Cloudflare changelogs | Cloudflare One

Cloudflare One Client - Cloudflare One Client for macOS (version 2026.3.846.0)

Thu, 02 Apr 2026 16:28:33 GMT

A new GA release for the macOS Cloudflare One Client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

The next stable release for macOS will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

Changes and improvements

Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.

Cloudflare One Client - Cloudflare One Client for Linux (version 2026.3.846.0)

Thu, 02 Apr 2026 15:39:10 GMT

A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

The next stable release for Linux will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

Changes and improvements

Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.

Cloudflare One, Access, Gateway - Logs UI refresh

Wed, 01 Apr 2026 00:00:00 GMT

Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs.

The updated UI includes:

Filter by field - Select any field value to add it as a filter and narrow down your results.
Customizable fields - Choose which fields to display in the log table. Querying for fewer fields improves log loading performance.
View details - Select a timestamp to view the full details of a log entry.
Switch to classic view - Return to the previous log viewer interface if needed.

For more information, refer to Access authentication logs and Gateway activity logs.

Gateway - OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies

Tue, 24 Mar 2026 00:00:00 GMT

Cloudflare Gateway now supports OIDC Claims as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types.

With this update, you can:

Filter traffic in DNS, HTTP, and Network firewall policies based on OIDC claim values.
Apply custom resolver policies to route DNS queries to specific resolvers depending on a user's OIDC claims.
Control egress policies to assign dedicated egress IPs based on OIDC claim attributes.

For example, you can create a policy that routes traffic differently for users with department=engineering in their OIDC claims, or restrict access to certain destinations based on a user's role claim.

To get started, configure custom OIDC claims on your identity provider and use the OIDC Claims selector in the Gateway policy builder.

For more information, refer to Identity-based policies.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Stream logs from multiple replicas of Cloudflare Tunnel simultaneously

Fri, 20 Mar 2026 00:00:00 GMT

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

Previously, you could only stream logs from one replica at a time. With this update:

Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel's overview page under Connectors. Select any replica to stream its logs.
Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

For more information, refer to Tunnel log streams and Deploy replicas.

Cloudflare One Client - WARP client for macOS (version 2026.3.566.1)

Tue, 10 Mar 2026 17:10:39 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the Cloudflare Community forum and let us know.

Changes and improvements

Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client's operation mode.
The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.

Cloudflare One Client - WARP client for Windows (version 2026.3.566.1)

Tue, 10 Mar 2026 17:10:37 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

Changes and improvements

Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client.
An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client's operation mode.
The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.
For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
DNS resolution may be broken when the following conditions are all true:
- The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while the client is connected. To work around this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface.

Cloudflare One, Access - User risk score selector in Access policies

Wed, 04 Mar 2026 00:00:00 GMT

You can now use user risk scores in your Access policies. The new User Risk Score selector allows you to create Access policies that respond to user behavior patterns detected by Cloudflare's risk scoring system, including impossible travel, high DLP policy matches, and more.

For more information, refer to Use risk scores in Access policies.

Gateway - Gateway Authorization Proxy and hosted PAC files (open beta)

Wed, 04 Mar 2026 00:00:00 GMT

The Gateway Authorization Proxy and PAC file hosting are now in open beta for all plan types.

Previously, proxy endpoints relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with Cloudflare Access authentication, verifying who a user is before applying Gateway filtering without installing the WARP client.

This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.

Key capabilities

Identity-aware proxy traffic — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write identity-based policies like "only the Finance team can access this accounting tool."
Multiple identity providers — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.
Cloudflare-hosted PAC files — Create and host PAC files directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at https://pac.cloudflare-gateway.com/<account-id>/<slug> on Cloudflare's global network.
Simplified billing — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.

Get started

In Cloudflare One, go to Networks > Resolvers & Proxies > Proxy endpoints.
Create an authorization proxy endpoint and configure Access policies.
Create a hosted PAC file or write your own.
Configure browsers to use the PAC file URL.
Install the Cloudflare certificate for HTTPS inspection.

For more details, refer to the proxy endpoints documentation and the announcement blog post.

Cloudflare One - Copy Cloudflare One resources as JSON or POST requests

Mon, 02 Mar 2026 00:00:00 GMT

You can now copy Cloudflare One resources as JSON or as a ready-to-use API POST request directly from the dashboard. This makes it simple to transition workflows into API calls, automation scripts, or infrastructure-as-code pipelines.

To use this feature, click the overflow menu (⋮) on any supported resource and select Copy as JSON or Copy as POST request. The copied output includes only the fields present on your resource, giving you a clean and minimal starting point for your own API calls.

Initially supported resources:

Access applications
Access policies
Gateway policies
Resolver policies
Service tokens
Identity providers

We will continue to add support for more resources throughout 2026.

Access - Clipboard controls for browser-based RDP

Sun, 01 Mar 2026 00:00:00 GMT

You can now configure clipboard controls for browser-based RDP with Cloudflare Access. Clipboard controls allow administrators to restrict whether users can copy or paste text between their local machine and the remote Windows server.

This feature is useful for organizations that support bring-your-own-device (BYOD) policies or third-party contractors using unmanaged devices. By restricting clipboard access, you can prevent sensitive data from being transferred out of the remote session to a user's personal device.

Configuration options

Clipboard controls are configured per policy within your Access application. For each policy, you can independently allow or deny:

Copy from local client to remote RDP session — Users can copy/paste text from their local machine into the browser-based RDP session.
Copy from remote RDP session to local client — Users can copy/paste text from the browser-based RDP session to their local machine.

By default, both directions are denied for new policies. For existing Access applications created before this feature was available, clipboard access remains enabled to preserve backwards compatibility.

When a user attempts a restricted clipboard action, the clipboard content is replaced with an error message informing them that the action is not allowed.

For more information, refer to Clipboard controls for browser-based RDP.

Access - Export MCP server portal logs with Logpush

Fri, 27 Feb 2026 00:00:00 GMT

MCP server portals now supports Logpush integration. You can automatically export MCP server portal activity logs to third-party storage destinations or security information and event management (SIEM) tools for analysis and auditing.

Available log fields

The MCP server portal logs dataset includes fields such as:

Datetime — Timestamp of the request
PortalID / PortalAUD — Portal identifiers
ServerID / ServerURL — Upstream MCP server details
Method — JSON-RPC method (for example, tools/call, prompts/get, resources/read)
ToolCallName / PromptGetName / ResourceReadURI — Method-specific identifiers
UserID / UserEmail — Authenticated user information
Success / Error — Request outcome
ServerResponseDurationMs — Response time from upstream server

For the complete field reference, refer to MCP portal logs.

Set up Logpush

To configure Logpush for MCP server portal logs, refer to Logpush integration.

Gateway - New protocols added for Gateway Protocol Detection (Beta)

Fri, 27 Feb 2026 00:00:00 GMT

Gateway Protocol Detection now supports seven additional protocols in beta:

Protocol	Notes
IMAP	Internet Message Access Protocol — email retrieval
POP3	Post Office Protocol v3 — email retrieval
SMTP	Simple Mail Transfer Protocol — email sending
MYSQL	MySQL database wire protocol
RSYNC-DAEMON	rsync daemon protocol
LDAP	Lightweight Directory Access Protocol
NTP	Network Time Protocol

These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the Detected Protocol selector in Network policies to identify and filter traffic based on the application-layer protocol, without relying on port-based identification.

If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic.

For more information on using Protocol Detection, refer to the Protocol detection documentation.

Cloudflare One Client - WARP client for Windows (version 2026.1.150.0)

Tue, 24 Feb 2026 01:15:23 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features.

Changes and improvements

Improvements to multi-user mode. Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost.
Added a new feature to manage NetBIOS over TCP/IP functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in device profile settings.
Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for the Windows client certificate posture check to ensure logged results are from checks that run once users log in.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.
Improved service shutdown behavior in cases where the daemon is unresponsive.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2026.1.150.0)

Tue, 24 Feb 2026 01:15:22 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
Fixed an issue with DNS server configuration failures that caused tunnel connection delays.
Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.

Cloudflare One Client - WARP client for Linux (version 2026.1.150.0)

Tue, 24 Feb 2026 00:14:20 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

Changes and improvements

Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
Fixed issues causing DNS requests to fail with clients in Traffic and DNS mode or DNS only mode.

CASB - Understand CASB findings instantly with Cloudy Summaries

Fri, 20 Feb 2026 00:00:00 GMT

You can now easily understand your SaaS security posture findings and why they were detected with Cloudy Summaries in CASB. This feature integrates Cloudflare's Cloudy AI directly into your CASB Posture Findings to automatically generate clear, plain-language summaries of complex security misconfigurations, third-party app risks, and data exposures.

This allows security teams and IT administrators to drastically reduce triage time by immediately understanding the context, potential impact, and necessary remediation steps for any given finding—without needing to be an expert in every connected SaaS application.

To view a summary, simply navigate to your Posture Findings in the Cloudflare One dashboard (under Cloud and SaaS findings) and open the finding details of a specific instance of a Finding.

Cloudy Summaries are supported on all available integrations, including Microsoft 365, Google Workspace, Salesforce, GitHub, AWS, Slack, and Dropbox. See the full list of supported integrations here.

Key capabilities

Contextual explanations — Quickly understand the specifics of a finding with plain-language summaries detailing exactly what was detected, from publicly shared sensitive files to risky third-party app scopes.
Clear risk assessment — Instantly grasp the potential security impact of the finding, such as data breach risks, unauthorized account access, or email spoofing vulnerabilities.
Actionable guidance — Get clear recommendations and next steps on how to effectively remediate the issue and secure your environment.
Built-in feedback — Help improve future AI summarization accuracy by submitting feedback directly using the thumbs-up and thumbs-down buttons.

Learn more

Learn more about managing CASB Posture Findings in Cloudflare.

Cloudy Summaries in CASB are available to all Cloudflare CASB users today.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard

Fri, 20 Feb 2026 00:00:00 GMT

Cloudflare Tunnel is now available in the main Cloudflare Dashboard at Networking > Tunnels, bringing first-class Tunnel management to developers using Tunnel for securing origin servers.

This new experience provides everything you need to manage Tunnels for public applications, including:

Full Tunnel lifecycle management: Create, configure, delete, and monitor all your Tunnels in one place.
Native integrations: View Tunnels by name when configuring DNS records and Workers VPC — no more copy-pasting UUIDs.
Real-time visibility: Monitor replicas and Tunnel health status directly in the dashboard.
Routing map: Manage all ingress routes for your Tunnel, including public applications, private hostnames, private CIDRs, and Workers VPC services, from a single interactive interface.

Choose the right dashboard for your use case

Core Dashboard: Navigate to Networking > Tunnels to manage Tunnels for:

Securing origin servers and public applications with CDN, WAF, Load Balancing, and DDoS protection
Connecting Workers to private services via Workers VPC

Cloudflare One Dashboard: Navigate to Zero Trust > Networks > Connectors to manage Tunnels for:

Securing your public applications with Zero Trust access policies
Connecting users to private applications
Building a private mesh network

Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow.

Get started

New to Tunnel? Learn how to get started with Cloudflare Tunnel or explore advanced use cases like securing SSH servers or running Tunnels in Kubernetes.

Digital Experience Monitoring - DEX Supports EU Customer Metadata Boundary

Thu, 19 Feb 2026 00:00:00 GMT

Digital Experience Monitoring (DEX) provides visibility into WARP device connectivity and performance to any internal or external application.

Now, all DEX logs are fully compatible with Cloudflare's Customer Metadata Boundary (CMB) setting for the 'EU' (European Union), which ensures that DEX logs will not be stored outside the 'EU' when the option is configured.

If a Cloudflare One customer using DEX enables CMB 'EU', they will not see any DEX data in the Cloudflare One dashboard. Customers can ingest DEX data via LogPush, and build their own analytics and dashboards.

If a customer enables CMB in their account, they will see the following message in the Digital Experience dashboard: "DEX data is unavailable because Customer Metadata Boundary configuration is on. Use Cloudflare LogPush to export DEX datasets."

Access - Streamlined clientless browser isolation for private applications

Tue, 17 Feb 2026 00:00:00 GMT

A new Allow clientless access setting makes it easier to connect users without a device client to internal applications, without using public DNS.

Previously, to provide clientless access to a private hostname or IP without a published application, you had to create a separate bookmark application pointing to a prefixed Clientless Web Isolation URL (for example, https://<your-teamname>.cloudflareaccess.com/browser/https://10.0.0.1/). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application.

Now, you can manage clientless access directly within your private self-hosted application. When Allow clientless access is turned on, users who pass your Access application policies will see a tile in their App Launcher pointing to the prefixed URL. Users must have remote browser permissions to open the link.

Access - Policies for bookmark applications

Tue, 17 Feb 2026 00:00:00 GMT

You can now assign Access policies to bookmark applications. This lets you control which users see a bookmark in the App Launcher based on identity, device posture, and other policy rules.

