more about advertising prefixes. + +If you are using a Cloudflare IP, you do not need to advertise your prefixes. + +:::caution +You must [put the appropriate MSS clamps](#set-maximum-segment-size) in place before [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) changes are made. Failure to apply an MSS clamp can result in dropped packets and hard-to-debug connectivity issues. + +Also, when using [Cloudflare Network Interconnect](/magic-transit/network-interconnect/) with Magic Transit you must set the following MSS clamp sizes to accommodate additional overhead: +- GRE tunnels over Classic CNI: 1476 bytes +- Direct CNI / Classic CNI with a maximum transmission unit (MTU) size of 1500 bytes handoff does not require an MSS clamp. + +MSS clamps are used to backhaul data from the data center where traffic is ingested (close to the end user) to the facility with the CNI link. +::: \ No newline at end of file diff --git a/src/content/partials/networking-services/magic-transit/cloudflare-ips.mdx b/src/content/partials/networking-services/magic-transit/cloudflare-ips.mdx new file mode 100644 index 000000000000000..df9382e92590076 --- /dev/null +++ b/src/content/partials/networking-services/magic-transit/cloudflare-ips.mdx @@ -0,0 +1,21 @@ +--- +params: + - mtLpCreateTunnel + - mtLpStaticRoute + - mtLpBgpPeering + +--- + +import { GlossaryTooltip } from "~/components" + +To use Magic Transit you need to own a publicly routable IP address block with a minimum size of `/24`. If you do not own a `/24` address block, you can use Magic Transit with a Cloudflare-owned IP address. This option is helpful for users who do not meet the `/24` prefix length requirements or who want to protect a smaller network. + +To protect your network using a Cloudflare IP address, contact your account manager. After receiving your IP address, you will need to: + +- Create a tunnel. +- Set up static routes or BGP peering. +- [Configure health checks](/magic-transit/network-health/run-endpoint-health-checks/). +- Confirm [tunnel](/magic-transit/network-health/update-tunnel-health-checks/) and endpoint health checks were properly configured. +- Update your infrastructure at your own pace to use the allocated Cloudflare IPs. + +When you use a Cloudflare-owned IP space, you do not need a Letter of Agency (LOA). When using Cloudflare-leased IPs, [Magic Transit Egress](/magic-transit/reference/egress/) is automatically enabled — that is, your egress traffic will also be destined to Cloudflare instead of the Internet. Because of this, you will need to set up policy-based routing on your end to make sure that return traffic is properly routed. \ No newline at end of file diff --git a/src/content/partials/networking-services/magic-transit/get-started.mdx b/src/content/partials/networking-services/magic-transit/get-started.mdx new file mode 100644 index 000000000000000..e3e335e54d1fd37 --- /dev/null +++ b/src/content/partials/networking-services/magic-transit/get-started.mdx @@ -0,0 +1,152 @@ +--- +params: + - magicWord +--- + +import { AnchorHeading, Aside, GlossaryTooltip, Markdown, Render } from "~/components"; + +{ props.magicWord === "Magic Transit" && ( + <> +

Before you can begin using Magic Transit, be sure to complete the onboarding steps below. Cloudflare can significantly accelerate this timeline during active-attack scenarios.

+ + ) +} + +## Scope your configuration + +Magic Transit is not a self-serve product, and as such you need to start by [engaging with our team](https://www.cloudflare.com/network-services/products/magic-transit/) to assess the scope of your needs and a timeline to implement Magic Transit. This is where we assess specific requirements such as your prefix count and how fast you can go through the necessary steps to implement Magic Transit on your network. + +## IPs + +{ props.magicWord === "Magic Transit" && ( + <> + + + ) +} + +{ props.magicWord === "Learning Path" && ( + <> + + + ) +} + +## Verify router compatibility + +Magic Transit relies on anycast tunnels to transmit packets from Cloudflare's global network to your origin network. + +The routers at your tunnel endpoints must meet the following requirements to ensure compatibility with Magic Transit. + +- Support GRE tunnels (or IPsec if GRE is not available). +- Allow configuration of at least one tunnel per Internet service provider (ISP). +- Support maximum segment size (MSS) clamping. +- Support asymmetric traffic flow (for ingress-only Magic Transit). + +## Draft Letter of Agency + +Draft a [Letter of Agency (LOA)](/byoip/concepts/loa/) — sometimes referred to as a Letter of Authorization — that identifies the prefixes you want to advertise and gives Cloudflare permission to announce them. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on your behalf. + +If you are an Internet service provider (ISP) and advertising prefixes on behalf of a customer, an LOA is required for the ISP and for the customer. + +If you are using a [Cloudflare IP address](#ips), you do not need to submit an LOA. + +:::note +The LOA must be a PDF. Transit providers may reject the LOA if it is a JPG or PNG. +::: + +### Example of a Letter of Agency + + + +## Verify IRR entries + +Verify that your Internet Routing Registry (IRR) entries match your corresponding origin autonomous system numbers (ASNs) to ensure Magic Transit routes traffic to the correct autonomous systems (AS). For guidance, refer to [Verify IRR entries](/byoip/concepts/irr-entries/best-practices/#verify-an-irr-entry). + +If you are using a [Cloudflare IP](#ips), you do not need to verify your IRR entries. + +### Optional: RPKI check for prefix validation + +You can also use the Resource Public Key Infrastructure (RPKI) as an additional option to validate your prefixes. RPKI is a [security framework method](https://blog.cloudflare.com/rpki/) that associates a route with an autonomous system. It uses cryptography to validate the information before being passed onto the routers. + +If you operate a network (ISP, cloud provider, enterprise, and others.), using RPKI ensures that your IP prefixes are correctly recognized. This prevents service disruptions and protects your brand's reputation. Without RPKI, attackers could announce your IP space, misdirect your traffic, and potentially harm your business. + +To check your prefixes, you can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator). + +## Set maximum segment size + + + +### MSS clamping recommendations + +#### GRE tunnels as off-ramp + + + +#### IPsec tunnels + + + +:::caution[Important] +Refer to your device documentation to check if it sets IPsec MSS clamping automatically. If that is not the case and you are using IPsec inside GRE, you have to set MSS clamp manually. +::: + +Refer to [Maximum transmission unit and maximum segment size](/magic-transit/reference/mtu-mss/) for more details. + +#### Clear Do not fragment (DF) + +If you are unable to set the MSS on your physical interfaces to a value lower than 1500 bytes, you can choose to clear the `do not fragment` bit in the IP header. When this option is enabled, Cloudflare fragments [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) greater than 1500 bytes, and the packets are reassembled on your infrastructure after decapsulation. In most environments, enabling this option does not have a significant impact on traffic throughput. + +To enable this option for your network, contact your account team. + +Refer to [Maximum transmission unit and maximum segment size](/magic-transit/reference/mtu-mss/) for more details. + +## Follow router vendor guidelines + + + + +{ props.magicWord === "Magic Transit" && ( + <> + + Configure the tunnelson both the Cloudflare side and your router side to connect to your origin infrastructure. + + +

