Cloudflare changelogs | Gateway

Cloudflare One, Access, Gateway - Logs UI refresh

Wed, 01 Apr 2026 00:00:00 GMT

Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs.

The updated UI includes:

Filter by field - Select any field value to add it as a filter and narrow down your results.
Customizable fields - Choose which fields to display in the log table. Querying for fewer fields improves log loading performance.
View details - Select a timestamp to view the full details of a log entry.
Switch to classic view - Return to the previous log viewer interface if needed.

For more information, refer to Access authentication logs and Gateway activity logs.

Gateway - OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies

Tue, 24 Mar 2026 00:00:00 GMT

Cloudflare Gateway now supports OIDC Claims as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types.

With this update, you can:

Filter traffic in DNS, HTTP, and Network firewall policies based on OIDC claim values.
Apply custom resolver policies to route DNS queries to specific resolvers depending on a user's OIDC claims.
Control egress policies to assign dedicated egress IPs based on OIDC claim attributes.

For example, you can create a policy that routes traffic differently for users with department=engineering in their OIDC claims, or restrict access to certain destinations based on a user's role claim.

To get started, configure custom OIDC claims on your identity provider and use the OIDC Claims selector in the Gateway policy builder.

For more information, refer to Identity-based policies.

Gateway - Gateway Authorization Proxy and hosted PAC files (open beta)

Wed, 04 Mar 2026 00:00:00 GMT

The Gateway Authorization Proxy and PAC file hosting are now in open beta for all plan types.

Previously, proxy endpoints relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with Cloudflare Access authentication, verifying who a user is before applying Gateway filtering without installing the WARP client.

This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.

Key capabilities

Identity-aware proxy traffic — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write identity-based policies like "only the Finance team can access this accounting tool."
Multiple identity providers — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.
Cloudflare-hosted PAC files — Create and host PAC files directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at https://pac.cloudflare-gateway.com/<account-id>/<slug> on Cloudflare's global network.
Simplified billing — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.

Get started

In Cloudflare One, go to Networks > Resolvers & Proxies > Proxy endpoints.
Create an authorization proxy endpoint and configure Access policies.
Create a hosted PAC file or write your own.
Configure browsers to use the PAC file URL.
Install the Cloudflare certificate for HTTPS inspection.

For more details, refer to the proxy endpoints documentation and the announcement blog post.

Gateway - New protocols added for Gateway Protocol Detection (Beta)

Fri, 27 Feb 2026 00:00:00 GMT

Gateway Protocol Detection now supports seven additional protocols in beta:

Protocol	Notes
IMAP	Internet Message Access Protocol — email retrieval
POP3	Post Office Protocol v3 — email retrieval
SMTP	Simple Mail Transfer Protocol — email sending
MYSQL	MySQL database wire protocol
RSYNC-DAEMON	rsync daemon protocol
LDAP	Lightweight Directory Access Protocol
NTP	Network Time Protocol

These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the Detected Protocol selector in Network policies to identify and filter traffic based on the application-layer protocol, without relying on port-based identification.

If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic.

For more information on using Protocol Detection, refer to the Protocol detection documentation.

Gateway, Cloudflare One - Shadow IT - domain level SaaS analytics

Wed, 17 Dec 2025 00:00:00 GMT

Zero Trust has again upgraded its Shadow IT analytics, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application.

With this update, you can review data transfer metrics at the domain level, rather than just the application level, providing more granular insight into your data transfer patterns.

These metrics can be filtered by all available filters on the dashboard, including user, application, or content category.

Both the analytics and policies are accessible in the Cloudflare Zero Trust dashboard, empowering organizations with better visibility and control.

Gateway - Applications to be remapped to the new categories

Thu, 06 Nov 2025 00:00:00 GMT

We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to Changelog. While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026. This timeline allows you a dedicated period to:

Review the new category structure.
Identify any policies you have that target the older categories.
Adjust your rules to reference the new, more precise categories before the old mappings change. Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition.