Previously, bookmark applications were visible to all users in your organization. With policy support, you can now:

Tailor the App Launcher to each user — Users only see the applications they have access to, reducing clutter and preventing accidental clicks on irrelevant resources.
Restrict visibility of sensitive bookmarks — Limit who can view bookmarks to internal tools or partner resources based on group membership, identity provider, or device posture.

Bookmarks support all Access policy configurations except purpose justification, temporary authentication, and application isolation. If no policy is assigned, the bookmark remains visible to all users (maintaining backwards compatibility).

For more information, refer to Add bookmarks.

Cloudflare One, Cloudflare WAN, Cloudflare Network Firewall, Network Flow - Cloudflare One Product Name Updates

Tue, 17 Feb 2026 00:00:00 GMT

We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.

We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare.

What's changing

Magic WAN → Cloudflare WAN
Magic WAN IPsec → Cloudflare IPsec
Magic WAN GRE → Cloudflare GRE
Magic WAN Connector → Cloudflare One Appliance
Magic Firewall → Cloudflare Network Firewall
Magic Network Monitoring → Network Flow
Magic Cloud Networking → Cloudflare One Multi-cloud Networking

No action is required by you — all functionality, existing configurations, and billing will remain exactly the same.

For more information, visit the Cloudflare One documentation.

Cloudflare Fundamentals, Access - Fine-grained permissions for Access policies and service tokens

Fri, 13 Feb 2026 00:00:00 GMT

Fine-grained permissions for Access policies and Access service tokens are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources.

New roles

Cloudflare Access policy admin: Can edit a specific Access policy in an account.
Cloudflare Access service token admin: Can edit a specific Access service token in an account.

These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets.

For more information:

Cloudflare WAN - Anycast IPs displayed on the dashboard

Thu, 12 Feb 2026 00:00:00 GMT

Cloudflare WAN now displays your Anycast IP addresses directly in the dashboard when you configure IPsec or GRE tunnels.

Previously, customers received their Anycast IPs during onboarding or had to retrieve them with an API call. The dashboard now pre-loads these addresses, reducing setup friction and preventing configuration errors.

No action is required. All Cloudflare WAN customers can see their Anycast IPs in the tunnel configuration form automatically.

For more information, refer to Configure tunnel endpoints.

Cloudflare One, Cloudflare WAN - Post-quantum encryption support for Cloudflare One Appliance

Wed, 11 Feb 2026 00:00:00 GMT

Cloudflare One Appliance version 2026.2.0 adds post-quantum encryption support using hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

The appliance now uses TLS 1.3 with hybrid ML-KEM for its connection to the Cloudflare edge. During the TLS handshake, the appliance and the edge share a symmetric secret over the TLS connection and inject it into the ESP layer of IPsec. This protects IPsec data plane traffic against harvest-now, decrypt-later attacks.

This upgrade deploys automatically to all appliances during their configured interrupt windows with no manual action required.

For more information, refer to Cloudflare One Appliance.

Email security - Improved Accessibility and Search for Monitoring

Mon, 02 Feb 2026 11:05:33 GMT

We have updated the Monitoring page to provide a more streamlined and insightful experience for administrators, improving both data visualization and dashboard accessibility.

Enhanced Visual Layout: Optimized contrast and the introduction of stacked bar charts for clearer data visualization and trend analysis.
Improved Accessibility & Usability:
- Widget Search: Added search functionality to multiple widgets, including Policies, Submitters, and Impersonation.
- Actionable UI: All available actions are now accessible via dedicated buttons.
- State Indicators: Improved UI states to clearly communicate loading, empty datasets, and error conditions.
Granular Data Breakdowns: New views for dispositions by month, malicious email details, link actions, and impersonations.

This applies to all Email Security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare WAN, Magic Transit, Cloudflare One - BGP over GRE and IPsec tunnels

Fri, 30 Jan 2026 00:00:00 GMT

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using IPsec and GRE tunnel on-ramps (beta).

Using BGP peering allows customers to:

Automate the process of adding or removing networks and subnets.
Take advantage of failure detection and session recovery features.

With this functionality, customers can:

Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via IPsec and GRE tunnel on-ramps.
Secure the session by MD5 authentication to prevent misconfigurations.
Exchange routes dynamically between their devices and their Magic routing table.

For configuration details, refer to:

Cloudflare One Client - WARP client for Windows (version 2026.1.89.1)

Tue, 27 Jan 2026 18:47:00 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes, improvements, and new features.

Changes and improvements

Improvements to multi-user mode. Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost.
Added a new feature to manage NetBIOS over TCP/IP functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in device profile settings.
Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for the Windows client certificate posture check to ensure logged results are from checks that run once users log in.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2026.1.89.1)

Tue, 27 Jan 2026 18:46:59 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

Cloudflare One, Cloudflare WAN - Configure Cloudflare source IPs (beta)

Tue, 27 Jan 2026 00:00:00 GMT

Cloudflare source IPs are the IP addresses used by Cloudflare services (such as Load Balancing, Gateway, and Browser Isolation) when sending traffic to your private networks.

For customers using legacy mode routing, traffic to private networks is sourced from public Cloudflare IPs, which may cause IP conflicts. For customers using Unified Routing mode (beta), traffic to private networks is sourced from dedicated, non-Internet-routable private IPv4 range to ensure:

Symmetric routing over private network connections
Proper firewall state preservation
Private traffic stays on secure paths

Key details:

IPv4: Sourced from 100.64.0.0/12 by default, configurable to any /12 CIDR
IPv6: Sourced from 2606:4700:cf1:5000::/64 (not configurable)
Affected connectors: GRE, IPsec, CNI, WARP Connector, and WARP Client (Cloudflare Tunnel is not affected)

Configuring Cloudflare source IPs requires Unified Routing (beta) and the Cloudflare One Networks Write permission.

For configuration details, refer to Configure Cloudflare source IPs.

Cloudflare One, Access - Require Access protection for zones

Thu, 22 Jan 2026 00:00:00 GMT

You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked.

This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed.

How it works

Blocked by default: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname.
Explicit access required: To allow traffic, create an Access application with an Allow or Bypass policy.
Hostname exemptions: You can exempt specific hostnames from this requirement.

To turn on this feature, refer to Require Access protection.

Access - New granular API token permissions for Cloudflare Access

Thu, 22 Jan 2026 00:00:00 GMT

Three new API token permissions are available for Cloudflare Access, giving you finer-grained control when building automations and integrations:

Access: Organizations Revoke — Grants the ability to revoke user sessions in a Zero Trust organization. Use this permission when you need a token that can terminate active sessions without broader write access to organization settings.
Access: Population Read — Grants read access to the SCIM users and groups synced from an identity provider to Cloudflare Access. Use this permission for tokens that only need to read synced user and group data.
Access: Population Write — Grants write access to the SCIM users and groups synced from an identity provider to Cloudflare Access. Use this permission for tokens that need to create or modify synced user and group data.

These permissions are scoped at the account level and can be combined with existing Access permissions.

For a full list of available permissions, refer to API token permissions.

Magic Transit, Cloudflare Network Firewall, Cloudflare WAN, Network Flow - Network Services navigation update

Thu, 15 Jan 2026 00:00:00 GMT

The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together.

Your existing configurations will remain the same, and you will have access to all of the same features and functionality.

The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to Magic Transit, Magic WAN, and Magic Firewall.

Summary of changes:

A new Overview page provides access to the most common tasks across Magic Transit and Magic WAN.
Product names have been removed from top-level navigation.
Magic Transit and Magic WAN configuration is now organized under Routes and Connectors. For example, you will find IP Prefixes under Routes, and your GRE/IPsec Tunnels under Connectors.
Magic Firewall policies are now called Firewall Policies.
Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as Appliances and Appliance profiles. They can be found under Connectors > Appliances.
Network analytics, network health, and real-time analytics are now available under Insights.
Packet Captures are found under Insights > Diagnostics.
You can manage your Sites from Insights > Network health.
You can find Magic Network Monitoring under Insights > Network flow.

If you would like to provide feedback, complete this form. You can also find these details in the January 7, 2026 email titled [FYI] Upcoming Network Services Dashboard Navigation Update.

Risk Score - Support for CrowdStrike device scores in User Risk Scoring

Thu, 15 Jan 2026 00:00:00 GMT

Cloudflare One has expanded its [User Risk Scoring] (/cloudflare-one/insights/risk-score/) capabilities by introducing two new behaviors for organizations using the [CrowdStrike integration] (/cloudflare-one/integrations/service-providers/crowdstrike/).

Administrators can now automatically escalate the risk score of a user if their device matches specific CrowdStrike Zero Trust Assessment (ZTA) score ranges. This allows for more granular security policies that respond dynamically to the health of the endpoint.

New risk behaviors The following risk scoring behaviors are now available:

CrowdStrike low device score: Automatically increases a user's risk score when the connected device reports a "Low" score from CrowdStrike.
CrowdStrike medium device score: Automatically increases a user's risk score when the connected device reports a "Medium" score from CrowdStrike.

These scores are derived from [CrowdStrike device posture attributes] (/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes), including OS signals and sensor configurations.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Verify WARP Connector connectivity with a simple ping

Thu, 15 Jan 2026 00:00:00 GMT

We have made it easier to validate connectivity when deploying WARP Connector as part of your software-defined private network.

You can now ping the WARP Connector host directly on its LAN IP address immediately after installation. This provides a fast, familiar way to confirm that the Connector is online and reachable within your network before testing access to downstream services.

Starting with version 2025.10.186.0, WARP Connector responds to traffic addressed to its own LAN IP, giving you immediate visibility into Connector reachability.

Learn more about deploying WARP Connector and building private network connectivity with Cloudflare One.

Cloudflare One Client - WARP client for Windows (version 2025.10.186.0)

Tue, 13 Jan 2026 15:48:19 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features. New features include the ability to manage WARP client connectivity for all devices in your fleet using an external signal, and a new WARP client device posture check for Antivirus.

Changes and improvements

Added a new feature to manage WARP client connectivity for all devices using an external signal. This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.
Fixed an issue that caused occasional audio degradation and increased CPU usage on Windows by optimizing route configurations for large domain-based split tunnel rules.
The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
Fixed an issue where sending large messages to the daemon by Inter-Process Communication (IPC) could cause the daemon to fail and result in service interruptions.
Added support for a new WARP client device posture check for Antivirus. The check confirms the presence of an antivirus program on a Windows device with the option to check if the antivirus is up to date.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.10.186.0)

Tue, 13 Jan 2026 15:48:17 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an external signal.

Changes and improvements

The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
Added a new feature to manage WARP client connectivity for all devices using an external signal. This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

Cloudflare One Client - WARP client for Linux (version 2025.10.186.0)

Tue, 13 Jan 2026 01:53:14 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an external signal.

Changes and improvements

The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Linux disk encryption posture check now supports non-filesystem encryption types like dm-crypt.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
Fixed an issue where the GUI becomes unresponsive when the Re-Authenticate in browser button is clicked.
Added a new feature to manage WARP client connectivity for all devices using an external signal. This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

Email security - Enhanced visibility for post-delivery actions

Mon, 12 Jan 2026 11:15:33 GMT

The Action Log now provides enriched data for post-delivery actions to improve troubleshooting. In addition to success confirmations, failed actions now display the targeted Destination folder and a specific failure reason within the Activity field.

This update allows you to see the full lifecycle of a failed action. For instance, if an administrator tries to move an email that has already been deleted or moved manually, the log will now show the multiple retry attempts and the specific destination error.

This applies to all Email Security packages:

Enterprise
Enterprise + PhishGuard

Access - Cloudflare admin activity logs capture creation of DNS over HTTP (DoH) users

Thu, 08 Jan 2026 00:00:00 GMT

Cloudflare admin activity logs now capture each time a DNS over HTTP (DoH) user is created.

These logs can be viewed from the Cloudflare One dashboard, pulled via the Cloudflare API, and exported through Logpush.

Cloudflare One, Cloudflare WAN - Breakout traffic visibility via NetFlow

Wed, 31 Dec 2025 00:00:00 GMT

Magic WAN Connector now exports NetFlow data for breakout traffic to Magic Network Monitoring (MNM), providing visibility into traffic that bypasses Cloudflare's security filtering.

This feature allows you to:

Monitor breakout traffic statistics in the Cloudflare dashboard.
View traffic patterns for applications configured to bypass Cloudflare.
Maintain visibility across all traffic passing through your Magic WAN Connector.

For more information, refer to NetFlow statistics.

Gateway, Cloudflare One - Shadow IT - domain level SaaS analytics

Wed, 17 Dec 2025 00:00:00 GMT

Zero Trust has again upgraded its Shadow IT analytics, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application.

With this update, you can review data transfer metrics at the domain level, rather than just the application level, providing more granular insight into your data transfer patterns.

These metrics can be filtered by all available filters on the dashboard, including user, application, or content category.

Both the analytics and policies are accessible in the Cloudflare Zero Trust dashboard, empowering organizations with better visibility and control.

Cloudflare One - New duplicate action for supported Cloudflare One resources

Tue, 16 Dec 2025 00:00:00 GMT

You can now duplicate specific Cloudflare One resources with a single click from the dashboard.

