--- title: Cloudflare One description: Learn how to secure self-hosted and SaaS applications with Cloudflare One. Configure a unified dashboard for seamless access and security. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Cloudflare One Secure your organization with Cloudflare One — a cloud security platform that replaces legacy perimeters with Cloudflare's global network. Available on all plans Cloudflare One is Cloudflare's [Secure Access Service Edge (SASE) ↗](https://www.cloudflare.com/learning/access-management/what-is-sase/) platform. SASE is an architectural model that unifies enterprise networking services with Zero Trust security. [Zero Trust ↗](https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/) is a security model designed around the principle of least privilege. In the past, once you logged into a corporate network, you were "trusted" to move around freely. Zero Trust changes that. It assumes that threats can exist both outside and inside the network. Therefore, every request is authenticated and authorized based on identity and context before granting access. The Cloudflare One platform allows organizations to move away from a patchwork of hardware appliances and point solutions. Instead, it consolidates security and networking through a unified control plane that includes products like [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/), [Secure Web Gateway (SWG)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/), [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/), [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), [Cloud Access Security Broker (CASB)](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/), and [Email security](https://developers.cloudflare.com/cloudflare-one/email-security/). Refer to our [SASE reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) to learn how to plan, deploy, and manage SASE architecture with Cloudflare. [ Get started ](https://developers.cloudflare.com/cloudflare-one/setup/) [ Cloudflare One dashboard ](https://one.dash.cloudflare.com/) [ Implementation guides ](https://developers.cloudflare.com/cloudflare-one/implementation-guides/) ## Products **[Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)** Authenticate users accessing your applications, seamlessly onboard third-party users, and log every event and request. **[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)** Securely connect your resources to Cloudflare without exposing a public IP by using Cloudflare Tunnel, which establishes outbound-only connections from your infrastructure to Cloudflare's global network via the lightweight `cloudflared` daemon. **[Secure Web Gateway (SWG)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)** Inspect and filter DNS, network, HTTP, and egress traffic to enforce your company's Acceptable Use Policy (UAP), block risky sites with custom blocklists and threat intelligence, and enhance visibility and protection across SaaS applications. **[Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)** Protect corporate devices by privately sending traffic from those devices to Cloudflare's global network, build device posture rules, and enforce security policies anywhere. **[Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)** Mitigate the impact of attacks by executing all browser code in the cloud and securely browse high-risk or sensitive websites in a remote browser. **[Cloud Access Security Broker (CASB)](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)** Protect users and sensitive data at rest in SaaS applications and cloud environments, scan for misconfigurations, and detect insider threats as well as unsanctioned application usage to prevent data leaks and compliance violations. **[Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)** Scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code. **[Email security](https://developers.cloudflare.com/cloudflare-one/email-security/)** Configure policies to manage your inbox, automatically move emails based on disposition, and use screen criteria to investigate messages. **[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/)** Monitor device, network, and application performance across your Zero Trust organization. --- ## More resources [SASE video series](https://developers.cloudflare.com/learning-paths/sase-overview-course/series/evolution-corporate-networks-1/) New to Zero Trust and SASE? Get started with our introductory SASE video series. [Reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) Explore our reference architecture to learn how to evolve your network and security architecture to Cloudflare One, our SASE platform. [Plans](https://www.cloudflare.com/plans/zero-trust-services/) Cloudflare Zero Trust offers both Free and Paid plans. Access to certain features depends on a customer's plan type. [Limits](https://developers.cloudflare.com/cloudflare-one/account-limits/) Learn about account limits. These limits may be increased on Enterprise accounts. [Support](https://developers.cloudflare.com/cloudflare-one/troubleshooting/) Find troubleshooting guides for Cloudflare One products and learn how to collect information for Support. [Community](https://community.cloudflare.com/) Ask questions, get answers, and share tips. Note Enterprise customers can preview this product as a [non-contract service](https://developers.cloudflare.com/billing/preview-services/), which provides full access, free of metered usage fees, limits, and certain other restrictions. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}}]} ``` --- --- title: Get started description: Set up Cloudflare Zero Trust for your organization. Choose a use case to get started with a guided quick-start. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Get started Set up Cloudflare Zero Trust to protect your users, devices, and networks. Complete the prerequisites below, then choose a use case to get started. ## Prerequisites Before you begin any use case, you need a Cloudflare account and a Zero Trust organization. ### 1\. Create a Cloudflare account Sign up for a [Cloudflare account ↗](https://dash.cloudflare.com/sign-up) and enable two-factor authentication. ### 2\. Create a Zero Trust organization 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select **Zero Trust**. [ Go to **Zero Trust** ](https://one.dash.cloudflare.com/) 2. On the onboarding screen, choose a team name. The team name is a unique, internal identifier for your Zero Trust organization. Users will enter this team name when they enroll their device manually, and it will be the subdomain for your App Launcher (as relevant). Your business name is the typical entry. You can find your team name in [Cloudflare One ↗](https://one.dash.cloudflare.com) by going to **Settings**. 3. Complete your onboarding by selecting a subscription plan and entering your payment details. If you chose the **Zero Trust Free plan**, this step is still needed but you will not be charged. ## What would you like to do? These use cases match the guided onboarding in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). To follow along in the dashboard, select **Get Started**. [Replace your VPN](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/) Give remote users, offices, and devices secure access to private networks and applications without a traditional VPN. [Secure access to private apps from any browser](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/) Provide browser-based access to internal web applications, SSH servers, and RDP sessions without installing software on user devices. [Filter DNS to block threats](https://developers.cloudflare.com/cloudflare-one/traffic-policies/initial-setup/dns/) Set up DNS filtering to block malware, phishing, and unwanted content across your network in minutes. [Secure web traffic from threats](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) Inspect and filter all Internet-bound traffic from your users to block threats, enforce acceptable use policies, and prevent data loss. Note For in-depth deployment guides that cover policy design and advanced configuration, refer to [Implementation guides](https://developers.cloudflare.com/cloudflare-one/implementation-guides/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}}]} ``` --- --- title: Replace your VPN description: Replace your traditional VPN with Cloudflare Zero Trust. Choose a connection scenario to get started. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/replace-vpn/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Replace your VPN Cloudflare One uses Cloudflare's global network and Zero Trust Network Access (ZTNA) to replace traditional VPNs. After you securely connect your devices and resources to Cloudflare, you can set policies to verify every request based on identity and context, reducing your attack surface and improving performance for remote users. For more background, refer to [Why should you replace your VPN?](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/why-vpn/) How you set this up depends on what needs to connect to what. Choose the scenario that matches your use case: [Device to network](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/device-to-network/) Connect remote users to internal applications and services through a secure connection. Best for remote access to private networks. [Device to device](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/device-to-device/) Create secure, peer-to-peer connections between two or more devices through Cloudflare's network. Best for direct device communication. [Network to network](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/network-to-network/) Connect two or more private networks bidirectionally through Cloudflare. Best for linking offices, data centers, or cloud environments. Note For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/setup/replace-vpn/","name":"Replace your VPN"}}]} ``` --- --- title: Device to device description: Create a secure peer-to-peer connection between two devices using the Cloudflare One Client and Cloudflare's network. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-device.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Device to device Create a secure connection between two devices so they can communicate directly through Cloudflare's network, without needing to be on the same physical network. This is useful when you need to remotely access a specific device, for example connecting to a home computer from a laptop at a coffee shop. To explore other connection scenarios, refer to [Replace your VPN](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/). This guide follows the same steps as the **Get Started** onboarding wizard in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). ## How it works The [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) is an app that you install on each device you want to connect. When you sign in to your Cloudflare account through the Cloudflare One Client (called "enrolling"), each device is assigned a [virtual IP address](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/peer-to-peer/). Devices use these virtual IPs to communicate with each other through Cloudflare's network. This works for most common types of network traffic, including web requests, remote desktop, file sharing, and ping. Only devices signed in to your Cloudflare account can reach these addresses, so they are not accessible to anyone outside your organization. No tunnel infrastructure or network configuration is required, and the connection does not disrupt existing traffic on your network. ## Prerequisites * A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/). * Two Linux, Windows, macOS, Android, or iOS devices you want to connect together. ## Step 1: Enroll your first device Enrollment permissions control which users can connect devices to your account. In this step, you set an enrollment email and download the Cloudflare One Client. The email you provide becomes the first allowed login for your organization, and anyone with that email address can enroll a device. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab. 2. For **Replace my client-based or site-to-site VPN**, select **Get started**. 3. For **Device to device**, select **Continue**. 4. On the **Create a device mesh on Cloudflare's network** screen, select **Continue**. 5. Enter the email you want to use to enroll your first device. 6. Select your device's operating system. 7. Select **Download to continue** to download the Cloudflare One Client, or copy the download link to send to a different device. 8. Select **Continue**. Note You can manage device enrollment permissions later in **Team & Resources** \> **Devices**. ## Step 2: Complete Cloudflare One Client setup On your first device, complete the Cloudflare One Client installation wizard. Then connect the Cloudflare One Client to your Zero Trust organization. For comprehensive OS-specific instructions, refer to [Manual deployment](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/). 1. Open the Cloudflare One Client. On macOS, select the Cloudflare icon in your status bar. On Windows, select the Cloudflare icon in your system tray. 2. Go to **Preferences** \> **Account** \> **Login to Cloudflare Zero Trust**. 3. Enter your team name when prompted. Your team name is the unique identifier for your Zero Trust organization and was set when the organization was created. The dashboard displays your team name on this screen for easy reference. Note To find or change your team name, go to **Settings** \> **Team name** and select **Edit**. 4. Complete the authentication steps. 5. The Cloudflare One Client should show as **Connected**. 6. Select **Continue** in the dashboard. ## Step 3: Enroll and set up your second device Both devices must be enrolled in your Cloudflare account for the connection to work. 1. Select the operating system of your second device. 2. Copy the download link and send it to your second device (for example, by email or messaging app), or select **Download to continue** if you are on that device. 3. On the second device, follow the same installation and login steps from [Step 2](#step-2-complete-cloudflare-one-client-setup). 4. The Cloudflare One Client should show as **Connected** on the second device. 5. Select **Continue** in the dashboard. ## Step 4: Verify your connection The dashboard confirms that your devices can securely communicate. Both devices are now connected through Cloudflare's network using their assigned virtual IPs. To view your device's assigned virtual IP: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Team & Resources** \> **Devices**. 2. Select a device. 3. Select **View details**. ## Recommended next steps After verifying your connection, consider securing your connected devices with policies and access controls: * **Set up Gateway policies**: By default, all enrolled devices can reach each other over the virtual IP space. Gateway policies let you scan, filter, and log traffic between your devices. For more information, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). * **Create an Access application**: Restrict access to specific destinations on enrolled devices with identity-based rules. For more information, refer to [Secure a private IP or hostname](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). * **Explore more with Zero Trust**: Review your policies and connected devices in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/). ## Troubleshoot If you have issues connecting, try these steps: * **Windows users**: Windows Firewall blocks device-to-device traffic by default. You may need to add a firewall rule that allows incoming traffic from `100.96.0.0/12`. For details, refer to [Peer-to-peer connectivity](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/peer-to-peer/#troubleshooting). * [Troubleshoot WARP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/): resolve Cloudflare One Client connection and enrollment issues. * [Peer-to-peer connectivity](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/peer-to-peer/): review Peer-to-peer setup details and firewall requirements. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/setup/replace-vpn/","name":"Replace your VPN"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/setup/replace-vpn/device-to-device/","name":"Device to device"}}]} ``` --- --- title: Device to network description: Connect a remote device to a private network using Cloudflare Tunnel and the Cloudflare One Client. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-network.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Device to network Connect a remote device to a private network so your users can securely access internal applications and services from anywhere, without the security risks and performance bottlenecks of a traditional VPN. To explore other connection scenarios, refer to [Replace your VPN](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/). This guide follows the same steps as the **Get Started** onboarding wizard in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). ## How it works [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) is a network connector that creates an outbound-only connection between your private network and Cloudflare. No open inbound ports or firewall changes are required. The [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) is an app that you install on each user's device. It routes traffic through Cloudflare and into the tunnel, so users can reach internal resources from anywhere. ## Prerequisites * A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/). * A Linux, Windows, or macOS device on your private network to run the tunnel. * A Linux, Windows, or macOS device to install the Cloudflare One Client on. ## Step 1: Assign a Tunnel Cloudflare Tunnel establishes an outbound connection between your resources and Cloudflare. This is how new devices can reach your private network. You can install Tunnel on any Windows, Mac, or Linux device currently in your private network. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab. 2. For **Replace my client-based or site-to-site VPN**, select **Get started**. 3. For **Device to network**, select **Continue**. 4. On the **Connect a remote device to a private network** screen, select **Continue**. 5. On the **Assign a Tunnel** screen, use the dropdown to choose an existing tunnel or create a new one. 6. Select **Continue**. ## Step 2: Set your Tunnel's IP range Add the IP range of your private network to the tunnel. This defines which internal resources your remote users can reach. Your tunnel accepts traffic to this range from devices enrolled in your Zero Trust organization. 1. Enter your IP range (for example, `10.0.1.0/24`). 2. Select **Continue**. Note If you are not sure of your IP range, check your router or network settings. ## Step 3: Deploy your Tunnel Install the `cloudflared` connector on a device in your private network and run the tunnel. This service creates the secure connection between your network and Cloudflare. 1. Select your device's operating system and architecture. 2. Copy the install command and run it on your device. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window. For macOS, the command looks similar to: Terminal window ``` brew install cloudflared && sudo cloudflared service install ``` For Windows and Linux, the dashboard provides a download link and install command for your selected architecture. For more download options, refer to [Downloads](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/). 3. After `cloudflared` connects, the dashboard confirms the tunnel is active. 4. Select **Continue**. ## Step 4: Enroll your devices Device enrollment controls which users can connect their devices to your private network through Cloudflare. In this step, you register your first device by providing an email address and installing the Cloudflare One Client. 1. Enter the email you want to use to enroll your first device. 2. Select your device's operating system. 3. Select **Download to continue** to download the Cloudflare One Client, or copy the download link to send to a different device. 4. Select **Continue**. Note You can manage device enrollment permissions later in **Team & Resources** \> **Devices**. ## Step 5: Complete Cloudflare One Client setup On your device, complete the Cloudflare One Client installation wizard. Then connect the Cloudflare One Client to your Zero Trust organization. For comprehensive OS-specific instructions, refer to [Manual deployment](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/). 1. Open the Cloudflare One Client. On macOS, select the Cloudflare icon in your status bar. On Windows, select the Cloudflare icon in your system tray. 2. Go to **Preferences** \> **Account** \> **Login to Cloudflare Zero Trust**. 3. Enter your team name when prompted. Your team name is the unique identifier for your Zero Trust organization and was set when the organization was created. The dashboard displays your team name on this screen for easy reference. Note To find or change your team name, go to **Settings** \> **Team name** and select **Edit**. 4. Complete the authentication steps. 5. The Cloudflare One Client should show as **Connected**. 6. Select **Continue** in the dashboard. ## Step 6: Verify your connection The dashboard confirms that you are securely connected. You now have remote access between your device and your private network resources. To verify connectivity, try reaching a resource on your private network (for example, `http://10.0.1.100` or `ssh 10.0.1.50`). ## Recommended next steps After verifying your connection, consider securing your private network with policies and access controls: * **Set up Gateway policies**: By default, all enrolled devices can reach your entire private network. Gateway policies let you scan, filter, and log traffic between your devices and your private network. For more information, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). * **Create an Access application**: Restrict access to specific applications or hostnames on your private network with identity-based rules. For more information, refer to [Secure a private IP or hostname](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). * **Explore more with Zero Trust**: Review your tunnel, policies, and connected devices in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/). ## Troubleshoot If you have issues connecting, refer to these resources: * [Troubleshoot WARP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/): resolve Cloudflare One Client connection and enrollment issues. * [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/setup/replace-vpn/","name":"Replace your VPN"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/setup/replace-vpn/device-to-network/","name":"Device to network"}}]} ``` --- --- title: Network to network description: Connect two private networks using WARP Connectors and Cloudflare's network. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Linux ](https://developers.cloudflare.com/search/?tags=Linux)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Network to network Connect two separate private networks so devices on each network can send and receive traffic in both directions through Cloudflare. This is useful when you need to link office locations, data centers, or cloud environments. For example, employees in one office could access a file server, printer, or internal application in another office. To explore other connection scenarios, refer to [Replace your VPN](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/). This guide follows the same steps as the **Get Started** experience in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). ## How it works [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) Beta is a network connector that you install on a single Linux device in each network. That device handles traffic for the entire network: it sends outbound traffic to Cloudflare and receives inbound traffic back, then passes it to the right device on the network. Because of this, other devices on the network do not need to install any software. ## Prerequisites * A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/). * A Linux device or virtual machine on your first private network. This is where you install your first WARP Connector. * A second Linux device or virtual machine on a separate private network. This is where you install your second WARP Connector. Note WARP Connector is currently Linux-only. For more details on requirements and limitations, refer to [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/). ## Step 1: Define a network segment A network segment identifies the IP range of a private network you want to connect. When you define a segment, the dashboard creates a WARP Connector configuration and sets up the routes that tell Cloudflare how to reach your network. You install and run the connector in the next step. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab. 2. For **Replace my client-based or site-to-site VPN**, select **Get started**. 3. For **Network to network**, select **Continue**. 4. On the **Route traffic between private networks** screen, select **Continue**. 5. Enter the IP range of your first network segment (for example, `10.0.0.0/24`). 6. Enter a name for this network segment (for example, `office-a`). 7. Select **Continue**. Note If you are not sure of your network's IP range, check your router or network settings. ## Step 2: Deploy first connector Install the WARP Connector on a Linux device in your first network segment. The dashboard generates commands specific to your operating system. 1. Select your device's operating system from the dropdown. 2. Copy and run the commands shown in the dashboard on your Linux device. The dashboard provides three sets of commands: 1. **Install WARP**: Sets up the package repository and installs the `cloudflare-warp` package. 2. **Enable IP forwarding**: Allows the device to forward traffic between networks. 3. **Run the WARP Connector with token**: Registers the connector with your Cloudflare account and connects it. 3. After the connector deploys, the dashboard confirms your network segment is active. 4. Select **Continue**. ## Step 3: Define a second segment Repeat the same process as [Step 1](#step-1-define-a-network-segment) for your second network. The IP range must not overlap with your first segment. Each network needs its own unique range so Cloudflare can route traffic to the correct destination (for example, `10.0.1.0/24` if your first segment is `10.0.0.0/24`). ## Step 4: Deploy second connector Repeat the same process as [Step 2](#step-2-deploy-first-connector) on a Linux device in your second network segment. After the connector deploys, the dashboard confirms your network segment is active. ## Step 5: Forward device traffic If the WARP Connector is installed on your network's router (the device that serves as the default gateway), other devices on the network automatically send traffic through it. No additional configuration is needed, and you can skip this step. If the WARP Connector is installed on a different device, other devices on the network need a static route so they know to send cross-network traffic to the WARP Connector device. Without this route, devices do not know where to send traffic destined for the other network, and the connection does not work. The dashboard provides OS-specific commands for the devices you want to forward traffic from. 1. Select the operating system of the device you want to configure. 2. Select the tunnel you want to route traffic through. 3. Copy and run the generated command on the target device. 4. Repeat for additional devices as needed, or select **Continue** to proceed to the final step. For more details on routing options, refer to [Connect two or more private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-site/#4-route-traffic-from-subnet-to-warp-connector). ## Step 6: Verify your connection The dashboard confirms that your connectors can reach devices in the opposite network segment. Devices on both networks can now communicate through Cloudflare. To verify connectivity, try reaching a device on the opposite network (for example, `ping 10.0.1.100` from a device on your first network). ## Recommended next steps After verifying your connection, consider securing your connected networks with policies and access controls: * **Set up Gateway policies**: By default, all traffic between your network segments flows through Cloudflare without restriction. Gateway policies let you scan, filter, and log traffic between your networks. For more information, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). * **Create an Access application**: Restrict access to specific services or hosts on your connected networks with identity-based rules. For more information, refer to [Secure a private IP or hostname](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). * **Create a device profile**: Control which traffic your connectors route through Cloudflare independently from your user devices. For more information, refer to [Connect two or more private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-site/). * **Explore more with Zero Trust**: Review your connectors, policies, and routes in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/). ## Troubleshoot If you have issues connecting, refer to these resources: * [Tips and best practices](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/tips/): review common WARP Connector configuration tips and troubleshooting strategies. * [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/setup/replace-vpn/","name":"Replace your VPN"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/setup/replace-vpn/network-to-network/","name":"Network to network"}}]} ``` --- --- title: Secure private apps description: Provide browser-based access to internal web applications, SSH servers, and remote desktops without installing software on user devices. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/secure-private-apps/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Secure private apps Cloudflare Access lets users reach internal applications through a browser without a VPN or client software on their device. You connect your application to Cloudflare using a secure connection called a tunnel, then protect it with policies that control who can access it. For more background, refer to [What is clientless access?](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/). How you set this up depends on the type of application you are securing. Choose the scenario that matches your use case: [Private web application](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/private-web-app/) Connect an internal web application to Cloudflare and control who can access it. Best for applications like company intranets, internal wikis, or admin panels. [Clientless SSH](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/clientless-ssh/) Provide in-browser command line access to an internal server without SSH client software on the user's device. [In-browser remote desktop](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/in-browser-rdp/) Provide in-browser remote desktop access to Windows hosts without remote desktop client software on the user's device. Note For in-depth guidance on clientless access and advanced configuration, refer to the [Clientless access learning path](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/setup/secure-private-apps/","name":"Secure private apps"}}]} ``` --- --- title: Clientless SSH description: Provide in-browser SSH access to an internal server through Cloudflare Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/secure-private-apps/clientless-ssh.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Clientless SSH Provide secure, in-browser command line access to an internal server without SSH client software on the user's device. This is useful when you need to give developers or IT staff remote access to servers for administration or troubleshooting from any browser. To explore other access scenarios, refer to [Secure private apps](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/). This guide follows the same steps as the **Get Started** experience in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). ## How it works [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your private network to Cloudflare without opening any ports on your network. You install `cloudflared`, a connector service that runs in the background, on a device that can reach your server. It creates a secure connection from your network out to Cloudflare, so no firewall changes are required. [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) sits in front of the server and verifies who each user is before letting them through. Users sign in through a browser using an email one-time PIN or your identity provider, then interact with the server through an in-browser terminal. For details on connection methods and advanced configuration, refer to [Connect to SSH in the browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-browser-rendering/). ## Prerequisites * A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/). * An [active domain on your Cloudflare account](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/). A public subdomain is created on this domain for your application. * A Linux, Windows, or macOS device on your private network that can reach the server. This is where you install the tunnel. * A server on your private network with SSH enabled. ## Step 1: Define your application In this step, you describe the internal server you want to make available through Cloudflare. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab. 2. For **Set up secure access to private apps from any browser**, select **Get started**. 3. For **Configure clientless SSH access to an internal service**, select **Continue**. 4. On the **Zero Trust SSH terminal directly from your browser** screen, select **Continue**. 5. Enter a name for your application. 6. Enter the hostname or IP address of the server. Use the IP address if you are not sure (for example, `10.10.1.25`). 7. Enter the SSH port (the default is `22`). 8. Select **Continue**. ## Step 2: Select a public domain Your application needs a public URL so users can reach it from a browser. Cloudflare creates a public URL on one of your existing domains for the application. 1. Select a domain from the dropdown. 2. Enter a subdomain (for example, `grafana`). A preview of the full URL appears (for example, `grafana.example.com`). 3. Select **Continue**. ## Step 3: Add your first policy An Access policy controls who can reach your application. In this step, you create a simple policy using email-based one-time PINs. Users you add here receive a one-time PIN by email when they try to access the application. 1. Enter the email addresses of users you want to grant access to. 2. Select **Continue**. Note You can add your identity provider (for example, Okta or Google Workspace) to the application later. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). ## Step 4: Assign a tunnel A tunnel connects your private network to Cloudflare so traffic can reach your application. You can select an existing tunnel or create a new one. 1. In the **Choose or create a Tunnel** dropdown, select an existing tunnel or enter a name to create a new one. 2. Select **Continue**. ## Step 5: Deploy your tunnel Install `cloudflared` on a device in your private network that can reach the application. The dashboard generates commands specific to your operating system. 1. Select your operating system from the dropdown. 2. Copy and run the commands shown in the dashboard. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window. 3. After the tunnel connects, select **Continue**. ## Step 6: Review details The dashboard confirms that your application is available and protected behind Cloudflare Access. ## Recommended next steps * **Test your application**: 1. Select **Test login** on the success screen. 2. On the Access login screen, enter one of the email addresses you added to your Access policy. 3. Select **Send me a code**. 4. Enter the code from your email and select **Sign in**. * **Explore more with Zero Trust**: Review your applications, policies, and tunnels in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). * **Configure an identity provider**: Replace email one-time PINs with your organization's identity provider for a seamless login experience. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). For in-depth guidance on clientless access, refer to the [Clientless access learning path](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/). ## Troubleshoot If you have issues connecting, refer to these resources: * [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems. * [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/troubleshooting/): resolve common Zero Trust errors and issues. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/setup/secure-private-apps/","name":"Secure private apps"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/setup/secure-private-apps/clientless-ssh/","name":"Clientless SSH"}}]} ``` --- --- title: In-browser remote desktop description: Provide in-browser remote desktop access to Windows hosts through Cloudflare Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks)[ Windows ](https://developers.cloudflare.com/search/?tags=Windows) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/secure-private-apps/in-browser-rdp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # In-browser remote desktop Provide secure, in-browser remote desktop access to Windows hosts without Remote Desktop Protocol (RDP) client software on the user's device. This is useful when you need to give IT staff or support teams remote access to Windows machines for administration or troubleshooting from any browser. To explore other access scenarios, refer to [Secure private apps](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/). This guide follows the same steps as the **Get Started** experience in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). ## How it works [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your private network to Cloudflare without opening any ports on your network. You install `cloudflared`, a connector service that runs in the background, on a device that can reach the Windows host. It creates a secure connection from your network out to Cloudflare, so no firewall changes are required. [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) sits in front of the host and verifies who each user is before letting them through. Users sign in through a browser using an email one-time PIN or your identity provider, then interact with the Windows desktop through an in-browser remote desktop session. For details on supported operating systems, connection methods, and known limitations, refer to [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/). ## Prerequisites * A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/). * An [active domain on your Cloudflare account](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/). A public subdomain is created on this domain for your application. * A Linux, Windows, or macOS device on your private network that can reach the Windows host. This is where you install the tunnel. * A Windows host on your private network that accepts Remote Desktop connections. ## Step 1: Define your application In this step, you describe the Windows host you want to make available through Cloudflare. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab. 2. For **Set up secure access to private apps from any browser**, select **Get started**. 3. For **Enable in-browser remote desktop sessions to Windows hosts**, select **Continue**. 4. On the **Zero Trust RDP client directly from your browser** screen, select **Continue**. 5. Enter a name for your application. 6. Enter the local IP address of the Windows host (for example, `10.10.1.25`). 7. Enter the RDP port (the default is `3389`). 8. Select **Continue**. ## Step 2: Select a public domain Your application needs a public URL so users can reach it from a browser. Cloudflare creates a public URL on one of your existing domains for the application. 1. Select a domain from the dropdown. 2. Enter a subdomain (for example, `grafana`). A preview of the full URL appears (for example, `grafana.example.com`). 3. Select **Continue**. ## Step 3: Add your first policy An Access policy controls who can reach your application. In this step, you create a simple policy using email-based one-time PINs. Users you add here receive a one-time PIN by email when they try to access the application. 1. Enter the email addresses of users you want to grant access to. 2. Select **Continue**. Note You can add your identity provider (for example, Okta or Google Workspace) to the application later. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). ## Step 4: Assign a tunnel A tunnel connects your private network to Cloudflare so traffic can reach your application. You can select an existing tunnel or create a new one. 1. In the **Choose or create a Tunnel** dropdown, select an existing tunnel or enter a name to create a new one. 2. Select **Continue**. ## Step 5: Deploy your tunnel Install `cloudflared` on a device in your private network that can reach the application. The dashboard generates commands specific to your operating system. 1. Select your operating system from the dropdown. 2. Copy and run the commands shown in the dashboard. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window. 3. After the tunnel connects, select **Continue**. ## Step 6: Review details The dashboard confirms that your application is available and protected behind Cloudflare Access. ## Recommended next steps * **Test your application**: 1. Select **Test login** on the success screen. 2. On the Access login screen, enter one of the email addresses you added to your Access policy. 3. Select **Send me a code**. 4. Enter the code from your email and select **Sign in**. * **Explore more with Zero Trust**: Review your applications, policies, and tunnels in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). * **Configure an identity provider**: Replace email one-time PINs with your organization's identity provider for a seamless login experience. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). For in-depth guidance on clientless access, refer to the [Clientless access learning path](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/). ## Troubleshoot If you have issues connecting, refer to these resources: * [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems. * [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/troubleshooting/): resolve common Zero Trust errors and issues. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/setup/secure-private-apps/","name":"Secure private apps"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/setup/secure-private-apps/in-browser-rdp/","name":"In-browser remote desktop"}}]} ``` --- --- title: Private web application description: Connect a private web application to Cloudflare and protect it with Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/setup/secure-private-apps/private-web-app.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Private web application Connect a self-hosted web application to Cloudflare so authorized users can access it from a browser without a VPN. This is useful when you need to give employees or contractors secure access to applications like company intranets, internal wikis, or admin panels. To explore other access scenarios, refer to [Secure private apps](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/). This guide follows the same steps as the **Get Started** experience in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). ## How it works [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your private network to Cloudflare without opening any ports on your network. You install `cloudflared`, a connector service that runs in the background, on a device that can reach your application. It creates a secure connection from your network out to Cloudflare, so no firewall changes are required. [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) sits in front of the application and verifies who each user is before letting them through. Users sign in through a browser using an email one-time PIN or your identity provider. ## Prerequisites * A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/). * An [active domain on your Cloudflare account](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/). A public subdomain is created on this domain for your application. * A Linux, Windows, or macOS device on your private network that can reach the application. This is where you install the tunnel. * A running web application on your private network (for example, `http://10.10.1.25` or `http://grafana.local`). ## Step 1: Define your application In this step, you describe the internal application you want to make available through Cloudflare. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab. 2. For **Set up secure access to private apps from any browser**, select **Get started**. 3. For **Connect a private web application**, select **Continue**. 4. On the **Connect and access private web applications** screen, select **Continue**. 5. Enter a name for your application (for example, `grafana-gcp`). 6. Enter the hostname or IP address where the application is running. Use the IP address if you are not sure (for example, `10.10.1.25`). 7. Select the protocol your application uses (HTTP or HTTPS). 8. Enter the port your application listens on. This is usually part of the URL you use to access the application locally (for example, the `80` in `http://10.10.1.25:80`). 9. Select **Continue**. ## Step 2: Select a public domain Your application needs a public URL so users can reach it from a browser. Cloudflare creates a public URL on one of your existing domains for the application. 1. Select a domain from the dropdown. 2. Enter a subdomain (for example, `grafana`). A preview of the full URL appears (for example, `grafana.example.com`). 3. Select **Continue**. ## Step 3: Add your first policy An Access policy controls who can reach your application. In this step, you create a simple policy using email-based one-time PINs. Users you add here receive a one-time PIN by email when they try to access the application. 1. Enter the email addresses of users you want to grant access to. 2. Select **Continue**. Note You can add your identity provider (for example, Okta or Google Workspace) to the application later. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). ## Step 4: Assign a tunnel A tunnel connects your private network to Cloudflare so traffic can reach your application. You can select an existing tunnel or create a new one. 1. In the **Choose or create a Tunnel** dropdown, select an existing tunnel or enter a name to create a new one. 2. Select **Continue**. ## Step 5: Deploy your tunnel Install `cloudflared` on a device in your private network that can reach the application. The dashboard generates commands specific to your operating system. 1. Select your operating system from the dropdown. 2. Copy and run the commands shown in the dashboard. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window. 3. After the tunnel connects, select **Continue**. ## Step 6: Review details The dashboard confirms that your application is available and protected behind Cloudflare Access. ## Recommended next steps * **Test your application**: 1. Select **Test login** on the success screen. 2. On the Access login screen, enter one of the email addresses you added to your Access policy. 3. Select **Send me a code**. 4. Enter the code from your email and select **Sign in**. * **Explore more with Zero Trust**: Review your applications, policies, and tunnels in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). * **Configure an identity provider**: Replace email one-time PINs with your organization's identity provider for a seamless login experience. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). For in-depth guidance on clientless access, refer to the [Clientless access learning path](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/). ## Troubleshoot If you have issues connecting, refer to these resources: * [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems. * [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/troubleshooting/): resolve common Zero Trust errors and issues. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/setup/","name":"Get started"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/setup/secure-private-apps/","name":"Secure private apps"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/setup/secure-private-apps/private-web-app/","name":"Private web application"}}]} ``` --- --- title: Implementation guides description: View implementation guides for Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/implementation-guides/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Implementation guides Implementation guides cover deployment steps and best practices for specific Cloudflare One use cases. [Secure web traffic from threats](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) Inspect and filter all Internet-bound traffic from your users to block threats, enforce acceptable use policies, and prevent data loss. [Replace your VPN](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/) Give users secure, auditable network and application access. [Secure private apps without a client](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/) Provide browser-based access to internal web applications, SSH servers, and RDP sessions without installing software on user devices. [Secure your email with Email security](https://developers.cloudflare.com/learning-paths/secure-your-email/concepts/) Use Cloudflare's Email security to protect your Microsoft 365 email inbox from phishing and malware attacks. [Holistic AI security with Cloudflare One](https://developers.cloudflare.com/learning-paths/holistic-ai-security/concepts/) Monitor and secure generative AI usage within your organization. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/implementation-guides/","name":"Implementation guides"}}]} ``` --- --- title: Deploy clientless access image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/implementation-guides/clientless-access.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Deploy clientless access ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/implementation-guides/","name":"Implementation guides"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/implementation-guides/clientless-access/","name":"Deploy clientless access"}}]} ``` --- --- title: Holistic AI security with Cloudflare One image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/implementation-guides/holistic-ai-security.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Holistic AI security with Cloudflare One ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/implementation-guides/","name":"Implementation guides"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/implementation-guides/holistic-ai-security/","name":"Holistic AI security with Cloudflare One"}}]} ``` --- --- title: Replace your VPN image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/implementation-guides/replace-vpn.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Replace your VPN ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/implementation-guides/","name":"Implementation guides"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/implementation-guides/replace-vpn/","name":"Replace your VPN"}}]} ``` --- --- title: Secure your Internet traffic and SaaS apps image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/implementation-guides/secure-internet-traffic.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Secure your Internet traffic and SaaS apps ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/implementation-guides/","name":"Implementation guides"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/implementation-guides/secure-internet-traffic/","name":"Secure your Internet traffic and SaaS apps"}}]} ``` --- --- title: Secure your email with Email security image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/implementation-guides/secure-your-email.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Secure your email with Email security ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/implementation-guides/","name":"Implementation guides"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/implementation-guides/secure-your-email/","name":"Secure your email with Email security"}}]} ``` --- --- title: Videos image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/video-tutorials.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Videos [ Build and secure your SASE corporate network ](https://developers.cloudflare.com/learning-paths/sase-overview-course/series/evolution-corporate-networks-1/) Dive into Cloudflare's Secure Access Service Edge (SASE) platform and learn how it's been designed to revolutionize the idea of the corporate network. [ Understand and troubleshoot Cloudflare WARP ](https://developers.cloudflare.com/learning-paths/warp-overview-course/series/warp-basics-1/) In this series, we cover the basics of Cloudflare WARP, share useful troubleshooting tips, and explain the warp-diag logs in detail. [ What's a Cloudflare Tunnel? ](https://developers.cloudflare.com/videos/what-is-cf-tunnel/) Cloundflare Tunnel is like a private, secure pathway from your computer to the Internet, so you don't have to leave the front door (your network) wide open. [ Add your domain to Cloudflare ](https://developers.cloudflare.com/videos/the-online-address-book/) To begin using a Cloudflare Tunnel, you need a domain name. Learn how DNS works and how Cloudlare manages your domain through the metaphor of an online address book. [ Set up Access policies for your tunnel ](https://developers.cloudflare.com/videos/set-up-access-policies/) Set up access policies using Cloudflare Access to verify the identity of every user. [ Set up Cloudflare Tunnel ](https://developers.cloudflare.com/videos/set-up-cf-tunnel) Set up Cloudflare Tunnel to create a secure link between your private environment and the Cloudflare edge. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/video-tutorials/","name":"Videos"}}]} ``` --- --- title: Insights description: Cloudflare One offers observability tools to monitor and troubleshoot your environment: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Insights Cloudflare One offers observability tools to monitor and troubleshoot your environment: * [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) to monitor overall Cloudflare One usage. * [Analytics Dashboards](https://developers.cloudflare.com/cloudflare-one/insights/analytics/) to review organizational traffic trends and policy insights. * [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) for event-level investigation. * [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for device, network, and application performance. ## Troubleshooting workflow example A user reports they cannot reach an internal application behind [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/). To address the issue: 1. The admin checks the [Access Event Analytics dashboard](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) to review if other users are experiencing similar issues. 2. The admin then reviews [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) to examine the user's authentication attempts and blocked requests. 3. Finally, the admin uses [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) to evaluate the user's device health and network performance. ## How to use these tools together ### Onboarding After onboarding your devices and users, use these tools to confirm everything is set up correctly and to monitor your organization's activity. 1. Start with [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) to validate initial configuration and confirm that authentication is successful. 2. Use [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) to confirm expected patterns and policy activity. If your device is experiencing connectivity issues, Cloudflare recommends starting with [troubleshooting WARP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/) as WARP misconfiguration is the most common cause of connectivity issues. ### Daily monitoring 1. Use [Analytics Dashboards](https://developers.cloudflare.com/cloudflare-one/insights/analytics/) to understand trends and for visualizations of your log data. Administrators typically start with Analytics Dashboards because they offer: * A high-level view of activity across your products, like Access, or security use cases, such as AI and shadow IT. * Visibility into trends, provided through time-series graphs, to track the evolution of key metrics (such as [DNS queries](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/#dns-query-analytics), [network sessions](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/#network-session-analytics), [HTTP requests](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/#http-request-analytics), and [CASB posture/content findings](https://developers.cloudflare.com/cloudflare-one/insights/analytics/data-analytics/)) over time. 2. Use [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) as needed for event-level verification. Use Logs when you need to: * Investigate a specific event; for example, a user's [failed authentication attempt](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) when trying to log into an application. * Validate identity or device details; for example, confirming which user made the request, how they authenticated, and whether their device met required [posture conditions](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/posture-logs/). * Confirm policy matches; for example, verifying which [specific rule](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#rule-types) allowed, blocked, or challenged a user's request and why it was applied. ### User-reported issues Users may report problems like slow or failing connections to internal apps. 1. Start with [Analytics Dashboards](https://developers.cloudflare.com/cloudflare-one/insights/analytics/) to review whether the issue impacts others. 2. Check [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) for failed authentication attempts, blocked requests, or unexpected policy matches. 3. Use [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) to diagnose device- or network-level causes with [synthetic tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) and [device monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}}]} ``` --- --- title: Analytics overview description: The Cloudflare One Analytics overview provides a dashboard that reports on how Cloudflare One is protecting your organization and networks. Use this page to monitor usage and potential security concerns within your organization. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/analytics-overview.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Analytics overview The Cloudflare One Analytics overview provides a dashboard that reports on how Cloudflare One is protecting your organization and networks. Use this page to monitor usage and potential security concerns within your organization. To view the Analytics overview, log into [Cloudflare One ↗](https://one.dash.cloudflare.com) and go to **Overview**. The Analytics overview includes reports and insights across the following products and categories: * [Global status](#global-status) of your Zero Trust Organization * [Access](#access) * Gateway * [HTTP traffic](#proxy-traffic) * [Network traffic](#gateway-network-requests) * [DNS traffic](#dns-traffic) * [Firewall policies](#gateway-insights) Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting. ## Global status In **Global status**, you can view a report on your organization's Cloudflare One adoption that contains the following metrics: * Access apps configured * Gateway HTTP policies * Gateway network policies * Gateway DNS policies * SaaS integrations * DLP profiles You can also view a report on your [seat usage](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) across your Zero Trust Organization that contains the following metrics: * Total seats * Used seats * Unused seats ## Access In **Access**, you can view a report on your Access configuration that contains: **Metrics:** * Total access attempts * Granted access * Denied (policy violation) * Active logins overtime * Top applications with most logins **Filters:** * Access data by country ## Gateway ### Proxy traffic In **Proxy traffic**, you can view a report on your Gateway HTTP traffic that contains: **Metrics:** * Total requests overtime * Allowed requests * Blocked requests * Isolated requests * Do not inspect requests * Top bandwidth consumers (GB) * Top denied users **Filters:** * Gateway HTTP traffic data by country ### Gateway (network requests) In **Gateway (network requests)**, you can view a report on your Gateway network traffic that contains: **Metrics:** * Total sessions * Authenticated sessions * Blocked sessions * Audit SSH sessions * Allowed sessions * Override sessions * Top bandwidth consumers in GB * Top denied users **Filters:** * Gateway network traffic data by country ### DNS traffic In **DNS traffic**, you can view a report on your Gateway DNS traffic that contains: **Metrics:** * Total DNS queries * Allowed DNS queries * Blocked DNS queries * Override DNS queries * Safe Search DNS queries * Restricted DNS queries * Other DNS queries **Filters:** * Gateway DNS traffic by query type * Gateway DNS traffic by country ### Gateway insights In **Gateway insights**, you can view a report on your Gateway firewall policies that contains the following metrics: * Top domain blocking policies * Most user queries * Top devices * Top countries ### CASB metrics In **CASB**, you can review instances of security issues found in your SaaS integrations. * Integrations by number of findings * DLP findings by profile name ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/analytics-overview/","name":"Analytics overview"}}]} ``` --- --- title: Access event analytics description: Access event analytics allows you to review login attempts to the applications you protect behind Access. Access event analytics are powered by Access authentication logs. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/analytics/access.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Access event analytics Access event analytics allows you to review login attempts to the applications you protect behind [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). Access event analytics are powered by [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/). To view Access event analytics: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Go to **Dashboards**. 3. Select **Access event analytics**. Access Event Analytics aggregates authentication activity based on your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/). The [Application Access Report](https://developers.cloudflare.com/cloudflare-one/insights/analytics/application-access/) dashboard offers a summary of overall Access activity, while [Access event analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/access/) dashboard provides a view of login events. You can export the Application Access Report to a PDF to share with stakeholders. Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting. ## Available insights The Access event analytics dashboard includes a chart of Access activity over time. You can view a chronological chart of access events. The Access event analytics dashboard shows when access requests occurred, helping you spot spikes in login attempts. * Events are displayed on the vertical axis. * Time (in your local timezone) is shown along the horizontal axis. The Access event analytics dashboard also shows data on your usage patterns with metrics including: * Top used applications * Top users * Top IP addresses * Top identities * Top countries * Top application types These insights help you detect anomalies, and optimize policy rules. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/analytics/","name":"Dashboards"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/analytics/access/","name":"Access event analytics"}}]} ``` --- --- title: AI prompt logs image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/analytics/ai-prompt-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # AI prompt logs ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/analytics/","name":"Dashboards"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/analytics/ai-prompt-logs/","name":"AI prompt logs"}}]} ``` --- --- title: AI security description: The AI security report dashboard summarizes your organization's AI usage and potential security risks. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/analytics/ai-security.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # AI security The AI security report dashboard summarizes your organization's AI usage and potential security risks. To view the AI security report dashboard: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Go to **Dashboards**. 3. Select **AI security report**. Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting. ## Prerequisites To populate the AI security report dashboard, you must have: * [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) enabled to inspect outbound HTTP and DNS traffic. * User traffic to SaaS AI applications (for example, ChatGPT or Gemini) sent through Cloudflare Gateway. * MCP servers behind Cloudflare Access policies. ## Available insights The AI security report dashboard includes the following panels and metrics: * [Top 5 visited AI applications by user count](#top-5-visited-ai-applications-by-user-count) * [Statuses applied to AI applications by application count](#statuses-applied-to-ai-applications-by-application-count) * [Data uploaded to Artificial Intelligence applications by status](#data-uploaded-to-artificial-intelligence-applications-by-status) * [MCP servers behind Access over time](#mcp-servers-behind-access-over-time) * [Access login events to MCP servers](#access-login-events-to-mcp-servers) ### Top 5 visited AI applications by user count Displays the most accessed AI tools in your organization and the number of users visiting each application in a time-series graph. Each bar represents user activity for a specific AI application (for example, ChatGPT or Gemini) over time. Use this chart to monitor adoption trends and detect new or unauthorized AI tools being accessed. ### Statuses applied to AI applications by application count Reports the total number of AI applications identified and their review statuses. Statuses include: * Unreviewed — Applications not yet evaluated by administrators. * In Review — Applications currently under review for approval. * Unapproved — Applications that are restricted or blocked. * Approved — Applications explicitly permitted for organizational use. ### Data uploaded to Artificial Intelligence applications by status Reports the amount of data transferred to AI tools, broken down by review status (Unreviewed, In Review, Unapproved, Approved). Use this report to understand whether sensitive data is being sent to unapproved or unreviewed AI applications. ### MCP servers behind Access over time Displays the number of Managed Control Plane (MCP) servers that are protected behind Access policies over time. Use this panel to monitor the number of MCP servers protected behind Access policies. ### Access login events to MCP servers Reports the number of login events to MCP servers protected behind Access policies. Use this panel to monitor the number of login events to MCP servers protected behind Access policies. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/analytics/","name":"Dashboards"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/analytics/ai-security/","name":"AI security"}}]} ``` --- --- title: Application Access Report description: The Application Access Report provides a high-level summary of Access usage across your organization. This dashboard helps administrators monitor authentication patterns, identity provider usage, and Access configuration metrics. If Access is not configured in your account, the dashboard appears empty. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/analytics/application-access.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Application Access Report The Application Access Report provides a high-level summary of [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) usage across your organization. This dashboard helps administrators monitor authentication patterns, identity provider usage, and Access configuration metrics. If Access is not configured in your account, the dashboard appears empty. The Application Access Report is powered by [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/). To view the Application Access Report dashboard: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Go to **Dashboards**. 3. Select **Application Access Report**. The [Application Access Report](https://developers.cloudflare.com/cloudflare-one/insights/analytics/application-access/) dashboard offers a summary of overall Access activity, while [Access event analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/access/) dashboard provides a view of login events. You can export the Application Access Report to a PDF to share with stakeholders. Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting. ## Prerequisites To populate the Application Access Report dashboard, you must have: * At least one [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) configured in your account. * Users authenticating to these applications through Cloudflare Access. ## Available insights The Application Access Report dashboard includes the following panels and metrics: * [Summary of Access activity](#summary-of-access-activity) * [Access events](#access-events) * [Access decisions by event count](#access-decisions-by-event-count) * [Access applications by event count](#access-applications-by-event-count) * [Access events by type](#access-events-by-type) * [Top counts of event details](#top-counts-of-event-details) * [Access admin metrics](#access-admin-metrics) ### Summary of Access activity The Summary of Access activity section shows a time series of Access login events over a selected period and a summary of login events. You can filter a time period in the upper right corner of the dashboard. ### Access events Shows a time series of Access login events over a selected period. Each bar represents the number of login events in the x-axis time interval. You can use this graph to review user authentication activity and detect unusual login spikes. ### Access decisions by event count Displays the total number of Access decisions made, grouped by outcome (for example, **Granted** or **Denied**). ### Access applications by event count Shows a breakdown of authentication events by application type (for example, **Self-hosted**, **SaaS**, **Private network**, **Infrastructure** or **MCP Portal**). Use this view to determine which application types users most frequently access. ### Access events by type Categorizes authentication events by method, such as **SSO** or **Login** (direct credential-based authentication). This panel helps administrators understand how users are authenticating across applications and identity providers. ### Top counts of event details Lists the most common Access event attributes, including: * Application name — Displays the top accessed applications. * Identity provider — Shows which identity providers (IdPs) were most used. * Users — Lists top users by number of login events. * Countries — Displays top countries where users logged in. * IP addresses — Lists the top source IPs associated with login events. These insights help administrators identify usage patterns and trends. ### Access admin metrics Provides a summary of Access configurations made by admin in your organization, including: * Applications configured — Total number of Access-protected applications, broken down by type (for example, Self-hosted, SaaS, RDP, SSH, Private network, and Dash SSO.) * Policies configured — Total number of Access policies, grouped by policy type (for example, Allow, Block, Bypass, or Service Auth.) This section helps administrators audit their Access setup and verify that expected resources and policies are in place. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/analytics/","name":"Dashboards"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/analytics/application-access/","name":"Application Access Report"}}]} ``` --- --- title: Data security analytics description: The Data security analytics dashboard reports security issues and sensitive data found within your SaaS applications, cloud environments, and HTTP traffic. It visualizes event data collected from your DLP and CASB policies. If neither DLP nor CASB is enabled in your account, the dashboard appears empty. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/analytics/data-analytics.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Data security analytics The Data security analytics dashboard reports security issues and sensitive data found within your SaaS applications, cloud environments, and HTTP traffic. It visualizes event data collected from your DLP and CASB policies. If neither DLP nor CASB is enabled in your account, the dashboard appears empty. To view the Data security analytics dashboard: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Go to **Dashboards**. 3. Select **Data security analytics**. Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting. ## Prerequisites To populate this dashboard, you must have: * [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) configured to generate event data from scanned web traffic or SaaS applications. * At least one [Cloud Access Security Broker (CASB)](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) integration connected to capture findings from your SaaS applications or cloud environments. ## Available insights The dashboard includes the following panels and metrics: * [SaaS and Cloud findings by count](https://developers.cloudflare.com/cloudflare-one/insights/analytics/data-analytics/#saas-and-cloud-findings-by-count) * [Posture findings by Severity](https://developers.cloudflare.com/cloudflare-one/insights/analytics/data-analytics/#posture-findings-by-severity) * [DLP matches in HTTP requests over time](https://developers.cloudflare.com/cloudflare-one/insights/analytics/data-analytics/#dlp-matches-in-http-requests-over-time) * Top integrations by posture findings * Top integrations by content findings * Top cloud resources by findings * Top users by DLP policies triggered ### SaaS and Cloud findings by count The SaaS and Cloud findings by count chart shows a time series view of Posture and Content findings. [Posture](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#posture-findings) denotes posture findings which include misconfigurations, unauthorized user activity, and other data security issues. [Content](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#content-findings) denotes content findings which include instances of potential data exposure as identified by [DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/). Each bar represents the total number of findings detected within a given time interval. You can use this view to observe patterns or spikes in findings over time. Hover over any bar to view the exact count of Posture and Content findings for that period. To review findings in detail, log into [Cloudflare One ↗](https://one.dash.cloudflare.com) and go to **Cloud & SaaS findings** \> **Posture Findings** or **Content Findings**. ### Posture findings by Severity The Posture findings by severity chart displays the distribution of CASB findings based on their [severity levels](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels). Each segment of the circle represents the number of posture issues classified as `Critical`, `High`, `Medium`, or `Low`. To review findings in detail, log into [Cloudflare One ↗](https://one.dash.cloudflare.com) and go to **Cloud & SaaS findings** \> **Posture Findings**. ### DLP matches in HTTP requests over time The DLP matches in HTTP requests over time chart displays when [DLP policies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/) were triggered by users over a specified period of time. Unlike the SaaS and Cloud findings by count chart above, which relies on CASB findings from data at rest, the DLP matches in HTTP requests over time chart reflects DLP detections in HTTP traffic — helping you monitor sensitive data movement in real time. To review DLP detections in detail, log into [Cloudflare One ↗](https://one.dash.cloudflare.com) and go to **Insights** \> **Logs** \> **HTTP request logs**. Use the **DLP profiles** or **DLP match data** filters to view HTTP requests that triggered a DLP policy. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/analytics/","name":"Dashboards"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/analytics/data-analytics/","name":"Data security analytics"}}]} ``` --- --- title: Gateway analytics (DNS, HTTP, network sessions) description: Gateway analytics include three separate dashboards: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Gateway analytics (DNS, HTTP, network sessions) Gateway analytics include three separate dashboards: * HTTP request analytics. * DNS query analytics. * Network session analytics. To review Gateway analytics: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Go to **Dashboards**. 3. Select your desired dashboard. Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting. ## HTTP request analytics Your [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) power the HTTP request analytics dashboard. If you are not using Gateway HTTP policies, the dashboard will appear empty. The HTTP request analytics dashboard helps you identify trends in how your HTTP policies apply over time. By visualizing allowed, isolated, and do not inspect requests, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns. To review a detailed description of an HTTP request and its associated policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Select **Logs**. 3. Select **HTTP request logs**. 4. Use the **Policy** filter to view HTTP requests that triggered a policy or other filters to narrow down your results. ### Provided analytics * HTTP Requests over time * Time series view of HTTP requests * Top Actions * Top Countries * Top Blocked Users * Top Bandwidth Consumers * Top Devices * Top Source IPs ## DNS query analytics Your [Gateway DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) power the DNS query analytics dashboard. If you are not using Gateway DNS policies, the dashboard will appear empty. The DNS query analytics dashboard helps you identify trends in how your DNS policies apply over time. By visualizing allowed, blocked, and overridden queries, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns. To review a detailed description of a DNS query and its associated policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Select **Logs**. 3. Select **DNS query logs**. 4. Use the **Policy** filter to view DNS queries that triggered a policy or other filters to narrow down your results. ### Provided analytics * DNS Queries over time * Time series view of DNS queries * Top Actions * Top Countries * Top Blocked Users * Top Allowed Users * Top Blocked Devices ## Network session analytics Your [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) power the Network session analytics dashboard. If you are not using Gateway network policies, the dashboard will appear empty. The Network session analytics dashboard helps you identify trends in how your Gateway network policies apply over time. By visualizing allowed, blocked, and overridden sessions, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns. To review a detailed description of a network session and its associated policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Select **Logs**. 3. Select **Network logs**. 4. Use the **Policy** filter to view network sessions that triggered a policy or other filters to narrow down your results. ### Provided analytics * Network Sessions over time * Time series view of network sessions * Top Actions * Top Countries * Top Blocked Users * Top Bandwidth Consumers * Top Devices * Top Source IPs ## GraphQL queries You can use the [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/) to query your Gateway Analytics data. Available [datasets](https://developers.cloudflare.com/analytics/graphql-api/features/data-sets/) for Gateway include: | Dataset | Description | | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | gatewayL4DownstreamSessionsAdaptiveGroups | Metrics for Gateway network sessions from user devices to the Cloudflare global network. | | gatewayL4UpstreamSessionsAdaptiveGroups | Metrics for Gateway network sessions from the Cloudflare global network to user devices. | | gatewayL4SessionsAdaptiveGroups | Metrics for Gateway network sessions with adaptive sampling. | | gatewayL7RequestsAdaptiveGroups | Metrics for Gateway HTTP requests with adaptive sampling. | | gatewayResolverQueriesAdaptiveGroups | Metrics for Gateway DNS queries with adaptive sampling. | | gatewayResolverByRuleExecutionPerformanceAdaptiveGroups | Time to execute Gateway DNS policies on the Cloudflare global network. | | gatewayResolverByCustomResolverGroups | Metrics for Gateway DNS queries resolved using custom resolvers. | | gatewayResolverByCategoryAdaptiveGroups | Metrics for Gateway DNS queries sorted by [domain category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) with adaptive sampling. | To explore the schema, you can use a GraphQL client such as [GraphiQL ↗](https://github.com/graphql/graphiql/tree/main/packages/graphiql#readme) or [Altair ↗](https://altairgraphql.dev/). 1. [Create an API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/api-token-auth/) with the following permissions: | Type | Item | Permission | | ------- | ----------------- | ---------- | | Account | Account Analytics | Read | 2. In your GraphQL client, [add your API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/graphql-client-headers/) as an Authorization header. 3. Compose a query to access your Gateway Analytics datasets. For example, you can query the `gatewayResolverQueriesAdaptiveGroups` dataset to return the adaptive groups of DNS queries resolved by Gateway: ``` query GatewaySampleQuery($accountTag: string!, $start: Time) { viewer { accounts(filter: { accountTag: $accountTag }) { gatewayResolverQueriesAdaptiveGroups( filter: { datetime_gt: $start } limit: 10 ) { count dimensions { queryNameReversed resolverDecision } } } } } ``` [Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBA4gQwC5gO4KgZQQWwA4A2YAiuNABQAkCAxjQPYgB2SAKggOYBcMAzkhACWTDgEIANDEr8EEJD1aCcYAJQwA3gCgYMAG6C0kDdp0xaDZkl7kAZoIIoIPdWbqMW7blPPu2nGAC+alqmphzIaBgASmC89AS6kKSQBrwAggAmCHhIgolwEIx41iahOnYOkM4wWSi5ygD6HPJSMnKBpWUESoItAIwADJ06wcOmFixjOhlKYEy8gvTzxmVloJBQAHK4YDGJELxgGVOmELHx+wAiYDSCC0snAWNPoS8dAUA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgBYRAZmS9emAKxzMARlEAtEAF8gA) For more information, refer to [Compose a query in GraphiQL](https://developers.cloudflare.com/analytics/graphql-api/getting-started/compose-graphql-query/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/analytics/","name":"Dashboards"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/analytics/gateway/","name":"Gateway analytics (DNS, HTTP, network sessions)"}}]} ``` --- --- title: Shadow IT SaaS analytics description: Shadow IT SaaS analytics provides visibility into the SaaS applications your users are visiting. This information allows you to create identity and device-driven Cloudflare One policies to secure your users and data. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Shadow IT SaaS analytics Shadow IT SaaS analytics provides visibility into the SaaS applications your users are visiting. This information allows you to create identity and device-driven Cloudflare One policies to secure your users and data. To access Shadow IT SaaS analytics: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Go to **Dashboards**. 3. Select **Shadow IT: SaaS analytics**. Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting. ## Prerequisites To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/). ## Use Shadow IT SaaS analytics ### 1\. Review applications The first step in using the Shadow IT SaaS analytics dashboard is to review applications in the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/). The App Library synchronizes application review statuses with approval statuses from the Shadow IT Discovery SaaS analytics dashboard. To organize applications into their approval status for your organization, you can mark them as **Unreviewed** (default), **In review**, **Approved**, and **Unapproved**. | Status | API value | Description | | ---------- | ---------- | ------------------------------------------------------------------------------------------------------ | | Approved | approved | Applications that have been marked as sanctioned by your organization. | | Unapproved | unapproved | Applications that have been marked as unsanctioned by your organization. | | In review | in review | Applications in the process of being reviewed by your organization. | | Unreviewed | unreviewed | Unknown applications that are neither sanctioned nor being reviewed by your organization at this time. | To set the status of an application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Applications**. 2. Locate the card for the application. 3. In the three-dot menu, select the option to mark your desired status. Once you mark the status of an application, its badge will change. You can filter applications by their status to review each application in the list for your organization. The review status for an application in the App Library and Shadow IT Discovery will update within one hour. Note Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/). To filter traffic based on approval status, use the [_Application Status_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#application-approval-status) selector. ### 2\. Monitor usage Review the Shadow IT SaaS analytics dashboard for application usage. Filter the view based on: | Field | Description | | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Application | SaaS application's name and logo. | | Application type | [Application type](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/#app-types) assigned by Cloudflare Cloudflare One. | | Status | Application's approval status. | | Secured | Whether the application is currently secured behind Cloudflare Access. | | Users | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page. | To manage application statuses in bulk, select **Set Application Statuses** to review applications your users commonly visit and update their approval statuses. ### 3\. Create policies After marking applications, you can create [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) based on application review status. For example, you can create policies that: * Launch all **Unreviewed** and **In review** applications in an [isolated browser](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/common-policies/#1-isolate-unreviewed-or-in-review-applications). * [Block access](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/common-policies/#2-block-unapproved-applications) to all **Unapproved** applications. * Limit file upload capabilities for specific application statuses. To create an HTTP status policy directly from Shadow IT Discovery: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights**. 2. Select **Dashboards** \> **Shadow IT: SaaS analytics**. 3. Select **Set application statuses**. 4. Select **Manage HTTP status policies**, then choose an application status and select **Create policy**. ## Available insights The Shadow IT SaaS analytics dashboard includes several insights to help you monitor and manage SaaS application usage. * **Number of applications by status**: A breakdown of how many applications have been categorized into each [approval status](#1-review-applications). The list of applications is available in the [App Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/). * **Data uploaded per application status**: A time-series graph showing the amount of data (in gigabytes) uploaded to an application in the given status. * **Data downloaded per application status**: A time-series graph showing the amount of data (in gigabytes) downloaded from an application in the given status. * **User count per application status**: A time-series graph showing the number of users who have interacted with at least one application in a given status. For example, a user can use an **Approved** application shortly followed by an **In review** application, contributing to counts for both of those statuses. * **Top-N metrics**: A collection of metrics providing insights into top applications, users, devices, and countries. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/analytics/","name":"Dashboards"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/analytics/shadow-it-discovery/","name":"Shadow IT SaaS analytics"}}]} ``` --- --- title: Digital experience description: Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Zero Trust organization. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Digital experience Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Zero Trust organization. With DEX, you can monitor the state of your [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) deployment and resolve issues impacting end-user productivity. DEX is designed for IT and security teams who need to proactively monitor and troubleshoot device and network health across distributed environments. DEX is available on all Cloudflare Zero Trust and SASE plans. DEX is compatible with Cloudflare's [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/) for the 'EU' (European Union) which ensures that customer log will not leave the 'EU' region. Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting. ## When a user reports a problem If a user notifies that “the connection is not working” or “performance is slow,” DEX allows you to: * Use [device monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/) to check device health and endpoint connectivity. * Test network health and application responsiveness with [synthetic tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/). * Identify whether problems originate from the device (such as [issues with the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/)), the network, or Cloudflare. ## Troubleshooting other Cloudflare One features Use DEX to troubleshoot other Cloudflare One features: * Test connectivity to a [SaaS application secured with Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/). * Verify that a website routed through [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) is reachable from user devices. * Confirm that users can successfully reach internal resources after configuring a [Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/). ### Get started To start using DEX for device, network, and application monitoring: 1. [Create a Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization). 2. [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) and sign in to register your device to the organization. 3. Create [tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) to verify device connectivity to applications and networks. 4. [Monitor](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/) device and network health across your fleet using real-time and historical metrics. 5. Run [remote captures](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/) to collect diagnostic logs and packet captures from user devices. 6. Set up [notifications](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/) to get alerts when degraded connectivity or application performance is detected. ### Troubleshooting For help resolving common issues with Digital Experience Monitoring, refer to [Troubleshoot Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/troubleshooting/). ### Directory Review all available documentation for DEX capabilities. * [ Device monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/) * [ Synthetic tests ](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) * [ Rules ](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/) * [ Remote captures ](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/) * [ Notifications ](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/) * [ IP visibility ](https://developers.cloudflare.com/cloudflare-one/insights/dex/ip-visibility/) * [ DEX MCP server ](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/) * [ Troubleshoot Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/troubleshooting/) * [ MCP server ](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/dex-analysis) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}}]} ``` --- --- title: DEX MCP server description: The MCP server (Model Context Protocol) for Digital Experience Monitoring (DEX) is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly‌@acme.com", and receive an answer that contains data from the DEX API. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ MCP ](https://developers.cloudflare.com/search/?tags=MCP) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/dex-mcp-server.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # DEX MCP server The MCP server [(Model Context Protocol) ↗](https://cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) for Digital Experience Monitoring (DEX) is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly‌@acme.com", and receive an answer that contains data from the DEX API. Any Cloudflare One customer using a Free, PayGo, or Enterprise account can access the DEX MCP Server. This feature is available to everyone. There are two primary options for connecting to the DEX MCP server: * [In Cloudflare's AI Playground](#cloudflare-ai-playground) * [With your preferred AI assistant](#ai-assistant) ## Cloudflare AI Playground Cloudflare's AI Playground is a great way to quickly try out a new MCP Server. You can test the DEX MCP server in less than one minute by visiting the AI Playground's website. 1. Copy the URL for the DEX MCP server: `https://dex.mcp.cloudflare.com/mcp`. 2. Open [playground.ai.cloudflare.com ↗](https://playground.ai.cloudflare.com) in a browser. 3. Find the section in the left sidebar titled **MCP Servers**. 4. Paste the URL for the DEX MCP server into the URL input box and select **Connect**. 5. Authenticate your Cloudflare account, and then start asking questions about your DEX data. Note You need to ask specific and explicit questions to get a response. For example, first you need to provide the following instruction: "Set XYZ as the active account". Then, you can ask a specific question: "Fetch the DEX test results for the user bob@‌acme.com over the past 24 hours". ## AI Assistant Customers will get a more flexible and robust prompt experience by configuring the DEX MCP server with their preferred AI assistant (for example, Claude, Gemini, or ChatGPT). If you have any issues during the configuration process, you can ask your AI assistant for help with configuring an MCP server via URL. ### Claude You need a Claude Pro account (or higher subscription) to configure an MCP server. 1. Download the [Claude desktop client ↗](https://claude.ai/download). 2. Open the Claude desktop client, and log in or set up an account. 3. Expand the left sidebar menu, and select **Claude Code**. 4. Under **Desktop app**, select **Developer** to show the **Local MCP servers** page. 5. Select **Edit Config** and open the `claude_desktop_config.json` file in a text editor of your choice. 6. Copy the JSON configuration for the DEX MCP server and paste it into `claude_desktop_config.json`. Save the file. ``` { "globalShortcut": "", "mcpServers": { "cloudflare-dex-analysis": { "command": "npx", "args": ["mcp-remote", "https://dex.mcp.cloudflare.com/mcp"] } } } ``` 7. Fully close Claude by using the task manager to stop any background processes related to Claude. 8. Open Claude, and your DEX MCP server configuration should appear on the **Local MCP servers** page. 9. Authenticate your Cloudflare account and allow the DEX MCP server. 10. You can start asking Claude questions about DEX. As a simple test, you can ask "Are you connected to the DEX MCP server". ### Gemini CLI All tiers of Google AI Free, Pro, and Ultra offer an MCP server integration via the Gemini CLI. You will need to use a CLI of your choice and npm or homebrew to install and access the Gemini CLI. 1. Visit the GitHub page for the [Gemini CLI ↗](https://github.com/google-gemini/gemini-cli) and follow the installation instructions. 2. Navigate to the `settings.json` file for your Gemini CLI install and open it in a text editor of your choice. File path for the `settings.json` file * Windows: `%USERPROFILE%\.gemini\settings.json` * Mac and Linux: `~/.gemini/settings.json` 3. Copy the JSON configuration for the DEX MCP server and paste it into **settings.json**. Save the file. ``` { "globalShortcut": "", "mcpServers": { "cloudflare-dex-analysis": { "command": "npx", "args": ["mcp-remote", "https://dex.mcp.cloudflare.com/mcp"] } } } ``` 4. Run Gemini in your CLI of choice. 5. If everything is working as expected, the Gemini CLI will show the following message: `Using: 1 MCP server (ctrl+t to view)` 6. Authenticate the email associated with your Cloudflare account in the Gemini CLI. 7. You can start asking the Gemini CLI questions about DEX. As a simple test, you can ask "Are you connected to the DEX MCP server". ### ChatGPT You need a ChatGPT Pro or Business account to configure an MCP server. ChatGPT Free and Plus do not support MCP servers. 1. Download the [ChatGPT desktop app ↗](https://chatgpt.com/features/desktop). 2. Open the ChatGPT desktop app, and log in or set up an account. 3. Open the **Settings** menu and select **Connectors**. 4. Select the option to create a new Connector. 5. Provide a **Name** (like `DEX MCP`), **Description** (optional), and **MCP Server URL** for the Connector. The DEX MCP Server URL is: `https://dex.mcp.cloudflare.com/mcp`. 6. Create the new Connector. 7. Before you ask ChatGPT a question about DEX, select the **+** (plus) button next to the ChatGPT prompt box. 8. Select **Use Connectors** \> **Add Sources**, then select the DEX MCP as a source. 9. You can start asking ChatGPT questions about DEX. As a simple test, you can ask "Are you connected to the DEX MCP server". ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/dex-mcp-server/","name":"DEX MCP server"}}]} ``` --- --- title: IP visibility description: DEX's IP visibility gives administrators insight into three different IP types per device: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # IP visibility Feature availability | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2025.1.861.0 | | macOS | ✅ | 2025.1.861.0 | | Linux | ✅ | 2025.1.861.0 | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | DEX's IP visibility gives administrators insight into three different IP types per device: 1. **Device**: The private IP address of an end-user device. 2. **ISP**: The public IP that the ISP assigns when it routes the end-user device's traffic. 3. **Gateway**: The router's private IP (the router the end device is connected to.) Note The ISP IP is only visible to users with the [Zero Trust PII role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii). DEX's IP visibility supports both IPv6 and IPv4 addresses. IP information is crucial for IT administrators to accurately troubleshoot network issues and identify user locations. IT administrators face challenges like: * Pinpointing the exact location of a user experiencing issues ("AP 87 is bad.") * Identifying network access control policy violations ("NAC Policies is not applied properly.") * Troubleshooting firewall restrictions ("Firewall on VLAN 93 is blocking.") * Resolving Layer 2 and DHCP related problems. * Indirectly determining user identity and device location. ## View a device's IP information To view IP information for a user device: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Your devices**. 2. Select a device, then select **View details**. 3. Go to **IP details**. 4. Review the IP details for your selected device's most recent session. ## View a device's IP history DEX's IP visibility allows you to review an event log of a device's IP history for the last seven days. To view a device's IP history: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Your devices**. 2. Select a device > **View details** \> go to **IP details**. 3. Select **View all ISPs**. ## Troubleshoot with IP visibility While IP visibility allows you to inspect a device's IP information, use [DEX's live analytics](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#available-metrics) to review which Cloudflare data center the device is connected to. When traffic leaves a Cloudflare One Client-connected end-user device, it will hit a [Cloudflare data center](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#identify-the-cloudflare-data-center-serving-your-request). To find which Cloudflare data center a device is connected to: 1. Follow the steps listed in [View IP information](#view-a-devices-ip-history) to find a device's IP information. 2. On the device page, select **Colocation & client** or find the **Client** table at the top of the page. 3. In the **Client** table, find **Colocation** to review which Cloudflare data center your selected device's egress traffic is connected to. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/ip-visibility/","name":"IP visibility"}}]} ``` --- --- title: MCP server image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/mcp-server.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # MCP server ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/mcp-server/","name":"MCP server"}}]} ``` --- --- title: Device monitoring description: Monitor performance and network status for your organization's fleet or individual user devices. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Device monitoring Monitor performance and network status for your organization's [fleet](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status) or individual [user devices](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#device-monitoring). Network and device performance data helps IT administrators troubleshoot performance issues, investigate network connectivity problems, and monitor device health. ## Device overview A fleet is a collection of user devices. All devices in a fleet have the Cloudflare One Client installed and are connected to a [Cloudflare Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization). To view fleet status: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**. 2. Review the information under **Live analytics**. ### View metrics The **Device overview** tab shows real-time and historical connectivity metrics for all devices in your organization. To view analytics on a per-device level, go to [Device monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#device-monitoring). ### Available metrics * **Devices connected by colo**: Number of devices connected to a given [Cloudflare data center ↗](https://www.cloudflarestatus.com/). * **Connectivity status**: Percentage of devices in a given Cloudflare One Client state. | Status | Description | | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Connected | the Cloudflare One Client has successfully established a connection to the Cloudflare global network. | | Disconnected | the Cloudflare One Client has been intentionally or unintentionally disconnected from the Cloudflare global network. | | Paused | A user or administrator has taken an explicit action to temporarily turn off WARP, for example by entering an [admin override code](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes). Paused clients will [auto-connect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#auto-connect) after a timeout period. | | Connecting | the Cloudflare One Client is pending connection, but is actively trying to establish a connection to the Cloudflare global network. | * **Mode**: [Client mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) deployed on the device. * **Colo**: Percentage of devices connected to a given Cloudflare data center. * **Platform**: Operating system of the device. * **Major Version**: Cloudflare One Client version installed on the device. * **Device Status Over Time**: Cloudflare One Client connection status over the selected time period. * **Connection Methods Over Time**: Client mode used by the device over the selected time period. ## Device monitoring Review network and device performance for a device enrolled in your fleet. ### View a device's performance To view a device's network and device performance metrics: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Your devices**. 2. Select a device > **View details**. 3. Select the **DEX** tab. 4. In **Device Monitoring**, scroll down to **Network performance** and **Device Performance**. ### Network and device performance metrics #### Network performance metrics * **Unique networks over time**: How many unique SSIDs the device was connected to. * **Network I/O**: How much data the device transferred (uploads and downloads) over the primary network interface. #### Device performance metrics * **Battery percentage and cycles**: Displays battery percentage and [battery cycles ↗](https://support.apple.com/en-us/102888) over time. Use this metric to debug potential performance issues possibly related to battery health or power-saving measures that trigger at low-battery levels. * **CPU usage**: CPU utilization over time. Use this metric to debug slow system performance due to high CPU usage. * **Memory utilization**: Memory utilization over time. Use this metric to debug performance issues related to an overtaxed memory. * **Disk I/O**: Displays number of disk read/write operations over time. Use this metric to debug performance errors due to heavy disk operations. ## Export DEX device state event logs The log data for all [DEX device state events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fdevice%5Fstate%5Fevents/) can be exported to [R2](https://developers.cloudflare.com/r2/), a cloud bucket, or a SIEM via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/monitoring/","name":"Device monitoring"}}]} ``` --- --- title: Notifications description: Administrators can receive alerts when Cloudflare detects connectivity issues with the Cloudflare One Client or degraded application performance. Notifications can be delivered via email, webhook, and third-party services. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/notifications.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Notifications Administrators can receive alerts when Cloudflare detects connectivity issues with the Cloudflare One Client or degraded application performance. Notifications can be delivered via email, webhook, and third-party services. ## Manage notifications DEX notifications are configured on the [Cloudflare dashboard ↗](https://dash.cloudflare.com/). For more information, refer to [Create a notification](https://developers.cloudflare.com/notifications/get-started/#create-a-notification). ## Available notifications Device connectivity anomaly **Who is it for?** Zero Trust customers who want to be notified when Cloudflare detects a spike or drop in the number of devices connected to the WARP client. **Other options / filters** * **Alert configuration**: Choose when to trigger a notification. Available options are _Connectivity spike_, _Connectivity drop_, and _Connectivity spike or drop_. * Filters: * **Colo**: Cloudflare data center that the device is connected to. * **Platform**: Operating system of the device. * **Version**: WARP client version (for example, `2024.3.409.0`). * **Mode**: [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) deployed on the device. **Included with** All Cloudflare Zero Trust plans. **What should you do if you receive one?** Review your [fleet status](https://developers.cloudflare.com/cloudflare-one/insights/dex/fleet-status/) to investigate why the spike or drop occurred and which devices are impacted. **Additional information** To learn more about the alert logic, refer to [Z-score](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/#z-score). DEX test latency **Who is it for?** Zero Trust customers who wish to receive alerts when there is a spike or drop in application latency, as measured by the HTTP test [Resource Fetch time](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/http/#test-results) or Traceroute test [Round trip time](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/#test-results). Requires setting up a [DEX test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/). **Other options / filters** * **Alert configuration**: Choose when to trigger a notification. Available options are _Latency spike_, _Latency drop_, and _Latency spike or drop_. * Filters: * **Colo**: Cloudflare data center that the device is connected to. * **Platform**: Operating system of the device. * **Version**: WARP client version (for example, `2024.3.409.0`). * **Test name**: Choose which DEX test the alert should monitor. You will receive individual notifications for each test. **Included with** All Cloudflare Zero Trust plans. **What should you do if you receive one?** View your [test results](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) to investigate why the spike occurred. **Additional information** To learn more about the alert logic, refer to [Z-score](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/#z-score). DEX test low availability **Who is it for?** Zero Trust customers who wish to receive alerts when the percentage of successful HTTP or traceroute requests to an application drops below the selected service-level objective (SLO). Requires setting up a [DEX test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/). **Other options / filters** * **Service Level Objective (SLO)**: Specify the availability threshold that will trigger an alert. Enter a percentage in `xx.x` format (for example, `98.0`). * Filters: * **Colo**: Cloudflare data center that the device is connected to. * **Platform**: Operating system of the device. * **Version**: WARP client version (for example, `2024.3.409.0`). * **Test name**: Choose which DEX test the alert should monitor. You will receive individual notifications for each test. **Included with** All Cloudflare Zero Trust plans. **What should you do if you receive one?** View your [test results](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) to investigate why the degradation occurred. **Additional information** To learn more about the alert logic, refer to [SLO](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/#slo). ## Alert logic ### Z-score Cloudflare uses a z-score to detect traffic spikes or drops. A [z-score ↗](https://en.wikipedia.org/wiki/Standard%5Fscore) is the number of standard deviations the current value is to the mean. We calculate the mean and standard deviation by comparing the current five minutes to the past four hours. This is measured every five minutes. To trigger an alert, the z-score value must be above 3.5 or less than -3.5. ### SLO A service-level objective (SLO) is defined as (x / y) \* 100 where x = the number of good events and y = the number of valid events for a given time period. DEX notifications look at both a short window (five minutes) and a long time window (one hour) and triggers an alert if the availability falls below the SLO threshold in either window. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/notifications/","name":"Notifications"}}]} ``` --- --- title: Remote captures description: Remote captures allow administrators to collect packet captures (PCAPs) and Cloudflare One Client diagnostic logs directly from end user devices. This data can be used to troubleshoot network problems, investigate security incidents, and identify performance bottlenecks. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/remote-captures.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Remote captures Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2024.12.492.0 | | macOS | ✅ | 2024.12.492.0 | | Linux | ✅ | 2024.12.492.0 | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | Remote captures allow administrators to collect packet captures (PCAPs) and Cloudflare One Client diagnostic logs directly from end user devices. This data can be used to troubleshoot network problems, investigate security incidents, and identify performance bottlenecks. ## Start a remote capture Devices must be actively connected to the Internet for remote captures to run. To capture data from a remote device: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**. 2. Select up to 10 devices that you want to run a capture on. Devices must be [registered](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) in your Zero Trust organization. 3. Configure the types of captures to run. * **Packet captures (PCAP)**: Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel ([virtual interface](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#ip-traffic)). * **Device diagnostic logs**: Generates a [Cloudflare One Client diagnostic log](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) of the past 96 hours. To include a routing test for all IPs and domains in your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/), select **Test all routes**. Note **Test all routes** will extend the time for diagnostics to run and may temporarily impact device performance during the test. 4. Select **Run diagnostics**. DEX will now send capture requests to the configured devices. If the Cloudflare One Client is disconnected, the capture will time out after 10 minutes. ## Check remote capture status To view a list of captures, go to **DEX** \> **Remote captures**. The **Status** column displays one of the following options: * **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#download-remote-captures) to determine which PCAPs succeeded or failed. * **Running**: The capture is in progress on the device. * **Pending Upload**: The capture is complete but not yet ready for download. * **Failed**: The capture has either timed out or encountered an error. To retry the capture, check the Cloudflare One Client version and [connectivity status](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status), then start a [new capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#start-a-remote-capture). ## Download remote captures 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**. 2. Find a successful capture. 3. Select the three-dot menu and select **Download**. This will download a ZIP file to your local machine called `.zip`. DEX will store capture data according to our [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention). ### Device PCAP contents The downloaded PCAP folder contains three files: * `capture-default.pcap`: Packet captures for the primary network interface. * `capture-tunnel.pcap`: Packet captures for traffic inside of the WARP tunnel. * `results.json`: Reports successful and failed packet captures. You can analyze `.pcap` files using Wireshark or another third-party packet capture tool. ### Diagnostic log files Refer to [Cloudflare One Client diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) for a description of each file. ## Diagnostics analyzer (beta) The diagnostics analyzer highlights what Cloudflare determines to be the most important detection events in a `warp-diag` log. You can use the detection report to help parse your [log files](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) and identify the root cause of client issues. The diagnostics analyzer is only available for logs [collected via the dashboard](#collect-logs-via-the-dashboard). To access the diagnostics analyzer: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**. 2. Locate an existing `warp-diag` log from the list or select **Run diagnostics** to generate a new `warp-diag` log. 3. Select the three dots for the `warp-diag` log that you want to analyze, then select **View Device Diag**. The **Overview** tab will display an [AI-generated summary](https://developers.cloudflare.com/fundamentals/reference/cloudy-ai-agent/) of the results, a list of detection events, and basic device information. Explanation of the fields | Field | Description | | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Detection type | A common Cloudflare One Client issue that can appear in the diagnostic logs. | | Occurences | Number of times an issue was detected in the logs. | | Severity level | Indicates the impact of the issue on Cloudflare One Client functionality. The severity levels are: **Critical**: Issue causes complete loss of functionality. **Warning**: Issue causes degraded functionality but core features should still work. **No detection**: Issue was not detected in the logs. | | Operating system | OS and OS version of the device. | | Cloudflare One Client version | [Cloudflare One Client release version](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) | | Profile ID | [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) UUID | | Service mode | [Client mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | | Configuration name | Name of the [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/) that the Cloudflare One Client is connected to. | | Device ID | ID generated by the Cloudflare One Client. | 4. Select a detection type for more information about the event and recommended next steps. Cloudflare DEX will store the `warp-diag` log and its detection report per our [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention). To save a copy onto your local machine, [download the log file](#download-remote-captures) and go to the **JSON file** tab to copy the report in JSON format. ## Limitations * Packet captures are subject to the following limits: | Limit Type | Maximum Value | | ----------- | ------------- | | Time limit | 600 seconds | | File size | 50 MB | | Packet size | 1500 bytes | * Cloudflare One Client diagnostic logs have no file size limit, but files larger than 100 MB cannot be uploaded to Cloudflare and must be shared directly with the admin. * Windows devices do not support concurrent remote captures. If you start a remote capture while another is in progress, the second capture will fail immediately. * PCAPs will fail on Windows if you have another third-party packet capture tool (such as, Packet Monitor `pktmon`) running. * On Windows, packet captures may fail on devices configured with a non-English language due to limitations with the underlying `PktMon` tool. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/remote-captures/","name":"Remote captures"}}]} ``` --- --- title: Rules description: DEX rules allow you to create and manage testing policies for targeted user groups within your fleet. After creating a rule, you can use it to define the scope of a test to specific groups such as departments (like finance or sales), devices, and/or users. You can apply and reuse rules on your desired tests. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/rules.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Rules DEX rules allow you to create and manage testing policies for targeted user groups within your [fleet](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/). After creating a rule, you can use it to define the scope of a [test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) to specific groups such as departments (like finance or sales), devices, and/or users. You can apply and reuse rules on your desired tests. DEX rules are ideal for admins who want to define the scope of a test to a specific group within their fleet to allow for more precise problem detection and resolution. ## Create a rule To create a rule: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**. 2. Select the **Rules** tab. 3. Select **Add a rule**. 4. Give your rule a name and build your desired expressions. 5. Select **Create rule** to finalize your rule. ### Selectors Selectors are required categories in a DEX rule expression that define a group within a fleet. The selector(s) you have defined in a rule will determine which group a test will impact. Review the available selectors and their scope in the following list. | Selector | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **User email** | For specifying [user emails](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-email). | | **User group emails** | For specifying [group emails](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-group-email). | | **User group IDs** | For specifying [group IDs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-group-ids). | | **User group names** | For specifying a [group name](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-group-names). | | **Operating systems** | For specifying operating systems. | | **Operating system version** | For specifying an operating system version (use Operator in) or versions (use Operator is). | | **Managed network** | For specifying users accessing the network from the office (managed network) compared to those accessing remotely. | | **SAML attributes** | For specifying a value from the [SAML Attribute Assertion](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#saml-attributes). | | **Colos** | For specifying a Cloudflare data center location users are connected to. | ## Add a rule to a test After you have created a rule, you can add it to a test. If you do not add a rule to a test, the test will run on your entire device fleet. To add a rule to a test: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**. 2. Select the **Tests** tab. 3. Choose an existing test and select **Edit**, or select **Add a test** to make a new test. 4. Under **Select DEX rules**, select the rule you would like to apply. 5. Select **Save test** for an existing rule or **Add rule** for the new test. Note It may take up to 10 minutes for newly updated settings to propagate to devices. To view which tests a rule is being applied to: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**. 2. Select the **Rules** tab. 3. Choose a rule and select **Edit**. 4. Select the **DEX tests** tab and review the list of tests that include your selected rule. ## Create a test using a rule You can create a new test from the [DEX test dashboard as described above](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/#add-a-rule-to-a-test) or directly from the DEX rules dashboard. To create a new test using a rule from DEX rules: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**. 2. Select the **Rules** tab. 3. Select a rule and select **Edit**. 4. Select the **DEX tests** tab. 5. You will be able to review all the tests that currently include this rule. To create a new test, select **Create a test using this rule**. 6. Enter all required information, making sure that the box next to your rule name is checked. 7. Select **Add test**. ## Related resources * [DEX HTTP test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/http/) \- Assess the accessibility of a web application. * [DEX Traceroute test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/) \- Measure the network path of an IP packet from an end-user device to a server. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/rules/","name":"Rules"}}]} ``` --- --- title: Synthetic tests description: With Digital Experience Monitoring (DEX), you can test if your devices can connect to a private or public endpoint through the Cloudflare One Client. Tests allow you to monitor availability for a given application and investigate performance issues reported by your end users. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/tests/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Synthetic tests With Digital Experience Monitoring (DEX), you can test if your devices can connect to a private or public endpoint through the Cloudflare One Client. Tests allow you to monitor availability for a given application and investigate performance issues reported by your end users. DEX tests will only run when the Cloudflare One Client is turned on, whereas [fleet status](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status) metrics are always available. To specify the target group of a test, use [DEX rules](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/). * [ HTTP test ](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/http/) * [ Traceroute test ](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/) * [ View test results ](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) ## Export DEX application test logs The Cloudflare Logs documentation lists the full set of data fields available in [DEX application tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/). The log data for all [DEX application tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) (including HTTP tests) can be exported to [R2](https://developers.cloudflare.com/r2/), a cloud bucket, or a SIEM via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/tests/","name":"Synthetic tests"}}]} ``` --- --- title: HTTP test description: An HTTP test sends a GET request from an end-user device to a specific web application. You can use the response metrics to troubleshoot connectivity issues. For example, you can check whether the application is inaccessible for all users in your organization, or only certain ones. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/tests/http.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # HTTP test Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2023.3.381 | | macOS | ✅ | 2023.3.381 | | Linux | ✅ | 2023.3.398 | | iOS | ❌ | | | Android | ✅ | 1.0 | | ChromeOS | ✅ | 1.0 | An HTTP test sends a `GET` request from an end-user device to a specific web application. You can use the response metrics to troubleshoot connectivity issues. For example, you can check whether the application is inaccessible for all users in your organization, or only certain ones. ## Create a test To set up an HTTP test for an application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**. 2. Select the **Tests** tab. 3. Select **Add a Test**. 4. Fill in the following fields: * **Name**: Enter any name for the test. * **Target**: Enter the URL of the website or application that you want to test (for example, `https://jira.site.com`). Both public and private hostnames are supported. If testing a private hostname, ensure that the domain is on your [local domain fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) list. * **Source device profiles**: (Optional) Select the [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) that you want to run the test on. If no profiles are selected, the test will run on all supported devices connected to your Zero Trust organization. * **Test type**: Select _HTTP Get_. * **Test frequency**: Specify how often the test will run. Input a minute value between 5 and 60. 5. Select **Add test**. 6. After the test is created and running, you can [view the results](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) of your test. ## Test results An HTTP test measures the following data: | Data | Description | | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Resource fetch time | Total time of all steps of the request, measured from [startTime to responseEnd ↗](https://developer.mozilla.org/en-US/docs/Web/API/Performance%5FAPI/Resource%5Ftiming). | | Server response time | Round-trip time for the device to receive a response from the target. | | DNS response time | Round-trip time for the DNS query to resolve. | | HTTP status codes | [Status code ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status) returned by the target. | ## Export DEX application test logs The log data for all [DEX application tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) (including HTTP tests) can be exported to [R2](https://developers.cloudflare.com/r2/), a cloud bucket, or a SIEM via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## Related resources * [DEX rules](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/) \- Specify the target group of a test. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/tests/","name":"Synthetic tests"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/dex/tests/http/","name":"HTTP test"}}]} ``` --- --- title: Traceroute test description: A traceroute test measures the network path of an IP packet from an end-user device to a server. You can use the test results to troubleshoot network issues. For example, increased latency may indicate a problem with connectivity along the network path. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/tests/traceroute.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Traceroute test Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2023.5.587 | | macOS | ✅ | 2023.5.589 | | Linux | ❌ | | | iOS | ❌ | | | Android | ✅ | 1.0 | | ChromeOS | ✅ | 1.0 | A traceroute test measures the network path of an IP packet from an end-user device to a server. You can use the test results to troubleshoot network issues. For example, increased latency may indicate a problem with connectivity along the network path. ## Create a test To set up a traceroute test for an application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**. 2. Select the **Tests** tab. 3. Select **Add a Test**. 4. Fill in the following fields: * **Name**: Enter any name for the test. * **Target**: Enter the IP address of the server you want to test (for example, `192.0.2.0`). You can test either a public-facing endpoint or a private endpoint you have connected to Cloudflare. * **Source device profiles**: (Optional) Select the [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) that you want to run the test on. If no profiles are selected, the test will run on all supported devices connected to your Zero Trust organization. * **Test type**: Select _Traceroute_. * **Test frequency**: Specify how often the test will run. Input a minute value between 5 and 60. 5. Select **Add test**. Next, [view the results](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) of your test. ## Test results A traceroute test measures the following data: | Data | Description | | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Network path | IP address, average response time, and packet loss for each hop between the device and the target. | | Round trip time | Time between sending out a packet and receiving a response from the target. | | Number of hops | Number of routers encountered between the device and the target. | | Packet loss | Percentage of IP packets that failed to receive a response. | | Availability | Percentage of tests where at least one packet reached the destination. | | Last seen ISP | The Internet Service Provider that is managing the connection from the device to Cloudflare. (Only available on macOS and Windows.) DEX looks up the IP address of the ISP in a geolocation database and returns the corresponding [ASO and ASN ↗](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/). If the ASO and ASN are Unknown, it means this information is unavailable in the geolocation data provider. | ## Export DEX application test logs The log data for all [DEX application tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) (including HTTP tests) can be exported to [R2](https://developers.cloudflare.com/r2/), a cloud bucket, or a SIEM via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## Related resources * [DEX rules](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/) \- Specify the target group of a test. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/tests/","name":"Synthetic tests"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/dex/tests/traceroute/","name":"Traceroute test"}}]} ``` --- --- title: View test results description: Use the results of a DEX test to monitor availability and performance for a specific application. DEX will store test results according to our log retention policy. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # View test results Use the results of a DEX test to monitor availability and performance for a specific application. DEX will store test results according to our [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention). ## Prerequisites * At least one [test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) has been created under **DEX** \> **Tests**. * Admins must have at least the [Cloudflare Zero Trust Reporting role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#zero-trust-roles). ## View results for all devices To view an overview of test results for all devices: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**. 2. Select the **Tests** tab. 3. Select a test to view detailed results. ## View results for an individual device To view analytics on a per-device level: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Your devices**. 2. Select the device you want to view, and then select **View details**. 3. Select the **Tests** tab. 4. Select a test to view detailed results. ## Export DEX application test logs The log data for all [DEX application tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) (including HTTP tests) can be exported to [R2](https://developers.cloudflare.com/r2/), a cloud bucket, or a SIEM via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## Related resources * [DEX HTTP test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/http/) \- Assess the accessibility of a web application. * [DEX Traceroute test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/) \- Measure the network path of an IP packet from an end-user device to a server. * [DEX rules](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/) \- Specify the target group of a test. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/tests/","name":"Synthetic tests"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/dex/tests/view-results/","name":"View test results"}}]} ``` --- --- title: Troubleshoot Digital Experience Monitoring description: Resolve common issues with Digital Experience Monitoring (DEX), including data visibility problems and remote capture failures. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/dex/troubleshooting.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshoot Digital Experience Monitoring Review common troubleshooting scenarios for Digital Experience Monitoring (DEX). ## Data visibility ### No data displayed for certain users If you do not see DEX data for specific users in your organization, verify the following: * **Client version**: Ensure the users are running a version of the Cloudflare One Client that supports DEX. * **DEX enabled**: Confirm that DEX is enabled for the [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) assigned to those users. * **Traffic routing**: DEX requires that traffic to Cloudflare's orchestration API is not blocked by local firewalls or SSL-inspecting proxies. ### Fleet status not updating The Fleet status dashboard can take several minutes to reflect changes in device connectivity. If a device remains in an incorrect state, try disconnecting and reconnecting the Cloudflare One Client to force a status update. ## Remote captures ### Remote capture fails to start Remote captures require the Cloudflare One Client to be connected and able to communicate with the Cloudflare control plane. If a capture fails to start: * Verify the device status in the Zero Trust dashboard. * Ensure the device has sufficient disk space to store the capture files before upload. * Check for any local firewall rules that might be blocking the capture command. --- ## How to contact Support If you cannot resolve the issue, [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). Please provide a [remote capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/) from the Zero Trust dashboard for the affected device. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/dex/","name":"Digital experience"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/dex/troubleshooting/","name":"Troubleshoot Digital Experience Monitoring"}}]} ``` --- --- title: Logs description: Review detailed logs for your Zero Trust organization. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Logs Review detailed logs for your Zero Trust organization. * [ Dashboard logs ](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/) * [ Logpush integration ](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) ## Log retention Cloudflare stores Zero Trust logs for different periods of time based on the service and plan type: | Free | Standard | Access | Gateway | Enterprise | | | ----------------------- | --------- | --------- | --------- | ---------- | ------------------------------- | | **Admin logs** | 18 months | 18 months | 18 months | 18 months | 18 months | | **Access logs** | 24 hours | 30 days | 30 days | 24 hours | 180 days | | **DNS logs** | 24 hours | 30 days | 24 hours | 30 days | 180 days[1](#user-content-fn-1) | | **Network logs** | 24 hours | 30 days | 24 hours | 30 days | 30 days | | **HTTP logs** | 24 hours | 30 days | 24 hours | 30 days | 30 days | | **DEX logs** | 7 days | 7 days | 7 days | 7 days | 7 days | | **Device posture logs** | 30 days | 30 days | 30 days | 30 days | 30 days | ## Log Explorer Beta Log Explorer users can store Zero Trust logs directly within Cloudflare in an [R2 bucket](https://developers.cloudflare.com/r2/) and access them with the dashboard or API. Log Explorer supports the following Zero Trust datasets: * [Access requests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/access%5Frequests/) (`FROM access_requests`) * [CASB Findings](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/casb%5Ffindings/) (`FROM casb_findings`) * [Device posture results](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/device%5Fposture%5Fresults/) (`FROM device_posture_results`) * [Gateway DNS](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fdns/) (`FROM gateway_dns`) * [Gateway HTTP](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fhttp/) (`FROM gateway_http`) * [Gateway Network](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fnetwork/) (`FROM gateway_network`) * [Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/) (`FROM zero_trust_network_sessions`) For more information, refer to [Log Explorer](https://developers.cloudflare.com/log-explorer/). ## Customer Metadata Boundary You can use Cloudflare Zero Trust with the Data Localization Suite to restrict data storage to a specific geographic region. For more information, refer to [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/). ## Data privacy For more information on how we use this data, refer to our [Privacy Policy ↗](https://www.cloudflare.com/application/privacypolicy/). ## Footnotes 1. Enterprise users on per query plans cannot store DNS logs via Cloudflare. You can still export logs via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). For more information, contact your account team. [↩](#user-content-fnref-1) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}}]} ``` --- --- title: Access authentication logs description: Use Access authentication logs to review authentication events and requests to protected URI paths and infrastructure targets. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Logging ](https://developers.cloudflare.com/search/?tags=Logging) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Access authentication logs Cloudflare Access generates two types of audit logs: * **[Authentication audit logs](#authentication-logs)** maintain a record of authentication events. * **[Per-request audit logs](#per-request-logs)** record requests to protected URI paths and infrastructure targets. ## Authentication logs Cloudflare Access logs an authentication event whenever a user or service attempts to log in to an application, whether the attempt succeeds or not. [Identity-based authentication](#identity-based-authentication) refers to login attempts that matched on user email, IdP group, SAML group, or OIDC claim. [Non-identity authentication](#non-identity-authentication) refers to login attempts that matched a non-identity policy such as IP address, device posture, country, valid certificate, or service token. Note Authentication logs do not capture the user's actions during a self-hosted or SaaS application session. ### Identity-based authentication #### View Access authentication logs * [ Dashboard ](#tab-panel-3451) * [ API ](#tab-panel-3452) To view logs for identity-based authentication events: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights** \> **Logs**. 2. Select **Access authentication logs**. Log viewer (beta) Access authentication logs use an updated log viewer with enhanced filtering capabilities. To switch to the classic view, select **Return to old logs**. 3. (Optional) Filter the logs that display in the log viewer. You can filter logs by their timestamp and event details (such as the Access application, user email, policy decision, and more). Tip Querying for fewer fields improves log loading performance. 4. Select an individual timestamp to investigate the event in more detail. The [Access authentication logs](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/logs/subresources/access%5Frequests/methods/list/) API endpoint provides a custom URL to export audit log events for your account. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Audit Logs Read` Get Access authentication logs ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/access_requests?limit=25&direction=desc&since=2020-07-01T05%3A20%3A00Z&until=2020-10-01T05%3A20%3A00Z" \ --request GET \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` Response ``` { "success": true, "errors": [], "messages": [], "result": [ { "user_email": "michelle@example.com", "ip_address": "198.41.129.166", "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "app_domain": "test.example.com/admin", "action": "login", "connection": "saml", "allowed": false, "created_at": "2014-01-01T05:20:00.12345Z", "ray_id": "187d944c61940c77" } ] } ``` #### Explanation of the fields Identity-based authentication logs contain the following fields: ##### Basic information | Field | Description | | ---------------- | ---------------------------------------------------------------------------------------------------------------------- | | **App** | Name of the Access application. | | **User email** | Email address of the authenticating user. | | **User ID** | UUID of the authenticating user. | | **IP address** | IP address of the authenticating user. | | **App UID** | UUID of the Access application. | | **App domain** | URL of the Access application. | | **App type** | Specifies the type of Access application: self-hosted, browser SSH, browser VNC, browser RDP, SaaS, or infrastructure. | | **Event** | Type of authentication event, such as a login attempt. | | **Connection** | IdP used to authenticate. | | **Allow** | Result of the authentication event. | | **Request time** | Timestamp of the authentication event. | | **Ray ID** | A unique identifier for every request through Cloudflare. | | **Country** | Country associated with the user's IP address. | ##### Infrastructure applications Cloudflare Access logs the following information when the user authenticates to an [infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/): | Field | Description | | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Hostname** | Hostname of the infrastructure target. | | **Target ID** | UUID of the infrastructure target. | | **SSH user** | The UNIX user, such as root, that the authenticating user specified when connecting to the infrastructure target. | | **SSH logs** | SSH commands that the user ran on the target. Requires configuring an [SSH encryption key](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) before the session begins. | ### Non-identity authentication To retrieve logs for non-identity authentication events, use the [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/tutorials/querying-access-login-events/). These logs are not available in Zero Trust. ## Per-request logs Users who have authenticated through Access have access to authorized URL paths for the duration of their session. Cloudflare provides several ways to audit these requests. ### Using Cloudflare Logs Enterprise customers have access to detailed logs of requests on their Cloudflare dashboard. Enterprise customers also have access to Cloudflare's Logpush service, which can be configured from the Cloudflare dashboard or API. For more information about Cloudflare HTTP and infrastructure logging, refer to [Cloudflare Logs](https://developers.cloudflare.com/logs/). Once a member of your team authenticates to reach an HTTP resource behind Access, Cloudflare generates a token for that user that contains their SSO identity. The token is structured as a JSON Web Token (JWT). Cloudflare relies on an RSA Signature with SHA-256, or RS256, an asymmetric algorithm, to perform that signature. Cloudflare also makes the public key available, so that you can validate their authenticity, as well. When a user requests a given URL, Access appends the user identity from that token as a request header, which we then log as the request passes through our network. Your team can collect these logs in your preferred third-party Security information and event management (SIEM) software or storage destination by using [Cloudflare Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). When enabled with the Access user identity field, the logs will export to your systems as JSON similar to the logs below. ``` { "ClientIP": "198.51.100.206", "ClientRequestHost": "jira.widgetcorp.tech", "ClientRequestMethod": "GET", "ClientRequestURI": "/secure/Dashboard/jspa", "ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "EdgeEndTimestamp": "2019-11-10T09:51:07Z", "EdgeResponseBytes": 4600, "EdgeResponseStatus": 200, "EdgeStartTimestamp": "2019-11-10T09:51:07Z", "RayID": "5y1250bcjd621y99", "RequestHeaders":{"cf-access-user":"srhea"} }, { "ClientIP": "198.51.100.206", "ClientRequestHost": "jira.widgetcorp.tech", "ClientRequestMethod": "GET", "ClientRequestURI": "/browse/EXP-12", "ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36", "EdgeEndTimestamp": "2019-11-10T09:51:27Z", "EdgeResponseBytes": 4570, "EdgeResponseStatus": 200, "EdgeStartTimestamp": "2019-11-10T09:51:27Z", "RayID": "yzrCqUhRd6DVz72a", "RequestHeaders":{"cf-access-user":"srhea"} } ``` ### Using the `cf-access-user` field In addition to the HTTP request fields available in Cloudflare Enterprise logging, requests made to applications behind Access include the `cf-access-user` field, which contains the user identity string. This offers another tool for auditing user behavior. To add the `cf-access-user` field to your HTTP request logs, you must add it as a custom field. Refer to [Custom fields](https://developers.cloudflare.com/logs/logpush/logpush-job/custom-fields/) for instructions. Keep in mind that Access does not log all interactions. For example, per-request audit logs can indicate that a specific user visited `domain.com/admin` and then `domain.com/admin/panel`, but the logs can only identify user interactions that result in a new HTTP request. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/","name":"Dashboard logs"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/","name":"Access authentication logs"}}]} ``` --- --- title: Admin activity logs description: Monitor when a member on your account creates, updates, or deletes configurations. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/admin-activity-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Admin activity logs Admin activity logs record configuration changes made by members of your Cloudflare account. Use these logs to monitor when a member creates, updates, or deletes configurations in your Zero Trust organization. To view admin activity logs, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** \> **Logs** \> **Admin activity logs**. ## Explanation of the fields | Field | Description | | -------------------- | ----------------------------------------------------------- | | **Action timestamp** | Date and time when the change occurred. | | **Action type** | Type of action taken (for example, create, update, delete). | | **Action result** | Whether the action was successful. | | **Actor email** | Email address of the user who performed the action. | | **Actor IP address** | IP address of the user who performed the action. | | **Actor type** | Type of user that initiated the action. | | **Resource type** | The type of resource that was changed. | | **Resource product** | The Cloudflare product associated with the resource. | ## Export admin activity logs Enterprise users can export admin activity logs using [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). For a list of all available fields, refer to [Audit Logs V2](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/audit%5Flogs%5Fv2/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/","name":"Dashboard logs"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/admin-activity-logs/","name":"Admin activity logs"}}]} ``` --- --- title: Gateway activity logs description: Review DNS queries, network traffic, and HTTP requests inspected by Gateway. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Logging ](https://developers.cloudflare.com/search/?tags=Logging) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Gateway activity logs Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs/) for sessions proxied by Gateway. Enterprise users can generate more detailed logs with [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). * [ Manage PII ](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/manage-pii/) Private source IP substitution Gateway logs will only show the public IP address for the **Source IP** field. Private IP addresses are substituted by a public IP address via network address translation (NAT). ## View Gateway activity logs To view Gateway activity logs: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Logs**. 2. Choose a type of Gateway log: * **DNS query logs** * **Network logs** * **HTTP request logs** Log viewer (beta) Gateway logs use an updated log viewer with enhanced filtering capabilities. To switch to the classic view, select **Return to old logs**. 3. (Optional) Filter the logs that display in the log viewer. You can filter logs by their timestamp and event details (such as host, URL, user email, policy action, and more). Tip Querying for fewer fields improves log loading performance. 4. Select an individual timestamp to investigate the event in more detail. ## Selective logging By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logs or only log blocked requests. To customize what type of events are recorded, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Traffic policies** \> **Traffic settings**. Under **Traffic logging** \> **Log traffic activity**, indicate your DNS, Network, and HTTP log preferences. These settings will only apply to logs displayed in Cloudflare One. Logpush data is unaffected. ## DNS logs ### Explanation of the fields #### Basic information | Field | Description | | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Query name** | Name of the domain that was queried. | | **Query ID** | UUID of the query assigned by Cloudflare. | | **Email** | Email address of the user who registered the Cloudflare One Client where traffic originated from. If a non-identity on-ramp (such as a [proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)) or machine-level authentication (such as a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/)) was used, this value will be non\_identity@.cloudflareaccess.com. | | **Action** | The [Action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#actions) Gateway applied to the query (such as Allow or Block). | | **Time** | Date and time of the DNS query. | | **Resolver decision** | The reason why Gateway applied a particular **Action** to the request. Refer to the [list of resolver decisions](#resolver-decisions). | | **Resolved IPs** | Resolved IP addresses in the response. | | **CNAMEs** | CNAME records in the query. | #### Configuration information | Field | Description | | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **DNS location** | [User-configured location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) from where the DNS query was made. | | **Policy name** | Name of the matched policy. | | **Policy ID** | ID of the matched policy. | | **Policy description** | Description of the matched policy. | | **DoH subdomain** | DoH subdomain of the DNS location. | | **Protocol** | Protocol that was used to make the DNS query (such as https). | #### Identities | Field | Description | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Email** | Email address of the user who registered the Cloudflare One Client where traffic originated from. | | **User ID** | UUID of the user. Each unique email address in your organization will have a UUID associated with it. | | **Registration ID** | UUID of the user's Cloudflare One Client registration. A unique registration ID is generated each time a device is registered for a particular email. The same physical device may have multiple registration IDs. | | **Device name** | Display name of the device returned by the operating system to the Cloudflare One Client. Typically this is the hostname of a device. Not all devices will have a device name. Device names are not guaranteed to be unique. | | **Device ID** | UUID of the device connected with the Cloudflare One Client. Each physical device in your organization will have a UUID. | | **Last authenticated** | Date and time the user last authenticated their Zero Trust session. | #### DNS query details | Field | Description | | ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------- | | **Query ID** | UUID of the query assigned by Cloudflare. | | **Query type** | Type of [DNS query ↗](https://en.wikipedia.org/wiki/List%5Fof%5FDNS%5Frecord%5Ftypes). | | **Initial query domain categories** | [Content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. | | **Matched categories** | Name of the Gateway policy category that match the domain. | | **Matched indicator feed names** | Name of the indicator feeds that matched a Gateway policy. | | **Query indicator feed names** | Name of the indicator feeds that a matched domain or IP belongs to. | | **Resolved continent IP geolocation** | Continent code of the resolved IP address. | | **Resolved country IP geolocation** | Country code of the resolved IP address. | | **DoT subdomain** | DoT subdomain of the DNS location. | | **Source IP** | Public source IP address of the DNS query. | | **Source IP continent** | Continent code of the source IP address. | | **Source IP country** | Country code of the source IP address. | | **Source internal IP** | Private IP address assigned by the user's local network. | | **Application name** | Name of the application that matched the domain. | | **Resolver IP** | Public IP address of the DNS resolver. | | **Port** | Port that was used to make the DNS query. | | **Location ID** | ID of the DNS location where the query originated. | | **Scheduling - Time zone** | Time zone of the DNS query source. | | **Scheduling - Time zone inferred method** | Method used to determine the DNS query source's time zone. | #### DNS response details | Field | Description | | ------------------------------- | ------------------------------------------------------------------------------------------ | | **Resolved CNAME categories** | Content categories associated with the resolved CNAME records in the response. | | **Resolved IP categories** | Content categories associated with the resolved IPs in the response. | | **Resolved IPs** | Resolved IPs in the response. | | **Authoritative nameserver IP** | IP address of the authoritative nameserver answering the DNS query. | | **EDE errors** | [Extended DNS error codes ↗](https://www.rfc-editor.org/rfc/rfc8914.html) in the response. | #### Custom resolver | Field | Description | | -------------------------- | ------------------------------------------------------------ | | **Address** | Address of your custom resolver. | | **Policy** | Name of the matched resolver policy. | | **Response** | Status of the custom resolver response. | | **Time (in milliseconds)** | Duration of time it took for the custom resolver to respond. | ### Resolver decisions | Name | Value | Description | | ---------------------- | ----- | ----------------------------------------------------------- | | blockedByCategory | 3 | Domain or hostname matched a category in a Block policy. | | allowedOnNoLocation | 4 | Allowed because query did not match a Gateway DNS location. | | allowedOnNoPolicyMatch | 5 | Allowed because query did not match a policy. | | blockedAlwaysCategory | 6 | Domain or hostname is always blocked by Cloudflare. | | overrideForSafeSearch | 7 | Response was overridden by a Safe Search policy. | | overrideApplied | 8 | Response was overridden by an Override policy. | | blockedRule | 9 | IP address in the response matched a Block policy. | | allowedRule | 10 | IP address in the response matched an Allow policy. | ## Network logs Failed connection logs Gateway will only log TCP traffic with completed connections. If a connection is not complete (such as a TCP SYN with no SYN ACK), Gateway will not log this traffic in network logs. Gateway can log failed connections in [network session logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/). These logs are available for Enterprise users via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) or [GraphQL](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/#graphql-queries). ### Explanation of the fields #### Basic information | Field | Description | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Source IP** | IP address of the user sending the packet. | | **Source Internal IP** | Private IP address assigned by the user's local network. | | **Destination IP** | IP address of the packet's target. | | **Action** | The Gateway [Action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). | | **Session ID** | ID of the unique session. | | **Time** | Date and time of the session. | #### Matched policies | Field | Description | | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **DNS location** | [User-configured location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) from where the DNS query was made. | | **Policy name** | Name of the matched policy. | | **Policy ID** | ID of the policy enforcing the decision Gateway made. | | **Policy description** | Description of the matched policy. | #### Identities | Field | Description | | ---------------------- | ----------------------------------------------------------------------------------------------- | | **Email** | Email address of the user sending the packet. This is generated by the Cloudflare One Client. | | **User ID** | ID of the user sending the packet. This is generated by the Cloudflare One Client. | | **Registration ID** | ID of the user's device registration. This is generated by the Cloudflare One Client. | | **Device name** | Name of the device that sent the packet. | | **Device ID** | ID of the physical device that sent the packet. This is generated by the Cloudflare One Client. | | **Last authenticated** | Date and time the user last authenticated with Zero Trust. | #### Network query details | Field | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Source IP** | IP address of the user sending the packet. | | **Source port** | Source port number for the packet. | | **Source country** | Country code for the packet source. | | **Source IP continent** | Continent code of the source IP address. | | **Source IP country** | Country code of the source IP address. | | **Destination IP** | IP address of the packet's target. | | **Destination port** | Destination port number for the packet. | | **Destination IP continent** | Continent code of the IP address for the packet's destination. | | **Destination IP country** | Country code of the IP address for the packet's destination. | | **Transport protocol** | Protocol over which the packet was sent. | | **Detected Protocol** | The detected [network protocol](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/). | | **SNI** | Host whose Server Name Indication (SNI) header Gateway will filter traffic against. | | **Virtual Network** | [Virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. | | **Category details** | Category or categories associated with the packet. | | **Proxy endpoint** | [PAC file proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) Gateway forwarded traffic to, if applicable. | | **Application ID** | ID of the application that matched the domain. | | **Application name** | Name of the application that matched the domain. | ## HTTP logs Note When an HTTP request results in an error, Gateway logs the first 512 bytes of the request for 30 days for internal troubleshooting. Otherwise, Gateway does not log HTTP bodies. ### Explanation of the fields #### Basic information | Field | Description | | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Host** | Hostname in the HTTP header for the HTTP request. Gateway will log the SNI in this field if it responded to the request with a Do Not Inspect action. If Gateway does not receive the SNI, this field will be empty. | | **Email** | Email address of the user who made the HTTP request. This is generated by the Cloudflare One Client. | | **Action** | The Gateway [Action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). | | **Request ID** | Unique ID of the request. | | **Time** | Date and time of the HTTP request. | | **Source internal IP** | Private IP address assigned by the user's local network. | | **User agent** | User agent header sent in the request by the originating device. | | **Policy details** | Policy corresponding to the decision Gateway made based on the traffic criteria of the request. | | **DLP profiles** | Name of the matched [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/). | | **DLP profile entries** | Name of the matched entry within the DLP profile. | | **Uploaded/downloaded file** | Information about the file transferred in the request found by [enhanced file detection](#enhanced-file-detection). Details include: File nameFile typeFile sizeFile hash (for Allowed requests only)Content typeDirection (Upload/Download)Action (Block/Allow) | #### Matched policies | Field | Description | | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **DNS location** | [User-configured location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) from where the DNS query was made. | | **Policy name** | Name of the matched policy. | | **Policy ID** | ID of the matched policy. | | **Policy description** | Description of the matched policy. | | **Matched category ID** | ID of the category matched in the policy. | | **Matched category name** | Name of the category matched in the policy. | #### Identities | Field | Description | | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | | **Email** | Email address of the user who made the HTTP request. This is generated by the Cloudflare One Client. | | **User ID** | ID of the user who made the request. This is generated by the Cloudflare One Client. | | **Registration ID** | ID of the user's device registration. This is generated by the Cloudflare One Client. | | **Device name** | Name of the device that made the request. | | **Device ID** | ID of the physical device that made the request. This is generated by the Cloudflare One Client on the device that created the request. | | **Last authenticated** | Date and time the user last authenticated with Zero Trust. | #### HTTP query details | Field | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **HTTP Version** | HTTP version of the origin that Gateway connected to on behalf of the user. | | **HTTP Method** | HTTP method used for the request (such as GET or POST). | | **HTTP Status Code** | [HTTP status code](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/) returned in the response. | | **URL** | Full URL of the HTTP request. | | **Referer** | Referer request header containing the address of the page making the request. | | **Source IP** | Public source IP address of the HTTP request. | | **Source Port** | Port that was used to make the HTTP request. | | **Source IP continent** | Continent code of the HTTP request. | | **Source IP country** | Country code of the HTTP request. | | **Destination IP** | Public IP address of the destination requested. | | **Destination Port** | Port of the destination requested. | | **Destination IP continent** | Continent code of the destination requested. | | **Destination IP country** | Country code of the destination requested. | | **Blocked file reason** | Reason why the file was blocked if a file transfer occurred or was attempted. | | **Category details** | Detailed information on the category the blocked file belongs to. | | **Application ID** | ID of the application that matched the domain. | | **Application name** | Name of the application that matched the domain. | | **Categories** | [Content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. | | **Proxy endpoint** | [PAC file proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) Gateway forwarded traffic to, if applicable. | | **Virtual Network** | [Virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. | | **Sandbox scanned** | Status of the [file quarantine](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). | #### File detection details | Field | Description | | ---------------- | -------------------------------------------------- | | **Name** | Name of the detected file. | | **Type** | File type of the detected file. | | **Size** | Size of the detected file. | | **Hash** | Hash of the detected file, generated by DLP. | | **Content type** | MIME type of the detected file. | | **Direction** | Upload or download direction of the detected file. | | **Action** | The Action Gateway applied to the request. | ### Enhanced file detection Enhanced file detection is an optional feature to extract more file information from HTTP traffic. When turned on, Gateway will read file information from the HTTP body rather than the HTTP headers to provide greater accuracy and reliability. This feature may have a minor impact on performance for file-heavy organizations. To turn on enhanced file detection: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings**. 2. In **Proxy and inspection settings**, turn on **Inspect HTTPS requests with TLS decryption**. 3. In **Policy settings**, turn on **Allow enhanced file detection**. ### Isolate requests When a user creates an [isolation policy](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/), Gateway logs the initial request that triggers isolation as an Isolate action. Because this request is not isolated yet, the `is_isolated` field will return `false`. Zero Trust then securely returns the result to the user in an isolated browser. Gateway will log all subsequent requests in the isolated browser with the action (such as Allow or Block), and the `is_isolated` field will return `true`. ## Limitations If a connection closes before Gateway inspects and filters the traffic, Gateway will log the traffic with an Unknown action. Gateway activity logs are not available in the dashboard if you turn on the [Customer Metadata Boundary (CMB)](https://developers.cloudflare.com/data-localization/metadata-boundary/) within Cloudflare Data Localization Suite (DLS). Enterprise users using CMB can still export logs via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). For more information, refer to [DLS product compatibility](https://developers.cloudflare.com/data-localization/compatibility/#zero-trust). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/","name":"Dashboard logs"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/","name":"Gateway activity logs"}}]} ``` --- --- title: Manage PII description: Cloudflare Gateway gives you multiple ways to safely handle your employees' personally identifiable information (PII). By default, PII is redacted from Gateway Activity logs for all permission roles except the Super Administrator and users with the Cloudflare Zero Trust PII role assigned to them. Only the Super Administrator can assign roles and determine who has permission to view PII. Redacting PII does not affect the way PII is captured in logs as the data is simply hidden and no information is lost. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Privacy ](https://developers.cloudflare.com/search/?tags=Privacy) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/manage-pii.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manage PII Cloudflare Gateway gives you multiple ways to safely handle your employees' personally identifiable information (PII). By default, PII is redacted from Gateway Activity logs for all permission roles except the Super Administrator and users with the [Cloudflare Zero Trust PII role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) assigned to them. Only the Super Administrator can assign roles and determine who has permission to view PII. Redacting PII does not affect the way PII is captured in logs as the data is simply hidden and no information is lost. To add or remove the Cloudflare Zero Trust PII role for a user in your organization, refer to [Roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/). Alternatively, you can choose to [exclude PII](#exclude-pii) from Gateway activity logs for all users. ## Types of PII Cloudflare Gateway can log the following types of PII: * Source IP * User email * User ID * Device ID * URL * Referer * User agent ## Exclude PII Turning on the setting to exclude PII means Cloudflare Gateway will log activity without storing any employee PII. Changes to this setting will not change PII storage of any previous logs. This means if the setting is turned on and then turned off, there will be no PII data for logs captured while this setting was turned on. The PII data will be unavailable to all roles within your Zero Trust organization, including the Super Administrator. To turn on the setting to exclude PII: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings**. 2. In **Traffic logging**, turn on **Exclude personally identifiable information (PII) from logs**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/","name":"Dashboard logs"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/","name":"Gateway activity logs"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/manage-pii/","name":"Manage PII"}}]} ``` --- --- title: Posture logs description: Monitor the results of device posture checks performed on your users' devices. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/posture-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Posture logs Posture logs show the [device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) results reported by the Cloudflare One Client. To view device posture logs, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** \> **Logs** \> **Posture logs**. Logs will only display if you have configured [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) for your Zero Trust organization. Enterprise users can generate more detailed logs with [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## Explanation of the fields ### Device details | Field | Description | | ----------------- | ------------------------------------------------- | | **Name** | Name of the device. | | **ID** | Device ID generated by the Cloudflare One Client. | | **Serial number** | Serial number of the device. | | **Manufacturer** | Manufacturer of the device. | | **Model** | Model of the device. | ### User details | Field | Description | | ------------------- | ------------------------------------------------------ | | **Email** | Email used to register the device with Zero Trust. | | **User ID** | UUID of the user who registered the device. | | **Registration ID** | UUID of the user's Cloudflare One Client registration. | ### Posture details | Field | Description | | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Name** | Name of the [device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). | | **Type** | Type of [Cloudflare One Client check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/) or [service provider check](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/). | | **Rule ID** | UUID of the device posture check. | | **Conditions met** | Whether the device passed or failed the posture check criteria. Evaluates to true if the **Received values** match the **Expected values**. | | **Expected values** | Values required to pass the device posture check. | | **Received values** | Posture check values detected by the Cloudflare One Client. | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/","name":"Dashboard logs"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/posture-logs/","name":"Posture logs"}}]} ``` --- --- title: SCIM provisioning logs description: SCIM activity logs allow administrators to audit how SCIM provisioning events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SCIM ](https://developers.cloudflare.com/search/?tags=SCIM) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/scim-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # SCIM provisioning logs SCIM activity logs allow administrators to audit how [SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors. ## View SCIM logs For an overview of SCIM events across all users, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** \> **Logs** \> **SCIM provisioning logs**. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation. To investigate how SCIM events impacted a specific user, go to their [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/). Note New users must first [register the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin. ## Log fields SCIM provisioning logs show the following information for each inbound SCIM request: * **IdP name**: Name of the identity provider * **Timestamp**: Date and time of the request * **Action**: HTTP request method (`POST`, `PUT`, `PATCH`, `DELETE`) * **User email**: User who received the SCIM identity update * **Group name**: Group that received the SCIM identity update * **Resource type**: SCIM resource that was modified (`GROUP` or `USER`) * **CF resource ID**: Persistent identifier for the user or group created by Cloudflare SCIM * **IDP resource ID**: Identifier for the user or group provided by the identity provider * **Outcome**: Whether the SCIM request was applied successfully (`SUCCESS` or `ERROR`) * **Request body**: HTTP request body containing the data that was added, modified, or removed * **JSON log**: SCIM request log in JSON format ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/","name":"Dashboard logs"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/scim-logs/","name":"SCIM provisioning logs"}}]} ``` --- --- title: SSH command logs description: Review SSH commands a user ran on a target. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # SSH command logs SSH command logs record the commands that users run on infrastructure targets protected by [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). Use these logs to audit user activity on your SSH servers. To view SSH command logs, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** \> **Logs** \> **SSH command logs**. ## Prerequisites To generate SSH command logs, you must: 1. Set up [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) for your SSH servers. 2. [Enable SSH command logging](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) by uploading an encryption public key. ## View SSH logs SSH command logs displayed in the dashboard are encrypted using a public key you provide. To view the contents of the logs: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Logs** \> **SSH command logs**. 2. Filter the logs using the name of your SSH application. 3. Select the SSH session for which you want to export command logs. 4. In the side panel, scroll down to **SSH logs** and select **Download**. 5. Decrypt the log using the [SSH Logging CLI ↗](https://github.com/cloudflare/ssh-log-cli/). ## Explanation of the fields | Field | Description | | --------------------------- | -------------------------------------------------------------------------------------------- | | **Session ID** | Unique identifier for the SSH session. | | **User email** | Email address of the user who initiated the SSH session. | | **Target ID** | Identifier of the infrastructure target being accessed. | | **Client address** | Source IP address of the SSH connection. | | **Server address** | Destination IP address of the SSH server. | | **Session start datetime** | Timestamp when the SSH session started. | | **Session finish datetime** | Timestamp when the SSH session ended. | | **Program type** | Type of SSH program (shell, exec, x11, direct-tcpip, or forwarded-tcpip). | | **Payload** | Captured request/response data in asciicast v2 format, including commands for exec programs. | | **Error** | SSH error message, if an error occurred. | ## Export SSH logs with Logpush Enterprise users can export SSH command logs using [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). Logpush payloads are not encrypted with a customer-provided public key. For a list of all available fields, refer to [SSH Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/","name":"Dashboard logs"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs/","name":"SSH command logs"}}]} ``` --- --- title: Tunnel audit logs description: Review Cloudflare Tunnel connection events. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/tunnel-audit-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Tunnel audit logs Audit logs for Tunnel are available in the [account section of the Cloudflare dashboard ↗](https://dash.cloudflare.com/?account=audit-log) which you can find by selecting your name or email in the upper right-hand corner of the dashboard. The following actions are logged: | Action | Description | | ------------ | --------------------------------------------------------------------------------------------------- | | Registered | This is logged when Tunnel is started and connects to the Cloudflare edge. | | Unregistered | This is logged when Tunnel is disconnected from the Cloudflare edge. | | CNAME add | This is logged when Tunnel registers a new DNS (CNAME or AAAA) record for the tunneled application. | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/","name":"Dashboard logs"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/dashboard-logs/tunnel-audit-logs/","name":"Tunnel audit logs"}}]} ``` --- --- title: Logpush integration description: With Cloudflare's Logpush service, you can configure the automatic export of Zero Trust logs to third-party storage destinations or to third-party security information and event management (SIEM) solutions. Once exported, your team can analyze and audit the data as needed. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Logging ](https://developers.cloudflare.com/search/?tags=Logging) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/logpush/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Logpush integration Enterprise-only With Cloudflare's [Logpush](https://developers.cloudflare.com/logs/logpush/) service, you can configure the automatic export of Zero Trust logs to third-party storage destinations or to third-party security information and event management (SIEM) solutions. Once exported, your team can analyze and audit the data as needed. ## Export Zero Trust logs with Logpush To configure Logpush for Zero Trust logs: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Logs**. 2. Select **Manage Logpush**. 3. In Logpush, select **Create a Logpush job**. 4. Choose a [Logpush destination](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/). 5. Follow the service-specific instructions to configure and validate your destination. 6. Choose the [Zero Trust datasets](#zero-trust-datasets) to export. 7. Enter a **Job name**, any [filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/) you would like to add, and the data fields you want to include in the logs. 8. (Optional) In **Advanced settings**, choose the timestamp format you prefer and whether you want to turn on log sampling. 9. Select **Submit**. The setup of your Logpush integration is now complete. Logpush will send updated logs every five minutes to your selected destination. You can configure multiple destinations and add additional fields to your logs by returning to the **Logpush** page. For more information on supported destinations, refer to [Enable destinations](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/). ## Zero Trust datasets Logpush supports all [dashboard logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/) as well as additional datasets not available in the Cloudflare One dashboard. Refer to [Logpush datasets](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/) for a list of all available fields. | Dataset | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [Access Requests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/access%5Frequests/) | HTTP requests to sites protected by Cloudflare Access | | [Audit Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/audit%5Flogs/) | Authentication events through Cloudflare Access | | [Browser Isolation User Actions](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/biso%5Fuser%5Factions/) | Data transfer actions performed by a user in the remote browser | | [CASB Findings](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/casb%5Ffindings/) | Security issues detected by Cloudflare CASB | | [Device Posture Results](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/device%5Fposture%5Fresults/) | Device posture status from the Cloudflare One Client | | [DEX Application Tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) | Device application synthetic test results from the Cloudflare One Client | | [DEX Device State Events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fdevice%5Fstate%5Fevents/) | Device event data like connectivity, CPU usage, and Disk I/O from the Cloudflare One Client | | [Gateway DNS](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fdns/) | DNS queries inspected by Cloudflare Gateway | | [Gateway HTTP](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fhttp/) | HTTP requests inspected by Cloudflare Gateway | | [Gateway Network](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fnetwork/) | Network packets inspected by Cloudflare Gateway | | [MCP Portal Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/mcp%5Fportal%5Flogs/) | Requests made through [MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) | | [SSH Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/) | SSH command logs for [Access for Infrastructure targets](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) | | [WARP Config Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Fconfig%5Fchanges/) | Event logs that Cloudflare generates whenever a device changes [profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) | | [WARP Toggle Events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Ftoggle%5Fchanges/) | Event logs that Cloudflare generates whenever a device toggles the Cloudflare One Client on or off | | [Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/) | Network session logs for traffic proxied by Cloudflare Gateway | ## Verify regional map application If you are using [Regional Services](https://developers.cloudflare.com/data-localization/regional-services/) with Cloudflare One, you can configure which subset of Cloudflare data centers decrypt and route your traffic. This allows you to accommodate regional restrictions like GDPR or meet compliance requirements that include geographic restrictions on data flows or processing. To verify that your regional map is being applied correctly, check the `IngressColoName` field in your [Zero Trust Network Session logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/#ingresscoloname). This field shows the name of the Cloudflare data center where traffic ingressed. Since regionalization is applied upstream from Gateway, the ingress data center will be located within your configured regional map, confirming that traffic is being processed in the correct region. ## Parse DNS logs Logpush logs the following fields for each DNS query: * Query name * Query type * Query class * Response TTL * Response data DNS query resource records are available in [Base64-encoded binary format ↗](https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.3) and JSON. For example: ``` { "ResourceRecords": [ { "type": "5", "data": "d3d3LmV4YW1wbGUuY29tAAABAAUAAABleGFtcGxlLmNvbQ==" }, { "type": "1", "data": "ZXhhbXBsZS5jb20AAAEAAQAAAQIDBAUGBwgJ" } ], "ResourceRecordsJSON": "[{\"name\":\"www.example.com\",\"type\":\"CNAME\",\"class\":\"IN\",\"ttl\":300,\"rdata\":\"example.com.\"},{\"name\":\"example.com\",\"type\":\"A\",\"class\":\"IN\",\"ttl\":300,\"rdata\":\"203.0.113.0\"}]" } ``` ## Additional Logpush guides * [ Email security logs ](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) * [ IDS logs ](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/ids-logs/) * [ Network Firewall log filters ](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/network-firewall-log-filters/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/logpush/","name":"Logpush integration"}}]} ``` --- --- title: Email security logs description: Email security allows you to configure Logpush to send detection data to an endpoint of your choice. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/logpush/email-security-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Email security logs Email security allows you to configure Logpush to send detection data to an endpoint of your choice. ## Enable detection logs Detection logs generate logs made by Email security and some of the metadata associated with the detection. To enable detection logs, refer to [Enable destinations](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/). If you enable detection logs using [R2](https://developers.cloudflare.com/r2/), choose **Email security alerts** when configuring the **Dataset**. ## Enable user action logs User action logs allow you to view logs regarding all actions taken via the [API](https://developers.cloudflare.com/api/resources/email%5Fsecurity/) or the dashboard. Before you can enable audit logs for Email security, you will have to enable logpush jobs to your storage destination. Refer to [Enable destinations](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/) to enable logs on destinations such as Cloudflare R2, HTTP, Amazon S3, and more. Once you have configured your destination, you can set up audit logs for user action: 1. In the Cloudflare dashboard, go to the **Logpush** page. [ Go to **Logpush** ](https://dash.cloudflare.com/?to=/:account/logs) 2. Select your storage destination. 3. Select the three dots > **Edit**. 4. Under **Configure logpush job**: * **Job name**: Enter the job name, if it is not already prepopulated. * **If logs match** \> Select **Filtered logs**: * **Field**: Choose `ResourceType`. * **Operator**: Choose `starts with`. * **Value**: Enter `email_security`. 1. Select **Submit**. You can now view logs via the Cloudflare dashboard. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/logpush/","name":"Logpush integration"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/logpush/email-security-logs/","name":"Email security logs"}}]} ``` --- --- title: IDS logs description: You can use Logpush with Cloudflare Network Firewall IDS to log detected risks. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/logpush/ids-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # IDS logs You can use Logpush with [Cloudflare Network Firewall IDS](https://developers.cloudflare.com/cloudflare-network-firewall/about/ids/) to log detected risks. ## Set up Logpush for IDS 1. Consult the [Logpush Destination docs](https://developers.cloudflare.com/logs/logpush/logpush-job/api-configuration/#destination) to learn about what destinations Logpush supports. The documentation will also instruct you on how to correctly format the destination URL for Logpush. 2. Follow the [Manage Logpush with cURL](https://developers.cloudflare.com/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job. ## Notes on using Logpush with IDS * Magic IDS is an account-scoped dataset. This means the string `/zone/` in the Cloudflare API URLs in the tutorial should be replaced with `/account/`. * Consult the [Magic IDS Detection fields doc](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/magic%5Fids%5Fdetections/) to know what fields you want configured for the job. * When creating the Logpush job, the dataset field should equal `magic_ids_detections`. * Timestamps by default are unixnano. Consult the [Logpush Options docs](https://developers.cloudflare.com/logs/logpush/logpush-job/api-configuration/#options) to learn what format you can choose that will be compatible with your destination and/or expectations. Note that all options must be added _after_ all fields you want from the Logpush job, akin to URL parameters. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/logpush/","name":"Logpush integration"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/logpush/ids-logs/","name":"IDS logs"}}]} ``` --- --- title: Network Firewall log filters description: You can utilize different Log filters to only view specific data from Cloudflare Network Firewall. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/logs/logpush/network-firewall-log-filters.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Network Firewall log filters You can utilize different [Log filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/) to only view specific data from Cloudflare Network Firewall. ## Filter by enabled or disabled rules Use the filter examples below to filter your Cloudflare Network Firewall traffic to display events for enabled or disabled rules. The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only displays fields relevant to Cloudflare Network Firewall, and the filter only displays events for disabled rules. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Logs Write` Create Logpush job ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "destination_conf": "", "output_options": { "field_names": [ "ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict" ] }, "filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"pass\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"drop\"}]}]}}" }' ``` The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only displays fields relevant to Cloudflare Network Firewall, and the filter only displays events for enabled rules. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Logs Write` Create Logpush job ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "destination_conf": "", "output_options": { "field_names": [ "ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict" ] }, "filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"or\":[{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"drop\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"pass\"}]}]}]}}" }' ``` ## Filter by allowed or blocked traffic Use the filter examples below to filter your Cloudflare Network Firewall traffic to display events for allowed or blocked traffic. The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only displays fields relevant to Cloudflare Network Firewall, and the filter only displays events where no explicit action was taken, for example, a packet "fell through" Cloudflare Network Firewall. This example does not have any rules applied. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Logs Write` Create Logpush job ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "destination_conf": "", "output_options": { "field_names": [ "ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict" ] }, "filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"eq\",\"value\":\"\"}]}}" }' ``` The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only displays fields relevant to Cloudflare Network Firewall, and the filter only displays events where explicit action was taken. The example includes both enabled and disabled Cloudflare Network Firewall rules. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Logs Write` Create Logpush job ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "destination_conf": "", "output_options": { "field_names": [ "ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict" ] }, "filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"}]}}" }' ``` ## Filter by relevant fields to Cloudflare Network Firewall Use the examples below to filter out fields that are not relevant to traffic flowing through Cloudflare Network Firewall. The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only includes Cloudflare Network Firewall events. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Logs Write` Create Logpush job ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "destination_conf": "", "output_options": { "field_names": [ "ColoName", "Datetime", "Direction", "IPDestinationAddress", "IPDestinationSubnet", "IPProtocol", "IPSourceAddress", "IPSourceSubnet", "Outcome", "RuleID", "RulesetID", "SampleInterval", "Verdict" ] }, "filter": "{\"where\":{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"}}" }' ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/logs/","name":"Logs"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/logs/logpush/","name":"Logpush integration"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/logs/logpush/network-firewall-log-filters/","name":"Network Firewall log filters"}}]} ``` --- --- title: Network visibility image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/network-visibility/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Network visibility ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/network-visibility/","name":"Network visibility"}}]} ``` --- --- title: Diagnostics description: Cloudflare supports two types of packet captures: full and sample. Full packet captures is the default behavior. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/network-visibility/diagnostics/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Diagnostics Cloudflare supports two types of packet captures: full and sample. Full packet captures is the default behavior. Note The maximum packet capture runtime is 24 hours for sample and full packet captures. ## Sample packet captures Sample packet captures collects historical data on network traffic that has already passed through Cloudflare's network. It will not collect any new traffic sent to Cloudflare's network after the packet capture has started. All sample packet captures will complete immediately after they are started because they query historical traffic data. Sample packet captures can be viewed in the Cloudflare dashboard. They only include the first 160 bytes of data. This is useful for capturing packet headers, but will not provide detailed packet data. The sample data is collected across all Cloudflare's data centers to build a PCAP file. This allows you to get a global picture of traffic across all data centers. You should use full packet captures if you need to collect data on packets that pass through your network less frequently. ## Full packet captures Full packet captures will actively monitor Cloudflare's network for packets that match the selected filters, and will capture the matching packet data. The matching packet data is saved to a cloud storage bucket that is owned and configured by you. Full packet captures will collect new traffic sent to Cloudflare's network after the packet capture has started, and include the full packet data. This type of capture cannot be viewed in the Cloudflare dashboard. You can download them from a cloud storage bucket and analyze them in Wireshark or another packet capture tool. Refer to the articles in this section to learn how to use packet captures. * [ Packet captures ](https://developers.cloudflare.com/cloudflare-one/insights/network-visibility/diagnostics/packet-captures/) * [ Buckets ](https://developers.cloudflare.com/cloudflare-one/insights/network-visibility/diagnostics/buckets/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/network-visibility/","name":"Network visibility"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/network-visibility/diagnostics/","name":"Diagnostics"}}]} ``` --- --- title: Buckets description: Before you can begin a full packet capture, you must first configure a bucket that Cloudflare can use to upload your files. Setting up a bucket is not required for sample packet captures. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/network-visibility/diagnostics/buckets.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Buckets Before you can begin a full packet capture, you must first configure a bucket that Cloudflare can use to upload your files. Setting up a bucket is not required for sample packet captures. You can configure an Amazon S3 or Google Cloud Platform bucket to use as a target. You can also [use R2](#r2) as a target using the API. ## Set up a bucket Learn how to set up a bucket for use with full packet captures. * [ Dashboard ](#tab-panel-3453) * [ API ](#tab-panel-3454) 1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Network visibility** \> **Diagnostics**. 2. Select the **Buckets** tab > **Add a bucket**. 3. Select a bucket service and select **Next**. 4. Enter the information related to your bucket for your service provider. 5. When you are done, select **Next**. The **Prove ownership** step of the **Bucket configuration** displays. Before you can begin using a bucket, you must first enable destinations. Refer to the [Amazon S3](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/aws-s3/#create-and-get-access-to-an-s3-bucket) or [Google Cloud Storage](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/google-cloud-storage/#create-and-get-access-to-a-gcs-bucket) documentation and follow the steps for those specific services. Next, validate the bucket and confirm ownership. ## Validate a bucket After the initial bucket set up, you need to confirm you own the bucket via an ownership challenge. After you validate your bucket, you can begin using it to collect full packet captures. * [ Dashboard ](#tab-panel-3455) * [ API ](#tab-panel-3456) 1. From the **Prove ownership** step of the **Bucket configuration**, locate the **Ownership token** field. 2. In the **Ownership token** field, enter the ownership token for your service provider. 3. When you are done, select **Create**. The **Packet captures** page displays. The **Buckets** tab displays a list of the buckets associated with your account. Refer to the **Status** column to see the status of your bucket configuration. The `bucket` field should be the URI of the bucket. For Amazon S3, the `bucket` field is in the form `s3:///?region=`, and for Google Cloud Storage the form is `gs:///`. Ownership challenge request example ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ --data '{ "destination_conf": "'${bucket}'" }' ``` The response has a `"filename"` parameter which contains the content of the `ownership-challenge` text. Find the file in your bucket and copy the contents of the file. Ownership challenge response example ``` { "result": { "id": "cc20c2d6c62e11ecbe646b173af3b6b9", "status": "pending", "submitted": "2022-04-22T18:54:13.397413Z", "validated": "", "destination_conf": "gs://bucket-test", // Ensure you use a bucket that you created and registered in the Cloudflare dashboard. "filename": "ownership-challenge-1234.txt" }, "success": true, "errors": [], "messages": [] } ``` Validate the bucket by inserting the copied text in the `ownership_text` below: Bucket validation example ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership/validate \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ --data '{ "destination_conf": "'${bucket}'", "ownership_challenge": "'${ownership_text}'" }' ``` Bucket validation response ``` { "result": { "id": "cc20c2d6c62e11ecbe646b173af3b6b9", "status": "success", "submitted": "2022-04-22T18:54:13.397413Z", "validated": "2022-04-27T14:54:46.440548Z", "destination_conf": "gs://", // Ensure you use a bucket that you created and registered in the Cloudflare dashboard "filename": "ownership-challenge-1234.txt" }, "success": true, "errors": [], "messages": [] } ``` If the `status` shows `success`, the bucket is configured and ready to use. The bucket status displays one of the following options: * **Success:** The bucket is fully verified and ready to use. * **Pending:** The challenge response was initiated but is pending verification. Bucket verification can take five to ten minutes to finish processing. * **Failed:** The bucket could not be validated. If this occurs, verify your ownership information. ## List configured buckets View a list of all buckets configured on your account. * [ Dashboard ](#tab-panel-3457) * [ API ](#tab-panel-3458) 1. In the Cloudflare dashboard, go to the **Network health** page. [ Go to **Network health** ](https://dash.cloudflare.com/?to=/:account/networking-insights/health) 2. Go to the **Diagnostics** tab, and select **Buckets**. The list of buckets associated with your account displays. Bucket list request example ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " ``` Bucket list response example ``` { "result": [ { "id": "9a993aa6c58711ec89d3037647342e63", "status": "success", "submitted": "2022-04-26T16:58:24.550762Z", "validated": "2022-04-26T17:01:18.426458Z", "destination_conf": "s3://test-bucket?region=us-east-1", "filename": "ownership-challenge-1234.txt" } ], "success": true, "errors": [], "messages": [] } ``` To learn how to collect packet captures, refer to [Collect packet captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/). ## R2 To start collecting packet captures with R2, you first need to configure it properly. For all the required details, refer to the [Cloudflare R2](https://developers.cloudflare.com/r2/) documentation. ### Create bucket and API token 1. In the Cloudflare One dashboard, go to the **R2** page. [ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/r2/overview) 2. Select **Create bucket**. 3. Give your bucket a name > **Create bucket**. 4. Go to the R2 Overview page, and select **Manage R2 API Tokens**. 5. Select **Create API Token**. 6. In **Permissions**, choose **Object Read & Write**. Make sure you also select **Apply to specific buckets only**, and select the bucket you have created for PCAPs from the drop-down menu. 7. Select **Create API Token**. 8. Make sure you copy the **Secret Access Key** and **Access Key ID** values, as you will need them for the next step. ### Create initial request Create your initial request to R2: Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ --data '{ "destination_conf": "r2://?account-id=&access-key-id=&secret-access-key=" }' ``` The [response](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/subresources/ownership/methods/create/) has a `"filename"` parameter with the name of a file that Cloudflare wrote to your R2 bucket. You need to download it for the next step. Example: ``` { "errors": [], "messages": [], "result": { "destination_conf": "", "filename": "ownership-challenge-9883874ecac311ec8475433579a6bf5f.txt", "id": "9883874ecac311ec8475433579a6bf5f", "status": "success", "submitted": "2020-01-01T08:00:00Z", "validated": "2020-01-01T08:00:00Z" }, "success": true } ``` ### Validate bucket ownership Refer to the [Validate a bucket](#validate-a-bucket) API instructions for more details on the entire process to [validate your R2 bucket](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/subresources/ownership/methods/validate/). When specifying the R2 destination for this validation, exclude the secret and access keys from the URL. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/network-visibility/","name":"Network visibility"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/network-visibility/diagnostics/","name":"Diagnostics"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/network-visibility/diagnostics/buckets/","name":"Buckets"}}]} ``` --- --- title: Packet captures description: After a packet capture is requested and the capture is collected, the output is contained within one or more files in PCAP file format. Before starting a full type packet capture, you must first follow instructions for configuring a bucket. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/insights/network-visibility/diagnostics/packet-captures.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Packet captures After a packet capture is requested and the capture is collected, the output is contained within one or more files in PCAP file format. Before starting a `full` type packet capture, you must first follow instructions for [configuring a bucket](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/pcaps-bucket-setup/). Note Packet captures are available for Cloudflare Advanced Network Firewall users. For access, contact your account team. ## Send a packet capture request Currently, when a packet capture is requested, packets flowing at Cloudflare's global network through the Magic Transit system are captured. The default API field for this is `"system": "magic-transit"`, both for the request and response. Note For help determining which data center to select for a packet capture, go to [https://cloudflare.com/cdn-cgi/trace ↗](https://cloudflare.com/cdn-cgi/trace) and refer to the `colo` field. Note some data centers can be regional such as `ORD` while other names may be more specific like `ord02`. Either of these names can be used for this same field. ### Packet capture limits **Sample and full** * `time_limit`: The minimum value is `1` seconds and maximum value is `300` seconds. * `packet_limit`: The minimum value is `1` packet and maximum value is `10000` packets. **Full** * `byte_limit`: The minimum value is `1` byte and maximum value is `1000000000` bytes. * [ Dashboard ](#tab-panel-3463) * [ API ](#tab-panel-3464) 1. In the Cloudflare dashboard, go to the **Network health** page. [ Go to **Network health** ](https://dash.cloudflare.com/?to=/:account/networking-insights/health) 2. Go to the **Diagnostics** tab. 3. In **Network packet captures**, select **Start a capture**. 4. Choose the type of capture you want to perform, and select **Next**. 5. Fill out the required fields to begin the capture and then select **Start**. The **Network packet captures** page displays a list of captures. The PCAPs API needs both `system` and `type` to be specified to start a capture. A PCAP's `system` is the product or logical subsystem where packets are captured, and a PCAP's `type` is how the captured packets are built into a PCAP file. Currently, you can only send one collect request per minute for sample PCAPs, and you can only have one running or pending full PCAP at a time. Full PCAP For full PCAP requests, refer to the required parameters listed at [Create full PCAP requests](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/methods/create/). Note that full packet captures require two more parameters than sample packets. The full PCAP request endpoint also contains optional fields you can use to limit the amount of packets captured. Both full and sample packet requests contain an optional `filter_v1` parameter you can use to filter packets by IPv4 Source address, for example. For a full list of the filter options, refer to the parameter lists above. Leave `filter_v1` empty to collect all packets without any filtering. Full PCAP example request ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ --data '{ "filter_v1": {}, "time_limit": 300, "packet_limit": 10000, "byte_limit": 100000000, "type": "full", "colo": "ORD", "system": "magic-transit", "destination_conf": "${BUCKET}" }' ``` While the collection is in progress, the response returns the `status` field as `pending`. You must wait for the PCAP collection to complete before downloading the file. When the PCAP is ready to download, the status changes to `success`. Full PCAP example response ``` { "result": { "id": "7d7c88382f0b4d5daa9587aa45a1a877", "submitted": "2022-06-02T18:38:22.269047Z", "filter_v1": {}, "time_limit": 300, "status": "pending", "type": "full", "system": "magic-transit", "packet_limit": 10000, "byte_limit": 100000000, "colo": "ORD", "destination_conf": "gs://" // Ensure you use a bucket that you created and registered in the Cloudflare dashboard }, "success": true, "errors": [], "messages": [] } ``` Sample PCAP To create a sample PCAP request, send a JSON body with the required parameter listed at [Create sample PCAP request](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/methods/create/). Leave `filter_v1` to collect all packets without any filtering. Sample PCAP example request ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ --data '{ "filter_v1": { "source_address": "1.2.3.4", "source_port": 123, "destination_address": "5.6.7.8", "destination_port": 80, "protocol": 6 }, "time_limit": 300, "packet_limit": 10000, "type": "simple", "system": "magic-transit" }' ``` The response is a JSON body that contains the details of the job running to build the packet capture. The response contains a unique identifier for the packet capture request along with the details sent in the request. Sample PCAP example response ``` { "result": { "id": "6d1f0aac13cd40e3900d29f5dd0e8a2b", "submitted": "2021-12-20T17:29:20.641845Z", "filter_v1": { "source_address": "1.2.3.4", "source_port": 123, "destination_address": "5.6.7.8", "destination_port": 80, "protocol": 6 }, "time_limit": 60, "status": "pending", "packets_remaining": 0, "type": "simple", "system": "magic-transit" }, "success": true, "errors": [], "messages": [] } ``` ## Check packet capture status * [ Dashboard ](#tab-panel-3459) * [ API ](#tab-panel-3460) 1. In the Cloudflare dashboard, go to [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health). 2. Go to the **Diagnostics** tab. 3. Locate your capture under **Network packet captures**. To check the status of a running job, send a request to the endpoint and specify the PCAP identifier. The PCAP identifier is received in the response of a collect request as shown in the previous step. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/{pcap_id} \ --header 'X-Auth-Email: ' \ --header 'X-Auth-Key: ' ``` The response will be similar to the one received when requesting a PCAP collection. Sample PCAP example result ``` { "result": { "id": "6d1f0aac13cd40e3900d29f5dd0e8a2b", "submitted": "2021-12-20T17:29:20.641845Z", "filter_v1": { "source_address": "1.2.3.4", "source_port": 123, "destination_address": "5.6.7.8", "destination_port": 80, "protocol": 6 }, "time_limit": 120, "status": "success", "packets_remaining": 0, "type": "simple", "system": "magic-transit" }, "success": true, "errors": [], "messages": [] } ``` The capture status displays one of the following options: * **Complete:** The capture request is done and ready for download. * **In progress:** The capture request was captured but still processing. * **Failure:** The capture failed. If this occurs, verify your ownership information. ## Download packet captures After your request finishes processing, you can download your packet captures. * [ Dashboard ](#tab-panel-3461) * [ API ](#tab-panel-3462) 1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Network visibility** \> **Diagnostics**. 2. In **Packet captures**, select **Start a capture**. 3. Locate your packet capture you want to download, and select **Download**. Packet captures are available to download when the **Status** displays **Success**. For more information on how to process multiple saved capture files into a single output file, refer to [Wireshark's mergecap documentation ↗](https://www.wireshark.org/docs/man-pages/mergecap.html). **Full PCAPs** To obtain full PCAPs, download the files from the bucket specified in `destination_conf` after the PCAP's status is `success`. You may find multiple files named `pcap_.pcap` per capture as captures can occur across multiple machines. **Sample PCAPs** Once the sample PCAP collection is complete, you can download the PCAP by specifying the PCAP identifier used earlier. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/{pcap_id}/download \ --header 'X-Auth-Email: ' \ --header 'X-Auth-Key: ' \ --output download.pcap ``` ## List packet captures * [ Dashboard ](#tab-panel-3465) * [ API ](#tab-panel-3466) 1. In the Cloudflare dashboard, go to the **Network health** page. [ Go to **Network health** ](https://dash.cloudflare.com/?to=/:account/networking-insights/health) 2. Go to the **Diagnostics** tab. The list of packet captures associated with your account displays under **Network packet captures**. To view a list of sent requests, use the following command: List request example ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " ``` The response returns an array that includes up to 50 sent requests, which includes completed and ongoing requests. List response example ``` { "result": [ { "id": "43adab5adeca4dab9c51f4b7f70f2ec3", "submitted": "2021-12-15T03:04:09.277394Z", "filter_v1": {}, "time_limit": 120, "status": "success", "packets_remaining": 0, "type": "simple", "system": "magic-transit" } ], "success": true, "errors": [], "messages": [] } ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/insights/","name":"Insights"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/insights/network-visibility/","name":"Network visibility"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/insights/network-visibility/diagnostics/","name":"Diagnostics"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/insights/network-visibility/diagnostics/packet-captures/","name":"Packet captures"}}]} ``` --- --- title: Access controls description: Learn how to secure your self-hosted and SaaS applications with Zero Trust policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Access controls Learn how to secure your self-hosted and SaaS applications with Zero Trust policies. * [ Applications ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) * [ Policies ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) * [ AI controls ](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/) * [ Service credentials ](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/) * [ Access settings ](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/) * [ Event subscriptions ](https://developers.cloudflare.com/cloudflare-one/access-controls/event-subscriptions/) * [ Troubleshoot Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/) ## Troubleshooting For help resolving common issues with Cloudflare Access, refer to [Troubleshoot Access](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/). Refer to our [reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) for an understanding on how to architect a Zero Trust and SASE solution. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}}]} ``` --- --- title: App Launcher description: With the Access App Launcher, users can open all applications that they have access to from a single dashboard. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/access-settings/app-launcher.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # App Launcher With the Access App Launcher, users can open all applications that they have access to from a single dashboard. The App Launcher is available at a team domain unique to your Cloudflare Zero Trust account, for example `mycompany.cloudflareaccess.com`. Users log in using one of the identity providers configured for the account. Once Access authenticates the user, the App Launcher displays applications they are authorized to use, in the form of application tiles. Selecting an application tile launches the application's hostname, sending the user to that tool as part of their SSO flow. ![App Launcher portal](https://developers.cloudflare.com/_astro/app-launcher.BA8TF5r4_23joar.webp) ## Enable the App Launcher By default, the App Launcher is disabled. To enable it, you must configure a policy that defines which users can access the App Launcher. To enable the App Launcher: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Access settings**. 2. Under the **Manage your App Launcher** card, select **Manage**. 3. On the **Policies** tab, [build a policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to define who can access your App Launcher portal. These rules do not impact permissions for the applications secured behind Access. 4. On the **Authentication** tab, choose the identity providers users can authenticate with. 5. Select **Save**. The App Launcher is now available at `.cloudflareaccess.com`. You can always edit your App Launcher rules by going to **Access controls** \> **Access settings**. ## Add a tile to the App Launcher Tiles have a one-to-one relationship with each application you create in Access. The tile names displayed in the Access App Launcher portal correspond to the application names listed under **Access controls** \> **Applications**. For example, if you create one application for general access to your Jira deployment and a separate application that restricts requests to a particular Jira path, a user authorized for both will see separate tiles for each. If you add multiple hostnames to a single application, the user will only see the domain selected in the application's **App Launcher** settings. To show an Access application in the App Launcher: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Select an application and select **Configure**. 3. Go to **Experience settings**. 4. Select **Show application in App Launcher**. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher. Note This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application. 5. (Optional) To use a custom logo for the application tile, select **Use custom logo** and enter a link to your desired image. Note If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will. 6. In **Application domains**, choose a domain to use for the App Launcher link. 7. (Optional) In **Tags**, add [custom tags](https://developers.cloudflare.com/cloudflare-one/reusable-components/tags/) so that users can more easily find the application in their App Launcher. ## Customize App Launcher appearance To customize the App Launcher with your own branding, messages, and links, refer to the [Custom pages documentation](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/app-launcher-customization/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/access-settings/","name":"Access settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/access-settings/app-launcher/","name":"App Launcher"}}]} ``` --- --- title: Require Access protection description: Cloudflare Access allows you to require Access protection for all hostnames in your account. When this setting is turned on, traffic to any hostname without a matching Access application is automatically blocked. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Security ](https://developers.cloudflare.com/search/?tags=Security) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/access-settings/require-access-protection.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Require Access protection Cloudflare Access allows you to require Access protection for all hostnames in your account. When this setting is turned on, traffic to any hostname without a matching [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) is automatically blocked. This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. Without this setting, a developer could deploy a new application or create a DNS record and inadvertently expose the resource before configuring an Access application. ## Turn on Access protection Warning Turning on Access protection blocks traffic to any hostname that does not have an Access application. Before turning on this setting, verify that all publicly accessible hostnames have an [Access application with an Allow or Bypass policy](#allow-traffic-to-a-hostname). 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and go to **Zero Trust** \> **Access controls** \> **Access settings**. 2. Turn on **Require Cloudflare Access Protection**. You will see a dialog confirming you understand the scope of this change. Select **Confirm**. Traffic to all hostnames in the account is now blocked unless an Access application exists for the hostname. 3. (Optional) Under **Hostnames to Exempt**, select specific domains to exempt from the **Require Cloudflare Access Protection** setting. Traffic to exempted hostnames is allowed even if no Access application exists. Note Cloudflare recommends limiting exemptions to hostnames that host only public-facing content. Internal applications should have an Access application configured. ## Allow traffic to a hostname To allow traffic to a hostname when **Require Cloudflare Access Protection** is turned on: 1. [Create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the hostname. 2. Add an [Allow policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#allow) to grant access to authorized users. 3. (Optional) Add a [Bypass policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#bypass) if the hostname should be publicly accessible without authentication. ## Blocked request behavior When a user attempts to access a hostname without an Access application, Cloudflare displays a block page with `Error 1050: This resource is blocked by this account's Default-Deny policy.` The user cannot proceed until an administrator creates an Access application for that hostname. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/access-settings/","name":"Access settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/access-settings/require-access-protection/","name":"Require Access protection"}}]} ``` --- --- title: Session management description: A user session determines how long a user can access an Access application without re-authenticating. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ JSON web token (JWT) ](https://developers.cloudflare.com/search/?tags=JSON%20web%20token%20%28JWT%29)[ Authentication ](https://developers.cloudflare.com/search/?tags=Authentication) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Session management A user session determines how long a user can access an Access application without re-authenticating. ## Session durations When a user logs in to an application protected by Access, Access validates their identity against your Access policies and generates two signed JSON Web Tokens (JWTs): | Token | Description | Expiration | Storage | | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | | Global session token | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration) | Your Cloudflare team domain | | [Application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) | Allows the user to access a specific Access application. | [Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration) | The hostname protected by the Access application | The user can access the application for the entire duration of the application token's lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP. The global token expiration is usually set to equal or exceed the application token expiration. Setting a longer global token provides a more secure way to allow for longer user sessions, since the global token cannot be used to directly access an application. As an analogy, you can think of the global session like a festival where you buy a ticket to enter for the day. For certain rides or areas, the staff may periodically check your ticket to make sure you are authorized to enter. For example, the backstage area may allow ticket holders to go on a 30 minutes tour, after which you need to sign up for another tour. This is analogous to the app session. Now imagine a special policy exists where VIP ticket holders can go backstage for as long as they want. The VIPs have a policy session duration which overrides the default 30 minutes value. Note Access and the Cloudflare One Client will evaluate identity based on a user's last-known state. If a user authenticates via your Identity Provider, but later authenticates with a different method (such as One-Time PIN), Access will no longer evaluate the user's Identity Provider group memberships. Identity Provider group memberships are created and managed by the IdP and group membership data can only persist in an IdP-based authentication. ### Global session duration The global session duration determines how often Cloudflare Access prompts the user to log in to their identity provider. You can set a global session duration between 15 minutes and one month. The default value is 24 hours. To set the global session duration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Access settings**. 2. Under **Set your global session duration**, select **Edit**, 3. Select the desired timeout duration from the dropdown menu. 4. Select **Save**. The user will be required to re-authenticate with the IdP after this period of time. ### Policy session duration The policy session duration determines how long the user can access a self-hosted Access application. When the user's session expires, Access rechecks their stored user identity against the application's Access policies. By default, the policy session duration is equal to the [application session duration](#application-session-duration). To configure more granular permissions for specific users, you can change the policy session duration to a value ranging from immediate timeout to one month. For example, you may wish to set the application session duration to seven days for engineers, but set a policy session duration to 24 hours for contractors. To set the policy session duration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Policies**. 2. Choose a policy and select **Configure**. 3. Select a **Session Duration** from the dropdown menu. 4. Save the policy. Users who match this policy will be issued an application token with this expiration time. ### Application session duration The application session duration is the default [policy session duration](#policy-session-duration) for all policies in an Access application. Available session durations range from immediate timeout to one month. The default value is 24 hours. To set the application session duration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Choose an application and select **Configure**. 3. Select a **Session Duration** from the dropdown menu. 4. Save the application. Users who match a policy configured with a _Same as application session timeout_ duration will be issued an application token with this expiration time. #### SaaS applications Application session durations only control the front door to a SaaS app; Access does not control how long the user can stay in the SaaS app itself. For example, if the user logs out of the SaaS app and then comes back to it, a valid Access application token allows them to re-authenticate without another login. The SaaS app issues its own authorization cookie that manages the user's session within the app. #### SSH, RDP, and VNC Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one. ### Cloudflare One Client session duration When [Device authentication identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/#configure-warp-sessions-in-access) is enabled for an Access application, the Cloudflare One Client session duration overrides the application and policy session durations. If the global session expires but the user already has a valid Cloudflare One Client session, the user will not need to reauthenticate with the IdP until the Cloudflare One Client session expires, given the user is running the Cloudflare One Client. ### Order of enforcement The following flowchart illustrates how Access enforces user sessions for a self-hosted application. flowchart TB %% Accessibility accTitle: Access session durations accDescr: Flowchart describing the order of enforcement for Access sessions %% In with user traffic start["User goes to Access application"] start--"Device authentication identity enabled" -->warpsession[Device client session expired?] start-- "Device authentication identity disabled" --> policysession[Policy session expired?] warpsession--"Yes"-->idp[Prompt to log in to IdP] warpsession--"No"-->accessgranted[Access granted] policysession--"Yes"-->globalsession[Global session expired?] policysession--"No"-->accessgranted globalsession--"Yes"-->idp globalsession--"No"-->refreshtoken[Check identity against Access policies] refreshtoken-->accessgranted idp-->refreshtoken ## Revoke user sessions Access provides two options for revoking user sessions: per-application and per-user. ### Per-Application To immediately terminate all active sessions for a specific application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Locate the application for which you would like to revoke active sessions and select **Configure**. 3. Select **Revoke existing tokens**. Unless there are changes to rules in the policy, users can start a new session if their profile in your identity provider is still active. ### Per-User Access can immediately revoke a single user session across all applications in your account. However, if the user's identity profile is still active, they can generate a new session. If you want to permanently revoke a user's access: 1. Disable their account in your identity provider so that they cannot authenticate. 2. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Team & Resources** \> **Users**. 3. Select the checkbox next to the user you want to revoke. 4. Select **Action** \> **Revoke**. The user will no longer be able to log in to any application protected by Access. The user will still count towards your seat subscription until you [remove the user](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management) from your account. ### Subsequent Logins When administrators revoke a user's Cloudflare Access token, that user will not be able to log in again for up to 1 minute. If they attempt to do so, Cloudflare Access will display an error. ## Log out as a user To log out of Access, the end user can visit either of the following URLs: * `/cdn-cgi/access/logout` * `.cloudflareaccess.com/cdn-cgi/access/logout` This action [revokes the user's session](#per-user) across all applications. Access will immediately clear the authorization cookie from the user's browser, and all previously issued tokens will stop being accepted in 20-30 seconds. The only difference between these two URLs is which domain the authorization cookie is deleted from. For example, going to `/cdn-cgi/access/logout` will remove the application cookie and make the logout action feel more instantaneous. You can use these URLs to create custom logout buttons or links directly within your application. Note At this time, end users cannot log themselves out on a per-application basis. ## AJAX Pages that rely heavily on AJAX or single-page applications can block sub-requests due to an expired Access token without prompting the user to re-authenticate. You can configure Access to provide a `401` response on sub-requests with an expired session token. We recommend using this response code to either force a page refresh or to display a message to the user that their session has expired. In order to receive a `401` for an expired session, add the following header to all AJAX requests: `X-Requested-With: XMLHttpRequest` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/access-settings/","name":"Access settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/access-settings/session-management/","name":"Session management"}}]} ``` --- --- title: Authenticate MCP server to self-hosted apps description: Cloudflare Access can delegate access from any self-hosted application to an Access for SaaS MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ MCP ](https://developers.cloudflare.com/search/?tags=MCP) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/ai-controls/linked-apps.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Authenticate MCP server to self-hosted apps Cloudflare Access can delegate access from any [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/saas-mcp/) via [OAuth ↗](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes. For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) to ensure that only authorized users can access those applications, either directly or by using an MCP client. flowchart LR accTitle: Link MCP servers and self-hosted applications in Access subgraph SaaS["Access for SaaS
OIDC app"] mcp["MCP server