Configure static routes or BGP peeringto route traffic from Cloudflare's global network to your locations.

+ + +

After setting up your tunnels and routes, Cloudflare validates tunnel connectivity, tunnel and endpoint health checks, Letter of Agency (LOA), Internet Routing Registry (IRR), and maximum segment size (MSS) configurations. Configurations for Cloudflare global network are applied and take around one day to rollout.

+ + + + + + ) +} + +{ props.magicWord === "Learning Path" && ( + <> + +

If you want to use BGP for prefix advertisement control then you need to let the account team know the IPs and ASN for your customer premises equipment (CPE) to use for the BGP peerings. You should allow around five working days for Cloudflare to add this to our Route Reflectors.

+ + ) +} + diff --git a/src/content/partials/networking-services/magic-transit/mtu-mss/mss-clamping-ipsec.mdx b/src/content/partials/networking-services/magic-transit/mtu-mss/mss-clamping-ipsec.mdx index 06eaefc758ee206..41718669c0cf952 100644 --- a/src/content/partials/networking-services/magic-transit/mtu-mss/mss-clamping-ipsec.mdx +++ b/src/content/partials/networking-services/magic-transit/mtu-mss/mss-clamping-ipsec.mdx @@ -6,7 +6,7 @@ For IPsec tunnels, the value you need to specify depends on how your network is - **Magic Transit ingress-only traffic (DSR):** - - **On your edge router transit ports**: TCP MSS clamp should be 1,360 bytes maximum. + - **On your edge router transit ports**: TCP MSS clamp should be 1,436 bytes maximum. - **On any IPsec/GRE tunnels with third parties on your Magic Transit prefix**: on the internal tunnel interface (most likely on a separate firewall behind the GRE-terminating router) to reduce its current value by 140 bytes. - **Magic Transit ingress + egress traffic:** diff --git a/src/content/partials/networking-services/prerequisites/maximum-segment-size.mdx b/src/content/partials/networking-services/prerequisites/maximum-segment-size.mdx index faf0b52e5961bc7..cf7ec039172f4a2 100644 --- a/src/content/partials/networking-services/prerequisites/maximum-segment-size.mdx +++ b/src/content/partials/networking-services/prerequisites/maximum-segment-size.mdx @@ -5,4 +5,4 @@ params: import { Markdown, Render } from "~/components"; -Cloudflare {props.productName} uses tunnels to deliver [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) from our global network to your data centers. Cloudflare encapsulates these packets adding new headers. You must account for the space consumed by these headers when configuring the maximum transmission unit (MTU) and maximum segment size (MSS) values for your network. +Before enabling {props.productName}, you must make sure that you set up the maximum segment size on your network. Cloudflare {props.productName} uses tunnels to deliver [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) from our global network to your data centers. Cloudflare encapsulates these packets adding new headers. You must account for the space consumed by these headers when configuring the maximum transmission unit (MTU) and maximum segment size (MSS) values for your network. diff --git a/src/pages/learning-paths.astro b/src/pages/learning-paths.astro index 60b8049ef4072be..6b9543019fa21e1 100644 --- a/src/pages/learning-paths.astro +++ b/src/pages/learning-paths.astro @@ -37,6 +37,7 @@ const icons = { "Application security": iconToSvg("ddos-protection"), "Cloudflare One": iconToSvg("cloudflare-one"), "Developer platform": iconToSvg("workers"), + "Network security": iconToSvg("magic-transit"), }; ---