Initially supported resources:

Access Applications
Access Policies
Gateway Policies

To try this out, simply click on the overflow menu (⋮) from the resource table and click Duplicate. We will continue to add the Duplicate action for resources throughout 2026.

Cloudflare One Client - WARP client for Windows (version 2025.10.118.1)

Tue, 09 Dec 2025 23:03:10 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
Fixed an issue where sending large messages to the WARP daemon by Inter-Process Communication (IPC) could cause WARP to crash and result in service interruptions.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.10.118.1)

Tue, 09 Dec 2025 23:02:28 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.

Email security - Reclassifications to Submissions

Wed, 03 Dec 2025 21:11:33 GMT

We have updated the terminology “Reclassify” and “Reclassifications” to “Submit” and “Submissions” respectively. This update more accurately reflects the outcome of providing these items to Cloudflare.

Submissions are leveraged to tune future variants of campaigns. To respect data sanctity, providing a submission does not change the original disposition of the emails submitted.

This applies to all Email Security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Email security - Adjustment to Final Disposition Column

Tue, 18 Nov 2025 00:00:00 GMT

Adjustment to Final Disposition column

The Final Disposition column in Submissions > Team Submissions tab is changing for non-Phishguard customers.

What's Changing

Column will be called Status instead of Final Disposition
Column status values will now be: Submitted, Accepted or Rejected.

Next Steps

We will listen carefully to your feedback and continue to find comprehensive ways to communicate updates on your submissions. Your submissions will continue to be addressed at an even greater rate than before, fuelling faster and more accurate email security improvement.

Cloudflare One - New Cloudflare One Navigation and Product Experience

Mon, 17 Nov 2025 00:00:00 GMT

The Zero Trust dashboard and navigation is receiving significant and exciting updates. The dashboard is being restructured to better support common tasks and workflows, and various pages have been moved and consolidated.

There is a new guided experience on login detailing the changes, and you can use the Zero Trust dashboard search to find product pages by both their new and old names, as well as your created resources. To replay the guided experience, you can find it in Overview > Get Started.

Notable changes

Product names have been removed from many top-level navigation items to help bring clarity to what they help you accomplish. For example, you can find Gateway policies under ‘Traffic policies' and CASB findings under ‘Cloud & SaaS findings.'
You can view all analytics, logs, and real-time monitoring tools from ‘Insights.'
‘Networks' better maps the ways that your corporate network interacts with Cloudflare. Some pages like Tunnels, are now a tab rather than a full page as part of these changes. You can find them at Networks > Connectors.
Settings are now located closer to the tools and resources they impact. For example, this means you'll find your WARP configurations at Team & Resources > Devices.

No changes to our API endpoint structure or to any backend services have been made as part of this effort.

Access - Generate Cloudflare Access SSH certificate authority (CA) directly from the Cloudflare dashboard

Fri, 14 Nov 2025 00:00:00 GMT

SSH with Cloudflare Access for Infrastructure allows you to use short-lived SSH certificates to eliminate SSH key management and reduce security risks associated with lost or stolen keys.

Previously, users had to generate this certificate by using the Cloudflare API directly. With this update, you can now create and manage this certificate in the Cloudflare One dashboard from the Access controls > Service credentials page.

For more details, refer to Generate a Cloudflare SSH CA.

CASB - New SaaS Security weekly digests with API CASB

Fri, 14 Nov 2025 00:00:00 GMT

You can now stay on top of your SaaS security posture with the new CASB Weekly Digest notification. This opt-in email digest is delivered to your inbox every Monday morning and provides a high-level summary of your organization's Cloudflare API CASB findings from the previous week.

This allows security teams and IT administrators to get proactive, at-a-glance visibility into new risks and integration health without having to log in to the dashboard.

To opt in, navigate to Manage Account > Notifications in the Cloudflare dashboard to configure the CASB Weekly Digest alert type.

Key capabilities

At-a-glance summary — Review new high/critical findings, most frequent finding types, and new content exposures from the past 7 days.
Integration health — Instantly see the status of all your connected SaaS integrations (Healthy, Unhealthy, or Paused) to spot API connection issues.
Proactive alerting — The digest is sent automatically to all subscribed users every Monday morning.
Easy to configure — Users can opt in by enabling the notification in the Cloudflare dashboard under Manage Account > Notifications.

Learn more

Configure notification preferences in Cloudflare.

The CASB Weekly Digest notification is available to all Cloudflare users today.

Digital Experience Monitoring - DEX Logpush jobs

Wed, 12 Nov 2025 00:00:00 GMT

Digital Experience Monitoring (DEX) provides visibility into WARP device metrics, connectivity, and network performance across your Cloudflare SASE deployment.

We've released four new WARP and DEX device data sets that can be exported via Cloudflare Logpush. These Logpush data sets can be exported to R2, a cloud bucket, or a SIEM to build a customized logging and analytics experience.

To create a new DEX or WARP Logpush job, customers can go to the account level of the Cloudflare dashboard > Analytics & Logs > Logpush to get started.

Cloudflare One Client - WARP client for Windows (version 2025.9.558.0)

Tue, 11 Nov 2025 17:28:35 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues.

Changes and improvements

Fixed an inconsistency with Global WARP override settings in multi-user environments when switching between users.
The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
Fixed an issue where deleting a registration was erroneously reported as having failed.
Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the PMTUD documentation.
Improvements for the OS version WARP client check. Windows Updated Build Revision (UBR) numbers can now be checked by the client to ensure devices have required security patches and features installed.
The WARP client now supports Windows 11 ARM-based machines. For information on known limitations, refer to the Known limitations page.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.9.558.0)

Tue, 11 Nov 2025 17:28:35 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

Changes and improvements

The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
Fixed an issue where deleting a registration was erroneously reported as having failed.
Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the PMTUD documentation.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Linux (version 2025.9.558.0)

Tue, 11 Nov 2025 15:06:09 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

Changes and improvements

The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
Fixed an issue where deleting a registration was erroneously reported as having failed.
Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the PMTUD documentation.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - cloudflared proxy-dns command will be removed starting February 2, 2026

Tue, 11 Nov 2025 00:00:00 GMT

Starting February 2, 2026, the cloudflared proxy-dns command will be removed from all new cloudflared releases.

This change is being made to enhance security and address a potential vulnerability in an underlying DNS library. This vulnerability is specific to the proxy-dns command and does not affect any other cloudflared features, such as the core Cloudflare Tunnel service.

The proxy-dns command, which runs a client-side DNS-over-HTTPS (DoH) proxy, has been an officially undocumented feature for several years. This functionality is fully and securely supported by our actively developed products.

Versions of cloudflared released before this date will not be affected and will continue to operate. However, note that our official support policy for any cloudflared release is one year from its release date.

Migration paths

We strongly advise users of this undocumented feature to migrate to one of the following officially supported solutions before February 2, 2026, to continue benefiting from secure DNS-over-HTTPS.

End-user devices

The preferred method for enabling DNS-over-HTTPS on user devices is the Cloudflare WARP client. The WARP client automatically secures and proxies all DNS traffic from your device, integrating it with your organization's Zero Trust policies and posture checks.

Servers, routers, and IoT devices

For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the WARP Connector.

Instead of running cloudflared proxy-dns on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your entire subnet to Cloudflare for filtering and logging.

Cloudflare One, Cloudflare WAN - Automatic Return Routing (Beta)

Thu, 06 Nov 2025 00:00:00 GMT

Magic WAN now supports Automatic Return Routing (ARR), allowing customers to configure Magic on-ramps (IPsec/GRE/CNI) to learn the return path for traffic flows without requiring static routes.

Key benefits:

Route-less mode: Static or dynamic routes are optional when using ARR.
Overlapping IP space support: Traffic originating from customer sites can use overlapping private IP ranges.
Symmetric routing: Return traffic is guaranteed to use the same connection as the original on-ramp.

This feature is currently in beta and requires the new Unified Routing mode (beta).

For configuration details, refer to Configure Automatic Return Routing.

Cloudflare One, Cloudflare WAN - Designate WAN link for breakout traffic

Thu, 06 Nov 2025 00:00:00 GMT

Magic WAN Connector now allows you to designate a specific WAN port for breakout traffic, giving you deterministic control over the egress path for latency-sensitive applications.

With this feature, you can:

Pin breakout traffic for specific applications to a preferred WAN port.
Ensure critical traffic (such as Zoom or Teams) always uses your fastest or most reliable connection.
Benefit from automatic failover to standard WAN port priority if the preferred port goes down.

This is useful for organizations with multiple ISP uplinks who need predictable egress behavior for performance-sensitive traffic.

For configuration details, refer to Designate WAN ports for breakout apps.

Gateway - Applications to be remapped to the new categories

Thu, 06 Nov 2025 00:00:00 GMT

We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to Changelog. While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026. This timeline allows you a dedicated period to:

Review the new category structure.
Identify any policies you have that target the older categories.
Adjust your rules to reference the new, more precise categories before the old mappings change. Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition.

Applications being remappedd

Application Name	Existing Category	New Category
Google Photos	File Sharing	Photography & Graphic Design
Flickr	File Sharing	Photography & Graphic Design
ADP	Human Resources	Business
Greenhouse	Human Resources	Business
myCigna	Human Resources	Health & Fitness
UnitedHealthcare	Human Resources	Health & Fitness
ZipRecruiter	Human Resources	Business
Amazon Business	Human Resources	Business
Jobcenter	Human Resources	Business
Jobsuche	Human Resources	Business
Zenjob	Human Resources	Business
DocuSign	Legal	Business
Postident	Legal	Business
Adobe Creative Cloud	Productivity	Photography & Graphic Design
Airtable	Productivity	Development
Autodesk Fusion360	Productivity	IT Management
Coursera	Productivity	Education
Microsoft Power BI	Productivity	Business
Tableau	Productivity	Business
Duolingo	Productivity	Education
Adobe Reader	Productivity	Business
AnpiReport	Productivity	Travel
ビズリーチ	Productivity	Business
doda (デューダ)	Productivity	Business
求人ボックス	Productivity	Business
マイナビ2026	Productivity	Business
Power Apps	Productivity	Business
RECRUIT AGENT	Productivity	Business
シフトボード	Productivity	Business
スタンバイ	Productivity	Business
Doctolib	Productivity	Health & Fitness
Miro	Productivity	Photography & Graphic Design
MyFitnessPal	Productivity	Health & Fitness
Sentry Mobile	Productivity	Travel
Slido	Productivity	Photography & Graphic Design
Arista Networks	Productivity	IT Management
Atlassian	Productivity	Business
CoderPad	Productivity	Business
eAgreements	Productivity	Business
Vmware	Productivity	IT Management
Vmware Vcenter	Productivity	IT Management
AWS Skill Builder	Productivity	Education
Microsoft Office 365 (GCC)	Productivity	Business
Microsoft Exchange Online (GCC)	Productivity	Business
Canva	Sales & Marketing	Photography & Graphic Design
Instacart	Shopping	Food & Drink
Wawa	Shopping	Food & Drink
McDonald's	Shopping	Food & Drink
Vrbo	Shopping	Travel
American Airlines	Shopping	Travel
Booking.com	Shopping	Travel
Ticketmaster	Shopping	Entertainment & Events
Airbnb	Shopping	Travel
DoorDash	Shopping	Food & Drink
Expedia	Shopping	Travel
EasyPark	Shopping	Travel
UEFA Tickets	Shopping	Entertainment & Events
DHL Express	Shopping	Business
UPS	Shopping	Business

For more information on creating HTTP policies, refer to Applications and app types.

Access - Access private hostname applications support all ports/protocols

Tue, 28 Oct 2025 00:00:00 GMT

Cloudflare Access for private hostname applications can now secure traffic on all ports and protocols.

Previously, applying Zero Trust policies to private applications required the application to use HTTPS on port 443 and support Server Name Indicator (SNI).

This update removes that limitation. As long as the application is reachable via a Cloudflare off-ramp, you can now enforce your critical security controls — like single sign-on (SSO), MFA, device posture, and variable session lengths — to any private application. This allows you to extend Zero Trust security to services like SSH, RDP, internal databases, and other non-HTTPS applications.

For example, you can now create a self-hosted application in Access for ssh.testapp.local running on port 22. You can then build a policy that only allows engineers in your organization to connect after they pass an SSO/MFA check and are using a corporate device.

This feature is generally available across all plans.

CASB - CASB introduces new granular roles

Tue, 28 Oct 2025 00:00:00 GMT

Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams:

Cloudflare CASB Read: Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights.
Cloudflare CASB: Provides full administrative access to configure and manage all aspects of the CASB product.

These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the Super Administrator or Administrator roles.

To enable Data Loss Prevention (DLP), scans in CASB, account members will need the Cloudflare Zero Trust role.

You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under Manage Account > Members.

To learn more about managing roles and permissions, refer to the Manage account members and roles documentation.

Gateway - New Application Categories added for HTTP Traffic Management

Tue, 28 Oct 2025 00:00:00 GMT

To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product.