for internal apps"] end subgraph "Access self-hosted app" app1[Admin dashboard] end subgraph "Access self-hosted app" app2[Company wiki] end User --> client["MCP client"] client --> mcp mcp -- Access token --> app1 mcp -- Access token --> app2 idp[Identity provider] <--> SaaS This guide covers how to use the Cloudflare API to link a self-hosted application to a remote MCP server. The core of this feature is the Linked App Token rule type, which allows an Access policy on one application to accept OAuth access tokens generated for another. ## Prerequisites * A [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) ## 1\. Secure the MCP server with Access for SaaS The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/saas-mcp/). ## 2\. Create an Access policy with a Linked App Token * [ Dashboard ](#tab-panel-3414) * [ API ](#tab-panel-3415) 1. [Create a new Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#create-a-policy). 2. Set the policy **Action** to _Service Auth_. 3. For **Selector**, select _Linked App Token_. 4. For **Value**, select the SaaS application created in [step 1](#1-secure-the-mcp-server-with-access-for-saas). For example, | Action | Rule type | Selector | Value | | ------------ | --------- | ---------------- | -------------------- | | Service Auth | Include | Linked App Token | mcp-server-cf-access | Note The Linked App Token selector only works with the [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) action, similar to service token rules. 1. Get the `id` of the MCP server SaaS application: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Apps and Policies Revoke` * `Access: Apps and Policies Write` * `Access: Apps and Policies Read` List Access applications ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \ --request GET \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` Response ``` { "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1", "type": "saas", "name": "mcp-server-cf-access", ... } ``` 2. Create the following Access policy, replacing the `app_uid` value with the `id` of your SaaS application: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Apps and Policies Write` Create an Access reusable policy ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Allow MCP server", "decision": "non_identity", "include": [ { "linked_app_token": { "app_uid": "3537a672-e4d8-4d89-aab9-26cb622918a1" } } ] }' ``` Note The `linked_app_token` rule type only works with [non\_identity decisions](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth), similar to service token rules. 3. Copy the Access policy `id` returned in the response: Response ``` { "created_at": "2025-08-06T20:06:23Z", "decision": "non_identity", "exclude": [], "id": "a38ab4d4-336d-4f49-9e97-eff8550c13fa", "include": [ { "linked_app_token": { "app_uid": "6cdc3892-f9f1-4813-a5ce-38c2753e1208" } } ], "name": "Allow MCP server", ... } ``` This policy will allow requests if they present a valid OAuth access token that was issued for the specified SaaS application. ## 3\. Update the self-hosted application You can add the Linked App Token policy to any [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in your Zero Trust account. Other app types (such as [SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/)) are [not currently supported](#known-limitations). ## 4\. Configure the MCP server With the policy in place, every API request to the self-hosted application must now include a valid `access_token` from Cloudflare Access. You will need to configure the MCP server to forward the `access_token` in an HTTP request header: ``` Authorization: Bearer ACCESS_TOKEN ``` The end-to-end authorization flow is as follows: 1. The MCP server authenticates against the Access for SaaS app via OAuth. 2. Upon success, the MCP server receives an `access_token`. 3. The MCP server makes an API request to the self-hosted application with the token in the request headers. 4. Cloudflare Access intercepts the request to the self-hosted app, inspects the token, and validates it against the `linked_app_token` rule in the policy. 5. If the token is valid and was issued for the linked SaaS app, the request is allowed. Otherwise, it is blocked. ## Known limitations The MCP OAuth feature only works with self-hosted applications that rely on the [Cloudflare Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) to authenticate and identify the user. If the application implements its own layer of authentication after Cloudflare Access, then this feature is at best a partial solution. Requests that are successfully authenticated by Access may still be blocked by the application itself, resulting in an HTTP `401` or `403` error. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/ai-controls/","name":"AI controls"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/ai-controls/linked-apps/","name":"Authenticate MCP server to self-hosted apps"}}]} ``` --- --- title: MCP server portals description: An MCP server portal centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ MCP ](https://developers.cloudflare.com/search/?tags=MCP) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # MCP server portals An MCP server portal centralizes multiple [Model Context Protocol (MCP) servers ↗](https://www.cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) onto a single HTTP endpoint. ![MCP clients connect through an MCP portal to access internal MCP servers and SaaS MCP servers.](https://developers.cloudflare.com/_astro/mcp-portal.B5web1ii_2x3Bsf.webp) Key benefits include: * **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers and MCP servers secured using OAuth (for example, via [Access for SaaS](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/saas-mcp/) or a [third-party OAuth provider](https://developers.cloudflare.com/agents/model-context-protocol/authorization/)). Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth. * **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be. * **Observability**: Once the user's AI agent is connected to the portal, Cloudflare Access logs the individual requests made using the tools in the portal. This guide explains how to add MCP servers to Cloudflare Access, create an MCP portal with customized tools and policies, and connect users to the portal using an MCP client. ## Prerequisites * An [active domain on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) * Domain uses either a [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) or a [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/) * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured on Cloudflare Zero Trust ## Add an MCP server Add individual MCP servers to Cloudflare Access to bring them under centralized management. To add an MCP server: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **AI controls**. 2. Go to the **MCP servers** tab. 3. Select **Add an MCP server**. 4. Enter any name for the server. 5. (Optional) Enter a custom string for the **Server ID**. 6. In **HTTP URL**, enter the full URL of your MCP server. For example, if you want to add the [Cloudflare Documentation MCP server ↗](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/docs-vectorize), enter `https://docs.mcp.cloudflare.com/mcp`. 7. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals. Warning Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/saas-mcp/). 8. Select **Save and connect server**. 9. If the MCP server supports OAuth, you will be redirected to log in to your OAuth provider. You can log in to any account on the MCP server. The account used to authenticate will serve as the admin credential for that MCP server. You can [configure an MCP portal](#create-a-portal) to use this admin credential to make requests. Cloudflare Access will validate the server connection and fetch a list of tools and prompts. Once the server is successfully connected, the [server status](#server-status) will change to **Ready**. You can now add the MCP server to an [MCP server portal](#create-a-portal). ### Server status The MCP server status indicates the synchronization status of the MCP server to Cloudflare Access. | Status | Description | | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | The server's authentication failed due to expired or incorrect credentials. To fix the issue, [reauthenticate the server](#reauthenticate-the-mcp-server). | | Waiting | The server's tools, prompts, and resources are being synchronized. | | Ready | The server was successfully synchronized and all tools, prompts, and resources are available. | ### Reauthenticate the MCP server To reauthenticate an MCP server in Cloudflare Access: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **AI controls**. 2. Go to the **MCP servers** tab. 3. Select the server that you want to reauthenticate, then select **Edit**. 4. Select **Authenticate server**. You will be redirected to log in to your OAuth provider. The account used to authenticate will serve as the new admin credential for this MCP server. ### Synchronize the MCP server Cloudflare Access automatically synchronizes with your MCP server every 24 hours. To manually refresh the MCP server in Zero Trust: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **AI controls**. 2. Go to the **MCP servers** tab and find the server that you want to refresh. 3. Select the three dots > **Sync capabilities**. The MCP server page will show the updated list of tools and prompts. New tools and prompts are automatically enabled in the MCP server portal. ## Create a portal To create an MCP server portal: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **AI controls**. 2. Select **Add MCP server portal**. 3. Enter any name for the portal. 4. Under **Custom domain**, select a domain for the portal URL. Domains must belong to an active zone in your Cloudflare account. You can optionally specify a subdomain. 5. [Add MCP servers](#add-an-mcp-server) to the portal. 6. (Optional) Under **MCP servers**, configure the tools and prompts available through the portal. 7. (Optional) Configure **Require user auth** for servers that support OAuth: - `Enabled`: (default) User will be prompted to utilize their own login credentials to establish a connection with the MCP server. - `Disabled`: Users who are connected to the portal will automatically have access to the MCP server via its [admin credential](#reauthenticate-the-mcp-server). 8. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to define the users who can connect to the portal URL. 9. Select **Add an MCP server portal**. 10. (Optional) [Customize the login experience](#customize-login-settings) for the portal. Users can now [connect to the portal](#connect-to-a-portal) at `https://./mcp` using an MCP client. ### Customize login settings Cloudflare Access automatically creates an Access application for each MCP server portal. You can customize the portal login experience by updating Access application settings: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Find the portal that you want to configure, then select the three dots > **Edit**. 3. To configure identity providers for the portal: 1. Go to the **Login methods** tab. 2. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) that you want to enable for your application. 3. (Recommended) If you plan to only allow access via a single identity provider, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. 4. To customize the block page: 1. Go to the **Experience settings** tab. 2. Under **Block page**, choose what end users will see when they are denied access to the application: * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message. * **Redirect URL**: Redirect to the specified website. * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One. 5. Select **Save application**. ## Connect to a portal Users can connect to your MCP server running at `https://./mcp` using [Workers AI Playground ↗](https://playground.ai.cloudflare.com/), [MCP inspector ↗](https://github.com/modelcontextprotocol/inspector), or [other MCP clients](https://developers.cloudflare.com/agents/guides/remote-mcp-server/#connect-your-mcp-server-to-claude-and-other-mcp-clients) that support remote MCP servers. To test in Workers AI Playground: 1. Go to [Workers AI Playground ↗](https://playground.ai.cloudflare.com/). 2. Under **MCP Servers**, enter `https://./mcp` for the portal URL. 3. Select **Connect**. 4. In the popup window, log in to your Cloudflare Access identity provider. 5. The popup window will list the MCP servers in the portal that require authentication. For each of these MCP servers, select **Connect** and follow the login prompts. 6. Select **Done** to complete the portal authentication process. Workers AI Playground will show a **Connected** status and list the available tools. You can now ask the AI model to complete a task using an available tool. Requests made to an MCP server will appear in your [portal logs](#view-portal-logs). For MCP clients with server configuration files, we recommend using the `npx` command with the `mcp-remote@latest` argument: MCP client configuration for MCP portals ``` { "mcpServers": { "example-mcp-server": { "command": "npx", "args": [ "-y", "mcp-remote@latest", "https://..com/mcp" ] } } } ``` We do not recommend using the `serverURL` parameter since it may cause issues with portal session creation and management. If you want to force your MCP client to reauthenticate, most MCP clients will refresh a session after removing the existing MCP OAuth sessions. To clear authentication credentials used by your MCP client, open a terminal and run the following command: Note This command will trigger all MCP servers using `mcp-remote@latest` to force reauthenticate, not just MCP portals. Terminal window ``` rm -rf ~/.mcp-auth ``` ## View portal logs Portal logs allow you to monitor user activity through an MCP server portal. You can view logs on a per-portal or per-server basis. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **AI controls**. 2. Find the portal or server that you want to view logs for, then select the three dots > **Edit**. 3. Select **Logs**. ### Log fields | Field | Description | | ---------- | --------------------------------------------------- | | Time | Date and time of the request | | Status | Whether the server successfully returned a response | | Server | Name of the MCP server that handled the request | | Capability | The tool used to process the request | | Duration | Processing time for the request in milliseconds | ### Export logs with Logpush Availability Only available on Enterprise plans. You can automatically export MCP portal logs to third-party storage destinations or security information and event management (SIEM) tools using [Logpush](https://developers.cloudflare.com/logs/logpush/). This allows you to integrate with your existing security workflows and retain logs for as long as your business requires. To set up a Logpush job for MCP portal logs, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). For a list of available log fields, refer to [MCP portal logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/mcp%5Fportal%5Flogs/). ## Troubleshooting ### After authenticating to the portal, my user receives the error `No allowed servers available, check your Zero Trust Policies`. 1. An MCP portal and server must both have an attached Access policy. Ensure that all MCP servers assigned to the portal have their own associated policy. 2. The server's admin authentication may be expired. Check that the [server's status](#server-status) is **Ready**. If the status shows an error, [reauthenticate the server](#reauthenticate-the-mcp-server). ### The portal URL does not prompt for authentication when it is added to an MCP client. 1. Verify that the portal has an assigned Access policy. 2. Verify that the portal URL does not have any applied [Workers](https://developers.cloudflare.com/workers/configuration/routing/custom-domains/), [Page Rules](https://developers.cloudflare.com/rules/page-rules/manage/), [custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) definitions, or any other configuration that may interfere with its ability to connect to the MCP client. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/ai-controls/","name":"AI controls"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/ai-controls/mcp-portals/","name":"MCP server portals"}}]} ``` --- --- title: Secure MCP servers with Access for SaaS description: You can secure Model Context Protocol (MCP) servers by using Cloudflare Access as an OAuth Single Sign-On (SSO) provider. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ MCP ](https://developers.cloudflare.com/search/?tags=MCP) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/ai-controls/saas-mcp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Secure MCP servers with Access for SaaS You can secure [Model Context Protocol (MCP) servers ↗](https://www.cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) by using Cloudflare Access as an OAuth Single Sign-On (SSO) provider. This guide walks through how to deploy a remote MCP server on [Cloudflare Workers](https://developers.cloudflare.com/workers/) that requires Cloudflare Access for authentication. When users connect to the MCP server using an MCP client, they will be prompted to log in to your [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) and are only granted access if they pass your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors). ## Prerequisites * Create a [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization). * Configure [One-time PIN](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) or connect a third-party [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). ## 1\. Deploy an example MCP server To deploy our [example MCP server ↗](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) to your Cloudflare account: * [ Dashboard ](#tab-panel-3416) * [ CLI ](#tab-panel-3417) 1. Select the following button to launch the quickstart flow: [![Deploy to Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) 2. Select the account that contains your Zero Trust organization. 3. On the **Create an application** page, configure the following fields: * **Git account**: Select an existing account or connect a new GitHub or GitLab account. * **Create private Git repository**: Choose whether the project repository should be public or private. * **Project name**: `mcp-server-cf-access` * **Select KV namespace**: _Create new_ * **Name your KV namespace**: `OAUTH_KV` We will configure `ACCESS_CLIENT_ID` and the other secret values in a later step. 4. Select **Create and deploy**. The MCP server will be deployed to your `*.workers.dev` subdomain at `mcp-server-cf-access..workers.dev`. A new git repository will be set up on your GitHub or GitLab account for your MCP server, configured to automatically deploy to Cloudflare each time you push a change or merge a pull request to the main branch of the repository. You can use the [Wrangler CLI](https://developers.cloudflare.com/workers/wrangler) to create the MCP server on your local machine and deploy it to Cloudflare. Prerequisites * Install [npm ↗](https://docs.npmjs.com/getting-started) * Install [Node.js ↗](https://nodejs.org/en/) 1. Open a terminal and clone our example project: Terminal window ``` npm create cloudflare@latest -- mcp-server-cf-access --template=cloudflare/ai/demos/remote-mcp-cf-access ``` During setup, select the following options: * For _Do you want to add an AGENTS.md file to help AI coding tools understand Cloudflare APIs?_, choose `No`. * For _Do you want to use git for version control?_, choose `No`. * For _Do you want to deploy your application?_, choose `No` (we will be making some changes before deploying). 2. Go to the project directory: Terminal window ``` cd mcp-server-cf-access ``` 3. Create a [Workers KV namespace](https://developers.cloudflare.com/kv/concepts/kv-namespaces/) to store the key. The binding name should be `OAUTH_KV` if you want to run the example as written. Terminal window ``` npx wrangler kv namespace create "OAUTH_KV" ``` The command will output the binding name and KV namespace ID: ``` { "kv_namespaces": [ { "binding": "OAUTH_KV", "id": "" } ] } ``` 4. Open `wrangler.jsonc` in an editor and insert your `OAUTH_KV` namespace ID: ``` "kv_namespaces": [ { "binding": "OAUTH_KV", "id": "" } ], ``` 5. You can now deploy the Worker to Cloudflare's global network: Terminal window ``` npx wrangler deploy ``` The Worker will be deployed to your `*.workers.dev` subdomain at `mcp-server-cf-access..workers.dev`. ## 2\. Create an Access for SaaS app * [ Dashboard ](#tab-panel-3420) * [ API ](#tab-panel-3421) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **SaaS**. 4. In **Application**, enter a custom name (for example, `MCP server`) and select the textbox that appears below. 5. Select **OIDC** as the authentication protocol. 6. Select **Add application**. 7. In **Redirect URLs**, enter the authorization callback URL for your MCP server. The callback URL for our [example MCP server](#1-deploy-an-example-mcp-server) is`https://mcp-server-cf-access..workers.dev/callback`. 8. Copy the following values to input into our example MCP server. Other MCP servers may require different sets of input values. * **Client secret** * **Client ID** * **Token endpoint** * **Authorization endpoint** * **Key endpoint** 9. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider. 10. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to define the users who can access the MCP server. 11. Configure how users will authenticate: 1. Select the [**Identity providers**](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application. 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. 3. (Optional) Under **Device authentication identity**, allow users to authenticate to the application using their [ Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). 12. Save the application. 1. Make a `POST` request to the [Access applications](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/create/) endpoint: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Apps and Policies Write` Add an Access application ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "MCP server", "type": "saas", "saas_app": { "auth_type": "oidc", "redirect_uris": [ "https://mcp-server-cf-access..workers.dev/callback" ], "grant_type": [ "authorization_code", "refresh_tokens" ], "refresh_token_options": { "lifetime": "90d" } }, "policies": [ "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" ], "allowed_idps": [] }' ``` 2. Copy the `client_id` and `client_secret` returned in the response. 3. Build the OAuth endpoint URLs using your team name and the `client_id` returned in the response: | Endpoint | URL | | ---------------------- | -------------------------------------------------------------------------------------------- | | Token endpoint | https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//token | | Authorization endpoint | https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//authorization | | Key endpoint | https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//jwks | ## 3\. Configure your MCP server Your MCP server needs to perform an OAuth 2.0 authorization flow to get an `access_token` from the SaaS app created in [Step 1](#1-create-an-access-for-saas-app). When setting up the OAuth client on your MCP server, you will need to paste in the OAuth endpoints and credentials from the Access for SaaS app. To add OAuth endpoints and credentials to our [example MCP server](#1-deploy-an-example-mcp-server): * [ Dashboard ](#tab-panel-3418) * [ CLI ](#tab-panel-3419) 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **Workers & Pages** page. [ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages) 2. Select the `mcp-server-cf-access` Worker. 3. Go to **Settings**. 4. Under **Variables and Secrets**, update each secret with the corresponding value obtained from the [Access for SaaS app](#2-create-an-access-for-saas-app). | Workers secret | SaaS app field | | -------------------------- | ---------------------- | | ACCESS\_CLIENT\_ID | Client ID | | ACCESS\_CLIENT\_SECRET | Client secret | | ACCESS\_TOKEN\_URL | Token endpoint | | ACCESS\_AUTHORIZATION\_URL | Authorization endpoint | | ACCESS\_JWKS\_URL | Key endpoint | Note Use the Client ID, Client secret, and OAuth endpoints copied from the Cloudflare One dashboard. Do not use the OAuth values from your [third-party identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/). 5. For `COOKIE_ENCRYPTION_KEY`, you can use the following command to generate a random string: Terminal window ``` openssl rand -hex 32 ``` Enter the output of this command into `COOKIE_ENCRYPTION_KEY`. 1. Create the following [Workers secrets](https://developers.cloudflare.com/workers/configuration/secrets/): Terminal window ``` npx wrangler secret put ACCESS_CLIENT_ID npx wrangler secret put ACCESS_CLIENT_SECRET npx wrangler secret put ACCESS_TOKEN_URL npx wrangler secret put ACCESS_AUTHORIZATION_URL npx wrangler secret put ACCESS_JWKS_URL ``` 2. When prompted to enter a secret value, paste the corresponding values obtained from the [Access for SaaS app](#2-create-an-access-for-saas-app). | Workers secret | SaaS app field | | -------------------------- | ---------------------- | | ACCESS\_CLIENT\_ID | Client ID | | ACCESS\_CLIENT\_SECRET | Client secret | | ACCESS\_TOKEN\_URL | Token endpoint | | ACCESS\_AUTHORIZATION\_URL | Authorization endpoint | | ACCESS\_JWKS\_URL | Key endpoint | Note Use the Client ID, Client secret, and OAuth endpoints copied from the Cloudflare One dashboard. Do not use the OAuth values from your [third-party identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/). 3. Generate a random string for the cookie encryption key: Terminal window ``` openssl rand -hex 32 ``` Store the output of this command in a Workers secret: Terminal window ``` npx wrangler secret put COOKIE_ENCRYPTION_KEY ``` ## 4\. Test the connection You can now connect to your MCP server at `https://mcp-server-cf-access..workers.dev/mcp` using [Workers AI Playground ↗](https://playground.ai.cloudflare.com/), [MCP inspector ↗](https://github.com/modelcontextprotocol/inspector), or [other MCP clients](https://developers.cloudflare.com/agents/guides/remote-mcp-server/#connect-your-mcp-server-to-claude-and-other-mcp-clients) that support remote MCP servers. To test in Workers AI Playground: 1. Go to [Workers AI Playground ↗](https://playground.ai.cloudflare.com/). 2. Under **MCP Servers**, enter `https://mcp-server-cf-access..workers.dev/mcp` for the MCP server URL. 3. Select **Connect**. 4. A popup window will appear requesting access to the MCP server. Select **Approve**. 5. Follow the prompts to log in to your identity provider. Workers AI Playground will show a **Connected** status. The MCP server should successfully obtain an `access_token` from Cloudflare Access. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/ai-controls/","name":"AI controls"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/ai-controls/saas-mcp/","name":"Secure MCP servers with Access for SaaS"}}]} ``` --- --- title: Add bookmarks description: With Cloudflare One, you can show applications on the App Launcher even if those applications are not secured behind Access. This way, users can access all the applications they need to work, all in one place — regardless of whether those applications are protected by Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/bookmarks.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Add bookmarks With Cloudflare One, you can show applications on the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) even if those applications are not secured behind Access. This way, users can access all the applications they need to work, all in one place — regardless of whether those applications are protected by Access. Links to applications not protected by Access can be added as bookmarks. You can assign [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control which users see the bookmark in the App Launcher. Users who do not match an Allow policy will not see the bookmark tile. Unlike policies for other Access application types, bookmark policies only affect visibility in the App Launcher and do not control access to the destination URL. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **Bookmark**. 3. Name your application. 4. Enter your **Application URL**, for example `https://mybookmark.com`. 5. (Optional) To restrict who can see the bookmark, select an existing policy or create a new one. If you do not add any policies, the bookmark is visible to all users in your organization. * To use an existing policy, select **Select existing policies** and choose the policies you want to apply. Refer to [supported policies](#supported-policies) for policy limitations. * To create a new policy, select **Create new policy** and [build your policy rules](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). 6. Select **Next**. 7. Turn on **App Launcher visibility** if you want the application to be visible in the App Launcher. The toggle does not impact the ability for users to reach the application. 8. (Optional) To add a custom logo for your application, select **Custom** and enter the image URL. Note If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will. 9. Select **Save**. The application will show up on the Applications page labeled as `BOOKMARK`. You can always edit or delete your bookmarks, as you would any other application. ## Authentication logs Bookmark applications do not generate individual [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/#authentication-logs) when a user selects the bookmark tile. Only the authentication event to the App Launcher itself is logged. ## Supported bookmark policies Bookmark policies support all [Access policy selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors), including * Identity-based selectors (such as emails, email domains, or identity provider groups) * Location-based selectors (such as country or IP ranges) * Device posture checks (requires installing the Cloudflare One Client) The following policy features are not supported for bookmark applications: * [Isolate application](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/) * [Purpose justification](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/require-purpose-justification/) * [Temporary authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/temporary-auth/) If you attempt to assign a policy that uses an unsupported feature, the dashboard will display an error. Device posture policies To show bookmarks only to users on managed devices, assign a policy that requires device posture checks (such as [Require Gateway](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/)). The bookmark will only appear in the App Launcher for users whose devices satisfy the posture requirements. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/bookmarks/","name":"Add bookmarks"}}]} ``` --- --- title: Add web applications description: Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and other rules to control who can log in to the application. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Add web applications Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) to control who can log in to the application. ![Cloudflare Access verifies a user's identity before granting access to your application.](https://developers.cloudflare.com/_astro/diagram-saas.BmFlwn8e_Z853ac.webp) You can protect the following types of web applications: * [**SaaS applications**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration. * **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network. * [**Public hostname applications**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) or [partial CNAME setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/). * [**Private network applications**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the Cloudflare One Client on the user's device, but you could also forward device traffic from a [network location](https://developers.cloudflare.com/cloudflare-wan/) or use an agentless option such as [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) or [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). * [**Model Context Protocol (MCP) servers**](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server ↗](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors. * [**Cloudflare Dashboard SSO**](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}}]} ``` --- --- title: Authorization cookie description: Learn how Cloudflare Access uses CF_Authorization cookies to secure self-hosted web applications. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Cookies ](https://developers.cloudflare.com/search/?tags=Cookies)[ JSON web token (JWT) ](https://developers.cloudflare.com/search/?tags=JSON%20web%20token%20%28JWT%29) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Authorization cookie When you protect a site with Cloudflare Access, Cloudflare checks every HTTP request bound for that site to ensure that the request has a valid `CF_Authorization` cookie. If a request does not include the cookie, Access will block the request. ## Access JWTs The `CF_Authorization` cookie contains the user's identity in the form of a [JSON Web Token (JWT) ↗](https://www.cloudflare.com/learning/access-management/token-based-authentication/). Cloudflare securely creates these tokens through the OAUTH or SAML integration between Cloudflare Access and the configured identity provider. Access generates two separate `CF_Authorization` tokens depending on the domain: * **Global session token**: Generated when a user logs in to Access. This token is stored as a cookie at your team domain (for example, `https://.cloudflareaccess.com`) and prevents a user from needing to log in to each application. * [**Application token**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/): Generated for each application that a user reaches. This token is stored as a cookie on the protected domain (for example, `https://jira.site.com`) and may be used to [validate requests](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json) on your origin. ### Multi-domain applications Cloudflare Access allows you to protect and manage multiple domains in a single [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). After a user has successfully authenticated to one domain, Access will automatically issue a `CF_Authorization` cookie when they go to another domain in the same Access application. This means that users only need to authenticate once to a multi-domain application. For Access applications with five or less domains, Access will preemptively set the cookie for all domains through a series of redirects. This allows single-page applications (SPAs) to retrieve data from other subdomains, even if the user has not explicitly visited those subdomains. Note that we cannot set cookies up-front for a wildcarded subdomain, because we do not know which concrete subdomain to redirect to (wildcarded paths are allowed). If the Access application has more than five domains, Access will not preemptively set any cookies. Cookies are only issued as the user visits each domain. This limitation is to avoid latency issues that could affect the user experience. ## Access cookies The following Access cookies are essential to Access functionality. Cookies that are marked as required cannot be opted out of. The following cookies are not used for tracking or analytics. ### CF\_Authorization (team domain) | Details | Expiration | HttpOnly | SameSite | Required? | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | | [JSON web token (JWT)](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts) set on the cloudflareaccess.com [team domain](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) | ViewIf set, adheres to [global session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#global-session-duration).If not, adheres to [application session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).If neither are set, defaults to 24 hours. | Yes | None | Required | ### CF\_Authorization (Access application domain) | Details | Expiration | HttpOnly | SameSite | Required? | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | | [JSON web token (JWT)](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin | ViewIf set, adheres to [policy session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration).If not, adheres to [application session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).If neither are set, defaults to 24 hours. | Admin choice (Default: None) | Admin choice (Default: None) | Required | ### CF\_Binding | Details | Expiration | HttpOnly | SameSite | Required? | | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | | Refer to [Binding cookie](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) | ViewIf set, adheres to [policy session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration).If not, adheres to [application session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).If neither are set, defaults to 24 hours. | Yes | None | Optional | ### CF\_Session | Details | Expiration | HttpOnly | SameSite | Required? | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- | | [CSRF ↗](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used on the cloudflareaccess.com [team domain](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) | 4 hours | Yes | None | Required | ### CF\_AppSession | Details | Expiration | HttpOnly | SameSite | Required? | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- | | [CSRF ↗](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used per application domain, scoped to individual applications behind Access | 24 hours | Yes | None | Required | ### CF\_Device | Details | Expiration | HttpOnly | SameSite | Required? | | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- | -------- | -------- | --------- | | Cookie used to help prevent abuse of the [Access OTP flow ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) | 30 days | Yes | Strict | Required | ## Cookie settings Cloudflare Access provides optional security settings that can be added to the browser cookies generated by Access for an authenticated user. * [SameSite](#samesite-attribute) * [HttpOnly flag](#httponly) * [Binding cookie](#binding-cookie) * [Cookie path](#cookie-path-attribute) To enable these settings: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Locate the application you would like to configure and select **Configure**. 3. Select **Advanced settings** and scroll down to **Cookie settings**. 4. Configure the desired cookie settings. 5. Select **Save application**. ### SameSite Attribute The [SameSite ↗](https://web.dev/samesite-cookies-explained/) Attribute selector restricts the cookie to only being sent if the cookie's defined site matches the site being requested in the browser. This adds protection against [cross-site request forgery (CSRF) ↗](https://en.wikipedia.org/wiki/Cross-site%5Frequest%5Fforgery). The selector options are: * **None** \- Cookies will be sent in all contexts, including cross-origin requests. * **Lax** \- Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by third party websites. * **Strict** \- Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites. Refer to the [Mozilla documentation ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value) for more information. Warning If you are receiving the `ERR_TOO_MANY_REDIRECTS` errors, make sure your `SameSite` setting is set to None or Lax. Setting the `SameSite` setting to Strict can result in too many redirects. #### When not to use SameSite Do not enable `SameSite` restrictions if you have additional sites or applications that rely on a specific application's authorization cookie. ### HttpOnly The `HttpOnly` flag is a cookie attribute that prevents the cookie from being accessed by any client-side scripts, reducing the likelihood of Cross-Site Scripting (XSS) attacks. This flag is enabled by default. #### When not to use HttpOnly Do not enable `HttpOnly` if: * You are using the Access application for non-browser based tools (such as SSH or RDP). * You have software that relies on being able to access a user's cookie generated by Access. ### Binding cookie The binding cookie (`CF_Binding`) is an optional cookie issued when a user successfully authenticates. The binding cookie is sent by the user's browser and tied to a specific application's `CF_Authorization` cookie. This cookie is stripped at Cloudflare's network and never forwarded to the origin server. Binding cookies protect users' `CF_Authorization` cookies from possible malicious origins. If a request arrives to Cloudflare's network without the expected binding cookie, Cloudflare rejects the `CF_Authorization` cookie. #### When not to use Binding Cookie Do not enable Binding Cookie if: * You are using the Access application for non-browser based tools (such as SSH or RDP). * You have enabled [incompatible Cloudflare products](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#product-compatibility) on the application domain. * You have turned on [Device authentication identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/) for the application. ### Cookie Path Attribute The Cookie Path Attribute adds the application's path URL to the `CF_Authorization` cookie. When enabled, a user who logs in to `example.com/path1` must re-authenticate to access `example.com/path2`. When disabled, the `CF_Authorization` cookie is only scoped to the domain and subdomain. ## Allow third-party cookies in the browser By default, some browsers block all third-party cookies in private browsing mode, including the `CF_Authorization` cookie. For XHR requests to work in private windows, you will need to exempt your application and team domain from the browser's tracking protection system. To enable third-party cookies for an Access application: Chrome 1. Go to **Settings** \> **Privacy and security** \> **Cookies and other site data**. 2. Under **Sites that can always use cookies**, add the following URLs: * Hostname of your Access application (for example, `https://jira.site.com`) * `https://.cloudflareaccess.com` Safari 1. Go to **Safari** \> **Settings** \> **Privacy**. 2. Deselect **Block all cookies**. Firefox 1. Go to **Settings** \> **Privacy & Security**. 2. Scroll down to **Cookies and Site Data**. 3. Select **Manage Exceptions**. 4. Enter the URL of your Access application (for example, `https://jira.site.com`) and select **Allow**. 5. Enter `https://.cloudflareaccess.com` and select **Allow**. 6. Select **Save Changes**. Brave 1. Go to `brave://settings/cookies`. 2. Under **Sites that can always use cookies**, add the following URLs: * Hostname of your Access application (for example, `https://jira.site.com`) * `https://.cloudflareaccess.com` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/","name":"Authorization cookie"}}]} ``` --- --- title: Application token description: Learn how Cloudflare Access uses application tokens to secure your origin. Understand JWT structure and payloads. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ JSON web token (JWT) ](https://developers.cloudflare.com/search/?tags=JSON%20web%20token%20%28JWT%29) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Application token Cloudflare Access includes the application token with all authenticated requests to your origin. A typical JWT looks like this: `eyJhbGciOiJSUzI1NiIsImtpZCI6IjkzMzhhYmUxYmFmMmZlNDkyZjY0.eyJhdWQiOlsiOTdlMmFhZ TEyMDEyMWY5MDJkZjhiYzk5ZmMzNDU5MTNh.zLYsHmLEginAQUXdygQo08gLTExWNXsN4jBc6PKdB` As shown above, the JWT contains three Base64-URL values separated by dots: * [Header](#header) * [Payload](#payload) * [Signature](#signature) Unless your application is connected to Access through Cloudflare Tunnel, your application must [validate the token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) to ensure the security of your origin. Validation of the header alone is not sufficient — the JWT and signature must be confirmed to avoid identity spoofing. ## Header ``` { "alg": "RS256", "kid": "9338abe1baf2fe492f646a736f25afbf7b025e35c627be4f60c414d4c73069b8", "typ": "JWT" } ``` * `alg` identifies the encoding algorithm. * `kid` identifies the key used to sign the token. * `typ` designates the token format. ## Payload The payload contains the actual claim and user information to pass to the application. Payload contents vary depending on whether you authenticated to the application with an identity provider or with a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/). ### Identity-based authentication ``` { "aud": ["32eafc7626e974616deaf0dc3ce63d7bcbed58a2731e84d06bc3cdf1b53c4228"], "email": "user@example.com", "exp": 1659474457, "iat": 1659474397, "nbf": 1659474397, "iss": "https://yourteam.cloudflareaccess.com", "type": "app", "identity_nonce": "6ei69kawdKzMIAPF", "sub": "7335d417-61da-459d-899c-0a01c76a2f94", "country": "US" } ``` | Field | Description | | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | aud | [Application audience (AUD) tag](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) of the Access application. | | email | The email address of the authenticated user, verified by the identity provider. | | exp | The expiration timestamp for the token (Unix time). | | iat | The issuance timestamp for the token (Unix time). | | nbf | The not-before timestamp for the token (Unix time), used to check if the token was received before it should be used. | | iss | The Cloudflare Access domain URL for the application. | | type | The type of Access token (app for application token or org for global session token). | | identity\_nonce | A cache key used to get the [user's identity](#user-identity). | | sub | The ID of the user. This value is unique to an email address per account. The user would get a different sub if they are [removed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) and re-added to your Zero Trust organization, or if they log into a different organization. | | country | The country where the user authenticated from. | #### Custom SAML attributes and OIDC claims Access allows you to add custom SAML attributes and OIDC claims to your JWT for enhanced verification, if supported by your identity provider. This is configured when you setup your [SAML](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/) or [OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/) provider. #### User identity User identity is useful for checking application permissions. For example, your application can validate that a given user is a member of an Okta or Microsoft Entra ID group such as `Finance-Team`. Due to cookie size limits and bandwidth considerations, the application token only contains a subset of the user's identity. To get the user's full identity, send the `CF_Authorization` cookie to `https://.cloudflareaccess.com/cdn-cgi/access/get-identity`. Your request should be structured as follows: Terminal window ``` curl -H 'cookie: CF_Authorization=' https://.cloudflareaccess.com/cdn-cgi/access/get-identity ``` Access will return a JSON structure containing the following data: | Field | Description | | ---------------------- | ------------------------------------------------------------------------------------------ | | email | The email address of the user. | | idp | Data from your identity provider. | | geo | The country where the user authenticated from. | | user\_uuid | The ID of the user. | | devicePosture | The device posture attributes. | | account\_id | The account ID for your organization. | | iat | The timestamp indicating when the user logged in. | | ip | The IP address of the user. | | auth\_status | The status if authenticating with mTLS. | | common\_name | The common name on the mTLS client certificate. | | service\_token\_id | The Client ID of the service token used for authentication. | | service\_token\_status | True if authentication was through a service token instead of an IdP. | | is\_warp | True if the user enabled WARP. | | is\_gateway | True if the user enabled the Cloudflare One Client and authenticated to a Zero Trust team. | | gateway\_account\_id | An ID generated by the Cloudflare One Client when authenticated to a Zero Trust team. | | device\_id | The ID of the device used for authentication. | | version | The version of the get-identity object. | | device\_sessions | A list of all sessions initiated by the user. | ### Service token authentication ``` { "type": "app", "aud": ["32eafc7626e974616deaf0dc3ce63d7bcbed58a2731e84d06bc3cdf1b53c4228"], "exp": 1659474457, "iss": "https://yourteam.cloudflareaccess.com", "common_name": "e367826f93b8d71185e03fe518aff3b4.access", "iat": 1659474397, "sub": "" } ``` | Field | Description | | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | type | The type of Access token (app for application token or org for global session token). | | aud | The [application audience (AUD) tag](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) of the Access application. | | exp | The expiration timestamp of the JWT (Unix time). | | iss | The Cloudflare Access domain URL for the application. | | common\_name | The Client ID of the service token (CF-Access-Client-Id). | | iat | The issuance timestamp of the JWT (Unix time). | | sub | Contains an empty string when authentication was through a service token. | ## Signature Cloudflare generates the signature by signing the encoded header and payload using the SHA-256 algorithm (RS256). In RS256, a private key signs the JWTs and a separate [public key](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#access-signing-keys) verifies the signature. For more information on JWTs, refer to [jwt.io ↗](https://jwt.io/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/","name":"Authorization cookie"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/","name":"Application token"}}]} ``` --- --- title: CORS description: Cross-Origin Resource Sharing (CORS) is a mechanism that uses HTTP headers to grant a web application running on one origin permission to reach selected resources in a different origin. The web application executes a cross-origin HTTP request when it requests a resource that has a different origin from its own, including domain, protocol, or port. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ CORS ](https://developers.cloudflare.com/search/?tags=CORS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # CORS Cross-Origin Resource Sharing ([CORS ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)) is a mechanism that uses HTTP headers to grant a web application running on one origin permission to reach selected resources in a different origin. The web application executes a cross-origin HTTP request when it requests a resource that has a different origin from its own, including domain, protocol, or port. For a CORS request to reach a site protected by Access, the request must include a valid `CF-Authorization` cookie. This may require additional configuration depending on the type of request: * [Simple requests ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple%5Frequests) are sent directly to the origin, without triggering a preflight request. For configuration instructions, refer to [Allow simple requests](#allow-simple-requests). * [Preflighted requests ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted%5Frequests) cause the browser to send an OPTIONS request before sending the actual request. The OPTIONS request checks which methods and headers are allowed by the origin. For configuration instructions, refer to [Allow preflighted requests](#allow-preflighted-requests). Important * Do not troubleshoot CORS in Incognito mode, as this will cause disruptions with Access due to `CF-Authorization` being blocked as a third-party cookie on cross origin requests. * Safari, in particular Safari 13.1, handles cookies in a unique format. In some cases, this can cause CORS to fail. This will be dependent on Apple releasing a patch for handling cookies. This is known to impact macOS 10.15.4 when running Safari 13.1 (15609.1.20.111.8). ## Allow simple requests If you make a simple CORS request to an Access-protected domain and have not yet logged in, the request will return a `CORS error`. There are two ways you can resolve this error: * **Option 1** — [Log in and refresh the page](#authenticate-manually). * **Option 2** — [Create a Cloudflare Worker which automatically sends an authentication token](#send-authentication-token-with-cloudflare-worker). This method only works if both sites involved in the CORS exchange are behind Access. ### Authenticate manually 1. Visit the target domain in your browser. You will see the Access login page. 2. Log in to the target domain. This generates a `CF-Authorization` cookie. 3. Refresh the page that made the CORS request. The refresh resends the request with the newly generated cookie. ## Allow preflighted requests If you make a preflighted cross-origin request to an Access-protected domain, the OPTIONS request will return a `403` error. This error occurs regardless of whether you have logged in to the domain. This is because the browser never includes cookies with OPTIONS requests, by design. Cloudflare will therefore block the preflight request, causing the CORS exchange to fail. There are three ways you can resolve this error: * **Option 1** — [Bypass OPTIONS requests to origin](#bypass-options-requests-to-origin). * **Option 2** — [Configure Cloudflare to respond to the OPTIONS request](#configure-response-to-preflight-requests). * **Option 3** — [Create a Cloudflare Worker which automatically sends an authentication token](#send-authentication-token-with-cloudflare-worker). This method only works if both sites involved in the CORS exchange are behind Access. ### Bypass OPTIONS requests to origin You can configure Cloudflare to send OPTIONS requests directly to your origin server. To bypass Access for OPTIONS requests: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Locate the origin that will be receiving OPTIONS requests and select **Configure**. 3. Go to **Advanced settings** \> **Cross-Origin Resource Sharing (CORS) settings**. 4. Turn on **Bypass options requests to origin**. This will remove all existing CORS settings for this application. It is still important to enforce CORS for the Access JWT -- this option should only be used if you have CORS enforcement established in your origin server. ### Configure response to preflight requests You can configure Cloudflare to respond to the OPTIONS request on your behalf. The OPTIONS request never reaches your origin. After the preflight exchange resolves, the browser will then send the main request which does include the authentication cookie (assuming you have logged into the Access-protected domain). To configure how Cloudflare responds to preflight requests: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Locate the origin that will be receiving OPTIONS requests and select **Configure**. 3. Go to **Advanced settings** \> **Cross-Origin Resource Sharing (CORS) settings**. 4. Configure these [CORS settings ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the%5Fhttp%5Fresponse%5Fheaders) to match the response headers sent by your origin. For example, if you have configured `api.mysite.com`to return the following headers: ``` headers: { 'Access-Control-Allow-Origin': 'https://example.com', 'Access-Control-Allow-Credentials' : true, 'Access-Control-Allow-Methods': 'GET, OPTIONS', 'Access-Control-Allow-Headers': 'office', 'Content-Type': 'application/json', } ``` then go to `api.mysite.com` in Access and configure **Access-Control-Allow-Origin**, **Access-Control-Allow-Credentials**, **Access-Control-Allow-Methods**, and **Access-Control-Allow-Headers**.![Example CORS settings configuration in Cloudflare One](https://developers.cloudflare.com/_astro/CORS-settings.C9-43Ja__Zwvcyt.webp) 5. Select **Save application**. 6. (Optional) You can check your configuration by sending an OPTIONS request to the origin with `curl`. For example, Terminal window ``` curl --head --request OPTIONS https://api.mysite.com \ --header 'origin: https://example.com' \ --header 'access-control-request-method: GET' ``` should return a response similar to: ``` HTTP/2 200 date: Tue, 24 May 2022 21:51:21 GMT vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers access-control-allow-origin: https://example.com access-control-allow-methods: GET access-control-allow-credentials: true expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A%2FbOOWJio%2B%2FjuJv5NC%2FE3%2Bo1zBl2UdjzJssw8gJLC4lE1lzIUPQKqJoLRTaVtFd21JK1d4g%2BnlEGNpx0mGtsR6jerNfr2H5mlQdO6u2RdOaJ6n%2F%2BS%2BF9%2Fa12UromVLcHsSA5Y%2Fj72tM%3D"}],"group":"cf-nel","max_age":604800} nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} server: cloudflare cf-ray: 7109408e6b84efe4-EWR ``` ## Send authentication token with Cloudflare Worker If you have two sites protected by Cloudflare Access, `example.com` and `api.mysite.com`, requests made between the two will be subject to CORS checks. Users who log in to `example.com` will be issued a cookie for `example.com`. When the user's browser requests `api.mysite.com`, Cloudflare Access looks for a cookie specific to `api.mysite.com`. The request will fail if the user has not already logged in to `api.mysite.com`. To avoid having to log in twice, you can create a Cloudflare Worker that automatically sends authentication credentials to `api.mysite.com`. ### Prerequisites * [Workers account](https://developers.cloudflare.com/workers/get-started/guide/) * `wrangler` installation * `example.com` and `api.mysite.com` domains [protected by Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/) ### 1\. Generate a service token Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) to generate a new Access service token. Copy the `Client ID` and `Client Secret` to a safe place, as you will use them in a later step. ### 2\. Add a Service Auth policy 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Find your `api.mysite.com` application and select **Configure**. 3. Select the **Policies** tab. 4. Add the following policy: | Action | Rule type | Selector | | ------------ | --------- | ------------- | | Service Auth | Include | Service Token | ### 3\. Create a new Worker Open a terminal and run the following command: npm yarn pnpm ``` npm create cloudflare@latest -- authentication-worker ``` ``` yarn create cloudflare authentication-worker ``` ``` pnpm create cloudflare@latest authentication-worker ``` This will prompt you to install the [create-cloudflare ↗](https://www.npmjs.com/package/create-cloudflare) package and lead you through setup. For setup, select the following options: * For _What would you like to start with?_, choose `Hello World example`. * For _Which template would you like to use?_, choose `Worker only`. * For _Which language do you want to use?_, choose `JavaScript`. * For _Do you want to use git for version control?_, choose `Yes`. * For _Do you want to deploy your application?_, choose `No` (we will be making some changes before deploying). Go to your project directory. Terminal window ``` cd authentication-worker ``` Open `/src/index.js` and delete the existing code and paste in the following example: JavaScript ``` // The hostname where your API lives const originalAPIHostname = "api.mysite.com"; export default { async fetch(request, env) { // Change just the host. If the request comes in on example.com/api/name, the new URL is api.mysite.com/api/name const url = new URL(request.url); url.hostname = originalAPIHostname; // If your API is located on api.mysite.com/anyname (without "api/" in the path), // remove the "api/" part of example.com/api/name // url.pathname = url.pathname.substring(4) // Best practice is to always use the original request to construct the new request // to clone all the attributes. Applying the URL also requires a constructor // since once a Request has been constructed, its URL is immutable. const newRequest = new Request(url.toString(), request); newRequest.headers.set("cf-access-client-id", env.CF_ACCESS_CLIENT_ID); newRequest.headers.set("cf-access-client-secret", env.CF_ACCESS_CLIENT_SECRET); try { const response = await fetch(newRequest); // Copy over the response const modifiedResponse = new Response(response.body, response); // Delete the set-cookie from the response so it doesn't override existing cookies modifiedResponse.headers.delete("set-cookie"); return modifiedResponse; } catch (e) { return new Response(JSON.stringify({ error: e.message }), { status: 500, }); } }, }; ``` Then, deploy the Worker to your Cloudflare account: Terminal window ``` npx wrangler deploy ``` ### 4\. Configure the Worker 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **Workers & Pages** page. [ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages) 2. Select your newly created Worker. 3. In the **Triggers** tab, go to **Routes** and add `example.com/api/*`. The Worker is placed on a subpath of `example.com` to avoid making a cross-origin request. 4. In the **Settings** tab, select **Variables**. 5. Under **Environment Variables**, add the following [secret variables](https://developers.cloudflare.com/workers/configuration/environment-variables/#add-environment-variables-via-the-dashboard): * `CF_ACCESS_CLIENT_ID` \= `` * `CF_ACCESS_CLIENT_SECRET` \= `` The Client ID and Client Secret are copied from your [service token](#1-generate-a-service-token). 1. Enable the **Encrypt** option for each variable and select **Save**. ### 5\. Update HTTP request URLs Modify your `example.com` application to send all requests to `example.com/api/` instead of `api.mysite.com`. HTTP requests should now work seamlessly between two different Access-protected domains. When a user logs in to `example.com`, the browser makes a request to the Worker instead of to `api.mysite.com`. The Worker adds the Access service token to the request headers and then forwards the request to `api.mysite.com`. Since the service token matches a Service Auth policy, the user no longer needs to log in to `api.mysite.com`. ## Troubleshooting In general, we recommend the following steps when troubleshooting CORS issues: 1. Capture a HAR file with the issue described, as well as the JS console log output recorded simultaneously. This is because the HAR file alone will not give full visibility on the reason behind cross-origin issues. 2. Ensure that the application has set `credentials: 'same-origin'` in all fetch or XHR requests. 3. If you are using the [cross-origin setting ↗](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin) on script tags, these must be set to "use-credentials". CORS is failing on the same domain CORS checks do not occur on the same domain. If this error occurs, it is likely the request is being sent without the `CF-Authorization` cookie. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/","name":"Authorization cookie"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/","name":"CORS"}}]} ``` --- --- title: Validate JWTs description: When Cloudflare sends a request to your origin, the request will include an application token as a Cf-Access-Jwt-Assertion request header. Requests made through a browser will also pass the token as a CF_Authorization cookie. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ JSON web token (JWT) ](https://developers.cloudflare.com/search/?tags=JSON%20web%20token%20%28JWT%29) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Validate JWTs When Cloudflare sends a request to your origin, the request will include an [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) as a `Cf-Access-Jwt-Assertion` request header. Requests made through a browser will also pass the token as a `CF_Authorization` cookie. Cloudflare signs the token with a key pair unique to your account. You should validate the token with your public key to ensure that the request came from Access and not a malicious third party. We recommend validating the `Cf-Access-Jwt-Assertion` header instead of the `CF_Authorization` cookie, since the cookie is not guaranteed to be passed. ## Access signing keys The public key for the signing key pair is located at `https://.cloudflareaccess.com/cdn-cgi/access/certs`, where `` is your Cloudflare One team name. By default, Access rotates the signing key every 6 weeks. This means you will need to programmatically or manually update your keys as they rotate. Previous keys remain valid for 7 days after rotation to allow time for you to make the update. You can also manually rotate the key using the [API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/keys/methods/rotate/). This can be done for testing or security purposes. As shown in the example below, `https://.cloudflareaccess.com/cdn-cgi/access/certs` contains two public keys: the current key used to sign all new tokens, and the previous key that has been rotated out. * `keys`: both keys in JWK format * `public_cert`: current key in PEM format * `public_certs`: both keys in PEM format ``` { "keys": [ { "kid": "1a1c3986a44ce6390be42ec772b031df8f433fdc71716db821dc0c39af3bce49", "kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "5PKw-...-AG7MyQ" }, { "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65", "kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "pwVn...AA6Hw" } ], "public_cert": { "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65", "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- " }, "public_certs": [ { "kid": "1a1c3986a44ce6390be42ec772b031df8f433fdc71716db821dc0c39af3bce49", "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- " }, { "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65", "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- " } ] } ``` Avoid key rotation issues * Validate tokens using the external endpoint rather than saving the public key as a hard-coded value. * Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`. ## Verify the JWT manually To verify the token manually: 1. Copy the JWT from the `Cf-Access-Jwt-Assertion` request header. 2. Go to [jwt.io ↗](https://jwt.io/). 3. Select the RS256 algorithm. 4. Paste the JWT into the **Encoded** box. 5. In the **Payload** box, ensure that the `iss` field points to your team domain (`https://.cloudflareaccess.com`). `jwt.io` uses the `iss` value to fetch the public key for token validation. 6. Ensure that the page says **Signature Verified**. You can now trust that this request was sent by Access. ## Programmatic verification You can run an automated script on your origin server to validate incoming requests. The provided sample code gets the application token from a request and checks its signature against your public key. You will need to insert your own team domain and Application Audience (AUD) tag into the sample code. ### Get your AUD tag Cloudflare Access assigns a unique AUD tag to each application. The `aud` claim in the token payload specifies which application the JWT is valid for. To get the AUD tag: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Select **Configure** for your application. 3. From the **Basic information** tab, copy the **Application Audience (AUD) Tag**. You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application. ### Cloudflare Workers example When Cloudflare Access is in front of your [Worker](https://developers.cloudflare.com/workers), your Worker still needs to validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request. The following code will validate the JWT using the [jose NPM package ↗](https://www.npmjs.com/package/jose): * [ JavaScript ](#tab-panel-3422) * [ TypeScript ](#tab-panel-3423) JavaScript ``` import { jwtVerify, createRemoteJWKSet } from "jose"; export default { async fetch(request, env, ctx) { // Verify the POLICY_AUD environment variable is set if (!env.POLICY_AUD) { return new Response("Missing required audience", { status: 403, headers: { "Content-Type": "text/plain" }, }); } // Get the JWT from the request headers const token = request.headers.get("cf-access-jwt-assertion"); // Check if token exists if (!token) { return new Response("Missing required CF Access JWT", { status: 403, headers: { "Content-Type": "text/plain" }, }); } try { // Create JWKS from your team domain const JWKS = createRemoteJWKSet( new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`), ); // Verify the JWT const { payload } = await jwtVerify(token, JWKS, { issuer: env.TEAM_DOMAIN, audience: env.POLICY_AUD, }); // Token is valid, proceed with your application logic return new Response(`Hello ${payload.email || "authenticated user"}!`, { headers: { "Content-Type": "text/plain" }, }); } catch (error) { // Token verification failed const message = error instanceof Error ? error.message : "Unknown error"; return new Response(`Invalid token: ${message}`, { status: 403, headers: { "Content-Type": "text/plain" }, }); } }, }; ``` TypeScript ``` import { jwtVerify, createRemoteJWKSet } from "jose"; interface Env { POLICY_AUD: string; TEAM_DOMAIN: string; } export default { async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise { // Verify the POLICY_AUD environment variable is set if (!env.POLICY_AUD) { return new Response("Missing required audience", { status: 403, headers: { "Content-Type": "text/plain" }, }); } // Get the JWT from the request headers const token = request.headers.get("cf-access-jwt-assertion"); // Check if token exists if (!token) { return new Response("Missing required CF Access JWT", { status: 403, headers: { "Content-Type": "text/plain" }, }); } try { // Create JWKS from your team domain const JWKS = createRemoteJWKSet( new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`) ); // Verify the JWT const { payload } = await jwtVerify(token, JWKS, { issuer: env.TEAM_DOMAIN, audience: env.POLICY_AUD, }); // Token is valid, proceed with your application logic return new Response( `Hello ${payload.email || "authenticated user"}!`, { headers: { "Content-Type": "text/plain" }, } ); } catch (error) { // Token verification failed const message = error instanceof Error ? error.message : "Unknown error"; return new Response(`Invalid token: ${message}`, { status: 403, headers: { "Content-Type": "text/plain" }, }); } }, }; ``` #### Required environment variables Add these [environment variables](https://developers.cloudflare.com/workers/configuration/environment-variables/) to your Worker: * `POLICY_AUD`: Your application's [AUD tag](#get-your-aud-tag) * `TEAM_DOMAIN`: `https://.cloudflareaccess.com`, where `` is replaced with your actual team name. You can set these variables by adding them to your Worker's [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** \> **your-worker** \> **Settings** \> **Environment Variables**. ### Golang example ``` package main import ( "context" "fmt" "net/http" "github.com/coreos/go-oidc/v3/oidc" ) var ( ctx = context.TODO() teamDomain = "https://test.cloudflareaccess.com" certsURL = fmt.Sprintf("%s/cdn-cgi/access/certs", teamDomain) // The Application Audience (AUD) tag for your application policyAUD = "4714c1358e65fe4b408ad6d432a5f878f08194bdb4752441fd56faefa9b2b6f2" config = &oidc.Config{ ClientID: policyAUD, } keySet = oidc.NewRemoteKeySet(ctx, certsURL) verifier = oidc.NewVerifier(teamDomain, keySet, config) ) // VerifyToken is a middleware to verify a CF Access token func VerifyToken(next http.Handler) http.Handler { fn := func(w http.ResponseWriter, r *http.Request) { headers := r.Header // Make sure that the incoming request has our token header // Could also look in the cookies for CF_AUTHORIZATION accessJWT := headers.Get("Cf-Access-Jwt-Assertion") if accessJWT == "" { w.WriteHeader(http.StatusUnauthorized) w.Write([]byte("No token on the request")) return } // Verify the access token ctx := r.Context() _, err := verifier.Verify(ctx, accessJWT) if err != nil { w.WriteHeader(http.StatusUnauthorized) w.Write([]byte(fmt.Sprintf("Invalid token: %s", err.Error()))) return } next.ServeHTTP(w, r) } return http.HandlerFunc(fn) } func MainHandler() http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("welcome")) }) } func main() { http.Handle("/", VerifyToken(MainHandler())) http.ListenAndServe(":3000", nil) } ``` ### Python example `pip` install the following: * flask * requests * PyJWT * cryptography Python ``` from flask import Flask, request import requests import jwt import json import os app = Flask(__name__) # The Application Audience (AUD) tag for your application POLICY_AUD = os.getenv("POLICY_AUD") # Your CF Access team domain TEAM_DOMAIN = os.getenv("TEAM_DOMAIN") CERTS_URL = "{}/cdn-cgi/access/certs".format(TEAM_DOMAIN) def _get_public_keys(): """ Returns: List of RSA public keys usable by PyJWT. """ r = requests.get(CERTS_URL) public_keys = [] jwk_set = r.json() for key_dict in jwk_set['keys']: public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(key_dict)) public_keys.append(public_key) return public_keys def verify_token(f): """ Decorator that wraps a Flask API call to verify the CF Access JWT """ def wrapper(): # Check for the POLICY_AUD environment variable if not POLICY_AUD: return "missing required audience", 403 token = '' if 'CF_Authorization' in request.cookies: token = request.cookies['CF_Authorization'] else: return "missing required cf authorization token", 403 keys = _get_public_keys() # Loop through the keys since we can't pass the key set to the decoder valid_token = False for key in keys: try: # decode returns the claims that has the email when needed jwt.decode(token, key=key, audience=POLICY_AUD, algorithms=['RS256']) valid_token = True break except: pass if not valid_token: return "invalid token", 403 return f() return wrapper @app.route('/') @verify_token def hello_world(): return 'Hello, World!' if __name__ == '__main__': app.run() ``` ### JavaScript (Node.js) example JavaScript ``` const express = require("express"); const jose = require("jose"); // The Application Audience (AUD) tag for your application const AUD = process.env.POLICY_AUD; // Your CF Access team domain const TEAM_DOMAIN = process.env.TEAM_DOMAIN; const CERTS_URL = `${TEAM_DOMAIN}/cdn-cgi/access/certs`; const JWKS = jose.createRemoteJWKSet(new URL(CERTS_URL)); // verifyToken is a middleware to verify a CF authorization token const verifyToken = async (req, res, next) => { // Check for the AUD environment variable if (!AUD) { return res.status(403).send({ status: false, message: "missing required audience", }); } const token = req.headers["cf-access-jwt-assertion"]; // Make sure that the incoming request has our token header if (!token) { return res.status(403).send({ status: false, message: "missing required cf authorization token", }); } try { const result = await jose.jwtVerify(token, JWKS, { issuer: TEAM_DOMAIN, audience: AUD, }); req.user = result.payload; next(); } catch (err) { return res.status(403).send({ status: false, message: "invalid token", }); } }; const app = express(); app.use(verifyToken); app.get("/", (req, res) => { res.send("Hello World!"); }); app.listen(3333); ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/","name":"Authorization cookie"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/","name":"Validate JWTs"}}]} ``` --- --- title: SaaS applications description: Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and are only granted access if they pass your Access policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # SaaS applications Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and are only granted access if they pass your Access policies. Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas/) or [generic OIDC](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation. * [ Generic OIDC application ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/) * [ Generic SAML application ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas/) * [ Adobe Acrobat Sign ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/adobe-sign-saas/) * [ Area 1 ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/area-1/) * [ Asana ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/asana-saas/) * [ Atlassian Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/atlassian-saas/) * [ AWS ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/aws-sso-saas/) * [ Braintree ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/braintree-saas/) * [ Coupa ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/coupa-saas/) * [ Digicert ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/digicert-saas/) * [ DocuSign ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access/) * [ Dropbox ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/dropbox-saas/) * [ GitHub Enterprise Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/github-saas/) * [ Google Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-cloud-saas/) * [ Google Workspace ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas/) * [ Grafana ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc/) * [ Grafana Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc/) * [ Greenhouse Recruiting ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/greenhouse-saas/) * [ Hubspot ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/hubspot-saas/) * [ Ironclad ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/ironclad-saas/) * [ Jamf Pro ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/jamf-pro-saas/) * [ Miro ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/miro-saas/) * [ PagerDuty ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/pagerduty-saml-saas/) * [ Pingboard ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/pingboard-saas/) * [ Salesforce (OIDC) ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc/) * [ Salesforce (SAML) ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-saml/) * [ ServiceNow (OIDC) ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc/) * [ ServiceNow (SAML) ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-saml/) * [ Slack ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/slack-saas/) * [ Smartsheet ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/smartsheet-saas/) * [ SparkPost ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/sparkpost-saas/) * [ Tableau Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/tableau-saml-saas/) * [ Workday ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/workday-saas/) * [ Zendesk ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/zendesk-sso-saas/) * [ Zoom ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/zoom-saas/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}}]} ``` --- --- title: Adobe Acrobat Sign description: This guide covers how to configure Adobe Acrobat Sign as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/adobe-sign-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Adobe Acrobat Sign **Last reviewed:** over 1 year ago This guide covers how to configure [Adobe Acrobat Sign ↗](https://helpx.adobe.com/sign/using/enable-saml-single-sign-on.html) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Adobe Acrobat Sign account * A [claimed domain ↗](https://helpx.adobe.com/sign/using/claim-domain-names.html) in Adobe Acrobat Sign ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, enter `Adobe Sign` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**. 7. Keep this window open without selecting **Select configuration**. You will finish this configuration in step [3\. Finish adding a SaaS application to Cloudflare One](#3-finish-adding-a-saas-application-to-cloudflare-one). ## 2\. Add a SAML SSO provider to Adobe Sign 1. In Adobe Acrobat Sign, select your profile picture > your name > **Account Settings** \> **SAML Settings**. 2. Turn **SAML Allowed** on. 3. Enter a hostname (for example, `yourcompanyname`). Users can use this URL or `https://secure.adobesign.com/public/login` to sign in via SSO. 4. (Optional) For **Single Sign On Login Message**, enter a custom message (for example, `Log in via SSO`). The default message is **Sign in using your corporate credentials**. 5. Fill in the following fields: * **Entity ID/Issuer URL**: Access Entity ID or Issuer from application configuration in Cloudflare One. * **Login URL/SSO Endpoint**: SSO endpoint from application configuration in Cloudflare One. * **IdP Certificate**: Public key from application configuration in Cloudflare One. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. 6. Copy the **Entity ID/SAML Audience** and **Assertion Consumer URL**. 7. Select **Save**. ## 3\. Finish adding a SaaS application to Cloudflare One 1. In your open Cloudflare One window, fill in the following fields: * **Entity ID**: Entity ID/SAML Audience from Adobe Acrobat Sign SAML SSO configuration. * **Assertion Consumer Service URL**: Assertion Consumer URL from Adobe Acrobat Sign SAML SSO configuration. * **Name ID format**: _Email_ 2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 3. Save the application. ## 4\. Test the integration and finalize configuration 1. Open an incognito browser window and go to your Adobe Sign hostname URL or `https://secure.adobesign.com/public/login`. Select the option to sign in via SSO (**Sign in using your corporate credentials** if you have not configured a custom message). You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. Note If you receive an error while testing SSO integration, go to your profile picture > your name > **Account Settings** \> **SAML Errors** for more information. 1. Once this is successful, you can make sign in via SSO mandatory. Select your profile picture > your name > **Account Settings** \> **SAML Settings**, and then turn on **SAML Mandatory**. Keeping **Allow Acrobat Sign Account Administrators to log in using their Acrobat Sign Credentials** turned on will allow administrators to log in even if your account experiences SSO issues. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/adobe-sign-saas/","name":"Adobe Acrobat Sign"}}]} ``` --- --- title: Area 1 description: Cloudflare Area 1 is an email security platform that protects your organization's inbox from phishing, spam, and other malicious messages. This guide covers how to configure Area 1 as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/area-1.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Area 1 **Last reviewed:** over 1 year ago Access to Area 1 Beginning October 1, 2025, access and support for Email Security (formerly Area 1) will only be available through the Cloudflare dashboard. Your Email Security protection will not change, but you will no longer be able to access the Area 1 dashboard or send support requests to `@area1security.com` email addresses. For help accessing the Cloudflare dashboard, reach out to [successteam@cloudflare.com](mailto:successteam@cloudflare.com). [Cloudflare Area 1 ↗](https://www.cloudflare.com/products/zero-trust/email-security/) is an email security platform that protects your organization's inbox from phishing, spam, and other malicious messages. This guide covers how to configure Area 1 as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to your Area 1 account * Your user's email in Area 1 matches their email in Cloudflare One ## 1\. Add Area 1 to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **SaaS**. 4. In the **Application** field, enter `Area 1` and select **Area 1**. (Area 1 is not currently listed in the default drop-down menu.) 5. Enter the following values for your application configuration: | **Entity ID** | https://horizon.area1security.com | | ---------------------------------- | ------------------------------------------------ | | **Assertion Consumer Service URL** | https://horizon.area1security.com/api/users/saml | | **Name ID Format** | _Email_ | 6. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 7. Save the application. ## 2\. Configure SSO for Area 1 Finally, you will need to configure Area 1 to allow users to log in through Cloudflare Access. 1. In your [Area 1 portal ↗](https://horizon.area1security.com/), go to **Settings** \> **SSO**. 2. Turn on **Single Sign On**. 3. (Optional) To require users to sign in through Access, set **SSO Enforcement** to _All_. When SSO is enforced, users will no longer be able to sign in with their Area 1 credentials. 4. In **SAML SSO Domain**, enter `.cloudflareaccess.com`. 5. Get your Metadata XML file: 1. In Cloudflare One, copy the **SSO Endpoint** for your application. ![Copy SSO settings for a SaaS application from Cloudflare One](https://developers.cloudflare.com/_astro/saas-sso-endpoint.ubdoNRaM_1plwk8.webp) 2. In a new browser tab, paste the **SSO Endpoint** and append `/saml-metadata` to the end of the URL. For example, `https://.cloudflareaccess.com/cdn-cgi/access/sso/saml//saml-metadata`. 3. Copy the resulting metadata. 6. Return to the Area 1 portal and paste the metadata into **Metadata XML**. ![Configure SSO in the Area 1 portal](https://developers.cloudflare.com/_astro/area1-sso-config.DWq80iDZ_Z1BhExl.webp) 7. Select **Update Settings**. If you added the application to your App Launcher, you can test the integration by going to `.cloudflareaccess.com`. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/area-1/","name":"Area 1"}}]} ``` --- --- title: Asana description: This guide covers how to configure Asana as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/asana-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Asana **Last reviewed:** over 1 year ago This guide covers how to configure [Asana ↗](https://help.asana.com/hc/en-us/articles/14075208738587-Authentication-and-access-management-options-for-paid-plans#gl-saml) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Super admin access to an Asana Enterprise, Enterprise+, or Legacy Enterprise account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, select _Asana_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `https://app.asana.com/` * **Assertion Consumer Service URL**: `https://app.asana.com/-/saml/consume` * **Name ID format**: _Email_ 7. Copy the **SSO endpoint** and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Add a SAML SSO provider to Asana 1. In Asana, select your profile picture > **Admin console** \> **Security** \> **SAML authentication**. 2. Under **SAML options**, select _Optional_. 3. Fill in the following fields: * Sign-in page URL: SSO endpoint from application configuration in Cloudflare One. * X.509 certificate: Public key from application configuration in Cloudflare One. Wrap the public key in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. 4. Select **Save changes**. ## 3\. Test the integration and require SSO 1. Open an incognito browser window and go to your Asana URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 2. After this is successful, you may want to require users to log in via SSO. In Asana, select your profile picture > **Admin console** \> **Security** \> **SAML authentication**. Under **SAML options**, select **Required for all members, except guest accounts**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/asana-saas/","name":"Asana"}}]} ``` --- --- title: Atlassian Cloud description: This guide covers how to configure Atlassian Cloud as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/atlassian-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Atlassian Cloud **Last reviewed:** almost 2 years ago This guide covers how to configure [Atlassian Cloud ↗](https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to an Atlassian Cloud account * Atlassian Guard Standard subscription * A [domain ↗](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/) verified in Atlassian Cloud ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, select _Atlassian_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**. 7. Keep this window open. You will finish this configuration in step [4\. Finish adding a SaaS application to Cloudflare One](#4-finish-adding-a-saas-application-to-cloudflare-one). ## 2\. Create a x.509 certificate 1. Paste the **Public key** in a text editor. 2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. ## 3\. Configure an identity provider and SAML SSO in Atlassian Cloud 1. In Atlassian Cloud, go to **Security** \> **Identity providers**. 2. Select **Other provider** \> **Choose**. 3. For **Directory name**, enter your desired name. For example, you could enter `Cloudflare Access`. 4. Select **Add** \> **Set up SAML single sign-on** \> **Next**. Note This screen will advise you to create an authentication policy before proceeding. You will do this in step [5\. Create an application policy to test integration](#5-create-an-authentication-policy-to-test-integration). 5. Fill in the following fields: * **Identity provider Entity ID**: Access Entity ID or Issuer from application configuration in Cloudflare One. * **Identity provider SSO URL**: SSO endpoint from application configuration in Cloudflare One. * **Public x509 certificate**: Paste the entire x.509 certificate from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate). 6. Select **Next**. 7. Copy the **Service provider entity URL** and **Service provider assertion consumer service URL**. 8. Select **Next**. 9. Under **Link domain**, select the domain you want to use with SAML SSO. 10. Select **Next** \> **Stop and save SAML**. ## 4\. Finish adding a SaaS application to Cloudflare One 1. In your open Cloudflare One window, fill in the following fields: * **Entity ID**: Service provider entity URL from Atlassian Cloud SAML SSO set-up. * **Assertion Consumer Service URL**: Service provider assertion consumer service URL from Atlassian Cloud SAML SSO set-up. * **Name ID format**: _Email_ 2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 3. Save the application. ## 5\. Create an authentication policy to test integration To enable SSO for users in Atlassian Cloud, create an [Atlassian authentication policy ↗](https://support.atlassian.com/security-and-access-policies/docs/configure-authentication-policies-for-your-organization/): 1. In Atlassian Cloud, go to **Security** \> **Authentication policies**. 2. Select **Add policy**. 3. Under **Directory**, select the identity provider you used to configure SAML SSO. 4. For **Policy name**, enter your desired name. 5. Select **Add**. 6. In **Settings**, turn on **Enforce single sign-on**. 7. In **Members**, select **Add members**. 8. In **Individual Users**, select your desired test user(s) in the dropdown, and select **Add members**. 9. In **Settings**, select **Update** \> **Update**. ## 6\. Test the integration Open an incognito browser window and log in with the credentials of the test user you added to the test authentication policy. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. When this is successful, turn on **Enforce single sign-on** in your desired authentication policy, or add the desired users to the application policy created in step [5\. Create an Application Policy to test Integration](#5-create-an-authentication-policy-to-test-integration). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/atlassian-saas/","name":"Atlassian Cloud"}}]} ``` --- --- title: AWS description: This guide covers how to configure AWS as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/aws-sso-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # AWS **Last reviewed:** almost 2 years ago This guide covers how to configure [AWS ↗](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to an AWS account ## 1\. Get AWS URLs 1. In the AWS admin panel, search for `IAM Identity Center`. 2. Go to **IAM Identity Center** \> **Settings**. 3. In the **Identity source** tab, select the **Actions** dropdown and select _Change identity source_. 4. Change the identity source to **External identity provider**. 5. Copy the values shown in **Service provider metadata**. You will need these values when configuring the SaaS application in Cloudflare One. Next, we will obtain **Identity provider metadata** from Cloudflare One. ## 2\. Add a SaaS application to Cloudflare One 1. In a separate tab or window, open [Cloudflare One ↗](https://one.dash.cloudflare.com) and go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, select _Amazon AWS_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: IAM Identity Center issuer URL * **Assertion Consumer Service URL**: IAM Identity Center Assertion Consumer Service (ACS) URL * **Name ID format**: _Email_ 7. (Optional) Additional SAML attribute statements can be passed from your IdP to AWS SSO. To learn more about AWS Attribute mapping, refer to [Attribute mappings - AWS Single Sign-On ↗](https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedidpattributes). 8. AWS supports uploading a metadata XML file. To download your SAML metadata from Access: 1. Copy the **SAML Metadata endpoint**. 2. In a separate browser window, go to the SAML Metadata endpoint (`https://.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx/saml-metadata`). 3. Save the page as `access_saml_metadata.xml`. 9. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 10. Save the application. ## 3\. Complete AWS configuration 1. Return to the **IAM Identity Center** \> **Settings** \> **Change identity source** tab. 2. Under **IdP SAML metadata**, upload your `access_saml_metadata.xml` file. 3. Select **Next** to review settings, type **ACCEPT** and select **Change identity source** to confirm changes. 4. Confirm that **Provisioning** is set to _Manual_. Important Access for SaaS does not currently support [SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/). Make sure that: 1. Users are created in both your identity provider and AWS. 2. Users have matching usernames in your identity provider and AWS. 3. Usernames are email addresses. This is the only format AWS supports with third-party SSO providers. ## 4\. Test the integration To test the connection, go to your **AWS access portal URL**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/aws-sso-saas/","name":"AWS"}}]} ``` --- --- title: Braintree description: This guide covers how to configure Braintree as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/braintree-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Braintree **Last reviewed:** over 1 year ago This guide covers how to configure [Braintree ↗](https://developer.paypal.com/braintree/articles/guides/single-sign-on-sso) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Braintree production or sandbox account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, enter `Braintree` and select the textbox that appears below. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields with temporary values: * **Entity ID**: `placeholder` * **Assertion Consumer Service URL**: `https://www.placeholder.com` * **Name ID format**: _Email_ 7. Copy the **SSO endpoint** and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Enable SSO Configuration in Braintree 1. In Braintree, create a [support ticket ↗](https://developer.paypal.com/braintree/help). 2. In **Search Issues**, enter `Login and password issues` and select the corresponding value. 3. In **Issue Details**, fill in the following: * **Merchant ID**: Your Braintree Merchant ID. This is the 16-digit value that follows `/merchants/`in your Braintree Control Panel URL. * **Email domain(s) to be used in user IDs**: The email domain(s) that should be allowed to sign in to your account via SSO. * **Single Sign-on HTTP POST Binding URL**: SSO endpoint from application configuration in Cloudflare One * **Certificate for validation**: Public key from application configuration in Cloudflare One. 4. Select whether you are using a **Production** or **Sandbox** account. 5. Fill out the **Your contact information** fields and select **Submit a help request**. 6. When you receive an email stating SSO has been successfully configured for your account, you can proceed to the next step. ## 3\. Finish adding a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Braintree** \> **Edit** \> **Overview**. 3. Replace the temporary values for **Entity ID** and **Assertion Consumer Service URL** with the link provided in the successful SSO configuration email from Braintree support. You will use the same link for both values. 4. Select **Save Application**. ## 4\. Test the integration and add SSO users 1. In your Braintree Control Panel, select the **settings** icon > **Team**. 2. Select your desired test user. 3. Under **Single Sign-On**, select **Enable**. 4. Open an incognito browser window. In the address bar, paste `https://id.sandbox.braintreegateway.com` for a sandbox account or`https://id.braintreegateway.com` for a production account. 5. In **Your corporate email address** field, type your test user's email. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 6. Upon successful sign-in, you can enable SSO for other users using steps 4.1 - 4.3. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/braintree-saas/","name":"Braintree"}}]} ``` --- --- title: Coupa description: This guide covers how to configure Coupa as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/coupa-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Coupa **Last reviewed:** over 1 year ago This guide covers how to configure [Coupa ↗](https://compass.coupa.com/en-us/products/product-documentation/integration-technical-documentation/coupa-core-user-authentication/coupa-saml-sso-setup) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Coupa Stage or Production account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, enter `Coupa` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**:`sso-stg1.coupahost.com` for a stage account or `sso-prd1.coupahost.com` for a production account * **Assertion Consumer Service URL**: `https://sso-stg1.coupahost.com/sp/ACS.saml2` for a stage account or `https://sso-prd1.coupahost.com/sp/ACS.saml2` for a production account * **Name ID format**: _Email_ 7. Copy the **Access Entity ID or Issuer** and **SAML Metadata Endpoint**. 8. In **Default relay state**, enter `https://.coupahost.com/sessions/saml_post`. 9. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 10. Save the application. ## 2\. Download the metadata file 1. Paste the SAML metadata endpoint from application configuration in Cloudflare One in a web browser. 2. Follow your browser-specific steps to download the URL's contents as an `.xml` file. ## 3\. Add a SAML SSO provider in Coupa 1. In Coupa, go to **Setup** \> **Company Setup** \> **Security Controls**. 2. Under **Sign in using SAML**, turn on **Sign in using SAML**. 3. In **Upload IdP metadata**, select **Choose File**, and upload the `.xml` file you downloaded in step [2\. Download the metadata file](#2-download-the-metadata-file). 4. Turn on **Advanced Options**. 5. For **Sign in page URL** and **Timeout URL**, enter `https://sso-stg1.coupahost.com/sp/startSSO.ping?PartnerIdpId=&TARGET=https://.coupahost.com/sessions/saml_post` using the Access Entity ID or Issuer from application configuration in Cloudflare One. 6. Select **Save**. ## 3\. Create a test user and test the integration 1. In Coupa, go to **Setup** \> **Company Setup** \> **Users**. 2. Select **Create**, then enter the user details for your test user. For **Login** and **Single Sign-On ID**, enter the user's email address. 3. Select **Save**. 4. Open an incognito browser window and go to your Coupa URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 5. Once the login is successful, you can configure other users for SSO by adding their email to the **Single Sign-On ID** field in **Setup** \> **Company Setup** \> **Users** \> user's name. Note You can use the following URL to bypass SSO and login via a username and password: `https://.coupahost.com/sessions/support_login`. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/coupa-saas/","name":"Coupa"}}]} ``` --- --- title: Digicert description: This guide covers how to configure Digicert as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/digicert-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Digicert **Last reviewed:** almost 2 years ago This guide covers how to configure [Digicert ↗](https://docs.digicert.com/en/certcentral/manage-account/saml-admin-single-sign-on-guide/configure-saml-single-sign-on.html) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Digicert account * [SAML ↗](https://docs.digicert.com/en/certcentral/manage-account/saml-admin-single-sign-on-guide/saml-single-sign-on-prerequisites.html) enabled in your Digicert account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, enter `Digicert` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `https://www.digicert.com/account/sso/metadata` * **Assertion Consumer Service URL**: `https://www.digicert.com/account/sso/` * **Name ID format**: _Email_ 7. Copy the **SAML Metadata endpoint**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Add a SAML SSO provider in Digicert 1. In Digicert, select **Settings** \> **Single Sign-On** \> **Set up SAML**. 2. Under **How will you send data from your IDP?**, turn on **Use a dynamic URL**. 3. Under **Use a dynamic URL**, paste the SAML Metadata endpoint from application configuration in Cloudflare One. 4. Under **How will you identify a user?**, turn on **NameID**. 5. Under **Federation Name**, enter a name (for example, `Cloudflare Access`). Your users will select this name when signing in. 6. Select **Save SAML Settings**. ## 3\. Test and Enable SSO in Digicert 1. In Digicert, select **Settings** \> **Single Sign-On**. 2. Copy the **SP Initiated Custom SSO URL**. 3. Paste the URL into an incognito browser window and sign in. Upon successful sign in, SAML SSO is fully enabled. 4. (Optional) By default, users can choose to sign in directly or with SSO. To require SSO sign in, go to **Account** \> **Users**. Turn on **Only allow this user to log in through SAML/OIDC SSO** in the user details of the desired user. Note Users can sign in using service provider initiated SSO by using the **SP Initiated Custom SSO URL**. Alternatively, users can go to `www.digicert.com/account`, select **Sign in with SSO**, and enter the name of the identity provider configured in step [2\. Add a SAML SSO provider in Digicert](#2-add-a-saml-sso-provider-in-digicert). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/digicert-saas/","name":"Digicert"}}]} ``` --- --- title: DocuSign description: This guide covers how to configure Docusign as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # DocuSign **Last reviewed:** almost 2 years ago This guide covers how to configure [Docusign ↗](https://support.docusign.com/s/document-item?bundleId=rrf1583359212854&topicId=ozd1583359139126.html) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Docusign account that has Single Sign-On available * A [domain ↗](https://support.docusign.com/s/document-item?bundleId=rrf1583359212854&topicId=gso1583359141256.html) verified in Docusign ## 1\. Create the Access for SaaS application 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an Application**. 3. Select **SaaS**. 4. Use the following configuration: * Set the **Application** to _DocuSign_. * Put placeholder values in **EntityID** and **Assertion Consumer Service URL** (for example, `https://example.com`). We'll come back and update these. * Set **Name ID Format** to: _Unique ID_. 5. DocuSign requires SAML attributes to do Just In Time user provisioning. Ensure you are collecting SAML attributes from your IdP: * Group * username * department * firstName * lastName * phone 6. These IdP SAML values can then be mapped to the following DocuSign SAML attributes: * Email * Surname * Givenname 7. Set an Access policy (for example, create a policy based on _Emails ending in @example.com_). 8. Copy and save the **SSO Endpoint**, **Entity ID** and **Public Key**. 9. Transform the **Public Key** into a fingerprint: 1. Copy the **Public Key** Value. 2. Paste the **Public Key** into VIM or another code editor. 3. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. 4. Set the file extension to `.crt` and save. ## 2\. Configure your DocuSign SSO instance 1. Ensure you have a domain claimed in DocuSign. 2. From the DocuSign Admin dashboard, select **Identity Providers**. 3. On the Identity Providers page, select **ADD IDENTITY PROVIDER**. Use the following mappings from the saved Access Application values: * **Name**: Pick your desired name. * **Identity Provider Issuer**: Entity ID. * **Identity Provider Login URL**: Assertion Consumer Service URL. 4. Save the Identity Provider. 5. Upload your certificate to the _DocuSign Identity Provider_ menu. 6. Configure your SAML Attribute mappings. The Attribute Names should match the values in **IdP Value** in your Access application. 7. Go back to the Identity Provider's screen and select **Actions** \> **Endpoints**. Copy and save the following: * Service Provider Issuer URL. * Service Provider Assertion Consumer Service URL. ## 3\. Finalize your Cloudflare configuration 1. Go back to your DocuSign application under **Access controls** \> **Applications**. 2. Select **Edit**. 3. Use the following mappings: * EntityID->Service Provider Issuer URL. * Assertion Consumer Service URL -> Service Provider Assertion Consumer Service URL. 4. Save the application. When ready, enable the SSO for your DocuSign account and you will be able to login to DocuSign via Cloudflare SSO and your Identity Provider. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access/","name":"DocuSign"}}]} ``` --- --- title: Dropbox description: This guide covers how to configure Dropbox as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/dropbox-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Dropbox **Last reviewed:** over 1 year ago This guide covers how to configure [Dropbox ↗](https://help.dropbox.com/security/sso-admin) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Dropbox Advanced, Business Plus, or Enterprise account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, select `Dropbox`. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `Dropbox` * **Assertion Consumer Service URL**: `https://www.dropbox.com/saml_login` * **Name ID format**: _Email_ 7. Copy the **SSO endpoint** and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Create a certificate file 1. Paste the **Public key** in a text editor. 2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. 3. Set the file extension as `.pem` and save. ## 3\. Add a SAML SSO provider to Dropbox 1. In Dropbox, go to your profile picture > **Settings** \> **Admin Console** \> **Security** \> **Single sign-on**. 2. For **Single sign-on**, select _Optional_. 3. Select **Add Identity provider sign-in URL**. 4. Paste the SSO endpoint from application configuration in Cloudflare One and select **Done**. 5. Select **Add X.509 certificate** and upload the `.pem` file from step [2\. Create a certificate file](#2-create-a-certificate-file). 6. Copy **SSO sign-in URL**. This is your custom Dropbox SSO URL. 7. Select **Save**. ## 3\. Test the integration and require SSO 1. Open an incognito browser window and go to your custom Dropbox SSO URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 2. After this is successful, you may want to require users to log in via SSO. Go to your profile picture > **Settings** \> **Admin Console** \> **Security** \> **Single sign-on**. For **Single sign-on**, select _Required_. Dropbox will send an email to your users notifying them of the change. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/dropbox-saas/","name":"Dropbox"}}]} ``` --- --- title: Generic OIDC application description: This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the OpenID Connect (OIDC) authentication protocol. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSO ](https://developers.cloudflare.com/search/?tags=SSO) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Generic OIDC application This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the OpenID Connect (OIDC) authentication protocol. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to the account of the SaaS application ## 1\. Get SaaS application URL In your SaaS application account, obtain the **Redirect URL** (also known as the callback URL). This is the SaaS endpoint where users are redirected to after they authenticate with Cloudflare Access. Some SaaS applications provide the Redirect URL after you [configure the SSO provider](#3-configure-sso-in-your-saas-application). ## 2\. Add your application to Access 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **SaaS**. 4. Select your **Application** from the drop-down menu. If your application is not listed, enter a custom name in the **Application** field and select the textbox that appears below. 5. Select **OIDC**. 6. Select **Add application**. 7. In **Scopes**, select the user attributes that you want Access to send in the ID token. For more information about configuring OIDC scopes and claims, refer to [OIDC claims](#oidc-claims). 8. In **Redirect URLs**, enter the callback URL obtained from the SaaS application. 9. (Optional) Enable [Proof of Key Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 10. Copy the following values to input into your SaaS application. Different SaaS applications may require different sets of input values. | Field | Description | | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Client secret | Credential used to authorize Access as an SSO provider | | Client ID | Unique identifier for this Access application | | Configuration endpoint | If supported by your SaaS application, you can configure OIDC using this endpoint instead of manually entering the URLs listed below. https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//.well-known/openid-configuration | | Issuer | Base URL for this OIDC integration https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc/ | | Token endpoint | Returns the user's ID token https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//token | | Authorization endpoint | URL where users authenticate with Access https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//authorization | | Key endpoint | Returns the current public keys used to [verify the Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//jwks | | User info endpoint | Returns all user claims in JSON format https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//userinfo | 11. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. 12. Configure how users will authenticate: 1. Select the [**Identity providers**](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application. 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. 3. (Optional) Under **Device authentication identity**, allow users to authenticate to the application using their [ Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). 13. Select **Next**. 14. Configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://.example-app.com`) but could be a different value. 15. Under **Block page**, choose what end users will see when they are denied access to the application: * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message. * **Redirect URL**: Redirect to the specified website. * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One. 16. Select **Save application**. ## 3\. Configure SSO in your SaaS application Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party OIDC SSO provider. ## 4\. Test the integration Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. ## OIDC claims OIDC claims refer to the user identity characteristics that Cloudflare Access shares with your OIDC SaaS application upon successful authentication. An OIDC scope defines a set of OIDC claims. By default, Cloudflare Access passes all [standard claims ↗](https://openid.net/specs/openid-connect-core-1%5F0.html#StandardClaims) that are included in the `openid`, `email`, `profile`, and `groups` scopes (if available). | Scope | Description | | ------- | ----------------------------------------------------------------- | | openid | Includes a unique identifier for the user (required). | | email | Includes the user's email address. | | profile | Includes the user's name and all custom OIDC claims from the IdP. | | groups | Include the user's IdP group membership. | In your Access application, you can configure the OIDC scopes and claims that Access sends to the SaaS provider. For example, you can remove the `groups` scope if your SaaS application does not need to receive user group information. ### Filter groups In **Group filter regex**, you can enter a regular expression to define the identity provider groups that you want to include in the `groups` scope. For example, if you enter the expression `(^TEAM-Engineering-.$)|(^TEAM-Product-.$)`, only groups with names like TEAM-Engineering-A or TEAM-Product-B would get passed to the SaaS application. ### Add claims To add additional OIDC claims onto the ID token sent to your SaaS application, configure the following fields for each claim: * **Name**: OIDC claim name * **Scope**: Select the OIDC scope where this claim should be included. In most cases, we recommend selecting `profile` since it already includes other custom claims from the IdP. * **IdP claim**: The identity provider value that should map to this OIDC claim. You can select any [SAML attribute](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#saml-headers-and-attributes) or [OIDC claim](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that was configured in a Zero Trust IdP integration. * **Required**: If a claim is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page. * **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**. ## Advanced settings ### Access token lifetime The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/), otherwise the global session would take precedence. Note OIDC Access tokens only control the front door to a SaaS app; Access does not control how long the user can stay in the SaaS app itself. For example, if the user logs out of the SaaS app and then comes back to it, a valid Access token allows them to re-authenticate without another login. The SaaS app issues its own authorization cookie that manages the user's session within the app. ### OIDC flows Some SaaS applications require SSO providers to provide tokens to the browser without backend authentication. Access for SaaS supports the following OIDC flows: * **No additional OIDC flows**: (Default) Recommended unless your application requires additional flows. * **Hybrid flows**: Used by applications that require information from the ID token before authenticating the user. * **Implicit flows**: (Not recommended) Typically used by frontend applications that cannot store secrets and which do not support **PKCE without client secret**. Cloudflare allows various `response_type` values in the authorization request depending on the selected flow. For example, the implicit flow allows Cloudflare to return the ID token, Access token, or both the ID token and Access token from the Authorization endpoint. | response\_type values | Default flow | Hybrid flow | Implicit flow | | --------------------- | ------------ | ----------- | ------------- | | code | ✅ | ✅ | ❌ | | id\_token | ❌ | ✅ | ✅ | | token | ❌ | ✅ | ✅ | To include `id_token` in the authorization request, turn on **Return ID Token from Authorization Endpoint**. To include `token`, turn on **Return Access Token from Authorization Endpoint** Note [Refresh tokens](#access-token-lifetime) are not supported with Hybrid or Implicit flows. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/","name":"Generic OIDC application"}}]} ``` --- --- title: Generic SAML application description: This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Generic SAML application This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to the account of the SaaS application ## 1\. Get SaaS application URLs Obtain the following URLs from your SaaS application account: * **Entity ID**: A unique URL issued for your SaaS application, for example `https://.my.salesforce.com`. * **Assertion Consumer Service URL**: The service provider's endpoint for receiving and parsing SAML assertions. ## 2\. Add your application to Access 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **SaaS**. 4. Select your **Application** from the drop-down menu. If your application is not listed, enter a custom name in the **Application** field and select the textbox that appears below. 5. Select **SAML**. 6. Select **Add application**. 7. Enter the **Entity ID** and **Assertion Consumer Service URL** obtained from your SaaS application account. 8. Select the **Name ID Format** expected by your SaaS application (usually _Email_). 9. (Optional) Configure any additional [SAML attribute statements](#saml-attributes) required by your SaaS application. 10. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. IdP groups If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. 1. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. 2. Configure how users will authenticate: 1. Select the [**Identity providers**](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application. 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. 3. (Optional) Under **Device authentication identity**, allow users to authenticate to the application using their [ Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). 3. Select **Next**. 4. (Optional) Configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. 5. Under **Block page**, choose what end users will see when they are denied access to the application: * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message. * **Redirect URL**: Redirect to the specified website. * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One. 6. Select **Save application**. ## 3\. Configure SSO in your SaaS application Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party SAML SSO provider. You will need the following values from the Cloudflare One: * **SSO endpoint** * **Access Entity ID or Issuer** * **Public key** You can either manually enter this data into your SaaS application or upload a metadata XML file. The metadata is available at the URL: `/saml-metadata`. ### Validate SAML Response When acting as a SAML identity provider, Cloudflare will sign both the SAML Response and the SAML Assertion using the SHA-256 algorithm. The SaaS application can validate this signature using the **Public key** that you upload to the SaaS application. ## 4\. Test the integration Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. ## SAML attributes [SAML attributes](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#saml-headers-and-attributes) refer to the user identity characteristics that Cloudflare Access shares with your SAML SaaS application upon successful authentication. By default, Cloudflare Access passes the following attributes (if available) to the SaaS application: * `id` \- UUID of the user's Access identity * `name` \- Full name of the user (for example, `John Doe`) * `email` \- User's email address * `groups` \- Identity provider group membership In Access for SaaS, you can add additional SAML attributes or customize the SAML statement sent to the SaaS application. This allows you to integrate SaaS applications which have specific SAML attribute requirements. ### SAML attribute statements To send additional SAML attributes to your SaaS application, configure the following fields for each attribute: * **Name**: SAML attribute name * **SAML friendly name**: (Optional) A human readable name for the SAML attribute * **Name format**: Specify the **Name** format expected by the SaaS application: * `Unspecified`: (default) No specific format required. * `URI`: Name is in a format such as `urn:ietf:params:scim:schemas:core:2.0:User:userName` or `urn:oid:2.5.4.42`. * `Basic`: Name is a normal string such as `userName`. * **IdP claim**: The identity provider value that should map to this SAML attribute. You can select any [SAML attribute](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#saml-headers-and-attributes) or [OIDC claim](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that was configured in a Cloudflare One IdP integration. * **Required**: If an attribute is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page. * **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**. ### JSONata transforms In **Advanced settings** \> **Transformation**, you can enter a [JSONata ↗](https://jsonata.org/) script that modifies a copy of the [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/). This is useful for setting default values, excluding email addresses, or ensuring usernames meet arbitrary criteria. Access will send the modified user identity to the SaaS application as SAML attributes. Note JSONata transformations are not compatible with [SAML attribute statements](#saml-attribute-statements). JSONata transformations will override any specified SAML attributes. For example, the following JSONata script merges group names into a list and adds an `eduPersonPrincipalName` field which maps to the user email. JSONata expression ``` $merge([$, {"groups": groups.name, 'eduPersonPrincipalName': email}]) ``` Here is an example of a user identity before applying the JSONata transform: User identity before JSONata transform ``` { "account_id": "699d98642c564d2e855e9661899b7252", "amr": [ "pwd" ], "auth_status": "NONE", "common_name": "", "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", "device_sessions": { "49e653db-991e-11ee-af26-2243bf8c3428": { "last_authenticated": 1703004275 } }, "devicePosture": { "8534a230-e85e-4183-8964-a4b7dcf72986": { "rule_name": "Warp", "success": true, "type": "warp" } }, "email": "jdoe@company.com", "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", "geo": { "country": "US" }, "groups": [ { "id": "12fdf91a-fb23-41b3-995a-de2f72c61d0e", "name": "IdentityProtection-RiskyUser-RiskLevel-low" }, { "id": "12348f47-8234-4860-a03f-c2a1513f267b", "name": "Global Administrator" }, { "id": "11235980-87d7-4917-b0aa-74c01914c40e", "name": "Application Administrator" } ], "iat": 1659474397, "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", "idp": { "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", "type": "azureAD" } } ``` Result after applying the example JSONata script: ``` { "account_id": "699d98642c564d2e855e9661899b7252", "amr": [ "pwd" ], "auth_status": "NONE", "common_name": "", "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", "device_sessions": { "49e653db-991e-11ee-af26-2243bf8c3428": { "last_authenticated": 1703004275 } }, "devicePosture": { "8534a230-e85e-4183-8964-a4b7dcf72986": { "rule_name": "Warp", "success": true, "type": "warp" } }, "email": "jdoe@company.com", "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", "geo": { "country": "US" }, "groups": [ "IdentityProtection-RiskyUser-RiskLevel-low", "Global Administrator", "Application Administrator" ], "iat": 1659474397, "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", "idp": { "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", "type": "azureAD" }, "eduPersonPrincipalName": "jdoe@company.com" } ``` For more JSONata transform use cases, refer to the following examples. Remove groups attribute The following JSONata script removes the `groups` SAML attribute. This can be useful if your SaaS application does not need to receive user group information. JSONata expression ``` $ ~> |$|{}, ['groups']| ``` Result after applying the JSONata transform: ``` { "account_id": "699d98642c564d2e855e9661899b7252", "amr": [ "pwd" ], "auth_status": "NONE", "common_name": "", "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", "device_sessions": { "49e653db-991e-11ee-af26-2243bf8c3428": { "last_authenticated": 1703004275 } }, "devicePosture": { "8534a230-e85e-4183-8964-a4b7dcf72986": { "rule_name": "Warp", "success": true, "type": "warp" } }, "email": "jdoe@company.com", "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", "geo": { "country": "US" }, "iat": 1659474397, "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", "idp": { "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", "type": "azureAD" } } ``` Rename groups field and remove group ID The following JSONata script changes the `groups.name` field from `name` to `group_name` and removes the `groups.id` field: JSONata expression ``` { "account_id": account_id, "amr": amr, "auth_status": auth_status, "common_name": common_name, "devicePosture": devicePosture, "device_id": device_id, "device_sessions": device_sessions, "email": email, "gateway_account_id": gateway_account_id, "geo": geo, "groups": $map($.groups, function($group) { {"group_name": $group.name}}), "iat": iat, "id": id, "idp": idp } ``` Result after applying the JSONata transform: ``` { "account_id": "699d98642c564d2e855e9661899b7252", "amr": [ "pwd" ], "auth_status": "NONE", "common_name": "", "devicePosture": { "8534a230-e85e-4183-8964-a4b7dcf72986": { "rule_name": "Warp", "success": true, "type": "warp" } }, "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", "device_sessions": { "49e653db-991e-11ee-af26-2210bf8c3428": { "last_authenticated": 1703004275 } }, "email": "jdoe@company.com", "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", "geo": { "country": "US" }, "groups": [ { "group_name": "IdentityProtection-RiskyUser-RiskLevel-low" }, { "group_name": "Global Administrator" }, { "group_name": "Application Administrator" } ], "iat": 1659474397, "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", "idp": { "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", "type": "azureAD" } } ``` Filter groups by name The following JSONata script filters groups to those that match a regular expression. JSONata expression ``` $merge([$, { "groups": $filter(groups, function($v) { $contains($v.name, /Administrator/) }) }]) ``` Result after applying the JSONata transform: ``` { "account_id": "699d98642c564d2e855e9661899b7252", "amr": [ "pwd" ], "auth_status": "NONE", "common_name": "", "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", "device_sessions": { "49e653db-991e-11ee-af26-2243bf8c3428": { "last_authenticated": 1703004275 } }, "devicePosture": { "8534a230-e85e-4183-8964-a4b7dcf72986": { "rule_name": "Warp", "success": true, "type": "warp" } }, "email": "jdoe@company.com", "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", "geo": { "country": "US" }, "groups": [ { "id": "12348f47-8234-4860-a03f-c2a1513f267b", "name": "Global Administrator" }, { "id": "11235980-87d7-4917-b0aa-74c01914c40e", "name": "Application Administrator" } ], "iat": 1659474397, "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", "idp": { "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", "type": "azureAD" } } ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas/","name":"Generic SAML application"}}]} ``` --- --- title: GitHub Enterprise Cloud description: This guide covers how to configure GitHub Enterprise Cloud as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/github-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # GitHub Enterprise Cloud **Last reviewed:** over 1 year ago This guide covers how to configure [GitHub Enterprise Cloud ↗](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * A GitHub Enterprise Cloud subscription * Access to a GitHub account as an organization owner ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, select _GitHub_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `https://github.com/orgs/` * **Assertion Consumer Service URL**: `https://github.com/orgs//saml/consume` * **Name ID format**: _Email_ 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Create an X.509 certificate 1. Paste the **Public key** in a text editor. 2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. ## 3\. Configure an identity provider and SAML SSO in GitHub Enterprise Cloud 1. In your GitHub organization page, go to **Settings** \> **Authentication security**. 2. Under **SAML single sign-on**, turn on **Enable SAML authentication**. 3. Fill in the following fields: * **Sign on URL**: SSO endpoint from application configuration in Cloudflare One. * **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare One. * **Public certificate**: Paste the entire x.509 certificate from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate). ## 4\. Test the integration Select **Test SAML configuration**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. When this is successful, select **Save**. You can also turn on **Require SAML SSO authentication for all members of your organization** if you want to enforce SSO login with Cloudflare Access. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/github-saas/","name":"GitHub Enterprise Cloud"}}]} ``` --- --- title: Google Cloud description: This guide covers how to configure Google Cloud as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-cloud-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Google Cloud **Last reviewed:** almost 2 years ago This guide covers how to configure [Google Cloud ↗](https://support.google.com/cloudidentity/topic/7558767) as a SAML application in Cloudflare One. Warning When configuring Google Cloud with Access, the following limitations apply: * Users will not be able to log in using [Google](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google/) or [Google Workspace](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google-workspace/) as an identity provider after Google Cloud is configured with Access. * The integration of Access as a single sign-on provider for your Google Cloud account does not work for Google super admins. It will work for other users. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Google Workspace account * [Cloud Identity Free or Premium ↗](https://support.google.com/cloudidentity/answer/7389973) set up in your organization's Google Cloud account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, select _Google Cloud_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `google.com` * **Assertion Consumer Service URL**: `https://www.google.com/a//acs` * **Name ID format**: _Email_ 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Create a x.509 certificate 1. Paste the Public key from application configuration in Cloudflare One into a text editor. 2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. 3. Set the file extension as `.crt` and save. ## 3\. Create an SSO provider in Google Cloud 1. In your [Google Admin console ↗](https://admin.google.com/), go to **Security** \> **Authentication** \> **SSO with third party IdP**. 2. Select **Third-party SSO profile for your organization** \> **Add SSO Profile**. 3. Turn on **Set up SSO with third-party identity provider**. 4. Fill in the following information: * **Sign-in page URL**: SSO endpoint from application configuration in Cloudflare One. * **Sign-out page URL**: `https://.cloudflareaccess.com/cdn-cgi/access/logout`, where `` is your Cloudflare One team name. * **Verification certificate**: Upload the `.crt` certificate file from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate). 5. (Optional) Turn on **Use a domain specific issuer**. If you select this option, Google will send an issuer specific to your Google Cloud domain (`google.com/a/` instead of the standard `google.com`). ## 4\. Test the integration Open an incognito browser window and go to your Google Cloud URL (`https://console.cloud.google.com/a/`). Sign in using credentials that do not belong to a super admin account. ## Troubleshooting `Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."` If you see this error, it is likely that the public key and private key do not match. Confirm that your certificate file includes the correct public key. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-cloud-saas/","name":"Google Cloud"}}]} ``` --- --- title: Google Workspace description: This guide covers how to configure Google Workspace as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Google Workspace **Last reviewed:** almost 2 years ago This guide covers how to configure [Google Workspace ↗](https://support.google.com/a/topic/7579248?ref%5Ftopic=7556686&sjid=14539485562330725560-NA) as a SAML application in Cloudflare One. Note The integration of Access as a single sign-on provider for your Google Workspace account does not work for Google super admins. It will work for other users. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Google Workspace account ## 1\. Create an application in Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **SaaS**. 4. Fill in the following information: * **Application**: _Google_. * **Entity ID**: Use the value provided to you by Google when [configuring your SAML SSO provider ↗](https://saml-doc.okta.com/SAML%5FDocs/How-to-Enable-SAML-2.0-in-Google-Apps.html). * **Assertion Consumer Service URL**: `https://www.google.com/a//acs`, where `` is your Google Workspace domain. * **Name ID Format**: _Email_. Warning When you put your Google Workspace behind Access, users will not be able to log in using [Google](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google/) or [Google Workspace](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google-workspace/) as an identity provider. To secure Google Workspace behind Access and avoid an [authentication loop](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/#google-workspace-redirect-loop), you must configure a different identity provider (not Google or Google Workspace) for authentication. 1. [Create an Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for your application. For example, you could allow users with an `@your_domain.com` email address. 2. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. These values will be used to configure Google Workspace. 3. Save the application. ## 2\. Create a certificate from your public key 1. Copy and then paste your **Public key** into a text editor. 2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. For example, ``` -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` 3. Set the file extension as `.crt` and save. ## 3\. Create an SSO provider in Google Workspace 1. Log in to your [Google Admin console ↗](https://admin.google.com/). 2. Go to **Security** \> **Authentication** \> **SSO with third party IdP**. 3. Select **Third-party SSO profile for your organization**. 4. Enable **Set up SSO with third-party identity provider**. 5. Fill in the following information: * **Sign-in page URL**: Copy and then paste your **SSO endpoint** from Cloudflare One. * **Sign-out page URL**: `https://.cloudflareaccess.com/cdn-cgi/access/logout`, where `` is your Cloudflare One team name. * **Verification certificate**: Upload the certificate file containing your public key. 6. (Optional) Enable **Use a domain specific issuer**. If you select this option, Google will send an issuer specific to your Google Workspace domain (`google.com/a/` instead of the standard `google.com`). ## 4\. Test the integration 1. In your [Google Admin console ↗](https://admin.google.com/), go to **Apps** \> **Google Workspace** \> **Gmail** \> **Setup**. 2. Copy your Gmail **Web address**. 3. Open an incognito browser window and go to your Gmail web address (for example, `https://mail.google.com/a/`). An Access login screen should appear. ## Troubleshooting `Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."` If you see this error, it is likely that the public key and private key do not match. Confirm that your certificate file includes the correct public key. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas/","name":"Google Workspace"}}]} ``` --- --- title: Grafana Cloud description: This guide covers how to configure Grafana Cloud as an OIDC application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSO ](https://developers.cloudflare.com/search/?tags=SSO) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Grafana Cloud **Last reviewed:** over 1 year ago This guide covers how to configure [Grafana Cloud ↗](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/authorization/#configure-oauth-20-with-generic-oauth) as an OIDC application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Grafana Cloud account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **SaaS**. 4. For **Application**, enter `Grafana Cloud` and select the corresponding textbox that appears. 5. For the authentication protocol, select **OIDC**. 6. Select **Add application**. 7. In **Scopes**, select the attributes that you want Access to send in the ID token. 8. In **Redirect URLs**, enter `https:///login/generic_oauth`. 9. (Optional) Enable [Proof of Key Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 10. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**. 11. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 12. (Optional) In **Experience settings**, configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. 13. Save the application. ## 2\. Add a SSO provider to Grafana Cloud 1. In Grafana Cloud, select the **menu** icon > **Administration** \> **Authentication** \> **Generic OAuth**. 2. (Optional) For **Display name**, enter a new display name (for example, `Cloudflare Access`). Users will select **Sign in with (display name)** when signing in via SSO. 3. Fill in the following fields: * **Client Id**: Client ID from application configuration in Cloudflare One * **Client secret**: Client secret from application configuration in Cloudflare One * **Scopes**: Delete `user:email` and enter the scopes configured in Cloudflare One * **Auth URL**: Authorization endpoint from application configuration in Cloudflare One * **Token URL**: Token endpoint from application configuration in Cloudflare One 4. Select **Save**. ## 3\. Test the integration Open an incognito browser window and go to your Grafana domain (`https:///login`). Select **Sign in with (display name)**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc/","name":"Grafana Cloud"}}]} ``` --- --- title: Grafana description: This guide covers how to configure Grafana as an OIDC application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSO ](https://developers.cloudflare.com/search/?tags=SSO) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Grafana **Last reviewed:** over 1 year ago This guide covers how to configure [Grafana ↗](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/) as an OIDC application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Grafana account Note You can also configure OIDC SSO for Grafana using a [configuration file ↗](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-generic-oauth-authentication-client-using-the-grafana-configuration-file) instead of using Grafana's user interface (UI), as documented in this guide. ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **SaaS**. 4. For **Application**, select _Grafana_. 5. For the authentication protocol, select **OIDC**. 6. Select **Add application**. 7. In **Scopes**, select the attributes that you want Access to send in the ID token. 8. In **Redirect URLs**, enter `https:///login/generic_oauth`. 9. (Optional) Enable [Proof of Key Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 10. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**. 11. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 12. (Optional) In **Experience settings**, configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. 13. Save the application. ## 2\. Add a SSO provider to Grafana 1. In Grafana, select the **menu** icon > **Administration** \> **Authentication** \> **Generic OAuth**. 2. (Optional) For **Display name**, enter a new display name (for example, `Cloudflare Access`). Users will select **Sign in with (display name)** when signing in via SSO. 3. Fill in the following fields: * **Client Id**: Client ID from application configuration in Cloudflare One * **Client secret**: Client secret from application configuration in Cloudflare One * **Scopes**: Delete `user:email` and enter the scopes configured in Cloudflare One * **Auth URL**: Authorization endpoint from application configuration in Cloudflare One * **Token URL**: Token endpoint from application configuration in Cloudflare One 4. Select **Save**. ## 3\. Test the integration Log out, then select **Sign in with (display name)**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc/","name":"Grafana"}}]} ``` --- --- title: Greenhouse Recruiting description: This guide covers how to configure Greenhouse Recruiting as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/greenhouse-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Greenhouse Recruiting **Last reviewed:** over 1 year ago This guide covers how to configure [Greenhouse Recruiting ↗](https://support.greenhouse.io/hc/en-us/articles/360040753811-Configure-single-sign-on-SSO-for-Greenhouse-Recruiting) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to an Advanced or Expert Greenhouse Recruiting site ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, enter `Greenhouse` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **SAML Metadata endpoint**. 7. Keep this window open. You will finish this configuration in step [4\. Finish adding a SaaS application to Cloudflare One](#4-finish-adding-a-saas-application-to-cloudflare-one). ## 2\. Download the metadata file 1. Paste the SAML Metadata endpoint from application configuration in Cloudflare One in a web browser. 2. Follow your browser-specific steps to download the URL's contents as an `.xml` file. ## 3\. Add a SAML SSO provider to Greenhouse 1. In Greenhouse Recruiting, go to the **Configure** icon > **Dev Center** \> **Single sign-on**. 2. Copy the **SSO Assertion Consumer URL**. 3. Under **Upload XML file**, select **Choose a file**, and upload the `.xml` file created in step [2\. Download the metadata file](#2-download-the-metadata-file). 4. Change the **Entity ID** to `greenhouse.io`. 5. Keep this window open without selecting **Begin testing**. You will finish this configuration in step [5\. Test the integration and finalize configuration](#5-test-the-integration-and-finalize-configuration). ## 4\. Finish adding a SaaS application to Cloudflare One 1. In your open Cloudflare One window, fill in the following fields: * **Entity ID**: `greenhouse.io` * **Assertion Consumer Service URL**: SSO Assertion Consumer URL from SSO configuration in Greenhouse Recruiting. * **Name ID format**: _Email_ 2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 3. Save the application. ## 5\. Test the integration and finalize configuration 1. In your open Greenhouse Recruiting window, select **Begin Testing** \> **Proceed**. 2. Open an incognito browser window and go to your Greenhouse Recruiting URL. Choose the SSO login option. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 3. Once SSO sign in is successful, go to the **Configure** icon > **Dev Center** \> **Single sign-on**. 4. Select **Finalize Configuration**. 5. In the text field, enter `CONFIGURE`. 6. Select **Finalize**. Now, users will only be able to sign in with SSO. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/greenhouse-saas/","name":"Greenhouse Recruiting"}}]} ``` --- --- title: Hubspot description: This guide covers how to configure Hubspot as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/hubspot-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Hubspot **Last reviewed:** almost 2 years ago This guide covers how to configure [Hubspot ↗](https://knowledge.hubspot.com/account-security/set-up-single-sign-on-sso) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Hubspot Enterprise plan account ## 1\. Configure Hubspot 1. Go to **Settings** \> **Account**, then go to **Defaults** \> **Security**. 2. Select _Single Sign-on_. 3. Copy the values for _Audience URI_ and _Sign on URL_. ## 2\. Configure Cloudflare Access 1. In Cloudflare One, go to **Access controls** \> **Applications** and create a SaaS application. 2. Set the **Application type** to _Hubspot_. 3. Use the following Hubspot field mappings: | Hubspot values | Cloudflare values | | -------------- | ------------------------------ | | Audience URI | Entity ID | | Sign On URL | Assertion Consumer Service URL | 4. Set **NameID** to _Email_. 5. Add any desired [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to your application. 6. Copy the **SSO endpoint** and **Access Entity ID**. 7. Save the application. ## 3\. Create a x.509 certificate 1. Paste the **Public key** in a text editor. 2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. ## 4\. Finalize Hubspot configuration 1. Use the following field mappings: | Cloudflare value | Hubspot value | | ---------------- | ------------------------------------ | | SSO endpoint | Identity Provider Single Sign-on URL | | Entity ID | Identity Provider Identifier | | Public key | Certificate | 2. Select **Verify** to validate the integration. Your configuration is now complete. Hubspot SSO can be switched on for specific users or the entire account. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/hubspot-saas/","name":"Hubspot"}}]} ``` --- --- title: Ironclad description: This guide covers how to configure Ironclad as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/ironclad-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Ironclad **Last reviewed:** over 1 year ago This guide covers how to configure [Ironclad ↗](https://support.ironcladapp.com/hc/articles/12286012625559-Set-Up-Generic-SSO-SAML-Integration) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Ironclad site ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, enter `Ironclad` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **SSO Endpoint** and **Public key**. 7. Keep this window open. You will finish this configuration in step [3\. Finish adding a SaaS application to Cloudflare One](#3-finish-adding-a-saas-application-to-cloudflare-one). ## 2\. Add a SAML SSO provider to Ironclad 1. In Ironclad, select your profile picture > **Company settings** \> **Integrations** \> **SAML**. 2. Select **Add SAML Configuration** \> **Show Additional IdP Settings**. 3. Copy the **Callback** value. 4. Fill in the following fields: * **Entry Point**: SSO endpoint from application configuration in Cloudflare One. * **Identity Provider Certificate**: Public key from application configuration in Cloudflare One. The key will automatically be wrapped in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. 5. Select **Save**. ## 3\. Finish adding a SaaS application to Cloudflare One 1. In your open Cloudflare One window, fill in the following fields: * **Entity ID**: `ironcladapp.com` * **Assertion Consumer Service URL**: Callback from Ironclad SAML SSO set-up. * **Name ID format**: _Email_ 2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 3. Save the application. ## 4\. Add a test user to Ironclad and test the integration 1. In Ironclad, select your profile picture > **Company settings** \> **Users & Groups**. 2. Select **Invite User**. 3. For **Email addresses**, add your desired email address for your test user. 4. For **Sign-in Method**, ensure **Sign in with (your-team-domain.cloudflareaccess.com)** is selected 5. Select **Invite**. 6. In the invitation email sent to the test user, select **Join now**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 7. Once this is successful, you can contact your account team or `support@ironcladapp.com` to migrate existing users to SSO login. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/ironclad-saas/","name":"Ironclad"}}]} ``` --- --- title: Jamf Pro description: This guide covers how to configure Jamf Pro as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/jamf-pro-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Jamf Pro **Last reviewed:** almost 2 years ago This guide covers how to configure [Jamf Pro ↗](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Single%5FSign-On.html) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Jamf Pro account ## 1\. Collect Jamf Pro information 1. In Jamf Pro, go to **Settings** \> **Systems** \> **Single Sign-On** \> **Edit**. 2. Copy the pre-populated URL in **Entity ID**. 3. Paste the URL in a web browser to download the Jamf metadata file. 4. Open the `metadata.xml` file in a text editor, and copy the values for **Entity ID** and **Assertion Consumer Service**. ## 2\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, enter `Jamf` or `Jamf Pro` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: Entity ID value from Jamf Pro metadata file. * **Assertion Consumer Service URL**: Assertion Consumer Service value from Jamf Pro metadata file. * **Name ID format**: _Email_ 7. Copy the **SAML Metadata endpoint**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 3\. Edit Access SAML Metadata 1. Paste the **SAML Metadata endpoint** from application configuration in Cloudflare One into a browser. 2. Copy the file and paste it into a text editor. 3. Change `WantAuthnRequestsSigned="true"` to `WantAuthnRequestsSigned="false"`. 4. Set the file extension as `.xml` and save. ## 4\. Add a SAML SSO provider to Jamf Pro 1. In Jamf Pro, go to **Settings** \> **Single Sign-On** \> **Edit**. 2. In Identity Provider menu, select **Other**. 3. Label **Other provider** as `Cloudflare`. 4. Fill in the following fields: * **Entity ID**: Entity ID from Jamf Pro metadata file. * **Identity Provider Metadata Source**: Select **Metadata File** and upload the `.xml` file from step [2\. Edit Access SAML Metadata](#2-add-a-saas-application-to-cloudflare-one). * **Identity Provider User Mapping**: _Name ID_ * **Jamf Pro User Mapping**: _Email_ 5. Turn on **Single Sign On**. Note The Failover Login URL located on this page can be used to log in if your SSO does not work. ## 5\. Test the Integration Log out of Jamf Pro and open an incognito browser window. Go to your Jamf Pro URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/jamf-pro-saas/","name":"Jamf Pro"}}]} ``` --- --- title: Miro description: This guide covers how to configure Miro as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/miro-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Miro **Last reviewed:** over 1 year ago This guide covers how to configure [Miro ↗](https://help.miro.com/hc/articles/360017571414-Single-sign-on-SSO) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Miro Business or Enterprise plan account * A [verified domain ↗](https://help.miro.com/hc/articles/360034831793-Domain-control) added to your Miro account (Enterprise plan), or be prepared to do so during SSO configuration (Business or Enterprise plan) ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, enter `Miro` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `https://miro.com/` * **Assertion Consumer Service URL**: `https://miro.com/sso/saml` * **Name ID format**: _Email_ 7. Copy the **SSO endpoint** and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Add a SAML SSO provider to Miro * [ business plan ](#tab-panel-3424) * [ enterprise plan ](#tab-panel-3425) 1. In Miro, select your profile picture > **Settings** \> **\*\*Security\*\***. 2. Turn on **SSO/SAML**. 3. Fill in the following fields: * **SAML Sign-in URL**: SSO endpoint from application configuration in Cloudflare One * **Key x509 Certificate**: Public key from application configuration in Cloudflare One 4. In **Domain**, enter the domain you want to configure SSO for and select **Enter**. 5. Enter an email address from that domain and select **send verification**. 6. Once you receive a verification email, select the link in the email, then select **Save**. When the domain is successfully configured, the **VERIFY EMAIL** label next to the domain in the SSO/SAML configuration page will disappear. 7. If you have additional domains you want to configure SSO for, repeat steps 4-6 for each domain. 1. In Miro, select your profile picture > **Settings** \> **\*\*Security and Compliance\*\* > \*\*Authentication\*\* > \*\*Single sign-on\*\***. 2. Turn on **SSO/SAML**. 3. Fill in the following fields: * **SAML Sign-in URL**: SSO endpoint from application configuration in Cloudflare One * **Key x509 Certificate**: Public key from application configuration in Cloudflare One 4. In **Domain**, enter the domain you want to configure SSO for and select **Enter**. 5. If you have not previously \[verified the domain\](https://help.miro.com/hc/articles/360034831793-Domain-control), enter an email address from that domain and select **send verification**. 6. Once you receive a verification email, select the link in the email, then select **Save**. When the domain is successfully configured, the **VERIFY EMAIL** label next to the domain in the SSO/SAML configuration page will disappear. 7. If you have additional domains you want to configure SSO for, repeat steps 4-6 for each domain. ## 3\. Test the integration In the Miro SAML/SSO configuration page, select **Test SSO Configuration**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. If the login is successful, you will receive a **SSO configuration test was successful** message. Note When testing the integration, you do not have to use an email from a domain you have configured for SSO or a user configured in Miro. The only requirement is that the user is already configured in your identity provider. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/miro-saas/","name":"Miro"}}]} ``` --- --- title: PagerDuty description: This guide covers how to configure PagerDuty as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/pagerduty-saml-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # PagerDuty **Last reviewed:** over 1 year ago This guide covers how to configure [PagerDuty ↗](https://support.pagerduty.com/docs/sso) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a PagerDuty site ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, select _PagerDuty_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `https://.pagerduty.com` * **Assertion Consumer Service URL**: ` https://.pagerduty.com/sso/saml/consume` * **Name ID format**: _Email_ 7. Copy the **SSO endpoint** and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Create a x.509 certificate 1. Paste the **Public key** in a text editor. 2. Amend the public key so each row is a maximum of 64 characters long. Originally, each full row of the public key is 65 characters long. 3. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. ## 3\. Add a SAML SSO provider to PagerDuty 1. In PagerDuty, select your profile picture and go to **Account Settings** \> **Single Sign-on**. 2. Turn on **SAML**. 3. In **X.509 Certificate**, paste the entire x.509 certificate from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate). 4. In **Login URL**, paste the SSO endpoint from application configuration in Cloudflare One. 5. Select **Save Changes**. ## 4\. Test the integration and finalize SSO configuration 1. Open an incognito window and paste your PagerDuty URL into the address bar. Select **Sign In With Single Sign-On**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 2. In an incognito window, paste your PagerDuty URL and select **Sign In With Single Sign-On**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 3. Once SSO sign in is successful, select your profile picture and go to **Account Settings** \> **Single Sign-on**. 4. Turn off **Allow username/password login** and select **Save Changes**. Now, users will only be able to sign in with SSO. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/pagerduty-saml-saas/","name":"PagerDuty"}}]} ``` --- --- title: Pingboard description: This guide covers how to configure Pingboard as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/pingboard-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Pingboard **Last reviewed:** over 1 year ago This guide covers how to configure [Pingboard ↗](https://support.pingboard.com/hc/en-us/articles/360046585994-Set-Up-a-Custom-SSO-Solution) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Pingboard account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, enter `Pingboard` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `http://app.pingboard.com/sp` * **Assertion Consumer Service URL**: `https://sso-demo.pingboard.com/auth/saml/consume` * **Name ID format**: _Email_ 7. Copy the **SAML Metadata endpoint**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Add a SAML SSO provider to Pingboard 1. In Pingboard, go to **Account** \> **Add-Ons**. 2. Under **Third-Party Integrations**, select **Custom SSO**. 3. In a web browser, paste the SAML Metadata endpoint you copied from the application configuration in Cloudflare One. Next, copy the contents of the displayed page. 4. In Pingboard, under **IdP Metadata**, paste the contents from the SAML Metadata endpoint. 5. (Optional) Under **Sign in with**, enter a name (for example, `Cloudflare Access`). Your users will select this name when signing in. ## 3\. Test the integration Open an incognito browser window and go to your Pingboard URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/pingboard-saas/","name":"Pingboard"}}]} ``` --- --- title: Salesforce (OIDC) description: This guide covers how to configure Salesforce as an OpenID Connect (OIDC) application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Salesforce ](https://developers.cloudflare.com/search/?tags=Salesforce) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Salesforce (OIDC) **Last reviewed:** over 1 year ago This guide covers how to configure [Salesforce ↗](https://help.salesforce.com/s/articleView?id=sf.sso%5Fprovider%5Fopenid%5Fconnect.htm&type=5) as an OpenID Connect (OIDC) application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Salesforce account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, select _Salesforce_. 4. For the authentication protocol, select **OIDC**. 5. Select **Add application**. 6. In **Scopes**, select the attributes that you want Access to send in the ID token. 7. In **Redirect URLs**, enter the callback URL obtained from Salesforce (`https://.my.salesforce.com/services/authcallback/`). Refer to [Add a SSO provider to Salesforce](#2-add-a-sso-provider-to-salesforce) for instructions on obtaining this value. 8. (Optional) Enable [Proof of Key Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 9. Copy the following values: * **Client ID** * **Client Secret** * **Authorization endpoint** * **Token endpoint** * **User info endpoint** 10. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 11. (Optional) In **Experience settings**, configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.my.salesforce.com`. 12. Save the application. ## 2\. Add a SSO provider to Salesforce 1. In Salesforce, go to **Setup**. 2. In the **Quick Find** box, enter `auth` and select **Auth providers**. 3. Select **New**. 4. For the provider type, select **OpenID Connect**. 5. Enter a name for the SSO provider (for example, `Cloudflare Access`). 6. Fill in the following fields with values obtained from Cloudflare Access: * **Consumer Key**: Client ID * **Consumer Secret**: Client Secret * **Authorize Endpoint URL**: Authorization endpoint * **Token endpoint URL**: Token endpoint * **User Info Endpoint URL**: User info endpoint * **Token Issuer**: Issuer 7. (Optional) Enable **Use Proof Key for Code Exchange** if you enabled it in Access. 8. In **Default Scopes**, enter a space-separated list of the scopes you configured in Access (for example, `openid email profile groups`). 9. Select **Save**. 10. Copy the **Callback URL**: ``` https://.my.salesforce.com/services/authcallback/ ``` 11. In Cloudflare One, paste the Callback URL into the **Redirect URL** field. To test the integration, open an incognito browser window and go to the **Test-Only Initialization URL** ( `https://.my.salesforce.com/services/auth/test/`) ## 3\. Enable Single Sign-On in Salesforce 1. Enable Cloudflare Access as an identity provider on your Salesforce domain: 1. In the **Quick Find** box, enter `domain` and select **My Domain**. 2. In **Authentication Configuration**, select **Edit**. 3. In **Authentication Service**, turn on the Cloudflare Access provider. 2. (Optional) To require users to login with Cloudflare Access: 1. In the **Quick Find** box, enter `single sign-on` and select **Single Sign-On Settings**. 2. Turn on **Disable login with Salesforce credentials**. To test, open an incognito browser window and go to your Salesforce domain (`https://.my.salesforce.com`). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc/","name":"Salesforce (OIDC)"}}]} ``` --- --- title: Salesforce (SAML) description: Learn to configure Salesforce as a SAML app in Cloudflare One. Follow step-by-step instructions for adding SaaS apps and enabling SSO. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML)[ Salesforce ](https://developers.cloudflare.com/search/?tags=Salesforce) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-saml.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Salesforce (SAML) **Last reviewed:** over 1 year ago This guide covers how to configure [Salesforce ↗](https://help.salesforce.com/s/articleView?id=sf.sso%5Fsaml.htm&type=5) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Salesforce account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, select _Salesforce_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `https://.my.salesforce.com` or `https://.my.salesforce.com?so=`, if your account was created before summer 2019 or does not have a My Domain subdomain. * **Assertion Consumer Service URL**: `https://.my.salesforce.com` or `https://.my.salesforce.com?so=`, if your account was created before summer 2019 or does not have a My Domain subdomain. * **Name ID format**: _Email_ Note If you are unsure of which URL to use in the **Entity ID** and **Assertion Consumer Service URL** fields, you can check your Salesforce account's metadata. In Salesforce, go to the **Single Sign-On Settings** page and select **Download Metadata**. In this file, you will find the correct URLs to use. 1. Copy the **SSO endpoint**, **Public key**, and **Access Entity ID or Issuer**. 2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 3. Save the application. ## 2\. Create a certificate file 1. Paste the **Public key** in a text editor. 2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. 3. Set the file extension as `.crt` and save. ## 3\. Add a SAML SSO provider to Salesforce 1. In Salesforce, go to **Setup**. 2. In the **Quick Find** box, enter `single sign-on` and select **Single Sign-On Settings**. 3. In **SAML Single Sign-On Settings**, select **New**. 4. Fill in the following fields: * **Name:** Name of the SSO provider (for example, `Cloudflare Access`). Users will select this name when signing in to Salesforce. * **API name:** (this will pre-populate) * **Issuer:** Paste the Access Entity ID or Issuer from application configuration in Cloudflare One. * **Identity Provider Certificate**: Upload the `.crt` certificate file from [2\. Create a certificate file](#2-create-a-certificate-file). * **Entity ID**: `https://.my.salesforce.com` * **SAML Identity type:** If the user's Salesforce username is their email address, select _Assertion contains the User's Salesforce username_. Otherwise, select _Assertion contains the Federation ID from the User object_ and make sure the user's Federation ID matches their email address. Configure Federation IDs 1. In the **Quick Find** box, enter `users` and select **Users**. 2\. Select the user. 3\. Verify that the user's **Federation ID** matches the email address used to authenticate to Cloudflare Access. * **Identity Provider Login URL**: SSO endpoint provided in Cloudflare One for this application. 5. Select **Save**. ## 4\. Enable Single Sign-On in Salesforce 1. Configure Single Sign-On settings: 1. In the **Quick Find** box, enter `single sign-on` and select **Single Sign-On Settings**. 2. (Optional) To require users to login with Cloudflare Access, turn on **Disable login with Salesforce credentials**. 3. Turn on **SAML Enabled**. 4. Turn on **Make federation ID case-insensitive**. 2. Enable Cloudflare Access as an identity provider on your Salesforce domain: 1. In the **Quick Find** box, enter `domain` and select **My Domain**. 2. In **Authentication Configuration**, select **Edit**. 3. In **Authentication Service**, turn on the Cloudflare Access provider. To test, open an incognito browser window and go to your Salesforce domain (`https://.my.salesforce.com`). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-saml/","name":"Salesforce (SAML)"}}]} ``` --- --- title: ServiceNow (OIDC) description: This guide covers how to configure ServiceNow as an OIDC application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ ServiceNow ](https://developers.cloudflare.com/search/?tags=ServiceNow) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # ServiceNow (OIDC) **Last reviewed:** almost 2 years ago This guide covers how to configure [ServiceNow ↗](https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/single-sign-on/task/create-OIDC-configuration-SSO.html) as an OIDC application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a ServiceNow account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, enter `ServiceNow` and select the corresponding textbox that appears. 4. For the authentication protocol, select **OIDC**. 5. Select **Add application**. 6. In **Scopes**, select the attributes that you want Access to send in the ID token. 7. In **Redirect URLs**, enter `https://.service-now.com/navpage.do`. 8. (Optional) Enable [Proof of Key Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 9. Copy the **Client secret** and **Client ID**. 10. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 11. (Optional) In **Experience settings**, configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.service-now.com`. 12. Save the application. ## 2\. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow 1. In ServiceNow, select **All**. 2. In the search bar, enter `System Applications`, and under **All Available Applications**, select **All**. 3. In the search bar, enter `Integration - Multiple Provider Single Sign-On Installer`. 4. Select **Install**. 5. Ensure that **Install now** is selected, and select **Install**. ## 3\. Add and Test an OIDC SSO provider in ServiceNow 1. Select **All**. 2. In the search bar enter `Multi-Provider SSO`, and select **Identity Providers**. 3. Select **New** \> **OpenID Connect**. 4. In the pop-up, fill in the following fields: * **Name**: Name of the SSO (for example, `Cloudflare Access`). Unless otherwise configured, users will select this name when signing in to ServiceNow. * **Client ID**: **Client ID** from application configuration in Cloudflare One. * **Client Secret**: **Client Secret** from application configuration in Cloudflare One. * **Well Known Configuration URL**: `https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//.well-known/openid-configuration`. 5. Select **Import**. 6. Ensure **Active** is turned on 7. Turn on **Show as Login option**, and for **SSO label** enter a label for the user login screen, if desired. 8. Select **Update**. ## 4\. Test the integration For SSO to appear on the login screen, you must have [account recovery ↗](https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/single-sign-on/concept/sso-acct-recovery.html) enabled and configured for at least one admin account. After account recovery is configured, log out of ServiceNow and open an incognito browser window. Go to your ServiceNow URL. Select the SSO name you just configured, which will prompt you to sign in with your identity provider. When the integration is successful, you can go back to the OIDC configuration screen to turn on **Default** and/or **Auto Redirect IDP**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc/","name":"ServiceNow (OIDC)"}}]} ``` --- --- title: ServiceNow (SAML) description: This guide covers how to configure ServiceNow as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML)[ ServiceNow ](https://developers.cloudflare.com/search/?tags=ServiceNow) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-saml.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # ServiceNow (SAML) **Last reviewed:** almost 2 years ago This guide covers how to configure [ServiceNow ↗](https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/single-sign-on/task/t%5FCreateASAML2Upd1SSOConfigMultiSSO.html) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a ServiceNow account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, enter `ServiceNow` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `https://.service-now.com` * **Assertion Consumer Service URL**: `https://.service-now.com/navpage.do` * **Name ID format**: _Email_ 7. Copy the **SAML Metadata endpoint**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow 1. In ServiceNow, select **All**. 2. In the search bar, enter `System Applications`, and under **All Available Applications**, select **All**. 3. In the search bar, enter `Integration - Multiple Provider Single Sign-On Installer`. 4. Select **Install**. 5. Ensure that **Install now** is selected, and select **Install**. ## 3\. Add and Test a SAML SSO provider in ServiceNow 1. Select **All**. 2. In the search bar enter `Multi-Provider SSO`, and select **Identity Providers**. 3. Select **New** \> **SAML**. 4. In the pop-up, ensure that **URL** is selected. 5. Paste the **SAML Metadata endpoint** from application configuration in Cloudflare One in the empty field. 6. Select **Import**. 7. (Optional) Change the **Name** field to a more recognizable name. 8. Turn off **Sign AuthnRequest**. 9. Select **Update**. 10. In the pop-up, select **Cancel** and then **\>**. 11. Select the **Name** of the configuration you just completed. 12. Select **Test Connection**. 13. If the test succeeds, select **Activate**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-saml/","name":"ServiceNow (SAML)"}}]} ``` --- --- title: Slack description: This guide covers how to configure Slack as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML)[ Slack ](https://developers.cloudflare.com/search/?tags=Slack) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/slack-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Slack **Last reviewed:** almost 2 years ago This guide covers how to configure [Slack ↗](https://slack.com/help/articles/203772216-SAML-single-sign-on) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Slack Business+ or Enterprise Grid plan account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, select _Slack_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `https://slack.com` * **Assertion Consumer Service URL**: `https://.slack.com/sso/saml` * **Name ID format**: The format expected by Slack, usually _Email_ 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Create a x.509 certificate 1. Paste the **Public key** in a text editor. 2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. ## 3\. Add a SAML SSO provider to Slack * [ business+ plan ](#tab-panel-3426) * [ enterprise grid plan ](#tab-panel-3427) 1. In Slack, go to **Settings & administrations** \> **Workspace settings** \> **Authentication**. 2. Select **Configure**. 3. Turn on **Test**. Configuration changes will not apply until **Configure** is turned on. 4. Fill in the following fields: * **Service Provider Issuer URL**: Ensure set to `https://slack.com`. * **SAML SSO URL**: SSO endpoint from application configuration in Cloudflare One. * **Identity Provider Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare One. * **Public Certificate**: Paste the entire x.509 certificate from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate). 5. Under **Advanced Options**, select **Expand**. 6. For **AuthnContextClassRef**, ensure _urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport_ is selected. 7. Ensure **Sign the AuthnRequest** is turned off. 8. For **SAML Response Signing**, turn on **Sign the Response** and **Sign the Assertion**. 9. In the main configuration page under **Settings**, choose whether SSO is _required_, _partially required_, or _optional_ for workspace members. 10. (Optional) Under **Customize**, enter a **Sign in Button Label**. 11. Test your set-up. If all works well, turn **Test** to **Configure**. 1. In Slack, go to **Settings & administration** \> **Organization settings** \> **Security** \> **SSO Settings**. 2. For **SSO name**, enter your desired name. 3. Fill in the following fields: * **SAML 2.0 Endpoint URL**: SSO endpoint from application configuration in Cloudflare One. * **Identity Provider Issuer URL**: Access Entity ID or Issuer from application configuration in Cloudflare One. * **Service Provider Issuer URL**: Ensure set to `https://slack.com`. * **x.509 Certificate**: Paste the entire x.509 certificate from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate). 4. For **AuthnContextClassRef**, ensure _urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport_ is selected. 5. Ensure **Sign the AuthnRequest** is turned off. 6. For **SAML Response Signing**, turn on **Sign the Response** and **Sign the Assertion**. 7. Select **Test Configuration**. 8. If all works well, select **Turn on SSO** or **Add SSO**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/slack-saas/","name":"Slack"}}]} ``` --- --- title: Smartsheet description: This guide covers how to configure Smartsheet as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/smartsheet-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Smartsheet **Last reviewed:** over 1 year ago This guide covers how to configure [Smartsheet ↗](https://help.smartsheet.com/articles/2483123-domain-level-saml-configuration) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Smartsheet Enterprise account * A [domain ↗](https://help.smartsheet.com/articles/2483051-domain-management) verified in Smartsheet Note In Smartsheet, SSO is configured for a domain. If you have multiple plans using the same domain, the SSO configuration will apply to all Smartsheet users in that domain, regardless of their plan type. ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, enter `Smartsheet` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `urn:amazon:cognito:sp:us-east-1_xww1cbP43` * **Assertion Consumer Service URL**: `https://saml.authn.smartsheet.com/saml2/idpresponse` * **Name ID format**: _Unique ID_ 7. Copy the **SAML Metadata endpoint**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Create and test a SAML SSO provider in Smartsheet 1. In your Smartsheet Admin Center, go to **Settings** \> **Authentication** \> **Add a SAML IdP**. 2. In **Other IdP (Customize)**, select **Configure**. 3. Select **Next**. 4. Under **XML URL**, paste the SAML Metadata endpoint from application configuration in Cloudflare One. 5. Under **Name SAML IdP**, enter a name (for example, `Cloudflare Access`). 6. Select **Save & Next**. 7. Select **Verify connection** and sign in via Access. If validation is successful, you will see a **SAML IdP Successfully Connected!** message. Close the configuration verification page. 8. Turn on **I have successfully verified the connection**. 9. Select **Save & Next**. 10. Under **Assign domains to SAML IdP**, select your desired domain. 11. Select **Save and Next** and then **Finish**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/smartsheet-saas/","name":"Smartsheet"}}]} ``` --- --- title: SparkPost description: This guide covers how to configure SparkPost or SparkPost EU as a SAML application in Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/sparkpost-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # SparkPost **Last reviewed:** about 2 years ago This guide covers how to configure [SparkPost or SparkPost EU ↗](https://support.sparkpost.com/docs/my-account-and-profile/sso) as a SAML application in Cloudflare Zero Trust. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a SparkPost or SparkPost EU account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, enter `SparkPost` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: * `https://api.sparkpost.com` for SparkPost accounts * `https://api.eu.sparkpost.com` for SparkPost EU accounts * `https://` for SparkPost accounts with dedicated tenants * **Assertion Consumer Service URL**: * `https://api.sparkpost.com/api/v1/users/saml/consume` for SparkPost accounts * `https://api.eu.sparkpost.com/api/v1/users/saml/consume` for SparkPost EU accounts * `https:///api/v1/users/saml/consume` for SparkPost accounts with dedicated tenants * **Name ID format**: _Email_ 7. Copy the **SAML Metadata endpoint**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Download the metadata file 1. Paste the SAML metadata endpoint from application configuration in Cloudflare One in a web browser. 2. Follow your browser-specific steps to download the URL's contents as an `.xml` file. ## 3\. Add a SAML SSO provider to SparkPost 1. In SparkPost, select your profile picture > **Account Settings**. 2. Under **Single Sign-On**, select **Provision SSO**. 3. Under **Upload your Security Assertion Markup Language (SAML)**, select **select a file** and upload the `.xml` file you created in step [2\. Download the metadata file](#2-download-the-metadata-file). 4. Select **Provision SSO**. 5. Select **Enable SSO**. ## 4\. Add a test user and test the integration 1. In SparkPost, current users must be deleted and re-invited to use SSO. To create a test user, select your profile picture > **Users** \> name of the user > **Delete User**. Then, select **Invite User** and fill in the necessary information. Alternatively, invite a new user. An invitation email will be sent. 2. Go to the link sent in the invitation email. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 3. Once SSO is successful, you can turn on SSO for the rest of your current users by deleting and then re-inviting them. Note The SparkPost SSO login link is `https://app.sparkpost.com/auth/sso`. Alternatively, you can go to the usual sign in page and select **Log in with Single Sign-On**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/sparkpost-saas/","name":"SparkPost"}}]} ``` --- --- title: Tableau Cloud description: This guide covers how to configure Tableau Cloud as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/tableau-saml-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Tableau Cloud **Last reviewed:** almost 2 years ago This guide covers how to configure [Tableau Cloud ↗](https://help.tableau.com/current/online/en-us/saml%5Fconfig%5Fsite.htm) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Tableau Cloud site ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS**. 3. For **Application**, select _Tableau_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **SAML Metadata endpoint**. 7. Keep this window open. You will finish this configuration in step [4\. Finish adding a SaaS application to Cloudflare One](#4-finish-adding-a-saas-application-to-cloudflare-one). ## 2\. Download the metadata file 1. Paste the SAML Metadata endpoint from application configuration in Cloudflare One in a web browser. 2. Follow your browser-specific steps to download the URL's contents as an `.xml` file. ## 3\. Add a SAML SSO provider to Tableau Cloud 1. In Tableau Cloud, go to **Settings** \> **Authentication**. 2. Turn on **Enable an additional authentication method**. For **select authentication type**, select _SAML_. 3. Under **1\. Get Tableau Cloud metadata**, copy the **Tableau Cloud entity ID** and **Tableau Cloud ACS URL**. 4. Under **4\. Upload metadata to Tableau**, select **Choose a file**, and upload the `.xml` file created in step [2\. Download the metadata file](#2-download-the-metadata-file) 5. Under **5\. Map attributes**, turn on **Full name**. For **Name (full name)**, enter `name`. 6. (Optional) Choose whether users who are accessing embedded views will **Authenticate in a separate pop-up window** or **Authenticate using an inline frame**. 7. Select **Save Changes**. ## 4\. Finish adding a SaaS application to Cloudflare One 1. In your open Cloudflare One window, fill in the following fields: * **Entity ID**: Tableau Cloud entity ID from Tableau Cloud SAML SSO set-up. * **Assertion Consumer Service URL**: Tableau Cloud ACS URL from Tableau Cloud SAML SSO set-up. * **Name ID format**: _Email_ 2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 3. Save the application. ## 5\. Test the integration and set default authentication type 1. In Tableau Cloud, go to **Settings** \> **Authentication**. 2. Under **7\. Test Configuration**, select **Test Configuration**. 3. Sign in. If your sign-in is successful, **You are now signed in as (username)** will appear at the top of the page. 4. Close the pop-up window. 5. (Optional) Under **Default Authentication Type for Embedded Views**, turn on **cloudflareaccess.com (SAML)**. You can also configure the default authentication type for individual users under **Users** \> **Actions** \> **Authentication**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/tableau-saml-saas/","name":"Tableau Cloud"}}]} ``` --- --- title: Workday description: This guide covers how to configure Workday as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/workday-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Workday **Last reviewed:** over 1 year ago This guide covers how to configure [Workday ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/saml/dan1370796470811.html?toc=1.5.1) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Workday account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, enter `Workday` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `http://www.workday.com` * **Assertion Consumer Service URL**: `https://.myworkday.com//login-saml.flex` for a production account or `https://-impl.myworkday.com//login-saml.flex` for a preview sandbox account * **Name ID format**: _Email_ 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Download the metadata file 1. Paste the SAML Metadata endpoint from application configuration in Cloudflare One in a web browser. 2. Follow your browser-specific steps to download the URL's contents as an `.xml` file. ## 3\. Add a SAML SSO provider to Workday 1. In Workday, go to **Account Administration** \> **Actions** \> **Edit Tenant Setup - Security**. 2. Under **SAML Setup**, turn on **Enable SAML Authentication**. 3. In the **SAML Identity Providers** table, select **+**. 4. Fill in the following fields: * **Identity Provider Name**: Your desired name for the identity provider (for example, `Cloudflare Access`) * **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare One * **IdP SSO Service URL**: SSO endpoint from application configuration in Cloudflare One 5. Under **x509 Certificate**, select the menu icon > **Create x509 Public Key**. 6. Under **Name**, enter a unique name (for example, `access`). 7. Under **Certificate**, paste the Public key from application configuration in Cloudflare One. 8. Select **OK**. 9. If you want to enable SP-initiated login (login initiated by going to your Workday URL), fill in the following fields: * **SP Initiated**: Turn on. * **Service Provider ID**: `http://www.workday.com` * **Sign SP-initiated request**: Turn off. 10. Under **Single Sign-On**, add one or both of the following entries to the **Redirection URLs** grid. For each entry, if your user groups will use the same authentication option to sign in, select **Single URL**. If they will use different authentication options, select **Authentication selector**. * IdP-initiated SSO: Under **Login Redirect URL**, enter `.cloudflareaccess.com`. * SP-initiated SSO: Under **Login Redirect URL**, enter `https:////login.flex?redirect=n`. 1. In Workday, create an [authentication rule ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/authentication-policies/dan1370796466772.html). 2. Under **Authentication Conditions**, add conditions that will apply only to your test user. 3. Under **Allowed Authentication Types**, select **Specific**, then **SAML**. 4. Select **Done**. 5. Complete the following step: * **If you have enabled SP-initiated login**: Open an incognito browser window, go to your Workday URL, and enter your test user's email. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. * **If you have not enabled SP-initiated login**: Go to your App Launcher at `https://.cloudflareaccess.com`. Select the **Workday** tile. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 6. Once login is successful, you can configure your security settings further, such as adding [user groups ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/configurable-security/security-groups/user-based-security-groups/dan1370796695367.html?toc=2.2.12.0) or [authentication rules ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/authentication-policies/dan1370796466772.html) to configure different login rules for different groups of users. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/workday-saas/","name":"Workday"}}]} ``` --- --- title: Zendesk description: This guide covers how to configure Zendesk as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/zendesk-sso-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Zendesk **Last reviewed:** almost 2 years ago This guide covers how to configure [Zendesk ↗](https://support.zendesk.com/hc/en-us/articles/4408887505690-Enabling-SAML-single-sign-on#topic%5Fu54%5Fwc3%5Fz2b) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to your Zendesk account ## Configure Zendesk and Cloudflare 1. Go to your Zendesk administrator dashboard, typically available at `.zendesk.com/admin/security/sso`. 2. In a separate tab or window, open [Cloudflare One ↗](https://one.dash.cloudflare.com), select your account, and go to **Access controls** \> **Applications**. 3. Select **Add an application**, then choose _SaaS_. 4. Input the following values in the Cloudflare One application configuration: | Cloudflare One field | Value | | ---------------------------------- | ----------------------------------------------- | | **Entity ID** | https://.zendesk.com | | **Assertion Consumer Service URL** | contents of **SAML SSO URL** in Zendesk account | | **Name ID Format** | _Email_ | 5. (Optional) Configure these Attribute Statements to include a user's first and last name: | Cloudflare attribute name | IdP attribute value | | ------------------------- | --------------------------------------------------------------- | | | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | | | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Zendesk will [use the user's email address as their name ↗](https://support.zendesk.com/hc/en-us/articles/203663676#topic%5Fdzb%5Fgl5%5F2v) if the name is not provided. 6. To determine who can access Zendesk, [create an Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). 7. Copy the **SSO Endpoint** and **Public Key**. 8. Transform the public key into a fingerprint: 1. Open a [fingerprint calculator ↗](https://www.samltool.com/fingerprint.php). 2. Paste the **Public Key** into **X.509 cert**. 3. Wrap the value with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. 4. Set **Algorithm** to _SHA256_ and select **Calculate Fingerprint**. 5. Copy the **Formatted FingerPrint** value. 9. Add the Cloudflare values to the following Zendesk fields: | Cloudflare IdP field | Zendesk field | | ------------------------------------------- | --------------------------- | | **SSO Endpoint** | **SAML SSO URL** | | **Public Key** (transformed to fingerprint) | **Certificate Fingerprint** | 10. Go to `https://.zendesk.com/admin/security/staff_members` and enable **External Authentication** \> **Single Sign On**. Users should now be able to log in to Zendesk if their Email address exists in the Zendesk user list. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/zendesk-sso-saas/","name":"Zendesk"}}]} ``` --- --- title: Zoom description: This guide covers how to configure Zoom as a SAML application in Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/zoom-saas.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Zoom **Last reviewed:** over 1 year ago This guide covers how to configure [Zoom ↗](https://support.zoom.com/hc/en/article?id=zm%5Fkb&sysparm%5Farticle=KB0060673) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Zoom Business, Education, or Enterprise account * An [associated domain ↗](https://support.zoom.com/hc/en/article?id=zm%5Fkb&sysparm%5Farticle=KB0066259) configured in your Zoom account * A [vanity URL ↗](https://support.zoom.com/hc/en/article?id=zm%5Fkb&sysparm%5Farticle=KB0061540) configured in your Zoom account ## 1\. Add a SaaS application to Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application** \> **SaaS** \> **Select**. 3. For **Application**, select _Zoom_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: ` https://.zoom.us` * **Assertion Consumer Service URL**: `https://.zoom.us/saml/SSO` * **Name ID format**: _Email_ 7. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Add a SAML SSO provider in Zoom 1. In Zoom, go to **Advanced** \> **Single Sign-On**. 2. For **Vanity URL**, select the vanity URL you want to configure SSO for. 3. Fill out the following fields: * **Sign in page URL**: SSO endpoint from application configuration in Cloudflare One * **Identity Provider Certificate**: Public key from application configuration in Cloudflare One * **Service Provider (SP) Entity ID**: `yourvanityurl.zoom.us` (no `https://`) * **Issuer (DP Entity ID)**: Access Entity ID or Issuer from application configuration in Cloudflare One 4. For **Binding**, select _http-redirect_. 5. For **Signature Hash Algorithm**, ensure **SHA-256** is selected. 6. Under **Security**, turn off **Sign SAML request** and **Sign SAML logout request**. 7. Select **Save Changes**. 8. Go to **Advanced** \> **Security**. 9. Under **Sign-in Methods**, ensure **Allow users to sign in with Single Sign-On (SSO)** is turned on. ## 3\. Test the integration Open an incognito browser window, go to your Zoom vanity URL, and select **Sign in**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. Once this is successful, you can require SSO for users in your associated domain(s) by completing the following steps: 1. In Zoom, go to **Advanced** \> **Security**. 2. Under **Sign-in Methods**, turn on **Require users to sign in with SSO if their e-mail address belongs to one of the domains below**. 3. Under **Select Domains**, turn on the domains that you want to require SSO for. 4. (Optional) Under **Specify users who can bypass SSO sign-in**, add your desired users. 5. Select **Save**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/zoom-saas/","name":"Zoom"}}]} ``` --- --- title: Publish a self-hosted application to the Internet description: You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Publish a self-hosted application to the Internet You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server. This guide covers how to make a web application accessible to anyone on the Internet via a public hostname. If you would like to make the application available over a private IP or hostname, refer to [Add a self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). ## Prerequisites * An [active domain on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) * Domain uses either a [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) or a [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/) ## 1\. Add your application to Access 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **Self-hosted**. 4. Enter any name for the application. 5. In **Session Duration**, choose how often the user's [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) should expire. Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/). 1. Select **Add public hostname**. 2. In the **Domain** dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use [wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/) to protect multiple parts of an application that share a root path. Alternatively, to use a [Cloudflare for SaaS custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/), set **Input method** to _Custom_ and enter your custom hostname. 3. (Optional) Configure **Browser rendering settings**: * [Automatic cloudflared authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/) * [Browser rendering for SSH, VNC, or RDP](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/) 4. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. 5. Configure how users will authenticate: 1. Select the [**Identity providers**](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application. 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. 3. (Optional) Under **Device authentication identity**, allow users to authenticate to the application using their [ Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). 6. Select **Next**. 7. (Optional) Configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. 8. Under **Block page**, choose what end users will see when they are denied access to the application: * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message. * **Redirect URL**: Redirect to the specified website. * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One. 9. Select **Next**. 10. (Optional) Configure advanced settings: * [**Cross-Origin Resource Sharing (CORS) settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/) * [**Cookie settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cookie-settings) * **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/). 11. Select **Save**. ## 2\. Connect your origin to Cloudflare [Set up a Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) to publish your internal application. Only users who match your Access policies will be granted access. Note We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, the published application will be available to anyone on the Internet. If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using [other methods](https://developers.cloudflare.com/fundamentals/security/protect-your-origin-server/). ## 3\. Validate the Access token To secure your origin, you must validate the [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/) issued by Cloudflare Access. Token validation ensures that any requests which bypass Cloudflare Access (for example, due to a network misconfiguration) are rejected. One option is to configure the Cloudflare Tunnel daemon, `cloudflared`, to validate the token on your behalf. This is done by enabling [**Protect with Access**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/#access) in your Cloudflare Tunnel settings. Alternatively, if you do not wish to perform automatic validation with Cloudflare Tunnel, you can instead [manually configure your origin](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) to check all requests for a valid token. Users can now connect to your self-hosted application after authenticating with Cloudflare Access. ## Product compatibility When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application. However, the following products are not supported: * [Automatic Platform Optimization](https://developers.cloudflare.com/automatic-platform-optimization) * [Zaraz](https://developers.cloudflare.com/zaraz) You can disable Zaraz for a specific application - instead of across your entire zone - using a [Configuration Rule](https://developers.cloudflare.com/rules/configuration-rules/) scoped to the application domain. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/","name":"Publish a self-hosted application to the Internet"}}]} ``` --- --- title: Non-HTTP applications description: Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSH ](https://developers.cloudflare.com/search/?tags=SSH)[ RDP ](https://developers.cloudflare.com/search/?tags=RDP)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/non-http/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Non-HTTP applications Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications. Note Non-HTTP applications require [connecting your private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) to Cloudflare. For more details, refer to our [Replace your VPN](https://developers.cloudflare.com/learning-paths/replace-vpn/connect-private-network/) implementation guide. ## Cloudflare One Client Users can connect by installing the Cloudflare One Client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route unless they are protected by an Access policy or Gateway firewall rule. To secure the application, you can [create a self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) that allow or block specific users. If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including: * Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server. * Eliminate SSH keys by using short-lived certificates to authenticate users. * Export SSH command logs to a storage service or SIEM solution using [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## Clientless access Clientless access methods are suited for organizations that cannot deploy the Cloudflare One Client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported. ### Browser-rendered terminal Cloudflare's [browser-based terminal](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/) allows users to connect over SSH, RDP, and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. For RDP connections, users must authenticate to the Windows server using their Windows username and password in addition to being authenticated by Cloudflare Access. ### Client-side cloudflared Users can log in to the application by installing `cloudflared` on their device and running a hostname-specific command in their terminal. For more information, refer to [cloudflared authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/). ## Related resources To connect to an application over a specific protocol, refer to these tutorials: * [SSH](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/) * [SMB](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/) * [RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}}]} ``` --- --- title: Browser-rendered terminal description: Cloudflare can render SSH, VNC, and RDP applications in a browser without the need for client software or end-user configuration changes. For SSH and VNC, user email prefixes must match their username on the server. RDP leverages your existing Windows usernames and passwords for authenticating to the Windows server; Cloudflare does not manage any credentials on the Windows server. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSH ](https://developers.cloudflare.com/search/?tags=SSH)[ RDP ](https://developers.cloudflare.com/search/?tags=RDP) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/non-http/browser-rendering.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Browser-rendered terminal Cloudflare can render SSH, VNC, and RDP applications in a browser without the need for client software or end-user configuration changes. For SSH and VNC, user email prefixes must match their username on the server. RDP leverages your existing Windows usernames and passwords for authenticating to the Windows server; Cloudflare does not manage any credentials on the Windows server. ## Limitations * Browser rendering is only supported for [self-hosted public applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), not private IPs or hostnames. * You can only render a browser-rendered terminal on domains and subdomains, not on specific paths. * Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one. * Cloudflare uses TLS to secure the egress RDP connection to your Windows server. We do not currently validate the chain of trust. ## Turn on browser rendering ### SSH and VNC To turn on browser rendering for an SSH or VNC application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/). Select **Configure**. 3. In **Browser rendering settings**, set **Browser rendering** to _SSH_ or _VNC_. Note Ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. 4. Select **Save application**. When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser. ### RDP To set up browser-rendering for RDP, refer to our [browser-based RDP guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/). ### SSH key exchange algorithms Cloudflare's browser-rendered SSH terminal supports the following Key Exchange (KEX) algorithms: * `curve25519-sha256@libssh.org` * `curve25519-sha256` * `ecdh-sha2-nistp256` * `ecdh-sha2-nistp384` * `ecdh-sha2-nistp521` For browser-rendered SSH connections to work, you may need to update the `sshd_config` file on your server to accept these algorithms. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/browser-rendering/","name":"Browser-rendered terminal"}}]} ``` --- --- title: Client-side cloudflared description: With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the Cloudflare One Client. This method requires you to onboard a domain to Cloudflare and install cloudflared on both the server and the user's device. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Copy page # Client-side cloudflared With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the Cloudflare One Client. This method requires you to onboard a domain to Cloudflare and install `cloudflared` on both the server and the user's device. Users log in to the application by running a `cloudflared access` command in their terminal. `cloudflared` will launch a browser window and prompt the user to authenticate with your identity provider. Note Automated services should only authenticate with `cloudflared` if they cannot use a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) or using [Warp to Tunnel routing](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/) in these instances. For examples of how to connect to Access applications with client-side `cloudflared`, refer to these tutorials: * [Connect through Access using a CLI](https://developers.cloudflare.com/cloudflare-one/tutorials/cli/) * [Connect through Access using kubectl](https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/) * [Connect to SSH with client-side cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/) * [Connect over RDP with cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/#connect-to-rdp-server-with-cloudflared-access) * [Connect over SMB with cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/) * [Connect over arbitrary TCP with cloudflared](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/","name":"Client-side cloudflared"}}]} ``` --- --- title: Arbitrary TCP description: Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to resources over arbitrary TCP without being on a virtual private network (VPN). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ TCP ](https://developers.cloudflare.com/search/?tags=TCP)[ SSH ](https://developers.cloudflare.com/search/?tags=SSH) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Arbitrary TCP Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to resources over arbitrary TCP without being on a virtual private network (VPN). ## Requirements * A Cloudflare account * A site active on Cloudflare * The `cloudflared` daemon installed on the host and client machines > Cloudflare Access requires you to first [add a site ↗](https://dash.cloudflare.com/sign-up) to Cloudflare. You can use any site you have registered; the site does not need to be the same one you use for customer traffic and it does not need to match sites in your internal DNS. > > Adding the site to Cloudflare requires changing your domain's authoritative DNS to point to Cloudflare's nameservers. Once configured, all requests to that hostname will be sent to Cloudflare's network first, where Access policies can be applied. ## **Connect the host to Cloudflare** ### 1\. Install the Cloudflare daemon on the host machine The Cloudflare daemon, `cloudflared`, will maintain a secure, persistent, outbound-only connection from the machine to Cloudflare. Arbitrary TCP traffic will be proxied over this connection using [Cloudflare Tunnel ↗](https://www.cloudflare.com/products/tunnel/). Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) to download and install `cloudflared` on the machine hosting the resource. ### 2\. Authenticate the Cloudflare daemon Run the following command to authenticate `cloudflared` into your Cloudflare account. Terminal window ``` cloudflared tunnel login ``` `cloudflared` will open a browser window and prompt you to login to your Cloudflare account. If you are working on a machine that does not have a browser, or a browser window does not launch, you can copy the URL from the command-line output and visit the URL in a browser on any machine. Once you login, Cloudflare will display the sites that you added to your account. Select the site where you will create a subdomain to represent the resource. For example, if you plan to share the service at `tcp.site.com` select `site.com` from the list. Once selected, `cloudflared` will download a wildcard certificate for the site. This certificate will allow `cloudflared` to create a DNS record for a subdomain of the site. ### 3\. Secure the subdomain with Cloudflare Access Next, protect the subdomain you plan to register with a Cloudflare Access policy. Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to build a new policy to control who can connect to the resource. For example, if you share the resource at `tcp.site.com`, build a policy to only allow your team members to connect to that subdomain. ### 4\. Connect the resource to Cloudflare `cloudflared` can proxy connections to nonstandard ports. Run the following command to connect the resource to Cloudflare, replacing the `tcp.site.com` and `7870` values with your site and port. Terminal window ``` cloudflared tunnel --hostname tcp.site.com --url tcp://localhost:7870 ``` `cloudflared` will confirm that the connection has been established. The process needs to be configured to stay alive and autostart. If the process is terminated, end users will not be able to connect. ## **Connect from a client machine** ### 1\. Install the Cloudflare daemon on the client machine Follow the same steps above to download and install `cloudflared` on the client desktop that will connect to the resource. `cloudflared` will need to be installed on each user device that will connect. ### 2\. Connect to the resource Run the following command to create a connection from the device to Cloudflare. Any available port can be specified. Terminal window ``` cloudflared access tcp --hostname tcp.site.com --url localhost:9210 ``` This command can be wrapped as a desktop shortcut so that end users do not need to use the command line. Point the client application to the selected port. When the client launches, `cloudflared` will launch a browser window and prompt the user to authenticate with your SSO provider. **Common issues** * Ensure that the machine's firewall permits egress on ports 80 and 443, otherwise `cloudflared` will return an error. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/","name":"Client-side cloudflared"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/","name":"Arbitrary TCP"}}]} ``` --- --- title: Enable automatic cloudflared authentication description: When users connect to an Access application through cloudflared, the browser prompts them to allow access by displaying this page: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Authentication ](https://developers.cloudflare.com/search/?tags=Authentication) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Enable automatic cloudflared authentication When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page: ![Access request prompt page displayed after logging in with cloudflared.](https://developers.cloudflare.com/_astro/access-screen.BXZJ23p9_Mn6VE.webp) Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session. To enable automatic `cloudflared` authentication: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Locate your application and select **Configure**. 3. Go to **Basic information** \> **Browser rendering settings**. 4. Turn on **Allow automatic Cloudflared authentication**. 5. Select **Save application**. This option will still prompt a browser window in the background, but authentication will now happen automatically. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/","name":"Client-side cloudflared"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/","name":"Enable automatic cloudflared authentication"}}]} ``` --- --- title: Add an infrastructure application description: Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSH ](https://developers.cloudflare.com/search/?tags=SSH)[ Authentication ](https://developers.cloudflare.com/search/?tags=Authentication) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Add an infrastructure application Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | All plans | | System | Availability | | -------- | ------------ | | Windows | ✅ | | macOS | ✅ | | Linux | ✅ | | iOS | ✅ | | Android | ✅ | | ChromeOS | ✅ | Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach. Note Access for Infrastructure currently only supports [SSH](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). To connect using other protocols, [add a self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). For browser-based SSH, RDP, or VNC, refer to [browser-rendered terminal](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/). ## Prerequisites * [Connect your infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) to Cloudflare using `cloudflared` or WARP Connector. * [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on user devices in Traffic and DNS mode. ## 1\. Add a target A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. To create a new target: * [ Dashboard ](#tab-panel-3428) * [ API ](#tab-panel-3429) * [ Terraform ](#tab-panel-3430) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Targets**. 2. Select **Add a target**. 3. In **Target hostname**, enter a user-friendly name for the target. We recommend using the server hostname, for example `production-server`. The target hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the targets secured by an Access application; they are not used for DNS address resolution. Hostname format restrictions * Case insensitive * Contain no more than 253 characters * Contain only alphanumeric characters, `-`, or `.` (no spaces allowed) * Start and end with an alphanumeric character 4. In **IP addresses**, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address. Note If the target IP does not appear in the dropdown, go to **Networks** \> **Routes** and confirm that the IP routes through Cloudflare Tunnel. 1. In the dropdown menu, select the IP address and [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design. 2. Select **Add target**. Make a `POST` request to the [Infrastructure Access Targets](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint: Create new target ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "hostname": "infra-access-target", "ip": { "ipv4": { "ip_addr": "187.26.29.249", "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" }, "ipv6": { "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0", "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" } } }' ``` Provider versions The following example requires Cloudflare provider version `>=4.45.0`. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api%5Ftoken): * `Zero Trust Write` 2. Configure the [cloudflare\_zero\_trust\_infrastructure\_access\_target ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Finfrastructure%5Faccess%5Ftarget) resource: ``` resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" { account_id = var.cloudflare_account_id hostname = "infra-access-target" ip = { ipv4 = { ip_addr = "187.26.29.249" virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" } ipv6 = { ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0" virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" } } } ``` Next, create an Access application to secure the target. ## 2\. Add an infrastructure application * [ Dashboard ](#tab-panel-3431) * [ API ](#tab-panel-3432) * [ Terraform (v4) ](#tab-panel-3433) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **Infrastructure**. 4. Enter any name for the application. 5. In **Target criteria**, select the target hostname(s) that you want to secure. This application definition will apply to all targets that share the selected hostname, including any targets added in the future. Similarly, if you later decide to change the hostname for a target, the renamed target will no longer be covered by this application. 6. Enter the **Protocol** and **Port** that will be used to connect to the server. 7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number. Note Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol. 8. Select **Next**. 9. To secure your targets, configure a policy that defines who can connect and how they can connect: 1. Enter any name for your policy. 2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and review the list of [infrastructure policy selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors). 3. In **Connection context**, configure the following settings: * **SSH user**: Enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`). * **Allow users to log in as their email alias**: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, `Jdoe@company.com` could log in as `jdoe`. Note Cloudflare will not create new users on the target. UNIX users must already be present on the server. 10. Select **Add application**. Make a `POST` request to the [Access applications](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/create/) endpoint: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Apps and Policies Write` Add an Access application ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Example infrastructure app", "type": "infrastructure", "target_criteria": [ { "target_attributes": { "hostname": [ "infra-access-target" ] }, "port": 22, "protocol": "SSH" } ], "policies": [ { "name": "Allow a specific email", "decision": "allow", "include": [ { "email": { "email": "jdoe@company.com" } } ], "connection_rules": { "ssh": { "usernames": [ "root", "ec2-user" ] } } } ] }' ``` Provider versions The following example requires Cloudflare provider version `>=4.45.0`. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api%5Ftoken): * `Access: Apps and Policies Write` 2. Use the [cloudflare\_zero\_trust\_access\_application ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Faccess%5Fapplication) resource to create an infrastructure application: ``` resource "cloudflare_zero_trust_access_application" "infra-app" { account_id = var.cloudflare_account_id name = "Example infrastructure app" type = "infrastructure" target_criteria { port = 22 protocol = "SSH" target_attributes { name = "hostname" values = ["infra-access-target"] } } } ``` 3. Use the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource to add an infrastructure policy to the application: ``` resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { application_id = cloudflare_zero_trust_access_application.infra-app.id account_id = var.cloudflare_account_id name = "Allow a specific email" decision = "allow" precedence = 1 include { email = ["jdoe@company.com"] } connection_rules { ssh { usernames = ["root", "ec2-user"] } } } ``` The targets in this application are now secured by your infrastructure policies. ## 3\. (Recommended) Modify order of precedence in Gateway By default, Cloudflare will evaluate Access application policies after evaluating all [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). To evaluate Access applications before or after specific Gateway policies: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies**. In **Network**, [create a Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) with the following configuration: | Selector | Operator | Value | Action | | ---------------------------- | -------- | --------- | ------ | | Access Infrastructure Target | is | _Present_ | Allow | 2. Update the policy's [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence)using the dashboard or API. This Gateway policy will apply to all Access for Infrastructure targets, including RDP and SSH. Note Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes. ## 4\. Configure the server Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial: * [SSH](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#6-configure-ssh-server) ## 5\. Connect as a user Users connect to the target's IP address using their preferred client software. The user must be logged into the Cloudflare One Client on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to allow connections to the target's private hostname. ### Connect to different VNET To connect to targets that are in different VNETS, users will need to [switch their connected virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) in the Cloudflare One Client. Note If a user is connected to a target in VNET-A and needs to connect to a target in VNET-B, switching their VNET will not break any existing connections to targets within VNET-A. At present, connections are maintained between VNETs. ### Display available targets Feature availability | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2024.9.346.0 | | macOS | ✅ | 2024.9.346.0 | | Linux | ✅ | 2024.9.346.0 | | iOS | ❌ | | | Android | ❌ | | | ChromeOS | ❌ | | Users can use `warp-cli` to display a list of targets they can access. On the device, open a terminal and run the following command: Terminal window ``` warp-cli target list ``` ``` ╭──────────────────────────────────────┬──────────┬───────┬───────────────────────┬──────────────────────┬────────────╮ │ Target ID │ Protocol │ Port │ Attributes │ IP (Virtual Network) │ Usernames │ ├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤ │ 0193f22a-9df3-78e3-b5bb-7ab631903306 │ SSH │ 22 │ hostname: do-target │ 10.116.0.3 (a1net) │ alice │ ├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤ │ 0193f22a-9df3-78e3-b5bb-7ab631903306 │ SSH │ 23 │ hostname: do-target │ 10.116.0.3 (a1net) │ root │ ├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤ │ 01943cff-6130-7989-8bff-cbc02b59a2b1 │ SSH │ 80 │ hostname: az-target │ 172.16.0.0 (b1net) │ alice, bob │ ╰──────────────────────────────────────┴──────────┴───────┴───────────────────────┴──────────────────────┴────────────╯ ``` You can optionally add flags to filter the output. For example: Terminal window ``` warp-cli target list --attribute hostname=do-target --username root ``` To view all available filters, type `warp-cli target list --help`. ## Revoke a user's session To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. ## Infrastructure policy selectors The following [Access policy selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) are available for securing infrastructure applications: * Email * Emails ending in * SAML group * Country * Authentication method * Device posture * Entra group, GitHub organization, Google Workspace group, Okta group ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/","name":"Add an infrastructure application"}}]} ``` --- --- title: Private network applications (legacy) description: You can configure a Private Network application to manage access to specific applications on your private network. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Private network applications (legacy) Note Not recommended for new deployments. We recommend using a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) to secure a private IP address. You can configure a **Private Network** application to manage access to specific applications on your private network. To create a private network application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications** \> **Add an application**. 2. Select **Private Network**. 3. Name your application. 4. For **Application type**, select _Destination IP_. 5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`). Note If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) using the **Destination IP** selector. 6. Configure your [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) visibility and logo. 7. Select **Next**. You will see two auto-generated Gateway Network policies: one that allows access to the destination IP and another that blocks access. 8. Modify the policies to include additional identity-based conditions. For example: * **Policy 1** | Selector | Operator | Value | Logic | Action | | -------------- | ------------- | --------------- | ----- | ------ | | Destination IP | in | 10.128.0.7 | And | Allow | | User Email | matches regex | .\*@example.com | | | * **Policy 2** | Selector | Operator | Value | Action | | -------------- | -------- | ---------- | ------ | | Destination IP | in | 10.128.0.7 | Block | Policies are evaluated in [numerical order](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). 9. Select **Add application**. Your application will appear on the **Applications** page. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/","name":"Private network applications (legacy)"}}]} ``` --- --- title: Secure a private IP or hostname description: You can configure a self-hosted Access application to manage access to specific IPs or hostnames on your private network. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Secure a private IP or hostname You can configure a self-hosted Access application to manage access to specific IPs or hostnames on your private network. Note This feature replaces the legacy [private network app type](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/). ## Prerequisites * Private IPs and hostnames are reachable over the Cloudflare One Client, Cloudflare WAN (formerly Magic WAN) or Browser Isolation. For more details, refer to [Connect a private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). * Private hostnames route to your custom DNS resolver through [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) or [Gateway resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/). * Public IPs and hostnames can be used to define a private application, however the IP or hostname must route through Cloudflare via [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/), [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/), or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/how-to/configure-routes/). * (Optional) Turn on [Gateway TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications). ## Add your application to Access 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **Self-hosted**. 4. Enter any name for the application. 5. In **Session Duration**, choose how often the user's [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) should expire. Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/). If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the Cloudflare One Client per application. 1. To add an application using its private IP: 1. Select **Add private IP**. 2. In **IP address**, enter the private IP or CIDR range that represents the application (for example, `10.0.0.1` or `172.16.0.0/12`). 3. In **Port**, enter a single port or a port range used by your application (for example, `22` or `8000-8099`). Comma-separated lists of ports (such as `80, 443`) are not supported. To add multiple ports for a specific IP, you can select **Add private IP** and repeat the IP address with the other port. Alternatively, create a new Access application for the other port. 2. To add an application using its private hostname: 1. Select **Add private hostname**. 2. In **Hostname**, enter the private hostname of the application (for example, `wiki.internal.local`). You can use [wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. 3. In **Port**, enter a single port or a port range used by your application (for example, `22` or `8000-8099`). Note * **HTTPS applications**: Private hostnames explicitly set to port `443` (not including port ranges such as `441-444`) must have a valid Server Name Indicator (SNI). * **Non-HTTPS applications**: Private hostnames on non-`443` ports do not require a valid SNI value will be assigned an initial resolved IP in the CGNAT space. Ensure that the following IP addresses are not blocked by any firewalls or excluded from Gateway traffic: * **IPv4**: `100.80.0.0/16` * **IPv6**: `2606:4700:0cf1:4000::/64` For more details on private hostname routing, refer to [Connect a private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/#prerequisites) 3. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. 4. Configure how users will authenticate: 1. Select the [**Identity providers**](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application. 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. 3. (Recommended) Turn on **Device authentication identity** to allow users to authenticate to the application using their [Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). We recommend turning this on if your application is not in the browser and cannot handle a `302` redirect. 5. Select **Next**. 6. (Optional) Configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. 7. (Optional) Turn on **Allow clientless access** to allow users to access this private hostname or IP without the Cloudflare One Client. Users who pass your Access policies will see a tile in their App Launcher which points to a prefixed URL such as `https://.cloudflareaccess.com/browser/https://wiki.internal.local/`. The link will route traffic to the application through [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This setting is useful for users on unmanaged devices or contractors who cannot install a device client. Note Ensure your [remote browser permissions](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) allow users of this application to open Clientless Web Isolation links. 8. Under **Block page**, choose what end users will see when they are denied access to the application: * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message. * **Redirect URL**: Redirect to the specified website. * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One. 9. Select **Next**. 10. (Optional) Configure advanced settings: * [**Cross-Origin Resource Sharing (CORS) settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/) * [**Cookie settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cookie-settings) * **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/). These settings only apply to private hostnames and require [Gateway TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/). 11. Select **Save**. Users can now connect to your private application after authenticating with Cloudflare Access. ## Authentication flow ### HTTPS applications If [Gateway TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). If [Gateway TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned off, session management is [handled in the Cloudflare One Client](#non-https-applications) instead of in the browser. ### Non-HTTPS applications The Cloudflare One Client manages sessions for all non-HTTPS applications. Users will receive an `Authentication required` pop-up notification from the Cloudflare One Client. When the user selects the notification, the Cloudflare One Client will open a browser window with your Access login page. Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac). ## Order of precedence ### Access vs Gateway policies By default, Cloudflare will evaluate Access application policies after evaluating all [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). To evaluate Access applications before or after specific Gateway policies: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies**. In **Network**, [create a Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) with the following configuration: | Selector | Operator | Value | Action | | ------------------ | -------- | --------- | ------ | | Access Private App | is | _Present_ | Allow | 2. Update the policy's [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence)using the dashboard or API. Note Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes. ### Private hostname vs private IP An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to `10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)). ## Limitations ### Browser Isolation is not compatible with apps on non-`443` ports Browser Isolation is not compatible with [self-hosted private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) that use private IPs or hostnames on ports other than `443`. Trying to access self-hosted applications on non-`443` ports will result in a Gateway block page. To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/) instead. ### Google Chrome restricts access to private hostnames Starting with [Chrome 142 ↗](https://developer.chrome.com/release-notes/142), the browser restricts requests from websites to local IP addresses, including the Gateway initial resolved IP CGNAT range (`100.80.0.0/16`). Because this range falls within `100.64.0.0/10`, Chrome categorizes these addresses as belonging to a local network. When a website loaded from a public IP makes subrequests to a domain resolved through an initial resolved IP, Chrome treats this as a public-to-local network request and displays a prompt asking the user to allow access to devices on the local network. Chrome will block requests to these domains until the user accepts this prompt. This commonly occurs when an Egress policy matches broadly used domains (such as `cloudfront.net` or `github.com`), causing subrequests from public pages to resolve to the `100.80.0.0/16` range. #### Iframes If the affected request originates from within an iframe (for example, an application embedded in a third-party portal), the iframe must declare the `local-network-access` permission for the browser prompt to appear in the parent frame: * **Chrome 142-144**: Use the `allow="local-network-access"` attribute on the iframe element. * **Chrome 145+**: The permission was split into `allow="local-network"` and `allow="loopback-network"`. If iframes are nested, every iframe in the chain must include the appropriate attribute. Since third-party applications control their own iframe attributes, this may not be configurable by the end user. #### Workarounds To avoid this issue, choose one of the following options: * **Override IP address space classification (Chrome 146+)**: Use the [LocalNetworkAccessIpAddressSpaceOverrides ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessIpAddressSpaceOverrides) Chrome Enterprise policy to reclassify the `100.80.0.0/16` range as public. This is the most targeted fix because it only changes the classification for the initial resolved IP range rather than disabling security checks entirely. * **Allow specific URLs (Chrome 140+)**: Use the [LocalNetworkAccessAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessAllowedForUrls) Chrome Enterprise policy to exempt specific websites from Local Network Access checks. Note that `https://*` is a valid entry to disable checks for all URLs. * **Allow specific URLs (Chrome 146+)**: Use the [LocalNetworkAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAllowedForUrls) Chrome Enterprise policy, which replaces `LocalNetworkAccessAllowedForUrls` starting in Chrome 146. * **Opt out of Local Network Access restrictions (Chrome 142-152)**: Use the [LocalNetworkAccessRestrictionsTemporaryOptOut ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessRestrictionsTemporaryOptOut) Chrome Enterprise policy to completely opt out of Local Network Access restrictions. This is a temporary policy and will be removed after Chrome 152. * **Disable the Chrome feature flag**: Go to `chrome://flags` and set the **Local Network Access Checks** flag to _Disabled_. This approach is suitable for individual users but not for enterprise-wide deployment. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/","name":"Secure a private IP or hostname"}}]} ``` --- --- title: Short-lived certificates (legacy) description: Cloudflare Access can replace traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH key pair and administrators grant access to individual SSH servers by deploying their users' public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSH ](https://developers.cloudflare.com/search/?tags=SSH) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Short-lived certificates (legacy) Note Not recommended for new deployments. We recommend using [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) to configure short-lived certificates for SSH. Cloudflare Access can replace traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH key pair and administrators grant access to individual SSH servers by deploying their users' public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates. ## 1\. Secure the server behind Cloudflare Access Cloudflare Access short-lived certificates can work with any modern SSH server, whether it is behind Access or not. However, we recommend putting your server behind Access for added security and features, such as auditability and browser-based terminals. To secure your server behind Cloudflare Access: 1. [Connect the server to Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) as a published application. 2. Create a [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the server. Note If you do not wish to use Access, refer instead to our [SSH proxy instructions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/ssh-logging/). ## 2\. Ensure Unix usernames match user SSO identities Cloudflare Access will take the identity from a token and, using short-lived certificates, authorize the user on the target infrastructure. The simplest setup is one where a user's Unix username matches their email address prefix. Issued short-lived certificates will be valid for the user's email address prefix. For example, if a user in your Okta or GSuite organization is registered as `jdoe@example.com`, they would log in to the SSH server as `jdoe`. For testing purposes, you can run the following command to generate a Unix user on the machine: Terminal window ``` sudo adduser jdoe ``` Advanced setup: Differing usernames SSH certificates include one or more `principals` in their signature which indicate the Unix usernames the certificate is allowed to log in as. Cloudflare Access will always set the principal to the user's email address prefix. For example, when `jdoe@example.com` tries to connect, Access issues a short-lived certificate authorized for the principal `jdoe`. By default, SSH servers authenticate the Unix username against the principals listed in the user's certificate. You can configure your SSH server to accept principals that do not match the Unix username. Note If you would like to use short-lived certificates with the browser-based terminal, the user's email address prefix needs to matches their Unix username. **Username matches a different email** To allow `jdoe@example.com` to log in as the user `johndoe`, add the following to the server's `/etc/ssh/sshd_config`: ``` Match user johndoe AuthorizedPrincipalsCommand /bin/echo 'jdoe' AuthorizedPrincipalsCommandUser nobody ``` This tells the SSH server that, when someone tries to authenticate as the user `johndoe`, check their certificate for the principal `jdoe`. This would allow the user `jdoe@example.com` to sign into the server with a command such as: Terminal window ``` ssh johndoe@server ``` **Username matches multiple emails** To allow multiple email addresses to log in as `vmuser`, add the following to the server's `/etc/ssh/sshd_config`: ``` Match user vmuser AuthorizedPrincipalsFile /etc/ssh/vmusers-list.txt ``` This tells the SSH server to load a list of principles from a file. Then, in `/etc/ssh/vmusers-list.txt`, list the email prefixes that can log in as `vmuser`, one per line: ``` jdoe bwayne robin ``` **Username matches all users** To allow any Access user to log in as `vmuser`, add the following command to the server's `/etc/ssh/sshd_config`: ``` Match user vmuser AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals" AuthorizedPrincipalsCommandUser nobody ``` This command takes the certificate presented by the user and authorizes whatever principal is listed on it. **Allow all users** To allow any Access user to log in with any username, add the following to the server's `/etc/ssh/sshd_config`: ``` AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals" AuthorizedPrincipalsCommandUser nobody ``` Since this will put the security of your server entirely dependent on your Access configuration, make sure your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) are correctly configured. ## 3\. Generate a short-lived certificate public key 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Service credentials** \> **SSH**. 2. Select **Add a certificate**. 3. In the **Application** dropdown, choose the Access application that represents your SSH server. 4. Select **Generate certificate**. A new row will appear in the short-lived certificates table with the name of your Access application. 5. Select the short-lived certificate for your application. 6. Copy its **CA public key**. You can return to copy this public key at any time. ## 4\. Save your public key 1. Copy the public key generated from the dashboard in Step 3. 1. Use the following command to change directories to the SSH configuration directory on the remote target machine: Terminal window ``` cd /etc/ssh ``` 2. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key. Terminal window ``` vim ca.pub ``` 3. In the `ca.pub` file, paste the public key without any modifications. ca.pub ``` ecdsa-sha2-nistp256 open-ssh-ca@cloudflareaccess.org ``` The `ca.pub` file can hold multiple keys, listed one per line. Empty lines and comments starting with `#` are also allowed. 4. Save the `ca.pub` file. In some systems, you may need to use the following command to force the file to save depending on your permissions: Terminal window ``` :w !sudo tee % :q! ``` ## 5\. Modify your `sshd_config` file Configure your SSH server to trust the Cloudflare SSH CA by updating the `sshd_config` file on the remote target machine. 1. While in the `/etc/ssh` directory on the remote machine, open the `sshd_config` file. Terminal window ``` sudo vim /etc/ssh/sshd_config ``` 2. Press `i` to enter insert mode, then add the following lines at the top of the file, above all other directives: ``` PubkeyAuthentication yes TrustedUserCAKeys /etc/ssh/ca.pub ``` Be aware of your include statements If there are any include statements below these lines, the configurations in those files will not take precedence. 3. Press `esc` and then type `:x` and press `Enter` to save and exit. ## 6\. Restart your SSH server Once you have modified your `sshd` configuration, reload the SSH service on the remote machine for the changes to take effect. * [ Debian/Ubuntu ](#tab-panel-3434) * [ CentOS/RHEL ](#tab-panel-3435) For Debian/Ubuntu: Terminal window ``` sudo systemctl reload ssh ``` For CentOS/RHEL 7 and newer: Terminal window ``` sudo systemctl reload sshd ``` ## 7\. Connect as a user ### Configure your client SSH config On the client side, [configure your device](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/) to use Cloudflare Access to reach the protected machine. To use short-lived certificates, you must include the following settings in your SSH config file (`~/.ssh/config`). To save time, you can use the following cloudflared command to print the required configuration command: Terminal window ``` cloudflared access ssh-config --hostname vm.example.com --short-lived-cert ``` If you prefer to configure manually, this is an example of the generated SSH config: ``` Match host vm.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h" HostName vm.example.com ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h IdentityFile ~/.cloudflared/vm.example.com-cf_key CertificateFile ~/.cloudflared/vm.example.com-cf_key-cert.pub ``` ### Connect through a browser-based terminal End users can connect to the SSH session without any configuration by using Cloudflare's browser-based terminal. To enable, refer to [Browser-rendered terminal](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/). By default, the browser-based terminal prompts the user for a username/password login. If you would like to use certificate based authentication, make sure you have [created a short-lived certificate](#3-generate-a-short-lived-certificate-public-key) for the specific Access application configured for browser-rendered SSH. --- Your SSH server is now protected behind Cloudflare Access — users will be prompted to authenticate with your identity provider before they can connect. You can also enable SSH command logging by configuring a [Gateway Audit SSH policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/ssh-logging/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/","name":"Non-HTTP applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/","name":"Short-lived certificates (legacy)"}}]} ``` --- --- title: Event subscriptions description: Event subscriptions allow you to receive messages when events occur across your Cloudflare account. Cloudflare products (e.g., KV, Workers AI, Workers) can publish structured events to a queue, which you can then consume with Workers or HTTP pull consumers to build custom workflows, integrations, or logic. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/event-subscriptions.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Event subscriptions [Event subscriptions](https://developers.cloudflare.com/queues/event-subscriptions/) allow you to receive messages when events occur across your Cloudflare account. Cloudflare products (e.g., [KV](https://developers.cloudflare.com/kv/), [Workers AI](https://developers.cloudflare.com/workers-ai/), [Workers](https://developers.cloudflare.com/workers/)) can publish structured events to a [queue](https://developers.cloudflare.com/queues/), which you can then consume with Workers or [HTTP pull consumers](https://developers.cloudflare.com/queues/configuration/pull-consumers/) to build custom workflows, integrations, or logic. For more information on [Event Subscriptions](https://developers.cloudflare.com/queues/event-subscriptions/), refer to the [management guide](https://developers.cloudflare.com/queues/event-subscriptions/manage-event-subscriptions/). ## Available Access events #### `application.created` Triggered when an application is created. **Example:** ``` { "type": "cf.access.application.created", "source": { "type": "access" }, "payload": { "id": "app-12345678-90ab-cdef-1234-567890abcdef", "name": "My Application" }, "metadata": { "accountId": "f9f79265f388666de8122cfb508d7776", "eventSubscriptionId": "1830c4bb612e43c3af7f4cada31fbf3f", "eventSchemaVersion": 1, "eventTimestamp": "2025-05-01T02:48:57.132Z" } } ``` #### `application.deleted` Triggered when an application is deleted. **Example:** ``` { "type": "cf.access.application.deleted", "source": { "type": "access" }, "payload": { "id": "app-12345678-90ab-cdef-1234-567890abcdef", "name": "My Application" }, "metadata": { "accountId": "f9f79265f388666de8122cfb508d7776", "eventSubscriptionId": "1830c4bb612e43c3af7f4cada31fbf3f", "eventSchemaVersion": 1, "eventTimestamp": "2025-05-01T02:48:57.132Z" } } ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/event-subscriptions/","name":"Event subscriptions"}}]} ``` --- --- title: Policies description: Cloudflare Access determines who can reach your application by applying the Access policies you configure. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Policies Cloudflare Access determines who can reach your application by applying the Access policies you configure. An Access policy consists of an **Action** as well as rules which determine the scope of the action. To build a rule, you need to choose a **Rule type**, **Selector**, and a **Value** for the selector. * [Actions](#actions) * [Rule types](#rule-types) * [Selectors](#selectors) * [Connection context](#connection-context) ## Actions Actions let you grant or deny permission to a certain user or user group. You can set only one action per policy. ### Allow The Allow action allows users that meet certain criteria to reach an application behind Access. The following example lets any user with an `@example.com` email address, as validated against an IdP, reach the application: | Action | Rule type | Selector | Value | | ------ | --------- | ----------------- | ------------ | | Allow | Include | Emails Ending In: | @example.com | You can add a Require rule in the same policy action to enforce additional checks. Finally, if the policy contains an Exclude rule, users meeting that definition are prevented from reaching the application. For example, this second configuration lets any user from Portugal with a `@team.com` email address, as validated against an IdP, reach the application, except for `user-1` and `user-2`: | Action | Rule type | Selector | Value | | ------- | ---------------- | -------------------------------- | -------- | | Allow | Include | Country | Portugal | | Require | Emails Ending In | @team.com | | | Exclude | Email | user-1@team.com, user-2@team.com | | ### Block The Block action prevents users who meet certain critera from reaching an application behind Access. For example, the following policy blocks requests from Russian source IPs that are not on your [list of approved IPs](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). | Action | Rule type | Selector | Value | | ------- | --------- | ---------------------- | ------------------ | | Block | Include | Country | Russian Federation | | Exclude | IP list | Corporate IP allowlist | | Block policies are best used in conjunction with [Allow policies](#allow) as a way to carve out exceptions in those Allow policies. Since Access is deny by default, users who do not match a Block policy will still be denied access unless they explicitly match an Allow policy. ### Bypass Warning Bypass does not enforce any Access security controls and requests are not logged. Bypass policies should be tested before deploying to production. Consider using [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) if you would like to enforce policies and maintain logging without requiring user authentication. As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) (such as email). The Bypass action disables any Access enforcement for traffic that meets the defined rule criteria. Bypass is typically used to enable applications that require specific endpoints to be public. For example, some applications have an endpoint under the `/admin` route that must be publicly routable. In this situation, you could create an Access application for the domain `test.example.com/admin/` and add the following Bypass policy: | Action | Rule type | Selector | Value | | ------ | --------- | -------- | -------- | | Bypass | Include | Everyone | Everyone | As part of implementing a Zero Trust security model, Cloudflare does not recommend using Bypass to grant direct permanent access to your internal applications. To enable seamless and secure access for on-network employees, use Cloudflare Tunnel to [connect your private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) and have users connect through the Cloudflare One Client. Note When applying a Bypass action, security settings revert to the defaults configured for the zone and any configured Page Rules. If **Always use HTTPS** is enabled for the site, then traffic to the bypassed destination continues in HTTPS. If **Always use HTTPS** is disabled, traffic is HTTP. #### Product compatibility Bypass policies which contain [device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) rules will not function when [Zaraz](https://developers.cloudflare.com/zaraz/) is enabled for the zone protected by Access, or if a [Worker](https://developers.cloudflare.com/workers/) intercepts the request. To work around this limitation and bypass Access, change the policy action to [Service Auth](#service-auth). ### Service Auth Service Auth rules enforce authentication flows that do not require an identity provider IdP login, such as service tokens and mutual TLS. | Action | Rule type | Selector | | ------------ | --------- | ----------------- | | Service Auth | Include | Valid certificate | ## Rule types Rules work like logical operators. They help you define which categories of users your policy will affect. All Access policies must contain an Include rule. This is what defines the initial pool of eligible users who can access an application. You can then add Exclude and Require rules to enforce specific policies for those users. ### Include The Include rule is similar to an OR logical operator. In case more than one Include rule is specified, users need to meet only one of the criteria. ### Exclude The Exclude rule works like a NOT logical operator. A user meeting any Exclusion criteria will not be allowed access to the application. ### Require The Require rule works like an AND logical operator. A user must meet all specified Require rules to be allowed access. #### Require rules with OR operators By default, any values added to a Require rule are concatenated by an AND operator. For example, let's say you want to grant access to an application to both the full-time employees and the contractors, and only the ones based in specific countries — say Portugal and the United States. If you set up a rule with the following configuration: | Action | Rule type | Selector | Value | | ------- | ---------------- | --------------------------------- | ----------------------- | | Allow | Require | Country | United States, Portugal | | Require | Emails ending in | @cloudflare.com, @contractors.com | | the policy will only grant access to people reaching the application from both the United States AND Portugal, and who have both an email ending in `@cloudflare.com` AND in `@contractors.com`. Therefore, nobody will have access to the application. To require only one country and one email ending: 1. [Create a rule group](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/) that includes users in Portugal OR in the United States: | Rule type | Selector | Value | | --------- | -------- | ----------------------- | | Include | Country | United States, Portugal | 2. Create a policy that requires the rule group, and that also includes users with emails ending in either `@cloudflare.com` OR `@contractors.com`: | Action | Rule type | Selector | Value | | ------- | ---------------- | --------------------------------- | -------------------- | | Allow | Require | Rule group | Country requirements | | Include | Emails ending in | @cloudflare.com, @contractors.com | | ## Selectors When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/), [self-hosted](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), and [non-HTTP](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/) applications. Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/). If you have configured [SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership. | Selector | Description | Checked at login | Checked continuously1 | Identity-based selector? | | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | --------------------- | ------------------------ | | Emails | you@company.com | ✅ | ❌ | ✅ | | Emails ending in | @company.com | ✅ | ❌ | ✅ | | External Evaluation | Allows or denies access based on [custom logic](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/external-evaluation/) in an external API. | ✅ | ❌ | ✅ | | IP ranges | 192.168.100.1/24 (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ | | Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ | | Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ | | Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | ❌ | | Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | ❌ | | Service Token | The request will need to present the correct service token headers configured for the specific application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | | Any Access Service Token | The request will need to present the headers for any [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) created for this account. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | | User Risk Score | The user's current [risk score](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/) (Low, Medium, or High). Acts as a threshold — users with a score at or below the specified level pass the check. This selector only displays for Enterprise plans. | ✅ | ✅ | ✅ | | Linked App Token | Checks for a valid [OAuth access token](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/linked-apps/) issued to a specific Access for SaaS application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | | Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | | Authentication Method | Checks the [multifactor authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ | | Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ | | SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. | ✅ | ❌ | ✅ | | OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | | Device posture | Checks device posture signals from the Cloudflare One Client or a third-party service provider. This selector only displays after you create a [device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). | ✅ | ✅ | ❌ | | Warp | Checks that the device is connected to the Cloudflare One Client, including the consumer version. This selector only displays after you enable the [WARP posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/require-warp/). | ✅ | ✅ | ❌ | | Gateway | Checks that the device is connected to your Zero Trust instance through the Cloudflare One Client. This selector only displays after you enable the [Gateway posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/). | ✅ | ✅ | ❌ | 1 For SaaS applications, Access can only enforce policies at the time of initial sign on and when reissuing the SaaS session. Once the user has authenticated to the SaaS app, session management falls solely within the purview of the SaaS app. ## Connection context Connection context settings allow you to control how users interact with an application after they have been granted access. While [selectors](#selectors) determine who can access an application, connection context settings determine what actions users can take during their session. Connection context is configured per policy, allowing you to grant different permissions to different groups of users. For example, you could allow full-time employees to copy data from a remote RDP session while restricting contractors to read-only access. The available connection context settings depend on the application type: | Application type | Available settings | | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- | | [Infrastructure (SSH)](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) | Allowed UNIX usernames | | [Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls) | Clipboard controls (copy/paste restrictions) | ## Order of execution Policies are evaluated based on their action type and ordering. Bypass and Service Auth policies are evaluated first, from top to bottom as shown in the UI. Then, Block and Allow policies are evaluated based on their order. For example, if you have a list of policies arranged as follows: * Allow A * Block B * Service Auth C * Bypass D * Allow E The policies will execute in this order: Service Auth C > Bypass D > Allow A > Block B > Allow E. Once a user matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. ## Common misconfigurations If you add any of the following rules to an Allow policy, anyone will be able to access your application. ### Include everyone | Rule type | Selector | Value | | --------- | -------- | -------- | | Include | Everyone | Everyone | ### Include all valid emails | Rule type | Selector | Value | | --------- | ------------- | ------------ | | Include | Login Methods | One-time PIN | ## Additional resources * [API and Terraform](https://developers.cloudflare.com/cloudflare-one/api-terraform/) provide programmatic ways to manage your Access policies and configurations. