Cloudflare Zero Trust Knows Who Gets In. Does It Know What’s Already There?
Cloudflare has transformed the Zero Trust journey for many organizations. Cloudflare Access enforces identity- and device-posture-based access control when users reach self-hosted, SaaS, and non-web applications. Cloudflare Tunnel and private network capabilities extend that protection to private and non-HTTP resources. Cloudflare One operates at Layer 3 and above, securing users, applications, and internet traffic.
But in manufacturing, OT, IoT, branch, hospital, and logistics environments, a prior question surfaces before any of that applies: application access is controlled, but who controls what connects to the network itself?
That is a Layer 2 question. Cloudflare does not address it by design. Genian NAC does.
Cloudflare protects the access path. Genian NAC protects the first connection.
About Genians
Genians provides Genian NAC — a Network Access Control solution built on a Layer 2 sensor-based architecture — that gives organizations real-time visibility and access control over every IP-enabled device on their network, including OT, IoT, and unmanaged endpoints. Genians further enhances Genian NAC through Device Platform Intelligence: a service layer that adds platform classification, EOL/EOS status, CVE exposure, and manufacturer context to each discovered device. Together, they form a network-layer foundation that complements identity- and application-layer controls such as Cloudflare One.
What Cloudflare Does Well
Cloudflare One’s device posture checks feed directly into Access and Gateway policies — via the Cloudflare One Client, third-party endpoint providers, or custom posture integrations where an external API returns a 0–100 score used in policy decisions.
| Question | Cloudflare Fit |
|---|---|
| Who is this user? | High |
| What application is this user trying to reach? | High |
| Does this device meet posture requirements? | High |
| Should access to this private resource be allowed? | High |
| Is this traffic protected through the Cloudflare network? | High |
On the operational network, the questions change.
The Questions the Operational Network Asks
Manufacturing and OT environments have more devices than users. PLCs, HMIs, industrial PCs, cameras, sensors, printers, badge readers, barcode scanners, IIoT gateways, vendor laptops, and legacy Windows machines all coexist on the same network.
- Many devices do not perform SAML login.
- Many devices cannot run an endpoint agent.
- Some devices do not support 802.1X at all.
| Operational Network Question | Control Required |
|---|---|
| What is this device? | Device visibility |
| Where did it connect? | Layer 2 / switch port visibility |
| Is it IT, OT, IoT, guest, or contractor? | Device classification |
| Is it in an approved segment? | Network access policy |
| Is it an unknown device? | Restriction or quarantine |
| If it’s an exception, does it have an owner, approval, and expiry? | Exception governance |
This is not a ZTNA problem. It is a NAC problem.
The Layer Zero Trust Doesn’t Reach
Cloudflare’s own writing on IoT security acknowledges this. It distinguishes controlled environments, such as a corporate office, from older production networks, multi-vendor environments, and settings dense with machine-to-machine connections, and concedes that providing the same Zero Trust guarantees in the latter is difficult.
A concrete example appears in the Cloudflare Community. One user attempted to use Cloudflare Tunnel to reach a PLC via an HMI application, referencing port 44818 used by EtherNet/IP. The thread concluded that Cloudflare Tunnel has no solution for this case.
Reaching a PLC through a tunnel is one problem. Identifying what that PLC is, determining which segment it belongs in, and isolating a device that was never approved are different problems.
The tunnel creates the path. NAC judges the connection.
Device Posture and Device Platform Intelligence Are Not Competing
Cloudflare device posture provides health signals for access policies: whether a device runs the Cloudflare One Client, meets OS or certificate conditions, or passes signals from an endpoint security provider.
Genian NAC and Device Platform Intelligence answer a different question:
“What exactly is this device?”
Genian NAC uses a non-intrusive, Layer 2-based Network Sensor to monitor IP-enabled devices in real time and classify them into logical groups aligned with policy objectives. Device Platform Intelligence adds platform classification, EOL/EOS status, CVE exposure, vendor business status, and known vulnerability context to each discovered device.
| Aspect | Cloudflare Device Posture | Genian NAC / Device Platform Intelligence |
|---|---|---|
| Primary purpose | Inform access policy decisions | Identify devices and understand network context |
| Core question | Does this device meet access conditions? | What is this device, and where is it connected? |
| Strength | Access / Gateway policy signal | Layer 2 visibility, device classification |
| Enforcement point | Resource access path | First network connection |
| Complementary potential | Genian signals usable as posture context | Device context that makes Cloudflare policy more precise |
Cloudflare asks: Should this device access the resource?
Genians asks: What is this device, where is it, and should it be on this network at all?
Why Genian NAC: The Sensor-Based Approach
NAC is not a new category. Cisco ISE, Aruba ClearPass, Forescout, and FortiNAC all exist. The difference with Genian NAC is where deployment starts.
Most NAC projects begin with 802.1X. That works for managed IT endpoints. In manufacturing, OT, IoT, and branch environments, it stalls quickly:
- OT devices may not have a supplicant.
- IoT devices are often incompatible with agent installation.
- Printers, cameras, badge readers, and scanners have no user identity.
- Vendor laptops arrive temporarily and get forgotten.
See first. Classify next. Apply policy after.
| 802.1X-First Approach | Genian NAC Sensor-Based Approach |
|---|---|
| 802.1X readiness is the starting point | Layer 2 visibility is the starting point |
| Strong assumption of agent / supplicant availability | Suited to agentless visibility |
| Begins with devices that can authenticate | Discovers unknown and unmanaged devices first |
| High initial deployment burden | Visibility-first entry is possible |
| OT/IoT exceptions multiply | Suited to OT/IoT classification and phased enforcement |
| Hard to assess policy impact before rollout | Sequence: observe → classify → restrict → isolate |
For manufacturing, branch, and OT environments where a heavy NAC transition creates operational risk, Genian NAC starts the conversation differently: see what is connected first, enforce where it matters.
Four Ways to Extend Zero Trust to Every Device
Scenario 1: Manufacturing / OT — Remote Vendor Access
Cloudflare secures the remote session. Genian NAC secures the on-site connection.
Cloudflare controls the session when an external vendor accesses a jump server, engineering workstation, or private application — enforcing identity, MFA, posture, and least-privilege access.
Genian NAC controls the moment that same vendor arrives on-site and plugs their laptop into the network.
- The vendor device connects to the factory network.
- Genian NAC identifies the device.
- Unapproved devices move to a guest or quarantine segment.
- Approved devices are placed in a restricted segment.
- Cloudflare Access applies additional control over private resource access.
- Vendor exceptions are managed by owner, approval, and expiry.
Security value — The same vendor is fully covered whether connecting remotely or on-site. No gap between the session and the physical connection.
Deployment reality — No network redesign required. A Layer 2 Network Sensor needs to be present in each segment that is to be monitored, but Genian NAC otherwise deploys alongside existing Cloudflare infrastructure without changes to production systems.
Scenario 2: Device Posture + Network Access Posture
Cloudflare sees endpoint health. Genian NAC adds network access context.
Cloudflare device posture looks at the endpoint state. Genian NAC adds the network context that endpoint posture cannot see:
- Known / unknown device status
- IT / OT / IoT / guest / contractor classification
- Connection location and switch port
- IP / MAC address
- VLAN or segment assignment
- Policy compliance status
- Temporary exception expiry
- Network access history
- Device platform, EOL/EOS status, known vulnerability context
Genians provides an Open API across its platform. Cloudflare’s custom posture integration already supports external API-based posture scoring — where an external system returns a signal that Cloudflare uses in policy decisions. These two facts together mean that Genian NAC’s network posture context — device classification, segment assignment, connection history, exception status — can be surfaced as a structured signal for Cloudflare access policy. No proprietary connector required on either side.
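The adapter described above, and the exception governance from Scenario 1 (owner, approval, expiry), as an added example. This is not Genians' or Cloudflare's code. It assumes the request field names (`mac_address`, `device_id`) and the response shape `{"result": {"s2s_score": N}}` from my reading of Cloudflare's custom device posture integration documentation, which should be checked against the current docs before use; the Genian lookup is a constructed in-memory stand-in for a Genians Open API call, and its field names are hypothetical since the page does not show that schema.

```python
"""Added example, not Genians' or Cloudflare's code: an adapter that turns
Genian NAC-style device context into the 0-100 score Cloudflare's custom
posture integration consumes.

Assumptions: inbound request fields ('mac_address', 'device_id', ...) and the
response shape {"result": {"s2s_score": N}} follow my reading of Cloudflare's
custom posture docs; GENIAN_CONTEXT is a constructed stand-in for a Genians
Open API lookup, with hypothetical field names."""
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Constructed stand-in for a Genian NAC Open API lookup keyed by MAC.
GENIAN_CONTEXT = {
    "00:aa:40:07:08:09": {  # contractor laptop with a valid, unexpired exception
        "known": True, "class": "contractor", "segment": "vendor-restricted",
        "compliant": True, "eol": False,
        "exception": {"owner": "ot-lead", "approved": True, "expires": "2025-06-30T00:00:00Z"},
    },
    "00:aa:40:11:22:33": {  # managed IT host, but EOL platform and out of policy
        "known": True, "class": "IT", "segment": "corp", "compliant": False, "eol": True,
        "exception": None,
    },
    "00:aa:40:44:55:66": {  # contractor laptop whose exception has expired
        "known": True, "class": "contractor", "segment": "vendor-restricted",
        "compliant": True, "eol": False,
        "exception": {"owner": "ot-lead", "approved": True, "expires": "2025-05-01T00:00:00Z"},
    },
}

ALLOWED_SEGMENTS = {"corp", "ot-engineering", "vendor-restricted"}


def exception_active(exc, now=NOW):
    """An exception counts only if it is approved, has an owner, and has not expired."""
    if not exc or not exc.get("approved") or not exc.get("owner"):
        return False
    expires = datetime.fromisoformat(exc["expires"].replace("Z", "+00:00"))
    return expires > now


def network_posture_score(ctx, now=NOW):
    """Map Genian-style context to 0-100. Unknown devices, devices outside an
    approved segment, and contractors/guests without an active exception score 0:
    they should not be on the network at all, whatever their endpoint health.
    Known devices lose points for an EOL platform and policy non-compliance;
    contractors and guests are capped at 60 so policy can distinguish them."""
    if not ctx or not ctx.get("known"):
        return 0
    if ctx.get("segment") not in ALLOWED_SEGMENTS:
        return 0
    temporary = ctx.get("class") in ("contractor", "guest")
    if temporary and not exception_active(ctx.get("exception"), now):
        return 0
    score = 100
    if ctx.get("eol"):
        score -= 30
    if not ctx.get("compliant", False):
        score -= 30
    if temporary:
        score = min(score, 60)
    return max(score, 0)


def handle_posture_request(body: dict) -> dict:
    """Build the response Cloudflare expects (assumed shape) from the request
    body (assumed to carry the device's MAC as 'mac_address')."""
    mac = (body.get("mac_address") or "").lower()
    return {"result": {"s2s_score": network_posture_score(GENIAN_CONTEXT.get(mac))}}


class PostureHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = json.loads(self.rfile.read(length) or b"{}")
        payload = json.dumps(handle_posture_request(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Local listener for testing. In production, terminate TLS in front of this
    # and verify whatever authentication the Cloudflare integration is configured with.
    HTTPServer(("127.0.0.1", 8080), PostureHandler).serve_forever()
```

The design point is the hard zeros: an unknown device or an expired vendor exception returns 0 regardless of endpoint health, so a Cloudflare policy that requires, say, a score of 50 or more fails closed for devices that should not be on the network, while the EOL and compliance deductions leave room for graduated policies on known devices.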
Security value — Cloudflare access decisions gain network context: not just whether a device is healthy, but whether it belongs on the network at all.
Deployment reality — Open API on both sides. No additional connector licensing — integration is an architectural decision, not a procurement one.
Scenario 3: Branch — Unknown Device Cleanup
Cloudflare protects the traffic path. Genian NAC answers what is generating it.
Branch locations consistently accumulate unexpected devices: personal routers, temporary APs, printers, CCTV units, POS terminals, visitor laptops, contractor devices, test equipment, and aging Windows machines.
Genian NAC provides:
- Branch device discovery and inventory
- Unknown device isolation
- Contractor device governance
- Guest / BYOD segmentation
- Exception governance with owner and expiry tracking
- Compliance evidence reporting
Security value — Closes the inventory blind spot present in every branch: the devices Cloudflare cannot classify because they never authenticate.
Deployment reality — Typically operational within days. No switch replacement, no VLAN redesign, no impact to existing Cloudflare configuration.
Scenario 4: OT / IoT — Segmentation Readiness
Start with visibility. Enforce at the pace the environment allows.
Manufacturing customers rarely want enforcement from day one. Production disruption risk makes immediate blocking unrealistic. Genian NAC supports a phased approach:
- Sensor-based discovery
- Device classification
- IT / OT / IoT / guest segmentation mapping
- Policy impact review
- Exception approval workflow
- Phased enforcement
- Audit reporting
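The observe → classify → restrict → isolate sequence from the comparison table above, and the phased approach listed here, as an added example. This is not Genians' code: the OUI table, the device records, and the policy actions are all constructed for illustration (a real sensor classifies from many more signals, such as DHCP fingerprints and protocol behaviour, and pushes its decision to the switch or sensor). What it shows is the policy impact review step: the intended action is computed for every device from the start, but nothing is enforced until the phase allows it.

```python
"""Added example, not Genians' code: a minimal model of the
observe -> classify -> restrict -> isolate sequence. Everything here is
constructed for illustration: the OUI table, the inventory, and the actions."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical OUI -> (vendor, device class). Constructed, not real assignments.
OUI_TABLE = {
    "00:AA:10": ("ExamplePLC Corp", "OT"),
    "00:AA:20": ("ExampleCam Inc", "IoT"),
    "00:AA:30": ("ExamplePrint Ltd", "IoT"),
    "00:AA:40": ("ExampleLaptop Co", "IT"),
}

PHASES = ("observe", "classify", "restrict", "isolate")


@dataclass
class Device:
    mac: str
    ip: str
    switch_port: str
    hostname: str = ""
    approved: bool = False  # set by the exception / approval workflow


def classify(dev: Device) -> tuple:
    """Return (vendor, class) from the OUI, with a hostname hint for
    contractor laptops. An unknown OUI yields ('unknown', 'unknown')."""
    vendor, cls = OUI_TABLE.get(dev.mac.upper()[:8], ("unknown", "unknown"))
    if cls == "IT" and dev.hostname.lower().startswith("vendor-"):
        cls = "contractor"
    return vendor, cls


def intended_action(dev: Device) -> str:
    """What full enforcement would do to this device."""
    _, cls = classify(dev)
    if dev.approved:
        return "allow"
    if cls == "unknown":
        return "quarantine"
    return "restrict"  # classified but not yet approved: limited segment


def enforced_action(dev: Device, phase: str) -> str:
    """What is actually applied in the given phase. The first two phases only
    monitor, so the intended action can be reviewed before anything is cut off;
    'restrict' stops short of quarantine; 'isolate' applies the full decision."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    intended = intended_action(dev)
    if phase in ("observe", "classify"):
        return "monitor"
    if phase == "restrict" and intended == "quarantine":
        return "restrict"
    return intended


def impact_report(devices: list, phase: str) -> dict:
    """Per-phase summary of what full enforcement would do versus what is
    applied now. In the observe phase 'enforced' must show monitoring only."""
    intended = Counter(intended_action(d) for d in devices)
    enforced = Counter(enforced_action(d, phase) for d in devices)
    return {"phase": phase, "intended": dict(intended), "enforced": dict(enforced)}


# Constructed inventory: what a sensor on one factory VLAN might see.
INVENTORY = [
    Device("00:aa:10:01:02:03", "10.20.1.10", "sw1/Gi1/0/1", "plc-line1", approved=True),
    Device("00:aa:20:04:05:06", "10.20.1.21", "sw1/Gi1/0/7", "cam-dock3"),
    Device("00:aa:40:07:08:09", "10.20.1.50", "sw1/Gi1/0/12", "VENDOR-LT-77"),
    Device("00:aa:30:0a:0b:0c", "10.20.1.60", "sw1/Gi1/0/15", "printer-qa"),
    Device("f0:f0:f0:0d:0e:0f", "10.20.1.99", "sw1/Gi1/0/22"),  # unknown OUI
]

if __name__ == "__main__":
    for phase in PHASES:
        print(impact_report(INVENTORY, phase))
```

Running the report for each phase against the same inventory is the rollout gate: the `intended` counts tell the OT team how many devices, and which ones by switch port, would be restricted or quarantined before the phase that actually does it is switched on.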
Cloudflare continues to secure the access path throughout: Access, Tunnel, Gateway, the Cloudflare One Client (WARP), and posture policy keep applying as each enforcement phase is introduced.
Security value — Gives OT teams a defensible foundation for IEC 62443 and NIS2 compliance: asset inventory and classification first, enforcement second.
Deployment reality — Phased rollout protects production continuity. Compliance progress is demonstrable before full enforcement is committed.
Cloudflare Zero Trust answers who gets in and what they can reach. Genian NAC answers what is on the network before that question is ever asked. The two operate at different layers and address different problems — which is precisely what makes them complementary.
For Cloudflare customers
See what’s below your ZTNA. Free.
Try Genian NAC free for 30 days. No infrastructure changes required. Deploy in monitoring mode and get full Layer 2 visibility of every device on your network — including the ones Cloudflare can’t see.