We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications:

Business
Education
Entertainment & Events
Food & Drink
Health & Fitness
Lifestyle
Navigation
Photography & Graphic Design
Travel

The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories.

The full remapping will be completed by January 30, 2026.

We encourage you to use this time to:

Review the new category structure.
Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition.

For more information on creating HTTP policies, refer to Applications and app types.

Gateway - Schedule DNS policies from the UI

Mon, 20 Oct 2025 00:00:00 GMT

Admins can now create scheduled DNS policies directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights.

Preset Schedules: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more.
Custom Schedules: Define your own schedule with specific days and up to three non-overlapping time ranges per day.
Timezone Control: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user.
Combined with Duration: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence.

You can see the flow in the demo GIF:

This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API.

Email security - On-Demand Security Report

Fri, 17 Oct 2025 22:14:43 GMT

You can now generate on-demand security reports directly from the Cloudflare dashboard. This new feature provides a comprehensive overview of your email security posture, making it easier than ever to demonstrate the value of Cloudflare’s Email security to executives and other decision makers.

These reports offer several key benefits:

Executive Summary: Quickly view the performance of Email security with a high-level executive summary.
Actionable Insights: Dive deep into trend data, breakdowns of threat types, and analysis of top targets to identify and address vulnerabilities.
Configuration Transparency: Gain a clear view of your policy, submission, and domain configurations to ensure optimal setup.
Account Takeover Risks: Get a snapshot of your M365 risky users (requires a Microsoft Entra ID P2 license and M365 SaaS integration).

This feature is available across the following Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare One Client - WARP client for Windows (version 2025.9.173.1)

Thu, 16 Oct 2025 15:29:54 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

Changes and improvements

Improvements for Windows multi-user to maintain the Global WARP override state when switching between users.
The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
Deleting registrations no longer returns an error when succeeding.
Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.9.173.1)

Thu, 16 Oct 2025 15:29:52 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

Changes and improvements

The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
Deleting registrations no longer returns an error when succeeding.
Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Gateway - New domain categories added

Fri, 10 Oct 2025 00:00:00 GMT

We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering.

New categories added

Parent ID	Parent Name	Category ID	Category Name
26	Technology	194	Keep Awake Software
26	Technology	192	Remote Access
26	Technology	193	Shareware/Freeware

Refer to Gateway domain categories to learn more.

Cloudflare One Client - WARP client for Linux (version 2025.8.779.0)

Tue, 07 Oct 2025 19:20:00 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains significant fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

Changes and improvements

Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Windows (version 2025.8.779.0)

Tue, 07 Oct 2025 17:02:40 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains significant fixes and improvements.

Changes and improvements

Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.8.779.0)

Tue, 07 Oct 2025 17:02:40 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains significant fixes and improvements.

Changes and improvements

Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare Fundamentals, Access - Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta

Thu, 02 Oct 2025 00:00:00 GMT

Fine-grained permissions for Access Applications, Identity Providers (IdPs), and Targets is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

What's New

Access Applications: Grant admin permissions to specific Access Applications.
Identity Providers: Grant admin permissions to individual Identity Providers.
Targets: Grant admin rights to specific Targets

For more info:

Data Loss Prevention - Expanded File Type Controls for Executables and Disk Images

Wed, 01 Oct 2025 00:00:00 GMT

You can now enhance your security posture by blocking additional application installer and disk image file types with Cloudflare Gateway. Preventing the download of unauthorized software packages is a critical step in securing endpoints from malware and unwanted applications.

We have expanded Gateway's file type controls to include:

Apple Disk Image (dmg)
Microsoft Software Installer (msix, appx)
Apple Software Package (pkg)

You can find these new options within the Upload File Types and Download File Types selectors when creating or editing an HTTP policy. The file types are categorized as follows:

System: Apple Disk Image (dmg)
Executable: Microsoft Software Installer (msix), Microsoft Software Installer (appx), Apple Software Package (pkg)

To ensure these file types are blocked effectively, please note the following behaviors:

DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file.
MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type Unscannable. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection.

To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to supported file types.

Cloudflare One Client - WARP client for Windows (version 2025.7.176.0)

Tue, 30 Sep 2025 20:43:09 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

MASQUE is now the default tunnel protocol for all new WARP device profiles.
Improvement to limit idle connections in Gateway with DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.
Improvement to maintain TCP connections to reduce interruptions in long-lived connections such as RDP or SSH.
Improvements to maintain Global WARP override settings when switching between organizations.
Improvements to maintain client connectivity during network changes.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.7.176.0)

Tue, 30 Sep 2025 20:43:08 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed a bug preventing the warp-diag captive-portal command from running successfully due to the client not parsing SSID on macOS.
Improvements to maintain Global WARP override settings when switching between organizations.
MASQUE is now the default tunnel protocol for all new WARP device profiles.
Improvement to limit idle connections in Gateway with DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.
Improvements to maintain client connectivity during network changes.
The WARP client now supports macOS Tahoe (version 26.0).

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Linux (version 2025.7.176.0)

Tue, 30 Sep 2025 20:20:30 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

Changes and improvements

MASQUE is now the default tunnel protocol for all new WARP device profiles.
Improvement to limit idle connections in Gateway with DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.
Improvements to maintain Global WARP override settings when switching between organizations.
Improvements to maintain client connectivity during network changes.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Gateway - Application granular controls for operations in SaaS applications

Tue, 30 Sep 2025 00:00:00 GMT

Gateway users can now apply granular controls to their file sharing and AI chat applications through HTTP policies.

The new feature offers two methods of controlling SaaS applications:

Application Controls are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include Upload, Download, Prompt, Voice, and Share depending on the application.
Operations are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function.

Get started using Application Granular Controls and refer to the list of supported applications.

Gateway, Data Loss Prevention - Refine DLP Scans with New Body Phase Selector

Thu, 25 Sep 2025 00:00:00 GMT

You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows.

In the Gateway HTTP policy builder, you will find a new selector called Body Phase. This allows you to define the direction of traffic the DLP engine will inspect:

Request Body: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts.
Response Body: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data.

For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the Body Phase to Request Body, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself.

All policies without this selector will continue to scan both request and response bodies to ensure continued protection.

For more information, refer to Gateway HTTP policy selectors.

Email security - Invalid Submissions Feedback

Tue, 23 Sep 2025 23:11:49 GMT

Email security relies on your submissions to continuously improve our detection models. However, we often receive submissions in formats that cannot be ingested, such as incomplete EMLs, screenshots, or text files.

To ensure all customer feedback is actionable, we have launched two new features to manage invalid submissions sent to our team and user submission aliases:

Email Notifications: We now automatically notify users by email when they provide an invalid submission, educating them on the correct format. To disable notifications, go to Settings > Invalid submission emails and turn the feature off.

Invalid Submission dashboard: You can quickly identify which users need education to provide valid submissions so Cloudflare can provide continuous protection.

Learn more about this feature on invalid submissions.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Access - Access Remote Desktop Protocol (RDP) destinations securely from your browser — now generally available!

Mon, 22 Sep 2025 00:00:00 GMT

Browser-based RDP with Cloudflare Access is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.

Since we announced our open beta, we've made a few improvements:

Support for targets with IPv6.
Support for Magic WAN and WARP Connector as on-ramps.
More robust error messaging on the login page to help you if you encounter an issue.
Worldwide keyboard support. Whether your day-to-day is in Portuguese, Chinese, or something in between, your browser-based RDP experience will look and feel exactly like you are using a desktop RDP client.
Cleaned up some other miscellaneous issues, including but not limited to enhanced support for Entra ID accounts and support for usernames with spaces, quotes, and special characters.

As a refresher, here are some benefits browser-based RDP provides:

Control how users authenticate to internal RDP resources with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
Record who is accessing which servers and when to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
Eliminate the need to install and manage software on user devices. You will only need a web browser.
Reduce your attack surface by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.

To get started, refer to Connect to RDP in a browser.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel

Thu, 18 Sep 2025 00:00:00 GMT

You can now route private traffic to Cloudflare Tunnel based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is free for all Cloudflare One customers.

Previously, Tunnel routes could only be defined by IP address or CIDR range. This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists.

What’s new:

Hostname & Domain Routing: Create routes for individual hostnames (e.g., payroll.acme.local) or entire domains (e.g., *.acme.local) and direct their traffic to a specific Tunnel.
Simplified Zero Trust Policies: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications.
Precise Egress Control: Route traffic for public hostnames (e.g., bank.example.com) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services.
No More IP Lists: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete.

Get started in the Tunnels section of the Zero Trust dashboard with your first private hostname or public hostname route.

Learn more in our blog post.

Cloudflare One - New AI-Enabled Search for Zero Trust Dashboard

Tue, 16 Sep 2025 00:00:00 GMT

Zero Trust Dashboard has a brand new, AI-powered search functionality. You can search your account by resources (applications, policies, device profiles, settings, etc.), pages, products, and more.

Ask Cloudy — You can also ask Cloudy, our AI agent, questions about Cloudflare Zero Trust. Cloudy is trained on our developer documentation and implementation guides, so it can tell you how to configure functionality, best practices, and can make recommendations.

Cloudy can then stay open with you as you move between pages to build configuration or answer more questions.

Find Recents — Recent searches and Cloudy questions also have a new tab under Zero Trust Overview.

Email security - Regional Email Processing for Germany, India, or Australia

Thu, 11 Sep 2025 23:15:00 GMT

We’re excited to announce that Email security customers can now choose their preferred mail processing location directly from the UI when onboarding a domain. This feature is available for the following onboarding methods: MX, BCC, and Journaling.

What’s new

Customers can now select where their email is processed. The following regions are supported:

Germany
India
Australia

Global processing remains the default option, providing flexibility to meet both compliance requirements or operational preferences.

How to use it

When onboarding a domain with MX, BCC, or Journaling:

Select the desired processing location (Germany, India, or Australia).
The UI will display updated processing addresses specific to that region.
For MX onboarding, if your domain is managed by Cloudflare, you can automatically update MX records directly from the UI.

Availability

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

What’s next

We’re expanding the list of processing locations to match our Data Localization Suite (DLS) footprint, giving customers the broadest set of regional options in the market without the complexity of self-hosting.

Gateway, Cloudflare WAN, Cloudflare Tunnel for SASE - DNS filtering for private network onramps

Thu, 11 Sep 2025 00:00:00 GMT

Magic WAN and WARP Connector users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet.

Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including Internal DNS and hostname-based policies.

To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, 172.64.36.1 and 172.64.36.2. Once you configure DNS resolution and filtering, you can use Source Internal IP as a traffic selector in your resolver policies for routing private DNS traffic to your Internal DNS.

Cloudflare One Client - WARP client for Windows (version 2025.7.106.1)

Wed, 10 Sep 2025 14:09:30 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements including enhancements to Proxy mode for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or all devices matching the profile will lose connectivity.

Changes and improvements

Enhancements to Proxy mode for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or all devices matching the profile will lose connectivity.
Improvement to keep TCP connections up the first time WARP connects on devices so that remote desktop sessions (such as RDP or SSH) continue to work.
Improvements to maintain Global WARP Override settings when switching between organization configurations.
The MASQUE protocol is now the default protocol for all new WARP device profiles.
Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.7.106.1)

Wed, 10 Sep 2025 14:09:02 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

Changes and improvements

Enhancements to Proxy mode for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or all devices matching the profile will lose connectivity.
Fixed a bug preventing the warp-diag captive-portal command from running successfully due to the client not parsing SSID on macOS.
Improvements to maintain Global WARP Override settings when switching between organization configurations.
The MASQUE protocol is now the default protocol for all new WARP device profiles.
Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare WAN - Custom IKE ID for IPsec Tunnels

Mon, 08 Sep 2025 00:00:00 GMT

Now, Magic WAN customers can configure a custom IKE ID for their IPsec tunnels. Customers that are using Magic WAN and a VeloCloud SD-WAN device together can utilize this new feature to create a high availability configuration.

This feature is available via API only. Customers can read the Magic WAN documentation to learn more about the Custom IKE ID feature and the API call to configure it.

Cloudflare WAN - Bidirectional tunnel health checks are compatible with all Magic on-ramps

Fri, 05 Sep 2025 00:00:00 GMT

All bidirectional tunnel health check return packets are accepted by any Magic on-ramp.

Previously, when a Magic tunnel had a bidirectional health check configured, the bidirectional health check would pass when the return packets came back to Cloudflare over the same tunnel that was traversed by the forward packets.

There are SD-WAN devices, like VeloCloud, that do not offer controls to steer traffic over one tunnel versus another in a high availability tunnel configuration.

Now, when a Magic tunnel has a bidirectional health check configured, the bidirectional health check will pass when the return packet traverses over any tunnel in a high availability configuration.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025

Tue, 02 Sep 2025 00:00:00 GMT

Starting December 1, 2025, list endpoints for the Cloudflare Tunnel API and Zero Trust Networks API will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified.

No action is required if you already explicitly set is_deleted=false or if you only need to list active resources.