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}}]} ``` --- --- title: Application paths description: Application paths define the URLs protected by an Access policy. When adding a self-hosted application to Access, you can choose to protect the entire website by entering its apex domain, or alternatively, protect specific subdomains and paths. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/app-paths.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Application paths Application paths define the URLs protected by an Access policy. When adding a self-hosted application to Access, you can choose to protect the entire website by entering its apex domain, or alternatively, protect specific subdomains and paths. ## Policy inheritance Cloudflare Zero Trust allows you to create unique rules for parts of an application that share a root path. Imagine an example application is deployed at `dashboard.com/eng` that anyone on the engineering team should be able to access. However, a tool deployed at `dashboard.com/eng/exec` should only be accessed by the executive team. When multiple rules are set for a common root path, the more specific rule takes precedence. For example, when setting rules for `dashboard.com/eng` and `dashboard.com/eng/exec` separately, the more specific rule for `dashboard.com/eng/exec` takes precedence, and no rule is inherited from `dashboard.com/eng`. If no separate, specific rule is set for `dashboard.com/eng/exec`, it will inherit any rules set for `dashboard.com/eng`. ## Wildcards When you create an application for a specific subdomain or path, you can use asterisks (`*`) as wildcards. Wildcards allow you to extend the application you are creating to multiple subdomains or paths in a given apex domain. ### Examples #### Match all subdomains of an apex domain A wildcard in the **Subdomain** field only matches that specific subdomain level. It does not cover the apex domain or multiple levels of the subdomain. If you want to cover multiple subdomain levels, you can use multiple wildcards. | Application | Covers | Does not cover | | -------------- | ---------------------------------- | ------------------------------- | | \*.example.com | alpha.example.com beta.example.com | example.com foo.bar.example.com | #### Match all paths of an apex domain To protect an apex domain and all of the paths under it, leave the **Path** field empty. Alternatively, use a wildcard in the **Path** field. | Application | Covers | Does not cover | | ------------------------------ | ---------------------------------------------- | ----------------- | | example.com or example.com/\* | example.com example.com/alpha example.com/beta | alpha.example.com | #### Match multi-level subdomains Using a wildcard in the **Subdomain** field does not cover the parent subdomain nor the apex domain. | Application | Covers | Does not cover | | ------------------- | -------------------------------------------- | ---------------------------- | | \*.test.example.com | alpha.test.example.com beta.test.example.com | test.example.com example.com | #### Partially match subdomains Using a wildcard at the beginning or end of the **Subdomain** field does not cover multiple levels of the subdomain. | Application | Covers | Does not cover | | ------------------ | -------------------------------------- | --------------------- | | \*test.example.com | test.example.com alphatest.example.com | beta.test.example.com | #### Match multi-level paths Using a wildcard in the **Path** field does not cover the parent path nor the apex domain. | Application | Covers | Does not cover | | -------------------- | ------------------------------------------- | ----------------------------- | | example.com/alpha/\* | example.com/alpha/one example.com/alpha/two | example.com/alpha example.com | #### Partially match paths Using a wildcard in the middle of the **Path** field covers multiple segments of the URL. | Application | Covers | | --------------------- | ------------------------------------------------------------------- | | example.com/foo\*/bar | example.com/foo/bar example.com/food/bar example.com/food/stuff/bar | ### Limitations * At most one wildcard in between each dot in the **Subdomain**. For example, `foo*bar*baz.example.com` is not allowed. * At most one wildcard in between each slash in the **Path**. For example, `example.com/foo*bar*baz` is not allowed. ## Subdomain setups [Subdomain setups](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/) allow you to manage a child domain separately from its parent domain. In Access application paths, your configured child domains will appear in the **Domain** dropdown menu. If you [split out a subdomain](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/setup/) which already has an Access application, you will need to re-save the Access application to associate it with the new child domain. ## Unsupported URLs ### Port numbers Port numbers are not supported in Access application paths. If a request includes a port number in the URL, Access will strip the port number and redirect the request to the default HTTP/HTTPS port. ### Query strings Query strings (such as`?foo=bar`) are not supported in Access application paths. ### Anchor links Since anchor links are processed by the browser and not the server, Access applications do not support `#` characters in the URL. For example, requests to `dashboard.com/#settings` will redirect to `dashboard.com`. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/policies/app-paths/","name":"Application paths"}}]} ``` --- --- title: External Evaluation rules description: With Cloudflare Access, you can create Allow or Block policies which evaluate the user based on custom criteria. This is done by adding an External Evaluation rule to your policy. The External Evaluation selector requires two values: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ JavaScript ](https://developers.cloudflare.com/search/?tags=JavaScript)[ JSON web token (JWT) ](https://developers.cloudflare.com/search/?tags=JSON%20web%20token%20%28JWT%29) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/external-evaluation.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # External Evaluation rules With Cloudflare Access, you can create Allow or Block policies which evaluate the user based on custom criteria. This is done by adding an **External Evaluation** rule to your policy. The **External Evaluation** selector requires two values: * **Evaluate URL** — the API endpoint containing your business logic. * **Keys URL** — the key that Access uses to verify that the response came from your API After the user authenticates with your identity provider, Access sends the user's identity to the external API at **Evaluate URL**. The external API returns a True or False response to Access, which will then allow or deny access to the user. To protect against man-in-the-middle attacks, Access signs all requests with your Access account key and checks that responses are signed by the key at **Keys URL**. You can set up External Evaluation rules using any API service, but to get started quickly we recommend using [Cloudflare Workers](https://developers.cloudflare.com/workers/). ## Set up external API and key with Cloudflare Workers ### Prerequisites * [Workers account](https://developers.cloudflare.com/workers/get-started/guide/) * Install [npm ↗](https://docs.npmjs.com/getting-started) * Install [Node.js ↗](https://nodejs.org/en/) * Application protected by Access ### 1\. Create a new Worker 1. Open a terminal and clone our example project. Terminal window ``` npm create cloudflare@latest my-worker -- --template https://github.com/cloudflare/workers-access-external-auth-example ``` 2. Go to the project directory. Terminal window ``` cd my-worker ``` 3. Create a [Workers KV namespace](https://developers.cloudflare.com/kv/concepts/kv-namespaces/) to store the key. The binding name should be `KV` if you want to run the example as written. Terminal window ``` npx wrangler kv namespace create "KV" ``` The command will output the binding name and KV namespace ID, for example ``` [[kv_namespaces]] binding = "KV" id = "YOUR_KV_NAMESPACE_ID" ``` 4. Open the [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/) in an editor and insert the following: * `[[kv_namespaces]]`: Add the output generated in the previous step. * ``: your Cloudflare One team name. * [ wrangler.jsonc ](#tab-panel-3436) * [ wrangler.toml ](#tab-panel-3437) ``` { "$schema": "./node_modules/wrangler/config-schema.json", "name": "my-worker", "workers_dev": true, // Set this to today's date "compatibility_date": "2026-04-03", "main": "index.js", "kv_namespaces": [ { "binding": "KV", "id": "YOUR_KV_NAMESPACE_ID" } ], "vars": { "TEAM_DOMAIN": ".cloudflareaccess.com", "DEBUG": false } } ``` ``` "$schema" = "./node_modules/wrangler/config-schema.json" name = "my-worker" workers_dev = true # Set this to today's date compatibility_date = "2026-04-03" main = "index.js" [[kv_namespaces]] binding = "KV" id = "YOUR_KV_NAMESPACE_ID" [vars] TEAM_DOMAIN = ".cloudflareaccess.com" DEBUG = false ``` ### 2\. Program your business logic 1. Open `index.js` and modify the `externalEvaluation` function to perform logic on any identity-based data sent by Access. Note * Sample code is available in our [GitHub repository ↗](https://github.com/cloudflare/workers-access-external-auth-example). * To view a list of identity-based data fields, log in to your Access application and append `/cdn-cgi/access/get-identity` to the URL. For example, if `www.example.com` is behind Access, visit `https://www.example.com/cdn-cgi/access/get-identity`. 1. Deploy the Worker to Cloudflare's global network. Terminal window ``` npx wrangler deploy ``` The Worker will be deployed to your `*.workers.dev` subdomain at `my-worker..workers.dev`. ### 3\. Generate a key To generate an RSA private/public key pair: 1. Open a browser and go to `https://my-worker..workers.dev/keys`. 2. (Optional) Verify that the key has been stored in the `KV` namespace: 1. In the Cloudflare dashboard, go to the **Workers KV** page.[ Go to **Workers KV** ](https://dash.cloudflare.com/?to=/:account/workers/kv/namespaces) 2. Select **View** next to `my-worker-KV`. Other key formats (such as DSA) are not supported at this time. ### 4\. Create an External Evaluation rule 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Policies**. 2. Edit an existing policy or select **Add a policy**. 3. Add the following rule to your policy: | Rule Type | Selector | Evaluate URL | Keys URL | | --------- | ------------------- | ------------------------------------------------ | ----------------------------------------------------- | | Include | External Evaluation | https://my-worker..workers.dev/ | https://my-worker..workers.dev/keys/ | 1. Save the policy. 2. Go to **Access controls** \> **Applications** and edit the application for which you want to apply the External Evaluation rule. 3. In the **Policies** tab, add the policy that contains the External Evaluation rule. 4. Select **Save application**. When a user logs in to your application, Access will now check their email, device, location, and other identity-based data against your business logic. ### Troubleshooting the Worker To debug your External Evaluation rule: 1. Go to your Worker directory. Terminal window ``` cd my-worker ``` 2. Open the [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/) in an editor and set the `debug` variable to `TRUE`. 3. Deploy your changes. Terminal window ``` npx wrangler deploy ``` 4. Next, start a session to output realtime logs from your Worker. Terminal window ``` wrangler tail -f pretty ``` 5. Log in to your Access application. The session logs should show an incoming and outgoing JWT. The incoming JWT was sent by Access to the Worker API, while the outgoing JWT was sent by the Worker back to Access. 6. To decode the contents of a JWT, you can copy the token into [jwt.io ↗](https://jwt.io/). The incoming JWT should contain the user's identity data. The outgoing JWT should look similar to: JavaScript ``` { "success": true, "iat": 1655409315, "exp": 1655409375, "nonce": "9J2E9Xg6wYj8tlnA5MV4Zgp6t8rzmS0Q" } ``` Access checks the outgoing JWT for all of the following criteria: * Token was signed by **Keys URL**. * Expiration date has not elapsed. * API returns `"success": true`. * `nonce` is unchanged from the incoming JWT. The `nonce` value is unique per request. If any condition fails, the External Evaluation rule evaluates to false. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/policies/external-evaluation/","name":"External Evaluation rules"}}]} ``` --- --- title: Rule groups description: A rule group is a collection of Access rules that can be configured once and then quickly applied across many Access policies. Rule groups use the same rule types and selectors shown in the Access policy builder. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/groups.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Rule groups A rule group is a collection of Access rules that can be configured once and then quickly applied across many Access policies. Rule groups use the same [rule types](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#rule-types) and [selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) shown in the Access policy builder. Note Rule groups are distinct from groups in your identity provider, like Okta groups. Rule groups can contain a mix of individual users, groups from identity providers, and service authentication options like service tokens. ## Create a rule group To create an Access rule group: * [ Dashboard ](#tab-panel-3438) * [ API ](#tab-panel-3439) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Policies**, and select the **Rule groups** tab. 2. Select **Add a group**. 3. Enter a name for the group (for example, `Lisbon-team`). 4. Specify as many rules as needed to define your user group. For example, the following rules define a team based in Lisbon, Portugal: | Rule type | Selector | Value | | --------- | ---------------- | --------- | | Include | Country | Portugal | | Require | Emails Ending In | @team.com | 5. Select **Save**. Send a `POST` request to the [/access/groups](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/groups/methods/create/) endpoint: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Organizations, Identity Providers, and Groups Write` Create an Access group ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/groups" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Lisbon-team", "include": [ { "geo": { "country_code": "PT" } } ], "exclude": [], "require": [ { "email_domain": { "domain": "team.com" } } ], "is_default": false }' ``` You can now add this group to an Access policy using the _Rule groups_ selector. ## Use cases ### IP-based rules We recommend using rule groups to define any IP address-based rules you configure in policies. Keeping IP addresses in one place allows you to modify or remove addresses once, rather than in each policy, and reduces the potential for mistakes. Note If adding more than one IP address or range to a rule group, use an Include rule for the IPs. If you do not use an Include rule, the policy will require traffic to originate from all ranges. ### Country requirements You can create a rule group that consists of countries to allow or block. Access will treat the countries in the Include rule with an OR logical operator. When building policies for an Access application, you can assign this rule group to a Require policy to require at least one of the countries inside of the group. For an example policy, refer to [Require rules with OR operators](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#require-rules-with-or-operators). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/policies/groups/","name":"Rule groups"}}]} ``` --- --- title: Isolate self-hosted application description: With Access policies, you can require users to open self-hosted applications in a secure remote browser. Because the remote browser is directly integrated into our Secure Web Gateway platform, HTTP policies can be applied to isolated applications without needing to install the Cloudflare One Client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Isolate self-hosted application Note Requires [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). With Access policies, you can require users to open self-hosted applications in a secure [remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). Because the remote browser is directly integrated into our Secure Web Gateway platform, [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) can be applied to isolated applications without needing to install the Cloudflare One Client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data. ## Prerequisites Your browser must [allow third-party cookies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#allow-third-party-cookies-in-the-browser) on the application domain. ## Enable Browser Isolation 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**. 2. Under **Manage remote browser permissions**, select **Manage**. 3. Enable **Clientless Web Isolation**. 1. Go to **Access controls** \> **Applications**. 2. Choose a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) and select **Configure**. 3. Go to **Policies**. 4. Choose an [Allow policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and select **Configure**. 5. Under **Additional settings**, turn on **Isolate application**. 6. Save the policy. Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to [Check if a web page is isolated](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/#3-check-if-a-web-page-is-isolated). You can optionally add another Allow policy for users on managed devices who do not require isolation. ## Policies for isolated applications Traffic to the isolated Access application is filtered by your Gateway [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). Useful policies include: * [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to allow or block requests based on user identity. * [Data Loss Prevention policies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to log or block transmission of sensitive data. * [Isolation policies](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) to disable browser actions such as copy/paste, printing, or file downloads. For example, if your application is hosted on `internal.site.com`, the following policy blocks users from uploading and downloading credit card numbers within the remote browser: | Selector | Operator | Value | Logic | Action | | ----------- | -------- | --------------------- | ----- | ------ | | Domain | in | internal.site.com | And | Block | | DLP Profile | in | Financial Information | | | ## Product compatibility For a list of products that are incompatible with the **Isolate application** feature, refer to [Product Compatibility](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#product-compatibility) . ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/policies/isolate-application/","name":"Isolate self-hosted application"}}]} ``` --- --- title: Enforce MFA description: With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML)[ JSON web token (JWT) ](https://developers.cloudflare.com/search/?tags=JSON%20web%20token%20%28JWT%29)[ Authentication ](https://developers.cloudflare.com/search/?tags=Authentication) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Enforce MFA With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key. This feature is only available if you are using the following identity providers: * Okta * Microsoft Entra ID (formerly Azure AD) * OpenID Connect (OIDC) * SAML To enforce an MFA requirement to an application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/). 3. Go to **Policies**. 4. If your application already has a policy containing an identity requirement, find it and select **Configure**. Note The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/), email domain, or identity provider group. 5. Add the following rule to the policy: | Rule type | Selector | Value | | --------- | --------------------- | ------------------------------------ | | Require | Authentication method | mfa - multiple-factor authentication | 6. Save the policy. Important **What happens if the user fails to present the required MFA method?** Cloudflare Access will reject the user, even if they successfully login to the identity provider with an alternative method. ## Adding authentication methods into the JWT When users authenticate with their identity provider, the identity provider then shares their username with Cloudflare Access. Cloudflare Access then writes that value into the JSON Web Token (JWT) generated for the user. Certain identity providers can also share the multifactor authentication (MFA) method presented by the user to login. Cloudflare Access can add these values into the JWT and force. For example, if the user authenticated with their password and a physical hard key, the identity provider can send a confirmation to Cloudflare Access. Cloudflare Access then stores that method into the same JWT issued to the user. Cloudflare Access follows [RFC 8176 ↗](https://tools.ietf.org/html/rfc8176), Authentication Method Reference Values, to define authentication methods. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/policies/mfa-requirements/","name":"Enforce MFA"}}]} ``` --- --- title: Manage Access policies description: Access policies define the users who can log in to your Access applications. You can create, edit, or delete policies at any time and reuse policies across multiple applications. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manage Access policies Access policies define the users who can log in to your Access applications. You can create, edit, or delete policies at any time and reuse policies across multiple applications. ## Create a policy To create a reusable Access policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Policies**. 2. Select **Add a policy**. 3. Enter a **Policy name**. 4. Choose an [**Action**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#actions) for the policy. 5. Choose a [**Session duration**](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) for the policy. 6. Configure as many [**Rules**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#rule-types) as needed. 7. (Optional) Configure additional settings for users who match this policy: * [Isolate application](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/). * [Purpose justificaton](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/require-purpose-justification/) * [Temporary authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/temporary-auth/) 8. Select **Save**. You can now add this policy to an [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/). ## Edit a policy To make changes to an existing Access policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Policies**. 2. Locate the policy you want to update and select **Configure**. 3. Once you have made the necessary changes, select **Save**. The updated policy is now in effect for all associated Access applications. ## Delete a policy To delete a reusable Access policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Policies** and locate the policy you want to delete. 2. If the policy is used by an application, remove the policy from all associated applications. 3. Select **Delete**. 4. A pop-up message will ask you to confirm your decision to delete the policy. Select **Delete**. ## Test your policies You can test your Access policies against all existing user identities in your Zero Trust organization. For the policy tester to work, users must have logged into the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) or any other Access application at some point in time. Cloudflare will use the most recent device that was authenticated with Access to test your policies. ### Test a single policy The Access policy builder allows you to test your rules before saving any changes. To test an individual Access policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Policies**. 2. Locate the policy you want to test and select **Configure**. 3. Go to **Policy tester** and select **Test policies**. The policy tester reports the percentage of active users who are allowed or denied access to an application based on this policy. You can expand the test results to view a list of allowed or blocked users. ### Test all policies in an application You can test your Access application policies against your user population before deploying changes to your users. After saving your changes, you can also perform a more detailed policy test for a specific user. To test if users have access to an application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Locate the application you want to test and select **Configure**. 3. Go to **Policies** \> **Policy tester**. 4. To test all active users in your organization, select **Test policies**. The policy tester reports the percentage of users who are allowed or denied access to this application based on all configured policies. You can expand the test results to view a list of allowed or blocked users. 5. To perform a detailed test on a single user: a. If you made any changes to your policies, first save the application. b. Select **testing a single user**. c. Enter their email address and select **Test policies**. The single user test results will show: * Whether the user is allowed or denied access to this application based on all configured policies. * The user's identity from their most recent Access login attempt. * Whether the user matches individual Allow, Block, or Bypass policies. ## Legacy policies Legacy policies are scoped to a specific application and cannot be added to newly created Access applications. ### Migrate to reusable policies To migrate legacy policies to reusable policies: 1. [Create a reusable policy](#create-a-policy) that will replace the legacy policy. 2. Go to the Access application associated with the legacy policy. 3. Add the reusable policy to the application and remove the legacy policy. 4. Repeat these steps for each legacy policy. If you have duplicate legacy policies, you can replace them with a single reusable policy. ### Convert a legacy policy You can use the API to convert a legacy policy into a reusable policy. To convert a legacy policy, make a `PUT` request with an empty request body: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Apps and Policies Write` Convert an Access application policy to a reusable policy ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID/policies/$POLICY_ID/make_reusable" \ --request PUT \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` The policy is now removed from the applications endpoint (`/access/apps/$APP_ID/policies`) and managed using the [reusable policies endpoints](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/policies/)(`/access/policies/$POLICY_ID`). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/policies/policy-management/","name":"Manage Access policies"}}]} ``` --- --- title: Require purpose justification description: Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for who is accessing their resources, but also for why they are requesting access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/require-purpose-justification.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Require purpose justification Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for who is accessing their resources, but also for why they are requesting access. The purpose justification screen will show for any new sessions of an application. For example, if an Access application has a session time of eight hours, a user will see the purpose justification screen once every eight hours. Configuring a purpose justification screen is done as part of configuring an Access policy. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Choose an application and select **Configure**. 3. Go to **Policies**. 4. Choose an **Allow** policy and select **Configure**. 5. Under **Additional settings**, turn on **Purpose justification**. 6. (Optional) Set a custom purpose justification message. This will appear on the purpose justification screen and will be visible to the user. 7. Save the policy. Users who match this policy will see the following screen: ![Finalized purpose justification screen displaying custom message.](https://developers.cloudflare.com/_astro/purpose-justification.Bgv25E7i_nwUeM.webp) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/policies/require-purpose-justification/","name":"Require purpose justification"}}]} ``` --- --- title: Temporary authentication description: With Cloudflare Access, you can require that users obtain approval before they can access a specific self-hosted application or SaaS application. The administrator will receive an email notification to approve or deny the request. Unlike a typical Allow policy, the user will have to request access at the end of each session. This allows you to define the users who should have persistent access and those who must request temporary access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Authentication ](https://developers.cloudflare.com/search/?tags=Authentication) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/policies/temporary-auth.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Temporary authentication With Cloudflare Access, you can require that users obtain approval before they can access a specific self-hosted application or SaaS application. The administrator will receive an email notification to approve or deny the request. Unlike a typical Allow policy, the user will have to request access at the end of each session. This allows you to define the users who should have persistent access and those who must request temporary access. ## Set up temporary authentication 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Choose a **Self-hosted** or **SaaS** application and select **Configure**. 3. Choose an **Allow** policy and select **Configure**. 4. Under **Additional settings**, turn on [**Purpose justification**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/require-purpose-justification/). 5. Turn on **Temporary authentication**. 6. Enter the **Email addresses of the approvers**. Note Your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/). 7. Save the policy. Temporary authentication is now enabled for users who match this policy. You can optionally add a second **Allow** policy for users who should have persistent access. Be sure the policy order is set to allow persistent users through. ## Temporary authentication requests ![Temporary authentication request page shown to users](https://developers.cloudflare.com/_astro/temp-auth-request.WnwXx8ul_1vy5pt.webp) Approvers will receive a request similar to the example below. The approver can then grant access for a set amount of time, up to a maximum of 24 hours. ![Temporary authentication approval page shown to administrators](https://developers.cloudflare.com/_astro/temp-auth-approval.D0-hjStz_1KlkRx.webp) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/policies/","name":"Policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/policies/temporary-auth/","name":"Temporary authentication"}}]} ``` --- --- title: Mutual TLS description: Mutual TLS (mTLS) authentication ensures that traffic is both secure and trusted in both directions between a client and server. It allows requests that do not log in with an identity provider (like IoT devices) to demonstrate that they can reach a given resource. Client certificate authentication is also a second layer of security for team members who both log in with an identity provider (IdP) and present a valid client certificate. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ mTLS ](https://developers.cloudflare.com/search/?tags=mTLS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Mutual TLS [Mutual TLS (mTLS) authentication ↗](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) ensures that traffic is both secure and trusted in both directions between a client and server. It allows requests that do not log in with an identity provider (like IoT devices) to demonstrate that they can reach a given resource. Client certificate authentication is also a second layer of security for team members who both log in with an identity provider (IdP) and present a valid client certificate. With a root certificate authority (CA) in place, Access only allows requests from devices with a corresponding client certificate. When a request reaches the application, Access responds with a request for the client to present a certificate. If the device fails to present the certificate, the request is not allowed to proceed. If the client does have a certificate, Access completes a key exchange to verify. ![mTLS handshake diagram](https://developers.cloudflare.com/_astro/mtls.BbZYLY1o_tux4L.webp) Important The mTLS certificate is used only to verify the client certificate. It does not control the SSL certificate presented during the [server hello ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). ## Enforce mTLS authentication ### Prerequisites * An [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the hostname that you would like to secure with mTLS. * A CA that issues client certificates for your devices. * The CA certificate can be from a publicly trusted CA or self-signed. * In the certificate `Basic Constraints`, the attribute `CA` must be set to `TRUE`. * The certificate must use one of the signature algorithms listed below: Allowed signature algorithms `x509.SHA1WithRSA` `x509.SHA256WithRSA` `x509.SHA384WithRSA` `x509.SHA512WithRSA` `x509.ECDSAWithSHA1` `x509.ECDSAWithSHA256` `x509.ECDSAWithSHA384` `x509.ECDSAWithSHA512` ### Add mTLS to your Access application 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Service credentials** \> **Mutual TLS**. 2. Select **Add mTLS Certificate**. 3. Enter any name for the root CA. 4. In **Certificate content**, paste the contents of your root CA. If the client certificate is directly signed by the root CA, you only need to upload the root. If the client certificate is signed by an intermediate certificate, you must upload the entire CA chain (intermediate and root). For example: ``` -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` Do not include any SSL/TLS server certificates; Access only uses the CA chain to verify the connection between the user's device and Cloudflare. 1. In **Associated hostnames**, enter the fully-qualified domain names (FQDN) that will use this certificate. These FQDNs will be the hostnames used for the resources being protected in the [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). You must associate the Root CA with the FQDN that the application being protected uses. 2. Save the policy. 3. Go to **Access controls** \> **Policies**. 4. [Create an Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) using one of the following [selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors): * **Valid Certificate**: Any client certificate that can authenticate with the Root CA will be allowed to proceed. * **Common Name**: Only client certificates with a specific common name will be allowed to proceed. 5. If this is for a client who does not need to log in through an IdP, set the policy **Action** to _Service Auth_. **Example mTLS policy** | Action | Rule type | Selector | Value | | ------------ | --------- | ----------- | -------- | | Service Auth | Include | Common Name | John Doe | 6. Save the policy, then go to **Access controls** \> **Applications**. 7. Select the application you would like to enforce mTLS on and select **Configure**. The application must be included in the **Associated hostnames** list from Step 5. 8. In the **Policies** tab, add your mTLS policy. 9. Save the application. You can now authenticate to the application using a client certificate. For instructions on how to present a client certificate, refer to [Test mTLS](#test-mtls). ## Test mTLS ### Test using cURL To test the application protected by an mTLS policy: 1. First, attempt to curl the site without a client certificate. This curl command example is for the site `example.com` that has an [Access application and policy](#add-mtls-to-your-access-application) set for `https://auth.example.com`: Terminal window ``` curl -sv https://auth.example.com ``` Without a client certificate in the request, a `403 forbidden` response displays and the site cannot be accessed. 2. Now, add your client certificate and key to the request: Terminal window ``` curl -sv https://auth.example.com --cert example.pem --key key.pem ``` When the authentication process completes successfully, a `CF_Authorization Set-Cookie` header returns in the response. Warning Cloudflare Gateway cannot inspect traffic to mTLS-protected domains. If a device has the Cloudflare One Client turned on and passes HTTP requests through Gateway, access will be blocked unless you [bypass HTTP inspection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for the domain. ### Test in a browser To access an mTLS-protected application in a browser, the client certificate must be imported into your browser's certificate manager. Instructions vary depending on the browser. Your browser may use the operating system's root store or its own internal trust store. The following example demonstrates how to add a client certificate to the macOS system keychain: Important The command adds the client certificate to the trusted store on your device. Only proceed if you are comfortable doing so and intend to keep these testing certificates safeguarded. 1. Navigate to the directory containing the client certificate and key. 1. Open the `client.pem` file in Keychain Access. If prompted, enter your local password. 2. In **Keychain**, choose the access option that suits your needs and select **Add**. 3. In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select **Get Info**. 4. Select **Trust**. Under **When using this certificate**, select _Always Trust_. Assuming your browser uses the macOS system store, you can now connect to the mTLS application through the browser. ## Generate mTLS certificates You can use open source private key infrastructure (PKI) tools to generate certificates to test the mTLS feature in Cloudflare Access. ### OpenSSL This section covers how to use [OpenSSL ↗](https://www.openssl.org/) to generate a root and intermediate certificate, and then issue client certificates that can authenticate against the CA chain. #### Generate the root CA 1. Generate the root CA private key: Terminal window ``` openssl genrsa -aes256 -out rootCA.key 4096 ``` When prompted, enter a password to use with `rootCA.key`. 2. Create a self-signed root certificate called `rootCA.pem`: Terminal window ``` openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem ``` You will be prompted to enter your private key password and fill in some optional fields. For testing purposes, you can leave the optional fields blank. #### Generate an intermediate certificate 1. Generate the intermediate CA private key: Terminal window ``` openssl genrsa -aes256 -out intermediate.key 4096 ``` When prompted, enter a password to use with `intermediate.key`. 2. Create a certificate signing request (CSR) for the intermediate certificate: Terminal window ``` openssl req -new -sha256 -key intermediate.key -out intermediate.csr ``` You will be prompted to enter your private key password and fill in some optional fields. For testing purposes, you can leave the optional fields blank. 3. Create a CA Extension file called `v3_intermediate_ca.ext`. For example, ``` subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, cRLSign, keyCertSign ``` Make sure that `basicConstraints` includes the `CA:true` property. This property allows the intermediate certificate to act as a CA and sign client certificates. 4. Sign the intermediate certificate with the root CA: Terminal window ``` openssl x509 -req -in intermediate.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out intermediate.pem -days 1825 -sha256 -extfile v3_intermediate_ca.ext ``` #### Create a CA chain file 1. Combine the intermediate and root certificates into a single file: Terminal window ``` cat intermediate.pem rootCA.pem > ca-chain.pem ``` The intermediate certificate should be at the top of the file, followed by its signing certificate. 2. Upload the contents of `ca-chain.pem` to Cloudflare Access. For instructions, refer to [Add mTLS to your Access application](#add-mtls-to-your-access-application). #### Generate a client certificate 1. Generate a private key for the client: Terminal window ``` openssl genrsa -out client.key 2048 ``` 2. Create a CSR for the client certificate: Terminal window ``` openssl req -new -key client.key -out client.csr ``` You will be prompted to fill in some optional fields. For testing purposes, you can set **Common Name** to something like `John Doe`. 3. Sign the client certificate with the intermediate certificate: Terminal window ``` openssl x509 -req -in client.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out client.pem -days 365 -sha256 ``` 4. Validate the client certificate against the certificate chain: Terminal window ``` openssl verify -CAfile ca-chain.pem client.pem ``` ``` client.pem: OK ``` You can now use the client certificate (`client.pem`) and its key (`client.key`) to [test mTLS](#test-mtls). ### Cloudflare PKI This guide uses [Cloudflare's PKI toolkit ↗](https://github.com/cloudflare/cfssl) to generate a root CA and client certificates from JSON files. #### 1\. Install dependencies The process requires two packages from Cloudflare's PKI toolkit: * `cf-ssl` * `cfssljson` You can install these packages from the [Cloudflare SSL GitHub repository ↗](https://github.com/cloudflare/cfssl). You will need a working installation of Go, version 1.12 or later. Alternatively, you can [download the packages ↗](https://github.com/cloudflare/cfssl) directly. Use the instructions under Installation to install the toolkit, and ensure that you install all of the utility programs in the toolkit. #### 2\. Generate the root CA 1. Create a new directory to store the root CA. 2. Within that directory, create two new files: * **CSR**. Create a file named `ca-csr.json` and add the following JSON blob, then save the file. ``` { "CN": "Access Testing CA", "key": { "algo": "rsa", "size": 4096 }, "names": [ { "C": "US", "L": "Austin", "O": "Access Testing", "OU": "TX", "ST": "Texas" } ] } ``` * **config**. Create a file named `ca-config.json` and add the following JSON blob, then save the file. ``` { "signing": { "default": { "expiry": "8760h" }, "profiles": { "server": { "usages": ["signing", "key encipherment", "server auth"], "expiry": "8760h" }, "client": { "usages": ["signing", "key encipherment", "client auth"], "expiry": "8760h" } } } } ``` 3. Now, run the following command to generate the root CA with those files. Terminal window ``` cfssl gencert -initca ca-csr.json | cfssljson -bare ca ``` 4. The command will output a root certificate (`ca.pem`) and its key (`ca-key.pem`). Terminal window ``` ls ``` ``` ca-config.json ca-csr.json ca-key.pem ca.csr ca.pem ``` 5. Upload the contents of `ca.pem` to Cloudflare Access. For instructions, refer to [Add mTLS to your Access application](#add-mtls-to-your-access-application). #### 3\. Generate a client certificate To generate a client certificate that will authenticate against the uploaded root CA: 1. Create a file named `client-csr.json` and add the following JSON blob: ``` { "CN": "James Royal", "hosts": [""], "key": { "algo": "rsa", "size": 4096 }, "names": [ { "C": "US", "L": "Austin", "O": "Access", "OU": "Access Admins", "ST": "Texas" } ] } ``` 2. Now, use the following command to generate a client certificate with the Cloudflare PKI toolkit: Terminal window ``` cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client ``` The command will output a client certificate file (`client.pem`) and its key (`client-key.pem`). You can now use these files to [test mTLS](#test-mtls). #### Create a certificate revocation list You can use the Cloudflare PKI toolkit to generate a certificate revocation list (CRL), as well. This list will contain client certificates that are revoked. 1. Get the serial number from the client certificate generated earlier. Add that serial number, or any others you intend to revoke, in hex format in a text file. This example uses a file named `serials.txt`. 2. Create the CRL with the following command. Terminal window ``` cfssl gencrl serials.txt ../mtls-test/ca.pem ../mtls-test/ca-key.pem | base64 -D > ca.crl ``` You will need to add the CRL to your server or enforce the revocation in a Cloudflare Worker. An example Worker Script can be found on the [Cloudflare GitHub repository ↗](https://github.com/cloudflare/access-crl-worker-template). ## Add Client-Cert and Client-Cert-Chain headers (RFC 9440) [RFC 9440 ↗](https://datatracker.ietf.org/doc/html/rfc9440) defines the `Client-Cert` and `Client-Cert-Chain` HTTP header fields for passing client certificate information to origin servers. You can construct these headers using [request header modification rules](https://developers.cloudflare.com/rules/transform/request-header-modification/) with the following Ruleset Engine fields: * [cf.tls\_client\_auth.cert\_rfc9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440/) — The client leaf certificate encoded in RFC 9440 formatting (see reference). * [cf.tls\_client\_auth.cert\_chain\_rfc9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440/) — The certificate chain (excluding the leaf certificate) encoded in RFC 9440 formatting (see reference). As indicated in field definitions, the fields may be set to either an empty string or a valid RFC 9440 encoding. Proper usage depends on a couple of factors discussed in the following sections. ### Security considerations Important Before constructing `Client-Cert` or `Client-Cert-Chain` headers, you must address the following security concerns. Failing to do so can expose your origin server to forged or unverified certificate data. The `cert_rfc9440` and `cert_chain_rfc9440` fields are populated **regardless of the certificate validation result**. This means a client can present an invalid, expired, or self-signed certificate, and the fields will still contain the encoded certificate data. Always check the following fields before trusting the values: * [cf.tls\_client\_auth.cert\_verified](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fverified/) — Returns `true` when the client certificate is valid. * [cf.tls\_client\_auth.cert\_revoked](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frevoked/) — Returns `true` when the client certificate has been revoked. A client can also include its own `Client-Cert` or `Client-Cert-Chain` headers on a request to inject arbitrary values. As described in the [RFC 9440 security considerations ↗](https://datatracker.ietf.org/doc/html/rfc9440#name-security-considerations), you must unconditionally remove any existing `Client-Cert` and `Client-Cert-Chain` headers from incoming requests, regardless of certificate validity. This prevents a client from injecting forged certificate data that your origin would trust. See [Enable mTLS](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/) for details on how to configure mTLS and certificate validation. ### Size limits The encoded leaf certificate is limited to 10 KiB and the encoded chain is limited to 16 KiB. If the encoded value exceeds the limit, the corresponding field contains an empty string. Use the following fields to check for this condition: * [cf.tls\_client\_auth.cert\_rfc9440\_too\_large](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440%5Ftoo%5Flarge/) — Returns `true` when the encoded certificate exceeds 10 KiB. * [cf.tls\_client\_auth.cert\_chain\_rfc9440\_too\_large](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440%5Ftoo%5Flarge/) — Returns `true` when the encoded chain exceeds 16 KiB. ### Example Transform Rules Here we provide an example on how to securely use these fields to construct trusted `Client-Cert` and `Client-Cert-Chain` headers to be forwarded to your origin. The origin can then rely on the presence of the headers to be certain the client presented a valid certificate. Note: the `Client-Cert-Chain` header may be omitted when the client did not present any intermediates (only a leaf certificate). You need to create the following request header modification rules. The **Remove** rules must be placed before the **Set dynamic** rules so that client-injected headers are stripped on every request before the validated values are set. #### Rule 1 — Remove Client-Cert header This rule unconditionally removes any `Client-Cert` header sent by the client. Text in **Expression Editor**: ``` true ``` Selected operation under **Modify request header**: _Remove_ **Header name**: `Client-Cert` #### Rule 2 — Remove Client-Cert-Chain header This rule unconditionally removes any `Client-Cert-Chain` header sent by the client. Text in **Expression Editor**: ``` true ``` Selected operation under **Modify request header**: _Remove_ **Header name**: `Client-Cert-Chain` #### Rule 3 — Set Client-Cert header This rule sets the `Client-Cert` header only when the client presented a valid, non-revoked certificate that is within the size limit. Text in **Expression Editor**: ``` cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked and not cf.tls_client_auth.cert_rfc9440_too_large ``` Selected operation under **Modify request header**: _Set dynamic_ **Header name**: `Client-Cert` **Value**: `cf.tls_client_auth.cert_rfc9440` #### Rule 4 — Set Client-Cert-Chain header This rule sets the `Client-Cert-Chain` header only when the client presented a valid, non-revoked certificate and the chain is non-empty and within the size limit. Text in **Expression Editor**: ``` cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked and cf.tls_client_auth.cert_chain_rfc9440 ne "" and not cf.tls_client_auth.cert_chain_rfc9440_too_large ``` Selected operation under **Modify request header**: _Set dynamic_ **Header name**: `Client-Cert-Chain` **Value**: `cf.tls_client_auth.cert_chain_rfc9440` ### Cloudflare Workers You can also construct RFC 9440 headers in a [Cloudflare Worker](https://developers.cloudflare.com/workers/)using the [tlsClientAuth](https://developers.cloudflare.com/ssl/client-certificates/client-certificate-variables/#workers-variables)properties on the incoming request. The same security considerations mentioned above apply. ## Forward a client certificate (legacy) In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging. To avoid adding the certificate to every single request, the certificate is only forwarded on the first request of an mTLS connection. Warning This process is only available on accounts with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/). ### Cloudflare API The most common approach to forwarding a certificate is to use the Cloudflare API to [update an mTLS certificate's hostname settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/certificates/subresources/settings/methods/update/). Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Mutual TLS Certificates Write` Update an mTLS certificate's hostname settings ``` curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/access/certificates/settings" \ --request PUT \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ --json '{ "settings": [ { "hostname": "", "china_network": false, "client_certificate_forwarding": true } ] }' ``` Once `client_certificate_forwarding` is set to `true`, every request within an mTLS connection will now include the following headers: * `Cf-Client-Cert-Der-Base64` * `Cf-Client-Cert-Sha256` Note The `Cf-Client-Cert-Der-Base64` and `Cf-Client-Cert-Sha256` headers are a Cloudflare-proprietary mechanism. For a standardized approach, use [RFC 9440 Client-Cert and Client-Cert-Chain headers](https://developers.cloudflare.com/ssl/client-certificates/forward-a-client-certificate/#add-client-cert-and-client-cert-chain-headers-rfc-9440). ### Managed Transforms You can also [modify HTTP response headers](https://developers.cloudflare.com/rules/transform/response-header-modification/) using Managed Transforms to pass along **TLS client auth headers**. ### Cloudflare Workers Additionally, Workers can provide details around the [client certificate](https://developers.cloudflare.com/workers/runtime-apis/bindings/mtls/). JavaScript ``` const tlsHeaders = { "X-CERT-ISSUER-DN": request.cf.tlsClientAuth.certIssuerDN, "X-CERT-SUBJECT-DN": request.cf.tlsClientAuth.certSubjectDN, "X-CERT-ISSUER-DN-L": request.cf.tlsClientAuth.certIssuerDNLegacy, "X-CERT-SUBJECT-DN-L": request.cf.tlsClientAuth.certSubjectDNLegacy, "X-CERT-SERIAL": request.cf.tlsClientAuth.certSerial, "X-CERT-FINGER": request.cf.tlsClientAuth.certFingerprintSHA1, "X-CERT-VERIFY": request.cf.tlsClientAuth.certVerify, "X-CERT-NOTBE": request.cf.tlsClientAuth.certNotBefore, "X-CERT-NOTAF": request.cf.tlsClientAuth.certNotAfter, }; ``` ## Known limitations mTLS does not currently work for: * Cloudflare Pages site served on a [custom domain](https://developers.cloudflare.com/pages/configuration/custom-domains/) * Cloudflare R2 public bucket served on a [custom domain](https://developers.cloudflare.com/r2/buckets/public-buckets/#connect-a-bucket-to-a-custom-domain) ## Notifications for mutual TLS certificates Cloudflare will send the following [notifications](https://developers.cloudflare.com/notifications/) before your mutual TLS certificates expire: Access mTLS Certificate Expiration Alert **Who is it for?** [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) customers that use client certificates for mutual TLS authentication. This notification will be sent 30 and 14 days before the expiration of the certificate. **Other options / filters** None. **Included with** Purchase of [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) and/or [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/). **What should you do if you receive one?** Upload a [renewed certificate](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/service-credentials/","name":"Service credentials"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/","name":"Mutual TLS"}}]} ``` --- --- title: Service tokens description: You can provide automated systems with service tokens to authenticate against your Cloudflare One policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ JSON web token (JWT) ](https://developers.cloudflare.com/search/?tags=JSON%20web%20token%20%28JWT%29)[ Authentication ](https://developers.cloudflare.com/search/?tags=Authentication) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/service-credentials/service-tokens.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Service tokens You can provide automated systems with service tokens to authenticate against your Cloudflare One policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access. This section covers how to create, renew, and revoke a service token. ## Create a service token * [ Dashboard ](#tab-panel-3440) * [ API ](#tab-panel-3441) * [ Terraform (v5) ](#tab-panel-3442) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Service credentials** \> **Service Tokens**. 2. Select **Create Service Token**. 3. Name the service token. The name allows you to easily identify events related to the token in the logs and to revoke the token individually. 4. Choose a **Service Token Duration**. This sets the expiration date for the token. 5. Select **Generate token**. You will see the generated Client ID and Client Secret for the service token, as well as their respective request headers. 6. Copy the Client Secret. Warning This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token. 1. Make a `POST` request to the [Access Service Tokens](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/service%5Ftokens/methods/create/) endpoint: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Service Tokens Write` Create a service token ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "CI/CD token", "duration": "8760h" }' ``` 2. Copy the `client_id` and `client_secret` values returned in the response. Response ``` "result": { "client_id": "88bf3b6d86161464f6509f7219099e57.access", "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", "created_at": "2025-09-25T22:26:26Z", "expires_at": "2026-09-25T22:26:26Z", "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", "name": "CI/CD token", "updated_at": "2025-09-25T22:26:26Z", "duration": "8760h", "client_secret_version": 1 } ``` Warning This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken): * `Access: Service Tokens Write` 2. Configure the [cloudflare\_zero\_trust\_access\_service\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fservice%5Ftoken) resource: ``` resource "cloudflare_zero_trust_access_service_token" "example_service_token" { account_id = var.cloudflare_account_id name = "Example service token" duration = "8760h" lifecycle { create_before_destroy = true } } ``` 3. Get the Client ID and Client Secret of the service token: Example: Output to CLI 1. Output the Client ID and Client Secret to the Terraform state file: ``` output "example_service_token_client_id" { value = cloudflare_zero_trust_access_service_token.example_service_token.client_id } output "example_service_token_client_secret" { value = cloudflare_zero_trust_access_service_token.example_service_token.client_secret sensitive = true } ``` 2. Apply the configuration: Terminal window ``` terraform apply ``` 3. Read the Client ID and Client Secret: Terminal window ``` terraform output -raw example_service_token_client_id ``` Terminal window ``` terraform output -raw example_service_token_client_secret ``` Example: Store in HashiCorp Vault ``` resource "vault_generic_secret" "example_service_token" { path = "kv/cloudflare/example_service_token" data_json = jsonencode({ "CLIENT_ID" = cloudflare_access_service_token.example_service_token.client_id "CLIENT_SECRET" = cloudflare_access_service_token.example_service_token.client_secret }) } ``` You can now configure your Access applications and [device enrollment permissions](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/#check-for-service-token) to accept this service token. Make sure to set the policy action to [**Service Auth**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth); otherwise, Access will prompt for an identity provider login. ## Connect your service to Access ### Initial request To authenticate to an Access application using your service token, add the following to the headers of any HTTP request: `CF-Access-Client-Id: ` `CF-Access-Client-Secret: ` For example, Terminal window ``` curl -H "CF-Access-Client-Id: " -H "CF-Access-Client-Secret: " https://app.example.com ``` If the service token is valid, Access generates a JWT scoped to the application in the form of a [CF\_Authorization cookie](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/). You can use this cookie to authenticate [subsequent requests](#subsequent-requests) to the application. #### Authenticate with a single header You can configure a self-hosted Access application to accept a service token in a single HTTP header, as an alternative to the `CF-Access-Client-Id` and `CF-Access-Client-Secret` pair of headers. This is useful for authenticating SaaS services that only support sending one custom header in a request (for example, the `Authorization` header). To authenticate using a single header: 1. Get your existing Access application configuration: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Apps and Policies Write` * `Access: Apps and Policies Read` Get an Access application ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \ --request GET \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` 2. Make a `PUT` request with the name of the header you want to use for service token authentication. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Apps and Policies Write` Update an Access application ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \ --request PUT \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "domain": "app.example.com", "type": "self_hosted", "read_service_tokens_from_header": "Authorization" }' ``` 3. Add the header to any HTTP request. For example, Terminal window ``` curl -H "Authorization: {\"cf-access-client-id\": \"\", \"cf-access-client-secret\": \"\"}" https://app.example.com ``` ### Subsequent requests After you have [authenticated to the application](#initial-request) using the service token, add the resulting `CF_Authorization` cookie to the headers of all subsequent requests: Terminal window ``` curl -H "cookie: CF_Authorization=" https://app.example.com ``` If you prefer to use a raw header, send the value as `cf-access-token`: Terminal window ``` curl -H "cf-access-token: " https://app.example.com ``` All requests with this cookie will succeed until the JWT expires. Note If your Access application only has Service Auth policies, you must send the service token on every subsequent request. You can only use the JWT if the application has at least one Allow policy. ## Renew service tokens Service tokens expire according to the token duration you selected when you created the token. To renew the service token: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Service credentials** \> **Service Tokens**. 2. Locate the token you want to renew. 3. To extend the token's lifetime by one year, select **Refresh**. 4. To extend the token's lifetime by more than a year: 1. Select **Edit**. 2. Choose a new **Service Token Duration**. 3. Select **Save**. The expiration date will be extended by the selected amount of time. ## Revoke service tokens If you need to revoke access before the token expires, simply delete the token. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Service credentials** \> **Service Tokens**. 2. **Delete** the token you need to revoke. Services that rely on a deleted service token can no longer reach your application. Note When editing an Access application, selecting **Revoke existing tokens** revokes existing sessions but does not prevent the user from starting a new session. As long as the Client ID and Client Secret are still valid, they can be exchanged for a new token on the next request. To revoke access, you must delete the service token. ## Set a token expiration alert An alert can be configured to notify a week before a service token expires to allow an administrator to invoke a token refresh. Expiring Access Service Token Alert **Who is it for?** [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) customers who want to receive a notification when their service token is about to expire. **Other options / filters** None. **Included with** Purchase of Access **What should you do if you receive one?** Extend the expiration date of the service token. For more details, refer to [Renew your service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/#renew-service-tokens). To configure a service token expiration alert: 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com), go to the **Notifications** page.[ Go to **Notifications** ](https://dash.cloudflare.com/?to=/:account/notifications) 2. Select **Add**. 3. Select _Expiring Access Service Token_. 4. Enter a name for your alert and an optional description. 5. (Optional) Add other recipients for the notification email. 6. Select **Save**. Your alert has been set and is now visible on the **Notifications** page. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/service-credentials/","name":"Service credentials"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/service-credentials/service-tokens/","name":"Service tokens"}}]} ``` --- --- title: Troubleshoot Access description: Resolve common issues with Cloudflare Access, including authentication loops, CORS errors, and identity provider integration problems. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/access-controls/troubleshooting.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshoot Access Review common troubleshooting scenarios for Cloudflare Access. ## Authentication and login ### AJAX/CORS errors Cloudflare Access requires that the `credentials: same-origin` parameter be added to JavaScript when using the Fetch API to include cookies. AJAX requests fail if this parameter is missing, resulting in an error such as `No Access-Control-Allow-Origin header is present on the requested resource`. For more information, refer to [CORS settings](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/). ### SAML verification failure The error `SAML Verify: Invalid SAML response, SAML Verify: No certificate selected to verify` occurs when the identity provider (IdP) does not include the signing public key in the SAML response. Cloudflare Access requires the public key to match the **Signing certificate** uploaded to Zero Trust. Configure your IdP to include the public key in the response. ### Identity provider user/group info error The error `Failed to fetch user/group information from the identity provider` occurs when Cloudflare lacks the necessary API permissions to communicate with your IdP. Review the [SSO integration guide](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) for your specific IdP and ensure the application has the correct permissions (for example, Microsoft Entra or Okta). ### Google Workspace redirect loop If you place your Google Workspace behind Access, you cannot use Google or Google Workspace as an identity provider for that application. This creates an infinite redirect cycle because both systems depend on each other to complete the login. ### Invalid session error The error `Invalid session. Please try logging in again` indicates that Access was unable to validate your `CF_Session` cookie. This can happen if software or a firewall on your device interferes with requests to Access. Ensure that the same browser instance is used to both initiate and complete the sign-in. ### Firefox Private Window Firefox's default tracking prevention in Private Windows may prevent the `CF_authorization` cookie from being sent, especially for XHR requests. To resolve this, you may need to exempt your application domain and your [team domain](https://developers.cloudflare.com/cloudflare-one/glossary/#team-name) from tracking protection. ### Workers routes on the login path If you have a Cloudflare Worker route assigned to your application's login path, the Worker may overwrite the `cf-authorization` cookie. To prevent this, ensure your Worker script does not modify or strip the `Set-Cookie` header for Access cookies. ## Identity providers ### OTP email not received If a user does not receive a one-time PIN (OTP) email: * **Policy denial**: If the user's email address does not match any **Allow** policies for the application, Cloudflare will not send an OTP email. The login page will still display a message saying the email was sent to prevent account enumeration. * **Email suppression**: The user's email may be on a suppression list due to previous delivery failures. Check your email logs or contact Support to clear suppressions. ### OTP code already used The error `This One-Time PIN has already been used` occurs when the OTP code has already been redeemed before the user enters it. OTP codes are single-use and expire 10 minutes after the initial request. This error most commonly occurs when an email security or anti-phishing tool on your network automatically follows links in emails, consuming the code before you have a chance to enter it. To resolve the issue, select **Request new code** on the login page. If the error recurs consistently, add `noreply@notify.cloudflare.com` to your email security tool's allowlist to prevent it from scanning Cloudflare authentication emails. For setup instructions, refer to [One-time PIN login](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/). ### Google Super Admin login If you use Access as the SSO provider for your Google Workspace, Google Super Admins cannot sign in via Access when accessing `admin.google.com`. Google requires Super Admins to use their original Google password to ensure they can always access the admin console. ### Missing SAML attributes If you receive a `Required attributes are missing` error during SAML authentication, verify that your IdP is sending the mandatory **email** attribute. Additionally, check for typos in attribute names (for example, `groups` vs `gropus`) in your [IdP configuration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). ## Applications and certificates ### SSH short-lived certificates The error `Error 0: Bad Request. Please create a ca for application` appears if a certificate has not been generated for the Access application. Refer to [SSH short-lived certificates](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/) to generate a CA for the application. ### SSH "Origin auth failed" This error often indicates a configuration issue on the target server's SSH daemon (`sshd`): * **SSHD config**: Verify that `PubkeyAuthentication` is set to `yes` and `TrustedUserCAKeys` points to the correct Cloudflare CA file. * **Multiple auth methods**: Cloudflare Access for Infrastructure currently does not support `AuthenticationMethods` with multiple comma-separated requirements (for example, `publickey,keyboard-interactive`). ### Team domain change error The error `Access api error auth_domain_cannot_be_updated_dash_sso` occurs if you try to change your team domain while [Cloudflare dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) is enabled. Dashboard SSO does not currently support team domain changes. ### Long-lived SSH sessions disconnect All connections proxied through Cloudflare Gateway, including traffic to [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) SSH targets, have a maximum guaranteed duration of 10 hours. If a connection is active during a Gateway release, it will be terminated 10 hours later. To prevent unexpected disconnects, we recommend terminating sessions on a predefined schedule (for example, an 8-hour idle timeout). You can configure this using `ChannelTimeout` in your SSH server or client configuration. --- ## How to contact Support If you cannot resolve the issue, [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). Please provide a [HAR file](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while reproducing the error and the **Ray ID** if an error page is displayed. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/troubleshooting/","name":"Troubleshoot Access"}}]} ``` --- --- title: Traffic policies description: Every organization needs a way to control what users can reach on the Internet — blocking malware sites, restricting risky applications, and deciding how traffic exits the corporate network. Think of traffic policies as a set of security checkpoints, each inspecting a different layer of your traffic before it is allowed through. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Traffic policies Every organization needs a way to control what users can reach on the Internet — blocking malware sites, restricting risky applications, and deciding how traffic exits the corporate network. Think of traffic policies as a set of security checkpoints, each inspecting a different layer of your traffic before it is allowed through. Cloudflare Gateway, a [Secure Web Gateway ↗](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) (a cloud service that sits between your users and the Internet to enforce security rules), allows you to set up policies that inspect and filter your organization's Internet traffic. Traffic policies control which websites, applications, and services your users can access — and how that traffic leaves your network. Gateway supports several policy types because network traffic can be inspected at different layers — from raw packets up to full HTTP requests. Each policy type gives you control at a specific layer: Packet filtering **[Packet filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview/)** inspects raw network packets and blocks traffic based on properties like source IP address or protocol. It does not need to know who the user is or what session they belong to. Use packet filtering to drop unwanted traffic before it reaches any other policy. DNS policies **[DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/)** check every DNS query your users make. When a query matches a policy rule, Gateway can block the domain from resolving — the site never loads because the domain name is never translated to an IP address. DNS policies act at the earliest stage of a connection, before any content is fetched. This makes them the fastest policy type to deploy and the broadest in scope. For more information on [DNS filtering ↗](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/), refer to the Cloudflare Learning Center. Use DNS policies to block malicious domains, restrict content categories, or prevent entire sites from loading. For full threat protection, pair DNS policies with HTTP policies — DNS blocks known bad domains, while HTTP catches threats hidden in allowed traffic. Network policies **[Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/)** inspect individual TCP, UDP, and Generic Routing Encapsulation (GRE) packets. They can match on IP addresses, ports, protocols, and the server name sent at the start of an encrypted connection (Server Name Indication, or SNI). Use network policies to block access to specific ports or non-HTTP services such as SSH and RDP. HTTP policies **[HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/)** inspect the full content of web requests — including URLs, headers, and uploaded or downloaded files. Gateway decrypts HTTPS traffic so it can examine what DNS and network policies cannot see. This requires installing a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on user devices. Use HTTP policies to block specific URLs, scan file uploads for sensitive data, block malware in downloads, and control which accounts users can sign in to — for example, allow your company Google Workspace account but block personal Gmail. Egress policies **[Egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/)** control how traffic leaves your network by assigning fixed IP addresses that belong to your organization. Third-party services can recognize these IPs as yours. Use egress policies to connect to partners or services that only allow traffic from a known list of IP addresses. Resolver policies **[Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/)** send DNS queries to specific DNS servers instead of the default Cloudflare resolver. Use resolver policies to resolve private hostnames on your internal network, route queries to your own DNS servers for compliance, or reach internal resources while connected through Cloudflare One. Note When creating or editing policies, it may take up to 60 seconds for that policy to be updated across all of Cloudflare's data centers. ## Get started For each policy type, follow this workflow: 1. Connect the devices or networks you want to protect. 2. Verify that Gateway is receiving traffic from your devices. 3. Set up recommended security policies — for example, block all [security threat categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) with a DNS policy. 4. Add policies specific to your organization's needs. For example, if your goal is to prevent employees from accessing known malware domains, you would start by enrolling devices with the Cloudflare One Client (step 1), confirm DNS queries appear in your Gateway logs (step 2), then create a DNS policy that blocks all security-risk categories (step 3). For step-by-step setup guides, refer to [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/), [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/network/), and [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) policies. ### Select a policy type The right policy type depends on the traffic you want to filter: | Goal | Policy type | Why | | -------------------------------------- | ---------------- | ---------------------------------------------------------------------- | | Block websites by URL | HTTP | Inspects the full URL path, not just the domain | | Block domains (all pages) | DNS | Prevents the domain from resolving | | Block non-HTTP traffic (SSH, RDP) | Network | Inspects TCP/UDP packets on any port | | Block malware and threats | DNS _and_ HTTP | DNS blocks known-bad domains. HTTP catches threats in allowed traffic. | | Assign static egress IPs | Egress | Lets third-party services identify your organization | | Drop traffic before other policies run | Packet filtering | Blocks by packet attributes without user context | | Route DNS to custom nameservers | Resolver | Overrides the default Cloudflare resolver | ## Troubleshooting For help resolving common issues with Gateway policies, refer to [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}}]} ``` --- --- title: Applications and app types description: Gateway allows you to create DNS, Network, and HTTP policies based on applications and application types. Because a single application often spans multiple hostnames, selecting an application by name is easier than writing separate rules for each hostname. You can select individual applications or application types to filter specific traffic on your network. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Applications and app types Gateway allows you to create DNS, Network, and HTTP policies based on applications and application types. Because a single application often spans multiple hostnames, selecting an application by name is easier than writing separate rules for each hostname. You can select individual applications or application types to filter specific traffic on your network. ## Applications When you choose the _Application_ selector in a Gateway policy builder, the **Value** field will include all supported applications and their respective app types. Alternatively, you can use the [Gateway API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/app%5Ftypes/methods/list/) to fetch a list of applications, app types, and ID numbers. To manage a consolidated list of applications across Cloudflare One, you can use the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/). ## App types Gateway sorts applications into the following app type groups: | Value | Definition | | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Artificial Intelligence | AI assistance applications | | Business | Applications used for general business purposes | | Collaboration & Online Meetings | Business communication and collaboration applications | | Dating | Online dating applications | | Development | Software development and development operations applications | | Education | Applications used for educational purposes and e-learning | | Email | Email applications | | Entertainment & Events | Applications used for entertainment content and event information | | Encrypted DNS | DNS encryption applications | | File Sharing | File sharing applications | | Finance & Accounting | Financial and accounting applications | | Food & Drink | Applications related to food delivery and recipe services | | Gaming | Games and gaming applications | | Health & Fitness | Applications used for health monitoring and fitness tracking | | Human Resources | Employee management applications and workforce tools | | Instant Messaging | Instant messaging applications | | IT Management | IT deployment management applications | | Legal | Legal tools and applications | | Lifestyle | Applications related to lifestyle and personal interests | | Music & Audio Streaming | Applications used for streaming music and audio | | Navigation | Applications used for maps and navigation services | | News, Books, & Magazines | Applications delivering news, books, and magazine content | | Photography & Graphic Design | Applications used for photography and graphic design | | Productivity | Business and productivity applications | | Public Cloud | Public cloud infrastructure management applications | | Sales & Marketing | Sales and marketing applications | | Search Engines | Web search engines and applications | | Security | Information security applications, including shadow IT | | Shopping | Online shopping applications | | Social Networking | Social networking applications | | Sports | Sports streaming and news applications | | Travel | Travel related applications | | Video Streaming & Editing | Applications used for streaming and editing video | | [Do Not Inspect](#do-not-inspect-applications) | Applications incompatible with the TLS certificate required by the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/) | ## Application hostnames An application like Google Drive uses its own hostnames (for example, `drive.google.com`) and shared resources used by other applications (for example, `accounts.google.com` for login). Gateway separates these into [hostnames](#hostnames) and [support hostnames](#support-hostnames) so you can control the behavior of each application independently. ### Hostnames Hostnames are domains that are core to the application and not [used by other applications](#overlapping-hostnames). These are the domains that Gateway blocks when you block an application. The App Library surfaces these hostnames in the [Hostnames table](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/#overview) for an application. ### Support hostnames Support hostnames are shared resources that applications depend on for content delivery, authentication, or third-party integrations. Because multiple applications share these hostnames, blocking them can cause unexpected side effects. For example, assume that `file-sharing-service.com` relies on `content-delivery.com`. If you allow access to `file-sharing-service.com` and its associated subdomains but not `content-delivery.com`, some of the functionality of `file-sharing-service.com` may break when Gateway matches the traffic. To prevent this, Gateway only uses support hostnames in Allow policies — it will allow support hostname connections but will not block them. For example, many Google applications use `accounts.google.com` for authentication. If you create an Allow policy for an application that lists `accounts.google.com` as a support hostname, Gateway will allow both `accounts.google.com` and the application's own domains. ## Application controls When you use the [_Application_ selector](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls) in an HTTP policy with the _is_ operator, you can choose specific actions and operations to match application traffic. Supported applications and operations include: Artificial Intelligence * ChatGPT * Google Gemini * Claude * Perplexity File Sharing * Hightail * Dropbox * WeTransfer * Google Drive * ShareFile * Box * Smash For more information, refer to [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/). ## Usage ### Overlapping hostnames Overlapping hostnames are most common for vendors with many applications, such as Google or Meta. When you use the Application selector in Gateway policies, actions taken by Gateway will be limited to the specific application defined. Gateway will also log other applications that use the same hostnames, but it will not take action unless the application was matched by the policy. For example, both the Facebook and Facebook Messenger apps use the `chat-e2ee.facebook.com` hostname. When evaluating traffic to the Facebook Messenger app, Gateway will only take action on Facebook Messenger traffic but may log both the Facebook and Facebook Messenger apps. To ensure Gateway evaluates traffic with your desired precedence, order your most specific policies with the highest priority according to [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#priority-within-a-policy-builder). ### Do Not Inspect applications Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected. When managing applications with the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/), Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. Install Cloudflare certificate manually to allow TLS decryption Instead of creating a Do Not Inspect policy for an application, you may be able to configure the application to [trust a Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications). Doing so will allow the application to function without losing visibility into your traffic. #### TLS decryption limitations Applications can be incompatible with [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) for various reasons: * **Certificate pinning**: Certificate pinning is a security mechanism used to prevent on-path attacks on the Internet by hardcoding information about the certificate that the application expects to receive. If the wrong certificate is received, even if it is trusted by the system, the application will refuse to connect. * **Non-web traffic**: Some applications send non-web traffic over TLS, such as Session Initiation Protocol (SIP) for voice and video calls and Extensible Messaging and Presence Protocol (XMPP) for chat. Gateway cannot inspect these protocols. #### Microsoft 365 integration To optimize performance for Microsoft 365 applications and services, you can bypass TLS decryption by turning on the Microsoft 365 traffic integration. This will create a [Do Not Inspect policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for all [Microsoft 365 domains and IP addresses ↗](https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service) specified by Microsoft. This policy also uses Cloudflare intelligence to identify other Microsoft 365 traffic not explicitly defined. To turn on the Microsoft 365 integration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings** \> **Policy settings**. 2. In **Bypass decryption of Microsoft 365 traffic**, select **Create policy**. 3. To verify the policy was created, select **View policy**. Alternatively, go to **Traffic policies** \> **HTTP policies**. A policy named Microsoft 365 Auto Generated will be enabled in your list. All future Microsoft 365 traffic will bypass Gateway logging and filtering. To disable this behavior, turn off or delete the policy. ### Terraform Terraform users can retrieve the app types list with the `cloudflare_zero_trust_gateway_app_types_list` data source. This allows you to create Gateway policies with the application's name rather than its numeric ID. For example: ``` data "cloudflare_zero_trust_gateway_app_types_list" "gateway_apptypes" { account_id = var.cloudflare_account_id } locals { apptypes_map = merge([ for c in data.cloudflare_zero_trust_gateway_app_types_list.gateway_apptypes.result : { (c.name) = c.id } ]...) } resource "cloudflare_zero_trust_gateway_policy" "zt_block_dns_apps" { account_id = var.cloudflare_account_id name = "DNS Blocked apps" action = "block" traffic = "any(app.ids[*] in {${join(" ", [ local.apptypes_map["Discord"], local.apptypes_map["GoToMeeting"], local.apptypes_map["Greenhouse"], local.apptypes_map["Zelle"], local.apptypes_map["Microsoft Visual Studio"] ])}})" } ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/application-app-types/","name":"Applications and app types"}}]} ``` --- --- title: DNS policies description: DNS policies let you control which websites and services your users can reach by inspecting their DNS queries — the lookups that translate domain names into IP addresses. Because DNS policies act at the lookup stage, they work across all protocols and applications, not just web browsers. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ DNS ](https://developers.cloudflare.com/search/?tags=DNS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # DNS policies DNS policies let you control which websites and services your users can reach by inspecting their DNS queries — the lookups that translate domain names into IP addresses. Because DNS policies act at the lookup stage, they work across all protocols and applications, not just web browsers. When a user makes a DNS request, [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Allow or Override policy, the user's client receives an address based on DNS resolution from Cloudflare's public DNS resolver (1.1.1.1). You can also use a [resolver policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to redirect DNS requests to a custom server. A DNS policy consists of an **Action** as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a **Selector** and an **Operator**, and enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. * [Actions](#actions) * [Selectors](#selectors) * [Comparison operators](#comparison-operators) * [Value](#value) * [Logical operators](#logical-operators) When creating a DNS policy, you can select as many security risk categories and content categories as needed to fully secure your network. Unless a more specific selector is configured in a policy (for example, _User Email_ or _Source IP_), then the policy will be evaluated against all DNS queries that reach Gateway from your organization. If a condition in an expression joins a query attribute (such as _Source IP_) and a response attribute (such as _Resolved IP_), then the condition will be evaluated when the response is received. Terraform provider v4 precedence limitation To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint. To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). ## Actions The action determines what Gateway does when a DNS query matches your policy conditions. You can assign one action per policy. These are the action types you can choose from: * [Allow](#allow) * [Block](#block) * [Override](#override) * [Safe Search](#safe-search) * [YouTube Restricted Mode](#youtube-restricted-mode) ### Allow API value: `allow` Available selectors **Traffic** * [Application](#application) * [Authoritative Nameserver IP](#authoritative-nameserver-ip) * [Content Categories](#content-categories) * [DNS CNAME Response Value](#dns-cname-record) * [DNS MX Response Value](#dns-mx-record) * [DNS PTR Response Value](#dns-ptr-record) * [DNS Resolver IP](#dns-resolver-ip) * [DNS TXT Response Value](#dns-txt-record) * [DOH Subdomain](#doh-subdomain) * [Domain](#domain) * [Host](#host) * [Indicator Feeds](#indicator-feeds) * [Location](#location) * [Query Record Type](#query-record-type) * [Resolved Continent IP Geolocation](#resolved-continent) * [Resolved Country IP Geolocation](#resolved-country) * [Resolved IP](#resolved-ip) * [Request Context Categories](#request-context-categories) * [Security Categories](#security-categories) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source IP](#source-ip) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) Policies with Allow actions explicitly permit DNS queries to resolve. Gateway uses a [first-match principle](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), which means that if an Allow policy matches a query at a higher precedence than a Block policy, the query will be allowed to resolve. For example, the following configuration allows DNS queries to reach domains categorized as belonging to the Education content category: | Selector | Operator | Value | Action | | ------------------ | -------- | ----------- | ------ | | Content Categories | in | _Education_ | Allow | #### Disable DNSSEC validation DNSSEC (Domain Name System Security Extensions) verifies that DNS responses have not been tampered with by checking a cryptographic signature attached to the record. When you select **Disable DNSSEC validation**, Gateway will resolve DNS queries even if the signature cannot be validated. We do not recommend disabling DNSSEC validation unless you know that the validation failure is due to DNSSEC configuration issues and not malicious attacks. ### Block API value: `block` Available selectors **Traffic** * [Application](#application) * [Authoritative Nameserver IP](#authoritative-nameserver-ip) * [Content Categories](#content-categories) * [DNS CNAME Response Value](#dns-cname-record) * [DNS MX Response Value](#dns-mx-record) * [DNS PTR Response Value](#dns-ptr-record) * [DNS Resolver IP](#dns-resolver-ip) * [DNS TXT Response Value](#dns-txt-record) * [DOH Subdomain](#doh-subdomain) * [Domain](#domain) * [Host](#host) * [Indicator Feeds](#indicator-feeds) * [Location](#location) * [Query Record Type](#query-record-type) * [Resolved Continent IP Geolocation](#resolved-continent) * [Resolved Country IP Geolocation](#resolved-country) * [Resolved IP](#resolved-ip) * [Request Context Categories](#request-context-categories) * [Security Categories](#security-categories) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source IP](#source-ip) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) Policies with Block actions prevent DNS queries from resolving for destinations you specify within the Selector and Value fields. For example, the following configuration blocks DNS queries from reaching domains categorized as belonging to the Adult Themes content category: | Selector | Operator | Value | Action | | ------------------ | -------- | -------------- | ------ | | Content Categories | in | _Adult Themes_ | Block | #### Custom block page When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). If the block page is turned off for a policy, Gateway will respond to blocked queries with an `A` record (IPv4) of `0.0.0.0` or an `AAAA` record (IPv6) of `::`. Because no server responds at these addresses, the browser will display its default connection error page. To block the resolution of queries for DNS records with types other than `A` or `AAAA`, Gateway will respond with the `REFUSED (RCODE:5)` DNS return code. Gateway will block the request but will not display a block page. #### Cloudflare One Client block notifications Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/plans/zero-trust-services/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | Enterprise | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2024.1.159.0 | | macOS | ✅ | 2024.1.160.0 | | Linux | ❌ | | | iOS | ✅ | 1.7 | | Android | ✅ | 1.4 | | ChromeOS | ✅ | 1.4 | Turn on **Display block notification for Cloudflare One Client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the Cloudflare One Client with a custom message you set. If you do not set a custom message, the Cloudflare One Client will display a default message. Custom messages must be 100 characters or less. The Cloudflare One Client will only display one notification per minute. Upon selecting the notification, the Cloudflare One Client will direct your users to the [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include: Policy context fields | Field | Definition | Example | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- | | User email | Email of the user that made the query. | &cf\_user\_email=user@example.com | | Site URL | Full URL of the original HTTP request or domain name in DNS query. | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F | | URL category | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected. | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains | | Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | &cf\_referer=https%3A%2F%2Fexample.com%2F | | Rule ID | ID of the Gateway policy that matched the request. | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Source IP | Source IP address of the device that matched the policy. | &cf\_source\_ip=203.0.113.5 | | Device ID | UUID of the device that matched the policy. | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Application names | Name of the application the redirected domain corresponds to, if any. | &cf\_application\_name=Salesforce | | Filter | The traffic type filter that triggered the block. | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 | | Account ID | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d | | Query ID | ID of the DNS query for which the redirect took effect. | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Connection ID | ID of the proxy connection for which the redirect took effect. | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Request ID | ID of the HTTP request for which the redirect took effect. | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac). ### Override API value: `override` Available selectors The Override action cannot be used with selectors evaluated during or after DNS resolution. **Traffic** * [Application](#application) * [Content Categories](#content-categories) * [DNS Resolver IP](#dns-resolver-ip) * [DOH Subdomain](#doh-subdomain) * [Domain](#domain) * [Host](#host) * [Location](#location) * [Query Record Type](#query-record-type) * [Resolved Continent IP Geolocation](#resolved-continent) * [Resolved Country IP Geolocation](#resolved-country) * [Security Categories](#security-categories) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source IP](#source-ip) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) Policies with Override actions replace the real DNS answer with a destination you specify. When a user queries a domain that matches the policy, Gateway returns your custom IP address or hostname instead of the actual DNS record. For example, you can provide a custom response IP of `1.2.3.4` for all queries to `www.example.com` with the following policy: | Selector | Operator | Value | Action | Override Hostname | | -------- | -------- | --------------- | -------- | ----------------- | | Hostname | is | www.example.com | Override | 1.2.3.4 | ### Safe Search API value: `safesearch` Available selectors **Traffic** * [Application](#application) * [Content Categories](#content-categories) * [DNS Resolver IP](#dns-resolver-ip) * [DOH Subdomain](#doh-subdomain) * [Domain](#domain) * [Host](#host) * [Location](#location) * [Query Record Type](#query-record-type) * [Resolved Continent IP Geolocation](#resolved-continent) * [Resolved Country IP Geolocation](#resolved-country) * [Security Categories](#security-categories) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source IP](#source-ip) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) SafeSearch is a feature of search engines that helps you filter explicit or offensive content. When you enable SafeSearch, the search engine filters explicit or offensive content and returns search results that are safe for children or at work. You can use Cloudflare Gateway to enable SafeSearch on search engines like Google, Bing, Yandex, YouTube and DuckDuckGo. For example, to enable SafeSearch for Google, you can create the following policy: | Selector | Operator | Value | Action | | -------- | -------- | ---------- | ----------- | | Domain | is | google.com | Safe Search | ### YouTube Restricted Mode API value: `ytrestricted` Available selectors **Traffic** * [Application](#application) * [Content Categories](#content-categories) * [DNS Resolver IP](#dns-resolver-ip) * [DOH Subdomain](#doh-subdomain) * [Domain](#domain) * [Host](#host) * [Location](#location) * [Query Record Type](#query-record-type) * [Resolved Continent IP Geolocation](#resolved-continent) * [Resolved Country IP Geolocation](#resolved-country) * [Security Categories](#security-categories) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source IP](#source-ip) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) Similarly, you can enforce YouTube Restricted mode by choosing the _YouTube Restricted_ action. YouTube Restricted Mode is an automated filter for adult and offensive content built into YouTube. To enable YouTube Restricted Mode, you could set up a policy like the following: | Selector | Operator | Value | Action | | ---------- | -------- | ----------- | ------------------ | | DNS Domain | is | youtube.com | YouTube Restricted | This setup ensures users will be blocked from accessing offensive sites using DNS. ## Selectors Gateway matches DNS queries against the following selectors, or criteria. Each selector is evaluated during a specific phase of the DNS resolution process: * **Before DNS resolution** — Gateway inspects properties of the incoming query (for example, the domain name or source IP) before looking up the answer. * **During DNS resolution** — Gateway inspects information discovered while resolving the query (for example, the authoritative nameserver IP). * **After DNS resolution** — Gateway inspects the DNS answer (for example, the resolved IP or CNAME record) after resolution completes. The Override action cannot be used with selectors evaluated during or after DNS resolution, because the override must be applied before the answer is returned. For more information on how evaluation phase interacts with precedence, refer to [order of enforcement](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#dns-policies). ### Application You can apply DNS policies to a growing list of popular web applications. Refer to [Application and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/) for more information. | UI name | API example | Evaluation phase | | ----------- | --------------------------- | --------------------- | | Application | any(app.ids\[\*\] in {505}) | Before DNS resolution | ### Authoritative Nameserver IP Use this selector to match against the IP address of the authoritative nameserver IP address. | UI name | API example | Evaluation phase | | --------------------------- | ------------------------------------------ | --------------------- | | Authoritative Nameserver IP | dns.authoritative\_ns\_ips == 198.51.100.0 | During DNS resolution | ### Content Categories Use this selector to filter domains belonging to specific [content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories). | UI name | API example | Evaluation phase | | ------------------ | --------------------------------------- | --------------------- | | Content Categories | any(dns.content\_category\[\*\] in {1}) | Before DNS resolution | When using an Allow or Block action, you can optionally [block IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category) or [filter categories for CNAME records](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories). ### DNS CNAME Record Use this selector to filter DNS responses by their `CNAME` records. | UI name | API example | Evaluation phase | | ------------------------ | -------------------------------------------------------------- | -------------------- | | DNS CNAME Response Value | any(dns.response.cname\[\*\] in {"www.apple.com.edgekey.net"}) | After DNS resolution | Note If one CNAME record points to another CNAME record, each record in the chain will be evaluated. For example, if `abc.example.com` points to `xyz.example.com`, then your DNS policy will evaluate both `abc.example.com` and `xyz.example.com`. ### DNS MX Record Use this selector to filter DNS responses by their `MX` records. | UI name | API example | Evaluation phase | | --------------------- | ------------------------------------------------------------ | -------------------- | | DNS MX Response Value | any(dns.response.mx\[\*\] in {"gmail-smtp-in.l.google.com"}) | After DNS resolution | ### DNS PTR Record Use this selector to filter DNS responses by their `PTR` records. | UI name | API example | Evaluation phase | | ---------------------- | ----------------------------------------------------------- | -------------------- | | DNS PTR Response Value | any(dns.response.ptr\[\*\] in {"255.2.0.192.in-addr.arpa"}) | After DNS resolution | ### DNS Resolver IP Use this selector to apply policies to DNS queries that arrived to your Gateway Resolver IP address aligned with a registered DNS location. For most Gateway customers, this is an IPv4 anycast address and policies created using this IPv4 address will apply to all DNS locations. However, each DNS location has a dedicated IPv6 address and some Gateway customers have been supplied with a dedicated IPv4 address — these both can be used to apply policies to specific registered DNS locations. | UI name | API example | Evaluation phase | | --------------- | ------------------------------------------- | --------------------- | | DNS Resolver IP | any(dns.resolved\_ip\[\*\] == 198.51.100.0) | Before DNS resolution | ### DNS TXT Record Use this selector to filter DNS responses by their `TXT` records. | UI name | API example | Evaluation phase | | ---------------------- | --------------------------------------------- | -------------------- | | DNS TXT Response Value | any(dns.response.txt\[\*\] in {"your\_text"}) | After DNS resolution | ### DoH Subdomain (DNS over HTTPS) Use this selector to match against DNS queries that arrive via DNS-over-HTTPS (DoH) destined for the DoH endpoint configured for each DNS location. For example, you can use a DNS location with a DoH endpoint of `abcdefg.cloudflare-gateway.com` by choosing the DoH Subdomain selector and inputting a value of `abcdefg`. | UI name | API example | Evaluation phase | | ------------- | ------------------------------- | --------------------- | | DOH Subdomain | dns.doh\_subdomain == "abcdefg" | Before DNS resolution | ### Domain Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. | UI name | API example | Evaluation phase | | ------- | --------------------------------------- | --------------------- | | Domain | any(dns.domains\[\*\] == "example.com") | Before DNS resolution | Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). ### Host Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. | UI name | API example | Evaluation phase | | ------- | ------------------------- | --------------------- | | Host | dns.fqdn == "example.com" | Before DNS resolution | Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). Note Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. ### Indicator Feeds Use this selector to match against custom indicator feeds. You can use a [publicly available indicator feed](https://developers.cloudflare.com/security-center/indicator-feeds/#publicly-available-feeds) or a custom indicator feed assigned to your account by a designated third-party vendor. For more information on indicator feeds, refer to [Custom Indicator Feeds](https://developers.cloudflare.com/security-center/indicator-feeds/). | UI name | API example | Evaluation phase | | --------------- | ------------------- | --------------------- | | Indicator Feeds | dns.indicator\_feed | Before DNS resolution | When using an Allow or Block action, you can optionally [block IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category) or [filter categories for CNAME records](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories). ### Location Use this selector to apply policies to a specific [Gateway DNS location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) or set of locations. | UI name | API example | Evaluation phase | | -------- | --------------------------------------------------------- | --------------------- | | Location | dns.location in {"location\_uuid\_1" "location\_uuid\_2"} | Before DNS resolution | ### Query Record Type Use this selector to choose the DNS resource record type that you would like to apply policies against. For example, you can match `A` records for a domain but not `MX` records. | UI name | API example | Evaluation phase | | ----------------- | ------------------------- | --------------------- | | Query Record Type | dns.query\_rtype == "TXT" | Before DNS resolution | ### Resolved Continent Use this selector to filter based on the continent that the query resolves to. Geolocation is determined from the IP address in the response. To specify a continent, enter its two-letter code into the **Value** field: * AF - Africa * AN - Antarctica * AS - Asia * EU - Europe * NA - North America * OC - Oceania * SA - South America * T1 - Tor network | UI name | API example | Evaluation phase | | --------------------------------- | ----------------------------- | -------------------- | | Resolved Continent IP Geolocation | dns.dst.geo.continent == "EU" | After DNS resolution | ### Resolved Country Use this selector to filter based on the country that the query resolves to. Geolocation is determined from the IP address in the response. To specify a country, enter its [ISO 3166-1 Alpha 2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | Evaluation phase | | ------------------------------- | --------------------------- | -------------------- | | Resolved Country IP Geolocation | dns.dst.geo.country == "RU" | After DNS resolution | ### Resolved IP Use this selector to filter based on the IP addresses that the query resolves to. | UI name | API example | Evaluation phase | | ----------- | -------------------------------------------- | -------------------- | | Resolved IP | any(dns.resolved\_ips\[\*\] == 198.51.100.0) | After DNS resolution | ### Request Context Categories Use this selector to match a dynamic list of [category IDs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#category-and-subcategory-ids) sent in the [EDNS (Extension Mechanisms for DNS) ↗](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. EDNS allows extra metadata to be attached to a DNS query beyond the standard fields. Gateway reads category IDs from the EDNS OPT code `65050`. | UI name | API example | Evaluation phase | | -------------------------- | --------------------------------------------- | --------------------- | | Request Context Categories | dns.categories\_in\_request\_context\_matches | Before DNS resolution | ### Security Categories Use this selector to match domains (and optionally, [IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category)) belonging to specific [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories). | UI name | API example | Evaluation phase | | ------------------- | ---------------------------------------- | --------------------- | | Security Categories | any(dns.security\_category\[\*\] in {1}) | Before DNS resolution | When using an Allow or Block action, you can optionally [block IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category) or [filter categories for CNAME records](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories). ### Source Continent Use this selector to filter based on the continent where the query arrived to Gateway from. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field: | Continent | Code | | ------------- | ---- | | Africa | AF | | Antarctica | AN | | Asia | AS | | Europe | EU | | North America | NA | | Oceania | OC | | South America | SA | | Tor network | T1 | | UI name | API example | Evaluation phase | | ------------------------------- | ---------------------------------------- | --------------------- | | Source Continent IP Geolocation | dns.src.geo.continent == "North America" | Before DNS resolution | ### Source Country Use this selector to filter based on the country where the query arrived to Gateway from. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | Evaluation phase | | ----------------------------- | --------------------------- | --------------------- | | Source Country IP Geolocation | dns.src.geo.country == "RU" | Before DNS resolution | ### Source IP Use this selector to apply policies to the source IP address of DNS queries. For example, this could be the WAN IP address of the stub resolver used by your organization to send queries to Gateway. | UI name | API example | Evaluation phase | | --------- | --------------------------- | --------------------- | | Source IP | dns.src\_ip == 198.51.100.0 | Before DNS resolution | ### Source Internal IP Use this selector to apply policies to the source internal IP address of a DNS query. For example, this could be the private IP address of the hosts behind [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/) (formerly Magic WAN) or [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) used by your organization to send queries to Gateway. | UI name | API example | Evaluation phase | | ------------------ | ---------------------------------- | --------------------- | | Source Internal IP | dns.src\_internal\_ip == 10.10.0.1 | Before DNS resolution | ### Users Use these selectors to match against identity attributes. | UI name | API example | Evaluation phase | | ----------------- | --------------------------------------------------------------------------------------------------------------- | --------------------- | | User Email | identity.email == "user@example.com" | Before DNS resolution | | User Name | identity.name == "Test User" | Before DNS resolution | | User Group IDs | any(identity.groups\[\*\].id in {"group\_id"}) | Before DNS resolution | | User Group Names | any(identity.groups\[\*\].name in {"group\_name"}) | Before DNS resolution | | User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"}) | Before DNS resolution | | SAML Attributes | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) | Before DNS resolution | ## Comparison operators Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector. | Operator | Meaning | | ------------------------ | ------------------------------------------------------------------------------------------------------------------ | | is | equals the defined value | | is not | does not equal the defined value | | in | matches at least one of the defined values | | not in | does not match any of the defined values | | in list | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | not in list | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | matches regex | regex evaluates to true | | does not match regex | regex evaluates to false | | greater than | exceeds the defined number | | greater than or equal to | exceeds or equals the defined number | | less than | below the defined number | | less than or equal to | below or equals the defined number | ## Value In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors. ### Regular expressions Regular expressions are evaluated using Rust. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/#wildcards). To evaluate if your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/). If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. You do not need to use an escape character (`\`) before the pipe symbol. For example, the following expression evaluates to true when the hostname matches either `.*whispersystems.org` or `.*signal.org`: | Selector | Operator | Value | | -------- | ------------- | ------------------------------------ | | Host | matches regex | .\*whispersystems.org\|.\*signal.org | In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values. ## Logical operators To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator. | Operator | Meaning | | -------- | --------------------------------------------- | | And | match all of the conditions in the expression | | Or | match any of the conditions in the expression | The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in Identity. ## Limitations ### Third-party filtering conflict Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as [iCloud Private Relay ↗](https://support.apple.com/102602) or [Google Chrome IP Protection ↗](https://github.com/GoogleChrome/ip-protection#ip-protection). To ensure your DNS policies apply to your traffic, Cloudflare recommends turning off software that may interfere with Gateway. To turn off iCloud Private Relay, refer to the Apple user guides for [macOS ↗](https://support.apple.com/guide/mac-help/use-icloud-private-relay-mchlecadabe0/) or [iOS ↗](https://support.apple.com/guide/iphone/protect-web-browsing-icloud-private-relay-iph499d287c2/). ### Cloudflare WAN forwarding To apply DNS policies to queries forwarded through [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/), you can either point your organization's DNS resolver to an IPv6, DNS over HTTPS (DoH), or DNS over TLS (DoT) endpoint or request a dedicated resolver IPv4 address. For more information, refer to [DNS resolver IPs and hostnames](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/). ### Fallback DNS Some applications (for example, WhatsApp and Android Studio) have backup DNS servers built into their code. If their primary DNS query is blocked by Gateway, these apps automatically retry the query against their built-in DNS servers (for example, Google's `8.8.8.8`), which bypasses your policies entirely. To mitigate this behavior, you create a [Gateway Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to block outbound DNS traffic on TCP/UDP port `53` to the fallback DNS servers. For example, to block Google's fallback DNS servers: | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ---------------- | ----- | ------ | | Protocol | in | _TCP_, _UDP_ | And | Block | | Destination Port | in | 53 | And | | | Destination IP | in | 8.8.8.8, 8.8.4.4 | | | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/dns-policies/","name":"DNS policies"}}]} ``` --- --- title: Common policies description: The following Cloudflare Gateway DNS policies are commonly used to secure DNS traffic. Each example includes both dashboard and API instructions that you can adapt for your organization. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/dns-policies/common-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Common policies The following Cloudflare Gateway DNS policies are commonly used to secure DNS traffic. Each example includes both dashboard and API instructions that you can adapt for your organization. For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies/). Refer to the [DNS policies page](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) for a comprehensive list of other selectors, operators, and actions. ## Allow corporate domains This policy allows users to access official corporate domains. By deploying the policy with high [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), you ensure that employees can access trusted domains even if they fall under a blocked category like _Newly seen domains_ or _Login pages_. * [ Dashboard ](#tab-panel-3798) * [ API ](#tab-panel-3799) | Selector | Operator | Value | Action | Precedence | | -------- | -------- | ----------------- | ------ | ---------- | | Domain | in list | _Allowed domains_ | Allow | 1 | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Allow corporate domains", "description": "Allow any internal corporate domains added to a list", "precedence": 0, "enabled": true, "action": "allow", "filters": [ "dns" ], "traffic": "any(dns.domains[*] in $)", "identity": "" }' ``` To get the UUIDs of your lists, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint. ## Block security threats Block [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. * [ Dashboard ](#tab-panel-3822) * [ API ](#tab-panel-3823) * [ Terraform ](#tab-panel-3824) | Selector | Operator | Value | Action | | ------------------- | -------- | -------------------- | ------ | | Security Categories | in | _All security risks_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "All-DNS-SecurityCategories-Blocklist", "description": "Block security categories based on Cloudflare'\''s threat intelligence", "precedence": 20, "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", "identity": "" }' ``` ``` resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" { account_id = var.cloudflare_account_id name = "All-DNS-SecurityCategories-Blocklist" description = "Block security categories based on Cloudflare's threat intelligence" precedence = 20 enabled = true action = "block" filters = ["dns"] traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})" } ``` ## Block content categories The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/). * [ Dashboard ](#tab-panel-3825) * [ API ](#tab-panel-3826) * [ Terraform ](#tab-panel-3827) | Selector | Operator | Value | Action | | ------------------ | -------- | --------------------------------------------------------- | ------ | | Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "All-DNS-ContentCategories-Blocklist", "description": "Block common content categories that may pose a risk", "precedence": 30, "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})", "identity": "" }' ``` ``` resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { account_id = var.cloudflare_account_id name = "All-DNS-ContentCategories-Blocklist" description = "Block common content categories that may pose a risk" enabled = true action = "block" filters = ["dns"] traffic = "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})" identity = "" } ``` ## Block a dynamic list of categories You can add a list of category IDs to the [EDNS (Extension Mechanisms for DNS) ↗](https://datatracker.ietf.org/doc/html/rfc6891) header of a request sent to Gateway as a JSON object using OPT code `65050`. EDNS allows extra metadata to be attached to a DNS query beyond the standard fields. For example: ``` { "categories": [2, 67, 125, 133] } ``` With the [Request Context Categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, the request will return an Extended DNS Error (EDE) Code 15 (`Blocked`), along with a field containing an array of the matched categories. * [ Dashboard ](#tab-panel-3793) * [ API ](#tab-panel-3794) * [ Terraform ](#tab-panel-3795) | Selector | Operator | Value | Action | | ------------------------ | -------- | --------- | ------ | | Request Context Category | is | _Present_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "All-DNS-Bock-Category-Matches-In-Request", "description": "Block all category matches in the request EDNS context", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "dns.categories_in_request_context_matches", "identity": "" }' ``` ``` resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { account_id = var.cloudflare_account_id name = "All-DNS-Bock-Category-Matches-In-Request" description = "Block all category matches in the request EDNS context" enabled = true action = "block" filters = ["dns"] traffic = "dns.categories_in_request_context_matches" identity = "" } ``` ## Block unauthorized applications Note After seven days, view your [Shadow IT SaaS Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing. To minimize the risk of [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/), some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools: * [ Dashboard ](#tab-panel-3828) * [ API ](#tab-panel-3829) * [ Terraform ](#tab-panel-3830) | Selector | Operator | Value | Action | | ----------- | -------- | ------------------------- | ------ | | Application | in | _Artificial Intelligence_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "All-DNS-Application-Blocklist", "description": "Block access to unauthorized AI applications", "precedence": 40, "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(app.type.ids[*] in {25})", "identity": "" }' ``` ``` resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" { account_id = var.cloudflare_account_id name = "All-DNS-Application-Blocklist" description = "Block access to unauthorized AI applications" enabled = true action = "block" filters = ["dns"] traffic = "any(app.type.ids[*] in {25})" identity = "" } ``` ## Block banned countries You can implement policies to block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's requirements or through regulations including [EAR (Export Administration Regulations) ↗](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC (Office of Foreign Assets Control) ↗](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR (International Traffic in Arms Regulations) ↗](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). This policy blocks DNS queries that resolve to IP addresses geolocated in the countries you specify. * [ Dashboard ](#tab-panel-3796) * [ API ](#tab-panel-3797) | Selector | Operator | Value | Action | | ------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | | Resolved Country IP Geolocation | in | _Afghanistan_, _Belarus_, _Congo (Kinshasa)_, _Cuba_, _Iran_, _Iraq_, _Korea, North_, _Myanmar_, _Russian Federation_, _Sudan_, _Syria_, _Ukraine_, _Zimbabwe_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block banned countries", "description": "Block access to banned countries", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})", "identity": "" }' ``` ## Block top-level domains Blocking [frequently misused ↗](https://www.spamhaus.org/statistics/tlds/) top-level domains (TLDs) — the last segment of a domain name, such as `.com` or `.ru` — can reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations like [ITAR ↗](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries) or [OFAC ↗](https://orpa.princeton.edu/export-controls/sanctioned-countries). * [ Dashboard ](#tab-panel-3800) * [ API ](#tab-panel-3801) | Selector | Operator | Value | Logic | Action | | -------- | ------------- | ------------------------------------------------------------- | ----- | ------ | | Domain | matches regex | \[.\](cn\|ru)$ | Or | Block | | Domain | matches regex | \[.\](rest\|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ | Or | | | Domain | matches regex | \[.\](zip\|mobi)$ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block top-level domains", "description": "Block top-level domains that are frequently used for malicious practices", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$\") or any(dns.domains[*] matches \"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$\") or any(dns.domains[*] matches \"[.](zip|mobi)$\")", "identity": "" }' ``` ## Block phishing attacks To protect against [sophisticated phishing attacks ↗](https://blog.cloudflare.com/2022-07-sms-phishing-attacks/), you could prevent users from accessing phishing domains that are specifically targeting your organization. The following policy blocks specific keywords associated with an organization or its authentication services (such as _okta_, _2fa_, _cloudflare_ or _sso_), while still allowing access to official corporate domains. * [ Dashboard ](#tab-panel-3802) * [ API ](#tab-panel-3803) | Selector | Operator | Value | Logic | Action | | -------- | ------------- | ---------------------------------------------- | ----- | ------ | | Domain | not in list | _Corporate Domains_ | And | Block | | Domain | matches regex | .\*okta.\*\|.\*cloudflare.\*|.\*mfa.\*|.sso.\* | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block phishing attacks", "description": "Block attempts to phish specific domains targeting your organization", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "not(any(dns.domains[*] in $)) and any(dns.domains[*] matches \".*okta.*\\|.*cloudflare.*\\|.*mfa.*\\|.sso.*\")", "identity": "" }' ``` To get the UUIDs of your lists, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint. ## Block online tracking To safeguard user privacy, some organizations will block tracking domains such as `dig.whatsapp.com` as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to [this repository ↗](https://github.com/nextdns/native-tracking-domains/tree/28991a0d5b2ab6d35588a74af82162ea7caff420/domains) for a list of widespread tracking domains that you can add to your blocklist. * [ Dashboard ](#tab-panel-3804) * [ API ](#tab-panel-3805) | Selector | Operator | Value | Action | | -------- | -------- | ---------------------- | ------ | | Domain | in list | _Top tracking domains_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block online tracking", "description": "Block domains used for tracking at an OS level", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.domains[*] in $)", "identity": "" }' ``` To get the UUIDs of your lists, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint. ## Block malicious IPs Block specific IP addresses that are known to be malicious or pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs). * [ Dashboard ](#tab-panel-3808) * [ API ](#tab-panel-3809) | Selector | Operator | Value | Action | | ----------- | -------- | --------- | ------ | | Resolved IP | in list | _DShield_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block malicious IPs", "description": "Block specific IP addresses that are known to be malicious or pose a threat to your organization", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.resolved_ips[*] in $)", "identity": "" }' ``` To get the UUIDs of your lists, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint. ## Turn on CIPA filter The CIPA (Children's Internet Protection Act) Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of [Project Cybersafe Schools](https://developers.cloudflare.com/fundamentals/reference/policies-compliances/cybersafe/) to block access to unwanted or harmful online content. Upon creating this policy, your organization will have minimum [CIPA compliance ↗](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act). * [ Dashboard ](#tab-panel-3806) * [ API ](#tab-panel-3807) | Selector | Operator | Value | Action | | ------------------ | -------- | ------------- | ------ | | Content Categories | in | _CIPA Filter_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Turn on CIPA filter", "description": "Block access to unwanted or harmful online content for children", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.content_category[*] in {182})", "identity": "" }' ``` ## Hide explicit search results SafeSearch is a feature of search engines that helps you filter explicit or offensive content. You can force SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo: * [ Dashboard ](#tab-panel-3810) * [ API ](#tab-panel-3811) | Selector | Operator | Value | Action | | ------------------ | -------- | ---------------- | ----------- | | Content Categories | in | _Search Engines_ | Safe Search | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Hide explicit search results", "description": "Force SafeSearch on search engines to filter explicit or offensive content", "enabled": true, "action": "safesearch", "filters": [ "dns" ], "traffic": "any(dns.content_category[*] in {145})", "identity": "" }' ``` ## Check user identity Configure access on a per user or group basis by adding [identity-based conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to your policies. * [ Dashboard ](#tab-panel-3812) * [ API ](#tab-panel-3813) | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------ | ----- | ------ | | Application | in | _Salesforce_ | And | Block | | User Group Names | in | Contractors | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Check user identity", "description": "Filter traffic based on a user identity group name", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(app.ids[*] in {606})", "identity": "any(identity.groups.name[*] in {\"Contractors\"})" }' ``` ## Restrict access to specific groups Filter DNS queries to allow only specific users access. The following example includes two policies. The first policy allows the specified group, while the second policy blocks all other users. To ensure the policies are evaluated properly, place the Allow policy above the Block policy. For more information, refer to the [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). ### 1\. Allow a group * [ Dashboard ](#tab-panel-3814) * [ API ](#tab-panel-3815) | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | ----------------- | ----- | ------ | | Content Categories | in | _Social Networks_ | And | Allow | | User Group Names | in | Marketing | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Allow social media for Marketing", "description": "Allow access to social media sites for users in the Marketing group", "precedence": 1, "enabled": true, "action": "allow", "filters": [ "dns" ], "traffic": "any(dns.content_category[*] in {149})", "identity": "any(identity.groups.name[*] in {\"Marketing\"})" }' ``` ### 2\. Block all other users * [ Dashboard ](#tab-panel-3816) * [ API ](#tab-panel-3817) | Selector | Operator | Value | Action | | ------------------ | -------- | ----------------- | ------ | | Content Categories | in | _Social Networks_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block social media", "description": "Block social media for all other users", "precedence": 2, "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.content_category[*] in {149})", "identity": "" }' ``` ## Control IP version Enterprise users can pair these policies with an [egress policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) to control which IP version is used when Gateway connects to the destination server. Optionally, you can use the Domain selector to control the IP version for specific sites. Note To ensure traffic routes through your preferred IP version, turn off **Modify Gateway block behavior**. ### Force IPv4 Force users to connect with IPv4 by blocking `AAAA` (IPv6) record resolution. * [ Dashboard ](#tab-panel-3818) * [ API ](#tab-panel-3819) | Selector | Operator | Value | Action | | ----------------- | -------- | ------ | ------ | | Query Record Type | is | _AAAA_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Force IPv4", "description": "Force users to connect with IPv4 by blocking IPv6 resolution", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "dns.query_rtype == \"AAAA\"", "identity": "" }' ``` ### Force IPv6 Force users to connect with IPv6 by blocking `A` (IPv4) record resolution. * [ Dashboard ](#tab-panel-3820) * [ API ](#tab-panel-3821) | Selector | Operator | Value | Action | | ----------------- | -------- | ----- | ------ | | Query Record Type | is | _A_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Force IPv6", "description": "Force users to connect with IPv6 by blocking IPv4 resolution", "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "dns.query_rtype == \"A\"", "identity": "" }' ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/dns-policies/","name":"DNS policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/dns-policies/common-policies/","name":"Common policies"}}]} ``` --- --- title: Test DNS filtering description: This section covers how to validate your Gateway DNS configuration. Testing your policies after setup helps confirm that queries are being filtered as expected before you rely on them in production. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ DNS ](https://developers.cloudflare.com/search/?tags=DNS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Test DNS filtering This section covers how to validate your Gateway DNS configuration. Testing your policies after setup helps confirm that queries are being filtered as expected before you rely on them in production. ## Prerequisites Before you start, make sure your device is sending DNS queries to Gateway. You can do this in one of two ways: * **Cloudflare One Client** — If your device runs the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), DNS queries route through Gateway automatically. * **DNS location** — If you are using a DNS-only deployment (without the Cloudflare One Client), verify that your network's DNS resolver points to your [Gateway DNS location's](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) IP address. ## Test a DNS policy Once you have created a DNS policy to block a domain, you can use either `dig` (a command-line DNS lookup tool, available on macOS and Linux) or `nslookup` (available on Windows) to see if the policy is working as intended. For example, if you created a policy to block `example.com`, you can do the following to see if Gateway is successfully blocking `example.com`: 1. Open your terminal. 2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**. 3. In the `dig` output, check the `status:` field in the header line (the line starting with `;; ->>HEADER<<-`). If the [block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is turned off for the policy, you should see `REFUSED` — a DNS response code meaning the server declined to answer the query: Terminal window ``` dig example.com ``` ``` ; <<>> DiG 9.10.6 <<>> example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6503 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;example.com. IN A ;; Query time: 46 msec ;; SERVER: 172.64.36.1#53(172.64.36.1) ;; WHEN: Tue Mar 10 20:22:18 CDT 2020 ;; MSG SIZE rcvd: 29 ``` If the [block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is enabled for the policy, you should see `NOERROR` (meaning the query was resolved) in the header with `162.159.36.12` and `162.159.46.12` as the answers. These are Cloudflare's block page IP addresses: Terminal window ``` dig example.com ``` ``` ; <<>> DiG 9.10.6 <<>> example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR id: 14531 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1452 ;; QUESTION SECTION: ;example.com. IN A ;;ANSWER SECTION: example.com. 60 IN A 162.159.36.12 example.com. 60 IN A 162.159.46.12 ;; Query time: 53 msec ;; SERVER: 172.64.36.1#53(172.64.36.1) ;; WHEN: Tue Mar 10 20:19:52 CDT 2020 ;; MSG SIZE rcvd: 83 ``` ### Test a security or content category If you are blocking a [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#security-categories) or a [content category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#content-categories), you can test that the policy is working by using the [test domain](#common-test-domains) associated with each category. Once you have configured your Gateway policy to block the category, the test domain will show a block page when you attempt to visit the domain in your browser, or will return `REFUSED` when you perform `dig` using the command-line interface. #### Test domain format * **One-word category** — For categories with one-word names (for example, _Malware_), the test domain uses the following format: ``` .testcategory.com ``` * **Multi-word category** — For categories with multiple words in the name (for example, _Parked & For Sale Domains_), the test domain uses the following format: * Remove any spaces between the words * Replace `&` with `and` * Lowercase all letters #### Common test domains | Category | Test domain | | ------------------------------- | -------------------------------------------- | | _Anonymizer_ | anonymizer.testcategory.com | | _Command and Control & Botnet_ | commandandcontrolandbotnet.testcategory.com | | _compromised Domain_ | compromiseddomain.testcategory.com | | _Cryptomining_ | cryptomining.testcategory.com | | _Malware_ | malware.testcategory.com | | _New Domains_ | newdomains.testcategory.com | | _Parked & For Sale Domains_ | parkedandforsaledomains.testcategory.com | | _Phishing_ | phishing.testcategory.com | | _Potentially Unwanted Software_ | potentiallyunwantedsoftware.testcategory.com | | _Private IP Address_ | privateipaddress.testcategory.com | | _Spam_ | spam.testcategory.com | | _Spyware_ | spyware.testcategory.com | | _Unreachable_ | unreachable.testcategory.com | ## Test EDNS configuration EDNS client subnet (ECS) is a DNS extension that sends a portion of the user's IP address to authoritative DNS nameservers, allowing them to return geographically optimal answers. Cloudflare sends the first `/24` of the user's IP address to preserve privacy while still providing location information. If you [enabled EDNS client subnet](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) for your DNS location, you can validate it as follows: 1. Obtain your DNS location's DoH (DNS over HTTPS) subdomain: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Networks** \> **Resolvers & Proxies** \> **DNS locations**. 2. Select the DNS location you are testing. 3. Note the value of **DNS over HTTPS**. 2. Open a terminal and run the following command: Terminal window ``` curl 'https://.cloudflare-gateway.com/dns-query?type=TXT&name=o-o.myaddr.google.com' -H 'Accept: application/dns-json' | json_pp ``` The output should contain your EDNS client subnet: ``` { "AD": false, "Answer": [ { "TTL": 60, "data": "\"108.162.218.211\"", "name": "o-o.myaddr.google.com", "type": 16 }, { "TTL": 60, "data": "\"edns0-client-subnet 136.62.0.0/24\"", "name": "o-o.myaddr.google.com", "type": 16 } ], "CD": false, "Question": [ { "name": "o-o.myaddr.google.com", "type": 16 } ], "RA": true, "RD": true, "Status": 0, "TC": false } ``` 3. To verify your EDNS client subnet, obtain your source IP address: Terminal window ``` curl ifconfig.me ``` ``` 136.62.12.156% ``` The source IP address should fall within the /24 range specified by your EDNS client subnet. ## Clear DNS cache Modern web browsers and operating systems are designed to cache DNS records for a set amount of time. When a request is made for a DNS record, the browser cache is the first location checked for the requested record. A DNS policy may not appear to work if the response is already cached. To clear your DNS cache: ChromeOS 1. Go to `chrome://net-internals/#dns`. 2. Select **Clear host cache**. Windows 1. Open the admin command prompt or PowerShell. 2. Run the following command: Terminal window ``` ipconfig /flushdns ``` macOS 1. Open Terminal. 2. Run the following commands: Terminal window ``` sudo killall -HUP mDNSResponder sudo killall mDNSResponderHelper sudo dscacheutil -flushcache ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/dns-policies/","name":"DNS policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering/","name":"Test DNS filtering"}}]} ``` --- --- title: Timed DNS policies description: By default, Cloudflare Gateway policies apply at all times when turned on. With timed DNS policies, you can control when DNS policies are active — for example, to block social media only during work hours or to temporarily allow access to a restricted site for a maintenance window. You can configure a policy to be active during specific time periods or set the policy to expire after a certain duration. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/dns-policies/timed-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Timed DNS policies By default, Cloudflare Gateway policies apply at all times when turned on. With timed DNS policies, you can control when DNS policies are active — for example, to block social media only during work hours or to temporarily allow access to a restricted site for a maintenance window. You can configure a policy to be active during specific time periods or set the policy to expire after a certain duration. There are two timed DNS policy options: * [Policy duration](#policy-duration): The policy is active for a specific amount of time after being turned on (for example, 30 minutes). * [Policy schedule](#policy-schedule): The policy is active during a recurring weekly schedule (for example, weekdays from 9 AM to 5 PM). ## Policy duration You can use a time-based policy duration to set a specific time frame for the policy to turn on or configure an exact time for the policy to turn off. To set a duration for a DNS policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies** \> **DNS**. 2. Create a new DNS policy or choose an existing policy and select **Edit**. 3. In **Apply durations and schedules**, turn on **Policy duration**. 4. In **Input method**, choose the type of duration: * Choose _Duration_ and enter a specific amount of time until the policy turns off. * Choose _Exact end date_ and enter a specific date and time in your account's time zone for the policy to turn off. 5. Select **Save policy**. When a policy turns off, it will remain off until you turn it back on. Warning The duration timer does not pause when you turn the policy off. It is calculated as an absolute end time from when the policy was first turned on. For example, you can create a policy at 12:00 PM and set it to turn off after six hours. If you turn the policy off at 3:00 PM and turn it back on at 4:00 PM, the policy will still turn off at 6:00 PM — six hours after the original activation time, not six hours of cumulative active time. ### Reset a policy's duration When a policy's time duration expires, you can turn the policy back on for the duration you originally configured. To reset a policy's duration, select the policy and choose **Reset policy duration**. For policies with an exact end time, you can change the time before the policy turns off. Once the policy reaches its exact end time, you will need to edit the policy and set a new end time. To set a new exact end time: 1. Select the policy. 2. Choose **Edit**. 3. Turn on **Set a policy duration**. 4. In **Input method**, choose _Exact end date_. In **Date and time**, enter a new date and time for the policy to turn off. 5. Select **Save policy**. ## Policy schedule You can use Gateway to create a new DNS policy with a schedule or add a schedule to an existing policy. * [ Dashboard ](#tab-panel-3831) * [ API ](#tab-panel-3832) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies** \> **DNS**. 2. Create a new DNS policy or choose an existing policy and select **Edit**. 3. In **Apply durations and schedules**, turn on **Policy schedule**. 4. (Optional) In **Time Zone**, choose a time zone to apply the policy based on the time zone you select, regardless of the user's location. By default, Gateway will use the end user's time zone to apply the policy based on the local time of the user making the DNS query. 5. In **Schedule template**, choose a preset schedule, or choose _Custom schedule_ to define a custom schedule. You can choose up to three non-overlapping time ranges of 15 minute intervals. 6. Select **Save policy**. To schedule a policy with the API, use the [Create a Zero Trust Gateway rule endpoint](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) with the `schedule` parameter set to your desired days of the week, times of day, and an optional time zone. For example: Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "action": "block", "name": "Block gambling sites on weekends", "traffic": "any(dns.content_category[*] in {\"Gambling\"})", "schedule": { "sat": "08:00-17:00", "sun": "08:00-17:00", "timezone": "Europe/Paris" } }' ``` The policy's schedule will appear in Cloudflare One under **Traffic policies** \> **Firewall policies** \> **DNS** when you select the policy. ### How Gateway determines time zone If you [assign a time zone](#example-fixed-time-zone) to your schedule, Gateway will always use the current time at that time zone regardless of the user's location. This allows you to enable a policy during a certain fixed time period. If you [do not specify a time zone](#example-users-time-zone), Gateway will enable the DNS policy based on the user's local time zone. The user's time zone is inferred from the IP geolocation of their source IP address. If Gateway is unable to determine the time zone from the source IP, it will fall back to the time zone of the data center where the query was received. Note Users on VPNs or corporate proxies may have their time zone inferred incorrectly, because their source IP geolocates to the VPN exit point rather than their physical location. If consistent enforcement is important, assign a fixed time zone to the schedule. #### Example: Fixed time zone The following command creates a DNS policy to block `facebook.com` only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone. Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "office-no-facebook-policy", "action": "block", "traffic": "dns.fqdn == \"facebook.com\"", "enabled": true, "schedule": { "time_zone": "America/Chicago", "mon": "08:00-12:30,13:30-17:00", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "fri": "08:00-12:30,13:30-17:00" } }' ``` Refer to [this table ↗](https://en.wikipedia.org/wiki/List%5Fof%5Ftz%5Fdatabase%5Ftime%5Fzones#List) for a list of all time zone identifiers. #### Example: User's time zone The following command creates a DNS policy to block `clockin.com` only on weekends in the time zone where the user is currently located. Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "clock-in-policy", "action": "block", "traffic": "dns.fqdn == \"clockin.com\"", "enabled": true, "schedule": { "sat": "00:00-24:00", "sun": "00:00-24:00" } }' ``` Note Gateway will not change the policy's `enabled` status when inside or outside of the time period specified. When enabled, Gateway activates or deactivates the policy according to its schedule. When disabled, the policy is always deactivated. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/dns-policies/","name":"DNS policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/dns-policies/timed-policies/","name":"Timed DNS policies"}}]} ``` --- --- title: Domain categories description: Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by Cloudforce One, Cloudflare's threat intelligence solution. To review the categories for a specific domain, use Cloudflare Radar. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/domain-categories.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Domain categories Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by [Cloudforce One](https://developers.cloudflare.com/security-center/cloudforce-one/), Cloudflare's threat intelligence solution. To review the categories for a specific domain, use [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories). Cloudflare categorizes domains into content categories and security categories, which cover security risks and security threats: * **Content categories**: An upstream vendor supplies content categories for domains. These categories help us organize domains into broad topic areas. However, the specific criteria and methods used by our vendor may not be disclosed. * **Security risks**: Cloudflare determines security risks for domains using internal models. These models analyze various factors, including the age of a domain and its reputation. This allows us to identify potentially risky domains. * **Security threats**: To identify malicious domains that pose security threats, Cloudflare employs a mix of internal data sources, machine learning models, commercial feeds, and open-source threat intelligence. You can block security and content categories by creating DNS or HTTP policies. Once you have configured your policies, you will be able to inspect network activity and the associated categories in your Gateway logs. To request changes to a domain's categorization, refer to [Change categorization](https://developers.cloudflare.com/security-center/investigate/change-categorization/). For more information on investigating potentially risky domains, refer to [Investigate threats](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#domain). Subdomain category Subdomains that have not been assigned a category will inherit the category of their parent domain. When Gateway categorizes a subdomain, the subdomain will carry only its own category. Categorized subdomains will not inherit their parent domain's categories. ## Security categories | Category | Definition | | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Anonymizer | Sites that allow users to surf the Internet anonymously. | | Brand Embedding | Sites that imitate a verified brand, for example facobook.com. | | Command and Control & Botnet | Sites that are queried by compromised devices to exfiltrate information or potentially infect other devices in a network. | | Compromised Domain | Sites where a legitimate domain has been compromised or taken over and had malicious content planted or injected. | | Cryptomining | Sites that mine cryptocurrency by taking over the user's computing resources. | | DGA Domains | Domains generated programmatically by Domain Generation Algorithms (DGA) associated with malware. These algorithmically created domain names change frequently, making them harder to block individually. | | DNS Tunneling | Domains with detected DNS tunneling activity, including attempts to encode or exfiltrate data in DNS queries and responses (for example, in TXT records) or to use DNS for command-and-control (C2) communications. | | Malware | Sites hosting malicious content and other compromised websites. | | Phishing | Domains that are known for stealing personal information. | | Potentially Unwanted Software | Domains that distribute software that may come bundled with other less legitimate software or functionality, like toolbars, adware, and grayware. | | Private IP Address | Domains that resolve to private IP Addresses. | | Scam | Fraudulent websites and schemes designed to trick victims into giving away money or personal information. | | Spam | Sites that are known for targeting users with unwanted sweepstakes, surveys, and advertisements. | | Spyware | Sites that are known to distribute or contain code that displays unwanted advertisements or that gathers user information without the user's knowledge. | ## Content categories | Category | Definition | | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Ads | Sites that are hosting content related to advertising. | | Adult Themes | Sites that are hosting content related to pornography, nudity, sexuality, and other adult themes. | | Business & Economy | Sites that are related to business, economy, finance, education, science and technology. | | Child Abuse | Sites hosting child abuse content. | | CIPA | Sites related to aiding schools and organizations in abiding by Children's Internet Protection Act (CIPA) requirements. | | Education | Sites hosting educational content that are not included in other categories like Science, Technology or Educational institutions. | | Entertainment | Sites that are hosting entertaining content that are not included in other categories like Comic books, Audio streaming, Video streaming etc. | | Gambling | Sites that are providing online gambling or are related to gambling. | | Government & Politics | Sites related to government and politics. | | Health | Sites containing information about health and fitness. | | Information Technology | Sites related to information technology. | | Internet Communication | Sites hosting applications that are used for communication like chat, mail etc. | | Job Search & Careers | Sites that facilitate searching for jobs and careers. | | Miscellaneous | Sites that are not included in the listed security and content categories. | | Questionable Content | Sites hosting content that are related to hacking, piracy, profanity and other questionable activities. | | Real Estate | Sites related to real estate. | | Religion | Sites hosting content about religion, alternative religion, religious teachings, religious groups, and spirituality. | | Security Risks | Sites that are [new or misconfigured](#security-risk-subcategories). We recommend that you allow or isolate this content category to avoid accidentally blocking trusted domains. | | Shopping & Auctions | Sites that are hosting content related to ecommerce, coupons, shopping, auctions and marketplaces. | | Social & Family | Sites related to society and lifestyle. | | Society & Lifestyle | Sites hosting information about lifestyle that are not included in other categories like fashion, food & drink etc. | | Sports | Sites related to sports & recreation. | | Technology | Sites hosting information about technology that are not included in the science category. | | Travel | Sites that contain information about listings, reservations, services for travel. | | Vehicles | Sites related vehicles, automobiles, including news, reviews, and other hobbyist information. | | Violence | Sites hosting and/or promoting violent content. | | Weather | Sites related to weather. | ### Miscellaneous subcategories | Category | Definition | | ------------- | ---------------------------------------------------------------------------- | | Login Screens | Sites hosting login screens that might also be included in other categories. | | Miscellaneous | Sites that do not belong to other content categories. | | No Content | Sites that have no content. | | Redirect | Domains that redirect to other sites. | | Unreachable | Domains that resolve to unreachable IP addresses. | ### Security risk subcategories | Category | Definition | | ------------------------- | ---------------------------------------------------------------------- | | New Domains | Domains registered within the past 30 days. | | Newly Seen Domains | Domains that were resolved for the first time within the past 30 days. | | Parked & For Sale Domains | Domains that are not connected to a hosting service. | ### Category and subcategory IDs | Category ID | Category Name | Subcategory ID | Subcategory Name | | ----------- | ---------------------- | -------------- | ------------------------------------------ | | 1 | Ads | 66 | Advertisements | | 2 | Adult Themes | 67 | Adult Themes | | 2 | Adult Themes | 125 | Nudity | | 2 | Adult Themes | 133 | Pornography | | 3 | Business & Economy | 186 | Brokerage & Investing | | 3 | Business & Economy | 75 | Business | | 3 | Business & Economy | 89 | Economy & Finance | | 3 | Business & Economy | 183 | Cryptocurrency | | 3 | Business & Economy | 185 | Personal Finance | | 6 | Education | 90 | Education | | 6 | Education | 91 | Educational Institutions | | 6 | Education | 189 | Reference | | 6 | Education | 144 | Science | | 6 | Education | 150 | Space & Astronomy | | 7 | Entertainment | 70 | Arts | | 7 | Entertainment | 74 | Audio Streaming | | 7 | Entertainment | 76 | Cartoons & Anime | | 7 | Entertainment | 79 | Comic Books | | 7 | Entertainment | 92 | Entertainment | | 7 | Entertainment | 96 | Fine Art | | 7 | Entertainment | 100 | Gaming | | 7 | Entertainment | 106 | Home Video/DVD | | 7 | Entertainment | 107 | Humor | | 7 | Entertainment | 116 | Magazines | | 7 | Entertainment | 120 | Movies | | 7 | Entertainment | 121 | Music | | 7 | Entertainment | 122 | News & Media | | 7 | Entertainment | 127 | Paranormal | | 7 | Entertainment | 139 | Radio | | 7 | Entertainment | 156 | Television | | 7 | Entertainment | 164 | Video Streaming | | 8 | Gambling | 99 | Gambling | | 9 | Government & Politics | 190 | Charity and Non-profit | | 9 | Government & Politics | 101 | Government/Legal | | 9 | Government & Politics | 137 | Politics, Advocacy, and Government-Related | | 10 | Health | 103 | Health & Fitness | | 10 | Health | 146 | Sex Education | | 12 | Internet Communication | 77 | Chat | | 12 | Internet Communication | 98 | Forums | | 12 | Internet Communication | 108 | Information Security | | 12 | Internet Communication | 110 | Instant Messengers | | 12 | Internet Communication | 111 | Internet Phone & VOIP | | 12 | Internet Communication | 118 | Messaging | | 12 | Internet Communication | 126 | P2P | | 12 | Internet Communication | 129 | Personal Blogs | | 12 | Internet Communication | 168 | Webmail | | 12 | Internet Communication | 172 | Photo Sharing | | 13 | Job Search & Careers | 113 | Job Search & Careers | | 15 | Miscellaneous | 115 | Login Screens | | 15 | Miscellaneous | 119 | Miscellaneous | | 15 | Miscellaneous | 124 | No Content | | 15 | Miscellaneous | 141 | URL Alias/Redirect | | 15 | Miscellaneous | 161 | Unreachable | | 17 | Questionable Content | 85 | Deceptive Ads | | 17 | Questionable Content | 87 | Drugs | | 17 | Questionable Content | 102 | Hacking | | 17 | Questionable Content | 135 | Profanity | | 17 | Questionable Content | 138 | Questionable Activities | | 17 | Questionable Content | 157 | Militancy, Hate & Extremism | | 17 | Questionable Content | 162 | Unreliable Information | | 18 | Real Estate | 140 | Real Estate | | 19 | Religion | 142 | Religion & Spirituality | | 20 | Safe for Kids | 143 | Safe for Kids | | 21 | Security threats | 68 | Anonymizer | | 21 | Security threats | 80 | Command and Control & Botnet | | 21 | Security threats | 187 | Compromised Domain | | 21 | Security threats | 83 | Cryptomining | | 21 | Security threats | 117 | Malware | | 21 | Security threats | 131 | Phishing | | 21 | Security threats | 188 | Potentially unwanted software | | 21 | Security threats | 134 | Private IP Address | | 21 | Security threats | 151 | Spam | | 21 | Security threats | 153 | Spyware | | 21 | Security threats | 175 | DNS Tunneling | | 21 | Security threats | 176 | Domain Generation Algorithm | | 21 | Security threats | 178 | Brand Embedding | | 21 | Security threats | 191 | Scam | | 22 | Shopping & Auctions | 73 | Auctions & Marketplaces | | 22 | Shopping & Auctions | 82 | Coupons | | 22 | Shopping & Auctions | 88 | Ecommerce | | 22 | Shopping & Auctions | 148 | Shopping | | 24 | Society & Lifestyle | 71 | Arts & Crafts | | 24 | Society & Lifestyle | 72 | Astrology | | 24 | Society & Lifestyle | 78 | Clothing | | 24 | Society & Lifestyle | 84 | Dating & Relationships | | 24 | Society & Lifestyle | 86 | Digital Postcards | | 24 | Society & Lifestyle | 93 | Parenting | | 24 | Society & Lifestyle | 94 | Fashion | | 24 | Society & Lifestyle | 97 | Food & Drink | | 24 | Society & Lifestyle | 104 | Hobbies & Interests | | 24 | Society & Lifestyle | 105 | Home & Garden | | 24 | Society & Lifestyle | 114 | Lifestyle | | 24 | Society & Lifestyle | 130 | Pets | | 24 | Society & Lifestyle | 132 | Photography | | 24 | Society & Lifestyle | 136 | Professional Networking | | 24 | Society & Lifestyle | 147 | Sexuality | | 24 | Society & Lifestyle | 149 | Social Networks | | 24 | Society & Lifestyle | 154 | Swimsuits | | 24 | Society & Lifestyle | 158 | Tobacco | | 24 | Society & Lifestyle | 173 | Body Art | | 24 | Society & Lifestyle | 174 | Lingerie & Bikini | | 24 | Society & Lifestyle | 181 | Alcohol | | 25 | Sports | 152 | Sports | | 26 | Technology | 69 | APIs | | 26 | Technology | 81 | Content Servers | | 26 | Technology | 95 | File Sharing | | 26 | Technology | 109 | Information Technology | | 26 | Technology | 123 | News, Portal & Search | | 26 | Technology | 145 | Search Engines | | 26 | Technology | 155 | Technology | | 26 | Technology | 159 | Translator | | 26 | Technology | 184 | Artificial Intelligence | | 26 | Technology | 192 | Remote Access | | 26 | Technology | 193 | Shareware/Freeware | | 26 | Technology | 194 | Keep Awake Software | | 27 | Travel | 160 | Travel | | 28 | Vehicles | 163 | Vehicles | | 29 | Violence | 165 | Violence | | 29 | Violence | 166 | Weapons | | 30 | Weather | 167 | Weather | | 31 | Always blocked | 170 | Child Abuse | | 32 | Security Risks | 128 | Parked & For Sale Domains | | 32 | Security Risks | 169 | New Domains | | 32 | Security Risks | 177 | Newly Seen Domains | | 34 | CIPA | 182 | CIPA Filter | ## Filtering options ### Filter traffic by resolved IP category When creating a DNS policy for security or content categories, you can optionally turn on **Filter traffic by resolved IP category** in the policy settings. When turned on, Gateway will block queries based on their resolved IP address in addition to the domain name. This setting may increase the number of false positives because domains in the blocked category can share IP addresses with legitimate domains. ### Ignore `CNAME` domain categories The categories for a site's Canonical Name (`CNAME`) records may differ from its `A` record. For example, `blog.example.com` may be categorized under Personal Blogs, while `example.com` is categorized under Technology. To limit matches for a DNS policy to only the root domain's categories, turn on **Ignore CNAME domain categories**. Regardless of this setting, `CNAME` domain categories will still appear in your Gateway [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) logs. ## Categorization process Cloudflare's domain categorization engine begins with multiple data sources, including: 1. Cloudflare's proprietary data using our global network. 2. Third-party intelligence feeds. Cloudflare uses data from over 30 open-source intelligence feeds and premium commercial feeds, such as Avira and Zvelo. Then, the initial categorization is refined via: 1. Machine learning models. Our algorithms, including DGA Domains, DNS tunneling, and phishing detection models analyze patterns and behaviors to detect new and evolving threats. 2. Community feedback. Through a review process, Cloudflare assesses feedback by both our internal models and threat analysts. This ensures that our categorizations reflect the most current and accurate threat intelligence. ## Terraform Terraform users can retrieve the category list with the `cloudflare_zero_trust_gateway_categories_list` data source. This allows you to create Gateway policies with the category's name rather than its numeric ID. For example: ``` data "cloudflare_zero_trust_gateway_categories_list" "categories" { account_id = var.cloudflare_account_id } locals { main_categories_map = { for idx, c in data.cloudflare_zero_trust_gateway_categories_list.categories.result : c.name => c.id } subcategories_map = merge(flatten([ for idx, c in data.cloudflare_zero_trust_gateway_categories_list.categories.result : { for k, v in coalesce(c.subcategories, []) : v.name => v.id } ])...) } resource "cloudflare_zero_trust_gateway_policy" "zt_block_dns_tech_categories" { account_id = var.cloudflare_account_id name = "DNS Blocked" action = "block" traffic = "any(dns.content_category[*] in {${join(" ", [ local.main_categories_map["Technology"], local.subcategories_map["APIs"], local.subcategories_map["Artificial Intelligence"], local.subcategories_map["Content Servers"], local.subcategories_map["Translator"] ])}})" } ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/domain-categories/","name":"Domain categories"}}]} ``` --- --- title: Egress policies description: Many third-party services (for example, a bank or partner API) only allow connections from a known list of IP addresses. By default, traffic that exits through Cloudflare Gateway shares a source IP address with all other Cloudflare One Client users, so upstream services cannot identify your organization by IP alone. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/egress-policies/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Egress policies Note Only available on Enterprise plans. Many third-party services (for example, a bank or partner API) only allow connections from a known list of IP addresses. By default, traffic that exits through Cloudflare Gateway shares a source IP address with all other Cloudflare One Client users, so upstream services cannot identify your organization by IP alone. [Dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) solve this problem. They are static IP addresses assigned only to your account, which you can add to upstream allowlists. Egress policies control which dedicated egress IP is used for a given connection. You can match traffic on attributes such as user identity, source or destination IP address, and geolocation. Traffic that does not match an egress policy defaults to the most performant dedicated egress IP. Cloudflare does not publish Cloudflare One Client egress IP ranges. Cloudflare One Client egress IPs are not listed at [Cloudflare's IP Ranges ↗](https://cloudflare.com/ips). To obtain a dedicated Cloudflare One Client egress IP, contact your account team. Terraform provider v4 precedence limitation To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint. To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). ## Load balancing Traffic that does not match any egress policy exits from the closest Cloudflare data center using a default Gateway egress IP. This applies whether your account uses dedicated egress IPs or the default shared IPs. If two data centers are equally close to the user, Gateway splits traffic between them. The load balancer keeps each user on the same egress IP regardless of which data center handles the request. ## Force IP version Some upstream services only accept connections over a specific IP version. To force all egress traffic to use IPv4 or IPv6 only, first verify you are [filtering DNS traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/), then create a DNS policy to [block AAAA or A records](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/common-policies/#control-ip-version). ## Example policies The following egress policy configures all traffic destined for a third-party network to use a static source IP: | Policy name | Selector | Operator | Value | Egress method | | --------------------------- | -------------- | -------- | -------------- | ------------------------------- | | Access third-party provider | Destination IP | is | 198.51.100.158 | Dedicated Cloudflare egress IPs | | Primary IPv4 address | IPv6 address | | -------------------- | ------------- | | 203.0.113.88 | 2001:db8::/32 | ### Catch-all policy Without a catch-all policy, any traffic that does not match an explicit egress policy will attempt to use the closest dedicated egress IP location. To avoid unexpected IP assignments and maintain the best performance, create a catch-all policy that routes remaining traffic through the default Zero Trust IP range: | Policy name | Selector | Operator | Value | Egress method | | --------------------- | -------- | -------- | ---------------------- | -------------------------------- | | Default egress policy | Protocol | in | All options (Protocol) | Cloudflare default egress method | Gateway policies evaluate from [top to bottom](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) in the UI. Place the catch-all policy at the bottom of the list so that more specific policies are evaluated first. ## Egress methods When you configure your egress policy, you can choose whether to egress traffic using the default Cloudflare egress method or dedicated egress IPs. ### Use default Cloudflare egress method **Use default Cloudflare egress method** routes traffic through the default source IP range shared across all Zero Trust accounts. Traffic exits from the nearest Cloudflare data center, which provides the best performance. ### Use dedicated egress IPs **Use dedicated egress IPs (Cloudflare or BYOIP)** routes traffic through the primary IPv4 address and IPv6 range you select in the dropdown menus. When creating egress policies with dedicated egress IPs, you must set a secondary IPv4 address to ensure traffic resilience. You can set the secondary IPv4 address to `0.0.0.0` or a specific Cloudflare location different from your primary IPv4 address. If you set the secondary IPv4 address to `0.0.0.0`, Gateway will route traffic to the location closest to the user. If the physical location of your primary IPv4 address is not available, Gateway will route traffic to either the default Cloudflare egress range or the secondary location specified. If the data center associated with your primary IPv4 address goes down, Gateway fails over to the secondary data center to prevent traffic drops. A secondary IPv6 address is not required because IPv6 traffic can exit from any Cloudflare data center. You can use IPs provided by Cloudflare or [bring your own IP addresses (BYOIP)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). To learn more about IPv4 and IPv6 egress behavior, refer to [Egress locations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#egress-location). ## Selectors Selectors are the criteria that Gateway uses to match egress traffic against a policy. Gateway evaluates the following selectors: ### Application Beta You can apply egress policies to a growing list of popular web applications. Refer to [Application and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/) for more information. | UI name | API example | | ----------- | --------------------------- | | Application | any(app.ids\[\*\] in {505}) | This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). ### Content Categories Beta Applications within a specific [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories). | UI name | API example | | ------------------ | -------------------------------------------- | | Content Categories | any(net.fqdn.content\_category\[\*\] in {1}) | This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). ### Destination Continent The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the **Value** field: | Continent | Code | | ------------- | ---- | | Africa | AF | | Antarctica | AN | | Asia | AS | | Europe | EU | | North America | NA | | Oceania | OC | | South America | SA | | Tor network | T1 | | UI name | API example | | ------------------------------------ | ----------------------------- | | Destination Continent IP Geolocation | net.dst.geo.continent == "EU" | ### Destination Country The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its [ISO 3166-1 Alpha 2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | | ---------------------------------- | --------------------------- | | Destination Country IP Geolocation | net.dst.geo.country == "RU" | ### Destination IP The IP address of the request's target. | UI name | API example | | -------------- | ------------------------------------- | | Destination IP | any(net.dst.ip\[\*\] in {10.0.0.0/8}) | ### Destination Port The port number of the request's target. | UI name | API example | | ---------------- | -------------------- | | Destination Port | net.dst.port == 2222 | ### Device Posture With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way. For more information on device posture checks, refer to [Device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). | UI name | API example | | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Passed Device Posture Checks | any(device\_posture.checks.failed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device\_posture.checks.passed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})" | ### Domain Beta Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. | UI name | API example | | ------- | -------------------------------------------- | | Domain | any(net.fqdn.domains\[\*\] == "example.com") | Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). ### Host Beta Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. | UI name | API example | | ------- | ------------------------------ | | Host | net.fqdn.host == "example.com" | Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). Note Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). ### Protocol The protocol used to send the packet. | UI name | API example | | -------- | --------------------- | | Protocol | net.protocol == "tcp" | ### Proxy Endpoint The [proxy server](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) where your browser forwards HTTP traffic. | UI name | API example | | -------------- | ----------------------------------------------------------- | | Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" | ### Source Continent The continent of the user making the request. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field: | Continent | Code | | ------------- | ---- | | Africa | AF | | Antarctica | AN | | Asia | AS | | Europe | EU | | North America | NA | | Oceania | OC | | South America | SA | | Tor network | T1 | | UI name | API example | | ------------------------------- | ---------------------------------------- | | Source Continent IP Geolocation | net.src.geo.continent == "North America" | ### Source Country The country of the user making the request. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | | ----------------------------- | --------------------------- | | Source Country IP Geolocation | net.src.geo.country == "RU" | ### Source Internal IP Use this selector to apply egress policies to a private IP address, assigned by a user's local network, that requests arrive to Gateway from. | UI name | API example | | ------------------ | ---------------------------------------------- | | Source Internal IP | net.src.internal\_src\_ip == "192.168.86.0/27" | ### Source IP The originating IP address or addresses of a device proxied by Gateway. | UI name | API example | | --------- | -------------------------------- | | Source IP | net.src.ip\[\*\] in {10.0.0.0/8} | ### Source Port The originating port of a device proxied by Gateway. | UI name | API example | | ----------- | ---------------------- | | Source Port | net.src.port == "2222" | ### Users Use these selectors to match against identity attributes. | UI name | API example | | ----------------- | --------------------------------------------------------------------------------------------------------------- | | User Email | identity.email == "user@example.com" | | User Name | identity.name == "Test User" | | User Group IDs | any(identity.groups\[\*\].id in {"group\_id"}) | | User Group Names | any(identity.groups\[\*\].name in {"group\_name"}) | | User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"}) | | SAML Attributes | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) | ### Virtual Network Use this selector to match all traffic routed through a specific [Virtual Network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) via the Cloudflare One Client. | UI name | API example | | --------------- | ------------------------------------------------------ | | Virtual Network | net.vnet\_id == "957fc748-591a-e96s-a15d-1j90204a7923" | ## Comparison operators Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector. | Operator | Meaning | | ------------------------ | ------------------------------------------------------------------------------------------------------------------ | | is | equals the defined value | | is not | does not equal the defined value | | in | matches at least one of the defined values | | not in | does not match any of the defined values | | in list | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | not in list | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | matches regex | regex evaluates to true | | does not match regex | regex evaluates to false | | greater than | exceeds the defined number | | greater than or equal to | exceeds or equals the defined number | | less than | below the defined number | | less than or equal to | below or equals the defined number | ## Value You can input a single value or use regular expressions to specify a range of values. Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. To evaluate if your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/). ## Logical operators To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator. | Operator | Meaning | | -------- | --------------------------------------------- | | And | match all of the conditions in the expression | | Or | match any of the conditions in the expression | The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in **Identity** or **Device Posture**. ## Limitations ### Selector prerequisites The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors require additional setup before they work in egress policies. Before deploying policies with these selectors, refer to [Host selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/host-selectors). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/egress-policies/","name":"Egress policies"}}]} ``` --- --- title: Dedicated egress IPs description: Many third-party services require you to allowlist specific source IP addresses before they accept connections. Dedicated egress IPs are static IP addresses assigned exclusively to your account — no other Cloudflare customer shares them. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Dedicated egress IPs Note Only available as an add-on to Zero Trust Enterprise plans. Many third-party services require you to allowlist specific source IP addresses before they accept connections. Dedicated egress IPs are static IP addresses assigned exclusively to your account — no other Cloudflare customer shares them. Each dedicated egress IP consists of an IPv4 address and an IPv6 range, both tied to a specific Cloudflare data center. Cloudflare provisions your account with at least two dedicated egress IPs in two different cities. You can request additional dedicated egress IPs at any time. Contact your account team to schedule a service window. ## Turn on egress IPs To start routing traffic through dedicated egress IPs: 1. Contact your account team to obtain a dedicated egress IP. 2. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 3. Turn on **Allow Secure Web Gateway to proxy traffic**. 4. Select **TCP**. 5. (Optional) Select **UDP**. This will allow HTTP/3 traffic to egress with your dedicated IPs. Dedicated egress IPs are now turned on for all network and HTTP traffic proxied by Gateway. To selectively turn on dedicated egress IPs for a subset of your traffic, refer to [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/). ## Verify egress IPs To check if your device is using the correct dedicated egress IP: 1. Verify that the device is connected to your Zero Trust organization through the Cloudflare One Client. 2. Determine the source IPv4 address of your device by going to `https://ipv4.icanhazip.com/`. 3. Determine the source IPv6 address of your device by going to `https://ipv6.icanhazip.com/`. 4. Verify that the source IPv4 and IPv6 addresses match your dedicated egress IP. When testing against another origin, you may see either an IPv4 or IPv6 address. Gateway does not control which protocol is used — some origins only support one protocol, and when both are available, the client operating system and browser decide. For example, Windows [favors IPv6 by default ↗](https://learn.microsoft.com/troubleshoot/windows-server/networking/configure-ipv6-in-windows). ## IPs ### Bring your own IP address (BYOIP) If your organization already owns IPv4 or IPv6 addresses from a regional Internet registry, you can use them as dedicated egress IPs instead of Cloudflare-provided addresses. To obtain an IPv6 range, refer to [American Registry for Internet Numbers (ARIN) ↗](https://www.arin.net/resources/guide/ipv6/first%5Frequest/) or [Regional Internet Registry for Europe, Middle East and Central Asia (RIPE NCC) ↗](https://www.ripe.net/manage-ips-and-asns/ipv6/request-ipv6/). After you onboard your IP addresses, they appear as options when you create an [egress policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) and choose **Use dedicated egress IPs (Cloudflare or BYOIP)** as the [egress method](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#egress-methods). BYOIP dedicated egress IPs do not support [IP geolocation](#ip-geolocation). For more information, refer to [Cloudflare BYOIP](https://developers.cloudflare.com/byoip/) or contact your account team. ### Cloudflare IPs If you do not have your own authority-provided IPv4 and IPv6 addresses, you can use dedicated egress IPs with a Cloudflare IP address. You can find your leased Gateway dedicated egress IPs on the dashboard under [**Address space** \> **Leased IPs** ↗](https://dash.cloudflare.com/?to=/:account/ip-addresses/address-space). ## Limitations ### Concurrent connections Each dedicated egress IP supports up to 40,000 concurrent connections per unique combination of destination IP and destination port. You can configure multiple origins for each combination of dedicated egress IP and source port. ### Unsupported traffic Dedicated egress IPs do not apply to the following traffic types. These connections use the default shared IPs because Cloudflare identifies them by other means (for example, tunnel ID or account context) rather than source IP. * DNS queries resolved through Gateway * Private networks connected to Zero Trust via Cloudflare Tunnel * Traffic destined for private networks connected to Zero Trust via [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) * ICMP traffic (for example, `ping`) ### Traffic resilience To improve traffic resilience, assign your dedicated egress IPs to different Cloudflare data center locations. If you have multiple IPs in the same city, choose different data centers within that city. For more information, contact your account team. When creating egress policies with dedicated egress IPs, you must set a secondary IPv4 address to ensure traffic resilience. You can set the secondary IPv4 address to `0.0.0.0` or a specific Cloudflare location different from your primary IPv4 address. If you set the secondary IPv4 address to `0.0.0.0`, Gateway will route traffic to the location closest to the user. If the physical location of your primary IPv4 address is not available, Gateway will route traffic to either the default Cloudflare egress range or the secondary location specified. Fallback egress IPs If the location for your primary egress IPs goes down and there is no secondary backup IP address configured in the egress policy, Gateway will not properly route your traffic. Cloudflare recommends you always configure a fallback egress IP for every egress policy. ### IP geolocation Note IP geolocation will take at least six weeks to update across databases. Websites and services use third-party IP geolocation databases to determine where a visitor is located. When you turn on dedicated egress IPs, Gateway updates these databases so they associate your new IPs with the correct city. Until the databases finish updating, services like Google Search may show incorrect regional content — for example, directing users in India to the United States landing page. Your egress traffic geolocates to the city selected in your [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/). Traffic that does not match an egress policy defaults to the closest dedicated egress location. Create a [catch-all egress policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#catch-all-policy) before dedicated egress IPs are assigned to your account to prevent incorrect geolocation while databases update. To verify that the IP geolocation has updated, check your dedicated egress IP in one of the supported databases: Supported IP geolocation databases * [Google ↗](https://developers.google.com/maps/documentation/geolocation/overview) * [MaxMind GeoIP ↗](https://www.maxmind.com/en/geoip-databases) * [TransUnion Neustar TruValidate IP Intelligence ↗](https://www.transunion.com/solution/truvalidate/digital-insights/ip-intelligence) * [Abstract IP Geolocation API ↗](https://www.abstractapi.com/ip-geolocation-api) * [DB-IP ↗](https://db-ip.com/) * [Digital Element ↗](https://www.digitalelement.com/) * [Geo Targetly ↗](https://geotargetly.com/) * [IP-API.com ↗](https://ip-api.com/) * [IP2Location ↗](https://lite.ip2location.com/) * [IPinfo.io ↗](https://ipinfo.io/) * [ip2c.org ↗](https://ip2c.org/) * [ipapi ↗](https://ipapi.com/) * [ipgeolocation.io ↗](https://ipgeolocation.io/) * [ipify ↗](https://www.ipify.org/) * [Ipstack ↗](https://ipstack.com/) ### Egress location Where your users' traffic physically exits the Cloudflare network depends on whether the connection uses IPv4 or IPv6. | Protocol | Destination proxied by Cloudflare | Physical egress location | IP geolocation | | -------- | --------------------------------- | ------------------------------------ | ------------------------------------ | | IPv4 | No | Data center with dedicated egress IP | Matches dedicated egress IP location | | IPv4 | Yes | Locally connected data center | Matches dedicated egress IP location | | IPv6 | No | Locally connected data center | Matches dedicated egress IP location | | IPv6 | Yes | Locally connected data center | Matches dedicated egress IP location | #### IPv4 IPv4 addresses are scarce, so Cloudflare must physically route IPv4 traffic to the data center where your dedicated address is provisioned. The user connects to the nearest Cloudflare data center, and Cloudflare internally routes the traffic to the dedicated egress location configured in your [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/). As a result, the data center shown in the user's Cloudflare One Client preferences may differ from the actual egress location. Performance is better when users visit domains proxied by Cloudflare ([orange-clouded](https://developers.cloudflare.com/dns/proxy-status/) domains). In this case, IPv4 traffic physically exits from the most performant data center while still appearing to originate from your dedicated egress location. For example, assume you have a primary dedicated egress IP in Los Angeles and a secondary dedicated egress IP in New York. A user in Las Vegas would see Las Vegas as their connected data center. If they go to a site not proxied by Cloudflare ([gray-clouded](https://developers.cloudflare.com/dns/proxy-status/#dns-only-records)), such as `espn.com`, they will egress from Los Angeles (or whichever city is in the matching egress policy). If they go to an orange-clouded site such as `cloudflare.com`, they will physically egress from Las Vegas but use Los Angeles as their IP geolocation. IPv4 and IPv6 behavior IPv4 addresses are limited, so Cloudflare must physically route traffic to the data center where your dedicated IPv4 address is provisioned. IPv6 has virtually unlimited address space, so Cloudflare can assign IPv6 ranges from all geolocations to every data center. This means IPv6 traffic can egress locally while still appearing to originate from your configured geolocation. #### IPv6 Unlike IPv4, IPv6 traffic physically exits from the user's connected data center while still appearing to originate from the dedicated egress IP geolocation. This works because IPv6 has enough address space for Cloudflare to assign IPv6 ranges from all possible geolocations to every data center. Each account receives a /64 IPv6 range. In the example above, the Las Vegas user would physically egress from Las Vegas but their traffic would IP geolocate to Los Angeles. This means: | Attribute | Value | | --------------- | ------------------------------------------------------------------------------------------------------------- | | Physical egress | User's closest Cloudflare data center (Las Vegas) | | IP geolocation | Dedicated egress IP location configured in your egress policy (Los Angeles) | | Logs | Correct IP geolocation (Los Angeles) even though the physical egress is from a different location (Las Vegas) | ## Frequently asked questions (FAQ) ### Can I provision the same egress IP address to multiple data centers? No, egress IPs are limited to a single data center. ### Can my users in different locations egress from their closest data center via a single egress IP? No, traffic exits from the data center where the egress IP is provisioned. If your users are spread across multiple regions, reserve multiple egress IPs in different data centers and assign each user group to the closest one. ### Can I use dedicated egress IPs with traffic proxied via [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)? Yes, your users will egress via their provisioned IP address. ### What happens when I use dedicated egress IPs with [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)? Your users will connect to the nearest data center, where the remote browser session will load. The remote browser will then egress via the data center with their provisioned egress IP. ### Do dedicated egress IPs work on the [Cloudflare China Network](https://developers.cloudflare.com/china-network/)? No, Gateway does not support dedicated egress IPs on the China Network. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/egress-policies/","name":"Egress policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/","name":"Dedicated egress IPs"}}]} ``` --- --- title: Egress through Cloudflare Tunnel description: Some third-party services only accept connections from specific source IPs listed in an Access Control List (ACL). If a non-Cloudflare IP (for example, an IP from your ISP or a cloud provider like AWS) is already on their allowlist, you can route traffic through a Cloudflare Tunnel so that it exits using that same IP. This is called source IP anchoring — it allows you to keep your existing egress IPs without purchasing Cloudflare dedicated egress IPs. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Egress through Cloudflare Tunnel Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | | ---------------------------------------------------------------------------------------------------------------------------------- | | Traffic and DNS mode | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2025.4.929.0 | | macOS | ✅ | 2025.4.929.0 | | Linux | ✅ | 2025.4.929.0 | | iOS | ✅ | 1.11 | | Android | ✅ | 2.4.2 | | ChromeOS | ✅ | 2.4.2 | Some third-party services only accept connections from specific source IPs listed in an Access Control List (ACL). If a non-Cloudflare IP (for example, an IP from your ISP or a cloud provider like AWS) is already on their allowlist, you can route traffic through a Cloudflare Tunnel so that it exits using that same IP. This is called source IP anchoring — it allows you to keep your existing egress IPs without purchasing [Cloudflare dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). For example, assume your banking service at `app.bank.com` expects traffic from an AWS IP. You install `cloudflared` in your AWS environment and add a public hostname route for `app.bank.com`. When users connect to `app.bank.com` through the Cloudflare One Client, Gateway applies your network policies and routes the filtered traffic through the Cloudflare Tunnel to AWS. The traffic then exits to the public Internet using your AWS egress IP. flowchart LR subgraph aws["AWS VPC"] cloudflared["cloudflared"] end subgraph cloudflare[Cloudflare] gateway["Gateway"] end subgraph internet[Internet] resolver[1.1.1.1] app[Application] end warp["Cloudflare One Client"]--"app.bank.com"-->gateway--"Network traffic"-->cloudflared gateway<-.DNS lookup.->resolver aws--AWS egress IP -->app To learn more about how Gateway applies hostname-based egress policies, refer to the [Cloudflare blog ↗](https://blog.cloudflare.com/egress-policies-by-hostname/). ## Prerequisites User traffic must be on-ramped to Gateway using one of the following methods: | On-ramp method | Compatibility | | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------- | | [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) | ✅ | | [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) | ✅ | | [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) | ✅ | | [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) | ✅ | | [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/) | 🚧[1](#user-content-fn-1) | Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | | ---------------------------------------------------------------------------------------------------------------------------------- | | Traffic and DNS mode | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2025.4.929.0 | | macOS | ✅ | 2025.4.929.0 | | Linux | ✅ | 2025.4.929.0 | | iOS | ✅ | 1.11 | | Android | ✅ | 2.4.2 | | ChromeOS | ✅ | 2.4.2 | ## Footnotes 1. Not compatible with [ECMP routing](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#equal-cost-multi-path-routing). For hostname-based routing to work, DNS queries and the resulting network traffic must reach Cloudflare over the same IPsec/GRE tunnel. [↩](#user-content-fnref-1) ## 1\. Connect your private network [Connect your private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/) to Cloudflare using `cloudflared`. For example, if you want traffic to egress from AWS, connect the private CIDR block of your AWS VPC. Note Requires `cloudflared` version 2025.7.0 or later. ## 2\. Add a public hostname route To route a public hostname through Cloudflare Tunnel: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Networks** \> **Routes** \> **Hostname routes**. 2. Select **Create hostname route**. 3. In **Hostname**, enter the public hostname that represents the application (for example, `app.bank.com`). The hostname should be accessible from the public Internet. 4. For **Tunnel**, select the Cloudflare Tunnel that is being used to connect the private network to Cloudflare. 5. Select **Create route**. ## 3\. Route network traffic through the Cloudflare One Client In your WARP [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configuration, route the following IP addresses through the WARP tunnel to Gateway. ### Initial resolved IPs When users connect to a public hostname route, Gateway will assign an initial resolved IP to the DNS query from the following range: Gateway's network engine operates at Layer 3/Layer 4 of the [OSI model ↗](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/), where only IP addresses are available — not hostnames. The initial resolved IP acts as a signal: when a packet's destination IP falls within the `100.80.0.0/16` Carrier-Grade NAT (CGNAT) range, Gateway recognizes that the IP maps to a public hostname route and sends the traffic through the corresponding Cloudflare Tunnel. To route initial resolved IPs through the Cloudflare One Client: In your WARP [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/), configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) such that the initial resolved IPs route through the WARP tunnel. Configuration depends on your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode): * **Exclude mode**: Delete `100.64.0.0/10` from your Split Tunnels list. We recommend [adding back the IP ranges](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/#split-tunnel-configuration) that are not explicitly used for Cloudflare One services. This reduces the risk of conflicts with existing private network configurations that may use the CGNAT address space. * **Include mode**: Add Split Tunnel entries for the following IP addresses: * **IPv4**: `100.80.0.0/16` * **IPv6**: `2606:4700:0cf1:4000::/64` ### Private network IPs Your private network's CIDR block should also route through the WARP tunnel. For a detailed configuration example, refer to [Connect a private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-the-cloudflare-one-client). ## 4\. (Optional) Configure network policies You can build [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to filter HTTPS traffic to your public hostname on port `443`. For example, to restrict `app.bank.com` so that only certain users or groups can access it through your AWS egress IP, create two policies: one to allow authorized users, and one to block everyone else. 1. Allow company employees: | Selector | Operator | Value | Logic | Action | | ---------- | ------------- | --------------- | ----- | ------ | | SNI | in | app.bank.com | And | Allow | | User Email | matches regex | .\*@example.com | | | 2. Block everyone else on port `443`: | Selector | Operator | Value | Action | | -------- | -------- | ------------ | ------ | | SNI | in | app.bank.com | Block | Gateway does not support hostname-based filtering for traffic on non-`443` ports. To block traffic to `app.bank.com` on all ports, use the [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#destination-ip) selector and specify the public IP range of `app.bank.com`. ## 5\. Test the connection From a device, open a browser and go to `app.bank.com`. You can search for `app.bank.com` in your [Gateway DNS logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/); the **DNS response details** section should show the public resolved IPs as well as an initial resolved IP. You can also check your [Cloudflare Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) to confirm that requests are routing through the tunnel to the public resolved IPs. ## Limitations ### Google Chrome restricts local network access Starting with [Chrome 142 ↗](https://developer.chrome.com/release-notes/142), the browser restricts requests from websites to local IP addresses, including the Gateway initial resolved IP CGNAT range (`100.80.0.0/16`). Because this range falls within `100.64.0.0/10`, Chrome categorizes these addresses as belonging to a local network. When a website loaded from a public IP makes subrequests to a domain resolved through an initial resolved IP, Chrome treats this as a public-to-local network request and displays a prompt asking the user to allow access to devices on the local network. Chrome will block requests to these domains until the user accepts this prompt. This commonly occurs when an Egress policy matches broadly used domains (such as `cloudfront.net` or `github.com`), causing subrequests from public pages to resolve to the `100.80.0.0/16` range. #### Iframes If the affected request originates from within an iframe (for example, an application embedded in a third-party portal), the iframe must declare the `local-network-access` permission for the browser prompt to appear in the parent frame: * **Chrome 142-144**: Use the `allow="local-network-access"` attribute on the iframe element. * **Chrome 145+**: The permission was split into `allow="local-network"` and `allow="loopback-network"`. If iframes are nested, every iframe in the chain must include the appropriate attribute. Since third-party applications control their own iframe attributes, this may not be configurable by the end user. #### Workarounds To avoid this issue, choose one of the following options: * **Override IP address space classification (Chrome 146+)**: Use the [LocalNetworkAccessIpAddressSpaceOverrides ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessIpAddressSpaceOverrides) Chrome Enterprise policy to reclassify the `100.80.0.0/16` range as public. This is the most targeted fix because it only changes the classification for the initial resolved IP range rather than disabling security checks entirely. * **Allow specific URLs (Chrome 140+)**: Use the [LocalNetworkAccessAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessAllowedForUrls) Chrome Enterprise policy to exempt specific websites from Local Network Access checks. Note that `https://*` is a valid entry to disable checks for all URLs. * **Allow specific URLs (Chrome 146+)**: Use the [LocalNetworkAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAllowedForUrls) Chrome Enterprise policy, which replaces `LocalNetworkAccessAllowedForUrls` starting in Chrome 146. * **Opt out of Local Network Access restrictions (Chrome 142-152)**: Use the [LocalNetworkAccessRestrictionsTemporaryOptOut ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessRestrictionsTemporaryOptOut) Chrome Enterprise policy to completely opt out of Local Network Access restrictions. This is a temporary policy and will be removed after Chrome 152. * **Disable the Chrome feature flag**: Go to `chrome://flags` and set the **Local Network Access Checks** flag to _Disabled_. This approach is suitable for individual users but not for enterprise-wide deployment. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/egress-policies/","name":"Egress policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/","name":"Egress through Cloudflare Tunnel"}}]} ``` --- --- title: Host selectors description: Egress policies are evaluated at Layer 4 (https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) of the OSI model, where only IP addresses are available — not hostnames. The Application, Content Categories, Domain, and Host selectors need to match traffic by hostname, so Gateway uses a two-step process: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Host selectors Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | Traffic and DNS mode | Enterprise | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2025.4.929.0 | | macOS | ✅ | 2025.4.929.0 | | Linux | ✅ | 2025.4.929.0 | | iOS | ✅ | 1.11 | | Android | ✅ | 2.4.2 | | ChromeOS | ✅ | 2.4.2 | Egress policies are evaluated at Layer 4 ([https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/ ↗](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/)) of the OSI model, where only IP addresses are available — not hostnames. The [Application](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#application), [Content Categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#content-categories), [Domain](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#domain), and [Host](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#host) selectors need to match traffic by hostname, so Gateway uses a two-step process: 1. When Gateway receives a DNS query for a hostname that matches one of these selectors, it initially resolves the query to a temporary IP in the `100.80.0.0/16` or `2606:4700:0cf1:4000::/64` range. 2. When traffic arrives with this temporary destination IP, Gateway can identify which hostname the connection belongs to, apply the correct egress policy, then replace the temporary IP with the real destination IP before forwarding the traffic. ![Example egress policy flow](https://developers.cloudflare.com/_astro/host-selector-diagram.MWSMsbT4_1rAw7C.webp) These selectors require additional configuration before they work. ## Turn on Host selectors To turn on the selectors for your account: * [ Dashboard ](#tab-panel-3833) * [ API ](#tab-panel-3834) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings**. 2. In **Policy settings**, turn on **Allow egress policy host selectors**. Use the [Patch Zero Trust account configuration](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/configurations/methods/edit/) endpoint to update your Zero Trust configuration. For example: Patch Zero Trust account configuration ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ --request PATCH \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "settings": { "host_selector": { "enabled": true } } }' ``` ## Prerequisites Traffic must be on-ramped to Gateway with the following methods: | On-ramp method | Compatibility | | ------------------------------------------------------------------------------------------------------------------------------------ | ------------- | | [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) | ✅ | | [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) | ✅ | | [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) | ✅ | | [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) | ❌ | | [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/) | ✅ | Traffic from unsupported on-ramp methods resolves using your default Gateway settings. If you use DNS locations to send DNS queries to Gateway (over IPv4, IPv6, DNS over TLS, or DNS over HTTPS), Gateway does not return the initial resolved IP and the host selectors do not apply. ### Configuration changes To configure your Zero Trust organization to use Host selectors with Egress policies: 1. Make sure you deploy the following version of the Cloudflare One Client on your users' devices: * **Desktop**: [Cloudflare One Client version 2025.4.929.0](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) or later * **iOS**: [Cloudflare One Client version 1.11](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/#ios) or later * **Android and Chrome OS**: [Cloudflare One Client version 2.4.2](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/#android) or later. If you need to support devices running prior versions of WARP, add and deploy the following key-value pair to your devices' [WARP configuration file](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): ``` doh_in_tunnel ``` 1. In your WARP [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/), configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) such that the initial resolved IPs route through the WARP tunnel. Configuration depends on your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode): * **Exclude mode**: Delete `100.64.0.0/10` from your Split Tunnels list. We recommend [adding back the IP ranges](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/#split-tunnel-configuration) that are not explicitly used for Cloudflare One services. This reduces the risk of conflicts with existing private network configurations that may use the CGNAT address space. * **Include mode**: Add Split Tunnel entries for the following IP addresses: * **IPv4**: `100.80.0.0/16` * **IPv6**: `2606:4700:0cf1:4000::/64` The Cloudflare One Client must be set to _Traffic and DNS mode_ for traffic affected by these selectors to route correctly. ## Known issues ### Google Chrome restricts local network access Starting with [Chrome 142 ↗](https://developer.chrome.com/release-notes/142), the browser restricts requests from websites to local IP addresses, including the Gateway initial resolved IP CGNAT range (`100.80.0.0/16`). Because this range falls within `100.64.0.0/10`, Chrome categorizes these addresses as belonging to a local network. When a website loaded from a public IP makes subrequests to a domain resolved through an initial resolved IP, Chrome treats this as a public-to-local network request and displays a prompt asking the user to allow access to devices on the local network. Chrome will block requests to these domains until the user accepts this prompt. This commonly occurs when an Egress policy matches broadly used domains (such as `cloudfront.net` or `github.com`), causing subrequests from public pages to resolve to the `100.80.0.0/16` range. #### Iframes If the affected request originates from within an iframe (for example, an application embedded in a third-party portal), the iframe must declare the `local-network-access` permission for the browser prompt to appear in the parent frame: * **Chrome 142-144**: Use the `allow="local-network-access"` attribute on the iframe element. * **Chrome 145+**: The permission was split into `allow="local-network"` and `allow="loopback-network"`. If iframes are nested, every iframe in the chain must include the appropriate attribute. Since third-party applications control their own iframe attributes, this may not be configurable by the end user. #### Workarounds To avoid this issue, choose one of the following options: * **Override IP address space classification (Chrome 146+)**: Use the [LocalNetworkAccessIpAddressSpaceOverrides ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessIpAddressSpaceOverrides) Chrome Enterprise policy to reclassify the `100.80.0.0/16` range as public. This is the most targeted fix because it only changes the classification for the initial resolved IP range rather than disabling security checks entirely. * **Allow specific URLs (Chrome 140+)**: Use the [LocalNetworkAccessAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessAllowedForUrls) Chrome Enterprise policy to exempt specific websites from Local Network Access checks. Note that `https://*` is a valid entry to disable checks for all URLs. * **Allow specific URLs (Chrome 146+)**: Use the [LocalNetworkAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAllowedForUrls) Chrome Enterprise policy, which replaces `LocalNetworkAccessAllowedForUrls` starting in Chrome 146. * **Opt out of Local Network Access restrictions (Chrome 142-152)**: Use the [LocalNetworkAccessRestrictionsTemporaryOptOut ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessRestrictionsTemporaryOptOut) Chrome Enterprise policy to completely opt out of Local Network Access restrictions. This is a temporary policy and will be removed after Chrome 152. * **Disable the Chrome feature flag**: Go to `chrome://flags` and set the **Local Network Access Checks** flag to _Disabled_. This approach is suitable for individual users but not for enterprise-wide deployment. ### DNS Override policies bypass host selectors If a domain matches a [DNS Override policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#override), Gateway will not apply the initial resolved IP mapping for that domain. This means host-based egress selectors (Application, Content Categories, Domain, and Host) will not evaluate against traffic to the overridden domain. Traffic to these domains will use the default Cloudflare egress method. ### HTTPS DNS records not supported Host selectors do not support HTTPS DNS record types. When a domain uses HTTPS records for connection establishment, Gateway cannot map the DNS query to a hostname for egress policy evaluation. Traffic to these domains will use the default Cloudflare egress method instead of matching a host-based egress policy. If you need to apply egress policies to a domain that uses HTTPS records, use an IP-based selector (such as [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#destination-ip)) instead. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/egress-policies/","name":"Egress policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/egress-policies/host-selectors/","name":"Host selectors"}}]} ``` --- --- title: Enable IDS description: Cloudflare's Intrusion Detection System (IDS) is a Cloudflare Advanced Network Firewall feature you can use to actively monitor for a wide range of known threat signatures in your traffic. An IDS expands the security coverage of a firewall to analyze traffic against a broader threat database, detecting a variety of sophisticated attacks such as ransomware, data exfiltration, and network scanning based on signatures or “fingerprints” in network traffic. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/enable-ids.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Enable IDS Cloudflare's Intrusion Detection System (IDS) is a Cloudflare Advanced Network Firewall feature you can use to actively monitor for a wide range of known threat signatures in your traffic. An IDS expands the security coverage of a firewall to analyze traffic against a broader threat database, detecting a variety of sophisticated attacks such as ransomware, data exfiltration, and network scanning based on signatures or “fingerprints” in network traffic. With Cloudflare's global anycast network, you get: * Cloudflare's entire global network capacity is now the capacity of your IDS. * Built-in redundancy and failover. Every server runs Cloudflare's IDS software, and traffic is automatically attracted to the closest network location to its source. * Continuous deployment for improvements to Cloudflare's IDS capabilities. Refer to [Enable IDS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/enable-ids/#enable-ids) for more information on enabling IDS and creating new rulesets. After IDS is enabled, your traffic will be scanned to find malicious traffic. The detections are logged to destinations that can be configured from the dashboard. Refer to [IDS logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/ids-logs/) for instructions on configuring a destination to receive the detections. Additionally, all traffic that is analyzed can be accessed via [network analytics](https://developers.cloudflare.com/analytics/network-analytics/). Refer to [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-network-firewall/tutorials/graphql-analytics/) to query the analytics data. Cloudflare's IDS takes advantage of the threat intelligence powered by our global network and extends the capabilities of the Cloudflare Firewall to monitor and protect your network from malicious actors. ## Enable IDS You can enable IDS through the dashboard or via the API. Note This feature is available for Cloudflare Advanced Network Firewall users. For access, contact your account team. * [ Dashboard ](#tab-panel-3835) * [ API ](#tab-panel-3836) 1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Traffic policies**. 2. Select **Policy settings** and turn on **IDS**. To start using IDS via the API, first create a new ruleset in the `magic-transit-ids-managed` phase with a rule which is enabled. 1. Follow instructions in the [Rulesets Engine Page](https://developers.cloudflare.com/ruleset-engine/basic-operations/view-rulesets/) to view all rulesets for your account. You must see a ruleset with phase `magic-transit-ids-managed` and kind `managed`. If not, please contact your account team. The managed ruleset ID will be used in the next step. 2. Create a new root ruleset with a single rule in the `magic_transit_ids_managed` phase by running: Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "IDS Execute ruleset", "description": "Ruleset to enable IDS", "kind": "root", "phase": "magic_transit_ids_managed", "rules": [ { "enabled": true, "expression": "true", "action": "execute", "description": "enable ids", "action_parameters": { "id": "${managed_ruleset_id}" } } ] }' ``` With this ruleset added, IDS will start inspecting packets and report any anomalous traffic. Next, you can [configure Logpush](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/use-logpush-with-ids/) to start receiving details about the anomalous traffic. 1. Use the rule created in the previous step to enable or disable IDS. The Rulesets API documentation describes [how to patch a rule](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update-rule/). For example, the following patch request to set the `enabled` field to `false` will disable IDS. The ruleset and rule ID from the ruleset created in the previous step are used below. Terminal window ``` curl --request PATCH \ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_ruleset_id}/rules/{rule_id} \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "enabled": false, "expression": "true", "action": "execute", "action_parameters": { "id": "${managed_ruleset_id}" } }' ``` Similarly, sending a patch request with the `enabled` field set to `true` will enable IDS. ## IDS rules IDS rules are run on a subset of packets. IDS also supports the current flows: * Cloudflare WAN to Cloudflare WAN. * Magic Transit ingress traffic (when egress traffic is handled through direct server return). * Magic Transit ingress and egress traffic when Magic Transit has the [Egress option enabled](https://developers.cloudflare.com/reference-architecture/architectures/magic-transit/#magic-transit-with-egress-option-enabled). ## Next steps You must configure Logpush to log detected risks. Refer to [Configure a Logpush destination](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/use-logpush-with-ids/) for more information. Additionally, all traffic that is analyzed can be accessed via [network analytics](https://developers.cloudflare.com/analytics/network-analytics/). Refer to [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-network-firewall/tutorials/graphql-analytics/) to query the analytics data. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/enable-ids/","name":"Enable IDS"}}]} ``` --- --- title: Get started description: This section covers best practices for setting up the following Gateway policy types: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Get started This section covers best practices for setting up the following Gateway policy types: * [ DNS filtering ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/) * [ Network filtering ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/network/) * [ HTTP filtering ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) For each type of policy, we recommend the following workflow: 1. Connect the devices and/or networks that you want to apply policies to. 2. Verify that Gateway is successfully proxying traffic from your devices. 3. Set up basic security and compatibility policies (recommended for most use cases). 4. Customize your configuration to the unique needs of your organization. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/get-started/","name":"Get started"}}]} ``` --- --- title: DNS filtering description: Secure Web Gateway allows you to inspect DNS traffic — the queries your devices make to translate domain names like example.com into IP addresses — and control which websites users can visit. Because every connection starts with a DNS lookup, DNS filtering blocks threats at the earliest stage of a connection, before the device ever reaches the destination. Use DNS policies to block malware domains, phishing sites, or entire content categories across your organization. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ DNS ](https://developers.cloudflare.com/search/?tags=DNS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/get-started/dns.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # DNS filtering Secure Web Gateway allows you to inspect DNS traffic — the queries your devices make to translate domain names like `example.com` into IP addresses — and control which websites users can visit. Because every connection starts with a DNS lookup, DNS filtering blocks threats at the earliest stage of a connection, before the device ever reaches the destination. Use DNS policies to block malware domains, phishing sites, or entire content categories across your organization. Note For a more detailed guide to filtering DNS queries and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) implementation guide. ## 1\. Connect to Gateway You can filter DNS queries from individual devices (for example, employee laptops) or from entire network locations (for example, an office router). Choose the option that matches your deployment. ### Connect devices To filter DNS requests from an individual device such as a laptop or phone: 1. [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) on your device. The Cloudflare One Client is a lightweight agent that routes the device's DNS queries through Cloudflare so Gateway can inspect and filter them. 2. [Enroll the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) in your organization's Zero Trust instance \[^1\]. This tells WARP which Gateway policies to enforce. 3. (Optional) If you want to display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) instead of a generic browser error when a request is blocked, [install a Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. ### Connect DNS locations To filter DNS requests from a network location such as an office or data center without installing software on each device: 1. [Add the location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) to your Cloudflare One settings. A DNS location represents a network (such as an office) whose DNS queries you want to filter. 2. On your router, browser, or OS, change the DNS server setting to point to the Cloudflare address shown in the location setup UI. This forwards all DNS queries from that network through Gateway. Note Gateway uses different methods to identify which location a query comes from, depending on the protocol: * **IPv4 queries** — Gateway matches the query to a location based on the source IP address of your network. Under **Networks** \> **Resolvers & Proxies** \> **DNS locations**, verify that the **Source IPv4 Address** matches the public IP of the network you want to protect. * **IPv6, DNS over TLS (DOT), or DNS over HTTPS (DOH) queries** — Because these protocols may obscure the source IP, Gateway instead matches queries using the unique DNS forwarding address assigned to each location. Make sure your resolver is configured with the correct forwarding address for the location you want policies to apply to. ## 2\. Verify device connectivity To confirm that your device's DNS queries are flowing through Gateway: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 2. Under **Log traffic activity**, enable activity logging for all DNS logs. 3. On your device, open a browser and go to any website. 4. In Cloudflare One, go to **Insights** \> **Logs** \> **DNS**. 5. Make sure DNS queries from your device appear. ## 3\. Create your first DNS policy A DNS policy has two parts: a **traffic condition** that defines which queries to match (for example, all queries to gambling sites) and an **action** that defines what to do with matching queries (for example, block them). To create a new DNS policy: * [ Dashboard ](#tab-panel-3837) * [ API ](#tab-panel-3838) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies**. 2. In the **DNS** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, use the condition builder to define which DNS queries this policy applies to. Select a selector (such as **Security Categories**), an operator (such as **in**), and one or more values. 5. Choose an **Action** to take when traffic matches the condition. For example, we recommend adding a policy to block all [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories): | Selector | Operator | Value | Action | | ------------------- | -------- | -------------------- | ------ | | Security Categories | in | _All security risks_ | Block | 6. Select **Create policy**. 1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions: | Type | Item | Permission | | ------- | ---------- | ---------- | | Account | Zero Trust | Edit | 2. (Optional) Configure your API environment variables to include your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and API token. 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, the following request creates a policy that blocks all default [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories). The numeric IDs in the `traffic` field (such as `68`, `178`, `80`) correspond to Cloudflare's predefined security threat categories — refer to [domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) for the full mapping. The `precedence` field controls evaluation order when multiple policies match (`0` means this policy is evaluated first). Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block security threats", "description": "Block all default Cloudflare DNS security categories", "precedence": 0, "enabled": true, "action": "block", "filters": [ "dns" ], "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", "identity": "" }' ``` ``` { "success": true, "errors": [], "messages": [] } ``` The API will respond with a summary of the policy and the result of your request. For more information, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). ## 4\. Add optional policies Once your first policy is active, refer to [common DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/common-policies) for other policies you may want to add. Common additions include blocking specific content categories (such as social media or streaming), enabling SafeSearch on search engines, and restricting DNS queries so devices can only use resolvers that you have approved. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/get-started/","name":"Get started"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/get-started/dns/","name":"DNS filtering"}}]} ``` --- --- title: HTTP filtering description: Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit. DNS filtering can only block or allow entire domains (for example, all of dropbox.com). HTTP filtering goes deeper — it inspects full URLs and request content, so you can block a specific page like dropbox.com/shared-folder, scan file uploads for sensitive data, or enforce acceptable use policies based on what users are actually doing on a site. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # HTTP filtering Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit. DNS filtering can only block or allow entire domains (for example, all of `dropbox.com`). HTTP filtering goes deeper — it inspects full URLs and request content, so you can block a specific page like `dropbox.com/shared-folder`, scan file uploads for sensitive data, or enforce acceptable use policies based on what users are actually doing on a site. Note For a more detailed guide to filtering HTTP requests and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) implementation guide. ## 1\. Connect to Gateway HTTP filtering requires three components working together: the Cloudflare One Client routes device traffic through Cloudflare, a root certificate lets Gateway decrypt HTTPS traffic so it can inspect URLs and content, and the Gateway proxy enables Gateway to intercept and evaluate HTTP requests. Without the certificate, Gateway can only see the domain name — not the full URL or request body. To filter HTTP requests from a device: 1. [Install the Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. 2. [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device. 3. In the Cloudflare One Client Settings, log in to your organization's Cloudflare One instance. 4. [Enable the Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, enable the UDP proxy to also inspect QUIC traffic on port 443 — this covers HTTP/3, a newer protocol some browsers use by default. 5. To inspect HTTPS traffic, [enable TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption). TLS decryption allows Gateway to read encrypted requests. Without it, Gateway can see that a user visited `example.com` but not which specific page or what they uploaded. 6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/). ## 2\. Verify device connectivity To verify your device is connected to Cloudflare One and traffic is flowing through Gateway: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 2. Under **Log traffic activity**, enable activity logging for all HTTP logs. 3. On your device, open a browser and go to any website. 4. In Cloudflare One, go to **Insights** \> **Logs** \> **HTTP**. 5. Make sure HTTP requests from your device appear. After creating your first HTTP policy in the next step, you can test it by visiting a URL that your policy should block and confirming the request is denied. ## 3\. Create your first HTTP policy An HTTP policy defines which requests to match (for example, uploads to file-sharing sites) and the action to take (for example, block). To create a new HTTP policy: * [ Dashboard ](#tab-panel-3839) * [ API ](#tab-panel-3840) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies**. 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. 5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: | Selector | Operator | Value | Action | | ----------- | -------- | ---------------- | -------------- | | Application | in | _Do Not Inspect_ | Do Not Inspect | Cloudflare also recommends adding a policy to block [known threats](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: | Selector | Operator | Value | Action | | ------------------- | -------- | -------------------- | ------ | | Security Categories | in | _All security risks_ | Block | 6. Select **Create policy**. 1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions: | Type | Item | Permission | | ------- | ---------- | ---------- | | Account | Zero Trust | Edit | 2. (Optional) Configure your API environment variables to include your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and API token. 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, if you have configured TLS decryption, some applications that use [embedded certificates](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Do not inspect applications", "description": "Bypass TLS decryption for unsupported applications", "precedence": 0, "enabled": true, "action": "off", "filters": [ "http" ], "traffic": "any(app.type.ids[*] in {16})", "identity": "", "device_posture": "" }' ``` ``` { "success": true, "errors": [], "messages": [] } ``` The API will respond with a summary of the policy and the result of your request. Cloudflare also recommends adding a policy to block [known threats](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block known risks", "description": "Block all default Cloudflare HTTP security categories", "precedence": 0, "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", "identity": "", "device_posture": "" }' ``` For more information, refer to [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). ## 4\. Add optional policies Refer to our list of [common HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/common-policies) for other policies you may want to create. Common additions include blocking file downloads by type, isolating risky websites in a [remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), and adding Do Not Inspect rules for applications that break under TLS decryption (for example, apps that use certificate pinning to enforce their own certificates). Do Not Inspect rules tell Gateway to skip decryption for specific destinations so those applications continue to work. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/get-started/","name":"Get started"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/get-started/http/","name":"HTTP filtering"}}]} ``` --- --- title: Network filtering description: Secure Web Gateway allows you to apply policies at the network level to control which websites and non-HTTP applications users can access. This is useful when you need to control traffic that is not web browsing — for example, blocking remote desktop connections or restricting file-transfer tools across your organization. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Network filtering Secure Web Gateway allows you to apply policies at the network level to control which websites and non-HTTP applications users can access. This is useful when you need to control traffic that is not web browsing — for example, blocking remote desktop connections or restricting file-transfer tools across your organization. Network policies inspect individual TCP and UDP packets (the low-level data units that carry all Internet traffic), which means you can filter traffic that [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/) and [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) policies cannot reach. DNS policies only see domain lookups, and HTTP policies only see web requests — network policies go deeper and can catch protocols like SSH (remote terminal access), RDP (remote desktop), and custom applications running on non-standard ports. Note For a more detailed guide to filtering network traffic and more for your organization, refer to the [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) implementation guide. ## 1\. Connect to Gateway ### Connect devices To filter network traffic from a device such as a laptop or phone: 1. [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device. 2. In the Cloudflare One Client Settings, log in to your organization's Cloudflare One instance. 3. (Optional) If you want to display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) when users are blocked, [install the Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. Without the certificate, blocked users will see a generic browser connection error instead of an informative page. 4. [Enable the Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. The Gateway proxy is what routes your device's traffic through Cloudflare so network policies can inspect it — without it enabled, your policies will have no effect. Optionally, enable the UDP proxy to also inspect QUIC traffic (a newer protocol used by HTTP/3 connections) on port 443. ### Connect private networks To filter traffic from private networks (internal corporate networks not exposed to the public Internet), refer to the [Cloudflare Tunnel guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). ## 2\. Verify device connectivity Verifying connectivity ensures that traffic from your device is actually flowing through Cloudflare before you build policies against it. To verify your device is connected to Cloudflare One: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 2. Under **Log traffic activity**, enable activity logging for all Network logs. This tells Cloudflare to record network-level traffic so you can confirm your device appears in the logs. 3. On your Cloudflare One Client device, open a browser and visit any website. This generates traffic that should appear in the logs. 4. Determine the **Source IP** for your device (the public-facing address Cloudflare sees for your connection): * [ Version 2026.2+ ](#tab-panel-3841) * [ Version 2026.1 and earlier ](#tab-panel-3842) 1. Open the Cloudflare One Client. 2. Go to **Profile**. 3. Note the **Client Interface IP**. This is the same address that will appear as the Source IP in your network logs. 1. Open the Cloudflare One Client. 2. Go to **Settings** (gear icon) **Preferences** \> **General**. 3. Note the **Public IP**. This is the same address that will appear as the Source IP in your network logs. 1. In Cloudflare One, go to **Insights** \> **Logs** \> **Network logs**. Before building network policies, make sure you see network logs from the Source IP assigned to your device. If no logs appear after a few minutes, check two things: first, verify that the [Gateway proxy is turned on](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). Second, confirm that the device is enrolled in your Zero Trust organization by checking the Cloudflare One Client connection status. ## 3\. Create your first network policy A network policy has two parts: a matcher that selects which traffic to act on (for example, all packets destined for port 22, the default port for SSH) and an action that decides what to do with it (for example, block the connection). To create a new network policy: * [ Dashboard ](#tab-panel-3843) * [ API ](#tab-panel-3844) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies**. 2. In the **Network** tab, select **Add a network policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. 5. Choose an **Action** to take when traffic matches the logical expression. For example, you can use a list of [device serial numbers](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device/) to ensure users can only access an application if they connect with the Cloudflare One Client from a company device: | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | | SNI Domain | is | internalapp.com | And | Block | | Passed Device Posture Checks | not in | _Device serial numbers_ | | | 6. Select **Create policy**. 1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions: | Type | Item | Permission | | ------- | ---------- | ---------- | | Account | Zero Trust | Edit | 2. (Optional) Configure your API environment variables to include your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and API token. 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, you can use a list of [device serial numbers](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device/) to ensure users can only access an application if they connect with the Cloudflare One Client from a company device: Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Enforce device posture", "description": "Ensure only devices in Zero Trust organization can connect to application", "precedence": 0, "enabled": true, "action": "block", "filters": [ "l4" ], "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", "identity": "", "device_posture": "not(any(device_posture.checks.passed[*] in {\"LIST_UUID\"}))" }' ``` ``` { "success": true, "errors": [], "messages": [] } ``` The API will respond with a summary of the policy and the result of your request. For more information, refer to [network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). ## 4\. Add optional policies Refer to our list of [common network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/common-policies) for policies you may want to create. Common additions include blocking traffic to specific IP ranges, restricting access to non-standard ports (ports other than well-known ones like 80 for HTTP and 443 for HTTPS), and using protocol detection to identify applications like BitTorrent based on their traffic patterns rather than port numbers alone. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/get-started/","name":"Get started"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/get-started/network/","name":"Network filtering"}}]} ``` --- --- title: Global policies description: Cloudflare Zero Trust applies a set of global policies to all accounts. These policies prevent you from accidentally blocking Cloudflare services that Zero Trust depends on, such as the dashboard, API, and client registration. