From 4ee9fda771775ec9ddd372577b75c99d5820a207 Mon Sep 17 00:00:00 2001 From: hajer Date: Wed, 6 May 2026 09:27:22 -0700 Subject: [PATCH 1/2] [Cloudflare WAN, Magic Transit] Remove GeoIP/Country rules from Unified Routing beta limitations --- .../partials/networking-services/reference/traffic-steering.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/networking-services/reference/traffic-steering.mdx b/src/content/partials/networking-services/reference/traffic-steering.mdx index 9eca0ee8829d16b..a4820c49001627a 100644 --- a/src/content/partials/networking-services/reference/traffic-steering.mdx +++ b/src/content/partials/networking-services/reference/traffic-steering.mdx @@ -276,7 +276,7 @@ The following limitations apply to accounts using Unified Routing mode. This lis | Network analytics | Not yet fully supported | | Basic packet captures | Captures exclude Automatic Return Routing or BGP-over-tunnels traffic | | Full packet captures | Not yet supported | -| Advanced Cloudflare Network Firewall features: GeoIP/Country rules, IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, Managed Rulesets | Not yet supported | +| Advanced Cloudflare Network Firewall features: IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, Managed Rulesets | Not yet supported | | Gateway filtering rules | Not supported on traffic where both the onramp and offramp is IPsec/GRE/CNI | | Load Balancer | Public-to-private use case is supported to IPsec/GRE/CNI destinations. Private-to-private use case does not yet support Cloudflare Source IPs | From f994fdfe3d06fd9150ec838fca68c1d606fbc2cd Mon Sep 17 00:00:00 2001 From: hajer Date: Wed, 6 May 2026 09:59:20 -0700 Subject: [PATCH 2/2] [Cloudflare WAN, Magic Transit] Remove Country rules from beta limitations and add changelog --- ...04-21-unified-routing-geoip-country-rules.mdx | 16 ++++++++++++++++ .../reference/traffic-steering.mdx | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 src/content/changelog/cloudflare-wan/2026-04-21-unified-routing-geoip-country-rules.mdx diff --git a/src/content/changelog/cloudflare-wan/2026-04-21-unified-routing-geoip-country-rules.mdx b/src/content/changelog/cloudflare-wan/2026-04-21-unified-routing-geoip-country-rules.mdx new file mode 100644 index 000000000000000..8039032afb40070 --- /dev/null +++ b/src/content/changelog/cloudflare-wan/2026-04-21-unified-routing-geoip-country-rules.mdx @@ -0,0 +1,16 @@ +--- +title: Country rules supported in Unified Routing +description: Cloudflare Advanced Network Firewall Country rules now work with Unified Routing mode. +date: 2026-04-21T12:00:00 +products: + - cloudflare-network-firewall + - magic-transit +--- + +[Cloudflare Advanced Network Firewall](/cloudflare-network-firewall/) Country rules are now supported for accounts using [Unified Routing](/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta) mode. This feature requires a Cloudflare Advanced Network Firewall subscription. + +You can create firewall rules that match traffic based on source or destination country to enforce geographic access policies across your network. + +This is the first of the Cloudflare Advanced Network Firewall features to become available in Unified Routing. Support for additional features - IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, and Managed Rulesets - is planned. + +For the full list of current beta limitations, refer to [Traffic steering beta limitations](/cloudflare-wan/reference/traffic-steering/#beta-limitations). diff --git a/src/content/partials/networking-services/reference/traffic-steering.mdx b/src/content/partials/networking-services/reference/traffic-steering.mdx index a4820c49001627a..fad924fbb101b02 100644 --- a/src/content/partials/networking-services/reference/traffic-steering.mdx +++ b/src/content/partials/networking-services/reference/traffic-steering.mdx @@ -276,7 +276,7 @@ The following limitations apply to accounts using Unified Routing mode. This lis | Network analytics | Not yet fully supported | | Basic packet captures | Captures exclude Automatic Return Routing or BGP-over-tunnels traffic | | Full packet captures | Not yet supported | -| Advanced Cloudflare Network Firewall features: IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, Managed Rulesets | Not yet supported | +| Cloudflare Advanced Network Firewall features: IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, Managed Rulesets | Not yet supported | | Gateway filtering rules | Not supported on traffic where both the onramp and offramp is IPsec/GRE/CNI | | Load Balancer | Public-to-private use case is supported to IPsec/GRE/CNI destinations. Private-to-private use case does not yet support Cloudflare Source IPs |