This change affects the following API endpoints:

List all tunnels: GET /accounts/{account_id}/tunnels
List Cloudflare Tunnels: GET /accounts/{account_id}/cfd_tunnel
List WARP Connector tunnels: GET /accounts/{account_id}/warp_connector
List tunnel routes: GET /accounts/{account_id}/teamnet/routes
List subnets: GET /accounts/{account_id}/zerotrust/subnets
List virtual networks: GET /accounts/{account_id}/teamnet/virtual_networks

What is changing?

The default behavior of the is_deleted query parameter will be updated.

Scenario	Previous behavior (before December 1, 2025)	New behavior (from December 1, 2025)
`is_deleted` parameter is omitted	Returns active & deleted tunnels, routes, subnets and virtual networks	Returns only active tunnels, routes, subnets and virtual networks

Action required

If you need to retrieve deleted (or all) resources, please update your API calls to explicitly include the is_deleted parameter before December 1, 2025.

To get a list of only deleted resources, you must now explicitly add the is_deleted=true query parameter to your request:

# Example: Get ONLY deleted Tunnels
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"

# Example: Get ONLY deleted Virtual Networks
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"

Following this change, retrieving a complete list of both active and deleted resources will require two separate API calls: one to get active items (by omitting the parameter or using is_deleted=false) and one to get deleted items (is_deleted=true).

Why we’re making this change

This update is based on user feedback and aims to:

Create a more intuitive default: Aligning with common API design principles where list operations return only active resources by default.
Reduce unexpected results: Prevents users from accidentally operating on deleted resources that were returned unexpectedly.
Improve performance: For most users, the default query result will now be smaller and more relevant.

To learn more, please visit the Cloudflare Tunnel API and Zero Trust Networks API documentation.

Email security - Updated Email security roles

Mon, 01 Sep 2025 23:25:49 GMT

To provide more granular controls, we refined the existing roles for Email security and launched a new Email security role as well.

All Email security roles no longer have read or write access to any of the other Zero Trust products:

Email Configuration Admin
Email Integration Admin
Email security Read Only
Email security Analyst
Email security Policy Admin
Email security Reporting

To configure Data Loss Prevention (DLP) or Remote Browser Isolation (RBI), you now need to be an admin for the Zero Trust dashboard with the Cloudflare Zero Trust role.

Also through customer feedback, we have created a new additive role to allow Email security Analyst to create, edit, and delete Email security policies, without needing to provide access via the Email Configuration Admin role. This role is called Email security Policy Admin, which can read all settings, but has write access to allow policies, trusted domains, and blocked senders.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare One Client - Cloudflare One WARP Diagnostic AI Analyzer

Fri, 29 Aug 2025 00:00:00 GMT

We're excited to share a new AI feature, the WARP diagnostic analyzer, to help you troubleshoot and resolve WARP connectivity issues faster. This beta feature is now available in the Zero Trust dashboard to all users. The AI analyzer makes it easier for you to identify the root cause of client connectivity issues by parsing remote captures of WARP diagnostic logs. The WARP diagnostic analyzer provides a summary of impact that may be experienced on the device, lists notable events that may contribute to performance issues, and recommended troubleshooting steps and articles to help you resolve these issues. Refer to WARP diagnostics analyzer (beta) to learn more about how to maximize using the WARP diagnostic analyzer to troubleshoot the WARP client.

Digital Experience Monitoring - DEX MCP Server

Fri, 29 Aug 2025 00:00:00 GMT

Digital Experience Monitoring (DEX) provides visibility into device connectivity and performance across your Cloudflare SASE deployment.

We've released an MCP server (Model Context Protocol) for DEX.

The DEX MCP server is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly‌@acme.com", and receive an answer that contains data from the DEX API.

Any Cloudflare One customer using a Free, PayGo, or Enterprise account can access the DEX MCP Server. This feature is available to everyone.

Customers can test the new DEX MCP server in less than one minute. To learn more, read the DEX MCP server documentation.

Gateway, Cloudflare One - Shadow IT - SaaS analytics dashboard

Wed, 27 Aug 2025 00:00:00 GMT

Zero Trust has significantly upgraded its Shadow IT analytics, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application.

You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including Unreviewed, In Review, Approved, and Unapproved designating how they can be used in your organization.

These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status.

Both the analytics and policies are accessible in the Cloudflare Zero Trust dashboard, empowering organizations with better visibility and control.

CASB - New CASB integrations for ChatGPT, Claude, and Gemini

Tue, 26 Aug 2025 16:00:00 GMT

Cloudflare CASB now supports three of the most widely used GenAI platforms — OpenAI ChatGPT, Anthropic Claude, and Google Gemini. These API-based integrations give security teams agentless visibility into posture, data, and compliance risks across their organization’s use of generative AI.

Key capabilities

Agentless connections — connect ChatGPT, Claude, and Gemini tenants via API; no endpoint software required
Posture management — detect insecure settings and misconfigurations that could lead to data exposure
DLP detection — identify sensitive data in uploaded chat attachments or files
GenAI-specific insights — surface risks unique to each provider’s capabilities

Learn more

These integrations are available to all Cloudflare One customers today.

Access - Manage and restrict access to internal MCP servers with Cloudflare Access

Tue, 26 Aug 2025 00:00:00 GMT

You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind Cloudflare Access.

Self-hosted applications in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.

For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the blog post on the Cloudflare Blog.

Access - MCP server portals

Tue, 26 Aug 2025 00:00:00 GMT

An MCP server portal centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:

Streamlined access to multiple MCP servers: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
Customized tools per portal: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
Observability: Once the user's AI agent is connected to the portal, Cloudflare Access logs the indiviudal requests made using the tools in the portal.

This is available in an open beta for all customers across all plans! For more information check out our blog for this release.

Data Loss Prevention - New DLP topic based detection entries for AI prompt protection

Mon, 25 Aug 2025 00:00:00 GMT

You now have access to a comprehensive suite of capabilities to secure your organization's use of generative AI. AI prompt protection introduces four key features that work together to provide deep visibility and granular control.

Prompt Detection for AI Applications

DLP can now natively detect and inspect user prompts submitted to popular AI applications, including Google Gemini, ChatGPT, Claude, and Perplexity.

Prompt Analysis and Topic Classification

Our DLP engine performs deep analysis on each prompt, applying topic classification. These topics are grouped into two evaluation categories:

Content: PII, Source Code, Credentials and Secrets, Financial Information, and Customer Data.
Intent: Jailbreak attempts, requests for malicious code, or attempts to extract PII.

To help you apply these topics quickly, we have also released five new predefined profiles (for example, AI Prompt: AI Security, AI Prompt: PII) that bundle these new topics.

Granular Guardrails

You can now build guardrails using Gateway HTTP policies with application granular controls. Apply a DLP profile containing an AI prompt topic detection to individual AI applications (for example, ChatGPT) and specific user actions (for example, SendPrompt) to block sensitive prompts.
Full Prompt Logging

To aid in incident investigation, an optional setting in your Gateway policy allows you to capture prompt logs to store the full interaction of prompts that trigger a policy match. To make investigations easier, logs can be filtered by conversation_id, allowing you to reconstruct the full context of an interaction that led to a policy violation.

AI prompt protection is now available in open beta. To learn more about it, read the blog or refer to AI prompt topics.

Cloudflare One Client - WARP client for Windows (version 2025.6.1400.0)

Thu, 21 Aug 2025 22:36:07 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains a hotfix for pre-login for multi-user for the 2025.6.1135.0 release.

Changes and improvements

Fixes an issue where new pre-login registrations were not being properly created.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, please reconnect the WARP client by toggling off and back on.

Gateway - Gateway BYOIP Dedicated Egress IPs now available.

Thu, 21 Aug 2025 00:00:00 GMT

Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs.

Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic.

Get started by following the BYOIP onboarding process. Once your IPs are onboarded, go to Gateway > Egress policies and select or create an egress policy. In Select an egress IP, choose Use dedicated egress IPs (Cloudflare or BYOIP), then select your BYOIP address from the dropdown menu.

For more information, refer to BYOIP for dedicated egress IPs.

Cloudflare One Client - WARP client for Windows (version 2025.6.1335.0)

Tue, 19 Aug 2025 22:10:43 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Improvements to better manage multi-user pre-login registrations.
Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement for faster client connectivity on high-latency captive portal networks.
Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.6.1335.0)

Tue, 19 Aug 2025 22:10:43 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement for faster client connectivity on high-latency captive portal networks.
Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Linux (version 2025.6.1335.0)

Tue, 19 Aug 2025 19:45:33 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement for faster client connectivity on high-latency captive portal networks.
Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Access - SFTP support for SSH with Cloudflare Access for Infrastructure

Fri, 15 Aug 2025 00:00:00 GMT

SSH with Cloudflare Access for Infrastructure now supports SFTP. It is compatible with SFTP clients, such as Cyberduck.

Access - Cloudflare Access Logging supports the Customer Metadata Boundary (CMB)

Thu, 14 Aug 2025 00:00:00 GMT

Cloudflare Access logs now support the Customer Metadata Boundary (CMB). If you have configured the CMB for your account, all Access logging will respect that configuration.

Email security - Expanded Email Link Isolation

Thu, 07 Aug 2025 23:22:49 GMT

When you deploy MX or Inline, not only can you apply email link isolation to suspicious links in all emails (including benign), you can now also apply email link isolation to all links of a specified disposition. This provides more flexibility in controlling user actions within emails.

For example, you may want to deliver suspicious messages but isolate the links found within them so that users who choose to interact with the links will not accidentally expose your organization to threats. This means your end users are more secure than ever before.

To isolate all links within a message based on the disposition, select Settings > Link Actions > View and select Configure. As with other other links you isolate, an interstitial will be provided to warn users that this site has been isolated and the link will be recrawled live to evaluate if there are any changes in our threat intel. Learn more about this feature on Configure link actions.

This feature is available across these Email security packages:

Enterprise
Enterprise + PhishGuard

Cloudflare WAN - Terraform V5 support for tunnels and routes

Thu, 31 Jul 2025 00:00:00 GMT

The Cloudflare Terraform provider resources for Cloudflare WAN tunnels and routes now support Terraform provider version 5. Customers using infrastructure-as-code workflows can manage their tunnel and route configuration with the latest provider version.

For more information, refer to the Cloudflare Terraform provider documentation.

Magic Transit, Cloudflare WAN - Magic Transit and Magic WAN health check data is fully compatible with the CMB EU setting.

Wed, 30 Jul 2025 00:00:00 GMT

Today, we are excited to announce that all Magic Transit and Magic WAN customers with CMB EU (Customer Metadata Boundary - Europe) enabled in their account will be able to access GRE, IPsec, and CNI health check and traffic volume data in the Cloudflare dashboard and via API.

This ensures that all Magic Transit and Magic WAN customers with CMB EU enabled will be able to access all Magic Transit and Magic WAN features.

Specifically, these two GraphQL endpoints are now compatible with CMB EU:

magicTransitTunnelHealthChecksAdaptiveGroups
magicTransitTunnelTrafficAdaptiveGroups

Gateway - Scam domain category introduced under Security Threats

Mon, 28 Jul 2025 00:00:00 GMT

We have introduced a new Security Threat category called Scam. Relevant domains are marked with the Scam category. Scam typically refers to fraudulent websites and schemes designed to trick victims into giving away money or personal information.

New category added

Parent ID	Parent Name	Category ID	Category Name
21	Security Threats	191	Scam

Refer to Gateway domain categories to learn more.

Cloudflare One Client - WARP client for Windows (version 2025.6.824.1)

Thu, 24 Jul 2025 12:28:40 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Improvements to better manage multi-user pre-login registrations.
Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement to managed network detection checks for faster switching between managed networks.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.6.824.1)

Thu, 24 Jul 2025 12:28:40 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement to managed network detection checks for faster switching between managed networks.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Gateway - Gateway HTTP Filtering on all ports available in open BETA

Thu, 24 Jul 2025 00:00:00 GMT

Gateway can now apply HTTP filtering to all proxied HTTP requests, not just traffic on standard HTTP (80) and HTTPS (443) ports. This means all requests can now be filtered by A/V scanning, file sandboxing, Data Loss Prevention (DLP), and more.

You can turn this setting on by going to Settings > Network > Firewall and choosing Inspect on all ports.

To learn more, refer to Inspect on all ports (Beta).

Cloudflare One Client - WARP client for Windows (version 2025.5.943.0)

Wed, 23 Jul 2025 20:41:54 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
Changes to the SCCM VPN boundary support feature to no longer restart the SMS Agent Host (ccmexec.exe) service.
Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.5.943.0)

Wed, 23 Jul 2025 20:41:33 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.
For macOS deployments, the WARP client can now be managed using an mdm.xml file placed in /Library/Application Support/Cloudflare/mdm.xml. This new configuration option offers an alternative to the still supported method of deploying a managed plist through an MDM solution.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Linux (version 2025.5.943.0)

Wed, 23 Jul 2025 19:17:49 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Gateway - Google Bard Application replaced by Gemini

Tue, 22 Jul 2025 00:00:00 GMT

The Google Bard application (ID: 1198) has been deprecated and fully removed from the system. It has been replaced by the Gemini application (ID: 1340). Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. For more information about application policies, please see the Cloudflare Gateway documentation.