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Global policies Cloudflare Zero Trust applies a set of global policies to all accounts. These policies prevent you from accidentally blocking Cloudflare services that Zero Trust depends on, such as the dashboard, API, and client registration. Zero Trust logs prepend an identifier to global policy names. For example, matches for the global policy **Allow Zero Trust Services** will appear in your logs with the name **Global Policy - Allow Zero Trust Services**. The following policies are sorted by [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) within each policy type. ## DNS resolution policies Gateway enforces global DNS and resolver policies before any other policies. This ensures the traffic is not blocked by user policies and gets resolved with Cloudflare's public DNS resolver, [1.1.1.1](https://developers.cloudflare.com/1.1.1.1/). Each global DNS policy evaluates traffic based on the domain in the query. | Name | ID | Value | Action | | ----------------------------------------------------------------------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | Allow DNS queries for cloudflareclient.com domain | 00000001-e139-4a1b-90d5-698d8fa371e0 | cloudflareclient.com | allow | | Resolve cloudflareclient.com through 1.1.1.1 | 00000001-e738-4554-823b-0b2c75af2c66 | cloudflareclient.com | resolve | | Allow DNS queries for content.browser.run domain | 00000001-9bff-4d83-a9e4-e5ed321fe0b9 | content.browser.run | allow | | Resolve content.browser.run through 1.1.1.1 | 00000001-0df5-472b-80c0-02888e7167ee | content.browser.run | resolve | | Allow DNS queries for edge.browser.run and cloudflarebrowser.com domains | 00000001-e2f1-4e99-bab3-91df88879587 | edge.browser.run and cloudflarebrowser.com | allow | | Resolve edge.browser.run and cloudflarebrowser.com through 1.1.1.1 | 00000001-b103-44c6-a114-7a784cdf3fb7 | edge.browser.run and cloudflarebrowser.com | resolve | | Allow DNS queries for help.teams.cloudflare.com and help.one.cloudflare.com domains | 00000001-b2fc-46db-b0f1-69ef3553bd7a | help.teams.cloudflare.com and help.one.cloudflare.com | allow | | Resolve help.teams.cloudflare.com and help.one.cloudflare.com through 1.1.1.1 | 00000001-ce13-486a-b006-ba0435ccb013 | help.teams.cloudflare.com and help.one.cloudflare.com | resolve | | Allow DNS queries for cloudflare-gateway.com domain | 00000001-e83d-492b-995e-351970cd5e8e | cloudflare-gateway.com | allow | | Resolve cloudflare-gateway.com through 1.1.1.1 | 00000001-d9bc-4913-a2f5-905dbb3ecf9a | cloudflare-gateway.com | resolve | | Allow DNS queries for cloudflarestatus.com domain | 00000001-78da-4f8a-b9ee-76563f1ec46b | cloudflarestatus.com | allow | | Resolve cloudflarestatus.com through 1.1.1.1 | 00000001-4d1d-43a3-9015-c49fc3a6da31 | cloudflarestatus.com | resolve | | Allow DNS queries for nel.cloudflare.com domain | 00000001-af28-4afa-8987-eadc21187e14 | nel.cloudflare.com | allow | | Resolve nel.cloudflare.com through 1.1.1.1 | 00000001-0034-45a0-8333-f339451fba46 | nel.cloudflare.com | resolve | | Allow DNS queries for api.cloudflare.com domain | 00000001-5eea-4932-8dd5-8e1ec9770396 | api.cloudflare.com | allow | | Resolve api.cloudflare.com through 1.1.1.1 | 00000001-4f0c-4f86-9b96-5d26123a194b | api.cloudflare.com | resolve | | Allow DNS queries for one.dash.cloudflare.com domain | 00000001-0f75-48a9-b3e1-925a974d2b65 | one.dash.cloudflare.com | allow | | Resolve one.dash.cloudflare.com through 1.1.1.1 | 00000001-3d84-41a6-bc84-3014685c0d81 | one.dash.cloudflare.com | resolve | | Allow DNS queries for one.dash.cloudflare.com domain | 00000001-a9fd-40de-a662-51d3a3ae0ad8 | one.dash.cloudflare.com and one.dash.fed.cloudflare.com | allow | | Resolve one.dash.cloudflare.com through 1.1.1.1 | 00000001-70f2-4eea-b711-201bca434ed4 | one.dash.cloudflare.com and one.dash.fed.cloudflare.com | resolve | | Allow DNS queries for dash.cloudflare.com domain | 00000001-0c2a-4b31-8606-3e5a1d87c1bf | dash.cloudflare.com and dash.fed.cloudflare.com | allow | | Resolve dash.cloudflare.com through 1.1.1.1 | 00000001-c47f-41f3-b234-d66c82b8d422 | dash.cloudflare.com and dash.fed.cloudflare.com | resolve | | Allow DNS queries for cloudflareportal.com, cloudflareok.com and cloudflarecp.com domains | 00000001-1c6c-4793-b48f-799eee6e0e31 | cloudflareportal.com, cloudflareok.com, and cloudflarecp.com | allow | | Resolve cloudflareportal.com, cloudflareok.com and cloudflarecp.com through 1.1.1.1 | 00000001-8c35-4d7d-9dbb-cb7350375b7b | cloudflareportal.com, cloudflareok.com, and cloudflarecp.com | resolve | | Allow DNS queries for cloudflareaccess.com domain | 00000001-d738-4dad-bac4-1a50201d9503 | cloudflareaccess.com | allow | | Resolve cloudflareaccess.com through 1.1.1.1 | 00000001-4404-4572-80f6-f7b098909460 | cloudflareaccess.com | resolve | | Allow DNS queries for blocked.teams.cloudflare.com domain | 00000001-76f4-4438-b8ab-a9da53f4a2f1 | blocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.com | allow | | Resolve blocked.teams.cloudflare.com through 1.1.1.1 | 00000001-af3c-458f-aeb2-b3bb5d3fe1d5 | blocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.com | resolve | | Allow DNS queries for developers.cloudflare.com domain | 00000001-4263-4808-8457-4d4329c91f66 | developers.cloudflare.com | allow | | Resolve developers.cloudflare.com through 1.1.1.1 | 00000001-9f91-4462-9270-78beca5b4dbc | developers.cloudflare.com | resolve | | Allow DNS queries for speed.cloudflare.com domain | 00000001-4fc0-4286-b783-6c442adda171 | speed.cloudflare.com | allow | | Resolve speed.cloudflare.com through 1.1.1.1 | 00000001-ec51-4471-9e78-bd47d46a3002 | speed.cloudflare.com | resolve | | Allow DNS requests to browser-rendered Access Apps | 00000001-1232-4a9f-a165-1e8ed59483c4 | \*.zero-trust-apps.cfdata.org, \*.zero-trust-apps-staging.cfdata.org, \*.zero-trust-apps.fed.cfdata.org, or \*.zero-trust-apps-staging.fed.cfdata.org | allow | | Resolve browser-rendered Access Apps domains through 1.1.1.1 | 00000001-9461-43c7-ba63-d0fdf9376bd4 | \*.zero-trust-apps.cfdata.org, \*.zero-trust-apps-staging.cfdata.org, \*.zero-trust-apps.fed.cfdata.org, or \*.zero-trust-apps-staging.fed.cfdata.org | resolve | ## Network proxy policies | Name | ID | Criteria | Value | Action | Description | | --------------------------------------------------- | ------------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Allow CF Network Error Logging L4 | 00000001-e4af-4b82-8f8c-c79c1d5d212e | Hostname | \*.nel.cloudflare.com | allow | Allows SNI domains for Cloudflare One Client registration. | | Allow CF Client | 00000001-8c3d-4e27-a01b-af8418000077 | Hostname | \*.cloudflareclient.com and \*.fed.cloudflareclient.com | allow | Allows Zero Trust client. | | Allow Gateway Proxy PAC | 00000001-776e-438d-9856-987d7053762b | Hostname | \*.cloudflare-gateway.com and \*.fed.cloudflare-gateway.com | allow | Allows Gateway proxy with [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/). | | Allow Zero Trust Services | 00000001-e1e8-421b-a0fe-895397489f28 | Hostname | one.dash.cloudflare.com, help.teams.cloudflare.com, blocked.teams.cloudflare.com, blocked.teams.fed.cloudflare.com, api.cloudflare.com, api.fed.cloudflare.com, cloudflarestatus.com, www.cloudflarestatus.com, one.dash.cloudflare.com, one.dash.fed.cloudflare.com, help.one.cloudflare.com, dash.cloudflare.com, dash.fed.cloudflare.com, and developers.cloudflare.com | allow | Allows Cloudflare Zero Trust services. | | Allow Access Apps L4 | 00000001-daa2-41e2-8a88-698af4066951 | Hostname | \*.cloudflareaccess.com and \*.fed.cloudflareaccess.com | allow | Allows [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) applications. | | Allow HTTP requests to browser-rendered Access Apps | 00000001-1f93-4476-8f92-9aa4407d1c5f | Hostname | \*.zero-trust-apps.cfdata.org, \*.zero-trust-apps-staging.cfdata.org, \*.zero-trust-apps.fed.cfdata.org, or \*.zero-trust-apps-staging.fed.cfdata.org | allow | Allows Cloudflare Access terminal applications [rendered in a browser](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/#ssh-and-vnc). | ## HTTP inspection policies | Name | ID | Criteria | Value | Action | Description | | -------------------------------------- | ------------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | | Prevent Account Change Block | 00000001-d1f2-461a-8253-501c8d882a15 | Hostname | \*.cloudflareclient.com and \*.fed.cloudflareclient.com; not notifications.cloudflareclient.com or notifications.fed.cloudflareclient.com | bypass | Ensures users cannot accidentally block themselves from making account changes. | | Bypass RBI Assets | 00000001-df61-4068-aa6c-0f684c3cd4e6 | Hostname | \*.content.browser.run | bypass | Required for [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). | | Inspect RBI Urls | 00000001-3faa-4f59-98d4-0f6d6af4b6d0 | Hostname | \*.edge.browser.run and \*.cloudflarebrowser.com | bypass | Required for Browser Isolation. | | Allow Gateway Help Page | 00000001-8e9a-4429-b3c2-d267d0ce6114 | Hostname | help.teams.cloudflare.com and help.one.cloudflare.com | allow | Used by the Cloudflare One Client to check if Gateway is on by inspecting the certificate and checking if it is properly installed on the client device. | | Bypass Gateway DNS | 00000001-d9c0-46b0-8704-2ea5b9d7bdfc | Hostname | \*.cloudflare-gateway.com and \*.fed.cloudflare-gateway.com | bypass | Ensures requests to the cloudflare-gateway.com DNS endpoint will not be inspected. | | Bypass CF Status | 00000001-5399-4b71-a9fc-d4d90ccf0758 | Hostname | \*.cloudflarestatus.com | bypass | Bypasses cloudflarestatus.com so users can reach the status page in case of a Gateway outage. | | Bypass CF Network Error Logging | 00000001-dfe0-4737-8d1e-8191e8f637df | Hostname | \*.nel.cloudflare.com | bypass | Bypasses \*.nel.cloudflarestatus.com for Cloudflare's network error logging feature. | | Bypass CF API | 00000001-a424-43fb-b1f1-d3eb35ed7ddd | Hostname | api.cloudflare.com and api.fed.cloudflare.com | bypass | Bypasses Cloudflare's API endpoint. | | Prevent ZT Dashboard Lockout | 00000001-d38e-42db-96fe-60613b6b308f | Hostname | dash.teams.cloudflare.com, one.dash.cloudflare.com, and one.dash.fed.cloudflare.com | bypass | Prevents users from being locked out of the Zero Trust dashboard. | | Bypass CF Dashboard | 00000001-d343-4ded-908e-b3fe43c5e61e | Hostname | \*.dash.cloudflare.com and \*.dash.fed.cloudflare.com | bypass | Bypasses the Cloudflare dashboard and subdomains. | | Bypass Zero Trust Captive Portal Sites | 00000001-8b62-4367-919e-5c160a06ddf7 | Hostname | cloudflareportal.com, cloudflareok.com, and cloudflarecp.com | bypass | Bypasses the Zero Trust captive portal detection sites. | | Bypass OCSP | 00000001-34ce-47c7-ad0f-199f46eba194 | Application | Online Certificate Status Protocol | bypass | Enables OCSP stapling. | | Allow Access Apps L7 | 00000001-8d6b-4951-8a18-3bbc9010976c | Hostname | \*.cloudflareaccess.com and \*.fed.cloudflareaccess.com | allow | Allows Cloudflare Access applications. | | Prevent Block Page Loop | 00000001-48b1-4ade-93c1-f0f3759dc19c | Hostname | blocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.com | bypass | Prevents an infinite loop on the Gateway block page. | | Always Blocked Categories | 00000001-bed5-462e-b0f1-2e2c3555e9f7 | Content Category | [Child Abuse category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#category-and-subcategory-ids) | block | Blocks child abuse materials (CSAM). | | Don't Isolate RBI Help Pages | 00000001-1a18-431f-9c9d-bce431f1002a | Hostname | developers.cloudflare.com and help.cloudflarebrowser.com | noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues. | | Don't AV Scan CF Speed | 00000001-c194-408f-87dd-9a366ce76e12 | Hostname | speed.cloudflare.com | noscan | Allows files transferred by the Cloudflare speed test. | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/global-policies/","name":"Global policies"}}]} ``` --- --- title: HTTP policies description: HTTP policies allow you to filter all HTTP and HTTPS requests based on URLs, hostnames, HTTP methods, file types, and other request attributes. Unlike network policies which operate at Layer 4 (TCP/UDP), HTTP policies operate at Layer 7 and can inspect the full content of web traffic. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # HTTP policies Note To use HTTP policies, install a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/). HTTP policies allow you to filter all HTTP and HTTPS requests based on URLs, hostnames, HTTP methods, file types, and other request attributes. Unlike [network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) which operate at Layer 4 (TCP/UDP), HTTP policies operate at Layer 7 and can inspect the full content of web traffic. By default, Gateway inspects HTTP traffic on port `80` and, with [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) turned on, HTTPS traffic on port `443`. You can also configure Gateway to [inspect HTTP/HTTPS traffic on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). Gateway supports HTTP/3 inspection with the [UDP proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/) turned on. An HTTP policy consists of an **Action** and a logical expression that determines the scope of the policy. To build an expression, choose a **Selector** and an **Operator**, then enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. * [Actions](#actions) * [Selectors](#selectors) * [Comparison operators](#comparison-operators) * [Value](#value) * [Logical operators](#logical-operators) If a condition in an expression joins a query attribute (such as _Source IP_) and a response attribute (such as _Resolved IP_), then the condition will be evaluated when the response is received. Terraform provider v4 precedence limitation To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint. To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). ## Actions Actions in HTTP policies allow you to choose what to do with a given set of elements (domains, IP addresses, file types, and so on). You can assign one action per policy. ### Allow API value: `allow` Available selectors **Traffic** * [Access Infrastructure Target](#access-infrastructure-target) * [Access Private App](#access-private-app) * [Application](#application) * [Content Categories](#content-categories) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [DLP Profile](#dlp-profile) * [Domain](#domain) * [Download File Types](#download-and-upload-file-types) * [Download Mime Type](#download-and-upload-mime-type) * [Host](#host) * [HTTP Method](#http-method) * [HTTP Response](#http-response) * [Proxy Endpoint](#proxy-endpoint) * [Security Categories](#security-risks) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [Upload File Types](#download-and-upload-file-types) * [Upload Mime Type](#download-and-upload-mime-type) * [URL](#url) * [URL Path](#url-path) * [URL Path & Query](#url-path-and-query) * [URL Query](#url-query) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) The Allow action allows outbound traffic to reach destinations you specify within the [Selectors](#selectors) and [Value](#value) fields. For example, the following configuration allows traffic to reach all websites we categorize as belonging to the Education content category: | Selector | Operator | Value | Action | | ------------------ | -------- | ----------- | ------ | | Content Categories | in | _Education_ | Allow | #### Untrusted certificates The **Untrusted certificate action** determines how to handle insecure requests. | Option | Action | | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | Display Gateway error page. Matches the default behavior when no action is configured. | | Block | Display [block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) as set in Cloudflare One. | | Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. For more information on what statuses are bypassed, refer to [Troubleshooting Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/#error-526-invalid-ssl-certificate). | ### Block API value: `block` Available selectors **Traffic** * [Access Infrastructure Target](#access-infrastructure-target) * [Access Private App](#access-private-app) * [Application](#application) * [Content Categories](#content-categories) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [DLP Profile](#dlp-profile) * [Domain](#domain) * [Download File Types](#download-and-upload-file-types) * [Download Mime Type](#download-and-upload-mime-type) * [Host](#host) * [HTTP Method](#http-method) * [HTTP Response](#http-response) * [Proxy Endpoint](#proxy-endpoint) * [Security Categories](#security-risks) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [Upload File Types](#download-and-upload-file-types) * [Upload Mime Type](#download-and-upload-mime-type) * [URL](#url) * [URL Path](#url-path) * [URL Path & Query](#url-path-and-query) * [URL Query](#url-query) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) The Block action blocks outbound traffic from reaching destinations you specify within the [Selectors](#selectors) and [Value](#value) fields. For example, the following configuration blocks users from being able to upload any file type to Google Drive: | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | ------------ | ----- | ------ | | Application | in | Google Drive | And | Block | | Upload Mime Type | matches regex | .\* | | | #### Cloudflare One Client block notifications Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/plans/zero-trust-services/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | Enterprise | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2024.1.159.0 | | macOS | ✅ | 2024.1.160.0 | | Linux | ❌ | | | iOS | ✅ | 1.7 | | Android | ✅ | 1.4 | | ChromeOS | ✅ | 1.4 | Turn on **Display block notification for Cloudflare One Client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the Cloudflare One Client with a custom message you set. If you do not set a custom message, the Cloudflare One Client will display a default message. Custom messages must be 100 characters or less. The Cloudflare One Client will only display one notification per minute. Upon selecting the notification, the Cloudflare One Client will direct your users to the [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include: Policy context fields | Field | Definition | Example | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- | | User email | Email of the user that made the query. | &cf\_user\_email=user@example.com | | Site URL | Full URL of the original HTTP request or domain name in DNS query. | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F | | URL category | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected. | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains | | Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | &cf\_referer=https%3A%2F%2Fexample.com%2F | | Rule ID | ID of the Gateway policy that matched the request. | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Source IP | Source IP address of the device that matched the policy. | &cf\_source\_ip=203.0.113.5 | | Device ID | UUID of the device that matched the policy. | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Application names | Name of the application the redirected domain corresponds to, if any. | &cf\_application\_name=Salesforce | | Filter | The traffic type filter that triggered the block. | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 | | Account ID | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d | | Query ID | ID of the DNS query for which the redirect took effect. | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Connection ID | ID of the proxy connection for which the redirect took effect. | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Request ID | ID of the HTTP request for which the redirect took effect. | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac). ### Redirect API value: `redirect` Available selectors **Traffic** * [Access Infrastructure Target](#access-infrastructure-target) * [Application](#application) * [Content Categories](#content-categories) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [Domain](#domain) * [Host](#host) * [HTTP Method](#http-method) * [Proxy Endpoint](#proxy-endpoint) * [Security Risks](#security-risks) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [URL](#url) * [URL Path](#url-path) * [URL Path & Query](#url-path-and-query) * [URL Query](#url-query) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) The Redirect action allows you to redirect matched HTTP requests to a different URL you specify. For example, if your users browse to the public web page of a SaaS app, you can redirect them to your own self-hosted instance, a single sign-on page, or an internal policy page. To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). #### Policy settings In **Policy URL redirect**, you can define what URL to redirect matched requests to. The redirect URL can contain paths and queries. For example, you can redirect `example.com` to `cloudflare.com/path/to/page?querystring=x`. When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include: Policy context fields | Field | Definition | Example | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- | | User email | Email of the user that made the query. | &cf\_user\_email=user@example.com | | Site URL | Full URL of the original HTTP request or domain name in DNS query. | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F | | URL category | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected. | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains | | Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | &cf\_referer=https%3A%2F%2Fexample.com%2F | | Rule ID | ID of the Gateway policy that matched the request. | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Source IP | Source IP address of the device that matched the policy. | &cf\_source\_ip=203.0.113.5 | | Device ID | UUID of the device that matched the policy. | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Application names | Name of the application the redirected domain corresponds to, if any. | &cf\_application\_name=Salesforce | | Filter | The traffic type filter that triggered the block. | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 | | Account ID | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d | | Query ID | ID of the DNS query for which the redirect took effect. | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Connection ID | ID of the proxy connection for which the redirect took effect. | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Request ID | ID of the HTTP request for which the redirect took effect. | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | When you turn on **Preserve original path and query string**, Gateway will append the original path and query string to the redirected URL. Paths and queries in the redirect URL take precedence over the original URL. For example, if the original URL is `example.com/path/to/page?querystring=X` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to: ``` cloudflare.com/redirect-path/path/to/page?querystring=Y ``` When you turn on both options, Gateway will preserve the original path and query string, then append policy context to the end of the redirect URL. For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to: ``` cloudflare.com/redirect-path/path/to/page?querystring=Y&k=1&cf_user_email=user@example.com ``` ### Isolate API value: `isolate` Available selectors **Traffic** * [Application](#application) * [Content Categories](#content-categories) * [Domain](#domain) * [Host](#host) * [HTTP Method](#http-method) * [Security Risks](#security-risks) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [URL](#url) * [URL Path](#url-path) * [URL Path & Query](#url-path-and-query) * [URL Query](#url-query) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) The Isolate action serves matched traffic to users via [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). For more information on this action, refer to [Isolation policies](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#isolate). ### Do Not Inspect API value: `off` Available selectors **Traffic** * [Application](#application) * [Content Categories](#content-categories) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [Domain](#domain) * [Host](#host) * [Proxy Endpoint](#proxy-endpoint) * [Security Risks](#security-risks) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) Visibility limitation When you create a Do Not Inspect policy for a given hostname, application, or app type, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to this traffic. For more information, refer to [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/). Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indication (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations). Note All Do Not Inspect policies are evaluated before any Allow or Block policies, regardless of their position in the policy list. For more information, refer to [Order of enforcement](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies). ### Do Not Isolate API value: `noisolate` Available selectors **Traffic** * [Application](#application) * [Content Categories](#content-categories) * [Domain](#domain) * [Host](#host) * [HTTP Method](#http-method) * [Security Risks](#security-risks) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [URL](#url) * [URL Path](#url-path) * [URL Path & Query](#url-path-and-query) * [URL Query](#url-query) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) The Do Not Isolate action turns off browser isolation for matched traffic. For more information on this action, refer to [Isolation policies](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#do-not-isolate). ### Do Not Scan API value: `noscan` Available selectors **Traffic** * [Application](#application) * [Content Categories](#content-categories) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [Domain](#domain) * [Host](#host) * [HTTP Method](#http-method) * [Proxy Endpoint](#proxy-endpoint) * [Security Risks](#security-risks) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [URL](#url) * [URL Path](#url-path) * [URL Path & Query](#url-path-and-query) * [URL Query](#url-query) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) When an admin enables AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning by leveraging the HTTP rules. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, an admin would configure the following rule: | Selector | Operator | Value | Action | | -------- | ------------- | -------------- | ----------- | | Hostname | matches regex | .\*example.com | Do Not Scan | When a Do Not Scan rule matches, nothing is scanned, regardless of file size or whether the file type is supported or not. ### Quarantine API value: `quarantine` Available selectors **Traffic** * [Application](#application) * [Content Categories](#content-categories) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [Domain](#domain) * [Host](#host) * [HTTP Method](#http-method) * [Proxy Endpoint](#proxy-endpoint) * [Security Risks](#security-risks) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [URL](#url) * [URL Path](#url-path) * [URL Path & Query](#url-path-and-query) * [URL Query](#url-query) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) The Quarantine action sends files in matching requests to a file sandbox to scan for malware. Gateway will only quarantine files not previously seen in the file sandbox. For more information on this action, refer to [File sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). #### Sandbox file types In **Sandbox file types**, you can select which file types to quarantine with your policy. You must select at least one file type. File sandboxing supports scanning the following file types: Supported sandboxing file types * `.exe` * `.pdf` * `.doc` * `.docm` * `.docx` * `.rtf` * `.ppt` * `.pptx` * `.xls` * `.xlsm` * `.xlsx` * `.zip` * `.rar` ## Selectors Note Policies created using the URL selector are case-sensitive. Gateway matches HTTP traffic against the following selectors, or criteria: ### Access Infrastructure Target All [targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target) secured by an [Access infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/). | UI name | API example | | ---------------------------- | ------------- | | Access Infrastructure Target | access.target | ### Access Private App All destination IPs and hostnames secured by an [Access self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). | UI name | API example | | ------------------------------------------- | ------------------- | | Self-hosted Access App with Private Address | access.private\_app | ### Application Approval Status The review approval status of an application from [Shadow IT Discovery](https://developers.cloudflare.com/cloudflare-one/insights/analytics/shadow-it-discovery/) or the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/). For more information, refer to [Review applications](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/#review-applications). | UI name | API example | | ------------------ | ------------------------------------- | | Application Status | any(app.statuses\[\*\] == "approved") | ### Application You can apply HTTP policies to a growing list of popular web applications. Refer to [Application and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/) for more information. | UI name | API example | | ----------- | --------------------------- | | Application | any(app.ids\[\*\] in {505}) | Multiple API selectors required for Terraform When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`. #### Granular controls When using the _is_ operator with the _Application_ selector, you can use Application Granular Controls to choose specific actions and operations to match application traffic. For example, you can block file uploads to ChatGPT without blocking all ChatGPT traffic: | Selector | Operator | Value | Controls | Action | | ----------- | -------- | --------- | -------- | ------ | | Application | is | _ChatGPT_ | _Upload_ | Block | You can match traffic based on **Application Controls**, which group multiple user actions together, or **Operations**, which allow for granular control of supported API-level actions for an application. For more information, refer to [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/). ### Body Phase The phase of an HTTP request. You can use this selector to specify whether to scan either the data sent in an HTTP request to your user's device or from your user's device to a destination. Policies without this selector will scan both the HTTP request and response bodies. | UI name | API example | | ---------- | ---------------------------------- | | Body Phase | http.body\_phase == \\"download\\" | Body phase mismatch When combining this selector with the [Download and Upload File Types selectors](#download-and-upload-file-types), ensure you use the matching phase together. For example, use the `download` body phase with the Download File Types selector. If body phase and file type selector logic do not match, the policy may not filter traffic as intended. ### Content Categories Applications within a specific [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories). | UI name | API example | | ------------------ | ---------------------------------------------------- | | Content Categories | any(http.request.uri.content\_category\[\*\] in {1}) | ### Destination Continent Note Only applies to traffic sent through the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/#gateway-with-warp-default). The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the **Value** field: | Continent | Code | | ------------- | ---- | | Africa | AF | | Antarctica | AN | | Asia | AS | | Europe | EU | | North America | NA | | Oceania | OC | | South America | SA | | Tor network | T1 | | UI name | API example | | ------------------------------------ | ---------------------------------- | | Destination Continent IP Geolocation | http.dst\_ip.geo.continent == "EU" | ### Destination Country Note Only applies to traffic sent through the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/#gateway-with-warp-default). The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its [ISO 3166-1 Alpha 2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | | ---------------------------------- | -------------------------------- | | Destination Country IP Geolocation | http.dst\_ip.geo.country == "RU" | ### Destination IP Note Only applies to traffic sent through the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/#gateway-with-warp-default). The IP address of the request's target. | UI name | API example | | -------------- | -------------------------------------------- | | Destination IP | any(http.conn.dst\_ip\[\*\] in {10.0.0.0/8}) | ### Device Posture With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way. For more information on device posture checks, refer to [Device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). | UI name | API example | | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Passed Device Posture Checks | any(device\_posture.checks.failed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device\_posture.checks.passed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})" | ### Domain Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. | UI name | API example | | ------- | ------------------------------------------------ | | Domain | any(http.request.domains\[\*\] == "example.com") | Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). ### Download and Upload File Size Use these selectors to limit the file size of upload or download transactions. File sizes are measured in mebibytes (MiB). | UI name | API example | | ------------------------ | ----------------------------- | | Download File Size (MiB) | http.download.file.size >= 10 | | UI name | API example | | ---------------------- | -------------------------- | | Upload File Size (MiB) | http.upload.file.size < 10 | ### Download and Upload File Types Deprecated selectors The _Download File Types_ and _Upload File Types_ selectors supersede the _Download File Type_ and _Upload File Type_ selectors. Gateway will still evaluate policies with the previous selectors. However, Cloudflare recommends migrating any policies with deprecated selectors to the new corresponding selectors. These selectors will scan file signatures in the HTTP body. You can select from file categories or [specific file types](#supported-file-types), such as executables, archives and compressed files, unscannable files, Microsoft 365/Office documents, and Adobe files. | UI name | API example | | ------------------- | ---------------------------------------------------- | | Download File Types | any(http.download.file.types\[\*\] in {"docx" "7z"}) | | UI name | API example | | ----------------- | --------------------------------------------------- | | Upload File Types | any(http.upload.file.types\[\*\] in {"compressed"}) | #### Supported file types Gateway supports the following file types for use with the _Download File Types_ and _Upload File Types_ selectors: Compressed * 7-Zip archive (`.7z`) * `bzip2` archive (`.bz2`) * GNU Gzip archive (`.gz`) * Microsoft Cabinet file (`.cab`) * Microsoft Compiled HTML Help file (`.chm`) * RAR archive (`.rar`) * `xz` archive (`.xz`) * ZIP archive (`.zip`) Documents * Microsoft Office/365 files * Word document (`.doc`, `.docx`, `.docm`) * Excel spreadsheet (`.xls`, `.xlsx`, `.xlsm`) * PowerPoint presentation (`.ppt`, `.pptx`, `.pptm`) * PDF document (`.pdf`) Executable * Apple Software Package (`.pkg`) * Dynamic-link library (DLL) file (`.dll`) * Executable and Linkable Format (ELF) file (`.elf`) * Java archive (JAR) package (`.jar`) * Java class file (`.class`) * Mach object (Mach-O) file (`.macho`) * Microsoft Windows installer (`.msi`) * Microsoft Software Installer (`.msix`, `.appx`) * Microsoft Windows executable (`.exe`) Image * Adobe Photoshop document (`.psd`) * Bitmap image (`.bmp`) * GIF image (`.gif`) * Icon file (`.ico`) * JPEG image (`.jpg`, `.jpeg`) * PNG image (`.png`) * WebP image (`.webp`) Other * BitTorrent file (`.torrent`) System * Apple Disk Image (`.dmg`) Unscannable * Password-protected Microsoft Office document * Password-protected PDF * Password-protected ZIP archive * Unscannable ZIP archive ### Download and Upload Mime Type These selectors depend on the `Content-Type` header being present in the request (for uploads) or response (for downloads). The MIME type value must match the format used in the `Content-Type` header (for example, `image/png`, `application/pdf`). | UI name | API example | | ------------------ | --------------------------------- | | Download Mime Type | http.download.mime == "image/png" | | UI name | API example | | ---------------- | ------------------------------- | | Upload Mime Type | http.upload.mime == "image/png" | ### DLP Profile Use [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to scan HTTP traffic for the presence of sensitive data such as personally identifiable information (PII) or source code. You must configure a [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) before you can use this selector in a policy. | UI name | API example | | ----------- | ----------------------------------------------------------------------- | | DLP Profile | any(dlp.profiles\[\*\] in {\\"a0cabf16-7491-4c9a-ac02-f64cabc66394\\"}) | ### Host Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. | UI name | API example | | ------- | ---------------------------------- | | Host | http.request.host == "example.com" | Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). Note Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. ### HTTP Method The HTTP request method used in the traffic. | UI name | API example | | ----------- | ---------------------------- | | HTTP Method | http.request.method == "GET" | ### HTTP Response The HTTP response status code received by the traffic. | UI name | API example | | ------- | ----------------------------------- | | URL | http.response.status\_code == "200" | ### Proxy Endpoint The [proxy server](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) where your browser forwards HTTP traffic. | UI name | API example | | -------------- | ----------------------------------------------------------- | | Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" | ### Security Risks Applications within a specific [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories). | UI name | API example | | ------------------- | ----------------------------------------------------- | | Security Categories | any(http.request.uri.security\_category\[\*\] in {1}) | ### Source Continent The continent of the user making the request. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field: | Continent | Code | | ------------- | ---- | | Africa | AF | | Antarctica | AN | | Asia | AS | | Europe | EU | | North America | NA | | Oceania | OC | | South America | SA | | Tor network | T1 | | UI name | API example | | ------------------------------- | --------------------------------------------- | | Source Continent IP Geolocation | http.src\_ip.geo.continent == "North America" | ### Source Country The country of the user making the request. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | | ----------------------------- | -------------------------------- | | Source Country IP Geolocation | http.src\_ip.geo.country == "RU" | ### Source Internal IP Use this selector to apply HTTP policies to a private IP address, assigned by a user's local network, that requests arrive to Gateway from. | UI name | API example | | ------------------ | ------------------------------------------------ | | Source Internal IP | http.conn.internal\_src\_ip == "192.168.86.0/27" | ### Source IP The originating IP address or addresses of a device proxied by Gateway. | UI name | API example | | --------- | --------------------------------------- | | Source IP | http.conn.src\_ip\[\*\] in {10.0.0.0/8} | ### URL Gateway ignores trailing forward slashes (`/`) in URLs. For example, `https://example.com` and `https://example.com/` will count as the same URL and may return a duplicate error. | UI name | API example | | ------- | ------------------------------------ | | URL | http.request.uri matches "/r/gaming" | ### URL Path The pathname of a webpage's URL. | UI name | API example | | -------- | --------------------------------------- | | URL Path | http.request.uri.path == \\"/foo/bar\\" | ### URL Path and Query The pathname and query of a webpage's URL. | UI name | API example | | ------------------ | ----------------------------------------------------------------- | | URL Path and Query | http.request.uri.path\_and\_query == \\"/foo/bar?ab%242=%2A342\\" | ### URL Query The query of a webpage's URL. | UI name | API example | | --------- | ----------------------------------------- | | URL Query | http.request.uri.query == "ab%242=%2A342" | ### Users Use these selectors to match against identity attributes. | UI name | API example | | ----------------- | --------------------------------------------------------------------------------------------------------------- | | User Email | identity.email == "user@example.com" | | User Name | identity.name == "Test User" | | User Group IDs | any(identity.groups\[\*\].id in {"group\_id"}) | | User Group Names | any(identity.groups\[\*\].name in {"group\_name"}) | | User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"}) | | SAML Attributes | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) | ### Virtual Network Use this selector to match all traffic routed through a specific [Virtual Network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) via the Cloudflare One Client. | UI name | API example | | --------------- | ------------------------------------------------------------ | | Virtual Network | http.conn.vnet\_id == "957fc748-591a-e96s-a15d-1j90204a7923" | ## Comparison operators Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector. | Operator | Meaning | | ------------------------ | ------------------------------------------------------------------------------------------------------------------ | | is | equals the defined value | | is not | does not equal the defined value | | in | matches at least one of the defined values | | not in | does not match any of the defined values | | in list | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | not in list | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | matches regex | regex evaluates to true | | does not match regex | regex evaluates to false | | greater than | exceeds the defined number | | greater than or equal to | exceeds or equals the defined number | | less than | below the defined number | | less than or equal to | below or equals the defined number | ## Value In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors. ### Regular expressions Regular expressions are evaluated using Rust. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/#wildcards). To evaluate if your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/). If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. You do not need to use an escape character (`\`) before the pipe symbol. For example, the following expression evaluates to true when the hostname matches either `.*whispersystems.org` or `.*signal.org`: | Selector | Operator | Value | | -------- | ------------- | ------------------------------------ | | Host | matches regex | .\*whispersystems.org\|.\*signal.org | In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values. ## Logical operators To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator. | Operator | Meaning | | -------- | --------------------------------------------- | | And | match all of the conditions in the expression | | Or | match any of the conditions in the expression | The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in **Identity** or **Device Posture**. If a condition in an expression joins a request attribute (such as _Source IP_) and a response attribute (such as _a DLP Profile_), then the condition will be evaluated when the response is received. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/","name":"HTTP policies"}}]} ``` --- --- title: AV scanning description: Cloudflare Gateway can scan files for malware as users upload or download them. Anti-virus (AV) scanning runs inline — Gateway inspects files as they pass through the proxy and blocks any file that contains a known malicious payload. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/http-policies/antivirus-scanning.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # AV scanning Cloudflare Gateway can scan files for malware as users upload or download them. Anti-virus (AV) scanning runs inline — Gateway inspects files as they pass through the proxy and blocks any file that contains a known malicious payload. In addition to AV scanning, Gateway can quarantine previously unseen files into a sandbox to detect zero-day threats not yet in anti-virus databases. For more information, refer to [File sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). ## Get started To turn on AV scanning: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 2. In **Policy settings**, turn on **Scan files for malware**. 3. Choose whether to scan files for malicious payloads during uploads, downloads, or both. You can also block requests containing [non-scannable files](#non-scannable-files). 4. (Optional) Turn on **Display AV block notification for Cloudflare One Client** to send [block notifications](#cloudflare-one-client-block-notifications) to users connected to Gateway with the Cloudflare One Client when AV inspection blocks a file. When a request is blocked due to the presence of malware, Gateway will log the match as a Block decision in your [HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#http-logs). ### Cloudflare One Client block notifications Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/plans/zero-trust-services/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | Enterprise | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2024.1.159.0 | | macOS | ✅ | 2024.1.160.0 | | Linux | ❌ | | | iOS | ✅ | 1.7 | | Android | ✅ | 1.4 | | ChromeOS | ✅ | 1.4 | Turn on **Display AV block notification for Cloudflare One Client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the Cloudflare One Client with a custom message you set. If you do not set a custom message, the Cloudflare One Client will display a default message. Custom messages must be 100 characters or less. The Cloudflare One Client will only display one notification per minute. Upon selecting the notification, the Cloudflare One Client will direct your users to the [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include: Policy context fields | Field | Definition | Example | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- | | User email | Email of the user that made the query. | &cf\_user\_email=user@example.com | | Site URL | Full URL of the original HTTP request or domain name in DNS query. | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F | | URL category | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected. | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains | | Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | &cf\_referer=https%3A%2F%2Fexample.com%2F | | Rule ID | ID of the Gateway policy that matched the request. | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Source IP | Source IP address of the device that matched the policy. | &cf\_source\_ip=203.0.113.5 | | Device ID | UUID of the device that matched the policy. | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Application names | Name of the application the redirected domain corresponds to, if any. | &cf\_application\_name=Salesforce | | Filter | The traffic type filter that triggered the block. | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 | | Account ID | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d | | Query ID | ID of the DNS query for which the redirect took effect. | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Connection ID | ID of the proxy connection for which the redirect took effect. | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Request ID | ID of the HTTP request for which the redirect took effect. | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac). ## File scan criteria If AV scanning is turned on, Gateway uses the following criteria (in order) to detect and scan files. The first match triggers a scan: 1. The `Content-Disposition` HTTP header is set to `Attachment`. 2. The byte signature of the request or response body matches a known file type: * **Executable** (for example, `.exe`, `.bat`, `.dll`, and `.wasm`) * **Documents** (for example, `.doc`, `.docx`, `.pdf`, `.ppt`, and `.xls`) * **Compressed** (for example, `.7z`, `.gz`, `.zip`, and `.rar`) 3. The file name in the `Content-Disposition` header contains a file extension matching one of the above categories. If none of these conditions match, Gateway falls back to the origin's `Content-Type` header. Gateway will not scan files it determines to be image, video, or audio files. All other files default to being scanned. ## Opt content out from scanning When an admin turns on AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning using HTTP policies. All [HTTP selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#selectors) can opt HTTP traffic out from AV scanning using the **Do Not Scan** action. When traffic matches a Do Not Scan policy, nothing is scanned, regardless of file size or whether the file type is supported or not. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, you can create the following policy: | Selector | Operator | Value | Action | | -------- | ------------- | ----------- | ----------- | | Hostname | matches regex | example.com | Do Not Scan | Opting out of AV scanning applies to uploads and/or downloads of files, matching your account's global AV scanning setting. For example, if you have configured Gateway to globally scan uploads only, then opting out of AV scanning will only apply to uploads. ## Compatibility ### Supported compressed file types In addition to standard object files like PDFs, Zero Trust supports AV scanning for the following archive types: Supported compressed file types * 7-Zip * 7-Zip SFX * ACE * ACE SFX * AutoHotkey * AutoIt * BASE64 * BZ2 * CHM Help Files * CPIO SVR4 * Chrome Extension (CRX) Package Format * eXtensible ARchive format (XAR) * GZIP compressed files * ISO 9660 * Inno Setup * Indigo Rose Setup Factory * Java ARchive * LZH/LHA * MacBinary * MIME base64 * MSCOMPRESS * Microsoft CAB * Microsoft TNEF * NSIS Nullsoft Installer * Office Legacy XML * PGP signed message, document, etc. * RPM * RAR * SAPCar * Self-extracting ARJ * Self-extracting CA * Self-extracting LZH/LHA * Self-extracting RAR * Self-extracting ZIP * Smart Install Maker * TAR * UUE and XXE compressed files * Windows Imaging File (WIM) * XE compressed files (UUE and XXE) * XZ file format * ZIP * ZOO Gateway cannot scan [certain archive files](#non-scannable-files) regardless of file type, such as large or encrypted files. ### Non-scannable files Gateway cannot scan all files for malware. When Gateway encounters a non-scannable file, you can configure AV scanning to either fail open (allow the file to pass through unscanned) or fail closed (deny the file transfer). Gateway cannot scan requests containing the following files: * Files larger than: * 15 MB on Free plans * 25 MB on Pay-as-you-go plans * 100 MB on Enterprise plans * PGP encrypted files * Password protected archives * Archives with more than three recursion levels * Archives with more than 300 files ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/","name":"HTTP policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/","name":"AV scanning"}}]} ``` --- --- title: Common policies description: The following policies are commonly used to secure HTTP traffic. HTTP policies are evaluated in order from top to bottom, and the first matching policy applies — except for Do Not Inspect policies, which are always evaluated first. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Common policies The following policies are commonly used to secure HTTP traffic. HTTP policies are evaluated in order from top to bottom, and the first matching policy applies — except for [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies, which are always evaluated first. For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies/). Refer to the [HTTP policies page](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) for a comprehensive list of other selectors, operators, and actions. ## Block sites Block attempts to reach sites by hostname or URL paths. Different approaches may be required based on how a site is organized. ### Block sites by hostname Block all subdomains that use a host. * [ Dashboard ](#tab-panel-3847) * [ API ](#tab-panel-3848) | Selector | Operator | Value | Action | | -------- | ------------- | ---------------- | ------ | | Host | matches regex | .\*example\\.com | Block | In the following API examples, `filters: ["http"]` indicates that this is an HTTP (Layer 7) policy. Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block sites by hostname", "description": "Block all subdomains that use a specific hostname", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "http.request.host matches \".*example.com\"", "identity": "", "device_posture": "" }' ``` ### Block sites by URL Block a section of a site without blocking the entire site. For example, you can block a specific subreddit, such as `reddit.com/r/gaming`, without blocking `reddit.com`. * [ Dashboard ](#tab-panel-3845) * [ API ](#tab-panel-3846) | Selector | Operator | Value | Action | | -------- | ------------- | --------- | ------ | | URL | matches regex | /r/gaming | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block sites by URL", "description": "Block specific parts of a site without blocking the hostname", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "http.request.uri matches \"/r/gaming\"", "identity": "", "device_posture": "" }' ``` ## Block content categories Block content categories which go against your organization's acceptable use policy. * [ Dashboard ](#tab-panel-3875) * [ API ](#tab-panel-3876) * [ Terraform ](#tab-panel-3877) | Selector | Operator | Value | Action | | ------------------ | -------- | ------------------------------------------------------------------------------------- | ------ | | Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_, _Adult Themes_, _Gambling_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "All-HTTP-ContentCategories-Blocklist", "description": "Block access to questionable content and potential security risks", "precedence": 40, "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})", "identity": "", "device_posture": "" }' ``` ``` resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" { account_id = var.cloudflare_account_id name = "All-HTTP-ContentCategories-Blocklist" description = "Block access to questionable content and potential security risks" precedence = 40 enabled = true action = "block" filters = ["http"] traffic = "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})" identity = "" device_posture = "" } ``` ## Block unauthorized applications Note After seven days, view your [Shadow IT SaaS Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing. To minimize the risk of [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/), some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools: * [ Dashboard ](#tab-panel-3878) * [ API ](#tab-panel-3879) * [ Terraform ](#tab-panel-3880) | Selector | Operator | Value | Action | | ----------- | -------- | ------------------------- | ------ | | Application | in | _Artificial Intelligence_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "All-HTTP-Application-Blocklist", "description": "Limit access to shadow IT by blocking web-based tools and applications", "precedence": 60, "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.type.ids[*] in {25})", "identity": "", "device_posture": "" }' ``` ``` resource "cloudflare_zero_trust_gateway_policy" "all_http_application_blocklist" { account_id = var.cloudflare_account_id name = "All-HTTP-Application-Blocklist" description = "Limit access to shadow IT by blocking web-based tools and applications" precedence = 60 enabled = true action = "block" filters = ["http"] traffic = "any(app.type.ids[*] in {25})" identity = "" device_posture = "" } ``` ## Check user identity Configure access on a per user or group basis by adding [identity-based conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to your policies. * [ Dashboard ](#tab-panel-3849) * [ API ](#tab-panel-3850) | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------- | ----- | ------ | | Application | in | _Salesforce_ | And | Block | | User Group Names | in | _Contractors_ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Check user identity", "description": "Block access to Salesforce by temporary employees and contractors", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.ids[] in {606})", "identity": "any(identity.groups.name[] in {\"Contractors\"})", "device_posture": "" }' ``` ## Skip inspection for groups of applications Certain client applications, such as Zoom or Apple services, rely on certificate pinning. These applications verify they are connecting directly to their own servers and will reject Gateway's TLS inspection certificate. To avoid connection errors, you must add a Do Not Inspect HTTP policy for these applications. Gateway [evaluates Do Not Inspect policies first](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies), regardless of their position in the policy list. Cloudflare recommends moving your Do Not Inspect policies to the top of the list to reduce confusion. * [ Dashboard ](#tab-panel-3851) * [ API ](#tab-panel-3852) | Selector | Operator | Value | Action | | ----------- | -------- | ---------------- | -------------- | | Application | in | _Do Not Inspect_ | Do Not Inspect | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Bypass incompatible applications", "description": "Skip TLS decryption for applications that are incompatible with Gateway", "enabled": true, "action": "off", "filters": [ "http" ], "traffic": "any(app.type.ids[*] in {16})", "identity": "", "device_posture": "" }' ``` Note You can select either individual applications or the entire Do Not Inspect set, which will update as new applications are added. ## Check device posture Require devices to have certain software installed or other configuration attributes. For instructions on setting up a device posture check, refer to [Enforce device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). ### Enforce a minimum OS version Perform an [OS version check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/) to ensure users are running at least a minimum version. * [ Dashboard ](#tab-panel-3853) * [ API ](#tab-panel-3854) | Selector | Operator | Value | Action | | ---------------------------- | -------- | -------------------- | ------ | | Passed Device Posture Checks | in | _Minimum OS version_ | Allow | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Require OS version", "description": "Perform an OS version check for minimum version", "enabled": true, "action": "allow", "filters": [ "http" ], "traffic": "", "identity": "", "device_posture": "any(device_posture.checks.passed[*] in {\"\"})" }' ``` To get the UUIDs of your device posture checks, use the [List device posture rules](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint. ### Check for a specific file Perform a [file check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/file-check/) to ensure users have a certain file on their device. Since the file path will be different for each operating system, you can configure a file check for each system and use the **Or** logical operator to only require one of the checks to pass. * [ Dashboard ](#tab-panel-3857) * [ API ](#tab-panel-3858) | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ------------------ | ----- | ------ | | Passed Device Posture Checks | in | _macOS File Check_ | Or | Allow | | Passed Device Posture Checks | in | _Linux File Check_ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Check for specific file", "description": "Ensure users have a specific file on their device regardless of operating system", "enabled": true, "action": "allow", "filters": [ "http" ], "traffic": "", "identity": "", "device_posture": "any(device_posture.checks.passed[] in {\"\"}) or any(device_posture.checks.passed[] in {\"\"})" }' ``` To get the UUIDs of your device posture checks, use the [List device posture rules](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint. ## Enforce session duration [Require users to re-authenticate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/) after a certain amount of time has elapsed. ## Isolate high risk sites in remote browser If you are using the [Browser Isolation add-on](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), refer to our list of [common Isolate policies](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#common-policies). ## Bypass inspection for self-signed certificates When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption. * [ Dashboard ](#tab-panel-3855) * [ API ](#tab-panel-3856) | Selector | Operator | Value | Action | | -------- | -------- | -------------------- | -------------- | | Domain | in | internal.example.com | Do Not Inspect | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Bypass internal site inspection", "description": "Bypass TLS decryption for internal sites with self-signed certificates", "enabled": true, "action": "off", "filters": [ "http" ], "traffic": "any(http.request.domains[*] in {\"internal.example.com\"})", "identity": "", "device_posture": "" }' ``` ## Block file types Block the upload or download of files based on their type. * [ Dashboard ](#tab-panel-3873) * [ API ](#tab-panel-3874) | Selector | Operator | Value | Logic | Action | | ------------------- | -------- | --------------------------------------- | ----- | ------ | | Upload File Types | in | _Microsoft Office Word Document (docx)_ | And | Block | | Download File Types | in | _PDF (pdf)_ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block file types", "description": "Block the upload or download of files based on their type", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(http.upload.file.types[*] in {\"docx\"}) and any(http.download.file.types[*] in {\"pdf\"})", "identity": "", "device_posture": "" }' ``` For more information on supported file types, refer to [Download and Upload File Types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types). ## Isolate or block shadow IT applications Isolate shadow IT applications discovered by the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/) that have not been reviewed yet or are currently under review, and block applications that are not approved by your organization. For more information on reviewing shadow IT applications, refer to [Review applications](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/#review-applications). ### 1\. Isolate unreviewed or in review applications Isolate applications if their approval status is _Unreviewed_ or _In review_. * [ Dashboard ](#tab-panel-3859) * [ API ](#tab-panel-3860) | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | ------------ | ----- | ------- | | Application Status | is | _Unreviewed_ | Or | Isolate | | Application Status | is | _In review_ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Isolate unreviewed or in review application status", "description": "Isolate Shadow IT applications that have not been reviewed or are in review in the Application Library", "enabled": true, "action": "isolate", "filters": [ "http" ], "traffic": "any(app.statuses[*] == \"unreviewed\") or any(app.statuses[*] == \"in review\")", "identity": "", "device_posture": "" }' ``` ### 2\. Block unapproved applications Block applications if their approval status is _Unapproved_. * [ Dashboard ](#tab-panel-3861) * [ API ](#tab-panel-3862) | Selector | Operator | Value | Action | | ------------------ | -------- | ------------ | ------ | | Application Status | is | _Unapproved_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block unapproved application status", "description": "Block Shadow IT applications that have been marked as unapproved in the Application Library", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.statuses[*] == \"unapproved\")", "identity": "", "device_posture": "" }' ``` ## Block Google services To enable Gateway inspection for Google Drive traffic, you must [add a Cloudflare certificate to Google Drive](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#google-drive). ### Block Google Drive downloads Block file downloads from Google Drive. * [ Dashboard ](#tab-panel-3863) * [ API ](#tab-panel-3864) | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | -------------------------- | ----- | ------ | | Application | in | _Google Drive_ | And | Block | | URL Path & Query | matches regex | .\*(e=download\|export).\* | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block Google Drive downloads", "description": "Block file downloads from Google Drive", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.ids[] in {554}) and http.request.uri.path_and_query matches \".(e=download|export).*\"", "identity": "", "device_posture": "" }' ``` ### Block Google Drive uploads Block file uploads from Google Drive. * [ Dashboard ](#tab-panel-3865) * [ API ](#tab-panel-3866) | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | ------------------------------------ | ----- | ------ | | Application | in | _Google Drive_ | And | Block | | Upload Mime Type | matches regex | .\* | And | | | Host | is not | drivefrontend-pa.clients6.google.com | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block Google Drive uploads", "description": "Block file uploads to Google Drive", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.ids[] in {554}) and http.upload.mime matches \".\" and not(http.request.host == \"drivefrontend-pa.clients6.google.com\")", "identity": "", "device_posture": "" }' ``` ### Block Gmail downloads Block file downloads from Gmail. * [ Dashboard ](#tab-panel-3867) * [ API ](#tab-panel-3868) | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------------------------------- | ----- | ------ | | Host | is | mail-attachment.googleusercontent.com | And | Block | | URL Path & Query | is | /attachment/u/0 | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block Gmail downloads", "description": "Block file downloads from Gmail", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "http.request.host == \"mail-attachment.googleusercontent.com\" and http.request.uri.path_and_query matches \"/attachment/u/0\"", "identity": "", "device_posture": "" }' ``` ### Block Google Translate proxy Block use of Google Translate to translate entire webpages. When translating a website, Google Translate proxies webpages with the `translate.goog` domain. Your users may be able to use this service to bypass other Gateway policies. If you block `translate.goog`, users will still be able to access other Google Translate features. * [ Dashboard ](#tab-panel-3869) * [ API ](#tab-panel-3870) | Selector | Operator | Value | Action | | -------- | ------------- | -------------------------- | ------ | | Domain | matches regex | ^(.+\\.)?translate\\.goog$ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block Google Translate for websites", "description": "Block use of Google Translate to translate entire webpages", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(http.request.domains[*] matches \"^(.+\\.)?translate\\.goog$\")", "identity": "", "device_posture": "" }' ``` ## Filter WebSocket traffic Gateway does not inspect or log [WebSocket ↗](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code. * [ Dashboard ](#tab-panel-3871) * [ API ](#tab-panel-3872) | Selector | Operator | Value | Action | | ------------- | -------- | -------------------------- | ------ | | HTTP Response | is | _101 SWITCHING\_PROTOCOLS_ | Allow | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Filter WebSocket", "description": "Filter WebSocket traffic with HTTP response code 101", "enabled": true, "action": "allow", "filters": [ "http" ], "traffic": "http.response.status_code == 101", "identity": "", "device_posture": "" }' ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/","name":"HTTP policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/common-policies/","name":"Common policies"}}]} ``` --- --- title: File sandboxing description: In addition to anti-virus (AV) scanning, Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # File sandboxing Note Available as an add-on to Zero Trust Enterprise plans. For more information, contact your account team. In addition to [anti-virus (AV) scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. When a file download passes AV scanning without a malware detection, Gateway quarantines the file in the [sandbox](#sandbox-environment). If the file has not been downloaded before, Gateway monitors the file's behavior and compares it to known malware patterns. During this process, Gateway displays an interstitial page in the user's browser. If the sandbox does not detect malicious activity, Gateway releases the file and downloads it to the user's device. If the sandbox detects malicious activity, Gateway blocks the download. For any subsequent downloads of the same file, Gateway remembers and applies its previous allow/block decision. Gateway will log any file sandbox decisions in your [HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#http-logs). flowchart TD A(["User starts file download"]) --> B["File sent to AV scanner"] B --> C["Malicious file detected?"] C -- Yes --> D["Download blocked"] C -- No --> G["File sent to sandbox"] G --> n1["First time file downloaded?"] K["Malicious activity detected?"] -- Yes --> N["Download blocked"] K -- No --> n3["Download allowed"] n2["Interstitial page displayed for user during scan"] --> n4["File activity monitored"] n1 -- Yes --> n2 n4 --> K n1 -- No --> K B@{ shape: subproc} C@{ shape: hex} D@{ shape: terminal} n1@{ shape: hex} K@{ shape: hex} N@{ shape: terminal} n3@{ shape: terminal} n2@{ shape: display} n4@{ shape: rect} style D stroke:#D50000 style N stroke:#D50000 style n3 stroke:#00C853 ## Get started To begin quarantining downloaded files, turn on file sandboxing: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 2. In **Policy settings**, turn on **Open previously unseen files in a sandbox environment**. 3. (Optional) To block requests containing [non-scannable files](#non-scannable-files), select **Block requests for files that cannot be scanned**. You can now create [Quarantine HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#quarantine) to determine what files to scan in the sandbox. ## Create test policy To test if file sandboxing is working, you can create a Quarantine policy that matches the [Cloudflare Sandbox Test ↗](https://sandbox.cloudflaredemos.com/): 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 2. Select **Add a policy**. 3. Add the following expression: | Selector | Operator | Value | Action | | -------- | -------- | --------------------------- | ---------- | | Host | is | sandbox.cloudflaredemos.com | Quarantine | 4. In **Sandbox file types**, select _ZIP Archive (zip)_. 5. From a device [connected to your Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/), open a browser and go to the [Cloudflare Sandbox Test ↗](https://sandbox.cloudflaredemos.com/). 6. Select **Download Test File**. Gateway will quarantine and scan the file, display an interstitial status page in the browser, then release the file for download. ## Sandbox environment Gateway executes quarantined files in a sandboxed Windows operating system environment. Using machine learning, the sandbox compares how files of a certain type behave compared to how these files should behave. The sandbox detects file actions down to the kernel level and compares them against a real-time malware database. In addition, Gateway checks the sandbox's network activity for malicious behavior and data exfiltration. ## Compatibility ### Supported file types File sandboxing supports scanning the following file types: Supported sandboxing file types * `.exe` * `.pdf` * `.doc` * `.docm` * `.docx` * `.rtf` * `.ppt` * `.pptx` * `.xls` * `.xlsm` * `.xlsx` * `.zip` * `.rar` ### Non-scannable files Gateway cannot scan requests containing the following files: * Files larger than 100 MB * PGP encrypted files ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/","name":"HTTP policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/file-sandboxing/","name":"File sandboxing"}}]} ``` --- --- title: Application Granular Controls description: With Application Granular Controls, you can create Gateway HTTP policies to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/http-policies/granular-controls.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Application Granular Controls With Application Granular Controls, you can create [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application. ## Prerequisites To use Application Granular Controls, you must: * Install a [Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on your users' devices. * Turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/). * Turn on the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). * (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection). * (Optional) To turn on [AI prompt logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content), create a [DLP payload encryption public key](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key). ## Create a policy with Application Granular Controls To create a Gateway HTTP policy with Application Granular Controls: * [ Dashboard ](#tab-panel-3881) * [ API ](#tab-panel-3882) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 2. Select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. Because granular controls are specific to each application, you must use the _Application_ selector with the _is_ operator. 5. In **Value**, select your desired application. 6. In **Controls**, choose one or more Application Controls or individual Operations. For example, you can create a policy to block file uploads to ChatGPT: | Selector | Operator | Value | Controls | Action | | ----------- | -------- | --------- | -------- | ------ | | Application | is | _ChatGPT_ | _Upload_ | Block | 7. Select **Create policy**. Use the [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) endpoint to create a policy. For example, you can create a policy to block file uploads to ChatGPT: Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block ChatGPT uploads", "description": "Block file uploads to ChatGPT while allowing other usage", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.ids[*] == 1199) and any(app_control.controls[*] in {1653})", "identity": "", "device_posture": "" }' ``` For more information, refer to [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). ## Control definitions Gateway defines Application Granular Controls at different levels of granularity, including Application Controls and Operations. ### Application Controls Application Controls are pre-defined controls that represent user intent, such as uploads or downloads. Cloudflare organizes sets of related operations into Application Controls for each supported application. Use Application Controls when a pre-defined grouping matches your intent. ### Operations Operations are the individual API-level actions that an application uses. Use Operations for more fine-grained control than Application Controls provide — for example, blocking only certain types of downloads or blocking comments where no Application Control exists. Because each SaaS application uses a unique set of operations with its own scope and behaviors, operation-level controls may require analysis for each use case. Cloudflare provides Operations based on the [available APIs for an application](#application-apis). For more information on how Operations map to [Application Controls](#application-controls), refer to [Compatible applications](#compatible-applications). #### Operation Groups Operation Groups are groupings of operations defined by the application vendor. Operation Groups are typically based on a categorization of the different functional areas of the application, such as signature requests, or the entities that the application defines, such as files or folders. These definitions vary by application. Gateway groups operations into these operation groups to match the operations with the corresponding vendor API documentation. ### DLP payloads You can use Application Granular Controls with [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) for operations that contain scannable content. This includes operations that contain the content of uploaded or downloaded files or AI prompts. For example, when a user performs a file upload, a sequence of API operations may result, such as setting up the file metadata, uploading the file content, and finalizing the upload. When applying DLP to your Zero Trust traffic, it can be helpful to specifically target an operation that contains file content. ## Application APIs SaaS applications typically provide multiple APIs to interact with. For each application, Application Granular Controls may support the following API types: * Web Application API: These APIs are consumed by the web application that users interact with through their browser. * Platform API: These APIs are exposed to users to allow for programmatic interaction with the SaaS application. These are typically used by automations, scripts, or other applications. [Application Controls](#application-controls) include Operations of both API types. If both API types are available when creating HTTP policies using [Operations](#operations), you should select the Operations that align to the API being used, or include both for wider coverage. ## Compatible applications Application Granular Controls supports the following applications: Artificial Intelligence * ChatGPT * Google Gemini * Claude * Perplexity File Sharing * Hightail * Dropbox * WeTransfer * Google Drive * ShareFile * Box * Smash ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/","name":"HTTP policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/granular-controls/","name":"Application Granular Controls"}}]} ``` --- --- title: HTTP/3 inspection description: HTTP/3 uses the QUIC protocol over UDP instead of TCP. Because Gateway's default proxy only handles TCP traffic, HTTP/3 inspection requires turning on the UDP proxy. Without it, HTTP/3 traffic bypasses HTTP inspection. Network policies still apply to the underlying UDP traffic. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # HTTP/3 inspection HTTP/3 uses the QUIC protocol over UDP instead of TCP. Because Gateway's default proxy only handles TCP traffic, HTTP/3 inspection requires turning on the UDP proxy. Without it, HTTP/3 traffic bypasses HTTP inspection. [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) still apply to the underlying UDP traffic. Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#http3-traffic). ## Turn on HTTP/3 inspection Before you can inspect any HTTPS traffic, you must deploy a [user-side certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) to your devices and turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/). To inspect HTTP/3 traffic, you must also turn on the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/) for UDP. To turn on the Gateway proxy for UDP and TLS decryption: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 2. In **Proxy and inspection**, turn on **Allow Secure Web Gateway to proxy traffic**. 3. Select **TCP** and **UDP**. 4. Turn on **TLS decryption**. ### Application limitations Gateway can inspect HTTP/3 traffic from Mozilla Firefox and Microsoft Edge by establishing an HTTP/3 proxy connection. Gateway will then terminate the HTTP/3 connection, decrypt and inspect the traffic, and connect to the destination server over HTTP/2\. Gateway can also inspect other HTTP applications, such as cURL. If both the UDP proxy and TLS decryption are turned on, Google Chrome will automatically cancel HTTP/3 connections and retry them over HTTP/2, which Gateway can inspect. If either the UDP proxy or TLS decryption is turned off, HTTP/3 traffic from Chrome bypasses inspection entirely. Warning If you do not turn on the UDP proxy, HTTP/3 traffic from browsers other than Chrome will bypass HTTP policy enforcement. Network policies still apply. ## Exempt HTTP/3 traffic from inspection If you require HTTP/3 traffic with end-to-end encryption from the client to the origin while still using the Gateway proxy, you can create a [Do Not Inspect HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to match the desired traffic. Using a Do Not Inspect policy allows HTTP/3 traffic to preserve proxy performance and end-to-end encryption by bypassing Gateway's TLS decryption and inspection. ## Force HTTP/2 traffic To apply Gateway policies to HTTP traffic without turning on the UDP proxy, you must turn off QUIC in your users' browsers to ensure only HTTP/2 traffic reaches Gateway. Google Chrome 1. Go to `chrome://flags` 2. Set **Experimental QUIC protocol** to _Disabled_. 3. Relaunch Chrome. Safari You cannot turn off QUIC in Safari. All traffic will be sent over HTTP/3. Firefox 1. Go to `about:config`. 2. If you receive a warning, select **Accept the Risk and Continue**. 3. Set **network.http.http3.enable** to _false_. 4. Relaunch Firefox. Microsoft Edge 1. Go to `edge://flags` 2. Set **Experimental QUIC protocol** to _Disabled_. 3. Relaunch Edge. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/","name":"HTTP policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/http3/","name":"HTTP/3 inspection"}}]} ``` --- --- title: Tenant control description: Tenant control allows your users to access corporate SaaS applications while blocking access to personal accounts on the same service. For example, you can allow access to your company's Google Workspace while blocking personal Gmail logins. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/http-policies/tenant-control.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Tenant control Tenant control allows your users to access corporate SaaS applications while blocking access to personal accounts on the same service. For example, you can allow access to your company's Google Workspace while blocking personal Gmail logins. Gateway implements tenant control by injecting custom HTTP headers into matching requests. These headers tell the SaaS application which tenant (organization) is authorized. If the user attempts to authenticate with a personal account, the SaaS application reads the header and rejects the request. ## Add custom headers for a SaaS application To create an HTTP policy with custom headers: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 2. Select **Add a policy**. 3. Build an expression to match the SaaS traffic you want to control. 4. In **Action**, select _Allow_. In **Untrusted certificate action**, select _Block_. 5. Under **Add headers to matched requests**, select **Add a header**. 6. Add any custom header names and values corresponding to your [SaaS application](#common-policy-configurations). 7. Select **Create policy**. Your policy is now displayed in your list of HTTP policies. When your users attempt to authenticate your configured SaaS application with a personal account, authentication will fail. ### Verify custom headers If you save a HAR (HTTP Archive) file from a browser to analyze your web traffic, custom headers defined with Gateway will not appear in the file. This is because Gateway injects the header after the request leaves the browser. To verify Gateway is applying a custom header: 1. In your policy with custom headers, add a selector to match traffic for [HTTPBin ↗](https://httpbin.org/), an open-source site for testing HTTP requests. For example: | Selector | Operator | Value | Logic | Action | Untrusted certificate action | | ----------- | -------- | ------------------ | ----- | ------ | ---------------------------- | | Application | in | _Google Workspace_ | And | Allow | Block | | Domain | in | httpbin.org | | | | 2. On your device, go to [httpbin.org/anything ↗](https://httpbin.org/anything). Your custom header will appear in the list of headers. 3. (Optional) Remove the HTTPBin expression from your policy. ## Common policy configurations Depending on which SaaS application your organization needs access to, different tenant control policies are required. ### Microsoft 365 Microsoft 365 tenant control requires two policies. When you order your policies, make sure they follow [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). | Precedence | Selector | Operator | Value | Action | Untrusted certificate action | | ---------- | -------- | -------- | -------------- | ------ | ---------------------------- | | 1 | Domain | is | login.live.com | Allow | Block | | Custom header name | Custom header value | | --------------------------------- | ------------------- | | Sec-Restrict-Tenant-Access-Policy | restrict-msa | | Precedence | Selector | Operator | Value | Action | Untrusted certificate action | | ---------- | ----------- | -------- | --------------------- | ------ | ---------------------------- | | 2 | Application | in | _Microsoft Office365_ | Allow | Block | | Custom header name | Custom header value | | --------------------------------------------------- | -------------------------- | | Restrict-Access-To-Tenants, Restrict-Access-Context | Your organization's domain | For more information, refer to the [Microsoft Entra ID documentation ↗](https://learn.microsoft.com/entra/identity/enterprise-apps/tenant-restrictions). ### Google Workspace | Selector | Operator | Value | Action | Untrusted certificate action | | ----------- | -------- | ------------------ | ------ | ---------------------------- | | Application | in | _Google Workspace_ | Allow | Block | | Custom header name | Custom header value | | -------------------------- | -------------------------- | | X-GooGApps-Allowed-Domains | Your organization's domain | For more information, refer to the [Google Workspace documentation ↗](https://support.google.com/a/answer/1668854). ### Slack | Selector | Operator | Value | Action | Untrusted certificate action | | ----------- | -------- | ------- | ------ | ---------------------------- | | Application | in | _Slack_ | Allow | Block | | Custom header name | Custom header value | | ---------------------------------------------------------------- | ----------------------------- | | X-Slack-Allowed-Workspaces-Requester, X-Slack-Allowed-Workspaces | Your organization's workspace | For more information, refer to the [Slack documentation ↗](https://slack.com/help/articles/360024821873-Approve-Slack-workspaces-for-your-network). ### Dropbox | Selector | Operator | Value | Action | Untrusted certificate action | | ----------- | -------- | --------- | ------ | ---------------------------- | | Application | in | _Dropbox_ | Allow | Block | | Custom header name | Custom header value | | -------------------------- | ---------------------- | | X-Dropbox-allowed-Team-Ids | Your organization's ID | For more information, refer to the [Dropbox documentation ↗](https://help.dropbox.com/security/network-control). ### ChatGPT | Selector | Operator | Value | Action | Untrusted certificate action | | ----------- | -------- | --------- | ------ | ---------------------------- | | Application | in | _ChatGPT_ | Allow | Block | | Custom header name | Custom header value | | ---------------------------- | -------------------------------- | | Chatgpt-Allowed-Workspace-Id | Your organization's workspace ID | For more information, refer to the [OpenAI documentation ↗](https://help.openai.com/articles/8798594-what-is-a-workspace-how-do-i-access-my-chatgpt-business-workspace). ## Exempt users in Cloudflare WAF You can include custom headers in an HTTP policy to allow your users through [Cloudflare WAF](https://developers.cloudflare.com/waf/). This is useful for allowing only Cloudflare One Client users through your WAF. 1. Create an Allow policy for an internal domain behind your WAF with a custom header. | Selector | Operator | Value | Action | | -------- | -------- | --------------- | ------ | | Domain | in | internalapp.com | Allow | | Custom header name | Custom header value | | ------------------ | ------------------- | | X-Example-Header | example-value | 2. In Cloudflare WAF, [create a custom rule](https://developers.cloudflare.com/waf/custom-rules/) to [require the same HTTP header](https://developers.cloudflare.com/waf/custom-rules/use-cases/require-specific-headers/#example-2-require-http-header-with-a-specific-value). ## Use tenant control with Browser Isolation You can configure [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) to send custom headers. This is useful for implementing tenant control for isolated SaaS applications or sending arbitrary custom request headers to isolated websites. To use custom headers with Browser Isolation, create two HTTP policies targeting the same domain or application group. For example, you can create policies for [HTTPBin ↗](https://httpbin.org/), an open-source site for testing HTTP requests: 1. Create an Isolate policy for `httpbin.org`. | Selector | Operator | Value | Action | | -------- | -------- | ----------- | ------- | | Domain | in | httpbin.org | Isolate | 2. Create an Allow policy for `httpbin.org` with a custom header. | Selector | Operator | Value | Action | | -------- | -------- | ----------- | ------ | | Domain | in | httpbin.org | Allow | | Custom header name | Custom header value | | ------------------ | ------------------- | | Example-Header | example-value | 3. Go to [httpbin.org/anything ↗](https://httpbin.org/anything). Cloudflare will render the site in an isolated browser. Your custom header will appear in the list of headers. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/","name":"HTTP policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/tenant-control/","name":"Tenant control"}}]} ``` --- --- title: TLS decryption description: Cloudflare Gateway can perform SSL/TLS decryption to inspect HTTPS traffic for malware and other security risks. TLS decryption is required for HTTP policies to inspect HTTPS traffic. Without it, information contained within HTTPS encryption, such as the full URL, headers, and request body, will not be visible to Gateway. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ TLS ](https://developers.cloudflare.com/search/?tags=TLS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/http-policies/tls-decryption.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # TLS decryption Cloudflare Gateway can perform [SSL/TLS decryption ↗](https://www.cloudflare.com/learning/security/what-is-https-inspection/) to inspect HTTPS traffic for malware and other security risks. TLS decryption is required for HTTP policies to inspect HTTPS traffic. Without it, information contained within HTTPS encryption, such as the full URL, headers, and request body, [will not be visible to Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect). When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/). Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](https://developers.cloudflare.com/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](https://developers.cloudflare.com/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3. ## Turn on TLS decryption Prerequisite Before you turn on TLS decryption, ensure you have installed either a [Cloudflare-generated certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) or [custom certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on your users' devices. To turn on TLS decryption: * [ Dashboard ](#tab-panel-3886) * [ Terraform (v5) ](#tab-panel-3887) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings**. 2. In **Proxy and inspection**, turn on **Inspect HTTPS requests with TLS decryption**. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken): * `Zero Trust Write` 2. Configure the `tls_decrypt` argument in [cloudflare\_zero\_trust\_gateway\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings): ``` resource "cloudflare_zero_trust_gateway_settings" "team_name" { account_id = var.cloudflare_account_id settings = { tls_decrypt = { enabled = true } } } ``` ## Inspection limitations Gateway does not support TLS decryption for applications which use: * [Certificate pinning](#incompatible-certificates) * [Self-signed certificates](#incompatible-certificates) * [Mutual TLS (mTLS) authentication](#incompatible-certificates) * [ESNI and ECH handshake encryption](#esni-and-ech) * [Automatic HTTPS upgrades](#google-chrome-automatic-https-upgrades) ### Inspect on all ports Beta By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`. To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, you can turn on [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). ### Incompatible certificates Applications that use certificate pinning and mTLS authentication do not trust Cloudflare certificates. For example, most mobile applications use [certificate pinning](https://developers.cloudflare.com/ssl/reference/certificate-pinning/). Cloudflare does not trust applications that use self-signed certificates instead of certificates signed by a public CA. If you try to perform TLS decryption on an application with an incompatible certificate configuration, the application may return an SSL or trust error and/or fail to load. To resolve this issue, you can: * Add a [Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to supported applications. * Create a [Do Not Inspect policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. Note that if you create a Do Not Inspect policy for an application or website, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. * Configure a [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) in Include mode to ensure Gateway will only inspect traffic destined for your IPs or domains. This is useful for organizations that deploy Zero Trust on users' personal devices or otherwise expect personal applications to be used. Alternatively, to allow HTTP filtering while accessing a site with an insecure certificate, set your [Untrusted certificate action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) to _Pass through_. ### Google Chrome automatic HTTPS upgrades Google Chrome can automatically upgrade HTTP requests to HTTPS requests, even when you select a link that explicitly declares `http://`. When you use Gateway to proxy and filter your traffic, this upgrade can interrupt the connection between your Zero Trust users and Gateway. You can turn off automatic HTTPS upgrades via a Gateway pass through policy, a Chrome browser flag, or a Chrome Enterprise policy. * [ Pass through policy ](#tab-panel-3883) * [ Chrome browser flag ](#tab-panel-3884) * [ Chrome enterprise policy ](#tab-panel-3885) To disable automatic HTTPS upgrades for a URL across your Zero Trust organization, create a Gateway pass through policy. 1. Deploy a [custom root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/). 2. Create an [HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to match the domain of the URL being automatically upgraded. For example: | Selector | Operator | Value | Action | | -------- | -------- | ----------- | ------ | | URL | in | example.com | Allow | 3. In **Untrusted certificate action**, choose _Pass through_. 4. Select **Create policy**. The pass through policy will bypass insecure connection upgrades for any device connected to your Zero Trust organization. For more information, refer to [Untrusted certificates](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates). To disable automatic HTTPS upgrades on a per-browser basis, go to [Chrome flags](chrome://flags/#https-upgrades) and turn off **HTTPS Upgrades**. Chrome Enterprise users can turn off automatic HTTPS upgrades for all URLs with a [HttpsUpgradesEnabled management policy ↗](https://chromeenterprise.google/policies/#HttpsUpgradesEnabled). ### Mutual TLS (mTLS) In mutual TLS (mTLS), both the client and server present certificates to verify each other's identity. When Gateway decrypts TLS traffic, it terminates the connection from the client and creates a new connection to the origin server. Because Gateway cannot forward the client's certificate to the origin, the mTLS handshake fails. To prevent connection failures, create a [Do Not Inspect policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for this traffic. ### ESNI and ECH Websites that adhere to [ESNI or Encrypted Client Hello (ECH) standards ↗](https://blog.cloudflare.com/encrypted-client-hello/) encrypt the Server Name Indication (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. Gateway relies on the SNI to match an HTTP request to a policy — if the SNI is encrypted, Gateway cannot determine which policy to apply. If the ECH fails, browsers will retry the TLS handshake using the unencrypted SNI from the initial request. To avoid this behavior, you can disable ECH in your users' browsers. You can still apply all [network policy filters](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#selectors) except for SNI and SNI Domain. To restrict ESNI and ECH traffic, an option is to filter out all port `80` and `443` traffic that does not include an SNI header. ## Post-quantum support Gateway supports post-quantum cryptography using a hybrid key exchange with X25519 and MLKEM768 over TLS 1.3\. Once the key exchange is complete, Gateway uses AES-128-GCM to encrypt traffic. Refer to [Post-quantum cryptography](https://developers.cloudflare.com/ssl/post-quantum-cryptography/) to learn more. ## FIPS compliance By default, TLS decryption can use both TLS version 1.2 and 1.3\. However, some environments such as FedRAMP may require cipher suites and TLS versions compliant with FIPS 140-2\. FIPS compliance currently requires TLS version 1.2. ### Enable FIPS compliance * [ Dashboard ](#tab-panel-3888) * [ Terraform (v5) ](#tab-panel-3889) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings**. 2. In **Proxy and inspection**, turn on **Inspect HTTPS requests with TLS decryption**. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken): * `Zero Trust Write` 2. Configure the `tls_decrypt` argument in [cloudflare\_zero\_trust\_gateway\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings): ``` resource "cloudflare_zero_trust_gateway_settings" "team_name" { account_id = var.cloudflare_account_id settings = { tls_decrypt = { enabled = true } } } ``` 1. Select **Enable only cipher suites and TLS versions compliant with FIPS 140-2**. ### Limitations When FIPS compliance is enabled, Gateway will only choose [FIPS-compliant cipher suites](#cipher-suites) when connecting to the origin. If the origin does not support FIPS-compliant ciphers, the request will fail. FIPS-compliant traffic defaults to [HTTP/3](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/). To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection). ## FedRAMP compliance When you use [Cloudflare Regional Services](https://developers.cloudflare.com/data-localization/regional-services/) in the United States and the Cloudflare One Client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic. flowchart LR %% Accessibility accTitle: How Gateway routes FedRAMP compliant traffic with Regional Services accDescr: Flowchart describing how the Cloudflare One Client with Gateway routes traffic to egress from a FedRAMP compliant data center when used with Regional Services in the United States. %% Flowchart subgraph s1["Non-FedRAMP data center"] n2["WARP TLS encryption terminated"] end subgraph s2["FedRAMP data center"] n3["Gateway TLS encryption (FIPS) terminated"] end subgraph s3["Private internal network"] n5["FedRAMP compliant cloudflared"] n6(["Private server"]) end n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS (MASQUE) --> n2 n2 -- Gateway TLS connection --> n3 n3 <-- FIPS tunnel --> n5 n5 --> n6 n5@{ shape: rect} ## Cipher suites A cipher suite is a set of encryption algorithms for establishing a secure communications connection. There are several cipher suites in wide use, and a client and server agree on the cipher suite to use when establishing the TLS connection. Support of multiple cipher suites allows compatibility across various clients. The following table lists the default cipher suites Gateway uses for TLS decryption. | Name (OpenSSL) | Name (IANA) | FIPS-compliant | | ----------------------------- | ---------------------------------------------- | -------------- | | ECDHE-ECDSA-AES128-GCM-SHA256 | TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | ✅ | | ECDHE-ECDSA-AES256-GCM-SHA384 | TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | ✅ | | ECDHE-RSA-AES128-GCM-SHA256 | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | ✅ | | ECDHE-RSA-AES256-GCM-SHA384 | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | ✅ | | ECDHE-RSA-AES128-SHA | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | ❌ | | ECDHE-RSA-AES256-SHA384 | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 | ✅ | | AES128-GCM-SHA256 | TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | ✅ | | AES256-GCM-SHA384 | TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | ✅ | | AES128-SHA | TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA | ❌ | | AES256-SHA | TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA | ❌ | For more information on cipher suites, refer to [Cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/","name":"HTTP policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/http-policies/tls-decryption/","name":"TLS decryption"}}]} ``` --- --- title: Identity-based policies description: With Cloudflare One, you can create Secure Web Gateway policies that filter outbound traffic down to the user identity level. To do that, you can build DNS, HTTP or Network policies using a set of identity-based selectors. These selectors require you to deploy the Cloudflare One Client in Traffic and DNS mode. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Identity-based policies With Cloudflare One, you can create Secure Web Gateway policies that filter outbound traffic down to the user identity level. To do that, you can build DNS, HTTP or Network policies using a set of [identity-based selectors](#identity-based-selectors). These selectors require you to deploy the Cloudflare One Client in [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/). For example, you can create different security rules for different teams — block social media for contractors but allow it for marketing. You may also filter outbound traffic based on additional signals from [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). ## Gateway identity checks Gateway checks identity when a user logs in or re-authenticates. To check your users' identities and require re-authentication at regular intervals, you can [enforce a Cloudflare One Client session duration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). Warning Unless you use an [identity provider (IdP) that supports SCIM provisioning](#automatic-scim-idp-updates), Gateway will not detect when you add or remove a user from a group in your IdP until the user re-authenticates to your Zero Trust instance. There are two ways a user can re-authenticate: * Log out from an Access-protected application and log back in. * In the Cloudflare One Client, re-authenticate the session by going to **Profile** \> **Account information** \> **Re-authenticate** [1](#user-content-fn-1). This will open a browser window and prompt the user to log in. To view the identity that Gateway will use when evaluating policies, check the [user registry](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/). ### Automatic SCIM IdP updates Gateway will automatically detect changes in user name, title, and group membership for IdPs configured with System for Cross-domain Identity Management (SCIM) provisioning. For more information, refer to [SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/). ### Extended email addresses Extended email addresses (also known as plus addresses) are variants of an existing email address with `+` or `.` modifiers. Many email providers, such as Gmail and Outlook, deliver emails intended for an extended address to its original address. For example, providers will deliver emails sent to `contact+123@example.com` or `con.tact@example.com` to `contact@example.com`. By default, Gateway will either filter only exact matches or all extended variants depending on the type of policy and action used: DNS policies | Action | Behavior | | ------------------ | ------------------------------------ | | Allow | Match exact address only | | Block | Match exact address and all variants | | Override | Match exact address and all variants | | Safe Search | Match exact address and all variants | | YouTube Restricted | Match exact address and all variants | Network policies | Action | Behavior | | ---------------- | ------------------------------------ | | Allow | Match exact address only | | Audit SSH | Match exact address and all variants | | Block | Match exact address and all variants | | Network Override | Match exact address only | HTTP policies | Action | Behavior | | -------------- | ------------------------------------ | | Allow | Match exact address only | | Block | Match exact address and all variants | | Do Not Inspect | Match exact address only | | Do Not Isolate | Match exact address only | | Do Not Scan | Match exact address only | | Isolate | Match exact address and all variants | Other policies | Policy type | Behavior | | --------------- | ------------------------ | | Egress policy | Match exact address only | | Resolver policy | Match exact address only | To force Gateway to match all email address variants, go to **Traffic policies** \> **Traffic settings** \> **Policy settings** and turn on **Match extended email addresses**. This setting applies to all firewall, egress, and resolver policies. ## Identity-based selectors ### OIDC Claims Specify a value from a [custom OIDC claim](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) configured on your identity provider. Note This selector is only available for the [Generic OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider integration. Named OIDC providers such as Okta and Microsoft Entra ID do not support custom OIDC claims in Gateway policies — use the [User Group Names](#user-group-names) or [User Group IDs](#user-group-ids) selectors for those providers instead. | UI name | API example | | ----------- | ------------------------------------------------------------------ | | OIDC Claims | any(identity.oidc\_claims\[\*\] == "\\"department=engineering\\"") | ### SAML Attributes Specify a value from the SAML Attribute Assertion. | UI name | API example | | --------------- | -------------------------------------------------- | | SAML Attributes | identity.saml\_attributes == "\\"group=finance\\"" | ### User Email Use this selector to create identity-based Gateway policies based on a user's email. | UI name | API example value | | ---------- | ----------------------------------------- | | User Email | identity.email == "user-name@company.com" | ### User Group IDs Use this selector to create identity-based Gateway policies based on an IdP group ID of which the user is configured as a member in the IdP. | UI name | API example | | -------------- | -------------------------------------------- | | User Group IDs | identity.groups.id == "12jf495bhjd7893ml09o" | ### User Group Email Use this selector to create identity-based Gateway policies based on an IdP group email address of which the user is configured as a member in the IdP. | UI name | API example | | ---------------- | -------------------------------------------------- | | User Group Email | identity.groups.email == "contractors@company.com" | ### User Group Names Use this selector to create identity-based Gateway policies based on an IdP group name of which the user is configured as a member in the IdP. | UI name | API example | | ---------------- | --------------------------------------- | | User Group Names | identity.groups.name == "\\"finance\\"" | ### User Name Use this selector to create identity-based Gateway policies based on an IdP username for a particular user in the IdP. | UI name | API example | | --------- | ---------------------------- | | User Name | identity.name == "user-name" | Gateway groups vs. Access rule groups In Gateway, a **User Group** refers to a group in your IdP (for example, an Okta group). Gateway does not currently support applying DNS, HTTP, and Network policies to [Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/). This is because Access rule groups may include criteria not available through the IdP, such as device location or IP address. ## IdP groups in Gateway Cloudflare Gateway can integrate with your organization's identity providers (IdPs). Before building a Gateway policy for IdP users or groups, be sure to [add the IdP as an authentication method](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). Because IdPs expose user groups in different formats, reference the list below to choose the appropriate identity-based selector. ### Microsoft Entra ID | Selector | Value | | -------------- | ----------------------------------- | | User Group IDs | 61503835-b6fe-4630-af88-de551dd59a2 | **Value** is the [Object Id](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#entra-groups-in-zero-trust-policies) for an Entra group. If you enabled user and group synchronization with [SCIM](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#synchronize-users-and-groups), the synchronized groups will appear under _User Group Names_: | Selector | Value | | ---------------- | ---------- | | User Group Names | SCIM group | ### GitHub | Selector | Value | | ---------------- | --------- | | User Group Names | Marketing | ### Google | Selector | Value | | ---------------- | --------- | | User Group Names | Marketing | ### Okta (OIDC) If you added Okta as an [OIDC provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/), use the User Group Names selector: | Selector | Value | | ---------------- | --------- | | User Group Names | Marketing | The Okta OIDC integration supports user and group synchronization with [SCIM](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/#synchronize-users-and-groups). ### Okta (SAML) If you added Okta as a [SAML provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta-saml/), use the SAML Attributes selector: | Selector | Attribute name | Attribute value | | --------------- | -------------- | --------------- | | SAML Attributes | groups | Marketing | ### Generic SAML IdP For a [generic SAML provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/), use the SAML Attribute selector: | Selector | Attribute name | Attribute value | | --------------- | -------------- | --------------- | | SAML Attributes | department | Marketing | ### Generic OIDC IdP For a [generic OIDC provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/), use the OIDC Claims selector to filter traffic based on [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) configured on your IdP: | Selector | Claim name | Claim value | | ----------- | ---------- | ----------- | | OIDC Claims | department | Engineering | ## Footnotes 1. In Cloudflare One Client version 2026.1 and earlier, select **Preferences** \> **Account** \> **Re-Authenticate Session**. [↩](#user-content-fnref-1) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/identity-selectors/","name":"Identity-based policies"}}]} ``` --- --- title: Managed service providers (MSPs) description: Gateway supports the Cloudflare Tenant API, which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Managed service providers (MSPs) Note Only available on Enterprise plans. For more information, contact your account team. Gateway supports the [Cloudflare Tenant API](https://developers.cloudflare.com/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. Warning The Tenant platform only supports [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). HTTP, network, egress, and resolver policies are not available through the Tenant API. For more information, refer to the [Cloudflare Zero Trust for managed service providers ↗](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. ## Get started To set up the Tenant API, refer to [Get started](https://developers.cloudflare.com/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). ## Account types The Gateway Tenant platform supports tiered and siloed account configurations. ### Tiered accounts In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including: * Configuring a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) * Generating or uploading [root certificates](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) * Mapping [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) * Creating [lists](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) Each child account is subject to the default Zero Trust [account limits](https://developers.cloudflare.com/cloudflare-one/account-limits/). Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`. flowchart TD %% Accessibility accTitle: How Gateway policies work in a tiered account configuration accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration. %% Flowchart subgraph s1["Parent account"] n1["Block malware"] n2["Block DNS tunnel"] n3["Block spyware"] end subgraph s2["Child account A"] n4["Block social media"] end subgraph s3["Child account B"] n5["Block instant messaging"] end n1 ~~~ n2 n2 ~~~ n3 A["Tenant"] --Administers--> s1 s1 -- "Applies policies to" --> s2 & s3 n1@{ shape: lean-l} n2@{ shape: lean-l} n3@{ shape: lean-l} n4@{ shape: lean-l} n5@{ shape: lean-l} ### Siloed accounts In a siloed account configuration, each account operates independently within the same tenant. MSPs manage each account's own security policies, resources, and configurations separately. flowchart TD %% Accessibility accTitle: How Gateway policies work in a siloed account configuration accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration. %% Flowchart subgraph s1["Siloed account A"] n1["Block social media"] end subgraph s2["Siloed account C"] n2["Block instant messaging"] end subgraph s3["Siloed account B"] n3["Block news"] end A["Tenant"] -- Administers --> s1 & s3 & s2 n1@{ shape: lean-l} n2@{ shape: lean-l} n3@{ shape: lean-l} ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/managed-service-providers/","name":"Managed service providers (MSPs)"}}]} ``` --- --- title: Network policies description: Network policies control TCP and UDP traffic between your users and network destinations. Use them to allow or block non-HTTP traffic such as SSH, RDP, and database connections based on IP addresses, ports, and protocols. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Geolocation ](https://developers.cloudflare.com/search/?tags=Geolocation) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Network policies Note To enable this feature, download and deploy the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your devices. Network policies control TCP and UDP traffic between your users and network destinations. Use them to allow or block non-HTTP traffic such as SSH, RDP, and database connections based on IP addresses, ports, and protocols. Because Cloudflare One [integrates with your identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/), you can also create identity-based network policies. This allows you to control access to non-HTTP resources on a per-user basis regardless of the user's location or device. A network policy consists of an **Action** and a logical expression that determines the scope of the action. To build an expression, choose a **Selector** and an **Operator**, then enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. * [Actions](#actions) * [Selectors](#selectors) * [Comparison operators](#comparison-operators) * [Value](#value) * [Logical operators](#logical-operators) If a condition in an expression joins a query attribute (such as _Source IP_) and a response attribute (such as _Resolved IP_), then the condition will be evaluated when the response is received. Terraform provider v4 precedence limitation To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint. To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). ## Actions Like actions in DNS and HTTP policies, actions in network policies define which decision you want to apply to a given set of elements. You can assign one action per policy. ### Allow API value: `allow` Available selectors **Traffic** * [Access Infrastructure Target](#access-infrastructure-target) * [Access Private App](#access-private-app) * [Application](#application) * [Content Categories](#content-categories) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [Destination Port](#destination-port) * [Detected Protocol](#detected-protocol) * [Protocol](#protocol) * [Proxy Endpoint](#proxy-endpoint) * [Security Risks](#security-risks) * [SNI](#sni) * [SNI Domain](#sni-domain) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [Source Port](#source-port) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) Policies with Allow actions allow network traffic to reach certain IPs or ports. In a default-block configuration, Allow policies define the exceptions — traffic that does not match an Allow policy will be blocked by a lower-priority catch-all Block policy. For example, the following configuration allows specific users to reach a given IP address: | Selector | Operator | Value | Logic | Action | | -------------- | -------- | -------------- | ----- | ------ | | Destination IP | in | 92.100.02.102 | And | Allow | | Email | in | \*@example.com | | | ### Audit SSH Deprecated API value: `audit_ssh` Available selectors **Traffic** * [Application](#application) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [Source Port](#source-port) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) Warning Gateway no longer supports the Audit SSH action for new policies. To log your SSH traffic, Cloudflare recommends deploying [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) for your SSH server and configuring [SSH command logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs). Policies with Audit SSH actions allow administrators to log SSH traffic. Gateway will detect SSH traffic over port `22`. For example, the following configuration logs SSH commands sent to a given IP address: | Selector | Operator | Value | Action | | -------------- | -------- | ------------ | --------- | | Destination IP | in | 203.0.113.83 | Audit SSH | Gateway only audits SSH traffic over port `22`. Non-standard ports, including those specified with the [Destination Port selector](#destination-port), are not supported. For more information on SSH logging, refer to [Configure SSH proxy and command logs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/ssh-logging/). ### Block API value: `block` Available selectors **Traffic** * [Access Infrastructure Target](#access-infrastructure-target) * [Access Private App](#access-private-app) * [Application](#application) * [Content Categories](#content-categories) * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [Destination Port](#destination-port) * [Detected Protocol](#detected-protocol) * [Protocol](#protocol) * [Proxy Endpoint](#proxy-endpoint) * [Security Risks](#security-risks) * [SNI](#sni) * [SNI Domain](#sni-domain) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [Source Port](#source-port) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) Policies with Block actions block network traffic from reaching certain IPs or ports. For example, the following configuration blocks all traffic directed to port 443: | Selector | Operator | Value | Action | | ---------------- | -------- | ----- | ------ | | Destination Port | in | 443 | Block | #### Cloudflare One Client block notifications Feature availability | [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/plans/zero-trust-services/) | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | | Traffic and DNS mode Traffic only mode | Enterprise | | System | Availability | Minimum client version | | -------- | ------------ | ---------------------- | | Windows | ✅ | 2024.1.159.0 | | macOS | ✅ | 2024.1.160.0 | | Linux | ❌ | | | iOS | ✅ | 1.7 | | Android | ✅ | 1.4 | | ChromeOS | ✅ | 1.4 | Turn on **Display block notification for Cloudflare One Client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the Cloudflare One Client with a custom message you set. If you do not set a custom message, the Cloudflare One Client will display a default message. Custom messages must be 100 characters or less. The Cloudflare One Client will only display one notification per minute. Upon selecting the notification, the Cloudflare One Client will direct your users to the [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include: Policy context fields | Field | Definition | Example | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- | | User email | Email of the user that made the query. | &cf\_user\_email=user@example.com | | Site URL | Full URL of the original HTTP request or domain name in DNS query. | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F | | URL category | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected. | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains | | Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | &cf\_referer=https%3A%2F%2Fexample.com%2F | | Rule ID | ID of the Gateway policy that matched the request. | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Source IP | Source IP address of the device that matched the policy. | &cf\_source\_ip=203.0.113.5 | | Device ID | UUID of the device that matched the policy. | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 | | Application names | Name of the application the redirected domain corresponds to, if any. | &cf\_application\_name=Salesforce | | Filter | The traffic type filter that triggered the block. | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 | | Account ID | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d | | Query ID | ID of the DNS query for which the redirect took effect. | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Connection ID | ID of the proxy connection for which the redirect took effect. | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | | Request ID | ID of the HTTP request for which the redirect took effect. | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 | Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac). ### Network Override API value: `l4_override` Available selectors **Traffic** * [Destination Continent IP Geolocation](#destination-continent) * [Destination Country IP Geolocation](#destination-country) * [Destination IP](#destination-ip) * [Destination Port](#destination-port) * [Protocol](#protocol) * [SNI](#sni) * [SNI Domain](#sni-domain) * [Source Continent IP Geolocation](#source-continent) * [Source Country IP Geolocation](#source-country) * [Source Internal IP](#source-internal-ip) * [Source IP](#source-ip) * [Source Port](#source-port) * [Virtual Network](#virtual-network) **Identity** * [SAML Attributes](#users) * [User Email](#users) * [User Group Emails](#users) * [User Group IDs](#users) * [User Group Names](#users) * [User Name](#users) **Device Posture** * [Passed Device Posture Checks](#device-posture) Policies with Network Override actions override traffic directed to or coming from certain IPv4/IPv6 addresses or ports. Destination IPs can be public IPs or private IPs connected to your Zero Trust network. For example, the following configuration overrides traffic sent to a public IP with a private IP based on a user's identity: | Selector | Operator | Value | Logic | Action | | -------------- | -------- | -------------- | ----- | ---------------- | | Destination IP | in | 95.92.143.151 | And | Network Override | | User Email | in | \*@example.com | And | | | Override IP | 10.0.0.1 | | | | Warning If the override destination IP is unreachable, Gateway still rewrites the destination but does not log the connection. The traffic fails silently with no log entry. Verify that your override IP is reachable before deploying this policy. Gateway will only log successful override connections in your [network logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#network-logs). ## Selectors Gateway matches network traffic against the following selectors, or criteria. ### Access Infrastructure Target All [targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target) secured by an [Access infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/). | UI name | API example | | ---------------------------- | ------------- | | Access Infrastructure Target | access.target | ### Access Private App All destination IPs and hostnames secured by an [Access self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). | UI name | API example | | ------------------------------------------- | ------------------- | | Self-hosted Access App with Private Address | access.private\_app | ### Application You can apply network policies to a growing list of popular web applications. Refer to [Application and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/) for more information. | UI name | API example | | ----------- | --------------------------- | | Application | any(app.ids\[\*\] in {505}) | ### Content Categories Applications within a specific [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories). | UI name | API example | | ------------------ | -------------------------------------------- | | Content Categories | any(net.fqdn.content\_category\[\*\] in {1}) | ### Destination Continent The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the **Value** field: | Continent | Code | | ------------- | ---- | | Africa | AF | | Antarctica | AN | | Asia | AS | | Europe | EU | | North America | NA | | Oceania | OC | | South America | SA | | Tor network | T1 | | UI name | API example | | ------------------------------------ | ----------------------------- | | Destination Continent IP Geolocation | net.dst.geo.continent == "EU" | ### Destination Country The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its [ISO 3166-1 Alpha 2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | | ---------------------------------- | --------------------------- | | Destination Country IP Geolocation | net.dst.geo.country == "RU" | ### Destination IP The IP address of the request's target. | UI name | API example | | -------------- | ------------------------------------- | | Destination IP | any(net.dst.ip\[\*\] in {10.0.0.0/8}) | ### Destination Port The port number of the request's target. | UI name | API example | | ---------------- | -------------------- | | Destination Port | net.dst.port == 2222 | ### Detected Protocol The inferred network protocol based on Cloudflare's [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/). | UI name | API example | | ----------------- | ------------------------------- | | Detected Protocol | net.protocol.detection == "ssh" | ### Device Posture With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way. For more information on device posture checks, refer to [Device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). | UI name | API example | | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Passed Device Posture Checks | any(device\_posture.checks.failed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device\_posture.checks.passed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})" | ### Protocol The protocol used to send the packet. | UI name | API example | | -------- | --------------------- | | Protocol | net.protocol == "tcp" | Note To enable Gateway filtering on TCP and UDP, go to **Traffic policies** \> **Traffic settings** \> **Allow Secure Web Gateway to proxy traffic**. Network policies apply to all enabled protocols unless you use the **Protocol** selector within a policy. ### Proxy Endpoint The [proxy server](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) where your browser forwards HTTP traffic. | UI name | API example | | -------------- | ----------------------------------------------------------- | | Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" | ### Security Categories Applications within a specific [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories). | UI name | API example | | ------------------- | --------------------------------------------- | | Security Categories | any(net.fqdn.security\_category\[\*\] in {1}) | ### SNI Server Name Indication (SNI) is the hostname a client sends during the TLS handshake, before encryption begins. Gateway reads the SNI to identify the destination of encrypted traffic. The SNI selector matches the exact hostname. By default, SNI selectors only apply to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). | UI name | API example | | ------- | --------------------------------- | | SNI | net.sni.host == "www.example.com" | ### SNI Domain The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for `example.com` will match `example.com`, `www.example.com`, and `my.test.example.com`. By default, SNI selectors only apply to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). | UI name | API example | | ---------- | -------------------------------- | | SNI Domain | net.sni.domains == "example.com" | ### Source Continent The continent of the user making the request. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field: | Continent | Code | | ------------- | ---- | | Africa | AF | | Antarctica | AN | | Asia | AS | | Europe | EU | | North America | NA | | Oceania | OC | | South America | SA | | Tor network | T1 | | UI name | API example | | ------------------------------- | ---------------------------------------- | | Source Continent IP Geolocation | net.src.geo.continent == "North America" | ### Source Country The country of the user making the request. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | | ----------------------------- | --------------------------- | | Source Country IP Geolocation | net.src.geo.country == "RU" | ### Source Internal IP Use this selector to apply network policies to a private IP address, assigned by a user's local network, that requests arrive to Gateway from. | UI name | API example | | ------------------ | ---------------------------------------------- | | Source Internal IP | net.src.internal\_src\_ip == "192.168.86.0/27" | ### Source IP The originating IP address or addresses of a device proxied by Gateway. | UI name | API example | | --------- | -------------------------------- | | Source IP | net.src.ip\[\*\] in {10.0.0.0/8} | ### Source Port The originating port of a device proxied by Gateway. | UI name | API example | | ----------- | ---------------------- | | Source Port | net.src.port == "2222" | ### Users Use these selectors to match against identity attributes. | UI name | API example | | ----------------- | --------------------------------------------------------------------------------------------------------------- | | User Email | identity.email == "user@example.com" | | User Name | identity.name == "Test User" | | User Group IDs | any(identity.groups\[\*\].id in {"group\_id"}) | | User Group Names | any(identity.groups\[\*\].name in {"group\_name"}) | | User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"}) | | SAML Attributes | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) | ### Virtual Network Use this selector to match all traffic routed through a specific [Virtual Network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) via the Cloudflare One Client. | UI name | API example | | --------------- | ------------------------------------------------------ | | Virtual Network | net.vnet\_id == "957fc748-591a-e96s-a15d-1j90204a7923" | ## Comparison operators Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector. | Operator | Meaning | | ------------------------ | ------------------------------------------------------------------------------------------------------------------ | | is | equals the defined value | | is not | does not equal the defined value | | in | matches at least one of the defined values | | not in | does not match any of the defined values | | in list | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | not in list | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | matches regex | regex evaluates to true | | does not match regex | regex evaluates to false | | greater than | exceeds the defined number | | greater than or equal to | exceeds or equals the defined number | | less than | below the defined number | | less than or equal to | below or equals the defined number | Note The _in_ operator allows you to specify IP addresses or networks using CIDR notation (for example, `10.0.0.0/8` matches all IPs from `10.0.0.0` to `10.255.255.255`). ## Value In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors. ### Regular expressions Regular expressions are evaluated using Rust. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/#wildcards). To evaluate if your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/). If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. You do not need to use an escape character (`\`) before the pipe symbol. For example, the following expression evaluates to true when the SNI host matches either `.*whispersystems.org` or `.*signal.org`: | Selector | Operator | Value | | -------- | ------------- | ------------------------------------ | | SNI | matches regex | .\*whispersystems.org\|.\*signal.org | In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values. ## Logical operators To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator. | Operator | Meaning | | -------- | --------------------------------------------- | | And | match all of the conditions in the expression | | Or | match any of the conditions in the expression | The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in **Identity** or **Device Posture**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/network-policies/","name":"Network policies"}}]} ``` --- --- title: Common policies description: The following policies are commonly used to secure network traffic. Network policies are evaluated in order from top to bottom, and the first matching policy applies. Place more specific Allow policies above broader Block policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/network-policies/common-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Common policies The following policies are commonly used to secure network traffic. Network policies are evaluated in order from top to bottom, and the first matching policy applies. Place more specific Allow policies above broader Block policies. For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies/). Refer to the [network policies page](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) for a comprehensive list of other selectors, operators, and actions. ## Block unauthorized applications Note After seven days, view your [Shadow IT SaaS Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing. To minimize the risk of [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/), some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools: * [ Dashboard ](#tab-panel-3892) * [ API ](#tab-panel-3893) | Selector | Operator | Value | Action | | ----------- | -------- | ------------------------- | ------ | | Application | in | _Artificial Intelligence_ | Block | In the following API examples, `filters: ["l4"]` indicates that this is a network (Layer 4) policy. Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block unauthorized applications", "description": "Block access to unauthorized AI applications", "enabled": true, "action": "block", "filters": [ "l4" ], "traffic": "any(app.type.ids[*] in {25})", "identity": "", "device_posture": "" }' ``` ## Check user identity Configure access on a per user or group basis by adding [identity-based conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to your policies. * [ Dashboard ](#tab-panel-3890) * [ API ](#tab-panel-3891) | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------- | ----- | ------ | | Application | in | _Salesforce_ | And | Block | | User Group Names | in | _Contractors_ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Check user identity", "description": "Block access to Salesforce by temporary employees and contractors", "enabled": true, "action": "block", "filters": [ "l4" ], "traffic": "any(app.ids[*] in {606})", "identity": "any(identity.groups.name[*] in {\"Contractors\"})", "device_posture": "" }' ``` ## Enforce device posture Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). For example, you can use a list of [device serial numbers](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device/) to ensure users can only access an application if they connect with the Cloudflare One Client from a company device: In the following example, you can use a list of [device serial numbers](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device/) to ensure users can only access an application if they connect with the Cloudflare One Client from a company device: * [ Dashboard ](#tab-panel-3914) * [ API ](#tab-panel-3915) * [ Terraform ](#tab-panel-3916) | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | | SNI Domain | is | internalapp.com | And | Block | | Passed Device Posture Checks | not in | _Device serial numbers_ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "All-NET-ApplicationAccess-Allow", "description": "Ensure access to the application comes from authorized WARP clients", "precedence": 70, "enabled": false, "action": "block", "filters": [ "l4" ], "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" }' ``` To get the UUIDs of your device posture checks, use the [List device posture rules](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint. ``` resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow" { account_id = var.cloudflare_account_id name = "All-NET-ApplicationAccess-Allow" description = "Ensure access to the application comes from authorized WARP clients" precedence = 70 enabled = false action = "block" filters = ["l4"] traffic = "any(net.sni.domains[*] == \"internalapp.com\")" posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))" } ``` ## Enforce session duration To require users to re-authenticate after a certain amount of time has elapsed, configure [Cloudflare One Client sessions](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). ## Allow only approved traffic Restrict user access to only the specific sites or applications configured in your [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). This pattern uses two policies: an Allow policy to permit HTTP/HTTPS traffic, followed by a Block policy to deny everything else. Place the Allow policy above the Block policy so that matching traffic is allowed before the catch-all block applies. ### 1\. Allow HTTP and HTTPS traffic * [ Dashboard ](#tab-panel-3894) * [ API ](#tab-panel-3895) | Selector | Operator | Value | Logic | Action | | ----------------- | -------- | ------- | ----- | ------ | | Detected Protocol | is | _TLS_ | And | Allow | | Destination Port | in | 80, 443 | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Allow HTTP and HTTPS traffic", "description": "Restrict traffic to HTTP and HTTPS traffic", "enabled": true, "action": "allow", "filters": [ "l4" ], "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}", "identity": "", "device_posture": "" }' ``` ### 2\. Block all other traffic * [ Dashboard ](#tab-panel-3896) * [ API ](#tab-panel-3897) | Selector | Operator | Value | Action | | -------- | -------- | ------------ | ------ | | Protocol | in | _TCP_, _UDP_ | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block all other traffic", "description": "Block all other traffic that is not HTTP or HTTPS", "enabled": true, "action": "block", "filters": [ "l4" ], "traffic": "net.protocol in {\"tcp\" \"udp\"}", "identity": "", "device_posture": "" }' ``` ## Filter HTTPS traffic when inspecting on all ports If your organization blocks traffic by default with a Network policy and you want to [inspect HTTP traffic on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it. * [ Dashboard ](#tab-panel-3898) * [ API ](#tab-panel-3899) | Selector | Operator | Value | Logic | Action | | ----------------- | -------- | ------ | ----- | ------ | | Detected Protocol | is | _TLS_ | Or | Allow | | Detected Protocol | is | _HTTP_ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Allow on inspect all ports", "description": "Filter HTTPS traffic when using inspect all ports", "enabled": true, "action": "allow", "filters": [ "l4" ], "traffic": "net.detected_protocol == \"tls\" or net.detected_protocol == \"http\"", "identity": "", "device_posture": "" }' ``` ## Restrict private network access to proxy endpoint users When using proxy endpoints, by default all devices added to the proxy endpoint can access your internal applications and services connected through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). To restrict access and add an additional layer of security, create the following policies. ### Source IP proxy endpoints When using [source IP proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint), restrict access to only users connecting through the proxy endpoint from specific source IPs. #### 1\. Allow proxy endpoint traffic from specific source IPs * [ Dashboard ](#tab-panel-3900) * [ API ](#tab-panel-3901) | Selector | Operator | Value | Logic | Action | | -------------- | -------- | ---------------- | ----- | ------ | | Proxy Endpoint | in | _Proxy Endpoint_ | And | Allow | | Source IP | in | 203.0.113.0/24 | And | | | Destination IP | in | 10.0.0.0/8 | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Allow proxy endpoint traffic from specific source IPs", "description": "Allow traffic from proxy endpoint users with specific source IPs to reach private network", "enabled": true, "action": "allow", "filters": [ "l4" ], "traffic": "net.proxy_endpoint.ids[*] in {\"\"} and net.src.ip in {203.0.113.0/24} and net.dst.ip in {10.0.0.0/8}", "identity": "", "device_posture": "" }' ``` Replace `` with your proxy endpoint ID. #### 2\. Block all other proxy endpoint traffic to private network * [ Dashboard ](#tab-panel-3902) * [ API ](#tab-panel-3903) | Selector | Operator | Value | Logic | Action | | -------------- | -------- | ---------------- | ----- | ------ | | Proxy Endpoint | in | _Proxy Endpoint_ | And | Block | | Destination IP | in | 10.0.0.0/8 | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block all other proxy endpoint traffic", "description": "Block any other proxy endpoint traffic from accessing the private network", "enabled": true, "action": "block", "filters": [ "l4" ], "traffic": "net.proxy_endpoint.ids[*] in {\"\"} and net.dst.ip in {10.0.0.0/8}", "identity": "", "device_posture": "" }' ``` Replace `` with your proxy endpoint ID. ### Authorization proxy endpoints When using [authorization proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint), add an additional layer of security by restricting access to only users connecting from specific source IPs. This prevents unauthorized access even if user credentials are compromised. #### 1\. Allow proxy endpoint traffic from specific source IPs * [ Dashboard ](#tab-panel-3904) * [ API ](#tab-panel-3905) | Selector | Operator | Value | Logic | Action | | -------------- | -------- | ---------------- | ----- | ------ | | Proxy Endpoint | in | _Proxy Endpoint_ | And | Allow | | Source IP | in | 203.0.113.0/24 | And | | | Destination IP | in | 10.0.0.0/8 | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Allow authorized proxy endpoint traffic from specific source IPs", "description": "Allow traffic from authorization proxy endpoint users with specific source IPs to reach private network", "enabled": true, "action": "allow", "filters": [ "l4" ], "traffic": "net.proxy_endpoint.ids[*] in {\"\"} and net.src.ip in {203.0.113.0/24} and net.dst.ip in {10.0.0.0/8}", "identity": "", "device_posture": "" }' ``` Replace `` with your proxy endpoint ID. #### 2\. Block all other proxy endpoint traffic to private network * [ Dashboard ](#tab-panel-3908) * [ API ](#tab-panel-3909) | Selector | Operator | Value | Logic | Action | | -------------- | -------- | ---------------- | ----- | ------ | | Proxy Endpoint | in | _Proxy Endpoint_ | And | Block | | Destination IP | in | 10.0.0.0/8 | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block all other authorized proxy endpoint traffic", "description": "Block any other authorization proxy endpoint traffic from accessing the private network", "enabled": true, "action": "block", "filters": [ "l4" ], "traffic": "net.proxy_endpoint.ids[*] in {\"\"} and net.dst.ip in {10.0.0.0/8}", "identity": "", "device_posture": "" }' ``` Replace `` with your proxy endpoint ID. ## Restrict access to private networks Restrict access to resources which you have connected through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic. ### 1\. Allow company employees * [ Dashboard ](#tab-panel-3906) * [ API ](#tab-panel-3907) | Selector | Operator | Value | Logic | Action | | -------------- | ------------- | --------------- | ----- | ------ | | Destination IP | in | 10.0.0.0/8 | And | Allow | | User Email | matches regex | .\*@example.com | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Allow company employees", "description": "Allow any users with an organization email to reach the application", "enabled": true, "action": "allow", "filters": [ "l4" ], "traffic": "net.dst.ip in {10.0.0.0/8}", "identity": "identity.email matches \".*@example.com\"", "device_posture": "" }' ``` ### 2\. Block everyone else * [ Dashboard ](#tab-panel-3910) * [ API ](#tab-panel-3911) | Selector | Operator | Value | Action | | -------------- | -------- | ---------- | ------ | | Destination IP | in | 10.0.0.0/8 | Block | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block everyone else", "description": "Block any other users from accessing the application", "enabled": true, "action": "block", "filters": [ "l4" ], "traffic": "net.dst.ip in {10.0.0.0/8}", "identity": "", "device_posture": "" }' ``` ## Override IP address Override traffic directed toward a specific IP address with a different IP address. * [ Dashboard ](#tab-panel-3912) * [ API ](#tab-panel-3913) | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------ | ----- | ---------------- | | Destination IP | in | 203.0.113.17 | And | Network Override | | Destination Port | is | 80 | | | | Override IP | Override Port | | ----------- | ------------- | | 1.1.1.1 | 80 | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Override example.com with 1.1.1.1", "description": "Override a site'\''s IP address with another IP", "enabled": true, "action": "l4_override", "filters": [ "l4" ], "traffic": "net.dst.ip in {203.0.113.17} and net.dst.port == 80", "identity": "", "device_posture": "", "rule_settings": { "l4override": { "ip": "1.1.1.1", "port": 80 }, "override_host": "", "override_ips": null } }' ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/network-policies/","name":"Network policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/network-policies/common-policies/","name":"Common policies"}}]} ``` --- --- title: Protocol detection description: Gateway supports the detection, logging, and filtering of network protocols using packet attributes. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/network-policies/protocol-detection.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Protocol detection Gateway supports the detection, logging, and filtering of network protocols using packet attributes. Protocol detection only applies to devices connected to Cloudflare One via the Cloudflare One Client in [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) mode. ## Turn on protocol detection To turn on protocol detection: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings** \> **Proxy and inspection settings**. 2. Turn on **Allow protocol detection**. You can now use _Detected Protocol_ as a selector in a [Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#detected-protocol). ### Inspect on all ports Beta By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`. To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, under **Manage HTTP inspection by port**, choose _Inspect on all ports_. #### Important considerations **TLS interception on all ports**: When you turn on this setting, Gateway will attempt to intercept TLS traffic on every port, not just port `443`. This means all applications using TLS on non-standard ports will have their traffic intercepted by the Gateway proxy. If you only want to turn on SNI detection for Network policy filtering without full TLS interception, you will need to create [Do Not Inspect policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#do-not-inspect) for the specific applications or domains that use TLS on non-standard ports. Non-HTTP protocols inside TLS bypass network policy filtering Once a Network policy allows a TLS connection at Layer 4, Gateway decrypts the TLS traffic. However, Gateway cannot filter non-HTTP protocols inside the TLS connection. All non-HTTPS traffic inside TLS (such as SSH over TLS, database protocols, or custom protocols) is allowed by default with no further filtering applied. If your organization uses a default-block Network policy, Gateway will still allow all non-HTTPS TLS traffic through. To use HTTP policies to filter all HTTPS traffic on all ports when using a default Block Network policy, [create a Network policy to explicitly allow HTTP and TLS traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/common-policies/#filter-https-traffic-when-inspecting-on-all-ports). ## Supported protocols Gateway supports detection and filtering of the following protocols: | Protocol | Notes | | ----------------- | -------------------------------------------------------------------------------------------- | | HTTP | Hypertext Transfer Protocol (HTTP/1.1). | | HTTP2 | Hypertext Transfer Protocol Version 2. | | SSH | Secure Shell Protocol — remote login and command execution. | | TLS | Transport Layer Security. Gateway detects TLS versions 1.1 through 1.3 with the _TLS_ value. | | DCERPC | Distributed Computing Environment / Remote Procedure Call. | | MQTT | Message Queuing Telemetry Transport — lightweight IoT messaging protocol. | | TPKT | TPKT commonly initiates RDP sessions, so you can use it to identify and filter RDP traffic. | | IMAP Beta | Internet Message Access Protocol — email retrieval. | | POP3 Beta | Post Office Protocol v3 — email retrieval. | | SMTP Beta | Simple Mail Transfer Protocol — email sending. | | MYSQL Beta | MySQL database wire protocol. | | RSYNC-DAEMON Beta | rsync daemon protocol. | | LDAP Beta | Lightweight Directory Access Protocol. | | NTP Beta | Network Time Protocol. | ## Example network policy You can create network policies that filter traffic based on protocol detections rather than common ports. For example, you can block all SSH traffic on your network without blocking port 22 or any other non-default ports: | Selector | Operator | Value | Action | | ----------------- | -------- | ----- | ------ | | Detected Protocol | in | _SSH_ | Block | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/network-policies/","name":"Network policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/network-policies/protocol-detection/","name":"Protocol detection"}}]} ``` --- --- title: SSH proxy and command logs (legacy) description: Cloudflare One supports SSH proxying and command logging using Secure Web Gateway and the Cloudflare One Client. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSH ](https://developers.cloudflare.com/search/?tags=SSH) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/network-policies/ssh-logging.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # SSH proxy and command logs (legacy) Legacy feature — not recommended for new deployments This SSH proxy and command logging method is deprecated. For new deployments, use [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) to manage SSH sessions and log SSH commands. Cloudflare One supports SSH proxying and command logging using Secure Web Gateway and the Cloudflare One Client. You can create network policies to manage and monitor SSH access to your applications. When a device connects to your origin server over SSH, a session log will be generated showing which user connected, the session duration, and optionally a full replay of all commands run during the session. ## Prerequisites * [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/) on end-user devices. * [Install the Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on end-user devices. ## 1\. Ensure Unix usernames match user SSO identities Cloudflare Gateway will take the identity from a token and, using short-lived certificates, authorize the user on the target infrastructure. The simplest setup is one where a user's Unix username matches their email address prefix. Issued short-lived certificates will be valid for the user's email address prefix. For example, if a user in your Okta or GSuite organization is registered as `jdoe@example.com`, they would log in to the SSH server as `jdoe`. For testing purposes, you can run the following command to generate a Unix user on the machine: Terminal window ``` sudo adduser jdoe ``` Advanced setup: Differing usernames SSH certificates include one or more `principals` in their signature which indicate the Unix usernames the certificate is allowed to log in as. Cloudflare Access will always set the principal to the user's email address prefix. For example, when `jdoe@example.com` tries to connect, Access issues a short-lived certificate authorized for the principal `jdoe`. By default, SSH servers authenticate the Unix username against the principals listed in the user's certificate. You can configure your SSH server to accept principals that do not match the Unix username. Note If you would like to use short-lived certificates with the browser-based terminal, the user's email address prefix needs to matches their Unix username. **Username matches a different email** To allow `jdoe@example.com` to log in as the user `johndoe`, add the following to the server's `/etc/ssh/sshd_config`: ``` Match user johndoe AuthorizedPrincipalsCommand /bin/echo 'jdoe' AuthorizedPrincipalsCommandUser nobody ``` This tells the SSH server that, when someone tries to authenticate as the user `johndoe`, check their certificate for the principal `jdoe`. This would allow the user `jdoe@example.com` to sign into the server with a command such as: Terminal window ``` ssh johndoe@server ``` **Username matches multiple emails** To allow multiple email addresses to log in as `vmuser`, add the following to the server's `/etc/ssh/sshd_config`: ``` Match user vmuser AuthorizedPrincipalsFile /etc/ssh/vmusers-list.txt ``` This tells the SSH server to load a list of principles from a file. Then, in `/etc/ssh/vmusers-list.txt`, list the email prefixes that can log in as `vmuser`, one per line: ``` jdoe bwayne robin ``` **Username matches all users** To allow any Access user to log in as `vmuser`, add the following command to the server's `/etc/ssh/sshd_config`: ``` Match user vmuser AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals" AuthorizedPrincipalsCommandUser nobody ``` This command takes the certificate presented by the user and authorizes whatever principal is listed on it. **Allow all users** To allow any Access user to log in with any username, add the following to the server's `/etc/ssh/sshd_config`: ``` AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals" AuthorizedPrincipalsCommandUser nobody ``` Since this will put the security of your server entirely dependent on your Access configuration, make sure your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) are correctly configured. ## 2\. Generate a Gateway SSH proxy CA Instead of traditional SSH keys, Gateway uses short-lived certificates to authenticate traffic between Cloudflare and your origin. Note Other short-lived CAs, such as those used to [secure SSH servers behind Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/), are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the `gateway_ca` API endpoint. To generate a Gateway SSH proxy CA and get its public key: * [ Dashboard ](#tab-panel-3919) * [ API ](#tab-panel-3920) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Service credentials** \> **SSH**. 2. Select **Add a certificate**. 3. Under **SSH with Access for Infrastructure**, select **Generate SSH CA**. A new row will appear in the short-lived certificates table called **SSH with Access for Infrastructure**. 4. Select the **SSH with Access for Infrastructure** certificate. 5. Copy its **CA public key**. You can return to copy this public key at any time. 1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions: | Type | Item | Permission | | ------- | -------------------- | ---------- | | Account | Access: SSH Auditing | Edit | 2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: SSH Auditing Write` Add a new SSH Certificate Authority (CA) ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` 1. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: SSH Auditing Write` * `Access: SSH Auditing Read` List SSH Certificate Authorities (CA) ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \ --request GET \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` 1. Copy the `public_key` value returned in the response. ## 3\. Save the public key 1. Use the following command to change directories to the SSH configuration directory on the remote target machine: Terminal window ``` cd /etc/ssh ``` 2. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key. Terminal window ``` vim ca.pub ``` 3. In the `ca.pub` file, paste the public key without any modifications. ca.pub ``` ecdsa-sha2-nistp256 open-ssh-ca@cloudflareaccess.org ``` The `ca.pub` file can hold multiple keys, listed one per line. Empty lines and comments starting with `#` are also allowed. 4. Save the `ca.pub` file. In some systems, you may need to use the following command to force the file to save depending on your permissions: Terminal window ``` :w !sudo tee % :q! ``` ## 4\. Modify your `sshd_config` file Configure your SSH server to trust the Cloudflare SSH CA by updating the `sshd_config` file on the remote target machine. 1. While in the `/etc/ssh` directory on the remote machine, open the `sshd_config` file. Terminal window ``` sudo vim /etc/ssh/sshd_config ``` 2. Press `i` to enter insert mode, then add the following lines at the top of the file, above all other directives: ``` PubkeyAuthentication yes TrustedUserCAKeys /etc/ssh/ca.pub ``` Be aware of your include statements If there are any include statements below these lines, the configurations in those files will not take precedence. 3. Press `esc` and then type `:x` and press `Enter` to save and exit. ## 5\. Check your SSH port number Cloudflare's SSH proxy only works with servers running on the default port 22\. Open the `sshd_config` file and verify that no other `Port` values are specified. Terminal window ``` cat /etc/ssh/sshd_config ``` ## 6\. Restart your SSH server Once you have modified your `sshd` configuration, reload the SSH service on the remote machine for the changes to take effect. * [ Debian/Ubuntu ](#tab-panel-3917) * [ CentOS/RHEL ](#tab-panel-3918) For Debian/Ubuntu: Terminal window ``` sudo systemctl reload ssh ``` For CentOS/RHEL 7 and newer: Terminal window ``` sudo systemctl reload sshd ``` ## 7\. Create an Audit SSH policy 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies**. 2. In the **Network** tab, select **Add a network policy**. 3. Name the policy and specify the [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#destination-ip) for your origin server. You can enter either a public or private IP. To use a private IP, refer to [Connect private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/). 4. Add any other conditions to your policy. If a user does not meet the criteria, they will be blocked by default. 5. In the **Action** dropdown, select _Audit SSH_. 6. (Optional) Enable **SSH Command Logging**. If you have not already uploaded an SSH encryption public key, follow the steps in [Configure SSH Command Logging](#optional-configure-ssh-command-logging). 7. Save the policy. ## 8\. Connect as a user Users can use any SSH client to connect to the target resource, as long as they are logged into the Cloudflare One Client on their device. Cloudflare One will authenticate, proxy, and optionally encrypt and record all SSH traffic through Gateway. Users must specify their desired username to connect with as part of the SSH command: Terminal window ``` ssh @ ``` Note If the target resource is already in a user's `.ssh/known_hosts` file, the user must first remove existing SSH keys before attempting to connect: Terminal window ``` ssh-keygen -R ``` ## (Optional) Configure SSH Command Logging To log SSH commands, you will need to generate an HPKE key pair and upload the public key to Cloudflare. 1. [Download ↗](https://github.com/cloudflare/ssh-log-cli/releases/latest/) the Cloudflare `ssh-log-cli` utility. 2. Using the `ssh-log-cli` utility, generate a public and private key pair. Terminal window ``` ./ssh-log-cli generate-key-pair -o sshkey ls ``` ``` README.md ssh-log-cli sshkey sshkey.pub ``` This command outputs two files, an `sshkey.pub` public key and a matching `sshkey` private key. 3. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 4. In **SSH log encryption public key**, paste the contents of `sshkey.pub` and select **Save**. Note that this a different public key from the `ca.pub` file you used to configure the SSH server. All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to view logs. ## View SSH Logs 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Insights** \>**Logs** \> **SSH command logs**. 2. If you enabled the **SSH Command Logging** feature, you can **Download** a session's command log. 3. To decrypt the log, follow the instructions in the [SSH Logging CLI repository ↗](https://github.com/cloudflare/ssh-log-cli/). In the following example, `sshkey` is the private key that matches the public key uploaded to Cloudflare. Terminal window ``` ./ssh-log-cli decrypt -i sshlog -k sshkey ``` This command outputs a `sshlog-decrypted.zip` file with the decrypted logs. ## Limitations SSH Command Logging does not support SFTP since it cannot be inspected and logged. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/network-policies/","name":"Network policies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/network-policies/ssh-logging/","name":"SSH proxy and command logs (legacy)"}}]} ``` --- --- title: Order of enforcement description: With Cloudflare Gateway, you can enable and configure any combination of DNS, network, and HTTP policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/order-of-enforcement.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Order of enforcement With Cloudflare Gateway, you can [enable and configure](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/) any combination of DNS, network, and HTTP policies. flowchart TB %% Accessibility accTitle: Gateway order of enforcement accDescr: Flowchart describing the order of enforcement for Gateway policies. subgraph Resolution["Resolution"] dns2["1.1.1.1"] dns4["Custom resolver"] dns3["Resolver policies
(Enterprise users only)"] internal["Internal DNS"] end subgraph DNS["DNS"] dns1["DNS policies"] Resolution end subgraph HTTP["HTTP policies"] http1{{"Do Not Inspect policies"}} http2["Isolate policies
(with Browser Isolation add-on)"] http3["Allow, Block, Do Not Scan, Quarantine, and Redirect policies, DLP, and anti-virus scanning"] https["HTTP or HTTPS?"] end subgraph Proxy["Proxy"] HTTP network1["Network policies"] nonhttp["Non-HTTP(S) traffic"] end subgraph Egress["Egress"] egress1["Egress policies
(Enterprise users only)"] end start(["Traffic"]) --> dns0[/"DNS query"/] & http0["Network connections"] dns0 ----> dns1 dns1 -- Resolved by --> dns2 dns1 --> dns3 dns3 -- Resolved by --> dns4 dns2 -----> internet(["Internet"]) dns4 -----> internet dns4 ---> cloudflare["Private network services
(Cloudflare Tunnel, Cloudflare WAN, WARP Connector)"] http1 -- Do Not Inspect --> internet http1 -- Inspect --> http2 http2 --> http3 http0 --> magic["Cloudflare Network Firewall (Enterprise users only)"] magic --> egress1 egress1 --> tcp["Check for origin availability (TCP SYN)"] tcp --> network1 http3 --> internet https -- HTTPS --> http1 https -- HTTP --> http2 network1 --> https & nonhttp dns3 -- Resolved by --> internal & dns2 nonhttp -----> internet https@{ shape: hex} http0@{ shape: lean-r} Order of enforcement change on 2025-07-14 On 2025-07-14, Gateway began evaluating network-level policies before application-level policies and verify the network path to an origin server before accepting a connection. This only affects your policies if you are applying HTTP policies in your account. For example: Comparison of old and new order of enforcement | Old order of enforcement | New order of enforcement | | | ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | | **Network Block policy and HTTP Block policy** | Gateway blocks traffic and displays the block page and/or follows the client notification settings on the HTTP policy. | Gateway blocks traffic. Gateway does not display the block page but will follow the client notification settings on the Network policy. | | **Network Allow policy and HTTP Block policy** | Gateway blocks traffic and displays the block page and follows the client notification settings on the HTTP policy. | No change. | | **Network Block policy and HTTP Allow policy** | Gateway blocks traffic and follows the client notification settings on the Network policy. | No change. | ## Connection establishment When a user connects to a server with Gateway, Gateway first establishes a TCP connection with the destination server on the port the user requested. Because TCP traffic is proxied by Cloudflare, the connection Gateway establishes with the origin is independent from the connection users establish with Gateway. This means Gateway assigns a new source IP and port to the user's connection and no details from the user's TCP handshake are included in the TCP handshake with the origin server. If the TCP connection to the destination server is successful, Gateway will apply policies. If Gateway policies allow the connection, Gateway will connect the user to the destination server. If Gateway policies block the connection, Gateway will end the connection and will not send any data between the user and the destination server. If the TCP connection to the destination server is unsuccessful, Gateway will not run any policies and retry TCP connections from the user to the server. flowchart TD %% Accessibility accTitle: How Gateway proxy works accDescr: Flowchart describing how the Gateway proxy uses the Happy Eyeballs algorithm to establish TCP connections and proxy user traffic. %% Flowchart A[User's device sends TCP SYN to Gateway] --> B[Gateway sends TCP SYN to origin server] B --> C{{Origin server responds with TCP SYN-ACK?}} C -->|Yes| E[TCP handshakes completed] C -->|No| D[Connection fails] E --> F{{Connection allowed?}} F -->|Allow policy| G[Gateway proxies traffic bidirectionally] F -->|Block policy| H[Connection blocked by firewall policies] %% Styling style D stroke:#D50000 style G stroke:#00C853 style H stroke:#D50000 Connections to Zero Trust will always appear in your [Zero Trust network session logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/) regardless of connection success. Because Gateway does not inspect failed connections, they will not appear in your [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). ### Filter TCP SYN packets with Cloudflare Network Firewall Because Gateway sends a TCP SYN to the destination server before evaluating policies, Gateway Network or HTTP Block policies do not prevent the initial TCP SYN from reaching the destination server. If you need to prevent TCP SYN packets from being sent to specific destination IP addresses, you can create a [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/) rule to block traffic at the packet level. As shown in the [enforcement flowchart](#order-of-enforcement), Cloudflare Network Firewall evaluates traffic before Gateway checks for origin availability. Note Cloudflare Network Firewall is available to Enterprise users only. To block TCP SYN packets to a specific destination: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Firewall policies** \> **Custom policies**. 2. Select **Add a policy**. 3. Create a rule with the destination IP address or CIDR range you want to block. For example, to block all traffic to `10.0.0.0/8`, use the expression `ip.dst in {10.0.0.0/8}` with a **Block** action. 4. Select **Add new policy**. For more information on creating packet filtering rules, refer to [Add policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/add-policies/). ## Priority between policy builders Gateway applies your policies in the following order: 1. DNS policies with selectors evaluated before resolution 2. Resolver policies (if applicable) 3. DNS policies with selectors evaluated after resolution 4. Egress policies (if applicable) 5. Network policies 6. HTTP policies DNS and resolver policies are standalone. For example, if you block a site with a DNS policy but do not create a corresponding HTTP policy, users can still access the site if they know its IP address. ### HTTP/3 traffic For proxied [HTTP/3 traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/), Gateway applies your policies in the following order: 1. DNS policies 2. Network policies 3. HTTP policies ## Priority within a policy builder ### DNS policies Gateway evaluates DNS policies first in order of DNS resolution, then in [order of precedence](#order-of-precedence). When DNS queries are received, Gateway evaluates policies with pre-resolution selectors, resolves the DNS query, then evaluates policies with post-resolution selectors. This means policies with selectors evaluated before DNS resolution take precedence. For example, the following set of policies will block `example.com`: | Precedence | Selector | Operator | Value | Action | | ---------- | ------------------------------- | -------- | ------------- | ------ | | 1 | Resolved Country IP Geolocation | is | United States | Allow | | 2 | Domain | is | example.com | Block | Despite an explicit Allow policy ordered first, policy 2 takes precedence because the _Domain_ selector is evaluated before DNS resolution. If a policy contains both pre-resolution and post-resolution selectors, Gateway will evaluate the entire policy after DNS resolution. For information on when each selector is evaluated, refer to the [list of DNS selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#selectors). ### Network policies Gateway evaluates network policies in [order of precedence](#order-of-precedence). ### HTTP policies Gateway applies HTTP policies based on a combination of [action type](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#actions) and [order of precedence](#order-of-precedence): 1. All Do Not Inspect policies are evaluated first, in order of precedence. 2. If no policies match, all Isolate policies are evaluated in order of precedence. 3. All Allow, Block and Do Not Scan policies are evaluated in order of precedence. 4. The body of the HTTP request, including Data Loss Prevention (DLP), AV scanning, and file sandboxing, is evaluated. This order of enforcement allows Gateway to first determine whether decryption should occur. If a site matches a Do Not Inspect policy, it is automatically allowed through Gateway and bypasses all other HTTP policies. Note The only exception is if you are using [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) — all sites within the clientless remote browser are implicitly isolated even if they match a Do Not Inspect policy. Next, Gateway checks decrypted traffic against your Isolate policies. When a user makes a request which triggers an Isolate policy, the request will be rerouted to a [remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). Next, Gateway evaluates all Allow, Block, and Do Not Scan policies. These policies apply to both isolated and non-isolated traffic. For example, if `example.com` is isolated and `example.com/subpage` is blocked, Gateway will block the subpage (`example.com/subpage`) inside of the remote browser. Lastly, Gateway inspects the body of the HTTP request by evaluating it against DLP policies, and running anti-virus scanning and file sandboxing. If DLP Block policies are present, the action Gateway ultimately takes may not match the action it initially logs. For more information, refer to [DLP policy precedence](#dlp-policy-precedence). ### Resolver policies When [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) are present, Gateway first evaluates any DNS policies with pre-resolution selectors, then routes any DNS queries according to the [order of precedence](#order-of-precedence) of your resolver policies, and lastly evaluates any DNS policies with post-resolution selectors. ### Order of precedence Order of precedence refers to the priority of individual policies within the DNS, network, or HTTP policy builder. Gateway evaluates policies in ascending order beginning with the lowest value. The order of precedence follows the first match principle. Once traffic matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. Therefore, Cloudflare recommends assigning the most specific policies and exceptions with the highest precedence and the most general policies with the lowest precedence. #### Cloudflare One In Cloudflare One, policies are in order of precedence from top to bottom of the list. Policies begin with precedence `1` and count upward. You can modify the order of precedence by dragging and dropping individual policies in the dashboard. #### Cloudflare API To update the precedence of a policy with the Cloudflare API, use the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint to update the `precedence` field. #### DLP policy precedence For Gateway configurations with DLP policies, Gateway will filter and log traffic based on first match, then scan the body of the HTTP request for matching content. Because of the first match principle, Gateway may perform and log a decision for traffic, then perform a contradicting decision. For example, if traffic is first allowed with an Allow HTTP policy, then blocked with a DLP Block policy, Gateway will log the initial Allow action despite ultimately blocking the request. #### Access applications If Gateway traffic is headed to a private IP address protected as an Access application, that traffic will still be evaluated by the destination application's Access policies, even if a Gateway Allow policy matched first. Gateway Block policies that match traffic will terminate any other policy evaluation. This is expected behavior. A Gateway Allow policy does not override or bypass Access policies. Terraform provider v4 precedence limitation To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint. To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). ## Example Suppose you have a list of policies arranged in the following order of precedence: * DNS policies: | Precedence | Selector | Operator | Value | Action | | ---------- | -------- | ------------- | ---------------- | ------ | | 1 | Host | is | example.com | Block | | 2 | Host | is | test.example.com | Allow | | 3 | Domain | matches regex | .\\ | Block | * HTTP policies: | Precedence | Selector | Operator | Value | Action | | ---------- | -------- | -------- | ----------------- | -------------- | | 1 | Host | is | example.com | Block | | 2 | Host | is | test2.example.com | Do Not Inspect | * Network policies: | Precedence | Selector | Operator | Value | Action | | ---------- | ---------------- | -------- | ---------------- | ------ | | 1 | Destination Port | is | 80 | Block | | 2 | Destination port | is | 443 | Allow | | 3 | SNI Domain | is | test.example.com | Block | When a user goes to `https://test.example.com`, Gateway performs the following operations: 1. Evaluate DNS request against DNS policies: 1. Policy #1 does not match `test.example.com` — move on to check Policy #2. 2. Policy #2 matches, so DNS resolution is allowed. 3. Policy #3 is not evaluated because there has already been an explicit match. 2. Evaluate HTTPS request against network policies: 1. Policy #1 does not match because port 80 is used for standard HTTP, not HTTPS. 2. Policy #2 matches, so the request is allowed and proxied to the upstream server. 3. Policy #3 is not evaluated because there has already been an explicit match. 3. Evaluate HTTPS request against HTTP policies: 1. Policy #2 is evaluated first because Do Not Inspect [always takes precedence](#http-policies) over Allow and Block. Since there is no match, move on to check Policy #1. 2. Policy #1 does not match `test.example.com`. Since there are no matching Block policies, the request passes the HTTP filter. Therefore, the user is able to connect to `https://test.example.com`. ## Precedence calculations When arranging policies in [Cloudflare One ↗](https://one.dash.cloudflare.com/), Gateway automatically calculates the precedence for rearranged policies. When using the API to create a policy, unless the precedence is explicitly defined in the policy, Gateway will assign precedence to policies starting at `1000`. Every time a new policy is added to the bottom of the order, Gateway will calculate the current highest precedence in the account and add a random integer between 1 and 100 to `1000` so that it now claims the maximum precedence in the account. To manually update a policy's precedence, use the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint. You can set a policy's precedence to any value that is not already in use. Changing the order within Cloudflare One or API may result in configuration issues when using [Terraform](#manage-precedence-with-terraform). ## Manage precedence with Terraform You can manage the order of execution of your Gateway policies using Terraform. With version 5 of the Terraform Cloudflare provider, Gateway users can list their policies in a Terraform file with any desired integer precedence value. Cloudflare recommends starting with a precedence of `1000` and adding extra space between each policy's precedence for any future policies. For example: ``` resource "cloudflare_zero_trust_gateway_policy" "policy_1" { account_id = var.cloudflare_account_id # other attributes... precedence = 1000 } resource "cloudflare_zero_trust_gateway_policy" "policy_2" { account_id = var.cloudflare_account_id # other attributes... precedence = 2000 } resource "cloudflare_zero_trust_gateway_policy" "policy_3" { account_id = var.cloudflare_account_id # other attributes... precedence = 3000 } ``` To avoid precedence calculation errors when reordering policies with Terraform, you should move one policy at a time before running `terraform plan` and `terraform apply`. If you use both Terraform and Cloudflare One or API, sync your polices with `terraform refresh` before reordering policies in Terraform. Alternatively, you can set your account to [read-only in Cloudflare One](https://developers.cloudflare.com/cloudflare-one/api-terraform/#set-dashboard-to-read-only), only allowing changes using the API or Terraform. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/order-of-enforcement/","name":"Order of enforcement"}}]} ``` --- --- title: Packet filtering description: Packet filtering lets you inspect individual pieces of network traffic (packets) and apply rules to allow or block them before they reach your network. Use the pages in this section to create and manage filtering policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Packet filtering Packet filtering lets you inspect individual pieces of network traffic (packets) and apply rules to allow or block them before they reach your network. Use the pages in this section to create and manage filtering policies. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}}]} ``` --- --- title: Add policies description: A root ruleset is the top-level container that holds all your firewall policies. You can check for an existing root ruleset from the dashboard or via the Account rulesets API. If you are a new Magic Transit customer, you may not have a root ruleset created for your account. To view examples for root rulesets, review the Cloudflare Network Firewall Terraform documentation. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Add policies A root ruleset is the top-level container that holds all your firewall policies. You can check for an existing root ruleset from the dashboard or via the [Account rulesets API](https://developers.cloudflare.com/api/resources/rulesets/methods/list/). If you are a new Magic Transit customer, you may not have a root ruleset created for your account. To view examples for root rulesets, review the [Cloudflare Network Firewall Terraform documentation ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/magic%5Ffirewall%5Fruleset). By default, you can create a maximum of 200 policies. Contact your account team to request a higher limit if needed. We recommend you create lists of IP addresses to reference within policies to streamline policy management. ## Add a policy 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Select **Add a policy**. 3. Fill out the information for your new policy. All existing policies apply to IPv4 traffic only. You can use a [Managed IP List](https://developers.cloudflare.com/waf/tools/lists/managed-lists/#managed-ip-lists) when populating the **Value**. 4. When you are done, select **Add new policy**. ## Create a disabled policy When you add a new policy, the policy is **Enabled** by default. To create a **Disabled** policy, follow the steps in [Add a policy](#add-a-policy) above and toggle **Enabled** to off. When a policy is in the disabled state, the policy will not perform the action until it is set to **Enabled**. To disable an existing policy, from the **Custom policies** tab, set the **Enabled** toggle to off. ## Update a policy 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Locate the policy you want to edit and select the three dots > **Edit**. 3. Update the policy with your changes and select **Save**. ## Delete an existing policy 1. Locate the policy you want to delete in the list. 2. From the end of the row, select **Delete**. 3. Select **Delete** again to confirm the deletion. ## API Below, you can find examples of how to use the API to perform certain actions. Warning The examples on this page all use the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets` endpoint. This endpoint creates policies from scratch and **will replace all existing policies in the ruleset**. If you have a ruleset already deployed, consider using the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules` endpoint instead. Refer to [Add a rule to a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/add-rule/) and [Create an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) for more information. ### Skip action A skip action tells the firewall to stop evaluating the current ruleset for matching traffic, effectively allowing it through. Rules in a ruleset evaluate in order from top to bottom. In the example below, the skip rule must appear before the block rule so that matching traffic (port `8080`) is allowed through before the catch-all block applies. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "skip", "action_parameters": { "ruleset": "current" }, "expression": "tcp.dstport in { 8080 } ", "description": "Allow port 8080" }, { "action": "block", "expression": "tcp.dstport in { 1..65535 }", "description": "Block all TCP ports" } ] }' ``` ### Block a country The example below blocks all packets with a source or destination IP address coming from Brazil by using its 2-letter country code in [ISO 3166-1 Alpha 2 ↗](https://www.iso.org/obp/ui/#search/code/) format. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "block", "expression": "ip.src.country == \"BR\"", "description": "Block traffic from Brazil" } ] }' ``` ### Use an IP list Cloudflare Network Firewall supports [using lists in expressions](https://developers.cloudflare.com/waf/tools/lists/use-in-expressions/) for the `ip.src` and `ip.dst` fields. The supported lists are: * `$cf.anonymizer` \- Anonymizer proxies * `$cf.botnetcc` \- Botnet command and control channel * `$cf.malware` \- Sources of malware * `$` \- The name of an account-level IP list Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "Example ruleset", "kind": "root", "phase": "magic_transit", "description": "Example ruleset description", "rules": [ { "action": "block", "expression": "ip.src in $cf.anonymizer", "description": "Block traffic from anonymizer proxies" } ] }' ``` ## Next steps Refer to [Form expressions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/form-expressions/) for more information on how to write rule expressions. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/add-policies/","name":"Add policies"}}]} ``` --- --- title: Best practices description: By default, Cloudflare Network Firewall allows all incoming (ingress) traffic that has passed through Cloudflare's core DDoS mitigations. To reduce your exposure to attacks and prevent unwanted traffic from reaching your network, configure rules using the following guidelines. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Best practices By default, Cloudflare Network Firewall allows all incoming (ingress) traffic that has passed through Cloudflare's core DDoS mitigations. To reduce your exposure to attacks and prevent unwanted traffic from reaching your network, configure rules using the following guidelines. If you are setting up firewall rules for the first time, start with the [Minimal ruleset](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/). If you have existing on-premises or edge firewall rules, the best approach is to replicate those rules in Network Firewall. If you are unable to export your current firewall rules, contact your Cloudflare Implementation Manager for help translating the rules into Network Firewall rules. * [ Minimal ruleset ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/) * [ Extended ruleset ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset/) * [ Magic Transit egress ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/magic-transit-egress/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/best-practices/","name":"Best practices"}}]} ``` --- --- title: Extended ruleset description: The extended ruleset builds on the Minimal ruleset by creating targeted rules for different types of systems on your network. Before creating these rules, you must create IP lists for each category. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Extended ruleset The extended ruleset builds on the [Minimal ruleset](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/) by creating targeted rules for different types of systems on your network. Before creating these rules, you must [create IP lists](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists) for each category. If you are unable to export your current perimeter firewall rules, consider identifying categories of systems or user groups that reside on your Magic Transit prefixes. For example: * [Endpoints (user devices)](#endpoints-user-devices) * [Internal routers](#internal-routerfirewall-ip-addresses) * [Web servers](#web-servers) * [Non-web servers](#non-web-servers) For each item above, consider the requirements in terms of their permitted Internet access. For example, permit what is required for legitimate traffic and block the rest. ## Create lists for using Cloudflare Network Firewall rules For more information on lists, refer to [Use rule lists](https://developers.cloudflare.com/cloudflare-one/reusable-components/use-rules-list/). You can also create a list from the dashboard from **Configurations** \> **Lists** on your **Account Home**. ## Endpoints (User devices) Endpoint devices do not operate as servers, which means: * They receive traffic from standard common ports — for example `80` or `443` — towards their ephemeral ports (temporary ports assigned by the OS for outbound connections, typically above `32768` in modern operating systems). * Connections flow outwards, not inwards, and therefore do not receive unsolicited inbound TCP connections. * They typically only need client TCP and UDP, with no requirement for ingress ICMP. For example, you can create a list for the combination of generic client TCP and client UDP that allows external pings or traceroutes and a catchall rule for all other protocols and traffic. Create a list named **Endpoints** and specify the list of endpoints or user IP addresses to reference within the rules. Warning Rule 10 in the example ruleset below is a catch-all (a final rule that matches any remaining traffic) that blocks all traffic not permitted in rules 1-3 towards your list of Endpoint IP addresses. If you want to permit other traffic to these destination IP addresses, the new rule must be added before rule 10. ### Suggested rules **Rule ID**: 1**Description**: Allows return traffic (responses to outbound requests) to ephemeral ports while blocking unsolicited inbound connections. Blocks inbound SYN-only traffic (meaning SYN-ACKs are permitted).**Match**: `ip.proto eq "tcp" and ip.dst in $endpoints and tcp.dstport in {32768..60999} and not (tcp.flags.syn and not tcp.flags.ack)` **Action**: Allow **Rule ID**: 2**Description**: Endpoints (clients) will receive traffic destined for ephemeral ports**Match**: `ip.proto eq "udp" and ip.dst in $endpoints and udp.dstport in {32768..60999}` **Action**: Allow **Rule ID**: 3**Description**: Permits ICMP traffic to destination IP addresses in `$endpoints` list with ICMP Types: * Type 0 = Echo Reply * Type 3 = Destination Unreachable * Type 11 = Time Exceeded **Match**: `ip.proto eq "icmp" and ip.dst in $endpoints and (icmp.type eq 0 or icmp.type eq 3 or icmp.type eq 11)` **Action**: Allow **Rule ID**: 10**Description**: Otherwise deny all traffic to IP's in `$endpoints` list**Match**: `ip.dst in $endpoints` **Action**: Block ## Internal router/Firewall IP addresses Follow the best practices for internal routers or firewall interface IP addresses on your MT prefixes below. 1. Create [an IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists), **Internal routers** for example, with your IP addresses. 2. Block ICMP if it is not needed. 3. Permit GRE/ESP as needed if the devices have GRE/IPsec tunnels via the Internet. ### Suggested rules **Rule ID**: 1**Description**: Permit limited ICMP traffic inbound, including: * Type 0 - Echo Reply * Type 3 - Destination Unreachable * Type 8 - Echo * Type 11 - Time Exceeded **Match**: `ip.proto eq "icmp" and ip.dst in $internal_routers and ( (icmp.type eq 0 or icmp.type eq 3) or (icmp.type eq 11) or (icmp.type eq 8) )` **Action**: Allow **Rule ID**: 2**Description**: Block all other traffic destined to these IP addresses**Match**: `ip.dst in $internal_routers` **Action**: Block ## Web Servers Web servers require careful consideration of necessary traffic flows. Traffic for the **web server** functionality is required in addition to traffic flows where the web server is acting as a client. Where possible, permit the required destination IP addresses and ports for web servers and block everything else. Additional services, for example NTP/DNS, may be required along with the ports for the web traffic. The following is an example of suggested rules, but you should only make changes based on your specific requirements. For example, if you are not proxied by Cloudflare Layer 7 protection and you expect traffic sourced from the web towards your web servers: 1. Create [an IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists), **web servers** for example, to list IP addresses for your web servers. 2. Permit traffic for the web server traffic inbound from the Internet. 3. Permit traffic for the infrastructure or client traffic flows from the Internet, for example DNS and NTP. 4. Block all other traffic destined for the web server IP addresses. ### Suggested rules **Rule ID**: 1**Description**: Allows inbound HTTP/S traffic from the Internet with SYN-only or ACK-only flag (not SYN/ACKs)**Match**: `ip.proto eq "tcp" and tcp.srcport in {32768..60999} and ip.dst in $web_servers and tcp.dstport in {80 443} and not (tcp.flags.syn and tcp.flags.ack)` **Action**: Allow **Rule ID**: 2**Description**: Allows UDP replies for DNS and NTP to web servers**Match**: `ip.dst in $web_servers and ip.proto eq "udp" and udp.srcport in {53 123} and udp.dstport in {1024..65535}` **Action**: Allow if necessary but Disable if under attack **Rule ID**: 3**Description**: Catch-all to block all other traffic destined for web server IP addresses**Match**: `ip.dst in $web_servers` **Action**: Block Alternatively, if you have Cloudflare Layer 7 protection, the Cloudflare public IP addresses can be permitted as the source IP addresses to the destination IP addresses for the HTTP/HTTPS inbound traffic. This recommendation effectively replaces Rule 1 in the example above. Warning Cloudflare's IP ranges may change. Refer to [Cloudflare's IP addresses ↗](https://www.cloudflare.com/ips/) for the current list, or use an [IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists) that you update periodically rather than hardcoding ranges in your rules. ### Suggested rules for Cloudflare proxied traffic **Description**: Allow inbound HTTP/S traffic from Cloudflare with SYN or ACK**Match**: `ip.proto eq "tcp" and ip.dst in $web_servers and tcp.dstport in {80 443} and not (tcp.flags.syn and tcp.flags.ack) and ip.src in {173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22}` **Action**: Allow ## Non-web servers Restrict the source based on whether the server is expecting traffic from the general Internet or from only specific users. 1. Apply rules based on source IP or ports if possible. 2. Restrict permitted destination ports to only those that are required. 3. Block incoming SYN to the closed ports. ### Suggested rules * `IP Destination Address { non-web server } and TCP dst port in \ — Permit` * `IP Destination Address { non-web server } and UDP dst port in \ — Permit` * `IP Destination Address { web server } — Block` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/best-practices/","name":"Best practices"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset/","name":"Extended ruleset"}}]} ``` --- --- title: Magic Transit egress description: The suggestions in the Minimal ruleset and Extended ruleset are recommendations for ingress (incoming) traffic. This page covers the additional consideration needed for egress (outgoing) traffic. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/magic-transit-egress.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Magic Transit egress The suggestions in the [Minimal ruleset](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset) and [Extended ruleset](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset) are recommendations for ingress (incoming) traffic. This page covers the additional consideration needed for egress (outgoing) traffic. Cloudflare Network Firewall does not track connection state (it is not "stateful"). A stateful firewall automatically allows return traffic for active connections — for example, if you send a request outbound, the response is allowed back in. Because Network Firewall is not stateful, each packet — whether ingress or egress — is evaluated independently against your rules. This means ingress block rules can inadvertently block egress traffic. For Magic Transit egress traffic, consider the following: * Network Firewall rules apply to both Magic Transit ingress and egress traffic passing through Cloudflare. * If you have a "default drop" catchall rule (a final rule that blocks all traffic not matched by earlier rules) for ingress traffic, you must add an earlier rule to permit traffic sourced from your Magic Transit prefix with the destination as **any** to allow outbound egress traffic. For example, place the following allow rule before any default-drop catchall rule: **Match**: `ip.src in {}` **Action**: Allow ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/best-practices/","name":"Best practices"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/best-practices/magic-transit-egress/","name":"Magic Transit egress"}}]} ``` --- --- title: Minimal ruleset description: The suggested minimal ruleset blocks some known common vectors for DDoS attacks and permits all other ESP (Encapsulating Security Payload, used in IPsec VPNs), TCP, UDP, GRE (Generic Routing Encapsulation, used for tunnels), and ICMP traffic. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Minimal ruleset The suggested minimal ruleset blocks some known common vectors for DDoS attacks and permits all other ESP (Encapsulating Security Payload, used in IPsec VPNs), TCP, UDP, GRE (Generic Routing Encapsulation, used for tunnels), and ICMP traffic. This is a suggested list and not an exhaustive list. Check which ports and protocols your infrastructure uses (for example, VPN, NTP, or database services) and ensure they are not blocked by these rules. ## Recommended rules **Rule ID**: 1 **Description**: Single rule that blocks all traffic with UDP source ports which are used in attacks or invalid in Magic Transit ingress. **Match**: `(udp.srcport in {1900 11211 389 111 19 1194 3702 10001 20800 161 162 137 27005 520 0})` **Action**: Block **Rule ID**: 2 **Description**: Blocks TCP traffic with source port `0` and common ports used in TCP SYN/ACK reflection attacks (attacks that exploit TCP handshake responses to flood a target). **Match**: `(tcp.srcport in {21 0 3306})` **Action**: Block **Rule ID**: 3 **Description**: Blocks HOPOPT (Hop-by-Hop Options, IP protocol 0), which has no legitimate use in most environments, and blocks any protocol that is not ESP, TCP, UDP, GRE, or ICMP. Permit the relevant protocols for your environment. **Match**: `(ip.proto eq "hopopt") or (not ip.proto in {"esp" "tcp" "udp" "gre" "icmp"})` **Action**: Block These rules are also available as [managed rules](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets/) that you can enable without manual configuration. The rules above are provided for reference and customization. ## Traffic and port types The information below covers traffic type, how the port is used, and reasons for blocking the port. | Traffic | Port use | Reason to block | | ---------------------------- | ----------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | | UDP source port 0 | Reserved port. Should not be used by applications. | Invalid as a legitimate traffic source port. Commonly used in DDoS attacks. | | UDP source port 1900 | Simple Service Discovery Protocol (SSDP). Allows universal plug and play devices to send and receive information. | [SSDP DDoS attacks ↗](https://www.cloudflare.com/learning/ddos/ssdp-ddos-attack/) exploit Universal Plug and Play protocols. | | UDP source port 11211 | Memcached. A database caching system designed to speed up websites and networks. | [Memcached DDoS Attacks ↗](https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/). | | UDP source port 389 | Connection-less Lightweight Directory Access Protocol (CLDAP). | [Used in reflection attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/). | | UDP source port 111 | SunRPC | Common attack vector. [Used in reflection attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/). | | UDP source port 19 | CHARGEN | [Amplification attack vector ↗](https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/). | | UDP source port 1194 | OpenVPN | Unless this is an authorized VPN in your environment, this common VPN should be blocked. | | UDP source port 3702 | Web Services Dynamic Discovery Multicast discovery protocol (WS-Discovery) | Vulnerable to exploiting for DDoS attacks. | | UDP source port 10001 | Ubiquiti UniFi discovery protocol | Ubiquiti devices were exploited and used to conduct DDoS attacks on this port. | | UDP source port 20800 | Call of Duty | [Commonly used in attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/). | | UDP source ports 161 and 162 | SNMP | Vulnerable to exploiting for DDoS attacks. | | UDP source port 137 | NetBIOS | NetBIOS allows file sharing over networks. If configured improperly, can expose file systems. | | UDP source port 27005 | SRCDS | Used in [amplication attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/). | | UDP source port 520 | Routing Information Protocol (RIP) | Internal routing protocol. Not required on Internet WAN access. | | TCP source port 0 | Reserved port. Should not be used by applications. | Commonly used in DDoS attacks. Invalid as a legitimate traffic source port. | | TCP source port 21 | FTP | Commonly used for attacks. | | TCP source port 3306 | MYSQL open source database | Used as attack vector in DDoS attacks. | ## Other common traffic to consider The list below is a common list of traffic types you should also consider blocking or restricting inbound. * SFTP, TFTP * SSH, Telnet * RDP * RCP * SMCP * NTP * Common vector for reflection attacks. Consider using [Cloudflare One traffic policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/), [1.1.1.1's DNS over HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/), or an internal DNS service if possible. Consider restricting your firewall rules to only allow the source and destination of DNS traffic. * MS-SQL * Common vector and [increasingly used as vector for DDoS attacks ↗](https://blog.cloudflare.com/ddos-attack-trends-for-2021-q4/). Block if unused or consider restricting only to the required source IP addresses. * HTTP and HTTPS * If you only have servers on your Magic Transit prefixes, consider blocking ingress traffic on TCP source ports 80 and 443 from outside. If you have endpoints on your Magic Transit prefixes, you can allow traffic on the source ports but consider creating a disabled rule you can activate to respond to reflection attacks as needed. If relevant to your environment, consider blocking based on geolocation data, which blocks traffic based on the country or user when an end user's IP address is registered in the geolocation database. If you are interested in participating in the beta for [Session Initiation Protocol (SIP) Validation ↗](https://blog.cloudflare.com/programmable-packet-filtering-with-magic-firewall/), contact your Implementation Manager. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/best-practices/","name":"Best practices"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/","name":"Minimal ruleset"}}]} ``` --- --- title: Create Rate Limiting policies (beta) description: Rate limiting policies (beta) allow you to set maximum traffic thresholds - measured in packets or bits per second — for incoming traffic destined for your network as it arrives at specific Cloudflare data centers. When traffic to a location exceeds your defined limit, the policy takes action. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Create Rate Limiting policies (beta) Rate limiting policies (beta) allow you to set maximum traffic thresholds - measured in packets or bits per second — for incoming traffic destined for your network as it arrives at specific Cloudflare data centers. When traffic to a location exceeds your defined limit, the policy takes action. This guide walks you through creating a policy that matches incoming packets and triggers when the traffic rate exceeds your configured threshold. Note For Cloudflare Advanced Network Firewall customers, rate limiting (beta) is available by request through the account team. ## Add a policy To add a policy: 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. In the **Rate limiting** tab, select **Add a policy**. 3. Fill out the information for your new policy: * Select the **Field**: At the moment, you can only choose a [data center name](https://developers.cloudflare.com/cloudflare-network-firewall/reference/network-firewall-fields/) (for example, `ORD` for Chicago). * Select the **Operator**: Choose among **equals** or **is in**. * Select the **Value**. 4. When you are done, select **Save policy**. ## Edit an existing policy To edit a policy: 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Select the **Rate limiting** tab. 3. Locate the policy you want to edit in the list and select **Edit**. 4. Edit the policy with your changes and select **Edit policy**. ## Delete an existing policy To delete an existing policy: 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Select the **Rate limiting** tab. 3. Locate the policy you want to delete from the list. 4. Select the three dots, then select **Remove**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-policies/","name":"Create Rate Limiting policies (beta)"}}]} ``` --- --- title: Enable Managed Rulesets description: With managed rulesets, you can quickly deploy pre-built firewall rules maintained by Cloudflare. You use Cloudflare Network Firewall to control which managed rules are enabled. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Enable Managed Rulesets With [managed rulesets](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/), you can quickly deploy pre-built firewall rules maintained by Cloudflare. You use Cloudflare Network Firewall to control which managed rules are enabled. In addition to enabling managed rulesets, you can also add and enable custom policies. Refer to [add policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/add-policies/). Note Before you can use managed rulesets with Cloudflare Network Firewall, your account must have managed rulesets enabled. Contact your account team to request access. To enable or disable a rule, you specify which properties should be overridden. Overrides are configured in the root ruleset of the Managed phase (the top-level ruleset that controls which managed rules are active). This root ruleset can contain only one rule, but that single rule can include multiple overrides for different managed rules. Cloudflare recommends starting with the `action` set to `log` to evaluate impact before switching to block. You have multiple options for enabling rules: * Select an individual rule and enable it. * Enable multiple rules by enabling by category in the `magic-transit-phase`. * Enable an entire ruleset. ## API ### 1\. Create a Managed phase Managed kind ruleset To create a managed ruleset, you must first build a request with the following: * `managed_ruleset_id`: The ID of the Managed phase Managed kind ruleset that contains the rule you want to enable. To find this ID, list available managed rulesets using `GET /accounts/{account_id}/rulesets?kind=managed&phase=magic_transit_managed`. * `managed_rule_id`: The ID of the rule you want to enable. Additionally, you need the properties you want to override. The properties you can override include: * `enabled`: This value can be set to `true` or `false`. When set to `true`, the rule matches packets and applies the rule's default action if the action is not overridden. When set to `false`, the rule is disabled and does not match any packets. * `action`: The value can be set to `log` so the rule only produces logs instead of applying the rule's default action. The `enabled` and `action` properties for a rule are set in the Managed phase Managed kind ruleset. All rules in the Managed phase are currently disabled by default. The example below contains a request for a Managed phase Managed Kind ruleset. Example request - Create a Managed phase Managed Kind ruleset ``` curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "name": "execute ruleset", "description": "Ruleset containing execute rules", "kind": "root", "phase": "magic_transit_managed", "rules": [ { "expression": "true", "action": "execute", "description": "Enable one rule ", "action_parameters": { "id": "", "version": "latest", "overrides": { "rules": [ { "id": "", "enabled": true, "action": "log" } ] } } } ] }' ``` ### 2\. Patch a Managed phase Managed kind ruleset Because the root ruleset can only contain one rule, you must PATCH that existing rule (rather than adding new rules) when you want to enable additional managed rules. Building off the example from the previous step, the example below enables a category to select multiple rules instead of a single rule. The category will be set to `log` mode, which means the rule can produce logs but will not accept or drop packets. Example request - Patch a Managed phase Managed kind ruleset ``` curl --request PATCH \ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "expression": "true", "action": "execute", "action_parameters": { "id": "", "version": "latest", "overrides": { "rules": [ { "id": "", "enabled": true } ], "categories": [ { "category": "simple", "enabled": true, "action": "log" } ] } } }' ``` ### 3\. Enable all rules To enable the complete ruleset or enable all rules, send the request below. Example request to enable all rules ``` curl --request PATCH \ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "expression": "true", "action": "execute", "action_parameters": { "id": "", "version": "latest", "overrides": { "enabled": true } } }' ``` ### 4\. Delete a ruleset To delete a ruleset, refer to [Delete a rule in a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/delete-rule/). ## Cloudflare One dashboard ### Enable rules You can also use the dashboard to enable managed rulesets: 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Select **Managed rulesets**. This is where the dashboard lists all your managed rules. 3. To enable a rule, turn **Status** on. ### Edit rules To edit a rule: 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Select **Managed rulesets**. This is where the dashboard lists all your managed rules. 3. Select the three dots > **Edit**. 4. Make the necessary changes, then select **Save**. ### View rules To view basic information about your rules: 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**. 2. Select **Managed rulesets**. This is where the dashboard lists all your managed rules. 3. Locate your managed rule, select the three dots > **View**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets/","name":"Enable Managed Rulesets"}}]} ``` --- --- title: Form expressions description: Rules are written using the Cloudflare Rules language - a domain-specific language (DSL) intended to mimic Wireshark semantics. For more information, refer to the Rules language documentation. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/form-expressions.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Form expressions Rules are written using the Cloudflare Rules language - a domain-specific language (DSL) intended to mimic Wireshark semantics. For more information, refer to the [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/) documentation. To start with a simple case, review below how you would match a source IP. In this expression, `ip.src` refers to the source IP address of the incoming packet, and `==` means "equals": ``` ip.src == 192.0.2.0 ``` Expressions can be more complex by joining multiple clauses via a logical operator (`&&` means AND, `||` means OR). The following expression matches packets from `192.0.2.1` that also have the TCP push or reset flag set: ``` ip.src == 192.0.2.1 && (tcp.flags.push || tcp.flags.reset) ``` ## Capabilities You can use Cloudflare Network Firewall to skip or block packets based on source or destination IP, source or destination port, protocol, packet length, or bit field match. ## Restrictions The expression engine supports CIDR notation (IP address ranges like `192.0.2.0/24`), but only inside curly-brace sets. A bare comparison will not work as expected: ``` ip.src == 192.0.2.0/24 # bad ip.src in { 192.0.2.0/24 } # good ``` Expressions have a complexity limit that is easily reached when many joined or nested clauses are in the expression. Here's an example: ``` (tcp.dstport == 1000 || tcp.dstport == 1001) && (tcp.dstport == 1002 || tcp.dstport == 1003) && (tcp.dstport == 1004 || tcp.dstport == 1005) && (tcp.dstport == 1006 || tcp.dstport == 1007) && (tcp.dstport == 1008 || tcp.dstport == 1009) && (tcp.dstport == 1010 || tcp.dstport == 1011) && (tcp.dstport == 1012 || tcp.dstport == 1013) && (tcp.dstport == 1014 || tcp.dstport == 1015) && (tcp.dstport == 1016 || tcp.dstport == 1017) ``` If the limit is reached, the response will have a `400` status code and an error message of `ruleset exceeds complexity constraints`. Split the expression across multiple rules and try again. Each rule can handle a subset of the conditions, and the firewall evaluates them in order. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/form-expressions/","name":"Form expressions"}}]} ``` --- --- title: Overview description: Unwanted network traffic — from DDoS floods to unauthorized scans — can overwhelm your infrastructure. Cloudflare Network Firewall is a firewall-as-a-service (FWaaS) delivered from the Cloudflare global network, meaning Cloudflare runs the firewall for you in the cloud instead of on your own hardware. You can apply filter rules on a variety of criteria, such as protocol (for example, TCP or UDP) and packet length, to filter unwanted traffic before it reaches your network. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Overview Protect your cloud infrastructure or network offices with advanced, scalable firewall-as-a-service protection. Enterprise-only Unwanted network traffic — from DDoS floods to unauthorized scans — can overwhelm your infrastructure. Cloudflare Network Firewall is a firewall-as-a-service (FWaaS) delivered from the Cloudflare global network, meaning Cloudflare runs the firewall for you in the cloud instead of on your own hardware. You can apply filter rules on a variety of criteria, such as protocol (for example, TCP or UDP) and packet length, to filter unwanted traffic before it reaches your network. Cloudflare Network Firewall uses Wireshark display filter syntax — a rule language originally from the popular network analysis tool [Wireshark ↗](https://www.wireshark.org/), widely used in networking and the same syntax used across other Cloudflare products. With this syntax, you can craft rules to precisely allow or deny any traffic in or out of your network. Cloudflare Network Firewall is available with the purchase of [Magic Transit](https://developers.cloudflare.com/magic-transit/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/). --- ## Features ### Intrusion Detection System (IDS) Actively monitor for a wide range of known threat signatures in your traffic. IDS scans packets for patterns that match known attacks (such as malware signatures or exploit attempts) and alerts you when it finds a match. [ Use Intrusion Detection System (IDS) ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/ids/) --- ## Related products **[Cloudflare Magic Transit](https://developers.cloudflare.com/magic-transit/)** Secure your network from incoming Internet traffic, and improve performance at Cloudflare scale. **[Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/)** Improve security and performance for your entire corporate networking, reducing cost and operation complexity. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview/","name":"Overview"}}]} ``` --- --- title: Protocol validation rules description: Cloudflare Network Firewall can validate Session Initiation Protocol (SIP) traffic — the protocol used to set up voice and video calls over IP networks (VoIP). This lets you inspect whether SIP packets are properly formatted and enforce a positive security model (only allow well-formed SIP traffic, block everything else). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/protocol-validation-rules.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Protocol validation rules Cloudflare Network Firewall can validate [Session Initiation Protocol (SIP) ↗](https://datatracker.ietf.org/doc/html/rfc2543) traffic — the protocol used to set up voice and video calls over IP networks (VoIP). This lets you inspect whether SIP packets are properly formatted and enforce a positive security model (only allow well-formed SIP traffic, block everything else). You can use the `sip` field when creating a rule to check whether packets contain valid SIP data, a Layer 7 (L7) protocol. The `sip` field evaluates to `true` for well-formed SIP packets. Refer to [Cloudflare Network Firewall fields](https://developers.cloudflare.com/cloudflare-network-firewall/reference/network-firewall-fields/), specifically the `sip` field, for more information on this topic. Currently, SIP is the only protocol supported for deep validation. Contact your account manager if you need Cloudflare Network Firewall to support additional protocols. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/protocol-validation-rules/","name":"Protocol validation rules"}}]} ``` --- --- title: Ruleset logic description: Cloudflare Network Firewall rules are performed after Cloudflare's DDoS mitigations have been applied. The two systems are independent, and therefore, permitting traffic inside Cloudflare Network Firewall does not allow it within our DDoS mitigations. Traffic can still be blocked by DDoS mitigations that are applied first in the flow through Cloudflare's systems. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/ruleset-logic.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Ruleset logic Cloudflare Network Firewall rules are performed after Cloudflare's DDoS mitigations have been applied. The two systems are independent, and therefore, permitting traffic inside Cloudflare Network Firewall does not allow it within our DDoS mitigations. Traffic can still be blocked by DDoS mitigations that are applied first in the flow through Cloudflare's systems. By default, Cloudflare Network Firewall policies allow all traffic until explicitly blocked by a rule. If no policy is configured, all traffic is permitted after DDoS mitigations have been applied. ## Security policy You have two options for configuring a security policy: * Enforce a positive security model, which blocks everything and creates allow rules for specific required traffic. * Begin with a minimal ruleset to block specific traffic and, by default, everything else is permitted. Traffic is matched in order of the configured rules. As soon as traffic is matched by an enabled rule, it is no longer validated against the later rules. Disabled rules are skipped entirely — traffic is not evaluated against them. In the dashboard under **Traffic policies** \> **Firewall policies**, rule order begins from the top and flows down your list of rules. For example, permitting all TCP traffic in a rule #4 would mean all TCP traffic is permitted. A rule #5 to block traffic for IP address `x.x.x.x` would not be checked. For best practices when configuring your security policy, refer to [Best practices](https://developers.cloudflare.com/cloudflare-network-firewall/best-practices/). ## Packet filtering policies and Magic Transit endpoint health checks Cloudflare-sourced traffic is also subject to the Cloudflare Network Firewall rules you configure. If you block all ICMP traffic, you will also block Cloudflare's [endpoint health checks](https://developers.cloudflare.com/magic-transit/reference/tunnel-health-checks/#endpoint-health-checks). When blocking ICMP traffic, ensure your rules first allow ICMP sourced from Cloudflare public IPs to your prefix endpoint IPs before applying a block ICMP rule. For a list of Cloudflare's public IPs, refer to [IP Ranges ↗](https://www.cloudflare.com/ips/). ## Cloudflare Network Firewall phases Traffic is processed in two phases: first against your Custom rules, then against Cloudflare's Managed rules. ### Custom phase ruleset The Custom phase is a set of rules you define and control. You can customize the expression, order, and actions of these rules. Cloudflare Network Firewall evaluates custom policies before managed policies in the order of precedence. Therefore, if traffic meets the conditions from a custom policy first, that is the action Cloudflare Network Firewall will take. The actions available for a custom rule are **Block** or **Skip** (allow). ### Managed phase ruleset Managed phase rulesets are maintained by Cloudflare and contain rules based on best practices, known malicious patterns, and other threat intelligence. Cloudflare maintains the expressions and order of execution for rules in the Managed phase. You can enable, disable, or set individual rules to log matching packets. Refer to [Enable managed rulesets](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets/) for more information. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/ruleset-logic/","name":"Ruleset logic"}}]} ``` --- --- title: Traffic types description: Cloudflare Network Firewall enables you to allow or block traffic on a variety of packet characteristics, including: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/traffic-types.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Traffic types Cloudflare Network Firewall enables you to allow or block traffic on a variety of packet characteristics, including: * **Source and destination IP** — the sender's and receiver's IP addresses * **Source and destination port** — the numeric port identifying the specific service (for example, port 80 for HTTP) * **Protocol** — the communication method, such as TCP or UDP * **Packet length** — the size of the packet in bytes * **Bit field match** — inspect individual flags within packet headers Cloudflare Network Firewall operates at OSI layers 3 and 4 — the network layer (IP addressing and routing) and transport layer (port-based connections). It supports protocols such as TCP (reliable, ordered connections), UDP (fast, connectionless messages), and ICMP (network diagnostic messages like ping). You can write rules against any layer 3 or 4 protocol, not only TCP and UDP. To see the full list of fields you can use when writing filter expressions, refer to [Cloudflare Network Firewall fields](https://developers.cloudflare.com/cloudflare-network-firewall/reference/network-firewall-fields/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/","name":"Packet filtering"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/traffic-policies/packet-filtering/traffic-types/","name":"Traffic types"}}]} ``` --- --- title: Proxy description: You can forward HTTP and network traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, Generic Routing Encapsulation (GRE) tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Proxy You can forward [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) and [network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/network/) traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, Generic Routing Encapsulation (GRE) tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server. The Gateway proxy is required for filtering HTTP and network traffic via the Cloudflare One Client in Traffic and DNS mode. To proxy HTTP traffic without deploying the Cloudflare One Client, you can configure [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) on your devices. ## Proxy algorithm Gateway uses the [Happy Eyeballs algorithm ↗](https://datatracker.ietf.org/doc/html/rfc6555), which tries IPv4 and IPv6 connections with a staggered fallback and uses whichever address family responds first, to proxy traffic in the following order: 1. The user's browser initiates the TCP handshake by sending Gateway a TCP SYN segment. 2. Gateway sends a SYN segment to the origin server. 3. If the origin server sends a SYN-ACK segment back, Gateway establishes separate TCP connections between the user and Gateway and between Gateway and the origin server. 4. Gateway inspects and filters traffic received from the user. 5. If the traffic passes inspection, Gateway proxies traffic bidirectionally between the user and the origin server. flowchart TD %% Accessibility accTitle: How Gateway proxy works accDescr: Flowchart describing how the Gateway proxy uses the Happy Eyeballs algorithm to establish TCP connections and proxy user traffic. %% Flowchart A[User's device sends TCP SYN to Gateway] --> B[Gateway sends TCP SYN to origin server] B --> C{{Origin server responds with TCP SYN-ACK?}} C -->|Yes| E[TCP handshakes completed] C -->|No| D[Connection fails] E --> F{{Connection allowed?}} F -->|Allow policy| G[Gateway proxies traffic bidirectionally] F -->|Block policy| H[Connection blocked by firewall policies] %% Styling style D stroke:#D50000 style G stroke:#00C853 style H stroke:#D50000 ## Supported protocols Gateway supports proxying TCP, UDP, and ICMP traffic. ### TCP When the proxy is enabled, Gateway will always forward TCP traffic. By default, TCP connection attempts will timeout after 30 seconds and idle connections will disconnect after 8 hours. ### UDP The UDP proxy forwards UDP traffic such as VoIP, [internal DNS requests](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/), and thick client applications. HTTP/3 uses the QUIC protocol over UDP. To inspect HTTP/3 traffic, turn on both TLS decryption and the UDP proxy. Gateway will then intercept the HTTP/3 connection and connect to the origin server over HTTP/2\. Otherwise, HTTP/3 traffic will bypass inspection. For more information on browser-specific behavior, refer to [HTTP/3 inspection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/). ### ICMP (Internet Control Message Protocol) Beta The ICMP proxy allows ICMP traffic to reach your private network through Gateway. For example, this would allow a Cloudflare One Client user to run diagnostic commands such as `ping` and `traceroute` to an internal server IP. Limitation Gateway cannot log or filter ICMP traffic. #### Allow ICMP traffic through `cloudflared` To use the ICMP proxy with Cloudflare Tunnel, you may need to configure the `cloudflared` host to allow ICMP traffic through `cloudflared`. * [ Linux ](#tab-panel-3921) * [ Docker ](#tab-panel-3922) 1. Ensure that `ping_group_range` includes the Group ID (GID) of the user running `cloudflared`: a. Find the user that owns the `cloudflared` process: Terminal window ``` ps -aux | grep cloudflared ``` ``` johndoe 407 0.8 1.7 1259904 35296 ? Ssl 21:02 0:00 /usr/bin/cloudflared --no-autoupdate tunnel run --token eyJhI... ``` b. Get the Group ID of the `cloudflared` user: Terminal window ``` id -g johndoe ``` ``` 10001 ``` c. Determine the Group IDs that are allowed to use ICMP: Terminal window ``` sudo sysctl net.ipv4.ping_group_range ``` ``` net.ipv4.ping_group_range= 0 10000 ``` d. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update `ping_group_range`: Terminal window ``` echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range ``` e. If you need to make the change apply to an already running process, you need to restart `cloudflared`. To make the change persist on reboot, update your `systcl` parameters: Terminal window ``` echo "net.ipv4.ping_group_range = 0 10001" | sudo tee -a /etc/sysctl.d/99-cloudflared.conf ``` 2. If you are running multiple network interfaces (for example, `eth0` and `eth1`), configure `cloudflared` to use the external Internet-facing interface: Terminal window ``` cloudflared tunnel run --icmpv4-src ``` In your environment, modify the `ping_group_range` parameter to include the Group ID (GID) of the user running `cloudflared`. By default the [cloudflared Docker container ↗](https://github.com/cloudflare/cloudflared/blob/master/Dockerfile#L29C6-L29C13) executes as a user called `nonroot` inside of the container. `nonroot` is a specific user that exists in the [base image ↗](https://github.com/GoogleContainerTools/distroless/blob/859eeea1f9b3b7d59bdcd7e24a977f721e4a406c/base/base.bzl#L8) we use, and its Group ID is hardcoded to 65532. ## Turn on the Gateway proxy The Gateway proxy toggle only applies to traffic from Cloudflare One Client devices. Gateway will always proxy traffic sent with [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) or [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) regardless of this setting. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 2. In **Proxy and inspection settings**, turn on **Allow Secure Web Gateway to proxy traffic**. 3. Select **TCP**. 4. (Optional) Depending on your use case, you can select **UDP** and/or **ICMP**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/proxy/","name":"Proxy"}}]} ``` --- --- title: Resolver policies description: By default, Gateway sends DNS requests to 1.1.1.1, Cloudflare's public DNS resolver, for resolution. Enterprise users can instead create Gateway policies to route DNS queries to custom resolvers. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/resolver-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Resolver policies Note Only available on Enterprise plans. By default, Gateway sends DNS requests to [1.1.1.1](https://developers.cloudflare.com/1.1.1.1/), Cloudflare's public DNS resolver, for resolution. Enterprise users can instead create Gateway policies to route DNS queries to custom resolvers. flowchart TD %% Accessibility accTitle: How Gateway routes DNS queries accDescr: Flowchart describing the order Cloudflare Gateway routes a DNS query from an endpoint through DNS and resolver policies back to the user. %% Flowchart user(["User"])-->endpoint[/"Gateway DNS endpoint"/] endpoint-->query["DNS policy (query)"] query-->resolver["Resolver policy"] resolver--"Routes to