Applications being remappedd

Application Name	Existing Category	New Category
Google Photos	File Sharing	Photography & Graphic Design
Flickr	File Sharing	Photography & Graphic Design
ADP	Human Resources	Business
Greenhouse	Human Resources	Business
myCigna	Human Resources	Health & Fitness
UnitedHealthcare	Human Resources	Health & Fitness
ZipRecruiter	Human Resources	Business
Amazon Business	Human Resources	Business
Jobcenter	Human Resources	Business
Jobsuche	Human Resources	Business
Zenjob	Human Resources	Business
DocuSign	Legal	Business
Postident	Legal	Business
Adobe Creative Cloud	Productivity	Photography & Graphic Design
Airtable	Productivity	Development
Autodesk Fusion360	Productivity	IT Management
Coursera	Productivity	Education
Microsoft Power BI	Productivity	Business
Tableau	Productivity	Business
Duolingo	Productivity	Education
Adobe Reader	Productivity	Business
AnpiReport	Productivity	Travel
ビズリーチ	Productivity	Business
doda (デューダ)	Productivity	Business
求人ボックス	Productivity	Business
マイナビ2026	Productivity	Business
Power Apps	Productivity	Business
RECRUIT AGENT	Productivity	Business
シフトボード	Productivity	Business
スタンバイ	Productivity	Business
Doctolib	Productivity	Health & Fitness
Miro	Productivity	Photography & Graphic Design
MyFitnessPal	Productivity	Health & Fitness
Sentry Mobile	Productivity	Travel
Slido	Productivity	Photography & Graphic Design
Arista Networks	Productivity	IT Management
Atlassian	Productivity	Business
CoderPad	Productivity	Business
eAgreements	Productivity	Business
Vmware	Productivity	IT Management
Vmware Vcenter	Productivity	IT Management
AWS Skill Builder	Productivity	Education
Microsoft Office 365 (GCC)	Productivity	Business
Microsoft Exchange Online (GCC)	Productivity	Business
Canva	Sales & Marketing	Photography & Graphic Design
Instacart	Shopping	Food & Drink
Wawa	Shopping	Food & Drink
McDonald's	Shopping	Food & Drink
Vrbo	Shopping	Travel
American Airlines	Shopping	Travel
Booking.com	Shopping	Travel
Ticketmaster	Shopping	Entertainment & Events
Airbnb	Shopping	Travel
DoorDash	Shopping	Food & Drink
Expedia	Shopping	Travel
EasyPark	Shopping	Travel
UEFA Tickets	Shopping	Entertainment & Events
DHL Express	Shopping	Business
UPS	Shopping	Business

For more information on creating HTTP policies, refer to Applications and app types.

Gateway - New Application Categories added for HTTP Traffic Management

Tue, 28 Oct 2025 00:00:00 GMT

To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product.

We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications:

Business
Education
Entertainment & Events
Food & Drink
Health & Fitness
Lifestyle
Navigation
Photography & Graphic Design
Travel

The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories.

The full remapping will be completed by January 30, 2026.

We encourage you to use this time to:

Review the new category structure.
Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition.

For more information on creating HTTP policies, refer to Applications and app types.

Gateway - Schedule DNS policies from the UI

Mon, 20 Oct 2025 00:00:00 GMT

Admins can now create scheduled DNS policies directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights.

Preset Schedules: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more.
Custom Schedules: Define your own schedule with specific days and up to three non-overlapping time ranges per day.
Timezone Control: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user.
Combined with Duration: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence.

You can see the flow in the demo GIF:

This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API.

Gateway - New domain categories added

Fri, 10 Oct 2025 00:00:00 GMT

We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering.

New categories added

Parent ID	Parent Name	Category ID	Category Name
26	Technology	194	Keep Awake Software
26	Technology	192	Remote Access
26	Technology	193	Shareware/Freeware

Refer to Gateway domain categories to learn more.

Gateway - Application granular controls for operations in SaaS applications

Tue, 30 Sep 2025 00:00:00 GMT

Gateway users can now apply granular controls to their file sharing and AI chat applications through HTTP policies.