Cloudflare One, Cloudflare WAN - Virtual Cloudflare One Appliance with KVM support (open beta)

Mon, 21 Jul 2025 00:00:00 GMT

The KVM-based virtual Cloudflare One Appliance is now in open beta with official support for Proxmox VE.

Customers can deploy the virtual appliance on KVM hypervisors to connect branch or data center networks to Cloudflare WAN without dedicated hardware.

For setup instructions, refer to Configure a virtual Cloudflare One Appliance.

Data Loss Prevention - New detection entry type: Document Matching for DLP

Thu, 17 Jul 2025 00:00:00 GMT

You can now create document-based detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files.

Key features and benefits:

Upload documents, forms, or templates: Easily upload .docx and .txt files (up to 10 MB) that contain sensitive information you want to protect.
Granular control with similarity percentage: Define a minimum similarity percentage (0-100%) that a document must meet to trigger a detection, reducing false positives.
Comprehensive coverage: Apply these document-based detection entries in:
- Gateway policies: To inspect network traffic for sensitive documents as they are uploaded or shared.
- CASB (Cloud Access Security Broker): To scan files stored in cloud applications for sensitive documents at rest.
Identify sensitive data: This new detection entry type is ideal for identifying sensitive data within completed forms, templates, or even small snippets of a larger document, helping you prevent data exfiltration and ensure compliance.

Once uploaded and processed, you can add this new document entry into a DLP profile and policies to enhance your data protection strategy.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Faster, more reliable UDP traffic for Cloudflare Tunnel

Tue, 15 Jul 2025 00:00:00 GMT

Your real-time applications running over Cloudflare Tunnel are now faster and more reliable. We've completely re-architected the way cloudflared proxies UDP traffic in order to isolate it from other traffic, ensuring latency-sensitive applications like private DNS are no longer slowed down by heavy TCP traffic (like file transfers) on the same Tunnel.

This is a foundational improvement to Cloudflare Tunnel, delivered automatically to all customers. There are no settings to configure — your UDP traffic is already flowing faster and more reliably.

What’s new:

Faster UDP performance: We've significantly reduced the latency for establishing new UDP sessions, making applications like private DNS much more responsive.
Greater reliability for mixed traffic: UDP packets are no longer affected by heavy TCP traffic, preventing timeouts and connection drops for your real-time services.

Learn more about running TCP or UDP applications and private networks through Cloudflare Tunnel.

Cloudflare One - New onboarding guides for Zero Trust

Thu, 10 Jul 2025 00:00:00 GMT

Use our brand new onboarding experience for Cloudflare Zero Trust. New and returning users can now engage with a Get Started tab with walkthroughs for setting up common use cases end-to-end.

There are eight brand new onboarding guides in total:

Securely access a private network (sets up device client and Tunnel)
Device-to-device / mesh networking (sets up and connects multiple device clients)
Network to network connectivity (sets up and connects multiple WARP Connectors, makes reference to Magic WAN availability for Enterprise)
Secure web traffic (sets up device client, Gateway, pre-reqs, and initial policies)
Secure DNS for networks (sets up a new DNS location and Gateway policies)
Clientless web access (sets up Access to a web app, Tunnel, and public hostname)
Clientless SSH access (all the same + the web SSH experience)
Clientless RDP access (all the same + RDP-in-browser)

Each flow walks the user through the steps to configure the essential elements, and provides a “more details” panel with additional contextual information about what the user will accomplish at the end, along with why the steps they take are important.

Try them out now in the Zero Trust dashboard!

Cloudflare One - Cloudy summaries for Access and Gateway Logs

Mon, 07 Jul 2025 00:00:00 GMT

Cloudy, Cloudflare's AI Agent, will now automatically summarize your Access and Gateway block logs.

In the log itself, Cloudy will summarize what occurred and why. This will be helpful for quick troubleshooting and issue correlation.

If you have feedback about the Cloudy summary - good or bad - you can provide that right from the summary itself.

Cloudflare One - New App Library for Zero Trust Dashboard

Mon, 07 Jul 2025 00:00:00 GMT

Cloudflare Zero Trust customers can use the App Library to get full visibility over the SaaS applications that they use in their Gateway policies, CASB integrations, and Access for SaaS applications.

App Library, found under My Team, makes information available about all Applications that can be used across the Zero Trust product suite.

You can use the App Library to see:

How Applications are defined
Where they are referenced in policies
Whether they have Access for SaaS configured
Review their CASB findings and integration status.

Within individual Applications, you can also track their usage across your organization, and better understand user behavior.

Access - Access RDP securely from your browser — now in open beta

Tue, 01 Jul 2025 00:00:00 GMT

Browser-based RDP with Cloudflare Access is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.

With browser-based RDP, you can:

Control how users authenticate to internal RDP resources with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
Record who is accessing which servers and when to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
Eliminate the need to install and manage software on user devices. You will only need a web browser.
Reduce your attack surface by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.

To get started, see Connect to RDP in a browser.

Cloudflare One Client - WARP client for Windows (version 2025.5.893.0)

Mon, 30 Jun 2025 21:10:37 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains improvements and new exciting features, including SCCM VPN boundary support and post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

Changes and improvements

Fixed a device registration issue that caused WARP connection failures when changing networks.
Captive portal improvements and fixes:
- Captive portal sign in notifications will now be sent through operating system notification services.
- Fix for firewall configuration issue affecting clients in DoH only mode.
Improved the connectivity status message in the client GUI.
Fixed a bug affecting clients in Gateway with DoH mode where the original DNS servers were not restored after disabling WARP.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to handle client configuration changes made by an MDM while WARP is not running.
Improvements for multi-user experience to better handle fast user switching and transitions from a pre-login to a logged-in state.
Added a WARP client device posture check for SAN attributes to the client certificate check.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
Added SCCM VPN boundary support to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable.
Fix for an issue causing WARP connectivity to fail without full system reboot.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5060829 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.5.893.0)

Mon, 30 Jun 2025 21:10:36 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains improvements and new exciting features, including post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

Changes and improvements

Fixed an issue where WARP sometimes failed to automatically relaunch after updating.
Fixed a device registration issue causing WARP connection failures when changing networks.
Captive portal improvements and fixes:
- Captive portal sign in notifications will now be sent through operating system notification services.
- Fix for firewall configuration issue affecting clients in DoH only mode.
Improved the connectivity status message in the client GUI.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to handle client configuration changes made by an MDM while WARP is not running.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations.
Added a WARP client device posture check for SAN attributes to the client certificate check.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Cloudflare One Client - WARP client for Linux (version 2025.5.893.0)

Mon, 30 Jun 2025 19:44:34 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

Changes and improvements

Fixed a device registration issue causing WARP connection failures when changing networks.
Captive portal improvements and fixes:
- Captive portal sign in notifications will now be sent through operating system notification services.
- Fix for firewall configuration issue affecting clients in DoH only mode.
Improved the connectivity status message in the client GUI.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to handle client configuration changes made by MDM while WARP is not running.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
Added a WARP client device posture check for SAN attributes to the client certificate check.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - Cloudflare One Agent for Android (version 2.4.2)

Mon, 30 Jun 2025 00:00:00 GMT

A new GA release for the Android Cloudflare One Agent is now available in the Google Play Store. This release contains improvements and new exciting features, including post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

Changes and improvements

QLogs are now disabled by default and can be enabled in the app by turning on Enable qlogs under Settings > Advanced > Diagnostics > Debug Logs. The QLog setting from previous releases will no longer be respected.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Fixed an issue that caused WARP connection failures on ChromeOS devices.

Cloudflare One Client - Cloudflare One Agent for iOS (version 1.11)

Mon, 30 Jun 2025 00:00:00 GMT

A new GA release for the iOS Cloudflare One Agent is now available in the iOS App Store. This release contains improvements and new exciting features, including post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

Changes and improvements

QLogs are now disabled by default and can be enabled in the app by turning on Enable qlogs under Settings > Advanced > Diagnostics > Debug Logs. The QLog setting from previous releases will no longer be respected.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.

Data Loss Prevention, CASB, Cloudflare One - Data Security Analytics in the Zero Trust dashboard

Mon, 23 Jun 2025 09:00:00 GMT

Zero Trust now includes Data security analytics, providing you with unprecedented visibility into your organization sensitive data.

The new dashboard includes:

Sensitive Data Movement Over Time:
- See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths.
Sensitive Data at Rest in SaaS & Cloud:
- View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3).
DLP Policy Activity:
- Identify which of your Data Loss Prevention (DLP) policies are being triggered most often.
- See which specific users are responsible for triggering DLP policies.

To access the new dashboard, log in to Cloudflare One and go to Insights on the sidebar.

Gateway - Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025

Wed, 18 Jun 2025 00:00:00 GMT

Gateway will now evaluate Network (Layer 4) policies before HTTP (Layer 7) policies. This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.

This change will roll out progressively between July 14–18, 2025. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.

Updated order of enforcement

Previous order:

DNS policies
HTTP policies
Network policies

New order:

DNS policies
Network policies
HTTP policies

Action required: Review your Gateway HTTP policies

This change may affect block notifications. For example:

You have an HTTP policy to block example.com and display a block page.
You also have a Network policy to block example.com silently (no client notification).

With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.

To ensure users still receive a block notification, you can:

Add a client notification to your Network policy, or
Use only the HTTP policy for that domain.

Why we’re making this change

This update is based on user feedback and aims to:

Create a more intuitive model by evaluating network-level policies before application-level policies.
Minimize 526 connection errors by verifying the network path to an origin before attempting to establish a decrypted TLS connection.

To learn more, visit the Gateway order of enforcement documentation.

Cloudflare One Client - WARP client for Windows (version 2025.5.828.1)

Tue, 17 Jun 2025 12:04:39 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.

Changes and improvements

Improvement to better handle multi-user fast user switching.
Fix for an issue causing WARP connectivity to fail without full system reboot.

Known issues

Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.5.828.1)

Tue, 17 Jun 2025 12:04:39 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.

Changes and improvements

Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Cloudflare One Client - WARP client for Windows (version 2025.5.735.1)

Thu, 05 Jun 2025 20:38:05 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

Changes and improvements

Fixed a device registration issue causing WARP connection failures when changing networks.
Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in.
Fixed a bug where in Gateway with DoH mode, connection to DNS servers was not automatically restored after reconnecting WARP.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to gracefully handle changes made by MDM while WARP is not running.
Improvement for multi-user mode to avoid unnecessary key rotations when transitioning from a pre-login to a logged-in state.
Added a WARP client device posture check for SAN attributes to the client certificate check.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
Added SCCM VPN boundary support to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable.

Known issues

Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.5.735.1)

Thu, 05 Jun 2025 20:38:04 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

Changes and improvements

Fixed an issue where the Cloudflare WARP application may not have automatically relaunched after an update.
Fixed a device registration issue causing WARP connection failures when changing networks.
Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to gracefully handle changes made by MDM while WARP is not running.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Access, Cloudflare One - Cloudflare One Analytics Dashboards and Exportable Access Report

Thu, 05 Jun 2025 00:00:00 GMT

Cloudflare One now offers powerful new analytics dashboards to help customers easily discover available insights into their application access and network activity. These dashboards provide a centralized, intuitive view for understanding user behavior, application usage, and security posture.

![Cloudflare One Analytics Dashboards](~/assets/images/changelog/cloudflare-one/Analytics Dashboards.png)

Additionally, a new exportable access report is available, allowing customers to quickly view high-level metrics and trends in their application access. A preview of the report is shown below, with more to be found in the report:

Both features are accessible in the Cloudflare Zero Trust dashboard, empowering organizations with better visibility and control.

Gateway, Cloudflare One - New Gateway Analytics in the Cloudflare One Dashboard

Thu, 29 May 2025 00:00:00 GMT

Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources.

You can now visualize and explore:

Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity.
Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation.
Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture.
Geographic Regions: Gain insight into the global distribution of your traffic.

To access the new overview, log in to your Cloudflare Zero Trust dashboard and go to Analytics in the side navigation bar.

Gateway - Gateway Protocol Detection Now Available for PAYGO and Free Plans

Tue, 27 May 2025 00:00:00 GMT

All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans.

With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier.

This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the Protocol detection documentation.

Cloudflare One Client - WARP client for Windows (version 2025.4.943.0)

Thu, 22 May 2025 21:34:06 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains a hotfix for managed networks for the 2025.4.929.0 release.

Changes and improvements

Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

Known issues

DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.
Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.

Cloudflare One Client - WARP client for macOS (version 2025.4.943.0)

Thu, 22 May 2025 21:34:06 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains a hotfix for managed networks for the 2025.4.929.0 release.

Changes and improvements

Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Cloudflare One Client - WARP client for Linux (version 2025.4.943.0)

Thu, 22 May 2025 19:22:32 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains a hotfix for managed networks for the 2025.4.929.0 release.