custom resolver"-->response["DNS policy (response)"] response--"Returns response"-->user Gateway will route user traffic to your configured DNS resolver based on the matching policy, even if your resolvers' IP addresses overlap. ## Use cases You may use resolver policies if you require access to non-publicly routed domains, such as private network services or internal resources. You may also use resolver policies if you need to access a protected DNS service or want to simplify DNS management for multiple locations. ### Internal DNS Beta [Cloudflare Internal DNS](https://developers.cloudflare.com/dns/internal-dns/) allows you to manage DNS records for internal resources on a private network. DNS zones configured in Internal DNS can only be queried by the Gateway resolver. With resolver policies, you can determine how Gateway resolves your organization's DNS queries to resolve to internal resources based on the context of the query, such as known source IPs for a geographic location. To get started with resolving internal DNS queries with resolver policies, refer to [Get started](https://developers.cloudflare.com/dns/internal-dns/get-started/). ### Local Domain Fallback Use resolver policies when your DNS server is reachable from Cloudflare's network — for example, through a Cloudflare Tunnel, IPsec/GRE tunnel, or the public Internet. Use [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) when the DNS server is only reachable from the user's device. If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply your client-side Local Domain Fallback rules first. If you onboard DNS queries to Gateway with the Cloudflare One Client and route them with resolver policies, the source IP of the queries will be the IP address assigned by the Cloudflare One Client. Local Domain Fallback or Gateway Resolver policies? If your DNS server can be configured to connect to a Cloudflare on-ramp, Cloudflare recommends using Gateway Resolver policies rather than Local Domain Fallback. Gateway Resolver policies provide more visibility by allowing you to log and review DNS traffic. ## Resolver connections Resolver policies support TCP and UDP connections. Custom resolvers can point to the Internet via IPv4 or IPv6, or to a private network service, such as a [Magic tunnel](https://developers.cloudflare.com/magic-transit/how-to/configure-tunnel-endpoints/). Policies default to port `53`. You can change which port your resolver uses by customizing it in your policy. You can protect your authoritative nameservers from DDoS attacks by enabling [DNS Firewall](https://developers.cloudflare.com/dns/dns-firewall/). ### Cloudflare Tunnel You can configure connections to a private resolver connected to Cloudflare with [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). To ensure `cloudflared` can route UDP traffic to your resolver, connect your tunnel via [QUIC](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#protocol). For more information on connecting a private DNS resolver to Cloudflare with Cloudflare Tunnel, refer to [Private DNS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/). ### Cloudflare WAN To enable connections to a private resolver connected to Cloudflare via [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/), contact your account team. ### Available DNS endpoints Resolver policies can route queries for resolution from the following DNS endpoints: * IPv4 * IPv6 * [DNS over HTTPS (DoH)](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/) * [DNS over TLS (DoT)](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-tls/) * DNS queries generated by Cloudflare [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) and [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) * DNS queries generated by [proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) Gateway will filter, resolve, and log your queries regardless of endpoint. ## Create a resolver policy Virtual network limitation Resolver policies do not automatically update when you change the virtual networks associated with a route. If you move a route from one virtual network to another, the resolver policy will still reference the old virtual network. You will need to manually remove and recreate the resolver policy to update the route. To create a resolver policy: * [ Dashboard ](#tab-panel-3923) * [ Terraform (v5) ](#tab-panel-3924) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Resolver policies**. 2. Select **Add a policy**. 3. Create an expression for your desired traffic. For example, you can resolve a hostname for an internal service: | Selector | Operator | Value | | -------- | -------- | -------------------- | | Host | in | internal.example.com | Make sure your destination is not subject to [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#manage-local-domains). 4. In **Select DNS resolver**, choose _Configure custom DNS resolvers_. 5. Enter the IP addresses of your custom DNS resolver. As you enter an IP address, Gateway will search through your [virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) configured in Zero Trust. 6. In **Network**, choose whether to route queries publicly (to the Internet) or privately (to a private network service). 7. (Optional) Enter a custom port for each IP address. 8. Select **Create policy**. Custom resolvers are saved to your account for future use. You can add up to 10 IPv4 and 10 IPv6 addresses to a policy. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken): * `Zero Trust Write` 2. Create a resolver policy using the [cloudflare\_zero\_trust\_gateway\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fpolicy) resource: ``` resource "cloudflare_zero_trust_gateway_policy" "resolver_policy" { name = "Example resolver policy" enabled = true account_id = var.cloudflare_account_id description = "TERRAFORM MANAGED resolver policy" action = "resolve" traffic = "dns.fqdn in {\"internal.example.com\"}" identity = "identity.email in {\"jdoe@example.com\"}" precedence = 1 rule_settings = { dns_resolvers = { # You can add up to 10 IPv4 and 10 IPv6 addresses to a policy. ipv4 = [{ ip = "192.0.2.24" port = 53 route_through_private_network = true vnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id }] ipv6 = [{ ip = "2001:DB8::" port = 53 route_through_private_network = true vnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id }] } } } ``` When a user's query matches a resolver policy, Gateway will send the query to your listed resolvers in the following order: 1. Public resolvers 2. Private resolvers behind the default virtual network for your account 3. Private resolvers behind a custom virtual network Gateway will cache the fastest resolver for use in subsequent queries. Resolver priority is cached on a per user basis for each data center. For more information on creating a DNS policy, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). Terraform provider v4 precedence limitation To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint. To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). ## Selectors ### Content Categories Use this selector to filter domains belonging to specific [content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories). | UI name | API example | Evaluation phase | | ------------------ | --------------------------------------- | --------------------- | | Content Categories | any(dns.content\_category\[\*\] in {1}) | Before DNS resolution | ### DNS Resolver IP Use this selector to apply policies to DNS queries that arrived to your Gateway Resolver IP address aligned with a registered DNS location. For most Gateway customers, this is an IPv4 anycast address and policies created using this IPv4 address will apply to all DNS locations. However, each DNS location has a dedicated IPv6 address and some Gateway customers have been supplied with a dedicated IPv4 address — these both can be used to apply policies to specific registered DNS locations. | UI name | API example | Evaluation phase | | --------------- | ------------------------------------------- | --------------------- | | DNS Resolver IP | any(dns.resolved\_ip\[\*\] == 198.51.100.0) | Before DNS resolution | ### DoH Subdomain Use this selector to match against DNS queries that arrive via DNS-over-HTTPS (DoH) destined for the DoH endpoint configured for each DNS location. For example, you can use a DNS location with a DoH endpoint of `abcdefg.cloudflare-gateway.com` by choosing the DoH Subdomain selector and inputting a value of `abcdefg`. | UI name | API example | Evaluation phase | | ------------- | ------------------------------- | --------------------- | | DOH Subdomain | dns.doh\_subdomain == "abcdefg" | Before DNS resolution | ### Domain Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. | UI name | API example | Evaluation phase | | ------- | --------------------------------------- | --------------------- | | Domain | any(dns.domains\[\*\] == "example.com") | Before DNS resolution | Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). ### Host Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. | UI name | API example | Evaluation phase | | ------- | ------------------------- | --------------------- | | Host | dns.fqdn == "example.com" | Before DNS resolution | Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). Note Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. ### Location Use this selector to apply policies to a specific [Gateway DNS location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) or set of locations. | UI name | API example | Evaluation phase | | -------- | --------------------------------------------------------- | --------------------- | | Location | dns.location in {"location\_uuid\_1" "location\_uuid\_2"} | Before DNS resolution | ### Query Record Type Use this selector to choose the DNS resource record type that you would like to apply policies against. For example, you can match `A` records for a domain but not `MX` records. | UI name | API example | Evaluation phase | | ----------------- | ------------------------- | --------------------- | | Query Record Type | dns.query\_rtype == "TXT" | Before DNS resolution | ### Security Categories Use this selector to match domains (and optionally, [IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category)) belonging to specific [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories). | UI name | API example | Evaluation phase | | ------------------- | ---------------------------------------- | --------------------- | | Security Categories | any(dns.security\_category\[\*\] in {1}) | Before DNS resolution | ### Source Continent Use this selector to filter based on the continent where the query arrived to Gateway from. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field: | Continent | Code | | ------------- | ---- | | Africa | AF | | Antarctica | AN | | Asia | AS | | Europe | EU | | North America | NA | | Oceania | OC | | South America | SA | | Tor network | T1 | | UI name | API example | Evaluation phase | | ------------------------------- | ---------------------------------------- | --------------------- | | Source Continent IP Geolocation | dns.src.geo.continent == "North America" | Before DNS resolution | ### Source Country Use this selector to filter based on the country where the query arrived to Gateway from. Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. | UI name | API example | Evaluation phase | | ----------------------------- | --------------------------- | --------------------- | | Source Country IP Geolocation | dns.src.geo.country == "RU" | Before DNS resolution | ### Source IP Use this selector to apply policies to the source IP address of DNS queries. For example, this could be the WAN IP address of the stub resolver used by your organization to send queries to Gateway. | UI name | API example | Evaluation phase | | --------- | --------------------------- | --------------------- | | Source IP | dns.src\_ip == 198.51.100.0 | Before DNS resolution | ### Users Use these selectors to match against identity attributes. | UI name | API example | Evaluation phase | | ----------------- | --------------------------------------------------------------------------------------------------------------- | --------------------- | | User Email | identity.email == "user@example.com" | Before DNS resolution | | User Name | identity.name == "Test User" | Before DNS resolution | | User Group IDs | any(identity.groups\[\*\].id in {"group\_id"}) | Before DNS resolution | | User Group Names | any(identity.groups\[\*\].name in {"group\_name"}) | Before DNS resolution | | User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"}) | Before DNS resolution | | SAML Attributes | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) | Before DNS resolution | ## Comparison operators Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector. | Operator | Meaning | | ------------------------ | ------------------------------------------------------------------------------------------------------------------ | | is | equals the defined value | | is not | does not equal the defined value | | in | matches at least one of the defined values | | not in | does not match any of the defined values | | in list | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | not in list | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values | | matches regex | regex evaluates to true | | does not match regex | regex evaluates to false | | greater than | exceeds the defined number | | greater than or equal to | exceeds or equals the defined number | | less than | below the defined number | | less than or equal to | below or equals the defined number | ## Value In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors. ### Regular expressions Regular expressions are evaluated using Rust. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/#wildcards). To evaluate if your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/). If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. You do not need to use an escape character (`\`) before the pipe symbol. For example, the following expression evaluates to true when the hostname matches either `.*whispersystems.org` or `.*signal.org`: | Selector | Operator | Value | | -------- | ------------- | ------------------------------------ | | Host | matches regex | .\*whispersystems.org\|.\*signal.org | In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values. ## Logical operators To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator. | Operator | Meaning | | -------- | --------------------------------------------- | | And | match all of the conditions in the expression | | Or | match any of the conditions in the expression | The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in Identity. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/resolver-policies/","name":"Resolver policies"}}]} ``` --- --- title: Troubleshoot Gateway description: This guide helps you troubleshoot common issues with Cloudflare Gateway policies. The issues are ordered by the most frequent problems. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshoot Gateway This guide helps you troubleshoot common issues with Cloudflare Gateway policies. The issues are ordered by the most frequent problems. ## Egress policies do not work as expected Egress policies are the most common category of issues for Gateway. Symptoms include traffic not using your dedicated egress IP, incorrect failover behavior, or high latency due to Gateway routing traffic through a distant data center. ### Symptom: traffic is not using your dedicated egress IP Even with an active egress policy, you may find that traffic is egressing from a default Cloudflare IP address instead of your dedicated egress IP. | Common cause | Solution | | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | DNS resolution to CGNAT (carrier-grade NAT) | When an egress policy uses a _Domain_ or _Host_ selector, Gateway must first resolve that domain. For traffic proxied through Cloudflare, this often resolves to a CGNAT IP address from the 100.64.0.0/10 range. Because this IP is internal to Cloudflare's network, it may not be subject to egress policies, which apply to traffic leaving the network. Change the selector in your egress policy from _Domain_ or _Host_ to _Destination IP_. Use the public IP addresses of the service you are trying to reach. | | Policy precedence | A different egress policy with a higher precedence (a lower number) is matching the traffic first. Remember that egress policies follow the same first-match-wins logic. | | Split Tunnel configuration | The destination IP or domain is excluded from the WARP tunnel via your [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configuration (which controls whether traffic for specific IPs or domains is sent through or excluded from the WARP tunnel). Traffic that is excluded from the tunnel will not be subject to any Gateway policies, including egress. | | No egress logs | Egress logging is available via Logpush with the Gateway Egress dataset. This is essential for troubleshooting. You can also use a third-party IP check service to verify the egress IP from a test device. | ### Symptom: failover is not working or is using the wrong IP Your primary dedicated egress IP becomes unavailable, but instead of using your configured secondary dedicated IP, traffic fails over to a default Cloudflare shared IP. | Common cause | Solution | | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Routing or configuration issue on the Cloudflare side | Document the time of the incident and collect Request IDs from Gateway HTTP or DNS logs for affected users. Open a support ticket and provide this information. Temporarily, you can edit the egress policy to set your secondary IP as the primary to restore service. | ### Symptom: users are egressing from a geographically distant location Gateway routes your users in one country (such as Australia) through a dedicated egress IP located in another region (such as Germany), causing high latency and breaking access to geo-restricted content. Common causes and solutions: | Common cause | Solution | | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Single egress policy | You may have one broad egress policy that applies to all users regardless of their location. Create location-aware egress policies. Use the _User Location_ selector in your policy to tie specific user locations to their nearest dedicated egress IP. For example, create one policy for when _User Location_ is United Kingdom, egress via London IP; create a second policy for when _User Location_ is Australia, egress via Sydney IP. | | Incorrect geolocation data | The IP address of the user's ISP may not be correctly geolocated. Check the user's location as seen by Cloudflare in the Gateway logs. If it appears incorrect, you can report it to Cloudflare Support. | ## Gateway does not apply policies in the correct order A common point of confusion is how Gateway evaluates its different policy types and the rules within them. ### Symptom: a Block policy is overriding a more specific Allow or Do Not Scan policy You have a high-precedence Allow or Do Not Scan policy for a specific application (such as Allow finance.example.com), but Gateway still block traffic with a low-precedence Block policy (such as Block All High-Risk Sites). The most important concept is [Gateway policy precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/), which Gateway enforces based on the policy's order number. A lower order number in the list means a higher precedence. Gateway stops processing further policies when it encounters the first rule that matches. To resolve Gateway policy precedence issues: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies**. 2. Review the order of your DNS, Network, and HTTP policies. 3. Ensure that your most specific Allow, Do Not Scan, or Do Not Inspect policies have a lower order number than your general Block policies. 4. Drag and drop policies to reorder them as needed. An Allow policy for `teams.microsoft.com` should be placed before a general Block policy for all file sharing applications. ## TLS decryption breaks applications Turning on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. ### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors If after turning on TLS decryption, command-line tools (such as `git`, `aws`, `kubectl`, and `terraform`) or desktop applications (such as ChatGPT or Docker) stop working, this may be due to certificate errors. Applications may return errors such as `SSL: CERTIFICATE_VERIFY_FAILED`, `self-signed certificate in certificate chain`, or similar TLS errors. These applications do not use the operating system's trust store and therefore do not trust the Cloudflare root certificate that you installed. They often have their own certificate trust store or use certificate pinning, which expects the server's original certificate, not one re-signed by Cloudflare. To resolve this issue: * [ Recommended ](#tab-panel-3925) * [ Workaround ](#tab-panel-3926) Create a targeted HTTP policy to bypass decryption for the specific domains these tools need to access. Place this policy at a higher precedence (lower order number) than your main TLS decryption policy. Create a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) that includes hosts such as `github.com`, `*.amazonaws.com`, and `*.docker.io`. | Selector | Operator | Value | Action | | -------- | -------- | ------------------ | -------------- | | Domain | in list | _CLI Tool Domains_ | Do Not Inspect | You can configure some tools to trust a custom CA or disable SSL verification. This is less secure and harder to manage at scale. For more information, refer to [Install certificate manually](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/). ### Symptom: the custom block page is not displayed When an HTTP policy blocks a user's request, their browser will return a generic error (`ERR_SSL_PROTOCOL_ERROR`) instead of your configured Gateway block page. This happens because the browser does not trust the certificate presented by the block page, which is signed by the Cloudflare root certificate. This means the certificate is not installed or not trusted on the user's device. To resolve this issue: 1. Confirm that a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed on the device. 2. Ensure the certificate is placed in the correct system-level trust store (such as, Keychain's System store on macOS, or Trusted Root Certification Authorities for the Local Computer on Windows). 3. If you are using a mobile device management (MDM) tool, verify that your deployment script correctly installs and trusts the certificate. ## Private DNS and internal resources are not working You have configured Gateway to resolve internal hostnames, but users are unable to access them. For example, a user connected to the Cloudflare One Client tries to access an internal service like `jira.mycompany.local`, but the DNS query fails. | Common causes | Solution | | ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Missing or incorrect resolver policy | Go to **Traffic policies** \> **Resolver policies**. Create a policy that matches your internal domain suffix and forwards queries to your internal DNS servers' IP addresses. | | Split Tunnel excludes the private IP range | If your internal resources are in a private IP range (such as 10.0.0.0/8), that range must be included in the tunnel. If it is in the Exclude list of your Split Tunnel configuration, the Cloudflare One Client will not proxy the traffic. | | Local Domain Fallback misconfiguration | Use resolver policies for corporate DNS. Only use Local Domain Fallback for domains specific to a user's immediate physical network. | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/troubleshoot-gateway/","name":"Troubleshoot Gateway"}}]} ``` --- --- title: Troubleshooting description: This guide helps you troubleshoot common issues with Cloudflare Gateway policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/traffic-policies/troubleshooting.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshooting This guide helps you troubleshoot common issues with Cloudflare Gateway policies. ## Blocked websites and connectivity ### A website is blocked incorrectly If you believe a domain has been incorrectly blocked by Gateway's security categories or threat intelligence, you can use the [Cloudflare Radar categorization feedback form ↗](https://radar.cloudflare.com/categorization-feedback/) to request a review. ### Error 526: Invalid SSL certificate Gateway presents a **526** error page when it cannot establish a secure connection to the origin. This typically occurs in two cases: * **Untrusted origin certificate**: The certificate presented by the origin server is expired, revoked, or issued by an unknown authority. * **Insecure origin connection**: The origin does not support modern cipher suites or redirects all HTTPS requests to HTTP. For more information, refer to [Error 526](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/). ### Error 502: Bad Gateway This issue can occur when communicating with an origin that partially supports HTTP/2\. If the origin requests a downgrade to HTTP/1.1 (for example, via a `RST_STREAM` frame with `HTTP_1_1_REQUIRED`), Gateway will not automatically reissue the request over HTTP/1.1 and will instead return a `502 Bad Gateway`. To resolve this, disable HTTP/2 at the origin server. ### Untrusted certificate warnings If users see certificate warnings for every page, ensure that the [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed and trusted on their devices. This is required for Gateway to inspect HTTPS traffic. ## Dashboard and analytics ### Gateway analytics not displayed If you do not see analytics on the Gateway Overview page: * **Verify DNS traffic**: Ensure your devices are actually sending queries to Gateway. Check your [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) and verify the source IPv4 address. * **Check other resolvers**: Ensure that no other DNS resolvers are configured on the device, as they might be bypassing Gateway. * **Wait for processing**: It can take up to 5 minutes for analytics to appear in the dashboard. ## Egress policies Egress policies symptoms include traffic not using your dedicated egress IP, incorrect failover behavior, or high latency due to Gateway routing traffic through a distant data center. ### Symptom: traffic is not using your dedicated egress IP Even with an active egress policy, you may find that traffic is egressing from a default Cloudflare IP address instead of your dedicated egress IP. | Common cause | Solution | | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | DNS resolution to CGNAT (carrier-grade NAT) | When an egress policy uses a _Domain_ or _Host_ selector, Gateway must first resolve that domain. For traffic proxied through Cloudflare, this often resolves to a CGNAT IP address from the 100.64.0.0/10 range. Because this IP is internal to Cloudflare's network, it may not be subject to egress policies, which apply to traffic leaving the network. Change the selector in your egress policy from _Domain_ or _Host_ to _Destination IP_. Use the public IP addresses of the service you are trying to reach. | | Policy precedence | A different egress policy with a higher precedence (a lower number) is matching the traffic first. Remember that egress policies follow the same first-match-wins logic. | | Split Tunnel configuration | The destination IP or domain is excluded from the WARP tunnel via your Split Tunnel configuration. Traffic that is excluded from the tunnel will not be subject to any Gateway policies, including egress. | | No egress logs | Egress logging is available via Logpush with the Gateway Egress dataset. This is essential for troubleshooting. You can also use a third-party IP check service to verify the egress IP from a test device. | ### Symptom: failover is not working or is using the wrong IP Your primary dedicated egress IP becomes unavailable, but instead of using your configured secondary dedicated IP, traffic fails over to a default Cloudflare shared IP. | Common cause | Solution | | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Routing or configuration issue on the Cloudflare side | Document the time of the incident and collect Request IDs from Gateway HTTP or DNS logs for affected users. Open a support ticket and provide this information. Temporarily, you can edit the egress policy to set your secondary IP as the primary to restore service. | ### Symptom: users are egressing from a geographically distant location Gateway routes your users in one country (such as Australia) through a dedicated egress IP located in another region (such as Germany), causing high latency and breaking access to geo-restricted content. | Common cause | Solution | | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Single egress policy | You may have one broad egress policy that applies to all users regardless of their location. Create location-aware egress policies. Use the _User Location_ selector in your policy to tie specific user locations to their nearest dedicated egress IP. For example, create one policy for when _User Location_ is United Kingdom, egress via London IP; create a second policy for when _User Location_ is Australia, egress via Sydney IP. | | Incorrect geolocation data | The IP address of the user's ISP may not be correctly geolocated. Check the user's location as seen by Cloudflare in the Gateway logs. If it appears incorrect, you can report it to Cloudflare Support. | ## Policy precedence A common point of confusion is how Gateway evaluates its different policy types and the rules within them. ### Symptom: a Block policy is overriding a more specific Allow or Do Not Scan policy You have a high-precedence Allow or Do Not Scan policy for a specific application (such as Allow finance.example.com), but Gateway still block traffic with a low-precedence Block policy (such as Block All High-Risk Sites). The most important concept is [Gateway policy precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/), which Gateway enforces based on the policy's order number. A lower order number in the list means a higher precedence. Gateway stops processing further policies when it encounters the first rule that matches. To resolve Gateway policy precedence issues: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies**. 2. Review the order of your DNS, Network, and HTTP policies. 3. Ensure that your most specific Allow, Do Not Scan, or Do Not Inspect policies have a lower order number than your general Block policies. 4. Drag and drop policies to reorder them as needed. An Allow policy for `teams.microsoft.com` should be placed before a general Block policy for all file sharing applications. ## TLS decryption breaks applications Turning on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. ### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors If after turning on TLS decryption, command-line tools (such as `git`, `aws`, `kubectl`, and `terraform`) or desktop applications (such as ChatGPT or Docker) stop working, this may be due to certificate errors. Applications may return errors such as `SSL: CERTIFICATE_VERIFY_FAILED`, `self-signed certificate in certificate chain`, or similar TLS errors. These applications do not use the operating system's trust store and therefore do not trust the Cloudflare root certificate that you installed. They often have their own certificate trust store or use certificate pinning, which expects the server's original certificate, not one re-signed by Cloudflare. To resolve this issue: * [ Recommended ](#tab-panel-3927) * [ Workaround ](#tab-panel-3928) Create a targeted HTTP policy to bypass decryption for the specific domains these tools need to access. Place this policy at a higher precedence (lower order number) than your main TLS decryption policy. Create a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) that includes hosts such as `github.com`, `*.amazonaws.com`, and `*.docker.io`. | Selector | Operator | Value | Action | | -------- | -------- | ------------------ | -------------- | | Domain | in list | _CLI Tool Domains_ | Do Not Inspect | You can configure some tools to trust a custom CA or disable SSL verification. This is less secure and harder to manage at scale. For more information, refer to [Install certificate manually](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/). ### Symptom: the custom block page is not displayed When an HTTP policy blocks a user's request, their browser will return a generic error (`ERR_SSL_PROTOCOL_ERROR`) instead of your configured Gateway block page. This happens because the browser does not trust the certificate presented by the block page, which is signed by the Cloudflare root certificate. This means the certificate is not installed or not trusted on the user's device. To resolve this issue: 1. Confirm that a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed on the device. 2. Ensure the certificate is placed in the correct system-level trust store (such as, Keychain's System store on macOS, or Trusted Root Certification Authorities for the Local Computer on Windows). 3. If you are using an MDM, verify that your deployment script correctly installs and trusts the certificate. ## Private DNS and internal resources are not working You have configured Gateway to resolve internal hostnames, but users are unable to access them. For example, a user connected to the Cloudflare One Client tries to access an internal service like `jira.mycompany.local`, but the DNS query fails. | Common causes | Solution | | ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Missing or incorrect resolver policy | Go to **Traffic policies** \> **Resolver policies**. Create a policy that matches your internal domain suffix and forwards queries to your internal DNS servers' IP addresses. | | Split Tunnel excludes the private IP range | If your internal resources are in a private IP range (such as 10.0.0.0/8), that range must be included in the tunnel. If it is in the Exclude list of your Split Tunnel configuration, the Cloudflare One Client will not proxy the traffic. | | Local Domain Fallback misconfiguration | Use resolver policies for corporate DNS. Only use Local Domain Fallback for domains specific to a user's immediate physical network. | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/traffic-policies/","name":"Traffic policies"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/traffic-policies/troubleshooting/","name":"Troubleshooting"}}]} ``` --- --- title: Cloud and SaaS findings description: Cloudflare's API-driven Cloud Access Security Broker (CASB) integrates with SaaS applications and cloud environments to scan for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/cloud-and-saas-findings/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Cloud and SaaS findings Availability Available for all Zero Trust users. Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of a finding instance. Cloudflare's API-driven [Cloud Access Security Broker ↗](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) (CASB) integrates with SaaS applications and cloud environments to scan for misconfigurations, unauthorized user activity, [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/), and other data security issues that can occur after a user has successfully logged in. For a list of available findings, refer to [Cloud and SaaS integrations](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/). ## Manage CASB integrations When you integrate a third-party SaaS application or cloud environment with Cloudflare CASB, you allow CASB to make API calls to its endpoint and read relevant data on your behalf. The CASB integration permissions are read-only and follow the least privileged model. In other words, only the minimum access required to perform a scan is granted. ### Prerequisites Before you can integrate a SaaS application or cloud environment with CASB, your account with that integration must meet certain requirements. Refer to the SaaS application or cloud environment's [integration guide](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) to learn more about the prerequisites and permissions. ### Add an integration 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**. 2. Select **Connect an integration** or **Add integration**. 3. Browse the available integrations and select the application you would like to add. 4. Follow the step-by-step integration instructions in the UI. 5. To run your first scan, select **Save integration**. After the first scan, CASB will automatically scan your SaaS application or cloud environment on a frequent basis to keep up with any changes. Scan intervals will vary due to each application having their own set of requirements, but the frequency is typically between every 1 hour and every 24 hours. Once CASB detects at least one finding, you can [view and manage your findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/). ### Pause an integration 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**. 2. Find the integration you would like to pause and select **Configure**. 3. To stop scanning the application, turn off **Scan for findings**. 4. Select **Save integration**. You can resume CASB scanning at any time by turning on **Scan for findings**. ### Delete an integration Warning When you delete an integration, all keys and OAuth data will be deleted. This means you cannot restore a deleted integration or its scanned data. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**. 2. Find the integration you would like to delete and select **Configure**. 3. Select **Disenroll**. To resume scanning the integration for findings, you will need to [add the integration](#add-an-integration) again. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/cloud-and-saas-findings/","name":"Cloud and SaaS findings"}}]} ``` --- --- title: Scan for sensitive data description: You can use Cloudflare Data Loss Prevention (DLP) to discover if files stored in a SaaS application contains sensitive data. To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then add the profile to a CASB integration. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/cloud-and-saas-findings/casb-dlp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Scan for sensitive data Note Requires Cloudflare CASB and Cloudflare DLP. You can use [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to discover if files stored in a SaaS application contains sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration. ## Supported integrations * [Amazon Web Services (AWS) S3](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/) * [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/) * [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/) * [Google Cloud Platform (GCP) Cloud Storage](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/gcp-cloud-storage) * [Google Drive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive/) * [Microsoft OneDrive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive/) * [Microsoft SharePoint](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint/) * [Microsoft 365 Copilot](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot/) * [OpenAI](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/) * [Anthropic](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/) ## Configure a DLP profile You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, datasets, and document fingerprints. ### Configure a predefined profile 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Choose a [predefined profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Edit**. 3. Enable one or more **Detection entries** according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries. 4. Select **Save profile**. Your DLP profile is now ready to use with CASB. ### Build a custom profile 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Select **Create profile**. 3. Enter a name and optional description for the profile. 4. Add custom or existing detection entries. Add a custom entry 1. Select **Add custom entry** and give it a name. 2. In **Value**, enter a regular expression (or regex) that defines the text pattern you want to detect. For example, `test\d\d` will detect the word `test` followed by two digits. * Regular expressions are written in Rust. We recommend validating your regex with [Rustexp ↗](https://rustexp.lpil.uk/). * DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length. * DLP does not support regular expressions with `+` or `*` operators because they are prone to exceeding the length limit. For example, the regex pattern `a+` can detect an infinite number of `a` characters. We recommend using `a{min,max}` instead, such as `a{1,1024}`. 3. To save the detection entry, select **Done**. Add existing entries Existing entries include [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and [user-defined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/) detection entries. 1. Select **Add existing entries**. 2. Choose which entries you want to add, then select **Confirm**. 3. To save the detection entry, select **Done**. 5. (Optional) Configure [**profile settings**](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile. 6. Select **Save profile**. Your DLP profile is now ready to use with CASB. For more information, refer to [Configure a DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/). ## Enable DLP scans in CASB ### Add a new integration 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**. 2. Select **Connect an integration** and choose a [supported integration](#supported-integrations). 3. During the setup process, you will be prompted to select DLP profiles for the integration. 4. Select **Save integration**. CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete. ### Modify an existing integration 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**. 2. Choose a [supported integration](#supported-integrations) and select **Configure**. 3. Under **DLP profiles**, select the profiles that you want the integration to scan for. 4. Select **Save integration**. If you enable a DLP profile from the **Manage integrations** page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes: * Contents of the file * Name of the file * Visibility of the file (only if changed to publicly accessible) * Owner of the file * Location of the file (for example, moved to a different folder) In order to scan historical data, you must enable the DLP profile during the [integration setup flow](#add-a-new-integration). ## Limitations DLP in CASB will only scan: * [Text-based files](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported. * Files less than or equal 100 MB in size. * Source code with a minimum size of 5 KB for Java and R. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/cloud-and-saas-findings/","name":"Cloud and SaaS findings"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/cloud-and-saas-findings/casb-dlp/","name":"Scan for sensitive data"}}]} ``` --- --- title: Manage findings description: Findings are security issues detected within SaaS and cloud applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Cloudflare One and immediately start taking action on the issues found. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/cloud-and-saas-findings/manage-findings.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manage findings Findings are security issues detected within SaaS and cloud applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Cloudflare One and immediately start taking action on the issues found. ## Prerequisites * You have added a [Cloud and SaaS integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/). * Your scan has surfaced at least one security finding. ## Posture findings Posture findings include misconfigurations, unauthorized user activity, and other data security issues. To view details about the posture findings that CASB found: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**. 2. Choose **SaaS** or **Cloud**. 3. To view details about a finding, select the finding's name Cloud & SaaS findings will display details about your posture finding, including the finding type, [severity level](#severity-levels), number of instances, associated integration, current status, and date detected. For more information on each instance of the finding, select **Manage**. To manage the finding's visibility, you can update the finding's [severity level](#severity-levels) or [hide the finding](#hide-findings) from view. Additionally, some findings provide a remediation guide to resolve the issue or support [creating a Gateway HTTP policy](#resolve-finding-with-a-gateway-policy) to block the traffic. ### Severity levels Cloudflare CASB labels each finding with one of the following severity levels: | Severity level | Urgency | | -------------- | ---------------------------------------------------------------------------- | | Critical | Suggests the finding is something your team should act on today. | | High | Suggests the finding is something your team should act on this week. | | Medium | Suggests the finding should be reviewed sometime this month. | | Low | Suggests the finding is informational or part of a scheduled review process. | #### Change the severity level You can change the severity level for a finding at any time in case the default assignment does not suit your environment: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**. 2. Locate the finding you want to modify and select **Manage**. 3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_). The new severity level will only apply to the posture finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change. ## Content findings Content findings include instances of potential data exposure as identified by [DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/). To view details about the content findings that CASB found: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Content Findings**. 2. Choose **SaaS** or **Cloud**. 3. To view details about a finding, select the finding's name. Cloud & SaaS findings will display details about your content finding, including the file name, a link to the file, matching DLP profiles, associated integration, and date detected. AWS users can configure a [compute account](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/#compute-account) to scan for data security resources within their S3 resources. ## View shared files File findings for some integrations (such as [Microsoft 365](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#file-sharing) and [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file: * [ Posture finding ](#tab-panel-3445) * [ Content finding ](#tab-panel-3446) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**. 2. Choose **SaaS** or **Cloud**. 3. Locate the individual finding, then select **Manage**. 4. In **Active Instances**, select the file name. 5. In **Shared Links**, select the linked file instance. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Content Findings**. 2. Choose **SaaS** or **Cloud**. 3. Select the file name of the detected asset. 4. In **Sharing details**, select the linked file instance. ## Hide findings After reviewing your findings, you may decide that certain posture findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab. ### Ignore a finding 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**. 2. Locate the active finding you want to hide. 3. In the three-dot menu, select **Move to ignore**. The finding's status will change from **Active** to **Ignored**. CASB will continue to scan for these findings and report detections. You can change ignored findings back to **Active** with the same process at any time. ### Hide an instance of a finding 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**. 2. Choose the active finding you want to hide, then select **Manage**. 3. In **Active**, find the instance you want to hide. 4. In the three-dot menu, select **Move to hidden**. The instance will be moved from **Active** to **Hidden** within the finding. If the finding occurs again for the same user, CASB will report the new instance quietly in the **Hidden** tab. You can move hidden instances back to the **Active** tab at any time. ## Remediate findings In addition to detecting and surfacing misconfigurations or issues with SaaS and cloud applications, CASB can also remediate findings directly in applications. ### Configure remediation permissions Before you can remediate findings, [add a new integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) and choose _Read-Write mode_ during setup. Alternatively, you can update an existing integration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**. 2. Choose your integration, then select **Configure**. 3. In **Integration permissions**, choose _Read-Write mode_. 4. Select **Update integration**. CASB will redirect you to your Microsoft 365 configuration. 5. Sign in to your organization, then select **Accept**. CASB can now remediate supported findings directly. ### Remediate a finding To remediate a supported finding: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Posture Findings**. 2. Choose a supported finding type, then select **Manage**. 3. In **Active Instances**, select an instance. 4. In **Remediation details**, choose a remediation action to take. CASB will begin remediating the instance. ### Manage remediated findings Remediated findings will appear in **Cloud & SaaS findings** \> **Posture Findings**. The status of the finding will change depending on what action CASB has taken: | Status | Description | | ---------- | --------------------------------------------------------------------------------------------------------------- | | Pending | CASB has set the finding to be remediated. | | Queued | CASB has queued the finding for remediation. | | Processing | CASB is currently remediating the finding. | | Validating | CASB successfully completed the remediation and is waiting for confirmation that the finding has been resolved. | | Completed | CASB successfully remediated the finding and validated that the finding has been resolved. | | Failed | CASB unsuccessfully remediated the finding. | | Rejected | CASB does not have the correct permissions to remediate the finding. | If the status is **Completed**, remediation succeeded. If the status is **Failed** or **Rejected**, remediation failed, and you can select the finding to take action again. CASB will log remediation actions in **Logs** \> **Admin**. For more information, refer to [Cloudflare One Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/). ## Resolve finding with a Gateway policy Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your organization's security policy. You can view a CASB finding, like the use of an unapproved application, then immediately prevent or control access with Gateway. CASB supports creating a Gateway policy for findings from the [Google Workspace integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/): Supported CASB findings for Gateway policies * Google Workspace: File publicly accessible with edit access * Google Workspace: File publicly accessible with view access * Google Workspace: File shared outside company with edit access * Google Workspace: File shared outside company with view access Before you begin Ensure that you have [enabled HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) for your organization. To create a Gateway policy directly from a CASB finding: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings** or **Cloud & SaaS findings** \> **Content Findings**. 2. Choose **SaaS** or **Cloud**. 3. Choose the finding you want to modify, then select **Manage**. 4. Find the instance you want to block and select its three-dot menu. 5. Select **Block with Gateway HTTP policy**. A new browser tab will open with a pre-filled HTTP policy. Note Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider. 6. (Optional) [Configure the HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. 7. Select **Save**. Your HTTP policy will now prevent future instances of the security finding. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/cloud-and-saas-findings/","name":"Cloud and SaaS findings"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/cloud-and-saas-findings/manage-findings/","name":"Manage findings"}}]} ``` --- --- title: Troubleshoot CASB description: Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Debugging ](https://developers.cloudflare.com/search/?tags=Debugging) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/cloud-and-saas-findings/troubleshoot-casb.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshoot CASB Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB). This guide covers troubleshooting steps for the Microsoft 365, Google Workspace, and GitHub integrations. For other integrations, refer to the integration's documentation. ## Integration fails to connect or returns an error Integration connection problems are the most common issue during CASB setup. If you receive an error such as "There was an error creating the integration" or are redirected back to the dashboard without the integration appearing, follow these steps. ### Check permissions in the third-party application Ensure the account you are using to authorize the integration has the necessary administrative privileges in the third-party application (for example, **Global Administrator** for Microsoft 365, **Super Admin** for Google Workspace, or **Organization Owner** for GitHub). Insufficient permissions are the leading cause of setup failures. ### Clear previous installations If the SaaS application was previously integrated with a different Cloudflare account, you must manually revoke the old Cloudflare application from within the SaaS provider's admin console. * **For Microsoft 365**: Go to **Microsoft 365 admin center** \> **Enterprise applications** and delete the existing Cloudflare One application. * **For Google Workspace**: Go to **Google Admin Console** \> **Security** \> **Access and data control** \> **API controls** and remove the Cloudflare app from third-party app access. * **For GitHub**: Go to your organization's **Settings** \> **Third-party access** and revoke the Cloudflare CASB application. After cleaning up the old app, wait a few minutes and then try the integration process again from the Cloudflare One dashboard. ### Verify OAuth permissions During setup, CASB will ask you to approve a set of permissions. The permissions requested are required for the CASB service to scan for misconfigurations and, if you choose, to take remediation actions. While some permissions may seem broad (for example, `write` access), they are necessary for actions like quarantining a file or modifying sharing settings. Refer to the specific integration guide for a detailed list of required permissions. ## Findings are stale or not updating after remediation A common point of confusion is when a resolved issue (for example, when a file is made private, or when a user is suspended) continues to appear as an active finding in the CASB dashboard. ### Understand scan frequency CASB integrations do not provide real-time updates. Scans are performed periodically to discover new findings and validate the status of existing ones. The initial scan can take several hours, and subsequent scans run approximately every 24-48 hours. ### Force a re-scan To trigger a new scan: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Integrations** \> **Cloud & SaaS**. 2. Find your integration and select **Configure**. 3. Go to **CASB**. 4. Turn off **Findings scanning**. 5. After a few minutes, turn on **Findings scanning** again. This action will queue a fresh scan of your integration. Allow several hours for your findings to reflect the new results. ## Remediation action fails in the dashboard If you attempt to use a one-click remediation action (such as "Make private") on a finding, it may result in a **Failed** status, often with a timeout error. ### Verify permissions The remediation failure may be due to the permissions for the Cloudflare app being changed or revoked in the SaaS application after the initial setup. Re-validate the integration to ensure all required permissions are still granted. ### Remediate manually As a workaround, remediate the finding directly within the SaaS application (for example, change the file's sharing settings in Google Drive). CASB will clear the finding from the dashboard after the next successful scan. ## CASB is generating false positives CASB may incorrectly flag items, such as flagging internally-shared files as public or archived Google Workspace users as inactive. ### Review finding details Carefully examine the evidence provided in the finding. An object's status in the SaaS platform may not be accurate. ### Report the issue If you confirm the finding is a false positive, report the behavior to Cloudflare Support. Provide the finding ID and as much detail as possible. This helps the Support team refine the detection logic for all customers. ### Suppress the finding While Cloudflare investigates the issue, you can use the **Suppress** action on the finding to remove it from your active list and reduce noise. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/cloud-and-saas-findings/","name":"Cloud and SaaS findings"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/cloud-and-saas-findings/troubleshoot-casb/","name":"Troubleshoot CASB"}}]} ``` --- --- title: Email security description: Cloudflare Email Security uses AI, threat intelligence, and security rules to analyze every incoming email, protecting your organization from phishing, malware, Business Email Compromise (where attackers impersonate executives or authority figures to commit fraud), vendor email fraud, and spam. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Email security Important Refer to [Area 1](https://developers.cloudflare.com/email-security/) if you are looking for the Area 1 documentation. Note If you have not yet purchased Email security, you can try Email security with Retro Scan. Refer to [Retro Scan](https://developers.cloudflare.com/cloudflare-one/email-security/retro-scan/) to learn more. Protect your email inbox with Email security. Cloudflare Email Security uses AI, threat intelligence, and security rules to analyze every incoming email, protecting your organization from phishing, malware, [Business Email Compromise ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) (where attackers impersonate executives or authority figures to commit fraud), vendor email fraud, and spam. It integrates with your existing email provider (such as Outlook or Gmail) and can be deployed via [API](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/), [BCC](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/)/[Journaling](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/), or [MX/Inline](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/). When you complete the [setup process](https://developers.cloudflare.com/cloudflare-one/email-security/setup/), the Cloudflare dashboard will display the Email security overview page. The Email security overview provides you with: * **Quick actions**, where you can: * View [submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/) * Manage detection settings: manage [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) and [additional detections](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/additional-detections/). * [Run screens](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#screen-criteria): Search, filter, reclassify, and bulk-move emails * **Recommendations**: Suggested next steps to improve your configuration. For example, submitting misclassified emails for reclassification, creating policies, or protecting users at risk of [impersonation](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). * **Email security metrics**: Activity from the last seven days. * **Recently modified policies**: A list of recently changed policies. * **Education and resources**: Links to [implementation guides](https://developers.cloudflare.com/cloudflare-one/implementation-guides/), [Email security changelogs](https://developers.cloudflare.com/cloudflare-one/changelog/email-security/), and [API documentation ↗](https://developers.cloudflare.com/api/resources/email%5Fsecurity/subresources/investigate/methods/get/) To access the Email security overview: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Go to **Email security** \> **Overview**. --- ## Troubleshooting For help resolving common issues with Email Security, refer to [Troubleshoot Email Security](https://developers.cloudflare.com/cloudflare-one/email-security/troubleshooting/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}}]} ``` --- --- title: Directories description: Directories are folders to store user data. Email security allows you to manage directories from the Cloudflare dashboard. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/directories/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Directories Directories are folders to store user data. Email security allows you to manage directories from the Cloudflare dashboard. To add a directory: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**. 2. Select **Directories**. 3. Select **Add a directory** \> **Connect an integration**. 4. Select either **Google Workspace CASB + EMAIL** or **Microsoft CASB+EMAIL**. 5. Refer to [Enable Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#enable-gmail-bcc-integration) if you choose Google Workspace. Refer to [Enable Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration) if you choose Microsoft 365. To sync a directory: 1. Locate the directory you want to sync. 2. Select the three dots, then select **Sync now**. Note The **Auto sync** option is on by default. It is recommended to keep this option on at all times to ensure directories are always synchronized. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/directories/","name":"Directories"}}]} ``` --- --- title: Manage Email security directories description: You can manage your Email security directory by editing and deleting added users. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/directories/manage-es-directories.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manage Email security directories You can manage your Email security directory by editing and deleting added users. Registered users The Email security directory contains registered users only. A registered user is a user added to the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). To modify or delete users in the Email security directory: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Directories**. 2. Select **Email security Directory**. ## Add a user To manually add a user to the Email security directory: 1. On the sidebar, go to **Settings** \> **Impersonation registry** \> **View**. 2. Select **Add a user**: * Choose **Manual input** as the **Input method**. * Under **User info**, enter the **Display name**. * Under **User email**, enter the **Email addresses**. 1. Select **Save**. To view users you manually added: 1. Go to **Directories**. 2. Select **Email security Directory**. 3. Any manually added user will be displayed under the table as **REGISTERED**. ## Edit a user To edit a user in the Email security directory: 1. Select the user you want to edit. 2. Select the three dots > **Edit**. 3. Enter a user name and/or email. 4. Select **Save**. ## Delete a user To delete a user from the Email security directory: 1. Select the user you want to delete. 2. Select the three dots > **Delete**. 3. Read the pop-up message, and then select **Delete user**. To delete multiple users from the registry at once: 1. Select the users you want to delete. 2. Select the **Action** dropdown list > **Delete**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/directories/","name":"Directories"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/directories/manage-es-directories/","name":"Manage Email security directories"}}]} ``` --- --- title: Manage integrated directories description: To manage an integrated directory: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/directories/manage-integrated-directories/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manage integrated directories To manage an integrated directory: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Directories**. 4. Under **Directory name**, select your directory. 5. You will be redirected to a page where you can manage [Groups](https://developers.cloudflare.com/cloudflare-one/email-security/directories/manage-integrated-directories/manage-groups-directory/) or [Users](https://developers.cloudflare.com/cloudflare-one/email-security/directories/manage-integrated-directories/manage-users-directory/) directories. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/directories/","name":"Directories"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/directories/manage-integrated-directories/","name":"Manage integrated directories"}}]} ``` --- --- title: Manage groups in your directory description: Email security allows you to view and manage your groups directory and their impersonation registry. When a group is added to the registry, all members are registered by default. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/directories/manage-integrated-directories/manage-groups-directory.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manage groups in your directory Email security allows you to view and manage your groups directory and their [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). When a group is added to the registry, all members are registered by default. To manage a group directory: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Directories**. 2. Locate your directory, select the three dots > **View details**. 3. Select **Groups**. ## Add groups to registry Email security allows you to add group names to the registry. To add a single group to the registry: 1. Select the group name you want to add. 2. Select the three dots > **Add to registry**. To add multiple groups to the registry at once: 1. Select the group names you want to add to the registry. 2. Select the **Action** dropdown list. 3. Select **Add to registry**. ## Remove groups from registry Email security allows you to remove group names from the registry. To remove a single group from the registry: 1. Select the group name you want to remove. 2. Select the three dots > **Remove from registry**. To remove multiple groups from the registry at once: 1. Select the group names you want to remove from registry. 2. Select the **Action** dropdown list. 3. Select **Remove from registry**. ## Filter impersonation registry You can filter the list of group names by registered and unregistered. A group name is registered when it is part of the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). A group name is unregistered when they are not part of the impersonation registry. To filter the list: 1. Select **Show filters** \> **Impersonation registry**. 2. Select one of the following: * **All**: To view registered and unregistered groups. * **Registered**: To view registered groups. * **Unregistered**: To view unregistered groups. 3. Select **Apply filters**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/directories/","name":"Directories"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/directories/manage-integrated-directories/","name":"Manage integrated directories"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/directories/manage-integrated-directories/manage-groups-directory/","name":"Manage groups in your directory"}}]} ``` --- --- title: Manage users in your directory description: Email security allows you to view and manage the impersonation registry status of your users directory. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/directories/manage-integrated-directories/manage-users-directory.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manage users in your directory Email security allows you to view and manage the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) status of your users directory. To manage users directory: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Directories**. 2. Locate your directory, select the three dots > **View details**. 3. Select **Users**. ## Add users to registry To add a single user to the registry: 1. Select the name you want to add. 2. Select the three dots > **Add to registry**. To add multiple users to the registry at once: 1. Select the names you want to add to the registry. 2. Select the **Action** dropdown list. 3. Select **Add to registry**. ## Remove users from registry Email security allows you to remove users from the registry. To remove a single user from the registry: 1. Select the name you want to remove. 2. Select the three dots > **Remove from registry**. To remove multiple users from the registry at once: 1. Select the names you want to remove from the registry. 2. Select the **Action** dropdown list. 3. Select **Remove from registry**. ## Edit a user To edit a user: 1. Under **Display name**, locate the user you want to edit. 2. Select the three dots > **Edit**. 3. Edit the user, then select **Save**. ## Filter a user You can filter the list of users by registered and unregistered. A user is registered when they are added to the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). A user is unregistered when they are not part of the impersonation registry. To filter the impersonation registry: 1. Select **Show filters** \> **Impersonation registry**. 2. Choose one of the following: * **All**: To view registered and unregistered users. * **Registered**: To view registered users. * **Unregistered**: To view unregistered users. 3. Select **Apply filters**. To filter users: 1. Select **Show filters** \> **Users**. 2. Choose one of the following: * **All**: To view users in groups and not in groups. * **Users in groups**: To view users in groups. * **Users not in groups**: To view users not in groups. 3. Select **Apply filters**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/directories/","name":"Directories"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/directories/manage-integrated-directories/","name":"Manage integrated directories"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/directories/manage-integrated-directories/manage-users-directory/","name":"Manage users in your directory"}}]} ``` --- --- title: Email security API image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/email-security-api-docs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Email security API ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/email-security-api-docs/","name":"Email security API"}}]} ``` --- --- title: Search email description: With Email security, you can use different screen criteria to search through your email, reclassify and move a certain volume of messages, find similar emails, and export messages. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/investigation/search-email.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Search email With Email security, you can use different screen criteria to search through your email, reclassify and move a certain volume of messages, find similar emails, and export messages. ## Screen criteria Email security allows you to use popular, regular, and advanced screening criteria to search through your inbox. Advanced screening will give you the most in-depth investigation of your inbox. To screen through your email traffic: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Investigation**, then **Run new screen**. 4. Choose between **Popular**, **Regular**, and **Advanced** screen methods. Refer to the explanation below to learn what each method does. The results will be displayed on a table. The table allows you to review and take action on the messages that match your chosen screening criteria. ### Popular screen A popular screen allows you to view messages based on common pre-defined criteria. To use a popular screen criteria: 1. Under **Method**, select **Popular screens**. 2. Select one of the following criteria: * **Moved emails**: View emails automatically or manually moved within the last seven days. * **Reclassified emails**: Emails that had their disposition reclassified within the last seven days. * **Malicious emails**: Emails assigned the malicious disposition within the last seven days. * **Spoof emails**: Emails assigned the spoof disposition within the last seven days. * **Suspicious emails**: Emails assigned the suspicious disposition within the last seven days. * **Spam emails**: Emails assigned to the spam disposition within the last seven days. 3. Select **Run screen**. To modify your screening criteria, under **Active screen criteria**, select **Modify**. ### Regular screen A regular screen allows you to investigate your inbox by inserting a term to screen across all criteria. To use a regular screen criteria: 1. Under **Method**, select **Regular screen**. 2. Select a **Date range**. 3. Enter a keyword. 4. Select **Run screen**. To include all emails as part of the search, enable **Include all mail**. To modify your screening criteria, under **Active screen criteria**, select **Modify**. To reset your screening criteria, select **Reset**. ### Advanced screen The advanced screen criteria gives you the option to narrow message results based on specific criteria. The advanced screen has several options (such as keywords, subject keywords, sender domain, and more) to scan your inbox. To use advanced screen criteria: 1. Under **Method**, select **Advanced screen**. 2. (Required) Select a date range. 3. (Optional) Fill in the other fields. All fields, except for Subject, must be filled with one value only. 4. Select **Run screen**. To include all emails as part of the search, enable **Include all mail**. To modify your screening criteria, under **Active screen criteria**, select **Modify**. To reset your screening criteria, select **Reset**. ## Move messages Moving messages allows you to move messages to a specific folder. You can move up to 1,000 messages at a time. To move messages: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**, and select **Investigation**. 2. On the Investigation page, select all the messages you want to move. 3. Select the **Action** dropdown, then select **Move**. 4. Select among one of the following folders: * **Inbox**: Move messages to the primary email folder. * **Junk email**: Move messages to the junk or spam folder. * **Trash**: Move messages to the trash or deleted items email folder. * **Soft delete (user recoverable)**: Move messages to the user's Deleted Items folder. This option is for Microsoft 365 only. * **Hard delete (admin recoverable)**: Delete messages from a user's inbox. 5. Select **Save**. To move messages in bulk, select **Select all messages** \> **Action** \> **Move**. ## Find similar emails Each detection has an Email Detection Fingerprint (EDF) hash that Email security sends to the Search API to retrieve similar detections. To find similar detection results: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**, and select **Investigation**. 2. On the Investigation page, under **Your matching messages**, search for the **Similar emails** column. 3. Select the number of similar emails. Selecting the number will show you a list of similar emails. ## Export messages With Email security, you can export messages to a CSV file. To export messages: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**, and select **Investigation**. 2. On the Investigation page, under **Your matching messages**, select **Export to CSV**. 3. Select **Export messages** on the pop-up message. You can export up to 500 messages from the dashboard. To export up to 1,000 matching messages, use the [API](https://developers.cloudflare.com/api/resources/email%5Fsecurity/subresources/investigate/methods/get/). To export messages in bulk, select **Select all messages** \> **Export to CSV**. ## Email status Email security allows you to review the status and actions of each email. To view status and actions for each email: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**, and select **Investigation**. 2. On the Investigation page, select the three dots. 3. Selecting the three dots will show you the following options: * If the email is quarantined: * **View details**: Refer to [Email details](#email-details) to learn more. * **View similar emails**: Find similar emails based on the `value_edf_hash` (Electronic Detection Fingerprint hash). * **Release**: Email security will no longer quarantine your chosen messages. * **Submit for review**: Choose the dispositions of your messages if they are incorrect. Refer to [Reclassify messages](#reclassify-messages) to learn more. * If the email is not quarantined: * **View details**. * **View similar emails**. * **View submission detail**. * **[Move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/)** (only available if you authorized moves). * **[Submit for review](#reclassify-messages)**. ## Email details Email security shows you the following email detail information: * Details * Action log * Raw message * Mail trace ### Details Email security displays the following details: 1. **Threat type**: Threat type of the email, for example, [credential harvester](https://developers.cloudflare.com/cloudflare-one/email-security/reference/how-es-detects-phish/), and [IP-based spam](https://developers.cloudflare.com/cloudflare-one/email-security/reference/how-es-detects-phish/). 2. **Validation**: Email validation methods [SPF ↗](https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/), [DKIM ↗](https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/), [DMARC ↗](https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/). The dashboard will display Pass if SPF, DKIM and DMARC checks have passed. 3. **Sender details**: Information include: * IP address * Registered domain * Autonomous sys number: This number identifies your [autonomous system (AS) ↗](https://www.cloudflare.com/en-gb/learning/network-layer/what-is-an-autonomous-system/). * Autonomous sys name: This name identifies your autonomous system (AS). * Country 4. **Links identified**: A list of malicious links identified by Email security. Refer to [Open links](#open-links) to open links in Security Center, Browser Isolation or an external tool of your choice. 5. **Attachments**: If an email has an attachment, the Cloudflare dashboard will display the filename, and the disposition assigned. You can open attachments in [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). Only PDF files are currently supported. 6. **Reasons for disposition**: Description of why the email was deemed as malicious, suspicious, or spam. The dashboard also displays [Cloudy summaries](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#cloudy-summaries). #### Cloudy summaries The Cloudflare dashboard uses [Cloudy](https://developers.cloudflare.com/fundamentals/reference/cloudy-ai-agent/) to explain why an email was classified as unwanted. Cloudy analyzes the underlying detection code and generates a description of the specific detection logic that led to an email final disposition. Each summary provides a rating option that allows you to provide feedback to the Email security team. Cloudy summaries are only available for emails with a final [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values). **View all signatures** allows you to view all the detections that triggered on the email, including detections that did not determine the final disposition. #### Open links You can open links in Security Center or [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), or copy and paste the link so you can investigate content in external tools. When you select a link in a suspicious email, you risk exposing your device and your company's network to malware, ransomware, and credential harvesting. Browser Isolation eliminates any risk of your device being compromised by opening all web content from unverified or suspicious sources in a safe, disposable remote browser session hosted by Cloudflare. To open links in Security Center: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Email security** \> **Investigation**. 2. Locate the message you want to open links for, select the three dots, then select **View details**. 3. Under **Details**, go to **Links identified**. 4. Locate the link you want to open, and select **Open in Security Center**. 5. You will be redirected to Investigate in the Cloudflare dashboard. 6. Select **Scan now**. 7. The dashboard will generate a report for your link. To open links in Browser Isolation: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Email security** \> **Investigation**. 2. Locate the message you want to open links for, select the three dots, then select **View details**. 3. Under **Details**, go to **Links identified**. 4. Locate the link you want to open, and select **Open in Browser Isolation**. 5. The link will open in a separate window where you will be able to browse the content securely. Alternatively, you can directly [open links in Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#open-links-in-browser-isolation). When you open a link from an email, Cloudflare will present you with a blue bar. This indicates that the page is isolated and that you are protected from any potential malicious content on that page. Note If you purchased Gateway and [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), you can perform more actions when opening links. To open and investigate a link in an external tool: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Email security** \> **Investigation**. 2. Locate the message you want to open links for, select the three dots, then select **View details**. 3. Under **Details**, go to **Links identified**. 4. Locate the link you want to open, and select **Copy URL**. 5. Paste the link in your external tool. Warning You may encounter a `400 Bad Request` error after turning Clientless Web Isolation on. If you encounter this error: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Settings** \> **Resources**. 2. Select **Generate certificate**. 3. Choose the **Expiration** (5 years is recommended), then select **Generate certificate**. Your certificate is now generated, and the dashboard will display its Deployment Status as INACTIVE. 4. Select the three dots, and then select **Activate** to activate your certificate. 5. Select the three dots, and then select **Mark as in-use**. 6. Your certificate deployment status should display AVAILABLE IN-USE. ### Action log Action log allows you to review post-delivery actions performed on your selected message. The action log displays: * **Date**: Date when the post-delivery action was performed. * **Activity**: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more. ### Raw message Raw message allows you to view the raw details of the message. You can also choose to download the email message. To download the message, select **Download .EML**. ### Mail trace Mail trace allows you to track the path your selected message took from the sender to the recipient. Mail trace displays: * **Date**: The date and time when the mail was tracked. * **Type**: An email can be inbound (email sent to you from another email), or outbound (emails sent from your email address). * **Activity**: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/investigation/","name":"Investigation"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/investigation/search-email/","name":"Search email"}}]} ``` --- --- title: Monitoring description: Once you have chosen a domain to scan, Email security allows you to monitor the traffic scanned from your email inboxes. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/monitoring/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Monitoring Once you have chosen a domain to scan, Email security allows you to monitor the traffic scanned from your email inboxes. Note With Email security, you can enable logs to send detection data to an endpoint of your choice. Refer to [Enable Email security logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) for more information. To monitor your inbox: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Under **Email security**, select **Monitoring**. The dashboard will display the following metrics: * Email activity * [Disposition evaluation](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/) * Detection details * [Impersonations](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) * [Phish submissions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/) * [Auto-move events](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) * [Detection settings metrics](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/) ## Email activity Email activity aggregates statistics about emails scanned and dispositions assigned (the number of email flagged due to a detection) within a given timeframe. To view the live number of email scanned and dispositions scanned, enable **Live mode**. ## Disposition evaluation Email traffic that flows through Email security is given a final disposition, which represents Email security's evaluation of that specific message. Disposition evaluation displays the following dispositions: * **Malicious**: Traffic associated with active threat campaigns. Malicious messages invoked multiple phishing verdict triggers and met thresholds for bad behavior. * **Recommendation**: Block. * **Spam**: Traffic associated with non-malicious, commercial campaigns. * **Recommendation**: Route to existing Spam quarantine folder. * **Bulk**: Traffic often associated with newsletters or marketing campaigns. Refer to [Graymail ↗](https://en.wikipedia.org/wiki/Graymail%5F%28email%29) for more details. * **Recommendation**: Monitor or tag. * **Suspicious**: Traffic associated with phishing campaigns (and is under further analysis by our automated systems). * **Recommendation**: Research these messages internally to evaluate legitimacy. * **Spoof**: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies ([SPF ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), [DMARC ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)) or has mismatching `Envelope From` and `Header From` values. * **Recommendation**: Block after investigating (can be triggered by third-party mail services). ## Detection details Detection details displays information about: * **Malicious** disposition: * **Email threat types**: Top malicious threat types, and their number relative to the total amount of malicious threats received. * **Targeted users**: Top number of emails targeted, and their number relative to the total amount of malicious targets. * **Malicious links**: A graph displaying the total number of malicious links and their distribution throughout the month. * **Malicious attachments**: Number of malicious attachments, and the top types of malicious files received. * **Suspicious** disposition: * **Suspicious threat types**: Top suspicious threat types, and their number relative to the total amount of threats received. * **Suspicious targets**: Top number of emails targeted, and their number relative to the total amount of malicious targets. * **Suspicious links**: A graph displaying the total number of suspicious links and their distribution throughout the month. * **Spoof** disposition: * **Spoof users (impersonated names)**: Top number of impersonated names, and their number relative to the total number of detection received. * **Spoof targets**: Top number of targeted emails. * **Sender v. envelope mismatch**: This field indicates the number of mismatches between the email address the message was sent from, and the email address the message was _actually_ sent from. ## Impersonations Impersonations are a form of phishing attack where the actor pretends to be someone else to steal sensitive information. **Impersonations** displays the number of targeted users, and a chart describing the total number of impersonation attempts. * To view all targeted users, select **View all targeted users**. * To view all impersonation emails, select **View all impersonation emails**. * To view impersonated users, select **View impersonated users**. Refer to [Trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/) to add a trusted domain, and [Impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) to add a user to the impersonation registry. ## Phish submissions Phishing is a type of attack that involves stealing sensitive information with the aim of using and selling the information. A phish submission happens when a user or an administrator reports a phishing attack. Refer to [Phish submissions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/) to learn how to submit a phish. Phish submissions displays the following information: * **All submissions**: The total number of phish submissions. * **User submissions**: The number of phish submissions reported by your users. * **Admin submissions**: The number of phish submissions reported by an administrator. Select **Review submissions** to review a filtered list of phish submissions reported by your team. ## Auto-move events Auto-move events are emails moved to different inboxes based on the disposition Email security assigned. This panel shows you the total number of auto-moves and the source folder from which these retractions are originating from. Refer to [Auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to configure auto-move events. ## Detection settings metrics Detection settings metric displays information about: * **Allowed traffic**: Traffic that Email security will exempt emails that match certain patterns from normal detection scanning. Allowed traffic shows metrics on emails that were allowed to go through user inboxes. * **Blocked traffic**: Traffic that Email security automatically blocks from senders. Blocked traffic shows metrics on emails that were blocked from user inboxes. * **Domain age**: The number of days since domain registration. Select **Configure** to configure policy and rules for [allowed traffic](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [blocked traffic](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/) and [domain age](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/additional-detections/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/monitoring/","name":"Monitoring"}}]} ``` --- --- title: Download a report description: Email security allows you to download three types of reports: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/monitoring/download-report.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Download a report Email security allows you to download three types of reports: * Disposition report * Retro scan report * Security report ## Download a disposition report A disposition report shows you all the email messages based on the type of disposition you selected. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Select **Monitoring** \> **Download report**. 3. In **Report type**, select **Email disposition report**. 4. Under **Email disposition report**, select the **Date Range** (required), and the **Disposition**. 5. Select **Export to CSV**. Refer to [Dispositions and attributes](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/) to learn more. ## Download a retro scan report Retro scan scans the last 14 days of your emails, and gives you a report on bulk, spam, spoof, suspicious and malicious emails. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Select **Monitoring** \> **Download report**. 3. In **Report type**, select **Retro Scan report**. 4. Select **View report** to view a report of your last 14 days of emails. Refer to [Retro Scan](https://developers.cloudflare.com/cloudflare-one/email-security/retro-scan/) to learn more. ## Download a security report A security report provides an overview of your email traffic. The report can be generated on the last 30, 60, 90 days, or a timeframe of your choice. The reports contains: * An executive summary: A summary of the threats detected in your organization's email traffic in the last 30 days. * Threat detection: Review metrics regarding dispositions, policy detection, and impersonation attempts. * Submissions: Review the metrics of emails your security team or users have requested to reclassify. To download a security report: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Select **Monitoring** \> **Download report**. 3. In **Report type**, select **Security report** and the **Date range**. 4. Select **Generate report**. 5. Your security report is being generated. You will receive an email with the security report attached once it is ready. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/monitoring/","name":"Monitoring"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/monitoring/download-report/","name":"Download a report"}}]} ``` --- --- title: Outbound Data Loss Prevention (DLP) description: Outbound Data Loss Prevention ensures the protection of sensitive information in outbound emails with Cloudflare Data Loss Prevention (DLP). Outbound Data Loss Prevention integrates with your inbox, and it proactively monitors your email to prevent unauthorized data leaks. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/outbound-dlp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Outbound Data Loss Prevention (DLP) Compatibility Outbound DLP is only compatible with Microsoft 365\. You need to have Microsoft E3 or E5 license to enable Outbound DLP. Outbound Data Loss Prevention ensures the protection of sensitive information in outbound emails with [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/). Outbound Data Loss Prevention integrates with your inbox, and it proactively monitors your email to prevent unauthorized data leaks. To enable Outbound DLP: 1. [Create an outbound policy](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/#1-create-an-outbound-policy). 2. [Set up DLP Assist add-in](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/#2-dlp-assist-add-in). ## 1\. Create an outbound policy An outbound policy allows you to control outbound email flow. To create an outbound DLP policy: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Email security** \> **Outbound DLP**. 2. Select **Add a policy**. 3. Name your policy. 4. Build an expression to match specific email traffic. For example, you can create a policy that blocks outbound emails containing identifying numbers: | Selector | Operator | Value | Logic | Action | | ------------------- | -------- | --------------------------------------------------------- | ----- | ------ | | Recipient email | not in | example.com | And | Block | | Matched DLP profile | in | _Social Security, Insurance, Tax, and Identifier Numbers_ | | | 5. (Optional) Choose whether to use the default block message or a custom message. 6. Select **Create policy**. After creating your policy, you can modify or reorder your policies in **Email security** \> **Outbound DLP**. ### Selectors | Selector | Description | | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | | Recipient email | The intended recipient of an outbound email. | | Email sender | The user in your organization sending an email. | | Matched DLP profile | The [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) that content of an email matches upon scan. | ## 2\. DLP Assist add-in The Data Loss Prevention (DLP) Assist add-in allows Microsoft 365 users to deploy a DLP solution for free using Cloudflare's Email security. DLP Assist add-in protects your data egress from Outlook web and dekstop client. To set up DLP Assist add-in: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Email security** \> **Outbound DLP**. 2. Select **View Microsoft add-in instructions** \> Select **Download add-in**. This downloads a `.xml` file necessary to install the add-in on the client side. 3. Set up the add-in in Microsoft 365: * Log in to the [Microsoft admin panel ↗](https://security.microsoft.com/homepage) and go to **Microsoft 365 Admin Center** \> **Settings** \> **Integrated Apps**. * Choose **Upload custom apps** and select **Office Add-in** for the application type. * Select **Upload manifest file (.xml) from device**. * Upload the Cloudflare add-in file you downloaded in step three. Then, verify and complete the wizard. It can take up to 24 hours for an add-in to propagate. The add-in works by inserting headers into the [EML ↗](https://en.wikipedia.org/wiki/EML) on the client side before the message is sent out. To block, encrypt, or send approval, you can configure rules within Microsoft Purview DLP: 1. Go to [Microsoft Purview ↗](https://purview.microsoft.com/datalossprevention/overview?tid=11648e1c-3d60-40e2-bf07-f8d481e48e2d). 2. Select **Policies** \> **Create policy**. 3. Do not choose any templates or custom policy. Select **Next**. 4. Choose a name and description for the policy: You can choose any name. However, this guide will use `Cloudflare Assist Block`. 5. Select **Next** on **Admin Units**: * Choose to only apply to **Exchange Email**. * Choose **Create or customize advanced DLP Rules**. 6. Select **Create rule**: * Create a policy name. * Add the following conditions: * **Header contains words or phrases**: `Key: cf_outbound_dlp with Value: BLOCK` * Select **AND**. * **Content is shared from Microsoft 365**: Select **with people from outside my organization**. 7. Under **Actions**, the admin can choose what to do with the message. You can use the **Restrict access or encrypt the content in Microsoft 365 locations** to block the message or encrypt it. 8. Under **User notifications**, turn on notifications. Admins can also edit the message if they want to. You can also configure if the admin wants to receive a notification under **Incident reports** \> **Use this severity level in admin alerts and reports**. 9. Select **Save**. 10. Select **Turn the Policy On Immediately**. Note The Cloudflare add-in can take up to 24 hours to propagate after install. ### Limitations Outbound DLP presents its limitations: * Outbound DLP only protects user-managed inboxes. * Outbound DLP offers the most consistent experience on Outlook Web App and Outlook desktop, due to limitations imposed by Microsoft. | Platform | Status | | ------------------------------------ | -------------------------------------------------------- | | Web client | Stable | | New Outlook desktop client - Windows | Stable | | Desktop client - macOS | Can cause scanning to be delayed due to Apple limitation | | Old Outlook desktop client | Does not work due to Microsoft limitation | | Mobile client - iOS | Unstable due to Apple limitation | | Mobile client - Android | Unstable due to Microsoft limitation | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/outbound-dlp/","name":"Outbound Data Loss Prevention (DLP)"}}]} ``` --- --- title: PhishGuard description: PhishGuard is a team of analysts that routinely inspects your email environment and responds to threats that come through your email inbox. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/phishguard.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # PhishGuard PhishGuard is a team of analysts that routinely inspects your email environment and responds to threats that come through your email inbox. While Email security uses advanced technologies to protect your email inbox, PhishGuard offers an additional human component to protect your email environment against impersonation events, suspicious items, false negatives/false positives, and any new event that automated intelligent systems may miss due to a lack of context (for example, a compromised account activity). PhishGuard only works on a post-delivery environment (only emails that have already landed in your email inbox are reviewed). As a result, PhishGuard analysts may [submit a message for review](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/#submit-messages-for-review) or [auto-move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) based on their findings. Warning Auto-moves are mandatory for PhishGuard customers. PhishGuard coordinates with the email detections team, allowing you to directly request immediate detection for specific items and implement custom detections unique to your needs. An example of this is requesting to block all PayPal traffic if you do not use PayPal for invoicing. This capability allows you to take ownership over the rules governing your email environment through PhishGuard's human intervention. Additionally, PhishGuard analysts: * Use real-time threat data to identify malicious activity. Email-based threats are responded to rapidly, and immediately reported and documented. * Review every [user](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#user-submissions) and [team](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#team-submissions) submission so your security team can focus on more critical activites. * Help you detect and mitigate threats faster, reducing the time attacks have access to your network. This also helps reducing business impact, because it prevents data breaches, financial loss, and reputational damage. To use PhishGuard: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **PhishGuard**. The dashboard will display the following metrics: * ROI Calculator * Insider threat defense * Email threat hunting * Actions * API Status * Managed email security operations * Reports ## ROI Calculator Use the ROI Calculator to compare triage durations and hourly rates to calculate PhishGuard's return on investment. The ROI Calculator displays: * Total aggregated saved number in USD dollars. * Triage duration: The amount of time in minutes spent triaging the message. * Hourly rate. ## Insider threat defense An [insider threat ↗](https://www.cloudflare.com/en-gb/learning/access-management/what-is-an-insider-threat/) is a risk to an organization's security stemming from someone associated with the organization. PhishGuard looks for threat actor groups. Insider threat defense on the dashboard displays **Insider leads** and **Insider reports generated**. **Insider leads** displays the number of emails identified as potential insider threat email. **Insider reports generated** displays the number of reports created based on insider leads. ## Email threat hunting PhishGuard reviews suspicious and highly malicious activity in your email environment. On the Cloudflare One dashboard, email threat hunting displays previously unknown phishing attacks. Email threat hunting also gives you information on **Threat leads generated** and **Total reposts generated**. ## Actions **Actions** allows you to review the most common actions taken by the PhishGuard team, such as escalations, threat hunts, and moves. ## API Status API Status allows you to monitor and configure the current status of API message auto-moves and directory integrations. Select **Message moves** to [configure auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/). Select **Directory integration** to [configure directories](https://developers.cloudflare.com/cloudflare-one/email-security/directories/). ## Managed email security operations Managed email security operations allows you to review the results of phish submissions reviewed by the PhishGuard team. It displays the following: * Total [phish submissions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/) * Tracked incidents * Median time to resolve * Resolved track incidents ## Reports Under Reports, you can review reports of threats discovered and resolved by the PhishGuard team. If you select the three dots, you can: * **View report details**: Report Details gives you the following information about each report: * **Overview**: An Overview of the report. This includes date and time of the report, type of attack performed, and more. * **Target and victimology**: Company targeted. * **Details**: Displays information such as delivery disposition, current disposition, ES Alert ID, Message-ID, Timestamp, Subject, and Attempted Fraudulent Amount. * **Indicators of compromise (IOC)**: [Indicators of compromise (IOC) ↗](https://www.cloudflare.com/en-gb/learning/security/what-are-indicators-of-compromise/) are information about a specific security breach that can help security teams determine if an attack has taken place. * Preview email. * [Move email](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/phishguard/","name":"PhishGuard"}}]} ``` --- --- title: Dispositions and attributes description: Email security uses a variety of factors to determine whether a given email message, domain, URL, or packet is part of a phishing campaign. These small pattern assessments are dynamic in nature and — in many cases — no single pattern will determine the final verdict. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/reference/dispositions-and-attributes.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Dispositions and attributes Email security uses a variety of factors to determine whether a given email message, domain, URL, or packet is part of a phishing campaign. These small pattern assessments are dynamic in nature and — in many cases — no single pattern will determine the final verdict. Detection vs. disposition Detection is the process Email security does to identify what threat an email may contain. An email can have multiple detections, but they will only have one and final disposition. The detections an email have will determine the disposition of the email. ## Dispositions Any traffic that flows through Email security is given a final disposition, which represents our evaluation of that specific message. Each message will receive only one disposition header, so your organization can take clear and specific actions on different message types. You can use disposition values when [setting up auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/). ### Available values The following disposition values follow an order of maliciousness: * **Malicious**: Traffic associated with active threat campaigns. Malicious messages invoked multiple phishing verdict triggers and met thresholds for bad behavior. * **Recommendation**: Block. * **Spam**: Traffic associated with non-malicious, commercial campaigns. * **Recommendation**: Route to existing Spam quarantine folder. * **Bulk**: Traffic often associated with newsletters or marketing campaigns. Refer to [Graymail ↗](https://en.wikipedia.org/wiki/Graymail%5F%28email%29) for more details. * **Recommendation**: Monitor or tag. * **Suspicious**: Traffic associated with phishing campaigns (and is under further analysis by our automated systems). * **Recommendation**: Research these messages internally to evaluate legitimacy. * **Spoof**: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies ([SPF ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), [DMARC ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)) or has mismatching `Envelope From` and `Header From` values. * **Recommendation**: Block after investigating (can be triggered by third-party mail services). ### Header structure When Email security adds a disposition header to an email message, that header matches the following format: ``` X-CFEmailSecurity-Disposition: [Value] ``` Note that emails with a disposition of `SPAM` will be tagged with `UCE` (unsolicited commercial emails) in their headers: ``` X-CFEmailSecurity-Disposition: UCE ``` ## Attributes Traffic that flows through Email security can also receive one or more Attributes, which indicate that a specific condition has been met. ### Available values | Attribute | Notes | | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | CUSTOM\_BLOCK\_LIST | This message matches a value you have defined in your custom block list. | | NEW\_DOMAIN\_SENDER= | Alerts to mail from a newly registered domain. Formatted as yyyy-MM-dd HH:mm:ss ZZZ. | | NEW\_DOMAIN\_LINK= | Alerts to mail with links pointing out to a newly registered domain. Formatted as yyyy-MM-dd HH:mm:ss ZZZ. | | ENCRYPTED | Email message is encrypted. | | EXECUTABLE | Email message contains an executable file. | | BEC | Indicates that an email address was contained in your [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) list. Associated with MALICIOUS or SPOOF dispositions. | ### Header structure When Email security adds a disposition header to an email message, that header matches the following format: ``` X-CFEmailSecurity-Attribute: [Value] X-CFEmailSecurity-Attribute: [Value2] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/reference/","name":"Reference"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/reference/dispositions-and-attributes/","name":"Dispositions and attributes"}}]} ``` --- --- title: How Email security detects phish description: Email security uses a variety of factors to determine whether a given email message, a web domain or URL, or specific network traffic is part of a phishing campaign (marked with a Malicious disposition) or other common campaigns (for example, Spam). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/reference/how-es-detects-phish.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # How Email security detects phish Email security uses a variety of factors to determine whether a given email message, a web domain or URL, or specific network traffic is part of a phishing campaign (marked with a [Malicious disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/)) or other common campaigns (for example, `Spam`). Note Certain URL rewrite schemes cannot be decoded (for example, Mimecast). These small pattern assessments are dynamic in nature and — in many cases — no single one in and of itself will determine the final verdict. Instead, our automated systems use a combination of factors and non-factors to clearly distinguish between a valid phishing campaign and benign traffic. ## Scope Email Security inspects email protocols such as SMTP, IMAP, and POP3 to detect phishing, business email compromise (BEC), spoofing, and malware delivered via email. For protection against DDoS attacks targeting web and network infrastructure at layers 3, 4, and 7 — including TCP, UDP, DNS, and HTTP/S traffic — refer to [DDoS Protection](https://developers.cloudflare.com/ddos-protection/). ## Sample attack types and detections ### Malicious payload attached to the message * **Example**: Classic campaign technique which utilizes a variety of active attachment types (EXE, DOC, XLS, PPT, OLE, PDF, and more) as the malicious payload for ransomware attacks, Trojans, viruses, and malware. * **Detections applied**: Machine learning (ML) models on binary bitmaps of the payload as well as higher-level attributes of the payload, with specific focus on signatureless detections for maximum coverage. Additionally, for relevant active payloads, the engine invokes a real-time sandbox to assess behavior and determine maliciousness. ### Encrypted malicious payload attached to the message, with password in message body as text * **Example**: Campaigns that induce the user to apply a password within the message body to the attachment. * **Detections applied**: Real-time lexical parsing of message body for password extraction and ML models on binary bitmaps of the payload, signatureless detections for maximum coverage. ### Encrypted malicious payload attached to the message, with password in message body as an image * **Example**: Campaigns that induce the user to apply a password within the message body to the attachment, with the entire body or part of the body being an image. * **Detections applied**: Real-time OCR parsing of message body for password extraction and ML models on binary bitmaps of the payload, signatureless detections for maximum coverage. ### Malicious payload within an archive attached to the message * **Example**: Campaigns with payloads within typical archives, such as `.zip` files. * **Detections applied**: ML detection tree on the payload, as well as decomposition of each individual archive into component parts and fragments for compound documents. ### Malicious URLs within message body * **Example**: Typical phish campaigns with a socially engineered call to action URL that will implant malware (for example, Watering Hole attacks, Malvertizing, or scripting attacks). * **Detections applied**: Continuous web crawling, followed by real-time link crawling for a select group of suspicious urls, followed by machine learning applied to URL patterns in combination with other pattern rules and topic-based machine learning models for exhaustive coverage of link-based attacks. ### Malicious payload linked through a URL in a message * **Example**: Campaigns where the URL links through to a remote malicious attachment (for example, in a `.doc` or `.pdf` file). * **Detections applied**: Remote document and/or attachment extraction followed by ML detection tree on the payload, instant crawl of links. ### Blind URL campaigns * **Example**: Entirely new domain with intentional obfuscation, seen for the first time in a campaign. * **Detections applied**: Link structure analysis, link length analysis, domain age analysis, neural net models on entire URL as well as domain and IP reputation of URL host, including autonomous system name reputation and geolocation based reputation. ### Malicious URLs within a benign attachment in the message * **Example**: Campaigns obfuscating the payload within attachments. * **Detections applied**: URL extraction within attachments, followed by above mentioned URL detection mechanisms. ### Malicious URLs within an archive attached to the message * **Example**: Campaigns obfuscating the payload within attachments. * **Detections applied**: Attachments decomposed recursively (both in archive formats and compound document formats) to extract URLs, followed by above mentioned URL detection mechanisms. ### Malicious URLs behind URL shortening services * **Example**: Campaigns leveraging Bitly, Owly, and similar services at multiple levels of redirection to hide the target URL. * **Detections applied**: URL shorteners crawled in real time at the moment of message delivery to get to the eventual target URL, followed by URL detection methods. Real-time shorterners are intentionally not crawled ahead of time due to the dynamic nature of these services and the variation of target URLs based on time and source. ### Malicious URLs associated with QR codes (QR Code Phishing Attacks, Quishing) * **Example**: Campaigns leveraging QR code image attachment to deliver malicious payload links for malware distribution and/or credential harvesting. * **Detections applied**: Resolving for images resembling QR codes into URL, followed by above mentioned URL detection mechanisms. ### Instant crawl of URLs within message body * **Example**: Typical phish campaigns with a socially engineered call to action URL that will implant a malware (for example, Watering Hole attacks, Malvertizing, or scripting attacks). * **Detections applied**: Heuristics applied to URLs in message bodies that are not already detected from ahead of time crawling and those deemed suspicious according to strict criteria are crawled in real time. ### Credential Harvesters * **Example**: Form-based credential submission attacks, leveraging known brands (Office 365, PayPal, Dropbox, Google, and more). * **Detections applied**: Continuous web crawling, computer vision on top brand lures, ML models, and infrastructure association. ### Domain Spoof Attacks * **Example**: Campaigns spoofing sender domains to refer to the recipient domain or some known partner domain. * **Detections applied**: Header mismatches, email authentication assessments, sender reputation analysis, homographic analysis, and punycode manipulation assessments. ### Domain proximity attacks * **Example**: Campaigns taking advantage of domain similarity to confuse the end user (for example, `sampledoma1n.com` or `sampledomaln.com` compared to `sampledomain.com`). * **Detections applied**: Header mismatches, email authentication assessments, and sender reputation analysis. ### Email Auth violations * **Example**: Campaigns taking advantage of incorrect or invalid sender Auth records (SPF/DKIM/DMARC) and bypassing incoming Auth-based controls. * **Detections applied**: Assessment of sender authentication records against published SPF/DKIM/DMARC records which is applied in combination with overall message attributes. ### Name Spoof Attacks / Executive Attacks (BEC) * **Example**: Campaigns targeting executives and high-value targets within the organization or using the high-value targets as sources to attack other employees within the organization. * **Detections applied**: Display names compared with known executive names for similarity using several matching models including the Levenshtein algorithm, and if matched, flagged when sender is originating from an unknown domain. ### Fileless / Linkless campaigns (BEC) * **Example**: Typically BEC campaigns with an offline call to action (call me, wire money, invoice, or others). * **Detections applied**: Message lexical analysis, subject analysis, word count assessments, and sender analysis. ### Deferred campaign attacks * **Example**: Campaigns that have no malicious payload and the URL is clean when delivered, but is activated in a deferred manner (3-4 hours later), so the end user is compromised at click time. * **Detections applied**: URL rewrites and/or DNS blocks. ### IP-based spam * **Example**: Volume-based, large scale spam campaigns primarily originating from compromised IP address spaces or botnets. * **Detections applied**: Sender and IP reputation, history, and volume analysis. ### Content-based spam * **Example**: Commodity spam largely focused on selling wares. * **Detections applied**: Sender reputation, history, volume analysis, and message content analysis for commercial intent. ### Web phishing * **Example**: Directly originated or targeted through web (for example, LinkedIn, Malvertizing, and more). * **Detections applied**: Web and DNS service and network device integrations, like web proxies and firewalls. ### Mobile phishing * **Example**: Remote employee getting phished while outside the corporate network. * **Detections applied**: Employee email protection and web and DNS services enforcement in remote users (typically through an MDM integration or an always-on VPN solution). ### Network phishing * **Example**: C2 communications for lateral spread within the network or malicious phish downloaded from an external host. Typically seen when an end user gets infected outside the organization, comes back into the network and the C2 hosts uses the infected endpoint to download the implant based on the IP address space it is now resident in. * **Detections applied**: Network device integrations (firewalls) and API-based integrations within existing orchestration services. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/reference/","name":"Reference"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/reference/how-es-detects-phish/","name":"How Email security detects phish"}}]} ``` --- --- title: Retro Scan description: Use Retro Scan to check whether your current email security provider has missed any threats. Cloudflare scans up to 14 days of emails in your Microsoft 365 mailbox and generates a report of malicious messages. Once the scan is complete, you will receive an email notification with a link to the report. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/retro-scan.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Retro Scan Use Retro Scan to check whether your current email security provider has missed any threats. Cloudflare scans up to 14 days of emails in your Microsoft 365 mailbox and generates a report of malicious messages. Once the scan is complete, you will receive an email notification with a link to the report. Note Retro Scan is only available for Microsoft 365 accounts. To start a free scan: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security** \> **Overview**. 3. Select **Start a free scan** \> **Generate report**. 4. Enable your [Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration). Once you have enabled your Microsoft integration, you will be redirected to a page where you will add your domains and specify your current email security system. 5. Generate Retro Scan report: * **Connect domains**: Select at least one domain from your integration, then select **Continue**. * **Select current solution**: Select the email security tool you are currently using, then select **Continue**. * **Review details**: Confirm the domain and current solution you selected, then select **Continue**. You will receive an email notification once the report is ready. 6. When you receive the notification email, select the link to view the full report. 7. On the Cloudflare dashboard, select **View report**. The dashboard will display **Overview** and **Details** pages. ### Overview The **Overview** page shows a summary of the scan results across your selected domains, including: * [Disposition evaluation](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/#disposition-evaluation), the verdict assigned to each scanned message (for example: malicious, suspicious, or spam) * Malicious threat types * Malicious targets, the top recipients targeted by malicious messages * Malicious threat origins ### Details The **Details** page lists up to 1,000 emails that were assigned a disposition during the scan. Select any email to review [details](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#details) about the message. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/retro-scan/","name":"Retro Scan"}}]} ``` --- --- title: Auto-move events description: Auto-moves allow you to automatically move emails out of your inbox based on a disposition that Email security assigns to each message (for example, malicious, spam, or spoof). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/auto-moves.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Auto-move events Auto-moves allow you to automatically move emails out of your inbox based on a [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/) that Email security assigns to each message (for example, malicious, spam, or spoof). Use auto-moves to enforce email security policy without relying on end users to identify and act on threats themselves. After you configure auto-moves, Email security handles flagged messages according to the action you choose for each disposition. To configure auto-move events: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings**. 4. Select **Moves**. 5. Under **Auto-moves**, select **Configure**. 6. For each disposition (malicious, spam, bulk, suspicious, spoof), choose what happens to matching emails: * **Soft delete - user recoverable**: Moves the message to the user's **Recoverable Items - Deleted** folder. The user can still find and restore the message. This option is only available for Microsoft 365 customers. Refer to [Microsoft 365 Exchange data deletion ↗](https://learn.microsoft.com/en-us/compliance/assurance/assurance-exchange-online-data-deletion) for more information. * **Hard delete - admin recoverable**: Removes the message from the user's inbox entirely. Only an administrator can recover it. * **Move to trash**: Moves the message to the user's trash or deleted items folder. This option is only available for Google Workspace users. * **Move to junk**: Moves the message to the user's junk or spam folder. * **No action**: Leaves the message where it is. Email security still records the disposition, but does not move the message. 7. Select **Save**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/auto-moves/","name":"Auto-move events"}}]} ``` --- --- title: Additional detections description: Email security allows you to configure the following additional detections: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/detection-settings/additional-detections.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Additional detections Email security allows you to configure the following additional detections: * Domain age * Blank email detection * [Automated Clearing House (ACH) ↗](https://en.wikipedia.org/wiki/Automated%5Fclearing%5Fhouse) change from free email detection * HTML attachment email detection To configure additional detections: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings**. 4. On the **Settings** page, go to **Detection settings** \> **Additional detections**, and select **Edit**. ## Configure domain age The domain age is the time since the domain has been registered. Because of the domain age detection, [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/) can be used to create an exception to the age detection. To configure a domain age: 1. On the **Edit additional detections** page: * Select **Malicious domain age**: Controls the threshold for a malicious disposition. Maximum of 100 days. It is recommended to set the **Malicious domain age** to 7 days. * Select **Suspicious domain age**: Controls the threshold for a suspicious disposition. Maximum of 100 days. It is recommended to set the **Suspicious domain age** between 30 and 45 days. 2. Select **Save**. ## Configure blank email detection Blank email detection detects emails with blank bodies and assigns a default disposition. You can choose between **Malicious** and **Suspicious** as dispositions. To enable blank email detection: 1. On the **Edit additional detections** page, enable **Blank email detection**. 2. Choose between **Malicious** and **Suspicious**. 3. Select **Save**. ## Configure ACH change from free email detection [Automated Clearing House (ACH) ↗](https://en.wikipedia.org/wiki/Automated%5Fclearing%5Fhouse) is a banking term related to direct deposits. ACH change from free email detection detects payroll inquiries or change requests from free email domains and assigns a default disposition. You can choose between **Malicious** and **Suspicious** as dispositions. To enable ACH change from free email detection: 1. On the **Edit additional detections** page, enable **ACH change from free email detection**. 2. Choose between **Malicious** and **Suspicious**. 3. Select **Save**. ## Configure HTML attachment email detection HTML attachment email detection detects HTM and HTML attachments in emails and assigns a default disposition. To enable HTML attachment email detection: 1. On the **Edit additional detections** page, enable **HTML attachment email detection**. 2. Choose between **Malicious** and **Suspicious**. 3. Select **Save**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/","name":"Detection settings"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/additional-detections/","name":"Additional detections"}}]} ``` --- --- title: Allow policies description: Email security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/detection-settings/allow-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Allow policies Email security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning. ## How allow policies work Allow policies are crucial for legitimate messages that may otherwise be blocked due to, for example, an incorrect setup. Example of allow policy An example of allow policy is a phishing simulation product. You want to configure a phishing simulation product as **Accept sender** so Email security does not scan the messages (or crawl links) in these simulated messages. Allow policies can be configured to match messages based on specific criteria such as individual email addresses, IP address ranges, or domains. This flexibility allows you to exempt legitimate messages from specific sources, even if those sources have low spam reputation or send bulk messages from their own servers. Allow policies are used to mitigate false positives. When an email has been marked as malicious or suspicious, but you still want to receive that email, you configure that email as part of an allow policy. ### Accept sender Allow policies in Email security give you the option to choose **Accept sender**. Accept sender creates exceptions for messages that would otherwise be marked as spam, bulk, or spoof. However, Email security will continue to scan the message for maliciousness. It is recommended to choose this option, as it is the safest option to protect your email inbox from malicious or suspicious activities. Example of a use case where marketing emails that are legitimate have been blocked When a marketing email does not follow the correct template, it may be marked as malicious or spam. It may not be possible to change the template. However, in this scenario, the marketing email is legitimate. To make sure that users still receive the marketing email, you will have to select **Accept sender** and add the marketing domain in **Rule Type** \> **Domains**. **Accept sender** and **Domains** combined exempt marketing emails that may not follow the correct template. Regular expressions and emails to add as Accept sender Below you can find a list of known services you can add when configuring an Accept sender. We recommend you use [RegExr Validation ↗](https://regexr.com/) to validate your regular expressions. * Google `drive-shares-noreply@google.com` `.*@docs\.google\.com` `.*@docos\.bounces\.google\.com` `.*@calendar-server\.bounces\.google\.com` `.*@alerts\.bounces\.google\.com` `calendar-notification@google.com` `.*\+bnc.*@` `noreply-cloud@google.com` `@` `.*@doclist\.bounces\.google\.com` * DocuSign `.*@docusign\.net` * Twitter - Mentions/Retweets `notify@twitter.com` * GitHub (mentions and notifications) `noreply@(github|git)\.` `notifications@github.com` * Apache Foundations (Developers) `.*@.*\.apache\.org` `jira@apache.org` * Atlassian `jira@` `jira@.atlassian.net` `confluence@` `confluence@.atlassian.net` * Intercom `notifications@intercom-mail.com` `notifications@mail.intercom.io` * SharePoint `no-reply@sharepointonline.com` * Box and Dropbox `.*@dropbox\.com` `noreply@box.com` * Salesforce `.*@chatter\.salesforce\.com` `.*@.*\.(apex|bnc)\.salesforce\.com` `.*@.*\.bnc(\.sandbox)?\.salesforce\.com` * Webex - Invites/Mentions `messenger@webex.com` * Bulk mailers `.*@.*mailchimp\.com` `.*@mandrillapp\.com` `.*mailspike\.org` * LinkedIn `invitations@linkedin.com` * FBWork `.*@fbworkmail\.com` * Asana `.*@mail\.asana\.com` * EchoSign `.*@mail\.echosign\.com` * HelloSign `noreply@(email|mail)\.hellosign\.com` * Podio `noreply@podio.com` * Quip `noreply.*@quip\.com` * Zeplin `no-reply@zeplin.io` * DataHug `notifications@datahug.com` * Paperless `.*@paperlesspost\.com` * NetSuite `.*@.*\.na\d\.netsuite\.com` * FS-ISAC `cyberintel@lists.fsisac.com` * Expensify `replies\+[0-9]+@expensify\.com` * KnowBe4 `.*@[a-z]+\.knowbe4\.com` `147\.160\.167\.([1-5][0-9]|6[0-2]|[1-9])` * FreshDesk `.*@.*\.freshdesk\.com` * Webroot `167.89.85.54` `49.72.237.117` * Wombat Egress IPs **Training Platform** `107.20.210.250` `52.1.14.157` * Phishing Assessment `107.23.16.222` `54.173.83.138` ## Configure allow policies To configure allow policies: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings**, then go to **Detection settings** \> **Allow policies**. 4. On the **Detection settings** page, select **Add a policy**. 5. On the **Add an allow policy** page, enter the policy information: * **Input method**: Choose between **Manual input**, and **Uploading an allow policy**: * **Manual input**: * **Action**: Select one of the following to choose how Email security will handle messages that match your criteria: * **Trust sender**: Messages will bypass all detections and link following. * **Exempt recipient**: Message to this recipient will bypass all detections. * **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. Refer to [Allow policy configuration use cases](#use-case-1) for use case examples on how to configure allow policies for accept sender. * **Rule type**: Specify the scope of your policy. Choose one of the following: * **Email addresses**: Must be a valid email. Enter an email address whose emails are going to be exempted. * **IP addresses**: This is the IP address of the email server. Any email address sent from this email server is going to be allowed. The IP address can only be IPv4\. IPv6 and CIDR are invalid entries. * **Domains**: Must be a valid domain. * **Regular expressions**: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email. For example, you can enter `.*@domain\.com` to exempt any email address that ends with `domain.com`. * **(Recommended) Sender verification**: This option enforces DMARC, SPF, or DKIM authentication. If you choose to enable this option, Email security will only honor policies that pass authentication. * **Notes**: Provide additional information about your allow policy. * **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes` fields. The first row must be a header row. Refer to [CSV uploads](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/#csv-uploads) for an example file. 6. Select **Save**. Allow policy configuration use cases The following use cases show how you could configure allow policies for accept sender. ### Use case 1 Company receives emails from third-party providers not used internally. These emails are sent from the service provider, and Email security gives these emails an incorrect disposition. This use case can affect companies such as Shopify, PayPal, and Docusign. To solve this: 1. Create a [team submission](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/team-submissions/). 2. Inform your Cloudflare contact about the escalation. 3. Do not set up allow policies or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign. ### Use case 2 Company receives emails via third-party providers that are used internally. These emails are sent from the company's custom domain, but Email security marks these emails as bulk, spam, or spoof. This use case can cause the emails you want to receive to follow the auto-moves rules you set up. This use case affects emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition. To solve this, when you add an allow policy in the Cloudflare One dashboard: 1. Choose **Accept sender**. 2. Verify that **Sender verification (recommended)** is turned on. ### Use case 3 Company receives emails via third-party providers that are used internally. These emails are sent from the company's custom domain, but Email security marks these emails as bulk, spam, or spoof. The custom email domain does not support DMARC, SPF, or DKIM, and would fail Sender Verification. This use case impacts the emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition. To solve this, when you add an allow policy in the Cloudflare One dashboard: 1. Choose **Accept sender** based on the static IP you own. 2. Ensure that **Sender verification (recommended)** is turned off. Warning Do not use email addresses or email domains for this policy as they can be easily spoofed without **Sender Verification (Recommended)** enabled. ### CSV uploads You can upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes`. The first row must be a header row. An example file would look like this: ``` Pattern, Pattern Type, Verify Email, Trusted Sender, Exempt Recipient, Acceptable Sender, Notes whale@notaphish.com, EMAIL, true, true, false, true, not a phish ``` ## Export allow policies To export all allow policies: 1. On the **Detection settings** page, select **Value(s)**. Selecting **Value(s)** will select all allow policies. 2. Select **Export to CSV**. To export specific allow policies: 1. On the **Detection settings** page, select the allow policies you want to export. 2. Select **Export to CSV**. ## Edit allow policy To edit an allow policy: 1. On the **Detection settings** page, select the allow policy you want to edit. 2. Select the three dots > **Edit**. 3. Edit the allow policy. 4. Select **Save**. ## Delete allow policy To delete an allow policy: 1. On the **Detection settings** page, select the allow policy you want to delete. 2. Select the three dots > **Delete**. 3. On the pop-up message, select **Delete**. To delete multiple allow policies at once: 1. On the **Detection settings** page, select the allow policies you want to delete. 2. Select **Action**. 3. Select **Delete**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/","name":"Detection settings"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/allow-policies/","name":"Allow policies"}}]} ``` --- --- title: Detection settings best practices description: This guide describes how to configure detection settings to mitigate impersonation risks while ensuring legitimate delivery. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/detection-settings/best-practices.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Detection settings best practices This guide describes how to configure detection settings to mitigate impersonation risks while ensuring legitimate delivery. Once you configure the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) to mitigate spoof detections, you can add emails in the impersonation registry as secondary email. Refer to [Edit users](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/#edit-users) to learn how to add a secondary email address. For impersonation events that are caused by systems, Cloudflare recommends that you configure an [allow policy](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) to mitigate delivery disruptions. To maintain a higher security posture, allow policies should be defined with the narrowest possible scope. Start with specific expressions or email addresses that will target the actual sender or system. If the system is sending from a variety of addresses, you can create an expression that is wider while keeping the expression specific. In some situations, it is better to have multiple specific entries than a more generic policy that allows a whole domain. ## Policy selection criteria When you configure an [allow policy](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), you can choose how Email security handles messages that match your criteria. Allow policies are suitable for services that may spoof people's names. Use **Accept sender** with **Sender verification (recommended)** turned on for systematic traffic. For example, a file shared through Google Drive will create a notification using the name of the user that is sharing the document. However, the underlying email address used will be a Google system address. Use **Trusted Sender** for emails that do not require phishing inspections. This will exempt messages from any phishing analysis, including links analysis. Example use cases: * Temporary rules (to avoid over-detection) * Phishing simulations * Applications that send one time links for verification ## Best practices for configuration * Prioritize static IPs: Use known and owned, static IP addresses for relay servers. Avoid [ephemeral IP addresses ↗](https://docs.cloud.google.com/vpc/docs/ip-addresses#ephemeral%5Fand%5Fstatic%5Fip%5Faddresses) as their transient nature can lead to policy degradation. * Enforce Sender Verification: Always have **Sender Verification (Recommended)** enabled in the Cloudflare dashboard. It validates the originating system's email authentication records (namely [SPF ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), and [DMARC ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)) against the domain to ensure authenticity. * Handle unsanctioned traffic: Unsanctioned traffic is traffic which has not been approved within an organization. This is also known as [Shadow IT ↗](https://www.cloudflare.com/en-gb/learning/access-management/what-is-shadow-it/). If an unsanctioned system generates spam or spoofed content, [configure a text add-on](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/) to append a tag to the subject line and automatically [move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) the message to the junk folder. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/","name":"Detection settings"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/best-practices/","name":"Detection settings best practices"}}]} ``` --- --- title: Blocked senders description: Email security marks all messages from these senders with a malicious disposition. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/detection-settings/blocked-senders.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Blocked senders Email security marks all messages from these senders with a malicious [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/). ## How blocked senders work Blocked senders ensures messages from any sender is automatically marked as malicious, preventing them from reaching users' inbox. Sometimes, the same email, IP address or domain always sends malicious emails to the company. In this case, you can add an email address, IP address or domain as a blocked sender. You can choose to enter a regular expression by turning **Regular expression** on. ## Configure blocked senders To configure blocked senders: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings**, go to **Detection settings** \> **Blocked senders**. 4. On the **Detection settings** page, select **Add a sender**. 5. Select the **Input method**: Choose between **Manual input**, and **Upload blocked sender list**: * **Manual input**: * **Sender type**: * **Email addresses**: Must be a valid email. * **IP addresses**: Can only be IPv4\. IPv6 and CIDR are invalid entries. * **Domains**: Must be a valid domain. * **Regular expressions**: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email. For example, you can enter `.*@domain\.com` to exempt any email address that ends with `domain.com`. * **Notes**: Provide additional information about the blocked sender policy. * **Upload blocked sender list**: Upload a file no larger than 150 KB. The file cannot can only contain `Blocked_Sender`, `Pattern Type,` and `Notes` fields. The first row must be a header row. Refer to [CSV uploads](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/#csv-uploads) for an example file. 6. Select **Save**. ### CSV uploads You can upload a file no larger than 150 KB. The file cannot can only contain `Blocked_Sender`, `Pattern Type,` and `Notes` fields. The first row must be a header row. An example file would look like this: ``` Blocked Sender, Pattern Type, Notes john.smith@gmail.com, EMAIL, John Smith example.com, DOMAIN, Melanie Turner ``` ## Export blocked senders To export all blocked senders: 1. On the **Detection settings** page, select **Sender**. Selecting **Sender** will select all blocked senders. 2. Select **Export to CSV**. To export specific blocked senders: 1. On the **Detection settings** page, select **Value(s)**. Select the blocked senders you want to export. 2. Select **Export to CSV**. ## Edit a blocked sender To edit a blocked sender: 1. On the **Detection settings** page, select the blocked sender you want to edit. 2. Select the three dots > **Edit**. 3. Edit the blocked sender. 4. Select **Save**. ## Delete a blocked sender To delete a blocked sender: 1. On the **Detection settings** page, select the blocked sender you want to delete. 2. Select the three dots > **Delete**. 3. On the pop up message, select **Delete**. To delete multiple blocked senders at once: 1. On the **Detection settings** page, under **Blocked senders**, select the senders you want to delete. 2. Select **Action** 3. Select **Delete**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/","name":"Detection settings"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/blocked-senders/","name":"Blocked senders"}}]} ``` --- --- title: Configure link actions description: You can configure how Email security handles links in emails. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/detection-settings/configure-link-actions.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Configure link actions You can configure how Email security handles links in emails. Note You can only configure link actions if you deploy Email security via [MX/Inline](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/). To configure link actions: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings**, then go to **Detection settings** \> **Link actions** \> **View**. You can configure **Link actions settings**, or **URL rewrite ignore patterns**. ## Link actions settings To configure link actions, select **Configure**. The dashboard will display **Open links evaluated as suspicious in a remote browser (Recommended)**. This option is turned on by default. Email security will also allow you to select message dispositions to open all the links for dispositioned emails in a remote browser. Select one or more disposition, then select **Save**. If **Open links evaluated as suspicious in a remote browser (Recommended)** is turned off, you can select **URL defang** or **No action** on each disposition. Select **Save** once you have completed the configuration. When opening links, Email security will not allow you to: * [Copy (from remote to client)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) * [Paste (from client to remote)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) * Use [keyboard](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) * [Print](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) * [Download files](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) * [Uploads files](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) ## Add patterns for URLs You can add patterns for URLs that should be rewritten. 1. Under **URL rewrite ignore patterns**, select **Add a pattern**. 2. Enter a valid IP, URL, or regular expression. You can enter up to 512 characters. 3. Select **Save**. To edit a pattern, go to the pattern you want to edit, select the three dots, then **Edit**. Once you have finished modifying the URL patter, select **Save**. To delete a pattern, go to the pattern you want to delete, select the three dots, then **Delete**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/","name":"Detection settings"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/","name":"Configure link actions"}}]} ``` --- --- title: Configure text add-ons description: You can create custom labels to be used as the subject or body prefix for emails with specific dispositions. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Configure text add-ons You can create custom labels to be used as the subject or body prefix for emails with specific dispositions. Note You can only configure text add-ons if you deploy Email security via [MX/Inline](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/). Warning If you currently do not have text add-ons enabled, configuring text add-ons will add a banner to the subject line. As a result, the subject line and the email body will be reduced. ## Subject prefix To configure a subject prefix: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings**, then go to **Detection settings** \> **Text add-ons** \> **View**. 4. Select **Configure** \> **Subject prefix**. 5. Populate each disposition with a subject prefix, and turn on the **Status** to enable the subject prefix for a specific disposition. ### Advanced settings In **Advanced settings**, you can configure **Add "labels" variable**. This option allows you to add a dynamic value for a label that lists dispositions and allows for additional text. To turn on **Add "labels" variable**: 1. Go to **Advanced settings** \> **Add "labels" variable**. 2. Choose between: * **Use default**. * **Use custom "labels" variable**: Enter the custom label in the text box. Once you have configured the subject prefix, select **Save**. ## Body prefix A body prefix is a custom label added to the top of the email body for emails with specific dispositions. Populate each disposition with a body prefix, and turn on the **Status** to enable the body prefix for a specific disposition. ### Advanced settings In Advanced settings, you can configure **Add "labels" or "threat types" variable**. This option allows you to add a dynamic value for labels that lists dispositions, or threats that lists the threat types behind an assigned disposition. To turn on **Add "labels" or "threat types" variable**: 1. Go to **Advanced settings**: 2. Choose between: * **Add "labels" variable**: This option allows you to add a dynamic value that for a label that lists dispositions and allows for additional text. Choose between: * **Use default**. * **Use custom "labels" variable**: Enter the custom label in the text box. Once you have configured the body prefix, select **Save**. ### Add threat types variable This option allows you to include a dynamic value for '%THREATS' that lists the threat types behind an assigned disposition. It can include additional, HTML-formatted text. The dashboard will display **Default** or **Custom** (to use "labels" or "threat types" variable), depending on how you configured the [advanced settings](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/#advanced-settings-1). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/","name":"Detection settings"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/","name":"Configure text add-ons"}}]} ``` --- --- title: Impersonation registry description: The impersonation registry contains combinations of emails of users who are likely to be impersonated. If there is an email that is on the impersonation registry not listed as an alternative email address, that email will be reported as potential business email compromise (BEC). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/detection-settings/impersonation-registry.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Impersonation registry The impersonation registry contains combinations of emails of users who are likely to be impersonated. If there is an email that is on the impersonation registry not listed as an alternative email address, that email will be reported as potential [business email compromise (BEC) ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/). Note The impersonation registry should contain a list of users who are likely to be impersonated. Email security applies enhanced security to variations of registered email addresses for additional [Business Email Compromise (BEC) ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) protection. For easier tracking, the Email security team recommends syncing and structuring VIPs in groups, and avoid doing manual inputs of users. To add a user to the impersonation registry: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings** \> **Impersonation registry**. 4. Select **Add a user**. 5. Select **Input method**: Choose between **Manual input**, **Upload manual list**, and **Select from existing directories**: * **Manual input**: Enter the following information: * **User info**: enter a valid **Display name**. * **User email**: Enter one of the following: * **Email address**: Enter all known email addresses, separated by a comma. * **Regular expressions**: Must be valid Java expressions. * **Upload manual list**: You can upload a file no larger than 150 KB containing all variables of potential emails. The file must contain `Display_Name` and `Email`, and the first row must be the header row. Refer to [CSV uploads](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/#csv-uploads) for an example file. * **Select from existing directories**: * **Select directory**: Select your directory. * **Add users or groups**: Choose the users or groups you want to register. 6. Select **Save**. ### CSV uploads You can upload a file no larger than 150 KB containing all variables of potential emails. The file must contain `Display_Name` and `Email`, and the first row must be the header row. An example file would look like this: ``` Display Name, Email Star Phish, star@nophish.com Phish Ee, phishee@nophish.com ``` ## Edit users Note Administrators can edit the names and emails of users who belong to the Email security directory. Administrators from other integrated directories cannot edit the name and the primary emails of users. To edit users from the Email security directory: 1. Select the user you want to edit. 2. Select the three dots > **Edit**. 3. Enter the **Display name**, **Email** and **Secondary email**. 4. Select **Save**. To edit users from other integrations: 1. Select the user you want to edit. 2. Select the three dots > **Edit**. 3. Enter the **Secondary email**. 4. Select **Save**. ## Remove users Note Adiministrators can remove users who belong to the Email security directory from the **Impersonation registry**. Users who come from an integrated directory cannot be removed from the **Impersonation registry** directly. To remove a user from an integrated directory: 1. Select **Directories** on the sidebar. 2. Select the directory where your user is allocated. 3. Select the **Users** tab. 4. Search for the user you want to remove. 5. Select the three dots > **Remove from registry**. To remove a user from the impersonation registry: 1. Select the user you want to remove. 2. Select the three dots > **Remove from registry**. 3. Read the pop-up message, then select **Remove user**. To remove multiple users at once from the impersonation registry: 1. Select all the users you want to remove. 2. Select **Action** \> **Remove from registry**. 3. Read the pop-up message, then select **Remove users**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/","name":"Detection settings"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/","name":"Impersonation registry"}}]} ``` --- --- title: Trusted domains description: Email security allows you to exempt known partner and internal domains from typical detection scanning. Adding trusted domains helps to reduce false positives on malicious, suspicious, and spoof dispositions. Email security only checks the date when the domain is created. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/detection-settings/trusted-domains.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Trusted domains Email security allows you to exempt known partner and internal domains from typical detection scanning. Adding trusted domains helps to reduce false positives on malicious, suspicious, and spoof [dispositions](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/). Email security only checks the date when the domain is created. ## How trusted domains work Trusted domains are not for the email message itself, but for entire domains. By default, Email security automatically detects lookalike domains. Lookalike domains can be something like this: `thisisdomain.com` and `thisisadomain.com`. Both domains almost look identical. If an email is received from a domain that looks like a configured domain, this will trigger a detection. Trusted domain is configured to ignore this detection. In [Additional detections](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/additional-detections/), you can configure malicious domain and suspicious [domain age](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/additional-detections/#configure-domain-age). Malicious domain age means that someone may create a domain today, similar to a target, and start sending emails with that domain. This is usually how many phish campaigns start. In this case, the domain is usually marked as Malicious. Malicious domain age is usually set to 7 days. Suspicious domain age means that after 7 days (this number corresponds to the Malicious domain age), a domain may not be malicious, but it can still be suspicious. Email security will mark these domains as Suspicious. It is recommended to configure the **Suspicious domain age** between 30 and 45 days. To view whether a domain is malicious or suspicious: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Investigation**. 2. Run a screen. For example, select **Run screen** for **Malicious emails**, then select **Run screen**. 3. Under **Your matching messages**, if any message displays **Domain Age** under **Threat types**, that means that the domain age is too low, and therefore the disposition assigned is Malicious. If the domain is legitimate, you can add it as a trusted domain: * Go to **Settings** \> **Trusted Domains**. * Under **Domain Info**, add the domain, and select **New Domain**. This will mark the domain whose age is low as a trusted domain. ## Configure trusted domains To configure a trusted domain: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings**, go to **Detection settings** \> **Trusted domains**. 4. On the **Detection settings** page, select **Add a domain**. 5. Select the **Input method**: Choose between **Manual input**, and **Upload trusted domain list**: * **Manual input**: * **Domain info**: Enter a valid domain name. * **Domain type**: Select one or both options: * **Proximity domain**: Domains with similar spelling to your existing domain. * **Recent domain**: Domains created recently. * **Notes**: Provide additional information about the trusted domain list. * **Upload trusted domain list**: You can upload a file no larger than 150 KB of multiple trusted domains. The file can only contain `Domain`, `Proximity`, `New` and `Notes` fields. The first row must be a header row. Refer to [CSV uploads](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/#csv-uploads) for an example file. 6. Select **Save**. ### CSV uploads You can upload a file no larger than 150 KB of multiple trusted domains. The file can only contain `Domain`, `Proximity`, `New` and `Notes` fields. The first row must be a header row. An example file would look like this: ``` Domain, Proximity, New, Notes mydomain.com, true, true, First Person testdomain.com, false, true, New Hire ``` ## Export trusted domains To export all trusted domains: 1. On the **Detection settings** page, select **Domain**. Selecting **Domain** will select all trusted domains. 2. Select **Export to CSV**. To export specific trusted domains: 1. On the **Detection settings** page, select the trusted domains you want to export. 2. Select **Export to CSV**. ## Edit trusted domains To edit a trusted domain: 1. On the **Detection settings** page, select the trusted domains you want to edit. 2. Select the three dots > Edit. 3. Edit the trusted domain. 4. Select **Save**. ## Delete trusted domains To delete trusted domains: 1. On the **Detection settings** page, select the trusted domain you want to delete. 2. Select the three dots > **Delete**. 3. On the pop up message, select **Delete**. To delete multiple trusted domains at once: 1. On the **Detection settings** page, select the trusted domains you want to delete. 2. Select **Action**. 3. Select **Delete**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/","name":"Detection settings"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/detection-settings/trusted-domains/","name":"Trusted domains"}}]} ``` --- --- title: Information about your domain description: When you configure your domain, the Cloudflare dashboard will display you the following fields: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/domain-management/domain.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Information about your domain When you configure your domain, the Cloudflare dashboard will display you the following fields: * **Domain**: Domain name. Refer to [Manage domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/manage-domains/) to learn how to add, filter, and delete domains. * **Configured method**: The deployment method you used to configure your domain. Depending on how you decided to configure Email security, the dashboard will display: * **MS Graph API**: Your current email provider is Microsoft 365, and Email security has been configured via the Microsoft Graph API. You do not need to change any MX record. * **BCC/Journaling**: You have chosen to set your email via BCC/Journaling. A copy of your email is sent to Cloudflare. * **MX/ Inline**: You have configured your email domain using MX/Inline. This configuration requires a [DNS record change](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/#edit-dns-records). * **Status**: Status indicates the state of the configuration. * For MX/Inline and BCC/Journaling, the dashboard will display **Active** if Email security has processed any email in the last seven days. The dashboard will display **No mail flow** if there has been no email activity in the last seven days. This is likely due to a misconfiguration. Refer to [Configuration checklist](https://developers.cloudflare.com/cloudflare-one/email-security/setup/#5-configuration-checklist) to ensure you have configured your environment correctly. * For MS Graph API, the dashboard will display **Active** if your integration has been successfully connected, and Email security can scan your inbox with the integration. The dashboard will display **Broken** if the API is not scanning emails. This could be due to a CASB misconfiguration. To troubleshoot this, refer to [Troubleshoot CASB](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/troubleshoot-casb/). * **Service address**: This is the email address you will use to send a copy of your email. * **Source**: Depending on how you added the domains, the dashboard will display **MS integration**, **Google**, **CF zones**, or **Manual add**. * **Integration name**: Name of the integration. This field will only be displayed for Microsoft integrations. To rename your integration: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Integrations** \> **Cloud & SaaS**. 2. Locate your integration, select **Configure**, then select **Edit**. 3. Rename your integration, then select **Save**. * **Hops**: The number of hops. This will not be displayed if the configuration method is Microsoft Graph API. Hop count will be visible only if it has been configured. * **Date added**: Date when the domain was added. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/domain-management/","name":"Domain management"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/domain-management/domain/","name":"Information about your domain"}}]} ``` --- --- title: Phish submissions description: As part of your continuous email security posture, administrators and security analysts need to submit missed phishing samples to Email security, so Cloudflare can process them and take necessary action. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/phish-submissions/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Phish submissions As part of your continuous email security posture, administrators and security analysts need to submit missed phishing samples to Email security, so Cloudflare can process them and take necessary action. Submitting missed phish samples to Cloudflare is of paramount importance and necessary for continuous protection. Submitting missed phish samples helps Cloudflare improve our machine learning (ML) models, and alerts us of new attack vectors before they become prevalent. There are three routes you can use to report an email as a phish: * Via Investigation, by [reclassifying an email](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/#reclassify-an-email). * Via [PhishNet 365](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/phishnet-365/). * Via [Submission addresses](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/submission-addresses/). ## Reclassify an email 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security** \> **Investigation**. 3. On the **Investigation** page, under **Your matching messages**, select the message you want to reclassify. Select the three dots, then select **Submit for review**. By selecting **Submit for review**, you are requesting a new disposition for the message. 4. Select the new disposition, then select **Save**. When you report an email as phish, this email will be displayed under [User submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/phish-submissions/","name":"Phish submissions"}}]} ``` --- --- title: PhishNet Microsoft 365 description: PhishNet is an add-in button that helps users to submit directly to Email security phish samples missed by Email security's detection. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/phish-submissions/phishnet-365.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # PhishNet Microsoft 365 PhishNet is an add-in button that helps users to submit directly to Email security phish samples missed by Email security's detection. To set up PhishNet Microsoft 365: 1. Get the customized manifest URL from [Cloudflare One ↗](https://one.dash.cloudflare.com/?to=/:account/email-security/settings/email-policy/phish-submission?tab=phish-submission). 2. Log in to the [Microsoft admin panel ↗](https://admin.microsoft.com/). 3. Go to **Microsoft 365 admin center** \> **Settings** \> **Integrated Apps**. 4. Select **Upload custom apps**. 5. Choose **Provide link to manifest file** and paste the URL you copied from the Cloudflare One dashboard. 6. Verify and complete the wizard. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/phish-submissions/","name":"Phish submissions"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/phish-submissions/phishnet-365/","name":"PhishNet Microsoft 365"}}]} ``` --- --- title: PhishNet for Google Workspace description: To set up PhishNet with Google Workspace you need admin access to your Google Workspace account. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Google ](https://developers.cloudflare.com/search/?tags=Google) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/phish-submissions/phishnet-google-workspace.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # PhishNet for Google Workspace To set up PhishNet with Google Workspace you need admin access to your Google Workspace account. ## Set up PhishNet for Google Workspace 1. Log in to [Google Workspace Marketplace apps ↗](https://workspace.google.com/marketplace/app/cloudflare%5Fphishnet/11369379045) using this direct link and an administrator account. 2. Select **Admin install** to install Cloudflare PhishNet. Read the warning, and select **Continue**. 3. You will be redirected to the **Allow data access** page, where you can choose to install Cloudflare PhishNet for **Everyone at your organization**, or **Certain groups or organizational units**. If you choose the latter option, you will have to select the users in the next step. 4. After choosing the groups you want to install PhishNet for, agree with Google's terms of service, and select **Finish**. 5. Cloudflare PhishNet has been installed. Select **DONE**. You have now successfully installed Cloudflare PhishNet. ## Submit phish with PhishNet 1. In your Gmail web client, open the message you would like to flag as either spam or phish. 2. Select the PhishNet logo on the side panel. 3. Under **Select Submission Type**, select **Spam** or **Phish**. 4. Select **Submit Report**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/phish-submissions/","name":"Phish submissions"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/phish-submissions/phishnet-google-workspace/","name":"PhishNet for Google Workspace"}}]} ``` --- --- title: Submission addresses description: To view the destination addresses of user and team submissions: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/settings/phish-submissions/submission-addresses.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Submission addresses To view the destination addresses of user and team submissions: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Settings**. 4. Go to **Phish submission** \> **Submission addresses** \> **View**. The dashboard will display **User submission addresses** and **Team submission addresses**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/settings/","name":"Settings"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/settings/phish-submissions/","name":"Phish submissions"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/settings/phish-submissions/submission-addresses/","name":"Submission addresses"}}]} ``` --- --- title: Before you begin description: Before you start the onboarding process, you will have to: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Before you begin Before you start the onboarding process, you will have to: 1. Choose a deployment path: Email security provides two deployment modes, [post-delivery](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/) for API and BCC/Journaling and [pre-delivery](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/) for MX/Inline. 2. Learn about dispositions, impersonation registry, and submissions. 3. Know the steps to configure your email environment correctly. The following table compares features available across API, BCC/Journaling and MX/Inline: | Feature | Microsoft 365 | Google Workspace | Others (On-prem/Cloud) | | ------------------- | --------------------------------------------------- | --------------------------------- | -------------------------------------------------------- | | Deployment type | API and MX | BCC and MX | MX only | | API integration | Microsoft Graph API | BCC only | None | | BCC/Journaling | Uses a Journal Rule in the Microsoft Purview portal | Uses BCC rules | Uses journaling | | Inline/MX Mode | MX records point to Cloudflare | MX records point to Cloudflare | MX records point to Cloudflare | | Message remediation | Auto-moves through Read/Write API | Auto-moves through Read/Write API | Messages can be blocked, quarantined, or modified inline | Note that: * All email providers support MX/Inline deployment. * Microsoft 365 or Google Workspace users who integrate Email security via API, BCC/Journaling can modify emails primarily through deletion or post-delivery [move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/). * Microsoft 365 or Google Workspace users who integrate Email security via MX/Inline can modify emails via post-delivery [move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/), [link actions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/) and [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/). ## 1\. Choose a deployment ### Post-delivery deployment When you choose post-delivery deployment, Cloudflare scans emails **after** they reach a users' inbox. If you are a Microsoft 365 user, this is done via [Microsoft's Graph API](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/) or [journaling](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/). If you are a [Google Workspace](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/) or [Microsoft Exchange](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/bcc-microsoft-exchange/) user, this is done via BCC. #### Why you should consider post-delivery deployment Post-delivery deployment is time-efficient, because it does not involve MX changes. Post-delivery deployment does not disrupt mail flow. Post-delivery deployment allows you to enable [auto-move events](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to hard or soft delete messages, and synchronize your [directory](https://developers.cloudflare.com/cloudflare-one/email-security/directories/) when you use Microsoft Graph API or Google Workspace. Note When you choose post-delivery deployment: * The threat is removed **after** the message has been delivered to the inbox. * It requires API scopes, or BCC/Journaling rule configuration. * Auto-move is only available in BCC/Journaling if you associate an integration. ### Pre-delivery deployment When you choose pre-delivery deployment, Cloudflare scans emails **before** they reach a users' inbox. The MX record points to Cloudflare. #### Why you should consider pre-delivery deployment Pre-delivery deployment provides you with the highest level of protection. It enforces [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/) or link rewrite at delivery. Pre-delivery blocks threats in transit, and it adds banners or texts before the user views the email. Note When you choose pre-delivery deployment: * You must edit MX records or create a connector. * You can enable auto-move events only after you associate an integration. * Cloudflare [egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) are allowed on downstream mail servers. ## 2\. Understand dispositions Dispositions allow you to configure policies and tune reporting. For example, you can configure a policy to move suspicious emails to your junk folder. Refer to [Dispositions](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to learn more about dispositions. ## 3\. Set up the impersonation registry Most [business email compromise (BEC) ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) targets executives or finance roles. You must add addresses of roles who are likely to be impersonated. Refer to [Impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) to learn how to add a user to the impersonation registry. Roles you may want to include in the impersonation registry are: * C-suites * Finance roles * HR * IT help-desk * Legal You should review your impersonation registry on a quarterly basis as roles change. ## 4\. Submit messages A submission is a change to an email's disposition **after** initial scanning. It is Cloudflare's built-in feedback loop for correcting false positives/negatives **and** training the detection models to get smarter over time. Refer to [Submit messages for review](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/#submit-messages-for-review) to learn how to reclassify a message. ### Who can reclassify messages [Security teams](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/team-submissions/) and [end users](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/) can perform a submission. ### Why you should submit messages Submissions are critical because: * **They help improve model accuracy**: Every validated submissions teaches Cloudflare's machine learning to recognise new lures, language, infrastructure, and benign patterns. * **They reduce alert fatigue**: Correcting Suspicious or Spam emails that users actually want tailors detections to your organization, cutting noise in the dashboard. * **They close the remediation loop**: When a disposition is upgraded to Malicious, Cloudflare auto-moves those emails out of every inbox (Graph API or Google Workspace API integrations). * **They can help you log activity taken on any submission**: Each submission displays a submission ID, details about original, requested and final dispositions, and more. Refer to [Submit messages for review](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/#submit-messages-for-review) to learn more about submissions. To make the most of submissions: 1. Review submissions on a weekly basis. 2. Ensure you have an integration associated with any MX/Inline deployment. When you associate an integration, you will not need to upload the EMLs every time; Cloudflare can use APIs to receive a copy of your email messages. 3. Investigate any increase in [user submissions](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#user-submissions) (users may have found a phish that bypassed filters) and confirm that analyst-final dispositions align with your policies. A correct use of submissions ensures that Email security delivers a stronger protection with less manual tuning. ## 5\. Configuration checklist Follow the below checklist to ensure your email environment is set up correctly: | Step | Post-delivery | Pre-delivery | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | -------------------------------- | | Authorize integration ([Graph API](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration) or [Google Workspace](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/)) | Required[1](#user-content-fn-1) | Required [2](#user-content-fn-2) | | Associate an integration with an MX/Inline domain | Required | | | Add/verify domains | Required | Required | | [Update MX records/connector](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/), then allow Cloudflare [egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) on downstream mail server | Required | | | Populate [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) and [allow](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/)/[block](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/) lists | Required | Required | | Configure [partner domain TLS](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/partner-domain-tls/) and admin quarantine | Required | | | Configure [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/) and [link actions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/) | Required | | | Send a test email and verify it appears in **Monitoring** \> [**Email activity**](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/#email-activity) with expected disposition | Required | Required | Now that you know which deployment path to choose, you can begin your onboarding process. ## Footnotes 1. Associating an integration with BCC/Journaling is required for post-delivery but not for pre-delivery. [↩](#user-content-fnref-1) 2. Still used for directory/auto‑move insight if desired as well as authorizing free API CASB. [↩](#user-content-fnref-2) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}}]} ``` --- --- title: Manage domains description: Once you have deployed your domain, Email security allows you to add, filter and edit domains. You can also choose to stop a domain from being scanned. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/manage-domains.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manage domains Once you have deployed your domain, Email security allows you to add, filter and edit domains. You can also choose to stop a domain from being scanned. ## Add domains To protect a new domain: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com) \> Email security. 2. Select **Settings**, go to **Domains** and select **View**. 3. Select **Add a domain**. ## Filter domains To filter your domains: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. Select **Show filters** \> **Configured method**. Choose among the following filters: - **MS Graph API**: To view domains connected via MS Graph API. - **BCC/Journaling**: To view domains connected via BCC/Journaling. - **MX/Inline**: To view domains connected via MX/Inline. - **Retro Scan**: To view domains scanned by Retro Scan. 4. Select **Apply filters**. ## Edit domains To edit your domains: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. On the **Domains** page, locate your domain, select the three dots > **Edit**. 4. If you did not manually add your domain, you will only be able to edit **Hops**. If you manually added your domain, you will be able to edit **Domain name** and **Hops**. 5. Select **Save**. ## Prevent Cloudflare from scanning a domain To stop scanning domains: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. On the **Domains** page, locate your domain, select the three dots > **Stop scanning**. 4. Select **Stop scanning** again to stop Cloudflare from scanning your domain. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/manage-domains/","name":"Manage domains"}}]} ``` --- --- title: API deployment description: When you choose an API deployment, email messages only reach Email security after they have already reached a user's inbox. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/api/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # API deployment When you choose an API deployment, email messages only reach Email security after they have already reached a user's inbox. Then, through an integration with your email provider, Email security can [auto-move messages](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) based on your organization's policies. ![With API deployment, messages travel through Email security's email filter after reaching your users.](https://developers.cloudflare.com/_astro/M365_API_Deployment_Graph.Czbz8tQF_ZWYsK4.webp) ## Benefits When you choose API deployment, you get the following benefits: * Easy protection for complex email architectures, without requiring any change to mailflow operations. * Agentless deployment for Microsoft 365. ## Limitations However, API deployment also has the following disadvantages: * Email security is dependent on Microsoft's Graph API, and outages will increase the message dwell time in the inbox. * Your email provider may throttle API requests from Email security. * Email security requires read and write access to mailboxes. * Requires API support from your email provider (does not typically support on-premise providers). * Detection rates may be lower if multiple solutions exist. * Messages cannot be modified or quarantined. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/api/","name":"API deployment"}}]} ``` --- --- title: Set up with Microsoft 365 description: This guide will instruct you through setting up Microsoft 365 with Email security via the Cloudflare dashboard. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Set up with Microsoft 365 This guide will instruct you through setting up Microsoft 365 with Email security via the Cloudflare dashboard. ## Prerequisites To use Email security, you will need to have: * A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up) * A [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization) * A domain to protect ## Enable Email security via the dashboard 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and select **Email security**.. 2. Select **Overview**. Select one of the following options depending on your use case: * If you have not purchased Email security, select **Contact sales**. * If you have not associated any integration: * Select **Set up**. * Choose **MS Graph API** \> **Authorize**. * Refer to [Enable Microsoft integration](#enable-microsoft-integration) to continue the onboarding process. * If you have associated an integration, but have not connected a domain: * Select **Connect a domain**. * Choose **MS Graph API**. Refer to [Connect your domains](#connect-your-domains) to connect your domain(s). ### Enable Microsoft integration To enable Microsoft integration: 1. **Configure policy**: Choose how [CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) interacts with your data. Select **Read-only mode** or **Read-Write mode**. It is recommended that you choose **Read-Write mode**. 2. **Name integration**: Add your integration name, then select **Continue**. 3. **Authorize integration**: * Select **Authorize**. Selecting **Authorize** will take you to the Microsoft Sign in page where you will have to enter your email address. * Once you enter your email address, select **Next**. * After selecting **Next**, the system will show a dialog box with a list of requested permissions. Select **Accept** to authorize Email security. Upon authorization, you will be redirected to a page where you can review details and enroll integration. 4. **Review details**: Review your integration details, then: * Select **Complete Email security set up** where you will be able to connect your domains and configure auto-moves. * Select **Continue to Email security**. Continue with [Connect your domains](#connect-your-domains) for the next steps. ### Connect your domains On the **Set up Email security** page, you will be able to connect your Microsoft domains. To connect your domains: 1. **Connect domains**: Select at least one domain. Then, select **Continue**. 2. (Optional) **Modify default scanning**: You can configure which folder Email security can scan. 3. (Optional - select **Skip for now** to skip this step) **Redirect messages**: Refer to [Auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to learn what auto-moves are, and how to configure auto-moves. 4. **Review details**: Review your connected domains, then select **Go to Domains**. Your domains are now connected successfully. ### Connect new domains To connect new domains: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Select **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. Select **Add a domain**. 4. Select a method for connecting your mail environment to Email security: * If you select **MS Graph API**, refer to [Enable Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration). * If you select BCC/Journaling, choose how to connect your domains: * If you select **Integrate with MS**, refer to [Enable Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration). * If you select **Integrate with Google**, refer to [Connect your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/). * If you select **Manual add**, refer to [Enter domain manually](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/manual-add/#enter-domain-manually). ## Prevent Cloudflare from scanning a domain If you want to prevent Cloudflare from scanning a domain: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. On the **Domain management** page, select the domain you do not want to be scanned. 4. Select the three dots > **Stop scanning**. ## View an integration To view the integration for each connected domain: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. Select a domain. 4. Select the three dots > **View integration**. Once you have set up Email security to scan through your inbox, Email security will display detailed information about your inbox. Refer to [Monitor your inbox](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/) to learn more. ## Verify successful deployment To verify that the deployment has been successful and that your emails are being scanned: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. Under **Your domains**, locate your domain, and verify that **Status** (which describes the state of the configuration) displays **Active**. ## Next steps [Enable logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to send detection data to an endpoint of your choice. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/api/","name":"API deployment"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/","name":"Set up with Microsoft 365"}}]} ``` --- --- title: BCC/Journaling description: BCC/Journaling deployment is a post-delivery type of deployment. Cloudflare analyzes emails after they reach the user's inbox. Every time you receive an email, your email provider will send a blind copy to Cloudflare for an analysis. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # BCC/Journaling BCC/Journaling deployment is a post-delivery type of deployment. Cloudflare analyzes emails after they reach the user's inbox. Every time you receive an email, your email provider will send a blind copy to Cloudflare for an analysis. * Choose [BCC](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/) if your email provider is Gmail. * Choose [Journaling](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/) if your email provider is Microsoft 365. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}}]} ``` --- --- title: Microsoft Exchange BCC setup description: For customers using Microsoft Exchange, setting up Email security via BCC is quick and easy. You need to configure an inbound rule to send emails to Email security via BCC for processing and detection of potential phishing attacks. The following email flow shows how this works: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/bcc-microsoft-exchange.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Microsoft Exchange BCC setup For customers using Microsoft Exchange, setting up Email security via BCC is quick and easy. You need to configure an inbound rule to send emails to Email security via BCC for processing and detection of potential phishing attacks. The following email flow shows how this works: ![Email flow when setting up a phishing assessment risk for Microsoft Exchange with Email security.](https://developers.cloudflare.com/_astro/Microsoft_Exchange_365.fz8IIJ7m_u12q9.webp) Auto-moves for Microsoft Exchange customers Microsoft Exchange customers can auto-move if your email service is on-premise and you are using Microsoft Exchange online. ## Configure Inbound Rule 1. Access Exchange's **Management Console**, and go to **Organization Configuration** \> **Hub Transport**. ![Access Hub transport](https://developers.cloudflare.com/_astro/step1.Cr53r8C4_1XeNup.webp) 2. On the **Actions** pane, select **New Transport Rule**. 3. Give the transport rule a name and a description and select **Next**. ![Give transport rule a name and description](https://developers.cloudflare.com/_astro/step3.Bo-0qS8t_Zos67d.webp) 4. In the **Condition** configuration panel, select the option **from users that are inside or outside the organization** option. In the dropdown that opens, select **Outside the organization**. ![Select scope of transport rule](https://developers.cloudflare.com/_astro/step4.CxndsEWe_ZkYidj.webp) 5. Still in the same **Condition** configuration panel, add a second condition to the transport rule. Select **sent to users that are inside or outside the organization, or partners**. Keep the default value of **Inside the organization**. ![Select where to send emails](https://developers.cloudflare.com/_astro/step5.CFjU-V5M_1so1Xm.webp) 6. Select **Next**. 7. In the **Action** configuration panel, select **Blind carbon copy (Bcc) the message to addresses**. Edit the **addresses** variable to add the addresses you want to copy as BCC. ![Select BCC and edit email addresses](https://developers.cloudflare.com/_astro/step7.DJeDn5tj_Z1JlsIT.webp) 8. In **Specify Recipient**, select the **down arrow** next to the **Add** button > **External E-Mail Address**. ![Select external e-mail address](https://developers.cloudflare.com/_astro/step8.D1wRFlWS_10xDa4.webp) 9. Enter the BCC address provided by Email security. This address is specific to your account. ![Enter the BCC address provided by Email security](https://developers.cloudflare.com/_astro/step9.DnJuKcbu_Z1TY58F.webp) 10. Select **OK** \> **OK** to return to the main configuration page of the transport rule. 11. At the main configuration page of the transport rule, select **Next** to continue to the Exception configuration panel. 12. You do not need to configure an exception rule. Select **Next**. ![You do not need to configure an exception rule](https://developers.cloudflare.com/_astro/step12.CubH_6Qs_ZbcOq.webp) 13. In **Create Rule**, select the **New** button. ![Select the new button](https://developers.cloudflare.com/_astro/step13.Bk-qDQZk_Z1rBVF9.webp) 14. Select **Finish** to close the transport rule configuration panel. This will return you to the Exchange Management Console. ![Select finish](https://developers.cloudflare.com/_astro/step14.FJuX6pFq_ZpkKjK.webp) Note If you have multiple rules, you may need to change the order of the BCC rule and move it to the right location in your rule sequence. This is needed so you can send BCC messages to Email security. Usually, the Email security BCC rule will be at the top of the ruleset. The configured conditions of the Email security BCC rule will only trigger for inbound messages. ## Email processing and reports In BCC mode, all emails are put through automated phishing detections by Email security. Emails that trigger phishing detections are logged for reporting via product portal, email and Slack. Emails that do not trigger any detections are deleted. ## Next steps [Enable logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to send detection data to an endpoint of your choice. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/","name":"BCC setup"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/bcc-microsoft-exchange/","name":"Microsoft Exchange BCC setup"}}]} ``` --- --- title: Add BCC rules description: This page will show you how to add BCC rules in the Google Admin Console. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/add-bcc-rules.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Add BCC rules This page will show you how to add BCC rules in the Google Admin Console. BCC stands for Blind Carbon Copy. A BCC rule is a Google Workspace feature that allows you to create a secure copy of all selected outbound and inbound emails. When you allow Email security to receive a copy of your emails, Cloudflare can perform post-delivery analysis to protect your email inbox. To add BCC rules: 1. Log in to the [Google Admin Console ↗](https://admin.google.com/). 2. On the sidebar, go to **Apps** \> **Google Workspace** \> **Gmail** \> **Compliance**. 3. Go to **Content Compliance** \> Select **Edit**. 4. Add a **Content Compliance** filter, and name it `Email security - BCC`. 5. In **Email messages to affect**, select **Inbound**. 6. Select the recipients you want to send emails to Email security via BCC. Under **Add expressions that describe the content you want to search for in each message**: * Select **If ANY of the following match the message**. * Select **Add** to configure the expression. * Select **Advanced content match**. * In **Location**, select **Headers + Body**. * In **Match type**, select **Matches regex**. * In **Regexp**, input `.*`. You can customize the regex as needed and test within the admin page or on sites like [Regexr ↗](https://regexr.com/). * Select **SAVE**. 7. In **If the above expressions match, do the following**: * Select **Modify message**. * Ensure that **Envelope recipient** \> **Change envelope recipient** is unselected, so that emails will not be dropped as an unintended consequence. You will select this option at a later stage. * Go to **Also deliver to**, select **Add more recipients** \> **ADD** \> Choose **Advanced**: * Under **Envelope recipient**, select **Change envelope recipient** \> **Replace recipient** \> Enter the service address. This is the service address you copied and pasted in step 5 when [connecting your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/). If you did not copy and paste the service address: - In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**. - Go to **Settings** and locate your domain under **Your domains**. - Select the three dots > **View domain** \> **Service address**. Copy and paste the service address. * Under **Spam and delivery options**, ensure **Suppress bounces from this recipient** is not enabled. * Under **Headers**, select **Add X-Gm-Spam and X-Gm-Phishy headers**. * Select **SAVE**. 8. In **Account types to affect**, select **Users** and **Groups**. 9. Select **SAVE**. To verify that BCC rules have been configured successfully: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Settings**. 2. Select **Domains** \> **View**. 3. Locate your domain. Under Status, the dashboard should display **Active**. This means that the BCC rules have been configured successfully, and your mail flow is being detected. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/","name":"BCC setup"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/","name":"Gmail BCC setup"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/add-bcc-rules/","name":"Add BCC rules"}}]} ``` --- --- title: Connect your domains description: To connect your domains, you will need to enable your Gmail BCC integration. Once you have enabled your Gmail BCC integration, the Cloudflare dashboard will redirect you to the Set up Email security page. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Connect your domains To connect your domains, you will need to [enable your Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#enable-gmail-bcc-integration). Once you have enabled your Gmail BCC integration, the Cloudflare dashboard will redirect you to the **Set up Email security** page. On the **Set up Email security** page: 1. **Connect domains**: Select at least one domain. Then, select **Continue**. 2. (**Optional**) **Add manual domains**: Select **Add domain name** to manually enter additional domains. Then, select **Continue**. 3. (**Optional**) **Adjust hop count**: Enter the number of hops. Then, select **Continue**. Configuring the hop count will determine where you want Cloudflare to sit in the email processing chain. 4. (**Optional**, select **Skip for now** to skip this step) **Move messages**: Refer to [Auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to configure auto-moves. Then, select **Continue**. 5. **Select your processing location**: Configure where you want Cloudflare to process your email. **Global** will be the default option. If you choose **Global**, `@CF-emailsecurity.com` will be your regional service address. Once you have chosen your processing location, select **Continue**. 6. **Review details**: Review your connected domains and service addresses. Then, select **Go to domains.** Your domains are now added successfully. On the **Domains** page, select the three dots > **View integration**. The dashboard will display your [domain information](https://developers.cloudflare.com/cloudflare-one/email-security/settings/domain-management/domain/). Under **Source**, the dashboard will display **Google integration**, along with the **Integration name**. ## Add additional domains To add additional domains: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Settings**. 2. Select **Connect an integration** \> **BCC/Journaling** \> **Integrate with Google** \> **Authorize**. 3. **Connect domains**: Select the domains you want to add, then select **Next**. 4. (Optional) Select **Add manual domains**: Enter additional domains manually, then select **Next**. 5. (Optional) Select **Adjust hop count**: Enter the number of hops. 6. **Review details**: Review your selected domains, then use the following email to configure the service address with your third-party email provider: ``` @CF-emailsecurity.com ``` 7. Select **Save**. ## Verify successful deployment To verify that the deployment has been successful and that your emails are being scanned: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. Under **Your domains**, locate your domain, and verify that **Status** (which describes the state of the configuration) displays **Active**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/","name":"BCC setup"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/","name":"Gmail BCC setup"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/","name":"Connect your domains"}}]} ``` --- --- title: Enable auto-moves description: If you do not have an integration: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-auto-moves.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Enable auto-moves If you do not have an integration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains** \> select **View**. 3. Locate your domain, select the three dots > Select **Associate an integration**. 4. Select **Connect an integration**. You will then be redirected to the **Add an integration** page. 5. Select **Google Workspace CASB+EMAIL** \> **Select Integration**. 6. Once you select an integration, you can [enable Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#enable-gmail-bcc-integration). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/","name":"BCC setup"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/","name":"Gmail BCC setup"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-auto-moves/","name":"Enable auto-moves"}}]} ``` --- --- title: Enable Gmail BCC integration description: This guide describes the process for enabling Email security with Google Workspace. It requires setting up a service account and a JSON key in Google Cloud Platform (GCP), followed by configuring domain-wide delegation in the Google Workspace Admin Console to authorize the integration. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Google ](https://developers.cloudflare.com/search/?tags=Google) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Enable Gmail BCC integration This guide describes the process for enabling Email security with Google Workspace. It requires setting up a [service account ↗](https://docs.cloud.google.com/iam/docs/service-account-overview) and a JSON key in Google Cloud Platform (GCP), followed by configuring domain-wide delegation in the Google Workspace Admin Console to authorize the integration. ## Prerequisites To use Email security, you will need to have: * A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up) * A [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization) * A domain to protect ## Enable Gmail BCC integration: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Overview**. Select one of the following options: * If you have not purchased Email security, select **Contact sales**. * If you have not associated any integration: * Select **Set up**, then choose **BCC/Journaling**. * Select **Integrate with Google** \> **Authorize**. * Name your integration, then select **Next**. * Go to [step 1](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#1-create-a-service-account-in-your-gcp-project) to continue the process of associating an integration. * If you have associated an integration, but have not connected a domain: * Select **Connect a domain**. * Choose **BCC/Journaling** \> **Integrate with Google**. * Refer to [Connect your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/) to connect your domain(s). ### 1\. Create a Service Account in your GCP Project 1. Once you have named your integration, select **Next**. 2. On the [Google Cloud Console ↗](https://console.cloud.google.com/welcome/new), go to the sidebar, select **APIs & Services**, then select **Credentials**. 3. Select **CREATE CREDENTIALS** \> **Service account**. Refer to [Service accounts overview ↗](https://docs.cloud.google.com/iam/docs/service-account-overview) to learn more about service accounts. 4. Fill in the details to create a service account: * **Service account name**: Enter `Cloudflare Google Integration`. * **Service account ID**: Enter `cloudflare-google-integration`. * **Service account description**: Enter `Cloudflare Google Integration`. * Select **CREATE AND CONTINUE**. ### 2\. Create a JSON Key for your Service Account On the [Google Cloud Console ↗](https://console.cloud.google.com/welcome/new): 1. On the sidebar, select **IAM & Admim** \> **Service Accounts**. 2. Locate your email, select the three dots, then select **Manage keys**. 3. Select **Add key** \> **Create new key**. 4. Select **JSON** \> Select **CREATE**. This downloads a `.json` file which you will use when [uploading a JSON key](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#3-upload-json-key). ### 3\. Upload JSON Key On the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com/), upload the `.json` file downloaded on step 3. ### 4\. Enable Necessary Google Workspace APIs in GCP Enable the following APIs on the Google Cloud Console: * [Google Calendar API ↗](https://console.cloud.google.com/apis/library/calendar-json.googleapis.com?project=winter-surf-439414-h1) * [Google Drive API ↗](https://console.cloud.google.com/apis/library/drive.googleapis.com?project=winter-surf-439414-h1) * [Google Admin SDK API ↗](https://console.cloud.google.com/apis/library/admin.googleapis.com?project=winter-surf-439414-h1) * [Gmail API ↗](https://console.cloud.google.com/apis/library/gmail.googleapis.com?project=winter-surf-439414-h1) * [Google Service Usage API ↗](https://console.cloud.google.com/apis/library/serviceusage.googleapis.com?project=winter-surf-439414-h1) ### 5\. Log in to Google Workspace Admin Console Log in to Google Workspace Admin Console: Enter your password and log in to the Google Workspace Admin Console. ### 6\. Create a Domain-Wide Delegation API Client 1. Copy the **Client ID** and **Scopes** displayed on the Cloudflare One dashboard. 2. On Google Admin, go to **Security** \> **Access and data control** \> **API controls**. 3. Select **MANAGE DOMAIN WIDE DELEGATION** \> **Add new**. 4. Use the Client ID and copy the scopes to create a new API client. Refer to [Delegate domain-wide authority to your service account ↗](https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-alert-center?%5Fgl=1%2Askktsb%2A%5Fga%2AMTMxODg5NDExMy4xNzI5NjA1MzYy%2A%5Fga%5FWH2QY8WWF5%2AMTcyOTc3MDg2Ny40LjEuMTcyOTc3MDg5OC4yOS4wLjA.#delegate%5Fdomain-wide%5Fauthority%5Fto%5Fyour%5Fservice%5Faccount). Then, select **Next**. ### 7\. Confirm Workspace Administrator Email Enter the email associated with the Google Workspace Administrator account. Your email must match the email associated with your Google Workspace account, or else your integration will not work. ### 8\. Create integration 1. Select **Create integration**. 2. Once you created your integration, you will be redirected to the **Review details** page, where you will be able to review **Integration details**. 3. Review your details, then select **Complete Email security set up** \> **Continue to Email security**. ## Verify integration To verify that the integration has been successful: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations**. 2. Under **Your integrations**, locate your integration, and ensure that the integration displays **CASB+EMAIL** under **Type**. Note If you do not reach the step to complete the Email security set up: 1. Go to **Integrations** \> **Cloud & SaaS Integrations** \> **Integrations**. 2. Delete the integration, if present. Locate your integration, select **Configure**, then select **Delete**. 3. Follow the steps from the beginning to [enable Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#enable-gmail-bcc-integration). ## Next steps Now that you have created an integration: * [Connect your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/) for Email security to start scanning your inbox. * [Enable logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to send detection data to an endpoint of your choice. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/","name":"BCC setup"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/","name":"Gmail BCC setup"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/","name":"Enable Gmail BCC integration"}}]} ``` --- --- title: Overview description: For customers using Gmail as their email provider, setting up Email security is quick and easy. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Overview For customers using Gmail as their email provider, setting up Email security is quick and easy. You will need to [create an integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/), [add BCC rules](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/add-bcc-rules/), and [connect your domain(s)](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/). You can choose to [add additional domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/#add-additional-domains) at a later stage. Once you set up Google integration, Email security will receive a copy of your email messages. You will need a Google integration to enable [auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/). The following email flow shows how this works: ![Gmail BCC deployment flow](https://developers.cloudflare.com/_astro/Gmail_Deployment_BCC.YSoTUoiz_Z1MxITR.webp) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/","name":"BCC setup"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/","name":"Gmail BCC setup"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/","name":"Overview"}}]} ``` --- --- title: Microsoft 365 journaling setup description: Microsoft 365 journaling is a post-delivery setup method that ensures a copy of every incoming and outgoing email is forwarded to Cloudflare for analysis. When you create a journal rule in the Microsoft Purview compliance portal, Cloudflare can scan messages that have already landed in your inbox. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Microsoft 365 journaling setup Microsoft 365 journaling is a post-delivery setup method that ensures a copy of every incoming and outgoing email is forwarded to Cloudflare for analysis. When you create a [journal rule ↗](https://learn.microsoft.com/en-us/exchange/security-and-compliance/journaling/journaling#journal-rules) in the Microsoft Purview compliance portal, Cloudflare can scan messages that have already landed in your inbox. The following diagram shows how this works: ![Email flow when setting up Microsoft 365 with Email security.](https://developers.cloudflare.com/_astro/M365Deployment_Journaling.C-FeMlSK_aP6GS.webp) To enable Microsoft 365 journaling deployment: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**. 2. Select **Overview**. If you have not purchased Email security, select **Contact Sales**. Otherwise, select **Set up** \> **BCC/Journaling**. 3. Select **Integrate with MS** \> **Authorize**. 4. Continue with [Integrate with Microsoft 365](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/#1-integrate-with-microsoft-365) to connect your Microsoft integration. ## 1\. Integrate with Microsoft 365 To integrate with Microsoft 365: 1. **Name integration**: Add your integration name, then select **Continue**. 2. **Authorize integration**: * Select **Authorize**. Selecting **Authorize** will take you to the **Microsoft Sign in** page where you will have to enter your email address. * Once you enter your email address, select **Next**. * After selecting **Next**, the dashboard will show you a dialog box with a list of requested permissions. Select **Accept to authorize Email security**. Upon authorization, you will be redirected to a page where you can review details and enroll the integration. 3. **Review details**: Review your integration details, then: * Select **Complete Email security set up** where you will be able to connect your domains and configure auto-moves. * Select **Continue to Email security**. Continue with [Connect your domains](#connect-your-domains) for the next steps. ### Connect your domains On the **Set up Email security** page: 1. **Connect domains**: Select at least one domain. Then, select **Continue**. 2. (**Optional**) **Add manual domains**: Select **Add domain name** to manually enter additional domains. Then, select **Continue**. 3. (**Optional**) **Adjust hop count**: Enter the number of hops. Then, select **Continue**. 4. (**Optional**, select **Skip for now** to skip this step) **Move messages**: Refer to [Auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to configure auto-moves. Then, select **Continue**. 5. **Select your processing location**: Configure where you want Cloudflare to process your email. **Global** will be the default option. If you choose **Global**, `@CF-emailsecurity.com` will be your regional service address. Once you have chosen your processing location, select **Continue**. 6. **Review details**: Review your connected domains and service addresses. Then, select **Go to domains.** Your domains are now added successfully. To view your connected domains: 1. Go to **Settings**. 2. Locate your domain, select the three dots > **View domain**. Selecting **View domain** will display information about your domain. ## 2\. Configure journal rule 1. Log in to the [Microsoft Purview compliance portal ↗](https://compliance.microsoft.com/homepage). 2. On the sidebar, go to **Settings** (the gear icon) > **Data Lifecycle Management** \> **Exchange (legacy)**. 3. In **Send undeliverable journal reports to** enter the email address of a valid user account. Note that you cannot use a team or group address. Select **Save** once you entered the email address. 4. On the sidebar, go to **Solutions** \> **Data Lifecycle Management** \> **Exchange (legacy)**. 5. Select **Journal rules**. 6. Select **New rule** to configure a journaling rule, and configure it as follows: * **Send journal reports to**: This is the address you copied and pasted in step 5 of [Connect your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/#connect-your-domains). * **Journal rule name**: `Journal Messages to Email security` * **Journal messages sent or received from**: _Everyone_ * **Type of message to journal**: _External messages only_ 7. Select **Next**. 8. Verify the information is correct, and select **Submit** \> **Done**. Once saved, the rule is automatically active. However, it may take a few minutes for the configuration to propagate and start pushing messages to Email security. After it propagates, you can [monitor your inbox](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/) in the Cloudflare dashboard to check the number of messages processed. This number will grow as journaled messages are sent to Email security from your Exchange server. ## Verify successful deployment To verify that the deployment has been successful and that your emails are being scanned: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. Under **Your domains**, locate your domain, and verify that **Status** (which describes the state of the configuration) displays **Active**. ## Verify successful addition To verift that your domain has been added successfully and that your emails are being scanned: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. Under **Your domains**, locate your domain, and verify that **Status** is set to **Active**. The **Configured method** should be **BCC/Journaling**. ## Next steps [Enable logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to send detection data to an endpoint of your choice. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/","name":"Journaling setup"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/","name":"Microsoft 365 journaling setup"}}]} ``` --- --- title: Manually add domains description: This page will teach you how to manually add domains via BCC/Journaling on the Cloudflare dashboard. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/manual-add.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Manually add domains This page will teach you how to manually add domains via BCC/Journaling on the Cloudflare dashboard. This setup is ideal if your email provider is not Microsoft 365 or Google Workspace, or you do not want to directly integrate your account. Beware that manually add does not support [auto-move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) or [directory synchronization](https://developers.cloudflare.com/cloudflare-one/email-security/directories/). ## Prerequisites To use Email security, you will need to have: * A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up) * A [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization) * A domain to protect ## Manually add domains 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**. 2. Select **Overview**. If you have not purchased Email security, select **Contact Sales**. Otherwise, select **Set up** \> **BCC/Journaling**. 3. Select **Manual add**. ## Users with domains on Cloudflare On the **Set up Email security** page: 1. **Connect domains**: Select at least one domain. Then, select **Continue**. 2. (**Optional**) **Add manual domains**: Manually enter additional domains. Then, select **Continue**. 3. (**Optional**) **Adjust hop count**: Enter the number of hops, and then select **Continue**. 4. **Select your processing location**: Configure where you want Cloudflare to process your email. **Global** will be the default option. If you choose **Global**, `@CF-emailsecurity.com` will be your regional service address. Once you have chosen your processing location, select **Continue**. 5. **Review details**: Review your connected domains and regional service address. Then, select **Go to domains.** ## Users who do not have domains with Cloudflare If you do not have domains with Cloudflare, the Cloudflare dashboard will display two options: * Add a domain to Cloudflare. * Enter domain manually. ### Add a domain to Cloudflare Selecting **Add a domain to Cloudflare** will redirect you to a new page where you will connect your domain to Cloudflare. Once you have entered an existing domain, select **Continue**. ### Enter domain manually On the **Set up Email security** page: 1. **Connect domains**: Select at least one domain. Then, select **Continue**. 2. (**Optional**) **Add manual domains**: Manually enter additional domains. Then, select **Continue**. 3. (**Optional**) **Adjust hop count**: Enter the number of hops, and then select **Continue**. 4. **Configure service address with your third party email provider**: Copy and paste the service address into your third-party email provider to allow BCC/Journaling: `@CF-emailsecurity.com`. 5. **Review details**: Review your connected domains. Then, select **Go to domains.** ## Enable auto-moves To enable auto-move events, you will have to associate an integration. To associate an integration: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains** \> Select **View**. 3. On the **Domain management** page, locate your domain, select the three dots, then select **Associate an integration**. 4. Select **Connect an integration**. Follow the steps to [enable the Microsoft 365 integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration). 5. Select the three dots, then select **Associate an integration**. Select the integration, then select **Associate**. Now that your domain has an associated integration, enable [auto-move events](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) on your domain. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/","name":"Post-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/","name":"BCC/Journaling"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/","name":"Journaling setup"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/manual-add/","name":"Manually add domains"}}]} ``` --- --- title: Egress IPs description: When Email Security processes inbound messages through an MX/Inline deployment, it re-delivers the messages to your mailbox from its own IP addresses, known as egress IPs (the source addresses Cloudflare sends outbound mail from). Your existing email provider (such as Microsoft 365 or Google Workspace) needs to be configured to accept connections from these addresses, otherwise it will reject the messages as coming from an unauthorized sender. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Egress IPs When Email Security processes inbound messages through an [MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/), it re-delivers the messages to your mailbox from its own IP addresses, known as egress IPs (the source addresses Cloudflare sends outbound mail from). Your existing email provider (such as Microsoft 365 or Google Workspace) needs to be configured to accept connections from these addresses, otherwise it will reject the messages as coming from an unauthorized sender. Add all of the following addresses to your mail provider's IP allowlist. Additional information for Microsoft 365 Microsoft 365 does not support IPv6 addresses or the following IPv4 ranges: * `104.30.32.0/19` * `134.195.26.0/23` If you use Microsoft 365, use the individual `/24` blocks (256 addresses each) listed in [Microsoft 365 /24 addresses](#microsoft-365-24-addresses) instead. ### IPv4 ``` 52.11.209.211 52.89.255.11 52.0.67.109 54.173.50.115 104.30.32.0/19 158.51.64.0/26 158.51.65.0/26 134.195.26.0/23 35.157.195.63 52.58.35.43 ``` ### IPv6 ``` 2405:8100:c400::/38 ``` ## Microsoft 365 `/24` addresses Use these IPv4 addresses for Microsoft 365, instead of the `/19` and `/23` subnets: ``` 104.30.32.0/24 104.30.33.0/24 104.30.34.0/24 104.30.35.0/24 104.30.36.0/24 104.30.37.0/24 104.30.38.0/24 104.30.39.0/24 104.30.40.0/24 104.30.41.0/24 104.30.42.0/24 104.30.43.0/24 104.30.44.0/24 104.30.45.0/24 104.30.46.0/24 104.30.47.0/24 104.30.48.0/24 104.30.49.0/24 104.30.50.0/24 104.30.51.0/24 104.30.52.0/24 104.30.53.0/24 104.30.54.0/24 104.30.55.0/24 104.30.56.0/24 104.30.57.0/24 104.30.58.0/24 104.30.59.0/24 104.30.60.0/24 104.30.61.0/24 104.30.62.0/24 104.30.63.0/24 134.195.26.0/24 134.195.27.0/24 ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/","name":"Egress IPs"}}]} ``` --- --- title: MX/Inline deployment description: With pre-delivery deployment, also known as Inline deployment, Email security evaluates email messages before they reach a user's inbox. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ DNS ](https://developers.cloudflare.com/search/?tags=DNS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # MX/Inline deployment With pre-delivery deployment, also known as Inline deployment, Email security evaluates email messages before they reach a user's inbox. ![Inline deployment diagram](https://developers.cloudflare.com/_astro/Email_security_Deployment_Inline.Dsh4g8YD_fMdlm.webp) Before you change your MX records, you will have to set up the [Time to Live (TTL)](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/) on your DNS records. If you do not set up the TTL, the DNS propagation will take longer to happen. Cloudflare recommends to decrease the TTL to five minutes (also known as [Auto](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/#proxied-records)) 3 to 5 days prior to the planned MX record change. Reducing the TTL allows the DNS record to propagate ahead of time, so changes take effect rapidly. Once you have completed your onboarding process, you can choose to increase the TTL. When you have configured your TTL, you can deploy Email security via MX/Inline. An MX record is a [DNS record](https://developers.cloudflare.com/dns/manage-dns-records/). If your DNS records are hosted by Cloudflare (or any other provider, except for Google), you can [edit your DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/#edit-dns-records) via the dashboard or the API to point your MX records to Cloudflare. By changing your MX records, Email security will be positioned between your incoming emails and Microsoft 0365 or Gmail. Email security becomes a hop in the [SMTP ↗](https://www.cloudflare.com/en-gb/learning/email-security/what-is-smtp/) processing chain and physically interacts with incoming email messages. Based on your policies, various messages are blocked before reaching the inbox. When you choose an inline deployment, you get the following benefits: * Messages are processed and physically blocked before arriving in a user's mailbox. * Your deployment is simpler, because any complex processing can happen downstream and without modification. * Email security can modify delivered messages, adding subject or body mark-ups. * Email security can offer high availability and adaptive message pooling. * You can set up advanced handling downstream for non-quarantined messages with added X-headers. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/","name":"MX/Inline deployment"}}]} ``` --- --- title: Set up MX/Inline deployment description: To use Email security, you will need to have: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Set up MX/Inline deployment ## Prerequisites To use Email security, you will need to have: * A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up) * A [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization) * A domain to protect ## Initiate MX/Inline configuration 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security**. 3. Select **Overview**. Select one of the following options: * If you have not purchased Email security, select **Contact sales**. * If you have not associated any integration, [associate an integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#associate-an-integration), then select **Set up**. * If you have associated an integration, but have not connected a domain, select [**Connect a domain**](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#connect-a-domain). 1. Select **MX/Inline**. 2. To start the MX/Inline configuration, you will need to have completed the prerequisite setup on your email provider's platform. Once you have completed this step, select **I confirm that I have completed all the necessary requirements**. Then, select **Start configuration**. Note You can only onboard one domain at a time. ## Associate an integration MX/Inline does not require an integration for protection to be effective. However, it is a best practice to connect an integration. To associate an integration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Cloud & SaaS Integrations** \> **Integrations** 2. Select **Connect an integration**. 3. Select an application: Choose between **Google Workspace CASB + EMAIL**, or **Microsoft CASB + EMAIL**. * Refer to [Enable Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#1-create-a-service-account-in-your-gcp-project) if you select **Google Workspace CASB + EMAIL**. * Refer to [Enable Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration) if you select **Microsoft CASB + EMAIL**. 4. After you have associated an integration, go to **Email security** \> **Set up**. 5. Follow the instructions to [connect a domain](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#connect-a-domain). ## Connect a domain If you have verified zones on Cloudflare, continue with the following steps: 1. **Connect a domain**: Select your domain. Then, select **Continue**. 2. **Select position**: This step allows you to choose where Email security fits into your mail flow and configure position settings: * **Select position**: Choose between: * **Sit first (hop count = 1)**: Email security is the first server that receives the email. There are no other email scanners or services between the Internet and Cloudflare. * **Sit in the middle (hop count > 1)**: Email security sits anywhere other than the first position. Other servers receive emails _before_ Email security. There are other email scanners or email services in between. * **Position settings**: Refine how Email security receives and forwards emails: * **Forwarding address**: This is your mail flow next hop after Email security. This value is auto-filled, but you can still change it. * **Outbound TLS**: Choose between: 1. **Forward all messages over TLS** (recommended). 2. **Forward all messages using opportunistic TLS**. * Select **Continue**. 3. (**Optional**, select **Skip for now** to skip this step) **Configure quarantine policy**: Select dispositions to automatically prevent certain types of incoming messages from reaching a recipient's inbox. 4. (Optional) **Update MX records**: * Email security can automatically update MX records for domains that proxy traffic through Cloudflare. Under **Your mail processing location**, select your mail processing location. * You can also choose to allow Cloudflare to update MX records by selecting **I confirm that I allow Cloudflare to update to the new MX records**. When Email security updates MX records, we replace your original MX records with Email security MX records. * Select **Continue**. 5. **Review details**: Review your domain, then select **Go to domains**. ## Users who do not have domains with Cloudflare If you do not have domains with Cloudflare, the dashboard will display two options: * [Enter domain manually](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#enter-domain-manually). * [Add a domain to Cloudflare](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#add-a-domain-to-cloudflare). ## Enter domain manually 1. **Add domains**: Manually enter domain names. 2. **Review all domains**: Review all your domains, then select **Continue**. 3. **Verify your domains**: It may take up to 24 hours for your domains to be verified. Select **Done**. 4. Once your domains have been verified, the dashboard will display a message like this: **You have verified domains ready to connect to Email security**. This means that you can now set up Email security via MX/Inline. 5. Select **Set up**, then select **MX/Inline**. 6. Follow the steps to [initiate MX/Inline configuration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#initiate-mxinline-configuration). ### Add a domain to Cloudflare Selecting **Add a domain to Cloudflare** will redirect you to a new page where you will connect your domain to Cloudflare. Once you have entered an existing domain, select **Continue**. Then, follow the steps to [Set up MX/Inline](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/). ## Verify successful deployment To verify that the deployment has been successful and that your emails are being scanned: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**. 2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**. 3. Under **Your domains**, locate your domain, and verify that **Status** (which describes the state of the configuration) displays **Active**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/","name":"Set up MX/Inline deployment"}}]} ``` --- --- title: Partner domain TLS description: To add additional TLS (Transport Layer Security) requirements for emails coming from certain domains, you can enforce higher levels of SSL/TLS inspection. If TLS is required, mail without TLS from the specified domain will be dropped. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ TLS ](https://developers.cloudflare.com/search/?tags=TLS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/partner-domain-tls.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Partner domain TLS To add additional TLS (Transport Layer Security) requirements for emails coming from certain domains, you can enforce higher levels of SSL/TLS inspection. If TLS is required, mail without TLS from the specified domain will be dropped. Note To enforce TLS across all emails, you will need to enforce TLS requirements when you are onboarding your domain. To only enforce TLS for specific emails, you can do so by going to **Settings** \> **Partner domain TLS** \> **Add a domain**. To set up a partner domain: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and select **Email security**. 2. Select **Settings** \> **Partner domain TLS** \> **View**. 3. Select **Add a domain**. 4. Enter a valid domain name. You can also exclude subdomains by selecting **Add exclude**. 5. (Optional) Add an optional note to describe your rule(s). 6. Select **Save**. To edit a partner domain, select the three dots > **Edit**. To delete a partner domain, select the three dots > **Delete**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/partner-domain-tls/","name":"Partner domain TLS"}}]} ``` --- --- title: Cisco - Email security as MX Record description: In this tutorial, you will learn how to configure Cisco IronPort with Email security as MX record. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-email-security-mx.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Cisco - Email security as MX Record ![A schematic showing where Email security sits in the life cycle of an email received](https://developers.cloudflare.com/_astro/Cisco_to_Email_Security_MX_Inline.CY054jTO_Z1C8rNN.webp) In this tutorial, you will learn how to configure Cisco IronPort with Email security as MX record. ## Prerequisites To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying. Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting. Note Make TTL changes a few days before the production update, and wait at least as long as the old TTL values before making the update, since some senders might still be using the old cached values. To check your existing TTL, open a terminal window and run the following command against your domain: Terminal window ``` dig mx ``` ``` ; <<>> DiG 9.10.6 <<>> mx ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;. IN MX ;; ANSWER SECTION: . 300 IN MX 10 mxa.global.inbound.cf-emailsecurity.net. . 300 IN MX 10 mxb.global.inbound.cf-emailsecurity.net. ``` In the above example, TTL is shown in seconds as `300` (or five minutes). If you are using Cloudflare for DNS, you can leave the [TTL setting as **Auto**](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/). Below is a list with instructions on how to edit MX records for some popular services: * **Cloudflare**: [Set up email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/) * **GoDaddy**: [Edit an MX Record ↗](https://www.godaddy.com/help/edit-an-mx-record-19235) * **AWS**: [Creating records by using the Amazon Route 53 console ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) * **Azure**: [Create DNS records in a custom domain for a web app ↗](https://learn.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain) ## 1\. Add a Sender Group for Email security Email Protection IPs To add a new Sender Group: 1. Go to **Mail Policies** \> **HAT Overview**. 2. Select **Add Sender Group**. 3. Configure the new Sender Group as follows: * **Name**: `Email security`. * **Order**: Order above the existing **WHITELIST** sender group. * **Comment**: `Email security Email Protection egress IP Addresses`. * **Policy**: `TRUSTED` (by default, spam detection is disabled for this mail flow policy). * **SBRS**: Leave blank. * **DNS Lists**: Leave blank. * **Connecting Host DNS Verification**: Leave all options unchecked. 4. Select **Submit and Add Senders** and add the IP addresses mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) ## 2\. Configure Incoming Relays You need to configure the Incoming Relays section to tell IronPort to ignore upstream hops, since all the connections are now coming from Email security. This step is needed so the IronPort can retrieve the original IPs to calculate IP reputation. IronPort also uses this information in the Anti-Spam (IPAS) scoring of messages. 1. To enable the Incoming Relays Feature, select **Network** \> **Incoming Relays**. 2. Select **Enable** and commit your changes. 3. Now, you will have to add an Incoming Relay. Select **Network** \> **Incoming Relays**. 4. Select **Add Relay** and give your relay a name. 5. Enter the IP address of the MTA, MX, or other machine that connects to the email gateway to relay incoming messages. You can use IPv4 or IPv6 addresses. 6. Specify the `Received:` header that will identify the IP address of the original external sender. 7. Commit your changes. ## 3\. Disable SPF checks Make sure you disable Sender Policy Framework (SPF) checks in IronPort. Because Email security is acting as the MX record, if you do not disable SPF checks, IronPort will block emails due to an SPF failure. Refer to [Cisco's documentation ↗](https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117973-faq-esa-00.html) for more information on how to disable SPF checks. ## 4\. Set up MX/Inline Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to [Set up MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) for the next steps. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-email-security-mx/","name":"Cisco - Email security as MX Record"}}]} ``` --- --- title: Cisco - Cisco as MX Record description: In this tutorial, you will learn how to configure Email security with Cisco as MX record. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-mx.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Cisco - Cisco as MX Record ![A schematic showing where Email security is in the life cycle of an email received](https://developers.cloudflare.com/_astro/Cisco_to_Cisco_MX_Inline.T2fNxiw3_1dYDUm.webp) In this tutorial, you will learn how to configure Email security with Cisco as MX record. ## 1\. Add a Sender Group for Email security Email Protection IPs To add a new Sender Group: 1. Go to **Mail Policies** \> **HAT Overview**. 2. Select the **Add Sender Group** button. 3. Configure the new Sender Group as follows: * **Name**: `Email security`. * **Order**: Order above the existing **WHITELIST** sender group. * **Comment**: `Email security Email Protection egress IP Addresses`. * **Policy**: `TRUSTED` (by default, spam detection is disabled for this mail flow policy). * **SBRS**: Leave blank. * **DNS Lists**: Leave blank. * **Connecting Host DNS Verification**: Leave all options unchecked. 4. Select **Submit and Add Senders**, and add the IP addresses mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/). If you need to process emails in the EU or India regions for compliance purposes, add those IP addresses as well. ## 2\. Add SMTP route for the Email security Email Protection Hosts To add a new SMTP Route: 1. Go to **Network** \> **SMTP Routes**. 2. Select **Add Route**. 3. Configure the new SMTP Route as follows: * **Receiving Domain**: `a1s.mailstream` * In **Destination Hosts**, select **Add Row**, and add the Email security MX hosts. Refer to the [Geographic locations](#5-geographic-locations) table for more information on which MX hosts to use. ## 3\. Create Incoming Content Filters To manage the mail flow between Email security and Cisco ESA, you need two filters: * One to direct all incoming messages to Email security. * One to recognize messages coming back from Email security to route for normal delivery. ### Incoming Content Filter - To Email security To create a new Content Filter: 1. Go to **Mail Policies** \> **Incoming Content Filters**. 2. Select **Add Filter** to create a new filter. 3. Configure the new Incoming Content Filter as follows: * **Name**: `ESA_to_A1S` * **Description**: `Redirect messages to Email security for anti-phishing inspection` * **Order**: This will depend on your other filters. * **Condition**: No conditions. * **Actions**: * For **Action** select **Send to Alternate Destination Host**. * For **Mail Host** input `a1s.mailstream` (the SMTP route configured in step 2). ### Incoming Content Filter - From Email security To create a new Content Filter: 1. Go to **Mail Policies** \> **Incoming Content Filters**. 2. Select the **Add Filter** button to create a new filter. 3. Configure the new Incoming Content Filter as follows: * **Name**: `A1S_to_ESA` * **Description**: `Email security inspected messages for final delivery` * **Order**: This filter must come before the previously created filter. * **Conditions**: Add conditions of type **Remote IP/Hostname** with all the IP addresses mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/). For example: | Order | Condition | Rule | | ----- | ------------------ | ------------------ | | 1 | Remote IP/Hostname | Remote IP/Hostname | | 2 | Remote IP/Hostname | 52.89.255.11 | | 3 | Remote IP/Hostname | 52.0.67.109 | | 4 | Remote IP/Hostname | 54.173.50.115 | | 5 | Remote IP/Hostname | 104.30.32.0/19 | | 6 | Remote IP/Hostname | 158.51.64.0/26 | | 7 | Remote IP/Hostname | 158.51.65.0/26 | * Ensure that the _Apply rule:_ dropdown is set to **If one or more conditions match**. * **Actions**: Select **Add Action**, and add the following: | Order | Action | Rule | | ----- | --------------------------------------------- | -------------- | | \--1 | Skip Remaining Content Filters (Final Action) | skip-filters() | ## 4\. Add the Incoming Content Filter to the Inbound Policy table Assign the Incoming Content Filters created in [step 3](#3-create-incoming-content-filters) to your primary mail policy in the Incoming Mail Policy table. Then, commit your changes to activate the email redirection. ## 5\. Geographic locations When configuring the Email security MX records, it is important to configure hosts with the correct MX priority. This will allow mail flows to the preferred hosts and fail over as needed. Choose from the following Email security MX hosts, and order them by priority. For example, if you are located outside the US and want to prioritize email processing in the EU, add `mailstream-eu1.mxrecord.io` as your first host, and then the US servers. | Host | Location | Note | | -------------------------------------------------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------ | | mailstream-central.mxrecord.mx mailstream-east.mxrecord.io mailstream-west.mxrecord.io | US | Best option to ensure all email traffic processing happens in the US. | | mailstream-eu1.mxrecord.io | EU | Best option to ensure all email traffic processing happens in Germany, with backup to US data centers. | | mailstream-bom.mxrecord.mx | India | Best option to ensure all email traffic processing happens within India. | | mailstream-india-primary.mxrecord.mx | India | Same as mailstream-bom.mxrecord.mx, with backup to US data centers. | | mailstream-asia.mxrecord.mx | India | Best option to ensure all email traffic processing happens in India, with Australia data centers as backup. | | mailstream-syd.area1.cloudflare.net | Australia / New Zealand | Best option to ensure all email traffic processing happens within Australia. | | mailstream-australia-primary.area1.cloudflare.net | Australia / New Zealand | Best option to ensure all email traffic processing happens in Australia, with India and US data centers as backup. | ## 6\. Set up MX/Inline Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to [Set up MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) for the next steps. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-mx/","name":"Cisco - Cisco as MX Record"}}]} ``` --- --- title: Google Workspace as MX Record description: In this tutorial, you will learn how to configure Google Workspace with Email security as MX record. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Google ](https://developers.cloudflare.com/search/?tags=Google) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/gsuite-email-security-mx.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Google Workspace as MX Record ![A schematic showing where Email security is in the life cycle of an email received](https://developers.cloudflare.com/_astro/Email_Security_Gmail_MX_Inline.BySaw74N_r7mj1.webp) In this tutorial, you will learn how to configure Google Workspace with Email security as MX record. ## Prerequisites To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying. Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting. Note Make TTL changes a few days before the production update, and wait at least as long as the old TTL values before making the update, since some senders might still be using the old cached values. To check your existing TTL, open a terminal window and run the following command against your domain: Terminal window ``` dig mx ``` ``` ; <<>> DiG 9.10.6 <<>> mx ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;. IN MX ;; ANSWER SECTION: . 300 IN MX 10 mxa.global.inbound.cf-emailsecurity.net. . 300 IN MX 10 mxb.global.inbound.cf-emailsecurity.net. ``` In the above example, TTL is shown in seconds as `300` (or five minutes). If you are using Cloudflare for DNS, you can leave the [TTL setting as **Auto**](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/). Below is a list with instructions on how to edit MX records for some popular services: * **Cloudflare**: [Set up email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/) * **GoDaddy**: [Edit an MX Record ↗](https://www.godaddy.com/help/edit-an-mx-record-19235) * **AWS**: [Creating records by using the Amazon Route 53 console ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) * **Azure**: [Create DNS records in a custom domain for a web app ↗](https://learn.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain) ## Requirements * Provisioned Email security account. * Access to the Google administrator console ([Google administrator console ↗](https://admin.google.com/) \> **Apps** \> **Google Workspace** \> **Gmail**). * Access to the domain nameserver hosting the MX records for the domains that will be processed by Email security. ## 1\. Set up Inbound Email Configuration Set up [Inbound Email Configuration ↗](https://support.google.com/a/answer/60730?hl=en) with the following details: * In **Gateway IPs**, select the **Add** link, and add the IPs mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/). * Select **Automatically detect external IP (recommended)**. * Select **Require TLS for connections from the email gateways listed above**. * Do not select **Reject all mail not from gateway IPs**. You will enable this option at a later time to ensure your mail flows. * Select **SAVE**. ## 2\. (Optional) Set up an email quarantine [Set up an email quarantine ↗](https://support.google.com/a/answer/6104172?hl=en#add-new-quarantine) with the following details: * **Name**: Email security Malicious. * **Description**: Email security Malicious. * For the **Inbound denial consequence**, select **Drop message**. * For the **Outbound denial consequence**, select **Drop message**. * Select **SAVE**. To access the newly created quarantine, select **GO TO ADMIN QUARANTINE** or access the quarantine directly by pointing your browser to [https://email-quarantine.google.com/adminreview ↗](https://email-quarantine.google.com/adminreview). ## 3\. (Optional) Create a content compliance filter Go to **Compliance**, and create a [content compliance filter ↗](https://support.google.com/a/answer/1346934?hl=en#zippy=%2Cstep-go-to-gmail-compliance-settings-in-the-google-admin-console%2Cstep-enter-email-messages-to-affect) to send malicious messages to quarantine. Enter the following details: * **Content compliance**: Add `Quarantine Email security Malicious`. * **Email messages to affect**: Select **Inbound**. * **Add expressions that describe the content you want to search for in each message**: * Select **Add** to add the condition. * In **Simple content match**, select **Advanced content match**. * In **Location**, select **Full headers**. * In **Match type**, select **Contains text**. * In **Content**, enter `X-CFEmailSecurity-Disposition: MALICIOUS`. * Select **SAVE** to save the condition. * If the above expression match, do the following, select **Quarantine message** and the **Email security Malicious** quarantine that was created in the previous step. * Select **SAVE**. If you would like to quarantine the other dispositions, repeat the above steps and use the following strings for the other dispositions: * `X-CFEmailSecurity-Disposition: BULK` * `X-CFEmailSecurity-Disposition: SPOOF` * `X-CFEmailSecurity-Disposition: UCE` (`UCE` is the equivalent of `SPAM`) If desired, you can create a separate quarantine for each of the dispositions. ## 4\. Set up MX/Inline Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to [Set up MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) for the next steps. ## 5\. (Recommended) Secure Google Workspace from MX records bypass One method of a DNS attack is to search for old MX records and send phishing emails directly to the mail server. To secure the email flow, you should enforce an email flow where inbound messages are accepted by Google Workspace only when they originate from Email security. This can be done by adding a connector to only allow email from Email security with TLS encryption. This step is optional but recommended. Important This step should not be performed until 72 hours after all domains in your Google Workspace have been onboarded to Email security, and Email security is their MX record. If a domain has not been onboarded or DNS is still propagating, you will impact production email flow for that domain. After 72 hours, the MX record DNS update will have sufficiently propagated across the Internet. It is now safe to secure your email flow. This will ensure that Google Workspace only accepts messages that are first received by Email security. This step is highly recommended to prevent threat actors from using cached MX entries to bypass Email security by injecting messages directly into Google Workspace. 1. Access the [Google Administrative Console ↗](https://admin.google.com/), then select **Apps** \> **Google Workspace** \> **Gmail**. 2. Select **Spam, Phishing and Malware**. 3. Go to **Inbound gateway** and select **Edit Inbound gateway**. 4. Enable **Reject all mail not from gateway IPs** and select **Save**. 5. Select **Save** once more to commit and activate the configuration change in the Gmail advanced configuration console. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/gsuite-email-security-mx/","name":"Google Workspace as MX Record"}}]} ``` --- --- title: Microsoft 365 as MX Record description: In this tutorial, you will learn how to configure Microsoft 365 with Email security as its MX record. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Microsoft 365 as MX Record ![A schematic showing where Email security is in the life cycle of an email received](https://developers.cloudflare.com/_astro/Email_security_M365_MX_Inline.BeUQoQiv_Z2khods.webp) In this tutorial, you will learn how to configure Microsoft 365 with Email security as its MX record. ## Prerequisites To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying. Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting. Note Make TTL changes a few days before the production update, and wait at least as long as the old TTL values before making the update, since some senders might still be using the old cached values. To check your existing TTL, open a terminal window and run the following command against your domain: Terminal window ``` dig mx ``` ``` ; <<>> DiG 9.10.6 <<>> mx ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;. IN MX ;; ANSWER SECTION: . 300 IN MX 10 mxa.global.inbound.cf-emailsecurity.net. . 300 IN MX 10 mxb.global.inbound.cf-emailsecurity.net. ``` In the above example, TTL is shown in seconds as `300` (or five minutes). If you are using Cloudflare for DNS, you can leave the [TTL setting as **Auto**](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/). Below is a list with instructions on how to edit MX records for some popular services: * **Cloudflare**: [Set up email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/) * **GoDaddy**: [Edit an MX Record ↗](https://www.godaddy.com/help/edit-an-mx-record-19235) * **AWS**: [Creating records by using the Amazon Route 53 console ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) * **Azure**: [Create DNS records in a custom domain for a web app ↗](https://learn.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain) ## 1\. Add Email security IP addresses to Allow List 1. Go to the [Anti-spam policies page ↗](https://security.microsoft.com/antispam) \> Select **Edit connection filter policy**. 2. In **Always allow messages from the following IP addresses or address range**, add IP addresses and CIDR blocks mentioned in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. 3. Select **Save**. 4. Microsoft recommends disabling SPF Hard fail when an email solution is placed in front of it: * Return to the [Anti-spam option ↗](https://security.microsoft.com/antispam). * Select **Default anti-spam policy**. * Select **[Edit spam threshold and properties ↗](https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-complaint-level-bcl-about)** \> **Mark as spam** \> **SPF record: hard fail**, and ensure it is set to **Off**. 5. Select **Save**. ## 2\. Configure Enhanced Filtering ### Create an inbound connector 1. [Set up a connector ↗](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#1-set-up-a-connector-from-your-email-server-to-microsoft-365-or-office-365). 2. Select **Partner organization** under **Connection from**. * Provide a name for the connector: * **Name**: `Email security Inbound Connector` * **Description**: `Inbound connector for Enhanced Filtering` 3. In **Authenticating sent email**, select **By verifying that the IP address of the sending server matches one of the following IP addresses, which belongs to your partner organization.** 4. Enter all of the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. 5. In **Security restrictions**, accept the default **Reject email messages if they aren't sent over TLS** setting. ### Enable enhanced filtering Now that the inbound connector has been configured, you will need to enable the enhanced filtering configuration of the connector. 1. Go to the [Security admin console ↗](https://security.microsoft.com/homepage), and [enable enhanced filtering ↗](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#use-the-microsoft-defender-portal-to-configure-enhanced-filtering-for-connectors-on-an-inbound-connector). 2. Select **Automatically detect and skip the last IP address** and **Apply to entire organization**. 3. Select **Save**. ## 3\. Configure anti-spam policies To configure anti-spam policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Policies**, select **Anti-spam**. 5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox). 6. In **Actions**, scroll down and select **Edit actions**. 7. Set the following conditions and actions (you might need to scroll up or down to find them): * **Spam**: _Move messages to Junk Email folder_. * **High confidence spam**: _Quarantine message_. * **Select quarantine policy**: _AdminOnlyAccessPolicy_. * **Phishing**: _Quarantine message_. * **Select quarantine policy**: _AdminOnlyAccessPolicy_. * **High confidence phishing**: _Quarantine message_. * **Select quarantine policy**: _AdminOnlyAccessPolicy_. * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days. * Select the spam actions in the above step: 1. Select **Save**. ## 4\. Create transport rules To create the transport rules that will send emails with certain [dispositions](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to Email security: 1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage). 2. Go to **Mail flow** \> **Rules**. 3. Select **Add a Rule** \> **Create a new rule**. 4. Set the following rule conditions: * **Name**: _Email Security Deliver to Junk Email folder_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: `BULK` \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/). * **Do the following** \- _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _5_. 5. Select **Next**. 6. You can use the default values on this screen. Select **Next**. 7. Review your settings and select **Finish** \> **Done**. 8. Select the rule **Email security Deliver to Junk Email folder** you have just created, and **Enable**. 9. Select **Add a Rule** \> **Create a new rule**. 10. Set the following rule conditions: * **Name**: `Email security Deliver to Junk Email folder`. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: `MALICIOUS`, `UCE`, `SPOOF` \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/). * **Do the following**: _Redirect the message to_ \> _hosted quarantine_. 11. Select **Next**. 12. You can use the default values on this screen. Select **Next**. 13. Review your settings and select **Finish** \> **Done**. 14. Select the rule you have just created, and select **Enable**. ## 5\. Set up MX/Inline Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to [Set up MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) for the next steps. ## 6\. (Recommended) Secure Microsoft 365 from MX records bypass One method of a DNS attack is to search for old MX records and send phishing emails directly to the mail server. To secure the email flow, you should enforce an email flow where inbound messages are accepted by Microsoft 365 only when they originate from Email security. This can be done by adding a connector to only allow email from Email security with TLS encryption. This step is optional but recommended. Important This step should not be performed until 72 hours after all domains in your Microsoft 365 organization have been onboarded to Email security, and Email security is their MX record. If a domain has not been onboarded or DNS is still propagating, you will impact production email flow for that domain. #### Create Connector 1. Go to the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage). 2. Go to **Mail flow** \> **Connectors**. 3. Select **Add a connector**. 4. Go to **Connection from** \> **Partner organization**. 5. Select **Next**. 6. Set the following options: * **Name** \- `Secure M365 Inbound` * **Description** \- `Only accept inbound email from Email security` 7. Select **Next**. 8. Make sure **By Verifying that the sender domain matches one of the following domains** is selected. 9. Enter `*` in the text field, and select **+**. 10. Select **Next**. 11. Make sure **Reject email messages if they aren't sent over TLS** is selected. 12. Still in the same screen, select **Reject email messages if they aren't sent from within this IP address range**, and enter all the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. 13. Select **Next**. 14. Review your settings and select **Create connector**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/","name":"Microsoft 365 as MX Record"}}]} ``` --- --- title: 5 - Junk email folder and administrative quarantine description: In this tutorial, you will learn to deliver BULK messages to the user's junk email folder, and MALICIOUS, SPAM, and SPOOF messages to the Administrative Quarantine (this requires an administrator to release the emails). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/five-junk-admin-quarantine.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # 5 - Junk email folder and administrative quarantine In this tutorial, you will learn to deliver `BULK` messages to the user's junk email folder, and `MALICIOUS`, `SPAM`, and `SPOOF` messages to the Administrative Quarantine (this requires an administrator to release the emails). ## Configure anti-spam policies To configure anti-spam policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Policies**, select **Anti-spam**. 5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox). 6. In **Actions**, scroll down and select **Edit actions**. 7. Set the following conditions and actions (you might need to scroll up or down to find them): * **Spam**: _Move messages to Junk Email folder_. * **High confidence spam**: _Quarantine message_. * **Select quarantine policy**: \_AdminOnlyAccessPolicy\_. * **Phishing**: _Quarantine message_. * **Select quarantine policy**: \_AdminOnlyAccessPolicy\_. * **High confidence phishing**: _Quarantine message_. * **Select quarantine policy**: \_AdminOnlyAccessPolicy\_. * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days. * Select the spam actions in the above step. 1. Select **Save**. ## Create transport rules To create the transport rules that will send emails with certain [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to Email security: 1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage). 2. Go to **Mail flow** \> **Rules**. 3. Select **Add a Rule** \> **Create a new rule**. 4. Set the following rule conditions: * **Name**: _Email security Deliver to Junk Email folder\`_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: `BULK` \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following** \- _\_Modify the message properties\_ > \_Set the Spam Confidence Level (SCL)\_ > \_5\__. 5. Select **Next**. 6. You can use the default values on this screen. Select **Next**. 7. Review your settings and select **Finish** \> **Done**. 8. Select the rule Email security Deliver to Junk Email folder\` you have just created, and **Enable**. 9. Select **Add a Rule** \> **Create a new rule**. 10. Set the following rule conditions: * **Name**: _\`Email security Admin Managed Host Quarantine\`_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: _\`MALICIOUS\`, \`UCE\`, \`SPOOF\`_ \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following**: _\_Redirect the message to\_ > \_hosted quarantine\__. 11. Select **Next**. 12. You can use the default values on this screen. Select **Next**. 13. Review your settings and select **Finish** \> **Done**. 14. Select the rule _\`Email security Admin Managed Host Quarantine\`_ you have just created, and select **Enable**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/","name":"Microsoft 365 as MX Record"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/","name":"Use cases"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/five-junk-admin-quarantine/","name":"5 - Junk email folder and administrative quarantine"}}]} ``` --- --- title: 4 - User managed quarantine and administrative quarantine description: In this tutorial, you will learn to deliver SPAM and SPOOF messages to the user managed quarantine, and MALICIOUS messages to the administrative quarantine (this requires an administrator to release the emails). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/four-user-quarantine-admin-quarantine.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # 4 - User managed quarantine and administrative quarantine In this tutorial, you will learn to deliver `SPAM` and `SPOOF` messages to the user managed quarantine, and `MALICIOUS` messages to the administrative quarantine (this requires an administrator to release the emails). ## Create quarantine policies To create quarantine policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Rules**, select **Quarantine policies**. 5. Select **Add custom policy**. 6. Set the **Policy name** to `UserNotifyUserRelease`. 7. Select **Next**. 8. In **Recipient message access**, select **Set specific access (Advanced)**, and then: * In **Select release action preference**, choose _Allow recipients to release a message from quarantine_. * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes. 9. Select **Next**. 10. In **Quarantine notification**, select **Enable**. 11. Select **Next**. 12. Review your settings and select **Submit**. 13. Select **Done**. 14. Select **Add custom policy**. 15. Set the **Policy name** to `UserNotifyAdminRelease`. 16. Select **Next**. 17. In **Recipient message access**, select **Set specific access (Advanced)**, and then: * In **Select release action preference**, from the drop-down menu, choose _Allow recipients to request a message to be released from quarantine_. * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes. 18. Select **Next**. 19. In **Quarantine notification**, select **Enable**. 20. Select **Next**. 21. Review your settings and select **Submit**. 22. Select **Done**. ## Configure quarantine notifications To configure quarantine notifications: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Rules**, select **Quarantine policies**. 5. Select **Global settings**. 6. Scroll to the bottom and set the desired frequency in **Send end-user spam notifications every (days)**. This value can only be incremented in days. 7. Select **Save**. ## Configure anti-spam policies To configure anti-spam policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/) 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Policies**, select **Anti-spam**. 