Proxy traffic through Gateway

With Cloudflare Gateway, you can log and filter DNS, network, and HTTP traffic from devices running the Cloudflare One Client. This includes traffic to the public Internet and traffic directed to your private network. DNS filtering is enabled by default since the Cloudflare One Client sends DNS queries to Cloudflare's public DNS resolver, 1.1.1.1. To enable network and HTTP filtering, you will need to allow Cloudflare Gateway to proxy that traffic.

Enable the proxy

Dashboard

1. Go to Traffic policies > Traffic settings.
2. In Proxy and inspection, turn on Allow Secure Web Gateway to proxy traffic.
3. Select TCP.
4. Select UDP (required to proxy traffic to internal DNS resolvers).
5. (Recommended) To proxy traffic for diagnostic tools such as ping and traceroute, select ICMP. You may also need to update your system to allow ICMP traffic through cloudflared.

Terraform (v5)

1. Add the following permission to your cloudflare_api_token ↗:

   • Zero Trust Write

2. Turn on the TCP and/or UDP proxy using the cloudflare_zero_trust_device_settings ↗ resource:

   resource "cloudflare_zero_trust_device_settings "global_warp_settings" {
     account_id            = var.cloudflare_account_id
     gateway_proxy_enabled = true
     gateway_udp_proxy_enabled = true
   }

Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your split tunnel settings. For more information on how Gateway forwards traffic, refer to Gateway proxy.