Cloudflare One: How to create an internal firewall going out?

I am wondering if Cloudflare One can be used to stop nefarious traffic as described here: Firewall Best Practices - Egress Traffic Filtering - The Security Skeptic.

So say someone inside the network opens a malicious email and gets infected with malware: how do I prevent as much damage as possible once malware is inside the network, without restricting all IPs and ports? So, preventing port scans, torrents, C2 communications, accessing/downloading illegal material, etc.