Changes and improvements

Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One - New Applications Added to Zero Trust

Sun, 18 May 2025 00:00:00 GMT

42 new applications have been added for Zero Trust support within the Application Library and Gateway policy enforcement, giving you the ability to investigate or apply inline policies to these applications.

33 of the 42 applications are Artificial Intelligence applications. The others are Human Resources (2 applications), Development (2 applications), Productivity (2 applications), Sales & Marketing, Public Cloud, and Security.

To view all available applications, log in to your Cloudflare Zero Trust dashboard, navigate to the App Library under My Team.

For more information on creating Gateway policies, see our Gateway policy documentation.

Access, Cloudflare One - New Access Analytics in the Cloudflare One Dashboard

Fri, 16 May 2025 00:00:00 GMT

A new Access Analytics dashboard is now available to all Cloudflare One customers. Customers can apply and combine multiple filters to dive into specific slices of their Access metrics. These filters include:

Logins granted and denied
Access events by type (SSO, Login, Logout)
Application name (Salesforce, Jira, Slack, etc.)
Identity provider (Okta, Google, Microsoft, onetimepin, etc.)
Users (chris@cloudflare.com, sally@cloudflare.com, rachel@cloudflare.com, etc.)
Countries (US, CA, UK, FR, BR, CN, etc.)
Source IP address
App type (self-hosted, Infrastructure, RDP, etc.)

To access the new overview, log in to your Cloudflare Zero Trust dashboard and find Analytics in the side navigation bar.

Email security - Open email attachments with Browser Isolation

Thu, 15 May 2025 23:22:49 GMT

You can now safely open email attachments to view and investigate them.

What this means is that messages now have a Attachments section. Here, you can view processed attachments and their classifications (for example, Malicious, Suspicious, Encrypted). Next to each attachment, a Browser Isolation icon allows your team to safely open the file in a clientless, isolated browser with no risk to the analyst or your environment.

To use this feature, you must:

Enable Clientless Web Isolation in your Zero Trust settings.
Have Browser Isolation (BISO) seats assigned.

For more details, refer to our setup guide.

Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare One Client - WARP client for Windows (version 2025.4.929.0)

Wed, 14 May 2025 21:32:45 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains two significant changes all customers should be aware of:

All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our DoH IP addresses and domains.
When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

Changes and improvements

Fixed an issue causing reconnection loops when captive portals are detected.
Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names.
Fixed an issue where managed network policies could incorrectly report network location beacons as missing.
Improved DEX test error reporting.
Fixed an issue where some parts of the WARP Client UI were missing in high contrast mode.
Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies you will need to exempt these IPs.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.
Fixed an issue where frequent network changes could cause WARP to become unresponsive.
Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
Fixed an issue causing WARP connection disruptions after network changes.

Known issues

DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.
Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.

Gateway - Domain Categories improvements

Wed, 14 May 2025 00:00:00 GMT

New categories added

Parent ID	Parent Name	Category ID	Category Name
1	Ads	66	Advertisements
3	Business & Economy	185	Personal Finance
3	Business & Economy	186	Brokerage & Investing
21	Security Threats	187	Compromised Domain
21	Security Threats	188	Potentially Unwanted Software
6	Education	189	Reference
9	Government & Politics	190	Charity and Non-profit

Changes to existing categories

Original Name	New Name
Religion	Religion & Spirituality
Government	Government/Legal
Redirect	URL Alias/Redirect

Refer to Gateway domain categories to learn more.

Browser Isolation - SAML HTTP-POST bindings support for RBI

Tue, 13 May 2025 00:00:00 GMT

Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused 405 errors during login and improves compatibility with multi-factor authentication (MFA) flows.

With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to set up Remote Browser Isolation.

Gateway - New Applications Added for DNS Filtering

Tue, 13 May 2025 00:00:00 GMT

You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic.

With this update, you can:

Create DNS policies for a wider range of applications
Manage outbound traffic more effectively
Improve your organization's security and compliance posture

For more information on creating DNS policies, see our DNS policy documentation.

Cloudflare One Client - WARP client for Linux (version 2025.4.929.0)

Mon, 12 May 2025 23:21:47 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains two significant changes all customers should be aware of:

All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our DoH IP addresses and domains.
When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

Changes and improvements

Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
Improved DEX test error reporting.
Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies you will need to exempt these IPs.
Fixed an issue where frequent network changes could cause WARP to become unresponsive.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
Fixed an issue causing WARP connection disruptions after network changes.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for macOS (version 2025.4.929.0)

Mon, 12 May 2025 23:20:27 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains two significant changes all customers should be aware of:

All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our DoH IP addresses and domains.
When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

Changes and improvements

Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
Improved DEX test error reporting.
Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
Improved captive portal detection.
Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies you will need to exempt these IPs.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.
Fixed an issue where frequent network changes could cause WARP to become unresponsive.
Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
Fixed an issue causing WARP connection disruptions after network changes.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Data Loss Prevention - Case Sensitive Custom Word Lists

Mon, 12 May 2025 00:00:00 GMT

You can now configure custom word lists to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.

Email security - Open email links with Browser Isolation

Thu, 08 May 2025 23:22:49 GMT

You can now safely open links in emails to view and investigate them.

From Investigation, go to View details, and look for the Links identified section. Next to each link, the Cloudflare dashboard will display an Open in Browser Isolation icon which allows your team to safely open the link in a clientless, isolated browser with no risk to the analyst or your environment. Refer to Open links to learn more about this feature.

To use this feature, you must:

Enable Clientless Web Isolation in your Zero Trust settings.
Have Browser Isolation (RBI) seats assigned.

For more details, refer to our setup guide.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Data Loss Prevention - Send forensic copies to storage without DLP profiles

Wed, 07 May 2025 00:00:00 GMT

You can now send DLP forensic copies to third-party storage for any HTTP policy with an Allow or Block action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases.

By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs.

Browser Isolation - Browser Isolation Overview page for Zero Trust

Thu, 01 May 2025 00:00:00 GMT

A new Browser Isolation Overview page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of Remote Browser Isolation (RBI) deployments, providing:

Streamlined Onboarding: Easily set up and manage isolation policies from one location.
Quick Testing: Validate clientless web application isolation with ease.
Simplified Configuration: Configure isolated access applications and policies efficiently.
Centralized Monitoring: Track aggregate usage and blocked actions.

This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively.

To access the new overview, log in to your Cloudflare Zero Trust dashboard and find Browser Isolation in the side navigation bar.

Cloudflare One - Dark Mode for Zero Trust Dashboard

Wed, 30 Apr 2025 00:00:00 GMT

The Cloudflare Zero Trust dashboard now supports Cloudflare's native dark mode for all accounts and plan types.

Zero Trust Dashboard will automatically accept your user-level preferences for system settings, so if your Dashboard appearance is set to 'system' or 'dark', the Zero Trust dashboard will enter dark mode whenever the rest of your Cloudflare account does.

Zero Trust Dashboard
To update your view preference in the Zero Trust dashboard:
1. Log into the Zero Trust dashboard.
2. Select your user icon.
3. Select Dark Mode.
Core Dashboard
To update your view preference in the Core dashboard:
1. Log into the Cloudflare dashboard.
2. Go to My Profile
3. For Appearance, choose Dark.

Cloudflare One, Cloudflare WAN - Cloudflare One Appliance supports multiple DNS server IPs

Wed, 30 Apr 2025 00:00:00 GMT

Cloudflare One Appliance DHCP server settings now support specifying multiple DNS server IP addresses in the DHCP pool.

Previously, customers could only configure a single DNS server per DHCP pool. With this update, you can specify multiple DNS servers to provide redundancy for clients at branch locations.

For configuration details, refer to DHCP server.

Gateway - FQDN Filtering For Gateway Egress Policies

Mon, 28 Apr 2025 00:00:00 GMT

Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies.

Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.
- For WARP client support, additional configuration is required. For more information, refer to the WARP client configuration documentation.

This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path.

Cloudflare One Client - WARP client for Windows (version 2025.4.589.1)

Tue, 22 Apr 2025 20:20:21 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

Changes and improvements

Fixed an issue causing reconnection loops when captive portals are detected.
Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names.
Fixed an issue where managed network policies could incorrectly report network location beacons as missing.
Improved error reporting for DEX tests.
Improved WARP client UI high contrast mode.
Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.
Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies you will need to exempt these IPs.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
Added a Collect Captive Portal Diag button in the client GUI to make it easier for users to collect captive portal debugging diagnostics.
Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.
Fixed an issue where frequent network changes could cause WARP to become unresponsive.

Known issues

DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.4.589.1)

Tue, 22 Apr 2025 20:20:21 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

Changes and improvements

Fixed an issue where managed network policies could incorrectly report network location beacons as missing.
Improved DEX test error reporting.
Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
Improved captive portal detection.
Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.
Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies you will need to exempt these IPs.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
Added a Collect Captive Portal Diag button in the client GUI to make it easier for users to collect captive portal debugging diagnostics.
Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.
Fixed an issue where frequent network changes could cause WARP to become unresponsive.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Access - Access bulk policy tester

Mon, 21 Apr 2025 00:00:00 GMT

The Access bulk policy tester is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable).

Data Loss Prevention - New predefined detection entry for ICD-11

Mon, 14 Apr 2025 00:00:00 GMT

You now have access to the World Health Organization (WHO) 2025 edition of the International Classification of Diseases 11th Revision (ICD-11) as a predefined detection entry. The new dataset can be found in the Health Information predefined profile.

ICD-10 dataset remains available for use.

Gateway - HTTP redirect and custom block page redirect

Fri, 11 Apr 2025 00:00:00 GMT

You can now use more flexible redirect capabilities in Cloudflare One with Gateway.

A new Redirect action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
For Block actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.

Learn more in our documentation for HTTP Redirect and Block page redirect.

Access - Cloudflare Zero Trust SCIM User and Group Provisioning Logs

Wed, 09 Apr 2025 00:00:00 GMT

Cloudflare Zero Trust SCIM provisioning now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The SCIM logs support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions.

SCIM logs can be found on the Zero Trust Dashboard under Logs -> SCIM provisioning.

Cloudflare One Client - WARP client for Windows (version 2025.2.664.0)

Tue, 08 Apr 2025 21:25:24 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains a hotfix for captive portal detection for the 2025.2.600.0 release.

Changes and improvements

Fix to reduce the number of browser tabs opened during captive portal logins.

Known issues

DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.2.664.0)

Tue, 08 Apr 2025 21:25:07 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains a hotfix for captive portal detection and PF state tables for the 2025.2.600.0 release.

Changes and improvements

Fix to reduce the number of browser tabs opened during captive portal logins.
Improvement to exclude local DNS traffic entries from PF state table to reduce risk of connectivity issues from exceeding table capacity.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Email security - CASB and Email security

Tue, 01 Apr 2025 23:22:49 GMT

With Email security, you get two free CASB integrations.

Use one SaaS integration for Email security to sync with your directory of users, take actions on delivered emails, automatically provide EMLs for reclassification requests for clean emails, discover CASB findings and more.

With the other integration, you can have a separate SaaS integration for CASB findings for another SaaS provider.

Refer to Add an integration to learn more about this feature.

This feature is available across these Email security packages:

Enterprise
Enterprise + PhishGuard

Gateway - Secure DNS Locations Management User Role

Fri, 21 Mar 2025 00:00:00 GMT

We're excited to introduce the Cloudflare Zero Trust Secure DNS Locations Write role, designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions.

Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions.

Secure DNS Location Requirements:

Mandate usage of Bring your own DNS resolver IP addresses if available on the account.
Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint.

You can assign the new role via Cloudflare Dashboard (Manage Accounts > Members) or via API. For more information, refer to the Secure DNS Locations documentation.

Cloudflare One Client - Cloudflare One Agent for Android (version 2.4)

Mon, 17 Mar 2025 00:00:00 GMT

A new GA release for the Android Cloudflare One Agent is now available in the Google Play Store. This release includes a new feature allowing team name insertion by URL during enrollment, as well as fixes and minor improvements.

Changes and improvements

Improved in-app error messages.
Improved mobile client login with support for team name insertion by URL.
Fixed an issue preventing admin split tunnel settings taking priority for traffic from certain applications.

Cloudflare One Client - Cloudflare One Agent for iOS (version 1.10)

Mon, 17 Mar 2025 00:00:00 GMT

A new GA release for the iOS Cloudflare One Agent is now available in the iOS App Store. This release includes a new feature allowing team name insertion by URL during enrollment, as well as fixes and minor improvements.

Changes and improvements

Improved in-app error messages.
Improved mobile client login with support for team name insertion by URL.
Bug fixes and performance improvements.

Cloudflare Network Firewall - Cloudflare IP Ranges List

Thu, 13 Mar 2025 00:00:00 GMT

Magic Firewall now supports a new managed list of Cloudflare IP ranges. This list is available as an option when creating a Magic Firewall policy based on IP source/destination addresses. When selecting "is in list" or "is not in list", the option "Cloudflare IP Ranges" will appear in the dropdown menu.