5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox). 6. In the **Actions** section, scroll down and select **Edit actions**. 7. Set the following conditions and actions (you might need to scroll up or down to find them): * **Spam**: _Quarantine message_. * **Select quarantine policy**: _UserNotifyUserRelease_. * **High confidence spam**: _Quarantine message_. * **Select quarantine policy**: _UserNotifyAdminRelease_. * **Phishing**: _Quarantine message_. * **Select quarantine policy**: _UserNotifyAdminRelease_. * **High confidence phishing**: _Quarantine message_. * **Select quarantine policy**: _UserNotifyAdminRelease_. * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days. 8. Select **Save**. ## Create transport rules To create the transport rules that will send emails with certain [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to Email security: 1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage). 2. Go to **Mail flow** \> **Rules**. 3. Select **Add a Rule** \> **Create a new rule**. 4. Set the following rule conditions: * **Name**: _\`Email security User Quarantine Message\`_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: `` `UCE`, `SPOOF` `` \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following** \- _\_Modify the message properties\_ > \_Set the Spam Confidence Level (SCL)\_ > \_5\__. 5. Select **Next**. 6. You can use the default values on this screen. Select **Next**. 7. Review your settings and select **Finish** \> **Done**. 8. Select the rule \`Email security User Quarantine Message\` you have just created, and **Enable**. 9. Select **Add a Rule** \> **Create a new rule**. 10. Set the following rule conditions: * **Name**: _\`Email security User Quarantine Message Admin Release\`_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: _\`MALICIOUS\`_ \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following**: _\_Modify the message properties\_ > \_Set the Spam Confidence Level (SCL)\_ > \_9\__. 11. Select **Next**. 12. You can use the default values on this screen. Select **Next**. 13. Review your settings and select **Finish** \> **Done**. 14. Select the rule _\`Email security User Quarantine Message Admin Release\`_ you have just created, and select **Enable**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/","name":"Microsoft 365 as MX Record"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/","name":"Use cases"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/four-user-quarantine-admin-quarantine/","name":"4 - User managed quarantine and administrative quarantine"}}]} ``` --- --- title: 1 - Junk email and Email security Admin Quarantine description: In this tutorial, you will learn how to deliver emails to the Microsoft 365 junk email folder and the Admin Quarantine in Email security. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/one-junk-admin-quarantine.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # 1 - Junk email and Email security Admin Quarantine In this tutorial, you will learn how to deliver emails to the Microsoft 365 junk email folder and the Admin Quarantine in Email security. ## Create quarantine policies To create quarantine policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/) 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Rules**, select **Quarantine policies**. 5. Select **Add custom policy**. 6. Set the **Policy name** to `UserNotifyAdminRelease`. 7. Select **Next**. 8. In **Recipient message access**, select **Set specific access (Advanced)**, and then: * In **Select release action preference**, choose _Allow recipients to request a message to be released from quarantine_. * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes. 9. Select **Next**. 10. In **Quarantine notification**, select **Enable**. 11. Select **Next**. 12. Review your settings and select **Submit**. 13. Select **Done**. ## Configure quarantine notifications To configure quarantine notifications: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Rules**, select **Quarantine policies**. 5. Select **Global settings**. 6. Scroll to the bottom and set the desired frequency in **Send end-user spam notifications every (days)**. This value can only be incremented in days. 7. Select **Save**. ## Configure anti-spam policies To configure anti-spam policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Policies**, select **Anti-spam**. 5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox). 6. In **Actions**, scroll down and select **Edit actions**. 7. Set the following conditions and actions (you might need to scroll up or down to find them): * **Spam**: _Move messages to Junk Email folder_. * **High confidence spam**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyAdminRelease\_. * **Phishing**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyAdminRelease\_. * **High confidence phishing**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyAdminRelease\_. * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days. * Select the spam actions in the above step. 1. Select **Save**. ## Create transport rules To create the transport rules that will send emails with certain dispositions to Email security: 1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage). 2. Go to **Mail flow** \> **Rules**. 3. Select **Add a Rule** \> **Create a new rule**. 4. Set the following rule conditions: * **Name**: `Email security Deliver to Junk Email folder`. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: `BULK` \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following** \- _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _5_. 5. Select **Next**. 6. You can use the default values on this screen. Select **Next**. 7. Review your settings and select **Finish** \> **Done**. 8. Select the rule `Email security Deliver to Junk Email folder` you have just created, and select **Enable**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/","name":"Microsoft 365 as MX Record"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/","name":"Use cases"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/one-junk-admin-quarantine/","name":"1 - Junk email and Email security Admin Quarantine"}}]} ``` --- --- title: 3 - Junk email and administrative quarantine description: In this tutorial, you will learn how to deliver BULK messages to the users's junk email folder, and MALICIOUS, SPAM, and SPOOF messages to the administrative quarantine (this requires an administrator to release the emails). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/three-junk-admin-quarantine.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # 3 - Junk email and administrative quarantine In this tutorial, you will learn how to deliver `BULK` messages to the users's junk email folder, and `MALICIOUS`, `SPAM`, and `SPOOF` messages to the administrative quarantine (this requires an administrator to release the emails). ## Create quarantine policies To create quarantine policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/) 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Rules**, select **Quarantine policies**. 5. Select **Add custom policy**. 6. Set the **Policy name** to `UserNotifyAdminRelease`. 7. Select **Next**. 8. In **Recipient message access**, select **Set specific access (Advanced)**, and then: * In **Select release action preference**, choose _Allow recipients to request a message to be released from quarantine_. * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes. 9. Select **Next**. 10. In **Quarantine notification**, select **Enable**. 11. Select **Next**. 12. Review your settings and select **Submit**. 13. Select **Done**. ## Configure quarantine notifications To configure quarantine notifications: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Rules**, select **Quarantine policies**. 5. Select **Global settings**. 6. Scroll to the bottom and set the desired frequency in **Send end-user spam notifications every (days)**. This value can only be incremented in days. 7. Select **Save**. ## Configure anti-spam policies To configure anti-spam policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Policies**, select **Anti-spam**. 5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox). 6. In **Actions**, scroll down and select **Edit actions**. 7. Set the following conditions and actions (you might need to scroll up or down to find them): * **Spam**: _Move messages to Junk Email folder_. * **High confidence spam**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyAdminRelease\_. * **Phishing**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyAdminRelease\_. * **High confidence phishing**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyAdminRelease\_. * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days. * Select the spam actions in the above step. 1. Select **Save**. ## Create transport rules To create the transport rules that will send emails with certain [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to Email security: 1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage). 2. Go to **Mail flow** \> **Rules**. 3. Select **Add a Rule** \> **Create a new rule**. 4. Set the following rule conditions: * **Name**: _\`Email security Deliver to Junk Email folder\`_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: `BULK` \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following** \- _\_Modify the message properties\_ > \_Set the Spam Confidence Level (SCL)\_ > \_5\__. 5. Select **Next**. 6. You can use the default values on this screen. Select **Next**. 7. Review your settings and select **Finish** \> **Done**. 8. Select the rule \`Email security Deliver to Junk Email folder\` you have just created, and **Enable**. 9. Select **Add a Rule** \> **Create a new rule**. 10. Set the following rule conditions: * **Name**: _\`Email security User Quarantine Message\`_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: _\`MALICIOUS\`, \`UCE\`, \`SPOOF\`_ \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following**: _\_Modify the message properties\_ > \_Set the Spam Confidence Level (SCL)\_ > \_9\__. 11. Select **Next**. 12. You can use the default values on this screen. Select **Next**. 13. Review your settings and select **Finish** \> **Done**. 14. Select the rule _\`Email security User Quarantine Message\`_ you have just created, and select **Enable**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/","name":"Microsoft 365 as MX Record"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/","name":"Use cases"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/three-junk-admin-quarantine/","name":"3 - Junk email and administrative quarantine"}}]} ``` --- --- title: 2 - Junk email and user managed quarantine description: In this tutorial, you will learn how to deliver BULK messages to the user's junk folder, and SPAM and SPOOF messages to the user managed quarantine. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/two-junk-user-quarantine.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # 2 - Junk email and user managed quarantine In this tutorial, you will learn how to deliver `BULK` messages to the user's junk folder, and `SPAM` and `SPOOF` messages to the user managed quarantine. ## Create quarantine policies To create quarantine policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Rules**, select **Quarantine policies**. 5. Select **Add custom policy**. 6. Set the **Policy name** to `UserNotifyUserRelease`. 7. Select **Next**. 8. In **Recipient message access**, select **Set specific access (Advanced)**, and then: * In **Select release action preference**, choose _Allow recipients to release a message from quarantine_. * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes. 9. Select **Next**. 10. In **Quarantine notification**, select **Enable**. 11. Select **Next**. 12. Review your settings and select **Submit**. 13. Select **Done**. 14. Select **Add custom policy**. 15. Set the **Policy name** to `UserNotifyAdminRelease`. 16. Select **Next**. 17. In **Recipient message access**, select **Set specific access (Advanced)**, and then: * In **Select release action preference**, from the drop-down menu, choose _Allow recipients to request a message to be released from quarantine_. * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes. 18. Select **Next**. 19. In **Quarantine notification**, select **Enable**. 20. Select **Next**. 21. Review your settings and select **Submit**. 22. Select **Done**. ## Configure quarantine notifications To configure quarantine notifications: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Rules**, select **Quarantine policies**. 5. Select **Global settings**. 6. Scroll to the bottom and set the desired frequency in **Send end-user spam notifications every (days)**. This value can only be incremented in days. 7. Select **Save**. ## Configure anti-spam policies To configure anti-spam policies: 1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/). 2. Go to **Email & collaboration** \> **Policies & rules**. 3. Select **Threat policies**. 4. Under **Policies**, select **Anti-spam**. 5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox). 6. In **Actions**, scroll down and select **Edit actions**. 7. Set the following conditions and actions (you might need to scroll up or down to find them): * **Spam**: _Move messages to Junk Email folder_. * **High confidence spam**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyUserRelease\_. * **Phishing**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyAdminRelease\_. * **High confidence phishing**: _Quarantine message_. * **Select quarantine policy**: \_UserNotifyAdminRelease\_. * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days. * Select the spam actions in the above step. 1. Select **Save**. ## Create transport rules To create the transport rules that will send emails with certain [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to Email security: 1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage). 2. Go to **Mail flow** \> **Rules**. 3. Select **Add a Rule** \> **Create a new rule**. 4. Set the following rule conditions: * **Name**: _\`Email security Deliver to Junk Email folder\`_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: `BULK` \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following** \- _\_Modify the message properties\_ > \_Set the Spam Confidence Level (SCL)\_ > \_5\__. 5. Select **Next**. 6. You can use the default values on this screen. Select **Next**. 7. Review your settings and select **Finish** \> **Done**. 8. Select the rule \`Email security Deliver to Junk Email folder\` you have just created, and **Enable**. 9. Select **Add a Rule** \> **Create a new rule**. 10. Set the following rule conditions: * **Name**: _\`Email security User Quarantine Message\`_. * **Apply this rule if**: _The message headers_ \> _includes any of these words_. * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**. * **Enter words**: _\`UCE\`, \`SPOOF\`_ \> **Add** \> **Save**. * **Apply this rule if**: Select **+** to add a second condition. * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page. * **Do the following**: _\_Modify the message properties\_ > \_Set the Spam Confidence Level (SCL)\_ > \_9\__. 11. Select **Next**. 12. You can use the default values on this screen. Select **Next**. 13. Review your settings and select **Finish** \> **Done**. 14. Select the rule _\`Email security User Quarantine Message\`_ you have just created, and select **Enable**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/","name":"Pre-delivery deployment"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/","name":"Prerequisites"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/","name":"Microsoft 365 as MX Record"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/","name":"Use cases"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/use-cases/two-junk-user-quarantine/","name":"2 - Junk email and user managed quarantine"}}]} ``` --- --- title: Submissions description: Submitting messages allows you to choose the disposition of your messages if the disposition is incorrect. This helps improve Email security's detection accuracy and ensures proper handling of email threats. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/submissions/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Submissions Submitting messages allows you to choose the disposition of your messages if the disposition is incorrect. This helps improve Email security's detection accuracy and ensures proper handling of email threats. ## Submit messages for review To submit a message for review: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** and select **Investigation**. 2. On the **Investigation** page, under **Your matching messages**, select the message you want to reclassify. 3. Select the three dots, then select **Submit for review**. 4. Under **New disposition**, select among the following: * **Malicious**: Traffic invoked multiple phishing verdict triggers, met thresholds for bad behavior, and is associated with active campaigns. * **Spoof**: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies (SPF, DKIM, DMARC) or has mismatching Envelope From and `Header From` values. * **Spam**: Traffic associated with non-malicious, commercial campaigns. * **Bulk**: Traffic associated with [Graymail ↗](https://en.wikipedia.org/wiki/Graymail%5F%28email%29), that falls in between the definitions of `SPAM` and `SUSPICIOUS`. For example, a marketing email that intentionally obscures its unsubscribe link. * **Clean**: Traffic not associated with any phishing campaigns. 5. Select **Save**. To submit messages in bulk, select **Select all messages** \> **Action** \> **Request submissions**. To release messages in bulk, select **Select all messages** \> **Action** \> **Release**. ## Upload EML files Email security classifies certain emails as "Clean". If you disagree with the disposition, you can upload an EML file and reclassify the email. On the **Investigation** page: 1. Go to the email marked as **Clean**. 2. Select the three dots > **Submit for review**. 3. Upload the EML file. 4. Select a new disposition. 5. Select **Save**. ## View submissions Once you have submitted your messages, you can access those on **Submissions**. To view submissions: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security** \> **Submissions**. 3. Choose from the following submission types: * [**Team submissions**](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/team-submissions/): View emails your security team submitted for submissions. * [**User submissions**](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/): View emails your users submitted for submissions. * [**Invalid submissions**](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/invalid-submissions/): View submissions that could not be processed. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/submissions/","name":"Submissions"}}]} ``` --- --- title: Invalid submissions description: A submission is invalid when: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/submissions/invalid-submissions.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Invalid submissions A submission is invalid when: * A submission has no EML file attached. * A submission has been made with an incorrect file extension. * A submission was made to the wrong team or user alias. To ensure your submission is valid: * Ensure your submission has a file attached with a `.eml` file extension. * Ensure you configure the domain you are submitting emails for. * Ensure policies are configured correctly. To view invalid submissions: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security** \> **Submissions**. 3. Select **Invalid submissions**. You can search by submission ID or submitted email. You can filter based on **Date Range** and **Submitted by** (which will list emails that made the invalid submissions). Once you have configured your desired filters, select **Apply filters**. ## Enable notifications To enable Invalid submission email notifications: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security** \> **Settings**. 3. Go to **Invalid submission emails** and turn on **Invalid submission email notifications**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/submissions/","name":"Submissions"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/submissions/invalid-submissions/","name":"Invalid submissions"}}]} ``` --- --- title: Team submissions description: Team submissions are the emails your security team submitted for submission. All team submissions receive a human review by Cloudflare. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/submissions/team-submissions.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Team submissions Team submissions are the emails your security team submitted for submission. All team submissions receive a human review by Cloudflare. ## View team submissions To view team submissions: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security** \> **Submissions**. 3. Select **Team submissions**. ## Filter team submissions Select among the following filters: * **Date Range**: You can select a date range from the last 7, last 30, and last 90 days. * **Original disposition**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values). * **Submitted as**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values). * **Final disposition**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values). * **Escalation**: Filter by team submissions that have been escalated or not. Select among `Yes`, `No`, or `All`. Once you have selected all the filters, select **Apply filters**. The dashboard will populate the table with the list of emails your security team submitted for submission, including a **Submission ID**, and the **Email subject**. ## View submission details To gain more details on a specific submission: 1. Go to the submission you want to have more details for. 2. Select the three dots > select among **View more**, **View email message** and **View similar details**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/submissions/","name":"Submissions"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/submissions/team-submissions/","name":"Team submissions"}}]} ``` --- --- title: User submissions description: User submissions are the emails your users submitted for submission. User submissions help enhance our detection model, but can be escalated for human review. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/submissions/user-submissions.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # User submissions User submissions are the emails your users submitted for submission. User submissions help enhance our detection model, but can be escalated for human review. Any email that is reported as [phish](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/#reclassify-an-email) will be displayed under **User submissions**. Note [PhishGuard](https://developers.cloudflare.com/cloudflare-one/email-security/phishguard/) customers can have submissions analyzed when submitting at either user or team level. Any non-PhishGuard customer can still have submissions analyzed by submitting at team level. ## View user submissions To view user submissions: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/). 2. Select **Email security** \> **Submissions**. 3. Select **User submissions**. ## Filter user submissions Select among the following filters: * **Date Range**: Select a date range from the last 7, last 30, and last 90 days. * **Original disposition**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values). * **Submitted as**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values). Once you have selected all the filters, select **Apply filters**. The dashboard will populate the table with the list of emails your users submitted for submission, including a **Submission ID**, and the **Email subject**. ## View submission details To gain more details on a specific submission: 1. Go to the submission you want to have more details for. 2. Select the three dots > select among **View more**, **View email message**, **View similar details**, and **Escalate**. ## Escalate a submission To escalate a submission: 1. Go to the submission you want to escalate. 2. Select the three dots > select **Escalate**. 3. The dashboard will display a message to authorize escalation. Select **Escalate**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/submissions/","name":"Submissions"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/email-security/submissions/user-submissions/","name":"User submissions"}}]} ``` --- --- title: Troubleshoot Email security description: Resolve common issues with Cloudflare Email security, including delivery delays, false positives, and DMARC authentication errors. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/email-security/troubleshooting.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshoot Email security Review common troubleshooting scenarios for Cloudflare Email Security. ## Email headers and attributes Email Security identifies threats using detections that result in a final disposition. You can inspect email headers to understand why a specific disposition was applied. | Attribute | Description | | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | CUSTOM\_BLOCK\_LIST | Matches a value defined in your custom block list. | | NEW\_DOMAIN\_SENDER | The email was sent from a newly registered domain. | | NEW\_DOMAIN\_LINK | The email contains links to a newly registered domain. | | ENCRYPTED | The email message is encrypted. | | BEC | The sender address is in your [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). | ## Detections and reclassification ### Handle a false positive A false positive occurs when a legitimate email is incorrectly flagged as malicious or spam. **Solution**: 1. In the Email Security dashboard, go to **Investigation**. 2. Find the email and select **Submit for reclassification**. 3. Choose the correct disposition (for example, `Clean`). 4. To prevent future blocks, add the sender to your [Acceptable Senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) list. ### Handle a false negative A false negative occurs when a malicious email is not detected by Email Security. **Solution**: 1. Ensure the email actually passed through Email Security by checking for the `X-CFEmailSecurity-Disposition` header. 2. Submit the email for reclassification in the dashboard. This is the preferred method for reporting missed detections. ## Authentication errors ### DMARC failures Email Security may mark an email as **SPAM** if it fails DMARC authentication and the sending domain has a `p=reject` or `p=quarantine` policy. **Solution**: * Ask the sender to fix their DMARC/SPF/DKIM records. * Configure an [Acceptable Sender](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) entry to suppress the failure for that specific sender. ## Delivery issues ### Emails are delayed or not arriving If emails are not being delivered or are arriving with significant latency: 1. **Check MX records**: Ensure your [MX records](https://developers.cloudflare.com/cloudflare-one/email-security/setup/) are correctly configured and pointing to Cloudflare. 2. **Verify connectivity**: From your sending mail server, verify you can connect to Cloudflare's mailstream endpoints on port 25. 3. **Check outbound logs**: In the dashboard, use the **Mail Trace** feature to confirm if Email Security successfully delivered the email to your downstream mail server (for example, Google Workspace or Microsoft 365). --- ## How to contact Support If you cannot resolve the issue, [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). Please provide the **Message ID** or **Alert ID** for the affected emails, which you can find in the **Investigation** section of the dashboard. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/troubleshooting/","name":"Troubleshoot Email security"}}]} ``` --- --- title: Data loss prevention description: Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Data loss prevention Availability Available as an add-on to Zero Trust Enterprise plans. Users on Zero Trust Free and Pay-as-you-go plans can use the [Financial Information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles, [payload logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules), and [false positive reporting](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#report-false-positives). Cloudflare [Data Loss Prevention](https://www.cloudflare.com/learning/access-management/what-is-dlp/) (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code. DLP scans HTTP traffic, SaaS application files, and AI prompts for sensitive data such as credit card numbers, credentials, and personally identifiable information. Cloudflare does not write scanned content to disk. DLP encrypts and temporarily stores content in memory only. To retain matched content for review, configure [payload logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) for encrypted payload copies or a [Logpush destination](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to export full matching HTTP requests. ## Data in transit Data Loss Prevention complements [Secure Web Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) to detect sensitive data transferred in HTTP requests. DLP scans the HTTP body (excluding headers), which may include uploaded or downloaded files, chat messages, forms, and other web content. You can also use DLP with [Email security](https://developers.cloudflare.com/cloudflare-one/email-security/) to scan [outbound emails](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/). DLP requires [Gateway HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) with [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) to read the contents of HTTPS traffic in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy). To get started, refer to [Scan HTTP traffic with DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/). ## Data at rest Data Loss Prevention complements [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) (Cloud Access Security Broker) to detect sensitive data stored in your SaaS applications. CASB connects directly to SaaS application APIs to retrieve and scan files, rather than reading files as they pass through Cloudflare Gateway. Because of this, Gateway and Cloudflare One Client settings (such as [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies and [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configurations) do not affect data at rest scans. To get started, refer to [Scan SaaS applications with DLP](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/). ## AI traffic Data Loss Prevention integrates with [Cloudflare AI Gateway](https://developers.cloudflare.com/ai-gateway/) to scan AI prompts and responses for sensitive data. When DLP is enabled on an AI Gateway, it inspects the text content of requests sent to AI providers and responses returned from AI models, without requiring Gateway HTTP filtering or TLS decryption. To get started, refer to [Set up DLP for AI Gateway](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/). ## Troubleshooting For help resolving common issues with DLP, refer to [Troubleshoot DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/troubleshoot-dlp/). ## Supported file types ### Formats DLP supports reporting and scanning the following file types: * Text and CSV * Microsoft Office 2007 and later (`.docx`, `.xlsx,` `.pptx`), including Microsoft 365 * PDF * ZIP files containing the above DLP will scan the text contained in text, Microsoft Office, and PDF files. ### Size DLP can scan files less than or equal to 100 MB in size. ZIP files can be recursively compressed a maximum of 10 times, and each content file within the ZIP file must be less than or equal to 200 MB in uncompressed size. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}}]} ``` --- --- title: Detection entries description: Detection entries are the data patterns that Cloudflare DLP looks for when scanning your web traffic and SaaS applications. You add detection entries to DLP profiles, which define what DLP should detect. Detection entries include: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Detection entries Detection entries are the data patterns that Cloudflare DLP looks for when scanning your web traffic and SaaS applications. You add detection entries to [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/), which define what DLP should detect. Detection entries include: * [Datasets](#datasets) — uploaded spreadsheets of specific values to match against (for example, credit card numbers or internal SKUs) * [Document entries](#documents) — fingerprints of example documents used to find similar content * [AI prompt topics](#ai-prompt-topics) — categories of prompts submitted to generative AI tools For datasets containing sensitive data, you can configure values to be hashed before reaching Cloudflare and redacted from matches in [payload logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules). ## Datasets You can create and upload custom datasets to scan for specific matching data. ### Dataset types #### Exact Data Match Exact Data Match (EDM) protects sensitive information, such as names, addresses, phone numbers, and credit card numbers. All EDM dataset data is encrypted before reaching Cloudflare. To detect matches, Cloudflare hashes traffic and compares it to hashes from your dataset. Matched data will be redacted in payload logs. #### Custom Wordlist Custom Wordlist (CWL) protects non-sensitive data, such as intellectual property and SKU numbers. Unlike EDM, Cloudflare stores data from CWL datasets in plaintext within DLP. Plaintext matches appear in payload logs. Optionally, CWL can detect case-sensitive data. ### Prepare DLP datasets #### Formatting To prepare a dataset for DLP, add your desired data to a multi-column spreadsheet. Each line must be at least six characters long. Entries do not require trailing or final commas. For compatibility, save your file in either `.csv` or `.txt` format with LF (`\n`) newline characters. DLP does not support CRLF (`\r\n`) newline characters. For information on dataset limits, refer to [Account limits](https://developers.cloudflare.com/cloudflare-one/account-limits/#data-loss-prevention-dlp). #### Column title cells Column title cells may result in false positives in Custom Wordlist datasets and should be removed. DLP will detect and use title cells as column names for Exact Data Match datasets. If multiple columns have the same name, DLP will append a number sign (`#`) and number to their names. Update EDM datasets To select which Exact Data Match columns to use, you will need to [reupload any EDM datasets](#manage-existing-datasets) added prior to column support. ### Upload a new dataset Upload an Exact Data Match dataset 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Detection entries**. 2. From the **Datasets** tab, select **Add a dataset**. 3. Select **Exact Data Match (EDM)**. 4. Upload your dataset file. Select **Next**. 5. Review and choose the detected columns you want to include. Select **Next**. 6. Name your dataset. Optionally, add a description. Select **Next**. 7. Review the details for your uploaded dataset. Select **Save dataset**. DLP will encrypt your dataset and save its hash. Upload a Custom Wordlist dataset 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Detection entries**. 2. From the **Datasets** tab, select **Add a dataset**. 3. Select **Custom Wordlist (CWL)**. 4. Name your dataset. Optionally, add a description. 5. (Optional) In **Settings**, turn on **Enforce case sensitivity** to require matched values to contain exact capitalization. 6. In **Upload file**, choose your dataset file. 7. Select **Save**. DLP will save your dataset in cleartext. The dataset will appear in the list with an **Uploading** status. Once the upload is complete, the status will change to **Complete**. To use your uploaded dataset, add it as an existing entry to a [custom DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile). ### Manage existing datasets Uploaded DLP datasets are read-only. To update a dataset, you must upload a new file to replace the original. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Detection entries**. 2. From the **Datasets** tab, select the dataset you want to update. 3. Select **Upload dataset** and choose your updated dataset. Select **Next**. 4. If your select dataset is an Exact Data Match dataset, review and choose the new columns. Select **Next**. 5. Select **Save dataset**. Your new dataset will replace the original dataset. Remove existing column entries If you want to update an Exact Data Match dataset to remove a column in use as an [existing detection entry](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile), you must remove the existing entry from any custom DLP profiles using it before updating the dataset. ## Documents You can upload example documents to detect similar content in your organization's traffic. DLP creates a unique fingerprint of the document and compares traffic against it based on how similar it is to the original. This is useful for detecting specific document types common to your organization, such as contract templates or internal reports, where the content does not reduce to a list of individual values in a [dataset](#datasets). DLP stores uploaded documents encrypted at rest in a [Cloudflare R2](https://developers.cloudflare.com/r2/) bucket. To upload sensitive data that is only stored in memory, use [Exact Data Match](#exact-data-match). ### Prepare document entries DLP supports documents in `.docx` and `.txt` format. Documents must be under 10 MB. ### Upload a new document entry To upload a new document entry to DLP: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Detection entries**. 2. From the **Documents** tab, select **Add a document entry**. 3. Name your document. Optionally, add a description. 4. In **Minimum similarity for matches**, enter a value between 0% and 100%. 5. In **Upload document**, choose and upload your document file. 6. Select **Save**. The document will appear in the list with a **Pending** status. Once the upload is complete, the status will change to **Complete**. If you created a document entry with Terraform, the status will be **No file** until you upload a file. To use your uploaded document fingerprint, add it as an existing entry to a [custom DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile). ### Manage existing document entries Uploaded document entries are read-only. To update a document entry, you must upload a new file to replace the original. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Detection entries**. 2. From the **Documents** tab, choose the document you want to update and select **Edit**. 3. (Optional) Update the name and minimum similarity for matches for your document entry. You can also open the existing uploaded document. 4. In **Update document entry**, choose and upload your updated document file. 5. Select **Save**. Your new document entry will replace the original document entry. If your file upload fails, DLP will still use the original document fingerprint to scan traffic until you delete the entry. ## AI prompt topics DLP uses [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls) to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported AI prompt protection detections include: | Detection entry | Description | | ------------------------------------- | ------------------------------------------------------------------------------------------------- | | Content: PII | Prompt contains personal information such as names, SSNs, or email addresses. | | Content: Credentials and Secrets | Prompt contains API keys, passwords, or other sensitive credentials. | | Content: Source Code | Prompt contains actual source code, code snippets, or proprietary algorithms. | | Content: Customer Data | Prompt contains customer names, projects, business activities, or confidential customer contexts. | | Content: Financial Information | Prompt contains financial numbers or confidential business data. | | Intent: PII | Prompt requests specific personal information about individuals. | | Intent: Code Abuse and Malicious Code | Prompt requests malicious code for attacks, exploits, or harmful activities. | | Intent: Jailbreak | Prompt attempts to circumvent AI security policies. | Each detection entry is categorized as either **Content** or **Intent**: * **Content** — Detects specific text or data in the prompt itself (for example, a user pasting source code or a credit card number into a chat). * **Intent** — Detects the user's goal or objective for the AI's response (for example, a user asking an AI to generate malicious code or extract personal information). Intent detection is useful when AI applications have access to internal data sources containing sensitive information through SaaS connectors or Model Context Protocol (MCP) servers. To use an AI prompt topic, configure the corresponding [predefined DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) or add it as an existing entry to a [custom DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile). AI prompt protection is available for ChatGPT, Google Gemini, Perplexity, and Claude. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/detection-entries/","name":"Detection entries"}}]} ``` --- --- title: Scan HTTP traffic description: You can scan HTTP traffic for sensitive data through Secure Web Gateway policies. To perform DLP filtering, first configure a DLP profile with the data patterns you want to detect, and then build a Gateway HTTP policy to allow or block the sensitive data from leaving your organization. Gateway will parse and scan your HTTP traffic for strings matching the keywords or regular expressions (regexes) specified in the DLP profile. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Scan HTTP traffic You can scan HTTP traffic for sensitive data through Secure Web Gateway policies. To perform DLP filtering, first configure a DLP profile with the data patterns you want to detect, and then build a Gateway HTTP policy to allow or block the sensitive data from leaving your organization. Gateway will parse and scan your HTTP traffic for strings matching the keywords or regular expressions (regexes) specified in the DLP profile. Note To scan AI prompts and responses without Gateway HTTP filtering, you can also enable DLP directly on an [AI Gateway](https://developers.cloudflare.com/ai-gateway/features/dlp/). ## Prerequisites * Set up [Gateway HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/). * HTTP filtering requires turning on the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP traffic. * Turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption). ## 1\. Configure a DLP profile Refer to [Configure a DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/). We recommend getting started with a predefined profile. Important DLP scans will not start until you [create a DLP policy](#2-create-a-dlp-policy). ## 2\. Create a DLP policy DLP Profiles may be used alongside other Cloudflare One rules in a [Gateway HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). To start logging or blocking traffic, create a policy for DLP: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies**. Select **HTTP**. 2. Select **Add a policy**. 3. Build an [HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) using the [DLP Profile](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector. For example, the following policy prevents users from uploading sensitive data to any location other than an approved corporate application: | Selector | Operator | Value | Logic | Action | | ----------- | -------- | -------------------------------------------------------- | ----- | ------ | | DLP Profile | in | _Social Security, Insurance, Tax, and Identifer Numbers_ | And | Block | | HTTP Method | in | _POST_ | And | | | Application | not in | _Workday_ | | | 4. Select **Create policy**. DLP scanning is now turned on. ## 3\. Test DLP policy You can test your DLP policy on any device connected to your Zero Trust organization. To perform a basic test: 1. Go to [dlptest.com ↗](http://dlptest.com/http-post/). 2. Enter a text message or upload a file containing the sensitive data. 3. Select **Submit** to send the request. The request will be allowed or blocked according to your DLP policies. If the data matches a DLP policy, you will see the request in your [DLP logs](#4-view-dlp-logs). Different sites will send requests in different ways. For example, some sites will split a file upload into multiple requests. Therefore, even if the policy works on `dlptest.com`, it is not guaranteed to work the same way on another site or application. ## 4\. View DLP logs 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Logs** \> **HTTP request logs**. 2. Select **Filter**. 3. Choose an item under one of the following filters: * **DLP Profiles** shows the requests which matched a specific DLP profile. * **Policy** shows the requests which matched a specific DLP policy. You can expand an individual row to view details about the request. To see the data that triggered the DLP policy, [configure logging options](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/). ### Report false positives 1. Select the log you want to report. 2. Select **Report DLP false positive** under **DLP details**. 3. The information to be sent to Cloudflare will appear. To confirm your report, select **Send report**. Cloudflare will not respond directly to your report, but reporting false positives helps us improve our products. If you require technical assistance, reach out to [support ↗](https://dash.cloudflare.com/?to=/:account/support). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-policies/","name":"Scan HTTP traffic"}}]} ``` --- --- title: Common policies description: The following in-line DLP policies are commonly used to secure data in uploaded and downloaded files. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Common policies The following in-line DLP policies are commonly used to secure data in uploaded and downloaded files. ## Log uploads/downloads The **Allow** action functions as an implicit logger, providing visibility into where your sensitive data is going without impacting the end user experience. The following example scans for your enabled Financial Information profile entries when users upload or download data to file sharing apps. | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | ----------------------- | ----- | ------ | | DLP Profile | in | _Financial Information_ | And | Allow | | Content Categories | in | _File Sharing_ | | | ## Block file types Block the upload or download of files based on their type. * [ Dashboard ](#tab-panel-3447) * [ API ](#tab-panel-3448) | Selector | Operator | Value | Logic | Action | | ------------------- | -------- | --------------------------------------- | ----- | ------ | | Upload File Types | in | _Microsoft Office Word Document (docx)_ | And | Block | | Download File Types | in | _PDF (pdf)_ | | | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Block file types", "description": "Block the upload or download of files based on their type", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(http.upload.file.types[*] in {\"docx\"}) and any(http.download.file.types[*] in {\"pdf\"})", "identity": "", "device_posture": "" }' ``` For more information on what file formats DLP can scan, refer to [Supported file types](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types). ## Block uploads/downloads for specific users You can configure access on a per-user or group basis by adding [identity-based conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to your policies. The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps. | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | ----------------------- | ----- | ------ | | DLP Profile | in | _Financial Information_ | And | Block | | Content Categories | in | _File Sharing_ | And | | | User Group Names | in | _Contractors_ | | | ## Exclude Android applications Many Android applications (such as Google Drive) use [certificate pinning](https://developers.cloudflare.com/ssl/reference/certificate-pinning/), which is incompatible with Gateway inspection. If needed, you can create a [Do Not Inspect policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) so that the app can continue to function on Android: 1. Set up an [OS version device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/) that checks for the Android operating system. 2. Create the following HTTP policy in Gateway: | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | -------------------- | ----- | -------------- | | Application | in | _Google Drive_ | And | Do Not Inspect | | Passed Device Posture Checks | in | _OS Version Android_ | | | Android users can now use the app, but the app traffic will bypass DLP scanning. ## Exclude specific sites In your [DLP logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#4-view-dlp-logs), you may find that certain sites are a common source of noise. To exempt these sites from DLP scanning: 1. [Create a list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of hostnames or URLs. 2. Exclude the list from your DLP policy as shown in the example below: | Selector | Operator | Value | Logic | Action | | ----------- | ----------- | ----------------------- | ----- | ------ | | DLP Profile | in | _Financial Information_ | And | Block | | Application | in | _Google Drive_ | And | | | Domain | not in list | _Do not DLP - SSN_ | | | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-policies/","name":"Scan HTTP traffic"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-policies/common-policies/","name":"Common policies"}}]} ``` --- --- title: Logging options description: Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can log the payload or generative AI prompt content of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can configure a Logpush job to send copies of entire matched HTTP requests to storage destinations. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Logging ](https://developers.cloudflare.com/search/?tags=Logging) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/logging-options.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Logging options Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can log the [payload](#log-the-payload-of-matched-rules) or [generative AI prompt content](#log-generative-ai-prompt-content) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations. The data that triggers a DLP policy is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match. ## Set a DLP payload encryption public key Before you begin logging DLP payloads, you will need to set a DLP payload encryption public key. ### Generate a key pair To generate a public/private key pair in the command line, refer to [these instructions](https://developers.cloudflare.com/waf/managed-rules/payload-logging/command-line/generate-key-pair/). ### Upload the public key to Cloudflare 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Traffic settings**. 2. In the **Set a DLP payload and prompt encryption public key** field, select **Edit**. 3. Paste your public key. 4. Select **Save**. Note The matching private key is required to view logs. If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key. ## Log the payload of matched rules DLP can log the payload of matched HTTP requests in your Cloudflare logs. ### Turn on payload logging for a DLP policy You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector. 1. Go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 2. Edit an existing Allow or Block DLP policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). 3. In the policy builder, scroll down to **Configure policy settings** and turn on **Log the payload of matched rules**. 4. Select **Save**. Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy. ### View payload logs To view DLP payload logs: 1. Go to **Insights** \> **Logs** \> **HTTP request logs**. 2. Go to the DLP log you are interested in reviewing and expand the row. 3. Select **Decrypt payload log**. 4. Enter your private key and select **Decrypt**. You will see the [ID of the matched DLP Profile](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload. Note Cloudflare does not store the key or the decrypted payload. ### Report false and true positives to AI context analysis When you have [AI context analysis](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#ai-context-analysis) turned on for a DLP profile, you can train the AI model to adjust its confident threshold by reporting false and true positives. To report a DLP match payload as a false or true positive: 1. [Find and decrypt](#4-view-payload-logs) the payload log you want to report. 2. In **Log details**, choose a detected context match. 3. In **Context**, select the redacted match data. 4. In **Match details**, choose whether you want to report the match as a false positive or a true positive. Based on your report, DLP's machine learning will adjust its confidence in future matches for the associated profile. ### Data privacy * All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule. * Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key. * DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`. * You can define sensitive data with [Exact Data Match (EDM)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings. ## Log generative AI prompt content DLP can detect and log the prompt topic sent to an AI tool. ### Turn on AI prompt content logging for a DLP policy You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#application) selector with a supported [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls) application. 1. Go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 2. Edit an existing Allow or Block DLP policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). 3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**. 4. Select **Save**. Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy. ### View prompt logs To view generative AI prompt log details: 1. Go to **Insights** \> **Logs** \> **HTTP request logs**. 2. Go to the DLP log you are interested in reviewing and expand the row. 3. Select **Decrypt payload log**. 4. Enter your private key and select **Decrypt**. 5. In **Summary** \> **GenAI prompt captured**, select **View prompt**. Gateway logs will provide a summary of the conversation, including the topic and AI model used, and the user prompt and AI model's raw response if available. A text prompt must be present for DLP to capture the prompt. ## Send DLP forensic copies to Logpush destination Availability Only available on Enterprise plans. Gateway allows you to send copies of entire HTTP requests matched in HTTP Allow and Block policies to storage destinations configured in [Logpush](https://developers.cloudflare.com/logs/logpush/), including third-party destinations. Forensic copies include unaltered payloads and headers which may include sensitive data. Logpush logs are encrypted in transit only, such as when sent as TLS traffic. Further encryption depends on your storage destination's policies. To set up the DLP Forensic Copy Logpush job: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \>**Logs**, and select **Manage Logpush**. 2. In Logpush, select **Create a Logpush job**. 3. Choose a [Logpush destination](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/). 4. In **Configure logpush job**, choose the _DLP forensic copies_ dataset. Select **Create Logpush job**. 5. Return to Cloudflare One and go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 6. Edit an existing Allow or Block policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). Your policy does not need to include a DLP profile. 7. In the policy builder, scroll down to **Configure policy settings** and turn on **Send DLP forensic copies to storage**. 8. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests. 9. Select **Save policy**. DLP will now send a copy of HTTP requests that match this policy to your Logpush destination. Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/). If the request contains an archive file, DLP will only send up to 100 MB of uncompressed content to your configured storage. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-policies/","name":"Scan HTTP traffic"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/","name":"Logging options"}}]} ``` --- --- title: DLP profiles description: A DLP profile is a collection of regular expressions and detection entries that define the data patterns you want to detect. Cloudflare DLP provides predefined profiles for common detections, or you can build custom DLP profiles specific to your data, organization, and risk tolerance. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # DLP profiles A DLP profile is a collection of regular expressions and [detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/) that define the data patterns you want to detect. Cloudflare DLP provides predefined profiles for common detections, or you can build custom DLP profiles specific to your data, organization, and risk tolerance. ## Configure a predefined profile 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Choose a [predefined profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Edit**. 3. Enable one or more **Detection entries** according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries. 4. Select **Save profile**. You can now use this profile in a [DLP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy), [CASB integration](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/), or [AI Gateway DLP policy](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/). ## Build a custom profile 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Select **Create profile**. 3. Enter a name and optional description for the profile. 4. Add custom or existing detection entries. Add a custom entry 1. Select **Add custom entry** and give it a name. 2. In **Value**, enter a regular expression (or regex) that defines the text pattern you want to detect. For example, `test\d\d` will detect the word `test` followed by two digits. * Regular expressions are written in Rust. We recommend validating your regex with [Rustexp ↗](https://rustexp.lpil.uk/). * DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length. * DLP does not support regular expressions with `+` or `*` operators because they are prone to exceeding the length limit. For example, the regex pattern `a+` can detect an infinite number of `a` characters. We recommend using `a{min,max}` instead, such as `a{1,1024}`. 3. To save the detection entry, select **Done**. Add existing entries Existing entries include [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and [user-defined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/) detection entries. 1. Select **Add existing entries**. 2. Choose which entries you want to add, then select **Confirm**. 3. To save the detection entry, select **Done**. 5. (Optional) Configure [**profile settings**](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile. 6. Select **Save profile**. You can now use this profile in a [DLP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy), [CASB integration](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/), or [AI Gateway DLP policy](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-profiles/","name":"DLP profiles"}}]} ``` --- --- title: Profile settings description: This page lists the profile settings available when configuring a predefined or custom DLP profile. You can configure profile settings when you create a custom profile or edit profile settings for an existing predefined or custom profile. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Profile settings This page lists the profile settings available when configuring a [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) or [custom](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile) DLP profile. You can configure profile settings when you create a custom profile or [edit profile settings](#edit-profile-settings) for an existing predefined or custom profile. ## Edit profile settings To edit profile settings for an existing predefined or custom DLP profile: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Choose a profile, then select **Edit**. 3. In **Settings**, configure the [settings](#available-settings) for your profile. 4. Select **Save profile**. ## Available settings The following advanced detection settings are available for predefined and custom DLP profiles. ### Match count Match count refers to the number of times that any enabled entry in the profile can be detected before an action is triggered, such as blocking or logging. For example, if you select a match count of 10, the scanned file or HTTP body must contain 11 or more matching strings. Detections do not have to be unique. ### Optical Character Recognition (OCR) Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload. OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters. ### AI context analysis Beta Note AI context analysis only supports Gateway HTTP and HTTPS traffic. AI context analysis uses a pretrained model to analyze and adjust the confidence in a detection based on its surrounding context. DLP will log any matches that are above your confidence threshold. DLP redacts any matched text, then submits the context as an AI text embedding vector to [Cloudflare Workers AI](https://developers.cloudflare.com/workers-ai/). Vectors are stored in user-specific private namespaces for up to six months, along with hit count and the [false positive/negative report](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis). To use AI context analysis: 1. Choose the **Confidence threshold** in a DLP profile. 2. [Add the profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) to a DLP policy. 3. When configuring the DLP policy, turn on [payload logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules). AI context analysis results will appear in the payload section of your [DLP logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#4-view-dlp-logs). To improve future detections of sensitive data, you need to [report false and true positives](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis). ### Confidence thresholds Confidence thresholds indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection. Confidence threshold is set on the DLP profile. When you select a confidence threshold in Cloudflare One, you will see which DLP entries will be affected by the confidence threshold. Entries that do not reflect a confidence threshold in Cloudflare One are not yet supported or are not applicable. DLP confidence detections consist of Low, Medium, and High confidence thresholds. DLP will default to Low confidence detections, which are based on regular expressions, require few keywords, and will trigger more often. Medium and High confidence detections require more keywords, will trigger less often, and have a higher likelihood of accuracy. To change the confidence threshold of a DLP profile: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Select the profile, then select **Edit**. 3. In **Settings** \> **Confidence threshold**, choose a new confidence threshold from the dropdown menu. 4. Select **Save profile**. Setting the confidence to Low will also consider Medium and High confidence detections as matches. Setting the confidence to Medium or High will filter out lower confidence detections. #### Gateway detections For inline detections in Gateway, to display Low and Medium confidence detections but block High confidence detections, Cloudflare recommends creating two HTTP policies. The first policy should use a Low confidence DLP profile with an Allow action. The second policy should use a High confidence DLP profile with a Block action. For example: | Selector | Operator | Value | Action | | ----------- | -------- | --------------------------- | ------ | | DLP Profile | in | _Low Confidence Detections_ | Allow | | Selector | Operator | Value | Action | | ----------- | -------- | ---------------------------- | ------ | | DLP Profile | in | _High Confidence Detections_ | Block | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-profiles/","name":"DLP profiles"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/","name":"Profile settings"}}]} ``` --- --- title: Integration profiles description: Cloudflare DLP integration profiles enable data loss prevention support for third-party data classification providers. Data classification information is retrieved from the third-party platform and populated into a DLP Profile. You can then enable detection entries in the profile and create a DLP policy to allow or block matching data. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Integration profiles Note Integration profiles require [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/). Cloudflare DLP integration profiles enable data loss prevention support for third-party data classification providers. Data classification information is retrieved from the third-party platform and populated into a DLP Profile. You can then enable detection entries in the profile and create a DLP policy to allow or block matching data. Detection entries in integration profiles are managed by the third-party platform and cannot be manually added, edited, or deleted within Cloudflare DLP. ## Microsoft Purview Information Protection (MIP) sensitivity labels Microsoft provides [Purview Information Protection sensitivity labels ↗](https://learn.microsoft.com/en-us/purview/sensitivity-labels) to classify and protect sensitive data. Warning DLP does not filter or log [MIP sublabels ↗](https://learn.microsoft.com/purview/sensitivity-labels#sublabels-that-use-parent-labels-or-label-groups). Only top-level sensitivity labels will be detected, filtered, and logged. To ensure DLP will detect and filter all sensitive data, use only [MIP top-level labels ↗](https://learn.microsoft.com/purview/sensitivity-labels#top-level-labels). ### Setup To add MIP sensitivity labels to a DLP Profile, simply integrate your Microsoft account with [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/). A new integration profile will appear under **Data loss prevention** \> **DLP profiles**. The profile is named **MIP Sensitivity Labels** followed by the name of the CASB integration. MIP sensitivity labels can also be added to a [custom DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile) as an existing entry. ### Syncing Allow 24 hours for label additions and edits in your Microsoft account to propagate to Cloudflare DLP. Deletions in your Microsoft account will not delete entries in your Cloudflare DLP Profile. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-profiles/","name":"DLP profiles"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles/","name":"Integration profiles"}}]} ``` --- --- title: Predefined profiles description: Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure advanced settings for predefined profiles. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Predefined profiles Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure [advanced settings](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for predefined profiles. ## AI Prompt DLP provides AI prompt protection with the following predefined profiles: * AI Prompt: AI Security * AI Prompt: Customer * AI Prompt: Financial Information * AI Prompt: PII * AI Prompt: Technical For more information on included detection entries, refer to [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics). ## Credentials and Secrets The following secrets are validated with regex. * Google Cloud Platform keys * AWS keys * Azure API keys * SSH keys ## Financial Information Availability This predefined profile is available on all Zero Trust plans. Credit card numbers begin with a six or eight-digit Issuer Identification Number (IIN) and are followed by up to 23 additional digits. Card verification values (CVVs) are not validated. | Detection entry | Notes | | -------------------------------- | ------------------------------------------------------------------------------------- | | American Express Card Number | Validated using [Luhn's algorithm ↗](https://en.wikipedia.org/wiki/Luhn%5Falgorithm). | | American Express Text | Text matching amex or american express. | | Diners Club Card Number | Validated using Luhn's algorithm. | | Generic CVV Card Number | Validated with regex. | | Mastercard Card Number | Validated using Luhn's algorithm. | | Mastercard Text | Text matching mastercard. | | Union Pay Card Number | Validated using Luhn's algorithm. | | Union Pay Text | Text matching union pay. | | Visa Card Number | Validated using Luhn's algorithm. | | Visa Text | Text matching visa. | | United States ABA Routing Number | Validated algorithmically with checksum. | | IBAN | Validated with checksum. | ## Health Information The following diagnosis and medication names are checked for surrounding ASCII characters to prevent false positives. * FDA active ingredients * FDA drug names * ICD-10 FY2023 short descriptions ## Social Security, Insurance, Tax, and Identifier Numbers Availability This predefined profile is available on all Zero Trust plans. The following national identifier detections are validated algorithmically when possible. | Detection entry | Notes | | ---------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | United States SSN Numeric Detection | Commonly used separators are required to match the detection entry. For example, 000-00-0000 matches but 000000000 does not. Social security numbers do not adhere to algorithmic validation. | | Social Security Number Text | Text matching ssn or social security. | | Australia Tax File Number | Validated with checksum. | | Canada Social Insurance Number | Validated using Luhn's algorithm. | | France Social Security Number | Validated with regex. | | Hong Kong Identity Card (HKIC) Number | Validated with checksum. | | Indonesia Identity Card Number | Validated with regex. | | Malaysian National Identity Card Number | Validated with regex. | | Philippines Unified Multi-Purpose ID (UMID) Number | Validated with regex. | | Singapore National Registration Identity Card Number | Validated with checksum. | | Taiwan National Identification Number | Validated with checksum. | | Thai Identity Card Number | Validated with checksum. | | United Kingdom NHS Number | Validated with checksum. | | United Kingdom National Insurance Number | Validated with regex. | ## Source Code The following programming languages are validated with natural language processing (NLP). * C * C++ * C# * Go * Haskell * Java * JavaScript * Lua * Python * R * Rust * Swift ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-profiles/","name":"DLP profiles"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/","name":"Predefined profiles"}}]} ``` --- --- title: Scan SaaS apps image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/saas-apps.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Scan SaaS apps ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/saas-apps/","name":"Scan SaaS apps"}}]} ``` --- --- title: Scan for sensitive data description: You can use Cloudflare Data Loss Prevention (DLP) to discover if files stored in a SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then add the profile to a CASB integration. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/saas-apps-dlp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Scan for sensitive data Note Requires Cloudflare CASB and Cloudflare DLP. You can use [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to discover if files stored in a SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration. ## Supported integrations * [Amazon Web Services (AWS) S3](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/) * [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/) * [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/) * [Google Cloud Platform (GCP) Cloud Storage](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/gcp-cloud-storage) * [Google Drive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive/) * [Microsoft OneDrive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive/) * [Microsoft SharePoint](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint/) * [Microsoft 365 Copilot](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot/) * [OpenAI](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/) * [Anthropic](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/) ## Configure a DLP profile You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, datasets, and document fingerprints. ### Configure a predefined profile 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Choose a [predefined profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Edit**. 3. Enable one or more **Detection entries** according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries. 4. Select **Save profile**. Your DLP profile is now ready to use with CASB. ### Build a custom profile 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Select **Create profile**. 3. Enter a name and optional description for the profile. 4. Add custom or existing detection entries. Add a custom entry 1. Select **Add custom entry** and give it a name. 2. In **Value**, enter a regular expression (or regex) that defines the text pattern you want to detect. For example, `test\d\d` will detect the word `test` followed by two digits. * Regular expressions are written in Rust. We recommend validating your regex with [Rustexp ↗](https://rustexp.lpil.uk/). * DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length. * DLP does not support regular expressions with `+` or `*` operators because they are prone to exceeding the length limit. For example, the regex pattern `a+` can detect an infinite number of `a` characters. We recommend using `a{min,max}` instead, such as `a{1,1024}`. 3. To save the detection entry, select **Done**. Add existing entries Existing entries include [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and [user-defined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/) detection entries. 1. Select **Add existing entries**. 2. Choose which entries you want to add, then select **Confirm**. 3. To save the detection entry, select **Done**. 5. (Optional) Configure [**profile settings**](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile. 6. Select **Save profile**. Your DLP profile is now ready to use with CASB. For more information, refer to [Configure a DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/). ## Enable DLP scans in CASB ### Add a new integration 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**. 2. Select **Connect an integration** and choose a [supported integration](#supported-integrations). 3. During the setup process, you will be prompted to select DLP profiles for the integration. 4. Select **Save integration**. CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete. ### Modify an existing integration 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**. 2. Choose a [supported integration](#supported-integrations) and select **Configure**. 3. Under **DLP profiles**, select the profiles that you want the integration to scan for. 4. Select **Save integration**. Note Enabling a DLP profile on an existing integration only scans publicly accessible files that have had a modification event after the profile is enabled. To scan all existing publicly accessible files, enable the DLP profile during the [initial integration setup](#add-a-new-integration). If you enable a DLP profile from the **Manage integrations** page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes: * Contents of the file * Name of the file * Visibility of the file (only if changed to publicly accessible) * Owner of the file * Location of the file (for example, moved to a different folder) In order to scan historical data, you must enable the DLP profile during the [integration setup flow](#add-a-new-integration). ## Limitations DLP in CASB will only scan: * [Text-based files](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported. * Files less than or equal 100 MB in size. * Source code with a minimum size of 5 KB for Java and R. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/saas-apps-dlp/","name":"Scan for sensitive data"}}]} ``` --- --- title: Troubleshoot DLP description: Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshoot DLP Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). ## DLP policy does not trigger or block content DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/). To turn on TLS decryption: * [ Dashboard ](#tab-panel-3449) * [ Terraform (v5) ](#tab-panel-3450) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings**. 2. In **Proxy and inspection**, turn on **Inspect HTTPS requests with TLS decryption**. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken): * `Zero Trust Write` 2. Configure the `tls_decrypt` argument in [cloudflare\_zero\_trust\_gateway\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings): ``` resource "cloudflare_zero_trust_gateway_settings" "team_name" { account_id = var.cloudflare_account_id settings = { tls_decrypt = { enabled = true } } } ``` Once you turn on TLS decryption, you can create a DLP policy to inspect the content of HTTPS requests. For example: | Selector | Operator | Value | Logic | Action | | ----------- | -------- | --------------------- | ----- | ------ | | Domain | in | box.com | And | Block | | DLP Profile | in | _Credit card numbers_ | | | ## DLP scans trigger false positives or block legitimate sites If your DLP policy is blocking access to business-critical applications (such as Zoho, Google, or internal domains) or generating a high number of false positives, your DLP policy is likely too broad. Profiles such as **Credentials and Secrets** are powerful but can be overly aggressive if not scoped correctly. ### Problematic configuration Applying a sensitive profile to all traffic causes unnecessary blocks. For example: | Selector | Operator | Value | Action | | ----------- | -------- | ------------------------- | ------ | | DLP Profile | in | _Credentials and Secrets_ | Block | ### Recommended solution Make your policies more specific. Instead of a catch-all block, create granular policies that target high-risk destinations or user groups. This policy only blocks uploads of financial data to file-sharing websites for a specific user group, reducing the risk of false positives on other sites. | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | --------------------------- | ----- | ------ | | Destination Domain | in | dropbox.com, wetransfer.com | And | Block | | DLP Profile | in | _Financial Information_ | And | | | User Group Names | in | Finance Team | | | You can also create policies that match trusted applications using the [**Do Not Scan** action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-scan). ## DLP detections are inconsistent If DLP detects sensitive data in plain text but not within images or certain applications, check for the following issues: * **OCR is turned on**: For DLP to scan text within images (such as a picture of a credit card), you must turn on [Optical Character Recognition (OCR)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#optical-character-recognition-ocr) in the corresponding DLP profile. * **Application-specific behavior**: Some applications, such as WhatsApp Web, use protocols or encryption methods (such as WebSocket connections) that Gateway may not be able to fully inspect with HTTP policies. * **Supported file types**: Content must be in a [supported file type](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types) for DLP inspection. ## DLP options are missing or you cannot create custom profiles If you cannot use the _DLP Profile_ selector when creating an HTTP policy or are blocked from creating a custom DLP profile, it typically means one of two things: 1. Incorrect plan. These features require a Zero Trust Enterprise plan. If you believe your account should have this entitlement, contact your account team to confirm your subscription details. 2. Permissions issue. You may not have the required administrative privileges to configure DLP settings. Check with your Cloudflare account administrator. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/data-loss-prevention/","name":"Data loss prevention"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/data-loss-prevention/troubleshoot-dlp/","name":"Troubleshoot DLP"}}]} ``` --- --- title: Remote browser isolation description: Cloudflare Browser Isolation complements the Secure Web Gateway and Zero Trust Network Access solutions by executing active webpage content in a secure isolated browser. Executing active content remotely from the endpoint protects users from zero-day attacks and malware. In addition to protecting endpoints, Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway HTTP and DNS policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Remote browser isolation Cloudflare Browser Isolation complements the [Secure Web Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and [Zero Trust Network Access](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) solutions by executing active webpage content in a secure isolated browser. Executing active content remotely from the endpoint protects users from zero-day attacks and malware. In addition to protecting endpoints, Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) and [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) policies. Remote browsing is invisible to the user who continues to use their browser normally without changing their preferred browser and habits. Every open tab and window is automatically isolated. When the user closes the isolated browser, their session is automatically deleted. Note Available as an add-on to Zero Trust Pay-as-you-go and Enterprise plans. ## Privacy Cloudflare Browser Isolation is a security product. In order to serve transparent isolated browsing and block web based threats our network decrypts Internet traffic using the [Cloudflare root CA](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/). Traffic logs are retained as per the [Zero Trust](https://developers.cloudflare.com/cloudflare-one/insights/logs/) documentation. ## Troubleshooting For help resolving common issues with Browser Isolation, refer to [Troubleshoot Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/troubleshooting/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}}]} ``` --- --- title: Accessibility description: Browser Isolation offers features to support users who have visual impairments or non-English language requirements. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ A11y ](https://developers.cloudflare.com/search/?tags=A11y) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/accessibility.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Accessibility Browser Isolation offers features to support users who have visual impairments or non-English language requirements. ## Screen reader The isolated browser has a built-in screen reader which speaks out loud the content of the isolated page. ### Turn the screen reader on or off To turn the built-in screen reader on or off, right-click on any isolated page and select **Accessibility** \> **Enable** / **Disable screen reader**. Alternatively, to use a keyboard shortcut, press `CTRL + ALT + Z`. ## Languages The isolated browser supports keyboard inputs in all languages. Users can use their native keyboard to type in languages that use diacritics (for example, `á` or`ç`) or character-based scripts (for example, Chinese, Japanese, or Korean). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/accessibility/","name":"Accessibility"}}]} ``` --- --- title: Extensions description: Browser Isolation supports running native Chromium Web Extensions in the remote browser. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/extensions.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Extensions Browser Isolation supports running native Chromium Web Extensions in the remote browser. This capability allows extending tools that require DOM access (such as password managers and ad blockers) to isolated pages. ## Install an extension inside the remote browser ### Prerequisite: Isolate Chrome Web Store Note This step is not required when browsing via Clientless Web Isolation. You can access the Chrome Web Store at `https://.cloudflareaccess.com/browser/https://chromewebstore.google.com/`. Installing extensions requires Chrome Web Store isolation. Create an [HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to isolate the Chrome Web Store (chromewebstore.google.com). ### Install an extension 1. Go to `https://chromewebstore.google.com/` while isolated. 2. Choose your desired extension. 3. Select **Add to Chrome**. To confirm extension installation, select **Add extension**. Remote browser extensions are automatically reinstalled across isolated sessions. ## Remove an extension from the remote browser 1. Go to any isolated webpage. 2. Right-click anywhere to open the context menu and select **Show isolation toolbar**. 3. Select the jigsaw icon in the isolation toolbar to open the extension manager. 4. Select the hamburger icon for the desired extension to open the extension controls. 5. Select **Remove from Chromium**. To confirm removal, select **Remove**. ## Useful extensions ### Modify remote browser user agent [User-Agent Switcher for Chrome ↗](https://chromewebstore.google.com/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg) enables controlling the User Agent sent from the remote browser to an isolated website. ### Control remote browser request headers [ModHeader ↗](https://chromewebstore.google.com/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj) enables controlling arbitrary request headers sent from the remote browser to an isolated website. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/extensions/","name":"Extensions"}}]} ``` --- --- title: Isolation policies description: With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/isolation-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Isolation policies With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content. ## Isolate When an HTTP policy applies the Isolate action, the user's web browser is transparently served an HTML compatible remote browser client. Isolation policies can be applied to requests that include `Accept: text/html*`. This allows Browser Isolation policies to co-exist with API traffic. The following example enables isolation for all web traffic: | Selector | Operator | Value | Action | | -------- | ------------- | ----- | ------- | | Host | matches regex | .\* | Isolate | If instead you need to isolate specific pages, you can list the domains for which you would like to isolate traffic: | Selector | Operator | Value | Action | | -------- | -------- | ------------------------ | ------- | | Domain | In | example.com, example.net | Isolate | Isolate identity providers for applications Existing cookies and sessions from non-isolated browsing are not sent to the remote browser. Websites that implement single sign-on using third-party cookies will also need to be isolated. For example, if `example.com` authenticates using Google Workspace, you will also need to isolate the top level [Google Workspace URLs ↗](https://support.google.com/a/answer/9012184). ## Do Not Isolate You can choose to disable isolation for certain destinations or categories. The following configuration disables isolation for traffic directed to `example.com`: | Selector | Operator | Value | Action | | -------- | -------- | ----------- | -------------- | | Host | In | example.com | Do Not Isolate | ## Policy settings The following optional settings appear in the Gateway HTTP policy builder when you select the _Isolate_ action. Configure these settings to [prevent data loss ↗](https://blog.cloudflare.com/data-protection-browser/) when users interact with untrusted websites in the remote browser. ### Copy (from remote to client) flowchart LR subgraph remotebrowser[Remote browser] siteA["Isolated website"]--Data-->remoteclip["Remote clipboard"] end subgraph client[Client] localclip["Local clipboard"] end remoteclip-->localclip * _Allow_: (Default) Users can copy content from an isolated website to their local clipboard. * _Allow only within isolated browser_: Users can only copy content from an isolated website to the remote clipboard. Users cannot copy content out of the remote browser to the local clipboard. You can use this setting alongside [**Paste (from client to remote)**: _Allow only within isolated browser_](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#paste-from-client-to-remote) to only allow copy-pasting between isolated websites. * _Do not allow_: Prohibits users from copying content from an isolated website. ### Paste (from client to remote) flowchart LR subgraph client[Client] localclip["Local clipboard"] end subgraph remotebrowser[Remote browser] remoteclip["Remote clipboard"]-->siteA["Isolated website"] end localclip--Data-->remoteclip * _Allow_: (Default) Users can paste content from their local clipboard to an isolated website. * _Allow only within isolated browser_: Users can only paste content from the remote clipboard to an isolated website. Users cannot paste content from their local clipboard to the remote browser. You can use this setting alongside [**Copy (from remote to client)**: _Allow only within isolated browser_](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#copy-from-remote-to-client) to only allow copy-pasting between isolated websites. * _Do not allow_: Prohibits users from pasting content into an isolated website. ### File downloads * _Allow_: (Default) User can download files from an isolated website to their local machine. * _Do not allow_: Prohibits users from downloading files from an isolated website to their local machine. * _View in remote browser_: Users can open and view files in an isolated environment. Note This option does not prevent files from being downloaded into the remote browser. To prevent files being downloaded into the remote browser, use HTTP Policies to block by [Download Mime Type](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-mime-type). ### File uploads * _Allow_: (Default) Users can upload files from their local machine into an isolated website. * _Do not allow_: Prohibits users from uploading files from their local machine into an isolated website. Note This option does not prevent files being uploaded to websites from third-party cloud file managers or files downloaded into the remote browser download bar from other isolated websites. To prevent files being uploaded from the remote browser into an isolated website, use HTTP Policies to block by [Upload Mime Type](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-mime-type). ### Keyboard * _Allow_: (Default) Users can perform keyboard inputs into an isolated website. * _Do not allow_: Prohibits users from performing keyboard inputs into an isolated website. Note Mouse input remains available to allow users to browse a website by following hyperlinks and scrolling. This does not prevent user input into third-party virtual keyboards within an isolated website. ### Printing * _Allow_: (Default) Users can print isolated web pages to their local machine. * _Do not allow_: Prohibits users from printing isolated web pages to their local machine. ## Custom block dialog Beta With custom block dialogs, you can host a custom block page when users are blocked from taking specific actions, like [copying](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#copy-from-remote-to-client), [pasting](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#paste-from-client-to-remote), [downloading](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#file-downloads), [uploading](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#file-uploads), [performing keyboard inputs](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#keyboard), or [printing](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#printing), within an isolated browser session. Administrators can configure custom block dialogs to explain the reason for the block, and guide the users on how to resolve their issue using the provided query parameters: * `action`: copy, paste, download, upload, perform keyboard inputs, and print * `cf_colo`: for example, `sea01` * `client_url`: for example, `https://example.com` * `policy_id`: 32-character id * `rbi_debug_id`: 32-character id * `user_id`: 32-character id Custom block dialogs are still in beta. Contact your account team to start using custom block dialogs. ## Common policies ### Isolate all security threats Isolate security threats such as malware and phishing. * [ Dashboard ](#tab-panel-3631) * [ API ](#tab-panel-3632) | Selector | Operator | Value | Action | | ------------------- | -------- | -------------------- | ------- | | Security Categories | in | _All security risks_ | Isolate | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Isolate all security threats", "description": "Isolate security threats such as malware and phishing", "enabled": true, "action": "isolate", "filters": [ "http" ], "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", "identity": "", "device_posture": "" }' ``` ### Isolate high risk content Isolate high risk content categories such as newly registered domains. * [ Dashboard ](#tab-panel-3633) * [ API ](#tab-panel-3634) | Selector | Operator | Value | Action | | ------------------ | -------- | ---------------- | ------- | | Content Categories | in | _Security Risks_ | Isolate | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Isolate high risk content", "description": "Isolate high risk content categories such as newly registered domains", "enabled": true, "action": "isolate", "filters": [ "http" ], "traffic": "any(http.request.uri.content_category[*] in {32 169 177 128})", "identity": "", "device_posture": "" }' ``` ### Isolate news and media Isolate news and media sites, which are targets for malvertising attacks. * [ Dashboard ](#tab-panel-3635) * [ API ](#tab-panel-3636) | Selector | Operator | Value | Action | | ------------------ | -------- | ---------------- | ------- | | Content Categories | in | _News and Media_ | Isolate | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Isolate news and media", "description": "Isolate news and media sites, which are targets for malvertising attacks", "enabled": true, "action": "isolate", "filters": [ "http" ], "traffic": "any(http.request.uri.content_category[*] in {122})", "identity": "", "device_posture": "" }' ``` ### Isolate uncategorized content Isolate content that has not been categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/). * [ Dashboard ](#tab-panel-3637) * [ API ](#tab-panel-3638) | Selector | Operator | Value | Action | | ------------------ | -------- | ------------------------ | ------- | | Content Categories | not in | _All content categories_ | Isolate | Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Isolate uncategorized content", "description": "Isolate content not categorized by Cloudflare Radar", "enabled": true, "action": "isolate", "filters": [ "http" ], "traffic": "not(any(http.request.uri.content_category[*] in {2 67 125 133 3 75 183 89 182 6 90 91 144 150 7 70 74 76 79 92 96 100 106 107 116 120 121 122 127 139 156 164 99 9 101 137 10 103 146 11 12 77 98 108 110 111 118 126 129 172 168 113 33 179 166 15 115 119 124 141 161 17 85 87 102 157 135 138 180 162 140 142 32 169 177 128 22 73 82 88 148 23 24 181 71 72 173 78 84 86 94 97 104 105 114 174 93 130 132 136 147 149 154 158 152 26 69 184 81 95 109 123 145 155 159 160 163 165 167}))", "identity": "", "device_posture": "" }' ``` ### Isolate ChatGPT Isolate the use of ChatGPT. * [ Dashboard ](#tab-panel-3639) * [ API ](#tab-panel-3640) | Selector | Operator | Value | Action | | ----------- | -------- | --------- | ------- | | Application | in | _ChatGPT_ | Isolate | In **Configure policy settings**, you can customize restrictions for ChatGPT. For example, to prevent your users from inputting sensitive information, you can select **Disable copy / paste** and **Disable file uploads**. Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Isolate ChatGPT", "description": "Isolate the use of ChatGPT", "enabled": true, "action": "isolate", "filters": [ "http" ], "traffic": "any(app.ids[*] in {1199})", "identity": "", "device_posture": "" }' ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/isolation-policies/","name":"Isolation policies"}}]} ``` --- --- title: Known limitations description: Below, you will find information regarding the current limitations for Browser Isolation. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Debugging ](https://developers.cloudflare.com/search/?tags=Debugging) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Known limitations Below, you will find information regarding the current limitations for Browser Isolation. ## Website compatibility Our Network Vector Rendering (NVR) technology allows us to deliver a secure remote computing experience without the bandwidth limitations of video streams. While we expect most websites to work perfectly, some browser features and web technologies are unsupported and will be implemented in the future: * Webcam and microphone support is unavailable. * Websites that use WebGL may not function. To turn off WebGL in the browser, refer to [WebGL Rendering Error](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/troubleshooting/#webgl-rendering-error). * Netflix and Spotify Web Player are unavailable. * H.265/HEVC is not a supported video format at this time. ## Browser compatibility | Browser | Compatibility | | -------------------------------------------- | ------------- | | Google Chrome | ✅ | | Mozilla Firefox | ✅ | | Safari | ✅ | | Microsoft Edge (Chromium-based) | ✅ | | Other Chromium-based browsers (Opera, Brave) | ✅ | | Internet Explorer 11 and below | ❌ | ### Brave Brave's WebRTC IP Handling Policy can impact how Cloudflare RBI loads and functions. If the WebRTC IP Handling Policy is configured to **Disable Non-Proxied UDP**, RBI may fail to load correctly. To ensure RBI loads correctly, go to `brave://settings/privacy` in your Brave browser window, find **WebRTC IP Handling Policy**, and change the setting from **Disable Non-Proxied UDP** to one of the following: * **Default** * **Default Public and Private Interfaces** * **Default Public Interface Only** ## Protocol support Browser Isolation does not support HTTP. ## Virtual machines Browser Isolation is not supported in virtualized environments (VMs). ## Gateway selectors Certain selectors for Gateway HTTP policies bypass Browser Isolation, including: * [Destination Continent IP Geolocation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#destination-continent) * [Destination Country IP Geolocation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#destination-country) * [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#destination-ip) You cannot use these selectors to isolate traffic and isolation matches for these selectors will not appear in your Gateway logs. Additionally, you cannot apply other policies based on these selectors while in isolation. For example, if you have a Block policy that matches traffic based on destination IP, Gateway will not block the matching traffic if it is already isolated by an Isolate policy. ## File download size When a user downloads a file within the remote browser, the file is held in memory and destroyed at the end of the remote browser session. Therefore, the total size of files downloaded per session is shared with the amount of memory available to the remote browser. We recommend a maximum individual file size of 512 MB. ## Multifactor authentication [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) does not support Yubikey or WebAuthN. These authentication technologies require the isolated website to use the same domain name as the non-isolated website. Therefore, they will not work with prefixed Clientless Web Isolation URLs but will work normally for [in-line deployments](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/) such as [isolated Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/). ## SAML applications Cloudflare Remote Browser Isolation now [supports SAML applications that use HTTP-POST bindings](https://developers.cloudflare.com/cloudflare-one/changelog/browser-isolation/#2025-05-13). This resolves previous issues such as `405` errors and login loops during SSO authentication flows. You no longer need to isolate both the Identity Provider (IdP) and Service Provider (SP), or switch to HTTP-Redirect bindings, to use Browser Isolation with POST-based SSO. Users can log in to internal or SaaS applications in the isolated browser securely and seamlessly. [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) may still be preferred in some deployment models. Clientless Web Isolation implicitly isolates all traffic (both IdP and SP) and supports HTTP-POST SAML bindings. ## Browser Isolation is not compatible with private apps on non-`443` ports Browser Isolation is not compatible with [self-hosted private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) that use private IPs or hostnames on ports other than `443`. Trying to access self-hosted applications on non-`443` ports will result in a Gateway block page. To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/) instead. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/known-limitations/","name":"Known limitations"}}]} ``` --- --- title: Browser Isolation with firewall description: If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow Browser Isolation to connect. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ UDP ](https://developers.cloudflare.com/search/?tags=UDP) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/network-dependencies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Browser Isolation with firewall If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow Browser Isolation to connect. ## Remoting client Isolated pages are served by the remoting client. This client communicates to Cloudflare's network via HTTPS and WebRTC. ### Remoting Client (Services) The remoting client provides static assets and API endpoints. For Browser Isolation to function, you must allow: * HTTPS traffic to `*.browser.run` on port `443` #### Clientless Web Isolation Users connecting through Clientless Web Isolation also require connectivity to Cloudflare Access. For users to connect to Access, you must allow: * HTTPS traffic to `https://.cloudflareaccess.com` on port `443` ### WebRTC channel Browser Isolation uses WebRTC for low-latency communication between the local browser and the remote browser. In order to pass WebRTC traffic, the remoting client must be able to connect to the following IP addresses: | IP range | Port range | Protocol | | ------------------------------------------------------------------------------------------------- | ------------- | -------- | | IPv4: 162.159.201.10 - 162.159.201.255 IPv4: 172.64.73.0 - 72.64.73.255 IPv6: 2606:4700:f2::/48 | 10000 - 59999 | UDP | Each remote browser instance is randomly assigned a port, and the port that a user is allocated to will change often and without notice. Note WebRTC traffic does not flow through proxies specified in local browser HTTP/HTTPS proxy settings. The connecting device needs to be able to directly connect to the WebRTC IP ranges. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/network-dependencies/","name":"Browser Isolation with firewall"}}]} ``` --- --- title: Set up Browser Isolation description: Browser Isolation is enabled through Secure Web Gateway HTTP policies. By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/setup/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Set up Browser Isolation Browser Isolation is enabled through [Secure Web Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies. ## 1\. Connect devices to Cloudflare Setup instructions vary depending on how you want to connect your devices to Cloudflare. Refer to the links below to view the setup guide for each deployment option. | Connection | Mode | Description | | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------ | ------------------------------------------------------------------------------------------------------------------ | | [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) | In-line | Apply identity-based HTTP policies to traffic proxied through the Cloudflare One Client. | | [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/) | In-line | Apply identity-based HTTP policies to Access applications that are rendered in a remote browser. | | [Gateway proxy endpoint](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/non-identity/) | In-line | Apply non-identity HTTP policies to traffic forwarded to a proxy endpoint. | | [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/non-identity/) | In-line | Apply non-identity HTTP policies to traffic connected through a GRE or IPsec tunnel. | | [Clientless remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) | Prefixed URL | Render web pages in a remote browser when users go to https://.cloudflareaccess.com/browser/. | ## 2\. Build an Isolation policy To configure Browser Isolation policies: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 2. Select **Add a policy** and enter a name for the policy. 3. Use the HTTP policy [selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#selectors) and [operators](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#comparison-operators) to specify the websites or content you want to isolate. 4. For **Action**, choose either [_Isolate_](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#isolate) or [_Do not Isolate_](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#do-not-isolate). 5. (Optional) Configure [settings](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) for an Isolate policy. 6. Select **Create policy**. Next, [verify that your policy is working](#3-check-if-a-web-page-is-isolated). ## 3\. Check if a web page is isolated Users can see if a webpage is isolated by using one of the following methods: * Select the padlock in the address bar and check for the presence of a Cloudflare Root CA. * Right-click the web page and view the context menu options. ### Normal browsing * A non-Cloudflare root certificate indicates that Cloudflare did not proxy this web page. ![Website does not present a Cloudflare root certificate](https://developers.cloudflare.com/_astro/non-cloudflare-root-ca.DUtGDw33_ZFcJnQ.webp) * The right-click context menu will have all of the normal options. ![Normal right-click menu in browser](https://developers.cloudflare.com/_astro/non-isolated-browser.B9h2hRe6_Z19cAm7.webp) ### Isolated browsing * A Cloudflare root certificate indicates traffic was proxied through Cloudflare Gateway. ![Website presents a Cloudflare root certificate](https://developers.cloudflare.com/_astro/cloudflare-gateway-root-ca.DLxxnVYn_ZdwfJP.webp) * The right-click context menu will be simplified. ![Simplified right-click menu in browser](https://developers.cloudflare.com/_astro/isolated-browser.CBtYLGGn_141dVf.webp) #### Disconnect Browser Isolation Cloudflare One Client users can temporarily disable remote browsing by [disconnecting the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-device-client-switch). Once the Cloudflare One Client is disconnected, a refresh will return the non-isolated page. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/setup/","name":"Set up Browser Isolation"}}]} ``` --- --- title: Clientless Web Isolation description: Clientless Web Isolation allows users to securely browse high risk or sensitive websites in a remote browser without having to install the Cloudflare One Client on their device. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ TLS ](https://developers.cloudflare.com/search/?tags=TLS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Clientless Web Isolation Clientless Web Isolation allows users to securely browse high risk or sensitive websites in a remote browser without having to install the Cloudflare One Client on their device. ## Set up Clientless Web Isolation 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**. 2. Under **Manage remote browser permissions**, select **Manage**. 3. Enable **Clientless Web Isolation**. 1. To configure permissions, in **Browser isolation** \> **Browser isolation settings** \> select **Manage** next to **Manage remote browser permissions**. You can add authentication methods and [rules](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control who can access the remote browser. 2. Under **Policies** \> Access Policies > select **Create new policy**. 3. Name your policy and define who will have access to your isolated application. Refer to the [Access policy documentation](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#actions) to construct your policy. 4. Select **Save**. 5. Under **Policies** \> Access Policies > select **Select existing policies** and select the policy or policies you created in the previous step > select **Confirm**. 6. At the bottom of the page, select **Save**. Your application will now be served in an isolated browser for users matching your policies. ### Open links in Browser Isolation To open links using Browser Isolation: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Browser isolation**. 2. Select **Launch isolated browser**. Turn **Clientless web isolation** on. 3. In **Launch browser**, enter the URL link, and then select **Launch**. Your URL will open in a secure isolated browser. ## Filter DNS queries Gateway filters and resolves DNS queries for isolated sessions via [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). Enterprise users can resolve domains available only through private resolvers by creating [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/). Gateway DNS and resolver policies will always apply to Clientless Web Isolation traffic, regardless of device configuration. ## Use the remote browser Clientless Web Isolation is implemented through a prefixed URL, where `` is your organization's team name. ``` https://.cloudflareaccess.com/browser/ ``` For example, to isolate `www.example.com`, users would visit `https://.cloudflareaccess.com/browser/https://www.example.com/` in their preferred browser. If `` is not provided, users are presented with a Cloudflare Zero Trust landing page where they can input a target URL or search for a website. ## Optional configurations ### Allow or block websites When users visit a website through the [Clientless Web Isolation URL](#use-the-remote-browser), the traffic passes through Cloudflare Gateway. This allows you to [apply HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to control what websites the remote browser can connect to, even if the user's device does not have the Cloudflare One Client installed. For example, if you use a third-party Secure Web Gateway to block `example.com`, users can still access the page in the remote browser by visiting `https://.cloudflareaccess.com/browser/https://www.example.com/`. To block `https://.cloudflareaccess.com/browser/https://www.example.com/`, create a Cloudflare Gateway HTTP policy to block `example.com`: | Selector | Operator | Value | Action | | -------- | -------- | ----------- | ------ | | Domain | in | example.com | Block | ### Bypass TLS decryption If [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on, Gateway will decrypt all sites accessed through the Clientless Web Isolation URL. To connect to sites that are incompatible with TLS decryption, you will need to add a Do Not Inspect HTTP policy for the application or domain. | Selector | Operator | Value | Action | | -------- | -------- | ---------- | -------------- | | Domain | is | mysite.com | Do Not Inspect | Note Clientless Web Isolation can function without TLS decryption enabled. However, TLS decryption is required to apply [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to Clientless Web Isolation traffic. ### Connect private networks With Clientless Web Isolation, users can reach any internal web server you have connected through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). For more information, refer to [Connect private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/). For example, if you added `192.168.2.1` to your tunnel, users can connect to your application through the remote browser by going to `https://.cloudflareaccess.com/browser/http://192.168.2.1`. Clientless Web Isolation also supports connecting over private ports, for example `https://.cloudflareaccess.com/browser/http://192.168.2.1:7148`. Note All users with access to your remote browser can access your Cloudflare Tunnel applications unless you create a Gateway HTTP policy to block them. ### Disable remote browser controls You can configure [remote browser controls](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input. These settings display in the Gateway [HTTP policy builder](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) when you select the Isolate action. ### Sync cookies between local and remote browser The Cloudflare One Chrome extension allows a user to seamlessly access isolated and non-isolated applications without needing to re-authenticate. The user can log in once to their identity provider (whether through a Clientless Web Isolation link or their local browser) and gain access to all applications behind the SSO login. Note The Chrome extension is available in early access. To install, contact your account team. ## Address bar Clientless Web Isolation has an embedded address bar. This feature is designed to improve the user's experience while visiting isolated pages with prefixed URLs. The clientless address bar has three views: hostname notch, full address bar and hidden. The user's selected view is remembered across domains and remote browsing sessions. ### Hostname notch view By default the isolated domain name appears in the notch positioned at the top and center of an isolated page. ![Viewing hostname of an isolated page in the clientless remote browser](https://developers.cloudflare.com/_astro/rbi-address-bar-notch.BsghmuIS_ZhyMH.webp) Selecting **Expand** or the hostname text will expand the notch to the full address bar view. If isolated page content is obscured by the notch, expanding to the full address bar view will make the content accessible. ### Full address bar view The full address bar allows users to search and go to isolated websites. Users can jump to the address bar at any time by pressing `CTRL + L` on the keyboard. ![Viewing full address of an isolated page in the clientless remote browser](https://developers.cloudflare.com/_astro/rbi-address-bar-full.BDXQJUgz_Z1cD7Aj.webp) ### Hidden view To turn on or off the address bar, users can right-click on any isolated page and select **Show / Hide address bar**. ## Logs * **Authentication events**: User login events are available in [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/). * **HTTP requests**: Traffic from the remote browser to the Internet is logged in [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). * **DNS queries**: DNS queries from the remote browser are shown in [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). * **User actions**: Track copy/paste, download/upload, and print actions initiated by users in the remote browser (only available in [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/)). ## Redirect traffic to the remote browser If you want to isolate a website without the Cloudflare One Client installed, you will need to redirect traffic to the Clientless Web Isolation [prefixed URL](#use-the-remote-browser). One way to do this is through a third-party Secure Web Gateway. To redirect users to the remote browser, you can implement a custom block page similar to the example shown below. ``` Redirecting website to a remote browser

This website is being redirected to a remote browser. Select here if you are not automatically redirected.

``` ## Troubleshooting Review troubleshooting guidance related to Clientless Web Isolation. * [Clientless Web Isolation is loading a blank screen on a Windows device](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/troubleshooting/#blank-screen-on-windows) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/setup/","name":"Set up Browser Isolation"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/","name":"Clientless Web Isolation"}}]} ``` --- --- title: Non-identity on-ramps description: With Cloudflare One, you can isolate HTTP traffic from on-ramps such as proxy endpoints or Cloudflare WAN (formerly Magic WAN). Since these on-ramps do not require users to log in to the Cloudflare One Client, identity-based policies are not supported. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Non-identity on-ramps With Cloudflare One, you can isolate HTTP traffic from on-ramps such as [proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/) (formerly Magic WAN). Since these on-ramps do not require users to log in to the Cloudflare One Client, [identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) are not supported. Note If you want to apply Isolate policies based on user identity, you will need to either install the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) or manually redirect users to the [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL. ## Set up non-identity browser isolation 1. [Install a Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your devices. 2. Connect your infrastructure to Gateway using one of the following on-ramps: * Configure your browser to forward traffic to a Gateway proxy endpoint with [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/). * Connect your enterprise site router to Gateway with the [anycast GRE or IPsec tunnel on-ramp to Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/). 3. Enable non-identity browser isolation: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**. 2. Turn on **Allow isolated HTTP traffic when user identity is unknown**. 4. Build a non-identity [HTTP policy](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) to isolate websites in a remote browser. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/setup/","name":"Set up Browser Isolation"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/remote-browser-isolation/setup/non-identity/","name":"Non-identity on-ramps"}}]} ``` --- --- title: Troubleshoot Browser Isolation description: Resolve common issues with Cloudflare Browser Isolation, including session limits, rendering errors, and WebGL support. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/remote-browser-isolation/troubleshooting.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshoot Browser Isolation Review common troubleshooting scenarios for Cloudflare Browser Isolation. ## Connectivity and sessions ### No Browsers Available If you encounter a `No Browsers Available` alert, please file feedback via the Cloudflare One Client. This error typically indicates a temporary capacity issue in the data center or a connectivity problem between your client and the remote browser. ### Maximum Sessions Reached This alert appears if your device attempts to establish more than two concurrent remote browser instances. A browser isolation session is shared across all tabs and windows within the same browser (for example, all Chrome tabs share one session). You can use two different browsers (such as Chrome and Firefox) concurrently, but opening a third will trigger this alert. To release a session, close all tabs and windows in one of your local browsers. ## Rendering and performance ### WebGL Rendering Error Cloudflare Browser Isolation uses Network Vector Rendering (NVR), which does not support WebGL (Web Graphics Library) in all environments. If a website requires WebGL and your device lacks the necessary hardware resources in the virtualized environment, you may see a rendering error. To resolve this, try enabling software rasterization in your browser: 1. Go to `chrome://flags/#override-software-rendering-list`. 2. Set **Override software rendering list** to _Enabled_. 3. Select **Relaunch**. ### Blank screen on Windows On Windows devices, Clientless Web Isolation may load with a blank screen if there is a conflict between browser mDNS settings and Windows IGMP configuration. | IGMPLevel | WebRTC Anonymization | Result | | ------------ | -------------------- | -------------- | | 0 (disabled) | Enabled / Default | ❌ Blank screen | | 0 (disabled) | Disabled | ✅ Works | | 2 (enabled) | Enabled / Default | ✅ Works | To fix this, either disable **Anonymize local IPs exposed by WebRTC** in your browser flags or ensure `IGMPLevel` is enabled (set to `2`) in your Windows network settings. ### Rendering issues (CSS/Images) If a website displays incorrectly (for example, broken CSS or missing images), it may indicate that the remote browser is unable to fetch specific resources from the origin server. Check your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/) for any blocked subresources that might be required by the page. --- ## How to contact Support If you cannot resolve the issue, [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). For RBI issues, it is helpful to provide the **Ray ID** from any error page and a description of the browser you are using. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/remote-browser-isolation/","name":"Remote browser isolation"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/remote-browser-isolation/troubleshooting/","name":"Troubleshoot Browser Isolation"}}]} ``` --- --- title: Roles and permissions description: When creating a Cloudflare Zero Trust account, you will be given the Super Administrator role. As a Super Administrator, you can invite members to join your Zero Trust account and assign them different roles. There is no limit to the number of members which can be added to a given account. Any members with the proper permissions will be able to make configuration changes while actively logged into Zero Trust (unless read-only mode is enabled). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/roles-permissions.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Roles and permissions When creating a Cloudflare Zero Trust account, you will be given the Super Administrator role. As a Super Administrator, you can invite members to join your Zero Trust account and assign them different roles. There is no limit to the number of members which can be added to a given account. Any members with the proper permissions will be able to make configuration changes while actively logged into Zero Trust (unless [read-only mode](https://developers.cloudflare.com/cloudflare-one/api-terraform/#set-dashboard-to-read-only) is enabled). To check the list of members in your account, or to manage roles and permissions, refer to our [Account setup](https://developers.cloudflare.com/fundamentals/manage-members/) documentation. ## Zero Trust roles Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role. | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit | CASB Read | CASB Edit | | | ---------------------------------------------------------------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- | --------- | --------- | - | | Super Administrator | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | Cloudflare Zero Trust[1](#user-content-fn-1) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | | Cloudflare Access | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | | Cloudflare Gateway | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | | Cloudflare Zero Trust Read Only | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | | Cloudflare Zero Trust Reporting | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | | Cloudflare Zero Trust DNS Locations Write[2](#user-content-fn-2) | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | | Cloudflare DEX | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | | Cloudflare CASB Read | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | | Cloudflare CASB | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ### Cloudflare Zero Trust PII By default, only Super Administrators can view end users' PII in the Gateway activity logs, such as Device IDs, Source IPs, or user emails. No other roles will have the ability to read PII unless Super Administrators explicitly assign the **Cloudflare Zero Trust PII** role to them. The Cloudflare Zero Trust PII role should be considered an add-on role, to be combined with any role from the table above. For example, Super Administrators may decide to assign the Cloudflare Gateway role to a user, and add the Cloudflare Zero Trust PII role to allow that user to access PII in the Gateway logs. Note The Cloudflare Zero Trust PII role does not apply to Access authentication logs. PII is always visible in Access logs. ## Email security roles For more information on Email security roles, refer to [Account-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#account-scoped-roles). * **Cloudflare Zero Trust**: Can edit Cloudflare [Zero Trust](https://developers.cloudflare.com/cloudflare-one/). Grants administrator access to all Zero Trust products including Access, Gateway, the Cloudflare One Client, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security. * **Cloudflare Zero Trust PII**: Can read PII in Zero Trust. This includes Email security. * **Email security Analyst** and **Email security Configuration Admin**: Has full access to all admin features in Email security. * **Email security Integration Admin**: Can read and set up integrations only. * **Email security Configuration Admin**: Has administrator access. Cannot take actions on emails, or read emails. * **Email security Analyst**: Has analyst access. Can take action on emails and read emails. * **Email security Reporting**: Can read metrics. * **Email security Read Only**: Can read all information, but cannot take action on anything. * **Email security Policy Admin**: Can read all settings, but only write [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/). ## Footnotes 1. The **Cloudflare Zero Trust** role grants administrator access to all Zero Trust products including Access, Gateway, the Cloudflare One Client, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security. [↩](#user-content-fnref-1) 2. Users with the **Cloudflare Zero Trust DNS Locations Write** role can view all DNS locations for an organization but can only create and edit [secure DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations). [↩](#user-content-fnref-2) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/roles-permissions/","name":"Roles and permissions"}}]} ``` --- --- title: Tutorials description: View tutorials for Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Copy page # Tutorials | Name | Last Updated | Difficulty | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | ------------ | | [Implement regional private DNS servers with Gateway resolver policies](https://developers.cloudflare.com/cloudflare-one/tutorials/regional-private-dns-resolver-policies/) | 5 months ago | Advanced | | [Deploy the Cloudflare One Client on headless Linux machines](https://developers.cloudflare.com/cloudflare-one/tutorials/deploy-client-headless-linux/) | 6 months ago | Beginner | | [Create and secure an AI agent wrapper using AI Gateway and Zero Trust](https://developers.cloudflare.com/cloudflare-one/tutorials/ai-wrapper-tenant-control/) | 11 months ago | Advanced | | [Use Cloudflare Tunnels with Kubernetes client-go credential plugins](https://developers.cloudflare.com/cloudflare-one/tutorials/tunnel-kubectl/) | over 1 year ago | Intermediate | | [Send SSO attributes to Access-protected origins with Workers](https://developers.cloudflare.com/cloudflare-one/tutorials/extend-sso-with-workers/) | over 1 year ago | Advanced | | [Use virtual networks to change user egress IPs](https://developers.cloudflare.com/cloudflare-one/tutorials/user-selectable-egress-ips/) | about 2 years ago | Intermediate | | [Access and secure a MySQL database using Cloudflare Tunnel and network policies](https://developers.cloudflare.com/cloudflare-one/tutorials/mysql-network-policy/) | about 2 years ago | Intermediate | | [Access a web application via its private hostname without the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/tutorials/clientless-access-private-dns/) | about 2 years ago | Intermediate | | [Use Microsoft Entra ID Conditional Access policies in Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/tutorials/entra-id-conditional-access/) | about 2 years ago | Intermediate | | [Protect access to Microsoft 365 with dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/tutorials/m365-dedicated-egress-ips/) | over 2 years ago | Intermediate | | [Monitor Cloudflare Tunnel with Grafana](https://developers.cloudflare.com/cloudflare-one/tutorials/grafana/) | over 2 years ago | Intermediate | | [Use Cloudflare R2 as a Zero Trust log destination](https://developers.cloudflare.com/cloudflare-one/tutorials/r2-logs/) | over 2 years ago | Beginner | | [Create custom headers for Cloudflare Access-protected origins with Workers](https://developers.cloudflare.com/cloudflare-one/tutorials/access-workers/) | over 2 years ago | Intermediate | | [Protect access to Amazon S3 buckets with Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/tutorials/s3-buckets/) | over 2 years ago | Advanced | | [Validate the Access token with FastAPI](https://developers.cloudflare.com/cloudflare-one/tutorials/fastapi/) | almost 3 years ago | Beginner | | [Isolate risky Entra ID users](https://developers.cloudflare.com/cloudflare-one/tutorials/entra-id-risky-users/) | about 3 years ago | Advanced | | [Connect through Cloudflare Access using kubectl](https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/) | over 3 years ago | Advanced | | [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-one/tutorials/graphql-analytics/) | about 4 years ago | Intermediate | | [Integrate Microsoft MCAS with Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/tutorials/integrate-microsoft-mcas-teams/) | over 4 years ago | Intermediate | | [Connect through Cloudflare Access using a CLI](https://developers.cloudflare.com/cloudflare-one/tutorials/cli/) | about 5 years ago | Intermediate | | [MongoDB SSH](https://developers.cloudflare.com/cloudflare-one/tutorials/mongodb-tunnel/) | over 5 years ago | Advanced | | [Zero Trust GitLab SSH & HTTP](https://developers.cloudflare.com/cloudflare-one/tutorials/gitlab/) | over 5 years ago | Advanced | | [Require U2F with Okta](https://developers.cloudflare.com/cloudflare-one/tutorials/okta-u2f/) | over 5 years ago | Intermediate | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}}]} ``` --- --- title: Create custom headers for Cloudflare Access-protected origins with Workers description: This tutorial covers how to use a Cloudflare Worker to add custom headers to traffic. The headers will be sent to origin services protected by Cloudflare Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ JavaScript ](https://developers.cloudflare.com/search/?tags=JavaScript) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/access-workers.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Create custom headers for Cloudflare Access-protected origins with Workers **Last reviewed:** over 2 years ago This tutorial covers how to use a [Cloudflare Worker](https://developers.cloudflare.com/workers/) to add custom HTTP headers to traffic, and how to send those custom headers to your origin services protected by [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). Some applications and networking implementations require specific custom headers to be passed to the origin, which can be difficult to implement for traffic moving through a Zero Trust proxy. You can configure a Worker to send the [user authorization headers](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/) required by Access. --- ## Before you begin * Secure your origin server with Cloudflare Access ## Before you begin 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **Workers & Pages** page. [ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages) 2. If this is your first Worker, select **Create Worker**. Otherwise, select **Create application**, then select **Create Worker**. 3. Enter an identifiable name for the Worker, then select **Deploy**. 4. Select **Edit code**. 5. Input the following Worker: * [ JavaScript ](#tab-panel-3942) * [ TypeScript ](#tab-panel-3943) JavaScript ``` export default { async fetch(request, env, ctx) { const { headers } = request; const cfaccessemail = headers.get("cf-access-authenticated-user-email"); const requestWithID = new Request(request); requestWithID.headers.set("company-user-id", cfaccessemail); return fetch(requestWithID); }, }; ``` TypeScript ``` export default { async fetch(request, env, ctx): Promise { const { headers } = request; const cfaccessemail = headers.get("cf-access-authenticated-user-email"); const requestWithID = new Request(request); requestWithID.headers.set("company-user-id", cfaccessemail); return fetch(requestWithID); }, } satisfies ExportedHandler; ``` 1. Select **Save and deploy**. Your Worker is now ready to send custom headers to your Access-protected origin services. ## Apply the Worker to your hostname 1. Select the Worker you created, then go to **Triggers**. 2. In **Routes**, select **Add route**. 3. Enter the hostname and zone for your origin, then select **Add route**. The Worker will now insert a custom header into requests that match the defined route. For example: Example custom header ``` "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Accept-Encoding": "gzip", "Accept-Language": "en-US,en;q=0.9", "Cf-Access-Authenticated-User-Email": "user@example.com", "Company-User-Id": "user@example.com", "Connection": "keep-alive" ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/access-workers/","name":"Create custom headers for Cloudflare Access-protected origins with Workers"}}]} ``` --- --- title: Create and secure an AI agent wrapper using AI Gateway and Zero Trust description: This tutorial explains how to use Cloudflare AI Gateway and Zero Trust to create a functional and secure website wrapper for an AI agent. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ AI ](https://developers.cloudflare.com/search/?tags=AI) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Create and secure an AI agent wrapper using AI Gateway and Zero Trust **Last reviewed:** 11 months ago This tutorial explains how to use [Cloudflare AI Gateway](https://developers.cloudflare.com/ai-gateway/) and Zero Trust to create a functional and secure website wrapper for an AI agent. Cloudflare Zero Trust administrators can protect access to the wrapper with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). Additionally, you can enforce [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) to control how your users interact with AI agents, including executing AI agents in an isolated browser with [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), enforcing [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) profiles to prevent your users from sharing sensitive data, and scanning content to avoid answers from AI agents that violate internal corporate guidelines. Creating an AI agent wrapper is also an effective way to enforce tenant control if you have an enterprise plan for a specific AI provider, such as ChatGPT Enterprise. This tutorial uses ChatGPT as an example AI agent. ## Before you begin Make sure you have: * A [Cloudflare Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/). * An API key for your desired AI provider, such as an [OpenAI API key ↗](https://platform.openai.com/api-keys) for ChatGPT. ## 1\. Create an AI gateway First, create an AI gateway to control your AI app. 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **AI Gateway** page. [ Go to **AI Gateway** ](https://dash.cloudflare.com/?to=/:account/ai/ai-gateway) 2. Select **Create Gateway**. 3. Name your gateway. 4. Select **Create**. 5. Configure your desired options for the gateway. 6. [Connect your AI provider](https://developers.cloudflare.com/ai-gateway/get-started/#connect-application) to proxy queries to your AI agent of choice using your AI gateway. 7. (Optional) Turn on [Authenticated Gateway](https://developers.cloudflare.com/ai-gateway/configuration/authentication/). The Authenticated Gateway feature ensures your AI gateway can only be called securely by enforcing a token in the form of a request header `cf-aig-authorization`. 1. Go to **AI** \> **AI Gateway**. 2. Select your AI gateway, then go to **Settings**. 3. Turn on **Authenticated Gateway**, then choose **Confirm**. 4. Select **Create authentication token**, then select **Create an AI Gateway authentication token**. 5. Configure your token and copy the token value. When creating your Worker, you will need to pass this token when calling your AI gateway. For more information, refer to [Getting started with AI Gateway](https://developers.cloudflare.com/ai-gateway/get-started/). ## 2\. (Optional) Use Guardrails to block unsafe or inappropriate content [Guardrails](https://developers.cloudflare.com/ai-gateway/features/guardrails/) is an built-in AI Gateway security feature that allows Cloudflare to identify unsafe or inappropriate content in prompts and responses based on selected categories. 1. In the Cloudflare dashboard, go to the **AI Gateway** page. [ Go to **AI Gateway** ](https://dash.cloudflare.com/?to=/:account/ai/ai-gateway) 2. Select your AI gateway. 3. Go to **Guardrails**. 4. Turn on Guardrails. 5. Select **Change** to configure the categories you would like to filter for both prompts and responses. ## 3\. Build a Worker to serve the wrapper ### 1\. Create the Worker In order to build the Worker, you will need to choose if you want to build it locally using [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) or remotely using the [dashboard ↗](https://dash.cloudflare.com/). * [ Wrangler ](#tab-panel-3944) * [ Dashboard ](#tab-panel-3945) 1. In a terminal, log in to your Cloudflare account: Terminal window ``` wrangler login ``` 2. Initiate the project locally: Terminal window ``` mkdir ai-agent-wrapper cd ai-agent-wrapper wrangler init ``` 3. Create a Wrangler configuration file: ``` name = "ai-agent-wrapper" main = "src/index.js" compatibility_date = "2023-10-30" [vars] # Add any environment variables here ``` 4. Add your AI provider's API key as a [secret](https://developers.cloudflare.com/workers/configuration/secrets/): Terminal window ``` wrangler secret put ``` You can now build the Worker using the `index.js` file created by Wrangler. 1. In the Cloudflare dashboard, go to the **Workers & Pages** page. [ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages) 2. Select **Create**. 3. In **Workers**, choose the **Hello world** template. 4. Name your worker, then select **Deploy**. 5. Select your Worker, then go to the **Settings** tab. 6. Go to **Variables and Secrets**, then select **Add**. 7. Choose _Secret_ as the type, name your secret (for example, `OPENAI_API_KEY`), and enter the value of your AI provider's API key in **Value**. You can now build the Worker using the online code editor by selecting **Edit code** on your Worker page. ### 2\. Build the Worker The following is an example starter Worker that serves a simple front-end to allow a user to interact with an AI provider behind AI Gateway. This example uses OpenAI as its AI provider: JavaScript ``` export default { async fetch(request, env) { if (request.url.endsWith("/api/chat")) { if (request.method === "POST") { try { const { messages } = await request.json(); const response = await fetch( "https://gateway.ai.cloudflare.com/v1/$ACCOUNT_ID/$GATEWAY_ID/openai/chat/completions", { method: "POST", headers: { "Content-Type": "application/json", Authorization: `Bearer ${env.OPENAI_API_KEY}`, }, body: JSON.stringify({ model: "gpt-4o-mini", messages: messages, }), }, ); if (!response.ok) { throw new Error(`AI Gateway Error: ${response.status}`); } const result = await response.json(); return new Response( JSON.stringify({ response: result.choices[0].message.content, }), { headers: { "Content-Type": "application/json" }, }, ); } catch (error) { return new Response(JSON.stringify({ error: error.message }), { status: 500, headers: { "Content-Type": "application/json" }, }); } } return new Response("Method not allowed", { status: 405 }); } return new Response(HTML, { headers: { "Content-Type": "text/html" }, }); }, }; const HTML = ` 177 collapsed lines ChatGPT Wrapper

AI Assistant

`; ``` Note that the account ID and gateway ID need to be replaced in the AI Gateway endpoint. You can add these as [environment variables](https://developers.cloudflare.com/workers/configuration/environment-variables/) or [secrets](https://developers.cloudflare.com/workers/configuration/secrets/) in Workers. If you chose to use Authenticated Gateway when creating your AI gateway, make sure to also add your token as a secret and pass its value to the AI gateway in the `cf-aig-authorization` header. ### 3\. Publish the Worker Once the Worker code is complete, you need to make the Worker addressable using a hostname controllable by Cloudflare Access. * [ Wrangler ](#tab-panel-3946) * [ Dashboard ](#tab-panel-3947) Edit the Wrangler configuration file and add the following information to ensure that the Worker is only accessible using the custom hostname: ``` name = "ai-agent-wrapper" main = "src/index.js" compatibility_date = "2023-10-30" workers_dev = false # Replace with your custom domain routes = [ { pattern = "", custom_domain = true } ] [vars] # Add any environment variables here ``` To publish the worker, run `wrangler deploy`. If you built your Worker remotely using the [code editor](https://developers.cloudflare.com/workers/get-started/dashboard/) available in the Cloudflare dashboard, you can deploy it by selecting **Deploy**. To ensure that the Worker is only accessible from the custom hostname: 1. In the Cloudflare dashboard, go to the **Workers & Pages** page. [ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages) 2. Select your Worker. 3. Go to **Settings**. 4. Within **Domains & Routes**, select **Add**. 5. Choose **Custom domain**. 6. Enter your desired custom domain name. 7. Select **Add domain**. The Worker is now behind an addressable public hostname. Make sure to turn off both **workers.dev** and **Preview URLs** so that the Worker can only be accessed with its custom domain. ## 4\. Secure the wrapper with Access To secure the AI agent wrapper to ensure that only trusted users can access it: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Choose **Self-hosted**. 4. Enter a name for your AI agent wrapper application. 5. In **Session Duration**, choose when the user's application token should expire. 6. Select **Add public hostname** and enter the custom domain you set for your Worker. 7. [Configure your Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your Worker. 8. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application. Now your AI wrapper can only be accessed by your users that successfully match your Access policies. ## 5\. Block access to public AI agents with Gateway You can now block access to all unauthorized public AI agents with a Gateway [HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 2. Select **Add a policy**. 3. Add the following policy: | Selector | Operator | Value | Action | | ------------------ | -------- | ------------------------- | ------ | | Content Categories | in | _Artificial Intelligence_ | Block | 4. Select **Create policy**. This ensures that public AI agents are not accessible using a managed endpoint. Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page), [redirect](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page), or a [user notification](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#cloudflare-one-client-block-notifications) directing users to the AI agent wrapper. ## 6\. Enforce Data Loss Prevention and Clientless Browser Isolation Now that you have full control over access to your AI agent wrapper, you can enforce extra security methods such as Data Loss Prevention (DLP) and Clientless Web Isolation to protect and control data shared with the AI agent. ### Apply Data Loss Prevention profiles You can use [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to prevent your users from sending sensitive data to the AI agent. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Data loss prevention** \> **Profiles**. 2. Ensure that the [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) you want to enforce are properly configured. 3. Add an HTTP policy to enforce the DLP profile for the hostname for your wrapper. For example: | Selector | Operator | Value | Logic | Action | | ----------- | -------- | ---------------------- | ----- | ------ | | Host | is | ai-wrapper.example.com | And | Block | | DLP Profile | in | _AI DLP profile_ | | | 4. Select **Create policy**. For more information on creating DLP policies, refer to [Scan HTTP traffic](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/). ### Execute in a clientless isolated browser Because you published your wrapper as a self-hosted Access application, you can execute it in an [isolated session](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) for your users by creating an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and configuring it for your application. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**. 2. Under **Manage remote browser permissions**, select **Manage**. 3. Enable **Clientless Web Isolation**. 1. Go to **Access controls** \> **Policies**. 2. Select **Add a policy**. 3. Set the **Action** to _Allow_. 4. In **Add rules**, add identity rules to define who the application should be isolated for. 5. In **Additional settings (optional)**, turn on **Isolate application**. Once the Access policy has been created, you can attach it to your wrapper. 1. Go to **Access controls** \> **Applications**. 2. Choose your wrapper application, then select **Configure**. 3. In **Policies**, select **Select existing policies**. 4. Choose the Access policy you previously created. 5. Select **Confirm**, then select **Save application**. Because Clientless Web Isolation traffic applies your Gateway HTTP policies, your configured DLP profiles will apply to isolated sessions. For more information on isolating an Access application, refer to [Isolate self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/). ## Additional benefits Organizations that adopt Cloudflare to secure access to AI agents will benefit from improved visibility and configurability. ### Visibility Zero Trust will log all [Access events](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [DLP detections](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#http-logs). In addition, AI Gateway provides [visibility](https://developers.cloudflare.com/ai-gateway/observability/logging/) into user prompts, model response, token usage, and costs. Logs can be exported to external providers with [Logpush](https://developers.cloudflare.com/logs/logpush/). ### Configurability You can configure your wrapper to use a [different AI provider](https://developers.cloudflare.com/ai-gateway/usage/providers/) or give your users the option to choose between multiple AI providers, including AI models running directly on Cloudflare's global network with [Workers AI](https://developers.cloudflare.com/workers-ai/). With this, you can control costs related to AI usage or adopt newer models without impacting your users or the access controls already put in place. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/ai-wrapper-tenant-control/","name":"Create and secure an AI agent wrapper using AI Gateway and Zero Trust"}}]} ``` --- --- title: Connect through Cloudflare Access using a CLI description: Cloudflare's cloudflared command-line tool allows you to interact with endpoints protected by Cloudflare Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ CLI ](https://developers.cloudflare.com/search/?tags=CLI) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/cli.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Connect through Cloudflare Access using a CLI **Last reviewed:** about 5 years ago Cloudflare's `cloudflared` command-line tool allows you to interact with endpoints protected by Cloudflare Access. You can use `cloudflared` to interact with a protected application's API. These instructions are not meant for configuring a service to run against an API. The token in this example is tailored to user identity and intended only for an end user interacting with an API via a command-line tool. **This walkthrough covers how to:** * Connect to resources secured by Cloudflare Access from a CLI **Time to complete:** 30 minutes --- ## Authenticate a session from the command line Once you have [installed cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/), you can use it to retrieve a Cloudflare Access [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/). This walkthrough uses the domain `example.com` as a stand-in for a protected API. 1. To generate a token, run the following command: Terminal window ``` cloudflared access login https://example.com ``` With this command, `cloudflared` launches a browser window containing the same Access login page found when attempting to access a web application. 2. Select your identity provider and log in. If the browser window does not launch, you can use the unique URL that is automatically printed to the command line. 1. Once you have successfully authenticated, the browser returns the token to `cloudflared` in a cryptographic transfer and stores it. The token is valid for the [session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) configured by the Access administrator. ## Access your API Once you have retrieved a token, you can access the protected API. The `cloudflared` command-line tool includes a wrapper for transferring data via `curl`, which uses URL syntax (for more, see the [curl ↗](https://github.com/curl/curl) GitHub project). The wrapper injects the token into the `curl` request as a query argument named _token_. You can invoke the wrapper as follows: Terminal window ``` cloudflared access curl http://example.com ``` It is possible also to use the `put` command with `cloudflared` for any Unix tool to include the token in the request. Read on for other available commands. ## Available commands ### login The `login` command initiates the login flow for an application behind Access. Terminal window ``` cloudflared access login http://example.com ``` ### curl The `curl` command invokes the client wrapper and includes the token in the request automatically. Terminal window ``` cloudflared access curl http://example.com ``` ### token The `token` command retrieves the token scoped to that specific application for use in other command-line tools. Terminal window ``` cloudflared access token -app=http://example.com ``` ## Using the token as an environment variable It is possible to save the token as an environment variable for convenience and concision in scripts that access a protected application. Set up a token as an environment variable as follows: 1. Run the following command to export the token to the shell environment: Terminal window ``` export TOKEN=$(cloudflared access token -app=http://example.com) ``` 2. Confirm the token was saved with the following: Terminal window ``` echo $TOKEN ``` Once you have exported the token to your environment, use the variable with the Cloudflare Access request header in the script to access a protected endpoint, as in the following example: Terminal window ``` curl -H "cf-access-token: $TOKEN" https://example.com/rest/api/2/item/foo-123 ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/cli/","name":"Connect through Cloudflare Access using a CLI"}}]} ``` --- --- title: Access a web application via its private hostname without the Cloudflare One Client description: With Cloudflare Browser Isolation and resolver policies, users can connect to private web-based applications via their private hostnames. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ DNS ](https://developers.cloudflare.com/search/?tags=DNS)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Access a web application via its private hostname without the Cloudflare One Client **Last reviewed:** about 2 years ago With Cloudflare Browser Isolation and resolver policies, users can connect to private web-based applications via their private hostnames without needing to install the Cloudflare One Client. By the end of this tutorial, users who pass your Gateway DNS and network policies will be able to access your private application at `https://.cloudflareaccess.com/browser/https://internalrecord.com`. ## Before you begin Make sure you have: * [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) enabled on your account * [Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) enabled on your account * An HTTP or HTTPS application that users access through a browser ## Create a Cloudflare Tunnel First, install `cloudflared` on a server in your private network: 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com) and go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. 2. Select **Create a tunnel**. 3. Choose **Cloudflared** for the connector type and select **Next**. 4. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`). 5. Select **Save tunnel**. 6. Next, you will need to install `cloudflared` and run it. To do so, check that the environment under **Choose an environment** reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command. 7. Once the command has finished running, your connector will appear in Cloudflare One. ![Connector appearing in the UI after cloudflared has run](https://developers.cloudflare.com/_astro/connector.BnVS4T_M_ZxLFu6.webp) 8. Select **Next**. ## Add private network routes 1. In the **CIDR** tab, add the following IP addresses: * Private IP/CIDR of your application server (for example, `10.128.0.175/32`) * Private IP/CIDR of your DNS server 2. Select **Save tunnel**. The application and DNS server are now connected to Cloudflare. ## Enable Clientless Web Isolation 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**. 2. Under **Manage remote browser permissions**, select **Manage**. 3. Enable **Clientless Web Isolation**. 1. For **Permissions**, select **Manage**. 2. Select **Add a rule**. 3. Create an expression that defines who can open the Clientless Web Isolation browser. For example, | Rule action | Rule type | Selector | Value | Action | | ----------- | --------- | ---------------- | ------------ | ---------------- | | Allow | Include | Emails ending in | @example.com | Select **Save**. | To test, open a browser and go to `https://.cloudflareaccess.com/browser/https://`. ## Create a Gateway resolver policy 1. Go to **Traffic policies** \> **Resolver policies**. 2. Select **Add a policy**. 3. Create an expression to match against the private [domain](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#domain) or [hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#host) of the application: | Selector | Operator | Value | | -------- | -------- | ------------------ | | Domain | in | internalrecord.com | 4. In **Select DNS resolver**, select _Configure custom DNS resolvers_. 5. Enter the private IP address of your DNS server. 6. In the dropdown menu, select _` - Private`_. 7. (Optional) Enter a custom port. 8. Select **Create policy**. To test, open a browser and go to `https://.cloudflareaccess.com/browser/https://internalrecord.com`. ## Create a Gateway network policy (recommended) 1. Go to **Traffic policies** \> **Firewall policies** \> **Network**. 2. Add a [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address of your application. You can optionally include any ports or protocols relevant for application access. For example, | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | -------------- | ----- | ------ | | Destination IP | in | 10.128.0.175 | And | Allow | | Destination Port | in | 80 | Or | | | User Email | matches regex | .\*example.com | | | Note Device posture checks are not supported because they require the Cloudflare One Client. For best practices on securing private applications, refer to [Build secure access policies](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/). ## Connect as a user Users can now access the application at the following URL: `https://.cloudflareaccess.com/browser/https://internalrecord.com` The application will load in an isolated browser. You can optionally [configure remote browser controls](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/clientless-access-private-dns/","name":"Access a web application via its private hostname without the Cloudflare One Client"}}]} ``` --- --- title: Deploy the Cloudflare One Client on headless Linux machines description: This tutorial explains how to deploy the Cloudflare One Client on headless Linux devices using a service token and an installation script. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Linux ](https://developers.cloudflare.com/search/?tags=Linux) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/deploy-client-headless-linux.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Deploy the Cloudflare One Client on headless Linux machines **Last reviewed:** 6 months ago This tutorial explains how to deploy the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on Linux devices using a service token and an installation script. This deployment workflow is designed for headless servers - that is, servers which do not have access to a browser for identity provider logins - and for situations where you want to fully automate the onboarding process. Because devices will not register through an identity provider, [identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) and logging will be unavailable. Note This tutorial focuses on deploying the Cloudflare One Client as an endpoint device agent. If you are looking to deploy the Cloudflare One Client as a gateway to a private network, refer to the [WARP Connector documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/). ## Prerequisites * [Cloudflare Zero Trust account](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization) ## 1\. Create a service token Fully automated deployments rely on a service token to enroll the Cloudflare One Client in your Zero Trust organization. You can use the same token to enroll multiple devices, or generate a unique token per device if they require different [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/). To create a service token: * [ Dashboard ](#tab-panel-3948) * [ API ](#tab-panel-3949) * [ Terraform (v5) ](#tab-panel-3950) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Service credentials** \> **Service Tokens**. 2. Select **Create Service Token**. 3. Name the service token. The name allows you to easily identify events related to the token in the logs and to revoke the token individually. 4. Choose a **Service Token Duration**. This sets the expiration date for the token. 5. Select **Generate token**. You will see the generated Client ID and Client Secret for the service token, as well as their respective request headers. 6. Copy the Client Secret. Warning This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token. 1. Make a `POST` request to the [Access Service Tokens](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/service%5Ftokens/methods/create/) endpoint: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Access: Service Tokens Write` Create a service token ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "CI/CD token", "duration": "8760h" }' ``` 2. Copy the `client_id` and `client_secret` values returned in the response. Response ``` "result": { "client_id": "88bf3b6d86161464f6509f7219099e57.access", "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", "created_at": "2025-09-25T22:26:26Z", "expires_at": "2026-09-25T22:26:26Z", "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", "name": "CI/CD token", "updated_at": "2025-09-25T22:26:26Z", "duration": "8760h", "client_secret_version": 1 } ``` Warning This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken): * `Access: Service Tokens Write` 2. Configure the [cloudflare\_zero\_trust\_access\_service\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fservice%5Ftoken) resource: ``` resource "cloudflare_zero_trust_access_service_token" "example_service_token" { account_id = var.cloudflare_account_id name = "Example service token" duration = "8760h" lifecycle { create_before_destroy = true } } ``` 3. Get the Client ID and Client Secret of the service token: Example: Output to CLI 1. Output the Client ID and Client Secret to the Terraform state file: ``` output "example_service_token_client_id" { value = cloudflare_zero_trust_access_service_token.example_service_token.client_id } output "example_service_token_client_secret" { value = cloudflare_zero_trust_access_service_token.example_service_token.client_secret sensitive = true } ``` 2. Apply the configuration: Terminal window ``` terraform apply ``` 3. Read the Client ID and Client Secret: Terminal window ``` terraform output -raw example_service_token_client_id ``` Terminal window ``` terraform output -raw example_service_token_client_secret ``` Example: Store in HashiCorp Vault ``` resource "vault_generic_secret" "example_service_token" { path = "kv/cloudflare/example_service_token" data_json = jsonencode({ "CLIENT_ID" = cloudflare_access_service_token.example_service_token.client_id "CLIENT_SECRET" = cloudflare_access_service_token.example_service_token.client_secret }) } ``` ## 2\. Configure device enrollment permissions Device enrollment permissions determine the users and devices that can register WARP with your Zero Trust organization. To allow devices to enroll using a service token: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Team & Resources** \> **Devices**. Select the **Management** tab. 2. In **Device enrollment permissions**, select **Manage**. 3. In the **Policies** tab, select **Create new policy**. A new tab will open with the policy creation page. 4. For **Action**, select _Service Auth_. 5. For the **Selector** field, you have two options: you can either allow all service tokens (`Any Access Service Token`) or specific service tokens (`Service Token`). For example: | Rule Action | Rule type | Selector | Value | | ------------ | --------- | ------------- | ------------ | | Service Auth | Include | Service Token | | 6. Save the policy. 7. Go back to **Device enrollment permissions** and add the newly created policy to your permissions. 8. Select **Save**. ## 3\. Create an installation script You can use a shell script to automate WARP installation and registration. The following example shows how to deploy the Cloudflare One Client on Ubuntu 24.04. 1. In a terminal, create a new `.sh` file using a text editor. For example: Terminal window ``` vim install_warp.sh ``` 2. Press `i` to enter insert mode and add the following lines: ``` #!/bin/bash set -e # Download and install the Cloudflare One Client function warp() { curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list sudo apt-get update --assume-yes sudo apt-get install --assume-yes cloudflare-warp } # Create an MDM file with your Cloudflare One Client deployment parameters function mdm() { sudo touch /var/lib/cloudflare-warp/mdm.xml cat > /var/lib/cloudflare-warp/mdm.xml << "EOF" auth_client_id 88bf3b6d86161464f6509f7219099e57.access auth_client_secret bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5 auto_connect 1 onboarding organization your-team-name service_mode warp EOF } #main program warp mdm ``` 3. If you are using Debian or RHEL / CentOS, modify the `warp()` function so that it installs the correct [WARP package ↗](https://pkg.cloudflareclient.com/) for your OS. 4. Modify the values in the `mdm()` function: 1. For `auth_client_id` and `auth_client_secret`, replace the string values with the Client ID and Client Secret of your [service token](https://developers.cloudflare.com/cloudflare-one/tutorials/deploy-client-headless-linux/#1-create-a-service-token). 2. For `organization`, replace `your-team-name` with your Zero Trust team name. 3. (Optional) Add or modify other [Cloudflare One Client deployment parameters](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/) according to your preferences. 5. Press `esc`, then type `:x` and press `Enter` to save and exit. ## 4\. Install WARP To install the Cloudflare One Client using the example script: 1. Make the script executable: Terminal window ``` chmod +x install_warp.sh ``` 2. Run the script: Terminal window ``` sudo ./install_warp.sh ``` The Cloudflare One Client is now deployed with the configuration parameters stored in `/var/lib/cloudflare-warp/mdm.xml`. Assuming [auto\_connect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#auto%5Fconnect) is configured, the Cloudflare One Client will automatically connect to your Zero Trust organization. Once connected, the device will appear in [Cloudflare One ↗](https://one.dash.cloudflare.com) under **Team & Resources** \> **Devices** with the email `non_identity@.cloudflareaccess.com`. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/deploy-client-headless-linux/","name":"Deploy the Cloudflare One Client on headless Linux machines"}}]} ``` --- --- title: Use Microsoft Entra ID Conditional Access policies in Cloudflare Access description: With Conditional Access in Microsoft Entra ID, administrators can enforce policies on applications and users directly in EntraID. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft Entra ID ](https://developers.cloudflare.com/search/?tags=Microsoft%20Entra%20ID) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Use Microsoft Entra ID Conditional Access policies in Cloudflare Access **Last reviewed:** about 2 years ago With [Conditional Access ↗](https://learn.microsoft.com/entra/identity/conditional-access/overview) in Microsoft Entra ID (formerly Azure Active Directory), administrators can enforce policies on applications and users directly in Entra ID. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users. ## Before you begin Make sure you have: * Global admin rights to Microsoft Entra ID account * Configured users in the Microsoft Entra ID account ## Set up an identity provider for your application Refer to [our IdP setup instructions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#set-up-entra-id-as-an-identity-provider) for Entra ID. ## Add API permission in Entra ID Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Entra ID. 1. In Microsoft Entra ID, go to **App registrations**. 2. Select the application you created for the IdP integration. 3. Go to **API permissions** and select **Add a permission**. 4. Select **Microsoft Graph**. 5. Select **Application permissions** and add `Policy.Read.ConditionalAccess`. Note You must select **Application permissions**; delegated permissions will not work for this feature. 6. Select **Grant admin consent**. ## Configure Conditional Access in Entra ID 1. In Microsoft Entra ID, go to **Enterprise applications** \> **Conditional Access**. 2. Go to **Authentication Contexts**. 3. [Create an authentication context ↗](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context) to reference in your Cloudflare Access policies. Give the authentication context a descriptive name (for example, `Require compliant devices`). 4. Next, go to **Policies**. 5. [Create a new Conditional Access policy ↗](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies) or select an existing policy. 6. Assign the conditional access policy to an authentication context: 1. In the policy builder, select **Target resources**. 2. In the **Select what this policy applies to** dropdown, select _Authentication context_. 3. Select the authentication context that will use this policy. 4. Save the policy. ## Sync Conditional Access with Zero Trust To import your Conditional Access policies into Cloudflare Access: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Access settings**. 2. In **Manage your App Launcher**, select **Manage**. 3. Choose **Login methods**. 4. Find your Microsoft Entra ID integration and select **Edit**. 5. Enable **Azure AD Policy Sync**. 6. Select **Save**. ## Create an Access application To enforce your Conditional Access policies on a Cloudflare Access application: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **Self-hosted**. 4. Enter any name for the application. 5. Select **Add public hostname** and enter the target URL of the protected application. 6. Select **Create new policy** and build an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) using the _Azure AD - Auth context_ selector. For example: | Action | Rule type | Selector | Value | | ------- | ----------------------- | ------------------------- | ------------ | | Allow | Include | Emails ending in | @example.com | | Require | Azure AD - Auth context | Require compliant devices | | 7. Add this policy to your application configuration. 8. For **Identity providers**, select your Microsoft Entra ID integration. 9. Follow the remaining [self-hosted application creation steps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. Users will only be allowed access if they pass the Microsoft Entra ID Conditional Access policies associated with this authentication context. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/entra-id-conditional-access/","name":"Use Microsoft Entra ID Conditional Access policies in Cloudflare Access"}}]} ``` --- --- title: Isolate risky Entra ID users description: Microsoft Entra ID (formerly Azure Active Directory) calculates a user's risk level based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Entra ID risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft Entra ID ](https://developers.cloudflare.com/search/?tags=Microsoft%20Entra%20ID)[ SCIM ](https://developers.cloudflare.com/search/?tags=SCIM) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Isolate risky Entra ID users **Last reviewed:** about 3 years ago Microsoft Entra ID (formerly Azure Active Directory) calculates a user's [risk level ↗](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-investigate-risk) based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Entra ID risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk. This tutorial demonstrates how to automatically redirect users to a remote browser when they are deemed risky by Entra ID. **Time to complete:** 1 hour ## Prerequisites * Microsoft Entra ID Premium P2 license * [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) add-on * [Gateway HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) enabled on your devices * [npm ↗](https://docs.npmjs.com/getting-started) installation * [Node.js ↗](https://nodejs.org/en/) installation ## 1\. Set up Entra ID as an identity provider Refer to [our IdP setup instructions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#set-up-entra-id-as-an-identity-provider) for Entra ID. Note * When you configure the IdP in Cloudflare One, be sure to select **Enable group membership change reauthentication**. * Save the **Application (client) ID**, **Directory (tenant) ID**, and **Client secret** as you will need them again in a later step. ## 2\. Add Entra ID API permissions Once the base IdP integration is tested and working, enable additional permissions that will allow a script to create and update risky user groups in Entra ID: 1. In Microsoft Entra ID, go to **App registrations**. 2. Select the application you created for the IdP integration. 3. Go to **API permissions** and select **Add a permission**. 4. Select **Microsoft Graph**. 5. Select **Application permissions** and add the following [permissions ↗](https://learn.microsoft.com/en-us/graph/permissions-reference): * `IdentityRiskyUser.ReadAll` * `Directory.ReadWriteAll` * `Group.Create` * `Group.ReadAll` * `GroupMember.ReadAll` * `GroupMember.ReadWriteAll` 6. Select **Grant admin consent**. You will see the list of enabled permissions. ![API permissions in Entra ID](https://developers.cloudflare.com/_astro/risky-users-permissions.BXnsnrQO_Zax1Jt.webp) ## 3\. Add risky users to Entra ID group Next, configure an automated script that will populate an Entra ID security group with risky users. To get started quickly, deploy our example Cloudflare Workers script by following the step-by-step instructions below. Alternatively, you can implement the script using [Azure Functions ↗](https://learn.microsoft.com/azure/azure-functions/functions-overview) or any other tool. 1. Open a terminal and clone our example project. Terminal window ``` npm create cloudflare@latest risky-users -- --template https://github.com/cloudflare/msft-risky-user-ad-sync ``` 2. Go to the project directory. Terminal window ``` cd risky-users ``` 3. Modify the [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/) to include the following values: * ``: your Cloudflare [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/). * ``: your Entra ID **Directory (tenant) ID**, obtained when [setting up Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider). * ``: your Entra ID **Application (client) ID**, obtained when [setting up Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider). * [ wrangler.jsonc ](#tab-panel-3951) * [ wrangler.toml ](#tab-panel-3952) ``` { "$schema": "./node_modules/wrangler/config-schema.json", "name": "risky-users", // Set this to today's date "compatibility_date": "2026-04-03", "main": "src/index.js", "workers_dev": false, "account_id": "", "vars": { "AZURE_AD_TENANT_ID": "", "AZURE_AD_CLIENT_ID": "", }, "triggers": { "crons": ["* * * * *"], }, } ``` ``` "$schema" = "./node_modules/wrangler/config-schema.json" name = "risky-users" # Set this to today's date compatibility_date = "2026-04-03" main = "src/index.js" workers_dev = false account_id = "" [vars] AZURE_AD_TENANT_ID = "" AZURE_AD_CLIENT_ID = "" [triggers] crons = [ "* * * * *" ] ``` Note The [Cron Trigger](https://developers.cloudflare.com/workers/configuration/cron-triggers/) in this example schedules the script to run every minute. Learn more about [supported cron expressions](https://developers.cloudflare.com/workers/configuration/cron-triggers/#supported-cron-expressions). 1. Deploy the Worker to Cloudflare's global network. Terminal window ``` npx wrangler deploy ``` 2. Create a secret variable named `AZURE_AD_CLIENT_SECRET`. Terminal window ``` wrangler secret put AZURE_AD_CLIENT_SECRET ``` You will be prompted to input the secret's value. Enter the **Client secret** obtained when [setting up Microsoft Entra ID as an identity provider](#1-set-up-azure-ad-as-an-identity-provider). The Worker script will begin executing once per minute. To view realtime logs, run the following command and wait for the script to execute: Terminal window ``` wrangler tail --format pretty ``` After the initial run, the auto-generated groups will appear in the Entra ID dashboard. ![Risky user groups in the Entra ID dashboard](https://developers.cloudflare.com/_astro/risky-users-groups.DdF4Xs9Y_Z2mmVhk.webp) ## 4\. Synchronize risky user groups Next, synchronize Entra ID risky user groups with Cloudflare Access: 1. [Enable SCIM synchronization](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#synchronize-users-and-groups). 2. In Entra ID, assign the following groups to your SCIM enterprise application: * `IdentityProtection-RiskyUser-RiskLevel-high` * `IdentityProtection-RiskyUser-RiskLevel-medium` * `IdentityProtection-RiskyUser-RiskLevel-low` Cloudflare Access will now synchronize changes in group membership with Entra ID. You can verify the synchronization status on the SCIM application's **Provisioning** page. ## 5\. Create a browser isolation policy Finally, create a [Gateway HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to isolate traffic for risky user groups. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies** \> **HTTP**. 2. Select **Add a policy**. 3. Build an [Isolate policy](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) that contains a _User Group Names_ rule. For example, the following policy serves `app1.example.com` and `app2.example.com` in a remote browser for all members flagged as high risk: | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------------------------------------- | ----- | ------- | | Domain | in | app1.example.com, app2.example.com | And | Isolate | | User Group Names | in | IdentityProtection-RiskyUser-RiskLevel-high | | | To test the policy, refer to the Microsoft documentation for [simulating risky detections ↗](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-simulate-risk). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/entra-id-risky-users/","name":"Isolate risky Entra ID users"}}]} ``` --- --- title: Send SSO attributes to Access-protected origins with Workers description: This tutorial will walk you through extending the single-sign-on (SSO) capabilities of Cloudflare Access with our serverless computing platform, Cloudflare Workers. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSO ](https://developers.cloudflare.com/search/?tags=SSO) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Send SSO attributes to Access-protected origins with Workers **Last reviewed:** over 1 year ago This tutorial will walk you through extending the single-sign-on (SSO) capabilities of [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) with our serverless computing platform, [Cloudflare Workers](https://developers.cloudflare.com/workers/). Specifically, this guide will demonstrate how to modify requests sent to your secured origin to include additional information from the Cloudflare Access authentication event. **Time to complete:** 45 minutes ## Authentication flow [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is an authentication proxy in charge of validating a user's identity before they connect to your application. As shown in the diagram below, Access inserts a [JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) into the request, which can then be [verified](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#validate-jwts) by the origin server. ![Standard authentication flow for a request to an Access application](https://developers.cloudflare.com/_astro/access-standard-flow.CLZ6SIBs_EHYYX.webp) You can extend this functionality by using a Cloudflare Worker to insert additional HTTP headers into the request. In this example, we will add the [device posture attributes](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#enforce-device-posture) `firewall_activated` and `disk_encrypted`, but you can include any attributes that Cloudflare Access collects from the authentication event. ![Extended authentication flow uses a Worker to pass additional request headers to the origin](https://developers.cloudflare.com/_astro/access-extended-flow-serverless.DKpY2r43_1lrFbX.webp) ## Benefits This approach allows you to: * **Enhance security:** By incorporating additional information from the authentication event, you can implement more robust security measures. For example, you can use device posture data to enforce access based on device compliance. * **Improve user experience:** You can personalize the user experience by tailoring content or functionality based on user attributes. For example, you can display different content based on the user's role or location. * **Simplify development:** By using Cloudflare Workers, you can easily extend your Cloudflare Access configuration without modifying your origin application code. ## Before you begin * Add a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to Cloudflare Access. * Enable the [Disk encryption](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/disk-encryption/) and [Firewall](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/firewall/) device posture checks. * Install [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) on your local machine. ## 1\. Create the Worker 1. Create a new Workers project: npm yarn pnpm ``` npm create cloudflare@latest -- device-posture-worker ``` ``` yarn create cloudflare device-posture-worker ``` ``` pnpm create cloudflare@latest device-posture-worker ``` For setup, select the following options: * For _What would you like to start with?_, choose `Hello World example`. * For _Which template would you like to use?_, choose `Worker only`. * For _Which language do you want to use?_, choose `JavaScript`. * For _Do you want to use git for version control?_, choose `Yes`. * For _Do you want to deploy your application?_, choose `No` (we will be making some changes before deploying). 2. Change to the project directory: Terminal window ``` $ cd device-posture-worker ``` 3. Copy-paste the following code into `src/index.js`. Be sure to replace `` with your Zero Trust team name. index.js ``` import { parse } from "cookie"; export default { async fetch(request, env, ctx) { // The name of the cookie const COOKIE_NAME = "CF_Authorization"; const CF_GET_IDENTITY = "https://.cloudflareaccess.com/cdn-cgi/access/get-identity"; const cookie = parse(request.headers.get("Cookie") || ""); if (cookie[COOKIE_NAME] != null) { try { let id = await (await fetch(CF_GET_IDENTITY, request)).json(); let diskEncryptionStatus = false; let firewallStatus = false; for (const checkId in id.devicePosture) { const check = id.devicePosture[checkId]; if (check.type === "disk_encryption") { console.log(check.type); diskEncryptionStatus = check.success; } if (check.type === "firewall") { console.log(check.type); firewallStatus = check.success; break; } } //clone request (immutable otherwise) and insert posture values in new header set let newRequest = await new Request(request); newRequest.headers.set( "Cf-Access-Firewall-Activated", firewallStatus, ); newRequest.headers.set("Cf-Access-Disk-Encrypted", firewallStatus); //sent modified request to origin return await fetch(newRequest); } catch (e) { console.log(e); return await fetch(request); } } return await fetch(request); }, }; ``` ## 2\. View the user's identity The script in `index.js` uses the [get-identity](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/#user-identity) endpoint to fetch a user's complete identity from a Cloudflare Access authentication event. To view a list of available data fields, log in to your Access application and append `/cdn-cgi/access/get-identity` to the URL. For example, if `www.example.com` is behind Access, go to `https://www.example.com/cdn-cgi/access/get-identity`. Below is an example of a user identity that includes the `disk_encryption` and `firewall` posture checks. The Worker inserts the posture check results into the request headers **Cf-Access-Firewall-Activated** and **Cf-Access-Disk-Encrypted**. Example user identity ``` { "id": "P51Tuu01fWHMBjIBvrCK1lK-eUDWs2aQMv03WDqT5oY", "name": "John Doe", "email": "john.doe@cloudflare.com", "amr": [ "pwd" ], "oidc_fields": { "principalName": "XXXXXX_cloudflare.com#EXT#@XXXXXXcloudflare.onmicrosoft.com" }, "groups": [ { "id": "fdaedb59-e9be-4ab7-8001-3e069da54185", "name": "XXXXX" } ], "idp": { "id": "b9f4d68e-dac1-48b0-b728-ae05a5f0d4b2", "type": "azureAD" }, "geo": { "country": "FR" }, "user_uuid": "ce40d564-c72f-475f-a9b8-f395f19ad986", "account_id": "121287a0c6e6260ec930655e6b39a3a8", "iat": 1724056537, "devicePosture": { "f6f9391e-6776-4878-9c60-0cc807dc7dc8": { "id": "f6f9391e-6776-4878-9c60-0cc807dc7dc8", "schedule": "5m", "timestamp": "2024-08-19T08:31:59.274Z", "description": "", "type": "disk_encryption", "check": { "drives": { "C": { "encrypted": true } } }, "success": false, "rule_name": "Disk Encryption - Windows", "input": { "requireAll": true, "checkDisks": [] }, "a0a8e83d-be75-4aa6-bfa0-5791da6e9186": { "id": "a0a8e83d-be75-4aa6-bfa0-5791da6e9186", "schedule": "5m", "timestamp": "2024-08-19T08:31:59.274Z", "description": "", "type": "firewall", "check": { "firewall": false }, "success": false, "rule_name": "Local Firewall Check - Windows", "input": { "enabled": true } } ... } ``` ## 3\. Route the Worker to your application In the [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/), [set up a route](https://developers.cloudflare.com/workers/configuration/routing/routes/) that maps the Worker to your Access application domain: * [ wrangler.jsonc ](#tab-panel-3953) * [ wrangler.toml ](#tab-panel-3954) ``` { "route": { "pattern": "app.example.com/*", "zone_name": "example.com" } } ``` ``` [route] pattern = "app.example.com/*" zone_name = "example.com" ``` ## 4\. Deploy the Worker Terminal window ``` npx wrangler deploy ``` The Worker will now insert the **Cf-Access-Firewall-Activated** and **Cf-Access-Disk-Encrypted** headers into requests that pass your application's Access policies. Example request headers ``` { "headers": { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Accept-Encoding": "gzip", "Accept-Language": "en-US,en;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-GB;q=0.6", "Cf-Access-Authenticated-User-Email": "John.Doe@cloudflare.com", "Cf-Access-Disk-Encrypted": "false", "Cf-Access-Firewall-Activated": "false", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" } } ``` You can verify that these headers are received by the origin server. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/extend-sso-with-workers/","name":"Send SSO attributes to Access-protected origins with Workers"}}]} ``` --- --- title: Validate the Access token with FastAPI description: This tutorial covers how to validate that the Access JWT is on requests made to FastAPI apps. The code is written in Python. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Python ](https://developers.cloudflare.com/search/?tags=Python) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/fastapi.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Validate the Access token with FastAPI **Last reviewed:** almost 3 years ago This tutorial covers how to validate that the [Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) is on requests made to FastAPI apps. **Time to complete:** 15 minutes ## Prerequisites * A [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your FastAPI app * The [AUD tag](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application ## 1\. Create a validation function 1. In your FastAPI project, create a new file called `cloudflare.py` that contains the following code: Python ``` from fastapi import Request, HTTPException # The Application Audience (AUD) tag for your application POLICY_AUD = "XXXXX" # Your CF Access team domain TEAM_DOMAIN = "https://.cloudflareaccess.com" CERTS_URL = "{}/cdn-cgi/access/certs".format(TEAM_DOMAIN) async def validate_cloudflare(request: Request): """ Validate that the request is authenticated by Cloudflare Access. """ if verify_token(request) != True: raise HTTPException(status_code=400, detail="Not authenticated properly!") def _get_public_keys(): """ Returns: List of RSA public keys usable by PyJWT. """ r = requests.get(CERTS_URL) public_keys = [] jwk_set = r.json() for key_dict in jwk_set["keys"]: public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(key_dict)) public_keys.append(public_key) return public_keys def verify_token(request): """ Verify the token in the request. """ token = "" if "CF_Authorization" in request.cookies: token = request.cookies["CF_Authorization"] else: raise HTTPException(status_code=400, detail="missing required cf authorization token") keys = _get_public_keys() # Loop through the keys since we can't pass the key set to the decoder valid_token = False for key in keys: try: # decode returns the claims that has the email when needed jwt.decode(token, key=key, audience=POLICY_AUD, algorithms=["RS256"]) valid_token = True break except: raise HTTPException(status_code=400, detail="Error decoding token") if not valid_token: raise HTTPException(status_code=400, detail="Invalid token") return True ``` ## 2\. Use the validation function in your app You can now add the validation function as a dependency in your FastAPI app. One way to do this is by creating an [APIRouter instance ↗](https://fastapi.tiangolo.com/tutorial/bigger-applications/#another-module-with-apirouter). The following example executes the validation function on each request made to paths that start with `/admin`: Python ``` from fastapi import APIRouter, Depends, HTTPException from cloudflare import validate_cloudflare router = APIRouter( prefix="/admin", tags=["admin"], dependencies=[Depends(validate_cloudflare)] responses={404: {"description": "Not found"}}, ) @router.get("/") async def root(): return {"message": "Hello World"} ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/fastapi/","name":"Validate the Access token with FastAPI"}}]} ``` --- --- title: Zero Trust GitLab SSH & HTTP description: Learn how to add Zero Trust rules to a self-hosted instance of GitLab. This tutorial walks you through deploying GitLab in DigitalOcean. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ SSH ](https://developers.cloudflare.com/search/?tags=SSH) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/gitlab.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Zero Trust GitLab SSH & HTTP **Last reviewed:** over 5 years ago You can use Cloudflare Access to add Zero Trust rules to a self-hosted instance of GitLab. Combined with Cloudflare Tunnel, users can connect through HTTP and SSH and authenticate with your team's identity provider. **This walkthrough covers how to:** * Deploy an instance of GitLab * Lock down all inbound connections to that instance and use Cloudflare Tunnel to set outbound connections to Cloudflare * Build policies with Cloudflare Access to control who can reach GitLab * Connect over HTTP and SSH through Cloudflare **Time to complete:** 1 hour --- ## Deploying GitLab This section walks through deploying GitLab in DigitalOcean. If you have already deployed GitLab, you can skip this section. Create a Droplet that has 16 GB of RAM and 6 CPUs. This should make it possible to support 500 users, based on [GitLab's resource recommendations ↗](https://docs.gitlab.com/ee/install/requirements.html). ![Create Droplet](https://developers.cloudflare.com/_astro/create-droplet.5w9w-Z20_Z1VnfVG.webp) GitLab will provide an external IP that is exposed to the Internet (for now). You will need to connect to the deployed server using this external IP for the initial configuration. You can secure connections to the IP by [adding SSH keys ↗](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2) to your DigitalOcean account. This example uses a macOS machine to configure the Droplet. Copy the IP address assigned to the machine from DigitalOcean. ![Machine IP](https://developers.cloudflare.com/_astro/show-ip.BX4xqubr_8H1My.webp) Open Terminal and run the following command, replacing the IP address with the IP assigned by DigitalOcean. Terminal window ``` ssh root@134.209.124.123 ``` Next, install GitLab. This example uses the [Ubuntu package ↗](https://about.gitlab.com/install/#ubuntu) and the steps in the GitLab documentation, with a few exceptions called out below. Run the following commands to begin. Terminal window ``` sudo apt-get update sudo apt-get install -y curl openssh-server ca-certificates curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash ``` The commands above download the GitLab software to this machine. You must now install it. This is the first place this tutorial will diverge from the operations in the GitLab documentation. The next step in the GitLab-provided tutorial sets an external hostname. Instead, you can just install the software. Terminal window ``` sudo apt-get install gitlab-ee ``` After a minute or so, GitLab will be installed. ![Install GitLab](https://developers.cloudflare.com/_astro/install-gitlab.COTmg1AD_2wx6Wb.webp) However, the application is not running yet. You can check to see what ports are listening to confirm by using `ss`. Terminal window ``` sudo ss -lntup ``` The result should be only the services currently active on the machine: Terminal window ``` sudo ss -lntup ``` ``` Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process udp UNCONN 0 0 *:9094 *:* tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=29,fd=3)) tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=29,fd=4)) ``` To start GitLab, run the software's reconfigure command. Terminal window ``` sudo gitlab-ctl reconfigure ``` GitLab will launch its component services. Once complete, confirm that GitLab is running and listening on both ports 22 and 80. ![GitLab Services](https://developers.cloudflare.com/_astro/gitlab-services.DWHydQAd_1zXwjJ.webp) Terminal window ``` sudo ss -lntup ``` ``` Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process udp UNCONN 0 0 *:9094 *:* tcp LISTEN 0 4096 127.0.0.1:9236 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:8150 0.0.0.0:* tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=29,fd=3)) tcp LISTEN 0 4096 127.0.0.1:8151 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:8153 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:8154 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:8155 0.0.0.0:* tcp LISTEN 0 511 0.0.0.0:8060 0.0.0.0:* users:(("nginx",pid=324,fd=8)) tcp LISTEN 0 4096 127.0.0.1:9121 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:9187 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:9093 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:9229 0.0.0.0:* tcp LISTEN 0 1024 127.0.0.1:8080 0.0.0.0:* tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=324,fd=7)) tcp LISTEN 0 4096 127.0.0.1:9168 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:8082 0.0.0.0:* tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=29,fd=4)) tcp LISTEN 0 4096 *:9094 *:* ``` Users connect to GitLab over SSH (port 22 here) and HTTP for the web app (port 80). In the next step, you will make it possible for users to try both through Cloudflare Access. I'll leave this running and head over to the Cloudflare dashboard. ## Securing GitLab with Zero Trust rules ### Building Zero Trust policies You can use Cloudflare Access to build Zero Trust rules to determine who can connect to both the web application of GitLab (HTTP) and who can connect over SSH. When a user makes a request to a site protected by Access, that request hits Cloudflare's network first. Access can then check if the user is allowed to reach the application. When integrated with Cloudflare Tunnel, the Zero Trust architecture looks like this: ![GitLab Services](https://developers.cloudflare.com/_astro/teams-diagram.DZV8IyTp_ZaozQs.webp) To determine who can reach the application, Cloudflare Access relies on integration with identity providers like Okta, Microsoft Entra ID, or Google to issue the identity cards that get checked at the door. While a VPN allows users free range on a private network unless someone builds an active rule to stop them, Access enforces that identity check on every request (and at any granularity configured). For GitLab, start by building two policies. Users will connect to GitLab in a couple of methods: in the web app and over SSH. Create policies to secure a subdomain for each. First, the web app. Before you build the rule, you'll need to follow [these instructions](https://developers.cloudflare.com/cloudflare-one/setup/) to set up Cloudflare Access in your account. Once enabled, go to the **Applications** page in Zero Trust. Select **Add an application**. Choose self-hosted from the options presented. ![Self Hosted](https://developers.cloudflare.com/_astro/policy.V6-L7e37_Z1O2Ag1.webp) In the policy builder, you will be prompted to add a subdomain that will represent the resource. This must be a subdomain of a domain in your Cloudflare account. You will need separate subdomains for the web application and SSH flows. This example uses `gitlab.widgetcorp.tech` for the web application and `gitlab-ssh.widgetcorp.tech` for SSH connectivity. While on this page, you can decide which identity providers will be allowed to authenticate. By default, all configured providers are allowed. Select **Next** to build rules to determine who can reach the application. You can then add rules to determine who can reach the site. Select **Next** and **Next** again on the **Setup** page - this example does not require advanced CORS configuration. Repeat these steps for the second application, `gitlab-ssh.widgetcorp.tech`. ## Cloudflare Tunnel Cloudflare Tunnel creates a secure, outbound-only, connection between this machine and Cloudflare's network. With an outbound-only model, you can prevent any direct access to this machine and lock down any externally exposed points of ingress. And with that, no open firewall ports. Cloudflare Tunnel is made possible through a lightweight daemon from Cloudflare called `cloudflared`. Download and install `cloudflared` on the DigitalOcean machine by following the instructions listed on the [Downloads](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) page. Once installed, authenticate the instance of `cloudflared` with the following command. Terminal window ``` cloudflared login ``` The command will print a URL that you must visit to login with your Cloudflare account. Choose a website that you have added into your account. Once you select one of the sites in your account, Cloudflare will download a certificate file to authenticate this instance of `cloudflared`. You can now use `cloudflared` to control Cloudflare Tunnel connections in your Cloudflare account. ![Download Cert](https://developers.cloudflare.com/_astro/cert-download.CzGYlCAx_Z1IrUwf.webp) ### Connecting to Cloudflare You can now connect GitLab to Cloudflare using Cloudflare Tunnel. 1. Create a new Tunnel by running the following command. Terminal window ``` cloudflared tunnel create gitlab ``` `cloudflared` will generate a unique ID for this Tunnel, for example `6ff42ae2-765d-4adf-8112-31c55c1551ef`. You can use this Tunnel both for SSH and HTTP traffic. 1. You will need to configure Cloudflare Tunnel to proxy traffic to both destinations. The configuration below will take traffic bound for the DNS record that will be created for the web app and the DNS record to represent SSH traffic to the right port. You use the text editor of your choice to edit the configuration file. The example relies on `Vi`. Terminal window ``` vim ~/.cloudflared/config.yml ``` 1. Configure the Tunnel to serve traffic. ``` tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json ingress: - hostname: gitlab.widgetcorp.tech service: http://localhost:80 - hostname: gitlab-ssh.widgetcorp.tech service: ssh://localhost:22 # Catch-all rule, which just responds with 404 if traffic doesn't match any of # the earlier rules - service: http_status:404 ``` ![Self Hosted](https://developers.cloudflare.com/_astro/config-file.C9yhlhb3_fa9dL.webp) 1. You can test that the configuration file is set correctly with the following command: Terminal window ``` cloudflared tunnel ingress validate ``` `cloudflared` should indicate the Tunnel is okay. You can now begin running the Tunnel. Terminal window ``` cloudflared tunnel run ``` ![Tunnel Run](https://developers.cloudflare.com/_astro/tunnel-run.0yb8I0dS_Z12fkE.webp) Note This command should be run as a `systemd` service for long-term use; if it terminates, GitLab will be unavailable. ### Configure DNS records You can now create DNS records for GitLab in the Cloudflare dashboard. Remember, you will still need two records - one for the web application and one for SSH traffic. 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to the **DNS Records** page for your domain. [ Go to **Records** ](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) 2. Select **Add record**. Choose `CNAME` as the record type. 3. In the **Name** field, input `gitlab`. 4. In the **Target** field, input the ID of the Tunnel created followed by `cfargotunnel.com`. In this example, that value is: ``` 6ff42ae2-765d-4adf-8112-31c55c1551ef.cfargotunnel.com ``` 1. Select **Save**. 2. Repeat the process again by creating a second `CNAME` record, with the same **Target**, but input `gitlab-ssh` for the **Name**. Both records should then appear, pointing to the same Tunnel. The ingress rules defined in the configuration file above will direct traffic to the appropriate port. ![View DNS](https://developers.cloudflare.com/_astro/view-dns.D18Ri4DU_128DTe.webp) ### Connecting to the web application You can now test the end-to-end configuration for the web application. Visit the subdomain created for the web application. Cloudflare Access will prompt you to authenticate. Login with your provider. Once authenticated, you should see the GitLab web application. ![GitLab Web](https://developers.cloudflare.com/_astro/gitlab-web.Jd4Y_aFN_Z27DDoX.webp) Register your own account and create a Blank project to test SSH in the next step. ![Blank Project](https://developers.cloudflare.com/_astro/blank-project.fZ_spCg9_86YyE.webp) GitLab will create a new project and repository. Note To pull or push code, you must also add an SSH key to your profile in GitLab. ### Configuring SSH To push and pull code over SSH, you will need to install `cloudflared` on the client machine as well. This example uses a macOS laptop. On macOS, you can install `cloudflared` with the following command. Terminal window ``` brew install cloudflared ``` While you need to install `cloudflared`, you do not need to wrap your SSH commands in any unique way. Instead, you will need to make a one-time change to your SSH configuration file. Terminal window ``` vim /Users/samrhea/.ssh/config ``` Input the following values; replacing `gitlab-ssh.widgetcorp.tech` with the hostname you created. ``` Host gitlab-ssh.widgetcorp.tech ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h ``` You can now test the SSH flow by attempting to clone the project created earlier. Terminal window ``` git clone git@gitlab-ssh.widgetcorp.tech:samrhea/demo ``` `cloudflared` will prompt you to login with my identity provider and, once successful, issue a token to your device to allow you to authenticate. ![GitLab Clone](https://developers.cloudflare.com/_astro/git-clone.JvUcJ24A_60TIt.webp) ### Lock down exposed ports You can now configure your DigitalOcean firewall with a single rule, block any inbound traffic, to prevent direct access. ![Set Rules](https://developers.cloudflare.com/_astro/disable-ingress.DuP5QaLx_Z1NcTV3.webp) Cloudflare Tunnel will continue to run outbound-only connections and I can avoid this machine getting caught up in a crypto mining operation, or something worse. ## View logs You can also view logs of the events that are allowed and blocked. Open the `Access` page of the `Logs` section in Zero Trust. ## Troubleshooting If you are using Git Large File Storage (LFS), note that Git LFS is not automatically supported by `cloudflared`. To access repositories protected by Cloudflare Access, you need to authenticate manually by running: Terminal window ``` cloudflared access login ``` Replace `` with the Cloudflare Access-protected URL. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/gitlab/","name":"Zero Trust GitLab SSH & HTTP"}}]} ``` --- --- title: Monitor Cloudflare Tunnel with Grafana description: This tutorial covers how to create the metrics endpoint and set up the Prometheus server. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/grafana.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Monitor Cloudflare Tunnel with Grafana **Last reviewed:** over 2 years ago [Grafana ↗](https://grafana.com/) is a dashboard tool that visualizes data stored in other databases. You can use Grafana to convert your [tunnel metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/) into actionable insights. It is not possible to push metrics directly from `cloudflared` to Grafana. Instead, `cloudflared` runs a [Prometheus ↗](https://prometheus.io) metrics endpoint, which a Prometheus server periodically scrapes. Grafana then uses Prometheus as a data source to present metrics to the administrator. flowchart LR subgraph 192.168.1.1 A[cloudflared]-->B[Metrics endpoint] end B--->C subgraph 192.168.1.2 C[Prometheus server]-->D[Grafana dashboard] end This tutorial covers how to create the metrics endpoint, set up the Prometheus server, and view the data in Grafana. ## Before you begin * You will need a Cloudflare Tunnel. To create a tunnel, refer to our [getting started guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/). ## Create the metrics endpoint If your tunnel was created via the CLI, run the following command on the `cloudflared` server (`192.168.1.1`): Terminal window ``` cloudflared tunnel --metrics 192.168.1.1:60123 run my-tunnel ``` If your tunnel was created via the dashboard, the [\--metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#metrics) flag must be added to your `cloudflared` system service configuration. Refer to [Add tunnel run parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#add-run-parameters-to-tunnel-service) for instructions on how to do this. ## Set up Prometheus On the Prometheus and Grafana server (`192.168.1.2`): 1. [Download ↗](https://prometheus.io/download/) Prometheus. 2. Extract Prometheus: Terminal window ``` tar xvfz prometheus-*.tar.gz cd prometheus-* ``` 3. Open `prometheus.yml` in a text editor and add the `cloudflared` job to the end of the file: ``` # my global config global: scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. # scrape_timeout is set to the global default (10s). # Alertmanager configuration alerting: alertmanagers: - static_configs: - targets: # - alertmanager:9093 # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. rule_files: # - "first_rules.yml" # - "second_rules.yml" # A scrape configuration containing exactly one endpoint to scrape: # Here it's Prometheus itself. scrape_configs: # The job name is added as a label `job=` to any timeseries scraped from this config. - job_name: "prometheus" # metrics_path defaults to '/metrics' # scheme defaults to 'http'. static_configs: - targets: ["localhost:9090"] ## Address of Prometheus dashboard - job_name: "cloudflared" static_configs: - targets: ["198.168.1.1:60123"] ## cloudflared server IP and the --metrics port configured for the tunnel ``` 4. Start Prometheus: Terminal window ``` ./prometheus --config.file="prometheus.yml" ``` You can optionally configure Prometheus to run as a service so that it does not need to be manually started if the machine reboots. 5. Open a browser and go to `http://localhost:9090/`. You should be able to access the Prometheus dashboard. 6. To verify that Prometheus is fetching tunnel metrics, enter `cloudflared_tunnel_total_requests` into the expression console and select **Execute**. ![Prometheus dashboard showing tunnel metrics data](https://developers.cloudflare.com/_astro/Prometheus-dashboard.CUKRS856_28Ma3Y.webp) Refer to [Available metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#available-metrics) to check what other metrics are available. ## Connect Grafana to Prometheus 1. [Download ↗](https://grafana.com/grafana/download) and install Grafana. 2. Start Grafana as a system service: Terminal window ``` sudo systemctl daemon-reload sudo systemctl start grafana-server ``` 3. Verify that Grafana is running: Terminal window ``` sudo systemctl status grafana-server ``` 4. Open a browser and go to `http://localhost:3000/`. The default HTTP port that Grafana listens to is `3000` unless you have configured a different port. 5. On the sign-in page, enter your Grafana credentials. To test without an account, you can enter `admin` for both the username and password and skip the password change step. 6. In Grafana, go to **Connections** \> **Data sources**. 7. Select **Add a new data source** and select **Prometheus**. 8. In the **Prometheus server URL** field, enter the IP address and port of your Prometheus dashboard (`http://localhost:9090`). 9. Select **Save & test**. ## Build Grafana dashboard 1. In Grafana, go to **Dashboards** \> **New** \> **New dashboard**. 2. Select **Add visualization**. 3. Select **Prometheus**. 4. In the metrics field, enter `cloudflared_tunnel_total_requests` and select **Run queries**. You will see a graph showing the number of requests as a function of time. ![Grafana dashboard showing a tunnel metrics graph](https://developers.cloudflare.com/_astro/Grafana-dashboard.Bz0eyO9h_ZBdbLa.webp) You can add operations to the queries to modify what is displayed. For example, you could show all tunnel requests over a recent period of time, such as a day, rather than all tunnel requests since metrics began reporting. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/grafana/","name":"Monitor Cloudflare Tunnel with Grafana"}}]} ``` --- --- title: GraphQL Analytics description: Use the GraphQL Analytics API to review data for Cloudflare Network Firewall network traffic related to rules matching your traffic. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ GraphQL ](https://developers.cloudflare.com/search/?tags=GraphQL) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/graphql-analytics.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # GraphQL Analytics **Last reviewed:** about 4 years ago Use the GraphQL Analytics API to review data for Cloudflare Network Firewall network traffic related to rules matching your traffic. This contains both rules you configured in the Cloudflare Network Firewall dashboard, and the rules managed by Cloudflare as a part of [Cloudflare Network Firewall Managed rules](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/enable-managed-rulesets/) and [Cloudflare Network Firewall IDS](https://developers.cloudflare.com/cloudflare-network-firewall/about/ids/) features. Before you begin, you must have an [API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/). For additional help getting started with GraphQL Analytics, refer to [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/). ## Obtain Cloudflare Account ID To construct a Network Firewall GraphQL query for an object, you will need a Cloudflare Account ID ### Obtain your Cloudflare Account ID 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account. 2. The URL in your browser's address bar should show `https://dash.cloudflare.com/` followed by a hex string. The hex string is your Cloudflare Account ID. ### Obtain the rule ID for a firewall rule To construct queries to gather analytics for a particular rule, you need the rule ID for each firewall rule. 1. In the Cloudflare dashboard, go to the **Cloudflare Network Firewall** page. [ Go to **Firewall policies** ](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall) 2. In the **Custom rules** tab, locate the rule you need the rule ID for from the list and select the three dots > **Edit**. 3. Locate the **Rule ID** and select the copy button. 4. Select **Cancel** to return to the **Cloudflare Network Firewall** page. ## Explore GraphQL schema with Cloudflare Network Firewall query example In this section, you will run a test query to retrieve a five minute count of all configured Cloudflare Network Firewall rules within five minute intervals. You can copy and paste the code below into GraphiQL. For additional information about the Analytics schema, refer to [Explore the Analytics schema with GraphiQL](https://developers.cloudflare.com/analytics/graphql-api/getting-started/explore-graphql-schema/). ``` query MagicFirewallExample($accountTag: string!, $start: Time, $end: Time) { viewer { accounts(filter: { accountTag: $accountTag }) { magicFirewallSamplesAdaptiveGroups( filter: { datetime_geq: $start, datetime_leq: $end } limit: 2 orderBy: [datetimeFiveMinute_DESC] ) { sum { bits packets } dimensions { datetimeFiveMinute ruleId } } } } } ``` [Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BAogB4IC2ADgWABQAkCaaA9iAHYAuAKsgFwwAzlwgoOSAIQAaGAxEIIXQTxQUwshmA4ATFWrABKGAG8AUDBgA3FHkimLlmMzacuQugDMUBLpEEmzizs3HxIgkzBbmEwAL7G5k5OFMjoWDj4RADKlDRgQgCCOghUXChWYADiEOxUHo5Jlt6+-qYwxX5l6gD6SGDAEQpKsh1gXWDdtANy2jpxDY0EaijKMABMC0msEDqQAEJQggDao+NYFXDiIH7dACLEWQDCALqbMAlvlkIgFA6NjQAjFZCT5OKjMADWYxB-0ssVBOgMHCEKFYyL+sMspwM5zAlw41zAoMsEBAtAAkjpQfD-jSnHT4bEgA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgBYRAZmS9emAKxzM3AIwAtBiACm8ACZc+gkeN5TeA+YpXqAvkA) ## Example queries for Cloudflare Network Firewall ### Obtain analytics for a specific rule Use the example below to display the total number of packets and bits for the top ten suspected malicious traffic streams within the last hour. After receiving the results, you can sort by packet rates with a five minute average. For each stream, display the: * Source and destination IP addresses * Ingress Cloudflare data centers that received it * Total traffic volume in bits and packets received within the hour * Actions taken by the firewall rule ``` query MagicFirewallObtainRules( $accountId: string! $ruleId: string $start: Time $end: Time ) { viewer { accounts(filter: { accountTag: $accountId }) { magicFirewallNetworkAnalyticsAdaptiveGroups( filter: { ruleId: $ruleId, datetime_geq: $start, datetime_leq: $end } limit: 10 orderBy: [avg_packetRateFiveMinutes_DESC] ) { sum { bits packets } dimensions { coloCity ipDestinationAddress ipSourceAddress outcome } } } } } ``` [Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BA8gEYAuCKAdgEogFgDOAFAFAwwAkCaaA9iGrkAkgBMAXDCbkINJAEIO3CAzDipMudSTKuMhBHJSAKigC2YPWGqSYZy2wCUMAN7KAbijyQ3yzrwCQuSsAGYoBOSQUq4wgYLCJshSPHwJomIwAL4u7pz5MObI6Fg4+EQAcmDkuPwQANYAgtSEUOToTI1iCAAO7R5gAOIQgj2s-gUw4ZHRbjCqjBoqauIANDDdUe2WAPpIYMApBkbrm9UWYDuMh9w2mVkTBQQWKMYwAIwADI-5dWKQACEoFIANoIDxIHY9Xj1aq0BBRLADOA0EBRJg7AAiAFEAMoAYQAuj9cj9OEwQOY-JNJqRXkwyfloWhYSFGQ8aZwxBdqEwUPxedTOZwBAR+PjXlBGZwUD1Mcx2i12gKumIcEwGcKZT1cYIIGgwKr1ZqtYJyAJHMKOZNrZxrQ8skA&variables=N4IghgxhD2CuB2AXAkgExALhAJQKIAUAZAQQGFcB9AdWQBUAJC5AERABoQAnWAGwFM0mHARLlqdRi3YgAzojCdEQgEwAGZQDYAtKoAsOgMy1VqjAFYzGZQEYAWtL7x0WNZp37VR1RvOWb9gF8gA) ### Obtain IDS analytics Use the example below to display the total number of packets and bits for the top 10 traffic streams that Cloudflare Network Firewall IDS has detected in the last hour. By setting `verdict` to `drop` and `outcome` as `pass`, we are filtering for traffic that was marked as a detection (i.e. verdict was drop) but was not dropped (for example, outcome was `pass`). This is because currently, Cloudflare Network Firewall IDS only detects malicious traffic but does not drop the traffic. For each stream, display the: * Source and destination IP addresses. * Ingress Cloudflare data centers that received it. * Total traffic volume in bits and packets received within the hour. ``` query MagicFirewallObtainIDS($accountTag: string!, $start: Time, $end: Time) { viewer { accounts(filter: { accountTag: $accountTag }) { magicIDPSNetworkAnalyticsAdaptiveGroups( filter: { datetime_geq: $start datetime_leq: $end verdict: drop outcome: pass } limit: 10 orderBy: [avg_packetRateFiveMinutes_DESC] ) { sum { bits packets } dimensions { coloCity ipDestinationAddress ipSourceAddress } } } } } ``` [Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BA8gEYAuCKAdgJIAiAygBQAkCaaA9iNeQCrIAXDADO5CDSQBCADQxW4hBHIj+KALZh5rMNQAmazWACUMAN4AoGDABuKPJAvWbMDt17lRzAGYoC5JAi5m6cPHyCSCLsYZ6RMAC+ZlaurhrI6AwACowAcmDkuFwQANYAgtSEUOToomX6CAAONbZgAOIQPI3eLqk2fgFBzn19DYE1WgD6SGDA0UoqvSMwYwXGkwSz0Xr6SyOtEProqiudjXt9POTcWiKNCKKiFzYJzzAEmignAIwADG-FfSQABCUBEAG0ELYkJN7mgSgUAEoIQJYVpwGggQKiSb0ACijAAwgBdC7JN6iEAaYbLGykL5PWk2OEIrxvV60o5aaiiFBcHk02ncAhcQlfKBvGwoRr0MDiGgovnUer6HCPSUwaWMHgQNBgFVqxnLDl9E0vFyvBJAA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgBYRAZmS9emAKxzM3AIwAtBiACm8ACZc+gkeN5TeA+YpXqAvkA) Alternatively, to inspect all traffic that was analyzed, but grouped into malicious traffic and other traffic, the example below can be used. The response will contain two entries for each five minute timestamp. `verdict` will be set to `drop` for malicious traffic, and `verdict` will be set to `pass` for traffic that did not match any of the IDS rules. ``` query MagicFirewallTraffic($accountTag: string!, $start: Time, $end: Time) { viewer { accounts(filter: { accountTag: $accountTag }) { magicIDPSNetworkAnalyticsAdaptiveGroups( filter: { datetime_geq: $start, datetime_leq: $end } limit: 10 orderBy: [avg_packetRateFiveMinutes_DESC] ) { sum { bits packets } dimensions { coloCity ipDestinationAddress ipSourceAddress verdict } } } } } ``` [Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BAKhAgGbnoAUAJAmmgPYgB2ALscgFwwDO7CClZIAhABoYtAQgjtexFAFswk2mFYATBcrABKGAG8AUDBgA3FHkhHTZmA2Zt2falQLtIvQw8YsOXEi89H7OgTAAvgYm9vZKyOgAkgAiAAoAygByYOy4TBAA1gCCrIRQ7Oh8RZoIAA4V5mAA4hAsta52sWbunhDeMDWeFSoA+khgwMEycpKDObojBBPBGpqRnV0EyijyMACMAAwbsfmakABCULwA2gjmSCO1DAU5AEoInliNcMIgnnwjZIAUXSAGEALrHGDRKFmPggJS2LpdABGOz4sPsTzQLxcmIimM0ulYfBQTBJSOR9mYBCYoJ2UExZhQtWSYAEwg+ZNY1U0OD4GKp9hZ6RYEDQYF5-MFQoskCJaHY+KhBNiqvWESAA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgBYRAZmS9emAKxzM3AIwAtBiACm8ACZc+gkeN5TeA+YpXqAvkA) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/graphql-analytics/","name":"GraphQL Analytics"}}]} ``` --- --- title: Integrate Microsoft MCAS with Cloudflare Zero Trust description: With an MCAS API call, you can manage a URL category that contains the blocked URLs. Use the output to create a Hostname List that can be used by Gateway HTTP policies to block them. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Integrate Microsoft MCAS with Cloudflare Zero Trust **Last reviewed:** over 4 years ago Many security teams rely on Microsoft MCAS (Microsoft Cloud App Security), Microsoft's CASB solution, to identify and block threats on the Internet, as well as allow or block access to cloud applications. This tutorial covers how to integrate MCAS with Cloudflare Zero Trust, and create Gateway HTTP policies to ensure visibility and control over data. Microsoft provides an MCAS API endpoint to allow queries to see which applications have been marked as blocked or allowed. With an MCAS API call, you can manage a URL category that contains the blocked URLs returned by the API query, and use the output to create a Hostname List that can be used by Gateway HTTP policies to block them. **Time to complete:** 20 minutes ## Basic configuration In your Microsoft account, you first need to create an API token and URL endpoint to use to query the URLs blocked by MCAS. Follow the guide for [Managing API tokens for Microsoft Cloud App Security ↗](https://learn.microsoft.com/defender-cloud-apps/api-authentication) to generate a new API token and a custom API URL for the API endpoint. ## Using the API to query banned applications Once you have the API token and API URL, use curl to get the list of banned applications from Microsoft MCAS: Terminal window ``` curl -v "https:///api/discovery_block_scripts/?format=120&type=banned" -H "Authorization: Token " ``` This will return a list of banned hostnames. In this case, Angie's List is the banned application. ![Banned hostnames](https://developers.cloudflare.com/_astro/mcas-domains.CtUPNlL__5tMjF.webp) ### Processing the output As you can see, the banned hostnames are preceded by a `.`. To use this output for a Zero Trust List, we need to do some text processing. 1. Run the curl API call and direct the output to a file, in this case `mcas.txt`: Terminal window ``` curl -v "https:///api/discovery_block_scripts/?format=120&type=banned" -H "Authorization: Token " > mcas.txt ``` 2. Remove the leading `.`, for example by running `sed` from the CLI: Terminal window ``` sed -i 's/^.//' mcas.txt ``` 3. This will give you the list of hostnames without leading `.`. 4. Replace the file's `.txt` extension with `.csv`. The file can now be imported into Cloudflare Zero Trust as a Hostname list. ## Using the API to query allowed applications If you would like to get a list of all of the MCAS allowed applications, you can use the same API query, but instead of using `type=banned`, use `type=allowed`. This will return a much larger list. Terminal window ``` curl -v "https:///api/discovery_block_scripts/?format=120&type=allowed" -H "Authorization: Token " ``` ## Adding a hostname list in Cloudflare One 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Reusable components** \> **Lists** 2. Select **Upload CSV**. Even though the hostname list is not in CSV format, it will work with no issues. 3. Add a name for the list, specify _Hostnames_ as the list type, and give it a description. 4. Drag and drop your MCAS output file created via the API call, or you can select **Select a file**. 5. Select **Create**. You will see the list of hostnames that have been added to the list. 6. Save the list. Your list is now ready to be referenced by Gateway HTTP policies. ## Creating an HTTP policy 1. Go to **Traffic policies** \> **Traffic policies** \> **HTTP**. 2. Select **Add a policy**. 3. Create the following policy. | Selector | Operator | Value | Action | | -------- | -------- | --------------------- | ------ | | Host | in list | | Block | Now when trying to visit one of the MCAS defined sites, the user will be blocked. ![Access Restricted](https://developers.cloudflare.com/_astro/mcas-block-page.Bgzcx6ig_ZPxsLe.webp) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/integrate-microsoft-mcas-teams/","name":"Integrate Microsoft MCAS with Cloudflare Zero Trust"}}]} ``` --- --- title: Connect through Cloudflare Access using kubectl description: Connecting to Cloudflare's network using kubectl. Create a Zero Trust policy for your machine. Create an outbound-only connection between your machine and Cloudflared's network. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Kubernetes ](https://developers.cloudflare.com/search/?tags=Kubernetes)[ TCP ](https://developers.cloudflare.com/search/?tags=TCP) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/kubectl.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Connect through Cloudflare Access using kubectl **Last reviewed:** over 3 years ago You can connect to machines over `kubectl` using Cloudflare's Zero Trust platform. **This walkthrough covers how to:** * Build a policy in Cloudflare Access to secure the machine * Connect a machine to Cloudflare's network using kubectl * Connect from a client machine **Before you start** * [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) **Time to complete:** 30 minutes --- ## Create an Access policy 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **Self-hosted**. 4. Enter a name for your Access application. 5. Select **Add public hostname** and input a subdomain. This will be the hostname where your application will be available to users. 6. [Create a new policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can reach the application, or select existing policies. 7. Follow the remaining [self-hosted application creation steps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. ## Install `cloudflared` Cloudflare Tunnel creates a secure, outbound-only connection between this machine and Cloudflare's network. With an outbound-only model, you can prevent any direct access to this machine and lock down any externally exposed points of ingress. And with that, no open firewall ports. Cloudflare Tunnel is made possible through a lightweight daemon from Cloudflare called `cloudflared`. Download and install `cloudflared` on the DigitalOcean machine by following the instructions listed on the [Downloads](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) page. ## Authenticate `cloudflared` Run the following command to authenticate cloudflared into your Cloudflare account. Terminal window ``` cloudflared tunnel login ``` `cloudflared` will open a browser window and prompt you to log in to your Cloudflare account. If you are working on a machine that does not have a browser, or a browser window does not launch, you can copy the URL from the command-line output and visit the URL in a browser on any machine. Choose any hostname presented in the list. Cloudflare will issue a certificate scoped to your account. You do not need to pick the specific hostname where you will serve the Tunnel. ## Create a Tunnel Next, create a tunnel with the command below. Terminal window ``` cloudflared tunnel create ``` Replacing `` with a name for the Tunnel. This name can be any value. A single Tunnel can also serve traffic for multiple hostnames to multiple services in your environment, including a mix of connection types like SSH and HTTP. The command will output an ID for the Tunnel and generate an associated credentials file. At any time you can list the Tunnels in your account with the following command. Terminal window ``` cloudflared tunnel list ``` ## Configure the Tunnel You can now [configure the tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/#4-create-a-configuration-file) to serve traffic. Create a `YAML` file that `cloudflared` can reach. By default, `cloudflared` will look for the file in the same folder where `cloudflared` has been installed. Terminal window ``` vim ~/.cloudflared/config.yml ``` Next, configure the Tunnel, replacing the example ID below with the ID of the Tunnel created above. Additionally, replace the hostname in this example with the hostname of the application configured with Cloudflare Access. ``` tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json ingress: - hostname: azure.widgetcorp.tech service: tcp://kubernetes.docker.internal:6443 originRequest: proxyType: socks - service: http_status:404 # Catch-all rule, which responds with 404 if traffic doesn't match any of # the earlier rules ``` ## Route to the Tunnel You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the configured service as long as the hostname is defined with an [ingress rule](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames). 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to the **DNS Records** page for your domain. [ Go to **Records** ](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) 2. Select **Add record**. Choose `CNAME` as the record type. For **Name**, choose the hostname where you want to create a Tunnel. This should match the hostname of the Access policy. 3. For **Target**, input the ID of your Tunnel followed by `.cfargotunnel.com`. For example: ``` 6ff42ae2-765d-4adf-8112-31c55c1551ef.cfargotunnel.com ``` 1. Select **Save**. ## Run the Tunnel You can now run the Tunnel to connect the target service to Cloudflare. Use the following command to run the Tunnel, replacing `` with the name created for your Tunnel. Terminal window ``` cloudflared tunnel run ``` We recommend that you run `cloudflared` [as a service](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/as-a-service/) that is configured to launch on start. ## Connect from a client machine You can now connect from a client machine using `cloudflared`. This example uses a macOS laptop. On macOS, you can install `cloudflared` with the following command using Homebrew. Terminal window ``` brew install cloudflared ``` Run the following command to create a connection from the device to Cloudflare. Any available port can be specified. Terminal window ``` cloudflared access tcp --hostname azure.widgetcorp.tech --url 127.0.0.1:1234 ``` With this service running, you can run a `kubectl` command and `cloudflared` will launch a browser window and prompt the user to authenticate with your SSO provider. Once authenticated, `cloudflared` will expose the connection to the client machine at the local URL specified in the command. `kubeconfig` does not support proxy command configurations at this time, though the community has submitted plans to do so. In the interim, users can alias the cluster's API server to save time. Terminal window ``` alias kubeone="env HTTPS_PROXY=socks5://127.0.0.1:1234 kubectl" ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/kubectl/","name":"Connect through Cloudflare Access using kubectl"}}]} ``` --- --- title: Protect access to Microsoft 365 with dedicated egress IPs description: This tutorial covers how to secure access to your Microsoft 365 applications with Cloudflare Gateway dedicated egress IPs. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Microsoft ](https://developers.cloudflare.com/search/?tags=Microsoft)[ IPv4 ](https://developers.cloudflare.com/search/?tags=IPv4)[ IPv6 ](https://developers.cloudflare.com/search/?tags=IPv6) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Protect access to Microsoft 365 with dedicated egress IPs **Last reviewed:** over 2 years ago Note Only available on Zero Trust Enterprise plans. This tutorial covers how to secure access to your Microsoft 365 applications with Cloudflare Gateway dedicated egress IPs. You can map a named location in Microsoft Entra ID to a location associated with your dedicated egress IPs. Traffic will egress from Cloudflare with these IP addresses. If users attempt to access your Microsoft applications without these IPs, Entra ID will block access. ## Before you begin Make sure you have: * In Cloudflare, a Zero Trust Enterprise plan with [dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) * In Microsoft 365, an organization managed with [Microsoft Entra ID ↗](https://learn.microsoft.com/en-us/entra/identity/) ## Create an egress policy in Cloudflare Gateway 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Egress policies**. 2. Select **Add a policy**. 3. Name your policy, then add conditions to check users are configured in Microsoft Entra ID. For example, you can check for [identity conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/): | Selector | Operator | Value | | ---------------- | -------- | --------------------------------------- | | User Group Names | in | Sales and Marketing, Retail, U.S. Sales | Additionally, you can check for [device posture conditions](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/): | Selector | Operator | Value | Logic | | --------------------------- | -------- | ----------------------------------------------- | ----- | | Passed Device Posture Check | is | CrowdStrike Overall ZTA score (Crowdstrike s2s) | And | | Passed Device Posture Check | is | AppCheckMac - Required Software (Application) | | 4. Enable **Use dedicated Cloudflare egress IPs**. Select your desired IPv4 and IPv6 addresses. For example: | Primary IPv4 address | IPv6 address | | -------------------- | ------------- | | 203.0.113.0 | 2001:db8::/32 | ## Create a named IP range location in Microsoft Entra ID 1. Log in to the [Microsoft Azure portal ↗](https://aka.ms/azureportal). 2. In the sidebar, select **Microsoft Entra ID**. 3. Go to **Security** \> **Named locations**. 4. Select **IP ranges location**. 5. Name your location, then add the IP addresses used in your Cloudflare dedicated egress IP policy. 6. Select **Upload**. This named location corresponds with the locations of your dedicated egress IPs. ## Create a conditional access policy in Microsoft Entra ID 1. In **Protect**, go to **Conditional Access**. 2. Select **Create new policy**. 3. Configure which Entra ID users you want to limit access for, and which traffic, applications, or actions you want to protect. 4. In **Conditions**, select **Locations**. Enable **Configure**. 5. In **Include**, select _Any location_. In **Exclude**, select the named location you created. 6. In **Access controls**, go to **Grant**. Enable _Block access_. Your policy will block access for your selected users from any location except those using your dedicated egress IPs. ## Test your policies 1. Using [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), sign in to your Zero Trust organization with a user's account. 2. Go to any Microsoft 365 app within your organization. Entra ID should allow access. 3. Disconnect the Cloudflare One Client from your Zero Trust organization. Entra ID should block access to any Microsoft 365 applications. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/m365-dedicated-egress-ips/","name":"Protect access to Microsoft 365 with dedicated egress IPs"}}]} ``` --- --- title: MongoDB SSH description: You can build Zero Trust rules to secure connections to MongoDB deployments using Cloudflare Access and Cloudflared Tunnel. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ MongoDB ](https://developers.cloudflare.com/search/?tags=MongoDB)[ SSH ](https://developers.cloudflare.com/search/?tags=SSH)[ Kubernetes ](https://developers.cloudflare.com/search/?tags=Kubernetes) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # MongoDB SSH **Last reviewed:** over 5 years ago You can build Zero Trust rules to secure connections to MongoDB deployments using Cloudflare Access and Cloudflare Tunnel. Cloudflare Tunnel requires a lightweight daemon, `cloudflared`, running alongisde the deployment and as on the client side. In this tutorial, a client running `cloudflared` connects over SSH to a MongoDB deployment running on Kubernetes. The deployment example is structured to connect [Compass ↗](https://www.mongodb.com/products/compass) to the MongoDB instance. The MongoDB Kubernetes deployment runs both the MongoDB database service and `cloudflared` as a ingress service that operates like a jump host. **This tutorial covers how to:** * Create a Cloudflare Access rule to secure a MongoDB deployment * Configure a StatefulSet and service definition for the deployment * Configure an Cloudflare Tunnel connection to Cloudflare's edge * Create an SSH configuration file for the client **Time to complete:** 50 minutes --- ## Configure Cloudflare Access You can build a rule in Cloudflare Access to control who can connect to your MongoDB deployment. Cloudflare Access rules are built around a hostname; even though this deployment will be accessible over SSH, the resource will be represented in Cloudflare as a hostname. For example, if you have the website `app.com` in your Cloudflare account, you can build a rule to secure `mongodb.app.com`. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **Self-hosted**. 4. Enter any name for the application. 5. Select **Add public hostname** and enter the subdomain where users will connect to your deployment (for example, `mongodb.app.com`). 6. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control who can reach the deployment. You can build a policy that allows anyone in your organization to connect or you can build more granular policies based on signals like identity provider groups, [multifactor method](https://developers.cloudflare.com/cloudflare-one/tutorials/okta-u2f/), or [country](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/). 7. Follow the remaining [self-hosted application creation steps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. ## Configure the Kubernetes deployment To be accessible over SSH, the Kubernetes deployment should manage both the MongoDB standalone service and an SSH proxy service. The configuration below will deploy 1 replica of the database service, available at port 27017, as well as an SSH proxy available at port 22. StatefulSet Configuration ``` apiVersion: apps/v1 kind: StatefulSet metadata: name: mongodb-standalone namespace: mongodb spec: serviceName: database replicas: 1 selector: matchLabels: app: database template: metadata: labels: app: database selector: mongodb-standalone spec: containers: - name: mongodb-standalone image: mongo command: ["mongod"] args: ["--config=/config/mongod.conf"] ports: - containerPort: 27017 protocol: TCP name: mongod volumeMounts: - name: mongodb-conf mountPath: /config readOnly: true - name: mongodb-data mountPath: /data/db - name: tls mountPath: /etc/tls - name: mongodb-socket mountPath: /socket - name: ssh-proxy image: ubuntu:20.04 command: ["/scripts/entrypoint.sh"] ports: - containerPort: 22 protocol: TCP name: ssh-port volumeMounts: - name: mongodb-socket mountPath: /socket - name: scripts mountPath: /scripts readOnly: true - name: ssh-authorized-keys mountPath: /config/ssh readOnly: true resources: requests: cpu: 20m memory: 32Mi volumes: - name: mongodb-socket emptyDir: {} - name: mongodb-conf configMap: name: mongodb-standalone items: - key: mongod.conf path: mongod.conf - name: tls secret: secretName: tls - name: mongodb-data persistentVolumeClaim: claimName: mongodb-standalone - name: scripts configMap: name: scripts items: - key: entrypoint.sh path: entrypoint.sh mode: 0744 - name: ssh-authorized-keys configMap: name: ssh-proxy-config items: - key: authorized_keys path: authorized_keys mode: 0400 ``` The corresponding service definition should also specify the ports and target ports for the containers (in this case, the database service and the SSH proxy service). Service Definition ``` apiVersion: v1 kind: Service metadata: name: database namespace: mongodb labels: app: database spec: clusterIP: None selector: app: database ports: - protocol: TCP port: 27017 targetPort: 27017 --- apiVersion: v1 kind: Service metadata: name: ssh-proxy namespace: mongodb labels: app: database spec: selector: app: database ports: - protocol: TCP port: 22 targetPort: 22 ``` The MongoDB pod and the SSH jump host will share a Unix socket over an empty directory volume. The `entrypoint.sh` file run by the jump host, example below, will start an OpenSSH server. ``` #!/bin/sh export TZ=America/Chicago ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone apt-get update -y && apt-get install -y openssh-server mkdir /root/.ssh cp /config/ssh/authorized_keys /root/.ssh/authorized_keys chmod 400 /root/.ssh/authorized_keys service ssh start while true; do sleep 30; done; ``` ## Configure Cloudflare Tunnel Next, you can use `cloudflared` to connect to Cloudflare's Edge using Cloudflare Tunnel. Start by [downloading and installing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/) the Cloudflare Tunnel daemon, `cloudflared`. Once installed, run the following command to authenticate the instance of `cloudflared` into your Cloudflare account. Terminal window ``` cloudflared login ``` The command will launch a browser window and prompt you to login with your Cloudflare account. Choose a website that you have added into your account. Once you select one of the sites in your account, Cloudflare will download a certificate file, called `cert.pem` to authenticate this instance of `cloudflared`. The `cert.pem` file uses a certificate to authenticate your instance of `cloudflared` and includes an API key for your account to perform actions like DNS record changes. You can now use `cloudflared` to control Cloudflare Tunnel connections in your Cloudflare account. ![Download Certificate](https://developers.cloudflare.com/_astro/cert-download.CzGYlCAx_Z1IrUwf.webp) ### Create a Tunnel You can now [create a Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/) that will connect `cloudflared` to Cloudflare's edge. You'll configure the details of that Tunnel in the next step. Run the following command to create a Tunnel. You can replace `mongodb` with any name that you choose. This command requires the `cert.pem` file. `cloudflared tunnel create mongodb` Cloudflare will create the Tunnel with that name and generate an ID and credentials file for that Tunnel. ![New Tunnel](https://developers.cloudflare.com/_astro/create.2q9ua5Ht_18exbR.webp) ### Delete the `cert.pem` file The credentials file is separate from the `cert.pem` file. Unlike the `cert.pem` file, the credentials file consists of a token that authenticates only the Named Tunnel you just created. Formatted as `JSON`, the file cannot make changes to your Cloudflare account or create additional Tunnels. If you are done creating Tunnels, you can delete the `cert.pem` file, leave only the credentials file, and continue to manage DNS records directly in the Cloudflare dashboard or API. For additional information on the different functions of the two files, refer to the list of [useful terms](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#certpem). Store the `JSON` file as a Kubernetes secret. ### Configure Cloudflare Tunnel The previous setps used `cloudflared` to generate a credentials file for your Cloudflare account. When run as a service alongside the MongoDB Kubernetes deployment you will need to use a Docker image of `cloudflared`. Cloudflare makes an [official image available ↗](https://hub.docker.com/r/cloudflare/cloudflared) in DockerHub. The configuration below will run a single replica of `cloudflared` as an ingress point alongside the MongoDB and SSH proxy services. `cloudflared` will proxy traffic to the SSH proxy service. The `cloudflared` instance will run as its own deployment in a different namespace and, if network policy allows, ingress to any service in the Kubernetes node. `cloudflared` Configuration ``` apiVersion: apps/v1 kind: Deployment metadata: name: dashboard-tunnel namespace: argotunnel labels: app: dashboard-tunnel spec: replicas: 1 selector: matchLabels: app: dashboard-tunnel template: metadata: labels: app: dashboard-tunnel spec: containers: - name: dashboard-tunnel # Image from https://hub.docker.com/r/cloudflare/cloudflared image: cloudflare/cloudflared:2020.11.11 command: ["cloudflared", "tunnel"] args: ["--config", "/etc/tunnel/config.yaml", "run"] ports: - containerPort: 5000 livenessProbe: tcpSocket: port: 5000 initialDelaySeconds: 60 periodSeconds: 60 volumeMounts: - name: dashboard-tunnel-config mountPath: /etc/tunnel - name: tunnel-credentials mountPath: /etc/credentials volumes: - name: dashboard-tunnel-config configMap: name: dashboard-tunnel-config - name: tunnel-credentials secret: secretName: tunnel-credentials --- apiVersion: v1 kind: ConfigMap metadata: name: dashboard-tunnel-config namespace: argotunnel data: config.yaml: | tunnel: 9a00ef26-4997-4de2-83db-631efc74245c credentials-file: /etc/credentials/k8s-dashboard.json metrics: :5000 protocol: http2 no-autoupdate: true ingress: - hostname: mongodb.widgetcorp.tech originRequest: bastionMode: true - service: http_status:404 ``` ## Connect from a client Once deployed, you can run `cloudflared` on the client side to connect to the MongoDB deployment. Add the following lines to your SSH configuration file, replacing the examples with your hostname and details. The `--destination` value should match the URL of the SSH Proxy service configured previously. Terminal window ``` Host mongodb ProxyCommand /usr/local/bin/cloudflared access ssh --hostname mongodb.widgetcorp.tech --destination ssh-proxy.mongodb.svc.cluster.local:22 LocalForward 27000 /socket/mongodb-27017.sock User root IdentityFile /Users/username/.ssh/id_rsa ``` This is a one-time step. When you next attempt to make an SSH connection to the deployment, `cloudflared` will launch a browser window and prompt you to authenticate. Once authenticated, you will be connected if you have a valid session. Once the tunnel is established, all requests to `localhost:27000` on your machine will be forwarded to `/socket/mongodb-27017.sock` on the SSH proxy container. You can then set MongoDB Compass to connect to `localhost:27000`. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/mongodb-tunnel/","name":"MongoDB SSH"}}]} ``` --- --- title: Access and secure a MySQL database using Cloudflare Tunnel and network policies description: Using Cloudflare Tunnel's private networks, users can connect to arbitrary non-browser based TCP/UDP applications, like databases. You can set up network policies that implement zero trust controls to define who and what can access those applications using the Cloudflare One Client. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ MySQL ](https://developers.cloudflare.com/search/?tags=MySQL)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Access and secure a MySQL database using Cloudflare Tunnel and network policies **Last reviewed:** about 2 years ago Using Cloudflare Tunnel's private networks, users can connect to arbitrary non-browser based TCP/UDP applications, like databases. You can set up network policies that implement zero trust controls to define who and what can access those applications using the Cloudflare One Client. By the end of this tutorial, users that pass network policies will be able to access a remote MySQL database available through a Cloudflare Tunnel on TCP port 3306. ## Before you begin Make sure you have: * A MySQL database listening for remote connections and configured with users that can connect remotely * (Optional)[Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) enabled on your account ## Create a Cloudflare Tunnel Install `cloudflared` on a server in your private network. This server should have connectivity to the MySQL database. 1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com) and go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. 2. Select **Create a tunnel**. 3. Choose **Cloudflared** for the connector type and select **Next**. 4. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`). 5. Select **Save tunnel**. 6. Next, you will need to install `cloudflared` and run it. To do so, check that the environment under **Choose an environment** reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command. 7. Once the command has finished running, your connector will appear in Cloudflare One. ![Connector appearing in the UI after cloudflared has run](https://developers.cloudflare.com/_astro/connector.BnVS4T_M_ZxLFu6.webp) 8. Select **Next**. ## Add private network routes 1. In the **CIDR** tab, add the following IP addresses: * Private IP/CIDR of your MySQL server (for example, `10.128.0.175/32`) * (Optional) Private IP/CIDR of your internal DNS server 1. Select **Save tunnel**. The application and (optional) DNS server are now connected to Cloudflare. ## Create a Gateway network policy 1. Go to **Traffic policies** \> **Network policies**. 2. Add a [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address and the port of the MySQL database (port 3306 by default). The following example allows access to the database to the users that enrolled into the Cloudflare One Client using an `@example.com` email address. The network policies can also take into consideration [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | -------------- | ----- | ------ | | Destination IP | in | 10.128.0.175 | And | Allow | | Destination Port | in | 3306 | And | | | User Email | matches regex | .\*example.com | | | In addition to the Allow rule above, Cloudflare recommends adding a [catch-all block policy](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/) to the bottom of your network policy list to enforce a default-deny model. Allowed Cloudflare One Client users can now connect to the MySQL server at `10.128.0.175` using the MySQL client of their choice. ## (Optional) Create a Gateway resolver policy To allow users to access the MySQL database using an internal hostname instead of the private IP address, configure a Gateway resolver policy. 1. Go to **Traffic policies** \> **Resolver policies**. 2. Select **Add a policy**. 3. Create an expression to match against the private [domain](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#domain) or [hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#host) of the application, like in the following example: | Selector | Operator | Value | | -------- | -------- | ------------------ | | Domain | in | internalrecord.com | 4. In **Select DNS resolver**, select _Configure custom DNS resolvers_. 5. Enter the private IP address of your DNS server. 6. In the dropdown menu, select _` - Private`_. 7. (Optional) Enter a custom port. 8. Select **Create policy**. If your internal DNS server has an `A` record for the MySQL database, users can connect to the server using this record. For example, assuming a BIND server that includes the entry: `mysql IN A 10.128.0.175` Allowed Cloudflare One Client users can connect to the MySQL database at `mysql.internalrecord.com` using the MySQL client of their choice. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/mysql-network-policy/","name":"Access and secure a MySQL database using Cloudflare Tunnel and network policies"}}]} ``` --- --- title: Require U2F with Okta description: This tutorial covers how to Integrate Cloudflare Access with Okta. It also covers the steps to set up Cloudflare Access and integrate Okta with Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Okta ](https://developers.cloudflare.com/search/?tags=Okta) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Require U2F with Okta **Last reviewed:** over 5 years ago Many identity providers, like Okta, support multiple multifactor authentication (MFA) options simultaneously. For example, Okta will allow you to login with your password and a temporary code generated in an app or a U2F hard key like a Yubikey. Some second factor methods are more resistant to phishing. U2F options require you to have access to a physical device, also known as a hardware key. Without that key, a user cannot impersonate you even if they have your password. You can build rules in Cloudflare Access to require that users authenticate with a hardware key - even if your provider supports multiple options. When users login with a less secure option, like an app-based code, Access will block them. **This tutorial covers how to:** * Integrate Cloudflare Access with Okta * Configure Okta for U2F enrollment * Build an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) that require users login with a hardware key * Specify that policy to apply to certain Access applications The first two sections of this tutorial link to guides to set up Cloudflare Access and integrate Okta. If you already use Cloudflare Access with Okta, you can skip ahead to the fourth section. **Time to complete:** 20 minutes --- ## Configure Cloudflare Access Before you begin, you'll need to follow [these instructions](https://developers.cloudflare.com/cloudflare-one/setup/) to set up Cloudflare Access in your account. The hardware key feature is available on any plan, including the free plan. ## Integrate Okta Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/) to integrate Okta with your Cloudflare Access account. Once integrated, Access will be able to apply rules using identity, group membership, and multifactor method from Okta. ## Configure Okta for U2F An Okta administrator in your organization must first [enable U2F support ↗](https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm) in your Okta account **and** [configure users ↗](https://help.okta.com/en/prod/Content/Topics/Security/healthinsight/required-factors.htm) to be prompted for it. This is a global setting; if your account has already configured U2F, you do not need to do anything unique to use it with Cloudflare Access. ## Test U2F in Access You can begin building U2F policies by testing your Okta integration. 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to the **Access controls** \> **Access settings**. 2. In **Manage your App Launcher**, select **Manage**. 3. Choose **Login methods**. 4. Choose the row for Okta and select **Test**. Cloudflare Access will prompt you to login with your Okta account. For the purposes of the test, use a second factor option like an app-based code. Okta will return `amr` values to Cloudflare Access - these are standard indicators of multifactor methods shared between identity control systems. The `mfa` value is sent by Okta to tell Cloudflare Access that you used a multifactor authentication option. The `pwd` value indicates you used a password. In this example, the `otp` value is sent because the user authenticatd with an app-based code. You can test with a hardkey by logging out of Okta and returning to the list of providers in Access. Select **Test** again, but this time use your hardware key as a second factor. Cloudflare Access will now see Okta share `hwk` in the `amr` fields. ![Test MFA](https://developers.cloudflare.com/_astro/with-hwk.CL1DMkwd_Z6LXdY.webp) ## Build a Zero Trust policy to require U2F You can use this information to build a rule in Access. Go to the `Applications` list in the Cloudflare Access section of the dashboard. Choose an application that you have already built or create a new one. This example adds the requirement to an existing application. Select **Edit** to edit the existing `Allow` rule. Add a `Require` rule and select `Authentication Method` from the list. Choose `hwk` as the required `Authentication Method`. Select **Save rule**. ![Require Rule](https://developers.cloudflare.com/_astro/require-hwk.D9ImfCao_ZAoRHD.webp) Optional: you can also configure Cloudflare Access to only show users Okta for this application if you have multiple other providers integrated. In the `Authentication` Tab, choose `Okta` as the only option to show users. ## Testing the rule You can now test the rule. Visit the application and attempt to login using an app-based code or method other than a hardware security key. Access will block the attempt. ![Blocked](https://developers.cloudflare.com/_astro/blocked-user.DutI7nnY_2mWm6R.webp) If you sign out of Okta, and reattempt with a hardware key, Access will then allow the connection. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/okta-u2f/","name":"Require U2F with Okta"}}]} ``` --- --- title: Use Cloudflare R2 as a Zero Trust log destination description: This tutorial covers how to build a Cloudflare R2 bucket to store Zero Trust logs. It also shows how to connect the bucket to the Zero Trust Logpush service. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Logging ](https://developers.cloudflare.com/search/?tags=Logging) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/r2-logs.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Use Cloudflare R2 as a Zero Trust log destination **Last reviewed:** over 2 years ago Note Only available on Zero Trust Enterprise plans. This tutorial covers how to build a [Cloudflare R2 bucket](https://developers.cloudflare.com/r2/buckets/) to store logs, and how to connect the bucket to the Zero Trust [Logpush service](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) to store logs persistently and export them into other tools. ## Before you begin * Ensure Cloudflare R2 and the Zero Trust Logpush integration are included in your plan. For more information, contact your account team. ## Create a Cloudflare R2 bucket 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **R2 Overview** page. [ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/r2/overview) 2. Select **Create bucket**. 3. Enter an identifiable name for the bucket, then select **Create bucket**. ## Create an R2 API token 1. Return to **R2**, then select **Manage R2 API tokens**. 2. Select **Create API token**. 3. In **Permissions**, select **Object Read & Write**. 4. In **Specify bucket(s)**, choose _Apply to specific buckets only_. Select the bucket you created. 5. Configure other token settings to your preferences. 6. Select **Create API Token**. 7. Copy the **Access Key ID**, **Secret Access Key**, and endpoint URL values. You will not be able to access these values again. 8. Select **Finish**. ## Connect a Zero Trust Logpush job 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Logs**. Select **Manage Logpush**. 2. Select **Connect a service**. 3. Choose which data sets and fields you want to send to your bucket. Select **Next**. 4. Select **S3 Compatible**. 5. In **S3 Compatible Bucket Path**, enter the name of your bucket. 6. In **Bucket region**, enter `auto`. 7. Enter the values for **Access Key ID**, **Secret Access Key**, and **Endpoint URL** in their corresponding fields. 8. Select **Push**. If prompted, you do not need to prove ownership with a token challenge. The Logpush job will send the selected Zero Trust logs to your R2 bucket. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/r2-logs/","name":"Use Cloudflare R2 as a Zero Trust log destination"}}]} ``` --- --- title: Implement regional private DNS servers with Gateway resolver policies description: Configure Gateway resolver policies to route DNS queries to region-specific private DNS servers, enabling geo-steering for internal resources across multiple locations. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ DNS ](https://developers.cloudflare.com/search/?tags=DNS)[ Geolocation ](https://developers.cloudflare.com/search/?tags=Geolocation)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Implement regional private DNS servers with Gateway resolver policies **Last reviewed:** 5 months ago Gateway resolver policies allow you to route DNS queries to custom DNS resolvers based on various criteria. This tutorial demonstrates how to configure region-specific private DNS servers to ensure your users are directed to the closest internal resources based on their geographic location. This approach is particularly useful for organizations with internal networks spanning multiple locations where DNS routes and manages access to private network resources. By the end of this tutorial, you will have configured Gateway resolver policies to automatically route DNS queries to region-specific private DNS servers based on user location, providing optimal performance and access to internal resources. This tutorial uses US and EU region servers as example private DNS servers. ## Prerequisites Before you begin, make sure you have: * An Enterprise Zero Trust account * Private DNS servers deployed in multiple regions (for example, US, EU, and APAC) * A [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connecting your private DNS servers to Cloudflare * Internal domains that need to be resolved (for example, `internal.example.com`) ## 1\. Connect private DNS servers with Cloudflare Tunnel First, connect your regional private DNS servers to Cloudflare using Cloudflare Tunnel. For each region where you have a private DNS server, [create a tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#1-create-a-tunnel). For each tunnel, [add the private IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2-add-private-network-routes) of your DNS servers. For example, `10.0.1.53/32` for the US region and `10.1.1.53/32` for the EU region. Repeat this process for all regional DNS servers. ## 2\. Create Gateway resolver policies for each region Once your private DNS servers are connected to Cloudflare, configure Gateway resolver policies to route DNS queries to the appropriate regional DNS server based on user location. ### Create resolver policies for each region For each region where you have a private DNS server: 1. Go to **Traffic policies** \> **Resolver policies**. 2. Select **Add a policy**. 3. Name your policy based on the region (for example, `US Internal DNS`). 4. Create an expression to match internal domains and users in that region. For example, to match users in the United States: | Selector | Operator | Value | Logic | | ----------------------------- | -------- | -------------------- | ----- | | Domain | in | internal.example.com | And | | Source Country IP Geolocation | in | _United States_ | | 5. In **Select DNS resolver**, select _Configure custom DNS resolvers_. 6. Enter the private IP address of your regional DNS server (for example, `10.0.1.53` for US or `10.1.1.53` for EU). 7. In the dropdown menu, choose _` - Private`_. 8. (Optional) Select **Add DNS resolver** and enter a secondary IP address to add a backup DNS resolver. 9. Select **Create policy**. 10. Repeat steps 1-9 for each region where you have a private DNS server. For example, to create a policy to match users in the EU region: | Selector | Operator | Value | Logic | | ----------------------------- | -------- | -------------------------------------------------------- | ----- | | Domain | in | internal.example.com | And | | Source Country IP Geolocation | in | _Austria_, _Belgium_, _France_, _Germany_, _Netherlands_ | | ### Create a fallback resolver policy Create a catch-all policy for users in regions without a dedicated DNS server, or if no policies match your traffic: 1. Go to **Traffic policies** \> **Resolver policies**. 2. Select **Add a policy**. 3. Name your policy (for example, `Internal DNS Fallback`). 4. Create an expression to match internal domains: | Selector | Operator | Value | | -------- | -------- | -------------------- | | Domain | in | internal.example.com | 5. In **Select DNS resolver**, select _Configure custom DNS resolvers_. 6. Enter the private IP address of your primary DNS server. 7. Select **Create policy**. ## 3\. Configure policy order Gateway will apply resolver policies based on [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). Ensure your policies are ordered from most specific to least specific: 1. Go to **Traffic policies** \> **Resolver policies**. 2. Use the drag handle to reorder policies: * Resolver policies with regional coverage first * Your fallback resolver policy last Gateway will apply the first matching policy. If no policies match your traffic, Gateway will apply the fallback resolver policy. The order between resolver policies with regional coverage does not matter. ## 4\. Test your configuration ### Test from different regions To test your configuration, deploy the Cloudflare One Client on a device in each region where you have a private DNS server and run a DNS query to an internal domain. For example, to test the US region: 1. [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) on a device in the US region. 2. From the device, open a terminal and run: Terminal window ``` nslookup internal.example.com ``` 3. Verify that the DNS query returns the expected IP address for your internal resource. The response should show the IP address that your US DNS server is configured to return for `internal.example.com`. 4. Repeat the test from devices in other regions to confirm they receive responses from their respective regional DNS servers. Each region may return different IP addresses based on your DNS server configuration. ### Verify in Gateway logs 1. Go to **Insights** \> **Logs** \> **DNS query logs**. 2. Filter for queries to `internal.example.com`. 3. Check the **Resolver IP** field to confirm queries are being routed to the correct regional DNS servers based on user location. ## Best practices * **Use backup resolvers**: Configure secondary DNS resolvers for each region to ensure high availability. * **Monitor DNS performance**: Use [Gateway Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/) to track DNS query performance and identify any issues with regional routing. * **Implement network policies**: Combine resolver policies with [network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to control access to internal resources based on user identity and device posture. * **Consider virtual networks**: If you have overlapping IP address spaces across regions, use [virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) to isolate traffic. * **Test failover scenarios**: Regularly test what happens when a regional DNS server becomes unavailable to ensure your backup resolvers work as expected. ## Related resources * [Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) * [Connect private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) * [Gateway Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/) * [Virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/regional-private-dns-resolver-policies/","name":"Implement regional private DNS servers with Gateway resolver policies"}}]} ``` --- --- title: Protect access to Amazon S3 buckets with Cloudflare Zero Trust description: This tutorial demonstrates how to secure access to Amazon S3 buckets with Cloudflare Zero Trust so that data in these buckets is not publicly exposed on the Internet. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ S3 ](https://developers.cloudflare.com/search/?tags=S3) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Protect access to Amazon S3 buckets with Cloudflare Zero Trust **Last reviewed:** over 2 years ago This tutorial demonstrates how to secure access to Amazon S3 buckets with Cloudflare Zero Trust so that data in these buckets is not publicly exposed on the Internet. You can combine Cloudflare Access and AWS VPC endpoints. Enterprise may also use Cloudflare Gateway egress policies with dedicated egress IPs. ## Method 1: Via Cloudflare Access and VPC endpoints flowchart TB cf1[/Cloudflare One Client or clientless users/]--Access policy-->cf2{{Cloudflare}} cf2--Cloudflare Tunnel-->vpc1 subgraph VPC vpc1[EC2 VM]-->vpc2[VPC endpoint] end vpc2-->s3_1 subgraph S3 service s3_1([S3 bucket]) end i1[/Users outside