The new feature offers two methods of controlling SaaS applications:

Application Controls are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include Upload, Download, Prompt, Voice, and Share depending on the application.
Operations are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function.

Get started using Application Granular Controls and refer to the list of supported applications.

Gateway, Data Loss Prevention - Refine DLP Scans with New Body Phase Selector

Thu, 25 Sep 2025 00:00:00 GMT

You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows.

In the Gateway HTTP policy builder, you will find a new selector called Body Phase. This allows you to define the direction of traffic the DLP engine will inspect:

Request Body: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts.
Response Body: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data.

For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the Body Phase to Request Body, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself.

All policies without this selector will continue to scan both request and response bodies to ensure continued protection.

For more information, refer to Gateway HTTP policy selectors.

Gateway, Cloudflare WAN, Cloudflare Tunnel for SASE - DNS filtering for private network onramps

Thu, 11 Sep 2025 00:00:00 GMT

Magic WAN and WARP Connector users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet.

Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including Internal DNS and hostname-based policies.

To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, 172.64.36.1 and 172.64.36.2. Once you configure DNS resolution and filtering, you can use Source Internal IP as a traffic selector in your resolver policies for routing private DNS traffic to your Internal DNS.

Gateway, Cloudflare One - Shadow IT - SaaS analytics dashboard

Wed, 27 Aug 2025 00:00:00 GMT

Zero Trust has significantly upgraded its Shadow IT analytics, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application.

You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including Unreviewed, In Review, Approved, and Unapproved designating how they can be used in your organization.

These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status.

Both the analytics and policies are accessible in the Cloudflare Zero Trust dashboard, empowering organizations with better visibility and control.

Gateway - Gateway BYOIP Dedicated Egress IPs now available.

Thu, 21 Aug 2025 00:00:00 GMT

Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs.

Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic.

Get started by following the BYOIP onboarding process. Once your IPs are onboarded, go to Gateway > Egress policies and select or create an egress policy. In Select an egress IP, choose Use dedicated egress IPs (Cloudflare or BYOIP), then select your BYOIP address from the dropdown menu.

For more information, refer to BYOIP for dedicated egress IPs.

Gateway - Scam domain category introduced under Security Threats

Mon, 28 Jul 2025 00:00:00 GMT

We have introduced a new Security Threat category called Scam. Relevant domains are marked with the Scam category. Scam typically refers to fraudulent websites and schemes designed to trick victims into giving away money or personal information.

New category added

Parent ID	Parent Name	Category ID	Category Name
21	Security Threats	191	Scam

Refer to Gateway domain categories to learn more.

Gateway - Gateway HTTP Filtering on all ports available in open BETA

Thu, 24 Jul 2025 00:00:00 GMT

Gateway can now apply HTTP filtering to all proxied HTTP requests, not just traffic on standard HTTP (80) and HTTPS (443) ports. This means all requests can now be filtered by A/V scanning, file sandboxing, Data Loss Prevention (DLP), and more.

You can turn this setting on by going to Settings > Network > Firewall and choosing Inspect on all ports.

To learn more, refer to Inspect on all ports (Beta).

Gateway - Google Bard Application replaced by Gemini

Tue, 22 Jul 2025 00:00:00 GMT

The Google Bard application (ID: 1198) has been deprecated and fully removed from the system. It has been replaced by the Gemini application (ID: 1340). Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. For more information about application policies, please see the Cloudflare Gateway documentation.

Gateway - Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025

Wed, 18 Jun 2025 00:00:00 GMT

Gateway will now evaluate Network (Layer 4) policies before HTTP (Layer 7) policies. This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.

This change will roll out progressively between July 14–18, 2025. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.

Updated order of enforcement

Previous order:

DNS policies
HTTP policies
Network policies

New order:

DNS policies
Network policies
HTTP policies

Action required: Review your Gateway HTTP policies

This change may affect block notifications. For example:

You have an HTTP policy to block example.com and display a block page.
You also have a Network policy to block example.com silently (no client notification).

With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.

To ensure users still receive a block notification, you can:

Add a client notification to your Network policy, or
Use only the HTTP policy for that domain.

