Cloudflare Knows Who Gets In. Does It Know What’s Already There?

Cloudflare Zero Trust secures users, applications, and internet traffic, enforcing identity and device posture at the access layer. But device posture only works for devices that can run an agent and authenticate. The devices that connect without logging in, from factory equipment to unmanaged endpoints, sit outside its design scope. In manufacturing, OT, IoT, branch, hospital, and logistics environments, that boundary is where the real exposure begins. This piece maps where Cloudflare’s coverage ends, walks through four real deployment scenarios where the gap surfaces, and shows how Genian NAC extends device posture to every connected device, including the ones that never authenticate, without disrupting what Cloudflare already protects.

Team Genians

May 11, 2026

Cloudflare has transformed the Zero Trust journey for many organizations. Cloudflare Access enforces identity- and device posture-based access control when users reach self-hosted, SaaS, and non-web applications. Cloudflare Tunnel and private network capabilities extend that protection to private and non-HTTP resources. Cloudflare One operates at Layer 3 and above — securing users, applications, and internet traffic.

But in manufacturing, OT, IoT, branch, hospital, and logistics environments, a prior question surfaces before any of that applies: application access is controlled, but who controls what connects to the network itself?

That is a Layer 2 question. Cloudflare does not address it by design. Genian NAC does.

Cloudflare protects the access path. Genian NAC protects the first connection.

What Cloudflare Does Well

Cloudflare One’s device posture checks feed directly into Access and Gateway policies — via the Cloudflare One Client, third-party endpoint providers, or custom posture integrations where an external API returns a 0–100 score used in policy decisions.

| Question                                                | Cloudflare Fit |
|---------------------------------------------------------|----------------|
| Who is this user?                                       | High           |
| What application is this user trying to reach?          | High           |
| Does this device meet posture requirements?             | High           |
| Should access to this private resource be allowed?      | High           |
| Is this traffic protected through the Cloudflare network? | High         |

On the operational network, the questions change.

The Questions the Operational Network Asks

Manufacturing and OT environments have more devices than users. PLCs, HMIs, industrial PCs, cameras, sensors, printers, badge readers, barcode scanners, IIoT gateways, vendor laptops, and legacy Windows machines all coexist on the same network.

  • Many devices do not perform SAML login.
  • Many devices cannot run an endpoint agent.
  • Some devices do not support 802.1X at all.

| Operational Network Question                                        | Control Required                  |
|---------------------------------------------------------------------|-----------------------------------|
| What is this device?                                                | Device visibility                 |
| Where did it connect?                                               | Layer 2 / switch port visibility  |
| Is it IT, OT, IoT, guest, or contractor?                            | Device classification             |
| Is it in an approved segment?                                       | Network access policy             |
| Is it an unknown device?                                            | Restriction or quarantine         |
| If it’s an exception, does it have an owner, approval, and expiry?  | Exception governance              |

This is not a ZTNA problem. It is a NAC problem.

The Layer Zero Trust Doesn’t Reach

Cloudflare’s writing on IoT security states this directly. Cloudflare distinguishes between controlled environments — like a corporate office — and old production networks, multi-vendor environments, and settings dense with machine-to-machine connections. In the latter, Cloudflare acknowledges that providing the same Zero Trust guarantees becomes difficult.

A concrete example appears in the Cloudflare Community. One user attempted to use Cloudflare Tunnel to reach a PLC via an HMI application, referencing port 44818 used by EtherNet/IP. The thread concluded that Cloudflare Tunnel has no solution for this case.

Reaching a PLC through a tunnel and identifying what that PLC is, determining which segment it belongs in, and isolating a device that was never approved — these are different problems.

The tunnel creates the path. NAC judges the connection.

Device Posture and Device Platform Intelligence Are Not Competing

Cloudflare device posture provides health signals for access policies: whether a device runs the Cloudflare One Client, meets OS or certificate conditions, or passes signals from an endpoint security provider.

Genian NAC and Device Platform Intelligence answer a different question:

“What exactly is this device?”

Genian NAC uses a non-intrusive, Layer 2-based Network Sensor to monitor IP-enabled devices in real time and classify them into logical groups aligned with policy objectives. Device Platform Intelligence adds platform classification, EOL/EOS status, CVE exposure, vendor business status, and known vulnerability context to each discovered device.

|                         | Cloudflare Device Posture                  | Genian NAC / Device Platform Intelligence                 |
|-------------------------|--------------------------------------------|-----------------------------------------------------------|
| Primary purpose         | Inform access policy decisions             | Identify devices and understand network context           |
| Core question           | Does this device meet access conditions?   | What is this device, and where is it connected?           |
| Strength                | Access / Gateway policy signal             | Layer 2 visibility, device classification                 |
| Enforcement point       | Resource access path                       | First network connection                                  |
| Complementary potential | Genian signals usable as posture context   | Device context that makes Cloudflare policy more precise  |

Cloudflare asks: Should this device access the resource?

Genians asks: What is this device, where is it, and should it be on this network at all?

Why Genian NAC: The Sensor-Based Approach

NAC is not a new category. Cisco ISE, Aruba ClearPass, Forescout, and FortiNAC all exist. The difference with Genian NAC is where deployment starts.

Most NAC projects begin with 802.1X. That works for managed IT endpoints. In manufacturing, OT, IoT, and branch environments, it stalls quickly:

  • OT devices may not have a supplicant.
  • IoT devices are often incompatible with agent installation.
  • Printers, cameras, badge readers, and scanners have no user identity.
  • Vendor laptops arrive temporarily and get forgotten.

See first. Classify next. Apply policy after.

| 802.1X-First Approach                                  | Genian NAC Sensor-Based Approach                          |
|--------------------------------------------------------|-----------------------------------------------------------|
| 802.1X readiness is the starting point                 | Layer 2 visibility is the starting point                  |
| Strong assumption of agent / supplicant availability   | Suited to agentless visibility                            |
| Begins with devices that can authenticate              | Discovers unknown and unmanaged devices first             |
| High initial deployment burden                         | Visibility-first entry is possible                        |
| OT/IoT exceptions multiply                             | Suited to OT/IoT classification and phased enforcement    |
| Hard to assess policy impact before rollout            | Sequence: observe → classify → restrict → isolate         |

For manufacturing, branch, and OT environments where a heavy NAC transition creates operational risk, Genian NAC starts the conversation differently: see what is connected first, enforce where it matters.

Four Ways to Extend Zero Trust to Every Device

Scenario 1: Manufacturing / OT — Remote Vendor Access

Cloudflare secures the remote session. Genian NAC secures the on-site connection.

Cloudflare controls the session when an external vendor accesses a jump server, engineering workstation, or private application — enforcing identity, MFA, posture, and least-privilege access.

Genian NAC controls the moment that same vendor arrives on-site and plugs their laptop into the network.

  1. The vendor device connects to the factory network.
  2. Genian NAC identifies the device.
  3. Unapproved devices move to a guest or quarantine segment.
  4. Approved devices are placed in a restricted segment.
  5. Cloudflare Access applies additional control over private resource access.
  6. Vendor exceptions are managed by owner, approval, and expiry.

Security value — The same vendor is fully covered whether connecting remotely or on-site. No gap between the session and the physical connection.

Deployment reality — No network redesign required. Genian NAC deploys alongside existing Cloudflare infrastructure without touching production systems.

Scenario 2: Device Posture + Network Access Posture

Cloudflare sees endpoint health. Genian NAC adds network access context.

Cloudflare device posture looks at the endpoint state. Genian NAC adds the network context that endpoint posture cannot see:

  • Known / unknown device status
  • IT / OT / IoT / guest / contractor classification
  • Connection location and switch port
  • IP / MAC address
  • VLAN or segment assignment
  • Policy compliance status
  • Temporary exception expiry
  • Network access history
  • Device platform, EOL/EOS status, known vulnerability context

Genians provides an Open API across its platform. Cloudflare’s custom posture integration already supports external API-based posture scoring — where an external system returns a signal that Cloudflare uses in policy decisions. These two facts together mean that Genian NAC’s network posture context — device classification, segment assignment, connection history, exception status — can be surfaced as a structured signal for Cloudflare access policy. No proprietary connector required on either side.
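The paragraph above describes the integration shape but not what the external signal looks like. The following is an added example, written for this page and not code from Genians or Cloudflare: a small posture endpoint that folds the network-context items listed above (known/unknown status, classification versus segment, compliance, exception owner/approval/expiry, EOL and CVE context) into a single 0–100 score. The NAC record fields, the score weights, the `/posture?device_id=` endpoint and the `{"device_id", "score", "reasons"}` reply are all constructed assumptions; the real field names on both the Genian Open API side and the Cloudflare custom posture side must come from their documentation.

```python
"""Network-context posture signal (added example, not Genians' or Cloudflare's code).

Assumptions: the NAC record fields (known, device_class, segment, policy_compliant,
exception, platform) are a constructed shape standing in for what a NAC Open API
might return; the score weights are a constructed policy; and the JSON reply is a
generic {"device_id", "score", "reasons"} body, not Cloudflare's exact schema.
"""
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

NOW = datetime(2026, 5, 11, tzinfo=timezone.utc)  # fixed clock for the sample run

# Segments each device class is allowed to appear on (constructed policy table).
ALLOWED_SEGMENTS = {
    "IT": {"corp", "restricted"},
    "OT": {"ot-cell", "ot-dmz"},
    "IoT": {"iot"},
    "guest": {"guest"},
    "contractor": {"restricted", "guest"},
}

# Constructed NAC inventory records, keyed by the device id the caller presents.
SAMPLE_DEVICES = {
    "vendor-laptop-ok": {
        "known": True, "device_class": "contractor", "segment": "restricted",
        "policy_compliant": True,
        "exception": {"owner": "plant-it", "approved_by": "ot-security",
                      "expires": "2026-06-01T00:00:00+00:00"},
        "platform": {"name": "Windows 11", "eol": False, "cve_count": 0},
    },
    "vendor-laptop-stale": {
        "known": True, "device_class": "contractor", "segment": "restricted",
        "policy_compliant": True,
        "exception": {"owner": "plant-it", "approved_by": "",
                      "expires": "2026-04-30T00:00:00+00:00"},
        "platform": {"name": "Windows 10", "eol": False, "cve_count": 0},
    },
    "hmi-cell1": {
        "known": True, "device_class": "OT", "segment": "ot-cell",
        "policy_compliant": True, "exception": None,
        "platform": {"name": "Windows 7 Embedded", "eol": True, "cve_count": 3},
    },
    "cam-lobby": {
        "known": True, "device_class": "IoT", "segment": "corp",
        "policy_compliant": False, "exception": None,
        "platform": {"name": "IP camera firmware", "eol": False, "cve_count": 0},
    },
    "unknown-mac-0001": {"known": False},
}


def score_device(rec, now):
    """Fold NAC context into a 0-100 score; lower means less reason to trust the device."""
    if not rec.get("known"):
        return 0, ["device not classified by NAC"]
    score, reasons = 100, []
    cls, seg = rec.get("device_class"), rec.get("segment")
    if cls not in ALLOWED_SEGMENTS:
        score -= 50
        reasons.append(f"unrecognised device class {cls!r}")
    elif seg not in ALLOWED_SEGMENTS[cls]:
        score -= 50
        reasons.append(f"{cls} device connected on segment {seg!r}")
    if not rec.get("policy_compliant", False):
        score -= 30
        reasons.append("NAC policy non-compliant")
    exc = rec.get("exception")
    if exc:
        if datetime.fromisoformat(exc["expires"]) <= now:
            score -= 40
            reasons.append("temporary exception expired")
        if not (exc.get("owner") and exc.get("approved_by")):
            score -= 20
            reasons.append("exception lacks owner or approval")
    plat = rec.get("platform") or {}
    if plat.get("eol"):
        score -= 20
        reasons.append("platform past EOL/EOS")
    if plat.get("cve_count", 0) > 0:
        score -= 10
        reasons.append(f"{plat['cve_count']} known CVEs on platform")
    return max(0, min(100, score)), reasons


def posture_lookup(device_id, now=None):
    """Build the signal body the posture endpoint returns for one device id."""
    now = now or datetime.now(timezone.utc)
    score, reasons = score_device(SAMPLE_DEVICES.get(device_id, {}), now)
    return {"device_id": device_id, "score": score, "reasons": reasons}


class PostureHandler(BaseHTTPRequestHandler):
    """GET /posture?device_id=<id> -> JSON signal. The path and query name are assumptions."""

    def do_GET(self):
        device_id = parse_qs(urlparse(self.path).query).get("device_id", [""])[0]
        body = json.dumps(posture_lookup(device_id)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(json.dumps(posture_lookup(dev, NOW)))
    # HTTPServer(("127.0.0.1", 8080), PostureHandler).serve_forever()
```

Two design points matter more than the exact weights. An unknown device returns 0 rather than a reduced score, so an access policy built on a threshold can never admit something the NAC has not classified; and the `reasons` list travels with the score so that a denied session can be explained from the NAC side without anyone reading the access logs. In a real deployment the endpoint must also authenticate the caller and be reachable only from the posture service, which this sample omits.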

Security value — Cloudflare access decisions gain network context: not just whether a device is healthy, but whether it belongs on the network at all.

Deployment reality — Open API on both sides. No additional connector licensing — integration is an architectural decision, not a procurement one.

Scenario 3: Branch — Unknown Device Cleanup

Cloudflare protects the traffic path. Genian NAC answers what is generating it.

Branch locations consistently accumulate unexpected devices: personal routers, temporary APs, printers, CCTV units, POS terminals, visitor laptops, contractor devices, test equipment, and aging Windows machines.

Genian NAC provides:

  • Branch device discovery and inventory
  • Unknown device isolation
  • Contractor device governance
  • Guest / BYOD segmentation
  • Exception governance with owner and expiry tracking
  • Compliance evidence reporting

Security value — Closes the inventory blind spot present in every branch: the devices Cloudflare cannot classify because they never authenticate.

Deployment reality — Typically operational within days. No switch replacement, no VLAN redesign, no impact to existing Cloudflare configuration.

Scenario 4: OT / IoT — Segmentation Readiness

Start with visibility. Enforce at the pace the environment allows.

Manufacturing customers rarely want enforcement from day one. Production disruption risk makes immediate blocking unrealistic. Genian NAC supports a phased approach:

  • Sensor-based discovery
  • Device classification
  • IT / OT / IoT / guest segmentation mapping
  • Policy impact review
  • Exception approval workflow
  • Phased enforcement
  • Audit reporting
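The phased list above, and the vendor-device steps in Scenario 1 (identify, quarantine unapproved devices, place approved ones in a restricted segment, govern exceptions by owner and expiry), are both instances of one review loop: run the proposed policy over the observed inventory and report what each phase would do before anything is enforced. The block below is an added example, not Genians' or Cloudflare's code. Its inventory is a constructed sensor-style view (locally administered placeholder MACs, switch ports, observed TCP ports, login and exception records), and its classification rules and segment policy are a constructed stand-in for a real NAC's fingerprinting; only the phase names follow the page's observe → classify → restrict → isolate sequence.

```python
"""Phased enforcement impact review (added example, not Genians' or Cloudflare's code).

Assumptions: the inventory is constructed; the classifier and the segment policy
are constructed stand-ins; nothing here talks to a switch or a NAC.
"""
from collections import Counter
from datetime import datetime, timezone

NOW = datetime(2026, 5, 11, tzinfo=timezone.utc)
OT_PORTS = {44818, 502}          # EtherNet/IP and Modbus/TCP
IOT_PORTS = {554, 1883}          # RTSP video, MQTT telemetry
ALLOWED_SEGMENTS = {             # where each class may legitimately sit
    "OT": {"ot-cell"}, "IoT": {"iot"}, "IT": {"corp", "ot-cell"}, "contractor": {"restricted"},
}
DEFAULT_SEGMENT = {"OT": "ot-cell", "IoT": "iot", "IT": "corp", "contractor": "restricted"}

# Constructed inventory; MACs are locally administered (02:...) placeholders.
INVENTORY = [
    {"mac": "02:00:00:00:00:01", "ip": "10.10.1.20", "port": "sw-cell1 Gi1/0/3",
     "segment": "ot-cell", "tcp_ports": [44818], "login": None, "exception": None},
    {"mac": "02:00:00:00:00:02", "ip": "10.10.1.21", "port": "sw-cell1 Gi1/0/4",
     "segment": "ot-cell", "tcp_ports": [3389], "login": "eng\\jdoe", "exception": None},
    {"mac": "02:00:00:00:00:03", "ip": "10.20.5.10", "port": "sw-lobby Gi1/0/12",
     "segment": "corp", "tcp_ports": [554, 80], "login": None, "exception": None},
    {"mac": "02:00:00:00:00:04", "ip": "10.20.5.77", "port": "sw-lobby Gi1/0/15",
     "segment": "corp", "tcp_ports": [], "login": None,
     "exception": {"owner": "plant-it", "expires": "2026-05-20T00:00:00+00:00"}},
    {"mac": "02:00:00:00:00:05", "ip": "10.20.5.91", "port": "sw-lobby Gi1/0/16",
     "segment": "corp", "tcp_ports": [22], "login": None, "exception": None},
    {"mac": "02:00:00:00:00:06", "ip": "10.30.1.5", "port": "sw-restr Gi1/0/2",
     "segment": "restricted", "tcp_ports": [], "login": None,
     "exception": {"owner": "", "expires": "2026-04-30T00:00:00+00:00"}},
]


def exception_valid(exc, now):
    """An exception counts only with an owner and an unexpired expiry date."""
    return bool(exc and exc.get("owner") and datetime.fromisoformat(exc["expires"]) > now)


def classify(dev, now):
    """Constructed classifier: protocol fingerprint first, then identity, then exception."""
    ports = set(dev["tcp_ports"])
    if ports & OT_PORTS:
        return "OT"
    if ports & IOT_PORTS:
        return "IoT"
    if dev["login"]:
        return "IT"
    if exception_valid(dev["exception"], now):
        return "contractor"
    return "unknown"


def plan_enforcement(inventory, phase, now):
    """Return per-device actions for a phase without changing anything on the network."""
    plan = []
    for dev in inventory:
        cls = classify(dev, now) if phase != "observe" else None
        action = "log"
        if phase in ("restrict", "isolate"):
            if cls == "unknown":
                # restrict only flags unknowns; isolate is the phase that quarantines them
                action = "quarantine" if phase == "isolate" else "flag"
            elif dev["segment"] in ALLOWED_SEGMENTS[cls]:
                action = "ok"
            else:
                action = f"move:{DEFAULT_SEGMENT[cls]}"
        plan.append({"mac": dev["mac"], "port": dev["port"], "segment": dev["segment"],
                     "class": cls, "action": action})
    return plan


def summarize(plan):
    """Counts per action: the numbers an OT team reviews before a phase is switched on."""
    return dict(Counter(row["action"] for row in plan))


if __name__ == "__main__":
    for phase in ("observe", "classify", "restrict", "isolate"):
        print(phase, summarize(plan_enforcement(INVENTORY, phase, NOW)))
```

Running every phase against the same inventory is the policy impact review: the `restrict` pass shows which devices would be moved (the lobby camera to the IoT segment, the vendor laptop with a valid exception to the restricted segment) and which would only be flagged, while the `isolate` pass shows that the two unknowns, one of them a device whose exception has expired and lost its owner, are what quarantine would actually touch. That output, rather than the live network, is what the exception approval workflow and the audit report are built from before enforcement is committed.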

Cloudflare connects Access, Tunnel, Gateway, WARP, and posture policy to secure the access path as enforcement is applied.

Security value — Gives OT teams a defensible foundation for IEC 62443 and NIS2 compliance: asset inventory and classification first, enforcement second.

Deployment reality — Phased rollout protects production continuity. Compliance progress is demonstrable before full enforcement is committed.

Complete the Zero Trust Picture and Where to Start

Cloudflare Zero Trust answers who gets in and what they can reach. Genian NAC answers what is on the network before that question is ever asked. The two operate at different layers and address different problems — which is precisely what makes them complementary.

For Cloudflare customers

See what's below your ZTNA. Free.

Try Genian NAC free for 30 days. No infrastructure changes required. Deploy in monitoring mode and get full Layer 2 visibility of every device on your network — including the ones Cloudflare can't see.

Start Free Trial

For Cloudflare partners

Turn your customers' OT gap into a deal.

Genians' partner program is built for resellers who already lead with Cloudflare. No conflicts — we cover the layer below your existing portfolio. Joint GTM, deal registration, and technical enablement included.

Explore Partnership