Zero Trust/]-. "S3 access denied" .->s3_1 ### Prerequisites * S3 bucket to be protected by Cloudflare Zero Trust * AWS VPC with one EC2 virtual machine (VM) hosting the [Cloudflare Tunnel daemon](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) * S3 bucket and AWS VPC configured in the same [AWS region ↗](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) ### 1\. Create a VPC endpoint in AWS 1. In the [AWS dashboard ↗](https://aws.amazon.com/console/), go to **Services** \> **Networking & Content Delivery** \> **VPC**. 2. Under **Virtual private cloud**, go to **Endpoints**. 3. Select **Create endpoint** and name the endpoint. 4. Choose _AWS services_ as the service category. 5. In **Services**, search and select the S3 service in the same region of the VPC. For example, for the AWS region **Europe (London) - eu-west-2**, the corresponding S3 service is named `com.amazonaws.eu-west-2.s3` with a type of Gateway. 6. In **VPC**, select your VPC that contains the EC2 VM hosting the Cloudflare tunnel daemon. 7. In **Route tables**, select the route table associated with the VPC. 8. In **Policy**, choose _Full access_. 9. Select **Create endpoint**. After you create the VPC endpoint, a new entry in the VPC route table with the target being your VPC endpoint. The entry will have the format `vpce-xxxxxxxxxxxxxxxxx`. ### 2\. Set up a bucket policy for VPC access 1. Go to **Services** \> **Storage** \> **S3**. 2. In Amazon S3, go to **Buckets** \> **** \> **Permissions**. 3. Disable **Block all public access**. 4. In **Bucket policy**, add the following policy: ``` { "Version": "2012-10-17", "Id": "VPCe", "Statement": [ { "Sid": "VPCe", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::", "arn:aws:s3:::/*" ], "Condition": { "StringEquals": { "aws:SourceVpce": "" } } } ] } ``` Your bucket policy will allow your VPC to access your S3 bucket. ### 3\. Enable static website hosting for the S3 bucket 1. Return to Amazon S3, then go to **Buckets** \> **** \> **Properties**. 2. In **Static website hosting**, select **Edit**. 3. Enable **Static website hosting**. 4. Specify the Index and Error documents for the S3 bucket. 5. Select **Save changes**. A bucket website endpoint will be available at `http://.s3-website..amazonaws.com`. Because of the bucket policy, this website endpoint will only be accessible from the VPC with the VPC endpoint configured. ### 4\. Add a published application to the Cloudflare Tunnel 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. 2. Select your Tunnel, then select **Configure**. 3. Go to **Published applications**, then select **Add a public hostname**. 4. Enter a subdomain your organization will use to access the S3 bucket. For example, `s3-bucket..com`. 5. Under **Service**, choose _HTTP_ for **Type**. In **URL**, enter `.s3-website..amazonaws.com`. 6. In **Additional application settings** \> **HTTP Settings**, input the **HTTP Host Header** as `.s3-website..amazonaws.com`. 7. Select **Save hostname**. Your Cloudflare Tunnel will terminate at the AWS VPC using your public hostname. ### 5\. Restrict S3 access with an Access policy 1. Go to **Access controls** \> **Applications**. 2. Select **Add an application**. 3. Select **Self-hosted**. 4. Enter a name for the application. 5. Select **Add public hostname** and enter the public hostname used by your Tunnel. For example, `s3-bucket..com`. 6. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to determine which users and applications may access your bucket. You can optionally create a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) policy to automatically authenticate access to your S3 bucket. 7. Follow the remaining [self-hosted application creation steps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. Users and applications that successfully authenticate via Cloudflare Access can access your S3 bucket at `https://s3-bucket..com`. ## Method 2: Via Cloudflare Gateway egress policies Note This method is only available on Enterprise plans. flowchart TB cf1[/Cloudflare One Client users/]--Egress policy-->cf2{{Cloudflare}} cf2--Egress with dedicated IP-->i1[Internet] i1-->s3_1 subgraph S3 Service s3_1([S3 bucket]) end i2[/Users outside
Zero Trust/]-. "IPs denied" .->s3_1 ### Prerequisites * Cloudflare Zero Trust account with [dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) * S3 bucket to be protected by Cloudflare Zero Trust ### 1\. Set up a bucket policy to restrict access to a specific IP address 1. In the [AWS dashboard ↗](https://aws.amazon.com/console/), go to **Services** \> **Storage** \> **S3**. 2. Go to **Buckets** \> **** \> **Permissions**. 3. Disable **Block all public access**. 4. In **Bucket policy**, add the following policy: ``` { "Version": "2012-10-17", "Id": "SourceIP", "Statement": [ { "Sid": "SourceIP", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::", "arn:aws:s3:::/*" ], "Condition": { "IpAddress": { "aws:SourceIp": "/32" } } } ] } ``` ### 2\. Enable static website hosting for the S3 bucket 1. Return to your bucket, then go to **Properties**. 2. In **Static website hosting**, select **Edit**. 3. Enable **Static website hosting**. 4. Specify the Index and Error documents for the S3 bucket. 5. Select **Save changes**. A bucket website endpoint will be available at `http://.s3-website..amazonaws.com`. Because of the bucket policy, the website endpoint will only be accessible to traffic sourced from the dedicated egress IP specified. ### 3\. Setup a dedicated egress IP policy 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Egress policies**. Select **Add a policy**. 2. Create a policy that specifies which proxied traffic Gateway should assign a [dedicated egress IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) to. For more information, refer to [Egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/). 3. In **Select an egress IP**, choose _Use dedicated Cloudflare egress IPs_. Select the dedicated egress IP defined in your bucket policy. 4. Select **Create policy**. Traffic proxied by Gateway and assigned your specified egress IP can access your S3 bucket at `http://.s3-website..amazonaws.com`. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/s3-buckets/","name":"Protect access to Amazon S3 buckets with Cloudflare Zero Trust"}}]} ``` --- --- title: Use Cloudflare Tunnels with Kubernetes client-go credential plugins description: This tutorial explains how to use Cloudflare Tunnels with Kubernetes client-go credential plugins for authentication. By following these steps, you can securely access your Kubernetes cluster through a Cloudflare Tunnel. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ Kubernetes ](https://developers.cloudflare.com/search/?tags=Kubernetes) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/tunnel-kubectl.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Use Cloudflare Tunnels with Kubernetes client-go credential plugins **Last reviewed:** over 1 year ago This tutorial explains how to use Cloudflare Tunnels with Kubernetes client-go credential plugins for authentication. By following these steps, you can securely access your Kubernetes cluster through a Cloudflare Tunnel using the `kubectl` command-line tool. ## Prerequisites * A Cloudflare account * The Cloudflare Tunnel client (`cloudflared`) installed on your machine * Access to a Kubernetes cluster * `kubectl` installed on your machine ## 1\. Set up a Cloudflare Tunnel 1. Authenticate `cloudflared` with your Cloudflare account: Terminal window ``` cloudflared tunnel login ``` 2. Create a new tunnel: Terminal window ``` cloudflared tunnel create k8s-tunnel ``` 3. Configure your tunnel by creating a configuration file named `config.yml`: ``` tunnel: credentials-file: /path/to/credentials.json ingress: - hostname: k8s.example.com service: tcp://kubernetes.default.svc.cluster.local:443 - service: http_status:404 ``` Replace `` with your tunnel ID and adjust the hostname as needed. 4. Start the tunnel: Terminal window ``` cloudflared tunnel run k8s-tunnel ``` ## 2\. Configure the Kubernetes API server Ensure your Kubernetes API server is configured to accept authentication from Cloudflare Tunnels. This may involve setting up an authentication webhook or configuring the API server to trust the Cloudflare Tunnel's client certificates. ## 3\. Set up client-go credential plugin 1. Create a script named `cloudflare-k8s-auth.sh` with the following content: ``` #!/bin/bash echo '{ "apiVersion": "client.authentication.k8s.io/v1beta1", "kind": "ExecCredential", "status": { "token": "'"$(cloudflared access token -app=https://k8s.example.com)"'" } }' ``` Make the script executable: Terminal window ``` chmod +x cloudflare-k8s-auth.sh ``` 2. Update your `~/.kube/config` file to use the credential plugin: ``` apiVersion: v1 kind: Config clusters: - cluster: server: https://k8s.example.com name: cloudflare-k8s users: - name: cloudflare-user user: exec: apiVersion: client.authentication.k8s.io/v1beta1 command: /path/to/cloudflare-k8s-auth.sh interactiveMode: Never contexts: - context: cluster: cloudflare-k8s user: cloudflare-user name: cloudflare-k8s-context current-context: cloudflare-k8s-context ``` ## 4\. Use kubectl with Cloudflare Tunnel Now you can use `kubectl` commands as usual. The client-go credential plugin will automatically handle authentication through the Cloudflare Tunnel: Terminal window ``` kubectl get pods ``` ## Troubleshooting If you encounter issues: * Ensure `cloudflared` is running and the tunnel is active * Check that your `~/.kube/config` file is correctly configured * Verify that the Kubernetes API server is properly set up to accept authentication from Cloudflare Tunnels * Review the Cloudflare Tunnel logs for any error messages For more information, refer to the [Cloudflare Tunnels documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) and the [Kubernetes client-go credential plugins documentation ↗](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/tunnel-kubectl/","name":"Use Cloudflare Tunnels with Kubernetes client-go credential plugins"}}]} ``` --- --- title: Use virtual networks to change user egress IPs description: This tutorial gives administrators an easy way to allow their users to change their egress IP address between any of your assigned dedicated egress IP addresses. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ IPv4 ](https://developers.cloudflare.com/search/?tags=IPv4)[ IPv6 ](https://developers.cloudflare.com/search/?tags=IPv6)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Use virtual networks to change user egress IPs **Last reviewed:** about 2 years ago Note Only available on Enterprise plans. This tutorial gives administrators an easy way to allow their users to change their egress IP address between any of your assigned dedicated egress IP addresses. Your users can choose which egress IP to use by switching virtual networks directly from in the Cloudflare One Client. Changing egress IPs can be useful in quality assurance (QA) and other similar scenarios in which users both use their local egress location and either switch to or simulate other remote locations. ## Before you begin Make sure you have: * [Deployed the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your users' devices. * [Configured tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) to connect your private network to Cloudflare. This tutorial assumes you have: * Created two tunnels [through the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/). * Routed `10.0.0.0/8` through one tunnel. * Routed `192.168.88.0/24` through the other tunnel. * Received multiple [dedicated egress IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). ## Create a virtual network for each egress route First, create [virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) corresponding to your dedicated egress IPs. * [ Dashboard ](#tab-panel-3955) * [ API ](#tab-panel-3956) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Routes**. 2. In **Virtual networks**, select **Create virtual network**. 3. Name your virtual network. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`. 4. Select **Save**. 5. Repeat Steps 2-4 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called `vnet-EMEA` for egress from Europe, the Middle East, and Africa. 1. Create a [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) corresponding to one of your dedicated egress IPs. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Cloudflare One Networks Write` * `Cloudflare Tunnel Write` Create a virtual network ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "comment": "Virtual network to egress from the Americas", "is_default": false, "name": "vnet-AMER" }' ``` For more information, refer to [Create a virtual network](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/virtual%5Fnetworks/methods/create/). 2. Repeat Step 1 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called `vnet-EMEA` for egress from Europe, the Middle East, and Africa. ## Assign each virtual network to each tunnel After creating your virtual networks, route your private network CIDRs over each virtual network. This ensures that users can reach all services on your network regardless of which egress IP they use. * [ Dashboard ](#tab-panel-3957) * [ API ](#tab-panel-3958) 1. Go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. 2. Select your tunnel routing `10.0.0.0/8`, then select **Configure**. 3. Go to **Private Networks**. Select the `10.0.0.0/8` route. 4. In **Additional settings**, choose your first virtual network. For example, `vnet-AMER`. 5. Select **Save private network**. 6. To route `10.0.0.0/8` over another virtual network, select **Add a private network**. 7. In **CIDR**, enter `10.0.0.0/8`. In **Additional settings**, choose your second virtual network. For example, `vnet-EMEA`. 8. Select **Save private network**. 9. Repeat Steps 6-8 for each virtual network you created. 10. Return to **Networks** \> **Tunnels**. Repeat Steps 2-9 for each private network tunnel route. 1. Assign your first virtual network to your private network route. For example, assign `vnet-AMER` to your tunnel that routes `10.0.0.0/8`: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Cloudflare One Networks Write` * `Cloudflare Tunnel Write` Update a tunnel route ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \ --request PATCH \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "network": "10.0.0.0/8", "tunnel_id": "", "virtual_network_id": "" }' ``` For more information, refer to [Update a tunnel route](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/edit/). 2. Repeat this process for each virtual network you created. For example: Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Cloudflare One Networks Write` * `Cloudflare Tunnel Write` Update a tunnel route ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \ --request PATCH \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "network": "10.0.0.0/8", "tunnel_id": "", "virtual_network_id": "" }' ``` 3. Repeat Steps 1-2 for each private network tunnel route. Each tunnel connected to your private network should have each of your virtual networks assigned to it. For example, if you have tunnels routing `10.0.0.0/8` and `192.168.88.0/24`, both tunnels should have the `vnet-AMER` and `vnet-EMEA` virtual networks assigned. | Tunnel | CIDR | Virtual network | | --------------- | --------------- | --------------- | | **Tunnel 1** | 10.0.0.0/8 | vnet-AMER | | 10.0.0.0/8 | vnet-EMEA | | | **Tunnel 2** | 192.168.88.0/24 | vnet-AMER | | 192.168.88.0/24 | vnet-EMEA | | ## Create virtual network egress policies Next, assign your dedicated egress IPs to each virtual network using Gateway egress policies. * [ Dashboard ](#tab-panel-3959) * [ API ](#tab-panel-3960) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Egress policies**. 2. Select **Add a policy**. 3. Name your policy. We recommend including the country or region traffic will egress from. 4. Add the virtual network with the _Virtual Network_ selector. For example: | Selector | Operator | Value | | --------------- | -------- | ----------- | | Virtual Network | is | _vnet-AMER_ | 5. In **Select an egress IP**, choose **Use dedicated Cloudflare egress IPs**. Choose the dedicated IPv4 and IPv6 addresses you want traffic to egress with. 6. Select **Create policy**. 7. Repeat Steps 1-6 to create a separate egress policy for each virtual network you created. 1. Add a Gateway egress policy that matches the corresponding virtual network. For example: Create a Zero Trust Gateway rule ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "action": "egress", "description": "Egress via North America by connecting to vnet-AMER", "enabled": true, "filters": [ "egress" ], "name": "Egress AMER vnet", "precedence": 0, "traffic": "net.vnet_id == ", "rule_settings": { "egress": { "ipv4": "", "ipv4_fallback": "", "ipv6": "" } } }' ``` For more information, refer to [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/). 2. Repeat Step 1 to create an egress policy for each virtual network you created. Each policy you create should correspond to a different primary dedicated egress IP. ## Test virtual network egress Windows, macOS, and Linux 1. On your user's device, log in to your Zero Trust organization in the Cloudflare One Client. 2. In a terminal, run the following command to check the default egress IP address. Terminal window ``` curl ifconfig.me -4 ``` The command should output your organization's default egress IP. 3. In the client GUI, use the **VNET** dropdown to switch to a virtual network you created. Version 2026.1 and earlier In the Cloudflare One Client, select the gear icon > **Virtual Networks**. 4. Check the egress IP address by running `curl ifconfig.me -4` again. The command should output the IP address specified in your egress policy. iOS and Android 1. On your user's device, log in to your Zero Trust organization in the Cloudflare One Agent app. 2. In a browser, go to [ifconfig.me ↗](https://ifconfig.me/). Your organization's default egress IP should appear in **IP Address**. 3. In Cloudflare One Agent, go to **Advanced** \> **Connection options** \> **Virtual networks**. Choose a virtual network you created. 4. Check the egress IP address by reloading the browser page from Step 1\. The IP address specified in your egress policy should appear in **IP Address**. While your users are connected to a virtual network, their traffic will route via the dedicated egress IP specified. You can repeat these steps to test that each virtual network is egressing from the correct IP. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/user-selectable-egress-ips/","name":"Use virtual networks to change user egress IPs"}}]} ``` --- --- title: Changelog description: Review recent changes to Cloudflare One. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Changelog [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-one.xml) ## 2026-04-02 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Cloudflare One Client for Windows (version 2026.3.846.0)** A new GA release for the Windows Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. The next stable release for Windows will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. **Changes and improvements** * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. * Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support. * Fixed unnecessary registration deletion caused by RDP connections in multi-user mode. * Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT. * Fixed tunnel failing to connect when the system DNS search list contains unexpected characters. * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. * Fixed initiating managed network detections checks when no network is available, which caused device profile flapping. * Fixed an issue where degraded Windows Management Instrumentation (WMI) state could put the client in a failed connection state loop during initialization. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. This warning will be omitted from future release notes. This Windows update was released in July 2025. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025. * DNS resolution may be broken when the following conditions are all true: * The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while the client is connected. To work around this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. ## 2026-04-02 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Cloudflare One Client for macOS (version 2026.3.846.0)** A new GA release for the macOS Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. The next stable release for macOS will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. **Changes and improvements** * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. * Fixed initiating managed network detections checks when no network is available, which caused device profile flapping. ## 2026-04-02 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Cloudflare One Client for Linux (version 2026.3.846.0)** A new GA release for the Linux Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. The next stable release for Linux will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. **Changes and improvements** * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. * Fixed initiating managed network detections checks when no network is available, which caused device profile flapping. ## 2026-04-01 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Logs UI refresh** Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs. ![Screenshot of the new logs UI showing DNS query logs with customizable columns and filtering options](https://developers.cloudflare.com/_astro/cf1-new-logs-ui.DxF4x0l-_mRSyH.webp) The updated UI includes: * **Filter by field** \- Select any field value to add it as a filter and narrow down your results. * **Customizable fields** \- Choose which fields to display in the log table. Querying for fewer fields improves log loading performance. * **View details** \- Select a timestamp to view the full details of a log entry. * **Switch to classic view** \- Return to the previous log viewer interface if needed. For more information, refer to [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). ## 2026-03-24 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies** Cloudflare Gateway now supports [OIDC Claims](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims) as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types. With this update, you can: * Filter traffic in [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), and [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) firewall policies based on OIDC claim values. * Apply custom [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route DNS queries to specific resolvers depending on a user's OIDC claims. * Control [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) to assign dedicated egress IPs based on OIDC claim attributes. For example, you can create a policy that routes traffic differently for users with `department=engineering` in their OIDC claims, or restrict access to certain destinations based on a user's role claim. To get started, configure [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) on your identity provider and use the **OIDC Claims** selector in the Gateway policy builder. For more information, refer to [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/). ## 2026-03-20 [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **Stream logs from multiple replicas of Cloudflare Tunnel simultaneously** In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) of that tunnel and supports streaming logs from multiple replicas at once. ![View replicas and stream logs from multiple connectors](https://developers.cloudflare.com/_astro/tunnel-multiconn.DEOEaLlu_ZDxArh.webp) Previously, you could only stream logs from one replica at a time. With this update: * **Replicas on the tunnel overview** — All active replicas for the selected tunnel now appear on that tunnel's overview page under **Connectors**. Select any replica to stream its logs. * **Multi-connector log streaming** — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. Select **View logs** next to the tunnel you want to monitor. For more information, refer to [Tunnel log streams](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) and [Deploy replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/). ## 2026-03-10 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2026.3.566.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the [Cloudflare Community forum](https://community.cloudflare.com/t/introducing-the-new-cloudflare-one-client-interface/901362) and let us know. **Changes and improvements** * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations. * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms. * Fixed initiating managed network detection checks when no network is available, which caused device profile flapping. **Known issues** * The client may become stuck in a `Connecting` state. To resolve this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. Alternatively, change the client's operation mode. * The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it. * Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client. ## 2026-03-10 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2026.3.566.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the [Cloudflare Community forum](https://community.cloudflare.com/t/introducing-the-new-cloudflare-one-client-interface/901362) and let us know. **Changes and improvements** * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms. * Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support. * Fixed unnecessary registration deletion caused by RDP connections in multi-user mode. * Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT. * Fixed tunnel failing to connect when the system DNS search list contains unexpected characters. * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations. * Fixed initiating managed network detection checks when no network is available, which caused device profile flapping. **Known issues** * The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client. * An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed. * The client may become stuck in a `Connecting` state. To resolve this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. Alternatively, change the client's operation mode. * The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it. * Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client. * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025. * DNS resolution may be broken when the following conditions are all true: * The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while the client is connected. To work around this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. ## 2026-03-04 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **User risk score selector in Access policies** You can now use [user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/) in your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). The new **User Risk Score** selector allows you to create Access policies that respond to user behavior patterns detected by Cloudflare's risk scoring system, including impossible travel, high DLP policy matches, and more. For more information, refer to [Use risk scores in Access policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#use-risk-scores-in-access-policies). ## 2026-03-04 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Gateway Authorization Proxy and hosted PAC files (open beta)** The [Gateway Authorization Proxy](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and [PAC file hosting](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) are now in open beta for all plan types. Previously, [proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint) relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) authentication, verifying who a user is before applying Gateway filtering without installing the WARP client. This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints. #### Key capabilities * **Identity-aware proxy traffic** — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write [identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) like "only the Finance team can access this accounting tool." * **Multiple identity providers** — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems. * **Cloudflare-hosted PAC files** — Create and host [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at `https://pac.cloudflare-gateway.com//` on Cloudflare's global network. * **Simplified billing** — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track. #### Get started 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Resolvers & Proxies** \> **Proxy endpoints**. 2. [Create an authorization proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and configure Access policies. 3. [Create a hosted PAC file](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) or write your own. 4. [Configure browsers](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#3b-configure-browser-to-use-pac-file) to use the PAC file URL. 5. [Install the Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) for HTTPS inspection. For more details, refer to the [proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and the [announcement blog post ↗](https://blog.cloudflare.com/gateway-authorization-proxy-identity-aware-policies/). ## 2026-03-02 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **Copy Cloudflare One resources as JSON or POST requests** You can now copy Cloudflare One resources as JSON or as a ready-to-use API POST request directly from the dashboard. This makes it simple to transition workflows into API calls, automation scripts, or infrastructure-as-code pipelines. To use this feature, click the overflow menu (⋮) on any supported resource and select **Copy as JSON** or **Copy as POST request**. The copied output includes only the fields present on your resource, giving you a clean and minimal starting point for your own API calls. Initially supported resources: * Access applications * Access policies * Gateway policies * Resolver policies * Service tokens * Identity providers We will continue to add support for more resources throughout 2026. ## 2026-03-01 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Clipboard controls for browser-based RDP** You can now configure clipboard controls for browser-based RDP with Cloudflare Access. Clipboard controls allow administrators to restrict whether users can copy or paste text between their local machine and the remote Windows server. ![Enable users to copy and paste content from their local machine to remote RDP sessions in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/rdp-clipboard-controls.B0ZmliDb_Z1Ne5yg.webp) This feature is useful for organizations that support bring-your-own-device (BYOD) policies or third-party contractors using unmanaged devices. By restricting clipboard access, you can prevent sensitive data from being transferred out of the remote session to a user's personal device. #### Configuration options Clipboard controls are configured per policy within your Access application. For each policy, you can independently allow or deny: * **Copy from local client to remote RDP session** — Users can copy/paste text from their local machine into the browser-based RDP session. * **Copy from remote RDP session to local client** — Users can copy/paste text from the browser-based RDP session to their local machine. By default, both directions are denied for new policies. For existing Access applications created before this feature was available, clipboard access remains enabled to preserve backwards compatibility. When a user attempts a restricted clipboard action, the clipboard content is replaced with an error message informing them that the action is not allowed. For more information, refer to [Clipboard controls for browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls). ## 2026-02-27 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Export MCP server portal logs with Logpush** Availability Only available on Enterprise plans. [MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) now supports [Logpush](https://developers.cloudflare.com/logs/logpush/) integration. You can automatically export MCP server portal activity logs to third-party storage destinations or security information and event management (SIEM) tools for analysis and auditing. #### Available log fields The MCP server portal logs dataset includes fields such as: * `Datetime` — Timestamp of the request * `PortalID` / `PortalAUD` — Portal identifiers * `ServerID` / `ServerURL` — Upstream MCP server details * `Method` — JSON-RPC method (for example, `tools/call`, `prompts/get`, `resources/read`) * `ToolCallName` / `PromptGetName` / `ResourceReadURI` — Method-specific identifiers * `UserID` / `UserEmail` — Authenticated user information * `Success` / `Error` — Request outcome * `ServerResponseDurationMs` — Response time from upstream server For the complete field reference, refer to [MCP portal logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/mcp%5Fportal%5Flogs/). #### Set up Logpush To configure Logpush for MCP server portal logs, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). Note MCP server portals is currently in beta. ## 2026-02-27 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **New protocols added for Gateway Protocol Detection (Beta)** Gateway [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) now supports seven additional protocols in beta: | Protocol | Notes | | ------------ | -------------------------------------------------- | | IMAP | Internet Message Access Protocol — email retrieval | | POP3 | Post Office Protocol v3 — email retrieval | | SMTP | Simple Mail Transfer Protocol — email sending | | MYSQL | MySQL database wire protocol | | RSYNC-DAEMON | rsync daemon protocol | | LDAP | Lightweight Directory Access Protocol | | NTP | Network Time Protocol | These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the _Detected Protocol_ selector in [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to identify and filter traffic based on the application-layer protocol, without relying on port-based identification. If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/). ## 2026-02-24 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2026.1.150.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features. **Changes and improvements** * Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost. * Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/). * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations. * Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode. * Improved service shutdown behavior in cases where the daemon is unresponsive. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2026-02-24 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2026.1.150.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. * Fixed an issue with DNS server configuration failures that caused tunnel connection delays. * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations. * Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode. ## 2026-02-24 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2026.1.150.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com). **Changes and improvements** * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations. * Fixed issues causing DNS requests to fail with clients in Traffic and DNS mode or DNS only mode. ## 2026-02-20 [ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) **Understand CASB findings instantly with Cloudy Summaries** You can now easily understand your SaaS security posture findings and why they were detected with **Cloudy Summaries in CASB**. This feature integrates Cloudflare's Cloudy AI directly into your CASB Posture Findings to automatically generate clear, plain-language summaries of complex security misconfigurations, third-party app risks, and data exposures. This allows security teams and IT administrators to drastically reduce triage time by immediately understanding the context, potential impact, and necessary remediation steps for any given finding—without needing to be an expert in every connected SaaS application. To view a summary, simply navigate to your Posture Findings in the Cloudflare One dashboard (under **Cloud and SaaS findings**) and open the finding details of a specific instance of a Finding. Cloudy Summaries are supported on all available integrations, including Microsoft 365, Google Workspace, Salesforce, GitHub, AWS, Slack, and Dropbox. See the full list of supported integrations [here](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/). #### Key capabilities * **Contextual explanations** — Quickly understand the specifics of a finding with plain-language summaries detailing exactly what was detected, from publicly shared sensitive files to risky third-party app scopes. * **Clear risk assessment** — Instantly grasp the potential security impact of the finding, such as data breach risks, unauthorized account access, or email spoofing vulnerabilities. * **Actionable guidance** — Get clear recommendations and next steps on how to effectively remediate the issue and secure your environment. * **Built-in feedback** — Help improve future AI summarization accuracy by submitting feedback directly using the thumbs-up and thumbs-down buttons. #### Learn more * Learn more about managing [CASB Posture Findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/) in Cloudflare. Cloudy Summaries in CASB are available to all Cloudflare CASB users today. ## 2026-02-20 [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard** [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) is now available in the main Cloudflare Dashboard at [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels), bringing first-class Tunnel management to developers using Tunnel for securing origin servers. ![Manage Tunnels in the Core Dashboard](https://developers.cloudflare.com/_astro/tunnel-core-dashboard.BGPqaHfo_Pi6HO.webp) This new experience provides everything you need to manage Tunnels for [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), including: * **Full Tunnel lifecycle management**: Create, configure, delete, and monitor all your Tunnels in one place. * **Native integrations**: View Tunnels by name when configuring [DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) and [Workers VPC](https://developers.cloudflare.com/workers-vpc/) — no more copy-pasting UUIDs. * **Real-time visibility**: Monitor [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) and Tunnel [health status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#tunnel-status) directly in the dashboard. * **Routing map**: Manage all ingress routes for your Tunnel, including [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), [private hostnames](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/), [private CIDRs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/), and [Workers VPC services](https://developers.cloudflare.com/workers-vpc/), from a single interactive interface. #### Choose the right dashboard for your use case **Core Dashboard**: Navigate to [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels) to manage Tunnels for: * Securing origin servers and [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) with CDN, WAF, Load Balancing, and DDoS protection * Connecting [Workers to private services](https://developers.cloudflare.com/workers-vpc/) via Workers VPC **Cloudflare One Dashboard**: Navigate to [Zero Trust > Networks > Connectors ↗](https://one.dash.cloudflare.com/?to=/:account/networks/connectors) to manage Tunnels for: * Securing your public applications with [Zero Trust access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) * Connecting users to [private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) * Building a [private mesh network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks) Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow. #### Get started New to Tunnel? Learn how to [get started with Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or explore advanced use cases like [securing SSH servers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/) or [running Tunnels in Kubernetes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes/). ## 2026-02-19 [ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) **DEX Supports EU Customer Metadata Boundary** [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into [WARP](https://developers.cloudflare.com/warp-client/) device connectivity and performance to any internal or external application. Now, all DEX logs are fully compatible with Cloudflare's [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/) (CMB) setting for the 'EU' (European Union), which ensures that DEX logs will not be stored outside the 'EU' when the option is configured. If a Cloudflare One customer using DEX enables CMB 'EU', they will not see any DEX data in the Cloudflare One dashboard. Customers can ingest DEX data via [LogPush](https://developers.cloudflare.com/logs/logpush/), and build their own analytics and dashboards. If a customer enables CMB in their account, they will see the following message in the Digital Experience dashboard: "DEX data is unavailable because Customer Metadata Boundary configuration is on. Use Cloudflare LogPush to export DEX datasets." ![Digital Experience Monitoring message when Customer Metadata Boundary for the EU is enabled](https://developers.cloudflare.com/_astro/dex_supports_cmb.6YOLXjHN_ZJh3uv.webp) ## 2026-02-17 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Streamlined clientless browser isolation for private applications** A new **Allow clientless access** setting makes it easier to connect users without a device client to internal applications, without using public DNS. ![Allow clientless access setting in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/allow-clientless-access.BHKwQuVt_1mLRiX.webp) Previously, to provide clientless access to a private hostname or IP without a [published application](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/#add-a-published-application-route), you had to create a separate [bookmark application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/) pointing to a prefixed [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL (for example, `https://.cloudflareaccess.com/browser/https://10.0.0.1/`). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application. Now, you can manage clientless access directly within your [private self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). When **Allow clientless access** is turned on, users who pass your Access application policies will see a tile in their App Launcher pointing to the prefixed URL. Users must have [remote browser permissions](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) to open the link. ## 2026-02-17 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Policies for bookmark applications** You can now assign [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to [bookmark applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/). This lets you control which users see a bookmark in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) based on identity, device posture, and other policy rules. Previously, bookmark applications were visible to all users in your organization. With policy support, you can now: * **Tailor the App Launcher to each user** — Users only see the applications they have access to, reducing clutter and preventing accidental clicks on irrelevant resources. * **Restrict visibility of sensitive bookmarks** — Limit who can view bookmarks to internal tools or partner resources based on group membership, identity provider, or device posture. Bookmarks support all [Access policy configurations](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) except purpose justification, temporary authentication, and application isolation. If no policy is assigned, the bookmark remains visible to all users (maintaining backwards compatibility). For more information, refer to [Add bookmarks](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/). ## 2026-02-17 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)[ Network Flow ](https://developers.cloudflare.com/network-flow/) **Cloudflare One Product Name Updates** We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey. We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare. #### What's changing * **Magic WAN** → **Cloudflare WAN** * **Magic WAN IPsec** → **Cloudflare IPsec** * **Magic WAN GRE** → **Cloudflare GRE** * **Magic WAN Connector** → **Cloudflare One Appliance** * **Magic Firewall** → **Cloudflare Network Firewall** * **Magic Network Monitoring** → **Network Flow** * **Magic Cloud Networking** → **Cloudflare One Multi-cloud Networking** **No action is required by you** — all functionality, existing configurations, and billing will remain exactly the same. For more information, visit the [Cloudflare One documentation](https://developers.cloudflare.com/cloudflare-one/). ## 2026-02-13 [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Fine-grained permissions for Access policies and service tokens** Fine-grained permissions for **Access policies** and **Access service tokens** are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources. #### New roles * **Cloudflare Access policy admin**: Can edit a specific [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) in an account. * **Cloudflare Access service token admin**: Can edit a specific [Access service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) in an account. These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets. For more information: * [Resource-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#resource-scoped-roles) * [Role scopes](https://developers.cloudflare.com/fundamentals/manage-members/scope/) Note Resource-scoped roles is currently in beta. ## 2026-02-12 [ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Anycast IPs displayed on the dashboard** Cloudflare WAN now displays your Anycast IP addresses directly in the dashboard when you configure IPsec or GRE tunnels. Previously, customers received their Anycast IPs during onboarding or had to retrieve them with an API call. The dashboard now pre-loads these addresses, reducing setup friction and preventing configuration errors. No action is required. All Cloudflare WAN customers can see their Anycast IPs in the tunnel configuration form automatically. For more information, refer to [Configure tunnel endpoints](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/how-to/configure-tunnel-endpoints/). ## 2026-02-11 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Post-quantum encryption support for Cloudflare One Appliance** Cloudflare One Appliance version 2026.2.0 adds [post-quantum encryption](https://developers.cloudflare.com/ssl/post-quantum-cryptography/) support using hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). The appliance now uses TLS 1.3 with hybrid ML-KEM for its connection to the Cloudflare edge. During the TLS handshake, the appliance and the edge share a symmetric secret over the TLS connection and inject it into the ESP layer of IPsec. This protects IPsec data plane traffic against harvest-now, decrypt-later attacks. This upgrade deploys automatically to all appliances during their configured interrupt windows with no manual action required. For more information, refer to [Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/). ## 2026-02-02 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Improved Accessibility and Search for Monitoring** We have updated the Monitoring page to provide a more streamlined and insightful experience for administrators, improving both data visualization and dashboard accessibility. * **Enhanced Visual Layout**: Optimized contrast and the introduction of stacked bar charts for clearer data visualization and trend analysis.![visual-example](https://developers.cloudflare.com/_astro/monitoring-bar-charts.Bi-4BuXC_xiAlF.webp) * **Improved Accessibility & Usability**: * **Widget Search**: Added search functionality to multiple widgets, including Policies, Submitters, and Impersonation. * **Actionable UI**: All available actions are now accessible via dedicated buttons. * **State Indicators**: Improved UI states to clearly communicate loading, empty datasets, and error conditions.![buttons-example](https://developers.cloudflare.com/_astro/monitoring-buttons.DORPJvP__1JBNhu.webp) * **Granular Data Breakdowns**: New views for dispositions by month, malicious email details, link actions, and impersonations.![monthly-example](https://developers.cloudflare.com/_astro/monitoring-monthly-dispositions.CYuI5d9y_ZSVir3.webp) This applies to all Email Security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2026-01-30 [ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **BGP over GRE and IPsec tunnels** Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using IPsec and GRE tunnel on-ramps (beta). Using BGP peering allows customers to: * Automate the process of adding or removing networks and subnets. * Take advantage of failure detection and session recovery features. With this functionality, customers can: * Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via IPsec and GRE tunnel on-ramps. * Secure the session by MD5 authentication to prevent misconfigurations. * Exchange routes dynamically between their devices and their Magic routing table. For configuration details, refer to: * [Configure BGP routes for Magic WAN](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/how-to/configure-routes/#configure-bgp-routes) * [Configure BGP routes for Magic Transit](https://developers.cloudflare.com/magic-transit/how-to/configure-routes/#configure-bgp-routes) ## 2026-01-27 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2026.1.89.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes, improvements, and new features. **Changes and improvements** * Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost. * Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/). * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2026-01-27 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2026.1.89.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. ## 2026-01-27 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Configure Cloudflare source IPs (beta)** Cloudflare source IPs are the IP addresses used by Cloudflare services (such as Load Balancing, Gateway, and Browser Isolation) when sending traffic to your private networks. For customers using legacy mode routing, traffic to private networks is sourced from public Cloudflare IPs, which may cause IP conflicts. For customers using Unified Routing mode (beta), traffic to private networks is sourced from dedicated, non-Internet-routable private IPv4 range to ensure: * Symmetric routing over private network connections * Proper firewall state preservation * Private traffic stays on secure paths Key details: * **IPv4**: Sourced from `100.64.0.0/12` by default, configurable to any `/12` CIDR * **IPv6**: Sourced from `2606:4700:cf1:5000::/64` (not configurable) * **Affected connectors**: GRE, IPsec, CNI, WARP Connector, and WARP Client (Cloudflare Tunnel is not affected) Configuring Cloudflare source IPs requires Unified Routing (beta) and the `Cloudflare One Networks Write` permission. For configuration details, refer to [Configure Cloudflare source IPs](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/how-to/configure-cloudflare-source-ips/). ## 2026-01-22 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Require Access protection for zones** You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked. This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed. ![Require Cloudflare Access protection in the dashboard](https://developers.cloudflare.com/_astro/require-cloudflare-access-protection.BAUmTYOs_ZxNecb.webp) #### How it works * **Blocked by default**: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname. * **Explicit access required**: To allow traffic, create an Access application with an Allow or Bypass policy. * **Hostname exemptions**: You can exempt specific hostnames from this requirement. To turn on this feature, refer to [Require Access protection](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/require-access-protection/). ## 2026-01-22 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **New granular API token permissions for Cloudflare Access** Three new API token permissions are available for Cloudflare Access, giving you finer-grained control when building automations and integrations: * **Access: Organizations Revoke** — Grants the ability to [revoke user sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#revoke-user-sessions) in a Zero Trust organization. Use this permission when you need a token that can terminate active sessions without broader write access to organization settings. * **Access: Population Read** — Grants read access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that only need to read synced user and group data. * **Access: Population Write** — Grants write access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that need to create or modify synced user and group data. These permissions are scoped at the account level and can be combined with existing Access permissions. For a full list of available permissions, refer to [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/). ## 2026-01-15 [ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Network Flow ](https://developers.cloudflare.com/network-flow/) **Network Services navigation update** The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together. Your existing configurations will remain the same, and you will have access to all of the same features and functionality. The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to [Magic Transit ↗](https://developers.cloudflare.com/magic-transit/), [Magic WAN ↗](https://developers.cloudflare.com/magic-wan/), and [Magic Firewall ↗](https://developers.cloudflare.com/cloudflare-network-firewall/). **Summary of changes:** * A new **Overview** page provides access to the most common tasks across Magic Transit and Magic WAN. * Product names have been removed from top-level navigation. * Magic Transit and Magic WAN configuration is now organized under **Routes** and **Connectors**. For example, you will find IP Prefixes under **Routes**, and your GRE/IPsec Tunnels under **Connectors.** * Magic Firewall policies are now called **Firewall Policies.** * Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as **Appliances** and **Appliance profiles.** They can be found under **Connectors > Appliances.** * Network analytics, network health, and real-time analytics are now available under **Insights.** * Packet Captures are found under **Insights > Diagnostics.** * You can manage your Sites from **Insights > Network health.** * You can find Magic Network Monitoring under **Insights > Network flow**. If you would like to provide feedback, complete [this form ↗](https://forms.gle/htWyjRsTjw1usdis5). You can also find these details in the January 7, 2026 email titled **\[FYI\] Upcoming Network Services Dashboard Navigation Update**. ![Networking Navigation](https://developers.cloudflare.com/_astro/networking-overview-and-navigation.CeMgEFaZ_Z20HKl.webp) ## 2026-01-15 [ Risk Score ](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/) **Support for CrowdStrike device scores in User Risk Scoring** Cloudflare One has expanded its \[User Risk Scoring\] (/cloudflare-one/insights/risk-score/) capabilities by introducing two new behaviors for organizations using the \[CrowdStrike integration\] (/cloudflare-one/integrations/service-providers/crowdstrike/). Administrators can now automatically escalate the risk score of a user if their device matches specific CrowdStrike Zero Trust Assessment (ZTA) score ranges. This allows for more granular security policies that respond dynamically to the health of the endpoint. New risk behaviors The following risk scoring behaviors are now available: * CrowdStrike low device score: Automatically increases a user's risk score when the connected device reports a "Low" score from CrowdStrike. * CrowdStrike medium device score: Automatically increases a user's risk score when the connected device reports a "Medium" score from CrowdStrike. These scores are derived from \[CrowdStrike device posture attributes\] (/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes), including OS signals and sensor configurations. ## 2026-01-15 [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **Verify WARP Connector connectivity with a simple ping** We have made it easier to validate connectivity when deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) as part of your [software-defined private network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks). You can now `ping` the WARP Connector host directly on its LAN IP address immediately after installation. This provides a fast, familiar way to confirm that the Connector is online and reachable within your network before testing access to downstream services. Starting with [version 2025.10.186.0](https://developers.cloudflare.com/changelog/2026-01-13-warp-linux-ga/), WARP Connector responds to traffic addressed to its own LAN IP, giving you immediate visibility into Connector reachability. Learn more about deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) and building private network connectivity with [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/). ## 2026-01-13 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.10.186.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features. New features include the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/), and a new WARP client device posture check for [Antivirus](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/antivirus/). **Changes and improvements** * Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint. * Fixed an issue that caused occasional audio degradation and increased CPU usage on Windows by optimizing route configurations for large [domain-based split tunnel rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#domain-based-split-tunnels). * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. * Fixed an issue where sending large messages to the daemon by Inter-Process Communication (IPC) could cause the daemon to fail and result in service interruptions. * Added support for a new WARP client device posture check for [Antivirus](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/antivirus/). The check confirms the presence of an antivirus program on a Windows device with the option to check if the antivirus is up to date. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2026-01-13 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.10.186.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). **Changes and improvements** * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. * Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint. ## 2026-01-13 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.10.186.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com). **Changes and improvements** * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * Linux [disk encryption posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/disk-encryption/) now supports non-filesystem encryption types like `dm-crypt`. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. * Fixed an issue where the GUI becomes unresponsive when the **Re-Authenticate in browser** button is clicked. * Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint. ## 2026-01-12 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Enhanced visibility for post-delivery actions** The Action Log now provides enriched data for post-delivery actions to improve troubleshooting. In addition to success confirmations, failed actions now display the targeted Destination folder and a specific failure reason within the Activity field. Note Error messages will vary depending on whether you are using Google Workspace or Microsoft 365. ![failure-log-example](https://developers.cloudflare.com/_astro/enhanced-visibility-post-delivery-actions.BNiyPtJU_GFx2V.webp) This update allows you to see the full lifecycle of a failed action. For instance, if an administrator tries to move an email that has already been deleted or moved manually, the log will now show the multiple retry attempts and the specific destination error. This applies to all Email Security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2026-01-08 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Cloudflare admin activity logs capture creation of DNS over HTTP (DoH) users** Cloudflare [admin activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) now capture each time a [DNS over HTTP (DoH) user](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/) is created. These logs can be viewed from the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com/), pulled via the [Cloudflare API](https://developers.cloudflare.com/api/), and exported through [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## 2025-12-31 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Breakout traffic visibility via NetFlow** Magic WAN Connector now exports NetFlow data for breakout traffic to Magic Network Monitoring (MNM), providing visibility into traffic that bypasses Cloudflare's security filtering. This feature allows you to: * Monitor breakout traffic statistics in the Cloudflare dashboard. * View traffic patterns for applications configured to bypass Cloudflare. * Maintain visibility across all traffic passing through your Magic WAN Connector. For more information, refer to [NetFlow statistics](https://developers.cloudflare.com/cloudflare-wan/analytics/netflow-analytics/). ## 2025-12-17 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **Shadow IT - domain level SaaS analytics** Zero Trust has again upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application. With this update, you can review data transfer metrics at the domain level, rather than just the application level, providing more granular insight into your data transfer patterns. ![New Domain Level Metrics](https://developers.cloudflare.com/_astro/shadow-it-domain.DoZnGAtf_Z1mHw4r.webp) These metrics can be filtered by all available filters on the dashboard, including user, application, or content category. Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control. ## 2025-12-16 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **New duplicate action for supported Cloudflare One resources** You can now duplicate specific Cloudflare One resources with a single click from the dashboard. Initially supported resources: * Access Applications * Access Policies * Gateway Policies To try this out, simply click on the overflow menu (⋮) from the resource table and click _Duplicate_. We will continue to add the Duplicate action for resources throughout 2026. ## 2025-12-09 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.10.118.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. * Fixed an issue where sending large messages to the WARP daemon by Inter-Process Communication (IPC) could cause WARP to crash and result in service interruptions. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-12-09 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.10.118.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. ## 2025-12-03 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Reclassifications to Submissions** We have updated the terminology “Reclassify” and “Reclassifications” to “Submit” and “Submissions” respectively. This update more accurately reflects the outcome of providing these items to Cloudflare. Submissions are leveraged to tune future variants of campaigns. To respect data sanctity, providing a submission does not change the original disposition of the emails submitted. ![nav_example](https://developers.cloudflare.com/_astro/reclassification-submission.B6nL5Hw7_Z2qliyJ.webp) This applies to all Email Security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-11-18 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Adjustment to Final Disposition Column** #### Adjustment to Final Disposition column #### The **Final Disposition** column in **Submissions** \> **Team Submissions** tab is changing for non-Phishguard customers. #### What's Changing * Column will be called **Status** instead of **Final Disposition** * Column status values will now be: **Submitted**, **Accepted** or **Rejected**. #### Next Steps We will listen carefully to your feedback and continue to find comprehensive ways to communicate updates on your submissions. Your submissions will continue to be addressed at an even greater rate than before, fuelling faster and more accurate email security improvement. ## 2025-11-17 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **New Cloudflare One Navigation and Product Experience** The Zero Trust dashboard and navigation is receiving significant and exciting updates. The dashboard is being restructured to better support common tasks and workflows, and various pages have been moved and consolidated. There is a new guided experience on login detailing the changes, and you can use the Zero Trust dashboard search to find product pages by both their new and old names, as well as your created resources. To replay the guided experience, you can find it in Overview > Get Started. ![Cloudflare One Dash Changes](https://developers.cloudflare.com/_astro/cf1-dash-changes.Uk_Y-2V-_ZUKoJR.webp) Notable changes * Product names have been removed from many top-level navigation items to help bring clarity to what they help you accomplish. For example, you can find Gateway policies under ‘Traffic policies' and CASB findings under ‘Cloud & SaaS findings.' * You can view all analytics, logs, and real-time monitoring tools from ‘Insights.' * ‘Networks' better maps the ways that your corporate network interacts with Cloudflare. Some pages like Tunnels, are now a tab rather than a full page as part of these changes. You can find them at Networks > Connectors. * Settings are now located closer to the tools and resources they impact. For example, this means you'll find your WARP configurations at Team & Resources > Devices. ![New Cloudflare One Navigation](https://developers.cloudflare.com/_astro/new-cf1-navigation.B7-E-9CV_18BSsx.webp) No changes to our API endpoint structure or to any backend services have been made as part of this effort. ## 2025-11-14 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Generate Cloudflare Access SSH certificate authority (CA) directly from the Cloudflare dashboard** SSH with [Cloudflare Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) allows you to use short-lived SSH certificates to eliminate SSH key management and reduce security risks associated with lost or stolen keys. Previously, users had to generate this certificate by using the [Cloudflare API ↗](https://developers.cloudflare.com/api/) directly. With this update, you can now create and manage this certificate in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com) from the **Access controls** \> **Service credentials** page. ![Navigate to Access controls and then Service credentials to see where you can generate an SSH CA](https://developers.cloudflare.com/_astro/SSH-CA-generation.DYa9RnX1_ZKuDAo.webp) For more details, refer to [Generate a Cloudflare SSH CA](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#generate-a-cloudflare-ssh-ca). ## 2025-11-14 [ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) **New SaaS Security weekly digests with API CASB** You can now stay on top of your SaaS security posture with the new **CASB Weekly Digest** notification. This opt-in email digest is delivered to your inbox every Monday morning and provides a high-level summary of your organization's Cloudflare API CASB findings from the previous week. This allows security teams and IT administrators to get proactive, at-a-glance visibility into new risks and integration health without having to log in to the dashboard. To opt in, navigate to **Manage Account** \> **Notifications** in the Cloudflare dashboard to configure the **CASB Weekly Digest** alert type. #### Key capabilities * **At-a-glance summary** — Review new high/critical findings, most frequent finding types, and new content exposures from the past 7 days. * **Integration health** — Instantly see the status of all your connected SaaS integrations (Healthy, Unhealthy, or Paused) to spot API connection issues. * **Proactive alerting** — The digest is sent automatically to all subscribed users every Monday morning. * **Easy to configure** — Users can opt in by enabling the notification in the Cloudflare dashboard under **Manage Account** \> **Notifications**. #### Learn more * Configure [notification preferences](https://developers.cloudflare.com/notifications/) in Cloudflare. The CASB Weekly Digest notification is available to all Cloudflare users today. ## 2025-11-12 [ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) **DEX Logpush jobs** [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into WARP device metrics, connectivity, and network performance across your Cloudflare SASE deployment. We've released four new WARP and DEX device data sets that can be exported via [Cloudflare Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). These Logpush data sets can be exported to R2, a cloud bucket, or a SIEM to build a customized logging and analytics experience. 1. [DEX Application Tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) 2. [DEX Device State Events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fdevice%5Fstate%5Fevents/) 3. [WARP Config Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Fconfig%5Fchanges/) 4. [WARP Toggle Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Ftoggle%5Fchanges/) To create a new DEX or WARP Logpush job, customers can go to the account level of the Cloudflare dashboard > Analytics & Logs > Logpush to get started. ![DEX logpush job creation dashboard](https://developers.cloudflare.com/_astro/dex_logpush_datasets.CtCk36pX_Z1tuyHu.webp) ## 2025-11-11 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.9.558.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues. **Changes and improvements** * Fixed an inconsistency with [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings in multi-user environments when switching between users. * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues. * Fixed an issue where deleting a registration was erroneously reported as having failed. * Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). * Improvements for the [OS version](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/os-version/) WARP client check. Windows Updated Build Revision (UBR) numbers can now be checked by the client to ensure devices have required security patches and features installed. * The WARP client now supports Windows 11 ARM-based machines. For information on known limitations, refer to the [Known limitations page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/known-limitations/#cloudflare-one-client-disconnected-on-windows-arm). **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-11-11 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.9.558.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues. **Changes and improvements** * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues. * Fixed an issue where deleting a registration was erroneously reported as having failed. * Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-11-11 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.9.558.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues. WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/). **Changes and improvements** * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues. * Fixed an issue where deleting a registration was erroneously reported as having failed. * Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). ## 2025-11-11 [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **cloudflared proxy-dns command will be removed starting February 2, 2026** Starting February 2, 2026, the `cloudflared proxy-dns` command will be removed from all new `cloudflared` [releases](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/). This change is being made to enhance security and address a potential vulnerability in an underlying DNS library. This vulnerability is specific to the `proxy-dns` command and does not affect any other `cloudflared` features, such as the core [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) service. The `proxy-dns` command, which runs a client-side [DNS-over-HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) proxy, has been an officially undocumented feature for several years. This functionality is fully and securely supported by our actively developed products. Versions of `cloudflared` released before this date will not be affected and will continue to operate. However, note that our [official support policy](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#deprecated-releases) for any `cloudflared` release is one year from its release date. #### Migration paths We strongly advise users of this undocumented feature to migrate to one of the following officially supported solutions before February 2, 2026, to continue benefiting from secure [DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/). #### End-user devices The preferred method for enabling DNS-over-HTTPS on user devices is the [Cloudflare WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). The WARP client automatically secures and proxies all DNS traffic from your device, integrating it with your organization's [Zero Trust policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and [posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). #### Servers, routers, and IoT devices For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/). Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/) to Cloudflare for [filtering and logging](https://developers.cloudflare.com/cloudflare-one/traffic-policies/). ## 2025-11-06 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Automatic Return Routing (Beta)** Magic WAN now supports Automatic Return Routing (ARR), allowing customers to configure Magic on-ramps (IPsec/GRE/CNI) to learn the return path for traffic flows without requiring static routes. Key benefits: * **Route-less mode**: Static or dynamic routes are optional when using ARR. * **Overlapping IP space support**: Traffic originating from customer sites can use overlapping private IP ranges. * **Symmetric routing**: Return traffic is guaranteed to use the same connection as the original on-ramp. This feature is currently in beta and requires the new Unified Routing mode (beta). For configuration details, refer to [Configure Automatic Return Routing](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/how-to/configure-routes/#configure-automatic-return-routing-beta). ## 2025-11-06 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Designate WAN link for breakout traffic** Magic WAN Connector now allows you to designate a specific WAN port for breakout traffic, giving you deterministic control over the egress path for latency-sensitive applications. With this feature, you can: * Pin breakout traffic for specific applications to a preferred WAN port. * Ensure critical traffic (such as Zoom or Teams) always uses your fastest or most reliable connection. * Benefit from automatic failover to standard WAN port priority if the preferred port goes down. This is useful for organizations with multiple ISP uplinks who need predictable egress behavior for performance-sensitive traffic. For configuration details, refer to [Designate WAN ports for breakout apps](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/network-options/application-based-policies/breakout-traffic/#designate-wan-ports-for-breakout-apps). ## 2025-11-06 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Applications to be remapped to the new categories** We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to [Changelog](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/#2025-10-28). While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026\. This timeline allows you a dedicated period to: * Review the new category structure. * Identify any policies you have that target the older categories. * Adjust your rules to reference the new, more precise categories before the old mappings change. Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition. **Applications being remappedd** | Application Name | Existing Category | New Category | | ------------------------------- | ----------------- | ---------------------------- | | Google Photos | File Sharing | Photography & Graphic Design | | Flickr | File Sharing | Photography & Graphic Design | | ADP | Human Resources | Business | | Greenhouse | Human Resources | Business | | myCigna | Human Resources | Health & Fitness | | UnitedHealthcare | Human Resources | Health & Fitness | | ZipRecruiter | Human Resources | Business | | Amazon Business | Human Resources | Business | | Jobcenter | Human Resources | Business | | Jobsuche | Human Resources | Business | | Zenjob | Human Resources | Business | | DocuSign | Legal | Business | | Postident | Legal | Business | | Adobe Creative Cloud | Productivity | Photography & Graphic Design | | Airtable | Productivity | Development | | Autodesk Fusion360 | Productivity | IT Management | | Coursera | Productivity | Education | | Microsoft Power BI | Productivity | Business | | Tableau | Productivity | Business | | Duolingo | Productivity | Education | | Adobe Reader | Productivity | Business | | AnpiReport | Productivity | Travel | | ビズリーチ | Productivity | Business | | doda (デューダ) | Productivity | Business | | 求人ボックス | Productivity | Business | | マイナビ2026 | Productivity | Business | | Power Apps | Productivity | Business | | RECRUIT AGENT | Productivity | Business | | シフトボード | Productivity | Business | | スタンバイ | Productivity | Business | | Doctolib | Productivity | Health & Fitness | | Miro | Productivity | Photography & Graphic Design | | MyFitnessPal | Productivity | Health & Fitness | | Sentry Mobile | Productivity | Travel | | Slido | Productivity | Photography & Graphic Design | | Arista Networks | Productivity | IT Management | | Atlassian | Productivity | Business | | CoderPad | Productivity | Business | | eAgreements | Productivity | Business | | Vmware | Productivity | IT Management | | Vmware Vcenter | Productivity | IT Management | | AWS Skill Builder | Productivity | Education | | Microsoft Office 365 (GCC) | Productivity | Business | | Microsoft Exchange Online (GCC) | Productivity | Business | | Canva | Sales & Marketing | Photography & Graphic Design | | Instacart | Shopping | Food & Drink | | Wawa | Shopping | Food & Drink | | McDonald's | Shopping | Food & Drink | | Vrbo | Shopping | Travel | | American Airlines | Shopping | Travel | | Booking.com | Shopping | Travel | | Ticketmaster | Shopping | Entertainment & Events | | Airbnb | Shopping | Travel | | DoorDash | Shopping | Food & Drink | | Expedia | Shopping | Travel | | EasyPark | Shopping | Travel | | UEFA Tickets | Shopping | Entertainment & Events | | DHL Express | Shopping | Business | | UPS | Shopping | Business | For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). ## 2025-10-28 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Access private hostname applications support all ports/protocols** [Cloudflare Access for private hostname applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) can now secure traffic on all ports and protocols. Previously, applying Zero Trust policies to private applications required the application to use HTTPS on port `443` and support Server Name Indicator (SNI). This update removes that limitation. As long as the application is reachable via a Cloudflare off-ramp, you can now enforce your critical security controls — like single sign-on (SSO), MFA, device posture, and variable session lengths — to any private application. This allows you to extend Zero Trust security to services like SSH, RDP, internal databases, and other non-HTTPS applications. ![Example private application on non-443 port](https://developers.cloudflare.com/_astro/internal_private_app_any_port.DNXnEy0u_2rybRJ.webp) For example, you can now create a self-hosted application in Access for `ssh.testapp.local` running on port `22`. You can then build a policy that only allows engineers in your organization to connect after they pass an SSO/MFA check and are using a corporate device. This feature is generally available across all plans. ## 2025-10-28 [ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) **CASB introduces new granular roles** Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams: * **Cloudflare CASB Read:** Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights. * **Cloudflare CASB:** Provides full administrative access to configure and manage all aspects of the CASB product. These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the **Super Administrator** or **Administrator** roles. To enable [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/), scans in CASB, account members will need the **Cloudflare Zero Trust** role. You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under **Manage Account** \> **Members**. To learn more about managing roles and permissions, refer to the [Manage account members and roles documentation](https://developers.cloudflare.com/fundamentals/manage-members/roles/). ## 2025-10-28 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **New Application Categories added for HTTP Traffic Management** To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product. We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications: * Business * Education * Entertainment & Events * Food & Drink * Health & Fitness * Lifestyle * Navigation * Photography & Graphic Design * Travel The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories. The full remapping will be completed by January 30, 2026. We encourage you to use this time to: * Review the new category structure. * Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition. For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). ## 2025-10-20 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Schedule DNS policies from the UI** Admins can now create [scheduled DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights. * **Preset Schedules**: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more. * **Custom Schedules**: Define your own schedule with specific days and up to three non-overlapping time ranges per day. * **Timezone Control**: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user. * **Combined with Duration**: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence. You can see the flow in the demo GIF: ![Schedule DNS policies demo](https://developers.cloudflare.com/_astro/gateway-dns-scheduled-policies-ui.Cf4l1OTE_Z9szVM.webp) This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API. ## 2025-10-17 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **On-Demand Security Report** You can now generate on-demand security reports directly from the Cloudflare dashboard. This new feature provides a comprehensive overview of your email security posture, making it easier than ever to demonstrate the value of Cloudflare’s Email security to executives and other decision makers. These reports offer several key benefits: * **Executive Summary:** Quickly view the performance of Email security with a high-level executive summary. * **Actionable Insights:** Dive deep into trend data, breakdowns of threat types, and analysis of top targets to identify and address vulnerabilities. * **Configuration Transparency:** Gain a clear view of your policy, submission, and domain configurations to ensure optimal setup. * **Account Takeover Risks:** Get a snapshot of your M365 risky users (requires a Microsoft Entra ID P2 license and [M365 SaaS integration ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/)). ![Report](https://developers.cloudflare.com/_astro/report.CbkPa8Jt_Z1xMpIx.webp) This feature is available across the following Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-10-16 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.9.173.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues. **Changes and improvements** * Improvements for [Windows multi-user](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/) to maintain the [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) state when switching between users. * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues. * Deleting registrations no longer returns an error when succeeding. * Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-10-16 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.9.173.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues. **Changes and improvements** * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues. * Deleting registrations no longer returns an error when succeeding. * Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-10-10 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **New domain categories added** We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering. **New categories added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | ----------- | ----------- | ------------------- | | 26 | Technology | 194 | Keep Awake Software | | 26 | Technology | 192 | Remote Access | | 26 | Technology | 193 | Shareware/Freeware | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. ## 2025-10-07 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.8.779.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains significant fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/). **Changes and improvements** * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases. * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-10-07 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.8.779.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains significant fixes and improvements. **Changes and improvements** * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases. * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-10-07 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.8.779.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains significant fixes and improvements. **Changes and improvements** * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases. * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-10-02 [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta** Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources. #### What's New * **[Access Applications ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications. * **[Identity Providers ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/)**: Grant admin permissions to individual Identity Providers. * **[Targets ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets ![Updated Permissions Policy UX](https://developers.cloudflare.com/_astro/2025-10-01-fine-grained-permissioning-ux.BWVmQsVF_Z1p4MJh.webp) Note During the public beta, members must also be assigned an account-scoped, read only role to view resources in the dashboard. This restriction will be lifted in a future release. * **Account Read Only** plus a fine-grained permission for a specific App, IdP, or Target * **Cloudflare Zero Trust Read Only** plus fine-grained permission for a specific App, IdP, or Target For more info: * [Get started with Cloudflare Permissioning](https://developers.cloudflare.com/fundamentals/manage-members/roles/) * [Manage Member Permissioning via the UI & API](https://developers.cloudflare.com/fundamentals/manage-members/manage) ## 2025-10-01 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) **Expanded File Type Controls for Executables and Disk Images** You can now enhance your security posture by blocking additional application installer and disk image file types with Cloudflare Gateway. Preventing the download of unauthorized software packages is a critical step in securing endpoints from malware and unwanted applications. We have expanded Gateway's file type controls to include: * Apple Disk Image (dmg) * Microsoft Software Installer (msix, appx) * Apple Software Package (pkg) You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows: * **System**: _Apple Disk Image (dmg)_ * **Executable**: _Microsoft Software Installer (msix)_, _Microsoft Software Installer (appx)_, _Apple Software Package (pkg)_ To ensure these file types are blocked effectively, please note the following behaviors: * DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file. * MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type _Unscannable_. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection. To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#supported-file-types). ## 2025-09-30 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.7.176.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles. * Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving. * Improvement to maintain TCP connections to reduce interruptions in long-lived connections such as RDP or SSH. * Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client). * Improvements to maintain client connectivity during network changes. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-09-30 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.7.176.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed a bug preventing the `warp-diag captive-portal` command from running successfully due to the client not parsing SSID on macOS. * Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client). * MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles. * Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving. * Improvements to maintain client connectivity during network changes. * The WARP client now supports macOS Tahoe (version 26.0). **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-09-30 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.7.176.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/). **Changes and improvements** * MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles. * Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving. * Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client). * Improvements to maintain client connectivity during network changes. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-09-30 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Application granular controls for operations in SaaS applications** Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies). The new feature offers two methods of controlling SaaS applications: * **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application. * **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function. Get started using [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls) and refer to the list of [supported applications](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/#compatible-applications). ## 2025-09-25 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) **Refine DLP Scans with New Body Phase Selector** You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows. In the Gateway HTTP policy builder, you will find a new selector called _Body Phase_. This allows you to define the direction of traffic the DLP engine will inspect: * _Request Body_: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts. * _Response Body_: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data. For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the **Body Phase** to _Request Body_, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself. All policies without this selector will continue to scan both request and response bodies to ensure continued protection. For more information, refer to [Gateway HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#body-phase). ## 2025-09-23 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Invalid Submissions Feedback** Email security relies on your submissions to continuously improve our detection models. However, we often receive submissions in formats that cannot be ingested, such as incomplete EMLs, screenshots, or text files. To ensure all customer feedback is actionable, we have launched two new features to manage invalid submissions sent to our team and user [submission aliases](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/submission-addresses/): * **Email Notifications:** We now automatically notify users by email when they provide an invalid submission, educating them on the correct format. To disable notifications, go to **[Settings ↗](https://one.dash.cloudflare.com/?to=/:account/email-security/settings)** \> **Invalid submission emails** and turn the feature off. ![EmailSec-Invalid-Submissions-Toggle](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Toggle.DXjbR6aX_ZsxWGB.webp) * **Invalid Submission dashboard:** You can quickly identify which users need education to provide valid submissions so Cloudflare can provide continuous protection. ![EmailSec-Invalid-Submissions-Dashboard](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Dashboard.zuf1on2n_2gjnGS.webp) Learn more about this feature on [invalid submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/invalid-submissions/). This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-09-22 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Access Remote Desktop Protocol (RDP) destinations securely from your browser — now generally available!** [Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients. Since we announced our [open beta](https://developers.cloudflare.com/changelog/access/#2025-06-30), we've made a few improvements: * Support for targets with IPv6. * Support for [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) as on-ramps. * More robust error messaging on the login page to help you if you encounter an issue. * Worldwide keyboard support. Whether your day-to-day is in Portuguese, Chinese, or something in between, your browser-based RDP experience will look and feel exactly like you are using a desktop RDP client. * Cleaned up some other miscellaneous issues, including but not limited to enhanced support for Entra ID accounts and support for usernames with spaces, quotes, and special characters. As a refresher, here are some benefits browser-based RDP provides: * **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies. * **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event. * **Eliminate the need to install and manage software on user devices**. You will only need a web browser. * **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks. ![Example of a browser-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp) To get started, refer to [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/). ## 2025-09-18 [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel** You can now route private traffic to [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is **free for all Cloudflare One customers**. Previously, Tunnel routes could only be defined by IP address or [CIDR range](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists. ![Hostname-based routing in Cloudflare Tunnel](https://developers.cloudflare.com/_astro/tunnel-hostname-routing.DSi8MP_7_Z1E6Ym4.webp) **What’s new:** * **Hostname & Domain Routing**: Create routes for individual hostnames (e.g., `payroll.acme.local`) or entire domains (e.g., `*.acme.local`) and direct their traffic to a specific Tunnel. * **Simplified Zero Trust Policies**: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications. * **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services. * **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete. Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route. Learn more in our [blog post ↗](https://blog.cloudflare.com/tunnel-hostname-routing/). ## 2025-09-16 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **New AI-Enabled Search for Zero Trust Dashboard** Zero Trust Dashboard has a brand new, AI-powered search functionality. You can search your account by resources (applications, policies, device profiles, settings, etc.), pages, products, and more. ![Example search results in the Zero Trust dashboard](https://developers.cloudflare.com/_astro/searchexample.Di8yS8ju_1GmPhw.webp) **Ask Cloudy** — You can also ask Cloudy, our AI agent, questions about Cloudflare Zero Trust. Cloudy is trained on our developer documentation and implementation guides, so it can tell you how to configure functionality, best practices, and can make recommendations. Cloudy can then stay open with you as you move between pages to build configuration or answer more questions. **Find Recents** — Recent searches and Cloudy questions also have a new tab under Zero Trust Overview. ## 2025-09-11 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Regional Email Processing for Germany, India, or Australia** We’re excited to announce that Email security customers can now choose their preferred mail processing location directly from the UI when onboarding a domain. This feature is available for the following onboarding methods: **MX**, **BCC**, and **Journaling**. #### What’s new Customers can now select where their email is processed. The following regions are supported: * **Germany** * **India** * **Australia** Global processing remains the default option, providing flexibility to meet both compliance requirements or operational preferences. #### How to use it When onboarding a domain with MX, BCC, or Journaling: 1. Select the desired processing location (Germany, India, or Australia). 2. The UI will display updated processing addresses specific to that region. 3. For MX onboarding, if your domain is managed by Cloudflare, you can automatically update MX records directly from the UI. #### Availability This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** #### What’s next We’re expanding the list of processing locations to match our [Data Localization Suite (DLS)](https://developers.cloudflare.com/data-localization/) footprint, giving customers the broadest set of regional options in the market without the complexity of self-hosting. ## 2025-09-11 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **DNS filtering for private network onramps** [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/#dns-filtering) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/#configure-dns-resolver-on-devices) users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet. Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](https://developers.cloudflare.com/dns/internal-dns/). ## 2025-09-10 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.7.106.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements including enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity. **Changes and improvements** * Enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity. * Improvement to keep TCP connections up the first time WARP connects on devices so that remote desktop sessions (such as RDP or SSH) continue to work. * Improvements to maintain Global WARP Override settings when switching between organization configurations. * The [MASQUE protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) is now the default protocol for all new WARP device profiles. * Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-09-10 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.7.106.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements including enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity. **Changes and improvements** * Enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity. * Fixed a bug preventing the `warp-diag captive-portal` command from running successfully due to the client not parsing SSID on macOS. * Improvements to maintain Global WARP Override settings when switching between organization configurations. * The [MASQUE protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) is now the default protocol for all new WARP device profiles. * Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-09-08 [ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Custom IKE ID for IPsec Tunnels** Now, Magic WAN customers can configure a custom IKE ID for their IPsec tunnels. Customers that are using Magic WAN and a VeloCloud SD-WAN device together can utilize this new feature to create a high availability configuration. This feature is available via API only. Customers can read the Magic WAN documentation to learn more about the [Custom IKE ID feature and the API call to configure it](https://developers.cloudflare.com/cloudflare-wan/configuration/common-settings/custom-ike-id-ipsec/). ## 2025-09-05 [ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Bidirectional tunnel health checks are compatible with all Magic on-ramps** All bidirectional tunnel health check return packets are accepted by any Magic on-ramp. Previously, when a Magic tunnel had a bidirectional health check configured, the bidirectional health check would pass when the return packets came back to Cloudflare over the same tunnel that was traversed by the forward packets. There are SD-WAN devices, like VeloCloud, that do not offer controls to steer traffic over one tunnel versus another in a high availability tunnel configuration. Now, when a Magic tunnel has a bidirectional health check configured, the bidirectional health check will pass when the return packet traverses over any tunnel in a high availability configuration. ## 2025-09-02 [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025** Starting **December 1, 2025**, list endpoints for the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified. No action is required if you already explicitly set `is_deleted=false` or if you only need to list active resources. This change affects the following API endpoints: * List all tunnels: [GET /accounts/{account\_id}/tunnels](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/methods/list/) * List [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/): [GET /accounts/{account\_id}/cfd\_tunnel](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/methods/list/) * List [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) tunnels: [GET /accounts/{account\_id}/warp\_connector](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/warp%5Fconnector/methods/list/) * List tunnel routes: [GET /accounts/{account\_id}/teamnet/routes](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/list/) * List subnets: [GET /accounts/{account\_id}/zerotrust/subnets](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/subnets/methods/list/) * List virtual networks: [GET /accounts/{account\_id}/teamnet/virtual\_networks](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/virtual%5Fnetworks/methods/list/) #### What is changing? The default behavior of the `is_deleted` query parameter will be updated. | Scenario | Previous behavior (before December 1, 2025) | New behavior (from December 1, 2025) | | -------------------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------- | | is\_deleted parameter is omitted | Returns **active & deleted** tunnels, routes, subnets and virtual networks | Returns **only active** tunnels, routes, subnets and virtual networks | #### Action required If you need to retrieve deleted (or all) resources, please update your API calls to explicitly include the `is_deleted` parameter before **December 1, 2025**. To get a list of only deleted resources, you must now explicitly add the `is_deleted=true` query parameter to your request: Terminal window ``` # Example: Get ONLY deleted Tunnels curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels?is_deleted=true" \ -H "Authorization: Bearer $API_TOKEN" # Example: Get ONLY deleted Virtual Networks curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks?is_deleted=true" \ -H "Authorization: Bearer $API_TOKEN" ``` Following this change, retrieving a complete list of both active and deleted resources will require two separate API calls: one to get active items (by omitting the parameter or using `is_deleted=false`) and one to get deleted items (`is_deleted=true`). #### Why we’re making this change This update is based on user feedback and aims to: * **Create a more intuitive default:** Aligning with common API design principles where list operations return only active resources by default. * **Reduce unexpected results:** Prevents users from accidentally operating on deleted resources that were returned unexpectedly. * **Improve performance:** For most users, the default query result will now be smaller and more relevant. To learn more, please visit the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) documentation. ## 2025-09-01 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Updated Email security roles** To provide more granular controls, we refined the [existing roles](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#email-security-roles) for Email security and launched a new Email security role as well. All Email security roles no longer have read or write access to any of the other Zero Trust products: * **Email Configuration Admin** * **Email Integration Admin** * **Email security Read Only** * **Email security Analyst** * **Email security Policy Admin** * **Email security Reporting** To configure [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/) or [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#set-up-clientless-web-isolation), you now need to be an admin for the Zero Trust dashboard with the **Cloudflare Zero Trust** role. Also through customer feedback, we have created a new additive role to allow **Email security Analyst** to create, edit, and delete Email security policies, without needing to provide access via the **Email Configuration Admin** role. This role is called **Email security Policy Admin**, which can read all settings, but has write access to [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/). This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-08-29 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Cloudflare One WARP Diagnostic AI Analyzer** We're excited to share a new AI feature, the [WARP diagnostic analyzer ↗](https://blog.cloudflare.com/AI-troubleshoot-warp-and-network-connectivity-issues/), to help you troubleshoot and resolve WARP connectivity issues faster. This beta feature is now available in the [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) to all users. The AI analyzer makes it easier for you to identify the root cause of client connectivity issues by parsing [remote captures](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#start-a-remote-capture) of [WARP diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs). The WARP diagnostic analyzer provides a summary of impact that may be experienced on the device, lists notable events that may contribute to performance issues, and recommended troubleshooting steps and articles to help you resolve these issues. Refer to [WARP diagnostics analyzer (beta)](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#diagnostics-analyzer-beta) to learn more about how to maximize using the WARP diagnostic analyzer to troubleshoot the WARP client. ## 2025-08-29 [ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) **DEX MCP Server** [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device connectivity and performance across your Cloudflare SASE deployment. We've released an MCP server [(Model Context Protocol) ↗](https://cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) for DEX. The DEX MCP server is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly‌@acme.com", and receive an answer that contains data from the DEX API. Any Cloudflare One customer using a Free, PayGo, or Enterprise account can access the DEX MCP Server. This feature is available to everyone. Customers can test the new DEX MCP server in less than one minute. To learn more, read the [DEX MCP server documentation](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/). ## 2025-08-27 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **Shadow IT - SaaS analytics dashboard** Zero Trust has significantly upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application. You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including **Unreviewed**, **In Review**, **Approved**, and **Unapproved** designating how they can be used in your organization. ![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/shadow-it-analytics.BLNnG72w_Z1vDznE.webp) These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status. Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control. ## 2025-08-26 [ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) **New CASB integrations for ChatGPT, Claude, and Gemini** [Cloudflare CASB ↗](https://www.cloudflare.com/zero-trust/products/casb/) now supports three of the most widely used GenAI platforms — **OpenAI ChatGPT**, **Anthropic Claude**, and **Google Gemini**. These API-based integrations give security teams agentless visibility into posture, data, and compliance risks across their organization’s use of generative AI. ![Cloudflare CASB showing selection of new findings for ChatGPT, Claude, and Gemini integrations.](https://developers.cloudflare.com/_astro/casb-ai-integrations-preview.B-zsSA1P_Z1wlfJX.webp) #### Key capabilities * **Agentless connections** — connect ChatGPT, Claude, and Gemini tenants via API; no endpoint software required * **Posture management** — detect insecure settings and misconfigurations that could lead to data exposure * **DLP detection** — identify sensitive data in uploaded chat attachments or files * **GenAI-specific insights** — surface risks unique to each provider’s capabilities #### Learn more * [ChatGPT integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/) * [Claude integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/) * [Gemini integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gemini/) These integrations are available to all Cloudflare One customers today. ## 2025-08-26 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Manage and restrict access to internal MCP servers with Cloudflare Access** You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). [Self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes. For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog. ## 2025-08-26 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **MCP server portals** ![MCP server portal](https://developers.cloudflare.com/_astro/mcp-server-portal.BOKqTCoI_ZXYCcF.webp) An [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include: * **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth. * **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be. * **Observability**: Once the user's AI agent is connected to the portal, Cloudflare Access logs the indiviudal requests made using the tools in the portal. This is available in an open beta for all customers across all plans! For more information check out our [blog ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) for this release. ## 2025-08-25 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) **New DLP topic based detection entries for AI prompt protection** You now have access to a comprehensive suite of capabilities to secure your organization's use of generative AI. AI prompt protection introduces four key features that work together to provide deep visibility and granular control. 1. **Prompt Detection for AI Applications** DLP can now natively detect and inspect user prompts submitted to popular AI applications, including **Google Gemini**, **ChatGPT**, **Claude**, and **Perplexity**. 1. **Prompt Analysis and Topic Classification** Our DLP engine performs deep analysis on each prompt, applying [topic classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics). These topics are grouped into two evaluation categories: * **Content:** PII, Source Code, Credentials and Secrets, Financial Information, and Customer Data. * **Intent:** Jailbreak attempts, requests for malicious code, or attempts to extract PII. To help you apply these topics quickly, we have also released five new predefined profiles (for example, AI Prompt: AI Security, AI Prompt: PII) that bundle these new topics. ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-detection-entry.4QmdkAuv_Z14HtSJ.webp) 1. **Granular Guardrails** You can now build guardrails using Gateway HTTP policies with [application granular controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts. ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-policy.CF3H2rbK_2muoEC.webp) 2. **Full Prompt Logging** To aid in incident investigation, an optional setting in your Gateway policy allows you to [capture prompt logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content) to store the full interaction of prompts that trigger a policy match. To make investigations easier, logs can be filtered by `conversation_id`, allowing you to reconstruct the full context of an interaction that led to a policy violation. ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-log.ywQDc5qN_2v6nax.webp) AI prompt protection is now available in open beta. To learn more about it, read the [blog ↗](https://blog.cloudflare.com/ai-prompt-protection/#closing-the-loop-logging) or refer to [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics). ## 2025-08-21 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.6.1400.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for pre-login for multi-user for the 2025.6.1135.0 release. **Changes and improvements** * Fixes an issue where new pre-login registrations were not being properly created. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, please reconnect the WARP client by toggling off and back on. ## 2025-08-21 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Gateway BYOIP Dedicated Egress IPs now available.** Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs. Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic. Get started by following the [BYOIP onboarding process](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** \> **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu. ![Screenshot of a dropdown menu adding a BYOIP IPv4 address as a dedicated egress IP in a Gateway egress policy](https://developers.cloudflare.com/_astro/Gateway-byoip-dedicated-egress-ips.D0pzLAbV_8yK6N.webp) For more information, refer to [BYOIP for dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). ## 2025-08-19 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.6.1335.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Improvements to better manage multi-user pre-login registrations. * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement for faster client connectivity on high-latency captive portal networks. * Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-08-19 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.6.1335.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement for faster client connectivity on high-latency captive portal networks. * Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-08-19 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.6.1335.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement for faster client connectivity on high-latency captive portal networks. * Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-08-15 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **SFTP support for SSH with Cloudflare Access for Infrastructure** [SSH with Cloudflare Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) now supports SFTP. It is compatible with SFTP clients, such as Cyberduck. ## 2025-08-14 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Cloudflare Access Logging supports the Customer Metadata Boundary (CMB)** Cloudflare Access logs now support the [Customer Metadata Boundary (CMB)](https://developers.cloudflare.com/data-localization/metadata-boundary/). If you have configured the CMB for your account, all Access logging will respect that configuration. Note For EU CMB customers, the logs will not be stored by Access and will appear as empty in the dashboard. EU CMB customers should utilize [Logpush](https://developers.cloudflare.com/logs/logpush/) to retain their Access logging, if desired. ## 2025-08-07 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Expanded Email Link Isolation** When you deploy MX or Inline, not only can you apply email link isolation to suspicious links in all emails (including benign), you can now also apply email link isolation to all links of a specified disposition. This provides more flexibility in controlling user actions within emails. For example, you may want to deliver suspicious messages but isolate the links found within them so that users who choose to interact with the links will not accidentally expose your organization to threats. This means your end users are more secure than ever before. ![Expanded Email Link Isolation Configuration](https://developers.cloudflare.com/_astro/expanded-link-actions.DziIg6E8_1Sx0Ar.webp) To isolate all links within a message based on the disposition, select **Settings** \> **Link Actions** \> **View** and select **Configure**. As with other other links you isolate, an interstitial will be provided to warn users that this site has been isolated and the link will be recrawled live to evaluate if there are any changes in our threat intel. Learn more about this feature on [Configure link actions ↗](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/). This feature is available across these Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-07-31 [ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Terraform V5 support for tunnels and routes** The Cloudflare Terraform provider resources for Cloudflare WAN tunnels and routes now support Terraform provider version 5\. Customers using infrastructure-as-code workflows can manage their tunnel and route configuration with the latest provider version. For more information, refer to the [Cloudflare Terraform provider documentation ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs). ## 2025-07-30 [ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Magic Transit and Magic WAN health check data is fully compatible with the CMB EU setting.** Today, we are excited to announce that all Magic Transit and Magic WAN customers with CMB EU ([Customer Metadata Boundary - Europe](https://developers.cloudflare.com/data-localization/metadata-boundary/)) enabled in their account will be able to access GRE, IPsec, and CNI health check and traffic volume data in the Cloudflare dashboard and via API. This ensures that all Magic Transit and Magic WAN customers with CMB EU enabled will be able to access all Magic Transit and Magic WAN features. Specifically, these two GraphQL endpoints are now compatible with CMB EU: * `magicTransitTunnelHealthChecksAdaptiveGroups` * `magicTransitTunnelTrafficAdaptiveGroups` ## 2025-07-28 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Scam domain category introduced under Security Threats** We have introduced a new Security Threat category called **Scam**. Relevant domains are marked with the Scam category. Scam typically refers to fraudulent websites and schemes designed to trick victims into giving away money or personal information. **New category added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | ---------------- | ----------- | ------------- | | 21 | Security Threats | 191 | Scam | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. ## 2025-07-24 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.6.824.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * Improvements to better manage multi-user pre-login registrations. * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement to managed network detection checks for faster switching between managed networks. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-07-24 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.6.824.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement to managed network detection checks for faster switching between managed networks. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-07-24 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Gateway HTTP Filtering on all ports available in open BETA** [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) can now apply [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [file sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#data-in-transit), and more. You can turn this [setting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** \> **Network** \> **Firewall** and choosing _Inspect on all ports_. ![HTTP Inspection on all ports setting](https://developers.cloudflare.com/_astro/Gateway-Inspection-all-ports.CCmwX6D0_OoDoS.webp) To learn more, refer to [Inspect on all ports (Beta)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). ## 2025-07-23 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.5.943.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect. * Changes to the [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) feature to no longer restart the SMS Agent Host (`ccmexec.exe`) service. * Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-07-23 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.5.943.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect. * Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client. * For macOS deployments, the WARP client can now be managed using an `mdm.xml` file placed in `/Library/Application Support/Cloudflare/mdm.xml`. This new configuration option offers an alternative to the still supported method of deploying a managed plist through an MDM solution. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-07-23 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.5.943.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect. * Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-07-22 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Google Bard Application replaced by Gemini** The **Google Bard** application (ID: 1198) has been deprecated and fully removed from the system. It has been replaced by the **Gemini** application (ID: 1340). Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. For more information about application policies, please see the [Cloudflare Gateway documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). ## 2025-07-21 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Virtual Cloudflare One Appliance with KVM support (open beta)** The KVM-based virtual Cloudflare One Appliance is now in open beta with official support for Proxmox VE. Customers can deploy the virtual appliance on KVM hypervisors to connect branch or data center networks to Cloudflare WAN without dedicated hardware. For setup instructions, refer to [Configure a virtual Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/configure-virtual-appliance/). ## 2025-07-17 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) **New detection entry type: Document Matching for DLP** You can now create [document-based](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#documents) detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files. ![DLP](https://developers.cloudflare.com/_astro/document-match.CcN8pGgR_Z1e3PDm.webp) **Key features and benefits:** * **Upload documents, forms, or templates:** Easily upload .docx and .txt files (up to 10 MB) that contain sensitive information you want to protect. * **Granular control with similarity percentage:** Define a minimum similarity percentage (0-100%) that a document must meet to trigger a detection, reducing false positives. * **Comprehensive coverage:** Apply these document-based detection entries in: * **Gateway policies:** To inspect network traffic for sensitive documents as they are uploaded or shared. * **CASB (Cloud Access Security Broker):** To scan files stored in cloud applications for sensitive documents at rest. * **Identify sensitive data:** This new detection entry type is ideal for identifying sensitive data within completed forms, templates, or even small snippets of a larger document, helping you prevent data exfiltration and ensure compliance. Once uploaded and processed, you can add this new document entry into a DLP profile and policies to enhance your data protection strategy. ## 2025-07-15 [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **Faster, more reliable UDP traffic for Cloudflare Tunnel** Your real-time applications running over [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) are now faster and more reliable. We've completely re-architected the way `cloudflared` proxies UDP traffic in order to isolate it from other traffic, ensuring latency-sensitive applications like private DNS are no longer slowed down by heavy TCP traffic (like file transfers) on the same Tunnel. This is a foundational improvement to Cloudflare Tunnel, delivered automatically to all customers. There are no settings to configure — your UDP traffic is already flowing faster and more reliably. **What’s new:** * **Faster UDP performance**: We've significantly reduced the latency for establishing new UDP sessions, making applications like private DNS much more responsive. * **Greater reliability for mixed traffic**: UDP packets are no longer affected by heavy TCP traffic, preventing timeouts and connection drops for your real-time services. Learn more about running [TCP or UDP applications](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-applications) and [private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). ## 2025-07-10 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **New onboarding guides for Zero Trust** Use our brand new onboarding experience for Cloudflare Zero Trust. New and returning users can now engage with a **Get Started** tab with walkthroughs for setting up common use cases end-to-end. ![Zero Trust onboarding guides](https://developers.cloudflare.com/_astro/zt-onboarding-guides._18EfPbe_NEBk9.webp) There are eight brand new onboarding guides in total: * Securely access a private network (sets up device client and Tunnel) * Device-to-device / mesh networking (sets up and connects multiple device clients) * Network to network connectivity (sets up and connects multiple WARP Connectors, makes reference to Magic WAN availability for Enterprise) * Secure web traffic (sets up device client, Gateway, pre-reqs, and initial policies) * Secure DNS for networks (sets up a new DNS location and Gateway policies) * Clientless web access (sets up Access to a web app, Tunnel, and public hostname) * Clientless SSH access (all the same + the web SSH experience) * Clientless RDP access (all the same + RDP-in-browser) Each flow walks the user through the steps to configure the essential elements, and provides a “more details” panel with additional contextual information about what the user will accomplish at the end, along with why the steps they take are important. Try them out now in the [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/?to=/:account/home)! ## 2025-07-07 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **Cloudy summaries for Access and Gateway Logs** Cloudy, Cloudflare's AI Agent, will now automatically summarize your [Access](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) block logs. In the log itself, Cloudy will summarize what occurred and why. This will be helpful for quick troubleshooting and issue correlation. ![Cloudy AI summarizes a log](https://developers.cloudflare.com/_astro/cloudy-explanation.oFZR6cXa_Z2e1RtR.webp) If you have feedback about the Cloudy summary - good or bad - you can provide that right from the summary itself. ## 2025-07-07 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **New App Library for Zero Trust Dashboard** Cloudflare Zero Trust customers can use the App Library to get full visibility over the SaaS applications that they use in their Gateway policies, CASB integrations, and Access for SaaS applications. **App Library**, found under **My Team**, makes information available about all Applications that can be used across the Zero Trust product suite. ![Zero Trust App Library](https://developers.cloudflare.com/_astro/app-library.D403GJ9j_1SfMgP.webp) You can use the App Library to see: * How Applications are defined * Where they are referenced in policies * Whether they have Access for SaaS configured * Review their CASB findings and integration status. Within individual Applications, you can also track their usage across your organization, and better understand user behavior. ## 2025-07-01 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Access RDP securely from your browser — now in open beta** [Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients. With browser-based RDP, you can: * **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies. * **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event. * **Eliminate the need to install and manage software on user devices**. You will only need a web browser. * **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks. ![Example of a browsed-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp) To get started, see [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/). ## 2025-06-30 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.5.893.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains improvements and new exciting features, including [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) and [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed a device registration issue that caused WARP connection failures when changing networks. * Captive portal improvements and fixes: * Captive portal sign in notifications will now be sent through operating system notification services. * Fix for firewall configuration issue affecting clients in DoH only mode. * Improved the connectivity status message in the client GUI. * Fixed a bug affecting clients in Gateway with DoH mode where the original DNS servers were not restored after disabling WARP. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to handle client configuration changes made by an MDM while WARP is not running. * Improvements for multi-user experience to better handle fast user switching and transitions from a pre-login to a logged-in state. * Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/). * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. * Added [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable. * Fix for an issue causing WARP connectivity to fail without full system reboot. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5060829](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-06-30 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.5.893.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed an issue where WARP sometimes failed to automatically relaunch after updating. * Fixed a device registration issue causing WARP connection failures when changing networks. * Captive portal improvements and fixes: * Captive portal sign in notifications will now be sent through operating system notification services. * Fix for firewall configuration issue affecting clients in DoH only mode. * Improved the connectivity status message in the client GUI. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to handle client configuration changes made by an MDM while WARP is not running. * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. * Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations. * Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/). **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-06-30 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.5.893.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed a device registration issue causing WARP connection failures when changing networks. * Captive portal improvements and fixes: * Captive portal sign in notifications will now be sent through operating system notification services. * Fix for firewall configuration issue affecting clients in DoH only mode. * Improved the connectivity status message in the client GUI. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to handle client configuration changes made by MDM while WARP is not running. * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. * Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/). **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-06-30 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Cloudflare One Agent for Android (version 2.4.2)** A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate [protection of post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * QLogs are now disabled by default and can be enabled in the app by turning on **Enable qlogs** under **Settings** \> **Advanced** \> **Diagnostics** \> **Debug Logs**. The QLog setting from previous releases will no longer be respected. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * The WARP client now applies [post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by [MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Fixed an issue that caused WARP connection failures on ChromeOS devices. ## 2025-06-30 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Cloudflare One Agent for iOS (version 1.11)** A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate [protection of post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * QLogs are now disabled by default and can be enabled in the app by turning on **Enable qlogs** under **Settings** \> **Advanced** \> **Diagnostics** \> **Debug Logs**. The QLog setting from previous releases will no longer be respected. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * The WARP client now applies [post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by [MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). ## 2025-06-23 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **Data Security Analytics in the Zero Trust dashboard** Zero Trust now includes **Data security analytics**, providing you with unprecedented visibility into your organization sensitive data. The new dashboard includes: * **Sensitive Data Movement Over Time:** * See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths. * **Sensitive Data at Rest in SaaS & Cloud:** * View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3). * **DLP Policy Activity:** * Identify which of your Data Loss Prevention (DLP) policies are being triggered most often. * See which specific users are responsible for triggering DLP policies. ![Data Security Analytics](https://developers.cloudflare.com/_astro/cf1-data-security-analytics-v1.BGl6fYXl_H3N0P.webp) To access the new dashboard, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** on the sidebar. ## 2025-06-18 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025** [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users. This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent. #### Updated order of enforcement **Previous order:** 1. DNS policies 2. HTTP policies 3. Network policies **New order:** 1. DNS policies 2. **Network policies** 3. **HTTP policies** #### Action required: Review your Gateway HTTP policies This change may affect block notifications. For example: * You have an **HTTP policy** to block `example.com` and display a block page. * You also have a **Network policy** to block `example.com` silently (no client notification). With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page. To ensure users still receive a block notification, you can: * Add a client notification to your Network policy, or * Use only the HTTP policy for that domain. --- #### Why we’re making this change This update is based on user feedback and aims to: * Create a more intuitive model by evaluating network-level policies before application-level policies. * Minimize [526 connection errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection. --- To learn more, visit the [Gateway order of enforcement documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/). ## 2025-06-17 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.5.828.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1. **Changes and improvements** * Improvement to better handle multi-user fast user switching. * Fix for an issue causing WARP connectivity to fail without full system reboot. **Known issues** * Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-06-17 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.5.828.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1. **Changes and improvements** * Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-06-05 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.5.735.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains improvements and new exciting features, including [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) and [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed a device registration issue causing WARP connection failures when changing networks. * Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in. * Fixed a bug where in Gateway with DoH mode, connection to DNS servers was not automatically restored after reconnecting WARP. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to gracefully handle changes made by MDM while WARP is not running. * Improvement for multi-user mode to avoid unnecessary key rotations when transitioning from a pre-login to a logged-in state. * Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/). * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. * Added [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable. **Known issues** * Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-06-05 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.5.735.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed an issue where the Cloudflare WARP application may not have automatically relaunched after an update. * Fixed a device registration issue causing WARP connection failures when changing networks. * Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to gracefully handle changes made by MDM while WARP is not running. * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-06-05 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **Cloudflare One Analytics Dashboards and Exportable Access Report** Cloudflare One now offers powerful new analytics dashboards to help customers easily discover available insights into their application access and network activity. These dashboards provide a centralized, intuitive view for understanding user behavior, application usage, and security posture. !\[Cloudflare One Analytics Dashboards\](\~/assets/images/changelog/cloudflare-one/Analytics Dashboards.png) Additionally, a new exportable access report is available, allowing customers to quickly view high-level metrics and trends in their application access. A **preview** of the report is shown below, with more to be found in the report: ![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/access-report.C744W7JR_2uzMcN.webp) Both features are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control. ## 2025-05-29 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **New Gateway Analytics in the Cloudflare One Dashboard** Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources. You can now visualize and explore: * Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity. * Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation. * Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture. * Geographic Regions: Gain insight into the global distribution of your traffic. ![Gateway Analytics](https://developers.cloudflare.com/_astro/gateway-analytics.BdSwbIBb_1WTkQL.webp) To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and go to Analytics in the side navigation bar. ## 2025-05-27 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Gateway Protocol Detection Now Available for PAYGO and Free Plans** All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans. With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier. This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/). ## 2025-05-22 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.4.943.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release. **Changes and improvements** * Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release. **Known issues** * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. * Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. ## 2025-05-22 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.4.943.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release. **Changes and improvements** * Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-05-22 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.4.943.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release. **Changes and improvements** * Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-05-18 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **New Applications Added to Zero Trust** 42 new applications have been added for Zero Trust support within the Application Library and Gateway policy enforcement, giving you the ability to investigate or apply inline policies to these applications. 33 of the 42 applications are Artificial Intelligence applications. The others are Human Resources (2 applications), Development (2 applications), Productivity (2 applications), Sales & Marketing, Public Cloud, and Security. To view all available applications, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), navigate to the **App Library** under **My Team**. For more information on creating Gateway policies, see our [Gateway policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/). ## 2025-05-16 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **New Access Analytics in the Cloudflare One Dashboard** A new Access Analytics dashboard is now available to all Cloudflare One customers. Customers can apply and combine multiple filters to dive into specific slices of their Access metrics. These filters include: * Logins granted and denied * Access events by type (SSO, Login, Logout) * Application name (Salesforce, Jira, Slack, etc.) * Identity provider (Okta, Google, Microsoft, onetimepin, etc.) * Users (`chris@cloudflare.com`, `sally@cloudflare.com`, `rachel@cloudflare.com`, etc.) * Countries (US, CA, UK, FR, BR, CN, etc.) * Source IP address * App type (self-hosted, Infrastructure, RDP, etc.) ![Access Analytics](https://developers.cloudflare.com/_astro/accessanalytics.DYXgwZCl_Z2PPi7.webp) To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Analytics in the side navigation bar. ## 2025-05-15 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Open email attachments with Browser Isolation** You can now safely open email attachments to view and investigate them. What this means is that messages now have a **Attachments** section. Here, you can view processed attachments and their classifications (for example, _Malicious_, _Suspicious_, _Encrypted_). Next to each attachment, a **Browser Isolation** icon allows your team to safely open the file in a **clientless, isolated browser** with no risk to the analyst or your environment. ![Attachment-RBI](https://developers.cloudflare.com/_astro/Attachment-RBI.U9Dp8dJO_265xjw.webp) To use this feature, you must: * Enable **Clientless Web Isolation** in your Zero Trust settings. * Have **Browser Isolation (BISO)** seats assigned. For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact. This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-05-14 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.4.929.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains two significant changes all customers should be aware of: 1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip). 2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks. **Changes and improvements** * Fixed an issue causing reconnection loops when captive portals are detected. * Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names. * Fixed an issue where managed network policies could incorrectly report network location beacons as missing. * Improved DEX test error reporting. * Fixed an issue where some parts of the WARP Client UI were missing in high contrast mode. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met. * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. * Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect. * Fixed an issue causing WARP connection disruptions after network changes. **Known issues** * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. * Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. ## 2025-05-14 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Domain Categories improvements** **New categories added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | --------------------- | ----------- | ----------------------------- | | 1 | Ads | 66 | Advertisements | | 3 | Business & Economy | 185 | Personal Finance | | 3 | Business & Economy | 186 | Brokerage & Investing | | 21 | Security Threats | 187 | Compromised Domain | | 21 | Security Threats | 188 | Potentially Unwanted Software | | 6 | Education | 189 | Reference | | 9 | Government & Politics | 190 | Charity and Non-profit | **Changes to existing categories** | Original Name | New Name | | ------------- | ----------------------- | | Religion | Religion & Spirituality | | Government | Government/Legal | | Redirect | URL Alias/Redirect | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. ## 2025-05-13 [ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) **SAML HTTP-POST bindings support for RBI** Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused `405` errors during login and improves compatibility with multi-factor authentication (MFA) flows. With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/). ## 2025-05-13 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **New Applications Added for DNS Filtering** You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic. With this update, you can: * Create DNS policies for a wider range of applications * Manage outbound traffic more effectively * Improve your organization's security and compliance posture For more information on creating DNS policies, see our [DNS policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). ## 2025-05-12 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Linux (version 2025.4.929.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains two significant changes all customers should be aware of: 1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip). 2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks. **Changes and improvements** * Fixed an issue where the managed network policies could incorrectly report network location beacons as missing. * Improved DEX test error reporting. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect. * Fixed an issue causing WARP connection disruptions after network changes. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-05-12 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.4.929.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains two significant changes all customers should be aware of: 1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip). 2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks. **Changes and improvements** * Fixed an issue where the managed network policies could incorrectly report network location beacons as missing. * Improved DEX test error reporting. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Improved captive portal detection. * Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met. * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. * Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect. * Fixed an issue causing WARP connection disruptions after network changes. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-05-12 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) **Case Sensitive Custom Word Lists** You can now configure [custom word lists](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical. ![dlp](https://developers.cloudflare.com/_astro/case-sesitive-cwl.MPuOc_3r_220dca.webp) ## 2025-05-08 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Open email links with Browser Isolation** You can now safely open links in emails to view and investigate them. ![Open links with Browser Isolation](https://developers.cloudflare.com/_astro/investigate-links.pYbpGkt5_Z1DQRHU.webp) From **Investigation**, go to **View details**, and look for the **Links identified** section. Next to each link, the Cloudflare dashboard will display an **Open in Browser Isolation** icon which allows your team to safely open the link in a clientless, isolated browser with no risk to the analyst or your environment. Refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links) to learn more about this feature. To use this feature, you must: * Enable **Clientless Web Isolation** in your Zero Trust settings. * Have **Browser Isolation (RBI)** seats assigned. For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-05-07 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) **Send forensic copies to storage without DLP profiles** You can now [send DLP forensic copies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. ![DLP](https://developers.cloudflare.com/_astro/forensic-copies-for-all.fxeFrCY4_Z1rCUy9.webp) ## 2025-05-01 [ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) **Browser Isolation Overview page for Zero Trust** A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) deployments, providing: * **Streamlined Onboarding:** Easily set up and manage isolation policies from one location. * **Quick Testing:** Validate [clientless web application isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) with ease. * **Simplified Configuration:** Configure [isolated access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/) and policies efficiently. * **Centralized Monitoring:** Track aggregate usage and blocked actions. This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively. ![Browser Isolation Overview](https://developers.cloudflare.com/_astro/browser-isolation-overview.Ljd5ax_O_Z1SURww.webp) To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Browser Isolation in the side navigation bar. ## 2025-04-30 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) **Dark Mode for Zero Trust Dashboard** The [Cloudflare Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) now supports Cloudflare's native dark mode for all accounts and plan types. Zero Trust Dashboard will automatically accept your user-level preferences for system settings, so if your Dashboard appearance is set to 'system' or 'dark', the Zero Trust dashboard will enter dark mode whenever the rest of your Cloudflare account does. ![Zero Trust dashboard supports dark mode](https://developers.cloudflare.com/_astro/dark-mode.DfLeS20d_Z2kTwNR.webp) * [ Zero Trust Dashboard ](#tab-panel-3443) * [ Core Dashboard ](#tab-panel-3444) To update your view preference in the Zero Trust dashboard: 1. Log into the [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/). 2. Select your user icon. 3. Select **Dark Mode**. To update your view preference in the Core dashboard: 1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com). 2. Go to **My Profile** 3. For **Appearance**, choose **Dark**. ## 2025-04-30 [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Cloudflare One Appliance supports multiple DNS server IPs** Cloudflare One Appliance DHCP server settings now support specifying multiple DNS server IP addresses in the DHCP pool. Previously, customers could only configure a single DNS server per DHCP pool. With this update, you can specify multiple DNS servers to provide redundancy for clients at branch locations. For configuration details, refer to [DHCP server](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-server/). ## 2025-04-28 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **FQDN Filtering For Gateway Egress Policies** Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies. * Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta. * During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation. * For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#limitations). ![Egress by FQDN and Hostname](https://developers.cloudflare.com/_astro/Gateway-Egress-FQDN-Policy-preview.Civon5p8_Z2hcuQE.webp) This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path. ## 2025-04-22 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.4.589.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). **Changes and improvements** * Fixed an issue causing reconnection loops when captive portals are detected. * Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names. * Fixed an issue where managed network policies could incorrectly report network location beacons as missing. * Improved error reporting for DEX tests. * Improved WARP client UI high contrast mode. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met. * Added a [Collect Captive Portal Diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics. * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. **Known issues** * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-04-22 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.4.589.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). **Changes and improvements** * Fixed an issue where managed network policies could incorrectly report network location beacons as missing. * Improved DEX test error reporting. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Improved captive portal detection. * Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met. * Added a [Collect Captive Portal Diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics. * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-04-21 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Access bulk policy tester** The [Access bulk policy tester](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable). ![Example policy tester](https://developers.cloudflare.com/_astro/example-policy-tester.DCY8hQvx_2nxAfs.webp) ## 2025-04-14 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) **New predefined detection entry for ICD-11** You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11) ↗](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile. ICD-10 dataset remains available for use. ## 2025-04-11 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **HTTP redirect and custom block page redirect** You can now use more flexible redirect capabilities in Cloudflare One with Gateway. * A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters. * For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL. Learn more in our documentation for [HTTP Redirect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). ## 2025-04-09 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Cloudflare Zero Trust SCIM User and Group Provisioning Logs** [Cloudflare Zero Trust SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions. SCIM logs can be found on the Zero Trust Dashboard under **Logs** \-> **SCIM provisioning**. ![Example SCIM Logs](https://developers.cloudflare.com/_astro/example-scim-log.Bv5Zqckh_BY26C.webp) ## 2025-04-08 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for Windows (version 2025.2.664.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for captive portal detection for the 2025.2.600.0 release. **Changes and improvements** * Fix to reduce the number of browser tabs opened during captive portal logins. **Known issues** * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-04-08 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **WARP client for macOS (version 2025.2.664.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for captive portal detection and PF state tables for the 2025.2.600.0 release. **Changes and improvements** * Fix to reduce the number of browser tabs opened during captive portal logins. * Improvement to exclude local DNS traffic entries from PF state table to reduce risk of connectivity issues from exceeding table capacity. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-04-01 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **CASB and Email security** With Email security, you get two free CASB integrations. Use one SaaS integration for Email security to sync with your directory of users, take actions on delivered emails, automatically provide EMLs for reclassification requests for clean emails, discover CASB findings and more. With the other integration, you can have a separate SaaS integration for CASB findings for another SaaS provider. Refer to [Add an integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) to learn more about this feature. ![CASB-EmailSecurity](https://developers.cloudflare.com/_astro/CASB-EmailSecurity.B1wd9be2_PR5LD.webp) This feature is available across these Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-03-21 [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Secure DNS Locations Management User Role** We're excited to introduce the [**Cloudflare Zero Trust Secure DNS Locations Write role**](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations), designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions. Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions. **Secure DNS Location Requirements:** * Mandate usage of [Bring your own DNS resolver IP addresses ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) if available on the account. * Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint. You can assign the new role via Cloudflare Dashboard (`Manage Accounts > Members`) or via API. For more information, refer to the [Secure DNS Locations documentation ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations). ## 2025-03-17 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Cloudflare One Agent for Android (version 2.4)** A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements. **Changes and improvements** * Improved in-app error messages. * Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url). * Fixed an issue preventing admin split tunnel settings taking priority for traffic from certain applications. ## 2025-03-17 [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Cloudflare One Agent for iOS (version 1.10)** A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements. **Changes and improvements** * Improved in-app error messages. * Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url). * Bug fixes and performance improvements. ## 2025-03-13 [ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/) **Cloudflare IP Ranges List** Magic Firewall now supports a new managed list of Cloudflare IP ranges. This list is available as an option when creating a Magic Firewall policy based on IP source/destination addresses. When selecting "is in list" or "is not in list", the option "**Cloudflare IP Ranges**" will appear in the dropdown menu. This list is based on the IPs listed in the Cloudflare [IP ranges ↗](https://www.cloudflare.com/en-gb/ips/). Updates to this managed list are applied automatically. ![Cloudflare IPs Managed List](https://developers.cloudflare.com/_astro/cloudflare-ips.DetyOndL_10JG5B.webp) Note: IP Lists require a Cloudflare Advanced Network Firewall subscription. For more details about Cloudflare Network Firewall plans, refer to [Plans](https://developers.cloudflare.com/cloudflare-network-firewall/plans). ## 2025-03-07 [ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) **Cloudflare One Agent now supports Endpoint Monitoring** [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device, network, and application performance across your Cloudflare SASE deployment. The latest release of the Cloudflare One agent (v2025.1.861) now includes device endpoint monitoring capabilities to provide deeper visibility into end-user device performance which can be analyzed directly from the dashboard. Device health metrics are now automatically collected, allowing administrators to: * View the last network a user was connected to * Monitor CPU and RAM utilization on devices * Identify resource-intensive processes running on endpoints ![Device endpoint monitoring dashboard](https://developers.cloudflare.com/_astro/cloudflare-one-agent-health-monitoring.XXtiRuOp_Z25TN9Q.webp) This feature complements existing DEX features like [synthetic application monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) and [network path visualization](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/), creating a comprehensive troubleshooting workflow that connects application performance with device state. For more details refer to our [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) documentation. ## 2025-03-04 [ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) **Gain visibility into user actions in Zero Trust Browser Isolation sessions** We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) through [Logpush](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today! With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session. ``` { "AccountID": "$ACCOUNT_ID", "Decision": "block", "DomainName": "www.example.com", "Timestamp": "2025-02-27T23:15:06Z", "Type": "copy", "UserID": "$USER_ID" } ``` User Actions available: * **Copy & Paste** * **Downloads & Uploads** * **Printing** Learn more about how to get started with Logpush in our [documentation](https://developers.cloudflare.com/logs/logpush/). ## 2025-03-03 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **New SAML and OIDC Fields and SAML transforms for Access for SaaS** [Access for SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications. **SAML and OIDC Field Additions** OIDC apps now include: * Group Filtering via RegEx * OIDC Claim mapping from an IdP * OIDC token lifetime control * Advanced OIDC auth flows including hybrid and implicit flows ![OIDC field additions](https://developers.cloudflare.com/_astro/oidc-claims.2di8l9Lv_ZrD1mx.webp) SAML apps now include improved SAML attribute mapping from an IdP. ![SAML field additions](https://developers.cloudflare.com/_astro/saml-attribute-statements.CW45j5Qi_1ydeSQ.webp) **SAML transformations** SAML identities sent to Access applications can be fully customized using JSONata expressions. This allows admins to configure the precise identity SAML statement sent to a SaaS application. ![Configured SAML statement sent to application](https://developers.cloudflare.com/_astro/transformation-box.DyKn-DdN_2rtirg.webp) ## 2025-03-01 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Use Logpush for Email security detections** You can now send detection logs to an endpoint of your choice with Cloudflare Logpush. Filter logs matching specific criteria you have set and select from over 25 fields you want to send. When creating a new Logpush job, remember to select **Email security alerts** as the dataset. ![logpush-detections](https://developers.cloudflare.com/_astro/Logpush-Detections.Dc5tHta3_1PsIMk.webp) For more information, refer to [Enable detection logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/#enable-detection-logs). This feature is available across these Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-02-27 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Check status of Email security or Area 1** Concerns about performance for Email security or Area 1? You can now check the operational status of both on the [Cloudflare Status page ↗](https://www.cloudflarestatus.com/). For Email security, look under **Cloudflare Sites and Services**. * **Dashboard** is the dashboard for Cloudflare, including Email security * **Email security (Zero Trust)** is the processing of email * **API** are the Cloudflare endpoints, including the ones for Email security For Area 1, under **Cloudflare Sites and Services**: * **Area 1 - Dash** is the dashboard for Cloudflare, including Email security * **Email security (Area1)** is the processing of email * **Area 1 - API** are the Area 1 endpoints ![Status-page](https://developers.cloudflare.com/_astro/Status-Page.DcFJ1286_2qTtkN.webp) This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-02-25 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Use DLP Assist for M365** Cloudflare Email security customers who have Microsoft 365 environments can quickly deploy an Email DLP (Data Loss Prevention) solution for free. Simply deploy our add-in, create a DLP policy in Cloudflare, and configure Outlook to trigger behaviors like displaying a banner, alerting end users before sending, or preventing delivery entirely. Refer to [Outbound Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/) to learn more about this feature. In GUI alert: ![DLP-Alert](https://developers.cloudflare.com/_astro/DLP-Alert.5s-fbKn3_1xfB14.webp) Alert before sending: ![DLP-Pop-up](https://developers.cloudflare.com/_astro/DLP-Pop-up.0gkYy7o5_ZgIo8K.webp) Prevent delivery: ![DLP-Blocked](https://developers.cloudflare.com/_astro/DLP-Blocked.CmQkGrnM_ZewJi3.webp) This feature is available across these Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-02-14 [ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) **Configure your Magic WAN Connector to connect via static IP assigment** You can now locally configure your [Magic WAN Connector](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/) to work in a static IP configuration. This local method does not require having access to a DHCP Internet connection. However, it does require being comfortable with using tools to access the serial port on Magic WAN Connector as well as using a serial terminal client to access the Connector's environment. For more details, refer to [WAN with a static IP address](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/configure-hardware-appliance/#bootstrap-via-serial-console). ## 2025-02-07 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Open email links with Security Center** You can now investigate links in emails with Cloudflare Security Center to generate a report containing a myriad of technical details: a phishing scan, SSL certificate data, HTTP request and response data, page performance data, DNS records, what technologies and libraries the page uses, and more. ![Open links in Security Center](https://developers.cloudflare.com/_astro/Open-Links-Security-Center.b-LJU4YB_2dBHq8.webp) From **Investigation**, go to **View details**, and look for the **Links identified** section. Select **Open in Security Center** next to each link. **Open in Security Center** allows your team to quickly generate a detailed report about the link with no risk to the analyst or your environment. For more details, refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links). This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-02-03 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **Block files that are password-protected, compressed, or otherwise unscannable.** Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable. These unscannable files are now matched with the [Download and Upload File Types traffic selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies: * Password-protected Microsoft Office document * Password-protected PDF * Password-protected ZIP archive * Unscannable ZIP archive To get started inspecting and modifying behavior based on these and other rules, refer to [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/). ## 2025-01-20 [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) **Detect source code leaks with Data Loss Prevention** You can now detect source code leaks with Data Loss Prevention (DLP) with predefined checks against common programming languages. The following programming languages are validated with natural language processing (NLP). * C * C++ * C# * Go * Haskell * Java * JavaScript * Lua * Python * R * Rust * Swift DLP also supports confidence level for [source code profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code). For more details, refer to [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/). ## 2025-01-15 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Export SSH command logs with Access for Infrastructure using Logpush** Availability Only available on Enterprise plans. Cloudflare now allows you to send SSH command logs to storage destinations configured in [Logpush](https://developers.cloudflare.com/logs/logpush/), including third-party destinations. Once exported, analyze and audit the data as best fits your organization! For a list of available data fields, refer to the [SSH logs dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/). To set up a Logpush job, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## 2024-12-19 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Escalate user submissions** After you triage your users' submissions (that are machine reviewed), you can now escalate them to our team for reclassification (which are instead human reviewed). User submissions from the submission alias, PhishNet, and our API can all be escalated. ![Escalate](https://developers.cloudflare.com/_astro/Escalate.CwXPIyM3_ZxuRN6.webp) From **Reclassifications**, go to **User submissions**. Select the three dots next to any of the user submissions, then select **Escalate** to create a team request for reclassification. The Cloudflare dashboard will then show you the submissions on the **Team Submissions** tab. Refer to [User submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/) to learn more about this feature. This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2024-12-19 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Increased transparency for phishing email submissions** You now have more transparency about team and user submissions for phishing emails through a **Reclassification** tab in the Zero Trust dashboard. Reclassifications happen when users or admins [submit a phish](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/) to Email security. Cloudflare reviews and - in some cases - reclassifies these emails based on improvements to our machine learning models. This new tab increases your visibility into this process, allowing you to view what submissions you have made and what the outcomes of those submissions are. ![Use the Reclassification area to review submitted phishing emails](https://developers.cloudflare.com/_astro/reclassifications-tab.yDgtjG51_Z1TVbIE.webp) ## 2024-12-19 [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) **Troubleshoot tunnels with diagnostic logs** The latest `cloudflared` build [2024.12.2 ↗](https://github.com/cloudflare/cloudflared/releases/tag/2024.12.2) introduces the ability to collect all the diagnostic logs needed to troubleshoot a `cloudflared` instance. A diagnostic report collects data from a single instance of `cloudflared` running on the local machine and outputs it to a `cloudflared-diag` file. For more information, refer to [Diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/). ## 2024-12-17 [ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Network Interconnect ](https://developers.cloudflare.com/network-interconnect/) **Establish BGP peering over Direct CNI circuits** Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp. Using BGP peering allows customers to: * Automate the process of adding or removing networks and subnets. * Take advantage of failure detection and session recovery features. With this functionality, customers can: * Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via CNI. * Secure the session by MD5 authentication to prevent misconfigurations. * Exchange routes dynamically between their devices and their Magic routing table. Refer to [Magic WAN BGP peering](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/how-to/configure-routes/#configure-bgp-routes) or [Magic Transit BGP peering](https://developers.cloudflare.com/magic-transit/how-to/configure-routes/#configure-bgp-routes) to learn more about this feature and how to set it up. ## 2024-12-05 [ Multi-Cloud Networking ](https://developers.cloudflare.com/multi-cloud-networking/) **Generate customized terraform files for building cloud network on-ramps** You can now generate customized terraform files for building cloud network on-ramps to [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/). [Magic Cloud](https://developers.cloudflare.com/multi-cloud-networking/) can scan and discover existing network resources and generate the required terraform files to automate cloud resource deployment using their existing infrastructure-as-code workflows for cloud automation. You might want to do this to: * Review the proposed configuration for an on-ramp before deploying it with Cloudflare. * Deploy the on-ramp using your own infrastructure-as-code pipeline instead of deploying it with Cloudflare. For more details, refer to [Set up with Terraform](https://developers.cloudflare.com/multi-cloud-networking/cloud-on-ramps/#set-up-with-terraform). ## 2024-11-22 [ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) **Find security misconfigurations in your AWS cloud environment** You can now use CASB to find security misconfigurations in your AWS cloud environment using [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/). You can also [connect your AWS compute account](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/#compute-account) to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration. To connect a compute account to your AWS integration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Integrations**. 2. Find and select your AWS integration. 3. Select **Open connection instructions**. 4. Follow the instructions provided to connect a new compute account. 5. Select **Refresh**. ## 2024-11-21 [ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) **Improved non-English keyboard support** You can now type in languages that use diacritics (like á or ç) and character-based scripts (such as Chinese, Japanese, and Korean) directly within the remote browser. The isolated browser now properly recognizes non-English keyboard input, eliminating the need to copy and paste content from a local browser or device. ## 2024-11-07 [ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) **Use Logpush for Email security user actions** You can now send user action logs for Email security to an endpoint of your choice with Cloudflare Logpush. Filter logs matching specific criteria you have set or select from multiple fields you want to send. For all users, we will log the date and time, user ID, IP address, details about the message they accessed, and what actions they took. When creating a new Logpush job, remember to select **Audit logs** as the dataset and filter by: * **Field**: `"ResourceType"` * **Operator**: `"starts with"` * **Value**: `"email_security"`. ![Logpush-user-actions](https://developers.cloudflare.com/_astro/Logpush-User-Actions.D14fWgmq_CYM35.webp) For more information, refer to [Enable user action logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/#enable-user-action-logs). This feature is available across all Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2024-10-02 [ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/) **Search for custom rules using rule name and/or ID** The Magic Firewall dashboard now allows you to search custom rules using the rule name and/or ID. 1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and select your account. 2. Go to **Analytics & Logs** \> **Network Analytics**. 3. Select **Magic Firewall**. 4. Add a filter for **Rule ID**. ![Search for firewall rules with rule IDs](https://developers.cloudflare.com/_astro/search-with-rule-id.DJgzqgKk_2jJ9x8.webp) Additionally, the rule ID URL link has been added to Network Analytics. ## 2024-10-01 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) **Eliminate long-lived credentials and enhance SSH security with Cloudflare Access for Infrastructure** Organizations can now eliminate long-lived credentials from their SSH setup and enable strong multi-factor authentication for SSH access, similar to other Access applications, all while generating access and command logs. SSH with [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: [WARP-to-Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client/). SSH with Access for Infrastructure enables you to: * **Author fine-grained policy** to control who may access your SSH servers, including specific ports, protocols, and SSH users. * **Monitor infrastructure access** with Access and SSH command logs, supporting regulatory compliance and providing visibility in case of security breach. * **Preserve your end users' workflows.** SSH with Access for Infrastructure supports native SSH clients and does not require any modifications to users’ SSH configs. ![Example of an infrastructure Access application](https://developers.cloudflare.com/_astro/infrastructure-app.BhpJOgxs_Z1M0wLH.webp) To get started, refer to [SSH with Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). ## 2024-06-17 [ Risk Score ](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/) **Exchange user risk scores with Okta** Beyond the controls in [Zero Trust](https://developers.cloudflare.com/cloudflare-one/), you can now [exchange user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#send-risk-score-to-okta) with Okta to inform SSO-level policies. First, configure Cloudflare One to send user risk scores to Okta. 1. Set up the [Okta SSO integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/). 2. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Identity providers**. 3. In **Your identity providers**, locate your Okta integration and select **Edit**. 4. Turn on **Send risk score to Okta**. 5. Select **Save**. 6. Upon saving, Cloudflare One will display the well-known URL for your organization. Copy the value. Next, configure Okta to receive your risk scores. 1. On your Okta admin dashboard, go to **Security** \> **Device Integrations**. 2. Go to **Receive shared signals**, then select **Create stream**. 3. Name your integration. In **Set up integration with**, choose _Well-known URL_. 4. In **Well-known URL**, enter the well-known URL value provided by Cloudflare One. 5. Select **Create**. ## 2024-06-16 [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/)[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Multi-Cloud Networking ](https://developers.cloudflare.com/multi-cloud-networking/)[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)[ Network Flow ](https://developers.cloudflare.com/network-flow/)[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Network Interconnect ](https://developers.cloudflare.com/network-interconnect/)[ Risk Score ](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/)[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) **Explore product updates for Cloudflare One** Welcome to your new home for product updates on [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/). Our [new changelog](https://developers.cloudflare.com/changelog/) lets you read about changes in much more depth, offering in-depth examples, images, code samples, and even gifs. If you are looking for older product updates, refer to the following locations. Older product updates * [Access](https://developers.cloudflare.com/cloudflare-one/changelog/access/) * [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/changelog/browser-isolation/) * [CASB](https://developers.cloudflare.com/cloudflare-one/changelog/casb/) * [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/changelog/tunnel/) * [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/changelog/dlp/) * [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/changelog/dex/) * [Email security](https://developers.cloudflare.com/cloudflare-one/changelog/email-security/) * [Gateway](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/) * [Multi-Cloud Networking](https://developers.cloudflare.com/multi-cloud-networking/changelog/) * [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/changelog/) * [Magic Network Monitoring](https://developers.cloudflare.com/network-flow/changelog/) * [Magic Transit](https://developers.cloudflare.com/magic-transit/changelog/) * [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/changelog/) * [Network Interconnect](https://developers.cloudflare.com/network-interconnect/changelog/) * [Risk score](https://developers.cloudflare.com/cloudflare-one/changelog/risk-score/) * [Cloudflare One Client](https://developers.cloudflare.com/changelog/cloudflare-one-client/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}}]} ``` --- --- title: Access description: Review recent changes to Cloudflare Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/access.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Access [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/access.xml) ## 2026-04-01 **Logs UI refresh** Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs. ![Screenshot of the new logs UI showing DNS query logs with customizable columns and filtering options](https://developers.cloudflare.com/_astro/cf1-new-logs-ui.DxF4x0l-_mRSyH.webp) The updated UI includes: * **Filter by field** \- Select any field value to add it as a filter and narrow down your results. * **Customizable fields** \- Choose which fields to display in the log table. Querying for fewer fields improves log loading performance. * **View details** \- Select a timestamp to view the full details of a log entry. * **Switch to classic view** \- Return to the previous log viewer interface if needed. For more information, refer to [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). ## 2026-03-04 **User risk score selector in Access policies** You can now use [user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/) in your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). The new **User Risk Score** selector allows you to create Access policies that respond to user behavior patterns detected by Cloudflare's risk scoring system, including impossible travel, high DLP policy matches, and more. For more information, refer to [Use risk scores in Access policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#use-risk-scores-in-access-policies). ## 2026-03-01 **Clipboard controls for browser-based RDP** You can now configure clipboard controls for browser-based RDP with Cloudflare Access. Clipboard controls allow administrators to restrict whether users can copy or paste text between their local machine and the remote Windows server. ![Enable users to copy and paste content from their local machine to remote RDP sessions in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/rdp-clipboard-controls.B0ZmliDb_Z1Ne5yg.webp) This feature is useful for organizations that support bring-your-own-device (BYOD) policies or third-party contractors using unmanaged devices. By restricting clipboard access, you can prevent sensitive data from being transferred out of the remote session to a user's personal device. #### Configuration options Clipboard controls are configured per policy within your Access application. For each policy, you can independently allow or deny: * **Copy from local client to remote RDP session** — Users can copy/paste text from their local machine into the browser-based RDP session. * **Copy from remote RDP session to local client** — Users can copy/paste text from the browser-based RDP session to their local machine. By default, both directions are denied for new policies. For existing Access applications created before this feature was available, clipboard access remains enabled to preserve backwards compatibility. When a user attempts a restricted clipboard action, the clipboard content is replaced with an error message informing them that the action is not allowed. For more information, refer to [Clipboard controls for browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls). ## 2026-02-27 **Export MCP server portal logs with Logpush** Availability Only available on Enterprise plans. [MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) now supports [Logpush](https://developers.cloudflare.com/logs/logpush/) integration. You can automatically export MCP server portal activity logs to third-party storage destinations or security information and event management (SIEM) tools for analysis and auditing. #### Available log fields The MCP server portal logs dataset includes fields such as: * `Datetime` — Timestamp of the request * `PortalID` / `PortalAUD` — Portal identifiers * `ServerID` / `ServerURL` — Upstream MCP server details * `Method` — JSON-RPC method (for example, `tools/call`, `prompts/get`, `resources/read`) * `ToolCallName` / `PromptGetName` / `ResourceReadURI` — Method-specific identifiers * `UserID` / `UserEmail` — Authenticated user information * `Success` / `Error` — Request outcome * `ServerResponseDurationMs` — Response time from upstream server For the complete field reference, refer to [MCP portal logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/mcp%5Fportal%5Flogs/). #### Set up Logpush To configure Logpush for MCP server portal logs, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). Note MCP server portals is currently in beta. ## 2026-02-17 **Streamlined clientless browser isolation for private applications** A new **Allow clientless access** setting makes it easier to connect users without a device client to internal applications, without using public DNS. ![Allow clientless access setting in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/allow-clientless-access.BHKwQuVt_1mLRiX.webp) Previously, to provide clientless access to a private hostname or IP without a [published application](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/#add-a-published-application-route), you had to create a separate [bookmark application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/) pointing to a prefixed [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL (for example, `https://.cloudflareaccess.com/browser/https://10.0.0.1/`). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application. Now, you can manage clientless access directly within your [private self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). When **Allow clientless access** is turned on, users who pass your Access application policies will see a tile in their App Launcher pointing to the prefixed URL. Users must have [remote browser permissions](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) to open the link. ## 2026-02-17 **Policies for bookmark applications** You can now assign [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to [bookmark applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/). This lets you control which users see a bookmark in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) based on identity, device posture, and other policy rules. Previously, bookmark applications were visible to all users in your organization. With policy support, you can now: * **Tailor the App Launcher to each user** — Users only see the applications they have access to, reducing clutter and preventing accidental clicks on irrelevant resources. * **Restrict visibility of sensitive bookmarks** — Limit who can view bookmarks to internal tools or partner resources based on group membership, identity provider, or device posture. Bookmarks support all [Access policy configurations](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) except purpose justification, temporary authentication, and application isolation. If no policy is assigned, the bookmark remains visible to all users (maintaining backwards compatibility). For more information, refer to [Add bookmarks](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/). ## 2026-02-13 **Fine-grained permissions for Access policies and service tokens** Fine-grained permissions for **Access policies** and **Access service tokens** are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources. #### New roles * **Cloudflare Access policy admin**: Can edit a specific [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) in an account. * **Cloudflare Access service token admin**: Can edit a specific [Access service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) in an account. These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets. For more information: * [Resource-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#resource-scoped-roles) * [Role scopes](https://developers.cloudflare.com/fundamentals/manage-members/scope/) Note Resource-scoped roles is currently in beta. ## 2026-01-22 **Require Access protection for zones** You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked. This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed. ![Require Cloudflare Access protection in the dashboard](https://developers.cloudflare.com/_astro/require-cloudflare-access-protection.BAUmTYOs_ZxNecb.webp) #### How it works * **Blocked by default**: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname. * **Explicit access required**: To allow traffic, create an Access application with an Allow or Bypass policy. * **Hostname exemptions**: You can exempt specific hostnames from this requirement. To turn on this feature, refer to [Require Access protection](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/require-access-protection/). ## 2026-01-22 **New granular API token permissions for Cloudflare Access** Three new API token permissions are available for Cloudflare Access, giving you finer-grained control when building automations and integrations: * **Access: Organizations Revoke** — Grants the ability to [revoke user sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#revoke-user-sessions) in a Zero Trust organization. Use this permission when you need a token that can terminate active sessions without broader write access to organization settings. * **Access: Population Read** — Grants read access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that only need to read synced user and group data. * **Access: Population Write** — Grants write access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that need to create or modify synced user and group data. These permissions are scoped at the account level and can be combined with existing Access permissions. For a full list of available permissions, refer to [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/). ## 2026-01-08 **Cloudflare admin activity logs capture creation of DNS over HTTP (DoH) users** Cloudflare [admin activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) now capture each time a [DNS over HTTP (DoH) user](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/) is created. These logs can be viewed from the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com/), pulled via the [Cloudflare API](https://developers.cloudflare.com/api/), and exported through [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## 2025-11-14 **Generate Cloudflare Access SSH certificate authority (CA) directly from the Cloudflare dashboard** SSH with [Cloudflare Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) allows you to use short-lived SSH certificates to eliminate SSH key management and reduce security risks associated with lost or stolen keys. Previously, users had to generate this certificate by using the [Cloudflare API ↗](https://developers.cloudflare.com/api/) directly. With this update, you can now create and manage this certificate in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com) from the **Access controls** \> **Service credentials** page. ![Navigate to Access controls and then Service credentials to see where you can generate an SSH CA](https://developers.cloudflare.com/_astro/SSH-CA-generation.DYa9RnX1_ZKuDAo.webp) For more details, refer to [Generate a Cloudflare SSH CA](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#generate-a-cloudflare-ssh-ca). ## 2025-10-28 **Access private hostname applications support all ports/protocols** [Cloudflare Access for private hostname applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) can now secure traffic on all ports and protocols. Previously, applying Zero Trust policies to private applications required the application to use HTTPS on port `443` and support Server Name Indicator (SNI). This update removes that limitation. As long as the application is reachable via a Cloudflare off-ramp, you can now enforce your critical security controls — like single sign-on (SSO), MFA, device posture, and variable session lengths — to any private application. This allows you to extend Zero Trust security to services like SSH, RDP, internal databases, and other non-HTTPS applications. ![Example private application on non-443 port](https://developers.cloudflare.com/_astro/internal_private_app_any_port.DNXnEy0u_2rybRJ.webp) For example, you can now create a self-hosted application in Access for `ssh.testapp.local` running on port `22`. You can then build a policy that only allows engineers in your organization to connect after they pass an SSO/MFA check and are using a corporate device. This feature is generally available across all plans. ## 2025-10-02 **Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta** Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources. #### What's New * **[Access Applications ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications. * **[Identity Providers ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/)**: Grant admin permissions to individual Identity Providers. * **[Targets ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets ![Updated Permissions Policy UX](https://developers.cloudflare.com/_astro/2025-10-01-fine-grained-permissioning-ux.BWVmQsVF_Z1p4MJh.webp) Note During the public beta, members must also be assigned an account-scoped, read only role to view resources in the dashboard. This restriction will be lifted in a future release. * **Account Read Only** plus a fine-grained permission for a specific App, IdP, or Target * **Cloudflare Zero Trust Read Only** plus fine-grained permission for a specific App, IdP, or Target For more info: * [Get started with Cloudflare Permissioning](https://developers.cloudflare.com/fundamentals/manage-members/roles/) * [Manage Member Permissioning via the UI & API](https://developers.cloudflare.com/fundamentals/manage-members/manage) ## 2025-09-22 **Access Remote Desktop Protocol (RDP) destinations securely from your browser — now generally available!** [Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients. Since we announced our [open beta](https://developers.cloudflare.com/changelog/access/#2025-06-30), we've made a few improvements: * Support for targets with IPv6. * Support for [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) as on-ramps. * More robust error messaging on the login page to help you if you encounter an issue. * Worldwide keyboard support. Whether your day-to-day is in Portuguese, Chinese, or something in between, your browser-based RDP experience will look and feel exactly like you are using a desktop RDP client. * Cleaned up some other miscellaneous issues, including but not limited to enhanced support for Entra ID accounts and support for usernames with spaces, quotes, and special characters. As a refresher, here are some benefits browser-based RDP provides: * **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies. * **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event. * **Eliminate the need to install and manage software on user devices**. You will only need a web browser. * **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks. ![Example of a browser-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp) To get started, refer to [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/). ## 2025-08-26 **Manage and restrict access to internal MCP servers with Cloudflare Access** You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). [Self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes. For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog. ## 2025-08-26 **MCP server portals** ![MCP server portal](https://developers.cloudflare.com/_astro/mcp-server-portal.BOKqTCoI_ZXYCcF.webp) An [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include: * **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth. * **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be. * **Observability**: Once the user's AI agent is connected to the portal, Cloudflare Access logs the indiviudal requests made using the tools in the portal. This is available in an open beta for all customers across all plans! For more information check out our [blog ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) for this release. ## 2025-08-15 **SFTP support for SSH with Cloudflare Access for Infrastructure** [SSH with Cloudflare Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) now supports SFTP. It is compatible with SFTP clients, such as Cyberduck. ## 2025-08-14 **Cloudflare Access Logging supports the Customer Metadata Boundary (CMB)** Cloudflare Access logs now support the [Customer Metadata Boundary (CMB)](https://developers.cloudflare.com/data-localization/metadata-boundary/). If you have configured the CMB for your account, all Access logging will respect that configuration. Note For EU CMB customers, the logs will not be stored by Access and will appear as empty in the dashboard. EU CMB customers should utilize [Logpush](https://developers.cloudflare.com/logs/logpush/) to retain their Access logging, if desired. ## 2025-07-01 **Access RDP securely from your browser — now in open beta** [Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients. With browser-based RDP, you can: * **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies. * **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event. * **Eliminate the need to install and manage software on user devices**. You will only need a web browser. * **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks. ![Example of a browsed-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp) To get started, see [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/). ## 2025-06-05 **Cloudflare One Analytics Dashboards and Exportable Access Report** Cloudflare One now offers powerful new analytics dashboards to help customers easily discover available insights into their application access and network activity. These dashboards provide a centralized, intuitive view for understanding user behavior, application usage, and security posture. !\[Cloudflare One Analytics Dashboards\](\~/assets/images/changelog/cloudflare-one/Analytics Dashboards.png) Additionally, a new exportable access report is available, allowing customers to quickly view high-level metrics and trends in their application access. A **preview** of the report is shown below, with more to be found in the report: ![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/access-report.C744W7JR_2uzMcN.webp) Both features are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control. ## 2025-05-16 **New Access Analytics in the Cloudflare One Dashboard** A new Access Analytics dashboard is now available to all Cloudflare One customers. Customers can apply and combine multiple filters to dive into specific slices of their Access metrics. These filters include: * Logins granted and denied * Access events by type (SSO, Login, Logout) * Application name (Salesforce, Jira, Slack, etc.) * Identity provider (Okta, Google, Microsoft, onetimepin, etc.) * Users (`chris@cloudflare.com`, `sally@cloudflare.com`, `rachel@cloudflare.com`, etc.) * Countries (US, CA, UK, FR, BR, CN, etc.) * Source IP address * App type (self-hosted, Infrastructure, RDP, etc.) ![Access Analytics](https://developers.cloudflare.com/_astro/accessanalytics.DYXgwZCl_Z2PPi7.webp) To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Analytics in the side navigation bar. ## 2025-04-21 **Access bulk policy tester** The [Access bulk policy tester](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable). ![Example policy tester](https://developers.cloudflare.com/_astro/example-policy-tester.DCY8hQvx_2nxAfs.webp) ## 2025-04-09 **Cloudflare Zero Trust SCIM User and Group Provisioning Logs** [Cloudflare Zero Trust SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions. SCIM logs can be found on the Zero Trust Dashboard under **Logs** \-> **SCIM provisioning**. ![Example SCIM Logs](https://developers.cloudflare.com/_astro/example-scim-log.Bv5Zqckh_BY26C.webp) ## 2025-03-03 **New SAML and OIDC Fields and SAML transforms for Access for SaaS** [Access for SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications. **SAML and OIDC Field Additions** OIDC apps now include: * Group Filtering via RegEx * OIDC Claim mapping from an IdP * OIDC token lifetime control * Advanced OIDC auth flows including hybrid and implicit flows ![OIDC field additions](https://developers.cloudflare.com/_astro/oidc-claims.2di8l9Lv_ZrD1mx.webp) SAML apps now include improved SAML attribute mapping from an IdP. ![SAML field additions](https://developers.cloudflare.com/_astro/saml-attribute-statements.CW45j5Qi_1ydeSQ.webp) **SAML transformations** SAML identities sent to Access applications can be fully customized using JSONata expressions. This allows admins to configure the precise identity SAML statement sent to a SaaS application. ![Configured SAML statement sent to application](https://developers.cloudflare.com/_astro/transformation-box.DyKn-DdN_2rtirg.webp) ## 2025-01-15 **Export SSH command logs with Access for Infrastructure using Logpush** Availability Only available on Enterprise plans. Cloudflare now allows you to send SSH command logs to storage destinations configured in [Logpush](https://developers.cloudflare.com/logs/logpush/), including third-party destinations. Once exported, analyze and audit the data as best fits your organization! For a list of available data fields, refer to the [SSH logs dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/). To set up a Logpush job, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). ## 2024-10-01 **Eliminate long-lived credentials and enhance SSH security with Cloudflare Access for Infrastructure** Organizations can now eliminate long-lived credentials from their SSH setup and enable strong multi-factor authentication for SSH access, similar to other Access applications, all while generating access and command logs. SSH with [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: [WARP-to-Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client/). SSH with Access for Infrastructure enables you to: * **Author fine-grained policy** to control who may access your SSH servers, including specific ports, protocols, and SSH users. * **Monitor infrastructure access** with Access and SSH command logs, supporting regulatory compliance and providing visibility in case of security breach. * **Preserve your end users' workflows.** SSH with Access for Infrastructure supports native SSH clients and does not require any modifications to users’ SSH configs. ![Example of an infrastructure Access application](https://developers.cloudflare.com/_astro/infrastructure-app.BhpJOgxs_Z1M0wLH.webp) To get started, refer to [SSH with Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). ## 2025-02-12 **Access policies support filtering** You can now filter Access policies by their action, selectors, rule groups, and assigned applications. ## 2025-02-11 **Private self-hosted applications and reusable policies GA** [Private self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) and [reusable Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) are now generally available (GA) for all customers. ## 2025-01-21 **Access Applications support private hostnames/IPs and reusable Access policies.** Cloudflare Access self-hosted applications can now be defined by [private IPs](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/), [private hostnames](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) (on port 443) and [public hostnames](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). Additionally, we made Access policies into their own object which can be reused across multiple applications. These updates involved significant updates to the overall Access dashboard experience. The updates will be slowly rolled out to different customer cohorts. If you are an Enterprise customer and would like early access, reach out to your account team. ## 2025-01-15 **Logpush for SSH command logs** Enterprise customers can now use Logpush to export SSH command logs for Access for Infrastructure targets. ## 2024-12-04 **SCIM GA for Okta and Microsoft Entra ID** Cloudflare's SCIM integrations with [Okta](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/#synchronize-users-and-groups) and [Microsoft Entra ID](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#synchronize-users-and-groups) (formerly AzureAD) are now out of beta and generally available (GA) for all customers. These integrations can be used for Access and Gateway policies and Zero Trust user management. Note: This GA release does not include [Dashboard SSO SCIM](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/) support. ## 2024-10-23 **SSH with Access for Infrastructure** Admins can now use [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) to manage privileged access to SSH servers. Access for Infrastructure provides improved control and visibility over who accessed what service and what they did during their SSH session. Access for Infrastructure also eliminates the risk and overhead associated with managing SSH keys by using short-lived SSH certificates to access SSH servers. ## 2024-08-26 **Reduce automatic seat deprovisioning minimum to 1 month, down from 2 months.** Admins can now configure Zero Trust seats to [automatically expire](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#enable-seat-expiration) after 1 month of user inactivity. The previous minimum was 2 months. ## 2024-06-06 **Scalability improvements to the App Launcher** Applications now load more quickly for customers with a large number of applications or complex policies. ## 2024-04-28 **Add option to bypass CORS to origin server** Access admins can [defer all CORS enforcement to their origin server](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/#bypass-options-requests-to-origin) for specific Access applications. ## 2024-04-15 **Zero Trust User identity audit logs** All user identity changes via SCIM or Authentication events are logged against a user's registry identity. ## 2024-02-22 **Access for SaaS OIDC Support** Access for SaaS applications can be setup with OIDC as an authentication method. OIDC and SAML 2.0 are now both fully supported. ## 2024-02-22 **WARP as an identity source for Access** Allow users to log in to Access applications with their WARP session identity. Users need to reauthenticate based on default session durations. WARP authentication identity must be turned on in your device enrollment permissions and can be enabled on a per application basis. ## 2023-12-20 **Unique Entity IDs in Access for SaaS** All new Access for SaaS applications have unique Entity IDs. This allows for multiple integrations with the same SaaS provider if required. The unique Entity ID has the application audience tag appended. Existing apps are unchanged. ## 2023-12-15 **Default relay state support in Access for SaaS** Allows Access admins to set a default relay state on Access for SaaS apps. ## 2023-09-15 **App launcher supports tags and filters** Access admins can now tag applications and allow users to filter by those tags in the App Launcher. ## 2023-09-15 **App launcher customization** Allow Access admins to configure the App Launcher page within Zero Trust. ## 2023-09-15 **View active Access user identities in the dashboard and API** Access admins can now view the full contents of a user's identity and device information for all active application sessions. ## 2023-09-08 **Custom OIDC claims for named IdPs** Access admins can now add custom claims to the existing named IdP providers. Previously this was locked to the generic OIDC provider. ## 2023-08-02 **Azure AD authentication contexts** Support Azure AD authentication contexts directly in Access policies. ## 2023-06-23 **Custom block pages for Access applications** Allow Access admins to customize the block pages presented by Access to end users. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/access/","name":"Access"}}]} ``` --- --- title: Browser Isolation description: Review recent changes to Cloudflare Browser Isolation. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/browser-isolation.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Browser Isolation [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/browser-isolation.xml) ## 2025-05-13 **SAML HTTP-POST bindings support for RBI** Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused `405` errors during login and improves compatibility with multi-factor authentication (MFA) flows. With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/). ## 2025-05-01 **Browser Isolation Overview page for Zero Trust** A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) deployments, providing: * **Streamlined Onboarding:** Easily set up and manage isolation policies from one location. * **Quick Testing:** Validate [clientless web application isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) with ease. * **Simplified Configuration:** Configure [isolated access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/) and policies efficiently. * **Centralized Monitoring:** Track aggregate usage and blocked actions. This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively. ![Browser Isolation Overview](https://developers.cloudflare.com/_astro/browser-isolation-overview.Ljd5ax_O_Z1SURww.webp) To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Browser Isolation in the side navigation bar. ## 2025-03-04 **Gain visibility into user actions in Zero Trust Browser Isolation sessions** We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) through [Logpush](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today! With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session. ``` { "AccountID": "$ACCOUNT_ID", "Decision": "block", "DomainName": "www.example.com", "Timestamp": "2025-02-27T23:15:06Z", "Type": "copy", "UserID": "$USER_ID" } ``` User Actions available: * **Copy & Paste** * **Downloads & Uploads** * **Printing** Learn more about how to get started with Logpush in our [documentation](https://developers.cloudflare.com/logs/logpush/). ## 2024-11-21 **Improved non-English keyboard support** You can now type in languages that use diacritics (like á or ç) and character-based scripts (such as Chinese, Japanese, and Korean) directly within the remote browser. The isolated browser now properly recognizes non-English keyboard input, eliminating the need to copy and paste content from a local browser or device. ## 2024-03-21 **Removed third-party cookie dependencies** Removed dependency on third-party cookies in the isolated browser, fixing an issue that previously caused intermittent disruptions for users maintaining multi-site, cross-tab sessions in the isolated browser. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/browser-isolation/","name":"Browser Isolation"}}]} ``` --- --- title: CASB description: Review recent changes to Cloudflare CASB. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/casb.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # CASB [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/casb.xml) ## 2026-02-20 **Understand CASB findings instantly with Cloudy Summaries** You can now easily understand your SaaS security posture findings and why they were detected with **Cloudy Summaries in CASB**. This feature integrates Cloudflare's Cloudy AI directly into your CASB Posture Findings to automatically generate clear, plain-language summaries of complex security misconfigurations, third-party app risks, and data exposures. This allows security teams and IT administrators to drastically reduce triage time by immediately understanding the context, potential impact, and necessary remediation steps for any given finding—without needing to be an expert in every connected SaaS application. To view a summary, simply navigate to your Posture Findings in the Cloudflare One dashboard (under **Cloud and SaaS findings**) and open the finding details of a specific instance of a Finding. Cloudy Summaries are supported on all available integrations, including Microsoft 365, Google Workspace, Salesforce, GitHub, AWS, Slack, and Dropbox. See the full list of supported integrations [here](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/). #### Key capabilities * **Contextual explanations** — Quickly understand the specifics of a finding with plain-language summaries detailing exactly what was detected, from publicly shared sensitive files to risky third-party app scopes. * **Clear risk assessment** — Instantly grasp the potential security impact of the finding, such as data breach risks, unauthorized account access, or email spoofing vulnerabilities. * **Actionable guidance** — Get clear recommendations and next steps on how to effectively remediate the issue and secure your environment. * **Built-in feedback** — Help improve future AI summarization accuracy by submitting feedback directly using the thumbs-up and thumbs-down buttons. #### Learn more * Learn more about managing [CASB Posture Findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/) in Cloudflare. Cloudy Summaries in CASB are available to all Cloudflare CASB users today. ## 2025-11-14 **New SaaS Security weekly digests with API CASB** You can now stay on top of your SaaS security posture with the new **CASB Weekly Digest** notification. This opt-in email digest is delivered to your inbox every Monday morning and provides a high-level summary of your organization's Cloudflare API CASB findings from the previous week. This allows security teams and IT administrators to get proactive, at-a-glance visibility into new risks and integration health without having to log in to the dashboard. To opt in, navigate to **Manage Account** \> **Notifications** in the Cloudflare dashboard to configure the **CASB Weekly Digest** alert type. #### Key capabilities * **At-a-glance summary** — Review new high/critical findings, most frequent finding types, and new content exposures from the past 7 days. * **Integration health** — Instantly see the status of all your connected SaaS integrations (Healthy, Unhealthy, or Paused) to spot API connection issues. * **Proactive alerting** — The digest is sent automatically to all subscribed users every Monday morning. * **Easy to configure** — Users can opt in by enabling the notification in the Cloudflare dashboard under **Manage Account** \> **Notifications**. #### Learn more * Configure [notification preferences](https://developers.cloudflare.com/notifications/) in Cloudflare. The CASB Weekly Digest notification is available to all Cloudflare users today. ## 2025-10-28 **CASB introduces new granular roles** Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams: * **Cloudflare CASB Read:** Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights. * **Cloudflare CASB:** Provides full administrative access to configure and manage all aspects of the CASB product. These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the **Super Administrator** or **Administrator** roles. To enable [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/), scans in CASB, account members will need the **Cloudflare Zero Trust** role. You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under **Manage Account** \> **Members**. To learn more about managing roles and permissions, refer to the [Manage account members and roles documentation](https://developers.cloudflare.com/fundamentals/manage-members/roles/). ## 2025-08-26 **New CASB integrations for ChatGPT, Claude, and Gemini** [Cloudflare CASB ↗](https://www.cloudflare.com/zero-trust/products/casb/) now supports three of the most widely used GenAI platforms — **OpenAI ChatGPT**, **Anthropic Claude**, and **Google Gemini**. These API-based integrations give security teams agentless visibility into posture, data, and compliance risks across their organization’s use of generative AI. ![Cloudflare CASB showing selection of new findings for ChatGPT, Claude, and Gemini integrations.](https://developers.cloudflare.com/_astro/casb-ai-integrations-preview.B-zsSA1P_Z1wlfJX.webp) #### Key capabilities * **Agentless connections** — connect ChatGPT, Claude, and Gemini tenants via API; no endpoint software required * **Posture management** — detect insecure settings and misconfigurations that could lead to data exposure * **DLP detection** — identify sensitive data in uploaded chat attachments or files * **GenAI-specific insights** — surface risks unique to each provider’s capabilities #### Learn more * [ChatGPT integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/) * [Claude integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/) * [Gemini integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gemini/) These integrations are available to all Cloudflare One customers today. ## 2025-06-23 **Data Security Analytics in the Zero Trust dashboard** Zero Trust now includes **Data security analytics**, providing you with unprecedented visibility into your organization sensitive data. The new dashboard includes: * **Sensitive Data Movement Over Time:** * See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths. * **Sensitive Data at Rest in SaaS & Cloud:** * View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3). * **DLP Policy Activity:** * Identify which of your Data Loss Prevention (DLP) policies are being triggered most often. * See which specific users are responsible for triggering DLP policies. ![Data Security Analytics](https://developers.cloudflare.com/_astro/cf1-data-security-analytics-v1.BGl6fYXl_H3N0P.webp) To access the new dashboard, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** on the sidebar. ## 2024-11-22 **Find security misconfigurations in your AWS cloud environment** You can now use CASB to find security misconfigurations in your AWS cloud environment using [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/). You can also [connect your AWS compute account](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/#compute-account) to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration. To connect a compute account to your AWS integration: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Integrations**. 2. Find and select your AWS integration. 3. Select **Open connection instructions**. 4. Follow the instructions provided to connect a new compute account. 5. Select **Refresh**. ## 2024-06-03 **Atlassian Bitbucket integration** You can now scan your Bitbucket Cloud workspaces for a variety of contextualized security issues such as source code exposure, admin misconfigurations, and more. ## 2024-05-23 **Data-at-rest DLP for Box and Dropbox** You can now scan your [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/#data-loss-prevention-optional) and [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/#data-loss-prevention-optional) files for DLP matches. ## 2024-04-16 **Export CASB findings to CSV** You can now export all top-level CASB findings or every instance of your findings to CSV. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/casb/","name":"CASB"}}]} ``` --- --- title: Cloudflare Network Firewall description: We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/cloudflare-network-firewall.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Cloudflare Network Firewall [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-network-firewall.xml) ## 2026-02-17 **Cloudflare One Product Name Updates** We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey. We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare. #### What's changing * **Magic WAN** → **Cloudflare WAN** * **Magic WAN IPsec** → **Cloudflare IPsec** * **Magic WAN GRE** → **Cloudflare GRE** * **Magic WAN Connector** → **Cloudflare One Appliance** * **Magic Firewall** → **Cloudflare Network Firewall** * **Magic Network Monitoring** → **Network Flow** * **Magic Cloud Networking** → **Cloudflare One Multi-cloud Networking** **No action is required by you** — all functionality, existing configurations, and billing will remain exactly the same. For more information, visit the [Cloudflare One documentation](https://developers.cloudflare.com/cloudflare-one/). ## 2026-01-15 **Network Services navigation update** The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together. Your existing configurations will remain the same, and you will have access to all of the same features and functionality. The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to [Magic Transit ↗](https://developers.cloudflare.com/magic-transit/), [Magic WAN ↗](https://developers.cloudflare.com/magic-wan/), and [Magic Firewall ↗](https://developers.cloudflare.com/cloudflare-network-firewall/). **Summary of changes:** * A new **Overview** page provides access to the most common tasks across Magic Transit and Magic WAN. * Product names have been removed from top-level navigation. * Magic Transit and Magic WAN configuration is now organized under **Routes** and **Connectors**. For example, you will find IP Prefixes under **Routes**, and your GRE/IPsec Tunnels under **Connectors.** * Magic Firewall policies are now called **Firewall Policies.** * Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as **Appliances** and **Appliance profiles.** They can be found under **Connectors > Appliances.** * Network analytics, network health, and real-time analytics are now available under **Insights.** * Packet Captures are found under **Insights > Diagnostics.** * You can manage your Sites from **Insights > Network health.** * You can find Magic Network Monitoring under **Insights > Network flow**. If you would like to provide feedback, complete [this form ↗](https://forms.gle/htWyjRsTjw1usdis5). You can also find these details in the January 7, 2026 email titled **\[FYI\] Upcoming Network Services Dashboard Navigation Update**. ![Networking Navigation](https://developers.cloudflare.com/_astro/networking-overview-and-navigation.CeMgEFaZ_Z20HKl.webp) ## 2025-03-13 **Cloudflare IP Ranges List** Magic Firewall now supports a new managed list of Cloudflare IP ranges. This list is available as an option when creating a Magic Firewall policy based on IP source/destination addresses. When selecting "is in list" or "is not in list", the option "**Cloudflare IP Ranges**" will appear in the dropdown menu. This list is based on the IPs listed in the Cloudflare [IP ranges ↗](https://www.cloudflare.com/en-gb/ips/). Updates to this managed list are applied automatically. ![Cloudflare IPs Managed List](https://developers.cloudflare.com/_astro/cloudflare-ips.DetyOndL_10JG5B.webp) Note: IP Lists require a Cloudflare Advanced Network Firewall subscription. For more details about Cloudflare Network Firewall plans, refer to [Plans](https://developers.cloudflare.com/cloudflare-network-firewall/plans). ## 2024-10-02 **Search for custom rules using rule name and/or ID** The Magic Firewall dashboard now allows you to search custom rules using the rule name and/or ID. 1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and select your account. 