Why we’re making this change

This update is based on user feedback and aims to:

Create a more intuitive model by evaluating network-level policies before application-level policies.
Minimize 526 connection errors by verifying the network path to an origin before attempting to establish a decrypted TLS connection.

To learn more, visit the Gateway order of enforcement documentation.

Gateway, Cloudflare One - New Gateway Analytics in the Cloudflare One Dashboard

Thu, 29 May 2025 00:00:00 GMT

Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources.

You can now visualize and explore:

Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity.
Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation.
Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture.
Geographic Regions: Gain insight into the global distribution of your traffic.

To access the new overview, log in to your Cloudflare Zero Trust dashboard and go to Analytics in the side navigation bar.

Gateway - Gateway Protocol Detection Now Available for PAYGO and Free Plans

Tue, 27 May 2025 00:00:00 GMT

All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans.

With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier.

This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the Protocol detection documentation.

Gateway - Domain Categories improvements

Wed, 14 May 2025 00:00:00 GMT

New categories added

Parent ID	Parent Name	Category ID	Category Name
1	Ads	66	Advertisements
3	Business & Economy	185	Personal Finance
3	Business & Economy	186	Brokerage & Investing
21	Security Threats	187	Compromised Domain
21	Security Threats	188	Potentially Unwanted Software
6	Education	189	Reference
9	Government & Politics	190	Charity and Non-profit

Changes to existing categories

Original Name	New Name
Religion	Religion & Spirituality
Government	Government/Legal
Redirect	URL Alias/Redirect

Refer to Gateway domain categories to learn more.

Gateway - New Applications Added for DNS Filtering

Tue, 13 May 2025 00:00:00 GMT

You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic.

With this update, you can:

Create DNS policies for a wider range of applications
Manage outbound traffic more effectively
Improve your organization's security and compliance posture

For more information on creating DNS policies, see our DNS policy documentation.

Gateway - FQDN Filtering For Gateway Egress Policies

Mon, 28 Apr 2025 00:00:00 GMT

Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies.

Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.
- For WARP client support, additional configuration is required. For more information, refer to the WARP client configuration documentation.

This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path.

Gateway - HTTP redirect and custom block page redirect

Fri, 11 Apr 2025 00:00:00 GMT

You can now use more flexible redirect capabilities in Cloudflare One with Gateway.

A new Redirect action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
For Block actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.

Learn more in our documentation for HTTP Redirect and Block page redirect.

Gateway - Secure DNS Locations Management User Role

Fri, 21 Mar 2025 00:00:00 GMT

We're excited to introduce the Cloudflare Zero Trust Secure DNS Locations Write role, designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions.

Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions.

Secure DNS Location Requirements:

Mandate usage of Bring your own DNS resolver IP addresses if available on the account.
Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint.

You can assign the new role via Cloudflare Dashboard (Manage Accounts > Members) or via API. For more information, refer to the Secure DNS Locations documentation.

Data Loss Prevention, Gateway - Block files that are password-protected, compressed, or otherwise unscannable.

Mon, 03 Feb 2025 00:00:00 GMT

Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.

These unscannable files are now matched with the Download and Upload File Types traffic selectors for HTTP policies:

Password-protected Microsoft Office document
Password-protected PDF
Password-protected ZIP archive
Unscannable ZIP archive

To get started inspecting and modifying behavior based on these and other rules, refer to HTTP filtering.

Access, Browser Isolation, CASB, Cloudflare Tunnel for SASE, Digital Experience Monitoring, Data Loss Prevention, Email security, Gateway, Multi-Cloud Networking, Cloudflare Network Firewall, Network Flow, Magic Transit, Cloudflare WAN, Network Interconnect, Risk Score, Cloudflare One Client - Explore product updates for Cloudflare One

Sun, 16 Jun 2024 00:00:00 GMT

Welcome to your new home for product updates on Cloudflare One.

Our new changelog lets you read about changes in much more depth, offering in-depth examples, images, code samples, and even gifs.

If you are looking for older product updates, refer to the following locations.

Older product updates