This list is based on the IPs listed in the Cloudflare IP ranges. Updates to this managed list are applied automatically.

Note: IP Lists require a Cloudflare Advanced Network Firewall subscription. For more details about Cloudflare Network Firewall plans, refer to Plans.

Digital Experience Monitoring - Cloudflare One Agent now supports Endpoint Monitoring

Fri, 07 Mar 2025 00:00:00 GMT

Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Cloudflare SASE deployment. The latest release of the Cloudflare One agent (v2025.1.861) now includes device endpoint monitoring capabilities to provide deeper visibility into end-user device performance which can be analyzed directly from the dashboard.

Device health metrics are now automatically collected, allowing administrators to:

View the last network a user was connected to
Monitor CPU and RAM utilization on devices
Identify resource-intensive processes running on endpoints

This feature complements existing DEX features like synthetic application monitoring and network path visualization, creating a comprehensive troubleshooting workflow that connects application performance with device state.

For more details refer to our DEX documentation.

Browser Isolation - Gain visibility into user actions in Zero Trust Browser Isolation sessions

Tue, 04 Mar 2025 00:00:00 GMT

We're excited to announce that new logging capabilities for Remote Browser Isolation (RBI) through Logpush are available in Beta starting today!

With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session.

{
  "AccountID": "$ACCOUNT_ID",
  "Decision": "block",
  "DomainName": "www.example.com",
  "Timestamp": "2025-02-27T23:15:06Z",
  "Type": "copy",
  "UserID": "$USER_ID"
}

User Actions available:

Copy & Paste
Downloads & Uploads
Printing

Learn more about how to get started with Logpush in our documentation.

Access - New SAML and OIDC Fields and SAML transforms for Access for SaaS

Mon, 03 Mar 2025 00:00:00 GMT

Access for SaaS applications now include more configuration options to support a wider array of SaaS applications.

SAML and OIDC Field Additions

OIDC apps now include:

Group Filtering via RegEx
OIDC Claim mapping from an IdP
OIDC token lifetime control
Advanced OIDC auth flows including hybrid and implicit flows

SAML apps now include improved SAML attribute mapping from an IdP.

SAML transformations

SAML identities sent to Access applications can be fully customized using JSONata expressions. This allows admins to configure the precise identity SAML statement sent to a SaaS application.

Email security - Use Logpush for Email security detections

Sat, 01 Mar 2025 23:22:49 GMT

You can now send detection logs to an endpoint of your choice with Cloudflare Logpush.

Filter logs matching specific criteria you have set and select from over 25 fields you want to send. When creating a new Logpush job, remember to select Email security alerts as the dataset.

For more information, refer to Enable detection logs.

This feature is available across these Email security packages:

Enterprise
Enterprise + PhishGuard

Email security - Check status of Email security or Area 1

Thu, 27 Feb 2025 23:22:49 GMT

Concerns about performance for Email security or Area 1? You can now check the operational status of both on the Cloudflare Status page.

For Email security, look under Cloudflare Sites and Services.

Dashboard is the dashboard for Cloudflare, including Email security
Email security (Zero Trust) is the processing of email
API are the Cloudflare endpoints, including the ones for Email security

For Area 1, under Cloudflare Sites and Services:

Area 1 - Dash is the dashboard for Cloudflare, including Email security
Email security (Area1) is the processing of email
Area 1 - API are the Area 1 endpoints

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Email security - Use DLP Assist for M365

Tue, 25 Feb 2025 23:22:49 GMT

Cloudflare Email security customers who have Microsoft 365 environments can quickly deploy an Email DLP (Data Loss Prevention) solution for free.

Simply deploy our add-in, create a DLP policy in Cloudflare, and configure Outlook to trigger behaviors like displaying a banner, alerting end users before sending, or preventing delivery entirely.

Refer to Outbound Data Loss Prevention to learn more about this feature.

In GUI alert:

Alert before sending:

Prevent delivery:

This feature is available across these Email security packages:

Enterprise
Enterprise + PhishGuard

Cloudflare WAN - Configure your Magic WAN Connector to connect via static IP assigment

Fri, 14 Feb 2025 00:00:00 GMT

You can now locally configure your Magic WAN Connector to work in a static IP configuration.

This local method does not require having access to a DHCP Internet connection. However, it does require being comfortable with using tools to access the serial port on Magic WAN Connector as well as using a serial terminal client to access the Connector's environment.

For more details, refer to WAN with a static IP address.

Email security - Open email links with Security Center

Fri, 07 Feb 2025 23:22:49 GMT

You can now investigate links in emails with Cloudflare Security Center to generate a report containing a myriad of technical details: a phishing scan, SSL certificate data, HTTP request and response data, page performance data, DNS records, what technologies and libraries the page uses, and more.

From Investigation, go to View details, and look for the Links identified section. Select Open in Security Center next to each link. Open in Security Center allows your team to quickly generate a detailed report about the link with no risk to the analyst or your environment.

For more details, refer to Open links.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Data Loss Prevention, Gateway - Block files that are password-protected, compressed, or otherwise unscannable.

Mon, 03 Feb 2025 00:00:00 GMT

Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.

These unscannable files are now matched with the Download and Upload File Types traffic selectors for HTTP policies:

Password-protected Microsoft Office document
Password-protected PDF
Password-protected ZIP archive
Unscannable ZIP archive

To get started inspecting and modifying behavior based on these and other rules, refer to HTTP filtering.

Data Loss Prevention - Detect source code leaks with Data Loss Prevention

Mon, 20 Jan 2025 00:00:00 GMT

You can now detect source code leaks with Data Loss Prevention (DLP) with predefined checks against common programming languages.

The following programming languages are validated with natural language processing (NLP).

C
C++
C#
Go
Haskell
Java
JavaScript
Lua
Python
R
Rust
Swift

DLP also supports confidence level for source code profiles.

For more details, refer to DLP profiles.

Access - Export SSH command logs with Access for Infrastructure using Logpush

Wed, 15 Jan 2025 00:00:00 GMT

Cloudflare now allows you to send SSH command logs to storage destinations configured in Logpush, including third-party destinations. Once exported, analyze and audit the data as best fits your organization! For a list of available data fields, refer to the SSH logs dataset.

To set up a Logpush job, refer to Logpush integration.

Email security - Escalate user submissions

Thu, 19 Dec 2024 23:22:49 GMT

After you triage your users' submissions (that are machine reviewed), you can now escalate them to our team for reclassification (which are instead human reviewed). User submissions from the submission alias, PhishNet, and our API can all be escalated.

From Reclassifications, go to User submissions. Select the three dots next to any of the user submissions, then select Escalate to create a team request for reclassification. The Cloudflare dashboard will then show you the submissions on the Team Submissions tab.

Refer to User submissions to learn more about this feature.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Email security - Increased transparency for phishing email submissions

Thu, 19 Dec 2024 00:00:00 GMT

You now have more transparency about team and user submissions for phishing emails through a Reclassification tab in the Zero Trust dashboard.

Reclassifications happen when users or admins submit a phish to Email security. Cloudflare reviews and - in some cases - reclassifies these emails based on improvements to our machine learning models.

This new tab increases your visibility into this process, allowing you to view what submissions you have made and what the outcomes of those submissions are.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Troubleshoot tunnels with diagnostic logs

Thu, 19 Dec 2024 00:00:00 GMT

The latest cloudflared build 2024.12.2 introduces the ability to collect all the diagnostic logs needed to troubleshoot a cloudflared instance.

A diagnostic report collects data from a single instance of cloudflared running on the local machine and outputs it to a cloudflared-diag file.

For more information, refer to Diagnostic logs.

Magic Transit, Cloudflare WAN, Network Interconnect - Establish BGP peering over Direct CNI circuits

Tue, 17 Dec 2024 00:00:00 GMT

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.

Using BGP peering allows customers to:

Automate the process of adding or removing networks and subnets.
Take advantage of failure detection and session recovery features.

With this functionality, customers can:

Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via CNI.
Secure the session by MD5 authentication to prevent misconfigurations.
Exchange routes dynamically between their devices and their Magic routing table.

Refer to Magic WAN BGP peering or Magic Transit BGP peering to learn more about this feature and how to set it up.

Multi-Cloud Networking - Generate customized terraform files for building cloud network on-ramps

Thu, 05 Dec 2024 00:00:00 GMT

You can now generate customized terraform files for building cloud network on-ramps to Magic WAN.

Magic Cloud can scan and discover existing network resources and generate the required terraform files to automate cloud resource deployment using their existing infrastructure-as-code workflows for cloud automation.

You might want to do this to:

Review the proposed configuration for an on-ramp before deploying it with Cloudflare.
Deploy the on-ramp using your own infrastructure-as-code pipeline instead of deploying it with Cloudflare.

For more details, refer to Set up with Terraform.

CASB - Find security misconfigurations in your AWS cloud environment

Fri, 22 Nov 2024 00:00:00 GMT

You can now use CASB to find security misconfigurations in your AWS cloud environment using Data Loss Prevention.

You can also connect your AWS compute account to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration.

To connect a compute account to your AWS integration:

In Cloudflare One, go to Cloud & SaaS findings > Integrations.
Find and select your AWS integration.
Select Open connection instructions.
Follow the instructions provided to connect a new compute account.
Select Refresh.

Browser Isolation - Improved non-English keyboard support

Thu, 21 Nov 2024 00:00:00 GMT

You can now type in languages that use diacritics (like á or ç) and character-based scripts (such as Chinese, Japanese, and Korean) directly within the remote browser. The isolated browser now properly recognizes non-English keyboard input, eliminating the need to copy and paste content from a local browser or device.

Email security - Use Logpush for Email security user actions

Thu, 07 Nov 2024 23:22:49 GMT

You can now send user action logs for Email security to an endpoint of your choice with Cloudflare Logpush.

Filter logs matching specific criteria you have set or select from multiple fields you want to send. For all users, we will log the date and time, user ID, IP address, details about the message they accessed, and what actions they took.

When creating a new Logpush job, remember to select Audit logs as the dataset and filter by:

Field: "ResourceType"
Operator: "starts with"
Value: "email_security".

For more information, refer to Enable user action logs.

This feature is available across all Email security packages:

Enterprise
Enterprise + PhishGuard

Cloudflare Network Firewall - Search for custom rules using rule name and/or ID

Wed, 02 Oct 2024 00:00:00 GMT

The Magic Firewall dashboard now allows you to search custom rules using the rule name and/or ID.

Log into the Cloudflare dashboard and select your account.
Go to Analytics & Logs > Network Analytics.
Select Magic Firewall.
Add a filter for Rule ID.

Additionally, the rule ID URL link has been added to Network Analytics.

Access - Eliminate long-lived credentials and enhance SSH security with Cloudflare Access for Infrastructure

Tue, 01 Oct 2024 00:00:00 GMT

Organizations can now eliminate long-lived credentials from their SSH setup and enable strong multi-factor authentication for SSH access, similar to other Access applications, all while generating access and command logs.

SSH with Access for Infrastructure uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: WARP-to-Tunnel.

SSH with Access for Infrastructure enables you to:

Author fine-grained policy to control who may access your SSH servers, including specific ports, protocols, and SSH users.
Monitor infrastructure access with Access and SSH command logs, supporting regulatory compliance and providing visibility in case of security breach.
Preserve your end users' workflows. SSH with Access for Infrastructure supports native SSH clients and does not require any modifications to users’ SSH configs.

To get started, refer to SSH with Access for Infrastructure.

Risk Score - Exchange user risk scores with Okta

Mon, 17 Jun 2024 00:00:00 GMT

Beyond the controls in Zero Trust, you can now exchange user risk scores with Okta to inform SSO-level policies.

First, configure Cloudflare One to send user risk scores to Okta.

Set up the Okta SSO integration.
In Cloudflare One, go to Integrations > Identity providers.
In Your identity providers, locate your Okta integration and select Edit.
Turn on Send risk score to Okta.
Select Save.
Upon saving, Cloudflare One will display the well-known URL for your organization. Copy the value.

Next, configure Okta to receive your risk scores.

On your Okta admin dashboard, go to Security > Device Integrations.
Go to Receive shared signals, then select Create stream.
Name your integration. In Set up integration with, choose Well-known URL.
In Well-known URL, enter the well-known URL value provided by Cloudflare One.
Select Create.

Access, Browser Isolation, CASB, Cloudflare Tunnel for SASE, Digital Experience Monitoring, Data Loss Prevention, Email security, Gateway, Multi-Cloud Networking, Cloudflare Network Firewall, Network Flow, Magic Transit, Cloudflare WAN, Network Interconnect, Risk Score, Cloudflare One Client - Explore product updates for Cloudflare One

Sun, 16 Jun 2024 00:00:00 GMT

Welcome to your new home for product updates on Cloudflare One.

Our new changelog lets you read about changes in much more depth, offering in-depth examples, images, code samples, and even gifs.

If you are looking for older product updates, refer to the following locations.

Older product updates