2. Go to **Analytics & Logs** \> **Network Analytics**. 3. Select **Magic Firewall**. 4. Add a filter for **Rule ID**. ![Search for firewall rules with rule IDs](https://developers.cloudflare.com/_astro/search-with-rule-id.DJgzqgKk_2jJ9x8.webp) Additionally, the rule ID URL link has been added to Network Analytics. ## 2024-09-12 **New UI improvements** The dashboard now displays the order number of custom rules, and improved drag and drop functionality. You can also preview rules on a side panel without leaving the current page. ## 2024-08-16 **Cloudflare Network Firewall Analytics Rule Log Enhancement** Customers who create a rule in a disabled mode will see the rule as **Log (rule disabled)**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/cloudflare-network-firewall/","name":"Cloudflare Network Firewall"}}]} ``` --- --- title: Cloudflare One Client description: Review recent changes to the Cloudflare One Client. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/cloudflare-one-client.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Cloudflare One Client Review recent changes to the Cloudflare One Client (formerly WARP). [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-one-client.xml) ## 2026-04-02 **Cloudflare One Client for Windows (version 2026.3.846.0)** A new GA release for the Windows Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. The next stable release for Windows will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. **Changes and improvements** * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. * Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support. * Fixed unnecessary registration deletion caused by RDP connections in multi-user mode. * Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT. * Fixed tunnel failing to connect when the system DNS search list contains unexpected characters. * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. * Fixed initiating managed network detections checks when no network is available, which caused device profile flapping. * Fixed an issue where degraded Windows Management Instrumentation (WMI) state could put the client in a failed connection state loop during initialization. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. This warning will be omitted from future release notes. This Windows update was released in July 2025. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025. * DNS resolution may be broken when the following conditions are all true: * The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while the client is connected. To work around this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. ## 2026-04-02 **Cloudflare One Client for macOS (version 2026.3.846.0)** A new GA release for the macOS Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. The next stable release for macOS will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. **Changes and improvements** * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. * Fixed initiating managed network detections checks when no network is available, which caused device profile flapping. ## 2026-04-02 **Cloudflare One Client for Linux (version 2026.3.846.0)** A new GA release for the Linux Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. The next stable release for Linux will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. **Changes and improvements** * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. * Fixed initiating managed network detections checks when no network is available, which caused device profile flapping. ## 2026-03-10 **WARP client for macOS (version 2026.3.566.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the [Cloudflare Community forum](https://community.cloudflare.com/t/introducing-the-new-cloudflare-one-client-interface/901362) and let us know. **Changes and improvements** * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations. * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms. * Fixed initiating managed network detection checks when no network is available, which caused device profile flapping. **Known issues** * The client may become stuck in a `Connecting` state. To resolve this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. Alternatively, change the client's operation mode. * The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it. * Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client. ## 2026-03-10 **WARP client for Windows (version 2026.3.566.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the [Cloudflare Community forum](https://community.cloudflare.com/t/introducing-the-new-cloudflare-one-client-interface/901362) and let us know. **Changes and improvements** * Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. * Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. * Added monitoring for tunnel statistics collection timeouts. * Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms. * Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support. * Fixed unnecessary registration deletion caused by RDP connections in multi-user mode. * Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT. * Fixed tunnel failing to connect when the system DNS search list contains unexpected characters. * Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. * Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts. * Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations. * Fixed initiating managed network detection checks when no network is available, which caused device profile flapping. **Known issues** * The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client. * An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed. * The client may become stuck in a `Connecting` state. To resolve this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. Alternatively, change the client's operation mode. * The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it. * Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client. * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025. * DNS resolution may be broken when the following conditions are all true: * The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while the client is connected. To work around this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. ## 2026-02-24 **WARP client for Windows (version 2026.1.150.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features. **Changes and improvements** * Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost. * Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/). * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations. * Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode. * Improved service shutdown behavior in cases where the daemon is unresponsive. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2026-02-24 **WARP client for macOS (version 2026.1.150.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. * Fixed an issue with DNS server configuration failures that caused tunnel connection delays. * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations. * Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode. ## 2026-02-24 **WARP client for Linux (version 2026.1.150.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com). **Changes and improvements** * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations. * Fixed issues causing DNS requests to fail with clients in Traffic and DNS mode or DNS only mode. ## 2026-01-27 **WARP client for Windows (version 2026.1.89.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes, improvements, and new features. **Changes and improvements** * Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost. * Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/). * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2026-01-27 **WARP client for macOS (version 2026.1.89.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`. * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard. ## 2026-01-13 **WARP client for Windows (version 2025.10.186.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features. New features include the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/), and a new WARP client device posture check for [Antivirus](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/antivirus/). **Changes and improvements** * Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint. * Fixed an issue that caused occasional audio degradation and increased CPU usage on Windows by optimizing route configurations for large [domain-based split tunnel rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#domain-based-split-tunnels). * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. * Fixed an issue where sending large messages to the daemon by Inter-Process Communication (IPC) could cause the daemon to fail and result in service interruptions. * Added support for a new WARP client device posture check for [Antivirus](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/antivirus/). The check confirms the presence of an antivirus program on a Windows device with the option to check if the antivirus is up to date. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2026-01-13 **WARP client for macOS (version 2025.10.186.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). **Changes and improvements** * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. * Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint. ## 2026-01-13 **WARP client for Linux (version 2025.10.186.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com). **Changes and improvements** * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * Linux [disk encryption posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/disk-encryption/) now supports non-filesystem encryption types like `dm-crypt`. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. * Fixed an issue where the GUI becomes unresponsive when the **Re-Authenticate in browser** button is clicked. * Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint. ## 2025-12-09 **WARP client for Windows (version 2025.10.118.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. * Fixed an issue where sending large messages to the WARP daemon by Inter-Process Communication (IPC) could cause WARP to crash and result in service interruptions. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-12-09 **WARP client for macOS (version 2025.10.118.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly. * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying. ## 2025-11-11 **WARP client for Windows (version 2025.9.558.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues. **Changes and improvements** * Fixed an inconsistency with [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings in multi-user environments when switching between users. * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues. * Fixed an issue where deleting a registration was erroneously reported as having failed. * Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). * Improvements for the [OS version](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/os-version/) WARP client check. Windows Updated Build Revision (UBR) numbers can now be checked by the client to ensure devices have required security patches and features installed. * The WARP client now supports Windows 11 ARM-based machines. For information on known limitations, refer to the [Known limitations page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/known-limitations/#cloudflare-one-client-disconnected-on-windows-arm). **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-11-11 **WARP client for macOS (version 2025.9.558.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues. **Changes and improvements** * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues. * Fixed an issue where deleting a registration was erroneously reported as having failed. * Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-11-11 **WARP client for Linux (version 2025.9.558.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues. WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/). **Changes and improvements** * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues. * Fixed an issue where deleting a registration was erroneously reported as having failed. * Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). ## 2025-10-16 **WARP client for Windows (version 2025.9.173.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues. **Changes and improvements** * Improvements for [Windows multi-user](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/) to maintain the [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) state when switching between users. * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues. * Deleting registrations no longer returns an error when succeeding. * Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-10-16 **WARP client for macOS (version 2025.9.173.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues. **Changes and improvements** * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues. * Deleting registrations no longer returns an error when succeeding. * Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-10-07 **WARP client for Linux (version 2025.8.779.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains significant fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/). **Changes and improvements** * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases. * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-10-07 **WARP client for Windows (version 2025.8.779.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains significant fixes and improvements. **Changes and improvements** * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases. * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-10-07 **WARP client for macOS (version 2025.8.779.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains significant fixes and improvements. **Changes and improvements** * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases. * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-09-30 **WARP client for Windows (version 2025.7.176.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles. * Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving. * Improvement to maintain TCP connections to reduce interruptions in long-lived connections such as RDP or SSH. * Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client). * Improvements to maintain client connectivity during network changes. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-09-30 **WARP client for macOS (version 2025.7.176.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed a bug preventing the `warp-diag captive-portal` command from running successfully due to the client not parsing SSID on macOS. * Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client). * MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles. * Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving. * Improvements to maintain client connectivity during network changes. * The WARP client now supports macOS Tahoe (version 26.0). **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-09-30 **WARP client for Linux (version 2025.7.176.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/). **Changes and improvements** * MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles. * Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving. * Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client). * Improvements to maintain client connectivity during network changes. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-09-10 **WARP client for Windows (version 2025.7.106.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements including enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity. **Changes and improvements** * Enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity. * Improvement to keep TCP connections up the first time WARP connects on devices so that remote desktop sessions (such as RDP or SSH) continue to work. * Improvements to maintain Global WARP Override settings when switching between organization configurations. * The [MASQUE protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) is now the default protocol for all new WARP device profiles. * Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-09-10 **WARP client for macOS (version 2025.7.106.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements including enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity. **Changes and improvements** * Enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity. * Fixed a bug preventing the `warp-diag captive-portal` command from running successfully due to the client not parsing SSID on macOS. * Improvements to maintain Global WARP Override settings when switching between organization configurations. * The [MASQUE protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) is now the default protocol for all new WARP device profiles. * Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-08-29 **Cloudflare One WARP Diagnostic AI Analyzer** We're excited to share a new AI feature, the [WARP diagnostic analyzer ↗](https://blog.cloudflare.com/AI-troubleshoot-warp-and-network-connectivity-issues/), to help you troubleshoot and resolve WARP connectivity issues faster. This beta feature is now available in the [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) to all users. The AI analyzer makes it easier for you to identify the root cause of client connectivity issues by parsing [remote captures](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#start-a-remote-capture) of [WARP diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs). The WARP diagnostic analyzer provides a summary of impact that may be experienced on the device, lists notable events that may contribute to performance issues, and recommended troubleshooting steps and articles to help you resolve these issues. Refer to [WARP diagnostics analyzer (beta)](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#diagnostics-analyzer-beta) to learn more about how to maximize using the WARP diagnostic analyzer to troubleshoot the WARP client. ## 2025-08-21 **WARP client for Windows (version 2025.6.1400.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for pre-login for multi-user for the 2025.6.1135.0 release. **Changes and improvements** * Fixes an issue where new pre-login registrations were not being properly created. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, please reconnect the WARP client by toggling off and back on. ## 2025-08-19 **WARP client for Windows (version 2025.6.1335.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Improvements to better manage multi-user pre-login registrations. * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement for faster client connectivity on high-latency captive portal networks. * Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-08-19 **WARP client for macOS (version 2025.6.1335.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement for faster client connectivity on high-latency captive portal networks. * Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-08-19 **WARP client for Linux (version 2025.6.1335.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement for faster client connectivity on high-latency captive portal networks. * Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-07-24 **WARP client for Windows (version 2025.6.824.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * Improvements to better manage multi-user pre-login registrations. * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement to managed network detection checks for faster switching between managed networks. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-07-24 **WARP client for macOS (version 2025.6.824.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains minor fixes and improvements. **Changes and improvements** * Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected. * Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect. * Improvement to managed network detection checks for faster switching between managed networks. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-07-23 **WARP client for Windows (version 2025.5.943.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect. * Changes to the [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) feature to no longer restart the SMS Agent Host (`ccmexec.exe`) service. * Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-07-23 **WARP client for macOS (version 2025.5.943.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect. * Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client. * For macOS deployments, the WARP client can now be managed using an `mdm.xml` file placed in `/Library/Application Support/Cloudflare/mdm.xml`. This new configuration option offers an alternative to the still supported method of deploying a managed plist through an MDM solution. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-07-23 **WARP client for Linux (version 2025.5.943.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains minor fixes and improvements. **Changes and improvements** * WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect. * Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-06-30 **WARP client for Windows (version 2025.5.893.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains improvements and new exciting features, including [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) and [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed a device registration issue that caused WARP connection failures when changing networks. * Captive portal improvements and fixes: * Captive portal sign in notifications will now be sent through operating system notification services. * Fix for firewall configuration issue affecting clients in DoH only mode. * Improved the connectivity status message in the client GUI. * Fixed a bug affecting clients in Gateway with DoH mode where the original DNS servers were not restored after disabling WARP. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to handle client configuration changes made by an MDM while WARP is not running. * Improvements for multi-user experience to better handle fast user switching and transitions from a pre-login to a logged-in state. * Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/). * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. * Added [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable. * Fix for an issue causing WARP connectivity to fail without full system reboot. **Known issues** * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5060829](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-06-30 **WARP client for macOS (version 2025.5.893.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed an issue where WARP sometimes failed to automatically relaunch after updating. * Fixed a device registration issue causing WARP connection failures when changing networks. * Captive portal improvements and fixes: * Captive portal sign in notifications will now be sent through operating system notification services. * Fix for firewall configuration issue affecting clients in DoH only mode. * Improved the connectivity status message in the client GUI. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to handle client configuration changes made by an MDM while WARP is not running. * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. * Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations. * Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/). **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-06-30 **WARP client for Linux (version 2025.5.893.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed a device registration issue causing WARP connection failures when changing networks. * Captive portal improvements and fixes: * Captive portal sign in notifications will now be sent through operating system notification services. * Fix for firewall configuration issue affecting clients in DoH only mode. * Improved the connectivity status message in the client GUI. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to handle client configuration changes made by MDM while WARP is not running. * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. * Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/). **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-06-30 **Cloudflare One Agent for Android (version 2.4.2)** A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate [protection of post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * QLogs are now disabled by default and can be enabled in the app by turning on **Enable qlogs** under **Settings** \> **Advanced** \> **Diagnostics** \> **Debug Logs**. The QLog setting from previous releases will no longer be respected. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * The WARP client now applies [post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by [MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Fixed an issue that caused WARP connection failures on ChromeOS devices. ## 2025-06-30 **Cloudflare One Agent for iOS (version 1.11)** A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate [protection of post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * QLogs are now disabled by default and can be enabled in the app by turning on **Enable qlogs** under **Settings** \> **Advanced** \> **Diagnostics** \> **Debug Logs**. The QLog setting from previous releases will no longer be respected. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * The WARP client now applies [post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by [MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). ## 2025-06-17 **WARP client for Windows (version 2025.5.828.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1. **Changes and improvements** * Improvement to better handle multi-user fast user switching. * Fix for an issue causing WARP connectivity to fail without full system reboot. **Known issues** * Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-06-17 **WARP client for macOS (version 2025.5.828.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1. **Changes and improvements** * Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-06-05 **WARP client for Windows (version 2025.5.735.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains improvements and new exciting features, including [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) and [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed a device registration issue causing WARP connection failures when changing networks. * Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in. * Fixed a bug where in Gateway with DoH mode, connection to DNS servers was not automatically restored after reconnecting WARP. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to gracefully handle changes made by MDM while WARP is not running. * Improvement for multi-user mode to avoid unnecessary key rotations when transitioning from a pre-login to a logged-in state. * Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/). * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. * Added [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable. **Known issues** * Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-06-05 **WARP client for macOS (version 2025.5.735.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems. **Changes and improvements** * Fixed an issue where the Cloudflare WARP application may not have automatically relaunched after an update. * Fixed a device registration issue causing WARP connection failures when changing networks. * Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in. * The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). * Improvement to gracefully handle changes made by MDM while WARP is not running. * Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-05-22 **WARP client for Windows (version 2025.4.943.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release. **Changes and improvements** * Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release. **Known issues** * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. * Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. ## 2025-05-22 **WARP client for macOS (version 2025.4.943.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release. **Changes and improvements** * Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-05-22 **WARP client for Linux (version 2025.4.943.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release. **Changes and improvements** * Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-05-14 **WARP client for Windows (version 2025.4.929.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains two significant changes all customers should be aware of: 1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip). 2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks. **Changes and improvements** * Fixed an issue causing reconnection loops when captive portals are detected. * Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names. * Fixed an issue where managed network policies could incorrectly report network location beacons as missing. * Improved DEX test error reporting. * Fixed an issue where some parts of the WARP Client UI were missing in high contrast mode. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met. * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. * Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect. * Fixed an issue causing WARP connection disruptions after network changes. **Known issues** * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. * Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July. * Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. ## 2025-05-12 **WARP client for Linux (version 2025.4.929.0)** A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains two significant changes all customers should be aware of: 1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip). 2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks. **Changes and improvements** * Fixed an issue where the managed network policies could incorrectly report network location beacons as missing. * Improved DEX test error reporting. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect. * Fixed an issue causing WARP connection disruptions after network changes. **Known issues** * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server). ## 2025-05-12 **WARP client for macOS (version 2025.4.929.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains two significant changes all customers should be aware of: 1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip). 2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks. **Changes and improvements** * Fixed an issue where the managed network policies could incorrectly report network location beacons as missing. * Improved DEX test error reporting. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Improved captive portal detection. * Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met. * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. * Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect. * Fixed an issue causing WARP connection disruptions after network changes. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-04-22 **WARP client for Windows (version 2025.4.589.1)** A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). **Changes and improvements** * Fixed an issue causing reconnection loops when captive portals are detected. * Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names. * Fixed an issue where managed network policies could incorrectly report network location beacons as missing. * Improved error reporting for DEX tests. * Improved WARP client UI high contrast mode. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met. * Added a [Collect Captive Portal Diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics. * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. **Known issues** * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-04-22 **WARP client for macOS (version 2025.4.589.1)** A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). **Changes and improvements** * Fixed an issue where managed network policies could incorrectly report network location beacons as missing. * Improved DEX test error reporting. * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile. * Improved captive portal detection. * Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE. * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs. * DNS over HTTPS traffic is now included in the WARP tunnel by default. * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met. * Added a [Collect Captive Portal Diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics. * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments. * Fixed an issue where frequent network changes could cause WARP to become unresponsive. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-04-08 **WARP client for Windows (version 2025.2.664.0)** A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for captive portal detection for the 2025.2.600.0 release. **Changes and improvements** * Fix to reduce the number of browser tabs opened during captive portal logins. **Known issues** * DNS resolution may be broken when the following conditions are all true: * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode. * A custom DNS server address is configured on the primary network adapter. * The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on. ## 2025-04-08 **WARP client for macOS (version 2025.2.664.0)** A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release contains a hotfix for captive portal detection and PF state tables for the 2025.2.600.0 release. **Changes and improvements** * Fix to reduce the number of browser tabs opened during captive portal logins. * Improvement to exclude local DNS traffic entries from PF state table to reduce risk of connectivity issues from exceeding table capacity. **Known issues** * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later. ## 2025-03-17 **Cloudflare One Agent for Android (version 2.4)** A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements. **Changes and improvements** * Improved in-app error messages. * Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url). * Fixed an issue preventing admin split tunnel settings taking priority for traffic from certain applications. ## 2025-03-17 **Cloudflare One Agent for iOS (version 1.10)** A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements. **Changes and improvements** * Improved in-app error messages. * Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url). * Bug fixes and performance improvements. ## 2024-06-16 **Explore product updates for Cloudflare One** Welcome to your new home for product updates on [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/). Our [new changelog](https://developers.cloudflare.com/changelog/) lets you read about changes in much more depth, offering in-depth examples, images, code samples, and even gifs. If you are looking for older product updates, refer to the following locations. Older product updates * [Access](https://developers.cloudflare.com/cloudflare-one/changelog/access/) * [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/changelog/browser-isolation/) * [CASB](https://developers.cloudflare.com/cloudflare-one/changelog/casb/) * [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/changelog/tunnel/) * [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/changelog/dlp/) * [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/changelog/dex/) * [Email security](https://developers.cloudflare.com/cloudflare-one/changelog/email-security/) * [Gateway](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/) * [Multi-Cloud Networking](https://developers.cloudflare.com/multi-cloud-networking/changelog/) * [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/changelog/) * [Magic Network Monitoring](https://developers.cloudflare.com/network-flow/changelog/) * [Magic Transit](https://developers.cloudflare.com/magic-transit/changelog/) * [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/changelog/) * [Network Interconnect](https://developers.cloudflare.com/network-interconnect/changelog/) * [Risk score](https://developers.cloudflare.com/cloudflare-one/changelog/risk-score/) * [Cloudflare One Client](https://developers.cloudflare.com/changelog/cloudflare-one-client/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/cloudflare-one-client/","name":"Cloudflare One Client"}}]} ``` --- --- title: Digital Experience Monitoring description: Review recent changes to Digital Experience Monitoring. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/dex.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Digital Experience Monitoring [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/dex.xml) ## 2026-02-19 **DEX Supports EU Customer Metadata Boundary** [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into [WARP](https://developers.cloudflare.com/warp-client/) device connectivity and performance to any internal or external application. Now, all DEX logs are fully compatible with Cloudflare's [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/) (CMB) setting for the 'EU' (European Union), which ensures that DEX logs will not be stored outside the 'EU' when the option is configured. If a Cloudflare One customer using DEX enables CMB 'EU', they will not see any DEX data in the Cloudflare One dashboard. Customers can ingest DEX data via [LogPush](https://developers.cloudflare.com/logs/logpush/), and build their own analytics and dashboards. If a customer enables CMB in their account, they will see the following message in the Digital Experience dashboard: "DEX data is unavailable because Customer Metadata Boundary configuration is on. Use Cloudflare LogPush to export DEX datasets." ![Digital Experience Monitoring message when Customer Metadata Boundary for the EU is enabled](https://developers.cloudflare.com/_astro/dex_supports_cmb.6YOLXjHN_ZJh3uv.webp) ## 2025-11-12 **DEX Logpush jobs** [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into WARP device metrics, connectivity, and network performance across your Cloudflare SASE deployment. We've released four new WARP and DEX device data sets that can be exported via [Cloudflare Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). These Logpush data sets can be exported to R2, a cloud bucket, or a SIEM to build a customized logging and analytics experience. 1. [DEX Application Tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) 2. [DEX Device State Events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fdevice%5Fstate%5Fevents/) 3. [WARP Config Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Fconfig%5Fchanges/) 4. [WARP Toggle Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Ftoggle%5Fchanges/) To create a new DEX or WARP Logpush job, customers can go to the account level of the Cloudflare dashboard > Analytics & Logs > Logpush to get started. ![DEX logpush job creation dashboard](https://developers.cloudflare.com/_astro/dex_logpush_datasets.CtCk36pX_Z1tuyHu.webp) ## 2025-08-29 **DEX MCP Server** [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device connectivity and performance across your Cloudflare SASE deployment. We've released an MCP server [(Model Context Protocol) ↗](https://cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) for DEX. The DEX MCP server is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly‌@acme.com", and receive an answer that contains data from the DEX API. Any Cloudflare One customer using a Free, PayGo, or Enterprise account can access the DEX MCP Server. This feature is available to everyone. Customers can test the new DEX MCP server in less than one minute. To learn more, read the [DEX MCP server documentation](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/). ## 2025-03-07 **Cloudflare One Agent now supports Endpoint Monitoring** [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device, network, and application performance across your Cloudflare SASE deployment. The latest release of the Cloudflare One agent (v2025.1.861) now includes device endpoint monitoring capabilities to provide deeper visibility into end-user device performance which can be analyzed directly from the dashboard. Device health metrics are now automatically collected, allowing administrators to: * View the last network a user was connected to * Monitor CPU and RAM utilization on devices * Identify resource-intensive processes running on endpoints ![Device endpoint monitoring dashboard](https://developers.cloudflare.com/_astro/cloudflare-one-agent-health-monitoring.XXtiRuOp_Z25TN9Q.webp) This feature complements existing DEX features like [synthetic application monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) and [network path visualization](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/), creating a comprehensive troubleshooting workflow that connects application performance with device state. For more details refer to our [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) documentation. ## 2025-01-24 **IP visibility** [IP visibility](https://developers.cloudflare.com/cloudflare-one/insights/dex/ip-visibility/) enables admins to inspect the different IP addresses associated with an end-user device. IP types available for review on the Cloudflare dashboard include: the device's private IP, the public IP assigned to the device by the ISP, and the router's (that the device is connected to) private IP. ## 2024-12-19 **Remote captures** Admins can now collect packet captures (PCAPs) and WARP diagnostic logs from end-user devices. For more information, refer to [Remote captures](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/). ## 2024-05-20 **Last seen ISP** Admins can view the last ISP seen for a device by going to **My Team** \> **Devices**. Requires setting up a [traceroute test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/). ## 2024-05-13 **DEX alerts** Admins can now set [DEX alerts](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/) using [Cloudflare Notifications](https://developers.cloudflare.com/notifications/). Three new DEX alert types: * Device connectivity anomaly * Test latency * Test low availability ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/dex/","name":"Digital Experience Monitoring"}}]} ``` --- --- title: Data Loss Prevention description: Review recent changes to Cloudflare DLP. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/dlp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Data Loss Prevention [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/dlp.xml) ## 2025-10-01 **Expanded File Type Controls for Executables and Disk Images** You can now enhance your security posture by blocking additional application installer and disk image file types with Cloudflare Gateway. Preventing the download of unauthorized software packages is a critical step in securing endpoints from malware and unwanted applications. We have expanded Gateway's file type controls to include: * Apple Disk Image (dmg) * Microsoft Software Installer (msix, appx) * Apple Software Package (pkg) You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows: * **System**: _Apple Disk Image (dmg)_ * **Executable**: _Microsoft Software Installer (msix)_, _Microsoft Software Installer (appx)_, _Apple Software Package (pkg)_ To ensure these file types are blocked effectively, please note the following behaviors: * DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file. * MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type _Unscannable_. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection. To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#supported-file-types). ## 2025-09-25 **Refine DLP Scans with New Body Phase Selector** You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows. In the Gateway HTTP policy builder, you will find a new selector called _Body Phase_. This allows you to define the direction of traffic the DLP engine will inspect: * _Request Body_: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts. * _Response Body_: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data. For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the **Body Phase** to _Request Body_, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself. All policies without this selector will continue to scan both request and response bodies to ensure continued protection. For more information, refer to [Gateway HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#body-phase). ## 2025-08-25 **New DLP topic based detection entries for AI prompt protection** You now have access to a comprehensive suite of capabilities to secure your organization's use of generative AI. AI prompt protection introduces four key features that work together to provide deep visibility and granular control. 1. **Prompt Detection for AI Applications** DLP can now natively detect and inspect user prompts submitted to popular AI applications, including **Google Gemini**, **ChatGPT**, **Claude**, and **Perplexity**. 1. **Prompt Analysis and Topic Classification** Our DLP engine performs deep analysis on each prompt, applying [topic classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics). These topics are grouped into two evaluation categories: * **Content:** PII, Source Code, Credentials and Secrets, Financial Information, and Customer Data. * **Intent:** Jailbreak attempts, requests for malicious code, or attempts to extract PII. To help you apply these topics quickly, we have also released five new predefined profiles (for example, AI Prompt: AI Security, AI Prompt: PII) that bundle these new topics. ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-detection-entry.4QmdkAuv_Z14HtSJ.webp) 1. **Granular Guardrails** You can now build guardrails using Gateway HTTP policies with [application granular controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts. ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-policy.CF3H2rbK_2muoEC.webp) 2. **Full Prompt Logging** To aid in incident investigation, an optional setting in your Gateway policy allows you to [capture prompt logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content) to store the full interaction of prompts that trigger a policy match. To make investigations easier, logs can be filtered by `conversation_id`, allowing you to reconstruct the full context of an interaction that led to a policy violation. ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-log.ywQDc5qN_2v6nax.webp) AI prompt protection is now available in open beta. To learn more about it, read the [blog ↗](https://blog.cloudflare.com/ai-prompt-protection/#closing-the-loop-logging) or refer to [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics). ## 2025-07-17 **New detection entry type: Document Matching for DLP** You can now create [document-based](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#documents) detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files. ![DLP](https://developers.cloudflare.com/_astro/document-match.CcN8pGgR_Z1e3PDm.webp) **Key features and benefits:** * **Upload documents, forms, or templates:** Easily upload .docx and .txt files (up to 10 MB) that contain sensitive information you want to protect. * **Granular control with similarity percentage:** Define a minimum similarity percentage (0-100%) that a document must meet to trigger a detection, reducing false positives. * **Comprehensive coverage:** Apply these document-based detection entries in: * **Gateway policies:** To inspect network traffic for sensitive documents as they are uploaded or shared. * **CASB (Cloud Access Security Broker):** To scan files stored in cloud applications for sensitive documents at rest. * **Identify sensitive data:** This new detection entry type is ideal for identifying sensitive data within completed forms, templates, or even small snippets of a larger document, helping you prevent data exfiltration and ensure compliance. Once uploaded and processed, you can add this new document entry into a DLP profile and policies to enhance your data protection strategy. ## 2025-06-23 **Data Security Analytics in the Zero Trust dashboard** Zero Trust now includes **Data security analytics**, providing you with unprecedented visibility into your organization sensitive data. The new dashboard includes: * **Sensitive Data Movement Over Time:** * See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths. * **Sensitive Data at Rest in SaaS & Cloud:** * View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3). * **DLP Policy Activity:** * Identify which of your Data Loss Prevention (DLP) policies are being triggered most often. * See which specific users are responsible for triggering DLP policies. ![Data Security Analytics](https://developers.cloudflare.com/_astro/cf1-data-security-analytics-v1.BGl6fYXl_H3N0P.webp) To access the new dashboard, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** on the sidebar. ## 2025-05-12 **Case Sensitive Custom Word Lists** You can now configure [custom word lists](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical. ![dlp](https://developers.cloudflare.com/_astro/case-sesitive-cwl.MPuOc_3r_220dca.webp) ## 2025-05-07 **Send forensic copies to storage without DLP profiles** You can now [send DLP forensic copies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. ![DLP](https://developers.cloudflare.com/_astro/forensic-copies-for-all.fxeFrCY4_Z1rCUy9.webp) ## 2025-04-14 **New predefined detection entry for ICD-11** You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11) ↗](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile. ICD-10 dataset remains available for use. ## 2025-02-03 **Block files that are password-protected, compressed, or otherwise unscannable.** Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable. These unscannable files are now matched with the [Download and Upload File Types traffic selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies: * Password-protected Microsoft Office document * Password-protected PDF * Password-protected ZIP archive * Unscannable ZIP archive To get started inspecting and modifying behavior based on these and other rules, refer to [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/). ## 2025-01-20 **Detect source code leaks with Data Loss Prevention** You can now detect source code leaks with Data Loss Prevention (DLP) with predefined checks against common programming languages. The following programming languages are validated with natural language processing (NLP). * C * C++ * C# * Go * Haskell * Java * JavaScript * Lua * Python * R * Rust * Swift DLP also supports confidence level for [source code profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code). For more details, refer to [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/). ## 2025-01-15 **Payload log match visibility** When viewing decrypted payload log matches, DLP now provides more context by listing multiple DLP matches and the matching DLP profile. ## 2024-11-25 **Profile confidence levels** DLP profiles now support setting a [confidence level](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels) to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the less false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede [context analysis](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#context-analysis). ## 2024-11-01 **Send entire HTTP requests to a Logpush destination** In addition to [logging the payload](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) from HTTP requests that matched a DLP policy in Cloudflare Logs, Enterprise users can now configure a [Logpush job](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to send the entire HTTP request that triggered a DLP match to a storage destination. This allows long-term storage of full requests for use in forensic investigation. ## 2024-09-03 **Exact Data Match multi-entry upload support** You can now upload files with [multiple columns of data](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#upload-a-new-dataset) as Exact Data Match datasets. DLP can use each column as a separate existing detection entry. ## 2024-05-23 **Data-at-rest DLP for Box and Dropbox** You can now scan your [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/#data-loss-prevention-optional) and [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/#data-loss-prevention-optional) files for DLP matches. ## 2024-04-16 **Optical character recognition** DLP can now [detect sensitive data](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#optical-character-recognition-ocr) in jpeg, jpg, and png files. This helps companies prevent the leak of sensitive data in images, such as screenshots. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/dlp/","name":"Data Loss Prevention"}}]} ``` --- --- title: Email security description: We have updated the Monitoring page to provide a more streamlined and insightful experience for administrators, improving both data visualization and dashboard accessibility. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/email-security.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Email security [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/email-security-cf1.xml) ## 2026-02-02 **Improved Accessibility and Search for Monitoring** We have updated the Monitoring page to provide a more streamlined and insightful experience for administrators, improving both data visualization and dashboard accessibility. * **Enhanced Visual Layout**: Optimized contrast and the introduction of stacked bar charts for clearer data visualization and trend analysis.![visual-example](https://developers.cloudflare.com/_astro/monitoring-bar-charts.Bi-4BuXC_xiAlF.webp) * **Improved Accessibility & Usability**: * **Widget Search**: Added search functionality to multiple widgets, including Policies, Submitters, and Impersonation. * **Actionable UI**: All available actions are now accessible via dedicated buttons. * **State Indicators**: Improved UI states to clearly communicate loading, empty datasets, and error conditions.![buttons-example](https://developers.cloudflare.com/_astro/monitoring-buttons.DORPJvP__1JBNhu.webp) * **Granular Data Breakdowns**: New views for dispositions by month, malicious email details, link actions, and impersonations.![monthly-example](https://developers.cloudflare.com/_astro/monitoring-monthly-dispositions.CYuI5d9y_ZSVir3.webp) This applies to all Email Security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2026-01-12 **Enhanced visibility for post-delivery actions** The Action Log now provides enriched data for post-delivery actions to improve troubleshooting. In addition to success confirmations, failed actions now display the targeted Destination folder and a specific failure reason within the Activity field. Note Error messages will vary depending on whether you are using Google Workspace or Microsoft 365. ![failure-log-example](https://developers.cloudflare.com/_astro/enhanced-visibility-post-delivery-actions.BNiyPtJU_GFx2V.webp) This update allows you to see the full lifecycle of a failed action. For instance, if an administrator tries to move an email that has already been deleted or moved manually, the log will now show the multiple retry attempts and the specific destination error. This applies to all Email Security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-12-03 **Reclassifications to Submissions** We have updated the terminology “Reclassify” and “Reclassifications” to “Submit” and “Submissions” respectively. This update more accurately reflects the outcome of providing these items to Cloudflare. Submissions are leveraged to tune future variants of campaigns. To respect data sanctity, providing a submission does not change the original disposition of the emails submitted. ![nav_example](https://developers.cloudflare.com/_astro/reclassification-submission.B6nL5Hw7_Z2qliyJ.webp) This applies to all Email Security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-11-18 **Adjustment to Final Disposition Column** #### Adjustment to Final Disposition column #### The **Final Disposition** column in **Submissions** \> **Team Submissions** tab is changing for non-Phishguard customers. #### What's Changing * Column will be called **Status** instead of **Final Disposition** * Column status values will now be: **Submitted**, **Accepted** or **Rejected**. #### Next Steps We will listen carefully to your feedback and continue to find comprehensive ways to communicate updates on your submissions. Your submissions will continue to be addressed at an even greater rate than before, fuelling faster and more accurate email security improvement. ## 2025-10-17 **On-Demand Security Report** You can now generate on-demand security reports directly from the Cloudflare dashboard. This new feature provides a comprehensive overview of your email security posture, making it easier than ever to demonstrate the value of Cloudflare’s Email security to executives and other decision makers. These reports offer several key benefits: * **Executive Summary:** Quickly view the performance of Email security with a high-level executive summary. * **Actionable Insights:** Dive deep into trend data, breakdowns of threat types, and analysis of top targets to identify and address vulnerabilities. * **Configuration Transparency:** Gain a clear view of your policy, submission, and domain configurations to ensure optimal setup. * **Account Takeover Risks:** Get a snapshot of your M365 risky users (requires a Microsoft Entra ID P2 license and [M365 SaaS integration ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/)). ![Report](https://developers.cloudflare.com/_astro/report.CbkPa8Jt_Z1xMpIx.webp) This feature is available across the following Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-09-23 **Invalid Submissions Feedback** Email security relies on your submissions to continuously improve our detection models. However, we often receive submissions in formats that cannot be ingested, such as incomplete EMLs, screenshots, or text files. To ensure all customer feedback is actionable, we have launched two new features to manage invalid submissions sent to our team and user [submission aliases](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/submission-addresses/): * **Email Notifications:** We now automatically notify users by email when they provide an invalid submission, educating them on the correct format. To disable notifications, go to **[Settings ↗](https://one.dash.cloudflare.com/?to=/:account/email-security/settings)** \> **Invalid submission emails** and turn the feature off. ![EmailSec-Invalid-Submissions-Toggle](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Toggle.DXjbR6aX_ZsxWGB.webp) * **Invalid Submission dashboard:** You can quickly identify which users need education to provide valid submissions so Cloudflare can provide continuous protection. ![EmailSec-Invalid-Submissions-Dashboard](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Dashboard.zuf1on2n_2gjnGS.webp) Learn more about this feature on [invalid submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/invalid-submissions/). This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-09-11 **Regional Email Processing for Germany, India, or Australia** We’re excited to announce that Email security customers can now choose their preferred mail processing location directly from the UI when onboarding a domain. This feature is available for the following onboarding methods: **MX**, **BCC**, and **Journaling**. #### What’s new Customers can now select where their email is processed. The following regions are supported: * **Germany** * **India** * **Australia** Global processing remains the default option, providing flexibility to meet both compliance requirements or operational preferences. #### How to use it When onboarding a domain with MX, BCC, or Journaling: 1. Select the desired processing location (Germany, India, or Australia). 2. The UI will display updated processing addresses specific to that region. 3. For MX onboarding, if your domain is managed by Cloudflare, you can automatically update MX records directly from the UI. #### Availability This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** #### What’s next We’re expanding the list of processing locations to match our [Data Localization Suite (DLS)](https://developers.cloudflare.com/data-localization/) footprint, giving customers the broadest set of regional options in the market without the complexity of self-hosting. ## 2025-09-01 **Updated Email security roles** To provide more granular controls, we refined the [existing roles](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#email-security-roles) for Email security and launched a new Email security role as well. All Email security roles no longer have read or write access to any of the other Zero Trust products: * **Email Configuration Admin** * **Email Integration Admin** * **Email security Read Only** * **Email security Analyst** * **Email security Policy Admin** * **Email security Reporting** To configure [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/) or [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#set-up-clientless-web-isolation), you now need to be an admin for the Zero Trust dashboard with the **Cloudflare Zero Trust** role. Also through customer feedback, we have created a new additive role to allow **Email security Analyst** to create, edit, and delete Email security policies, without needing to provide access via the **Email Configuration Admin** role. This role is called **Email security Policy Admin**, which can read all settings, but has write access to [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/). This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-08-07 **Expanded Email Link Isolation** When you deploy MX or Inline, not only can you apply email link isolation to suspicious links in all emails (including benign), you can now also apply email link isolation to all links of a specified disposition. This provides more flexibility in controlling user actions within emails. For example, you may want to deliver suspicious messages but isolate the links found within them so that users who choose to interact with the links will not accidentally expose your organization to threats. This means your end users are more secure than ever before. ![Expanded Email Link Isolation Configuration](https://developers.cloudflare.com/_astro/expanded-link-actions.DziIg6E8_1Sx0Ar.webp) To isolate all links within a message based on the disposition, select **Settings** \> **Link Actions** \> **View** and select **Configure**. As with other other links you isolate, an interstitial will be provided to warn users that this site has been isolated and the link will be recrawled live to evaluate if there are any changes in our threat intel. Learn more about this feature on [Configure link actions ↗](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/). This feature is available across these Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-05-15 **Open email attachments with Browser Isolation** You can now safely open email attachments to view and investigate them. What this means is that messages now have a **Attachments** section. Here, you can view processed attachments and their classifications (for example, _Malicious_, _Suspicious_, _Encrypted_). Next to each attachment, a **Browser Isolation** icon allows your team to safely open the file in a **clientless, isolated browser** with no risk to the analyst or your environment. ![Attachment-RBI](https://developers.cloudflare.com/_astro/Attachment-RBI.U9Dp8dJO_265xjw.webp) To use this feature, you must: * Enable **Clientless Web Isolation** in your Zero Trust settings. * Have **Browser Isolation (BISO)** seats assigned. For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact. This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-05-08 **Open email links with Browser Isolation** You can now safely open links in emails to view and investigate them. ![Open links with Browser Isolation](https://developers.cloudflare.com/_astro/investigate-links.pYbpGkt5_Z1DQRHU.webp) From **Investigation**, go to **View details**, and look for the **Links identified** section. Next to each link, the Cloudflare dashboard will display an **Open in Browser Isolation** icon which allows your team to safely open the link in a clientless, isolated browser with no risk to the analyst or your environment. Refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links) to learn more about this feature. To use this feature, you must: * Enable **Clientless Web Isolation** in your Zero Trust settings. * Have **Browser Isolation (RBI)** seats assigned. For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-04-01 **CASB and Email security** With Email security, you get two free CASB integrations. Use one SaaS integration for Email security to sync with your directory of users, take actions on delivered emails, automatically provide EMLs for reclassification requests for clean emails, discover CASB findings and more. With the other integration, you can have a separate SaaS integration for CASB findings for another SaaS provider. Refer to [Add an integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) to learn more about this feature. ![CASB-EmailSecurity](https://developers.cloudflare.com/_astro/CASB-EmailSecurity.B1wd9be2_PR5LD.webp) This feature is available across these Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-03-01 **Use Logpush for Email security detections** You can now send detection logs to an endpoint of your choice with Cloudflare Logpush. Filter logs matching specific criteria you have set and select from over 25 fields you want to send. When creating a new Logpush job, remember to select **Email security alerts** as the dataset. ![logpush-detections](https://developers.cloudflare.com/_astro/Logpush-Detections.Dc5tHta3_1PsIMk.webp) For more information, refer to [Enable detection logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/#enable-detection-logs). This feature is available across these Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-02-27 **Check status of Email security or Area 1** Concerns about performance for Email security or Area 1? You can now check the operational status of both on the [Cloudflare Status page ↗](https://www.cloudflarestatus.com/). For Email security, look under **Cloudflare Sites and Services**. * **Dashboard** is the dashboard for Cloudflare, including Email security * **Email security (Zero Trust)** is the processing of email * **API** are the Cloudflare endpoints, including the ones for Email security For Area 1, under **Cloudflare Sites and Services**: * **Area 1 - Dash** is the dashboard for Cloudflare, including Email security * **Email security (Area1)** is the processing of email * **Area 1 - API** are the Area 1 endpoints ![Status-page](https://developers.cloudflare.com/_astro/Status-Page.DcFJ1286_2qTtkN.webp) This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2025-02-25 **Use DLP Assist for M365** Cloudflare Email security customers who have Microsoft 365 environments can quickly deploy an Email DLP (Data Loss Prevention) solution for free. Simply deploy our add-in, create a DLP policy in Cloudflare, and configure Outlook to trigger behaviors like displaying a banner, alerting end users before sending, or preventing delivery entirely. Refer to [Outbound Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/) to learn more about this feature. In GUI alert: ![DLP-Alert](https://developers.cloudflare.com/_astro/DLP-Alert.5s-fbKn3_1xfB14.webp) Alert before sending: ![DLP-Pop-up](https://developers.cloudflare.com/_astro/DLP-Pop-up.0gkYy7o5_ZgIo8K.webp) Prevent delivery: ![DLP-Blocked](https://developers.cloudflare.com/_astro/DLP-Blocked.CmQkGrnM_ZewJi3.webp) This feature is available across these Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2025-02-07 **Open email links with Security Center** You can now investigate links in emails with Cloudflare Security Center to generate a report containing a myriad of technical details: a phishing scan, SSL certificate data, HTTP request and response data, page performance data, DNS records, what technologies and libraries the page uses, and more. ![Open links in Security Center](https://developers.cloudflare.com/_astro/Open-Links-Security-Center.b-LJU4YB_2dBHq8.webp) From **Investigation**, go to **View details**, and look for the **Links identified** section. Select **Open in Security Center** next to each link. **Open in Security Center** allows your team to quickly generate a detailed report about the link with no risk to the analyst or your environment. For more details, refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links). This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2024-12-19 **Escalate user submissions** After you triage your users' submissions (that are machine reviewed), you can now escalate them to our team for reclassification (which are instead human reviewed). User submissions from the submission alias, PhishNet, and our API can all be escalated. ![Escalate](https://developers.cloudflare.com/_astro/Escalate.CwXPIyM3_ZxuRN6.webp) From **Reclassifications**, go to **User submissions**. Select the three dots next to any of the user submissions, then select **Escalate** to create a team request for reclassification. The Cloudflare dashboard will then show you the submissions on the **Team Submissions** tab. Refer to [User submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/) to learn more about this feature. This feature is available across these Email security packages: * **Advantage** * **Enterprise** * **Enterprise + PhishGuard** ## 2024-12-19 **Increased transparency for phishing email submissions** You now have more transparency about team and user submissions for phishing emails through a **Reclassification** tab in the Zero Trust dashboard. Reclassifications happen when users or admins [submit a phish](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/) to Email security. Cloudflare reviews and - in some cases - reclassifies these emails based on improvements to our machine learning models. This new tab increases your visibility into this process, allowing you to view what submissions you have made and what the outcomes of those submissions are. ![Use the Reclassification area to review submitted phishing emails](https://developers.cloudflare.com/_astro/reclassifications-tab.yDgtjG51_Z1TVbIE.webp) ## 2024-11-07 **Use Logpush for Email security user actions** You can now send user action logs for Email security to an endpoint of your choice with Cloudflare Logpush. Filter logs matching specific criteria you have set or select from multiple fields you want to send. For all users, we will log the date and time, user ID, IP address, details about the message they accessed, and what actions they took. When creating a new Logpush job, remember to select **Audit logs** as the dataset and filter by: * **Field**: `"ResourceType"` * **Operator**: `"starts with"` * **Value**: `"email_security"`. ![Logpush-user-actions](https://developers.cloudflare.com/_astro/Logpush-User-Actions.D14fWgmq_CYM35.webp) For more information, refer to [Enable user action logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/#enable-user-action-logs). This feature is available across all Email security packages: * **Enterprise** * **Enterprise + PhishGuard** ## 2024-12-19 **Email security expanded folder scanning** Microsoft 365 customers can now choose to scan all folders or just the inbox when deploying via the Graph API. ## 2024-08-06 **Email security is live** Email security is now live under Zero Trust. ## 2024-08-06 **Microsoft Graph API deployment.** Customers using Microsoft Office 365 can set up Email security via Microsoft Graph API. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/email-security/","name":"Email security"}}]} ``` --- --- title: Gateway description: Review recent changes to Cloudflare Gateway. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/gateway.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Gateway [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/gateway.xml) ## 2026-04-01 **Logs UI refresh** Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs. ![Screenshot of the new logs UI showing DNS query logs with customizable columns and filtering options](https://developers.cloudflare.com/_astro/cf1-new-logs-ui.DxF4x0l-_mRSyH.webp) The updated UI includes: * **Filter by field** \- Select any field value to add it as a filter and narrow down your results. * **Customizable fields** \- Choose which fields to display in the log table. Querying for fewer fields improves log loading performance. * **View details** \- Select a timestamp to view the full details of a log entry. * **Switch to classic view** \- Return to the previous log viewer interface if needed. For more information, refer to [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). ## 2026-03-24 **OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies** Cloudflare Gateway now supports [OIDC Claims](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims) as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types. With this update, you can: * Filter traffic in [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), and [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) firewall policies based on OIDC claim values. * Apply custom [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route DNS queries to specific resolvers depending on a user's OIDC claims. * Control [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) to assign dedicated egress IPs based on OIDC claim attributes. For example, you can create a policy that routes traffic differently for users with `department=engineering` in their OIDC claims, or restrict access to certain destinations based on a user's role claim. To get started, configure [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) on your identity provider and use the **OIDC Claims** selector in the Gateway policy builder. For more information, refer to [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/). ## 2026-02-27 **New protocols added for Gateway Protocol Detection (Beta)** Gateway [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) now supports seven additional protocols in beta: | Protocol | Notes | | ------------ | -------------------------------------------------- | | IMAP | Internet Message Access Protocol — email retrieval | | POP3 | Post Office Protocol v3 — email retrieval | | SMTP | Simple Mail Transfer Protocol — email sending | | MYSQL | MySQL database wire protocol | | RSYNC-DAEMON | rsync daemon protocol | | LDAP | Lightweight Directory Access Protocol | | NTP | Network Time Protocol | These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the _Detected Protocol_ selector in [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to identify and filter traffic based on the application-layer protocol, without relying on port-based identification. If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/). ## 2025-12-17 **Shadow IT - domain level SaaS analytics** Zero Trust has again upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application. With this update, you can review data transfer metrics at the domain level, rather than just the application level, providing more granular insight into your data transfer patterns. ![New Domain Level Metrics](https://developers.cloudflare.com/_astro/shadow-it-domain.DoZnGAtf_Z1mHw4r.webp) These metrics can be filtered by all available filters on the dashboard, including user, application, or content category. Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control. ## 2025-11-06 **Applications to be remapped to the new categories** We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to [Changelog](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/#2025-10-28). While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026\. This timeline allows you a dedicated period to: * Review the new category structure. * Identify any policies you have that target the older categories. * Adjust your rules to reference the new, more precise categories before the old mappings change. Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition. **Applications being remappedd** | Application Name | Existing Category | New Category | | ------------------------------- | ----------------- | ---------------------------- | | Google Photos | File Sharing | Photography & Graphic Design | | Flickr | File Sharing | Photography & Graphic Design | | ADP | Human Resources | Business | | Greenhouse | Human Resources | Business | | myCigna | Human Resources | Health & Fitness | | UnitedHealthcare | Human Resources | Health & Fitness | | ZipRecruiter | Human Resources | Business | | Amazon Business | Human Resources | Business | | Jobcenter | Human Resources | Business | | Jobsuche | Human Resources | Business | | Zenjob | Human Resources | Business | | DocuSign | Legal | Business | | Postident | Legal | Business | | Adobe Creative Cloud | Productivity | Photography & Graphic Design | | Airtable | Productivity | Development | | Autodesk Fusion360 | Productivity | IT Management | | Coursera | Productivity | Education | | Microsoft Power BI | Productivity | Business | | Tableau | Productivity | Business | | Duolingo | Productivity | Education | | Adobe Reader | Productivity | Business | | AnpiReport | Productivity | Travel | | ビズリーチ | Productivity | Business | | doda (デューダ) | Productivity | Business | | 求人ボックス | Productivity | Business | | マイナビ2026 | Productivity | Business | | Power Apps | Productivity | Business | | RECRUIT AGENT | Productivity | Business | | シフトボード | Productivity | Business | | スタンバイ | Productivity | Business | | Doctolib | Productivity | Health & Fitness | | Miro | Productivity | Photography & Graphic Design | | MyFitnessPal | Productivity | Health & Fitness | | Sentry Mobile | Productivity | Travel | | Slido | Productivity | Photography & Graphic Design | | Arista Networks | Productivity | IT Management | | Atlassian | Productivity | Business | | CoderPad | Productivity | Business | | eAgreements | Productivity | Business | | Vmware | Productivity | IT Management | | Vmware Vcenter | Productivity | IT Management | | AWS Skill Builder | Productivity | Education | | Microsoft Office 365 (GCC) | Productivity | Business | | Microsoft Exchange Online (GCC) | Productivity | Business | | Canva | Sales & Marketing | Photography & Graphic Design | | Instacart | Shopping | Food & Drink | | Wawa | Shopping | Food & Drink | | McDonald's | Shopping | Food & Drink | | Vrbo | Shopping | Travel | | American Airlines | Shopping | Travel | | Booking.com | Shopping | Travel | | Ticketmaster | Shopping | Entertainment & Events | | Airbnb | Shopping | Travel | | DoorDash | Shopping | Food & Drink | | Expedia | Shopping | Travel | | EasyPark | Shopping | Travel | | UEFA Tickets | Shopping | Entertainment & Events | | DHL Express | Shopping | Business | | UPS | Shopping | Business | For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). ## 2025-10-28 **New Application Categories added for HTTP Traffic Management** To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product. We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications: * Business * Education * Entertainment & Events * Food & Drink * Health & Fitness * Lifestyle * Navigation * Photography & Graphic Design * Travel The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories. The full remapping will be completed by January 30, 2026. We encourage you to use this time to: * Review the new category structure. * Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition. For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). ## 2025-10-20 **Schedule DNS policies from the UI** Admins can now create [scheduled DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights. * **Preset Schedules**: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more. * **Custom Schedules**: Define your own schedule with specific days and up to three non-overlapping time ranges per day. * **Timezone Control**: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user. * **Combined with Duration**: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence. You can see the flow in the demo GIF: ![Schedule DNS policies demo](https://developers.cloudflare.com/_astro/gateway-dns-scheduled-policies-ui.Cf4l1OTE_Z9szVM.webp) This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API. ## 2025-10-10 **New domain categories added** We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering. **New categories added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | ----------- | ----------- | ------------------- | | 26 | Technology | 194 | Keep Awake Software | | 26 | Technology | 192 | Remote Access | | 26 | Technology | 193 | Shareware/Freeware | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. ## 2025-09-30 **Application granular controls for operations in SaaS applications** Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies). The new feature offers two methods of controlling SaaS applications: * **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application. * **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function. Get started using [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls) and refer to the list of [supported applications](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/#compatible-applications). ## 2025-09-25 **Refine DLP Scans with New Body Phase Selector** You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows. In the Gateway HTTP policy builder, you will find a new selector called _Body Phase_. This allows you to define the direction of traffic the DLP engine will inspect: * _Request Body_: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts. * _Response Body_: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data. For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the **Body Phase** to _Request Body_, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself. All policies without this selector will continue to scan both request and response bodies to ensure continued protection. For more information, refer to [Gateway HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#body-phase). ## 2025-09-11 **DNS filtering for private network onramps** [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/#dns-filtering) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/#configure-dns-resolver-on-devices) users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet. Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](https://developers.cloudflare.com/dns/internal-dns/). ## 2025-08-27 **Shadow IT - SaaS analytics dashboard** Zero Trust has significantly upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application. You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including **Unreviewed**, **In Review**, **Approved**, and **Unapproved** designating how they can be used in your organization. ![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/shadow-it-analytics.BLNnG72w_Z1vDznE.webp) These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status. Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control. ## 2025-08-21 **Gateway BYOIP Dedicated Egress IPs now available.** Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs. Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic. Get started by following the [BYOIP onboarding process](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** \> **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu. ![Screenshot of a dropdown menu adding a BYOIP IPv4 address as a dedicated egress IP in a Gateway egress policy](https://developers.cloudflare.com/_astro/Gateway-byoip-dedicated-egress-ips.D0pzLAbV_8yK6N.webp) For more information, refer to [BYOIP for dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). ## 2025-07-28 **Scam domain category introduced under Security Threats** We have introduced a new Security Threat category called **Scam**. Relevant domains are marked with the Scam category. Scam typically refers to fraudulent websites and schemes designed to trick victims into giving away money or personal information. **New category added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | ---------------- | ----------- | ------------- | | 21 | Security Threats | 191 | Scam | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. ## 2025-07-24 **Gateway HTTP Filtering on all ports available in open BETA** [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) can now apply [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [file sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#data-in-transit), and more. You can turn this [setting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** \> **Network** \> **Firewall** and choosing _Inspect on all ports_. ![HTTP Inspection on all ports setting](https://developers.cloudflare.com/_astro/Gateway-Inspection-all-ports.CCmwX6D0_OoDoS.webp) To learn more, refer to [Inspect on all ports (Beta)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). ## 2025-07-22 **Google Bard Application replaced by Gemini** The **Google Bard** application (ID: 1198) has been deprecated and fully removed from the system. It has been replaced by the **Gemini** application (ID: 1340). Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. For more information about application policies, please see the [Cloudflare Gateway documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). ## 2025-06-18 **Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025** [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users. This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent. #### Updated order of enforcement **Previous order:** 1. DNS policies 2. HTTP policies 3. Network policies **New order:** 1. DNS policies 2. **Network policies** 3. **HTTP policies** #### Action required: Review your Gateway HTTP policies This change may affect block notifications. For example: * You have an **HTTP policy** to block `example.com` and display a block page. * You also have a **Network policy** to block `example.com` silently (no client notification). With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page. To ensure users still receive a block notification, you can: * Add a client notification to your Network policy, or * Use only the HTTP policy for that domain. --- #### Why we’re making this change This update is based on user feedback and aims to: * Create a more intuitive model by evaluating network-level policies before application-level policies. * Minimize [526 connection errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection. --- To learn more, visit the [Gateway order of enforcement documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/). ## 2025-05-29 **New Gateway Analytics in the Cloudflare One Dashboard** Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources. You can now visualize and explore: * Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity. * Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation. * Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture. * Geographic Regions: Gain insight into the global distribution of your traffic. ![Gateway Analytics](https://developers.cloudflare.com/_astro/gateway-analytics.BdSwbIBb_1WTkQL.webp) To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and go to Analytics in the side navigation bar. ## 2025-05-27 **Gateway Protocol Detection Now Available for PAYGO and Free Plans** All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans. With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier. This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/). ## 2025-05-14 **Domain Categories improvements** **New categories added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | --------------------- | ----------- | ----------------------------- | | 1 | Ads | 66 | Advertisements | | 3 | Business & Economy | 185 | Personal Finance | | 3 | Business & Economy | 186 | Brokerage & Investing | | 21 | Security Threats | 187 | Compromised Domain | | 21 | Security Threats | 188 | Potentially Unwanted Software | | 6 | Education | 189 | Reference | | 9 | Government & Politics | 190 | Charity and Non-profit | **Changes to existing categories** | Original Name | New Name | | ------------- | ----------------------- | | Religion | Religion & Spirituality | | Government | Government/Legal | | Redirect | URL Alias/Redirect | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. ## 2025-05-13 **New Applications Added for DNS Filtering** You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic. With this update, you can: * Create DNS policies for a wider range of applications * Manage outbound traffic more effectively * Improve your organization's security and compliance posture For more information on creating DNS policies, see our [DNS policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). ## 2025-04-28 **FQDN Filtering For Gateway Egress Policies** Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies. * Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta. * During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation. * For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#limitations). ![Egress by FQDN and Hostname](https://developers.cloudflare.com/_astro/Gateway-Egress-FQDN-Policy-preview.Civon5p8_Z2hcuQE.webp) This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path. ## 2025-04-11 **HTTP redirect and custom block page redirect** You can now use more flexible redirect capabilities in Cloudflare One with Gateway. * A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters. * For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL. Learn more in our documentation for [HTTP Redirect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). ## 2025-03-21 **Secure DNS Locations Management User Role** We're excited to introduce the [**Cloudflare Zero Trust Secure DNS Locations Write role**](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations), designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions. Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions. **Secure DNS Location Requirements:** * Mandate usage of [Bring your own DNS resolver IP addresses ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) if available on the account. * Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint. You can assign the new role via Cloudflare Dashboard (`Manage Accounts > Members`) or via API. For more information, refer to the [Secure DNS Locations documentation ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations). ## 2025-02-03 **Block files that are password-protected, compressed, or otherwise unscannable.** Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable. These unscannable files are now matched with the [Download and Upload File Types traffic selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies: * Password-protected Microsoft Office document * Password-protected PDF * Password-protected ZIP archive * Unscannable ZIP archive To get started inspecting and modifying behavior based on these and other rules, refer to [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/). ## 2025-02-12 **Upload/Download File Size selectors for HTTP policies** Gateway and DLP users can now create HTTP policies with the [Download and Upload File Size (MiB)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-size) traffic selectors. This update allows users to block uploads or downloads based on file size. ## 2025-02-02 **The default global Cloudflare root certificate expired on 2025-02-02 at 16:05 UTC** If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. Refer to [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#browser-and-certificate-issues) for instructions and troubleshooting steps. ## 2025-01-08 **Bring your own resolver IP (BYOIP) for DNS locations** Enterprise users can now [provide an IP address](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) for a private DNS resolver to use with [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/). Gateway supports bringing your own IPv4 and IPv6 addresses. ## 2024-11-20 **Category filtering in the network policy builder** Gateway users can now create network policies with the [Content Categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#content-categories) and [Security Risks](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#security-risks) traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management. ## 2024-10-17 **Per-account Cloudflare root certificate** Gateway users can now generate [unique root CAs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) for their Zero Trust account. Both generated certificate and custom certificate users must [activate a root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/#activate-a-root-certificate) to use it for inspection. Per-account certificates replace the default Cloudflare certificate, which is set to expire on 2025-02-02. ## 2024-10-10 **Time-based policy duration** Gateway now offers [time-based DNS policy duration](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/timed-policies/#time-based-policy-duration). With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off. ## 2024-10-04 **Expanded Gateway log fields** Gateway now offers new fields in [activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) for DNS, network, and HTTP policies to provide greater insight into your users' traffic routed through Gateway. ## 2024-09-30 **File sandboxing** Gateway users on Enterprise plans can create HTTP policies with [file sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) to quarantine previously unseen files downloaded by your users and scan them for malware. ## 2024-07-30 **UK NCSC indicator feed publicly available in Gateway** Gateway users on any plan can now use the [PDNS threat intelligence feed](https://developers.cloudflare.com/security-center/indicator-feeds/#publicly-available-feeds) provided by the UK National Cyber Security Centre (NCSC) in DNS policies. ## 2024-07-14 **Gateway DNS filter non-authenticated queries** Gateway users can now select which endpoints to use for a given DNS location. Available endpoints include IPv4, IPv6, DNS over HTTPS (DoH), and DNS over TLS (DoT). Users can protect each configured endpoint by specifying allowed source networks. Additionally, for the DoH endpoint, users can filter traffic based on source networks and/or authenticate user identity tokens. ## 2024-06-25 **Gateway DNS policy setting to ignore CNAME category matches** Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the [**Ignore CNAME domain categories** setting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories) in the policy builder and the [ignore\_cname\_category\_matches setting](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) in the API. ## 2024-04-05 **Gateway file type control improvements** Gateway now offers a more extensive, categorized [list of files](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) to control uploads and downloads. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/gateway/","name":"Gateway"}}]} ``` --- --- title: Risk score description: Review recent changes to Cloudflare Zero Trust user risk scoring. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/risk-score.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Risk score [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/risk-score.xml) ## 2026-01-15 **Support for CrowdStrike device scores in User Risk Scoring** Cloudflare One has expanded its \[User Risk Scoring\] (/cloudflare-one/insights/risk-score/) capabilities by introducing two new behaviors for organizations using the \[CrowdStrike integration\] (/cloudflare-one/integrations/service-providers/crowdstrike/). Administrators can now automatically escalate the risk score of a user if their device matches specific CrowdStrike Zero Trust Assessment (ZTA) score ranges. This allows for more granular security policies that respond dynamically to the health of the endpoint. New risk behaviors The following risk scoring behaviors are now available: * CrowdStrike low device score: Automatically increases a user's risk score when the connected device reports a "Low" score from CrowdStrike. * CrowdStrike medium device score: Automatically increases a user's risk score when the connected device reports a "Medium" score from CrowdStrike. These scores are derived from \[CrowdStrike device posture attributes\] (/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes), including OS signals and sensor configurations. ## 2024-06-17 **Exchange user risk scores with Okta** Beyond the controls in [Zero Trust](https://developers.cloudflare.com/cloudflare-one/), you can now [exchange user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#send-risk-score-to-okta) with Okta to inform SSO-level policies. First, configure Cloudflare One to send user risk scores to Okta. 1. Set up the [Okta SSO integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/). 2. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Identity providers**. 3. In **Your identity providers**, locate your Okta integration and select **Edit**. 4. Turn on **Send risk score to Okta**. 5. Select **Save**. 6. Upon saving, Cloudflare One will display the well-known URL for your organization. Copy the value. Next, configure Okta to receive your risk scores. 1. On your Okta admin dashboard, go to **Security** \> **Device Integrations**. 2. Go to **Receive shared signals**, then select **Create stream**. 3. Name your integration. In **Set up integration with**, choose _Well-known URL_. 4. In **Well-known URL**, enter the well-known URL value provided by Cloudflare One. 5. Select **Create**. ## 2024-06-14 **SentinelOne signal ingestion** You can now configure a [predefined risk behavior](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#predefined-risk-behaviors) to evaluate user risk score using device posture attributes from the [SentinelOne integration](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/sentinelone/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/risk-score/","name":"Risk score"}}]} ``` --- --- title: Cloudflare Tunnel description: Review recent changes to Cloudflare Tunnel. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/changelog/tunnel.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Cloudflare Tunnel [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/tunnel.xml) ## 2026-03-20 **Stream logs from multiple replicas of Cloudflare Tunnel simultaneously** In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) of that tunnel and supports streaming logs from multiple replicas at once. ![View replicas and stream logs from multiple connectors](https://developers.cloudflare.com/_astro/tunnel-multiconn.DEOEaLlu_ZDxArh.webp) Previously, you could only stream logs from one replica at a time. With this update: * **Replicas on the tunnel overview** — All active replicas for the selected tunnel now appear on that tunnel's overview page under **Connectors**. Select any replica to stream its logs. * **Multi-connector log streaming** — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. Select **View logs** next to the tunnel you want to monitor. For more information, refer to [Tunnel log streams](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) and [Deploy replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/). ## 2026-03-19 **Manage Cloudflare Tunnels with Wrangler** You can now manage [Cloudflare Tunnels](https://developers.cloudflare.com/tunnel/) directly from [Wrangler](https://developers.cloudflare.com/workers/wrangler/), the CLI for the Cloudflare Developer Platform. The new [wrangler tunnel](https://developers.cloudflare.com/workers/wrangler/commands/tunnel/) commands let you create, run, and manage tunnels without leaving your terminal. ![Wrangler tunnel commands demo](https://developers.cloudflare.com/_astro/wrangler-tunnel.DOqrtGGg_7EDX0.webp) Available commands: * `wrangler tunnel create` — Create a new remotely managed tunnel. * `wrangler tunnel list` — List all tunnels in your account. * `wrangler tunnel info` — Display details about a specific tunnel. * `wrangler tunnel delete` — Delete a tunnel. * `wrangler tunnel run` — Run a tunnel using the cloudflared daemon. * `wrangler tunnel quick-start` — Start a free, temporary tunnel without an account using [Quick Tunnels](https://developers.cloudflare.com/tunnel/setup/#quick-tunnels-development). Wrangler handles downloading and managing the [cloudflared](https://developers.cloudflare.com/tunnel/downloads/) binary automatically. On first use, you will be prompted to download `cloudflared` to a local cache directory. These commands are currently experimental and may change without notice. To get started, refer to the [Wrangler tunnel commands documentation](https://developers.cloudflare.com/workers/wrangler/commands/tunnel/). ## 2026-02-20 **Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard** [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) is now available in the main Cloudflare Dashboard at [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels), bringing first-class Tunnel management to developers using Tunnel for securing origin servers. ![Manage Tunnels in the Core Dashboard](https://developers.cloudflare.com/_astro/tunnel-core-dashboard.BGPqaHfo_Pi6HO.webp) This new experience provides everything you need to manage Tunnels for [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), including: * **Full Tunnel lifecycle management**: Create, configure, delete, and monitor all your Tunnels in one place. * **Native integrations**: View Tunnels by name when configuring [DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) and [Workers VPC](https://developers.cloudflare.com/workers-vpc/) — no more copy-pasting UUIDs. * **Real-time visibility**: Monitor [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) and Tunnel [health status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#tunnel-status) directly in the dashboard. * **Routing map**: Manage all ingress routes for your Tunnel, including [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), [private hostnames](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/), [private CIDRs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/), and [Workers VPC services](https://developers.cloudflare.com/workers-vpc/), from a single interactive interface. #### Choose the right dashboard for your use case **Core Dashboard**: Navigate to [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels) to manage Tunnels for: * Securing origin servers and [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) with CDN, WAF, Load Balancing, and DDoS protection * Connecting [Workers to private services](https://developers.cloudflare.com/workers-vpc/) via Workers VPC **Cloudflare One Dashboard**: Navigate to [Zero Trust > Networks > Connectors ↗](https://one.dash.cloudflare.com/?to=/:account/networks/connectors) to manage Tunnels for: * Securing your public applications with [Zero Trust access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) * Connecting users to [private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) * Building a [private mesh network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks) Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow. #### Get started New to Tunnel? Learn how to [get started with Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or explore advanced use cases like [securing SSH servers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/) or [running Tunnels in Kubernetes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes/). ## 2026-01-15 **Verify WARP Connector connectivity with a simple ping** We have made it easier to validate connectivity when deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) as part of your [software-defined private network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks). You can now `ping` the WARP Connector host directly on its LAN IP address immediately after installation. This provides a fast, familiar way to confirm that the Connector is online and reachable within your network before testing access to downstream services. Starting with [version 2025.10.186.0](https://developers.cloudflare.com/changelog/2026-01-13-warp-linux-ga/), WARP Connector responds to traffic addressed to its own LAN IP, giving you immediate visibility into Connector reachability. Learn more about deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) and building private network connectivity with [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/). ## 2025-11-11 **cloudflared proxy-dns command will be removed starting February 2, 2026** Starting February 2, 2026, the `cloudflared proxy-dns` command will be removed from all new `cloudflared` [releases](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/). This change is being made to enhance security and address a potential vulnerability in an underlying DNS library. This vulnerability is specific to the `proxy-dns` command and does not affect any other `cloudflared` features, such as the core [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) service. The `proxy-dns` command, which runs a client-side [DNS-over-HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) proxy, has been an officially undocumented feature for several years. This functionality is fully and securely supported by our actively developed products. Versions of `cloudflared` released before this date will not be affected and will continue to operate. However, note that our [official support policy](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#deprecated-releases) for any `cloudflared` release is one year from its release date. #### Migration paths We strongly advise users of this undocumented feature to migrate to one of the following officially supported solutions before February 2, 2026, to continue benefiting from secure [DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/). #### End-user devices The preferred method for enabling DNS-over-HTTPS on user devices is the [Cloudflare WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). The WARP client automatically secures and proxies all DNS traffic from your device, integrating it with your organization's [Zero Trust policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and [posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). #### Servers, routers, and IoT devices For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/). Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/) to Cloudflare for [filtering and logging](https://developers.cloudflare.com/cloudflare-one/traffic-policies/). ## 2025-09-18 **Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel** You can now route private traffic to [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is **free for all Cloudflare One customers**. Previously, Tunnel routes could only be defined by IP address or [CIDR range](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists. ![Hostname-based routing in Cloudflare Tunnel](https://developers.cloudflare.com/_astro/tunnel-hostname-routing.DSi8MP_7_Z1E6Ym4.webp) **What’s new:** * **Hostname & Domain Routing**: Create routes for individual hostnames (e.g., `payroll.acme.local`) or entire domains (e.g., `*.acme.local`) and direct their traffic to a specific Tunnel. * **Simplified Zero Trust Policies**: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications. * **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services. * **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete. Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route. Learn more in our [blog post ↗](https://blog.cloudflare.com/tunnel-hostname-routing/). ## 2025-09-02 **Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025** Starting **December 1, 2025**, list endpoints for the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified. No action is required if you already explicitly set `is_deleted=false` or if you only need to list active resources. This change affects the following API endpoints: * List all tunnels: [GET /accounts/{account\_id}/tunnels](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/methods/list/) * List [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/): [GET /accounts/{account\_id}/cfd\_tunnel](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/methods/list/) * List [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) tunnels: [GET /accounts/{account\_id}/warp\_connector](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/warp%5Fconnector/methods/list/) * List tunnel routes: [GET /accounts/{account\_id}/teamnet/routes](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/list/) * List subnets: [GET /accounts/{account\_id}/zerotrust/subnets](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/subnets/methods/list/) * List virtual networks: [GET /accounts/{account\_id}/teamnet/virtual\_networks](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/virtual%5Fnetworks/methods/list/) #### What is changing? The default behavior of the `is_deleted` query parameter will be updated. | Scenario | Previous behavior (before December 1, 2025) | New behavior (from December 1, 2025) | | -------------------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------- | | is\_deleted parameter is omitted | Returns **active & deleted** tunnels, routes, subnets and virtual networks | Returns **only active** tunnels, routes, subnets and virtual networks | #### Action required If you need to retrieve deleted (or all) resources, please update your API calls to explicitly include the `is_deleted` parameter before **December 1, 2025**. To get a list of only deleted resources, you must now explicitly add the `is_deleted=true` query parameter to your request: Terminal window ``` # Example: Get ONLY deleted Tunnels curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels?is_deleted=true" \ -H "Authorization: Bearer $API_TOKEN" # Example: Get ONLY deleted Virtual Networks curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks?is_deleted=true" \ -H "Authorization: Bearer $API_TOKEN" ``` Following this change, retrieving a complete list of both active and deleted resources will require two separate API calls: one to get active items (by omitting the parameter or using `is_deleted=false`) and one to get deleted items (`is_deleted=true`). #### Why we’re making this change This update is based on user feedback and aims to: * **Create a more intuitive default:** Aligning with common API design principles where list operations return only active resources by default. * **Reduce unexpected results:** Prevents users from accidentally operating on deleted resources that were returned unexpectedly. * **Improve performance:** For most users, the default query result will now be smaller and more relevant. To learn more, please visit the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) documentation. ## 2025-07-15 **Faster, more reliable UDP traffic for Cloudflare Tunnel** Your real-time applications running over [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) are now faster and more reliable. We've completely re-architected the way `cloudflared` proxies UDP traffic in order to isolate it from other traffic, ensuring latency-sensitive applications like private DNS are no longer slowed down by heavy TCP traffic (like file transfers) on the same Tunnel. This is a foundational improvement to Cloudflare Tunnel, delivered automatically to all customers. There are no settings to configure — your UDP traffic is already flowing faster and more reliably. **What’s new:** * **Faster UDP performance**: We've significantly reduced the latency for establishing new UDP sessions, making applications like private DNS much more responsive. * **Greater reliability for mixed traffic**: UDP packets are no longer affected by heavy TCP traffic, preventing timeouts and connection drops for your real-time services. Learn more about running [TCP or UDP applications](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-applications) and [private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). ## 2024-12-19 **Troubleshoot tunnels with diagnostic logs** The latest `cloudflared` build [2024.12.2 ↗](https://github.com/cloudflare/cloudflared/releases/tag/2024.12.2) introduces the ability to collect all the diagnostic logs needed to troubleshoot a `cloudflared` instance. A diagnostic report collects data from a single instance of `cloudflared` running on the local machine and outputs it to a `cloudflared-diag` file. For more information, refer to [Diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/). ## 2024-10-17 **Simplifed WARP Connector deployment** You can now deploy WARP Connector using a simplified, guided workflow similar to `cloudflared` connectors. For detailed instructions, refer to the [WARP Connector documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/). ## 2024-10-10 **Bugfix for --grace-period** The new `cloudflared` build [2024.10.0 ↗](https://github.com/cloudflare/cloudflared/releases/tag/2024.10.0) has a bugfix related to the [\--grace-period](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#grace-period) tunnel run parameter. `cloudflared` connectors will now abide by the specified waiting period before forcefully closing connections to Cloudflare's network. ## 2024-08-06 **cloudflared builds available in GitHub for Apple silicon** macOS users can now download `cloudflared-arm64.pkg` directly from [GitHub ↗](https://github.com/cloudflare/cloudflared/releases), in addition to being available via Homebrew. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/changelog/","name":"Changelog"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/changelog/tunnel/","name":"Cloudflare Tunnel"}}]} ``` --- --- title: Reference architecture image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/reference-architecture.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Reference architecture ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/reference-architecture/","name":"Reference architecture"}}]} ``` --- --- title: Account limits description: This page lists the default account limits for rules, applications, fields, and other features. These limits may be increased on Enterprise accounts. To request a limit increase, contact your account team. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/account-limits.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Account limits This page lists the default account limits for rules, applications, fields, and other features. These limits may be increased on Enterprise accounts. To request a limit increase, contact your account team. ## Access | Feature | Limit | | ------------------------ | ----- | | Applications | 500 | | Audit Logpush jobs | 5 | | Email addresses per rule | 1,000 | | Rule groups | 300 | | Rules per rule group | 1,000 | | IP addresses per rule | 1,000 | | mTLS root certificates | 50 | | Service tokens | 50 | | Identity providers | 50 | | Reusable policies | 500 | | Rules per application | 1,000 | | Domains per application | 5 | | Infrastructure targets | 5,000 | | MCP portals | 20 | | MCP servers per portal | 10 | ## Gateway | Feature | Limit | | ----------------------------------------- | ----- | | DNS policies per account | 500 | | Network policies per account | 500 | | HTTP policies per account | 500 | | Egress policies per account | 500 | | Resolver policies per account | 500 | | DNS locations | 250 | | Source IP CIDRs per DNS location | 1,500 | | Concurrent streams for HTTP/2 connections | 256 | | PAC files (Standard users) | 50 | | PAC files (Enterprise users) | 1,000 | | Proxy endpoints (Standard users) | 50 | | Proxy endpoints (Enterprise users) | 500 | | Source IP CIDRs per proxy endpoint | 2,000 | | Lists | 100 | | Entries per list (Standard users) | 1,000 | | Entries per list (Enterprise users) | 5,000 | | List API requests per minute | 600 | | DNS Logpush jobs | 5 | | HTTP Logpush jobs | 5 | ## Data Loss Prevention (DLP) | Feature | Limit | | ---------------------------------------- | --------- | | Custom entries | 25 | | Exact Data Match cells per spreadsheet | 100,000 | | Custom Wordlist keywords per spreadsheet | 200 | | Custom Wordlist keywords per account | 1,000 | | Dataset cells per account | 1,000,000 | ## Cloudflare Tunnel | Feature | Limit | | -------------------------------------------------- | ----- | | cloudflared tunnels per account | 1,000 | | WARP Connectors per account | 10 | | Routes (CIDR routes + Hostname routes) per account | 1,000 | | Active cloudflared replicas per tunnel | 25 | | Virtual networks per account | 1,000 | ## Digital Experience Monitoring (DEX) | Feature | Limit | | ----------------------- | -------------------------------------------------------------------------- | | DEX Tests per account | Zero Trust Free: 10 Zero Trust Standard: 30 Zero Trust Enterprise: 50 | | Remote captures per day | Zero Trust Free: 100 Zero Trust Standard: 200 Zero Trust Enterprise: 800 | ## Certificates | Feature | Limit | | ------------------------------ | ----- | | Active certificates | 10 | | Certificates generated per day | 3 | | Custom certificates | 5 | ## Maximum number of characters | Feature | Character limit | | ----------------------------- | --------------- | | Application name | 350 | | Group name | 350 | | mTLS certificates name | 350 | | Service token name | 350 | | IdP name | 350 | | Target name | 255 | | Application URL | 63 | | Team domain | 63 | | Gateway API policy expression | 140,000 | ## Cloudflare One Client | Feature | Limit | | -------------------------------------------------------------------------- | ------ | | Characters per device profile expression | 10,000 | | Combined Split Tunnel and Local Domain Fallback entries per device profile | 1,000 | | Device IP profiles per account | 30 | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/account-limits/","name":"Account limits"}}]} ``` --- --- title: FAQ description: Review answers to the most commonly asked questions on Cloudflare Zero Trust, as well as a troubleshooting section to help you solve common issues and errors you may come across. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/faq/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # FAQ Review answers to the most commonly asked questions on Cloudflare Zero Trust, as well as a troubleshooting section to help you solve common issues and errors you may come across. If you cannot find the answer you are looking for, go to our [community page ↗](https://community.cloudflare.com/) and post your question there. --- ## Getting started with Cloudflare Zero Trust For extra guidance on experiencing Cloudflare Zero Trust for the first time. [ Getting started ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/) ## General For general questions on Cloudflare Zero Trust and how it works. [ General ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/general-faq/) ## Identity For questions on identity providers and accessing applications behind Cloudflare Zero Trust. [ Identity ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/authentication-faq/) ## Policies For questions on how policies work, and how to create and test them. [ Policies ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/policies-faq/) ## Devices For questions on device connectivity and the Cloudflare One Client. [ Devices ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/devices-faq/) ## Tunnels For questions on connecting applications with Tunnels. [ Tunnels ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/cloudflare-tunnels-faq/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/faq/","name":"FAQ"}}]} ``` --- --- title: Identity FAQ description: Review frequently asked questions about identity and identity providers in Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/faq/authentication-faq.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Identity FAQ [❮ Back to FAQ](https://developers.cloudflare.com/cloudflare-one/faq/) ## Can Access work with multiple identity providers at the same time? Yes. Your team can simultaneously use multiple providers, reducing friction when working with partners or contractors. Get started by adding your preferred identity providers as login methods in Zero Trust. Then, when securing a new application behind Access, you'll be able to choose which providers you want your users to log in with to reach that application. ## What if the identity provider my team uses is not listed? You can add your preferred identity providers to Cloudflare Access even if you do not see them listed in Zero Trust, as long as these providers support SAML 2.0 or [OpenID Connect (OIDC)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/). ## How do end users log out of an application protected by Access? Access provides a URL that will end a user's current session. To force log out of an Access application, go to: `/cdn-cgi/access/logout` To log out of an App Launcher session, go to: `.cloudflareaccess.com/cdn-cgi/access/logout` For more information, refer to our [session management page](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#log-out-as-a-user). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/faq/","name":"FAQ"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/faq/authentication-faq/","name":"Identity FAQ"}}]} ``` --- --- title: Tunnels FAQ description: Review frequently asked questions about tunnels in Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Tunnels FAQ [❮ Back to FAQ](https://developers.cloudflare.com/cloudflare-one/faq/) ## ​Can I create a Tunnel for an apex domain? Yes. With [Named Tunnels ↗](https://blog.cloudflare.com/argo-tunnels-that-live-forever/) you can create a CNAME at the apex that points to the named tunnel. ## ​Does Cloudflare Tunnel support Websockets? Yes. Cloudflare Tunnel has full support for Websockets. ## ​Does Cloudflare Tunnel support gRPC? Yes. Cloudflare Tunnel supports gRPC traffic via [private subnet routing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). Public hostname deployments are not currently supported. ## How can Tunnel be used with Partial DNS (CNAME Setup)? Cloudflare offers two modes of setup: [Full Setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/), in which the domain uses Cloudflare DNS nameservers, and [Partial Setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/) (also known as CNAME setup) in which the domain uses non-Cloudflare DNS servers. The best experience with Cloudflare Tunnel is using Full Setup because Cloudflare manages DNS for the domain and can automatically configure DNS records for newly started Tunnels. You can still use Tunnel with Partial Setup. You will need to create a new DNS record with your current DNS provider for each new hostname connected through Cloudflare Tunnel. The DNS record should be of type CNAME or ALIAS if it is on the root of the domain. The name of the record should be the subdomain it corresponds to (e.g. `example.com` or `tunnel.example.com`) and the value of the record should be `subdomain.domain.tld.cdn.cloudflare.net`. (e.g. `example.com.cdn.cloudflare.net` or `tunnel.example.com.cdn.cloudflare.net`) ## How can origin servers be secured when using Tunnel? Tunnel can expose web applications to the Internet that sit behind a NAT or firewall. Thus, you can keep your web server otherwise completely locked down. To double check that your origin web server is not responding to requests outside Cloudflare while Tunnel is running you can run netcat in the command line: Terminal window ``` netcat -zv [your-server's-ip-address] 80 netcat -zv [your-server's-ip-address] 443 ``` If your server is still responding on those ports, you will see: ``` [ip-address] 80 (http) open ``` If your server is correctly locked down, you will see: ``` [ip-address] 443 (https): Connection refused ``` ## What records are created for routing to a Named Tunnel's hostname? Named Tunnels can be routed via DNS records, in which case we use CNAME records to point to the `.cfargotunnel.com`; Or as Load Balancing endpoints, which also point to `.cfargotunnel.com`. ## Does Cloudflare Tunnel send visitor IPs to my origin? No. When using Cloudflare Tunnel, all requests to the origin are made internally between `cloudflared` and the origin. To log external visitor IPs, you will need to [configure an alternative method](https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/). ## Why does the name 'warp' and 'argo' appear in some legacy materials? Cloudflare Tunnel was previously named Warp during the beta phase. As Warp was added to the Argo product family, we changed the name to Argo Tunnel to match. Once we no longer required users to purchase Argo to create Tunnels, we renamed Argo Tunnel to Cloudflare Tunnel. ## Is it possible to restore a deleted tunnel? No. You cannot undo a tunnel deletion. If the tunnel was locally-managed, its [config.yaml file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#configuration-file) will still be present and you can create a new tunnel with the same configuration. If the tunnel was remotely-managed, both the tunnel and its configuration are permanently deleted. ## How do I contact support? Before contacting the Cloudflare support team: 1. Take note of any specific error messages and/or problematic behaviors. 2. Make sure that `cloudflared` is updated to the [latest version ↗](https://github.com/cloudflare/cloudflared). 3. Gather any relevant error/access logs from your server. 4. If needed set [\--loglevel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#loglevel) to `debug`, so the Cloudflare support team can get more info from the `cloudflared.log` file. 5. Include your [Cloudflare Tunnel diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/) (`cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip`). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/faq/","name":"FAQ"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/faq/cloudflare-tunnels-faq/","name":"Tunnels FAQ"}}]} ``` --- --- title: Devices FAQ description: Review frequently asked questions about devices in Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/faq/devices-faq.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Devices FAQ [❮ Back to FAQ](https://developers.cloudflare.com/cloudflare-one/faq/) ## Why does my Windows device appear to switch from Wi-Fi to Ethernet when I enable the Cloudflare One Client? As the Cloudflare One Client has replaced WinDivert with WinTun architecture, all Windows machines using WinTun will show as being connected using a virtual adapter. Windows, by default, shows virtual adapter connections with a wired Ethernet connection icon, even if the device is connected over wireless. This is by design and should have no impact on connectivity. ## Why is my device not connecting to a closer Cloudflare data center? As our [Network Map ↗](https://www.cloudflare.com/en-gb/network/) shows, we have locations all over the globe. However, in the Advanced Connection stats of our application, you may notice that the data center (colo) you are connecting to isn't necessarily the one physically closest to your location. This can be due to a number of reasons: * Sometimes your nearest colo may be undergoing maintenance or having problems. Check the [Cloudflare Status page ↗](https://www.cloudflarestatus.com/) for system status. * Your Internet provider may choose to route traffic along an alternate path for reasons such as cost savings, reliability, or other infrastructure concerns. ## Why is my public IP address sometimes visible? The Cloudflare One Client is meant to ensure all your traffic is kept private between you and the origin (the site you are connecting to), but not from the origin itself. In a number of cases, if the origin site you are communicating with can't determine who you are and where you're from, they can't serve locale relevant content to you. Sites inside Cloudflare network are able to see this information. If a site is showing you your IP address, chances are they are in our network. Most sites outside our network (orange clouded sites) however are unable to see this information and instead see the nearest egress colo to their server. We are working to see if in the future we can't find a way to more easily share this information with a limited number of gray clouded sites where it is relevant to both parties. ## Why has my throughput dropped while using the Cloudflare One Client? The Cloudflare One Client is in part powered by 1.1.1.1\. When visiting sites or going to a new location on the Internet, you should see blazing fast DNS lookups. However, the Cloudflare One Client is built to trade some throughput for enhanced privacy, because it encrypts all traffic both to and from your device. While this isn't noticeable at most mobile speeds, on desktop systems in countries where high speed broadband is available, you may notice a drop. We think the tradeoff is worth it though and continue to work on improving performance all over the system. ## Why is my device not connecting to a public Wi-Fi? The Wi-Fi network may have a captive portal that is blocking the Cloudflare One Client from establishing a secure connection. In order to access the portal, and therefore the Internet, you will need to temporarily turn off the Cloudflare One Client. After you login to the captive portal through your browser, you can turn the Cloudflare One Client back on to access corporate resources. For more information, refer to [Captive portal detection](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/). ## Why is my device not connecting to the Internet? A third-party service or ISP may be blocking WARP, or Zero Trust settings may be misconfigured. For a list of common issues and steps to resolve, refer to our [troubleshooting guide](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/). ## Why is my device not connecting to the corporate Wi-Fi? An [OS firewall rule](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#system-firewall) on the device may be blocking the EAP/Radius server that allows users to join the Wi-Fi network. If your corporate Wi-Fi uses a Radius server for network authentication, add the Radius server to your [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) Exclude list. ## Why is my device not connecting to my private network? If your private network is [exposed via Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/): * Verify that the Cloudflare One Client is [properly configured](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#device-configuration) on the device. * Verify that the user is allowed through by your Access and Gateway policies. * Verify that the [local LAN settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#router-configuration) for the device do not overlap with the CIDR range of your private network. When contacting Cloudflare support, ensure that you include [Cloudflare One Client debug logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/) for your device. These logs will help Cloudflare support understand the overall architecture of your machine and networks. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/faq/","name":"FAQ"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/faq/devices-faq/","name":"Devices FAQ"}}]} ``` --- --- title: General description: Review frequently asked questions about Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/faq/general-faq.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # General [❮ Back to FAQ](https://developers.cloudflare.com/cloudflare-one/faq/) ## What is the difference between Cloudflare Gateway and 1.1.1.1? 1.1.1.1 does not block any DNS query. When a browser requests for example.com, 1.1.1.1 simply looks up the answer either in cache or by performing a full recursive DNS query. Cloudflare Gateway's DNS resolver introduces security into this flow. Instead of allowing all DNS queries, Gateway first checks the hostname being queried against the intelligence Cloudflare has about threats on the Internet. If that query matches a known threat, or is requesting a blocked domain configured by an administrator as part of a Gateway policy, Gateway stops it before the site could load for the user - and potentially execute code or phish that team member. ## Is multi-factor authentication supported? Access is subjected to the MFA policies set in your identity provider. For example, users attempting to log in to an Access protected app might log in through Okta. Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. Access does not have an independent or out-of-band MFA feature. ## Which browsers are supported? These browsers are supported: * Internet Explorer 11 * Edge (current release, last release) * Firefox (current release, last release) * Chrome (current release, last release) * Safari (current release, last release) ## What data localization services are supported? Cloudflare Zero Trust can be used with the Data Localization Suite to ensure that traffic is only inspected in the regions you choose. For more information refer to [Use Zero Trust with Data Localization Suite](https://developers.cloudflare.com/data-localization/how-to/zero-trust/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/faq/","name":"FAQ"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/faq/general-faq/","name":"General"}}]} ``` --- --- title: Getting started with Cloudflare Zero Trust FAQ description: Review FAQs about getting started with Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Getting started with Cloudflare Zero Trust FAQ [❮ Back to FAQ](https://developers.cloudflare.com/cloudflare-one/faq/) ## How do I sign up for Cloudflare Zero Trust? You can sign up today at [this link ↗](https://one.dash.cloudflare.com). Follow the onboarding steps, choose a team name and a payment plan, and start protecting your network in just a few minutes. ## What is a team domain/team name? Your team domain is a unique subdomain assigned to your Cloudflare account, for example, `.cloudflareaccess.com`. [Setting up a team domain](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization) is an essential step in your Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) — and will be able to make login requests to them. The customizable portion of your team domain is called **team name**. You can view your team name and team domain in [Cloudflare One ↗](https://one.dash.cloudflare.com/) under **Settings**. | team name | team domain | | -------------- | ------------------------------------- | | your-team-name | .cloudflareaccess.com | You can change your team name at any time, unless you have the Cloudflare dashboard SSO feature enabled on your account. If Cloudflare dashboard SSO is enabled, you must [turn off SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/#change-your-zero-trust-team-name) before changing your team name. Note Once a team name has been used, even if the team domain is later deleted, the team name cannot be reused by any account. Once you delete a team name, you will not be able to use it again. Consider this limitation before changing or deleting your team name. Warning If you change your team name, you need to update your organization's identity providers (IdPs) and the Cloudflare One Client to reflect the new team name in order to avoid any mismatch errors. ### Why is my old team name is still showing up on the Login page and App Launcher? After changing your team name, you will need to check your Block page, Login page, and App Launcher settings to make sure the new team name is reflected. To verify that your team name change is successfully rendering on the Block page, Login page and App Launcher: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Custom pages** \> **Team name and domain**. 2. Find the **Account Gateway block page** and **Access login page** sections, then select **Manage** next to the page you would like to review first. 3. Review that the value in **Your Organization's name** matches your new team name. 4. If the desired name is not already displayed, change the value to your desired team name and select **Save**. 5. Check both pages (**Account Gateway block page** and **Access login page** to set **Your Organization's name** as your desired team name. The App Launcher will display the same team name set on the Access login page, so you do not need to update the **Your Organization's name** field in the App Launcher page. ## How do I change my subscription plan? To make changes to your subscription, visit the Billing section under **Settings** in [Cloudflare One ↗](https://one.dash.cloudflare.com/). You can change or cancel your subscription at any time. Just remember - if you downgrade your plan during a billing cycle, your downgraded pricing will apply in the next billing cycle. If you upgrade during a billing cycle, you will be billed for the upgraded plan at the moment you select it. ## How are active seats measured? Cloudflare Zero Trust subscriptions consist of seats that users in your account consume. When users authenticate to an application or enroll their agent into the Cloudflare One Client, they count against one of your active seats. Seats can be added, removed, or revoked at **Settings** \> **Cloudflare One plan**. If all seats are currently consumed, you must first remove users before decreasing your purchased seat count. ### Removing users User seats can be removed for Access and Gateway at **Team & Resources** \> **Users** \> **Your users**. Removing a user will have consequences both on Access and on Gateway: * **Access**: All active sessions for that user will be invalidated. A user will be able to log back into an application unless you create an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to block future logins from that user. * **Gateway**: All active devices for that user will be logged out of your Zero Trust organization, which stops all filtering and routing via the Cloudflare One Client. A user will be able to re-enroll their device unless you create a [device enrollment policy](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) to block them. Warning The Remove action will remove a user's seat, but it will not permanently revoke their ability to authenticate. To permanently disable a user's ability to authenticate, you must modify the policies that allow them to reach a given application or enroll a device in the Cloudflare One Client. ### Revoking users The Revoke action will terminate active sessions and log out active devices, but will not remove the user's consumption of an active seat. ## How do I know if my network is protected behind Cloudflare Zero Trust? You can visit the [Zero Trust help page ↗](https://help.one.cloudflare.com/). This page will give you an overview of your network details, as well as an overview of the categories that are being blocked and/or allowed. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/faq/","name":"FAQ"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/faq/getting-started-faq/","name":"Getting started with Cloudflare Zero Trust FAQ"}}]} ``` --- --- title: Policies FAQ description: Review frequently asked questions about policies in Cloudflare Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/faq/policies-faq.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Policies FAQ [❮ Back to FAQ](https://developers.cloudflare.com/cloudflare-one/faq/) ## What is the order of policy enforcement? Gateway and Access policies generally trigger from top to bottom based on their position in the policy table in the UI. Exceptions include Bypass and Service Auth policies, which Access evaluates first. Similarly, for Gateway HTTP policies, Do Not Inspect and Isolate policies take precedence over all Allow or Block policies. To learn more about order of enforcement, refer to our documentation for [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#order-of-execution) and [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/). ## **How can I bypass the L7 firewall for a website?** Cloudflare Gateway uses the hostname in the HTTP `CONNECT` header to identify the destination of the request. Administrators who wish to bypass a site must create a [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic. Bypassing the L7 firewall results in no HTTP traffic inspection, and logging is disabled for that HTTP session. ## Can I secure applications with a second-level subdomain URL? Yes. Ensure that your SSL certificates cover the first- and second-level subdomain. Most certificates only cover the first-level subdomain and not the second. This is true for most Cloudflare certificates. To cover a second-level subdomain with a CF certificate, create an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/). Wildcard-based policies in Cloudflare Access only cover the level where they are applied. Add the wildcard policy to the left-most subdomain to be covered. ## How do isolation policies work together with HTTP policies? Isolation policies, like all HTTP policies, are evaluated in stages. When a user makes a request which evaluates an Isolation policy, the request will be rerouted to an isolated browser and re-evaluated for HTTP policies. This makes it possible for an isolated browser to remotely render a block page, or have malicious content within the isolated browser blocked by HTTP policies. ## Why is API or CLI traffic not isolated? Isolation policies are applied to requests that include `Accept: text/html*`. This allows Browser Isolation policies to co-exist with API and command line requests. ## Can Access enforce policies on a specific nonstandard port? No. Cloudflare Access cannot enforce a policy that would contain a port appended to the URL. However, you can use Cloudflare Tunnel to point traffic to non-standard ports. For example, if Jira is available at port `8443` on your origin, you can proxy traffic to that port via Cloudflare Tunnel. ## Why can I still reach domains blocked by a Gateway policy? If the domain is blocked by a DNS, network, or HTTP policy, it may be because: * **Your policy is still being updated.** After you edit or create a policy, Cloudflare updates the new setting across all of our data centers around the world. It takes about 60 seconds for the change to propagate. If the domain is only blocked by a DNS policy, it may be because: * **Your device is using another DNS resolver.** If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. As a result, the domain you are trying to block is still accessible from your device. Make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses. * **Your policy is not assigned to a DNS location.** If your policy is not assigned to a DNS location and you send a DNS query from that location, Gateway will not apply that policy. Assign a policy to a DNS location to make sure the desired policy is applied when you send a DNS query from that location. * **Your DoH endpoint is not a Gateway DNS location**. Browsers can be configured to use any DoH endpoint. If you chose to configure DoH directly in your browser, make sure that the DoH endpoint is a Gateway DNS location. If the domain is only blocked by a network policy, it may be because: * **Your browser is reusing an existing connection**. Network policies only apply when a connection is opened. If a browser is connected to a domain to be blocked by a network policy, Gateway will not block requests until the connection is closed. To block the domain, close any related tabs or restart your browser. ## When does Access return a Forbidden status page versus a login page? Access returns a Forbidden page with status codes `401`/`403` when it determines there is no way a user can pass a [policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). If Cloudflare can make a full policy determination that a user will not be able to log in, Access will return a Forbidden page instead of a [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). For example, your application has a policy that requires a user to be in a [specific geolocation](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#allow) to log in. As admin, you could define this geolocation policy by using [Include](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#include) rules, meaning the user could log in to the application from Country A or Country B. Or you could define this geolocation policy using a [Require](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#require) rule, meaning the user must be in Country A to log in. If a user from country C attempts to access the application, in both the Include and Require scenarios, the user will receive the Forbidden page. This is because Country C was not defined in either scenario. Therefore, Cloudflare has determined that this user cannot meet policy requirements and will receive the Forbidden status page. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/faq/","name":"FAQ"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/faq/policies-faq/","name":"Policies FAQ"}}]} ``` --- --- title: API and Terraform description: You can manage your Cloudflare Zero Trust configuration using the API or Terraform. For more information, refer to the following links: image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/api-terraform.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # API and Terraform You can manage your Cloudflare Zero Trust configuration using the API or Terraform. For more information, refer to the following links: * [API reference](https://developers.cloudflare.com/api/) * [Terraform provider reference ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Terraform how-to documentation](https://developers.cloudflare.com/terraform/) Detailed API and Terraform examples for Cloudflare Zero Trust are available in our [implementation guides](https://developers.cloudflare.com/cloudflare-one/implementation-guides/) and throughout the Cloudflare Zero Trust documentation. ## Set dashboard to read-only Super Administrators can lock all settings as read-only in the Cloudflare One dashboard. Read-only mode ensures that all updates for the account are made through the API or Terraform. To enable read-only mode: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Settings** \> **Admin controls**. 2. Enable **Set dashboard to read-only**. All users, regardless of [user permissions](https://developers.cloudflare.com/cloudflare-one/roles-permissions/), will be prevented from making configuration changes through the UI. ## Scoped API tokens The administrators managing policies and groups in Cloudflare Zero Trust might be different from those responsible for configuring WAF custom rules or other Cloudflare settings. You can configure scoped API tokens so that team members and automated systems can manage Cloudflare Zero Trust settings without having permission to modify other configurations in Cloudflare. You can create a scoped API token [via the dashboard](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) or [via the API](https://developers.cloudflare.com/fundamentals/api/how-to/create-via-api/). For a list of available token permissions, refer to [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/api-terraform/","name":"API and Terraform"}}]} ``` --- --- title: Troubleshooting description: Find troubleshooting guides for Cloudflare One products and learn how to collect information for Cloudflare Support. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Troubleshooting Cloudflare One provides troubleshooting guides to help you diagnose and resolve common connectivity, configuration, and security issues across your Zero Trust organization. If you cannot resolve an issue using these guides, you can collect diagnostic information and [contact Cloudflare Support](https://developers.cloudflare.com/cloudflare-one/troubleshooting/contact-support/). * [ Access ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/access/) * [ Gateway ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/gateway/) * [ Tunnel ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/tunnel/) * [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/warp-client/) * [ CASB ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/casb/) * [ DLP ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/dlp/) * [ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/browser-isolation/) * [ DEX ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/dex/) * [ Email Security ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/email-security/) * [ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/wan/) * [ Contact Cloudflare Support ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/contact-support/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}}]} ``` --- --- title: Access description: Review common troubleshooting scenarios for Cloudflare Access. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/access.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Access Review common troubleshooting scenarios for Cloudflare Access. ## Authentication and login ### AJAX/CORS errors Cloudflare Access requires that the `credentials: same-origin` parameter be added to JavaScript when using the Fetch API to include cookies. AJAX requests fail if this parameter is missing, resulting in an error such as `No Access-Control-Allow-Origin header is present on the requested resource`. For more information, refer to [CORS settings](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/). ### SAML verification failure The error `SAML Verify: Invalid SAML response, SAML Verify: No certificate selected to verify` occurs when the identity provider (IdP) does not include the signing public key in the SAML response. Cloudflare Access requires the public key to match the **Signing certificate** uploaded to Zero Trust. Configure your IdP to include the public key in the response. ### Identity provider user/group info error The error `Failed to fetch user/group information from the identity provider` occurs when Cloudflare lacks the necessary API permissions to communicate with your IdP. Review the [SSO integration guide](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) for your specific IdP and ensure the application has the correct permissions (for example, Microsoft Entra or Okta). ### Google Workspace redirect loop If you place your Google Workspace behind Access, you cannot use Google or Google Workspace as an identity provider for that application. This creates an infinite redirect cycle because both systems depend on each other to complete the login. ### Invalid session error The error `Invalid session. Please try logging in again` indicates that Access was unable to validate your `CF_Session` cookie. This can happen if software or a firewall on your device interferes with requests to Access. Ensure that the same browser instance is used to both initiate and complete the sign-in. ### Firefox Private Window Firefox's default tracking prevention in Private Windows may prevent the `CF_authorization` cookie from being sent, especially for XHR requests. To resolve this, you may need to exempt your application domain and your [team domain](https://developers.cloudflare.com/cloudflare-one/glossary/#team-name) from tracking protection. ### Workers routes on the login path If you have a Cloudflare Worker route assigned to your application's login path, the Worker may overwrite the `cf-authorization` cookie. To prevent this, ensure your Worker script does not modify or strip the `Set-Cookie` header for Access cookies. ## Identity providers ### OTP email not received If a user does not receive a one-time PIN (OTP) email: * **Policy denial**: If the user's email address does not match any **Allow** policies for the application, Cloudflare will not send an OTP email. The login page will still display a message saying the email was sent to prevent account enumeration. * **Email suppression**: The user's email may be on a suppression list due to previous delivery failures. Check your email logs or contact Support to clear suppressions. ### OTP code already used The error `This One-Time PIN has already been used` occurs when the OTP code has already been redeemed before the user enters it. OTP codes are single-use and expire 10 minutes after the initial request. This error most commonly occurs when an email security or anti-phishing tool on your network automatically follows links in emails, consuming the code before you have a chance to enter it. To resolve the issue, select **Request new code** on the login page. If the error recurs consistently, add `noreply@notify.cloudflare.com` to your email security tool's allowlist to prevent it from scanning Cloudflare authentication emails. For setup instructions, refer to [One-time PIN login](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/). ### Google Super Admin login If you use Access as the SSO provider for your Google Workspace, Google Super Admins cannot sign in via Access when accessing `admin.google.com`. Google requires Super Admins to use their original Google password to ensure they can always access the admin console. ### Missing SAML attributes If you receive a `Required attributes are missing` error during SAML authentication, verify that your IdP is sending the mandatory **email** attribute. Additionally, check for typos in attribute names (for example, `groups` vs `gropus`) in your [IdP configuration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). ## Applications and certificates ### SSH short-lived certificates The error `Error 0: Bad Request. Please create a ca for application` appears if a certificate has not been generated for the Access application. Refer to [SSH short-lived certificates](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/) to generate a CA for the application. ### SSH "Origin auth failed" This error often indicates a configuration issue on the target server's SSH daemon (`sshd`): * **SSHD config**: Verify that `PubkeyAuthentication` is set to `yes` and `TrustedUserCAKeys` points to the correct Cloudflare CA file. * **Multiple auth methods**: Cloudflare Access for Infrastructure currently does not support `AuthenticationMethods` with multiple comma-separated requirements (for example, `publickey,keyboard-interactive`). ### Team domain change error The error `Access api error auth_domain_cannot_be_updated_dash_sso` occurs if you try to change your team domain while [Cloudflare dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) is enabled. Dashboard SSO does not currently support team domain changes. ### Long-lived SSH sessions disconnect All connections proxied through Cloudflare Gateway, including traffic to [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) SSH targets, have a maximum guaranteed duration of 10 hours. If a connection is active during a Gateway release, it will be terminated 10 hours later. To prevent unexpected disconnects, we recommend terminating sessions on a predefined schedule (for example, an 8-hour idle timeout). You can configure this using `ChannelTimeout` in your SSH server or client configuration. --- ## More Access resources For more information, refer to the full Access troubleshooting guide. [ Full Access troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/access/","name":"Access"}}]} ``` --- --- title: Browser Isolation description: Review common troubleshooting scenarios for Cloudflare Browser Isolation. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/browser-isolation.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Browser Isolation Review common troubleshooting scenarios for Cloudflare Browser Isolation. ## Connectivity and sessions ### No Browsers Available If you encounter a `No Browsers Available` alert, please file feedback via the Cloudflare One Client. This error typically indicates a temporary capacity issue in the data center or a connectivity problem between your client and the remote browser. ### Maximum Sessions Reached This alert appears if your device attempts to establish more than two concurrent remote browser instances. A browser isolation session is shared across all tabs and windows within the same browser (for example, all Chrome tabs share one session). You can use two different browsers (such as Chrome and Firefox) concurrently, but opening a third will trigger this alert. To release a session, close all tabs and windows in one of your local browsers. ## Rendering and performance ### WebGL Rendering Error Cloudflare Browser Isolation uses Network Vector Rendering (NVR), which does not support WebGL (Web Graphics Library) in all environments. If a website requires WebGL and your device lacks the necessary hardware resources in the virtualized environment, you may see a rendering error. To resolve this, try enabling software rasterization in your browser: 1. Go to `chrome://flags/#override-software-rendering-list`. 2. Set **Override software rendering list** to _Enabled_. 3. Select **Relaunch**. ### Blank screen on Windows On Windows devices, Clientless Web Isolation may load with a blank screen if there is a conflict between browser mDNS settings and Windows IGMP configuration. | IGMPLevel | WebRTC Anonymization | Result | | ------------ | -------------------- | -------------- | | 0 (disabled) | Enabled / Default | ❌ Blank screen | | 0 (disabled) | Disabled | ✅ Works | | 2 (enabled) | Enabled / Default | ✅ Works | To fix this, either disable **Anonymize local IPs exposed by WebRTC** in your browser flags or ensure `IGMPLevel` is enabled (set to `2`) in your Windows network settings. ### Rendering issues (CSS/Images) If a website displays incorrectly (for example, broken CSS or missing images), it may indicate that the remote browser is unable to fetch specific resources from the origin server. Check your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/) for any blocked subresources that might be required by the page. --- ## More Browser Isolation resources For more information, refer to the full Browser Isolation documentation. [ Browser Isolation troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/troubleshooting/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/browser-isolation/","name":"Browser Isolation"}}]} ``` --- --- title: CASB description: Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/casb.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # CASB Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB). ## Security findings ### Findings not appearing If you do not see findings for an integrated application: * **Wait for scan**: Initial scans can take up to 24 hours depending on the size of the application. * **Permissions**: Ensure the account used to integrate the application has the necessary administrative permissions. * **Enabled status**: Verify that the integration is enabled in the Zero Trust dashboard. ### False positives If CASB flags a configuration that is intended for your organization: 1. Go to **CASB** \> **Findings**. 2. Select the finding and choose **Dismiss**. 3. Provide a reason for dismissal to help refine future scans. --- ## More CASB resources For more information, refer to the full CASB documentation. [ CASB troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/casb/","name":"CASB"}}]} ``` --- --- title: Contact Cloudflare Support description: If you cannot resolve an issue using our troubleshooting guides, you can open a support case. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/contact-support.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Contact Cloudflare Support If you cannot resolve an issue using our troubleshooting guides, you can [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). To help us investigate your issue quickly, please collect and provide the following information when you contact Cloudflare Support. ## 1\. Gather general information For all issues, please include: * **Timestamp (UTC)**: The exact time the issue occurred. * **Detailed description**: A clear description of the problem and the steps to reproduce it. * **Actual vs. Expected**: What happened versus what you expected to happen. * **Problem frequency**: How often does the issue occur? * **Screenshots**: Any relevant screenshots or videos of the error. * **Example URLs**: Specific URLs where the issue is occurring. ## 2\. Collect product diagnostics Depending on the product, providing diagnostic files is critical for a technical investigation. ### Cloudflare One Client (WARP) If the issue involves the Cloudflare One Client, run the `warp-diag` command on the affected device and attach the resulting `.zip` file to your case. For more information, refer to [Diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/). ### Cloudflare Tunnel If the issue involves Cloudflare Tunnel, run the `cloudflared tunnel diag` command and provide the generated report. For more information, refer to [Tunnel diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/). ### Access and Gateway For issues related to authentication loops, blocked websites, or policy enforcement: * **HAR file**: Provide a [HAR file](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while reproducing the issue. * **Ray ID**: If you see a Cloudflare error page, provide the **Ray ID** displayed at the bottom of the page. * **Identity Provider logs**: Relevant logs from your identity provider (IdP) if the issue involves login failures. * **Request ID**: For Gateway issues, you can find the `request_id` (HTTP logs) or `query_id` (DNS logs) in your [Gateway logs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/). ### Digital Experience Monitoring (DEX) For issues with DEX tests or device monitoring, provide a [remote capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/) from the Zero Trust dashboard. --- For more information, refer to [Contacting Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/contact-support/","name":"Contact Cloudflare Support"}}]} ``` --- --- title: DEX description: Review common troubleshooting scenarios for Digital Experience Monitoring (DEX). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/dex.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # DEX Review common troubleshooting scenarios for Digital Experience Monitoring (DEX). ## Data visibility ### No data displayed for certain users If you do not see DEX data for specific users in your organization, verify the following: * **Client version**: Ensure the users are running a version of the Cloudflare One Client that supports DEX. * **DEX enabled**: Confirm that DEX is enabled for the [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) assigned to those users. * **Traffic routing**: DEX requires that traffic to Cloudflare's orchestration API is not blocked by local firewalls or SSL-inspecting proxies. ### Fleet status not updating The Fleet status dashboard can take several minutes to reflect changes in device connectivity. If a device remains in an incorrect state, try disconnecting and reconnecting the Cloudflare One Client to force a status update. ## Remote captures ### Remote capture fails to start Remote captures require the Cloudflare One Client to be connected and able to communicate with the Cloudflare control plane. If a capture fails to start: * Verify the device status in the Zero Trust dashboard. * Ensure the device has sufficient disk space to store the capture files before upload. * Check for any local firewall rules that might be blocking the capture command. --- ## More DEX resources For more information, refer to the full DEX documentation. [ DEX troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/insights/dex/troubleshooting/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/dex/","name":"DEX"}}]} ``` --- --- title: DLP description: Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/dlp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # DLP Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). ## DLP policy does not trigger or block content DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/). To turn on TLS decryption: * [ Dashboard ](#tab-panel-3929) * [ Terraform (v5) ](#tab-panel-3930) 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings**. 2. In **Proxy and inspection**, turn on **Inspect HTTPS requests with TLS decryption**. 1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken): * `Zero Trust Write` 2. Configure the `tls_decrypt` argument in [cloudflare\_zero\_trust\_gateway\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings): ``` resource "cloudflare_zero_trust_gateway_settings" "team_name" { account_id = var.cloudflare_account_id settings = { tls_decrypt = { enabled = true } } } ``` Once you turn on TLS decryption, you can create a DLP policy to inspect the content of HTTPS requests. For example: | Selector | Operator | Value | Logic | Action | | ----------- | -------- | --------------------- | ----- | ------ | | Domain | in | box.com | And | Block | | DLP Profile | in | _Credit card numbers_ | | | ## DLP scans trigger false positives or block legitimate sites If your DLP policy is blocking access to business-critical applications (such as Zoho, Google, or internal domains) or generating a high number of false positives, your DLP policy is likely too broad. Profiles such as **Credentials and Secrets** are powerful but can be overly aggressive if not scoped correctly. ### Problematic configuration Applying a sensitive profile to all traffic causes unnecessary blocks. For example: | Selector | Operator | Value | Action | | ----------- | -------- | ------------------------- | ------ | | DLP Profile | in | _Credentials and Secrets_ | Block | ### Recommended solution Make your policies more specific. Instead of a catch-all block, create granular policies that target high-risk destinations or user groups. This policy only blocks uploads of financial data to file-sharing websites for a specific user group, reducing the risk of false positives on other sites. | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | --------------------------- | ----- | ------ | | Destination Domain | in | dropbox.com, wetransfer.com | And | Block | | DLP Profile | in | _Financial Information_ | And | | | User Group Names | in | Finance Team | | | You can also create policies that match trusted applications using the [**Do Not Scan** action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-scan). ## DLP detections are inconsistent If DLP detects sensitive data in plain text but not within images or certain applications, check for the following issues: * **OCR is turned on**: For DLP to scan text within images (such as a picture of a credit card), you must turn on [Optical Character Recognition (OCR)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#optical-character-recognition-ocr) in the corresponding DLP profile. * **Application-specific behavior**: Some applications, such as WhatsApp Web, use protocols or encryption methods (such as WebSockets) that Gateway may not be able to fully inspect with HTTP policies. * **Supported file types**: Content must be in a [supported file type](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types) for DLP inspection. ## DLP options are missing or you cannot create custom profiles If you cannot use the _DLP Profile_ selector when creating an HTTP policy or are blocked from creating a custom DLP profile, it typically means one of two things: 1. Incorrect plan. These features require a Zero Trust Enterprise plan. If you believe your account should have this entitlement, contact your account team to confirm your subscription details. 2. Permissions issue. You may not have the required administrative privileges to configure DLP settings. Check with your Cloudflare account administrator. --- ## More DLP resources For more information, refer to the full DLP documentation. [ DLP troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/troubleshoot-dlp/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/dlp/","name":"DLP"}}]} ``` --- --- title: Email Security description: Review common troubleshooting scenarios for Cloudflare Email Security. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/email-security.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Email Security Review common troubleshooting scenarios for Cloudflare Email Security. ## Email headers and attributes Email Security identifies threats using detections that result in a final disposition. You can inspect email headers to understand why a specific disposition was applied. | Attribute | Description | | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | CUSTOM\_BLOCK\_LIST | Matches a value defined in your custom block list. | | NEW\_DOMAIN\_SENDER | The email was sent from a newly registered domain. | | NEW\_DOMAIN\_LINK | The email contains links to a newly registered domain. | | ENCRYPTED | The email message is encrypted. | | BEC | The sender address is in your [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). | ## Detections and reclassification ### Handle a false positive A false positive occurs when a legitimate email is incorrectly flagged as malicious or spam. **Solution**: 1. In the Email Security dashboard, go to **Investigation**. 2. Find the email and select **Submit for reclassification**. 3. Choose the correct disposition (for example, `Clean`). 4. To prevent future blocks, add the sender to your [Acceptable Senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) list. ### Handle a false negative A false negative occurs when a malicious email is not detected by Email Security. **Solution**: 1. Ensure the email actually passed through Email Security by checking for the `X-CFEmailSecurity-Disposition` header. 2. Submit the email for reclassification in the dashboard. This is the preferred method for reporting missed detections. ## Authentication errors ### DMARC failures Email Security may mark an email as **SPAM** if it fails DMARC authentication and the sending domain has a `p=reject` or `p=quarantine` policy. **Solution**: * Ask the sender to fix their DMARC/SPF/DKIM records. * Configure an [Acceptable Sender](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) entry to suppress the failure for that specific sender. ## Delivery issues ### Emails are delayed or not arriving If emails are not being delivered or are arriving with significant latency: 1. **Check MX records**: Ensure your [MX records](https://developers.cloudflare.com/cloudflare-one/email-security/setup/) are correctly configured and pointing to Cloudflare. 2. **Verify connectivity**: From your sending mail server, verify you can connect to Cloudflare's mailstream endpoints on port 25. 3. **Check outbound logs**: In the dashboard, use the **Mail Trace** feature to confirm if Email Security successfully delivered the email to your downstream mail server (for example, Google Workspace or Microsoft 365). --- ## More Email Security resources For more information, refer to the full Email Security documentation. [ Email Security troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/email-security/troubleshooting/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/email-security/","name":"Email Security"}}]} ``` --- --- title: Gateway description: This guide helps you troubleshoot common issues with Cloudflare Gateway policies. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/gateway.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Gateway This guide helps you troubleshoot common issues with Cloudflare Gateway policies. ## Blocked websites and connectivity ### A website is blocked incorrectly If you believe a domain has been incorrectly blocked by Gateway's security categories or threat intelligence, you can use the [Cloudflare Radar categorization feedback form ↗](https://radar.cloudflare.com/categorization-feedback/) to request a review. ### Error 526: Invalid SSL certificate Gateway presents a **526** error page when it cannot establish a secure connection to the origin. This typically occurs in two cases: * **Untrusted origin certificate**: The certificate presented by the origin server is expired, revoked, or issued by an unknown authority. * **Insecure origin connection**: The origin does not support modern cipher suites or redirects all HTTPS requests to HTTP. For more information, refer to [Error 526](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/). ### Error 502: Bad Gateway This issue can occur when communicating with an origin that partially supports HTTP/2\. If the origin requests a downgrade to HTTP/1.1 (for example, via a `RST_STREAM` frame with `HTTP_1_1_REQUIRED`), Gateway will not automatically reissue the request over HTTP/1.1 and will instead return a `502 Bad Gateway`. To resolve this, disable HTTP/2 at the origin server. ### Untrusted certificate warnings If users see certificate warnings for every page, ensure that the [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed and trusted on their devices. This is required for Gateway to inspect HTTPS traffic. ## Dashboard and analytics ### Gateway analytics not displayed If you do not see analytics on the Gateway Overview page: * **Verify DNS traffic**: Ensure your devices are actually sending queries to Gateway. Check your [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) and verify the source IPv4 address. * **Check other resolvers**: Ensure that no other DNS resolvers are configured on the device, as they might be bypassing Gateway. * **Wait for processing**: It can take up to 5 minutes for analytics to appear in the dashboard. ## Egress policies Egress policies symptoms include traffic not using your dedicated egress IP, incorrect failover behavior, or high latency due to Gateway routing traffic through a distant data center. ### Symptom: traffic is not using your dedicated egress IP Even with an active egress policy, you may find that traffic is egressing from a default Cloudflare IP address instead of your dedicated egress IP. | Common cause | Solution | | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | DNS resolution to CGNAT (carrier-grade NAT) | When an egress policy uses a _Domain_ or _Host_ selector, Gateway must first resolve that domain. For traffic proxied through Cloudflare, this often resolves to a CGNAT IP address from the 100.64.0.0/10 range. Because this IP is internal to Cloudflare's network, it may not be subject to egress policies, which apply to traffic leaving the network. Change the selector in your egress policy from _Domain_ or _Host_ to _Destination IP_. Use the public IP addresses of the service you are trying to reach. | | Policy precedence | A different egress policy with a higher precedence (a lower number) is matching the traffic first. Remember that egress policies follow the same first-match-wins logic. | | Split Tunnel configuration | The destination IP or domain is excluded from the WARP tunnel via your Split Tunnel configuration. Traffic that is excluded from the tunnel will not be subject to any Gateway policies, including egress. | | No egress logs | Egress logging is available via Logpush with the Gateway Egress dataset. This is essential for troubleshooting. You can also use a third-party IP check service to verify the egress IP from a test device. | ### Symptom: failover is not working or is using the wrong IP Your primary dedicated egress IP becomes unavailable, but instead of using your configured secondary dedicated IP, traffic fails over to a default Cloudflare shared IP. | Common cause | Solution | | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Routing or configuration issue on the Cloudflare side | Document the time of the incident and collect Request IDs from Gateway HTTP or DNS logs for affected users. Open a support ticket and provide this information. Temporarily, you can edit the egress policy to set your secondary IP as the primary to restore service. | ### Symptom: users are egressing from a geographically distant location Gateway routes your users in one country (such as Australia) through a dedicated egress IP located in another region (such as Germany), causing high latency and breaking access to geo-restricted content. | Common cause | Solution | | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Single egress policy | You may have one broad egress policy that applies to all users regardless of their location. Create location-aware egress policies. Use the _User Location_ selector in your policy to tie specific user locations to their nearest dedicated egress IP. For example, create one policy for when _User Location_ is United Kingdom, egress via London IP; create a second policy for when _User Location_ is Australia, egress via Sydney IP. | | Incorrect geolocation data | The IP address of the user's ISP may not be correctly geolocated. Check the user's location as seen by Cloudflare in the Gateway logs. If it appears incorrect, you can report it to Cloudflare Support. | ## Policy precedence A common point of confusion is how Gateway evaluates its different policy types and the rules within them. ### Symptom: a Block policy is overriding a more specific Allow or Do Not Scan policy You have a high-precedence Allow or Do Not Scan policy for a specific application (such as Allow finance.example.com), but Gateway still block traffic with a low-precedence Block policy (such as Block All High-Risk Sites). The most important concept is [Gateway policy precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/), which Gateway enforces based on the policy's order number. A lower order number in the list means a higher precedence. Gateway stops processing further policies when it encounters the first rule that matches. To resolve Gateway policy precedence issues: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies**. 2. Review the order of your DNS, Network, and HTTP policies. 3. Ensure that your most specific Allow, Do Not Scan, or Do Not Inspect policies have a lower order number than your general Block policies. 4. Drag and drop policies to reorder them as needed. An Allow policy for `teams.microsoft.com` should be placed before a general Block policy for all file sharing applications. ## TLS decryption breaks applications Turning on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. ### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors If after turning on TLS decryption, command-line tools (such as `git`, `aws`, `kubectl`, and `terraform`) or desktop applications (such as ChatGPT or Docker) stop working, this may be due to certificate errors. Applications may return errors such as `SSL: CERTIFICATE_VERIFY_FAILED`, `self-signed certificate in certificate chain`, or similar TLS errors. These applications do not use the operating system's trust store and therefore do not trust the Cloudflare root certificate that you installed. They often have their own certificate trust store or use certificate pinning, which expects the server's original certificate, not one re-signed by Cloudflare. To resolve this issue: * [ Recommended ](#tab-panel-3931) * [ Workaround ](#tab-panel-3932) Create a targeted HTTP policy to bypass decryption for the specific domains these tools need to access. Place this policy at a higher precedence (lower order number) than your main TLS decryption policy. Create a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) that includes hosts such as `github.com`, `*.amazonaws.com`, and `*.docker.io`. | Selector | Operator | Value | Action | | -------- | -------- | ------------------ | -------------- | | Domain | in list | _CLI Tool Domains_ | Do Not Inspect | You can configure some tools to trust a custom CA or disable SSL verification. This is less secure and harder to manage at scale. For more information, refer to [Install certificate manually](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/). ### Symptom: the custom block page is not displayed When an HTTP policy blocks a user's request, their browser will return a generic error (`ERR_SSL_PROTOCOL_ERROR`) instead of your configured Gateway block page. This happens because the browser does not trust the certificate presented by the block page, which is signed by the Cloudflare root certificate. This means the certificate is not installed or not trusted on the user's device. To resolve this issue: 1. Confirm that a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed on the device. 2. Ensure the certificate is placed in the correct system-level trust store (such as, Keychain's System store on macOS, or Trusted Root Certification Authorities for the Local Computer on Windows). 3. If you are using an MDM, verify that your deployment script correctly installs and trusts the certificate. ## Private DNS and internal resources are not working You have configured Gateway to resolve internal hostnames, but users are unable to access them. For example, a user connected to the Cloudflare One Client tries to access an internal service like `jira.mycompany.local`, but the DNS query fails. | Common causes | Solution | | ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Missing or incorrect resolver policy | Go to **Traffic policies** \> **Resolver policies**. Create a policy that matches your internal domain suffix and forwards queries to your internal DNS servers' IP addresses. | | Split Tunnel excludes the private IP range | If your internal resources are in a private IP range (such as 10.0.0.0/8), that range must be included in the tunnel. If it is in the Exclude list of your Split Tunnel configuration, the Cloudflare One Client will not proxy the traffic. | | Local Domain Fallback misconfiguration | Use resolver policies for corporate DNS. Only use Local Domain Fallback for domains specific to a user's immediate physical network. | --- ## More Gateway resources For more information, refer to the full Gateway troubleshooting guide. [ Full Gateway troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/gateway/","name":"Gateway"}}]} ``` --- --- title: Tunnel description: Explore common issues and solutions for Cloudflare Tunnel. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/tunnel.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Tunnel Explore common issues and solutions for Cloudflare Tunnel. ## I see `cloudflared service is already installed`. If you see this error when installing a remotely-managed tunnel, ensure that no other `cloudflared` instances are running as a service on this machine. Only a single instance of `cloudflared` may run as a service on any given machine. Instead, add additional routes to your existing tunnel. Alternatively, you can run `sudo cloudflared service uninstall` to uninstall `cloudflared`. ## I see `An A, AAAA, or CNAME record with that host already exists`. If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. [Check the DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) for your domain from the [Cloudflare dashboard ↗](https://dash.cloudflare.com). ## Tunnel credentials file does not exist or is not a file. If you encounter the following error when running a tunnel, double check your `config.yml` file and ensure that the `credentials-file` points to the correct location. You may need to change `/root/` to your home directory. Terminal window ``` cloudflared tunnel run ``` ``` 2021-06-04T06:21:16Z INF Starting tunnel tunnelID=928655cc-7f95-43f2-8539-2aba6cf3592d Tunnel credentials file '/root/.cloudflared/928655cc-7f95-43f2-8539-2aba6cf3592d.json' doesn't exist or is not a file ``` ## My tunnel fails to authenticate. To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through `cloudflared login`. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components: * The public key of the origin certificate for that hostname * The private key of the origin certificate for that domain * A token that is unique to Cloudflare Tunnel Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one-level deep. Cloudflare uses that certificate file to authenticate `cloudflared` to create DNS records for your domain in Cloudflare. The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through `cloudflared` retains the older API key and can cause authentication failures. The user will need to login once more through `cloudflared` to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate. ## I see an error: x509: certificate signed by unknown authority. This means the origin is using a certificate that `cloudflared` does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare. To resolve: * Add the certificate to the system certificate pool. * Use the `--origin-ca-pool` flag and specify the path to the certificate. * Use the `--no-tls-verify` flag to stop `cloudflared` checking the certificate for a trust chain. ## I see an error 1033 when attempting to run a tunnel. A `1033` error indicates your tunnel is not connected to Cloudflare's network because Cloudflare's network cannot find a healthy `cloudflared` instance to receive the traffic. First, review whether your tunnel is listed as `Active` on the [Cloudflare One ↗](https://one.dash.cloudflare.com/) dashboard by going to **Networks** \> **Connectors** \> **Cloudflare Tunnels** or run `cloudflared tunnel list`. If the tunnel is not `Active`, review the following and take the action necessary for your tunnel status: | Status | Meaning | Recommended Action | | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Healthy** | The tunnel is active and serving traffic through four connections to the Cloudflare global network. | No action is required. Your tunnel is running correctly. | | **Inactive** | The tunnel has been created (via the API or dashboard) but the cloudflared connector has never been run to establish a connection. | Run the tunnel as a service (recommended) or use the cloudflared tunnel run command on your origin server to connect the tunnel to Cloudflare. Refer to [substep 6 of step 1 in the Create a Tunnel dashboard guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#1-create-a-tunnel) or step 4 in the [Create a Tunnel API guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel). | | **Down** | The tunnel was previously connected but is currently disconnected because the cloudflared process has stopped. | 1\. Ensure the cloudflared [service](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/as-a-service/) or process is actively running on your server. 2\. Check for server-side issues, such as the machine being powered off, an application crash, or recent network changes. | | **Degraded** | The cloudflared connector is running and the tunnel is serving traffic, but at least one individual connection has failed. Further degradation in [tunnel availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) could risk the tunnel going down and failing to serve traffic. | 1\. Review your cloudflared [logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) for connection failures or error messages. 2\. Investigate local network and firewall rules to ensure they are not blocking connections to the [Cloudflare Tunnel IPs and ports](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/). | For more information, refer to the [comprehensive list of Cloudflare 1xxx errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/). ## I see a 502 Bad Gateway error when connecting to an HTTP or HTTPS application through tunnel. A `502 Bad Gateway` error with `Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared` on a tunnel route means the tunnel itself is connected to the Cloudflare network, but `cloudflared` cannot reach the origin service defined in your ingress rule. Unlike [error 1033](#i-see-an-error-1033-when-attempting-to-run-a-tunnel), which indicates the tunnel is not connected to Cloudflare, a 502 error indicates the problem is between `cloudflared` and your local service. To identify the specific cause, review your [Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) for `error`\-level messages. Common causes include: #### Origin service is not running If the origin service has stopped or never started, `cloudflared` logs will show an error similar to: ``` error="dial tcp [::1]:8080: connect: connection refused" ``` To resolve, verify the service is running and listening on the expected port: Terminal window ``` curl -v http://localhost:8080 ``` If the service is not running, start or restart it. You can confirm the service is listening by running `ss -tlnp | grep ` (Linux) or `lsof -iTCP -sTCP:LISTEN -nP | grep ` (macOS). #### Origin service URL uses the wrong protocol If the origin expects HTTPS but the tunnel route specifies `http://`, or vice versa, `cloudflared` logs will show an error similar to: ``` error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\"" ``` To resolve, update the service URL in your tunnel route to match the [protocol](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) your origin expects. For example, change `http://localhost:8080` to `https://localhost:8080`. If you are using a locally-managed tunnel, update your ingress rule in the [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/). #### Origin service URL points to the wrong port If the port in your tunnel route does not match the port your service is listening on, `cloudflared` will log a `connection refused` error for that port. Double-check the service URL in your ingress rule and compare it against the port your application is bound to. #### Origin uses a certificate that `cloudflared` does not trust If the origin presents a TLS certificate that `cloudflared` cannot verify, the logs will show an error similar to: ``` error="x509: certificate is valid for example.com, not localhost" ``` This commonly occurs when the origin uses a self-signed certificate or when an SSL/TLS inspection proxy sits between `cloudflared` and the origin. To resolve, use one of the following approaches: * Set [originServerName](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/) to the hostname on the origin certificate in your tunnel route. If you are using a locally-managed tunnel, here is an example of a [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/): ``` ingress: - hostname: app.example.com service: https://localhost:443 originRequest: originServerName: app.example.com ``` * Provide the CA certificate using [caPool](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/): ``` ingress: - hostname: app.example.com service: https://localhost:443 originRequest: caPool: /path/to/ca-cert.pem ``` * As a last resort, disable TLS verification with [noTLSVerify](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/). This is not recommended for production environments. ``` ingress: - hostname: app.example.com service: https://localhost:443 originRequest: noTLSVerify: true ``` ## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app. This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the [origin server name](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/) parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration: ``` ingress: - hostname: test.example.com service: https://localhost:443 originRequest: originServerName: test.example.com ``` ## `cloudflared access` shows an error `websocket: bad handshake`. This means that your `cloudflared access` client is unable to reach your `cloudflared tunnel` origin. To diagnose this, look at the `cloudflared tunnel` logs. A common root cause is that the `cloudflared tunnel` is unable to proxy to your origin (for example, because the ingress is misconfigured, the origin is down, or the origin HTTPS certificate cannot be validated by `cloudflared tunnel`). If `cloudflared tunnel` has no logs, it means Cloudflare's network is not able to route the websocket traffic to it. There are several possible root causes behind this error: * Your `cloudflared tunnel` is either not running or not connected to Cloudflare's network. * WebSockets are not [enabled](https://developers.cloudflare.com/network/websockets/#enable-websockets). * Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve, go to **SSL/TLS** \> **Overview** in the Cloudflare dashboard and set your SSL/TLS encryption mode to **Flexible**, **Full**, or **Full (strict)**. * Your requests are blocked by [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings. * Your SSH or RDP Access application has the [Binding Cookie](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** \> **Applications** and edit the application settings. * One or more [Workers routes](https://developers.cloudflare.com/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname, or update your Worker to only handle specific paths and forward all other requests to the origin (for example, by using `return fetch(req)`). ## Tunnel connections fail with SSL error. If `cloudflared` returns error `error="remote error: tls: handshake failure"`, check to make sure the hostname in question is covered by a SSL certificate. If using a multi-level subdomain, an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) may be required as the Universal SSL will not cover more than one level of subdomain. This may surface in the browser as `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`. ## Tunnel connections fail with `Too many open files` error. If your [Cloudflare Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) return a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to [configure ulimit settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/availability/ulimits/) on the machine running `cloudflared`. ## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs. This buffer size increase is reported by the [quic-go library ↗](https://github.com/quic-go/quic-go) leveraged by [cloudflared ↗](https://github.com/cloudflare/cloudflared). You can learn more about the log message in the [quic-go repository ↗](https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes). This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed `cloudflared` within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes. To set the maximum receive buffer size on Linux: 1. Create a new file under `/etc/sysctl.d/`: Terminal window ``` sudo vi 98-core-rmem-max.conf ``` 2. In the file, define the desired buffer size: ``` net.core.rmem_max=2500000 ``` 3. Reboot the host machine running `cloudflared`. 4. To validate that these changes have taken effect, use the `grep` command: Terminal window ``` sudo sysctl -a | grep net.core.rmem_max ``` ``` net.core.rmem_max = 2500000 ``` ## Cloudflare Tunnel is buffering my streaming response instead of streaming it live. Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the `Content-Type: text/event-stream` response header. This header tells `cloudflared` to stream data as it arrives instead of buffering the entire response. --- ## More Tunnel resources For more information, refer to the full Tunnel troubleshooting guide. [ Full Tunnel troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/tunnel/","name":"Tunnel"}}]} ``` --- --- title: Connectivity description: This guide helps you determine whether a tunnel health alert is actually affecting your traffic. A degraded or down tunnel only matters if your traffic is currently routing through the Cloudflare data center where that tunnel is unhealthy. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/wan/connectivity.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Connectivity This guide helps you determine whether a tunnel health alert is actually affecting your traffic. A degraded or down tunnel only matters if your traffic is currently routing through the Cloudflare data center where that tunnel is unhealthy. Note Cloudflare does not synchronize health checks among global network servers. A tunnel can be healthy in one data center and degraded in another at the same time. This is normal behavior, not an outage. ## Before you begin Understand how Cloudflare WAN health checks and traffic routing work: * Health checks run independently from every Cloudflare data center. * Each data center evaluates tunnel health based on its own probes. * Traffic enters Cloudflare at the data center closest to the source (anycast routing). * A degraded tunnel in a data center that is not handling your traffic has no impact on your connectivity. If you are experiencing actual tunnel health issues (tunnels flapping, all tunnels down, or IPsec errors), refer to [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/) instead. ## Diagnostic flowchart Use this flowchart to determine whether a tunnel health alert requires action. flowchart TD accTitle: Connectivity troubleshooting flowchart accDescr: A decision tree to determine whether a degraded tunnel alert is affecting your traffic. A["You received a tunnel
health alert"] --> B{"Is your traffic
affected?"} B -- "Yes, I have
connectivity issues" --> C["Identify your ingress
data center and check
tunnel health there"] B -- "No, traffic
flows normally" --> D{"Does the alert match
a data center carrying
your traffic?"} D -- "No" --> E["No action required.
The degraded tunnel is in
a data center not serving
your traffic."] D -- "Yes" --> C C --> G{"Are tunnels healthy
at your ingress
data center?"} G -- "Yes" --> H["The issue is not
tunnel-related. Check
Cloudflare Status and
your origin network."] G -- "No" --> I["Tunnels at your ingress
data center are unhealthy.
Refer to Troubleshoot
tunnel health."] ## 1\. Identify your ingress data center Determine which Cloudflare data center your traffic is entering. This is the only data center whose tunnel health status matters for your current connectivity. ### Use traceroute Run a `traceroute` from the source network to your Cloudflare WAN prefix. Look for the Cloudflare data center hostname in the trace output, which contains a three-letter [IATA airport code ↗](https://en.wikipedia.org/wiki/IATA%5Fairport%5Fcode) that identifies the data center. Terminal window ``` traceroute 203.0.113.1 ``` ``` 1 192.168.1.1 (192.168.1.1) 1.234 ms 2 10.0.0.1 (10.0.0.1) 5.678 ms 3 198.51.100.1 (198.51.100.1) 10.123 ms 4 198.51.100.10 (198.51.100.10) 12.345 ms 5 lhr01.cf (198.51.100.11) 15.678 ms ``` In this example, `lhr` indicates that traffic enters Cloudflare at the London (Heathrow) data center. ### Use the Cloudflare dashboard You can identify which data centers handle your traffic by using **Network Analytics**. 1. Go to the **Network Analytics** page. [ Go to **Network analytics** ](https://dash.cloudflare.com/?to=/:account/networking-insights/analytics/network-analytics/transport-analytics) 2. Select **Add filter** and filter traffic by your source IP addresses to isolate your traffic. 3. Under **Packets summary**, select the **Source data center** tab. If the tab is not visible, select the three-dot menu (`...`) to reveal additional view options and select **Source data center**. 4. Review the per-data-center traffic breakdown to identify which Cloudflare data centers are handling your traffic. 5. Cross-reference these data centers with the tunnel health status on the [**Connector health** page](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/check-tunnel-health-dashboard/). If tunnels are healthy at the data centers carrying your traffic, a degraded tunnel alert for a different data center is not the cause of your connectivity issue. ## 2\. Correlate with Cloudflare status If your tunnels are healthy at the relevant data center but you still experience connectivity issues, check for broader platform issues. 1. Go to [Cloudflare Status ↗](https://www.cloudflarestatus.com/). 2. Look for any active incidents or maintenance at the data center you identified. 3. Check for any incidents that might affect your traffic, such as outages related to networking, BYOIP, or the services your configuration depends on. ## 3\. Gather information for support If you have worked through this guide and cannot resolve the issue, gather the following information before contacting Cloudflare support. ### Required information 1. **Account ID** and **tunnel name(s)** affected 2. **Timestamps** (in UTC) when the issue started 3. **Ingress data center** you identified (airport code, for example `LHR`, `IAD`) 4. **Symptoms observed:** * Whether user traffic is affected or only health check alerts fired * Which tunnels and data centers show degraded or down status * Whether the issue is intermittent or persistent ### Helpful diagnostic data * **Traceroute output** from your source network to your Cloudflare WAN prefix * **Dashboard screenshots** showing tunnel health at the relevant data center * **Distributed traceroutes** using tools like [ping.pe ↗](https://ping.pe) to test reachability from multiple global locations * **Packet captures** from your router if traffic loss is confirmed ## Related resources * [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/): Resolve common tunnel health issues (flapping, IPsec errors, stateful firewall drops). * [Troubleshoot routing and BGP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/routing-and-bgp/): Diagnose routing and BGP issues that affect traffic delivery. * [Check tunnel health in the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/check-tunnel-health-dashboard/): Monitor tunnel status per data center. * [Tunnel health checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/): Technical details on how health checks work. * [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/): Analyze traffic patterns over time. --- ## More WAN resources For more information, refer to the full Cloudflare WAN documentation. [ Full connectivity troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/connectivity/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/troubleshooting/wan/connectivity/","name":"Connectivity"}}]} ``` --- --- title: IPsec description: Use IPsec logs to troubleshoot issues with your IPsec tunnels during the key-exchange phase of the IPsec handshake. Configure a logpush job to forward these logs to your preferred storage service for analysis. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/wan/ipsec.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # IPsec Use IPsec logs to troubleshoot issues with your IPsec tunnels during the key-exchange phase of the IPsec handshake. Configure a logpush job to forward these logs to your preferred storage service for analysis. ## Set up an IPsec logpush job 1. Go to the **Logpush** page. [ Go to **Logpush** ](https://dash.cloudflare.com/?to=/:account/logs) 2. Select **Create a Logpush job**. 3. Select **IPsec logs** as your dataset. Refer to the [Logpush documentation](https://developers.cloudflare.com/logs/logpush/) for more information about features, including the [available fields](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ipsec%5Flogs/) in the dataset. --- ## More WAN resources For more information, refer to the full Cloudflare WAN documentation. [ Full IPsec troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/ipsec-troubleshoot/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/troubleshooting/wan/ipsec/","name":"IPsec"}}]} ``` --- --- title: Routing and BGP description: This guide helps you diagnose and resolve common routing and BGP issues with Cloudflare WAN. These issues can affect traffic delivery, cause unexpected latency, or result in connectivity loss. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/wan/routing-bgp.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Routing and BGP This guide helps you diagnose and resolve common routing and BGP issues with Cloudflare WAN. These issues can affect traffic delivery, cause unexpected latency, or result in connectivity loss. ## Quick diagnostic checklist If you are experiencing routing or BGP issues, check these items first: 1. **BGP session state**: Verify session is **Established**, not stuck in **Connect** or **Active**. 2. **Firewall rules**: Ensure TCP port `179` is permitted bidirectionally between your router and Cloudflare. 3. **Tunnel or CNI health**: Check that underlying connectivity is healthy. Degraded tunnels affect route priority. 4. **Static route conflicts**: Static routes take precedence over BGP routes at equal priority. ## Resolve common issues ### BGP session not establishing This section covers BGP peering sessions (beta) between your network and Cloudflare, established over [CNI](https://developers.cloudflare.com/network-interconnect/) or tunnels. #### Symptoms * BGP session never reaches **Established** state * No routes being advertised or received * Router logs show repeated connection attempts #### BGP session states | State | Meaning | Action | | --------------- | ------------------------------------ | ------------------------------------------ | | **Established** | Session up, exchanging routes | Normal operation | | **Active** | Attempting to initiate connection | Check firewall rules, verify neighbor IP | | **Connect** | TCP connection in progress | Check port 179 access, verify peering IP | | **Idle** | Session down, no connection attempts | Check configuration, verify BGP is enabled | #### Solution 1. Verify your firewall permits TCP port `179` bidirectionally between your router and the Cloudflare peering address. 2. Confirm the neighbor IP matches the Cloudflare-provided peering address exactly. 3. Verify your ASN configuration matches the dashboard settings. Only eBGP is supported, so your ASN must differ from the Cloudflare account ASN. 4. If using MD5 authentication, verify the password matches on both sides. ### Unexpected traffic routing or latency #### Symptoms * Traffic from specific regions routed through distant data centers * Higher than expected latency for regional users * Traffic not using the closest tunnel or CNI #### Causes * Tunnel health degradation causing route deprioritization * Regional route scoping misconfiguration * BGP route priorities not set as expected * Static routes overriding BGP routes #### Solution 1. **Check tunnel health**: Degraded tunnels have 500,000 added to their route priority. Down tunnels have 1,000,000 added. Traffic shifts to healthier paths, which may be in different regions. Refer to [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/) for diagnostic steps. 2. **Review route priorities**: Lower priority values indicate higher preference. Verify your routes have the expected priority configuration. * Default BGP route priority: `100` * Static routes at priority `100` take precedence over BGP routes at `100` 3. **Check regional scoping**: If you use region-scoped routes, ensure all regions have route coverage. Traffic arriving at a region without a matching route is dropped. 4. **Use Network Analytics**: Review traffic patterns to identify where traffic is landing and which paths it follows. Refer to [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/) for usage instructions. ### CNI link failures #### Symptoms * CNI shows down in dashboard * BGP session over CNI drops * Traffic fails over to tunnels or alternate CNIs #### CNI issue layers CNI issues can occur at multiple layers: | Issue type | Impact | What to check | | ------------------ | ---------------------------------- | ---------------------------------- | | Physical link down | All traffic over that CNI affected | Light levels, cross-connect status | | BGP session down | Dynamic routes withdrawn | BGP neighbor state on your router | | Prefixes withdrawn | Specific routes unavailable | BGP advertised and received routes | A healthy physical link can still have BGP issues. A healthy BGP session can exist while specific prefixes are withdrawn. #### Solution **Check physical layer (your side):** Note In the case of interconnects provisioned by third parties, you may need to request that your provider carry these steps out. 1. Verify the interface is administratively up on your router. 2. Check optical light levels (Tx/Rx dBm). Abnormal readings indicate fiber or transceiver issues. 3. If light levels are low or absent on your receive side, contact your data center to verify cross-connect status. **Check BGP session:** 1. Verify BGP neighbor state on your router shows **Established**. 2. Check for MD5 authentication mismatches if authentication is configured. 3. Review BGP logs for error messages indicating why the session may have dropped. **Check for maintenance:** 1. Review [Cloudflare Status ↗](https://www.cloudflarestatus.com/) for scheduled maintenance affecting your CNI location. 2. Some maintenance events may temporarily affect CNI connectivity even when marked as non-disruptive. Refer to [Network Interconnect](https://developers.cloudflare.com/network-interconnect/) for CNI configuration and setup information. ### Static and BGP route conflicts #### Symptoms * BGP routes not being used despite being learned * Traffic not following expected BGP path * Route changes not taking effect as expected #### Cause Cloudflare prefers static routes when static and BGP routes share the same prefix and priority. This ensures manually configured routes take precedence unless explicitly deprioritized. #### Solution Adjust route priorities based on your preference: * **To prefer BGP routes**: Set static route priority to a higher number (for example, `150` or `200`). Higher numbers indicate lower preference. * **To prefer static routes**: Keep static route priority at or below `100`. BGP routes default to priority `100`. | Route type | Prefix | Priority | Selected | | ---------- | ----------- | -------- | ---------------------- | | Static | 10.0.0.0/24 | 100 | Yes (static wins ties) | | BGP | 10.0.0.0/24 | 100 | No | To make the BGP route preferred in this example, change the static route priority to `150` or higher, or remove the static route entirely. Refer to [Route prioritization](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/#route-prioritization) for detailed information on how priorities work. ## CNI, tunnel, and BGP health Understanding the relationship between these components helps diagnose routing issues: | Component | What it monitors | Impact when unhealthy | | ----------------- | ------------------------------------------------------- | -------------------------------------------------------------- | | **CNI health** | Physical or virtual interconnect link status | BGP session may drop. All traffic over that CNI is affected. | | **Tunnel health** | Logical GRE or IPsec tunnel through health check probes | Route priority penalized. Traffic steers to healthier tunnels. | | **BGP session** | Control plane connectivity for dynamic routing | Dynamic routes withdrawn. Static routes remain unaffected. | A healthy CNI can have an unhealthy tunnel if health check probes are blocked or misconfigured. BGP routes can be withdrawn even when the underlying physical link is operational. ## Gather information for support If you have worked through this guide and still experience routing issues, gather the following information before contacting Cloudflare support. ### Required information 1. **Account ID** and affected prefix(es), tunnel name(s), or CNI identifier(s) 2. **Timestamps** (in UTC) when the issue occurred 3. **BGP configuration details:** * Your ASN and Cloudflare peering ASN * Neighbor IP addresses * Sanitized router configuration (remove passwords and keys) 4. **Current state information:** * BGP session state from your router * Dashboard screenshots showing prefix, route, or tunnel status ### Helpful diagnostic data * **Router logs**: BGP neighbor logs covering the incident timeframe * **Traceroute results**: From affected source networks to your prefix * **For CNI issues**: Optical light level readings from your equipment ### Router diagnostic commands Collect output from these commands (syntax varies by vendor): Terminal window ``` # Show BGP neighbor status show bgp neighbors # Show BGP summary show bgp ipv4 unicast summary # Show specific prefix in BGP table show bgp ipv4 unicast # Show interface status (for CNI) show interface # Show received and advertised routes show bgp ipv4 unicast neighbors routes show bgp ipv4 unicast neighbors advertised-routes ``` ## Resources * [Traffic steering](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/#route-prioritization): Route prioritization, BGP communities, and ECMP behavior * [Configure routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/how-to/configure-routes/): Static route configuration * [Network Interconnect](https://developers.cloudflare.com/network-interconnect/): CNI setup and BGP peering * [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/): Tunnel-specific diagnostic steps * [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/): Traffic analysis and monitoring * [Cloudflare Status ↗](https://www.cloudflarestatus.com/): Maintenance and incident notifications --- ## More WAN resources For more information, refer to the full Cloudflare WAN documentation. [ Full routing and BGP guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/routing-and-bgp/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/troubleshooting/wan/routing-bgp/","name":"Routing and BGP"}}]} ``` --- --- title: Tunnel health description: This guide helps you diagnose and resolve common tunnel health issues with Cloudflare WAN. Tunnel health checks monitor your GRE and IPsec tunnels and steer traffic to the best available routes. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/wan/tunnel-health.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Tunnel health This guide helps you diagnose and resolve common tunnel health issues with Cloudflare WAN. Tunnel health checks monitor your GRE and IPsec tunnels and steer traffic to the best available routes. ## Quick diagnostic checklist If you are experiencing tunnel health issues, check these items first: 1. **Health check type**: If using a stateful firewall (Palo Alto, Checkpoint, Cisco, Fortinet), change health check type from _Reply_ to _Request_. 2. **Anti-replay protection**: Disable anti-replay protection on your router, or set the replay window to `0`. 3. **MTU settings**: Verify MTU is set correctly (typically `1476` for GRE, `1400-1450` for IPsec). 4. **IPsec parameters**: Confirm your cryptographic parameters match [Cloudflare's supported configuration](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/#supported-configuration-parameters). 5. **Health check direction**: Cloudflare WAN defaults to _Bidirectional_. 6. **Cloudflare Network Firewall rules (Less common)**: Ensure ICMP traffic from [Cloudflare IP addresses ↗](https://www.cloudflare.com/ips/) is allowed. --- ## Tunnel health states The [Connector health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health) page in the Cloudflare dashboard displays three tunnel health states: | State | Dashboard display | Technical threshold | | ------------ | ----------------------------------------- | ------------------------------------------------------------------ | | **Healthy** | More than 80% of health checks pass | Less than 0.1% failure rate | | **Degraded** | Between 40% and 80% of health checks pass | At least 0.1% failures in last five minutes (minimum two failures) | | **Down** | Less than 40% of health checks pass | All health checks failed (at least three samples in last second) | The dashboard shows tunnel health as measured from each Cloudflare data center where your traffic lands. It is normal to see some locations reporting degraded status due to Internet path issues. Focus on locations that show traffic in the Average ingress traffic column. Probe retry behavior When a health check probe fails, Cloudflare sends two additional probes to confirm the failure. A tunnel is only marked as unhealthy if all three probes fail. This retry behavior provides resilience against random packet loss. ### Routing priority penalties When a tunnel becomes unhealthy, Cloudflare applies priority penalties to routes through that tunnel: * **Degraded**: Adds `500,000` to route priority * **Down**: Adds `1,000,000` to route priority These penalties shift traffic to healthier tunnels while maintaining redundancy. Cloudflare never completely removes routes, preserving failover options even when all tunnels are unhealthy. ### Recovery behavior Tunnels transition between states asymmetrically to prevent flapping: * **Healthy to Degraded/Down**: Transitions quickly when failures are detected. A tunnel can go directly from Healthy to Down if all probe retries fail. * **Down to Degraded**: Requires three consecutive successful health check probes. * **Degraded to Healthy**: Requires failure rate below 0.1% over 30 consecutive probes. Minimum state duration Tunnels remain in a degraded or down state for at least five minutes, even if health checks start succeeding immediately. This minimum duration prevents rapid flapping when there is intermittent packet loss. Additionally, a tunnel recovering from `Down` must always transition through `Degraded` before returning to `Healthy`. Recovery from degraded to healthy can take up to 30 minutes. This intentional slow recovery behavior (called hysteresis) prevents rapid state changes caused by intermittent network issues or tunnel flapping. For instructions on monitoring tunnel status, refer to [Check tunnel health in the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/check-tunnel-health-dashboard/). ### Health check types and directions **Health check type:** | Type | Behavior | When to use | | ------------------- | ------------------------------------- | ------------------------------------------------------------------- | | **Reply** (default) | Cloudflare sends an ICMP reply packet | Simple networks without stateful firewalls | | **Request** | Cloudflare sends an ICMP echo request | Networks with stateful firewalls (recommended for most deployments) | **Health check direction:** | Direction | Behavior | Default for | | ------------------ | ----------------------------------------------------- | ------------------------------------ | | **Bidirectional** | Probe and response both traverse the tunnel | Cloudflare WAN (formerly Magic WAN) | | **Unidirectional** | Probe traverses tunnel; response returns via Internet | Magic Transit (direct server return) | Note Unidirectional health checks can be unreliable because intermediate network devices may drop ICMP reply packets. If you have egress traffic enabled, consider switching to bidirectional health checks. --- ## Resolve common issues ### Tunnel shows `Down` but traffic is flowing #### Symptoms * Dashboard shows tunnel as `Down` or `Degraded` * Actual user traffic passes through the tunnel successfully * Health check failure rate is 100% despite working connectivity #### Cause Stateful firewalls (including Palo Alto, Checkpoint, Cisco ASA, and Fortinet) drop the health check packets. By default, Cloudflare sends ICMP _Reply_ packets as health check probes. Stateful firewalls inspect these packets and look for a matching ICMP _Request_ in their session table. When no matching request exists, firewalls drop the reply as "out-of-state". #### Solution Change the health check type from _Reply_ to _Request_: 1. Go to the **Connectors** page. [ Go to **Connectors** ](https://dash.cloudflare.com/?to=/:account/magic-networks/connections) 2. In **IPsec/GRE tunnels**, select **Edit** on the affected tunnel. 3. Under **Health check type**, change from _Reply_ to _Request_. 4. Select **Update tunnel**. When you use _Request_ style health checks, Cloudflare sends an ICMP echo request. Your firewall's stateful inspection engine recognizes this as a legitimate request and automatically permits the ICMP reply response. Note If your firewall drops ICMP request packets as well, verify that your firewall policy permits ICMP traffic on the tunnel interface. --- ### Health check failures with Cloudflare Network Firewall #### Symptoms * Tunnels were healthy before enabling Cloudflare Network Firewall * After adding Cloudflare Network Firewall rules, health checks fail * Blocking ICMP traffic causes immediate health check failures #### Cause Cloudflare Network Firewall processes all traffic, including Cloudflare's health check probes. If you create a rule that blocks ICMP traffic, you also block the health check packets that Cloudflare sends to monitor tunnel status. #### Solution Add an allow rule for ICMP traffic from Cloudflare IP addresses _before_ any block rules: 1. Go to the **Firewall policies** page. [ Go to **Firewall policies** ](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall) 2. Create a new policy with the following parameters: | Field | Value | | ------------ | --------------------------------------------------------- | | **Action** | Allow | | **Protocol** | ICMP | | **Source** | [Cloudflare IP ranges ↗](https://www.cloudflare.com/ips/) | 1. Position this rule _before_ any rules that block ICMP traffic. For more information, refer to [Cloudflare Network Firewall rules and endpoint health checks](https://developers.cloudflare.com/cloudflare-network-firewall/about/ruleset-logic/#cloudflare-network-firewall-rules-and-magic-transit-endpoint-health-checks). --- ### IPsec tunnel instability or packet drops #### Symptoms * IPsec tunnel frequently flaps between healthy and down states * Intermittent packet loss on the tunnel * Traffic works for a period then stops without configuration changes * Router logs show packets dropped due to: * "replay check failed" * "invalid sequence number" * "invalid SPI" (Security Parameter Index) #### Cause Anti-replay protection is enabled on your router. IPsec anti-replay protection expects packets to arrive in sequence from a single sender. Cloudflare's anycast architecture means your tunnel traffic can originate from thousands of servers across hundreds of data centers. Each server maintains its own sequence counter, causing packets to arrive out-of-order from your router's perspective. #### Solution Disable anti-replay protection on your router: **For most routers:** Locate the anti-replay or replay protection setting in your IPsec configuration and disable it. **If you can only set a replay window size:** Set the replay window to `0` to effectively disable the check. **For devices that do not support disabling anti-replay:** Enable replay protection in the Cloudflare dashboard. This routes all tunnel traffic through a single server, maintaining proper sequence numbers at the cost of losing anycast benefits. 1. Go to the Connectors page. [ Go to **Connectors** ](https://dash.cloudflare.com/?to=/:account/magic-networks/connections) 2. In **IPsec/GRE tunnels**, select **Edit** on your IPsec tunnel. 3. Enable **Replay protection**. 4. Select **Update tunnel**. **For Cisco IOS/IOS-XE routers experiencing "invalid SPI" errors:** Enable ISAKMP invalid SPI recovery to help the router resynchronize Security Associations: ``` configure terminal crypto isakmp invalid-spi-recovery exit ``` Warning Enabling replay protection in Cloudflare reduces the performance and resilience benefits of the anycast architecture. Only use this option when your device does not support disabling anti-replay protection. For a detailed explanation of why this setting is necessary, refer to [Anti-replay protection](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/anti-replay-protection/). --- ### Tunnel degraded after rekey events #### Symptoms * Tunnel health drops to `Degraded` or `Down` periodically * Issues coincide with IPsec rekey intervals (typically every few hours) * Tunnel recovers automatically after 1-3 minutes * Router logs show successful rekey completion #### Cause When your router initiates an IPsec rekey, new Security Associations (SAs) are negotiated with a single Cloudflare server. These new SAs must then propagate across Cloudflare's global network. During this propagation window (typically 90-150 seconds), some Cloudflare servers may not have the new SA. These servers drop traffic encrypted with the new SA until propagation completes. #### Solution This behavior is expected and the tunnel will automatically recover. To minimize impact: 1. **Increase rekey intervals**: Configure longer SA lifetimes on your router to reduce rekey frequency. Common values are 8-24 hours for IKE SA and 1-8 hours for IPsec SA. 2. **Adjust health check sensitivity**: If brief degradation during rekeys triggers alerts, consider lowering the health check rate: 1. Go to the **Connectors** page. [ Go to **Connectors** ](https://dash.cloudflare.com/?to=/:account/magic-networks/connections) 1. In **IPsec/GRE tunnels**, select **Edit** on the tunnel. 2. Change **Health check rate** to _Low_. 3. **Stagger rekey times**: If you have multiple tunnels, configure different SA lifetimes so they do not rekey simultaneously. --- ### Bidirectional health check failures #### Symptoms * Health checks configured as bidirectional fail consistently * Unidirectional health checks work correctly * Traffic flows through the tunnel normally #### Cause Bidirectional health checks require both the probe and response to traverse the tunnel. Your router must: 1. Accept ICMP packets destined for the tunnel interface IP addresses 2. Route the ICMP response back through the tunnel to Cloudflare If traffic selectors or firewall rules do not permit this traffic, bidirectional health checks fail. #### Solution **For IPsec tunnels:** Configure traffic selectors to accept packets for the tunnel interface addresses. For example, if your tunnel interface address is `10.252.2.27/31`: * Permit traffic to/from `10.252.2.26` (Cloudflare side) * Permit traffic to/from `10.252.2.27` (your side) **For all tunnel types:** Ensure your firewall permits ICMP traffic on the tunnel interface. Many firewalls require explicit rules to allow management traffic (including ping) on tunnel interfaces. For detailed information on how bidirectional health checks work, refer to [Tunnel health checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/). --- ### IPsec tunnel establishment failures #### Symptoms * Tunnel status shows `Down` and never becomes healthy * No traffic passes through the tunnel * Router logs show IKE negotiation failures #### Cause IPsec tunnel establishment can fail due to several configuration mismatches: | Issue | Symptom | | ----------------------------- | ----------------------------------------------- | | **Crypto parameter mismatch** | IKE negotiation fails with "no proposal chosen" | | **Incorrect PSK** | Authentication failures in Phase 1 | | **Wrong IKE ID format** | Authentication failures despite correct PSK | | **Firewall blocking IKE** | No IKE traffic reaches Cloudflare | #### Solution 1. **Verify crypto parameters match Cloudflare's supported configuration:** **Phase 1 (IKE)** | Parameter | Supported values | | -------------- | --------------------------- | | IKE version | IKEv2 only | | Encryption | AES-GCM-16, AES-CBC-256 | | Authentication | SHA-256, SHA-384, SHA-512 | | DH Group | DH group 14, 15, 16, 19, 20 | **Phase 2 (IPsec)** | Parameter | Supported values | | -------------- | --------------------------- | | Encryption | AES-GCM-16, AES-CBC-256 | | Authentication | SHA-256, SHA-512 | | PFS Group | DH group 14, 15, 16, 19, 20 | 1. **Verify the Pre-Shared Key (PSK):** * Regenerate the PSK in the Cloudflare dashboard * Copy the new PSK exactly (no extra spaces or characters) * Update your router with the new PSK 2. **Check the IKE ID format:** Cloudflare uses FQDN format for the IKE ID. Ensure your router is configured to accept an FQDN peer identity. The FQDN is displayed in the tunnel details in the Cloudflare dashboard. 3. **Verify firewall rules:** Ensure your edge firewall permits: * UDP port 500 (IKE) * UDP port 4500 (IKE NAT-T) * IP protocol 50 (ESP) For the complete list of supported parameters, refer to [Supported configuration parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/#supported-configuration-parameters). --- ## Vendor-specific guidance ### Common vendor-specific issues | Vendor | Common issue | Solution | | ------------------- | ---------------------------------------- | ---------------------------------------------------------- | | **Palo Alto** | Health checks fail with default settings | Change health check type to _Request_; disable anti-replay | | **Cisco Meraki** | Cannot disable anti-replay | Enable replay protection in Cloudflare dashboard | | **AWS VPN Gateway** | Cannot disable anti-replay | Enable replay protection in Cloudflare dashboard | | **Velocloud** | Cannot disable anti-replay | Enable replay protection in Cloudflare dashboard | | **Checkpoint** | Out-of-state packet drops | Change health check type to _Request_ | --- ## Gather information for support If you have worked through this guide and still experience tunnel health issues, gather the following information before contacting Cloudflare support: ### Required information 1. **Account ID** and **Tunnel name(s)** affected 2. **Timestamps** (in UTC) when the issue occurred 3. **Tunnel configuration details:** * Tunnel type (GRE or IPsec) * Health check type (Request or Reply) * Health check direction (Bidirectional or Unidirectional) * Health check rate (Low, Medium, or High) 4. **Router information:** * Vendor and model * Firmware/software version * IPsec configuration (sanitized to remove PSK) 5. **Symptoms observed:** * Dashboard tunnel health status * Whether user traffic is affected * Error messages from router logs ### Helpful diagnostic data * **Packet captures** from your router showing tunnel traffic * **Router logs** covering the time period of the issue * **Traceroute** results from your network to Cloudflare endpoints * **Screenshots** of the tunnel health dashboard * **Distributed traceroutes** using tools like [ping.pe ↗](https://ping.pe) to test reachability from multiple global locations ### Router diagnostic commands Collect output from these commands (syntax varies by vendor): ``` # Show IPsec SA status show crypto ipsec sa # Show IKE SA status show crypto isakmp sa # Show tunnel interface status show interface tunnel # Show routing table show ip route ``` --- ## Resources * [Tunnel health checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/): Technical details on health check behavior * [Anti-replay protection](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/anti-replay-protection/): Why anti-replay must be disabled * [Configure tunnel endpoints](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/how-to/configure-tunnel-endpoints/): Tunnel setup instructions * [Check tunnel health in the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/check-tunnel-health-dashboard/): Dashboard navigation guide * [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/): Traffic analysis tools --- ## More WAN resources For more information, refer to the full Cloudflare WAN documentation. [ Full tunnel health guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/troubleshooting/wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/troubleshooting/wan/tunnel-health/","name":"Tunnel health"}}]} ``` --- --- title: Cloudflare One Client description: This guide helps you diagnose and resolve common issues with the Cloudflare One Client (formerly WARP). It covers how to troubleshoot the Cloudflare One Client on desktop operating systems, including Windows, macOS, and Linux. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/troubleshooting/warp-client.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Cloudflare One Client This guide helps you diagnose and resolve common issues with the Cloudflare One Client (formerly WARP). It covers how to troubleshoot the Cloudflare One Client on desktop operating systems, including Windows, macOS, and Linux. 1. **Before you start**: [Prerequisites](#prerequisites), permissions, [version control](#check-your-client-version), and client basics. 2. **Collect logs**: Through [Cloudflare One](#option-a-collect-logs-via-the-cloudflare-dashboard) (with DEX remote capture) or the [command-line interface](#option-b-collect-logs-via-the-cli) (CLI) (`warp-diag`). 3. **Review logs**: [Status](#check-client-status), [settings](#check-client-settings), [profile ID](#profile-id), [split tunnel](#exclude-mode-with-hostsips) configuration, and other settings. 4. **Fix common misconfigurations**: [Profile mismatch](#wrong-profile-id), [split tunnel issues](#wrong-split-tunnel-configuration), [managed network issues](#review-your-managed-network-settings), [user group mismatch](#check-a-users-group-membership). 5. **File a support ticket**: [How to file a ticket](#5-file-a-support-ticket) after you have exhausted your troubleshooting options. AI-assisted troubleshooting Cloudflare One includes two free AI helpers to speed up Cloudflare One Client investigations: [**Diagnostics Analyzer**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#diagnostics-analyzer-beta) \- Uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary. This analyzer is available for logs collected via the dashboard. [**DEX MCP server**](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/) — An AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by [carly@acme.com](mailto:carly@acme.com)", and receive an answer that contains data from the DEX API. ## 1\. Before you start ### Prerequisites * You must have completed the [Zero Trust onboarding flow](https://developers.cloudflare.com/cloudflare-one/setup/) with a Zero Trust organization created. * You must have the Cloudflare One Client installed on an end user device. * You must have a [role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/) that gives admin permission to access logs on the Cloudflare dashboard. ### Check your client version Many troubleshooting issues are caused by outdated client versions. For the best performance and compatibility, administrators should check for new releases and [update the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) before attempting to troubleshoot other issues. After updating the Cloudflare One Client, monitor the issue to see if it recurs. If the issue persists, continue with the troubleshooting guide. #### Via the device * [ Version 2026.2+ ](#tab-panel-3933) * [ Version 2026.1 and earlier ](#tab-panel-3934) 1. Open the Cloudflare One Client on your desktop. 2. Select **About**. 3. Compare your device's version with the [latest version](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). 1. Open the Cloudflare One Client on the desktop. 2. Select the gear icon. 3. Select **About WARP**. 4. Compare your device's version with the [latest version of the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). #### Via the Cloudflare One dashboard 1. Log into [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> go to **Team & Resources** \> **Devices** \> **Your devices**. 2. Select the device you want to investigate. 3. Find the device's client version under **Client version** in the side menu. 4. Compare your device's version with the [latest version of the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). ### Client basics Understand the Cloudflare One Client's architecture, installation paths, and modes to help you diagnose issues with greater accuracy. Chapters * ![Introduction and WARP GUI Basics](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=0s) **Introduction and WARP GUI Basics** 0s * ![Consumer vs. Corporate WARP](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=57s) **Consumer vs. Corporate WARP** 57s * ![Device Profiles Explained](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=95s) **Device Profiles Explained** 1m35s * ![WARP Operating Modes](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=132s) **WARP Operating Modes** 2m12s * ![Split Tunneling](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=224s) **Split Tunneling** 3m44s * ![Conclusion](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=296s) **Conclusion** 4m56s #### Client architecture The Cloudflare One Client consists of: * **Graphical User Interface (GUI)**: Control panel that allows end users to view the client's [status](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/connectivity-status/) and perform actions such as turning the Cloudflare One Client on or off. * **WARP daemon (or service)**: Core background component responsible for establishing secure tunnels (using WireGuard or MASQUE) and handling all client functionality on your device. Refer to [client architecture](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/) for more information on how the Cloudflare One Client interacts with a device's operating system to route traffic. #### Client installation details The GUI and daemon (or service) have different names and are stored in the following locations: Windows | Windows | | | -------------------- | ------------------------------------------------------------------------------------------------------------- | | **Service / Daemon** | C:\\Program Files\\Cloudflare\\Cloudflare WARP\\warp-svc.exe | | **GUI application** | C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe | | **Logs Location** | DaemonC:\\ProgramData\\Cloudflare\\GUI LogsC:\\Users\\.WARP\\AppData\\Localor%LOCALAPPDATA%\\Cloudflare | macOS | macOS | | | -------------------- | --------------------------------------------------------------------------------- | | **Service / Daemon** | /Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP | | **GUI application** | /Applications/Cloudflare WARP.app/Contents/MacOS/Cloudflare WARP | | **Logs Location** | Daemon/Library/Application Support/Cloudflare/GUI Logs\~/Library/Logs/Cloudflare/ | Linux | Linux | | | -------------------- | ------------------------------------------------- | | **Service / Daemon** | /bin/warp-svc | | **GUI application** | /bin/warp-taskbar | | **Logs Location** | /var/log/cloudflare-warp//var/lib/cloudflare-warp | Along with the Cloudflare One Client GUI and daemon, `warp-cli` and `warp-diag` are also [installed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) on the machine and added to the system path for use from any terminal session. [warp-diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/) is a command-line diagnostics tool that collects logs, configuration details, and connectivity data from the Cloudflare One Client to help troubleshoot issues. `warp-cli` is the command-line interface (CLI) for managing and configuring the Cloudflare One Client, allowing users to connect, disconnect, and adjust settings programmatically. #### Client modes The Cloudflare One Client operates in several modes, each with different traffic handling capabilities: Each client mode offers a different set of Zero Trust features. | Client mode | DNS Filtering | Network Filtering | HTTP Filtering | Service mode (displayed in warp-cli settings) | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------- | -------------- | --------------------------------------------- | | [**Traffic and DNS mode (default)**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) | ✅ | ✅ | ✅ | WarpWithDnsOverHttps | | [**DNS only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) | ✅ | ❌ | ❌ | DnsOverHttps | | [**Traffic only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-only-mode) | ❌ | ✅ | ✅ | TunnelOnly | | [**Local proxy mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) | ❌ | ❌ | ✅ | WarpProxy | | [**Posture only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#posture-only-mode) | ❌ | ❌ | ❌ | PostureOnly | ## 2\. Collect diagnostic logs You can collect diagnostic logs in two ways: the [Cloudflare dashboard](#option-a-collect-logs-via-the-cloudflare-dashboard) or the [warp-diag](#option-b-collect-logs-via-the-cli) command-line interface (CLI). ### Option A: Collect logs via the Cloudflare dashboard Collect client diagnostic logs remotely from the Cloudflare One dashboard by using Digital Experience Monitoring's (DEX) remote captures. Best practice To troubleshoot effectively, Cloudflare recommends reproducing the issue and noting your timestamps immediately before collecting logs. Though recreating the issue may not be possible in all cases, reproducing the issue right before diagnostic log collection or during the window that a packet capture (PCAP) is running will help you troubleshoot with greater visibility. Refer to [diagnostic log retention window](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#log-retention-window) to learn more. #### Start a remote capture Devices must be actively connected to the Internet for remote captures to run. To capture data from a remote device: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**. 2. Select up to 10 devices that you want to run a capture on. Devices must be [registered](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) in your Zero Trust organization. 3. Configure the types of captures to run. * **Packet captures (PCAP)**: Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel ([virtual interface](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#ip-traffic)). * **Device diagnostic logs**: Generates a [Cloudflare One Client diagnostic log](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) of the past 96 hours. To include a routing test for all IPs and domains in your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/), select **Test all routes**. Note **Test all routes** will extend the time for diagnostics to run and may temporarily impact device performance during the test. You must select Device Diagnostic Logs. You can also choose to run a PCAP and reproduce the issue in the window the PCAP is running to gain further network insight. The scope of this troubleshooting covers only client diagnostic logs. If not choosing PCAPs, reproduce the issue right before running diagnostics. 4. Select **Run diagnostics**. DEX will now send capture requests to the configured devices. If the Cloudflare One Client is disconnected, the capture will time out after 10 minutes. #### Check remote capture status To view a list of captures, go to **DEX** \> **Remote captures**. The **Status** column displays one of the following options: * **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#download-remote-captures) to determine which PCAPs succeeded or failed. * **Running**: The capture is in progress on the device. * **Pending Upload**: The capture is complete but not yet ready for download. * **Failed**: The capture has either timed out or encountered an error. To retry the capture, check the Cloudflare One Client version and [connectivity status](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status), then start a [new capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#start-a-remote-capture). #### Download remote captures 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**. 2. Find a successful capture. 3. Select the three-dot menu and select **Download**. This will download a ZIP file to your local machine called `.zip`. DEX will store capture data according to our [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention). After you have your diagnostic files, go to [Review key files](#option-b-collect-logs-via-the-cli) to continue troubleshooting. AI-assisted troubleshooting The [diagnostics analyzer](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#diagnostics-analyzer-beta) uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary. After you run a [DEX remote capture](#option-a-collect-logs-via-the-cloudflare-dashboard) for client diagnostics: 1. Go to **Insights** \> **Digital experience** and select the **Diagnotics** tab. 2. Find your capture in the list of captures. 3. Select the three-dot icon next to **Status** \> select **View Device Diag** to generate an AI summary. This analyzer is available for logs collected via the dashboard. ### Option B: Collect logs via the CLI Collect client diagnostic logs on your desktop using the `warp-diag` CLI. To view client logs on desktop devices: * [ macOS ](#tab-panel-3937) * [ Windows ](#tab-panel-3938) * [ Linux ](#tab-panel-3939) 1. Open a Terminal window. 2. Run the `warp-diag` tool: Terminal window ``` warp-diag ``` This will place a `warp-debugging-info--