---
title: Cloudflare One
description: Learn how to secure self-hosted and SaaS applications with Cloudflare One. Configure a unified dashboard for seamless access and security.
image: https://developers.cloudflare.com/zt-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt  
> Use this file to discover all available pages before exploring further.


# Cloudflare One

Secure your organization with Cloudflare One — a cloud security platform that replaces legacy perimeters with Cloudflare's global network.

 Available on all plans 

Cloudflare One is Cloudflare's [Secure Access Service Edge (SASE) ↗](https://www.cloudflare.com/learning/access-management/what-is-sase/) platform. SASE is an architectural model that unifies enterprise networking services with Zero Trust security.

[Zero Trust ↗](https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/) is a security model designed around the principle of least privilege. In the past, once you logged into a corporate network, you were "trusted" to move around freely. Zero Trust changes that. It assumes that threats can exist both outside and inside the network. Therefore, every request is authenticated and authorized based on identity and context before granting access.

The Cloudflare One platform allows organizations to move away from a patchwork of hardware appliances and point solutions. Instead, it consolidates security and networking through a unified control plane that includes products like [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/), [Secure Web Gateway (SWG)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/), [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/), [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), [Cloud Access Security Broker (CASB)](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/), and [Email security](https://developers.cloudflare.com/cloudflare-one/email-security/).

Refer to our [SASE reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) to learn how to plan, deploy, and manage SASE architecture with Cloudflare.

[ Get started ](https://developers.cloudflare.com/cloudflare-one/setup/) [ Cloudflare dashboard ](https://dash.cloudflare.com/) [ Implementation guides ](https://developers.cloudflare.com/cloudflare-one/implementation-guides/) 

## Products

**[Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)** 

Authenticate users accessing your applications, seamlessly onboard third-party users, and log every event and request.

**[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)** 

Securely connect your resources to Cloudflare without exposing a public IP by using Cloudflare Tunnel, which establishes outbound-only connections from your infrastructure to Cloudflare's global network via the lightweight `cloudflared` daemon.

**[Secure Web Gateway (SWG)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)** 

Inspect and filter DNS, network, HTTP, and egress traffic to enforce your company's Acceptable Use Policy (AUP), block risky sites with custom blocklists and threat intelligence, and gain visibility and protection across SaaS applications.

**[Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)** 

Protect corporate devices by privately sending traffic from those devices to Cloudflare's global network, build device posture rules, and enforce security policies anywhere.

**[Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)** 

Mitigate the impact of attacks by executing all browser code in the cloud and securely browse high-risk or sensitive websites in a remote browser.

**[Cloud Access Security Broker (CASB)](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)** 

Protect users and sensitive data at rest in SaaS applications and cloud environments, scan for misconfigurations, and detect insider threats as well as unsanctioned application usage to prevent data leaks and compliance violations.

**[Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)** 

Scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.

**[Email security](https://developers.cloudflare.com/cloudflare-one/email-security/)** 

Configure policies to manage your inbox, automatically move emails based on their disposition, and use screening criteria to investigate messages.

**[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/)** 

Monitor device, network, and application performance across your Zero Trust organization.

---

## More resources

[SASE video series](https://developers.cloudflare.com/learning-paths/sase-overview-course/series/evolution-corporate-networks-1/) 

New to Zero Trust and SASE? Get started with our introductory SASE video series.

[Reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) 

Explore our reference architecture to learn how to evolve your network and security architecture to Cloudflare One, our SASE platform.

[Plans](https://www.cloudflare.com/plans/zero-trust-services/) 

Cloudflare Zero Trust offers both Free and Paid plans. Access to certain features depends on a customer's plan type.

[Limits](https://developers.cloudflare.com/cloudflare-one/account-limits/) 

Learn about account limits. These limits may be increased on Enterprise accounts.

[Support](https://developers.cloudflare.com/cloudflare-one/troubleshooting/) 

Find troubleshooting guides for Cloudflare One products and learn how to collect information for Support.

[Community](https://community.cloudflare.com/) 

Ask questions, get answers, and share tips.

Note

Enterprise customers can preview this product as a [non-contract service](https://developers.cloudflare.com/billing/understand/preview-services/), which provides full access, free of metered usage fees, limits, and certain other restrictions.


---

---
title: Get started
description: Set up Cloudflare Zero Trust for your organization. Choose a use case to get started with a guided quick-start.
image: https://developers.cloudflare.com/zt-preview.png
---



# Get started

Set up Cloudflare Zero Trust to protect your users, devices, and networks. Complete the prerequisites below, then choose a use case to get started.

## Prerequisites

Before you begin any use case, you need a Cloudflare account and a Zero Trust organization.

### 1\. Create a Cloudflare account

Sign up for a [Cloudflare account ↗](https://dash.cloudflare.com/sign-up) and enable two-factor authentication.

### 2\. Create a Zero Trust organization

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select **Zero Trust**.
2. On the onboarding screen, choose a team name. The team name is a unique, internal identifier for your Zero Trust organization. Users enter this team name when they enroll a device manually, and it also becomes the subdomain for your App Launcher (where applicable). Most organizations use their business name.  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) by going to **Zero Trust** \> **Settings**.
3. Complete your onboarding by selecting a subscription plan and entering your payment details. If you chose the **Zero Trust Free plan**, this step is still needed but you will not be charged.

## What would you like to do?

These use cases match the guided onboarding in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com). To follow along in the dashboard, select **Get Started**.

[Replace your VPN](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/) 

Give remote users, offices, and devices secure access to private networks and applications without a traditional VPN.

[Secure access to private apps from any browser](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/) 

Provide browser-based access to internal web applications, SSH servers, and RDP sessions without installing software on user devices.

[Filter DNS to block threats](https://developers.cloudflare.com/cloudflare-one/traffic-policies/initial-setup/dns/) 

Set up DNS filtering to block malware, phishing, and unwanted content across your network in minutes.

[Secure web traffic from threats](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) 

Inspect and filter all Internet-bound traffic from your users to block threats, enforce acceptable use policies, and prevent data loss.

Note

For in-depth deployment guides that cover policy design and advanced configuration, refer to [Implementation guides](https://developers.cloudflare.com/cloudflare-one/implementation-guides/).


---

---
title: Replace your VPN
description: Replace your traditional VPN with Cloudflare Zero Trust. Choose a connection scenario to get started.
image: https://developers.cloudflare.com/zt-preview.png
---



# Replace your VPN

Cloudflare One uses Cloudflare's global network and Zero Trust Network Access (ZTNA) to replace traditional VPNs. After you securely connect your devices and resources to Cloudflare, you can set policies to verify every request based on identity and context, reducing your attack surface and improving performance for remote users. For more background, refer to [Why should you replace your VPN?](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/why-vpn/)

How you set this up depends on what needs to connect to what. Choose the scenario that matches your use case:

[Device to network](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/device-to-network/) 

Connect remote users to internal applications and services through a secure connection. Best for remote access to private networks.

[Device to device](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/device-to-device/) 

Create secure, direct connections between two or more devices through Cloudflare's network using Mesh IPs. Best for device-to-device communication.

[Network to network](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/network-to-network/) 

Connect two or more private networks bidirectionally through Cloudflare. Best for linking offices, data centers, or cloud environments.

Note

For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/).


---

---
title: Device to device
description: Create a secure connection between two devices using Cloudflare Mesh and Cloudflare's network.
image: https://developers.cloudflare.com/zt-preview.png
---


# Device to device

Create a secure connection between two devices so they can communicate directly through Cloudflare's network, without needing to be on the same physical network. This is useful when you need to remotely access a specific device, for example connecting to a home computer from a laptop at a coffee shop.

To explore other connection scenarios, refer to [Replace your VPN](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/).

## How it works

The [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) is an app that you install on each device you want to connect. When you enroll a device in your Cloudflare account, it is assigned a [Mesh IP](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/#device-ips).

Devices use their Mesh IPs to communicate with each other through Cloudflare's network. This works for most common types of network traffic, including web requests, remote desktop, file sharing, and ping.

Only devices enrolled in your Cloudflare account can reach these addresses, so they are not accessible to anyone outside your organization. No tunnel infrastructure or network configuration is required, and the connection does not disrupt existing traffic on your network.

For more details, refer to [Connect client devices](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices/).

## Prerequisites

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up)
* Two Linux, Windows, macOS, Android, or iOS devices you want to connect together.

## Step 1: Enroll your first device

Enrollment permissions control which users can connect devices to your account. In this step, you set an enrollment email and download the Cloudflare One Client. The email you provide becomes the first allowed login for your organization, and anyone with that email address can enroll a device.

1. In the Cloudflare dashboard, go to **Networking** \> **Mesh**.
2. Select **Add a node**, then follow the wizard. The wizard configures enrollment permissions and Mesh connectivity automatically.
3. Download the Cloudflare One Client on your first device from the [downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).
4. Open the client, enter your team name, and sign in with your email.

## Step 2: Enroll your second device

Both devices must be enrolled in your Cloudflare account for the connection to work.

1. Download the Cloudflare One Client on your second device.
2. Open the client, enter the same team name, and sign in.
3. The client should show as **Connected** on both devices.

## Step 3: Verify your connection

Both devices are now connected through Cloudflare's network using their assigned Mesh IPs.

To view your device's assigned Mesh IP:

1. In the Cloudflare dashboard, go to **Networking** \> **Mesh**.
2. Your connected devices appear with their Mesh IPs.

To test connectivity, `ping` the Mesh IP of one device from the other.

## Recommended next steps

After verifying your connection, consider securing your connected devices with policies and access controls:

* **Set up Gateway policies**: By default, all enrolled devices can reach each other over the Mesh IP space. Gateway policies let you scan, filter, and log traffic between your devices. For more information, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/).
* **Create an Access application**: Restrict access to specific destinations on enrolled devices with identity-based rules. For more information, refer to [Secure a private IP or hostname](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).

For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/).

## Troubleshoot

If you have issues connecting, try these steps:

* **Windows users**: Windows Firewall blocks device-to-device traffic by default. You may need to add a firewall rule that allows incoming traffic from `100.96.0.0/12`. For details, refer to [Connect client devices](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices/).
* [Troubleshoot the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/): resolve connection and enrollment issues.


---

---
title: Device to network
description: Connect a remote device to a private network using Cloudflare Tunnel and the Cloudflare One Client.
image: https://developers.cloudflare.com/zt-preview.png
---


# Device to network

Connect a remote device to a private network so your users can securely access internal applications and services from anywhere, without the security risks and performance bottlenecks of a traditional VPN.

To explore other connection scenarios, refer to [Replace your VPN](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/).

This guide follows the same steps as the **Get Started** onboarding wizard in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com).

## How it works

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) is a network connector that creates an outbound-only connection between your private network and Cloudflare. No open inbound ports or firewall changes are required.

The [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) is an app that you install on each user's device. It routes traffic through Cloudflare and into the tunnel, so users can reach internal resources from anywhere.

## Prerequisites

* A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/).
* A Linux, Windows, or macOS device on your private network to run the tunnel.
* A Linux, Windows, or macOS device to install the Cloudflare One Client on.

## Step 1: Assign a Tunnel

Cloudflare Tunnel establishes an outbound-only connection from your resources to Cloudflare, and that connection is the path enrolled devices use to reach your private network. You can install the `cloudflared` connector on any Windows, macOS, or Linux device that is already inside your private network.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab.
2. For **Replace my client-based or site-to-site VPN**, select **Get started**.
3. For **Device to network**, select **Continue**.
4. On the **Connect a remote device to a private network** screen, select **Continue**.
5. On the **Assign a Tunnel** screen, use the dropdown to choose an existing tunnel or create a new one.
6. Select **Continue**.

## Step 2: Set your Tunnel's IP range

Add the IP range of your private network to the tunnel. This defines which internal resources your remote users can reach: your tunnel accepts traffic to this range from devices enrolled in your Zero Trust organization. Keep the range as narrow as the use case needs, because until you add Gateway or Access policies every address in it is reachable from every enrolled device.

1. Enter your IP range (for example, `10.0.1.0/24`).
2. Select **Continue**.

Note

If you are not sure of your IP range, check your router or network settings.

## Step 3: Deploy your Tunnel

Install the `cloudflared` connector on a device in your private network and run the tunnel. This service creates the secure connection between your network and Cloudflare.

1. Select your device's operating system and architecture.
2. Copy the install command and run it on your device. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window. For macOS, the command looks similar to:

   ```sh
   brew install cloudflared && sudo cloudflared service install <YOUR_TUNNEL_TOKEN>
   ```

   For Windows and Linux, the dashboard provides a download link and install command for your selected architecture. For more download options, refer to [Downloads](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/). The token in this command authenticates the connector to your tunnel: anyone who obtains it can run a connector that joins the tunnel, so do not commit it to source control or leave it in shared shell history.
3. After `cloudflared` connects, the dashboard confirms the tunnel is active.
4. Select **Continue**.
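The dashboard's install command puts the tunnel token on the command line, which leaves it in shell history and visible in the process list while the command runs. The script below is an added example, not from the Cloudflare docs or from `cloudflared` itself: it reads the token from a root-only file (the path `/etc/cloudflared/token` is an assumption), decodes it to confirm it is well formed and to show which tunnel it binds to, and only then installs the service. The token layout it relies on (base64 of a JSON object with keys `a`, `t` and `s` for account tag, tunnel ID and secret) is the one `cloudflared` decodes; the sample token is constructed and contains no real account or secret.

```sh
#!/bin/sh
# Added example (not from the Cloudflare docs): deploy cloudflared from a
# token stored in a root-only file instead of pasting it on the command line,
# and inspect the token first so you know which tunnel it binds to.
#
# A tunnel token is base64(JSON) with three keys, as decoded by cloudflared:
#   a = account tag, t = tunnel ID, s = tunnel secret
# Anyone holding the token can run a connector that joins the tunnel and
# serves its routes, so treat it like a private key.

# Print one field (a, t or s) of a tunnel token. The secret is only printed
# when explicitly asked for with key "s".
tunnel_token_field() {
    token=$1
    key=$2
    printf '%s' "$token" | base64 -d 2>/dev/null \
        | sed -n "s/.*\"$key\":\"\\([^\"]*\\)\".*/\\1/p"
}

# Refuse tokens that do not decode to the expected shape (typo, truncated
# paste, or something that is not a tunnel token at all).
tunnel_token_valid() {
    [ -n "$(tunnel_token_field "$1" a)" ] \
        && [ -n "$(tunnel_token_field "$1" t)" ] \
        && [ -n "$(tunnel_token_field "$1" s)" ]
}

# Install cloudflared as a system service from a token file (assumed path
# /etc/cloudflared/token, mode 0600, owned by root). Requires cloudflared on
# PATH. The token still passes through argv of the install command, but it
# never appears in an interactive shell history or in a pasted command.
install_tunnel_from_file() {
    token_file=${1:-/etc/cloudflared/token}
    token=$(sudo cat "$token_file") || return 1
    if ! tunnel_token_valid "$token"; then
        echo "not a tunnel token: $token_file" >&2
        return 1
    fi
    echo "installing connector for tunnel $(tunnel_token_field "$token" t)"
    sudo cloudflared service install "$token"
    sudo systemctl is-active cloudflared
}

# Constructed sample token for demonstration: not a real account or secret.
SAMPLE_TOKEN=$(printf '%s' '{"a":"0123456789abcdef0123456789abcdef","t":"11111111-2222-3333-4444-555555555555","s":"c2VjcmV0"}' | base64 | tr -d '\n')

echo "sample token binds tunnel $(tunnel_token_field "$SAMPLE_TOKEN" t)"

# Run "sh this_script.sh install [/path/to/token]" on the tunnel host.
if [ "${1:-}" = "install" ]; then
    install_tunnel_from_file "${2:-/etc/cloudflared/token}"
fi
```

If the connector runs in a container or under a supervisor that supports environment variables, `cloudflared tunnel run` also reads the token from `TUNNEL_TOKEN`, which keeps it out of argv entirely; the service installer used by the dashboard command does not take that route.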

## Step 4: Enroll your devices

Device enrollment controls which users can connect their devices to your private network through Cloudflare. In this step, you register your first device by providing an email address and installing the Cloudflare One Client.

1. Enter the email you want to use to enroll your first device.
2. Select your device's operating system.
3. Select **Download to continue** to download the Cloudflare One Client, or copy the download link to send to a different device.
4. Select **Continue**.

Note

You can manage device enrollment permissions later in **Team & Resources** \> **Devices**.

## Step 5: Complete Cloudflare One Client setup

On your device, complete the Cloudflare One Client installation wizard. Then connect the Cloudflare One Client to your Zero Trust organization. For comprehensive OS-specific instructions, refer to [Manual deployment](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/).

1. Open the Cloudflare One Client. On macOS, select the Cloudflare icon in your status bar. On Windows, select the Cloudflare icon in your system tray.
2. Go to **Preferences** \> **Account** \> **Login to Cloudflare Zero Trust**.
3. Enter your team name when prompted. Your team name is the unique identifier for your Zero Trust organization and was set when the organization was created. The dashboard displays your team name on this screen for easy reference.  
Note  
To find or change your team name, go to **Settings** \> **Team name** and select **Edit**.
4. Complete the authentication steps.
5. The Cloudflare One Client should show as **Connected**.
6. Select **Continue** in the dashboard.

## Step 6: Verify your connection

The dashboard confirms that you are securely connected. You now have remote access between your device and your private network resources.

To verify connectivity, try reaching a resource on your private network (for example, `http://10.0.1.100` or `ssh 10.0.1.50`).

## Recommended next steps

After verifying your connection, consider securing your private network with policies and access controls:

* **Set up Gateway policies**: By default, all enrolled devices can reach your entire private network. Gateway policies let you scan, filter, and log traffic between your devices and your private network. For more information, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/).
* **Create an Access application**: Restrict access to specific applications or hostnames on your private network with identity-based rules. For more information, refer to [Secure a private IP or hostname](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).
* **Explore more with Zero Trust**: Review your tunnel, policies, and connected devices in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com).

For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/).

## Troubleshoot

If you have issues connecting, refer to these resources:

* [Troubleshoot the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/): resolve Cloudflare One Client connection and enrollment issues.
* [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems.


---

---
title: Network to network
description: Connect two private networks using Cloudflare Mesh nodes and Cloudflare's network.
image: https://developers.cloudflare.com/zt-preview.png
---


# Network to network

Connect two separate private networks so devices on each network can send and receive traffic in both directions through Cloudflare. This is useful when you need to link office locations, data centers, or cloud environments. For example, employees in one office could access a file server, printer, or internal application in another office.

To explore other connection scenarios, refer to [Replace your VPN](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/).

## How it works

[Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) (formerly WARP Connector) lets you deploy mesh nodes — lightweight network connectors that you install on a single Linux device in each network. That device handles traffic for the entire network: it sends outbound traffic to Cloudflare and receives inbound traffic back, then passes it to the right device on the network. Because of this, other devices on the network do not need to install any software.

## Prerequisites

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A Linux device or virtual machine on your first private network. This is where you install your first mesh node.
* A second Linux device or virtual machine on a separate private network. This is where you install your second mesh node.

Note

Mesh nodes are currently Linux-only. For more details on requirements, refer to [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/).

## Step 1: Create your first mesh node

1. In the Cloudflare dashboard, go to **Networking** \> **Mesh**.
2. Select **Add a node**.
3. Enter a name for the node (for example, `office-a`).
4. Follow the wizard to configure enrollment and device profile settings.
5. Copy the install commands from the wizard and run them on your Linux device.
6. After the node connects, the dashboard confirms it is online.

## Step 2: Add a route for the first network

1. Go to the node detail page for your first node.
2. Select the **Routes** tab.
3. Select **Add a route**.
4. Enter the IP range of your first network (for example, `10.0.0.0/24`).
5. Select **Create**.

## Step 3: Create your second mesh node

Repeat [Step 1](#step-1-create-your-first-mesh-node) on a Linux device in your second network. Give it a distinct name (for example, `office-b`).

## Step 4: Add a route for the second network

Repeat [Step 2](#step-2-add-a-route-for-the-first-network) for your second node, entering the IP range of your second network (for example, `192.168.1.0/24`). The IP range must not overlap with your first network.

## Step 5: Forward device traffic

If the mesh node is installed on your network's router (the device that serves as the default gateway), other devices on the network automatically send traffic through it. No additional configuration is needed, and you can skip this step.

If the mesh node is installed on a different device, other devices on the network need a static route so they know to send cross-network traffic to the mesh node. Without this route, devices do not know where to send traffic destined for the other network.

For details on routing options, refer to [Routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/).
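Steps 4 and 5 above hinge on two things that fail silently when they are wrong: the two ranges must not overlap, and every device that does not use the mesh node as its default gateway needs a static route. The script below is an added example, not from the Cloudflare docs: it checks two CIDR blocks for overlap in plain POSIX shell arithmetic and prints the `ip route add` command for a Linux host on the first network. The ranges are the ones used in this walkthrough; the mesh node address `10.0.0.5` is an assumption.

```sh
#!/bin/sh
# Added example (not from the Cloudflare docs): check that two network ranges
# are disjoint before routing both through Cloudflare, and print the static
# route that non-gateway devices need so cross-network traffic reaches the
# local mesh node.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First and last address of a CIDR block, as integers, separated by a space.
cidr_bounds() {
    ip=${1%/*}
    bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    first=$(( $(ip_to_int "$ip") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$first $last"
}

# True (exit 0) when the two ranges share at least one address.
cidr_overlap() {
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Print the route a Linux device on LOCAL_NET must add so that packets for
# REMOTE_NET go to the local mesh node at NODE_IP. Overlapping ranges are
# rejected because Cloudflare could not tell the two networks apart.
static_route_cmd() {
    local_net=$1
    remote_net=$2
    node_ip=$3
    if cidr_overlap "$local_net" "$remote_net"; then
        echo "error: $local_net and $remote_net overlap; choose disjoint ranges" >&2
        return 1
    fi
    echo "sudo ip route add $remote_net via $node_ip"
}

# Walkthrough values: office-a is 10.0.0.0/24, office-b is 192.168.1.0/24.
# The mesh node address 10.0.0.5 is assumed for the example.
static_route_cmd 10.0.0.0/24 192.168.1.0/24 10.0.0.5
```

Run the printed command on each Linux device in the first network (or add the equivalent static route on that network's router so devices inherit it), then repeat with the arguments swapped for the second network. A route added with `ip route add` does not survive a reboot unless you also persist it in the distribution's network configuration.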

## Step 6: Verify your connection

Devices on both networks can now communicate through Cloudflare. To verify connectivity, try reaching a device on the opposite network (for example, `ping 192.168.1.100` from a device on your first network).

## Recommended next steps

After verifying your connection, consider securing your connected networks with policies and access controls:

* **Set up Gateway policies**: By default, all traffic between your network segments flows through Cloudflare without restriction. Gateway policies let you scan, filter, and log traffic between your networks. For more information, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/).
* **Create an Access application**: Restrict access to specific services or hosts on your connected networks with identity-based rules. For more information, refer to [Secure a private IP or hostname](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).
* **Enable high availability**: Deploy multiple replicas of each mesh node for automatic failover. For more information, refer to [High availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/).

For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/).

## Troubleshoot

If you have issues connecting, refer to these resources:

* [Tips and best practices](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/tips/): review common Cloudflare Mesh configuration tips and troubleshooting strategies.
* [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems.

---

---
title: Secure private apps
description: Provide browser-based access to internal web applications, SSH servers, and remote desktops without installing software on user devices.
image: https://developers.cloudflare.com/zt-preview.png
---

# Secure private apps

Cloudflare Access lets users reach internal applications through a browser without a VPN or client software on their device. You connect your application to Cloudflare using a secure connection called a tunnel, then protect it with policies that control who can access it. For more background, refer to [What is clientless access?](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/).

How you set this up depends on the type of application you are securing. Choose the scenario that matches your use case:

[Private web application](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/private-web-app/) 

Connect an internal web application to Cloudflare and control who can access it. Best for applications like company intranets, internal wikis, or admin panels.

[Clientless SSH](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/clientless-ssh/) 

Provide in-browser command line access to an internal server without SSH client software on the user's device.

[In-browser remote desktop](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/in-browser-rdp/) 

Provide in-browser remote desktop access to Windows hosts without remote desktop client software on the user's device.

Note

For in-depth guidance on clientless access and advanced configuration, refer to the [Clientless access learning path](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/).

---

---
title: Clientless SSH
description: Provide in-browser SSH access to an internal server through Cloudflare Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Clientless SSH

Provide secure, in-browser command line access to an internal server without SSH client software on the user's device. This is useful when you need to give developers or IT staff remote access to servers for administration or troubleshooting from any browser.

To explore other access scenarios, refer to [Secure private apps](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/).

This guide follows the same steps as the **Get Started** experience in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com).

## How it works

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your private network to Cloudflare without opening any ports on your network. You install `cloudflared`, a connector service that runs in the background, on a device that can reach your server. It creates a secure connection from your network out to Cloudflare, so no firewall changes are required.

[Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) sits in front of the server and verifies who each user is before letting them through. Users sign in through a browser using an email one-time PIN or your identity provider, then interact with the server through an in-browser terminal.

For details on connection methods and advanced configuration, refer to [Connect to SSH in the browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-browser-rendering/).

## Prerequisites

* A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/).
* An [active domain on your Cloudflare account](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/). A public subdomain is created on this domain for your application.
* A Linux, Windows, or macOS device on your private network that can reach the server. This is where you install the tunnel.
* A server on your private network with SSH enabled.

## Step 1: Define your application

In this step, you describe the internal server you want to make available through Cloudflare.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab.
2. For **Set up secure access to private apps from any browser**, select **Get started**.
3. For **Configure clientless SSH access to an internal service**, select **Continue**.
4. On the **Zero Trust SSH terminal directly from your browser** screen, select **Continue**.
5. Enter a name for your application.
6. Enter the hostname or IP address of the server. Use the IP address if you are not sure (for example, `10.10.1.25`).
7. Enter the SSH port (the default is `22`).
8. Select **Continue**.

## Step 2: Select a public domain

Your application needs a public URL so users can reach it from a browser. Cloudflare creates a public URL on one of your existing domains for the application.

1. Select a domain from the dropdown.
2. Enter a subdomain (for example, `grafana`). A preview of the full URL appears (for example, `grafana.example.com`).
3. Select **Continue**.

## Step 3: Add your first policy

An Access policy controls who can reach your application. In this step, you create a simple policy using email-based one-time PINs. Users you add here receive a one-time PIN by email when they try to access the application.

1. Enter the email addresses of users you want to grant access to.
2. Select **Continue**.

Note

You can add your identity provider (for example, Okta or Google Workspace) to the application later. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

## Step 4: Assign a tunnel

A tunnel connects your private network to Cloudflare so traffic can reach your application. You can select an existing tunnel or create a new one.

1. In the **Choose or create a Tunnel** dropdown, select an existing tunnel or enter a name to create a new one.
2. Select **Continue**.

## Step 5: Deploy your tunnel

Install `cloudflared` on a device in your private network that can reach the application. The dashboard generates commands specific to your operating system.

1. Select your operating system from the dropdown.
2. Copy and run the commands shown in the dashboard. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window.
3. After the tunnel connects, select **Continue**.

## Step 6: Review details

The dashboard confirms that your application is available and protected behind Cloudflare Access.

## Recommended next steps

* **Test your application**:  
   1. Select **Test login** on the success screen.  
   2. On the Access login screen, enter one of the email addresses you added to your Access policy.  
   3. Select **Send me a code**.  
   4. Enter the code from your email and select **Sign in**.
* **Explore more with Zero Trust**: Review your applications and policies in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** \> **Access controls**, and your tunnels under **Zero Trust** \> **Networks** \> **Connectors**.
* **Configure an identity provider**: Replace email one-time PINs with your organization's identity provider for a seamless login experience. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

For in-depth guidance on clientless access, refer to the [Clientless access learning path](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/).

## Troubleshoot

If you have issues connecting, refer to these resources:

* [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems.
* [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/troubleshooting/): resolve common Zero Trust errors and issues.

---

---
title: In-browser remote desktop
description: Provide in-browser remote desktop access to Windows hosts through Cloudflare Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# In-browser remote desktop

Provide secure, in-browser remote desktop access to Windows hosts without Remote Desktop Protocol (RDP) client software on the user's device. This is useful when you need to give IT staff or support teams remote access to Windows machines for administration or troubleshooting from any browser.

To explore other access scenarios, refer to [Secure private apps](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/).

This guide follows the same steps as the **Get Started** experience in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com).

## How it works

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your private network to Cloudflare without opening any ports on your network. You install `cloudflared`, a connector service that runs in the background, on a device that can reach the Windows host. It creates a secure connection from your network out to Cloudflare, so no firewall changes are required.

[Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) sits in front of the host and verifies who each user is before letting them through. Users sign in through a browser using an email one-time PIN or your identity provider, then interact with the Windows desktop through an in-browser remote desktop session.

For details on supported operating systems, connection methods, and known limitations, refer to [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/).

## Prerequisites

* A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/).
* An [active domain on your Cloudflare account](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/). A public subdomain is created on this domain for your application.
* A Linux, Windows, or macOS device on your private network that can reach the Windows host. This is where you install the tunnel.
* A Windows host on your private network that accepts Remote Desktop connections.

## Step 1: Define your application

In this step, you describe the Windows host you want to make available through Cloudflare.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab.
2. For **Set up secure access to private apps from any browser**, select **Get started**.
3. For **Enable in-browser remote desktop sessions to Windows hosts**, select **Continue**.
4. On the **Zero Trust RDP client directly from your browser** screen, select **Continue**.
5. Enter a name for your application.
6. Enter the local IP address of the Windows host (for example, `10.10.1.25`).
7. Enter the RDP port (the default is `3389`).
8. Select **Continue**.

## Step 2: Select a public domain

Your application needs a public URL so users can reach it from a browser. Cloudflare creates a public URL on one of your existing domains for the application.

1. Select a domain from the dropdown.
2. Enter a subdomain (for example, `grafana`). A preview of the full URL appears (for example, `grafana.example.com`).
3. Select **Continue**.

## Step 3: Add your first policy

An Access policy controls who can reach your application. In this step, you create a simple policy using email-based one-time PINs. Users you add here receive a one-time PIN by email when they try to access the application.

1. Enter the email addresses of users you want to grant access to.
2. Select **Continue**.

Note

You can add your identity provider (for example, Okta or Google Workspace) to the application later. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

## Step 4: Assign a tunnel

A tunnel connects your private network to Cloudflare so traffic can reach your application. You can select an existing tunnel or create a new one.

1. In the **Choose or create a Tunnel** dropdown, select an existing tunnel or enter a name to create a new one.
2. Select **Continue**.

## Step 5: Deploy your tunnel

Install `cloudflared` on a device in your private network that can reach the application. The dashboard generates commands specific to your operating system.

1. Select your operating system from the dropdown.
2. Copy and run the commands shown in the dashboard. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window.
3. After the tunnel connects, select **Continue**.

## Step 6: Review details

The dashboard confirms that your application is available and protected behind Cloudflare Access.

## Recommended next steps

* **Test your application**:  
   1. Select **Test login** on the success screen.  
   2. On the Access login screen, enter one of the email addresses you added to your Access policy.  
   3. Select **Send me a code**.  
   4. Enter the code from your email and select **Sign in**.
* **Explore more with Zero Trust**: Review your applications and policies in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** \> **Access controls**, and your tunnels under **Zero Trust** \> **Networks** \> **Connectors**.
* **Configure an identity provider**: Replace email one-time PINs with your organization's identity provider for a seamless login experience. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

For in-depth guidance on clientless access, refer to the [Clientless access learning path](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/).

## Troubleshoot

If you have issues connecting, refer to these resources:

* [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems.
* [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/troubleshooting/): resolve common Zero Trust errors and issues.

---

---
title: Private web application
description: Connect a private web application to Cloudflare and protect it with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Private web application

Connect a self-hosted web application to Cloudflare so authorized users can access it from a browser without a VPN. This is useful when you need to give employees or contractors secure access to applications like company intranets, internal wikis, or admin panels.

To explore other access scenarios, refer to [Secure private apps](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/).

This guide follows the same steps as the **Get Started** experience in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com).

## How it works

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your private network to Cloudflare without opening any ports on your network. You install `cloudflared`, a connector service that runs in the background, on a device that can reach your application. It creates a secure connection from your network out to Cloudflare, so no firewall changes are required.

[Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) sits in front of the application and verifies who each user is before letting them through. Users sign in through a browser using an email one-time PIN or your identity provider.

## Prerequisites

* A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](https://developers.cloudflare.com/cloudflare-one/setup/).
* An [active domain on your Cloudflare account](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/). A public subdomain is created on this domain for your application.
* A Linux, Windows, or macOS device on your private network that can reach the application. This is where you install the tunnel.
* A running web application on your private network (for example, `http://10.10.1.25` or `http://grafana.local`).

## Step 1: Define your application

In this step, you describe the internal application you want to make available through Cloudflare.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), select the **Get Started** tab.
2. For **Set up secure access to private apps from any browser**, select **Get started**.
3. For **Connect a private web application**, select **Continue**.
4. On the **Connect and access private web applications** screen, select **Continue**.
5. Enter a name for your application (for example, `grafana-gcp`).
6. Enter the hostname or IP address where the application is running. Use the IP address if you are not sure (for example, `10.10.1.25`).
7. Select the protocol your application uses (HTTP or HTTPS).
8. Enter the port your application listens on. This is usually part of the URL you use to access the application locally (for example, the `80` in `http://10.10.1.25:80`).
9. Select **Continue**.
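Step 1 of this guide, and the matching step of the clientless SSH and in-browser remote desktop guides, asks for the hostname or IP, the protocol and the port of an internal service, values that are usually already encoded in the URL you use locally (the `80` in `http://10.10.1.25:80`). The helper below is an added example, not part of the Cloudflare dashboard or `cloudflared`: it derives those form fields from such a URL, fills in the default port when none is given, and flags targets whose address is not private, since an application reachable from the public Internet is not what this flow is meant to protect. The `ssh://` and `rdp://` spellings and the scheme-to-port table are this example's own convention.

```python
"""Derive the "Define your application" fields from a local service URL.

Added example for the private web application, clientless SSH and
in-browser remote desktop guides; not Cloudflare's code. Sample URLs are
constructed to mirror the guides (10.10.1.25, grafana.local).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Example convention: default port per protocol as used in the three guides.
DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22, "rdp": 3389}


@dataclass(frozen=True)
class AppTarget:
    protocol: str          # "http", "https", "ssh" or "rdp"
    host: str              # hostname or IP address to enter in the form
    port: int              # explicit port, or the protocol default
    host_is_ip: bool       # True if host parsed as an IP literal
    is_private: Optional[bool]  # None for hostnames (resolved inside the tunnel)


def parse_app_target(url: str) -> AppTarget:
    """Split a local URL into the Step 1 fields, applying the port default.

    A bare "host:port" with no scheme is treated as plain HTTP, matching the
    guide's example of a web app at http://10.10.1.25.
    """
    parts = urlsplit(url if "://" in url else f"http://{url}")
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; expected one of {sorted(DEFAULT_PORTS)}")
    host = parts.hostname
    if not host:
        raise ValueError(f"no host found in {url!r}")
    # urlsplit raises ValueError itself for a non-numeric or out-of-range port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname such as grafana.local: the tunnel resolves it from the
        # private network, so privacy cannot be judged from the name alone.
        return AppTarget(scheme, host, port, False, None)
    return AppTarget(scheme, host, port, True, ip.is_private)


def review_target(url: str) -> str:
    """Human-readable summary, with a warning for non-private IP targets."""
    t = parse_app_target(url)
    line = f"protocol={t.protocol} host={t.host} port={t.port}"
    if t.host_is_ip and not t.is_private:
        line += "  WARNING: target is a public address, not a private network host"
    return line


if __name__ == "__main__":
    # Constructed inputs mirroring the guides' examples.
    for sample in ("http://10.10.1.25:80", "https://grafana.local",
                   "ssh://10.10.1.25", "rdp://10.10.1.25:3389", "1.1.1.1"):
        print(f"{sample:28} -> {review_target(sample)}")
```

For IPv6 targets use bracket notation (`http://[fd00::1]:8080`); `urlsplit` strips the brackets and `ipaddress` classifies the address the same way.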

## Step 2: Select a public domain

Your application needs a public URL so users can reach it from a browser. Cloudflare creates a public URL on one of your existing domains for the application.

1. Select a domain from the dropdown.
2. Enter a subdomain (for example, `grafana`). A preview of the full URL appears (for example, `grafana.example.com`).
3. Select **Continue**.

## Step 3: Add your first policy

An Access policy controls who can reach your application. In this step, you create a simple policy using email-based one-time PINs. Users you add here receive a one-time PIN by email when they try to access the application.

1. Enter the email addresses of users you want to grant access to.
2. Select **Continue**.

Note

You can add your identity provider (for example, Okta or Google Workspace) to the application later. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

## Step 4: Assign a tunnel

A tunnel connects your private network to Cloudflare so traffic can reach your application. You can select an existing tunnel or create a new one.

1. In the **Choose or create a Tunnel** dropdown, select an existing tunnel or enter a name to create a new one.
2. Select **Continue**.

## Step 5: Deploy your tunnel

Install `cloudflared` on a device in your private network that can reach the application. The dashboard generates commands specific to your operating system.

1. Select your operating system from the dropdown.
2. Copy and run the commands shown in the dashboard. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window.
3. After the tunnel connects, select **Continue**.

## Step 6: Review details

The dashboard confirms that your application is available and protected behind Cloudflare Access.

## Recommended next steps

* **Test your application**:  
   1. Select **Test login** on the success screen.  
   2. On the Access login screen, enter one of the email addresses you added to your Access policy.  
   3. Select **Send me a code**.  
   4. Enter the code from your email and select **Sign in**.
* **Explore more with Zero Trust**: Review your applications and policies in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** \> **Access controls**, and your tunnels under **Zero Trust** \> **Networks** \> **Connectors**.
* **Configure an identity provider**: Replace email one-time PINs with your organization's identity provider for a seamless login experience. For more information, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

For in-depth guidance on clientless access, refer to the [Clientless access learning path](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/).

## Troubleshoot

If you have issues connecting, refer to these resources:

* [Troubleshoot tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems.
* [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/troubleshooting/): resolve common Zero Trust errors and issues.

---

---
title: Implementation guides
description: View implementation guides for Cloudflare Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Implementation guides

Implementation guides cover deployment steps and best practices for specific Cloudflare One use cases.

[Secure web traffic from threats](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) 

Inspect and filter all Internet-bound traffic from your users to block threats, enforce acceptable use policies, and prevent data loss.

[Replace your VPN](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/) 

Give users secure, auditable network and application access.

[Secure private apps without a client](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/) 

Provide browser-based access to internal web applications, SSH servers, and RDP sessions without installing software on user devices.

[Secure your email with Email security](https://developers.cloudflare.com/learning-paths/secure-your-email/concepts/) 

Use Cloudflare's Email security to protect your Microsoft 365 email inbox from phishing and malware attacks.

[Holistic AI security with Cloudflare One](https://developers.cloudflare.com/learning-paths/holistic-ai-security/concepts/) 

Monitor and secure generative AI usage within your organization.

---

---
title: Concepts
description: Secure browser-based access without device clients.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Concepts

Review the concepts behind clientless access.

## Objectives

By the end of this module, you will be able to:

* Understand the purpose and benefits of clientless access.

---

---
title: Concepts
description: Monitor and secure generative AI usage.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Concepts

The goal of this learning path is to provide Cloudflare One users with the strategy and tools to securely adopt generative AI within their organizations. This guide will help address new security challenges and mitigate risks like shadow AI and data loss.

## Objectives

* Determine risk tolerance: Identify areas of concern and risk tolerance for AI use to establish a baseline for your organization's AI security strategy.
* Monitor AI usage: Utilize Cloudflare One's tools, such as the Shadow IT dashboard and API CASB integrations, to gain visibility into both sanctioned and unsanctioned AI application usage.
* Build security policies: Create granular security policies using Cloudflare Gateway to control AI usage, prevent data loss with DLP, and manage user behavior through actions like blocking or redirecting.
* Secure sanctioned models: Apply Zero Trust principles to sanctioned AI models and internal services like Model Context Protocol (MCP) servers to ensure secure access and protect sensitive data from being exposed.

---

---
title: Concepts
description: Replace your VPN with Cloudflare Zero Trust.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Concepts

Concepts explain the basic ideas behind how Cloudflare Zero Trust works.

## Objectives

By the end of this module, you will be able to:

* Explain how Cloudflare works.
* Describe the purpose of a VPN.
* Understand the benefits of switching to a Zero Trust architecture.

---

---
title: Concepts
description: Secure Internet traffic and SaaS apps.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Concepts

Learn the core concepts of using Cloudflare Zero Trust functionality to provide granular security policy for devices and networks accessing the Internet.

## Objectives

By the end of this module, you will be able to:

* Understand what products and features Cloudflare offers.
* Describe how Cloudflare implements Internet traffic and SaaS app security.


---

---
title: Concepts
description: Protect your organization from email phishing attacks.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Concepts

Review the concepts behind Cloudflare's Email security.

## Objectives

By the end of this module, you will be able to:

* Explain how Cloudflare works.
* Describe what Email security is.
* Understand how Cloudflare prevents email-based phishing attacks.


---

---
title: Videos
description: Videos for Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Videos

[ Build and secure your SASE corporate network ](https://developers.cloudflare.com/learning-paths/sase-overview-course/series/evolution-corporate-networks-1/) Dive into Cloudflare's Secure Access Service Edge (SASE) platform and learn how it's been designed to revolutionize the idea of the corporate network. 

[ Understand and troubleshoot Cloudflare WARP ](https://developers.cloudflare.com/learning-paths/warp-overview-course/series/warp-basics-1/) In this series, we cover the basics of Cloudflare WARP, share useful troubleshooting tips, and explain the warp-diag logs in detail. 

[ What's a Cloudflare Tunnel? ](https://developers.cloudflare.com/videos/what-is-cf-tunnel/) Cloudflare Tunnel is like a private, secure pathway from your computer to the Internet, so you don't have to leave the front door (your network) wide open. 

[ Add your domain to Cloudflare ](https://developers.cloudflare.com/videos/the-online-address-book/) To begin using a Cloudflare Tunnel, you need a domain name. Learn how DNS works and how Cloudflare manages your domain through the metaphor of an online address book. 

[ Set up Access policies for your tunnel ](https://developers.cloudflare.com/videos/set-up-access-policies/) Set up access policies using Cloudflare Access to verify the identity of every user. 

[ Set up Cloudflare Tunnel ](https://developers.cloudflare.com/videos/set-up-cf-tunnel) Set up Cloudflare Tunnel to create a secure link between your private environment and the Cloudflare edge. 


---

---
title: Insights
description: Insights resources and guides for Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Insights

Cloudflare One offers observability tools to monitor and troubleshoot your environment:

* [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) to monitor overall Cloudflare One usage.
* [Analytics Dashboards](https://developers.cloudflare.com/cloudflare-one/insights/analytics/) to review organizational traffic trends and policy insights.
* [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) for event-level investigation.
* [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for device, network, and application performance.

## Troubleshooting workflow example

A user reports they cannot reach an internal application behind [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/). To address the issue:

1. Check the [Analytics overview dashboard](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) to see whether other users are experiencing the same issue.
2. Review [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) to examine the user's authentication attempts and blocked requests.
3. Use [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) to evaluate the user's device health and network performance.

## How to use these tools together

### Onboarding

After onboarding your devices and users, use these tools to confirm everything is set up correctly and to monitor your organization's activity.

1. Start with [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) to validate initial configuration and confirm that authentication is successful.
2. Use [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) to confirm expected patterns and policy activity.

If your device is experiencing connectivity issues, Cloudflare recommends starting with [troubleshooting WARP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/) as WARP misconfiguration is the most common cause of connectivity issues.

### Daily monitoring

1. Use [Analytics Dashboards](https://developers.cloudflare.com/cloudflare-one/insights/analytics/) to understand trends and for visualizations of your log data.  
Administrators typically start with Analytics Dashboards because they offer:  
   * A high-level view of activity across your products, like Access, or security use cases, such as AI and shadow IT.  
   * Visibility into trends, provided through time-series graphs, to track the evolution of key metrics (such as [DNS queries](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/#dns-query-analytics), [network sessions](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/#network-session-analytics), [HTTP requests](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/#http-request-analytics), and [CASB posture/content findings](https://developers.cloudflare.com/cloudflare-one/insights/analytics/data-analytics/)) over time.
2. Use [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) as needed for event-level verification.  
Use Logs when you need to:  
   * Investigate a specific event; for example, a user's [failed authentication attempt](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) when trying to log in to an application.  
   * Validate identity or device details; for example, confirming which user made the request, how they authenticated, and whether their device met required [posture conditions](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/posture-logs/).  
   * Confirm policy matches; for example, verifying which [specific rule](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#rule-types) allowed, blocked, or challenged a user's request and why it was applied.

### User-reported issues

Users may report problems like slow or failing connections to internal apps.

1. Start with [Analytics Dashboards](https://developers.cloudflare.com/cloudflare-one/insights/analytics/) to review whether the issue impacts others.
2. Check [Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) for failed authentication attempts, blocked requests, or unexpected policy matches.
3. Use [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) to diagnose device- or network-level causes with [synthetic tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) and [device monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/).
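The troubleshooting workflow above and the user-reported-issues checklist both come down to two questions that the Access authentication logs can answer before you open DEX: is the user actually being denied by Access, and is anyone else? The following script is an added example, not Cloudflare code. The log lines are constructed, and their field names (`CreatedAt`, `Email`, `AppDomain`, `Action`, `Allowed`, `IPAddress`, `Country`, `RayID`) are modelled on the Logpush `access_requests` dataset as an assumption; check them against your own export before relying on them.

```python
"""Triage an Access login problem from authentication log records.

Added example (not Cloudflare code). Field names are assumed to follow the
Logpush `access_requests` dataset; the records below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample log lines: newline-delimited JSON, one record per line.
SAMPLE_LOG_LINES = [
    '{"CreatedAt":"2024-05-01T09:00:12Z","Email":"alice@example.com","AppDomain":"wiki.example.com","Action":"login","Allowed":true,"IPAddress":"203.0.113.10","Country":"us","RayID":"8a10"}',
    '{"CreatedAt":"2024-05-01T09:01:40Z","Email":"bob@example.com","AppDomain":"wiki.example.com","Action":"login","Allowed":true,"IPAddress":"198.51.100.7","Country":"de","RayID":"8a11"}',
    '{"CreatedAt":"2024-05-01T09:03:05Z","Email":"carol@example.com","AppDomain":"wiki.example.com","Action":"login","Allowed":false,"IPAddress":"192.0.2.44","Country":"br","RayID":"8a12"}',
    '{"CreatedAt":"2024-05-01T09:03:30Z","Email":"carol@example.com","AppDomain":"wiki.example.com","Action":"login","Allowed":false,"IPAddress":"192.0.2.44","Country":"br","RayID":"8a13"}',
    '{"CreatedAt":"2024-05-01T09:04:10Z","Email":"carol@example.com","AppDomain":"wiki.example.com","Action":"login","Allowed":false,"IPAddress":"192.0.2.44","Country":"br","RayID":"8a14"}',
    '{"CreatedAt":"2024-05-01T09:05:00Z","Email":"carol@example.com","AppDomain":"hr.example.com","Action":"login","Allowed":true,"IPAddress":"192.0.2.44","Country":"br","RayID":"8a15"}',
    '{"CreatedAt":"2024-05-01T09:06:22Z","Email":"dave@example.com","AppDomain":"wiki.example.com","Action":"login","Allowed":true,"IPAddress":"203.0.113.99","Country":"us","RayID":"8a16"}',
]


def parse_log_lines(lines):
    """Parse NDJSON records, skipping lines that are not valid JSON."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def user_summary(records, email):
    """One user's login attempts: outcome per app, source IPs, countries, last denial."""
    mine = [r for r in records if r.get("Email") == email and r.get("Action") == "login"]
    by_app = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for r in mine:
        by_app[r["AppDomain"]]["allowed" if r.get("Allowed") else "denied"] += 1
    denied = [r for r in mine if not r.get("Allowed")]
    return {
        "attempts": len(mine),
        "denied": len(denied),
        "by_app": dict(by_app),
        "ips": sorted({r["IPAddress"] for r in mine}),
        "countries": sorted({r["Country"] for r in mine}),
        # The Ray ID of the latest denial is what you search for in the dashboard logs.
        "last_denied_rayid": denied[-1]["RayID"] if denied else None,
    }


def app_denial_rate(records, app_domain, exclude_email=None):
    """Fraction of login attempts to an app that were denied, optionally excluding
    the reporting user, so a user-specific problem can be told from an app-wide one."""
    attempts = [
        r for r in records
        if r.get("AppDomain") == app_domain and r.get("Action") == "login"
        and r.get("Email") != exclude_email
    ]
    if not attempts:
        return None
    return sum(1 for r in attempts if not r.get("Allowed")) / len(attempts)


def triage(records, email, app_domain):
    """Classify the report so you know which workflow step to take next."""
    me = user_summary(records, email)
    mine_at_app = me["by_app"].get(app_domain)
    if mine_at_app is None:
        # No login event at all: the request never reached Access, so start with
        # the device and network (WARP, DEX tests) rather than with policies.
        return "no-access-events"
    if mine_at_app["denied"] == 0:
        return "user-allowed"           # Access is not the blocker; look at the origin or tunnel
    others = app_denial_rate(records, app_domain, exclude_email=email)
    if others is not None and others >= 0.5:
        return "app-wide-denials"       # many users denied: suspect a recent policy change
    return "user-specific-denials"      # only this user: check identity, group and posture claims


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    print(user_summary(recs, "carol@example.com"))
    print(triage(recs, "carol@example.com", "wiki.example.com"))
```

`triage` maps onto the three steps: `app-wide-denials` is what the Analytics overview would show as a spike in denied logins, `user-specific-denials` sends you to that user's authentication logs and posture logs, and `no-access-events` means Access never saw the request, which is the case where WARP or DEX is the right starting point.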


---

---
title: Analytics overview
description: Reference information for Analytics overview in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Analytics overview

The Cloudflare One Analytics overview provides a dashboard that reports on how Cloudflare One is protecting your organization and networks. Use this page to monitor usage and potential security concerns within your organization.

To view the Analytics overview, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com) and go to **Overview**.

The Analytics overview includes reports and insights across the following products and categories:

* [Global status](#global-status) of your Zero Trust Organization
* [Access](#access)
* Gateway  
   * [HTTP traffic](#proxy-traffic)  
   * [Network traffic](#gateway-network-requests)  
   * [DNS traffic](#dns-traffic)  
   * [Firewall policies](#gateway-insights)

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use the Analytics overview together with [Analytics Dashboards](https://developers.cloudflare.com/cloudflare-one/insights/analytics/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## Global status

In **Global status**, you can view a report on your organization's Cloudflare One adoption that contains the following metrics:

* Access apps configured
* Gateway HTTP policies
* Gateway network policies
* Gateway DNS policies
* SaaS integrations
* Data Loss Prevention (DLP) profiles

You can also view a report on your [seat usage](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) across your Zero Trust Organization that contains the following metrics. A seat is a billable unit consumed when a user authenticates to your Zero Trust organization.

* Total seats
* Used seats
* Unused seats

## Access

In **Access**, you can view a report on your [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) configuration that contains:

**Metrics:**

* Total access attempts
* Granted access
* Denied (policy violation)
* Active logins over time
* Top applications with most logins

**Filters:**

* Access data by country

## Gateway

### Proxy traffic

In **Proxy traffic**, you can view a report on your [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) HTTP traffic that contains:

**Metrics:**

* Total requests over time
* Allowed requests
* Blocked requests
* Isolated requests (served through [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/))
* Do not inspect requests
* Top bandwidth consumers (GB)
* Top denied users

**Filters:**

* Gateway HTTP traffic data by country

### Gateway (network requests)

In **Gateway (network requests)**, you can view a report on your Gateway network traffic that contains:

**Metrics:**

* Total sessions
* Authenticated sessions
* Blocked sessions
* Audit SSH sessions
* Allowed sessions
* Override sessions
* Top bandwidth consumers in GB
* Top denied users

**Filters:**

* Gateway network traffic data by country

### DNS traffic

In **DNS traffic**, you can view a report on your Gateway DNS traffic that contains:

**Metrics:**

* Total DNS queries
* Allowed DNS queries
* Blocked DNS queries
* Override DNS queries
* Safe Search DNS queries
* Restricted DNS queries
* Other DNS queries

**Filters:**

* Gateway DNS traffic by query type
* Gateway DNS traffic by country

### Gateway insights

In **Gateway insights**, you can view a report on your Gateway firewall policies that contains the following metrics:

* Top domain blocking policies
* Most user queries
* Top devices
* Top countries

### CASB metrics

In **CASB**, you can review instances of security issues — such as misconfigurations, unauthorized user activity, and shadow IT — found in your SaaS integrations by [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/).

* Integrations by number of findings
* [DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) findings by profile name


---

---
title: Access event analytics
description: Reference information for Access event analytics in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Access event analytics

Access event analytics allows you to review login attempts to the applications you protect behind [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). Access event analytics are powered by [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/).

To view Access event analytics:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Go to **Dashboards**.
3. Select **Access event analytics**.

Access Event Analytics aggregates authentication activity based on your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/).

The [Application Access Report](https://developers.cloudflare.com/cloudflare-one/insights/analytics/application-access/) dashboard offers a summary of overall Access activity, while [Access event analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/access/) dashboard provides a view of login events. You can export the Application Access Report to a PDF to share with stakeholders.

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## Available insights

The Access event analytics dashboard includes a time-series chart of authentication events, allowing you to identify spikes in login activity over a selected period.

* Events are displayed on the vertical axis.
* Time (in your local timezone) is shown along the horizontal axis.

The Access event analytics dashboard also shows data on your usage patterns with metrics including:

* Top used applications
* Top users
* Top IP addresses
* Top identities
* Top countries
* Top application types

These insights help you detect anomalies and optimize policy rules.
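The time-series chart lets you spot a login spike by eye; the same check can be run over exported authentication events so that it is repeatable and so the spike is immediately attributed to the users and IPs inside it. This is an added example, not Cloudflare code: the events are constructed, and the field names (`CreatedAt`, `Email`, `IPAddress`) are assumed. Bucketing at five minutes and a median-based threshold are choices for this example, not dashboard settings.

```python
"""Flag spikes in Access login events and attribute them to users and IPs.

Added example (not Cloudflare code). Events are constructed and field names
are assumed; the bucket size and threshold are illustrative choices.
"""
from collections import Counter
from datetime import datetime, timezone
from statistics import median

BUCKET_SECONDS = 300  # five-minute bins, like the chart's coarsest useful resolution


def bucket_of(ts):
    """Start of the bucket (epoch seconds) that an ISO-8601 UTC timestamp falls into."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % BUCKET_SECONDS


def count_per_bucket(events):
    return Counter(bucket_of(e["CreatedAt"]) for e in events)


def find_spikes(events, factor=3.0, min_events=5):
    """Buckets whose count exceeds `factor` times the median of all other buckets.

    The median rather than the mean is used so that one huge bucket cannot
    inflate its own baseline; `min_events` stops a 0-to-3 jump from being flagged.
    """
    counts = count_per_bucket(events)
    spikes = {}
    for bucket, n in counts.items():
        others = [c for k, c in counts.items() if k != bucket] or [0]
        base = median(others)
        if n >= min_events and n > factor * max(base, 1):
            spikes[bucket] = n
    return spikes


def spike_attribution(events, bucket, top=3):
    """Top users and source IPs inside a spike: one IP hitting many accounts looks
    very different from a start-of-day wave of distinct users on distinct IPs."""
    inside = [e for e in events if bucket_of(e["CreatedAt"]) == bucket]
    return {
        "users": Counter(e["Email"] for e in inside).most_common(top),
        "ips": Counter(e["IPAddress"] for e in inside).most_common(top),
    }


def build_sample_events():
    """Constructed data: a steady trickle, then a burst from one IP against many accounts."""
    events = []
    for i in range(12):            # one hour of baseline: two logins per five-minute bucket
        for j in range(2):
            minute = i * 5 + j
            events.append({
                "CreatedAt": f"2024-05-01T08:{minute:02d}:00Z",
                "Email": f"user{j}@example.com",
                "IPAddress": f"203.0.113.{j + 1}",
            })
    for k in range(20):            # the spike: 20 logins in one bucket from a single IP
        events.append({
            "CreatedAt": f"2024-05-01T09:00:{k:02d}Z",
            "Email": f"target{k}@example.com",
            "IPAddress": "198.51.100.200",
        })
    return events


if __name__ == "__main__":
    evts = build_sample_events()
    for b, n in find_spikes(evts).items():
        print(datetime.fromtimestamp(b, tz=timezone.utc), n, spike_attribution(evts, b))
```

In the constructed data the flagged bucket has twenty distinct accounts from one source IP, which is the pattern to escalate; a spike made of many users on their usual IPs is more likely a deployment or a session-timeout expiry that forced everyone to re-authenticate.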


---

---
title: AI security
description: Reference information for AI security in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# AI security

The AI security report dashboard summarizes your organization's AI usage and potential security risks.

To view the AI security report dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Go to **Dashboards**.
3. Select **AI security report**.

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## Prerequisites

To populate the AI security report dashboard, you must have:

* [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) enabled to inspect outbound HTTP and DNS traffic.
* User traffic to SaaS AI applications (for example, ChatGPT or Gemini) sent through Cloudflare Gateway.
* [Model Context Protocol (MCP) servers](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/) behind [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) policies.

## Available insights

The AI security report dashboard includes the following panels and metrics:

* [Top 5 visited AI applications by user count](#top-5-visited-ai-applications-by-user-count)
* [Statuses applied to AI applications by application count](#statuses-applied-to-ai-applications-by-application-count)
* [Data uploaded to Artificial Intelligence applications by status](#data-uploaded-to-artificial-intelligence-applications-by-status)
* [MCP servers behind Access over time](#mcp-servers-behind-access-over-time)
* [Access login events to MCP servers](#access-login-events-to-mcp-servers)

### Top 5 visited AI applications by user count

Displays the most accessed AI tools in your organization and the number of users visiting each application in a time-series graph.  
Each bar represents user activity for a specific AI application (for example, ChatGPT or Gemini) over time.

Use this chart to monitor adoption trends and detect new or unauthorized AI tools being accessed.

### Statuses applied to AI applications by application count

Reports the total number of AI applications identified and their review statuses.  
Statuses include:

* Unreviewed — Applications not yet evaluated by administrators.
* In Review — Applications currently under review for approval.
* Unapproved — Applications that are restricted or blocked.
* Approved — Applications explicitly permitted for organizational use.

### Data uploaded to Artificial Intelligence applications by status

Reports the amount of data transferred to AI tools, broken down by review status (Unreviewed, In Review, Unapproved, Approved).  
Use this report to understand whether sensitive data is being sent to unapproved or unreviewed AI applications.
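The two panels above combine an application inventory (which AI apps exist and what review status each has) with upload volume from Gateway HTTP traffic. The script below reproduces that join so you can run it against an export and see which users are sending the most data to apps that are not Approved. It is an added example, not Cloudflare code: the log lines are constructed Gateway HTTP records with assumed field names (`Email`, `HTTPHost`, `HTTPMethod`, `ClientRequestBytes`, `Action`), the host-to-status inventory is invented for the example, and the records are assumed to be pre-filtered to AI application traffic.

```python
"""Attribute bytes uploaded to AI applications to their review status.

Added example (not Cloudflare code). Gateway HTTP field names and the review
inventory are assumptions; the log lines are constructed.
"""
import json
from collections import defaultdict

STATUSES = ("Unreviewed", "In Review", "Unapproved", "Approved")

# Assumed review inventory for this example: host -> (application name, status).
# A host that is missing from the inventory is reported as Unreviewed rather than
# silently dropped, so a newly adopted tool shows up instead of disappearing.
AI_APP_INVENTORY = {
    "chat.openai.com": ("ChatGPT", "Approved"),
    "gemini.google.com": ("Gemini", "In Review"),
    "api.example-llm.net": ("ExampleLLM", "Unapproved"),
}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed Gateway HTTP log lines, assumed already filtered to AI application traffic.
SAMPLE_HTTP_LOGS = [
    '{"Datetime":"2024-05-01T10:00:01Z","Email":"alice@example.com","HTTPHost":"chat.openai.com","HTTPMethod":"POST","ClientRequestBytes":5000,"Action":"allow"}',
    '{"Datetime":"2024-05-01T10:00:09Z","Email":"alice@example.com","HTTPHost":"chat.openai.com","HTTPMethod":"GET","ClientRequestBytes":300,"Action":"allow"}',
    '{"Datetime":"2024-05-01T10:02:15Z","Email":"bob@example.com","HTTPHost":"gemini.google.com","HTTPMethod":"POST","ClientRequestBytes":12000,"Action":"allow"}',
    '{"Datetime":"2024-05-01T10:05:40Z","Email":"carol@example.com","HTTPHost":"api.example-llm.net","HTTPMethod":"POST","ClientRequestBytes":250000,"Action":"allow"}',
    '{"Datetime":"2024-05-01T10:06:02Z","Email":"carol@example.com","HTTPHost":"api.example-llm.net","HTTPMethod":"POST","ClientRequestBytes":300000,"Action":"block"}',
    '{"Datetime":"2024-05-01T10:09:30Z","Email":"dave@example.com","HTTPHost":"newtool.ai","HTTPMethod":"PUT","ClientRequestBytes":40000,"Action":"allow"}',
]


def parse_http_lines(lines):
    """Parse NDJSON records, skipping malformed lines."""
    out = []
    for line in lines:
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return out


def classify(host):
    """Application name and review status for a host; unknown hosts are Unreviewed."""
    return AI_APP_INVENTORY.get(host, (host, "Unreviewed"))


def is_upload(record):
    """Only request bodies Gateway allowed reached the application. A blocked POST
    still arrived at the proxy, but it was not delivered, so it is not counted."""
    return record.get("HTTPMethod") in UPLOAD_METHODS and record.get("Action") == "allow"


def upload_bytes_by_status(records):
    """Total delivered request bytes per review status (the panel's breakdown)."""
    totals = {s: 0 for s in STATUSES}
    for r in records:
        if not is_upload(r):
            continue
        _, status = classify(r["HTTPHost"])
        totals[status] += int(r.get("ClientRequestBytes", 0))
    return totals


def risky_uploads(records):
    """(user, app, status, bytes) for uploads to apps that are not Approved,
    largest first: the rows to start a DLP policy review from."""
    per = defaultdict(int)
    for r in records:
        if not is_upload(r):
            continue
        name, status = classify(r["HTTPHost"])
        if status == "Approved":
            continue
        per[(r["Email"], name, status)] += int(r.get("ClientRequestBytes", 0))
    return sorted(((e, n, s, b) for (e, n, s), b in per.items()), key=lambda x: -x[3])


if __name__ == "__main__":
    recs = parse_http_lines(SAMPLE_HTTP_LOGS)
    print(upload_bytes_by_status(recs))
    for row in risky_uploads(recs):
        print(row)
```

Two details matter for reading the real panel the same way: a blocked request's body still left the device (it counts as attempted exfiltration even though it is excluded from delivered bytes here), and an AI host that is not yet in your inventory lands in Unreviewed, which is why that bucket deserves a regular look rather than being treated as noise.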

### MCP servers behind Access over time

Displays the number of Model Context Protocol (MCP) servers protected by [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/) policies over time. Use this panel to verify that newly deployed MCP servers are protected.

### Access login events to MCP servers

Reports the number of login events to MCP servers protected by Access policies. Use this panel to identify unusual login patterns, such as spikes in access from unexpected users.


---

---
title: Application Access Report
description: Reference information for Application Access Report in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Application Access Report

The Application Access Report provides a high-level summary of [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) usage across your organization. This dashboard helps administrators monitor authentication patterns, identity provider usage, and Access configuration metrics. If Access is not configured in your account, the dashboard appears empty.

The Application Access Report is powered by [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/).

To view the Application Access Report dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Go to **Dashboards**.
3. Select **Application Access Report**.

The [Application Access Report](https://developers.cloudflare.com/cloudflare-one/insights/analytics/application-access/) dashboard offers a summary of overall Access activity, while [Access event analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/access/) dashboard provides a view of login events. You can export the Application Access Report to a PDF to share with stakeholders.

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## Prerequisites

To populate the Application Access Report dashboard, you must have:

* At least one [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) configured in your account.
* Users authenticating to these applications through Cloudflare Access.

## Available insights

The Application Access Report dashboard includes the following panels and metrics:

* [Summary of Access activity](#summary-of-access-activity)
* [Access events](#access-events)
* [Access decisions by event count](#access-decisions-by-event-count)
* [Access applications by event count](#access-applications-by-event-count)
* [Access events by type](#access-events-by-type)
* [Top counts of event details](#top-counts-of-event-details)
* [Access admin metrics](#access-admin-metrics)

### Summary of Access activity

The Summary of Access activity section shows a time series of Access login events over a selected period and a summary of login events. You can filter a time period in the upper right corner of the dashboard.

### Access events

Shows a time series of Access login events over a selected period. Each bar represents the number of login events in the x-axis time interval. You can use this graph to review user authentication activity and detect unusual login spikes.

### Access decisions by event count

Displays the total number of Access decisions made, grouped by outcome (for example, **Granted** or **Denied**).

### Access applications by event count

Shows a breakdown of authentication events by application type (for example, **Self-hosted**, **SaaS**, **Private network**, **Infrastructure**, or **MCP Portal**).  
Use this view to determine which application types users most frequently access.

### Access events by type

Categorizes authentication events by method, such as **SSO** or **Login** (direct credential-based authentication).  
This panel helps administrators understand how users are authenticating across applications and identity providers.

### Top counts of event details

Lists the most common Access event attributes, including:

* Application name — Displays the top accessed applications.
* Identity provider — Shows which identity providers (IdPs) were most used.
* Users — Lists top users by number of login events.
* Countries — Displays top countries where users logged in.
* IP addresses — Lists the top source IPs associated with login events.

These insights help administrators identify usage patterns and trends.

### Access admin metrics

Provides a summary of the Access configuration made by administrators in your organization, including:

* Applications configured — Total number of Access-protected applications, broken down by type (for example, Self-hosted, SaaS, RDP, SSH, Private network, and [Cloudflare Dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/)).
* Policies configured — Total number of Access policies, grouped by [policy action](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#actions) (for example, Allow, Block, Bypass, or Service Auth).

This section helps administrators audit their Access setup and verify that expected resources and policies are in place.


---

---
title: Data security analytics
description: Reference information for Data security analytics in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Data security analytics

The Data security analytics dashboard reports security issues and sensitive data found within your SaaS applications, cloud environments, and HTTP traffic. It visualizes security findings and sensitive data detections collected from your Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) policies. If neither DLP nor CASB is configured in your account, the dashboard appears empty.

To view the Data security analytics dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Go to **Dashboards**.
3. Select **Data security analytics**.

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## Prerequisites

To populate this dashboard with partial data, you need at least one of the following:

* At least one HTTP policy that references a [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/).
* At least one SaaS integration enrolled in [CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/).
* At least one Cloud integration enrolled in [CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/).
* At least one SaaS or Cloud integration enrolled in [CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) and a DLP profile applied to it.

## Available insights

The dashboard includes the following panels and metrics:

* [SaaS and Cloud findings by count](https://developers.cloudflare.com/cloudflare-one/insights/analytics/data-analytics/#saas-and-cloud-findings-by-count)
* [Posture findings by Severity](https://developers.cloudflare.com/cloudflare-one/insights/analytics/data-analytics/#posture-findings-by-severity)
* [DLP matches in HTTP requests over time](https://developers.cloudflare.com/cloudflare-one/insights/analytics/data-analytics/#dlp-matches-in-http-requests-over-time)
* Top integrations by posture findings
* Top integrations by content findings
* Top cloud resources by findings
* Top users by DLP policies triggered

### SaaS and Cloud findings by count

The SaaS and Cloud findings by count chart shows a time series view of Posture and Content findings. [Posture findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#posture-findings) are configuration and access issues detected by CASB, such as misconfigurations, unauthorized user activity, and other data security issues. [Content findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#content-findings) are instances of potential data exposure as identified by [DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/).

Each bar represents the total number of findings detected within a given time interval. You can use this view to observe patterns or spikes in findings over time. Hover over any bar to view the exact count of Posture and Content findings for that period.

To review findings in detail, log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Cloud & SaaS findings** \> **Posture Findings** or **Content Findings**.

### Posture findings by Severity

The Posture findings by severity chart displays the distribution of CASB findings based on their [severity levels](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels). Each segment of the circle represents the number of posture issues classified as `Critical`, `High`, `Medium`, or `Low`.

To review findings in detail, log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Cloud & SaaS findings** \> **Posture Findings**.

### DLP matches in HTTP requests over time

The DLP matches in HTTP requests over time chart displays when [DLP policies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/) were triggered by users over a specified period of time.

Unlike the SaaS and Cloud findings by count chart, which shows CASB findings from data at rest (files already stored in your connected SaaS applications), the DLP matches in HTTP requests over time chart shows DLP detections in HTTP traffic — data actively moving through your network.

To review DLP detections in detail, log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Insights** \> **Logs** \> **HTTP request logs**. Use the **DLP profiles** or **DLP match data** filters to view HTTP requests that triggered a DLP policy.

---

---
title: Gateway analytics (DNS, HTTP, network sessions)
description: Reference information for Gateway analytics (DNS, HTTP, network sessions) in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---

# Gateway analytics (DNS, HTTP, network sessions)

Gateway analytics include three separate dashboards:

* HTTP request analytics.
* DNS query analytics.
* Network policy analytics.

To review Gateway analytics:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Go to **Dashboards**.
3. Select your desired dashboard.

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## HTTP request analytics

Your [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) power the HTTP request analytics dashboard. If you are not using Gateway HTTP policies, the dashboard will appear empty.

The HTTP request analytics dashboard helps you identify trends in how your HTTP policies apply over time. By visualizing allowed, [isolated](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) (rendered in a remote browser), and [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) (bypassing TLS decryption) requests, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns.

To review a detailed description of an HTTP request and its associated policy:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Select **Logs**.
3. Select **HTTP request logs**.
4. Use the **Policy** filter to view HTTP requests that triggered a policy or other filters to narrow down your results.

### Provided analytics

* HTTP Requests over time  
   * Time series view of HTTP requests
* Top Actions
* Top Countries
* Top Blocked Users
* Top Bandwidth Consumers
* Top Devices
* Top Source IPs

## DNS query analytics

Your [Gateway DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) power the DNS query analytics dashboard. If you are not using Gateway DNS policies, the dashboard will appear empty.

The DNS query analytics dashboard helps you identify trends in how your DNS policies apply over time. By visualizing allowed, blocked, and overridden (DNS response replaced by a policy-defined address) queries, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns.

To review a detailed description of a DNS query and its associated policy:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Select **Logs**.
3. Select **DNS query logs**.
4. Use the **Policy** filter to view DNS queries that triggered a policy or other filters to narrow down your results.

### Provided analytics

* DNS Queries over time  
   * Time series view of DNS queries
* Top Actions
* Top Countries
* Top Blocked Users
* Top Allowed Users
* Top Blocked Devices

## Network policy analytics

Your [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) power the Network policy analytics dashboard. If you are not using Gateway network policies, the dashboard will appear empty.

The Network policy analytics dashboard helps you identify trends in how your Gateway network policies apply over time. By visualizing allowed, blocked, and overridden (traffic rerouted by a policy-defined rule) sessions, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns.

To review a detailed description of a network session and its associated policy:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Select **Logs**.
3. Select **Network logs**.
4. Use the **Policy** filter to view network sessions that triggered a policy or other filters to narrow down your results.

### Provided analytics

* Network Sessions over time  
   * Time series view of network sessions
* Top Actions
* Top Countries
* Top Blocked Users
* Top Bandwidth Consumers
* Top Devices
* Top Source IPs

## GraphQL queries

You can use the [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/) to query your Gateway Analytics data. Available [datasets](https://developers.cloudflare.com/analytics/graphql-api/features/data-sets/) for Gateway include:

| Dataset                                                 | Description                                                                                                                                                               |
| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| gatewayL4DownstreamSessionsAdaptiveGroups               | Metrics for Gateway network sessions from user devices to the Cloudflare global network.                                                                                  |
| gatewayL4UpstreamSessionsAdaptiveGroups                 | Metrics for Gateway network sessions from the Cloudflare global network to user devices.                                                                                  |
| gatewayL4SessionsAdaptiveGroups                         | Metrics for Gateway network sessions with adaptive sampling.                                                                                                              |
| gatewayL7RequestsAdaptiveGroups                         | Metrics for Gateway HTTP requests with adaptive sampling.                                                                                                                 |
| gatewayResolverQueriesAdaptiveGroups                    | Metrics for Gateway DNS queries with adaptive sampling.                                                                                                                   |
| gatewayResolverByRuleExecutionPerformanceAdaptiveGroups | Time to execute Gateway DNS policies on the Cloudflare global network.                                                                                                    |
| gatewayResolverByCustomResolverGroups                   | Metrics for Gateway DNS queries resolved using custom resolvers.                                                                                                          |
| gatewayResolverByCategoryAdaptiveGroups                 | Metrics for Gateway DNS queries sorted by [domain category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) with adaptive sampling. |

To explore the schema, you can use a GraphQL client such as [GraphiQL ↗](https://github.com/graphql/graphiql/tree/main/packages/graphiql#readme) or [Altair ↗](https://altairgraphql.dev/).

1. [Create an API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/api-token-auth/) with the following permissions:  
| Type    | Item              | Permission |  
| ------- | ----------------- | ---------- |  
| Account | Account Analytics | Read       |
2. In your GraphQL client, [add your API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/graphql-client-headers/) as an Authorization header.
3. Compose a query to access your Gateway Analytics datasets. For example, you can query the `gatewayResolverQueriesAdaptiveGroups` dataset to return the adaptive groups of DNS queries resolved by Gateway:

   ```graphql
   query GatewaySampleQuery($accountTag: string!, $start: Time) {
     viewer {
       accounts(filter: { accountTag: $accountTag }) {
         gatewayResolverQueriesAdaptiveGroups(
           filter: { datetime_gt: $start }
           limit: 10
         ) {
           count
           dimensions {
             queryNameReversed
             resolverDecision
           }
         }
       }
     }
   }
   ```

   [Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBA4gQwC5gO4KgZQQWwA4A2YAiuNABQAkCAxjQPYgB2SAKggOYBcMAzkhACWTDgEIANDEr8EEJD1aCcYAJQwA3gCgYMAG6C0kDdp0xaDZkl7kAZoIIoIPdWbqMW7blPPu2nGAC+alqmphzIaBgASmC89AS6kKSQBrwAggAmCHhIgolwEIx41iahOnYOkM4wWSi5ygD6HPJSMnKBpWUESoItAIwADJ06wcOmFixjOhlKYEy8gvTzxmVloJBQAHK4YDGJELxgGVOmELHx+wAiYDSCC0snAWNPoS8dAUA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgFYRADmQBGAMyZuATky8ALAC0QAXyA)

For more information, refer to [Compose a query in GraphiQL](https://developers.cloudflare.com/analytics/graphql-api/getting-started/compose-graphql-query/).
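As an added example (not Cloudflare's own tooling), the following Python script POSTs the query above to the GraphQL Analytics API with the token as a Bearer header and sums the returned groups per hostname and decision. It assumes the endpoint https://api.cloudflare.com/client/v4/graphql, a token with Account Analytics: Read in `CLOUDFLARE_API_TOKEN`, the account tag in `CLOUDFLARE_ACCOUNT_TAG`, and that `queryNameReversed` holds the hostname with its labels in reverse order; without credentials it runs offline against a constructed sample response.

```python
import json
import os
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

# Endpoint of the GraphQL Analytics API; the token needs Account Analytics: Read.
GRAPHQL_ENDPOINT = "https://api.cloudflare.com/client/v4/graphql"

# The same query shown in the documentation above.
GATEWAY_DNS_QUERY = """
query GatewaySampleQuery($accountTag: string!, $start: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      gatewayResolverQueriesAdaptiveGroups(
        filter: { datetime_gt: $start }
        limit: 10
      ) {
        count
        dimensions {
          queryNameReversed
          resolverDecision
        }
      }
    }
  }
}
"""


def build_request_body(account_tag: str, hours_back: int = 24) -> dict:
    """Build the JSON body a GraphQL client POSTs: the query plus its variables."""
    if hours_back <= 0:
        raise ValueError("hours_back must be positive")
    start = datetime.now(timezone.utc) - timedelta(hours=hours_back)
    return {
        "query": GATEWAY_DNS_QUERY,
        # The Time scalar is passed as an RFC 3339 UTC timestamp.
        "variables": {"accountTag": account_tag, "start": start.strftime("%Y-%m-%dT%H:%M:%SZ")},
    }


def unreverse_query_name(name_reversed: str) -> str:
    """Turn a reversed query name back into a hostname.

    Assumption: queryNameReversed stores "www.example.com" as "com.example.www".
    """
    return ".".join(reversed(name_reversed.split(".")))


def summarise_decisions(response: dict) -> dict:
    """Sum query counts per (hostname, resolverDecision) across the returned groups.

    GraphQL errors (expired token, bad filter) are raised rather than being
    read as "no DNS activity", which is the failure mode to watch for.
    """
    if response.get("errors"):
        detail = "; ".join(e.get("message", "unknown error") for e in response["errors"])
        raise RuntimeError(f"GraphQL errors: {detail}")
    totals: Counter = Counter()
    for account in response["data"]["viewer"]["accounts"]:
        for group in account["gatewayResolverQueriesAdaptiveGroups"]:
            dims = group["dimensions"]
            key = (unreverse_query_name(dims["queryNameReversed"]), dims["resolverDecision"])
            totals[key] += group["count"]
    return dict(totals)


def fetch(account_tag: str, token: str, hours_back: int = 24) -> dict:
    """POST the query with the API token as a Bearer Authorization header."""
    body = json.dumps(build_request_body(account_tag, hours_back)).encode()
    req = urllib.request.Request(
        GRAPHQL_ENDPOINT,
        data=body,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response in the shape the dataset returns. The
# resolverDecision values are placeholders, not real enum values.
SAMPLE_RESPONSE = {
    "data": {"viewer": {"accounts": [{"gatewayResolverQueriesAdaptiveGroups": [
        {"count": 12, "dimensions": {"queryNameReversed": "com.example.www", "resolverDecision": "DECISION_A"}},
        {"count": 3, "dimensions": {"queryNameReversed": "com.example.www", "resolverDecision": "DECISION_B"}},
        {"count": 7, "dimensions": {"queryNameReversed": "org.example", "resolverDecision": "DECISION_A"}},
    ]}]}}
}

if __name__ == "__main__":
    token = os.environ.get("CLOUDFLARE_API_TOKEN")
    account = os.environ.get("CLOUDFLARE_ACCOUNT_TAG")
    # Without credentials, run offline against the constructed sample.
    result = fetch(account, token) if token and account else SAMPLE_RESPONSE
    for (host, decision), count in sorted(summarise_decisions(result).items()):
        print(f"{host:30} {decision:12} {count}")
```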

---

---
title: Network session analytics
description: Reference information for Network session analytics in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---

# Network session analytics

The Network session analytics dashboard provides visibility into your Cloudflare One traffic patterns. This dashboard helps you understand how traffic flows through your network, including on-ramps (how traffic enters Cloudflare, such as the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), [proxy endpoints (PAC files)](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/), [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), or Cloudflare Tunnel) and off-ramps (how traffic exits Cloudflare, such as the public Internet or a [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)).

The dashboard is based on the [Zero Trust network sessions Logpush dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/). For definitions on any field, refer to the dataset schema documentation.

To review Network session analytics:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Dashboards**.
2. Select **Network session analytics**.

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## Use cases

The Network session analytics dashboard helps you:

* **Understand traffic patterns**: Visualize how traffic flows through your network infrastructure.
* **Monitor bandwidth usage**: Track upload, download, and total bytes transferred across your network.
* **Identify connection issues**: Analyze connection close reasons to troubleshoot network problems.
* **Track user and device activity**: Monitor unique users and devices accessing your network.

## Provided analytics

### Summary metrics

* **Session count**: Total number of network sessions. Each session represents an individual TCP, UDP, ICMP, or ICMPv6 flow that passes through Gateway.
* **Bytes total**: Total bytes transferred (upload + download)
* **Unique users**: Number of distinct users

### Traffic by location

* **World map**: Geographic visualization of network traffic by the Cloudflare data center where traffic entered the network (ingress) and where it exited (egress)
* **Location list**: Top Cloudflare data center locations by ingress and egress session count with accompanying graph
* **Change**: Shows the total change across ingress and egress for each location

### Top analytics

* **Top protocols**: Most used network protocols (TCP, UDP, ICMP, ICMPv6)
* **Top connection close reasons**: Common reasons for session termination:  
   * Client closed  
   * Origin closed  
   * Client idle timeout  
   * Client error  
   * Unknown  
   * Client TLS error  
   * Origin unreachable  
   * Too many new sessions for user  
   * Origin TLS error  
   * Origin unroutable

For the full list of reasons for session termination, refer to [ConnectionCloseReason](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/#connectionclosereason).

## Related resources

* [Zero Trust network sessions Logpush dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/): View detailed logs for individual network sessions.
* [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/): Configure policies that apply to network traffic.

---

---
title: Shadow IT SaaS analytics
description: Reference information for Shadow IT SaaS analytics in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---

# Shadow IT SaaS analytics

Shadow IT SaaS analytics provides visibility into the SaaS applications your users are visiting. The dashboard aggregates data from Gateway HTTP traffic to track application usage across your organization. This information allows you to create identity and device-driven Cloudflare One policies to secure your users and data.

To access Shadow IT SaaS analytics:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Go to **Dashboards**.
3. Select **Shadow IT: SaaS analytics**.

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## Prerequisites

To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/).

## Use Shadow IT SaaS analytics

### 1\. Review applications

The first step in using the Shadow IT SaaS analytics dashboard is to review applications in the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/). The App Library synchronizes application review statuses with approval statuses from the Shadow IT Discovery SaaS analytics dashboard.

To organize applications by their approval status for your organization, you can mark them as **Unreviewed** (default), **In review**, **Approved**, or **Unapproved**.

| Status     | API value  | Description                                                                                            |
| ---------- | ---------- | ------------------------------------------------------------------------------------------------------ |
| Approved   | approved   | Applications that have been marked as sanctioned by your organization.                                 |
| Unapproved | unapproved | Applications that have been marked as unsanctioned by your organization.                               |
| In review  | in review  | Applications in the process of being reviewed by your organization.                                    |
| Unreviewed | unreviewed | Unknown applications that are neither sanctioned nor being reviewed by your organization at this time. |

To set the status of an application:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Applications**.
2. Locate the card for the application.
3. In the three-dot menu, select the option to mark your desired status.

Once you mark the status of an application, its badge will change. You can filter applications by their status to review each application in the list for your organization. The review status for an application in the App Library and Shadow IT Discovery will update within one hour.

Note

Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/). To filter traffic based on approval status, use the [_Application Status_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#application-approval-status) selector.

### 2\. Monitor usage

Review the Shadow IT SaaS analytics dashboard for application usage. Filter the view based on:

| Field            | Description                                                                                                                                        |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| Application      | SaaS application's name and logo.                                                                                                                  |
| Application type | [Application type](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/#app-types) assigned by Cloudflare One. |
| Status           | Application's approval status.                                                                                                                     |
| Secured          | Whether the application is currently secured behind Cloudflare Access.                                                                             |
| Users            | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page.                       |

To manage application statuses in bulk, select **Set Application Statuses** to review applications your users commonly visit and update their approval statuses.

### 3\. Create policies

After marking applications, you can create [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) based on application review status. For example, you can create policies that:

* Launch all **Unreviewed** and **In review** applications in an [isolated browser](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/common-policies/#1-isolate-unreviewed-or-in-review-applications).
* [Block access](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/common-policies/#2-block-unapproved-applications) to all **Unapproved** applications.
* Limit file upload capabilities for specific application statuses.

To create an HTTP status policy directly from Shadow IT Discovery:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights**.
2. Select **Dashboards** \> **Shadow IT: SaaS analytics**.
3. Select **Set application statuses**.
4. Select **Manage HTTP status policies**, then choose an application status and select **Create policy**.

## Available insights

The Shadow IT SaaS analytics dashboard includes several insights to help you monitor and manage SaaS application usage.

* **Number of applications by status**: A breakdown of how many applications have been categorized into each [approval status](#1-review-applications). The list of applications is available in the [App Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/).
* **Data uploaded per application status**: A time-series graph showing the amount of data uploaded to applications in the given status.
* **Data downloaded per application status**: A time-series graph showing the amount of data downloaded from applications in the given status.
* **User count per application status**: A time-series graph showing the number of unique users who have interacted with at least one application in a given status. A single user can appear in multiple status categories if they access applications with different statuses. For example, a user who accesses both an **Approved** application and an **Unapproved** application will be counted in both status categories.
* **Top-N metrics**: A collection of metrics providing insights into top applications, users, devices, and countries.

### Understanding user counts

The user count chart displays unique users in two ways:

* **Time-series bars**: Show unique users per time interval (for example, per hour or per day). The same user can appear in multiple time intervals if they were active during those periods.
* **Legend totals**: Show unique users across the entire selected time range, deduplicated. Each user is counted only once per status, regardless of how many time intervals they appeared in.

For example, if User A accesses an Approved application every hour for three hours, they will appear in each hourly bar but will only be counted once in the legend total.
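The counting rules above, worked through on constructed access records as an added example (not Cloudflare's code): it covers the per-interval bars, the deduplicated legend totals, and the case from the list of insights where one user counts toward two statuses.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access records: (user, application, approval status, UTC timestamp).
# user-a reaches an Approved app once an hour for three hours, as in the text,
# and also touches an Unapproved app once, so she falls into two status categories.
RECORDS = [
    ("user-a", "crm.example", "approved", datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc)),
    ("user-a", "crm.example", "approved", datetime(2024, 5, 1, 10, 12, tzinfo=timezone.utc)),
    ("user-a", "crm.example", "approved", datetime(2024, 5, 1, 11, 40, tzinfo=timezone.utc)),
    ("user-a", "paste.example", "unapproved", datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)),
    ("user-b", "crm.example", "approved", datetime(2024, 5, 1, 10, 55, tzinfo=timezone.utc)),
    ("user-c", "chat.example", "in review", datetime(2024, 5, 1, 11, 2, tzinfo=timezone.utc)),
]


def hour_bucket(ts: datetime) -> str:
    """Label of the hourly interval a timestamp falls in, e.g. 2024-05-01T10:00Z."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:00Z")


def time_series_user_counts(records) -> dict:
    """Unique users per (hour, status): the bars. A user active in three hours is in three bars."""
    users = defaultdict(set)
    for user, _app, status, ts in records:
        users[(hour_bucket(ts), status)].add(user)
    return {key: len(members) for key, members in users.items()}


def legend_user_counts(records) -> dict:
    """Unique users per status over the whole range: the legend totals, deduplicated."""
    users = defaultdict(set)
    for user, _app, status, _ts in records:
        users[status].add(user)
    return {status: len(members) for status, members in users.items()}


def bars_containing_user(records, user: str, status: str) -> int:
    """How many hourly bars of a given status a given user appears in."""
    return len({hour_bucket(ts) for u, _app, s, ts in records if u == user and s == status})


def distinct_users(records) -> int:
    """Distinct users overall; smaller than the sum of legend totals when users span statuses."""
    return len({user for user, _app, _status, _ts in records})


if __name__ == "__main__":
    for (hour, status), n in sorted(time_series_user_counts(RECORDS).items()):
        print(f"{hour} {status:11} {n}")
    print("legend totals:", legend_user_counts(RECORDS))
    print("user-a approved bars:", bars_containing_user(RECORDS, "user-a", "approved"))
    print("distinct users:", distinct_users(RECORDS))
```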

---

---
title: Digital experience
description: Digital experience resources and guides for Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---

# Digital experience

Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Zero Trust organization.

With DEX, you can monitor the state of your [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) deployment and resolve issues impacting end-user productivity. DEX is designed for IT and security teams who need to proactively monitor and troubleshoot device and network health across distributed environments. DEX is available on all Cloudflare Zero Trust and SASE plans.

DEX is compatible with Cloudflare's [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/) (CMB) for the EU (European Union). When CMB is configured for the EU, customer logs are stored exclusively in the EU region.

Refer to [Insights overview](https://developers.cloudflare.com/cloudflare-one/insights/) to learn how to use Analytics dashboards together with [Analytics Overview](https://developers.cloudflare.com/cloudflare-one/insights/analytics-overview/) and [Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) for complete visibility and troubleshooting.

## When a user reports a problem

If a user reports that “the connection is not working” or “performance is slow,” DEX allows you to:

* Use [device monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/) to check device health and endpoint connectivity.
* Test network health and application responsiveness with [synthetic tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) — automated connectivity checks that run periodically from user devices.
* Identify whether problems originate from the device (such as [issues with the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/)), the network, or Cloudflare.

## Troubleshooting other Cloudflare One features

Use DEX to troubleshoot other Cloudflare One features:

* Test connectivity to a [SaaS application secured with Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/).
* Verify that a website routed through [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) is reachable from user devices.
* Confirm that users can successfully reach internal resources after configuring a [Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).

### Get started

To start using DEX for device, network, and application monitoring:

1. [Create a Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization).
2. [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) and sign in to register your device to the organization.
3. Create [tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) to verify device connectivity to applications and networks.
4. [Monitor](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/) device and network health across your fleet using real-time and historical metrics.
5. Use [diagnostics](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/) to run speed tests and collect remote captures from user devices.
6. Set up [notifications](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/) to get alerts when degraded connectivity or application performance is detected.

### Troubleshooting

For help resolving common issues with Digital Experience Monitoring, refer to [Troubleshoot Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/troubleshooting/).

### Directory

Review all available documentation for DEX capabilities.

* [ Device monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/)
* [ Synthetic tests ](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/)
* [ Rules ](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/)
* [ Diagnostics ](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/)
* [ Notifications ](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/)
* [ IP visibility ](https://developers.cloudflare.com/cloudflare-one/insights/dex/ip-visibility/)
* [ DEX MCP server ](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/)
* [ Troubleshoot Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/troubleshooting/)
* [ MCP server ](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/dex-analysis)


---

---
title: DEX MCP server
description: Reference information for DEX MCP server in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# DEX MCP server

The [Model Context Protocol (MCP) ↗](https://cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) server for Digital Experience Monitoring (DEX) is an AI tool that lets customers ask a question such as "Show me the connectivity and performance metrics for the device used by carly@acme.com" and receive an answer built from data returned by the DEX API.

Any Cloudflare One customer using a Free, Pay-as-you-go, or Enterprise account can access the DEX MCP server.

There are two primary options for connecting to the DEX MCP server:

* [In Cloudflare's AI Playground](#cloudflare-ai-playground)
* [With your preferred AI assistant](#ai-assistant)

## Cloudflare AI Playground

Cloudflare's AI Playground allows you to quickly try out the DEX MCP server.

You can test the DEX MCP server in less than one minute by visiting the AI Playground's website.

1. Copy the URL for the DEX MCP server: `https://dex.mcp.cloudflare.com/mcp`.
2. Open [playground.ai.cloudflare.com ↗](https://playground.ai.cloudflare.com) in a browser.
3. Find the section in the left sidebar titled **MCP Servers**.
4. Paste the URL for the DEX MCP server into the URL input box and select **Connect**.
5. Authenticate your Cloudflare account, and then start asking questions about your DEX data.

Note

You need to ask specific and explicit questions to get a response. For example, first you need to provide the following instruction: "Set XYZ as the active account". Then, you can ask a specific question: "Fetch the DEX test results for the user bob@acme.com over the past 24 hours".

## AI Assistant

You can get a more flexible and robust experience by configuring the DEX MCP server with your preferred AI assistant (for example, Claude, Gemini, or ChatGPT).

If you have any issues during the configuration process, you can ask your AI assistant for help with configuring an MCP server via URL.

### Claude

You need a Claude Pro account (or higher subscription) to configure an MCP server.

1. Download the [Claude desktop client ↗](https://claude.ai/download).
2. Open the Claude desktop client, and log in or set up an account.
3. Expand the left sidebar menu, and select **Claude Code**.
4. Under **Desktop app**, select **Developer** to show the **Local MCP servers** page.
5. Select **Edit Config** and open the `claude_desktop_config.json` file in a text editor of your choice.
6. Copy the JSON configuration for the DEX MCP server and paste it into `claude_desktop_config.json`. Save the file.
   ```json
   {
     "globalShortcut": "",
     "mcpServers": {
       "cloudflare-dex-analysis": {
         "command": "npx",
         "args": ["mcp-remote", "https://dex.mcp.cloudflare.com/mcp"]
       }
     }
   }
   ```
7. Fully close Claude by using the task manager to stop any background processes related to Claude.
8. Open Claude, and your DEX MCP server configuration should appear on the **Local MCP servers** page.
9. Authenticate your Cloudflare account and allow the DEX MCP server.
10. You can start asking Claude questions about DEX. As a simple test, you can ask "Are you connected to the DEX MCP server".

### Gemini CLI

All tiers of Google AI (Free, Pro, and Ultra) offer MCP server integration through the Gemini CLI.

You will need a terminal of your choice and either npm or Homebrew to install and run the Gemini CLI.

1. Visit the GitHub page for the [Gemini CLI ↗](https://github.com/google-gemini/gemini-cli) and follow the installation instructions.
2. Navigate to the `settings.json` file for your Gemini CLI install and open it in a text editor of your choice.  
File path for the `settings.json` file  
   * Windows: `%USERPROFILE%\.gemini\settings.json`  
   * Mac and Linux: `~/.gemini/settings.json`
3. Copy the JSON configuration for the DEX MCP server and paste it into `settings.json`. Save the file.
   ```json
   {
     "globalShortcut": "",
     "mcpServers": {
       "cloudflare-dex-analysis": {
         "command": "npx",
         "args": ["mcp-remote", "https://dex.mcp.cloudflare.com/mcp"]
       }
     }
   }
   ```
4. Run Gemini in your CLI of choice.
5. If everything is working as expected, the Gemini CLI will show the following message:  
`Using: 1 MCP server (ctrl+t to view)`
6. Authenticate the email associated with your Cloudflare account in the Gemini CLI.
7. You can start asking the Gemini CLI questions about DEX. As a simple test, you can ask "Are you connected to the DEX MCP server".

### ChatGPT

You need a ChatGPT Pro or Business account to configure an MCP server. ChatGPT Free and Plus do not support MCP servers.

1. Download the [ChatGPT desktop app ↗](https://chatgpt.com/features/desktop).
2. Open the ChatGPT desktop app, and log in or set up an account.
3. Open the **Settings** menu and select **Connectors**.
4. Select the option to create a new Connector.
5. Provide a **Name** (like `DEX MCP`), **Description** (optional), and **MCP Server URL** for the Connector. The DEX MCP Server URL is: `https://dex.mcp.cloudflare.com/mcp`.
6. Create the new Connector.
7. Before you ask ChatGPT a question about DEX, select the **+** (plus) button next to the ChatGPT prompt box.
8. Select **Use Connectors** \> **Add Sources**, then select the DEX MCP as a source.
9. You can start asking ChatGPT questions about DEX. As a simple test, you can ask "Are you connected to the DEX MCP server".


---

---
title: Diagnostics
description: Diagnostics tools for collecting captures, running speed tests, and troubleshooting device connectivity in Digital Experience Monitoring.
image: https://developers.cloudflare.com/zt-preview.png
---


# Diagnostics

Diagnostics tools allow administrators to remotely investigate device connectivity and network performance issues. Use remote captures to collect packet captures and diagnostic logs from end-user devices, or run speed tests to measure network throughput and latency from the Cloudflare One client.

To access diagnostics, go to the [Cloudflare One dashboard ↗](https://dash.cloudflare.com/one) and select **Insights** \> **Digital experience** \> **Diagnostics**.

* [ Client packet capture ](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/)
* [ Speed test ](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/speed-test/)


---

---
title: Client packet capture
description: Feature documentation for Cloudflare One client packet captures.
image: https://developers.cloudflare.com/zt-preview.png
---


# Client packet capture

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
| Traffic and DNS mode, Traffic only mode                                                                                            | All plans                                                       |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2024.12.492.0          |
| macOS    | ✅            | 2024.12.492.0          |
| Linux    | ✅            | 2024.12.492.0          |
| iOS      | ❌            |                        |
| Android  | ❌            |                        |
| ChromeOS | ❌            |                        |

Remote captures allow administrators to collect packet captures (PCAPs) and Cloudflare One Client diagnostic logs directly from end user devices. A packet capture is a recording of network traffic at the packet level. This data can be used to troubleshoot network problems, investigate security incidents, and identify performance bottlenecks.

## Start a remote capture

Devices must be actively connected to the Internet for remote captures to run.

To capture data from a remote device:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**.
2. Select up to 10 devices that you want to run a capture on. Devices must be [registered](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) in your Zero Trust organization.
3. Configure the types of captures to run.  
   * **Packet captures (PCAP)**: Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel ([virtual interface](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#ip-traffic)).  
   * **Device diagnostic logs**: Generates a [Cloudflare One Client diagnostic log](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) of the past 96 hours. To include a routing test for all IPs and domains in your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/), select **Test all routes**.  
   Note  
   **Test all routes** will extend the time for diagnostics to run and may temporarily impact device performance during the test.
4. Select **Run diagnostics**.

DEX will now send capture requests to the configured devices. If the Cloudflare One Client is disconnected, the capture will time out after 10 minutes.

## Check remote capture status

To view a list of captures, go to **Insights** \> **Digital experience** \> **Diagnostics**. The **Status** column displays one of the following options:

* **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#download-remote-captures) to determine which PCAPs succeeded or failed.
* **Running**: The capture is in progress on the device.
* **Pending Upload**: The capture is complete but not yet ready for download.
* **Failed**: The capture has either timed out or encountered an error. To retry the capture, check the Cloudflare One Client version and [connectivity status](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status), then start a [new capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#start-a-remote-capture).

## Download remote captures

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**.
2. Find a successful capture.
3. Select the three-dot menu and select **Download**.

This will download a ZIP file to your local machine called `<capture-id>.zip`. DEX will store capture data according to our [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention).

### Device PCAP contents

The downloaded PCAP folder contains three files:

* `capture-default.pcap`: Packet captures for the primary network interface.
* `capture-tunnel.pcap`: Packet captures for traffic inside of the WARP tunnel.
* `results.json`: Reports successful and failed packet captures.

You can analyze `.pcap` files using Wireshark or another third-party packet capture tool.

### Diagnostic log files

Refer to [Cloudflare One Client diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) for a description of each file.

## Diagnostics analyzer (beta)

The diagnostics analyzer highlights what Cloudflare determines to be the most important detection events in a `warp-diag` log. You can use the detection report to help parse your [log files](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) and identify the root cause of client issues. The diagnostics analyzer is only available for logs [collected via the dashboard](#collect-logs-via-the-dashboard).

To access the diagnostics analyzer:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**.
2. Locate an existing `warp-diag` log from the list or select **Run diagnostics** to generate a new `warp-diag` log.
3. Select the three dots for the `warp-diag` log that you want to analyze, then select **View Device Diag**.  
The **Overview** tab will display an [AI-generated summary](https://developers.cloudflare.com/fundamentals/reference/cloudy-ai-agent/) of the results, a list of detection events, and basic device information.  
Explanation of the fields  
| Field                         | Description                                                                                                                                                                                                                                                                                               |  
| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |  
| Detection type                | A common Cloudflare One Client issue that can appear in the diagnostic logs.                                                                                                                                                                                                                              |  
| Occurrences                   | Number of times an issue was detected in the logs.                                                                                                                                                                                                                                                        |  
| Severity level                | Indicates the impact of the issue on Cloudflare One Client functionality. The severity levels are: **Critical**: Issue causes complete loss of functionality. **Warning**: Issue causes degraded functionality but core features should still work. **No detection**: Issue was not detected in the logs. |  
| Operating system              | OS and OS version of the device.                                                                                                                                                                                                                                                                          |  
| Cloudflare One Client version | [Cloudflare One Client release version](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/)                                                                                                                                                      |  
| Profile ID                    | [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) UUID                                                                                                                                                       |  
| Service mode                  | [Client mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/)                                                                                                                                                                         |  
| Configuration name            | Name of the [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/) that the Cloudflare One Client is connected to.                                                                  |  
| Device ID                     | ID generated by the Cloudflare One Client.                                                                                                                                                                                                                                                                |
4. Select a detection type for more information about the event and recommended next steps.

Cloudflare DEX will store the `warp-diag` log and its detection report per our [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention). To save a copy onto your local machine, [download the log file](#download-remote-captures) and go to the **JSON file** tab to copy the report in JSON format.

## Limitations

* Packet captures are subject to the following limits:  
| Limit Type  | Maximum Value |  
| ----------- | ------------- |  
| Time limit  | 600 seconds   |  
| File size   | 50 MB         |  
| Packet size | 1500 bytes    |
* Cloudflare One Client diagnostic logs have no file size limit, but files larger than 100 MB cannot be uploaded to Cloudflare and must be shared directly with the admin.
* Windows devices do not support concurrent remote captures. If you start a remote capture while another is in progress, the second capture will fail immediately.
* PCAPs will fail on Windows if another third-party packet capture tool (such as Packet Monitor, `pktmon`) is running.
* On Windows, packet captures may fail on devices configured with a non-English language due to limitations with the underlying `PktMon` tool.
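The downloaded `capture-default.pcap` and `capture-tunnel.pcap` files are classic libpcap files, so the limits above can be checked before a capture is opened in Wireshark. The following is an added example, not Cloudflare's code: it parses the pcap global header and per-packet record headers directly, reports the capture duration, the largest frame seen on the wire, and how many records were stored shorter than their wire length (which is how the 1500-byte packet size limit shows up in a file), and compares the results with the documented limits. The sample capture is constructed inline with the `build_pcap` helper; the `results.json` layout is not assumed.

```python
"""Check a Cloudflare One client PCAP against the documented capture limits.

Added example (not Cloudflare's code). Parses the classic libpcap format
(24-byte global header, 16-byte per-record header) so it runs offline.
"""
import io
import struct

MAX_FILE_BYTES = 50 * 1024 * 1024   # documented file size limit: 50 MB
MAX_DURATION_S = 600.0              # documented time limit: 600 seconds
MAX_PACKET_BYTES = 1500             # documented packet size limit: 1500 bytes

_MAGIC_US = 0xA1B2C3D4  # microsecond timestamps
_MAGIC_NS = 0xA1B23C4D  # nanosecond timestamps
_GLOBAL_HDR = 24
_RECORD_HDR = 16


def parse_pcap(data: bytes) -> dict:
    """Walk a classic pcap byte string and return summary statistics.

    Handles both byte orders and both timestamp resolutions, and raises
    ValueError on a truncated file so a corrupt capture is reported rather
    than silently summarised.
    """
    if len(data) < _GLOBAL_HDR:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (_MAGIC_US, _MAGIC_NS):
            break
    else:
        raise ValueError("not a classic pcap file")
    ts_div = 1_000_000_000 if magic == _MAGIC_NS else 1_000_000
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:_GLOBAL_HDR])

    packets = truncated = max_wire_len = 0
    first_ts = last_ts = None
    off = _GLOBAL_HDR
    while off < len(data):
        if off + _RECORD_HDR > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + _RECORD_HDR])
        off += _RECORD_HDR
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        off += incl_len
        ts = ts_sec + ts_frac / ts_div
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        packets += 1
        max_wire_len = max(max_wire_len, orig_len)
        if incl_len < orig_len:   # stored shorter than it was on the wire
            truncated += 1
    duration = 0.0 if first_ts is None else last_ts - first_ts
    return {"packets": packets, "duration_s": duration,
            "max_wire_len": max_wire_len, "truncated_packets": truncated,
            "snaplen": snaplen, "linktype": linktype, "file_bytes": len(data)}


def check_limits(data: bytes) -> list:
    """Return human-readable findings for each documented limit the file hit."""
    s = parse_pcap(data)
    findings = []
    if s["file_bytes"] > MAX_FILE_BYTES:
        findings.append("file size above 50 MB limit")
    if s["duration_s"] > MAX_DURATION_S:
        findings.append("capture longer than 600 second limit")
    if s["truncated_packets"]:
        findings.append(f"{s['truncated_packets']} packet(s) recorded shorter "
                        f"than their wire length (snaplen {s['snaplen']})")
    return findings


def build_pcap(records, snaplen: int = MAX_PACKET_BYTES) -> bytes:
    """Build a little-endian, microsecond pcap from (timestamp_s, wire_len)
    tuples. Constructed test data only; payloads are zero-filled."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", _MAGIC_US, 2, 4, 0, 0, snaplen, 1))  # 1 = Ethernet
    for ts, wire_len in records:
        incl = min(wire_len, snaplen)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.write(struct.pack("<IIII", sec, usec, incl, wire_len))
        out.write(b"\x00" * incl)
    return out.getvalue()


# Constructed sample: three frames over two seconds, one 3000-byte frame that
# the 1500-byte snaplen cuts short.
SAMPLE = build_pcap([(0.0, 74), (1.5, 1500), (2.0, 3000)])

if __name__ == "__main__":
    print(parse_pcap(SAMPLE))
    print(check_limits(SAMPLE))
```

Point the checker at a real `capture-default.pcap` by reading the file into `check_limits`; a non-empty result explains why a capture looks shorter or smaller than expected before you open it in Wireshark.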


---

---
title: Speed test
description: Run speed tests from the Cloudflare One client to measure network throughput, latency, and quality scores for end user devices.
image: https://developers.cloudflare.com/zt-preview.png
---


# Speed test

Speed tests allow administrators to remotely measure network performance from end-user devices running the [Cloudflare One client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). Each test runs from the client to Cloudflare's network edge and reports metrics for internet speed, latency, and network quality.

Speed tests help IT teams:

* Objectively measure network performance with the Cloudflare One client turned on.
* Identify performance bottlenecks affecting specific users, devices, or locations.
* Respond to user reports of slow connectivity with concrete data.

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
| Traffic and DNS mode, Traffic only mode                                                                                            | All Cloudflare One plans                                        |

Supported operating systems:

| System   | Support |
| -------- | ------- |
| Windows  | ✅       |
| macOS    | ✅       |
| Linux    | ✅       |
| iOS      | ❌       |
| Android  | ❌       |
| ChromeOS | ❌       |

To run a speed test from a device:

1. In [Zero Trust ↗](https://dash.cloudflare.com/one), go to **Insights** \> **Digital experience** \> **Diagnostics**.
2. Select **Run diagnostics**.
3. Search for a device by user email, device name, or device ID.
4. Select the device, then select **Device speed test**.

The test runs in the background on the selected device. Results appear in the diagnostics view once the test completes.

## Speed test metrics

Each speed test reports the following metrics:

### Internet speed

| Metric              | Description                                                                                        |
| ------------------- | -------------------------------------------------------------------------------------------------- |
| Download throughput | The rate at which data is received by the device from Cloudflare's network edge, measured in Mbps. |
| Upload throughput   | The rate at which data is sent from the device to Cloudflare's network edge, measured in Mbps.     |

### Latency

| Metric           | Description                                                                                                                                 |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| Download latency | The round-trip time measured during an active download, reflecting latency under load.                                                      |
| Upload latency   | The round-trip time measured during an active upload, reflecting latency under load.                                                        |
| Unloaded latency | The baseline round-trip time measured when no significant data transfer is occurring. This reflects the inherent latency of the connection. |
| Jitter           | The variation in latency over time. High jitter can cause inconsistent performance in real-time applications.                               |

### Network quality score

Network quality scores estimate the end-user experience for common application types based on the measured speed and latency values.

| Score           | Description                                                                                             |
| --------------- | ------------------------------------------------------------------------------------------------------- |
| Video streaming | Estimates the connection quality for video streaming applications based on throughput and latency.      |
| Web chat / RTC  | Estimates the connection quality for real-time communication applications such as video calls and VoIP. |
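The latency table above distinguishes unloaded latency from latency measured during a download or upload, and lists jitter as the variation over time. The following added example, which is not Cloudflare's client code, shows how those figures are derived from raw round-trip-time samples: it assumes the client records RTT samples (in milliseconds) while idle, during the download phase and during the upload phase, together with the bytes moved in each phase. The reductions used (median for latency, mean absolute difference between consecutive samples for jitter) are one reasonable choice, not the client's published method, and the samples are constructed.

```python
"""Reduce raw speed-test samples to throughput, latency and jitter figures.

Added example, not Cloudflare's client code. Field names, the sample data and
the choice of statistics are assumptions made for illustration.
"""
from statistics import mean, median


def throughput_mbps(transferred_bytes: int, seconds: float) -> float:
    """Bytes moved during a phase, expressed in megabits per second."""
    return transferred_bytes * 8 / seconds / 1_000_000


def jitter_ms(rtts: list) -> float:
    """Variation in latency: mean absolute difference between consecutive
    RTT samples. Real-time apps suffer when this is high even if the median
    RTT looks fine."""
    if len(rtts) < 2:
        return 0.0
    return mean(abs(nxt - cur) for cur, nxt in zip(rtts, rtts[1:]))


def summarize(idle_rtts, download_rtts, upload_rtts,
              download_bytes, download_secs, upload_bytes, upload_secs) -> dict:
    """Turn per-phase samples into the metrics an administrator reads."""
    unloaded = median(idle_rtts)          # baseline, no significant transfer
    dl_latency = median(download_rtts)    # RTT while the link is busy downloading
    ul_latency = median(upload_rtts)      # RTT while the link is busy uploading
    return {
        "download_mbps": round(throughput_mbps(download_bytes, download_secs), 1),
        "upload_mbps": round(throughput_mbps(upload_bytes, upload_secs), 1),
        "unloaded_latency_ms": unloaded,
        "download_latency_ms": dl_latency,
        "upload_latency_ms": ul_latency,
        "jitter_ms": round(jitter_ms(idle_rtts), 1),
        # How far latency rises once the link is saturated. A large value is
        # the usual sign of queueing on the path and explains why a link with
        # good throughput still feels slow on calls.
        "loaded_latency_increase_ms": max(dl_latency, ul_latency) - unloaded,
    }


# Constructed sample: a 100/20 Mbps link whose latency triples under upload load.
SAMPLE = dict(
    idle_rtts=[20, 22, 21, 23, 20],
    download_rtts=[40, 45, 42, 48, 44],
    upload_rtts=[60, 58, 62, 61, 59],
    download_bytes=125_000_000, download_secs=10.0,
    upload_bytes=25_000_000, upload_secs=10.0,
)

if __name__ == "__main__":
    for name, value in summarize(**SAMPLE).items():
        print(f"{name:28} {value}")
```

When a user reports a slow connection but the throughput numbers look healthy, compare `loaded_latency_increase_ms` and `jitter_ms` with the unloaded figure first; that is the pattern behind a poor Web chat / RTC score on an otherwise fast link.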


---

---
title: IP visibility
description: Reference information for IP visibility in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# IP visibility

Feature availability

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2025.1.861.0           |
| macOS    | ✅            | 2025.1.861.0           |
| Linux    | ✅            | 2025.1.861.0           |
| iOS      | ❌            |                        |
| Android  | ❌            |                        |
| ChromeOS | ❌            |                        |

DEX's IP visibility gives administrators insight into three different IP types per device:

1. **Device**: The private IP address of an end-user device.
2. **ISP**: The public IP that the ISP assigns when it routes the end-user device's traffic.
3. **Gateway**: The private IP of the router that the end-user device is connected to.

Note

The ISP IP is only visible to users with the [Zero Trust PII role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii).

DEX's IP visibility supports both IPv6 and IPv4 addresses.

IP information helps IT administrators troubleshoot network issues and identify device locations. Common uses include:

* Identifying which access point or network segment a user is connected to
* Verifying that network access control (NAC) policies are applied correctly
* Diagnosing firewall restrictions on specific VLANs (virtual local area networks)
* Troubleshooting Layer 2 (data link layer) and DHCP (Dynamic Host Configuration Protocol) issues
* Indirectly determining user identity and device location

## View a device's IP information

To view IP information for a user device:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Your devices**.
2. Select a device, then select **View details**.
3. Go to **IP details**.
4. Review the IP details for your selected device's most recent session.

## View a device's IP history

DEX's IP visibility allows you to review an event log of a device's IP history for the last seven days. To view a device's IP history:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Your devices**.
2. Select a device, select **View details**, then go to **IP details**.
3. Select **View all ISPs**.
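The three IP types above each have an expected shape (device and gateway addresses private, the ISP address globally routable), and the seven-day history lets you see when a device moved between networks. The following added example, not Cloudflare's code or the DEX API, checks a constructed IP-history export against those expectations, counts network changes, and strips the ISP address unless the viewer holds the Zero Trust PII role, mirroring the access rule the note above describes. The record field names (`ts`, `device`, `gateway`, `isp`) are assumed; the public addresses in the sample come from the RFC 5737 and RFC 3849 documentation ranges, which stand in for real ISP addresses and are deliberately not treated as non-routable here.

```python
"""Sanity-check and summarise a device's DEX IP history.

Added example, not Cloudflare's code. Record layout and sample values are
assumptions; the address classes come from RFC 1918, RFC 4193, RFC 6598 and
the loopback / link-local ranges.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
NON_ROUTABLE_NETS = PRIVATE_NETS + [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fe80::/10")]


def in_any(ip: str, nets) -> bool:
    """True if ip falls inside any network of the same IP version in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def check_record(rec: dict) -> list:
    """Findings for one history record; an empty list means it looks normal."""
    findings = []
    if not in_any(rec["device"], PRIVATE_NETS):
        findings.append("device IP is not an RFC 1918/ULA address")
    if not in_any(rec["gateway"], PRIVATE_NETS):
        findings.append("gateway IP is not an RFC 1918/ULA address")
    if in_any(rec["isp"], NON_ROUTABLE_NETS):
        findings.append("ISP IP is not globally routable")
    dev, gw = ipaddress.ip_address(rec["device"]), ipaddress.ip_address(rec["gateway"])
    if dev.version != gw.version:
        findings.append("device and gateway IP versions differ")
    return findings


def audit(history: list) -> dict:
    """Map timestamp -> findings for every record that raised one."""
    return {r["ts"]: f for r in history if (f := check_record(r))}


def network_changes(history: list) -> list:
    """Timestamps at which the gateway or ISP address changed, i.e. the
    device joined a different network. Expects oldest-first ordering."""
    return [cur["ts"] for prev, cur in zip(history, history[1:])
            if prev["gateway"] != cur["gateway"] or prev["isp"] != cur["isp"]]


def redact(rec: dict, has_pii_role: bool) -> dict:
    """Hide the ISP IP unless the viewer holds the Zero Trust PII role."""
    out = dict(rec)
    if not has_pii_role:
        out["isp"] = "[redacted: requires Zero Trust PII role]"
    return out


# Constructed sample history, oldest first: office, home, a network whose
# upstream address is itself private, then an IPv6-only network.
HISTORY = [
    {"ts": "2025-01-02T08:00:00Z", "device": "10.20.4.17",   "gateway": "10.20.4.1",   "isp": "203.0.113.45"},
    {"ts": "2025-01-03T18:30:00Z", "device": "192.168.1.23", "gateway": "192.168.1.1", "isp": "198.51.100.7"},
    {"ts": "2025-01-04T09:10:00Z", "device": "192.168.1.23", "gateway": "192.168.1.1", "isp": "198.51.100.7"},
    {"ts": "2025-01-06T11:45:00Z", "device": "172.20.0.5",   "gateway": "172.20.0.1",  "isp": "10.0.0.9"},
    {"ts": "2025-01-08T07:20:00Z", "device": "fd00:1::10",   "gateway": "fd00:1::1",   "isp": "2001:db8::1"},
]

if __name__ == "__main__":
    print("network changes:", network_changes(HISTORY))
    print("findings:", audit(HISTORY))
    print("non-PII view:", redact(HISTORY[0], has_pii_role=False))
```

A private ISP address is worth a second look: the device's traffic reached Cloudflare through another NAT or proxy layer, so the ISP column no longer tells you where the device physically is.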

## Troubleshoot with IP visibility

While IP visibility allows you to inspect a device's IP information, use [DEX's live analytics](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#available-metrics) to review which Cloudflare data center the device is connected to. When traffic leaves a Cloudflare One Client-connected end-user device, it will hit a [Cloudflare data center](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#identify-the-cloudflare-data-center-serving-your-request).

To find which Cloudflare data center a device is connected to:

1. Follow the steps in [View a device's IP information](#view-a-devices-ip-information) to find a device's IP information.
2. On the device page, select **Colocation & client** or find the **Client** table at the top of the page.
3. In the **Client** table, find **Colocation** to review which Cloudflare data center your selected device's outbound (egress) traffic is routed through.


---

---
title: Device monitoring
description: Device monitoring in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Device monitoring

Monitor performance and network status for your organization's [fleet](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status) (all devices with the Cloudflare One Client installed and connected to your Zero Trust organization) or individual [user devices](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#device-monitoring).

Network and device performance data helps IT administrators troubleshoot performance issues, investigate network connectivity problems, and monitor device health.

## Device overview

A fleet is a collection of user devices. All devices in a fleet have the Cloudflare One Client installed and are connected to a [Cloudflare Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization).

To view fleet status:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**.
2. Review the information under **Live analytics**.

### View metrics

The **Device overview** tab shows real-time and historical connectivity metrics for all devices in your organization.

To view analytics on a per-device level, go to [Device monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#device-monitoring).

### Available metrics

* **Devices connected by colo**: Number of devices connected to a given [Cloudflare data center ↗](https://www.cloudflarestatus.com/).
* **Connectivity status**: Percentage of devices in a given Cloudflare One Client state.

  | Status | Description |
  | --- | --- |
  | Connected | The Cloudflare One Client has successfully established a connection to the Cloudflare global network. |
  | Disconnected | The Cloudflare One Client has been intentionally or unintentionally disconnected from the Cloudflare global network. |
  | Paused | A user or administrator has taken an explicit action to temporarily turn off WARP, for example by entering an [admin override code](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes). Paused clients will [auto-connect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#auto-connect) after a timeout period. |
  | Connecting | The Cloudflare One Client is pending connection, but is actively trying to establish a connection to the Cloudflare global network. |

* **Mode**: [Client mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) deployed on the device.
* **Colo**: Percentage of devices connected to a given Cloudflare data center.
* **Platform**: Operating system of the device.
* **Major Version**: Cloudflare One Client version installed on the device.
* **Device Status Over Time**: Cloudflare One Client connection status over the selected time period.
* **Connection Methods Over Time**: Client mode used by the device over the selected time period.

## Device monitoring

Review network and device performance for a device enrolled in your fleet.

### View a device's performance

To view a device's network and device performance metrics:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Your devices**.
2. Select a device > **View details**.
3. Select the **DEX** tab.
4. In **Device Monitoring**, scroll down to **Network performance** and **Device Performance**.

### Network and device performance metrics

#### Network performance metrics

* **Unique networks over time**: How many unique SSIDs (Wi-Fi network names) the device was connected to.
* **Network I/O**: How much data the device transferred (uploads and downloads) over the primary network interface.

#### Device performance metrics

* **Battery percentage and cycles**: Displays battery percentage and [battery cycles ↗](https://support.apple.com/en-us/102888) over time. Use this metric to debug potential performance issues related to battery health or to power-saving measures that trigger at low battery levels.
* **CPU usage**: CPU utilization over time. Use this metric to debug slow system performance caused by high CPU usage.
* **Memory utilization**: Memory utilization over time. Use this metric to debug performance issues related to overtaxed memory.
* **Disk I/O**: Displays the number of disk read/write operations over time. Use this metric to debug performance issues caused by heavy disk activity.

## Export DEX device state event logs

The log data for all [DEX device state events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fdevice%5Fstate%5Fevents/) can be exported to [R2](https://developers.cloudflare.com/r2/), a cloud bucket, or a SIEM via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).


---

---
title: Notifications
description: Reference information for Notifications in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Notifications

Administrators can receive alerts when Cloudflare detects connectivity issues with the Cloudflare One Client or degraded application performance. Notifications can be delivered via email, webhook, and third-party services.

## Manage notifications

DEX notifications are configured on the [Cloudflare dashboard ↗](https://dash.cloudflare.com/). For more information, refer to [Create a notification](https://developers.cloudflare.com/notifications/get-started/#create-a-notification).

## Available notifications

### Device connectivity anomaly

**Who is it for?**

Zero Trust customers who want to be notified when Cloudflare detects a spike or drop in the number of devices connected through the WARP client.

**Other options / filters**

* **Alert configuration**: Choose when to trigger a notification. Available options are _Connectivity spike_, _Connectivity drop_, and _Connectivity spike or drop_.
* Filters:  
   * **Colo**: Cloudflare data center that the device is connected to.  
   * **Platform**: Operating system of the device.  
   * **Version**: WARP client version (for example, `2024.3.409.0`).  
   * **Mode**: [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) deployed on the device.

**Included with**

All Cloudflare Zero Trust plans.

**What should you do if you receive one?**

Review your [fleet status](https://developers.cloudflare.com/cloudflare-one/insights/dex/fleet-status/) to investigate why the spike or drop occurred and which devices are impacted.

**Additional information**

To learn more about the alert logic, refer to [Z-score](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/#z-score).

### DEX test latency

**Who is it for?**

Zero Trust customers who wish to receive alerts when there is a spike or drop in application latency, as measured by the HTTP test [Resource Fetch time](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/http/#test-results) or Traceroute test [Round trip time](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/#test-results). Requires setting up a [DEX test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/).

**Other options / filters**

* **Alert configuration**: Choose when to trigger a notification. Available options are _Latency spike_, _Latency drop_, and _Latency spike or drop_.
* Filters:  
   * **Colo**: Cloudflare data center that the device is connected to.  
   * **Platform**: Operating system of the device.  
   * **Version**: WARP client version (for example, `2024.3.409.0`).  
   * **Test name**: Choose which DEX test the alert should monitor. You will receive individual notifications for each test.

**Included with**

All Cloudflare Zero Trust plans.

**What should you do if you receive one?**

View your [test results](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) to investigate why the spike occurred.

**Additional information**

To learn more about the alert logic, refer to [Z-score](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/#z-score).

### DEX test low availability

**Who is it for?**

Zero Trust customers who wish to receive alerts when the percentage of successful HTTP or traceroute requests to an application drops below the selected service-level objective (SLO). Requires setting up a [DEX test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/).

**Other options / filters**

* **Service Level Objective (SLO)**: Specify the availability threshold that will trigger an alert. Enter a percentage in `xx.x` format (for example, `98.0`).
* Filters:  
   * **Colo**: Cloudflare data center that the device is connected to.  
   * **Platform**: Operating system of the device.  
   * **Version**: WARP client version (for example, `2024.3.409.0`).  
   * **Test name**: Choose which DEX test the alert should monitor. You will receive individual notifications for each test.

**Included with**

All Cloudflare Zero Trust plans.

**What should you do if you receive one?**

View your [test results](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) to investigate why the degradation occurred.

**Additional information**

To learn more about the alert logic, refer to [SLO](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/#slo).

## Alert logic

### Z-score

Cloudflare uses a z-score to detect unusual traffic spikes or drops. A [z-score ↗](https://en.wikipedia.org/wiki/Standard%5Fscore) is the number of standard deviations the current value is from the mean. Every five minutes, Cloudflare takes the current five-minute value and compares it against a mean and standard deviation computed from the past four hours of data.

To trigger an alert, the z-score value must be above 3.5 or below -3.5, which indicates the current value is significantly different from the recent baseline.

### SLO

A service-level objective (SLO) measures the percentage of valid events that succeeded. It is defined as (good events / valid events) \* 100, where valid events are those that could be measured in a given time period. DEX notifications evaluate both a short window (five minutes) and a long window (one hour) and trigger an alert if availability falls below the SLO threshold in either window.
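The two alert rules above (the z-score check for connectivity anomalies and test latency, and the short/long-window SLO check for low availability), worked through in code. This is an added illustration, not Cloudflare's implementation: it assumes population standard deviation over the four-hour baseline, five-minute buckets, and a flat-baseline rule the page does not specify; the device counts and test results are constructed.

```python
from math import copysign, inf
from statistics import mean, pstdev
from typing import List, Optional, Tuple

Z_THRESHOLD = 3.5                              # alert when z > 3.5 or z < -3.5
BUCKET_MINUTES = 5                             # one sample every five minutes
BASELINE_BUCKETS = 4 * 60 // BUCKET_MINUTES    # four hours of history = 48 samples
LONG_WINDOW_BUCKETS = 60 // BUCKET_MINUTES     # one hour = 12 samples


def zscore(current: float, baseline: List[float]) -> float:
    """Number of standard deviations `current` lies from the baseline mean."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline samples")
    mu = mean(baseline)
    sigma = pstdev(baseline)   # assumption: population std dev of the baseline window
    if sigma == 0:
        # Flat baseline (assumption, not covered by the page): an unchanged value
        # is z = 0, any change is an extreme z-score in the direction of the change.
        return 0.0 if current == mu else copysign(inf, current - mu)
    return (current - mu) / sigma


def connectivity_anomaly(counts: List[int], mode: str = "spike or drop") -> Tuple[bool, float]:
    """Device connectivity anomaly check. `counts` is chronological; the last
    element is the current five-minute bucket, the 48 before it are the
    four-hour baseline. `mode` mirrors the alert configuration options."""
    if len(counts) < BASELINE_BUCKETS + 1:
        raise ValueError("need four hours of history plus the current bucket")
    baseline = counts[-(BASELINE_BUCKETS + 1):-1]
    z = zscore(counts[-1], baseline)
    spike, drop = z > Z_THRESHOLD, z < -Z_THRESHOLD
    alert = {"spike": spike, "drop": drop, "spike or drop": spike or drop}[mode]
    return alert, z


def availability(good: int, valid: int) -> Optional[float]:
    """SLO as defined above: (good events / valid events) * 100.
    Returns None when nothing valid was measured in the window."""
    return None if valid == 0 else good / valid * 100


def slo_check(results: List[Tuple[int, int]], slo: float) -> dict:
    """DEX test low availability check. `results` holds (good, valid) pairs per
    five-minute bucket, oldest first. Availability is evaluated over the short
    window (latest bucket) and the long window (last twelve buckets); an alert
    fires if either falls below `slo`."""
    def window(buckets: List[Tuple[int, int]]) -> Optional[float]:
        return availability(sum(g for g, _ in buckets), sum(v for _, v in buckets))

    short_av = window(results[-1:])
    long_av = window(results[-LONG_WINDOW_BUCKETS:])
    alert = any(a is not None and a < slo for a in (short_av, long_av))
    return {"short": short_av, "long": long_av, "alert": alert}


# Constructed sample: 48 five-minute buckets hovering around 1000 connected devices
# (mean exactly 1000, population std dev sqrt(6) ~= 2.45).
_PATTERN = [-4, -2, 0, 2, 4, 2, 0, -2]
SAMPLE_BASELINE = [1000 + d for d in _PATTERN * (BASELINE_BUCKETS // len(_PATTERN))]

if __name__ == "__main__":
    print(connectivity_anomaly(SAMPLE_BASELINE + [700]))   # (True, ~-122.5): drop alert
    print(connectivity_anomaly(SAMPLE_BASELINE + [1003]))  # (False, ~1.22): within noise
    print(slo_check([(100, 100)] * 11 + [(95, 100)], slo=98.0))  # short window breaches
```

Note how a quiet, very stable baseline makes the z-score sensitive: with a spread of only a few devices, a change of nine devices already exceeds 3.5 standard deviations.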


---

---
title: Rules
description: Reference information for Rules in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---



# Rules

DEX rules allow you to create and manage testing policies for targeted user groups within your [fleet](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) (all devices with the Cloudflare One Client installed and connected to your Zero Trust organization). After creating a rule, you can use it to scope a [test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) to specific groups such as departments (like finance or sales), devices, and/or users. A rule can be applied to any of your tests and reused across them.

Use DEX rules to scope a test to a specific group within your fleet for more precise problem detection and resolution.

## Create a rule

To create a rule:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**.
2. Select the **Rules** tab.
3. Select **Add a rule**.
4. Give your rule a name and build your desired expressions.
5. Select **Create rule** to finalize your rule.

### Selectors

Selectors are required categories in a DEX rule expression that define a group within a fleet. The selector(s) you have defined in a rule will determine which group a test will impact.

Review the available selectors and their scope in the following list.

| Selector                     | Description                                                                                                                                                        |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **User email**               | For specifying [user emails](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-email).                                    |
| **User group emails**        | For specifying [group emails](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-group-email).                             |
| **User group IDs**           | For specifying [group IDs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-group-ids).                                  |
| **User group names**         | For specifying a [group name](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-group-names).                             |
| **Operating systems**        | For specifying operating systems.                                                                                                                                  |
| **Operating system version** | For specifying an operating system version (use Operator in) or versions (use Operator is).                                                                        |
| **Managed network**          | For specifying users accessing the network from the office (managed network) compared to those accessing remotely.                                                 |
| **SAML attributes**          | For specifying a value from the [SAML Attribute Assertion](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#saml-attributes). |
| **Colos**                    | For specifying a Cloudflare data center (colocation) that users are connected to.                                                                                  |

## Add a rule to a test

After you have created a rule, you can add it to a test. If you do not add a rule to a test, the test will run on your entire device fleet.

To add a rule to a test:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**.
2. Select the **Tests** tab.
3. Choose an existing test and select **Edit**, or select **Add a test** to make a new test.
4. Under **Select DEX rules**, select the rule you would like to apply.
5. Select **Save test** for an existing test or **Add rule** for the new test.

Note

It may take up to 10 minutes for newly updated settings to propagate to devices.

To view which tests a rule is being applied to:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**.
2. Select the **Rules** tab.
3. Choose a rule and select **Edit**.
4. Select the **DEX tests** tab and review the list of tests that include your selected rule.

## Create a test using a rule

You can create a new test from the [DEX test dashboard as described above](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/#add-a-rule-to-a-test) or directly from the DEX rules dashboard.

To create a new test using a rule from DEX rules:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**.
2. Select the **Rules** tab.
3. Select a rule and select **Edit**.
4. Select the **DEX tests** tab.
5. You will be able to review all the tests that currently include this rule. To create a new test, select **Create a test using this rule**.
6. Enter all required information, making sure that the box next to your rule name is checked.
7. Select **Add test**.

## Related resources

* [DEX HTTP test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/http/) \- Assess the accessibility of a web application.
* [DEX Traceroute test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/) \- Measure the network path of an IP packet from an end-user device to a server.


---

---
title: Synthetic tests
description: Synthetic tests resources and guides for Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Synthetic tests

With Digital Experience Monitoring (DEX), you can test if your devices can connect to a private or public endpoint through the Cloudflare One Client. Tests allow you to monitor availability for a given application and investigate performance issues reported by your end users.

DEX tests will only run when the Cloudflare One Client is turned on, whereas [fleet status](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status) metrics are always available.

To control which users or groups run a test, use [DEX rules](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/).

* [ HTTP test ](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/http/)
* [ Traceroute test ](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/)
* [ View test results ](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/)

## Export DEX application test logs

You can use [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) to export [DEX application test](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) data to [R2](https://developers.cloudflare.com/r2/) (Cloudflare's object storage), a third-party cloud storage bucket, or a Security Information and Event Management (SIEM) tool. This is useful if you need to retain test data beyond the [7-day log retention period](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention) or correlate DEX data with other log sources.


---

---
title: HTTP test
description: Reference information for HTTP test in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---



# HTTP test

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| --- | --- |
| Traffic and DNS mode, Traffic only mode | All plans |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2023.3.381             |
| macOS    | ✅            | 2023.3.381             |
| Linux    | ✅            | 2023.3.398             |
| iOS      | ❌            |                        |
| Android  | ✅            | 1.0                    |
| ChromeOS | ✅            | 1.0                    |

An HTTP test sends a `GET` request from an end-user device to a specific web application. You can use the response metrics to troubleshoot connectivity issues. For example, you can check whether the application is inaccessible for all users in your organization, or only certain ones.

HTTP tests run periodically from devices that have the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) installed and turned on. You can use them to verify that an internal application is reachable after a configuration change or to monitor a SaaS application for outages that affect your organization.

## Create a test

To set up an HTTP test for an application:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**.
2. Select the **Tests** tab.
3. Select **Add a Test**.
4. Fill in the following fields:  
   * **Name**: Enter any name for the test.  
   * **Target**: Enter the URL of the website or application that you want to test (for example, `https://jira.site.com`). Both public and private hostnames are supported. If testing a private hostname, ensure that the domain is on your [local domain fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) list.  
   * **Source device profiles**: (Optional) Select the [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) that you want to run the test on. If no profiles are selected, the test will run on all supported devices connected to your Zero Trust organization.  
   * **Test type**: Select _HTTP Get_.  
   * **Test frequency**: Specify how often the test will run. Input a minute value between 5 and 60.
5. Select **Add test**.
6. After the test is created and running, you can [view the results](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) of your test.

## Test results

An HTTP test measures the following data:

| Data                 | Description                                                                                                                                                               |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Resource fetch time  | Total time of all steps of the request, measured from [startTime to responseEnd ↗](https://developer.mozilla.org/en-US/docs/Web/API/Performance%5FAPI/Resource%5Ftiming). |
| Server response time | Round-trip time for the device to receive a response from the target.                                                                                                     |
| DNS response time    | Round-trip time for the DNS query to resolve.                                                                                                                             |
| HTTP status codes    | [Status code ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status) returned by the target.                                                               |

Use these metrics together to identify where in the connection a problem occurs. For example, a high DNS response time with a normal server response time points to a DNS resolution issue rather than a problem with the target server.

## Export DEX application test logs

You can use [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) to export [DEX application test](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) data to [R2](https://developers.cloudflare.com/r2/) (Cloudflare's object storage), a third-party cloud storage bucket, or a Security Information and Event Management (SIEM) tool. This is useful if you need to retain test data beyond the [7-day log retention period](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention) or correlate DEX data with other log sources.

## Related resources

* [DEX rules](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/) \- Define which users or groups a test applies to, using selectors such as user email, user group, operating system, or managed network.


---

---
title: Traceroute test
description: Reference information for Traceroute test in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---



# Traceroute test

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| --- | --- |
| Traffic and DNS mode, Traffic only mode | All plans |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2023.5.587             |
| macOS    | ✅            | 2023.5.589             |
| Linux    | ❌            |                        |
| iOS      | ❌            |                        |
| Android  | ✅            | 1.0                    |
| ChromeOS | ✅            | 1.0                    |

A traceroute test measures the network path of an IP packet from an end-user device to a server. The packet passes through a series of intermediate routers — each called a "hop" — and the test records the response time and packet loss at each one. You can use the results to troubleshoot network issues by identifying which hop along the path is causing increased latency or dropped packets.
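How to read the per-hop response time and packet loss a traceroute test records, as an added example that is not part of Cloudflare's documentation or tooling. The hop list is constructed (documentation IP ranges), and the 20 ms jump and 20 % loss thresholds are assumptions to tune for your own network; the one caveat it encodes is that loss at an intermediate hop which does not persist to the target is usually the router deprioritising replies to the probe, not loss on the path.

```python
from typing import List, Optional, Tuple

# Each hop: (hop number, IP address or None when no reply,
#            average RTT in ms or None, packet loss in percent).
Hop = Tuple[int, Optional[str], Optional[float], float]

# Constructed sample path from an end-user device to the test target.
SAMPLE_PATH: List[Hop] = [
    (1, "192.168.1.1", 1.2, 0.0),
    (2, "10.0.0.1", 4.8, 0.0),
    (3, "203.0.113.5", 6.1, 60.0),    # drops most probes, yet later hops are clean
    (4, "198.51.100.9", 48.3, 0.0),   # latency rises by ~42 ms at this hop
    (5, "192.0.2.0", 49.0, 0.0),      # the test target
]


def latency_increments(path: List[Hop]) -> List[Tuple[int, Optional[float]]]:
    """RTT added at each hop relative to the previous hop that replied.
    A hop with no reply gets None and is skipped as a reference point."""
    out: List[Tuple[int, Optional[float]]] = []
    prev: Optional[float] = None
    for hop, _ip, rtt, _loss in path:
        if rtt is None:
            out.append((hop, None))
            continue
        out.append((hop, rtt if prev is None else rtt - prev))
        prev = rtt
    return out


def suspect_hops(path: List[Hop], jump_ms: float = 20.0,
                 loss_pct: float = 20.0) -> List[Tuple[int, str]]:
    """Flag hops worth investigating, in path order.

    latency_jump      : this hop adds at least `jump_ms` over the previous one.
    packet_loss       : loss at this hop that also shows at the target, so it
                        affects real traffic.
    icmp_rate_limited : loss at an intermediate hop that the target does not
                        show; the router is answering probes slowly, the path
                        itself is fine.
    """
    findings: List[Tuple[int, str]] = []
    first_hop = path[0][0]
    last_hop, dest_loss = path[-1][0], path[-1][3]
    for (hop, _ip, _rtt, loss), (_, inc) in zip(path, latency_increments(path)):
        # The first hop's RTT is measured from zero, so it is never a "jump".
        if hop != first_hop and inc is not None and inc >= jump_ms:
            findings.append((hop, "latency_jump"))
        if loss >= loss_pct:
            persists = hop == last_hop or dest_loss >= loss_pct
            findings.append((hop, "packet_loss" if persists else "icmp_rate_limited"))
    return findings


if __name__ == "__main__":
    for hop, reason in suspect_hops(SAMPLE_PATH):
        print(f"hop {hop}: {reason}")   # hop 3: icmp_rate_limited / hop 4: latency_jump
```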

## Create a test

To set up a traceroute test for an application:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**.
2. Select the **Tests** tab.
3. Select **Add a Test**.
4. Fill in the following fields:  
   * **Name**: Enter any name for the test.  
   * **Target**: Enter the IP address of the server you want to test (for example, `192.0.2.0`). You can test either a public-facing endpoint or a private endpoint you have connected to Cloudflare.  
   * **Source device profiles**: (Optional) Select the [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) that you want to run the test on. A device profile defines Cloudflare One Client settings for a specific set of devices in your organization. If no profiles are selected, the test will run on all supported devices connected to your Zero Trust organization.  
   * **Test type**: Select _Traceroute_.  
   * **Test frequency**: Specify how often the test will run. Input a minute value between 5 and 60.
5. Select **Add test**.

Next, [view the results](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/view-results/) of your test.

## Test results

A traceroute test measures the following data:

| Data            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Network path    | IP address, average response time, and packet loss for each hop (router) between the device and the target. This is the core traceroute data — it maps the route your traffic takes.                                                                                                                                                                                                                                                                                                                         |
| Round trip time | Time, in milliseconds, between sending out a packet and receiving a response from the target. This is the end-to-end latency measurement.                                                                                                                                                                                                                                                                                                                                                                    |
| Number of hops  | Number of routers encountered between the device and the target.                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Packet loss     | Percentage of IP packets that failed to receive a response.                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Availability    | Percentage of tests where at least one packet reached the destination. A value below 100% means the destination was completely unreachable during some test runs.                                                                                                                                                                                                                                                                                                                                            |
| Last seen ISP   | The Internet Service Provider that is managing the connection from the device to Cloudflare. (Only available on macOS and Windows.) DEX looks up the public IP address the device connects from in a geolocation database and returns the corresponding [ASO (Autonomous System Organization) and ASN (Autonomous System Number) ↗](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/). If the ASO and ASN are `Unknown`, the information is unavailable from the geolocation data provider. |
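As an added example (not DEX's own code), the Go program below applies the troubleshooting logic described above to a constructed per-hop result set, and discounts the two traceroute artefacts that most often mislead a first reading: a hop that never replies but does not break the path (routers commonly drop or rate-limit ICMP TTL-exceeded messages while forwarding traffic normally), and a latency jump at an intermediate hop that does not carry through to the target (a router that is slow to generate ICMP but forwards at line rate). The `Hop` type, the thresholds and the sample path are assumptions for this example, not the DEX export schema.

```go
package main

import (
	"fmt"
	"math"
)

// Hop is one router on the measured path, with the per-hop averages a DEX
// traceroute result reports. Constructed for this example, not DEX's schema.
type Hop struct {
	Index    int
	IP       string
	AvgRTTms float64 // NaN when the hop never answered
	LossPct  float64
}

// Finding names the first hop at which a path problem appears.
type Finding struct {
	Hop    int
	Reason string
}

// responds reports whether the hop returned at least one reply.
func responds(h Hop) bool {
	return !math.IsNaN(h.AvgRTTms) && h.LossPct < 100
}

// lastResponder returns the last hop on the path that answered, normally the target.
func lastResponder(path []Hop) (Hop, bool) {
	for i := len(path) - 1; i >= 0; i-- {
		if responds(path[i]) {
			return path[i], true
		}
	}
	return Hop{}, false
}

// FirstBadHop walks the path and returns the first hop where packet loss
// exceeds maxLossPct or latency rises by more than jumpMs over the previous
// responding hop. A silent hop followed by responding hops is skipped, and a
// latency jump only counts when the target's RTT is still in that range.
func FirstBadHop(path []Hop, jumpMs, maxLossPct float64) (Finding, bool) {
	target, ok := lastResponder(path)
	if !ok {
		if len(path) > 0 {
			return Finding{path[0].Index, "no hop responded"}, true
		}
		return Finding{}, false
	}
	prevRTT := 0.0
	for i, h := range path {
		if !responds(h) {
			if _, later := lastResponder(path[i+1:]); later {
				continue // ICMP-unfriendly middlebox, not a fault
			}
			return Finding{h.Index, "no replies from this hop onward"}, true
		}
		if h.LossPct > maxLossPct {
			return Finding{h.Index, fmt.Sprintf("packet loss %.0f%% exceeds %.0f%%", h.LossPct, maxLossPct)}, true
		}
		jump := h.AvgRTTms - prevRTT
		if jump > jumpMs && target.AvgRTTms >= h.AvgRTTms-jumpMs/2 {
			return Finding{h.Index, fmt.Sprintf("latency jumped %.1f ms and persists to the target", jump)}, true
		}
		prevRTT = h.AvgRTTms
	}
	return Finding{}, false
}

// SamplePath is a constructed path from a device to 192.0.2.0 (the page's
// example target): hop 3 never replies but the path continues, and latency
// climbs sharply at hop 5 and stays high through to the target.
var SamplePath = []Hop{
	{1, "10.0.0.1", 1.2, 0},
	{2, "203.0.113.1", 8.5, 0},
	{3, "*", math.NaN(), 100},
	{4, "198.51.100.7", 9.1, 0},
	{5, "198.51.100.9", 84.0, 0},
	{6, "198.51.100.11", 86.3, 2},
	{7, "192.0.2.0", 87.0, 0},
}

func main() {
	if f, ok := FirstBadHop(SamplePath, 50, 5); ok {
		fmt.Printf("hop %d: %s\n", f.Hop, f.Reason)
	} else {
		fmt.Println("path looks healthy")
	}
}
```

With a 50 ms jump threshold and 5% loss threshold the sample path is blamed on hop 5; raising the jump threshold to 100 ms and tightening loss to 1% moves the finding to hop 6, which is the kind of threshold sensitivity worth keeping in mind before escalating to a carrier.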

## Export DEX application test logs

You can use [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) to export [DEX application test](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) data to [R2](https://developers.cloudflare.com/r2/) (Cloudflare's object storage), a third-party cloud storage bucket, or a Security Information and Event Management (SIEM) tool. This is useful if you need to retain test data beyond the [7-day log retention period](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention) or correlate DEX data with other log sources.

## Related resources

* [DEX rules](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/) \- Define which users or groups a test applies to, using selectors such as user email, user group, operating system, or managed network.


---

---
title: View test results
description: View test results in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# View test results

Use the results of a Digital Experience Monitoring (DEX) test to monitor availability and performance for a specific application. DEX stores test results for 7 days on all plans, according to the [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention).

## Prerequisites

* At least one [test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) has been created under **Insights** \> **Digital experience** \> **Tests**.
* Admins must have at least the [Cloudflare Zero Trust Reporting role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#zero-trust-roles).

## View results for all devices

To view an overview of test results for all devices:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Digital experience**.
2. Select the **Tests** tab.
3. Select a test to view detailed results.

## View results for an individual device

To view analytics on a per-device level:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Your devices**.
2. Select the device you want to view, and then select **View details**.
3. Select the **Tests** tab.
4. Select a test to view detailed results.

## Export DEX application test logs

You can use [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) to export [DEX application test](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/) data to [R2](https://developers.cloudflare.com/r2/) (Cloudflare's object storage), a third-party cloud storage bucket, or a Security Information and Event Management (SIEM) tool. This is useful if you need to retain test data beyond the [7-day log retention period](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention) or correlate DEX data with other log sources.

## Related resources

* [DEX HTTP test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/http/) \- Send a `GET` request from enrolled devices to a web application and measure response times.
* [DEX Traceroute test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/) \- Map the network route between a device and a server, showing each hop along the path.
* [DEX rules](https://developers.cloudflare.com/cloudflare-one/insights/dex/rules/) \- Define which users or groups a test applies to, using selectors such as user email, user group, operating system, or managed network.


---

---
title: Troubleshoot Digital Experience Monitoring
description: Resolve common issues with Digital Experience Monitoring (DEX), including data visibility problems and remote capture failures.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Debugging ](https://developers.cloudflare.com/search/?tags=Debugging) 

# Troubleshoot Digital Experience Monitoring

Review common troubleshooting scenarios for Digital Experience Monitoring (DEX).

## Data visibility

### No data displayed for certain users

If you do not see DEX data for specific users in your organization, verify the following:

* **Client version**: Ensure the users are running a version of the Cloudflare One Client that supports DEX.
* **DEX enabled**: Confirm that DEX is enabled for the [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) assigned to those users.
* **Traffic routing**: DEX requires that traffic to Cloudflare's orchestration API is not blocked by local firewalls or SSL-inspecting proxies.

### Fleet status not updating

The Fleet status dashboard can take several minutes to reflect changes in device connectivity. If a device remains in an incorrect state, try disconnecting and reconnecting the Cloudflare One Client to force a status update.

## Remote captures

### Remote capture fails to start

Remote captures require the Cloudflare One Client to be connected and able to communicate with the Cloudflare control plane. If a capture fails to start:

* Verify the device status in the Zero Trust dashboard.
* Ensure the device has sufficient disk space to store the capture files before upload.
* Check for any local firewall rules that might be blocking the capture command.

---

## How to contact Support

If you cannot resolve the issue, [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). Please provide a [remote capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/) from the Zero Trust dashboard for the affected device.


---

---
title: Logs
description: Logs resources and guides for Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Logs

Review detailed logs for your Zero Trust organization.

* [ Dashboard logs ](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/)
* [ Logpush integration ](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/)

## Log retention

Cloudflare stores Zero Trust logs for different periods of time based on the service and plan type:

| Log type                | Free      | Standard  | Access    | Gateway   | Enterprise                      |
| ----------------------- | --------- | --------- | --------- | --------- | ------------------------------- |
| **Admin logs**          | 18 months | 18 months | 18 months | 18 months | 18 months                       |
| **Access logs**         | 24 hours  | 30 days   | 30 days   | 24 hours  | 180 days                        |
| **DNS logs**            | 24 hours  | 30 days   | 24 hours  | 30 days   | 180 days[1](#user-content-fn-1) |
| **Network logs**        | 24 hours  | 30 days   | 24 hours  | 30 days   | 30 days                         |
| **HTTP logs**           | 24 hours  | 30 days   | 24 hours  | 30 days   | 30 days                         |
| **DEX logs**            | 7 days    | 7 days    | 7 days    | 7 days    | 7 days                          |
| **Device posture logs** | 30 days   | 30 days   | 30 days   | 30 days   | 30 days                         |

## Log Explorer Beta

Log Explorer users can store Zero Trust logs directly within Cloudflare in an [R2 bucket](https://developers.cloudflare.com/r2/) and access them with the dashboard or API. Log Explorer supports the following Zero Trust datasets:

* [Access requests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/access%5Frequests/) (`FROM access_requests`)
* [CASB Findings](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/casb%5Ffindings/) (`FROM casb_findings`)
* [Device posture results](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/device%5Fposture%5Fresults/) (`FROM device_posture_results`)
* [Gateway DNS](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fdns/) (`FROM gateway_dns`)
* [Gateway HTTP](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fhttp/) (`FROM gateway_http`)
* [Gateway Network](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fnetwork/) (`FROM gateway_network`)
* [Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/) (`FROM zero_trust_network_sessions`)

For more information, refer to [Log Explorer](https://developers.cloudflare.com/log-explorer/).

## Customer Metadata Boundary

You can use Cloudflare Zero Trust with the Data Localization Suite to restrict data storage to a specific geographic region. For more information, refer to [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/).

## Data privacy

For more information on how we use this data, refer to our [Privacy Policy ↗](https://www.cloudflare.com/application/privacypolicy/).

## Footnotes

1. Enterprise users on per query plans cannot store DNS logs via Cloudflare. You can still export logs via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). For more information, contact your account team. [↩](#user-content-fnref-1)


---

---
title: Dashboard logs
description: View user activity, policy decisions, and connection logs in the Cloudflare One dashboard.
image: https://developers.cloudflare.com/zt-preview.png
---


# Dashboard logs

The following logs are available in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com/). Use these logs to review user activity, policy decisions, and connection details for your Zero Trust deployment.

* [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/)
* [Admin activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/admin-activity-logs/)
* [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/)
* [Posture logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/posture-logs/)
* [SCIM provisioning logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/)
* [SSH command logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs/)
* [Tunnel audit logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/tunnel-audit-logs/)

For additional datasets and long-term log storage, refer to [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).


---

---
title: Access authentication logs
description: Use Access authentication logs to review authentication events and requests to protected URI paths and infrastructure targets.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Logging ](https://developers.cloudflare.com/search/?tags=Logging) 

# Access authentication logs

Access authentication logs help you track who accessed your protected applications, when they accessed them, and whether they were allowed in. Use these logs to investigate suspicious login attempts, audit user activity, or troubleshoot access issues.

Cloudflare Access generates two types of audit logs:

* **[Authentication audit logs](#authentication-logs)** record each login attempt (successful or failed) by a user or service to an Access application.
* **[Per-request audit logs](#per-request-logs)** record individual HTTP requests that authenticated users make to protected [application paths](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/) and infrastructure targets.

## Authentication logs

Cloudflare Access logs an authentication event whenever a user or service attempts to log in to an application, whether the attempt succeeds or not.

[Identity-based authentication](#identity-based-authentication) refers to login attempts that were evaluated based on who the user is — for example, their email address, identity provider (IdP) group, SAML group, or OIDC claim.

[Non-identity authentication](#non-identity-authentication) refers to login attempts that were evaluated based on context rather than user identity — for example, IP address, device posture, country, valid certificate, or service token.

Note

Authentication logs do not capture the user's actions during a self-hosted or SaaS application session. To audit individual requests made during a session, refer to [Per-request logs](#per-request-logs).

### Identity-based authentication

#### View Access authentication logs


To view logs for identity-based authentication events in the dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Logs**.
2. Select **Access authentication logs**.  
   Note (log viewer beta): Access authentication logs use an updated log viewer with enhanced filtering capabilities. To switch to the classic view, select **Return to old logs**.
3. (Optional) Filter the logs that display in the log viewer. You can filter logs by their timestamp and event details (such as the Access application, user email, policy decision, and more).  
   Tip: querying for fewer fields improves log loading performance.
4. Select an individual timestamp to investigate the event in more detail.

To retrieve the same events programmatically, the [Access authentication logs](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/logs/subresources/access%5Frequests/methods/list/) API endpoint provides a custom URL to export audit log events for your account.

Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Audit Logs Read`

Get Access authentication logs:

```bash
# X-Auth-Key is the account's global API key. A scoped API token that carries only
# "Access: Audit Logs Read", sent as "Authorization: Bearer $TOKEN", is the
# least-privilege alternative for an automated export.
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/access_requests?limit=25&direction=desc&since=2020-07-01T05%3A20%3A00Z&until=2020-10-01T05%3A20%3A00Z" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

Response:

```json
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": [
    {
      "user_email": "michelle@example.com",
      "ip_address": "198.41.129.166",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "app_domain": "test.example.com/admin",
      "action": "login",
      "connection": "saml",
      "allowed": false,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ray_id": "187d944c61940c77"
    }
  ]
}
```

#### Explanation of the fields

Identity-based authentication logs contain the following fields:

##### Basic information

| Field            | Description                                                                                                              |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------ |
| **App**          | Name of the Access application.                                                                                          |
| **User email**   | Email address of the authenticating user.                                                                                |
| **User ID**      | Unique identifier (UUID) of the authenticating user.                                                                     |
| **IP address**   | IP address of the authenticating user.                                                                                   |
| **App UID**      | Unique identifier (UUID) of the Access application.                                                                      |
| **App domain**   | URL of the Access application.                                                                                           |
| **App type**     | Specifies the type of Access application: self-hosted, browser SSH, browser VNC, browser RDP, SaaS, or infrastructure.   |
| **Event**        | Type of authentication event, such as a login attempt.                                                                   |
| **Connection**   | Identity provider used to authenticate (for example, saml, onetimepin, google-apps).                                     |
| **Allow**        | Whether the authentication attempt was allowed (true) or denied (false).                                                 |
| **Request time** | Timestamp of the authentication event.                                                                                   |
| **Ray ID**       | A unique identifier for every request through Cloudflare. Useful for tracing a specific request through Cloudflare logs. |
| **Country**      | Country associated with the user's IP address.                                                                           |

##### Infrastructure applications

Cloudflare Access logs the following information when the user authenticates to an [infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/):

| Field         | Description                                                                                                                                                                                                                                                             |
| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Hostname**  | Hostname of the infrastructure target.                                                                                                                                                                                                                                  |
| **Target ID** | UUID of the infrastructure target.                                                                                                                                                                                                                                      |
| **SSH user**  | The UNIX user, such as root, that the authenticating user specified when connecting to the infrastructure target.                                                                                                                                                       |
| **SSH logs**  | SSH commands that the user ran on the target. Requires configuring an [SSH encryption key](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) before the session begins. |
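As an added example (not Cloudflare's code), the Go program below consumes a response in the shape the API returns above and runs two simple detections over it per user: a burst of denied logins within a time window, and successful logins from more than one source IP within the same window. The response body is constructed for the example; in practice it is the output of the `curl` call above, paged through with `since` and `until`. Rejecting a response with `"success": false` matters because an expired token or a permission error would otherwise look like a quiet night.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// AccessEvent mirrors the fields this example needs from one entry of the
// "result" array in the Access authentication logs API response above.
type AccessEvent struct {
	UserEmail string    `json:"user_email"`
	IPAddress string    `json:"ip_address"`
	AppDomain string    `json:"app_domain"`
	Allowed   bool      `json:"allowed"`
	CreatedAt time.Time `json:"created_at"`
}

type apiResponse struct {
	Success bool          `json:"success"`
	Errors  []interface{} `json:"errors"`
	Result  []AccessEvent `json:"result"`
}

// ParseEvents decodes a response body and refuses one the API marked as
// failed, so an error response is never mistaken for "no events".
func ParseEvents(body []byte) ([]AccessEvent, error) {
	var r apiResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if !r.Success {
		return nil, fmt.Errorf("API reported failure: %v", r.Errors)
	}
	return r.Result, nil
}

// Detect runs two per-user checks over a sliding window of length window:
// maxDenied or more denied logins (credential stuffing, or a user being
// rejected by policy) and successful logins from more than one source IP
// (shared or stolen credentials). Alerts are returned sorted by user.
func Detect(events []AccessEvent, window time.Duration, maxDenied int) []string {
	byUser := map[string][]AccessEvent{}
	for _, e := range events {
		byUser[e.UserEmail] = append(byUser[e.UserEmail], e)
	}
	var alerts []string
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].CreatedAt.Before(evs[j].CreatedAt) })
		worstDenied, worstIPs := 0, 0
		for i := range evs { // one window starting at each event
			denied, ips := 0, map[string]bool{}
			for j := i; j < len(evs) && evs[j].CreatedAt.Sub(evs[i].CreatedAt) <= window; j++ {
				if evs[j].Allowed {
					ips[evs[j].IPAddress] = true
				} else {
					denied++
				}
			}
			if denied > worstDenied {
				worstDenied = denied
			}
			if len(ips) > worstIPs {
				worstIPs = len(ips)
			}
		}
		if worstDenied >= maxDenied {
			alerts = append(alerts, fmt.Sprintf("%s: %d denied logins within %s", u, worstDenied, window))
		}
		if worstIPs > 1 {
			alerts = append(alerts, fmt.Sprintf("%s: allowed logins from %d distinct IPs within %s", u, worstIPs, window))
		}
	}
	sort.Strings(alerts) // map iteration order is random; make output deterministic
	return alerts
}

// SampleBody is a constructed response in the documented shape (not real log data).
const SampleBody = `{"success":true,"errors":[],"messages":[],"result":[
{"user_email":"michelle@example.com","ip_address":"198.51.100.23","app_domain":"test.example.com/admin","allowed":false,"created_at":"2024-01-01T05:20:00Z"},
{"user_email":"michelle@example.com","ip_address":"198.51.100.23","app_domain":"test.example.com/admin","allowed":false,"created_at":"2024-01-01T05:21:00Z"},
{"user_email":"michelle@example.com","ip_address":"198.51.100.23","app_domain":"test.example.com/admin","allowed":false,"created_at":"2024-01-01T05:22:00Z"},
{"user_email":"michelle@example.com","ip_address":"198.51.100.23","app_domain":"test.example.com/admin","allowed":true,"created_at":"2024-01-01T05:23:00Z"},
{"user_email":"dev@example.com","ip_address":"203.0.113.5","app_domain":"test.example.com/admin","allowed":true,"created_at":"2024-01-01T05:30:00Z"},
{"user_email":"dev@example.com","ip_address":"198.51.100.77","app_domain":"test.example.com/admin","allowed":true,"created_at":"2024-01-01T05:35:00Z"},
{"user_email":"ops@example.com","ip_address":"203.0.113.9","app_domain":"test.example.com/admin","allowed":true,"created_at":"2024-01-01T04:00:00Z"},
{"user_email":"ops@example.com","ip_address":"198.51.100.80","app_domain":"test.example.com/admin","allowed":true,"created_at":"2024-01-01T07:00:00Z"}
]}`

func main() {
	events, err := ParseEvents([]byte(SampleBody))
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, 15*time.Minute, 3) {
		fmt.Println(a)
	}
}
```

On the sample, `michelle@example.com` trips the denied-burst rule and `dev@example.com` the multi-IP rule, while `ops@example.com`'s two logins three hours apart stay quiet. Both rules are deliberately coarse; a production version would key the second rule on country or ASN rather than raw IP to avoid alerting on ordinary mobile hand-offs.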

### Non-identity authentication

To retrieve logs for non-identity authentication events, use the [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/tutorials/querying-access-login-events/). These logs are not available in the Cloudflare One dashboard.

## Per-request logs

Users who have authenticated through Access have access to authorized URL paths for the duration of their session. Cloudflare provides several ways to audit these requests.

### Using Cloudflare Logs

Enterprise customers have access to detailed logs of requests on their Cloudflare dashboard. Enterprise customers also have access to Cloudflare's Logpush service, which can be configured from the Cloudflare dashboard or API. For more information about Cloudflare HTTP and infrastructure logging, refer to [Cloudflare Logs](https://developers.cloudflare.com/logs/).

Once a member of your team authenticates to reach an HTTP resource behind Access, Cloudflare generates a JSON Web Token (JWT) for that user that contains their SSO identity. Cloudflare signs this token using RS256 (RSA Signature with SHA-256), an asymmetric algorithm, and makes the public key available so that you can verify the token is authentic.
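As an added example (not Cloudflare's code), the Go program below shows the verification an origin should perform on a token of this kind before trusting the identity it carries. It uses a locally generated RSA key pair in place of the public key Cloudflare publishes, and a made-up audience tag; only the claim names `aud`, `exp` and `email` follow the Access token layout. The check matters because an identity header on its own is only trustworthy when the origin cannot be reached except through Cloudflare: an origin exposed directly could be sent a forged header, whereas a forged token fails signature verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the token fields this verifier enforces; aud and exp are the minimum.
type Claims struct {
	Email string   `json:"email"`
	Aud   []string `json:"aud"`
	Exp   int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Sign produces an RS256 JWT. In production Cloudflare is the signer; this
// local signer exists only so the example runs offline with a generated key.
func Sign(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature against the issuer's public key before trusting
// any claim, then enforces audience and expiry. The algorithm is pinned to
// RS256: the "alg" header is attacker-controlled and must never choose the method.
func Verify(pub *rsa.PublicKey, token, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, fmt.Errorf("bad signature: %w", err)
	}
	bodyJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return Claims{}, err
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return c, nil
		}
	}
	return Claims{}, errors.New("audience mismatch")
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := Sign(key, Claims{Email: "srhea@example.com", Aud: []string{"app-aud-tag"}, Exp: now.Add(time.Hour).Unix()})
	c, err := Verify(&key.PublicKey, tok, "app-aud-tag", now)
	fmt.Println("genuine:", c.Email, err)
	// A token from any other key fails, whatever its claims say.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := Sign(other, Claims{Email: "admin@example.com", Aud: []string{"app-aud-tag"}, Exp: now.Add(time.Hour).Unix()})
	_, err = Verify(&key.PublicKey, forged, "app-aud-tag", now)
	fmt.Println("forged:", err)
}
```

In a real deployment the public key comes from Cloudflare's published key set for your team rather than a local key pair, and `wantAud` is the audience tag of the specific Access application, so that a valid token for one application cannot be replayed against another.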

When a user requests a URL, Access appends the user identity from that token as a request header, which Cloudflare logs as the request passes through the network. Your team can collect these logs in your preferred third-party Security information and event management (SIEM) software or storage destination by using [Cloudflare Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). When enabled with the Access user identity field, the logs export to your systems as JSON similar to the example below.

```json
{
   "ClientIP": "198.51.100.206",
   "ClientRequestHost": "jira.widgetcorp.tech",
   "ClientRequestMethod": "GET",
   "ClientRequestURI": "/secure/Dashboard/jspa",
   "ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36",
   "EdgeEndTimestamp": "2019-11-10T09:51:07Z",
   "EdgeResponseBytes": 4600,
   "EdgeResponseStatus": 200,
   "EdgeStartTimestamp": "2019-11-10T09:51:07Z",
   "RayID": "5y1250bcjd621y99",
   "RequestHeaders":{"cf-access-user":"srhea"}
},
{
   "ClientIP": "198.51.100.206",
   "ClientRequestHost": "jira.widgetcorp.tech",
   "ClientRequestMethod": "GET",
   "ClientRequestURI": "/browse/EXP-12",
   "ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36",
   "EdgeEndTimestamp": "2019-11-10T09:51:27Z",
   "EdgeResponseBytes": 4570,
   "EdgeResponseStatus": 200,
   "EdgeStartTimestamp": "2019-11-10T09:51:27Z",
   "RayID": "yzrCqUhRd6DVz72a",
   "RequestHeaders":{"cf-access-user":"srhea"}
}
```

### Using the `cf-access-user` field

In addition to the HTTP request fields available in Cloudflare Enterprise logging, requests made to applications behind Access include the `cf-access-user` field, which contains the user identity string. This offers another tool for auditing user behavior. To add the `cf-access-user` field to your HTTP request logs, you must add it as a custom field. Refer to [Custom fields](https://developers.cloudflare.com/logs/logpush/logpush-job/custom-fields/) for instructions.

Keep in mind that Access does not log all interactions. Per-request audit logs can indicate that a specific user visited `domain.com/admin` and then `domain.com/admin/panel`, but the logs only capture interactions that result in a new HTTP request. Purely client-side interactions that do not generate server requests are not logged.


---

---
title: Admin activity logs
description: Monitor when a member on your account creates, updates, or deletes configurations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Admin activity logs

Admin activity logs record configuration changes made by members of your Cloudflare account. These logs are useful for auditing who changed a policy or setting and investigating unexpected configuration changes. Use these logs to monitor when a member creates, updates, or deletes configurations in your [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#create-a-zero-trust-organization).

To view admin activity logs, log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Insights** \> **Logs** \> **Admin activity logs**.

## Explanation of the fields

| Field           | Description                                      | Example Value                                                                              |
| --------------- | ------------------------------------------------ | ------------------------------------------------------------------------------------------ |
| Email           | User who performed the action                    | [josephli@cloudflare.com](mailto:josephli@cloudflare.com)                                  |
| Product         | Cloudflare product being modified                | Tunnel                                                                                     |
| Resource        | Specific resource type within the product        | Route                                                                                      |
| Event           | Action performed (Create, Update, Delete)        | Create                                                                                     |
| Date            | Timestamp of when the action occurred            | April 30, 2026 • 12:19 AM                                                                  |
| User IP Address | IP address of the user who made the change       | 2a09:bac6:6447:523::83:30                                                                  |
| Interface       | How the change was initiated                     | API                                                                                        |
| Audit record    | Unique identifier for the audit log entry        | caf1a547-17cc-484a-b4ce-5d3b32771a8f                                                       |
| Old value       | Previous configuration state (empty for creates) |                                                                                            |
| New value       | New configuration state after the change         | JSON object with fields like comment, network, tun\_type, tunnel\_id, virtual\_network\_id |

## Export admin activity logs

Enterprise users can export admin activity logs to a third-party storage destination or SIEM using [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). For a list of all available fields, refer to [Audit Logs V2](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/audit%5Flogs%5Fv2/).
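As an added example, not code from the Cloudflare documentation, the script below shows the kind of triage a SIEM can run over exported admin activity records: it diffs the Old value and New value JSON of each record to find which keys changed, and flags deletions, API-driven changes from an address outside the team's expected admin egress, and Tunnel route updates that replace the routed network with a wider one. It assumes records keyed by the dashboard field names in the table above; the Audit Logs V2 Logpush dataset uses its own field names, so map them before calling these functions. The records, identifiers, addresses and the trusted-IP set are constructed for the example.

```python
"""
Added example (not from the Cloudflare docs): triage admin activity records
after export to a SIEM by diffing Old value / New value and applying a few
review rules.

Assumptions (not stated on the page): records are dicts keyed by the
dashboard field names from the table above; Logpush (Audit Logs V2) field
names differ and must be mapped first. Records, UUIDs, addresses and the
trusted admin egress set are constructed.
"""
import ipaddress
import json

TRUSTED_ADMIN_IPS = {"2a09:bac6:6447:523::83:30"}  # assumed admin egress addresses


def _route(network):
    """Constructed Tunnel route document using the keys the table above lists."""
    return json.dumps({"comment": "lab subnet", "network": network,
                       "tun_type": "cfd_tunnel",
                       "tunnel_id": "7d0c6c1e-1111-4222-8333-444455556666",
                       "virtual_network_id": "9e8f7a6b-aaaa-4bbb-8ccc-dddd00001111"})


SAMPLE_EVENTS = [
    {"Email": "josephli@example.com", "Product": "Tunnel", "Resource": "Route",
     "Event": "Create", "Date": "2026-04-30T00:19:00Z",
     "User IP Address": "2a09:bac6:6447:523::83:30", "Interface": "API",
     "Audit record": "caf1a547-17cc-484a-b4ce-5d3b32771a8f",
     "Old value": "", "New value": _route("10.20.0.0/24")},
    {"Email": "josephli@example.com", "Product": "Tunnel", "Resource": "Route",
     "Event": "Update", "Date": "2026-04-30T00:25:00Z",
     "User IP Address": "203.0.113.9", "Interface": "API",
     "Audit record": "0f0b7c6e-1a2b-4c3d-8e9f-0a1b2c3d4e5f",
     "Old value": _route("10.20.0.0/24"), "New value": _route("10.0.0.0/8")},
    {"Email": "josephli@example.com", "Product": "Tunnel", "Resource": "Route",
     "Event": "Delete", "Date": "2026-04-30T02:03:00Z",
     "User IP Address": "2a09:bac6:6447:523::83:30", "Interface": "Dashboard",
     "Audit record": "5b2e9d41-6c7d-4e8f-9a0b-1c2d3e4f5a6b",
     "Old value": _route("10.0.0.0/8"), "New value": ""},
]


def parse_value(raw):
    """Old/New value is a JSON document or an empty string (creates have no
    old value, deletes have no new value). Always return a dict."""
    if not raw:
        return {}
    value = json.loads(raw)
    return value if isinstance(value, dict) else {"value": value}


def changed_keys(old, new):
    """Keys whose value differs between the two states, with (old, new)."""
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


def route_widened(old, new):
    """True if the route's network became a strict supernet of what it was,
    i.e. the tunnel now captures more address space than before."""
    try:
        before = ipaddress.ip_network(old["network"], strict=False)
        after = ipaddress.ip_network(new["network"], strict=False)
    except (KeyError, ValueError):
        return False
    if before.version != after.version:
        return False
    return before != after and after.supernet_of(before)


def triage(event, trusted_ips):
    """Reasons this event deserves review; empty list means nothing flagged."""
    reasons = []
    old = parse_value(event.get("Old value"))
    new = parse_value(event.get("New value"))
    if event.get("Event") == "Delete":
        reasons.append("delete")
    ip = event.get("User IP Address")
    if event.get("Interface") == "API" and ip not in trusted_ips:
        reasons.append("api change from untrusted ip %s" % ip)
    if (event.get("Product"), event.get("Resource")) == ("Tunnel", "Route") \
            and route_widened(old, new):
        reasons.append("route widened %s -> %s" % (old["network"], new["network"]))
    return reasons


def flagged(events, trusted_ips):
    """(Audit record, reasons) for every event that triggered a rule."""
    out = []
    for ev in events:
        reasons = triage(ev, trusted_ips)
        if reasons:
            out.append((ev.get("Audit record"), reasons))
    return out


if __name__ == "__main__":
    for record_id, reasons in flagged(SAMPLE_EVENTS, TRUSTED_ADMIN_IPS):
        print(record_id, reasons)
```

The Audit record UUID is the value to carry into a ticket, since it identifies the exact entry to pull back from the dashboard or from the exported dataset.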


---

---
title: Gateway activity logs
description: Review DNS queries, network traffic, and HTTP requests inspected by Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Gateway activity logs

Gateway activity logs record the DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/ssh-command-logs/) for sessions proxied by Gateway.

Enterprise users can generate more detailed logs with [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

* [ Manage PII ](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/manage-pii/)

Private source IP substitution

Gateway logs show the public IP address in the **Source IP** field. Private IP addresses are translated to public addresses via network address translation (NAT). To see the user's original private IP, refer to the **Source internal IP** field in the DNS, Network, or HTTP log details below.

## View Gateway activity logs

To view Gateway activity logs:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Logs**.
2. Choose a type of Gateway log:
   * **DNS query logs**
   * **Network logs**
   * **HTTP request logs**

   Log viewer (beta)

   Gateway logs use an updated log viewer with enhanced filtering capabilities. To switch to the classic view, select **Return to old logs**.
3. (Optional) Filter the logs that display in the log viewer. You can filter logs by their timestamp and event details (such as host, URL, user email, policy action, and more).

   Tip

   Querying for fewer fields improves log loading performance.
4. Select an individual timestamp to investigate the event in more detail.

## Selective logging

By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logging entirely or only log blocked requests.

To customize what Gateway logs:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. Under **Traffic logging** \> **Log traffic activity**, choose your preference for DNS, Network, and HTTP logs.

These settings only apply to logs displayed in Cloudflare One. Logpush data is unaffected.

## DNS logs

### Explanation of the fields

#### Basic information

| Field                 | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Query name**        | Name of the domain that was queried.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| **Query ID**          | UUID of the query assigned by Cloudflare.                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **Email**             | Email address of the user who registered the Cloudflare One Client where traffic originated from. If a non-identity on-ramp (such as a [proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)) or machine-level authentication (such as a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/)) was used, this value will be non\_identity@<team-domain>.cloudflareaccess.com. |
| **Action**            | The [Action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#actions) Gateway applied to the query (such as Allow or Block).                                                                                                                                                                                                                                                                                                                                                |
| **Time**              | Date and time of the DNS query.                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **Resolver decision** | The reason why Gateway applied a particular **Action** to the request. Refer to the [list of resolver decisions](#resolver-decisions).                                                                                                                                                                                                                                                                                                                                                                      |
| **Resolved IPs**      | Resolved IP addresses in the response.                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **CNAMEs**            | CNAME records in the query.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |

#### Configuration information

| Field                  | Description                                                                                                                                                   |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **DNS location**       | [User-configured location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) from where the DNS query was made. |
| **Policy name**        | Name of the matched policy.                                                                                                                                   |
| **Policy ID**          | ID of the matched policy.                                                                                                                                     |
| **Policy description** | Description of the matched policy.                                                                                                                            |
| **DoH subdomain**      | DoH subdomain of the DNS location.                                                                                                                            |
| **Protocol**           | Protocol that was used to make the DNS query (such as https).                                                                                                 |

#### Identities

| Field                  | Description                                                                                                                                                                                                                  |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Email**              | Email address of the user who registered the Cloudflare One Client where traffic originated from.                                                                                                                            |
| **User ID**            | UUID of the user. Each unique email address in your organization will have a UUID associated with it.                                                                                                                        |
| **Registration ID**    | UUID of the user's Cloudflare One Client registration. A unique registration ID is generated each time a device is registered for a particular email. The same physical device may have multiple registration IDs.           |
| **Device name**        | Display name of the device returned by the operating system to the Cloudflare One Client. Typically this is the hostname of a device. Not all devices will have a device name. Device names are not guaranteed to be unique. |
| **Device ID**          | UUID of the device connected with the Cloudflare One Client. Each physical device in your organization will have a UUID.                                                                                                     |
| **Last authenticated** | Date and time the user last authenticated their Zero Trust session.                                                                                                                                                          |

#### DNS query details

| Field                                      | Description                                                                                                                            |
| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------- |
| **Query ID**                               | UUID of the query assigned by Cloudflare.                                                                                              |
| **Query type**                             | Type of [DNS query ↗](https://en.wikipedia.org/wiki/List%5Fof%5FDNS%5Frecord%5Ftypes).                                                 |
| **Initial query domain categories**        | [Content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. |
| **Matched categories**                     | Names of the Gateway policy categories that match the domain.                                                                          |
| **Matched indicator feed names**           | Names of the indicator feeds that matched a Gateway policy.                                                                            |
| **Query indicator feed names**             | Names of the indicator feeds that the matched domain or IP belongs to.                                                                 |
| **Resolved continent IP geolocation**      | Continent code of the resolved IP address.                                                                                             |
| **Resolved country IP geolocation**        | Country code of the resolved IP address.                                                                                               |
| **DoT subdomain**                          | DoT subdomain of the DNS location.                                                                                                     |
| **Source IP**                              | Public source IP address of the DNS query.                                                                                             |
| **Source IP continent**                    | Continent code of the source IP address.                                                                                               |
| **Source IP country**                      | Country code of the source IP address.                                                                                                 |
| **Source internal IP**                     | Private IP address assigned by the user's local network.                                                                               |
| **Application name**                       | Name of the application that matched the domain.                                                                                       |
| **Resolver IP**                            | Public IP address of the DNS resolver.                                                                                                 |
| **Port**                                   | Port that was used to make the DNS query.                                                                                              |
| **Location ID**                            | ID of the DNS location where the query originated.                                                                                     |
| **Scheduling - Time zone**                 | Time zone of the DNS query source.                                                                                                     |
| **Scheduling - Time zone inferred method** | Method used to determine the DNS query source's time zone.                                                                             |

#### DNS response details

| Field                           | Description                                                                                |
| ------------------------------- | ------------------------------------------------------------------------------------------ |
| **Resolved CNAME categories**   | Content categories associated with the resolved CNAME records in the response.             |
| **Resolved IP categories**      | Content categories associated with the resolved IPs in the response.                       |
| **Resolved IPs**                | Resolved IPs in the response.                                                              |
| **Authoritative nameserver IP** | IP address of the authoritative nameserver answering the DNS query.                        |
| **EDE errors**                  | [Extended DNS error codes ↗](https://www.rfc-editor.org/rfc/rfc8914.html) in the response. |

#### Custom resolver

| Field                      | Description                                                  |
| -------------------------- | ------------------------------------------------------------ |
| **Address**                | Address of your custom resolver.                             |
| **Policy**                 | Name of the matched resolver policy.                         |
| **Response**               | Status of the custom resolver response.                      |
| **Time (in milliseconds)** | Duration of time it took for the custom resolver to respond. |

### Resolver decisions

| Name                   | Value | Description                                                 |
| ---------------------- | ----- | ----------------------------------------------------------- |
| blockedByCategory      | 3     | Domain or hostname matched a category in a Block policy.    |
| allowedOnNoLocation    | 4     | Allowed because query did not match a Gateway DNS location. |
| allowedOnNoPolicyMatch | 5     | Allowed because query did not match a policy.               |
| blockedAlwaysCategory  | 6     | Domain or hostname is always blocked by Cloudflare.         |
| overrideForSafeSearch  | 7     | Response was overridden by a Safe Search policy.            |
| overrideApplied        | 8     | Response was overridden by an Override policy.              |
| blockedRule            | 9     | IP address in the response matched a Block policy.          |
| allowedRule            | 10    | IP address in the response matched an Allow policy.         |
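The following added example, not code from the Cloudflare documentation, shows how an investigation script should read DNS log records given two points from the tables above: **Source IP** holds the NAT'd public address, so the querying host is only identifiable from **Source internal IP**; and queries from a non-identity on-ramp carry `non_identity@<team-domain>.cloudflareaccess.com` rather than a user, so they can only be attributed by address. It lists blocked queries with the strongest attribution available and shows how many internal hosts hide behind each public address. It assumes records keyed by the dashboard field names above with **Resolver decision** as the numeric code from the table; real Logpush field names differ. The records, team name and identifiers are constructed.

```python
"""
Added example (not from the Cloudflare docs): attribute blocked Gateway DNS
queries to the user, device and host that issued them, respecting the NAT
and non-identity caveats described on this page.

Assumptions (not stated on the page): records are dicts keyed by the
dashboard field names from the tables above, with "Resolver decision" as
the numeric code from the resolver decisions table; real Logpush field
names differ. The records below are constructed.
"""
from collections import defaultdict

# Codes from the resolver decisions table above.
RESOLVER_DECISIONS = {
    3: "blockedByCategory",
    4: "allowedOnNoLocation",
    5: "allowedOnNoPolicyMatch",
    6: "blockedAlwaysCategory",
    7: "overrideForSafeSearch",
    8: "overrideApplied",
    9: "blockedRule",
    10: "allowedRule",
}

# Constructed records. Two hosts share the public address 203.0.113.5
# because they sit behind the same NAT gateway.
SAMPLE_DNS_LOGS = [
    {"Query name": "malware.example", "Action": "Block", "Resolver decision": 3,
     "Email": "alice@example.com", "Device ID": "8a5d4c62-0000-4000-8000-000000000001",
     "Source IP": "203.0.113.5", "Source internal IP": "192.168.1.20"},
    {"Query name": "phish.example", "Action": "Block", "Resolver decision": 6,
     "Email": "non_identity@example.cloudflareaccess.com", "Device ID": "",
     "Source IP": "203.0.113.5", "Source internal IP": "192.168.1.44"},
    {"Query name": "intranet.example", "Action": "Allow", "Resolver decision": 5,
     "Email": "alice@example.com", "Device ID": "8a5d4c62-0000-4000-8000-000000000001",
     "Source IP": "203.0.113.5", "Source internal IP": "192.168.1.20"},
    {"Query name": "c2.example", "Action": "Block", "Resolver decision": 9,
     "Email": "non_identity@example.cloudflareaccess.com", "Device ID": "",
     "Source IP": "198.51.100.2", "Source internal IP": "10.1.1.9"},
]


def decision_name(code):
    """Human-readable resolver decision; unknown codes stay visible."""
    return RESOLVER_DECISIONS.get(code, "unknown(%s)" % code)


def has_identity(rec):
    """False for proxy endpoints, service tokens and other non-identity on-ramps."""
    return not (rec.get("Email") or "").startswith("non_identity@")


def attribution(rec):
    """Strongest attribution available for a record.

    Identity traffic: the user and the device registration that sent it.
    Non-identity traffic: only the (public, internal) address pair, which is
    why Source internal IP rather than Source IP is the field to pivot on.
    """
    base = {"internal_ip": rec.get("Source internal IP"),
            "public_ip": rec.get("Source IP")}
    if has_identity(rec):
        base.update(user=rec["Email"], device_id=rec.get("Device ID") or None)
    else:
        base.update(user=None, device_id=None)
    return base


def blocked_queries(records):
    """One triage row per blocked query, in log order."""
    rows = []
    for rec in records:
        if rec.get("Action") != "Block":
            continue
        row = attribution(rec)
        row["query"] = rec.get("Query name")
        row["decision"] = decision_name(rec.get("Resolver decision"))
        rows.append(row)
    return rows


def hosts_behind_egress(records):
    """Map each public Source IP to the sorted internal IPs seen behind it.
    More than one member shows why Source IP alone cannot name the host."""
    hosts = defaultdict(set)
    for rec in records:
        hosts[rec.get("Source IP")].add(rec.get("Source internal IP"))
    return {k: sorted(v) for k, v in hosts.items()}


if __name__ == "__main__":
    for row in blocked_queries(SAMPLE_DNS_LOGS):
        print(row)
    print(hosts_behind_egress(SAMPLE_DNS_LOGS))
```

For the non-identity rows the internal address is the only handle on the host, so the script keeps it alongside the public address rather than collapsing both into one "source" column.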

## Network logs

Failed connection logs

Gateway only logs TCP connections that were successfully established. If the handshake does not complete (for example, a TCP SYN that never receives a SYN-ACK), Gateway does not record the attempt in network logs.

To log failed connections, use [network session logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/). These logs are available for Enterprise users via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) or [GraphQL](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/#graphql-queries).

### Explanation of the fields

#### Basic information

| Field                  | Description                                                                                                                                                                        |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Source IP**          | IP address of the user sending the packet.                                                                                                                                         |
| **Source Internal IP** | Private IP address assigned by the user's local network.                                                                                                                           |
| **Destination IP**     | IP address of the packet's target.                                                                                                                                                 |
| **Action**             | The Gateway [Action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
| **Session ID**         | ID of the unique session.                                                                                                                                                          |
| **Time**               | Date and time of the session.                                                                                                                                                      |

#### Matched policies

| Field                  | Description                                                                                                                                                   |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **DNS location**       | [User-configured location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) from where the DNS query was made. |
| **Policy name**        | Name of the matched policy.                                                                                                                                   |
| **Policy ID**          | ID of the policy enforcing the decision Gateway made.                                                                                                         |
| **Policy description** | Description of the matched policy.                                                                                                                            |

#### Identities

| Field                  | Description                                                                                     |
| ---------------------- | ----------------------------------------------------------------------------------------------- |
| **Email**              | Email address of the user sending the packet. This is generated by the Cloudflare One Client.   |
| **User ID**            | ID of the user sending the packet. This is generated by the Cloudflare One Client.              |
| **Registration ID**    | ID of the user's device registration. This is generated by the Cloudflare One Client.           |
| **Device name**        | Name of the device that sent the packet.                                                        |
| **Device ID**          | ID of the physical device that sent the packet. This is generated by the Cloudflare One Client. |
| **Last authenticated** | Date and time the user last authenticated with Zero Trust.                                      |

#### Network query details

| Field                        | Description                                                                                                                                                                                 |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Source IP**                | IP address of the user sending the packet.                                                                                                                                                  |
| **Source port**              | Source port number for the packet.                                                                                                                                                          |
| **Source country**           | Country code for the packet source.                                                                                                                                                         |
| **Source IP continent**      | Continent code of the source IP address.                                                                                                                                                    |
| **Source IP country**        | Country code of the source IP address.                                                                                                                                                      |
| **Destination IP**           | IP address of the packet's target.                                                                                                                                                          |
| **Destination port**         | Destination port number for the packet.                                                                                                                                                     |
| **Destination IP continent** | Continent code of the IP address for the packet's destination.                                                                                                                              |
| **Destination IP country**   | Country code of the IP address for the packet's destination.                                                                                                                                |
| **Transport protocol**       | Protocol over which the packet was sent.                                                                                                                                                    |
| **Detected Protocol**        | The detected [network protocol](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/).                                                    |
| **SNI**                      | Host whose Server Name Indication (SNI) header Gateway will filter traffic against.                                                                                                         |
| **Virtual Network**          | [Virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. |
| **Category details**         | Category or categories associated with the packet.                                                                                                                                          |
| **Proxy endpoint**           | [PAC file proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) Gateway forwarded traffic to, if applicable.                    |
| **Application ID**           | ID of the application that matched the domain.                                                                                                                                              |
| **Application name**         | Name of the application that matched the domain.                                                                                                                                            |

## HTTP logs

Note

Gateway does not log HTTP bodies. The exception is error requests: when an HTTP request results in an error, Gateway logs the first 512 bytes of the request for 30 days for internal troubleshooting.

### Explanation of the fields

#### Basic information

| Field                        | Description                                                                                                                                                                                                                                                      |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Host**                     | Hostname in the HTTP header for the HTTP request. Gateway will log the SNI in this field if it responded to the request with a Do Not Inspect action. If Gateway does not receive the SNI, this field will be empty.                                             |
| **Email**                    | Email address of the user who made the HTTP request. This is generated by the Cloudflare One Client.                                                                                                                                                             |
| **Action**                   | The Gateway [Action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block).                                                                               |
| **Request ID**               | Unique ID of the request.                                                                                                                                                                                                                                        |
| **Time**                     | Date and time of the HTTP request.                                                                                                                                                                                                                               |
| **Source internal IP**       | Private IP address assigned by the user's local network.                                                                                                                                                                                                         |
| **User agent**               | User agent header sent in the request by the originating device.                                                                                                                                                                                                 |
| **Policy details**           | Policy corresponding to the decision Gateway made based on the traffic criteria of the request.                                                                                                                                                                  |
| **DLP profiles**             | Name of the matched [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/).                                                                                                                                          |
| **DLP profile entries**      | Name of the matched entry within the DLP profile.                                                                                                                                                                                                                |
| **Uploaded/downloaded file** | Information about the file transferred in the request found by [enhanced file detection](#enhanced-file-detection). Details include: file name, file type, file size, file hash (for Allowed requests only), content type, direction (Upload/Download), and action (Block/Allow). |

#### Matched policies

| Field                     | Description                                                                                                                                                   |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **DNS location**          | [User-configured location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) from where the DNS query was made. |
| **Policy name**           | Name of the matched policy.                                                                                                                                   |
| **Policy ID**             | ID of the matched policy.                                                                                                                                     |
| **Policy description**    | Description of the matched policy.                                                                                                                            |
| **Matched category ID**   | ID of the category matched in the policy.                                                                                                                     |
| **Matched category name** | Name of the category matched in the policy.                                                                                                                   |

#### Identities

| Field                  | Description                                                                                                                             |
| ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| **Email**              | Email address of the user who made the HTTP request. This is generated by the Cloudflare One Client.                                    |
| **User ID**            | ID of the user who made the request. This is generated by the Cloudflare One Client.                                                    |
| **Registration ID**    | ID of the user's device registration. This is generated by the Cloudflare One Client.                                                   |
| **Device name**        | Name of the device that made the request.                                                                                               |
| **Device ID**          | ID of the physical device that made the request. This is generated by the Cloudflare One Client on the device that created the request. |
| **Last authenticated** | Date and time the user last authenticated with Zero Trust.                                                                              |

#### HTTP query details

| Field                        | Description                                                                                                                                                                                 |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **HTTP Version**             | HTTP version of the origin that Gateway connected to on behalf of the user.                                                                                                                 |
| **HTTP Method**              | HTTP method used for the request (such as GET or POST).                                                                                                                                     |
| **HTTP Status Code**         | [HTTP status code](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/) returned in the response.                                                                  |
| **URL**                      | Full URL of the HTTP request.                                                                                                                                                               |
| **Referer**                  | Referer request header containing the address of the page making the request.                                                                                                               |
| **Source IP**                | Public source IP address of the HTTP request.                                                                                                                                               |
| **Source Port**              | Port that was used to make the HTTP request.                                                                                                                                                |
| **Source IP continent**      | Continent code of the HTTP request.                                                                                                                                                         |
| **Source IP country**        | Country code of the HTTP request.                                                                                                                                                           |
| **Destination IP**           | Public IP address of the destination requested.                                                                                                                                             |
| **Destination Port**         | Port of the destination requested.                                                                                                                                                          |
| **Destination IP continent** | Continent code of the destination requested.                                                                                                                                                |
| **Destination IP country**   | Country code of the destination requested.                                                                                                                                                  |
| **Blocked file reason**      | Reason why the file was blocked if a file transfer occurred or was attempted.                                                                                                               |
| **Category details**         | Detailed information on the category the blocked file belongs to.                                                                                                                           |
| **Application ID**           | ID of the application that matched the domain.                                                                                                                                              |
| **Application name**         | Name of the application that matched the domain.                                                                                                                                            |
| **Categories**               | [Content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to.                                                      |
| **Proxy endpoint**           | [PAC file proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) Gateway forwarded traffic to, if applicable.                    |
| **Virtual Network**          | [Virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. |
| **Sandbox scanned**          | Status of the [file quarantine](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/).                                                          |

#### File detection details

| Field            | Description                                        |
| ---------------- | -------------------------------------------------- |
| **Name**         | Name of the detected file.                         |
| **Type**         | File type of the detected file.                    |
| **Size**         | Size of the detected file.                         |
| **Hash**         | Hash of the detected file, generated by DLP.       |
| **Content type** | MIME type of the detected file.                    |
| **Direction**    | Upload or download direction of the detected file. |
| **Action**       | The Action Gateway applied to the request.         |

### Enhanced file detection

Enhanced file detection is an optional feature that extracts more file information from HTTP traffic. When turned on, Gateway reads file information from the HTTP body rather than the HTTP headers, providing greater accuracy and reliability. This feature may have a minor impact on performance for file-heavy organizations.

To turn on enhanced file detection:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection settings**, turn on **Inspect HTTPS requests with TLS decryption**.
3. In **Policy settings**, turn on **Allow enhanced file detection**.

### Isolate requests

When a user creates an [isolation policy](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/), Gateway logs isolation-related requests in two stages:

1. **Initial request** — The request that triggers isolation is logged with an Isolate action. Because this request is not yet isolated, the `is_isolated` field returns `false`.
2. **Subsequent requests** — After Zero Trust returns the result to the user in an isolated browser, Gateway logs all subsequent requests in the isolated browser with the action (such as Allow or Block), and the `is_isolated` field returns `true`.
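The two-stage logging above means an isolated session is reconstructed from user and time ordering alone. This added example (not Cloudflare's code) correlates the stages over constructed sample records; the lowercase field names (`action`, `is_isolated`, `url`) are an assumption modelled on the page's naming, so map them to your export's names if they differ.

```python
"""Correlate the two logging stages of a Gateway Isolate action.

Stage 1: the triggering request is logged with the Isolate action and
is_isolated == false. Stage 2: every request made from inside the isolated
browser is logged with its own action (Allow, Block, ...) and
is_isolated == true. Added example, not Cloudflare's code; the records are
constructed and the field names are assumptions based on the page.
"""
import json
from collections import defaultdict

# Constructed sample log (one JSON object per line), not real Gateway output.
SAMPLE_LOG = """
{"time":"2024-05-01T10:00:00Z","email":"a@example.com","action":"isolate","is_isolated":false,"url":"https://docs.example.net/"}
{"time":"2024-05-01T10:00:01Z","email":"a@example.com","action":"allow","is_isolated":true,"url":"https://docs.example.net/"}
{"time":"2024-05-01T10:00:02Z","email":"a@example.com","action":"allow","is_isolated":true,"url":"https://cdn.example.net/app.js"}
{"time":"2024-05-01T10:00:05Z","email":"a@example.com","action":"block","is_isolated":true,"url":"https://files.example.net/report.xlsx"}
{"time":"2024-05-01T10:01:00Z","email":"b@example.com","action":"allow","is_isolated":false,"url":"https://intranet.example.com/"}
{"time":"2024-05-01T10:02:00Z","email":"c@example.com","action":"allow","is_isolated":true,"url":"https://docs.example.net/"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_isolation(records):
    """Per user: how many Isolate triggers were logged, how many requests ran
    inside the isolated browser, and which of those were blocked there.
    The stages are tied together only by user and time ordering, because the
    fields on the page carry no isolation session identifier."""
    summary = defaultdict(lambda: {"isolate_triggers": 0,
                                   "isolated_requests": 0,
                                   "isolated_blocks": []})
    for rec in sorted(records, key=lambda r: r["time"]):
        entry = summary[rec["email"]]
        action = rec["action"].lower()
        if action == "isolate" and not rec["is_isolated"]:
            entry["isolate_triggers"] += 1          # stage 1: not yet isolated
        elif rec["is_isolated"]:
            entry["isolated_requests"] += 1         # stage 2: inside the isolated browser
            if action == "block":
                entry["isolated_blocks"].append(rec["url"])
    return dict(summary)


def isolated_without_trigger(records):
    """Users whose is_isolated=true traffic has no preceding Isolate action in
    this batch. Most often the trigger predates the exported window; if it
    never appears at all, review the isolation policy's logging settings."""
    seen_trigger = set()
    orphaned = []
    for rec in sorted(records, key=lambda r: r["time"]):
        user = rec["email"]
        if rec["action"].lower() == "isolate" and not rec["is_isolated"]:
            seen_trigger.add(user)
        elif rec["is_isolated"] and user not in seen_trigger and user not in orphaned:
            orphaned.append(user)
    return orphaned


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, stats in summarize_isolation(recs).items():
        print(user, stats)
    print("isolated traffic without a logged trigger:", isolated_without_trigger(recs))
```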

## Limitations

If a connection closes before Gateway inspects and filters the traffic, Gateway logs the event with an Unknown action.

Gateway activity logs are not available in the dashboard if you turn on the [Customer Metadata Boundary (CMB)](https://developers.cloudflare.com/data-localization/metadata-boundary/) within Cloudflare Data Localization Suite (DLS). CMB restricts where customer traffic metadata and logs are stored by region. Enterprise users with CMB turned on can still export logs via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). For more information, refer to [DLS product compatibility](https://developers.cloudflare.com/data-localization/compatibility/#zero-trust).


---

---
title: Manage PII
description: How Manage PII works in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Manage PII

Cloudflare Gateway gives you multiple ways to safely handle your employees' personally identifiable information (PII) in activity logs:

* **Redact PII** (default) — PII is stored in logs but hidden from view. Only the Super Administrator and users with the [Cloudflare Zero Trust PII role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) can view redacted PII. The underlying data is preserved — redaction only controls who can see it.
* **[Exclude PII](#exclude-pii)** — PII is not stored in logs at all. No user, including the Super Administrator, can retrieve it.

Only the Super Administrator can assign roles and determine who has permission to view PII. To add or remove the Cloudflare Zero Trust PII role for a user in your organization, refer to [Roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

## Types of PII

Cloudflare Gateway can log the following types of PII:

* Source IP
* User email
* User ID
* Device ID
* URL
* Referer
* User agent

## Exclude PII

When you exclude PII, Gateway logs activity without storing any employee PII. This differs from the default redaction behavior — excluded PII is not stored and cannot be retrieved by any role, including the Super Administrator.

Warning

Excluding PII is irreversible for the period it is active. If you turn on this setting and later turn it off, logs captured while the setting was on will permanently lack PII data.

Changes to this setting do not affect PII already stored in previous logs.

To turn on the setting to exclude PII:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Traffic settings**.
2. In **Traffic logging**, turn on **Exclude personally identifiable information (PII) from logs**.


---

---
title: Posture logs
description: Monitor the results of device posture checks performed on your users' devices.
image: https://developers.cloudflare.com/zt-preview.png
---


# Posture logs

Posture logs show the results of [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) — security requirements such as OS version, disk encryption, or endpoint protection status — reported by the Cloudflare One Client. Use these logs to identify which devices are passing or failing your organization's posture requirements and to troubleshoot individual check results.

To view device posture logs, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** \> **Logs** \> **Posture logs**. Logs will only display if you have configured [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) for your Zero Trust organization.

Enterprise users can generate more detailed logs with [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

## Explanation of the fields

### Device details

| Field             | Description                                                                              |
| ----------------- | ---------------------------------------------------------------------------------------- |
| **Name**          | Display name of the device as reported by the operating system (typically the hostname). |
| **ID**            | Device ID generated by the Cloudflare One Client.                                        |
| **Serial number** | Serial number of the device.                                                             |
| **Manufacturer**  | Manufacturer of the device (for example, Dell, Apple, Lenovo).                           |
| **Model**         | Model of the device (for example, MacBook Pro, ThinkPad X1).                             |

### User details

| Field               | Description                                                                                                                                                                                                                    |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Email**           | Email used to register the device with Zero Trust.                                                                                                                                                                             |
| **User ID**         | Unique identifier (UUID) of the user who registered the device.                                                                                                                                                                |
| **Registration ID** | UUID of the user's Cloudflare One Client registration. A unique registration ID is generated each time a device is registered. The same physical device may have multiple registration IDs if multiple users share the device. |

### Posture details

| Field               | Description                                                                                                                                                                                                                                                                                                                                          |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Name**            | Name of the [device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).                                                                                                                                                                                                                            |
| **Type**            | Whether the check is a [Cloudflare One Client check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/) (evaluated locally on the device) or a [service provider check](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/) (evaluated by a third-party integration). |
| **Rule ID**         | UUID of the device posture check.                                                                                                                                                                                                                                                                                                                    |
| **Conditions met**  | Whether the device passed or failed the posture check criteria. Evaluates to true if the **Received values** match the **Expected values**.                                                                                                                                                                                                          |
| **Expected values** | Values required to pass the device posture check. Compare with **Received values** to diagnose why a device failed.                                                                                                                                                                                                                                  |
| **Received values** | Actual values detected on the device by the Cloudflare One Client or service provider.                                                                                                                                                                                                                                                               |
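The **Conditions met** field is the comparison of **Received values** against **Expected values**. This added example (not Cloudflare's code) performs that comparison over constructed posture entries and groups failures by physical device, since the page notes one device can carry several registration IDs; the field names and the key-by-key equality rule are assumptions.

```python
"""Evaluate posture log entries the way the Conditions met field describes:
a check passes when the Received values match the Expected values.

Added example, not Cloudflare's code. The entries are constructed, the field
names are assumptions modelled on the table above, and "match" is implemented
as key-by-key equality (an assumption; real checks may apply operators such
as minimum versions).
"""
from collections import defaultdict

# Constructed sample: one shared device with two registrations, plus one other device.
SAMPLE_ENTRIES = [
    {"device_id": "dev-1", "registration_id": "reg-1a", "email": "a@example.com",
     "check_name": "Disk encryption", "rule_id": "rule-disk",
     "expected_values": {"encrypted": True}, "received_values": {"encrypted": True}},
    {"device_id": "dev-1", "registration_id": "reg-1b", "email": "b@example.com",
     "check_name": "Disk encryption", "rule_id": "rule-disk",
     "expected_values": {"encrypted": True}, "received_values": {"encrypted": False}},
    {"device_id": "dev-2", "registration_id": "reg-2", "email": "c@example.com",
     "check_name": "OS version", "rule_id": "rule-os",
     "expected_values": {"version": "14.4"}, "received_values": {"version": "14.2"}},
    {"device_id": "dev-2", "registration_id": "reg-2", "email": "c@example.com",
     "check_name": "Firewall", "rule_id": "rule-fw",
     "expected_values": {"enabled": True}, "received_values": {}},
]


def conditions_met(expected, received):
    """True only if every expected key is present in received with an equal value."""
    return all(key in received and received[key] == value
               for key, value in expected.items())


def diff_values(expected, received):
    """Expected keys that did not match; a value the client never reported shows as None."""
    return {key: {"expected": value, "received": received.get(key)}
            for key, value in expected.items()
            if key not in received or received[key] != value}


def failing_checks(entries):
    """Group failures by physical device rather than by registration, so a
    shared device is reported once, with the registration that failed."""
    failures = defaultdict(list)
    for e in entries:
        if not conditions_met(e["expected_values"], e["received_values"]):
            failures[e["device_id"]].append({
                "check": e["check_name"],
                "rule_id": e["rule_id"],
                "registration_id": e["registration_id"],
                "email": e["email"],
                "diff": diff_values(e["expected_values"], e["received_values"]),
            })
    return dict(failures)


if __name__ == "__main__":
    for device, checks in failing_checks(SAMPLE_ENTRIES).items():
        for c in checks:
            print(device, c["registration_id"], c["check"], c["diff"])
```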


---

---
title: SCIM provisioning logs
description: Reference information for SCIM provisioning logs in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# SCIM provisioning logs

SCIM (System for Cross-domain Identity Management) activity logs allow administrators to audit how [SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors.

## View SCIM logs

For an overview of SCIM events across all users, log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Insights** \> **Logs** \> **SCIM provisioning logs**. This page lists the inbound SCIM requests that your identity providers have sent to Cloudflare. You can select an individual request to view more details about the SCIM operation.

To investigate how SCIM events impacted a specific user, go to their [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/). View their last seen identity and group memberships, and track how their identity has changed over time.

Note

New users must first [register the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin.

## Log fields

SCIM provisioning logs show the following information for each inbound SCIM request:

* **IdP name**: Name of the identity provider that sent the request
* **Timestamp**: Date and time of the request
* **Action**: HTTP request method (`POST`, `PUT`, `PATCH`, `DELETE`). `POST` indicates a resource was created, `PUT` indicates a full resource replacement, `PATCH` indicates a partial update, and `DELETE` indicates a resource was removed.
* **User email**: User who received the SCIM identity update
* **Group name**: Group that received the SCIM identity update
* **Resource type**: Whether the request modified a group or a user (`GROUP` or `USER`)
* **CF resource ID**: Persistent identifier for the user or group created by Cloudflare SCIM. Use this ID to look up the resource in Zero Trust.
* **IDP resource ID**: Identifier for the user or group provided by the identity provider. Use this ID to match the log entry with the corresponding record in your identity provider.
* **Outcome**: Whether the SCIM request was applied successfully (`SUCCESS` or `ERROR`)
* **Request body**: HTTP request body containing the data that was added, modified, or removed
* **JSON log**: SCIM request log in JSON format
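The page suggests comparing these logs with the identity provider's own SCIM log to locate where a provisioning error originated. This added example (not Cloudflare's code) does that over two constructed log sets, matching on the **IDP resource ID** both sides share; the lowercase keys and the IdP-side record layout are assumptions.

```python
"""Audit Zero Trust SCIM provisioning logs and reconcile them with the identity
provider's SCIM log to separate two failure classes: requests Cloudflare
received but could not apply (Outcome ERROR) and requests the IdP sent that
never show up on the Cloudflare side at all. Added example, not Cloudflare's
code; both log sets are constructed and the keys are assumptions modelled on
the field list above.
"""
from collections import Counter, defaultdict

# Meaning of the Action field as the page describes it.
ACTION_MEANING = {
    "POST": "created",
    "PUT": "replaced",
    "PATCH": "partially updated",
    "DELETE": "removed",
}

# Constructed: what Zero Trust logged for inbound SCIM requests.
ZT_LOG = [
    {"idp_name": "Okta", "timestamp": "2024-05-01T09:00:00Z", "action": "POST",
     "resource_type": "USER", "user_email": "a@example.com", "group_name": None,
     "cf_resource_id": "cf-u1", "idp_resource_id": "idp-u1", "outcome": "SUCCESS"},
    {"idp_name": "Okta", "timestamp": "2024-05-01T09:05:00Z", "action": "PATCH",
     "resource_type": "GROUP", "user_email": None, "group_name": "engineering",
     "cf_resource_id": "cf-g1", "idp_resource_id": "idp-g1", "outcome": "ERROR"},
    {"idp_name": "Okta", "timestamp": "2024-05-01T09:10:00Z", "action": "DELETE",
     "resource_type": "USER", "user_email": "b@example.com", "group_name": None,
     "cf_resource_id": "cf-u2", "idp_resource_id": "idp-u2", "outcome": "SUCCESS"},
]

# Constructed: what the identity provider says it sent. A real IdP export has
# its own format; normalise it to these keys before reconciling.
IDP_LOG = [
    {"timestamp": "2024-05-01T09:00:00Z", "action": "POST", "idp_resource_id": "idp-u1"},
    {"timestamp": "2024-05-01T09:05:00Z", "action": "PATCH", "idp_resource_id": "idp-g1"},
    {"timestamp": "2024-05-01T09:10:00Z", "action": "DELETE", "idp_resource_id": "idp-u2"},
    {"timestamp": "2024-05-01T09:15:00Z", "action": "PUT", "idp_resource_id": "idp-u1"},
]


def describe(entry):
    """One-line human-readable summary of a Zero Trust SCIM log entry."""
    target = entry["user_email"] if entry["resource_type"] == "USER" else entry["group_name"]
    verb = ACTION_MEANING.get(entry["action"], entry["action"])
    return f'{entry["timestamp"]} {entry["idp_name"]}: {entry["resource_type"]} {target} {verb} ({entry["outcome"]})'


def failed_requests(zt_log):
    """Requests Cloudflare received but could not apply: investigate on the Zero Trust side."""
    return [e for e in zt_log if e["outcome"] == "ERROR"]


def missing_on_cloudflare(zt_log, idp_log):
    """Requests the IdP claims it sent that never appear in the Zero Trust log,
    not even as an ERROR. Matching is on (IDP resource ID, action) so clock
    skew between the two systems does not produce false mismatches; each
    Cloudflare entry is consumed once, so a duplicate send is still reported."""
    available = Counter((e["idp_resource_id"], e["action"]) for e in zt_log)
    missing = []
    for e in idp_log:
        key = (e["idp_resource_id"], e["action"])
        if available[key] > 0:
            available[key] -= 1
        else:
            missing.append(e)
    return missing


def history_by_idp_id(zt_log):
    """Timeline of every change to a resource, keyed by the identity provider's ID."""
    history = defaultdict(list)
    for e in sorted(zt_log, key=lambda e: e["timestamp"]):
        history[e["idp_resource_id"]].append((e["timestamp"], e["action"], e["outcome"]))
    return dict(history)


if __name__ == "__main__":
    for e in failed_requests(ZT_LOG):
        print("failed at Cloudflare:", describe(e))
    for e in missing_on_cloudflare(ZT_LOG, IDP_LOG):
        print("never reached Cloudflare:", e)
```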


---

---
title: SSH command logs
description: Review SSH commands a user ran on a target.
image: https://developers.cloudflare.com/zt-preview.png
---


# SSH command logs

SSH command logs record the commands that users run on infrastructure targets protected by [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). Use these logs to audit user activity on your SSH servers and investigate specific sessions.

To view SSH command logs, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** \> **Logs** \> **SSH command logs**.

## Prerequisites

To generate SSH command logs, you must:

1. Set up [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) for your SSH servers.
2. [Enable SSH command logging](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) by uploading an encryption public key. Cloudflare uses this key to encrypt your logs so that only you can read their contents.

## View SSH logs

SSH command logs displayed in the dashboard are encrypted using the public key you provided during setup. The logs are not readable in the dashboard — you must download and decrypt them locally. To view the contents of the logs:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Logs** \> **SSH command logs**.
2. Filter the logs using the name of your SSH application.
3. Select the SSH session for which you want to export command logs.
4. In the side panel, scroll down to **SSH logs** and select **Download**.
5. Decrypt the log using the [SSH Logging CLI ↗](https://github.com/cloudflare/ssh-log-cli/) and the private key that corresponds to the public key you uploaded.

## Log fields

| Field                       | Description                                                                                                                                                                                                                                                                                                                                                                                                                |
| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Session ID**              | Unique identifier for the SSH session.                                                                                                                                                                                                                                                                                                                                                                                     |
| **User email**              | Email address of the user who initiated the SSH session.                                                                                                                                                                                                                                                                                                                                                                   |
| **Target ID**               | Identifier of the infrastructure target being accessed. Corresponds to the target you configured in Access for Infrastructure.                                                                                                                                                                                                                                                                                             |
| **Client address**          | Source IP address of the SSH connection.                                                                                                                                                                                                                                                                                                                                                                                   |
| **Server address**          | Destination IP address of the SSH server.                                                                                                                                                                                                                                                                                                                                                                                  |
| **Session start datetime**  | Timestamp when the SSH session started.                                                                                                                                                                                                                                                                                                                                                                                    |
| **Session finish datetime** | Timestamp when the SSH session ended.                                                                                                                                                                                                                                                                                                                                                                                      |
| **Program type**            | Type of SSH program: shell (interactive terminal), exec (single command execution), x11, direct-tcpip, or forwarded-tcpip. Note that x11, direct-tcpip, and forwarded-tcpip correspond to SSH features that are [not currently supported](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#known-limitations) by Access for Infrastructure. |
| **Payload**                 | Captured request/response data in [asciicast v2 ↗](https://docs.asciinema.org/manual/asciicast/v2/) format, a structured terminal recording format. Includes commands for exec programs.                                                                                                                                                                                                                                   |
| **Error**                   | SSH error message, if an error occurred during the session.                                                                                                                                                                                                                                                                                                                                                                |

## Export SSH logs with Logpush

Enterprise users can export SSH command logs to external storage or analysis destinations using [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). Unlike dashboard logs, Logpush payloads are not encrypted with a customer-provided public key — secure access to your storage destination accordingly.

For a list of all available fields, refer to [SSH Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/).


---

---
title: Tunnel audit logs
description: Review Cloudflare Tunnel connection events.
image: https://developers.cloudflare.com/zt-preview.png
---


# Tunnel audit logs

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) creates outbound-only connections between your infrastructure and Cloudflare. Tunnel audit logs record when these connections start, stop, or register new DNS records.

Audit logs for Tunnel are available in the [account section of the Cloudflare dashboard ↗](https://dash.cloudflare.com/?account=audit-log), which you can find by selecting your name or email in the upper right-hand corner of the dashboard. For general audit log features such as filtering and retention, refer to [Audit Logs](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/). The following actions are logged:

| Action       | Description                                                                                                |
| ------------ | ---------------------------------------------------------------------------------------------------------- |
| Registered   | A tunnel connector (cloudflared) started and connected to Cloudflare's global network.                     |
| Unregistered | A tunnel connector disconnected from Cloudflare's global network.                                          |
| CNAME add    | A tunnel registered a new DNS record (CNAME or AAAA) to route traffic to an application behind the tunnel. |


---

---
title: Logpush integration
description: Logpush integration in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Logpush integration

 Enterprise-only 

With Cloudflare's [Logpush](https://developers.cloudflare.com/logs/logpush/) service, you can configure the automatic export of Zero Trust logs — including DNS queries, HTTP requests, device posture checks, and other events generated by Cloudflare One services — to third-party storage destinations or to third-party security information and event management (SIEM) solutions. Once exported, your team can analyze and audit the data as needed.

## Export Zero Trust logs with Logpush

To configure Logpush for Zero Trust logs:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Logs**.
2. Select **Manage Logpush**.
3. In Logpush, select **Create a Logpush job**. A Logpush job defines which dataset to export and where to send it.
4. Choose a [Logpush destination](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/).
5. Follow the service-specific instructions to configure and validate your destination.
6. Choose the [Zero Trust datasets](#zero-trust-datasets) to export.
7. Enter a **Job name**, any [filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/) you would like to add to narrow which logs are included (for example, only logs from a specific user or action), and the data fields you want to include in the logs.
8. (Optional) In **Advanced settings**, choose the timestamp format you prefer and whether you want to turn on log sampling. Log sampling delivers a randomly-sampled subset of logs rather than every event, which can reduce storage volume for high-traffic datasets.
9. Select **Submit**.

The setup of your Logpush integration is now complete. Logpush will begin delivering logs in batches to your selected destination. You can configure multiple destinations and add additional fields to your logs by returning to the **Logpush** page.

For more information on supported destinations, refer to [Enable destinations](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/).

## Zero Trust datasets

Logpush supports all [dashboard logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/) as well as additional datasets not available in the Cloudflare One dashboard. Refer to [Logpush datasets](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/) for a list of all available fields.

| Dataset                                                                                                                                           | Description                                                                                                                                                                                             |
| ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Access Requests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/access%5Frequests/)                                 | HTTP requests to sites protected by Cloudflare Access                                                                                                                                                   |
| [Audit Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/audit%5Flogs/)                                           | Authentication events through Cloudflare Access                                                                                                                                                         |
| [Browser Isolation User Actions](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/biso%5Fuser%5Factions/)              | Data transfer actions performed by a user in the remote browser, such as copy, paste, and download events                                                                                               |
| [CASB Findings](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/casb%5Ffindings/)                                     | Security issues detected by Cloudflare's Cloud Access Security Broker (CASB)                                                                                                                            |
| [Device Posture Results](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/device%5Fposture%5Fresults/)                 | Device posture status from the Cloudflare One Client                                                                                                                                                    |
| [DEX Application Tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/)                   | Digital Experience Monitoring (DEX) automated connectivity check results from the Cloudflare One Client                                                                                                 |
| [DEX Device State Events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fdevice%5Fstate%5Fevents/)             | Digital Experience Monitoring (DEX) device event data like connectivity, CPU usage, and Disk I/O from the Cloudflare One Client                                                                         |
| [Gateway DNS](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fdns/)                                         | DNS queries inspected by Cloudflare Gateway                                                                                                                                                             |
| [Gateway HTTP](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fhttp/)                                       | HTTP requests inspected by Cloudflare Gateway                                                                                                                                                           |
| [Gateway Network](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fnetwork/)                                 | Network packets inspected by Cloudflare Gateway                                                                                                                                                         |
| [MCP Portal Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/mcp%5Fportal%5Flogs/)                               | Requests made through [MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/)                                                                   |
| [SSH Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/)                                               | SSH command logs for [Access for Infrastructure targets](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/)               |
| [WARP Config Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Fconfig%5Fchanges/)                       | Event logs that Cloudflare generates whenever a device changes [profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) |
| [WARP Toggle Events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Ftoggle%5Fchanges/)                        | Event logs that Cloudflare generates whenever a device toggles the Cloudflare One Client on or off                                                                                                      |
| [Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/) | Network session logs for all traffic proxied through Cloudflare Gateway across all supported on-ramps                                                                                                   |

## Verify regional map application

If you are using [Regional Services](https://developers.cloudflare.com/data-localization/regional-services/) with Cloudflare One, you can configure which subset of Cloudflare data centers decrypt and route your traffic. This allows you to accommodate regional restrictions like GDPR or meet compliance requirements that include geographic restrictions on data flows or processing.

To verify that your regional map is being applied correctly, check the `IngressColoName` field in your [Zero Trust Network Session logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/#ingresscoloname). This field shows the name of the Cloudflare data center where traffic ingressed. Since regionalization is applied upstream from Gateway, the ingress data center will be located within your configured regional map, confirming that traffic is being processed in the correct region.

## Parse DNS logs

Logpush logs the following fields for each DNS query:

* Query name
* Query type
* Query class
* Response TTL
* Response data

Logpush provides DNS response data in two formats. `ResourceRecords` contains the raw DNS response in [Base64-encoded binary format ↗](https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.3), which is compact but requires decoding before it is human-readable. `ResourceRecordsJSON` contains the same data in JSON, with the record name, type, class, TTL, and response data already parsed. For example:

```json
{
  "ResourceRecords": [
    {
      "type": "5",
      "data": "d3d3LmV4YW1wbGUuY29tAAABAAUAAABleGFtcGxlLmNvbQ=="
    },
    {
      "type": "1",
      "data": "ZXhhbXBsZS5jb20AAAEAAQAAAQIDBAUGBwgJ"
    }
  ],
  "ResourceRecordsJSON": "[{\"name\":\"www.example.com\",\"type\":\"CNAME\",\"class\":\"IN\",\"ttl\":300,\"rdata\":\"example.com.\"},{\"name\":\"example.com\",\"type\":\"A\",\"class\":\"IN\",\"ttl\":300,\"rdata\":\"203.0.113.0\"}]"
}
```
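Handling both encodings of one DNS event, as an added Python example that is not Cloudflare's code: the log line is constructed from the record above, the `QueryName` field is assumed to be present in the Gateway DNS dataset, and the numeric record types are the RFC 1035 values. It decodes the double-encoded `ResourceRecordsJSON`, Base64-decodes `ResourceRecords`, and cross-checks that the two agree before trusting the answer.

```python
import base64
import json

# Constructed Gateway DNS log line modelled on the record shown above; not a real export.
SAMPLE_LOG_LINE = json.dumps({
    "QueryName": "www.example.com",
    "ResourceRecords": [
        {"type": "5", "data": "d3d3LmV4YW1wbGUuY29tAAABAAUAAABleGFtcGxlLmNvbQ=="},
        {"type": "1", "data": "ZXhhbXBsZS5jb20AAAEAAQAAAQIDBAUGBwgJ"},
    ],
    "ResourceRecordsJSON": json.dumps([
        {"name": "www.example.com", "type": "CNAME", "class": "IN", "ttl": 300, "rdata": "example.com."},
        {"name": "example.com", "type": "A", "class": "IN", "ttl": 300, "rdata": "203.0.113.0"},
    ]),
})

# RFC 1035 numeric record types; the sample above uses 1 (A) and 5 (CNAME).
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def parse_dns_log(line: str) -> dict:
    """Return the answer section of one Logpush DNS event in a single, checked shape."""
    event = json.loads(line)

    # ResourceRecordsJSON is a JSON document stored inside a JSON string, so it is
    # decoded twice: once with the event, once on its own. Missing or null means no answer.
    parsed = json.loads(event.get("ResourceRecordsJSON") or "[]")

    # ResourceRecords carries the numeric type and the Base64 payload; decode the bytes
    # and map the type number so it can be compared with the parsed form.
    raw = []
    for rr in event.get("ResourceRecords") or []:
        rtype = int(rr["type"])
        raw.append({
            "type": RR_TYPES.get(rtype, f"TYPE{rtype}"),
            "bytes": base64.b64decode(rr["data"], validate=True),
        })

    # Both encodings describe the same answer section; a mismatch points to a truncated
    # or malformed export, so flag the event instead of acting on it.
    consistent = [r["type"] for r in raw] == [r["type"] for r in parsed]

    # Addresses the client actually received, and the CNAME hops that led to them.
    addresses = [r["rdata"] for r in parsed if r["type"] in ("A", "AAAA")]
    cname_chain = [r["rdata"] for r in parsed if r["type"] == "CNAME"]

    return {
        "query": event.get("QueryName"),
        "records": parsed,
        "raw": raw,
        "consistent": consistent,
        "addresses": addresses,
        "cname_chain": cname_chain,
    }


if __name__ == "__main__":
    result = parse_dns_log(SAMPLE_LOG_LINE)
    print(result["query"], "->", result["cname_chain"], "->", result["addresses"])
```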

## Additional Logpush guides

* [ Email security logs ](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/)
* [ IDS logs ](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/ids-logs/)
* [ Network Firewall log filters ](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/network-firewall-log-filters/)


---

---
title: Email security logs
description: Email security logs in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Email security logs

Email security allows you to configure Logpush to export two types of log data: detection logs (records of threats identified in email traffic) and user action logs (records of administrative actions taken via the API or the dashboard). Each log type requires separate configuration.

## Enable detection logs

Detection logs record each threat identified by Email security, including metadata such as the message sender, recipient, and detection verdict.

To enable detection logs, refer to [Enable destinations](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/). When configuring the Logpush job, select **Email security alerts** as the dataset.

## Enable user action logs

User action logs record all administrative actions taken via the [API](https://developers.cloudflare.com/api/resources/email%5Fsecurity/) or the dashboard.

Before you can enable user action logs for Email security, you must have a Logpush job configured for your storage destination. Refer to [Enable destinations](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/) to enable logs on destinations such as Cloudflare R2, HTTP, Amazon S3, and more.

Once you have configured your destination, you can set up user action logs:

1. In the Cloudflare dashboard, go to the **Logpush** page.  
   [ Go to **Logpush** ](https://dash.cloudflare.com/?to=/:account/logs)
2. Select your storage destination.
3. Select the three dots \> **Edit**.
4. Under **Configure logpush job**:
   * **Job name**: Enter the job name, if it is not already prepopulated.
   * **If logs match** \> Select **Filtered logs** to capture only Email security events:
     * **Field**: Choose `ResourceType` (the type of resource that was changed).
     * **Operator**: Choose `starts with`.
     * **Value**: Enter `email_security`.
5. Select **Submit**.

You can now view logs via the Cloudflare dashboard.


---

---
title: IDS logs
description: IDS logs in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# IDS logs

You can use Logpush with [Cloudflare Network Firewall IDS](https://developers.cloudflare.com/cloudflare-network-firewall/about/ids/) (Intrusion Detection System) to export logs of detected threats. IDS monitors your network traffic for a wide range of known threat signatures, including attacks such as ransomware, data exfiltration, and network scanning.

## Set up Logpush for IDS

1. Consult the [Logpush Destination docs](https://developers.cloudflare.com/logs/logpush/logpush-job/api-configuration/#destination) to learn which destinations Logpush supports and how to correctly format the destination URL for Logpush.
2. Follow the [Manage Logpush with cURL](https://developers.cloudflare.com/logs/logpush/examples/example-logpush-curl/) tutorial to validate your Logpush destination and define a Logpush job.

## Notes on using Logpush with IDS

* Magic IDS is an account-scoped dataset. Unlike zone-specific datasets that apply to a single domain, account-scoped datasets use a different API endpoint. Replace the string `/zone/<ZONE_ID>` in the Cloudflare API URLs in the tutorial with `/account/<ACCOUNT_ID>`.
* Consult the [Magic IDS Detection fields doc](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/magic%5Fids%5Fdetections/) to know what fields you want configured for the job.
* When creating the Logpush job, the dataset field should equal `magic_ids_detections`.
* Timestamps default to `unixnano` format (nanoseconds since the Unix epoch, January 1, 1970). If your destination expects a different format (such as RFC 3339), refer to [Logpush Options](https://developers.cloudflare.com/logs/logpush/logpush-job/api-configuration/#options) for available timestamp formats. In the Logpush API configuration string, options are appended after the field list.


---

---
title: Network Firewall log filters
description: Network Firewall log filters in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Network Firewall log filters

You can apply [Log filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/) to your Logpush job to export only specific Cloudflare Network Firewall events. The examples below show common filter configurations using the Logpush API. Each filter uses a JSON structure with `where` clauses containing `key` (the log field to filter on), `operator` (the comparison, such as `eq` for equals or `!eq` for not equals), and `value` (the value to match).

The filters in this guide use the following log fields:

* `MitigationSystem` — Identifies which Cloudflare system sampled the packet. For Network Firewall events, this value is `magic-firewall`.
* `RulesetID` — The unique identifier of the managed ruleset containing the rule that matched the packet, if any. An empty string indicates no managed ruleset matched.
* `Outcome` — The action that Cloudflare systems took on the packet (`pass` or `drop`).
* `Verdict` — The action that Cloudflare systems determined should be taken on the packet (`pass` or `drop`). For disabled rules, `Verdict` may differ from `Outcome` because the rule evaluated the packet but did not enforce its action.

## Filter by enabled or disabled rules

Use the filter examples below to filter your Cloudflare Network Firewall traffic to display events for enabled or disabled rules.

The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only displays fields relevant to Cloudflare Network Firewall, and the filter only displays events for disabled rules.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Logs Write`

Create Logpush job

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "destination_conf": "<DESTINATION_CONF>",
    "output_options": {
        "field_names": [
            "ColoName",
            "Datetime",
            "Direction",
            "IPDestinationAddress",
            "IPDestinationSubnet",
            "IPProtocol",
            "IPSourceAddress",
            "IPSourceSubnet",
            "Outcome",
            "RuleID",
            "RulesetID",
            "SampleInterval",
            "Verdict"
        ]
    },
    "filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"pass\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"drop\"}]}]}}"
  }'
```

The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only displays fields relevant to Cloudflare Network Firewall, and the filter only displays events for enabled rules.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Logs Write`

Create Logpush job

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "destination_conf": "<DESTINATION_CONF>",
    "output_options": {
        "field_names": [
            "ColoName",
            "Datetime",
            "Direction",
            "IPDestinationAddress",
            "IPDestinationSubnet",
            "IPProtocol",
            "IPSourceAddress",
            "IPSourceSubnet",
            "Outcome",
            "RuleID",
            "RulesetID",
            "SampleInterval",
            "Verdict"
        ]
    },
    "filter": "{\"where\":{\"or\":[{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"},{\"or\":[{\"key\":\"Outcome\",\"operator\":\"eq\",\"value\":\"drop\"},{\"key\":\"Verdict\",\"operator\":\"eq\",\"value\":\"pass\"}]}]}]}}"
  }'
```

## Filter by allowed or blocked traffic

Use the filter examples below to filter your Cloudflare Network Firewall traffic to display events for allowed or blocked traffic.

The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only displays fields relevant to Cloudflare Network Firewall, and the filter only displays events where no explicit action was taken — that is, a packet passed through the firewall without matching any rule. By default, Cloudflare Network Firewall permits unmatched traffic. This is identified by an empty `RulesetID`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Logs Write`

Create Logpush job

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "destination_conf": "<DESTINATION_CONF>",
    "output_options": {
        "field_names": [
            "ColoName",
            "Datetime",
            "Direction",
            "IPDestinationAddress",
            "IPDestinationSubnet",
            "IPProtocol",
            "IPSourceAddress",
            "IPSourceSubnet",
            "Outcome",
            "RuleID",
            "RulesetID",
            "SampleInterval",
            "Verdict"
        ]
    },
    "filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"eq\",\"value\":\"\"}]}}"
  }'
```

The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that only displays fields relevant to Cloudflare Network Firewall, and the filter only displays events where explicit action was taken. The example includes both enabled and disabled Cloudflare Network Firewall rules.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Logs Write`

Create Logpush job

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "destination_conf": "<DESTINATION_CONF>",
    "output_options": {
        "field_names": [
            "ColoName",
            "Datetime",
            "Direction",
            "IPDestinationAddress",
            "IPDestinationSubnet",
            "IPProtocol",
            "IPSourceAddress",
            "IPSourceSubnet",
            "Outcome",
            "RuleID",
            "RulesetID",
            "SampleInterval",
            "Verdict"
        ]
    },
    "filter": "{\"where\":{\"and\":[{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"},{\"key\":\"RulesetID\",\"operator\":\"!eq\",\"value\":\"\"}]}}"
  }'
```

## Filter to only Network Firewall events

If your Logpush job includes events from multiple Cloudflare mitigation systems, use the filter below to include only Cloudflare Network Firewall events. The example below [creates a Logpush job](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/) that filters on `MitigationSystem` to include only Network Firewall traffic.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Logs Write`

Create Logpush job

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logpush/jobs" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "destination_conf": "<DESTINATION_CONF>",
    "output_options": {
        "field_names": [
            "ColoName",
            "Datetime",
            "Direction",
            "IPDestinationAddress",
            "IPDestinationSubnet",
            "IPProtocol",
            "IPSourceAddress",
            "IPSourceSubnet",
            "Outcome",
            "RuleID",
            "RulesetID",
            "SampleInterval",
            "Verdict"
        ]
    },
    "filter": "{\"where\":{\"key\":\"MitigationSystem\",\"operator\":\"eq\",\"value\":\"magic-firewall\"}}"
  }'
```
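The three filters on this page share one grammar: a `where` tree of `and`/`or` groups whose leaves compare a log field with `eq` or `!eq`. Because a Logpush job pushes, and bills, whatever the filter selects, it is worth checking a filter against known events before creating the job. The evaluator below is an added example, not Cloudflare's code: it applies the page's allowed-traffic, explicit-action and Network-Firewall-only filters to constructed events. It implements only the operators that appear on this page, and its rule that an event lacking the compared field matches neither `eq` nor `!eq` is this evaluator's choice, not documented API behaviour.

```python
"""Evaluate Logpush filter expressions against Network Firewall events.

Added example, not Cloudflare's code. Only the "and"/"or" groups and the
"eq"/"!eq" operators used in this page's filters are implemented, and an
event that lacks the compared field matches neither operator (this
evaluator's choice). The sample events below are constructed.
"""
import json

# The three filters from this page, serialised as the "filter" field expects.
FILTER_ALLOWED = json.dumps({"where": {"and": [
    {"key": "MitigationSystem", "operator": "eq", "value": "magic-firewall"},
    {"key": "RulesetID", "operator": "eq", "value": ""}]}})
FILTER_EXPLICIT_ACTION = json.dumps({"where": {"and": [
    {"key": "MitigationSystem", "operator": "eq", "value": "magic-firewall"},
    {"key": "RulesetID", "operator": "!eq", "value": ""}]}})
FILTER_NETWORK_FIREWALL_ONLY = json.dumps({"where":
    {"key": "MitigationSystem", "operator": "eq", "value": "magic-firewall"}})


def _eval_node(node, event):
    """Recursively evaluate one node of the "where" tree against one event."""
    if "and" in node:
        return all(_eval_node(child, event) for child in node["and"])
    if "or" in node:
        return any(_eval_node(child, event) for child in node["or"])
    actual = event.get(node["key"])  # None when the event lacks the field
    if node["operator"] == "eq":
        return actual == node["value"]
    if node["operator"] == "!eq":
        return actual is not None and actual != node["value"]
    raise ValueError(f"operator not implemented here: {node['operator']}")


def matches(filter_json, event):
    """True if the Logpush filter (a JSON string) would push this event."""
    return _eval_node(json.loads(filter_json)["where"], event)


def select_events(filter_json, events):
    """Return the Datetime of each event the filter selects, in input order."""
    return [e["Datetime"] for e in events if matches(filter_json, e)]


# Constructed events using the field names requested by this page's jobs:
# one packet permitted by default (empty RulesetID), one dropped by a rule,
# and one from a different mitigation system.
SAMPLE_EVENTS = [
    {"Datetime": "2024-01-01T00:00:01Z", "MitigationSystem": "magic-firewall",
     "RulesetID": "", "RuleID": "", "Outcome": "pass", "Verdict": "pass"},
    {"Datetime": "2024-01-01T00:00:02Z", "MitigationSystem": "magic-firewall",
     "RulesetID": "<RULESET_ID>", "RuleID": "<RULE_ID>", "Outcome": "drop", "Verdict": "drop"},
    {"Datetime": "2024-01-01T00:00:03Z", "MitigationSystem": "<OTHER_SYSTEM>",
     "RulesetID": "<RULESET_ID>", "RuleID": "<RULE_ID>", "Outcome": "pass", "Verdict": "pass"},
]

if __name__ == "__main__":
    for name, flt in [("allowed", FILTER_ALLOWED),
                      ("explicit action", FILTER_EXPLICIT_ACTION),
                      ("network firewall only", FILTER_NETWORK_FIREWALL_ONLY)]:
        print(f"{name}: {select_events(flt, SAMPLE_EVENTS)}")
```

Paste the `filter` string from a real job request into `matches()` together with a line from an existing Logpush export to confirm the job will emit what you expect before you create it.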


---

---
title: Network visibility
description: Network visibility in Zero Trust analytics.
image: https://developers.cloudflare.com/zt-preview.png
---


# Network visibility


---

---
title: Diagnostics
description: Capture and analyze network packets passing through Cloudflare to diagnose connectivity and security issues.
image: https://developers.cloudflare.com/zt-preview.png
---


# Diagnostics

Packet captures allow you to record raw network traffic data passing through Cloudflare's network so you can inspect it offline in tools like Wireshark. This is useful for diagnosing connectivity issues, verifying firewall rules, or investigating unexpected traffic patterns.

Cloudflare supports two types of packet captures: full and sample. Full packet captures are the default behavior.

Note

The maximum packet capture runtime is 24 hours for sample and full packet captures.

## Sample packet captures

Sample packet captures collect historical data on network traffic that has already passed through Cloudflare's network. They will not collect any new traffic sent to Cloudflare's network after the packet capture has started. All sample packet captures will complete immediately after they are started because they query historical traffic data.

Sample packet captures can be viewed in the Cloudflare dashboard. They only include the first 160 bytes of each packet, which is useful for capturing packet headers but will not provide detailed packet data. The sample data is collected across all Cloudflare's data centers to build a PCAP file. This allows you to get a global picture of traffic across all data centers.

You should use full packet captures if you need to collect data on packets that pass through your network less frequently.

## Full packet captures

Full packet captures actively monitor Cloudflare's network for packets that match the selected filters, and capture the complete packet data, including the payload. The matching packet data is saved to a cloud storage bucket that is owned and configured by you. You must [configure a bucket](https://developers.cloudflare.com/cloudflare-one/insights/network-visibility/diagnostics/buckets/) before starting a full packet capture.

Full packet captures will collect new traffic sent to Cloudflare's network after the packet capture has started, and include the full packet data. This type of capture cannot be viewed in the Cloudflare dashboard. You can download them from a cloud storage bucket and analyze them in Wireshark or another packet capture tool.

Refer to the articles in this section to learn how to use packet captures.

* [ Packet captures ](https://developers.cloudflare.com/cloudflare-one/insights/network-visibility/diagnostics/packet-captures/)
* [ Buckets ](https://developers.cloudflare.com/cloudflare-one/insights/network-visibility/diagnostics/buckets/)


---

---
title: Buckets
description: Configure cloud storage buckets for full packet captures.
image: https://developers.cloudflare.com/zt-preview.png
---


# Buckets

Before you can begin a full packet capture, you must configure a cloud storage bucket where Cloudflare can write the captured traffic data. Setting up a bucket is not required for sample packet captures, which complete immediately and can be downloaded directly from the API.

You can configure an Amazon S3 or Google Cloud Platform bucket to use as a target. You can also [use R2](#r2) as a target using the API.

## Set up a bucket

Learn how to set up a bucket for use with full packet captures.

**Dashboard**

1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Network visibility** \> **Diagnostics**.
2. Select the **Buckets** tab > **Add a bucket**.
3. Select a bucket service and select **Next**.
4. Enter the information related to your bucket for your service provider.
5. When you are done, select **Next**.

The **Prove ownership** step of the **Bucket configuration** displays.

Before you can begin using a bucket, you must first enable destinations. Follow the destination setup steps for your provider, then return here to validate ownership.

Refer to the [Amazon S3](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/aws-s3/#create-and-get-access-to-an-s3-bucket) or [Google Cloud Storage](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/google-cloud-storage/#create-and-get-access-to-a-gcs-bucket) documentation and follow the steps for those specific services.

Next, validate the bucket and confirm ownership.

## Validate a bucket

After the initial bucket setup, you need to confirm you have access to the bucket via an ownership challenge. This verification prevents Cloudflare from writing capture data to a bucket you do not control. After you validate your bucket, you can begin using it to collect full packet captures.

**Dashboard**

1. From the **Prove ownership** step of the **Bucket configuration**, locate the **Ownership token** field.
2. Find the ownership challenge file that Cloudflare placed in your bucket, copy its contents, and enter them in the **Ownership token** field.
3. When you are done, select **Create**. The **Packet captures** page displays.

The **Buckets** tab displays a list of the buckets associated with your account. Refer to the **Status** column to see the status of your bucket configuration.

The `bucket` field should be the URI of the bucket. For Amazon S3, the `bucket` field is in the form `s3://<bucket-name>/<directory>?region=<bucket-region>`, and for Google Cloud Storage the form is `gs://<bucket-name>/<directory>`.

Ownership challenge request example

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "destination_conf": "'${bucket}'"
}'
```

The response has a `"filename"` parameter naming the `ownership-challenge` file that Cloudflare wrote to your bucket. Find that file in your bucket and copy its contents.

Ownership challenge response example

```
{
  "result": {
    "id": "cc20c2d6c62e11ecbe646b173af3b6b9",
    "status": "pending",
    "submitted": "2022-04-22T18:54:13.397413Z",
    "validated": "",
    "destination_conf": "gs://bucket-test", // Ensure you use a bucket that you created and registered in the Cloudflare dashboard.
    "filename": "ownership-challenge-1234.txt"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Validate the bucket by inserting the copied text in the `ownership_text` below:

Bucket validation example

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership/validate \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "destination_conf": "'${bucket}'",
  "ownership_challenge": "'${ownership_text}'"
}'
```

Bucket validation response

```
{
  "result": {
    "id": "cc20c2d6c62e11ecbe646b173af3b6b9",
    "status": "success",
    "submitted": "2022-04-22T18:54:13.397413Z",
    "validated": "2022-04-27T14:54:46.440548Z",
    "destination_conf": "gs://<bucket-name>", // Ensure you use a bucket that you created and registered in the Cloudflare dashboard
    "filename": "ownership-challenge-1234.txt"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

If the `status` shows `success`, the bucket is configured and ready to use.

The bucket status displays one of the following options:

* **Success:** The bucket is fully verified and ready to use.
* **Pending:** The challenge response was initiated but is pending verification. Bucket verification can take five to ten minutes to finish processing.
* **Failed:** The bucket could not be validated. If this occurs, verify that Cloudflare has write access to your bucket and that you submitted the correct contents of the ownership challenge file.

## List configured buckets

View a list of all buckets configured on your account.

**Dashboard**

1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Insights** \> **Network visibility** \> **Diagnostics**.
2. Select the **Buckets** tab.

The list of buckets associated with your account displays.

Bucket list request example

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
```

Bucket list response example

```
{
  "result": [
    {
      "id": "9a993aa6c58711ec89d3037647342e63",
      "status": "success",
      "submitted": "2022-04-26T16:58:24.550762Z",
      "validated": "2022-04-26T17:01:18.426458Z",
      "destination_conf": "s3://test-bucket?region=us-east-1",
      "filename": "ownership-challenge-1234.txt"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

To learn how to collect packet captures, refer to [Collect packet captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/).

## R2

You can also use [Cloudflare R2](https://developers.cloudflare.com/r2/) as a storage destination for packet captures. R2 bucket configuration is available through the API only.

Note

When you validate an R2 bucket, exclude the `access-key-id` and `secret-access-key` parameters from the `destination_conf` URL. Only include them in the initial registration request.

### Create bucket and API token

1. In the Cloudflare dashboard, go to the **R2** page ([Go to **Overview**](https://dash.cloudflare.com/?to=/:account/r2/overview)).
2. Select **Create bucket**.
3. Give your bucket a name > **Create bucket**.
4. Go to the R2 Overview page, and select **Manage R2 API Tokens**.
5. Select **Create API Token**.
6. In **Permissions**, choose **Object Read & Write**. Make sure you also select **Apply to specific buckets only**, and select the bucket you have created for PCAPs from the drop-down menu.
7. Select **Create API Token**.
8. Make sure you copy the **Secret Access Key** and **Access Key ID** values, as you will need them for the next step.

### Create initial request

Create your initial request to R2:

Terminal window

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/ownership \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "destination_conf": "r2://<BUCKET_NAME>?account-id=<ACCOUNT_ID>&access-key-id=<R2_ACCESS_KEY_ID>&secret-access-key=<R2_SECRET_ACCESS_KEY>"
}'
```

The [response](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/subresources/ownership/methods/create/) has a `"filename"` parameter with the name of a file that Cloudflare wrote to your R2 bucket. You need to download it for the next step. Example:

```
{
  "errors": [],
  "messages": [],
  "result": {
    "destination_conf": "<YOUR_R2_BUCKET>",
    "filename": "ownership-challenge-9883874ecac311ec8475433579a6bf5f.txt",
    "id": "9883874ecac311ec8475433579a6bf5f",
    "status": "success",
    "submitted": "2020-01-01T08:00:00Z",
    "validated": "2020-01-01T08:00:00Z"
  },
  "success": true
}
```

### Validate bucket ownership

Refer to the [Validate a bucket](#validate-a-bucket) API instructions for more details on the entire process to [validate your R2 bucket](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/subresources/ownership/methods/validate/). When specifying the R2 destination for this validation, exclude the secret and access keys from the URL.
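The `destination_conf` URI is the one value that both the registration and the validate call carry, and for R2 it is also where the access key and secret travel. The helper below is an added example, not Cloudflare's code, covering the API flow in "Validate a bucket" and the R2 note above: it parses the `s3://`, `gs://` and `r2://` forms this page documents, checks the parts the page says are required (`region` for S3, `account-id` for R2), and derives the credential-free URI to send to `/pcaps/ownership/validate`. Bucket names, account ids and keys used with it are constructed placeholders.

```python
"""Check and sanitise packet-capture bucket URIs (destination_conf).

Added example, not Cloudflare's code. It parses the s3://, gs:// and r2://
forms described on this page, checks the parts the page says are required,
and strips the R2 access-key-id and secret-access-key parameters so they
are sent only in the initial registration, never in the validate call.
Bucket names, account ids and keys used with it are constructed placeholders.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that belong only in the initial R2 registration request.
R2_SECRET_PARAMS = frozenset({"access-key-id", "secret-access-key"})


def parse_destination_conf(uri):
    """Return (scheme, bucket, path, query dict) or raise ValueError."""
    parts = urlsplit(uri)
    if parts.scheme not in ("s3", "gs", "r2"):
        raise ValueError(f"unsupported bucket scheme: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("bucket name is missing")
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.scheme == "s3" and "region" not in query:
        raise ValueError("s3:// destination_conf needs ?region=<bucket-region>")
    if parts.scheme == "r2" and "account-id" not in query:
        raise ValueError("r2:// destination_conf needs ?account-id=<ACCOUNT_ID>")
    return parts.scheme, parts.netloc, parts.path, query


def has_embedded_credentials(uri):
    """True if the URI still carries R2 key material (do not log or reuse it)."""
    query = parse_destination_conf(uri)[3]
    return bool(R2_SECRET_PARAMS.intersection(query))


def validation_destination_conf(uri):
    """Return the destination_conf to send to /pcaps/ownership/validate.

    For r2:// the page says to exclude the access-key-id and secret-access-key
    parameters; s3:// and gs:// URIs are returned unchanged.
    """
    scheme, bucket, path, query = parse_destination_conf(uri)
    if scheme != "r2":
        return uri
    kept = [(k, v) for k, v in query.items() if k not in R2_SECRET_PARAMS]
    return urlunsplit((scheme, bucket, path, urlencode(kept), ""))


if __name__ == "__main__":
    # Constructed registration URI in the shape shown in "Create initial request".
    registered = ("r2://pcap-bucket?account-id=0123abcd"
                  "&access-key-id=AKIDEXAMPLE&secret-access-key=SECRETEXAMPLE")
    print("registration URI carries keys:", has_embedded_credentials(registered))
    print("validate with:", validation_destination_conf(registered))
```

Use `validation_destination_conf()` to build the `destination_conf` for the validate call and `has_embedded_credentials()` as a guard before a URI is written to a log or a ticket.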


---

---
title: Packet captures
description: Request, monitor, and download packet captures to diagnose network issues.
image: https://developers.cloudflare.com/zt-preview.png
---


# Packet captures

Packet captures record network traffic flowing through Cloudflare's network so you can analyze individual packets for troubleshooting or security investigations. The output is contained within one or more files in PCAP format, which you can open in tools like [Wireshark ↗](https://www.wireshark.org/).

There are two capture types:

* **Sample** captures query historical traffic data that has already passed through Cloudflare's network. They complete immediately and can be downloaded directly from the API, or from the Cloudflare dashboard.
* **Full** captures actively monitor for new traffic matching your filters and write the complete packet data to a cloud storage bucket you own. Before starting a full capture, you must first [configure a bucket](https://developers.cloudflare.com/cloudflare-one/insights/network-visibility/diagnostics/buckets/).

Note

Packet captures are available for Cloudflare Advanced Network Firewall users. For access, contact your account team.

## Send a packet capture request

Currently, when a packet capture is requested, packets flowing through Cloudflare's global network via the Magic Transit system are captured. The default API field for this is `"system": "magic-transit"`, both for the request and response.

Note

For help determining which data center to select for a packet capture, go to [https://cloudflare.com/cdn-cgi/trace ↗](https://cloudflare.com/cdn-cgi/trace) and refer to the `colo` field. Note some data centers can be regional such as `ORD` while other names may be more specific like `ord02`. Either of these names can be used for this same field.

### Packet capture limits

**Sample and full**

* `time_limit`: The minimum value is `1` second and maximum value is `300` seconds.
* `packet_limit`: The minimum value is `1` packet and maximum value is `10000` packets.

**Full**

* `byte_limit`: The minimum value is `1` byte and maximum value is `1000000000` bytes (1 GB).

**Dashboard**

1. In the Cloudflare dashboard, go to the **Network health** page ([Go to **Network health**](https://dash.cloudflare.com/?to=/:account/networking-insights/health)).
2. Go to the **Diagnostics** tab.
3. In **Network packet captures**, select **Start a capture**.
4. Choose the type of capture you want to perform, and select **Next**.
5. Fill out the required fields to begin the capture and then select **Start**.

The **Network packet captures** page displays a list of captures.

The PCAPs API needs both `system` and `type` to be specified to start a capture. A PCAP's `system` is the product or logical subsystem where packets are captured, and a PCAP's `type` is how the captured packets are built into a PCAP file.

Currently, you can only send one collect request per minute for sample PCAPs, and you can only have one running or pending full PCAP at a time.

Full PCAP

For full PCAP requests, refer to the required parameters listed at [Create full PCAP requests](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/methods/create/). Note that full packet captures require two more parameters than sample packet captures.

The full PCAP request endpoint also accepts optional fields you can use to limit the number of packets captured. Both full and sample packet requests accept an optional `filter_v1` parameter you can use to filter packets, for example by IPv4 source address. For a full list of the filter options, refer to the [API reference](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/methods/create/).

Leave `filter_v1` empty to collect all packets without any filtering.

Full PCAP example request

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "filter_v1": {},
  "time_limit": 300,
  "packet_limit": 10000,
  "byte_limit": 100000000,
  "type": "full",
  "colo": "ORD",
  "system": "magic-transit",
  "destination_conf": "${BUCKET}"
}'
```

While the collection is in progress, the response returns the `status` field as `pending`. You must wait for the PCAP collection to complete before downloading the file. When the PCAP is ready to download, the status changes to `success`.

Full PCAP example response

```
{
  "result": {
    "id": "7d7c88382f0b4d5daa9587aa45a1a877",
    "submitted": "2022-06-02T18:38:22.269047Z",
    "filter_v1": {},
    "time_limit": 300,
    "status": "pending",
    "type": "full",
    "system": "magic-transit",
    "packet_limit": 10000,
    "byte_limit": 100000000,
    "colo": "ORD",
    "destination_conf": "gs://<bucket-name>" // Ensure you use a bucket that you created and registered in the Cloudflare dashboard
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Sample PCAP

To create a sample PCAP request, send a JSON body with the required parameter listed at [Create sample PCAP request](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/pcaps/methods/create/).

Note

The API uses `"type": "simple"` for sample captures. Use `simple` as the type value in your API requests.

Leave `filter_v1` empty to collect all packets without any filtering.

Sample PCAP example request

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "filter_v1": {
    "source_address": "1.2.3.4",
    "source_port": 123,
    "destination_address": "5.6.7.8",
    "destination_port": 80,
    "protocol": 6
  },
  "time_limit": 300,
  "packet_limit": 10000,
  "type": "simple",
  "system": "magic-transit"
}'
```

The response is a JSON body that contains the details of the job running to build the packet capture. The response contains a unique identifier for the packet capture request along with the details sent in the request.

Sample PCAP example response

```
{
  "result": {
    "id": "6d1f0aac13cd40e3900d29f5dd0e8a2b",
    "submitted": "2021-12-20T17:29:20.641845Z",
    "filter_v1": {
      "source_address": "1.2.3.4",
      "source_port": 123,
      "destination_address": "5.6.7.8",
      "destination_port": 80,
      "protocol": 6
    },
    "time_limit": 60,
    "status": "pending",
    "packets_remaining": 0,
    "type": "simple",
    "system": "magic-transit"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## Check packet capture status

**Dashboard**

1. In the Cloudflare dashboard, go to [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health).
2. Go to the **Diagnostics** tab.
3. Locate your capture under **Network packet captures**.

To check the status of a running job, send a request to the endpoint and specify the PCAP identifier. The PCAP identifier is received in the response of a collect request as shown in the previous step.

Terminal window

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/{pcap_id} \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>'
```

The response will be similar to the one received when requesting a PCAP collection.

Sample PCAP example result

```
{
  "result": {
    "id": "6d1f0aac13cd40e3900d29f5dd0e8a2b",
    "submitted": "2021-12-20T17:29:20.641845Z",
    "filter_v1": {
      "source_address": "1.2.3.4",
      "source_port": 123,
      "destination_address": "5.6.7.8",
      "destination_port": 80,
      "protocol": 6
    },
    "time_limit": 120,
    "status": "success",
    "packets_remaining": 0,
    "type": "simple",
    "system": "magic-transit"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

The capture status displays one of the following options:

* **Complete** (API: `success`): The capture is done and ready for download.
* **In progress** (API: `pending`): Packets have been captured but the PCAP file is still being assembled.
* **Failure**: The capture failed. For full captures, verify that your bucket is correctly configured and that Cloudflare has write access to it. For sample captures, verify your filter configuration.

## Download packet captures

After your request finishes processing, you can download your packet captures.

**Dashboard**

1. In the [Cloudflare One ↗](https://one.dash.cloudflare.com) dashboard, go to **Network visibility** \> **Diagnostics**.
2. In **Packet captures**, select **Start a capture**.
3. Locate your packet capture you want to download, and select **Download**.

Packet captures are available to download when the **Status** displays **Success**.

Full captures can produce multiple PCAP files per capture because the capture can run across multiple machines at the data center. To merge these into a single file for analysis, refer to [Wireshark's mergecap documentation ↗](https://www.wireshark.org/docs/man-pages/mergecap.html).

**Full PCAPs**

To obtain full PCAPs, download the files from the bucket specified in `destination_conf` after the PCAP's status is `success`. You may find multiple files named `pcap_<pcap_id>.pcap` per capture as captures can occur across multiple machines.

**Sample PCAPs**

Once the sample PCAP collection is complete, you can download the PCAP by specifying the PCAP identifier used earlier.

Terminal window

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/{pcap_id}/download \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--output download.pcap
```
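The request, status and download steps above form one flow, and the limits under "Packet capture limits" are the values the API will reject if exceeded. The client below is an added example, not Cloudflare's code, that ties the flow together: it validates a request body against those limits before sending it, submits the capture, polls the status endpoint until the status leaves `pending`, and downloads a sample PCAP. `PcapClient`, `FakeTransport` and `run_sample_capture` are this example's own names; the HTTP transport is injectable, and `FakeTransport` is a constructed stand-in so the flow can be exercised offline. Requiring `destination_conf` for full captures and rejecting `byte_limit` on sample captures follow from what this page states, not from a documented error code.

```python
"""Request, poll and download a packet capture via the PCAPs API.

Added example, not Cloudflare's code: PcapClient, FakeTransport and
run_sample_capture are this example's names; endpoints, fields and limits
are the ones documented on this page.
"""
import json
import time
import urllib.request

# Inclusive limits from the "Packet capture limits" section.
LIMITS = {"time_limit": (1, 300), "packet_limit": (1, 10000), "byte_limit": (1, 1000000000)}


def validate_request(body):
    """Raise ValueError if the body breaks a documented rule; else return it."""
    if body.get("system") != "magic-transit":
        raise ValueError('system must be "magic-transit"')
    if body.get("type") not in ("simple", "full"):
        raise ValueError('type must be "simple" (sample) or "full"')
    for field, (lo, hi) in LIMITS.items():
        if field in body and not lo <= body[field] <= hi:
            raise ValueError(f"{field} must be between {lo} and {hi}")
    if body["type"] == "full" and not body.get("destination_conf"):
        raise ValueError("full captures require destination_conf")  # bucket registered first
    if body["type"] == "simple" and "byte_limit" in body:
        raise ValueError("byte_limit applies to full captures only")  # page lists it under Full
    return body


class PcapClient:
    """Thin wrapper over /accounts/{account_id}/pcaps; the transport is injectable."""

    def __init__(self, account_id, email, api_key, transport=None):
        self.base = f"https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps"
        self.headers = {"X-Auth-Email": email, "X-Auth-Key": api_key}
        self.transport = transport or self._http  # (method, url, body) -> (code, bytes)

    def _http(self, method, url, body=None):
        """Real transport using urllib, used only when none is injected."""
        data = json.dumps(body).encode() if body is not None else None
        headers = dict(self.headers, **({"Content-Type": "application/json"} if data else {}))
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()

    def create(self, body):
        """POST a validated capture request and return its "result" object."""
        _, raw = self.transport("POST", self.base, validate_request(body))
        return json.loads(raw)["result"]

    def status(self, pcap_id):
        _, raw = self.transport("GET", f"{self.base}/{pcap_id}")
        return json.loads(raw)["result"]

    def wait(self, pcap_id, poll_seconds=5, max_polls=60):
        """Poll until status is no longer "pending" and return the final result."""
        for _ in range(max_polls):
            result = self.status(pcap_id)
            if result["status"] != "pending":
                return result
            time.sleep(poll_seconds)
        raise TimeoutError(f"pcap {pcap_id} still pending after {max_polls} polls")

    def download_sample(self, pcap_id):
        """Return the bytes of a finished sample ("simple") PCAP."""
        return self.transport("GET", f"{self.base}/{pcap_id}/download")[1]


class FakeTransport:
    """Constructed stand-in for the API: the capture succeeds on the second poll."""

    def __init__(self):
        self.polls, self.pcap = 0, None

    def __call__(self, method, url, body=None):
        if method == "POST":
            self.pcap = dict(body, id="6d1f0aac13cd40e3900d29f5dd0e8a2b",
                             status="pending", packets_remaining=0)
        elif url.endswith("/download"):
            # Little-endian pcap magic followed by a zeroed 20-byte global header.
            return 200, b"\xd4\xc3\xb2\xa1" + b"\x00" * 20
        else:
            self.polls += 1
            if self.polls >= 2:
                self.pcap["status"] = "success"
        return 200, json.dumps({"result": self.pcap, "success": True}).encode()


def run_sample_capture(client, filter_v1, time_limit=60, packet_limit=1000):
    """Create a sample capture, wait for it and return the PCAP bytes."""
    body = {"filter_v1": filter_v1, "time_limit": time_limit, "packet_limit": packet_limit,
            "type": "simple", "system": "magic-transit"}
    created = client.create(body)
    final = client.wait(created["id"], poll_seconds=0)
    if final["status"] != "success":
        raise RuntimeError(f"capture {created['id']} ended as {final['status']}")
    return client.download_sample(created["id"])
```

Construct `PcapClient(account_id, email, api_key)` without a transport to talk to the live API (the default poll interval of five seconds respects the one-collect-request-per-minute limit for sample PCAPs), or pass `transport=FakeTransport()` to dry-run the flow; `run_sample_capture(client, {"source_address": "1.2.3.4", "protocol": 6})` returns the PCAP bytes to write to disk.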

## List packet captures

**Dashboard**

1. In the Cloudflare dashboard, go to the **Network health** page ([Go to **Network health**](https://dash.cloudflare.com/?to=/:account/networking-insights/health)).
2. Go to the **Diagnostics** tab.

The list of packet captures associated with your account displays under **Network packet captures**.

To view a list of sent requests, use the following command:

List request example

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
```

The response returns an array that includes up to 50 sent requests, which includes completed and ongoing requests.

List response example

```
{
  "result": [
    {
      "id": "43adab5adeca4dab9c51f4b7f70f2ec3",
      "submitted": "2021-12-15T03:04:09.277394Z",
      "filter_v1": {},
      "time_limit": 120,
      "status": "success",
      "packets_remaining": 0,
      "type": "simple",
      "system": "magic-transit"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```


---

---
title: Access controls
description: Access controls resources and guides for Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Access controls

Learn how to secure your self-hosted and SaaS applications with Zero Trust policies.

* [ Applications ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/)
* [ Policies ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)
* [ AI controls ](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/)
* [ Service credentials ](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/)
* [ Access settings ](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/)
* [ Authenticate coding agents ](https://developers.cloudflare.com/cloudflare-one/access-controls/authenticate-agents/)
* [ Event subscriptions ](https://developers.cloudflare.com/cloudflare-one/access-controls/event-subscriptions/)
* [ Troubleshoot Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/)

## Troubleshooting

For help resolving common issues with Cloudflare Access, refer to [Troubleshoot Access](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/).

Refer to our [reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) for an understanding of how to architect a Zero Trust and SASE solution.


---

---
title: App Launcher
description: App Launcher in Access.
image: https://developers.cloudflare.com/zt-preview.png
---



# App Launcher

With the Access App Launcher, users can open all applications that they have access to from a single dashboard.

The App Launcher is available at a team domain unique to your Cloudflare Zero Trust account, for example `mycompany.cloudflareaccess.com`.

Users log in using one of the identity providers configured for the account. Once Access authenticates the user, the App Launcher displays applications they are authorized to use, in the form of application tiles. Selecting an application tile launches the application's hostname, sending the user to that tool as part of their SSO flow.

![App Launcher portal](https://developers.cloudflare.com/_astro/app-launcher.BA8TF5r4_23joar.webp) 

## Enable the App Launcher

By default, the App Launcher is disabled. To enable it, you must configure a policy that defines which users can access the App Launcher.

To enable the App Launcher:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Access settings**.
2. Under the **Manage your App Launcher** card, select **Manage**.
3. On the **Policies** tab, [build a policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to define who can access your App Launcher portal. These rules do not impact permissions for the applications secured behind Access.
4. On the **Authentication** tab, choose the identity providers users can authenticate with.
5. Select **Save**.

The App Launcher is now available at `<your-team-name>.cloudflareaccess.com`. You can always edit your App Launcher rules by going to **Access controls** \> **Access settings**.

## Add a tile to the App Launcher

Tiles have a one-to-one relationship with each application you create in Access. The tile names displayed in the Access App Launcher portal correspond to the application names listed under **Access controls** \> **Applications**. For example, if you create one application for general access to your Jira deployment and a separate application that restricts requests to a particular Jira path, a user authorized for both will see separate tiles for each. If you add multiple hostnames to a single application, the user will only see the domain selected in the application's **App Launcher** settings.

To show an Access application in the App Launcher:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select an application and select **Configure**.
3. Go to **Experience settings**.
4. Select **Show application in App Launcher**. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher.  
Note  
This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application.
5. (Optional) To use a custom logo for the application tile, select **Use custom logo** and enter a link to your desired image.  
Note  
If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will.
6. In **Application domains**, choose a domain to use for the App Launcher link.
7. (Optional) In **Tags**, add [custom tags](https://developers.cloudflare.com/cloudflare-one/reusable-components/tags/) so that users can more easily find the application in their App Launcher.

## Customize App Launcher appearance

To customize the App Launcher with your own branding, messages, and links, refer to the [Custom pages documentation](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/app-launcher-customization/).


---

---
title: Independent MFA
description: Independent MFA in Access.
image: https://developers.cloudflare.com/zt-preview.png
---



# Independent MFA

Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional authentication method before granting access to the application.

Because you can [configure MFA at the application and policy level](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa), you can enforce stricter authentication methods like hardware security keys on sensitive applications without requiring them across your entire organization. This allows you to add additional security where it matters most while avoiding MFA fatigue for your broader user population.

## Supported MFA methods

| MFA method                | Description                                                                                                                                                                                |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Authenticator application | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time.         |
| Security key              | YubiKeys and hardware security keys that support the [WebAuthn ↗](https://www.w3.org/TR/webauthn-2/) standard. Users can enroll multiple security keys.                                    |
| Biometrics                | Built-in device authenticators that use [WebAuthn ↗](https://www.w3.org/TR/webauthn-2/), including Apple Touch ID, Apple Face ID, and Windows Hello. Users can enroll multiple biometrics. |

## Turn on independent MFA

Before you can [enforce independent MFA on applications and policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa), you must turn on independent MFA at the organization level.

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Access settings**.
2. Under **Allow multi-factor authentication (MFA)**, select the [MFA methods](#supported-mfa-methods) you want to allow in your organization.
3. Set an **Authentication duration**. This determines how long a user can log in to Access without being prompted for MFA again. If the user does not have an active MFA session for the required authenticator method, they must complete MFA in addition to IdP authentication.
4. (Optional) To avoid prompting a user for MFA twice, you can enable [**Use identity provider MFA**](#use-identity-provider-mfa). Access then checks the AMR value passed from the identity provider at the time of authentication; if that AMR value matches an allowed MFA method, the user is not prompted for MFA again for the configured duration.
5. (Optional) To apply your MFA methods and authentication duration to all Access applications, select **Apply global MFA settings by default**. You can [override the global MFA settings](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for individual applications and policies.  
Note  
The [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) is exempt from the global MFA requirement. Users must be able to access the App Launcher without MFA to enroll their authenticators.
6. Select **Save**.

**API**

1. Get your existing Zero Trust organization configuration.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `Access: Organizations, Identity Providers, and Groups Revoke`
   * `Access: Organizations, Identity Providers, and Groups Write`
   * `Access: Organizations, Identity Providers, and Groups Read`

   Get your Zero Trust organization:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```
2. Send a `PUT` request to update your organization's MFA settings. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `Access: Organizations, Identity Providers, and Groups Write`

   Update your Zero Trust organization:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "auth_domain": "your-team-name.cloudflareaccess.com",
       "name": "Your Team Name",
       "mfa_config": {
           "allowed_authenticators": [
               "totp",
               "biometrics",
               "security_key"
           ],
           "session_duration": "24h"
       },
       "mfa_required_for_all_apps": false
     }'
   ```

   Set `allowed_authenticators` to an array containing one or more of:
   * `totp` — Authenticator application (time-based one-time passwords).
   * `biometrics` — Biometrics (Touch ID, Face ID, Windows Hello).
   * `security_key` — Security keys (YubiKeys).

   Set `session_duration` to a duration string (for example, `30m`, `1h`, `24h`). To require MFA on every access, use `0m`.

After you turn on independent MFA, users can [enroll authenticators](#enroll-authenticators) through the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/).

## Restrict authenticators by AAGUID

An [AAGUID ↗](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#authenticator-attestation-guid) (Authenticator Attestation GUID) is a 128-bit identifier that indicates the make and model of a [WebAuthn ↗](https://www.w3.org/TR/webauthn-2/) authenticator. By restricting enrollment to a specific set of AAGUIDs, you can require that users only enroll approved hardware, such as FIPS-validated security keys or company-issued devices.

AAGUID restrictions apply at enrollment time only. Access verifies the AAGUID when a user registers an authenticator, not when they authenticate. As a result, AAGUID restrictions are configured at the organization level.

Warning

Some authenticators do not send an AAGUID during WebAuthn registration, including:

* Apple devices using iCloud Keychain passkeys.
* YubiKey 4 and earlier models using U2F (CTAP1).

Users cannot enroll these authenticators when AAGUID restrictions are turned on. Before turning on AAGUID restrictions, confirm that your required authenticators are in the [FIDO Alliance Metadata Service ↗](https://fidoalliance.org/metadata/).

### 1\. Create an AAGUID list

AAGUIDs are managed using [Lists](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). Create a list of type **AAGUID**, then reference the list in your organization's MFA configuration.

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Resources** \> **Lists**.
2. Select **Create new list**.
3. Enter a **List name** (for example, `Approved security keys`) and an optional description.
4. Set **List type** to **MFA AAGUIDs**.
5. Add one or more AAGUID entries:  
   * To add predefined AAGUIDs, select authenticators from the **Known authenticators** list.  
   * To add a custom AAGUID, fill out the following fields:  
         * **MFA AAGUIDs** — The AAGUID of the authenticator, in 32-character hexadecimal format without dashes (for example, `8c39ee867f9a4a959ba3f6b097e5c2ee`).  
         * **Description** — An optional label such as the authenticator's name and model.
6. Select **Save**.

**API**

Send a `POST` request to create the list:

Create Zero Trust list:

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Approved security keys",
    "description": "AAGUIDs for MFA enrollment",
    "type": "AAGUID",
    "items": [
        {
            "value": "8c39ee867f9a4a959ba3f6b097e5c2ee",
            "description": "YubiKey Bio Series - FIDO Edition (Enterprise Profile)"
        }
    ]
  }'
```

The response contains an `id` (UUID) for the list. Use this ID when you assign the list to your organization's MFA configuration.

Tip

You can look up AAGUIDs for common authenticators in the [FIDO Alliance Metadata Service ↗](https://fidoalliance.org/metadata/). Most vendors also publish AAGUIDs for their hardware on their support sites.

### 2\. Assign an AAGUID list to your organization

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Access settings**.
2. Under **Allow multi-factor authentication (MFA)**, go to **Limit MFA to specific authentication methods**.
3. Select an existing [AAGUID list](#1-create-an-aaguid-list).
4. Select **Save**.

After you save, only authenticators whose AAGUIDs appear in the list can be enrolled. Users with previously enrolled authenticators outside the list can continue to use them until they are [deleted by an administrator](#delete-a-user-authenticator).

**API**

1. Get your existing Zero Trust organization configuration.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `Access: Organizations, Identity Providers, and Groups Revoke`
   * `Access: Organizations, Identity Providers, and Groups Write`
   * `Access: Organizations, Identity Providers, and Groups Read`

   Get your Zero Trust organization:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```
2. Send a `PUT` request to assign the list. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. Set `mfa_config.required_aaguids` to the ID of your AAGUID list.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `Access: Organizations, Identity Providers, and Groups Write`

   Update your Zero Trust organization:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "auth_domain": "your-team-name.cloudflareaccess.com",
       "name": "Your Team Name",
       "mfa_config": {
           "allowed_authenticators": [
               "security_key",
               "totp",
               "biometrics"
           ],
           "session_duration": "24h",
           "required_aaguids": "05ddacda-5131-41ab-9eeb-6763f8dce3be"
       }
     }'
   ```

   To remove the restriction, set `required_aaguids` to `null`.

Note

AAGUID requirements and [AMR matching](#use-identity-provider-mfa) cannot both be turned on at the organization level. If AAGUID requirements are turned on, Access skips AMR matching even when the identity provider returns a matching AMR value.

## Use identity provider MFA

If your identity provider already prompts users for MFA, you can configure Access to accept that MFA instead of prompting again. Access checks the Authentication Method Reference (AMR) claim returned by the IdP, as defined in [RFC 8176 ↗](https://datatracker.ietf.org/doc/html/rfc8176). If the AMR value matches an [allowed authenticator type](#supported-mfa-methods) for the application or policy, Access skips the independent MFA prompt.

### Supported AMR values

| AMR value | Matches Access authenticator type | Description                           |
| --------- | --------------------------------- | ------------------------------------- |
| hwk       | Security key                      | Proof-of-possession of a hardware key |
| swk       | Security key                      | Proof-of-possession of a software key |
| otp       | Authenticator application         | One-time password                     |
| face      | Biometrics                        | Facial recognition                    |
| fpt       | Biometrics                        | Fingerprint                           |
| iris      | Biometrics                        | Iris scan                             |
| retina    | Biometrics                        | Retina scan                           |
| vbm       | Biometrics                        | Voice biometric                       |

Access ignores AMR values that do not map to a supported authenticator type (for example, `pwd`, `sms`, `tel`, `geo`, `kba`, `sc`, `pin`, `user`, `mca`, `rba`, `wia`).

### Turn on AMR matching

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Access settings**.
2. Under **Allow multi-factor authentication (MFA)**, turn on **Use identity provider MFA**.
3. Under **Authentication Method Reference (AMR) matching duration**, set how long a successful IdP MFA remains valid. During this period, users can log in to Access without an additional MFA prompt. You can set a custom duration (default 24 hours) or check for a [valid AMR value](#supported-amr-values) on every login.
4. Select **Save**.

**API**

1. Get your existing Zero Trust organization configuration.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `Access: Organizations, Identity Providers, and Groups Revoke`
   * `Access: Organizations, Identity Providers, and Groups Write`
   * `Access: Organizations, Identity Providers, and Groups Read`

   Get your Zero Trust organization:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```
2. Send a `PUT` request to update your organization's AMR matching settings. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `Access: Organizations, Identity Providers, and Groups Write`

   Update your Zero Trust organization:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "auth_domain": "your-team-name.cloudflareaccess.com",
       "name": "Your Team Name",
       "mfa_config": {
           "allowed_authenticators": [
               "totp",
               "biometrics",
               "security_key"
           ],
           "session_duration": "24h",
           "amr_matching_enabled": true,
           "amr_session_duration": "1h"
       }
     }'
   ```

### When AMR matching is skipped

Access does not apply AMR matching in the following cases:

* [AAGUID requirements](#restrict-authenticators-by-aaguid) are turned on at the organization level. AAGUID information is not present in the IdP's AMR claim, so Access cannot verify that the IdP's MFA came from an approved device.
* The IdP does not return an `amr` claim.
* The IdP returns only AMR values that do not map to an [allowed authenticator type](#supported-mfa-methods) for the application or policy.
* The user's AMR matching session has expired because they last performed MFA via their IdP longer ago than the configured AMR matching duration.

In these cases, Access falls back to checking for existing MFA sessions. If there are no valid MFA sessions, Access prompts the user to complete independent MFA.

Note

Identity providers differ in how they populate the `amr` claim. Some providers, including Okta, may return provider-specific values such as `pop` that are not part of RFC 8176. Test the behavior with your IdP before relying on AMR matching for production applications.
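The matching rules in the table above and the skip conditions listed in this section can be modeled as a single decision function. This is an added example, not Cloudflare's code: the AMR mapping and the `amr_matching_enabled`, `amr_session_duration` and `required_aaguids` fields come from this page, while `LoginContext` and its fields are assumptions made for the model.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 8176 AMR values and the Access authenticator type each one matches,
# taken from the "Supported AMR values" table. Anything else (pwd, sms, tel,
# geo, kba, sc, pin, user, mca, rba, wia, ...) is ignored by the lookup.
AMR_TO_AUTHENTICATOR = {
    "hwk": "security_key",
    "swk": "security_key",
    "otp": "totp",
    "face": "biometrics",
    "fpt": "biometrics",
    "iris": "biometrics",
    "retina": "biometrics",
    "vbm": "biometrics",
}

_DURATION_RE = re.compile(r"^(\d+)([smh])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(value: str) -> int:
    """Convert a duration string such as '30m', '1h' or '24h' to seconds."""
    match = _DURATION_RE.match(value)
    if not match:
        raise ValueError(f"unsupported duration string: {value!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


@dataclass
class OrgMfaConfig:
    """Organization-level fields from this page's mfa_config payloads."""
    amr_matching_enabled: bool = True
    amr_session_duration: str = "24h"
    required_aaguids: str | None = None  # AAGUID list ID, None when unrestricted


@dataclass
class LoginContext:
    """Assumed inputs for one login (names are this example's, not Cloudflare's)."""
    amr_claim: list[str] | None  # `amr` claim from the IdP token; None if absent
    allowed_authenticators: list[str]  # allowed types for this app or policy
    seconds_since_idp_mfa: int = 0  # age of the IdP MFA event behind the claim
    has_valid_mfa_session: bool = False  # an unexpired independent MFA session


@dataclass
class Decision:
    prompt_mfa: bool
    reason: str
    matched_amr: list[str] = field(default_factory=list)


def evaluate(org: OrgMfaConfig, ctx: LoginContext) -> Decision:
    """Return whether Access would prompt for independent MFA on this login."""

    def fallback(reason: str) -> Decision:
        # Every skipped case falls back to existing MFA sessions before prompting.
        if ctx.has_valid_mfa_session:
            return Decision(False, reason + "; existing MFA session honored")
        return Decision(True, reason + "; no MFA session, prompting")

    if not org.amr_matching_enabled:
        return fallback("AMR matching is turned off")
    if org.required_aaguids is not None:
        # AAGUID requirements win: the amr claim carries no device identity.
        return fallback("AAGUID requirement set, AMR matching skipped")
    if not ctx.amr_claim:
        return fallback("IdP returned no amr claim")
    matched = [
        v for v in ctx.amr_claim
        if AMR_TO_AUTHENTICATOR.get(v) in ctx.allowed_authenticators
    ]
    if not matched:
        return fallback("amr values map to no allowed authenticator type")
    if ctx.seconds_since_idp_mfa > parse_duration(org.amr_session_duration):
        return fallback("AMR matching session expired")
    return Decision(False, "IdP MFA accepted via AMR matching", matched)
```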

## Turn off independent MFA

Warning

Turning off independent MFA removes MFA protection on all Access applications. Before turning off independent MFA, verify that your Access policies provide adequate coverage. Remove [custom MFA settings](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/) from any applications and policies that use it, then turn off independent MFA at the organization level.

To turn off independent MFA for the organization:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Access settings**.
2. Under **Allow multi-factor authentication (MFA)**, turn off **Apply global MFA settings by default**.
3. Turn off all MFA methods (**Biometrics**, **Security key**, and **Authenticator application**).

If you get an error updating MFA settings, ensure that you have removed custom MFA settings from all applications and policies.

**API**

1. Get your existing Zero Trust organization configuration.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `Access: Organizations, Identity Providers, and Groups Revoke`
   * `Access: Organizations, Identity Providers, and Groups Write`
   * `Access: Organizations, Identity Providers, and Groups Read`

   Get your Zero Trust organization:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```
2. Send a `PUT` request with an empty `allowed_authenticators` array. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `Access: Organizations, Identity Providers, and Groups Write`

   Update your Zero Trust organization:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "auth_domain": "your-team-name.cloudflareaccess.com",
       "name": "Your Team Name",
       "mfa_config": {
           "allowed_authenticators": []
       }
     }'
   ```
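Every API procedure on this page (turning independent MFA on or off, assigning an AAGUID list, turning on AMR matching) repeats the same read-modify-write pattern: `GET` the organization, merge the new `mfa_config` values into the full result, and `PUT` the whole object back. The following added helper is not Cloudflare's code: it builds that `PUT` body from a constructed sample `GET` response, validates the values this page documents, rejects the AAGUID-plus-AMR combination the page says cannot both be on, and normalizes AAGUIDs into the 32-character form the list type expects. In the sample, `auto_redirect_to_identity` stands in for the other fields a real response carries, and `send_org_update` is an assumed way of sending the result.

```python
import copy
import json
import re
import urllib.request

ALLOWED_AUTHENTICATORS = {"totp", "biometrics", "security_key"}
DURATION_RE = re.compile(r"^\d+[smh]$")
AAGUID_HEX_RE = re.compile(r"^[0-9a-f]{32}$")
UNSET = object()  # sentinel: leave this field exactly as the GET returned it

# Constructed, trimmed sample of a GET .../access/organizations response.
# Only the fields shown on this page are authoritative; the extra field is
# illustrative and exists to show that unrelated fields survive the merge.
SAMPLE_GET_RESPONSE = {
    "success": True,
    "errors": [],
    "messages": [],
    "result": {
        "auth_domain": "your-team-name.cloudflareaccess.com",
        "name": "Your Team Name",
        "auto_redirect_to_identity": False,
        "mfa_config": {
            "allowed_authenticators": ["totp"],
            "session_duration": "24h",
        },
        "mfa_required_for_all_apps": False,
    },
}


def normalize_aaguid(value: str) -> str:
    """Return the 32-character lowercase hex form the AAGUID list type expects.

    Vendors and the FIDO Metadata Service usually publish AAGUIDs as dashed
    UUIDs, so dashes are stripped and case is lowered before validation.
    """
    hexval = value.replace("-", "").lower()
    if not AAGUID_HEX_RE.match(hexval):
        raise ValueError(f"not a valid AAGUID: {value!r}")
    return hexval


def build_aaguid_list_body(name: str, entries, description: str = "") -> dict:
    """Body for POST .../gateway/lists; entries are (aaguid, description) pairs."""
    items = [{"value": normalize_aaguid(v), "description": d} for v, d in entries]
    return {"name": name, "description": description, "type": "AAGUID", "items": items}


def build_org_update(get_response: dict, allowed_authenticators, session_duration: str,
                     required_aaguids=UNSET, amr_matching_enabled=UNSET,
                     amr_session_duration=UNSET, mfa_required_for_all_apps=UNSET) -> dict:
    """Return a PUT body: the full GET result with the mfa_config changes merged in."""
    unknown = set(allowed_authenticators) - ALLOWED_AUTHENTICATORS
    if unknown:
        raise ValueError(f"unknown authenticator types: {sorted(unknown)}")
    if not DURATION_RE.match(session_duration):
        raise ValueError(f"bad session_duration: {session_duration!r}")
    if amr_session_duration not in (UNSET, None) and not DURATION_RE.match(amr_session_duration):
        raise ValueError(f"bad amr_session_duration: {amr_session_duration!r}")

    # Deep copy so the caller's GET payload stays intact. Every field the GET
    # returned is carried over, which is what keeps the PUT from resetting them.
    body = copy.deepcopy(get_response["result"])
    mfa = dict(body.get("mfa_config") or {})
    mfa["allowed_authenticators"] = list(allowed_authenticators)
    mfa["session_duration"] = session_duration
    for key, val in (("required_aaguids", required_aaguids),
                     ("amr_matching_enabled", amr_matching_enabled),
                     ("amr_session_duration", amr_session_duration)):
        if val is not UNSET:
            mfa[key] = val  # None for required_aaguids removes the restriction
    if mfa.get("required_aaguids") and mfa.get("amr_matching_enabled"):
        raise ValueError("AAGUID requirements and AMR matching cannot both be turned on")
    body["mfa_config"] = mfa
    if mfa_required_for_all_apps is not UNSET:
        body["mfa_required_for_all_apps"] = mfa_required_for_all_apps
    return body


def send_org_update(account_id: str, token: str, body: dict) -> dict:
    """Assumed transport: PUT the merged body back with the standard library."""
    url = f"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/organizations"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: review the merged body before wiring in a real GET
    # and send_org_update() with your account ID and API token.
    merged = build_org_update(SAMPLE_GET_RESPONSE, ["security_key", "totp"], "1h",
                              required_aaguids="LIST-ID-PLACEHOLDER")
    print(json.dumps(merged, indent=2))
```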

## Enroll authenticators

Users enroll authenticators through the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/).

If a user already has at least one authenticator enrolled, Access requires them to [verify with an existing MFA method](#mfa-verification-for-authenticator-changes) before they can add a new authenticator.

To enroll an authenticator:

1. Go to your organization's App Launcher at `<your-team-name>.cloudflareaccess.com`.
2. Log in with your identity provider or with a one-time PIN (OTP).
3. Go to **Account** \> **MFA devices** \> **Add an MFA device**.  
Note  
Administrators can also share a direct enrollment link to help onboard users: `<your-team-name>.cloudflareaccess.com/AddMfaDevice`
4. If you already have an MFA device enrolled, complete the MFA verification prompt.
5. Select the authenticator type you want to enroll and follow the on-screen instructions.  
Authenticator application  
   1. Select **Authenticator application**.  
   2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). Alternatively, you can manually enter the setup key into your authenticator app. Use SHA1 as the hash function and set the time-step size to 30 seconds.  
   3. Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment.  
Note  
You can only have one TOTP authenticator enrolled at a time. If you use multiple devices, scan the same QR code on each device during enrollment. To replace an existing TOTP authenticator, delete it first and then enroll a new one.  
Security key  
   1. Select **Security key**.  
   2. When your browser prompts you, insert your security key and follow the on-screen instructions.  
   3. After your browser confirms the registration, the security key is enrolled.  
You can enroll multiple security keys for backup purposes.  
Biometrics  
   1. Select **Biometrics** \> **Register biometrics**.  
   2. You will be prompted to enroll with an authenticator type that is available on your device (for example, **Add macOS Touch ID** or **Add Windows Hello**).  
   3. After your browser confirms the registration, the platform authenticator is enrolled.

You can now use these authenticators to log in to your organization's applications.
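The manual setup parameters in the authenticator application steps (SHA1 hash, 30-second time step, 6-digit codes) are RFC 6238 TOTP. The following added example, not Cloudflare's code, implements exactly that so you can confirm that an app configured from the setup key produces the expected codes; it assumes Access verifies codes per RFC 6238 with these parameters, and the drift window in `verify_totp` is this example's choice, not a documented Access behavior.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # time-step size the enrollment instructions specify
DIGITS = 6         # code length the enrollment instructions specify


def decode_setup_key(key: str) -> bytes:
    """Decode the base32 setup key shown beside the QR code.

    Apps usually display it in lowercase groups; spaces and case are
    normalized and missing '=' padding is restored before decoding.
    """
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int | None = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int | None = None,
                window: int = 1) -> bool:
    """Verifier side: accept the current step plus `window` steps either way.

    The window tolerates clock drift between the phone and the verifier; each
    candidate is compared with compare_digest so the string match is constant-time.
    """
    if unix_time is None:
        unix_time = int(time.time())
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret, as the base32 setup key an app would show.
    secret = decode_setup_key("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("current code:", totp(secret))
```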

### Delete an authenticator

Users can delete their own authenticators from the App Launcher. If the user has at least one authenticator enrolled, Access requires them to [verify with an existing MFA method](#mfa-verification-for-authenticator-changes) before they can remove a device.

1. Go to your organization's App Launcher at `<your-team-name>.cloudflareaccess.com`.
2. Go to **Account** \> **MFA devices**.
3. Select the 3-dot menu next to the MFA device, then select **Remove MFA device**.
4. If you have other MFA devices enrolled, complete the MFA verification prompt.

Administrators can also [delete authenticators on behalf of users](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#delete-a-user-authenticator).

### MFA verification for authenticator changes

When a user has at least one authenticator enrolled, Access requires MFA verification before the user can add or remove an authenticator from the App Launcher. This verification step is separate from the IdP login and uses the user's existing independent MFA device.

After the user completes MFA verification, they have 10 minutes to add or remove authenticators without additional prompts. This window is tied to the current device. After 10 minutes, or if the user switches to a different device, Access requires MFA verification again.

This prevents an attacker with compromised IdP credentials from modifying a user's enrolled authenticators. Even if an attacker gains access to the user's IdP session, they cannot bypass the independent MFA verification step without also possessing the user's enrolled authenticator. If a user loses their only authenticator and cannot verify, an administrator can delete it to allow re-enrollment. Refer to [Manage user authenticators](#manage-user-authenticators).

Note

MFA verification is not required when a user enrolls their first authenticator, since they do not yet have an MFA device to verify with.

## Manage user authenticators

Administrators can view and delete authenticators enrolled by users. This is useful for resolving lockouts or responding to security events.

### View user authenticators

To view a user's enrolled authenticators:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Users**.
2. Select a user.
3. Go to **MFA devices**. Each entry shows the authenticator's ID, its user-configured name, and the MFA method.

### Delete a user authenticator

If a user is locked out or you need to revoke an authenticator for security reasons, you can delete it from the dashboard or API.

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Users**.
2. Select the user whose authenticator you want to delete.
3. Under **MFA devices**, find the authenticator and select **Delete**.

The user will need to enroll a new authenticator the next time they access an application that requires MFA.

**API**

Send a `DELETE` request to remove a specific authenticator.

Delete a user's MFA device:

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/mfa_authenticators/$AUTHENTICATOR_ID" \
  --request DELETE \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

Parameters:

* `user_id` — The UUID of the user. You can find this in the user details under **Team & Resources** \> **Users**.
* `authenticator_id` — The unique identifier for the authenticator.

### Lockout recovery

If a user loses access to all of their enrolled authenticators:

1. [Delete](#delete-a-user-authenticator) the user's authenticators.
2. The user can then access a protected application and will be provided a link to enroll a new authenticator.
3. Alternatively, share the direct enrollment link with the user: `<your-team-name>.cloudflareaccess.com/AddMfaDevice`.

Tip

To prevent lockouts, users should enroll multiple authenticators (for example, a security key and an authenticator application) when available.

## Related links

* [Enforce MFA on applications and policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/)


---

---
title: Require Access protection
description: Require Access protection in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Require Access protection

Cloudflare Access allows you to require Access protection for all hostnames in your account. When this setting is turned on, traffic to any hostname without a matching [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) is automatically blocked.

This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. Without this setting, a developer could deploy a new application or create a DNS record and inadvertently expose the resource before configuring an Access application.

## Turn on Access protection

Warning

Turning on Access protection blocks traffic to any hostname that does not have an Access application. Before turning on this setting, verify that all publicly accessible hostnames have an [Access application with an Allow or Bypass policy](#allow-traffic-to-a-hostname).

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and go to **Zero Trust** \> **Access controls** \> **Access settings**.
2. Turn on **Block traffic to all domains in this account**. You will see a dialog confirming you understand the scope of this change. Select **Confirm**.  
Traffic to all hostnames in the account is now blocked unless an Access application exists for the hostname.
3. (Optional) Under **Hostnames to Exempt**, select specific domains to exempt from the **Block traffic to all domains in this account** setting. Traffic to exempted hostnames is allowed even if no Access application exists.  
Note  
Cloudflare recommends limiting exemptions to hostnames that host only public-facing content. Internal applications should have an Access application configured.

## Allow traffic to a hostname

To allow traffic to a hostname when **Block traffic to all domains in this account** is turned on:

1. [Create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the hostname.
2. Add an [Allow policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#allow) to grant access to authorized users.
3. (Optional) Add a [Bypass policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#bypass) if the hostname should be publicly accessible without authentication.

## Blocked request behavior

When a user attempts to access a hostname without an Access application, Cloudflare displays a block page with `Error 1050: This resource is blocked by this account's Default-Deny policy.` The user cannot proceed until an administrator creates an Access application for that hostname.


---

---
title: Session management
description: Session management in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Session management

A user session determines how long a user can access an Access application without re-authenticating.

## Session durations

When a user logs in to an application protected by Access, Access validates their identity against your Access policies and generates two signed JSON Web Tokens (JWTs):

| Token                                                                                                                                                | Description                                                                                                          | Expiration                                                                                                                               | Storage                                          |
| ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
| Global session token                                                                                                                                 | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration)                                                                                      | Your Cloudflare team domain                      |
| [Application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) | Allows the user to access a specific Access application.                                                             | [Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration) | The hostname protected by the Access application |

The user can access the application for the entire duration of the application token's lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP.

The global token expiration is usually set to equal or exceed the application token expiration. Setting a longer global token provides a more secure way to allow for longer user sessions, since the global token cannot be used to directly access an application.

In summary, Access checks sessions from most specific to least specific:

1. **[Client session](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/)** (if enabled) — Overrides all other durations. The user re-authenticates when this expires.
2. **[Policy session](#policy-session-duration)** — Controls access to a specific application for users matching a specific policy.
3. **[Application session](#application-session-duration)** — The default policy session duration for all policies in the application.
4. **[Global session](#global-session-duration)** — Controls how often the user must log in to the IdP across all applications.

Refer to the [Order of enforcement](#order-of-enforcement) flowchart for a visual representation.

Note

Access and the Cloudflare One Client will evaluate identity based on a user's last-known state. If a user authenticates via your Identity Provider, but later authenticates with a different method (such as One-Time PIN), Access will no longer evaluate the user's Identity Provider group memberships. Identity Provider group memberships are created and managed by the IdP and group membership data can only persist in an IdP-based authentication.

### Global session duration

The global session duration determines how often Cloudflare Access prompts the user to log in to their identity provider. You can set a global session duration between 15 minutes and one month. The default value is 24 hours.

To set the global session duration:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Access settings**.
2. Under **Set your global session duration**, select **Edit**.
3. Select the desired timeout duration from the dropdown menu.
4. Select **Save**.

The user will be required to re-authenticate with the IdP after this period of time.

### Policy session duration

The policy session duration determines how long the user can access a self-hosted Access application. When the user's session expires, Access rechecks their stored user identity against the application's Access policies.

By default, the policy session duration is equal to the [application session duration](#application-session-duration). To configure more granular permissions for specific users, you can change the policy session duration to a value ranging from immediate timeout to one month. For example, you may wish to set the application session duration to seven days for engineers, but set a policy session duration to 24 hours for contractors.

To set the policy session duration:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Policies**.
2. Choose a policy and select **Configure**.
3. Select a **Session Duration** from the dropdown menu.
4. Save the policy.

Users who match this policy will be issued an application token with this expiration time.

### Application session duration

The application session duration is the default [policy session duration](#policy-session-duration) for all policies in an Access application. Available session durations range from immediate timeout to one month. The default value is 24 hours.

To set the application session duration:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Choose an application and select **Configure**.
3. Select a **Session Duration** from the dropdown menu.
4. Save the application.

Users who match a policy configured with a _Same as application session timeout_ duration will be issued an application token with this expiration time.

#### SaaS applications

Application session durations only control the front door to a SaaS app; Access does not control how long the user can stay in the SaaS app itself. For example, if the user logs out of the SaaS app and then comes back to it, a valid Access application token allows them to re-authenticate without another login. The SaaS app issues its own authorization cookie that manages the user's session within the app.

#### SSH, RDP, and VNC

Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one.

### Cloudflare One Client session duration

When [Authenticate with Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/#configure-client-sessions-in-access) is enabled for an Access application, the Cloudflare One Client session duration takes precedence over all other session durations (application, policy, and global). As long as the Cloudflare One Client session is valid and the user is running the Cloudflare One Client, the user will not be prompted to re-authenticate with the IdP — even if the global session has expired.

### MFA session duration

If you use [independent multi-factor authentication (MFA)](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/), the MFA session duration determines how long a user can log in to Cloudflare Access without being prompted for MFA. The MFA session is independent of the global, policy, and application session durations. When logging in to an Access app with [MFA enabled](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application), users must complete an MFA challenge if their last MFA authentication falls outside the configured session duration. After authenticating with their identity provider, users are prompted for MFA. The [CF\_Device cookie](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cf%5Fdevice) ensures both authentication steps occur on the same device. MFA session durations do not affect how long a user has access to the application (that is controlled by the [application token](#session-durations)).

### Order of enforcement

The following flowchart illustrates how Access enforces user sessions for a self-hosted application.

```mermaid
flowchart TB
    %% Accessibility
    accTitle: Access session durations
    accDescr: Flowchart describing the order of enforcement for Access sessions

    %% In with user traffic
    start["User goes to Access application"]
    start-- "Authenticate with Cloudflare One Client enabled" -->warpsession[Device client session expired?]
    start-- "Authenticate with Cloudflare One Client disabled" -->policysession[Policy session expired?]

    warpsession--"Yes"-->idp[Prompt to log in to IdP]
    warpsession--"No"-->accessgranted[Access granted]

    policysession--"Yes"-->globalsession[Global session expired?]
    policysession--"No"-->accessgranted

    globalsession--"Yes"-->idp
    globalsession--"No"-->refreshtoken[Check identity against Access policies]
    refreshtoken-->accessgranted
    idp-->refreshtoken
```

## Revoke user sessions

Access provides two options for revoking user sessions: per-application and per-user.

### Per-Application

To immediately terminate all active sessions for a specific application:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Locate the application for which you would like to revoke active sessions and select **Configure**.
3. Select **Revoke existing tokens**.

Unless there are changes to rules in the policy, users can start a new session if their profile in your identity provider is still active.

### Per-User

Access can immediately revoke a single user session across all applications in your account. However, if the user's identity profile is still active, they can generate a new session.

If you want to permanently revoke a user's access:

1. Disable their account in your identity provider so that they cannot authenticate.
2. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Users**.
3. Select the checkbox next to the user you want to revoke.
4. Select **Action** \> **Revoke**.

The user will no longer be able to log in to any application protected by Access. The user will still count towards your seat subscription until you [remove the user](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management) from your account.

### Subsequent Logins

When administrators revoke a user's Cloudflare Access token, that user will not be able to log in again for up to 1 minute. If they attempt to do so, Cloudflare Access will display an error.

## Log out as a user

To log out of Access, the end user can visit either of the following URLs:

* `<your-application-domain>/cdn-cgi/access/logout`
* `<your-team-name>.cloudflareaccess.com/cdn-cgi/access/logout`

This action [revokes the user's session](#per-user) across all applications. Access will immediately clear the authorization cookie from the user's browser, and all previously issued tokens will stop being accepted in 20-30 seconds. The only difference between these two URLs is which domain the authorization cookie is deleted from. For example, going to `<your-application-domain>/cdn-cgi/access/logout` will remove the application cookie and make the logout action feel more instantaneous.

You can use these URLs to create custom logout buttons or links directly within your application.

Note

At this time, end users cannot log themselves out on a per-application basis.

## AJAX

Pages that rely heavily on AJAX or single-page applications can block sub-requests due to an expired Access token without prompting the user to re-authenticate.

You can configure Access to provide a `401` response on sub-requests with an expired session token. We recommend using this response code to either force a page refresh or to display a message to the user that their session has expired.

In order to receive a `401` for an expired session, add the following header to all AJAX requests:

`X-Requested-With: XMLHttpRequest`
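As an added example (not code from the Cloudflare docs), a `fetch()` wrapper for a single-page application behind Access: it sets the `X-Requested-With: XMLHttpRequest` header on every API call so Access answers an expired session with a `401`, and it turns that `401` into an explicit session-expired signal instead of a silently failing sub-request. The function and hook names (`accessFetch`, `onSessionExpired`, `hooks.fetch`) are this example's own assumptions; only the header and the `401` behaviour come from Access.

```javascript
// Added example, not from the Cloudflare docs: fetch() wrapper for a
// single-page application behind Cloudflare Access. It adds the
// X-Requested-With: XMLHttpRequest header so that Access answers a
// sub-request made with an expired session token with HTTP 401, and it
// turns that 401 into an explicit "session expired" signal the app acts on.
// accessFetch, onSessionExpired and hooks.fetch are assumed names.

const ACCESS_AJAX_HEADER = "X-Requested-With";
const ACCESS_AJAX_VALUE = "XMLHttpRequest";

class AccessSessionExpiredError extends Error {
  constructor(url) {
    super(`Cloudflare Access session expired while requesting ${url}`);
    this.name = "AccessSessionExpiredError";
  }
}

// Return a copy of a fetch() init object that carries the Access AJAX
// header. Headers are handled as a plain object; any differently cased
// copy of the header is dropped so it is not sent twice, and cookies
// (the Access application token) are sent with the request by default.
function withAccessAjaxHeader(init = {}) {
  const headers = {};
  for (const [name, value] of Object.entries(init.headers || {})) {
    if (name.toLowerCase() !== ACCESS_AJAX_HEADER.toLowerCase()) headers[name] = value;
  }
  headers[ACCESS_AJAX_HEADER] = ACCESS_AJAX_VALUE;
  return { ...init, headers, credentials: init.credentials || "same-origin" };
}

// Default reaction to an expired session in a browser: reload the page so
// Access can issue a new application token (silently while the global
// session is still valid) or send the user back to the identity provider.
function reloadForReauthentication() {
  if (globalThis.location && typeof globalThis.location.reload === "function") {
    globalThis.location.reload();
  }
}

// fetch() replacement for the app's API calls. hooks.fetch and
// hooks.onSessionExpired exist so the logic can be exercised without a
// browser; in production the defaults are used.
async function accessFetch(url, init = {}, hooks = {}) {
  const fetchImpl = hooks.fetch || globalThis.fetch;
  const onSessionExpired = hooks.onSessionExpired || reloadForReauthentication;
  const response = await fetchImpl(url, withAccessAjaxHeader(init));
  if (response.status === 401) {
    // Access rejected the sub-request: the session token has expired.
    onSessionExpired(url);
    throw new AccessSessionExpiredError(url);
  }
  return response;
}
```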


---

---
title: Allow MCP servers to access self-hosted applications
description: Allow MCP servers to access self-hosted applications in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Allow MCP servers to access self-hosted applications

MCP servers often need to call internal applications on behalf of authenticated users. For example, an MCP server that helps employees interact with internal tools needs to forward the user's identity to those downstream services (the internal applications the MCP server connects to) so that each request is authorized with the correct permissions.

The [Linked App Token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/linked-app-token/) policy selector enables this by allowing an Access policy on one application to accept tokens issued for another. There are two ways to set this up depending on how your MCP server is deployed.

## Self-hosted MCP server (recommended)

If your MCP server is a [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), Cloudflare Access handles authentication automatically. The MCP server receives the user's JWT from Access in the `Cf-Access-Jwt-Assertion` header and should forward it to downstream applications in the `Cf-Access-Token` header. No OAuth implementation is needed in your MCP server code.

```mermaid
flowchart LR
    accTitle: Self-hosted MCP server accessing internal applications
    User --> client["MCP client"]
    client --> mcp["MCP server <br> (self-hosted app)"]
    mcp -- "Cf-Access-Token: &lt;JWT&gt;" --> app1["Internal API <br> (self-hosted app)"]
    mcp -- "Cf-Access-Token: &lt;JWT&gt;" --> app2["Company wiki <br> (self-hosted app)"]
    idp[Identity provider] <--> mcp
```

### Prerequisites

* Add your downstream applications (for example, your `Internal API` and `Company wiki`) as [self-hosted Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/).
* Add your MCP server as a [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/).

### 1\. Configure downstream applications

On each self-hosted application that the MCP server needs to access (for example, the `Internal API` and `Company wiki` apps), create a Linked App Token policy:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select the downstream application and select **Edit**.
3. Go to the **Policies** tab and select **Create new policy**.
4. Set the policy **Action** to _Service Auth_.  
Note  
The Linked App Token selector only works with the [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) action, similar to service token rules.
5. For **Selector**, select _Linked App Token_.
6. For **Value**, select the MCP server application. For example,  
| Action       | Rule type | Selector         | Value          |  
| ------------ | --------- | ---------------- | -------------- |  
| Service Auth | Include   | Linked App Token | mcp-server-app |
7. Save the policy.
8. In the downstream application, add the policy to the **Access policies** list.
9. Save the application.

**API**

1. Get the `uid` of the MCP server application:

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Access: Apps and Policies Revoke`
   * `Access: Apps and Policies Write`
   * `Access: Apps and Policies Read`

   List Access applications:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

   Response:

   ```
   {
     "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "type": "self_hosted",
     "name": "mcp-server-app",
     ...
   }
   ```

2. Create an Access policy on the downstream application, replacing the `app_uid` value with the `uid` of the MCP server application:

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Access: Apps and Policies Write`

   Create an Access reusable policy:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "name": "Allow requests from MCP server",
       "decision": "non_identity",
       "include": [
           {
               "linked_app_token": {
                   "app_uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
               }
           }
       ]
     }'
   ```

   Note  
   The `linked_app_token` rule type only works with [non\_identity decisions](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth), similar to service token rules.

### 2\. Configure your MCP server

In your MCP server code, forward the `Cf-Access-Jwt-Assertion` header from incoming requests as the `Cf-Access-Token` header on outgoing requests to the downstream application:

```
Cf-Access-Token: <JWT from Cf-Access-Jwt-Assertion>
```

Access will now validate the JWT token against the Linked App Token rule and propagate the user's identity to the downstream application.

## SaaS MCP server (Access for SaaS with OAuth)

If your MCP server is registered as an [Access for SaaS OIDC application](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/secure-mcp-servers/) and implements [MCP OAuth ↗](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization), it receives an OAuth `access_token` from Cloudflare Access. The MCP server forwards this token to downstream self-hosted applications in the `Authorization: Bearer` header.

This approach requires your MCP server to implement the OAuth authorization code flow. Use the [self-hosted MCP server approach](#self-hosted-mcp-server-recommended) if you want Cloudflare to handle authentication for you.

```mermaid
flowchart LR
    accTitle: SaaS MCP server accessing internal applications
    User --> client["MCP client"]
    client --> mcp["MCP server <br> (Access for SaaS app)"]
    mcp -- "Authorization: Bearer &lt;token&gt;" --> app1["Internal API <br> (self-hosted app)"]
    mcp -- "Authorization: Bearer &lt;token&gt;" --> app2["Company wiki <br> (self-hosted app)"]
    idp[Identity provider] <--> mcp
```

### Prerequisites

* Add your downstream applications (for example, your `Internal API` and `Company wiki`) as [self-hosted Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/).
* Add your MCP server as an [Access for SaaS OIDC application](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/secure-mcp-servers/#access-for-saas-application).

### 1\. Configure downstream applications

On each self-hosted application that the MCP server needs to access (for example, the `Internal API` and `Company wiki` apps), create a Linked App Token policy:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select the downstream application and select **Edit**.
3. Go to the **Policies** tab and select **Create new policy**.
4. Set the policy **Action** to _Service Auth_.  
Note  
The Linked App Token selector only works with the [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) action, similar to service token rules.
5. For **Selector**, select _Linked App Token_.
6. For **Value**, select the MCP server application. For example,  
| Action       | Rule type | Selector         | Value          |  
| ------------ | --------- | ---------------- | -------------- |  
| Service Auth | Include   | Linked App Token | mcp-server-app |
7. Save the policy.
8. In the downstream application, add the policy to the **Access policies** list.
9. Save the application.

**API**

1. Get the `uid` of the MCP server application:

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Access: Apps and Policies Revoke`
   * `Access: Apps and Policies Write`
   * `Access: Apps and Policies Read`

   List Access applications:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

   Response:

   ```
   {
     "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "type": "saas",
     "name": "mcp-server-app",
     ...
   }
   ```

2. Create an Access policy on the downstream application, replacing the `app_uid` value with the `uid` of the MCP server application:

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Access: Apps and Policies Write`

   Create an Access reusable policy:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "name": "Allow requests from MCP server",
       "decision": "non_identity",
       "include": [
           {
               "linked_app_token": {
                   "app_uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
               }
           }
       ]
     }'
   ```

   Note  
   The `linked_app_token` rule type only works with [non\_identity decisions](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth), similar to service token rules.

### 2\. Configure your MCP server

Configure the MCP server to forward the `access_token` in outgoing requests:

```
Authorization: Bearer ACCESS_TOKEN
```
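As an added example (not Cloudflare's code, nor part of either procedure above), the identity-forwarding step of an MCP server written as a Worker-style `fetch` handler, covering both deployments on this page: a self-hosted MCP server forwards the Access JWT from `Cf-Access-Jwt-Assertion` as `Cf-Access-Token`, and an Access for SaaS MCP server forwards its OAuth `access_token` as `Authorization: Bearer`. The function names, the `mode` values and the downstream URL are this example's assumptions; the header names and the two flows come from the page.

```javascript
// Added example, not Cloudflare's code: identity forwarding for an MCP
// server that proxies tool calls to downstream self-hosted Access apps.
// Names such as buildDownstreamHeaders, forwardToDownstream and the mode
// values "self-hosted" / "saas" are this example's own assumptions.

const ACCESS_JWT_HEADER = "Cf-Access-Jwt-Assertion"; // set by Access on inbound requests
const LINKED_TOKEN_HEADER = "Cf-Access-Token";        // checked by the Linked App Token rule

// Only these inbound headers are copied downstream. Everything else, in
// particular Cookie, Authorization and the MCP server's own Access headers,
// stays behind: the downstream app must authorize the user's identity, not
// the MCP server's own session.
const FORWARDED_HEADERS = { "content-type": "Content-Type", accept: "Accept" };

class MissingIdentityError extends Error {
  constructor(message) {
    super(message);
    this.name = "MissingIdentityError";
  }
}

// Case-insensitive lookup in a plain header object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Build the header set for the downstream request.
//   mode "self-hosted": the MCP server is a self-hosted Access app and
//                       forwards the user's Access JWT as Cf-Access-Token.
//   mode "saas":        the MCP server is an Access for SaaS OIDC app and
//                       forwards the OAuth access_token it holds for the user.
// Fails closed: with no user identity, no downstream call is built.
function buildDownstreamHeaders(inbound, mode, oauthAccessToken) {
  const out = {};
  for (const [lower, canonical] of Object.entries(FORWARDED_HEADERS)) {
    const value = getHeader(inbound, lower);
    if (value !== undefined) out[canonical] = value;
  }
  if (mode === "self-hosted") {
    const jwt = getHeader(inbound, ACCESS_JWT_HEADER);
    if (!jwt) throw new MissingIdentityError(`inbound request has no ${ACCESS_JWT_HEADER}`);
    out[LINKED_TOKEN_HEADER] = jwt;
  } else if (mode === "saas") {
    if (!oauthAccessToken) throw new MissingIdentityError("no OAuth access_token for this user");
    out.Authorization = `Bearer ${oauthAccessToken}`;
  } else {
    throw new Error(`unknown mode: ${mode}`);
  }
  return out;
}

// Accept either a Fetch API Headers object or a plain object.
function headersToObject(headers) {
  if (headers && typeof headers.forEach === "function" && !Array.isArray(headers)) {
    const obj = {};
    headers.forEach((value, key) => { obj[key] = value; });
    return obj;
  }
  return { ...(headers || {}) };
}

// Proxy one tool call to a downstream application (Workers-style Request,
// Response and fetch). A request without a user identity gets a 401 back
// instead of being sent downstream anonymously.
async function forwardToDownstream(request, downstreamUrl, mode, options = {}) {
  const fetchImpl = options.fetch || globalThis.fetch;
  let headers;
  try {
    headers = buildDownstreamHeaders(headersToObject(request.headers), mode, options.oauthAccessToken);
  } catch (err) {
    if (err instanceof MissingIdentityError) return new Response(err.message, { status: 401 });
    throw err;
  }
  return fetchImpl(downstreamUrl, { method: request.method, headers, body: request.body });
}
```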

## Known limitations

* The Linked App Token policy can only be added to [self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). It cannot be added to [SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) or other application types.
* This feature works best with applications that rely on the [Cloudflare Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) for authentication and identity. If the downstream application implements its own authentication layer after Cloudflare Access, requests that pass Access validation may still be rejected by the application itself.


---

---
title: MCP server portals
description: MCP server portals in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# MCP server portals

An MCP server portal centralizes multiple [Model Context Protocol (MCP) servers ↗](https://www.cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) onto a single HTTP endpoint.

![MCP clients connect through an MCP portal to access internal MCP servers and SaaS MCP servers.](https://developers.cloudflare.com/_astro/mcp-portal.B5web1ii_2x3Bsf.webp) 

This guide explains how to add MCP servers to Cloudflare Access, create an MCP portal with customized tools and policies, and connect users to the portal using an MCP client.

## Key features

MCP server portals provide the following capabilities:

* **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers and MCP servers secured using OAuth (for example, via [Access for SaaS](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/secure-mcp-servers/) or a [third-party OAuth provider](https://developers.cloudflare.com/agents/model-context-protocol/authorization/)). Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
* **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
* **Context optimization**: Portals support query parameter options that reduce context window usage by minimizing or hiding tool definitions. Refer to [Optimize context](#optimize-context) for details.
* **Non-browser client support**: MCP clients authenticate to the portal using a standard OAuth 2.0 authorization code flow via [managed OAuth](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/managed-oauth/). Non-browser clients receive a `401` response with a `WWW-Authenticate` header pointing to Access's OAuth discovery endpoints, rather than a browser redirect.
* **Code mode**: Code mode is available by default on all portals. It collapses all upstream tools into a single `code` tool. The AI agent writes JavaScript that calls typed methods for each tool, and the code runs in an isolated [Dynamic Worker](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/) environment. This keeps context window usage fixed regardless of how many tools are available. Refer to [code mode](#code-mode) for connection instructions.
* **Observability**: Once the user's AI agent is connected to the portal, Cloudflare Access logs the individual requests made using the tools in the portal. You can optionally route portal traffic through [Cloudflare Gateway](#route-portal-traffic-through-gateway) for richer HTTP logging and data loss prevention (DLP) scanning.
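
The non-browser flow above means an MCP client has to act on a `401` programmatically. The following is an added example, not code from the Cloudflare docs or from any MCP client: it parses the `WWW-Authenticate` challenge and only follows the discovery URL if it points at a host you expect (the portal itself or your Access team domain), so a spoofed or proxied endpoint cannot redirect the client's OAuth flow elsewhere. The `resource_metadata` parameter is the RFC 9728 form and is an assumption about the portal's exact challenge; the sample header and hostnames are constructed.

```javascript
// Added example (not from the Cloudflare docs): handling the portal's 401
// challenge in a non-browser MCP client. The `resource_metadata` parameter
// (RFC 9728) is an assumption about the exact challenge; the sample header
// and hostnames below are constructed, not captured from a real portal.

// Parse 'Scheme k1=v1, k2="quoted, value"' into { scheme, params }.
function parseWwwAuthenticate(headerValue) {
  const m = /^\s*([A-Za-z][A-Za-z0-9_-]*)\s*([\s\S]*)$/.exec(headerValue);
  if (!m) throw new Error("malformed WWW-Authenticate header");
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return { scheme: m[1], params };
}

// Return the discovery URL the client may follow, or null when the response is
// not a Bearer challenge. Throws if the challenge points outside allowedHosts
// (the portal hostname and your Access team domain): following an arbitrary
// discovery URL would let a spoofed endpoint capture the client's tokens.
function discoveryUrlFromChallenge(status, headerValue, allowedHosts) {
  if (status !== 401 || !headerValue) return null;
  const { scheme, params } = parseWwwAuthenticate(headerValue);
  if (scheme.toLowerCase() !== "bearer" || !params.resource_metadata) return null;
  const meta = new URL(params.resource_metadata);
  if (meta.protocol !== "https:" || !allowedHosts.includes(meta.host)) {
    throw new Error(`refusing OAuth discovery on unexpected origin ${meta.origin}`);
  }
  return meta.href;
}

// Constructed sample: placeholder portal hostname and team domain.
const SAMPLE_ALLOWED_HOSTS = ["mcp.example.com", "example-team.cloudflareaccess.com"];
const SAMPLE_CHALLENGE =
  'Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource", error="invalid_token"';
```

A client that skips the origin check and blindly follows whatever URL the challenge names is trusting the network path to the portal; pinning the allowed hosts keeps the OAuth flow anchored to the portal and to Access even if the response is tampered with.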

## Prerequisites

* An [active domain on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
* Domain uses either a [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) or a [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/)
* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured on Cloudflare Zero Trust

## Add an MCP server

Add individual MCP servers to Cloudflare Access to bring them under centralized management.

To add an MCP server:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **AI controls**.
2. Go to the **MCP servers** tab.
3. Select **Add an MCP server**.
4. Enter any name for the server.
5. (Optional) Enter a custom string for the **Server ID**.
6. In **HTTP URL**, enter the full URL of your MCP server. For example, if you want to add the [Cloudflare Documentation MCP server ↗](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/docs-vectorize), enter `https://docs.mcp.cloudflare.com/mcp`.
7. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals.  
Warning  
Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/secure-mcp-servers/).
8. Select **Save and connect server**.
9. If the MCP server supports OAuth, you will be redirected to log in to your OAuth provider. You can log in to any account on the MCP server. The account used to authenticate will serve as the admin credential for that MCP server. You can [configure an MCP portal](#create-a-portal) to use this admin credential to make requests on behalf of every connected user, so choose an account that has only the permissions those users should have.

Cloudflare Access will validate the server connection and fetch a list of tools and prompts. Once the server is successfully connected, the [server status](#server-status) will change to **Ready**. You can now add the MCP server to an [MCP server portal](#create-a-portal).

### Server status

The MCP server status indicates the synchronization status of the MCP server to Cloudflare Access.

| Status  | Description                                                                                                                                                |
| ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Error   | The server's authentication failed due to expired or incorrect credentials. To fix the issue, [reauthenticate the server](#reauthenticate-the-mcp-server). |
| Waiting | The server's tools, prompts, and resources are being synchronized.                                                                                         |
| Ready   | The server was successfully synchronized and all tools, prompts, and resources are available.                                                              |

### Reauthenticate the MCP server

To reauthenticate an MCP server in Cloudflare Access:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **AI controls**.
2. Go to the **MCP servers** tab.
3. Select the server that you want to reauthenticate, then select **Edit**.
4. Select **Authenticate server**.

You will be redirected to log in to your OAuth provider. The account used to authenticate will serve as the new admin credential for this MCP server.

### Synchronize the MCP server

Cloudflare Access automatically synchronizes with your MCP server every 24 hours. To manually refresh the MCP server in Zero Trust:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **AI controls**.
2. Go to the **MCP servers** tab and find the server that you want to refresh.
3. Select the three dots > **Sync capabilities**.

The MCP server page will show the updated list of tools and prompts. New tools and prompts are automatically enabled in every MCP server portal that includes the server, so review the list after a sync to confirm that you want each of them exposed.

## Create a portal

To create an MCP server portal:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **AI controls**.
2. Select **Add MCP server portal**.
3. Enter any name for the portal.
4. Under **Custom domain**, select a domain for the portal URL. Domains must belong to an active zone in your Cloudflare account. You can optionally specify a subdomain.
5. [Add MCP servers](#add-an-mcp-server) to the portal.
6. (Optional) Under **MCP servers**, configure the tools and prompts available through the portal.
7. (Optional) Configure **Require user auth** for servers that support OAuth:  
   * `Enabled`: (default) Users are prompted to log in with their own credentials to establish a connection with the MCP server.  
   * `Disabled`: Users who are connected to the portal automatically get access to the MCP server through its [admin credential](#reauthenticate-the-mcp-server).
8. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to define the users who can connect to the portal URL.
9. Select **Add an MCP server portal**.
10. (Optional) [Customize the login experience](#customize-login-settings) for the portal.

Users can now [connect to the portal](#connect-to-a-portal) at `https://<subdomain>.<domain>/mcp` using an MCP client.

### Customize login settings

Cloudflare Access automatically creates an Access application for each MCP server portal. You can customize the portal login experience by updating Access application settings:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Find the portal that you want to configure, then select the three dots > **Edit**.
3. To configure identity providers for the portal:  
   1. Go to **Authentication**.  
   2. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) that you want to enable for your application.  
   3. (Recommended) If you plan to only allow access via a single identity provider, turn on **Apply instant authentication**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.
4. To customize the block page:  
   1. Go to **Additional settings**.  
   2. **Custom block pages**: Choose what users will see when they are denied access to the application.  
         * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message.  
         * **Redirect URL**: Redirect to the specified website.  
         * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One.
5. Select **Save**.

## Code mode

[Code mode](https://developers.cloudflare.com/agents/api-reference/codemode/) is turned on by default on all MCP server portals. It reduces context window usage by collapsing all tools in the portal into a single `code` tool. Instead of loading a separate tool definition for each upstream MCP server tool, the connected AI agent writes JavaScript that calls typed `codemode.*` methods. The generated code runs in an isolated [Dynamic Worker](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/) environment, which keeps authentication credentials and environment variables out of the model context.

To use code mode, the MCP client must request it when connecting to the portal URL. Refer to [Connect with code mode](#connect-with-code-mode) for the required query parameter.

Code mode is useful for portals that aggregate many MCP servers or servers that expose a large number of tools. Context window usage stays fixed regardless of how many tools are available through the portal.

### Connect with code mode

To use code mode, append the `?codemode=search_and_execute` query string parameter to your portal URL when [connecting](#connect-to-a-portal) from an MCP client.

For example, if your portal URL is `https://<subdomain>.<domain>/mcp`, connect to:

```
https://<subdomain>.<domain>/mcp?codemode=search_and_execute
```

For MCP clients with server configuration files, use the portal URL with the query string parameter:

MCP client configuration with code mode

```json
{
  "mcpServers": {
    "example-portal": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://<subdomain>.<domain>/mcp?codemode=search_and_execute"
      ]
    }
  }
}
```

When code mode is active, the portal advertises a single `code` tool to connected MCP clients. The AI agent discovers available tools by inspecting the typed method signatures in the Dynamic Worker environment and composes multiple tool calls into a single code execution.

For more information on building with code mode, refer to the [code mode SDK reference](https://developers.cloudflare.com/agents/api-reference/codemode/).

### Turn off code mode

To turn off code mode for a portal:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **AI controls**.
2. Find the portal you want to configure, then select the three dots > **Edit**.
3. Under **Basic information**, turn off **Code mode**.

**API**

1. Get your existing MCP portal configuration:  
Read details of an MCP Portal  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals/$ID" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```
2. Send a `PUT` request to the [Update a MCP Portal](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/ai%5Fcontrols/subresources/mcp/subresources/portals/methods/update/) endpoint with `allow_code_mode` set to `false`. The request below shows only the field being changed; to avoid overwriting your existing configuration, the `PUT` body should contain all fields returned by the previous `GET` request, with `allow_code_mode` changed to `false`.  
Update a MCP Portal  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals/$ID" \  
  --request PUT \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "allow_code_mode": false  
  }'  
```
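
Because the endpoint is a full `PUT`, the safe way to script it is a read-modify-write. The following is an added example, not code from the Cloudflare docs: it fetches the portal, flips only `allow_code_mode`, sends everything else back unchanged, and checks that the API confirms the change. The endpoint path and the `allow_code_mode` field are the ones shown above; the other fields in the sample response are assumptions constructed for the example, and `fetch` is injectable so the merge can be exercised without network access.

```javascript
// Added example (not from the Cloudflare docs): disable code mode on a portal
// with a read-modify-write so no other portal setting is lost. Only the
// endpoint and the `allow_code_mode` field come from the docs; the remaining
// fields of the sample response are assumptions made for this example.

const API_BASE = "https://api.cloudflare.com/client/v4";

// The v4 API wraps every response in { success, errors, messages, result }.
function unwrap(envelope) {
  if (!envelope || envelope.success !== true) {
    const errs = (envelope && envelope.errors) || [];
    throw new Error("Cloudflare API call failed: " + JSON.stringify(errs));
  }
  return envelope.result;
}

// Pure merge step, kept separate so it can be checked offline: copy the
// current portal object and change nothing but allow_code_mode.
function withCodeModeDisabled(currentPortal) {
  return { ...currentPortal, allow_code_mode: false };
}

// GET the portal, PUT it back with code mode off, and confirm the API agrees.
async function disablePortalCodeMode(accountId, portalId, apiToken, fetchImpl = globalThis.fetch) {
  const url = `${API_BASE}/accounts/${accountId}/access/ai-controls/mcp/portals/${portalId}`;
  const headers = { Authorization: `Bearer ${apiToken}`, "Content-Type": "application/json" };
  const current = unwrap(await (await fetchImpl(url, { method: "GET", headers })).json());
  const body = withCodeModeDisabled(current);
  const updated = unwrap(
    await (await fetchImpl(url, { method: "PUT", headers, body: JSON.stringify(body) })).json()
  );
  if (updated.allow_code_mode !== false) throw new Error("portal still reports code mode enabled");
  return updated;
}

// Constructed sample GET response; the field set beyond allow_code_mode is assumed.
const SAMPLE_GET_RESPONSE = {
  success: true,
  errors: [],
  messages: [],
  result: { id: "portal-123", name: "example-portal", hostname: "mcp.example.com", allow_code_mode: true },
};
```

Run it with `disablePortalCodeMode(ACCOUNT_ID, PORTAL_ID, CLOUDFLARE_API_TOKEN)`; the final check guards against a silently ignored field, which a bare `curl` would not catch.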

## Route portal traffic through Gateway

When Gateway routing is turned on, calls to MCP servers protected by your MCP server portal appear in your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) alongside the rest of your organization's HTTP traffic. You can then create [Data Loss Prevention (DLP) policies](#example-gateway-policy) to detect and block sensitive data from leaving your users' devices and being sent to your upstream MCP servers.

### Enable Gateway routing

To route MCP server portal traffic through Gateway:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **AI controls**.
2. Find the portal you want to configure, then select the three dots > **Edit**.
3. Under **Basic information**, turn on **Route traffic through Cloudflare Gateway**.
4. Select **Save**.

Portal traffic will now appear in your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). To apply DLP scanning, [create a Gateway HTTP policy](#example-gateway-policy).

### Example Gateway policy

To scan traffic for sensitive data, [create a Gateway HTTP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/) that matches both the MCP server and a predefined or custom [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/).

Gateway HTTP policies for MCP portal traffic must explicitly target the MCP server — this differs from typical Gateway HTTP policies which apply to all inspected traffic. Ensure that your policy matches the upstream MCP server (for example, `https://example-mcp-server.example.workers.dev/mcp`) rather than the portal URL (`https://<subdomain>.<domain>/mcp`).

For example, the following policy blocks traffic that contains [credentials and secrets](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#credentials-and-secrets) or [financial information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information):

| Selector    | Operator | Value                                              | Logic | Action |
| ----------- | -------- | -------------------------------------------------- | ----- | ------ |
| Host        | in       | example-mcp-server.example.workers.dev             | And   | Block  |
| DLP Profile | in       | _Credentials and Secrets_, _Financial Information_ |       |        |

Note

DLP [AI prompt profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) do not apply to MCP server portal traffic.

## Connect to a portal

Users can connect to your MCP server portal at `https://<subdomain>.<domain>/mcp` using [Workers AI Playground ↗](https://playground.ai.cloudflare.com/), [MCP inspector ↗](https://github.com/modelcontextprotocol/inspector), or [other MCP clients](https://developers.cloudflare.com/agents/guides/remote-mcp-server/#connect-your-mcp-server-to-claude-and-other-mcp-clients) that support remote MCP servers.

To test in Workers AI Playground:

1. Go to [Workers AI Playground ↗](https://playground.ai.cloudflare.com/).
2. Under **MCP Servers**, enter `https://<subdomain>.<domain>/mcp` for the portal URL.
3. Select **Connect**.
4. In the popup window, log in to your Cloudflare Access identity provider.
5. The popup window will list the MCP servers in the portal that require authentication. For each of these MCP servers, select **Connect** and follow the login prompts.
6. Select **Done** to complete the portal authentication process.

Workers AI Playground will show a **Connected** status and list the available tools. You can now ask the AI model to complete a task using an available tool. Requests made to an MCP server will appear in your [portal logs](#view-portal-logs).

For MCP clients with server configuration files, we recommend using the `npx` command with the `mcp-remote@latest` argument:

MCP client configuration for MCP portals

```json
{
  "mcpServers": {
    "example-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://<subdomain>.<domain>/mcp"
      ]
    }
  }
}
```

We do not recommend using the `serverURL` parameter since it may cause issues with portal session creation and management.

### Portal homepage

When users visit the portal domain (`https://<subdomain>.<domain>/`) in a browser, the portal displays a homepage with connection details and setup instructions.

Note

Do not visit the MCP endpoint URL (`https://<subdomain>.<domain>/mcp`) directly in a browser. The `/mcp` path is intended for MCP clients only and will return an `invalid token` error if accessed in a browser.

The homepage shows:

* The portal name and your organization branding (if configured in Cloudflare Access)
* The MCP endpoint URL with a copy button
* Per-client connection instructions for Claude Desktop, Workers AI Playground, OpenCode, Windsurf, and other MCP clients with OS-specific file paths

Authenticated users see their email address and a **Sign out** button in the session bar. Users who are not authenticated can still view the homepage and connection instructions.

### Sign out of a portal

To end a portal session, select **Sign out** from the [portal homepage](#portal-homepage) (`https://<subdomain>.<domain>/`). The sign-out flow:

1. Revokes all portal-level OAuth grants for your user.
2. Deletes all upstream MCP server OAuth states associated with your session.
3. Redirects through Cloudflare Access logout.

After sign-out, the portal displays a confirmation page with a summary of the revoked sessions. To reconnect, visit the portal homepage and authenticate again.

## Optimize context

MCP server portals support context optimization options that reduce how many tokens tool definitions consume in the model's context window. These options are useful when a portal aggregates many MCP servers or servers that expose a large number of tools.

To use context optimization, append the `optimize_context` query parameter to your portal URL when connecting from an MCP client.

### Minimize tools

The `minimize_tools` option strips tool descriptions and input schemas from all upstream tools, leaving only their names. The portal exposes a special `query` tool that agents use to search and retrieve full tool definitions on demand. Agents can discover tools without loading all definitions upfront.

This option provides up to 5x savings in token usage, though querying tool definitions before use adds a small amount of overhead.

To connect with `minimize_tools`, use the following portal URL:

```
https://<subdomain>.<domain>/mcp?optimize_context=minimize_tools
```

For MCP clients with server configuration files:

MCP client configuration with minimize\_tools

```json
{
  "mcpServers": {
    "example-portal": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://<subdomain>.<domain>/mcp?optimize_context=minimize_tools"
      ]
    }
  }
}
```

### Search and execute

The `search_and_execute` option hides all upstream tools and exposes only two tools to the agent: `query` and `execute`. The `query` tool searches and retrieves tool definitions. The `execute` tool runs the upstream tools. The generated code runs in an isolated [Dynamic Worker](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/) environment, which keeps authentication credentials and environment variables out of the model context.

This option reduces the initial token cost of portal tools to a small constant, regardless of how many tools are available. However, the agent becomes fully reliant on `query` to discover tools before it can call them.

To connect with `search_and_execute`, use the following portal URL:

```
https://<subdomain>.<domain>/mcp?optimize_context=search_and_execute
```

For MCP clients with server configuration files:

MCP client configuration with search\_and\_execute

```json
{
  "mcpServers": {
    "example-portal": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://<subdomain>.<domain>/mcp?optimize_context=search_and_execute"
      ]
    }
  }
}
```

For more information on the code mode pattern behind `search_and_execute`, refer to the [Code mode SDK reference](https://developers.cloudflare.com/agents/api-reference/codemode/).

## Manage portal sessions

Once connected to a portal, users can manage their upstream MCP server sessions without leaving their MCP client. The portal uses [MCP elicitations ↗](https://modelcontextprotocol.io/specification/2025-03-26/server/elicitation) to provide a server selection page where you can enable or disable servers, log out of individual servers, and reauthenticate.

### Return to the server selection page

To manage your server connections during an active session, ask your AI agent to take you back to the server selection page. For example, prompt your agent with:

> Take me back to the server selection page.

The portal returns an authorization URL. Open this URL in your web browser to access the server selection page:

```
https://<subdomain>.<domain>/authorize?elicitationId=<ELICITATION_ID>
```

From this page you can:

* **Enable or disable servers** — Toggle individual upstream MCP servers on or off. Disabling a server removes its tools from the active session, which reduces context window usage.
* **Log out and reauthenticate** — Log out of a server and log back in if you need to change which data the server has access to. For example, you may need to reauthenticate with different permissions.

### Enable or disable a server inline

You can also enable or disable a specific server directly from your MCP client without visiting the server selection page. For example:

> Enable the wiki server.

> Disable my Jira server.

The portal toggles the server and updates the active tool list immediately. Disabling a server removes its tools from the session, which reduces context window usage.

### Reauthenticate a server

When an upstream MCP server token expires, the portal prompts you to reauthenticate from within your MCP client. Open the provided URL in your browser and complete the login to restore the session.

If your MCP client does not display the reauthentication prompt, you can manually clear cached credentials:

Note

This command clears cached credentials for every MCP server configured through `mcp-remote`, not just MCP portals.

Terminal window

```sh
rm -rf ~/.mcp-auth
```

After clearing credentials, reconnect to the portal from your MCP client.

### Authorize new servers

When an admin adds a new upstream MCP server to a portal, the portal automatically prompts connected users to authorize the new server. The portal batches admin changes and redirects you to the authorization flow once, rather than interrupting for each individual server update.

## View portal logs

Portal logs allow you to monitor user activity through an MCP server portal. You can view logs on a per-portal or per-server basis.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **AI controls**.
2. Find the portal or server that you want to view logs for, then select the three dots > **Edit**.
3. Select **Logs**.

### Log fields

| Field      | Description                                         |
| ---------- | --------------------------------------------------- |
| Time       | Date and time of the request                        |
| Status     | Whether the server successfully returned a response |
| Server     | Name of the MCP server that handled the request     |
| Capability | The tool used to process the request                |
| Duration   | Processing time for the request in milliseconds     |
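
The fields above are enough for first-pass triage once the logs are exported. The following is an added example, not code from the Cloudflare docs: it runs three checks over a handful of portal log records, per-server error rate, tools invoked that are not on the list the admin meant to expose (a drift check, since a capability sync enables new tools automatically), and unusually slow calls. The JSON key names mirror the table columns but are an assumption, and the records are constructed for the example rather than taken from a real Logpush export.

```javascript
// Added example (not from the Cloudflare docs): offline triage of MCP portal
// log records. Keys follow the dashboard columns (time, status, server,
// capability, duration) but are an assumption; the records are constructed.

const SAMPLE_PORTAL_LOGS = [
  { time: "2025-06-01T09:00:01Z", status: "success", server: "docs", capability: "search_cloudflare_documentation", duration: 180 },
  { time: "2025-06-01T09:00:05Z", status: "success", server: "jira", capability: "get_issue", duration: 420 },
  { time: "2025-06-01T09:00:09Z", status: "error", server: "jira", capability: "get_issue", duration: 4000 },
  { time: "2025-06-01T09:00:12Z", status: "success", server: "jira", capability: "delete_issue", duration: 310 },
  { time: "2025-06-01T09:00:15Z", status: "error", server: "jira", capability: "delete_issue", duration: 5200 },
  { time: "2025-06-01T09:00:20Z", status: "success", server: "wiki", capability: "read_page", duration: 95 },
];

// Call count, error count and error rate per upstream server.
function summarizeByServer(records) {
  const out = {};
  for (const r of records) {
    const s = out[r.server] || (out[r.server] = { calls: 0, errors: 0, errorRate: 0 });
    s.calls += 1;
    if (r.status !== "success") s.errors += 1;
  }
  for (const s of Object.values(out)) s.errorRate = s.errors / s.calls;
  return out;
}

// Tools that were invoked but are not on the per-server allowlist of tools the
// admin intended to expose. allowlist shape: { server: [capability, ...] }.
function findUnexpectedTools(records, allowlist) {
  const counts = new Map();
  for (const r of records) {
    const allowed = allowlist[r.server] || [];
    if (allowed.includes(r.capability)) continue;
    const key = `${r.server}\u0000${r.capability}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .map(([key, count]) => {
      const [server, capability] = key.split("\u0000");
      return { server, capability, count };
    })
    .sort((a, b) => b.count - a.count);
}

// Calls whose duration exceeded thresholdMs, slowest first.
function slowCalls(records, thresholdMs) {
  return records.filter((r) => r.duration > thresholdMs).sort((a, b) => b.duration - a.duration);
}
```

The allowlist for `findUnexpectedTools` should be the set of tools you enabled when configuring the portal; anything else appearing in the logs is either a tool that arrived through a sync or a server you did not expect to be reachable.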

### Export logs with Logpush

Availability

Only available on Enterprise plans.

You can automatically export MCP portal logs to third-party storage destinations or security information and event management (SIEM) tools using [Logpush](https://developers.cloudflare.com/logs/logpush/). This allows you to integrate with your existing security workflows and retain logs for as long as your business requires.

To set up a Logpush job for MCP portal logs, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). For a list of available log fields, refer to [MCP portal logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/mcp%5Fportal%5Flogs/).

## Troubleshooting

### After authenticating to the portal, my user receives the error `No allowed servers available, check your Zero Trust Policies`.

1. An MCP portal and server must both have an attached Access policy. Ensure that all MCP servers assigned to the portal have their own associated policy.
2. The server's admin authentication may be expired. Check that the [server's status](#server-status) is **Ready**. If the status shows an error, [reauthenticate the server](#reauthenticate-the-mcp-server).

### The portal URL does not prompt for authentication when it is added to an MCP client.

1. Verify that the portal has an assigned Access policy.
2. Verify that the portal URL does not have any applied [Workers](https://developers.cloudflare.com/workers/configuration/routing/custom-domains/), [Page Rules](https://developers.cloudflare.com/rules/page-rules/manage/), [custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) definitions, or any other configuration that may interfere with its ability to connect to the MCP client.


---

---
title: Secure MCP servers
description: Secure MCP servers with Cloudflare Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Secure MCP servers

You can secure [Model Context Protocol (MCP) servers ↗](https://www.cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) with Cloudflare Access. There are two approaches depending on how your MCP server handles authentication:

| Approach                                                        | Best for                                                                                           | Auth handled by                                        |
| --------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
| [Self-hosted application](#self-hosted-application-recommended) | MCP servers where you want Access to handle all authentication and authorization                   | Cloudflare Access                                      |
| [Access for SaaS (OIDC)](#access-for-saas-application)          | MCP servers that implement their own OAuth flow and need Cloudflare as the identity/token provider | Your MCP server code, with Access as the OIDC provider |

## Self-hosted application (recommended)

The following guide deploys a remote MCP server on [Cloudflare Workers](https://developers.cloudflare.com/workers/) and protects it with a [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). Cloudflare Access handles the full OAuth flow automatically — the MCP server does not need to implement any authorization logic. When users connect using an MCP client, Access prompts them to log in to your [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) and only grants access if they pass your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors).

### Prerequisites

* Create a [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization).
* Configure [One-time PIN](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) or connect a third-party [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

### 1\. Deploy an example MCP server

To deploy our [example MCP server ↗](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access-self-hosted) to your Cloudflare account:

**Dashboard**

1. Select the following button to launch the quickstart flow:  
[![Deploy to Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access-self-hosted)
2. Select the account that contains your Zero Trust organization.
3. On the **Create an application** page, configure the following fields:  
   * **Git account**: Select an existing account or connect a new GitHub or GitLab account.  
   * **Create private Git repository**: Choose whether the project repository should be public or private.  
   * **Project name**: `mcp-access-self-hosted`  
We will configure `TEAM_DOMAIN` and `POLICY_AUD` in a later step.
4. Select **Create and deploy**.

The MCP server will be deployed to your `*.workers.dev` subdomain at `mcp-access-self-hosted.<YOUR_SUBDOMAIN>.workers.dev`. A new git repository will be set up on your GitHub or GitLab account for your MCP server, configured to automatically deploy to Cloudflare each time you push a change or merge a pull request to the main branch of the repository.

**CLI**

You can use the [Wrangler CLI](https://developers.cloudflare.com/workers/wrangler) to create the MCP server on your local machine and deploy it to Cloudflare.

Prerequisites

* Install [npm ↗](https://docs.npmjs.com/getting-started)
* Install [Node.js ↗](https://nodejs.org/en/)

1. Open a terminal and clone our example project:  
Terminal window  
```  
npm create cloudflare@latest -- mcp-access-self-hosted --template=cloudflare/ai/demos/remote-mcp-cf-access-self-hosted  
```  
During setup, select the following options:  
   * For _Do you want to add an AGENTS.md file to help AI coding tools understand Cloudflare APIs?_, choose `No`.  
   * For _Do you want to use git for version control?_, choose `No`.  
   * For _Do you want to deploy your application?_, choose `No` (we will be making some changes before deploying).
2. Go to the project directory:  
Terminal window  
```  
cd mcp-access-self-hosted  
```
3. You can now deploy the Worker to Cloudflare's global network:  
Terminal window  
```  
npx wrangler deploy  
```

The Worker will be deployed to your `*.workers.dev` subdomain at `mcp-access-self-hosted.<YOUR_SUBDOMAIN>.workers.dev`.

### 2\. Create a self-hosted Access application

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname** and enter your Worker URL (for example, `mcp-access-self-hosted.<YOUR_SUBDOMAIN>.workers.dev`).
5. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to define the users who can access the MCP server (for example, allow emails ending in `@yourcompany.com`).
6. Configure how users will authenticate:  
   1. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application.  
   2. (Recommended) If you plan to only allow access via a single IdP, turn on **Apply instant authentication**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.  
   3. (Optional) Turn on **Authenticate with Cloudflare One Client** to allow users to authenticate to the application using their [ Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
7. Select **Create**.
8. On the application details page, go to **Additional settings** \> **AUD tag** and copy the value. You will need this value to configure your MCP server.

**API**

1. Make a `POST` request to the [Access applications](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/create/) endpoint:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Apps and Policies Write`  
Add an Access application  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "MCP server",  
    "type": "self_hosted",  
    "domain": "mcp-access-self-hosted.<YOUR_SUBDOMAIN>.workers.dev",  
    "policies": [  
        "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"  
    ],  
    "allowed_idps": []  
  }'  
```
2. Copy the `aud` value returned in the response.

### 3\. Configure your MCP server

The MCP server validates the `Cf-Access-Jwt-Assertion` header on each request: it checks the JWT signature against your team's public keys and verifies that the issuer (`iss`) claim is your team domain and that the audience (`aud`) claim contains the application's AUD tag. You need to provide your team domain and the AUD tag so the server knows which keys to fetch and which audience to expect. The audience check is not optional: a token issued for a different Access application in the same organization is signed with the same team keys, so a server that only checks the signature would accept it. A request that arrives without a valid token must be rejected, because the header is the only proof that the request passed Access.

To configure the environment variables for our [example MCP server](#1-deploy-an-example-mcp-server):

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **Workers & Pages** page.  
[ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages)
2. Select the `mcp-access-self-hosted` Worker.
3. Go to **Settings**.
4. Under **Variables and Secrets**, update each variable with the corresponding value:  
| Workers variable | Value                                                                                         |  
| ---------------- | --------------------------------------------------------------------------------------------- |  
| TEAM\_DOMAIN     | https://<YOUR\_TEAM\_NAME>.cloudflareaccess.com                                               |  
| POLICY\_AUD      | The AUD tag copied from your [Access application](#2-create-a-self-hosted-access-application) |

**CLI**

1. Open `wrangler.jsonc` in an editor and update the `vars` section with your Access application details:  
JSONC  
```  
"vars": {  
  "TEAM_DOMAIN": "https://<YOUR_TEAM_NAME>.cloudflareaccess.com",  
  "POLICY_AUD": "<YOUR_APPLICATION_AUD_TAG>"  
}  
```
2. Redeploy the Worker:  
Terminal window  
```  
npx wrangler deploy  
```

### 4\. Test the connection

You can now connect to your MCP server at `https://mcp-access-self-hosted.<YOUR_SUBDOMAIN>.workers.dev/mcp` using [Workers AI Playground ↗](https://playground.ai.cloudflare.com/), [MCP inspector ↗](https://github.com/modelcontextprotocol/inspector), or [other MCP clients](https://developers.cloudflare.com/agents/guides/remote-mcp-server/#connect-your-mcp-server-to-claude-and-other-mcp-clients) that support remote MCP servers.

To test in Workers AI Playground:

1. Go to [Workers AI Playground ↗](https://playground.ai.cloudflare.com/).
2. Under **MCP Servers**, enter `https://mcp-access-self-hosted.<YOUR_SUBDOMAIN>.workers.dev/mcp` for the MCP server URL.
3. Select **Connect**.
4. Follow the prompts to log in to your identity provider.

Workers AI Playground will show a **Connected** status. Access will authenticate the user and inject the `Cf-Access-Jwt-Assertion` header, which the MCP server validates before serving requests.

## Access for SaaS application

If your MCP server needs to act as its own OAuth client — for example, because it runs outside of Cloudflare or needs to manage tokens directly — you can register it as an Access for SaaS OIDC application. In this setup, the MCP server implements the OAuth authorization code flow against Cloudflare Access and receives an `access_token` that it can use to call downstream services.

The following guide walks through the Access for SaaS approach. It deploys a remote MCP server on [Cloudflare Workers](https://developers.cloudflare.com/workers/) that uses Cloudflare Access as an OAuth Single Sign-On (SSO) provider. When users connect to the MCP server using an MCP client, they will be prompted to log in to your [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) and are only granted access if they pass your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors).

### Prerequisites

* Create a [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization).
* Configure [One-time PIN](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) or connect a third-party [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

### 1\. Deploy an example MCP server

To deploy our [example MCP server ↗](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) to your Cloudflare account:

**Dashboard**

1. Select the following button to launch the quickstart flow:  
[![Deploy to Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access)
2. Select the account that contains your Zero Trust organization.
3. On the **Create an application** page, configure the following fields:  
   * **Git account**: Select an existing account or connect a new GitHub or GitLab account.  
   * **Create private Git repository**: Choose whether the project repository should be public or private.  
   * **Project name**: `mcp-server-cf-access`  
   * **Select KV namespace**: _Create new_  
   * **Name your KV namespace**: `OAUTH_KV`  
We will configure `ACCESS_CLIENT_ID` and the other secret values in a later step.
4. Select **Create and deploy**.

The MCP server will be deployed to your `*.workers.dev` subdomain at `mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev`. A new git repository will be set up on your GitHub or GitLab account for your MCP server, configured to automatically deploy to Cloudflare each time you push a change or merge a pull request to the main branch of the repository.

**CLI**

You can use the [Wrangler CLI](https://developers.cloudflare.com/workers/wrangler) to create the MCP server on your local machine and deploy it to Cloudflare.

Prerequisites

* Install [npm ↗](https://docs.npmjs.com/getting-started)
* Install [Node.js ↗](https://nodejs.org/en/)

1. Open a terminal and clone our example project:  
Terminal window  
```  
npm create cloudflare@latest -- mcp-server-cf-access --template=cloudflare/ai/demos/remote-mcp-cf-access  
```  
During setup, select the following options:  
   * For _Do you want to add an AGENTS.md file to help AI coding tools understand Cloudflare APIs?_, choose `No`.  
   * For _Do you want to use git for version control?_, choose `No`.  
   * For _Do you want to deploy your application?_, choose `No` (we will be making some changes before deploying).
2. Go to the project directory:  
Terminal window  
```  
cd mcp-server-cf-access  
```
3. Create a [Workers KV namespace](https://developers.cloudflare.com/kv/concepts/kv-namespaces/) for the example server's OAuth state. The binding name must be `OAUTH_KV` if you want to run the example as written.  
Terminal window  
```  
npx wrangler kv namespace create "OAUTH_KV"  
```  
The command will output the binding name and KV namespace ID:  
```  
{  
  "kv_namespaces": [  
    {  
      "binding": "OAUTH_KV",  
      "id": "<YOUR_KV_NAMESPACE_ID>"  
    }  
  ]  
}  
```
4. Open `wrangler.jsonc` in an editor and insert your `OAUTH_KV` namespace ID:  
JSONC  
```  
"kv_namespaces": [  
  {  
    "binding": "OAUTH_KV",  
    "id": "<YOUR_KV_NAMESPACE_ID>"  
  }  
],  
```
5. You can now deploy the Worker to Cloudflare's global network:  
Terminal window  
```  
npx wrangler deploy  
```

The Worker will be deployed to your `*.workers.dev` subdomain at `mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev`.

### 2\. Create an Access for SaaS app

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **SaaS application**.
4. In **Application**, enter a custom name (for example, `MCP server`) and select the textbox that appears below.
5. Select **OIDC** as the authentication protocol.
6. Select **Add application**.
7. In **Redirect URLs**, enter the authorization callback URL for your MCP server. The callback URL for our [example MCP server](#1-deploy-an-example-mcp-server-1) is `https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/callback`.
8. Copy the following values to input into our example MCP server. Other MCP servers may require different sets of input values.  
   * **Client secret**  
   * **Client ID**  
   * **Token endpoint**  
   * **Authorization endpoint**  
   * **Key endpoint**
9. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider.
10. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to define the users who can access the MCP server.
11. Configure how users will authenticate:  
   1. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application.  
   2. (Recommended) If you plan to only allow access via a single IdP, turn on **Apply instant authentication**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.  
   3. (Optional) Turn on **Authenticate with Cloudflare One Client** to allow users to authenticate to the application using their [ Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
12. Select **Create**.

**API**

1. Make a `POST` request to the [Access applications](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/create/) endpoint:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Apps and Policies Write`  
Add an Access application  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "MCP server",  
    "type": "saas",  
    "saas_app": {  
        "auth_type": "oidc",  
        "redirect_uris": [  
            "https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/callback"  
        ],  
        "grant_type": [  
            "authorization_code",  
            "refresh_tokens"  
        ],  
        "refresh_token_options": {  
            "lifetime": "90d"  
        }  
    },  
    "policies": [  
        "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"  
    ],  
    "allowed_idps": []  
  }'  
```
2. Copy the `client_id` and `client_secret` returned in the response.
3. Build the OAuth endpoint URLs using your team name and the `client_id` returned in the response:  
| Endpoint               | URL                                                                                          |  
| ---------------------- | -------------------------------------------------------------------------------------------- |  
| Token endpoint         | https://<TEAM\_NAME>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<CLIENT\_ID>/token         |  
| Authorization endpoint | https://<TEAM\_NAME>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<CLIENT\_ID>/authorization |  
| Key endpoint           | https://<TEAM\_NAME>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<CLIENT\_ID>/jwks          |

### 3\. Configure your MCP server

Your MCP server needs to perform an OAuth 2.0 authorization flow to get an `access_token` from the SaaS app created in [Step 2](#2-create-an-access-for-saas-app). When setting up the OAuth client on your MCP server, you will need to paste in the OAuth endpoints and credentials from the Access for SaaS app.

To add OAuth endpoints and credentials to our [example MCP server](#1-deploy-an-example-mcp-server-1):

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **Workers & Pages** page.  
[ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages)
2. Select the `mcp-server-cf-access` Worker.
3. Go to **Settings**.
4. Under **Variables and Secrets**, update each secret with the corresponding value obtained from the [Access for SaaS app](#2-create-an-access-for-saas-app).  
| Workers secret             | SaaS app field         |  
| -------------------------- | ---------------------- |  
| ACCESS\_CLIENT\_ID         | Client ID              |  
| ACCESS\_CLIENT\_SECRET     | Client secret          |  
| ACCESS\_TOKEN\_URL         | Token endpoint         |  
| ACCESS\_AUTHORIZATION\_URL | Authorization endpoint |  
| ACCESS\_JWKS\_URL          | Key endpoint           |  
Note  
Use the Client ID, Client secret, and OAuth endpoints copied from the Cloudflare One dashboard. Do not use the OAuth values from your [third-party identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/).
5. For `COOKIE_ENCRYPTION_KEY`, you can use the following command to generate a random string:  
Terminal window  
```  
openssl rand -hex 32  
```  
Enter the output of this command into `COOKIE_ENCRYPTION_KEY`.

**CLI**

1. Create the following [Workers secrets](https://developers.cloudflare.com/workers/configuration/secrets/):  
Terminal window  
```  
npx wrangler secret put ACCESS_CLIENT_ID  
npx wrangler secret put ACCESS_CLIENT_SECRET  
npx wrangler secret put ACCESS_TOKEN_URL  
npx wrangler secret put ACCESS_AUTHORIZATION_URL  
npx wrangler secret put ACCESS_JWKS_URL  
```
2. When prompted to enter a secret value, paste the corresponding values obtained from the [Access for SaaS app](#2-create-an-access-for-saas-app).  
| Workers secret             | SaaS app field         |  
| -------------------------- | ---------------------- |  
| ACCESS\_CLIENT\_ID         | Client ID              |  
| ACCESS\_CLIENT\_SECRET     | Client secret          |  
| ACCESS\_TOKEN\_URL         | Token endpoint         |  
| ACCESS\_AUTHORIZATION\_URL | Authorization endpoint |  
| ACCESS\_JWKS\_URL          | Key endpoint           |  
Note  
Use the Client ID, Client secret, and OAuth endpoints copied from the Cloudflare One dashboard. Do not use the OAuth values from your [third-party identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/).
3. Generate a random string for the cookie encryption key:  
Terminal window  
```  
openssl rand -hex 32  
```  
Store the output of this command in a Workers secret:  
Terminal window  
```  
npx wrangler secret put COOKIE_ENCRYPTION_KEY  
```

### 4\. Test the connection

You can now connect to your MCP server at `https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/mcp` using [Workers AI Playground ↗](https://playground.ai.cloudflare.com/), [MCP inspector ↗](https://github.com/modelcontextprotocol/inspector), or [other MCP clients](https://developers.cloudflare.com/agents/guides/remote-mcp-server/#connect-your-mcp-server-to-claude-and-other-mcp-clients) that support remote MCP servers.

To test in Workers AI Playground:

1. Go to [Workers AI Playground ↗](https://playground.ai.cloudflare.com/).
2. Under **MCP Servers**, enter `https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/mcp` for the MCP server URL.
3. Select **Connect**.
4. A popup window will appear requesting access to the MCP server. Select **Approve**.
5. Follow the prompts to log in to your identity provider.

Workers AI Playground will show a **Connected** status. The MCP server should successfully obtain an `access_token` from Cloudflare Access.

## Next steps

To allow the MCP server to make authenticated requests to other self-hosted applications on behalf of the user, create a [Linked App Token](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/linked-apps/) policy on the downstream application. The MCP server forwards the `Cf-Access-Jwt-Assertion` header it receives from Access as a `Cf-Access-Token` header to the downstream application.


---

---
title: Add bookmarks
description: Add bookmarks in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Add bookmarks

With Cloudflare One, you can show applications on the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) even if those applications are not secured behind Access. This way, users can access all the applications they need to work, all in one place — regardless of whether those applications are protected by Access.

Links to applications not protected by Access can be added as bookmarks. You can assign [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control which users see the bookmark in the App Launcher. Users who do not match an Allow policy will not see the bookmark tile. Unlike policies for other Access application types, bookmark policies only affect visibility in the App Launcher and do not control access to the destination URL.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **Bookmarks**.
3. Name your application.
4. Enter your **Application URL**, for example `https://mybookmark.com`.
5. (Optional) To restrict who can see the bookmark, select an existing policy or create a new one. If you do not add any policies, the bookmark is visible to all users in your organization.  
   * To use an existing policy, select **Select existing policies** and choose the policies you want to apply. Refer to [supported policies](#supported-policies) for policy limitations.  
   * To create a new policy, select **Create new policy** and [build your policy rules](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).
6. Select **Next**.
7. Turn on **App Launcher visibility** if you want the application to be visible in the App Launcher. The toggle does not impact the ability for users to reach the application.
8. (Optional) To add a custom logo for your application, select **Custom** and enter the image URL.  
Note  
If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will.
9. Select **Save**.

The application will show up on the Applications page labeled as `BOOKMARK`. You can always edit or delete your bookmarks, as you would any other application.

## Authentication logs

Bookmark applications do not generate individual [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/#authentication-logs) when a user selects the bookmark tile. Only the authentication event to the App Launcher itself is logged.

## Supported bookmark policies

Bookmark policies support all [Access policy selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors), including

* Identity-based selectors (such as emails, email domains, or identity provider groups)
* Location-based selectors (such as country or IP ranges)
* Device posture checks (requires installing the Cloudflare One Client)

The following policy features are not supported for bookmark applications:

* [Isolate application](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/)
* [Purpose justification](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/require-purpose-justification/)
* [Temporary authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/temporary-auth/)

If you attempt to assign a policy that uses an unsupported feature, the dashboard will display an error.

Device posture policies

To show bookmarks only to users on managed devices, assign a policy that requires device posture checks (such as [Require Gateway](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/)). The bookmark will only appear in the App Launcher for users whose devices satisfy the posture requirements.


---

---
title: Choose an application type
description: Learn which Cloudflare Access application type fits your deployment.
image: https://developers.cloudflare.com/zt-preview.png
---


# Choose an application type

Cloudflare Access sits in front of your applications and checks every request against your Access policies before letting users through. It supports several application types, each designed for a different use case. Your choice depends on where your application is hosted, how users connect to it, and what level of control you need over sessions and authorization.

Most teams start with self-hosted applications and expand to SaaS applications, infrastructure targets, or a combination over time.

## Compare application types

The following table summarizes the key differences between each application type. For detailed setup instructions, refer to the section for each type.

|                                      | Self-hosted application                                                                                                           | SaaS application                                                                   | Infrastructure application                                                              | Bookmark                                                                         |
| ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| **What it protects**                 | Resources you own and manage: public web apps, private network destinations, and Cloudflare Workers                               | Third-party SaaS tools your team uses (Salesforce, Atlassian, Workday)             | Individual servers and infrastructure targets, reachable over public or private network | External URLs displayed in the App Launcher (not gated by Access authentication) |
| **Requires Cloudflare One Client**   | Depends on destination type and [policy requirements](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) | No                                                                                 | Yes                                                                                     | No                                                                               |
| **Clientless access available**      | Yes (public hostnames, browser isolation, cloudflared access CLI)                                                                 | Not applicable — users access the SaaS app directly                                | No                                                                                      | Not applicable                                                                   |
| **Authentication and authorization** | Access policies with session management and application tokens signed to the application                                          | Access policies with SAML/OIDC assertion                                           | Infrastructure policies with protocol-aware authorization (ports, usernames)            | Visibility-only policies for the App Launcher                                    |
| **Private network routing required** | Only for private destinations                                                                                                     | No                                                                                 | Yes                                                                                     | No                                                                               |
| **Session and token management**     | Full (application tokens, session duration, forced re-authentication)                                                             | Full                                                                               | Full                                                                                    | None                                                                             |
| **Audit logging**                    | Authentication events and per-request Access logs                                                                                 | Authentication events                                                              | Authentication events, SSH command logs                                                 | App Launcher authentication only                                                 |
| **Use when**                         | Most use cases — web apps, private apps, Zero Trust networking, Workers                                                           | Enforcing compliance for SaaS apps, supporting multiple identity providers for SSO | Granular server access control with protocol-level authorization                        | Organizing links in a single portal                                              |

## Self-hosted applications

Self-hosted applications are the most versatile application type and account for the majority of Access deployments. A self-hosted application represents any resource where you control where traffic goes — whether that is a public website on Cloudflare DNS, a non-web service on your private network connected with a Cloudflare Tunnel, or a Worker running on Cloudflare.

Self-hosted applications use the full Access policy engine, including session management, application tokens, forced re-authentication, device posture checks, and identity provider groups.

### Public hostname applications

If your application is already on the public Internet with DNS managed through Cloudflare (or a partial CNAME setup, where your DNS is hosted elsewhere but Cloudflare proxies the traffic), you can place Access in front of it by matching the application's hostname. Cloudflare proxies the request, presents a login page, and only forwards traffic to your origin after the user passes your Access policies.

This is the most common starting point. You do not need to install anything on the user's device — authentication happens entirely in the browser.

For setup instructions, refer to [Add a self-hosted public application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/).

### Private applications

You can also use self-hosted applications to protect resources on your private network by targeting specific private IPs, hostnames, or CIDR ranges (blocks of IP addresses, for example `10.0.0.0/8`) with an attached port or port range. This is the primary method for building Zero Trust network access on Cloudflare.

Private network applications require that users route traffic through Cloudflare — typically by running the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on their device. You must also connect your private network to Cloudflare using a [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) or [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/).

With private network applications, you define the same types of Access policies as you do for public applications, but apply them to private destinations. This gives you granular, identity-aware control over who can reach what on your network — replacing broad VPN-level access with per-application or per-service policies. Access policies are reusable, so you can apply the same policy across multiple applications.

For setup instructions, refer to [Add a self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).

### Protecting Workers

Self-hosted applications can also protect a Cloudflare Worker directly by name, rather than by hostname or IP. When you select a Worker as the destination, you can cover the Worker together with all of its preview deployments, or cover the preview deployments only.

This is the safest and most straightforward way to put authentication in front of a Worker. Instead of configuring individual routes on the Worker and managing authentication at the route level, you link the entire Worker (and optionally its preview deployments) to an Access application. Any request to the Worker on any route passes through Access first.

### CLI access with cloudflared

Self-hosted applications support client-side `cloudflared` authentication. Users can install `cloudflared` on their device and run `cloudflared access login <hostname>` from the command line to authenticate through your Access policies without the Cloudflare One Client installed. This is useful for SSH sessions, API calls, and other command-line workflows where a browser-based login flow is impractical.

For more information, refer to [cloudflared authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/).

## SaaS applications

SaaS applications are for third-party tools that your organization uses but does not host — services like Salesforce, Atlassian, Slack, or Workday. With a SaaS application, you configure Cloudflare Access as the single sign-on (SSO) provider for the third-party service using SAML or OIDC, the two most common identity federation protocols.

When users sign in to the SaaS application, they are redirected to Cloudflare. Cloudflare redirects to your configured identity provider for authentication, then evaluates your Access policies against the authenticated user. If the user passes both checks, Cloudflare issues a signed credential (a SAML assertion or OIDC token) back to the SaaS application confirming the user's identity.

### When to use SaaS applications

Use a SaaS application when you want to:

* **Enforce consistent Access policies across third-party tools.** Apply the same identity, device posture, and location requirements that you use for your internal applications to external SaaS tools.
* **Aggregate multiple identity providers.** Cloudflare can federate authentication across multiple identity providers (IdPs), which means you can swap or add identity providers without reconfiguring each SaaS application individually. This is not typically possible with direct SSO integrations.
* **Apply Cloudflare-specific controls.** Enforce requirements that your SaaS provider cannot check on its own — for example, requiring the Cloudflare One Client or passing a device posture check before granting access to the SaaS tool.

### Limitations

SaaS applications require that the third-party tool supports SAML or OIDC federation. Not all SaaS tools offer this, and some impose restrictions on the number of SSO integrations or the features available through federated authentication. Check your SaaS vendor's documentation for SSO compatibility.

For setup instructions, refer to [SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/).

## Infrastructure applications

Infrastructure applications provide protocol-aware access control for servers and infrastructure targets, whether reachable over a public hostname or a private network. Unlike self-hosted applications, which evaluate whether a user can reach a destination, infrastructure applications also control what a user can do after connecting — which usernames they can authenticate as, which ports they can access, and which commands they can run.

Infrastructure applications require the Cloudflare One Client. For targets on your private network, you must also connect the network to Cloudflare through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) or [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/).

### When to use infrastructure applications

Use an infrastructure application when you need:

* **Protocol-level authorization.** Define policies that grant specific users access to specific ports and usernames on a target server.
* **Command logging.** All SSH sessions and commands are logged for compliance and auditing. You can export logs to a storage service or SIEM using [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).
* **Short-lived certificates.** Eliminate long-lived SSH keys by authenticating users with certificates that expire quickly. This removes the risk of a stolen or forgotten key granting permanent access to your servers.

Infrastructure applications support SSH. You can still use [self-hosted applications](#self-hosted-applications) to secure access to servers over other protocols (including SSH), but only infrastructure applications add protocol-level authorization (which usernames, ports, and commands a user may use) on top of controlling who can connect.

For setup instructions, refer to [Add an infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/).

## Bookmarks

Bookmarks are not secured by Access. A bookmark is a link to any URL that you want to display in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) alongside your other applications. You can assign Access policies to bookmarks, but those policies only control whether the bookmark tile is visible in the App Launcher — they do not protect the destination URL.

Use bookmarks to give users a single portal where they can find all of the tools they use, including external applications that are not integrated with Cloudflare.

For setup instructions, refer to [Add bookmarks](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/).

## Private network applications (legacy)

Note

Not recommended for new deployments. Use a [self-hosted application](#private-applications) to secure private network destinations instead.

The legacy private network application type creates Gateway Network policies to control access to a private IP address. When you add a legacy private network application, Cloudflare generates two Gateway rules — one Allow rule and one Block rule — because Gateway Network policies are not default-deny (unlike Access policies, which require an explicit Allow rule before any user can reach a protected application).
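The reason for the generated Allow/Block pair is the engine's default decision, which is the part that is easy to get wrong when policies are written by hand. The following Go program is an added example, not Cloudflare's code: it models a first-match policy evaluator with a configurable default and builds the two-rule pair the paragraph describes. The rule shape (a destination prefix plus a user set) and the e-mail addresses and subnet are constructed simplifications; the real Gateway selectors are richer.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is a policy decision.
type Action int

const (
	Allow Action = iota
	Block
)

func (a Action) String() string {
	if a == Allow {
		return "Allow"
	}
	return "Block"
}

// Rule is a simplified model of a Gateway Network policy: it matches a
// destination prefix and either a named set of users or, when Users is nil,
// every user. (Constructed for this example; the real selectors are richer.)
type Rule struct {
	Name   string
	Action Action
	Users  map[string]bool
	Prefix netip.Prefix
}

// Evaluate applies rules in order and returns the first match. When nothing
// matches it returns dflt, which is the property that differs between the two
// engines: Access policies default to Block, Gateway Network policies to Allow.
func Evaluate(rules []Rule, user string, dest netip.Addr, dflt Action) (Action, string) {
	for _, r := range rules {
		if !r.Prefix.Contains(dest) {
			continue
		}
		if r.Users != nil && !r.Users[user] {
			continue
		}
		return r.Action, r.Name
	}
	return dflt, "engine default"
}

// LegacyPrivateNetworkRules mirrors the pair the page says Cloudflare generates
// for a legacy private network application: an Allow for the permitted users
// followed by a Block for everyone else on the same destination. On a
// default-Allow engine the trailing Block is what makes the destination private.
func LegacyPrivateNetworkRules(prefix netip.Prefix, permitted map[string]bool) []Rule {
	return []Rule{
		{Name: "allow permitted users", Action: Allow, Users: permitted, Prefix: prefix},
		{Name: "block everyone else", Action: Block, Users: nil, Prefix: prefix},
	}
}

func main() {
	prefix := netip.MustParsePrefix("10.0.10.0/24") // constructed private subnet
	permitted := map[string]bool{"alice@example.com": true}
	dest := netip.MustParseAddr("10.0.10.7")
	allowOnly := []Rule{{Name: "allow permitted users", Action: Allow, Users: permitted, Prefix: prefix}}

	a, by := Evaluate(allowOnly, "bob@example.com", dest, Allow)
	fmt.Printf("Gateway, Allow rule only: bob -> %s (%s)\n", a, by) // Allow (engine default)
	a, by = Evaluate(allowOnly, "bob@example.com", dest, Block)
	fmt.Printf("Access, Allow rule only:  bob -> %s (%s)\n", a, by) // Block (engine default)
	a, by = Evaluate(LegacyPrivateNetworkRules(prefix, permitted), "bob@example.com", dest, Allow)
	fmt.Printf("Gateway, generated pair:  bob -> %s (%s)\n", a, by) // Block (block everyone else)
}
```

The middle case is the one to remember when auditing hand-written Gateway Network policies: an Allow rule on its own narrows nothing on a default-Allow engine, so a private destination is only private once a matching Block follows it.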

Legacy private network applications do not support per-session management, application tokens, or the full set of features available in Access policies. This application type is deprecated for new customers and remains available to existing customers.

If you are currently using legacy private network applications, we strongly recommend migrating to [self-hosted private network applications](#private-applications) for more comprehensive policy controls and session management.

For more information, refer to [Private network applications (legacy)](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/).


---

---
title: Add web applications
description: How Add web applications works in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Add web applications

Cloudflare Access allows you to secure your web applications by acting as an identity-aware proxy. Access sits in front of your application and checks each request against your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) before allowing it through. You can use signals from your existing identity providers (IdPs), device posture providers, and [other selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) to control who can reach the application.

![Cloudflare Access verifies a user's identity before granting access to your application.](https://developers.cloudflare.com/_astro/diagram-saas.BmFlwn8e_Z853ac.webp) 

You can protect the following types of web applications:

* [**SaaS applications**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
* **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.  
   * [**Public hostname applications**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) or [partial CNAME setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/).  
   * [**Private network applications**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on the user's device. Alternative options include forwarding traffic from a [network location](https://developers.cloudflare.com/cloudflare-wan/), using [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/), or [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).
* [**Model Context Protocol (MCP) servers**](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server ↗](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.
* [**Cloudflare Dashboard SSO**](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.


---

---
title: Authorization cookie
description: Learn how Cloudflare Access uses CF_Authorization cookies to secure self-hosted web applications.
image: https://developers.cloudflare.com/zt-preview.png
---


# Authorization cookie

When you protect a site with Cloudflare Access, Cloudflare checks every HTTP request bound for that site to ensure that the request has a valid `CF_Authorization` cookie. If a request does not include the cookie, Access will block the request.

## Access JWTs

The `CF_Authorization` cookie contains the user's identity in the form of a [JSON Web Token (JWT) ↗](https://www.cloudflare.com/learning/access-management/token-based-authentication/). Cloudflare securely creates these tokens through the OAuth or SAML integration between Cloudflare Access and the configured identity provider.

Access generates two separate `CF_Authorization` tokens depending on the domain:

* **Global session token**: Generated when a user logs in to Access. This token is stored as a cookie at your team domain (for example, `https://<your-team-name>.cloudflareaccess.com`) and prevents a user from needing to log in to each application.
* [**Application token**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/): Generated for each application that a user reaches. This token is stored as a cookie on the protected domain (for example, `https://jira.site.com`) and may be used to [validate requests](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json) on your origin.
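Because the application token is what your origin can check, the origin-side validation deserves a concrete shape. The Go program below is an added example and not Cloudflare's code: it pulls the `CF_Authorization` cookie off an incoming request, pins the algorithm to RS256 (the algorithm Access uses for these tokens; the signing keys are published on your team domain, but here the public key is passed in directly so the example runs offline), verifies the signature, and only then checks issuer, audience and expiry. The claim names `aud`, `iss`, `exp` and `email`, the team domain, the audience tag and the e-mail address are assumptions and constructed values, and `signTestToken` stands in for Cloudflare's signing step.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// AccessClaims holds the claims this example checks. The claim names and the
// array-valued aud are assumptions about the token payload for this example.
type AccessClaims struct {
	Audience []string `json:"aud"`
	Issuer   string   `json:"iss"`
	Expiry   int64    `json:"exp"`
	Email    string   `json:"email"`
}

// TokenFromRequest returns the CF_Authorization cookie value, or "" when the
// request carries none. A missing token means unauthenticated, never "pass".
func TokenFromRequest(r *http.Request) string {
	c, err := r.Cookie("CF_Authorization")
	if err != nil {
		return ""
	}
	return c.Value
}

// VerifyAccessToken verifies an RS256 JWT with pub (the team domain's signing
// key) and then checks issuer, audience and expiry. Any failure yields an error.
func VerifyAccessToken(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (*AccessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, errors.New("bad header")
	}
	// Pin the algorithm: the token must not get to choose it ("none" or an
	// HMAC alg keyed with the public key are the classic confusion attacks).
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// Only a signed payload is worth parsing.
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var claims AccessClaims
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, errors.New("bad payload")
	}
	if claims.Issuer != issuer {
		return nil, fmt.Errorf("issuer %q is not the expected team domain", claims.Issuer)
	}
	if !contains(claims.Audience, audience) {
		return nil, errors.New("token was issued for a different Access application")
	}
	if !now.Before(time.Unix(claims.Expiry, 0)) {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// signTestToken mints an RS256 token with a locally generated key so the
// example runs offline. It stands in for Cloudflare's signing step only.
func signTestToken(priv *rsa.PrivateKey, claims AccessClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." +
		base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	// Constructed: a throwaway key in place of the team domain's key, and an
	// audience tag standing in for the application's audience value.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuer, aud, now := "https://example-team.cloudflareaccess.com", "constructed-app-audience", time.Now()
	token, _ := signTestToken(priv, AccessClaims{Audience: []string{aud}, Issuer: issuer,
		Expiry: now.Add(time.Hour).Unix(), Email: "alice@example.com"})
	req, _ := http.NewRequest("GET", "https://jira.site.com/", nil)
	req.AddCookie(&http.Cookie{Name: "CF_Authorization", Value: token})
	claims, err := VerifyAccessToken(TokenFromRequest(req), &priv.PublicKey, issuer, aud, now)
	fmt.Println(claims.Email, err) // alice@example.com <nil>
	_, err = VerifyAccessToken(TokenFromRequest(req), &priv.PublicKey, issuer, "other-app", now)
	fmt.Println(err) // token was issued for a different Access application
}
```

The order of checks is deliberate: signature first, claims second, and the audience check is what stops a token minted for one Access application from being replayed against another one on the same team domain.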

### Multi-domain applications

Cloudflare Access allows you to protect and manage multiple domains in a single [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). After a user has successfully authenticated to one domain, Access will automatically issue a `CF_Authorization` cookie when they go to another domain in the same Access application. This means that users only need to authenticate once to a multi-domain application.

For Access applications with five or fewer domains, Access preemptively sets the cookie for all domains through a series of redirects when the user first authenticates. This allows single-page applications (SPAs) to retrieve data from other subdomains without requiring the user to visit each subdomain individually. Wildcarded subdomains (for example, `*.example.com`) cannot receive preemptive cookies because Access does not know which concrete subdomain to redirect to. Wildcarded paths are supported.

For Access applications with more than five domains, Access does not preemptively set cookies. Instead, cookies are issued as the user visits each domain. This avoids the latency that would result from redirecting through a large number of domains during authentication.

## Access cookies

The following Access cookies are essential to Access functionality and are not used for tracking or analytics. Cookies marked as required cannot be opted out of.

### CF\_Authorization (team domain)

| Details | Expiration | HttpOnly | SameSite | Required? |
| --- | --- | --- | --- | --- |
| [JSON web token (JWT)](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts) set on the cloudflareaccess.com [team domain](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) | If set, adheres to [global session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#global-session-duration). If not, adheres to [application session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration). If neither is set, defaults to 24 hours. | Yes | None | Required |

### CF\_Authorization (Access application domain)

| Details | Expiration | HttpOnly | SameSite | Required? |
| --- | --- | --- | --- | --- |
| [JSON web token (JWT)](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin | If set, adheres to [policy session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration). If not, adheres to [application session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration). If neither is set, defaults to 24 hours. | Admin choice (Default: None) | Admin choice (Default: None) | Required |

### CF\_Binding

| Details | Expiration | HttpOnly | SameSite | Required? |
| --- | --- | --- | --- | --- |
| Refer to [Binding cookie](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) | If set, adheres to [policy session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration). If not, adheres to [application session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration). If neither is set, defaults to 24 hours. | Yes | None | Optional |

### CF\_Session

| Details                                                                                                                                                                                                                                                   | Expiration | HttpOnly | SameSite | Required? |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- |
| [CSRF ↗](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used on the cloudflareaccess.com [team domain](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) | 4 hours    | Yes      | None     | Required  |

### CF\_AppSession

| Details                                                                                                                                                                       | Expiration | HttpOnly | SameSite | Required? |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- |
| [CSRF ↗](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used per application domain, scoped to individual applications behind Access | 24 hours   | Yes      | None     | Required  |

### CF\_Device

| Details                                                                                                                                                                                                                                                                                                                                                                                                                                            | Expiration | HttpOnly | SameSite | Required? |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- |
| Cookie set on the cloudflareaccess.com [team domain](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name), used to prevent abuse of [one-time PIN](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) and [multi-factor authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/) flows | 30 days    | Yes      | Strict   | Required  |

## Cookie settings

Cloudflare Access provides optional security settings that can be added to the browser cookies generated by Access for an authenticated user.

* [SameSite](#samesite-attribute)
* [HttpOnly flag](#httponly)
* [Binding cookie](#binding-cookie)
* [Cookie path](#cookie-path-attribute)

To enable these settings:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Locate the application you would like to configure and select **Configure**.
3. Select **Advanced settings** and scroll down to **Cookie settings**.
4. Configure the desired cookie settings.
5. Select **Save**.

### SameSite Attribute

The [SameSite ↗](https://web.dev/samesite-cookies-explained/) Attribute selector restricts the cookie to only being sent if the cookie's defined site matches the site being requested in the browser. This adds protection against [cross-site request forgery (CSRF) ↗](https://en.wikipedia.org/wiki/Cross-site%5Frequest%5Fforgery).

The selector options are:

* **None** \- Cookies will be sent in all contexts, including cross-origin requests.
* **Lax** \- Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by third party websites.
* **Strict** \- Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.

Refer to the [Mozilla documentation ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value) for more information.

Warning

If you receive `ERR_TOO_MANY_REDIRECTS` errors, make sure `SameSite` is set to None or Lax. Setting `SameSite` to Strict can result in a redirect loop.

#### When not to use SameSite

Do not enable `SameSite` restrictions if you have additional sites or applications that rely on a specific application's authorization cookie.

### HttpOnly

The `HttpOnly` flag is a cookie attribute that prevents the cookie from being accessed by any client-side scripts, reducing the likelihood of Cross-Site Scripting (XSS) attacks. This flag is enabled by default.

#### When not to use HttpOnly

Do not enable `HttpOnly` if:

* You are using the Access application for non-browser-based tools (such as SSH or RDP).
* You have software that relies on being able to access a user's cookie generated by Access.

### Binding cookie

The binding cookie (`CF_Binding`) is an optional cookie issued when a user successfully authenticates. The binding cookie is sent by the user's browser and tied to a specific application's `CF_Authorization` cookie. This cookie is stripped at Cloudflare's network and never forwarded to the origin server.

The `CF_Authorization` cookie cannot be used without the associated binding cookie, which prevents a stolen `CF_Authorization` cookie from being reused by an attacker. If a request arrives at Cloudflare's network with a valid `CF_Authorization` cookie but without the expected binding cookie, Cloudflare rejects the request.

#### When not to use Binding Cookie

Do not enable Binding Cookie if:

* You are using the Access application for non-browser-based tools (such as SSH or RDP).
* You have enabled [incompatible Cloudflare products](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#product-compatibility) on the application domain, such as [Zaraz](https://developers.cloudflare.com/zaraz) or [Google tag gateway](https://developers.cloudflare.com/google-tag-gateway/). Enabling Binding Cookie alongside these products can cause an authentication redirect loop (`ERR_TOO_MANY_REDIRECTS`).
* You have turned on [Authenticate with Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/) for the application.

### Cookie Path Attribute

The Cookie Path Attribute adds the application's path URL to the `CF_Authorization` cookie. When enabled, a user who logs in to `example.com/path1` must re-authenticate to access `example.com/path2`. When disabled, the `CF_Authorization` cookie is only scoped to the domain and subdomain.

## Allow third-party cookies in the browser

By default, some browsers block all third-party cookies in private browsing mode, including the `CF_Authorization` cookie. For XHR requests to work in private windows, you will need to exempt your application and team domain from the browser's tracking protection system.

To enable third-party cookies for an Access application:

**Chrome**

1. Go to **Settings** \> **Privacy and security** \> **Cookies and other site data**.
2. Under **Sites that can always use cookies**, add the following URLs:
   * Hostname of your Access application (for example, `https://jira.site.com`)
   * `https://<your-team-name>.cloudflareaccess.com`

**Safari**

1. Go to **Safari** \> **Settings** \> **Privacy**.
2. Deselect **Block all cookies**.

**Firefox**

1. Go to **Settings** \> **Privacy & Security**.
2. Scroll down to **Cookies and Site Data**.
3. Select **Manage Exceptions**.
4. Enter the URL of your Access application (for example, `https://jira.site.com`) and select **Allow**.
5. Enter `https://<your-team-name>.cloudflareaccess.com` and select **Allow**.
6. Select **Save Changes**.

**Brave**

1. Go to `brave://settings/cookies`.
2. Under **Sites that can always use cookies**, add the following URLs:
   * Hostname of your Access application (for example, `https://jira.site.com`)
   * `https://<your-team-name>.cloudflareaccess.com`


---

---
title: Application token
description: Learn how Cloudflare Access uses application tokens to secure your origin. Understand JWT structure and payloads.
image: https://developers.cloudflare.com/zt-preview.png
---


# Application token

Cloudflare Access includes the application token with all authenticated requests to your origin. A typical JWT looks like this:

`eyJhbGciOiJSUzI1NiIsImtpZCI6IjkzMzhhYmUxYmFmMmZlNDkyZjY0.eyJhdWQiOlsiOTdlMmFhZTEyMDEyMWY5MDJkZjhiYzk5ZmMzNDU5MTNh.zLYsHmLEginAQUXdygQo08gLTExWNXsN4jBc6PKdB`

As shown above, the JWT contains three Base64-URL values separated by dots:

* [Header](#header)
* [Payload](#payload)
* [Signature](#signature)

Unless your application is connected to Access through Cloudflare Tunnel, your application must [validate the token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) to ensure the security of your origin. Validation of the header alone is not sufficient — the JWT and signature must be confirmed to avoid identity spoofing.

## Header

```json
{
  "alg": "RS256",
  "kid": "9338abe1baf2fe492f646a736f25afbf7b025e35c627be4f60c414d4c73069b8",
  "typ": "JWT"
}
```

* `alg` identifies the signing algorithm.
* `kid` identifies the key used to sign the token.
* `typ` designates the token format.

## Payload

The payload contains the actual claim and user information to pass to the application. Payload contents vary depending on whether you authenticated to the application with an identity provider or with a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).

### Identity-based authentication

```json
{
  "aud": ["32eafc7626e974616deaf0dc3ce63d7bcbed58a2731e84d06bc3cdf1b53c4228"],
  "email": "user@example.com",
  "exp": 1659474457,
  "iat": 1659474397,
  "nbf": 1659474397,
  "iss": "https://yourteam.cloudflareaccess.com",
  "type": "app",
  "identity_nonce": "6ei69kawdKzMIAPF",
  "sub": "7335d417-61da-459d-899c-0a01c76a2f94",
  "country": "US"
}
```

| Field           | Description                                                                                                                                                                                                                                                                                                                              |
| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| aud             | [Application audience (AUD) tag](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) of the Access application.                                                                                                                              |
| email           | The email address of the authenticated user, verified by the identity provider.                                                                                                                                                                                                                                                          |
| exp             | The expiration timestamp for the token (Unix time).                                                                                                                                                                                                                                                                                      |
| iat             | The issuance timestamp for the token (Unix time).                                                                                                                                                                                                                                                                                        |
| nbf             | The not-before timestamp for the token (Unix time), used to check if the token was received before it should be used.                                                                                                                                                                                                                    |
| iss             | The Cloudflare Access domain URL for the application.                                                                                                                                                                                                                                                                                    |
| type            | The type of Access token (app for application token or org for global session token).                                                                                                                                                                                                                                                    |
| identity\_nonce | A cache key used to get the [user's identity](#user-identity).                                                                                                                                                                                                                                                                           |
| sub             | The ID of the user. This value is unique to an email address per account. The user would get a different sub if they are [removed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) and re-added to your Zero Trust organization, or if they log into a different organization. |
| country         | The country where the user authenticated from.                                                                                                                                                                                                                                                                                           |

#### Custom SAML attributes and OIDC claims

Access allows you to add custom SAML attributes and OIDC claims to your JWT for enhanced verification, if supported by your identity provider. This is configured when you set up your [SAML](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/) or [OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/) provider.

#### User identity

User identity is useful for checking application permissions. For example, your application can validate that a given user is a member of an Okta or Microsoft Entra ID group such as `Finance-Team`.

Due to cookie size limits and bandwidth considerations, the application token only contains a subset of the user's identity. To get the user's full identity, send the `CF_Authorization` cookie to `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/get-identity`. Your request should be structured as follows:

```sh
curl -H 'cookie: CF_Authorization=<user-token>' https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/get-identity
```

Access will return a JSON structure containing the following data:

| Field                  | Description                                                                                |
| ---------------------- | ------------------------------------------------------------------------------------------ |
| email                  | The email address of the user.                                                             |
| idp                    | Data from your identity provider.                                                          |
| geo                    | The country where the user authenticated from.                                             |
| user\_uuid             | The ID of the user.                                                                        |
| devicePosture          | The device posture attributes.                                                             |
| account\_id            | The account ID for your organization.                                                      |
| iat                    | The timestamp indicating when the user logged in.                                          |
| ip                     | The IP address of the user.                                                                |
| auth\_status           | The status if authenticating with mTLS.                                                    |
| common\_name           | The common name on the mTLS client certificate.                                            |
| service\_token\_id     | The Client ID of the service token used for authentication.                                |
| service\_token\_status | True if authentication was through a service token instead of an IdP.                      |
| is\_warp               | True if the user enabled WARP.                                                             |
| is\_gateway            | True if the user enabled the Cloudflare One Client and authenticated to a Zero Trust team. |
| gateway\_account\_id   | An ID generated by the Cloudflare One Client when authenticated to a Zero Trust team.      |
| device\_id             | The ID of the device used for authentication.                                              |
| version                | The version of the get-identity object.                                                    |
| device\_sessions       | A list of all sessions initiated by the user.                                              |

### Service token authentication

```json
{
  "type": "app",
  "aud": ["32eafc7626e974616deaf0dc3ce63d7bcbed58a2731e84d06bc3cdf1b53c4228"],
  "exp": 1659474457,
  "iss": "https://yourteam.cloudflareaccess.com",
  "common_name": "e367826f93b8d71185e03fe518aff3b4.access",
  "iat": 1659474397,
  "sub": ""
}
```

| Field        | Description                                                                                                                                                                                                     |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type         | The type of Access token (app for application token or org for global session token).                                                                                                                           |
| aud          | The [application audience (AUD) tag](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) of the Access application. |
| exp          | The expiration timestamp of the JWT (Unix time).                                                                                                                                                                |
| iss          | The Cloudflare Access domain URL for the application.                                                                                                                                                           |
| common\_name | The Client ID of the service token (CF-Access-Client-Id).                                                                                                                                                       |
| iat          | The issuance timestamp of the JWT (Unix time).                                                                                                                                                                  |
| sub          | Contains an empty string when authentication was through a service token.                                                                                                                                       |

## Signature

Cloudflare generates the signature by signing the encoded header and payload with RSA using SHA-256 (RS256). In RS256, a private key signs the JWTs and a separate [public key](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#access-signing-keys) verifies the signature.

For more information on JWTs, refer to [jwt.io ↗](https://jwt.io/).


---

---
title: CORS
description: CORS in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# CORS

Cross-Origin Resource Sharing ([CORS ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)) is a mechanism that uses HTTP headers to grant a web application running on one origin permission to reach selected resources in a different origin. The web application executes a cross-origin HTTP request when it requests a resource that has a different origin from its own, including domain, protocol, or port.

For a CORS request to reach a site protected by Access, the request must include a valid `CF-Authorization` cookie. This may require additional configuration depending on the type of request:

* [Simple requests ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple%5Frequests) are sent directly to the origin, without triggering a preflight request. For configuration instructions, refer to [Allow simple requests](#allow-simple-requests).
* [Preflighted requests ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted%5Frequests) cause the browser to send an OPTIONS request before sending the actual request. The OPTIONS request checks which methods and headers are allowed by the origin. For configuration instructions, refer to [Allow preflighted requests](#allow-preflighted-requests).

**Important**

* Do not troubleshoot CORS in Incognito mode, as this will cause disruptions with Access due to `CF-Authorization` being blocked as a third-party cookie on cross origin requests.
* Safari, in particular Safari 13.1, handles cookies in a unique format. In some cases, this can cause CORS to fail. This will be dependent on Apple releasing a patch for handling cookies. This is known to impact macOS 10.15.4 when running Safari 13.1 (15609.1.20.111.8).

## Allow simple requests

If you make a simple CORS request to an Access-protected domain and have not yet logged in, the request will return a `CORS error`. There are two ways you can resolve this error:

* **Option 1** — [Log in and refresh the page](#authenticate-manually).
* **Option 2** — [Create a Cloudflare Worker which automatically sends an authentication token](#send-authentication-token-with-cloudflare-worker). This method only works if both sites involved in the CORS exchange are behind Access.

### Authenticate manually

1. Visit the target domain in your browser. You will see the Access login page.
2. Log in to the target domain. This generates a `CF-Authorization` cookie.
3. Refresh the page that made the CORS request. The refresh resends the request with the newly generated cookie.

## Allow preflighted requests

If you make a preflighted cross-origin request to an Access-protected domain, the OPTIONS request will return a `403` error. This error occurs regardless of whether you have logged in to the domain. This is because the browser never includes cookies with OPTIONS requests, by design. Cloudflare will therefore block the preflight request, causing the CORS exchange to fail.

There are three ways you can resolve this error:

* **Option 1** — [Bypass OPTIONS requests to origin](#bypass-options-requests-to-origin).
* **Option 2** — [Configure Cloudflare to respond to the OPTIONS request](#configure-response-to-preflight-requests).
* **Option 3** — [Create a Cloudflare Worker which automatically sends an authentication token](#send-authentication-token-with-cloudflare-worker). This method only works if both sites involved in the CORS exchange are behind Access.

### Bypass OPTIONS requests to origin

You can configure Cloudflare to send OPTIONS requests directly to your origin server. To bypass Access for OPTIONS requests:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Locate the origin that will be receiving OPTIONS requests and select **Configure**.
3. Go to **Advanced settings** \> **Cross-Origin Resource Sharing (CORS) settings**.
4. Turn on **Bypass options requests to origin**. This will remove all existing CORS settings for this application.

It is still important to enforce CORS for the Access JWT: this option should only be used if you have CORS enforcement established in your origin server.

### Configure response to preflight requests

You can configure Cloudflare to respond to the OPTIONS request on your behalf. The OPTIONS request never reaches your origin. After the preflight exchange resolves, the browser will then send the main request which does include the authentication cookie (assuming you have logged into the Access-protected domain).

To configure how Cloudflare responds to preflight requests:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Locate the origin that will be receiving OPTIONS requests and select **Configure**.
3. Go to **Advanced settings** \> **Cross-Origin Resource Sharing (CORS) settings**.
4. Configure these [CORS settings ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the%5Fhttp%5Fresponse%5Fheaders) to match the response headers sent by your origin. For example, if you have configured `api.mysite.com` to return the following headers:

   ```
   headers: {
     'Access-Control-Allow-Origin': 'https://example.com',
     'Access-Control-Allow-Credentials' : true,
     'Access-Control-Allow-Methods': 'GET, OPTIONS',
     'Access-Control-Allow-Headers': 'office',
     'Content-Type': 'application/json',
   }
   ```

   then go to `api.mysite.com` in Access and configure **Access-Control-Allow-Origin**, **Access-Control-Allow-Credentials**, **Access-Control-Allow-Methods**, and **Access-Control-Allow-Headers**.

   ![Example CORS settings configuration in Cloudflare One](https://developers.cloudflare.com/_astro/CORS-settings.C9-43Ja__Zwvcyt.webp)
5. Select **Save**.
6. (Optional) You can check your configuration by sending an OPTIONS request to the origin with `curl`. For example,

   ```sh
   curl --head --request OPTIONS https://api.mysite.com \
     --header 'origin: https://example.com' \
     --header 'access-control-request-method: GET'
   ```

   should return a response similar to:

   ```
   HTTP/2 200
   date: Tue, 24 May 2022 21:51:21 GMT
   vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
   access-control-allow-origin: https://example.com
   access-control-allow-methods: GET
   access-control-allow-credentials: true
   expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
   report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A%2FbOOWJio%2B%2FjuJv5NC%2FE3%2Bo1zBl2UdjzJssw8gJLC4lE1lzIUPQKqJoLRTaVtFd21JK1d4g%2BnlEGNpx0mGtsR6jerNfr2H5mlQdO6u2RdOaJ6n%2F%2BS%2BF9%2Fa12UromVLcHsSA5Y%2Fj72tM%3D"}],"group":"cf-nel","max_age":604800}
   nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
   server: cloudflare
   cf-ray: 7109408e6b84efe4-EWR
   ```

## Send authentication token with Cloudflare Worker

If you have two sites protected by Cloudflare Access, `example.com` and `api.mysite.com`, requests made between the two will be subject to CORS checks. Users who log in to `example.com` will be issued a cookie for `example.com`. When the user's browser requests `api.mysite.com`, Cloudflare Access looks for a cookie specific to `api.mysite.com`. The request will fail if the user has not already logged in to `api.mysite.com`.

To avoid having to log in twice, you can create a Cloudflare Worker that automatically sends authentication credentials to `api.mysite.com`.

### Prerequisites

* [Workers account](https://developers.cloudflare.com/workers/get-started/guide/)
* `wrangler` installation
* `example.com` and `api.mysite.com` domains [protected by Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)

### 1\. Generate a service token

Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) to generate a new Access service token. Copy the `Client ID` and `Client Secret` to a safe place, as you will use them in a later step.

### 2\. Add a Service Auth policy

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Find your `api.mysite.com` application and select **Configure**.
3. Select the **Policies** tab.
4. Add the following policy:

   | Action       | Rule type | Selector      |
   | ------------ | --------- | ------------- |
   | Service Auth | Include   | Service Token |

### 3\. Create a new Worker

Open a terminal and run the following command:

npm:

```sh
npm create cloudflare@latest -- authentication-worker
```

yarn:

```sh
yarn create cloudflare authentication-worker
```

pnpm:

```sh
pnpm create cloudflare@latest authentication-worker
```

This will prompt you to install the [create-cloudflare ↗](https://www.npmjs.com/package/create-cloudflare) package and lead you through setup.

For setup, select the following options:

* For _What would you like to start with?_, choose `Hello World example`.
* For _Which template would you like to use?_, choose `Worker only`.
* For _Which language do you want to use?_, choose `JavaScript`.
* For _Do you want to use git for version control?_, choose `Yes`.
* For _Do you want to deploy your application?_, choose `No` (we will be making some changes before deploying).

Go to your project directory.

```sh
cd authentication-worker
```

Open `/src/index.js` and delete the existing code and paste in the following example:

```js
// The hostname where your API lives
const originalAPIHostname = "api.mysite.com";

export default {
  async fetch(request, env) {
    // Change just the host. If the request comes in on example.com/api/name, the new URL is api.mysite.com/api/name
    const url = new URL(request.url);
    url.hostname = originalAPIHostname;

    // If your API is located on api.mysite.com/anyname (without "api/" in the path),
    // remove the "api/" part of example.com/api/name
    // url.pathname = url.pathname.substring(4)

    // Best practice is to always use the original request to construct the new request
    // to clone all the attributes. Applying the URL also requires a constructor
    // since once a Request has been constructed, its URL is immutable.
    const newRequest = new Request(url.toString(), request);

    newRequest.headers.set("cf-access-client-id", env.CF_ACCESS_CLIENT_ID);
    newRequest.headers.set("cf-access-client-secret", env.CF_ACCESS_CLIENT_SECRET);
    try {
      const response = await fetch(newRequest);

      // Copy over the response
      const modifiedResponse = new Response(response.body, response);

      // Delete the set-cookie from the response so it doesn't override existing cookies
      modifiedResponse.headers.delete("set-cookie");

      return modifiedResponse;
    } catch (e) {
      return new Response(JSON.stringify({ error: e.message }), {
        status: 500,
      });
    }
  },
};
```

Then, deploy the Worker to your Cloudflare account:

```sh
npx wrangler deploy
```

### 4\. Configure the Worker

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **Workers & Pages** page.
   [ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages)
2. Select your newly created Worker.
3. In the **Triggers** tab, go to **Routes** and add `example.com/api/*`. The Worker is placed on a subpath of `example.com` to avoid making a cross-origin request.
4. In the **Settings** tab, select **Variables**.
5. Under **Environment Variables**, add the following [secret variables](https://developers.cloudflare.com/workers/configuration/environment-variables/#add-environment-variables-via-the-dashboard):
   * `CF_ACCESS_CLIENT_ID` \= `<service token Client ID>`
   * `CF_ACCESS_CLIENT_SECRET` \= `<service token Client Secret>`

   The Client ID and Client Secret are copied from your [service token](#1-generate-a-service-token).
6. Enable the **Encrypt** option for each variable and select **Save**.

### 5\. Update HTTP request URLs

Modify your `example.com` application to send all requests to `example.com/api/` instead of `api.mysite.com`.

HTTP requests should now work seamlessly between two different Access-protected domains. When a user logs in to `example.com`, the browser makes a request to the Worker instead of to `api.mysite.com`. The Worker adds the Access service token to the request headers and then forwards the request to `api.mysite.com`. Since the service token matches a Service Auth policy, the user no longer needs to log in to `api.mysite.com`.

## Troubleshooting

In general, we recommend the following steps when troubleshooting CORS issues:

1. Capture a HAR file with the issue described, as well as the JS console log output recorded simultaneously. This is because the HAR file alone will not give full visibility on the reason behind cross-origin issues.
2. Ensure that the application has set `credentials: 'same-origin'` in all fetch or XHR requests.
3. If you are using the [cross-origin setting ↗](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin) on script tags, these must be set to "use-credentials".

**CORS is failing on the same domain**

CORS checks do not occur on the same domain. If this error occurs, it is likely the request is being sent without the `CF-Authorization` cookie.


---

---
title: Validate JWTs
description: Validate JWTs in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Validate JWTs

When Cloudflare sends a request to your origin, the request will include an [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) as a `Cf-Access-Jwt-Assertion` request header. Requests made through a browser will also pass the token as a `CF_Authorization` cookie.

Cloudflare signs the token with a key pair unique to your account. You should validate the token with your public key to ensure that the request came from Access and not a malicious third party. We recommend validating the `Cf-Access-Jwt-Assertion` header instead of the `CF_Authorization` cookie, since the cookie is not guaranteed to be passed.

## Access signing keys

The public key for the signing key pair is located at `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/certs`, where `<your-team-name>` is your Cloudflare One team name.

By default, Access rotates the signing key every 6 weeks. This means you will need to programmatically or manually update your keys as they rotate. Previous keys remain valid for 7 days after rotation to allow time for you to make the update.

You can also manually rotate the key using the [API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/keys/methods/rotate/). This can be done for testing or security purposes.

As shown in the example below, `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/certs` contains two public keys: the current key used to sign all new tokens, and the previous key that has been rotated out.

* `keys`: both keys in JWK format
* `public_cert`: current key in PEM format
* `public_certs`: both keys in PEM format

```
{
  "keys": [
    {
      "kid": "1a1c3986a44ce6390be42ec772b031df8f433fdc71716db821dc0c39af3bce49",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "e": "AQAB",
      "n": "5PKw-...-AG7MyQ"
    },
    {
      "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "e": "AQAB",
      "n": "pwVn...AA6Hw"
    }
  ],
  "public_cert": {
    "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65",
    "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- "
  },
  "public_certs": [
    {
      "kid": "1a1c3986a44ce6390be42ec772b031df8f433fdc71716db821dc0c39af3bce49",
      "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- "
    },
    {
      "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65",
      "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- "
    }
  ]
}
```

Avoid key rotation issues

* Validate tokens using the external endpoint rather than saving the public key as a hard-coded value.
* Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`.

## Verify the JWT manually

To verify the token manually:

1. Copy the JWT from the `Cf-Access-Jwt-Assertion` request header.
2. Go to [jwt.io ↗](https://jwt.io/).
3. Select the RS256 algorithm.
4. Paste the JWT into the **Encoded** box.
5. In the **Payload** box, ensure that the `iss` field points to your team domain (`https://<your-team-name>.cloudflareaccess.com`). `jwt.io` uses the `iss` value to fetch the public key for token validation.
6. Ensure that the page says **Signature Verified**.

You can now trust that this request was sent by Access.

## Programmatic verification

You can run an automated script on your origin server to validate incoming requests. The provided sample code gets the application token from a request and checks its signature against your public key. You will need to insert your own team domain and Application Audience (AUD) tag into the sample code.

### Get your AUD tag

Cloudflare Access assigns a unique AUD tag to each application. The `aud` claim in the token payload specifies which application the JWT is valid for.

To get the AUD tag:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Configure** for your application.
3. From **Additional settings**, copy the **Application Audience (AUD) Tag**.

You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application.

### Cloudflare Workers example

When Cloudflare Access is in front of your [Worker](https://developers.cloudflare.com/workers), your Worker still needs to validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request.

The following code will validate the JWT using the [jose NPM package ↗](https://www.npmjs.com/package/jose):


JavaScript

```
import { jwtVerify, createRemoteJWKSet } from "jose";

// Cached across the requests this isolate handles, so the certs endpoint is not
// fetched on every request; jose refetches it when a token arrives with an unknown kid
let JWKS;

export default {
  async fetch(request, env, ctx) {
    // Verify the POLICY_AUD environment variable is set
    if (!env.POLICY_AUD) {
      return new Response("Missing required audience", {
        status: 403,
        headers: { "Content-Type": "text/plain" },
      });
    }

    // Get the JWT from the request headers
    const token = request.headers.get("cf-access-jwt-assertion");

    // Check if token exists
    if (!token) {
      return new Response("Missing required CF Access JWT", {
        status: 403,
        headers: { "Content-Type": "text/plain" },
      });
    }

    try {
      // Create JWKS from your team domain (once per isolate)
      JWKS ??= createRemoteJWKSet(
        new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`),
      );

      // Verify the JWT: signature against the key matching the token's kid, then iss and aud
      const { payload } = await jwtVerify(token, JWKS, {
        issuer: env.TEAM_DOMAIN,
        audience: env.POLICY_AUD,
      });

      // Token is valid, proceed with your application logic
      return new Response(`Hello ${payload.email || "authenticated user"}!`, {
        headers: { "Content-Type": "text/plain" },
      });
    } catch (error) {
      // Token verification failed
      const message = error instanceof Error ? error.message : "Unknown error";
      return new Response(`Invalid token: ${message}`, {
        status: 403,
        headers: { "Content-Type": "text/plain" },
      });
    }
  },
};
```

TypeScript

```
import { jwtVerify, createRemoteJWKSet } from "jose";

interface Env {
  POLICY_AUD: string;
  TEAM_DOMAIN: string;
}

// Cached across the requests this isolate handles, so the certs endpoint is not
// fetched on every request; jose refetches it when a token arrives with an unknown kid
let JWKS: ReturnType<typeof createRemoteJWKSet> | undefined;

export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
    // Verify the POLICY_AUD environment variable is set
    if (!env.POLICY_AUD) {
      return new Response("Missing required audience", {
        status: 403,
        headers: { "Content-Type": "text/plain" },
      });
    }

    // Get the JWT from the request headers
    const token = request.headers.get("cf-access-jwt-assertion");

    // Check if token exists
    if (!token) {
      return new Response("Missing required CF Access JWT", {
        status: 403,
        headers: { "Content-Type": "text/plain" },
      });
    }

    try {
      // Create JWKS from your team domain (once per isolate)
      JWKS ??= createRemoteJWKSet(
        new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`)
      );

      // Verify the JWT: signature against the key matching the token's kid, then iss and aud
      const { payload } = await jwtVerify(token, JWKS, {
        issuer: env.TEAM_DOMAIN,
        audience: env.POLICY_AUD,
      });

      // Token is valid, proceed with your application logic
      return new Response(
        `Hello ${payload.email || "authenticated user"}!`,
        {
          headers: { "Content-Type": "text/plain" },
        }
      );
    } catch (error) {
      // Token verification failed
      const message = error instanceof Error ? error.message : "Unknown error";
      return new Response(`Invalid token: ${message}`, {
        status: 403,
        headers: { "Content-Type": "text/plain" },
      });
    }
  },
};
```

#### Required environment variables

Add these [environment variables](https://developers.cloudflare.com/workers/configuration/environment-variables/) to your Worker:

* `POLICY_AUD`: Your application's [AUD tag](#get-your-aud-tag)
* `TEAM_DOMAIN`: `https://<your-team-name>.cloudflareaccess.com`, where `<your-team-name>` is replaced with your actual team name.

You can set these variables by adding them to your Worker's [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** \> **your-worker** \> **Settings** \> **Environment Variables**.

### Golang example

```
package main

import (
	"context"
	"fmt"
	"log"
	"net/http"

	"github.com/coreos/go-oidc/v3/oidc"
)

var (
	ctx        = context.TODO()
	teamDomain = "https://test.cloudflareaccess.com"
	certsURL   = fmt.Sprintf("%s/cdn-cgi/access/certs", teamDomain)

	// The Application Audience (AUD) tag for your application
	policyAUD = "4714c1358e65fe4b408ad6d432a5f878f08194bdb4752441fd56faefa9b2b6f2"

	// go-oidc checks the token's aud claim against ClientID and its iss claim against teamDomain
	config = &oidc.Config{
		ClientID: policyAUD,
	}
	// The remote key set fetches the certs endpoint and picks the key matching the token's kid
	keySet   = oidc.NewRemoteKeySet(ctx, certsURL)
	verifier = oidc.NewVerifier(teamDomain, keySet, config)
)

// VerifyToken is a middleware to verify a CF Access token
func VerifyToken(next http.Handler) http.Handler {
	fn := func(w http.ResponseWriter, r *http.Request) {
		headers := r.Header

		// Make sure that the incoming request has our token header
		//  Could also look in the cookies for CF_AUTHORIZATION
		accessJWT := headers.Get("Cf-Access-Jwt-Assertion")
		if accessJWT == "" {
			w.WriteHeader(http.StatusUnauthorized)
			w.Write([]byte("No token on the request"))
			return
		}

		// Verify the access token
		ctx := r.Context()
		_, err := verifier.Verify(ctx, accessJWT)
		if err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprintf(w, "Invalid token: %s", err.Error())
			return
		}
		next.ServeHTTP(w, r)
	}
	return http.HandlerFunc(fn)
}

func MainHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("welcome"))
	})
}

func main() {
	http.Handle("/", VerifyToken(MainHandler()))
	log.Fatal(http.ListenAndServe(":3000", nil))
}
```

### Python example

`pip` install the following:

* flask
* requests
* PyJWT
* cryptography

Python

```
from functools import wraps

from flask import Flask, g, request
import requests
import jwt
import json
import os

app = Flask(__name__)

# The Application Audience (AUD) tag for your application
POLICY_AUD = os.getenv("POLICY_AUD")

# Your CF Access team domain
TEAM_DOMAIN = os.getenv("TEAM_DOMAIN")
CERTS_URL = "{}/cdn-cgi/access/certs".format(TEAM_DOMAIN)


def _get_public_keys():
    """
    Returns:
        Dict mapping each kid in the certs document to an RSA public key usable by PyJWT.
        Both the current and the previous key are included, so tokens keep validating
        across a key rotation.
    """
    r = requests.get(CERTS_URL, timeout=5)
    r.raise_for_status()
    public_keys = {}
    for key_dict in r.json()["keys"]:
        public_keys[key_dict["kid"]] = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(key_dict))
    return public_keys


def verify_token(f):
    """
    Decorator that wraps a Flask view to verify the CF Access JWT.
    The validated claims are stored on flask.g.access_claims for the view to use.
    """
    @wraps(f)  # keeps the view's name, so several decorated routes do not collide
    def wrapper(*args, **kwargs):
        # Check for the POLICY_AUD environment variable
        if not POLICY_AUD:
            return "missing required audience", 403

        # Validate the header rather than the CF_Authorization cookie: the cookie is
        # not guaranteed to be present on every request
        token = request.headers.get("Cf-Access-Jwt-Assertion")
        if not token:
            return "missing required cf authorization token", 403

        try:
            # Pick the key named in the token's header; never try "any key that works"
            kid = jwt.get_unverified_header(token).get("kid")
            key = _get_public_keys().get(kid)
            if key is None:
                return "invalid token", 403
            # decode checks the signature, exp, aud and iss, and returns the claims
            g.access_claims = jwt.decode(
                token, key=key, audience=POLICY_AUD, issuer=TEAM_DOMAIN, algorithms=["RS256"]
            )
        except jwt.PyJWTError:
            return "invalid token", 403

        return f(*args, **kwargs)

    return wrapper


@app.route("/")
@verify_token
def hello_world():
    return "Hello, {}!".format(g.access_claims.get("email", "authenticated user"))


if __name__ == "__main__":
    app.run()
```

### JavaScript (Node.js) example

JavaScript

```
const express = require("express");
const jose = require("jose");

// The Application Audience (AUD) tag for your application
const AUD = process.env.POLICY_AUD;

// Your CF Access team domain
const TEAM_DOMAIN = process.env.TEAM_DOMAIN;
const CERTS_URL = `${TEAM_DOMAIN}/cdn-cgi/access/certs`;

// Created once: jose caches the key set and refetches it when a token carries an unknown kid
const JWKS = jose.createRemoteJWKSet(new URL(CERTS_URL));

// verifyToken is a middleware to verify a CF authorization token
const verifyToken = async (req, res, next) => {
  // Check for the AUD environment variable
  if (!AUD) {
    return res.status(403).send({
      status: false,
      message: "missing required audience",
    });
  }

  const token = req.headers["cf-access-jwt-assertion"];

  // Make sure that the incoming request has our token header
  if (!token) {
    return res.status(403).send({
      status: false,
      message: "missing required cf authorization token",
    });
  }

  try {
    // Verify the signature against the key matching the token's kid, then iss and aud
    const result = await jose.jwtVerify(token, JWKS, {
      issuer: TEAM_DOMAIN,
      audience: AUD,
    });

    req.user = result.payload;
    next();
  } catch (err) {
    return res.status(403).send({
      status: false,
      message: "invalid token",
    });
  }
};

const app = express();

app.use(verifyToken);

app.get("/", (req, res) => {
  res.send("Hello World!");
});

app.listen(3333);
```


---

---
title: Managed OAuth
description: Allow non-browser clients to authenticate with Access-protected applications using a standard OAuth 2.0 flow.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Authentication ](https://developers.cloudflare.com/search/?tags=Authentication)[ REST API ](https://developers.cloudflare.com/search/?tags=REST%20API) 

# Managed OAuth

When you protect an application with Cloudflare Access, by default non-browser clients — such as CLIs, AI agents, SDKs, and scripts — cannot complete the browser-based login redirect. They receive a `302` redirect with no usable token or authorization endpoint.

Managed OAuth solves this by turning Access into a standard OAuth 2.0 authorization server for your application. Access enforces the same policies as a browser login, and your origin sees no difference.

Note

If you run your own OAuth server behind an Access application and rely on your own `WWW-Authenticate` headers, do not enable this feature. Enabling managed OAuth replaces the `401` response behavior on the protected application.

## Prerequisites

* A [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) or an [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/)
* An OAuth client that supports [RFC 8707 ↗](https://datatracker.ietf.org/doc/html/rfc8707)

## Enable managed OAuth on a self-hosted application

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Find the application you want to configure, then select the three dots on the right > **Edit**.
3. Go to the **Advanced settings** tab and turn on **Managed OAuth**.
4. (Optional) Configure [Managed OAuth settings](#managed-oauth-settings).
5. Select **Save**.

API

1. Get your existing Access application configuration. This call needs an API token with the `Access: Apps and Policies Read` or `Access: Apps and Policies Write` [permission](https://developers.cloudflare.com/fundamentals/api/reference/permissions/):

   ```
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

2. Make a `PUT` request and set `oauth_configuration.enabled` to `true`. This call needs the `Access: Apps and Policies Write` permission. To avoid overwriting your existing configuration, the request body should contain all fields returned by the previous `GET` request.

   ```
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "oauth_configuration": {
           "enabled": true
       }
     }'
   ```

To test, open an RFC 8707-compliant OAuth client and make a request to your application. The client should open a browser window prompting you to log in to Access. Refer to the [Authorization flow](#authorization-flow) section for more details.

## Enable managed OAuth on an MCP server portal

Managed OAuth is available on [MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) and is the mechanism that allows MCP clients to authenticate users through the portal without a browser cookie flow.

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **AI controls**.
2. Find the portal you want to configure, then select the three dots on the right > **Edit**.
3. Go to the **Advanced settings** tab, turn on **Managed OAuth**.
4. (Optional) Configure [Managed OAuth settings](#managed-oauth-settings).
5. Select **Save**.

API

1. Get your existing configuration for the portal's underlying Access application. This call needs an API token with the `Access: Apps and Policies Read` or `Access: Apps and Policies Write` [permission](https://developers.cloudflare.com/fundamentals/api/reference/permissions/):

   ```
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

2. Make a `PUT` request and set `oauth_configuration.enabled` to `true`. This call needs the `Access: Apps and Policies Write` permission. To avoid overwriting your existing configuration, the request body should contain all fields returned by the previous `GET` request.

   ```
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "oauth_configuration": {
           "enabled": true
       }
     }'
   ```

To test, open an MCP client and [connect to the MCP portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#connect-to-a-portal). The client should open a browser window prompting you to log in to Access. Refer to the [Authorization flow](#authorization-flow) section for more details.

## Managed OAuth settings

Dashboard

Configure these settings in the **Advanced settings** tab of your [self-hosted app](#enable-managed-oauth-on-a-self-hosted-application) or [MCP server portal](#enable-managed-oauth-on-an-mcp-server-portal).

* **Allow localhost clients**: Allow any client with redirect URIs on `localhost`.
* **Allow loopback clients**: Allow any client with redirect URIs on `127.0.0.1`.
* **Allowed redirect URIs**: Redirect URIs allowed for dynamically registered clients (for example, `https://playground.ai.cloudflare.com/*`). The URL must use `https`. Paths may end in `/*` to match all sub-paths.
* **Grant session duration**: How long the OAuth refresh token remains valid.
* **Access token lifetime**: How long an OIDC Access token can be used to authenticate with your application. Cloudflare recommends configuring a short **Access token lifetime** (default 15 minutes) in conjunction with a longer **Grant session duration**. When the access token expires, Cloudflare uses the refresh token to issue a new one after re-evaluating the user against your Access policies. When the refresh token expires, the user must re-authenticate with the identity provider.

API

Configure these settings via the `oauth_configuration` object on the [Access applications](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/update/) endpoint.

| Dashboard setting       | API field                                               |
| ----------------------- | ------------------------------------------------------- |
| Allow localhost clients | dynamic\_client\_registration.allow\_any\_on\_localhost |
| Allow loopback clients  | dynamic\_client\_registration.allow\_any\_on\_loopback  |
| Allowed redirect URIs   | dynamic\_client\_registration.allowed\_uris             |
| Grant session duration  | grant.session\_duration                                 |
| Access token lifetime   | grant.access\_token\_lifetime                           |

1. Get your existing Access application configuration. This call needs an API token with the `Access: Apps and Policies Read` or `Access: Apps and Policies Write` [permission](https://developers.cloudflare.com/fundamentals/api/reference/permissions/):

   ```
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

2. Make a `PUT` request with your Managed OAuth settings. This call needs the `Access: Apps and Policies Write` permission. To avoid overwriting your existing configuration, the request body should contain all fields returned by the previous `GET` request.

   ```
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "oauth_configuration": {
           "enabled": true,
           "dynamic_client_registration": {
               "enabled": true,
               "allow_any_on_localhost": true,
               "allow_any_on_loopback": true,
               "allowed_uris": [
                   "https://playground.ai.cloudflare.com/*"
               ]
           },
           "grant": {
               "access_token_lifetime": "5m",
               "session_duration": "24h"
           }
       }
     }'
   ```

## Authorization flow

When managed OAuth is enabled, Access returns a `401` response instead of a `302` redirect to non-browser clients. The `401` includes a `WWW-Authenticate` header that points the client to Access's OAuth discovery metadata.

The authorization flow proceeds as follows:

1. The client fetches the OAuth authorization server metadata from the `/.well-known/` endpoint:  
```  
https://<your-app-domain>/.well-known/oauth-authorization-server  
```  
This endpoint conforms to [RFC 8414 ↗](https://datatracker.ietf.org/doc/html/rfc8414) and [RFC 9728 ↗](https://datatracker.ietf.org/doc/html/rfc9728) and returns the authorization and token endpoint URLs for the application.
2. The client initiates an authorization code flow. It opens the user's browser to the Access authorization endpoint, where the user logs in to their IdP as usual.
3. Access issues an OAuth access token to the client. The client uses this token in subsequent requests to the protected application.

## Managed OAuth vs service tokens

Both managed OAuth and [service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) allow non-browser clients to authenticate with Access-protected applications, but they serve different use cases:

|                           | Managed OAuth                                                                    | Service tokens                                                                                                                   |
| ------------------------- | -------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| **Authentication model**  | User-based — the end user logs in through their identity provider                | Machine-based — a shared secret authenticates the service itself                                                                 |
| **Best for**              | Interactive CLI tools, AI agents, SDKs where a human initiates the request       | Fully automated systems, cron jobs, CI/CD pipelines, server-to-server communication                                              |
| **User identity**         | Access knows which user made the request                                         | No user identity — requests are attributed to the service token                                                                  |
| **Policy enforcement**    | Can use identity-based policies (for example, require specific groups or emails) | Requires a [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) policy action |
| **Credential management** | No shared secrets to distribute — users authenticate with their own credentials  | Requires distributing and rotating Client ID and Client Secret                                                                   |

Use managed OAuth when you want non-browser clients to authenticate users the same way a browser would — the user logs in once, and the client receives an OAuth token to make requests on their behalf.

Use service tokens when no human is involved and you need a machine identity to access your application programmatically.


---

---
title: SaaS applications
description: SaaS applications in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# SaaS applications

Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the identity providers configured for that application and is only granted access if they pass your Access policies.

Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas/) or [generic OIDC](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation.

* [ Generic OIDC application ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/)
* [ Generic SAML application ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas/)
* [ Adobe Acrobat Sign ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/adobe-sign-saas/)
* [ Area 1 ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/area-1/)
* [ Asana ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/asana-saas/)
* [ Atlassian Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/atlassian-saas/)
* [ AWS ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/aws-sso-saas/)
* [ Braintree ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/braintree-saas/)
* [ Coupa ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/coupa-saas/)
* [ Digicert ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/digicert-saas/)
* [ DocuSign ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access/)
* [ Dropbox ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/dropbox-saas/)
* [ GitHub Enterprise Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/github-saas/)
* [ Google Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-cloud-saas/)
* [ Google Workspace ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas/)
* [ Grafana ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc/)
* [ Grafana Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc/)
* [ Greenhouse Recruiting ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/greenhouse-saas/)
* [ Hubspot ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/hubspot-saas/)
* [ Ironclad ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/ironclad-saas/)
* [ Jamf Pro ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/jamf-pro-saas/)
* [ Miro ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/miro-saas/)
* [ PagerDuty ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/pagerduty-saml-saas/)
* [ Pingboard ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/pingboard-saas/)
* [ Salesforce (OIDC) ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc/)
* [ Salesforce (SAML) ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-saml/)
* [ ServiceNow (OIDC) ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc/)
* [ ServiceNow (SAML) ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-saml/)
* [ Slack ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/slack-saas/)
* [ Smartsheet ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/smartsheet-saas/)
* [ SparkPost ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/sparkpost-saas/)
* [ Tableau Cloud ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/tableau-saml-saas/)
* [ Workday ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/workday-saas/)
* [ Zendesk ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/zendesk-sso-saas/)
* [ Zoom ](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/zoom-saas/)

---

---
title: Adobe Acrobat Sign
description: Integrate Adobe Acrobat Sign with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML) 

# Adobe Acrobat Sign

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Adobe Acrobat Sign ↗](https://helpx.adobe.com/sign/using/enable-saml-single-sign-on.html) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to an Adobe Acrobat Sign account
* A [claimed domain ↗](https://helpx.adobe.com/sign/using/claim-domain-names.html) in Adobe Acrobat Sign

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Adobe Sign` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**.
7. Keep this window open without selecting **Select configuration**. You will finish this configuration in step [3\. Finish adding a SaaS application to Cloudflare One](#3-finish-adding-a-saas-application-to-cloudflare-one).

## 2\. Add a SAML SSO provider to Adobe Sign

1. In Adobe Acrobat Sign, select your profile picture > your name > **Account Settings** \> **SAML Settings**.
2. Turn **SAML Allowed** on.
3. Enter a hostname (for example, `yourcompanyname`). Users can use this URL or `https://secure.adobesign.com/public/login` to sign in via SSO.
4. (Optional) For **Single Sign On Login Message**, enter a custom message (for example, `Log in via SSO`). The default message is **Sign in using your corporate credentials**.
5. Fill in the following fields:  
   * **Entity ID/Issuer URL**: Access Entity ID or Issuer from application configuration in Cloudflare One.  
   * **Login URL/SSO Endpoint**: SSO endpoint from application configuration in Cloudflare One.  
   * **IdP Certificate**: Public key from application configuration in Cloudflare One. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
6. Copy the **Entity ID/SAML Audience** and **Assertion Consumer URL**.
7. Select **Save**.

## 3\. Finish adding a SaaS application to Cloudflare One

1. In your open Cloudflare One window, fill in the following fields:  
   * **Entity ID**: Entity ID/SAML Audience from Adobe Acrobat Sign SAML SSO configuration.  
   * **Assertion Consumer Service URL**: Assertion Consumer URL from Adobe Acrobat Sign SAML SSO configuration.  
   * **Name ID format**: _Email_
2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
3. Save the application.

## 4\. Test the integration and finalize configuration

1. Open an incognito browser window and go to your Adobe Sign hostname URL or `https://secure.adobesign.com/public/login`. Select the option to sign in via SSO (**Sign in using your corporate credentials** if you have not configured a custom message). You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.

Note

If you receive an error while testing SSO integration, go to your profile picture > your name > **Account Settings** \> **SAML Errors** for more information.

2. Once this is successful, you can make sign in via SSO mandatory. Select your profile picture > your name > **Account Settings** \> **SAML Settings**, and then turn on **SAML Mandatory**. Keeping **Allow Acrobat Sign Account Administrators to log in using their Acrobat Sign Credentials** turned on will allow administrators to log in even if your account experiences SSO issues. This leaves a password-based path that is not subject to your Access policies, so limit it to the break-glass administrator accounts you actually need.

---

---
title: Area 1
description: Integrate Area 1 with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML) 

# Area 1

**Last reviewed:**  almost 2 years ago 

Access to Area 1

Beginning October 1, 2025, access and support for Email Security (formerly Area 1) will only be available through the Cloudflare dashboard. Your Email Security protection will not change, but you will no longer be able to access the Area 1 dashboard or send support requests to `@area1security.com` email addresses. For help accessing the Cloudflare dashboard, reach out to [successteam@cloudflare.com](mailto:successteam@cloudflare.com).

[Cloudflare Area 1 ↗](https://www.cloudflare.com/products/zero-trust/email-security/) is an email security platform that protects your organization's inbox from phishing, spam, and other malicious messages. This guide covers how to configure Area 1 as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to your Area 1 account
* Your user's email in Area 1 matches their email in Cloudflare One

## 1\. Add Area 1 to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **SaaS application**.
4. In the **Application** field, enter `Area 1` and select **Area 1**. (Area 1 is not currently listed in the default drop-down menu.)
5. Enter the following values for your application configuration:  
   * **Entity ID**: `https://horizon.area1security.com`  
   * **Assertion Consumer Service URL**: `https://horizon.area1security.com/api/users/saml`  
   * **Name ID format**: _Email_
6. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
7. Save the application.

## 2\. Configure SSO for Area 1

Finally, you will need to configure Area 1 to allow users to log in through Cloudflare Access.

1. In your [Area 1 portal ↗](https://horizon.area1security.com/), go to **Settings** \> **SSO**.
2. Turn on **Single Sign On**.
3. (Optional) To require users to sign in through Access, set **SSO Enforcement** to _All_. When SSO is enforced, users will no longer be able to sign in with their Area 1 credentials.
4. In **SAML SSO Domain**, enter `<your-team-name>.cloudflareaccess.com`.
5. Get your Metadata XML file:  
   1. In Cloudflare One, copy the **SSO Endpoint** for your application.  
   ![Copy SSO settings for a SaaS application from Cloudflare One](https://developers.cloudflare.com/_astro/saas-sso-endpoint.ubdoNRaM_1plwk8.webp)  
   2. In a new browser tab, paste the **SSO Endpoint** and append `/saml-metadata` to the end of the URL. For example, `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/saml/<app-id>/saml-metadata`.  
   3. Copy the resulting metadata.
6. Return to the Area 1 portal and paste the metadata into **Metadata XML**.  
![Configure SSO in the Area 1 portal](https://developers.cloudflare.com/_astro/area1-sso-config.DWq80iDZ_Z1BhExl.webp)
7. Select **Update Settings**.

If you added the application to your App Launcher, you can test the integration by going to `<your-team-name>.cloudflareaccess.com`.

---

---
title: Asana
description: Asana in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML) 

# Asana

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Asana ↗](https://help.asana.com/hc/en-us/articles/14075208738587-Authentication-and-access-management-options-for-paid-plans#gl-saml) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Super admin access to an Asana Enterprise, Enterprise+, or Legacy Enterprise account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Asana_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://app.asana.com/`  
   * **Assertion Consumer Service URL**: `https://app.asana.com/-/saml/consume`  
   * **Name ID format**: _Email_
7. Copy the **SSO endpoint** and **Public key**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Add a SAML SSO provider to Asana

1. In Asana, select your profile picture > **Admin console** \> **Security** \> **SAML authentication**.
2. Under **SAML options**, select _Optional_.
3. Fill in the following fields:  
   * Sign-in page URL: SSO endpoint from application configuration in Cloudflare One.  
   * X.509 certificate: Public key from application configuration in Cloudflare One. Wrap the public key in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
4. Select **Save changes**.

## 3\. Test the integration and require SSO

1. Open an incognito browser window and go to your Asana URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
2. After this is successful, you may want to require users to log in via SSO. In Asana, select your profile picture > **Admin console** \> **Security** \> **SAML authentication**. Under **SAML options**, select **Required for all members, except guest accounts**.

---

---
title: Atlassian Cloud
description: Integrate Atlassian Cloud with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML) 

# Atlassian Cloud

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Atlassian Cloud ↗](https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to an Atlassian Cloud account
* Atlassian Guard Standard subscription
* A [domain ↗](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/) verified in Atlassian Cloud

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Atlassian_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**.
7. Keep this window open. You will finish this configuration in step [4\. Finish adding a SaaS application to Cloudflare One](#4-finish-adding-a-saas-application-to-cloudflare-one).

## 2\. Create a x.509 certificate

1. Paste the **Public key** in a text editor.
2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
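
The wrapping step above (and the same step in the Adobe Acrobat Sign and Asana guides) is where most "invalid certificate" errors at the service provider come from: the base64 value is pasted with line breaks, truncated, or already wrapped. The following is an added example, not Cloudflare's or any vendor's tooling. It takes the raw **Public key** string, strips copy/paste whitespace, checks that the decoded bytes are one complete DER `SEQUENCE` (the outer envelope of every X.509 certificate) whose declared length matches what was pasted, and emits the PEM block. The sample value is a constructed DER envelope standing in for the dashboard value, not a real certificate.

```python
"""Wrap the base64 "Public key" from the Cloudflare One SaaS application
settings into the PEM block a SAML service provider expects, after checking
that the pasted value is a complete DER certificate. Added example."""
import base64
import binascii
import textwrap


def _der_total_length(der: bytes) -> int:
    """Return the byte length of the outermost DER SEQUENCE in `der`.

    An X.509 certificate is a DER SEQUENCE (tag 0x30). The length field is
    either one byte (< 128) or a byte 0x80|n followed by n big-endian bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; this is not an X.509 certificate")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_pem_certificate(public_key_b64: str) -> str:
    """Convert the raw base64 blob copied from the dashboard into a PEM cert.

    Whitespace from copy/paste is removed, the base64 is strictly decoded,
    the DER envelope length is compared with the decoded size (a truncated
    or partially copied paste fails here), and the result is re-wrapped at
    the conventional 64 columns.
    """
    if "BEGIN CERTIFICATE" in public_key_b64:
        raise ValueError("value already looks PEM-wrapped; paste it as-is")
    cleaned = "".join(public_key_b64.split())
    try:
        der = base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64: {exc}") from exc
    expected = _der_total_length(der)
    if expected != len(der):
        raise ValueError(
            f"DER length mismatch: header says {expected} bytes, got {len(der)}; "
            "the key was probably truncated or partially copied"
        )
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def is_complete_certificate(public_key_b64: str) -> bool:
    """True when the value wraps cleanly; run this before pasting into the SP."""
    try:
        to_pem_certificate(public_key_b64)
        return True
    except ValueError:
        return False


# Constructed stand-in for the dashboard value: a DER SEQUENCE holding one
# OCTET STRING, sized so that the long-form length encoding is exercised.
# A real certificate is about 1 KB; only the outer envelope is inspected here.
_INNER = bytes([0x04, 0x82, 0x00, 0xC8]) + bytes(200)
_DER = bytes([0x30, 0x82]) + len(_INNER).to_bytes(2, "big") + _INNER
SAMPLE_PUBLIC_KEY = base64.b64encode(_DER).decode("ascii")

if __name__ == "__main__":
    print(to_pem_certificate(SAMPLE_PUBLIC_KEY))
```

Paste the dashboard value into `SAMPLE_PUBLIC_KEY` (or read it from a file) and paste the printed block into the service provider's certificate field. The check is deliberately shallow: it proves the paste is whole, not that the certificate is the one your Access application signs with, so still compare the first and last characters against what the dashboard shows.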

## 3\. Configure an identity provider and SAML SSO in Atlassian Cloud

1. In Atlassian Cloud, go to **Security** \> **Identity providers**.
2. Select **Other provider** \> **Choose**.
3. For **Directory name**, enter your desired name. For example, you could enter `Cloudflare Access`.
4. Select **Add** \> **Set up SAML single sign-on** \> **Next**.  
Note  
This screen will advise you to create an authentication policy before proceeding. You will do this in step [5\. Create an authentication policy to test integration](#5-create-an-authentication-policy-to-test-integration).
5. Fill in the following fields:  
   * **Identity provider Entity ID**: Access Entity ID or Issuer from application configuration in Cloudflare One.  
   * **Identity provider SSO URL**: SSO endpoint from application configuration in Cloudflare One.  
   * **Public x509 certificate**: Paste the entire x.509 certificate from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate).
6. Select **Next**.
7. Copy the **Service provider entity URL** and **Service provider assertion consumer service URL**.
8. Select **Next**.
9. Under **Link domain**, select the domain you want to use with SAML SSO.
10. Select **Next** \> **Stop and save SAML**.

## 4\. Finish adding a SaaS application to Cloudflare One

1. In your open Cloudflare One window, fill in the following fields:  
   * **Entity ID**: Service provider entity URL from Atlassian Cloud SAML SSO set-up.  
   * **Assertion Consumer Service URL**: Service provider assertion consumer service URL from Atlassian Cloud SAML SSO set-up.  
   * **Name ID format**: _Email_
2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
3. Save the application.

## 5\. Create an authentication policy to test integration

To enable SSO for users in Atlassian Cloud, create an [Atlassian authentication policy ↗](https://support.atlassian.com/security-and-access-policies/docs/configure-authentication-policies-for-your-organization/):

1. In Atlassian Cloud, go to **Security** \> **Authentication policies**.
2. Select **Add policy**.
3. Under **Directory**, select the identity provider you used to configure SAML SSO.
4. For **Policy name**, enter your desired name.
5. Select **Add**.
6. In **Settings**, turn on **Enforce single sign-on**.
7. In **Members**, select **Add members**.
8. In **Individual Users**, select your desired test user(s) in the dropdown, and select **Add members**.
9. In **Settings**, select **Update** \> **Update**.

## 6\. Test the integration

Open an incognito browser window and log in with the credentials of the test user you added to the test authentication policy. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. When this is successful, turn on **Enforce single sign-on** in your desired authentication policy, or add the remaining users to the authentication policy created in step [5\. Create an authentication policy to test integration](#5-create-an-authentication-policy-to-test-integration).

---

---
title: AWS
description: Integrate AWS with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML) 

# AWS

**Last reviewed:**  about 2 years ago 

This guide covers how to configure [AWS ↗](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to an AWS account

## 1\. Get AWS URLs

1. In the AWS admin panel, search for `IAM Identity Center`.
2. Go to **IAM Identity Center** \> **Settings**.
3. In the **Identity source** tab, select the **Actions** dropdown and select _Change identity source_.
4. Change the identity source to **External identity provider**.
5. Copy the values shown in **Service provider metadata**. You will need these values when configuring the SaaS application in Cloudflare One.

Next, we will obtain **Identity provider metadata** from Cloudflare One.

## 2\. Add a SaaS application to Cloudflare One

1. In a separate tab or window, open the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Amazon AWS_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: IAM Identity Center issuer URL  
   * **Assertion Consumer Service URL**: IAM Identity Center Assertion Consumer Service (ACS) URL  
   * **Name ID format**: _Email_
7. (Optional) Additional SAML attribute statements can be passed from your IdP to IAM Identity Center (formerly AWS Single Sign-On). To learn more about attribute mapping, refer to [Attribute mappings - AWS IAM Identity Center ↗](https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedidpattributes).
8. IAM Identity Center accepts the IdP configuration as a metadata XML file. To download your SAML metadata from Access:  
   1. Copy the **SAML Metadata endpoint**.  
   2. In a separate browser window, go to the SAML Metadata endpoint (`https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/saml/<app-id>/saml-metadata`).  
   3. Save the page as `access_saml_metadata.xml`.
9. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
10. Save the application.

## 3\. Complete AWS configuration

1. Return to the **IAM Identity Center** \> **Settings** \> **Change identity source** tab.
2. Under **IdP SAML metadata**, upload your `access_saml_metadata.xml` file.
3. Select **Next** to review settings, type **ACCEPT** and select **Change identity source** to confirm changes.
4. Confirm that **Provisioning** is set to _Manual_.

Important

Access for SaaS does not currently support [SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/). Make sure that:

1. Users are created in both your identity provider and AWS.
2. Users have matching usernames in your identity provider and AWS.
3. Usernames are email addresses. This is the only format AWS supports with third-party SSO providers.

## 4\. Test the integration

To test the connection, go to your **AWS access portal URL**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.

---

---
title: Braintree
description: Integrate Braintree with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML) 

# Braintree

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Braintree ↗](https://developer.paypal.com/braintree/articles/guides/single-sign-on-sso) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Braintree production or sandbox account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Braintree` and select the textbox that appears below.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields with temporary values:  
   * **Entity ID**: `placeholder`  
   * **Assertion Consumer Service URL**: `https://www.placeholder.com`  
   * **Name ID format**: _Email_
7. Copy the **SSO endpoint** and **Public key**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Enable SSO Configuration in Braintree

1. In Braintree, create a [support ticket ↗](https://developer.paypal.com/braintree/help).
2. In **Search Issues**, enter `Login and password issues` and select the corresponding value.
3. In **Issue Details**, fill in the following:  
   * **Merchant ID**: Your Braintree Merchant ID. This is the 16-digit value that follows `/merchants/` in your Braintree Control Panel URL.  
   * **Email domain(s) to be used in user IDs**: The email domain(s) that should be allowed to sign in to your account via SSO.  
   * **Single Sign-on HTTP POST Binding URL**: SSO endpoint from application configuration in Cloudflare One  
   * **Certificate for validation**: Public key from application configuration in Cloudflare One.
4. Select whether you are using a **Production** or **Sandbox** account.
5. Fill out the **Your contact information** fields and select **Submit a help request**.
6. When you receive an email stating SSO has been successfully configured for your account, you can proceed to the next step.

## 3\. Finish adding a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Braintree** \> **Edit** \> **Overview**.
3. Replace the temporary values for **Entity ID** and **Assertion Consumer Service URL** with the link provided in the successful SSO configuration email from Braintree support. You will use the same link for both values.
4. Select **Save Application**.

## 4\. Test the integration and add SSO users

1. In your Braintree Control Panel, select the **settings** icon > **Team**.
2. Select your desired test user.
3. Under **Single Sign-On**, select **Enable**.
4. Open an incognito browser window and go to `https://id.sandbox.braintreegateway.com` for a sandbox account or `https://id.braintreegateway.com` for a production account.
5. In **Your corporate email address** field, type your test user's email. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
6. Upon successful sign-in, you can enable SSO for other users using steps 4.1 - 4.3.

---

---
title: Coupa
description: Coupa in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML) 

# Coupa

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Coupa ↗](https://compass.coupa.com/en-us/products/product-documentation/integration-technical-documentation/coupa-core-user-authentication/coupa-saml-sso-setup) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Coupa Stage or Production account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Coupa` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `sso-stg1.coupahost.com` for a stage account or `sso-prd1.coupahost.com` for a production account  
   * **Assertion Consumer Service URL**: `https://sso-stg1.coupahost.com/sp/ACS.saml2` for a stage account or `https://sso-prd1.coupahost.com/sp/ACS.saml2` for a production account  
   * **Name ID format**: _Email_
7. Copy the **Access Entity ID or Issuer** and **SAML Metadata Endpoint**.
8. In **Default relay state**, enter `https://<your-subdomain>.coupahost.com/sessions/saml_post`.
9. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
10. Save the application.

## 2\. Download the metadata file

1. Open the **SAML Metadata Endpoint** that you copied from the application configuration in Cloudflare One in a web browser.
2. Follow your browser-specific steps to save the URL's contents as an `.xml` file.

## 3\. Add a SAML SSO provider in Coupa

1. In Coupa, go to **Setup** \> **Company Setup** \> **Security Controls**.
2. Under **Sign in using SAML**, turn on **Sign in using SAML**.
3. In **Upload IdP metadata**, select **Choose File**, and upload the `.xml` file you downloaded in step [2\. Download the metadata file](#2-download-the-metadata-file).
4. Turn on **Advanced Options**.
5. For **Sign in page URL** and **Timeout URL**, enter `https://sso-stg1.coupahost.com/sp/startSSO.ping?PartnerIdpId=<access-entity-id-or-issuer>&TARGET=https://<your-subdomain>.coupahost.com/sessions/saml_post`, using the Access Entity ID or Issuer from the application configuration in Cloudflare One. For a production account, use the `sso-prd1.coupahost.com` host from step 1 instead of `sso-stg1.coupahost.com`.
6. Select **Save**.

## 4\. Create a test user and test the integration

1. In Coupa, go to **Setup** \> **Company Setup** \> **Users**.
2. Select **Create**, then enter the user details for your test user. For **Login** and **Single Sign-On ID**, enter the user's email address.
3. Select **Save**.
4. Open an incognito browser window and go to your Coupa URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
5. Once the login is successful, you can configure other users for SSO by adding their email to the **Single Sign-On ID** field in **Setup** \> **Company Setup** \> **Users** \> user's name.

Note

You can use the following URL to bypass SSO and log in with a username and password: `https://<your-subdomain>.coupahost.com/sessions/support_login`. Requests to this URL never pass through Cloudflare Access, so your Access policies do not apply to it. Treat it as a break-glass path: keep local password logins limited to the administrators who need them, and review their use.


---

---
title: Digicert
description: Integrate Digicert with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Digicert

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Digicert ↗](https://docs.digicert.com/en/certcentral/manage-account/saml-admin-single-sign-on-guide/configure-saml-single-sign-on.html) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Digicert account
* [SAML ↗](https://docs.digicert.com/en/certcentral/manage-account/saml-admin-single-sign-on-guide/saml-single-sign-on-prerequisites.html) enabled in your Digicert account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Digicert` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://www.digicert.com/account/sso/metadata`  
   * **Assertion Consumer Service URL**: `https://www.digicert.com/account/sso/`  
   * **Name ID format**: _Email_
7. Copy the **SAML Metadata endpoint**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Add a SAML SSO provider in Digicert

1. In Digicert, select **Settings** \> **Single Sign-On** \> **Set up SAML**.
2. Under **How will you send data from your IDP?**, turn on **Use a dynamic URL**.
3. Under **Use a dynamic URL**, paste the SAML Metadata endpoint from application configuration in Cloudflare One.
4. Under **How will you identify a user?**, turn on **NameID**.
5. Under **Federation Name**, enter a name (for example, `Cloudflare Access`). Your users will select this name when signing in.
6. Select **Save SAML Settings**.

## 3\. Test and Enable SSO in Digicert

1. In Digicert, select **Settings** \> **Single Sign-On**.
2. Copy the **SP Initiated Custom SSO URL**.
3. Paste the URL into an incognito browser window and sign in. Upon successful sign in, SAML SSO is fully enabled.
4. (Optional) By default, users can choose to sign in directly or with SSO. To require SSO sign in, go to **Account** \> **Users**. Turn on **Only allow this user to log in through SAML/OIDC SSO** in the user details of the desired user.

Note

Users can sign in using service provider initiated SSO by using the **SP Initiated Custom SSO URL**. Alternatively, users can go to `www.digicert.com/account`, select **Sign in with SSO**, and enter the name of the identity provider configured in step [2\. Add a SAML SSO provider in Digicert](#2-add-a-saml-sso-provider-in-digicert).


---

---
title: DocuSign
description: Integrate DocuSign with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# DocuSign

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [DocuSign ↗](https://support.docusign.com/s/document-item?bundleId=rrf1583359212854&topicId=ozd1583359139126.html) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a DocuSign account that has Single Sign-On available
* A [domain ↗](https://support.docusign.com/s/document-item?bundleId=rrf1583359212854&topicId=gso1583359141256.html) verified in DocuSign

## 1\. Create the Access for SaaS application

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **SaaS application**.
4. Use the following configuration:  
   * Set the **Application** to _DocuSign_.  
   * Put placeholder values in **Entity ID** and **Assertion Consumer Service URL** (for example, `https://example.com`). You will come back and update these with the DocuSign-provided values.  
   * Set **Name ID Format** to: _Unique ID_.
5. DocuSign requires SAML attributes to do Just In Time user provisioning. Ensure you are collecting SAML attributes from your IdP:  
   * Group  
   * username  
   * department  
   * firstName  
   * lastName  
   * phone
6. These IdP SAML values can then be mapped to the following DocuSign SAML attributes:  
   * Email  
   * Surname  
   * Givenname
7. Set an Access policy (for example, create a policy based on _Emails ending in @example.com_).
8. Copy and save the **SSO Endpoint**, **Entity ID** and **Public Key**.
9. Turn the **Public Key** into a certificate file:  
   1. Copy the **Public Key** value.  
   2. Paste it into a text editor.  
   3. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.  
   4. Set the file extension to `.crt` and save.

## 2\. Configure your DocuSign SSO instance

1. Ensure you have a domain claimed in DocuSign.
2. From the DocuSign Admin dashboard, select **Identity Providers**.
3. On the Identity Providers page, select **ADD IDENTITY PROVIDER**. Use the following mappings from the saved Access application values:  
   * **Name**: Pick your desired name.  
   * **Identity Provider Issuer**: the Access **Entity ID**.  
   * **Identity Provider Login URL**: the Access **SSO Endpoint**. Do not use the placeholder Assertion Consumer Service URL here; that field is the DocuSign-side endpoint you fill in during step 3.
4. Save the Identity Provider.
5. Upload your certificate to the _DocuSign Identity Provider_ menu.
6. Configure your SAML Attribute mappings. The Attribute Names should match the values in **IdP Value** in your Access application.
7. Go back to the Identity Provider's screen and select **Actions** \> **Endpoints**. Copy and save the following:  
   * Service Provider Issuer URL.  
   * Service Provider Assertion Consumer Service URL.

## 3\. Finalize your Cloudflare configuration

1. Go back to your DocuSign application under **Access controls** \> **Applications**.
2. Select **Edit**.
3. Use the following mappings:  
   * **Entity ID**: Service Provider Issuer URL.  
   * **Assertion Consumer Service URL**: Service Provider Assertion Consumer Service URL.
4. Save the application.

When ready, enable SSO for your DocuSign account. Users will then be able to log in to DocuSign through Cloudflare Access and your identity provider.


---

---
title: Dropbox
description: Dropbox in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Dropbox

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Dropbox ↗](https://help.dropbox.com/security/sso-admin) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Dropbox Advanced, Business Plus, or Enterprise account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select `Dropbox`.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `Dropbox`  
   * **Assertion Consumer Service URL**: `https://www.dropbox.com/saml_login`  
   * **Name ID format**: _Email_
7. Copy the **SSO endpoint** and **Public key**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Create a certificate file

1. Paste the **Public key** in a text editor.
2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
3. Set the file extension as `.pem` and save.
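
The certificate file built above (the same step appears in the DocuSign guide, and the Coupa guide has you download the whole IdP metadata file instead) can be checked locally before anything is uploaded. The following Python script is an added example, not Cloudflare's, Dropbox's or DocuSign's code: it pulls the signing certificate and SSO endpoint out of a SAML IdP metadata document, writes the certificate as PEM with the 64-column line breaks most service providers expect, and produces a fingerprint you can compare against what the SaaS admin console shows after upload. The metadata XML and the DER bytes inside it are constructed placeholders; the `entityID` and `Location` values are illustrative and do not reflect the real Access URL format.

```python
"""Added example (not Cloudflare's, Dropbox's or DocuSign's code): turn the
Public key / IdP metadata from an Access SaaS application into a certificate
file and sanity-check it before uploading it to the service provider."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

SAML_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _decode_der(public_key_b64: str) -> bytes:
    # Copy-paste from a dashboard often carries line breaks; strip all whitespace first.
    body = "".join(public_key_b64.split())
    der = base64.b64decode(body, validate=True)
    # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if der[:1] != b"\x30":
        raise ValueError("value does not decode to a DER SEQUENCE; is this the certificate?")
    return der


def to_pem(public_key_b64: str) -> str:
    """Wrap the base64 certificate in PEM armor with 64-character lines (RFC 7468)."""
    _decode_der(public_key_b64)
    body = "".join(public_key_b64.split())
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(public_key_b64: str, algo: str = "sha256") -> str:
    """Colon-separated fingerprint of the DER bytes, in the form SP admin consoles display."""
    digest = hashlib.new(algo, _decode_der(public_key_b64)).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def idp_metadata_summary(metadata_xml: str) -> dict:
    """Extract entityID, SSO endpoint and signing certificate from SAML IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", SAML_NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = idp.find("md:SingleSignOnService", SAML_NS)
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", SAML_NS):
        # A KeyDescriptor without a `use` attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find(".//ds:X509Certificate", SAML_NS)
            if cert is not None and cert.text:
                cert_b64 = "".join(cert.text.split())
                break
    if sso is None or cert_b64 is None:
        raise ValueError("metadata is missing the SSO endpoint or signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "binding": sso.get("Binding"),
        "certificate": cert_b64,
    }


# Constructed placeholder: a well-formed outer DER SEQUENCE (length 256) with filler
# contents. It is NOT a real certificate; substitute the Public key from the dashboard.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PUBLIC_KEY = base64.b64encode(SAMPLE_DER).decode()

# Constructed placeholder metadata. The entityID and Location values are
# illustrative only and do not reflect the real Access URL format.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-team.cloudflareaccess.com/placeholder-entity-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_PUBLIC_KEY}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-team.cloudflareaccess.com/placeholder-sso-endpoint"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    info = idp_metadata_summary(SAMPLE_METADATA)
    print("IdP entityID :", info["entity_id"])
    print("SSO endpoint :", info["sso_url"], f"({info['binding'].rsplit(':', 1)[-1]})")
    print("SHA-256      :", fingerprint(info["certificate"]))
    with open("access-idp.pem", "w", encoding="ascii") as fh:
        fh.write(to_pem(info["certificate"]))
```

Point `idp_metadata_summary` at the `.xml` file from the Coupa guide, or pass the dashboard's **Public key** string straight to `to_pem` and `fingerprint` for the Dropbox and DocuSign flows. If `to_pem` raises, the pasted value is not a DER certificate (a common mistake is copying the SSO endpoint or a truncated key), which is worth catching before the service provider rejects the upload with a less helpful message.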

## 3\. Add a SAML SSO provider to Dropbox

1. In Dropbox, go to your profile picture > **Settings** \> **Admin Console** \> **Security** \> **Single sign-on**.
2. For **Single sign-on**, select _Optional_.
3. Select **Add Identity provider sign-in URL**.
4. Paste the SSO endpoint from application configuration in Cloudflare One and select **Done**.
5. Select **Add X.509 certificate** and upload the `.pem` file from step [2\. Create a certificate file](#2-create-a-certificate-file).
6. Copy **SSO sign-in URL**. This is your custom Dropbox SSO URL.
7. Select **Save**.

## 4\. Test the integration and require SSO

1. Open an incognito browser window and go to your custom Dropbox SSO URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
2. After this is successful, you may want to require users to log in via SSO. Go to your profile picture > **Settings** \> **Admin Console** \> **Security** \> **Single sign-on**. For **Single sign-on**, select _Required_. Dropbox will send an email to your users notifying them of the change.


---

---
title: Generic OIDC application
description: Generic OIDC application in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Generic OIDC application

This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the OpenID Connect (OIDC) authentication protocol.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to the account of the SaaS application

## 1\. Get SaaS application URL

In your SaaS application account, obtain the **Redirect URL** (also known as the callback URL). This is the SaaS endpoint where users are redirected to after they authenticate with Cloudflare Access.

Some SaaS applications provide the Redirect URL after you [configure the SSO provider](#3-configure-sso-in-your-saas-application).

## 2\. Add your application to Access

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **SaaS application**.
4. Select your **Application** from the drop-down menu. If your application is not listed, enter a custom name in the **Application** field and select the textbox that appears below.
5. Select **OIDC**.
6. Select **Add application**.
7. In **Scopes**, select the user attributes that you want Access to send in the ID token. For more information about configuring OIDC scopes and claims, refer to [OIDC claims](#oidc-claims).
8. In **Redirect URLs**, enter the callback URL obtained from the SaaS application.
9. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if your SaaS application (the OIDC client) supports it. PKCE is negotiated between the SaaS application and Access, which acts as the OpenID provider here, not with your IdP. Once enabled, PKCE is performed on all login attempts.
10. Copy the following values to input into your SaaS application. Different SaaS applications may require different sets of input values.  
| Field | Description |  
| --- | --- |  
| Client secret | Credential used to authorize Access as an SSO provider |  
| Client ID | Unique identifier for this Access application |  
| Configuration endpoint | If supported by your SaaS application, you can configure OIDC using this endpoint instead of manually entering the URLs listed below: `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/.well-known/openid-configuration` |  
| Issuer | Base URL for this OIDC integration: `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>` |  
| Token endpoint | Returns the user's ID token: `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/token` |  
| Authorization endpoint | URL where users authenticate with Access: `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/authorization` |  
| Key endpoint | Returns the current public keys used to [verify the Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/): `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/jwks` |  
| User info endpoint | Returns all user claims in JSON format: `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/userinfo` |
11. Under **Access policies**, add an existing policy or [create a new policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
12. Configure how users will authenticate:  
   1. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application.  
   2. (Recommended) If you plan to only allow access via a single IdP, turn on **Apply instant authentication**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to that identity provider's login page.  
   3. (Optional) Turn on **Authenticate with Cloudflare One Client** to allow users to authenticate to the application using their [ Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
13. (Optional) Go to **Additional settings** to customize the application experience:  
   * **App Launcher customization**: Configure how this application appears to users in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/). If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://<INSTANCE-NAME>.example-app.com`) but could be a different value.  
   * **Custom block pages**: Choose what users will see when they are denied access to the application.  
         * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message.  
         * **Redirect URL**: Redirect to the specified website.  
         * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One.
14. Select **Create**.
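
The endpoint table in step 10 and the PKCE option in step 9 describe what the SaaS application does with the values Access hands out. The following Python script is an added example, not Cloudflare's code or any SaaS vendor's: it derives the Access endpoint set from a team name and client ID, generates a PKCE verifier and S256 challenge, and builds the authorization request and token request the SaaS application would send for the default `response_type=code` flow. The team name `example-team`, client ID `0123456789abcdef` and redirect URI `https://app.example.com/oidc/callback` are placeholders. It uses only the standard library, so it runs offline; nothing is sent to Access.

```python
"""Added example (not Cloudflare's code): derive the Access OIDC endpoints for a
SaaS application and build a PKCE authorization request against them.
Assumed placeholders: team name `example-team`, client ID `0123456789abcdef`."""
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode


def access_oidc_endpoints(team_name: str, client_id: str) -> dict:
    """The endpoint set Access publishes for one SaaS application (see the table above)."""
    issuer = f"https://{team_name}.cloudflareaccess.com/cdn-cgi/access/sso/oidc/{client_id}"
    return {
        "issuer": issuer,
        "configuration": f"{issuer}/.well-known/openid-configuration",
        "authorization": f"{issuer}/authorization",
        "token": f"{issuer}/token",
        "jwks": f"{issuer}/jwks",
        "userinfo": f"{issuer}/userinfo",
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: str = "") -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636.

    The verifier stays with the SaaS application (the OIDC client); only the
    challenge goes in the authorization request. The authorization server later
    checks that the verifier presented at the token endpoint hashes to it."""
    if not verifier:
        verifier = _b64url(secrets.token_bytes(32))  # 43 unreserved characters
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorization_url(endpoints: dict, client_id: str, redirect_uri: str,
                      scopes: list, state: str, nonce: str, code_challenge: str) -> str:
    """Authorization Code request for the default flow (`response_type=code`)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must exactly match a registered Redirect URL
        "scope": " ".join(scopes),
        "state": state,                 # CSRF binding; echoed back on the callback
        "nonce": nonce,                 # replay binding; must appear in the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{endpoints['authorization']}?{urlencode(params, quote_via=quote)}"


def token_request(client_id: str, client_secret: str, code: str,
                  redirect_uri: str, code_verifier: str) -> dict:
    """Form body the SaaS application POSTs to the token endpoint after the callback."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def callback_is_valid(returned_state: str, expected_state: str) -> bool:
    """Constant-time check of the `state` echoed back on the callback."""
    return secrets.compare_digest(returned_state, expected_state)


if __name__ == "__main__":
    ep = access_oidc_endpoints("example-team", "0123456789abcdef")
    verifier, challenge = pkce_pair()
    state, nonce = _b64url(secrets.token_bytes(16)), _b64url(secrets.token_bytes(16))
    print(authorization_url(ep, "0123456789abcdef", "https://app.example.com/oidc/callback",
                            ["openid", "email", "profile", "groups"], state, nonce, challenge))
    print(token_request("0123456789abcdef", "<client-secret>", "<code-from-callback>",
                        "https://app.example.com/oidc/callback", verifier))
```

Two details matter in practice: `redirect_uri` must match one of the **Redirect URLs** registered on the Access application byte for byte, and the ID token returned from the token endpoint should be verified against the **Key endpoint** (`jwks`) with the `nonce` checked, which is the SaaS application's responsibility, not something Access can do on its behalf.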

## 3\. Configure SSO in your SaaS application

Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party OIDC SSO provider.

## 4\. Test the integration

Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.

## OIDC claims

OIDC claims refer to the user identity characteristics that Cloudflare Access shares with your OIDC SaaS application upon successful authentication. An OIDC scope defines a set of OIDC claims. By default, Cloudflare Access passes all [standard claims ↗](https://openid.net/specs/openid-connect-core-1%5F0.html#StandardClaims) that are included in the `openid`, `email`, `profile`, and `groups` scopes (if available).

| Scope   | Description                                                       |
| ------- | ----------------------------------------------------------------- |
| openid  | Includes a unique identifier for the user (required).             |
| email   | Includes the user's email address.                                |
| profile | Includes the user's name and all custom OIDC claims from the IdP. |
| groups  | Include the user's IdP group membership.                          |

In your Access application, you can configure the OIDC scopes and claims that Access sends to the SaaS provider. For example, you can remove the `groups` scope if your SaaS application does not need to receive user group information.

### Filter groups

In **Group filter regex**, you can enter a regular expression to define the identity provider groups that you want to include in the `groups` scope. For example, if you enter the expression `(^TEAM-Engineering-.$)|(^TEAM-Product-.$)`, only groups with names like TEAM-Engineering-A or TEAM-Product-B would get passed to the SaaS application.
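
Because the regex decides which group memberships the SaaS application ever sees, it is worth testing against your real group names before saving it. The following Python snippet is an added example, not Cloudflare's code: it applies a pattern to a constructed list of group names and shows that the page's pattern, with its single-character `.`, admits `TEAM-Engineering-A` but not `TEAM-Engineering-Backend`, while a wider pattern admits both. It assumes the filter is an ordinary regular expression evaluated against each group name independently, which is consistent with the `^` and `$` anchors in the page's example; the group names are constructed.

```python
"""Added example (not Cloudflare's code): test a Group filter regex against a
list of IdP group names before saving it in the Access application."""
import re

# The page's example pattern. Note that `.` matches exactly one character.
DOC_PATTERN = r"(^TEAM-Engineering-.$)|(^TEAM-Product-.$)"
# Variant that accepts multi-character suffixes such as "Backend" or "A-Admins".
WIDER_PATTERN = r"^TEAM-(Engineering|Product)-[A-Za-z0-9-]+$"

# Constructed sample of groups as an IdP might send them.
SAMPLE_GROUPS = [
    "TEAM-Engineering-A",
    "TEAM-Engineering-Backend",
    "TEAM-Product-B",
    "Finance-TEAM-Product-B",   # the ^ anchor keeps this out of both patterns
    "TEAM-Engineering-A-Admins",
    "Everyone",
]


def filter_groups(pattern: str, groups: list) -> list:
    """Return the groups that would be forwarded in the `groups` scope.

    Assumption: each group name is matched independently with standard regex
    search semantics, so anchoring with ^ and $ is what limits the match."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.search(g)]


if __name__ == "__main__":
    for name, pattern in (("page example", DOC_PATTERN), ("wider", WIDER_PATTERN)):
        print(f"{name:12}: {filter_groups(pattern, SAMPLE_GROUPS)}")
```

Prefer the narrowest pattern that still matches the groups the application needs; an unanchored pattern such as `TEAM-Product` would also forward `Finance-TEAM-Product-B`.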

### Add claims

To add additional OIDC claims onto the ID token sent to your SaaS application, configure the following fields for each claim:

* **Name**: OIDC claim name
* **Scope**: Select the OIDC scope where this claim should be included. In most cases, we recommend selecting `profile` since it already includes other custom claims from the IdP.
* **IdP claim**: The identity provider value that should map to this OIDC claim. You can select any [SAML attribute](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#saml-headers-and-attributes) or [OIDC claim](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that was configured in a Zero Trust IdP integration.
* **Required**: If a claim is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page.
* **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**.

## Advanced settings

### Access token lifetime

The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/), otherwise the global session would take precedence.

Note

OIDC Access tokens only control the front door to a SaaS app; Access does not control how long the user can stay in the SaaS app itself. For example, if the user logs out of the SaaS app and then comes back to it, a valid Access token allows them to re-authenticate without another login. The SaaS app issues its own authorization cookie that manages the user's session within the app.

### OIDC flows

Some SaaS applications need the SSO provider to return tokens directly to the browser from the authorization endpoint, rather than obtaining them through a back-channel exchange of an authorization code. Access for SaaS supports the following OIDC flows:

* **No additional OIDC flows**: (Default) Recommended unless your application requires additional flows.
* **Hybrid flows**: Used by applications that require information from the ID token before authenticating the user.
* **Implicit flows**: (Not recommended) Typically used by frontend applications that cannot store secrets and which do not support **PKCE without client secret**.

Cloudflare allows various `response_type` values in the authorization request depending on the selected flow. For example, the implicit flow allows Cloudflare to return the ID token, Access token, or both the ID token and Access token from the Authorization endpoint.

| response\_type values | Default flow | Hybrid flow | Implicit flow |
| --------------------- | ------------ | ----------- | ------------- |
| code                  | ✅            | ✅           | ❌             |
| id\_token             | ❌            | ✅           | ✅             |
| token                 | ❌            | ✅           | ✅             |

To include `id_token` in the authorization request, turn on **Return ID Token from Authorization Endpoint**. To include `token`, turn on **Return Access Token from Authorization Endpoint**.

Note

[Refresh tokens](#access-token-lifetime) are not supported with Hybrid or Implicit flows.


---

---
title: Generic SAML application
description: Generic SAML application in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Generic SAML application

This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to the account of the SaaS application

## 1\. Get SaaS application URLs

Obtain the following URLs from your SaaS application account:

* **Entity ID**: A unique URL issued for your SaaS application, for example `https://<your-domain>.my.salesforce.com`.
* **Assertion Consumer Service URL**: The service provider's endpoint for receiving and parsing SAML assertions.

## 2\. Add your application to Access

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **SaaS application**.
4. Select your **Application** from the drop-down menu. If your application is not listed, enter a custom name in the **Application** field and select the textbox that appears below.
5. Select **SAML**.
6. Select **Add application**.
7. Enter the **Entity ID** and **Assertion Consumer Service URL** obtained from your SaaS application account.
8. Select the **Name ID Format** expected by your SaaS application (usually _Email_).
9. (Optional) Configure any additional [SAML attribute statements](#saml-attributes) required by your SaaS application.
10. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.

IdP groups

If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values.

1. Under **Access policies**, add an existing policy or [create a new policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
2. Configure how users will authenticate:  
   1. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application.  
   2. (Recommended) If you plan to only allow access via a single IdP, turn on **Apply instant authentication**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.  
   3. (Optional) Turn on **Authenticate with Cloudflare One Client** to allow users to authenticate to the application using their [Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
3. (Optional) Go to **Additional settings** to customize the application experience:  
   * **App Launcher customization**: Configure how this application appears to users in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/).  
   * **Custom block pages**: Choose what users will see when they are denied access to the application.  
         * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message.  
         * **Redirect URL**: Redirect to the specified website.  
         * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One.
4. Select **Create**.

## 3\. Configure SSO in your SaaS application

Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party SAML SSO provider. You will need the following values from Cloudflare One:

* **SSO endpoint**
* **Access Entity ID or Issuer**
* **Public key**

You can either manually enter this data into your SaaS application or upload a metadata XML file. The metadata is available at the URL: `<SSO endpoint>/saml-metadata`.

### Validate SAML Response

When acting as a SAML identity provider, Cloudflare will sign both the SAML Response and the SAML Assertion using the SHA-256 algorithm. The SaaS application can validate this signature using the **Public key** that you upload to the SaaS application.

## 4\. Test the integration

Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.

## SAML attributes

[SAML attributes](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#saml-headers-and-attributes) refer to the user identity characteristics that Cloudflare Access shares with your SAML SaaS application upon successful authentication. By default, Cloudflare Access passes the following attributes (if available) to the SaaS application:

* `id` \- UUID of the user's Access identity
* `name` \- Full name of the user (for example, `John Doe`)
* `email` \- User's email address
* `groups` \- Identity provider group membership

In Access for SaaS, you can add additional SAML attributes or customize the SAML statement sent to the SaaS application. This allows you to integrate SaaS applications which have specific SAML attribute requirements.

### SAML attribute statements

To send additional SAML attributes to your SaaS application, configure the following fields for each attribute:

* **Name**: SAML attribute name
* **SAML friendly name**: (Optional) A human readable name for the SAML attribute
* **Name format**: Specify the **Name** format expected by the SaaS application:  
   * `Unspecified`: (default) No specific format required.  
   * `URI`: Name is in a format such as `urn:ietf:params:scim:schemas:core:2.0:User:userName` or `urn:oid:2.5.4.42`.  
   * `Basic`: Name is a normal string such as `userName`.
* **IdP claim**: The identity provider value that should map to this SAML attribute. You can select any [SAML attribute](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#saml-headers-and-attributes) or [OIDC claim](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that was configured in a Cloudflare One IdP integration.
* **Required**: If an attribute is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page.
* **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**.

### JSONata transforms

In **Advanced settings** \> **Transformation**, you can enter a [JSONata ↗](https://jsonata.org/) script that modifies a copy of the [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/). This is useful for setting default values, excluding email addresses, or ensuring usernames meet arbitrary criteria. Access will send the modified user identity to the SaaS application as SAML attributes.

Note

JSONata transformations are not compatible with [SAML attribute statements](#saml-attribute-statements). JSONata transformations will override any specified SAML attributes.

For example, the following JSONata script merges group names into a list and adds an `eduPersonPrincipalName` field which maps to the user email.

JSONata expression

```
$merge([$, {"groups": groups.name, 'eduPersonPrincipalName': email}])
```

Here is an example of a user identity before applying the JSONata transform:

User identity before JSONata transform

```
{
  "account_id": "699d98642c564d2e855e9661899b7252",
  "amr": [
    "pwd"
  ],
  "auth_status": "NONE",
  "common_name": "",
  "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
  "device_sessions": {
    "49e653db-991e-11ee-af26-2243bf8c3428": {
      "last_authenticated": 1703004275
    }
  },
  "devicePosture": {
    "8534a230-e85e-4183-8964-a4b7dcf72986": {
      "rule_name": "Warp",
      "success": true,
      "type": "warp"
    }
  },
  "email": "jdoe@company.com",
  "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU",
  "geo": {
    "country": "US"
  },
  "groups": [
    {
      "id": "12fdf91a-fb23-41b3-995a-de2f72c61d0e",
      "name": "IdentityProtection-RiskyUser-RiskLevel-low"
    },
    {
      "id": "12348f47-8234-4860-a03f-c2a1513f267b",
      "name": "Global Administrator"
    },
    {
      "id": "11235980-87d7-4917-b0aa-74c01914c40e",
      "name": "Application Administrator"
    }
  ],
  "iat": 1659474397,
  "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
  "idp": {
    "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47",
    "type": "azureAD"
  }
}
```

Result after applying the example JSONata script:

```
{
  "account_id": "699d98642c564d2e855e9661899b7252",
  "amr": [
    "pwd"
  ],
  "auth_status": "NONE",
  "common_name": "",
  "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
  "device_sessions": {
    "49e653db-991e-11ee-af26-2243bf8c3428": {
      "last_authenticated": 1703004275
    }
  },
  "devicePosture": {
    "8534a230-e85e-4183-8964-a4b7dcf72986": {
      "rule_name": "Warp",
      "success": true,
      "type": "warp"
    }
  },
  "email": "jdoe@company.com",
  "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU",
  "geo": {
    "country": "US"
  },
  "groups": [
    "IdentityProtection-RiskyUser-RiskLevel-low",
    "Global Administrator",
    "Application Administrator"
  ],
  "iat": 1659474397,
  "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
  "idp": {
    "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47",
    "type": "azureAD"
  },
  "eduPersonPrincipalName": "jdoe@company.com"
}
```

For more JSONata transform use cases, refer to the following examples.

Remove groups attribute

The following JSONata script removes the `groups` SAML attribute. This can be useful if your SaaS application does not need to receive user group information.

JSONata expression

```
$ ~> |$|{}, ['groups']|
```

Result after applying the JSONata transform:

```
{
  "account_id": "699d98642c564d2e855e9661899b7252",
  "amr": [
    "pwd"
  ],
  "auth_status": "NONE",
  "common_name": "",
  "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
  "device_sessions": {
    "49e653db-991e-11ee-af26-2243bf8c3428": {
      "last_authenticated": 1703004275
    }
  },
  "devicePosture": {
    "8534a230-e85e-4183-8964-a4b7dcf72986": {
      "rule_name": "Warp",
      "success": true,
      "type": "warp"
    }
  },
  "email": "jdoe@company.com",
  "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU",
  "geo": {
    "country": "US"
  },
  "iat": 1659474397,
  "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
  "idp": {
    "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47",
    "type": "azureAD"
  }
}
```

Rename groups field and remove group ID

The following JSONata script rebuilds each entry of `groups` so that the group's `name` field is renamed to `group_name` and the `id` field is dropped:

JSONata expression

```
{
  "account_id": account_id,
  "amr": amr,
  "auth_status": auth_status,
  "common_name": common_name,
  "devicePosture": devicePosture,
  "device_id": device_id,
  "device_sessions": device_sessions,
  "email": email,
  "gateway_account_id": gateway_account_id,
  "geo": geo,
  "groups": $map($.groups, function($group) {
    {"group_name": $group.name}}),
  "iat": iat,
  "id": id,
  "idp": idp
}
```

Result after applying the JSONata transform:

```
{
  "account_id": "699d98642c564d2e855e9661899b7252",
  "amr": [
    "pwd"
  ],
  "auth_status": "NONE",
  "common_name": "",
  "devicePosture": {
    "8534a230-e85e-4183-8964-a4b7dcf72986": {
      "rule_name": "Warp",
      "success": true,
      "type": "warp"
    }
  },
  "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
  "device_sessions": {
    "49e653db-991e-11ee-af26-2243bf8c3428": {
      "last_authenticated": 1703004275
    }
  },
  "email": "jdoe@company.com",
  "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU",
  "geo": {
    "country": "US"
  },
  "groups": [
    {
      "group_name": "IdentityProtection-RiskyUser-RiskLevel-low"
    },
    {
      "group_name": "Global Administrator"
    },
    {
      "group_name": "Application Administrator"
    }
  ],
  "iat": 1659474397,
  "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
  "idp": {
    "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47",
    "type": "azureAD"
  }
}
```

Filter groups by name

The following JSONata script filters groups to those that match a regular expression.

JSONata expression

```
$merge([$, { "groups": $filter(groups, function($v) { $contains($v.name, /Administrator/) }) }])
```

Result after applying the JSONata transform:

```
{
  "account_id": "699d98642c564d2e855e9661899b7252",
  "amr": [
    "pwd"
  ],
  "auth_status": "NONE",
  "common_name": "",
  "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
  "device_sessions": {
    "49e653db-991e-11ee-af26-2243bf8c3428": {
      "last_authenticated": 1703004275
    }
  },
  "devicePosture": {
    "8534a230-e85e-4183-8964-a4b7dcf72986": {
      "rule_name": "Warp",
      "success": true,
      "type": "warp"
    }
  },
  "email": "jdoe@company.com",
  "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU",
  "geo": {
    "country": "US"
  },
  "groups": [
    {
      "id": "12348f47-8234-4860-a03f-c2a1513f267b",
      "name": "Global Administrator"
    },
    {
      "id": "11235980-87d7-4917-b0aa-74c01914c40e",
      "name": "Application Administrator"
    }
  ],
  "iat": 1659474397,
  "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
  "idp": {
    "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47",
    "type": "azureAD"
  }
}
```
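The transforms above all serve one purpose: SAML attribute values are strings, so a nested object such as the untransformed `groups` array has no direct representation, and a required attribute that a transform removes (the "Remove groups attribute" case) fails the login. The following Python script makes that visible from the service provider's side by building the `AttributeStatement` an SP would receive from an Access identity, using the three Name format options from the "SAML attribute statements" section. This is an added example, not Cloudflare's code: the identity is a trimmed copy of the sample above, `flatten_groups` is a Python rendering of the first JSONata expression on this page, and because the page does not state how Access serialises nested objects, this example simply refuses to emit them.

```python
"""Build the SAML AttributeStatement a service provider would receive from an
Access user identity after a JSONata transform, and flag fields that cannot be
sent as attribute values.

Added example, not Cloudflare's code. The identity is a trimmed copy of the
sample above; flatten_groups is a Python rendering of the first JSONata
expression on this page; how Access itself serialises nested objects is not
stated on the page, so this example refuses to emit them."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# The three Name format options from the "SAML attribute statements" section,
# mapped to the NameFormat URIs defined by SAML 2.0 Core.
NAME_FORMATS = {
    "Unspecified": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "URI": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "Basic": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
}

# Constructed: a trimmed copy of the "before JSONata transform" identity above.
IDENTITY_BEFORE = {
    "email": "jdoe@company.com",
    "groups": [
        {"id": "12fdf91a-fb23-41b3-995a-de2f72c61d0e", "name": "IdentityProtection-RiskyUser-RiskLevel-low"},
        {"id": "12348f47-8234-4860-a03f-c2a1513f267b", "name": "Global Administrator"},
        {"id": "11235980-87d7-4917-b0aa-74c01914c40e", "name": "Application Administrator"},
    ],
    "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
    "idp": {"id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", "type": "azureAD"},
}

# Attribute statements to send: identity field -> (SAML Name, Name format).
# The urn:oid value is the eduPerson schema's URI-format name for ePPN.
MAPPING = {
    "id": ("id", "Basic"),
    "email": ("email", "Basic"),
    "groups": ("groups", "Basic"),
    "eduPersonPrincipalName": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "URI"),
    "idp": ("idp", "Unspecified"),
}


def flatten_groups(identity: dict) -> dict:
    """Python rendering of $merge([$, {"groups": groups.name,
    'eduPersonPrincipalName': email}]): group objects become a list of names
    and the email is copied into eduPersonPrincipalName."""
    out = dict(identity)
    out["groups"] = [g["name"] for g in identity.get("groups", [])]
    out["eduPersonPrincipalName"] = identity["email"]
    return out


def _scalar(value) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (str, int, float)):
        return str(value)
    raise TypeError("not a scalar")


def attribute_values(value) -> list:
    """One identity field as a list of AttributeValue strings. Lists of scalars
    become multi-valued attributes; objects and lists of objects (such as the
    untransformed groups) have no flat form and raise TypeError."""
    if isinstance(value, list):
        return [_scalar(v) for v in value]
    return [_scalar(value)]


def build_attribute_statement(identity: dict, mapping: dict, required=()) -> tuple:
    """Return (xml_string, skipped_fields). A field listed in `required` that
    is missing from the identity raises ValueError, mirroring the page's
    "Required" behaviour; fields with no flat form are skipped and reported."""
    stmt = ET.Element(f"{{{SAML2_NS}}}AttributeStatement")
    skipped = []
    for field, (name, fmt) in mapping.items():
        if field not in identity:
            if field in required:
                raise ValueError(f"required attribute {name!r} missing from identity")
            continue
        try:
            values = attribute_values(identity[field])
        except TypeError:
            skipped.append(field)
            continue
        attr = ET.SubElement(stmt, f"{{{SAML2_NS}}}Attribute", Name=name, NameFormat=NAME_FORMATS[fmt])
        for v in values:
            ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode"), skipped


def count_values(xml_string: str, name: str) -> int:
    """Number of AttributeValue elements carried by the attribute `name`."""
    root = ET.fromstring(xml_string)
    for attr in root.findall(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") == name:
            return len(attr.findall(f"{{{SAML2_NS}}}AttributeValue"))
    return 0


if __name__ == "__main__":
    _, skipped = build_attribute_statement(IDENTITY_BEFORE, MAPPING)
    print("skipped before transform:", skipped)
    xml, skipped = build_attribute_statement(flatten_groups(IDENTITY_BEFORE), MAPPING)
    print("skipped after transform:", skipped)
    print(xml)
```

Before the transform, `groups` and `idp` are skipped because they are objects; after `flatten_groups`, `groups` becomes a three-valued attribute and `eduPersonPrincipalName` appears under its URI-format name, while `idp` still has no flat form. Passing `required=("groups",)` together with an identity from which a transform has removed `groups` raises, which is the failure the note about JSONata overriding attribute statements warns of.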


---

---
title: GitHub Enterprise Cloud
description: Integrate GitHub Enterprise Cloud with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# GitHub Enterprise Cloud

**Last reviewed:** almost 2 years ago

This guide covers how to configure [GitHub Enterprise Cloud ↗](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* A GitHub Enterprise Cloud subscription
* Access to a GitHub account as an organization owner

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _GitHub_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://github.com/orgs/<your-organization>`  
   * **Assertion Consumer Service URL**: `https://github.com/orgs/<your-organization>/saml/consume`  
   * **Name ID format**: _Email_
7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Create an X.509 certificate

1. Paste the **Public key** in a text editor.
2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.

## 3\. Configure an identity provider and SAML SSO in GitHub Enterprise Cloud

1. In your GitHub organization page, go to **Settings** \> **Authentication security**.
2. Under **SAML single sign-on**, turn on **Enable SAML authentication**.
3. Fill in the following fields:  
   * **Sign on URL**: SSO endpoint from application configuration in Cloudflare One.  
   * **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare One.  
   * **Public certificate**: Paste the entire X.509 certificate from step [2\. Create an X.509 certificate](#2-create-an-x509-certificate).

## 4\. Test the integration

Select **Test SAML configuration**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. When this is successful, select **Save**.

You can also turn on **Require SAML SSO authentication for all members of your organization** if you want to enforce SSO login with Cloudflare Access.


---

---
title: Google Cloud
description: Integrate Google Cloud with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Google Cloud

**Last reviewed:** almost 2 years ago

This guide covers how to configure [Google Cloud ↗](https://support.google.com/cloudidentity/topic/7558767) as a SAML application in Cloudflare One.

Warning

When configuring Google Cloud with Access, the following limitations apply:

* Users will not be able to log in using [Google](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google/) or [Google Workspace](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google-workspace/) as an identity provider after Google Cloud is configured with Access.
* The integration of Access as a single sign-on provider for your Google Cloud account does not work for Google super admins. It will work for other users.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Google Workspace account
* [Cloud Identity Free or Premium ↗](https://support.google.com/cloudidentity/answer/7389973) set up in your organization's Google Cloud account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Google Cloud_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `google.com`  
   * **Assertion Consumer Service URL**: `https://www.google.com/a/<your_domain.com>/acs`  
   * **Name ID format**: _Email_
7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Create an X.509 certificate

1. Paste the Public key from application configuration in Cloudflare One into a text editor.
2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
3. Set the file extension as `.crt` and save.

## 3\. Create an SSO provider in Google Cloud

1. In your [Google Admin console ↗](https://admin.google.com/), go to **Security** \> **Authentication** \> **SSO with third party IdP**.
2. Select **Third-party SSO profile for your organization** \> **Add SSO Profile**.
3. Turn on **Set up SSO with third-party identity provider**.
4. Fill in the following information:  
   * **Sign-in page URL**: SSO endpoint from application configuration in Cloudflare One.  
   * **Sign-out page URL**: `https://<team-name>.cloudflareaccess.com/cdn-cgi/access/logout`, where `<team-name>` is your Cloudflare One team name.  
   * **Verification certificate**: Upload the `.crt` certificate file from step [2\. Create an X.509 certificate](#2-create-an-x509-certificate).
5. (Optional) Turn on **Use a domain specific issuer**. If you select this option, Google will send an issuer specific to your Google Cloud domain (`google.com/a/<your_domain.com>` instead of the standard `google.com`).

## 4\. Test the integration

Open an incognito browser window and go to your Google Cloud URL (`https://console.cloud.google.com/a/<your_domain.com>`). Sign in using credentials that do not belong to a super admin account.

## Troubleshooting

`Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."`

If you see this error, it is likely that the public key and private key do not match. Confirm that your certificate file includes the correct public key.


---

---
title: Google Workspace
description: Integrate Google Workspace with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Google Workspace

**Last reviewed:** almost 2 years ago

This guide covers how to configure [Google Workspace ↗](https://support.google.com/a/topic/7579248?ref%5Ftopic=7556686&sjid=14539485562330725560-NA) as a SAML application in Cloudflare One.

Note

The integration of Access as a single sign-on provider for your Google Workspace account does not work for Google super admins. It will work for other users.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Google Workspace account

## 1\. Create an application in Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **SaaS application**.
4. Fill in the following information:  
   * **Application**: _Google_.  
   * **Entity ID**: Use the value provided to you by Google when [configuring your SAML SSO provider ↗](https://saml-doc.okta.com/SAML%5FDocs/How-to-Enable-SAML-2.0-in-Google-Apps.html).  
   * **Assertion Consumer Service URL**: `https://www.google.com/a/<your_domain.com>/acs`, where `<your_domain.com>` is your Google Workspace domain.  
   * **Name ID Format**: _Email_.

Warning

When you put your Google Workspace behind Access, users will not be able to log in using [Google](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google/) or [Google Workspace](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google-workspace/) as an identity provider. To secure Google Workspace behind Access and avoid an [authentication loop](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/#google-workspace-redirect-loop), you must configure a different identity provider (not Google or Google Workspace) for authentication.

1. [Create an Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for your application. For example, you could allow users with an `@your_domain.com` email address.
2. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. These values will be used to configure Google Workspace.
3. Save the application.

## 2\. Create a certificate from your public key

1. Copy and then paste your **Public key** into a text editor.
2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. For example:
   ```
   -----BEGIN CERTIFICATE-----
   <PUBLIC_KEY>
   -----END CERTIFICATE-----
   ```
3. Set the file extension as `.crt` and save.
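The "create a certificate" step is the same on the GitHub Enterprise Cloud, Google Cloud and Google Workspace pages above, and the troubleshooting entries below show what a bad paste looks like from the other side. The following Python script does the wrapping mechanically and, before writing the `.crt` file, checks that the pasted base64 decodes to exactly one complete DER SEQUENCE, which catches a truncated or partial copy of the **Public key**. This is an added example, not Cloudflare's code; the certificate bytes it uses are constructed so the block runs offline and are not a real certificate.

```python
"""Wrap the bare base64 Public key from the Cloudflare One dashboard into a
PEM X.509 certificate (the "Create a certificate" steps on the GitHub
Enterprise Cloud, Google Cloud and Google Workspace pages above) and check
that the pasted bytes form one complete DER SEQUENCE.

Added example, not Cloudflare's code; the certificate bytes below are
constructed so the block runs offline."""
import base64
import binascii
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _armour_body(text: str) -> str:
    """Drop PEM header/footer lines and all whitespace, keeping the base64."""
    lines = [ln.strip() for ln in text.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def der_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer ASN.1 SEQUENCE, or -1 if the bytes
    do not start with one. A certificate is exactly one such SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def wrap_certificate(raw: str) -> str:
    """Return the public key as 64-column PEM. Raises ValueError when the
    paste is not base64 or is not exactly one complete DER SEQUENCE (the
    usual symptom of a truncated or partial copy)."""
    body = _armour_body(raw)
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"public key is not valid base64: {exc}") from None
    if der_sequence_length(der) != len(der):
        raise ValueError("decoded bytes are not one complete DER certificate; re-copy the Public key")
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([BEGIN, *textwrap.wrap(b64, 64), END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of wrap_certificate, for round-trip checks."""
    return base64.b64decode(_armour_body(pem), validate=True)


def sample_der() -> bytes:
    """Constructed stand-in for a certificate: a 256-byte SEQUENCE with a
    long-form length (0x82 0x01 0x00). Not a real certificate."""
    return b"\x30\x82\x01\x00" + bytes(256)


def sample_raw_b64() -> str:
    """The constructed sample as it would be pasted from the dashboard."""
    return base64.b64encode(sample_der()).decode("ascii")


if __name__ == "__main__":
    print(wrap_certificate(sample_raw_b64()), end="")
```

Feeding the output of `wrap_certificate` back into it returns the same PEM, so the script is safe to run on a key that was already wrapped by hand. It only checks structure, not which key the certificate holds; if the SaaS application still reports that the credentials could not be verified, the key was copied from a different application than the one being configured.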

## 3\. Create an SSO provider in Google Workspace

1. Log in to your [Google Admin console ↗](https://admin.google.com/).
2. Go to **Security** \> **Authentication** \> **SSO with third party IdP**.
3. Select **Third-party SSO profile for your organization**.
4. Enable **Set up SSO with third-party identity provider**.
5. Fill in the following information:  
   * **Sign-in page URL**: Copy and then paste your **SSO endpoint** from Cloudflare One.  
   * **Sign-out page URL**: `https://<team-name>.cloudflareaccess.com/cdn-cgi/access/logout`, where `<team-name>` is your Cloudflare One team name.  
   * **Verification certificate**: Upload the certificate file containing your public key.
6. (Optional) Enable **Use a domain specific issuer**. If you select this option, Google will send an issuer specific to your Google Workspace domain (`google.com/a/<your_domain.com>` instead of the standard `google.com`).

## 4\. Test the integration

1. In your [Google Admin console ↗](https://admin.google.com/), go to **Apps** \> **Google Workspace** \> **Gmail** \> **Setup**.
2. Copy your Gmail **Web address**.
3. Open an incognito browser window and go to your Gmail web address (for example, `https://mail.google.com/a/<your_domain.com>`).

An Access login screen should appear.

## Troubleshooting

`Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."`

If you see this error, it is likely that the public key and private key do not match. Confirm that your certificate file includes the correct public key.


---

---
title: Grafana Cloud
description: Integrate Grafana Cloud with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Grafana Cloud

**Last reviewed:** almost 2 years ago

This guide covers how to configure [Grafana Cloud ↗](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/authorization/#configure-oauth-20-with-generic-oauth) as an OIDC application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Grafana Cloud account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **SaaS application**.
4. For **Application**, enter `Grafana Cloud` and select the corresponding textbox that appears.
5. For the authentication protocol, select **OIDC**.
6. Select **Add application**.
7. In **Scopes**, select the attributes that you want Access to send in the ID token.
8. In **Redirect URLs**, enter `https://<your-grafana-domain>/login/generic_oauth`.
9. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
10. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
11. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
12. (Optional) In **Experience settings**, configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
13. Save the application.

## 2\. Add an SSO provider to Grafana Cloud

1. In Grafana Cloud, select the **menu** icon > **Administration** \> **Authentication** \> **Generic OAuth**.
2. (Optional) For **Display name**, enter a new display name (for example, `Cloudflare Access`). Users will select **Sign in with (display name)** when signing in via SSO.
3. Fill in the following fields:  
   * **Client Id**: Client ID from application configuration in Cloudflare One  
   * **Client secret**: Client secret from application configuration in Cloudflare One  
   * **Scopes**: Delete `user:email` and enter the scopes configured in Cloudflare One  
   * **Auth URL**: Authorization endpoint from application configuration in Cloudflare One  
   * **Token URL**: Token endpoint from application configuration in Cloudflare One
4. Select **Save**.

## 3\. Test the integration

Open an incognito browser window and go to your Grafana domain (`https://<your-grafana-domain>/login`). Select **Sign in with (display name)**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.

---

---
title: Grafana
description: Integrate Grafana with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Grafana

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Grafana ↗](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/) as an OIDC application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Grafana account

Note

You can also configure OIDC SSO for Grafana using a [configuration file ↗](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-generic-oauth-authentication-client-using-the-grafana-configuration-file) instead of Grafana's user interface (UI), which is the method this guide documents.

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **SaaS application**.
4. For **Application**, select _Grafana_.
5. For the authentication protocol, select **OIDC**.
6. Select **Add application**.
7. In **Scopes**, select the attributes that you want Access to send in the ID token.
8. In **Redirect URLs**, enter `https://<your-grafana-domain>/login/generic_oauth`.
9. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if Grafana is configured to use it. PKCE is negotiated between Grafana (the OAuth client) and Access, not with your upstream identity provider; in Grafana's generic OAuth settings it is the `use_pkce` option. Once enabled in Access, a code challenge is required on every login attempt.
10. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
11. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
12. (Optional) In **Experience settings**, configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
13. Save the application.

## 2\. Add an SSO provider to Grafana

1. In Grafana, select the **menu** icon > **Administration** \> **Authentication** \> **Generic OAuth**.
2. (Optional) For **Display name**, enter a new display name (for example, `Cloudflare Access`). Users will select **Sign in with (display name)** when signing in via SSO.
3. Fill in the following fields:  
   * **Client Id**: Client ID from application configuration in Cloudflare One  
   * **Client secret**: Client secret from application configuration in Cloudflare One  
   * **Scopes**: Delete `user:email` and enter the scopes configured in Cloudflare One  
   * **Auth URL**: Authorization endpoint from application configuration in Cloudflare One  
   * **Token URL**: Token endpoint from application configuration in Cloudflare One
4. Select **Save**.

## 3\. Test the integration

Log out, then select **Sign in with (display name)**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.

---

---
title: Greenhouse Recruiting
description: Integrate Greenhouse Recruiting with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Greenhouse Recruiting

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Greenhouse Recruiting ↗](https://support.greenhouse.io/hc/en-us/articles/360040753811-Configure-single-sign-on-SSO-for-Greenhouse-Recruiting) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to an Advanced or Expert Greenhouse Recruiting site

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Greenhouse` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Copy the **SAML Metadata endpoint**.
7. Keep this window open. You will finish this configuration in step [4\. Finish adding a SaaS application to Cloudflare One](#4-finish-adding-a-saas-application-to-cloudflare-one).

## 2\. Download the metadata file

1. Paste the SAML Metadata endpoint from application configuration in Cloudflare One in a web browser.
2. Follow your browser-specific steps to download the URL's contents as an `.xml` file.

## 3\. Add a SAML SSO provider to Greenhouse

1. In Greenhouse Recruiting, go to the **Configure** icon > **Dev Center** \> **Single sign-on**.
2. Copy the **SSO Assertion Consumer URL**.
3. Under **Upload XML file**, select **Choose a file**, and upload the `.xml` file created in step [2\. Download the metadata file](#2-download-the-metadata-file).
4. Change the **Entity ID** to `greenhouse.io`.
5. Keep this window open without selecting **Begin testing**. You will finish this configuration in step [5\. Test the integration and finalize configuration](#5-test-the-integration-and-finalize-configuration).

## 4\. Finish adding a SaaS application to Cloudflare One

1. In your open Cloudflare One window, fill in the following fields:  
   * **Entity ID**: `greenhouse.io`  
   * **Assertion Consumer Service URL**: SSO Assertion Consumer URL from SSO configuration in Greenhouse Recruiting.  
   * **Name ID format**: _Email_
2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
3. Save the application.

## 5\. Test the integration and finalize configuration

1. In your open Greenhouse Recruiting window, select **Begin Testing** \> **Proceed**.
2. Open an incognito browser window and go to your Greenhouse Recruiting URL. Choose the SSO login option. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
3. Once SSO sign in is successful, go to the **Configure** icon > **Dev Center** \> **Single sign-on**.
4. Select **Finalize Configuration**.
5. In the text field, enter `CONFIGURE`.
6. Select **Finalize**. Now, users will only be able to sign in with SSO.

---

---
title: Hubspot
description: Integrate Hubspot with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Hubspot

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Hubspot ↗](https://knowledge.hubspot.com/account-security/set-up-single-sign-on-sso) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Hubspot Enterprise plan account

## 1\. Configure Hubspot

1. Go to **Settings** \> **Account**, then go to **Defaults** \> **Security**.
2. Select _Single Sign-on_.
3. Copy the values for _Audience URI_ and _Sign on URL_.

## 2\. Configure Cloudflare Access

1. In Cloudflare One, go to **Access controls** \> **Applications**, select **Create new application**, and select **SaaS application**.
2. Set the **Application type** to _Hubspot_.
3. Use the following Hubspot field mappings:  
| Hubspot values | Cloudflare values              |  
| -------------- | ------------------------------ |  
| Audience URI   | Entity ID                      |  
| Sign On URL    | Assertion Consumer Service URL |
4. Set **NameID** to _Email_.
5. Add any desired [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to your application.
6. Copy the **SSO endpoint**, **Access Entity ID**, and **Public key**.
7. Save the application.

## 3\. Create an X.509 certificate

1. Paste the **Public key** copied from the application configuration in Cloudflare One into a text editor.
2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.

## 4\. Finalize Hubspot configuration

1. Use the following field mappings:  
| Cloudflare value | Hubspot value                        |  
| ---------------- | ------------------------------------ |  
| SSO endpoint     | Identity Provider Single Sign-on URL |  
| Entity ID        | Identity Provider Identifier         |  
| Public key       | Certificate                          |
2. Select **Verify** to validate the integration.

Your configuration is now complete. Hubspot SSO can be switched on for specific users or the entire account.

---

---
title: Ironclad
description: Integrate Ironclad with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Ironclad

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Ironclad ↗](https://support.ironcladapp.com/hc/articles/12286012625559-Set-Up-Generic-SSO-SAML-Integration) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to an Ironclad site

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Ironclad` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Copy the **SSO Endpoint** and **Public key**.
7. Keep this window open. You will finish this configuration in step [3\. Finish adding a SaaS application to Cloudflare One](#3-finish-adding-a-saas-application-to-cloudflare-one).

## 2\. Add a SAML SSO provider to Ironclad

1. In Ironclad, select your profile picture > **Company settings** \> **Integrations** \> **SAML**.
2. Select **Add SAML Configuration** \> **Show Additional IdP Settings**.
3. Copy the **Callback** value.
4. Fill in the following fields:  
   * **Entry Point**: SSO endpoint from application configuration in Cloudflare One.  
   * **Identity Provider Certificate**: Public key from application configuration in Cloudflare One. The key will automatically be wrapped in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
5. Select **Save**.

## 3\. Finish adding a SaaS application to Cloudflare One

1. In your open Cloudflare One window, fill in the following fields:  
   * **Entity ID**: `ironcladapp.com`  
   * **Assertion Consumer Service URL**: Callback from Ironclad SAML SSO set-up.  
   * **Name ID format**: _Email_
2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
3. Save the application.

## 4\. Add a test user to Ironclad and test the integration

1. In Ironclad, select your profile picture > **Company settings** \> **Users & Groups**.
2. Select **Invite User**.
3. For **Email addresses**, add your desired email address for your test user.
4. For **Sign-in Method**, ensure **Sign in with (your-team-domain.cloudflareaccess.com)** is selected.
5. Select **Invite**.
6. In the invitation email sent to the test user, select **Join now**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
7. Once this is successful, you can contact your account team or `support@ironcladapp.com` to migrate existing users to SSO login.

---

---
title: Jamf Pro
description: Integrate Jamf Pro with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Jamf Pro

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Jamf Pro ↗](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Single%5FSign-On.html) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Jamf Pro account

## 1\. Collect Jamf Pro information

1. In Jamf Pro, go to **Settings** \> **Systems** \> **Single Sign-On** \> **Edit**.
2. Copy the pre-populated URL in **Entity ID**.
3. Paste the URL in a web browser to download the Jamf metadata file.
4. Open the `metadata.xml` file in a text editor, and copy the values for **Entity ID** and **Assertion Consumer Service**.

## 2\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Jamf` or `Jamf Pro` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: Entity ID value from Jamf Pro metadata file.  
   * **Assertion Consumer Service URL**: Assertion Consumer Service value from Jamf Pro metadata file.  
   * **Name ID format**: _Email_
7. Copy the **SAML Metadata endpoint**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 3\. Edit Access SAML Metadata

1. Paste the **SAML Metadata endpoint** from application configuration in Cloudflare One into a browser.
2. Copy the file and paste it into a text editor.
3. Change `WantAuthnRequestsSigned="true"` to `WantAuthnRequestsSigned="false"`.
4. Set the file extension as `.xml` and save.
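
The edit in step 3 is a one-word change, but hand-editing a file you then upload to a service provider is an easy way to corrupt the metadata. The script below, added here as an example and not part of the Cloudflare or Jamf documentation, parses the metadata as XML, changes only `WantAuthnRequestsSigned`, and returns the entity ID, SSO URL and signing certificate so you can compare them with the application in Cloudflare One before uploading. The sample metadata is constructed for the example (team name, SSO path and certificate are placeholders); in practice you feed it the document served at the SAML Metadata endpoint copied in step 2. The same parser is a convenient check on the metadata file downloaded for the Greenhouse Recruiting integration.

```python
import xml.etree.ElementTree as ET

# SAML metadata namespaces. Registering them keeps the md:/ds: prefixes on
# re-serialisation instead of ElementTree's default ns0:/ns1:.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed stand-in for the document served at the Access SAML Metadata
# endpoint. Team name, SSO path and certificate are placeholders, not real
# Cloudflare values.
SAMPLE_ACCESS_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-team.cloudflareaccess.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIBplaceholderCertificateBase64==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-team.cloudflareaccess.com/cdn-cgi/access/sso/saml/placeholder-app-id"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def relax_authn_request_signing(metadata_xml: str):
    """Return (rewritten_xml, summary) with WantAuthnRequestsSigned set to "false".

    Only the AuthnRequest-signing flag is touched: the IdP signing certificate
    and SSO location are left as they are, and the summary lets you compare
    them with the Cloudflare One application before uploading the file.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")

    before = idp.get("WantAuthnRequestsSigned")
    idp.set("WantAuthnRequestsSigned", "false")

    sso = idp.find("md:SingleSignOnService", NS)
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    summary = {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed_before": before,
        "sso_url": sso.get("Location") if sso is not None else None,
        "signing_cert_b64": cert.text.strip() if cert is not None and cert.text else None,
    }
    return ET.tostring(root, encoding="unicode"), summary


if __name__ == "__main__":
    rewritten, info = relax_authn_request_signing(SAMPLE_ACCESS_METADATA)
    # Jamf Pro wants a file with an .xml extension (step 3, item 4).
    with open("access-metadata.xml", "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    for key, value in info.items():
        print(f"{key}: {value}")
```

Changing `WantAuthnRequestsSigned` to `false` only changes what Jamf Pro is told about signing of the AuthnRequests it sends to Access. It does not change the SAML Response and Assertion that Access returns, which stay signed and which Jamf Pro verifies against the certificate carried in this same metadata, so check that the certificate in the summary matches the **Public key** shown for the application in Cloudflare One.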

## 4\. Add a SAML SSO provider to Jamf Pro

1. In Jamf Pro, go to **Settings** \> **Single Sign-On** \> **Edit**.
2. In Identity Provider menu, select **Other**.
3. Label **Other provider** as `Cloudflare`.
4. Fill in the following fields:  
   * **Entity ID**: Entity ID from Jamf Pro metadata file.  
   * **Identity Provider Metadata Source**: Select **Metadata File** and upload the `.xml` file from step [3\. Edit Access SAML Metadata](#3-edit-access-saml-metadata).  
   * **Identity Provider User Mapping**: _Name ID_  
   * **Jamf Pro User Mapping**: _Email_
5. Turn on **Single Sign On**.

Note

The Failover Login URL located on this page can be used to log in if your SSO does not work.

## 5\. Test the Integration

Log out of Jamf Pro and open an incognito browser window. Go to your Jamf Pro URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.

---

---
title: Miro
description: Integrate Miro with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Miro

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Miro ↗](https://help.miro.com/hc/articles/360017571414-Single-sign-on-SSO) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Miro Business or Enterprise plan account
* A [verified domain ↗](https://help.miro.com/hc/articles/360034831793-Domain-control) added to your Miro account (Enterprise plan), or be prepared to do so during SSO configuration (Business or Enterprise plan)

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Miro` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://miro.com/`  
   * **Assertion Consumer Service URL**: `https://miro.com/sso/saml`  
   * **Name ID format**: _Email_
7. Copy the **SSO endpoint** and **Public key**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Add a SAML SSO provider to Miro

**Business plan**

1. In Miro, select your profile picture > **Settings** \> **Security**.
2. Turn on **SSO/SAML**.
3. Fill in the following fields:  
   * **SAML Sign-in URL**: SSO endpoint from application configuration in Cloudflare One  
   * **Key x509 Certificate**: Public key from application configuration in Cloudflare One
4. In **Domain**, enter the domain you want to configure SSO for and select **Enter**.
5. Enter an email address from that domain and select **send verification**.
6. Once you receive a verification email, select the link in the email, then select **Save**. When the domain is successfully configured, the **VERIFY EMAIL** label next to the domain in the SSO/SAML configuration page will disappear.
7. If you have additional domains you want to configure SSO for, repeat steps 4-6 for each domain.

**Enterprise plan**

1. In Miro, select your profile picture > **Settings** \> **Security and Compliance** \> **Authentication** \> **Single sign-on**.
2. Turn on **SSO/SAML**.
3. Fill in the following fields:  
   * **SAML Sign-in URL**: SSO endpoint from application configuration in Cloudflare One  
   * **Key x509 Certificate**: Public key from application configuration in Cloudflare One
4. In **Domain**, enter the domain you want to configure SSO for and select **Enter**.
5. If you have not previously [verified the domain ↗](https://help.miro.com/hc/articles/360034831793-Domain-control), enter an email address from that domain and select **send verification**.
6. Once you receive a verification email, select the link in the email, then select **Save**. When the domain is successfully configured, the **VERIFY EMAIL** label next to the domain in the SSO/SAML configuration page will disappear.
7. If you have additional domains you want to configure SSO for, repeat steps 4-6 for each domain.

## 3\. Test the integration

In the Miro SAML/SSO configuration page, select **Test SSO Configuration**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. If the login is successful, you will receive a **SSO configuration test was successful** message.

Note

When testing the integration, you do not have to use an email from a domain you have configured for SSO or a user configured in Miro. The only requirement is that the user is already configured in your identity provider.

---

---
title: PagerDuty
description: Integrate PagerDuty with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# PagerDuty

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [PagerDuty ↗](https://support.pagerduty.com/docs/sso) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a PagerDuty site

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _PagerDuty_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://<your-subdomain>.pagerduty.com`  
   * **Assertion Consumer Service URL**: `https://<your-subdomain>.pagerduty.com/sso/saml/consume`  
   * **Name ID format**: _Email_
7. Copy the **SSO endpoint** and **Public key**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Create an X.509 certificate

1. Paste the **Public key** in a text editor.
2. Re-wrap the public key so that each row is at most 64 characters long. Access displays the key in 65-character rows, while PagerDuty expects the 64-character lines that the PEM format (RFC 7468) specifies.
3. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
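
Hubspot (step 3 of the Hubspot guide) and PagerDuty (step 2 here) both need the Access public key re-wrapped as a PEM certificate, and PagerDuty is additionally strict about the 64-character line length. The helper below, added here as an example rather than code from Cloudflare, Hubspot or PagerDuty, does the re-wrapping and first checks that what you pasted is valid base64 that decodes to a DER `SEQUENCE` (tag byte `0x30`, which every X.509 certificate starts with), so a truncated or mis-copied key fails here rather than at the next SSO login. The sample key is constructed for the example and is not a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def normalize_base64(raw: str) -> str:
    """Drop any PEM armour lines and all whitespace, leaving only base64 text."""
    kept = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            kept.append(line)
    return "".join("".join(kept).split())


def to_pem(raw_public_key: str, width: int = 64) -> str:
    """Wrap the base64 blob Access shows as "Public key" into PEM (RFC 7468).

    Validates that the text is real base64 and that it decodes to a DER
    SEQUENCE (tag 0x30), which every X.509 certificate starts with.
    """
    b64 = normalize_base64(raw_public_key)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE; check what you pasted")
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([BEGIN, *rows, END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem, used to confirm that re-wrapping changed no bytes."""
    return base64.b64decode(normalize_base64(pem), validate=True)


# Constructed sample: fake DER that starts with the SEQUENCE tag, presented the
# way the page says Access displays the key (65-character rows). Not a real
# certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x02, 0x00]) + bytes(range(256)) * 2
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_ACCESS_PUBLIC_KEY = "\n".join(_b64[i:i + 65] for i in range(0, len(_b64), 65))


if __name__ == "__main__":
    print(to_pem(SAMPLE_ACCESS_PUBLIC_KEY), end="")
```

Ironclad and Miro accept the raw blob (Ironclad adds the armour itself), so for those integrations paste the key as Access shows it. For a PEM-taking provider, `to_pem` is idempotent: feeding it an already wrapped certificate returns the same PEM, which makes it safe to run over a key regardless of how it was copied.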

## 3\. Add a SAML SSO provider to PagerDuty

1. In PagerDuty, select your profile picture and go to **Account Settings** \> **Single Sign-on**.
2. Turn on **SAML**.
3. In **X.509 Certificate**, paste the entire X.509 certificate from step [2\. Create an X.509 certificate](#2-create-an-x509-certificate).
4. In **Login URL**, paste the SSO endpoint from application configuration in Cloudflare One.
5. Select **Save Changes**.

## 4\. Test the integration and finalize SSO configuration

1. Open an incognito window, go to your PagerDuty URL, and select **Sign In With Single Sign-On**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
2. Once SSO sign in is successful, select your profile picture and go to **Account Settings** \> **Single Sign-on**.
3. Turn off **Allow username/password login** and select **Save Changes**. Now, users will only be able to sign in with SSO.

---

---
title: Pingboard
description: Integrate Pingboard with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Pingboard

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Pingboard ↗](https://support.pingboard.com/hc/en-us/articles/360046585994-Set-Up-a-Custom-SSO-Solution) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Pingboard account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Pingboard` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `http://app.pingboard.com/sp`  
   * **Assertion Consumer Service URL**: `https://sso-demo.pingboard.com/auth/saml/consume`  
   * **Name ID format**: _Email_
7. Copy the **SAML Metadata endpoint**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Add a SAML SSO provider to Pingboard

1. In Pingboard, go to **Account** \> **Add-Ons**.
2. Under **Third-Party Integrations**, select **Custom SSO**.
3. In a web browser, paste the SAML Metadata endpoint you copied from the application configuration in Cloudflare One. Next, copy the contents of the displayed page.
4. In Pingboard, under **IdP Metadata**, paste the contents from the SAML Metadata endpoint.
5. (Optional) Under **Sign in with**, enter a name (for example, `Cloudflare Access`). Your users will select this name when signing in.

## 3\. Test the integration

Open an incognito browser window and go to your Pingboard URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.


---

---
title: Salesforce (OIDC)
description: Integrate Salesforce (OIDC) with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Salesforce (OIDC)

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Salesforce ↗](https://help.salesforce.com/s/articleView?id=sf.sso%5Fprovider%5Fopenid%5Fconnect.htm&type=5) as an OpenID Connect (OIDC) application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Salesforce account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Salesforce_.
4. For the authentication protocol, select **OIDC**.
5. Select **Add application**.
6. In **Scopes**, select the attributes that you want Access to send in the ID token.
7. In **Redirect URLs**, enter the callback URL obtained from Salesforce (`https://<your-domain>.my.salesforce.com/services/authcallback/<URL Suffix>`). Refer to [Add a SSO provider to Salesforce](#2-add-a-sso-provider-to-salesforce) for instructions on obtaining this value.
8. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
9. Copy the following values:  
   * **Client ID**  
   * **Client Secret**  
   * **Authorization endpoint**  
   * **Token endpoint**  
   * **User info endpoint**
10. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
11. (Optional) In **Experience settings**, configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-domain>.my.salesforce.com`.
12. Save the application.

## 2\. Add a SSO provider to Salesforce

1. In Salesforce, go to **Setup**.
2. In the **Quick Find** box, enter `auth` and select **Auth providers**.
3. Select **New**.
4. For the provider type, select **OpenID Connect**.
5. Enter a name for the SSO provider (for example, `Cloudflare Access`).
6. Fill in the following fields with values obtained from Cloudflare Access:  
   * **Consumer Key**: Client ID  
   * **Consumer Secret**: Client Secret  
   * **Authorize Endpoint URL**: Authorization endpoint  
   * **Token endpoint URL**: Token endpoint  
   * **User Info Endpoint URL**: User info endpoint  
   * **Token Issuer**: Issuer
7. (Optional) Enable **Use Proof Key for Code Exchange** if you enabled it in Access.
8. In **Default Scopes**, enter a space-separated list of the scopes you configured in Access (for example, `openid email profile groups`).
9. Select **Save**.
10. Copy the **Callback URL**:

    ```
    https://<your-domain>.my.salesforce.com/services/authcallback/<URL Suffix>
    ```
11. In Cloudflare One, paste the Callback URL into the **Redirect URL** field.

To test the integration, open an incognito browser window and go to the **Test-Only Initialization URL** (`https://<your-domain>.my.salesforce.com/services/auth/test/<URL Suffix>`).

## 3\. Enable Single Sign-On in Salesforce

1. Enable Cloudflare Access as an identity provider on your Salesforce domain:  
   1. In the **Quick Find** box, enter `domain` and select **My Domain**.  
   2. In **Authentication Configuration**, select **Edit**.  
   3. In **Authentication Service**, turn on the Cloudflare Access provider.
2. (Optional) To require users to log in with Cloudflare Access:  
   1. In the **Quick Find** box, enter `single sign-on` and select **Single Sign-On Settings**.  
   2. Turn on **Disable login with Salesforce credentials**.

To test, open an incognito browser window and go to your Salesforce domain (`https://<your-domain>.my.salesforce.com`).


---

---
title: Salesforce (SAML)
description: Learn to configure Salesforce as a SAML app in Cloudflare One. Follow step-by-step instructions for adding SaaS apps and enabling SSO.
image: https://developers.cloudflare.com/zt-preview.png
---


# Salesforce (SAML)

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Salesforce ↗](https://help.salesforce.com/s/articleView?id=sf.sso%5Fsaml.htm&type=5) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Salesforce account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Salesforce_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://<your-domain>.my.salesforce.com` or `https://<your-domain>.my.salesforce.com?so=<your-salesforce-org-id>`, if your account was created before summer 2019 or does not have a My Domain subdomain.  
   * **Assertion Consumer Service URL**: `https://<your-domain>.my.salesforce.com` or `https://<your-domain>.my.salesforce.com?so=<your-salesforce-org-id>`, if your account was created before summer 2019 or does not have a My Domain subdomain.  
   * **Name ID format**: _Email_

Note

If you are unsure of which URL to use in the **Entity ID** and **Assertion Consumer Service URL** fields, you can check your Salesforce account's metadata. In Salesforce, go to the **Single Sign-On Settings** page and select **Download Metadata**. In this file, you will find the correct URLs to use.

7. Copy the **SSO endpoint**, **Public key**, and **Access Entity ID or Issuer**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Create a certificate file

1. Paste the **Public key** in a text editor.
2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
3. Set the file extension as `.crt` and save.

## 3\. Add a SAML SSO provider to Salesforce

1. In Salesforce, go to **Setup**.
2. In the **Quick Find** box, enter `single sign-on` and select **Single Sign-On Settings**.
3. In **SAML Single Sign-On Settings**, select **New**.
4. Fill in the following fields:  
   * **Name:** Name of the SSO provider (for example, `Cloudflare Access`). Users will select this name when signing in to Salesforce.  
   * **API name:** (this will pre-populate)  
   * **Issuer:** Paste the Access Entity ID or Issuer from application configuration in Cloudflare One.  
   * **Identity Provider Certificate**: Upload the `.crt` certificate file from [2\. Create a certificate file](#2-create-a-certificate-file).  
   * **Entity ID**: `https://<your-domain>.my.salesforce.com`  
   * **SAML Identity type:** If the user's Salesforce username is their email address, select _Assertion contains the User's Salesforce username_. Otherwise, select _Assertion contains the Federation ID from the User object_ and make sure the user's Federation ID matches their email address. To configure Federation IDs:  
     1. In the **Quick Find** box, enter `users` and select **Users**.  
     2. Select the user.  
     3. Verify that the user's **Federation ID** matches the email address used to authenticate to Cloudflare Access.  
   * **Identity Provider Login URL**: SSO endpoint provided in Cloudflare One for this application.
5. Select **Save**.

## 4\. Enable Single Sign-On in Salesforce

1. Configure Single Sign-On settings:  
   1. In the **Quick Find** box, enter `single sign-on` and select **Single Sign-On Settings**.  
   2. (Optional) To require users to log in with Cloudflare Access, turn on **Disable login with Salesforce credentials**.  
   3. Turn on **SAML Enabled**.  
   4. Turn on **Make federation ID case-insensitive**.
2. Enable Cloudflare Access as an identity provider on your Salesforce domain:  
   1. In the **Quick Find** box, enter `domain` and select **My Domain**.  
   2. In **Authentication Configuration**, select **Edit**.  
   3. In **Authentication Service**, turn on the Cloudflare Access provider.

To test, open an incognito browser window and go to your Salesforce domain (`https://<your-domain>.my.salesforce.com`).


---

---
title: ServiceNow (OIDC)
description: Integrate ServiceNow (OIDC) with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# ServiceNow (OIDC)

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [ServiceNow ↗](https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/single-sign-on/task/create-OIDC-configuration-SSO.html) as an OIDC application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a ServiceNow account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `ServiceNow` and select the corresponding textbox that appears.
4. For the authentication protocol, select **OIDC**.
5. Select **Add application**.
6. In **Scopes**, select the attributes that you want Access to send in the ID token.
7. In **Redirect URLs**, enter `https://<INSTANCE-NAME>.service-now.com/navpage.do`.
8. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
9. Copy the **Client secret** and **Client ID**.
10. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
11. (Optional) In **Experience settings**, configure [App Launcher settings](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<INSTANCE-NAME>.service-now.com`.
12. Save the application.

## 2\. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow

1. In ServiceNow, select **All**.
2. In the search bar, enter `System Applications`, and under **All Available Applications**, select **All**.
3. In the search bar, enter `Integration - Multiple Provider Single Sign-On Installer`.
4. Select **Install**.
5. Ensure that **Install now** is selected, and select **Install**.

## 3\. Add and Test an OIDC SSO provider in ServiceNow

1. Select **All**.
2. In the search bar enter `Multi-Provider SSO`, and select **Identity Providers**.
3. Select **New** \> **OpenID Connect**.
4. In the pop-up, fill in the following fields:  
   * **Name**: Name of the SSO (for example, `Cloudflare Access`). Unless otherwise configured, users will select this name when signing in to ServiceNow.  
   * **Client ID**: **Client ID** from application configuration in Cloudflare One.  
   * **Client Secret**: **Client Secret** from application configuration in Cloudflare One.  
   * **Well Known Configuration URL**: `https://<TEAM-DOMAIN>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<CLIENT-ID>/.well-known/openid-configuration`.
5. Select **Import**.
6. Ensure **Active** is turned on.
7. Turn on **Show as Login option**, and for **SSO label** enter a label for the user login screen, if desired.
8. Select **Update**.
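The **Well Known Configuration URL** above is an OIDC discovery document, and the Salesforce (OIDC) guide has you copy the same endpoints out of Cloudflare One by hand. As an added example (not Cloudflare's, ServiceNow's or Salesforce's code), this Python snippet builds the URL from the guide's template and checks a fetched document before its values are pasted into a service provider; the team domain, client ID and the discovery document it contains are constructed placeholders, and the endpoint paths in the sample are invented rather than Cloudflare's real ones.

```python
"""Build the Access OIDC discovery URL and sanity-check a discovery document.

Added example, not Cloudflare's or the service providers' code. TEAM_DOMAIN,
CLIENT_ID and SAMPLE_DISCOVERY are constructed placeholders standing in for
the real values; the endpoint path names in the sample are invented.
"""
from urllib.parse import urlsplit

TEAM_DOMAIN = "example-team"                          # placeholder for <TEAM-DOMAIN>
CLIENT_ID = "placeholder-client-id-0123456789abcdef"  # placeholder for <CLIENT-ID>

# Every endpoint the guides have you hand to the service provider, plus
# jwks_uri, which the SP needs to verify ID token signatures.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")


def well_known_url(team_domain: str, client_id: str) -> str:
    """The guide's URL template with both placeholders filled in."""
    return (f"https://{team_domain}.cloudflareaccess.com"
            f"/cdn-cgi/access/sso/oidc/{client_id}/.well-known/openid-configuration")


def check_discovery(doc: dict, team_domain: str, pkce_enabled: bool) -> list[str]:
    """Return the problems found (empty when the document is consistent).

    Checks that the issuer is https on the expected Access team domain, that
    every required endpoint is present, https, and on the issuer's host (an
    endpoint elsewhere means the wrong, or a tampered, document was fetched),
    and, when PKCE is enabled in Access, that S256 is advertised.
    """
    problems: list[str] = []
    issuer = doc.get("issuer", "")
    iss = urlsplit(issuer)
    expected_host = f"{team_domain}.cloudflareaccess.com"
    if iss.scheme != "https" or iss.hostname != expected_host:
        problems.append(f"issuer {issuer!r} is not on https://{expected_host}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not https")
        if parts.hostname != iss.hostname:
            problems.append(f"{key} host {parts.hostname!r} differs from issuer host")
    if pkce_enabled and "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE enabled in Access but S256 not advertised")
    return problems


def sp_fields(doc: dict) -> dict:
    """Map a checked document onto the Salesforce (OIDC) step 6 field names."""
    return {
        "Authorize Endpoint URL": doc["authorization_endpoint"],
        "Token endpoint URL": doc["token_endpoint"],
        "User Info Endpoint URL": doc["userinfo_endpoint"],
        "Token Issuer": doc["issuer"],
    }


# Constructed sample shaped like an OIDC discovery document (standard field
# names); the paths below are placeholders, not Cloudflare's real ones.
SAMPLE_BASE = f"https://{TEAM_DOMAIN}.cloudflareaccess.com/cdn-cgi/access/sso/oidc/{CLIENT_ID}"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_BASE,
    "authorization_endpoint": f"{SAMPLE_BASE}/authorization",
    "token_endpoint": f"{SAMPLE_BASE}/token",
    "userinfo_endpoint": f"{SAMPLE_BASE}/userinfo",
    "jwks_uri": f"{SAMPLE_BASE}/jwks",
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print("fetch:", well_known_url(TEAM_DOMAIN, CLIENT_ID))
    issues = check_discovery(SAMPLE_DISCOVERY, TEAM_DOMAIN, pkce_enabled=True)
    print("problems:", issues or "none")
    if not issues:
        for field, value in sp_fields(SAMPLE_DISCOVERY).items():
            print(f"  {field}: {value}")
```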

## 4\. Test the integration

For SSO to appear on the login screen, you must have [account recovery ↗](https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/single-sign-on/concept/sso-acct-recovery.html) enabled and configured for at least one admin account. After account recovery is configured, log out of ServiceNow and open an incognito browser window. Go to your ServiceNow URL. Select the SSO name you just configured, which will prompt you to sign in with your identity provider. When the integration is successful, you can go back to the OIDC configuration screen to turn on **Default** and/or **Auto Redirect IDP**.


---

---
title: ServiceNow (SAML)
description: Integrate ServiceNow (SAML) with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# ServiceNow (SAML)

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [ServiceNow ↗](https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/single-sign-on/task/t%5FCreateASAML2Upd1SSOConfigMultiSSO.html) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a ServiceNow account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `ServiceNow` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://<INSTANCE-NAME>.service-now.com`  
   * **Assertion Consumer Service URL**: `https://<INSTANCE-NAME>.service-now.com/navpage.do`  
   * **Name ID format**: _Email_
7. Copy the **SAML Metadata endpoint**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow

1. In ServiceNow, select **All**.
2. In the search bar, enter `System Applications`, and under **All Available Applications**, select **All**.
3. In the search bar, enter `Integration - Multiple Provider Single Sign-On Installer`.
4. Select **Install**.
5. Ensure that **Install now** is selected, and select **Install**.

## 3\. Add and Test a SAML SSO provider in ServiceNow

1. Select **All**.
2. In the search bar enter `Multi-Provider SSO`, and select **Identity Providers**.
3. Select **New** \> **SAML**.
4. In the pop-up, ensure that **URL** is selected.
5. Paste the **SAML Metadata endpoint** from application configuration in Cloudflare One in the empty field.
6. Select **Import**.
7. (Optional) Change the **Name** field to a more recognizable name.
8. Turn off **Sign AuthnRequest**.
9. Select **Update**.
10. In the pop-up, select **Cancel** and then **\>**.
11. Select the **Name** of the configuration you just completed.
12. Select **Test Connection**.
13. If the test succeeds, select **Activate**.


---

---
title: Slack
description: Integrate Slack with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Slack

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Slack ↗](https://slack.com/help/articles/203772216-SAML-single-sign-on) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Slack Business+ or Enterprise Grid plan account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Slack_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://slack.com`  
   * **Assertion Consumer Service URL**: `https://<YOUR_DOMAIN>.slack.com/sso/saml`  
   * **Name ID format**: The format expected by Slack, usually _Email_
7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Create a x.509 certificate

1. Paste the **Public key** in a text editor.
2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
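
The same wrapping step appears in the Salesforce (SAML) guide above. As an added example (not Cloudflare's code), this Python helper does the wrap with the 64-character line breaks PEM readers expect and checks that the pasted value really is one complete DER-encoded certificate before you save it as a `.crt`; the certificate bytes in it are a constructed placeholder, not a real Access signing certificate.

```python
"""Wrap the Access 'Public key' value into a PEM certificate and sanity-check it.

Added example for the 'Create a x.509 certificate' step; not Cloudflare's own
code. PLACEHOLDER_DER is a constructed DER blob, not a real certificate.
"""
import base64
import binascii
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_outer_length_ok(der: bytes) -> bool:
    """Check that `der` is one complete DER SEQUENCE (tag 0x30) whose declared
    length matches the data, as every X.509 certificate must be. This catches a
    truncated copy or a wrong value (for example a fingerprint) before upload."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        header, length = 2, first
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def wrap_public_key_as_pem(public_key: str) -> str:
    """Return PEM text for the base64 value copied from the Cloudflare dashboard.

    Existing BEGIN/END lines and all whitespace are stripped first, so pasting a
    value that was already partly wrapped does not produce doubled headers. The
    body is re-flowed to 64-character lines as RFC 7468 specifies; some service
    providers reject a single very long base64 line.
    """
    body = public_key.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = "".join(body.split())           # drop newlines, spaces and tabs
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("Public key is not valid base64") from exc
    if not der_outer_length_ok(der):
        raise ValueError("Decoded bytes are not a single DER SEQUENCE; wrong value pasted?")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_round_trips(pem: str, expected_der: bytes) -> bool:
    """Confirm the standard library reads the PEM back to the original bytes."""
    return ssl.PEM_cert_to_DER_cert(pem) == expected_der


# Constructed placeholder: a 260-byte DER SEQUENCE (0x30, long-form length 256)
# standing in for the real certificate bytes shown as 'Public key' in Access.
PLACEHOLDER_DER = b"\x30\x82\x01\x00" + bytes(256)
PLACEHOLDER_PUBLIC_KEY = base64.b64encode(PLACEHOLDER_DER).decode("ascii")

if __name__ == "__main__":
    pem = wrap_public_key_as_pem(PLACEHOLDER_PUBLIC_KEY)
    print(pem, end="")                     # save this text with a .crt extension
    print("round trip ok:", pem_round_trips(pem, PLACEHOLDER_DER))
```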

## 3\. Add a SAML SSO provider to Slack

### Business+ plan

1. In Slack, go to **Settings & administration** \> **Workspace settings** \> **Authentication**.
2. Select **Configure**.
3. Turn on **Test**. Configuration changes will not apply until **Configure** is turned on.
4. Fill in the following fields:  
   * **Service Provider Issuer URL**: Ensure set to `https://slack.com`.  
   * **SAML SSO URL**: SSO endpoint from application configuration in Cloudflare One.  
   * **Identity Provider Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare One.  
   * **Public Certificate**: Paste the entire x.509 certificate from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate).
5. Under **Advanced Options**, select **Expand**.
6. For **AuthnContextClassRef**, ensure _urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport_ is selected.
7. Ensure **Sign the AuthnRequest** is turned off.
8. For **SAML Response Signing**, turn on **Sign the Response** and **Sign the Assertion**.
9. In the main configuration page under **Settings**, choose whether SSO is _required_, _partially required_, or _optional_ for workspace members.
10. (Optional) Under **Customize**, enter a **Sign in Button Label**.
11. Test your set-up. If all works well, turn **Test** to **Configure**.

### Enterprise Grid plan

1. In Slack, go to **Settings & administration** \> **Organization settings** \> **Security** \> **SSO Settings**.
2. For **SSO name**, enter your desired name.
3. Fill in the following fields:  
   * **SAML 2.0 Endpoint URL**: SSO endpoint from application configuration in Cloudflare One.  
   * **Identity Provider Issuer URL**: Access Entity ID or Issuer from application configuration in Cloudflare One.  
   * **Service Provider Issuer URL**: Ensure set to `https://slack.com`.  
   * **x.509 Certificate**: Paste the entire x.509 certificate from step [2\. Create a x.509 certificate](#2-create-a-x509-certificate).
4. For **AuthnContextClassRef**, ensure _urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport_ is selected.
5. Ensure **Sign the AuthnRequest** is turned off.
6. For **SAML Response Signing**, turn on **Sign the Response** and **Sign the Assertion**.
7. Select **Test Configuration**.
8. If all works well, select **Turn on SSO** or **Add SSO**.


---

---
title: Smartsheet
description: Integrate Smartsheet with Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Smartsheet

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Smartsheet ↗](https://help.smartsheet.com/articles/2483123-domain-level-saml-configuration) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Smartsheet Enterprise account
* A [domain ↗](https://help.smartsheet.com/articles/2483051-domain-management) verified in Smartsheet

Note

In Smartsheet, SSO is configured for a domain. If you have multiple plans using the same domain, the SSO configuration will apply to all Smartsheet users in that domain, regardless of their plan type.

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Smartsheet` and select the corresponding textbox that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `urn:amazon:cognito:sp:us-east-1_xww1cbP43`  
   * **Assertion Consumer Service URL**: `https://saml.authn.smartsheet.com/saml2/idpresponse`  
   * **Name ID format**: _Unique ID_
7. Copy the **SAML Metadata endpoint**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Create and test a SAML SSO provider in Smartsheet

1. In your Smartsheet Admin Center, go to **Settings** \> **Authentication** \> **Add a SAML IdP**.
2. In **Other IdP (Customize)**, select **Configure**.
3. Select **Next**.
4. Under **XML URL**, paste the SAML Metadata endpoint from application configuration in Cloudflare One.
5. Under **Name SAML IdP**, enter a name (for example, `Cloudflare Access`).
6. Select **Save & Next**.
7. Select **Verify connection** and sign in via Access. If validation is successful, you will see a **SAML IdP Successfully Connected!** message. Close the configuration verification page.
8. Turn on **I have successfully verified the connection**.
9. Select **Save & Next**.
10. Under **Assign domains to SAML IdP**, select your desired domain.
11. Select **Save and Next** and then **Finish**.


---

---
title: SparkPost
description: SparkPost in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# SparkPost

**Last reviewed:**  over 2 years ago 

This guide covers how to configure [SparkPost or SparkPost EU ↗](https://support.sparkpost.com/docs/my-account-and-profile/sso) as a SAML application in Cloudflare Zero Trust.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a SparkPost or SparkPost EU account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `SparkPost` and select the matching entry that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**:  
         * `https://api.sparkpost.com` for SparkPost accounts  
         * `https://api.eu.sparkpost.com` for SparkPost EU accounts  
         * `https://<api-host>` for SparkPost accounts with dedicated tenants  
   * **Assertion Consumer Service URL**:  
         * `https://api.sparkpost.com/api/v1/users/saml/consume` for SparkPost accounts  
         * `https://api.eu.sparkpost.com/api/v1/users/saml/consume` for SparkPost EU accounts  
         * `https://<api-host>/api/v1/users/saml/consume` for SparkPost accounts with dedicated tenants  
   * **Name ID format**: _Email_
7. Copy the **SAML Metadata endpoint**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Download the metadata file

1. Paste the SAML metadata endpoint from application configuration in Cloudflare One in a web browser.
2. Follow your browser-specific steps to download the URL's contents as an `.xml` file.

## 3\. Add a SAML SSO provider to SparkPost

1. In SparkPost, select your profile picture > **Account Settings**.
2. Under **Single Sign-On**, select **Provision SSO**.
3. Under **Upload your Security Assertion Markup Language (SAML)**, select **select a file** and upload the `.xml` file you created in step [2\. Download the metadata file](#2-download-the-metadata-file).
4. Select **Provision SSO**.
5. Select **Enable SSO**.

## 4\. Add a test user and test the integration

1. In SparkPost, existing users must be deleted and re-invited before they can sign in with SSO. To create a test user, either invite a new user (select your profile picture > **Users** \> **Invite User** and fill in the required information) or delete an existing user (select your profile picture > **Users** \> name of the user > **Delete User**) and then re-invite them. An invitation email will be sent.
2. Go to the link sent in the invitation email. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
3. Once SSO is successful, you can turn on SSO for the rest of your current users by deleting and then re-inviting them.

Note

The SparkPost SSO login link is `https://app.sparkpost.com/auth/sso`. Alternatively, you can go to the usual sign in page and select **Log in with Single Sign-On**.

---

---
title: Tableau Cloud
description: Integrate Tableau Cloud with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Tableau Cloud

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Tableau Cloud ↗](https://help.tableau.com/current/online/en-us/saml%5Fconfig%5Fsite.htm) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Tableau Cloud site

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Tableau_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Copy the **SAML Metadata endpoint**.
7. Keep this window open. You will finish this configuration in step [4\. Finish adding a SaaS application to Cloudflare One](#4-finish-adding-a-saas-application-to-cloudflare-one).

## 2\. Download the metadata file

1. Paste the SAML Metadata endpoint from application configuration in Cloudflare One in a web browser.
2. Follow your browser-specific steps to download the URL's contents as an `.xml` file.

## 3\. Add a SAML SSO provider to Tableau Cloud

1. In Tableau Cloud, go to **Settings** \> **Authentication**.
2. Turn on **Enable an additional authentication method**. For **select authentication type**, select _SAML_.
3. Under **1\. Get Tableau Cloud metadata**, copy the **Tableau Cloud entity ID** and **Tableau Cloud ACS URL**.
4. Under **4\. Upload metadata to Tableau**, select **Choose a file**, and upload the `.xml` file created in step [2\. Download the metadata file](#2-download-the-metadata-file).
5. Under **5\. Map attributes**, turn on **Full name**. For **Name (full name)**, enter `name`.
6. (Optional) Choose whether users who are accessing embedded views will **Authenticate in a separate pop-up window** or **Authenticate using an inline frame**.
7. Select **Save Changes**.

## 4\. Finish adding a SaaS application to Cloudflare One

1. In your open Cloudflare One window, fill in the following fields:  
   * **Entity ID**: Tableau Cloud entity ID from Tableau Cloud SAML SSO set-up.  
   * **Assertion Consumer Service URL**: Tableau Cloud ACS URL from Tableau Cloud SAML SSO set-up.  
   * **Name ID format**: _Email_
2. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
3. Save the application.

## 5\. Test the integration and set default authentication type

1. In Tableau Cloud, go to **Settings** \> **Authentication**.
2. Under **7\. Test Configuration**, select **Test Configuration**.
3. Sign in. If your sign-in is successful, **You are now signed in as (username)** will appear at the top of the page.
4. Close the pop-up window.
5. (Optional) Under **Default Authentication Type for Embedded Views**, turn on **cloudflareaccess.com (SAML)**. You can also configure the default authentication type for individual users under **Users** \> **Actions** \> **Authentication**.

---

---
title: Workday
description: Integrate Workday with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Workday

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Workday ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/saml/dan1370796470811.html?toc=1.5.1) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Workday account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, enter `Workday` and select the matching entry that appears.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `http://www.workday.com`  
   * **Assertion Consumer Service URL**: `https://<your-environment>.myworkday.com/<your-tenant>/login-saml.flex` for a production account or `https://<your-environment>-impl.myworkday.com/<your-tenant>/login-saml.flex` for a preview sandbox account  
   * **Name ID format**: _Email_
7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, **Public key**, and **SAML Metadata endpoint**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Download the metadata file

1. Paste the SAML Metadata endpoint from application configuration in Cloudflare One in a web browser.
2. Follow your browser-specific steps to download the URL's contents as an `.xml` file.

## 3\. Add a SAML SSO provider to Workday

1. In Workday, go to **Account Administration** \> **Actions** \> **Edit Tenant Setup - Security**.
2. Under **SAML Setup**, turn on **Enable SAML Authentication**.
3. In the **SAML Identity Providers** table, select **+**.
4. Fill in the following fields:  
   * **Identity Provider Name**: Your desired name for the identity provider (for example, `Cloudflare Access`)  
   * **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare One  
   * **IdP SSO Service URL**: SSO endpoint from application configuration in Cloudflare One
5. Under **x509 Certificate**, select the menu icon > **Create x509 Public Key**.
6. Under **Name**, enter a unique name (for example, `access`).
7. Under **Certificate**, paste the Public key from application configuration in Cloudflare One.
8. Select **OK**.
9. If you want to enable SP-initiated login (login initiated by going to your Workday URL), fill in the following fields:  
   * **SP Initiated**: Turn on.  
   * **Service Provider ID**: `http://www.workday.com`  
   * **Sign SP-initiated request**: Turn off.
10. Under **Single Sign-On**, add one or both of the following entries to the **Redirection URLs** grid. For each entry, if your user groups will use the same authentication option to sign in, select **Single URL**. If they will use different authentication options, select **Authentication selector**.  
   * IdP-initiated SSO: Under **Login Redirect URL**, enter `<your-team-name>.cloudflareaccess.com`.  
   * SP-initiated SSO: Under **Login Redirect URL**, enter `https://<your-environment>/<your-tenant>/login-saml2.htmld`.

## 4\. Test the integration

Note

If you encounter a situation where one or more users get locked out of Workday, the user can use this backup URL provided by Workday to sign in with their username and password: `https://<your-workday-url>/login.flex?redirect=n`.

1. In Workday, create an [authentication rule ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/authentication-policies/dan1370796466772.html).
2. Under **Authentication Conditions**, add conditions that will apply only to your test user.
3. Under **Allowed Authentication Types**, select **Specific**, then **SAML**.
4. Select **Done**.
5. Complete the following step:  
   * **If you have enabled SP-initiated login**: Open an incognito browser window, go to your Workday URL, and enter your test user's email. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.  
   * **If you have not enabled SP-initiated login**: Go to your App Launcher at `https://<cloudflare-team-name>.cloudflareaccess.com`. Select the **Workday** tile. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
6. Once login is successful, you can configure your security settings further, such as adding [user groups ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/configurable-security/security-groups/user-based-security-groups/dan1370796695367.html?toc=2.2.12.0) or [authentication rules ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/authentication-policies/dan1370796466772.html) to configure different login rules for different groups of users.

---

---
title: Zendesk
description: Integrate Zendesk with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Zendesk

**Last reviewed:**  about 2 years ago 

This guide covers how to configure [Zendesk ↗](https://support.zendesk.com/hc/en-us/articles/4408887505690-Enabling-SAML-single-sign-on#topic%5Fu54%5Fwc3%5Fz2b) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to your Zendesk account

## Configure Zendesk and Cloudflare

1. Go to your Zendesk administrator dashboard, typically available at `<yourdomain>.zendesk.com/admin/security/sso`.
2. In a separate tab or window, open the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select your account, and go to **Zero Trust** \> **Access controls** \> **Applications**.
3. Select **Create new application**, then choose **SaaS application**.
4. Input the following values in the Cloudflare One application configuration:  
| Cloudflare One field               | Value                                           |  
| ---------------------------------- | ----------------------------------------------- |  
| **Entity ID**                      | https://<yourdomain>.zendesk.com                |  
| **Assertion Consumer Service URL** | contents of **SAML SSO URL** in Zendesk account |  
| **Name ID Format**                 | _Email_                                         |
5. (Optional) Configure these Attribute Statements to include a user's first and last name:  
| Cloudflare attribute name | IdP attribute value                                             |  
| ------------------------- | --------------------------------------------------------------- |  
| <first name>              | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |  
| <last name>               | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname   |  
Zendesk will [use the user's email address as their name ↗](https://support.zendesk.com/hc/en-us/articles/203663676#topic%5Fdzb%5Fgl5%5F2v) if the name is not provided.
6. To determine who can access Zendesk, [create an Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).
7. Copy the **SSO Endpoint** and **Public Key**.
8. Transform the public key into a fingerprint:  
   1. Open a [fingerprint calculator ↗](https://www.samltool.com/fingerprint.php).  
   2. Paste the **Public Key** into **X.509 cert**.  
   3. Wrap the value with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.  
   4. Set **Algorithm** to _SHA256_ and select **Calculate Fingerprint**.  
   5. Copy the **Formatted FingerPrint** value.
9. Add the Cloudflare values to the following Zendesk fields:  
| Cloudflare IdP field                        | Zendesk field               |  
| ------------------------------------------- | --------------------------- |  
| **SSO Endpoint**                            | **SAML SSO URL**            |  
| **Public Key** (transformed to fingerprint) | **Certificate Fingerprint** |
10. Go to `https://<yourdomain>.zendesk.com/admin/security/staff_members` and enable **External Authentication** \> **Single Sign On**.

Users should now be able to log in to Zendesk if their email address exists in the Zendesk user list.
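The fingerprint in step 8 can be computed locally instead of pasting the key into a third-party site. The value Access shows is only the public certificate, so nothing secret is exposed either way, but a local tool keeps the dependency out of your SSO setup and is scriptable. The following Go program is an added example, not Cloudflare's or Zendesk's code: it wraps the bare base64 body in PEM armour and prints the SHA-256 fingerprint in the colon-separated layout the Zendesk **Certificate Fingerprint** field takes. The `YWJj` value in `main` is a constructed placeholder (base64 for `abc`, not a certificate); paste the real **Public Key** value there.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// certBodyBase64 strips PEM armour (if present) and all whitespace, leaving the bare
// base64 certificate body exactly as the Cloudflare One "Public key" field shows it.
func certBodyBase64(pemOrBase64 string) string {
	var b strings.Builder
	for _, line := range strings.Split(pemOrBase64, "\n") {
		if line = strings.TrimSpace(line); strings.HasPrefix(line, "-----") {
			continue // skip BEGIN/END CERTIFICATE markers
		}
		b.WriteString(strings.Join(strings.Fields(line), ""))
	}
	return b.String()
}

// accessPublicKeyToPEM wraps the bare body in the armour certificate tools expect:
// 64-character lines between BEGIN/END CERTIFICATE markers.
func accessPublicKeyToPEM(publicKey string) string {
	body := certBodyBase64(publicKey)
	var b strings.Builder
	b.WriteString("-----BEGIN CERTIFICATE-----\n")
	for len(body) > 64 {
		b.WriteString(body[:64] + "\n")
		body = body[64:]
	}
	b.WriteString(body + "\n-----END CERTIFICATE-----\n")
	return b.String()
}

// certFingerprintSHA256 hashes the DER bytes of the certificate and formats the digest as
// colon-separated uppercase hex pairs, the layout Zendesk's Certificate Fingerprint field
// takes. It matches: openssl x509 -in access.pem -noout -fingerprint -sha256
func certFingerprintSHA256(pemOrBase64 string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(certBodyBase64(pemOrBase64))
	if err != nil {
		return "", fmt.Errorf("public key is not valid base64: %w", err)
	}
	if len(der) == 0 {
		return "", errors.New("empty certificate")
	}
	sum := sha256.Sum256(der)
	hexPairs := make([]string, len(sum))
	for i, c := range sum {
		hexPairs[i] = fmt.Sprintf("%02X", c)
	}
	return strings.Join(hexPairs, ":"), nil
}

func main() {
	// Constructed placeholder: replace with the real "Public key" value from the Access
	// dashboard. "YWJj" is just base64 for "abc", not a certificate.
	publicKey := "YWJj"
	fmt.Print(accessPublicKeyToPEM(publicKey))
	fp, err := certFingerprintSHA256(publicKey)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("SHA256 fingerprint:", fp)
}
```

Save the PEM output to a file and `openssl x509 -in access.pem -noout -fingerprint -sha256` must print the same value; if the two disagree, the body you pasted differs from the one in the dashboard. Whitespace and line breaks are removed before decoding, so copying the key across several lines is harmless, but compare the fingerprint against the dashboard again after any certificate rotation in Access, since Zendesk pins the fingerprint rather than the metadata URL.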

---

---
title: Zoom
description: Integrate Zoom with Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Zoom

**Last reviewed:**  almost 2 years ago 

This guide covers how to configure [Zoom ↗](https://support.zoom.com/hc/en/article?id=zm%5Fkb&sysparm%5Farticle=KB0060673) as a SAML application in Cloudflare One.

## Prerequisites

* An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One
* Admin access to a Zoom Business, Education, or Enterprise account
* An [associated domain ↗](https://support.zoom.com/hc/en/article?id=zm%5Fkb&sysparm%5Farticle=KB0066259) configured in your Zoom account
* A [vanity URL ↗](https://support.zoom.com/hc/en/article?id=zm%5Fkb&sysparm%5Farticle=KB0061540) configured in your Zoom account

## 1\. Add a SaaS application to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application** \> **SaaS application**.
3. For **Application**, select _Zoom_.
4. For the authentication protocol, select **SAML**.
5. Select **Add application**.
6. Fill in the following fields:  
   * **Entity ID**: `https://<your-vanity-url>.zoom.us`  
   * **Assertion Consumer Service URL**: `https://<your-vanity-url>.zoom.us/saml/SSO`  
   * **Name ID format**: _Email_
7. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**.
8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application.
9. Save the application.

## 2\. Add a SAML SSO provider in Zoom

1. In Zoom, go to **Advanced** \> **Single Sign-On**.
2. For **Vanity URL**, select the vanity URL you want to configure SSO for.
3. Fill out the following fields:  
   * **Sign in page URL**: SSO endpoint from application configuration in Cloudflare One  
   * **Identity Provider Certificate**: Public key from application configuration in Cloudflare One  
   * **Service Provider (SP) Entity ID**: `<your-vanity-url>.zoom.us` (no `https://`)  
   * **Issuer (IdP Entity ID)**: Access Entity ID or Issuer from application configuration in Cloudflare One
4. For **Binding**, select _http-redirect_.
5. For **Signature Hash Algorithm**, ensure **SHA-256** is selected.
6. Under **Security**, turn off **Sign SAML request** and **Sign SAML logout request**.
7. Select **Save Changes**.
8. Go to **Advanced** \> **Security**.
9. Under **Sign-in Methods**, ensure **Allow users to sign in with Single Sign-On (SSO)** is turned on.

## 3\. Test the integration

Open an incognito browser window, go to your Zoom vanity URL, and select **Sign in**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.

Once this is successful, you can require SSO for users in your associated domain(s) by completing the following steps:

1. In Zoom, go to **Advanced** \> **Security**.
2. Under **Sign-in Methods**, turn on **Require users to sign in with SSO if their e-mail address belongs to one of the domains below**.
3. Under **Select Domains**, turn on the domains that you want to require SSO for.
4. (Optional) Under **Specify users who can bypass SSO sign-in**, add your desired users.
5. Select **Save**.

---

---
title: Publish a self-hosted application to the Internet
description: Publish a self-hosted web application with Cloudflare Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Publish a self-hosted application to the Internet

You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server.

This page describes how to make a web application accessible to anyone on the Internet via a public hostname. To make the application available over a private IP or hostname, refer to [Add a self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).

## Prerequisites

* An [active domain on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
* Domain uses either a [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) or a [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/)

Note

If your domain uses a [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/), refer to [Partial (CNAME) setup](#partial-cname-setup) for additional DNS configuration steps.

## 1\. Add your application to Access

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname**.
5. In the **Domain** dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use [wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/) to protect multiple parts of an application that share a root path.  
Alternatively, to use a [Cloudflare for SaaS custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/), select **Switch to custom input** and enter your custom hostname.
6. Under **Access policies**, add an existing policy or [create a new policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
7. Configure how users will authenticate:  
   1. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application.  
   2. (Recommended) If you plan to only allow access via a single IdP, turn on **Apply instant authentication**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.  
   3. (Optional) Turn on **Authenticate with Cloudflare One Client** to allow users to authenticate to the application using their [Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
8. (Optional) Configure [independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for the application.
9. In **Session Duration**, choose how often the user's [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) should expire.  
Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/).
10. (Optional) Go to the **Additional settings** tab to customize the application experience:  
   * **App Launcher customization**: Configure how this application appears to users in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/).  
   * **Custom block pages**: Choose what users will see when they are denied access to the application.  
         * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message.  
         * **Redirect URL**: Redirect to the specified website.  
         * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One.  
   * [**Cross-Origin Resource Sharing (CORS) settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/)  
   * [**Cookie settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cookie-settings)  
   * **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).
11. Select **Create**.

## 2\. Connect your origin to Cloudflare

[Set up a Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) to publish your internal application. Only users who match your Access policies will be granted access.

Note

We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, the published application will be available to anyone on the Internet.

If your application is already publicly routable, a tunnel is not strictly required. However, you will then need to protect your origin IP using [other methods](https://developers.cloudflare.com/fundamentals/security/protect-your-origin-server/).

## 3\. Validate the Access token

To secure your origin, you must validate the [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/) issued by Cloudflare Access. Token validation ensures that any requests which bypass Cloudflare Access (for example, due to a network misconfiguration) are rejected.

One option is to configure the Cloudflare Tunnel daemon, `cloudflared`, to validate the token on your behalf. This is done by enabling [**Protect with Access**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/#access) in your Cloudflare Tunnel settings. Alternatively, if you do not wish to perform automatic validation with Cloudflare Tunnel, you can instead [manually configure your origin](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) to check all requests for a valid token.

Users can now connect to your self-hosted application after authenticating with Cloudflare Access.

## Partial (CNAME) setup

If your domain uses a [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/), Cloudflare does not manage your DNS zone. You must manually create DNS records at your external provider after adding a published application route to your tunnel.

### Add a published application route

In the tunnel configuration, [add a published application route](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/#add-a-published-application-route) that maps a hostname to your internal service. For example, set the hostname to `app.example.com` and point it to `http://localhost:8080`.

### Create a CNAME record at your DNS provider

In a [full DNS setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/), Cloudflare automatically creates DNS records when you add a published application route to a tunnel. In a partial (`CNAME`) setup, you must add a CNAME record at the DNS provider that hosts your domain (your authoritative DNS provider).

At your external DNS provider, create a CNAME record with the following values:

* **Name**: The hostname you configured in the tunnel (for example, `app.example.com`)
* **Target**: `<HOSTNAME>.cdn.cloudflare.net` (for example, `app.example.com.cdn.cloudflare.net`)

Note

The zone apex (for example, `example.com`) cannot use a CNAME record due to [DNS specification restrictions ↗](https://datatracker.ietf.org/doc/html/rfc1912#section-2.4). Some DNS providers work around this with [CNAME flattening](https://developers.cloudflare.com/dns/zone-setups/partial-setup/#cname-flattening), which resolves the CNAME at the provider level. If your provider does not support CNAME flattening, use a subdomain instead.

## Product compatibility

When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.

However, the following products are not supported:

* [Automatic Platform Optimization](https://developers.cloudflare.com/automatic-platform-optimization)
* [Zaraz](https://developers.cloudflare.com/zaraz)
* [Google tag gateway for advertisers](https://developers.cloudflare.com/google-tag-gateway)

You can disable Zaraz for a specific application, rather than across your entire zone, by using a [Configuration Rule](https://developers.cloudflare.com/rules/configuration-rules/) scoped to the application domain.

Google tag gateway is configured at the zone level and cannot be scoped to specific hostnames. To use the Access binding cookie on a hostname, disable Google tag gateway for the entire zone.

---

---
title: Linked App Token
description: Forward Access JWTs between linked applications.
image: https://developers.cloudflare.com/zt-preview.png
---

# Linked App Token

The **Linked App Token** policy selector allows an Access policy on one application to accept tokens issued for another application. This is useful when one application needs to make authenticated requests to another on behalf of a user — for example, an MCP server calling internal APIs, or a microservice forwarding user identity to a downstream service.

Linked App Token supports two flows:

* [**Self-hosted to self-hosted**](#self-hosted-to-self-hosted) — A self-hosted application forwards its Access JWT to another self-hosted application. This is the simplest setup and requires no additional OAuth configuration.
* [**SaaS to self-hosted**](#saas-to-self-hosted) — An Access for SaaS application (such as an [MCP server using OAuth](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/secure-mcp-servers/#access-for-saas-application)) sends its OAuth access token to a self-hosted application.

## Self-hosted to self-hosted

In this flow, Application A is a [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) that needs to make requests to Application B, another self-hosted Access application. When a user authenticates to Application A, Cloudflare Access sends the user's JWT to Application A in the `Cf-Access-Jwt-Assertion` header. Application A can then forward that token to Application B in the `Cf-Access-Token` header. Access will validate the token against the Linked App Token rule on Application B's policy and allow the request if the token was issued for Application A.

```mermaid
flowchart LR
    accTitle: Self-hosted to self-hosted linked app token flow
    User --> appA["Application A <br> (self-hosted)"]
    appA -- "Cf-Access-Token: &lt;JWT&gt;" --> appB["Application B <br> (self-hosted)"]
    idp[Identity provider] <--> appA
```

### Prerequisites

* Two [self-hosted Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/)

### 1\. Create a Linked App Token policy

Create a policy on Application B (the downstream application that will receive forwarded requests):

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select Application B and select **Edit**.
3. Go to the **Policies** tab and select **Create new policy**.
4. Set the policy **Action** to _Service Auth_.

   Note

   The Linked App Token selector only works with the [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) action, similar to service token rules.

5. For **Selector**, select _Linked App Token_.
6. For **Value**, select Application A. For example:

   | Action       | Rule type | Selector         | Value         |
   | ------------ | --------- | ---------------- | ------------- |
   | Service Auth | Include   | Linked App Token | application-a |

7. Save the policy.
8. In Application B, add the policy to the **Access policies** list.
9. Save the application.

**API**

1. Get the `uid` of Application A.

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Access: Apps and Policies Revoke`
   * `Access: Apps and Policies Write`
   * `Access: Apps and Policies Read`

   List Access applications:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

   Response:

   ```json
   {
     "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "type": "self_hosted",
     "name": "application-a",
     ...
   }
   ```

2. Create an Access policy on the downstream application, replacing the `app_uid` value with the `uid` of Application A.

   Required API token permissions: the following [token permission](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Access: Apps and Policies Write`

   Create an Access reusable policy:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "name": "Allow requests from Application A",
       "decision": "non_identity",
       "include": [
           {
               "linked_app_token": {
                   "app_uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
               }
           }
       ]
     }'
   ```

   Note

   The `linked_app_token` rule type only works with [non\_identity decisions](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth), similar to service token rules.

### 2\. Forward the Access JWT

When Cloudflare Access authenticates a user to Application A, it sends a signed JWT in the `Cf-Access-Jwt-Assertion` request header. Application A must forward this token to Application B in the `Cf-Access-Token` header:

```txt
Cf-Access-Token: <JWT from Cf-Access-Jwt-Assertion>
```

When Access receives the request to Application B, it will:

1. Extract the token from the `Cf-Access-Token` header.
2. Validate that the token was issued for Application A (matching the `app_uid` in the Linked App Token rule).
3. If valid, allow the request. The user's identity from the token is propagated to the upstream headers and audit log.

## SaaS to self-hosted

In this example an [Access for SaaS application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) (for example, an MCP server that implements [OAuth ↗](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)) needs to make requests to a self-hosted Access application. The SaaS app obtains an OAuth access token from Cloudflare Access and sends it to the self-hosted application in the `Authorization: Bearer` header.

```mermaid
flowchart LR
    accTitle: SaaS to self-hosted linked app token flow
    User --> appA["Application A <br> (Access for SaaS)"]
    appA -- "Authorization: Bearer &lt;token&gt;" --> appB["Application B <br> (self-hosted)"]
    idp[Identity provider] <--> appA
```

### Prerequisites

* A [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/)
* An [Access for SaaS OIDC application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/)

### 1\. Create a Linked App Token policy

Create a policy on the self-hosted application (Application B):

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select the self-hosted app (Application B) and select **Edit**.
3. Go to the **Policies** tab and select **Create new policy**.
4. Set the policy **Action** to _Service Auth_.

   Note

   The Linked App Token selector only works with the [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) action, similar to service token rules.

5. For **Selector**, select _Linked App Token_.
6. For **Value**, select the Access for SaaS app (Application A). For example:

   | Action       | Rule type | Selector         | Value         |
   | ------------ | --------- | ---------------- | ------------- |
   | Service Auth | Include   | Linked App Token | application-a |

7. Save the policy.
8. In the self-hosted app (Application B), add the policy to the **Access policies** list.
9. Save the application.

**API**

1. Get the `uid` of the Access for SaaS app (Application A).

   Required API token permissions: at least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Access: Apps and Policies Revoke`
   * `Access: Apps and Policies Write`
   * `Access: Apps and Policies Read`

   List Access applications:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

   Response:

   ```json
   {
     "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "type": "saas",
     "name": "my-saas-app",
     ...
   }
   ```

2. Create an Access policy on the downstream application, replacing the `app_uid` value with the `uid` of the Access for SaaS app (Application A).

   Required API token permissions: the following [token permission](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Access: Apps and Policies Write`

   Create an Access reusable policy:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "name": "Allow requests from SaaS app",
       "decision": "non_identity",
       "include": [
           {
               "linked_app_token": {
                   "app_uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
               }
           }
       ]
     }'
   ```

   Note

   The `linked_app_token` rule type only works with [non\_identity decisions](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth), similar to service token rules.

### 2\. Configure token forwarding

The SaaS application must forward the OAuth `access_token` to the self-hosted application in an HTTP header:

```txt
Authorization: Bearer ACCESS_TOKEN
```

The end-to-end flow is:

1. The user authenticates against the Access for SaaS app via OAuth.
2. Upon success, the application receives an `access_token`.
3. The application makes a request to the self-hosted application with the token in the `Authorization: Bearer` header.
4. Cloudflare Access inspects the token and validates it against the `linked_app_token` rule. If valid, the request is allowed.
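The forwarding step of both flows (the self-hosted `Cf-Access-Token` header described under "Forward the Access JWT" above and the SaaS `Authorization: Bearer` header described here), as an added Go example that is not part of the original page. The Application B URL, the JWT value and the OAuth `access_token` used in the accompanying check are constructed placeholders; Access in front of Application B performs the Linked App Token check, so Application A only has to carry the right token in the right header and nothing else from its own session.

```go
package main

import (
	"errors"
	"io"
	"net/http"
)

// LinkedAppAuth selects how Application A carries the forwarded token, one
// value per Linked App Token flow.
type LinkedAppAuth int

const (
	SelfHostedJWT LinkedAppAuth = iota // self-hosted to self-hosted: Cf-Access-Token: <JWT>
	SaaSBearer                         // SaaS to self-hosted: Authorization: Bearer <access_token>
)

// TokenForForwarding picks the token Application A must send on. In the
// self-hosted flow it is the JWT Access placed in Cf-Access-Jwt-Assertion on
// the inbound request; in the SaaS flow it is the OAuth access_token the app
// obtained for this user, which the caller passes in.
func TokenForForwarding(inbound *http.Request, mode LinkedAppAuth, oauthAccessToken string) (string, error) {
	switch mode {
	case SelfHostedJWT:
		if jwt := inbound.Header.Get("Cf-Access-Jwt-Assertion"); jwt != "" {
			return jwt, nil
		}
		// Fail closed: without the Access JWT the call to B can only be denied.
		return "", errors.New("inbound request carries no Cf-Access-Jwt-Assertion header")
	case SaaSBearer:
		if oauthAccessToken != "" {
			return oauthAccessToken, nil
		}
		return "", errors.New("no OAuth access_token for this user")
	}
	return "", errors.New("unknown linked app auth mode")
}

// CallLinkedApp requests Application B with the token in the header Access
// expects for the chosen flow. Access in front of B, not B itself, checks the
// token against the Linked App Token rule. Nothing else from the inbound
// request is copied: A's CF_Authorization cookie means nothing to B.
func CallLinkedApp(client *http.Client, appBURL, token string, mode LinkedAppAuth) (*http.Response, error) {
	out, err := http.NewRequest(http.MethodGet, appBURL, nil)
	if err != nil {
		return nil, err
	}
	if mode == SaaSBearer {
		out.Header.Set("Authorization", "Bearer "+token)
	} else {
		out.Header.Set("Cf-Access-Token", token)
	}
	return client.Do(out)
}

// ReadBody drains and closes a response body.
func ReadBody(resp *http.Response) (int, string, error) {
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(b), err
}
```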

## Known limitations

* The Linked App Token policy can only be added to [self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). It cannot be added to [SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) or other application types.
* This feature works best with applications that rely on the [Cloudflare Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) for authentication and identity. If the downstream application implements its own authentication layer after Cloudflare Access, requests that pass Access validation may still be rejected by the application itself.

---

---
title: Non-HTTP applications
description: How non-HTTP applications work in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Non-HTTP applications

Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications.

Note

Non-HTTP applications require [connecting your private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) to Cloudflare. For more details, refer to our [Replace your VPN](https://developers.cloudflare.com/learning-paths/replace-vpn/connect-private-network/) implementation guide.

## Cloudflare One Client

Users can connect by installing the Cloudflare One Client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route. To restrict access, [create a self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) or [Gateway firewall rules](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) that allow or block specific users.

If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:

* Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server.
* Eliminate SSH keys by using short-lived certificates to authenticate users.
* Export SSH command logs to a storage service or SIEM solution using [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

## Clientless access

Clientless access methods are suited for organizations that cannot deploy the Cloudflare One Client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported.

### Browser-rendered terminal

Cloudflare's [browser-based terminal](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/) allows users to connect over SSH, RDP, and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. For RDP connections, users must authenticate to the Windows server using their Windows username and password in addition to being authenticated by Cloudflare Access.

### Client-side cloudflared

Users can log in to the application by installing `cloudflared` on their device and running a hostname-specific command in their terminal. For more information, refer to [cloudflared authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/).

## Related resources

To connect to an application over a specific protocol, refer to these tutorials:

* [SSH](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/)
* [SMB](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/)
* [RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/)

---

---
title: Browser-rendered terminal
description: Browser-rendered terminal in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Browser-rendered terminal

Cloudflare can render SSH, VNC, and RDP applications in a browser without the need for client software or end-user configuration changes. For SSH and VNC, user email prefixes must match their username on the server. RDP leverages your existing Windows usernames and passwords for authenticating to the Windows server; Cloudflare does not manage any credentials on the Windows server.

## Limitations

* Browser rendering is only supported for [self-hosted public applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), not private IPs or hostnames.
* You can only render a browser-rendered terminal on domains and subdomains, not on specific paths.
* Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one.
* Cloudflare uses TLS to secure the egress RDP connection to your Windows server. We do not currently validate the chain of trust.

## Turn on browser rendering

### SSH and VNC

To turn on browser rendering for an SSH or VNC application:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/). Select **Configure**.
3. Turn on **Allow access through browser-based RDP, SSH, or VNC sessions**, then select _SSH_ or _VNC_.  
Note  
Ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
4. Select **Save**.

When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.

### RDP

To set up browser-rendering for RDP, refer to our [browser-based RDP guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/).

### SSH key exchange algorithms

Cloudflare's browser-rendered SSH terminal supports the following Key Exchange (KEX) algorithms:

* `curve25519-sha256@libssh.org`
* `curve25519-sha256`
* `ecdh-sha2-nistp256`
* `ecdh-sha2-nistp384`
* `ecdh-sha2-nistp521`

For browser-rendered SSH connections to work, you may need to update the `sshd_config` file on your server to accept these algorithms.
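An example `sshd_config` fragment (added here, not from the original page) that accepts exactly the algorithms listed above. A `KexAlgorithms` line without a leading `+` replaces the server's default list, so any other algorithm your existing clients depend on must be added explicitly; check the effective list with `sshd -T | grep -i kexalgorithms` before restarting the service.

```txt
# /etc/ssh/sshd_config (fragment; example added to these docs)
# Key exchange algorithms supported by Cloudflare's browser-rendered SSH terminal.
# This list replaces the defaults: append anything else your clients require.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
```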

---

---
title: Client-side cloudflared
description: Client-side cloudflared in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Client-side cloudflared

With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the Cloudflare One Client. This method requires you to onboard a domain to Cloudflare and install `cloudflared` on both the server and the user's device.

Users log in to the application by running a `cloudflared access` command in their terminal. `cloudflared` will launch a browser window and prompt the user to authenticate with your identity provider.

Note

Automated services should only authenticate with `cloudflared` if they cannot use a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/). `cloudflared` authentication relies on WebSockets to establish a connection, and WebSockets have a known limitation where persistent connections may close unexpectedly. In these cases, we recommend either a [Service Auth policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) or [WARP-to-Tunnel routing](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/).

For examples of how to connect to Access applications with client-side `cloudflared`, refer to these tutorials:

* [Connect through Access using a CLI](https://developers.cloudflare.com/cloudflare-one/tutorials/cli/)
* [Connect through Access using kubectl](https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/)
* [Connect to SSH with client-side cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/)
* [Connect over RDP with cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/#connect-to-rdp-server-with-cloudflared-access)
* [Connect over SMB with cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/)
* [Connect over arbitrary TCP with cloudflared](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/)

---

---
title: Arbitrary TCP
description: Arbitrary TCP in Access.
image: https://developers.cloudflare.com/zt-preview.png
---

# Arbitrary TCP

Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to resources over arbitrary TCP without being on a virtual private network (VPN).

## Requirements

* A Cloudflare account
* A site active on Cloudflare
* The `cloudflared` daemon installed on the host and client machines

> Cloudflare Access requires you to first [add a site ↗](https://dash.cloudflare.com/sign-up) to Cloudflare. You can use any site you have registered; the site does not need to be the same one you use for customer traffic and it does not need to match sites in your internal DNS.
> 
> Adding the site to Cloudflare requires changing your domain's authoritative DNS to point to Cloudflare's nameservers. Once configured, all requests to that hostname will be sent to Cloudflare's network first, where Access policies can be applied.

## **Connect the host to Cloudflare**

### 1\. Install the Cloudflare daemon on the host machine

The Cloudflare daemon, `cloudflared`, will maintain a secure, persistent, outbound-only connection from the machine to Cloudflare. Arbitrary TCP traffic will be proxied over this connection using [Cloudflare Tunnel ↗](https://www.cloudflare.com/products/tunnel/).

Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) to download and install `cloudflared` on the machine hosting the resource.

### 2\. Authenticate the Cloudflare daemon

Run the following command to authenticate `cloudflared` into your Cloudflare account.

```sh
cloudflared tunnel login
```

`cloudflared` will open a browser window and prompt you to log in to your Cloudflare account. If you are working on a machine that does not have a browser, or a browser window does not launch, you can copy the URL from the command-line output and visit it in a browser on any machine.

Once you log in, Cloudflare will display the sites that you added to your account. Select the site where you will create a subdomain to represent the resource. For example, if you plan to share the service at `tcp.site.com`, select `site.com` from the list.

Once selected, `cloudflared` will download a wildcard certificate for the site. This certificate will allow `cloudflared` to create a DNS record for a subdomain of the site.

### 3\. Secure the subdomain with Cloudflare Access

Next, protect the subdomain you plan to register with a Cloudflare Access policy. Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to build a new policy to control who can connect to the resource.

For example, if you share the resource at `tcp.site.com`, build a policy to only allow your team members to connect to that subdomain.

### 4\. Connect the resource to Cloudflare

`cloudflared` can proxy connections to nonstandard ports.

Run the following command to connect the resource to Cloudflare, replacing the `tcp.site.com` and `7870` values with your site and port.

```sh
cloudflared tunnel --hostname tcp.site.com --url tcp://localhost:7870
```

`cloudflared` will confirm that the connection has been established. The process needs to be configured to stay alive and autostart. If the process is terminated, end users will not be able to connect.

## **Connect from a client machine**

### 1\. Install the Cloudflare daemon on the client machine

Follow the same steps above to download and install `cloudflared` on the client desktop that will connect to the resource. `cloudflared` will need to be installed on each user device that will connect.

### 2\. Connect to the resource

Run the following command to create a connection from the device to Cloudflare. Any available port can be specified.

```sh
cloudflared access tcp --hostname tcp.site.com --url localhost:9210
```

This command can be wrapped as a desktop shortcut so that end users do not need to use the command line.

Point the client application to the selected port.

When the client launches, `cloudflared` will launch a browser window and prompt the user to authenticate with your SSO provider.

**Common issues**

* Ensure that the machine's firewall permits egress on ports 80 and 443, otherwise `cloudflared` will return an error.


---

---
title: Enable automatic cloudflared authentication
description: Enable automatic cloudflared authentication in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Enable automatic cloudflared authentication

When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page:

![Access request prompt page displayed after logging in with cloudflared.](https://developers.cloudflare.com/_astro/access-screen.BXZJ23p9_Mn6VE.webp) 

Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session.

To enable automatic `cloudflared` authentication:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Locate your application and select **Configure**.
3. Go to **Authentication**.
4. Turn on **Allow automatic Cloudflared authentication**.
5. Select **Save**.

This option will still prompt a browser window in the background, but authentication will now happen automatically.


---

---
title: Add an infrastructure application
description: Add an infrastructure application in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Add an infrastructure application

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
| Traffic and DNS mode Traffic only mode                                                                                             | All plans                                                       |

| System   | Availability |
| -------- | ------------ |
| Windows  | ✅            |
| macOS    | ✅            |
| Linux    | ✅            |
| iOS      | ✅            |
| Android  | ✅            |
| ChromeOS | ✅            |

Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.

Note

Access for Infrastructure currently only supports [SSH](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). To connect using other protocols, [add a self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). For browser-based SSH, RDP, or VNC, refer to [browser-rendered terminal](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/).

## Prerequisites

* [Connect your infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) to Cloudflare using `cloudflared` or Cloudflare Mesh.
* [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on user devices in Traffic and DNS mode.

## 1\. Add a target

A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare.

Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. To create a new target: 

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Targets**.
2. Select **Add a target**.
3. In **Target hostname**, enter a user-friendly name for the target. We recommend using the server hostname, for example `production-server`. The target hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the targets secured by an Access application; they are not used for DNS address resolution.  
Hostname format restrictions  
   * Case insensitive  
   * Contain no more than 253 characters  
   * Contain only alphanumeric characters, `-`, or `.` (no spaces allowed)  
   * Start and end with an alphanumeric character
4. In **IP addresses**, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address.

Note

If the target IP does not appear in the dropdown, go to **Networks** \> **Routes** and confirm that the IP routes through Cloudflare Tunnel.

5. In the dropdown menu, select the IP address and [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
6. Select **Add target**.

**API**

Make a `POST` request to the [Infrastructure Access Targets](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint:

Create new target

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "hostname": "infra-access-target",
    "ip": {
        "ipv4": {
            "ip_addr": "187.26.29.249",
            "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
            "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
            "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
    }
  }'
```

**Terraform**

Provider versions

The following example requires Cloudflare provider version `>=4.45.0`.

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api%5Ftoken):  
   * `Zero Trust Write`
2. Configure the [cloudflare\_zero\_trust\_infrastructure\_access\_target ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Finfrastructure%5Faccess%5Ftarget) resource:  
```hcl
resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {
  account_id = var.cloudflare_account_id
  hostname   = "infra-access-target"
  ip = {
    ipv4 = {
      ip_addr            = "187.26.29.249"
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
    }
    ipv6 = {
      ip_addr            = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
    }
  }
}
```
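Whichever of the three methods you use, the target hostname must satisfy the format restrictions listed under the dashboard steps, and an IP address plus virtual network pairing can belong to only one target. The shell functions below are an added example, not Cloudflare's own code: they check a hostname against exactly those rules and flag (IP, virtual network) pairs that appear in more than one target, so a target list can be linted before it is submitted. Input lines of the form `hostname ip vnet_id` are a constructed format for this example.

```shell
#!/bin/sh
# Added example, not part of the Cloudflare documentation: check target
# definitions locally before submitting them through the dashboard, API or Terraform.
#
# Hostname rules (from the page): case-insensitive, at most 253 characters,
# only alphanumerics, "-" and ".", and must start and end with an alphanumeric character.

# Canonical form of a hostname; matching is case-insensitive, so compare lowercased.
normalize_target_hostname() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Return 0 if $1 is an acceptable target hostname, otherwise print why on stderr and return 1.
validate_target_hostname() {
  h=$1
  if [ -z "$h" ]; then
    echo "hostname is empty" >&2; return 1
  fi
  if [ "${#h}" -gt 253 ]; then
    echo "hostname is longer than 253 characters" >&2; return 1
  fi
  case $h in
    *[!A-Za-z0-9.-]*)
      echo "hostname may contain only alphanumerics, '-' and '.': $h" >&2; return 1 ;;
  esac
  case $h in
    [!A-Za-z0-9]*|*[!A-Za-z0-9])
      echo "hostname must start and end with an alphanumeric character: $h" >&2; return 1 ;;
  esac
  return 0
}

# Hostnames may be shared by many targets, but an (IP, virtual network) pair belongs to
# exactly one target. Reads "hostname ip vnet_id" lines (a constructed format for this
# example) on stdin, prints every pair seen more than once, and exits 1 if any was found.
find_duplicate_ip_vnet_pairs() {
  awk '
    NF == 3 { key = $2 " " $3; if (seen[key]++ == 1) { print key; dup = 1 } }
    END { exit dup ? 1 : 0 }
  '
}

# Validate every line of a target list file: hostname format plus IP/VNET uniqueness.
# usage: check_target_file <file>
check_target_file() {
  status=0
  while read -r host ip vnet; do
    [ -n "$host" ] || continue
    validate_target_hostname "$host" || status=1
  done < "$1"
  find_duplicate_ip_vnet_pairs < "$1" || { echo "duplicate IP/virtual-network pair(s) found" >&2; status=1; }
  return $status
}
```

`check_target_file targets.txt` exits non-zero and names each offending line, which makes it usable as a pre-commit or CI step in front of the Terraform resource above.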

Next, create an Access application to secure the target.

## 2\. Add an infrastructure application

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Infrastructure**.
4. Enter any name for the application.
5. In **Target criteria**, select the target hostname(s) that you want to secure. This application definition will apply to all targets that share the selected hostname, including any targets added in the future. Similarly, if you later decide to change the hostname for a target, the renamed target will no longer be covered by this application.
6. Enter the **Protocol** and **Port** that will be used to connect to the server.
7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number.  
Note  
Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
8. Select **Next**.
9. To secure your targets, configure a policy that defines who can connect and how they can connect:  
   1. Enter any name for your policy.  
   2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and review the list of [infrastructure policy selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors).  
   3. In **Connection context**, configure the following settings:  
         * **SSH user**: Enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).  
         * **Allow users to log in as their email alias**: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, `Jdoe@company.com` could log in as `jdoe`.  
   Note  
   Cloudflare will not create new users on the target. UNIX users must already be present on the server.
10. Select **Add application**.

**API**

Make a `POST` request to the [Access applications](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/create/) endpoint:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Apps and Policies Write`

Add an Access application

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Example infrastructure app",
    "type": "infrastructure",
    "target_criteria": [
        {
            "target_attributes": {
                "hostname": [
                    "infra-access-target"
                ]
            },
            "port": 22,
            "protocol": "SSH"
        }
    ],
    "policies": [
        {
            "name": "Allow a specific email",
            "decision": "allow",
            "include": [
                {
                    "email": {
                        "email": "jdoe@company.com"
                    }
                }
            ],
            "connection_rules": {
                "ssh": {
                    "usernames": [
                        "root",
                        "ec2-user"
                    ]
                }
            }
        }
    ]
  }'
```

**Terraform (v4)**

Provider versions

The following example requires Cloudflare provider version `>=4.45.0`.

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api%5Ftoken):  
   * `Access: Apps and Policies Write`
2. Use the [cloudflare\_zero\_trust\_access\_application ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Faccess%5Fapplication) resource to create an infrastructure application:  
```hcl
resource "cloudflare_zero_trust_access_application" "infra-app" {
  account_id = var.cloudflare_account_id
  name       = "Example infrastructure app"
  type       = "infrastructure"
  target_criteria {
    port     = 22
    protocol = "SSH"
    target_attributes {
      name   = "hostname"
      values = ["infra-access-target"]
    }
  }
}
```
3. Use the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource to add an infrastructure policy to the application:  
```hcl
resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
  application_id = cloudflare_zero_trust_access_application.infra-app.id
  account_id     = var.cloudflare_account_id
  name           = "Allow a specific email"
  decision       = "allow"
  precedence     = 1
  include {
    email = ["jdoe@company.com"]
  }
  connection_rules {
    ssh {
      usernames = ["root", "ec2-user"]
    }
  }
}
```

The targets in this application are now secured by your infrastructure policies.
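The SSH connection context only works if the usernames it allows already exist on the target, since Cloudflare does not create UNIX accounts. The shell functions below are an added example, not part of Cloudflare's tooling: they compute the lowercased email alias described in the policy settings, decide whether a requested username is permitted under a given username list and alias setting, and check on the server itself that every such account exists before the policy is rolled out. The `yes`/`no` flag and the space-separated username list are this example's own input conventions.

```shell
#!/bin/sh
# Added example, not from the Cloudflare docs: preflight checks for the SSH
# "connection context" of an infrastructure policy. Cloudflare does not create
# UNIX accounts on the target, so every username the policy allows (and every
# email alias, if that option is on) must already exist on the server.

# Lowercased email prefix: the name a user logs in as when "log in as email alias" is on.
# e.g. Jdoe@company.com -> jdoe
email_alias() {
  printf '%s' "${1%%@*}" | tr '[:upper:]' '[:lower:]'
}

# Decide whether $requested is a permitted SSH username under a policy that lists
# $allowed (space separated, this example's own convention) and, if $alias_enabled
# is "yes", also accepts the caller's email alias for $email.
# usage: username_allowed <requested> <allowed-list> <alias_enabled> <email>
username_allowed() {
  requested=$1; allowed=$2; alias_enabled=$3; email=$4
  for u in $allowed; do
    [ "$u" = "$requested" ] && return 0
  done
  if [ "$alias_enabled" = "yes" ] && [ -n "$email" ]; then
    [ "$(email_alias "$email")" = "$requested" ] && return 0
  fi
  return 1
}

# Does a local account exist? (`id` works on Linux and macOS and needs no privileges.)
user_exists() {
  id "$1" >/dev/null 2>&1
}

# Report which policy usernames (and email aliases) are missing on this host; return 1 if any.
# usage: check_policy_users "<allowed-list>" [email ...]
check_policy_users() {
  allowed=$1; shift
  missing=0
  for u in $allowed; do
    user_exists "$u" || { echo "missing UNIX user for policy username: $u" >&2; missing=1; }
  done
  for e in "$@"; do
    a=$(email_alias "$e")
    user_exists "$a" || { echo "missing UNIX user for email alias: $a ($e)" >&2; missing=1; }
  done
  return $missing
}
```

Run `check_policy_users "root ec2-user" jdoe@company.com` on the target host as a pre-deployment check; a non-zero exit means someone matched by the policy would be allowed a username the server cannot log in. Before turning on the alias option it is also worth reviewing which email prefixes in your directory would resolve to existing privileged local accounts.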

## 3\. (Recommended) Modify order of precedence in Gateway

By default, Cloudflare will evaluate Access application policies after evaluating all [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). To evaluate Access applications before or after specific Gateway policies:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**. In **Network**, [create a Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) with the following configuration:  
| Selector                     | Operator | Value     | Action |  
| ---------------------------- | -------- | --------- | ------ |  
| Access Infrastructure Target | is       | _Present_ | Allow  |
2. Update the policy's [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) using the dashboard or API.

This Gateway policy will apply to all Access for Infrastructure targets, including RDP and SSH.

Note

Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.

## 4\. Configure the server

Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:

* [SSH](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#6-configure-ssh-server)

## 5\. Connect as a user

Users connect to the target's IP address using their preferred client software. The user must be logged into the Cloudflare One Client on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to allow connections to the target's private hostname.

### Connect to different VNET

To connect to targets that are in different VNETS, users will need to [switch their connected virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) in the Cloudflare One Client.

Note

If a user is connected to a target in VNET-A and needs to connect to a target in VNET-B, switching their VNET will not break any existing connections to targets within VNET-A. At present, connections are maintained between VNETs.

### Display available targets

Feature availability

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2024.9.346.0           |
| macOS    | ✅            | 2024.9.346.0           |
| Linux    | ✅            | 2024.9.346.0           |
| iOS      | ❌            |                        |
| Android  | ❌            |                        |
| ChromeOS | ❌            |                        |

Users can use `warp-cli` to display a list of targets they can access. On the device, open a terminal and run the following command:

```sh
warp-cli target list
```

```
╭──────────────────────────────────────┬──────────┬───────┬───────────────────────┬──────────────────────┬────────────╮
│ Target ID                            │ Protocol │ Port  │ Attributes            │ IP (Virtual Network) │ Usernames  │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 0193f22a-9df3-78e3-b5bb-7ab631903306 │ SSH      │ 22    │ hostname: do-target   │ 10.116.0.3 (a1net)   │ alice      │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 0193f22a-9df3-78e3-b5bb-7ab631903306 │ SSH      │ 23    │ hostname: do-target   │ 10.116.0.3 (a1net)   │ root       │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 01943cff-6130-7989-8bff-cbc02b59a2b1 │ SSH      │ 80    │ hostname: az-target   │ 172.16.0.0 (b1net)   │ alice, bob │
╰──────────────────────────────────────┴──────────┴───────┴───────────────────────┴──────────────────────┴────────────╯
```

You can optionally add flags to filter the output. For example:

```sh
warp-cli target list --attribute hostname=do-target --username root
```

To view all available filters, type `warp-cli target list --help`.

## Revoke a user's session

To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.

## Infrastructure policy selectors

The following [Access policy selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) are available for securing infrastructure applications:

* Email
* Emails ending in
* SAML group
* Country
* Authentication method
* Device posture
* Entra group, GitHub organization, Google Workspace group, Okta group


---

---
title: Private network applications (legacy)
description: Private network applications (legacy) in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Private network applications (legacy)

Warning

The Private Network application type can no longer be created from the dashboard. If you do not already have a legacy private network application, use a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) to secure a private IP address instead.

Existing **Private Network** applications continue to function and can still be managed. These applications were originally configured with the following steps:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications** \> **Add an application**.
2. Select **Private Network**.
3. Name your application.
4. For **Application type**, select _Destination IP_.
5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`).  
Note  
If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) using the **Destination IP** selector.
6. Configure your [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) visibility and logo.
7. Select **Next**. You will see two auto-generated Gateway Network policies: one that allows access to the destination IP and another that blocks access.
8. Modify the policies to include additional identity-based conditions. For example:  
   * **Policy 1**  
   | Selector       | Operator      | Value           | Logic | Action |  
   | -------------- | ------------- | --------------- | ----- | ------ |  
   | Destination IP | in            | 10.128.0.7      | And   | Allow  |  
   | User Email     | matches regex | .\*@example.com |       |        |  
   * **Policy 2**  
   | Selector       | Operator | Value      | Action |  
   | -------------- | -------- | ---------- | ------ |  
   | Destination IP | in       | 10.128.0.7 | Block  |  
Policies are evaluated in [numerical order](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/).
9. Select **Add application**.

Your application will appear on the **Applications** page.


---

---
title: Secure a private IP or hostname
description: Secure a private IP or hostname in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Secure a private IP or hostname

You can configure a self-hosted Access application to manage access to specific IPs or hostnames on your private network.

Note

This feature replaces the legacy [private network app type](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/).

## Prerequisites

* Private IPs and hostnames are reachable over the Cloudflare One Client, Cloudflare WAN (formerly Magic WAN) or Browser Isolation. For more details, refer to [Connect a private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/).
* Private hostnames route to your custom DNS resolver through [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) or [Gateway resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/).
* Public IPs and hostnames can be used to define a private application, however the IP or hostname must route through Cloudflare via [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/), [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/), or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-routes/).
* (Optional) Turn on [Gateway TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications).

## Add your application to Access

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. To add an application using its private IP:  
   1. Select **Add private IP**.  
   2. In **IP address**, enter the private IP or CIDR range that represents the application (for example, `10.0.0.1` or `172.16.0.0/12`).  
   3. In **Port**, enter a single port or a port range used by your application (for example, `22` or `8000-8099`).  
   Comma-separated lists of ports (such as `80, 443`) are not supported. To add multiple ports for a specific IP, you can select **Add private IP** and repeat the IP address with the other port. Alternatively, create a new Access application for the other port.
5. To add an application using its private hostname:  
   1. Select **Add private hostname**.  
   2. In **Hostname**, enter the private hostname of the application (for example, `wiki.internal.local`). You can use [wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.  
   3. In **Port**, enter a single port or a port range used by your application (for example, `22` or `8000-8099`).  
Note  
   * **HTTPS applications**: Private hostnames explicitly set to port `443` (not including port ranges such as `441-444`) must have a valid Server Name Indicator (SNI).  
   * **Non-HTTPS applications**: Private hostnames on non-`443` ports do not require a valid SNI value and will be assigned an initial resolved IP in the CGNAT space. Ensure that the following IP addresses are not blocked by any firewalls or excluded from Gateway traffic:  
         * **IPv4**: `100.80.0.0/16`  
         * **IPv6**: `2606:4700:0cf1:4000::/64`  
   For more details on private hostname routing, refer to [Connect a private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/#prerequisites).
6. Under **Access policies**, add an existing policy or [create a new policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
7. Configure how users will authenticate:  
   1. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application.  
   2. (Recommended) If you plan to only allow access via a single IdP, turn on **Apply instant authentication**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.  
   3. (Recommended) Turn on **Authenticate with Cloudflare One Client** to allow users to authenticate to the application using their [Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). Turn this on if your application is not in the browser and cannot handle a `302` redirect.
8. (Optional) Configure [independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for the application.
9. In **Session Duration**, choose how often the user's [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) should expire.  
Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/).  
If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the Cloudflare One Client per application.
10. (Optional) Go to the **Additional settings** tab to customize the application experience:  
   * **App Launcher customization**: Configure how this application appears to users in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/).  
   * **Allow clientless access**: Allow users to access this private hostname or IP without the Cloudflare One Client. Users who pass your Access policies will see a tile in their App Launcher which points to a prefixed URL such as `https://<your-teamname>.cloudflareaccess.com/browser/https://wiki.internal.local/`. The link will route traffic to the application through [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This setting is useful for users on unmanaged devices or contractors who cannot install a device client.  
   Note  
   Ensure your [remote browser permissions](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) allow users of this application to open Clientless Web Isolation links.  
   * **Custom block pages**: Choose what users will see when they are denied access to the application.  
         * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message.  
         * **Redirect URL**: Redirect to the specified website.  
         * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One.  
   * The following settings only apply to private hostnames and require [Gateway TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/):  
         * [**Cross-Origin Resource Sharing (CORS) settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/)  
         * [**Cookie settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cookie-settings)  
         * **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).
11. Select **Create**.

Users can now connect to your private application after authenticating with Cloudflare Access.

## Authentication flow

### HTTPS applications

If [Gateway TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/).

If [Gateway TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned off, session management is [handled in the Cloudflare One Client](#non-https-applications) instead of in the browser.

### Non-HTTPS applications

The Cloudflare One Client manages sessions for all non-HTTPS applications. Users will receive an `Authentication required` pop-up notification from the Cloudflare One Client. When the user selects the notification, the Cloudflare One Client will open a browser window with your Access login page.

Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac).

## Order of precedence

### Access vs Gateway policies

By default, Cloudflare will evaluate Access application policies after evaluating all [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). To evaluate Access applications before or after specific Gateway policies:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**. In **Network**, [create a Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) with the following configuration:  
| Selector           | Operator | Value     | Action |  
| ------------------ | -------- | --------- | ------ |  
| Access Private App | is       | _Present_ | Allow  |
2. Update the policy's [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) using the dashboard or API.

Note

Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.

### Private hostname vs private IP

An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to `10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)).

## Limitations

### Browser Isolation is not compatible with apps on non-`443` ports

Browser Isolation is not compatible with [self-hosted private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) that use private IPs or hostnames on ports other than `443`. Trying to access self-hosted applications on non-`443` ports will result in a Gateway block page.

To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/) instead.

### Google Chrome restricts access to private hostnames

Starting with [Chrome 142 ↗](https://developer.chrome.com/release-notes/142), the browser restricts requests from websites to local IP addresses, including the Gateway initial resolved IP CGNAT range (`100.80.0.0/16`). Because this range falls within `100.64.0.0/10`, Chrome categorizes these addresses as belonging to a local network. When a website loaded from a public IP makes subrequests to a domain resolved through an initial resolved IP, Chrome treats this as a public-to-local network request and displays a prompt asking the user to allow access to devices on the local network. Chrome will block requests to these domains until the user accepts this prompt.

This commonly occurs when an Egress policy matches broadly used domains (such as `cloudfront.net` or `github.com`), causing subrequests from public pages to resolve to the `100.80.0.0/16` range.
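
To find which resolved names will trigger the Chrome prompt before users report it, the following added Python check (not Cloudflare's code) classifies resolver answers against the Gateway initial resolved IP ranges listed above and against the `100.64.0.0/10` space that Chrome 142+ treats as local. The `domain answer` log format and the sample lines are constructed for the example; they are not real Gateway log output, and the IPv6 range is only flagged as an initial resolved IP because the page describes Chrome's classification for IPv4.

```python
import ipaddress

# Gateway initial resolved IP ranges for private hostnames (values from the page above).
INITIAL_RESOLVED = [
    ipaddress.ip_network("100.80.0.0/16"),
    ipaddress.ip_network("2606:4700:0cf1:4000::/64"),
]
# CGNAT space that Chrome 142+ classifies as a local network (IPv4 case described above).
CHROME_LOCAL_V4 = ipaddress.ip_network("100.64.0.0/10")


def classify(answer: str) -> dict:
    """Classify one resolver answer: is it a Gateway initial resolved IP, and does Chrome
    consider it a local-network address (which makes public-to-local subrequests prompt)?"""
    ip = ipaddress.ip_address(answer)
    return {
        "ip": str(ip),
        "initial_resolved": any(ip in net for net in INITIAL_RESOLVED),
        "chrome_local": ip.version == 4 and ip in CHROME_LOCAL_V4,
    }


def domains_needing_attention(log_lines) -> dict:
    """From constructed 'domain answer' lines, collect the domains whose answers Chrome
    treats as local. These are the names to cover with one of the workarounds below."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line; skip rather than fail the whole scan
        domain, answer = parts
        try:
            info = classify(answer)
        except ValueError:
            continue  # answer was not an IP address
        if info["chrome_local"]:
            hits.setdefault(domain, []).append(info["ip"])
    return hits


# Constructed sample log: broadly used domains matched by an Egress policy get a
# 100.80.0.0/16 answer, an internal name gets the IPv6 initial range, and one
# public answer (203.0.113.0/24 is documentation space) is unaffected.
SAMPLE_LOG = [
    "github.com 100.80.12.34",
    "cloudfront.net 100.80.200.7",
    "wiki.internal.local 2606:4700:cf1:4000::1",
    "example.com 203.0.113.10",
    "not a valid line",
]

if __name__ == "__main__":
    for domain, ips in domains_needing_attention(SAMPLE_LOG).items():
        print(f"{domain}: Chrome will prompt for {', '.join(ips)}")
```

The scan deliberately reports on Chrome's own classification rather than only on the `100.80.0.0/16` range, so an answer anywhere in `100.64.0.0/10` is flagged too: the `LocalNetworkAccessIpAddressSpaceOverrides` workaround below only reclassifies the initial resolved IP range, so anything else in CGNAT space still prompts.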

#### Iframes

If the affected request originates from within an iframe (for example, an application embedded in a third-party portal), the iframe must declare the `local-network-access` permission for the browser prompt to appear in the parent frame:

* **Chrome 142-144**: Use the `allow="local-network-access"` attribute on the iframe element.
* **Chrome 145+**: The permission was split into `allow="local-network"` and `allow="loopback-network"`.

If iframes are nested, every iframe in the chain must include the appropriate attribute. Since third-party applications control their own iframe attributes, this may not be configurable by the end user.

#### Workarounds

To avoid this issue, choose one of the following options:

* **Override IP address space classification (Chrome 146+)**: Use the [LocalNetworkAccessIpAddressSpaceOverrides ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessIpAddressSpaceOverrides) Chrome Enterprise policy to reclassify the `100.80.0.0/16` range as public. This is the most targeted fix because it only changes the classification for the initial resolved IP range rather than disabling security checks entirely.
* **Allow specific URLs (Chrome 140+)**: Use the [LocalNetworkAccessAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessAllowedForUrls) Chrome Enterprise policy to exempt specific websites from Local Network Access checks. Note that `https://*` is a valid entry to disable checks for all URLs.
* **Allow specific URLs (Chrome 146+)**: Use the [LocalNetworkAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAllowedForUrls) Chrome Enterprise policy, which replaces `LocalNetworkAccessAllowedForUrls` starting in Chrome 146.
* **Opt out of Local Network Access restrictions (Chrome 142-152)**: Use the [LocalNetworkAccessRestrictionsTemporaryOptOut ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessRestrictionsTemporaryOptOut) Chrome Enterprise policy to completely opt out of Local Network Access restrictions. This is a temporary policy and will be removed after Chrome 152.
* **Disable the Chrome feature flag**: Go to `chrome://flags` and set the **Local Network Access Checks** flag to _Disabled_. This approach is suitable for individual users but not for enterprise-wide deployment.


---

---
title: Short-lived certificates (legacy)
description: Short-lived certificates (legacy) in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ SSH ](https://developers.cloudflare.com/search/?tags=SSH) 

# Short-lived certificates (legacy)

Note

Not recommended for new deployments. We recommend using [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) to configure short-lived certificates for SSH.

Cloudflare Access can replace traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH key pair and administrators grant access to individual SSH servers by deploying their users' public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates.

## 1\. Secure the server behind Cloudflare Access

Cloudflare Access short-lived certificates can work with any modern SSH server, whether it is behind Access or not. However, we recommend putting your server behind Access for added security and features, such as auditability and browser-based terminals.

To secure your server behind Cloudflare Access:

1. [Connect the server to Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) as a published application.
2. Create a [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the server.

Note

If you do not wish to use Access, refer instead to our [SSH proxy instructions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/ssh-logging/).

## 2\. Ensure Unix usernames match user SSO identities

Cloudflare Access will take the identity from a token and, using short-lived certificates, authorize the user on the target infrastructure.

The simplest setup is one where a user's Unix username matches their email address prefix. Issued short-lived certificates will be valid for the user's email address prefix. For example, if a user in your Okta or GSuite organization is registered as `jdoe@example.com`, they would log in to the SSH server as `jdoe`.

For testing purposes, you can run the following command to generate a Unix user on the machine:

```
sudo adduser jdoe
```

Advanced setup: Differing usernames

SSH certificates include one or more `principals` in their signature which indicate the Unix usernames the certificate is allowed to log in as. Cloudflare Access will always set the principal to the user's email address prefix. For example, when `jdoe@example.com` tries to connect, Access issues a short-lived certificate authorized for the principal `jdoe`.

By default, SSH servers authenticate the Unix username against the principals listed in the user's certificate. You can configure your SSH server to accept principals that do not match the Unix username.

Note

If you would like to use short-lived certificates with the browser-based terminal, the user's email address prefix needs to match their Unix username.

**Username matches a different email**

To allow `jdoe@example.com` to log in as the user `johndoe`, add the following to the server's `/etc/ssh/sshd_config`:

```
Match user johndoe
  AuthorizedPrincipalsCommand /bin/echo 'jdoe'
  AuthorizedPrincipalsCommandUser nobody
```

This tells the SSH server that, when someone tries to authenticate as the user `johndoe`, it should check their certificate for the principal `jdoe`. This allows the user `jdoe@example.com` to sign in to the server with a command such as:

```
ssh johndoe@server
```

**Username matches multiple emails**

To allow multiple email addresses to log in as `vmuser`, add the following to the server's `/etc/ssh/sshd_config`:

```
Match user vmuser
  AuthorizedPrincipalsFile /etc/ssh/vmusers-list.txt
```

This tells the SSH server to load a list of principals from a file. Then, in `/etc/ssh/vmusers-list.txt`, list the email prefixes that can log in as `vmuser`, one per line:

```
jdoe
bwayne
robin
```

**Username matches all users**

To allow any Access user to log in as `vmuser`, add the following command to the server's `/etc/ssh/sshd_config`:

```
Match user vmuser
  AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
  AuthorizedPrincipalsCommandUser nobody
```

This command takes the certificate presented by the user and authorizes whatever principal is listed on it.

**Allow all users**

To allow any Access user to log in with any username, add the following to the server's `/etc/ssh/sshd_config`:

```
AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
AuthorizedPrincipalsCommandUser nobody
```

Since this makes the security of your server depend entirely on your Access configuration, make sure your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) are correctly configured.
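
To make concrete what the `Match` blocks above ask `sshd` to check, here is an added Python example that is neither Cloudflare's nor OpenSSH's code. It encodes a user certificate in the `ssh-ed25519-cert-v01@openssh.com` field layout, parses back the two things that decide a login (the principals list and the validity window), and applies the four principal-mapping patterns from this section. The certificate is constructed in code with placeholder nonce, key and signature bytes, so it demonstrates the fields only and would not verify on a real server; the `principal_map` argument is an assumption of the example standing in for `AuthorizedPrincipalsCommand` and `AuthorizedPrincipalsFile`.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # certificate type: 1 = user, 2 = host


def _s(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_user_cert(principals, valid_after, valid_before, key_id="jdoe@example.com"):
    """Constructed certificate blob in PROTOCOL.certkeys field order. Nonce, public key,
    CA key and signature are placeholders (constructed values, not real key material)."""
    return (
        _s(CERT_TYPE)
        + _s(b"\x00" * 32)                                   # nonce (placeholder)
        + _s(b"\x11" * 32)                                   # ed25519 public key (placeholder)
        + struct.pack(">Q", 1)                               # serial
        + struct.pack(">I", USER_CERT)                       # type
        + _s(key_id.encode())                                # key id (constructed)
        + _s(b"".join(_s(p.encode()) for p in principals))   # valid principals
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _s(b"") + _s(b"") + _s(b"")                        # critical options, extensions, reserved
        + _s(b"CA-KEY-PLACEHOLDER")                          # signature key
        + _s(b"SIG-PLACEHOLDER")                             # signature
    )


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def parse_user_cert(blob: bytes) -> dict:
    """Extract the fields sshd consults for a login decision."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    r.string(), r.string(), r.u64()  # nonce, public key, serial: not needed here
    if r.u32() != USER_CERT:
        raise ValueError("not a user certificate")
    key_id = r.string().decode()
    plist = _Reader(r.string())
    principals = []
    while plist.pos < len(plist.data):
        principals.append(plist.string().decode())
    return {"key_id": key_id, "principals": principals,
            "valid_after": r.u64(), "valid_before": r.u64()}


def login_allowed(blob: bytes, unix_user: str, now: int, principal_map=None) -> bool:
    """principal_map mirrors the sshd_config patterns above:
       no entry for the user -> principal must equal the Unix username (sshd default)
       list of names         -> AuthorizedPrincipalsCommand / AuthorizedPrincipalsFile
       None                  -> accept whatever principal the certificate carries"""
    cert = parse_user_cert(blob)
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False  # a short-lived certificate outside its window is rejected first
    accepted = (principal_map or {}).get(unix_user, [unix_user])
    if accepted is None:
        return bool(cert["principals"])
    return any(p in accepted for p in cert["principals"])
```

Note that the "allow any principal" mapping makes the validity window and the CA trust (`TrustedUserCAKeys`, checked by `sshd` before any principal logic runs) the only remaining controls on the server, which is exactly why the section above says the Access policies must then carry the whole decision.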

## 3\. Generate a short-lived certificate public key

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Service credentials** \> **SSH**.
2. Select **Add a certificate**.
3. In the **Application** dropdown, choose the Access application that represents your SSH server.
4. Select **Generate certificate**. A new row will appear in the short-lived certificates table with the name of your Access application.
5. Select the short-lived certificate for your application.
6. Copy its **CA public key**. You can return to copy this public key at any time.

## 4\. Save your public key

1. Copy the public key generated from the dashboard in Step 3.
2. Use the following command to change directories to the SSH configuration directory on the remote target machine:  
```  
cd /etc/ssh  
```
3. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key.  
```  
vim ca.pub  
```
4. In the `ca.pub` file, paste the public key without any modifications.  
```  
ecdsa-sha2-nistp256 <redacted> open-ssh-ca@cloudflareaccess.org  
```  
The `ca.pub` file can hold multiple keys, listed one per line. Empty lines and comments starting with `#` are also allowed.
5. Save the `ca.pub` file. In some systems, you may need to use the following command to force the file to save depending on your permissions:  
```  
:w !sudo tee %  
:q!  
```

## 5\. Modify your `sshd_config` file

Configure your SSH server to trust the Cloudflare SSH CA by updating the `sshd_config` file on the remote target machine.

1. While in the `/etc/ssh` directory on the remote machine, open the `sshd_config` file.  
```  
sudo vim /etc/ssh/sshd_config  
```
2. Press `i` to enter insert mode, then add the following lines at the top of the file, above all other directives:  
```  
PubkeyAuthentication yes  
TrustedUserCAKeys /etc/ssh/ca.pub  
```  
Be aware of your include statements  
If there are any `Include` statements below these lines, the configurations in those files will not take precedence.
3. Press `esc` and then type `:x` and press `Enter` to save and exit.

## 6\. Restart your SSH server

Once you have modified your `sshd` configuration, reload the SSH service on the remote machine for the changes to take effect.


For Debian/Ubuntu:

```
sudo systemctl reload ssh
```

For CentOS/RHEL 7 and newer:

```
sudo systemctl reload sshd
```

## 7\. Connect as a user

### Configure your client SSH config

On the client side, [configure your device](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/) to use Cloudflare Access to reach the protected machine. To use short-lived certificates, you must include the following settings in your SSH config file (`~/.ssh/config`).

To save time, you can use the following cloudflared command to print the required configuration:

```
cloudflared access ssh-config --hostname vm.example.com --short-lived-cert
```

If you prefer to configure manually, this is an example of the generated SSH config:

```
Match host vm.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
    HostName vm.example.com
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    IdentityFile ~/.cloudflared/vm.example.com-cf_key
    CertificateFile ~/.cloudflared/vm.example.com-cf_key-cert.pub
```

### Connect through a browser-based terminal

End users can connect to the SSH session without any configuration by using Cloudflare's browser-based terminal. To enable, refer to [Browser-rendered terminal](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/).

By default, the browser-based terminal prompts the user for a username/password login. If you would like to use certificate based authentication, make sure you have [created a short-lived certificate](#3-generate-a-short-lived-certificate-public-key) for the specific Access application configured for browser-rendered SSH.

---

Your SSH server is now protected behind Cloudflare Access — users will be prompted to authenticate with your identity provider before they can connect. You can also enable SSH command logging by configuring a [Gateway Audit SSH policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/ssh-logging/).


---

---
title: Authenticate coding agents
description: Grant coding agents like Claude Code, OpenCode, and Windsurf access to resources protected by Cloudflare Access using cloudflared or service tokens.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ AI ](https://developers.cloudflare.com/search/?tags=AI)[ Authentication ](https://developers.cloudflare.com/search/?tags=Authentication) 

# Authenticate coding agents

Coding agents such as Claude Code, OpenCode, and Windsurf often need to reach resources protected by [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/). When a resource is behind Access, unauthenticated requests receive a redirect or `403` error instead of the expected response. Your agent needs a way to authenticate before it can reach the resource.

This page covers two authentication methods:

* [**cloudflared**](#use-cloudflared) — authenticates under your user identity. Use for interactive development where you can complete a browser login.
* [**Service tokens**](#use-service-tokens) — authenticates with a static credential pair. Use for headless or automated workflows where no browser is available.

Note

Cloudflare Access also supports Managed OAuth for protected resources, which you can use to grant authorization to coding agents.

## Use cloudflared

With `cloudflared`, your agent authenticates under your user identity. On first use, `cloudflared` opens a browser window for an interactive login. After that, the session persists for the [session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) configured for the application. After the session expires, the next request requires a new browser login.

### Prerequisites

[Download and install cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/).

### Make requests with cloudflared access curl

For direct requests to a protected resource, use `cloudflared access curl`. This handles authentication automatically and does not require token management.

```
cloudflared access curl https://example.com/api/endpoint
```

If this is the first request in a session, `cloudflared` opens a browser for the user to authenticate. Prompt the user to complete the login if needed.

### Use a reusable token

Some agents make HTTP requests using their own client libraries instead of calling `cloudflared` directly. In this case, log in to get a token and pass it as a header:

```
CF_TOKEN=$(cloudflared access login https://example.com)
curl --header "cf-access-token: $CF_TOKEN" https://example.com/api/endpoint
```

The token is valid for the session duration configured for the application.

For more information, refer to [Connect through Access using a CLI](https://developers.cloudflare.com/cloudflare-one/tutorials/cli/) and [Client-side cloudflared](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/).

## Use service tokens

Service tokens are static credential pairs that authenticate requests without a browser login. Use them for automated workflows where no user is present.

1. [Create a service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/#create-a-service-token) and save the **Client ID** and **Client Secret**.
2. In the Access application's policy configuration, add a [Service Auth policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth). This policy type accepts service token credentials instead of requiring an identity provider login. Use the **Service Token** selector and select the token you created.  
| Action       | Rule type | Selector      | Value            |  
| ------------ | --------- | ------------- | ---------------- |  
| Service Auth | Include   | Service Token | Your agent token |
3. Store the Client ID and Client Secret in a secure location on your machine that your agent can read.
4. Include both values as headers in requests to the protected resource:  
```  
curl --header "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \  
     --header "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \  
     https://example.com/api/endpoint  
```

For more information, refer to [Service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).

## Configure your agent

Add an `AGENTS.md` file to your project root with the following skill definition. This instructs coding agents to automatically detect Cloudflare Access-protected resources and authenticate using the standard OAuth 2.0 flow (RFC 9728 resource metadata discovery, dynamic client registration, and the authorization code grant with PKCE).
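
The skill below walks an agent through the flow with `curl` and `openssl`. As an added example that is not part of Cloudflare's documentation or of `cloudflared`, the following Python implements the same client-side steps with the network calls factored out, so each decision (is this a Bearer challenge with `resource_metadata`, does the authorization server meet the checklist, is the PKCE challenge well formed, what does the authorization URL look like) can be checked on constructed responses. The sample header and metadata follow the skill's own illustrations, with the `<hostname>` and `<team>` placeholders filled with the constructed values `app.example.com` and `team`; `pkce_challenge`, `unmet_requirements` and the other function names are this example's, not an API of any tool.

```python
import base64
import hashlib
import json
import re
import secrets
from urllib.parse import urlencode

# Constructed sample values standing in for the skill's <hostname> and <team> placeholders.
RESOURCE = "https://app.example.com"
AS_URL = "https://team.cloudflareaccess.com"

SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="OAuth", error="invalid_token", '
    'error_description="Missing or invalid access token", '
    f'resource_metadata="{RESOURCE}/.well-known/cloudflare-access-protected-resource/"'
)
SAMPLE_RESOURCE_METADATA = {
    "resource": RESOURCE, "protected": True,
    "team_domain": "team.cloudflareaccess.com",
    "authorization_servers": [AS_URL],
}
SAMPLE_AS_METADATA = {
    "issuer": "team.cloudflareaccess.com",
    "authorization_endpoint": f"{AS_URL}/cdn-cgi/access/oauth/authorization",
    "token_endpoint": f"{AS_URL}/cdn-cgi/access/oauth/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
    "registration_endpoint": f"{AS_URL}/cdn-cgi/access/oauth/registration",
    "code_challenge_methods_supported": ["S256"],
}


def resource_metadata_url(www_authenticate):
    """Step 1: the resource_metadata URL from a Bearer challenge, or None when the
    response does not advertise this flow (then fall back to cloudflared access curl)."""
    if not www_authenticate or not www_authenticate.strip().lower().startswith("bearer"):
        return None
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return m.group(1) if m else None


def authorization_server(resource_metadata):
    """Step 2: first authorization server listed for a protected resource."""
    servers = resource_metadata.get("authorization_servers") or []
    if not resource_metadata.get("protected") or not servers:
        raise ValueError("not a Cloudflare Access OAuth-protected resource")
    return servers[0]


def unmet_requirements(as_metadata):
    """Step 3: the skill's checklist as a list of problems (empty list = proceed)."""
    problems = []
    if "none" not in as_metadata.get("token_endpoint_auth_methods_supported", []):
        problems.append("public clients not supported (no 'none' auth method)")
    if "authorization_code" not in as_metadata.get("grant_types_supported", []):
        problems.append("authorization_code grant not supported")
    if "S256" not in as_metadata.get("code_challenge_methods_supported", []):
        problems.append("S256 code challenge not supported")
    for key in ("registration_endpoint", "authorization_endpoint", "token_endpoint"):
        if not as_metadata.get(key):
            problems.append(f"{key} missing")
    return problems


def registration_request(resource, redirect_uri="http://localhost:8400/callback"):
    """Step 4: JSON body for dynamic registration of a public (no-secret) client."""
    return json.dumps({
        "redirect_uris": [redirect_uri],
        "token_endpoint_auth_method": "none",
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "resource": resource,
    })


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    return _b64url(hashlib.sha256(verifier.encode()).digest())


def make_pkce(random_bytes=secrets.token_bytes):
    """Step 5: verifier and challenge, regenerated until the challenge starts with an
    alphanumeric character, which is the constraint the skill calls out."""
    while True:
        verifier = _b64url(random_bytes(32))  # 43 URL-safe characters, within RFC 7636 limits
        challenge = pkce_challenge(verifier)
        if re.match(r"[A-Za-z0-9]", challenge):
            return verifier, challenge


def authorization_url(authorization_endpoint, client_id, code_challenge, resource,
                      redirect_uri="http://localhost:8400/callback"):
    """Step 6: the URL the user is sent to; urlencode percent-encodes redirect_uri and resource."""
    return authorization_endpoint + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "resource": resource,
    })
```

Because the client registers with `token_endpoint_auth_method: none`, the PKCE verifier is the only thing binding the authorization code to the agent that requested it; keep it in memory for the single exchange rather than writing it next to the code on disk.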

```

---

name: access-oauth

description: "Detect Cloudflare Access-protected websites and authenticate via the standard OAuth 2.0 flow (RFC 9728 resource metadata, dynamic client registration, authorization code + PKCE)"

license: MIT

compatibility: opencode

metadata:

  category: authentication

  audience: developers

---


# Access OAuth Authentication


Authenticate to Cloudflare Access-protected resources using standard OAuth 2.0

(resource metadata discovery, dynamic client registration, authorization code with PKCE).


## When to Use


Use this skill when:


- You need to access a URL that returns HTTP 401

- The response contains a `www-authenticate: Bearer` header with a `resource_metadata` URL

- The resource metadata indicates it is a Cloudflare Access-protected resource

- You want to authenticate interactively through the user's IdP


## Step 1: Detect a Protected Resource


Make a request and inspect the response headers:


```bash

curl -sI -L <URL> 2>&1

```


Look for a **401** response with a `www-authenticate` header like:


```

www-authenticate: Bearer realm="OAuth", error="invalid_token",

  error_description="Missing or invalid access token",

  resource_metadata="https://<hostname>/.well-known/cloudflare-access-protected-resource/"

```


If you see this header, the site supports the OAuth flow. Proceed to Step 2.


The JSON body of the 401 will also contain:


```json

{

  "error": "invalid_token",

  "error_description": "Missing or invalid access token",

  "resource_metadata": "https://<hostname>/.well-known/cloudflare-access-protected-resource/"

}

```


### If No `www-authenticate` Header


If the 401 does not include `www-authenticate` with `resource_metadata`, the site may

not support this OAuth flow. Fall back to `cloudflared access curl` or browser-based

authentication.


## Step 2: Fetch Resource Metadata


Fetch the resource metadata URL from the `www-authenticate` header:


```bash

curl -s https://<hostname>/.well-known/cloudflare-access-protected-resource/

```


Expected response:


```json

{

  "resource": "https://<hostname>",

  "protected": true,

  "team_domain": "<team>.cloudflareaccess.com",

  "authorization_servers": ["https://<team>.cloudflareaccess.com"],

  "authentication_method": "cloudflared",

  "authentication_method_description": "Use `cloudflared access curl`...",

  "authentication_method_documentation": "https://developers.cloudflare.com/cloudflare-one/tutorials/cli/"

}

```


Extract the **authorization server** URL from `authorization_servers[0]` (e.g. `https://<team>.cloudflareaccess.com`).


## Step 3: Fetch OAuth Authorization Server Metadata


```bash

curl -s https://<team>.cloudflareaccess.com/.well-known/oauth-authorization-server

```


Expected response:


```json

{

  "issuer": "<team>.cloudflareaccess.com",

  "authorization_endpoint": "https://<team>.cloudflareaccess.com/cdn-cgi/access/oauth/authorization",

  "token_endpoint": "https://<team>.cloudflareaccess.com/cdn-cgi/access/oauth/token",

  "response_types_supported": ["code"],

  "response_modes_supported": ["query"],

  "grant_types_supported": ["authorization_code", "refresh_token"],

  "token_endpoint_auth_methods_supported": [

    "client_secret_basic",

    "client_secret_post",

    "none"

  ],

  "revocation_endpoint": "https://<team>.cloudflareaccess.com/cdn-cgi/access/oauth/revoke",

  "registration_endpoint": "https://<team>.cloudflareaccess.com/cdn-cgi/access/oauth/registration",

  "code_challenge_methods_supported": ["S256"]

}

```


Verify that:


- `"none"` is in `token_endpoint_auth_methods_supported` (allows public clients)

- `"authorization_code"` is in `grant_types_supported`

- `"S256"` is in `code_challenge_methods_supported`

- A `registration_endpoint` is present


Extract the **registration_endpoint**, **authorization_endpoint**, and **token_endpoint**.


## Step 4: Dynamic Client Registration

Register a public OAuth client:

```bash
curl -s -X POST <registration_endpoint> \
  -H "Content-Type: application/json" \
  -d '{
    "redirect_uris": ["http://localhost:8400/callback"],
    "token_endpoint_auth_method": "none",
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "resource": "https://<hostname>"
  }'
```

Expected response:

```json
{
  "client_id": "<uuid>",
  "redirect_uris": ["http://localhost:8400/callback"],
  "grant_types": ["authorization_code"],
  "response_types": ["code"],
  "token_endpoint_auth_method": "none",
  "registration_client_uri": "...",
  "client_id_issued_at": 1234567890
}
```

Save the **client_id**.


## Step 5: Generate PKCE Challenge

Generate a code verifier and its S256 challenge. Ensure the challenge starts with an alphanumeric character to avoid URL parsing issues on the authorization server:

```bash
while true; do
  # 32 random bytes -> 43 base64url characters, the RFC 7636 minimum verifier length
  CODE_VERIFIER=$(openssl rand -base64 32 | tr -d '=' | tr '/+' '_-')
  # S256 transform: base64url(SHA-256(verifier)) without padding
  CODE_CHALLENGE=$(printf '%s' "$CODE_VERIFIER" | openssl dgst -sha256 -binary | base64 | tr -d '=' | tr '/+' '_-')
  if [[ "$CODE_CHALLENGE" =~ ^[a-zA-Z0-9] ]]; then
    break
  fi
done
```

**Important**: The code challenge MUST start with `[a-zA-Z0-9]`. A leading `-` or `_` can cause URL parameter parsing failures on the authorization server.


## Step 6: Authorization Code Flow with Local Callback

Start a local HTTP server to catch the callback, then direct the user to the authorization URL. The URL below carries exactly the parameters this flow needs. PKCE already binds the returned code to this client's verifier; a client that will be reused should also send a random `state` value and reject any callback whose `state` does not match, which is the conventional extra guard against a forged callback (RFC 6749 section 10.12).

### Build the Authorization URL

```
<authorization_endpoint>?
  client_id=<client_id>&
  redirect_uri=http%3A%2F%2Flocalhost%3A8400%2Fcallback&
  response_type=code&
  code_challenge=<CODE_CHALLENGE>&
  code_challenge_method=S256&
  resource=<URL-encoded target resource>
```

### Start the Callback Listener and Prompt the User

Run a Python HTTP server on port 8400 that captures the authorization code. It listens on the loopback address only, so the code cannot be delivered by another host on the network, HTML-escapes any error text before echoing it into the page, and shuts down after the first callback:

```bash
python3 -c '
import html, http.server, threading, urllib.parse

class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(parsed.query)
        if "code" in params:
            code = params["code"][0]
            with open("/tmp/oauth_code.txt", "w") as f:
                f.write(code)
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<h1>Got it!</h1><p>Authorization code received. You can close this tab.</p>")
            print(f"CODE={code}", flush=True)
        elif "error" in params:
            # Escaped before being placed in HTML: these values come straight from the query string
            err = html.escape(params.get("error", [""])[0])
            desc = html.escape(params.get("error_description", [""])[0])
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(f"<h1>Error</h1><p>{err}: {desc}</p>".encode())
            print(f"ERROR: {err} - {desc}", flush=True)
        else:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b"Unexpected request")
            print(f"Unexpected: {self.path}", flush=True)
        # Stop after the first callback; shutdown() must run on a thread other than serve_forever()
        threading.Thread(target=self.server.shutdown).start()

    def log_message(self, format, *args):
        pass

print("Listening on http://localhost:8400 ...", flush=True)
print("Open the authorization URL in your browser.", flush=True)
# Loopback only: a listener on all interfaces would accept a code from any host on the network
http.server.HTTPServer(("127.0.0.1", 8400), Handler).serve_forever()
'
```

**Important**: Use a timeout of at least 120000ms for this bash command since the user needs time to authenticate in the browser.

Tell the user to open the authorization URL in their browser. After they authenticate with their IdP, the browser is redirected to `http://localhost:8400/callback?code=<code>`; the server captures the code and shuts down.


## Step 7: Exchange Code for Token

```bash
curl -s -X POST <token_endpoint> \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=<AUTH_CODE>" \
  -d "client_id=<CLIENT_ID>" \
  -d "redirect_uri=http://localhost:8400/callback" \
  -d "code_verifier=<CODE_VERIFIER>"
```

No client secret is sent: the client was registered with `token_endpoint_auth_method` set to `none`, so the `code_verifier` is what proves that this is the client that started the flow.

Expected response:

```json
{
  "access_token": "oauth:<token>",
  "token_type": "bearer",
  "expires_in": 900,
  "scope": "",
  "resource": "https://<hostname>/",
  "refresh_token": "oauth:<refresh_token>"
}
```

Save the **access_token** and **refresh_token**.


## Step 8: Access the Protected Resource

```bash
curl -s https://<hostname>/ \
  -H "Authorization: Bearer <access_token>"
```

This should now return the actual content behind Cloudflare Access.


## Step 9: Refresh the Token (if needed)

If the access token expires (default 900 seconds), use the refresh token:

```bash
curl -s -X POST <token_endpoint> \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=<REFRESH_TOKEN>" \
  -d "client_id=<CLIENT_ID>"
```
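The client side of steps 3 to 7 and 9 as one runnable module, added here as an example; it is not code from this page or from Cloudflare. It runs offline: `SAMPLE_AS_METADATA` is constructed from the step 3 response with the placeholder team name `team`, `app.example.com` is a placeholder resource, and the `state` handling is this example's addition alongside PKCE (the page's URL omits `state`). The `s256_challenge` function is the exact transform the token endpoint recomputes from `code_verifier`, so it also serves to check a PKCE implementation against the RFC 7636 test vector.

```python
"""Client side of the Cloudflare Access OAuth flow (steps 3 to 7 and 9), offline.
Added example, not page or Cloudflare code; the metadata below is constructed."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SAMPLE_AS_METADATA = {  # constructed from the page's step 3 response, team name is a placeholder
    "issuer": "team.cloudflareaccess.com",
    "authorization_endpoint": "https://team.cloudflareaccess.com/cdn-cgi/access/oauth/authorization",
    "token_endpoint": "https://team.cloudflareaccess.com/cdn-cgi/access/oauth/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
    "registration_endpoint": "https://team.cloudflareaccess.com/cdn-cgi/access/oauth/registration",
    "code_challenge_methods_supported": ["S256"],
}

def check_as_metadata(meta):
    """The step 3 checklist plus an https check; returns a list of problems, empty when usable."""
    problems = []
    if "none" not in meta.get("token_endpoint_auth_methods_supported", []):
        problems.append("public clients (token_endpoint_auth_method 'none') not supported")
    if "authorization_code" not in meta.get("grant_types_supported", []):
        problems.append("authorization_code grant not supported")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        problems.append("S256 code challenge not supported")
    for key in ("registration_endpoint", "authorization_endpoint", "token_endpoint"):
        if key not in meta:
            problems.append(f"{key} missing")
        elif urlparse(meta[key]).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

def b64url(raw):
    """Base64url without padding, the encoding PKCE uses (RFC 7636 appendix A)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256_challenge(verifier):
    """What the token endpoint recomputes from code_verifier and compares to code_challenge."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def generate_pkce():
    """Step 5: (code_verifier, code_challenge). 32 random bytes give a 43-character verifier,
    the RFC 7636 minimum; the loop applies the page's rule that the challenge must start
    with an alphanumeric character."""
    while True:
        verifier = b64url(secrets.token_bytes(32))
        challenge = s256_challenge(verifier)
        if challenge[0].isalnum():
            return verifier, challenge

def build_authorization_url(meta, client_id, redirect_uri, challenge, resource, state):
    """Step 6 URL; urlencode percent-encodes redirect_uri and resource. `state` is this
    example's addition: a per-attempt random value the callback handler checks."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
              "code_challenge": challenge, "code_challenge_method": "S256",
              "resource": resource, "state": state}
    return meta["authorization_endpoint"] + "?" + urlencode(params)

def parse_callback(path, expected_state):
    """The check the local listener should make on the redirect it receives: surface an
    error response, reject a callback whose state is not ours, then take the code."""
    qs = parse_qs(urlparse(path).query)
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise RuntimeError("state mismatch: callback does not belong to this authorization request")
    if "code" not in qs:
        raise RuntimeError("callback carried no authorization code")
    return qs["code"][0]

def token_request_body(client_id, code=None, redirect_uri=None, verifier=None, refresh_token=None):
    """Form body for step 7 (code + redirect_uri + verifier) or step 9 (refresh_token).
    No client secret: the client was registered with token_endpoint_auth_method 'none'."""
    if refresh_token is not None:
        fields = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    else:
        fields = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
                  "redirect_uri": redirect_uri, "code_verifier": verifier}
    return urlencode(fields)

if __name__ == "__main__":
    assert not check_as_metadata(SAMPLE_AS_METADATA)
    verifier, challenge = generate_pkce()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url(SAMPLE_AS_METADATA, "<client_id>", "http://localhost:8400/callback",
                                  challenge, "https://app.example.com", state))
    # Constructed stand-in for the redirect the browser would make to the local listener
    code = parse_callback(f"/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print(token_request_body("<client_id>", code, "http://localhost:8400/callback", verifier))
```

The bodies returned by `token_request_body` are what the `curl -d` flags in steps 7 and 9 send; feeding them to `urllib.request` or `requests` against the real `token_endpoint` is the only network step missing here.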


## Quick Reference: Full Flow Summary

```
1. curl -sI <URL>                          # Detect 401 + www-authenticate header
2. curl -s <resource_metadata_url>         # Get authorization server
3. curl -s <as>/.well-known/oauth-authorization-server  # Get endpoints
4. POST <registration_endpoint>            # Register public client
5. Generate PKCE code_verifier + challenge # S256, alphanumeric start
6. Start localhost:8400 listener           # Catch callback
7. User opens authorization URL            # Browser-based IdP auth
8. POST <token_endpoint>                   # Exchange code for token
9. curl -H "Authorization: Bearer <token>" # Access resource
```


## Troubleshooting


| Problem                                                 | Cause                                                               | Fix                                                                        |
| ------------------------------------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| `code_challenge_method must be S256 for public clients` | Code challenge starts with `-` or `_`, corrupting the URL parameter | Regenerate until challenge starts with `[a-zA-Z0-9]`                       |
| `invalid_grant` on token exchange                       | Code expired or verifier mismatch                                   | Redo the auth flow; codes are single-use and short-lived                   |
| 401 after using token                                   | Token expired (default 15 min)                                      | Use refresh token to get a new access token                                |
| No `www-authenticate` header                            | Site doesn't support OAuth resource metadata                        | Fall back to `cloudflared access curl` or browser auth                     |
| No `registration_endpoint` in AS metadata               | Dynamic registration not enabled                                    | Must use a pre-registered client or different auth method                  |
| Port 8400 already in use                                | Previous listener didn't shut down                                  | Kill the process or use a different port (update redirect_uri accordingly) |



---

---
title: Event subscriptions
description: Reference information for Event subscriptions in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Event subscriptions

[Event subscriptions](https://developers.cloudflare.com/queues/event-subscriptions/) allow you to receive messages when events occur across your Cloudflare account. Cloudflare products (e.g., [KV](https://developers.cloudflare.com/kv/), [Workers AI](https://developers.cloudflare.com/workers-ai/), [Workers](https://developers.cloudflare.com/workers/)) can publish structured events to a [queue](https://developers.cloudflare.com/queues/), which you can then consume with Workers or [HTTP pull consumers](https://developers.cloudflare.com/queues/configuration/pull-consumers/) to build custom workflows, integrations, or logic.

For more information on [Event Subscriptions](https://developers.cloudflare.com/queues/event-subscriptions/), refer to the [management guide](https://developers.cloudflare.com/queues/event-subscriptions/manage-event-subscriptions/).

## Available Access events

#### `application.created`

Triggered when an application is created.

**Example:**

```json
{
  "type": "cf.access.application.created",
  "source": {
    "type": "access"
  },
  "payload": {
    "id": "app-12345678-90ab-cdef-1234-567890abcdef",
    "name": "My Application"
  },
  "metadata": {
    "accountId": "f9f79265f388666de8122cfb508d7776",
    "eventSubscriptionId": "1830c4bb612e43c3af7f4cada31fbf3f",
    "eventSchemaVersion": 1,
    "eventTimestamp": "2025-05-01T02:48:57.132Z"
  }
}
```

#### `application.deleted`

Triggered when an application is deleted.

**Example:**

```json
{
  "type": "cf.access.application.deleted",
  "source": {
    "type": "access"
  },
  "payload": {
    "id": "app-12345678-90ab-cdef-1234-567890abcdef",
    "name": "My Application"
  },
  "metadata": {
    "accountId": "f9f79265f388666de8122cfb508d7776",
    "eventSubscriptionId": "1830c4bb612e43c3af7f4cada31fbf3f",
    "eventSchemaVersion": 1,
    "eventTimestamp": "2025-05-01T02:48:57.132Z"
  }
}
```
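What a queue consumer would do with these two events, written as an added example rather than Cloudflare code: validate the envelope (source, schema version, required fields), normalize the payload, and treat `application.deleted` as a finding worth review, since deleting an Access application removes the policies that were protecting it. The sample batch is constructed from the two events above plus one deliberately malformed message; the severity mapping is this example's own choice.

```python
"""Triage of Access event-subscription messages as a queue consumer sees them.
Added example, not Cloudflare code; SAMPLE_BATCH is constructed from the page's examples."""
import json

KNOWN_TYPES = {"cf.access.application.created", "cf.access.application.deleted"}
SUPPORTED_SCHEMA_VERSION = 1

def triage_access_event(message):
    """Validate one event envelope and return a normalized finding dict.
    Raises ValueError for anything that is not a well-formed Access event."""
    event = json.loads(message) if isinstance(message, str) else message
    missing = [k for k in ("type", "source", "payload", "metadata") if k not in event]
    if missing:
        raise ValueError(f"malformed event, missing {missing}")
    if event["source"].get("type") != "access":
        raise ValueError(f"not an Access event: source={event['source']}")
    meta = event["metadata"]
    if meta.get("eventSchemaVersion") != SUPPORTED_SCHEMA_VERSION:
        raise ValueError(f"unsupported eventSchemaVersion {meta.get('eventSchemaVersion')!r}")
    etype = event["type"]
    if etype not in KNOWN_TYPES:
        # Unknown types are surfaced, not dropped, so a new event kind is noticed rather than lost
        return {"severity": "info", "type": etype, "summary": "unhandled Access event type"}
    app = event["payload"]
    deleted = etype.endswith(".deleted")
    return {
        "severity": "high" if deleted else "low",   # example's own mapping
        "type": etype,
        "app_id": app["id"],
        "app_name": app["name"],
        "account": meta["accountId"],
        "subscription": meta["eventSubscriptionId"],
        "at": meta["eventTimestamp"],
        "summary": f"Access application {app['name']!r} was {'deleted' if deleted else 'created'}",
    }

def triage_batch(messages):
    """Process a batch; malformed messages are collected rather than failing the whole batch."""
    findings, rejected = [], []
    for m in messages:
        try:
            findings.append(triage_access_event(m))
        except (ValueError, KeyError) as exc:
            rejected.append(f"{type(exc).__name__}: {exc}")
    return findings, rejected

def _sample(etype):
    # Constructed from the page's two examples; the ids are the page's sample values
    return json.dumps({
        "type": etype,
        "source": {"type": "access"},
        "payload": {"id": "app-12345678-90ab-cdef-1234-567890abcdef", "name": "My Application"},
        "metadata": {"accountId": "f9f79265f388666de8122cfb508d7776",
                     "eventSubscriptionId": "1830c4bb612e43c3af7f4cada31fbf3f",
                     "eventSchemaVersion": 1, "eventTimestamp": "2025-05-01T02:48:57.132Z"},
    })

SAMPLE_BATCH = [_sample("cf.access.application.created"),
                _sample("cf.access.application.deleted"),
                json.dumps({"type": "cf.access.application.deleted", "source": {"type": "access"}})]

if __name__ == "__main__":
    findings, rejected = triage_batch(SAMPLE_BATCH)
    for finding in findings:
        print(finding["severity"].upper(), finding["summary"])
    print("rejected:", rejected)
```

In a Worker consumer the same logic runs per message in the batch handler; with an HTTP pull consumer it runs over the pulled messages before they are acknowledged, so a malformed message can be left unacknowledged for inspection instead of being silently dropped.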


---

---
title: Policies
description: Configure Policies in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Policies

Cloudflare Access determines who can reach your application by applying the Access policies you configure.

Every Access policy has four building blocks:

* [**Actions**](#actions): What happens when a user matches the policy (Allow, Block, Bypass, or Service Auth)
* [**Rule types**](#rule-types): How criteria are combined (Include, Require, or Exclude)
* [**Selectors**](#selectors): The attributes being checked (for example, email domain, country, or device posture)
* **Values**: The specific values to match against (for example, `@example.com`)

## Cloudflare Access policy actions

Actions let you grant or deny permission to a certain user or user group. You can set only one action per policy.

### Allow

The Allow action in Cloudflare Access allows users that meet certain criteria to reach an application behind Access.

The following table shows an example Cloudflare Access Allow policy that lets any user with an `@example.com` email address, as validated against an IdP, reach the application:

| Action | Rule type | Selector         | Value        |
| ------ | --------- | ---------------- | ------------ |
| Allow  | Include   | Emails ending in | @example.com |

You can add a Require rule in the same policy action to enforce additional checks. Finally, if the policy contains an Exclude rule, users meeting that definition are prevented from reaching the application.

For example, the following table shows an Allow policy with Require and Exclude rules. This configuration lets any user from Portugal with an `@team.com` email address, as validated against an IdP, reach the application, except for `user-1` and `user-2`:

| Action | Rule type | Selector         | Value                            |
| ------ | --------- | ---------------- | -------------------------------- |
| Allow  | Include   | Country          | Portugal                         |
|        | Require   | Emails ending in | @team.com                        |
|        | Exclude   | Email            | user-1@team.com, user-2@team.com |

### Block

The Block action in Cloudflare Access prevents users who meet certain criteria from reaching an application. For example, the following table shows a Block policy that blocks requests from Russian source IPs that are not on your [list of approved IPs](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

| Action | Rule type | Selector | Value                  |
| ------ | --------- | -------- | ---------------------- |
| Block  | Include   | Country  | Russian Federation     |
|        | Exclude   | IP list  | Corporate IP allowlist |

Block policies are best used in conjunction with [Allow policies](#allow) as a way to carve out exceptions in those Allow policies. Since Access is deny by default, users who do not match a Block policy will still be denied access unless they explicitly match an Allow policy.

### Bypass

The Bypass action in Cloudflare Access disables Access enforcement for specific traffic.

Warning

Bypass does not enforce any Access security controls and requests are not logged. Bypass policies should be tested before deploying to production. Consider using [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth) if you would like to enforce policies and maintain logging without requiring user authentication.

As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) (such as email).

The Bypass action disables any Access enforcement for traffic that meets the defined rule criteria. Bypass is typically used to enable applications that require specific endpoints to be public.

For example, some applications have an endpoint under the `/admin` route that must be publicly routable. In this situation, you could create an Access application for the domain `test.example.com/admin/<your-url>` and add the Bypass policy shown in the following table:

| Action | Rule type | Selector | Value    |
| ------ | --------- | -------- | -------- |
| Bypass | Include   | Everyone | Everyone |

As part of implementing a Zero Trust security model, Cloudflare does not recommend using Bypass to grant direct permanent access to your internal applications. To enable seamless and secure access for on-network employees, use Cloudflare Tunnel to [connect your private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) and have users connect through the Cloudflare One Client.

Note

When applying a Bypass action, security settings revert to the defaults configured for the zone and any configured Page Rules. If **Always use HTTPS** is enabled for the site, then traffic to the bypassed destination continues in HTTPS. If **Always use HTTPS** is disabled, traffic is HTTP.

#### Bypass policy product incompatibility

Bypass policies which contain [device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) rules will not function when:

* [Zaraz](https://developers.cloudflare.com/zaraz/) is enabled for the zone protected by Access
* A [Worker](https://developers.cloudflare.com/workers/) intercepts the request

To work around these limitations and bypass Access, we recommend changing the policy action to [Service Auth](#service-auth).

### Service Auth

Service Auth rules in Cloudflare Access enforce authentication flows that do not require an identity provider (IdP) login, such as service tokens and mutual TLS.

The following table shows an example Cloudflare Access Service Auth policy configuration:

| Action       | Rule type | Selector          |
| ------------ | --------- | ----------------- |
| Service Auth | Include   | Valid certificate |

## Cloudflare Access rule types

Rule types work like logical operators and determine how your criteria are combined to evaluate a user. All Access policies must contain at least one Include rule. This Include rule defines the initial pool of eligible users who can access an application. You can then add Exclude and Require rules to narrow the scope.

### Include

The Include rule in Cloudflare Access is similar to an OR logical operator. In case more than one Include rule is specified, users need to meet only one of the criteria.

### Exclude

The Exclude rule in Cloudflare Access works like a NOT logical operator. A user meeting any Exclusion criteria will not be allowed access to the application.

### Require

The Require rule in Cloudflare Access works like an AND logical operator. A user must meet all specified Require rules to be allowed access.

#### Require rules with OR operators

By default, any values added to a Require rule are concatenated by an AND operator. For example, let's say you want to grant access to an application to both the full-time employees and the contractors, and only the ones based in specific countries — say Portugal and the United States. If you set up a rule with the following configuration:

| Action | Rule type | Selector         | Value                             |
| ------ | --------- | ---------------- | --------------------------------- |
| Allow  | Require   | Country          | United States, Portugal           |
|        | Require   | Emails ending in | @cloudflare.com, @contractors.com |

This policy requires the user to be in the United States AND Portugal simultaneously, and have an email ending in both `@cloudflare.com` AND `@contractors.com`. Therefore, nobody will have access to the application.

**Solution:** Use a [rule group](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/) to convert AND logic to OR logic within a Require rule.

1. Create a rule group called `Country requirements` that includes users in Portugal OR the United States:

   | Rule type | Selector | Value                   |
   | --------- | -------- | ----------------------- |
   | Include   | Country  | United States, Portugal |

2. Create a policy that requires the rule group, and that also includes users with emails ending in either `@cloudflare.com` OR `@contractors.com`:

   | Action | Rule type | Selector         | Value                             |
   | ------ | --------- | ---------------- | --------------------------------- |
   | Allow  | Require   | Rule group       | Country requirements              |
   |        | Include   | Emails ending in | @cloudflare.com, @contractors.com |

## Cloudflare Access selectors

When you add a rule to your Cloudflare Access policy, you will be asked to specify the criteria, or attributes, you want users to meet. These attributes are available for all Access application types, including [SaaS](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/), [self-hosted](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), and [non-HTTP](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/) applications.

Non-identity attributes are polled continuously, meaning they are evaluated with each new HTTP request for changes during the [user session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/). If you have configured [SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.

| Selector                 | Description                                                                                                                                                                                                                                                                                                                                                                                                | Checked at login | Checked continuously¹ | Identity-based selector? |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | --------------------- | ------------------------ |
| Emails                   | you@company.com                                                                                                                                                                                                                                                                                                                                                                                            | ✅                | ❌                     | ✅                        |
| Emails ending in         | @company.com                                                                                                                                                                                                                                                                                                                                                                                               | ✅                | ❌                     | ✅                        |
| External Evaluation      | Allows or denies access based on [custom logic](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/external-evaluation/) in an external API.                                                                                                                                                                                                                                        | ✅                | ❌                     | ✅                        |
| IP ranges                | 192.168.100.1/24 (supports IPv4/IPv6 addresses and CIDR ranges)                                                                                                                                                                                                                                                                                                                                            | ✅                | ✅                     | ❌                        |
| Country                  | Uses the IP address to determine country.                                                                                                                                                                                                                                                                                                                                                                  | ✅                | ✅                     | ❌                        |
| Everyone                 | Allows, denies, or bypasses access to everyone.                                                                                                                                                                                                                                                                                                                                                            | ✅                | ❌                     | ❌                        |
| Common Name              | The request will need to present a valid certificate with an expected common name.                                                                                                                                                                                                                                                                                                                         | ✅                | ✅                     | ❌                        |
| Valid Certificate        | The request will need to present any valid client certificate.                                                                                                                                                                                                                                                                                                                                             | ✅                | ✅                     | ❌                        |
| Service Token            | The request will need to present the correct service token headers configured for the specific application. Requires the [Service Auth](#service-auth) action.                                                                                                                                                                                                                                             | ✅                | ✅                     | ❌                        |
| Any Access Service Token | The request will need to present the headers for any [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) created for this account. Requires the [Service Auth](#service-auth) action.                                                                                                                                                    | ✅                | ✅                     | ❌                        |
| User Risk Score          | The user's current [risk score](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/) (Low, Medium, or High). Acts as a threshold — users with a score at or below the specified level pass the check. This selector only displays for Enterprise plans.                                                                                                                  | ✅                | ✅                     | ✅                        |
| Linked App Token         | Checks for a valid [OAuth access token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/linked-app-token/) issued to a specific Access application. Requires the [Service Auth](#service-auth) action.                                                                                                                                                                       | ✅                | ✅                     | ❌                        |
| Login Methods            | Checks the identity provider used at the time of login.                                                                                                                                                                                                                                                                                                                                                    | ✅                | ❌                     | ✅                        |
| Authentication Method    | Checks the [multi-factor authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) method used by the user, if supported by the identity provider. To enforce MFA independently of your IdP, refer to [independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/). | ✅                | ❌                     | ✅                        |
| Identity provider group  | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/).                                                                                                                       | ✅                | ❌                     | ✅                        |
| SAML Group               | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider.                                                                                                                                                                                      | ✅                | ❌                     | ✅                        |
| OIDC Claim               | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider.                                                                                                                                                                                         | ✅                | ❌                     | ✅                        |
| Device posture           | Checks device posture signals from the Cloudflare One Client or a third-party service provider. This selector only displays after you create a [device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).                                                                                                                                               | ✅                | ✅                     | ❌                        |
| Warp                     | Checks that the device is connected to the Cloudflare One Client, including the consumer version. This selector only displays after you enable the [WARP posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/require-warp/).                                                                                                                  | ✅                | ✅                     | ❌                        |
| Gateway                  | Checks that the device is connected to your Zero Trust instance through the Cloudflare One Client. This selector only displays after you enable the [Gateway posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/).                                                                                                           | ✅                | ✅                     | ❌                        |

¹ For SaaS applications, Access can only enforce policies at the time of initial sign on and when reissuing the SaaS session. Once the user has authenticated to the SaaS app, session management falls solely within the purview of the SaaS app.

## Connection context in Cloudflare Access

Connection context settings allow you to control how users interact with an application after they have been granted access. While [selectors](#selectors) determine who can access an application, connection context settings determine what actions users can take during their session. The available connection context settings depend on the application type.

Connection context is configured per policy, allowing you to grant different permissions to different groups of users. For example, you could allow full-time employees to copy data from a remote RDP session while restricting contractors to read-only access.

| Application type                                                                                                                                          | Available settings                           |
| --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- |
| [Infrastructure (SSH)](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/)                       | Allowed UNIX usernames                       |
| [Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls) | Clipboard controls (copy/paste restrictions) |

## Cloudflare Access policy order of execution

Cloudflare Access policies are evaluated based on their action type and the order you set. Bypass and Service Auth policies are evaluated first, from top to bottom as shown in the UI. Then, Block and Allow policies are evaluated in their order from top to bottom.

For example, if you have policies arranged as follows:

* Allow A
* Block B
* Service Auth C
* Bypass D
* Allow E

The policies will execute in this order: Service Auth C > Bypass D > Allow A > Block B > Allow E. Once a user matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision.
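The ordering rule above is easy to get wrong in practice: a Block placed below an Allow never runs for users the Allow already matched. The following is an added example, not Cloudflare code, that models the two-pass evaluation and the stop-on-first-match rule using the five policies from the list above; the request context and the matcher functions are constructed for illustration, and treating a matching Bypass or Service Auth policy as terminal is an assumption of the model.

```python
# Added example (not Cloudflare code): a model of how Access orders and
# evaluates policies, following the rules stated on this page.
from dataclasses import dataclass
from typing import Callable, Optional

Request = dict  # request context, e.g. {"email": "...", "country": "US"} (constructed)


@dataclass
class Policy:
    name: str
    action: str  # "allow", "block", "bypass" or "service_auth"
    matches: Callable[[Request], bool]


FIRST_PASS = ("bypass", "service_auth")  # evaluated before any Allow/Block
SECOND_PASS = ("allow", "block")


def execution_order(policies: list[Policy]) -> list[Policy]:
    """Order policies the way Access evaluates them: Bypass and Service Auth first,
    in the order given (the UI order), then Allow and Block in the order given."""
    first = [p for p in policies if p.action in FIRST_PASS]
    second = [p for p in policies if p.action in SECOND_PASS]
    return first + second


def evaluate(policies: list[Policy], req: Request) -> tuple[str, Optional[str]]:
    """Return (decision, policy name) for a request. The first matching Allow or Block
    ends evaluation. A matching Bypass/Service Auth is also treated as terminal here
    (assumption of this model: those actions let the request through without, or with
    a service token instead of, a user identity). No match means the request is denied."""
    for p in execution_order(policies):
        if p.matches(req):
            return p.action, p.name
    return "deny", None


# The five policies from the text, arranged as in the UI. Matchers are constructed.
EXAMPLE_POLICIES = [
    Policy("Allow A", "allow", lambda r: r.get("email", "").endswith("@example.com")),
    Policy("Block B", "block", lambda r: r.get("country") != "US"),
    Policy("Service Auth C", "service_auth", lambda r: r.get("service_token") == "ci-runner"),
    Policy("Bypass D", "bypass", lambda r: r.get("path", "").startswith("/healthz")),
    Policy("Allow E", "allow", lambda r: r.get("email") == "guest@partner.example"),
]


def order_names(policies: list[Policy]) -> list[str]:
    """Names in execution order, for display and checking."""
    return [p.name for p in execution_order(policies)]


if __name__ == "__main__":
    print(order_names(EXAMPLE_POLICIES))
    # An employee outside the US: Allow A matches before Block B is ever reached,
    # so placing Block B below Allow A does not block them.
    print(evaluate(EXAMPLE_POLICIES, {"email": "ann@example.com", "country": "DE"}))
```

Run with the constructed policies, a non-US employee is allowed by "Allow A" even though "Block B" would match them; moving "Block B" above "Allow A" in the list is what makes the block effective, which is the check to make whenever a Block policy is meant to carve an exception out of a broader Allow.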

## Common Cloudflare Access misconfigurations

If you add any of the following rules to an Allow policy, anyone will be able to access your application.

### Include everyone

The following table shows a Cloudflare Access policy that includes everyone:

| Rule type | Selector | Value    |
| --------- | -------- | -------- |
| Include   | Everyone | Everyone |

### Include all valid emails

The following table shows a Cloudflare Access policy that includes all users with valid email login methods:

| Rule type | Selector      | Value        |
| --------- | ------------- | ------------ |
| Include   | Login Methods | One-time PIN |
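Both patterns above are detectable from a policy's API representation. The following added linter, not Cloudflare tooling, walks the `include` list of an Allow policy in the one-key rule shape used by the API (`{"everyone": {}}`, `{"email_domain": {...}}`, `{"login_method": {"id": ...}}`) and flags an Everyone rule or a login-method rule that points at the one-time PIN identity provider. The policies and the `OTP_IDP` identifier are constructed placeholders. The important point the code encodes is that Include rules are ORed: an email-domain Include placed beside an OTP Include does not narrow anything, whereas the same login-method rule in Require does.

```python
# Added example (not Cloudflare tooling): flag Allow policies whose Include rules
# admit anyone, using the API's policy shape shown on this page (one-key rule
# objects such as {"email_domain": {"domain": "example.com"}}).
from typing import Iterable


def rule_type(rule: dict) -> str:
    """Each API rule object has exactly one key naming the selector."""
    (key,) = rule.keys()
    return key


def is_open_include(rule: dict, otp_idp_ids: Iterable[str]) -> bool:
    """True when the rule admits any user who can complete a login.

    'everyone' is the Everyone selector; a login_method rule pointing at the
    one-time PIN identity provider admits any address that can receive mail,
    which is the second pattern in the tables above."""
    kind = rule_type(rule)
    if kind == "everyone":
        return True
    return kind == "login_method" and rule[kind].get("id") in set(otp_idp_ids)


def lint_policy(policy: dict, otp_idp_ids: Iterable[str] = ()) -> list[str]:
    """Return findings for one policy. Include rules are ORed, so one open Include
    rule admits everyone no matter what other Include rules sit beside it; only
    Require rules (ANDed) can narrow it again, so those cases are reported as
    'review' rather than 'open'."""
    findings = []
    if policy.get("decision") != "allow":
        return findings  # Block/Bypass/Service Auth policies are out of scope here
    narrowed = bool(policy.get("require"))
    for rule in policy.get("include", []):
        if not is_open_include(rule, otp_idp_ids):
            continue
        kind = rule_type(rule)
        if narrowed:
            findings.append(f"review: Include '{kind}' admits anyone; only the Require rules narrow access")
        else:
            findings.append(f"open: Include '{kind}' with no Require rules lets anyone reach the application")
    return findings


# Constructed policies. OTP_IDP is a placeholder identity-provider id.
OTP_IDP = "otp-idp-placeholder"
WIDE_OPEN = {"name": "oops", "decision": "allow", "include": [{"everyone": {}}]}
OTP_BESIDE_DOMAIN = {  # the email_domain Include does not help: Include is OR
    "name": "contractors (wrong)", "decision": "allow",
    "include": [{"email_domain": {"domain": "contractor-a.com"}}, {"login_method": {"id": OTP_IDP}}],
}
OTP_IN_REQUIRE = {  # email domain in Include, login method in Require: narrowed as intended
    "name": "contractors (right)", "decision": "allow",
    "include": [{"email_domain": {"domain": "contractor-a.com"}}],
    "require": [{"login_method": {"id": OTP_IDP}}],
}


def lint_all(policies: list[dict], otp_idp_ids: Iterable[str] = ()) -> dict[str, list[str]]:
    """Map policy name -> findings, omitting clean policies."""
    out = {}
    for p in policies:
        f = lint_policy(p, otp_idp_ids)
        if f:
            out[p["name"]] = f
    return out


if __name__ == "__main__":
    for name, findings in lint_all([WIDE_OPEN, OTP_BESIDE_DOMAIN, OTP_IN_REQUIRE], [OTP_IDP]).items():
        print(name, findings)
```

Feed it the `result` array from a list-policies API call together with the id of your OTP identity provider; anything reported as `open` matches one of the two tables above, and anything reported as `review` is only as narrow as its Require rules make it.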

## Additional Cloudflare Access resources

[API and Terraform](https://developers.cloudflare.com/cloudflare-one/api-terraform/) provide programmatic ways to manage your Access policies and configurations.


---

---
title: Application paths
description: How Application paths works in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Application paths

Application paths define the URLs protected by an Access policy. When adding a self-hosted application to Access, you can choose to protect the entire website by entering its apex domain, or alternatively, protect specific subdomains and paths.

## Policy inheritance

Cloudflare Zero Trust allows you to create unique rules for parts of an application that share a root path. Imagine an example application is deployed at `dashboard.com/eng` that anyone on the engineering team should be able to access. However, a tool deployed at `dashboard.com/eng/exec` should only be accessed by the executive team.

When multiple rules are set for a common root path, the more specific rule takes precedence. For example, when setting rules for `dashboard.com/eng` and `dashboard.com/eng/exec` separately, the more specific rule for `dashboard.com/eng/exec` takes precedence, and no rule is inherited from `dashboard.com/eng`. If no separate, specific rule is set for `dashboard.com/eng/exec`, it will inherit any rules set for `dashboard.com/eng`.

## Wildcards

When you create an application for a specific subdomain or path, you can use asterisks (`*`) as wildcards. Wildcards allow you to extend the application you are creating to multiple subdomains or paths in a given apex domain.

### Examples

#### Match all subdomains of an apex domain

A wildcard in the **Subdomain** field only matches that specific subdomain level. It does not cover the apex domain or multiple levels of the subdomain. If you want to cover multiple subdomain levels, you can use multiple wildcards.

| Application    | Covers                             | Does not cover                  |
| -------------- | ---------------------------------- | ------------------------------- |
| \*.example.com | alpha.example.com, beta.example.com | example.com, foo.bar.example.com |

#### Match all paths of an apex domain

To protect an apex domain and all of the paths under it, leave the **Path** field empty. Alternatively, use a wildcard in the **Path** field.

| Application                    | Covers                                         | Does not cover    |
| ------------------------------ | ---------------------------------------------- | ----------------- |
| example.com or example.com/\* | example.com, example.com/alpha, example.com/beta | alpha.example.com |

#### Match multi-level subdomains

Using a wildcard in the **Subdomain** field does not cover the parent subdomain nor the apex domain.

| Application         | Covers                                       | Does not cover               |
| ------------------- | -------------------------------------------- | ---------------------------- |
| \*.test.example.com | alpha.test.example.com, beta.test.example.com | test.example.com, example.com |

#### Partially match subdomains

Using a wildcard at the beginning or end of the **Subdomain** field does not cover multiple levels of the subdomain.

| Application        | Covers                                 | Does not cover        |
| ------------------ | -------------------------------------- | --------------------- |
| \*test.example.com | test.example.com, alphatest.example.com | beta.test.example.com |

#### Match multi-level paths

Using a wildcard in the **Path** field does not cover the parent path nor the apex domain.

| Application          | Covers                                      | Does not cover                |
| -------------------- | ------------------------------------------- | ----------------------------- |
| example.com/alpha/\* | example.com/alpha/one, example.com/alpha/two | example.com/alpha, example.com |

#### Partially match paths

Using a wildcard in the middle of the **Path** field covers multiple segments of the URL.

| Application           | Covers                                                              |
| --------------------- | ------------------------------------------------------------------- |
| example.com/foo\*/bar | example.com/foo/bar, example.com/food/bar, example.com/food/stuff/bar |

### Limitations

* At most one wildcard in between each dot in the **Subdomain**. For example, `foo*bar*baz.example.com` is not allowed.
* At most one wildcard in between each slash in the **Path**. For example, `example.com/foo*bar*baz` is not allowed.

## Subdomain setups

[Subdomain setups](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/) allow you to manage a child domain separately from its parent domain. In Access application paths, your configured child domains will appear in the **Domain** dropdown menu. If you [split out a subdomain](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/setup/) which already has an Access application, you will need to re-save the Access application to associate it with the new child domain.

## Unsupported URLs

### Port numbers

Port numbers are not supported in Access application paths. If a request includes a port number in the URL, Access will strip the port number and redirect the request to the default HTTP/HTTPS port.

### Query strings

Query strings (such as `?foo=bar`) are not supported in Access application paths.

### Anchor links

Since anchor links are processed by the browser and not the server, Access applications do not support `#` characters in the URL. For example, requests to `dashboard.com/#settings` will redirect to `dashboard.com`.
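The matching rules on this page (per-label subdomain wildcards, multi-segment path wildcards, the empty path covering the whole site, inheritance from a less specific path, the one-wildcard-per-label limitation, and the stripping of ports, query strings and anchors) can be checked against a concrete model before a policy goes live. The following is an added example, not Cloudflare's matching code, that implements those rules as regular expressions and reproduces every row of the tables above; the "most specific wins" tie-break by literal character count and the choice that a literal path also covers everything beneath it are drawn from the policy inheritance section.

```python
# Added example (not Cloudflare code): a model of the application-path matching
# rules described on this page: '*' in the subdomain matches within one label,
# '*' in the path may span segments, an empty path (or a bare '*') covers the
# whole site, a literal path also covers the paths beneath it (policy
# inheritance), ports/query strings/anchors are ignored, and the most specific
# matching application wins.
import re
from typing import Optional
from urllib.parse import urlsplit


class InvalidApplication(ValueError):
    pass


def split_app(app: str) -> tuple[str, str]:
    """'example.com/alpha/*' -> ('example.com', 'alpha/*')."""
    host, _, path = app.partition("/")
    return host.lower(), path.strip("/")


def validate(app: str) -> None:
    """Enforce the listed limitations: at most one '*' between dots in the
    subdomain and at most one '*' between slashes in the path."""
    host, path = split_app(app)
    for label in host.split("."):
        if label.count("*") > 1:
            raise InvalidApplication(f"more than one wildcard in host label {label!r}: {app}")
    for segment in path.split("/"):
        if segment.count("*") > 1:
            raise InvalidApplication(f"more than one wildcard in path segment {segment!r}: {app}")


def host_regex(host: str) -> str:
    """A '*' inside a label matches any run of non-dot characters, so it never
    spans subdomain levels and never matches the apex domain itself."""
    return r"\.".join(
        "[^.]*".join(re.escape(part) for part in label.split("*"))
        for label in host.split(".")
    )


def path_regex(path: str) -> str:
    if path in ("", "*"):
        return ".*"  # whole site, including the bare apex
    if "*" not in path:
        return re.escape(path) + "(/.*)?"  # literal path also covers everything beneath it
    return ".*".join(re.escape(part) for part in path.split("*"))  # may span segments


def normalize(url: str) -> tuple[str, str]:
    """Reduce a request URL to (host, path): the port, query string and anchor are
    not part of an application path."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.strip("/")


def covers(app: str, url: str) -> bool:
    """True when the application pattern protects the request URL."""
    validate(app)
    app_host, app_path = split_app(app)
    host, path = normalize(url)
    return (re.fullmatch(host_regex(app_host), host) is not None
            and re.fullmatch(path_regex(app_path), path) is not None)


def most_specific(apps: list[str], url: str) -> Optional[str]:
    """Among the applications covering a URL, the one with the most literal
    (non-wildcard) characters wins, so dashboard.com/eng/exec takes precedence
    over dashboard.com/eng for requests under /eng/exec."""
    hits = [a for a in apps if covers(a, url)]
    return max(hits, key=lambda a: len(a.replace("*", ""))) if hits else None


if __name__ == "__main__":
    for app, url in [("*.example.com", "foo.bar.example.com"),
                     ("example.com/foo*/bar", "example.com/food/stuff/bar")]:
        print(app, url, covers(app, url))
    print(most_specific(["dashboard.com/eng", "dashboard.com/eng/exec"],
                        "https://dashboard.com:8443/eng/exec?tab=1#top"))
```

The model is deliberately conservative where the page is silent: a wildcard path pattern covers exactly the shapes the tables show, and only a wildcard-free path is extended to its sub-paths. Use it to answer "which application will this URL land in" before relying on inheritance between two overlapping applications.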


---

---
title: Common policies
description: Commonly used Cloudflare Access policies for securing applications.
image: https://developers.cloudflare.com/zt-preview.png
---


# Common policies

The following Cloudflare Access policies are commonly used to secure applications.

Refer to the [Access policies page](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for a comprehensive list of available actions, rule types, and selectors. To learn how to create and manage policies, refer to [Manage Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/).

## Allow employees by email domain

The most basic Access policy grants access to anyone who authenticates with an email address belonging to your organization. This is a good starting point when you first protect an application with Access and want to restrict it to employees using your corporate [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).


| Action | Rule type | Selector         | Value        |
| ------ | --------- | ---------------- | ------------ |
| Allow  | Include   | Emails ending in | @example.com |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow employees by email domain",
    "decision": "allow",
    "include": [
        {
            "email_domain": {
                "domain": "example.com"
            }
        }
    ]
  }'
```

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```hcl
resource "cloudflare_zero_trust_access_policy" "allow_employees_by_email_domain" {
  account_id = var.cloudflare_account_id
  name       = "Allow employees by email domain"
  decision   = "allow"
  include = [{
    email_domain = {
      domain = "example.com"
    }
  }]
}
```

You can add multiple email domains to the Include rule if your organization uses more than one domain (for example, `@example.com` and `@example.co.uk`).

## Allow employees from specific countries

Organizations that operate in specific regions or need to comply with data residency requirements can restrict application access to users in approved countries. This policy is useful when you want to limit where employees can connect from, while still allowing exceptions for individual users such as traveling executives.

Because Require rules use AND logic, you cannot add multiple countries directly to a single Require rule — that would require the user to be in all countries simultaneously. Instead, first create a [rule group](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/) that lists the approved countries:


| Rule type | Selector | Value                   |
| --------- | -------- | ----------------------- |
| Include   | Country  | United States, Portugal |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Organizations, Identity Providers, and Groups Write`

Create an Access group

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/groups" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Approved countries",
    "include": [
        {
            "geo": {
                "country_code": "US"
            }
        },
        {
            "geo": {
                "country_code": "PT"
            }
        }
    ]
  }'
```

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_group ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fgroup) resource:

```hcl
resource "cloudflare_zero_trust_access_group" "approved_countries" {
  account_id = var.cloudflare_account_id
  name       = "Approved countries"
  include = [
    {
      geo = {
        country_code = "US"
      }
    },
    {
      geo = {
        country_code = "PT"
      }
    },
  ]
}
```

Then reference the rule group in your Access policy:


| Action  | Rule type  | Selector                               | Value        |
| ------- | ---------- | -------------------------------------- | ------------ |
| Allow   | Include    | Emails ending in                       | @example.com |
| Require | Rule group | Approved countries                     |              |
| Exclude | Email      | user-1@example.com, user-2@example.com |              |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow employees from specific countries",
    "decision": "allow",
    "include": [
        {
            "email_domain": {
                "domain": "example.com"
            }
        }
    ],
    "require": [
        {
            "group": {
                "id": "<APPROVED_COUNTRIES_GROUP_ID>"
            }
        }
    ],
    "exclude": [
        {
            "email": {
                "email": "user-1@example.com"
            }
        },
        {
            "email": {
                "email": "user-2@example.com"
            }
        }
    ]
  }'
```

Replace `<APPROVED_COUNTRIES_GROUP_ID>` with the `id` returned when you created the rule group above. To look up existing groups, use the [List Access groups](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/groups/methods/list/) endpoint.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```hcl
resource "cloudflare_zero_trust_access_policy" "allow_employees_from_specific_countries" {
  account_id = var.cloudflare_account_id
  name       = "Allow employees from specific countries"
  decision   = "allow"
  include = [{
    email_domain = {
      domain = "example.com"
    }
  }]
  require = [{
    group = {
      id = cloudflare_zero_trust_access_group.approved_countries.id
    }
  }]
  exclude = [
    {
      email = {
        email = "user-1@example.com"
      }
    },
    {
      email = {
        email = "user-2@example.com"
      }
    },
  ]
}
```

The `cloudflare_zero_trust_access_group.approved_countries` reference points to the [cloudflare\_zero\_trust\_access\_group ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fgroup) resource created above.
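The two API calls above have an ordering dependency: the policy's Require rule needs the `id` the group call returns, which is what `<APPROVED_COUNTRIES_GROUP_ID>` stands for. The following added example, not Cloudflare's SDK, builds the same two request bodies, makes the calls in sequence and threads the returned id into the policy, failing loudly when the v4 envelope reports `success: false`. The HTTP transport is an injectable function so the flow can be exercised offline; `fake_post` is a constructed stand-in that answers with made-up ids, and the account id used in the demo is a placeholder.

```python
# Added example (not Cloudflare's SDK): create the rule group, then the policy
# that references it, threading the returned group id into the Require rule.
# The transport is injectable so the flow runs offline; fake_post below is a
# constructed stand-in for the API.
import json
import os
import urllib.request
from typing import Callable, Iterable

API = "https://api.cloudflare.com/client/v4"
Post = Callable[[str, dict], dict]  # (path, body) -> decoded v4 JSON envelope


def cloudflare_post(path: str, body: dict) -> dict:
    """Live transport: POST JSON with the token taken from CLOUDFLARE_API_TOKEN."""
    req = urllib.request.Request(
        API + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {os.environ['CLOUDFLARE_API_TOKEN']}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def group_body(name: str, country_codes: Iterable[str]) -> dict:
    """Same shape as the 'Create an Access group' request above."""
    return {"name": name, "include": [{"geo": {"country_code": c}} for c in country_codes]}


def policy_body(name: str, email_domain: str, group_id: str, excluded: Iterable[str]) -> dict:
    """Same shape as the 'Create an Access reusable policy' request above."""
    return {
        "name": name,
        "decision": "allow",
        "include": [{"email_domain": {"domain": email_domain}}],
        "require": [{"group": {"id": group_id}}],
        "exclude": [{"email": {"email": e}} for e in excluded],
    }


def unwrap(envelope: dict) -> dict:
    """The v4 API wraps results in {success, errors, messages, result}; fail loudly."""
    if not envelope.get("success"):
        raise RuntimeError(f"Cloudflare API error: {envelope.get('errors')}")
    return envelope["result"]


def create_country_restricted_policy(account_id: str, email_domain: str, country_codes: Iterable[str],
                                     excluded: Iterable[str] = (), post: Post = cloudflare_post):
    """Create the group, then the policy that requires it. Returns (group id, policy)."""
    group = unwrap(post(f"/accounts/{account_id}/access/groups",
                        group_body("Approved countries", country_codes)))
    policy = unwrap(post(f"/accounts/{account_id}/access/policies",
                         policy_body("Allow employees from specific countries",
                                     email_domain, group["id"], excluded)))
    return group["id"], policy


def fake_post(calls: list) -> Post:
    """Offline stand-in (constructed, not a Cloudflare component): records each
    (path, body) and answers like the API would, assigning made-up ids."""
    def post(path: str, body: dict) -> dict:
        calls.append((path, body))
        return {"success": True, "errors": [], "result": dict(body, id=f"fake-{len(calls)}")}
    return post


def failing_post(path: str, body: dict) -> dict:
    """Constructed error envelope, to show the failure path."""
    return {"success": False, "errors": [{"code": 0, "message": "constructed failure"}], "result": None}


if __name__ == "__main__":
    calls = []
    gid, pol = create_country_restricted_policy("ACCOUNT_ID_PLACEHOLDER", "example.com", ["US", "PT"],
                                                ["user-1@example.com"], post=fake_post(calls))
    print(gid, json.dumps(pol["require"]))
```

Against the real API, pass no `post` argument and export `CLOUDFLARE_API_TOKEN` with the permissions listed above for each call; the group call and the policy call need different token permissions, so a token that can create policies but not groups fails at the first step, before anything is created.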

## Require device posture for sensitive applications

For applications that contain sensitive data, you can verify that users connect from managed devices that meet your organization's security baseline. The following example combines identity verification with [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) to ensure that the device is running a supported [OS version](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/) and is connected through the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), which is enforced by the [Require Gateway check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/).

Note

Before creating this policy, [create device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) for each requirement and [enable the Require Gateway posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/).


| Action  | Rule type  | Selector                  | Value               |
| ------- | ---------- | ------------------------- | ------------------- |
| Allow   | Include    | Okta Groups               | Full-Time Employees |
| Require | Gateway    | Gateway                   |                     |
| Require | OS Version | Latest version of Windows |                     |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Require device posture for sensitive apps",
    "decision": "allow",
    "include": [
        {
            "okta": {
                "name": "Full-Time Employees",
                "identity_provider_id": "<OKTA_IDP_ID>"
            }
        }
    ],
    "require": [
        {
            "device_posture": {
                "integration_uid": "<GATEWAY_CHECK_ID>"
            }
        },
        {
            "device_posture": {
                "integration_uid": "<OS_VERSION_CHECK_ID>"
            }
        }
    ]
  }'
```

Replace the `okta` rule with the [appropriate rule for your identity provider](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/policies/methods/create/). To get your identity provider ID, use the [List Access identity providers](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/identity%5Fproviders/methods/list/) endpoint. To get the integration UIDs for your device posture checks, use the [List device posture checks](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```hcl
resource "cloudflare_zero_trust_access_policy" "require_device_posture" {
  account_id = var.cloudflare_account_id
  name       = "Require device posture for sensitive apps"
  decision   = "allow"
  include = [{
    okta = {
      name                 = "Full-Time Employees"
      identity_provider_id = cloudflare_zero_trust_access_identity_provider.okta.id
    }
  }]
  require = [
    {
      device_posture = {
        integration_uid = cloudflare_zero_trust_device_posture_rule.gateway_check.id
      }
    },
    {
      device_posture = {
        integration_uid = cloudflare_zero_trust_device_posture_rule.os_version_check.id
      }
    },
  ]
}
```

* Replace the `okta` rule with the appropriate [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource for your identity provider. To configure the identity provider resource, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).
* To configure the [cloudflare\_zero\_trust\_device\_posture\_rule ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fdevice%5Fposture%5Frule) resources referenced above, refer to [Device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

To reuse these device requirements across multiple applications, create a [rule group](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/) called "Corporate device requirements" that contains the posture checks. You can then reference this rule group in the Require field of any policy.

## Require MFA for high-security applications

For applications that handle financial data, production infrastructure, or other high-value resources, you can require that users authenticate with multi-factor authentication (MFA) in addition to their identity provider credentials. This ensures that a compromised password alone is not sufficient to gain access.

Access supports two approaches to enforcing MFA:

### Identity provider-based MFA

If your identity provider reports the authentication method used during login, you can add an **Authentication method** selector to require a specific MFA method such as a hardware security key.


| Action  | Rule type             | Selector     | Value     |
| ------- | --------------------- | ------------ | --------- |
| Allow   | Include               | Okta Groups  | Employees |
| Require | Authentication method | Security key |           |
| Require | Gateway               | _(enabled)_  |           |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Require MFA for high-security apps",
    "decision": "allow",
    "include": [
        {
            "okta": {
                "name": "Employees",
                "identity_provider_id": "<OKTA_IDP_ID>"
            }
        }
    ],
    "require": [
        {
            "auth_method": {
                "auth_method": "swk"
            }
        },
        {
            "device_posture": {
                "integration_uid": "<GATEWAY_CHECK_ID>"
            }
        }
    ]
  }'
```

The `auth_method` value uses [RFC 8176 ↗](https://datatracker.ietf.org/doc/html/rfc8176#section-2) authentication method reference values. For example, `swk` represents a software-secured key (security key). Replace the `okta` rule with the [appropriate rule for your identity provider](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/policies/methods/create/). To get your identity provider ID, use the [List Access identity providers](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/identity%5Fproviders/methods/list/) endpoint. To get `<GATEWAY_CHECK_ID>`, use the [List device posture checks](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```hcl
resource "cloudflare_zero_trust_access_policy" "require_mfa" {
  account_id = var.cloudflare_account_id
  name       = "Require MFA for high-security apps"
  decision   = "allow"
  include = [{
    okta = {
      name                 = "Employees"
      identity_provider_id = cloudflare_zero_trust_access_identity_provider.okta.id
    }
  }]
  require = [
    {
      auth_method = {
        auth_method = "swk"
      }
    },
    {
      device_posture = {
        integration_uid = cloudflare_zero_trust_device_posture_rule.gateway_check.id
      }
    },
  ]
}
```

The `auth_method` value uses [RFC 8176 ↗](https://datatracker.ietf.org/doc/html/rfc8176#section-2) authentication method reference values. For example, `swk` represents a software-secured key (security key).

* Replace the `okta` rule with the appropriate [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource for your identity provider. To configure the identity provider resource, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).
* To configure the [cloudflare\_zero\_trust\_device\_posture\_rule ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fdevice%5Fposture%5Frule) resource referenced above, refer to [Device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

### Independent MFA

If you want to enforce MFA directly in Access without relying on your IdP, you can use [independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/). Independent MFA is not configured through policy selectors. Instead, you first [turn on independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#turn-on-independent-mfa) at the organization level, then enable it for specific applications or policies through a settings panel. Access will prompt users for a second factor (such as a security key, authenticator app, or biometrics) after they authenticate with your IdP.

For the full details on both approaches, refer to [Enforce MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/).

## Allow contractor access with email-based authentication

When you collaborate with external contractors or partners who are not part of your corporate identity provider, you can grant them access using a [one-time PIN (OTP)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/). OTP sends a short-lived code to the contractor's email address, allowing them to authenticate without needing an account in your IdP.

Note

Before creating this policy, [enable OTP as a login method](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/#set-up-otp) in your identity provider settings.


| Action  | Rule type     | Selector         | Value                                |
| ------- | ------------- | ---------------- | ------------------------------------ |
| Allow   | Include       | Emails ending in | @contractor-a.com, @contractor-b.com |
| Require | Login methods | One-time PIN     |                                      |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow contractor access with OTP",
    "decision": "allow",
    "include": [
        {
            "email_domain": {
                "domain": "contractor-a.com"
            }
        },
        {
            "email_domain": {
                "domain": "contractor-b.com"
            }
        }
    ],
    "require": [
        {
            "login_method": {
                "id": "<OTP_IDENTITY_PROVIDER_ID>"
            }
        }
    ]
  }'
```

To get the ID of your OTP identity provider, use the [List Access identity providers](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/identity%5Fproviders/methods/list/) endpoint.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```
resource "cloudflare_zero_trust_access_policy" "allow_contractor_access_with_otp" {
  account_id = var.cloudflare_account_id
  name       = "Allow contractor access with OTP"
  decision   = "allow"
  include = [
    {
      email_domain = {
        domain = "contractor-a.com"
      }
    },
    {
      email_domain = {
        domain = "contractor-b.com"
      }
    },
  ]
  require = [{
    login_method = {
      id = cloudflare_zero_trust_access_identity_provider.otp.id
    }
  }]
}
```

To configure the [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource for OTP (configured with `type = "onetimepin"`), refer to [One-time PIN](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/).

Warning

Adding `Login Methods: One-time PIN` as an Include rule without restricting email domains allows anyone with any email address to receive a code and access the application. Always pair OTP with specific email domains or an email list in the Include rule.

## Isolate contractor access to internal applications

When contractors or other external users need to view internal applications but should not be able to download, copy, or transfer data to their unmanaged devices, you can serve the application in a [remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). This gives external users read-only visibility into the application while keeping sensitive data from leaving your environment.

Note

Before creating this policy, you must turn on [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).


| Action | Rule type | Selector         | Value                                |
| ------ | --------- | ---------------- | ------------------------------------ |
| Allow  | Include   | Emails ending in | @contractor-a.com, @contractor-b.com |

**Additional settings**: Turn on **Isolate application**.

First, enable Clientless Web Isolation on your account if you have not already:

Patch Zero Trust account configuration

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "settings": {
        "browser_isolation": {
            "url_browser_isolation_enabled": true
        }
    }
  }'
```

Then, create the Access policy with `isolation_required` set to `true`:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Isolate contractor access",
    "decision": "allow",
    "include": [
        {
            "email_domain": {
                "domain": "contractor-a.com"
            }
        },
        {
            "email_domain": {
                "domain": "contractor-b.com"
            }
        }
    ],
    "isolation_required": true
  }'
```

First, configure the [cloudflare\_zero\_trust\_gateway\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings) resource to enable Clientless Web Isolation on your account if you have not already:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Zero Trust Write`

```
resource "cloudflare_zero_trust_gateway_settings" "gateway_settings" {
  account_id = var.cloudflare_account_id
  settings = {
    browser_isolation = {
      url_browser_isolation_enabled = true
    }
  }
}
```

Then, configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource with `isolation_required` set to `true`:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

```
resource "cloudflare_zero_trust_access_policy" "isolate_contractor_access" {
  account_id         = var.cloudflare_account_id
  name               = "Isolate contractor access"
  decision           = "allow"
  isolation_required = true
  include = [
    {
      email_domain = {
        domain = "contractor-a.com"
      }
    },
    {
      email_domain = {
        domain = "contractor-b.com"
      }
    },
  ]
}
```

To restrict what users can do inside the isolated session, create a companion [Gateway HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) that matches traffic to the application domain. Set the action to **Isolate** and disable interactive controls in the [policy settings](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings).

Example Gateway HTTP policy

| Selector | Operator | Value            | Action  |
| -------- | -------- | ---------------- | ------- |
| Domain   | in       | wiki.example.com | Isolate |

**Policy settings**:

| Setting        | Value        |
| -------------- | ------------ |
| Copy           | Do not allow |
| Paste          | Do not allow |
| Keyboard       | Do not allow |
| File downloads | Do not allow |
| File uploads   | Do not allow |
| Printing       | Do not allow |

For more information, refer to [Isolate self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/).

## Block requests from high-risk countries

If your organization restricts access from certain countries due to internal policy or regulatory requirements such as [OFAC sanctions ↗](https://orpa.princeton.edu/export-controls/sanctioned-countries) or [ITAR regulations ↗](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), you can create a Block policy that denies access from those regions. Adding a corporate IP allowlist as an Exclude rule ensures that employees connecting through trusted office networks are not inadvertently blocked.

Note

Before creating this policy, [create a list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) with your approved IP ranges.


| Action | Rule type | Selector | Value                  |
| ------ | --------- | -------- | ---------------------- |
| Block  | Include   | Country  | Russian Federation     |
|        | Exclude   | IP list  | Corporate IP allowlist |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block requests from high-risk countries",
    "decision": "deny",
    "include": [
        {
            "geo": {
                "country_code": "RU"
            }
        }
    ],
    "exclude": [
        {
            "ip_list": {
                "id": "<CORPORATE_IP_ALLOWLIST_ID>"
            }
        }
    ]
  }'
```

To get the ID of your IP list, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```
resource "cloudflare_zero_trust_access_policy" "block_high_risk_countries" {
  account_id = var.cloudflare_account_id
  name       = "Block requests from high-risk countries"
  decision   = "deny"
  include = [{
    geo = {
      country_code = "RU"
    }
  }]
  exclude = [{
    ip_list = {
      id = cloudflare_zero_trust_list.corporate_ip_allowlist.id
    }
  }]
}
```

To configure the [cloudflare\_zero\_trust\_list ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Flist) resource referenced above (configured with `type = "IP"`), refer to [Lists](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

Block policies are best used together with [Allow policies](#allow-employees-by-email-domain) to carve out exceptions. Because Access denies all requests by default, users who do not match a Block policy are still denied unless they match an Allow policy.

## Exclude high-risk users

If your organization uses [Cloudflare User Risk Scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/) to flag users with anomalous behavior, you can exclude high-risk users from accessing sensitive applications. This is useful as a dynamic safeguard that automatically restricts access when a user's behavior triggers a risk level change, without requiring manual intervention.


| Action | Rule type | Selector         | Value        |
| ------ | --------- | ---------------- | ------------ |
| Allow  | Include   | Emails ending in | @example.com |
|        | Exclude   | User risk score  | High         |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Exclude high-risk users",
    "decision": "allow",
    "include": [
        {
            "email_domain": {
                "domain": "example.com"
            }
        }
    ],
    "exclude": [
        {
            "user_risk_score": {
                "user_risk_score": [
                    "high"
                ]
            }
        }
    ]
  }'
```

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```
resource "cloudflare_zero_trust_access_policy" "exclude_high_risk_users" {
  account_id = var.cloudflare_account_id
  name       = "Exclude high-risk users"
  decision   = "allow"
  include = [{
    email_domain = {
      domain = "example.com"
    }
  }]
  exclude = [{
    user_risk_score = {
      user_risk_score = ["high"]
    }
  }]
}
```

In this example, any user scored as high risk is excluded even if they match the Include rule. To learn how risk scores are calculated and how to configure risk behaviors, refer to [User risk score](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/).
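Added example, not Cloudflare's code, serving the OTP warning, the Block-plus-Allow note in the high-risk countries section and the risk-score policy above: a small JavaScript evaluator for the Include/Require/Exclude semantics those policies rely on, run over the page's own policy JSON with constructed identities. The identity and context shapes, the placeholder ids, and the rule that a matching Block wins over a matching Allow are assumptions made for this example.

```javascript
// Added example, not Cloudflare's code: an evaluator for the rule semantics the
// policies on this page rely on. A policy matches when ANY Include rule matches,
// EVERY Require rule matches and NO Exclude rule matches. Assumptions: the
// identity/context shapes and placeholder ids are constructed for this example,
// a matching Block (deny) policy wins over a matching Allow, and a request that
// matches no Allow policy is denied (the page's default-deny behaviour).

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when an IPv4 address falls inside a CIDR block (a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// One matcher per selector type used on this page. ctx.ipLists maps a list id to
// its CIDRs and stands in for the account's Zero Trust lists.
const matchers = {
  everyone: () => true,
  email_domain: (cfg, id) => id.email.toLowerCase().endsWith("@" + cfg.domain.toLowerCase()),
  login_method: (cfg, id) => id.idpId === cfg.id,
  geo: (cfg, id) => id.countryCode === cfg.country_code,
  ip: (cfg, id) => inCidr(id.ip, cfg.ip),
  ip_list: (cfg, id, ctx) => (ctx.ipLists[cfg.id] || []).some((c) => inCidr(id.ip, c)),
  user_risk_score: (cfg, id) => cfg.user_risk_score.includes(id.riskScore),
};

function ruleMatches(rule, identity, ctx) {
  const [type, cfg] = Object.entries(rule)[0];
  if (!matchers[type]) throw new Error(`unsupported rule type: ${type}`);
  return matchers[type](cfg, identity, ctx);
}

function policyMatches(policy, identity, ctx) {
  const test = (rule) => ruleMatches(rule, identity, ctx);
  return (policy.include || []).some(test) &&
    (policy.require || []).every(test) &&
    !(policy.exclude || []).some(test);
}

// "allow" or "deny" for one identity against an application's policies.
function decide(policies, identity, ctx = { ipLists: {} }) {
  const matched = policies.filter((p) => policyMatches(p, identity, ctx));
  if (matched.some((p) => p.decision === "deny")) return "deny";
  return matched.some((p) => p.decision === "allow") ? "allow" : "deny";
}

// Policies from this page, with placeholder ids for the OTP provider and IP list.
const contractorOtp = {
  name: "Allow contractor access with OTP", decision: "allow",
  include: [{ email_domain: { domain: "contractor-a.com" } }, { email_domain: { domain: "contractor-b.com" } }],
  require: [{ login_method: { id: "OTP_IDENTITY_PROVIDER_ID" } }],
};
// The misconfiguration the Warning describes: OTP as the only Include rule.
const otpAsInclude = {
  name: "OTP as Include (too broad)", decision: "allow",
  include: [{ login_method: { id: "OTP_IDENTITY_PROVIDER_ID" } }],
};
const blockHighRiskCountries = {
  name: "Block requests from high-risk countries", decision: "deny",
  include: [{ geo: { country_code: "RU" } }],
  exclude: [{ ip_list: { id: "CORPORATE_IP_ALLOWLIST_ID" } }],
};
const excludeHighRiskUsers = {
  name: "Exclude high-risk users", decision: "allow",
  include: [{ email_domain: { domain: "example.com" } }],
  exclude: [{ user_risk_score: { user_risk_score: ["high"] } }],
};
const sensitiveApp = [blockHighRiskCountries, excludeHighRiskUsers];
const ctx = { ipLists: { CORPORATE_IP_ALLOWLIST_ID: ["198.51.100.0/24"] } };

// Constructed identities (documentation addresses, not real users).
const contractor = { email: "alice@contractor-a.com", idpId: "OTP_IDENTITY_PROVIDER_ID", countryCode: "US", ip: "203.0.113.5", riskScore: "low" };
const employee = { email: "bob@example.com", idpId: "SSO_IDP_ID", countryCode: "US", ip: "203.0.113.9", riskScore: "low" };

function demo() {
  return {
    contractorViaOtp: decide([contractorOtp], contractor, ctx),
    contractorViaSso: decide([contractorOtp], { ...contractor, idpId: "SSO_IDP_ID" }, ctx),
    outsiderViaOtp: decide([contractorOtp], { ...contractor, email: "anyone@mailbox.invalid" }, ctx),
    outsiderViaOtpBroad: decide([otpAsInclude], { ...contractor, email: "anyone@mailbox.invalid" }, ctx),
    employee: decide(sensitiveApp, employee, ctx),
    employeeHighRisk: decide(sensitiveApp, { ...employee, riskScore: "high" }, ctx),
    employeeFromRu: decide(sensitiveApp, { ...employee, countryCode: "RU" }, ctx),
    employeeFromRuOffice: decide(sensitiveApp, { ...employee, countryCode: "RU", ip: "198.51.100.10" }, ctx),
  };
}

console.log(demo());
```

The `outsiderViaOtpBroad` case is the one the Warning describes: with OTP as the only Include rule, an address outside the contractor domains is allowed, while the page's policy (`outsiderViaOtp`) denies it.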

## Authenticate a service using a service token

Automated services such as CI/CD pipelines, monitoring systems, and backend APIs need to access protected applications without an interactive login. Service Auth policies allow machine-to-machine communication by authenticating requests that present valid [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) headers. For additional security, you can restrict the token to requests from specific IP ranges, ensuring the token can only be used from known infrastructure.

Note

Before creating this policy, [create a service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/#create-a-service-token).


| Action       | Rule type | Selector      | Value            |
| ------------ | --------- | ------------- | ---------------- |
| Service Auth | Include   | Service Token | My service token |
|              | Require   | IP ranges     | 192.0.2.0/24     |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Authenticate service with service token",
    "decision": "non_identity",
    "include": [
        {
            "service_token": {
                "token_id": "<SERVICE_TOKEN_ID>"
            }
        }
    ],
    "require": [
        {
            "ip": {
                "ip": "192.0.2.0/24"
            }
        }
    ]
  }'
```

To get the ID of your service token, use the [List service tokens](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/service%5Ftokens/methods/list/) endpoint.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```
resource "cloudflare_zero_trust_access_policy" "authenticate_service_with_token" {
  account_id = var.cloudflare_account_id
  name       = "Authenticate service with service token"
  decision   = "non_identity"
  include = [{
    service_token = {
      token_id = cloudflare_zero_trust_access_service_token.my_service_token.id
    }
  }]
  require = [{
    ip = {
      ip = "192.0.2.0/24"
    }
  }]
}
```

To configure the [cloudflare\_zero\_trust\_access\_service\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fservice%5Ftoken) resource referenced above, refer to [Service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).

## Authenticate a service using mutual TLS

For environments that require certificate-based authentication, you can use [mutual TLS (mTLS)](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) to verify that a connecting client presents a valid certificate with an expected identity. mTLS is useful for authenticating automated systems and IoT devices that do not use an identity provider, or as an additional authentication factor for team members who also log in through an IdP.

Note

Before creating this policy, [upload a certificate authority (CA)](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) to your Access configuration.

To restrict access to a specific client, use the **Common Name** selector to match the identity in the client certificate:


| Action       | Rule type | Selector    | Value    |
| ------------ | --------- | ----------- | -------- |
| Service Auth | Include   | Common Name | John Doe |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Authenticate service with mTLS",
    "decision": "non_identity",
    "include": [
        {
            "common_name": {
                "common_name": "John Doe"
            }
        }
    ]
  }'
```

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```
resource "cloudflare_zero_trust_access_policy" "authenticate_service_with_mtls" {
  account_id = var.cloudflare_account_id
  name       = "Authenticate service with mTLS"
  decision   = "non_identity"
  include = [{
    common_name = {
      common_name = "John Doe"
    }
  }]
}
```

To allow any client presenting a valid certificate signed by your CA, use the **Valid Certificate** selector. This selector is useful when you trust all certificates issued by your CA and do not need to check a specific Common Name.


| Action       | Rule type | Selector          |
| ------------ | --------- | ----------------- |
| Service Auth | Include   | Valid Certificate |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Authenticate service with valid certificate",
    "decision": "non_identity",
    "include": [
        {
            "certificate": {}
        }
    ]
  }'
```

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```
resource "cloudflare_zero_trust_access_policy" "authenticate_service_with_valid_certificate" {
  account_id = var.cloudflare_account_id
  name       = "Authenticate service with valid certificate"
  decision   = "non_identity"
  include = [{
    certificate = {}
  }]
}
```

## Require purpose justification for sensitive applications

For applications such as database admin tools, production consoles, or HR systems, you can require users to provide a written reason each time they access the application. This creates an audit trail that helps security teams understand why access was requested. The justification prompt appears after the user authenticates and before they reach the application. For more information, refer to [Require purpose justification](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/require-purpose-justification/).


| Action | Rule type | Selector    | Value                     |
| ------ | --------- | ----------- | ------------------------- |
| Allow  | Include   | Okta Groups | IT Administrators         |
|        | Require   | Gateway     | Gateway                   |
|        | Require   | OS Version  | Latest version of Windows |

**Additional settings**: Turn on **Purpose justification**.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Require purpose justification for sensitive apps",
    "decision": "allow",
    "include": [
        {
            "okta": {
                "name": "IT Administrators",
                "identity_provider_id": "<OKTA_IDP_ID>"
            }
        }
    ],
    "require": [
        {
            "device_posture": {
                "integration_uid": "<GATEWAY_CHECK_ID>"
            }
        },
        {
            "device_posture": {
                "integration_uid": "<WINDOWS_VERSION_CHECK_ID>"
            }
        }
    ],
    "purpose_justification_required": true,
    "purpose_justification_prompt": "Please enter a justification for accessing this application."
  }'
```

Replace the `okta` rule with the [appropriate rule for your identity provider](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/policies/methods/create/). To get your identity provider ID, use the [List Access identity providers](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/identity%5Fproviders/methods/list/) endpoint. To get the integration UIDs for your device posture checks, use the [List device posture checks](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```
resource "cloudflare_zero_trust_access_policy" "require_purpose_justification" {
  account_id                     = var.cloudflare_account_id
  name                           = "Require purpose justification for sensitive apps"
  decision                       = "allow"
  purpose_justification_required = true
  purpose_justification_prompt   = "Please enter a justification for accessing this application."
  include = [{
    okta = {
      name                 = "IT Administrators"
      identity_provider_id = cloudflare_zero_trust_access_identity_provider.okta.id
    }
  }]
  require = [
    {
      device_posture = {
        integration_uid = cloudflare_zero_trust_device_posture_rule.gateway_check.id
      }
    },
    {
      device_posture = {
        integration_uid = cloudflare_zero_trust_device_posture_rule.windows_version.id
      }
    },
  ]
}
```

* Replace the `okta` rule with the appropriate [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource for your identity provider. To configure the identity provider resource, refer to [Identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).
* To configure the [cloudflare\_zero\_trust\_device\_posture\_rule ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fdevice%5Fposture%5Frule) resources referenced above, refer to [Device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

You can combine purpose justification with [temporary authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/temporary-auth/) to additionally require approval from a designated reviewer before granting access.

## Bypass a public endpoint

Some applications have endpoints that must be publicly reachable, such as OAuth callback URLs, webhook receivers, or health check paths. You can create a Bypass policy scoped to a specific [application path](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/) to disable Access enforcement for that endpoint only. For example, if your application is `app.example.com`, you could create a separate Access application for `app.example.com/oauth/callback` and apply the following Bypass policy:


| Action | Rule type | Selector | Value    |
| ------ | --------- | -------- | -------- |
| Bypass | Include   | Everyone | Everyone |

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Create an Access reusable policy

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Bypass public endpoint",
    "decision": "bypass",
    "include": [
        {
            "everyone": {}
        }
    ]
  }'
```

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Apps and Policies Write`

Configure the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource:

```
resource "cloudflare_zero_trust_access_policy" "bypass_public_endpoint" {
  account_id = var.cloudflare_account_id
  name       = "Bypass public endpoint"
  decision   = "bypass"
  include = [{
    everyone = {}
  }]
}
```

Warning

Bypass disables all Access security controls and request logging for matching traffic. Scope Bypass policies as narrowly as possible and never use them as a persistent access mechanism for users or services. If you need to allow automated traffic while maintaining authentication and logging, use a [Service Auth](#authenticate-a-service-using-a-service-token) policy instead.


---

---
title: External Evaluation rules
description: External Evaluation rules in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# External Evaluation rules

With Cloudflare Access, you can create Allow or Block policies which evaluate the user based on custom criteria. This is done by adding an **External Evaluation** rule to your policy. The **External Evaluation** selector requires two values:

* **Evaluate URL** — the API endpoint containing your business logic.
* **Keys URL** — the key that Access uses to verify that the response came from your API.

After the user authenticates with your identity provider, Access sends the user's identity to the external API at **Evaluate URL**. The external API returns a True or False response to Access, which will then allow or deny access to the user. To protect against man-in-the-middle attacks, Access signs all requests with your Access account key and checks that responses are signed by the key at **Keys URL**.

You can set up External Evaluation rules using any API service, but to get started quickly we recommend using [Cloudflare Workers](https://developers.cloudflare.com/workers/).

## Set up external API and key with Cloudflare Workers

### Prerequisites

* [Workers account](https://developers.cloudflare.com/workers/get-started/guide/)
* Install [npm ↗](https://docs.npmjs.com/getting-started)
* Install [Node.js ↗](https://nodejs.org/en/)
* Application protected by Access

### 1. Create a new Worker

1. Open a terminal and clone our example project.
   ```
   npm create cloudflare@latest my-worker -- --template https://github.com/cloudflare/workers-access-external-auth-example
   ```
2. Go to the project directory.
   ```
   cd my-worker
   ```
3. Create a [Workers KV namespace](https://developers.cloudflare.com/kv/concepts/kv-namespaces/) to store the key. The binding name should be `KV` if you want to run the example as written.
   ```
   npx wrangler kv namespace create "KV"
   ```
   The command will output the binding name and KV namespace ID, for example:
   ```
   [[kv_namespaces]]
   binding = "KV"
   id = "YOUR_KV_NAMESPACE_ID"
   ```
4. Open the [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/) in an editor and insert the following:
   * `[[kv_namespaces]]`: Add the output generated in the previous step.
   * `<TEAM_NAME>`: your Cloudflare One team name.

wrangler.jsonc

```
{
  "$schema": "./node_modules/wrangler/config-schema.json",
  "name": "my-worker",
  "workers_dev": true,
  // Set this to today's date
  "compatibility_date": "2026-05-08",
  "main": "index.js",
  "kv_namespaces": [
    {
      "binding": "KV",
      "id": "YOUR_KV_NAMESPACE_ID"
    }
  ],
  "vars": {
    "TEAM_DOMAIN": "<TEAM_NAME>.cloudflareaccess.com",
    "DEBUG": false
  }
}
```

wrangler.toml

```
"$schema" = "./node_modules/wrangler/config-schema.json"
name = "my-worker"
workers_dev = true
# Set this to today's date
compatibility_date = "2026-05-08"
main = "index.js"

[[kv_namespaces]]
binding = "KV"
id = "YOUR_KV_NAMESPACE_ID"

[vars]
TEAM_DOMAIN = "<TEAM_NAME>.cloudflareaccess.com"
DEBUG = false
```

### 2\. Program your business logic

1. Open `index.js` and modify the `externalEvaluation` function to perform logic on any identity-based data sent by Access.

Note

* Sample code is available in our [GitHub repository ↗](https://github.com/cloudflare/workers-access-external-auth-example).
* To view a list of identity-based data fields, log in to your Access application and append `/cdn-cgi/access/get-identity` to the URL. For example, if `www.example.com` is behind Access, visit `https://www.example.com/cdn-cgi/access/get-identity`.

2. Deploy the Worker to Cloudflare's global network.  
Terminal window  
```  
npx wrangler deploy  
```

The Worker will be deployed to your `*.workers.dev` subdomain at `my-worker.<YOUR_SUBDOMAIN>.workers.dev`.

### 3\. Generate a key

To generate an RSA private/public key pair:

1. Open a browser and go to `https://my-worker.<YOUR_SUBDOMAIN>.workers.dev/keys`.
2. (Optional) Verify that the key has been stored in the `KV` namespace:  
   1. In the Cloudflare dashboard, go to the **Workers KV** page.[ Go to **Workers KV** ](https://dash.cloudflare.com/?to=/:account/workers/kv/namespaces)  
   2. Select **View** next to `my-worker-KV`.

Other key formats (such as DSA) are not supported at this time.

### 4\. Create an External Evaluation rule

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Policies**.
2. Edit an existing policy or select **Add a policy**.
3. Add the following rule to your policy:

| Rule Type | Selector            | Evaluate URL                                     | Keys URL                                              |
| --------- | ------------------- | ------------------------------------------------ | ----------------------------------------------------- |
| Include   | External Evaluation | https://my-worker.<YOUR\_SUBDOMAIN>.workers.dev/ | https://my-worker.<YOUR\_SUBDOMAIN>.workers.dev/keys/ |

4. Save the policy.
5. Go to **Access controls** \> **Applications** and edit the application for which you want to apply the External Evaluation rule.
6. In the **Policies** tab, add the policy that contains the External Evaluation rule.
7. Select **Save**.

When a user logs in to your application, Access will now check their email, device, location, and other identity-based data against your business logic.

### Troubleshooting the Worker

To debug your External Evaluation rule:

1. Go to your Worker directory.  
Terminal window  
```  
cd my-worker  
```
2. Open the [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/) in an editor and set the `DEBUG` variable to `true`.
3. Deploy your changes.  
Terminal window  
```  
npx wrangler deploy  
```
4. Next, start a session to output realtime logs from your Worker.  
Terminal window  
```  
wrangler tail -f pretty  
```
5. Log in to your Access application.  
The session logs should show an incoming and outgoing JWT. The incoming JWT was sent by Access to the Worker API, while the outgoing JWT was sent by the Worker back to Access.
6. To decode the contents of a JWT, you can copy the token into [jwt.io ↗](https://jwt.io/).  
The incoming JWT should contain the user's identity data. The outgoing JWT should look similar to:  
JSON  
```json  
{  
  "success": true,  
  "iat": 1655409315,  
  "exp": 1655409375,  
  "nonce": "9J2E9Xg6wYj8tlnA5MV4Zgp6t8rzmS0Q"  
}  
```  
Access checks the outgoing JWT for all of the following criteria:  
   * Token was signed by **Keys URL**.  
   * Expiration date has not elapsed.  
   * API returns `"success": true`.  
   * `nonce` is unchanged from the incoming JWT. The `nonce` value is unique per request.  
If any condition fails, the External Evaluation rule evaluates to false.


---

---
title: Rule groups
description: How Rule groups works in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Rule groups

A rule group is a collection of Access rules that can be configured once and then quickly applied across many Access policies. Rule groups use the same [rule types](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#rule-types) and [selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) shown in the Access policy builder.

Note

Rule groups are distinct from groups in your identity provider, like Okta groups. Rule groups can contain a mix of individual users, groups from identity providers, and service authentication options like service tokens.

## Create a rule group

To create an Access rule group:

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Policies**, and select the **Rule groups** tab.
2. Select **Add a group**.
3. Enter a name for the group (for example, `Lisbon-team`).
4. Specify as many rules as needed to define your user group. For example, the following rules define a team based in Lisbon, Portugal:  
| Rule type | Selector         | Value     |  
| --------- | ---------------- | --------- |  
| Include   | Country          | Portugal  |  
| Require   | Emails Ending In | @team.com |
5. Select **Save**.

API

Send a `POST` request to the [/access/groups](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/groups/methods/create/) endpoint:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Organizations, Identity Providers, and Groups Write`

Create an Access group

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/groups" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Lisbon-team",
    "include": [
        {
            "geo": {
                "country_code": "PT"
            }
        }
    ],
    "exclude": [],
    "require": [
        {
            "email_domain": {
                "domain": "team.com"
            }
        }
    ],
    "is_default": false
  }'
```

You can now add this group to an Access policy using the _Rule groups_ selector.

## Use cases

### IP-based rules

We recommend using rule groups to define any IP address-based rules you configure in policies. Keeping IP addresses in one place allows you to modify or remove addresses once, rather than in each policy, and reduces the potential for mistakes.

Note

If adding more than one IP address or range to a rule group, use an Include rule for the IPs. If you do not use an Include rule, the policy will require traffic to originate from all ranges.

### Country requirements

You can create a rule group that consists of countries to allow or block. Access will treat the countries in the Include rule with an OR logical operator. When building policies for an Access application, you can assign this rule group to a Require policy to require at least one of the countries inside of the group. For an example policy, refer to [Require rules with OR operators](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#require-rules-with-or-operators).


---

---
title: Isolate self-hosted application
description: Isolate self-hosted application in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Isolate self-hosted application

Note

Requires [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/).

With Access policies, you can require users to open self-hosted applications in a secure [remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). Because the remote browser is directly integrated into our Secure Web Gateway platform, [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) can be applied to isolated applications without needing to install the Cloudflare One Client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data.

## Prerequisites

Your browser must [allow third-party cookies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#allow-third-party-cookies-in-the-browser) on the application domain.

## Enable Browser Isolation

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**.
2. Turn on **Allow users to open a remote browser without the device client**.
3. Go to **Access controls** \> **Applications**.
4. Choose a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) and select **Configure**.
5. Go to **Policies**.
6. Choose an [Allow policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and select **Configure**.
7. Under **Additional settings**, turn on **Isolate application**.
8. Save the policy.

Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to [Check if a web page is isolated](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/#3-check-if-a-web-page-is-isolated).

You can optionally add another Allow policy for users on managed devices who do not require isolation.

## Policies for isolated applications

Traffic to the isolated Access application is filtered by your Gateway [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). Useful policies include:

* [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to allow or block requests based on user identity.
* [Data Loss Prevention policies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to log or block transmission of sensitive data.
* [Isolation policies](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) to disable browser actions such as copy/paste, printing, or file downloads.

For example, if your application is hosted on `internal.site.com`, the following policy blocks users from uploading and downloading credit card numbers within the remote browser:

| Selector    | Operator | Value                 | Logic | Action |
| ----------- | -------- | --------------------- | ----- | ------ |
| Domain      | in       | internal.site.com     | And   | Block  |
| DLP Profile | in       | Financial Information |       |        |

## Product compatibility

For a list of products that are incompatible with the **Isolate application** feature, refer to [Product Compatibility](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#product-compatibility).


---

---
title: Enforce MFA
description: Enforce MFA in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Enforce MFA

Cloudflare Access supports two methods of enforcing multi-factor authentication (MFA):

* **[Identity provider-based MFA](#identity-provider-based-mfa)** — Require specific MFA methods reported by your identity provider (IdP).
* **[Independent MFA](#independent-mfa)** — Prompt users for a second factor directly in Access, without relying on a third-party identity provider.

## Identity provider-based MFA

You can require that users log in with specific MFA methods provided by their identity provider. For example, you can create rules that only allow users to reach a given application if they authenticate with a security key through their IdP.

IdP-based MFA enforcement is only available with the following identity providers:

* [Okta](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/)
* [Microsoft Entra ID (formerly Azure AD)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/)
* [Generic OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/)
* [Generic SAML 2.0](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/)

To enforce an IdP MFA requirement on an application:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/).
3. Go to **Policies**.
4. If your application already has a policy containing an identity requirement, find it and select **Configure**.  
Note  
The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/), email domain, or identity provider group.
5. Add the following rule to the policy:  
| Rule type | Selector              | Value                                |  
| --------- | --------------------- | ------------------------------------ |  
| Require   | Authentication method | mfa - multiple-factor authentication |
6. Save the policy.

Important

If the user fails to present the required MFA method, Cloudflare Access rejects the user, even if they successfully log in to the identity provider with an alternative method.

### Authentication methods in the JWT

When users authenticate with their identity provider, the IdP shares their username with Cloudflare Access. Access writes that value into the JSON Web Token (JWT) generated for the user.

Certain identity providers also share the MFA method presented by the user. Access can add these values into the JWT. For example, if the user authenticated with their password and a security key, the IdP can send a confirmation to Cloudflare Access. Access then stores that method in the JWT issued to the user.

Cloudflare Access follows [RFC 8176 ↗](https://tools.ietf.org/html/rfc8176), Authentication Method Reference Values, to define authentication methods.

## Independent MFA

Independent MFA prompts users for a second factor directly in Access. This allows you to enforce MFA requirements without relying on your IdP's MFA configuration.

You can configure MFA requirements at three levels:

| Level                                                                                                             | Description                                                    |
| ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- |
| [Organization](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/) | Enforce MFA by default for all applications in your account.   |
| [Application](#configure-independent-mfa-for-an-application)                                                      | Require or turn off MFA for a specific application.            |
| [Policy](#configure-independent-mfa-for-a-policy)                                                                 | Require or turn off MFA for users who match a specific policy. |

Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement.

### Prerequisites

Before you configure independent MFA on applications or policies, you must [turn on independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/) at the organization level.

Tip

At the organization level, you can also [restrict which authenticators can be enrolled using AAGUIDs](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#restrict-authenticators-by-aaguid) and [skip independent MFA when the identity provider already performed MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#use-identity-provider-mfa).

### Configure independent MFA for an application

Each application has three MFA options:

| Option                                 | Behavior                                                                                                                                                                                                                                                                                |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Respect global enforcement setting** | Uses the [organization-level](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/) MFA configuration. If MFA is required globally, users must complete MFA. If MFA is not required globally, users are not prompted. This is the default. |
| **Custom MFA settings**                | Overrides the organization setting with application-specific allowed authenticators and session duration.                                                                                                                                                                               |
| **Disable MFA**                        | Users are not prompted for independent MFA when accessing this application, even if MFA is required globally.                                                                                                                                                                           |

To configure MFA for an application:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Find the application you want to configure and select **Configure**.
3. Scroll down to **Authentication** and select the **MFA** tab.
4. Select one of the following options:  
   * To inherit the organization setting, select **Respect global enforcement setting**.  
   * To set custom requirements, select **Custom MFA settings**, then configure the [allowed MFA methods](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#supported-mfa-methods) and [authentication duration](#mfa-session-duration).  
   * To exempt the application from MFA, select **Disable MFA**.
5. Select **Save**.

### Configure independent MFA for a policy

Each policy has the same three MFA options described in [Configure independent MFA for an application](#configure-independent-mfa-for-an-application). Policy-level settings override application-level settings.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Policies**.
2. Choose an **Allow** policy and select **Configure**.
3. Under **Multi-factor authentication (MFA)**, select an option:  
   * To inherit the application or organization setting, select **Respect global enforcement setting**.  
   * To set custom requirements for users who match this policy, select **Custom MFA settings**, then configure the [allowed MFA methods](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#supported-mfa-methods) and [authentication duration](#mfa-session-duration).  
   * To exempt users who match this policy from MFA, select **Disable MFA**.
4. Select **Save**.

### MFA session duration

The MFA session duration determines how long a successful MFA authentication remains valid. After the MFA session expires, the user must complete MFA again on their next Cloudflare Access login in addition to completing IdP authentication. You can require users to complete MFA on each Access login or set a custom duration. MFA session durations are only checked during the login flow and do not affect a user's existing session.

Access checks MFA sessions from most specific to least specific:

1. **Policy MFA session duration** — If set, applies to users who match the policy.
2. **Application MFA session duration** — If set, applies to all users accessing the application.
3. **Global MFA session duration** — The default for all applications that do not specify their own duration.

### Precedence example

Consider the following configuration:

```mermaid
flowchart TD
    subgraph org["Organization"]
        orgSettings["**Apply global MFA settings by default**, <br/>**MFA methods**: Authenticator app + Security key, <br/>**Authentication duration**: 24 hours"]
    end

    subgraph appA["Application A"]
        appASettings["**Respect global enforcement setting**<br/>(inherits organization settings)"]
        subgraph policies["Policies"]
            policy1["Policy 1<br/>**Custom MFA settings**,<br/>**MFA methods**: Security keys only,<br/>**Authentication duration**: 1 hour"]
            policy2["Policy 2<br/>**Disable MFA**"]
        end
    end

    subgraph appB["Application B"]
        appBSettings["**Disable MFA**"]
    end

    orgSettings --> appASettings
    orgSettings -.->|"overridden"| appBSettings
    appASettings -.->|"overridden by"| policy1
    appASettings -.->|"overridden by"| policy2
```

In this example:

* Users who access Application A and match Policy 1 must use a security key and re-authenticate every hour.
* Users who access Application A and match Policy 2 are not prompted for MFA.
* Users who access Application A and match neither policy must use an authenticator application or a security key, with a 24-hour session.
* Users who access Application B are not prompted for MFA.


---

---
title: Manage Access policies
description: Manage Access policies in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Manage Access policies

Access policies define the users who can log in to your Access applications. You can create, edit, or delete policies at any time and reuse policies across multiple applications.

## Create a policy

To create a reusable Access policy:

1. In [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Policies**.
2. Select **Add a policy**.
3. Enter a **Policy name**.
4. Choose an [**Action**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#actions) for the policy.
5. Choose a [**Session duration**](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) for the policy.
6. Configure as many [**Rules**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#rule-types) as needed.
7. (Optional) Configure additional settings for users who match this policy:  
   * [Isolate application](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/)  
   * [Purpose justification](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/require-purpose-justification/)  
   * [Temporary authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/temporary-auth/)  
   * [Independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa)
8. Select **Save**.

You can now add this policy to an [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/).

## Edit a policy

To make changes to an existing Access policy:

1. In [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Policies**.
2. Locate the policy you want to update and select **Configure**.
3. Once you have made the necessary changes, select **Save**.

The updated policy is now in effect for all associated Access applications.

## Delete a policy

To delete a reusable Access policy:

1. In [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Policies** and locate the policy you want to delete.
2. If the policy is used by an application, remove the policy from all associated applications.
3. Select **Delete**.
4. A pop-up message will ask you to confirm your decision to delete the policy. Select **Delete**.

## Test your policies

You can test your Access policies against all existing user identities in your Zero Trust organization. For the policy tester to work, users must have logged into the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) or any other Access application at some point in time.

Cloudflare will use the most recent device that was authenticated with Access to test your policies.

### Test a single policy

The Access policy builder allows you to test your rules before saving any changes.

To test an individual Access policy:

1. In [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Policies**.
2. Locate the policy you want to test and select **Configure**.
3. Go to **Policy tester** and select **Test policies**.

The policy tester reports the percentage of active users who are allowed or denied access to an application based on this policy. You can expand the test results to view a list of allowed or blocked users.

### Test all policies in an application

You can test your Access application policies against your user population before deploying changes to your users. After saving your changes, you can also perform a more detailed policy test for a specific user.

To test if users have access to an application:

1. In [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Locate the application you want to test and select **Configure**.
3. Go to **Policies** \> **Policy tester**.
4. To test all active users in your organization, select **Test policies**.  
The policy tester reports the percentage of users who are allowed or denied access to this application based on all configured policies. You can expand the test results to view a list of allowed or blocked users.
5. To perform a detailed test on a single user:  
a. If you made any changes to your policies, first save the application.  
b. Select **testing a single user**.  
c. Enter their email address and select **Test policies**.  
The single user test results will show:  
   * Whether the user is allowed or denied access to this application based on all configured policies.  
   * The user's identity from their most recent Access login attempt.  
   * Whether the user matches individual Allow, Block, or Bypass policies.

## Legacy policies

Legacy policies are scoped to a specific application and cannot be added to newly created Access applications.

### Migrate to reusable policies

To migrate legacy policies to reusable policies:

1. [Create a reusable policy](#create-a-policy) that will replace the legacy policy.
2. Go to the Access application associated with the legacy policy.
3. Add the reusable policy to the application and remove the legacy policy.
4. Repeat these steps for each legacy policy. If you have duplicate legacy policies, you can replace them with a single reusable policy.

### Convert a legacy policy

You can use the API to convert a legacy policy into a reusable policy. To convert a legacy policy, make a `PUT` request with an empty request body:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Apps and Policies Write`

Convert an Access application policy to a reusable policy

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID/policies/$POLICY_ID/make_reusable" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

The policy is now removed from the applications endpoint (`/access/apps/$APP_ID/policies`) and managed using the [reusable policies endpoints](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/policies/) (`/access/policies/$POLICY_ID`).


---

---
title: Require purpose justification
description: Require purpose justification in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Require purpose justification

Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for who is accessing their resources, but also for why they are requesting access.

The purpose justification screen will show for any new sessions of an application. For example, if an Access application has a session time of eight hours, a user will see the purpose justification screen once every eight hours.

Configuring a purpose justification screen is done as part of configuring an Access policy.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Choose an application and select **Configure**.
3. Go to **Policies**.
4. Choose an **Allow** policy and select **Configure**.
5. Under **Additional settings**, turn on **Purpose justification**.
6. (Optional) Set a custom purpose justification message. This will appear on the purpose justification screen and will be visible to the user.
7. Save the policy.

Users who match this policy will see the following screen:

![Finalized purpose justification screen displaying custom message.](https://developers.cloudflare.com/_astro/purpose-justification.Bgv25E7i_nwUeM.webp) 


---

---
title: Temporary authentication
description: Temporary authentication in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Temporary authentication

With Cloudflare Access, you can require that users obtain approval before they can access a specific self-hosted application or SaaS application. The administrator will receive an email notification to approve or deny the request. Unlike a typical Allow policy, the user will have to request access at the end of each session. This allows you to define the users who should have persistent access and those who must request temporary access.

## Set up temporary authentication

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Choose a **Self-hosted** or **SaaS** application and select **Configure**.
3. Choose an **Allow** policy and select **Configure**.
4. Under **Additional settings**, turn on [**Purpose justification**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/require-purpose-justification/).
5. Turn on **Temporary authentication**.
6. Enter the **Email addresses of the approvers**.  
Note  
Your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/).
7. Save the policy.

Temporary authentication is now enabled for users who match this policy. You can optionally add a second **Allow** policy for users who should have persistent access. Be sure the policy order is set to allow persistent users through.

## Temporary authentication requests

![Temporary authentication request page shown to users](https://developers.cloudflare.com/_astro/temp-auth-request.WnwXx8ul_1vy5pt.webp) 

Approvers will receive a request similar to the example below. The approver can then grant access for a set amount of time, up to a maximum of 24 hours.

![Temporary authentication approval page shown to administrators](https://developers.cloudflare.com/_astro/temp-auth-approval.D0-hjStz_1KlkRx.webp) 


---

---
title: Mutual TLS
description: Mutual TLS in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Mutual TLS

[Mutual TLS (mTLS) authentication ↗](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) requires both the client and the server to present certificates during the TLS handshake. In the Cloudflare Access implementation, the CA you upload is used to verify the client certificate (server certificate verification is handled by standard TLS). Access mTLS serves two purposes:

* **Authenticate devices that do not use an identity provider** — Automated systems and IoT devices can prove their identity by presenting a client certificate instead of logging in through an IdP.
* **Add a second authentication factor** — Team members who log in through an IdP can also be required to present a valid client certificate, providing an additional layer of security.

When you upload a root certificate authority (CA) to Access, only requests from devices with a matching client certificate are allowed through. When a request reaches the application, Access asks the client to present a certificate. If the client cannot present a valid certificate, the request is blocked. If the client presents a valid certificate, Access completes a key exchange to verify.

![mTLS handshake diagram](https://developers.cloudflare.com/_astro/mtls.BbZYLY1o_tux4L.webp) 

Important

The mTLS certificate is used only to verify the client certificate. It does not control the SSL certificate presented during the [server hello ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/).

## Enforce mTLS authentication

### Prerequisites

* An [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the hostname that you would like to secure with mTLS.
* A CA that issues client certificates for your devices.  
   * The CA certificate can be from a publicly trusted CA or self-signed.  
   * In the certificate `Basic Constraints`, the attribute `CA` must be set to `TRUE`.  
   * The certificate must use one of the following allowed signature algorithms:  
      * `x509.SHA1WithRSA`  
      * `x509.SHA256WithRSA`  
      * `x509.SHA384WithRSA`  
      * `x509.SHA512WithRSA`  
      * `x509.ECDSAWithSHA1`  
      * `x509.ECDSAWithSHA256`  
      * `x509.ECDSAWithSHA384`  
      * `x509.ECDSAWithSHA512`

### Add mTLS to your Access application

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Service credentials** \> **Mutual TLS**.
2. Select **Add mTLS Certificate**.
3. Enter any name for the root CA.
4. In **Certificate content**, paste the contents of your root CA.  
If the client certificate is directly signed by the root CA, you only need to upload the root. If the client certificate is signed by an intermediate certificate, you must upload the entire CA chain (intermediate and root). For example:  
```  
-----BEGIN CERTIFICATE-----  
<intermediate.pem>  
-----END CERTIFICATE-----  
-----BEGIN CERTIFICATE-----  
<rootCA.pem>  
-----END CERTIFICATE-----  
```  
Do not include any SSL/TLS server certificates; Access only uses the CA chain to verify the connection between the user's device and Cloudflare.
5. In **Associated hostnames**, enter the fully-qualified domain names (FQDN) that will use this certificate.  
These FQDNs will be the hostnames used for the resources being protected in the [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). You must associate the root CA with the FQDN that the application being protected uses.
6. Save the policy.
7. Go to **Access controls** \> **Policies**.
8. [Create an Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) using one of the following [selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors):  
   * **Valid Certificate**: Any client certificate that can authenticate with the root CA will be allowed to proceed.  
   * **Common Name**: Only client certificates with a specific common name will be allowed to proceed.
9. If this is for a client that does not need to log in through an IdP, set the policy **Action** to _Service Auth_.  
**Example mTLS policy**  
| Action       | Rule type | Selector    | Value    |  
| ------------ | --------- | ----------- | -------- |  
| Service Auth | Include   | Common Name | John Doe |
10. Save the policy, then go to **Access controls** \> **Applications**.
11. Select the application you would like to enforce mTLS on and select **Configure**. The application must be included in the **Associated hostnames** list from Step 5.
12. In the **Policies** tab, add your mTLS policy.
13. Save the application.

You can now authenticate to the application using a client certificate. For instructions on how to present a client certificate, refer to [Test mTLS](#test-mtls).

## Test mTLS

### Test using cURL

To test the application protected by an mTLS policy:

1. First, attempt to curl the site without a client certificate. This curl command example is for the site `example.com` that has an [Access application and policy](#add-mtls-to-your-access-application) set for `https://auth.example.com`:  
Terminal window  
```  
curl -sv https://auth.example.com  
```  
Without a client certificate in the request, a `403 forbidden` response displays and the site cannot be accessed.
2. Now, add your client certificate and key to the request:  
Terminal window  
```  
curl -sv https://auth.example.com --cert example.pem --key key.pem  
```

When the authentication process completes successfully, a `CF_Authorization Set-Cookie` header returns in the response.

Warning

Cloudflare Gateway cannot inspect traffic to mTLS-protected domains. If a device has the Cloudflare One Client turned on and passes HTTP requests through Gateway, access will be blocked unless you [bypass HTTP inspection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for the domain.

### Test in a browser

To access an mTLS-protected application in a browser, the client certificate must be imported into your browser's certificate manager. Instructions vary depending on the browser. Your browser may use the operating system's root store or its own internal trust store.

The following example demonstrates how to add a client certificate to the macOS system keychain:

Important

The command adds the client certificate to the trusted store on your device. Only proceed if you are comfortable doing so and intend to keep these testing certificates safeguarded.

1. Navigate to the directory containing the client certificate and key.  
   1. Open the `client.pem` file in Keychain Access. If prompted, enter your local password.  
   2. In **Keychain**, choose the access option that suits your needs and select **Add**.  
   3. In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select **Get Info**.  
   4. Select **Trust**. Under **When using this certificate**, select _Always Trust_.

Assuming your browser uses the macOS system store, you can now connect to the mTLS application through the browser.

## Generate mTLS certificates

You can use open source public key infrastructure (PKI) tools to generate certificates to test the mTLS feature in Cloudflare Access.

### OpenSSL

This section covers how to use [OpenSSL ↗](https://www.openssl.org/) to generate a root and intermediate certificate, and then issue client certificates that can authenticate against the CA chain.

#### Generate the root CA

1. Generate the root CA private key:  
Terminal window  
```  
openssl genrsa -aes256 -out rootCA.key 4096  
```  
When prompted, enter a password to use with `rootCA.key`.
2. Create a self-signed root certificate called `rootCA.pem`:  
Terminal window  
```  
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem  
```  
You will be prompted to enter your private key password and fill in some optional fields. For testing purposes, you can leave the optional fields blank.

#### Generate an intermediate certificate

1. Generate the intermediate CA private key:  
Terminal window  
```  
openssl genrsa -aes256 -out intermediate.key 4096  
```  
When prompted, enter a password to use with `intermediate.key`.
2. Create a certificate signing request (CSR) for the intermediate certificate:  
Terminal window  
```  
openssl req -new -sha256 -key intermediate.key -out intermediate.csr  
```  
You will be prompted to enter your private key password and fill in some optional fields. For testing purposes, you can leave the optional fields blank.
3. Create a CA extension file called `v3_intermediate_ca.ext`. For example:  
```  
subjectKeyIdentifier = hash  
authorityKeyIdentifier = keyid:always,issuer  
basicConstraints = critical, CA:true  
keyUsage = critical, cRLSign, keyCertSign  
```  
Make sure that `basicConstraints` includes the `CA:true` property. This property allows the intermediate certificate to act as a CA and sign client certificates.
4. Sign the intermediate certificate with the root CA:  
Terminal window  
```  
openssl x509 -req -in intermediate.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out intermediate.pem -days 1825 -sha256 -extfile v3_intermediate_ca.ext  
```

#### Create a CA chain file

1. Combine the intermediate and root certificates into a single file:  
Terminal window  
```  
cat intermediate.pem rootCA.pem > ca-chain.pem  
```  
The intermediate certificate should be at the top of the file, followed by its signing certificate.
2. Upload the contents of `ca-chain.pem` to Cloudflare Access. For instructions, refer to [Add mTLS to your Access application](#add-mtls-to-your-access-application).

#### Generate a client certificate

1. Generate a private key for the client:  
Terminal window  
```  
openssl genrsa -out client.key 2048  
```
2. Create a CSR for the client certificate:  
Terminal window  
```  
openssl req -new -key client.key -out client.csr  
```  
You will be prompted to fill in some optional fields. For testing purposes, you can set **Common Name** to something like `John Doe`.
3. Sign the client certificate with the intermediate certificate:  
Terminal window  
```  
openssl x509 -req -in client.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out client.pem -days 365 -sha256  
```
4. Validate the client certificate against the certificate chain:  
Terminal window  
```  
openssl verify -CAfile ca-chain.pem client.pem  
```  
```  
client.pem: OK  
```

You can now use the client certificate (`client.pem`) and its key (`client.key`) to [test mTLS](#test-mtls).

### Cloudflare PKI

This guide uses [Cloudflare's PKI toolkit ↗](https://github.com/cloudflare/cfssl) to generate a root CA and client certificates from JSON files.

#### 1\. Install dependencies

The process requires two packages from Cloudflare's PKI toolkit:

* `cfssl`
* `cfssljson`

You can install these packages from the [Cloudflare SSL GitHub repository ↗](https://github.com/cloudflare/cfssl). You will need a working installation of Go, version 1.12 or later. Alternatively, you can [download the packages ↗](https://github.com/cloudflare/cfssl) directly. Use the instructions under Installation to install the toolkit, and ensure that you install all of the utility programs in the toolkit.

#### 2\. Generate the root CA

1. Create a new directory to store the root CA.
2. Within that directory, create two new files:  
   * **CSR**. Create a file named `ca-csr.json` and add the following JSON blob, then save the file.  
   ```  
   {  
     "CN": "Access Testing CA",  
     "key": {  
       "algo": "rsa",  
       "size": 4096  
     },  
     "names": [  
       {  
         "C": "US",  
         "L": "Austin",  
         "O": "Access Testing",  
         "OU": "TX",  
         "ST": "Texas"  
       }  
     ]  
   }  
   ```  
   * **config**. Create a file named `ca-config.json` and add the following JSON blob, then save the file.  
   ```  
   {  
     "signing": {  
       "default": {  
         "expiry": "8760h"  
       },  
       "profiles": {  
         "server": {  
           "usages": ["signing", "key encipherment", "server auth"],  
           "expiry": "8760h"  
         },  
         "client": {  
           "usages": ["signing", "key encipherment", "client auth"],  
           "expiry": "8760h"  
         }  
       }  
     }  
   }  
   ```
3. Now, run the following command to generate the root CA with those files.  
Terminal window  
```  
cfssl gencert -initca ca-csr.json | cfssljson -bare ca  
```
4. The command will output a root certificate (`ca.pem`) and its key (`ca-key.pem`).  
Terminal window  
```  
ls  
```  
```  
ca-config.json ca-csr.json ca-key.pem ca.csr  ca.pem  
```
5. Upload the contents of `ca.pem` to Cloudflare Access. For instructions, refer to [Add mTLS to your Access application](#add-mtls-to-your-access-application).

#### 3\. Generate a client certificate

To generate a client certificate that will authenticate against the uploaded root CA:

1. Create a file named `client-csr.json` and add the following JSON blob:  
```  
{  
  "CN": "James Royal",  
  "hosts": [""],  
  "key": {  
    "algo": "rsa",  
    "size": 4096  
  },  
  "names": [  
    {  
      "C": "US",  
      "L": "Austin",  
      "O": "Access",  
      "OU": "Access Admins",  
      "ST": "Texas"  
    }  
  ]  
}  
```
2. Now, use the following command to generate a client certificate with the Cloudflare PKI toolkit:  
Terminal window  
```  
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client  
```

The command will output a client certificate file (`client.pem`) and its key (`client-key.pem`). You can now use these files to [test mTLS](#test-mtls).

#### Create a certificate revocation list

You can use the Cloudflare PKI toolkit to generate a certificate revocation list (CRL), as well. This list will contain client certificates that are revoked.

1. Get the serial number from the client certificate generated earlier. Add that serial number, or any others you intend to revoke, in hex format in a text file. This example uses a file named `serials.txt`.
2. Create the CRL with the following command.  
Terminal window  
```  
cfssl gencrl serials.txt ../mtls-test/ca.pem ../mtls-test/ca-key.pem | base64 -D > ca.crl  
```

You will need to add the CRL to your server or enforce the revocation in a Cloudflare Worker. An example Worker Script can be found on the [Cloudflare GitHub repository ↗](https://github.com/cloudflare/access-crl-worker-template).
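As an added example (not the Worker template the page links to, and not Cloudflare's code), the check a Worker can run in front of the origin: the request's `certSerial` is compared against the serials listed in `serials.txt` and rejected on a match. The serial values are constructed, the `"SUCCESS"` value of `certVerified` and the serial normalisation are assumptions about the field format.

```javascript
// Added example, not Cloudflare's Worker template: enforce the revocation
// list in a Worker using request.cf.tlsClientAuth (property names are the
// ones the page lists for Workers).

// Contents of serials.txt as fed to `cfssl gencrl`: hex serials, one per
// line. These are constructed sample values, not real certificates.
const SERIALS_TXT = `
# serials revoked on the test CA (constructed)
0A1B2C3D4E5F
00ff00ff00ff
`;

// Normalise a serial so the cfssl hex form and the value Cloudflare reports
// in certSerial compare equal regardless of case, ':' separators or leading
// zeros. Assumption: certSerial is a hex string (format not stated on the
// page), which this normalisation makes tolerant of either style.
function normalizeSerial(serial) {
  const hex = String(serial).replace(/[:\s]/g, "").toUpperCase().replace(/^0+/, "");
  return hex === "" ? "0" : hex;
}

// Parse serials.txt into a Set of normalised serials, ignoring blank lines
// and '#' comments.
function parseSerials(text) {
  return new Set(
    text
      .split("\n")
      .map((line) => line.trim())
      .filter((line) => line !== "" && !line.startsWith("#"))
      .map(normalizeSerial)
  );
}

const REVOKED = parseSerials(SERIALS_TXT);

// Decide whether the request may reach the origin. Returns the HTTP status
// to answer with; 200 means pass the request through.
function revocationDecision(tlsClientAuth, revoked = REVOKED) {
  // Assumption: certVerified is "SUCCESS" when Cloudflare validated the
  // client certificate against the uploaded CA; anything else (no cert,
  // "NONE", a failure string) is treated as not authenticated.
  if (!tlsClientAuth || tlsClientAuth.certVerified !== "SUCCESS") {
    return 403;
  }
  if (revoked.has(normalizeSerial(tlsClientAuth.certSerial))) {
    return 403; // valid chain, but the certificate is on the CRL
  }
  return 200;
}

// Worker entry point: `export default worker` in a module Worker.
const worker = {
  async fetch(request) {
    const tlsClientAuth = request.cf && request.cf.tlsClientAuth;
    const status = revocationDecision(tlsClientAuth);
    if (status !== 200) {
      return new Response("Client certificate rejected", { status });
    }
    return fetch(request); // forward to the origin unchanged
  },
};
```

In a real deployment the serial list would be read from KV or a bound resource rather than embedded, so revocations take effect without redeploying the Worker.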

## Add Client-Cert and Client-Cert-Chain headers (RFC 9440)

[RFC 9440 ↗](https://datatracker.ietf.org/doc/html/rfc9440) defines the `Client-Cert` and `Client-Cert-Chain` HTTP header fields for passing client certificate information to origin servers. You can construct these headers using [request header modification rules](https://developers.cloudflare.com/rules/transform/request-header-modification/) with the following Ruleset Engine fields:

* [cf.tls\_client\_auth.cert\_rfc9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440/) — The client leaf certificate encoded in RFC 9440 formatting (see reference).
* [cf.tls\_client\_auth.cert\_chain\_rfc9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440/) — The certificate chain (excluding the leaf certificate) encoded in RFC 9440 formatting (see reference).

As indicated in field definitions, the fields may be set to either an empty string or a valid RFC 9440 encoding. Proper usage depends on a couple of factors discussed in the following sections.

### Security considerations

Important

Before constructing `Client-Cert` or `Client-Cert-Chain` headers, you must address the following security concerns. Failing to do so can expose your origin server to forged or unverified certificate data.

The `cert_rfc9440` and `cert_chain_rfc9440` fields are populated **regardless of the certificate validation result**. This means a client can present an invalid, expired, or self-signed certificate, and the fields will still contain the encoded certificate data. Always check the following fields before trusting the values:

* [cf.tls\_client\_auth.cert\_verified](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fverified/) — Returns `true` when the client certificate is valid.
* [cf.tls\_client\_auth.cert\_revoked](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frevoked/) — Returns `true` when the client certificate has been revoked.

A client can also include its own `Client-Cert` or `Client-Cert-Chain` headers on a request to inject arbitrary values. As described in the [RFC 9440 security considerations ↗](https://datatracker.ietf.org/doc/html/rfc9440#name-security-considerations), you must unconditionally remove any existing `Client-Cert` and `Client-Cert-Chain` headers from incoming requests, regardless of certificate validity. This prevents a client from injecting forged certificate data that your origin would trust.

See [Enable mTLS](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/) for details on how to configure mTLS and certificate validation.

### Size limits

The encoded leaf certificate is limited to 10 KiB and the encoded chain is limited to 16 KiB. If the encoded value exceeds the limit, the corresponding field contains an empty string. Use the following fields to check for this condition:

* [cf.tls\_client\_auth.cert\_rfc9440\_too\_large](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440%5Ftoo%5Flarge/) — Returns `true` when the encoded certificate exceeds 10 KiB.
* [cf.tls\_client\_auth.cert\_chain\_rfc9440\_too\_large](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440%5Ftoo%5Flarge/) — Returns `true` when the encoded chain exceeds 16 KiB.

### Example Transform Rules

This example shows how to use these fields securely to construct trusted `Client-Cert` and `Client-Cert-Chain` headers that are forwarded to your origin. The origin can then rely on the presence of the headers to be certain the client presented a valid certificate. Note: the `Client-Cert-Chain` header may be omitted when the client did not present any intermediates (only a leaf certificate).

You need to create the following request header modification rules. The **Remove** rules must be placed before the **Set dynamic** rules so that client-injected headers are stripped on every request before the validated values are set.

#### Rule 1 — Remove Client-Cert header

This rule unconditionally removes any `Client-Cert` header sent by the client.

Text in **Expression Editor**:

```
true
```

Selected operation under **Modify request header**: _Remove_

**Header name**: `Client-Cert`

#### Rule 2 — Remove Client-Cert-Chain header

This rule unconditionally removes any `Client-Cert-Chain` header sent by the client.

Text in **Expression Editor**:

```
true
```

Selected operation under **Modify request header**: _Remove_

**Header name**: `Client-Cert-Chain`

#### Rule 3 — Set Client-Cert header

This rule sets the `Client-Cert` header only when the client presented a valid, non-revoked certificate that is within the size limit.

Text in **Expression Editor**:

```
cf.tls_client_auth.cert_verified
and not cf.tls_client_auth.cert_revoked
and not cf.tls_client_auth.cert_rfc9440_too_large
```

Selected operation under **Modify request header**: _Set dynamic_

**Header name**: `Client-Cert`

**Value**: `cf.tls_client_auth.cert_rfc9440`

#### Rule 4 — Set Client-Cert-Chain header

This rule sets the `Client-Cert-Chain` header only when the client presented a valid, non-revoked certificate and the chain is non-empty and within the size limit.

Text in **Expression Editor**:

```
cf.tls_client_auth.cert_verified
and not cf.tls_client_auth.cert_revoked
and cf.tls_client_auth.cert_chain_rfc9440 ne ""
and not cf.tls_client_auth.cert_chain_rfc9440_too_large
```

Selected operation under **Modify request header**: _Set dynamic_

**Header name**: `Client-Cert-Chain`

**Value**: `cf.tls_client_auth.cert_chain_rfc9440`
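As an added example (not from Cloudflare's documentation), the four rules modelled as one function so their ordering and conditions can be exercised offline: the `tls` argument is a constructed object shaped like the `cf.tls_client_auth.*` fields the rules read, and the DER bytes are constructed samples, not real certificates.

```javascript
// Added example, not Cloudflare's code: Rules 1-4 above as one function over
// a Headers object plus a stand-in for the cf.tls_client_auth.* fields.
const LEAF_LIMIT_BYTES = 10 * 1024;  // encoded leaf limit stated on the page
const CHAIN_LIMIT_BYTES = 16 * 1024; // encoded chain limit stated on the page

// RFC 9440 carries each certificate as a Structured Fields byte sequence:
// the DER bytes base64-encoded and wrapped in colons. A chain is a comma-
// separated list of such sequences.
function encodeRfc9440(derBytes) {
  return ":" + Buffer.from(derBytes).toString("base64") + ":";
}

// Build a stand-in for the cf.tls_client_auth fields from constructed inputs,
// reproducing the documented behaviour that an over-sized encoding yields an
// empty string together with the matching *_too_large flag.
function tlsClientAuthFields({ verified, revoked, leafDer, chainDer = [] }) {
  const leaf = encodeRfc9440(leafDer);
  const chain = chainDer.map(encodeRfc9440).join(", ");
  const leafTooLarge = leaf.length > LEAF_LIMIT_BYTES;
  const chainTooLarge = chain.length > CHAIN_LIMIT_BYTES;
  return {
    cert_verified: verified,
    cert_revoked: revoked,
    cert_rfc9440: leafTooLarge ? "" : leaf,
    cert_rfc9440_too_large: leafTooLarge,
    cert_chain_rfc9440: chainTooLarge ? "" : chain,
    cert_chain_rfc9440_too_large: chainTooLarge,
  };
}

// Apply Rules 1-4 in order to an incoming request's headers and return the
// headers that would be forwarded to the origin.
function applyClientCertRules(incomingHeaders, tls) {
  const headers = new Headers(incomingHeaders);

  // Rules 1 and 2: strip client-supplied values unconditionally, before any
  // validity check, so a forged header never reaches the origin.
  headers.delete("Client-Cert");
  headers.delete("Client-Cert-Chain");

  const trusted = tls.cert_verified === true && tls.cert_revoked !== true;

  // Rule 3: set the leaf only when verified, not revoked and within the limit.
  if (trusted && !tls.cert_rfc9440_too_large) {
    headers.set("Client-Cert", tls.cert_rfc9440);
  }

  // Rule 4: set the chain only when it is additionally non-empty (a leaf-only
  // client sends no intermediates) and within its own limit.
  if (trusted && tls.cert_chain_rfc9440 !== "" && !tls.cert_chain_rfc9440_too_large) {
    headers.set("Client-Cert-Chain", tls.cert_chain_rfc9440);
  }
  return headers;
}
```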

### Cloudflare Workers

You can also construct RFC 9440 headers in a [Cloudflare Worker](https://developers.cloudflare.com/workers/) using the [tlsClientAuth](https://developers.cloudflare.com/ssl/client-certificates/client-certificate-variables/#workers-variables) properties on the incoming request.

The same security considerations mentioned above apply.

## Forward a client certificate (legacy)

In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging.

To avoid adding the certificate to every single request, the certificate is only forwarded on the first request of an mTLS connection.

Warning

This process is only available on accounts with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/).

### Cloudflare API

The most common approach to forwarding a certificate is to use the Cloudflare API to [update an mTLS certificate's hostname settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/certificates/subresources/settings/methods/update/).

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Mutual TLS Certificates Write`

Update an mTLS certificate's hostname settings

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/access/certificates/settings" \
  --request PUT \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \
  --json '{
    "settings": [
        {
            "hostname": "<HOSTNAME>",
            "china_network": false,
            "client_certificate_forwarding": true
        }
    ]
  }'
```

Once `client_certificate_forwarding` is set to `true`, every request within an mTLS connection will now include the following headers:

* `Cf-Client-Cert-Der-Base64`
* `Cf-Client-Cert-Sha256`

Note

The `Cf-Client-Cert-Der-Base64` and `Cf-Client-Cert-Sha256` headers are a Cloudflare-proprietary mechanism. For a standardized approach, use [RFC 9440 Client-Cert and Client-Cert-Chain headers](https://developers.cloudflare.com/ssl/client-certificates/forward-a-client-certificate/#add-client-cert-and-client-cert-chain-headers-rfc-9440).

### Managed Transforms

You can also [modify HTTP response headers](https://developers.cloudflare.com/rules/transform/response-header-modification/) using Managed Transforms to pass along **TLS client auth headers**.

### Cloudflare Workers

Additionally, Workers can provide details around the [client certificate](https://developers.cloudflare.com/workers/runtime-apis/bindings/mtls/).

JavaScript

```
export default {
  async fetch(request) {
    // request.cf.tlsClientAuth is populated by Cloudflare when the client presented a certificate on an mTLS-enabled hostname
    const tlsHeaders = {
      "X-CERT-ISSUER-DN": request.cf.tlsClientAuth.certIssuerDN,
      "X-CERT-SUBJECT-DN": request.cf.tlsClientAuth.certSubjectDN,
      "X-CERT-ISSUER-DN-L": request.cf.tlsClientAuth.certIssuerDNLegacy,
      "X-CERT-SUBJECT-DN-L": request.cf.tlsClientAuth.certSubjectDNLegacy,
      "X-CERT-SERIAL": request.cf.tlsClientAuth.certSerial,
      "X-CERT-FINGER": request.cf.tlsClientAuth.certFingerprintSHA1,
      "X-CERT-VERIFY": request.cf.tlsClientAuth.certVerify,
      "X-CERT-NOTBE": request.cf.tlsClientAuth.certNotBefore,
      "X-CERT-NOTAF": request.cf.tlsClientAuth.certNotAfter,
    };
    // Forward the request to the origin with the certificate details attached as headers
    const headers = new Headers(request.headers);
    for (const [name, value] of Object.entries(tlsHeaders)) headers.set(name, value);
    return fetch(new Request(request, { headers }));
  },
};
```

## Known limitations

mTLS does not currently work for:

* Cloudflare Pages site served on a [custom domain](https://developers.cloudflare.com/pages/configuration/custom-domains/)
* Cloudflare R2 public bucket served on a [custom domain](https://developers.cloudflare.com/r2/buckets/public-buckets/#connect-a-bucket-to-a-custom-domain)

## Notifications for mutual TLS certificates

Cloudflare will send the following [notifications](https://developers.cloudflare.com/notifications/) before your mutual TLS certificates expire:

Access mTLS Certificate Expiration Alert

**Who is it for?**

[Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) customers that use client certificates for mutual TLS authentication. This notification will be sent 30 and 14 days before the expiration of the certificate.

**Other options / filters**

None.

**Included with**

Purchase of [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) and/or [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/).

**What should you do if you receive one?**

Upload a [renewed certificate](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration).


---

---
title: Service tokens
description: Service tokens in Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Service tokens

You can provide automated systems with service tokens to authenticate against your Cloudflare One policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access.

This section covers how to create, renew, and revoke a service token.

## Create a service token

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Service credentials** \> **Service Tokens**.
2. Select **Create Service Token**.
3. Name the service token. The name allows you to easily identify events related to the token in the logs and to revoke the token individually.
4. Choose a **Service Token Duration**. This sets the expiration date for the token.
5. Select **Generate token**. You will see the generated Client ID and Client Secret for the service token, as well as their respective request headers.
6. Copy the Client Secret.  
Warning  
This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.

API

1. Make a `POST` request to the [Access Service Tokens](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/service%5Ftokens/methods/create/) endpoint:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Service Tokens Write`  
Create a service token  
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "CI/CD token",
    "duration": "8760h"
  }'
```
2. Copy the `client_id` and `client_secret` values returned in the response.  
Response  
```json
{
  "result": {
    "client_id": "88bf3b6d86161464f6509f7219099e57.access",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2025-09-25T22:26:26Z",
    "expires_at": "2026-09-25T22:26:26Z",
    "id": "3537a672-e4d8-4d89-aab9-26cb622918a1",
    "name": "CI/CD token",
    "updated_at": "2025-09-25T22:26:26Z",
    "duration": "8760h",
    "client_secret_version": 1
  }
}
```
Warning  
This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.

Terraform (v5)

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Access: Service Tokens Write`
2. Configure the [cloudflare\_zero\_trust\_access\_service\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fservice%5Ftoken) resource:  
```hcl
resource "cloudflare_zero_trust_access_service_token" "example_service_token" {
  account_id = var.cloudflare_account_id
  name       = "Example service token"
  duration   = "8760h"
  lifecycle {
    create_before_destroy = true
  }
}
```
3. Get the Client ID and Client Secret of the service token:  
Example: Output to CLI  
   1. Output the Client ID and Client Secret to the Terraform state file:  
   ```hcl
   output "example_service_token_client_id" {
     value     = cloudflare_zero_trust_access_service_token.example_service_token.client_id
   }
   output "example_service_token_client_secret" {
     value     = cloudflare_zero_trust_access_service_token.example_service_token.client_secret
     sensitive = true
   }
   ```
   2. Apply the configuration:  
   Terminal window  
   ```sh
   terraform apply
   ```
   3. Read the Client ID and Client Secret:  
   Terminal window  
   ```sh
   terraform output -raw example_service_token_client_id
   terraform output -raw example_service_token_client_secret
   ```
Example: Store in HashiCorp Vault  
```hcl
# The references must name the resource declared above
# (cloudflare_zero_trust_access_service_token, not the legacy resource name).
resource "vault_generic_secret" "example_service_token" {
  path      = "kv/cloudflare/example_service_token"
  data_json = jsonencode({
    "CLIENT_ID"     = cloudflare_zero_trust_access_service_token.example_service_token.client_id
    "CLIENT_SECRET" = cloudflare_zero_trust_access_service_token.example_service_token.client_secret
  })
}
```

You can now configure your Access applications and [device enrollment permissions](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/#check-for-service-token) to accept this service token. Make sure to set the policy action to [**Service Auth**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#service-auth); otherwise, Access will prompt for an identity provider login.

## Connect your service to Access

### Initial request

To authenticate to an Access application using your service token, add the following to the headers of any HTTP request:

`CF-Access-Client-Id: <CLIENT_ID>`

`CF-Access-Client-Secret: <CLIENT_SECRET>`

For example,

Terminal window

```sh
curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com
```

If the service token is valid, Access generates a JWT scoped to the application in the form of a [CF\_Authorization cookie](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/). You can use this cookie to authenticate [subsequent requests](#subsequent-requests) to the application.

#### Authenticate with a single header

You can configure a self-hosted Access application to accept a service token in a single HTTP header, as an alternative to the `CF-Access-Client-Id` and `CF-Access-Client-Secret` pair of headers. This is useful for authenticating SaaS services that only support sending one custom header in a request (for example, the `Authorization` header).

To authenticate using a single header:

1. Get your existing Access application configuration:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Apps and Policies Write`  
   * `Access: Apps and Policies Read`  
Get an Access application  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```
2. Make a `PUT` request with the name of the header you want to use for service token authentication. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Apps and Policies Write`  
Update an Access application  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID" \  
  --request PUT \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "domain": "app.example.com",  
    "type": "self_hosted",  
    "read_service_tokens_from_header": "Authorization"  
  }'  
```
3. Add the header to any HTTP request. For example,  
Terminal window  
```  
curl -H "Authorization: {\"cf-access-client-id\": \"<CLIENT_ID>\", \"cf-access-client-secret\": \"<CLIENT_SECRET>\"}" https://app.example.com  
```

### Subsequent requests

After you have [authenticated to the application](#initial-request) using the service token, add the resulting `CF_Authorization` cookie to the headers of all subsequent requests:

Terminal window

```sh
curl -H "cookie: CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://app.example.com
```

If you prefer to use a raw header, send the value as `cf-access-token`:

Terminal window

```sh
curl -H "cf-access-token: <CF_AUTHORIZATION_COOKIE>" https://app.example.com
```

All requests with this cookie will succeed until the JWT expires.

Note

If your Access application only has Service Auth policies, you must send the service token on every subsequent request. You can only use the JWT if the application has at least one Allow policy.
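The whole exchange described in this section (initial request with the header pair or with the single `Authorization` header from "Authenticate with a single header", then reuse of the `CF_Authorization` JWT as a cookie or as `cf-access-token`, or the token on every request for a Service-Auth-only application) as a small client, added here as an example that is not part of Cloudflare's documentation. The token values, the JWT and the `constructed_access_stub` that stands in for Access are constructed so the code runs offline; no request leaves the machine.

```python
import json
from http.cookies import SimpleCookie
from typing import Callable, Dict, List, Optional, Tuple

# Header and cookie names as documented for Cloudflare Access.
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"
AUTH_COOKIE = "CF_Authorization"
TOKEN_HEADER = "cf-access-token"

# A transport takes (url, request headers) and returns (status, response
# headers as (name, value) pairs so repeated Set-Cookie headers survive).
Transport = Callable[[str, Dict[str, str]], Tuple[int, List[Tuple[str, str]]]]


def token_pair_headers(client_id: str, client_secret: str) -> Dict[str, str]:
    """Two-header form used on the initial request."""
    return {CLIENT_ID_HEADER: client_id, CLIENT_SECRET_HEADER: client_secret}


def single_header(client_id: str, client_secret: str,
                  name: str = "Authorization") -> Dict[str, str]:
    """Single-header form for an app whose read_service_tokens_from_header is
    `name`: a JSON object with lower-case keys, as in the page's curl example."""
    return {name: json.dumps({"cf-access-client-id": client_id,
                              "cf-access-client-secret": client_secret})}


def extract_auth_cookie(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return the CF_Authorization value from Set-Cookie headers, if Access set one."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        if AUTH_COOKIE in jar:
            return jar[AUTH_COOKIE].value
    return None


class AccessServiceClient:
    """Sends the service token once, then reuses the issued JWT.

    reuse_jwt=False models an application with only Service Auth policies: the
    JWT cannot be used there, so the token is sent on every request.
    as_header=True sends the JWT as the raw cf-access-token header, not a cookie.
    """

    def __init__(self, client_id: str, client_secret: str, transport: Transport,
                 reuse_jwt: bool = True, as_header: bool = False) -> None:
        self._creds = (client_id, client_secret)
        self._transport = transport
        self._reuse_jwt = reuse_jwt
        self._as_header = as_header
        self.jwt: Optional[str] = None

    def _auth_headers(self) -> Dict[str, str]:
        if self.jwt and self._reuse_jwt:
            if self._as_header:
                return {TOKEN_HEADER: self.jwt}
            return {"cookie": f"{AUTH_COOKIE}={self.jwt}"}
        return token_pair_headers(*self._creds)

    def get(self, url: str) -> int:
        """Issue one request, remembering the JWT if Access issued one; returns the status."""
        status, resp_headers = self._transport(url, self._auth_headers())
        jwt = extract_auth_cookie(resp_headers)
        if jwt:
            self.jwt = jwt
        return status


def constructed_access_stub(client_id: str, client_secret: str,
                            jwt: str = "constructed.jwt.value"):
    """Constructed offline stand-in for Access (not its full behaviour): a correct
    token pair gets 200 plus a CF_Authorization cookie, a valid cookie or
    cf-access-token gets 200, anything else 403. Records every request's headers."""
    seen: List[Dict[str, str]] = []

    def transport(url: str, headers: Dict[str, str]):
        seen.append(dict(headers))
        lower = {k.lower(): v for k, v in headers.items()}
        if (lower.get(CLIENT_ID_HEADER.lower()) == client_id
                and lower.get(CLIENT_SECRET_HEADER.lower()) == client_secret):
            return 200, [("Set-Cookie", f"{AUTH_COOKIE}={jwt}; Path=/; Secure; HttpOnly")]
        if lower.get("cookie") == f"{AUTH_COOKIE}={jwt}" or lower.get(TOKEN_HEADER) == jwt:
            return 200, []
        return 403, []

    return transport, seen


if __name__ == "__main__":
    # Constructed credentials; a real Client ID ends in ".access".
    transport, seen = constructed_access_stub("example.access", "example-secret")
    client = AccessServiceClient("example.access", "example-secret", transport)
    for _ in range(2):
        print(client.get("https://app.example.com/"))
    print("second request carried the secret:", CLIENT_SECRET_HEADER in seen[1])
```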

## Renew service tokens

Service tokens expire according to the token duration you selected when you created the token.

To renew the service token:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Service credentials** \> **Service Tokens**.
2. Locate the token you want to renew.
3. To extend the token's lifetime by one year, select **Refresh**.
4. To extend the token's lifetime by more than a year:  
   1. Select **Edit**.  
   2. Choose a new **Service Token Duration**.  
   3. Select **Save**. The expiration date will be extended by the selected amount of time.

## Revoke service tokens

If you need to revoke access before the token expires, simply delete the token.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Service credentials** \> **Service Tokens**.
2. **Delete** the token you need to revoke.

Services that rely on a deleted service token can no longer reach your application.

Note

When editing an Access application, selecting **Revoke existing tokens** revokes existing sessions but does not prevent the user from starting a new session. As long as the Client ID and Client Secret are still valid, they can be exchanged for a new token on the next request. To revoke access, you must delete the service token.

## Set a token expiration alert

You can configure an alert that notifies you one week before a service token expires, giving an administrator time to refresh the token.

Expiring Access Service Token Alert

**Who is it for?**

[Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) customers who want to receive a notification when their service token is about to expire.

**Other options / filters**

None.

**Included with**

Purchase of Access

**What should you do if you receive one?**

Extend the expiration date of the service token. For more details, refer to [Renew your service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/#renew-service-tokens).

To configure a service token expiration alert:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com), go to [**Notifications**](https://dash.cloudflare.com/?to=/:account/notifications).
2. Select **Add**.
3. Select _Expiring Access Service Token_.
4. Enter a name for your alert and an optional description.
5. (Optional) Add other recipients for the notification email.
6. Select **Save**.

Your alert has been set and is now visible on the **Notifications** page.


---

---
title: Troubleshoot Access
description: Resolve common issues with Cloudflare Access, including authentication loops, CORS errors, and identity provider integration problems.
image: https://developers.cloudflare.com/zt-preview.png
---


# Troubleshoot Access

Review common troubleshooting scenarios for Cloudflare Access.

## Authentication and login

### AJAX/CORS errors

Cloudflare Access requires that the `credentials: same-origin` parameter be added to JavaScript when using the Fetch API to include cookies. AJAX requests fail if this parameter is missing, resulting in an error such as `No Access-Control-Allow-Origin header is present on the requested resource`. For more information, refer to [CORS settings](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/).

### SAML verification failure

The error `SAML Verify: Invalid SAML response, SAML Verify: No certificate selected to verify` occurs when the identity provider (IdP) does not include the signing public key in the SAML response. Cloudflare Access requires the public key to match the **Signing certificate** uploaded to Zero Trust. Configure your IdP to include the public key in the response.

### Identity provider user/group info error

The error `Failed to fetch user/group information from the identity provider` occurs when Cloudflare lacks the necessary API permissions to communicate with your IdP. Review the [SSO integration guide](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) for your specific IdP and ensure the application has the correct permissions (for example, Microsoft Entra or Okta).

### Google Workspace redirect loop

If you place your Google Workspace behind Access, you cannot use Google or Google Workspace as an identity provider for that application. This creates an infinite redirect cycle because both systems depend on each other to complete the login.

### Invalid session error

The error `Invalid session. Please try logging in again` indicates that Access was unable to validate your `CF_Session` cookie. This can happen if software or a firewall on your device interferes with requests to Access. Ensure that the same browser instance is used to both initiate and complete the sign-in.

### Firefox Private Window

Firefox's default tracking prevention in Private Windows may prevent the `CF_Authorization` cookie from being sent, especially for XHR requests. To resolve this, you may need to exempt your application domain and your [team domain](https://developers.cloudflare.com/cloudflare-one/glossary/#team-name) from tracking protection.

### Workers routes on the login path

If you have a Cloudflare Worker route assigned to your application's login path, the Worker may overwrite the `CF_Authorization` cookie. To prevent this, ensure your Worker script does not modify or strip the `Set-Cookie` header for Access cookies.

## Identity providers

### OTP email not received

If a user does not receive a one-time PIN (OTP) email:

* **Policy denial**: If the user's email address does not match any **Allow** policies for the application, Cloudflare will not send an OTP email. The login page will still display a message saying the email was sent to prevent account enumeration.
* **Email suppression**: The user's email may be on a suppression list due to previous delivery failures. Check your email logs or contact Support to clear suppressions.

### OTP code already used

The error `This One-Time PIN has already been used` occurs when the OTP code has already been redeemed before the user enters it. OTP codes are single-use and expire 10 minutes after the initial request. This error most commonly occurs when an email security or anti-phishing tool on your network automatically follows links in emails, consuming the code before you have a chance to enter it.

To resolve the issue, select **Request new code** on the login page. If the error recurs consistently, add `noreply@notify.cloudflare.com` to your email security tool's allowlist to prevent it from scanning Cloudflare authentication emails. For setup instructions, refer to [One-time PIN login](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/).

### Google Super Admin login

If you use Access as the SSO provider for your Google Workspace, Google Super Admins cannot sign in via Access when accessing `admin.google.com`. Google requires Super Admins to use their original Google password to ensure they can always access the admin console.

### Missing SAML attributes

If you receive a `Required attributes are missing` error during SAML authentication, verify that your IdP is sending the mandatory **email** attribute. Additionally, check for typos in attribute names (for example, `groups` vs `gropus`) in your [IdP configuration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

## Applications and certificates

### SSH short-lived certificates

The error `Error 0: Bad Request. Please create a ca for application` appears if a certificate has not been generated for the Access application. Refer to [SSH short-lived certificates](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/) to generate a CA for the application.

### SSH "Origin auth failed"

This error often indicates a configuration issue on the target server's SSH daemon (`sshd`):

* **SSHD config**: Verify that `PubkeyAuthentication` is set to `yes` and `TrustedUserCAKeys` points to the correct Cloudflare CA file.
* **Multiple auth methods**: Cloudflare Access for Infrastructure currently does not support `AuthenticationMethods` with multiple comma-separated requirements (for example, `publickey,keyboard-interactive`).
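A quick lint of an `sshd_config` for the two settings listed above, added as an example that is not from Cloudflare's documentation. The configuration it is exercised against is constructed, and the `/etc/ssh/sshd_config` path in the usage comment is the common default rather than anything the page states.

```sh
#!/bin/sh
# Added example, not from Cloudflare's docs: flag the sshd settings the
# "Origin auth failed" section names. sshd honours the first occurrence of a
# keyword, so the first match wins here too. Match blocks and the
# "keyword=value" spelling are not handled.

# sshd_value KEYWORD FILE: print the first value set for KEYWORD (case-insensitive).
sshd_value() {
  awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# check_sshd_config FILE: print one line per finding; return 1 if there were any.
check_sshd_config() {
  file="$1"
  status=0

  # PubkeyAuthentication defaults to yes; only an explicit "no" breaks certificate logins.
  case "$(sshd_value PubkeyAuthentication "$file")" in
    [Nn][Oo])
      echo "PubkeyAuthentication is no: short-lived certificates cannot be used"
      status=1 ;;
  esac

  ca=$(sshd_value TrustedUserCAKeys "$file")
  if [ -z "$ca" ]; then
    echo "TrustedUserCAKeys is not set: sshd will not trust the Cloudflare CA"
    status=1
  elif [ ! -r "$ca" ]; then
    echo "TrustedUserCAKeys points at '$ca', which is missing or unreadable"
    status=1
  fi

  # A comma chains methods that must all succeed (for example
  # publickey,keyboard-interactive); Access for Infrastructure does not support that.
  methods=$(sshd_value AuthenticationMethods "$file")
  case "$methods" in
    *,*)
      echo "AuthenticationMethods '$methods' requires several methods in sequence"
      status=1 ;;
  esac

  return $status
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
  check_sshd_config "$1"
fi
```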

### Team domain change error

The error `Access api error auth_domain_cannot_be_updated_dash_sso` occurs if you try to change your team domain while [Cloudflare dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) is enabled. Dashboard SSO does not currently support team domain changes.

### Long-lived SSH sessions disconnect

All connections proxied through Cloudflare Gateway, including traffic to [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) SSH targets, have a maximum guaranteed duration of 10 hours. If a connection is active during a Gateway release, it will be terminated 10 hours later.

To prevent unexpected disconnects, we recommend terminating sessions on a predefined schedule (for example, an 8-hour idle timeout). You can configure this using `ChannelTimeout` in your SSH server or client configuration.

---

## How to contact Support

If you cannot resolve the issue, [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). Please provide a [HAR file](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while reproducing the error and the **Ray ID** if an error page is displayed.


---

---
title: Traffic policies
description: Filter DNS, network, and HTTP traffic with Cloudflare Gateway traffic policies.
image: https://developers.cloudflare.com/zt-preview.png
---


# Traffic policies

A Secure Web Gateway (SWG) is a security service that sits between an organization's users and the Internet. It inspects outbound traffic to enforce security policies, block threats, and prevent data loss. Core SWG capabilities include:

* **URL and domain filtering** – Controls which websites users can access.
* **Anti-malware scanning** – Inspects files in transit for malicious code.
* **Application control** – Manages which applications users can reach and what actions they can perform.
* **Data Loss Prevention (DLP)** – Detects and blocks sensitive data before it leaves the network.
* **Traffic inspection** – Decrypts and examines encrypted (HTTPS) traffic for hidden threats.

## The need for an SWG

Traditional network security relied on hardware firewalls at the perimeter of a corporate network. That model assumed users, applications, and data all lived inside the same network boundary. Modern organizations face a different reality:

* **Distributed workforce** – Employees connect from home networks, public Wi-Fi, and mobile devices, outside any corporate perimeter.
* **Cloud and SaaS adoption** – Business-critical applications and data have moved to cloud platforms like Microsoft 365, Google Workspace, and Salesforce.
* **Expanding threat surface** – Phishing, ransomware, command-and-control botnets, and data exfiltration attempts target users regardless of their location.

Without an SWG, organizations lose visibility into what websites and applications users access, what threats reach user devices, and what data leaves the organization. An SWG restores that visibility and control by inspecting traffic in the cloud, close to users, rather than forcing all traffic through a central data center.

Cloudflare Gateway is Cloudflare's SWG, built into the [Cloudflare One ↗](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) SASE platform. It inspects and filters traffic at the DNS, network (Layer 4), and HTTP (Layer 7) layers.

For more information on how SWGs work, refer to the [Cloudflare Learning Center ↗](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/).

## Traffic policy types

Every organization needs a way to control what users can reach on the Internet — blocking malware sites, restricting risky applications, and deciding how traffic exits the corporate network. Think of traffic policies as a set of security checkpoints, each inspecting a different layer of your traffic before it is allowed through.

### How Gateway relates to traditional firewalls

If you are familiar with traditional network security, Gateway's policy layers map to familiar firewall functions:

* **DNS policies** correspond to DNS-layer filtering (blocking domains before connections are established).
* **Network policies** correspond to a Layer 4 stateful firewall, sometimes called Firewall-as-a-Service (FWaaS), filtering by IP address, port, and protocol.
* **HTTP policies** correspond to a Layer 7 application firewall (forward proxy with TLS decryption and deep packet inspection).

Unlike hardware firewalls that sit at a single network perimeter, Gateway enforces these policies across Cloudflare's global network, protecting traffic regardless of where users connect.

Gateway supports several policy types because network traffic can be inspected at different layers — from raw packets up to full HTTP requests. Each policy type gives you control at a specific layer:

Packet filtering

**[Packet filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview/)** inspects raw network packets and blocks traffic based on properties like source IP address or protocol. It does not need to know who the user is or what session they belong to.

Use packet filtering to drop unwanted traffic before it reaches any other policy.

DNS policies

**[DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/)** check every DNS query your users make. When a query matches a policy rule, Gateway can block the domain from resolving — the site never loads because the domain name is never translated to an IP address.

DNS policies act at the earliest stage of a connection, before any content is fetched. This makes them the fastest policy type to deploy and the broadest in scope. For more information on [DNS filtering ↗](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/), refer to the Cloudflare Learning Center.

Use DNS policies to block malicious domains, restrict content categories, or prevent entire sites from loading. For full threat protection, pair DNS policies with HTTP policies — DNS blocks known bad domains, while HTTP catches threats hidden in allowed traffic.

Network policies

**[Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/)** inspect individual TCP, UDP, and Generic Routing Encapsulation (GRE) packets. They can match on IP addresses, ports, protocols, and the server name sent at the start of an encrypted connection (Server Name Indication, or SNI).

Use network policies to block access to specific ports or non-HTTP services such as SSH and RDP.

HTTP policies

**[HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/)** inspect the full content of web requests — including URLs, headers, and uploaded or downloaded files. Gateway decrypts HTTPS traffic so it can examine what DNS and network policies cannot see. This requires installing a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on user devices.

Use HTTP policies to block specific URLs, scan file uploads for sensitive data, block malware in downloads, [quarantine suspicious files](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) for sandbox analysis, and control which accounts users can sign in to. For example, allow your company Google Workspace account but block personal Gmail.

Egress policies

**[Egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/)** control how traffic leaves your network by assigning fixed IP addresses that belong to your organization. Third-party services can recognize these IPs as yours.

Use egress policies to connect to partners or services that only allow traffic from a known list of IP addresses.

Resolver policies

**[Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/)** send DNS queries to specific DNS servers instead of the default Cloudflare resolver.

Use resolver policies to resolve private hostnames on your internal network, route queries to your own DNS servers for compliance, or reach internal resources while connected through Cloudflare One.

### Identity and device context

Gateway policies can go beyond network attributes (domains, IPs, ports) and incorporate user identity and device health into every decision.

When users connect through the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), Gateway can evaluate:

* **User identity** – Email address, group membership, and authentication method from your [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) (for example, Okta, Microsoft Entra ID, or Google Workspace).
* **Device posture** – Signals such as operating system version, disk encryption status, firewall state, and whether the device serial number matches a managed device list. For the full list of available checks, refer to [Device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

These signals can be combined with traffic selectors to create context-aware policies. For example, you can create an HTTP policy that allows access to a sensitive SaaS application only when the user belongs to a specific group **and** the device has disk encryption turned on.

For details on building policies with identity selectors, refer to [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/).

Note

When creating or editing policies, it may take up to 60 seconds for that policy to be updated across all of Cloudflare's data centers.

## Set up Cloudflare Gateway traffic policies

Before you create Cloudflare Gateway traffic policies, you need to connect the devices or networks you want to protect and confirm that Cloudflare Gateway can inspect their traffic. For each traffic policy type, follow this workflow:

1. Connect the devices or networks you want to protect.
2. Verify that Gateway is receiving traffic from your devices.
3. Set up recommended security policies — for example, block all [security threat categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) with a DNS policy.
4. Add policies specific to your organization's needs.

For example, if your goal is to prevent employees from accessing known malware domains, you would start by enrolling devices with the Cloudflare One Client (step 1), confirm DNS queries appear in your Gateway logs (step 2), then create a DNS policy that blocks all security-risk categories (step 3).

For step-by-step setup guides, refer to [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/), [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/network/), and [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) policies.

### How to choose a Cloudflare Gateway policy type

The following table maps common traffic-filtering goals to the best Cloudflare Gateway policy type:

| Filtering goal                         | Policy type      | Why                                                                    |
| -------------------------------------- | ---------------- | ---------------------------------------------------------------------- |
| Block websites by URL                  | HTTP             | Inspects the full URL path, not just the domain                        |
| Block domains (all pages)              | DNS              | Prevents the domain from resolving                                     |
| Block non-HTTP traffic (SSH, RDP)      | Network          | Inspects TCP/UDP packets on any port                                   |
| Block malware and threats              | DNS _and_ HTTP   | DNS blocks known-bad domains. HTTP catches threats in allowed traffic. |
| Assign static egress IPs               | Egress           | Lets third-party services identify your organization                   |
| Drop traffic before other policies run | Packet filtering | Blocks by packet attributes without user context                       |
| Route DNS to custom nameservers        | Resolver         | Overrides the default Cloudflare resolver                              |

After you choose a Cloudflare Gateway policy type, continue with the matching setup guide to create the policy that fits your traffic-filtering goal.

### Choose a connection method

The connection method (on-ramp) you use determines which policy types Gateway can enforce. The following table summarizes each method:

| Connection method                                                                                                                  | DNS policies | Network policies | HTTP policies      | Best for                                                  |
| ---------------------------------------------------------------------------------------------------------------------------------- | ------------ | ---------------- | ------------------ | --------------------------------------------------------- |
| [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (WARP) | Yes          | Yes              | Yes                | Roaming users on managed devices (laptops, phones)        |
| [DNS resolver](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) configuration       | Yes          | No               | No                 | Unmanaged devices, entire networks, or initial rollout    |
| [Proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) (PAC file)      | No           | No               | Yes (browser only) | Browser-level HTTP filtering without a device agent       |
| [Network tunnel](https://developers.cloudflare.com/cloudflare-one/networks/) (IPsec/GRE via Magic WAN)                             | Yes          | Yes              | Yes                | Branch offices, data centers, and site-level connectivity |

* The **Cloudflare One Client** provides the broadest coverage and is the recommended method for per-device deployments.
* **DNS resolver** configuration is the easiest to deploy (change a DNS setting on your router or device) and provides immediate protection, but it only enforces DNS policies.
* **Proxy endpoints** enable HTTP inspection through browser proxy configuration without installing an agent, but they are limited to browser traffic.
* **Network tunnels** route all site traffic through Gateway and are best for protecting entire office locations or data centers.

You can combine multiple on-ramps. For example, use the Cloudflare One Client for remote employees and network tunnels for branch offices.

## How Gateway processes traffic

When a user makes a request, Gateway inspects it at multiple layers before allowing the connection through. The following diagram shows the end-to-end flow:

```mermaid
flowchart LR
    accTitle: Gateway traffic flow
    accDescr: Diagram showing how traffic flows from user device through an on-ramp to Cloudflare Gateway for policy evaluation, then to the destination.

    A["User device"] --> B["On-ramp"]
    B --> C["Cloudflare edge<br/>(nearest location)"]
    C --> D["Policy evaluation"]
    D --> E["Destination<br/>server"]
    E --> D
    D --> C
    C --> B
    B --> A
```

1. The user's device sends a request (DNS query, TCP connection, or HTTP request).
2. The request reaches Cloudflare through an **on-ramp** — the Cloudflare One Client, a DNS resolver configuration, a proxy endpoint, or a network tunnel.
3. Cloudflare processes the request at the **nearest edge location**, not a centralized data center. This keeps latency low regardless of where the user connects from.
4. Gateway evaluates the request against your configured policies in [order of enforcement](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/): DNS policies first, then network policies, then HTTP policies.
5. If policies allow the request, Gateway proxies it to the destination server and inspects the response on the return path.

For details on how Gateway proxies traffic and establishes connections, refer to [Proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/).

## Troubleshoot Cloudflare Gateway policies

For help resolving common issues with Cloudflare Gateway policies, refer to [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/).


---

---
title: Applications and app types
description: Reference information for Applications and app types in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Applications and app types

Gateway allows you to create DNS, Network, and HTTP policies based on applications and application types. Because a single application often spans multiple hostnames, selecting an application by name is easier than writing separate rules for each hostname. You can select individual applications or application types to filter specific traffic on your network.

## Applications

When you choose the _Application_ selector in a Gateway policy builder, the **Value** field will include all supported applications and their respective app types. Alternatively, you can use the [Gateway API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/app%5Ftypes/methods/list/) to fetch a list of applications, app types, and ID numbers.

To manage a consolidated list of applications across Cloudflare One, you can use the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/).

## App types

Gateway sorts applications into the following app type groups:

| Value                                          | Definition                                                                                                                                                   |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Artificial Intelligence                        | AI assistance applications                                                                                                                                   |
| Business                                       | Applications used for general business purposes                                                                                                              |
| Collaboration & Online Meetings                | Business communication and collaboration applications                                                                                                        |
| Dating                                         | Online dating applications                                                                                                                                   |
| Development                                    | Software development and development operations applications                                                                                                 |
| Education                                      | Applications used for educational purposes and e-learning                                                                                                    |
| Email                                          | Email applications                                                                                                                                           |
| Entertainment & Events                         | Applications used for entertainment content and event information                                                                                            |
| Encrypted DNS                                  | DNS encryption applications                                                                                                                                  |
| File Sharing                                   | File sharing applications                                                                                                                                    |
| Finance & Accounting                           | Financial and accounting applications                                                                                                                        |
| Food & Drink                                   | Applications related to food delivery and recipe services                                                                                                    |
| Gaming                                         | Games and gaming applications                                                                                                                                |
| Health & Fitness                               | Applications used for health monitoring and fitness tracking                                                                                                 |
| Human Resources                                | Employee management applications and workforce tools                                                                                                         |
| Instant Messaging                              | Instant messaging applications                                                                                                                               |
| IT Management                                  | IT deployment management applications                                                                                                                        |
| Legal                                          | Legal tools and applications                                                                                                                                 |
| Lifestyle                                      | Applications related to lifestyle and personal interests                                                                                                     |
| Music & Audio Streaming                        | Applications used for streaming music and audio                                                                                                              |
| Navigation                                     | Applications used for maps and navigation services                                                                                                           |
| News, Books, & Magazines                       | Applications delivering news, books, and magazine content                                                                                                    |
| Photography & Graphic Design                   | Applications used for photography and graphic design                                                                                                         |
| Productivity                                   | Business and productivity applications                                                                                                                       |
| Public Cloud                                   | Public cloud infrastructure management applications                                                                                                          |
| Sales & Marketing                              | Sales and marketing applications                                                                                                                             |
| Search Engines                                 | Web search engines and applications                                                                                                                          |
| Security                                       | Information security applications, including shadow IT                                                                                                       |
| Shopping                                       | Online shopping applications                                                                                                                                 |
| Social Networking                              | Social networking applications                                                                                                                               |
| Sports                                         | Sports streaming and news applications                                                                                                                       |
| Travel                                         | Travel related applications                                                                                                                                  |
| Video Streaming & Editing                      | Applications used for streaming and editing video                                                                                                            |
| [Do Not Inspect](#do-not-inspect-applications) | Applications incompatible with the TLS certificate required by the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/) |

## Application hostnames

An application like Google Drive uses its own hostnames (for example, `drive.google.com`) and shared resources used by other applications (for example, `accounts.google.com` for login). Gateway separates these into [hostnames](#hostnames) and [support hostnames](#support-hostnames) so you can control the behavior of each application independently.

### Hostnames

Hostnames are domains that are core to the application and not [used by other applications](#overlapping-hostnames). These are the domains that Gateway blocks when you block an application. The App Library surfaces these hostnames in the [Hostnames table](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/#overview) for an application.

### Support hostnames

Support hostnames are shared resources that applications depend on for content delivery, authentication, or third-party integrations. Because multiple applications share these hostnames, blocking them can cause unexpected side effects.

For example, assume that `file-sharing-service.com` relies on `content-delivery.com`. If you allow access to `file-sharing-service.com` and its associated subdomains but not `content-delivery.com`, some of the functionality of `file-sharing-service.com` may break when Gateway matches the traffic.

To prevent this, Gateway only uses support hostnames in Allow policies — it will allow support hostname connections but will not block them. For example, many Google applications use `accounts.google.com` for authentication. If you create an Allow policy for an application that lists `accounts.google.com` as a support hostname, Gateway will allow both `accounts.google.com` and the application's own domains.

## Application controls

When you use the [_Application_ selector](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls) in an HTTP policy with the _is_ operator, you can choose specific actions and operations to match application traffic. Supported applications and operations include:

**Artificial Intelligence**

* ChatGPT
* Google Gemini
* Perplexity
* Claude

**File Sharing**

* Box
* Dropbox
* Google Drive
* WeTransfer
* Hightail
* ShareFile
* Smash

For more information, refer to [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/).

## Usage

### Overlapping hostnames

Overlapping hostnames are most common for vendors with many applications, such as Google or Meta. When you use the Application selector in Gateway policies, actions taken by Gateway will be limited to the specific application defined. Gateway will also log other applications that use the same hostnames, but it will not take action unless the application was matched by the policy. For example, both the Facebook and Facebook Messenger apps use the `chat-e2ee.facebook.com` hostname. When evaluating traffic to the Facebook Messenger app, Gateway will only take action on Facebook Messenger traffic but may log both the Facebook and Facebook Messenger apps.

To ensure Gateway evaluates traffic with your desired precedence, order your most specific policies with the highest priority according to [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#priority-within-a-policy-builder).

### Do Not Inspect applications

Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected.

When managing applications with the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/), Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**.

**Install Cloudflare certificate manually to allow TLS decryption**

Instead of creating a Do Not Inspect policy for an application, you may be able to configure the application to [trust a Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications). Doing so will allow the application to function without losing visibility into your traffic.

#### TLS decryption limitations

Applications can be incompatible with [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) for various reasons:

* **Certificate pinning**: Certificate pinning is a security mechanism used to prevent on-path attacks on the Internet by hardcoding information about the certificate that the application expects to receive. If the wrong certificate is received, even if it is trusted by the system, the application will refuse to connect.
* **Non-web traffic**: Some applications send non-web traffic over TLS, such as Session Initiation Protocol (SIP) for voice and video calls and Extensible Messaging and Presence Protocol (XMPP) for chat. Gateway cannot inspect these protocols.

#### Microsoft 365 integration

To optimize performance for Microsoft 365 applications and services, you can bypass TLS decryption by turning on the Microsoft 365 traffic integration. This will create a [Do Not Inspect policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for all [Microsoft 365 domains and IP addresses ↗](https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service) specified by Microsoft. This policy also uses Cloudflare intelligence to identify other Microsoft 365 traffic not explicitly defined.

To turn on the Microsoft 365 integration:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings** \> **Policy settings**.
2. In **Bypass decryption of Microsoft 365 traffic**, select **Create policy**.
3. To verify the policy was created, select **View policy**. Alternatively, go to **Traffic policies** \> **HTTP policies**. A policy named Microsoft 365 Auto Generated will be enabled in your list.

All future Microsoft 365 traffic will bypass Gateway logging and filtering. To disable this behavior, turn off or delete the policy.

### Terraform

Terraform users can retrieve the app types list with the `cloudflare_zero_trust_gateway_app_types_list` data source. This allows you to create Gateway policies with the application's name rather than its numeric ID. For example:

```hcl
data "cloudflare_zero_trust_gateway_app_types_list" "gateway_apptypes" {
  account_id = var.cloudflare_account_id
}

locals {
  # Map each application or app type name to its numeric Gateway ID.
  apptypes_map = merge([
    for c in data.cloudflare_zero_trust_gateway_app_types_list.gateway_apptypes.result :
    { (c.name) = c.id }
  ]...)
}

resource "cloudflare_zero_trust_gateway_policy" "zt_block_dns_apps" {
  account_id = var.cloudflare_account_id
  name       = "DNS Blocked apps"
  action     = "block"
  # Evaluate this rule in the DNS policy builder.
  filters    = ["dns"]
  traffic    = "any(app.ids[*] in {${join(" ", [
    local.apptypes_map["Discord"],
    local.apptypes_map["GoToMeeting"],
    local.apptypes_map["Greenhouse"],
    local.apptypes_map["Zelle"],
    local.apptypes_map["Microsoft Visual Studio"]
  ])}})"
}
```
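The same name-to-ID resolution, driven from the Gateway API in Python instead of Terraform, as an added example that is not part of Cloudflare's documentation or code. It reads the app types listing (the endpoint referenced under Applications above), builds the `any(app.ids[*] in {...})` expression used in the Terraform example, and wraps it in a rule body for the Gateway rules endpoint. The listing below is constructed for the example; the assumption that application rows carry an `application_type_id` while app type rows do not, and the rule body field names, follow the API's shape and are not stated on this page.

```python
"""Resolve Gateway application names to IDs and build a DNS Block rule.

Added example, not Cloudflare's code. SAMPLE_APP_TYPES_RESPONSE is
constructed for the example and mirrors the assumed shape of
GET /accounts/{account_id}/gateway/app_types: app type rows carry only
id/name, application rows additionally carry application_type_id.
"""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

SAMPLE_APP_TYPES_RESPONSE = {  # constructed sample; IDs are not real Gateway IDs
    "success": True,
    "result": [
        {"id": 1, "name": "Collaboration & Online Meetings"},
        {"id": 2, "name": "Instant Messaging"},
        {"id": 3, "name": "Development"},
        {"id": 101, "name": "Discord", "application_type_id": 2},
        {"id": 102, "name": "GoToMeeting", "application_type_id": 1},
        {"id": 103, "name": "Microsoft Visual Studio", "application_type_id": 3},
    ],
}


def fetch_app_types(account_id: str, api_token: str) -> dict:
    """Live lookup of the app types listing (not called by the offline sample)."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/gateway/app_types",
        headers={"Authorization": f"Bearer {api_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def application_ids_by_name(listing: dict) -> dict:
    """Map application name -> ID, skipping app type rows (no application_type_id)."""
    return {
        item["name"]: item["id"]
        for item in listing["result"]
        if "application_type_id" in item
    }


def block_apps_expression(names, app_ids: dict) -> str:
    """Build the Gateway expression used by the Terraform example on this page.

    Unknown names raise instead of being dropped: a misspelled application
    must not silently yield an expression that blocks nothing.
    """
    missing = sorted(set(names) - set(app_ids))
    if missing:
        raise KeyError(f"unknown application name(s): {missing}")
    ids = " ".join(str(app_ids[name]) for name in names)
    return f"any(app.ids[*] in {{{ids}}})"


def dns_block_rule(rule_name: str, names, app_ids: dict, precedence: int) -> dict:
    """Rule body for POST /accounts/{account_id}/gateway/rules (field names assumed).

    precedence is set explicitly so the rule's position in the evaluation
    order is not left to the API default.
    """
    return {
        "name": rule_name,
        "enabled": True,
        "action": "block",
        "filters": ["dns"],
        "precedence": precedence,
        "traffic": block_apps_expression(names, app_ids),
    }


if __name__ == "__main__":
    ids = application_ids_by_name(SAMPLE_APP_TYPES_RESPONSE)
    rule = dns_block_rule("DNS Blocked apps", ["Discord", "GoToMeeting"], ids, 1000)
    print(json.dumps(rule, indent=2))
```

Unknown names raise rather than being skipped, so a typo in an application name fails the deployment instead of shipping a Block rule whose set of IDs is empty.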


---

---
title: DNS policies
description: Configure DNS policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# DNS policies

DNS policies let you control which websites and services your users can reach by inspecting their DNS queries — the lookups that translate domain names into IP addresses. Because DNS policies act at the lookup stage, they work across all protocols and applications, not just web browsers.

When a user makes a DNS request, [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Allow or Override policy, the user's client receives an address based on DNS resolution from Cloudflare's public DNS resolver (1.1.1.1). You can also use a [resolver policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to redirect DNS requests to a custom server.

A DNS policy consists of an **Action** as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a **Selector** and an **Operator**, and enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions.

* [Actions](#actions)
* [Selectors](#selectors)
* [Comparison operators](#comparison-operators)
* [Value](#value)
* [Logical operators](#logical-operators)

When creating a DNS policy, you can select as many security risk categories and content categories as needed to fully secure your network. Unless a more specific selector is configured in a policy (for example, _User Email_ or _Source IP_), the policy is evaluated against all DNS queries that reach Gateway from your organization.

If a condition in an expression joins a query attribute (such as _Source IP_) and a response attribute (such as _Resolved IP_), then the condition will be evaluated when the response is received.

**Terraform provider v4 precedence limitation**

To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint.

To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade).

## Actions

The action determines what Gateway does when a DNS query matches your policy conditions. You can assign one action per policy.

These are the action types you can choose from:

* [Allow](#allow)
* [Block](#block)
* [Override](#override)
* [Safe Search](#safe-search)
* [YouTube Restricted Mode](#youtube-restricted-mode)

### Allow

API value: `allow`

**Available selectors**

**Traffic**

* [Application](#application)
* [Authoritative Nameserver IP](#authoritative-nameserver-ip)
* [Content Categories](#content-categories)
* [DNS CNAME Response Value](#dns-cname-record)
* [DNS MX Response Value](#dns-mx-record)
* [DNS PTR Response Value](#dns-ptr-record)
* [DNS Resolver IP](#dns-resolver-ip)
* [DNS TXT Response Value](#dns-txt-record)
* [DOH Subdomain](#doh-subdomain)
* [Domain](#domain)
* [Host](#host)
* [Indicator Feeds](#indicator-feeds)
* [Location](#location)
* [Query Record Type](#query-record-type)
* [Resolved Continent IP Geolocation](#resolved-continent)
* [Resolved Country IP Geolocation](#resolved-country)
* [Resolved IP](#resolved-ip)
* [Request Context Categories](#request-context-categories)
* [Security Categories](#security-categories)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source IP](#source-ip)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

Policies with Allow actions explicitly permit DNS queries to resolve. Gateway uses a [first-match principle](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), which means that if an Allow policy matches a query at a higher precedence than a Block policy, the query will be allowed to resolve. For example, the following configuration allows DNS queries to reach domains categorized as belonging to the Education content category:

| Selector           | Operator | Value       | Action |
| ------------------ | -------- | ----------- | ------ |
| Content Categories | in       | _Education_ | Allow  |

#### Disable DNSSEC validation

DNSSEC (Domain Name System Security Extensions) verifies that DNS responses have not been tampered with by checking a cryptographic signature attached to the record. When you select **Disable DNSSEC validation**, Gateway will resolve DNS queries even if the signature cannot be validated. We do not recommend disabling DNSSEC validation unless you know that the validation failure is due to DNSSEC configuration issues and not malicious attacks.

### Block

API value: `block`

**Available selectors**

**Traffic**

* [Application](#application)
* [Authoritative Nameserver IP](#authoritative-nameserver-ip)
* [Content Categories](#content-categories)
* [DNS CNAME Response Value](#dns-cname-record)
* [DNS MX Response Value](#dns-mx-record)
* [DNS PTR Response Value](#dns-ptr-record)
* [DNS Resolver IP](#dns-resolver-ip)
* [DNS TXT Response Value](#dns-txt-record)
* [DOH Subdomain](#doh-subdomain)
* [Domain](#domain)
* [Host](#host)
* [Indicator Feeds](#indicator-feeds)
* [Location](#location)
* [Query Record Type](#query-record-type)
* [Resolved Continent IP Geolocation](#resolved-continent)
* [Resolved Country IP Geolocation](#resolved-country)
* [Resolved IP](#resolved-ip)
* [Request Context Categories](#request-context-categories)
* [Security Categories](#security-categories)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source IP](#source-ip)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

Policies with Block actions prevent DNS queries from resolving for destinations you specify within the Selector and Value fields. For example, the following configuration blocks DNS queries from reaching domains categorized as belonging to the Adult Themes content category:

| Selector           | Operator | Value          | Action |
| ------------------ | -------- | -------------- | ------ |
| Content Categories | in       | _Adult Themes_ | Block  |

#### Custom block page

When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/).

If the block page is turned off for a policy, Gateway will respond to blocked queries with an `A` record (IPv4) of `0.0.0.0` or an `AAAA` record (IPv6) of `::`. Because no server responds at these addresses, the browser will display its default connection error page.

For blocked queries of record types other than `A` or `AAAA` (for example, `MX` or `TXT`), Gateway responds with the `REFUSED` DNS return code (`RCODE` 5). The request is blocked, but no block page is displayed.
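To confirm from a packet capture which of these block responses a client actually received (for example, when triaging a "site does not load" report), the following added example decodes a raw DNS response with the standard library and classifies it by the rules above. It is not Cloudflare's code; the responses it checks are constructed in-line by `build_response()` and are not captured Gateway traffic. Because the `0.0.0.0` and `::` answers are only returned when the block page is off, a policy with the block page turned on answers with the block page's address instead, and this check reports that as resolved.

```python
"""Classify a raw DNS response as a Gateway block or a normal resolution.

Added example, not Cloudflare's code. Decodes the DNS wire format (RFC 1035)
and applies the block signatures from this page: REFUSED (RCODE 5) for
non-A/AAAA types, A 0.0.0.0 or AAAA :: otherwise. build_response() creates
constructed sample packets; they are not captured Gateway traffic.
"""
import ipaddress
import struct

TYPE_A, TYPE_TXT, TYPE_AAAA = 1, 16, 28
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels plus the root terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname: str, qtype: int, rcode: int = 0, answers=()) -> bytes:
    """Constructed response with one question; answers are (rtype, rdata) pairs
    whose NAME is a compression pointer back to the question name (offset 12)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, RCODE in the low 4 bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b""
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + body


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return qname, qtype, rcode and the answer section; assumes one question."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"qname": qname, "qtype": qtype, "rcode": flags & 0xF, "answers": answers}


def classify_gateway_response(msg: bytes) -> str:
    """Apply the block signatures described above. A block with the block page
    turned on answers with the block page address and is reported as resolved."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_REFUSED:
        return "blocked (REFUSED)"
    for rtype, rdata in r["answers"]:
        if rtype == TYPE_A and ipaddress.IPv4Address(rdata) == ipaddress.IPv4Address("0.0.0.0"):
            return "blocked (A 0.0.0.0)"
        if rtype == TYPE_AAAA and ipaddress.IPv6Address(rdata) == ipaddress.IPv6Address("::"):
            return "blocked (AAAA ::)"
    return "resolved"
```

In practice, feed `classify_gateway_response()` the UDP payload of the response from a capture; a `REFUSED` on an `A` query is not one of Gateway's block signatures and points at the upstream resolver rather than a policy.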

#### Cloudflare One Client block notifications

**Feature availability**

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/plans/zero-trust-services/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| Traffic and DNS mode, Traffic only mode                                                                                            | Enterprise                                                                  |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2024.1.159.0           |
| macOS    | ✅            | 2024.1.160.0           |
| Linux    | ❌            |                        |
| iOS      | ✅            | 1.7                    |
| Android  | ✅            | 1.4                    |
| ChromeOS | ✅            | 1.4                    |

Turn on **Display block notification for Cloudflare One Client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the Cloudflare One Client with a custom message you set. If you do not set a custom message, the Cloudflare One Client will display a default message. Custom messages must be 100 characters or less. The Cloudflare One Client will only display one notification per minute.

Upon selecting the notification, the Cloudflare One Client will direct your users to the [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form.

When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include:

Policy context fields

| Field                 | Definition                                                                                                                                       | Example                                                              |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
| User email            | Email of the user that made the query.                                                                                                           | &cf\_user\_email=user@example.com                                    |
| Site URL              | Full URL of the original HTTP request or domain name in DNS query.                                                                               | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F             |
| URL category          | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected.           | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains        |
| Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request.                                                                          | &cf\_referer=https%3A%2F%2Fexample.com%2F                            |
| Rule ID               | ID of the Gateway policy that matched the request.                                                                                               | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                   |
| Source IP             | Source IP address of the device that matched the policy.                                                                                         | &cf\_source\_ip=203.0.113.5                                          |
| Device ID             | UUID of the device that matched the policy.                                                                                                      | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                 |
| Application names     | Name of the application the redirected domain corresponds to, if any.                                                                            | &cf\_application\_name=Salesforce                                    |
| Filter                | The traffic type filter that triggered the block.                                                                                                | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 |
| Account ID            | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d                    |
| Query ID              | ID of the DNS query for which the redirect took effect.                                                                                          | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                  |
| Connection ID         | ID of the proxy connection for which the redirect took effect.                                                                                   | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3             |
| Request ID            | ID of the HTTP request for which the redirect took effect.                                                                                       | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                |
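A custom redirect target (for example an internal support form) has to parse these fields itself. The following is an added example, not Cloudflare code: it assumes a support form at an address of our choosing, extracts the `cf_*` parameters listed above, validates the ones with a known shape (UUIDs, the 32-hex account ID, the filter name, the source IP), and escapes everything before it is shown, since the query string arrives through the user's browser rather than directly from Gateway.

```python
"""Parse the policy-context query string that Gateway appends to a block-page redirect.

Added example, not Cloudflare code. The redirect target (support.internal.example)
is an assumption; the cf_* parameter names are the ones listed above. Every value
is validated and escaped, because it arrives via the user's browser and can be
altered before it reaches the form.
"""
import html
import ipaddress
import re
import uuid
from typing import Dict, List, Union
from urllib.parse import parse_qs, urlsplit

KNOWN_FILTERS = {"http", "dns", "av", "l4"}
UUID_FIELDS = {"cf_rule_id", "cf_device_id", "cf_query_id",
               "cf_connection_id", "cf_request_id"}
ACCOUNT_ID_RE = re.compile(r"[0-9a-f]{32}")

# Constructed redirect URL, built from the example values in the table above.
SAMPLE_REDIRECT = (
    "https://support.internal.example/blocked"
    "?cf_user_email=user@example.com"
    "&cf_site_uri=https%3A%2F%2Fmalware.testcategory.com%2F"
    "&cf_request_categories=New%20Domains,Newly%20Seen%20Domains"
    "&cf_rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1"
    "&cf_filter=dns"
    "&cf_source_ip=203.0.113.5"
    "&cf_query_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3"
    "&cf_account_id=d57c3de47a013c03ca7e237dd3e61d7d"
)

Context = Dict[str, Union[str, List[str]]]


def _well_formed(key: str, value: str) -> bool:
    """Field-specific sanity checks; other cf_* fields are accepted as opaque text."""
    if key in UUID_FIELDS:
        try:
            uuid.UUID(value)
            return True
        except ValueError:
            return False
    if key == "cf_account_id":
        return ACCOUNT_ID_RE.fullmatch(value) is not None
    if key == "cf_filter":
        return value in KNOWN_FILTERS
    if key == "cf_source_ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return True


def parse_policy_context(redirect_url: str) -> Context:
    """Return the recognised, well-formed cf_* fields; drop everything else."""
    query = parse_qs(urlsplit(redirect_url).query)
    ctx: Context = {}
    for key, values in query.items():
        value = values[-1]  # if a parameter repeats, keep the last occurrence
        if not key.startswith("cf_") or not _well_formed(key, value):
            continue
        if key == "cf_request_categories":
            ctx[key] = [c.strip() for c in value.split(",") if c.strip()]
        else:
            ctx[key] = value
    return ctx


def ticket_summary(ctx: Context) -> str:
    """One HTML-escaped line for a support ticket; never render a raw value."""
    site = html.escape(str(ctx.get("cf_site_uri", "unknown destination")))
    filt = html.escape(str(ctx.get("cf_filter", "unknown")))
    rule = html.escape(str(ctx.get("cf_rule_id", "unknown rule")))
    cats = ", ".join(html.escape(c) for c in ctx.get("cf_request_categories", []))
    line = f"Blocked {filt} request to {site} by rule {rule}"
    return f"{line} (categories: {cats})" if cats else line


if __name__ == "__main__":
    context = parse_policy_context(SAMPLE_REDIRECT)
    for field, value in sorted(context.items()):
        print(f"{field:24s} {value}")
    print(ticket_summary(context))
```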

Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac).

### Override

API value: `override`

Available selectors

The Override action cannot be used with selectors evaluated during or after DNS resolution.

**Traffic**

* [Application](#application)
* [Content Categories](#content-categories)
* [DNS Resolver IP](#dns-resolver-ip)
* [DOH Subdomain](#doh-subdomain)
* [Domain](#domain)
* [Host](#host)
* [Location](#location)
* [Query Record Type](#query-record-type)
* [Resolved Continent IP Geolocation](#resolved-continent)
* [Resolved Country IP Geolocation](#resolved-country)
* [Security Categories](#security-categories)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source IP](#source-ip)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

Policies with Override actions replace the real DNS answer with a destination you specify. When a user queries a domain that matches the policy, Gateway returns your custom IP address or hostname instead of the actual DNS record. For example, you can provide a custom response IP of `1.2.3.4` for all queries to `www.example.com` with the following policy:

| Selector | Operator | Value           | Action   | Override Hostname |
| -------- | -------- | --------------- | -------- | ----------------- |
| Hostname | is       | www.example.com | Override | 1.2.3.4           |

Note

The Override action only supports queries for A, AAAA, and HTTPS records. If a query for a different type of record matches an Override policy, Gateway will return REFUSED.

### Safe Search

API value: `safesearch`

Available selectors

**Traffic**

* [Application](#application)
* [Content Categories](#content-categories)
* [DNS Resolver IP](#dns-resolver-ip)
* [DOH Subdomain](#doh-subdomain)
* [Domain](#domain)
* [Host](#host)
* [Location](#location)
* [Query Record Type](#query-record-type)
* [Resolved Continent IP Geolocation](#resolved-continent)
* [Resolved Country IP Geolocation](#resolved-country)
* [Security Categories](#security-categories)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source IP](#source-ip)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

SafeSearch is a feature of search engines that helps you filter explicit or offensive content. When you enable SafeSearch, the search engine filters explicit or offensive content and returns search results that are safe for children or at work.

You can use Cloudflare Gateway to enable SafeSearch on search engines like Google, Bing, Yandex, YouTube and DuckDuckGo. For example, to enable SafeSearch for Google, you can create the following policy:

| Selector | Operator | Value      | Action      |
| -------- | -------- | ---------- | ----------- |
| Domain   | is       | google.com | Safe Search |

### YouTube Restricted Mode

API value: `ytrestricted`

Available selectors

**Traffic**

* [Application](#application)
* [Content Categories](#content-categories)
* [DNS Resolver IP](#dns-resolver-ip)
* [DOH Subdomain](#doh-subdomain)
* [Domain](#domain)
* [Host](#host)
* [Location](#location)
* [Query Record Type](#query-record-type)
* [Resolved Continent IP Geolocation](#resolved-continent)
* [Resolved Country IP Geolocation](#resolved-country)
* [Security Categories](#security-categories)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source IP](#source-ip)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

Similarly, you can enforce YouTube Restricted mode by choosing the _YouTube Restricted_ action. YouTube Restricted Mode is an automated filter for adult and offensive content built into YouTube. To enable YouTube Restricted Mode, you could set up a policy like the following:

| Selector   | Operator | Value       | Action             |
| ---------- | -------- | ----------- | ------------------ |
| DNS Domain | is       | youtube.com | YouTube Restricted |

With this policy in place, Gateway enforces Restricted Mode at the DNS layer, so users are blocked from accessing offensive content.

## Selectors

Gateway matches DNS queries against the following selectors, or criteria.

Each selector is evaluated during a specific phase of the DNS resolution process:

* **Before DNS resolution** — Gateway inspects properties of the incoming query (for example, the domain name or source IP) before looking up the answer.
* **During DNS resolution** — Gateway inspects information discovered while resolving the query (for example, the authoritative nameserver IP).
* **After DNS resolution** — Gateway inspects the DNS answer (for example, the resolved IP or CNAME record) after resolution completes.

The Override action cannot be used with selectors evaluated during or after DNS resolution, because the override must be applied before the answer is returned. For more information on how evaluation phase interacts with precedence, refer to [order of enforcement](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#dns-policies).

### Application

You can apply DNS policies to a growing list of popular web applications. Refer to [Application and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/) for more information.

| UI name     | API example                 | Evaluation phase      |
| ----------- | --------------------------- | --------------------- |
| Application | any(app.ids\[\*\] in {505}) | Before DNS resolution |

### Authoritative Nameserver IP

Use this selector to match against the IP address of the authoritative nameserver that answers the query.

| UI name                     | API example                                | Evaluation phase      |
| --------------------------- | ------------------------------------------ | --------------------- |
| Authoritative Nameserver IP | dns.authoritative\_ns\_ips == 198.51.100.0 | During DNS resolution |

### Content Categories

Use this selector to filter domains belonging to specific [content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories).

| UI name            | API example                             | Evaluation phase      |
| ------------------ | --------------------------------------- | --------------------- |
| Content Categories | any(dns.content\_category\[\*\] in {1}) | Before DNS resolution |

When using an Allow or Block action, you can optionally [block IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category) or [filter categories for CNAME records](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories).

### DNS CNAME Record

Use this selector to filter DNS responses by their `CNAME` records.

| UI name                  | API example                                                    | Evaluation phase     |
| ------------------------ | -------------------------------------------------------------- | -------------------- |
| DNS CNAME Response Value | any(dns.response.cname\[\*\] in {"www.apple.com.edgekey.net"}) | After DNS resolution |

Note

If one CNAME record points to another CNAME record, each record in the chain will be evaluated. For example, if `abc.example.com` points to `xyz.example.com`, then your DNS policy will evaluate both `abc.example.com` and `xyz.example.com`.

### DNS MX Record

Use this selector to filter DNS responses by their `MX` records.

| UI name               | API example                                                  | Evaluation phase     |
| --------------------- | ------------------------------------------------------------ | -------------------- |
| DNS MX Response Value | any(dns.response.mx\[\*\] in {"gmail-smtp-in.l.google.com"}) | After DNS resolution |

### DNS PTR Record

Use this selector to filter DNS responses by their `PTR` records.

| UI name                | API example                                                 | Evaluation phase     |
| ---------------------- | ----------------------------------------------------------- | -------------------- |
| DNS PTR Response Value | any(dns.response.ptr\[\*\] in {"255.2.0.192.in-addr.arpa"}) | After DNS resolution |

### DNS Resolver IP

Use this selector to apply policies to DNS queries that arrived at the Gateway resolver IP address associated with a registered DNS location. For most Gateway customers, this is an IPv4 anycast address, and policies created using this IPv4 address apply to all DNS locations. However, each DNS location has a dedicated IPv6 address, and some Gateway customers have been supplied with a dedicated IPv4 address; either of these can be used to apply policies to specific registered DNS locations.

| UI name         | API example                                 | Evaluation phase      |
| --------------- | ------------------------------------------- | --------------------- |
| DNS Resolver IP | any(dns.resolved\_ip\[\*\] == 198.51.100.0) | Before DNS resolution |

### DNS TXT Record

Use this selector to filter DNS responses by their `TXT` records.

| UI name                | API example                                   | Evaluation phase     |
| ---------------------- | --------------------------------------------- | -------------------- |
| DNS TXT Response Value | any(dns.response.txt\[\*\] in {"your\_text"}) | After DNS resolution |

### DoH Subdomain (DNS over HTTPS)

Use this selector to match against DNS queries that arrive via DNS-over-HTTPS (DoH) destined for the DoH endpoint configured for each DNS location. For example, you can use a DNS location with a DoH endpoint of `abcdefg.cloudflare-gateway.com` by choosing the DoH Subdomain selector and inputting a value of `abcdefg`.

| UI name       | API example                     | Evaluation phase      |
| ------------- | ------------------------------- | --------------------- |
| DOH Subdomain | dns.doh\_subdomain == "abcdefg" | Before DNS resolution |

### Domain

Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`.

| UI name | API example                             | Evaluation phase      |
| ------- | --------------------------------------- | --------------------- |
| Domain  | any(dns.domains\[\*\] == "example.com") | Before DNS resolution |

Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

### Host

Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`.

| UI name | API example               | Evaluation phase      |
| ------- | ------------------------- | --------------------- |
| Host    | dns.fqdn == "example.com" | Before DNS resolution |

Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

Note

Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector.

### Indicator Feeds

Use this selector to match against custom indicator feeds.

You can use a [publicly available indicator feed](https://developers.cloudflare.com/security-center/indicator-feeds/#publicly-available-feeds) or a custom indicator feed assigned to your account by a designated third-party vendor. For more information on indicator feeds, refer to [Custom Indicator Feeds](https://developers.cloudflare.com/security-center/indicator-feeds/).

| UI name         | API example         | Evaluation phase      |
| --------------- | ------------------- | --------------------- |
| Indicator Feeds | dns.indicator\_feed | Before DNS resolution |

When using an Allow or Block action, you can optionally [block IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category) or [filter categories for CNAME records](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories).

### Location

Use this selector to apply policies to a specific [Gateway DNS location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) or set of locations.

| UI name  | API example                                               | Evaluation phase      |
| -------- | --------------------------------------------------------- | --------------------- |
| Location | dns.location in {"location\_uuid\_1" "location\_uuid\_2"} | Before DNS resolution |

### Query Record Type

Use this selector to choose the DNS resource record type that you would like to apply policies against. For example, you can match `A` records for a domain but not `MX` records.

| UI name           | API example               | Evaluation phase      |
| ----------------- | ------------------------- | --------------------- |
| Query Record Type | dns.query\_rtype == "TXT" | Before DNS resolution |

### Resolved Continent

Use this selector to filter based on the continent that the query resolves to. Geolocation is determined from the IP address in the response. To specify a continent, enter its two-letter code into the **Value** field:

* AF - Africa
* AN - Antarctica
* AS - Asia
* EU - Europe
* NA - North America
* OC - Oceania
* SA - South America
* T1 - Tor network

| UI name                           | API example                   | Evaluation phase     |
| --------------------------------- | ----------------------------- | -------------------- |
| Resolved Continent IP Geolocation | dns.dst.geo.continent == "EU" | After DNS resolution |

### Resolved Country

Use this selector to filter based on the country that the query resolves to. Geolocation is determined from the IP address in the response. To specify a country, enter its [ISO 3166-1 Alpha 2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                         | API example                 | Evaluation phase     |
| ------------------------------- | --------------------------- | -------------------- |
| Resolved Country IP Geolocation | dns.dst.geo.country == "RU" | After DNS resolution |

### Resolved IP

Use this selector to filter based on the IP addresses that the query resolves to.

| UI name     | API example                                  | Evaluation phase     |
| ----------- | -------------------------------------------- | -------------------- |
| Resolved IP | any(dns.resolved\_ips\[\*\] == 198.51.100.0) | After DNS resolution |

### Request Context Categories

Use this selector to match a dynamic list of [category IDs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#category-and-subcategory-ids) sent in the [EDNS (Extension Mechanisms for DNS) ↗](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. EDNS allows extra metadata to be attached to a DNS query beyond the standard fields. Gateway reads category IDs from the EDNS OPT code `65050`.

| UI name                    | API example                                   | Evaluation phase      |
| -------------------------- | --------------------------------------------- | --------------------- |
| Request Context Categories | dns.categories\_in\_request\_context\_matches | Before DNS resolution |

### Security Categories

Use this selector to match domains (and optionally, [IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category)) belonging to specific [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories).

| UI name             | API example                              | Evaluation phase      |
| ------------------- | ---------------------------------------- | --------------------- |
| Security Categories | any(dns.security\_category\[\*\] in {1}) | Before DNS resolution |

When using an Allow or Block action, you can optionally [block IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category) or [filter categories for CNAME records](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories).

### Source Continent

Use this selector to filter based on the continent from which the query arrived at Gateway.

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field:

| Continent     | Code |
| ------------- | ---- |
| Africa        | AF   |
| Antarctica    | AN   |
| Asia          | AS   |
| Europe        | EU   |
| North America | NA   |
| Oceania       | OC   |
| South America | SA   |
| Tor network   | T1   |

| UI name                         | API example                              | Evaluation phase      |
| ------------------------------- | ---------------------------------------- | --------------------- |
| Source Continent IP Geolocation | dns.src.geo.continent == "NA"            | Before DNS resolution |

### Source Country

Use this selector to filter based on the country from which the query arrived at Gateway.

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                       | API example                 | Evaluation phase      |
| ----------------------------- | --------------------------- | --------------------- |
| Source Country IP Geolocation | dns.src.geo.country == "RU" | Before DNS resolution |

### Source IP

Use this selector to apply policies to the source IP address of DNS queries. For example, this could be the WAN IP address of the stub resolver used by your organization to send queries to Gateway.

| UI name   | API example                 | Evaluation phase      |
| --------- | --------------------------- | --------------------- |
| Source IP | dns.src\_ip == 198.51.100.0 | Before DNS resolution |

### Source Internal IP

Use this selector to apply policies to the source internal IP address of a DNS query. For example, this could be the private IP address of the hosts behind [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/) (formerly Magic WAN) or [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) used by your organization to send queries to Gateway.

| UI name            | API example                        | Evaluation phase      |
| ------------------ | ---------------------------------- | --------------------- |
| Source Internal IP | dns.src\_internal\_ip == 10.10.0.1 | Before DNS resolution |

### Users

Use these selectors to match against identity attributes.

| UI name           | API example                                                                                                     | Evaluation phase      |
| ----------------- | --------------------------------------------------------------------------------------------------------------- | --------------------- |
| User Email        | identity.email == "user@example.com"                                                                            | Before DNS resolution |
| User Name         | identity.name == "Test User"                                                                                    | Before DNS resolution |
| User Group IDs    | any(identity.groups\[\*\].id in {"group\_id"})                                                                  | Before DNS resolution |
| User Group Names  | any(identity.groups\[\*\].name in {"group\_name"})                                                              | Before DNS resolution |
| User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"})                                                       | Before DNS resolution |
| SAML Attributes   | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) | Before DNS resolution |

## Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector.

| Operator                 | Meaning                                                                                                            |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------ |
| is                       | equals the defined value                                                                                           |
| is not                   | does not equal the defined value                                                                                   |
| in                       | matches at least one of the defined values                                                                         |
| not in                   | does not match any of the defined values                                                                           |
| in list                  | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values     |
| not in list              | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values |
| matches regex            | regex evaluates to true                                                                                            |
| does not match regex     | regex evaluates to false                                                                                           |
| greater than             | exceeds the defined number                                                                                         |
| greater than or equal to | exceeds or equals the defined number                                                                               |
| less than                | below the defined number                                                                                           |
| less than or equal to    | below or equals the defined number                                                                                 |

## Value

In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors.

### Regular expressions

Regular expressions are evaluated using Rust. The Rust implementation differs slightly from the regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/#wildcards). To check whether your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/).

If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. You do not need to use an escape character (`\`) before the pipe symbol. For example, the following expression evaluates to true when the hostname matches either `.*whispersystems.org` or `.*signal.org`:

| Selector | Operator      | Value                                |
| -------- | ------------- | ------------------------------------ |
| Host     | matches regex | .\*whispersystems.org\|.\*signal.org |

In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values.

## Logical operators

To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator.

| Operator | Meaning                                       |
| -------- | --------------------------------------------- |
| And      | match all of the conditions in the expression |
| Or       | match any of the conditions in the expression |

The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in **Identity**.

## Limitations

### Third-party filtering conflict

Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as [iCloud Private Relay ↗](https://support.apple.com/102602) or [Google Chrome IP Protection ↗](https://github.com/GoogleChrome/ip-protection#ip-protection). To ensure your DNS policies apply to your traffic, Cloudflare recommends turning off software that may interfere with Gateway.

To turn off iCloud Private Relay, refer to the Apple user guides for [macOS ↗](https://support.apple.com/guide/mac-help/use-icloud-private-relay-mchlecadabe0/) or [iOS ↗](https://support.apple.com/guide/iphone/protect-web-browsing-icloud-private-relay-iph499d287c2/).

### Cloudflare WAN forwarding

To apply DNS policies to queries forwarded through [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/), you can either point your organization's DNS resolver to an IPv6, DNS over HTTPS (DoH), or DNS over TLS (DoT) endpoint or request a dedicated resolver IPv4 address. For more information, refer to [DNS resolver IPs and hostnames](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/).

### Fallback DNS

Some applications (for example, WhatsApp and Android Studio) have backup DNS servers built into their code. If Gateway blocks their primary DNS query, these apps automatically retry the query against their built-in DNS servers (for example, Google's `8.8.8.8`), which bypasses your policies entirely. To mitigate this behavior, you can create a [Gateway Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) that blocks outbound DNS traffic on TCP/UDP port `53` to the fallback DNS servers. Network policies apply to traffic proxied through Gateway (for example, from devices running the Cloudflare One Client), so this mitigation does not cover DNS-only locations, and a port `53` policy does not catch clients that fall back to DNS over HTTPS on port `443`. For example, to block Google's fallback DNS servers:

| Selector         | Operator | Value            | Logic | Action |
| ---------------- | -------- | ---------------- | ----- | ------ |
| Protocol         | in       | _TCP_, _UDP_     | And   | Block  |
| Destination Port | in       | 53               | And   |        |
| Destination IP   | in       | 8.8.8.8, 8.8.4.4 |       |        |


---

---
title: Common policies
description: Reference information for Common policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Common policies

The following Cloudflare Gateway DNS policies are commonly used to secure DNS traffic. Each example includes both dashboard and API instructions that you can adapt for your organization.

For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies/).

Refer to the [DNS policies page](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) for a comprehensive list of other selectors, operators, and actions.

## Allow corporate domains

This policy allows users to access official corporate domains. By deploying the policy with high [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), you ensure that employees can access trusted domains even if they fall under a blocked category like _Newly seen domains_ or _Login pages_.


| Selector | Operator | Value             | Action | Precedence |
| -------- | -------- | ----------------- | ------ | ---------- |
| Domain   | in list  | _Allowed domains_ | Allow  | 1          |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow corporate domains",
    "description": "Allow any internal corporate domains added to a list",
    "precedence": 0,
    "enabled": true,
    "action": "allow",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.domains[*] in $<LIST_UUID>)",
    "identity": ""
  }'
```

To get the UUIDs of your lists, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint.

## Block security threats

Block [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.


| Selector            | Operator | Value                | Action |
| ------------------- | -------- | -------------------- | ------ |
| Security Categories | in       | _All security risks_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-DNS-SecurityCategories-Blocklist",
    "description": "Block security categories based on Cloudflare'\''s threat intelligence",
    "precedence": 20,
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
    "identity": ""
  }'
```

Terraform

```hcl
resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" {
  account_id  = var.cloudflare_account_id
  name        = "All-DNS-SecurityCategories-Blocklist"
  description = "Block security categories based on Cloudflare's threat intelligence"
  precedence  = 20
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
}
```

## Block content categories

The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/).


| Selector           | Operator | Value                                                     | Action |
| ------------------ | -------- | --------------------------------------------------------- | ------ |
| Content Categories | in       | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-DNS-ContentCategories-Blocklist",
    "description": "Block common content categories that may pose a risk",
    "precedence": 30,
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})",
    "identity": ""
  }'
```

Terraform

```hcl
resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" {
  account_id  = var.cloudflare_account_id
  name        = "All-DNS-ContentCategories-Blocklist"
  description = "Block common content categories that may pose a risk"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})"
  identity    = ""
}
```

## Block a dynamic list of categories

You can attach a list of category IDs to a DNS query sent to Gateway as a JSON object carried in an [EDNS (Extension Mechanisms for DNS) ↗](https://datatracker.ietf.org/doc/html/rfc6891) option with option code `65050`. EDNS allows extra metadata to be attached to a DNS query beyond the standard fields. For example, the option payload:

```json
{
  "categories": [2, 67, 125, 133]
}
```

With the [Request Context Categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#request-context-categories) selector, you can block a query when the queried domain belongs to any of the category IDs sent in the EDNS option. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account's policy limit, since one policy serves every client and each client chooses its own category set. When Gateway blocks a DNS query with this selector, the response carries an Extended DNS Error (EDE) code 15 (`Blocked`) along with a field containing an array of the matched categories.


| Selector                 | Operator | Value     | Action |
| ------------------------ | -------- | --------- | ------ |
| Request Context Category | is       | _Present_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-DNS-Block-Category-Matches-In-Request",
    "description": "Block all category matches in the request EDNS context",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "dns.categories_in_request_context_matches",
    "identity": ""
  }'
```

Terraform

```hcl
# The resource name must be unique per resource type within a configuration;
# "block_content_categories" is already used by the content-categories policy above.
resource "cloudflare_zero_trust_gateway_policy" "block_request_context_categories" {
  account_id  = var.cloudflare_account_id
  name        = "All-DNS-Block-Category-Matches-In-Request"
  description = "Block all category matches in the request EDNS context"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "dns.categories_in_request_context_matches"
  identity    = ""
}
```

## Block unauthorized applications

Note

After seven days, view your [Shadow IT SaaS Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing.

To minimize the risk of [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/), some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:


| Selector    | Operator | Value                     | Action |
| ----------- | -------- | ------------------------- | ------ |
| Application | in       | _Artificial Intelligence_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-DNS-Application-Blocklist",
    "description": "Block access to unauthorized AI applications",
    "precedence": 40,
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": ""
  }'
```

Terraform

```hcl
resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" {
  account_id  = var.cloudflare_account_id
  name        = "All-DNS-Application-Blocklist"
  description = "Block access to unauthorized AI applications"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(app.type.ids[*] in {25})"
  identity    = ""
}
```

## Block banned countries

You can implement policies to block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's requirements or through regulations including [EAR (Export Administration Regulations) ↗](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC (Office of Foreign Assets Control) ↗](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR (International Traffic in Arms Regulations) ↗](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). This policy blocks DNS queries that resolve to IP addresses geolocated in the countries you specify.


| Selector                        | Operator | Value                                                                                                                                                          | Action |
| ------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| Resolved Country IP Geolocation | in       | _Afghanistan_, _Belarus_, _Congo (Kinshasa)_, _Cuba_, _Iran_, _Iraq_, _Korea, North_, _Myanmar_, _Russian Federation_, _Sudan_, _Syria_, _Ukraine_, _Zimbabwe_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block banned countries",
    "description": "Block access to banned countries",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})",
    "identity": ""
  }'
```

## Block top-level domains

Blocking [frequently misused ↗](https://www.spamhaus.org/statistics/tlds/) top-level domains (TLDs) — the last segment of a domain name, such as `.com` or `.ru` — can reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations like [ITAR ↗](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries) or [OFAC ↗](https://orpa.princeton.edu/export-controls/sanctioned-countries).


| Selector | Operator      | Value                                                                 | Logic | Action |
| -------- | ------------- | --------------------------------------------------------------------- | ----- | ------ |
| Domain   | matches regex | \[.\](cn\|ru)$                                                        | Or    | Block  |
| Domain   | matches regex | \[.\](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$ | Or    |        |
| Domain   | matches regex | \[.\](zip\|mobi)$                                                     |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block top-level domains",
    "description": "Block top-level domains that are frequently used for malicious practices",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$\") or any(dns.domains[*] matches \"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$\") or any(dns.domains[*] matches \"[.](zip|mobi)$\")",
    "identity": ""
  }'
```

## Block phishing attacks

To protect against [sophisticated phishing attacks ↗](https://blog.cloudflare.com/2022-07-sms-phishing-attacks/), you can prevent users from accessing phishing domains that specifically target your organization. The following policy blocks domains containing keywords associated with an organization or its authentication services (such as _okta_, _2fa_, _cloudflare_ or _sso_), while still allowing access to official corporate domains. The keyword regex also matches the legitimate hostnames of those services (for example, your identity provider's own login domain), so add them to the _Corporate Domains_ list before enabling the policy.


| Selector | Operator      | Value                                               | Logic | Action |
| -------- | ------------- | --------------------------------------------------- | ----- | ------ |
| Domain   | not in list   | _Corporate Domains_                                 | And   | Block  |
| Domain   | matches regex | .\*okta.\*\|.\*cloudflare.\*\|.\*mfa.\*\|.\*sso.\* |       |        |

Create a Zero Trust Gateway rule

```sh
# The regex alternation uses an unescaped "|". Writing "\\|" inside the JSON
# string hands the filter a literal pipe character instead of an alternation.
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block phishing attacks",
    "description": "Block attempts to phish specific domains targeting your organization",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "not(any(dns.domains[*] in $<LIST_UUID>)) and any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*\")",
    "identity": ""
  }'
```

To get the UUIDs of your lists, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint.
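The `traffic` field in the API bodies above is a wirefilter expression nested inside a JSON document that is itself inside a shell single-quoted string, and a regex inside it sits in a double-quoted wirefilter string. Each layer has its own escaping, which is how an alternation ends up written as `\|` and silently turned into a literal pipe. The following added example (not Cloudflare's code) builds the "Block top-level domains" and "Block phishing attacks" bodies in Python and lets `json.dumps()` handle the JSON layer; the helper names and the hyphen-stripped list reference are assumptions, as noted in the comments.

```python
"""Build Gateway DNS policy bodies for POST /accounts/{account_id}/gateway/rules
with correctly escaped wirefilter expressions. Added example, not Cloudflare's code."""
import json
import re


def wf_string(s):
    """Quote s as a wirefilter string literal (C-style \\ and \" escapes)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def list_ref(list_uuid):
    """Reference a Gateway list by id. Assumption: the id is written without
    hyphens, as Cloudflare's Terraform examples do; confirm against the traffic
    string of a list-based rule created in the dashboard."""
    if not re.fullmatch(r"[0-9a-fA-F-]{32,36}", list_uuid):
        raise ValueError(f"not a list UUID: {list_uuid!r}")
    return "$" + list_uuid.replace("-", "")


def domains_in_list(list_uuid, negate=False):
    expr = f"any(dns.domains[*] in {list_ref(list_uuid)})"
    return f"not({expr})" if negate else expr


def domains_match_regex(*patterns):
    """One any(dns.domains[*] matches "...") term per regex, joined with `or`.
    Each pattern is compiled first so a broken regex fails here, not at the API."""
    for p in patterns:
        re.compile(p)   # syntax check; Python and Gateway agree on this regex subset
    return " or ".join(f"any(dns.domains[*] matches {wf_string(p)})" for p in patterns)


def category_ids(field, ids):
    """Set literal for category selectors, e.g. any(dns.security_category[*] in {68 178})."""
    return f"any({field}[*] in {{{' '.join(str(i) for i in ids)}}})"


def build_rule(name, description, action, traffic, identity="", precedence=None):
    """JSON body for a DNS-filter rule; json.dumps() escapes the quotes for us."""
    body = {"name": name, "description": description, "enabled": True, "action": action,
            "filters": ["dns"], "traffic": traffic, "identity": identity}
    if precedence is not None:
        body["precedence"] = precedence
    return json.dumps(body, indent=2)


def phishing_rule(corporate_list_uuid):
    """The "Block phishing attacks" policy: keyword regex minus corporate domains."""
    traffic = (domains_in_list(corporate_list_uuid, negate=True) + " and "
               + domains_match_regex(".*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*"))
    return build_rule("Block phishing attacks",
                      "Block attempts to phish specific domains targeting your organization",
                      "block", traffic)


def tld_rule():
    """The "Block top-level domains" policy, one regex term per TLD group."""
    return build_rule("Block top-level domains",
                      "Block top-level domains that are frequently used for malicious practices",
                      "block", domains_match_regex(
                          "[.](cn|ru)$",
                          "[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$",
                          "[.](zip|mobi)$"))


if __name__ == "__main__":
    # Placeholder list id; substitute the UUID returned by the lists endpoint.
    print(phishing_rule("12345678-1234-1234-1234-123456789abc"))
```

Pipe the output into `curl --json @-` (or pass it with `--data`) instead of hand-writing the body; because the regex is built as a Python string, a quote or backslash inside it is escaped once for wirefilter and once for JSON, and never for the shell.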

## Block online tracking

To safeguard user privacy, some organizations will block tracking domains such as `dig.whatsapp.com` as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to [this repository ↗](https://github.com/nextdns/native-tracking-domains/tree/28991a0d5b2ab6d35588a74af82162ea7caff420/domains) for a list of widespread tracking domains that you can add to your blocklist.


| Selector | Operator | Value                  | Action |
| -------- | -------- | ---------------------- | ------ |
| Domain   | in list  | _Top tracking domains_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block online tracking",
    "description": "Block domains used for tracking at an OS level",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.domains[*] in $<LIST_UUID>)",
    "identity": ""
  }'
```

To get the UUIDs of your lists, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint.

## Block malicious IPs

Block specific IP addresses that are known to be malicious or pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs).


| Selector    | Operator | Value     | Action |
| ----------- | -------- | --------- | ------ |
| Resolved IP | in list  | _DShield_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block malicious IPs",
    "description": "Block specific IP addresses that are known to be malicious or pose a threat to your organization",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.resolved_ips[*] in $<LIST_UUID>)",
    "identity": ""
  }'
```

To get the UUIDs of your lists, use the [List Zero Trust lists](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/lists/methods/list/) endpoint.

## Turn on CIPA filter

The CIPA (Children's Internet Protection Act) Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of [Project Cybersafe Schools](https://developers.cloudflare.com/fundamentals/reference/policies-compliances/cybersafe/) to block access to unwanted or harmful online content. Upon creating this policy, your organization will have minimum [CIPA compliance ↗](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act).


| Selector           | Operator | Value         | Action |
| ------------------ | -------- | ------------- | ------ |
| Content Categories | in       | _CIPA Filter_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Turn on CIPA filter",
    "description": "Block access to unwanted or harmful online content for children",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.content_category[*] in {182})",
    "identity": ""
  }'
```

## Hide explicit search results

SafeSearch is a feature of search engines that helps you filter explicit or offensive content. You can force SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo:


| Selector           | Operator | Value            | Action      |
| ------------------ | -------- | ---------------- | ----------- |
| Content Categories | in       | _Search Engines_ | Safe Search |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Hide explicit search results",
    "description": "Force SafeSearch on search engines to filter explicit or offensive content",
    "enabled": true,
    "action": "safesearch",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.content_category[*] in {145})",
    "identity": ""
  }'
```

## Check user identity

Configure access on a per-user or per-group basis by adding [identity-based conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to your policies. Identity selectors only apply to queries from devices running the Cloudflare One Client; queries arriving from a DNS location carry no user identity, so a policy with an identity condition never matches them.


| Selector         | Operator | Value        | Logic | Action |
| ---------------- | -------- | ------------ | ----- | ------ |
| Application      | in       | _Salesforce_ | And   | Block  |
| User Group Names | in       | Contractors  |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Check user identity",
    "description": "Filter traffic based on a user identity group name",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(app.ids[*] in {606})",
    "identity": "any(identity.groups.name[*] in {\"Contractors\"})"
  }'
```

## Restrict access to specific groups

Filter DNS queries to allow only specific users access.

The following example includes two policies. The first policy allows the specified group, while the second policy blocks all other users. To ensure the policies are evaluated properly, place the Allow policy above the Block policy. For more information, refer to the [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence).

### 1\. Allow a group


| Selector           | Operator | Value             | Logic | Action |
| ------------------ | -------- | ----------------- | ----- | ------ |
| Content Categories | in       | _Social Networks_ | And   | Allow  |
| User Group Names   | in       | Marketing         |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow social media for Marketing",
    "description": "Allow access to social media sites for users in the Marketing group",
    "precedence": 1,
    "enabled": true,
    "action": "allow",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.content_category[*] in {149})",
    "identity": "any(identity.groups.name[*] in {\"Marketing\"})"
  }'
```

### 2\. Block all other users


| Selector           | Operator | Value             | Action |
| ------------------ | -------- | ----------------- | ------ |
| Content Categories | in       | _Social Networks_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block social media",
    "description": "Block social media for all other users",
    "precedence": 2,
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "any(dns.content_category[*] in {149})",
    "identity": ""
  }'
```

## Control IP version

Enterprise users can pair these policies with an [egress policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) to control which IP version is used when Gateway connects to the destination server.

Optionally, you can use the Domain selector to control the IP version for specific sites.

Note

To ensure traffic routes through your preferred IP version, turn off **Modify Gateway block behavior**.

### Force IPv4

Force users to connect with IPv4 by blocking `AAAA` (IPv6) record resolution.


| Selector          | Operator | Value  | Action |
| ----------------- | -------- | ------ | ------ |
| Query Record Type | is       | _AAAA_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Force IPv4",
    "description": "Force users to connect with IPv4 by blocking IPv6 resolution",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "dns.query_rtype == \"AAAA\"",
    "identity": ""
  }'
```

### Force IPv6

Force users to connect with IPv6 by blocking `A` (IPv4) record resolution.


| Selector          | Operator | Value | Action |
| ----------------- | -------- | ----- | ------ |
| Query Record Type | is       | _A_   | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Force IPv6",
    "description": "Force users to connect with IPv6 by blocking IPv4 resolution",
    "enabled": true,
    "action": "block",
    "filters": [
        "dns"
    ],
    "traffic": "dns.query_rtype == \"A\"",
    "identity": ""
  }'
```


---

---
title: Test DNS filtering
description: Test DNS filtering in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Test DNS filtering

This section covers how to validate your Gateway DNS configuration. Testing your policies after setup helps confirm that queries are being filtered as expected before you rely on them in production.

## Prerequisites

Before you start, make sure your device is sending DNS queries to Gateway. You can do this in one of two ways:

* **Cloudflare One Client** — If your device runs the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), DNS queries route through Gateway automatically.
* **DNS location** — If you are using a DNS-only deployment (without the Cloudflare One Client), verify that your network's DNS resolver points to your [Gateway DNS location's](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) IP address.

## Test a DNS policy

Once you have created a DNS policy to block a domain, you can use either `dig` (a command-line DNS lookup tool, available on macOS and Linux) or `nslookup` (available on Windows) to see if the policy is working as intended.

For example, if you created a policy to block `example.com`, you can do the following to see if Gateway is successfully blocking `example.com`:

1. Open your terminal.
2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**.
3. In the `dig` output, check the `status:` field in the header line (the line starting with `;; ->>HEADER<<-`). If the [block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is turned off for the policy, you should see `REFUSED`, the DNS response code meaning the server declined to answer the query:

   ```sh
   dig example.com
   ```

   ```txt
   ; <<>> DiG 9.10.6 <<>> example.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6503
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
   ;; QUESTION SECTION:
   ;example.com.                   IN      A
   ;; Query time: 46 msec
   ;; SERVER: 172.64.36.1#53(172.64.36.1)
   ;; WHEN: Tue Mar 10 20:22:18 CDT 2020
   ;; MSG SIZE  rcvd: 29
   ```

   If the [block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is enabled for the policy, you should see `NOERROR` (meaning the query was resolved) in the header, with `162.159.36.12` and `162.159.46.12` as the answers. These are Cloudflare's block page IP addresses:

   ```sh
   dig example.com
   ```

   ```txt
   ; <<>> DiG 9.10.6 <<>> example.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14531
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 1452
   ;; QUESTION SECTION:
   ;example.com.                   IN      A
   ;; ANSWER SECTION:
   example.com.            60      IN      A       162.159.36.12
   example.com.            60      IN      A       162.159.46.12
   ;; Query time: 53 msec
   ;; SERVER: 172.64.36.1#53(172.64.36.1)
   ;; WHEN: Tue Mar 10 20:19:52 CDT 2020
   ;; MSG SIZE  rcvd: 83
   ```
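The `dig` checks above classify a reply by its response code and by whether the answer is one of the block-page IPs, and the "Block a dynamic list of categories" section earlier describes a query that carries category IDs in EDNS option `65050` and is refused with Extended DNS Error code 15. The following added example (not Cloudflare's code) does both at the wire level in Python: it builds such a query, parses the reply, and classifies it the same way. `make_reply()` fabricates replies so the parser can be exercised offline; the function names, the UDP payload size and the fixed transaction id are this example's own choices.

```python
"""Build a DNS query carrying Gateway's Request Context Categories EDNS option,
parse the reply, and classify it as the dig checks do. Added example, not
Cloudflare's code."""
import json
import socket
import struct

OPT_CATEGORIES, OPT_EDE, EDE_BLOCKED = 65050, 15, 15   # EDE option and code per RFC 8914
BLOCK_PAGE_IPS = {"162.159.36.12", "162.159.46.12"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"


def opt_rr(options):
    """OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata


def build_query(name, categories=None, txid=0x1234):
    """Standard A query, RD set, one OPT RR; option 65050 carries {"categories": [...]}."""
    opts = [] if categories is None else [
        (OPT_CATEGORIES, json.dumps({"categories": list(categories)}).encode())]
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
            + encode_name(name) + struct.pack("!HH", 1, 1) + opt_rr(opts))


def make_reply(query, rcode, answers=(), ede=None):
    """Constructed reply for offline tests: echoes the question, adds A answers and an EDE."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in answers)                      # name is a pointer to offset 12
    opts = [] if ede is None else [(OPT_EDE, struct.pack("!H", ede[0]) + ede[1].encode())]
    return (struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 1)
            + question + rrs + opt_rr(opts))


def skip_name(pkt, off):
    """Offset just past a name; a compression pointer (top bits 11) ends it in 2 bytes."""
    while pkt[off] & 0xC0 != 0xC0:
        if pkt[off] == 0:
            return off + 1
        off += 1 + pkt[off]
    return off + 2


def parse_reply(pkt):
    """Extract rcode, A answers and EDNS options (EDE decoded to (code, text))."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    answers, options = [], {}
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
        elif rtype == 41:                          # walk the EDNS option list
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                options[code], p = rdata[p + 4:p + 4 + olen], p + 4 + olen
    ede = options.get(OPT_EDE)
    return {"txid": txid, "rcode": RCODES.get(flags & 0xF, flags & 0xF), "answers": answers,
            "options": options, "ede": None if ede is None else
            (struct.unpack("!H", ede[:2])[0], ede[2:].decode("utf-8", "replace"))}


def classify(reply):
    """Mirror the dig checks: REFUSED, EDE 15, or an answer made only of block-page IPs."""
    if reply["rcode"] == "REFUSED":
        return "blocked (REFUSED)"
    if reply["ede"] and reply["ede"][0] == EDE_BLOCKED:
        return "blocked (EDE 15)"
    if reply["answers"] and set(reply["answers"]) <= BLOCK_PAGE_IPS:
        return "blocked (block page)"
    return "allowed" if reply["rcode"] == "NOERROR" else f"error ({reply['rcode']})"


def check(resolver_ip, name, categories=None, timeout=3.0):
    """Send one query over UDP/53 to your Gateway resolver and classify the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, categories), (resolver_ip, 53))
        reply = parse_reply(s.recv(4096))
    if reply["txid"] != 0x1234:
        raise RuntimeError("transaction id mismatch")
    return classify(reply)
```

Run `check("<your DNS location IPv4>", "malware.testcategory.com")` against a Gateway resolver to reproduce the `REFUSED` or block-page result, and pass `categories=[...]` to exercise a Request Context Categories policy; a query sent over a DoH or DoT endpoint instead of UDP/53 needs the same packet inside that transport.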

### Test a security or content category

If you are blocking a [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#security-categories) or a [content category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#content-categories), you can test that the policy is working by using the [test domain](#common-test-domains) associated with each category.

Once you have configured your Gateway policy to block the category, visiting the test domain in your browser will show the block page, and a `dig` for the test domain from the command line will return `REFUSED` (or, if the block page is turned on for the policy, `NOERROR` with the block page IP addresses as the answer).

#### Test domain format

* **One-word category** — For categories with one-word names (for example, _Malware_), the test domain uses the following format:  
```  
<NAME_OF_CATEGORY>.testcategory.com  
```
* **Multi-word category** — For categories with multiple words in the name (for example, _Parked & For Sale Domains_), build the test domain as follows:  
   * Remove any spaces between the words  
   * Replace `&` with `and`  
   * Lowercase all letters  
   * Append `.testcategory.com` (for example, `parkedandforsaledomains.testcategory.com`)

#### Common test domains

| Category                        | Test domain                                  |
| ------------------------------- | -------------------------------------------- |
| _Anonymizer_                    | anonymizer.testcategory.com                  |
| _Command and Control & Botnet_  | commandandcontrolandbotnet.testcategory.com  |
| _Compromised Domain_            | compromiseddomain.testcategory.com           |
| _Cryptomining_                  | cryptomining.testcategory.com                |
| _Malware_                       | malware.testcategory.com                     |
| _New Domains_                   | newdomains.testcategory.com                  |
| _Parked & For Sale Domains_     | parkedandforsaledomains.testcategory.com     |
| _Phishing_                      | phishing.testcategory.com                    |
| _Potentially Unwanted Software_ | potentiallyunwantedsoftware.testcategory.com |
| _Private IP Address_            | privateipaddress.testcategory.com            |
| _Spam_                          | spam.testcategory.com                        |
| _Spyware_                       | spyware.testcategory.com                     |
| _Unreachable_                   | unreachable.testcategory.com                 |

## Test EDNS configuration

EDNS Client Subnet (ECS) is a DNS extension that passes a truncated form of the user's IP address to authoritative nameservers so that they can return geographically close answers. Cloudflare sends only the first 24 bits (the `/24` prefix) of the user's IPv4 address: enough for a location hint, without exposing the full address. If you [enabled EDNS client subnet](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) for your DNS location, you can validate it as follows:

1. Obtain your DNS location's DoH (DNS over HTTPS) subdomain:  
   1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Resolvers & Proxies** \> **DNS locations**.  
   2. Select the DNS location you are testing.  
   3. Note the value of **DNS over HTTPS**.
2. Open a terminal and run the following command:  
```  
curl 'https://<DOH_SUBDOMAIN>.cloudflare-gateway.com/dns-query?type=TXT&name=o-o.myaddr.google.com' -H 'Accept: application/dns-json' | json_pp  
```  
The output should contain your EDNS client subnet:  
```  
{  
  "AD": false,  
  "Answer": [  
    {  
      "TTL": 60,  
      "data": "\"108.162.218.211\"",  
      "name": "o-o.myaddr.google.com",  
      "type": 16  
    },  
    {  
      "TTL": 60,  
      "data": "\"edns0-client-subnet 136.62.0.0/24\"",  
      "name": "o-o.myaddr.google.com",  
      "type": 16  
    }  
  ],  
  "CD": false,  
  "Question": [  
    {  
      "name": "o-o.myaddr.google.com",  
      "type": 16  
    }  
  ],  
  "RA": true,  
  "RD": true,  
  "Status": 0,  
  "TC": false  
}  
```
3. To verify your EDNS client subnet, obtain your source IP address:  
```  
curl ifconfig.me  
```  
```  
136.62.12.156  
```  
The source IP address should fall within the /24 range specified by your EDNS client subnet.

## Clear DNS cache

Modern web browsers and operating systems are designed to cache DNS records for a set amount of time. When a request is made for a DNS record, the browser cache is the first location checked for the requested record. A DNS policy may not appear to work if the response is already cached.

To clear your DNS cache:

ChromeOS

1. Go to `chrome://net-internals/#dns`.
2. Select **Clear host cache**.

Windows

1. Open Command Prompt or PowerShell as an administrator.
2. Run the following command:

```
ipconfig /flushdns
```

macOS

1. Open Terminal.
2. Run the following commands:

```
sudo killall -HUP mDNSResponder
sudo killall mDNSResponderHelper
sudo dscacheutil -flushcache
```


---

---
title: Timed DNS policies
description: Reference information for Timed DNS policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Timed DNS policies

By default, Cloudflare Gateway policies apply at all times when turned on. With timed DNS policies, you can control when DNS policies are active — for example, to block social media only during work hours or to temporarily allow access to a restricted site for a maintenance window. You can configure a policy to be active during specific time periods or set the policy to expire after a certain duration.

There are two timed DNS policy options:

* [Policy duration](#policy-duration): The policy is active for a specific amount of time after being turned on (for example, 30 minutes).
* [Policy schedule](#policy-schedule): The policy is active during a recurring weekly schedule (for example, weekdays from 9 AM to 5 PM).

## Policy duration

Use a policy duration to keep a policy on for a set amount of time after you turn it on, or to turn it off at an exact date and time.

To set a duration for a DNS policy:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies** \> **DNS**.
2. Create a new DNS policy or choose an existing policy and select **Edit**.
3. In **Apply durations and schedules**, turn on **Policy duration**.
4. In **Input method**, choose the type of duration:  
   * Choose _Duration_ and enter a specific amount of time until the policy turns off.  
   * Choose _Exact end date_ and enter a specific date and time in your account's time zone for the policy to turn off.
5. Select **Save policy**.

When a policy turns off, it will remain off until you turn it back on.

Warning

The duration timer does not pause when you turn the policy off. It is calculated as an absolute end time from when the policy was first turned on.

For example, you can create a policy at 12:00 PM and set it to turn off after six hours. If you turn the policy off at 3:00 PM and turn it back on at 4:00 PM, the policy will still turn off at 6:00 PM — six hours after the original activation time, not six hours of cumulative active time.

### Reset a policy's duration

When a policy's time duration expires, you can turn the policy back on for the duration you originally configured. To reset a policy's duration, select the policy and choose **Reset policy duration**.

For policies with an exact end time, you can change the time before the policy turns off. Once the policy reaches its exact end time, you will need to edit the policy and set a new end time. To set a new exact end time:

1. Select the policy.
2. Choose **Edit**.
3. In **Apply durations and schedules**, turn on **Policy duration**.
4. In **Input method**, choose _Exact end date_. In **Date and time**, enter a new date and time for the policy to turn off.
5. Select **Save policy**.

## Policy schedule

You can use Gateway to create a new DNS policy with a schedule or add a schedule to an existing policy.


1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies** \> **DNS**.
2. Create a new DNS policy or choose an existing policy and select **Edit**.
3. In **Apply durations and schedules**, turn on **Policy schedule**.
4. (Optional) In **Time Zone**, choose a time zone to apply the policy based on the time zone you select, regardless of the user's location. By default, Gateway will use the end user's time zone to apply the policy based on the local time of the user making the DNS query.
5. In **Schedule template**, choose a preset schedule, or choose _Custom schedule_ to define your own. A custom schedule can have up to three non-overlapping time ranges per day, with start and end times on 15-minute boundaries.
6. Select **Save policy**.

To schedule a policy with the API, use the [Create a Zero Trust Gateway rule endpoint](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) with the `schedule` parameter set to your desired days of the week, times of day, and an optional time zone. For example:

Create a Zero Trust Gateway rule

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "action": "block",
    "name": "Block gambling sites on weekends",
    "traffic": "any(dns.content_category[*] in {\"Gambling\"})",
    "schedule": {
        "sat": "08:00-17:00",
        "sun": "08:00-17:00",
        "time_zone": "Europe/Paris"
    }
  }'
```

The policy's schedule will appear in the Cloudflare dashboard under **Zero Trust** \> **Traffic policies** \> **Firewall policies** \> **DNS** when you select the policy.

### How Gateway determines time zone

If you [assign a time zone](#example-fixed-time-zone) to your schedule, Gateway will always use the current time at that time zone regardless of the user's location. This allows you to enable a policy during a certain fixed time period.

If you [do not specify a time zone](#example-users-time-zone), Gateway will enable the DNS policy based on the user's local time zone. The user's time zone is inferred from the IP geolocation of their source IP address. If Gateway is unable to determine the time zone from the source IP, it will fall back to the time zone of the data center where the query was received.

Note

Users on VPNs or corporate proxies may have their time zone inferred incorrectly, because their source IP geolocates to the VPN exit point rather than their physical location. If consistent enforcement is important, assign a fixed time zone to the schedule.
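The following is an added example, not Cloudflare's code and not what Gateway runs internally. It does two things a practitioner wants before and after posting a `schedule` object: `validate_schedule` checks the object against the limits this page gives for the dashboard (at most three ranges per day, on 15-minute boundaries, non-overlapping) so an invalid schedule is caught locally, and `schedule_active` answers "is this rule enforcing at this instant?" using the time zone order described above (`enabled: false` wins, then a fixed `time_zone`, then the user's zone, then the receiving data center's zone). Assumptions: the data center zone is passed in as `datacenter_tz` because a client cannot know which data center answered; IANA names other than `UTC` are resolved with Python's `zoneinfo`, which needs a time zone database on the host; the two rule bodies are constructed copies of the `curl` examples on this page.

```python
from datetime import datetime, timedelta, timezone, tzinfo
from typing import List, Optional, Tuple
from zoneinfo import ZoneInfo

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # datetime.weekday() order
MAX_RANGES_PER_DAY = 3
STEP_MINUTES = 15


def _minutes(hhmm: str) -> int:
    """'HH:MM' -> minutes since midnight; '24:00' is allowed as an end time."""
    h, m = (int(x) for x in hhmm.strip().split(":"))
    if not (0 <= h <= 24 and 0 <= m < 60) or (h == 24 and m != 0):
        raise ValueError(f"bad time {hhmm!r}")
    return h * 60 + m


def parse_ranges(spec: str) -> List[Tuple[int, int]]:
    """'08:00-12:30,13:30-17:00' -> [(480, 750), (810, 1020)]"""
    out = []
    for part in spec.split(","):
        start, end = part.split("-")
        out.append((_minutes(start), _minutes(end)))
    return out


def validate_schedule(schedule: dict) -> List[str]:
    """Return the problems found in a `schedule` object (empty list == OK), using
    the dashboard limits from this page: up to three ranges per day, each on a
    15-minute boundary, moving forward in time and not overlapping."""
    problems = []
    for key, value in schedule.items():
        if key == "time_zone":
            continue
        if key not in DAYS:
            problems.append(f"{key}: unknown key")
            continue
        try:
            ranges = parse_ranges(value)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if len(ranges) > MAX_RANGES_PER_DAY:
            problems.append(f"{key}: more than {MAX_RANGES_PER_DAY} ranges")
        for start, end in ranges:
            if start >= end:
                problems.append(f"{key}: range does not move forward")
            if start % STEP_MINUTES or end % STEP_MINUTES:
                problems.append(f"{key}: not on a {STEP_MINUTES}-minute boundary")
        ordered = sorted(ranges)
        if any(nxt[0] < cur[1] for cur, nxt in zip(ordered, ordered[1:])):
            problems.append(f"{key}: overlapping ranges")
    return problems


def _resolve_tz(name: str) -> tzinfo:
    # UTC is handled without the system tz database; other IANA names via zoneinfo.
    return timezone.utc if name.upper() == "UTC" else ZoneInfo(name)


def schedule_active(rule: dict, now: datetime, user_tz: Optional[tzinfo] = None,
                    datacenter_tz: tzinfo = timezone.utc) -> bool:
    """Is this rule enforcing at the instant `now` (which must be timezone-aware)?
    Order from this page: `enabled: false` wins; a `time_zone` in the schedule is
    used as-is; otherwise the user's geolocated zone; otherwise the zone of the
    data center that received the query (assumed here to be passed in)."""
    if not rule.get("enabled", True):
        return False
    schedule = rule.get("schedule")
    if not schedule:
        return True                     # untimed policies apply whenever enabled
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    tz = _resolve_tz(schedule["time_zone"]) if "time_zone" in schedule else (user_tz or datacenter_tz)
    local = now.astimezone(tz)
    spec = schedule.get(DAYS[local.weekday()])
    if not spec:
        return False
    minute = local.hour * 60 + local.minute
    return any(start <= minute < end for start, end in parse_ranges(spec))


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor for an aware UTC instant."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def fixed_offset(hours: int) -> tzinfo:
    """A fixed UTC offset standing in for a geolocated user zone (no tz database needed)."""
    return timezone(timedelta(hours=hours))


# Constructed rule bodies matching the two curl examples on this page.
OFFICE_RULE = {"name": "office-no-facebook-policy", "action": "block", "enabled": True,
               "schedule": {"time_zone": "America/Chicago",
                            **{d: "08:00-12:30,13:30-17:00" for d in DAYS[:5]}}}
WEEKEND_RULE = {"name": "clock-in-policy", "action": "block", "enabled": True,
                "schedule": {"sat": "00:00-24:00", "sun": "00:00-24:00"}}

if __name__ == "__main__":
    print(validate_schedule(OFFICE_RULE["schedule"]))           # []
    print(schedule_active(WEEKEND_RULE, utc(2024, 3, 11, 1, 0)))                          # Monday in UTC
    print(schedule_active(WEEKEND_RULE, utc(2024, 3, 11, 1, 0), user_tz=fixed_offset(-5)))  # still Sunday evening
```

The last two calls show the point of the note above: the same instant is Monday 01:00 for a data center evaluating in UTC but Sunday 20:00 for a user whose address geolocates to UTC-5, so a schedule without `time_zone` gives different answers for the same query depending on where the source IP appears to be.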

#### Example: Fixed time zone

The following command creates a DNS policy to block `facebook.com` only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone.

Create a Zero Trust Gateway rule

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "office-no-facebook-policy",
    "action": "block",
    "traffic": "dns.fqdn == \"facebook.com\"",
    "enabled": true,
    "schedule": {
        "time_zone": "America/Chicago",
        "mon": "08:00-12:30,13:30-17:00",
        "tue": "08:00-12:30,13:30-17:00",
        "wed": "08:00-12:30,13:30-17:00",
        "thu": "08:00-12:30,13:30-17:00",
        "fri": "08:00-12:30,13:30-17:00"
    }
  }'
```

Refer to [this table ↗](https://en.wikipedia.org/wiki/List%5Fof%5Ftz%5Fdatabase%5Ftime%5Fzones#List) for a list of all time zone identifiers.

#### Example: User's time zone

The following command creates a DNS policy to block `clockin.com` only on weekends in the time zone where the user is currently located.

Create a Zero Trust Gateway rule

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "clock-in-policy",
    "action": "block",
    "traffic": "dns.fqdn == \"clockin.com\"",
    "enabled": true,
    "schedule": {
        "sat": "00:00-24:00",
        "sun": "00:00-24:00"
    }
  }'
```

Note

Gateway does not change the policy's `enabled` value when a scheduled window starts or ends. While `enabled` is `true`, Gateway enforces the policy only inside the scheduled windows; while `enabled` is `false`, the policy is never enforced, regardless of its schedule.


---

---
title: Domain categories
description: Reference information for Domain categories in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Domain categories

Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by [Cloudforce One](https://developers.cloudflare.com/security-center/cloudforce-one/), Cloudflare's threat intelligence solution. To review the categories for a specific domain, use [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories).

Cloudflare categorizes domains into content categories and security categories, which cover security risks and security threats:

* **Content categories**: An upstream vendor supplies content categories for domains. These categories help us organize domains into broad topic areas. However, the specific criteria and methods used by our vendor may not be disclosed.
* **Security risks**: Cloudflare determines security risks for domains using internal models. These models analyze various factors, including the age of a domain and its reputation. This allows us to identify potentially risky domains.
* **Security threats**: To identify malicious domains that pose security threats, Cloudflare employs a mix of internal data sources, machine learning models, commercial feeds, and open-source threat intelligence.

You can block security and content categories by creating DNS or HTTP policies. Once you have configured your policies, you will be able to inspect network activity and the associated categories in your Gateway logs.

To request changes to a domain's categorization, refer to [Change categorization](https://developers.cloudflare.com/security-center/investigate/change-categorization/). For more information on investigating potentially risky domains, refer to [Investigate threats](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#domain).

Subdomain category

Subdomains that have not been assigned a category will inherit the category of their parent domain. When Gateway categorizes a subdomain, the subdomain will carry only its own category. Categorized subdomains will not inherit their parent domain's categories.
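The inheritance rule above decides which categories a policy actually evaluates for a given name, and it is easy to get backwards when writing allow or block policies for a domain tree. The function below is an added example (not Cloudflare's implementation) of that rule: walk from the full name up towards the registered domain and take the categories of the first name that has any, so an uncategorized subdomain inherits from its nearest categorized ancestor while a categorized subdomain contributes only its own categories. The `CATALOG` mapping is constructed for illustration; real categories for a domain come from Cloudflare Radar.

```python
from typing import Dict, Set

# Constructed catalog: FQDN -> categories assigned to that exact name. Stands in
# for Cloudflare's categorization; category names are from the tables on this page.
CATALOG: Dict[str, Set[str]] = {
    "example.com": {"Business & Economy"},
    "mail.example.com": {"Internet Communication"},
    "parked.example.net": {"Parked & For Sale Domains"},
}


def effective_categories(fqdn: str, catalog: Dict[str, Set[str]]) -> Set[str]:
    """Categories evaluated for `fqdn` under the subdomain rule: the name's own
    categories if it has any, otherwise those of the nearest categorized
    ancestor. Nothing from further up is merged once a categorized name is found."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):        # stop before the bare TLD
        name = ".".join(labels[i:])
        if name in catalog:
            return set(catalog[name])
    return set()


def policy_matches(fqdn: str, blocked: Set[str],
                   catalog: Dict[str, Set[str]] = CATALOG) -> bool:
    """A category block policy matches when any effective category is in `blocked`."""
    return bool(effective_categories(fqdn, catalog) & blocked)


if __name__ == "__main__":
    for name in ("www.example.com", "mail.example.com", "imap.mail.example.com", "x.parked.example.net"):
        print(f"{name:24s} {sorted(effective_categories(name, CATALOG))}")
```

Note the consequence for `imap.mail.example.com`: it inherits _Internet Communication_ from `mail.example.com` and never sees the parent's _Business & Economy_, so a policy keyed on the parent's category does not cover it.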

## Security categories

| Category                      | Definition                                                                                                                                                                                                          |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Anonymizer                    | Sites that allow users to surf the Internet anonymously.                                                                                                                                                            |
| Brand Embedding               | Sites that imitate a verified brand, for example facobook.com.                                                                                                                                                      |
| Command and Control & Botnet  | Sites that are queried by compromised devices to exfiltrate information or potentially infect other devices in a network.                                                                                           |
| Compromised Domain            | Sites where a legitimate domain has been compromised or taken over and had malicious content planted or injected.                                                                                                   |
| Cryptomining                  | Sites that mine cryptocurrency by taking over the user's computing resources.                                                                                                                                       |
| DGA Domains                   | Domains generated programmatically by Domain Generation Algorithms (DGA) associated with malware. These algorithmically created domain names change frequently, making them harder to block individually.           |
| DNS Tunneling                 | Domains with detected DNS tunneling activity, including attempts to encode or exfiltrate data in DNS queries and responses (for example, in TXT records) or to use DNS for command-and-control (C2) communications. |
| Malware                       | Sites hosting malicious content and other compromised websites.                                                                                                                                                     |
| Phishing                      | Domains that are known for stealing personal information.                                                                                                                                                           |
| Potentially Unwanted Software | Domains that distribute software that may come bundled with other less legitimate software or functionality, like toolbars, adware, and grayware.                                                                   |
| Private IP Address            | Domains that resolve to private IP Addresses.                                                                                                                                                                       |
| Scam                          | Fraudulent websites and schemes designed to trick victims into giving away money or personal information.                                                                                                           |
| Spam                          | Sites that are known for targeting users with unwanted sweepstakes, surveys, and advertisements.                                                                                                                    |
| Spyware                       | Sites that are known to distribute or contain code that displays unwanted advertisements or that gathers user information without the user's knowledge.                                                             |

## Content categories

| Category               | Definition                                                                                                                                                                        |
| ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Ads                    | Sites that are hosting content related to advertising.                                                                                                                            |
| Adult Themes           | Sites that are hosting content related to pornography, nudity, sexuality, and other adult themes.                                                                                 |
| Business & Economy     | Sites that are related to business, economy, finance, education, science and technology.                                                                                          |
| Child Abuse            | Sites hosting child abuse content.                                                                                                                                                |
| CIPA                   | Sites related to aiding schools and organizations in abiding by Children's Internet Protection Act (CIPA) requirements.                                                           |
| Education              | Sites hosting educational content that are not included in other categories like Science, Technology or Educational institutions.                                                 |
| Entertainment          | Sites that are hosting entertaining content that are not included in other categories like Comic books, Audio streaming, Video streaming etc.                                     |
| Gambling               | Sites that are providing online gambling or are related to gambling.                                                                                                              |
| Government & Politics  | Sites related to government and politics.                                                                                                                                         |
| Health                 | Sites containing information about health and fitness.                                                                                                                            |
| Information Technology | Sites related to information technology.                                                                                                                                          |
| Internet Communication | Sites hosting applications that are used for communication like chat, mail etc.                                                                                                   |
| Job Search & Careers   | Sites that facilitate searching for jobs and careers.                                                                                                                             |
| Miscellaneous          | Sites that are not included in the listed security and content categories.                                                                                                        |
| Questionable Content   | Sites hosting content that are related to hacking, piracy, profanity and other questionable activities.                                                                           |
| Real Estate            | Sites related to real estate.                                                                                                                                                     |
| Religion               | Sites hosting content about religion, alternative religion, religious teachings, religious groups, and spirituality.                                                              |
| Security Risks         | Sites that are [new or misconfigured](#security-risk-subcategories). We recommend that you allow or isolate this content category to avoid accidentally blocking trusted domains. |
| Shopping & Auctions    | Sites that are hosting content related to ecommerce, coupons, shopping, auctions and marketplaces.                                                                                |
| Social & Family        | Sites related to society and lifestyle.                                                                                                                                           |
| Society & Lifestyle    | Sites hosting information about lifestyle that are not included in other categories like fashion, food & drink etc.                                                               |
| Sports                 | Sites related to sports & recreation.                                                                                                                                             |
| Technology             | Sites hosting information about technology that are not included in the science category.                                                                                         |
| Travel                 | Sites that contain information about listings, reservations, services for travel.                                                                                                 |
| Vehicles               | Sites related to vehicles and automobiles, including news, reviews, and other hobbyist information.                                                                               |
| Violence               | Sites hosting and/or promoting violent content.                                                                                                                                   |
| Weather                | Sites related to weather.                                                                                                                                                         |

### Miscellaneous subcategories

| Category      | Definition                                                                   |
| ------------- | ---------------------------------------------------------------------------- |
| Login Screens | Sites hosting login screens that might also be included in other categories. |
| Miscellaneous | Sites that do not belong to other content categories.                        |
| No Content    | Sites that have no content.                                                  |
| Redirect      | Domains that redirect to other sites.                                        |
| Unreachable   | Domains that resolve to unreachable IP addresses.                            |

### Security risk subcategories

| Category                  | Definition                                                             |
| ------------------------- | ---------------------------------------------------------------------- |
| New Domains               | Domains registered within the past 30 days.                            |
| Newly Seen Domains        | Domains that were resolved for the first time within the past 30 days. |
| Parked & For Sale Domains | Domains that are not connected to a hosting service.                   |

### Category and subcategory IDs

| Category ID | Category Name          | Subcategory ID | Subcategory Name                           |
| ----------- | ---------------------- | -------------- | ------------------------------------------ |
| 1           | Ads                    | 66             | Advertisements                             |
| 2           | Adult Themes           | 67             | Adult Themes                               |
| 2           | Adult Themes           | 125            | Nudity                                     |
| 2           | Adult Themes           | 133            | Pornography                                |
| 3           | Business & Economy     | 186            | Brokerage & Investing                      |
| 3           | Business & Economy     | 75             | Business                                   |
| 3           | Business & Economy     | 89             | Economy & Finance                          |
| 3           | Business & Economy     | 183            | Cryptocurrency                             |
| 3           | Business & Economy     | 185            | Personal Finance                           |
| 6           | Education              | 90             | Education                                  |
| 6           | Education              | 91             | Educational Institutions                   |
| 6           | Education              | 189            | Reference                                  |
| 6           | Education              | 144            | Science                                    |
| 6           | Education              | 150            | Space & Astronomy                          |
| 7           | Entertainment          | 70             | Arts                                       |
| 7           | Entertainment          | 74             | Audio Streaming                            |
| 7           | Entertainment          | 76             | Cartoons & Anime                           |
| 7           | Entertainment          | 79             | Comic Books                                |
| 7           | Entertainment          | 92             | Entertainment                              |
| 7           | Entertainment          | 96             | Fine Art                                   |
| 7           | Entertainment          | 100            | Gaming                                     |
| 7           | Entertainment          | 106            | Home Video/DVD                             |
| 7           | Entertainment          | 107            | Humor                                      |
| 7           | Entertainment          | 116            | Magazines                                  |
| 7           | Entertainment          | 120            | Movies                                     |
| 7           | Entertainment          | 121            | Music                                      |
| 7           | Entertainment          | 122            | News & Media                               |
| 7           | Entertainment          | 127            | Paranormal                                 |
| 7           | Entertainment          | 139            | Radio                                      |
| 7           | Entertainment          | 156            | Television                                 |
| 7           | Entertainment          | 164            | Video Streaming                            |
| 8           | Gambling               | 99             | Gambling                                   |
| 9           | Government & Politics  | 190            | Charity and Non-profit                     |
| 9           | Government & Politics  | 101            | Government/Legal                           |
| 9           | Government & Politics  | 137            | Politics, Advocacy, and Government-Related |
| 10          | Health                 | 103            | Health & Fitness                           |
| 10          | Health                 | 146            | Sex Education                              |
| 12          | Internet Communication | 77             | Chat                                       |
| 12          | Internet Communication | 98             | Forums                                     |
| 12          | Internet Communication | 108            | Information Security                       |
| 12          | Internet Communication | 110            | Instant Messengers                         |
| 12          | Internet Communication | 111            | Internet Phone & VOIP                      |
| 12          | Internet Communication | 118            | Messaging                                  |
| 12          | Internet Communication | 126            | P2P                                        |
| 12          | Internet Communication | 129            | Personal Blogs                             |
| 12          | Internet Communication | 168            | Webmail                                    |
| 12          | Internet Communication | 172            | Photo Sharing                              |
| 13          | Job Search & Careers   | 113            | Job Search & Careers                       |
| 15          | Miscellaneous          | 115            | Login Screens                              |
| 15          | Miscellaneous          | 119            | Miscellaneous                              |
| 15          | Miscellaneous          | 124            | No Content                                 |
| 15          | Miscellaneous          | 141            | URL Alias/Redirect                         |
| 15          | Miscellaneous          | 161            | Unreachable                                |
| 17          | Questionable Content   | 85             | Deceptive Ads                              |
| 17          | Questionable Content   | 87             | Drugs                                      |
| 17          | Questionable Content   | 102            | Hacking                                    |
| 17          | Questionable Content   | 135            | Profanity                                  |
| 17          | Questionable Content   | 138            | Questionable Activities                    |
| 17          | Questionable Content   | 157            | Militancy, Hate & Extremism                |
| 17          | Questionable Content   | 162            | Unreliable Information                     |
| 18          | Real Estate            | 140            | Real Estate                                |
| 19          | Religion               | 142            | Religion & Spirituality                    |
| 20          | Safe for Kids          | 143            | Safe for Kids                              |
| 21          | Security threats       | 68             | Anonymizer                                 |
| 21          | Security threats       | 80             | Command and Control & Botnet               |
| 21          | Security threats       | 187            | Compromised Domain                         |
| 21          | Security threats       | 83             | Cryptomining                               |
| 21          | Security threats       | 117            | Malware                                    |
| 21          | Security threats       | 131            | Phishing                                   |
| 21          | Security threats       | 188            | Potentially unwanted software              |
| 21          | Security threats       | 134            | Private IP Address                         |
| 21          | Security threats       | 151            | Spam                                       |
| 21          | Security threats       | 153            | Spyware                                    |
| 21          | Security threats       | 175            | DNS Tunneling                              |
| 21          | Security threats       | 176            | Domain Generation Algorithm                |
| 21          | Security threats       | 178            | Brand Embedding                            |
| 21          | Security threats       | 191            | Scam                                       |
| 22          | Shopping & Auctions    | 73             | Auctions & Marketplaces                    |
| 22          | Shopping & Auctions    | 82             | Coupons                                    |
| 22          | Shopping & Auctions    | 88             | Ecommerce                                  |
| 22          | Shopping & Auctions    | 148            | Shopping                                   |
| 24          | Society & Lifestyle    | 71             | Arts & Crafts                              |
| 24          | Society & Lifestyle    | 72             | Astrology                                  |
| 24          | Society & Lifestyle    | 78             | Clothing                                   |
| 24          | Society & Lifestyle    | 84             | Dating & Relationships                     |
| 24          | Society & Lifestyle    | 86             | Digital Postcards                          |
| 24          | Society & Lifestyle    | 93             | Parenting                                  |
| 24          | Society & Lifestyle    | 94             | Fashion                                    |
| 24          | Society & Lifestyle    | 97             | Food & Drink                               |
| 24          | Society & Lifestyle    | 104            | Hobbies & Interests                        |
| 24          | Society & Lifestyle    | 105            | Home & Garden                              |
| 24          | Society & Lifestyle    | 114            | Lifestyle                                  |
| 24          | Society & Lifestyle    | 130            | Pets                                       |
| 24          | Society & Lifestyle    | 132            | Photography                                |
| 24          | Society & Lifestyle    | 136            | Professional Networking                    |
| 24          | Society & Lifestyle    | 147            | Sexuality                                  |
| 24          | Society & Lifestyle    | 149            | Social Networks                            |
| 24          | Society & Lifestyle    | 154            | Swimsuits                                  |
| 24          | Society & Lifestyle    | 158            | Tobacco                                    |
| 24          | Society & Lifestyle    | 173            | Body Art                                   |
| 24          | Society & Lifestyle    | 174            | Lingerie & Bikini                          |
| 24          | Society & Lifestyle    | 181            | Alcohol                                    |
| 25          | Sports                 | 152            | Sports                                     |
| 26          | Technology             | 69             | APIs                                       |
| 26          | Technology             | 81             | Content Servers                            |
| 26          | Technology             | 95             | File Sharing                               |
| 26          | Technology             | 109            | Information Technology                     |
| 26          | Technology             | 123            | News, Portal & Search                      |
| 26          | Technology             | 145            | Search Engines                             |
| 26          | Technology             | 155            | Technology                                 |
| 26          | Technology             | 159            | Translator                                 |
| 26          | Technology             | 184            | Artificial Intelligence                    |
| 26          | Technology             | 192            | Remote Access                              |
| 26          | Technology             | 193            | Shareware/Freeware                         |
| 26          | Technology             | 194            | Keep Awake Software                        |
| 27          | Travel                 | 160            | Travel                                     |
| 28          | Vehicles               | 163            | Vehicles                                   |
| 29          | Violence               | 165            | Violence                                   |
| 29          | Violence               | 166            | Weapons                                    |
| 30          | Weather                | 167            | Weather                                    |
| 31          | Always blocked         | 170            | Child Abuse                                |
| 32          | Security Risks         | 128            | Parked & For Sale Domains                  |
| 32          | Security Risks         | 169            | New Domains                                |
| 32          | Security Risks         | 177            | Newly Seen Domains                         |
| 34          | CIPA                   | 182            | CIPA Filter                                |

## Filtering options

### Filter traffic by resolved IP category

When creating a DNS policy for security or content categories, you can optionally turn on **Filter traffic by resolved IP category** in the policy settings. When turned on, Gateway will block queries based on their resolved IP address in addition to the domain name. This setting may increase the number of false positives because domains in the blocked category can share IP addresses with legitimate domains.

### Ignore `CNAME` domain categories

The categories for a site's Canonical Name (`CNAME`) records may differ from its `A` record. For example, `blog.example.com` may be categorized under Personal Blogs, while `example.com` is categorized under Technology. To limit matches for a DNS policy to only the root domain's categories, turn on **Ignore CNAME domain categories**.

Regardless of this setting, `CNAME` domain categories will still appear in your Gateway [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) logs.
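Both options above are per-policy settings, so they are set on the DNS policy resource rather than account-wide. As an added example that is not code from the Cloudflare documentation, the following Terraform policy blocks two of the subcategories listed in the table on this page and turns both options on. It assumes the v5 provider's attribute syntax, the `rule_settings` fields `ip_categories` and `ignore_cname_category_matches` (the API names for the two dashboard toggles, assumed here, not stated on this page), and a `var.cloudflare_account_id` variable as in the categories example below.

```hcl
# Added example, not from the Cloudflare docs. Assumes Terraform provider v5
# attribute syntax, the rule_settings fields ip_categories and
# ignore_cname_category_matches, and a var.cloudflare_account_id variable.
resource "cloudflare_zero_trust_gateway_policy" "dns_block_anonymizer_p2p" {
  account_id  = var.cloudflare_account_id
  name        = "DNS block anonymizers and P2P"
  description = "Block by content category, also matching on resolved IP"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  precedence  = 100

  # Subcategory IDs from the table on this page: 68 Anonymizer, 126 P2P.
  traffic = "any(dns.content_category[*] in {68 126})"

  rule_settings = {
    # "Filter traffic by resolved IP category": also block when the resolved
    # IP belongs to a blocked category. Raises coverage at the cost of false
    # positives on shared hosting, so review the Gateway DNS logs after enabling.
    ip_categories = true

    # "Ignore CNAME domain categories": match only the queried root domain's
    # categories, not those of CNAME targets in the response.
    ignore_cname_category_matches = true
  }
}
```

Because `ip_categories` widens the match to every domain sharing an address with a categorized one, roll it out on a block policy only after checking the Logpush or dashboard DNS logs for legitimate domains that would be caught.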

## Categorization process

Cloudflare's domain categorization engine begins with multiple data sources, including:

1. Cloudflare's proprietary data using our global network.
2. Third-party intelligence feeds. Cloudflare uses data from over 30 open-source intelligence feeds and premium commercial feeds, such as Avira and Zvelo.

Then, the initial categorization is refined via:

1. Machine learning models. Our algorithms, including DGA Domains, DNS tunneling, and phishing detection models analyze patterns and behaviors to detect new and evolving threats.
2. Community feedback. Through a review process, Cloudflare assesses feedback by both our internal models and threat analysts. This ensures that our categorizations reflect the most current and accurate threat intelligence.

## Terraform

Terraform users can retrieve the category list with the `cloudflare_zero_trust_gateway_categories_list` data source. This allows you to create Gateway policies with the category's name rather than its numeric ID. For example:

```hcl
data "cloudflare_zero_trust_gateway_categories_list" "categories" {
  account_id = var.cloudflare_account_id
}

locals {
  main_categories_map = {
    for idx, c in data.cloudflare_zero_trust_gateway_categories_list.categories.result :
    c.name => c.id
  }

  subcategories_map = merge(flatten([
    for idx, c in data.cloudflare_zero_trust_gateway_categories_list.categories.result : {
      for k, v in coalesce(c.subcategories, []) :
      v.name => v.id
    }
  ])...)
}

resource "cloudflare_zero_trust_gateway_policy" "zt_block_dns_tech_categories" {
  account_id = var.cloudflare_account_id
  name       = "DNS Blocked"
  action     = "block"
  traffic    = "any(dns.content_category[*] in {${join(" ", [
    local.main_categories_map["Technology"],
    local.subcategories_map["APIs"],
    local.subcategories_map["Artificial Intelligence"],
    local.subcategories_map["Content Servers"],
    local.subcategories_map["Translator"]
  ])}})"
}
```


---

---
title: Egress policies
description: Configure Egress policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Egress policies

Note

Only available on Enterprise plans.

Many third-party services (for example, a bank or partner API) only allow connections from a known list of IP addresses. By default, traffic that exits through Cloudflare Gateway shares a source IP address with all other Cloudflare One Client users, so upstream services cannot identify your organization by IP alone.

[Dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) solve this problem. They are static IP addresses assigned only to your account, which you can add to upstream allowlists.

Egress policies control which dedicated egress IP is used for a given connection. You can match traffic on attributes such as user identity, source or destination IP address, and geolocation. Traffic that does not match an egress policy defaults to the most performant dedicated egress IP.

Cloudflare does not publish Cloudflare One Client egress IP ranges. Cloudflare One Client egress IPs are not listed at [Cloudflare's IP Ranges ↗](https://cloudflare.com/ips). To obtain a dedicated Cloudflare One Client egress IP, contact your account team.

Terraform provider v4 precedence limitation

To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint.

To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade).

## Load balancing

Traffic that does not match any egress policy exits from the closest Cloudflare data center using a default Gateway egress IP. This applies whether your account uses dedicated egress IPs or the default shared IPs.

If two data centers are equally close to the user, Gateway splits traffic between them. The load balancer keeps each user on the same egress IP regardless of which data center handles the request.

## Force IP version

Some upstream services only accept connections over a specific IP version. To force all egress traffic to use IPv4 or IPv6 only, first verify you are [filtering DNS traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/), then create a DNS policy to [block AAAA or A records](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/common-policies/#control-ip-version).

## Example policies

The following egress policy configures all traffic destined for a third-party network to use a static source IP:

| Policy name                 | Selector       | Operator | Value          | Egress method                   |
| --------------------------- | -------------- | -------- | -------------- | ------------------------------- |
| Access third-party provider | Destination IP | is       | 198.51.100.158 | Dedicated Cloudflare egress IPs |

| Primary IPv4 address | IPv6 address  |
| -------------------- | ------------- |
| 203.0.113.88         | 2001:db8::/32 |

### Secure access to SaaS applications

Many SaaS providers (for example, Microsoft 365, Salesforce, or Workday) allow you to restrict access to connections from specific IP addresses. You can use dedicated egress IPs with Gateway to enforce this restriction:

1. **Obtain dedicated egress IPs** from your account team and note the assigned IPv4 and IPv6 addresses.
2. **Create an egress policy** that routes traffic destined for the SaaS provider through your dedicated egress IP. Use the Destination IP selector with the published IP ranges of the provider. Alternatively, use the Application selector (Beta) to match the provider by name.
3. **Add the egress IPs to the SaaS provider's allowlist** so the provider only accepts connections from your organization's IPs.
4. **Pair with HTTP policies** to add deeper controls. For example, block file uploads to personal accounts, enforce DLP profiles to prevent sensitive data from leaving the organization, or require [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) before allowing access.

This pattern ensures that access to the SaaS application is limited to traffic that passes through Gateway, where your security policies are enforced, and that the SaaS provider can verify traffic originates from your organization.
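The example policy table above and step 2 of the SaaS procedure, expressed in Terraform. This is an added example rather than code from the Cloudflare documentation: it assumes the v5 provider's attribute syntax (`rule_settings = { egress = { ... } }` with `ipv4`, `ipv6` and `ipv4_fallback`), a `var.cloudflare_account_id` variable as used in the categories example on the previous page, and reuses the sample addresses from the tables above; the posture check ID is the sample value from the Device Posture selector table on this page and is not a real check.

```hcl
# Added example, not from the Cloudflare docs. Assumes Terraform provider v5
# attribute syntax, rule_settings.egress with ipv4/ipv6/ipv4_fallback, and
# a var.cloudflare_account_id variable. All addresses are the page's sample values.
resource "cloudflare_zero_trust_gateway_policy" "egress_third_party_provider" {
  account_id  = var.cloudflare_account_id
  name        = "Access third-party provider"
  description = "Pin traffic to the partner API onto our dedicated egress IPs"
  enabled     = true
  action      = "egress"
  filters     = ["egress"]

  # Policies are evaluated in ascending precedence. Keep this number smaller
  # than the catch-all policy's so the specific match is tested first.
  precedence = 100

  # Destination IP selector from the example table (sample address).
  traffic = "any(net.dst.ip[*] in {198.51.100.158})"

  # Step 4 of the procedure: only devices passing a posture check may use the
  # allowlisted IP. Sample check ID from the Device Posture table on this page.
  device_posture = "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})"

  rule_settings = {
    egress = {
      # Primary IPv4 address and IPv6 range from the example table.
      ipv4 = "203.0.113.88"
      ipv6 = "2001:db8::/32"
      # Secondary IPv4: 0.0.0.0 tells Gateway to fail over to the location
      # closest to the user if the primary address's data center is unavailable.
      ipv4_fallback = "0.0.0.0"
    }
  }
}
```

The `ipv4_fallback` value is the part most often left out when policies are created by API: without a secondary address the policy has no failover path if the primary location goes down. The upstream allowlist must contain both `203.0.113.88` and the `2001:db8::/32` range, since IPv6 traffic may exit from any Cloudflare data center.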

### Catch-all policy

Without a catch-all policy, any traffic that does not match an explicit egress policy will attempt to use the closest dedicated egress IP location. To avoid unexpected IP assignments and maintain the best performance, create a catch-all policy that routes remaining traffic through the default Zero Trust IP range:

| Policy name           | Selector | Operator | Value                  | Egress method                    |
| --------------------- | -------- | -------- | ---------------------- | -------------------------------- |
| Default egress policy | Protocol | in       | All options (Protocol) | Cloudflare default egress method |

Gateway policies evaluate from [top to bottom](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) in the UI. Place the catch-all policy at the bottom of the list so that more specific policies are evaluated first.

## Egress methods

When you configure your egress policy, you can choose whether to egress traffic using the default Cloudflare egress method or dedicated egress IPs.

### Use default Cloudflare egress method

**Use default Cloudflare egress method** routes traffic through the default source IP range shared across all Zero Trust accounts. Traffic exits from the nearest Cloudflare data center, which provides the best performance.

### Use dedicated egress IPs

**Use dedicated egress IPs (Cloudflare or BYOIP)** routes traffic through the primary IPv4 address and IPv6 range you select in the dropdown menus. 

When creating egress policies with dedicated egress IPs, you must set a secondary IPv4 address to ensure traffic resilience. You can set the secondary IPv4 address to `0.0.0.0` or a specific Cloudflare location different from your primary IPv4 address. If you set the secondary IPv4 address to `0.0.0.0`, Gateway will route traffic to the location closest to the user. If the physical location of your primary IPv4 address is not available, Gateway will route traffic to either the default Cloudflare egress range or the secondary location specified.

If the data center associated with your primary IPv4 address goes down, Gateway fails over to the secondary data center to prevent traffic drops. A secondary IPv6 address is not required because IPv6 traffic can exit from any Cloudflare data center. You can use IPs provided by Cloudflare or [bring your own IP addresses (BYOIP)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip).

To learn more about IPv4 and IPv6 egress behavior, refer to [Egress locations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#egress-location).

## Selectors

Selectors are the criteria that Gateway uses to match egress traffic against a policy. Gateway evaluates the following selectors:

### Application Beta

You can apply egress policies to a growing list of popular web applications. Refer to [Application and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/) for more information.

| UI name     | API example                 |
| ----------- | --------------------------- |
| Application | any(app.ids\[\*\] in {505}) |

This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites).

### Content Categories Beta

Applications within a specific [content category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories).

| UI name            | API example                                  |
| ------------------ | -------------------------------------------- |
| Content Categories | any(net.fqdn.content\_category\[\*\] in {1}) |

This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites).

### Destination Continent

The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the **Value** field:

| Continent     | Code |
| ------------- | ---- |
| Africa        | AF   |
| Antarctica    | AN   |
| Asia          | AS   |
| Europe        | EU   |
| North America | NA   |
| Oceania       | OC   |
| South America | SA   |
| Tor network   | T1   |

| UI name                              | API example                   |
| ------------------------------------ | ----------------------------- |
| Destination Continent IP Geolocation | net.dst.geo.continent == "EU" |

### Destination Country

The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                            | API example                 |
| ---------------------------------- | --------------------------- |
| Destination Country IP Geolocation | net.dst.geo.country == "RU" |

### Destination IP

The IP address of the request's target.

| UI name        | API example                           |
| -------------- | ------------------------------------- |
| Destination IP | any(net.dst.ip\[\*\] in {10.0.0.0/8}) |

### Destination Port

The port number of the request's target.

| UI name          | API example          |
| ---------------- | -------------------- |
| Destination Port | net.dst.port == 2222 |

### Device Posture

With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way.

For more information on device posture checks, refer to [Device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

| UI name                      | API example                                                                                                                                                                 |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Passed Device Posture Checks | any(device\_posture.checks.failed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device\_posture.checks.passed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}) |

### Domain Beta

Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`.

| UI name | API example                                  |
| ------- | -------------------------------------------- |
| Domain  | any(net.fqdn.domains\[\*\] == "example.com") |

Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites).

### Host Beta

Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`.

| UI name | API example                    |
| ------- | ------------------------------ |
| Host    | net.fqdn.host == "example.com" |

Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

Note

Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector.

This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites).

### Protocol

The protocol used to send the packet.

| UI name  | API example           |
| -------- | --------------------- |
| Protocol | net.protocol == "tcp" |

### Proxy Endpoint

The [proxy server](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) where your browser forwards HTTP traffic.

| UI name        | API example                                                 |
| -------------- | ----------------------------------------------------------- |
| Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" |

### Source Continent

The continent of the user making the request. 

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field:

| Continent     | Code |
| ------------- | ---- |
| Africa        | AF   |
| Antarctica    | AN   |
| Asia          | AS   |
| Europe        | EU   |
| North America | NA   |
| Oceania       | OC   |
| South America | SA   |
| Tor network   | T1   |

| UI name                         | API example                              |
| ------------------------------- | ---------------------------------------- |
| Source Continent IP Geolocation | net.src.geo.continent == "NA"            |

### Source Country

The country of the user making the request. 

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                       | API example                 |
| ----------------------------- | --------------------------- |
| Source Country IP Geolocation | net.src.geo.country == "RU" |

### Source Internal IP

Use this selector to match the private IP address, assigned by the user's local network, from which requests arrive at Gateway.

| UI name            | API example                                    |
| ------------------ | ---------------------------------------------- |
| Source Internal IP | net.src.internal\_src\_ip == "192.168.86.0/27" |

### Source IP

The originating IP address or addresses of a device proxied by Gateway.

| UI name   | API example                      |
| --------- | -------------------------------- |
| Source IP | net.src.ip\[\*\] in {10.0.0.0/8} |

### Source Port

The originating port of a device proxied by Gateway.

| UI name     | API example            |
| ----------- | ---------------------- |
| Source Port | net.src.port == "2222" |

### Users

Use these selectors to match against identity attributes.

| UI name           | API example                                                                                                     |
| ----------------- | --------------------------------------------------------------------------------------------------------------- |
| User Email        | identity.email == "user@example.com"                                                                            |
| User Name         | identity.name == "Test User"                                                                                    |
| User Group IDs    | any(identity.groups\[\*\].id in {"group\_id"})                                                                  |
| User Group Names  | any(identity.groups\[\*\].name in {"group\_name"})                                                              |
| User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"})                                                       |
| SAML Attributes   | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) |

### Virtual Network

Use this selector to match all traffic routed through a specific [Virtual Network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) via the Cloudflare One Client.

| UI name         | API example                                            |
| --------------- | ------------------------------------------------------ |
| Virtual Network | net.vnet\_id == "957fc748-591a-e96s-a15d-1j90204a7923" |

## Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector.

| Operator                 | Meaning                                                                                                            |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------ |
| is                       | equals the defined value                                                                                           |
| is not                   | does not equal the defined value                                                                                   |
| in                       | matches at least one of the defined values                                                                         |
| not in                   | does not match any of the defined values                                                                           |
| in list                  | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values     |
| not in list              | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values |
| matches regex            | regex evaluates to true                                                                                            |
| does not match regex     | regex evaluates to false                                                                                           |
| greater than             | exceeds the defined number                                                                                         |
| greater than or equal to | exceeds or equals the defined number                                                                               |
| less than                | below the defined number                                                                                           |
| less than or equal to    | below or equals the defined number                                                                                 |

## Value

You can input a single value or use regular expressions to specify a range of values.

Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. To evaluate if your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/).

## Logical operators

To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator.

| Operator | Meaning                                       |
| -------- | --------------------------------------------- |
| And      | match all of the conditions in the expression |
| Or       | match any of the conditions in the expression |

The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in **Identity** or **Device Posture**.

## Limitations

### Selector prerequisites

The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors require additional setup before they work in egress policies. Before deploying policies with these selectors, refer to [Host selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/host-selectors).

---

---
title: Dedicated egress IPs
description: How Dedicated egress IPs works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Dedicated egress IPs

Note

Only available as an add-on to Zero Trust Enterprise plans.

Many third-party services require you to allowlist specific source IP addresses before they accept connections. Dedicated egress IPs are static IP addresses assigned exclusively to your account — no other Cloudflare customer shares them.

Each dedicated egress IP consists of an IPv4 address and an IPv6 range, both tied to a specific Cloudflare data center. Cloudflare provisions your account with at least two dedicated egress IPs in two different cities.

You can request additional dedicated egress IPs at any time. Contact your account team to schedule a service window.

## Turn on egress IPs

To start routing traffic through dedicated egress IPs:

1. Contact your account team to obtain a dedicated egress IP.
2. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
3. Turn on **Allow Secure Web Gateway to proxy traffic**.
4. Select **TCP**.
5. (Optional) Select **UDP**. This will allow HTTP/3 traffic to egress with your dedicated IPs.

Dedicated egress IPs are now turned on for all network and HTTP traffic proxied by Gateway. To selectively turn on dedicated egress IPs for a subset of your traffic, refer to [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/).

## Verify egress IPs

To check if your device is using the correct dedicated egress IP:

1. Verify that the device is connected to your Zero Trust organization through the Cloudflare One Client.
2. Determine the source IPv4 address of your device by going to `https://ipv4.icanhazip.com/`.
3. Determine the source IPv6 address of your device by going to `https://ipv6.icanhazip.com/`.
4. Verify that the source IPv4 and IPv6 addresses match your dedicated egress IP.

When testing against another origin, you may see either an IPv4 or IPv6 address. Gateway does not control which protocol is used — some origins only support one protocol, and when both are available, the client operating system and browser decide. For example, Windows [favors IPv6 by default ↗](https://learn.microsoft.com/troubleshoot/windows-server/networking/configure-ipv6-in-windows).
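The four-step check above as a script, added here as an example rather than Cloudflare's own tooling. The dedicated IPv4 address and IPv6 /64 below are constructed placeholders to replace with the values leased to your account; the lookup URLs are the two named above, and a lookup that fails is reported as "unreachable" rather than as a mismatch, since a device may only have one address family.

```python
"""Confirm that a device's observed source IPs are its dedicated egress IPs.

Added example, not Cloudflare's code. EXPECTED_IPV4 / EXPECTED_IPV6_RANGE are
constructed placeholders (documentation address space); replace them with the
values shown under Address space > Leased IPs.
"""
import ipaddress
import urllib.request
from typing import Dict, Optional

EXPECTED_IPV4 = "203.0.113.10"                     # placeholder dedicated IPv4
EXPECTED_IPV6_RANGE = "2001:db8:1234:5678::/64"    # placeholder; each account gets a /64

IPV4_LOOKUP = "https://ipv4.icanhazip.com/"
IPV6_LOOKUP = "https://ipv6.icanhazip.com/"


def fetch_source_ip(url: str, timeout: float = 5.0) -> Optional[str]:
    """Return the source address the lookup service saw, or None when that
    address family is not reachable from this device (no IPv6 path, DNS
    failure, timeout). URLError and socket timeouts are both OSError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace").strip()
    except OSError:
        return None


def _parse(observed: str):
    try:
        return ipaddress.ip_address(observed)
    except ValueError:
        return None  # service returned something that is not an IP address


def check_ipv4(observed: Optional[str], expected: str = EXPECTED_IPV4) -> str:
    """'match' only when the observed address is exactly the dedicated IPv4."""
    if observed is None:
        return "unreachable"
    addr = _parse(observed)
    if addr is not None and addr.version == 4 and addr == ipaddress.ip_address(expected):
        return "match"
    return "mismatch"


def check_ipv6(observed: Optional[str], expected_range: str = EXPECTED_IPV6_RANGE) -> str:
    """IPv6 egress uses any address inside the account's /64, so the check is
    membership in the range rather than equality with one address."""
    if observed is None:
        return "unreachable"
    addr = _parse(observed)
    if addr is not None and addr.version == 6 and addr in ipaddress.ip_network(expected_range, strict=False):
        return "match"
    return "mismatch"


def verify_egress(observed_v4: Optional[str], observed_v6: Optional[str],
                  expected_v4: str = EXPECTED_IPV4,
                  expected_v6_range: str = EXPECTED_IPV6_RANGE) -> Dict[str, object]:
    """Summarise both families. 'ok' is True only when every reachable family
    matched and at least one family was reachable at all."""
    results: Dict[str, object] = {
        "ipv4": check_ipv4(observed_v4, expected_v4),
        "ipv6": check_ipv6(observed_v6, expected_v6_range),
    }
    reachable = [r for r in (results["ipv4"], results["ipv6"]) if r != "unreachable"]
    results["ok"] = bool(reachable) and all(r == "match" for r in reachable)
    return results


if __name__ == "__main__":
    summary = verify_egress(fetch_source_ip(IPV4_LOOKUP), fetch_source_ip(IPV6_LOOKUP))
    print(f"ipv4: {summary['ipv4']}  ipv6: {summary['ipv6']}")
    print("dedicated egress confirmed" if summary["ok"] else "dedicated egress NOT confirmed")
```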

## IPs

### Bring your own IP address (BYOIP)

If your organization already owns IPv4 or IPv6 addresses from a regional Internet registry, you can use them as dedicated egress IPs instead of Cloudflare-provided addresses. To obtain an IPv6 range, refer to [American Registry for Internet Numbers (ARIN) ↗](https://www.arin.net/resources/guide/ipv6/first%5Frequest/) or [Regional Internet Registry for Europe, Middle East and Central Asia (RIPE NCC) ↗](https://www.ripe.net/manage-ips-and-asns/ipv6/request-ipv6/).

After you onboard your IP addresses, they appear as options when you create an [egress policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) and choose **Use dedicated egress IPs (Cloudflare or BYOIP)** as the [egress method](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#egress-methods). BYOIP dedicated egress IPs do not support [IP geolocation](#ip-geolocation).

For more information, refer to [Cloudflare BYOIP](https://developers.cloudflare.com/byoip/) or contact your account team.

### Cloudflare IPs

If you do not have your own authority-provided IPv4 and IPv6 addresses, you can use dedicated egress IPs with a Cloudflare IP address.

You can find your leased Gateway dedicated egress IPs on the dashboard under [**Address space** \> **Leased IPs** ↗](https://dash.cloudflare.com/?to=/:account/ip-addresses/address-space).

## Limitations

### Concurrent connections

Each dedicated egress IP supports up to 40,000 concurrent connections per unique combination of destination IP and destination port. You can configure multiple origins for each combination of dedicated egress IP and source port.

### Unsupported traffic

Dedicated egress IPs do not apply to the following traffic types. These connections use the default shared IPs because Cloudflare identifies them by other means (for example, tunnel ID or account context) rather than source IP.

* DNS queries resolved through Gateway
* Private networks connected to Zero Trust via Cloudflare Tunnel
* Traffic destined for private networks connected to Zero Trust via [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/)
* ICMP traffic (for example, `ping`)

### Traffic resilience

To improve traffic resilience, assign your dedicated egress IPs to different Cloudflare data center locations. If you have multiple IPs in the same city, choose different data centers within that city. For more information, contact your account team.

When creating egress policies with dedicated egress IPs, you must set a secondary IPv4 address to ensure traffic resilience. You can set the secondary IPv4 address to `0.0.0.0` or a specific Cloudflare location different from your primary IPv4 address. If you set the secondary IPv4 address to `0.0.0.0`, Gateway will route traffic to the location closest to the user. If the physical location of your primary IPv4 address is not available, Gateway will route traffic to either the default Cloudflare egress range or the secondary location specified.

Fallback egress IPs

If the location for your primary egress IPs goes down and there is no secondary backup IP address configured in the egress policy, Gateway will not properly route your traffic. Cloudflare recommends you always configure a fallback egress IP for every egress policy.
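A small audit of egress policies against the fallback requirement above, added here as an example and not Cloudflare's code. The rule shape (`action: "egress"` with addresses under `rule_settings.egress` as `ipv4`, `ipv6` and `ipv4_fallback`) is assumed from the Gateway rules API and should be confirmed against the API reference; the sample rules are constructed.

```python
"""Flag Gateway egress policies that have no usable secondary IPv4 address.

Added example, not Cloudflare's code. Field names are an assumption taken
from the Gateway rules API as the author understands it: an egress policy has
"action": "egress" and its addresses live in rule_settings.egress under
"ipv4", "ipv6" and "ipv4_fallback".
"""
import ipaddress
from typing import Dict, List

CLOSEST_LOCATION = "0.0.0.0"  # a secondary of 0.0.0.0 means "closest location to the user"


def egress_rule_problems(rule: Dict) -> List[str]:
    """Return the resilience problems found in one rule (empty list means OK).
    Rules with any other action (allow, block, ...) are not egress policies and are skipped."""
    if rule.get("action") != "egress":
        return []
    egress = (rule.get("rule_settings") or {}).get("egress") or {}
    primary = egress.get("ipv4")
    secondary = egress.get("ipv4_fallback")
    problems: List[str] = []

    if not primary:
        problems.append("no primary IPv4 egress address")
    if not secondary:
        # The failure mode described on the page: with no secondary configured,
        # Gateway cannot route the traffic when the primary location is down.
        problems.append("no secondary IPv4 address: traffic fails if the primary location is down")
        return problems

    try:
        ipaddress.IPv4Address(secondary)
    except ValueError:
        problems.append(f"secondary IPv4 {secondary!r} is not a valid IPv4 address")
        return problems

    if secondary != CLOSEST_LOCATION and secondary == primary:
        problems.append("secondary IPv4 equals the primary: no second location to fail over to")
    return problems


def audit_egress_rules(rules: List[Dict]) -> Dict[str, List[str]]:
    """Map each problematic egress rule's name to its problems; clean rules are omitted."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        problems = egress_rule_problems(rule)
        if problems:
            report[rule.get("name", "<unnamed>")] = problems
    return report


# Constructed sample rules; addresses are documentation ranges, not real leases.
SAMPLE_RULES = [
    {
        "name": "Bank SaaS egress",
        "action": "egress",
        "enabled": True,
        "rule_settings": {"egress": {"ipv4": "198.51.100.10",
                                     "ipv4_fallback": "0.0.0.0",
                                     "ipv6": "2001:db8:1234:5678::/64"}},
    },
    {
        "name": "Catch-all egress",
        "action": "egress",
        "enabled": True,
        "rule_settings": {"egress": {"ipv4": "198.51.100.10",
                                     "ipv6": "2001:db8:1234:5678::/64"}},
    },
    {"name": "Block malware", "action": "block", "enabled": True},
]


if __name__ == "__main__":
    for name, problems in audit_egress_rules(SAMPLE_RULES).items():
        print(f"{name}:")
        for problem in problems:
            print(f"  - {problem}")
```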

### IP geolocation

Note

IP geolocation will take at least six weeks to update across databases.

Websites and services use third-party IP geolocation databases to determine where a visitor is located. When you turn on dedicated egress IPs, Gateway updates these databases so they associate your new IPs with the correct city. Until the databases finish updating, services like Google Search may show incorrect regional content — for example, directing users in India to the United States landing page.

Your egress traffic geolocates to the city selected in your [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/). Traffic that does not match an egress policy defaults to the closest dedicated egress location. Create a [catch-all egress policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#catch-all-policy) before dedicated egress IPs are assigned to your account to prevent incorrect geolocation while databases update.

To verify that the IP geolocation has updated, check your dedicated egress IP in one of the supported databases:

Supported IP geolocation databases

* [Google ↗](https://developers.google.com/maps/documentation/geolocation/overview)
* [MaxMind GeoIP ↗](https://www.maxmind.com/en/geoip-databases)
* [TransUnion Neustar TruValidate IP Intelligence ↗](https://www.transunion.com/solution/truvalidate/digital-insights/ip-intelligence)
* [Abstract IP Geolocation API ↗](https://www.abstractapi.com/ip-geolocation-api)
* [DB-IP ↗](https://db-ip.com/)
* [Digital Element ↗](https://www.digitalelement.com/)
* [Geo Targetly ↗](https://geotargetly.com/)
* [IP-API.com ↗](https://ip-api.com/)
* [IP2Location ↗](https://lite.ip2location.com/)
* [IPinfo.io ↗](https://ipinfo.io/)
* [ip2c.org ↗](https://ip2c.org/)
* [ipapi ↗](https://ipapi.com/)
* [ipgeolocation.io ↗](https://ipgeolocation.io/)
* [ipify ↗](https://www.ipify.org/)
* [Ipstack ↗](https://ipstack.com/)

### Egress location

Where your users' traffic physically exits the Cloudflare network depends on whether the connection uses IPv4 or IPv6.

| Protocol | Destination proxied by Cloudflare | Physical egress location             | IP geolocation                       |
| -------- | --------------------------------- | ------------------------------------ | ------------------------------------ |
| IPv4     | No                                | Data center with dedicated egress IP | Matches dedicated egress IP location |
| IPv4     | Yes                               | Locally connected data center        | Matches dedicated egress IP location |
| IPv6     | No                                | Locally connected data center        | Matches dedicated egress IP location |
| IPv6     | Yes                               | Locally connected data center        | Matches dedicated egress IP location |

#### IPv4

IPv4 addresses are scarce, so Cloudflare must physically route IPv4 traffic to the data center where your dedicated address is provisioned. The user connects to the nearest Cloudflare data center, and Cloudflare internally routes the traffic to the dedicated egress location configured in your [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/). As a result, the data center shown in the user's Cloudflare One Client preferences may differ from the actual egress location.

Performance is better when users visit domains proxied by Cloudflare ([orange-clouded](https://developers.cloudflare.com/dns/proxy-status/) domains). In this case, IPv4 traffic physically exits from the most performant data center while still appearing to originate from your dedicated egress location.

For example, assume you have a primary dedicated egress IP in Los Angeles and a secondary dedicated egress IP in New York. A user in Las Vegas would see Las Vegas as their connected data center. If they go to a site not proxied by Cloudflare ([gray-clouded](https://developers.cloudflare.com/dns/proxy-status/#dns-only-records)), such as `espn.com`, they will egress from Los Angeles (or whichever city is in the matching egress policy). If they go to an orange-clouded site such as `cloudflare.com`, they will physically egress from Las Vegas but use Los Angeles as their IP geolocation.

IPv4 and IPv6 behavior

IPv4 addresses are limited, so Cloudflare must physically route traffic to the data center where your dedicated IPv4 address is provisioned. IPv6 has virtually unlimited address space, so Cloudflare can assign IPv6 ranges from all geolocations to every data center. This means IPv6 traffic can egress locally while still appearing to originate from your configured geolocation.

#### IPv6

Unlike IPv4, IPv6 traffic physically exits from the user's connected data center while still appearing to originate from the dedicated egress IP geolocation. This works because IPv6 has enough address space for Cloudflare to assign IPv6 ranges from all possible geolocations to every data center. Each account receives a /64 IPv6 range.

In the example above, the Las Vegas user would physically egress from Las Vegas but their traffic would IP geolocate to Los Angeles. This means:

| Attribute       | Value                                                                                                         |
| --------------- | ------------------------------------------------------------------------------------------------------------- |
| Physical egress | User's closest Cloudflare data center (Las Vegas)                                                             |
| IP geolocation  | Dedicated egress IP location configured in your egress policy (Los Angeles)                                   |
| Logs            | Correct IP geolocation (Los Angeles) even though the physical egress is from a different location (Las Vegas) |

## Frequently asked questions (FAQ)

### Can I provision the same egress IP address to multiple data centers?

No, egress IPs are limited to a single data center.

### Can my users in different locations egress from their closest data center via a single egress IP?

No, traffic exits from the data center where the egress IP is provisioned. If your users are spread across multiple regions, reserve multiple egress IPs in different data centers and assign each user group to the closest one.

### Can I use dedicated egress IPs with traffic proxied via [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)?

Yes, your users will egress via their provisioned IP address.

### What happens when I use dedicated egress IPs with [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)?

Your users will connect to the nearest data center, where the remote browser session will load. The remote browser will then egress via the data center with their provisioned egress IP.

### Do dedicated egress IPs work on the [Cloudflare China Network](https://developers.cloudflare.com/china-network/)?

No, Gateway does not support dedicated egress IPs on the China Network.

---

---
title: Egress through Cloudflare Tunnel
description: Egress through Cloudflare Tunnel in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Egress through Cloudflare Tunnel

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) |
| ---------------------------------------------------------------------------------------------------------------------------------- |
| Traffic and DNS mode                                                                                                               |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2025.4.929.0           |
| macOS    | ✅            | 2025.4.929.0           |
| Linux    | ✅            | 2025.4.929.0           |
| iOS      | ✅            | 1.11                   |
| Android  | ✅            | 2.4.2                  |
| ChromeOS | ✅            | 2.4.2                  |

Some third-party services only accept connections from specific source IPs listed in an Access Control List (ACL). If a non-Cloudflare IP (for example, an IP from your ISP or a cloud provider like AWS) is already on their allowlist, you can route traffic through a Cloudflare Tunnel so that it exits using that same IP. This is called source IP anchoring — it allows you to keep your existing egress IPs without purchasing [Cloudflare dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/).

For example, assume your banking service at `app.bank.com` expects traffic from an AWS IP. You install `cloudflared` in your AWS environment and add a public hostname route for `app.bank.com`. When users connect to `app.bank.com` through the Cloudflare One Client, Gateway applies your network policies and routes the filtered traffic through the Cloudflare Tunnel to AWS. The traffic then exits to the public Internet using your AWS egress IP.

```mermaid
flowchart LR
  subgraph aws["AWS VPC"]
    cloudflared["cloudflared"]
  end
  subgraph cloudflare[Cloudflare]
    gateway["Gateway"]
  end
  subgraph internet[Internet]
    resolver[1.1.1.1]
    app[Application]
  end
  warp["Cloudflare One Client"]--"app.bank.com"-->gateway--"Network traffic"-->cloudflared
  gateway<-.DNS lookup.->resolver
  aws--AWS egress IP -->app
```

To learn more about how Gateway applies hostname-based egress policies, refer to the [Cloudflare blog ↗](https://blog.cloudflare.com/egress-policies-by-hostname/).

## Prerequisites

User traffic must be on-ramped to Gateway using one of the following methods:

| On-ramp method                                                                                                              | Compatibility             |
| --------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) | ✅                         |
| [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)               | ✅                         |
| [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)                             | ✅                         |
| [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)                    | ✅                         |
| [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/)                           | 🚧[1](#user-content-fn-1) |

## Footnotes

1. Not compatible with [ECMP routing](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#equal-cost-multi-path-routing). For hostname-based routing to work, DNS queries and the resulting network traffic must reach Cloudflare over the same IPsec/GRE tunnel.  
[↩](#user-content-fnref-1)

## 1\. Connect your private network

[Connect your private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/) to Cloudflare using `cloudflared`. For example, if you want traffic to egress from AWS, connect the private CIDR block of your AWS VPC.

Note

Requires `cloudflared` version 2025.7.0 or later.

## 2\. Add a public hostname route

To route a public hostname through Cloudflare Tunnel:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Routes** \> **Hostname routes**.
2. Select **Create hostname route**.
3. In **Hostname**, enter the public hostname that represents the application (for example, `app.bank.com`). The hostname should be accessible from the public Internet.
4. For **Tunnel**, select the Cloudflare Tunnel that is being used to connect the private network to Cloudflare.
5. Select **Create route**.

## 3\. Route network traffic through the Cloudflare One Client

In your WARP [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configuration, route the following IP addresses through the WARP tunnel to Gateway.

### Initial resolved IPs

When users connect to a public hostname route, Gateway assigns an initial resolved IP to the DNS query from the `100.80.0.0/16` (IPv4) or `2606:4700:0cf1:4000::/64` (IPv6) range.

Gateway's network engine operates at Layer 3/Layer 4 of the [OSI model ↗](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/), where only IP addresses are available — not hostnames. The initial resolved IP acts as a signal: when a packet's destination IP falls within the `100.80.0.0/16` Carrier-Grade NAT (CGNAT) range, Gateway recognizes that the IP maps to a public hostname route and sends the traffic through the corresponding Cloudflare Tunnel.

To route initial resolved IPs through the Cloudflare One Client:

In your WARP [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/), configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) such that the initial resolved IPs route through the WARP tunnel. Configuration depends on your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode):

* **Exclude mode**: Delete `100.64.0.0/10` from your Split Tunnels list. We recommend [adding back the IP ranges](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/#split-tunnel-configuration) that are not explicitly used for Cloudflare One services. This reduces the risk of conflicts with existing private network configurations that may use the CGNAT address space.
* **Include mode**: Add Split Tunnel entries for the following IP addresses:  
   * **IPv4**: `100.80.0.0/16`  
   * **IPv6**: `2606:4700:0cf1:4000::/64`
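Working out the Split Tunnels entries for both modes, added here as an example and not Cloudflare's code. It treats only the initial resolved IP ranges named on this page as Cloudflare One space; in a real deployment the other Cloudflare One reserved ranges from the linked reserved IPs page would be passed in as well (an assumption, not something this page lists).

```python
"""Split Tunnels arithmetic for hostname-based egress through Cloudflare Tunnel.

Added example, not Cloudflare's code. Only 100.80.0.0/16 and
2606:4700:0cf1:4000::/64 (the initial resolved IP ranges on this page) are
treated as reserved; add any further Cloudflare One reserved ranges to
`reserved` yourself (assumption).
"""
import ipaddress
from typing import Iterable, List

CGNAT = ipaddress.ip_network("100.64.0.0/10")                 # the range Exclude mode ships with
INITIAL_RESOLVED_V4 = ipaddress.ip_network("100.80.0.0/16")
INITIAL_RESOLVED_V6 = ipaddress.ip_network("2606:4700:0cf1:4000::/64")


def exclude_mode_add_back(cgnat=CGNAT, reserved: Iterable = (INITIAL_RESOLVED_V4,)) -> List[str]:
    """Exclude mode: after deleting 100.64.0.0/10 from the Split Tunnels list,
    these are the prefixes to add back so that everything in the CGNAT block
    except the reserved ranges is still excluded from the WARP tunnel."""
    remaining = [cgnat]
    for r in reserved:
        next_remaining = []
        for net in remaining:
            if r.version != net.version:          # subnet_of() refuses mixed versions
                next_remaining.append(net)
            elif r.subnet_of(net):                # carve the reserved range out of net
                next_remaining.extend(net.address_exclude(r))
            elif net.subnet_of(r):                # net lies entirely inside a reserved range
                continue
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return [str(n) for n in sorted(remaining)]


def include_mode_entries() -> List[str]:
    """Include mode: the two entries that must be added to the Split Tunnels list."""
    return [str(INITIAL_RESOLVED_V4), str(INITIAL_RESOLVED_V6)]


def goes_through_tunnel(dest: str, mode: str, entries: List[str]) -> bool:
    """Emulate the client's decision for one destination: in Include mode a
    listed destination enters the WARP tunnel, in Exclude mode a listed one bypasses it."""
    if mode not in ("include", "exclude"):
        raise ValueError(f"unknown Split Tunnels mode: {mode!r}")
    addr = ipaddress.ip_address(dest)
    # `in` is False for a mismatched address family, so mixed lists are safe.
    listed = any(addr in ipaddress.ip_network(e) for e in entries)
    return listed if mode == "include" else not listed


def is_initial_resolved_ip(dest: str) -> bool:
    """Gateway's Layer 3/4 signal: a destination in one of these ranges maps
    to a public hostname route and is sent through the matching tunnel."""
    addr = ipaddress.ip_address(dest)
    return addr in INITIAL_RESOLVED_V4 or addr in INITIAL_RESOLVED_V6


if __name__ == "__main__":
    print("Exclude mode, add back:", ", ".join(exclude_mode_add_back()))
    print("Include mode, add:", ", ".join(include_mode_entries()))
    for ip in ("100.80.1.2", "100.65.0.1", "2606:4700:cf1:4000::5"):
        print(ip, "-> tunnel (exclude mode):", goes_through_tunnel(ip, "exclude", exclude_mode_add_back()),
              "| initial resolved IP:", is_initial_resolved_ip(ip))
```

Either mode should send `100.80.1.2` through the tunnel and keep the rest of the CGNAT block out of it; if an existing private network already uses part of that block, compare its prefixes against the add-back list before rolling the profile out.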

### Private network IPs

Your private network's CIDR block should also route through the WARP tunnel. For a detailed configuration example, refer to [Connect a private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-the-cloudflare-one-client).

## 4\. (Optional) Configure network policies

You can build [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to filter HTTPS traffic to your public hostname on port `443`. For example, to restrict `app.bank.com` so that only certain users or groups can access it through your AWS egress IP, create two policies: one to allow authorized users, and one to block everyone else.

1. Allow company employees:

   | Selector   | Operator      | Value           | Logic | Action |
   | ---------- | ------------- | --------------- | ----- | ------ |
   | SNI        | in            | app.bank.com    | And   | Allow  |
   | User Email | matches regex | .\*@example.com |       |        |

2. Block everyone else on port `443`:

   | Selector | Operator | Value        | Action |
   | -------- | -------- | ------------ | ------ |
   | SNI      | in       | app.bank.com | Block  |

Gateway does not support hostname-based filtering for traffic on non-`443` ports. To block traffic to `app.bank.com` on all ports, use the [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#destination-ip) selector and specify the public IP range of `app.bank.com`.

## 5\. Test the connection

From a device, open a browser and go to `app.bank.com`.

You can search for `app.bank.com` in your [Gateway DNS logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/); the **DNS response details** section should show the public resolved IPs as well as an initial resolved IP. You can also check your [Cloudflare Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) to confirm that requests are routing through the tunnel to the public resolved IPs.

## Limitations

### Google Chrome restricts local network access

Starting with [Chrome 142 ↗](https://developer.chrome.com/release-notes/142), the browser restricts requests from websites to local IP addresses, including the Gateway initial resolved IP CGNAT range (`100.80.0.0/16`). Because this range falls within `100.64.0.0/10`, Chrome categorizes these addresses as belonging to a local network. When a website loaded from a public IP makes subrequests to a domain resolved through an initial resolved IP, Chrome treats this as a public-to-local network request and displays a prompt asking the user to allow access to devices on the local network. Chrome will block requests to these domains until the user accepts this prompt.

This commonly occurs when an Egress policy matches broadly used domains (such as `cloudfront.net` or `github.com`), causing subrequests from public pages to resolve to the `100.80.0.0/16` range.

#### Iframes

If the affected request originates from within an iframe (for example, an application embedded in a third-party portal), the iframe must declare the `local-network-access` permission for the browser prompt to appear in the parent frame:

* **Chrome 142-144**: Use the `allow="local-network-access"` attribute on the iframe element.
* **Chrome 145+**: The permission was split into `allow="local-network"` and `allow="loopback-network"`.

If iframes are nested, every iframe in the chain must include the appropriate attribute. Since third-party applications control their own iframe attributes, this may not be configurable by the end user.

#### Workarounds

To avoid this issue, choose one of the following options:

* **Override IP address space classification (Chrome 146+)**: Use the [LocalNetworkAccessIpAddressSpaceOverrides ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessIpAddressSpaceOverrides) Chrome Enterprise policy to reclassify the `100.80.0.0/16` range as public. This is the most targeted fix because it only changes the classification for the initial resolved IP range rather than disabling security checks entirely.
* **Allow specific URLs (Chrome 140+)**: Use the [LocalNetworkAccessAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessAllowedForUrls) Chrome Enterprise policy to exempt specific websites from Local Network Access checks. Note that `https://*` is a valid entry to disable checks for all URLs.
* **Allow specific URLs (Chrome 146+)**: Use the [LocalNetworkAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAllowedForUrls) Chrome Enterprise policy, which replaces `LocalNetworkAccessAllowedForUrls` starting in Chrome 146.
* **Opt out of Local Network Access restrictions (Chrome 142-152)**: Use the [LocalNetworkAccessRestrictionsTemporaryOptOut ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessRestrictionsTemporaryOptOut) Chrome Enterprise policy to completely opt out of Local Network Access restrictions. This is a temporary policy and will be removed after Chrome 152.
* **Disable the Chrome feature flag**: Go to `chrome://flags` and set the **Local Network Access Checks** flag to _Disabled_. This approach is suitable for individual users but not for enterprise-wide deployment.

---

---
title: Host selectors
description: Configure Host selectors in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Host selectors

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
| Traffic and DNS mode                                                                                                               | Enterprise                                                      |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2025.4.929.0           |
| macOS    | ✅            | 2025.4.929.0           |
| Linux    | ✅            | 2025.4.929.0           |
| iOS      | ✅            | 1.11                   |
| Android  | ✅            | 2.4.2                  |
| ChromeOS | ✅            | 2.4.2                  |

Egress policies are evaluated at [Layer 4 ↗](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) of the OSI model, where only IP addresses are available, not hostnames. The [Application](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#application), [Content Categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#content-categories), [Domain](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#domain), and [Host](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#host) selectors need to match traffic by hostname, so Gateway uses a two-step process:

1. When Gateway receives a DNS query for a hostname that matches one of these selectors, it initially resolves the query to a temporary IP in the `100.80.0.0/16` or `2606:4700:0cf1:4000::/64` range.
2. When traffic arrives with this temporary destination IP, Gateway can identify which hostname the connection belongs to, apply the correct egress policy, then replace the temporary IP with the real destination IP before forwarding the traffic.
![Example egress policy flow](https://developers.cloudflare.com/_astro/host-selector-diagram.MWSMsbT4_1rAw7C.webp) 

These selectors require additional configuration before they work.

## Turn on Host selectors

To turn on the selectors for your account:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Policy settings**, turn on **Allow egress policy host selectors**.

**API**

Use the [Patch Zero Trust account configuration](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/configurations/methods/edit/) endpoint to update your Zero Trust configuration. For example:

Patch Zero Trust account configuration

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "settings": {
        "host_selector": {
            "enabled": true
        }
    }
  }'
```

## Prerequisites

Traffic must be on-ramped to Gateway with the following methods:

| On-ramp method                                                                                                              | Compatibility |
| --------------------------------------------------------------------------------------------------------------------------- | ------------- |
| [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) | ✅             |
| [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)               | ✅             |
| [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)                             | ✅             |
| [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)                    | ❌             |
| [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/)                           | ✅             |

Traffic from unsupported on-ramp methods resolves using your default Gateway settings. If you use DNS locations to send DNS queries to Gateway (over IPv4, IPv6, DNS over TLS, or DNS over HTTPS), Gateway does not return the initial resolved IP and the host selectors do not apply.

### Configuration changes

To configure your Zero Trust organization to use Host selectors with Egress policies:

1. Make sure you deploy the following version of the Cloudflare One Client on your users' devices:
   * **Desktop**: [Cloudflare One Client version 2025.4.929.0](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) or later
   * **iOS**: [Cloudflare One Client version 1.11](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/#ios) or later
   * **Android and Chrome OS**: [Cloudflare One Client version 2.4.2](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/#android) or later.

   If you need to support devices running prior versions of WARP, add and deploy the following key-value pair to your devices' [WARP configuration file](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS):

   ```xml
   <array>
     <dict>
       <key>doh_in_tunnel</key>
       <true/>
     </dict>
   </array>
   ```
2. In your WARP [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/), configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) such that the initial resolved IPs route through the WARP tunnel. Configuration depends on your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode):
   * **Exclude mode**: Delete `100.64.0.0/10` from your Split Tunnels list. We recommend [adding back the IP ranges](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/#split-tunnel-configuration) that are not explicitly used for Cloudflare One services. This reduces the risk of conflicts with existing private network configurations that may use the CGNAT address space.
   * **Include mode**: Add Split Tunnel entries for the following IP addresses:
     * **IPv4**: `100.80.0.0/16`
     * **IPv6**: `2606:4700:0cf1:4000::/64`

The Cloudflare One Client must be set to _Traffic and DNS mode_ for traffic affected by these selectors to route correctly.
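To check a device profile against the Split Tunnels requirements above, here is an added Python helper (not Cloudflare's own code) that flags initial resolved ranges an Exclude or Include list would send around the tunnel and computes the CGNAT ranges to add back; the sample profiles are constructed, and as a simplifying assumption only `100.80.0.0/16` is carved out of the CGNAT block.

```python
# Added example (hypothetical helper, not Cloudflare's own code): verifies that a
# WARP device profile's Split Tunnels entries will route Gateway's initial
# resolved IP ranges through the tunnel, and classifies a DNS answer as one.
import ipaddress

# Ranges Gateway uses for initial resolved IPs (from this page).
INITIAL_RESOLVED_RANGES = (
    ipaddress.ip_network("100.80.0.0/16"),
    ipaddress.ip_network("2606:4700:0cf1:4000::/64"),
)
# The CGNAT block that Exclude-mode profiles carry by default.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_initial_resolved_ip(answer):
    """True if a resolved address means a Host selector matched the DNS query."""
    ip = ipaddress.ip_address(answer)
    return any(ip in net for net in INITIAL_RESOLVED_RANGES)


def _networks(entries):
    """Parse the CIDR entries of a Split Tunnels list; hostname entries are skipped."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # a hostname entry cannot cover an IP range
    return nets


def split_tunnel_problems(mode, entries):
    """Return (range, reason) pairs for initial resolved ranges that would bypass WARP.

    mode is "exclude" or "include"; entries are the profile's Split Tunnels
    entries as strings. An empty list means the configuration is compatible.
    """
    if mode not in ("exclude", "include"):
        raise ValueError(f"unknown Split Tunnels mode: {mode}")
    nets = _networks(entries)
    problems = []
    for rng in INITIAL_RESOLVED_RANGES:
        same_family = [n for n in nets if n.version == rng.version]
        if mode == "exclude":
            # Any exclusion that touches the range sends part of it around WARP.
            hits = [n for n in same_family if n.overlaps(rng)]
            if hits:
                problems.append((rng, f"excluded by {hits[0]}"))
        elif not any(rng.subnet_of(n) for n in same_family):
            problems.append((rng, "no Include entry covers it"))
    return problems


def cgnat_ranges_to_add_back():
    """Exclude-mode fix: the CGNAT block minus the IPv4 initial resolved range.

    Assumption: only 100.80.0.0/16 is carved out here; the reserved-IPs page
    linked above lists other Cloudflare One ranges to keep out of the list.
    """
    return sorted(CGNAT.address_exclude(INITIAL_RESOLVED_RANGES[0]))


# Constructed sample profiles, not exported from a real account.
DEFAULT_EXCLUDE_PROFILE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                           "100.64.0.0/10", "wiki.internal.example"]
FIXED_EXCLUDE_PROFILE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                         "wiki.internal.example"] + [str(n) for n in cgnat_ranges_to_add_back()]
INCLUDE_PROFILE = ["100.80.0.0/16", "2606:4700:0cf1:4000::/64", "app.internal.example"]

if __name__ == "__main__":
    for name, mode, entries in [("default exclude", "exclude", DEFAULT_EXCLUDE_PROFILE),
                                ("fixed exclude", "exclude", FIXED_EXCLUDE_PROFILE),
                                ("include", "include", INCLUDE_PROFILE)]:
        print(name, split_tunnel_problems(mode, entries) or "ok")
```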

## Known issues

### Google Chrome restricts local network access

Starting with [Chrome 142 ↗](https://developer.chrome.com/release-notes/142), the browser restricts requests from websites to local IP addresses, including the Gateway initial resolved IP CGNAT range (`100.80.0.0/16`). Because this range falls within `100.64.0.0/10`, Chrome categorizes these addresses as belonging to a local network. When a website loaded from a public IP makes subrequests to a domain resolved through an initial resolved IP, Chrome treats this as a public-to-local network request and displays a prompt asking the user to allow access to devices on the local network. Chrome will block requests to these domains until the user accepts this prompt.

This commonly occurs when an Egress policy matches broadly used domains (such as `cloudfront.net` or `github.com`), causing subrequests from public pages to resolve to the `100.80.0.0/16` range.

#### Iframes

If the affected request originates from within an iframe (for example, an application embedded in a third-party portal), the iframe must declare the `local-network-access` permission for the browser prompt to appear in the parent frame:

* **Chrome 142-144**: Use the `allow="local-network-access"` attribute on the iframe element.
* **Chrome 145+**: The permission was split into `allow="local-network"` and `allow="loopback-network"`.

If iframes are nested, every iframe in the chain must include the appropriate attribute. Since third-party applications control their own iframe attributes, this may not be configurable by the end user.

#### Workarounds

To avoid this issue, choose one of the following options:

* **Override IP address space classification (Chrome 146+)**: Use the [LocalNetworkAccessIpAddressSpaceOverrides ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessIpAddressSpaceOverrides) Chrome Enterprise policy to reclassify the `100.80.0.0/16` range as public. This is the most targeted fix because it only changes the classification for the initial resolved IP range rather than disabling security checks entirely.
* **Allow specific URLs (Chrome 140+)**: Use the [LocalNetworkAccessAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessAllowedForUrls) Chrome Enterprise policy to exempt specific websites from Local Network Access checks. Note that `https://*` is a valid entry to disable checks for all URLs.
* **Allow specific URLs (Chrome 146+)**: Use the [LocalNetworkAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAllowedForUrls) Chrome Enterprise policy, which replaces `LocalNetworkAccessAllowedForUrls` starting in Chrome 146.
* **Opt out of Local Network Access restrictions (Chrome 142-152)**: Use the [LocalNetworkAccessRestrictionsTemporaryOptOut ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessRestrictionsTemporaryOptOut) Chrome Enterprise policy to completely opt out of Local Network Access restrictions. This is a temporary policy and will be removed after Chrome 152.
* **Disable the Chrome feature flag**: Go to `chrome://flags` and set the **Local Network Access Checks** flag to _Disabled_. This approach is suitable for individual users but not for enterprise-wide deployment.

### DNS Override policies bypass host selectors

If a domain matches a [DNS Override policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#override), Gateway will not apply the initial resolved IP mapping for that domain. This means host-based egress selectors (Application, Content Categories, Domain, and Host) will not evaluate against traffic to the overridden domain. Traffic to these domains will use the default Cloudflare egress method.

### HTTPS DNS records not supported

Host selectors do not support HTTPS DNS record types. When a domain uses HTTPS records for connection establishment, Gateway cannot map the DNS query to a hostname for egress policy evaluation. Traffic to these domains will use the default Cloudflare egress method instead of matching a host-based egress policy.

If you need to apply egress policies to a domain that uses HTTPS records, use an IP-based selector (such as [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#destination-ip)) instead.


---

---
title: Enable IDS
description: Enable IDS in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---



# Enable IDS

Cloudflare's Intrusion Detection System (IDS) is a Cloudflare Advanced Network Firewall feature you can use to actively monitor for a wide range of known threat signatures in your traffic. An IDS expands the security coverage of a firewall to analyze traffic against a broader threat database, detecting a variety of sophisticated attacks such as ransomware, data exfiltration, and network scanning based on signatures or “fingerprints” in network traffic.

With Cloudflare's global anycast network, you get:

* The capacity of Cloudflare's entire global network as the capacity of your IDS.
* Built-in redundancy and failover. Every server runs Cloudflare's IDS software, and traffic is automatically attracted to the network location closest to its source.
* Continuous deployment of improvements to Cloudflare's IDS capabilities.

Refer to [Enable IDS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/enable-ids/#enable-ids) for more information on enabling IDS and creating new rulesets. After IDS is enabled, your traffic will be scanned to find malicious traffic. The detections are logged to destinations that can be configured from the dashboard. Refer to [IDS logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/ids-logs/) for instructions on configuring a destination to receive the detections. Additionally, all traffic that is analyzed can be accessed via [network analytics](https://developers.cloudflare.com/analytics/network-analytics/). Refer to [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-network-firewall/tutorials/graphql-analytics/) to query the analytics data.

Cloudflare's IDS takes advantage of the threat intelligence powered by our global network and extends the capabilities of the Cloudflare Firewall to monitor and protect your network from malicious actors.

## Enable IDS

You can enable IDS through the dashboard or via the API.

Note

This feature is available for Cloudflare Advanced Network Firewall users. For access, contact your account team.

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies**.
2. Select **Policy settings** and turn on **IDS**.

**API**

To start using IDS via the API, first create a new ruleset in the `magic_transit_ids_managed` phase with an enabled rule.

1. Follow the instructions on the [Ruleset Engine page](https://developers.cloudflare.com/ruleset-engine/basic-operations/view-rulesets/) to view all rulesets for your account. You should see a ruleset with phase `magic_transit_ids_managed` and kind `managed`. If not, contact your account team. The managed ruleset ID will be used in the next step.
2. Create a new root ruleset with a single rule in the `magic_transit_ids_managed` phase by running:

Terminal window

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "IDS Execute ruleset",
  "description": "Ruleset to enable IDS",
  "kind": "root",
  "phase": "magic_transit_ids_managed",
  "rules": [
    {
      "enabled": true,
      "expression": "true",
      "action": "execute",
      "description": "enable ids",
      "action_parameters": {
        "id": "${managed_ruleset_id}"
      }
    }
  ]
}'
```

With this ruleset added, IDS will start inspecting packets and report any anomalous traffic. Next, you can [configure Logpush](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/use-logpush-with-ids/) to start receiving details about the anomalous traffic.

3. Use the rule created in the previous step to enable or disable IDS. The Rulesets API documentation describes [how to patch a rule](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update-rule/).

   For example, the following patch request sets the `enabled` field to `false`, which disables IDS. The ruleset and rule ID from the ruleset created in the previous step are used below.

Terminal window

```sh
curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_ruleset_id}/rules/{rule_id} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "enabled": false,
  "expression": "true",
  "action": "execute",
  "action_parameters": {
    "id": "${managed_ruleset_id}"
  }
}'
```

Similarly, sending a patch request with the `enabled` field set to `true` will enable IDS.

## IDS rules

IDS rules are run on a subset of packets. IDS supports the following flows:

* Cloudflare WAN to Cloudflare WAN.
* Magic Transit ingress traffic (when egress traffic is handled through direct server return).
* Magic Transit ingress and egress traffic when Magic Transit has the [Egress option enabled](https://developers.cloudflare.com/reference-architecture/architectures/magic-transit/#magic-transit-with-egress-option-enabled).

## Next steps

You must configure Logpush to log detected risks. Refer to [Configure a Logpush destination](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/use-logpush-with-ids/) for more information. Additionally, all traffic that is analyzed can be accessed via [network analytics](https://developers.cloudflare.com/analytics/network-analytics/). Refer to [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-network-firewall/tutorials/graphql-analytics/) to query the analytics data.


---

---
title: Gateway policy expressions
description: Learn about the expression syntax used to build Gateway DNS, HTTP, Network, Egress, and Resolver policies.
image: https://developers.cloudflare.com/zt-preview.png
---


# Gateway policy expressions

Gateway policies use a wirefilter-based expression language to match traffic against selectors (criteria). This syntax is similar to, but distinct from, the [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/) used by WAF, Rules, and other Cloudflare products. Refer to [Gateway versus Ruleset Engine](#gateway-versus-ruleset-engine) for details on the differences.

Important

The [Ruleset Engine documentation](https://developers.cloudflare.com/ruleset-engine/rules-language/) does not apply to Gateway policies. Gateway has its own set of selectors and fields specific to Zero Trust traffic filtering. For available selectors, refer to the documentation for each policy type:

* [DNS policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#selectors)
* [HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#selectors)
* [Network policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#selectors)
* [Egress policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selectors)
* [Resolver policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#selectors)

## Expression syntax

Gateway expressions follow this pattern:

```
<field> <operator> <value>
```

For example:

```
dns.fqdn == "example.com"
http.request.host == "api.example.com"
identity.email == "user@company.com"
```

### Operators

Gateway supports the following operators:

| Operator  | Name                       | Example                                       |
| --------- | -------------------------- | --------------------------------------------- |
| `==`      | Equals                     | `dns.fqdn == "example.com"`                   |
| `!=`      | Does not equal             | `http.request.host != "blocked.com"`          |
| `in`      | Value is in set            | `net.dst.port in {80 443}`                    |
| `matches` | Matches regular expression | `http.request.host matches ".*\.example\.com"` |
| `>`       | Greater than               | `http.upload.file.size > 10`                  |
| `>=`      | Greater than or equal to   | `http.download.file.size >= 100`              |
| `<`       | Less than                  | `http.upload.file.size < 50`                  |
| `<=`      | Less than or equal to      | `http.download.file.size <= 200`              |

### Logical operators

Combine multiple conditions using logical operators:

| Operator | Name        | Example                                                             |
| -------- | ----------- | ------------------------------------------------------------------- |
| and      | Logical AND | dns.fqdn == "example.com" and identity.email == "admin@company.com" |
| or       | Logical OR  | net.dst.port == 80 or net.dst.port == 443                           |
| not      | Logical NOT | not(identity.email == "guest@company.com")                          |

## Array handling

Some Gateway fields return arrays (multiple values). Use the `any()` function to match if any element in the array meets the condition:

```
any(http.request.uri.content_category[*] in {17 85 102})
any(identity.groups[*].name in {"Engineering" "Security"})
any(http.request.domains[*] == "example.com")
```

The `[*]` notation indicates that the function should evaluate all elements in the array.

## List handling

You can reference [lists](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) in your expressions using the list UUID:

```
http.request.host in $<LIST_UUID>
any(http.request.domains[*] in $<LIST_UUID>)
```

To find a list's UUID, go to **My Team** \> **Lists** in Zero Trust and select the list. The UUID appears in the browser URL.

## Common field patterns

Each Gateway policy type has its own set of available fields. The following table shows the field prefixes used by each policy type:

| Policy type    | Field prefix      | Example fields                                                  |
| -------------- | ----------------- | --------------------------------------------------------------- |
| DNS            | `dns.`            | `dns.fqdn`, `dns.content_category`, `dns.src_ip`                |
| HTTP           | `http.`           | `http.request.host`, `http.request.uri`, `http.request.domains` |
| Network        | `net.`            | `net.dst.ip`, `net.dst.port`, `net.src.ip`                      |
| Identity       | `identity.`       | `identity.email`, `identity.groups`, `identity.name`            |
| Device posture | `device_posture.` | `device_posture.checks.passed`                                  |

For a complete list of available fields for each policy type, refer to the selectors documentation linked at the top of this page.

## Example expressions

### Block a domain in a DNS policy

```
dns.fqdn == "example.com"
```

### Block multiple content categories in an HTTP policy

```
any(http.request.uri.content_category[*] in {17 85 102})
```

### Allow traffic from a specific user group

```
any(identity.groups[*].name in {"Engineering"})
```

### Block traffic to a destination IP range in a Network policy

```
net.dst.ip in {10.0.0.0/8}
```

### Combine identity and traffic conditions

```
http.request.host == "internal.example.com" and identity.email matches ".*@company.com"
```

## Gateway versus Ruleset Engine

The following table summarizes the key differences between the [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/) (supported by the Ruleset Engine) and Gateway policy expressions:

|                     | Ruleset Engine                                                                     | Gateway                                                                                |
| ------------------- | ---------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
| **Products**        | WAF, Transform Rules, Cache Rules, Configuration Rules                             | DNS, HTTP, Network, Egress, Resolver policies                                          |
| **Field examples**  | `http.request.uri.path`, `cf.bot_management.score`, `ip.src`                       | `dns.fqdn`, `http.request.host`, `identity.email`                                      |
| **Identity fields** | Not available                                                                      | Available (for example, `identity.email`, `identity.groups`)                           |
| **DNS fields**      | Not available                                                                      | Available (for example, `dns.fqdn`, `dns.content_category`)                            |
| **Documentation**   | [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/) | [Traffic policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) |

Note

Do not reference the [Ruleset Engine fields reference](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/) when building Gateway policies. Gateway has its own field set documented on each policy type page.
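As an added example (not a Cloudflare tool), here is a small lint that applies the syntax rules above and the Ruleset Engine caveat to an expression string before it is deployed through the API or infrastructure-as-code; the allowed prefixes come from the field-prefix table above, and Egress and Resolver policy types are not covered.

```python
# Added example (hypothetical lint, not a Cloudflare tool): static checks for a
# Gateway expression string, catching the mistakes this page warns about before
# the expression is pushed through the API or infrastructure-as-code.
import re

# Field prefixes each policy type may use, from the field-prefix table above.
# Egress and Resolver policies are not covered by this example.
ALLOWED_PREFIXES = {
    "dns": ("dns.", "identity.", "device_posture."),
    "http": ("http.", "identity.", "device_posture."),
    "network": ("net.", "identity.", "device_posture."),
}
KEYWORDS = {"and", "or", "not", "in", "matches", "any"}
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
LIST_RE = re.compile(r"\$[\w-]+")
# A field name, optionally with the [*] array marker and a trailing .name path.
FIELD_RE = re.compile(r"(?<![\w$.])([A-Za-z_][\w.]*(?:\[\*\](?:\.[A-Za-z_]\w*)*)?)")
MATCHES_RE = re.compile(r'\bmatches\s*("(?:[^"\\]|\\.)*")')
IN_RE = re.compile(r"\bin\b\s*(\S?)")


def lint_expression(expr, policy_type):
    """Return a list of problems in a Gateway expression; an empty list is clean."""
    prefixes = ALLOWED_PREFIXES.get(policy_type)
    if prefixes is None:
        raise ValueError(f"unsupported policy type: {policy_type}")
    problems = []
    # Regular expressions after `matches` must compile.
    for m in MATCHES_RE.finditer(expr):
        try:
            re.compile(m.group(1)[1:-1])
        except re.error as err:
            problems.append(f"invalid regex after matches: {err}")
    # Blank out string literals and $list references so their contents are not
    # mistaken for fields or delimiters.
    stripped = LIST_RE.sub("$", STRING_RE.sub('""', expr))
    for pair in ("()", "{}"):
        if stripped.count(pair[0]) != stripped.count(pair[1]):
            problems.append(f"unbalanced {pair}")
    for m in IN_RE.finditer(stripped):
        if m.group(1) not in ("{", "$"):
            problems.append("'in' must be followed by a {...} set or a $<LIST_UUID>")
    for m in re.finditer(r"\{[^}]*\}", stripped):
        if "," in m.group(0):
            problems.append(f"set members are separated by spaces, not commas: {m.group(0)}")
    for m in FIELD_RE.finditer(stripped):
        field = m.group(1)
        if field in KEYWORDS:
            continue
        if not field.startswith(prefixes):
            problems.append(f"{field}: not a {policy_type} policy field "
                            "(Ruleset Engine fields such as ip.src or cf.* do not apply)")
        if "[*]" in field and not re.search(r"any\(\s*$", stripped[:m.start()]):
            problems.append(f"{field}: array fields must be wrapped in any(...)")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the page's own examples plus deliberately broken ones.
    for expr, kind in [('dns.fqdn == "example.com"', "dns"),
                       ("ip.src == 10.0.0.1", "network"),
                       ('http.request.domains[*] == "example.com"', "http"),
                       ("net.dst.port in {80, 443}", "network")]:
        print(f"{kind:8} {expr}\n         -> {lint_expression(expr, kind) or 'ok'}")
```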

## Related resources

* [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/)
* [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/)
* [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/)
* [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/)
* [Lists](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/)


---

---
title: Get started
description: Best practices for deploying Cloudflare Gateway traffic policies in phases.
image: https://developers.cloudflare.com/zt-preview.png
---


# Get started

This section covers best practices for setting up the following Gateway policy types:

* [ DNS filtering ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/)
* [ Network filtering ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/network/)
* [ HTTP filtering ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/)

For each type of policy, we recommend the following workflow:

1. Connect the devices and/or networks that you want to apply policies to.
2. Verify that Gateway is successfully proxying traffic from your devices.
3. Set up basic security and compatibility policies (recommended for most use cases).
4. Customize your configuration to the unique needs of your organization.

## Recommended deployment phases

Most organizations roll out Gateway in phases, starting with the lowest-effort, highest-impact policy type and adding deeper inspection over time.

### Phase 1: DNS filtering

DNS filtering requires the least deployment effort and provides immediate protection.

* Point your network DNS to Gateway's resolver addresses, or deploy the Cloudflare One Client in DNS-only mode.
* Block all [security threat categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) (malware, phishing, command and control).
* Block [content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories) that violate your acceptable use policy.
* Review [DNS logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) to gain visibility into Internet usage across your organization.

For setup instructions, refer to [Set up DNS filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/).

### Phase 2: Network policies

After DNS filtering is in place, add network-level controls for non-HTTP traffic.

* Deploy the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) and enable the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/) for TCP.
* Block traffic to high-risk IP ranges or restrict which ports and protocols users can access.
* Use [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) to identify applications by traffic pattern rather than port number.
* Enable network session logging for audit trails.

For setup instructions, refer to [Set up network filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/network/).

### Phase 3: HTTP inspection

HTTP inspection provides the deepest visibility and the most granular controls, but it requires additional setup.

* Install the [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on user devices.
* Enable [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) to inspect HTTPS traffic.
* Create [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies for applications that use certificate pinning.
* Block risky file types, enable [anti-virus scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), and configure [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to detect sensitive data.
* Use [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) to render high-risk sites in a remote browser.

For setup instructions, refer to [Set up HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/).

### Phase 4: Egress control and full integration

With all policy layers active, extend Gateway to cover your full network and integrate with other Cloudflare One services.

* Connect branch offices and data centers with [network tunnels](https://developers.cloudflare.com/cloudflare-one/networks/) (IPsec/GRE via Magic WAN).
* Configure [dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) so third-party services can identify your organization's traffic.
* Set up [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route internal DNS queries to your private DNS servers.
* Monitor SaaS application usage with [CASB](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/).

Note

You do not need to complete every phase. Choose the phases that match your organization's security requirements and deployment timeline.


---

---
title: DNS filtering
description: DNS filtering in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# DNS filtering

Secure Web Gateway allows you to inspect DNS traffic — the queries your devices make to translate domain names like `example.com` into IP addresses — and control which websites users can visit. Because every connection starts with a DNS lookup, DNS filtering blocks threats at the earliest stage of a connection, before the device ever reaches the destination. Use DNS policies to block malware domains, phishing sites, or entire content categories across your organization.

Note

For a more detailed guide to filtering DNS queries and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) implementation guide.

## 1. Connect to Gateway

You can filter DNS queries from individual devices (for example, employee laptops) or from entire network locations (for example, an office router). Choose the option that matches your deployment.

### Connect devices

To filter DNS requests from an individual device such as a laptop or phone:

1. [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) on your device. The Cloudflare One Client is a lightweight agent that routes the device's DNS queries through Cloudflare so Gateway can inspect and filter them.
2. [Enroll the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) in your organization's Zero Trust instance. Enrollment ties the device to your organization, so the client knows which Gateway policies to enforce.
3. (Optional) If you want to display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) instead of a generic browser error when a request is blocked, [install a Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device.

### Connect DNS locations

To filter DNS requests from a network location such as an office or data center without installing software on each device:

1. [Add the location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) to your Cloudflare One settings. A DNS location represents a network (such as an office) whose DNS queries you want to filter.
2. On your router, browser, or OS, change the DNS server setting to point to the Cloudflare address shown in the location setup UI. This forwards all DNS queries from that network through Gateway.

Note

Gateway identifies which location a query belongs to in different ways, depending on how the query arrives:

* **IPv4 queries** are sent to a Gateway resolver address shared by all customers, so Gateway matches the query to a location by the public source IP of your network. Under **Networks** > **Resolvers & Proxies** > **DNS locations**, verify that the **Source IPv4 Address** matches the public IP of the network you want to protect. If the network sits behind a dynamic or shared address (for example, carrier-grade NAT), IPv4 matching is unreliable and you should use one of the other methods.
* **IPv6, DNS over TLS (DoT), and DNS over HTTPS (DoH) queries** are sent to a resolver address or hostname that is unique to each location, so Gateway matches them by that destination rather than by source IP. Make sure your resolver is configured with the address or hostname shown for the location you want policies to apply to.

## 2. Verify device connectivity

To confirm that your device's DNS queries are flowing through Gateway:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Traffic settings**.
2. Under **Log traffic activity**, enable activity logging for all DNS logs.
3. On your device, open a browser and go to any website.
4. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Insights** > **Logs** > **DNS**.
5. Make sure DNS queries from your device appear.

## 3. Create your first DNS policy

A DNS policy has two parts: a **traffic condition** that defines which queries to match (for example, all queries to gambling sites) and an **action** that defines what to do with matching queries (for example, block them). To create a new DNS policy:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies**.
2. In the **DNS** tab, select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, use the condition builder to define which DNS queries this policy applies to. Select a selector (such as **Security Categories**), an operator (such as **in**), and one or more values.
5. Choose an **Action** to take when traffic matches the condition. For example, we recommend adding a policy to block all [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories):  
| Selector            | Operator | Value                | Action |  
| ------------------- | -------- | -------------------- | ------ |  
| Security Categories | in       | _All security risks_ | Block  |
6. Select **Create policy**.

**API**

1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions:  
| Type    | Item       | Permission |  
| ------- | ---------- | ---------- |  
| Account | Zero Trust | Edit       |
2. (Optional) Configure your API environment variables to include your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, the following request creates a policy that blocks all default [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories). The numeric IDs in the `traffic` field (such as `68`, `178`, `80`) correspond to Cloudflare's predefined security threat categories — refer to [domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) for the full mapping. The `precedence` field controls evaluation order when multiple policies match (`0` means this policy is evaluated first).  
Create a Zero Trust Gateway rule  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "Block security threats",  
    "description": "Block all default Cloudflare DNS security categories",  
    "precedence": 0,  
    "enabled": true,  
    "action": "block",  
    "filters": [  
        "dns"  
    ],  
    "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",  
    "identity": ""  
  }'  
```  
```  
{  
   "success": true,  
   "errors": [],  
   "messages": []  
}  
```  
The API will respond with a summary of the policy and the result of your request.

For more information, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/).
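Once the first DNS policy is active, the check a practitioner wants is confirmation from an enrolled device that the policy actually takes effect. The following script is an added example, not code from the Cloudflare documentation. It assumes Gateway's default block response for DNS (`0.0.0.0` for A queries and `::` for AAAA queries to a blocked domain); if you have turned on a custom block page the answer is the block page's address instead, and `SINKHOLE` must be adjusted. The resolver is injectable so the classification logic can be exercised without a network, and the domain names in `__main__` are placeholders.

```python
"""Check, from an enrolled device, which domains a Gateway DNS policy blocks.

Added example, not from the Cloudflare documentation. Assumes Gateway's default
block response for DNS (0.0.0.0 for A, :: for AAAA). With a custom block page
enabled the answer is the block page's address instead; adjust SINKHOLE.
"""
import socket
from typing import Callable, Iterable

# Answers Gateway returns for a blocked query (assumption: default block behaviour).
SINKHOLE = {"0.0.0.0", "::"}


def system_resolve(name: str) -> list[str]:
    """Resolve through the OS resolver, which the Cloudflare One Client routes to Gateway."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []  # NXDOMAIN, SERVFAIL or timeout: nothing resolvable
    return sorted({info[4][0] for info in infos})


def classify(addresses: list[str]) -> str:
    """blocked: every answer is a sinkhole; allowed: no sinkhole; mixed: some of each; none: no answer."""
    if not addresses:
        return "none"
    hits = sum(addr in SINKHOLE for addr in addresses)
    if hits == len(addresses):
        return "blocked"
    return "mixed" if hits else "allowed"


def check_domains(domains: Iterable[str],
                  resolve: Callable[[str], list[str]] = system_resolve) -> dict[str, str]:
    """Resolve each domain and classify the answer."""
    return {name: classify(resolve(name)) for name in domains}


def mismatches(expected: dict[str, str],
               resolve: Callable[[str], list[str]] = system_resolve) -> list[str]:
    """Compare expectations such as {'bad.example': 'blocked'} with what the device actually gets."""
    actual = check_domains(expected, resolve)
    return [f"{name}: expected {want}, got {actual[name]}"
            for name, want in expected.items() if actual[name] != want]


if __name__ == "__main__":
    # Placeholders: use a domain your policy should block and one it should allow.
    report = mismatches({"malware.example": "blocked", "intranet.example": "allowed"})
    for line in report or ["all expectations met"]:
        print(line)
```

Run it on the enrolled device after the policy has propagated; a `mixed` verdict usually means the device is getting answers from more than one resolver (for example, a local DNS cache or a VPN that bypasses the client), which is worth investigating before trusting the logs.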

## 4. Add optional policies

Once your first policy is active, refer to [common DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/common-policies) for other policies you may want to add. Common additions include blocking specific content categories (such as social media or streaming), enabling SafeSearch on search engines, and restricting DNS queries so devices can only use resolvers that you have approved.


---

---
title: HTTP filtering
description: HTTP filtering in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# HTTP filtering

Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit. DNS filtering can only block or allow entire domains (for example, all of `dropbox.com`). HTTP filtering goes deeper — it inspects full URLs and request content, so you can block a specific page like `dropbox.com/shared-folder`, scan file uploads for sensitive data, or enforce acceptable use policies based on what users are actually doing on a site.

Note

For a more detailed guide to filtering HTTP requests and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) implementation guide.

## 1. Connect to Gateway

HTTP filtering requires three components working together: the Cloudflare One Client routes device traffic through Cloudflare, a root certificate lets Gateway decrypt HTTPS traffic so it can inspect URLs and content, and the Gateway proxy enables Gateway to intercept and evaluate HTTP requests. Without the certificate, Gateway can only see the domain name — not the full URL or request body.

To filter HTTP requests from a device:

1. [Install the Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device.
2. [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device.
3. In the Cloudflare One Client Settings, log in to your organization's Cloudflare One instance.
4. [Enable the Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, enable the UDP proxy to also inspect QUIC traffic on port 443 — this covers HTTP/3, a newer protocol some browsers use by default.
5. To inspect HTTPS traffic, [enable TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption). TLS decryption allows Gateway to read encrypted requests. Without it, Gateway can see that a user visited `example.com` but not which specific page or what they uploaded.
6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/).

## 2. Verify device connectivity

To verify your device is connected to Cloudflare One and traffic is flowing through Gateway:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Traffic settings**.
2. Under **Log traffic activity**, enable activity logging for all HTTP logs.
3. On your device, open a browser and go to any website.
4. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Insights** > **Logs** > **HTTP**.
5. Make sure HTTP requests from your device appear.

After creating your first HTTP policy in the next step, you can test it by visiting a URL that your policy should block and confirming the request is denied.

## 3. Create your first HTTP policy

An HTTP policy defines which requests to match (for example, uploads to file-sharing sites) and the action to take (for example, block).

To create a new HTTP policy:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies**.
2. In the **HTTP** tab, select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have turned on TLS decryption, applications that pin or embed their own certificates (refer to [inspection limitations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations)), such as some Google products, will fail when Gateway intercepts their connections. Create a policy to bypass inspection for these applications:  
| Selector    | Operator | Value            | Action         |  
| ----------- | -------- | ---------------- | -------------- |  
| Application | in       | _Do Not Inspect_ | Do Not Inspect |  
Cloudflare also recommends adding a policy to block [known threats](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:  
| Selector            | Operator | Value                | Action |  
| ------------------- | -------- | -------------------- | ------ |  
| Security Categories | in       | _All security risks_ | Block  |
6. Select **Create policy**.

**API**

1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions:  
| Type    | Item       | Permission |  
| ------- | ---------- | ---------- |  
| Account | Zero Trust | Edit       |
2. (Optional) Configure your API environment variables to include your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, if you have turned on TLS decryption, applications that pin or embed their own certificates (refer to [inspection limitations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations)), such as some Google products, will fail when Gateway intercepts their connections. In the API, the Do Not Inspect action is spelled `off`, and the `app.type.ids` value `16` matches the built-in _Do Not Inspect_ application type used in the dashboard example. You can create a policy to bypass inspection for these applications:  
Create a Zero Trust Gateway rule  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "Do not inspect applications",  
    "description": "Bypass TLS decryption for unsupported applications",  
    "precedence": 0,  
    "enabled": true,  
    "action": "off",  
    "filters": [  
        "http"  
    ],  
    "traffic": "any(app.type.ids[*] in {16})",  
    "identity": "",  
    "device_posture": ""  
  }'  
```  
```  
{  
   "success": true,  
   "errors": [],  
   "messages": []  
}  
```  
The API will respond with a summary of the policy and the result of your request.  
Cloudflare also recommends adding a policy to block [known threats](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:  
Create a Zero Trust Gateway rule  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "Block known risks",  
    "description": "Block all default Cloudflare HTTP security categories",  
    "precedence": 0,  
    "enabled": true,  
    "action": "block",  
    "filters": [  
        "http"  
    ],  
    "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",  
    "identity": "",  
    "device_posture": ""  
  }'  
```

For more information, refer to [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/).
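After turning on TLS decryption and creating a Do Not Inspect policy, the useful check is whether the device really sees a Gateway-issued certificate for inspected sites and the origin's own certificate for bypassed ones. The script below is an added example, not code from the Cloudflare documentation. It relies on one assumption: `GATEWAY_ISSUER_MARKER` is a substring of the issuer name of the certificate you deployed (check the certificate shown in your dashboard and adjust it). The hostnames in `__main__` are placeholders, and the certificate dictionaries used to exercise the verdict logic are the shape returned by Python's `ssl` module, not captured data.

```python
"""Check whether Gateway is decrypting TLS for a host, from an enrolled device.

Added example, not from the Cloudflare documentation. With TLS decryption on
and the Cloudflare root certificate installed, the certificate the device
receives for an inspected site is issued by the Gateway CA rather than the
origin's public CA; hosts matched by a Do Not Inspect policy get the origin's
chain untouched. GATEWAY_ISSUER_MARKER is an assumption: set it to a substring
of the issuer name of the certificate you deployed.
"""
import socket
import ssl

GATEWAY_ISSUER_MARKER = "Cloudflare"  # assumption, see module docstring


def issuer_fields(cert: dict) -> dict[str, str]:
    """Flatten the issuer from ssl.SSLSocket.getpeercert() into {attribute: value}."""
    return {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}


def is_gateway_issued(cert: dict, marker: str = GATEWAY_ISSUER_MARKER) -> bool:
    """True when the issuer's organizationName or commonName contains the marker."""
    fields = issuer_fields(cert)
    return any(marker in fields.get(attr, "") for attr in ("organizationName", "commonName"))


def fetch_cert(host: str, port: int = 443) -> dict:
    """Return the parsed leaf certificate the device receives for host:port.

    Verification uses the trust store Python sees, so through Gateway this only
    succeeds when the Cloudflare root certificate is installed there; an
    ssl.SSLCertVerificationError is itself a sign that decryption is on but
    the root is missing for this trust store.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def inspection_verdict(cert: dict, expect_inspected: bool,
                       marker: str = GATEWAY_ISSUER_MARKER) -> str:
    """Compare what the device sees with what the policy should produce."""
    inspected = is_gateway_issued(cert, marker)
    issuer = issuer_fields(cert).get("commonName", "?")
    if inspected == expect_inspected:
        return f"ok: {'inspected' if inspected else 'not inspected'} (issuer {issuer})"
    if expect_inspected:
        return (f"mismatch: origin certificate seen (issuer {issuer}); TLS decryption off, "
                "Gateway proxy off, or the host matched a Do Not Inspect policy")
    return "mismatch: Gateway-issued certificate seen; the Do Not Inspect policy did not match this host"


if __name__ == "__main__":
    # Placeholders: one host you expect to be inspected, one you expect to be bypassed.
    for host, expected in (("example.com", True), ("accounts.google.com", False)):
        try:
            print(host, inspection_verdict(fetch_cert(host), expected))
        except ssl.SSLCertVerificationError as err:
            print(host, "verification failed (root certificate missing in this trust store?):", err.reason)
```

Note that Python may use its own CA bundle rather than the OS store, so a verification failure here does not always mean the browser is affected; the verdict on the issuer is the part that matters.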

## 4. Add optional policies

Refer to our list of [common HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/common-policies) for other policies you may want to create. Common additions include blocking file downloads by type, isolating risky websites in a [remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), and adding Do Not Inspect rules for applications that break under TLS decryption (for example, apps that use certificate pinning to enforce their own certificates). Do Not Inspect rules tell Gateway to skip decryption for specific destinations so those applications continue to work.


---

---
title: Network filtering
description: Network filtering in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Network filtering

Secure Web Gateway allows you to apply policies at the network level to control which websites and non-HTTP applications users can access. This is useful when you need to control traffic that is not web browsing — for example, blocking remote desktop connections or restricting file-transfer tools across your organization.

Network policies evaluate TCP and UDP traffic at the transport layer, matching on fields such as destination IP, port, protocol and the SNI of a TLS handshake, which means you can filter traffic that [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/) and [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) policies cannot reach. DNS policies only see domain lookups, and HTTP policies only see decrypted web requests; network policies can catch protocols like SSH (remote terminal access), RDP (remote desktop), and custom applications running on non-standard ports.

Note

For a more detailed guide to filtering network traffic and more for your organization, refer to the [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/concepts/) implementation guide.

## 1. Connect to Gateway

### Connect devices

To filter network traffic from a device such as a laptop or phone:

1. [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device.
2. In the Cloudflare One Client Settings, log in to your organization's Cloudflare One instance.
3. (Optional) If you want to display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) when users are blocked, [install the Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. Without the certificate, blocked users will see a generic browser connection error instead of an informative page.
4. [Enable the Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. The Gateway proxy is what routes your device's traffic through Cloudflare so network policies can inspect it — without it enabled, your policies will have no effect. Optionally, enable the UDP proxy to also inspect QUIC traffic (a newer protocol used by HTTP/3 connections) on port 443.

### Connect private networks

To filter traffic from private networks (internal corporate networks not exposed to the public Internet), refer to the [Cloudflare Tunnel guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).

## 2. Verify device connectivity

Verifying connectivity ensures that traffic from your device is actually flowing through Cloudflare before you build policies against it.

To verify your device is connected to Cloudflare One:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Traffic settings**.
2. Under **Log traffic activity**, enable activity logging for all Network logs. This tells Cloudflare to record network-level traffic so you can confirm your device appears in the logs.
3. On your Cloudflare One Client device, open a browser and visit any website. This generates traffic that should appear in the logs.
4. Determine the **Source IP** for your device (the address Cloudflare records as the source of your connection). Where to find it depends on the client version:  
   * **Version 2026.2 and later**: open the Cloudflare One Client, go to **Profile**, and note the **Client Interface IP**.  
   * **Version 2026.1 and earlier**: open the Cloudflare One Client, go to **Settings** (gear icon) > **Preferences** > **General**, and note the **Public IP**.  
   This is the address that will appear as the Source IP in your network logs.
5. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Insights** > **Logs** > **Network logs**. Before building network policies, make sure you see network logs from the Source IP assigned to your device.

If no logs appear after a few minutes, check two things: first, verify that the [Gateway proxy is turned on](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). Second, confirm that the device is enrolled in your Zero Trust organization by checking the Cloudflare One Client connection status.

## 3. Create your first network policy

A network policy has two parts: a matcher that selects which traffic to act on (for example, all packets destined for port 22, the default port for SSH) and an action that decides what to do with it (for example, block the connection).

To create a new network policy:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies**.
2. In the **Network** tab, select **Add a network policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
5. Choose an **Action** to take when traffic matches the logical expression. For example, you can use a list of [device serial numbers](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device/) to ensure users can only access an application if they connect with the Cloudflare One Client from a company device:  
| Selector                     | Operator | Value                   | Logic | Action |  
| ---------------------------- | -------- | ----------------------- | ----- | ------ |  
| SNI Domain                   | is       | internalapp.com         | And   | Block  |  
| Passed Device Posture Checks | not in   | _Device serial numbers_ |       |        |
6. Select **Create policy**.

**API**

1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions:  
| Type    | Item       | Permission |  
| ------- | ---------- | ---------- |  
| Account | Zero Trust | Edit       |
2. (Optional) Configure your API environment variables to include your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, you can use a list of [device serial numbers](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device/) to ensure users can only access an application if they connect with the Cloudflare One Client from a company device. Replace `LIST_UUID` with the ID of the serial number list you created; the `device_posture` expression blocks the connection whenever the device has not passed that posture check:  
Create a Zero Trust Gateway rule  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "Enforce device posture",  
    "description": "Ensure only devices in Zero Trust organization can connect to application",  
    "precedence": 0,  
    "enabled": true,  
    "action": "block",  
    "filters": [  
        "l4"  
    ],  
    "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",  
    "identity": "",  
    "device_posture": "not(any(device_posture.checks.passed[*] in {\"LIST_UUID\"}))"  
  }'  
```

```  
{  
   "success": true,  
   "errors": [],  
   "messages": []  
}  
```  
The API will respond with a summary of the policy and the result of your request.

For more information, refer to [network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/).
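The API tabs on the DNS, HTTP and network pages each show a single `POST` with `curl`, which is enough for a first try but creates a duplicate rule every time it is re-run. The script below is an added example, not Cloudflare's own tooling. It reuses the rule bodies from those three pages and adds what the `curl` calls leave out: a lookup of existing rules by name and filter type so a re-run updates (`PUT`) instead of duplicating (`POST`), and distinct precedence values so the Do Not Inspect rule is evaluated before the HTTP block rule (lower precedence runs first). The precedence numbers are a choice made here, `LIST_UUID` is the placeholder from the page and must be replaced with the ID of your device serial number list, and the `ACCOUNT_ID` and `CLOUDFLARE_API_TOKEN` environment variables are the ones the `curl` examples use. API calls go through a small client object so the plan can be computed and checked offline.

```python
"""Create or update the Gateway rules from the DNS, HTTP and network pages idempotently.

Added example, not Cloudflare's own tooling. Precedence values are a choice made
here (lower runs first); LIST_UUID is the page's placeholder for the ID of your
device serial number list.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
SECURITY_CATEGORIES = "{68 178 80 83 176 175 117 131 134 151 153}"  # IDs used on the pages


def desired_rules(list_uuid: str = "LIST_UUID") -> list[dict]:
    """Rule bodies from the three getting-started pages."""
    return [
        {"name": "Block security threats", "description": "Block all default Cloudflare DNS security categories",
         "precedence": 100, "enabled": True, "action": "block", "filters": ["dns"],
         "traffic": f"any(dns.security_category[*] in {SECURITY_CATEGORIES})", "identity": ""},
        {"name": "Do not inspect applications", "description": "Bypass TLS decryption for unsupported applications",
         "precedence": 100, "enabled": True, "action": "off", "filters": ["http"],
         "traffic": "any(app.type.ids[*] in {16})", "identity": "", "device_posture": ""},
        {"name": "Block known risks", "description": "Block all default Cloudflare HTTP security categories",
         "precedence": 200, "enabled": True, "action": "block", "filters": ["http"],
         "traffic": f"any(http.request.uri.security_category[*] in {SECURITY_CATEGORIES})",
         "identity": "", "device_posture": ""},
        {"name": "Enforce device posture",
         "description": "Ensure only devices in Zero Trust organization can connect to application",
         "precedence": 100, "enabled": True, "action": "block", "filters": ["l4"],
         "traffic": 'any(net.sni.domains[*] == "internalapp.com")', "identity": "",
         "device_posture": f'not(any(device_posture.checks.passed[*] in {{"{list_uuid}"}}))'},
    ]


class GatewayRulesClient:
    """Thin wrapper over /accounts/{id}/gateway/rules using only the standard library."""

    def __init__(self, account_id: str, token: str):
        self.base = f"{API}/accounts/{account_id}/gateway/rules"
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    def request(self, method: str, path: str = "", body: dict = None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=15) as resp:
            payload = json.load(resp)
        if not payload.get("success"):
            raise RuntimeError(f"{method} {path or '/'}: {payload.get('errors')}")
        return payload["result"]


def plan(existing: list[dict], desired: list[dict]) -> list[tuple[str, str, dict]]:
    """Return (operation, path, body) triples: create, update or skip per desired rule.

    A rule is matched by name plus filter type. Only the fields managed here are
    compared, so server-side fields such as id, version or timestamps never
    trigger a spurious update.
    """
    by_key = {(r["name"], tuple(r["filters"])): r for r in existing}
    ops = []
    for rule in desired:
        current = by_key.get((rule["name"], tuple(rule["filters"])))
        if current is None:
            ops.append(("create", "", rule))
        elif any(current.get(k) != v for k, v in rule.items()):
            ops.append(("update", f"/{current['id']}", rule))
        else:
            ops.append(("skip", f"/{current['id']}", rule))
    return ops


def apply(client, desired: list[dict]) -> list[tuple[str, str]]:
    """Execute the plan against the API and return (operation, rule name) pairs."""
    done = []
    for op, path, body in plan(client.request("GET"), desired):
        if op == "create":
            client.request("POST", body=body)
        elif op == "update":
            client.request("PUT", path, body=body)
        done.append((op, body["name"]))
    return done


if __name__ == "__main__":
    client = GatewayRulesClient(os.environ["ACCOUNT_ID"], os.environ["CLOUDFLARE_API_TOKEN"])
    for op, name in apply(client, desired_rules(os.environ.get("LIST_UUID", "LIST_UUID"))):
        print(op, name)
```

Because `plan` is separated from `apply`, you can print the plan from a read-only token before running it with an edit token, which is the same review step you would want for any change to a policy set that decides what every enrolled device can reach.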

## 4. Add optional policies

Refer to our list of [common network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/common-policies) for policies you may want to create. Common additions include blocking traffic to specific IP ranges, restricting access to non-standard ports (ports other than well-known ones like 80 for HTTP and 443 for HTTPS), and using protocol detection to identify applications like BitTorrent based on their traffic patterns rather than port numbers alone.


---

---
title: Global policies
description: Reference information for Global policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Global policies

Cloudflare Zero Trust applies a set of global policies to all accounts. These policies prevent you from accidentally blocking Cloudflare services that Zero Trust depends on, such as the dashboard, API, and client registration.

Zero Trust logs prepend an identifier to global policy names. For example, matches for the global policy **Allow Zero Trust Services** will appear in your logs with the name **Global Policy - Allow Zero Trust Services**.

The following policies are sorted by [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) within each policy type.

## DNS resolution policies

Gateway enforces global DNS and resolver policies before any other policies. This ensures the traffic is not blocked by user policies and gets resolved with Cloudflare's public DNS resolver, [1.1.1.1](https://developers.cloudflare.com/1.1.1.1/). Each global DNS policy evaluates traffic based on the domain in the query.

| Name                                                                                      | ID                                   | Value                                                                                                                                                 | Action  |
| ----------------------------------------------------------------------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| Allow DNS queries for cloudflareclient.com domain                                         | 00000001-e139-4a1b-90d5-698d8fa371e0 | cloudflareclient.com                                                                                                                                  | allow   |
| Resolve cloudflareclient.com through 1.1.1.1                                              | 00000001-e738-4554-823b-0b2c75af2c66 | cloudflareclient.com                                                                                                                                  | resolve |
| Allow DNS queries for content.browser.run domain                                          | 00000001-9bff-4d83-a9e4-e5ed321fe0b9 | content.browser.run                                                                                                                                   | allow   |
| Resolve content.browser.run through 1.1.1.1                                               | 00000001-0df5-472b-80c0-02888e7167ee | content.browser.run                                                                                                                                   | resolve |
| Allow DNS queries for edge.browser.run and cloudflarebrowser.com domains                  | 00000001-e2f1-4e99-bab3-91df88879587 | edge.browser.run and cloudflarebrowser.com                                                                                                            | allow   |
| Resolve edge.browser.run and cloudflarebrowser.com through 1.1.1.1                        | 00000001-b103-44c6-a114-7a784cdf3fb7 | edge.browser.run and cloudflarebrowser.com                                                                                                            | resolve |
| Allow DNS queries for help.teams.cloudflare.com and help.one.cloudflare.com domains       | 00000001-b2fc-46db-b0f1-69ef3553bd7a | help.teams.cloudflare.com and help.one.cloudflare.com                                                                                                 | allow   |
| Resolve help.teams.cloudflare.com and help.one.cloudflare.com through 1.1.1.1             | 00000001-ce13-486a-b006-ba0435ccb013 | help.teams.cloudflare.com and help.one.cloudflare.com                                                                                                 | resolve |
| Allow DNS queries for cloudflare-gateway.com domain                                       | 00000001-e83d-492b-995e-351970cd5e8e | cloudflare-gateway.com                                                                                                                                | allow   |
| Resolve cloudflare-gateway.com through 1.1.1.1                                            | 00000001-d9bc-4913-a2f5-905dbb3ecf9a | cloudflare-gateway.com                                                                                                                                | resolve |
| Allow DNS queries for cloudflarestatus.com domain                                         | 00000001-78da-4f8a-b9ee-76563f1ec46b | cloudflarestatus.com                                                                                                                                  | allow   |
| Resolve cloudflarestatus.com through 1.1.1.1                                              | 00000001-4d1d-43a3-9015-c49fc3a6da31 | cloudflarestatus.com                                                                                                                                  | resolve |
| Allow DNS queries for nel.cloudflare.com domain                                           | 00000001-af28-4afa-8987-eadc21187e14 | nel.cloudflare.com                                                                                                                                    | allow   |
| Resolve nel.cloudflare.com through 1.1.1.1                                                | 00000001-0034-45a0-8333-f339451fba46 | nel.cloudflare.com                                                                                                                                    | resolve |
| Allow DNS queries for api.cloudflare.com domain                                           | 00000001-5eea-4932-8dd5-8e1ec9770396 | api.cloudflare.com                                                                                                                                    | allow   |
| Resolve api.cloudflare.com through 1.1.1.1                                                | 00000001-4f0c-4f86-9b96-5d26123a194b | api.cloudflare.com                                                                                                                                    | resolve |
| Allow DNS queries for one.dash.cloudflare.com domain                                      | 00000001-0f75-48a9-b3e1-925a974d2b65 | one.dash.cloudflare.com                                                                                                                               | allow   |
| Resolve one.dash.cloudflare.com through 1.1.1.1                                           | 00000001-3d84-41a6-bc84-3014685c0d81 | one.dash.cloudflare.com                                                                                                                               | resolve |
| Allow DNS queries for one.dash.cloudflare.com domain                                      | 00000001-a9fd-40de-a662-51d3a3ae0ad8 | one.dash.cloudflare.com and one.dash.fed.cloudflare.com                                                                                               | allow   |
| Resolve one.dash.cloudflare.com through 1.1.1.1                                           | 00000001-70f2-4eea-b711-201bca434ed4 | one.dash.cloudflare.com and one.dash.fed.cloudflare.com                                                                                               | resolve |
| Allow DNS queries for dash.cloudflare.com domain                                          | 00000001-0c2a-4b31-8606-3e5a1d87c1bf | dash.cloudflare.com and dash.fed.cloudflare.com                                                                                                       | allow   |
| Resolve dash.cloudflare.com through 1.1.1.1                                               | 00000001-c47f-41f3-b234-d66c82b8d422 | dash.cloudflare.com and dash.fed.cloudflare.com                                                                                                       | resolve |
| Allow DNS queries for cloudflareportal.com, cloudflareok.com and cloudflarecp.com domains | 00000001-1c6c-4793-b48f-799eee6e0e31 | cloudflareportal.com, cloudflareok.com, and cloudflarecp.com                                                                                          | allow   |
| Resolve cloudflareportal.com, cloudflareok.com and cloudflarecp.com through 1.1.1.1       | 00000001-8c35-4d7d-9dbb-cb7350375b7b | cloudflareportal.com, cloudflareok.com, and cloudflarecp.com                                                                                          | resolve |
| Allow DNS queries for cloudflareaccess.com domain                                         | 00000001-d738-4dad-bac4-1a50201d9503 | cloudflareaccess.com                                                                                                                                  | allow   |
| Resolve cloudflareaccess.com through 1.1.1.1                                              | 00000001-4404-4572-80f6-f7b098909460 | cloudflareaccess.com                                                                                                                                  | resolve |
| Allow DNS queries for blocked.teams.cloudflare.com domain                                 | 00000001-76f4-4438-b8ab-a9da53f4a2f1 | blocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.com                                                                                     | allow   |
| Resolve blocked.teams.cloudflare.com through 1.1.1.1                                      | 00000001-af3c-458f-aeb2-b3bb5d3fe1d5 | blocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.com                                                                                     | resolve |
| Allow DNS queries for developers.cloudflare.com domain                                    | 00000001-4263-4808-8457-4d4329c91f66 | developers.cloudflare.com                                                                                                                             | allow   |
| Resolve developers.cloudflare.com through 1.1.1.1                                         | 00000001-9f91-4462-9270-78beca5b4dbc | developers.cloudflare.com                                                                                                                             | resolve |
| Allow DNS queries for speed.cloudflare.com domain                                         | 00000001-4fc0-4286-b783-6c442adda171 | speed.cloudflare.com                                                                                                                                  | allow   |
| Resolve speed.cloudflare.com through 1.1.1.1                                              | 00000001-ec51-4471-9e78-bd47d46a3002 | speed.cloudflare.com                                                                                                                                  | resolve |
| Allow DNS requests to browser-rendered Access Apps                                        | 00000001-1232-4a9f-a165-1e8ed59483c4 | \*.zero-trust-apps.cfdata.org, \*.zero-trust-apps-staging.cfdata.org, \*.zero-trust-apps.fed.cfdata.org, or \*.zero-trust-apps-staging.fed.cfdata.org | allow   |
| Resolve browser-rendered Access Apps domains through 1.1.1.1                              | 00000001-9461-43c7-ba63-d0fdf9376bd4 | \*.zero-trust-apps.cfdata.org, \*.zero-trust-apps-staging.cfdata.org, \*.zero-trust-apps.fed.cfdata.org, or \*.zero-trust-apps-staging.fed.cfdata.org | resolve |

## Network proxy policies

| Name                                                | ID                                   | Criteria | Value                                                                                                                                                                                                                                                                                                                                                                      | Action | Description                                                                                                                                                                                    |
| --------------------------------------------------- | ------------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Allow CF Network Error Logging L4                   | 00000001-e4af-4b82-8f8c-c79c1d5d212e | Hostname | \*.nel.cloudflare.com                                                                                                                                                                                                                                                                                                                                                      | allow  | Allows SNI domains for Cloudflare One Client registration.                                                                                                                                     |
| Allow CF Client                                     | 00000001-8c3d-4e27-a01b-af8418000077 | Hostname | \*.cloudflareclient.com and \*.fed.cloudflareclient.com                                                                                                                                                                                                                                                                                                                    | allow  | Allows Zero Trust client.                                                                                                                                                                      |
| Allow Gateway Proxy PAC                             | 00000001-776e-438d-9856-987d7053762b | Hostname | \*.cloudflare-gateway.com and \*.fed.cloudflare-gateway.com                                                                                                                                                                                                                                                                                                                | allow  | Allows Gateway proxy with [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/).                                                       |
| Allow Zero Trust Services                           | 00000001-e1e8-421b-a0fe-895397489f28 | Hostname | one.dash.cloudflare.com, help.teams.cloudflare.com, blocked.teams.cloudflare.com, blocked.teams.fed.cloudflare.com, api.cloudflare.com, api.fed.cloudflare.com, cloudflarestatus.com, www.cloudflarestatus.com, one.dash.cloudflare.com, one.dash.fed.cloudflare.com, help.one.cloudflare.com, dash.cloudflare.com, dash.fed.cloudflare.com, and developers.cloudflare.com | allow  | Allows Cloudflare Zero Trust services.                                                                                                                                                         |
| Allow Access Apps L4                                | 00000001-daa2-41e2-8a88-698af4066951 | Hostname | \*.cloudflareaccess.com and \*.fed.cloudflareaccess.com                                                                                                                                                                                                                                                                                                                    | allow  | Allows [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) applications.                                                                           |
| Allow HTTP requests to browser-rendered Access Apps | 00000001-1f93-4476-8f92-9aa4407d1c5f | Hostname | \*.zero-trust-apps.cfdata.org, \*.zero-trust-apps-staging.cfdata.org, \*.zero-trust-apps.fed.cfdata.org, or \*.zero-trust-apps-staging.fed.cfdata.org                                                                                                                                                                                                                      | allow  | Allows Cloudflare Access terminal applications [rendered in a browser](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/#ssh-and-vnc). |

## HTTP inspection policies

| Name                                   | ID                                   | Criteria         | Value                                                                                                                                     | Action    | Description                                                                                                                                              |
| -------------------------------------- | ------------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Prevent Account Change Block           | 00000001-d1f2-461a-8253-501c8d882a15 | Hostname         | \*.cloudflareclient.com and \*.fed.cloudflareclient.com; not notifications.cloudflareclient.com or notifications.fed.cloudflareclient.com | bypass    | Ensures users cannot accidentally block themselves from making account changes.                                                                          |
| Bypass RBI Assets                      | 00000001-df61-4068-aa6c-0f684c3cd4e6 | Hostname         | \*.content.browser.run                                                                                                                    | bypass    | Required for [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/).                                            |
| Inspect RBI Urls                       | 00000001-3faa-4f59-98d4-0f6d6af4b6d0 | Hostname         | \*.edge.browser.run and \*.cloudflarebrowser.com                                                                                          | bypass    | Required for Browser Isolation.                                                                                                                          |
| Allow Gateway Help Page                | 00000001-8e9a-4429-b3c2-d267d0ce6114 | Hostname         | help.teams.cloudflare.com and help.one.cloudflare.com                                                                                     | allow     | Used by the Cloudflare One Client to check if Gateway is on by inspecting the certificate and checking if it is properly installed on the client device. |
| Allow Gateway Services                 | 00000001-346f-4710-b444-eb62e369b5f7 | Capability       | Gateway Block Page                                                                                                                        | allow     | Ensures HTTP requests to render the Gateway block page are always allowed.                                                                               |
| Bypass Gateway DNS                     | 00000001-d9c0-46b0-8704-2ea5b9d7bdfc | Hostname         | \*.cloudflare-gateway.com and \*.fed.cloudflare-gateway.com                                                                               | bypass    | Ensures requests to the cloudflare-gateway.com DNS endpoint will not be inspected.                                                                       |
| Bypass CF Status                       | 00000001-5399-4b71-a9fc-d4d90ccf0758 | Hostname         | \*.cloudflarestatus.com                                                                                                                   | bypass    | Bypasses cloudflarestatus.com so users can reach the status page in case of a Gateway outage.                                                            |
| Bypass CF Network Error Logging        | 00000001-dfe0-4737-8d1e-8191e8f637df | Hostname         | \*.nel.cloudflare.com                                                                                                                     | bypass    | Bypasses \*.nel.cloudflare.com for Cloudflare's network error logging feature.                                                                           |
| Bypass CF API                          | 00000001-a424-43fb-b1f1-d3eb35ed7ddd | Hostname         | api.cloudflare.com and api.fed.cloudflare.com                                                                                             | bypass    | Bypasses Cloudflare's API endpoint.                                                                                                                      |
| Prevent ZT Dashboard Lockout           | 00000001-d38e-42db-96fe-60613b6b308f | Hostname         | dash.teams.cloudflare.com, one.dash.cloudflare.com, and one.dash.fed.cloudflare.com                                                       | bypass    | Prevents users from being locked out of the Zero Trust dashboard.                                                                                        |
| Bypass CF Dashboard                    | 00000001-d343-4ded-908e-b3fe43c5e61e | Hostname         | \*.dash.cloudflare.com and \*.dash.fed.cloudflare.com                                                                                     | bypass    | Bypasses the Cloudflare dashboard and subdomains.                                                                                                        |
| Bypass Zero Trust Captive Portal Sites | 00000001-8b62-4367-919e-5c160a06ddf7 | Hostname         | cloudflareportal.com, cloudflareok.com, and cloudflarecp.com                                                                              | bypass    | Bypasses the Zero Trust captive portal detection sites.                                                                                                  |
| Bypass OCSP                            | 00000001-34ce-47c7-ad0f-199f46eba194 | Application      | Online Certificate Status Protocol                                                                                                        | bypass    | Enables OCSP stapling.                                                                                                                                   |
| Allow Access Apps L7                   | 00000001-8d6b-4951-8a18-3bbc9010976c | Hostname         | \*.cloudflareaccess.com and \*.fed.cloudflareaccess.com                                                                                   | allow     | Allows Cloudflare Access applications.                                                                                                                   |
| Prevent Block Page Loop                | 00000001-48b1-4ade-93c1-f0f3759dc19c | Hostname         | blocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.com                                                                         | bypass    | Prevents an infinite loop on the Gateway block page.                                                                                                     |
| Always Blocked Categories              | 00000001-bed5-462e-b0f1-2e2c3555e9f7 | Content Category | [Child Abuse category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#category-and-subcategory-ids) | block     | Blocks child abuse materials (CSAM).                                                                                                                     |
| Don't Isolate RBI Help Pages           | 00000001-1a18-431f-9c9d-bce431f1002a | Hostname         | developers.cloudflare.com and help.cloudflarebrowser.com                                                                                  | noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues.                                  |
| Don't AV Scan CF Speed                 | 00000001-c194-408f-87dd-9a366ce76e12 | Hostname         | speed.cloudflare.com                                                                                                                      | noscan    | Allows files transferred by the Cloudflare speed test.                                                                                                   |
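The practical consequence of the enforcement order described at the top of this page is that a user-defined DNS block policy can never shadow a global one: a rule that blocks `cloudflare.com` still lets `api.cloudflare.com` resolve through 1.1.1.1. The following model, added here as an illustration and not part of Cloudflare's code, encodes a subset of the global DNS table above and evaluates a query against it before any user policy. The matching rules (a bare domain matches itself and its subdomains, a `*.` entry matches anything at least one label below it) and the shape of the user-policy tuples are assumptions of this model.

```python
"""Model of Gateway's DNS order of enforcement: global DNS policies are
evaluated before any user policy, so a user block rule cannot shadow them.
Illustrative model only, not Gateway's implementation."""

# Global DNS policies copied from the table above (a representative subset).
# Each domain set appears twice: an "allow" policy and a paired "resolve" policy.
GLOBAL_DNS_POLICIES = [
    ({"cloudflareclient.com"}, "allow"),
    ({"cloudflareclient.com"}, "resolve"),
    ({"api.cloudflare.com"}, "allow"),
    ({"api.cloudflare.com"}, "resolve"),
    ({"one.dash.cloudflare.com", "one.dash.fed.cloudflare.com"}, "allow"),
    ({"one.dash.cloudflare.com", "one.dash.fed.cloudflare.com"}, "resolve"),
    ({"*.zero-trust-apps.cfdata.org", "*.zero-trust-apps-staging.cfdata.org",
      "*.zero-trust-apps.fed.cfdata.org", "*.zero-trust-apps-staging.fed.cfdata.org"}, "allow"),
    ({"*.zero-trust-apps.cfdata.org", "*.zero-trust-apps-staging.cfdata.org",
      "*.zero-trust-apps.fed.cfdata.org", "*.zero-trust-apps-staging.fed.cfdata.org"}, "resolve"),
]

PUBLIC_RESOLVER = "1.1.1.1"  # the global "resolve" policies send the query here


def domain_matches(query: str, pattern: str) -> bool:
    """Assumed matching model: a bare domain matches itself and its subdomains;
    a '*.' pattern matches any name with at least one label below the suffix."""
    q = query.rstrip(".").lower()
    p = pattern.lower()
    if p.startswith("*."):
        return q.endswith(p[1:])          # p[1:] is ".suffix", so the apex itself does not match
    return q == p or q.endswith("." + p)


def evaluate_dns(query: str, user_policies) -> dict:
    """Decide one DNS query.

    user_policies: list of (name, domains, action) tuples already sorted by
    precedence, action being "allow" or "block" (constructed format).
    Global policies are tried first: the "allow" fixes the action and the
    paired "resolve" switches the resolver to 1.1.1.1.
    """
    decision = None
    for domains, action in GLOBAL_DNS_POLICIES:
        if not any(domain_matches(query, d) for d in domains):
            continue
        decision = decision or {"action": "allow", "resolver": "gateway", "matched": "global"}
        if action == "resolve":
            decision["resolver"] = PUBLIC_RESOLVER
    if decision:
        return decision
    for name, domains, action in user_policies:
        if any(domain_matches(query, d) for d in domains):
            return {"action": action, "resolver": "gateway", "matched": name}
    return {"action": "allow", "resolver": "gateway", "matched": "default"}


if __name__ == "__main__":
    # Constructed user policy that would lock the client out if it were evaluated first.
    overbroad = [("Block all Cloudflare", {"cloudflare.com"}, "block")]
    for q in ("api.cloudflare.com", "www.cloudflare.com", "ssh.zero-trust-apps.cfdata.org"):
        print(q, evaluate_dns(q, overbroad))
```

Running the module prints the decision for three constructed queries: the client registration and dashboard names stay reachable through 1.1.1.1 while the overbroad user block still applies to `www.cloudflare.com`.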


---

---
title: HTTP policies
description: Configure HTTP policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# HTTP policies

Note

To use HTTP policies, install a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/).

HTTP policies allow you to filter all HTTP and HTTPS requests based on URLs, hostnames, HTTP methods, file types, and other request attributes. Unlike [network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), which operate at Layer 4 (TCP/UDP), HTTP policies operate at Layer 7 and can inspect the full content of web traffic.

By default, Gateway inspects HTTP traffic on port `80` and, with [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) turned on, HTTPS traffic on port `443`. You can also configure Gateway to [inspect HTTP/HTTPS traffic on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). Gateway supports HTTP/3 inspection with the [UDP proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/) turned on.

An HTTP policy consists of an **Action** and a logical expression that determines the scope of the policy. To build an expression, choose a **Selector** and an **Operator**, then enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions.

* [Actions](#actions)
* [Selectors](#selectors)
* [Comparison operators](#comparison-operators)
* [Value](#value)
* [Logical operators](#logical-operators)

If a condition in an expression joins a query attribute (such as _Source IP_) and a response attribute (such as _Resolved IP_), then the condition will be evaluated when the response is received.

Terraform provider v4 precedence limitation

To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint.

To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade).
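The hashed precedence described above is easy to spot in the output of the list-rules endpoint: the stored value starts with the digits you configured and then carries extra digits. The script below, added as an example and not Cloudflare's own tooling, compares listed rules against the precedences you intended and builds the request for the Update a Zero Trust Gateway rule endpoint (`PUT /accounts/{account_id}/gateway/rules/{rule_id}`). The sample rules are constructed, the set of read-only fields dropped from the update body is an assumption, and so is the assumption that the endpoint expects the full rule rather than a partial patch; `dry_run` keeps everything offline.

```python
"""Detect Terraform v4 hashed precedences in Gateway rules and prepare the
update requests that reset them. Added example, not Cloudflare's tooling."""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Fields the API reports but (assumption) does not accept back in an update body.
READ_ONLY_FIELDS = {"id", "created_at", "updated_at", "deleted_at", "version"}

# Constructed sample of what the list endpoint returns, trimmed to the fields
# used here. The first rule shows the hashing from the note above: the intended
# precedence 1000 became 1000901. The second rule was set by hand and is fine.
SAMPLE_RULES = [
    {"id": "11111111-1111-4111-8111-111111111111", "name": "Block Google Drive uploads",
     "action": "block", "filters": ["http"], "enabled": True,
     "traffic": "<traffic expression omitted>", "precedence": 1000901},
    {"id": "22222222-2222-4222-8222-222222222222", "name": "Allow Education",
     "action": "allow", "filters": ["http"], "enabled": True,
     "traffic": "<traffic expression omitted>", "precedence": 2000},
]


def looks_hashed(actual: int, intended: int) -> bool:
    """The v4 provider appends digits to the intended value (1000 -> 1000901):
    a hashed precedence starts with the intended one but is not equal to it."""
    a, i = str(actual), str(intended)
    return a != i and a.startswith(i)


def plan_precedence_fixes(rules, intended):
    """Return (rule_id, body, reason) triples for the update endpoint.

    intended maps rule name -> the precedence you wanted. Rules whose stored
    precedence already equals the intended one are skipped; for the others the
    body is the listed rule with read-only fields dropped and precedence replaced.
    """
    fixes = []
    for rule in rules:
        want = intended.get(rule["name"])
        if want is None or rule["precedence"] == want:
            continue
        body = {k: v for k, v in rule.items() if k not in READ_ONLY_FIELDS}
        body["precedence"] = want
        reason = "hashed precedence" if looks_hashed(rule["precedence"], want) else "precedence drift"
        fixes.append((rule["id"], body, reason))
    return fixes


def apply_fixes(account_id, api_token, fixes, dry_run=True):
    """Build (and, unless dry_run, send) one PUT per fix; returns what was built."""
    built = []
    for rule_id, body, _reason in fixes:
        url = f"{API_BASE}/accounts/{account_id}/gateway/rules/{rule_id}"
        req = urllib.request.Request(
            url, method="PUT", data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})
        built.append((req.get_method(), req.full_url, body["precedence"]))
        if not dry_run:
            with urllib.request.urlopen(req) as resp:   # raises HTTPError on non-2xx
                json.load(resp)
    return built


if __name__ == "__main__":
    intended = {"Block Google Drive uploads": 1000, "Allow Education": 2000}
    plan = plan_precedence_fixes(SAMPLE_RULES, intended)
    for rule_id, body, reason in plan:
        print(f"{rule_id}: {reason}, resetting to {body['precedence']}")
    # Placeholders, not real credentials; dry_run=True never talks to the API.
    print(apply_fixes("ACCOUNT_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER", plan))
```

To use it against a real account, replace `SAMPLE_RULES` with the `result` array from the list-rules response and pass `dry_run=False` with a token scoped to Zero Trust Gateway rules; the plan step alone is enough to audit whether any precedence was rewritten.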

## Actions

Actions in HTTP policies allow you to choose what to do with a given set of elements (domains, IP addresses, file types, and so on). You can assign one action per policy.

### Allow

API value: `allow`

Available selectors

**Traffic**

* [Access Infrastructure Target](#access-infrastructure-target)
* [Access Private App](#access-private-app)
* [Application](#application)
* [Content Categories](#content-categories)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [DLP Profile](#dlp-profile)
* [Domain](#domain)
* [Download File Types](#download-and-upload-file-types)
* [Download Mime Type](#download-and-upload-mime-type)
* [Host](#host)
* [HTTP Method](#http-method)
* [HTTP Response](#http-response)
* [Proxy Endpoint](#proxy-endpoint)
* [Security Categories](#security-risks)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [Upload File Types](#download-and-upload-file-types)
* [Upload Mime Type](#download-and-upload-mime-type)
* [URL](#url)
* [URL Path](#url-path)
* [URL Path & Query](#url-path-and-query)
* [URL Query](#url-query)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

The Allow action allows outbound traffic to reach destinations you specify within the [Selectors](#selectors) and [Value](#value) fields. For example, the following configuration allows traffic to reach all websites we categorize as belonging to the Education content category:

| Selector           | Operator | Value       | Action |
| ------------------ | -------- | ----------- | ------ |
| Content Categories | in       | _Education_ | Allow  |

#### Untrusted certificates

The **Untrusted certificate action** determines how to handle insecure requests.

| Option       | Action                                                                                                                                                                                                                                                                                    |
| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Error        | Display Gateway error page. Matches the default behavior when no action is configured.                                                                                                                                                                                                    |
| Block        | Display [block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) as set in the Cloudflare dashboard.                                                                                                                           |
| Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. For more information on what statuses are bypassed, refer to [Troubleshooting Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/#error-526-invalid-ssl-certificate). |

### Block

API value: `block`

Available selectors

**Traffic**

* [Access Infrastructure Target](#access-infrastructure-target)
* [Access Private App](#access-private-app)
* [Application](#application)
* [Content Categories](#content-categories)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [DLP Profile](#dlp-profile)
* [Domain](#domain)
* [Download File Types](#download-and-upload-file-types)
* [Download Mime Type](#download-and-upload-mime-type)
* [Host](#host)
* [HTTP Method](#http-method)
* [HTTP Response](#http-response)
* [Proxy Endpoint](#proxy-endpoint)
* [Security Categories](#security-risks)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [Upload File Types](#download-and-upload-file-types)
* [Upload Mime Type](#download-and-upload-mime-type)
* [URL](#url)
* [URL Path](#url-path)
* [URL Path & Query](#url-path-and-query)
* [URL Query](#url-query)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

The Block action blocks outbound traffic from reaching destinations you specify within the [Selectors](#selectors) and [Value](#value) fields. For example, the following configuration blocks users from being able to upload any file type to Google Drive:

| Selector         | Operator      | Value        | Logic | Action |
| ---------------- | ------------- | ------------ | ----- | ------ |
| Application      | in            | Google Drive | And   | Block  |
| Upload Mime Type | matches regex | .\*          |       |        |
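The Allow and Block tables above are each an action plus a selector/operator/value expression joined with a logical operator. The evaluator below, added as an illustration and not Cloudflare's code, encodes both worked examples as data and runs constructed requests through them in precedence order (lower value first), which makes one edge case visible: the Block rule's `Upload Mime Type matches regex .*` condition only fires when the request actually carries an upload, so a plain GET to Google Drive is not blocked. The operator semantics, the request dictionary format and the rule that an absent selector never matches are assumptions of this model, not a specification of Gateway's matching engine.

```python
"""Local model of HTTP policy evaluation: action + selector/operator/value
conditions joined with And/Or, first match in precedence order wins.
Added example; operator semantics are this model's assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Condition:
    selector: str   # e.g. "Application", "Upload Mime Type", "Content Categories"
    operator: str   # "in", "not in", "is", "is not", "matches regex"
    value: object   # a set for in / not in, a string otherwise


@dataclass
class HttpPolicy:
    name: str
    action: str             # "allow", "block", ...
    conditions: list        # Condition objects
    logic: str = "And"      # how the conditions are joined: "And" or "Or"
    precedence: int = 0     # lower value is evaluated first


def condition_matches(cond: Condition, request: dict) -> bool:
    actual = request.get(cond.selector)
    if actual is None:
        # Assumption of this model: a selector the request does not carry
        # (Upload Mime Type on a GET, for example) does not match anything.
        return False
    values = set(actual) if isinstance(actual, (set, list, tuple)) else {actual}
    if cond.operator == "in":
        return any(v in cond.value for v in values)
    if cond.operator == "not in":
        return all(v not in cond.value for v in values)
    if cond.operator == "is":
        return actual == cond.value
    if cond.operator == "is not":
        return actual != cond.value
    if cond.operator == "matches regex":
        return any(re.search(cond.value, str(v)) for v in values)
    raise ValueError(f"unknown operator {cond.operator!r}")


def policy_matches(policy: HttpPolicy, request: dict) -> bool:
    results = [condition_matches(c, request) for c in policy.conditions]
    return all(results) if policy.logic == "And" else any(results)


def evaluate_http(request: dict, policies, default="allow"):
    """Return (action, policy name) of the first matching policy, else (default, None)."""
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy_matches(policy, request):
            return policy.action, policy.name
    return default, None


# The two worked examples from the text, expressed as policies.
POLICIES = [
    HttpPolicy("Block uploads to Google Drive", "block",
               [Condition("Application", "in", {"Google Drive"}),
                Condition("Upload Mime Type", "matches regex", ".*")], "And", 1000),
    HttpPolicy("Allow Education", "allow",
               [Condition("Content Categories", "in", {"Education"})], "And", 2000),
]

# Constructed sample requests (selector name -> attribute value).
UPLOAD_TO_DRIVE = {"Application": "Google Drive", "Host": "drive.google.com",
                   "HTTP Method": "POST", "Upload Mime Type": "image/png"}
BROWSE_DRIVE = {"Application": "Google Drive", "Host": "drive.google.com", "HTTP Method": "GET"}
EDU_SITE = {"Host": "www.example.edu", "HTTP Method": "GET", "Content Categories": {"Education"}}

if __name__ == "__main__":
    for label, req in (("upload", UPLOAD_TO_DRIVE), ("browse", BROWSE_DRIVE), ("edu", EDU_SITE)):
        print(label, evaluate_http(req, POLICIES))
```

Swapping `logic` to `"Or"` on the Block policy shows why the table joins the two conditions with And: with Or, the Application condition alone would block every request to Google Drive, uploads or not.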

#### Cloudflare One Client block notifications

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/plans/zero-trust-services/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| Traffic and DNS mode, Traffic only mode                                                                                            | Enterprise                                                                  |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2024.1.159.0           |
| macOS    | ✅            | 2024.1.160.0           |
| Linux    | ❌            |                        |
| iOS      | ✅            | 1.7                    |
| Android  | ✅            | 1.4                    |
| ChromeOS | ✅            | 1.4                    |

Turn on **Display block notification for Cloudflare One Client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the Cloudflare One Client with a custom message you set. If you do not set a custom message, the Cloudflare One Client will display a default message. Custom messages must be 100 characters or less. The Cloudflare One Client will only display one notification per minute.

Upon selecting the notification, the Cloudflare One Client will direct your users to the [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form.

When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include:

Policy context fields

| Field                 | Definition                                                                                                                                       | Example                                                              |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
| User email            | Email of the user that made the query.                                                                                                           | &cf\_user\_email=user@example.com                                    |
| Site URL              | Full URL of the original HTTP request or domain name in DNS query.                                                                               | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F             |
| URL category          | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected.           | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains        |
| Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request.                                                                          | &cf\_referer=https%3A%2F%2Fexample.com%2F                            |
| Rule ID               | ID of the Gateway policy that matched the request.                                                                                               | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                   |
| Source IP             | Source IP address of the device that matched the policy.                                                                                         | &cf\_source\_ip=203.0.113.5                                          |
| Device ID             | UUID of the device that matched the policy.                                                                                                      | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                 |
| Application names     | Name of the application the redirected domain corresponds to, if any.                                                                            | &cf\_application\_name=Salesforce                                    |
| Filter                | The traffic type filter that triggered the block.                                                                                                | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 |
| Account ID            | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d                    |
| Query ID              | ID of the DNS query for which the redirect took effect.                                                                                          | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                  |
| Connection ID         | ID of the proxy connection for which the redirect took effect.                                                                                   | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3             |
| Request ID            | ID of the HTTP request for which the redirect took effect.                                                                                       | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                |

Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac).

### Redirect

API value: `redirect`

Available selectors

**Traffic**

* [Access Infrastructure Target](#access-infrastructure-target)
* [Application](#application)
* [Content Categories](#content-categories)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [Domain](#domain)
* [Host](#host)
* [HTTP Method](#http-method)
* [Proxy Endpoint](#proxy-endpoint)
* [Security Risks](#security-risks)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [URL](#url)
* [URL Path](#url-path)
* [URL Path & Query](#url-path-and-query)
* [URL Query](#url-query)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

The Redirect action allows you to redirect matched HTTP requests to a different URL you specify. For example, if your users browse to the public web page of a SaaS app, you can redirect them to your own self-hosted instance, a single sign-on page, or an internal policy page.

To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page).

#### Policy settings

In **Policy URL redirect**, you can define what URL to redirect matched requests to. The redirect URL can contain paths and queries. For example, you can redirect `example.com` to `cloudflare.com/path/to/page?querystring=x`.

When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include:

Policy context fields

| Field                 | Definition                                                                                                                                       | Example                                                              |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
| User email            | Email of the user that made the query.                                                                                                           | &cf\_user\_email=user@example.com                                    |
| Site URL              | Full URL of the original HTTP request or domain name in DNS query.                                                                               | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F             |
| URL category          | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected.           | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains        |
| Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request.                                                                          | &cf\_referer=https%3A%2F%2Fexample.com%2F                            |
| Rule ID               | ID of the Gateway policy that matched the request.                                                                                               | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                   |
| Source IP             | Source IP address of the device that matched the policy.                                                                                         | &cf\_source\_ip=203.0.113.5                                          |
| Device ID             | UUID of the device that matched the policy.                                                                                                      | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                 |
| Application names     | Name of the application the redirected domain corresponds to, if any.                                                                            | &cf\_application\_name=Salesforce                                    |
| Filter                | The traffic type filter that triggered the block.                                                                                                | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 |
| Account ID            | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d                    |
| Query ID              | ID of the DNS query for which the redirect took effect.                                                                                          | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                  |
| Connection ID         | ID of the proxy connection for which the redirect took effect.                                                                                   | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3             |
| Request ID            | ID of the HTTP request for which the redirect took effect.                                                                                       | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                |

When you turn on **Preserve original path and query string**, Gateway will append the original path and query string to the redirected URL. Paths and queries in the redirect URL take precedence over the original URL. For example, if the original URL is `example.com/path/to/page?querystring=X` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to:

```
cloudflare.com/redirect-path/path/to/page?querystring=Y
```

When you turn on both options, Gateway will preserve the original path and query string, then append policy context to the end of the redirect URL. For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to:

```
cloudflare.com/redirect-path/path/to/page?querystring=Y&k=1&cf_user_email=user@example.com
```
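The two redirect examples above follow a fixed composition order: the original path is appended under the redirect path, query keys from the redirect URL override same-named keys from the original, and policy context is appended last. The following is an added example, not Cloudflare's code, that applies those rules to the page's own inputs and, for the receiving side, shows how a custom block or support page can read the `cf_*` fields back out of the query string. The helper names, the scheme-less URL form used in the docs examples, and the fixed list of context keys are this example's assumptions.

```python
"""Added example (not Cloudflare's code): how Gateway's Redirect action composes
the destination URL when "Preserve original path and query string" and "Send
policy context" are on, and how the receiving page reads the cf_* fields back.
The composition rules follow the worked examples in the text; the helper names
and the scheme-less URL form are this example's own."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Policy context query parameters Gateway may append (names from the table above).
POLICY_CONTEXT_KEYS = (
    "cf_user_email", "cf_site_uri", "cf_request_categories", "cf_referer",
    "cf_rule_id", "cf_source_ip", "cf_device_id", "cf_application_name",
    "cf_filter", "cf_account_id", "cf_query_id", "cf_connection_id",
    "cf_request_id",
)


def _split(url):
    """'scheme://host/path?query' or 'host/path?query' -> (host, path, [(key, raw_part)])."""
    if "://" in url:
        url = url.split("://", 1)[1]
    base, _, raw_query = url.partition("?")
    host, sep, path = base.partition("/")
    pairs = []
    for part in raw_query.split("&"):
        if part:
            key, _, _ = part.partition("=")
            pairs.append((key, part))  # keep the raw part so original encoding survives
    return host, (sep + path if sep else ""), pairs


def compose_redirect(original, redirect, preserve_path_and_query=False, policy_context=None):
    """Return the URL Gateway redirects to (scheme omitted, as in the docs examples)."""
    _, orig_path, orig_pairs = _split(original)
    redir_host, redir_path, redir_pairs = _split(redirect)
    path = redir_path
    pairs = list(redir_pairs)
    if preserve_path_and_query:
        # Original path goes under the redirect path; redirect query keys take
        # precedence, and original keys that were not overridden follow them.
        path = redir_path.rstrip("/") + orig_path
        overridden = {key for key, _ in redir_pairs}
        pairs += [(key, part) for key, part in orig_pairs if key not in overridden]
    query = "&".join(part for _, part in pairs)
    if policy_context:
        # Policy context is appended last; '@' is left unencoded as in the docs example.
        context = urlencode(policy_context, safe="@")
        query = f"{query}&{context}" if query else context
    return redir_host + path + (f"?{query}" if query else "")


def parse_policy_context(received_url):
    """On the block/support page: extract the cf_* fields Gateway appended.
    The values arrive in a client request, so escape them before rendering."""
    params = parse_qs(urlsplit(received_url).query)
    context = {key: params[key][0] for key in POLICY_CONTEXT_KEYS if key in params}
    if "cf_request_categories" in context:  # comma-separated list of categories
        context["cf_request_categories"] = context["cf_request_categories"].split(",")
    return context


if __name__ == "__main__":
    print(compose_redirect("example.com/path/to/page?querystring=X&k=1",
                           "cloudflare.com/redirect-path?querystring=Y",
                           preserve_path_and_query=True,
                           policy_context={"cf_user_email": "user@example.com"}))
    # Constructed URL as a support form would receive it from a redirected browser.
    print(parse_policy_context("https://support.example.internal/blocked"
                               "?cf_rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1&cf_filter=http"))
```

`parse_policy_context` only picks out known `cf_*` keys and treats everything else in the query string as noise; a support form should still HTML-escape the values it displays, since a user (or a script on the user's device) can open the support URL directly with arbitrary query parameters.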

### Isolate

API value: `isolate`

Available selectors

**Traffic**

* [Application](#application)
* [Content Categories](#content-categories)
* [Domain](#domain)
* [Host](#host)
* [HTTP Method](#http-method)
* [Security Risks](#security-risks)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [URL](#url)
* [URL Path](#url-path)
* [URL Path & Query](#url-path-and-query)
* [URL Query](#url-query)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

The Isolate action serves matched traffic to users via [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). For more information on this action, refer to [Isolation policies](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#isolate).

### Do Not Inspect

API value: `off`

Available selectors

**Traffic**

* [Application](#application)
* [Content Categories](#content-categories)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [Domain](#domain)
* [Host](#host)
* [Proxy Endpoint](#proxy-endpoint)
* [Security Risks](#security-risks)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

Visibility limitation

When you create a Do Not Inspect policy for a given hostname, application, or app type, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning.

Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to this traffic. For more information, refer to [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/).

Do Not Inspect lets you exempt certain traffic from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indication (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations).

Note

All Do Not Inspect policies are evaluated before any Allow or Block policies, regardless of their position in the policy list. For more information, refer to [Order of enforcement](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies).

### Do Not Isolate

API value: `noisolate`

Available selectors

**Traffic**

* [Application](#application)
* [Content Categories](#content-categories)
* [Domain](#domain)
* [Host](#host)
* [HTTP Method](#http-method)
* [Security Risks](#security-risks)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [URL](#url)
* [URL Path](#url-path)
* [URL Path & Query](#url-path-and-query)
* [URL Query](#url-query)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

The Do Not Isolate action turns off browser isolation for matched traffic. For more information on this action, refer to [Isolation policies](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#do-not-isolate).

### Do Not Scan

API value: `noscan`

Available selectors

**Traffic**

* [Application](#application)
* [Content Categories](#content-categories)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [Domain](#domain)
* [Host](#host)
* [HTTP Method](#http-method)
* [Proxy Endpoint](#proxy-endpoint)
* [Security Risks](#security-risks)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [URL](#url)
* [URL Path](#url-path)
* [URL Path & Query](#url-path-and-query)
* [URL Query](#url-query)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

When an admin enables AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively disable scanning with HTTP policies. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, an admin would configure the following rule:

| Selector | Operator      | Value          | Action      |
| -------- | ------------- | -------------- | ----------- |
| Hostname | matches regex | .\*example.com | Do Not Scan |

When a Do Not Scan rule matches, nothing is scanned, regardless of file size or whether the file type is supported or not.

### Quarantine

API value: `quarantine`

Available selectors

**Traffic**

* [Application](#application)
* [Content Categories](#content-categories)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [Domain](#domain)
* [Host](#host)
* [HTTP Method](#http-method)
* [Proxy Endpoint](#proxy-endpoint)
* [Security Risks](#security-risks)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [URL](#url)
* [URL Path](#url-path)
* [URL Path & Query](#url-path-and-query)
* [URL Query](#url-query)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

The Quarantine action sends files in matching requests to a file sandbox to scan for malware. Gateway will only quarantine files not previously seen in the file sandbox. For more information on this action, refer to [File sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/).

#### Sandbox file types

In **Sandbox file types**, you can select which file types to quarantine with your policy. You must select at least one file type.

File sandboxing supports scanning the following file types:

Supported sandboxing file types

* `.exe`
* `.pdf`
* `.doc`
* `.docm`
* `.docx`
* `.rtf`
* `.ppt`
* `.pptx`
* `.xls`
* `.xlsm`
* `.xlsx`
* `.zip`
* `.rar`

## Selectors

Note

Policies created using the URL selector are case-sensitive.

Gateway matches HTTP traffic against the following selectors, or criteria:

### Access Infrastructure Target

All [targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target) secured by an [Access infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/).

| UI name                      | API example   |
| ---------------------------- | ------------- |
| Access Infrastructure Target | access.target |

### Access Private App

All destination IPs and hostnames secured by an [Access self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).

| UI name                                     | API example         |
| ------------------------------------------- | ------------------- |
| Self-hosted Access App with Private Address | access.private\_app |

### Application Approval Status

The review approval status of an application from [Shadow IT Discovery](https://developers.cloudflare.com/cloudflare-one/insights/analytics/shadow-it-discovery/) or the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/). For more information, refer to [Review applications](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/#review-applications).

| UI name            | API example                           |
| ------------------ | ------------------------------------- |
| Application Status | any(app.statuses\[\*\] == "approved") |

### Application

You can apply HTTP policies to a growing list of popular web applications. Refer to [Application and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/) for more information.

| UI name     | API example                 |
| ----------- | --------------------------- |
| Application | any(app.ids\[\*\] in {505}) |

Multiple API selectors required for Terraform

When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`.

#### Granular controls

When using the _is_ operator with the _Application_ selector, you can use Application Granular Controls to choose specific actions and operations to match application traffic. For example, you can block file uploads to ChatGPT without blocking all ChatGPT traffic:

| Selector    | Operator | Value     | Controls | Action |
| ----------- | -------- | --------- | -------- | ------ |
| Application | is       | _ChatGPT_ | _Upload_ | Block  |

You can match traffic based on **Application Controls**, which group multiple user actions together, or **Operations**, which allow for granular control of supported API-level actions for an application.

For more information, refer to [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/).

### Body Phase

The phase of an HTTP request. Use this selector to specify whether to scan the data sent to your user's device (a download) or the data sent from your user's device to a destination (an upload). Policies without this selector scan both the HTTP request and response bodies.

| UI name    | API example                        |
| ---------- | ---------------------------------- |
| Body Phase | http.body\_phase == "download"     |

Body phase mismatch

When combining this selector with the [Download and Upload File Types selectors](#download-and-upload-file-types), ensure you use the matching phase together. For example, use the `download` body phase with the Download File Types selector. If body phase and file type selector logic do not match, the policy may not filter traffic as intended.

### Content Categories

Applications within a specific [content category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories).

| UI name            | API example                                          |
| ------------------ | ---------------------------------------------------- |
| Content Categories | any(http.request.uri.content\_category\[\*\] in {1}) |

### Destination Continent

Note

Only applies to traffic sent through the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/#gateway-with-warp-default).

The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the **Value** field:

| Continent     | Code |
| ------------- | ---- |
| Africa        | AF   |
| Antarctica    | AN   |
| Asia          | AS   |
| Europe        | EU   |
| North America | NA   |
| Oceania       | OC   |
| South America | SA   |
| Tor network   | T1   |

| UI name                              | API example                        |
| ------------------------------------ | ---------------------------------- |
| Destination Continent IP Geolocation | http.dst\_ip.geo.continent == "EU" |

### Destination Country

Note

Only applies to traffic sent through the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/#gateway-with-warp-default).

The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its [ISO 3166-1 Alpha 2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                            | API example                      |
| ---------------------------------- | -------------------------------- |
| Destination Country IP Geolocation | http.dst\_ip.geo.country == "RU" |

### Destination IP

Note

Only applies to traffic sent through the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/#gateway-with-warp-default).

The IP address of the request's target.

| UI name        | API example                                  |
| -------------- | -------------------------------------------- |
| Destination IP | any(http.conn.dst\_ip\[\*\] in {10.0.0.0/8}) |

### Device Posture

With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can limit all access to internal applications based on whether specific software is installed on a device and/or whether the device or software is configured in a particular way.

For more information on device posture checks, refer to [Device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

| UI name                      | API example                                                                                                                                                                 |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Passed Device Posture Checks | any(device\_posture.checks.failed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device\_posture.checks.passed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}) |

### Domain

Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`.

| UI name | API example                                      |
| ------- | ------------------------------------------------ |
| Domain  | any(http.request.domains\[\*\] == "example.com") |

Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

### Download and Upload File Size

Use these selectors to limit the file size of upload or download transactions. File sizes are measured in mebibytes (MiB).

| UI name                  | API example                   |
| ------------------------ | ----------------------------- |
| Download File Size (MiB) | http.download.file.size >= 10 |

| UI name                | API example                |
| ---------------------- | -------------------------- |
| Upload File Size (MiB) | http.upload.file.size < 10 |

### Download and Upload File Types

Deprecated selectors

The _Download File Types_ and _Upload File Types_ selectors supersede the _Download File Type_ and _Upload File Type_ selectors. Gateway will still evaluate policies with the previous selectors. However, Cloudflare recommends migrating any policies with deprecated selectors to the new corresponding selectors.

These selectors will scan file signatures in the HTTP body. You can select from file categories or [specific file types](#supported-file-types), such as executables, archives and compressed files, unscannable files, Microsoft 365/Office documents, and Adobe files.

| UI name             | API example                                          |
| ------------------- | ---------------------------------------------------- |
| Download File Types | any(http.download.file.types\[\*\] in {"docx" "7z"}) |

| UI name           | API example                                         |
| ----------------- | --------------------------------------------------- |
| Upload File Types | any(http.upload.file.types\[\*\] in {"compressed"}) |

#### Supported file types

Gateway supports the following file types for use with the _Download File Types_ and _Upload File Types_ selectors:

Compressed

* 7-Zip archive (`.7z`)
* `bzip2` archive (`.bz2`)
* GNU Gzip archive (`.gz`)
* Microsoft Cabinet file (`.cab`)
* Microsoft Compiled HTML Help file (`.chm`)
* RAR archive (`.rar`)
* `xz` archive (`.xz`)
* ZIP archive (`.zip`)

Documents

* Microsoft Office/365 files  
   * Word document (`.doc`, `.docx`, `.docm`)  
   * Excel spreadsheet (`.xls`, `.xlsx`, `.xlsm`)  
   * PowerPoint presentation (`.ppt`, `.pptx`, `.pptm`)
* PDF document (`.pdf`)

Executable

* Apple Software Package (`.pkg`)
* Dynamic-link library (DLL) file (`.dll`)
* Executable and Linkable Format (ELF) file (`.elf`)
* Java archive (JAR) package (`.jar`)
* Java class file (`.class`)
* Mach object (Mach-O) file (`.macho`)
* Microsoft Windows installer (`.msi`)
* Microsoft Software Installer (`.msix`, `.appx`)
* Microsoft Windows executable (`.exe`)

Image

* Adobe Photoshop document (`.psd`)
* Bitmap image (`.bmp`)
* GIF image (`.gif`)
* Icon file (`.ico`)
* JPEG image (`.jpg`, `.jpeg`)
* PNG image (`.png`)
* WebP image (`.webp`)

Other

* BitTorrent file (`.torrent`)

System

* Apple Disk Image (`.dmg`)

Unscannable

* Password-protected Microsoft Office document
* Password-protected PDF
* Password-protected ZIP archive
* Unscannable ZIP archive

### Download and Upload Mime Type

These selectors depend on the `Content-Type` header being present in the request (for uploads) or response (for downloads). The MIME type value must match the format used in the `Content-Type` header (for example, `image/png`, `application/pdf`).

| UI name            | API example                       |
| ------------------ | --------------------------------- |
| Download Mime Type | http.download.mime == "image/png" |

| UI name          | API example                     |
| ---------------- | ------------------------------- |
| Upload Mime Type | http.upload.mime == "image/png" |

### DLP Profile

Use [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to scan HTTP traffic for the presence of sensitive data such as personally identifiable information (PII) or source code. You must configure a [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) before you can use this selector in a policy.

| UI name     | API example                                                             |
| ----------- | ----------------------------------------------------------------------- |
| DLP Profile | any(dlp.profiles\[\*\] in {"a0cabf16-7491-4c9a-ac02-f64cabc66394"})     |

### Host

Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`.

| UI name | API example                        |
| ------- | ---------------------------------- |
| Host    | http.request.host == "example.com" |

Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

Note

Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector.

### HTTP Method

The HTTP request method used in the traffic.

| UI name     | API example                  |
| ----------- | ---------------------------- |
| HTTP Method | http.request.method == "GET" |

### HTTP Response

The HTTP response status code received by the traffic.

| UI name | API example                         |
| ------- | ----------------------------------- |
| HTTP Response | http.response.status\_code == "200" |

### Proxy Endpoint

The [proxy server](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) where your browser forwards HTTP traffic.

| UI name        | API example                                                 |
| -------------- | ----------------------------------------------------------- |
| Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" |

### Security Risks

Applications within a specific [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories).

| UI name             | API example                                           |
| ------------------- | ----------------------------------------------------- |
| Security Categories | any(http.request.uri.security\_category\[\*\] in {1}) |

### Source Continent

The continent of the user making the request. 

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field:

| Continent     | Code |
| ------------- | ---- |
| Africa        | AF   |
| Antarctica    | AN   |
| Asia          | AS   |
| Europe        | EU   |
| North America | NA   |
| Oceania       | OC   |
| South America | SA   |
| Tor network   | T1   |

| UI name                         | API example                                   |
| ------------------------------- | --------------------------------------------- |
| Source Continent IP Geolocation | http.src\_ip.geo.continent == "North America" |

### Source Country

The country of the user making the request. 

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                       | API example                      |
| ----------------------------- | -------------------------------- |
| Source Country IP Geolocation | http.src\_ip.geo.country == "RU" |

### Source Internal IP

Use this selector to apply HTTP policies based on the private IP address, assigned by the user's local network, from which requests arrive at Gateway.

| UI name            | API example                                      |
| ------------------ | ------------------------------------------------ |
| Source Internal IP | http.conn.internal\_src\_ip == "192.168.86.0/27" |

### Source IP

The originating IP address or addresses of a device proxied by Gateway.

| UI name   | API example                             |
| --------- | --------------------------------------- |
| Source IP | http.conn.src\_ip\[\*\] in {10.0.0.0/8} |

### URL

Gateway ignores trailing forward slashes (`/`) in URLs. For example, `https://example.com` and `https://example.com/` will count as the same URL and may return a duplicate error.

| UI name | API example                          |
| ------- | ------------------------------------ |
| URL     | http.request.uri matches "/r/gaming" |

### URL Path

The pathname of a webpage's URL.

| UI name  | API example                             |
| -------- | --------------------------------------- |
| URL Path | http.request.uri.path == "/foo/bar"     |

### URL Path and Query

The pathname and query of a webpage's URL.

| UI name            | API example                                                       |
| ------------------ | ----------------------------------------------------------------- |
| URL Path and Query | http.request.uri.path\_and\_query == "/foo/bar?ab%242=%2A342"     |

### URL Query

The query of a webpage's URL.

| UI name   | API example                               |
| --------- | ----------------------------------------- |
| URL Query | http.request.uri.query == "ab%242=%2A342" |

### Users

Use these selectors to match against identity attributes.

| UI name           | API example                                                                                                     |
| ----------------- | --------------------------------------------------------------------------------------------------------------- |
| User Email        | identity.email == "user@example.com"                                                                            |
| User Name         | identity.name == "Test User"                                                                                    |
| User Group IDs    | any(identity.groups\[\*\].id in {"group\_id"})                                                                  |
| User Group Names  | any(identity.groups\[\*\].name in {"group\_name"})                                                              |
| User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"})                                                       |
| SAML Attributes   | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) |

### Virtual Network

Use this selector to match all traffic routed through a specific [Virtual Network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) via the Cloudflare One Client.

| UI name         | API example                                                  |
| --------------- | ------------------------------------------------------------ |
| Virtual Network | http.conn.vnet\_id == "957fc748-591a-e96s-a15d-1j90204a7923" |

## Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector.

| Operator                 | Meaning                                                                                                            |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------ |
| is                       | equals the defined value                                                                                           |
| is not                   | does not equal the defined value                                                                                   |
| in                       | matches at least one of the defined values                                                                         |
| not in                   | does not match any of the defined values                                                                           |
| in list                  | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values     |
| not in list              | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values |
| matches regex            | regex evaluates to true                                                                                            |
| does not match regex     | regex evaluates to false                                                                                           |
| greater than             | exceeds the defined number                                                                                         |
| greater than or equal to | exceeds or equals the defined number                                                                               |
| less than                | below the defined number                                                                                           |
| less than or equal to    | below or equals the defined number                                                                                 |

## Value

In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors.

### Regular expressions

Regular expressions are evaluated using the Rust regex engine, whose syntax differs slightly from the regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/#wildcards). To check whether your regex matches, you can test it with [Rustexp ↗](https://rustexp.lpil.uk/).

If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. You do not need to use an escape character (`\`) before the pipe symbol. For example, the following expression evaluates to true when the hostname matches either `.*whispersystems.org` or `.*signal.org`:

| Selector | Operator      | Value                                |
| -------- | ------------- | ------------------------------------ |
| Host     | matches regex | .\*whispersystems.org\|.\*signal.org |

In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values.
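The following is an added example, not code from the Cloudflare documentation. It uses Python's `re` module to illustrate the page's alternation pattern and a tightened variant of it. It assumes (the page does not state this) that Gateway applies a _matches regex_ pattern as an unanchored search over the hostname, which is why the tightened form spells out its anchors; the sample hostnames are constructed. Only syntax the Rust engine also accepts is used (no lookaround or backreferences, which Rust's `regex` crate does not support).

```python
import re

# Gateway evaluates "matches regex" with the Rust regex engine. Python's re
# is used here only to illustrate the patterns. Assumption: the pattern is
# applied as an unanchored search over the hostname.


def host_matches(pattern: str, host: str) -> bool:
    """Return True if the hostname matches the policy regex (search semantics)."""
    return re.search(pattern, host, flags=re.IGNORECASE) is not None


# The page's own multi-value example: alternation with an unescaped '|'.
LOOSE_PATTERN = r".*whispersystems.org|.*signal.org"

# Tightened form: an unescaped '.' matches any character, and without anchors
# any hostname that merely contains the text matches. Escaping the dots and
# anchoring at the end limits the match to the domain and its subdomains.
STRICT_PATTERN = r"(^|\.)(whispersystems\.org|signal\.org)$"

# Constructed sample hostnames for the comparison.
SAMPLE_HOSTS = [
    "signal.org",              # the domain itself
    "updates.signal.org",      # a legitimate subdomain
    "notsignal.org",           # a different registrable domain with the same suffix text
    "signalXorg.example.net",  # the unescaped '.' in the pattern matches the 'X'
    "signal.org.example.net",  # the domain name embedded in another hostname
]


def compare(pattern_a: str, pattern_b: str, hosts=SAMPLE_HOSTS) -> dict:
    """Map each hostname to (matches pattern_a, matches pattern_b)."""
    return {h: (host_matches(pattern_a, h), host_matches(pattern_b, h)) for h in hosts}


if __name__ == "__main__":
    for host, (loose, strict) in compare(LOOSE_PATTERN, STRICT_PATTERN).items():
        print(f"{host:26} loose={str(loose):5} strict={strict}")
```

The loose pattern matches all five sample hostnames; the strict one matches only the first two. Over-matching is a nuisance in a Block policy, but in an Allow, Do Not Inspect or Do Not Scan policy it widens the exemption to hostnames you never intended, so escape literal dots and anchor the pattern in policies that relax controls.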

## Logical operators

To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator.

| Operator | Meaning                                       |
| -------- | --------------------------------------------- |
| And      | match all of the conditions in the expression |
| Or       | match any of the conditions in the expression |

The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in **Identity** or **Device Posture**.

If a condition in an expression joins a request attribute (such as _Source IP_) and a response attribute (such as _a DLP Profile_), then the condition will be evaluated when the response is received.


---

---
title: AV scanning
description: How AV scanning works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# AV scanning

Cloudflare Gateway can scan files for malware as users upload or download them. Anti-virus (AV) scanning runs inline — Gateway inspects files as they pass through the proxy and blocks any file that contains a known malicious payload.

In addition to AV scanning, Gateway can quarantine previously unseen files into a sandbox to detect zero-day threats not yet in anti-virus databases. For more information, refer to [File sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/).

## Get started

To turn on AV scanning:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Policy settings**, turn on **Scan files for malware**.
3. Choose whether to scan files for malicious payloads during uploads, downloads, or both. You can also block requests containing [non-scannable files](#non-scannable-files).
4. (Optional) Turn on **Display AV block notification for Cloudflare One Client** to send [block notifications](#cloudflare-one-client-block-notifications) to users connected to Gateway with the Cloudflare One Client when AV inspection blocks a file.

When a request is blocked due to the presence of malware, Gateway will log the match as a Block decision in your [HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#http-logs).

### Cloudflare One Client block notifications

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/plans/zero-trust-services/) |
| --- | --- |
| Traffic and DNS mode, Traffic only mode | Enterprise |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2024.1.159.0           |
| macOS    | ✅            | 2024.1.160.0           |
| Linux    | ❌            |                        |
| iOS      | ✅            | 1.7                    |
| Android  | ✅            | 1.4                    |
| ChromeOS | ✅            | 1.4                    |

Turn on **Display AV block notification for Cloudflare One Client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the Cloudflare One Client with a custom message you set. If you do not set a custom message, the Cloudflare One Client will display a default message. Custom messages must be 100 characters or less. The Cloudflare One Client will only display one notification per minute.

Upon selecting the notification, the Cloudflare One Client will direct your users to the [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form.

When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include:

Policy context fields

| Field                 | Definition                                                                                                                                       | Example                                                              |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
| User email            | Email of the user that made the query.                                                                                                           | &cf\_user\_email=user@example.com                                    |
| Site URL              | Full URL of the original HTTP request or domain name in DNS query.                                                                               | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F             |
| URL category          | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected.           | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains        |
| Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request.                                                                          | &cf\_referer=https%3A%2F%2Fexample.com%2F                            |
| Rule ID               | ID of the Gateway policy that matched the request.                                                                                               | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                   |
| Source IP             | Source IP address of the device that matched the policy.                                                                                         | &cf\_source\_ip=203.0.113.5                                          |
| Device ID             | UUID of the device that matched the policy.                                                                                                      | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                 |
| Application names     | Name of the application the redirected domain corresponds to, if any.                                                                            | &cf\_application\_name=Salesforce                                    |
| Filter                | The traffic type filter that triggered the block.                                                                                                | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 |
| Account ID            | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d                    |
| Query ID              | ID of the DNS query for which the redirect took effect.                                                                                          | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                  |
| Connection ID         | ID of the proxy connection for which the redirect took effect.                                                                                   | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3             |
| Request ID            | ID of the HTTP request for which the redirect took effect.                                                                                       | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                |

Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac).

## File scan criteria

If AV scanning is turned on, Gateway uses the following criteria (in order) to detect and scan files. The first match triggers a scan:

1. The `Content-Disposition` HTTP header is set to `Attachment`.
2. The byte signature of the request or response body matches a known file type:  
   * **Executable** (for example, `.exe`, `.bat`, `.dll`, and `.wasm`)  
   * **Documents** (for example, `.doc`, `.docx`, `.pdf`, `.ppt`, and `.xls`)  
   * **Compressed** (for example, `.7z`, `.gz`, `.zip`, and `.rar`)
3. The file name in the `Content-Disposition` header contains a file extension matching one of the above categories.

If none of these conditions match, Gateway falls back to the origin's `Content-Type` header. Gateway will not scan files it determines to be image, video, or audio files. All other files default to being scanned.
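The following is an added example, not Cloudflare's code: a local model of the ordered criteria above, so you can predict which rule triggers a scan for a given request or response. The byte-signature table and extension sets are constructed from the categories the page names and are far smaller than Gateway's real coverage; the `Content-Disposition` parser is simplified and does not handle the `filename*=` form.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed byte-signature table: (leading bytes, category).
SIGNATURES = [
    (b"MZ", "Executable"),                               # Windows PE (.exe, .dll)
    (b"\x7fELF", "Executable"),                          # ELF
    (b"\x00asm", "Executable"),                          # WebAssembly (.wasm)
    (b"%PDF-", "Documents"),                             # PDF
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Documents"),  # legacy OLE2 (.doc/.xls/.ppt)
    (b"PK\x03\x04", "Compressed"),                       # ZIP (also the .docx/.jar container)
    (b"\x1f\x8b", "Compressed"),                         # gzip
    (b"7z\xbc\xaf\x27\x1c", "Compressed"),               # 7-Zip
    (b"Rar!\x1a\x07", "Compressed"),                     # RAR
]

# Extensions per category as listed on the page, used by criterion 3.
EXTENSIONS = {
    "Executable": {".exe", ".bat", ".dll", ".wasm"},
    "Documents": {".doc", ".docx", ".pdf", ".ppt", ".xls"},
    "Compressed": {".7z", ".gz", ".zip", ".rar"},
}

# Content-Type prefixes Gateway does not scan in the fallback step.
MEDIA_PREFIXES = ("image/", "video/", "audio/")


def signature_category(body: bytes) -> Optional[str]:
    """Category of the first matching byte signature, or None."""
    for magic, category in SIGNATURES:
        if body.startswith(magic):
            return category
    return None


def disposition_extension(disposition: str) -> str:
    """Lower-cased extension of the filename= parameter ('' if absent)."""
    m = re.search(r'filename="?([^";]+)"?', disposition, re.IGNORECASE)
    if not m:
        return ""
    name = m.group(1).strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def scan_decision(headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """Apply the criteria in order; the first match decides. Returns (scan, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "")

    # 1. Content-Disposition is "attachment" (first token, case-insensitive).
    if disposition.split(";")[0].strip().lower() == "attachment":
        return True, "criterion 1: Content-Disposition attachment"

    # 2. The body's byte signature matches a known file type.
    category = signature_category(body)
    if category:
        return True, f"criterion 2: {category} byte signature"

    # 3. The filename extension in Content-Disposition belongs to a category.
    ext = disposition_extension(disposition)
    for category, exts in EXTENSIONS.items():
        if ext in exts:
            return True, f"criterion 3: {category} extension {ext}"

    # Fallback: Content-Type. Media types are skipped; everything else is scanned.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype.startswith(MEDIA_PREFIXES):
        return False, f"fallback: media Content-Type {ctype}"
    return True, f"fallback: non-media Content-Type {ctype or '(none)'}"


if __name__ == "__main__":
    # Constructed samples. Note the PE file served as image/png: criterion 2
    # fires before the Content-Type fallback, so a mislabelled media type does
    # not keep an executable out of the scanner.
    samples = [
        ({"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n"),
        ({"Content-Type": "image/png"}, b"MZ\x90\x00\x03"),
        ({"Content-Disposition": 'attachment; filename="report.pdf"'}, b"%PDF-1.7"),
        ({"Content-Type": "application/octet-stream",
          "Content-Disposition": 'inline; filename="setup.exe"'}, b"\x00\x00"),
        ({"Content-Type": "text/html"}, b"<html>"),
    ]
    for headers, body in samples:
        print(headers, scan_decision(headers, body))
```

The order matters for the fallback: the `Content-Type` header is consulted only when neither the disposition, the body bytes nor the filename identified the content, so a media `Content-Type` on its own exempts a file from scanning only when nothing earlier in the chain recognised it.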

## Opt content out from scanning

When an admin turns on AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning using HTTP policies. All [HTTP selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#selectors) can opt HTTP traffic out from AV scanning using the **Do Not Scan** action. When traffic matches a Do Not Scan policy, nothing is scanned, regardless of file size or whether the file type is supported or not. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, you can create the following policy:

| Selector | Operator      | Value       | Action      |
| -------- | ------------- | ----------- | ----------- |
| Hostname | matches regex | example.com | Do Not Scan |

Opting out of AV scanning applies to uploads and/or downloads of files, matching your account's global AV scanning setting. For example, if you have configured Gateway to globally scan uploads only, then opting out of AV scanning will only apply to uploads.

## Compatibility

### Supported compressed file types

In addition to standard object files like PDFs, Zero Trust supports AV scanning for the following archive types:


* 7-Zip
* 7-Zip SFX
* ACE
* ACE SFX
* AutoHotkey
* AutoIt
* BASE64
* BZ2
* CHM Help Files
* CPIO SVR4
* Chrome Extension (CRX) Package Format
* eXtensible ARchive format (XAR)
* GZIP compressed files
* ISO 9660
* Inno Setup
* Indigo Rose Setup Factory
* Java ARchive
* LZH/LHA
* MacBinary
* MIME base64
* MSCOMPRESS
* Microsoft CAB
* Microsoft TNEF
* NSIS Nullsoft Installer
* Office Legacy XML
* PGP signed message, document, etc.
* RPM
* RAR
* SAPCar
* Self-extracting ARJ
* Self-extracting CA
* Self-extracting LZH/LHA
* Self-extracting RAR
* Self-extracting ZIP
* Smart Install Maker
* TAR
* UUE and XXE compressed files
* Windows Imaging File (WIM)
* XE compressed files (UUE and XXE)
* XZ file format
* ZIP
* ZOO

Gateway cannot scan [certain archive files](#non-scannable-files) regardless of file type, such as large or encrypted files.

### Non-scannable files

Gateway cannot scan all files for malware. When Gateway encounters a non-scannable file, you can configure AV scanning to either fail open (allow the file to pass through unscanned) or fail closed (deny the file transfer).

Gateway cannot scan requests containing the following files:

* Files larger than:  
   * 15 MB on Free plans  
   * 25 MB on Pay-as-you-go plans  
   * 100 MB on Enterprise plans
* PGP encrypted files
* Password protected archives
* Archives with more than three recursion levels
* Archives with more than 300 files
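The following is an added example, not Cloudflare's code: a local pre-flight check that applies the archive limits listed above to a ZIP file, so you can tell in advance whether Gateway would treat it as non-scannable and therefore fail open or fail closed. The example assumes that the outer archive is depth 0 and each ZIP nested inside adds one recursion level, that the file count covers entries at every level, and that the size limit is the one for the named plan; the sample archives are constructed in memory, and the `mark_encrypted` helper only flips the header flag because the standard library cannot write encrypted ZIPs.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Limits as listed on the page.
PLAN_SIZE_LIMIT_MB = {"free": 15, "payg": 25, "enterprise": 100}
MAX_RECURSION_LEVELS = 3
MAX_FILES = 300


@dataclass
class ArchiveReport:
    size_bytes: int
    files: int
    depth: int
    encrypted: bool

    def unscannable_reasons(self, plan: str) -> list[str]:
        """Reasons from the page's list for which Gateway could not scan this file."""
        reasons = []
        limit_mb = PLAN_SIZE_LIMIT_MB[plan]
        if self.size_bytes > limit_mb * 1024 * 1024:
            reasons.append(f"larger than {limit_mb} MB ({plan} plan)")
        if self.encrypted:
            reasons.append("password protected archive")
        if self.depth > MAX_RECURSION_LEVELS:
            reasons.append(f"more than {MAX_RECURSION_LEVELS} recursion levels")
        if self.files > MAX_FILES:
            reasons.append(f"more than {MAX_FILES} files")
        return reasons


def _walk(data: bytes, depth: int) -> tuple[int, int, bool]:
    """Return (files, deepest level, any encrypted entry) for one ZIP blob,
    recursing into members that are themselves ZIP files."""
    files, deepest, encrypted = 0, depth, False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            files += 1
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                encrypted = True
                continue              # cannot read it, so cannot recurse into it
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                f, d, e = _walk(member, depth + 1)
                files, deepest, encrypted = files + f, max(deepest, d), encrypted or e
    return files, deepest, encrypted


def inspect_zip(data: bytes) -> ArchiveReport:
    files, depth, encrypted = _walk(data, 0)
    return ArchiveReport(len(data), files, depth, encrypted)


# --- constructed samples ---------------------------------------------------

def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nested_zip(levels: int) -> bytes:
    """A small ZIP wrapped inside `levels` further ZIPs."""
    data = build_zip({"payload.txt": b"hello"})
    for i in range(levels):
        data = build_zip({f"level{i}.zip": data})
    return data


def mark_encrypted(data: bytes) -> bytes:
    """Set the 'encrypted' flag bit on every entry. The data stays plain; only the
    flag changes (offset 6 in each local file header, offset 8 in each central
    directory entry), which is enough for readers to report the entry as encrypted."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


if __name__ == "__main__":
    for label, blob in [("3 levels", nested_zip(3)), ("4 levels", nested_zip(4)),
                        ("encrypted", mark_encrypted(build_zip({"s.txt": b"secret"})))]:
        print(label, inspect_zip(blob).unscannable_reasons("enterprise"))
```

Whether a file on this list is delivered or dropped depends on the fail open / fail closed setting described above; an archive that trips any of these limits is never inspected by AV, so the decision for such files should be made deliberately rather than left at the default.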


---

---
title: Common policies
description: Reference information for Common policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Common policies

The following policies are commonly used to secure HTTP traffic. HTTP policies are evaluated in order from top to bottom, and the first matching policy applies — except for [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies, which are always evaluated first.

For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies/).

Refer to the [HTTP policies page](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) for a comprehensive list of other selectors, operators, and actions.

## Block sites

Block attempts to reach sites by hostname or URL paths. Different approaches may be required based on how a site is organized.

### Block sites by hostname

Block all subdomains that use a host.


| Selector | Operator      | Value            | Action |
| -------- | ------------- | ---------------- | ------ |
| Host     | matches regex | .\*example\\.com | Block  |

In the following API examples, `filters: ["http"]` indicates that this is an HTTP (Layer 7) policy.

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block sites by hostname",
    "description": "Block all subdomains that use a specific hostname",
    "enabled": true,
    "action": "block",
    "filters": [
        "http"
    ],
    "traffic": "http.request.host matches \".*example.com\"",
    "identity": "",
    "device_posture": ""
  }'
```

### Block sites by URL

Block a section of a site without blocking the entire site. For example, you can block a specific subreddit, such as `reddit.com/r/gaming`, without blocking `reddit.com`.


| Selector | Operator      | Value     | Action |
| -------- | ------------- | --------- | ------ |
| URL      | matches regex | /r/gaming | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block sites by URL",
    "description": "Block specific parts of a site without blocking the hostname",
    "enabled": true,
    "action": "block",
    "filters": [
        "http"
    ],
    "traffic": "http.request.uri matches \"/r/gaming\"",
    "identity": "",
    "device_posture": ""
  }'
```

## Block content categories

Block content categories which go against your organization's acceptable use policy.


| Selector           | Operator | Value                                                                                 | Action |
| ------------------ | -------- | ------------------------------------------------------------------------------------- | ------ |
| Content Categories | in       | _Questionable Content_, _Security Risks_, _Miscellaneous_, _Adult Themes_, _Gambling_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-HTTP-ContentCategories-Blocklist",
    "description": "Block access to questionable content and potential security risks",
    "precedence": 40,
    "enabled": true,
    "action": "block",
    "filters": [
        "http"
    ],
    "traffic": "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})",
    "identity": "",
    "device_posture": ""
  }'
```

```hcl
resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" {
  account_id     = var.cloudflare_account_id
  name           = "All-HTTP-ContentCategories-Blocklist"
  description    = "Block access to questionable content and potential security risks"
  precedence     = 40
  enabled        = true
  action         = "block"
  filters        = ["http"]
  traffic        = "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})"
  identity       = ""
  device_posture = ""
}
```

## Block unauthorized applications

Note

After seven days, view your [Shadow IT SaaS Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing.

To minimize the risk of [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/), some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:


| Selector    | Operator | Value                     | Action |
| ----------- | -------- | ------------------------- | ------ |
| Application | in       | _Artificial Intelligence_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-HTTP-Application-Blocklist",
    "description": "Limit access to shadow IT by blocking web-based tools and applications",
    "precedence": 60,
    "enabled": true,
    "action": "block",
    "filters": [
        "http"
    ],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": "",
    "device_posture": ""
  }'
```

```hcl
resource "cloudflare_zero_trust_gateway_policy" "all_http_application_blocklist" {
  account_id     = var.cloudflare_account_id
  name           = "All-HTTP-Application-Blocklist"
  description    = "Limit access to shadow IT by blocking web-based tools and applications"
  precedence     = 60
  enabled        = true
  action         = "block"
  filters        = ["http"]
  traffic        = "any(app.type.ids[*] in {25})"
  identity       = ""
  device_posture = ""
}
```

## Check user identity

Configure access on a per user or group basis by adding [identity-based conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to your policies.

| Selector         | Operator | Value         | Logic | Action |
| ---------------- | -------- | ------------- | ----- | ------ |
| Application      | in       | _Salesforce_  | And   | Block  |
| User Group Names | in       | _Contractors_ |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Check user identity",
    "description": "Block access to Salesforce by temporary employees and contractors",
    "enabled": true,
    "action": "block",
    "filters": ["http"],
    "traffic": "any(app.ids[*] in {606})",
    "identity": "any(identity.groups.name[*] in {\"Contractors\"})",
    "device_posture": ""
  }'
```

## Skip inspection for groups of applications

Certain client applications, such as Zoom or Apple services, rely on certificate pinning. These applications verify they are connecting directly to their own servers and will reject Gateway's TLS inspection certificate. To avoid connection errors, you must add a Do Not Inspect HTTP policy for these applications.

Gateway [evaluates Do Not Inspect policies first](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies), regardless of their position in the policy list. Cloudflare recommends moving your Do Not Inspect policies to the top of the list to reduce confusion.

| Selector    | Operator | Value            | Action         |
| ----------- | -------- | ---------------- | -------------- |
| Application | in       | _Do Not Inspect_ | Do Not Inspect |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Bypass incompatible applications",
    "description": "Skip TLS decryption for applications that are incompatible with Gateway",
    "enabled": true,
    "action": "off",
    "filters": ["http"],
    "traffic": "any(app.type.ids[*] in {16})",
    "identity": "",
    "device_posture": ""
  }'
```

Note

You can select either individual applications or the entire Do Not Inspect set, which will update as new applications are added.

## Check device posture

Require devices to have certain software installed or other configuration attributes. For instructions on setting up a device posture check, refer to [Enforce device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

### Enforce a minimum OS version

Perform an [OS version check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/) to ensure users are running at least a minimum version.

| Selector                     | Operator | Value                | Action |
| ---------------------------- | -------- | -------------------- | ------ |
| Passed Device Posture Checks | in       | _Minimum OS version_ | Allow  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Require OS version",
    "description": "Perform an OS version check for minimum version",
    "enabled": true,
    "action": "allow",
    "filters": ["http"],
    "traffic": "",
    "identity": "",
    "device_posture": "any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_UUID>\"})"
  }'
```

To get the UUIDs of your device posture checks, use the [List device posture rules](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint.

### Check for a specific file

Perform a [file check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/file-check/) to ensure users have a certain file on their device.

Since the file path will be different for each operating system, you can configure a file check for each system and use the **Or** logical operator to only require one of the checks to pass.

| Selector                     | Operator | Value              | Logic | Action |
| ---------------------------- | -------- | ------------------ | ----- | ------ |
| Passed Device Posture Checks | in       | _macOS File Check_ | Or    | Allow  |
| Passed Device Posture Checks | in       | _Linux File Check_ |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Check for specific file",
    "description": "Ensure users have a specific file on their device regardless of operating system",
    "enabled": true,
    "action": "allow",
    "filters": ["http"],
    "traffic": "",
    "identity": "",
    "device_posture": "any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_1_UUID>\"}) or any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_2_UUID>\"})"
  }'
```

To get the UUIDs of your device posture checks, use the [List device posture rules](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint.
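
The posture policies above take UUIDs, which you obtain from the list endpoint, so scripting them means resolving check names to UUIDs first. The following is an added example and not Cloudflare tooling: it resolves the two file-check names from the table to their UUIDs through the List device posture rules endpoint, builds the `Or` expression shown above, and creates the rule only if no rule with that name already exists. It assumes the endpoints `GET /accounts/{account_id}/devices/posture`, `GET /accounts/{account_id}/gateway/rules` and `POST /accounts/{account_id}/gateway/rules`, all returning the usual `{"success": ..., "result": ...}` envelope with `id` and `name` fields on each item; the HTTP transport is injected so the logic can be exercised offline with a fake.

```python
"""Create the 'Check for a specific file' HTTP policy as code.

Added example; not Cloudflare's own tooling. Assumed (labelled) API shape:
  GET  {API}/accounts/{account_id}/devices/posture   -> list of posture checks
  GET  {API}/accounts/{account_id}/gateway/rules     -> list of Gateway rules
  POST {API}/accounts/{account_id}/gateway/rules     -> create a Gateway rule
each returning {"success": bool, "result": ..., "errors": [...]}, with "id"
and "name" on every posture check and rule.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def http_transport(token):
    """Return call(method, url, body) -> dict that talks to the real API."""
    def call(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call


def posture_check_ids(call, account_id, names):
    """Map posture check display names to their UUIDs (assumed endpoint)."""
    resp = call("GET", f"{API}/accounts/{account_id}/devices/posture")
    by_name = {r["name"]: r["id"] for r in resp["result"]}
    missing = [n for n in names if n not in by_name]
    if missing:
        raise KeyError(f"posture checks not found: {missing}")
    return [by_name[n] for n in names]


def any_passed_expression(check_ids):
    """One any(...) clause per check, joined with Or, as on this page."""
    return " or ".join(
        f'any(device_posture.checks.passed[*] in {{"{cid}"}})' for cid in check_ids
    )


def build_http_rule(name, description, action, traffic="", identity="",
                    device_posture="", precedence=None):
    """Request body with the same shape as the page's curl examples."""
    rule = {
        "name": name, "description": description, "enabled": True,
        "action": action, "filters": ["http"], "traffic": traffic,
        "identity": identity, "device_posture": device_posture,
    }
    if precedence is not None:
        rule["precedence"] = precedence
    return rule


def ensure_rule(call, account_id, rule):
    """Idempotent create: reuse an existing rule with the same name.

    Returns (rule_id, created)."""
    url = f"{API}/accounts/{account_id}/gateway/rules"
    for existing in call("GET", url)["result"]:
        if existing["name"] == rule["name"]:
            return existing["id"], False
    resp = call("POST", url, rule)
    if not resp.get("success"):
        raise RuntimeError(f"create failed: {resp.get('errors')}")
    return resp["result"]["id"], True


if __name__ == "__main__":
    account = os.environ["ACCOUNT_ID"]
    call = http_transport(os.environ["CLOUDFLARE_API_TOKEN"])
    ids = posture_check_ids(call, account, ["macOS File Check", "Linux File Check"])
    rule = build_http_rule(
        "Check for specific file",
        "Ensure users have a specific file on their device regardless of operating system",
        "allow", device_posture=any_passed_expression(ids),
    )
    rule_id, created = ensure_rule(call, account, rule)
    print("created" if created else "already present", rule_id)
```

Resolving names at run time rather than pasting UUIDs keeps the policy definition portable between accounts, and the name-based existence check means re-running the script does not create duplicate rules.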

## Enforce session duration

[Require users to re-authenticate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/) after a certain amount of time has elapsed.

## Isolate high risk sites in remote browser

If you are using the [Browser Isolation add-on](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), refer to our list of [common Isolate policies](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#common-policies).

## Bypass inspection for self-signed certificates

When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption.

| Selector | Operator | Value                | Action         |
| -------- | -------- | -------------------- | -------------- |
| Domain   | in       | internal.example.com | Do Not Inspect |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Bypass internal site inspection",
    "description": "Bypass TLS decryption for internal sites with self-signed certificates",
    "enabled": true,
    "action": "off",
    "filters": ["http"],
    "traffic": "any(http.request.domains[*] in {\"internal.example.com\"})",
    "identity": "",
    "device_posture": ""
  }'
```

## Block file types

Block the upload or download of files based on their type.

| Selector            | Operator | Value                                   | Logic | Action |
| ------------------- | -------- | --------------------------------------- | ----- | ------ |
| Upload File Types   | in       | _Microsoft Office Word Document (docx)_ | And   | Block  |
| Download File Types | in       | _PDF (pdf)_                             |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block file types",
    "description": "Block the upload or download of files based on their type",
    "enabled": true,
    "action": "block",
    "filters": ["http"],
    "traffic": "any(http.upload.file.types[*] in {\"docx\"}) and any(http.download.file.types[*] in {\"pdf\"})",
    "identity": "",
    "device_posture": ""
  }'
```

For more information on supported file types, refer to [Download and Upload File Types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types).

## Isolate or block shadow IT applications

Isolate shadow IT applications discovered by the [Application Library](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/) that have not been reviewed yet or are currently under review, and block applications that are not approved by your organization.

For more information on reviewing shadow IT applications, refer to [Review applications](https://developers.cloudflare.com/cloudflare-one/team-and-resources/app-library/#review-applications).

### 1\. Isolate unreviewed or in review applications

Isolate applications if their approval status is _Unreviewed_ or _In review_.

| Selector           | Operator | Value        | Logic | Action  |
| ------------------ | -------- | ------------ | ----- | ------- |
| Application Status | is       | _Unreviewed_ | Or    | Isolate |
| Application Status | is       | _In review_  |       |         |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Isolate unreviewed or in review application status",
    "description": "Isolate Shadow IT applications that have not been reviewed or are in review in the Application Library",
    "enabled": true,
    "action": "isolate",
    "filters": ["http"],
    "traffic": "any(app.statuses[*] == \"unreviewed\") or any(app.statuses[*] == \"in review\")",
    "identity": "",
    "device_posture": ""
  }'
```

### 2\. Block unapproved applications

Block applications if their approval status is _Unapproved_.

| Selector           | Operator | Value        | Action |
| ------------------ | -------- | ------------ | ------ |
| Application Status | is       | _Unapproved_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block unapproved application status",
    "description": "Block Shadow IT applications that have been marked as unapproved in the Application Library",
    "enabled": true,
    "action": "block",
    "filters": ["http"],
    "traffic": "any(app.statuses[*] == \"unapproved\")",
    "identity": "",
    "device_posture": ""
  }'
```

## Block Google services

To enable Gateway inspection for Google Drive traffic, you must [add a Cloudflare certificate to Google Drive](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#google-drive).

### Block Google Drive downloads

Block file downloads from Google Drive.

| Selector         | Operator      | Value                      | Logic | Action |
| ---------------- | ------------- | -------------------------- | ----- | ------ |
| Application      | in            | _Google Drive_             | And   | Block  |
| URL Path & Query | matches regex | .\*(e=download\|export).\* |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block Google Drive downloads",
    "description": "Block file downloads from Google Drive",
    "enabled": true,
    "action": "block",
    "filters": ["http"],
    "traffic": "any(app.ids[*] in {554}) and http.request.uri.path_and_query matches \".*(e=download|export).*\"",
    "identity": "",
    "device_posture": ""
  }'
```

### Block Google Drive uploads

Block file uploads to Google Drive.

| Selector         | Operator      | Value                                | Logic | Action |
| ---------------- | ------------- | ------------------------------------ | ----- | ------ |
| Application      | in            | _Google Drive_                       | And   | Block  |
| Upload Mime Type | matches regex | .\*                                  | And   |        |
| Host             | is not        | drivefrontend-pa.clients6.google.com |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block Google Drive uploads",
    "description": "Block file uploads to Google Drive",
    "enabled": true,
    "action": "block",
    "filters": ["http"],
    "traffic": "any(app.ids[*] in {554}) and http.upload.mime matches \".*\" and not(http.request.host == \"drivefrontend-pa.clients6.google.com\")",
    "identity": "",
    "device_posture": ""
  }'
```

### Block Gmail downloads

Block file downloads from Gmail.

| Selector         | Operator | Value                                 | Logic | Action |
| ---------------- | -------- | ------------------------------------- | ----- | ------ |
| Host             | is       | mail-attachment.googleusercontent.com | And   | Block  |
| URL Path & Query | is       | /attachment/u/0                       |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block Gmail downloads",
    "description": "Block file downloads from Gmail",
    "enabled": true,
    "action": "block",
    "filters": ["http"],
    "traffic": "http.request.host == \"mail-attachment.googleusercontent.com\" and http.request.uri.path_and_query matches \"/attachment/u/0\"",
    "identity": "",
    "device_posture": ""
  }'
```

### Block Google Translate proxy

Block use of Google Translate to translate entire webpages.

When translating a website, Google Translate proxies webpages with the `translate.goog` domain. Your users may be able to use this service to bypass other Gateway policies. If you block `translate.goog`, users will still be able to access other Google Translate features.

| Selector | Operator      | Value                      | Action |
| -------- | ------------- | -------------------------- | ------ |
| Domain   | matches regex | ^(.+\\.)?translate\\.goog$ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block Google Translate for websites",
    "description": "Block use of Google Translate to translate entire webpages",
    "enabled": true,
    "action": "block",
    "filters": ["http"],
    "traffic": "any(http.request.domains[*] matches \"^(.+\\.)?translate\\.goog$\")",
    "identity": "",
    "device_posture": ""
  }'
```
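
Several of the policies in this section (Block file types, Block Google Drive downloads, and the Google Translate proxy rule above) hinge on regex anchoring and on how `and` versus `or` combine clauses. The following is an added example, not Cloudflare code: it re-implements the boolean logic of those three traffic expressions in plain Python and runs them over constructed sample requests, so you can see what each expression does and does not match before deploying it. It assumes that the `matches` operator behaves like an unanchored regex search (modelled here with `re.search`) and that the app ID `554` from the page identifies Google Drive; the `Request` dataclass is a constructed stand-in for the selectors Gateway evaluates.

```python
"""Plain-Python model of three HTTP policy expressions from this page.

Added example, not Cloudflare code. Gateway evaluates the real expressions;
this only reproduces their boolean logic over constructed requests so the
match behaviour can be checked. Assumption: 'matches' is an unanchored regex
search, modelled with re.search.
"""
import re
from dataclasses import dataclass, field

# Regexes copied verbatim from the page's policies.
TRANSLATE_PROXY = re.compile(r"^(.+\.)?translate\.goog$")
DRIVE_DOWNLOAD = re.compile(r".*(e=download|export).*")

GOOGLE_DRIVE_APP_ID = 554  # app.ids value used by the page's Drive policies


@dataclass
class Request:
    """Constructed stand-in for the selector values one HTTP request exposes."""
    domain: str
    path_and_query: str = "/"
    app_ids: set = field(default_factory=set)
    upload_file_types: set = field(default_factory=set)
    download_file_types: set = field(default_factory=set)


def is_translate_proxy(domain: str) -> bool:
    """'Block Google Translate proxy': translate.goog itself or any label
    prefix ending in a dot; the ^ and $ anchors reject hosts that merely
    contain the string (nottranslate.goog, translate.goog.example.com)."""
    return TRANSLATE_PROXY.search(domain) is not None


def is_drive_download(req: Request) -> bool:
    """'Block Google Drive downloads': Application in {Google Drive} AND
    URL Path & Query matches .*(e=download|export).* (unanchored, so the
    leading/trailing .* are redundant but harmless)."""
    return (GOOGLE_DRIVE_APP_ID in req.app_ids
            and DRIVE_DOWNLOAD.search(req.path_and_query) is not None)


def blocks_file_types_and(req: Request) -> bool:
    """'Block file types' exactly as written on the page: a docx upload AND a
    pdf download must both be present in the same request."""
    return "docx" in req.upload_file_types and "pdf" in req.download_file_types


def blocks_file_types_or(req: Request) -> bool:
    """Variant joined with Or: either direction on its own is enough."""
    return "docx" in req.upload_file_types or "pdf" in req.download_file_types


if __name__ == "__main__":
    for host in ["translate.goog", "example-com.translate.goog",
                 "translate.google.com", "nottranslate.goog"]:
        print(f"{host:30} translate proxy: {is_translate_proxy(host)}")
    up = Request("docs.example.com", "/upload", upload_file_types={"docx"})
    print("docx upload only, And policy:", blocks_file_types_and(up))
    print("docx upload only, Or policy: ", blocks_file_types_or(up))
```

Running it shows the point of the two file-type variants: a request that only uploads a `.docx` is not matched by the `And` expression, because both clauses must hold for the same request, while the `Or` variant matches it. Choose the combinator that reflects the intent of the policy.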

## Filter WebSocket traffic

Gateway does not inspect or log [WebSocket ↗](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code.

| Selector      | Operator | Value                      | Action |
| ------------- | -------- | -------------------------- | ------ |
| HTTP Response | is       | _101 SWITCHING\_PROTOCOLS_ | Allow  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Filter WebSocket",
    "description": "Filter WebSocket traffic with HTTP response code 101",
    "enabled": true,
    "action": "allow",
    "filters": ["http"],
    "traffic": "http.response.status_code == 101",
    "identity": "",
    "device_posture": ""
  }'
```


---

---
title: File sandboxing
description: How File sandboxing works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# File sandboxing

Note

Available as an add-on to Zero Trust Enterprise plans. For more information, contact your account team.

In addition to [anti-virus (AV) scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware.

When a file download passes AV scanning without a malware detection, Gateway quarantines the file in the [sandbox](#sandbox-environment). If the file has not been downloaded before, Gateway monitors the file's behavior and compares it to known malware patterns. During this process, Gateway displays an interstitial page in the user's browser. If the sandbox does not detect malicious activity, Gateway releases the file and downloads it to the user's device. If the sandbox detects malicious activity, Gateway blocks the download. For any subsequent downloads of the same file, Gateway remembers and applies its previous allow/block decision.

Gateway will log any file sandbox decisions in your [HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#http-logs).

```mermaid
flowchart TD
    A(["User starts file download"]) --> B["File sent to AV scanner"]
    B --> C["Malicious file detected?"]
    C -- Yes --> D["Download blocked"]
    C -- No --> G["File sent to sandbox"]
    G --> n1["First time file downloaded?"]
    K["Malicious activity detected?"] -- Yes --> N["Download blocked"]
    K -- No --> n3["Download allowed"]
    n2["Interstitial page displayed for user during scan"] --> n4["File activity monitored"]
    n1 -- Yes --> n2
    n4 --> K
    n1 -- No --> K

    B@{ shape: subproc}
    C@{ shape: hex}
    D@{ shape: terminal}
    n1@{ shape: hex}
    K@{ shape: hex}
    N@{ shape: terminal}
    n3@{ shape: terminal}
    n2@{ shape: display}
    n4@{ shape: rect}
    style D stroke:#D50000
    style N stroke:#D50000
    style n3 stroke:#00C853
```

## Get started

To begin quarantining downloaded files, turn on file sandboxing:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Policy settings**, turn on **Open previously unseen files in a sandbox environment**.
3. (Optional) To block requests containing [non-scannable files](#non-scannable-files), select **Block requests for files that cannot be scanned**.

You can now create [Quarantine HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#quarantine) to determine what files to scan in the sandbox.

## Create test policy

To test if file sandboxing is working, you can create a Quarantine policy that matches the [Cloudflare Sandbox Test ↗](https://sandbox.cloudflaredemos.com/):

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Select **Add a policy**.
3. Add the following expression:  
| Selector | Operator | Value                       | Action     |  
| -------- | -------- | --------------------------- | ---------- |  
| Host     | is       | sandbox.cloudflaredemos.com | Quarantine |
4. In **Sandbox file types**, select _ZIP Archive (zip)_.
5. From a device [connected to your Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/), open a browser and go to the [Cloudflare Sandbox Test ↗](https://sandbox.cloudflaredemos.com/).
6. Select **Download Test File**.

Gateway will quarantine and scan the file, display an interstitial status page in the browser, then release the file for download.

## Sandbox environment

Gateway executes quarantined files in a sandboxed Windows operating system environment. Using machine learning, the sandbox compares how a file behaves with how files of that type are expected to behave. The sandbox detects file actions down to the kernel level and compares them against a real-time malware database. In addition, Gateway checks the sandbox's network activity for malicious behavior and data exfiltration.

## Compatibility

### Supported file types

File sandboxing supports scanning the following file types:

* `.exe`
* `.pdf`
* `.doc`
* `.docm`
* `.docx`
* `.rtf`
* `.ppt`
* `.pptx`
* `.xls`
* `.xlsm`
* `.xlsx`
* `.zip`
* `.rar`

### Non-scannable files

Gateway cannot scan requests containing the following files:

* Files larger than 100 MB
* PGP encrypted files


---

---
title: Application Granular Controls
description: How Application Granular Controls works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Application Granular Controls

With Application Granular Controls, you can create [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application.

## Prerequisites

To use Application Granular Controls, you must:

* Install a [Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on your users' devices.
* Turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/).
* Turn on the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy).
* (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection).
* (Optional) To turn on [AI prompt logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content), create a [DLP payload encryption public key](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key).

## Create a policy with Application Granular Controls

To create a Gateway HTTP policy with Application Granular Controls:


1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. Because granular controls are specific to each application, you must use the _Application_ selector with the _is_ operator.
5. In **Value**, select your desired application.
6. In **Controls**, choose one or more Application Controls or individual Operations. For example, you can create a policy to block file uploads to ChatGPT:  
| Selector    | Operator | Value     | Controls | Action |  
| ----------- | -------- | --------- | -------- | ------ |  
| Application | is       | _ChatGPT_ | _Upload_ | Block  |
7. Select **Create policy**.

Use the [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) endpoint to create a policy. For example, you can create a policy to block file uploads to ChatGPT:

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block ChatGPT uploads",
    "description": "Block file uploads to ChatGPT while allowing other usage",
    "enabled": true,
    "action": "block",
    "filters": ["http"],
    "traffic": "any(app.ids[*] == 1199) and any(app_control.controls[*] in {1653})",
    "identity": "",
    "device_posture": ""
  }'
```

For more information, refer to [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/).

## Control definitions

Gateway defines Application Granular Controls at different levels of granularity, including Application Controls and Operations.

### Application Controls

Application Controls are pre-defined controls that represent user intent, such as uploads or downloads. Cloudflare organizes sets of related operations into Application Controls for each supported application. Use Application Controls when a pre-defined grouping matches your intent.

### Operations

Operations are the individual API-level actions that an application uses. Use Operations for more fine-grained control than Application Controls provide — for example, blocking only certain types of downloads or blocking comments where no Application Control exists. Because each SaaS application uses a unique set of operations with its own scope and behaviors, operation-level controls may require analysis for each use case.

Cloudflare provides Operations based on the [available APIs for an application](#application-apis). For more information on how Operations map to [Application Controls](#application-controls), refer to [Compatible applications](#compatible-applications).

#### Operation Groups

Operation Groups are groupings of operations defined by the application vendor. Operation Groups are typically based on a categorization of the different functional areas of the application, such as signature requests, or the entities that the application defines, such as files or folders. These definitions vary by application. Gateway groups operations into these operation groups to match the operations with the corresponding vendor API documentation.

### DLP payloads

You can use Application Granular Controls with [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) for operations that contain scannable content. This includes operations that contain the content of uploaded or downloaded files or AI prompts. For example, when a user performs a file upload, a sequence of API operations may result, such as setting up the file metadata, uploading the file content, and finalizing the upload. When applying DLP to your Zero Trust traffic, it can be helpful to specifically target an operation that contains file content.

## Application APIs

SaaS applications typically provide multiple APIs to interact with. For each application, Application Granular Controls may support the following API types:

* Web Application API: These APIs are consumed by the web application that users interact with through their browser.
* Platform API: These APIs are exposed to users to allow for programmatic interaction with the SaaS application. These are typically used by automations, scripts, or other applications.

[Application Controls](#application-controls) include Operations of both API types. If both API types are available when creating HTTP policies using [Operations](#operations), you should select the Operations that align to the API being used, or include both for wider coverage.

## Compatible applications

Application Granular Controls supports the following applications:

Artificial Intelligence

* ChatGPT
* Google Gemini
* Perplexity
* Claude

File Sharing

* Box
* Dropbox
* Google Drive
* WeTransfer
* Hightail
* ShareFile
* Smash


---

---
title: HTTP/3 inspection
description: How HTTP/3 inspection works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# HTTP/3 inspection

HTTP/3 uses the QUIC protocol over UDP instead of TCP. Because Gateway's default proxy only handles TCP traffic, HTTP/3 inspection requires turning on the UDP proxy. Without it, HTTP/3 traffic bypasses HTTP inspection. [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) still apply to the underlying UDP traffic.

Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#http3-traffic).

## Turn on HTTP/3 inspection

Before you can inspect any HTTPS traffic, you must deploy a [user-side certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) to your devices and turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/). To inspect HTTP/3 traffic, you must also turn on the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/) for UDP.

To turn on the Gateway proxy for UDP and TLS decryption:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection**, turn on **Allow Secure Web Gateway to proxy traffic**.
3. Select **TCP** and **UDP**.
4. Turn on **TLS decryption**.

### Application limitations

Gateway can inspect HTTP/3 traffic from Mozilla Firefox and Microsoft Edge by establishing an HTTP/3 proxy connection. Gateway will then terminate the HTTP/3 connection, decrypt and inspect the traffic, and connect to the destination server over HTTP/2. Gateway can also inspect other HTTP applications, such as cURL.

If both the UDP proxy and TLS decryption are turned on, Google Chrome will automatically cancel HTTP/3 connections and retry them over HTTP/2, which Gateway can inspect. If either the UDP proxy or TLS decryption is turned off, HTTP/3 traffic from Chrome bypasses inspection entirely.

Warning

If you do not turn on the UDP proxy, HTTP/3 traffic from browsers other than Chrome will bypass HTTP policy enforcement. Network policies still apply.

## Exempt HTTP/3 traffic from inspection

If you require HTTP/3 traffic with end-to-end encryption from the client to the origin while still using the Gateway proxy, you can create a [Do Not Inspect HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to match the desired traffic. Using a Do Not Inspect policy allows HTTP/3 traffic to preserve proxy performance and end-to-end encryption by bypassing Gateway's TLS decryption and inspection.

## Force HTTP/2 traffic

To apply Gateway policies to HTTP traffic without turning on the UDP proxy, you must turn off QUIC in your users' browsers to ensure only HTTP/2 traffic reaches Gateway.

Google Chrome

1. Go to `chrome://flags`.
2. Set **Experimental QUIC protocol** to _Disabled_.
3. Relaunch Chrome.

Safari

You cannot turn off QUIC in Safari. All traffic will be sent over HTTP/3.

Firefox

1. Go to `about:config`.
2. If you receive a warning, select **Accept the Risk and Continue**.
3. Set **network.http.http3.enable** to _false_.
4. Relaunch Firefox.

Microsoft Edge

1. Go to `edge://flags`.
2. Set **Experimental QUIC protocol** to _Disabled_.
3. Relaunch Edge.


---

---
title: Tenant control
description: Tenant control in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Tenant control

Tenant control allows your users to access corporate SaaS applications while blocking access to personal accounts on the same service. For example, you can allow access to your company's Google Workspace while blocking personal Gmail logins.

Gateway implements tenant control by injecting custom HTTP headers into matching requests. These headers tell the SaaS application which tenant (organization) is authorized. If the user attempts to authenticate with a personal account, the SaaS application reads the header and rejects the request.

## Add custom headers for a SaaS application

To create an HTTP policy with custom headers:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Select **Add a policy**.
3. Build an expression to match the SaaS traffic you want to control.
4. In **Action**, select _Allow_. In **Untrusted certificate action**, select _Block_.
5. Under **Add headers to matched requests**, select **Add a header**.
6. Add any custom header names and values corresponding to your [SaaS application](#common-policy-configurations).
7. Select **Create policy**.

Your policy is now displayed in your list of HTTP policies. When your users attempt to authenticate to your configured SaaS application with a personal account, authentication will fail.

### Verify custom headers

If you save a HAR (HTTP Archive) file from a browser to analyze your web traffic, custom headers defined with Gateway will not appear in the file. This is because Gateway injects the header after the request leaves the browser.

To verify Gateway is applying a custom header:

1. In your policy with custom headers, add a selector to match traffic for [HTTPBin ↗](https://httpbin.org/), an open-source site for testing HTTP requests. For example:  
| Selector    | Operator | Value              | Logic | Action | Untrusted certificate action |  
| ----------- | -------- | ------------------ | ----- | ------ | ---------------------------- |  
| Application | in       | _Google Workspace_ | And   | Allow  | Block                        |  
| Domain      | in       | httpbin.org        |       |        |                              |
2. On your device, go to [httpbin.org/anything ↗](https://httpbin.org/anything). Your custom header will appear in the list of headers.
3. (Optional) Remove the HTTPBin expression from your policy.

## Common policy configurations

Depending on which SaaS application your organization needs access to, different tenant control policies are required.

### Microsoft 365

Microsoft 365 tenant control requires two policies. When you order your policies, make sure they follow [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence).

| Precedence | Selector | Operator | Value          | Action | Untrusted certificate action |
| ---------- | -------- | -------- | -------------- | ------ | ---------------------------- |
| 1          | Domain   | is       | login.live.com | Allow  | Block                        |

| Custom header name                | Custom header value |
| --------------------------------- | ------------------- |
| Sec-Restrict-Tenant-Access-Policy | restrict-msa        |

| Precedence | Selector    | Operator | Value                 | Action | Untrusted certificate action |
| ---------- | ----------- | -------- | --------------------- | ------ | ---------------------------- |
| 2          | Application | in       | _Microsoft Office365_ | Allow  | Block                        |

| Custom header name                                  | Custom header value        |
| --------------------------------------------------- | -------------------------- |
| Restrict-Access-To-Tenants, Restrict-Access-Context | Your organization's domain |

For more information, refer to the [Microsoft Entra ID documentation ↗](https://learn.microsoft.com/entra/identity/enterprise-apps/tenant-restrictions).

### Google Workspace

| Selector    | Operator | Value              | Action | Untrusted certificate action |
| ----------- | -------- | ------------------ | ------ | ---------------------------- |
| Application | in       | _Google Workspace_ | Allow  | Block                        |

| Custom header name         | Custom header value        |
| -------------------------- | -------------------------- |
| X-GoogApps-Allowed-Domains | Your organization's domain |

For more information, refer to the [Google Workspace documentation ↗](https://support.google.com/a/answer/1668854).

### Slack

| Selector    | Operator | Value   | Action | Untrusted certificate action |
| ----------- | -------- | ------- | ------ | ---------------------------- |
| Application | in       | _Slack_ | Allow  | Block                        |

| Custom header name                                               | Custom header value           |
| ---------------------------------------------------------------- | ----------------------------- |
| X-Slack-Allowed-Workspaces-Requester, X-Slack-Allowed-Workspaces | Your organization's workspace |

For more information, refer to the [Slack documentation ↗](https://slack.com/help/articles/360024821873-Approve-Slack-workspaces-for-your-network).

### Dropbox

| Selector    | Operator | Value     | Action | Untrusted certificate action |
| ----------- | -------- | --------- | ------ | ---------------------------- |
| Application | in       | _Dropbox_ | Allow  | Block                        |

| Custom header name         | Custom header value    |
| -------------------------- | ---------------------- |
| X-Dropbox-allowed-Team-Ids | Your organization's ID |

For more information, refer to the [Dropbox documentation ↗](https://help.dropbox.com/security/network-control).

### ChatGPT

| Selector    | Operator | Value     | Action | Untrusted certificate action |
| ----------- | -------- | --------- | ------ | ---------------------------- |
| Application | in       | _ChatGPT_ | Allow  | Block                        |

| Custom header name           | Custom header value              |
| ---------------------------- | -------------------------------- |
| Chatgpt-Allowed-Workspace-Id | Your organization's workspace ID |

For more information, refer to the [OpenAI documentation ↗](https://help.openai.com/articles/8798594-what-is-a-workspace-how-do-i-access-my-chatgpt-business-workspace).

## Exempt users in Cloudflare WAF

You can include custom headers in an HTTP policy to allow your users through [Cloudflare WAF](https://developers.cloudflare.com/waf/). This is useful for allowing only Cloudflare One Client users through your WAF.

1. Create an Allow policy for an internal domain behind your WAF with a custom header.

   | Selector | Operator | Value           | Action |
   | -------- | -------- | --------------- | ------ |
   | Domain   | in       | internalapp.com | Allow  |

   | Custom header name | Custom header value |
   | ------------------ | ------------------- |
   | X-Example-Header   | example-value       |

2. In Cloudflare WAF, [create a custom rule](https://developers.cloudflare.com/waf/custom-rules/) to [require the same HTTP header](https://developers.cloudflare.com/waf/custom-rules/use-cases/require-specific-headers/#example-2-require-http-header-with-a-specific-value).
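The following Python is an added example, not Cloudflare's or any SaaS vendor's code. It models the receiving end of both mechanisms on this page: a login endpoint honouring an injected tenant header such as `X-GoogApps-Allowed-Domains` (from the tables above) and the WAF custom rule that requires a specific header value. The request dictionaries are constructed samples, and how a receiver interprets the header is an assumption made for illustration.

```python
import hmac

# Header names come from the tables above; the receiving-side logic is an
# assumption about how a SaaS login endpoint or WAF rule should treat them.
GOOGLE_TENANT_HEADER = "X-GoogApps-Allowed-Domains"
WAF_HEADER = "X-Example-Header"   # placeholder name used in the WAF example


def get_header(headers, name):
    """Look up a header case-insensitively. HTTP header names are
    case-insensitive, and Gateway policies may be typed in any case (the
    mixed-case X-Dropbox-allowed-Team-Ids in the table above, for instance)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def listed_tenants(headers, name):
    """Parse a comma-separated tenant list such as 'example.com, example.org'."""
    value = get_header(headers, name)
    if value is None:
        return set()
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def tenant_login_allowed(headers, name, account_tenant):
    """Decide a login attempt the way a header-aware SaaS endpoint does.

    No header means the request never passed through Gateway, so the
    service applies no restriction. That is why the control only covers
    devices whose traffic is actually proxied.
    """
    if get_header(headers, name) is None:
        return True
    return account_tenant.lower() in listed_tenants(headers, name)


def waf_rule_matches(headers, name, expected_value):
    """The WAF custom rule from the section above: require the header with
    a specific value. The value acts as a shared secret between Gateway and
    the WAF, so compare it in constant time and choose one that cannot be
    guessed rather than the literal 'example-value' placeholder."""
    value = get_header(headers, name)
    return value is not None and hmac.compare_digest(value, expected_value)


# Constructed requests as the origin sees them. The injected header exists
# only on the proxied request; a browser HAR file never shows it.
PROXIED = {"Host": "accounts.google.com",
           "x-googapps-allowed-domains": "example.com, example.org"}
UNPROXIED = {"Host": "accounts.google.com"}
WAF_OK = {"Host": "internalapp.com", "X-Example-Header": "example-value"}
WAF_MISSING = {"Host": "internalapp.com"}


def run_checks():
    """Return the allow/block decision for each constructed request."""
    return {
        "corp_via_gateway": tenant_login_allowed(PROXIED, GOOGLE_TENANT_HEADER, "example.com"),
        "personal_via_gateway": tenant_login_allowed(PROXIED, GOOGLE_TENANT_HEADER, "gmail.com"),
        "personal_unproxied": tenant_login_allowed(UNPROXIED, GOOGLE_TENANT_HEADER, "gmail.com"),
        "waf_with_header": waf_rule_matches(WAF_OK, WAF_HEADER, "example-value"),
        "waf_without_header": waf_rule_matches(WAF_MISSING, WAF_HEADER, "example-value"),
    }


if __name__ == "__main__":
    for label, decision in run_checks().items():
        print(f"{label}: {'allow' if decision else 'block'}")
```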

## Use tenant control with Browser Isolation

You can configure [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) to send custom headers. This is useful for implementing tenant control for isolated SaaS applications or sending arbitrary custom request headers to isolated websites.

To use custom headers with Browser Isolation, create two HTTP policies targeting the same domain or application group. For example, you can create policies for [HTTPBin ↗](https://httpbin.org/), an open-source site for testing HTTP requests:

1. Create an Isolate policy for `httpbin.org`.

   | Selector | Operator | Value       | Action  |
   | -------- | -------- | ----------- | ------- |
   | Domain   | in       | httpbin.org | Isolate |

2. Create an Allow policy for `httpbin.org` with a custom header.

   | Selector | Operator | Value       | Action |
   | -------- | -------- | ----------- | ------ |
   | Domain   | in       | httpbin.org | Allow  |

   | Custom header name | Custom header value |
   | ------------------ | ------------------- |
   | Example-Header     | example-value       |

3. Go to [httpbin.org/anything ↗](https://httpbin.org/anything). Cloudflare will render the site in an isolated browser. Your custom header will appear in the list of headers.


---

---
title: TLS decryption
description: How TLS decryption works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# TLS decryption

Cloudflare Gateway can perform [SSL/TLS decryption ↗](https://www.cloudflare.com/learning/security/what-is-https-inspection/) to inspect HTTPS traffic for malware and other security risks. TLS decryption is required for HTTP policies to inspect HTTPS traffic. Without it, information contained within HTTPS encryption, such as the full URL, headers, and request body, [will not be visible to Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect).

When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/).

Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](https://developers.cloudflare.com/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](https://developers.cloudflare.com/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/).

Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3.

## Turn on TLS decryption

Prerequisite

Before you turn on TLS decryption, ensure you have installed either a [Cloudflare-generated certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) or [custom certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on your users' devices.

To turn on TLS decryption:

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection**, turn on **Inspect HTTPS requests with TLS decryption**.

Terraform (v5)

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):
   * `Zero Trust Write`
2. Configure the `tls_decrypt` argument in [cloudflare\_zero\_trust\_gateway\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings):

```hcl
resource "cloudflare_zero_trust_gateway_settings" "team_name" {
  account_id = var.cloudflare_account_id
  settings = {
    tls_decrypt = {
      enabled = true
    }
  }
}
```

## Inspection limitations

Gateway does not support TLS decryption for applications which use:

* [Certificate pinning](#incompatible-certificates)
* [Self-signed certificates](#incompatible-certificates)
* [Mutual TLS (mTLS) authentication](#incompatible-certificates)
* [ESNI and ECH handshake encryption](#esni-and-ech)
* [Automatic HTTPS upgrades](#google-chrome-automatic-https-upgrades)

### Inspect on all ports

By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`.

To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, you can turn on [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).

### Incompatible certificates

Applications that use certificate pinning and mTLS authentication do not trust Cloudflare certificates. For example, most mobile applications use [certificate pinning](https://developers.cloudflare.com/ssl/reference/certificate-pinning/). Cloudflare does not trust applications that use self-signed certificates instead of certificates signed by a public CA.

If you try to perform TLS decryption on an application with an incompatible certificate configuration, the application may return an SSL or trust error and/or fail to load. To resolve this issue, you can:

* Add a [Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to supported applications.
* Create a [Do Not Inspect policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. Note that if you create a Do Not Inspect policy for an application or website, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning.
* Configure a [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) in Include mode to ensure Gateway will only inspect traffic destined for your IPs or domains. This is useful for organizations that deploy Zero Trust on users' personal devices or otherwise expect personal applications to be used.

Alternatively, to allow HTTP filtering while accessing a site with an insecure certificate, set your [Untrusted certificate action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) to _Pass through_.

### Google Chrome automatic HTTPS upgrades

Google Chrome can automatically upgrade HTTP requests to HTTPS requests, even when you select a link that explicitly declares `http://`. When you use Gateway to proxy and filter your traffic, this upgrade can interrupt the connection between your Zero Trust users and Gateway.

You can turn off automatic HTTPS upgrades via a Gateway pass through policy, a Chrome browser flag, or a Chrome Enterprise policy.

Pass through policy

To disable automatic HTTPS upgrades for a URL across your Zero Trust organization, create a Gateway pass through policy.

1. Deploy a [custom root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/).
2. Create an [HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to match the domain of the URL being automatically upgraded. For example:  
| Selector | Operator | Value       | Action |  
| -------- | -------- | ----------- | ------ |  
| URL      | in       | example.com | Allow  |
3. In **Untrusted certificate action**, choose _Pass through_.
4. Select **Create policy**.

The pass through policy will bypass insecure connection upgrades for any device connected to your Zero Trust organization. For more information, refer to [Untrusted certificates](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates).

Chrome browser flag

To disable automatic HTTPS upgrades on a per-browser basis, go to [Chrome flags](chrome://flags/#https-upgrades) and turn off **HTTPS Upgrades**.

Chrome Enterprise policy

Chrome Enterprise users can turn off automatic HTTPS upgrades for all URLs with a [HttpsUpgradesEnabled management policy ↗](https://chromeenterprise.google/policies/#HttpsUpgradesEnabled).

### Mutual TLS (mTLS)

In mutual TLS (mTLS), both the client and server present certificates to verify each other's identity. When Gateway decrypts TLS traffic, it terminates the connection from the client and creates a new connection to the origin server. Because Gateway cannot forward the client's certificate to the origin, the mTLS handshake fails. To prevent connection failures, create a [Do Not Inspect policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for this traffic.

### ESNI and ECH

Websites that adhere to [ESNI or Encrypted Client Hello (ECH) standards ↗](https://blog.cloudflare.com/encrypted-client-hello/) encrypt the Server Name Indication (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. Gateway relies on the SNI to match an HTTP request to a policy — if the SNI is encrypted, Gateway cannot determine which policy to apply. If the ECH fails, browsers will retry the TLS handshake using the unencrypted SNI from the initial request. To avoid this behavior, you can disable ECH in your users' browsers.

You can still apply all [network policy filters](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#selectors) except for SNI and SNI Domain. To restrict ESNI and ECH traffic, an option is to filter out all port `80` and `443` traffic that does not include an SNI header.
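As an added example (not Cloudflare's code), the Python below parses a TLS ClientHello the way an inspecting proxy has to: it extracts the plaintext `server_name` extension that Gateway matches policies on and flags the `encrypted_client_hello` extension that hides the real destination. The ClientHello bytes are constructed samples with a placeholder ECH payload, and the visibility rule at the end is a model of the behaviour described above, not Gateway's implementation.

```python
import struct

SNI_EXT = 0x0000   # server_name
ECH_EXT = 0xFE0D   # encrypted_client_hello (draft codepoint used by current browsers)


def parse_client_hello(record):
    """Return {'sni': str or None, 'ech': bool, 'extensions': [types]} for a
    TLS record carrying a ClientHello. Raises ValueError on anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + hello[pos]                          # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + hello[pos]                          # legacy_compression_methods
    result = {"sni": None, "ech": False, "extensions": []}
    if pos >= len(hello):
        return result                              # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        result["extensions"].append(ext_type)
        if ext_type == SNI_EXT:
            # ServerNameList: 2-byte length, then entries of type(1) length(2) name
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:                 # host_name
                    result["sni"] = data[q:q + name_len].decode("ascii")
                q += name_len
        elif ext_type == ECH_EXT:
            result["ech"] = True
    return result


def sni_visible_to_proxy(record):
    """Apply the rule described above: HTTP policy matching needs a readable SNI.

    With ECH the outer server_name is only the ECH provider's public name; the
    real destination sits in the encrypted inner hello, so the flow is reported
    as not matchable and is left to network policies.
    """
    info = parse_client_hello(record)
    if info["ech"]:
        return False, "ECH present: outer SNI is a public name, not the destination"
    if info["sni"] is None:
        return False, "no SNI: HTTP policies cannot match, network policies still apply"
    return True, "SNI " + info["sni"] + ": HTTP policy matching possible"


def build_client_hello(server_name=None, ech=False):
    """Construct a minimal, well-formed ClientHello record as test input
    (constructed sample; the ECH payload is zero bytes, not real ECH)."""
    exts = b""
    if server_name:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
    if ech:
        ech_body = bytes(8)
        exts += struct.pack("!HH", ECH_EXT, len(ech_body)) + ech_body
    hello = (b"\x03\x03" + bytes(32)               # legacy_version, random
             + b"\x00"                              # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"   # one suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00")                         # compression: null only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for sample in (build_client_hello("example.com"),
                   build_client_hello("ech-public.example", ech=True),
                   build_client_hello()):
        print(sni_visible_to_proxy(sample))
```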

## Post-quantum support

Gateway supports post-quantum cryptography using a hybrid key exchange with X25519 and MLKEM768 over TLS 1.3. Once the key exchange is complete, Gateway uses AES-128-GCM to encrypt traffic.

Refer to [Post-quantum cryptography](https://developers.cloudflare.com/ssl/post-quantum-cryptography/) to learn more.

## FIPS compliance

By default, TLS decryption can use both TLS versions 1.2 and 1.3. However, some environments such as FedRAMP may require cipher suites and TLS versions compliant with FIPS 140-2. FIPS compliance currently requires TLS version 1.2.

### Enable FIPS compliance

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection**, turn on **Inspect HTTPS requests with TLS decryption**.
3. Select **Enable only cipher suites and TLS versions compliant with FIPS 140-2**.

Terraform (v5)

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):
   * `Zero Trust Write`
2. Configure the `tls_decrypt` argument in [cloudflare\_zero\_trust\_gateway\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings):

```hcl
resource "cloudflare_zero_trust_gateway_settings" "team_name" {
  account_id = var.cloudflare_account_id
  settings = {
    tls_decrypt = {
      enabled = true
    }
  }
}
```

### Limitations

When FIPS compliance is enabled, Gateway will only choose [FIPS-compliant cipher suites](#cipher-suites) when connecting to the origin. If the origin does not support FIPS-compliant ciphers, the request will fail.

FIPS-compliant traffic defaults to [HTTP/3](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/). To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection).

## FedRAMP compliance

When you use [Cloudflare Regional Services](https://developers.cloudflare.com/data-localization/regional-services/) in the United States and the Cloudflare One Client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic.

```mermaid
flowchart LR
 %% Accessibility
 accTitle: How Gateway routes FedRAMP compliant traffic with Regional Services
 accDescr: Flowchart describing how the Cloudflare One Client with Gateway routes traffic to egress from a FedRAMP compliant data center when used with Regional Services in the United States.

 %% Flowchart
 subgraph s1["Non-FedRAMP data center"]
        n2["WARP TLS encryption terminated"]
  end
 subgraph s2["FedRAMP data center"]
        n3["Gateway TLS encryption (FIPS) terminated"]
  end
 subgraph s3["Private internal network"]
        n5["FedRAMP compliant cloudflared"]
        n6(["Private server"])
  end
    n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS (MASQUE) --> n2
    n2 -- Gateway TLS connection --> n3
    n3 <-- FIPS tunnel --> n5
    n5 --> n6

    n5@{ shape: rect}
```

## Cipher suites

A cipher suite is a set of encryption algorithms for establishing a secure communications connection. There are several cipher suites in wide use, and a client and server agree on the cipher suite to use when establishing the TLS connection. Support of multiple cipher suites allows compatibility across various clients.

The following table lists the default cipher suites Gateway uses for TLS decryption.

| Name (OpenSSL)                | Name (IANA)                                    | FIPS-compliant |
| ----------------------------- | ---------------------------------------------- | -------------- |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | ✅              |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | ✅              |
| ECDHE-RSA-AES128-GCM-SHA256   | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256   | ✅              |
| ECDHE-RSA-AES256-GCM-SHA384   | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384   | ✅              |
| ECDHE-RSA-AES128-SHA          | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256   | ❌              |
| ECDHE-RSA-AES256-SHA384       | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384   | ✅              |
| AES128-GCM-SHA256             | TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256          | ✅              |
| AES256-GCM-SHA384             | TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384          | ✅              |
| AES128-SHA                    | TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA             | ❌              |
| AES256-SHA                    | TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA             | ❌              |

For more information on cipher suites, refer to [Cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/).


---

---
title: Identity-based policies
description: Reference information for Identity-based policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Identity-based policies

With Cloudflare One, you can create Secure Web Gateway policies that filter outbound traffic down to the user identity level. To do that, you can build DNS, HTTP or Network policies using a set of [identity-based selectors](#identity-based-selectors). These selectors require you to deploy the Cloudflare One Client in [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/).

For example, you can create different security rules for different teams — block social media for contractors but allow it for marketing.

You may also filter outbound traffic based on additional signals from [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

## Gateway identity checks

Gateway checks identity when a user logs in or re-authenticates. To check your users' identities and require re-authentication at regular intervals, you can [enforce a Cloudflare One Client session duration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).

Warning

Unless you use an [identity provider (IdP) that supports SCIM provisioning](#automatic-scim-idp-updates), Gateway will not detect when you add or remove a user from a group in your IdP until the user re-authenticates to your Zero Trust instance.

There are two ways a user can re-authenticate:

* Log out from an Access-protected application and log back in.
* In the Cloudflare One Client, re-authenticate the session by going to **Profile** \> **Account information** \> **Re-authenticate** [1](#user-content-fn-1). This will open a browser window and prompt the user to log in.

To view the identity that Gateway will use when evaluating policies, check the [user registry](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/).

### Automatic SCIM IdP updates

Gateway will automatically detect changes in user name, title, and group membership for IdPs configured with System for Cross-domain Identity Management (SCIM) provisioning. For more information, refer to [SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/).

### Extended email addresses

Extended email addresses (also known as plus addresses) are variants of an existing email address with `+` or `.` modifiers. Many email providers, such as Gmail and Outlook, deliver emails intended for an extended address to its original address. For example, providers will deliver emails sent to `contact+123@example.com` or `con.tact@example.com` to `contact@example.com`.

By default, whether Gateway matches only the exact address or also its extended variants depends on the policy type and the action. Read the tables with allowlisting in mind: an Allow never widens to variants on its own, while a Block catches a user who signs in with a plus-tagged or dotted variant of a blocked address.

DNS policies

| Action             | Behavior                             |
| ------------------ | ------------------------------------ |
| Allow              | Match exact address only             |
| Block              | Match exact address and all variants |
| Override           | Match exact address and all variants |
| Safe Search        | Match exact address and all variants |
| YouTube Restricted | Match exact address and all variants |

Network policies

| Action           | Behavior                             |
| ---------------- | ------------------------------------ |
| Allow            | Match exact address only             |
| Audit SSH        | Match exact address and all variants |
| Block            | Match exact address and all variants |
| Network Override | Match exact address only             |

HTTP policies

| Action         | Behavior                             |
| -------------- | ------------------------------------ |
| Allow          | Match exact address only             |
| Block          | Match exact address and all variants |
| Do Not Inspect | Match exact address only             |
| Do Not Isolate | Match exact address only             |
| Do Not Scan    | Match exact address only             |
| Isolate        | Match exact address and all variants |

Other policies

| Policy type     | Behavior                 |
| --------------- | ------------------------ |
| Egress policy   | Match exact address only |
| Resolver policy | Match exact address only |

To force Gateway to match all email address variants, go to **Traffic policies** \> **Traffic settings** \> **Policy settings** and turn on **Match extended email addresses**. This setting applies to all firewall, egress, and resolver policies.
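The following Python is added here as a worked example; it is not code from the Cloudflare documentation. It transcribes the tables above into a lookup and adds a plus/dot canonicalizer, so you can predict which logins an identity policy will and will not catch before you flip the account-wide setting. The canonicalization rules (drop everything after the first `+`, ignore dots, fold case) are my assumptions about provider behaviour, and the `Egress` and `Resolver` keys are my own names for the last table.

```python
"""Added example, not code from the Cloudflare docs: replays the page's
extended-email matching rules so you can check whether an identity policy
will hit a plus/dot variant of an address before you rely on it."""

# Default behaviour transcribed from the tables on this page, keyed by
# (policy type, action as named in the UI).
# True  = the exact address and all extended variants match
# False = only the exact address matches
MATCH_VARIANTS_BY_DEFAULT = {
    ("DNS", "Allow"): False,
    ("DNS", "Block"): True,
    ("DNS", "Override"): True,
    ("DNS", "Safe Search"): True,
    ("DNS", "YouTube Restricted"): True,
    ("Network", "Allow"): False,
    ("Network", "Audit SSH"): True,
    ("Network", "Block"): True,
    ("Network", "Network Override"): False,
    ("HTTP", "Allow"): False,
    ("HTTP", "Block"): True,
    ("HTTP", "Do Not Inspect"): False,
    ("HTTP", "Do Not Isolate"): False,
    ("HTTP", "Do Not Scan"): False,
    ("HTTP", "Isolate"): True,
    ("Egress", "Egress"): False,      # my key names for the "Other policies" table
    ("Resolver", "Resolver"): False,
}


def canonical(email: str) -> str:
    """Collapse an address to the mailbox a Gmail-style provider delivers to.

    Assumption: the provider drops everything from the first '+' in the local
    part and ignores dots, as the page describes. Case folding is also an
    assumption (mailbox names are usually compared case-insensitively)."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def is_extended_variant(policy_email: str, user_email: str) -> bool:
    """True when user_email is a plus/dot variant of policy_email (not identical)."""
    return (policy_email.lower() != user_email.lower()
            and canonical(policy_email) == canonical(user_email))


def identity_matches(policy_email: str, user_email: str, policy_type: str,
                     action: str, match_extended_setting: bool = False) -> bool:
    """Does a policy written for `policy_email` apply to a login as `user_email`?

    match_extended_setting mirrors the account-wide switch under
    Traffic policies > Traffic settings > Policy settings > Match extended
    email addresses, which forces variant matching for every policy."""
    if policy_email.lower() == user_email.lower():
        return True
    variants = match_extended_setting or MATCH_VARIANTS_BY_DEFAULT[(policy_type, action)]
    return variants and canonical(policy_email) == canonical(user_email)


def allowlist_gaps(allowed_emails, logins, policy_type="HTTP"):
    """Logins that an Allow policy on `allowed_emails` would NOT admit although
    they are variants of an allowed address. Each one is a user your Block
    policies will catch but your Allow exceptions never will."""
    return sorted(
        login for login in logins
        if not any(identity_matches(a, login, policy_type, "Allow") for a in allowed_emails)
        and any(is_extended_variant(a, login) for a in allowed_emails)
    )


if __name__ == "__main__":
    # Constructed sample data.
    print(identity_matches("contact@example.com", "contact+123@example.com", "HTTP", "Block"))
    print(identity_matches("contact@example.com", "contact+123@example.com", "HTTP", "Allow"))
    print(allowlist_gaps(["contact@example.com"],
                         ["contact@example.com", "con.tact@example.com", "other@example.com"]))
```

Run `allowlist_gaps` over an export of the [user registry](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/) before building per-user Allow exceptions: every address it returns is a login that reaches your catch-all Block instead of the Allow you intended for that person.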

## Identity-based selectors

### OIDC Claims

Specify a value from a [custom OIDC claim](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) configured on your identity provider.

Note

This selector is only available for the [Generic OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider integration. Named OIDC providers such as Okta and Microsoft Entra ID do not support custom OIDC claims in Gateway policies — use the [User Group Names](#user-group-names) or [User Group IDs](#user-group-ids) selectors for those providers instead.

| UI name     | API example                                                        |
| ----------- | ------------------------------------------------------------------ |
| OIDC Claims | any(identity.oidc\_claims\[\*\] == "\\"department=engineering\\"") |

### SAML Attributes

Specify a value from the SAML Attribute Assertion.

| UI name         | API example                                        |
| --------------- | -------------------------------------------------- |
| SAML Attributes | identity.saml\_attributes == "\\"group=finance\\"" |

### User Email

Use this selector to create identity-based Gateway policies based on a user's email.

| UI name    | API example value                         |
| ---------- | ----------------------------------------- |
| User Email | identity.email == "user-name@company.com" |

### User Group IDs

Use this selector to create identity-based Gateway policies based on an IdP group ID of which the user is configured as a member in the IdP.

| UI name        | API example                                  |
| -------------- | -------------------------------------------- |
| User Group IDs | identity.groups.id == "12jf495bhjd7893ml09o" |

### User Group Email

Use this selector to create identity-based Gateway policies based on an IdP group email address of which the user is configured as a member in the IdP.

| UI name          | API example                                        |
| ---------------- | -------------------------------------------------- |
| User Group Email | identity.groups.email == "contractors@company.com" |

### User Group Names

Use this selector to create identity-based Gateway policies based on an IdP group name of which the user is configured as a member in the IdP.

| UI name          | API example                             |
| ---------------- | --------------------------------------- |
| User Group Names | identity.groups.name == "\\"finance\\"" |

### User Name

Use this selector to create identity-based Gateway policies based on an IdP username for a particular user in the IdP.

| UI name   | API example                  |
| --------- | ---------------------------- |
| User Name | identity.name == "user-name" |

Gateway groups vs. Access rule groups

In Gateway, a **User Group** refers to a group in your IdP (for example, an Okta group). Gateway does not currently support applying DNS, HTTP, and Network policies to [Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/). This is because Access rule groups may include criteria not available through the IdP, such as device location or IP address.

## IdP groups in Gateway

Cloudflare Gateway can integrate with your organization's identity providers (IdPs). Before building a Gateway policy for IdP users or groups, be sure to [add the IdP as an authentication method](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

Because IdPs expose user groups in different formats, reference the list below to choose the appropriate identity-based selector.

### Microsoft Entra ID

| Selector       | Value                               |
| -------------- | ----------------------------------- |
| User Group IDs | 61503835-b6fe-4630-af88-de551dd59a2 |

**Value** is the [Object Id](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#entra-groups-in-zero-trust-policies) for an Entra group.

If you enabled user and group synchronization with [SCIM](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#synchronize-users-and-groups), the synchronized groups will appear under _User Group Names_:

| Selector         | Value      |
| ---------------- | ---------- |
| User Group Names | SCIM group |

### GitHub

| Selector         | Value     |
| ---------------- | --------- |
| User Group Names | Marketing |

### Google

| Selector         | Value     |
| ---------------- | --------- |
| User Group Names | Marketing |

### Okta (OIDC)

If you added Okta as an [OIDC provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/), use the User Group Names selector:

| Selector         | Value     |
| ---------------- | --------- |
| User Group Names | Marketing |

The Okta OIDC integration supports user and group synchronization with [SCIM](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/#synchronize-users-and-groups).

### Okta (SAML)

If you added Okta as a [SAML provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta-saml/), use the SAML Attributes selector:

| Selector        | Attribute name | Attribute value |
| --------------- | -------------- | --------------- |
| SAML Attributes | groups         | Marketing       |

### Generic SAML IdP

For a [generic SAML provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/), use the SAML Attributes selector:

| Selector        | Attribute name | Attribute value |
| --------------- | -------------- | --------------- |
| SAML Attributes | department     | Marketing       |

### Generic OIDC IdP

For a [generic OIDC provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/), use the OIDC Claims selector to filter traffic based on [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) configured on your IdP:

| Selector    | Claim name | Claim value |
| ----------- | ---------- | ----------- |
| OIDC Claims | department | Engineering |
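The Python below is an added example, not Cloudflare code, that composes the `identity` expression of a Gateway policy from the group format each IdP exposes (the mapping in the list above) and wraps it in a rule body for the Gateway rules API. The literal shapes follow the API examples on this page, including the extra escaped quotes around `name=value` for SAML attributes and OIDC claims. The escaping of quotes and backslashes is my addition: group names and claim values arrive from the IdP, and an unescaped `"` in one of them would change what the expression means. The JSON field names (`filters`, `traffic`, `identity`, `precedence`) are the ones I know for that API; confirm them against the API reference before use.

```python
"""Added example, not Cloudflare code: compose the identity expression of a
Gateway policy from the group format each IdP exposes and wrap it in a rule
body for POST /accounts/{account_id}/gateway/rules."""
import json

# IdP -> which identity selector carries the group, per the list on this page.
GROUP_SELECTOR = {
    "entra":        "identity.groups.id",     # Entra group Object Id
    "entra_scim":   "identity.groups.name",   # SCIM-synchronized Entra groups
    "github":       "identity.groups.name",
    "google":       "identity.groups.name",
    "okta_oidc":    "identity.groups.name",
    "okta_saml":    "identity.saml_attributes",
    "generic_saml": "identity.saml_attributes",
    "generic_oidc": "identity.oidc_claims",
}


def escape(value: str) -> str:
    """Escape a value for use inside a double-quoted expression literal.
    Treat IdP-supplied names as data: a group called
        Sales" or identity.email != "
    would otherwise rewrite the expression around it."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def quote(value: str) -> str:
    return '"' + escape(value) + '"'


def identity_expr(idp: str, value: str, attribute: str = "groups") -> str:
    """Build the `identity` expression for one group or attribute match.
    `attribute` is the SAML attribute or OIDC claim name (ignored for group
    selectors). Literal forms mirror the API examples on this page."""
    selector = GROUP_SELECTOR[idp]
    if selector == "identity.saml_attributes":
        inner = escape(f"{attribute}={value}")
        return 'identity.saml_attributes == "\\"' + inner + '\\""'
    if selector == "identity.oidc_claims":
        inner = escape(f"{attribute}={value}")
        return 'any(identity.oidc_claims[*] == "\\"' + inner + '\\"")'
    return f"{selector} == {quote(value)}"


def gateway_rule(name, action, filters, traffic, identity, precedence, description=""):
    """Rule body for the Gateway rules API. Field names are the ones I know
    for that endpoint (assumption); check them against the API reference."""
    return {
        "name": name, "description": description, "enabled": True,
        "action": action, "filters": list(filters), "precedence": precedence,
        "traffic": traffic, "identity": identity,
    }


def entra_allow_private_range(group_object_id: str, cidr: str = "10.0.0.0/8") -> dict:
    """Allow one Entra group (matched by Object Id) to reach a private range
    through the network ("l4") filter. The traffic selector is the page's
    Destination IP example."""
    return gateway_rule(
        name="allow-private-range-for-entra-group",
        action="allow", filters=["l4"],
        traffic=f"any(net.dst.ip[*] in {{{cidr}}})",
        identity=identity_expr("entra", group_object_id),
        precedence=100,
    )


if __name__ == "__main__":
    # Placeholder Object Id; substitute the value from your Entra tenant.
    print(json.dumps(entra_allow_private_range("GROUP-OBJECT-ID"), indent=2))
    print(identity_expr("generic_oidc", "Engineering", attribute="department"))
```

Keep the IdP-specific choice in one place like `GROUP_SELECTOR`: the same team name is a group ID in Entra, a group name in Okta OIDC and a SAML attribute in Okta SAML, and a policy that uses the wrong selector matches nobody without producing an error.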

## Footnotes

1. In Cloudflare One Client version 2026.1 and earlier, select **Preferences** \> **Account** \> **Re-Authenticate Session**. [↩](#user-content-fnref-1)


---

---
title: Network policies
description: Configure Network policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Network policies

Note

To enable this feature, download and deploy the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your devices.

Network policies control TCP and UDP traffic between your users and network destinations. Use them to allow or block non-HTTP traffic such as SSH, RDP, and database connections based on IP addresses, ports, and protocols.

Because Cloudflare One [integrates with your identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/), you can also create identity-based network policies. This allows you to control access to non-HTTP resources on a per-user basis regardless of the user's location or device.

A network policy consists of an **Action** and a logical expression that determines the scope of the action. To build an expression, choose a **Selector** and an **Operator**, then enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions.

* [Actions](#actions)
* [Selectors](#selectors)
* [Comparison operators](#comparison-operators)
* [Value](#value)
* [Logical operators](#logical-operators)

If a condition in an expression joins a query attribute (such as _Source IP_) and a response attribute (such as _Resolved IP_), then the condition will be evaluated when the response is received.

Terraform provider v4 precedence limitation

To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint.

To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade).

## Actions

Like actions in DNS and HTTP policies, actions in network policies define which decision you want to apply to a given set of elements. You can assign one action per policy.

### Allow

API value: `allow`

Available selectors

**Traffic**

* [Access Infrastructure Target](#access-infrastructure-target)
* [Access Private App](#access-private-app)
* [Application](#application)
* [Content Categories](#content-categories)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [Destination Port](#destination-port)
* [Detected Protocol](#detected-protocol)
* [Protocol](#protocol)
* [Proxy Endpoint](#proxy-endpoint)
* [Security Risks](#security-risks)
* [SNI](#sni)
* [SNI Domain](#sni-domain)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [Source Port](#source-port)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

Policies with Allow actions allow network traffic to reach certain IPs or ports. Gateway allows traffic that matches no policy, so Allow policies are most useful as exceptions in a default-block configuration: place a catch-all Block policy at the lowest priority, and only traffic matched by an Allow policy above it gets through. For example, the following configuration allows specific users to reach a given IP address:

| Selector       | Operator | Value          | Logic | Action |
| -------------- | -------- | -------------- | ----- | ------ |
| Destination IP | in       | 92.100.2.102   | And   | Allow  |
| User Email     | in       | \*@example.com |       |        |
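The following is an added example in Python, not Cloudflare code: a first-match evaluator for the Allow table above, with and without the catch-all Block it relies on. It assumes Gateway's documented behaviour that policies are evaluated in precedence order and that traffic matching no policy is allowed; the `Flow` and `NetworkPolicy` types, the glob semantics for the email value and the precedence numbers are my own.

```python
"""Added example, not Cloudflare code: first-match evaluation of network
policies, showing what happens when the catch-all Block is missing."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    user_email: str


@dataclass
class NetworkPolicy:
    name: str
    action: str                          # "Allow" or "Block"
    precedence: int                      # lower value is evaluated first
    dst_ips: list = field(default_factory=list)      # IPs or CIDRs
    dst_ports: list = field(default_factory=list)
    user_emails: list = field(default_factory=list)  # glob patterns, e.g. *@example.com

    def matches(self, flow: Flow) -> bool:
        """Configured selectors are ANDed; an empty selector means 'any'."""
        if self.dst_ips:
            ip = ipaddress.ip_address(flow.dst_ip)
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in self.dst_ips):
                return False
        if self.dst_ports and flow.dst_port not in self.dst_ports:
            return False
        if self.user_emails and not any(
            fnmatch.fnmatchcase(flow.user_email.lower(), pat.lower()) for pat in self.user_emails
        ):
            return False
        return True


def evaluate(policies, flow: Flow, default_action: str = "Allow"):
    """Return (action, policy name) of the first match in precedence order,
    or (default_action, None) when nothing matches. default_action="Allow"
    is the assumed Gateway behaviour for unmatched traffic."""
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy.matches(flow):
            return policy.action, policy.name
    return default_action, None


def audit_policy_set(policies) -> str:
    """Flag an Allow-only policy set: without a lower-priority Block that has
    no selectors, every flow that matches no Allow policy still goes through."""
    has_catch_all = any(
        p.action == "Block" and not (p.dst_ips or p.dst_ports or p.user_emails)
        for p in policies
    )
    return "ok" if has_catch_all else "no catch-all Block: unmatched traffic is allowed"


# Constructed policy set: the page's Allow example plus the catch-all it relies on.
ALLOW_EXAMPLE = NetworkPolicy(
    name="allow-example-users", action="Allow", precedence=100,
    dst_ips=["92.100.2.102"], user_emails=["*@example.com"],
)
CATCH_ALL = NetworkPolicy(name="catch-all-block", action="Block", precedence=10_000)

if __name__ == "__main__":
    contractor = Flow("92.100.2.102", 443, "bob@partner.example")
    print(evaluate([ALLOW_EXAMPLE, CATCH_ALL], contractor))   # blocked by the catch-all
    print(evaluate([ALLOW_EXAMPLE], contractor))              # allowed: nothing matched
    print(audit_policy_set([ALLOW_EXAMPLE]))
```

The second call is the case to watch for in a real tenant: an Allow policy written for `*@example.com` does nothing to a contractor's traffic unless a Block sits beneath it, and the dashboard will not warn you.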

### Audit SSH (Deprecated)

API value: `audit_ssh`

Available selectors

**Traffic**

* [Application](#application)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [Source Port](#source-port)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

Warning

Gateway no longer supports the Audit SSH action for new policies. To log your SSH traffic, Cloudflare recommends deploying [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) for your SSH server and configuring [SSH command logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs).

Policies with Audit SSH actions allow administrators to log SSH traffic. Gateway will detect SSH traffic over port `22`. For example, the following configuration logs SSH commands sent to a given IP address:

| Selector       | Operator | Value        | Action    |
| -------------- | -------- | ------------ | --------- |
| Destination IP | in       | 203.0.113.83 | Audit SSH |

Gateway only audits SSH traffic over port `22`. Non-standard ports, including those specified with the [Destination Port selector](#destination-port), are not supported.

For more information on SSH logging, refer to [Configure SSH proxy and command logs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/ssh-logging/).

### Block

API value: `block`

Available selectors

**Traffic**

* [Access Infrastructure Target](#access-infrastructure-target)
* [Access Private App](#access-private-app)
* [Application](#application)
* [Content Categories](#content-categories)
* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [Destination Port](#destination-port)
* [Detected Protocol](#detected-protocol)
* [Protocol](#protocol)
* [Proxy Endpoint](#proxy-endpoint)
* [Security Risks](#security-risks)
* [SNI](#sni)
* [SNI Domain](#sni-domain)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [Source Port](#source-port)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

Policies with Block actions block network traffic from reaching certain IPs or ports. For example, the following configuration blocks all traffic directed to port 443:

| Selector         | Operator | Value | Action |
| ---------------- | -------- | ----- | ------ |
| Destination Port | in       | 443   | Block  |

#### Cloudflare One Client block notifications

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/plans/zero-trust-services/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| Traffic and DNS mode, Traffic only mode                                                                                            | Enterprise                                                                  |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2024.1.159.0           |
| macOS    | ✅            | 2024.1.160.0           |
| Linux    | ❌            |                        |
| iOS      | ✅            | 1.7                    |
| Android  | ✅            | 1.4                    |
| ChromeOS | ✅            | 1.4                    |

Turn on **Display block notification for Cloudflare One Client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the Cloudflare One Client with a custom message you set. If you do not set a custom message, the Cloudflare One Client will display a default message. Custom messages must be 100 characters or less. The Cloudflare One Client will only display one notification per minute.

Upon selecting the notification, the Cloudflare One Client will direct your users to the [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form.

When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include:

Policy context fields

| Field                 | Definition                                                                                                                                       | Example                                                              |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
| User email            | Email of the user that made the query.                                                                                                           | &cf\_user\_email=user@example.com                                    |
| Site URL              | Full URL of the original HTTP request or domain name in DNS query.                                                                               | &cf\_site\_uri=https%3A%2F%2Fmalware.testcategory.com%2F             |
| URL category          | [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected.           | &cf\_request\_categories=New%20Domains,Newly%20Seen%20Domains        |
| Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request.                                                                          | &cf\_referer=https%3A%2F%2Fexample.com%2F                            |
| Rule ID               | ID of the Gateway policy that matched the request.                                                                                               | &cf\_rule\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                   |
| Source IP             | Source IP address of the device that matched the policy.                                                                                         | &cf\_source\_ip=203.0.113.5                                          |
| Device ID             | UUID of the device that matched the policy.                                                                                                      | &cf\_device\_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1                 |
| Application names     | Name of the application the redirected domain corresponds to, if any.                                                                            | &cf\_application\_name=Salesforce                                    |
| Filter                | The traffic type filter that triggered the block.                                                                                                | &cf\_filter=http, &cf\_filter=dns, &cf\_filter=av, or &cf\_filter=l4 |
| Account ID            | [Cloudflare account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) of the associated Zero Trust account. | &cf\_account\_id=d57c3de47a013c03ca7e237dd3e61d7d                    |
| Query ID              | ID of the DNS query for which the redirect took effect.                                                                                          | &cf\_query\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                  |
| Connection ID         | ID of the proxy connection for which the redirect took effect.                                                                                   | &cf\_connection\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3             |
| Request ID            | ID of the HTTP request for which the redirect took effect.                                                                                       | &cf\_request\_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3                |

Ensure that your operating system allows notifications for the Cloudflare One Client. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the [macOS documentation ↗](https://support.apple.com/guide/mac-help/change-notifications-settings-mh40583/mac).
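If you point the notification at an internal support form, that form receives the policy context as query parameters. The Python below is an added example, not Cloudflare code, of how the receiving side should parse and validate them: the field names are those in the table above, the sample URL is constructed from the page's example values, and the validation rules (IDs must parse as UUIDs, `cf_filter` must be one of the four listed values) are my choices. `cf_site_uri` and `cf_referer` are chosen by whoever operates the blocked site, so every value is escaped before it is rendered.

```python
"""Added example, not Cloudflare code: parse and validate the policy-context
query string Gateway appends to a custom block-notification URL, as the
internal support form on the receiving end would."""
import html
import uuid
from urllib.parse import parse_qs, urlsplit

UUID_FIELDS = {"cf_rule_id", "cf_device_id", "cf_query_id", "cf_connection_id", "cf_request_id"}
LIST_FIELDS = {"cf_request_categories"}        # comma-separated per the table above
KNOWN_FILTERS = {"http", "dns", "av", "l4"}


def parse_policy_context(url: str) -> dict:
    """Return the cf_* parameters as a dict. Malformed IDs or an unknown
    filter raise ValueError so the form never stores garbage as audit data.
    Caveat: parse_qs decodes a literal '+' as a space, so a plus-addressed
    cf_user_email only survives if it arrives percent-encoded."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    ctx = {k: v[0] for k, v in params.items() if k.startswith("cf_")}
    for key in UUID_FIELDS.intersection(ctx):
        uuid.UUID(ctx[key])                  # raises ValueError if not a UUID
    if "cf_filter" in ctx and ctx["cf_filter"] not in KNOWN_FILTERS:
        raise ValueError(f"unexpected cf_filter value {ctx['cf_filter']!r}")
    for key in LIST_FIELDS.intersection(ctx):
        ctx[key] = [c for c in ctx[key].split(",") if c]
    return ctx


def is_valid_context(url: str) -> bool:
    try:
        parse_policy_context(url)
        return True
    except ValueError:
        return False


def render_ticket_row(ctx: dict) -> str:
    """HTML fragment for the support form; every value is attacker-influenced
    (site URI, referer), so it is escaped rather than trusted."""
    cells = "".join(
        f"<td>{html.escape(key)}</td><td>{html.escape(str(value))}</td>"
        for key, value in sorted(ctx.items())
    )
    return f"<tr>{cells}</tr>"


SAMPLE_URL = (  # constructed from the example values in the table above
    "https://support.example.internal/blocked?"
    "cf_user_email=user@example.com"
    "&cf_site_uri=https%3A%2F%2Fmalware.testcategory.com%2F"
    "&cf_request_categories=New%20Domains,Newly%20Seen%20Domains"
    "&cf_rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1"
    "&cf_filter=l4"
)

if __name__ == "__main__":
    print(parse_policy_context(SAMPLE_URL))
```

The `cf_rule_id` and `cf_device_id` values are what make the ticket actionable: the rule ID tells you which policy to look at, and the device ID lets you correlate with the Gateway logs for that device.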

### Network Override

API value: `l4_override`

Available selectors

**Traffic**

* [Destination Continent IP Geolocation](#destination-continent)
* [Destination Country IP Geolocation](#destination-country)
* [Destination IP](#destination-ip)
* [Destination Port](#destination-port)
* [Protocol](#protocol)
* [SNI](#sni)
* [SNI Domain](#sni-domain)
* [Source Continent IP Geolocation](#source-continent)
* [Source Country IP Geolocation](#source-country)
* [Source Internal IP](#source-internal-ip)
* [Source IP](#source-ip)
* [Source Port](#source-port)
* [Virtual Network](#virtual-network)

**Identity**

* [SAML Attributes](#users)
* [User Email](#users)
* [User Group Emails](#users)
* [User Group IDs](#users)
* [User Group Names](#users)
* [User Name](#users)

**Device Posture**

* [Passed Device Posture Checks](#device-posture)

Policies with Network Override actions override traffic directed to or coming from certain IPv4/IPv6 addresses or ports. Destination IPs can be public IPs or private IPs connected to your Zero Trust network. For example, the following configuration overrides traffic sent to a public IP with a private IP based on a user's identity:

| Selector       | Operator | Value          | Logic | Action           |
| -------------- | -------- | -------------- | ----- | ---------------- |
| Destination IP | in       | 95.92.143.151  | And   | Network Override |
| User Email     | in       | \*@example.com |       |                  |
| Override IP    |          | 10.0.0.1       |       |                  |

Warning

If the override destination IP is unreachable, Gateway still rewrites the destination, but the connection fails silently: no log entry is written. Verify that the override IP is reachable from your Zero Trust network before deploying this policy.

Gateway will only log successful override connections in your [network logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#network-logs).
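Because a rewrite to an unreachable address leaves no log entry, it is worth probing the override target before the rule exists. The Python below is an added example, not Cloudflare code: it builds a Network Override rule body and refuses to emit it until a TCP connect to the override target succeeds. The JSON field names, including `rule_settings.l4override`, are the ones I know for the Gateway rules API and should be checked against the API reference; the loopback self-test at the end is constructed so the block runs offline.

```python
"""Added example, not Cloudflare code: build a Network Override rule body and
probe the override target first, because a rewrite to an unreachable IP
fails without leaving a log entry."""
import socket


def tcp_reachable(ip: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect probe. Run it from a host on the same Zero Trust network the
    overridden traffic will use (for example, a machine behind the same
    Tunnel); reachability from an admin laptop proves nothing about Gateway's path."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def network_override_rule(name, dst_ip, user_email, override_ip, override_port=None, precedence=100):
    """Rule body for the Gateway rules API (field names are my assumption).
    Selector forms are the page's Destination IP and User Email examples."""
    settings = {"l4override": {"ip": override_ip}}
    if override_port is not None:
        settings["l4override"]["port"] = override_port
    safe_email = user_email.replace("\\", "\\\\").replace('"', '\\"')
    return {
        "name": name, "enabled": True, "action": "l4_override", "filters": ["l4"],
        "precedence": precedence,
        "traffic": f"any(net.dst.ip[*] in {{{dst_ip}}})",
        "identity": f'identity.email == "{safe_email}"',
        "rule_settings": settings,
    }


def plan_override(name, dst_ip, user_email, override_ip, override_port, probe=tcp_reachable):
    """Return the rule body, or raise if the override target does not answer."""
    if not probe(override_ip, override_port):
        raise RuntimeError(f"override target {override_ip}:{override_port} is unreachable; "
                           "Gateway would rewrite to it and log nothing")
    return network_override_rule(name, dst_ip, user_email, override_ip, override_port)


def loopback_demo():
    """Self-contained check: one listening loopback port and one closed one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # nothing listens on closed_port now
    try:
        return tcp_reachable("127.0.0.1", open_port), tcp_reachable("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    print(loopback_demo())
    try:
        print(plan_override("rewrite-to-private", "95.92.143.151", "alice@example.com", "10.0.0.1", 443))
    except RuntimeError as exc:
        print(exc)
```

After deployment, treat the absence of entries in the network logs for the overridden destination as a signal, not as silence: the rule is matching, and the rewritten connections are failing.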

## Selectors

Gateway matches network traffic against the following selectors, or criteria.

### Access Infrastructure Target

All [targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target) secured by an [Access infrastructure application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/).

| UI name                      | API example   |
| ---------------------------- | ------------- |
| Access Infrastructure Target | access.target |

### Access Private App

All destination IPs and hostnames secured by an [Access self-hosted private application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).

| UI name                                     | API example         |
| ------------------------------------------- | ------------------- |
| Self-hosted Access App with Private Address | access.private\_app |

### Application

You can apply network policies to a growing list of popular web applications. Refer to [Application and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/) for more information.

| UI name     | API example                 |
| ----------- | --------------------------- |
| Application | any(app.ids\[\*\] in {505}) |

### Content Categories

Domains within a specific [content category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories).

| UI name            | API example                                  |
| ------------------ | -------------------------------------------- |
| Content Categories | any(net.fqdn.content\_category\[\*\] in {1}) |

### Destination Continent

The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the **Value** field:

| Continent     | Code |
| ------------- | ---- |
| Africa        | AF   |
| Antarctica    | AN   |
| Asia          | AS   |
| Europe        | EU   |
| North America | NA   |
| Oceania       | OC   |
| South America | SA   |
| Tor network   | T1   |

| UI name                              | API example                   |
| ------------------------------------ | ----------------------------- |
| Destination Continent IP Geolocation | net.dst.geo.continent == "EU" |

### Destination Country

The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its [ISO 3166-1 Alpha 2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                            | API example                 |
| ---------------------------------- | --------------------------- |
| Destination Country IP Geolocation | net.dst.geo.country == "RU" |

### Destination IP

The IP address of the request's target.

| UI name        | API example                           |
| -------------- | ------------------------------------- |
| Destination IP | any(net.dst.ip\[\*\] in {10.0.0.0/8}) |

### Destination Port

The port number of the request's target.

| UI name          | API example          |
| ---------------- | -------------------- |
| Destination Port | net.dst.port == 2222 |

### Detected Protocol

The inferred network protocol based on Cloudflare's [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/).

| UI name           | API example                     |
| ----------------- | ------------------------------- |
| Detected Protocol | net.protocol.detection == "ssh" |

### Device Posture

With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way.

For more information on device posture checks, refer to [Device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

| UI name                      | API example                                                                                                                                                                 |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Passed Device Posture Checks | any(device\_posture.checks.failed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device\_posture.checks.passed\[\*\] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})  |

### Protocol

The protocol used to send the packet.

| UI name  | API example           |
| -------- | --------------------- |
| Protocol | net.protocol == "tcp" |

Note

To enable Gateway filtering on TCP and UDP, go to **Traffic policies** \> **Traffic settings** \> **Allow Secure Web Gateway to proxy traffic**. Network policies apply to all enabled protocols unless you use the **Protocol** selector within a policy.

### Proxy Endpoint

The [proxy server](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) where your browser forwards HTTP traffic.

| UI name        | API example                                                 |
| -------------- | ----------------------------------------------------------- |
| Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" |

### Security Categories

Applications within a specific [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) as categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/glossary/#content-categories).

| UI name             | API example                                   |
| ------------------- | --------------------------------------------- |
| Security Categories | any(net.fqdn.security\_category\[\*\] in {1}) |

### SNI

Server Name Indication (SNI) is the hostname a client sends during the TLS handshake, before encryption begins. Gateway reads the SNI to identify the destination of encrypted traffic. The SNI selector matches the exact hostname.

By default, SNI selectors only apply to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).

| UI name | API example                       |
| ------- | --------------------------------- |
| SNI     | net.sni.host == "www.example.com" |

### SNI Domain

The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for `example.com` will match `example.com`, `www.example.com`, and `my.test.example.com`.

By default, SNI selectors only apply to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).

| UI name    | API example                      |
| ---------- | -------------------------------- |
| SNI Domain | net.sni.domains == "example.com" |

### Source Continent

The continent of the user making the request. 

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field:

| Continent     | Code |
| ------------- | ---- |
| Africa        | AF   |
| Antarctica    | AN   |
| Asia          | AS   |
| Europe        | EU   |
| North America | NA   |
| Oceania       | OC   |
| South America | SA   |
| Tor network   | T1   |

| UI name                         | API example                              |
| ------------------------------- | ---------------------------------------- |
| Source Continent IP Geolocation | net.src.geo.continent == "North America" |

### Source Country

The country of the user making the request. 

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                       | API example                 |
| ----------------------------- | --------------------------- |
| Source Country IP Geolocation | net.src.geo.country == "RU" |

### Source Internal IP

Use this selector to apply network policies based on the private IP address, assigned by the user's local network, from which requests reach Gateway.

| UI name            | API example                                    |
| ------------------ | ---------------------------------------------- |
| Source Internal IP | net.src.internal\_src\_ip == "192.168.86.0/27" |

### Source IP

The originating IP address or addresses of a device proxied by Gateway.

| UI name   | API example                      |
| --------- | -------------------------------- |
| Source IP | net.src.ip\[\*\] in {10.0.0.0/8} |

### Source Port

The originating port of a device proxied by Gateway.

| UI name     | API example            |
| ----------- | ---------------------- |
| Source Port | net.src.port == "2222" |

### Users

Use these selectors to match against identity attributes.

| UI name           | API example                                                                                                     |
| ----------------- | --------------------------------------------------------------------------------------------------------------- |
| User Email        | identity.email == "user@example.com"                                                                            |
| User Name         | identity.name == "Test User"                                                                                    |
| User Group IDs    | any(identity.groups\[\*\].id in {"group\_id"})                                                                  |
| User Group Names  | any(identity.groups\[\*\].name in {"group\_name"})                                                              |
| User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"})                                                       |
| SAML Attributes   | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) |

### Virtual Network

Use this selector to match all traffic routed through a specific [Virtual Network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) via the Cloudflare One Client.

| UI name         | API example                                            |
| --------------- | ------------------------------------------------------ |
| Virtual Network | net.vnet\_id == "957fc748-591a-e96s-a15d-1j90204a7923" |

## Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector.

| Operator                 | Meaning                                                                                                            |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------ |
| is                       | equals the defined value                                                                                           |
| is not                   | does not equal the defined value                                                                                   |
| in                       | matches at least one of the defined values                                                                         |
| not in                   | does not match any of the defined values                                                                           |
| in list                  | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values     |
| not in list              | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values |
| matches regex            | regex evaluates to true                                                                                            |
| does not match regex     | regex evaluates to false                                                                                           |
| greater than             | exceeds the defined number                                                                                         |
| greater than or equal to | exceeds or equals the defined number                                                                               |
| less than                | below the defined number                                                                                           |
| less than or equal to    | below or equals the defined number                                                                                 |

Note

The _in_ operator allows you to specify IP addresses or networks using CIDR notation (for example, `10.0.0.0/8` matches all IPs from `10.0.0.0` to `10.255.255.255`).

## Value

In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors.

### Regular expressions

Regular expressions are evaluated using Rust. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/#wildcards). To evaluate if your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/).

If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. You do not need to use an escape character (`\`) before the pipe symbol. For example, the following expression evaluates to true when the SNI host matches either `.*whispersystems.org` or `.*signal.org`:

| Selector | Operator      | Value                                |
| -------- | ------------- | ------------------------------------ |
| SNI      | matches regex | .\*whispersystems.org\|.\*signal.org |

In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values.

## Logical operators

To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator.

| Operator | Meaning                                       |
| -------- | --------------------------------------------- |
| And      | match all of the conditions in the expression |
| Or       | match any of the conditions in the expression |

The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in **Identity** or **Device Posture**.


---

---
title: Common policies
description: Reference information for Common policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Common policies

The following policies are commonly used to secure network traffic. Network policies are evaluated in order from top to bottom, and the first matching policy applies. Place more specific Allow policies above broader Block policies.

For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies/).

Refer to the [network policies page](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) for a comprehensive list of other selectors, operators, and actions.

## Block unauthorized applications

Note

After seven days, view your [Shadow IT SaaS Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing.

To minimize the risk of [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/), some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:

| Selector    | Operator | Value                     | Action |
| ----------- | -------- | ------------------------- | ------ |
| Application | in       | _Artificial Intelligence_ | Block  |

In the following API examples, `filters: ["l4"]` indicates that this is a network (Layer 4) policy.

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block unauthorized applications",
    "description": "Block access to unauthorized AI applications",
    "enabled": true,
    "action": "block",
    "filters": [
        "l4"
    ],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": "",
    "device_posture": ""
  }'
```

## Check user identity

Configure access on a per user or group basis by adding [identity-based conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to your policies.

| Selector         | Operator | Value         | Logic | Action |
| ---------------- | -------- | ------------- | ----- | ------ |
| Application      | in       | _Salesforce_  | And   | Block  |
| User Group Names | in       | _Contractors_ |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Check user identity",
    "description": "Block access to Salesforce by temporary employees and contractors",
    "enabled": true,
    "action": "block",
    "filters": [
        "l4"
    ],
    "traffic": "any(app.ids[*] in {606})",
    "identity": "any(identity.groups.name[*] in {\"Contractors\"})",
    "device_posture": ""
  }'
```

## Enforce device posture

Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). For example, you can use a list of [device serial numbers](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device/) to ensure users can only access an application if they connect with the Cloudflare One Client from a company device:

| Selector                     | Operator | Value                   | Logic | Action |
| ---------------------------- | -------- | ----------------------- | ----- | ------ |
| SNI Domain                   | is       | internalapp.com         | And   | Block  |
| Passed Device Posture Checks | not in   | _Device serial numbers_ |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-NET-ApplicationAccess-Allow",
    "description": "Ensure access to the application comes from authorized WARP clients",
    "precedence": 70,
    "enabled": false,
    "action": "block",
    "filters": [
        "l4"
    ],
    "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
    "device_posture": "not(any(device_posture.checks.passed[*] in {\"<DEVICE_SERIAL_NUMBERS_LIST_UUID>\"}))"
  }'
```

To get the UUIDs of your device posture checks, use the [List device posture rules](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/list/) endpoint.

```hcl
resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow" {
  account_id     = var.cloudflare_account_id
  name           = "All-NET-ApplicationAccess-Allow"
  description    = "Ensure access to the application comes from authorized WARP clients"
  precedence     = 70
  enabled        = false
  action         = "block"
  filters        = ["l4"]
  traffic        = "any(net.sni.domains[*] == \"internalapp.com\")"
  # Interpolate the UUID of the serial-number list into the posture expression.
  device_posture = "not(any(device_posture.checks.passed[*] in {\"${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))"
}
```

## Enforce session duration

To require users to re-authenticate after a certain amount of time has elapsed, configure [Cloudflare One Client sessions](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).

## Allow only approved traffic

Restrict user access to only the specific sites or applications configured in your [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). This pattern uses two policies: an Allow policy to permit HTTP/HTTPS traffic, followed by a Block policy to deny everything else. Place the Allow policy above the Block policy so that matching traffic is allowed before the catch-all block applies.

### 1\. Allow HTTP and HTTPS traffic

| Selector          | Operator | Value   | Logic | Action |
| ----------------- | -------- | ------- | ----- | ------ |
| Detected Protocol | is       | _TLS_   | And   | Allow  |
| Destination Port  | in       | 80, 443 |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow HTTP and HTTPS traffic",
    "description": "Restrict traffic to HTTP and HTTPS traffic",
    "enabled": true,
    "action": "allow",
    "filters": [
        "l4"
    ],
    "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}",
    "identity": "",
    "device_posture": ""
  }'
```

### 2\. Block all other traffic

| Selector | Operator | Value        | Action |
| -------- | -------- | ------------ | ------ |
| Protocol | in       | _TCP_, _UDP_ | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block all other traffic",
    "description": "Block all other traffic that is not HTTP or HTTPS",
    "enabled": true,
    "action": "block",
    "filters": [
        "l4"
    ],
    "traffic": "net.protocol in {\"tcp\" \"udp\"}",
    "identity": "",
    "device_posture": ""
  }'
```

## Filter HTTPS traffic when inspecting on all ports

If your organization blocks traffic by default with a Network policy and you want to [inspect HTTP traffic on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it.

| Selector          | Operator | Value  | Logic | Action |
| ----------------- | -------- | ------ | ----- | ------ |
| Detected Protocol | is       | _TLS_  | Or    | Allow  |
| Detected Protocol | is       | _HTTP_ |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow on inspect all ports",
    "description": "Filter HTTPS traffic when using inspect all ports",
    "enabled": true,
    "action": "allow",
    "filters": [
        "l4"
    ],
    "traffic": "net.detected_protocol == \"tls\" or net.detected_protocol == \"http\"",
    "identity": "",
    "device_posture": ""
  }'
```

## Restrict private network access to proxy endpoint users

When using proxy endpoints, by default all devices added to the proxy endpoint can access your internal applications and services connected through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). To restrict access and add an additional layer of security, create the following policies.

### Source IP proxy endpoints

When using [source IP proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint), restrict access to only users connecting through the proxy endpoint from specific source IPs.

#### 1\. Allow proxy endpoint traffic from specific source IPs

| Selector       | Operator | Value            | Logic | Action |
| -------------- | -------- | ---------------- | ----- | ------ |
| Proxy Endpoint | in       | _Proxy Endpoint_ | And   | Allow  |
| Source IP      | in       | 203.0.113.0/24   | And   |        |
| Destination IP | in       | 10.0.0.0/8       |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow proxy endpoint traffic from specific source IPs",
    "description": "Allow traffic from proxy endpoint users with specific source IPs to reach private network",
    "enabled": true,
    "action": "allow",
    "filters": [
        "l4"
    ],
    "traffic": "net.proxy_endpoint.ids[*] in {\"<PROXY_ENDPOINT_ID>\"} and net.src.ip in {203.0.113.0/24} and net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.

#### 2\. Block all other proxy endpoint traffic to private network

| Selector       | Operator | Value            | Logic | Action |
| -------------- | -------- | ---------------- | ----- | ------ |
| Proxy Endpoint | in       | _Proxy Endpoint_ | And   | Block  |
| Destination IP | in       | 10.0.0.0/8       |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block all other proxy endpoint traffic",
    "description": "Block any other proxy endpoint traffic from accessing the private network",
    "enabled": true,
    "action": "block",
    "filters": [
        "l4"
    ],
    "traffic": "net.proxy_endpoint.ids[*] in {\"<PROXY_ENDPOINT_ID>\"} and net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.

### Authorization proxy endpoints

When using [authorization proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint), add an additional layer of security by restricting access to only users connecting from specific source IPs. This prevents unauthorized access even if user credentials are compromised.

#### 1\. Allow proxy endpoint traffic from specific source IPs

| Selector       | Operator | Value            | Logic | Action |
| -------------- | -------- | ---------------- | ----- | ------ |
| Proxy Endpoint | in       | _Proxy Endpoint_ | And   | Allow  |
| Source IP      | in       | 203.0.113.0/24   | And   |        |
| Destination IP | in       | 10.0.0.0/8       |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow authorized proxy endpoint traffic from specific source IPs",
    "description": "Allow traffic from authorization proxy endpoint users with specific source IPs to reach private network",
    "enabled": true,
    "action": "allow",
    "filters": [
        "l4"
    ],
    "traffic": "net.proxy_endpoint.ids[*] in {\"<PROXY_ENDPOINT_ID>\"} and net.src.ip in {203.0.113.0/24} and net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.

#### 2\. Block all other proxy endpoint traffic to private network

| Selector       | Operator | Value            | Logic | Action |
| -------------- | -------- | ---------------- | ----- | ------ |
| Proxy Endpoint | in       | _Proxy Endpoint_ | And   | Block  |
| Destination IP | in       | 10.0.0.0/8       |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block all other authorized proxy endpoint traffic",
    "description": "Block any other authorization proxy endpoint traffic from accessing the private network",
    "enabled": true,
    "action": "block",
    "filters": [
        "l4"
    ],
    "traffic": "net.proxy_endpoint.ids[*] in {\"<PROXY_ENDPOINT_ID>\"} and net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.

## Restrict access to private networks

Restrict access to resources which you have connected through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).

The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.

### 1\. Allow company employees

| Selector       | Operator      | Value           | Logic | Action |
| -------------- | ------------- | --------------- | ----- | ------ |
| Destination IP | in            | 10.0.0.0/8      | And   | Allow  |
| User Email     | matches regex | .\*@example.com |       |        |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow company employees",
    "description": "Allow any users with an organization email to reach the application",
    "enabled": true,
    "action": "allow",
    "filters": [
        "l4"
    ],
    "traffic": "net.dst.ip in {10.0.0.0/8}",
    "identity": "identity.email matches \".*@example.com\"",
    "device_posture": ""
  }'
```

### 2\. Block everyone else

| Selector       | Operator | Value      | Action |
| -------------- | -------- | ---------- | ------ |
| Destination IP | in       | 10.0.0.0/8 | Block  |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block everyone else",
    "description": "Block any other users from accessing the application",
    "enabled": true,
    "action": "block",
    "filters": [
        "l4"
    ],
    "traffic": "net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```
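The ordering rule stated at the top of this page (policies run top to bottom, first match wins) and the two-policy patterns in Allow only approved traffic, Filter HTTPS traffic when inspecting on all ports, and Restrict access to private networks, as an added Python simulation. This is not Cloudflare's policy engine; the flow field names, the sample flows, the unanchored-search treatment of `matches regex`, and the implicit allow when nothing matches are this example's assumptions.

```python
"""Added simulation (not Cloudflare's engine) of ordered Gateway network
policies: rules run top to bottom, and the first enabled rule whose traffic,
identity and device-posture groups all match decides the action."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional


# Constructed flow record: the per-connection attributes the selectors read.
# Field names are this example's own; the comments name the API selector.
@dataclass
class Flow:
    dst_ip: str                   # net.dst.ip
    dst_port: int                 # net.dst.port
    protocol: str                 # net.protocol ("tcp" or "udp")
    detected_protocol: str = ""   # net.detected_protocol ("tls", "http", "ssh", ...)
    email: str = ""               # identity.email (empty = no identity)


Predicate = Callable[[Flow], bool]


@dataclass
class Rule:
    name: str
    action: str                                # "allow" or "block"
    traffic: Optional[Predicate] = None        # the API's "traffic" expression
    identity: Optional[Predicate] = None       # the API's "identity" expression
    device_posture: Optional[Predicate] = None # the API's "device_posture" expression
    enabled: bool = True

    def matches(self, flow: Flow) -> bool:
        # The three expression groups are ANDed, which is why an Or cannot span
        # a Traffic condition and an Identity condition; an empty group imposes
        # no condition at all.
        groups = (self.traffic, self.identity, self.device_posture)
        return all(g is None or g(flow) for g in groups)


def in_cidrs(ip: str, cidrs) -> bool:
    """The 'in' operator on IP selectors: membership in any listed CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def matches_regex(value: str, pattern: str) -> bool:
    """'matches regex' modelled as an unanchored search (assumption, mirroring
    Rust's Regex::is_match); anchor with ^ and $ when the whole value must match."""
    return re.search(pattern, value) is not None


def evaluate(rules, flow: Flow):
    """First enabled matching rule wins. When nothing matches this simulation
    assumes the traffic is allowed (no explicit policy applied)."""
    for rule in rules:
        if rule.enabled and rule.matches(flow):
            return rule.action, rule.name
    return "allow", "default (no policy matched)"


# --- Rule sets transcribed from this page's policy tables -------------------
# Allow only approved traffic: allow TLS on 80/443, then block all TCP/UDP.
ALLOW_WEB = Rule("Allow HTTP and HTTPS traffic", "allow",
                 traffic=lambda f: f.detected_protocol == "tls"
                 and f.dst_port in {80, 443})
BLOCK_REST = Rule("Block all other traffic", "block",
                  traffic=lambda f: f.protocol in {"tcp", "udp"})
APPROVED_ONLY = [ALLOW_WEB, BLOCK_REST]

# Filter HTTPS traffic when inspecting on all ports: allow TLS or HTTP on any port.
ALLOW_ALL_PORTS = Rule("Allow on inspect all ports", "allow",
                       traffic=lambda f: f.detected_protocol in {"tls", "http"})

# Restrict access to private networks: employees in, everyone else out.
ALLOW_EMPLOYEES = Rule("Allow company employees", "allow",
                       traffic=lambda f: in_cidrs(f.dst_ip, ["10.0.0.0/8"]),
                       identity=lambda f: matches_regex(f.email, r".*@example.com"))
BLOCK_PRIVATE = Rule("Block everyone else", "block",
                     traffic=lambda f: in_cidrs(f.dst_ip, ["10.0.0.0/8"]))
PRIVATE_NET = [ALLOW_EMPLOYEES, BLOCK_PRIVATE]

# Constructed sample flows.
HTTPS = Flow("203.0.113.10", 443, "tcp", "tls")
SSH = Flow("203.0.113.10", 22, "tcp", "ssh")
HTTP_ALT = Flow("203.0.113.10", 8080, "tcp", "http")
INTERNAL_EMPLOYEE = Flow("10.20.30.40", 443, "tcp", "tls", "alice@example.com")
INTERNAL_GUEST = Flow("10.20.30.40", 443, "tcp", "tls", "bob@contractor.test")

if __name__ == "__main__":
    for flow in (HTTPS, SSH, HTTP_ALT):
        print(f"{flow.detected_protocol}:{flow.dst_port} ->",
              evaluate(APPROVED_ONLY, flow))
    # Reversing the order turns the allow-list into a block-everything policy.
    print("reversed ->", evaluate(list(reversed(APPROVED_ONLY)), HTTPS))
    # With inspect-on-all-ports, plain HTTP on 8080 must be allowed explicitly.
    print("all ports ->", evaluate([ALLOW_ALL_PORTS, BLOCK_REST], HTTP_ALT))
    for flow in (INTERNAL_EMPLOYEE, INTERNAL_GUEST):
        print(flow.email, "->", evaluate(PRIVATE_NET, flow))
```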

## Override IP address

Override traffic directed toward a specific IP address with a different IP address.

| Selector         | Operator | Value        | Logic | Action           |
| ---------------- | -------- | ------------ | ----- | ---------------- |
| Destination IP   | in       | 203.0.113.17 | And   | Network Override |
| Destination Port | is       | 80           |       |                  |

| Override IP | Override Port |
| ----------- | ------------- |
| 1.1.1.1     | 80            |

Create a Zero Trust Gateway rule

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Override example.com with 1.1.1.1",
    "description": "Override a site'\''s IP address with another IP",
    "enabled": true,
    "action": "l4_override",
    "filters": [
        "l4"
    ],
    "traffic": "net.dst.ip in {203.0.113.17} and net.dst.port == 80",
    "identity": "",
    "device_posture": "",
    "rule_settings": {
        "l4override": {
            "ip": "1.1.1.1",
            "port": 80
        },
        "override_host": "",
        "override_ips": null
    }
  }'
```


---

---
title: Protocol detection
description: Protocol detection in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Protocol detection

Gateway supports the detection, logging, and filtering of network protocols using packet attributes.

Protocol detection only applies to devices connected to Cloudflare One via the Cloudflare One Client in [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default).

## Turn on protocol detection

To turn on protocol detection:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings** \> **Proxy and inspection settings**.
2. Turn on **Allow protocol detection**.

You can now use _Detected Protocol_ as a selector in a [Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#detected-protocol).

### Inspect on all ports

By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`.

To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, under **Manage HTTP inspection by port**, choose _Inspect on all ports_.

#### Important considerations

**TLS interception on all ports**: When you turn on this setting, Gateway will attempt to intercept TLS traffic on every port, not just port `443`. This means all applications using TLS on non-standard ports will have their traffic intercepted by the Gateway proxy. If you only want to turn on SNI detection for Network policy filtering without full TLS interception, you will need to create [Do Not Inspect policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#do-not-inspect) for the specific applications or domains that use TLS on non-standard ports.

Non-HTTP protocols inside TLS bypass network policy filtering

Once a Network policy allows a TLS connection at Layer 4, Gateway decrypts the TLS traffic. However, Gateway cannot filter non-HTTP protocols inside the TLS connection. All non-HTTPS traffic inside TLS (such as SSH over TLS, database protocols, or custom protocols) is allowed by default with no further filtering applied. If your organization uses a default-block Network policy, Gateway will still allow all non-HTTPS TLS traffic through.

To use HTTP policies to filter all HTTPS traffic on all ports when using a default Block Network policy, [create a Network policy to explicitly allow HTTP and TLS traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/common-policies/#filter-https-traffic-when-inspecting-on-all-ports).

## Supported protocols

Gateway supports detection and filtering of the following protocols:

| Protocol     | Notes                                                                                        |
| ------------ | -------------------------------------------------------------------------------------------- |
| HTTP         | Hypertext Transfer Protocol (HTTP/1.1).                                                      |
| HTTP2        | Hypertext Transfer Protocol Version 2.                                                       |
| SSH          | Secure Shell Protocol — remote login and command execution.                                  |
| TLS          | Transport Layer Security. Gateway detects TLS versions 1.1 through 1.3 with the _TLS_ value. |
| DCERPC       | Distributed Computing Environment / Remote Procedure Call.                                   |
| MQTT         | Message Queuing Telemetry Transport — lightweight IoT messaging protocol.                    |
| TPKT         | TPKT commonly initiates RDP sessions, so you can use it to identify and filter RDP traffic.  |
| IMAP         | Internet Message Access Protocol — email retrieval.                                          |
| POP3         | Post Office Protocol v3 — email retrieval.                                                   |
| SMTP         | Simple Mail Transfer Protocol — email sending.                                               |
| MYSQL        | MySQL database wire protocol.                                                                |
| RSYNC-DAEMON | rsync daemon protocol.                                                                       |
| LDAP         | Lightweight Directory Access Protocol.                                                       |
| NTP          | Network Time Protocol.                                                                       |

## Example network policy

You can create network policies that filter traffic based on protocol detections rather than common ports. For example, you can block all SSH traffic on your network without blocking port 22 or any other non-default ports:

| Selector          | Operator | Value | Action |
| ----------------- | -------- | ----- | ------ |
| Detected Protocol | in       | _SSH_ | Block  |


---

---
title: SSH proxy and command logs (legacy)
description: SSH proxy and command logs (legacy) in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# SSH proxy and command logs (legacy)

Legacy feature — not recommended for new deployments

This SSH proxy and command logging method is deprecated. For new deployments, use [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) to manage SSH sessions and log SSH commands.

Cloudflare One supports SSH proxying and command logging using Secure Web Gateway and the Cloudflare One Client.

You can create network policies to manage and monitor SSH access to your applications. When a device connects to your origin server over SSH, a session log will be generated showing which user connected, the session duration, and optionally a full replay of all commands run during the session.

## Prerequisites

* [Install the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/) on end-user devices.
* [Install the Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on end-user devices.

## 1\. Ensure Unix usernames match user SSO identities

Cloudflare Gateway will take the identity from a token and, using short-lived certificates, authorize the user on the target infrastructure.

The simplest setup is one where a user's Unix username matches their email address prefix. Issued short-lived certificates will be valid for the user's email address prefix. For example, if a user in your Okta or GSuite organization is registered as `jdoe@example.com`, they would log in to the SSH server as `jdoe`.

For testing purposes, you can run the following command to generate a Unix user on the machine:

Terminal window

```
sudo adduser jdoe
```

Advanced setup: Differing usernames

SSH certificates include one or more `principals` in their signature which indicate the Unix usernames the certificate is allowed to log in as. Cloudflare Access will always set the principal to the user's email address prefix. For example, when `jdoe@example.com` tries to connect, Access issues a short-lived certificate authorized for the principal `jdoe`.

By default, SSH servers authenticate the Unix username against the principals listed in the user's certificate. You can configure your SSH server to accept principals that do not match the Unix username.

Note

If you would like to use short-lived certificates with the browser-based terminal, the user's email address prefix needs to match their Unix username.

**Username matches a different email**

To allow `jdoe@example.com` to log in as the user `johndoe`, add the following to the server's `/etc/ssh/sshd_config`:

```
Match user johndoe
  AuthorizedPrincipalsCommand /bin/echo 'jdoe'
  AuthorizedPrincipalsCommandUser nobody
```

This tells the SSH server that, when someone tries to authenticate as the user `johndoe`, check their certificate for the principal `jdoe`. This would allow the user `jdoe@example.com` to sign into the server with a command such as:

Terminal window

```
ssh johndoe@server
```

**Username matches multiple emails**

To allow multiple email addresses to log in as `vmuser`, add the following to the server's `/etc/ssh/sshd_config`:

```
Match user vmuser
  AuthorizedPrincipalsFile /etc/ssh/vmusers-list.txt
```

This tells the SSH server to load a list of principals from a file. Then, in `/etc/ssh/vmusers-list.txt`, list the email prefixes that can log in as `vmuser`, one per line:

```
jdoe
bwayne
robin
```

**Username matches all users**

To allow any Access user to log in as `vmuser`, add the following command to the server's `/etc/ssh/sshd_config`:

```
Match user vmuser
  AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
  AuthorizedPrincipalsCommandUser nobody
```

This command takes the certificate presented by the user and authorizes whatever principal is listed on it.

**Allow all users**

To allow any Access user to log in with any username, add the following to the server's `/etc/ssh/sshd_config`:

```
AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
AuthorizedPrincipalsCommandUser nobody
```

Since this makes the security of your server entirely dependent on your Access configuration, make sure your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) are correctly configured.

## 2\. Generate a Gateway SSH proxy CA

Instead of traditional SSH keys, Gateway uses short-lived certificates to authenticate traffic between Cloudflare and your origin.

Note

Other short-lived CAs, such as those used to [secure SSH servers behind Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/), are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the `gateway_ca` API endpoint.

To generate a Gateway SSH proxy CA and get its public key:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Service credentials** \> **SSH**.
2. Select **Add a certificate**.
3. Under **SSH with Access for Infrastructure**, select **Generate SSH CA**. A new row will appear in the short-lived certificates table called **SSH with Access for Infrastructure**.
4. Select the **SSH with Access for Infrastructure** certificate.
5. Copy its **CA public key**. You can return to copy this public key at any time.

**API**

1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions:  
| Type    | Item                 | Permission |  
| ------- | -------------------- | ---------- |  
| Account | Access: SSH Auditing | Edit       |
2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: SSH Auditing Write`

Add a new SSH Certificate Authority (CA)

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: SSH Auditing Write`
* `Access: SSH Auditing Read`

List SSH Certificate Authorities (CA)

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

4. Copy the `public_key` value returned in the response.

## 3\. Save the public key

1. Use the following command to change directories to the SSH configuration directory on the remote target machine:  
Terminal window  
```  
cd /etc/ssh  
```
2. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key.  
Terminal window  
```  
vim ca.pub  
```
3. In the `ca.pub` file, paste the public key without any modifications.  
ca.pub  
```  
ecdsa-sha2-nistp256 <redacted> open-ssh-ca@cloudflareaccess.org  
```  
The `ca.pub` file can hold multiple keys, listed one per line. Empty lines and comments starting with `#` are also allowed.
4. Save the `ca.pub` file. In some systems, you may need to use the following command to force the file to save depending on your permissions:  
Terminal window  
```  
:w !sudo tee %  
:q!  
```

## 4\. Modify your `sshd_config` file

Configure your SSH server to trust the Cloudflare SSH CA by updating the `sshd_config` file on the remote target machine.

1. While in the `/etc/ssh` directory on the remote machine, open the `sshd_config` file.  
Terminal window  
```  
 sudo vim /etc/ssh/sshd_config  
```
2. Press `i` to enter insert mode, then add the following lines at the top of the file, above all other directives:  
```  
PubkeyAuthentication yes  
TrustedUserCAKeys /etc/ssh/ca.pub  
```  
Be aware of your include statements  
If there are any include statements below these lines, the configurations in those files will not take precedence.
3. Press `esc` and then type `:x` and press `Enter` to save and exit.

## 5\. Check your SSH port number

Cloudflare's SSH proxy only works with servers running on the default port 22. Open the `sshd_config` file and verify that no other `Port` values are specified.

Terminal window

```
cat /etc/ssh/sshd_config
```
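The following Python script is an added example, not Cloudflare's tooling, that checks an `sshd_config` and a `ca.pub` against the requirements of steps 3 to 5: the two directives from step 4 present in the global section (before any `Match` block) and not preceded by an `Include` that a drop-in file could use to set them first, no `Port` other than `22`, and a `ca.pub` whose non-comment lines are well-formed public key lines. The file contents, the key material and the user names are constructed samples.

```python
"""Added example (not Cloudflare tooling): sanity-check an sshd_config and a
ca.pub against steps 3 to 5 of the legacy SSH proxy setup. Contents are passed
in as strings so the checks run offline; every input below is constructed."""

import re

# Constructed sample: both directives at the top as step 4 describes, an Include
# further down, and a Match block from the "Differing usernames" section.
GOOD_SSHD_CONFIG = """\
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub
Include /etc/ssh/sshd_config.d/*.conf
# Port 22 is the default; leaving it unset is fine
Match user johndoe
  AuthorizedPrincipalsCommand /bin/echo 'jdoe'
  AuthorizedPrincipalsCommandUser nobody
"""

# Constructed sample with the two problems the page warns about: an Include
# above the CA directive (a drop-in file could set it first and win, because
# sshd keeps the first value it reads for a keyword) and a non-default port.
BAD_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub
"""

# Constructed ca.pub; the base64 blob is a placeholder, not a real CA key.
GOOD_CA_PUB = """\
# Gateway SSH proxy CA
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY= open-ssh-ca@cloudflareaccess.org

"""


def parse_sshd_config(text):
    """Return [(line_no, keyword_lowercase, value)] for the global section, i.e.
    every non-comment directive before the first Match block."""
    directives = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # everything after the first Match is conditional
        directives.append((n, keyword, value))
    return directives


def check_sshd_config(text):
    """Return a list of human-readable problems; an empty list means it passes."""
    problems = []
    by_keyword = {}
    for n, kw, val in parse_sshd_config(text):
        by_keyword.setdefault(kw, []).append((n, val))

    # Step 4: both directives must be present in the global section.
    if not any(v.lower() == "yes" for _, v in by_keyword.get("pubkeyauthentication", [])):
        problems.append("PubkeyAuthentication yes is missing")
    ca_lines = [n for n, v in by_keyword.get("trustedusercakeys", []) if v == "/etc/ssh/ca.pub"]
    if not ca_lines:
        problems.append("TrustedUserCAKeys /etc/ssh/ca.pub is missing")
    else:
        first_include = min((n for n, _ in by_keyword.get("include", [])), default=None)
        if first_include is not None and first_include < ca_lines[0]:
            problems.append(
                f"Include on line {first_include} precedes TrustedUserCAKeys on line {ca_lines[0]}")

    # Step 5: the legacy proxy only works on port 22, so any other Port value fails.
    for n, val in by_keyword.get("port", []):
        if val != "22":
            problems.append(f"Port {val} on line {n}: the SSH proxy requires port 22")
    return problems


# key type, base64 key material, optional comment (the format shown in step 3)
CA_PUB_LINE = re.compile(r"^(ecdsa-sha2-nistp\d+|ssh-ed25519|ssh-rsa) [A-Za-z0-9+/=]+( \S+)?$")


def check_ca_pub(text):
    """Return the number of CA keys found; raise ValueError on a malformed line.
    Blank lines and # comments are allowed, as step 3 notes."""
    count = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not CA_PUB_LINE.match(line):
            raise ValueError(f"ca.pub line {n} is not a public key line")
        count += 1
    return count


if __name__ == "__main__":
    print(check_sshd_config(GOOD_SSHD_CONFIG))
    print(check_sshd_config(BAD_SSHD_CONFIG))
    print(check_ca_pub(GOOD_CA_PUB))
```

On a real host you would read `/etc/ssh/sshd_config` and `/etc/ssh/ca.pub` into the two functions; the constructed `BAD_SSHD_CONFIG` reports both the misplaced `Include` and the non-default port, while `GOOD_SSHD_CONFIG` reports nothing.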

## 6\. Restart your SSH server

Once you have modified your `sshd` configuration, reload the SSH service on the remote machine for the changes to take effect.


For Debian/Ubuntu:

Terminal window

```
sudo systemctl reload ssh
```

For CentOS/RHEL 7 and newer:

Terminal window

```
sudo systemctl reload sshd
```

## 7\. Create an Audit SSH policy

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**.
2. In the **Network** tab, select **Add a network policy**.
3. Name the policy and specify the [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#destination-ip) for your origin server.  
You can enter either a public or private IP. To use a private IP, refer to [Connect private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/).
4. Add any other conditions to your policy. If a user does not meet the criteria, they will be blocked by default.
5. In the **Action** dropdown, select _Audit SSH_.
6. (Optional) Enable **SSH Command Logging**. If you have not already uploaded an SSH encryption public key, follow the steps in [Configure SSH Command Logging](#optional-configure-ssh-command-logging).
7. Save the policy.

## 8\. Connect as a user

Users can use any SSH client to connect to the target resource, as long as they are logged into the Cloudflare One Client on their device. Cloudflare One will authenticate, proxy, and optionally encrypt and record all SSH traffic through Gateway.

Users must specify their desired username to connect with as part of the SSH command:

Terminal window

```
ssh <username>@<hostname>
```

Note

If the target resource is already in a user's `.ssh/known_hosts` file, the user must first remove existing SSH keys before attempting to connect:

Terminal window

```
ssh-keygen -R <targetIP or hostname>
```

## (Optional) Configure SSH Command Logging

To log SSH commands, you will need to generate an HPKE key pair and upload the public key to Cloudflare.

1. [Download ↗](https://github.com/cloudflare/ssh-log-cli/releases/latest/) the Cloudflare `ssh-log-cli` utility.
2. Using the `ssh-log-cli` utility, generate a public and private key pair.  
Terminal window  
```  
./ssh-log-cli generate-key-pair -o sshkey  
ls  
```  
```  
README.md    ssh-log-cli    sshkey    sshkey.pub  
```  
This command outputs two files, an `sshkey.pub` public key and a matching `sshkey` private key.
3. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
4. In **SSH log encryption public key**, paste the contents of `sshkey.pub` and select **Save**. Note that this is a different public key from the `ca.pub` file you used to configure the SSH server.

All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to view logs.

## View SSH Logs

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Logs** \> **SSH command logs**.
2. If you enabled the **SSH Command Logging** feature, you can **Download** a session's command log.
3. To decrypt the log, follow the instructions in the [SSH Logging CLI repository ↗](https://github.com/cloudflare/ssh-log-cli/). In the following example, `sshkey` is the private key that matches the public key uploaded to Cloudflare.  
Terminal window  
```  
./ssh-log-cli decrypt -i sshlog -k sshkey  
```  
This command outputs a `sshlog-decrypted.zip` file with the decrypted logs.

## Limitations

SSH Command Logging does not support SFTP since it cannot be inspected and logged.


---

---
title: Order of enforcement
description: How Order of enforcement works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Order of enforcement

With Cloudflare Gateway, you can [enable and configure](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/) any combination of DNS, network, and HTTP policies.

```mermaid
flowchart TB
    %% Accessibility
    accTitle: Gateway order of enforcement
    accDescr: Flowchart describing the order of enforcement for Gateway policies.

 subgraph Resolution["Resolution"]
        dns2["1.1.1.1"]
        dns4["Custom resolver"]
        dns3["Resolver policies <br>(Enterprise users only)"]
        internal["Internal DNS"]
  end
 subgraph DNS["DNS"]
        dns1["DNS policies"]
        Resolution
  end
 subgraph HTTP["HTTP policies"]
        http1{{"Do Not Inspect policies"}}
        http2["Isolate policies  <br>(with Browser Isolation add-on)"]
        http3["Allow, Block, Do Not Scan, Quarantine, and Redirect policies, DLP, and anti-virus scanning"]
        https["HTTP or HTTPS?"]
  end
 subgraph Proxy["Proxy"]
        HTTP
        network1["Network policies"]
        nonhttp["Non-HTTP(S) traffic"]
  end
 subgraph Egress["Egress"]
        egress1["Egress policies <br>(Enterprise users only)"]
  end
    start(["Traffic"]) --> dns0[/"DNS query"/] & http0["Network connections"]
    dns0 ----> dns1
    dns1 -- Resolved by --> dns2
    dns1 --> dns3
    dns3 -- Resolved by --> dns4
    dns2 -----> internet(["Internet"])
    dns4 -----> internet
    dns4 ---> cloudflare["Private network services <br>(Cloudflare Tunnel, Cloudflare WAN, Cloudflare Mesh)"]
    http1 -- Do Not Inspect --> internet
    http1 -- Inspect --> http2
    http2 --> http3
    http0 --> magic["Cloudflare Network Firewall (Enterprise users only)"]
    magic --> egress1
    egress1 --> tcp["Check for origin availability (TCP SYN)"]
    tcp --> network1
    http3 --> internet
    https -- HTTPS --> http1
    https -- HTTP --> http2
    network1 --> https & nonhttp
    dns3 -- Resolved by --> internal & dns2
    nonhttp -----> internet

    https@{ shape: hex}
    http0@{ shape: lean-r}
```

Order of enforcement change on 2025-07-14

On 2025-07-14, Gateway began evaluating network-level policies before application-level policies and verifying the network path to an origin server before accepting a connection. This only affects your policies if you are applying HTTP policies in your account. For example:

Comparison of old and new order of enforcement

| Policies                                       | Old order of enforcement                                                                                               | New order of enforcement                                                                                                                |
| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| **Network Block policy and HTTP Block policy** | Gateway blocks traffic and displays the block page and/or follows the client notification settings on the HTTP policy. | Gateway blocks traffic. Gateway does not display the block page but will follow the client notification settings on the Network policy. |
| **Network Allow policy and HTTP Block policy** | Gateway blocks traffic and displays the block page and follows the client notification settings on the HTTP policy.    | No change.                                                                                                                              |
| **Network Block policy and HTTP Allow policy** | Gateway blocks traffic and follows the client notification settings on the Network policy.                             | No change.                                                                                                                              |

## Connection establishment

When a user connects to a server with Gateway, Gateway first establishes a TCP connection with the destination server on the port the user requested. Because TCP traffic is proxied by Cloudflare, the connection Gateway establishes with the origin is independent from the connection users establish with Gateway. This means Gateway assigns a new source IP and port to the user's connection and no details from the user's TCP handshake are included in the TCP handshake with the origin server.

If the TCP connection to the destination server is successful, Gateway will apply policies. If Gateway policies allow the connection, Gateway will connect the user to the destination server. If Gateway policies block the connection, Gateway will end the connection and will not send any data between the user and the destination server. If the TCP connection to the destination server is unsuccessful, Gateway will not evaluate any policies and will retry the TCP connection from the user to the server.

```mermaid
flowchart TD
    %% Accessibility
    accTitle: How Gateway proxy works
    accDescr: Flowchart describing how the Gateway proxy uses the Happy Eyeballs algorithm to establish TCP connections and proxy user traffic.

    %% Flowchart
    A[User's device sends TCP SYN to Gateway] --> B[Gateway sends TCP SYN to origin server]
    B --> C{{Origin server responds with TCP SYN-ACK?}}
    C -->|Yes| E[TCP handshakes completed]
    C -->|No| D[Connection fails]
    E --> F{{Connection allowed?}}
    F -->|Allow policy| G[Gateway proxies traffic bidirectionally]
    F -->|Block policy| H[Connection blocked by firewall policies]

    %% Styling
    style D stroke:#D50000
    style G stroke:#00C853
    style H stroke:#D50000
```

Connections to Zero Trust will always appear in your [Zero Trust network session logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/) regardless of connection success. Because Gateway does not inspect failed connections, they will not appear in your [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/).

### Filter TCP SYN packets with Cloudflare Network Firewall

Because Gateway sends a TCP SYN to the destination server before evaluating policies, Gateway Network or HTTP Block policies do not prevent the initial TCP SYN from reaching the destination server. If you need to prevent TCP SYN packets from being sent to specific destination IP addresses, you can create a [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/) rule to block traffic at the packet level. As shown in the [enforcement flowchart](#order-of-enforcement), Cloudflare Network Firewall evaluates traffic before Gateway checks for origin availability.

Note

Cloudflare Network Firewall is available to Enterprise users only.

To block TCP SYN packets to a specific destination:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Firewall policies** \> **Custom policies**.
2. Select **Add a policy**.
3. Create a rule with the destination IP address or CIDR range you want to block. For example, to block all traffic to `10.0.0.0/8`, use the expression `ip.dst in {10.0.0.0/8}` with a **Block** action.
4. Select **Add new policy**.

For more information on creating packet filtering rules, refer to [Add policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/add-policies/).

## Priority between policy builders

Gateway applies your policies in the following order:

1. DNS policies with selectors evaluated before resolution
2. Resolver policies (if applicable)
3. DNS policies with selectors evaluated after resolution
4. Egress policies (if applicable)
5. Network policies
6. HTTP policies

DNS and resolver policies are standalone. For example, if you block a site with a DNS policy but do not create a corresponding HTTP policy, users can still access the site if they know its IP address.

### HTTP/3 traffic

For proxied [HTTP/3 traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/), Gateway applies your policies in the following order:

1. DNS policies
2. Network policies
3. HTTP policies

## Priority within a policy builder

### DNS policies

Gateway evaluates DNS policies first in order of DNS resolution, then in [order of precedence](#order-of-precedence).

When DNS queries are received, Gateway evaluates policies with pre-resolution selectors, resolves the DNS query, then evaluates policies with post-resolution selectors. This means policies with selectors evaluated before DNS resolution take precedence. For example, the following set of policies will block `example.com`:

| Precedence | Selector                        | Operator | Value         | Action |
| ---------- | ------------------------------- | -------- | ------------- | ------ |
| 1          | Resolved Country IP Geolocation | is       | United States | Allow  |
| 2          | Domain                          | is       | example.com   | Block  |

Despite an explicit Allow policy ordered first, policy 2 takes precedence because the _Domain_ selector is evaluated before DNS resolution.

If a policy contains both pre-resolution and post-resolution selectors, Gateway will evaluate the entire policy after DNS resolution. For information on when each selector is evaluated, refer to the [list of DNS selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#selectors).

### Network policies

Gateway evaluates network policies in [order of precedence](#order-of-precedence).

### HTTP policies

Gateway applies HTTP policies based on a combination of [action type](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#actions) and [order of precedence](#order-of-precedence):

1. All Do Not Inspect policies are evaluated first, in order of precedence.
2. If no policies match, all Isolate policies are evaluated in order of precedence.
3. All Allow, Block and Do Not Scan policies are evaluated in order of precedence.
4. The body of the HTTP request, including Data Loss Prevention (DLP), AV scanning, and file sandboxing, is evaluated.

This order of enforcement allows Gateway to first determine whether decryption should occur. If a site matches a Do Not Inspect policy, it is automatically allowed through Gateway and bypasses all other HTTP policies.

Note

The only exception is if you are using [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) — all sites within the clientless remote browser are implicitly isolated even if they match a Do Not Inspect policy.

Next, Gateway checks decrypted traffic against your Isolate policies. When a user makes a request which triggers an Isolate policy, the request will be rerouted to a [remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/).

Next, Gateway evaluates all Allow, Block, and Do Not Scan policies. These policies apply to both isolated and non-isolated traffic. For example, if `example.com` is isolated and `example.com/subpage` is blocked, Gateway will block the subpage (`example.com/subpage`) inside of the remote browser.

Lastly, Gateway inspects the body of the HTTP request by evaluating it against DLP policies, and running anti-virus scanning and file sandboxing. If DLP Block policies are present, the action Gateway ultimately takes may not match the action it initially logs. For more information, refer to [DLP policy precedence](#dlp-policy-precedence).
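To make the ordering described in the DNS policies and HTTP policies sections above concrete, here is an added Python model (not Cloudflare code) of evaluation within one policy builder: policies are sorted by an evaluation tier first and by precedence number second, and within that order the first match decides, with unmatched traffic allowed. It replays the two-policy DNS table above (Allow by resolved country at precedence 1, Block by domain at precedence 2) and the isolated `example.com` / blocked `example.com/subpage` case. The selector names, the split of selectors into pre- and post-resolution sets, the action names and the hostnames are constructed for illustration; the linked DNS selectors reference is the authority on which selectors are evaluated after resolution.

```python
"""Added example (not Cloudflare code): a model of policy ordering inside one
Gateway policy builder. Policies are evaluated tier by tier (DNS: selectors
evaluated before resolution first; HTTP: Do Not Inspect, then Isolate, then
Allow/Block/Do Not Scan) and by precedence number within a tier. Selector
names, tier membership and sample traffic are constructed for illustration."""

from dataclasses import dataclass

# Illustrative split of DNS selectors; the Domain selector is evaluated before
# resolution and Resolved Country IP Geolocation after it, as the page's example
# shows. Other selectors are assumptions here, not the full reference list.
POST_RESOLUTION_SELECTORS = {"resolved_country", "resolved_ip"}

# HTTP policies are grouped by action type before precedence is considered.
HTTP_ACTION_TIER = {"do_not_inspect": 0, "isolate": 1,
                    "allow": 2, "block": 2, "do_not_scan": 2}


@dataclass
class Policy:
    precedence: int     # dashboard precedence; lower numbers are evaluated first
    action: str
    conditions: dict    # selector -> required value; all must match

    def matches(self, traffic):
        return all(traffic.get(sel) == val for sel, val in self.conditions.items())


def dns_tier(policy):
    """A DNS policy that uses any post-resolution selector is evaluated after
    resolution, even if it also uses pre-resolution selectors."""
    return 1 if any(s in POST_RESOLUTION_SELECTORS for s in policy.conditions) else 0


def evaluate(policies, traffic, tier_of, default="allow"):
    """Generic builder: order by (tier, precedence), first match wins.
    Returns (action, matched_policy_or_None); unmatched traffic gets the default."""
    for policy in sorted(policies, key=lambda p: (tier_of(p), p.precedence)):
        if policy.matches(traffic):
            return policy.action, policy
    return default, None


def evaluate_http(policies, request):
    """HTTP builder: a matching Do Not Inspect policy allows the request through
    undecrypted and stops evaluation; a matching Isolate policy marks the request
    for the remote browser but evaluation continues; Allow/Block/Do Not Scan
    policies then apply to isolated and non-isolated traffic alike."""
    isolated = False
    for policy in sorted(policies, key=lambda p: (HTTP_ACTION_TIER[p.action], p.precedence)):
        if not policy.matches(request):
            continue
        if policy.action == "do_not_inspect":
            return {"decrypted": False, "isolated": False, "action": "allow", "policy": policy}
        if policy.action == "isolate":
            isolated = True
            continue
        return {"decrypted": True, "isolated": isolated, "action": policy.action, "policy": policy}
    return {"decrypted": True, "isolated": isolated, "action": "allow", "policy": None}


def dns_example():
    """The two DNS policies from the table above, for example.com resolving to a
    US address. Returns (result with tier ordering, result by precedence alone)."""
    policies = [
        Policy(1, "allow", {"resolved_country": "United States"}),
        Policy(2, "block", {"domain": "example.com"}),
    ]
    query = {"domain": "example.com", "resolved_country": "United States"}
    with_tiers, _ = evaluate(policies, query, dns_tier)
    precedence_only, _ = evaluate(policies, query, lambda p: 0)
    return with_tiers, precedence_only


def http_example():
    """example.com isolated and example.com/subpage blocked, plus a Do Not Inspect
    policy (constructed host payroll.example) that wins despite precedence 9."""
    policies = [
        Policy(1, "block", {"host": "example.com", "path": "/subpage"}),
        Policy(2, "isolate", {"host": "example.com"}),
        Policy(3, "block", {"host": "payroll.example"}),
        Policy(9, "do_not_inspect", {"host": "payroll.example"}),
    ]
    subpage = evaluate_http(policies, {"host": "example.com", "path": "/subpage"})
    payroll = evaluate_http(policies, {"host": "payroll.example", "path": "/"})
    return subpage, payroll


if __name__ == "__main__":
    print(dns_example())
    print(http_example())
```

`dns_example()` returns `("block", "allow")`: with tier ordering the Domain policy wins although it has the higher precedence number, whereas precedence alone would have allowed the query. In `http_example()` the subpage request ends up both isolated and blocked inside the remote browser, and the Do Not Inspect policy at precedence 9 is applied before the Block at precedence 3 because action type is considered first.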

### Resolver policies

When [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) are present, Gateway first evaluates any DNS policies with pre-resolution selectors, then routes any DNS queries according to the [order of precedence](#order-of-precedence) of your resolver policies, and lastly evaluates any DNS policies with post-resolution selectors.

### Default behavior when no policy matches

If traffic does not match any explicit Allow or Block policy, Gateway applies the following defaults:

| Policy type | Default action | Description                                                                                                                                                                                                                                         |
| ----------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| DNS         | Allow          | DNS queries resolve normally through the configured resolver.                                                                                                                                                                                       |
| Network     | Allow          | TCP and UDP connections are allowed through the Gateway proxy.                                                                                                                                                                                      |
| HTTP        | Allow          | HTTP and HTTPS requests are allowed. However, if you have configured a default Block action in your [HTTP policy settings](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), unmatched traffic is blocked instead. |

Because the default is to allow unmatched traffic, Gateway follows a permissive model. To switch to a restrictive model (block by default, allow by exception), create a catch-all Block policy at the lowest precedence in the relevant policy builder and add specific Allow policies above it.

Note

Do Not Inspect policies are evaluated before all other HTTP policies. If traffic matches a Do Not Inspect policy, it bypasses all remaining HTTP policies and is allowed through Gateway. For details, refer to [HTTP policy priority](#http-policies).

### Order of precedence

Order of precedence refers to the priority of individual policies within the DNS, network, or HTTP policy builder. Gateway evaluates policies in ascending order beginning with the lowest value.

The order of precedence follows the first match principle. Once traffic matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. Therefore, Cloudflare recommends assigning the most specific policies and exceptions with the highest precedence and the most general policies with the lowest precedence.

#### Cloudflare dashboard

In the Cloudflare dashboard, policies are in order of precedence from top to bottom of the list. Policies begin with precedence `1` and count upward. You can modify the order of precedence by dragging and dropping individual policies in the dashboard.

#### Cloudflare API

To update the precedence of a policy with the Cloudflare API, use the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint to update the `precedence` field.

#### DLP policy precedence

For Gateway configurations with DLP policies, Gateway will filter and log traffic based on first match, then scan the body of the HTTP request for matching content. Because of the first match principle, Gateway may perform and log a decision for traffic, then perform a contradicting decision. For example, if traffic is first allowed with an Allow HTTP policy, then blocked with a DLP Block policy, Gateway will log the initial Allow action despite ultimately blocking the request.

#### Access applications

If Gateway traffic is headed to a private IP address protected as an Access application, that traffic will still be evaluated by the destination application's Access policies, even if a Gateway Allow policy matched first. Gateway Block policies that match traffic will terminate any other policy evaluation. This is expected behavior. A Gateway Allow policy does not override or bypass Access policies.

Terraform provider v4 precedence limitation

To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint.

To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade).

## Example

Suppose you have a list of policies arranged in the following order of precedence:

* DNS policies:  
| Precedence | Selector | Operator      | Value            | Action |  
| ---------- | -------- | ------------- | ---------------- | ------ |  
| 1          | Host     | is            | example.com      | Block  |  
| 2          | Host     | is            | test.example.com | Allow  |  
| 3          | Domain   | matches regex | .\\              | Block  |
* HTTP policies:  
| Precedence | Selector | Operator | Value             | Action         |  
| ---------- | -------- | -------- | ----------------- | -------------- |  
| 1          | Host     | is       | example.com       | Block          |  
| 2          | Host     | is       | test2.example.com | Do Not Inspect |
* Network policies:  
| Precedence | Selector         | Operator | Value            | Action |  
| ---------- | ---------------- | -------- | ---------------- | ------ |  
| 1          | Destination Port | is       | 80               | Block  |  
| 2          | Destination Port | is       | 443              | Allow  |  
| 3          | SNI Domain       | is       | test.example.com | Block  |

When a user goes to `https://test.example.com`, Gateway performs the following operations:

1. Evaluate DNS request against DNS policies:  
   1. Policy #1 does not match `test.example.com` — move on to check Policy #2.  
   2. Policy #2 matches, so DNS resolution is allowed.  
   3. Policy #3 is not evaluated because there has already been an explicit match.
2. Evaluate HTTPS request against network policies:  
   1. Policy #1 does not match because port 80 is used for standard HTTP, not HTTPS.  
   2. Policy #2 matches, so the request is allowed and proxied to the upstream server.  
   3. Policy #3 is not evaluated because there has already been an explicit match.
3. Evaluate HTTPS request against HTTP policies:  
   1. Policy #2 is evaluated first because Do Not Inspect [always takes precedence](#http-policies) over Allow and Block. Since there is no match, move on to check Policy #1.  
   2. Policy #1 does not match `test.example.com`. Since there are no matching Block policies, the request passes the HTTP filter.

Therefore, the user is able to connect to `https://test.example.com`.
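To make the sequence concrete, the following Python script is an added example (not Cloudflare code, and it does not call the Gateway API) that replays the policy tables above through Gateway's DNS, network and HTTP filters in order, with Do Not Inspect checked before the other HTTP policies and body inspection run after the first-match decision. The selector names, the function names and the DLP step are assumptions of the script, and the DNS catch-all regex is taken to be `.*`.

```python
"""Model of Gateway's order of enforcement for one request.

Added illustrative example, not Cloudflare code; nothing here calls the
Gateway API. The policy tables are the ones from the worked example above.
Selector names, function names and the DLP step are assumptions of this
script; the DNS catch-all regex is taken to be `.*` (any domain).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Policy:
    precedence: int
    selector: str   # "host", "domain", "dst_port" or "sni"
    operator: str   # "is" or "matches regex"
    value: str
    action: str     # "Allow", "Block" or "Do Not Inspect"


def _matches(policy, fields):
    actual = fields.get(policy.selector)
    if actual is None:
        return False
    if policy.operator == "is":
        return str(actual) == policy.value
    if policy.operator == "matches regex":
        return re.search(policy.value, str(actual)) is not None
    raise ValueError(f"unsupported operator {policy.operator!r}")


def first_match(policies, fields, default="Allow"):
    """First-match evaluation in ascending precedence. Returns (action, precedence);
    precedence is None when nothing matched and the default applied."""
    for p in sorted(policies, key=lambda p: p.precedence):
        if _matches(p, fields):
            return p.action, p.precedence
    return default, None


def evaluate_http(policies, fields, default="Allow"):
    """Do Not Inspect policies are checked before every other HTTP policy,
    whatever their precedence number; a match ends evaluation."""
    dni = [p for p in policies if p.action == "Do Not Inspect"]
    action, prec = first_match(dni, fields, default=None)
    if action is not None:
        return action, prec
    return first_match([p for p in policies if p.action != "Do Not Inspect"], fields, default)


def evaluate_request(url, dns_policies, net_policies, http_policies, http_default="Allow"):
    """Walks DNS -> network -> HTTP, stopping at the first Block. Returns the
    final action and a trace of (filter, action, matched precedence)."""
    u = urlparse(url)
    host = u.hostname
    port = u.port or (443 if u.scheme == "https" else 80)
    trace = []
    for name, policies, fields, evaluator, default in (
        ("dns", dns_policies, {"host": host, "domain": host}, first_match, "Allow"),
        ("network", net_policies, {"dst_port": port, "sni": host}, first_match, "Allow"),
        ("http", http_policies, {"host": host, "domain": host}, evaluate_http, http_default),
    ):
        action, prec = evaluator(policies, fields, default)
        trace.append((name, action, prec))
        if action == "Block":
            return "Block", trace
    return "Allow", trace


def apply_dlp(http_action, body, dlp_block_patterns):
    """Body inspection runs after the first-match decision, so the action
    Gateway logs first can differ from the one it finally takes.
    Returns (logged_action, final_action)."""
    final = http_action
    if http_action != "Block" and any(re.search(p, body) for p in dlp_block_patterns):
        final = "Block"
    return http_action, final


# Policy tables from the worked example (DNS catch-all regex assumed to be `.*`).
DNS_POLICIES = [
    Policy(1, "host", "is", "example.com", "Block"),
    Policy(2, "host", "is", "test.example.com", "Allow"),
    Policy(3, "domain", "matches regex", ".*", "Block"),
]
NETWORK_POLICIES = [
    Policy(1, "dst_port", "is", "80", "Block"),
    Policy(2, "dst_port", "is", "443", "Allow"),
    Policy(3, "sni", "is", "test.example.com", "Block"),
]
HTTP_POLICIES = [
    Policy(1, "host", "is", "example.com", "Block"),
    Policy(2, "host", "is", "test2.example.com", "Do Not Inspect"),
]

if __name__ == "__main__":
    for url in ("https://test.example.com", "http://test.example.com", "https://example.com"):
        print(url, evaluate_request(url, DNS_POLICIES, NETWORK_POLICIES, HTTP_POLICIES))
    # A default Block in the HTTP policy settings turns the permissive model into a restrictive one.
    print(evaluate_request("https://test.example.com", DNS_POLICIES, NETWORK_POLICIES,
                           HTTP_POLICIES, http_default="Block"))
```

Running it prints `Allow` for `https://test.example.com` with the same matches as the walkthrough, `Block` at the network filter for the plain `http://` form (destination port 80), and `Block` at the DNS filter for `example.com`. With `http_default="Block"` the same request is blocked at the HTTP filter because nothing explicitly allows it, which is the restrictive model from the default behavior table. `apply_dlp` returns the logged action next to the final one, the discrepancy described under DLP policy precedence.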

## Precedence calculations

When arranging policies in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), Gateway automatically calculates the precedence for rearranged policies.

When using the API to create a policy, unless the precedence is explicitly defined in the policy, Gateway will assign precedence to policies starting at `1000`. Every time a new policy is added to the bottom of the order, Gateway will find the current highest precedence in the account and add a random integer between 1 and 100 to that value, so that the new policy claims the maximum precedence in the account. To manually update a policy's precedence, use the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the `precedence` field. You can set a policy's precedence to any value that is not already in use.

Changing the order within the Cloudflare dashboard or API may result in configuration issues when using [Terraform](#manage-precedence-with-terraform).

## Manage precedence with Terraform

You can manage the order of execution of your Gateway policies using Terraform. With version 5 of the Terraform Cloudflare provider, Gateway users can list their policies in a Terraform file with any desired integer precedence value. Cloudflare recommends starting with a precedence of `1000` and adding extra space between each policy's precedence for any future policies. For example:

```hcl
resource "cloudflare_zero_trust_gateway_policy" "policy_1" {
  account_id = var.cloudflare_account_id
  # other attributes...
  precedence = 1000
}

resource "cloudflare_zero_trust_gateway_policy" "policy_2" {
  account_id = var.cloudflare_account_id
  # other attributes...
  precedence = 2000
}

resource "cloudflare_zero_trust_gateway_policy" "policy_3" {
  account_id = var.cloudflare_account_id
  # other attributes...
  precedence = 3000
}
```

To avoid precedence calculation errors when reordering policies with Terraform, move one policy at a time before running `terraform plan` and `terraform apply`. If you use both Terraform and the Cloudflare dashboard or API, sync your policies with `terraform refresh` before reordering policies in Terraform. Alternatively, you can set your account to [read-only in the Cloudflare dashboard](https://developers.cloudflare.com/cloudflare-one/api-terraform/#set-dashboard-to-read-only), only allowing changes using the API or Terraform.
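The following Python helpers are an added example (not Cloudflare or provider code, and they do not call the API or read Terraform state) of checking precedence values before a `terraform apply`: they reproduce the API's allocation rule described above, generate the recommended 1000-step spacing, flag duplicates and values that look hash-expanded by provider v4, and move a single policy into the gap before another one. The threshold used to flag hashed values and the function names are assumptions.

```python
"""Helpers for keeping Gateway policy precedence values unique and ordered.

Added illustrative example, not Cloudflare code: it does not call the API or
read Terraform state. It reproduces the allocation rule described above
(start at 1000, otherwise highest existing value plus a random 1..100) and
the 1000-step spacing recommended for Terraform. The threshold used to flag
provider-v4 hash-expanded values is an assumption of this script.
"""
import random


def next_api_precedence(existing, rng=None):
    """Precedence the API hands out when a policy is created without one."""
    rng = rng or random.Random()
    if not existing:
        return 1000
    return max(existing) + rng.randint(1, 100)


def spaced_precedences(ordered_names, start=1000, gap=1000):
    """Deterministic, gap-spaced values for a Terraform-managed policy list,
    in the order the policies should be evaluated."""
    return {name: start + i * gap for i, name in enumerate(ordered_names)}


def check_precedences(prec_by_name, hashed_threshold=1_000_000):
    """Problems to fix before `terraform apply`: duplicate values (the API
    only accepts values not already in use) and values large enough to look
    like a provider-v4 hash expansion such as 1000901 (threshold assumed)."""
    problems, seen = [], {}
    for name, p in prec_by_name.items():
        if p in seen:
            problems.append(f"duplicate precedence {p}: {seen[p]} and {name}")
        seen.setdefault(p, name)
        if p >= hashed_threshold:
            problems.append(f"{name}: precedence {p} looks like a provider v4 hashed value")
    return problems


def reorder_one(prec_by_name, name, before):
    """Move `name` so it is evaluated immediately before `before`, changing
    only that one policy (one move per plan/apply, as recommended above).
    Takes the midpoint of the free gap and raises when the gap is exhausted,
    which is the cue to renumber everything with spaced_precedences()."""
    target = prec_by_name[before]
    lower = max((p for n, p in prec_by_name.items() if n != name and p < target), default=0)
    if target - lower < 2:
        raise ValueError(f"no free precedence between {lower} and {target}; renumber")
    updated = dict(prec_by_name)
    updated[name] = (lower + target) // 2
    return updated


def evaluation_order(prec_by_name):
    """Policy names in the order Gateway evaluates them (ascending precedence)."""
    return [n for n, _ in sorted(prec_by_name.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    plan = spaced_precedences(["allow-sso", "block-malware", "catch-all-block"])
    print(plan, check_precedences(plan))
    moved = reorder_one(plan, "catch-all-block", "block-malware")
    print(evaluation_order(moved))  # allow-sso, catch-all-block, block-malware
```

`reorder_one` is deliberately limited to one policy per call so that a single `terraform plan` shows exactly one precedence change; when it raises, the gaps are used up and the whole list should be renumbered with `spaced_precedences` in one apply rather than squeezed further.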


---

---
title: Packet filtering
description: Configure Packet filtering in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Packet filtering

Packet filtering lets you inspect individual pieces of network traffic (packets) and apply rules to allow or block them before they reach your network. Use the pages in this section to create and manage filtering policies.


---

---
title: Add policies
description: Add policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Add policies

A root ruleset is the top-level container that holds all your firewall policies. You can check for an existing root ruleset from the dashboard or via the [Account rulesets API](https://developers.cloudflare.com/api/resources/rulesets/methods/list/). If you are a new Magic Transit customer, you may not have a root ruleset created for your account. To view examples for root rulesets, review the [Cloudflare Network Firewall Terraform documentation ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/magic%5Ffirewall%5Fruleset).

By default, you can create a maximum of 200 policies. Contact your account team to request a higher limit if needed. We recommend you create lists of IP addresses to reference within policies to streamline policy management.

## Add a policy

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**.
2. Select **Add a policy**.
3. Fill out the information for your new policy. All existing policies apply to IPv4 traffic only. You can use a [Managed IP List](https://developers.cloudflare.com/waf/tools/lists/managed-lists/#managed-ip-lists) when populating the **Value**.
4. When you are done, select **Add new policy**.

## Create a disabled policy

When you add a new policy, the policy is **Enabled** by default.

To create a **Disabled** policy, follow the steps in [Add a policy](#add-a-policy) above and toggle **Enabled** to off. When a policy is in the disabled state, the policy will not perform the action until it is set to **Enabled**.

To disable an existing policy, from the **Custom policies** tab, set the **Enabled** toggle to off.

## Update a policy

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**.
2. Locate the policy you want to edit and select the three dots > **Edit**.
3. Update the policy with your changes and select **Save**.

## Delete an existing policy

1. Locate the policy you want to delete in the list.
2. From the end of the row, select **Delete**.
3. Select **Delete** again to confirm the deletion.

## API

Below, you can find examples of how to use the API to perform certain actions.

Warning

The examples on this page all use the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets` endpoint. This endpoint creates policies from scratch and **will replace all existing policies in the ruleset**.

If you have a ruleset already deployed, consider using the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules` endpoint instead.

Refer to [Add a rule to a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/add-rule/) and [Create an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) for more information.

### Skip action

A skip action tells the firewall to stop evaluating the current ruleset for matching traffic, effectively allowing it through. Rules in a ruleset evaluate in order from top to bottom. In the example below, the skip rule must appear before the block rule so that matching traffic (port `8080`) is allowed through before the catch-all block applies.

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "Example ruleset",
  "kind": "root",
  "phase": "magic_transit",
  "description": "Example ruleset description",
  "rules": [
    {
      "action": "skip",
      "action_parameters": { "ruleset": "current" },
      "expression": "tcp.dstport in { 8080 }",
      "description": "Allow port 8080"
    },
    {
      "action": "block",
      "expression": "tcp.dstport in { 1..65535 }",
      "description": "Block all TCP ports"
    }
  ]
}'
```

### Block a country

The example below blocks all packets whose source IP address is geolocated to Brazil, using its two-letter country code in [ISO 3166-1 alpha-2 ↗](https://www.iso.org/obp/ui/#search/code/) format. The expression matches on `ip.src.country` only, so packets merely destined for Brazil are not affected by this rule.

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "Example ruleset",
  "kind": "root",
  "phase": "magic_transit",
  "description": "Example ruleset description",
  "rules": [
    {
      "action": "block",
      "expression": "ip.src.country == \"BR\"",
      "description": "Block traffic from Brazil"
    }
  ]
}'
```

### Use an IP list

Cloudflare Network Firewall supports [using lists in expressions](https://developers.cloudflare.com/waf/tools/lists/use-in-expressions/) for the `ip.src` and `ip.dst` fields. The supported lists are:

* `$cf.anonymizer` \- Anonymizer proxies
* `$cf.botnetcc` \- Botnet command and control channel
* `$cf.malware` \- Sources of malware
* `$<IP_LIST_NAME>` \- The name of an account-level IP list

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "Example ruleset",
  "kind": "root",
  "phase": "magic_transit",
  "description": "Example ruleset description",
  "rules": [
    {
      "action": "block",
      "expression": "ip.src in $cf.anonymizer",
      "description": "Block traffic from anonymizer proxies"
    }
  ]
}'
```

## Next steps

Refer to [Form expressions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/form-expressions/) for more information on how to write rule expressions.


---

---
title: Best practices
description: How Best practices works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Best practices

By default, Cloudflare Network Firewall allows all incoming (ingress) traffic that has passed through Cloudflare's core DDoS mitigations. To reduce your exposure to attacks and prevent unwanted traffic from reaching your network, configure rules using the following guidelines.

If you are setting up firewall rules for the first time, start with the [Minimal ruleset](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/). If you have existing on-premises or edge firewall rules, the best approach is to replicate those rules in Network Firewall. If you are unable to export your current firewall rules, contact your Cloudflare Implementation Manager for help translating the rules into Network Firewall rules.

* [ Minimal ruleset ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/)
* [ Extended ruleset ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset/)
* [ Magic Transit egress ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/magic-transit-egress/)


---

---
title: Extended ruleset
description: Configure Extended ruleset in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Extended ruleset

The extended ruleset builds on the [Minimal ruleset](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/) by creating targeted rules for different types of systems on your network. Before creating these rules, you must [create IP lists](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists) for each category.

If you are unable to export your current perimeter firewall rules, consider identifying categories of systems or user groups that reside on your Magic Transit prefixes. For example:

* [Endpoints (user devices)](#endpoints-user-devices)
* [Internal routers](#internal-routerfirewall-ip-addresses)
* [Web servers](#web-servers)
* [Non-web servers](#non-web-servers)

For each item above, consider the requirements in terms of their permitted Internet access. For example, permit what is required for legitimate traffic and block the rest.

## Create lists for use in Cloudflare Network Firewall rules

For more information on lists, refer to [Use rule lists](https://developers.cloudflare.com/cloudflare-one/reusable-components/use-rules-list/).

You can also create a list from the dashboard from **Configurations** \> **Lists** on your **Account Home**.

## Endpoints (User devices)

Endpoint devices do not operate as servers, which means:

* They receive traffic from standard common ports — for example `80` or `443` — towards their ephemeral ports (temporary ports assigned by the OS for outbound connections, typically above `32768` in modern operating systems).
* Connections flow outwards, not inwards, and therefore do not receive unsolicited inbound TCP connections.
* They typically only need client TCP and UDP, with no requirement for ingress ICMP.

For example, you can create rules that permit the generic client TCP and client UDP return traffic these endpoints need, permit the ICMP replies required for outbound pings or traceroutes, and finish with a catch-all rule that blocks all other protocols and traffic.

Create a list named **Endpoints** and specify the list of endpoints or user IP addresses to reference within the rules.

Warning

Rule 10 in the example ruleset below is a catch-all (a final rule that matches any remaining traffic) that blocks all traffic not permitted in rules 1-3 towards your list of Endpoint IP addresses. If you want to permit other traffic to these destination IP addresses, the new rule must be added before rule 10.

### Suggested rules

**Rule ID**: 1  
**Description**: Allows return traffic (responses to outbound requests) to ephemeral ports while blocking unsolicited inbound connections. Blocks inbound SYN-only traffic (SYN-ACKs are permitted).  
**Match**: `ip.proto eq "tcp" and ip.dst in $endpoints and tcp.dstport in {32768..60999} and not (tcp.flags.syn and not tcp.flags.ack)`  
**Action**: Allow  

**Rule ID**: 2  
**Description**: Endpoints (clients) receive UDP traffic destined for their ephemeral ports.  
**Match**: `ip.proto eq "udp" and ip.dst in $endpoints and udp.dstport in {32768..60999}`  
**Action**: Allow  

**Rule ID**: 3  
**Description**: Permits ICMP traffic to destination IP addresses in the `$endpoints` list with the following ICMP types:

* Type 0 = Echo Reply
* Type 3 = Destination Unreachable
* Type 11 = Time Exceeded

**Match**: `ip.proto eq "icmp" and ip.dst in $endpoints and (icmp.type eq 0 or icmp.type eq 3 or icmp.type eq 11)`  
**Action**: Allow  

**Rule ID**: 10  
**Description**: Otherwise deny all traffic to IP addresses in the `$endpoints` list.  
**Match**: `ip.dst in $endpoints`  
**Action**: Block  

## Internal router/Firewall IP addresses

Follow the best practices for internal routers or firewall interface IP addresses on your MT prefixes below.

1. Create [an IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists), **Internal routers** for example, with your IP addresses.
2. Block ICMP if it is not needed.
3. Permit GRE/ESP as needed if the devices have GRE/IPsec tunnels via the Internet.

### Suggested rules

**Rule ID**: 1  
**Description**: Permit limited ICMP traffic inbound, including:

* Type 0 - Echo Reply
* Type 3 - Destination Unreachable
* Type 8 - Echo
* Type 11 - Time Exceeded

**Match**: `ip.proto eq "icmp" and ip.dst in $internal_routers and ( (icmp.type eq 0 or icmp.type eq 3) or (icmp.type eq 11) or (icmp.type eq 8) )`  
**Action**: Allow  

**Rule ID**: 2  
**Description**: Block all other traffic destined to these IP addresses.  
**Match**: `ip.dst in $internal_routers`  
**Action**: Block  

## Web Servers

Web servers require careful consideration of necessary traffic flows. Traffic for the **web server** functionality is required in addition to traffic flows where the web server is acting as a client.

Where possible, permit the required destination IP addresses and ports for web servers and block everything else. Additional services, for example NTP/DNS, may be required along with the ports for the web traffic.

The following is an example of suggested rules, but you should only make changes based on your specific requirements. For example, if you are not proxied by Cloudflare Layer 7 protection and you expect traffic sourced from the web towards your web servers:

1. Create [an IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists), **web servers** for example, to list IP addresses for your web servers.
2. Permit traffic for the web server traffic inbound from the Internet.
3. Permit traffic for the infrastructure or client traffic flows from the Internet, for example DNS and NTP.
4. Block all other traffic destined for the web server IP addresses.

### Suggested rules

**Rule ID**: 1  
**Description**: Allows inbound HTTP/S traffic from the Internet with SYN-only or ACK-only flags (not SYN/ACKs).  
**Match**: `ip.proto eq "tcp" and tcp.srcport in {32768..60999} and ip.dst in $web_servers and tcp.dstport in {80 443} and not (tcp.flags.syn and tcp.flags.ack)`  
**Action**: Allow  

**Rule ID**: 2  
**Description**: Allows UDP replies for DNS and NTP to web servers.  
**Match**: `ip.dst in $web_servers and ip.proto eq "udp" and udp.srcport in {53 123} and udp.dstport in {1024..65535}`  
**Action**: Allow if necessary, but disable if under attack  

**Rule ID**: 3  
**Description**: Catch-all to block all other traffic destined for web server IP addresses.  
**Match**: `ip.dst in $web_servers`  
**Action**: Block  

Alternatively, if you have Cloudflare Layer 7 protection, the Cloudflare public IP addresses can be permitted as the source IP addresses to the destination IP addresses for the HTTP/HTTPS inbound traffic. This recommendation effectively replaces Rule 1 in the example above.

Warning

Cloudflare's IP ranges may change. Refer to [Cloudflare's IP addresses ↗](https://www.cloudflare.com/ips/) for the current list, or use an [IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists) that you update periodically rather than hardcoding ranges in your rules.

### Suggested rules for Cloudflare proxied traffic

**Description**: Allow inbound HTTP/S traffic from Cloudflare with SYN or ACK.  
**Match**: `ip.proto eq "tcp" and ip.dst in $web_servers and tcp.dstport in {80 443} and not (tcp.flags.syn and tcp.flags.ack) and ip.src in {173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22}`  
**Action**: Allow  

## Non-web servers

Restrict the source based on whether the server is expecting traffic from the general Internet or from only specific users.

1. Apply rules based on source IP or ports if possible.
2. Restrict permitted destination ports to only those that are required.
3. Block incoming SYN to the closed ports.

### Suggested rules

* `IP Destination Address { non-web server } and TCP dst port in <valid ports> — Permit`
* `IP Destination Address { non-web server } and UDP dst port in <valid ports> — Permit`
* `IP Destination Address { non-web server } — Block`

The final rule is the catch-all for the non-web server list: it must come after the two permit rules, and it applies to the non-web server addresses, not the web server list covered in the previous section.


---

---
title: Magic Transit egress
description: How Magic Transit egress works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Magic Transit egress

The suggestions in the [Minimal ruleset](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset) and [Extended ruleset](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset) are recommendations for ingress (incoming) traffic. This page covers the additional consideration needed for egress (outgoing) traffic.

Cloudflare Network Firewall does not track connection state (it is not "stateful"). A stateful firewall automatically allows return traffic for active connections — for example, if you send a request outbound, the response is allowed back in. Because Network Firewall is not stateful, each packet — whether ingress or egress — is evaluated independently against your rules. This means ingress block rules can inadvertently block egress traffic.

For Magic Transit egress traffic, consider the following:

* Network Firewall rules apply to both Magic Transit ingress and egress traffic passing through Cloudflare.
* If you have a "default drop" catchall rule (a final rule that blocks all traffic not matched by earlier rules) for ingress traffic, you must add an earlier rule to permit traffic sourced from your Magic Transit prefix with the destination as **any** to allow outbound egress traffic.  
For example, place the following allow rule before any default-drop catchall rule:  
**Match**: `ip.src in {<YOUR_MAGIC_TRANSIT_PREFIX>}`  
**Action**: Allow
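The Python model below is an added example, not Cloudflare code, that covers three passages at once: the skip-before-block ordering from the API skip example, the SYN-only versus SYN-ACK distinction in the extended ruleset's endpoint rules, and the egress problem described on this page. Rules are encoded as Python predicates rather than parsed from the firewall expression language, the prefixes are constructed RFC 5737 documentation ranges, and the rule names follow the endpoint rule numbers above.

```python
"""Stateless packet-filter model for the Network Firewall rules on this page.

Added illustrative example, not Cloudflare code. Rules are Python predicates
rather than parsed firewall expressions, and the prefixes are constructed
RFC 5737 documentation ranges. It shows the skip-before-block ordering from
the API example, the SYN-only versus SYN-ACK distinction in the endpoint
rules, and why an ingress default-drop catch-all needs an earlier egress allow.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    sport: int = 0
    syn: bool = False
    ack: bool = False
    icmp_type: int = -1


@dataclass(frozen=True)
class Rule:
    description: str
    action: str           # "allow", "block" or "skip"
    match: Callable[[Packet], bool]


def in_list(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate(rules: List[Rule], pkt: Packet):
    """Top to bottom, first match wins, no connection state. A `skip` of the
    current ruleset stops evaluation and lets the packet through, so it is
    reported as "allow". Returns (action, description of the deciding rule)."""
    for r in rules:
        if r.match(pkt):
            return ("allow" if r.action == "skip" else r.action), r.description
    return "allow", "default (no rule matched)"


# Constructed data: a Magic Transit prefix and an $endpoints list inside it.
MT_PREFIX = ["203.0.113.0/24"]
ENDPOINTS = ["203.0.113.0/26"]
EPHEMERAL = range(32768, 61000)


def skip_example_rules(skip_first: bool = True) -> List[Rule]:
    """The two rules from the API skip example; their order decides whether 8080 survives."""
    skip = Rule("Allow port 8080", "skip", lambda p: p.proto == "tcp" and p.dport == 8080)
    block = Rule("Block all TCP ports", "block", lambda p: p.proto == "tcp" and 1 <= p.dport <= 65535)
    return [skip, block] if skip_first else [block, skip]


def endpoint_rules(egress_allow: bool = False) -> List[Rule]:
    """Endpoint rules 1, 2, 3 and 10 from the extended ruleset, followed by a
    default-drop catch-all. With egress_allow=True the egress allow goes first."""
    rules: List[Rule] = []
    if egress_allow:
        rules.append(Rule("permit egress sourced from our prefix", "allow",
                          lambda p: in_list(p.src, MT_PREFIX)))
    rules += [
        Rule("rule 1: TCP to ephemeral ports, not a bare SYN", "allow",
             lambda p: p.proto == "tcp" and in_list(p.dst, ENDPOINTS)
             and p.dport in EPHEMERAL and not (p.syn and not p.ack)),
        Rule("rule 2: UDP to ephemeral ports", "allow",
             lambda p: p.proto == "udp" and in_list(p.dst, ENDPOINTS) and p.dport in EPHEMERAL),
        Rule("rule 3: ICMP echo reply / unreachable / time exceeded", "allow",
             lambda p: p.proto == "icmp" and in_list(p.dst, ENDPOINTS) and p.icmp_type in (0, 3, 11)),
        Rule("rule 10: block everything else to endpoints", "block",
             lambda p: in_list(p.dst, ENDPOINTS)),
        Rule("default drop", "block", lambda p: True),
    ]
    return rules


if __name__ == "__main__":
    syn_ack = Packet("198.51.100.7", "203.0.113.5", "tcp", dport=40000, sport=443, syn=True, ack=True)
    bare_syn = Packet("198.51.100.7", "203.0.113.5", "tcp", dport=40000, sport=443, syn=True)
    egress = Packet("203.0.113.5", "198.51.100.7", "tcp", dport=443, sport=40000, syn=True)
    for pkt in (syn_ack, bare_syn, egress):
        print(evaluate(endpoint_rules(), pkt), evaluate(endpoint_rules(egress_allow=True), pkt))
```

Because there is no connection tracking, the outbound SYN from an endpoint is just another packet to the rule list: without the prefix-sourced allow in front, the default-drop catch-all blocks it, while the inbound SYN-ACK reply would have been allowed by rule 1. The same first-match logic is why swapping the skip and block rules in the API example blocks port 8080.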


---

---
title: Minimal ruleset
description: Configure Minimal ruleset in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---


# Minimal ruleset

The suggested minimal ruleset blocks some known common vectors for DDoS attacks and permits all other ESP (Encapsulating Security Payload, used in IPsec VPNs), TCP, UDP, GRE (Generic Routing Encapsulation, used for tunnels), and ICMP traffic.

This is a suggested list and not an exhaustive list. Check which ports and protocols your infrastructure uses (for example, VPN, NTP, or database services) and ensure they are not blocked by these rules.

## Recommended rules

**Rule ID**: 1   
**Description**: Single rule that blocks all traffic with UDP source ports that are used in attacks or are invalid for Magic Transit ingress.   
**Match**: `(udp.srcport in {1900 11211 389 111 19 1194 3702 10001 20800 161 162 137 27005 520 0})`   
**Action**: Block   

**Rule ID**: 2   
**Description**: Blocks TCP traffic with source port `0` and common ports used in TCP SYN/ACK reflection attacks (attacks that exploit TCP handshake responses to flood a target).   
**Match**: `(tcp.srcport in {21 0 3306})`   
**Action**: Block   

**Rule ID**: 3   
**Description**: Blocks HOPOPT (Hop-by-Hop Options, IP protocol 0), which has no legitimate use in most environments, and blocks any protocol that is not ESP, TCP, UDP, GRE, or ICMP. Permit the relevant protocols for your environment.  
**Match**: `(ip.proto eq "hopopt") or (not ip.proto in {"esp" "tcp" "udp" "gre" "icmp"})`   
**Action**: Block   

These rules are also available as [managed rules](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets/) that you can enable without manual configuration. The rules above are provided for reference and customization.

## Traffic and port types

The information below covers traffic type, how the port is used, and reasons for blocking the port.

| Traffic                      | Port use                                                                                                          | Reason to block                                                                                                              |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| UDP source port 0            | Reserved port. Should not be used by applications.                                                                | Invalid as a legitimate traffic source port. Commonly used in DDoS attacks.                                                  |
| UDP source port 1900         | Simple Service Discovery Protocol (SSDP). Allows universal plug and play devices to send and receive information. | [SSDP DDoS attacks ↗](https://www.cloudflare.com/learning/ddos/ssdp-ddos-attack/) exploit Universal Plug and Play protocols. |
| UDP source port 11211        | Memcached. A database caching system designed to speed up websites and networks.                                  | [Memcached DDoS Attacks ↗](https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/).                                 |
| UDP source port 389          | Connection-less Lightweight Directory Access Protocol (CLDAP).                                                    | [Used in reflection attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/).                                     |
| UDP source port 111          | SunRPC                                                                                                            | Common attack vector. [Used in reflection attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/).               |
| UDP source port 19           | CHARGEN                                                                                                           | [Amplification attack vector ↗](https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/).        |
| UDP source port 1194         | OpenVPN                                                                                                           | Unless this is an authorized VPN in your environment, this common VPN should be blocked.                                     |
| UDP source port 3702         | Web Services Dynamic Discovery Multicast discovery protocol (WS-Discovery)                                        | Vulnerable to exploiting for DDoS attacks.                                                                                   |
| UDP source port 10001        | Ubiquiti UniFi discovery protocol                                                                                 | Ubiquiti devices were exploited and used to conduct DDoS attacks on this port.                                               |
| UDP source port 20800        | Call of Duty                                                                                                      | [Commonly used in attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/).                                       |
| UDP source ports 161 and 162 | SNMP                                                                                                              | Vulnerable to exploiting for DDoS attacks.                                                                                   |
| UDP source port 137          | NetBIOS                                                                                                           | NetBIOS allows file sharing over networks. If configured improperly, can expose file systems.                                |
| UDP source port 27005        | SRCDS                                                                                                             | Used in [amplification attacks ↗](https://blog.cloudflare.com/reflections-on-reflections/).                                 |
| UDP source port 520          | Routing Information Protocol (RIP)                                                                                | Internal routing protocol. Not required on Internet WAN access.                                                              |
| TCP source port 0            | Reserved port. Should not be used by applications.                                                                | Commonly used in DDoS attacks. Invalid as a legitimate traffic source port.                                                  |
| TCP source port 21           | FTP                                                                                                               | Commonly used for attacks.                                                                                                   |
| TCP source port 3306         | MYSQL open source database                                                                                        | Used as attack vector in DDoS attacks.                                                                                       |

## Other common traffic to consider

The list below is a common list of traffic types you should also consider blocking or restricting inbound.

* SFTP, TFTP
* SSH, Telnet
* RDP
* RCP
* SMCP
* NTP and DNS  
   * Both are common vectors for reflection attacks. For DNS, consider using [Cloudflare One traffic policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/), [1.1.1.1's DNS over HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/), or an internal DNS service if possible, and restrict your firewall rules to the expected sources and destinations of DNS traffic.
* MS-SQL  
   * Common vector and [increasingly used as vector for DDoS attacks ↗](https://blog.cloudflare.com/ddos-attack-trends-for-2021-q4/). Block if unused or consider restricting only to the required source IP addresses.
* HTTP and HTTPS  
   * If you only have servers on your Magic Transit prefixes, consider blocking ingress traffic on TCP source ports 80 and 443 from outside. If you have endpoints on your Magic Transit prefixes, you can allow traffic on the source ports but consider creating a disabled rule you can activate to respond to reflection attacks as needed.

If relevant to your environment, consider blocking based on geolocation data, which blocks traffic according to the country in which the source IP address is registered in the geolocation database.

If you are interested in participating in the beta for [Session Initiation Protocol (SIP) Validation ↗](https://blog.cloudflare.com/programmable-packet-filtering-with-magic-firewall/), contact your Implementation Manager.

---

---
title: Create Rate Limiting policies (beta)
description: Create Rate Limiting policies (beta) in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Create Rate Limiting policies (beta)

Rate limiting policies (beta) allow you to set maximum traffic thresholds, measured in packets or bits per second, for incoming traffic destined for your network as it arrives at specific Cloudflare data centers. When traffic to a location exceeds your defined limit, the policy takes action.

This guide walks you through creating a policy that matches incoming packets and triggers when the traffic rate exceeds your configured threshold.

Note

For Cloudflare Advanced Network Firewall customers, rate limiting (beta) is available by request through the account team.

## Add a policy

To add a policy:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**.
2. In the **Rate limiting** tab, select **Add a policy**.
3. Fill out the information for your new policy:  
   * Select the **Field**: At the moment, you can only choose a [data center name](https://developers.cloudflare.com/cloudflare-network-firewall/reference/network-firewall-fields/) (for example, `ORD` for Chicago).  
   * Select the **Operator**: Choose among **equals** or **is in**.  
   * Select the **Value**.
4. When you are done, select **Save policy**.

## Edit an existing policy

To edit a policy:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**.
2. Select the **Rate limiting** tab.
3. Locate the policy you want to edit in the list and select **Edit**.
4. Edit the policy with your changes and select **Edit policy**.

## Delete an existing policy

To delete an existing policy:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**.
2. Select the **Rate limiting** tab.
3. Locate the policy you want to delete from the list.
4. Select the three dots, then select **Remove**.

---

---
title: Enable Managed Rulesets
description: Enable Managed Rulesets in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Enable Managed Rulesets

With [managed rulesets](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/), you can quickly deploy pre-built firewall rules maintained by Cloudflare. You use Cloudflare Network Firewall to control which managed rules are enabled.

In addition to enabling managed rulesets, you can also add and enable custom policies. Refer to [add policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/add-policies/).

Note

Before you can use managed rulesets with Cloudflare Network Firewall, your account must have managed rulesets enabled. Contact your account team to request access.

To enable or disable a rule, you specify which properties should be overridden. Overrides are configured in the root ruleset of the Managed phase (the top-level ruleset that controls which managed rules are active). This root ruleset can contain only one rule, but that single rule can include multiple overrides for different managed rules.

Cloudflare recommends starting with the `action` set to `log` to evaluate impact before switching to block.

You have multiple options for enabling rules:

* Select an individual rule and enable it.
* Enable multiple rules at once by enabling a rule category in the Managed phase.
* Enable an entire ruleset.

## API

### 1\. Create a Managed phase Managed kind ruleset

To enable a managed rule, you create a root kind ruleset in the `magic_transit_managed` phase whose single `execute` rule references the managed ruleset and carries your overrides. Build the request with the following:

* `managed_ruleset_id`: The ID of the Managed phase Managed kind ruleset that contains the rule you want to enable. To find this ID, list available managed rulesets using `GET /accounts/{account_id}/rulesets?kind=managed&phase=magic_transit_managed`.
* `managed_rule_id`: The ID of the rule you want to enable.

Additionally, you need the properties you want to override. The properties you can override include:

* `enabled`: This value can be set to `true` or `false`. When set to `true`, the rule matches packets and applies the rule's default action if the action is not overridden. When set to `false`, the rule is disabled and does not match any packets.
* `action`: The value can be set to `log` so the rule only produces logs instead of applying the rule's default action.

The `enabled` and `action` properties for a rule are set in the Managed phase Managed kind ruleset. All rules in the Managed phase are currently disabled by default.

The example below contains a request for a Managed phase Managed Kind ruleset.

Example request - Create a Managed phase Managed Kind ruleset

```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "execute ruleset",
  "description": "Ruleset containing execute rules",
  "kind": "root",
  "phase": "magic_transit_managed",
  "rules": [
    {
      "expression": "true",
      "action": "execute",
      "description": "Enable one rule",
      "action_parameters": {
        "id": "<MANAGED_RULESET_ID>",
        "version": "latest",
        "overrides": {
          "rules": [
            {
              "id": "<MANAGED_RULE_ID>",
              "enabled": true,
              "action": "log"
            }
          ]
        }
      }
    }
  ]
}'
```

### 2\. Patch a Managed phase Managed kind ruleset

Because the root ruleset can only contain one rule, you must PATCH that existing rule (rather than adding new rules) when you want to enable additional managed rules.

Building off the example from the previous step, the example below enables a category to select multiple rules instead of a single rule. The category will be set to `log` mode, which means the rule can produce logs but will not accept or drop packets.

Example request - Patch a Managed phase Managed kind ruleset

```
curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "expression": "true",
  "action": "execute",
  "action_parameters": {
    "id": "<MANAGED_RULESET_ID>",
    "version": "latest",
    "overrides": {
      "rules": [
        {
          "id": "<MANAGED_RULE_ID>",
          "enabled": true
        }
      ],
      "categories": [
        {
          "category": "simple",
          "enabled": true,
          "action": "log"
        }
      ]
    }
  }
}'
```

### 3\. Enable all rules

To enable the complete ruleset or enable all rules, send the request below.

Example request to enable all rules

```
curl --request PATCH \
https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{root_kind_ruleset}/rules/{root_kind_rule} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "expression": "true",
  "action": "execute",
  "action_parameters": {
    "id": "<MANAGED_RULESET_ID>",
    "version": "latest",
    "overrides": {
      "enabled": true
    }
  }
}'
```

### 4\. Delete a ruleset

To delete a ruleset, refer to [Delete a rule in a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/delete-rule/).
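The steps above, carried out as one Python script (an added example, not Cloudflare's own code or SDK): it builds the single `execute` rule, adds a per-rule override in `log` mode, adds a category override alongside it, and finally removes the `log` override so the managed rule's default action applies. Because the root ruleset holds exactly one rule and the page's PATCH examples resend the whole rule body, every helper returns a complete rule and merges into existing overrides instead of overwriting them; treating `PATCH` as replacing the whole rule is an assumption taken from those examples. The `with_*`, `rollout` and `send` names and the placeholder identifiers are this example's own, and `send` performs the real HTTPS call, so it is not exercised offline.

```python
import copy
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def execute_rule(managed_ruleset_id, description="Managed phase overrides"):
    """The one rule a magic_transit_managed root ruleset may hold: execute the managed ruleset with overrides."""
    return {
        "expression": "true",
        "action": "execute",
        "description": description,
        "action_parameters": {"id": managed_ruleset_id, "version": "latest", "overrides": {}},
    }


def _upsert(items, key, entry):
    """Replace the list element whose `key` equals entry[key], or append the entry."""
    return [i for i in items if i[key] != entry[key]] + [entry]


def with_rule_override(rule, managed_rule_id, enabled=True, action=None):
    """Copy of `rule` with an override for one managed rule; action=None keeps the managed rule's default action."""
    rule = copy.deepcopy(rule)
    entry = {"id": managed_rule_id, "enabled": enabled}
    if action:
        entry["action"] = action
    ov = rule["action_parameters"]["overrides"]
    ov["rules"] = _upsert(ov.get("rules", []), "id", entry)
    return rule


def with_category_override(rule, category, enabled=True, action=None):
    """Copy of `rule` with an override applying to every managed rule in `category`."""
    rule = copy.deepcopy(rule)
    entry = {"category": category, "enabled": enabled}
    if action:
        entry["action"] = action
    ov = rule["action_parameters"]["overrides"]
    ov["categories"] = _upsert(ov.get("categories", []), "category", entry)
    return rule


def with_all_enabled(rule, enabled=True):
    """Copy of `rule` that enables (or disables) the whole managed ruleset, as in step 3."""
    rule = copy.deepcopy(rule)
    rule["action_parameters"]["overrides"]["enabled"] = enabled
    return rule


def create_root_ruleset_request(account_id, rule):
    """Step 1: POST a root kind ruleset in the magic_transit_managed phase containing the single rule."""
    body = {"name": "execute ruleset", "description": "Ruleset containing execute rules",
            "kind": "root", "phase": "magic_transit_managed", "rules": [rule]}
    return "POST", f"{API_BASE}/accounts/{account_id}/rulesets", body


def patch_rule_request(account_id, root_ruleset_id, root_rule_id, rule):
    """Steps 2 and 3: PATCH the existing rule with its complete replacement body."""
    url = f"{API_BASE}/accounts/{account_id}/rulesets/{root_ruleset_id}/rules/{root_rule_id}"
    return "PATCH", url, rule


def send(request, api_token):
    """Perform one of the requests above (network access required; not run offline)."""
    method, url, body = request
    req = urllib.request.Request(url, method=method, data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {api_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rollout(managed_ruleset_id, managed_rule_id, category):
    """Log one rule, then also log a whole category, then enforce the rule by dropping its log override."""
    stage1 = with_rule_override(execute_rule(managed_ruleset_id), managed_rule_id, action="log")
    stage2 = with_category_override(stage1, category, action="log")
    stage3 = with_rule_override(stage2, managed_rule_id)  # enabled, managed default action now applies
    return stage1, stage2, stage3


if __name__ == "__main__":
    # Placeholder identifiers, as on the page; substitute the IDs returned by the rulesets API.
    first, second, third = rollout("<MANAGED_RULESET_ID>", "<MANAGED_RULE_ID>", "simple")
    print(json.dumps(create_root_ruleset_request("<ACCOUNT_ID>", first)[2], indent=2))
    print(json.dumps(patch_rule_request("<ACCOUNT_ID>", "<ROOT_RULESET_ID>", "<ROOT_RULE_ID>", third)[2], indent=2))
```

Promoting from `log` to enforcement is done by resending the override without an `action` key, not by setting `action` to the rule's default; the managed rule's own action takes over once the override no longer names one.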

## Cloudflare dashboard

### Enable rules

You can also use the dashboard to enable managed rulesets:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**.
2. Select **Managed rulesets**. This is where the dashboard lists all your managed rules.
3. To enable a rule, turn **Status** on.

### Edit rules

To edit a rule:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**.
2. Select **Managed rulesets**. This is where the dashboard lists all your managed rules.
3. Select the three dots > **Edit**.
4. Make the necessary changes, then select **Save**.

### View rules

To view basic information about your rules:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and go to **Networking** \> **Firewall policies**.
2. Select **Managed rulesets**. This is where the dashboard lists all your managed rules.
3. Locate your managed rule, select the three dots > **View**.

---

---
title: Form expressions
description: How Form expressions works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Form expressions

Rules are written using the Cloudflare Rules language, a domain-specific language (DSL) intended to mimic Wireshark semantics. For more information, refer to the [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/) documentation.

To start with a simple case, review below how you would match a source IP. In this expression, `ip.src` refers to the source IP address of the incoming packet, and `==` means "equals":

```
ip.src == 192.0.2.0
```

Expressions can be more complex by joining multiple clauses via a logical operator (`&&` means AND, `||` means OR). The following expression matches packets from `192.0.2.1` that also have the TCP push or reset flag set:

```
ip.src == 192.0.2.1 && (tcp.flags.push || tcp.flags.reset)
```

## Capabilities

You can use Cloudflare Network Firewall to skip or block packets based on source or destination IP, source or destination port, protocol, packet length, or bit field match.

## Restrictions

The expression engine supports CIDR notation (IP address ranges like `192.0.2.0/24`), but only inside curly-brace sets. A bare comparison will not work as expected:

```
ip.src == 192.0.2.0/24  # bad

ip.src in { 192.0.2.0/24 }  # good
```

Expressions have a complexity limit that is easily reached when many joined or nested clauses are in the expression. Here's an example:

```
(tcp.dstport == 1000 || tcp.dstport == 1001) && (tcp.dstport == 1002 || tcp.dstport == 1003) && (tcp.dstport == 1004 || tcp.dstport == 1005) && (tcp.dstport == 1006 || tcp.dstport == 1007) && (tcp.dstport == 1008 || tcp.dstport == 1009) && (tcp.dstport == 1010 || tcp.dstport == 1011) && (tcp.dstport == 1012 || tcp.dstport == 1013) && (tcp.dstport == 1014 || tcp.dstport == 1015) && (tcp.dstport == 1016 || tcp.dstport == 1017)
```

If the limit is reached, the response will have a `400` status code and an error message of `ruleset exceeds complexity constraints`. Split the expression across multiple rules and try again. Each rule can handle a subset of the conditions, and the firewall evaluates them in order.
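The following Python parser is an added example, not part of the Cloudflare documentation or product. It implements the subset of the rules language that appears on this page and on the Minimal ruleset page (`==`/`eq`, `in { }` sets with CIDR members, `and`/`&&`, `or`/`||`, `not`/`!`, parentheses, and bare boolean fields such as `tcp.flags.push`), rejects CIDR notation outside a set as the engine does, and then runs the three minimal-ruleset expressions against constructed packets represented as field dictionaries. `tokenize`, `Parser`, `compile_expr`, `verdict` and `SAMPLE_PACKETS` are this example's own names; the real engine's grammar is broader than this subset, and quoted strings here may not contain whitespace.

```python
import ipaddress
import re

# Token classes: parentheses, braces, operators, quoted strings, field names or keywords, numbers and IPs.
TOKEN_RE = re.compile(r'\(|\)|\{|\}|==|&&|\|\||!|"[^"]*"|[A-Za-z_][\w.]*|\d[\d./]*')
KEYWORDS = {"and", "or", "not", "in", "eq"}
NETWORKS = (ipaddress.IPv4Network, ipaddress.IPv6Network)

def tokenize(text):
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != "".join(text.split()):  # anything findall skipped is a syntax error
        raise ValueError(f"cannot tokenize {text!r}")
    return tokens

def literal(tok):  # quoted string, IP address or CIDR (both become a network), or integer
    if tok.startswith('"'):
        return tok[1:-1]
    return ipaddress.ip_network(tok, strict=False) if "/" in tok or tok.count(".") == 3 else int(tok)

def matches(value, lit):
    return ipaddress.ip_address(value) in lit if isinstance(lit, NETWORKS) else value == lit

class Parser:
    # Recursive descent, lowest to highest precedence: or, and, not, then ( expr ) | field op value | field.
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def p_or(self):
        left = self.p_and()
        while self.peek() in ("or", "||"):
            self.take(); left = (lambda l, r: lambda p: l(p) or r(p))(left, self.p_and())
        return left
    def p_and(self):
        left = self.p_not()
        while self.peek() in ("and", "&&"):
            self.take(); left = (lambda l, r: lambda p: l(p) and r(p))(left, self.p_not())
        return left
    def p_not(self):
        if self.peek() in ("not", "!"):
            self.take(); inner = self.p_not()
            return lambda p: not inner(p)
        return self.p_primary()
    def p_primary(self):
        if self.peek() == "(":
            self.take("("); fn = self.p_or(); self.take(")")
            return fn
        field = self.take()
        if field in KEYWORDS or not re.match(r"[A-Za-z_]", field):
            raise ValueError(f"expected a field name, got {field!r}")
        op = self.peek()
        if op in ("==", "eq"):
            self.take(); tok = self.take()
            if "/" in tok:  # the engine's restriction: CIDR notation only inside a { } set
                raise ValueError("CIDR notation is only accepted inside a { } set")
            lit = literal(tok)
            return lambda p: field in p and matches(p[field], lit)
        if op == "in":
            self.take(); self.take("{")
            lits = []
            while self.peek() != "}":
                lits.append(literal(self.take()))
            self.take("}")
            return lambda p: field in p and any(matches(p[field], l) for l in lits)
        return lambda p: bool(p.get(field, False))  # bare boolean field such as tcp.flags.push

def compile_expr(text):
    parser = Parser(text)
    fn = parser.p_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected trailing token {parser.peek()!r}")
    return fn

# The three minimal-ruleset expressions, all block rules; a packet none of them matches is allowed.
MINIMAL_RULESET = [compile_expr(e) for e in (
    "(udp.srcport in {1900 11211 389 111 19 1194 3702 10001 20800 161 162 137 27005 520 0})",
    "(tcp.srcport in {21 0 3306})",
    '(ip.proto eq "hopopt") or (not ip.proto in {"esp" "tcp" "udp" "gre" "icmp"})',
)]

def verdict(packet):
    return "block" if any(rule(packet) for rule in MINIMAL_RULESET) else "allow"

# Constructed packets as field dictionaries; no real capture is involved.
SAMPLE_PACKETS = {
    "ssdp_reflection": {"ip.src": "198.51.100.9", "ip.proto": "udp", "udp.srcport": 1900, "udp.dstport": 40000},
    "ospf": {"ip.src": "198.51.100.9", "ip.proto": "ospf"},
    "ipsec_esp": {"ip.src": "198.51.100.9", "ip.proto": "esp"},
    "https_reply": {"ip.src": "198.51.100.9", "ip.proto": "tcp", "tcp.srcport": 443, "tcp.dstport": 51515},
}

def verdicts():
    return {name: verdict(pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

A field absent from a packet (for example `udp.srcport` on a TCP packet) makes any comparison on it false, which is what keeps rule 1 from touching TCP traffic; the `not ip.proto in { ... }` clause in rule 3 is what turns the minimal ruleset into a default deny for every protocol other than the five it lists, so a protocol such as OSPF is dropped even though no rule names it.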

---

---
title: Overview
description: Overview in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Overview

Protect your cloud infrastructure or network offices with advanced, scalable firewall-as-a-service protection.

 Enterprise-only 

Unwanted network traffic — from DDoS floods to unauthorized scans — can overwhelm your infrastructure. Cloudflare Network Firewall is a firewall-as-a-service (FWaaS) delivered from the Cloudflare global network, meaning Cloudflare runs the firewall for you in the cloud instead of on your own hardware. You can apply filter rules on a variety of criteria, such as protocol (for example, TCP or UDP) and packet length, to filter unwanted traffic before it reaches your network.

Cloudflare Network Firewall uses Wireshark display filter syntax, a rule language that originated in the popular network analysis tool [Wireshark ↗](https://www.wireshark.org/), is widely used in networking, and is shared with other Cloudflare products. With this syntax, you can craft rules to precisely allow or deny any traffic in or out of your network.

Cloudflare Network Firewall is available with the purchase of [Magic Transit](https://developers.cloudflare.com/magic-transit/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/).

---

## Features

###  Intrusion Detection System (IDS) 

Actively monitor for a wide range of known threat signatures in your traffic. IDS scans packets for patterns that match known attacks (such as malware signatures or exploit attempts) and alerts you when it finds a match.

[ Use Intrusion Detection System (IDS) ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/ids/) 

---

## Related products

**[Cloudflare Magic Transit](https://developers.cloudflare.com/magic-transit/)** 

Secure your network from incoming Internet traffic, and improve performance at Cloudflare scale.

**[Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/)** 

Improve security and performance for your entire corporate network, reducing cost and operational complexity.

---

---
title: Protocol validation rules
description: How Protocol validation rules works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Protocol validation rules

Cloudflare Network Firewall can validate [Session Initiation Protocol (SIP) ↗](https://datatracker.ietf.org/doc/html/rfc2543) traffic — the protocol used to set up voice and video calls over IP networks (VoIP). This lets you inspect whether SIP packets are properly formatted and enforce a positive security model (only allow well-formed SIP traffic, block everything else).

You can use the `sip` field when creating a rule to check whether packets contain valid SIP data, a Layer 7 (L7) protocol. The `sip` field evaluates to `true` for well-formed SIP packets. Refer to [Cloudflare Network Firewall fields](https://developers.cloudflare.com/cloudflare-network-firewall/reference/network-firewall-fields/), specifically the `sip` field, for more information on this topic.

Currently, SIP is the only protocol supported for deep validation. Contact your account manager if you need Cloudflare Network Firewall to support additional protocols.

---

---
title: Ruleset logic
description: How Ruleset logic works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Ruleset logic

Cloudflare Network Firewall rules are performed after Cloudflare's DDoS mitigations have been applied. The two systems are independent, and therefore, permitting traffic inside Cloudflare Network Firewall does not allow it within our DDoS mitigations. Traffic can still be blocked by DDoS mitigations that are applied first in the flow through Cloudflare's systems.

By default, Cloudflare Network Firewall policies allow all traffic until explicitly blocked by a rule. If no policy is configured, all traffic is permitted after DDoS mitigations have been applied.

## Security policy

You have two options for configuring a security policy:

* Enforce a positive security model, which blocks everything and creates allow rules for specific required traffic.
* Begin with a minimal ruleset to block specific traffic and, by default, everything else is permitted.

Traffic is matched in order of the configured rules. As soon as traffic is matched by an enabled rule, it is no longer validated against the later rules. Disabled rules are skipped entirely — traffic is not evaluated against them. In the dashboard under **Traffic policies** \> **Firewall policies**, rule order begins from the top and flows down your list of rules.

For example, permitting all TCP traffic in a rule #4 would mean all TCP traffic is permitted. A rule #5 to block traffic for IP address `x.x.x.x` would not be checked.

For best practices when configuring your security policy, refer to [Best practices](https://developers.cloudflare.com/cloudflare-network-firewall/best-practices/).

## Packet filtering policies and Magic Transit endpoint health checks

Cloudflare-sourced traffic is also subject to the Cloudflare Network Firewall rules you configure. If you block all ICMP traffic, you will also block Cloudflare's [endpoint health checks](https://developers.cloudflare.com/magic-transit/reference/tunnel-health-checks/#endpoint-health-checks). When blocking ICMP traffic, ensure your rules first allow ICMP sourced from Cloudflare public IPs to your prefix endpoint IPs before applying a block ICMP rule.

For a list of Cloudflare's public IPs, refer to [IP Ranges ↗](https://www.cloudflare.com/ips/).
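A small linter for the two ordering mistakes described above (the unreachable rule #5, and an ICMP block placed before the health-check allow), provided as an added example rather than Cloudflare tooling. Rules are modelled as per-field constraints, either a set of values or an IP network, with an absent field matching anything; a later enabled rule is reported as shadowed when every packet it could match is already matched by an earlier enabled rule, and disabled rules are ignored on both sides, as the firewall ignores them. `Rule`, `shadowed_rules` and the sample rules are this example's own; `192.0.2.0/24` stands in for Cloudflare's published IP ranges, `203.0.113.0/24` for a Magic Transit prefix, and `198.51.100.44` for the page's `x.x.x.x`.

```python
import ipaddress
from dataclasses import dataclass, replace

NETWORKS = (ipaddress.IPv4Network, ipaddress.IPv6Network)


@dataclass
class Rule:
    name: str
    action: str       # "allow" (the dashboard's Skip) or "block"
    match: dict       # field -> frozenset of values or an ip_network; an absent field matches anything
    enabled: bool = True


def constraint_covers(wider, narrower):
    """True when every value satisfying `narrower` also satisfies `wider`."""
    if isinstance(wider, NETWORKS):
        return isinstance(narrower, NETWORKS) and narrower.subnet_of(wider)
    return isinstance(narrower, frozenset) and narrower <= wider


def rule_covers(earlier, later):
    """Every packet `later` could match is already matched by `earlier`, so `later` never runs."""
    return all(f in later.match and constraint_covers(v, later.match[f]) for f, v in earlier.match.items())


def shadowed_rules(rules):
    """Return (shadowed rule, shadowing rule) name pairs; disabled rules neither shadow nor get flagged."""
    enabled = [r for r in rules if r.enabled]
    findings = []
    for pos, later in enumerate(enabled):
        for earlier in enabled[:pos]:
            if rule_covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed inputs. 192.0.2.0/24 stands in for Cloudflare's published IP ranges (cloudflare.com/ips)
# and 203.0.113.0/24 for a Magic Transit prefix; both are documentation ranges, not real allocations.
HEALTH_CHECK_SOURCES = ipaddress.ip_network("192.0.2.0/24")
PREFIX = ipaddress.ip_network("203.0.113.0/24")
ALLOW_TCP = Rule("#4 allow all TCP", "allow", {"ip.proto": frozenset({"tcp"})})
BLOCK_HOST = Rule("#5 block TCP from 198.51.100.44", "block",
                  {"ip.proto": frozenset({"tcp"}), "ip.src": ipaddress.ip_network("198.51.100.44/32")})
BLOCK_ICMP = Rule("block all ICMP", "block", {"ip.proto": frozenset({"icmp"})})
ALLOW_HEALTH_CHECKS = Rule("allow Cloudflare ICMP health checks", "allow",
                           {"ip.proto": frozenset({"icmp"}), "ip.src": HEALTH_CHECK_SOURCES, "ip.dst": PREFIX})


def page_example():
    """Rule #4 permits all TCP, so rule #5 is never consulted."""
    return shadowed_rules([ALLOW_TCP, BLOCK_HOST])


def page_example_rule4_disabled():
    """Disabling rule #4 makes rule #5 reachable again."""
    return shadowed_rules([replace(ALLOW_TCP, enabled=False), BLOCK_HOST])


def icmp_wrong_order():
    """Blocking ICMP first silences the health-check allow that follows it."""
    return shadowed_rules([BLOCK_ICMP, ALLOW_HEALTH_CHECKS])


def icmp_right_order():
    """Allow health checks first, then block the rest of ICMP: nothing is shadowed."""
    return shadowed_rules([ALLOW_HEALTH_CHECKS, BLOCK_ICMP])


if __name__ == "__main__":
    for check in (page_example, page_example_rule4_disabled, icmp_wrong_order, icmp_right_order):
        print(f"{check.__name__}: {check() or 'no shadowed rules'}")
```

The check is deliberately conservative: it reports only rules that can never match. A narrower earlier rule that overlaps a later one without covering it (for example an allow for one subnet ahead of a block for one address outside that subnet) is left alone, since the later rule still has packets of its own.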

## Cloudflare Network Firewall phases

Traffic is processed in two phases: first against your Custom rules, then against Cloudflare's Managed rules.

### Custom phase ruleset

The Custom phase is a set of rules you define and control. You can customize the expression, order, and actions of these rules.

Cloudflare Network Firewall evaluates custom policies before managed policies in the order of precedence. Therefore, if traffic meets the conditions from a custom policy first, that is the action Cloudflare Network Firewall will take.

The actions available for a custom rule are **Block** or **Skip** (allow).

### Managed phase ruleset

Managed phase rulesets are maintained by Cloudflare and contain rules based on best practices, known malicious patterns, and other threat intelligence.

Cloudflare maintains the expressions and order of execution for rules in the Managed phase. You can enable, disable, or set individual rules to log matching packets.

Refer to [Enable managed rulesets](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets/) for more information.


---

---
title: Traffic types
description: How Traffic types works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---



# Traffic types

Cloudflare Network Firewall enables you to allow or block traffic on a variety of packet characteristics, including:

* **Source and destination IP** — the sender's and receiver's IP addresses
* **Source and destination port** — the numeric port identifying the specific service (for example, port 80 for HTTP)
* **Protocol** — the communication method, such as TCP or UDP
* **Packet length** — the size of the packet in bytes
* **Bit field match** — inspect individual flags within packet headers

Cloudflare Network Firewall operates at OSI layers 3 and 4 — the network layer (IP addressing and routing) and transport layer (port-based connections). It supports protocols such as TCP (reliable, ordered connections), UDP (fast, connectionless messages), and ICMP (network diagnostic messages like ping). You can write rules against any layer 3 or 4 protocol, not only TCP and UDP.

To see the full list of fields you can use when writing filter expressions, refer to [Cloudflare Network Firewall fields](https://developers.cloudflare.com/cloudflare-network-firewall/reference/network-firewall-fields/).


---

---
title: Proxy
description: How Proxy works in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---



# Proxy

You can forward [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) and [network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/network/) traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, Generic Routing Encapsulation (GRE) tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server.

The Gateway proxy is required for filtering HTTP and network traffic via the Cloudflare One Client in Traffic and DNS mode. To proxy HTTP traffic without deploying the Cloudflare One Client, you can configure [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) on your devices.

## Proxy algorithm

Gateway uses the [Happy Eyeballs algorithm ↗](https://datatracker.ietf.org/doc/html/rfc6555), which tries IPv4 and IPv6 connections with a staggered fallback and uses whichever address family responds first, to proxy traffic in the following order:

1. The user's browser initiates the TCP handshake by sending Gateway a TCP SYN segment.
2. Gateway sends a SYN segment to the origin server.
3. If the origin server sends a SYN-ACK segment back, Gateway establishes separate TCP connections between the user and Gateway and between Gateway and the origin server.
4. Gateway inspects and filters traffic received from the user.
5. If the traffic passes inspection, Gateway proxies traffic bidirectionally between the user and the origin server.

```mermaid
flowchart TD
    %% Accessibility
    accTitle: How Gateway proxy works
    accDescr: Flowchart describing how the Gateway proxy uses the Happy Eyeballs algorithm to establish TCP connections and proxy user traffic.

    %% Flowchart
    A[User's device sends TCP SYN to Gateway] --> B[Gateway sends TCP SYN to origin server]
    B --> C{{Origin server responds with TCP SYN-ACK?}}
    C -->|Yes| E[TCP handshakes completed]
    C -->|No| D[Connection fails]
    E --> F{{Connection allowed?}}
    F -->|Allow policy| G[Gateway proxies traffic bidirectionally]
    F -->|Block policy| H[Connection blocked by firewall policies]

    %% Styling
    style D stroke:#D50000
    style G stroke:#00C853
    style H stroke:#D50000
```

## Supported protocols

Gateway supports proxying TCP, UDP, and ICMP traffic.

### TCP

When the proxy is enabled, Gateway will always forward TCP traffic.

By default, TCP connection attempts will time out after 30 seconds and idle connections will disconnect after 8 hours.

### UDP

The UDP proxy forwards UDP traffic such as VoIP, [internal DNS requests](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/), and thick client applications.

HTTP/3 uses the QUIC protocol over UDP. To inspect HTTP/3 traffic, turn on both TLS decryption and the UDP proxy. Gateway will then intercept the HTTP/3 connection and connect to the origin server over HTTP/2. Otherwise, HTTP/3 traffic will bypass inspection. For more information on browser-specific behavior, refer to [HTTP/3 inspection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/http3/).

### ICMP (Internet Control Message Protocol)

The ICMP proxy allows ICMP traffic to reach your private network through Gateway. For example, this would allow a Cloudflare One Client user to run diagnostic commands such as `ping` and `traceroute` to an internal server IP.

Limitation

Gateway cannot log or filter ICMP traffic.

#### Allow ICMP traffic through `cloudflared`

To use the ICMP proxy with Cloudflare Tunnel, you may need to configure the `cloudflared` host to allow ICMP traffic through `cloudflared`.

**Linux**

1. Ensure that `ping_group_range` includes the Group ID (GID) of the user running `cloudflared`:

   a. Find the user that owns the `cloudflared` process:

      ```sh
      ps -aux | grep cloudflared
      ```

      ```
      johndoe         407  0.8  1.7 1259904 35296 ?       Ssl  21:02   0:00 /usr/bin/cloudflared --no-autoupdate tunnel run --token eyJhI...
      ```

   b. Get the Group ID of the `cloudflared` user:

      ```sh
      id -g johndoe
      ```

      ```
      10001
      ```

   c. Determine the Group IDs that are allowed to use ICMP:

      ```sh
      sudo sysctl net.ipv4.ping_group_range
      ```

      ```
      net.ipv4.ping_group_range= 0 10000
      ```

   d. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update `ping_group_range`:

      ```sh
      echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range
      ```

   e. If you need the change to apply to an already running process, restart `cloudflared`. To make the change persist across reboots, update your `sysctl` parameters:

      ```sh
      echo "net.ipv4.ping_group_range = 0 10001" | sudo tee -a /etc/sysctl.d/99-cloudflared.conf
      ```

2. If you are running multiple network interfaces (for example, `eth0` and `eth1`), configure `cloudflared` to use the external Internet-facing interface:

   ```sh
   cloudflared tunnel run --icmpv4-src <IP of primary interface>
   ```

**Docker**

In your environment, modify the `ping_group_range` parameter to include the Group ID (GID) of the user running `cloudflared`.

By default, the [cloudflared Docker container ↗](https://github.com/cloudflare/cloudflared/blob/master/Dockerfile#L29C6-L29C13) executes as a user called `nonroot` inside the container. `nonroot` is a specific user that exists in the [base image ↗](https://github.com/GoogleContainerTools/distroless/blob/859eeea1f9b3b7d59bdcd7e24a977f721e4a406c/base/base.bzl#L8) we use, and its Group ID is hardcoded to 65532.

## Turn on the Gateway proxy

The Gateway proxy toggle only applies to traffic from Cloudflare One Client devices. Gateway will always proxy traffic sent with [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) or [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) regardless of this setting.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection settings**, turn on **Allow Secure Web Gateway to proxy traffic**.
3. Select **TCP**.
4. (Optional) Depending on your use case, you can select **UDP** and/or **ICMP**.


---

---
title: Resolver policies
description: Configure Resolver policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---



# Resolver policies

Note

Only available on Enterprise plans.

By default, Gateway sends DNS requests to [1.1.1.1](https://developers.cloudflare.com/1.1.1.1/), Cloudflare's public DNS resolver, for resolution. Enterprise users can instead create Gateway policies to route DNS queries to custom resolvers.

```mermaid
flowchart TD
    %% Accessibility
    accTitle: How Gateway routes DNS queries
    accDescr: Flowchart describing the order Cloudflare Gateway routes a DNS query from an endpoint through DNS and resolver policies back to the user.

    %% Flowchart
    user(["User"])-->endpoint[/"Gateway DNS endpoint"/]

    endpoint-->query["DNS policy (query)"]

    query-->resolver["Resolver policy"]

    resolver--"Routes to </br>custom resolver"-->response["DNS policy (response)"]

    response--"Returns response"-->user
```

Gateway will route user traffic to your configured DNS resolver based on the matching policy, even if your resolvers' IP addresses overlap.

## Use cases

You may use resolver policies if you require access to non-publicly routed domains, such as private network services or internal resources. You may also use resolver policies if you need to access a protected DNS service or want to simplify DNS management for multiple locations.

### Internal DNS Beta

[Cloudflare Internal DNS](https://developers.cloudflare.com/dns/internal-dns/) allows you to manage DNS records for internal resources on a private network. DNS zones configured in Internal DNS can only be queried by the Gateway resolver. With resolver policies, you can control how Gateway resolves your organization's DNS queries to internal resources based on the context of the query, such as known source IPs for a geographic location.

To get started with resolving internal DNS queries with resolver policies, refer to [Get started](https://developers.cloudflare.com/dns/internal-dns/get-started/).

### Local Domain Fallback

Use resolver policies when your DNS server is reachable from Cloudflare's network — for example, through a Cloudflare Tunnel, IPsec/GRE tunnel, or the public Internet. Use [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) when the DNS server is only reachable from the user's device.

If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply your client-side Local Domain Fallback rules first. If you onboard DNS queries to Gateway with the Cloudflare One Client and route them with resolver policies, the source IP of the queries will be the IP address assigned by the Cloudflare One Client.

Local Domain Fallback or Gateway Resolver policies?

If your DNS server can be configured to connect to a Cloudflare on-ramp, Cloudflare recommends using Gateway Resolver policies rather than Local Domain Fallback. Gateway Resolver policies provide more visibility by allowing you to log and review DNS traffic.

## Resolver connections

Resolver policies support TCP and UDP connections. Custom resolvers can point to the Internet via IPv4 or IPv6, or to a private network service, such as a [Magic tunnel](https://developers.cloudflare.com/magic-transit/how-to/configure-tunnel-endpoints/). Policies default to port `53`. You can change which port your resolver uses by customizing it in your policy.

You can protect your authoritative nameservers from DDoS attacks by enabling [DNS Firewall](https://developers.cloudflare.com/dns/dns-firewall/).

### Cloudflare Tunnel

You can configure connections to a private resolver connected to Cloudflare with [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). To ensure `cloudflared` can route UDP traffic to your resolver, connect your tunnel via [QUIC](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#protocol).

For more information on connecting a private DNS resolver to Cloudflare with Cloudflare Tunnel, refer to [Private DNS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/).

### Cloudflare WAN

To enable connections to a private resolver connected to Cloudflare via [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/), contact your account team.

### Available DNS endpoints

Resolver policies can route queries for resolution from the following DNS endpoints:

* IPv4
* IPv6
* [DNS over HTTPS (DoH)](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/)
* [DNS over TLS (DoT)](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-tls/)
* DNS queries generated by Cloudflare [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) and [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/)
* DNS queries generated by [proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)

Gateway will filter, resolve, and log your queries regardless of endpoint.

## Create a resolver policy

Virtual network limitation

Resolver policies do not automatically update when you change the virtual networks associated with a route. If you move a route from one virtual network to another, the resolver policy will still reference the old virtual network. You will need to manually remove and recreate the resolver policy to update the route.

To create a resolver policy:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Resolver policies**.
2. Select **Add a policy**.
3. Create an expression for your desired traffic. For example, you can resolve a hostname for an internal service:

   | Selector | Operator | Value                |
   | -------- | -------- | -------------------- |
   | Host     | in       | internal.example.com |

   Make sure your destination is not subject to [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#manage-local-domains).
4. In **Select DNS resolver**, choose _Configure custom DNS resolvers_.
5. Enter the IP addresses of your custom DNS resolver. As you enter an IP address, Gateway will search through your [virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) configured in Zero Trust.
6. In **Network**, choose whether to route queries publicly (to the Internet) or privately (to a private network service).
7. (Optional) Enter a custom port for each IP address.
8. Select **Create policy**.

Custom resolvers are saved to your account for future use. You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.

**Terraform (v5)**

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):
   * `Zero Trust Write`
2. Create a resolver policy using the [cloudflare\_zero\_trust\_gateway\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fpolicy) resource:

   ```hcl
   resource "cloudflare_zero_trust_gateway_policy" "resolver_policy" {
     name        = "Example resolver policy"
     enabled     = true
     account_id  = var.cloudflare_account_id
     description = "TERRAFORM MANAGED resolver policy"
     action      = "resolve"
     traffic     = "dns.fqdn in {\"internal.example.com\"}"
     identity    = "identity.email in {\"jdoe@example.com\"}"
     precedence  = 1
     rule_settings = {
       dns_resolvers = {
         # You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.
         ipv4 = [{
           ip                            = "192.0.2.24"
           port                          = 53
           route_through_private_network = true
           vnet_id                       = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id
         }]
         ipv6 = [{
           ip                            = "2001:DB8::"
           port                          = 53
           route_through_private_network = true
           vnet_id                       = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id
         }]
       }
     }
   }
   ```

When a user's query matches a resolver policy, Gateway will send the query to your listed resolvers in the following order:

1. Public resolvers
2. Private resolvers behind the default virtual network for your account
3. Private resolvers behind a custom virtual network

Gateway will cache the fastest resolver for use in subsequent queries. Resolver priority is cached on a per user basis for each data center.

For more information on creating a DNS policy, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/).

Terraform provider v4 precedence limitation

To avoid conflicts, version 4 of the Terraform Cloudflare provider applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint.

To ensure your precedence is set correctly, Cloudflare recommends [upgrading your Terraform provider to version 5 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade).

## Selectors

### Content Categories

Use this selector to filter domains belonging to specific [content categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories).

| UI name            | API example                             | Evaluation phase      |
| ------------------ | --------------------------------------- | --------------------- |
| Content Categories | any(dns.content\_category\[\*\] in {1}) | Before DNS resolution |

### DNS Resolver IP

Use this selector to apply policies to DNS queries that arrived at the Gateway Resolver IP address aligned with a registered DNS location. For most Gateway customers, this is an IPv4 anycast address, and policies created using this IPv4 address will apply to all DNS locations. However, each DNS location has a dedicated IPv6 address, and some Gateway customers have been supplied with a dedicated IPv4 address. Both of these can be used to apply policies to specific registered DNS locations.

| UI name         | API example                                 | Evaluation phase      |
| --------------- | ------------------------------------------- | --------------------- |
| DNS Resolver IP | any(dns.resolved\_ip\[\*\] == 198.51.100.0) | Before DNS resolution |

### DoH Subdomain

Use this selector to match against DNS queries that arrive via DNS-over-HTTPS (DoH) destined for the DoH endpoint configured for each DNS location. For example, you can use a DNS location with a DoH endpoint of `abcdefg.cloudflare-gateway.com` by choosing the DoH Subdomain selector and inputting a value of `abcdefg`.

| UI name       | API example                     | Evaluation phase      |
| ------------- | ------------------------------- | --------------------- |
| DOH Subdomain | dns.doh\_subdomain == "abcdefg" | Before DNS resolution |

### Domain

Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`.

| UI name | API example                             | Evaluation phase      |
| ------- | --------------------------------------- | --------------------- |
| Domain  | any(dns.domains\[\*\] == "example.com") | Before DNS resolution |

Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

### Host

Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`.

| UI name | API example               | Evaluation phase      |
| ------- | ------------------------- | --------------------- |
| Host    | dns.fqdn == "example.com" | Before DNS resolution |

Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/).

Note

Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector.
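The difference between the Host and Domain selectors, modelled as an added example (not Cloudflare's code). It assumes `dns.domains[*]` holds the queried name and each of its parent domains, and that policies are evaluated in precedence order with the first match deciding.

```python
"""Model of the Gateway Host and Domain selectors: Host (dns.fqdn == value)
matches only the exact hostname, Domain (any(dns.domains[*] == value))
matches the domain and every subdomain. Added example, not Cloudflare code.
Assumption: dns.domains[*] holds the queried name plus each parent domain."""
from typing import List, Optional, Tuple


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.COM.' == 'example.com'."""
    return name.rstrip(".").lower()


def dns_domains(fqdn: str) -> List[str]:
    """Queried name followed by its parent domains (assumed dns.domains[*]).

    'www.test.example.com' -> ['www.test.example.com', 'test.example.com',
                               'example.com', 'com']
    """
    labels = _normalize(fqdn).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def host_matches(fqdn: str, value: str) -> bool:
    """Host selector: dns.fqdn == value. Exact hostname only, so
    'test.example.com' matches but 'www.test.example.com' does not."""
    return _normalize(fqdn) == _normalize(value)


def domain_matches(fqdn: str, value: str) -> bool:
    """Domain selector: any(dns.domains[*] == value). Matches the domain and
    all subdomains, including the invisible 'www.' redirect case in the note."""
    return _normalize(value) in dns_domains(fqdn)


SELECTORS = {"host": host_matches, "domain": domain_matches}

# A policy is (name, selector, value, action); constructed sample policies.
Policy = Tuple[str, str, str, str]


def first_matching_policy(fqdn: str, policies: List[Policy]) -> Optional[str]:
    """Evaluate policies in precedence order; the first match decides."""
    for name, selector, value, _action in policies:
        if SELECTORS[selector](fqdn, value):
            return name
    return None


POLICIES: List[Policy] = [
    ("block-test-host", "host", "test.example.com", "block"),
    ("resolve-example-internally", "domain", "example.com", "resolve"),
]


if __name__ == "__main__":
    for name in ("test.example.com", "www.test.example.com", "example.com", "other.org"):
        print(name, "->", first_matching_policy(name, POLICIES))
```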

### Location

Use this selector to apply policies to a specific [Gateway DNS location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) or set of locations.

| UI name  | API example                                               | Evaluation phase      |
| -------- | --------------------------------------------------------- | --------------------- |
| Location | dns.location in {"location\_uuid\_1" "location\_uuid\_2"} | Before DNS resolution |

### Query Record Type

Use this selector to choose the DNS resource record type that you would like to apply policies against. For example, you can match `A` records for a domain but not `MX` records.

| UI name           | API example               | Evaluation phase      |
| ----------------- | ------------------------- | --------------------- |
| Query Record Type | dns.query\_rtype == "TXT" | Before DNS resolution |

### Security Categories

Use this selector to match domains (and optionally, [IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category)) belonging to specific [security categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories).

| UI name             | API example                              | Evaluation phase      |
| ------------------- | ---------------------------------------- | --------------------- |
| Security Categories | any(dns.security\_category\[\*\] in {1}) | Before DNS resolution |

### Source Continent

Use this selector to filter based on the continent from which the query arrived at Gateway.

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field:

| Continent     | Code |
| ------------- | ---- |
| Africa        | AF   |
| Antarctica    | AN   |
| Asia          | AS   |
| Europe        | EU   |
| North America | NA   |
| Oceania       | OC   |
| South America | SA   |
| Tor network   | T1   |

| UI name                         | API example                              | Evaluation phase      |
| ------------------------------- | ---------------------------------------- | --------------------- |
| Source Continent IP Geolocation | dns.src.geo.continent == "North America" | Before DNS resolution |

### Source Country

Use this selector to filter based on the country from which the query arrived at Gateway.

Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code ↗](https://www.iso.org/obp/ui/#search/code/) in the **Value** field.

| UI name                       | API example                 | Evaluation phase      |
| ----------------------------- | --------------------------- | --------------------- |
| Source Country IP Geolocation | dns.src.geo.country == "RU" | Before DNS resolution |

### Source IP

Use this selector to apply policies to the source IP address of DNS queries. For example, this could be the WAN IP address of the stub resolver used by your organization to send queries to Gateway.

| UI name   | API example                 | Evaluation phase      |
| --------- | --------------------------- | --------------------- |
| Source IP | dns.src\_ip == 198.51.100.0 | Before DNS resolution |

### Users

Use these selectors to match against identity attributes.

| UI name           | API example                                                                                                     | Evaluation phase      |
| ----------------- | --------------------------------------------------------------------------------------------------------------- | --------------------- |
| User Email        | identity.email == "user@example.com"                                                                            | Before DNS resolution |
| User Name         | identity.name == "Test User"                                                                                    | Before DNS resolution |
| User Group IDs    | any(identity.groups\[\*\].id in {"group\_id"})                                                                  | Before DNS resolution |
| User Group Names  | any(identity.groups\[\*\].name in {"group\_name"})                                                              | Before DNS resolution |
| User Group Emails | any(identity.groups\[\*\].email in {"group@example.com"})                                                       | Before DNS resolution |
| SAML Attributes   | any(identity.saml\_attributes\["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"\] in {"Test User"}) | Before DNS resolution |

## Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a **Selector** in the dashboard policy builder, the **Operator** dropdown menu will display the available options for that selector.

| Operator                 | Meaning                                                                                                            |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------ |
| is                       | equals the defined value                                                                                           |
| is not                   | does not equal the defined value                                                                                   |
| in                       | matches at least one of the defined values                                                                         |
| not in                   | does not match any of the defined values                                                                           |
| in list                  | in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values     |
| not in list              | not in a pre-defined [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of values |
| matches regex            | regex evaluates to true                                                                                            |
| does not match regex     | regex evaluates to false                                                                                           |
| greater than             | exceeds the defined number                                                                                         |
| greater than or equal to | exceeds or equals the defined number                                                                               |
| less than                | below the defined number                                                                                           |
| less than or equal to    | below or equals the defined number                                                                                 |

## Value

In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors.

### Regular expressions

Regular expressions are evaluated using Rust. The Rust implementation is slightly different from the regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/#wildcards). To check whether your regex matches, you can use [Rustexp ↗](https://rustexp.lpil.uk/).

If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. You do not need to use an escape character (`\`) before the pipe symbol. For example, the following expression evaluates to true when the hostname matches either `.*whispersystems.org` or `.*signal.org`:

| Selector | Operator      | Value                                |
| -------- | ------------- | ------------------------------------ |
| Host     | matches regex | .\*whispersystems.org\|.\*signal.org |

In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values.

## Logical operators

To evaluate multiple conditions in an expression, select the **And** logical operator. These expressions can be compared further with the **Or** logical operator.

| Operator | Meaning                                       |
| -------- | --------------------------------------------- |
| And      | match all of the conditions in the expression |
| Or       | match any of the conditions in the expression |

The **Or** operator will only work with conditions in the same expression group. For example, you cannot compare conditions in **Traffic** with conditions in **Identity**.

---

---
title: Tiered policies
description: Overview of Tiered policies in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Tiered policies

Note

Only available on Enterprise plans.

Gateway tiered policies allow you to share and enforce Gateway policies across multiple Zero Trust accounts. This enables centralized policy management for organizations that manage multiple accounts.

There are two approaches for setting up tiered policies, depending on your deployment model and policy requirements:

* **[Cloudflare Organizations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/organizations/)** — Share DNS, network, HTTP, and resolver policies across accounts in a Cloudflare Organization using the dashboard.
* **[Tenant API](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/tenant-api/)** — Manage DNS policies across parent and child accounts for Managed Service Provider (MSP) deployments.

## Organizations vs. Tenant API

| Feature                    | [Cloudflare Organizations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/organizations/) | [Tenant API](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/tenant-api/) |
| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| **Supported policy types** | DNS, Network, HTTP, Resolver                                                                                                 | DNS only                                                                                                    |
| **Account model**          | Source / Recipient accounts                                                                                                  | Parent / Child accounts                                                                                     |
| **Shareable settings**     | Block pages, extended email matching                                                                                         | Block pages                                                                                                 |
| **Setup**                  | Dashboard (self-serve)                                                                                                       | API-only                                                                                                    |
| **Availability**           | Enterprise (beta)                                                                                                            | Enterprise (GA)                                                                                             |

---

---
title: Cloudflare Organizations
description: Cloudflare Organizations in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloudflare Organizations

Note

Only available on Enterprise plans.

Gateway supports using [Cloudflare Organizations](https://developers.cloudflare.com/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an Organization. Tiered Gateway policies with Organizations support [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), and [resolver](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) policies.

For a DNS-only deployment using the Tenant API, refer to [Tenant API](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/tenant-api/).

## Get started

To set up Cloudflare Organizations, refer to [Create an Organization](https://developers.cloudflare.com/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your Organization's accounts, you can create [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).

## Account types

Zero Trust accounts in Cloudflare Organizations include source accounts and recipient accounts.

In a tiered policy configuration, a top-level source account can share Gateway policies with its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) for recipient accounts independently from the source account. Gateway will automatically [generate a unique root CA](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an Organization.

Each recipient account is subject to the default Zero Trust [account limits](https://developers.cloudflare.com/cloudflare-one/account-limits/).

Gateway evaluates source account policies before any recipient account policies. Shared policies always take priority in recipient accounts — recipient accounts cannot bypass, modify, or reorder shared policies, and cannot move any of their own policies above shared ones. If you update the relative priority of shared policies in the source account, the change will be reflected in recipient accounts within approximately two minutes.

All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](https://developers.cloudflare.com/logs/logpush/) must be configured separately. When using DLP policies with [payload logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules), each recipient account must configure its own [encryption public key](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key).

```mermaid
flowchart TD
%% Accessibility
 accTitle: How Gateway policies work in a tiered account configuration
 accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration using Cloudflare Organizations.

%% Flowchart
 subgraph s1["Source account"]
        n1["Block malware"]
        n2["Block spyware"]
        n3["Block DNS tunnel"]
  end
 subgraph s2["Recipient account A"]
        n5["Block malware"]
        n6["Block spyware"]
        n4["Block social media"]
  end
 subgraph s3["Recipient account B"]
        n8["Block malware"]
        n9["Block spyware"]
        n10["Block DNS tunnel"]
        n7["Block instant messaging"]
  end
    n1 ~~~ n2
    n2 ~~~ n3
    s1 -- Share policies with --> s2 & s3

    n1@{ shape: rect}
    n2@{ shape: rect}
    n3@{ shape: rect}
    n4@{ shape: rect}
    n5@{ shape: rect}
    n6@{ shape: rect}
    n7@{ shape: rect}
    n8@{ shape: rect}
    n9@{ shape: rect}
    n10@{ shape: rect}
     n1:::Sky
     n2:::Sky
     n3:::Peach
     n4:::Forest
     n5:::Sky
     n6:::Sky
     n7:::Forest
     n8:::Sky
     n9:::Sky
     n10:::Peach
    classDef Sky stroke-width:1px, stroke-dasharray:none, stroke:#374D7C, fill:#E2EBFF, color:#374D7C
    classDef Peach stroke-width:1px, stroke-dasharray:none, stroke:#FBB35A, fill:#FFEFDB, color:#8F632D
    classDef Forest stroke-width:1px, stroke-dasharray:none, stroke:#2D6A4F, fill:#D8F3DC, color:#2D6A4F
```

In the diagram above:

* Blue policies (**Block malware** and **Block spyware**) are shared from the source account.
* Orange policies (**Block DNS tunnel**) are not shared.
* Green policies (**Block social media** and **Block instant messaging**) are created locally in recipient accounts.

## Limitations

Tiered policies with Organizations have the following limitations:

* [Egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) cannot be shared between accounts.
* Source accounts cannot share policies that use [device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) selectors, the [Detected protocol](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#detected-protocol) selector, or the [Quarantine](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#quarantine) action. Source and recipient accounts can still create and apply policies with these selectors and actions separately from the Organization share.
* Policies can only be shared within an Organization. Sharing to sub-organizations is not supported.

Warning

If a shared policy contains identity-based selectors, ensure that both the source account and recipient accounts have matching identity provider (IdP) configurations. If there is a mismatch in IdPs between the source account and a recipient account, the shared policy will never apply to traffic in that recipient account.

## Manage policies

You can create, configure, and share your tiered policies in the source account for your Cloudflare Organization.

### Share policy

To share a Gateway policy from a source account to a recipient account:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**.
2. Choose the policy type you want to share. If you want to share a resolver policy, go to **Traffic policies** \> **Resolver policies**.
3. Find the policy you want to share from the list. In the three-dot menu, select **Share**. Alternatively, to bulk share multiple policies, you can select each policy you want to share, then select **Actions** \> **Share**.
4. In **Select account**, choose the accounts you want to share the policy with. To share the policy with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_.
5. Select **Continue**, then select **Share**.

A sharing icon will appear next to the policy's name. When sharing is complete, the policy will appear in and apply to the recipient accounts. Shared policies will appear grayed out in the recipient account's list of Gateway policies.

Note

After sharing a policy, it may take up to two minutes before the policy appears in recipient accounts.

If a policy fails to share to recipient accounts, Gateway will retry deploying the policy automatically unless the error is unrecoverable.

### Edit share recipients

To change or remove recipients for a Gateway policy:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**.
2. Choose the policy type you want to edit. If you want to edit a resolver policy, go to **Traffic policies** \> **Resolver policies**.
3. Find the policy you want to edit from the list.
4. In the three-dot menu, select **Edit shared configuration recipients**.
5. In **Select account**, choose the accounts you want to share the policy with. To remove a recipient, select **Remove** next to the recipient account's name.
6. Select **Continue**, then select **Save**.

When sharing is complete, the policy sharing will update across the configured recipient accounts.

Note

If you selected _Select all accounts in org_ when sharing the policy, you will need to [unshare the policy](#unshare-policy) before you can edit its recipient accounts.

### Unshare policy

To stop sharing a policy with all recipient accounts:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**.
2. Choose the policy type you want to remove. If you want to remove a resolver policy, go to **Traffic policies** \> **Resolver policies**.
3. Find the policy you want to remove from the list. In the three-dot menu, select **Unshare**. Alternatively, to bulk remove multiple policies, you can select each policy you want to remove, then select **Actions** \> **Unshare**.
4. Select **Unshare**.

When sharing is complete, Gateway will stop sharing the policy with all recipient accounts and only apply the policy to the source account.

### Edit shared policy

Changes made to shared policies will apply to all recipient accounts. Deleting a shared policy will delete the policy from both the source account and all recipient accounts.

## Manage Gateway settings

You can share certain Gateway settings - the Gateway block page and extended email address matching - from your source account to recipient accounts in your Cloudflare Organization. Other Gateway settings configured in a source account, such as [AV scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) and [file sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), will not affect recipient account configurations.

### Share Gateway block page

To share your [Gateway block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) settings from a source account to a recipient account:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Custom pages**.
2. In **Account Gateway block page**, select the three-dot menu and choose **Share**.
3. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_.
4. Select **Continue**, then select **Share**.

A sharing icon will appear next to the setting. When sharing is complete, the setting will appear in and apply to the recipient accounts.

To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**.

### Share extended email address matching

To share your [extended email address matching](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#extended-email-addresses) settings from a source account to a recipient account:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Firewall** \> **Matched extended email address**, select the three-dot menu and choose **Share**.
3. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_.
4. Select **Continue**, then select **Share**.

A sharing icon will appear next to the setting. When sharing is complete, the setting will appear in and apply to the recipient accounts.

To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**.

---

---
title: Tenant API
description: Tenant API in Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Tenant API

Note

Only available for [Cloudflare Partners ↗](https://www.cloudflare.com/partners/) on Enterprise plans. To gain access, contact your account team.

Gateway supports the [Cloudflare Tenant API](https://developers.cloudflare.com/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level.

Warning

The Tenant API platform only supports [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). To apply HTTP, network, and resolver policies, use [Cloudflare Organizations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/organizations/) instead.

For more information, refer to the [Cloudflare Zero Trust for managed service providers ↗](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post.

## Get started

To set up the Tenant API, refer to [Get started](https://developers.cloudflare.com/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/).

## Account types

The Gateway Tenant platform supports tiered and siloed account configurations.

### Tiered accounts

In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account for the following Gateway features:

* **[Custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/)**: Child accounts will use the block page setting used by the parent account unless you configure separate block settings for the child account. This applies to both redirects and custom block pages. The block page uses the account certificate for each child account.
* **[Root certificates](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/)**: If Gateway cannot attribute an incoming DNS query to a child account, it will use the parent account's certificate. This happens when the source IP address of the DNS query does not match a child account or if a custom DNS resolver endpoint is not configured.
* **[DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/)**
* **[Lists](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/)**

Each child account is subject to the default Zero Trust [account limits](https://developers.cloudflare.com/cloudflare-one/account-limits/).

Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`.

```mermaid
flowchart TD
%% Accessibility
 accTitle: How Gateway policies work in a tiered account configuration
 accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration.

%% Flowchart
 subgraph s1["Parent account"]
        n1["Block malware"]
        n2["Block DNS tunnel"]
        n3["Block spyware"]
  end
 subgraph s2["Child account A"]
        n4["Block social media"]
  end
 subgraph s3["Child account B"]
        n5["Block instant messaging"]
  end
    n1 ~~~ n2
    n2 ~~~ n3
    A["Tenant"] --Administers--> s1
    s1 -- "Applies policies to" --> s2 & s3

    n1@{ shape: lean-l}
    n2@{ shape: lean-l}
    n3@{ shape: lean-l}
    n4@{ shape: lean-l}
    n5@{ shape: lean-l}
```
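As an added example (not Cloudflare's code), the following Python model walks one DNS query through parent/source policies before child/recipient policies, applying the comparison operators and the pipe-as-OR regex from the resolver policy section above and the `allow_child_bypass` rule setting described here. The rule data, the selector and category names, the use of Python's `re` in place of Gateway's Rust engine, and the exact override semantics of `allow_child_bypass` are assumptions made for the model.

```python
import operator
import re
from dataclasses import dataclass, replace
from typing import Any

# Numeric comparison operators from the docs table, mapped to Python operators.
NUMERIC_OPS = {"greater than": operator.gt, "greater than or equal to": operator.ge,
               "less than": operator.lt, "less than or equal to": operator.le}


@dataclass
class Rule:
    """One Gateway policy reduced to a single selector/operator/value condition."""
    name: str
    selector: str                      # e.g. "Host", "Security Categories"
    operator: str                      # a comparison operator from the docs table
    value: Any                         # string, number, or a collection for in / not in
    action: str                        # "allow" or "block"
    allow_child_bypass: bool = False   # Tenant API rule setting named in the docs


def condition_matches(rule: Rule, traffic: dict) -> bool:
    """Apply the rule's comparison operator to the traffic's selector value.

    Python's re module stands in for Gateway's Rust regex engine; the docs note
    the engines differ, so check real patterns with Rustexp before deploying.
    """
    actual = traffic.get(rule.selector)
    if actual is None:                 # selector absent from this query: no match
        return False
    op, expected = rule.operator, rule.value
    if op == "is":
        return actual == expected
    if op == "is not":
        return actual != expected
    if op == "in":
        return actual in expected
    if op == "not in":
        return actual not in expected
    if op == "matches regex":          # unanchored search, like Rust's is_match
        return re.search(expected, actual) is not None
    if op == "does not match regex":
        return re.search(expected, actual) is None
    if op in NUMERIC_OPS:
        return NUMERIC_OPS[op](actual, expected)
    raise ValueError(f"unknown operator: {op}")


def first_match(rules: list, traffic: dict) -> "Rule | None":
    """Gateway is first-match-wins within an ordered list of policies."""
    for rule in rules:
        if condition_matches(rule, traffic):
            return rule
    return None


def evaluate(parent_rules: list, child_rules: list, traffic: dict) -> tuple:
    """Return (action, rule name, tier) for one query.

    Parent (Tenant API) or source (Organizations) policies are evaluated first and
    the child/recipient account cannot reorder them. Assumed here: a matching
    parent rule with allow_child_bypass=True lets a matching child rule replace
    its verdict; if no child rule matches, the parent verdict stands.
    """
    parent_hit = first_match(parent_rules, traffic)
    if parent_hit is not None and not parent_hit.allow_child_bypass:
        return parent_hit.action, parent_hit.name, "parent"
    child_hit = first_match(child_rules, traffic)
    if child_hit is not None:
        return child_hit.action, child_hit.name, "child"
    if parent_hit is not None:
        return parent_hit.action, parent_hit.name, "parent"
    return "allow", None, "default"    # nothing matched: implicit allow


# Constructed policies loosely following the tiered-account diagram (not real data).
PARENT_RULES = [
    Rule("Block malware", "Security Categories", "in", {"Malware", "Spyware"}, "block"),
    Rule("Block DNS tunnel", "Security Categories", "is", "DNS Tunneling", "block"),
    # The docs' pattern: the pipe is OR and needs no escaping. Its dots are
    # unescaped, so a host such as signalXorg.example also matches it.
    Rule("Allow messaging", "Host", "matches regex",
         r".*whispersystems.org|.*signal.org", "allow", allow_child_bypass=True),
]
PARENT_RULES_NO_BYPASS = [replace(r, allow_child_bypass=False) for r in PARENT_RULES]

CHILD_A_RULES = [
    # Anchored and escaped: matches only the two domains and their subdomains.
    Rule("Block instant messaging", "Host", "matches regex",
         r"^(.*\.)?(whispersystems|signal)\.org$", "block"),
    Rule("Block social media", "Content Categories", "is", "Social Networks", "block"),
]

if __name__ == "__main__":
    query = {"Host": "signal.org"}                                # constructed query
    print(evaluate(PARENT_RULES, CHILD_A_RULES, query))            # child overrides
    print(evaluate(PARENT_RULES_NO_BYPASS, CHILD_A_RULES, query))  # parent verdict stands
```

Toggling `allow_child_bypass` on the parent rule is the only thing that lets the child's block win; with it off, the child's anchored regex is never consulted, and the sloppy parent pattern also waves through the `signalXorg.example` lookalike.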

### Siloed accounts

In a siloed account configuration, each account operates independently within the same tenant. MSPs manage each account's own security policies, resources, and configurations separately.

```mermaid
flowchart TD
%% Accessibility
 accTitle: How Gateway policies work in a siloed account configuration
 accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration.

%% Flowchart
 subgraph s1["Siloed account A"]
        n1["Block social media"]
  end
 subgraph s2["Siloed account C"]
        n2["Block instant messaging"]
  end
 subgraph s3["Siloed account B"]
        n3["Block news"]
  end
    A["Tenant"] -- Administers --> s1 & s3 & s2

    n1@{ shape: lean-l}
    n2@{ shape: lean-l}
    n3@{ shape: lean-l}
```

---

---
title: Troubleshoot Gateway
description: Troubleshoot common Gateway issues.
image: https://developers.cloudflare.com/zt-preview.png
---

# Troubleshoot Gateway

This guide helps you troubleshoot common issues with Cloudflare Gateway policies. The issues are ordered from most to least frequent.

## Egress policies do not work as expected

Egress policies are the most common category of issues for Gateway. Symptoms include traffic not using your dedicated egress IP, incorrect failover behavior, or high latency due to Gateway routing traffic through a distant data center.

### Symptom: traffic is not using your dedicated egress IP

Even with an active egress policy, you may find that traffic is egressing from a default Cloudflare IP address instead of your dedicated egress IP.

| Common cause                                | Solution                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| DNS resolution to CGNAT (carrier-grade NAT) | When an egress policy uses a _Domain_ or _Host_ selector, Gateway must first resolve that domain. For traffic proxied through Cloudflare, this often resolves to a CGNAT IP address from the 100.64.0.0/10 range. Because this IP is internal to Cloudflare's network, it may not be subject to egress policies, which apply to traffic leaving the network. Change the selector in your egress policy from _Domain_ or _Host_ to _Destination IP_. Use the public IP addresses of the service you are trying to reach. |
| Policy precedence                           | A different egress policy with a higher precedence (a lower number) is matching the traffic first. Remember that egress policies follow the same first-match-wins logic.                                                                                                                                                                                                                                                                                                                                                |
| Split Tunnel configuration                  | The destination IP or domain is excluded from the WARP tunnel via your [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configuration (which controls whether traffic for specific IPs or domains is sent through or excluded from the WARP tunnel). Traffic that is excluded from the tunnel will not be subject to any Gateway policies, including egress.                                                    |
| No egress logs                              | Egress logging is available via Logpush with the Gateway Egress dataset. This is essential for troubleshooting. You can also use a third-party IP check service to verify the egress IP from a test device.                                                                                                                                                                                                                                                                                                             |

### Symptom: failover is not working or is using the wrong IP

Your primary dedicated egress IP becomes unavailable, but instead of using your configured secondary dedicated IP, traffic fails over to a default Cloudflare shared IP.

| Common cause                                          | Solution                                                                                                                                                                                                                                                                |
| ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Routing or configuration issue on the Cloudflare side | Document the time of the incident and collect Request IDs from Gateway HTTP or DNS logs for affected users. Open a support ticket and provide this information. Temporarily, you can edit the egress policy to set your secondary IP as the primary to restore service. |

### Symptom: users are egressing from a geographically distant location

Gateway routes your users in one country (such as Australia) through a dedicated egress IP located in another region (such as Germany), causing high latency and breaking access to geo-restricted content.

Common causes and solutions:

| Common cause               | Solution                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Single egress policy       | You may have one broad egress policy that applies to all users regardless of their location. Create location-aware egress policies. Use the _User Location_ selector in your policy to tie specific user locations to their nearest dedicated egress IP. For example, create one policy for when _User Location_ is United Kingdom, egress via London IP; create a second policy for when _User Location_ is Australia, egress via Sydney IP. |
| Incorrect geolocation data | The IP address of the user's ISP may not be correctly geolocated. Check the user's location as seen by Cloudflare in the Gateway logs. If it appears incorrect, you can report it to Cloudflare Support.                                                                                                                                                                                                                                      |

## Gateway does not apply policies in the correct order

A common point of confusion is how Gateway evaluates its different policy types and the rules within them.

### Symptom: a Block policy is overriding a more specific Allow or Do Not Scan policy

You have an Allow or Do Not Scan policy for a specific application (such as Allow `finance.example.com`) that you expect to take precedence, but Gateway still blocks the traffic with a broader Block policy (such as Block All High-Risk Sites).

The most important concept is [Gateway policy precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/). Within a policy type, Gateway evaluates policies by their order number: a lower order number means a higher precedence, and Gateway stops at the first policy that matches. Order numbers only reorder policies of the same type. Gateway evaluates DNS policies before network policies and network policies before HTTP policies, so an HTTP Allow policy cannot override a DNS or network Block policy for the same destination, however high it is ordered.

To resolve Gateway policy precedence issues:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**.
2. Review the order of your DNS, Network, and HTTP policies.
3. Ensure that your most specific Allow, Do Not Scan, or Do Not Inspect policies have a lower order number than the general Block policies of the same type.
4. Drag and drop policies to reorder them as needed. For example, an Allow policy for `teams.microsoft.com` should sit above a general Block policy for all file sharing applications.
5. If the blocking policy is a DNS or network policy and your Allow is an HTTP policy, reordering the HTTP policies will not help. Narrow the earlier Block policy, or add a matching Allow policy of the same type above it.

## TLS decryption breaks applications

Turning on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software.

### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors

If, after turning on TLS decryption, command-line tools (such as `git`, `aws`, `kubectl`, and `terraform`) or desktop applications (such as ChatGPT or Docker) stop working, the cause is usually a certificate error. Applications may return errors such as `SSL: CERTIFICATE_VERIFY_FAILED`, `self-signed certificate in certificate chain`, or similar TLS errors.

Many of these applications ship their own certificate bundle (for example, the `certifi` bundle used by Python-based tools such as the AWS CLI) and never consult the operating system's trust store, so they do not trust the Cloudflare root certificate even when it is installed system-wide. Others pin the origin's certificate or public key and reject any certificate that Cloudflare re-signs, whatever trust store they use.

To resolve this issue:

**Recommended**: Create a targeted HTTP policy to bypass decryption for the specific domains these tools need to access. Place this policy at a higher precedence (lower order number) than your main TLS decryption policy.

Create a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) that includes hosts such as `github.com`, `*.amazonaws.com`, and `*.docker.io`.

| Selector | Operator | Value              | Action         |
| -------- | -------- | ------------------ | -------------- |
| Domain   | in list  | _CLI Tool Domains_ | Do Not Inspect |

Keep the list to the hosts the tools actually need. Traffic that matches a Do Not Inspect policy passes through without decryption, so DLP, anti-virus scanning, and any HTTP policy that needs to see the request path or body no longer apply to it.

**Workaround**: For tools that can be pointed at a CA bundle (through an environment variable or a configuration setting), add the Cloudflare root certificate to that bundle rather than disabling verification: a tool with verification disabled accepts any certificate, not only the one Gateway presents. This is harder to manage at scale, and it does not help applications that pin the origin's certificate, which only the bypass policy above fixes. For more information, refer to [Install certificate manually](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/).

### Symptom: the custom block page is not displayed

When an HTTP policy blocks a user's request, their browser shows a generic TLS error such as `ERR_SSL_PROTOCOL_ERROR` instead of your configured Gateway block page.

The block page is served over HTTPS with a certificate signed by the Cloudflare root certificate. If the browser shows an error instead, it does not trust that root: the certificate is either not installed on the device or installed in a store the browser does not read.

To resolve this issue:

1. Confirm that a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed on the device.
2. Ensure the certificate is placed in the correct system-level trust store (for example, the System keychain on macOS, or Trusted Root Certification Authorities for the Local Computer on Windows), not in a per-user store.
3. Check browsers that keep their own certificate store. Firefox reads the operating system store only when `security.enterprise_roots.enabled` is true, so either deploy that setting or import the root into Firefox directly.
4. If you are using a mobile device management (MDM) tool, verify that your deployment script correctly installs and trusts the certificate.

## Private DNS and internal resources are not working

You have configured Gateway to resolve internal hostnames, but users are unable to access them. For example, a user connected to the Cloudflare One Client tries to access an internal service like `jira.mycompany.local`, but the DNS query fails.

| Common causes                              | Solution                                                                                                                                                                                                                                     |
| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Missing or incorrect resolver policy       | Go to **Traffic policies** \> **Resolver policies**. Create a policy that matches your internal domain suffix and forwards queries to your internal DNS servers' IP addresses.                                                               |
| Split Tunnel excludes the private IP range | If your internal resources are in a private IP range (such as 10.0.0.0/8), that range must be routed through the tunnel. The default Split Tunnel configuration runs in Exclude mode and excludes the RFC 1918 ranges, so traffic to 10.0.0.0/8 goes straight to the local network unless you remove or narrow that exclude (or switch to Include mode and include the range). The Cloudflare One Client does not send excluded traffic through the tunnel, so no Gateway policy applies to it. |
| Local Domain Fallback misconfiguration     | Local Domain Fallback sends queries for the listed domains to the DNS server of the network the device is currently on, not to Gateway. A corporate domain listed there never reaches your resolver policies and resolves only if the local network happens to answer it. Use resolver policies for corporate DNS and reserve Local Domain Fallback for domains specific to a user's immediate physical network. |


---

---
title: Troubleshooting
description: Troubleshoot common issues with Gateway policies.
image: https://developers.cloudflare.com/zt-preview.png
---

# Troubleshooting

This guide helps you troubleshoot common issues with Cloudflare Gateway policies.

## Blocked websites and connectivity

### A website is blocked incorrectly

If you believe a domain has been incorrectly blocked by Gateway's security categories or threat intelligence, you can use the [Cloudflare Radar categorization feedback form ↗](https://radar.cloudflare.com/categorization-feedback/) to request a review.

### Error 526: Invalid SSL certificate

Gateway presents a **526** error page when it cannot establish a secure connection to the origin. This typically occurs in two cases:

* **Untrusted origin certificate**: The certificate presented by the origin server is expired, revoked, or issued by an unknown authority.
* **Insecure origin connection**: The origin does not support modern cipher suites or redirects all HTTPS requests to HTTP.

For more information, refer to [Error 526](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/).

### Error 502: Bad Gateway

This issue can occur when communicating with an origin that only partially supports HTTP/2. If the origin requests a downgrade to HTTP/1.1 (for example, via a `RST_STREAM` frame carrying the `HTTP_1_1_REQUIRED` error code), Gateway does not automatically reissue the request over HTTP/1.1 and instead returns a `502 Bad Gateway`. To resolve this, disable HTTP/2 at the origin server.

### Untrusted certificate warnings

If users see certificate warnings for every page, ensure that the [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed and trusted on their devices. This is required for Gateway to inspect HTTPS traffic.

## Dashboard and analytics

### Gateway analytics not displayed

If you do not see analytics on the Gateway Overview page:

* **Verify DNS traffic**: Ensure your devices are actually sending queries to Gateway. Check your [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) and verify that the location's source IPv4 address matches the public IP your devices query from; otherwise Gateway cannot attribute the queries to that location.
* **Check other resolvers**: Ensure that no other DNS resolvers are configured on the device, as they might be bypassing Gateway.
* **Wait for processing**: It can take up to 5 minutes for analytics to appear in the dashboard.

## Egress policies

Symptoms of egress policy problems include traffic not using your dedicated egress IP, incorrect failover behavior, and high latency because Gateway routes traffic through a distant data center.

### Symptom: traffic is not using your dedicated egress IP

Even with an active egress policy, you may find that traffic is egressing from a default Cloudflare IP address instead of your dedicated egress IP.

| Common cause                                | Solution                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| DNS resolution to CGNAT (carrier-grade NAT) | When an egress policy uses a _Domain_ or _Host_ selector, Gateway must first resolve that domain. For traffic proxied through Cloudflare, this often resolves to a CGNAT IP address from the 100.64.0.0/10 range. Because this IP is internal to Cloudflare's network, it may not be subject to egress policies, which apply to traffic leaving the network. Change the selector in your egress policy from _Domain_ or _Host_ to _Destination IP_. Use the public IP addresses of the service you are trying to reach. |
| Policy precedence                           | A different egress policy with a higher precedence (a lower number) is matching the traffic first. Remember that egress policies follow the same first-match-wins logic.                                                                                                                                                                                                                                                                                                                                                |
| Split Tunnel configuration                  | The destination IP or domain is excluded from the WARP tunnel via your Split Tunnel configuration. Traffic that is excluded from the tunnel will not be subject to any Gateway policies, including egress.                                                                                                                                                                                                                                                                                                              |
| No visibility into the egress IP            | Without egress logs you cannot tell which IP the traffic actually left from. Egress logging is available via Logpush with the Gateway Egress dataset; turn it on before troubleshooting further. You can also use a third-party IP check service to verify the egress IP from a test device. |

### Symptom: failover is not working or is using the wrong IP

Your primary dedicated egress IP becomes unavailable, but instead of using your configured secondary dedicated IP, traffic fails over to a default Cloudflare shared IP.

| Common cause                                          | Solution                                                                                                                                                                                                                                                                |
| ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Routing or configuration issue on the Cloudflare side | Document the time of the incident and collect Request IDs from Gateway HTTP or DNS logs for affected users. Open a support ticket and provide this information. Temporarily, you can edit the egress policy to set your secondary IP as the primary to restore service. |

### Symptom: users are egressing from a geographically distant location

Gateway routes your users in one country (such as Australia) through a dedicated egress IP located in another region (such as Germany), causing high latency and breaking access to geo-restricted content.

| Common cause               | Solution                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Single egress policy       | You may have one broad egress policy that applies to all users regardless of their location. Create location-aware egress policies. Use the _User Location_ selector in your policy to tie specific user locations to their nearest dedicated egress IP. For example, create one policy for when _User Location_ is United Kingdom, egress via London IP; create a second policy for when _User Location_ is Australia, egress via Sydney IP. |
| Incorrect geolocation data | The IP address of the user's ISP may not be correctly geolocated. Check the user's location as seen by Cloudflare in the Gateway logs. If it appears incorrect, you can report it to Cloudflare Support.                                                                                                                                                                                                                                      |

## Policy precedence

A common point of confusion is how Gateway evaluates its different policy types and the rules within them.

### Symptom: a Block policy is overriding a more specific Allow or Do Not Scan policy

You have an Allow or Do Not Scan policy for a specific application (such as Allow `finance.example.com`) that you expect to take precedence, but Gateway still blocks the traffic with a broader Block policy (such as Block All High-Risk Sites).

The most important concept is [Gateway policy precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/). Within a policy type, Gateway evaluates policies by their order number: a lower order number means a higher precedence, and Gateway stops at the first policy that matches. Order numbers only reorder policies of the same type. Gateway evaluates DNS policies before network policies and network policies before HTTP policies, so an HTTP Allow policy cannot override a DNS or network Block policy for the same destination, however high it is ordered.

To resolve Gateway policy precedence issues:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**.
2. Review the order of your DNS, Network, and HTTP policies.
3. Ensure that your most specific Allow, Do Not Scan, or Do Not Inspect policies have a lower order number than the general Block policies of the same type.
4. Drag and drop policies to reorder them as needed. For example, an Allow policy for `teams.microsoft.com` should sit above a general Block policy for all file sharing applications.
5. If the blocking policy is a DNS or network policy and your Allow is an HTTP policy, reordering the HTTP policies will not help. Narrow the earlier Block policy, or add a matching Allow policy of the same type above it.
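The following Python is an added example, not Cloudflare code and not a call to the Gateway API. It models the evaluation order described in this section (DNS, then network, then HTTP; first match within a type; a Block ends evaluation) so you can see why reordering fixes a shadowed Allow in the same type but not an Allow that sits behind a DNS Block. The policy fields, the category table and the sample policies are constructed for illustration; use it to reason about an export of your own policies.

```python
"""Simulate Gateway policy evaluation order and flag policies that can never
take effect. Added example; not Cloudflare code. Field names, the category
table and the sample policies are constructed for illustration.
"""
from dataclasses import dataclass, field

PHASES = ("dns", "network", "http")   # evaluated in this order
BYPASS_ACTIONS = {"Allow", "Do Not Inspect", "Do Not Scan"}

# Constructed stand-in for Gateway's category lookup.
CATEGORIES = {
    "finance.example.com": {"Finance"},
    "files.example.net": {"File Sharing", "High Risk"},
    "teams.microsoft.com": {"Collaboration"},
}


@dataclass
class Policy:
    name: str
    phase: str                 # "dns", "network" or "http"
    precedence: int            # the dashboard order number: lower runs first
    action: str
    hosts: set = field(default_factory=set)        # exact hostname match
    categories: set = field(default_factory=set)   # any-category match

    def matches(self, host):
        if host in self.hosts:
            return True
        return bool(self.categories & CATEGORIES.get(host, set()))


def evaluate(policies, host):
    """Return the policies that decided each phase, in order.

    Within a phase the lowest order number that matches wins and later
    policies of that phase are not consulted. A Block ends evaluation;
    any other decision carries on to the next phase.
    """
    path = []
    for phase in PHASES:
        in_phase = sorted((p for p in policies if p.phase == phase),
                          key=lambda p: p.precedence)
        hit = next((p for p in in_phase if p.matches(host)), None)
        if hit is None:
            continue
        path.append(hit)
        if hit.action == "Block":
            break
    return path


def final_action(policies, host):
    path = evaluate(policies, host)
    return path[-1].action if path else "Allow"   # no match: implicit allow


def shadowed(policies, hosts):
    """(policy, host, blocking policy) triples where a bypass-style policy
    matches the host but a Block is reached before it is consulted."""
    findings = []
    for p in policies:
        if p.action not in BYPASS_ACTIONS:
            continue
        for h in hosts:
            if not p.matches(h):
                continue
            path = evaluate(policies, h)
            if p not in path and path and path[-1].action == "Block":
                findings.append((p.name, h, path[-1].name))
    return findings


def set_precedence(policies, name, precedence):
    """Model dragging a policy to a new position in the dashboard."""
    for p in policies:
        if p.name == name:
            p.precedence = precedence


def sample_policies():
    return [
        Policy("Block file sharing (DNS)", "dns", 1, "Block",
               categories={"File Sharing"}),
        Policy("Do Not Inspect file host", "http", 0, "Do Not Inspect",
               hosts={"files.example.net"}),
        Policy("Block collaboration", "http", 2, "Block",
               categories={"Collaboration"}),
        Policy("Allow finance", "http", 3, "Allow",
               hosts={"finance.example.com"}),
        Policy("Block high risk", "http", 5, "Block",
               categories={"High Risk"}),
        Policy("Allow Teams", "http", 10, "Allow",
               hosts={"teams.microsoft.com"}),
    ]


if __name__ == "__main__":
    policies = sample_policies()
    for host in CATEGORIES:
        print(f"{host}: {final_action(policies, host)}")
    for name, host, blocker in shadowed(policies, list(CATEGORIES)):
        print(f"'{name}' never applies to {host}: '{blocker}' matches first")
    # Reordering fixes the same-type case; the DNS Block is unaffected.
    set_precedence(policies, "Allow Teams", 1)
    print("after reorder:", final_action(policies, "teams.microsoft.com"))
```

`shadowed` reports two problems in the sample: `Allow Teams` sits below `Block collaboration` in the HTTP list, which a reorder fixes, and `Do Not Inspect file host` is never reached because the DNS Block decides first, which no HTTP order number can change.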

## TLS decryption breaks applications

Turning on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software.

### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors

If, after turning on TLS decryption, command-line tools (such as `git`, `aws`, `kubectl`, and `terraform`) or desktop applications (such as ChatGPT or Docker) stop working, the cause is usually a certificate error. Applications may return errors such as `SSL: CERTIFICATE_VERIFY_FAILED`, `self-signed certificate in certificate chain`, or similar TLS errors.

Many of these applications ship their own certificate bundle (for example, the `certifi` bundle used by Python-based tools such as the AWS CLI) and never consult the operating system's trust store, so they do not trust the Cloudflare root certificate even when it is installed system-wide. Others pin the origin's certificate or public key and reject any certificate that Cloudflare re-signs, whatever trust store they use.

To resolve this issue:

**Recommended**: Create a targeted HTTP policy to bypass decryption for the specific domains these tools need to access. Place this policy at a higher precedence (lower order number) than your main TLS decryption policy.

Create a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) that includes hosts such as `github.com`, `*.amazonaws.com`, and `*.docker.io`.

| Selector | Operator | Value              | Action         |
| -------- | -------- | ------------------ | -------------- |
| Domain   | in list  | _CLI Tool Domains_ | Do Not Inspect |

Keep the list to the hosts the tools actually need. Traffic that matches a Do Not Inspect policy passes through without decryption, so DLP, anti-virus scanning, and any HTTP policy that needs to see the request path or body no longer apply to it.

**Workaround**: For tools that can be pointed at a CA bundle (through an environment variable or a configuration setting), add the Cloudflare root certificate to that bundle rather than disabling verification: a tool with verification disabled accepts any certificate, not only the one Gateway presents. This is harder to manage at scale, and it does not help applications that pin the origin's certificate, which only the bypass policy above fixes. For more information, refer to [Install certificate manually](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/).

### Symptom: the custom block page is not displayed

When an HTTP policy blocks a user's request, their browser shows a generic TLS error such as `ERR_SSL_PROTOCOL_ERROR` instead of your configured Gateway block page.

The block page is served over HTTPS with a certificate signed by the Cloudflare root certificate. If the browser shows an error instead, it does not trust that root: the certificate is either not installed on the device or installed in a store the browser does not read.

To resolve this issue:

1. Confirm that a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed on the device.
2. Ensure the certificate is placed in the correct system-level trust store (for example, the System keychain on macOS, or Trusted Root Certification Authorities for the Local Computer on Windows), not in a per-user store.
3. Check browsers that keep their own certificate store. Firefox reads the operating system store only when `security.enterprise_roots.enabled` is true, so either deploy that setting or import the root into Firefox directly.
4. If you are using an MDM, verify that your deployment script correctly installs and trusts the certificate.

## Private DNS and internal resources are not working

You have configured Gateway to resolve internal hostnames, but users are unable to access them. For example, a user connected to the Cloudflare One Client tries to access an internal service like `jira.mycompany.local`, but the DNS query fails.

| Common causes                              | Solution                                                                                                                                                                                                                                     |
| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Missing or incorrect resolver policy       | Go to **Traffic policies** \> **Resolver policies**. Create a policy that matches your internal domain suffix and forwards queries to your internal DNS servers' IP addresses.                                                               |
| Split Tunnel excludes the private IP range | If your internal resources are in a private IP range (such as 10.0.0.0/8), that range must be routed through the tunnel. The default Split Tunnel configuration runs in Exclude mode and excludes the RFC 1918 ranges, so traffic to 10.0.0.0/8 goes straight to the local network unless you remove or narrow that exclude (or switch to Include mode and include the range). The Cloudflare One Client does not send excluded traffic through the tunnel, so no Gateway policy applies to it. |
| Local Domain Fallback misconfiguration     | Local Domain Fallback sends queries for the listed domains to the DNS server of the network the device is currently on, not to Gateway. A corporate domain listed there never reaches your resolver policies and resolves only if the local network happens to answer it. Use resolver policies for corporate DNS and reserve Local Domain Fallback for domains specific to a user's immediate physical network. |
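As an added example covering this section and the CGNAT row of the egress policies section above (not Cloudflare code), the following Python reproduces the client-side checks a practitioner runs by hand: which resolver policy a hostname would match (longest suffix wins), whether the address it resolves to is excluded by Split Tunnel or is a CGNAT answer that Gateway handles internally, and how to carve a narrower range out of a broad exclude so that it enters the tunnel. The exclude list is an assumption that holds only the RFC 1918 and link-local ranges; copy the real list from your Split Tunnel settings. The resolver policies, hostnames and addresses are constructed.

```python
"""Explain, from the WARP client's side, why an internal hostname or an
egress destination does not get the Gateway treatment you expect.
Added example; not Cloudflare code. ASSUMED_DEFAULT_EXCLUDES is an
assumption, and the policies, hostnames and addresses are constructed.
"""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # Gateway-internal answers

# Assumption: the RFC 1918 and link-local ranges from the default Exclude
# list. Replace with your own Split Tunnel configuration.
ASSUMED_DEFAULT_EXCLUDES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


def sample_resolver_policies():
    """(domain suffix, internal DNS servers) pairs, constructed."""
    return [
        ("mycompany.local", ["10.0.0.53", "10.0.1.53"]),
        ("corp.mycompany.local", ["10.9.0.53"]),
    ]


def resolver_for(host, policies):
    """Longest-suffix match, as a resolver policy keyed on the domain does.
    None means the query goes to Gateway's public upstream resolvers."""
    host = host.rstrip(".").lower()
    best = None
    for suffix, servers in policies:
        suffix = suffix.lower()
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, servers)
    return best[1] if best else None


def classify_destination(ip, excludes):
    ip = ipaddress.ip_address(ip)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in excludes):
        return "excluded"
    return "tunnelled"


def carve_out(excludes, cidr):
    """Remove `cidr` from an Exclude-mode list so that range enters the
    tunnel, splitting any broader exclude that contains it."""
    cidr = ipaddress.ip_network(cidr)
    result = []
    for net in excludes:
        if net.version != cidr.version or not net.overlaps(cidr):
            result.append(net)
        elif net.subnet_of(cidr):
            continue                          # entirely inside: drop it
        else:
            result.extend(net.address_exclude(cidr))
    return sorted(result, key=lambda n: (n.version, n))


def explain(host, resolved_ip, policies, excludes):
    """Human-readable findings for one hostname and the address it got."""
    findings = []
    servers = resolver_for(host, policies)
    if servers is None:
        findings.append(f"no resolver policy covers {host}: add one for its suffix")
    else:
        findings.append(f"{host} is forwarded to {', '.join(servers)}")
    kind = classify_destination(resolved_ip, excludes)
    if kind == "excluded":
        hit = next(n for n in excludes if ipaddress.ip_address(resolved_ip) in n)
        findings.append(f"{resolved_ip} is in Split Tunnel exclude {hit}: the "
                        "client sends it outside the tunnel, so no Gateway "
                        "policy applies")
    elif kind == "cgnat":
        findings.append(f"{resolved_ip} is a CGNAT answer from Gateway: match "
                        "egress policies on the service's public Destination "
                        "IP rather than on Domain or Host")
    else:
        findings.append(f"{resolved_ip} is tunnelled: Gateway policies apply")
    return findings


if __name__ == "__main__":
    policies = sample_resolver_policies()
    excludes = ASSUMED_DEFAULT_EXCLUDES
    for line in explain("jira.mycompany.local", "10.1.2.3", policies, excludes):
        print(line)
    for line in explain("app.example.com", "100.64.5.6", policies, excludes):
        print(line)
    fixed = carve_out(excludes, "10.1.2.0/24")    # let the Jira subnet in
    print(explain("jira.mycompany.local", "10.1.2.3", policies, fixed)[-1])
```

`carve_out` produces the list of narrower excludes that Exclude mode needs once a single /24 inside 10.0.0.0/8 must reach Gateway; if the list grows unwieldy, switching Split Tunnel to Include mode and listing only the corporate ranges is the cleaner option.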


---

---
title: Cloud and SaaS findings
description: Cloud and SaaS findings in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloud and SaaS findings

Availability

Available for all Zero Trust users.

Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of a finding instance.

Cloudflare's [Cloud Access Security Broker ↗](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) (CASB) connects to SaaS application and cloud environment APIs to scan for security issues that can occur after a user has successfully logged in. These include misconfigurations (such as overly permissive sharing settings), unauthorized user activity, [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/), and other data security issues.

For a list of available findings, refer to [Cloud and SaaS integrations](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/). You can also send posture finding instances to external systems with [CASB webhooks](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/).

## Manage CASB integrations

When you integrate a third-party SaaS application or cloud environment with Cloudflare CASB, you allow CASB to make API calls to its endpoint and read relevant data on your behalf. The CASB integration permissions are read-only and follow the principle of least privilege: only the minimum access required to perform a scan is granted.

### Prerequisites

Before you can integrate a SaaS application or cloud environment with CASB, your account with that integration must meet certain requirements. Refer to the SaaS application or cloud environment's [integration guide](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) to learn more about the prerequisites and permissions.

### Add an integration

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**.
2. Select **Connect an integration** or **Add integration**.
3. Browse the available integrations and select the application you would like to add.
4. Follow the step-by-step integration instructions in the UI.
5. To run your first scan, select **Save integration**.

After the first scan, CASB automatically rescans your SaaS application or cloud environment on a frequent basis to keep up with any changes. Scan intervals vary because each application has its own set of requirements, but the frequency is typically between every 1 hour and every 24 hours.

Once CASB detects at least one finding, you can [view and manage your findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/).

### Pause an integration

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**.
2. Find the integration you would like to pause and select **Configure**.
3. To stop scanning the application, turn off **Scan for findings**.
4. Select **Save integration**.

You can resume CASB scanning at any time by turning on **Scan for findings**.

### Delete an integration

Warning

When you delete an integration, all keys and OAuth data will be deleted. This means you cannot restore a deleted integration or its scanned data.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**.
2. Find the integration you would like to delete and select **Configure**.
3. Select **Disenroll**.

To resume scanning the integration for findings, you will need to [add the integration](#add-an-integration) again.


---

---
title: Scan for sensitive data
description: How Scan for sensitive data works in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Scan for sensitive data

Note

Requires Cloudflare CASB and Cloudflare DLP.

You can use [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to discover if files stored in a SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) (a set of patterns that define what counts as sensitive data) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration.

## Supported integrations

* [Amazon Web Services (AWS) S3](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/)
* [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/)
* [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/)
* [Google Cloud Platform (GCP) Cloud Storage](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/gcp-cloud-storage)
* [Google Drive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive/)
* [Microsoft OneDrive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive/)
* [Microsoft SharePoint](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint/)
* [Microsoft 365 Copilot](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot/)
* [OpenAI](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/)
* [Anthropic](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/)

## Configure a DLP profile

You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, datasets, and document fingerprints.

### Configure a predefined profile

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Choose a [predefined profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Edit**.
3. Enable one or more **Detection entries** according to your preferences.
4. Select **Save profile**.

Most predefined profiles match when any enabled detection entry matches. The **Personally Identifiable Information (PII) Record** profile is an exception and requires at least three unique detection entries in close proximity before the profile matches.

Your DLP profile is now ready to use with CASB.

### Build a custom profile

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Select **Create profile**.
3. Enter a name and optional description for the profile.
4. Add new or existing detection entries to the profile.  
   **Add a custom entry**  
   1. Select **Add custom entry**.  
   2. Choose the type of detection entry you want to create and configure its values.  
      For information on supported detection entry types, refer to [Configure detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/).  
   3. To save the detection entry, select **Done**.  
   **Add existing entries**  
   Existing entries include [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/) and [user-defined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/) detection entries that you manage from the Detection entries section.  
   1. Select **Add existing entries**.  
   2. Choose which entries you want to add, then select **Confirm**.  
   3. To save the detection entry, select **Done**.
5. (Optional) Add data classes to include reusable classification rules.  
   1. Select **Add data classes**.  
   2. Choose the data classes you want to add, then select **Confirm**.
6. (Optional) Use labels as match criteria for the profile.  
   * Select a sensitivity schema and minimum sensitivity level.  
   * Select a data tag group and one or more data tags.  
   For more information on labels, templates, and data classes, refer to [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/).
7. (Optional) Configure [**profile settings**](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile.
8. Select **Save profile**.

Your DLP profile is now ready to use with CASB.

For more information, refer to [Configure a DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/).

## Enable DLP scans in CASB

### Add a new integration

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Cloud & SaaS**.
2. Select **Add integration** and choose a [supported integration](#supported-integrations).
3. During the setup process, you will be prompted to select DLP profiles for the integration.
4. Select **Save integration**.

CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete.

### Modify an existing integration

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Cloud & SaaS**.
2. Choose a [supported integration](#supported-integrations) and select **Configure**.
3. Under **DLP profiles**, select the profiles that you want the integration to scan for.
4. Select **Save integration**.

If you enable a DLP profile from the **Manage integrations** page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes:

* Contents of the file
* Name of the file
* Visibility of the file (only if changed to publicly accessible)
* Owner of the file
* Location of the file (for example, moved to a different folder)

Warning

If you add a DLP profile to an existing integration, CASB only scans files modified after you enabled the profile. To scan all files, you must enable the DLP profile during the [integration setup flow](#add-a-new-integration).

## Limitations

DLP in CASB will only scan:

* Files less than or equal to 100 MB in size.
* Java and R source code files that are at least 5 KB. Smaller files in these languages are skipped.
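The rules in "Modify an existing integration" and "Limitations" decide together which files a scan actually picks up. The following added example (not Cloudflare's code) encodes them so you can predict the outcome for a given file; the `FileState` snapshot shape and the sample files are constructed assumptions.

```python
"""Model of which files a CASB DLP scan picks up (added example, not
Cloudflare's code). It encodes the rules above: when a profile is added to an
existing integration only publicly accessible files with a modification event
are scanned, and in every case files over 100 MB, and Java or R files under
5 KB, are skipped. The FileState shape is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Optional

MAX_FILE_BYTES = 100 * 1024 * 1024            # files <= 100 MB are scanned
MIN_BYTES_BY_LANGUAGE = {"java": 5 * 1024,    # Java and R files must be >= 5 KB
                         "r": 5 * 1024}


@dataclass(frozen=True)
class FileState:
    """Snapshot of a stored file's attributes (constructed representation)."""
    name: str
    size_bytes: int
    public: bool
    owner: str
    folder: str
    content_hash: str                 # stand-in for the file's contents
    language: Optional[str] = None    # "java", "r", or None for anything else


def within_size_limits(f):
    """Size rules from the Limitations section."""
    if f.size_bytes > MAX_FILE_BYTES:
        return False
    floor = MIN_BYTES_BY_LANGUAGE.get((f.language or "").lower())
    return floor is None or f.size_bytes >= floor


def modification_events(before, after):
    """Names of the modification events between two snapshots."""
    events = []
    if after.content_hash != before.content_hash:
        events.append("contents")
    if after.name != before.name:
        events.append("name")
    if after.public and not before.public:   # visibility counts only when it becomes public
        events.append("visibility")
    if after.owner != before.owner:
        events.append("owner")
    if after.folder != before.folder:
        events.append("location")
    return events


def will_scan(before, after, profile_enabled_at_setup):
    """Whether the DLP scan considers `after`.

    before: the file's state when the DLP profile was enabled.
    profile_enabled_at_setup: True if the profile was selected in the
    integration setup flow (all public files are scanned), False if it was
    added later from Manage integrations (only modified public files are).
    """
    if not after.public or not within_size_limits(after):
        return False
    if profile_enabled_at_setup:
        return True
    return bool(modification_events(before, after))


# Constructed sample snapshots.
PRIVATE_REPORT = FileState("q3-report.xlsx", 2_000_000, False, "alice", "/finance", "h1")
MADE_PUBLIC = FileState("q3-report.xlsx", 2_000_000, True, "alice", "/finance", "h1")
PUBLIC_UNCHANGED = FileState("notes.txt", 4_096, True, "bob", "/shared", "h2")
PUBLIC_RENAMED = FileState("notes-final.txt", 4_096, True, "bob", "/shared", "h2")
HUGE_PUBLIC = FileState("dump.bin", 150 * 1024 * 1024, True, "carol", "/exports", "h3")
TINY_JAVA = FileState("Main.java", 3 * 1024, True, "dave", "/src", "h4", "java")

if __name__ == "__main__":
    print("made public, profile added later:", will_scan(PRIVATE_REPORT, MADE_PUBLIC, False))
    print("unchanged public, profile added later:", will_scan(PUBLIC_UNCHANGED, PUBLIC_UNCHANGED, False))
    print("unchanged public, profile at setup:", will_scan(PUBLIC_UNCHANGED, PUBLIC_UNCHANGED, True))
    print("150 MB public file:", will_scan(HUGE_PUBLIC, HUGE_PUBLIC, True))
    print("3 KB Java file:", will_scan(TINY_JAVA, TINY_JAVA, True))
```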


---

---
title: Manage findings
description: Manage findings in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Manage findings

Findings are security issues detected within SaaS and cloud applications that involve users, data at rest (files stored in your apps), and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Cloudflare One and take action on the issues found.

## Prerequisites

* You have added a [Cloud and SaaS integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/).
* Your scan has surfaced at least one security finding.

## Posture findings

Posture findings include misconfigurations, unauthorized user activity, and other data security issues.

To view details about the posture findings that CASB found:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose **SaaS** or **Cloud**.
3. To view details about a finding, select the finding's name.

Cloud & SaaS findings will display details about your posture finding, including the finding type, [severity level](#severity-levels), number of instances, associated integration, current status, and date detected. For more information on each instance of the finding, select **Manage**.

To manage the finding's visibility, you can update the finding's [severity level](#severity-levels) or [hide the finding](#hide-findings) from view. You can also [send a posture finding instance to a webhook](#send-webhook). Some findings also provide a remediation guide to resolve the issue or support [creating a Gateway HTTP policy](#resolve-finding-with-a-gateway-policy) to block the traffic.

### Severity levels

Cloudflare CASB labels each finding with one of the following severity levels:

| Severity level | Urgency                                                                      |
| -------------- | ---------------------------------------------------------------------------- |
| Critical       | Suggests the finding is something your team should act on today.             |
| High           | Suggests the finding is something your team should act on this week.         |
| Medium         | Suggests the finding should be reviewed sometime this month.                 |
| Low            | Suggests the finding is informational or part of a scheduled review process. |

#### Change the severity level

You can change the severity level for a finding at any time in case the default assignment does not suit your environment:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Locate the finding you want to modify and select **Manage**.
3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_).

The new severity level will only apply to the posture finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change.

## Content findings

Content findings include instances of potential data exposure as identified by [DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/).

To view details about the content findings that CASB found:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Content Findings**.
2. Choose **SaaS** or **Cloud**.
3. To view details about a finding, select the finding's name.

Cloud & SaaS findings will display details about your content finding, including the file name, a link to the file, matching DLP profiles, associated integration, and date detected.

AWS users can configure a [compute account](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/#compute-account) to scan for data security resources within their S3 resources.

## View shared files

File findings for some integrations (such as [Microsoft 365](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#file-sharing) and [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file:

**Posture finding**

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose **SaaS** or **Cloud**.
3. Locate the individual finding, then select **Manage**.
4. In **Active Instances**, select the file name.
5. In **Shared Links**, select the linked file instance.

**Content finding**

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Content Findings**.
2. Choose **SaaS** or **Cloud**.
3. Select the file name of the detected asset.
4. In **Sharing details**, select the linked file instance.

## Hide findings

After reviewing your findings, you may decide that certain posture findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab.

* **Ignore a finding** — Moves the entire finding type from **Active** to **Ignored**. New detections of this finding type still appear, but in the **Ignored** tab.
* **Hide an instance** — Moves a single occurrence from **Active** to **Hidden**. Future occurrences for the same user or file go to the **Hidden** tab automatically.

### Ignore a finding

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Locate the active finding you want to hide.
3. In the three-dot menu, select **Move to ignore**.

The finding's status will change from **Active** to **Ignored**. CASB will continue to scan for these findings and report detections. You can change ignored findings back to **Active** with the same process at any time.

### Hide an instance of a finding

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose the active finding you want to hide, then select **Manage**.
3. In **Active**, find the instance you want to hide.
4. In the three-dot menu, select **Move to hidden**.

The instance will be moved from **Active** to **Hidden** within the finding. If the finding occurs again for the same user, CASB will report the new instance quietly in the **Hidden** tab. You can move hidden instances back to the **Active** tab at any time.

## Send webhook

After you configure one or more [CASB webhooks](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/), you can send posture finding instances to external systems such as chat platforms, ticketing systems, SIEMs, SOAR tools, and custom automation services.

CASB webhooks currently support posture finding instances only.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose **SaaS** or **Cloud**.
3. Choose the finding you want to review, then select **Manage**.
4. In **Active Instances**, select an instance.
5. In the instance details panel, select **Send webhook**.
6. Choose the webhook destination or destinations you want to use.
7. Select **Send webhooks**.

Cloudflare queues webhook sends in the background. A success message means that Cloudflare accepted the request for delivery.

To validate a destination before sending a live finding instance, use **Test delivery** from the [Webhooks](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/) page.

## Remediate findings

In addition to detecting and surfacing misconfigurations or issues with SaaS and cloud applications, CASB can also remediate findings directly in applications.

### Configure remediation permissions

Before you can remediate findings, [add a new integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) and choose _Read-Write mode_ during setup. Alternatively, you can update an existing integration:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**.
2. Choose your integration, then select **Configure**.
3. In **Integration permissions**, choose _Read-Write mode_.
4. Select **Update integration**. CASB will redirect you to your Microsoft 365 configuration.
5. Sign in to your organization, then select **Accept**.

CASB can now remediate supported findings directly.

### Remediate a finding

To remediate a supported finding:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose a supported finding type, then select **Manage**.
3. In **Active Instances**, select an instance.
4. In **Remediation details**, choose a remediation action to take.

CASB will begin remediating the instance.

### Manage remediated findings

Remediated findings will appear in **Cloud & SaaS findings** \> **Posture Findings**. The status of the finding will change depending on what action CASB has taken:

| Status     | Description                                                                                                     |
| ---------- | --------------------------------------------------------------------------------------------------------------- |
| Pending    | CASB has set the finding to be remediated.                                                                      |
| Processing | CASB is currently remediating the finding.                                                                      |
| Validating | CASB successfully completed the remediation and is waiting for confirmation that the finding has been resolved. |
| Completed  | CASB successfully remediated the finding and validated that the finding has been resolved.                      |
| Failed     | CASB attempted to remediate the finding but the remediation did not succeed.                                   |
| Rejected   | CASB does not have the correct permissions to remediate the finding.                                            |

If the status is **Completed**, remediation succeeded. If the status is **Failed** or **Rejected**, remediation failed, and you can select the finding to take action again. A **Rejected** status indicates that CASB does not have the correct permissions to remediate the finding.

CASB will log remediation actions in **Logs** \> **Admin**. For more information, refer to [Cloudflare One Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/).

## Resolve finding with a Gateway policy

CASB detects security issues that already exist in your SaaS environment. To prevent the same issues from recurring, you can create a [Gateway HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) directly from a CASB finding. For example, you can block users from sharing files publicly or accessing unsanctioned applications.

CASB supports creating a Gateway policy for findings from the [Google Workspace integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/):

Supported CASB findings for Gateway policies

* Google Workspace: File publicly accessible with edit access
* Google Workspace: File publicly accessible with view access
* Google Workspace: File shared outside company with edit access
* Google Workspace: File shared outside company with view access

Before you begin

Ensure that you have [enabled HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) for your organization.

To create a Gateway policy directly from a CASB finding:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings** or **Cloud & SaaS findings** \> **Content Findings**.
2. Choose **SaaS** or **Cloud**.
3. Choose the finding you want to modify, then select **Manage**.
4. Find the instance you want to block and select its three-dot menu.
5. Select **Block with Gateway HTTP policy**. A new browser tab will open with a pre-filled HTTP policy.  
Note  
Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider.
6. (Optional) [Configure the HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads.
7. Select **Save**.

Your HTTP policy will now prevent future instances of the security finding.


---

---
title: Troubleshoot CASB
description: Troubleshoot CASB issues in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Troubleshoot CASB

Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB).

This guide covers troubleshooting steps for CASB integrations and webhooks. For integration-specific issues, refer to the integration's documentation.

## Integration fails to connect or returns an error

Integration connection problems are the most common issue during CASB setup. If you receive an error such as "There was an error creating the integration" or are redirected back to the dashboard without the integration appearing, follow these steps.

### Check permissions in the third-party application

Ensure the account you are using to authorize the integration has the necessary administrative privileges in the third-party application (for example, **Global Administrator** for Microsoft 365, **Super Admin** for Google Workspace, or **Organization Owner** for GitHub). Insufficient permissions are the leading cause of setup failures.

### Clear previous installations

If the SaaS application was previously integrated with a different Cloudflare account, you must manually revoke the old Cloudflare application from within the SaaS provider's admin console.

* **For Microsoft 365**: Go to **Microsoft 365 admin center** \> **Enterprise applications** and delete the existing Cloudflare One application.
* **For Google Workspace**: Go to **Google Admin Console** \> **Security** \> **Access and data control** \> **API controls** and remove the Cloudflare app from third-party app access.
* **For GitHub**: Go to your organization's **Settings** \> **Third-party access** and revoke the Cloudflare CASB application.

After cleaning up the old app, wait a few minutes and then try the integration process again from the Cloudflare One dashboard.

### Verify OAuth permissions

During setup, CASB will ask you to approve a set of permissions. The permissions requested are required for the CASB service to scan for misconfigurations and, if you choose, to take remediation actions. While some permissions may seem broad (for example, `write` access), they are necessary for actions like quarantining a file or modifying sharing settings. Refer to the specific integration guide for a detailed list of required permissions.

## Findings are stale or not updating after remediation

A common point of confusion is when a resolved issue (for example, when a file is made private, or when a user is suspended) continues to appear as an active finding in the CASB dashboard.

### Understand scan frequency

CASB integrations do not provide real-time updates. Scans are performed periodically to discover new findings and validate the status of existing ones. The initial scan can take several hours, and subsequent scans run approximately every 24-48 hours.

### Force a re-scan

To trigger a new scan:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Integrations**.
2. Find your integration and select **Configure**.
3. Turn off **Scan for findings**.
4. After a few minutes, turn on **Scan for findings** again.

This action will queue a fresh scan of your integration. Allow several hours for your findings to reflect the new results.

## Remediation action fails in the dashboard

If you attempt to use a one-click remediation action (such as "Make private") on a finding, it may result in a **Failed** status, often with a timeout error.

### Verify permissions

The remediation failure may be due to the permissions for the Cloudflare app being changed or revoked in the SaaS application after the initial setup. Re-validate the integration to ensure all required permissions are still granted.

### Remediate manually

As a workaround, remediate the finding directly within the SaaS application (for example, change the file's sharing settings in Google Drive). CASB will clear the finding from the dashboard after the next successful scan.

## Webhook test or delivery fails

If Cloudflare cannot deliver a test request or a posture finding instance to your destination, follow these steps.

### Check destination requirements

Verify that the destination URL uses `https://` and is publicly reachable. Cloudflare rejects destinations that resolve to localhost, loopback, private, or other reserved addresses.
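A pre-flight check for these requirements, as an added example that is not Cloudflare's validation code: it rejects non-HTTPS URLs and any destination whose host resolves to a localhost, loopback, private or otherwise reserved address. Name resolution is stubbed with a constructed table (the hostnames are made up; 1.1.1.1 is used only as a known-global address) so the check runs offline.

```python
"""Pre-flight check for a CASB webhook destination (added example, not
Cloudflare's validation code). It applies the requirements above: the URL
must use https:// and the host must not resolve to localhost, loopback,
private or other reserved addresses. Name resolution is stubbed with a
constructed table so the check runs offline; swap in socket.getaddrinfo
for real use.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers. 1.1.1.1 is Cloudflare's public resolver, used here
# only as a known-global address; the hostnames are made up.
FAKE_DNS = {
    "hooks.example.com": ["1.1.1.1"],
    "intranet.example.internal": ["10.0.0.5"],
    "dual.example.com": ["1.1.1.1", "192.168.1.20"],
}


def fake_resolve(host):
    """Stand-in resolver; returns [] for unknown names."""
    return FAKE_DNS.get(host.lower(), [])


def address_problem(addr):
    """Return why an address is unacceptable, or None if it is public."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return "reserved"
    if not addr.is_global:
        return "not globally routable"
    return None


def check_webhook_destination(url, resolve=fake_resolve):
    """Return (ok, reason). ok is True only when every address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "destination must use https://"
    host = parts.hostname
    if not host:
        return False, "destination has no host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]       # IP literal in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False, f"{host} does not resolve"
    # Every answer must be public: a name that mixes a public and a private
    # address is rejected as a whole.
    for addr in addrs:
        problem = address_problem(addr)
        if problem:
            return False, f"{host} resolves to {addr} ({problem})"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["https://hooks.example.com/casb",
                      "http://hooks.example.com/casb",
                      "https://localhost:8443/hook",
                      "https://[::1]/hook",
                      "https://intranet.example.internal/hook",
                      "https://dual.example.com/hook"]:
        print(candidate, "->", check_webhook_destination(candidate))
```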

### Check authentication settings

Ensure that the webhook's authentication method matches what your receiver expects. Re-enter any bearer token, Basic auth credentials, static headers, or signing secret if needed.

### Understand delivery timing

Test delivery sends a test request immediately, but posture finding instance sends are queued in the background. A success message means that Cloudflare accepted the request for delivery.

## CASB is generating false positives

CASB may incorrectly flag items, such as flagging internally-shared files as public or archived Google Workspace users as inactive.

### Review finding details

Carefully examine the evidence provided in the finding. An object's status in the SaaS platform may not be accurate.

### Report the issue

If you confirm the finding is a false positive, report the behavior to Cloudflare Support. Provide the finding ID (visible in the finding's detail view) and as much detail as possible. This helps the Support team refine the detection logic for all customers.

### Hide the finding

While Cloudflare investigates the issue, you can [ignore the finding or hide individual instances](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#hide-findings) to remove it from your active list and reduce noise.


---

---
title: Email security
description: Overview of Email security in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Email security

Important

Refer to [Area 1](https://developers.cloudflare.com/email-security/) if you are looking for the Area 1 documentation.

Note

If you have not yet purchased Email security, you can try Email security with Retro Scan. Refer to [Retro Scan](https://developers.cloudflare.com/cloudflare-one/email-security/retro-scan/) to learn more.

 Protect your email inbox with Email security. 

Cloudflare Email Security uses AI, threat intelligence, and security rules to analyze every incoming email, protecting your organization from phishing, malware, [Business Email Compromise ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) (where attackers impersonate executives or authority figures to commit fraud), vendor email fraud, and spam.

It integrates with your existing email provider (such as Outlook or Gmail) and can be deployed via [API](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/), [BCC](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/)/[Journaling](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/), or [MX/Inline](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/).

When you complete the [setup process](https://developers.cloudflare.com/cloudflare-one/email-security/setup/), the Cloudflare dashboard will display the Email security overview page.

The Email security overview provides you with:

* **Quick actions**, where you can:  
   * View [submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/)  
   * Manage detection settings: manage [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) and [additional detections](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/additional-detections/).  
   * [Run screens](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#screen-criteria): Search, filter, reclassify, and bulk-move emails
* **Recommendations**: Suggested next steps to improve your configuration. For example, submitting misclassified emails for reclassification, creating policies, or protecting users at risk of [impersonation](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/).
* **Email security metrics**: Activity from the last seven days.
* **Recently modified policies**: A list of recently changed policies.
* **Education and resources**: Links to [implementation guides](https://developers.cloudflare.com/cloudflare-one/implementation-guides/), [Email security changelogs](https://developers.cloudflare.com/cloudflare-one/changelog/email-security/), and [API documentation ↗](https://developers.cloudflare.com/api/resources/email%5Fsecurity/subresources/investigate/methods/get/)

To access the Email security overview:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Go to **Email security** \> **Overview**.

---

## Troubleshooting

For help resolving common issues with Email Security, refer to [Troubleshoot Email Security](https://developers.cloudflare.com/cloudflare-one/email-security/troubleshooting/).


---

---
title: Directories
description: Directories in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Directories

Directories are folders to store user data. Email security allows you to manage directories from the Cloudflare dashboard.

To add a directory:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**.
2. Select **Directories**.
3. Select **Add a directory** \> **Connect an integration**.
4. Select either **Google Workspace CASB + EMAIL** or **Microsoft CASB+EMAIL**.
5. Refer to [Enable Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#enable-gmail-bcc-integration) if you choose Google Workspace. Refer to [Enable Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration) if you choose Microsoft 365.

To sync a directory:

1. Locate the directory you want to sync.
2. Select the three dots, then select **Sync now**.

Note

The **Auto sync** option is on by default. It is recommended to keep this option on at all times to ensure directories are always synchronized.


---

---
title: Manage Email security directories
description: Manage Email security directories in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Manage Email security directories

You can manage your Email security directory by editing and deleting added users.

Registered users

The Email security directory contains registered users only. A registered user is a user added to the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/).

To modify or delete users in the Email security directory:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Directories**.
2. Select **Email security Directory**.

## Add a user

To manually add a user to the Email security directory:

1. On the sidebar, go to **Settings** \> **Impersonation registry** \> **View**.
2. Select **Add a user**:
   * Choose **Manual input** as the **Input method**.
   * Under **User info**, enter the **Display name**.
   * Under **User email**, enter the **Email addresses**.
3. Select **Save**.

To view users you manually added:

1. Go to **Directories**.
2. Select **Email security Directory**.
3. Any manually added user is displayed in the table as **REGISTERED**.

## Edit a user

To edit a user in the Email security directory:

1. Select the user you want to edit.
2. Select the three dots > **Edit**.
3. Enter a user name and/or email.
4. Select **Save**.

## Delete a user

To delete a user from the Email security directory:

1. Select the user you want to delete.
2. Select the three dots > **Delete**.
3. Read the pop-up message, and then select **Delete user**.

To delete multiple users from the registry at once:

1. Select the users you want to delete.
2. Select the **Action** dropdown list > **Delete**.

---

---
title: Manage integrated directories
description: Manage integrated directories in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Manage integrated directories

To manage an integrated directory:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Directories**.
4. Under **Directory name**, select your directory.
5. You will be redirected to a page where you can manage [Groups](https://developers.cloudflare.com/cloudflare-one/email-security/directories/manage-integrated-directories/manage-groups-directory/) or [Users](https://developers.cloudflare.com/cloudflare-one/email-security/directories/manage-integrated-directories/manage-users-directory/) directories.

---

---
title: Manage groups in your directory
description: Manage groups in your directory in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Manage groups in your directory

Email security allows you to view and manage your groups directory and their [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). When a group is added to the registry, all members are registered by default.

To manage a group directory:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Directories**.
2. Locate your directory, then select the three dots > **View details**.
3. Select **Groups**.

## Add groups to registry

Email security allows you to add group names to the registry.

To add a single group to the registry:

1. Select the group name you want to add.
2. Select the three dots > **Add to registry**.

To add multiple groups to the registry at once:

1. Select the group names you want to add to the registry.
2. Select the **Action** dropdown list.
3. Select **Add to registry**.

## Remove groups from registry

Email security allows you to remove group names from the registry.

To remove a single group from the registry:

1. Select the group name you want to remove.
2. Select the three dots > **Remove from registry**.

To remove multiple groups from the registry at once:

1. Select the group names you want to remove from registry.
2. Select the **Action** dropdown list.
3. Select **Remove from registry**.

## Filter impersonation registry

You can filter the list of group names by registered and unregistered.

A group name is registered when it is part of the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). A group name is unregistered when it is not part of the impersonation registry.

To filter the list:

1. Select **Show filters** \> **Impersonation registry**.
2. Select one of the following:  
   * **All**: To view registered and unregistered groups.  
   * **Registered**: To view registered groups.  
   * **Unregistered**: To view unregistered groups.
3. Select **Apply filters**.

---

---
title: Manage users in your directory
description: Manage users in your directory in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Manage users in your directory

Email security allows you to view and manage the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) status of your users directory.

To manage a users directory:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Directories**.
2. Locate your directory, then select the three dots > **View details**.
3. Select **Users**.

## Add users to registry

To add a single user to the registry:

1. Select the name you want to add.
2. Select the three dots > **Add to registry**.

To add multiple users to the registry at once:

1. Select the names you want to add to the registry.
2. Select the **Action** dropdown list.
3. Select **Add to registry**.

## Remove users from registry

Email security allows you to remove users from the registry.

To remove a single user from the registry:

1. Select the name you want to remove.
2. Select the three dots > **Remove from registry**.

To remove multiple users from the registry at once:

1. Select the names you want to remove from the registry.
2. Select the **Action** dropdown list.
3. Select **Remove from registry**.

## Edit a user

To edit a user:

1. Under **Display name**, locate the user you want to edit.
2. Select the three dots > **Edit**.
3. Edit the user, then select **Save**.

## Filter a user

You can filter the list of users by registered and unregistered.

A user is registered when they are added to the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). A user is unregistered when they are not part of the impersonation registry.

To filter the impersonation registry:

1. Select **Show filters** \> **Impersonation registry**.
2. Choose one of the following:  
   * **All**: To view registered and unregistered users.  
   * **Registered**: To view registered users.  
   * **Unregistered**: To view unregistered users.
3. Select **Apply filters**.

To filter users:

1. Select **Show filters** \> **Users**.
2. Choose one of the following:  
   * **All**: To view users in groups and not in groups.  
   * **Users in groups**: To view users in groups.  
   * **Users not in groups**: To view users not in groups.
3. Select **Apply filters**.

---

# Email Security

# Investigate

## Search email messages

**get** `/accounts/{account_id}/email-security/investigate`

Returns information for each email that matches the search parameter(s).

### Path Parameters

- `account_id: string`

  Identifier.

### Query Parameters

- `action_log: optional boolean`

  Whether to include the message action log in the response.

- `alert_id: optional string`

- `cursor: optional string`

- `detections_only: optional boolean`

  Whether to include only detections in search results.

- `domain: optional string`

  Sender domains to filter by.

- `end: optional string`

  The end of the search date range. Defaults to `now`.

- `final_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

  Dispositions to filter by.

  - `"MALICIOUS"`

  - `"SUSPICIOUS"`

  - `"SPOOF"`

  - `"SPAM"`

  - `"BULK"`

  - `"NONE"`

- `message_action: optional "PREVIEW" or "QUARANTINE_RELEASED" or "MOVED"`

  Message actions to filter by.

  - `"PREVIEW"`

  - `"QUARANTINE_RELEASED"`

  - `"MOVED"`

- `message_id: optional string`

- `metric: optional string`

- `page: optional number`

  Deprecated: Use cursor pagination instead. End of life: November 1, 2026.

- `per_page: optional number`

  The number of results per page. Maximum value is 1000.

- `query: optional string`

  Space-delimited search term. Case-insensitive.

- `recipient: optional string`

- `sender: optional string`

- `start: optional string`

  The beginning of the search date range. Defaults to `now - 30 days`.

- `subject: optional string`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: array of object { id, action_log, client_recipients, 29 more }`

  - `id: string`

    Unique identifier for a message retrieved from investigation

  - `action_log: array of object { completed_at, operation, completed_timestamp, 2 more }`

    Deprecated, use `GET /investigate/{investigate_id}/action_log` instead. End of life: November 1, 2026.

    - `completed_at: string`

      Timestamp when action completed

    - `operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more`

      Type of action performed

      - `"MOVE"`

      - `"RELEASE"`

      - `"RECLASSIFY"`

      - `"SUBMISSION"`

      - `"QUARANTINE_RELEASE"`

      - `"PREVIEW"`

    - `completed_timestamp: optional string`

      Deprecated, use `completed_at` instead. End of life: November 1, 2026.

    - `properties: optional object { folder, requested_by }`

      Additional properties for the action

      - `folder: optional string`

        Target folder for move operations

      - `requested_by: optional string`

        User who requested the action

    - `status: optional string`

      Status of the action

  - `client_recipients: array of string`

  - `detection_reasons: array of string`

  - `is_phish_submission: boolean`

  - `is_quarantined: boolean`

  - `postfix_id: string`

    The identifier of the message

  - `properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }`

    Message processing properties

    - `allowlisted_pattern: optional string`

      Pattern that allowlisted this message

    - `allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more`

      Type of allowlist pattern

      - `"quarantine_release"`

      - `"acceptable_sender"`

      - `"allowed_sender"`

      - `"allowed_recipient"`

      - `"domain_similarity"`

      - `"domain_recency"`

      - `"managed_acceptable_sender"`

      - `"outbound_ndr"`

    - `blocklisted_message: optional boolean`

      Whether message was blocklisted

    - `blocklisted_pattern: optional string`

      Pattern that blocklisted this message

    - `whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more`

      Legacy field for allowlist pattern type

      - `"quarantine_release"`

      - `"acceptable_sender"`

      - `"allowed_sender"`

      - `"allowed_recipient"`

      - `"domain_similarity"`

      - `"domain_recency"`

      - `"managed_acceptable_sender"`

      - `"outbound_ndr"`

  - `ts: string`

    Deprecated, use `scanned_at` instead. End of life: November 1, 2026.

  - `alert_id: optional string`

  - `delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"REVIEW_SUBMISSION"`

    - `"DMARC_UNVERIFIED"`

    - `"DMARC_FAILURE_REPORT"`

    - `"DMARC_AGGREGATE_REPORT"`

    - `"THREAT_INTEL_SUBMISSION"`

    - `"SIMULATION_SUBMISSION"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more`

    - `"delivered"`

    - `"moved"`

    - `"quarantined"`

    - `"rejected"`

    - `"deferred"`

    - `"bounced"`

    - `"queued"`

  - `edf_hash: optional string`

  - `envelope_from: optional string`

  - `envelope_to: optional array of string`

  - `final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `findings: optional array of object { attachment, detail, detection, 6 more }`

    Deprecated, use the `findings` field from `GET /investigate/{investigate_id}/detections` instead. End of life: November 1, 2026. Detection findings for this message.

    - `attachment: optional string`

    - `detail: optional string`

    - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

      - `"MALICIOUS"`

      - `"MALICIOUS-BEC"`

      - `"SUSPICIOUS"`

      - `"SPOOF"`

      - `"SPAM"`

      - `"BULK"`

      - `"ENCRYPTED"`

      - `"EXTERNAL"`

      - `"UNKNOWN"`

      - `"NONE"`

    - `field: optional string`

    - `name: optional string`

    - `portion: optional string`

    - `reason: optional string`

    - `score: optional number`

    - `value: optional string`

  - `from: optional string`

  - `from_name: optional string`

  - `htmltext_structure_hash: optional string`

  - `message_id: optional string`

  - `post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"`

    Post-delivery operations performed on this message

    - `"PREVIEW"`

    - `"QUARANTINE_RELEASE"`

    - `"SUBMISSION"`

    - `"MOVE"`

  - `postfix_id_outbound: optional string`

  - `replyto: optional string`

  - `scanned_at: optional string`

    When the message was scanned (UTC)

  - `sent_at: optional string`

    When the message was sent (UTC)

  - `sent_date: optional string`

  - `subject: optional string`

  - `threat_categories: optional array of string`

  - `to: optional array of string`

  - `to_name: optional array of string`

  - `validation: optional object { comment, dkim, dmarc, spf }`

    - `comment: optional string`

    - `dkim: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `dmarc: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `spf: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

- `result_info: object { count, per_page, total_count, 3 more }`

  - `count: number`

    Number of items in current page

  - `per_page: number`

    Number of items per page

  - `total_count: number`

    Deprecated: Always returns 0. End of life: November 1, 2026.

  - `next: optional string`

    Cursor for next page

  - `page: optional number`

    Deprecated: Always returns 0. End of life: November 1, 2026.

  - `previous: optional string`

    Cursor for previous page

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
      "action_log": [
        {
          "completed_at": "2019-12-27T18:11:19.117Z",
          "operation": "MOVE",
          "completed_timestamp": "completed_timestamp",
          "properties": {
            "folder": "folder",
            "requested_by": "requested_by"
          },
          "status": "status"
        }
      ],
      "client_recipients": [
        "string"
      ],
      "detection_reasons": [
        "string"
      ],
      "is_phish_submission": true,
      "is_quarantined": true,
      "postfix_id": "4Njp3P0STMz2c02Q",
      "properties": {
        "allowlisted_pattern": "allowlisted_pattern",
        "allowlisted_pattern_type": "quarantine_release",
        "blocklisted_message": true,
        "blocklisted_pattern": "blocklisted_pattern",
        "whitelisted_pattern_type": "quarantine_release"
      },
      "ts": "ts",
      "alert_id": "alert_id",
      "delivery_mode": "DIRECT",
      "delivery_status": [
        "delivered"
      ],
      "edf_hash": "edf_hash",
      "envelope_from": "envelope_from",
      "envelope_to": [
        "string"
      ],
      "final_disposition": "MALICIOUS",
      "findings": [
        {
          "attachment": "attachment",
          "detail": "detail",
          "detection": "MALICIOUS",
          "field": "field",
          "name": "name",
          "portion": "portion",
          "reason": "reason",
          "score": 0,
          "value": "value"
        }
      ],
      "from": "from",
      "from_name": "from_name",
      "htmltext_structure_hash": "htmltext_structure_hash",
      "message_id": "message_id",
      "post_delivery_operations": [
        "PREVIEW"
      ],
      "postfix_id_outbound": "postfix_id_outbound",
      "replyto": "replyto",
      "scanned_at": "2019-12-27T18:11:19.117Z",
      "sent_at": "2019-12-27T18:11:19.117Z",
      "sent_date": "sent_date",
      "subject": "subject",
      "threat_categories": [
        "string"
      ],
      "to": [
        "string"
      ],
      "to_name": [
        "string"
      ],
      "validation": {
        "comment": "comment",
        "dkim": "pass",
        "dmarc": "pass",
        "spf": "pass"
      }
    }
  ],
  "result_info": {
    "count": 0,
    "per_page": 0,
    "total_count": 0,
    "next": "next",
    "page": 0,
    "previous": "previous"
  },
  "success": true
}
```
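A script that drives this endpoint the way a SOC would, added here as an example and not Cloudflare's own code: it follows `result_info.next` cursors rather than the deprecated `page` parameter, and flags detections whose SPF/DKIM/DMARC did not pass or that a user released from quarantine. The account ID is a placeholder and the two-page sample response is constructed; `make_live_fetch` is the only part that talks to the real API.

```python
"""Triage recent Email Security detections via the investigate search API.

Added example, not Cloudflare's code: it builds the documented query, follows
result_info.next cursors instead of the deprecated `page` parameter, and
summarises what an analyst would look at first. Samples are constructed."""
import json
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlparse

API_BASE = "https://api.cloudflare.com/client/v4"  # base URL from the page's curl example


def build_search_url(account_id: str, *, days: int = 7, disposition: Optional[str] = None,
                     per_page: int = 1000, cursor: Optional[str] = None,
                     now: Optional[datetime] = None) -> str:
    """Build the GET /accounts/{account_id}/email-security/investigate URL."""
    now = now or datetime.now(timezone.utc)
    params = [
        ("start", (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")),
        ("end", now.strftime("%Y-%m-%dT%H:%M:%SZ")),
        ("detections_only", "true"),
        ("per_page", str(min(per_page, 1000))),  # documented maximum is 1000
    ]
    if disposition:  # one of the documented final_disposition values
        params.append(("final_disposition", disposition))
    if cursor:  # cursor pagination; `page` is deprecated (EOL November 1, 2026)
        params.append(("cursor", cursor))
    return f"{API_BASE}/accounts/{account_id}/email-security/investigate?{urlencode(params)}"


def make_live_fetch(api_token: str) -> Callable[[str], dict]:
    """Return a fetcher doing the real authenticated GET (the curl call above, in Python)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_messages(fetch: Callable[[str], dict], account_id: str, **search_kw) -> Iterator[dict]:
    """Yield every matching message across all pages by following result_info.next."""
    cursor: Optional[str] = None
    seen_cursors = set()
    while True:
        body = fetch(build_search_url(account_id, cursor=cursor, **search_kw))
        if not body.get("success"):
            raise RuntimeError(f"investigate search failed: {body.get('errors')}")
        yield from body.get("result", [])
        cursor = (body.get("result_info") or {}).get("next")
        if not cursor or cursor in seen_cursors:  # last page, or a cursor that would loop
            return
        seen_cursors.add(cursor)


def triage(messages: Iterable[dict]) -> Dict[str, object]:
    """Summarise detections the way an analyst would prioritise them."""
    summary = {"total": 0, "by_disposition": Counter(), "auth_failed": [], "released_from_quarantine": []}
    for msg in messages:
        summary["total"] += 1
        summary["by_disposition"][msg.get("final_disposition", "UNKNOWN")] += 1
        validation = msg.get("validation") or {}  # the spf/dkim/dmarc results documented above
        if any(validation.get(k) in ("fail", "error", "none") for k in ("spf", "dkim", "dmarc")):
            summary["auth_failed"].append(msg["id"])
        if "QUARANTINE_RELEASE" in (msg.get("post_delivery_operations") or []):
            summary["released_from_quarantine"].append(msg["id"])  # detection a user released
    summary["by_disposition"] = dict(summary["by_disposition"])
    return summary


# Constructed two-page response set keyed by cursor; not real API output.
SAMPLE_PAGES = {
    None: {
        "success": True,
        "result": [
            {"id": "msg-1", "final_disposition": "MALICIOUS", "post_delivery_operations": [],
             "validation": {"spf": "fail", "dkim": "none", "dmarc": "fail"}},
            {"id": "msg-2", "final_disposition": "SPOOF", "post_delivery_operations": ["QUARANTINE_RELEASE"],
             "validation": {"spf": "pass", "dkim": "pass", "dmarc": "fail"}},
        ],
        "result_info": {"count": 2, "per_page": 2, "next": "cursor-page-2"},
    },
    "cursor-page-2": {
        "success": True,
        "result": [
            {"id": "msg-3", "final_disposition": "SUSPICIOUS", "post_delivery_operations": ["PREVIEW"],
             "validation": {"spf": "pass", "dkim": "pass", "dmarc": "pass"}},
        ],
        "result_info": {"count": 1, "per_page": 2, "next": None},
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for make_live_fetch(): serves SAMPLE_PAGES by the cursor in the URL."""
    cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
    return SAMPLE_PAGES[cursor]


def run_triage(account_id: str = "ACCOUNT_ID_PLACEHOLDER",
               fetch: Callable[[str], dict] = fake_fetch) -> Dict[str, object]:
    """Search the last 7 days of detections and return the triage summary."""
    return triage(iter_messages(fetch, account_id, days=7))
```

Swap `fake_fetch` for `make_live_fetch(token)` to run it against a real account; a detection that also appears in `released_from_quarantine` is the first thing to follow up on.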

## Get message details

**get** `/accounts/{account_id}/email-security/investigate/{investigate_id}`

Retrieves comprehensive details for a specific email message including headers, recipients, sender information, and current quarantine status. Use the investigate_id from search results to fetch detailed information.

### Path Parameters

- `account_id: string`

  Identifier.

- `investigate_id: string`

  Unique identifier for a message retrieved from investigation

### Query Parameters

- `submission: optional boolean`

  When true, search the submissions datastore only. When false or omitted, search the regular datastore only.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: object { id, action_log, client_recipients, 29 more }`

  - `id: string`

    Unique identifier for a message retrieved from investigation

  - `action_log: array of object { completed_at, operation, completed_timestamp, 2 more }`

    Deprecated, use `GET /investigate/{investigate_id}/action_log` instead. End of life: November 1, 2026.

    - `completed_at: string`

      Timestamp when action completed

    - `operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more`

      Type of action performed

      - `"MOVE"`

      - `"RELEASE"`

      - `"RECLASSIFY"`

      - `"SUBMISSION"`

      - `"QUARANTINE_RELEASE"`

      - `"PREVIEW"`

    - `completed_timestamp: optional string`

      Deprecated, use `completed_at` instead. End of life: November 1, 2026.

    - `properties: optional object { folder, requested_by }`

      Additional properties for the action

      - `folder: optional string`

        Target folder for move operations

      - `requested_by: optional string`

        User who requested the action

    - `status: optional string`

      Status of the action

  - `client_recipients: array of string`

  - `detection_reasons: array of string`

  - `is_phish_submission: boolean`

  - `is_quarantined: boolean`

  - `postfix_id: string`

    The identifier of the message

  - `properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }`

    Message processing properties

    - `allowlisted_pattern: optional string`

      Pattern that allowlisted this message

    - `allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more`

      Type of allowlist pattern

      - `"quarantine_release"`

      - `"acceptable_sender"`

      - `"allowed_sender"`

      - `"allowed_recipient"`

      - `"domain_similarity"`

      - `"domain_recency"`

      - `"managed_acceptable_sender"`

      - `"outbound_ndr"`

    - `blocklisted_message: optional boolean`

      Whether message was blocklisted

    - `blocklisted_pattern: optional string`

      Pattern that blocklisted this message

    - `whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more`

      Legacy field for allowlist pattern type

      - `"quarantine_release"`

      - `"acceptable_sender"`

      - `"allowed_sender"`

      - `"allowed_recipient"`

      - `"domain_similarity"`

      - `"domain_recency"`

      - `"managed_acceptable_sender"`

      - `"outbound_ndr"`

  - `ts: string`

    Deprecated, use `scanned_at` instead. End of life: November 1, 2026.

  - `alert_id: optional string`

  - `delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"REVIEW_SUBMISSION"`

    - `"DMARC_UNVERIFIED"`

    - `"DMARC_FAILURE_REPORT"`

    - `"DMARC_AGGREGATE_REPORT"`

    - `"THREAT_INTEL_SUBMISSION"`

    - `"SIMULATION_SUBMISSION"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more`

    - `"delivered"`

    - `"moved"`

    - `"quarantined"`

    - `"rejected"`

    - `"deferred"`

    - `"bounced"`

    - `"queued"`

  - `edf_hash: optional string`

  - `envelope_from: optional string`

  - `envelope_to: optional array of string`

  - `final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `findings: optional array of object { attachment, detail, detection, 6 more }`

    Deprecated, use the `findings` field from `GET /investigate/{investigate_id}/detections` instead. End of life: November 1, 2026. Detection findings for this message.

    - `attachment: optional string`

    - `detail: optional string`

    - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

      - `"MALICIOUS"`

      - `"MALICIOUS-BEC"`

      - `"SUSPICIOUS"`

      - `"SPOOF"`

      - `"SPAM"`

      - `"BULK"`

      - `"ENCRYPTED"`

      - `"EXTERNAL"`

      - `"UNKNOWN"`

      - `"NONE"`

    - `field: optional string`

    - `name: optional string`

    - `portion: optional string`

    - `reason: optional string`

    - `score: optional number`

    - `value: optional string`

  - `from: optional string`

  - `from_name: optional string`

  - `htmltext_structure_hash: optional string`

  - `message_id: optional string`

  - `post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"`

    Post-delivery operations performed on this message

    - `"PREVIEW"`

    - `"QUARANTINE_RELEASE"`

    - `"SUBMISSION"`

    - `"MOVE"`

  - `postfix_id_outbound: optional string`

  - `replyto: optional string`

  - `scanned_at: optional string`

    When the message was scanned (UTC)

  - `sent_at: optional string`

    When the message was sent (UTC)

  - `sent_date: optional string`

  - `subject: optional string`

  - `threat_categories: optional array of string`

  - `to: optional array of string`

  - `to_name: optional array of string`

  - `validation: optional object { comment, dkim, dmarc, spf }`

    - `comment: optional string`

    - `dkim: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `dmarc: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `spf: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/$INVESTIGATE_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
    "action_log": [
      {
        "completed_at": "2019-12-27T18:11:19.117Z",
        "operation": "MOVE",
        "completed_timestamp": "completed_timestamp",
        "properties": {
          "folder": "folder",
          "requested_by": "requested_by"
        },
        "status": "status"
      }
    ],
    "client_recipients": [
      "string"
    ],
    "detection_reasons": [
      "string"
    ],
    "is_phish_submission": true,
    "is_quarantined": true,
    "postfix_id": "4Njp3P0STMz2c02Q",
    "properties": {
      "allowlisted_pattern": "allowlisted_pattern",
      "allowlisted_pattern_type": "quarantine_release",
      "blocklisted_message": true,
      "blocklisted_pattern": "blocklisted_pattern",
      "whitelisted_pattern_type": "quarantine_release"
    },
    "ts": "ts",
    "alert_id": "alert_id",
    "delivery_mode": "DIRECT",
    "delivery_status": [
      "delivered"
    ],
    "edf_hash": "edf_hash",
    "envelope_from": "envelope_from",
    "envelope_to": [
      "string"
    ],
    "final_disposition": "MALICIOUS",
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "from": "from",
    "from_name": "from_name",
    "htmltext_structure_hash": "htmltext_structure_hash",
    "message_id": "message_id",
    "post_delivery_operations": [
      "PREVIEW"
    ],
    "postfix_id_outbound": "postfix_id_outbound",
    "replyto": "replyto",
    "scanned_at": "2019-12-27T18:11:19.117Z",
    "sent_at": "2019-12-27T18:11:19.117Z",
    "sent_date": "sent_date",
    "subject": "subject",
    "threat_categories": [
      "string"
    ],
    "to": [
      "string"
    ],
    "to_name": [
      "string"
    ],
    "validation": {
      "comment": "comment",
      "dkim": "pass",
      "dmarc": "pass",
      "spf": "pass"
    }
  },
  "success": true
}
```

## Domain Types

### Investigate List Response

- `InvestigateListResponse object { id, action_log, client_recipients, 29 more }`

  - `id: string`

    Unique identifier for a message retrieved from investigation

  - `action_log: array of object { completed_at, operation, completed_timestamp, 2 more }`

    Deprecated, use `GET /investigate/{investigate_id}/action_log` instead. End of life: November 1, 2026.

    - `completed_at: string`

      Timestamp when action completed

    - `operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more`

      Type of action performed

      - `"MOVE"`

      - `"RELEASE"`

      - `"RECLASSIFY"`

      - `"SUBMISSION"`

      - `"QUARANTINE_RELEASE"`

      - `"PREVIEW"`

    - `completed_timestamp: optional string`

      Deprecated, use `completed_at` instead. End of life: November 1, 2026.

    - `properties: optional object { folder, requested_by }`

      Additional properties for the action

      - `folder: optional string`

        Target folder for move operations

      - `requested_by: optional string`

        User who requested the action

    - `status: optional string`

      Status of the action

  - `client_recipients: array of string`

  - `detection_reasons: array of string`

  - `is_phish_submission: boolean`

  - `is_quarantined: boolean`

  - `postfix_id: string`

    The identifier of the message

  - `properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }`

    Message processing properties

    - `allowlisted_pattern: optional string`

      Pattern that allowlisted this message

    - `allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more`

      Type of allowlist pattern

      - `"quarantine_release"`

      - `"acceptable_sender"`

      - `"allowed_sender"`

      - `"allowed_recipient"`

      - `"domain_similarity"`

      - `"domain_recency"`

      - `"managed_acceptable_sender"`

      - `"outbound_ndr"`

    - `blocklisted_message: optional boolean`

      Whether message was blocklisted

    - `blocklisted_pattern: optional string`

      Pattern that blocklisted this message

    - `whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more`

      Legacy field for allowlist pattern type

      - `"quarantine_release"`

      - `"acceptable_sender"`

      - `"allowed_sender"`

      - `"allowed_recipient"`

      - `"domain_similarity"`

      - `"domain_recency"`

      - `"managed_acceptable_sender"`

      - `"outbound_ndr"`

  - `ts: string`

    Deprecated, use `scanned_at` instead. End of life: November 1, 2026.

  - `alert_id: optional string`

  - `delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"REVIEW_SUBMISSION"`

    - `"DMARC_UNVERIFIED"`

    - `"DMARC_FAILURE_REPORT"`

    - `"DMARC_AGGREGATE_REPORT"`

    - `"THREAT_INTEL_SUBMISSION"`

    - `"SIMULATION_SUBMISSION"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more`

    - `"delivered"`

    - `"moved"`

    - `"quarantined"`

    - `"rejected"`

    - `"deferred"`

    - `"bounced"`

    - `"queued"`

  - `edf_hash: optional string`

  - `envelope_from: optional string`

  - `envelope_to: optional array of string`

  - `final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `findings: optional array of object { attachment, detail, detection, 6 more }`

    Deprecated, use the `findings` field from `GET /investigate/{investigate_id}/detections` instead. End of life: November 1, 2026. Detection findings for this message.

    - `attachment: optional string`

    - `detail: optional string`

    - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

      - `"MALICIOUS"`

      - `"MALICIOUS-BEC"`

      - `"SUSPICIOUS"`

      - `"SPOOF"`

      - `"SPAM"`

      - `"BULK"`

      - `"ENCRYPTED"`

      - `"EXTERNAL"`

      - `"UNKNOWN"`

      - `"NONE"`

    - `field: optional string`

    - `name: optional string`

    - `portion: optional string`

    - `reason: optional string`

    - `score: optional number`

    - `value: optional string`

  - `from: optional string`

  - `from_name: optional string`

  - `htmltext_structure_hash: optional string`

  - `message_id: optional string`

  - `post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"`

    Post-delivery operations performed on this message

    - `"PREVIEW"`

    - `"QUARANTINE_RELEASE"`

    - `"SUBMISSION"`

    - `"MOVE"`

  - `postfix_id_outbound: optional string`

  - `replyto: optional string`

  - `scanned_at: optional string`

    When the message was scanned (UTC)

  - `sent_at: optional string`

    When the message was sent (UTC)

  - `sent_date: optional string`

  - `subject: optional string`

  - `threat_categories: optional array of string`

  - `to: optional array of string`

  - `to_name: optional array of string`

  - `validation: optional object { comment, dkim, dmarc, spf }`

    - `comment: optional string`

    - `dkim: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `dmarc: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `spf: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

### Investigate Get Response

- `InvestigateGetResponse object { id, action_log, client_recipients, 29 more }`

  - `id: string`

    Unique identifier for a message retrieved from investigation

  - `action_log: array of object { completed_at, operation, completed_timestamp, 2 more }`

    Deprecated, use `GET /investigate/{investigate_id}/action_log` instead. End of life: November 1, 2026.

    - `completed_at: string`

      Timestamp when action completed

    - `operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more`

      Type of action performed

      - `"MOVE"`

      - `"RELEASE"`

      - `"RECLASSIFY"`

      - `"SUBMISSION"`

      - `"QUARANTINE_RELEASE"`

      - `"PREVIEW"`

    - `completed_timestamp: optional string`

      Deprecated, use `completed_at` instead. End of life: November 1, 2026.

    - `properties: optional object { folder, requested_by }`

      Additional properties for the action

      - `folder: optional string`

        Target folder for move operations

      - `requested_by: optional string`

        User who requested the action

    - `status: optional string`

      Status of the action

  - `client_recipients: array of string`

  - `detection_reasons: array of string`

  - `is_phish_submission: boolean`

  - `is_quarantined: boolean`

  - `postfix_id: string`

    The identifier of the message

  - `properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }`

    Message processing properties

    - `allowlisted_pattern: optional string`

      Pattern that allowlisted this message

    - `allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more`

      Type of allowlist pattern

      - `"quarantine_release"`

      - `"acceptable_sender"`

      - `"allowed_sender"`

      - `"allowed_recipient"`

      - `"domain_similarity"`

      - `"domain_recency"`

      - `"managed_acceptable_sender"`

      - `"outbound_ndr"`

    - `blocklisted_message: optional boolean`

      Whether message was blocklisted

    - `blocklisted_pattern: optional string`

      Pattern that blocklisted this message

    - `whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more`

      Legacy field for allowlist pattern type

      - `"quarantine_release"`

      - `"acceptable_sender"`

      - `"allowed_sender"`

      - `"allowed_recipient"`

      - `"domain_similarity"`

      - `"domain_recency"`

      - `"managed_acceptable_sender"`

      - `"outbound_ndr"`

  - `ts: string`

    Deprecated, use `scanned_at` instead. End of life: November 1, 2026.

  - `alert_id: optional string`

  - `delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"REVIEW_SUBMISSION"`

    - `"DMARC_UNVERIFIED"`

    - `"DMARC_FAILURE_REPORT"`

    - `"DMARC_AGGREGATE_REPORT"`

    - `"THREAT_INTEL_SUBMISSION"`

    - `"SIMULATION_SUBMISSION"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more`

    - `"delivered"`

    - `"moved"`

    - `"quarantined"`

    - `"rejected"`

    - `"deferred"`

    - `"bounced"`

    - `"queued"`

  - `edf_hash: optional string`

  - `envelope_from: optional string`

  - `envelope_to: optional array of string`

  - `final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `findings: optional array of object { attachment, detail, detection, 6 more }`

    Deprecated, use the `findings` field from `GET /investigate/{investigate_id}/detections` instead. End of life: November 1, 2026. Detection findings for this message.

    - `attachment: optional string`

    - `detail: optional string`

    - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

      - `"MALICIOUS"`

      - `"MALICIOUS-BEC"`

      - `"SUSPICIOUS"`

      - `"SPOOF"`

      - `"SPAM"`

      - `"BULK"`

      - `"ENCRYPTED"`

      - `"EXTERNAL"`

      - `"UNKNOWN"`

      - `"NONE"`

    - `field: optional string`

    - `name: optional string`

    - `portion: optional string`

    - `reason: optional string`

    - `score: optional number`

    - `value: optional string`

  - `from: optional string`

  - `from_name: optional string`

  - `htmltext_structure_hash: optional string`

  - `message_id: optional string`

  - `post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"`

    Post-delivery operations performed on this message

    - `"PREVIEW"`

    - `"QUARANTINE_RELEASE"`

    - `"SUBMISSION"`

    - `"MOVE"`

  - `postfix_id_outbound: optional string`

  - `replyto: optional string`

  - `scanned_at: optional string`

    When the message was scanned (UTC)

  - `sent_at: optional string`

    When the message was sent (UTC)

  - `sent_date: optional string`

  - `subject: optional string`

  - `threat_categories: optional array of string`

  - `to: optional array of string`

  - `to_name: optional array of string`

  - `validation: optional object { comment, dkim, dmarc, spf }`

    - `comment: optional string`

    - `dkim: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `dmarc: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `spf: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

# Detections

## Get message detection details

**get** `/accounts/{account_id}/email-security/investigate/{investigate_id}/detections`

Returns detection details such as threat categories and sender information for non-benign messages.

### Path Parameters

- `account_id: string`

  Identifier.

- `investigate_id: string`

  Unique identifier for a message retrieved from investigation

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: object { action, attachments, findings, 6 more }`

  - `action: string`

  - `attachments: array of object { size, content_type, detection, 6 more }`

    - `size: number`

      Size of the attachment in bytes

    - `content_type: optional string`

      MIME type of the attachment

    - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

      Detection result for this attachment

      - `"MALICIOUS"`

      - `"MALICIOUS-BEC"`

      - `"SUSPICIOUS"`

      - `"SPOOF"`

      - `"SPAM"`

      - `"BULK"`

      - `"ENCRYPTED"`

      - `"EXTERNAL"`

      - `"UNKNOWN"`

      - `"NONE"`

    - `encrypted: optional boolean`

      Whether the attachment is encrypted

    - `filename: optional string`

      Name of the attached file

    - `md5: optional string`

      MD5 hash of the attachment

    - `name: optional string`

      Attachment name (alternative to filename)

    - `sha1: optional string`

      SHA1 hash of the attachment

    - `sha256: optional string`

      SHA256 hash of the attachment

  - `findings: array of object { attachment, detail, detection, 6 more }`

    - `attachment: optional string`

    - `detail: optional string`

    - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

      - `"MALICIOUS"`

      - `"MALICIOUS-BEC"`

      - `"SUSPICIOUS"`

      - `"SPOOF"`

      - `"SPAM"`

      - `"BULK"`

      - `"ENCRYPTED"`

      - `"EXTERNAL"`

      - `"UNKNOWN"`

      - `"NONE"`

    - `field: optional string`

    - `name: optional string`

    - `portion: optional string`

    - `reason: optional string`

    - `score: optional number`

    - `value: optional string`

  - `headers: array of object { name, value }`

    - `name: string`

    - `value: string`

  - `links: array of object { href, text }`

    - `href: string`

    - `text: optional string`

  - `sender_info: object { as_name, as_number, geo, 2 more }`

    - `as_name: optional string`

      The name of the autonomous system.

    - `as_number: optional number`

      The number of the autonomous system.

    - `geo: optional string`

    - `ip: optional string`

    - `pld: optional string`

  - `threat_categories: array of object { id, description, name }`

    - `id: optional number`

    - `description: optional string`

    - `name: optional string`

  - `validation: object { comment, dkim, dmarc, spf }`

    - `comment: optional string`

    - `dkim: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `dmarc: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `spf: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

  - `final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/$INVESTIGATE_ID/detections \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "action": "action",
    "attachments": [
      {
        "size": 0,
        "content_type": "content_type",
        "detection": "MALICIOUS",
        "encrypted": true,
        "filename": "filename",
        "md5": "md5",
        "name": "name",
        "sha1": "sha1",
        "sha256": "sha256"
      }
    ],
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "headers": [
      {
        "name": "name",
        "value": "value"
      }
    ],
    "links": [
      {
        "href": "href",
        "text": "text"
      }
    ],
    "sender_info": {
      "as_name": "as_name",
      "as_number": 0,
      "geo": "geo",
      "ip": "ip",
      "pld": "pld"
    },
    "threat_categories": [
      {
        "id": 0,
        "description": "description",
        "name": "name"
      }
    ],
    "validation": {
      "comment": "comment",
      "dkim": "pass",
      "dmarc": "pass",
      "spf": "pass"
    },
    "final_disposition": "MALICIOUS"
  },
  "success": true
}
```
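A small triage helper for the `detections` response, added here as an example and not Cloudflare's own code: it reads only the `DetectionGetResponse` fields documented above, treats anything other than `pass` in `validation` as a sender-authentication failure, and keeps the hashes of attachments that were flagged or could not be opened. The sample `result` is constructed (the IP and ASN come from documentation ranges; the hashes are placeholders).

```python
"""Flatten an Email Security DetectionGetResponse `result` for analysts/SIEM.

Added example, not Cloudflare's code. Only fields documented for
GET .../email-security/investigate/{investigate_id}/detections are read.
"""
from __future__ import annotations

from typing import Any
from urllib.parse import urlsplit

# Dispositions that warrant analyst attention; the remaining values
# (BULK, ENCRYPTED, EXTERNAL, UNKNOWN, NONE) are informational.
ACTIONABLE_DISPOSITIONS = {"MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", "SPOOF", "SPAM"}


def auth_failures(validation: dict[str, Any]) -> list[str]:
    """Return the checks that did not pass.

    "pass" is the only positive outcome; "neutral", "fail", "error" and
    "none" all mean the message cannot be attributed to the sending domain.
    """
    return [m for m in ("spf", "dkim", "dmarc") if validation.get(m) != "pass"]


def attachment_indicators(attachments: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Collect hashes for attachments the scanner flagged or could not inspect."""
    out = []
    for a in attachments:
        flagged = a.get("detection") not in (None, "NONE") or bool(a.get("encrypted"))
        if not flagged:
            continue
        out.append({
            "filename": a.get("filename") or a.get("name"),
            "sha256": a.get("sha256"),
            "detection": a.get("detection"),
            "encrypted": bool(a.get("encrypted")),
            "size": a.get("size"),
        })
    return out


def link_hosts(links: list[dict[str, Any]]) -> list[str]:
    """Deduplicated, sorted hostnames from the links the scanner extracted."""
    hosts = {urlsplit(l["href"]).hostname for l in links if l.get("href")}
    return sorted(h for h in hosts if h)


def triage(result: dict[str, Any]) -> dict[str, Any]:
    """Turn a DetectionGetResponse `result` into one flat, analyst-facing record."""
    disposition = result.get("final_disposition", "UNKNOWN")
    sender = result.get("sender_info", {})
    return {
        "disposition": disposition,
        "actionable": disposition in ACTIONABLE_DISPOSITIONS,
        "auth_failures": auth_failures(result.get("validation", {})),
        "threat_categories": [c["name"] for c in result.get("threat_categories", [])
                              if c.get("name")],
        "sender_ip": sender.get("ip"),
        "sender_asn": sender.get("as_number"),
        "attachments": attachment_indicators(result.get("attachments", [])),
        "link_hosts": link_hosts(result.get("links", [])),
        "finding_reasons": sorted({f["reason"] for f in result.get("findings", [])
                                   if f.get("reason")}),
    }


# Constructed sample `result` (not a real response). 203.0.113.0/24 and
# AS64496 are documentation ranges; the hashes are placeholders.
SAMPLE_RESULT = {
    "action": "quarantine",
    "attachments": [
        {"size": 2048, "content_type": "application/pdf", "detection": "NONE",
         "filename": "invoice.pdf", "sha256": "a" * 64},
        {"size": 4096, "content_type": "application/zip", "detection": "MALICIOUS",
         "encrypted": True, "filename": "payroll.zip", "sha256": "b" * 64},
    ],
    "findings": [
        {"detection": "MALICIOUS", "field": "attachment",
         "reason": "Known malware family", "score": 95},
        {"detection": "SUSPICIOUS", "field": "from",
         "reason": "Display name mismatch", "score": 40},
    ],
    "headers": [{"name": "Reply-To", "value": "finance@example.net"}],
    "links": [{"href": "https://login.example.net/verify", "text": "Verify"},
              {"href": "https://login.example.net/reset"},
              {"href": "http://cdn.example.org/logo.png"}],
    "sender_info": {"as_name": "EXAMPLE-AS", "as_number": 64496,
                    "geo": "ZZ", "ip": "203.0.113.7"},
    "threat_categories": [{"id": 1, "name": "Credential Harvester"},
                          {"id": 2, "name": "Malware"}],
    "validation": {"spf": "pass", "dkim": "fail", "dmarc": "none", "comment": ""},
    "final_disposition": "MALICIOUS",
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RESULT), indent=2))
```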

## Domain Types

### Detection Get Response

- `DetectionGetResponse object { action, attachments, findings, 6 more }`

  - `action: string`

  - `attachments: array of object { size, content_type, detection, 6 more }`

    - `size: number`

      Size of the attachment in bytes

    - `content_type: optional string`

      MIME type of the attachment

    - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

      Detection result for this attachment

      - `"MALICIOUS"`

      - `"MALICIOUS-BEC"`

      - `"SUSPICIOUS"`

      - `"SPOOF"`

      - `"SPAM"`

      - `"BULK"`

      - `"ENCRYPTED"`

      - `"EXTERNAL"`

      - `"UNKNOWN"`

      - `"NONE"`

    - `encrypted: optional boolean`

      Whether the attachment is encrypted

    - `filename: optional string`

      Name of the attached file

    - `md5: optional string`

      MD5 hash of the attachment

    - `name: optional string`

      Attachment name (alternative to filename)

    - `sha1: optional string`

      SHA1 hash of the attachment

    - `sha256: optional string`

      SHA256 hash of the attachment

  - `findings: array of object { attachment, detail, detection, 6 more }`

    - `attachment: optional string`

    - `detail: optional string`

    - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

      - `"MALICIOUS"`

      - `"MALICIOUS-BEC"`

      - `"SUSPICIOUS"`

      - `"SPOOF"`

      - `"SPAM"`

      - `"BULK"`

      - `"ENCRYPTED"`

      - `"EXTERNAL"`

      - `"UNKNOWN"`

      - `"NONE"`

    - `field: optional string`

    - `name: optional string`

    - `portion: optional string`

    - `reason: optional string`

    - `score: optional number`

    - `value: optional string`

  - `headers: array of object { name, value }`

    - `name: string`

    - `value: string`

  - `links: array of object { href, text }`

    - `href: string`

    - `text: optional string`

  - `sender_info: object { as_name, as_number, geo, 2 more }`

    - `as_name: optional string`

      The name of the autonomous system.

    - `as_number: optional number`

      The number of the autonomous system.

    - `geo: optional string`

    - `ip: optional string`

    - `pld: optional string`

  - `threat_categories: array of object { id, description, name }`

    - `id: optional number`

    - `description: optional string`

    - `name: optional string`

  - `validation: object { comment, dkim, dmarc, spf }`

    - `comment: optional string`

    - `dkim: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `dmarc: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

    - `spf: optional "pass" or "neutral" or "fail" or 2 more`

      - `"pass"`

      - `"neutral"`

      - `"fail"`

      - `"error"`

      - `"none"`

  - `final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

# Preview

## Get email preview

**get** `/accounts/{account_id}/email-security/investigate/{investigate_id}/preview`

Returns a preview of the message body as a base64-encoded PNG image for non-benign messages.

### Path Parameters

- `account_id: string`

  Identifier.

- `investigate_id: string`

  Unique identifier for a message retrieved from investigation

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: object { screenshot }`

  - `screenshot: string`

    A base64-encoded PNG image of the email.

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/$INVESTIGATE_ID/preview \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "screenshot": "screenshot"
  },
  "success": true
}
```

## Preview for non-detection messages

**post** `/accounts/{account_id}/email-security/investigate/preview`

Generates a preview image for a message that was not flagged as a detection. Useful for investigating benign messages. Returns a base64-encoded PNG screenshot of the email body.

### Path Parameters

- `account_id: string`

  Identifier.

### Body Parameters

- `postfix_id: string`

  The identifier of the message

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: object { screenshot }`

  - `screenshot: string`

    A base64-encoded PNG image of the email.

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/preview \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "postfix_id": "4Njp3P0STMz2c02Q"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "screenshot": "screenshot"
  },
  "success": true
}
```

## Domain Types

### Preview Get Response

- `PreviewGetResponse object { screenshot }`

  - `screenshot: string`

    A base64-encoded PNG image of the email.

### Preview Create Response

- `PreviewCreateResponse object { screenshot }`

  - `screenshot: string`

    A base64-encoded PNG image of the email.

# Raw

## Get raw email content

**get** `/accounts/{account_id}/email-security/investigate/{investigate_id}/raw`

Returns the raw `.eml` content of any non-benign message.

### Path Parameters

- `account_id: string`

  Identifier.

- `investigate_id: string`

  Unique identifier for a message retrieved from investigation

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: object { raw }`

  - `raw: string`

    A UTF-8 encoded `.eml` file of the email.

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/$INVESTIGATE_ID/raw \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "raw": "raw"
  },
  "success": true
}
```

## Domain Types

### Raw Get Response

- `RawGetResponse object { raw }`

  - `raw: string`

    A UTF-8 encoded `.eml` file of the email.
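Handling the `preview` and `raw` responses described above, as an added example (not Cloudflare's code): `decode_preview` refuses a `screenshot` that is not valid base64 or does not carry the PNG signature before anything is written to disk, and `summarize_raw_eml` parses the `.eml` from `raw` with the standard library so the attachment hashes can be cross-checked against the `sha256` values the detections endpoint reports. The screenshot bytes and the message are constructed sample inputs.

```python
"""Safe handling of Email Security `preview` and `raw` investigate responses.

Added example, not Cloudflare's code. Sample values below are constructed.
"""
import base64
import binascii
import hashlib
from email import message_from_string, policy

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def decode_preview(screenshot: str) -> bytes:
    """Decode the base64 `screenshot` field and verify it really is a PNG.

    The reference promises a PNG, but a file an analyst will open should be
    checked against the format's magic bytes, not trusted on a field name.
    """
    try:
        data = base64.b64decode(screenshot, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("screenshot is not valid base64") from exc
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("screenshot payload is not a PNG image")
    return data


def summarize_raw_eml(raw: str) -> dict:
    """Extract key headers and per-attachment SHA-256 hashes from a raw .eml."""
    msg = message_from_string(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return {
        "from": str(msg["From"]) if msg["From"] else None,
        "reply_to": str(msg["Reply-To"]) if msg["Reply-To"] else None,
        "subject": str(msg["Subject"]) if msg["Subject"] else None,
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
        "attachments": attachments,
    }


def hashes_match(eml_summary: dict, reported_sha256: set) -> bool:
    """True when every hash the scanner reported is present in the .eml itself."""
    local = {a["sha256"] for a in eml_summary["attachments"]}
    return reported_sha256 <= local


# Constructed sample inputs: bytes carrying the PNG signature, a non-PNG
# payload, and a two-part message with one base64 attachment.
SAMPLE_SCREENSHOT = base64.b64encode(PNG_SIGNATURE + b"\x00" * 16).decode()
SAMPLE_NOT_PNG = base64.b64encode(b"<html>not an image</html>").decode()
SAMPLE_ATTACHMENT = b"not really a schedule"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()
SAMPLE_RAW_EML = "\n".join([
    "From: Payroll <payroll@example.net>",
    "Reply-To: finance@example.org",
    "To: alice@example.com",
    "Subject: Updated payroll schedule",
    "Message-ID: <constructed-0001@example.net>",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Please review the attached schedule.",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="schedule.bin"',
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(SAMPLE_ATTACHMENT).decode(),
    "--b1--",
    "",
])

if __name__ == "__main__":
    print(len(decode_preview(SAMPLE_SCREENSHOT)), "PNG bytes decoded")
    print(summarize_raw_eml(SAMPLE_RAW_EML))
```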

# Trace

## Get email trace

**get** `/accounts/{account_id}/email-security/investigate/{investigate_id}/trace`

Retrieves delivery and processing trace information for an email message. Shows the delivery path, retraction history, and move operations performed on the message. Useful for debugging delivery issues.

### Path Parameters

- `account_id: string`

  Identifier.

- `investigate_id: string`

  Unique identifier for a message retrieved from investigation

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: object { inbound, outbound }`

  - `inbound: object { lines, pending }`

    - `lines: optional array of object { lineno, logged_at, message, ts }`

      - `lineno: optional number`

        Line number in the trace log

      - `logged_at: optional string`

      - `message: optional string`

      - `ts: optional string`

        Deprecated, use `logged_at` instead. End of life: November 1, 2026.

    - `pending: optional boolean`

  - `outbound: object { lines, pending }`

    - `lines: optional array of object { lineno, logged_at, message, ts }`

      - `lineno: optional number`

        Line number in the trace log

      - `logged_at: optional string`

      - `message: optional string`

      - `ts: optional string`

        Deprecated, use `logged_at` instead. End of life: November 1, 2026.

    - `pending: optional boolean`

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/$INVESTIGATE_ID/trace \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "inbound": {
      "lines": [
        {
          "lineno": 0,
          "logged_at": "2019-12-27T18:11:19.117Z",
          "message": "message",
          "ts": "ts"
        }
      ],
      "pending": true
    },
    "outbound": {
      "lines": [
        {
          "lineno": 0,
          "logged_at": "2019-12-27T18:11:19.117Z",
          "message": "message",
          "ts": "ts"
        }
      ],
      "pending": true
    }
  },
  "success": true
}
```

## Domain Types

### Trace Get Response

- `TraceGetResponse object { inbound, outbound }`

  - `inbound: object { lines, pending }`

    - `lines: optional array of object { lineno, logged_at, message, ts }`

      - `lineno: optional number`

        Line number in the trace log

      - `logged_at: optional string`

      - `message: optional string`

      - `ts: optional string`

        Deprecated, use `logged_at` instead. End of life: November 1, 2026.

    - `pending: optional boolean`

  - `outbound: object { lines, pending }`

    - `lines: optional array of object { lineno, logged_at, message, ts }`

      - `lineno: optional number`

        Line number in the trace log

      - `logged_at: optional string`

      - `message: optional string`

      - `ts: optional string`

        Deprecated, use `logged_at` instead. End of life: November 1, 2026.

    - `pending: optional boolean`

# Move

## Move a message

**post** `/accounts/{account_id}/email-security/investigate/{investigate_id}/move`

Moves a single message to a specified mailbox folder (Inbox, JunkEmail, DeletedItems, RecoverableItemsDeletions, or RecoverableItemsPurges). Requires an active integration.

### Path Parameters

- `account_id: string`

  Identifier.

- `investigate_id: string`

  Unique identifier for a message retrieved from investigation

### Body Parameters

- `destination: "Inbox" or "JunkEmail" or "DeletedItems" or 2 more`

  - `"Inbox"`

  - `"JunkEmail"`

  - `"DeletedItems"`

  - `"RecoverableItemsDeletions"`

  - `"RecoverableItemsPurges"`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: array of object { success, completed_at, completed_timestamp, 6 more }`

  - `success: boolean`

    Whether the operation succeeded

  - `completed_at: optional string`

    When the move operation completed (UTC)

  - `completed_timestamp: optional string`

    Deprecated, use `completed_at` instead. End of life: November 1, 2026.

  - `destination: optional string`

    Destination folder for the message

  - `item_count: optional number`

    Number of items moved. End of life: November 1, 2026.

  - `message_id: optional string`

    Message identifier

  - `operation: optional string`

    Type of operation performed

  - `recipient: optional string`

    Recipient email address

  - `status: optional string`

    Operation status

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/$INVESTIGATE_ID/move \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "destination": "Inbox"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "success": true,
      "completed_at": "2019-12-27T18:11:19.117Z",
      "completed_timestamp": "2019-12-27T18:11:19.117Z",
      "destination": "destination",
      "item_count": 0,
      "message_id": "message_id",
      "operation": "operation",
      "recipient": "recipient",
      "status": "status"
    }
  ],
  "success": true
}
```

## Move multiple messages

**post** `/accounts/{account_id}/email-security/investigate/move`

Moves multiple messages to a specified mailbox folder (Inbox, JunkEmail, DeletedItems, RecoverableItemsDeletions, or RecoverableItemsPurges). Requires active integration.

### Path Parameters

- `account_id: string`

  Identifier.

### Body Parameters

- `destination: "Inbox" or "JunkEmail" or "DeletedItems" or 2 more`

  - `"Inbox"`

  - `"JunkEmail"`

  - `"DeletedItems"`

  - `"RecoverableItemsDeletions"`

  - `"RecoverableItemsPurges"`

- `ids: optional array of string`

  List of message IDs to move

- `postfix_ids: optional array of string`

  Deprecated, use `ids` instead. End of life: November 1, 2026. List of message IDs to move.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: array of object { success, completed_at, completed_timestamp, 6 more }`

  - `success: boolean`

    Whether the operation succeeded

  - `completed_at: optional string`

    When the move operation completed (UTC)

  - `completed_timestamp: optional string`

    Deprecated, use `completed_at` instead. End of life: November 1, 2026.

  - `destination: optional string`

    Destination folder for the message

  - `item_count: optional number`

    Number of items moved. End of life: November 1, 2026.

  - `message_id: optional string`

    Message identifier

  - `operation: optional string`

    Type of operation performed

  - `recipient: optional string`

    Recipient email address

  - `status: optional string`

    Operation status

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/move \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "destination": "Inbox"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "success": true,
      "completed_at": "2019-12-27T18:11:19.117Z",
      "completed_timestamp": "2019-12-27T18:11:19.117Z",
      "destination": "destination",
      "item_count": 0,
      "message_id": "message_id",
      "operation": "operation",
      "recipient": "recipient",
      "status": "status"
    }
  ],
  "success": true
}
```

## Domain Types

### Move Create Response

- `MoveCreateResponse object { success, completed_at, completed_timestamp, 6 more }`

  - `success: boolean`

    Whether the operation succeeded

  - `completed_at: optional string`

    When the move operation completed (UTC)

  - `completed_timestamp: optional string`

    Deprecated, use `completed_at` instead. End of life: November 1, 2026.

  - `destination: optional string`

    Destination folder for the message

  - `item_count: optional number`

    Number of items moved. End of life: November 1, 2026.

  - `message_id: optional string`

    Message identifier

  - `operation: optional string`

    Type of operation performed

  - `recipient: optional string`

    Recipient email address

  - `status: optional string`

    Operation status

### Move Bulk Response

- `MoveBulkResponse object { success, completed_at, completed_timestamp, 6 more }`

  - `success: boolean`

    Whether the operation succeeded

  - `completed_at: optional string`

    When the move operation completed (UTC)

  - `completed_timestamp: optional string`

    Deprecated, use `completed_at` instead. End of life: November 1, 2026.

  - `destination: optional string`

    Destination folder for the message

  - `item_count: optional number`

    Number of items moved. End of life: November 1, 2026.

  - `message_id: optional string`

    Message identifier

  - `operation: optional string`

    Type of operation performed

  - `recipient: optional string`

    Recipient email address

  - `status: optional string`

    Operation status

# Reclassify

## Change email classification

**post** `/accounts/{account_id}/email-security/investigate/{investigate_id}/reclassify`

Submits a request to reclassify an email's disposition. Use for reporting false positives or false negatives. Optionally provide the raw EML content for reanalysis. The reclassification is processed asynchronously.

### Path Parameters

- `account_id: string`

  Identifier.

- `investigate_id: string`

  Unique identifier for a message retrieved from investigation

### Body Parameters

- `expected_disposition: "NONE" or "BULK" or "MALICIOUS" or 3 more`

  - `"NONE"`

  - `"BULK"`

  - `"MALICIOUS"`

  - `"SPAM"`

  - `"SPOOF"`

  - `"SUSPICIOUS"`

- `eml_content: optional string`

  Base64 encoded content of the EML file.

- `escalated_submission_id: optional string`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: unknown`

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/$INVESTIGATE_ID/reclassify \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "expected_disposition": "NONE"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Reclassify Create Response

- `ReclassifyCreateResponse = unknown`

# Release

## Release messages from quarantine

**post** `/accounts/{account_id}/email-security/investigate/release`

Releases one or more quarantined messages, delivering them to the intended recipients. Use when a message was incorrectly quarantined. Returns delivery status for each recipient.

### Path Parameters

- `account_id: string`

  Identifier.

### Body Parameters

- `body: array of string`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: array of object { id, delivered, failed, 2 more }`

  - `id: string`

    Unique identifier for a message retrieved from investigation

  - `delivered: optional array of string`

  - `failed: optional array of string`

  - `postfix_id: optional string`

    Deprecated, use `id` instead. End of life: November 1, 2026.

  - `undelivered: optional array of string`

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate/release \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '[
          "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678"
        ]'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
      "delivered": [
        "string"
      ],
      "failed": [
        "string"
      ],
      "postfix_id": "4Njp3P0STMz2c02Q",
      "undelivered": [
        "string"
      ]
    }
  ],
  "success": true
}
```

## Domain Types

### Release Bulk Response

- `ReleaseBulkResponse object { id, delivered, failed, 2 more }`

  - `id: string`

    Unique identifier for a message retrieved from investigation

  - `delivered: optional array of string`

  - `failed: optional array of string`

  - `postfix_id: optional string`

    Deprecated, use `id` instead. End of life: November 1, 2026.

  - `undelivered: optional array of string`
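The three remediation calls above (move, release, reclassify) share the same response envelope and the same deprecated-field migration. The Python helpers below are an added example, not Cloudflare's SDK or code from this page: they build the request bodies, unwrap the envelope, fall back from `completed_timestamp` and `postfix_id` to their replacements, and index per-recipient release status. The transport callable, `fake_transport` and its responses are constructed for offline use.

```python
"""Remediation helpers for the Email Security investigate endpoints (move,
release, reclassify). Added example, not Cloudflare's SDK. The HTTP transport
is injected as a callable so the module runs offline; the fake transport at
the bottom returns responses modelled on the page's examples."""
import base64
from typing import Any, Callable, Dict, Iterable, List, Optional

API_BASE = "https://api.cloudflare.com/client/v4"
MOVE_DESTINATIONS = {"Inbox", "JunkEmail", "DeletedItems",
                     "RecoverableItemsDeletions", "RecoverableItemsPurges"}
DISPOSITIONS = {"NONE", "BULK", "MALICIOUS", "SPAM", "SPOOF", "SUSPICIOUS"}
# transport(method, url, json_body) -> parsed v4 response envelope
Transport = Callable[[str, str, Any], Dict[str, Any]]


def _result(resp: Dict[str, Any]) -> Any:
    """Unwrap the v4 envelope, raising with the API's error list on failure."""
    if not resp.get("success"):
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}"
                           for e in resp.get("errors") or [])
        raise RuntimeError(f"API call failed: {detail or 'no error detail'}")
    return resp.get("result")


def normalize_move(item: Dict[str, Any]) -> Dict[str, Any]:
    """Prefer completed_at; completed_timestamp is deprecated (EOL Nov 1, 2026)."""
    return {"message_id": item.get("message_id"),
            "success": bool(item.get("success")),
            "completed_at": item.get("completed_at") or item.get("completed_timestamp"),
            "destination": item.get("destination"),
            "status": item.get("status")}


def move_messages(transport: Transport, account_id: str, ids: Iterable[str],
                  destination: str) -> List[Dict[str, Any]]:
    """Bulk move. Sends `ids` only; `postfix_ids` is deprecated."""
    if destination not in MOVE_DESTINATIONS:
        raise ValueError(f"unsupported destination: {destination}")
    url = f"{API_BASE}/accounts/{account_id}/email-security/investigate/move"
    body = {"destination": destination, "ids": list(ids)}
    return [normalize_move(r) for r in _result(transport("POST", url, body)) or []]


def release_messages(transport: Transport, account_id: str,
                     ids: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Release quarantined messages; index per-recipient delivery status by id."""
    url = f"{API_BASE}/accounts/{account_id}/email-security/investigate/release"
    summary: Dict[str, Dict[str, List[str]]] = {}
    for r in _result(transport("POST", url, list(ids))) or []:
        msg_id = r.get("id") or r.get("postfix_id")  # postfix_id is deprecated
        summary[msg_id] = {k: list(r.get(k) or [])
                           for k in ("delivered", "failed", "undelivered")}
    return summary


def reclassify_body(expected_disposition: str, eml: Optional[bytes] = None,
                    escalated_submission_id: Optional[str] = None) -> Dict[str, str]:
    """Build the reclassify request; raw EML content goes in base64."""
    if expected_disposition not in DISPOSITIONS:
        raise ValueError(f"unsupported disposition: {expected_disposition}")
    body = {"expected_disposition": expected_disposition}
    if eml is not None:
        body["eml_content"] = base64.b64encode(eml).decode("ascii")
    if escalated_submission_id:
        body["escalated_submission_id"] = escalated_submission_id
    return body


def reclassify(transport: Transport, account_id: str, investigate_id: str,
               expected_disposition: str, eml: Optional[bytes] = None) -> bool:
    """Submit a reclassification. It is processed asynchronously, so a
    successful envelope means accepted, not that the disposition changed."""
    url = (f"{API_BASE}/accounts/{account_id}/email-security/investigate/"
           f"{investigate_id}/reclassify")
    _result(transport("POST", url, reclassify_body(expected_disposition, eml)))
    return True


# Constructed fake transport; responses are modelled on the page's examples.
SAMPLE_ID = "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678"


def fake_transport(method: str, url: str, body: Any) -> Dict[str, Any]:
    ok = {"errors": [], "messages": [], "success": True}
    if url.endswith("/investigate/move"):
        return {**ok, "result": [{"success": True, "message_id": i, "status": "done",
                                  "completed_timestamp": "2024-01-05T10:05:00Z",
                                  "destination": body["destination"]}
                                 for i in body["ids"]]}
    if url.endswith("/investigate/release"):
        return {**ok, "result": [{"id": i, "delivered": ["alice@example.com"],
                                  "failed": [], "undelivered": ["bob@example.com"]}
                                 for i in body]}
    if url.endswith("/reclassify"):
        return {**ok, "result": {}}
    return {"errors": [{"code": 1000, "message": "unknown route"}],
            "messages": [], "success": False, "result": None}
```

To run against the real API, replace `fake_transport` with a function that POSTs `body` as JSON with the `Authorization: Bearer` header from the curl examples and returns the parsed response.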

# Phishguard

# Reports

## Get PhishGuard reports

**get** `/accounts/{account_id}/email-security/phishguard/reports`

Retrieves PhishGuard security alert reports for a specified date range. Reports include detected threats, dispositions, and contextual information. Use for security monitoring and threat analysis.

### Path Parameters

- `account_id: string`

  Identifier.

### Query Parameters

- `end: optional string`

  End of the time range (RFC3339). Takes precedence over to_date.

- `from_date: optional string`

  Deprecated, use `start` instead. Start date in YYYY-MM-DD format.

- `start: optional string`

  Start of the time range (RFC3339). Takes precedence over from_date.

- `to_date: optional string`

  Deprecated, use `end` instead. End date in YYYY-MM-DD format.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `result: array of object { id, content, disposition, 7 more }`

  - `id: number`

  - `content: string`

  - `disposition: "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `fields: object { to, from, occurred_at, 2 more }`

    - `to: array of string`

    - `from: optional string`

    - `occurred_at: optional string`

    - `postfix_id: optional string`

    - `ts: optional string`

      Deprecated, use `occurred_at` instead

  - `priority: string`

  - `title: string`

  - `created_at: optional string`

  - `tags: optional array of object { category, value }`

    - `category: string`

    - `value: string`

  - `ts: optional string`

    Deprecated, use `created_at` instead

  - `updated_at: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/phishguard/reports \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": 0,
      "content": "content",
      "disposition": "MALICIOUS",
      "fields": {
        "to": [
          "string"
        ],
        "from": "from",
        "occurred_at": "2019-12-27T18:11:19.117Z",
        "postfix_id": "postfix_id",
        "ts": "2019-12-27T18:11:19.117Z"
      },
      "priority": "priority",
      "title": "title",
      "created_at": "2019-12-27T18:11:19.117Z",
      "tags": [
        {
          "category": "category",
          "value": "value"
        }
      ],
      "ts": "2019-12-27T18:11:19.117Z",
      "updated_at": "2019-12-27T18:11:19.117Z"
    }
  ],
  "success": true
}
```

## Domain Types

### Report List Response

- `ReportListResponse object { id, content, disposition, 7 more }`

  - `id: number`

  - `content: string`

  - `disposition: "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `fields: object { to, from, occurred_at, 2 more }`

    - `to: array of string`

    - `from: optional string`

    - `occurred_at: optional string`

    - `postfix_id: optional string`

    - `ts: optional string`

      Deprecated, use `occurred_at` instead

  - `priority: string`

  - `title: string`

  - `created_at: optional string`

  - `tags: optional array of object { category, value }`

    - `category: string`

    - `value: string`

  - `ts: optional string`

    Deprecated, use `created_at` instead

  - `updated_at: optional string`

# Settings

# Allow Policies

## List email allow policies

**get** `/accounts/{account_id}/email-security/settings/allow_policies`

Returns a paginated list of email allow policies. These policies exempt matching emails from security detection, allowing them to bypass disposition actions. Supports filtering by pattern type and policy attributes.

### Path Parameters

- `account_id: string`

  Identifier.

### Query Parameters

- `direction: optional "asc" or "desc"`

  The sorting direction.

  - `"asc"`

  - `"desc"`

- `is_acceptable_sender: optional boolean`

  Filter to show only policies where messages from the sender are exempted from Spam, Spoof, and Bulk dispositions (not Malicious or Suspicious).

- `is_exempt_recipient: optional boolean`

  Filter to show only policies where messages to the recipient bypass all detections.

- `is_trusted_sender: optional boolean`

  Filter to show only policies where messages from the sender bypass all detections and link following.

- `order: optional "pattern" or "created_at"`

  Field to sort by.

  - `"pattern"`

  - `"created_at"`

- `page: optional number`

  Current page within paginated list of results.

- `pattern: optional string`

- `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

  Type of pattern matching.
  Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

  - `"EMAIL"`

  - `"DOMAIN"`

  - `"IP"`

  - `"UNKNOWN"`

- `per_page: optional number`

  The number of results per page. Maximum value is 1000.

- `search: optional string`

  Search term for filtering records. Behavior may change.

- `verify_sender: optional boolean`

  Filter to show only policies that enforce DMARC, SPF, or DKIM authentication.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional array of object { id, created_at, last_modified, 12 more }`

  - `id: string`

    Allow policy identifier

  - `created_at: string`

  - `last_modified: string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `comments: optional string`

  - `is_acceptable_sender: optional boolean`

    Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

  - `is_exempt_recipient: optional boolean`

    Messages to this recipient will bypass all detections

  - `is_recipient: optional boolean`

    Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

  - `is_regex: optional boolean`

  - `is_sender: optional boolean`

    Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

  - `is_spoof: optional boolean`

    Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

  - `is_trusted_sender: optional boolean`

    Messages from this sender will bypass all detections and link following

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

  - `verify_sender: optional boolean`

    Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

- `result_info: optional object { count, page, per_page, total_count }`

  - `count: optional number`

    Total number of results for the requested service.

  - `page: optional number`

    Current page within paginated list of results.

  - `per_page: optional number`

    Number of results per page of results.

  - `total_count: optional number`

    Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/allow_policies \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "last_modified": "2014-01-01T05:20:00.12345Z",
      "comments": "Trust all messages send from test@example.com",
      "is_acceptable_sender": false,
      "is_exempt_recipient": false,
      "is_recipient": false,
      "is_regex": false,
      "is_sender": true,
      "is_spoof": false,
      "is_trusted_sender": true,
      "modified_at": "2014-01-01T05:20:00.12345Z",
      "pattern": "test@example.com",
      "pattern_type": "EMAIL",
      "verify_sender": true
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get an email allow policy

**get** `/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}`

Retrieves details for a specific allow policy including its pattern, dispositions that are exempted, and whether it applies to all detections.

### Path Parameters

- `account_id: string`

  Identifier.

- `policy_id: string`

  Allow policy identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, created_at, last_modified, 12 more }`

  An email allow policy

  - `id: string`

    Allow policy identifier

  - `created_at: string`

  - `last_modified: string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `comments: optional string`

  - `is_acceptable_sender: optional boolean`

    Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

  - `is_exempt_recipient: optional boolean`

    Messages to this recipient will bypass all detections

  - `is_recipient: optional boolean`

    Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

  - `is_regex: optional boolean`

  - `is_sender: optional boolean`

    Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

  - `is_spoof: optional boolean`

    Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

  - `is_trusted_sender: optional boolean`

    Messages from this sender will bypass all detections and link following

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

  - `verify_sender: optional boolean`

    Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/allow_policies/$POLICY_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "comments": "Trust all messages send from test@example.com",
    "is_acceptable_sender": false,
    "is_exempt_recipient": false,
    "is_recipient": false,
    "is_regex": false,
    "is_sender": true,
    "is_spoof": false,
    "is_trusted_sender": true,
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "test@example.com",
    "pattern_type": "EMAIL",
    "verify_sender": true
  }
}
```

## Create email allow policy

**post** `/accounts/{account_id}/email-security/settings/allow_policies`

Creates a new allow policy that exempts matching emails from security detections. Use with caution as this bypasses email security scanning. Policies can match on sender patterns and apply to specific detections or all detections.

### Path Parameters

- `account_id: string`

  Identifier.

### Body Parameters

- `is_acceptable_sender: boolean`

  Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

- `is_exempt_recipient: boolean`

  Messages to this recipient will bypass all detections

- `is_regex: boolean`

- `is_trusted_sender: boolean`

  Messages from this sender will bypass all detections and link following

- `pattern: string`

- `pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

  Type of pattern matching.
  Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

  - `"EMAIL"`

  - `"DOMAIN"`

  - `"IP"`

  - `"UNKNOWN"`

- `verify_sender: boolean`

  Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

- `comments: optional string`

- `is_recipient: optional boolean`

  Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

- `is_sender: optional boolean`

  Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

- `is_spoof: optional boolean`

  Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, created_at, last_modified, 12 more }`

  An email allow policy

  - `id: string`

    Allow policy identifier

  - `created_at: string`

  - `last_modified: string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `comments: optional string`

  - `is_acceptable_sender: optional boolean`

    Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

  - `is_exempt_recipient: optional boolean`

    Messages to this recipient will bypass all detections

  - `is_recipient: optional boolean`

    Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

  - `is_regex: optional boolean`

  - `is_sender: optional boolean`

    Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

  - `is_spoof: optional boolean`

    Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

  - `is_trusted_sender: optional boolean`

    Messages from this sender will bypass all detections and link following

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

  - `verify_sender: optional boolean`

    Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/allow_policies \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "is_acceptable_sender": false,
          "is_exempt_recipient": false,
          "is_regex": false,
          "is_trusted_sender": true,
          "pattern": "test@example.com",
          "pattern_type": "EMAIL",
          "verify_sender": true,
          "comments": "Trust all messages send from test@example.com",
          "is_sender": true
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "comments": "Trust all messages send from test@example.com",
    "is_acceptable_sender": false,
    "is_exempt_recipient": false,
    "is_recipient": false,
    "is_regex": false,
    "is_sender": true,
    "is_spoof": false,
    "is_trusted_sender": true,
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "test@example.com",
    "pattern_type": "EMAIL",
    "verify_sender": true
  }
}
```
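Because an allow policy removes scanning for whatever it matches, the list and create endpoints above are worth wrapping in a pre-flight check and a periodic audit. The Python below is an added example, not Cloudflare's SDK or this page's code: it validates a create/update body (rejects `UNKNOWN`, deprecated flags and invalid regexes, and flags a trusted sender without `verify_sender`) and ranks policies returned by the list endpoint by how much detection they bypass. `SAMPLE_POLICIES` is constructed in the shape of the list response.

```python
"""Guard rails for Email Security allow policies: validate a create/update body
before sending it, and audit policies returned by the list endpoint for
over-broad exemptions. Added example, not Cloudflare's SDK or the page's own
code; SAMPLE_POLICIES is constructed in the shape of the page's list response."""
import re
from typing import Any, Dict, List
from urllib.parse import urlencode

API_BASE = "https://api.cloudflare.com/client/v4"
PATTERN_TYPES = {"EMAIL", "DOMAIN", "IP"}  # UNKNOWN is deprecated, read-only
DEPRECATED_FLAGS = {"is_sender": "is_trusted_sender",
                    "is_recipient": "is_exempt_recipient",
                    "is_spoof": "is_acceptable_sender"}


def list_policies_url(account_id: str, **query: Any) -> str:
    """Build the list URL; booleans become "true"/"false", per_page max 1000."""
    params = {k: (str(v).lower() if isinstance(v, bool) else v)
              for k, v in query.items() if v is not None}
    if int(params.get("per_page", 0)) > 1000:
        raise ValueError("per_page maximum is 1000")
    base = f"{API_BASE}/accounts/{account_id}/email-security/settings/allow_policies"
    return f"{base}?{urlencode(params)}" if params else base


def bypasses_all_detections(p: Dict[str, Any]) -> bool:
    """True when matching mail skips every detection. The deprecated flags still
    count until their July 1, 2026 end of life."""
    return bool(p.get("is_trusted_sender") or p.get("is_sender")
                or p.get("is_exempt_recipient") or p.get("is_recipient"))


def validate_policy_body(body: Dict[str, Any]) -> List[str]:
    """Reasons to reject a create/update body (empty list means acceptable)."""
    problems: List[str] = []
    if body.get("pattern_type") not in PATTERN_TYPES:
        problems.append("pattern_type must be EMAIL, DOMAIN or IP")
    if not body.get("pattern"):
        problems.append("pattern is required")
    elif body.get("is_regex"):
        try:
            re.compile(body["pattern"])
        except re.error as exc:
            problems.append(f"pattern is not a valid regex: {exc}")
    for old, new in DEPRECATED_FLAGS.items():
        if old in body:
            problems.append(f"{old} is deprecated (EOL July 1, 2026); use {new}")
    if (body.get("is_trusted_sender") and not body.get("verify_sender")
            and body.get("pattern_type") != "IP"):
        problems.append("is_trusted_sender without verify_sender: the policy is "
                        "honoured even when the message fails DMARC, SPF and DKIM")
    if not any(body.get(f) for f in
               ("is_trusted_sender", "is_acceptable_sender", "is_exempt_recipient")):
        problems.append("policy exempts nothing; set at least one is_* flag")
    return problems


def audit_policies(policies: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Rank existing policies by how much scanning they remove, most severe first."""
    findings = []
    for p in policies:
        reasons: List[str] = []
        full = bypasses_all_detections(p)
        if (p.get("is_trusted_sender") or p.get("is_sender")) and not p.get("verify_sender"):
            reasons.append("trusted sender without sender authentication")
        if p.get("is_regex"):
            reasons.append("regex pattern")
        if p.get("pattern_type") == "DOMAIN":
            reasons.append("whole-domain match")
        if p.get("pattern_type") == "UNKNOWN":
            reasons.append("deprecated pattern_type UNKNOWN")
        if any(p.get(f) for f in DEPRECATED_FLAGS):
            reasons.append("relies on deprecated flags (EOL July 1, 2026)")
        severity = "high" if full and reasons else "medium" if full or reasons else "low"
        findings.append({"id": p.get("id"), "pattern": p.get("pattern"),
                         "bypasses_all": full, "severity": severity, "reasons": reasons})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample policies in the shape of the page's list response.
SAMPLE_POLICIES = [
    {"id": "p1", "pattern": "test@example.com", "pattern_type": "EMAIL",
     "is_trusted_sender": True, "verify_sender": True, "is_regex": False},
    {"id": "p2", "pattern": "example.net", "pattern_type": "DOMAIN",
     "is_trusted_sender": True, "verify_sender": False, "is_regex": False},
    {"id": "p3", "pattern": r".*@newsletter\.example", "pattern_type": "EMAIL",
     "is_acceptable_sender": True, "verify_sender": True, "is_regex": True},
    {"id": "p4", "pattern": "203.0.113.10", "pattern_type": "IP",
     "is_acceptable_sender": True, "verify_sender": False, "is_regex": False},
]
```

Feeding `audit_policies` the `result` array from a real list call (paging with `page` and `per_page` until `result_info.total_count` is covered) gives a review queue ordered by bypass scope.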

## Update an email allow policy

**patch** `/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}`

Updates an existing allow policy. Only provided fields will be modified. Changes take effect for new emails matching the pattern.

### Path Parameters

- `account_id: string`

  Identifier.

- `policy_id: string`

  Allow policy identifier

### Body Parameters

- `comments: optional string`

- `is_acceptable_sender: optional boolean`

  Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

- `is_exempt_recipient: optional boolean`

  Messages to this recipient will bypass all detections

- `is_recipient: optional boolean`

  Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

- `is_regex: optional boolean`

- `is_sender: optional boolean`

  Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

- `is_spoof: optional boolean`

  Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

- `is_trusted_sender: optional boolean`

  Messages from this sender will bypass all detections and link following

- `pattern: optional string`

- `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

  Type of pattern matching.
  Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

  - `"EMAIL"`

  - `"DOMAIN"`

  - `"IP"`

  - `"UNKNOWN"`

- `verify_sender: optional boolean`

  Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, created_at, last_modified, 12 more }`

  An email allow policy

  - `id: string`

    Allow policy identifier

  - `created_at: string`

  - `last_modified: string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `comments: optional string`

  - `is_acceptable_sender: optional boolean`

    Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

  - `is_exempt_recipient: optional boolean`

    Messages to this recipient will bypass all detections

  - `is_recipient: optional boolean`

    Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

  - `is_regex: optional boolean`

  - `is_sender: optional boolean`

    Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

  - `is_spoof: optional boolean`

    Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

  - `is_trusted_sender: optional boolean`

    Messages from this sender will bypass all detections and link following

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

  - `verify_sender: optional boolean`

    Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/allow_policies/$POLICY_ID \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "comments": "Trust all messages send from test@example.com",
          "is_sender": true,
          "is_trusted_sender": true,
          "pattern": "test@example.com",
          "pattern_type": "EMAIL",
          "verify_sender": true
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "comments": "Trust all messages send from test@example.com",
    "is_acceptable_sender": false,
    "is_exempt_recipient": false,
    "is_recipient": false,
    "is_regex": false,
    "is_sender": true,
    "is_spoof": false,
    "is_trusted_sender": true,
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "test@example.com",
    "pattern_type": "EMAIL",
    "verify_sender": true
  }
}
```
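
The PATCH above migrates a policy off the deprecated `is_sender` flag while keeping `verify_sender` on. As an added example (not Cloudflare's code), the script below builds a minimal PATCH body from a policy as returned by the API, moving each deprecated flag to its documented replacement, and audits the stored policy for settings that widen the bypass. Field names and the deprecation schedule come from the reference above; the sample policy, its placeholder `id`, and the `patch_allow_policy` helper (urllib, never called here) are assumptions.

```python
"""Build a minimal PATCH body for an allow policy and audit the stored policy.

Added example, not Cloudflare's code. Field names and the deprecation
schedule come from the allow-policy reference; the sample policy and the
patch_allow_policy helper are assumptions.
"""
from __future__ import annotations

import json
import urllib.request
from typing import Any

API = "https://api.cloudflare.com/client/v4"

# Deprecated flag -> replacement (deprecated July 1, 2025; end of life July 1, 2026).
DEPRECATED_FLAGS = {
    "is_sender": "is_trusted_sender",
    "is_spoof": "is_acceptable_sender",
    "is_recipient": "is_exempt_recipient",
}

# Fields the PATCH body accepts. UNKNOWN is read-only, so it is not writable here.
PATCH_FIELDS = {"comments", "is_acceptable_sender", "is_exempt_recipient", "is_regex",
                "is_trusted_sender", "pattern", "pattern_type", "verify_sender"}
WRITABLE_PATTERN_TYPES = {"EMAIL", "DOMAIN", "IP"}


def build_patch_body(current: dict[str, Any], **changes: Any) -> dict[str, Any]:
    """Return only the fields that must change: deprecated flags are migrated
    to their replacements, and requested values equal to the current value
    are dropped, so the PATCH stays minimal (only provided fields are modified)."""
    body: dict[str, Any] = {}
    for old, new in DEPRECATED_FLAGS.items():
        if current.get(old) and not current.get(new):
            body[new] = True
    for key, value in changes.items():
        if key not in PATCH_FIELDS:
            raise ValueError(f"{key!r} is not a writable allow-policy field")
        if key == "pattern_type" and value not in WRITABLE_PATTERN_TYPES:
            raise ValueError("pattern_type must be EMAIL, DOMAIN or IP")
        if current.get(key) != value:
            body[key] = value
    return body


def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Flag allow-policy settings that widen the detection bypass and deserve review."""
    pid = policy.get("id", "?")
    findings: list[str] = []
    if policy.get("is_trusted_sender") and not policy.get("verify_sender"):
        findings.append(f"{pid}: is_trusted_sender without verify_sender; the bypass also "
                        "applies to mail that fails DMARC, SPF and DKIM")
    if policy.get("is_exempt_recipient"):
        findings.append(f"{pid}: is_exempt_recipient skips all detections for mail to "
                        f"{policy.get('pattern')}")
    if policy.get("is_regex") and (policy.get("is_trusted_sender") or policy.get("is_acceptable_sender")):
        findings.append(f"{pid}: regex pattern {policy.get('pattern')!r} grants a bypass; "
                        "confirm it cannot match addresses outside the intended sender")
    for old in DEPRECATED_FLAGS:
        if policy.get(old):
            findings.append(f"{pid}: deprecated flag {old} is set (end of life July 1, 2026)")
    if policy.get("pattern_type") == "UNKNOWN":
        findings.append(f"{pid}: pattern_type UNKNOWN is deprecated; re-create as EMAIL, DOMAIN or IP")
    return findings


def patch_allow_policy(account_id: str, policy_id: str, token: str, body: dict[str, Any]) -> dict[str, Any]:
    """Send the PATCH documented above (network call; not exercised in this example)."""
    req = urllib.request.Request(
        f"{API}/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample shaped like the response above, but still on the legacy
# is_sender flag and with sender authentication switched off.
SAMPLE_POLICY = {
    "id": "policy-id-placeholder", "pattern": "test@example.com", "pattern_type": "EMAIL",
    "is_regex": False, "is_sender": True, "is_trusted_sender": False,
    "is_spoof": False, "is_acceptable_sender": False, "is_recipient": False,
    "is_exempt_recipient": False, "verify_sender": False,
}

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY):
        print("finding:", line)
    print("patch body:", json.dumps(build_patch_body(SAMPLE_POLICY, verify_sender=True)))
```

Because a PATCH only touches the fields it carries, sending the migrated body before the July 1, 2026 end of life leaves every other setting untouched; `audit_policy` is the check to run over the list endpoint's `result` array before and after the change.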

## Delete an email allow policy

**delete** `/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}`

Removes an allow policy. After deletion, emails matching this pattern will be subject to normal security scanning and disposition actions.

### Path Parameters

- `account_id: string`

  Identifier.

- `policy_id: string`

  Allow policy identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id }`

  - `id: string`

    Allow policy identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/allow_policies/$POLICY_ID \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Allow Policy List Response

- `AllowPolicyListResponse object { id, created_at, last_modified, 12 more }`

  An email allow policy

  - `id: string`

    Allow policy identifier

  - `created_at: string`

  - `last_modified: string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `comments: optional string`

  - `is_acceptable_sender: optional boolean`

    Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

  - `is_exempt_recipient: optional boolean`

    Messages to this recipient will bypass all detections

  - `is_recipient: optional boolean`

    Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

  - `is_regex: optional boolean`

  - `is_sender: optional boolean`

    Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

  - `is_spoof: optional boolean`

    Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

  - `is_trusted_sender: optional boolean`

    Messages from this sender will bypass all detections and link following

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

  - `verify_sender: optional boolean`

    Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

### Allow Policy Get Response

- `AllowPolicyGetResponse object { id, created_at, last_modified, 12 more }`

  An email allow policy

  - `id: string`

    Allow policy identifier

  - `created_at: string`

  - `last_modified: string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `comments: optional string`

  - `is_acceptable_sender: optional boolean`

    Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

  - `is_exempt_recipient: optional boolean`

    Messages to this recipient will bypass all detections

  - `is_recipient: optional boolean`

    Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

  - `is_regex: optional boolean`

  - `is_sender: optional boolean`

    Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

  - `is_spoof: optional boolean`

    Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

  - `is_trusted_sender: optional boolean`

    Messages from this sender will bypass all detections and link following

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

  - `verify_sender: optional boolean`

    Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

### Allow Policy Create Response

- `AllowPolicyCreateResponse object { id, created_at, last_modified, 12 more }`

  An email allow policy

  - `id: string`

    Allow policy identifier

  - `created_at: string`

  - `last_modified: string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `comments: optional string`

  - `is_acceptable_sender: optional boolean`

    Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

  - `is_exempt_recipient: optional boolean`

    Messages to this recipient will bypass all detections

  - `is_recipient: optional boolean`

    Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

  - `is_regex: optional boolean`

  - `is_sender: optional boolean`

    Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

  - `is_spoof: optional boolean`

    Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

  - `is_trusted_sender: optional boolean`

    Messages from this sender will bypass all detections and link following

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

  - `verify_sender: optional boolean`

    Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

### Allow Policy Edit Response

- `AllowPolicyEditResponse object { id, created_at, last_modified, 12 more }`

  An email allow policy

  - `id: string`

    Allow policy identifier

  - `created_at: string`

  - `last_modified: string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `comments: optional string`

  - `is_acceptable_sender: optional boolean`

    Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

  - `is_exempt_recipient: optional boolean`

    Messages to this recipient will bypass all detections

  - `is_recipient: optional boolean`

    Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.

  - `is_regex: optional boolean`

  - `is_sender: optional boolean`

    Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.

  - `is_spoof: optional boolean`

    Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.

  - `is_trusted_sender: optional boolean`

    Messages from this sender will bypass all detections and link following

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

  - `verify_sender: optional boolean`

    Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

### Allow Policy Delete Response

- `AllowPolicyDeleteResponse object { id }`

  - `id: string`

    Allow policy identifier

# Block Senders

## List blocked email senders

**get** `/accounts/{account_id}/email-security/settings/block_senders`

Returns a paginated list of blocked email sender patterns. These patterns prevent emails from matching senders from being delivered. Supports filtering by pattern type and searching across patterns.

### Path Parameters

- `account_id: string`

  Identifier.

### Query Parameters

- `direction: optional "asc" or "desc"`

  The sorting direction.

  - `"asc"`

  - `"desc"`

- `order: optional "pattern" or "created_at"`

  Field to sort by.

  - `"pattern"`

  - `"created_at"`

- `page: optional number`

  Current page within paginated list of results.

- `pattern: optional string`

  Filter by pattern value.

- `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

  Filter by pattern type.

  - `"EMAIL"`

  - `"DOMAIN"`

  - `"IP"`

  - `"UNKNOWN"`

- `per_page: optional number`

  The number of results per page. Maximum value is 1000.

- `search: optional string`

  Search term for filtering records. Behavior may change.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional array of object { id, comments, created_at, 5 more }`

  - `id: optional string`

    Blocked sender pattern identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

- `result_info: optional object { count, page, per_page, total_count }`

  - `count: optional number`

    Total number of results for the requested service.

  - `page: optional number`

    Current page within paginated list of results.

  - `per_page: optional number`

    Number of results per page of results.

  - `total_count: optional number`

    Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/block_senders \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "comments": "Block sender with email test@example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "is_regex": false,
      "last_modified": "2014-01-01T05:20:00.12345Z",
      "modified_at": "2014-01-01T05:20:00.12345Z",
      "pattern": "test@example.com",
      "pattern_type": "EMAIL"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```
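
The list endpoint returns one page at a time and caps `per_page` at 1000, so an inventory of every blocked-sender pattern has to walk `page` until the list is exhausted. The following added example (not Cloudflare's code) does that walk against the documented envelope and counts what it finds; `fetch_page` is a caller-supplied callable so the walker runs offline against constructed responses, and `cloudflare_fetch` (urllib) is the assumed real implementation.

```python
"""Walk every page of blocked-sender patterns and summarise them.

Added example, not Cloudflare's code. The page/per_page/result_info contract
is the documented one; fetch_page is an injected callable and the fake
responses below are constructed.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Any, Callable, Iterator

API = "https://api.cloudflare.com/client/v4"
MAX_PER_PAGE = 1000  # documented maximum for per_page


def iter_block_senders(fetch_page: Callable[[dict[str, Any]], dict[str, Any]],
                       per_page: int = 100, **filters: Any) -> Iterator[dict[str, Any]]:
    """Yield each blocked-sender pattern, requesting pages until a short page
    ends the walk. total_count is not used as the stop condition because it
    counts results without any search parameters, so it can exceed the
    filtered total."""
    if not 1 <= per_page <= MAX_PER_PAGE:
        raise ValueError(f"per_page must be between 1 and {MAX_PER_PAGE}")
    page = 1
    while True:
        resp = fetch_page({"page": page, "per_page": per_page, **filters})
        if not resp.get("success"):
            raise RuntimeError(f"API call failed: {resp.get('errors')}")
        result = resp.get("result") or []
        yield from result
        if len(result) < per_page:
            return
        page += 1


def summarize(patterns: list[dict[str, Any]]) -> dict[str, int]:
    """Count patterns by pattern_type; regex entries get their own bucket
    because a broad regex blocks far more than a single address."""
    counts: Counter[str] = Counter()
    for p in patterns:
        counts[p.get("pattern_type", "UNKNOWN")] += 1
        if p.get("is_regex"):
            counts["regex"] += 1
    return dict(counts)


def cloudflare_fetch(account_id: str, token: str) -> Callable[[dict[str, Any]], dict[str, Any]]:
    """Return a fetch_page callable bound to the real endpoint (network; not run here)."""
    def fetch(params: dict[str, Any]) -> dict[str, Any]:
        url = (f"{API}/accounts/{account_id}/email-security/settings/block_senders?"
               + urllib.parse.urlencode(params))
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


# Constructed data: three patterns served in the documented envelope.
_FAKE_DB = [
    {"id": "p1", "pattern": "test@example.com", "pattern_type": "EMAIL", "is_regex": False},
    {"id": "p2", "pattern": "example.net", "pattern_type": "DOMAIN", "is_regex": False},
    {"id": "p3", "pattern": r".*@example\.org", "pattern_type": "EMAIL", "is_regex": True},
]


def fake_fetch(params: dict[str, Any]) -> dict[str, Any]:
    """Offline stand-in for the list endpoint, paging over _FAKE_DB."""
    page, per_page = params["page"], params["per_page"]
    chunk = _FAKE_DB[(page - 1) * per_page: page * per_page]
    return {"success": True, "errors": [], "messages": [], "result": chunk,
            "result_info": {"count": len(chunk), "page": page,
                            "per_page": per_page, "total_count": len(_FAKE_DB)}}


if __name__ == "__main__":
    print(summarize(list(iter_block_senders(fake_fetch, per_page=2))))
```

Swapping `fake_fetch` for `cloudflare_fetch(account_id, token)` runs the same walk against the account; passing `pattern_type="DOMAIN"` or `search=...` as keyword arguments forwards them as the documented query parameters.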

## Get a blocked email sender

**get** `/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}`

Retrieves details for a specific blocked sender pattern including its pattern type, value, and metadata.

### Path Parameters

- `account_id: string`

  Identifier.

- `pattern_id: string`

  Blocked sender pattern identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 5 more }`

  A blocked sender pattern

  - `id: optional string`

    Blocked sender pattern identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/block_senders/$PATTERN_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "Block sender with email test@example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "is_regex": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "test@example.com",
    "pattern_type": "EMAIL"
  }
}
```

## Create blocked email sender

**post** `/accounts/{account_id}/email-security/settings/block_senders`

Creates a new blocked sender pattern. Emails matching this pattern will be blocked from delivery. Patterns can be email addresses, domains, or IP addresses, and support regular expressions.

### Path Parameters

- `account_id: string`

  Identifier.

### Body Parameters

- `is_regex: boolean`

- `pattern: string`

- `pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

  Type of pattern matching.
  Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

  - `"EMAIL"`

  - `"DOMAIN"`

  - `"IP"`

  - `"UNKNOWN"`

- `comments: optional string`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 5 more }`

  A blocked sender pattern

  - `id: optional string`

    Blocked sender pattern identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/block_senders \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "is_regex": false,
          "pattern": "test@example.com",
          "pattern_type": "EMAIL",
          "comments": "Block sender with email test@example.com"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "Block sender with email test@example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "is_regex": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "test@example.com",
    "pattern_type": "EMAIL"
  }
}
```

## Update a blocked email sender

**patch** `/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}`

Updates an existing blocked sender pattern. Only provided fields will be modified. The pattern will continue blocking emails until deleted.

### Path Parameters

- `account_id: string`

  Identifier.

- `pattern_id: string`

  Blocked sender pattern identifier

### Body Parameters

- `comments: optional string`

- `is_regex: optional boolean`

- `pattern: optional string`

- `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

  Type of pattern matching.
  Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

  - `"EMAIL"`

  - `"DOMAIN"`

  - `"IP"`

  - `"UNKNOWN"`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 5 more }`

  A blocked sender pattern

  - `id: optional string`

    Blocked sender pattern identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/block_senders/$PATTERN_ID \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "comments": "Block sender with email test@example.com",
          "pattern": "test@example.com",
          "pattern_type": "EMAIL"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "Block sender with email test@example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "is_regex": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "test@example.com",
    "pattern_type": "EMAIL"
  }
}
```

## Delete a blocked email sender

**delete** `/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}`

Removes a blocked sender pattern. After deletion, emails from this sender will no longer be automatically blocked based on this rule.

### Path Parameters

- `account_id: string`

  Identifier.

- `pattern_id: string`

  Blocked sender pattern identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id }`

  - `id: string`

    Blocked sender pattern identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/block_senders/$PATTERN_ID \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Block Sender List Response

- `BlockSenderListResponse object { id, comments, created_at, 5 more }`

  A blocked sender pattern

  - `id: optional string`

    Blocked sender pattern identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

### Block Sender Get Response

- `BlockSenderGetResponse object { id, comments, created_at, 5 more }`

  A blocked sender pattern

  - `id: optional string`

    Blocked sender pattern identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

### Block Sender Create Response

- `BlockSenderCreateResponse object { id, comments, created_at, 5 more }`

  A blocked sender pattern

  - `id: optional string`

    Blocked sender pattern identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

### Block Sender Edit Response

- `BlockSenderEditResponse object { id, comments, created_at, 5 more }`

  A blocked sender pattern

  - `id: optional string`

    Blocked sender pattern identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

  - `pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"`

    Type of pattern matching.
    Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

    - `"EMAIL"`

    - `"DOMAIN"`

    - `"IP"`

    - `"UNKNOWN"`

### Block Sender Delete Response

- `BlockSenderDeleteResponse object { id }`

  - `id: string`

    Blocked sender pattern identifier

# Domains

## List protected email domains

**get** `/accounts/{account_id}/email-security/settings/domains`

Returns a paginated list of email domains protected by Email Security. Includes domain configuration, delivery modes, and authorization status. Supports filtering by delivery mode and integration ID.

### Path Parameters

- `account_id: string`

  Identifier.

### Query Parameters

- `active_delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 2 more`

  Currently active delivery mode to filter by.

  - `"DIRECT"`

  - `"BCC"`

  - `"JOURNAL"`

  - `"API"`

  - `"RETRO_SCAN"`

- `allowed_delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 2 more`

  Delivery mode to filter by.

  - `"DIRECT"`

  - `"BCC"`

  - `"JOURNAL"`

  - `"API"`

  - `"RETRO_SCAN"`

- `direction: optional "asc" or "desc"`

  The sorting direction.

  - `"asc"`

  - `"desc"`

- `domain: optional array of string`

  Domain names to filter by.

- `integration_id: optional string`

  Integration ID to filter by.

- `order: optional "domain" or "created_at"`

  Field to sort by.

  - `"domain"`

  - `"created_at"`

- `page: optional number`

  Current page within paginated list of results.

- `per_page: optional number`

  The number of results per page. Maximum value is 1000.

- `search: optional string`

  Search term for filtering records. Behavior may change.

- `status: optional "pending" or "active" or "failed" or "timeout"`

  Filters response to domains with the provided status.

  - `"pending"`

  - `"active"`

  - `"failed"`

  - `"timeout"`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional array of object { id, allowed_delivery_modes, authorization, 19 more }`

  - `id: optional string`

    Domain identifier

  - `allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `authorization: optional object { authorized, timestamp, status_message }`

    - `authorized: boolean`

    - `timestamp: string`

    - `status_message: optional string`

  - `created_at: optional string`

  - `dmarc_status: optional "none" or "good" or "invalid"`

    - `"none"`

    - `"good"`

    - `"invalid"`

  - `domain: optional string`

  - `drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }`

    - `timestamp: string`

    - `total_emails_processed: number`

    - `total_emails_processed_previous: number`

  - `folder: optional "AllItems" or "Inbox"`

    - `"AllItems"`

    - `"Inbox"`

  - `inbox_provider: optional "Microsoft" or "Google"`

    - `"Microsoft"`

    - `"Google"`

  - `integration_id: optional string`

  - `ip_restrictions: optional array of string`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `lookback_hops: optional number`

  - `modified_at: optional string`

  - `o365_tenant_id: optional string`

  - `regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more`

    - `"GLOBAL"`

    - `"AU"`

    - `"DE"`

    - `"IN"`

    - `"US"`

  - `require_tls_inbound: optional boolean`

  - `require_tls_outbound: optional boolean`

  - `spf_status: optional "none" or "good" or "neutral" or 2 more`

    - `"none"`

    - `"good"`

    - `"neutral"`

    - `"open"`

    - `"invalid"`

  - `status: optional "pending" or "active" or "failed" or "timeout"`

    - `"pending"`

    - `"active"`

    - `"failed"`

    - `"timeout"`

  - `transport: optional string`

- `result_info: optional object { count, page, per_page, total_count }`

  - `count: optional number`

    Total number of results for the requested service.

  - `page: optional number`

    Current page within paginated list of results.

  - `per_page: optional number`

    Number of results per page of results.

  - `total_count: optional number`

    Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/domains \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "allowed_delivery_modes": [
        "DIRECT"
      ],
      "authorization": {
        "authorized": true,
        "timestamp": "2019-12-27T18:11:19.117Z",
        "status_message": "status_message"
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "dmarc_status": "none",
      "domain": "example.com",
      "drop_dispositions": [
        "MALICIOUS"
      ],
      "emails_processed": {
        "timestamp": "2019-12-27T18:11:19.117Z",
        "total_emails_processed": 0,
        "total_emails_processed_previous": 0
      },
      "folder": "AllItems",
      "inbox_provider": "Microsoft",
      "integration_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "ip_restrictions": [
        "192.0.2.0/24",
        "2001:db8::/32"
      ],
      "last_modified": "2014-01-01T05:20:00.12345Z",
      "lookback_hops": 0,
      "modified_at": "2014-01-01T05:20:00.12345Z",
      "o365_tenant_id": "o365_tenant_id",
      "regions": [
        "GLOBAL"
      ],
      "require_tls_inbound": true,
      "require_tls_outbound": true,
      "spf_status": "none",
      "status": "pending",
      "transport": "transport"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```
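The listing above is the natural input for a posture check. The script below is an added example, not Cloudflare's code: it walks every page of the domain list using `result_info`, then reports domains whose `status`, `authorization`, `spf_status`, `dmarc_status`, TLS requirements, `ip_restrictions` or `drop_dispositions` deserve attention. Which values count as weak, and the reading of `ip_restrictions` as a source restriction on `DIRECT` delivery, are this example's assumptions, not anything the API states. The two sample pages are constructed so the audit runs offline; `cloudflare_page_fetcher` shows the equivalent live call.

```python
"""Posture audit of Email Security protected domains (added example,
not Cloudflare's code). Walks the paginated GET
/accounts/{account_id}/email-security/settings/domains response and
reports records worth a look; the thresholds are this example's."""
import json
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cloudflare_page_fetcher(account_id: str, token: str):
    """Build a fetch_page(page, per_page) callable against the live API
    (not exercised offline; sample_fetch_page below stands in for it)."""
    def fetch_page(page: int, per_page: int) -> dict:
        query = urllib.parse.urlencode({"page": page, "per_page": per_page})
        url = f"{API}/accounts/{account_id}/email-security/settings/domains?{query}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def fetch_all_domains(fetch_page, per_page: int = 100) -> list:
    """Collect every page: stop once page * per_page covers total_count or a
    page comes back empty, and fail loudly on success=false."""
    domains, page = [], 1
    while True:
        body = fetch_page(page, per_page)
        if not body.get("success"):
            raise RuntimeError(f"API call failed: {body.get('errors')}")
        batch = body.get("result") or []
        domains.extend(batch)
        total = (body.get("result_info") or {}).get("total_count", len(domains))
        if not batch or page * per_page >= total:
            return domains
        page += 1


def audit_domain(d: dict) -> list:
    """Findings for one domain record; an empty list means nothing to report."""
    findings = []
    if d.get("status") != "active":
        findings.append(f"status is {d.get('status')!r}, not active")
    auth = d.get("authorization") or {}
    if not auth.get("authorized"):
        findings.append(f"not authorized: {auth.get('status_message')}")
    if d.get("spf_status") != "good":
        findings.append(f"spf_status is {d.get('spf_status')!r}")
    if d.get("dmarc_status") != "good":
        findings.append(f"dmarc_status is {d.get('dmarc_status')!r}")
    for key in ("require_tls_inbound", "require_tls_outbound"):
        if not d.get(key):
            findings.append(f"{key} is off")
    # Assumption: ip_restrictions scopes which sources may use DIRECT delivery,
    # so an empty list on a DIRECT domain is worth confirming.
    if "DIRECT" in (d.get("allowed_delivery_modes") or []) and not d.get("ip_restrictions"):
        findings.append("DIRECT delivery with no ip_restrictions")
    if "MALICIOUS" not in (d.get("drop_dispositions") or []):
        findings.append("MALICIOUS disposition is not in drop_dispositions")
    return findings


def audit(domains: list) -> dict:
    """Map domain name to its findings, keeping only domains that have some."""
    return {d.get("domain"): f for d in domains if (f := audit_domain(d))}


def _dom(domain: str, **overrides) -> dict:
    """Constructed sample record shaped like the GET response on this page."""
    rec = {"id": "id-" + domain, "domain": domain, "status": "active",
           "authorization": {"authorized": True, "timestamp": "2024-01-01T00:00:00Z"},
           "spf_status": "good", "dmarc_status": "good",
           "require_tls_inbound": True, "require_tls_outbound": True,
           "allowed_delivery_modes": ["DIRECT"], "ip_restrictions": ["192.0.2.0/24"],
           "drop_dispositions": ["MALICIOUS", "MALICIOUS-BEC"]}
    rec.update(overrides)
    return rec


# Constructed two-page listing (per_page=2, total_count=3) for offline use.
SAMPLE_PAGES = {
    1: {"success": True,
        "result": [_dom("good.example"),
                   _dom("weak.example", spf_status="open", dmarc_status="none",
                        require_tls_inbound=False, ip_restrictions=[])],
        "result_info": {"count": 2, "page": 1, "per_page": 2, "total_count": 3}},
    2: {"success": True,
        "result": [_dom("pending.example", status="pending",
                        allowed_delivery_modes=["BCC"], ip_restrictions=[],
                        authorization={"authorized": False,
                                       "timestamp": "2024-01-01T00:00:00Z",
                                       "status_message": "awaiting MX change"})],
        "result_info": {"count": 1, "page": 2, "per_page": 2, "total_count": 3}},
}


def sample_fetch_page(page: int, per_page: int) -> dict:
    """Offline stand-in for cloudflare_page_fetcher(...)."""
    return SAMPLE_PAGES[page]
```

Run `audit(fetch_all_domains(sample_fetch_page, per_page=2))` to see the constructed `weak.example` and `pending.example` records reported and `good.example` omitted. Against a real account, pass `cloudflare_page_fetcher(account_id, token)` instead and keep `per_page` at or below the 1000 maximum the endpoint documents.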

## Get an email domain

**get** `/accounts/{account_id}/email-security/settings/domains/{domain_id}`

Retrieves detailed information for a specific protected email domain including its delivery configuration, SPF/DMARC status, and authorization state.

### Path Parameters

- `account_id: string`

  Identifier.

- `domain_id: string`

  Domain identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, allowed_delivery_modes, authorization, 19 more }`

  - `id: optional string`

    Domain identifier

  - `allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `authorization: optional object { authorized, timestamp, status_message }`

    - `authorized: boolean`

    - `timestamp: string`

    - `status_message: optional string`

  - `created_at: optional string`

  - `dmarc_status: optional "none" or "good" or "invalid"`

    - `"none"`

    - `"good"`

    - `"invalid"`

  - `domain: optional string`

  - `drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }`

    - `timestamp: string`

    - `total_emails_processed: number`

    - `total_emails_processed_previous: number`

  - `folder: optional "AllItems" or "Inbox"`

    - `"AllItems"`

    - `"Inbox"`

  - `inbox_provider: optional "Microsoft" or "Google"`

    - `"Microsoft"`

    - `"Google"`

  - `integration_id: optional string`

  - `ip_restrictions: optional array of string`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `lookback_hops: optional number`

  - `modified_at: optional string`

  - `o365_tenant_id: optional string`

  - `regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more`

    - `"GLOBAL"`

    - `"AU"`

    - `"DE"`

    - `"IN"`

    - `"US"`

  - `require_tls_inbound: optional boolean`

  - `require_tls_outbound: optional boolean`

  - `spf_status: optional "none" or "good" or "neutral" or 2 more`

    - `"none"`

    - `"good"`

    - `"neutral"`

    - `"open"`

    - `"invalid"`

  - `status: optional "pending" or "active" or "failed" or "timeout"`

    - `"pending"`

    - `"active"`

    - `"failed"`

    - `"timeout"`

  - `transport: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/domains/$DOMAIN_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allowed_delivery_modes": [
      "DIRECT"
    ],
    "authorization": {
      "authorized": true,
      "timestamp": "2019-12-27T18:11:19.117Z",
      "status_message": "status_message"
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "dmarc_status": "none",
    "domain": "example.com",
    "drop_dispositions": [
      "MALICIOUS"
    ],
    "emails_processed": {
      "timestamp": "2019-12-27T18:11:19.117Z",
      "total_emails_processed": 0,
      "total_emails_processed_previous": 0
    },
    "folder": "AllItems",
    "inbox_provider": "Microsoft",
    "integration_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "ip_restrictions": [
      "192.0.2.0/24",
      "2001:db8::/32"
    ],
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "lookback_hops": 0,
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "o365_tenant_id": "o365_tenant_id",
    "regions": [
      "GLOBAL"
    ],
    "require_tls_inbound": true,
    "require_tls_outbound": true,
    "spf_status": "none",
    "status": "pending",
    "transport": "transport"
  }
}
```

## Update an email domain

**patch** `/accounts/{account_id}/email-security/settings/domains/{domain_id}`

Updates configuration for a protected email domain. Only provided fields will be modified. Changes affect delivery mode, security settings, and regional processing.

### Path Parameters

- `account_id: string`

  Identifier.

- `domain_id: string`

  Domain identifier

### Body Parameters

- `allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more`

  - `"DIRECT"`

  - `"BCC"`

  - `"JOURNAL"`

  - `"API"`

  - `"RETRO_SCAN"`

- `domain: optional string`

- `drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

  - `"MALICIOUS"`

  - `"MALICIOUS-BEC"`

  - `"SUSPICIOUS"`

  - `"SPOOF"`

  - `"SPAM"`

  - `"BULK"`

  - `"ENCRYPTED"`

  - `"EXTERNAL"`

  - `"UNKNOWN"`

  - `"NONE"`

- `folder: optional "AllItems" or "Inbox"`

  - `"AllItems"`

  - `"Inbox"`

- `integration_id: optional string`

- `ip_restrictions: optional array of string`

- `lookback_hops: optional number`

- `regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more`

  - `"GLOBAL"`

  - `"AU"`

  - `"DE"`

  - `"IN"`

  - `"US"`

- `require_tls_inbound: optional boolean`

- `require_tls_outbound: optional boolean`

- `transport: optional string`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, allowed_delivery_modes, authorization, 19 more }`

  - `id: optional string`

    Domain identifier

  - `allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `authorization: optional object { authorized, timestamp, status_message }`

    - `authorized: boolean`

    - `timestamp: string`

    - `status_message: optional string`

  - `created_at: optional string`

  - `dmarc_status: optional "none" or "good" or "invalid"`

    - `"none"`

    - `"good"`

    - `"invalid"`

  - `domain: optional string`

  - `drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }`

    - `timestamp: string`

    - `total_emails_processed: number`

    - `total_emails_processed_previous: number`

  - `folder: optional "AllItems" or "Inbox"`

    - `"AllItems"`

    - `"Inbox"`

  - `inbox_provider: optional "Microsoft" or "Google"`

    - `"Microsoft"`

    - `"Google"`

  - `integration_id: optional string`

  - `ip_restrictions: optional array of string`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `lookback_hops: optional number`

  - `modified_at: optional string`

  - `o365_tenant_id: optional string`

  - `regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more`

    - `"GLOBAL"`

    - `"AU"`

    - `"DE"`

    - `"IN"`

    - `"US"`

  - `require_tls_inbound: optional boolean`

  - `require_tls_outbound: optional boolean`

  - `spf_status: optional "none" or "good" or "neutral" or 2 more`

    - `"none"`

    - `"good"`

    - `"neutral"`

    - `"open"`

    - `"invalid"`

  - `status: optional "pending" or "active" or "failed" or "timeout"`

    - `"pending"`

    - `"active"`

    - `"failed"`

    - `"timeout"`

  - `transport: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/domains/$DOMAIN_ID \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "ip_restrictions": [
            "192.0.2.0/24",
            "2001:db8::/32"
          ]
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allowed_delivery_modes": [
      "DIRECT"
    ],
    "authorization": {
      "authorized": true,
      "timestamp": "2019-12-27T18:11:19.117Z",
      "status_message": "status_message"
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "dmarc_status": "none",
    "domain": "example.com",
    "drop_dispositions": [
      "MALICIOUS"
    ],
    "emails_processed": {
      "timestamp": "2019-12-27T18:11:19.117Z",
      "total_emails_processed": 0,
      "total_emails_processed_previous": 0
    },
    "folder": "AllItems",
    "inbox_provider": "Microsoft",
    "integration_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "ip_restrictions": [
      "192.0.2.0/24",
      "2001:db8::/32"
    ],
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "lookback_hops": 0,
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "o365_tenant_id": "o365_tenant_id",
    "regions": [
      "GLOBAL"
    ],
    "require_tls_inbound": true,
    "require_tls_outbound": true,
    "spf_status": "none",
    "status": "pending",
    "transport": "transport"
  }
}
```
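Because `PATCH` modifies only the fields you send, the safest way to change a domain is to diff the desired settings against the current `GET` record and send just the keys that differ. The script below is an added example, not Cloudflare's code: it validates the enum fields this page lists as body parameters, parses `ip_restrictions` strictly (a host address with a mismatched prefix is an error rather than a silently widened network, and a `/0` is refused), and emits a minimal body. Treating `ip_restrictions` entries as IP networks in CIDR notation is an assumption taken from the example values on this page; the `CURRENT` record reuses those values and `DESIRED` is constructed.

```python
"""Minimal, validated PATCH for a protected domain (added example, not
Cloudflare's code). Enum values come from this page; reading
ip_restrictions as CIDR networks is an assumption from the page's example."""
import ipaddress
import json
import urllib.request

DROP_DISPOSITIONS = {"MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", "SPOOF", "SPAM",
                     "BULK", "ENCRYPTED", "EXTERNAL", "UNKNOWN", "NONE"}
REGIONS = {"GLOBAL", "AU", "DE", "IN", "US"}
DELIVERY_MODES = {"DIRECT", "BCC", "JOURNAL", "API", "RETRO_SCAN"}
ENUM_FIELDS = {"drop_dispositions": DROP_DISPOSITIONS, "regions": REGIONS,
               "allowed_delivery_modes": DELIVERY_MODES}


def normalize_cidrs(entries):
    """Parse strictly (host bits under the mask are an error, not silently
    widened), reject /0 catch-alls, dedupe and sort for a stable diff."""
    nets = set()
    for raw in entries:
        net = ipaddress.ip_network(raw, strict=True)  # ValueError on junk or host bits
        if net.prefixlen == 0:
            raise ValueError(f"{raw}: a /0 network allows every address")
        nets.add(net.with_prefixlen)
    return sorted(nets)


def validate_desired(desired: dict) -> dict:
    """Reject enum values the page does not list; normalize ip_restrictions."""
    for key, allowed in ENUM_FIELDS.items():
        unknown = set(desired.get(key) or []) - allowed
        if unknown:
            raise ValueError(f"{key}: unknown values {sorted(unknown)}")
    if "ip_restrictions" in desired:
        desired = {**desired, "ip_restrictions": normalize_cidrs(desired["ip_restrictions"])}
    return desired


def plan_patch(current: dict, desired: dict) -> dict:
    """Return only the keys whose value differs from the current record
    (lists compared order-insensitively). Empty dict means nothing to send."""
    patch = {}
    for key, value in validate_desired(desired).items():
        cur = current.get(key)
        if isinstance(value, list) and isinstance(cur, list):
            if sorted(cur) != sorted(value):
                patch[key] = value
        elif cur != value:
            patch[key] = value
    return patch


def send_patch(account_id: str, domain_id: str, token: str, patch: dict):
    """PATCH the planned change to the live API (not exercised offline)."""
    if not patch:
        return None
    url = (f"https://api.cloudflare.com/client/v4/accounts/{account_id}"
           f"/email-security/settings/domains/{domain_id}")
    req = urllib.request.Request(url, data=json.dumps(patch).encode(), method="PATCH",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def raises_value_error(fn, *args) -> bool:
    """Small probe so a caller can check that bad input is refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Current record, using the field values from this page's GET example.
CURRENT = {"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "domain": "example.com",
           "allowed_delivery_modes": ["DIRECT"], "drop_dispositions": ["MALICIOUS"],
           "ip_restrictions": ["192.0.2.0/24", "2001:db8::/32"], "regions": ["GLOBAL"],
           "require_tls_inbound": True, "require_tls_outbound": True}

# Constructed target: add one relay host, drop two more dispositions, keep TLS on.
DESIRED = {"require_tls_inbound": True, "require_tls_outbound": True,
           "drop_dispositions": ["MALICIOUS", "MALICIOUS-BEC", "SPOOF"],
           "ip_restrictions": ["192.0.2.0/24", "2001:db8::/32", "198.51.100.7"]}
```

`plan_patch(CURRENT, DESIRED)` yields a body containing only `drop_dispositions` and `ip_restrictions`; the unchanged TLS flags are left out, and the bare `198.51.100.7` is sent as `198.51.100.7/32`. Fetch the record again after the call and compare it to `DESIRED` rather than trusting the request alone.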

## Unprotect an email domain

**delete** `/accounts/{account_id}/email-security/settings/domains/{domain_id}`

Removes email security protection from a domain. After deletion, emails for this domain will no longer be processed by Email Security. This action cannot be undone.

### Path Parameters

- `account_id: string`

  Identifier.

- `domain_id: string`

  Domain identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id }`

  - `id: string`

    Domain identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/domains/$DOMAIN_ID \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Domain List Response

- `DomainListResponse object { id, allowed_delivery_modes, authorization, 19 more }`

  - `id: optional string`

    Domain identifier

  - `allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `authorization: optional object { authorized, timestamp, status_message }`

    - `authorized: boolean`

    - `timestamp: string`

    - `status_message: optional string`

  - `created_at: optional string`

  - `dmarc_status: optional "none" or "good" or "invalid"`

    - `"none"`

    - `"good"`

    - `"invalid"`

  - `domain: optional string`

  - `drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }`

    - `timestamp: string`

    - `total_emails_processed: number`

    - `total_emails_processed_previous: number`

  - `folder: optional "AllItems" or "Inbox"`

    - `"AllItems"`

    - `"Inbox"`

  - `inbox_provider: optional "Microsoft" or "Google"`

    - `"Microsoft"`

    - `"Google"`

  - `integration_id: optional string`

  - `ip_restrictions: optional array of string`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `lookback_hops: optional number`

  - `modified_at: optional string`

  - `o365_tenant_id: optional string`

  - `regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more`

    - `"GLOBAL"`

    - `"AU"`

    - `"DE"`

    - `"IN"`

    - `"US"`

  - `require_tls_inbound: optional boolean`

  - `require_tls_outbound: optional boolean`

  - `spf_status: optional "none" or "good" or "neutral" or 2 more`

    - `"none"`

    - `"good"`

    - `"neutral"`

    - `"open"`

    - `"invalid"`

  - `status: optional "pending" or "active" or "failed" or "timeout"`

    - `"pending"`

    - `"active"`

    - `"failed"`

    - `"timeout"`

  - `transport: optional string`

### Domain Get Response

- `DomainGetResponse object { id, allowed_delivery_modes, authorization, 19 more }`

  - `id: optional string`

    Domain identifier

  - `allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `authorization: optional object { authorized, timestamp, status_message }`

    - `authorized: boolean`

    - `timestamp: string`

    - `status_message: optional string`

  - `created_at: optional string`

  - `dmarc_status: optional "none" or "good" or "invalid"`

    - `"none"`

    - `"good"`

    - `"invalid"`

  - `domain: optional string`

  - `drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }`

    - `timestamp: string`

    - `total_emails_processed: number`

    - `total_emails_processed_previous: number`

  - `folder: optional "AllItems" or "Inbox"`

    - `"AllItems"`

    - `"Inbox"`

  - `inbox_provider: optional "Microsoft" or "Google"`

    - `"Microsoft"`

    - `"Google"`

  - `integration_id: optional string`

  - `ip_restrictions: optional array of string`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `lookback_hops: optional number`

  - `modified_at: optional string`

  - `o365_tenant_id: optional string`

  - `regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more`

    - `"GLOBAL"`

    - `"AU"`

    - `"DE"`

    - `"IN"`

    - `"US"`

  - `require_tls_inbound: optional boolean`

  - `require_tls_outbound: optional boolean`

  - `spf_status: optional "none" or "good" or "neutral" or 2 more`

    - `"none"`

    - `"good"`

    - `"neutral"`

    - `"open"`

    - `"invalid"`

  - `status: optional "pending" or "active" or "failed" or "timeout"`

    - `"pending"`

    - `"active"`

    - `"failed"`

    - `"timeout"`

  - `transport: optional string`

### Domain Edit Response

- `DomainEditResponse object { id, allowed_delivery_modes, authorization, 19 more }`

  - `id: optional string`

    Domain identifier

  - `allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more`

    - `"DIRECT"`

    - `"BCC"`

    - `"JOURNAL"`

    - `"API"`

    - `"RETRO_SCAN"`

  - `authorization: optional object { authorized, timestamp, status_message }`

    - `authorized: boolean`

    - `timestamp: string`

    - `status_message: optional string`

  - `created_at: optional string`

  - `dmarc_status: optional "none" or "good" or "invalid"`

    - `"none"`

    - `"good"`

    - `"invalid"`

  - `domain: optional string`

  - `drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more`

    - `"MALICIOUS"`

    - `"MALICIOUS-BEC"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"ENCRYPTED"`

    - `"EXTERNAL"`

    - `"UNKNOWN"`

    - `"NONE"`

  - `emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }`

    - `timestamp: string`

    - `total_emails_processed: number`

    - `total_emails_processed_previous: number`

  - `folder: optional "AllItems" or "Inbox"`

    - `"AllItems"`

    - `"Inbox"`

  - `inbox_provider: optional "Microsoft" or "Google"`

    - `"Microsoft"`

    - `"Google"`

  - `integration_id: optional string`

  - `ip_restrictions: optional array of string`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `lookback_hops: optional number`

  - `modified_at: optional string`

  - `o365_tenant_id: optional string`

  - `regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more`

    - `"GLOBAL"`

    - `"AU"`

    - `"DE"`

    - `"IN"`

    - `"US"`

  - `require_tls_inbound: optional boolean`

  - `require_tls_outbound: optional boolean`

  - `spf_status: optional "none" or "good" or "neutral" or 2 more`

    - `"none"`

    - `"good"`

    - `"neutral"`

    - `"open"`

    - `"invalid"`

  - `status: optional "pending" or "active" or "failed" or "timeout"`

    - `"pending"`

    - `"active"`

    - `"failed"`

    - `"timeout"`

  - `transport: optional string`

### Domain Delete Response

- `DomainDeleteResponse object { id }`

  - `id: string`

    Domain identifier

# Impersonation Registry

## List entries in impersonation registry

**get** `/accounts/{account_id}/email-security/settings/impersonation_registry`

Returns a paginated list of protected identities in the impersonation registry. Each entry names an identity and the email address (or address pattern) that legitimately belongs to it, so that mail impersonating that identity can be flagged. Entries can be added manually or synced automatically from directory integrations; the `provenance` field records which.

### Path Parameters

- `account_id: string`

  Identifier.

### Query Parameters

- `direction: optional "asc" or "desc"`

  The sorting direction.

  - `"asc"`

  - `"desc"`

- `order: optional "name" or "email" or "created_at"`

  Field to sort by.

  - `"name"`

  - `"email"`

  - `"created_at"`

- `page: optional number`

  Current page within paginated list of results.

- `per_page: optional number`

  The number of results per page. Maximum value is 1000.

- `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

  - `"A1S_INTERNAL"`

  - `"SNOOPY-CASB_OFFICE_365"`

  - `"SNOOPY-OFFICE_365"`

  - `"SNOOPY-GOOGLE_DIRECTORY"`

- `search: optional string`

  Search term for filtering records. Behavior may change.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional array of object { id, comments, created_at, 9 more }`

  - `id: optional string`

    Impersonation registry entry identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `directory_id: optional number`

  - `directory_node_id: optional number`

  - `email: optional string`

  - `external_directory_node_id: optional string`

  - `is_email_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `name: optional string`

  - `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

    - `"A1S_INTERNAL"`

    - `"SNOOPY-CASB_OFFICE_365"`

    - `"SNOOPY-OFFICE_365"`

    - `"SNOOPY-GOOGLE_DIRECTORY"`

- `result_info: optional object { count, page, per_page, total_count }`

  - `count: optional number`

    Total number of results for the requested service.

  - `page: optional number`

    Current page within paginated list of results.

  - `per_page: optional number`

    Number of results per page of results.

  - `total_count: optional number`

    Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/impersonation_registry \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "comments": "comments",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "directory_id": 0,
      "directory_node_id": 0,
      "email": "john.doe@example.com",
      "external_directory_node_id": "external_directory_node_id",
      "is_email_regex": false,
      "last_modified": "2014-01-01T05:20:00.12345Z",
      "modified_at": "2014-01-01T05:20:00.12345Z",
      "name": "John Doe",
      "provenance": "A1S_INTERNAL"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```
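To make the registry fields concrete, the script below is an added example, not Cloudflare's code, and not how Email Security itself evaluates the registry (this page does not describe that). It pairs each entry's `name` with either its literal `email` or, when `is_email_regex` is true (the create endpoint below takes that flag as a required body parameter), a regular expression, and reports a message whose display name resolves to a protected identity while its From address is not one the entry allows. The registry entries and the message list are constructed.

```python
"""Illustrative impersonation check against registry entries (added
example; not Cloudflare's code and not Email Security's own logic)."""
import re
import unicodedata


def normalize_name(name: str) -> str:
    """Fold case and Unicode compatibility forms, keep only word characters,
    and sort tokens so 'DOE, John' and 'john doe' compare equal. Homoglyphs
    from other scripts are out of scope for this example."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(sorted(re.findall(r"[^\W_]+", folded)))


def compile_registry(entries):
    """Pre-compute each entry's name key and address matcher. A regex that
    does not compile fails here, at load time, rather than silently
    protecting nobody at message time."""
    compiled = []
    for entry in entries:
        if entry.get("is_email_regex"):
            pattern = re.compile(entry["email"], re.IGNORECASE)
            # fullmatch: a pattern for example.com must not accept example.com.evil
            matcher = lambda addr, p=pattern: p.fullmatch(addr) is not None
        else:
            literal = entry["email"].casefold()
            matcher = lambda addr, lit=literal: addr.casefold() == lit
        compiled.append((normalize_name(entry["name"]), matcher, entry))
    return compiled


def check_message(display_name: str, from_addr: str, compiled):
    """Return the registry entry the message impersonates, or None."""
    key = normalize_name(display_name)
    for name_key, matcher, entry in compiled:
        if key == name_key and not matcher(from_addr):
            return entry
    return None


def flag_all(messages, entries):
    """(display_name, from_addr, entry_id) for every flagged message."""
    compiled = compile_registry(entries)
    return [(n, a, hit["id"]) for n, a in messages if (hit := check_message(n, a, compiled))]


# Constructed registry entries in the shape of this page's list response.
REGISTRY = [
    {"id": "r-1", "name": "John Doe", "email": "john.doe@example.com",
     "is_email_regex": False, "provenance": "A1S_INTERNAL"},
    {"id": "r-2", "name": "Accounts Payable", "email": r"ap(-[a-z]+)?@example\.com",
     "is_email_regex": True, "provenance": "A1S_INTERNAL"},
]

# Constructed (display name, From address) pairs.
MESSAGES = [
    ("John Doe", "john.doe@example.com"),                 # legitimate
    ("DOE, John", "jdoe.ceo@webmail.example"),            # name matches, address does not
    ("Accounts Payable", "ap-eu@example.com"),            # allowed by the regex
    ("accounts payable", "ap@example.com.evil.example"),  # fullmatch rejects the suffix
    ("Jane Roe", "jane@anywhere.example"),                # not a protected identity
]
```

`flag_all(MESSAGES, REGISTRY)` reports the second and fourth messages. Two points carry over to real registry entries: anchor regex patterns to the whole address (the example uses `re.fullmatch` for that reason), and compile every regex entry at load time so a malformed pattern is caught before it silently matches nothing.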

## Get an impersonation registry entry

**get** `/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}`

Retrieves details for a specific impersonation registry entry including the protected identity, email pattern, and synchronization source if directory-synced.

### Path Parameters

- `account_id: string`

  Identifier.

- `impersonation_registry_id: string`

  Impersonation registry entry identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 9 more }`

  An impersonation registry entry

  - `id: optional string`

    Impersonation registry entry identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `directory_id: optional number`

  - `directory_node_id: optional number`

  - `email: optional string`

  - `external_directory_node_id: optional string`

  - `is_email_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `name: optional string`

  - `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

    - `"A1S_INTERNAL"`

    - `"SNOOPY-CASB_OFFICE_365"`

    - `"SNOOPY-OFFICE_365"`

    - `"SNOOPY-GOOGLE_DIRECTORY"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/impersonation_registry/$IMPERSONATION_REGISTRY_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "comments",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "directory_id": 0,
    "directory_node_id": 0,
    "email": "john.doe@example.com",
    "external_directory_node_id": "external_directory_node_id",
    "is_email_regex": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "name": "John Doe",
    "provenance": "A1S_INTERNAL"
  }
}
```

## Create impersonation registry entry

**post** `/accounts/{account_id}/email-security/settings/impersonation_registry`

Creates a new entry in the impersonation registry to protect against impersonation. Emails attempting to impersonate this identity will be flagged. Supports regex patterns for flexible email matching.

### Path Parameters

- `account_id: string`

  Identifier.

### Body Parameters

- `email: string`

- `is_email_regex: boolean`

- `name: string`

- `comments: optional string`

- `directory_id: optional number`

- `directory_node_id: optional number`

- `external_directory_node_id: optional string`

- `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

  - `"A1S_INTERNAL"`

  - `"SNOOPY-CASB_OFFICE_365"`

  - `"SNOOPY-OFFICE_365"`

  - `"SNOOPY-GOOGLE_DIRECTORY"`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 9 more }`

  An impersonation registry entry

  - `id: optional string`

    Impersonation registry entry identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `directory_id: optional number`

  - `directory_node_id: optional number`

  - `email: optional string`

  - `external_directory_node_id: optional string`

  - `is_email_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `name: optional string`

  - `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

    - `"A1S_INTERNAL"`

    - `"SNOOPY-CASB_OFFICE_365"`

    - `"SNOOPY-OFFICE_365"`

    - `"SNOOPY-GOOGLE_DIRECTORY"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/impersonation_registry \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "email": "john.doe@example.com",
          "is_email_regex": false,
          "name": "John Doe"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "comments",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "directory_id": 0,
    "directory_node_id": 0,
    "email": "john.doe@example.com",
    "external_directory_node_id": "external_directory_node_id",
    "is_email_regex": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "name": "John Doe",
    "provenance": "A1S_INTERNAL"
  }
}
```
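The create and update endpoints above accept a literal address or, with `is_email_regex`, a regular expression, and the update endpoint refuses directory-synced entries. The following Python is an added example (not Cloudflare's code or SDK) that lints an entry before it is POSTed, builds the same request the curl call makes, parses the standard `errors`/`messages`/`success`/`result` envelope, and decides whether an entry can be PATCHed. The anchoring check and the reading of `provenance` (only `A1S_INTERNAL` marks a manually created, editable entry) are assumptions; the sample responses are constructed, shaped like the reference's examples, and no network call is made.

```python
import json
import re
from typing import Any, Dict, List, Optional

API_BASE = "https://api.cloudflare.com/client/v4"
PROVENANCE_MANUAL = "A1S_INTERNAL"  # assumption: the provenance of manually created entries


def lint_entry(email: str, name: str, is_email_regex: bool) -> List[str]:
    """Client-side checks before POST; returns a list of problems (empty means OK)."""
    problems: List[str] = []
    if not name.strip():
        problems.append("name is empty")
    if is_email_regex:
        try:
            re.compile(email)
        except re.error as exc:
            problems.append(f"email regex does not compile: {exc}")
        else:
            # Heuristic (assumption): an unanchored regex tends to cover far more
            # identities than intended, so legitimate mail gets flagged as impersonation.
            if not (email.startswith("^") and email.endswith("$")):
                problems.append("email regex is not anchored with ^ and $")
    elif email.count("@") != 1:
        problems.append("literal email must contain exactly one '@'")
    return problems


def build_create_body(email: str, name: str, is_email_regex: bool = False,
                      comments: Optional[str] = None) -> Dict[str, Any]:
    """Assemble the body for POST .../impersonation_registry (required: email, is_email_regex, name)."""
    problems = lint_entry(email, name, is_email_regex)
    if problems:
        raise ValueError("; ".join(problems))
    body: Dict[str, Any] = {"email": email, "is_email_regex": is_email_regex, "name": name}
    if comments:
        body["comments"] = comments
    return body


def create_request(account_id: str, token: str, body: Dict[str, Any]):
    """Method, URL, headers and JSON payload equivalent to the reference's curl call."""
    url = f"{API_BASE}/accounts/{account_id}/email-security/settings/impersonation_registry"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    return "POST", url, headers, json.dumps(body)


def parse_envelope(raw: str) -> Dict[str, Any]:
    """Decode the standard envelope; raise with the error codes when success is false."""
    env = json.loads(raw)
    if not env.get("success", False):
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in env.get("errors", []))
        raise RuntimeError(f"API call failed: {detail or 'no error detail'}")
    return env.get("result") or {}


def envelope_error(raw: str) -> Optional[str]:
    """Same check as parse_envelope, returning the message instead of raising."""
    try:
        parse_envelope(raw)
    except RuntimeError as exc:
        return str(exc)
    return None


def is_editable(entry: Dict[str, Any]) -> bool:
    """The reference says directory-synced entries cannot be updated; assumption:
    only provenance A1S_INTERNAL marks a manually created entry that PATCH accepts."""
    return entry.get("provenance") == PROVENANCE_MANUAL


# Constructed sample responses shaped like the reference's examples (not real API output).
SAMPLE_OK = json.dumps({
    "errors": [], "messages": [], "success": True,
    "result": {"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "email": "john.doe@example.com",
               "is_email_regex": False, "name": "John Doe", "provenance": "A1S_INTERNAL"},
})
SAMPLE_FAIL = json.dumps({
    "errors": [{"code": 1000, "message": "constructed failure"}], "messages": [],
    "success": False, "result": None,
})

if __name__ == "__main__":
    body = build_create_body("john.doe@example.com", "John Doe")
    print(create_request("ACCOUNT_ID", "TOKEN", body))
    print(parse_envelope(SAMPLE_OK), is_editable(parse_envelope(SAMPLE_OK)))
    print(lint_entry(r"john\.doe@.*", "John Doe", True))
```

Checking `success` rather than the HTTP status alone matters because the envelope carries the error detail, and linting a regex entry before creation avoids registering a pattern that silently never matches or matches everyone.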

## Update an impersonation registry entry

**patch** `/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}`

Updates an existing impersonation registry entry. Only provided fields will be modified. Directory-synced entries can't be updated.

### Path Parameters

- `account_id: string`

  Identifier.

- `impersonation_registry_id: string`

  Impersonation registry entry identifier

### Body Parameters

- `comments: optional string`

- `directory_id: optional number`

- `directory_node_id: optional number`

- `email: optional string`

- `external_directory_node_id: optional string`

- `is_email_regex: optional boolean`

- `name: optional string`

- `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

  - `"A1S_INTERNAL"`

  - `"SNOOPY-CASB_OFFICE_365"`

  - `"SNOOPY-OFFICE_365"`

  - `"SNOOPY-GOOGLE_DIRECTORY"`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 9 more }`

  An impersonation registry entry

  - `id: optional string`

    Impersonation registry entry identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `directory_id: optional number`

  - `directory_node_id: optional number`

  - `email: optional string`

  - `external_directory_node_id: optional string`

  - `is_email_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `name: optional string`

  - `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

    - `"A1S_INTERNAL"`

    - `"SNOOPY-CASB_OFFICE_365"`

    - `"SNOOPY-OFFICE_365"`

    - `"SNOOPY-GOOGLE_DIRECTORY"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/impersonation_registry/$IMPERSONATION_REGISTRY_ID \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "email": "john.doe@example.com",
          "name": "John Doe"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "comments",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "directory_id": 0,
    "directory_node_id": 0,
    "email": "john.doe@example.com",
    "external_directory_node_id": "external_directory_node_id",
    "is_email_regex": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "name": "John Doe",
    "provenance": "A1S_INTERNAL"
  }
}
```

## Delete an impersonation registry entry

**delete** `/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}`

Removes an entry from the impersonation registry. After deletion, this identity will no longer be protected from impersonation.

### Path Parameters

- `account_id: string`

  Identifier.

- `impersonation_registry_id: string`

  Impersonation registry entry identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id }`

  - `id: string`

    Impersonation registry entry identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/impersonation_registry/$IMPERSONATION_REGISTRY_ID \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Impersonation Registry List Response

- `ImpersonationRegistryListResponse object { id, comments, created_at, 9 more }`

  An impersonation registry entry

  - `id: optional string`

    Impersonation registry entry identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `directory_id: optional number`

  - `directory_node_id: optional number`

  - `email: optional string`

  - `external_directory_node_id: optional string`

  - `is_email_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `name: optional string`

  - `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

    - `"A1S_INTERNAL"`

    - `"SNOOPY-CASB_OFFICE_365"`

    - `"SNOOPY-OFFICE_365"`

    - `"SNOOPY-GOOGLE_DIRECTORY"`

### Impersonation Registry Get Response

- `ImpersonationRegistryGetResponse object { id, comments, created_at, 9 more }`

  An impersonation registry entry

  - `id: optional string`

    Impersonation registry entry identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `directory_id: optional number`

  - `directory_node_id: optional number`

  - `email: optional string`

  - `external_directory_node_id: optional string`

  - `is_email_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `name: optional string`

  - `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

    - `"A1S_INTERNAL"`

    - `"SNOOPY-CASB_OFFICE_365"`

    - `"SNOOPY-OFFICE_365"`

    - `"SNOOPY-GOOGLE_DIRECTORY"`

### Impersonation Registry Create Response

- `ImpersonationRegistryCreateResponse object { id, comments, created_at, 9 more }`

  An impersonation registry entry

  - `id: optional string`

    Impersonation registry entry identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `directory_id: optional number`

  - `directory_node_id: optional number`

  - `email: optional string`

  - `external_directory_node_id: optional string`

  - `is_email_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `name: optional string`

  - `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

    - `"A1S_INTERNAL"`

    - `"SNOOPY-CASB_OFFICE_365"`

    - `"SNOOPY-OFFICE_365"`

    - `"SNOOPY-GOOGLE_DIRECTORY"`

### Impersonation Registry Edit Response

- `ImpersonationRegistryEditResponse object { id, comments, created_at, 9 more }`

  An impersonation registry entry

  - `id: optional string`

    Impersonation registry entry identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `directory_id: optional number`

  - `directory_node_id: optional number`

  - `email: optional string`

  - `external_directory_node_id: optional string`

  - `is_email_regex: optional boolean`

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `name: optional string`

  - `provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"`

    - `"A1S_INTERNAL"`

    - `"SNOOPY-CASB_OFFICE_365"`

    - `"SNOOPY-OFFICE_365"`

    - `"SNOOPY-GOOGLE_DIRECTORY"`

### Impersonation Registry Delete Response

- `ImpersonationRegistryDeleteResponse object { id }`

  - `id: string`

    Impersonation registry entry identifier

# Trusted Domains

## List trusted email domains

**get** `/accounts/{account_id}/email-security/settings/trusted_domains`

Returns a paginated list of trusted domain patterns. Trusted domains prevent false positives for recently registered domains and lookalike domain detections. Patterns can use regular expressions for flexible matching.

### Path Parameters

- `account_id: string`

  Identifier.

### Query Parameters

- `direction: optional "asc" or "desc"`

  The sorting direction.

  - `"asc"`

  - `"desc"`

- `is_recent: optional boolean`

  Filter to show only recently registered domains that are trusted to prevent triggering Suspicious or Malicious dispositions.

- `is_similarity: optional boolean`

  Filter to show only proximity domains (partner or approved domains with similar spelling to connected domains) that prevent Spoof dispositions.

- `order: optional "pattern" or "created_at"`

  Field to sort by.

  - `"pattern"`

  - `"created_at"`

- `page: optional number`

  Current page within paginated list of results.

- `pattern: optional string`

- `per_page: optional number`

  The number of results per page. Maximum value is 1000.

- `search: optional string`

  Search term for filtering records. Behavior may change.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional array of object { id, comments, created_at, 6 more }`

  - `id: optional string`

    Trusted domain identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_recent: optional boolean`

    Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

  - `is_regex: optional boolean`

  - `is_similarity: optional boolean`

    Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

- `result_info: optional object { count, page, per_page, total_count }`

  - `count: optional number`

    Total number of results for the requested service.

  - `page: optional number`

    Current page within paginated list of results.

  - `per_page: optional number`

    Number of results per page of results.

  - `total_count: optional number`

    Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/trusted_domains \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "comments": "Trusted partner domain",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "is_recent": true,
      "is_regex": false,
      "is_similarity": false,
      "last_modified": "2014-01-01T05:20:00.12345Z",
      "modified_at": "2014-01-01T05:20:00.12345Z",
      "pattern": "example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```
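A trusted domain suppresses the recent-registration (`is_recent`) or lookalike (`is_similarity`) disposition for every sender the pattern covers, so an over-broad or unanchored regex entry is an allow-list hole rather than a convenience. The following Python is an added example (not Cloudflare's code) that walks the paginated list endpoint above and audits each returned entry for breadth; the same checks apply to bodies sent to the create and update endpoints. The page fetcher is injected so the walk runs offline against constructed sample pages; the stop rule (a page shorter than `per_page` ends the listing), the lookalike probe domains, and the expectation that a regex be anchored are assumptions of this example, not documented behaviour of the service.

```python
import re
from typing import Callable, Dict, Iterator, List

PER_PAGE = 2  # deliberately small so the constructed sample spans two pages


def iter_trusted_domains(fetch_page: Callable[[int, int], dict],
                         per_page: int = PER_PAGE) -> Iterator[dict]:
    """Yield every entry from GET .../trusted_domains, page by page.
    fetch_page(page, per_page) must return the decoded envelope for that page."""
    page = 1
    while True:
        env = fetch_page(page, per_page)
        if not env.get("success"):
            raise RuntimeError(f"listing failed on page {page}: {env.get('errors')}")
        items = env.get("result") or []
        yield from items
        # Assumption: the reference defines no 'last page' flag, so a short page is
        # taken as the end of the list (a total divisible by per_page costs one empty fetch).
        if len(items) < per_page:
            break
        page += 1


# Constructed domains that a correctly scoped entry must NOT cover.
LOOKALIKE_PROBES = ["example.com.attacker-owned.test", "exampleXcom.test", "notexample.com"]


def audit_trusted_domain(entry: dict) -> List[str]:
    """Return findings for one entry; an empty list means nothing looks over-broad."""
    findings: List[str] = []
    pattern = entry.get("pattern") or ""
    if not pattern:
        return ["empty pattern"]
    if not (entry.get("is_recent") or entry.get("is_similarity")):
        findings.append("neither is_recent nor is_similarity is set; the entry suppresses no disposition")
    if entry.get("is_regex"):
        try:
            rx = re.compile(pattern)
        except re.error as exc:
            return findings + [f"regex does not compile: {exc}"]
        if not (pattern.startswith("^") and pattern.endswith("$")):
            findings.append("regex is not anchored with ^ and $")
        # An unescaped '.' or a missing anchor lets lookalike registrations ride the exemption.
        hits = [d for d in LOOKALIKE_PROBES if rx.search(d)]
        if hits:
            findings.append(f"regex also matches lookalike probe(s): {', '.join(hits)}")
    elif "." not in pattern:
        findings.append("literal pattern has no dot; not a registrable domain")
    return findings


def audit_all(fetch_page: Callable[[int, int], dict],
              per_page: int = PER_PAGE) -> Dict[str, List[str]]:
    """Map every trusted-domain id to its audit findings."""
    return {e["id"]: audit_trusted_domain(e) for e in iter_trusted_domains(fetch_page, per_page)}


# Constructed sample entries shaped like the reference's list response (ids are placeholders).
SAMPLE_ENTRIES = [
    {"id": "td-0001", "pattern": "partner.example", "is_regex": False,
     "is_recent": True, "is_similarity": False},
    {"id": "td-0002", "pattern": "example.com", "is_regex": True,
     "is_recent": True, "is_similarity": True},
    {"id": "td-0003", "pattern": r"^(mail|news)\.partner\.example$", "is_regex": True,
     "is_recent": False, "is_similarity": True},
]


def make_fake_fetch(entries: List[dict], calls: List[int]) -> Callable[[int, int], dict]:
    """Serve `entries` in pages of the requested size, recording each page number requested."""
    def fetch_page(page: int, per_page: int) -> dict:
        calls.append(page)
        start = (page - 1) * per_page
        chunk = entries[start:start + per_page]
        return {"errors": [], "messages": [], "success": True, "result": chunk,
                "result_info": {"count": len(chunk), "page": page,
                                "per_page": per_page, "total_count": len(entries)}}
    return fetch_page


if __name__ == "__main__":
    requested: List[int] = []
    for entry_id, findings in audit_all(make_fake_fetch(SAMPLE_ENTRIES, requested)).items():
        print(entry_id, findings or "ok")
    print("pages requested:", requested)
```

Entry `td-0002` shows the common mistake: `example.com` stored as a regex has an unescaped dot and no anchors, so it also covers the lookalike probes; `td-0003` is the same idea written safely.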

## Get a trusted email domain

**get** `/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}`

Retrieves details for a specific trusted domain pattern including its pattern value, whether it uses regex matching, and which detection types it affects.

### Path Parameters

- `account_id: string`

  Identifier.

- `trusted_domain_id: string`

  Trusted domain identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 6 more }`

  A trusted email domain

  - `id: optional string`

    Trusted domain identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_recent: optional boolean`

    Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

  - `is_regex: optional boolean`

  - `is_similarity: optional boolean`

    Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/trusted_domains/$TRUSTED_DOMAIN_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "Trusted partner domain",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "is_recent": true,
    "is_regex": false,
    "is_similarity": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "example.com"
  }
}
```

## Create trusted email domain

**post** `/accounts/{account_id}/email-security/settings/trusted_domains`

Creates a new trusted domain pattern. Use for partner domains or approved senders that should bypass recent domain registration and similarity checks. Configure whether it prevents recent domain or spoof dispositions.

### Path Parameters

- `account_id: string`

  Identifier.

### Body Parameters

- `is_recent: boolean`

  Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

- `is_regex: boolean`

- `is_similarity: boolean`

  Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

- `pattern: string`

- `comments: optional string`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 6 more }`

  A trusted email domain

  - `id: optional string`

    Trusted domain identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_recent: optional boolean`

    Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

  - `is_regex: optional boolean`

  - `is_similarity: optional boolean`

    Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/trusted_domains \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "is_recent": true,
          "is_regex": false,
          "is_similarity": false,
          "pattern": "example.com",
          "comments": "Trusted partner domain"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "Trusted partner domain",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "is_recent": true,
    "is_regex": false,
    "is_similarity": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "example.com"
  }
}
```

## Update a trusted email domain

**patch** `/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}`

Updates an existing trusted domain pattern. Only provided fields will be modified. Changes take effect for new emails matching the pattern.

### Path Parameters

- `account_id: string`

  Identifier.

- `trusted_domain_id: string`

  Trusted domain identifier

### Body Parameters

- `comments: optional string`

- `is_recent: optional boolean`

  Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

- `is_regex: optional boolean`

- `is_similarity: optional boolean`

  Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

- `pattern: optional string`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id, comments, created_at, 6 more }`

  A trusted email domain

  - `id: optional string`

    Trusted domain identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_recent: optional boolean`

    Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

  - `is_regex: optional boolean`

  - `is_similarity: optional boolean`

    Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/trusted_domains/$TRUSTED_DOMAIN_ID \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "comments": "Trusted partner domain",
          "is_recent": true,
          "pattern": "example.com"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "comments": "Trusted partner domain",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "is_recent": true,
    "is_regex": false,
    "is_similarity": false,
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "example.com"
  }
}
```

## Delete a trusted email domain

**delete** `/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}`

Removes a trusted domain pattern. After deletion, emails from this domain will be subject to normal recent domain and similarity checks.

### Path Parameters

- `account_id: string`

  Identifier.

- `trusted_domain_id: string`

  Trusted domain identifier

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional object { id }`

  - `id: string`

    Trusted domain identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/settings/trusted_domains/$TRUSTED_DOMAIN_ID \
    -X DELETE \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Trusted Domain List Response

- `TrustedDomainListResponse object { id, comments, created_at, 6 more }`

  A trusted email domain

  - `id: optional string`

    Trusted domain identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_recent: optional boolean`

    Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

  - `is_regex: optional boolean`

  - `is_similarity: optional boolean`

    Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

### Trusted Domain Get Response

- `TrustedDomainGetResponse object { id, comments, created_at, 6 more }`

  A trusted email domain

  - `id: optional string`

    Trusted domain identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_recent: optional boolean`

    Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

  - `is_regex: optional boolean`

  - `is_similarity: optional boolean`

    Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

### Trusted Domain Create Response

- `TrustedDomainCreateResponse object { id, comments, created_at, 6 more }`

  A trusted email domain

  - `id: optional string`

    Trusted domain identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_recent: optional boolean`

    Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

  - `is_regex: optional boolean`

  - `is_similarity: optional boolean`

    Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

### Trusted Domain Edit Response

- `TrustedDomainEditResponse object { id, comments, created_at, 6 more }`

  A trusted email domain

  - `id: optional string`

    Trusted domain identifier

  - `comments: optional string`

  - `created_at: optional string`

  - `is_recent: optional boolean`

    Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

  - `is_regex: optional boolean`

  - `is_similarity: optional boolean`

    Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

  - `last_modified: optional string`

    Deprecated, use `modified_at` instead. End of life: November 1, 2026.

  - `modified_at: optional string`

  - `pattern: optional string`

### Trusted Domain Delete Response

- `TrustedDomainDeleteResponse object { id }`

  - `id: string`

    Trusted domain identifier

# Submissions

## Get reclassify submissions

**get** `/accounts/{account_id}/email-security/submissions`

Returns information for submissions made to reclassify emails. Shows the status, outcome, and disposition changes for reclassification requests made by users or the security team. Useful for tracking false positive/negative reports.

### Path Parameters

- `account_id: string`

  Identifier.

### Query Parameters

- `end: optional string`

  The end of the search date range. Defaults to `now`.

- `escalated_from_user: optional boolean`

  When true, return only submissions that were escalated by an end user (vs. by the security team). When false, return only submissions that were not escalated by an end user. When omitted, no filter is applied.

- `original_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

  - `"MALICIOUS"`

  - `"SUSPICIOUS"`

  - `"SPOOF"`

  - `"SPAM"`

  - `"BULK"`

  - `"NONE"`

- `outcome_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

  - `"MALICIOUS"`

  - `"SUSPICIOUS"`

  - `"SPOOF"`

  - `"SPAM"`

  - `"BULK"`

  - `"NONE"`

- `page: optional number`

  Current page within paginated list of results.

- `per_page: optional number`

  The number of results per page. Maximum value is 1000.

- `query: optional string`

- `requested_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

  - `"MALICIOUS"`

  - `"SUSPICIOUS"`

  - `"SPOOF"`

  - `"SPAM"`

  - `"BULK"`

  - `"NONE"`

- `start: optional string`

  The beginning of the search date range. Defaults to `now - 30 days`.

- `status: optional string`

- `submission_id: optional string`

- `type: optional "TEAM" or "USER"`

  - `"TEAM"`

  - `"USER"`

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional array of object { requested_at, submission_id, customer_status, 15 more }`

  - `requested_at: string`

    When the submission was requested (UTC).

  - `submission_id: string`

  - `customer_status: optional "escalated" or "reviewed" or "unreviewed"`

    - `"escalated"`

    - `"reviewed"`

    - `"unreviewed"`

  - `escalated_as: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

    - `"MALICIOUS"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"NONE"`

  - `escalated_at: optional string`

  - `escalated_by: optional string`

  - `escalated_submission_id: optional string`

  - `original_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

    - `"MALICIOUS"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"NONE"`

  - `original_edf_hash: optional string`

  - `original_postfix_id: optional string`

    The postfix ID of the original message that was submitted

  - `outcome: optional string`

  - `outcome_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

    - `"MALICIOUS"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"NONE"`

  - `requested_by: optional string`

  - `requested_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

    - `"MALICIOUS"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"NONE"`

  - `requested_ts: optional string`

    Deprecated, use `requested_at` instead.

  - `status: optional string`

  - `subject: optional string`

  - `type: optional "Team" or "User"`

    Whether the submission was created by a team member or an end user.

    - `"Team"`

    - `"User"`

- `result_info: optional object { count, page, per_page, total_count }`

  - `count: optional number`

    Total number of results for the requested service.

  - `page: optional number`

    Current page within paginated list of results.

  - `per_page: optional number`

    Number of results per page of results.

  - `total_count: optional number`

    Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/submissions \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "requested_at": "2019-12-27T18:11:19.117Z",
      "submission_id": "submission_id",
      "customer_status": "escalated",
      "escalated_as": "MALICIOUS",
      "escalated_at": "2019-12-27T18:11:19.117Z",
      "escalated_by": "escalated_by",
      "escalated_submission_id": "escalated_submission_id",
      "original_disposition": "MALICIOUS",
      "original_edf_hash": "original_edf_hash",
      "original_postfix_id": "original_postfix_id",
      "outcome": "outcome",
      "outcome_disposition": "MALICIOUS",
      "requested_by": "requested_by",
      "requested_disposition": "MALICIOUS",
      "requested_ts": "requested_ts",
      "status": "status",
      "subject": "subject",
      "type": "Team"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```
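The endpoint above is built for tracking false positive and false negative reports, but the page only shows the raw response shape. The following is an added example (not Cloudflare's own code) that builds the documented query, walks the paginated results, and classifies each submission by comparing `original_disposition` with `outcome_disposition`. It assumes the parameter and field names listed above; `ACCOUNT_ID` and `CLOUDFLARE_API_TOKEN` are read from the environment, and `SAMPLE_RESULT` is constructed here for offline use rather than taken from a real account.

```python
"""Paginate /email-security/submissions and tally reclassification outcomes.

Added example, not Cloudflare's code. SAMPLE_RESULT is constructed data in
the documented response shape; fetch_all() needs network access and a token.
"""
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Dispositions under which Email security flagged the message.
FLAGGED = {"MALICIOUS", "SUSPICIOUS", "SPOOF", "SPAM"}
# Dispositions under which the message reached the inbox as clean or low-risk.
CLEAN = {"NONE", "BULK"}

# Only the query parameters documented for this endpoint are accepted.
QUERY_PARAMS = {"start", "end", "escalated_from_user", "original_disposition",
                "outcome_disposition", "requested_disposition", "query",
                "status", "submission_id", "type"}


def build_url(account_id, page=1, per_page=100, **filters):
    """Build the GET URL; booleans are sent lowercase, unknown filters rejected."""
    params = {"page": page, "per_page": min(per_page, 1000)}  # documented maximum
    for key, value in filters.items():
        if key not in QUERY_PARAMS:
            raise ValueError(f"unsupported query parameter: {key}")
        if value is not None:
            params[key] = str(value).lower() if isinstance(value, bool) else value
    return (f"{API_BASE}/accounts/{account_id}/email-security/submissions?"
            + urllib.parse.urlencode(params))


def classify(sub):
    """Label one submission by comparing original and outcome dispositions."""
    original = sub.get("original_disposition")
    outcome = sub.get("outcome_disposition")
    if outcome is None:
        return "pending"            # reviewer has not reached a verdict yet
    if original in FLAGGED and outcome in CLEAN:
        return "false_positive"     # flagged, but reviewed as clean
    if original in CLEAN and outcome in FLAGGED:
        return "false_negative"     # delivered, but reviewed as a threat
    if original == outcome:
        return "confirmed"          # reviewer agreed with the original verdict
    return "reclassified"           # e.g. SPAM -> MALICIOUS: still flagged, severity changed


def tally(records):
    """Count submissions per classification and per submitter type (Team/User)."""
    by_class = {k: 0 for k in ("false_positive", "false_negative",
                               "confirmed", "reclassified", "pending")}
    by_type = {}
    for sub in records:
        by_class[classify(sub)] += 1
        kind = sub.get("type", "Team")
        by_type[kind] = by_type.get(kind, 0) + 1
    return by_class, by_type


def fetch_all(account_id, token, per_page=100, **filters):
    """Walk every page (network call; needs a token that can read Email security)."""
    page, records = 1, []
    while True:
        req = urllib.request.Request(
            build_url(account_id, page, per_page, **filters),
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        if not body.get("success"):
            raise RuntimeError(body.get("errors"))
        batch = body.get("result") or []
        records.extend(batch)
        if len(batch) < per_page:   # a short page means this was the last one
            return records
        page += 1


# Constructed sample in the documented response shape (not real data).
SAMPLE_RESULT = [
    {"submission_id": "s1", "type": "User", "original_disposition": "MALICIOUS",
     "outcome_disposition": "NONE"},
    {"submission_id": "s2", "type": "User", "original_disposition": "NONE",
     "outcome_disposition": "MALICIOUS"},
    {"submission_id": "s3", "type": "Team", "original_disposition": "SPAM",
     "outcome_disposition": "SPAM"},
    {"submission_id": "s4", "type": "Team", "original_disposition": "SUSPICIOUS"},
    {"submission_id": "s5", "type": "Team", "original_disposition": "SPAM",
     "outcome_disposition": "MALICIOUS"},
]

if __name__ == "__main__":
    import os
    token, account = os.environ.get("CLOUDFLARE_API_TOKEN"), os.environ.get("ACCOUNT_ID")
    records = fetch_all(account, token) if token and account else SAMPLE_RESULT
    print(tally(records))
```

The stop condition uses the length of each page rather than `result_info.total_count`, because that field is documented as the total without any search parameters and so overstates the size of a filtered result set. A `SPAM` to `MALICIOUS` change is counted separately from false positives and negatives: the original verdict was still "flagged", only the severity was wrong.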

## Domain Types

### Submission List Response

- `SubmissionListResponse object { requested_at, submission_id, customer_status, 15 more }`

  - `requested_at: string`

    When the submission was requested (UTC).

  - `submission_id: string`

  - `customer_status: optional "escalated" or "reviewed" or "unreviewed"`

    - `"escalated"`

    - `"reviewed"`

    - `"unreviewed"`

  - `escalated_as: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

    - `"MALICIOUS"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"NONE"`

  - `escalated_at: optional string`

  - `escalated_by: optional string`

  - `escalated_submission_id: optional string`

  - `original_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

    - `"MALICIOUS"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"NONE"`

  - `original_edf_hash: optional string`

  - `original_postfix_id: optional string`

    The postfix ID of the original message that was submitted

  - `outcome: optional string`

  - `outcome_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

    - `"MALICIOUS"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"NONE"`

  - `requested_by: optional string`

  - `requested_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more`

    - `"MALICIOUS"`

    - `"SUSPICIOUS"`

    - `"SPOOF"`

    - `"SPAM"`

    - `"BULK"`

    - `"NONE"`

  - `requested_ts: optional string`

    Deprecated, use `requested_at` instead.

  - `status: optional string`

  - `subject: optional string`

  - `type: optional "Team" or "User"`

    Whether the submission was created by a team member or an end user.

    - `"Team"`

    - `"User"`

---

---
title: Search email
description: Search email in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Search email

With Email security, you can use different screen criteria to search through your email, reclassify and move a certain volume of messages, find similar emails, and export messages.

## Screen criteria

Email security allows you to use popular, regular, and advanced screening criteria to search through your inbox. Advanced screening will give you the most in-depth investigation of your inbox.

To screen through your email traffic:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Investigation**, then **Run new screen**.
4. Choose between **Popular**, **Regular**, and **Advanced** screen methods. Refer to the explanation below to learn what each method does.

The results will be displayed on a table. The table allows you to review and take action on the messages that match your chosen screening criteria.

### Popular screen

A popular screen allows you to view messages based on common pre-defined criteria.

To use popular screen criteria:

1. Under **Method**, select **Popular screens**.
2. Select one of the following criteria:  
   * **Moved emails**: View emails automatically or manually moved within the last seven days.  
   * **Reclassified emails**: Emails that had their disposition reclassified within the last seven days.  
   * **Malicious emails**: Emails assigned the malicious disposition within the last seven days.  
   * **Spoof emails**: Emails assigned the spoof disposition within the last seven days.  
   * **Suspicious emails**: Emails assigned the suspicious disposition within the last seven days.  
   * **Spam emails**: Emails assigned the spam disposition within the last seven days.
3. Select **Run screen**.

To modify your screening criteria, under **Active screen criteria**, select **Modify**.

### Regular screen

A regular screen allows you to investigate your inbox by inserting a term to screen across all criteria.

To use regular screen criteria:

1. Under **Method**, select **Regular screen**.
2. Select a **Date range**.
3. Enter a keyword.
4. Select **Run screen**.

To include all emails as part of the search, enable **Include all mail**.

To modify your screening criteria, under **Active screen criteria**, select **Modify**.

To reset your screening criteria, select **Reset**.

### Advanced screen

Advanced screen criteria give you the option to narrow message results based on specific criteria. The advanced screen has several fields (such as keywords, subject keywords, sender domain, and more) to scan your inbox.

To use advanced screen criteria:

1. Under **Method**, select **Advanced screen**.
2. (Required) Select a date range.
3. (Optional) Fill in the other fields. All fields, except for Subject, must be filled with one value only.
4. Select **Run screen**.

To include all emails as part of the search, enable **Include all mail**.

To modify your screening criteria, under **Active screen criteria**, select **Modify**.

To reset your screening criteria, select **Reset**.

## Move messages

Moving messages allows you to move messages to a specific folder. You can move up to 1,000 messages at a time.

To move messages:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**, and select **Investigation**.
2. On the Investigation page, select all the messages you want to move.
3. Select the **Action** dropdown, then select **Move**.
4. Select one of the following folders:  
   * **Inbox**: Move messages to the primary email folder.  
   * **Junk email**: Move messages to the junk or spam folder.  
   * **Trash**: Move messages to the trash or deleted items email folder.  
   * **Soft delete (user recoverable)**: Move messages to the user's Deleted Items folder. This option is for Microsoft 365 only.  
   * **Hard delete (admin recoverable)**: Delete messages from a user's inbox.
5. Select **Save**.

To move messages in bulk, select **Select all messages** \> **Action** \> **Move**.

## Find similar emails

Each detection has an Email Detection Fingerprint (EDF) hash that Email security sends to the Search API to retrieve similar detections.

To find similar detection results:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**, and select **Investigation**.
2. On the Investigation page, under **Your matching messages**, search for the **Similar emails** column.
3. Select the number of similar emails. Selecting the number will show you a list of similar emails.

## Export messages

With Email security, you can export messages to a CSV file.

To export messages:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**, and select **Investigation**.
2. On the Investigation page, under **Your matching messages**, select **Export to CSV**.
3. Select **Export messages** on the pop-up message. You can export up to 500 messages from the dashboard. To export up to 1,000 matching messages, use the [API](https://developers.cloudflare.com/api/resources/email%5Fsecurity/subresources/investigate/methods/get/).

To export messages in bulk, select **Select all messages** \> **Export to CSV**.

## Email status

Email security allows you to review the status and actions of each email.

To view status and actions for each email:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**, and select **Investigation**.
2. On the Investigation page, select the three dots.
3. Selecting the three dots will show you the following options:  
   * If the email is quarantined:  
      * **View details**: Refer to [Email details](#email-details) to learn more.  
      * **View similar emails**: Find similar emails based on the `value_edf_hash` (Electronic Detection Fingerprint hash).  
      * **Release**: Email security will no longer quarantine your chosen messages.  
      * **Submit for review**: Choose the dispositions of your messages if they are incorrect. Refer to [Reclassify messages](#reclassify-messages) to learn more.  
   * If the email is not quarantined:  
      * **View details**.  
      * **View similar emails**.  
      * **View submission detail**.  
      * **[Move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/)** (only available if you authorized moves).  
      * **[Submit for review](#reclassify-messages)**.

## Email details

Email security shows you the following email detail information:

* Details
* Action log
* Raw message
* Mail trace

### Details

Email security displays the following details:

1. **Threat type**: Threat type of the email, for example, [credential harvester](https://developers.cloudflare.com/cloudflare-one/email-security/reference/how-es-detects-phish/), and [IP-based spam](https://developers.cloudflare.com/cloudflare-one/email-security/reference/how-es-detects-phish/).
2. **Validation**: Email validation methods [SPF ↗](https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/), [DKIM ↗](https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/), [DMARC ↗](https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/). The dashboard will display Pass if SPF, DKIM and DMARC checks have passed.
3. **Sender details**: Information includes:  
   * IP address  
   * Registered domain  
   * Autonomous sys number: The number identifying the sender's [autonomous system (AS) ↗](https://www.cloudflare.com/en-gb/learning/network-layer/what-is-an-autonomous-system/).  
   * Autonomous sys name: The name identifying the sender's autonomous system (AS).  
   * Country
4. **Links identified**: A list of malicious links identified by Email security. Refer to [Open links](#open-links) to open links in Security Center, Browser Isolation or an external tool of your choice.
5. **Attachments**: If an email has an attachment, the Cloudflare dashboard will display the filename, and the disposition assigned. You can open attachments in [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/). Only PDF files are currently supported.
6. **Reasons for disposition**: Description of why the email was deemed as malicious, suspicious, or spam. The dashboard also displays [Cloudy summaries](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#cloudy-summaries).

#### Cloudy summaries

The Cloudflare dashboard uses [Cloudy](https://developers.cloudflare.com/fundamentals/reference/cloudy-ai-agent/) to explain why an email was classified as unwanted.

Cloudy analyzes the underlying detection code and generates a description of the specific detection logic that led to an email's final disposition. Each summary provides a rating option that allows you to provide feedback to the Email security team. Cloudy summaries are only available for emails with a final [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values).

**View all signatures** allows you to view all the detections that triggered on the email, including detections that did not determine the final disposition.

#### Open links

You can open links in Security Center or [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), or copy and paste the link so you can investigate content in external tools.

When you select a link in a suspicious email, you risk exposing your device and your company's network to malware, ransomware, and credential harvesting.

Browser Isolation removes the risk of your device being compromised by opening all web content from unverified or suspicious sources in a safe, disposable remote browser session hosted by Cloudflare.

To open links in Security Center:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Email security** \> **Investigation**.
2. Locate the message you want to open links for, select the three dots, then select **View details**.
3. Under **Details**, go to **Links identified**.
4. Locate the link you want to open, and select **Open in Security Center**.
5. You will be redirected to Investigate in the Cloudflare dashboard.
6. Select **Scan now**.
7. The dashboard will generate a report for your link.

To open links in Browser Isolation:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Email security** \> **Investigation**.
2. Locate the message you want to open links for, select the three dots, then select **View details**.
3. Under **Details**, go to **Links identified**.
4. Locate the link you want to open, and select **Open in Browser Isolation**.
5. The link will open in a separate window where you will be able to browse the content securely.

Alternatively, you can directly [open links in Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#open-links-in-browser-isolation).

When you open a link from an email, Cloudflare will present you with a blue bar. This indicates that the page is isolated and that you are protected from any potential malicious content on that page.

**Note**

If you purchased Gateway and [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), you can perform more actions when opening links.

To open and investigate a link in an external tool:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Email security** \> **Investigation**.
2. Locate the message you want to open links for, select the three dots, then select **View details**.
3. Under **Details**, go to **Links identified**.
4. Locate the link you want to open, and select **Copy URL**.
5. Paste the link in your external tool.

**Warning**

You may encounter a `400 Bad Request` error after turning Clientless Web Isolation on.

If you encounter this error:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Settings** \> **Resources**.
2. Select **Generate certificate**.
3. Choose the **Expiration** (5 years is recommended), then select **Generate certificate**. Your certificate is now generated, and the dashboard will display its Deployment Status as INACTIVE.
4. Select the three dots, and then select **Activate** to activate your certificate.
5. Select the three dots, and then select **Mark as in-use**.
6. Your certificate deployment status should display AVAILABLE IN-USE.

### Action log

Action log allows you to review post-delivery actions performed on your selected message. The action log displays:

* **Date**: Date when the post-delivery action was performed.
* **Activity**: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more.

### Raw message

Raw message allows you to view the raw details of the message. You can also choose to download the email message. To download the message, select **Download .EML**.

### Mail trace

Mail trace allows you to track the path your selected message took from the sender to the recipient. Mail trace displays:

* **Date**: The date and time when the mail was tracked.
* **Type**: An email can be inbound (email sent to you from another email), or outbound (emails sent from your email address).
* **Activity**: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more.


---

---
title: Monitoring
description: Monitoring in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Monitoring

Once you have chosen a domain to scan, Email security allows you to monitor the traffic scanned from your email inboxes.

**Note**

With Email security, you can enable logs to send detection data to an endpoint of your choice. Refer to [Enable Email security logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) for more information.

To monitor your inbox:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Under **Email security**, select **Monitoring**.

The dashboard will display the following metrics:

* Email activity
* [Disposition evaluation](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/)
* Detection details
* [Impersonations](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/)
* [Phish submissions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/)
* [Auto-move events](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/)
* [Detection settings metrics](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/)

## Email activity

Email activity aggregates statistics about emails scanned and dispositions assigned (the number of emails flagged due to a detection) within a given timeframe.

To view the live number of emails scanned and dispositions assigned, enable **Live mode**.

## Disposition evaluation

Email traffic that flows through Email security is given a final disposition, which represents Email security's evaluation of that specific message.

Disposition evaluation displays the following dispositions:

* **Malicious**: Traffic associated with active threat campaigns. Malicious messages invoked multiple phishing verdict triggers and met thresholds for bad behavior.  
   * **Recommendation**: Block.
* **Spam**: Traffic associated with non-malicious, commercial campaigns.  
   * **Recommendation**: Route to existing Spam quarantine folder.
* **Bulk**: Traffic often associated with newsletters or marketing campaigns. Refer to [Graymail ↗](https://en.wikipedia.org/wiki/Graymail%5F%28email%29) for more details.  
   * **Recommendation**: Monitor or tag.
* **Suspicious**: Traffic associated with phishing campaigns (and is under further analysis by our automated systems).  
   * **Recommendation**: Research these messages internally to evaluate legitimacy.
* **Spoof**: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies ([SPF ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), [DMARC ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)) or has mismatching `Envelope From` and `Header From` values.  
   * **Recommendation**: Block after investigating (can be triggered by third-party mail services).

## Detection details

Detection details displays information about:

* **Malicious** disposition:  
   * **Email threat types**: Top malicious threat types, and their number relative to the total amount of malicious threats received.  
   * **Targeted users**: Top number of emails targeted, and their number relative to the total amount of malicious targets.  
   * **Malicious links**: A graph displaying the total number of malicious links and their distribution throughout the month.  
   * **Malicious attachments**: Number of malicious attachments, and the top types of malicious files received.
* **Suspicious** disposition:  
   * **Suspicious threat types**: Top suspicious threat types, and their number relative to the total amount of threats received.  
   * **Suspicious targets**: Top number of emails targeted, and their number relative to the total amount of malicious targets.  
   * **Suspicious links**: A graph displaying the total number of suspicious links and their distribution throughout the month.
* **Spoof** disposition:  
   * **Spoof users (impersonated names)**: Top number of impersonated names, and their number relative to the total number of detection received.  
   * **Spoof targets**: Top number of targeted emails.  
   * **Sender v. envelope mismatch**: The number of messages whose `Header From` address (the sender shown to the recipient) does not match the `Envelope From` address the message was _actually_ sent from.
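The Spoof disposition above rests on two signals that are also visible in a message you download with **Download .EML** from the Investigation page: the SPF/DKIM/DMARC results shown under **Validation**, and the `Header From` versus `Envelope From` mismatch counted here. The following added example (not Cloudflare's code) extracts both from a raw message so an analyst can reproduce the check locally. It reads `Return-Path` as the envelope sender and the first `Authentication-Results` header as the verdict of your own receiving MX; `SAMPLE_EML` is a constructed message, not a real capture.

```python
"""Reproduce the Validation and Sender v. envelope mismatch checks on a .EML.

Added example, not Cloudflare's code. SAMPLE_EML is constructed; header
names follow RFC 5322 (From, Return-Path) and RFC 8601 (Authentication-Results).
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message: display name and Header From claim the protected
# domain, but the envelope sender and DKIM signer are a third-party mailer
# and DMARC failed at the receiving MX.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=pass header.d=mailer.example.net; dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer
Date: Mon, 1 Jan 2024 09:00:00 +0000
Message-ID: <constructed@mailer.example.net>

Please process the attached invoice today.
"""


def _domain(header_value):
    """Return the lowercase domain part of the first address in a header."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def from_domains(msg):
    """(Header From domain, Envelope From domain) for a parsed message."""
    return _domain(msg.get("From")), _domain(msg.get("Return-Path"))


def auth_results(msg):
    """Parse spf=/dkim=/dmarc= results from the first Authentication-Results
    header, which is the one your own MX prepended; later copies may come
    from untrusted hops and are ignored."""
    hdr = str(msg.get("Authentication-Results") or "")
    found = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, flags=re.I):
        found.setdefault(method.lower(), result.lower())
    return found


def assess(raw):
    """Return the two Spoof signals for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_from, envelope_from = from_domains(msg)
    results = auth_results(msg)
    validation = "Pass" if all(results.get(m) == "pass"
                               for m in ("spf", "dkim", "dmarc")) else "Fail"
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "sender_envelope_mismatch": header_from != envelope_from,
        "auth": results,
        "validation": validation,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_EML))
```

A mismatch on its own is not proof of spoofing: legitimate third-party mail services commonly send with their own envelope domain, which is why the page recommends investigating before blocking. The combination that matters is a mismatch together with a DMARC failure for the `Header From` domain, as in the constructed sample.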

## Impersonations

Impersonations are a form of phishing attack where the actor pretends to be someone else to steal sensitive information.

**Impersonations** displays the number of targeted users, and a chart describing the total number of impersonation attempts.

* To view all targeted users, select **View all targeted users**.
* To view all impersonation emails, select **View all impersonation emails**.
* To view impersonated users, select **View impersonated users**.

Refer to [Trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/) to add a trusted domain, and [Impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) to add a user to the impersonation registry.

## Phish submissions

Phishing is a type of attack that involves stealing sensitive information with the aim of using and selling the information.

A phish submission happens when a user or an administrator reports a phishing attack. Refer to [Phish submissions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/) to learn how to submit a phish.

Phish submissions displays the following information:

* **All submissions**: The total number of phish submissions.
* **User submissions**: The number of phish submissions reported by your users.
* **Admin submissions**: The number of phish submissions reported by an administrator.

Select **Review submissions** to review a filtered list of phish submissions reported by your team.

## Auto-move events

Auto-move events are emails moved to different inboxes based on the disposition Email security assigned.

This panel shows you the total number of auto-moves and the source folders these retractions originate from.

Refer to [Auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to configure auto-move events.

## Detection settings metrics

Detection settings metrics display information about:

* **Allowed traffic**: Emails that match patterns Email security exempts from normal detection scanning. Allowed traffic shows metrics on emails that were allowed through to user inboxes.
* **Blocked traffic**: Traffic that Email security automatically blocks from senders. Blocked traffic shows metrics on emails that were blocked from user inboxes.
* **Domain age**: The number of days since domain registration.

Select **Configure** to configure policy and rules for [allowed traffic](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [blocked traffic](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/) and [domain age](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/additional-detections/).


---

---
title: Download a report
description: Download a report in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Download a report

Email security allows you to download three types of reports:

* Disposition report
* Retro scan report
* Security report

## Download a disposition report

A disposition report shows you all the email messages based on the type of disposition you selected.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Select **Monitoring** \> **Download report**.
3. In **Report type**, select **Email disposition report**.
4. Under **Email disposition report**, select the **Date Range** (required), and the **Disposition**.
5. Select **Export to CSV**.

Refer to [Dispositions and attributes](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/) to learn more.

## Download a retro scan report

Retro scan scans the last 14 days of your emails, and gives you a report on bulk, spam, spoof, suspicious and malicious emails.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Select **Monitoring** \> **Download report**.
3. In **Report type**, select **Retro Scan report**.
4. Select **View report** to view a report of your last 14 days of emails.

Refer to [Retro Scan](https://developers.cloudflare.com/cloudflare-one/email-security/retro-scan/) to learn more.

## Download a security report

A security report provides an overview of your email traffic. The report can be generated for the last 30, 60, or 90 days, or for a timeframe of your choice.

The report contains:

* An executive summary: A summary of the threats detected in your organization's email traffic in the last 30 days.
* Threat detection: Review metrics regarding dispositions, policy detection, and impersonation attempts.
* Submissions: Review the metrics of emails your security team or users have requested to reclassify.

To download a security report:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Select **Monitoring** \> **Download report**.
3. In **Report type**, select **Security report** and the **Date range**.
4. Select **Generate report**.
5. Your security report is being generated. You will receive an email with the security report attached once it is ready.


---

---
title: Outbound Data Loss Prevention (DLP)
description: Outbound Data Loss Prevention (DLP) in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Outbound Data Loss Prevention (DLP)

Compatibility

Outbound DLP is only compatible with Microsoft 365. You need a Microsoft E3 or E5 license to enable Outbound DLP.

Outbound Data Loss Prevention ensures the protection of sensitive information in outbound emails with [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/). Outbound Data Loss Prevention integrates with your inbox, and it proactively monitors your email to prevent unauthorized data leaks.

To enable Outbound DLP:

1. [Create an outbound policy](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/#1-create-an-outbound-policy).
2. [Set up DLP Assist add-in](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/#2-dlp-assist-add-in).

## 1. Create an outbound policy

An outbound policy allows you to control outbound email flow.

To create an outbound DLP policy:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Email security** \> **Outbound DLP**.
2. Select **Add a policy**.
3. Name your policy.
4. Build an expression to match specific email traffic. For example, you can create a policy that blocks outbound emails containing identifying numbers:  
| Selector            | Operator | Value                                                     | Logic | Action |  
| ------------------- | -------- | --------------------------------------------------------- | ----- | ------ |  
| Recipient email     | not in   | example.com                                               | And   | Block  |  
| Matched DLP profile | in       | _Social Security, Insurance, Tax, and Identifier Numbers_ |       |        |
5. (Optional) Choose whether to use the default block message or a custom message.
6. Select **Create policy**.

After creating your policy, you can modify or reorder your policies in **Email security** \> **Outbound DLP**.

### Selectors

| Selector            | Description                                                                                                                                        |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| Recipient email     | The intended recipient of an outbound email.                                                                                                       |
| Email sender        | The user in your organization sending an email.                                                                                                    |
| Matched DLP profile | The [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) that content of an email matches upon scan. |

## 2. DLP Assist add-in

The Data Loss Prevention (DLP) Assist add-in allows Microsoft 365 users to deploy a DLP solution for free using Cloudflare's Email security. The DLP Assist add-in protects data egress from the Outlook web and desktop clients.

To set up DLP Assist add-in:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Email security** \> **Outbound DLP**.
2. Select **View Microsoft add-in instructions** \> Select **Download add-in**. This downloads a `.xml` file necessary to install the add-in on the client side.
3. Set up the add-in in Microsoft 365:  
   * Log in to the [Microsoft admin panel ↗](https://security.microsoft.com/homepage) and go to **Microsoft 365 Admin Center** \> **Settings** \> **Integrated Apps**.  
   * Choose **Upload custom apps** and select **Office Add-in** for the application type.  
   * Select **Upload manifest file (.xml) from device**.  
   * Upload the Cloudflare add-in file you downloaded from the Cloudflare dashboard. Then, verify and complete the wizard. It can take up to 24 hours for an add-in to propagate.

The add-in works by inserting headers into the [EML ↗](https://en.wikipedia.org/wiki/EML) on the client side before the message is sent out.

To block a message, encrypt it, or require approval before it is sent, configure rules within Microsoft Purview DLP:

1. Go to [Microsoft Purview ↗](https://purview.microsoft.com/datalossprevention/overview?tid=11648e1c-3d60-40e2-bf07-f8d481e48e2d).
2. Select **Policies** \> **Create policy**.
3. Do not choose any templates or custom policy. Select **Next**.
4. Choose a name and description for the policy: You can choose any name. However, this guide will use `Cloudflare Assist Block`.
5. Select **Next** on **Admin Units**:  
   * Choose to only apply to **Exchange Email**.  
   * Choose **Create or customize advanced DLP Rules**.
6. Select **Create rule**:  
   * Create a policy name.  
   * Add the following conditions:  
         * **Header contains words or phrases**: `Key: cf_outbound_dlp with Value: BLOCK`  
         * Select **AND**.  
         * **Content is shared from Microsoft 365**: Select **with people from outside my organization**.
7. Under **Actions**, choose what to do with the message. Use **Restrict access or encrypt the content in Microsoft 365 locations** to block or encrypt the message.
8. Under **User notifications**, turn on notifications and, optionally, edit the notification message. To have admins receive a notification as well, configure **Incident reports** \> **Use this severity level in admin alerts and reports**.
9. Select **Save**.
10. Select **Turn the Policy On Immediately**.

Note

The Cloudflare add-in can take up to 24 hours to propagate after install.
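The two rule conditions above (the `cf_outbound_dlp` header set to `BLOCK` by the add-in, and at least one recipient outside the organization), evaluated on a raw message the way the Purview rule would. This is an added example, not code from Cloudflare or Microsoft; the header name and value are from the page, while the exact EML header syntax the add-in writes, the organization domains and the sample messages are assumptions.

```python
"""Evaluate the documented outbound DLP rule on raw (EML) messages."""
from email import message_from_string
from email.utils import getaddresses

# Header key and value as given on the page. That the add-in writes it as a
# plain "cf_outbound_dlp: BLOCK" header line is an assumption of this example.
DLP_HEADER = "cf_outbound_dlp"
BLOCK_VALUE = "BLOCK"


def external_recipients(msg, org_domains):
    """Return recipient addresses whose domain is not one of the organization's."""
    pairs = []
    for field in ("To", "Cc", "Bcc"):
        pairs.extend(getaddresses(msg.get_all(field, [])))
    external = []
    for _display, addr in pairs:
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in org_domains:
            external.append(addr)
    return external


def evaluate_outbound_rule(raw_message, org_domains):
    """Return ("block", external) when both conditions hold, else ("allow", external).

    Condition 1: a cf_outbound_dlp header with value BLOCK (set by the add-in
                 after Cloudflare's DLP scan matched a profile).
    Condition 2: content is shared with people outside the organization.
    """
    msg = message_from_string(raw_message)
    header_says_block = any(
        v.strip().upper() == BLOCK_VALUE for v in msg.get_all(DLP_HEADER, [])
    )
    external = external_recipients(msg, org_domains)
    if header_says_block and external:
        return "block", external
    return "allow", external


# Assumed organization domain for the samples below.
ORG_DOMAINS = {"example.com"}

# Constructed sample: tagged by the add-in and addressed outside the org.
SAMPLE_BLOCK = """From: alice@example.com
To: partner@example.org
Subject: Q3 numbers
cf_outbound_dlp: BLOCK

body
"""

# Constructed sample: tagged, but every recipient is internal, so the rule
# does not fire and Purview leaves the message alone.
SAMPLE_INTERNAL = """From: alice@example.com
To: bob@example.com
Cc: carol@example.com
Subject: Q3 numbers
cf_outbound_dlp: BLOCK

body
"""

if __name__ == "__main__":
    print(evaluate_outbound_rule(SAMPLE_BLOCK, ORG_DOMAINS))
    print(evaluate_outbound_rule(SAMPLE_INTERNAL, ORG_DOMAINS))
```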

### Limitations

Outbound DLP has the following limitations:

* Outbound DLP only protects user-managed inboxes.
* Outbound DLP offers the most consistent experience on Outlook Web App and Outlook desktop, due to limitations imposed by Microsoft.

| Platform                             | Status                                                   |
| ------------------------------------ | -------------------------------------------------------- |
| Web client                           | Stable                                                   |
| New Outlook desktop client - Windows | Stable                                                   |
| Desktop client - macOS               | Can cause scanning to be delayed due to Apple limitation |
| Old Outlook desktop client           | Does not work due to Microsoft limitation                |
| Mobile client - iOS                  | Unstable due to Apple limitation                         |
| Mobile client - Android              | Unstable due to Microsoft limitation                     |


---

---
title: PhishGuard
description: PhishGuard in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# PhishGuard

PhishGuard is a team of analysts that routinely inspects your email environment and responds to threats that come through your email inbox.

While Email security uses advanced technologies to protect your email inbox, PhishGuard offers an additional human component to protect your email environment against impersonation events, suspicious items, false negatives/false positives, and any new event that automated intelligent systems may miss due to a lack of context (for example, a compromised account activity).

PhishGuard only works in a post-delivery environment (only emails that have already landed in your email inbox are reviewed). As a result, PhishGuard analysts may [submit a message for review](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/#submit-messages-for-review) or [auto-move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) it based on their findings.

Warning

Auto-moves are mandatory for PhishGuard customers.

PhishGuard coordinates with the email detections team, allowing you to directly request immediate detection for specific items and implement custom detections unique to your needs. An example of this is requesting to block all PayPal traffic if you do not use PayPal for invoicing. This capability allows you to take ownership over the rules governing your email environment through PhishGuard's human intervention.

Additionally, PhishGuard analysts:

* Use real-time threat data to identify malicious activity. Email-based threats are responded to rapidly, and immediately reported and documented.
* Review every [user](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#user-submissions) and [team](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#team-submissions) submission so your security team can focus on more critical activities.
* Help you detect and mitigate threats faster, reducing the time attackers have access to your network. This also helps reduce business impact, because it prevents data breaches, financial loss, and reputational damage.

To use PhishGuard:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **PhishGuard**.

The dashboard will display the following metrics:

* ROI Calculator
* Insider threat defense
* Email threat hunting
* Actions
* API Status
* Managed email security operations
* Reports

## ROI Calculator

Use the ROI Calculator to compare triage durations and hourly rates to calculate PhishGuard's return on investment.

The ROI Calculator displays:

* Total aggregated savings in US dollars.
* Triage duration: The amount of time in minutes spent triaging the message.
* Hourly rate.

## Insider threat defense

An [insider threat ↗](https://www.cloudflare.com/en-gb/learning/access-management/what-is-an-insider-threat/) is a risk to an organization's security stemming from someone associated with the organization. PhishGuard looks for threat actor groups.

Insider threat defense on the dashboard displays **Insider leads** and **Insider reports generated**. **Insider leads** displays the number of emails identified as potential insider threat email. **Insider reports generated** displays the number of reports created based on insider leads.

## Email threat hunting

PhishGuard reviews suspicious and highly malicious activity in your email environment.

On the Cloudflare One dashboard, email threat hunting displays previously unknown phishing attacks.

Email threat hunting also gives you information on **Threat leads generated** and **Total reports generated**.

## Actions

**Actions** allows you to review the most common actions taken by the PhishGuard team, such as escalations, threat hunts, and moves.

## API Status

API Status allows you to monitor and configure the current status of API message auto-moves and directory integrations.

Select **Message moves** to [configure auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/). Select **Directory integration** to [configure directories](https://developers.cloudflare.com/cloudflare-one/email-security/directories/).

## Managed email security operations

Managed email security operations allows you to review the results of phish submissions reviewed by the PhishGuard team.

It displays the following:

* Total [phish submissions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/)
* Tracked incidents
* Median time to resolve
* Resolved tracked incidents

## Reports

Under Reports, you can review reports of threats discovered and resolved by the PhishGuard team.

If you select the three dots, you can:

* **View report details**: Report Details gives you the following information about each report:  
   * **Overview**: An Overview of the report. This includes date and time of the report, type of attack performed, and more.  
   * **Target and victimology**: Company targeted.  
   * **Details**: Displays information such as delivery disposition, current disposition, ES Alert ID, Message-ID, Timestamp, Subject, and Attempted Fraudulent Amount.  
   * **Indicators of compromise (IOC)**: [Indicators of compromise (IOC) ↗](https://www.cloudflare.com/en-gb/learning/security/what-are-indicators-of-compromise/) are information about a specific security breach that can help security teams determine if an attack has taken place.
* Preview email.
* [Move email](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/).


---

---
title: Dispositions and attributes
description: Reference information for Dispositions and attributes in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Dispositions and attributes

Email security uses a variety of factors to determine whether a given email message, domain, URL, or packet is part of a phishing campaign. These small pattern assessments are dynamic in nature and — in many cases — no single pattern will determine the final verdict.

Detection vs. disposition

Detection is the process Email security uses to identify what threat an email may contain. An email can have multiple detections, but it receives only one, final disposition. The detections an email has determine its disposition.

## Dispositions

Any traffic that flows through Email security is given a final disposition, which represents our evaluation of that specific message. Each message will receive only one disposition header, so your organization can take clear and specific actions on different message types.

You can use disposition values when [setting up auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/).

### Available values

The following disposition values are listed in order of maliciousness:

* **Malicious**: Traffic associated with active threat campaigns. Malicious messages invoked multiple phishing verdict triggers and met thresholds for bad behavior.  
   * **Recommendation**: Block.
* **Spam**: Traffic associated with non-malicious, commercial campaigns.  
   * **Recommendation**: Route to existing Spam quarantine folder.
* **Bulk**: Traffic often associated with newsletters or marketing campaigns. Refer to [Graymail ↗](https://en.wikipedia.org/wiki/Graymail%5F%28email%29) for more details.  
   * **Recommendation**: Monitor or tag.
* **Suspicious**: Traffic associated with phishing campaigns (and is under further analysis by our automated systems).  
   * **Recommendation**: Research these messages internally to evaluate legitimacy.
* **Spoof**: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies ([SPF ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), [DMARC ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)) or has mismatching `Envelope From` and `Header From` values.  
   * **Recommendation**: Block after investigating (can be triggered by third-party mail services).

### Header structure

When Email security adds a disposition header to an email message, that header matches the following format:

```
X-CFEmailSecurity-Disposition: [Value]
```

Note that emails with a disposition of `SPAM` will be tagged with `UCE` (unsolicited commercial emails) in their headers:

```
X-CFEmailSecurity-Disposition: UCE
```

## Attributes

Traffic that flows through Email security can also receive one or more Attributes, which indicate that a specific condition has been met.

### Available values

| Attribute                                | Notes                                                                                                                                                                                                                                                      |
| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| CUSTOM\_BLOCK\_LIST                      | This message matches a value you have defined in your custom block list.                                                                                                                                                                                   |
| NEW\_DOMAIN\_SENDER=<REGISTRATION\_DATE> | Alerts to mail from a newly registered domain. Formatted as yyyy-MM-dd HH:mm:ss ZZZ.                                                                                                                                                                       |
| NEW\_DOMAIN\_LINK=<REGISTRATION\_DATE>   | Alerts to mail with links pointing to a newly registered domain. Formatted as yyyy-MM-dd HH:mm:ss ZZZ.                                                                                                                                                     |
| ENCRYPTED                                | Email message is encrypted.                                                                                                                                                                                                                                |
| EXECUTABLE                               | Email message contains an executable file.                                                                                                                                                                                                                 |
| BEC                                      | Indicates that an email address was contained in your [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) list. Associated with MALICIOUS or SPOOF dispositions. |

### Header structure

When Email security adds attribute headers to an email message, each header matches the following format (one header per attribute):

```
X-CFEmailSecurity-Attribute: [Value]
X-CFEmailSecurity-Attribute: [Value2]
```
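A reader for the disposition and attribute headers described on this page, mapping each disposition to the handling recommended above and decoding the registration-date payload of the `NEW_DOMAIN_*` attributes. This is an added example, not Cloudflare's code: the header values other than `UCE` are assumed to be the upper-cased disposition names, the time zone field is assumed to be a numeric offset, and the sample message is constructed.

```python
"""Read X-CFEmailSecurity-Disposition / X-CFEmailSecurity-Attribute headers."""
from datetime import datetime
from email import message_from_string

DISPOSITION_HEADER = "X-CFEmailSecurity-Disposition"
ATTRIBUTE_HEADER = "X-CFEmailSecurity-Attribute"

# Recommendations as stated on the page. UCE is the documented header value for
# SPAM; the other spellings are assumed to be the upper-cased disposition names.
RECOMMENDED_ACTION = {
    "MALICIOUS": "block",
    "UCE": "spam-quarantine",
    "BULK": "monitor-or-tag",
    "SUSPICIOUS": "investigate",
    "SPOOF": "investigate-then-block",
}

# Documented as yyyy-MM-dd HH:mm:ss ZZZ; ZZZ is assumed here to be a numeric
# offset such as +0000 so that strptime can parse it.
DATE_FORMAT = "%Y-%m-%d %H:%M:%S %z"


def parse_attribute(value):
    """Split 'NAME' or 'NAME=PAYLOAD'; decode the registration-date payloads."""
    name, sep, payload = value.strip().partition("=")
    name = name.upper()
    if sep and name in ("NEW_DOMAIN_SENDER", "NEW_DOMAIN_LINK"):
        return name, datetime.strptime(payload.strip(), DATE_FORMAT)
    return name, (payload or None)


def classify(raw_message):
    """Return the disposition, the recommended action and the parsed attributes."""
    msg = message_from_string(raw_message)
    dispositions = [v.strip().upper() for v in msg.get_all(DISPOSITION_HEADER, [])]
    # The page says each message receives exactly one disposition header. More
    # than one means something upstream duplicated or injected headers, so this
    # example (its own policy, not Cloudflare's) falls back to SUSPICIOUS.
    if len(dispositions) == 1:
        disposition = dispositions[0]
    elif dispositions:
        disposition = "SUSPICIOUS"
    else:
        disposition = None
    attributes = dict(parse_attribute(v) for v in msg.get_all(ATTRIBUTE_HEADER, []))
    action = RECOMMENDED_ACTION.get(disposition, "deliver")
    return {"disposition": disposition, "action": action, "attributes": attributes}


# Constructed sample: an executive impersonation from a newly registered domain.
SAMPLE = """From: "Jane Doe" <jane.doe@example.net>
To: bob@example.com
Subject: urgent wire transfer
X-CFEmailSecurity-Disposition: SPOOF
X-CFEmailSecurity-Attribute: BEC
X-CFEmailSecurity-Attribute: NEW_DOMAIN_SENDER=2024-05-01 12:00:00 +0000

Please wire the amount today.
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```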


---

---
title: How Email security detects phish
description: Reference information for How Email security detects phish in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# How Email security detects phish

Email security uses a variety of factors to determine whether a given email message, a web domain or URL, or specific network traffic is part of a phishing campaign (marked with a [Malicious disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/)) or other common campaigns (for example, `Spam`).

Note

Certain URL rewrite schemes cannot be decoded (for example, Mimecast).

These small pattern assessments are dynamic in nature and — in many cases — no single one in and of itself will determine the final verdict. Instead, our automated systems use a combination of factors and non-factors to clearly distinguish between a valid phishing campaign and benign traffic.

## Scope

Email Security inspects email protocols such as SMTP, IMAP, and POP3 to detect phishing, business email compromise (BEC), spoofing, and malware delivered via email.

For protection against DDoS attacks targeting web and network infrastructure at layers 3, 4, and 7 — including TCP, UDP, DNS, and HTTP/S traffic — refer to [DDoS Protection](https://developers.cloudflare.com/ddos-protection/).

## Sample attack types and detections

### Malicious payload attached to the message

* **Example**: Classic campaign technique which utilizes a variety of active attachment types (EXE, DOC, XLS, PPT, OLE, PDF, and more) as the malicious payload for ransomware attacks, Trojans, viruses, and malware.
* **Detections applied**: Machine learning (ML) models on binary bitmaps of the payload as well as higher-level attributes of the payload, with specific focus on signatureless detections for maximum coverage. Additionally, for relevant active payloads, the engine invokes a real-time sandbox to assess behavior and determine maliciousness.

### Encrypted malicious payload attached to the message, with password in message body as text

* **Example**: Campaigns that induce the user to apply a password within the message body to the attachment.
* **Detections applied**: Real-time lexical parsing of message body for password extraction and ML models on binary bitmaps of the payload, signatureless detections for maximum coverage.

### Encrypted malicious payload attached to the message, with password in message body as an image

* **Example**: Campaigns that induce the user to apply a password within the message body to the attachment, with the entire body or part of the body being an image.
* **Detections applied**: Real-time OCR parsing of message body for password extraction and ML models on binary bitmaps of the payload, signatureless detections for maximum coverage.

### Malicious payload within an archive attached to the message

* **Example**: Campaigns with payloads within typical archives, such as `.zip` files.
* **Detections applied**: ML detection tree on the payload, as well as decomposition of each individual archive into component parts and fragments for compound documents.

### Malicious URLs within message body

* **Example**: Typical phish campaigns with a socially engineered call to action URL that will implant malware (for example, Watering Hole attacks, Malvertizing, or scripting attacks).
* **Detections applied**: Continuous web crawling, followed by real-time link crawling for a select group of suspicious URLs, followed by machine learning applied to URL patterns in combination with other pattern rules and topic-based machine learning models for exhaustive coverage of link-based attacks.

### Malicious payload linked through a URL in a message

* **Example**: Campaigns where the URL links through to a remote malicious attachment (for example, in a `.doc` or `.pdf` file).
* **Detections applied**: Remote document and/or attachment extraction followed by ML detection tree on the payload, instant crawl of links.

### Blind URL campaigns

* **Example**: Entirely new domain with intentional obfuscation, seen for the first time in a campaign.
* **Detections applied**: Link structure analysis, link length analysis, domain age analysis, neural net models on entire URL as well as domain and IP reputation of URL host, including autonomous system name reputation and geolocation based reputation.

### Malicious URLs within a benign attachment in the message

* **Example**: Campaigns obfuscating the payload within attachments.
* **Detections applied**: URL extraction within attachments, followed by above mentioned URL detection mechanisms.

### Malicious URLs within an archive attached to the message

* **Example**: Campaigns obfuscating the payload within attachments.
* **Detections applied**: Attachments decomposed recursively (both in archive formats and compound document formats) to extract URLs, followed by above mentioned URL detection mechanisms.

### Malicious URLs behind URL shortening services

* **Example**: Campaigns leveraging Bitly, Owly, and similar services at multiple levels of redirection to hide the target URL.
* **Detections applied**: URL shorteners crawled in real time at the moment of message delivery to get to the eventual target URL, followed by URL detection methods. Real-time shorteners are intentionally not crawled ahead of time due to the dynamic nature of these services and the variation of target URLs based on time and source.

### Malicious URLs associated with QR codes (QR Code Phishing Attacks, Quishing)

* **Example**: Campaigns leveraging QR code image attachment to deliver malicious payload links for malware distribution and/or credential harvesting.
* **Detections applied**: Decoding images that resemble QR codes into URLs, followed by the above mentioned URL detection mechanisms.

### Instant crawl of URLs within message body

* **Example**: Typical phish campaigns with a socially engineered call to action URL that will implant malware (for example, Watering Hole attacks, Malvertizing, or scripting attacks).
* **Detections applied**: Heuristics applied to URLs in message bodies that are not already detected from ahead of time crawling and those deemed suspicious according to strict criteria are crawled in real time.

### Credential Harvesters

* **Example**: Form-based credential submission attacks, leveraging known brands (Office 365, PayPal, Dropbox, Google, and more).
* **Detections applied**: Continuous web crawling, computer vision on top brand lures, ML models, and infrastructure association.

### Domain Spoof Attacks

* **Example**: Campaigns spoofing sender domains to refer to the recipient domain or some known partner domain.
* **Detections applied**: Header mismatches, email authentication assessments, sender reputation analysis, homographic analysis, and punycode manipulation assessments.

### Domain proximity attacks

* **Example**: Campaigns taking advantage of domain similarity to confuse the end user (for example, `sampledoma1n.com` or `sampledomaln.com` compared to `sampledomain.com`).
* **Detections applied**: Header mismatches, email authentication assessments, and sender reputation analysis.

### Email Auth violations

* **Example**: Campaigns taking advantage of incorrect or invalid sender Auth records (SPF/DKIM/DMARC) and bypassing incoming Auth-based controls.
* **Detections applied**: Assessment of sender authentication records against published SPF/DKIM/DMARC records which is applied in combination with overall message attributes.

### Name Spoof Attacks / Executive Attacks (BEC)

* **Example**: Campaigns targeting executives and high-value targets within the organization or using the high-value targets as sources to attack other employees within the organization.
* **Detections applied**: Display names compared with known executive names for similarity using several matching models including the Levenshtein algorithm, and if matched, flagged when sender is originating from an unknown domain.
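The two lookalike checks described above (domain proximity, and display-name similarity to a known executive gated on an unknown sender domain), worked through with the Levenshtein algorithm the page names. This is an added example and not Cloudflare's detection logic: the distance thresholds, the executive list and the known domains are assumptions, and the homograph and punycode cases the page also mentions are not covered here.

```python
"""Levenshtein-based lookalike checks for display names and sender domains."""
from email.utils import parseaddr


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) with a two-row DP table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name):
    """Lower-case, drop dots and collapse whitespace so 'J. Doe' and 'j doe' compare equal."""
    return " ".join(name.lower().replace(".", " ").split())


def name_spoof(from_header, executives, known_domains, max_distance=2):
    """Return (matched_executive, flagged).

    A display name within max_distance edits of an executive's name is a match;
    it is flagged only when the sender address comes from a domain the
    organization does not know (mail from its own domains is expected).
    """
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    display = normalize_name(display)
    if not display or not executives:
        return None, False
    best = min(executives, key=lambda e: levenshtein(display, normalize_name(e)))
    if levenshtein(display, normalize_name(best)) > max_distance:
        return None, False
    return best, domain not in known_domains


def domain_proximity(sender_domain, protected_domains, max_distance=1):
    """Return the protected domain the sender domain imitates, or None.

    One edit catches the page's examples (sampledoma1n.com, sampledomaln.com vs
    sampledomain.com). The threshold is a constructed heuristic: very short
    domains would need a stricter rule to avoid false positives.
    """
    sender = sender_domain.lower()
    if sender in protected_domains:
        return None
    for target in protected_domains:
        if levenshtein(sender, target.lower()) <= max_distance:
            return target
    return None


if __name__ == "__main__":
    # Constructed inputs: an assumed executive list and organization domain.
    print(name_spoof('"Jane Do" <jane@example.net>', ["Jane Doe"], {"example.com"}))
    print(domain_proximity("sampledoma1n.com", {"sampledomain.com"}))
```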

### Fileless / Linkless campaigns (BEC)

* **Example**: Typically BEC campaigns with an offline call to action (call me, wire money, invoice, or others).
* **Detections applied**: Message lexical analysis, subject analysis, word count assessments, and sender analysis.

### Deferred campaign attacks

* **Example**: Campaigns that have no malicious payload and the URL is clean when delivered, but is activated in a deferred manner (3-4 hours later), so the end user is compromised at click time.
* **Detections applied**: URL rewrites and/or DNS blocks.

### IP-based spam

* **Example**: Volume-based, large scale spam campaigns primarily originating from compromised IP address spaces or botnets.
* **Detections applied**: Sender and IP reputation, history, and volume analysis.

### Content-based spam

* **Example**: Commodity spam largely focused on selling wares.
* **Detections applied**: Sender reputation, history, volume analysis, and message content analysis for commercial intent.

### Web phishing

* **Example**: Directly originated or targeted through web (for example, LinkedIn, Malvertizing, and more).
* **Detections applied**: Web and DNS service and network device integrations, like web proxies and firewalls.

### Mobile phishing

* **Example**: Remote employee getting phished while outside the corporate network.
* **Detections applied**: Employee email protection and web and DNS services enforcement in remote users (typically through an MDM integration or an always-on VPN solution).

### Network phishing

* **Example**: C2 communications for lateral spread within the network, or malicious phish downloaded from an external host. Typically seen when an end user gets infected outside the organization and comes back into the network, and the C2 host uses the infected endpoint to download the implant based on the IP address space it is now resident in.
* **Detections applied**: Network device integrations (firewalls) and API-based integrations within existing orchestration services.


---

---
title: Regional processing
description: Reference information for Regional processing in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Regional processing

Email security uses Cloudflare's [Data Localization Suite (DLS)](https://developers.cloudflare.com/data-localization/) to allow you to control where your emails are processed. You do not need the Data Localization Suite itself to choose a processing region for Email security.

Note

Regional processing is only available for customers who deploy Email security via MX/Inline or BCC/Journaling.

Currently, you can process emails in the following regions:

* US
* Germany
* India
* Australia


---

---
title: Retro Scan
description: Retro Scan in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Retro Scan

Use Retro Scan to check whether your current email security provider has missed any threats. Cloudflare scans up to 14 days of emails in your Microsoft 365 mailbox and generates a report of malicious messages. Once the scan is complete, you will receive an email notification with a link to the report.

Note

Retro Scan is only available for Microsoft 365 accounts.

To start a free scan:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security** \> **Overview**.
3. Select **Start a free scan** \> **Generate report**.
4. Enable your [Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration). Once you have enabled your Microsoft integration, you will be redirected to a page where you will add your domains and specify your current email security system.
5. Generate the Retro Scan report:  
   * **Connect domains**: Select at least one domain from your integration, then select **Continue**.  
   * **Select current solution**: Select the email security tool you are currently using, then select **Continue**.  
   * **Review details**: Confirm the domain and current solution you selected, then select **Continue**. You will receive an email notification once the report is ready.
6. When you receive the notification email, select the link to view the full report.
7. On the Cloudflare dashboard, select **View report**.

The dashboard will display **Overview** and **Details** pages.

### Overview

The **Overview** page shows a summary of the scan results across your selected domains, including:

* [Disposition evaluation](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/#disposition-evaluation), the verdict assigned to each scanned message (for example: malicious, suspicious, or spam)
* Malicious threat types
* Malicious targets, the top recipients targeted by malicious messages
* Malicious threat origins

### Details

The **Details** page lists up to 1,000 emails that were assigned a disposition during the scan. Select any email to review [details](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#details) about the message.


---

---
title: Auto-move events
description: Auto-move events in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Auto-move events

Auto-moves allow you to automatically move emails out of your inbox based on a [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/) that Email security assigns to each message (for example, malicious, spam, or spoof).

Use auto-moves to enforce email security policy without relying on end users to identify and act on threats themselves. After you configure auto-moves, Email security handles flagged messages according to the action you choose for each disposition.

To configure auto-move events:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings**.
4. Select **Moves**.
5. Under **Auto-moves**, select **Configure**.
6. For each disposition (malicious, spam, bulk, suspicious, spoof), choose what happens to matching emails:  
   * **Soft delete - user recoverable**: Moves the message to the user's **Recoverable Items - Deleted** folder. The user can still find and restore the message. This option is only available for Microsoft 365 customers. Refer to [Microsoft 365 Exchange data deletion ↗](https://learn.microsoft.com/en-us/compliance/assurance/assurance-exchange-online-data-deletion) for more information.  
   * **Hard delete - admin recoverable**: Removes the message from the user's inbox entirely. Only an administrator can recover it.  
   * **Move to trash**: Moves the message to the user's trash or deleted items folder. This option is only available for Google Workspace users.  
   * **Move to junk**: Moves the message to the user's junk or spam folder.  
   * **No action**: Leaves the message where it is. Email security still records the disposition, but does not move the message.
7. Select **Save**.


---

---
title: Additional detections
description: Additional detections in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Additional detections

Email security allows you to configure the following additional detections:

* Domain age
* Blank email detection
* [Automated Clearing House (ACH) ↗](https://en.wikipedia.org/wiki/Automated%5Fclearing%5Fhouse) change from free email detection
* HTML attachment email detection

To configure additional detections:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings**.
4. On the **Settings** page, go to **Detection settings** \> **Additional detections**, and select **Edit**.

## Configure domain age

The domain age is the time elapsed since the domain was registered.

You can use [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/) to create an exception to the domain age detection.

To configure a domain age:

1. On the **Edit additional detections** page:  
   * Select **Malicious domain age**: Controls the threshold for a malicious disposition. Maximum of 100 days. It is recommended to set the **Malicious domain age** to 7 days.  
   * Select **Suspicious domain age**: Controls the threshold for a suspicious disposition. Maximum of 100 days. It is recommended to set the **Suspicious domain age** between 30 and 45 days.
2. Select **Save**.

## Configure blank email detection

Blank email detection detects emails with blank bodies and assigns a default disposition. You can choose between **Malicious** and **Suspicious** as dispositions.

To enable blank email detection:

1. On the **Edit additional detections** page, enable **Blank email detection**.
2. Choose between **Malicious** and **Suspicious**.
3. Select **Save**.

## Configure ACH change from free email detection

[Automated Clearing House (ACH) ↗](https://en.wikipedia.org/wiki/Automated%5Fclearing%5Fhouse) is a banking term related to direct deposits. ACH change from free email detection detects payroll inquiries or change requests from free email domains and assigns a default disposition. You can choose between **Malicious** and **Suspicious** as dispositions.

To enable ACH change from free email detection:

1. On the **Edit additional detections** page, enable **ACH change from free email detection**.
2. Choose between **Malicious** and **Suspicious**.
3. Select **Save**.

## Configure HTML attachment email detection

HTML attachment email detection detects HTM and HTML attachments in emails and assigns a default disposition.

To enable HTML attachment email detection:

1. On the **Edit additional detections** page, enable **HTML attachment email detection**.
2. Choose between **Malicious** and **Suspicious**.
3. Select **Save**.


---

---
title: Allow policies
description: Allow policies in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Allow policies

Email security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning.

## How allow policies work

Allow policies are crucial for legitimate messages that may otherwise be blocked due to, for example, an incorrect setup.

Example of an allow policy

An example of an allow policy is one for a phishing simulation product. You configure the phishing simulation product as **Accept sender** so that Email security does not scan the messages (or crawl links) in these simulated messages.

Allow policies can be configured to match messages based on specific criteria such as individual email addresses, IP address ranges, or domains. This flexibility allows you to exempt legitimate messages from specific sources, even if those sources have low spam reputation or send bulk messages from their own servers.

Allow policies are used to mitigate false positives. When an email has been marked as malicious or suspicious, but you still want to receive that email, you configure that email as part of an allow policy.

### Accept sender

Allow policies in Email security give you the option to choose **Accept sender**.

Accept sender creates exceptions for messages that would otherwise be marked as spam, bulk, or spoof. However, Email security will continue to scan the message for maliciousness.

It is recommended to choose this option, as it is the safest option to protect your email inbox from malicious or suspicious activities.

Example use case: legitimate marketing emails that have been blocked

When a marketing email does not follow the correct template, it may be marked as malicious or spam. It may not be possible to change the template. However, in this scenario, the marketing email is legitimate.

To make sure that users still receive the marketing email, you will have to select **Accept sender** and add the marketing domain in **Rule Type** \> **Domains**.

**Accept sender** and **Domains** combined exempt marketing emails that may not follow the correct template.

Regular expressions and emails to add as Accept sender

Below you can find a list of known services you can add when configuring an Accept sender. We recommend you use [RegExr Validation ↗](https://regexr.com/) to validate your regular expressions.

* Google  
`drive-shares-noreply@google.com`  
`.*@docs\.google\.com`  
`.*@docos\.bounces\.google\.com`  
`.*@calendar-server\.bounces\.google\.com`  
`.*@alerts\.bounces\.google\.com`  
`calendar-notification@google.com`  
`.*\+bnc.*@<gsuite-company-domain>`  
`noreply-cloud@google.com`  
`<groupname>@<gsuite-company-domain>`  
`.*@doclist\.bounces\.google\.com`
* DocuSign  
`.*@docusign\.net`
* Twitter - Mentions/Retweets  
`notify@twitter.com`
* GitHub (mentions and notifications)  
`noreply@(github|git)\.<github-enterprise-hosting-domain>`  
`notifications@github.com`
* Apache Foundations (Developers)  
`.*@.*\.apache\.org`  
`jira@apache.org`
* Atlassian  
`jira@<company-hosted-jira-domain>`  
`jira@<team-name>.atlassian.net`  
`confluence@<company-hosted-jira-domain>`  
`confluence@<team-name>.atlassian.net`
* Intercom  
`notifications@intercom-mail.com`  
`notifications@mail.intercom.io`
* SharePoint  
`no-reply@sharepointonline.com`
* Box and Dropbox  
`.*@dropbox\.com`  
`noreply@box.com`
* Salesforce  
`.*@chatter\.salesforce\.com`  
`.*@.*\.(apex|bnc)\.salesforce\.com`  
`.*@.*\.bnc(\.sandbox)?\.salesforce\.com`
* Webex - Invites/Mentions  
`messenger@webex.com`
* Bulk mailers  
`.*@.*mailchimp\.com`  
`.*@mandrillapp\.com`  
`.*mailspike\.org`
* LinkedIn  
`invitations@linkedin.com`
* FBWork  
`.*@fbworkmail\.com`
* Asana  
`.*@mail\.asana\.com`
* EchoSign  
`.*@mail\.echosign\.com`
* HelloSign  
`noreply@(email|mail)\.hellosign\.com`
* Podio  
`noreply@podio.com`
* Quip  
`noreply.*@quip\.com`
* Zeplin  
`no-reply@zeplin.io`
* DataHug  
`notifications@datahug.com`
* Paperless  
`.*@paperlesspost\.com`
* NetSuite  
`.*@.*\.na\d\.netsuite\.com`
* FS-ISAC  
`cyberintel@lists.fsisac.com`
* Expensify  
`replies\+[0-9]+@expensify\.com`
* KnowBe4  
`.*@[a-z]+\.knowbe4\.com`  
`147\.160\.167\.([1-5][0-9]|6[0-2]|[1-9])`
* FreshDesk  
`.*@.*\.freshdesk\.com`
* Webroot  
`167.89.85.54`  
`49.72.237.117`
* Wombat Egress IPs  
**Training Platform**: `107.20.210.250`, `52.1.14.157`  
**Phishing Assessment**: `107.23.16.222`, `54.173.83.138`

## Configure allow policies

To configure allow policies:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings**, then go to **Detection settings** \> **Allow policies**.
4. On the **Detection settings** page, select **Add a policy**.
5. On the **Add an allow policy** page, enter the policy information:  
   * **Input method**: Choose between **Manual input** and **Uploading an allow policy**:
     * **Manual input**:
       * **Action**: Select one of the following to choose how Email security will handle messages that match your criteria:
         * **Trust sender**: Messages will bypass all detections and link following.
         * **Exempt recipient**: Messages to this recipient will bypass all detections.
         * **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. Refer to [Allow policy configuration use cases](#use-case-1) for examples of how to configure allow policies for accept sender.
       * **Rule type**: Specify the scope of your policy. Choose one of the following:
         * **Email addresses**: Must be a valid email address. Enter an email address whose messages are going to be exempted.
         * **IP addresses**: The IP address of the sending email server. Any message sent from this server is going to be allowed. The IP address can only be IPv4. IPv6 addresses and CIDR ranges are invalid entries.
         * **Domains**: Must be a valid domain.
         * **Regular expressions**: Must be valid Java regular expressions. Regular expressions are matched against fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email. For example, you can enter `.*@domain\.com` to exempt any email address that ends with `domain.com`.
       * **(Recommended) Sender verification**: This option enforces DMARC, SPF, or DKIM authentication. If you enable this option, Email security will only honor policies that pass authentication.
       * **Notes**: Provide additional information about your allow policy.
     * **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain the `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, and `Notes` fields. The first row must be a header row. Refer to [CSV uploads](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/#csv-uploads) for an example file.
6. Select **Save**.

Allow policy configuration use cases

The following use cases show how you could configure allow policies for accept sender.

### Use case 1

The company receives emails from third-party providers that are not used internally. These emails are sent from the service provider, and Email security gives them an incorrect disposition.

This use case can affect companies such as Shopify, PayPal, and Docusign.

To solve this:

1. Create a [team submission](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/team-submissions/).
2. Inform your Cloudflare contact about the escalation.
3. Do not set up allow policies or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign.

### Use case 2

The company receives emails via third-party providers that are used internally. These emails are sent from the company's custom domain, but Email security marks them as bulk, spam, or spoof.

This use case can cause the emails you want to receive to follow the auto-moves rules you set up. This use case affects emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition.

To solve this, when you add an allow policy in the Cloudflare One dashboard:

1. Choose **Accept sender**.
2. Verify that **Sender verification (recommended)** is turned on.

### Use case 3

The company receives emails via third-party providers that are used internally. These emails are sent from the company's custom domain, but Email security marks them as bulk, spam, or spoof. The custom email domain does not support DMARC, SPF, or DKIM, and would fail Sender Verification.

This use case impacts the emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition.

To solve this, when you add an allow policy in the Cloudflare One dashboard:

1. Choose **Accept sender** based on the static IP you own.
2. Ensure that **Sender verification (recommended)** is turned off.

Warning

Do not use email addresses or email domains for this policy as they can be easily spoofed without **Sender Verification (Recommended)** enabled.

### CSV uploads

You can upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes`. The first row must be a header row.

An example file would look like this:

```csv
Values, Rule Type, Sender Verification, Trusted Sender, Exempt Recipient, Acceptable Sender, Notes
whale@notaphish.com, EMAIL, true, true, false, true, not a phish
```
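
To check an allow-policy CSV against the constraints on this page before uploading it, and to see how far a regular-expression rule actually reaches (the narrow-scope concern of the detection settings best practices), here is an added Python example. It is not Cloudflare's code; it assumes the header of the example file above, the rule-type tokens `IP` and `REGEX` (only `EMAIL` and `DOMAIN` appear on this page), and that Python's `re` with whole-field matching approximates the Java regex engine used for matching.

```python
"""Pre-upload checker for an Email security allow-policy CSV.

Added illustration, not Cloudflare's code. Applies the constraints stated on
this page (150 KB limit, header row, IPv4 only with no CIDR or IPv6, regex
rules) and lints regex rules for wider-than-intended scope. Assumptions: the
header of the page's example file; rule-type tokens IP and REGEX (only EMAIL
and DOMAIN appear on the page); Python's re with whole-field matching standing
in for the Java regex engine."""
import csv
import io
import ipaddress
import re

MAX_BYTES = 150 * 1024   # page: file no larger than 150 KB
EXPECTED_HEADER = ["Values", "Rule Type", "Sender Verification", "Trusted Sender",
                   "Exempt Recipient", "Acceptable Sender", "Notes"]
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def rule_matches(pattern, sender_field):
    """Whole-field match, assumed to mirror Java's String.matches."""
    return re.fullmatch(pattern, sender_field) is not None


def lint_regex(pattern):
    """Scope warnings: each admits senders the author probably did not intend."""
    warnings = []
    if re.search(r"@\.\*", pattern):
        warnings.append("'@.*' matches any domain that merely contains the suffix")
    if re.search(r"(?<!\\)\.(?![*+?{])", pattern):   # bare '.' between labels
        warnings.append("unescaped '.' matches any character, not a literal dot")
    return warnings


def check_value(rule_type, value):
    """Problems with one Values cell, given its Rule Type."""
    problems = []
    if rule_type == "EMAIL":
        if not EMAIL_RE.fullmatch(value):
            problems.append("not a valid email address")
    elif rule_type == "DOMAIN":
        if not DOMAIN_RE.fullmatch(value.lower()):
            problems.append("not a valid domain")
    elif rule_type == "IP":
        if "/" in value:
            problems.append("CIDR ranges are not accepted")
        else:
            try:
                if ipaddress.ip_address(value).version != 4:
                    problems.append("IPv6 addresses are not accepted")
            except ValueError:
                problems.append("not an IP address")
    elif rule_type == "REGEX":
        try:
            re.compile(value)
        except re.error as exc:
            problems.append(f"regex does not compile: {exc}")
        else:
            problems.extend(lint_regex(value))
    else:
        problems.append(f"unknown rule type {rule_type!r}")
    return problems


def validate_csv(data):
    """Return [(row_number, message), ...]; an empty list means upload-ready."""
    findings = []
    if len(data) > MAX_BYTES:
        findings.append((0, f"file is {len(data)} bytes, limit is {MAX_BYTES}"))
    reader = csv.reader(io.StringIO(data.decode("utf-8")), skipinitialspace=True)
    rows = [[c.strip() for c in row] for row in reader if any(c.strip() for c in row)]
    if not rows or rows[0] != EXPECTED_HEADER:
        findings.append((1, "first row must be the header row"))
        return findings
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            findings.append((n, f"expected {len(EXPECTED_HEADER)} fields, got {len(row)}"))
            continue
        value, rule_type, *flags, _notes = row
        for name, flag in zip(EXPECTED_HEADER[2:6], flags):
            if flag.lower() not in ("true", "false"):
                findings.append((n, f"{name} must be true or false"))
        findings.extend((n, msg) for msg in check_value(rule_type.upper(), value))
    return findings


# Constructed sample file: rows taken from this page plus deliberately bad ones.
SAMPLE_CSV = b"""Values, Rule Type, Sender Verification, Trusted Sender, Exempt Recipient, Acceptable Sender, Notes
whale@notaphish.com, EMAIL, true, true, false, true, not a phish
example.com, DOMAIN, true, false, false, true, domain rule
192.0.2.10, IP, false, false, false, true, owned static relay
2001:db8::1, IP, false, false, false, true, IPv6 is rejected
198.51.100.0/24, IP, false, false, false, true, CIDR is rejected
.*@docs\\.google\\.com, REGEX, true, false, false, true, narrow scope
.*@.*mailchimp\\.com, REGEX, true, false, false, true, over-broad scope
jira@<team-name>.atlassian.net, REGEX, true, false, false, true, unescaped dots
"""

if __name__ == "__main__":
    for row, msg in validate_csv(SAMPLE_CSV):
        print(f"row {row}: {msg}")
```

The over-broad warning is concrete: under whole-field matching, `.*@.*mailchimp\.com` accepts `news@notmailchimp.com`, while `.*@mailchimp\.com` does not.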

## Export allow policies

To export all allow policies:

1. On the **Detection settings** page, select **Value(s)**. Selecting **Value(s)** will select all allow policies.
2. Select **Export to CSV**.

To export specific allow policies:

1. On the **Detection settings** page, select the allow policies you want to export.
2. Select **Export to CSV**.

## Edit allow policy

To edit an allow policy:

1. On the **Detection settings** page, select the allow policy you want to edit.
2. Select the three dots > **Edit**.
3. Edit the allow policy.
4. Select **Save**.

## Delete allow policy

To delete an allow policy:

1. On the **Detection settings** page, select the allow policy you want to delete.
2. Select the three dots > **Delete**.
3. On the pop-up message, select **Delete**.

To delete multiple allow policies at once:

1. On the **Detection settings** page, select the allow policies you want to delete.
2. Select **Action**.
3. Select **Delete**.


---

---
title: Detection settings best practices
description: Detection settings best practices in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Detection settings best practices

This guide describes how to configure detection settings to mitigate impersonation risks while ensuring legitimate delivery.

Once you configure the [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) to mitigate spoof detections, you can add emails in the impersonation registry as secondary email. Refer to [Edit users](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/#edit-users) to learn how to add a secondary email address.

For impersonation events that are caused by systems, Cloudflare recommends that you configure an [allow policy](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) to mitigate delivery disruptions.

To maintain a higher security posture, allow policies should be defined with the narrowest possible scope. Start with specific expressions or email addresses that will target the actual sender or system. If the system is sending from a variety of addresses, you can create an expression that is wider while keeping the expression specific. In some situations, it is better to have multiple specific entries than a more generic policy that allows a whole domain.

## Policy selection criteria

When you configure an [allow policy](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), you can choose how Email security handles messages that match your criteria.

Allow policies are suitable for services that may spoof people's names.

Use **Accept sender** with **Sender verification (recommended)** turned on for systematic traffic. For example, a file shared through Google Drive will create a notification using the name of the user that is sharing the document. However, the underlying email address used will be a Google system address.

Use **Trusted Sender** for emails that do not require phishing inspections. This will exempt messages from any phishing analysis, including links analysis.

Example use cases:

* Temporary rules (to avoid over-detection)
* Phishing simulations
* Applications that send one time links for verification

## Best practices for configuration

* Prioritize static IPs: Use known and owned, static IP addresses for relay servers. Avoid [ephemeral IP addresses ↗](https://docs.cloud.google.com/vpc/docs/ip-addresses#ephemeral%5Fand%5Fstatic%5Fip%5Faddresses) as their transient nature can lead to policy degradation.
* Enforce Sender Verification: Always have **Sender Verification (Recommended)** enabled in the Cloudflare dashboard. It validates the originating system's email authentication records (namely [SPF ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), and [DMARC ↗](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)) against the domain to ensure authenticity.
* Handle unsanctioned traffic: Unsanctioned traffic is traffic which has not been approved within an organization. This is also known as [Shadow IT ↗](https://www.cloudflare.com/en-gb/learning/access-management/what-is-shadow-it/). If an unsanctioned system generates spam or spoofed content, [configure a text add-on](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/) to append a tag to the subject line and automatically [move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) the message to the junk folder.


---

---
title: Blocked senders
description: Blocked senders in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Blocked senders

Email security marks all messages from these senders with a malicious [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/).

## How blocked senders work

Blocked senders ensure that messages from a listed sender are automatically marked as malicious, preventing them from reaching users' inboxes.

Sometimes the same email address, IP address, or domain repeatedly sends malicious emails to the company. In this case, you can add that email address, IP address, or domain as a blocked sender. You can choose to enter a regular expression by turning **Regular expression** on.

## Configure blocked senders

To configure blocked senders:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings**, then go to **Detection settings** \> **Blocked senders**.
4. On the **Detection settings** page, select **Add a sender**.
5. Select the **Input method**: Choose between **Manual input** and **Upload blocked sender list**:
   * **Manual input**:
     * **Sender type**:
       * **Email addresses**: Must be a valid email address.
       * **IP addresses**: Can only be IPv4. IPv6 addresses and CIDR ranges are invalid entries.
       * **Domains**: Must be a valid domain.
       * **Regular expressions**: Must be valid Java regular expressions. Regular expressions are matched against fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email. For example, you can enter `.*@domain\.com` to block any email address that ends with `domain.com`.
     * **Notes**: Provide additional information about the blocked sender policy.
   * **Upload blocked sender list**: Upload a file no larger than 150 KB. The file can only contain the `Blocked_Sender`, `Pattern Type`, and `Notes` fields. The first row must be a header row. Refer to [CSV uploads](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/#csv-uploads) for an example file.
6. Select **Save**.

### CSV uploads

You can upload a file no larger than 150 KB. The file can only contain the `Blocked_Sender`, `Pattern Type`, and `Notes` fields. The first row must be a header row.

An example file would look like this:

```csv
Blocked Sender, Blocked Sender Type, Is Regex, Notes
john.smith@gmail.com, EMAIL, false, John Smith
example.com, DOMAIN, false, Melanie Turner
```

## Export blocked senders

To export all blocked senders:

1. On the **Detection settings** page, select **Sender**. Selecting **Sender** will select all blocked senders.
2. Select **Export to CSV**.

To export specific blocked senders:

1. On the **Detection settings** page, select **Value(s)**. Select the blocked senders you want to export.
2. Select **Export to CSV**.

## Edit a blocked sender

To edit a blocked sender:

1. On the **Detection settings** page, select the blocked sender you want to edit.
2. Select the three dots > **Edit**.
3. Edit the blocked sender.
4. Select **Save**.

## Delete a blocked sender

To delete a blocked sender:

1. On the **Detection settings** page, select the blocked sender you want to delete.
2. Select the three dots > **Delete**.
3. On the pop up message, select **Delete**.

To delete multiple blocked senders at once:

1. On the **Detection settings** page, under **Blocked senders**, select the senders you want to delete.
2. Select **Action**.
3. Select **Delete**.


---

---
title: Configure link actions
description: Configure link actions in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Configure link actions

You can configure how Email security handles links in emails.

Note

You can only configure link actions if you deploy Email security via [MX/Inline](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/).

To configure link actions:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings**, then go to **Detection settings** \> **Link actions** \> **View**.

You can configure **Link actions settings**, or **URL rewrite ignore patterns**.

## Link actions settings

To configure link actions, select **Configure**.

The dashboard will display **Open links evaluated as suspicious in a remote browser (Recommended)**. This option is turned on by default. Email security also lets you select message dispositions so that all links in emails with those dispositions open in a remote browser.

Select one or more dispositions, then select **Save**.

If **Open links evaluated as suspicious in a remote browser (Recommended)** is turned off, you can select **URL defang** or **No action** on each disposition. Select **Save** once you have completed the configuration.

When opening links, Email security will not allow you to:

* [Copy (from remote to client)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/)
* [Paste (from client to remote)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/)
* Use [keyboard](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/)
* [Print](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/)
* [Download files](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/)
* [Upload files](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/)

## Add patterns for URLs

You can add patterns for URLs that should be rewritten.

1. Under **URL rewrite ignore patterns**, select **Add a pattern**.
2. Enter a valid IP, URL, or regular expression. You can enter up to 512 characters.
3. Select **Save**.

To edit a pattern, go to the pattern you want to edit, select the three dots, then **Edit**. Once you have finished modifying the URL pattern, select **Save**.

To delete a pattern, go to the pattern you want to delete, select the three dots, then **Delete**.


---

---
title: Configure text add-ons
description: Configure text add-ons in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Configure text add-ons

You can create custom labels to be used as the subject or body prefix for emails with specific dispositions.

Note

You can only configure text add-ons if you deploy Email security via [MX/Inline](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/).

Warning

If you currently do not have text add-ons enabled, configuring text add-ons will add a banner to the subject line. As a result, the subject line and the email body will be reduced.

## Subject prefix

To configure a subject prefix:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings**, then go to **Detection settings** \> **Text add-ons** \> **View**.
4. Select **Configure** \> **Subject prefix**.
5. Populate each disposition with a subject prefix, and turn on the **Status** to enable the subject prefix for a specific disposition.

### Advanced settings

In **Advanced settings**, you can configure **Add "labels" variable**. This option allows you to add a dynamic value for a label that lists dispositions and allows for additional text.

To turn on **Add "labels" variable**:

1. Go to **Advanced settings** \> **Add "labels" variable**.
2. Choose between:  
   * **Use default**.  
   * **Use custom "labels" variable**: Enter the custom label in the text box.

Once you have configured the subject prefix, select **Save**.

## Body prefix

A body prefix is a custom label added to the top of the email body for emails with specific dispositions.

Populate each disposition with a body prefix, and turn on the **Status** to enable the body prefix for a specific disposition.

### Advanced settings

In **Advanced settings**, you can configure **Add "labels" or "threat types" variable**. This option allows you to add a dynamic "labels" value that lists dispositions, or a dynamic "threat types" value that lists the threat types behind an assigned disposition.

To turn on **Add "labels" or "threat types" variable**:

1. Go to **Advanced settings**.
2. Choose between:  
   * **Add "labels" variable**: This option allows you to add a dynamic value for a label that lists dispositions and allows for additional text. Choose between:  
         * **Use default**.  
         * **Use custom "labels" variable**: Enter the custom label in the text box.

Once you have configured the body prefix, select **Save**.

### Add threat types variable

This option allows you to include a dynamic value for '%THREATS' that lists the threat types behind an assigned disposition. It can include additional, HTML-formatted text.

The dashboard will display **Default** or **Custom** (to use "labels" or "threat types" variable), depending on how you configured the [advanced settings](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/#advanced-settings-1).


---

---
title: Impersonation registry
description: Impersonation registry in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Impersonation registry

The impersonation registry contains the known email addresses of users who are likely to be impersonated. If a message uses a registered user's identity but comes from an address that is not listed as one of that user's alternative email addresses, it will be reported as potential [business email compromise (BEC) ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/).

Note

The impersonation registry should contain a list of users who are likely to be impersonated. Email security applies enhanced security to variations of registered email addresses for additional [Business Email Compromise (BEC) ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) protection.

For easier tracking, the Email security team recommends syncing and structuring VIPs in groups, and avoiding manual input of users.

To add a user to the impersonation registry:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings** \> **Impersonation registry**.
4. Select **Add a user**.
5. Select **Input method**: Choose between **Manual input**, **Upload manual list**, and **Select from existing directories**:  
   * **Manual input**: Enter the following information:  
         * **User info**: Enter a valid **Display name**.  
         * **User email**: Enter one of the following:  
                  * **Email address**: Enter all known email addresses, separated by a comma.  
                  * **Regular expressions**: Must be valid Java regular expressions.  
   * **Upload manual list**: You can upload a file no larger than 150 KB containing all variations of the potential email addresses. The file must contain the `Display_Name` and `Email` fields, and the first row must be the header row. Refer to [CSV uploads](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/#csv-uploads) for an example file.  
   * **Select from existing directories**:  
         * **Select directory**: Select your directory.  
         * **Add users or groups**: Choose the users or groups you want to register.
6. Select **Save**.

### CSV uploads

You can upload a file no larger than 150 KB containing all variations of the potential email addresses. The file must contain the `Display_Name` and `Email` fields, and the first row must be the header row.

An example file would look like this:

```
Display Name, Email
Star Phish, star@nophish.com
Phish Ee, phishee@nophish.com
```
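The BEC check described at the top of this page, as an added example that is not part of the Cloudflare documentation: it loads a registry in the CSV layout shown above (merging rows that share a display name), parses a `From` header, and flags a message that trades on a registered identity from an address the registry does not know. Cloudflare's own header parsing and name normalisation are not published, so the minimal `From` parser, the case-fold and whitespace normalisation, and the second rule (a registered address used as the display name of an unregistered sender) are assumptions; the sample registry adds one constructed row to the page's two.

```python
import csv
import io
import re

HEADER = ["Display Name", "Email"]  # columns of the page's example file

# Minimal From-header parser for '"Name" <addr>', 'Name <addr>' and bare 'addr' forms (assumption:
# Email security's real header parsing is not published).
FROM_RE = re.compile(r'^\s*(?:"(?P<qname>[^"]*)"|(?P<name>[^<]*?))\s*<(?P<addr>[^<>\s]+)>\s*$')


def normalize_name(name: str) -> str:
    """Case-fold and collapse whitespace so 'STAR  phish' and 'Star Phish' compare equal."""
    return " ".join(name.casefold().split())


def parse_from_header(header: str) -> tuple:
    """Return (display name, lower-cased address); a bare address has an empty display name."""
    m = FROM_RE.match(header)
    if m:
        name = m.group("qname") if m.group("qname") is not None else m.group("name")
        return name.strip(), m.group("addr").lower()
    return "", header.strip().lower()


def parse_registry(csv_text: str) -> dict:
    """Build {normalized display name: set of known addresses}; rows with the same name merge."""
    rows = [r for r in csv.reader(io.StringIO(csv_text), skipinitialspace=True) if r]
    if not rows or [c.strip() for c in rows[0]] != HEADER:
        raise ValueError(f"first row must be the header {HEADER}")
    registry = {}
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != 2 or "@" not in row[1]:
            raise ValueError(f"line {lineno}: expected a display name and an email address")
        name, email = (c.strip() for c in row)
        registry.setdefault(normalize_name(name), set()).add(email.lower())
    return registry


def check_impersonation(from_header: str, registry: dict) -> dict:
    """Flag potential BEC: a registered identity presented from an address the registry does not list."""
    name, addr = parse_from_header(from_header)
    known = registry.get(normalize_name(name))          # addresses registered for this display name
    all_known = set().union(*registry.values()) if registry else set()
    result = {"display_name": name, "address": addr,
              "registered_user": known is not None, "bec_suspect": False, "reason": ""}
    if known is not None:
        if addr not in known:
            result["bec_suspect"] = True
            result["reason"] = "registered display name sent from an address not in the registry"
    elif addr not in all_known and any(k in name.lower() for k in all_known):
        # Second rule (assumption): the attacker puts a registered address in the display name.
        result["bec_suspect"] = True
        result["reason"] = "registered address used as the display name of an unregistered sender"
    return result


# Constructed sample: the page's two rows plus a second address for the same user.
SAMPLE_REGISTRY_CSV = """Display Name, Email
Star Phish, star@nophish.com
Phish Ee, phishee@nophish.com
Star Phish, star.phish@partner.example
"""
```

The page notes that directory-synced users cannot have their primary email edited here; in this model that corresponds to the registry being built from the directory export rather than from hand-typed rows, which is also why the recommendation above is to sync groups rather than enter users manually.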

## Edit users

Note

Administrators can edit the names and emails of users who belong to the Email security directory. Administrators from other integrated directories cannot edit the name and the primary emails of users.

To edit users from the Email security directory:

1. Select the user you want to edit.
2. Select the three dots > **Edit**.
3. Enter the **Display name**, **Email** and **Secondary email**.
4. Select **Save**.

To edit users from other integrations:

1. Select the user you want to edit.
2. Select the three dots > **Edit**.
3. Enter the **Secondary email**.
4. Select **Save**.

## Remove users

Note

Administrators can remove users who belong to the Email security directory from the **Impersonation registry**. Users who come from an integrated directory cannot be removed from the **Impersonation registry** directly.

To remove a user from an integrated directory:

1. Select **Directories** on the sidebar.
2. Select the directory where your user is allocated.
3. Select the **Users** tab.
4. Search for the user you want to remove.
5. Select the three dots > **Remove from registry**.

To remove a user from the impersonation registry:

1. Select the user you want to remove.
2. Select the three dots > **Remove from registry**.
3. Read the pop-up message, then select **Remove user**.

To remove multiple users at once from the impersonation registry:

1. Select all the users you want to remove.
2. Select **Action** \> **Remove from registry**.
3. Read the pop-up message, then select **Remove users**.


---

---
title: Trusted domains
description: Trusted domains in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Trusted domains

Email security allows you to exempt known partner and internal domains from typical detection scanning. Adding trusted domains helps to reduce false positives on malicious, suspicious, and spoof [dispositions](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/). Email security checks only the date on which the domain was created.

## How trusted domains work

Trusted domains apply to entire sending domains, not to individual email messages.

By default, Email security automatically detects lookalike domains. Lookalike domains are pairs such as `thisisdomain.com` and `thisisadomain.com`: the two look almost identical.

If an email is received from a domain that looks like one of your configured domains, this triggers a detection. Adding the domain as a trusted domain suppresses this detection.

In [Additional detections](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/additional-detections/), you can configure malicious domain and suspicious [domain age](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/additional-detections/#configure-domain-age).

Malicious domain age covers the case where someone creates a domain today, similar to a target, and starts sending emails from it. This is how many phishing campaigns start, so such a domain is usually marked as Malicious. Malicious domain age is usually set to 7 days.

Suspicious domain age covers domains older than 7 days (the Malicious domain age) that may not be malicious but can still be suspicious. Email security marks these domains as Suspicious. It is recommended to configure the **Suspicious domain age** between 30 and 45 days.

To view whether a domain is malicious or suspicious:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Investigation**.
2. Run a screen. For example, select **Run screen** for **Malicious emails**, then select **Run screen**.
3. Under **Your matching messages**, if any message displays **Domain Age** under **Threat types**, that means that the domain age is too low, and therefore the disposition assigned is Malicious. If the domain is legitimate, you can add it as a trusted domain:  
   * Go to **Settings** \> **Trusted Domains**.  
   * Under **Domain Info**, add the domain, and select **New Domain**. This will mark the domain whose age is low as a trusted domain.

## Configure trusted domains

To configure a trusted domain:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings**, go to **Detection settings** \> **Trusted domains**.
4. On the **Detection settings** page, select **Add a domain**.
5. Select the **Input method**: Choose between **Manual input**, and **Upload trusted domain list**:  
   * **Manual input**:  
         * **Domain info**: Enter a valid domain name.  
         * **Domain type**: Select one or both options:  
                  * **Proximity domain**: Domains with similar spelling to your existing domain.  
                  * **Recent domain**: Domains created recently.  
         * **Notes**: Provide additional information about the trusted domain list.  
   * **Upload trusted domain list**: You can upload a file no larger than 150 KB of multiple trusted domains. The file can only contain `Domain`, `Proximity`, `New` and `Notes` fields. The first row must be a header row. Refer to [CSV uploads](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/#csv-uploads) for an example file.
6. Select **Save**.

### CSV uploads

You can upload a file no larger than 150 KB of multiple trusted domains. The file can only contain `Domain`, `Proximity`, `New` and `Notes` fields. The first row must be a header row.

An example file would look like this:

```
Domain, Proximity, New, Notes
mydomain.com, true, true, First Person
testdomain.com, false, true, New Hire
```
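An added example, not part of the Cloudflare documentation, that puts the domain-age thresholds and trusted-domain exemptions from "How trusted domains work" into code alongside the upload format shown just above: it parses the trusted domain file, approximates lookalike detection with an edit distance, and reports the disposition and threat types a message's sender domain would receive. Cloudflare's lookalike algorithm and the exact threshold boundaries are not published, so the edit-distance rule, the boundary handling, and the Suspicious disposition for a lookalike-only hit are assumptions; the sample CSV adds one constructed row to the page's two, and the `Proximity` and `New` flags are mapped to the **Proximity domain** and **Recent domain** types from the configuration steps.

```python
import csv
import io
from datetime import date

# Thresholds from the page: Malicious domain age is usually 7 days; Suspicious is recommended at 30 to 45 days.
MALICIOUS_AGE_DAYS = 7
SUSPICIOUS_AGE_DAYS = 30
HEADER = ["Domain", "Proximity", "New", "Notes"]  # columns of the page's example file
LOOKALIKE_MAX_DISTANCE = 1  # assumption: one edit away from an organisation domain counts as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to approximate Email security's (unpublished) lookalike detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, own_domains) -> bool:
    domain = domain.lower()
    return any(domain != own.lower() and levenshtein(domain, own.lower()) <= LOOKALIKE_MAX_DISTANCE
               for own in own_domains)


def parse_trusted_domains(csv_text: str) -> dict:
    """Map each trusted domain to its Proximity/New flags; raises ValueError on a bad file."""
    rows = [r for r in csv.reader(io.StringIO(csv_text), skipinitialspace=True) if r]
    if not rows or [c.strip() for c in rows[0]] != HEADER:
        raise ValueError(f"first row must be the header {HEADER}")
    trusted = {}
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(row)}")
        domain, proximity, new, notes = (c.strip() for c in row)
        flags = {"notes": notes}
        for name, raw in (("proximity", proximity), ("new", new)):
            if raw.lower() not in ("true", "false"):
                raise ValueError(f"line {lineno}: {name} must be true or false")
            flags[name] = raw.lower() == "true"
        trusted[domain.lower()] = flags
    return trusted


def domain_age_threat(created: str, today: str):
    """Disposition implied by domain age alone (ISO dates), or None when the domain is old enough."""
    age = (date.fromisoformat(today) - date.fromisoformat(created)).days
    if age < MALICIOUS_AGE_DAYS:      # boundary handling (strict less-than) is an assumption
        return "Malicious"
    if age < SUSPICIOUS_AGE_DAYS:
        return "Suspicious"
    return None


def evaluate_sender_domain(domain: str, created: str, today: str, own_domains, trusted: dict) -> tuple:
    """Combine the age and lookalike detections and apply the trusted-domain exemptions.

    Returns (disposition, threat_types). A lookalike that is not also too young gets Suspicious
    here; the page does not state which disposition a lookalike-only detection receives.
    """
    flags = trusted.get(domain.lower(), {"proximity": False, "new": False})
    threats, disposition = [], "None"
    age_disposition = domain_age_threat(created, today)
    if age_disposition and not flags["new"]:            # "Recent domain" trust suppresses the age check
        threats.append("Domain Age")
        disposition = age_disposition
    if is_lookalike(domain, own_domains) and not flags["proximity"]:  # "Proximity domain" trust suppresses it
        threats.append("Lookalike domain")
        if disposition == "None":
            disposition = "Suspicious"
    return disposition, threats


# Constructed sample: the page's two rows plus one partner domain that spells like ours.
SAMPLE_TRUSTED_CSV = """Domain, Proximity, New, Notes
mydomain.com, true, true, First Person
testdomain.com, false, true, New Hire
thisisadomain.com, true, true, Partner that spells like ours
"""
```

The **Domain Age** threat type this returns is the one the Investigation screen shows under **Threat types** in the steps above; when it appears for a domain you know to be legitimate, the fix on the page is to add the domain with **Recent domain** (the `New` column) rather than to raise the global age threshold.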

## Export trusted domains

To export all trusted domains:

1. On the **Detection settings** page, select **Domain**. Selecting **Domain** will select all trusted domains.
2. Select **Export to CSV**.

To export specific trusted domains:

1. On the **Detection settings** page, select the trusted domains you want to export.
2. Select **Export to CSV**.

## Edit trusted domains

To edit a trusted domain:

1. On the **Detection settings** page, select the trusted domains you want to edit.
2. Select the three dots > **Edit**.
3. Edit the trusted domain.
4. Select **Save**.

## Delete trusted domains

To delete trusted domains:

1. On the **Detection settings** page, select the trusted domain you want to delete.
2. Select the three dots > **Delete**.
3. On the pop up message, select **Delete**.

To delete multiple trusted domains at once:

1. On the **Detection settings** page, select the trusted domains you want to delete.
2. Select **Action**.
3. Select **Delete**.


---

---
title: Information about your domain
description: How Information about your domain works in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Information about your domain

When you configure your domain, the Cloudflare dashboard displays the following fields:

* **Domain**: Domain name. Refer to [Manage domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/manage-domains/) to learn how to add, filter, and delete domains.
* **Configured method**: The deployment method you used to configure your domain. Depending on how you decided to configure Email security, the dashboard will display:  
   * **MS Graph API**: Your current email provider is Microsoft 365, and Email security has been configured via the Microsoft Graph API. You do not need to change any MX record.  
   * **BCC/Journaling**: You have chosen to set up your email via BCC/Journaling. A copy of your email is sent to Cloudflare.  
   * **MX/Inline**: You have configured your email domain using MX/Inline. This configuration requires a [DNS record change](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/#edit-dns-records).
* **Status**: Status indicates the state of the configuration.  
   * For MX/Inline and BCC/Journaling, the dashboard will display **Active** if Email security has processed any email in the last seven days. The dashboard will display **No mail flow** if there has been no email activity in the last seven days. This is likely due to a misconfiguration. Refer to [Configuration checklist](https://developers.cloudflare.com/cloudflare-one/email-security/setup/#5-configuration-checklist) to ensure you have configured your environment correctly.  
   * For MS Graph API, the dashboard will display **Active** if your integration has been successfully connected, and Email security can scan your inbox with the integration. The dashboard will display **Broken** if the API is not scanning emails. This could be due to a CASB misconfiguration. To troubleshoot this, refer to [Troubleshoot CASB](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/troubleshoot-casb/).
* **Service address**: This is the email address you will use to send a copy of your email.
* **Source**: Depending on how you added the domains, the dashboard will display **MS integration**, **Google**, **CF zones**, or **Manual add**.
* **Integration name**: Name of the integration. This field will only be displayed for Microsoft integrations. To rename your integration:  
   1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Integrations** \> **Cloud & SaaS**.  
   2. Locate your integration, select **Configure**, then select **Edit**.  
   3. Rename your integration, then select **Save**.
* **Hops**: The number of hops. This will not be displayed if the configuration method is Microsoft Graph API. Hop count will be visible only if it has been configured.
* **Date added**: Date when the domain was added.


---

---
title: Phish submissions
description: Phish submissions in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Phish submissions

As part of your continuous email security posture, administrators and security analysts need to submit missed phishing samples to Email security, so Cloudflare can process them and take necessary action.

Submitting missed phish samples to Cloudflare is of paramount importance and necessary for continuous protection. Submitting missed phish samples helps Cloudflare improve our machine learning (ML) models, and alerts us of new attack vectors before they become prevalent.

There are three routes you can use to report an email as a phish:

* Via Investigation, by [reclassifying an email](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/#reclassify-an-email).
* Via [PhishNet 365](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/phishnet-365/).
* Via [Submission addresses](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/submission-addresses/).

## Reclassify an email

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security** \> **Investigation**.
3. On the **Investigation** page, under **Your matching messages**, select the message you want to reclassify. Select the three dots, then select **Submit for review**. By selecting **Submit for review**, you are requesting a new disposition for the message.
4. Select the new disposition, then select **Save**.

When you report an email as phish, this email will be displayed under [User submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/).


---

---
title: PhishNet Microsoft 365
description: PhishNet Microsoft 365 in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# PhishNet Microsoft 365

PhishNet is an add-in button that lets users submit phish samples missed by Email security's detection directly to Email security.

To set up PhishNet Microsoft 365:

1. Get the customized manifest URL from [Cloudflare One ↗](https://one.dash.cloudflare.com/?to=/:account/email-security/settings/email-policy/phish-submission?tab=phish-submission).
2. Log in to the [Microsoft admin panel ↗](https://admin.microsoft.com/).
3. Go to **Microsoft 365 admin center** \> **Settings** \> **Integrated Apps**.
4. Select **Upload custom apps**.
5. Choose **Provide link to manifest file** and paste the URL you copied from the Cloudflare One dashboard.
6. Verify and complete the wizard.


---

---
title: PhishNet for Google Workspace
description: PhishNet for Google Workspace in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# PhishNet for Google Workspace

To set up PhishNet with Google Workspace you need admin access to your Google Workspace account.

## Set up PhishNet for Google Workspace

1. Log in to [Google Workspace Marketplace apps ↗](https://workspace.google.com/marketplace/app/cloudflare%5Fphishnet/11369379045) using this direct link and an administrator account.
2. Select **Admin install** to install Cloudflare PhishNet. Read the warning, and select **Continue**.
3. You will be redirected to the **Allow data access** page, where you can choose to install Cloudflare PhishNet for **Everyone at your organization**, or **Certain groups or organizational units**. If you choose the latter option, you will have to select the users in the next step.
4. After choosing the groups you want to install PhishNet for, agree with Google's terms of service, and select **Finish**.
5. Cloudflare PhishNet has been installed. Select **DONE**.

You have now successfully installed Cloudflare PhishNet.

## Submit phish with PhishNet

1. In your Gmail web client, open the message you would like to flag as either spam or phish.
2. Select the PhishNet logo on the side panel.
3. Under **Select Submission Type**, select **Spam** or **Phish**.
4. Select **Submit Report**.


---

---
title: Submission addresses
description: Submission addresses in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Submission addresses

To view the destination addresses of user and team submissions:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Settings**.
4. Go to **Phish submission** \> **Submission addresses** \> **View**.

The dashboard will display **User submission addresses** and **Team submission addresses**.


---

---
title: Before you begin
description: Before you begin resources and guides for Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Before you begin

Before you start the onboarding process, you will have to:

1. Choose a deployment path: Email security provides two deployment modes, [post-delivery](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/) for API and BCC/Journaling, and [pre-delivery](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/) for MX/Inline.
2. Learn about dispositions, impersonation registry, and submissions.
3. Know the steps to configure your email environment correctly.

The following table compares features available across API, BCC/Journaling and MX/Inline:

| Feature             | Microsoft 365                                       | Google Workspace                  | Others (On-prem/Cloud)                                   |
| ------------------- | --------------------------------------------------- | --------------------------------- | -------------------------------------------------------- |
| Deployment type     | API and MX                                          | BCC and MX                        | MX only                                                  |
| API integration     | Microsoft Graph API                                 | BCC only                          | None                                                     |
| BCC/Journaling      | Uses a Journal Rule in the Microsoft Purview portal | Uses BCC rules                    | Uses journaling                                          |
| Inline/MX Mode      | MX records point to Cloudflare                      | MX records point to Cloudflare    | MX records point to Cloudflare                           |
| Message remediation | Auto-moves through Read/Write API                   | Auto-moves through Read/Write API | Messages can be blocked, quarantined, or modified inline |

Note that:

* All email providers support MX/Inline deployment.
* Microsoft 365 or Google Workspace users who integrate Email security via API or BCC/Journaling can modify emails primarily through deletion or post-delivery [move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/).
* Microsoft 365 or Google Workspace users who integrate Email security via MX/Inline can modify emails via post-delivery [move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/), [link actions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/) and [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/).

## 1\. Choose a deployment

### Post-delivery deployment

When you choose post-delivery deployment, Cloudflare scans emails **after** they reach a user's inbox.

If you are a Microsoft 365 user, this is done via [Microsoft's Graph API](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/) or [journaling](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/).

If you are a [Google Workspace](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/) or [Microsoft Exchange](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/bcc-microsoft-exchange/) user, this is done via BCC.

#### Why you should consider post-delivery deployment

Post-delivery deployment is time-efficient because it does not involve MX changes, and it does not disrupt mail flow. It also allows you to enable [auto-move events](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to hard or soft delete messages, and to synchronize your [directory](https://developers.cloudflare.com/cloudflare-one/email-security/directories/) when you use the Microsoft Graph API or Google Workspace.

Note

When you choose post-delivery deployment:

* The threat is removed **after** the message has been delivered to the inbox.
* It requires API scopes, or BCC/Journaling rule configuration.
* Auto-move is only available in BCC/Journaling if you associate an integration.

### Pre-delivery deployment

When you choose pre-delivery deployment, Cloudflare scans emails **before** they reach a user's inbox. The MX record points to Cloudflare.

#### Why you should consider pre-delivery deployment

Pre-delivery deployment provides you with the highest level of protection. It enforces [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/) or link rewrite at delivery.

Pre-delivery blocks threats in transit, and it adds banners or texts before the user views the email.

Note

When you choose pre-delivery deployment:

* You must edit MX records or create a connector.
* You can enable auto-move events only after you associate an integration.
* Cloudflare [egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) must be allowed on downstream mail servers.
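Pre-delivery protection only holds if every published MX host routes through the filter: a legacy mail server left in DNS at a higher preference is still a valid delivery path. The following Python check, an added example that is not part of the Cloudflare documentation, classifies a domain's MX records and flags any host that would let mail bypass the filter; the filter MX hostnames are placeholders, since this page does not list them, and the `dig` output is constructed.

```python
"""
Added example (not Cloudflare's code): verify that a domain's MX records
route inbound mail through the filtering MX hosts, as pre-delivery
(MX/Inline) deployment requires.

Assumption: FILTER_MX_SUFFIXES is a placeholder; use the MX hostnames the
Cloudflare One dashboard shows for your account.
"""
from dataclasses import dataclass, field


@dataclass
class MxRecord:
    preference: int
    host: str


@dataclass
class MxCheck:
    ok: bool
    primary_hosts: list = field(default_factory=list)  # lowest-preference hosts
    bypass_hosts: list = field(default_factory=list)   # hosts reachable without the filter
    reason: str = ""


# PLACEHOLDER: replace with the filter MX hostnames shown in your dashboard.
FILTER_MX_SUFFIXES = ("mx-filter.example.invalid",)


def normalize_host(host: str) -> str:
    """Strip the trailing dot of a DNS name and lowercase it."""
    return host.rstrip(".").lower()


def is_filter_host(host: str) -> bool:
    """True if the host is, or is under, one of the filter MX suffixes."""
    h = normalize_host(host)
    return any(h == s or h.endswith("." + s) for s in FILTER_MX_SUFFIXES)


def check_mx(records) -> MxCheck:
    """Classify MX records.

    Senders try the lowest preference first and fall back to higher ones,
    and a sender may connect to any published MX directly, so every
    non-filter host at any preference is an unfiltered delivery path.
    """
    if not records:
        return MxCheck(False, reason="no MX records: mail falls back to A/AAAA, bypassing the filter")
    recs = [MxRecord(r.preference, normalize_host(r.host)) for r in records]
    lowest = min(r.preference for r in recs)
    primary = [r.host for r in recs if r.preference == lowest]
    bypass = [r.host for r in recs if not is_filter_host(r.host)]
    if not all(is_filter_host(h) for h in primary):
        return MxCheck(False, primary, bypass, "a non-filter host holds the lowest preference")
    if bypass:
        return MxCheck(False, primary, bypass, "legacy MX host(s) still published; mail can bypass the filter")
    return MxCheck(True, primary, [], "all MX hosts route through the filter")


def parse_mx_lines(lines):
    """Parse `dig +short MX <domain>` style output: '<preference> <host>' per line."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        pref, host = line.split(None, 1)
        out.append(MxRecord(int(pref), host))
    return out


def lookup_mx(domain):
    """Live lookup with dnspython (pip install dnspython); not used by the sample below."""
    import dns.resolver
    answer = dns.resolver.resolve(domain, "MX")
    return [MxRecord(r.preference, r.exchange.to_text()) for r in answer]


# Constructed sample: the filter is primary, but the old mail server is still
# published as a fallback, so the check must fail.
SAMPLE_DIG_OUTPUT = [
    "10 inbound1.mx-filter.example.invalid.",
    "10 inbound2.mx-filter.example.invalid.",
    "20 mail.example.com.",
]

if __name__ == "__main__":
    print(check_mx(parse_mx_lines(SAMPLE_DIG_OUTPUT)))
```

Run it against `dig +short MX yourdomain` output before and after the MX change; the check passes only once every published host is a filter host.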

## 2\. Understand dispositions

Dispositions allow you to configure policies and tune reporting. For example, you can configure a policy to move suspicious emails to your junk folder.

Refer to [Dispositions](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to learn more about dispositions.

## 3\. Set up the impersonation registry

Most [business email compromise (BEC) ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) targets executives or finance roles. You must add the addresses of roles that are likely to be impersonated. Refer to [Impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) to learn how to add a user to the impersonation registry.

Roles you may want to include in the impersonation registry are:

* C-suites
* Finance roles
* HR
* IT help-desk
* Legal

You should review your impersonation registry on a quarterly basis as roles change.

## 4\. Submit messages

A submission is a change to an email's disposition **after** initial scanning. It is Cloudflare's built-in feedback loop for correcting false positives/negatives **and** training the detection models to get smarter over time. Refer to [Submit messages for review](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/#submit-messages-for-review) to learn how to reclassify a message.

### Who can reclassify messages

[Security teams](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/team-submissions/) and [end users](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/) can perform a submission.

### Why you should submit messages

Submissions are critical because:

* **They help improve model accuracy**: Every validated submission teaches Cloudflare's machine learning to recognise new lures, language, infrastructure, and benign patterns.
* **They reduce alert fatigue**: Correcting Suspicious or Spam emails that users actually want tailors detections to your organization, cutting noise in the dashboard.
* **They close the remediation loop**: When a disposition is upgraded to Malicious, Cloudflare auto-moves those emails out of every inbox (Graph API or Google Workspace API integrations).
* **They can help you log activity taken on any submission**: Each submission displays a submission ID, details about original, requested and final dispositions, and more. Refer to [Submit messages for review](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/#submit-messages-for-review) to learn more about submissions.

To make the most of submissions:

1. Review submissions on a weekly basis.
2. Ensure you have an integration associated with any MX/Inline deployment. When you associate an integration, you will not need to upload the EMLs every time; Cloudflare can use APIs to receive a copy of your email messages.
3. Investigate any increase in [user submissions](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#user-submissions) (users may have found a phish that bypassed filters) and confirm that analyst-final dispositions align with your policies.

Correct use of submissions ensures that Email security delivers stronger protection with less manual tuning.

## 5\. Configuration checklist

Follow the below checklist to ensure your email environment is set up correctly:

| Step                                                                                                                                                                                                                                                                                                                                                                                                        | Post-delivery                   | Pre-delivery                     |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | -------------------------------- |
| Authorize integration ([Graph API](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration) or [Google Workspace](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/))                                     | Required [1](#user-content-fn-1) | Required [2](#user-content-fn-2) |
| Associate an integration with an MX/Inline domain                                                                                                                                                                                                                                                                                                                                                           | Required                        |                                  |
| Add/verify domains                                                                                                                                                                                                                                                                                                                                                                                          | Required                        | Required                         |
| [Update MX records/connector](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/), then allow Cloudflare [egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) on downstream mail server                                                                           | Required                        |                                  |
| Populate [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) and [allow](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/)/[block](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/) lists | Required                        | Required                         |
| Configure [partner domain TLS](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/partner-domain-tls/) and admin quarantine                                                                                                                                                                                                                                      | Required                        |                                  |
| Configure [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/) and [link actions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/)                                                                                                                       | Required                        |                                  |
| Send a test email and verify it appears in **Monitoring** \> [**Email activity**](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/#email-activity) with expected disposition                                                                                                                                                                                                     | Required                        | Required                         |

Now that you know which deployment path to choose, you can begin your onboarding process.

## Footnotes

1. Associating an integration with BCC/Journaling is required for post-delivery but not for pre-delivery. [↩](#user-content-fnref-1)
2. Still used for directory/auto-move insight if desired, as well as for authorizing the free API CASB. [↩](#user-content-fnref-2)


---

---
title: Manage domains
description: Add, edit, and manage domains protected by Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Manage domains

Once you have deployed your domain, Email security allows you to add, filter and edit domains. You can also choose to stop a domain from being scanned.

## Add domains

To protect a new domain:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com) \> Email security.
2. Select **Settings**, go to **Domains** and select **View**.
3. Select **Add a domain**.

## Filter domains

To filter your domains:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. Select **Show filters** \> **Configured method**. Choose among the following filters:  
   * **MS Graph API**: To view domains connected via MS Graph API.  
   * **BCC/Journaling**: To view domains connected via BCC/Journaling.  
   * **MX/Inline**: To view domains connected via MX/Inline.  
   * **Retro Scan**: To view domains scanned by Retro Scan.
4. Select **Apply filters**.

## Edit domains

To edit your domains:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. On the **Domains** page, locate your domain, select the three dots > **Edit**.
4. If you did not manually add your domain, you will only be able to edit **Hops**. If you manually added your domain, you will be able to edit **Domain name** and **Hops**.
5. Select **Save**.

## Prevent Cloudflare from scanning a domain

To stop scanning domains:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. On the **Domains** page, locate your domain, select the three dots > **Stop scanning**.
4. Select **Stop scanning** again to stop Cloudflare from scanning your domain.


---

---
title: API deployment
description: How API deployment works in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# API deployment

When you choose an API deployment, email messages only reach Email security after they have already reached a user's inbox.

Then, through an integration with your email provider, Email security can [auto-move messages](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) based on your organization's policies.

![With API deployment, messages travel through Email security's email filter after reaching your users.](https://developers.cloudflare.com/_astro/M365_API_Deployment_Graph.Czbz8tQF_ZWYsK4.webp) 

## Benefits

When you choose API deployment, you get the following benefits:

* Easy protection for complex email architectures, without requiring any change to mailflow operations.
* Agentless deployment for Microsoft 365.

## Limitations

However, API deployment also has the following disadvantages:

* Email security is dependent on Microsoft's Graph API, and outages will increase the message dwell time in the inbox.
* Your email provider may throttle API requests from Email security.
* Email security requires read and write access to mailboxes.
* Email security requires API support from your email provider (on-premise providers typically do not offer this).
* Detection rates may be lower when other email security solutions are deployed alongside Email security.
* Messages cannot be modified or quarantined.


---

---
title: Set up with Microsoft 365
description: Set up with Microsoft 365 in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Set up with Microsoft 365

This guide will instruct you through setting up Microsoft 365 with Email security via the Cloudflare dashboard.

## Prerequisites

To use Email security, you will need to have:

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up)
* A [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization)
* A domain to protect

## Enable Email security via the dashboard

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and select **Email security**.
2. Select **Overview**. Select one of the following options depending on your use case:
* If you have not purchased Email security, select **Contact sales**.
* If you have not associated any integration:  
   * Select **Set up**.  
   * Choose **MS Graph API** \> **Authorize**.  
   * Refer to [Enable Microsoft integration](#enable-microsoft-integration) to continue the onboarding process.
* If you have associated an integration, but have not connected a domain:  
   * Select **Connect a domain**.  
   * Choose **MS Graph API**. Refer to [Connect your domains](#connect-your-domains) to connect your domain(s).

### Enable Microsoft integration

To enable Microsoft integration:

1. **Configure policy**: Choose how [CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) interacts with your data. Select **Read-only mode** or **Read-Write mode**. It is recommended that you choose **Read-Write mode**.
2. **Name integration**: Add your integration name, then select **Continue**.
3. **Authorize integration**:  
   * Select **Authorize**. Selecting **Authorize** will take you to the Microsoft Sign in page where you will have to enter your email address.  
   * Once you enter your email address, select **Next**.  
   * After selecting **Next**, the system will show a dialog box with a list of requested permissions. Select **Accept** to authorize Email security. Upon authorization, you will be redirected to a page where you can review details and enroll integration.
4. **Review details**: Review your integration details, then:  
   * Select **Complete Email security set up** where you will be able to connect your domains and configure auto-moves.  
   * Select **Continue to Email security**.

Continue with [Connect your domains](#connect-your-domains) for the next steps.

### Connect your domains

On the **Set up Email security** page, you will be able to connect your Microsoft domains. To connect your domains:

1. **Connect domains**: Select at least one domain. Then, select **Continue**.
2. (Optional) **Modify default scanning**: You can configure which folder Email security can scan.
3. (Optional - select **Skip for now** to skip this step) **Redirect messages**: Refer to [Auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to learn what auto-moves are, and how to configure auto-moves.
4. **Review details**: Review your connected domains, then select **Go to Domains**.

Your domains are now connected successfully.

### Connect new domains

To connect new domains:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Select **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. Select **Add a domain**.
4. Select a method for connecting your mail environment to Email security:  
   * If you select **MS Graph API**, refer to [Enable Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration).  
   * If you select **BCC/Journaling**, choose how to connect your domains:  
         * If you select **Integrate with MS**, refer to [Enable Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration).  
         * If you select **Integrate with Google**, refer to [Connect your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/).  
         * If you select **Manual add**, refer to [Enter domain manually](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/manual-add/#enter-domain-manually).

## Prevent Cloudflare from scanning a domain

If you want to prevent Cloudflare from scanning a domain:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. On the **Domain management** page, select the domain you do not want to be scanned.
4. Select the three dots > **Stop scanning**.

## View an integration

To view the integration for each connected domain:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. Select a domain.
4. Select the three dots > **View integration**.

Once you have set up Email security to scan through your inbox, Email security will display detailed information about your inbox. Refer to [Monitor your inbox](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/) to learn more.

## Verify successful deployment

To verify that the deployment has been successful and that your emails are being scanned:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. Under **Your domains**, locate your domain, and verify that **Status** (which describes the state of the configuration) displays **Active**.

## Next steps

[Enable logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to send detection data to an endpoint of your choice.


---

---
title: BCC/Journaling
description: How BCC/Journaling works in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# BCC/Journaling

BCC/Journaling deployment is a post-delivery type of deployment. Cloudflare analyzes emails after they reach the user's inbox. Every time you receive an email, your email provider sends a blind copy to Cloudflare for analysis.

* Choose [BCC](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/) if your email provider is Gmail.
* Choose [Journaling](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/) if your email provider is Microsoft 365.


---

---
title: Microsoft Exchange BCC setup
description: Integrate Microsoft Exchange BCC setup with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Microsoft Exchange BCC setup

For customers using Microsoft Exchange, setting up Email security via BCC is quick and easy. You need to configure an inbound rule to send emails to Email security via BCC for processing and detection of potential phishing attacks. The following email flow shows how this works:

![Email flow when setting up a phishing assessment risk for Microsoft Exchange with Email security.](https://developers.cloudflare.com/_astro/Microsoft_Exchange_365.fz8IIJ7m_u12q9.webp) 

Auto-moves for Microsoft Exchange customers

Microsoft Exchange customers can use auto-moves if their email service is on-premise and they are using Microsoft Exchange Online.

## Configure Inbound Rule

1. Access Exchange's **Management Console**, and go to **Organization Configuration** \> **Hub Transport**.  
![Access Hub transport](https://developers.cloudflare.com/_astro/step1.Cr53r8C4_1XeNup.webp)
2. On the **Actions** pane, select **New Transport Rule**.
3. Give the transport rule a name and a description and select **Next**.  
![Give transport rule a name and description](https://developers.cloudflare.com/_astro/step3.Bo-0qS8t_Zos67d.webp)
4. In the **Condition** configuration panel, select **from users that are inside or outside the organization**. In the dropdown that opens, select **Outside the organization**.  
![Select scope of transport rule](https://developers.cloudflare.com/_astro/step4.CxndsEWe_ZkYidj.webp)
5. Still in the same **Condition** configuration panel, add a second condition to the transport rule. Select **sent to users that are inside or outside the organization, or partners**. Keep the default value of **Inside the organization**.  
![Select where to send emails](https://developers.cloudflare.com/_astro/step5.CFjU-V5M_1so1Xm.webp)
6. Select **Next**.
7. In the **Action** configuration panel, select **Blind carbon copy (Bcc) the message to addresses**. Edit the **addresses** variable to add the addresses you want to copy as BCC.  
![Select BCC and edit email addresses](https://developers.cloudflare.com/_astro/step7.DJeDn5tj_Z1JlsIT.webp)
8. In **Specify Recipient**, select the **down arrow** next to the **Add** button > **External E-Mail Address**.  
![Select external e-mail address](https://developers.cloudflare.com/_astro/step8.D1wRFlWS_10xDa4.webp)
9. Enter the BCC address provided by Email security. This address is specific to your account.  
![Enter the BCC address provided by Email security](https://developers.cloudflare.com/_astro/step9.DnJuKcbu_Z1TY58F.webp)
10. Select **OK** \> **OK** to return to the main configuration page of the transport rule.
11. At the main configuration page of the transport rule, select **Next** to continue to the Exception configuration panel.
12. You do not need to configure an exception rule. Select **Next**.  
![You do not need to configure an exception rule](https://developers.cloudflare.com/_astro/step12.CubH_6Qs_ZbcOq.webp)
13. In **Create Rule**, select the **New** button.  
![Select the new button](https://developers.cloudflare.com/_astro/step13.Bk-qDQZk_Z1rBVF9.webp)
14. Select **Finish** to close the transport rule configuration panel. This will return you to the Exchange Management Console.  
![Select finish](https://developers.cloudflare.com/_astro/step14.FJuX6pFq_ZpkKjK.webp)

Note

If you have multiple rules, you may need to change the order of the BCC rule and move it to the right location in your rule sequence. This is needed so you can send BCC messages to Email security. Usually, the Email security BCC rule will be at the top of the ruleset. The configured conditions of the Email security BCC rule will only trigger for inbound messages.
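The same transport rule can be created from the Exchange Management Shell. This is an added example, not part of the Cloudflare documentation; the BCC address is a placeholder for the account-specific address shown in the Email security dashboard, and the rule name is arbitrary.

```powershell
# Added example: Exchange Management Shell equivalent of the transport rule
# configured in the console steps above. Not part of the Cloudflare documentation.
# Placeholder: replace with the account-specific BCC address shown in the
# Email security dashboard.
$BccAddress = "<account-specific-bcc-address>"
$RuleName   = "Email security - BCC"

# Condition 1: the sender is outside the organization.
# Condition 2: the recipient is inside the organization.
# Action: blind-copy the message to the Email security BCC address.
# Priority 0 places the rule at the top of the ruleset, as the note above recommends.
New-TransportRule -Name $RuleName `
    -Comments "Copies inbound external mail to Cloudflare Email security for post-delivery analysis" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -BlindCopyTo $BccAddress `
    -Priority 0 `
    -Enabled $true

# Verify the rule's position in the sequence and its conditions; the BCC rule
# should have priority 0 and only match inbound (external -> internal) mail.
Get-TransportRule |
    Sort-Object Priority |
    Format-Table Name, Priority, State, FromScope, SentToScope, BlindCopyTo -AutoSize
```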

## Email processing and reports

In BCC mode, all emails are put through automated phishing detections by Email security. Emails that trigger phishing detections are logged for reporting via the product portal, email and Slack. Emails that do not trigger any detections are deleted.

## Next steps

[Enable logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to send detection data to an endpoint of your choice.


---

---
title: Add BCC rules
description: Add BCC rules in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Add BCC rules

This page will show you how to add BCC rules in the Google Admin Console.

BCC stands for Blind Carbon Copy. A BCC rule is a Google Workspace feature that allows you to create a secure copy of all selected outbound and inbound emails. When you allow Email security to receive a copy of your emails, Cloudflare can perform post-delivery analysis to protect your email inbox.

To add BCC rules:

1. Log in to the [Google Admin Console ↗](https://admin.google.com/).
2. On the sidebar, go to **Apps** \> **Google Workspace** \> **Gmail** \> **Compliance**.
3. Go to **Content Compliance** \> Select **Edit**.
4. Add a **Content Compliance** filter, and name it `Email security - BCC`.
5. In **Email messages to affect**, select **Inbound**.
6. Select the recipients you want to send emails to Email security via BCC. Under **Add expressions that describe the content you want to search for in each message**:  
   * Select **If ANY of the following match the message**.  
   * Select **Add** to configure the expression.  
         * Select **Advanced content match**.  
         * In **Location**, select **Headers + Body**.  
         * In **Match type**, select **Matches regex**.  
         * In **Regexp**, input `.*`. You can customize the regex as needed and test within the admin page or on sites like [Regexr ↗](https://regexr.com/).  
         * Select **SAVE**.
7. In **If the above expressions match, do the following**:  
   * Select **Modify message**.  
         * Ensure that **Envelope recipient** \> **Change envelope recipient** is unselected, so that emails will not be dropped as an unintended consequence. You will select this option at a later stage.  
         * Go to **Also deliver to**, select **Add more recipients** \> **ADD** \> Choose **Advanced**:  
                  * Under **Envelope recipient**, select **Change envelope recipient** \> **Replace recipient** \> Enter the service address. This is the service address you copied and pasted in step 5 when [connecting your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/). If you did not copy and paste the service address:  
                           * In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**.  
                           * Go to **Settings** and locate your domain under **Your domains**.  
                           * Select the three dots > **View domain** \> **Service address**. Copy and paste the service address.  
                  * Under **Spam and delivery options**, ensure **Suppress bounces from this recipient** is not enabled.  
                  * Under **Headers**, select **Add X-Gm-Spam and X-Gm-Phishy headers**.  
                  * Select **SAVE**.
8. In **Account types to affect**, select **Users** and **Groups**.
9. Select **SAVE**.

To verify that BCC rules have been configured successfully:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Settings**.
2. Select **Domains** \> **View**.
3. Locate your domain. Under Status, the dashboard should display **Active**. This means that the BCC rules have been configured successfully, and your mail flow is being detected.


---

---
title: Connect your domains
description: Connect your domains in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connect your domains

To connect your domains, you will need to [enable your Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#enable-gmail-bcc-integration). Once you have enabled your Gmail BCC integration, the Cloudflare dashboard will redirect you to the **Set up Email security** page.

On the **Set up Email security** page:

1. **Connect domains**: Select at least one domain. Then, select **Continue**.
2. (**Optional**) **Add manual domains**: Select **Add domain name** to manually enter additional domains. Then, select **Continue**.
3. (**Optional**) **Adjust hop count**: Enter the number of hops. Then, select **Continue**. Configuring the hop count will determine where you want Cloudflare to sit in the email processing chain.
4. (**Optional**, select **Skip for now** to skip this step) **Move messages**: Refer to [Auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to configure auto-moves. Then, select **Continue**.
5. **Select your processing location**: Configure where you want Cloudflare to process your email. **Global** will be the default option. If you choose **Global**, `<account tag>@CF-emailsecurity.com` will be your regional service address. Once you have chosen your processing location, select **Continue**. Refer to [Regional processing](https://developers.cloudflare.com/cloudflare-one/email-security/reference/regional-processing/) to learn more.
6. **Review details**: Review your connected domains and service addresses. Then, select **Go to domains.**

Your domains are now added successfully.

On the **Domains** page, select the three dots > **View integration**. The dashboard will display your [domain information](https://developers.cloudflare.com/cloudflare-one/email-security/settings/domain-management/domain/).

Under **Source**, the dashboard will display **Google integration**, along with the **Integration name**.

## Add additional domains

To add additional domains:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** \> **Settings**.
2. Select **Connect an integration** \> **BCC/Journaling** \> **Integrate with Google** \> **Authorize**.
3. **Connect domains**: Select the domains you want to add, then select **Next**.
4. (Optional) Select **Add manual domains**: Enter additional domains manually, then select **Next**.
5. (Optional) Select **Adjust hop count**: Enter the number of hops.
6. **Review details**: Review your selected domains, then use the following email to configure the service address with your third-party email provider:  
   ```
   <account tag>@CF-emailsecurity.com
   ```
7. Select **Save**.

## Verify successful deployment

To verify that the deployment has been successful and that your emails are being scanned:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. Under **Your domains**, locate your domain, and verify that **Status** (which describes the state of the configuration) displays **Active**.


---

---
title: Enable auto-moves
description: Enable auto-moves in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Enable auto-moves

If you do not have an integration:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains** \> select **View**.
3. Locate your domain, select the three dots > Select **Associate an integration**.
4. Select **Connect an integration**. You will then be redirected to the **Add an integration** page.
5. Select **Google Workspace CASB+EMAIL** \> **Select Integration**.
6. Once you select an integration, you can [enable Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#enable-gmail-bcc-integration).


---

---
title: Enable Gmail BCC integration
description: Enable Gmail BCC integration in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Enable Gmail BCC integration

This guide describes the process for enabling Email security with Google Workspace. It requires setting up a [service account ↗](https://docs.cloud.google.com/iam/docs/service-account-overview) and a JSON key in Google Cloud Platform (GCP), followed by configuring domain-wide delegation in the Google Workspace Admin Console to authorize the integration.

## Prerequisites

To use Email security, you will need to have:

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up)
* A [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization)
* A domain to protect

## Enable Gmail BCC integration

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Overview**. Select one of the following options:  
   * If you have not purchased Email security, select **Contact sales**.  
   * If you have not associated any integration:  
      * Select **Set up**, then choose **BCC/Journaling**.  
      * Select **Integrate with Google** \> **Authorize**.  
      * Name your integration, then select **Next**.  
      * Go to [step 1](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#1-create-a-service-account-in-your-gcp-project) to continue the process of associating an integration.  
   * If you have associated an integration, but have not connected a domain:  
      * Select **Connect a domain**.  
      * Choose **BCC/Journaling** \> **Integrate with Google**.  
      * Refer to [Connect your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/) to connect your domain(s).

### 1\. Create a Service Account in your GCP Project

1. Once you have named your integration, select **Next**.
2. On the [Google Cloud Console ↗](https://console.cloud.google.com/welcome/new), go to the sidebar, select **APIs & Services**, then select **Credentials**.
3. Select **CREATE CREDENTIALS** \> **Service account**. Refer to [Service accounts overview ↗](https://docs.cloud.google.com/iam/docs/service-account-overview) to learn more about service accounts.
4. Fill in the details to create a service account:  
   * **Service account name**: Enter `Cloudflare Google Integration`.  
   * **Service account ID**: Enter `cloudflare-google-integration`.  
   * **Service account description**: Enter `Cloudflare Google Integration`.  
   * Select **CREATE AND CONTINUE**.

### 2\. Create a JSON Key for your Service Account

On the [Google Cloud Console ↗](https://console.cloud.google.com/welcome/new):

1. On the sidebar, select **IAM & Admin** \> **Service Accounts**.
2. Locate your email, select the three dots, then select **Manage keys**.
3. Select **Add key** \> **Create new key**.
4. Select **JSON** \> Select **CREATE**. This downloads a `.json` file which you will use when [uploading a JSON key](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#3-upload-json-key).

### 3\. Upload JSON Key

On the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com/), upload the `.json` file downloaded in the previous section.

### 4\. Enable Necessary Google Workspace APIs in GCP

Enable the following APIs on the Google Cloud Console:

* [Google Calendar API ↗](https://console.cloud.google.com/apis/library/calendar-json.googleapis.com?project=winter-surf-439414-h1)
* [Google Drive API ↗](https://console.cloud.google.com/apis/library/drive.googleapis.com?project=winter-surf-439414-h1)
* [Google Admin SDK API ↗](https://console.cloud.google.com/apis/library/admin.googleapis.com?project=winter-surf-439414-h1)
* [Gmail API ↗](https://console.cloud.google.com/apis/library/gmail.googleapis.com?project=winter-surf-439414-h1)
* [Google Service Usage API ↗](https://console.cloud.google.com/apis/library/serviceusage.googleapis.com?project=winter-surf-439414-h1)

### 5\. Log in to Google Workspace Admin Console

Enter your password and log in to the Google Workspace Admin Console.

### 6\. Create a Domain-Wide Delegation API Client

1. Copy the **Client ID** and **Scopes** displayed on the Cloudflare One dashboard.
2. On Google Admin, go to **Security** \> **Access and data control** \> **API controls**.
3. Select **MANAGE DOMAIN WIDE DELEGATION** \> **Add new**.
4. Use the Client ID and copy the scopes to create a new API client. Refer to [Delegate domain-wide authority to your service account ↗](https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/google-alert-center?%5Fgl=1%2Askktsb%2A%5Fga%2AMTMxODg5NDExMy4xNzI5NjA1MzYy%2A%5Fga%5FWH2QY8WWF5%2AMTcyOTc3MDg2Ny40LjEuMTcyOTc3MDg5OC4yOS4wLjA.#delegate%5Fdomain-wide%5Fauthority%5Fto%5Fyour%5Fservice%5Faccount). Then, select **Next**.

### 7\. Confirm Workspace Administrator Email

Enter the email associated with the Google Workspace Administrator account. Your email must match the email associated with your Google Workspace account, or else your integration will not work.

### 8\. Create integration

1. Select **Create integration**.
2. Once you have created your integration, you will be redirected to the **Review details** page, where you will be able to review **Integration details**.
3. Review your details, then select **Complete Email security set up** \> **Continue to Email security**.

## Verify integration

To verify that the integration has been successful:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations**.
2. Under **Your integrations**, locate your integration, and ensure that the integration displays **CASB+EMAIL** under **Type**.

Note

If you do not reach the step to complete the Email security set up:

1. Go to **Integrations** \> **Cloud & SaaS Integrations** \> **Integrations**.
2. Delete the integration, if present. Locate your integration, select **Configure**, then select **Delete**.
3. Follow the steps from the beginning to [enable Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#enable-gmail-bcc-integration).

## Next steps

Now that you have created an integration:

* [Connect your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/) for Email security to start scanning your inbox.
* [Enable logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to send detection data to an endpoint of your choice.


---

---
title: Overview
description: Overview in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Overview

For customers using Gmail as their email provider, setting up Email security is quick and easy.

You will need to [create an integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/), [add BCC rules](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/add-bcc-rules/), and [connect your domain(s)](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/). You can choose to [add additional domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/connect-domains/#add-additional-domains) at a later stage.

Once you set up Google integration, Email security will receive a copy of your email messages. You will need a Google integration to enable [auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/).

The following email flow shows how this works:

![Gmail BCC deployment flow](https://developers.cloudflare.com/_astro/Gmail_Deployment_BCC.YSoTUoiz_Z1MxITR.webp) 


---

---
title: Microsoft 365 journaling setup
description: Microsoft 365 journaling setup in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Microsoft 365 journaling setup

Microsoft 365 journaling is a post-delivery setup method that ensures a copy of every incoming and outgoing email is forwarded to Cloudflare for analysis. When you create a [journal rule ↗](https://learn.microsoft.com/en-us/exchange/security-and-compliance/journaling/journaling#journal-rules) in the Microsoft Purview compliance portal, Cloudflare can scan messages that have already landed in your inbox.

The following diagram shows how this works:

![Email flow when setting up Microsoft 365 with Email security.](https://developers.cloudflare.com/_astro/M365Deployment_Journaling.C-FeMlSK_aP6GS.webp) 

To enable Microsoft 365 journaling deployment:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**.
2. Select **Overview**. If you have not purchased Email security, select **Contact Sales**. Otherwise, select **Set up** \> **BCC/Journaling**.
3. Select **Integrate with MS** \> **Authorize**.
4. Continue with [Integrate with Microsoft 365](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/#1-integrate-with-microsoft-365) to connect your Microsoft integration.

## 1\. Integrate with Microsoft 365

To integrate with Microsoft 365:

1. **Name integration**: Add your integration name, then select **Continue**.
2. **Authorize integration**:  
   * Select **Authorize**. Selecting **Authorize** will take you to the **Microsoft Sign in** page where you will have to enter your email address.  
   * Once you enter your email address, select **Next**.  
   * After selecting **Next**, the dashboard will show you a dialog box with a list of requested permissions. Select **Accept** to authorize Email security. Upon authorization, you will be redirected to a page where you can review details and enroll the integration.
3. **Review details**: Review your integration details, then:  
   * Select **Complete Email security set up** where you will be able to connect your domains and configure auto-moves.  
   * Select **Continue to Email security**.

Continue with [Connect your domains](#connect-your-domains) for the next steps.

### Connect your domains

On the **Set up Email security** page:

1. **Connect domains**: Select at least one domain. Then, select **Continue**.
2. (**Optional**) **Add manual domains**: Select **Add domain name** to manually enter additional domains. Then, select **Continue**.
3. (**Optional**) **Adjust hop count**: Enter the number of hops. Then, select **Continue**.
4. (**Optional**, select **Skip for now** to skip this step) **Move messages**: Refer to [Auto-moves](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to configure auto-moves. Then, select **Continue**.
5. **Select your processing location**: Configure where you want Cloudflare to [process your email](https://developers.cloudflare.com/cloudflare-one/email-security/reference/regional-processing/). **Global** will be the default option. If you choose **Global**, `<account tag>@CF-emailsecurity.com` will be your regional service address. Once you have chosen your processing location, select **Continue**.
6. **Review details**: Review your connected domains and service addresses. Then, select **Go to domains.**

Your domains are now added successfully.

To view your connected domains:

1. Go to **Settings**.
2. Locate your domain, select the three dots > **View domain**. Selecting **View domain** will display information about your domain.

## 2\. Configure journal rule

1. Log in to the [Microsoft Purview compliance portal ↗](https://compliance.microsoft.com/homepage).
2. On the sidebar, go to **Settings** (the gear icon) > **Data Lifecycle Management** \> **Exchange (legacy)**.
3. In **Send undeliverable journal reports to**, enter the email address of a valid user account. Note that you cannot use a team or group address. Select **Save** once you have entered the email address.
4. On the sidebar, go to **Solutions** \> **Data Lifecycle Management** \> **Exchange (legacy)**.
5. Select **Journal rules**.
6. Select **New rule** to configure a journaling rule, and configure it as follows:  
   * **Send journal reports to**: This is the address you copied and pasted in step 5 of [Connect your domains](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/#connect-your-domains).  
   * **Journal rule name**: `Journal Messages to Email security`  
   * **Journal messages sent or received from**: _Everyone_  
   * **Type of message to journal**: _External messages only_
7. Select **Next**.
8. Verify the information is correct, and select **Submit** \> **Done**.

Once saved, the rule is automatically active. However, it may take a few minutes for the configuration to propagate and start pushing messages to Email security. After it propagates, you can [monitor your inbox](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/) in the Cloudflare dashboard to check the number of messages processed. This number will grow as journaled messages are sent to Email security from your Exchange server.

## Verify successful deployment

To verify that the deployment has been successful and that your emails are being scanned:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. Under **Your domains**, locate your domain, and verify that **Status** (which describes the state of the configuration) displays **Active**.

## Verify successful addition

To verify that your domain has been added successfully and that your emails are being scanned:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. Under **Your domains**, locate your domain, and verify that **Status** is set to **Active**. The **Configured method** should be **BCC/Journaling**.

## Next steps

[Enable logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to send detection data to an endpoint of your choice.

---

---
title: Manually add domains
description: Manually add domains for BCC or journaling email scanning.
image: https://developers.cloudflare.com/zt-preview.png
---

# Manually add domains

This page will teach you how to manually add domains via BCC/Journaling on the Cloudflare dashboard.

This setup is ideal if your email provider is not Microsoft 365 or Google Workspace, or if you do not want to directly integrate your account. Note that manual add does not support [auto-move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) or [directory synchronization](https://developers.cloudflare.com/cloudflare-one/email-security/directories/).

## Prerequisites

To use Email security, you will need to have:

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up)
* A [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization)
* A domain to protect

## Manually add domains

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**.
2. Select **Overview**. If you have not purchased Email security, select **Contact Sales**. Otherwise, select **Set up** \> **BCC/Journaling**.
3. Select **Manual add**.

## Users with domains on Cloudflare

On the **Set up Email security** page:

1. **Connect domains**: Select at least one domain. Then, select **Continue**.
2. (**Optional**) **Add manual domains**: Manually enter additional domains. Then, select **Continue**.
3. (**Optional**) **Adjust hop count**: Enter the number of hops, and then select **Continue**.
4. **Select your processing location**: Configure where you want Cloudflare to process your email. **Global** will be the default option. If you choose **Global**, `<account tag>@CF-emailsecurity.com` will be your regional service address. Once you have chosen your processing location, select **Continue**.
5. **Review details**: Review your connected domains and regional service address. Then, select **Go to domains.**

## Users who do not have domains with Cloudflare

If you do not have domains with Cloudflare, the Cloudflare dashboard will display two options:

* Add a domain to Cloudflare.
* Enter domain manually.

### Add a domain to Cloudflare

Selecting **Add a domain to Cloudflare** will redirect you to a new page where you will connect your domain to Cloudflare. Once you have entered an existing domain, select **Continue**.

### Enter domain manually

On the **Set up Email security** page:

1. **Connect domains**: Select at least one domain. Then, select **Continue**.
2. (**Optional**) **Add manual domains**: Manually enter additional domains. Then, select **Continue**.
3. (**Optional**) **Adjust hop count**: Enter the number of hops, and then select **Continue**.
4. **Configure service address with your third party email provider**: Copy and paste the service address into your third-party email provider to allow BCC/Journaling: `<account tag>@CF-emailsecurity.com`.
5. **Review details**: Review your connected domains. Then, select **Go to domains.**

## Enable auto-moves

To enable auto-move events, you will have to associate an integration.

To associate an integration:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains** \> Select **View**.
3. On the **Domain management** page, locate your domain, select the three dots, then select **Associate an integration**.
4. Select **Connect an integration**. Follow the steps to [enable the Microsoft 365 integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration).
5. Select the three dots, then select **Associate an integration**. Select the integration, then select **Associate**.

Now that your domain has an associated integration, enable [auto-move events](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) on your domain.

---

---
title: Egress IPs
description: Reference information for Egress IPs in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Egress IPs

When Email Security processes inbound messages through an [MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/), it re-delivers the messages to your mailbox from its own IP addresses, known as egress IPs (the source addresses Cloudflare sends outbound mail from). Your existing email provider (such as Microsoft 365 or Google Workspace) needs to be configured to accept connections from these addresses, otherwise it will reject the messages as coming from an unauthorized sender.

Add all of the following addresses to your mail provider's IP allowlist.

Additional information for Microsoft 365

Microsoft 365 does not support IPv6 addresses or the following IPv4 ranges:

* `104.30.32.0/19`
* `134.195.26.0/23`

If you use Microsoft 365, use the individual `/24` blocks (256 addresses each) listed in [Microsoft 365 /24 addresses](#microsoft-365-24-addresses) instead.

### IPv4

```
52.11.209.211
52.89.255.11
52.0.67.109
54.173.50.115
104.30.32.0/19
158.51.64.0/26
158.51.65.0/26
134.195.26.0/23
35.157.195.63
52.58.35.43
```

### IPv6

```
2405:8100:c400::/38
```

## Microsoft 365 `/24` addresses

Use these IPv4 addresses for Microsoft 365, instead of the `/19` and `/23` subnets:

```
104.30.32.0/24
104.30.33.0/24
104.30.34.0/24
104.30.35.0/24
104.30.36.0/24
104.30.37.0/24
104.30.38.0/24
104.30.39.0/24
104.30.40.0/24
104.30.41.0/24
104.30.42.0/24
104.30.43.0/24
104.30.44.0/24
104.30.45.0/24
104.30.46.0/24
104.30.47.0/24
104.30.48.0/24
104.30.49.0/24
104.30.50.0/24
104.30.51.0/24
104.30.52.0/24
104.30.53.0/24
104.30.54.0/24
104.30.55.0/24
104.30.56.0/24
104.30.57.0/24
104.30.58.0/24
104.30.59.0/24
104.30.60.0/24
104.30.61.0/24
104.30.62.0/24
104.30.63.0/24
134.195.26.0/24
134.195.27.0/24
```
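The following is an added example, not Cloudflare's code, showing two things a practitioner usually wants from this page: how the `/19` and `/23` ranges above expand into the `/24` blocks Microsoft 365 requires, and how to check a mail server's connection log against the egress allowlist so that messages which reached the mailbox without passing through Email Security stand out. The address lists are copied from this page; the sample connections and `example.com` are constructed values.

```python
"""Expand Email Security egress ranges to /24 and audit connection sources.

Added example (not Cloudflare's code). Address lists are taken from the
Egress IPs page; the sample connections below are constructed.
"""
import ipaddress

# Egress addresses as listed on the page (IPv4 and IPv6).
EGRESS_IPV4 = [
    "52.11.209.211", "52.89.255.11", "52.0.67.109", "54.173.50.115",
    "104.30.32.0/19", "158.51.64.0/26", "158.51.65.0/26",
    "134.195.26.0/23", "35.157.195.63", "52.58.35.43",
]
EGRESS_IPV6 = ["2405:8100:c400::/38"]

# Ranges Microsoft 365 does not accept as-is; they must be split into /24s.
M365_UNSUPPORTED = {"104.30.32.0/19", "134.195.26.0/23"}


def m365_allowlist(entries=EGRESS_IPV4):
    """Return the IPv4 allowlist in a form Microsoft 365 accepts.

    Entries in M365_UNSUPPORTED are replaced by their /24 sub-blocks (a /19
    yields 32 of them, a /23 yields 2); everything else passes through.
    IPv6 is left out because Microsoft 365 does not accept IPv6 entries.
    """
    out = []
    for entry in entries:
        if entry in M365_UNSUPPORTED:
            net = ipaddress.ip_network(entry)
            out.extend(str(sub) for sub in net.subnets(new_prefix=24))
        else:
            out.append(entry)
    return out


def build_allowlist(entries):
    """Parse single addresses and CIDR ranges into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


ALLOWED = build_allowlist(EGRESS_IPV4 + EGRESS_IPV6)


def is_egress_ip(address, allowed=ALLOWED):
    """True if `address` (v4 or v6) lies inside any allowlisted network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowed if net.version == ip.version)


def unexpected_senders(connections, allowed=ALLOWED):
    """Return the (ip, domain) pairs whose source is not an egress IP.

    In an MX/Inline deployment every inbound message should arrive from an
    egress address; anything else skipped the scanner and deserves a look.
    """
    return [(ip, dom) for ip, dom in connections if not is_egress_ip(ip, allowed)]


if __name__ == "__main__":
    # Constructed sample: three connections via Cloudflare, one direct.
    sample = [
        ("104.30.40.5", "example.com"),
        ("2405:8100:c4ff::1", "example.com"),
        ("52.58.35.43", "example.com"),
        ("203.0.113.7", "example.com"),  # direct delivery, bypassed the scanner
    ]
    for entry in m365_allowlist():
        print(entry)
    print("bypassed scanner:", unexpected_senders(sample))
```

`unexpected_senders` is the useful check after cutover: feed it the connecting IPs your mail provider logged and an empty result means every message came through Email Security. Note that `158.51.64.70` is outside `158.51.64.0/26` (which ends at `.63`), so a single-address typo in the allowlist shows up immediately.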

---

---
title: MX/Inline deployment
description: How MX/Inline deployment works in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# MX/Inline deployment

With pre-delivery deployment, also known as Inline deployment, Email security evaluates email messages before they reach a user's inbox.

![Inline deployment diagram](https://developers.cloudflare.com/_astro/Email_security_Deployment_Inline.Dsh4g8YD_fMdlm.webp) 

Before you change your MX records, set the [Time to Live (TTL)](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/) on your DNS records. If you do not lower the TTL, DNS propagation will take longer.

Cloudflare recommends decreasing the TTL to five minutes (also known as [Auto](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/#proxied-records)) 3 to 5 days prior to the planned MX record change. Reducing the TTL allows the DNS record to propagate ahead of time, so changes take effect rapidly. Once you have completed your onboarding process, you can choose to increase the TTL.

When you have configured your TTL, you can deploy Email security via MX/Inline. An MX record is a [DNS record](https://developers.cloudflare.com/dns/manage-dns-records/).

If your DNS records are hosted by Cloudflare (or any other provider, except for Google), you can [edit your DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/#edit-dns-records) via the dashboard or the API to point your MX records to Cloudflare.

By changing your MX records, Email security will be positioned between your incoming emails and Microsoft 365 or Gmail.

Email security becomes a hop in the [SMTP ↗](https://www.cloudflare.com/en-gb/learning/email-security/what-is-smtp/) processing chain and physically interacts with incoming email messages. Based on your policies, various messages are blocked before reaching the inbox.

When you choose an inline deployment, you get the following benefits:

* Messages are processed and physically blocked before arriving in a user's mailbox.
* Your deployment is simpler, because any complex processing can happen downstream and without modification.
* Email security can modify delivered messages, adding subject or body mark-ups.
* Email security can offer high availability and adaptive message pooling.
* You can set up advanced handling downstream for non-quarantined messages with added X-headers.

---

---
title: Set up MX/Inline deployment
description: How Set up MX/Inline deployment works in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Set up MX/Inline deployment

## Prerequisites

To use Email security, you will need to have:

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up)
* A [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization)
* A domain to protect

## Initiate MX/Inline configuration

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security**.
3. Select **Overview**. Select one of the following options:  
   * If you have not purchased Email security, select **Contact sales**.  
   * If you have not associated any integration, [associate an integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#associate-an-integration), then select **Set up**.  
   * If you have associated an integration, but have not connected a domain, select [**Connect a domain**](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#connect-a-domain).
4. Select **MX/Inline**.
5. To start the MX/Inline configuration, you will need to have completed the prerequisite setup on your email provider's platform. Once you have completed this step, select **I confirm that I have completed all the necessary requirements**. Then, select **Start configuration**.

Note

You can only onboard one domain at a time.

## Associate an integration

MX/Inline does not require an integration for protection to be effective. However, it is a best practice to connect an integration.

To associate an integration:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Cloud & SaaS Integrations** \> **Integrations**.
2. Select **Connect an integration**.
3. Select an application: Choose between **Google Workspace CASB + EMAIL**, or **Microsoft CASB + EMAIL**.  
   * Refer to [Enable Gmail BCC integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/#1-create-a-service-account-in-your-gcp-project) if you select **Google Workspace CASB + EMAIL**.  
   * Refer to [Enable Microsoft integration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration) if you select **Microsoft CASB + EMAIL**.
4. After you have associated an integration, go to **Email security** \> **Set up**.
5. Follow the instructions to [connect a domain](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#connect-a-domain).

## Connect a domain

If you have verified zones on Cloudflare, continue with the following steps:

1. **Connect a domain**: Select your domain. Then, select **Continue**.
2. **Select position**: This step allows you to choose where Email security fits into your mail flow and configure position settings:  
   * **Select position**: Choose between:  
         * **Sit first (hop count = 1)**: Email security is the first server that receives the email. There are no other email scanners or services between the Internet and Cloudflare.  
         * **Sit in the middle (hop count > 1)**: Email security sits anywhere other than the first position. Other servers receive emails _before_ Email security. There are other email scanners or email services in between.  
   * **Position settings**: Refine how Email security receives and forwards emails:  
         * **Forwarding address**: This is your mail flow next hop after Email security. This value is auto-filled, but you can still change it.  
         * **Outbound TLS**: Choose between:  
                  1. **Forward all messages over TLS** (recommended).  
                  2. **Forward all messages using opportunistic TLS**.  
   * Select **Continue**.
3. (**Optional**, select **Skip for now** to skip this step) **Configure quarantine policy**: Select dispositions to automatically prevent certain types of incoming messages from reaching a recipient's inbox.
4. (Optional) **Update MX records**:  
   * Email security can automatically update MX records for domains that proxy traffic through Cloudflare. Under **Your mail processing location**, select your mail processing location. You can refer to [Regional processing](https://developers.cloudflare.com/cloudflare-one/email-security/reference/regional-processing/) for more information.  
   * You can also choose to allow Cloudflare to update MX records by selecting **I confirm that I allow Cloudflare to update to the new MX records**. When Email security updates MX records, we replace your original MX records with Email security MX records.  
   * Select **Continue**.
5. **Review details**: Review your domain, then select **Go to domains**.

## Users who do not have domains with Cloudflare

If you do not have domains with Cloudflare, the dashboard will display two options:

* [Enter domain manually](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#enter-domain-manually).
* [Add a domain to Cloudflare](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#add-a-domain-to-cloudflare).

## Enter domain manually

1. **Add domains**: Manually enter domain names.
2. **Review all domains**: Review all your domains, then select **Continue**.
3. **Verify your domains**: It may take up to 24 hours for your domains to be verified. Select **Done**.
4. Once your domains have been verified, the dashboard will display a message like this: **You have verified domains ready to connect to Email security**. This means that you can now set up Email security via MX/Inline.
5. Select **Set up**, then select **MX/Inline**.
6. Follow the steps to [initiate MX/Inline configuration](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/#initiate-mxinline-configuration).

### Add a domain to Cloudflare

Selecting **Add a domain to Cloudflare** will redirect you to a new page where you will connect your domain to Cloudflare. Once you have entered an existing domain, select **Continue**.

Then, follow the steps to [Set up MX/Inline](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/).

## Verify successful deployment

To verify that the deployment has been successful and that your emails are being scanned:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), select **Email security**.
2. Go to **Settings** \> **Domain management** \> **Domains**, then select **View**.
3. Under **Your domains**, locate your domain, and verify that **Status** (which describes the state of the configuration) displays **Active**.

---

---
title: Partner domain TLS
description: Partner domain TLS in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Partner domain TLS

To add additional TLS (Transport Layer Security) requirements for emails coming from certain domains, you can enforce higher levels of SSL/TLS inspection. If TLS is required, mail without TLS from the specified domain will be dropped.

Note

To enforce TLS across all emails, you will need to enforce TLS requirements when you are onboarding your domain. To only enforce TLS for specific emails, you can do so by going to **Settings** \> **Partner domain TLS** \> **Add a domain**.

To set up a partner domain:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and select **Email security**.
2. Select **Settings** \> **Partner domain TLS** \> **View**.
3. Select **Add a domain**.
4. Enter a valid domain name. You can also exclude subdomains by selecting **Add exclude**.
5. (Optional) Add a note to describe your rule(s).
6. Select **Save**.

To edit a partner domain, select the three dots > **Edit**.

To delete a partner domain, select the three dots > **Delete**.

---

---
title: Cisco - Email security as MX Record
description: Integrate Cisco - Email security as MX Record with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Cisco - Email security as MX Record

![A schematic showing where Email security sits in the life cycle of an email received](https://developers.cloudflare.com/_astro/Cisco_to_Email_Security_MX_Inline.CY054jTO_Z1C8rNN.webp) 

In this tutorial, you will learn how to configure Cisco IronPort with Email security as MX record.

## Prerequisites

To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying.

Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting.

Note

Make TTL changes a few days before the production update, and wait at least as long as the old TTL values before making the update, since some senders might still be using the old cached values.

To check your existing TTL, open a terminal window and run the following command against your domain:

```
dig mx <YOUR_DOMAIN>
```

```
; <<>> DiG 9.10.6 <<>> mx <YOUR_DOMAIN>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<YOUR_DOMAIN>.    IN  MX

;; ANSWER SECTION:
<YOUR_DOMAIN>.    300    IN    MX    10 mxa.global.inbound.cf-emailsecurity.net.
<YOUR_DOMAIN>.    300    IN    MX    10 mxb.global.inbound.cf-emailsecurity.net.
```

In the above example, TTL is shown in seconds as `300` (or five minutes).

If you are using Cloudflare for DNS, you can leave the [TTL setting as **Auto**](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/).
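As an added example (not Cloudflare's tooling), the script below parses `dig mx` output like the listing above and answers the two questions this prerequisite raises: has the TTL on every MX record been lowered to 300 seconds, and does every MX host point at Email Security, so that no record still routes mail around the scanner? The dig output embedded in it is a constructed sample for `example.com` with one Cloudflare MX and one leftover legacy host; the `cf-emailsecurity.net` suffix comes from the page.

```python
"""Check MX TTLs and targets from `dig mx` output before an MX cutover.

Added example (not Cloudflare's code). SAMPLE_DIG is constructed; the
300-second target and the Email Security MX suffix come from the page.
"""
import re

# Constructed sample of `dig mx example.com` output: one record already
# moved to Email Security, one stale record still pointing at the old provider.
SAMPLE_DIG = """\
; <<>> DiG 9.10.6 <<>> mx example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.    IN  MX

;; ANSWER SECTION:
example.com.    300    IN    MX    10 mxa.global.inbound.cf-emailsecurity.net.
example.com.    3600   IN    MX    20 mail.legacy-provider.example.
"""

TARGET_TTL = 300                          # five minutes, as the page recommends
CF_MX_SUFFIX = ".cf-emailsecurity.net."   # Email Security inbound MX hosts

# name  ttl  IN  MX  preference  host
MX_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$"
)


def parse_mx(dig_output):
    """Return (ttl, preference, host) tuples from dig's answer section."""
    records = []
    for line in dig_output.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # comment/header lines and blank separators
        m = MX_LINE.match(line)
        if m:
            records.append((int(m["ttl"]), int(m["pref"]), m["host"].lower()))
    return records


def ttl_ready(records, target=TARGET_TTL):
    """True if every MX record's TTL is at or below the target."""
    return bool(records) and all(ttl <= target for ttl, _, _ in records)


def cutover_complete(records, suffix=CF_MX_SUFFIX):
    """True if all MX hosts point at Email Security (no path bypasses scanning)."""
    return bool(records) and all(host.endswith(suffix) for _, _, host in records)


def non_cloudflare_mx(records, suffix=CF_MX_SUFFIX):
    """Hosts still pointing elsewhere; mail delivered via these skips inline scanning."""
    return [host for _, _, host in records if not host.endswith(suffix)]


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_DIG)
    print("records:", recs)
    print("TTL lowered everywhere:", ttl_ready(recs))
    print("cutover complete:", cutover_complete(recs))
    print("still serving mail directly:", non_cloudflare_mx(recs))
```

Run it against real output with `parse_mx(subprocess.check_output(["dig", "mx", domain], text=True))`. A lower preference value wins, so a stale record with a higher number than the Cloudflare hosts still receives mail whenever the Cloudflare hosts are unreachable; `non_cloudflare_mx` lists exactly those records.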

Below is a list with instructions on how to edit MX records for some popular services:

* **Cloudflare**: [Set up email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/)
* **GoDaddy**: [Edit an MX Record ↗](https://www.godaddy.com/help/edit-an-mx-record-19235)
* **AWS**: [Creating records by using the Amazon Route 53 console ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html)
* **Azure**: [Create DNS records in a custom domain for a web app ↗](https://learn.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain)

## 1\. Add a Sender Group for Email security Email Protection IPs

To add a new Sender Group:

1. Go to **Mail Policies** \> **HAT Overview**.
2. Select **Add Sender Group**.
3. Configure the new Sender Group as follows:  
   * **Name**: `Email security`.  
   * **Order**: Order above the existing **WHITELIST** sender group.  
   * **Comment**: `Email security Email Protection egress IP Addresses`.  
   * **Policy**: `TRUSTED` (by default, spam detection is disabled for this mail flow policy).  
   * **SBRS**: Leave blank.  
   * **DNS Lists**: Leave blank.  
   * **Connecting Host DNS Verification**: Leave all options unchecked.
4. Select **Submit and Add Senders** and add the IP addresses listed in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/).

## 2\. Configure Incoming Relays

You need to configure the Incoming Relays section to tell IronPort to ignore upstream hops, since all the connections are now coming from Email security. This step is needed so the IronPort can retrieve the original IPs to calculate IP reputation. IronPort also uses this information in the Anti-Spam (IPAS) scoring of messages.

1. To enable the Incoming Relays Feature, select **Network** \> **Incoming Relays**.
2. Select **Enable** and commit your changes.
3. Now, you will have to add an Incoming Relay. Select **Network** \> **Incoming Relays**.
4. Select **Add Relay** and give your relay a name.
5. Enter the IP address of the MTA, MX, or other machine that connects to the email gateway to relay incoming messages. You can use IPv4 or IPv6 addresses.
6. Specify the `Received:` header that will identify the IP address of the original external sender.
7. Commit your changes.
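The Incoming Relays step above and the **Sit first (hop count = 1)** / **Sit in the middle (hop count > 1)** choice in the MX/Inline setup both come down to the same question: which `Received:` header names the real external sender. The following added example (not Cloudflare's or Cisco's code) walks a stored message's `Received:` chain by hop count and only trusts headers written by relays you control, since any header below your own hops was written by the sender and may be forged. The message, hostnames and IPs are constructed (RFC 5737 documentation addresses); `TRUSTED_RELAYS` stands in for your own scanner and upstream relay.

```python
"""Locate the original external sender IP by hop count in Received: headers.

Added example, not Cloudflare's or Cisco's code. The message and the
relay addresses are constructed for illustration.
"""
import re

# Constructed message as stored by the final gateway (mx.example.com, hop 3):
#   sender 203.0.113.7 -> relay.example.com (hop 1) -> scanner (hop 2) -> mx.
# The last Received: line was added by the sender's own server and cannot be
# trusted; a miscounted hop would score the IP it names instead.
SAMPLE_MESSAGE = """\
Received: from scanner.example.net (scanner.example.net [198.51.100.10])
\tby mx.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.com (relay.example.com [192.0.2.20])
\tby scanner.example.net with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender-corp.example (mail.sender-corp.example [203.0.113.7])
\tby relay.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
Received: from innocent.example (innocent.example [192.0.2.99])
\tby mail.sender-corp.example with ESMTP; Mon, 1 Jan 2024 09:59:59 +0000
From: alice@sender-corp.example
To: bob@example.com
Subject: hello

body
"""

# Relays we operate in front of the gateway (assumed values).
TRUSTED_RELAYS = {"198.51.100.10", "192.0.2.20"}

RECEIVED_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def received_headers(raw_message):
    """Return unfolded Received: values, newest (topmost) first."""
    head = raw_message.split("\n\n", 1)[0]
    values, in_received = [], False
    for line in head.splitlines():
        if line[:1] in (" ", "\t"):
            if in_received:
                values[-1] += " " + line.strip()   # folded continuation line
            continue
        in_received = line.lower().startswith("received:")
        if in_received:
            values.append(line.split(":", 1)[1].strip())
    return values


def connecting_ip(received_value):
    """Extract the bracketed IP of the connecting host from one Received: value."""
    m = RECEIVED_IP.search(received_value)
    return m["ip"] if m else None


def external_sender_ip(headers, hop_count, trusted=TRUSTED_RELAYS):
    """Return the external sender's IP for a gateway at position `hop_count`.

    hop_count follows the page's definition (1 = first server to receive the
    message from the Internet). Header index 0 was written by the gateway
    itself, so the external IP is named by header index hop_count - 1, and
    every header before it must name one of our own relays; otherwise the
    chain is not what we expect and None is returned rather than a forged IP.
    """
    if hop_count < 1 or hop_count > len(headers):
        return None
    for value in headers[: hop_count - 1]:
        if connecting_ip(value) not in trusted:
            return None
    return connecting_ip(headers[hop_count - 1])


if __name__ == "__main__":
    hdrs = received_headers(SAMPLE_MESSAGE)
    print("correct hop count (3):", external_sender_ip(hdrs, 3))
    print("no relay configured (1):", external_sender_ip(hdrs, 1))
    print("one hop too many (4):", external_sender_ip(hdrs, 4))
```

With hop count 1 the gateway scores the scanner's own address, which is the reputation problem the Incoming Relays configuration exists to avoid; with one hop too many the trusted-relay check refuses to return the sender-supplied `192.0.2.99`.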

## 3\. Disable SPF checks

Make sure you disable Sender Policy Framework (SPF) checks in IronPort. Because Email security is acting as the MX record, if you do not disable SPF checks, IronPort will block emails due to an SPF failure.

Refer to [Cisco's documentation ↗](https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117973-faq-esa-00.html) for more information on how to disable SPF checks.

## 4\. Set up MX/Inline

Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to [Set up MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) for the next steps.


---

---
title: Cisco - Cisco as MX Record
description: Integrate Cisco - Cisco as MX Record with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Cisco - Cisco as MX Record

![A schematic showing where Email security is in the life cycle of an email received](https://developers.cloudflare.com/_astro/Cisco_to_Cisco_MX_Inline.T2fNxiw3_1dYDUm.webp) 

In this tutorial, you will learn how to configure Email security with Cisco as MX record.

## 1\. Add a Sender Group for Email security Email Protection IPs

To add a new Sender Group:

1. Go to **Mail Policies** \> **HAT Overview**.
2. Select the **Add Sender Group** button.
3. Configure the new Sender Group as follows:  
   * **Name**: `Email security`.  
   * **Order**: Order above the existing **WHITELIST** sender group.  
   * **Comment**: `Email security Email Protection egress IP Addresses`.  
   * **Policy**: `TRUSTED` (by default, spam detection is disabled for this mail flow policy).  
   * **SBRS**: Leave blank.  
   * **DNS Lists**: Leave blank.  
   * **Connecting Host DNS Verification**: Leave all options unchecked.
4. Select **Submit and Add Senders**, and add the IP addresses mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/). If you need to process emails in the EU or India regions for compliance purposes, add those IP addresses as well.

## 2\. Add SMTP route for the Email security Email Protection Hosts

To add a new SMTP Route:

1. Go to **Network** \> **SMTP Routes**.
2. Select **Add Route**.
3. Configure the new SMTP Route as follows:  
   * **Receiving Domain**: `a1s.mailstream`  
   * In **Destination Hosts**, select **Add Row**, and add the Email security MX hosts. Refer to the [Geographic locations](#5-geographic-locations) table for more information on which MX hosts to use.

## 3\. Create Incoming Content Filters

To manage the mail flow between Email security and Cisco ESA, you need two filters:

* One to direct all incoming messages to Email security.
* One to recognize messages coming back from Email security to route for normal delivery.

### Incoming Content Filter - To Email security

To create a new Content Filter:

1. Go to **Mail Policies** \> **Incoming Content Filters**.
2. Select **Add Filter** to create a new filter.
3. Configure the new Incoming Content Filter as follows:  
   * **Name**: `ESA_to_A1S`  
   * **Description**: `Redirect messages to Email security for anti-phishing inspection`  
   * **Order**: This will depend on your other filters.  
   * **Condition**: No conditions.  
   * **Actions**:  
         * For **Action** select **Send to Alternate Destination Host**.  
         * For **Mail Host** input `a1s.mailstream` (the SMTP route configured in step 2).

### Incoming Content Filter - From Email security

To create a new Content Filter:

1. Go to **Mail Policies** \> **Incoming Content Filters**.
2. Select the **Add Filter** button to create a new filter.
3. Configure the new Incoming Content Filter as follows:  
   * **Name**: `A1S_to_ESA`  
   * **Description**: `Email security inspected messages for final delivery`  
   * **Order**: This filter must come before the previously created filter.  
   * **Conditions**: Add conditions of type **Remote IP/Hostname** with all the IP addresses mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/). For example:  

     | Order | Condition          | Rule               |
     | ----- | ------------------ | ------------------ |
     | 1     | Remote IP/Hostname | Remote IP/Hostname |
     | 2     | Remote IP/Hostname | 52.89.255.11       |
     | 3     | Remote IP/Hostname | 52.0.67.109        |
     | 4     | Remote IP/Hostname | 54.173.50.115      |
     | 5     | Remote IP/Hostname | 104.30.32.0/19     |
     | 6     | Remote IP/Hostname | 158.51.64.0/26     |
     | 7     | Remote IP/Hostname | 158.51.65.0/26     |

   * Ensure that the _Apply rule:_ dropdown is set to **If one or more conditions match**.  
   * **Actions**: Select **Add Action**, and add the following:  

     | Order | Action                                        | Rule           |
     | ----- | --------------------------------------------- | -------------- |
     | 1     | Skip Remaining Content Filters (Final Action) | skip-filters() |

## 4\. Add the Incoming Content Filter to the Inbound Policy table

Assign the Incoming Content Filters created in [step 3](#3-create-incoming-content-filters) to your primary mail policy in the Incoming Mail Policy table. Then, commit your changes to activate the email redirection.

## 5\. Geographic locations

When configuring the Email security MX records, it is important to configure hosts with the correct MX priority. This will allow mail flows to the preferred hosts and fail over as needed.

Choose from the following Email security MX hosts, and order them by priority. For example, if you are located outside the US and want to prioritize email processing in the EU, add `mailstream-eu1.mxrecord.io` as your first host, and then the US servers.

| Host                                                                                   | Location                | Note                                                                                                               |
| -------------------------------------------------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------ |
| mailstream-central.mxrecord.mx, mailstream-east.mxrecord.io, mailstream-west.mxrecord.io | US                      | Best option to ensure all email traffic processing happens in the US.                                              |
| mailstream-eu1.mxrecord.io                                                             | EU                      | Best option to ensure all email traffic processing happens in Germany, with backup to US data centers.             |
| mailstream-bom.mxrecord.mx                                                             | India                   | Best option to ensure all email traffic processing happens within India.                                           |
| mailstream-india-primary.mxrecord.mx                                                   | India                   | Same as mailstream-bom.mxrecord.mx, with backup to US data centers.                                                |
| mailstream-asia.mxrecord.mx                                                            | India                   | Best option to ensure all email traffic processing happens in India, with Australia data centers as backup.        |
| mailstream-syd.area1.cloudflare.net                                                    | Australia / New Zealand | Best option to ensure all email traffic processing happens within Australia.                                       |
| mailstream-australia-primary.area1.cloudflare.net                                      | Australia / New Zealand | Best option to ensure all email traffic processing happens in Australia, with India and US data centers as backup. |

## 6\. Set up MX/Inline

Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to [Set up MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) for the next steps.


---

---
title: Google Workspace as MX Record
description: Integrate Google Workspace as MX Record with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Google Workspace as MX Record

![A schematic showing where Email security is in the life cycle of an email received](https://developers.cloudflare.com/_astro/Email_Security_Gmail_MX_Inline.BySaw74N_r7mj1.webp) 

In this tutorial, you will learn how to configure Google Workspace with Email security as MX record.

## Prerequisites

To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying.

Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting.

**Note**: Make TTL changes a few days before the production update, and wait at least as long as the old TTL values before making the update, since some senders might still be using the old cached values.

To check your existing TTL, open a terminal window and run the following command against your domain:

```sh
dig mx <YOUR_DOMAIN>
```

```txt
; <<>> DiG 9.10.6 <<>> mx <YOUR_DOMAIN>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<YOUR_DOMAIN>.    IN  MX

;; ANSWER SECTION:
<YOUR_DOMAIN>.    300    IN    MX    10 mxa.global.inbound.cf-emailsecurity.net.
<YOUR_DOMAIN>.    300    IN    MX    10 mxb.global.inbound.cf-emailsecurity.net.
```

In the above example, TTL is shown in seconds as `300` (or five minutes).

If you are using Cloudflare for DNS, you can leave the [TTL setting as **Auto**](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/).

Below is a list with instructions on how to edit MX records for some popular services:

* **Cloudflare**: [Set up email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/)
* **GoDaddy**: [Edit an MX Record ↗](https://www.godaddy.com/help/edit-an-mx-record-19235)
* **AWS**: [Creating records by using the Amazon Route 53 console ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html)
* **Azure**: [Create DNS records in a custom domain for a web app ↗](https://learn.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain)

## Requirements

* Provisioned Email security account.
* Access to the Google administrator console ([Google administrator console ↗](https://admin.google.com/) \> **Apps** \> **Google Workspace** \> **Gmail**).
* Access to the domain nameserver hosting the MX records for the domains that will be processed by Email security.

## 1\. Set up Inbound Email Configuration

Set up [Inbound Email Configuration ↗](https://support.google.com/a/answer/60730?hl=en) with the following details:

* In **Gateway IPs**, select the **Add** link, and add the IPs mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/).
* Select **Automatically detect external IP (recommended)**.
* Select **Require TLS for connections from the email gateways listed above**.
* Do not select **Reject all mail not from gateway IPs**. You will enable this option at a later time to ensure your mail flows.
* Select **SAVE**.

## 2\. (Optional) Set up an email quarantine

[Set up an email quarantine ↗](https://support.google.com/a/answer/6104172?hl=en#add-new-quarantine) with the following details:

* **Name**: Email security Malicious.
* **Description**: Email security Malicious.
* For the **Inbound denial consequence**, select **Drop message**.
* For the **Outbound denial consequence**, select **Drop message**.
* Select **SAVE**.

To access the newly created quarantine, select **GO TO ADMIN QUARANTINE** or access the quarantine directly by pointing your browser to [https://email-quarantine.google.com/adminreview ↗](https://email-quarantine.google.com/adminreview).

## 3\. (Optional) Create a content compliance filter

Go to **Compliance**, and create a [content compliance filter ↗](https://support.google.com/a/answer/1346934?hl=en#zippy=%2Cstep-go-to-gmail-compliance-settings-in-the-google-admin-console%2Cstep-enter-email-messages-to-affect) to send malicious messages to quarantine. Enter the following details:

* **Content compliance**: Add `Quarantine Email security Malicious`.
* **Email messages to affect**: Select **Inbound**.
* **Add expressions that describe the content you want to search for in each message**:  
   * Select **Add** to add the condition.  
   * In **Simple content match**, select **Advanced content match**.  
   * In **Location**, select **Full headers**.  
   * In **Match type**, select **Contains text**.  
   * In **Content**, enter `X-CFEmailSecurity-Disposition: MALICIOUS`.  
   * Select **SAVE** to save the condition.
* **If the above expressions match, do the following**: Select **Quarantine message**, and choose the **Email security Malicious** quarantine that was created in the previous step.
* Select **SAVE**.

If you would like to quarantine the other dispositions, repeat the above steps and use the following strings for the other dispositions:

* `X-CFEmailSecurity-Disposition: BULK`
* `X-CFEmailSecurity-Disposition: SPOOF`
* `X-CFEmailSecurity-Disposition: UCE` (`UCE` is the equivalent of `SPAM`)

If desired, you can create a separate quarantine for each of the dispositions.

## 4\. Set up MX/Inline

Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to [Set up MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) for the next steps.

## 5\. (Recommended) Secure Google Workspace from MX records bypass

One method of a DNS attack is to search for old MX records and send phishing emails directly to the mail server. To secure the email flow, you should enforce an email flow where inbound messages are accepted by Google Workspace only when they originate from Email security. This can be done by adding a connector to only allow email from Email security with TLS encryption. This step is optional but recommended.

**Important**: This step should not be performed until 72 hours after all domains in your Google Workspace have been onboarded to Email security, and Email security is their MX record. If a domain has not been onboarded or DNS is still propagating, you will impact production email flow for that domain.

After 72 hours, the MX record DNS update will have sufficiently propagated across the Internet. It is now safe to secure your email flow. This will ensure that Google Workspace only accepts messages that are first received by Email security. This step is highly recommended to prevent threat actors from using cached MX entries to bypass Email security by injecting messages directly into Google Workspace.

1. Access the [Google Administrative Console ↗](https://admin.google.com/), then select **Apps** \> **Google Workspace** \> **Gmail**.
2. Select **Spam, Phishing and Malware**.
3. Go to **Inbound gateway** and select **Edit Inbound gateway**.
4. Enable **Reject all mail not from gateway IPs** and select **Save**.
5. Select **Save** once more to commit and activate the configuration change in the Gmail advanced configuration console.


---

---
title: Microsoft 365 as MX Record
description: Integrate Microsoft 365 as MX Record with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# Microsoft 365 as MX Record

![A schematic showing where Email security is in the life cycle of an email received](https://developers.cloudflare.com/_astro/Email_security_M365_MX_Inline.BeUQoQiv_Z2khods.webp) 

In this tutorial, you will learn how to configure Microsoft 365 with Email security as its MX record.

## Prerequisites

To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying.

Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Email security. This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting.

**Note**: Make TTL changes a few days before the production update, and wait at least as long as the old TTL values before making the update, since some senders might still be using the old cached values.

To check your existing TTL, open a terminal window and run the following command against your domain:

```sh
dig mx <YOUR_DOMAIN>
```

```txt
; <<>> DiG 9.10.6 <<>> mx <YOUR_DOMAIN>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<YOUR_DOMAIN>.    IN  MX

;; ANSWER SECTION:
<YOUR_DOMAIN>.    300    IN    MX    10 mxa.global.inbound.cf-emailsecurity.net.
<YOUR_DOMAIN>.    300    IN    MX    10 mxb.global.inbound.cf-emailsecurity.net.
```

In the above example, TTL is shown in seconds as `300` (or five minutes).
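The TTL prerequisite is the same for the Google Workspace and Microsoft 365 pages, so here is one added example (not Cloudflare's code) that parses the `dig mx` answer section shown above and checks it: is every TTL at or below five minutes, how long to wait before the cut-over, and, afterwards, whether every MX host is an Email security host. The sample outputs are constructed; `example.com` stands in for `<YOUR_DOMAIN>` and the `.invalid` mail hosts are placeholders.

```python
"""Check the MX TTL prerequisite from `dig mx` output.
Added example, not Cloudflare's code; sample outputs are constructed."""
import re
from dataclasses import dataclass
from typing import List

# One MX line of dig's ANSWER SECTION: name, TTL, class, type, preference, host.
MX_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$"
)

# Suffix of the Email security inbound hosts shown on this page.
EMAIL_SECURITY_MX_SUFFIX = "inbound.cf-emailsecurity.net"


@dataclass(frozen=True)
class MxRecord:
    name: str
    ttl: int
    preference: int
    host: str


def parse_mx(dig_output: str) -> List[MxRecord]:
    """Return the MX records in dig output; comment lines start with ';'."""
    records = []
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if m:
            records.append(MxRecord(m["name"], int(m["ttl"]), int(m["pref"]),
                                    m["host"].rstrip(".").lower()))
    return records


def ttl_ready(records: List[MxRecord], max_ttl: int = 300) -> bool:
    """True when every MX record already has a TTL of five minutes or less."""
    return bool(records) and all(r.ttl <= max_ttl for r in records)


def wait_before_cutover(records: List[MxRecord]) -> int:
    """Seconds to wait after lowering the TTL: at least the longest old TTL,
    since some senders may still hold the old cached value."""
    return max((r.ttl for r in records), default=0)


def on_email_security(records: List[MxRecord]) -> bool:
    """After the cut-over, every MX host should be an Email security host."""
    return bool(records) and all(
        r.host.endswith(EMAIL_SECURITY_MX_SUFFIX) for r in records
    )


# Constructed sample 1: the page's output with the placeholder domain filled in.
READY_OUTPUT = """\
;; ANSWER SECTION:
example.com.    300    IN    MX    10 mxa.global.inbound.cf-emailsecurity.net.
example.com.    300    IN    MX    10 mxb.global.inbound.cf-emailsecurity.net.
"""

# Constructed sample 2: MX still on a one-hour TTL and still pointing at the
# previous (placeholder) mail provider.
NOT_READY_OUTPUT = """\
;; ANSWER SECTION:
example.com.    3600   IN    MX    10 mx1.old-mail-provider.invalid.
example.com.    3600   IN    MX    20 mx2.old-mail-provider.invalid.
"""

if __name__ == "__main__":
    for label, output in (("ready", READY_OUTPUT), ("not ready", NOT_READY_OUTPUT)):
        recs = parse_mx(output)
        print(label, ttl_ready(recs), wait_before_cutover(recs), on_email_security(recs))
```

Run it against `dig mx <YOUR_DOMAIN>` output piped in from the real command once the TTL change has been made.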

If you are using Cloudflare for DNS, you can leave the [TTL setting as **Auto**](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/).

Below is a list with instructions on how to edit MX records for some popular services:

* **Cloudflare**: [Set up email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/)
* **GoDaddy**: [Edit an MX Record ↗](https://www.godaddy.com/help/edit-an-mx-record-19235)
* **AWS**: [Creating records by using the Amazon Route 53 console ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html)
* **Azure**: [Create DNS records in a custom domain for a web app ↗](https://learn.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain)

## 1\. Add Email security IP addresses to Allow List

1. Go to the [Anti-spam policies page ↗](https://security.microsoft.com/antispam) and select **Edit connection filter policy**.
2. In **Always allow messages from the following IP addresses or address range**, add IP addresses and CIDR blocks mentioned in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.
3. Select **Save**.
4. Microsoft recommends disabling SPF Hard fail when an email solution is placed in front of it:  
   * Return to the [Anti-spam option ↗](https://security.microsoft.com/antispam).  
   * Select **Default anti-spam policy**.  
   * Select **[Edit spam threshold and properties ↗](https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-complaint-level-bcl-about)** \> **Mark as spam** \> **SPF record: hard fail**, and ensure it is set to **Off**.
5. Select **Save**.

## 2\. Configure Enhanced Filtering

### Create an inbound connector

1. [Set up a connector ↗](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#1-set-up-a-connector-from-your-email-server-to-microsoft-365-or-office-365).
2. Select **Partner organization** under **Connection from**.  
   * Provide a name for the connector:  
         * **Name**: `Email security Inbound Connector`  
         * **Description**: `Inbound connector for Enhanced Filtering`
3. In **Authenticating sent email**, select **By verifying that the IP address of the sending server matches one of the following IP addresses, which belongs to your partner organization.**
4. Enter all of the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.
5. In **Security restrictions**, accept the default **Reject email messages if they aren't sent over TLS** setting.

### Enable enhanced filtering

Now that the inbound connector has been configured, you will need to enable the enhanced filtering configuration of the connector.

1. Go to the [Security admin console ↗](https://security.microsoft.com/homepage), and [enable enhanced filtering ↗](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#use-the-microsoft-defender-portal-to-configure-enhanced-filtering-for-connectors-on-an-inbound-connector).
2. Select **Automatically detect and skip the last IP address** and **Apply to entire organization**.
3. Select **Save**.

## 3\. Configure anti-spam policies

To configure anti-spam policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Policies**, select **Anti-spam**.
5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
6. In **Actions**, scroll down and select **Edit actions**.
7. Set the following conditions and actions (you might need to scroll up or down to find them):  
   * **Spam**: _Move messages to Junk Email folder_.  
   * **High confidence spam**: _Quarantine message_.  
         * **Select quarantine policy**: _AdminOnlyAccessPolicy_.  
   * **Phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _AdminOnlyAccessPolicy_.  
   * **High confidence phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _AdminOnlyAccessPolicy_.  
   * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days.  
         * Select the spam actions in the above step.
8. Select **Save**.

## 4\. Create transport rules

To create the transport rules that will send emails with certain [dispositions](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to Email security:

1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage).
2. Go to **Mail flow** \> **Rules**.
3. Select **Add a Rule** \> **Create a new rule**.
4. Set the following rule conditions:  
   * **Name**: _Email Security Deliver to Junk Email folder_.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `BULK` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs mentioned in [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/).  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _5_.
5. Select **Next**.
6. You can use the default values on this screen. Select **Next**.
7. Review your settings and select **Finish** \> **Done**.
8. Select the rule **Email security Deliver to Junk Email folder** you have just created, and **Enable**.
9. Select **Add a Rule** \> **Create a new rule**.
10. Set the following rule conditions:  
   * **Name**: `Email security Deliver to Junk Email folder`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `MALICIOUS`, `UCE`, `SPOOF` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/).  
   * **Do the following**: _Redirect the message to_ \> _hosted quarantine_.
11. Select **Next**.
12. You can use the default values on this screen. Select **Next**.
13. Review your settings and select **Finish** \> **Done**.
14. Select the rule you have just created, and select **Enable**.

## 5\. Set up MX/Inline

Now that you have completed the prerequisite steps, set up MX/Inline on the Cloudflare dashboard. Refer to [Set up MX/Inline deployment](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) for the next steps.

## 6\. (Recommended) Secure Microsoft 365 from MX records bypass

One method of a DNS attack is to search for old MX records and send phishing emails directly to the mail server. To secure the email flow, you should enforce an email flow where inbound messages are accepted by Microsoft 365 only when they originate from Email security. This can be done by adding a connector to only allow email from Email security with TLS encryption. This step is optional but recommended.

**Important**: This step should not be performed until 72 hours after all domains in your Microsoft 365 organization have been onboarded to Email security, and Email security is their MX record. If a domain has not been onboarded or DNS is still propagating, you will impact production email flow for that domain.

#### Create Connector

1. Go to the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage).
2. Go to **Mail flow** \> **Connectors**.
3. Select **Add a connector**.
4. Go to **Connection from** \> **Partner organization**.
5. Select **Next**.
6. Set the following options:  
   * **Name**: `Secure M365 Inbound`  
   * **Description**: `Only accept inbound email from Email security`
7. Select **Next**.
8. Make sure **By Verifying that the sender domain matches one of the following domains** is selected.
9. Enter `*` in the text field, and select **+**.
10. Select **Next**.
11. Make sure **Reject email messages if they aren't sent over TLS** is selected.
12. Still in the same screen, select **Reject email messages if they aren't sent from within this IP address range**, and enter all the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.
13. Select **Next**.
14. Review your settings and select **Create connector**.
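The gateway-side logic behind the Cisco Incoming Relays step, the Microsoft enhanced filtering step, the Google content compliance filter, the transport rules and the two MX-bypass sections, as one added Python example (not Cloudflare's, Cisco's, Google's or Microsoft's code): recover the original sender behind the Email security hop for reputation scoring, and act on `X-CFEmailSecurity-Disposition` only when the connection actually came from an egress IP. The egress addresses are the ones in the example table earlier on this page (the Egress IPs page is authoritative), the sample messages are constructed, and the `example.*` hostnames are placeholders.

```python
"""Original-sender recovery and disposition routing behind an email gateway.
Added example, not vendor code; egress list from this page's example table."""
import ipaddress
import re
from email import message_from_string
from typing import Optional

DISPOSITION_HEADER = "X-CFEmailSecurity-Disposition"

# Egress addresses copied from the example table on this page; the
# authoritative list is the Egress IPs page linked in the text.
EGRESS_NETWORKS = [ipaddress.ip_network(n) for n in (
    "52.89.255.11/32", "52.0.67.109/32", "54.173.50.115/32",
    "104.30.32.0/19", "158.51.64.0/26", "158.51.65.0/26",
)]

# Same split as the two transport rules: BULK to the junk folder (SCL 5),
# MALICIOUS/UCE/SPOOF to the hosted quarantine (UCE is the equivalent of SPAM).
ACTION_FOR_DISPOSITION = {"BULK": "junk", "MALICIOUS": "quarantine",
                          "UCE": "quarantine", "SPOOF": "quarantine"}

# IP literal inside a Received: header, e.g. "(host.example.net [203.0.113.5])".
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def from_email_security(ip: str) -> bool:
    """True when the connecting address is an Email security egress IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EGRESS_NETWORKS)


def original_sender_ip(raw_message: str, connecting_ip: str) -> Optional[str]:
    """What Incoming Relays / enhanced filtering recover for reputation scoring.

    A direct connection is its own original sender. Behind Email security the
    topmost Received: header is the one Email security added, so the first IP
    in the header chain that is not an egress address is the external sender.
    Headers further down, which a sender could forge, are never reached.
    """
    if not from_email_security(connecting_ip):
        return connecting_ip
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = RECEIVED_IP.search(received)
        if not m:
            continue
        try:
            hop = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not from_email_security(str(hop)):
            return str(hop)
    return None


def route(raw_message: str, connecting_ip: str,
          reject_non_gateway: bool = False) -> str:
    """Return 'deliver', 'junk', 'quarantine' or 'reject' for one message.

    reject_non_gateway models "Reject all mail not from gateway IPs" (Google)
    and the "Reject email messages if they aren't sent from within this IP
    address range" connector (Microsoft), enabled only after the 72-hour wait.
    """
    if not from_email_security(connecting_ip):
        # The header is not trusted on a direct connection: a sender who found
        # an old MX record could have added it themselves.
        return "reject" if reject_non_gateway else "deliver"
    msg = message_from_string(raw_message)
    disposition = (msg.get(DISPOSITION_HEADER) or "").strip().upper()
    return ACTION_FOR_DISPOSITION.get(disposition, "deliver")


# Constructed sample: relayed through Email security, marked MALICIOUS, with a
# forged Received: line underneath the one Email security added.
RELAYED_MALICIOUS = (
    "Received: from mail.sender.example.net (mail.sender.example.net [203.0.113.5])\n"
    "\tby mxa.global.inbound.cf-emailsecurity.net with ESMTPS\n"
    "Received: from forged.example.org ([198.51.100.9]) by mail.sender.example.net\n"
    f"{DISPOSITION_HEADER}: MALICIOUS\n"
    "From: someone@example.net\nTo: user@example.com\nSubject: Invoice\n\nbody\n"
)
RELAYED_BULK = RELAYED_MALICIOUS.replace("MALICIOUS", "BULK")
RELAYED_CLEAN = RELAYED_MALICIOUS.replace(f"{DISPOSITION_HEADER}: MALICIOUS\n", "")

if __name__ == "__main__":
    print(original_sender_ip(RELAYED_MALICIOUS, "52.89.255.11"))  # 203.0.113.5
    print(route(RELAYED_MALICIOUS, "52.89.255.11"))               # quarantine
    print(route(RELAYED_MALICIOUS, "203.0.113.5", True))          # reject
```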


---

---
title: 5 - Junk email folder and administrative quarantine
description: Integrate 5 - Junk email folder and administrative quarantine with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# 5 - Junk email folder and administrative quarantine

In this tutorial, you will learn how to deliver `BULK` messages to the user's junk email folder, and `MALICIOUS`, `SPAM`, and `SPOOF` messages to the administrative quarantine (an administrator must release these emails). The `SPAM` disposition is written as `UCE` in the `X-CFEmailSecurity-Disposition` header, which is the value the transport rule below matches.

## Configure anti-spam policies

To configure anti-spam policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Policies**, select **Anti-spam**.
5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
6. In **Actions**, scroll down and select **Edit actions**.
7. Set the following conditions and actions (you might need to scroll up or down to find them):  
   * **Spam**: _Move messages to Junk Email folder_.  
   * **High confidence spam**: _Quarantine message_.  
         * **Select quarantine policy**: _AdminOnlyAccessPolicy_.  
   * **Phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _AdminOnlyAccessPolicy_.  
   * **High confidence phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _AdminOnlyAccessPolicy_.  
   * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days.  
         * Select the spam actions in the above step.
8. Select **Save**.

## Create transport rules

To create the transport rules that route messages according to the [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) Email security writes into the `X-CFEmailSecurity-Disposition` header. Each rule pairs the header match with a second condition on the sender IP, so the header is only trusted on mail that arrived from an Email security egress IP and not when an outside sender added the header themselves:

1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage).
2. Go to **Mail flow** \> **Rules**.
3. Select **Add a Rule** \> **Create a new rule**.
4. Set the following rule conditions:  
   * **Name**: `Email security Deliver to Junk Email folder`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `BULK` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs listed on the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _5_.
5. Select **Next**.
6. You can use the default values on this screen. Select **Next**.
7. Review your settings and select **Finish** \> **Done**.
8. Select the rule `Email security Deliver to Junk Email folder` you have just created, and select **Enable**.
9. Select **Add a Rule** \> **Create a new rule**.
10. Set the following rule conditions:  
   * **Name**: `Email security Admin Managed Host Quarantine`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `MALICIOUS`, `UCE`, `SPOOF` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs listed on the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Redirect the message to_ \> _hosted quarantine_.
11. Select **Next**.
12. You can use the default values on this screen. Select **Next**.
13. Review your settings and select **Finish** \> **Done**.
14. Select the rule `Email security Admin Managed Host Quarantine` you have just created, and select **Enable**.
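The same configuration can be applied from Exchange Online PowerShell, which is easier to review and repeat than the portal steps. The following is an added example, not code from the Cloudflare or Microsoft documentation. It assumes the `ExchangeOnlineManagement` module is installed and that the signed-in account has Exchange administrator rights; `$EgressIps` is a placeholder that you must replace with every address on the Egress IPs page.

```powershell
# Added example (not from the Cloudflare or Microsoft docs): anti-spam policy and the
# two mail flow rules from the steps above, applied with Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin rights.

Connect-ExchangeOnline

# Placeholder (RFC 5737 documentation addresses), NOT real Email security egress IPs.
# Replace with every address listed on the Egress IPs page.
$EgressIps = @('192.0.2.10', '192.0.2.11')

# Anti-spam inbound policy (Default): spam to the Junk Email folder, high confidence spam
# and both phishing verdicts to the built-in admin-only quarantine policy, 30-day retention.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag 'AdminOnlyAccessPolicy' `
    -PhishSpamAction Quarantine -PhishQuarantineTag 'AdminOnlyAccessPolicy' `
    -HighConfidencePhishAction Quarantine -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy' `
    -QuarantineRetentionPeriod 30

# Rule 1: BULK -> SCL 5, which the policy above delivers to the Junk Email folder.
New-TransportRule -Name 'Email security Deliver to Junk Email folder' `
    -HeaderContainsMessageHeader 'X-CFEmailSecurity-Disposition' `
    -HeaderContainsWords 'BULK' `
    -SenderIpRanges $EgressIps `
    -SetSCL 5 `
    -Enabled $true

# Rule 2: MALICIOUS, UCE (spam) or SPOOF -> hosted quarantine, administrator release only.
New-TransportRule -Name 'Email security Admin Managed Host Quarantine' `
    -HeaderContainsMessageHeader 'X-CFEmailSecurity-Disposition' `
    -HeaderContainsWords 'MALICIOUS', 'UCE', 'SPOOF' `
    -SenderIpRanges $EgressIps `
    -Quarantine $true `
    -Enabled $true

# Check: every Email security rule must keep the sender-IP condition and be enabled.
# The disposition header is only evidence of a verdict when the message came from an
# Email security egress IP; on any other path it is just text the sender controls.
Get-TransportRule | Where-Object { $_.Name -like 'Email security *' } | ForEach-Object {
    if (-not $_.SenderIpRanges) { Write-Warning "$($_.Name): no sender IP condition, header is not trustworthy" }
    if ($_.State -ne 'Enabled')  { Write-Warning "$($_.Name): rule is not enabled" }
    $_ | Select-Object Name, State, HeaderContainsWords, SenderIpRanges, SetSCL, Quarantine
}
```

`-SetSCL 5` corresponds to the portal action _Set the Spam Confidence Level (SCL)_ \> _5_, and `-Quarantine $true` to _Redirect the message to_ \> _hosted quarantine_. Run the final `Get-TransportRule` check again after any later edit in the Exchange admin center, since removing the second condition there silently turns the rule into one that acts on an unauthenticated header.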


---

---
title: 4 - User managed quarantine and administrative quarantine
description: Integrate 4 - User managed quarantine and administrative quarantine with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# 4 - User managed quarantine and administrative quarantine

In this tutorial, you will learn how to deliver `SPAM` and `SPOOF` messages to the user managed quarantine, and `MALICIOUS` messages to the administrative quarantine (an administrator must release these emails). The `SPAM` disposition is written as `UCE` in the `X-CFEmailSecurity-Disposition` header, which is the value the transport rule below matches.

## Create quarantine policies

To create quarantine policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Rules**, select **Quarantine policies**.
5. Select **Add custom policy**.
6. Set the **Policy name** to `UserNotifyUserRelease`.
7. Select **Next**.
8. In **Recipient message access**, select **Set specific access (Advanced)**, and then:  
   * In **Select release action preference**, choose _Allow recipients to release a message from quarantine_.  
   * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes.
9. Select **Next**.
10. In **Quarantine notification**, select **Enable**.
11. Select **Next**.
12. Review your settings and select **Submit**.
13. Select **Done**.
14. Select **Add custom policy**.
15. Set the **Policy name** to `UserNotifyAdminRelease`.
16. Select **Next**.
17. In **Recipient message access**, select **Set specific access (Advanced)**, and then:  
   * In **Select release action preference**, from the drop-down menu, choose _Allow recipients to request a message to be released from quarantine_.  
   * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes.
18. Select **Next**.
19. In **Quarantine notification**, select **Enable**.
20. Select **Next**.
21. Review your settings and select **Submit**.
22. Select **Done**.

## Configure quarantine notifications

To configure quarantine notifications:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Rules**, select **Quarantine policies**.
5. Select **Global settings**.
6. Scroll to the bottom and set the desired frequency in **Send end-user spam notifications every (days)**. This value can only be incremented in days.
7. Select **Save**.

## Configure anti-spam policies

To configure anti-spam policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Policies**, select **Anti-spam**.
5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
6. In the **Actions** section, scroll down and select **Edit actions**.
7. Set the following conditions and actions (you might need to scroll up or down to find them):  
   * **Spam**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyUserRelease_.  
   * **High confidence spam**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **Phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **High confidence phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days.
8. Select **Save**.

## Create transport rules

To create the transport rules that route messages according to the [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) set by Email security (the sender IP condition in each rule ensures the `X-CFEmailSecurity-Disposition` header is only trusted on mail that came from Email security):

1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage).
2. Go to **Mail flow** \> **Rules**.
3. Select **Add a Rule** \> **Create a new rule**.
4. Set the following rule conditions:  
   * **Name**: `Email security User Quarantine Message`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `UCE`, `SPOOF` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs listed on the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _5_.
5. Select **Next**.
6. You can use the default values on this screen. Select **Next**.
7. Review your settings and select **Finish** \> **Done**.
8. Select the rule `Email security User Quarantine Message` you have just created, and select **Enable**.
9. Select **Add a Rule** \> **Create a new rule**.
10. Set the following rule conditions:  
   * **Name**: `Email security User Quarantine Message Admin Release`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `MALICIOUS` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs listed on the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _9_.
11. Select **Next**.
12. You can use the default values on this screen. Select **Next**.
13. Review your settings and select **Finish** \> **Done**.
14. Select the rule `Email security User Quarantine Message Admin Release` you have just created, and select **Enable**.
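The two custom quarantine policies are the part of this tutorial that determines who can release a message, so they are worth creating and checking from Exchange Online PowerShell rather than only through the portal. The following is an added example, not code from the Cloudflare or Microsoft documentation. It assumes the `ExchangeOnlineManagement` module and an existing `Connect-ExchangeOnline` session with Exchange administrator rights.

```powershell
# Added example (not from the Cloudflare or Microsoft docs): the two custom quarantine
# policies from the steps above, their binding in the default anti-spam policy, and a
# check that the admin-release policy cannot be self-released by the recipient.
# Assumptions: ExchangeOnlineManagement module, Connect-ExchangeOnline already run.

# UserNotifyUserRelease: recipients may release, delete and preview; notifications on.
$userRelease = New-QuarantinePermissions `
    -PermissionToRelease $true -PermissionToDelete $true -PermissionToPreview $true
New-QuarantinePolicy -Name 'UserNotifyUserRelease' `
    -EndUserQuarantinePermissions $userRelease -ESNEnabled $true

# UserNotifyAdminRelease: recipients may only *request* release; an admin must approve.
$adminRelease = New-QuarantinePermissions `
    -PermissionToRequestRelease $true -PermissionToDelete $true -PermissionToPreview $true
New-QuarantinePolicy -Name 'UserNotifyAdminRelease' `
    -EndUserQuarantinePermissions $adminRelease -ESNEnabled $true

# Global setting: how often end users receive quarantine notifications (once a day here).
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy |
    Set-QuarantinePolicy -EndUserSpamNotificationFrequency 1.00:00:00

# Bind the policies: SCL 5 (Spam) -> user-releasable quarantine; SCL 9 (High confidence
# spam) and both phishing verdicts -> admin-release quarantine; 30-day retention.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -SpamAction Quarantine -SpamQuarantineTag 'UserNotifyUserRelease' `
    -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag 'UserNotifyAdminRelease' `
    -PhishSpamAction Quarantine -PhishQuarantineTag 'UserNotifyAdminRelease' `
    -HighConfidencePhishAction Quarantine -HighConfidencePhishQuarantineTag 'UserNotifyAdminRelease' `
    -QuarantineRetentionPeriod 30

# Check: the policy that receives MALICIOUS mail (via the SCL 9 rule) must not grant
# PermissionToRelease, otherwise the recipient could pull a malicious message out of
# quarantine without an administrator ever seeing it.
$adminPolicy = Get-QuarantinePolicy -Identity 'UserNotifyAdminRelease'
if ("$($adminPolicy.EndUserQuarantinePermissions)" -match 'PermissionToRelease:\s*True') {
    Write-Warning 'UserNotifyAdminRelease allows recipient self-release; fix before enabling the SCL 9 rule'
}
$adminPolicy | Select-Object Name, EndUserQuarantinePermissions, ESNEnabled
```

`New-QuarantinePermissions` rejects a request that sets both `-PermissionToRelease` and `-PermissionToRequestRelease`, which is the distinction between the two policies. The mail flow rules themselves are created with `New-TransportRule` exactly as described in the steps (`-SetSCL 5` for `UCE` and `SPOOF`, `-SetSCL 9` for `MALICIOUS`), each with the `-SenderIpRanges` condition on the Email security egress IPs.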


---

---
title: 1 - Junk email and Email security Admin Quarantine
description: Integrate 1 - Junk email and Email security Admin Quarantine with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# 1 - Junk email and Email security Admin Quarantine

In this tutorial, you will learn how to deliver emails to the Microsoft 365 junk email folder and the Admin Quarantine in Email security.

## Create quarantine policies

To create quarantine policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Rules**, select **Quarantine policies**.
5. Select **Add custom policy**.
6. Set the **Policy name** to `UserNotifyAdminRelease`.
7. Select **Next**.
8. In **Recipient message access**, select **Set specific access (Advanced)**, and then:  
   * In **Select release action preference**, choose _Allow recipients to request a message to be released from quarantine_.  
   * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes.
9. Select **Next**.
10. In **Quarantine notification**, select **Enable**.
11. Select **Next**.
12. Review your settings and select **Submit**.
13. Select **Done**.

## Configure quarantine notifications

To configure quarantine notifications:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Rules**, select **Quarantine policies**.
5. Select **Global settings**.
6. Scroll to the bottom and set the desired frequency in **Send end-user spam notifications every (days)**. This value can only be incremented in days.
7. Select **Save**.

## Configure anti-spam policies

To configure anti-spam policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Policies**, select **Anti-spam**.
5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
6. In **Actions**, scroll down and select **Edit actions**.
7. Set the following conditions and actions (you might need to scroll up or down to find them):  
   * **Spam**: _Move messages to Junk Email folder_.  
   * **High confidence spam**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **Phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **High confidence phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days.  
         * Select the spam actions in the above step.
8. Select **Save**.

## Create transport rules

To create the transport rule that routes messages according to the [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) set by Email security (the sender IP condition ensures the `X-CFEmailSecurity-Disposition` header is only trusted on mail that came from Email security):

1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage).
2. Go to **Mail flow** \> **Rules**.
3. Select **Add a Rule** \> **Create a new rule**.
4. Set the following rule conditions:  
   * **Name**: `Email security Deliver to Junk Email folder`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `BULK` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs in the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _5_.
5. Select **Next**.
6. You can use the default values on this screen. Select **Next**.
7. Review your settings and select **Finish** \> **Done**.
8. Select the rule `Email security Deliver to Junk Email folder` you have just created, and select **Enable**.


---

---
title: 3 - Junk email and administrative quarantine
description: Integrate 3 - Junk email and administrative quarantine with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# 3 - Junk email and administrative quarantine

In this tutorial, you will learn how to deliver `BULK` messages to the user's junk email folder, and `MALICIOUS`, `SPAM`, and `SPOOF` messages to the administrative quarantine (an administrator must release these emails). The `SPAM` disposition is written as `UCE` in the `X-CFEmailSecurity-Disposition` header, which is the value the transport rule below matches.

## Create quarantine policies

To create quarantine policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Rules**, select **Quarantine policies**.
5. Select **Add custom policy**.
6. Set the **Policy name** to `UserNotifyAdminRelease`.
7. Select **Next**.
8. In **Recipient message access**, select **Set specific access (Advanced)**, and then:  
   * In **Select release action preference**, choose _Allow recipients to request a message to be released from quarantine_.  
   * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes.
9. Select **Next**.
10. In **Quarantine notification**, select **Enable**.
11. Select **Next**.
12. Review your settings and select **Submit**.
13. Select **Done**.

## Configure quarantine notifications

To configure quarantine notifications:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Rules**, select **Quarantine policies**.
5. Select **Global settings**.
6. Scroll to the bottom and set the desired frequency in **Send end-user spam notifications every (days)**. This value can only be incremented in days.
7. Select **Save**.

## Configure anti-spam policies

To configure anti-spam policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Policies**, select **Anti-spam**.
5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
6. In **Actions**, scroll down and select **Edit actions**.
7. Set the following conditions and actions (you might need to scroll up or down to find them):  
   * **Spam**: _Move messages to Junk Email folder_.  
   * **High confidence spam**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **Phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **High confidence phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days.  
         * Select the spam actions in the above step.
8. Select **Save**.

## Create transport rules

To create the transport rules that route messages according to the [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) set by Email security (the sender IP condition in each rule ensures the `X-CFEmailSecurity-Disposition` header is only trusted on mail that came from Email security):

1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage).
2. Go to **Mail flow** \> **Rules**.
3. Select **Add a Rule** \> **Create a new rule**.
4. Set the following rule conditions:  
   * **Name**: `Email security Deliver to Junk Email folder`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `BULK` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs listed on the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _5_.
5. Select **Next**.
6. You can use the default values on this screen. Select **Next**.
7. Review your settings and select **Finish** \> **Done**.
8. Select the rule `Email security Deliver to Junk Email folder` you have just created, and select **Enable**.
9. Select **Add a Rule** \> **Create a new rule**.
10. Set the following rule conditions:  
   * **Name**: `Email security User Quarantine Message`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `MALICIOUS`, `UCE`, `SPOOF` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs listed on the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _9_.
11. Select **Next**.
12. You can use the default values on this screen. Select **Next**.
13. Review your settings and select **Finish** \> **Done**.
14. Select the rule `Email security User Quarantine Message` you have just created, and select **Enable**.


---

---
title: 2 - Junk email and user managed quarantine
description: Integrate 2 - Junk email and user managed quarantine with Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---


# 2 - Junk email and user managed quarantine

In this tutorial, you will learn how to deliver `BULK` messages to the user's junk email folder, and `SPAM` and `SPOOF` messages to the user managed quarantine. The `SPAM` disposition is written as `UCE` in the `X-CFEmailSecurity-Disposition` header, which is the value the transport rule below matches.

## Create quarantine policies

To create quarantine policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Rules**, select **Quarantine policies**.
5. Select **Add custom policy**.
6. Set the **Policy name** to `UserNotifyUserRelease`.
7. Select **Next**.
8. In **Recipient message access**, select **Set specific access (Advanced)**, and then:  
   * In **Select release action preference**, choose _Allow recipients to release a message from quarantine_.  
   * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes.
9. Select **Next**.
10. In **Quarantine notification**, select **Enable**.
11. Select **Next**.
12. Review your settings and select **Submit**.
13. Select **Done**.
14. Select **Add custom policy**.
15. Set the **Policy name** to `UserNotifyAdminRelease`.
16. Select **Next**.
17. In **Recipient message access**, select **Set specific access (Advanced)**, and then:  
   * In **Select release action preference**, from the drop-down menu, choose _Allow recipients to request a message to be released from quarantine_.  
   * In **Select additional actions recipients can take on quarantined messages**, select the **Delete** and **Preview** checkboxes.
18. Select **Next**.
19. In **Quarantine notification**, select **Enable**.
20. Select **Next**.
21. Review your settings and select **Submit**.
22. Select **Done**.

## Configure quarantine notifications

To configure quarantine notifications:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Rules**, select **Quarantine policies**.
5. Select **Global settings**.
6. Scroll to the bottom and set the desired frequency in **Send end-user spam notifications every (days)**. This value can only be incremented in days.
7. Select **Save**.

## Configure anti-spam policies

To configure anti-spam policies:

1. Open the [Microsoft 365 Defender console ↗](https://security.microsoft.com/).
2. Go to **Email & collaboration** \> **Policies & rules**.
3. Select **Threat policies**.
4. Under **Policies**, select **Anti-spam**.
5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
6. In **Actions**, scroll down and select **Edit actions**.
7. Set the following conditions and actions (you might need to scroll up or down to find them):  
   * **Spam**: _Move messages to Junk Email folder_.  
   * **High confidence spam**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyUserRelease_.  
   * **Phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **High confidence phishing**: _Quarantine message_.  
         * **Select quarantine policy**: _UserNotifyAdminRelease_.  
   * **Retain spam in quarantine for this many days**: Default is 15 days. Email security recommends 15-30 days.  
         * Select the spam actions in the above step.
8. Select **Save**.

## Create transport rules

To create the transport rules that route messages according to the [disposition](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) set by Email security (the sender IP condition in each rule ensures the `X-CFEmailSecurity-Disposition` header is only trusted on mail that came from Email security):

1. Open the new [Exchange admin center ↗](https://admin.exchange.microsoft.com/#/homepage).
2. Go to **Mail flow** \> **Rules**.
3. Select **Add a Rule** \> **Create a new rule**.
4. Set the following rule conditions:  
   * **Name**: `Email security Deliver to Junk Email folder`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `BULK` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs listed on the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _5_.
5. Select **Next**.
6. You can use the default values on this screen. Select **Next**.
7. Review your settings and select **Finish** \> **Done**.
8. Select the rule `Email security Deliver to Junk Email folder` you have just created, and select **Enable**.
9. Select **Add a Rule** \> **Create a new rule**.
10. Set the following rule conditions:  
   * **Name**: `Email security User Quarantine Message`.  
   * **Apply this rule if**: _The message headers_ \> _includes any of these words_.  
         * **Enter text**: `X-CFEmailSecurity-Disposition` \> **Save**.  
         * **Enter words**: `UCE`, `SPOOF` \> **Add** \> **Save**.  
   * **Apply this rule if**: Select **+** to add a second condition.  
   * **And**: _The sender_ \> _IP address is in any of these ranges or exactly matches_ \> enter the egress IPs listed on the [Egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.  
   * **Do the following**: _Modify the message properties_ \> _Set the Spam Confidence Level (SCL)_ \> _9_.
11. Select **Next**.
12. You can use the default values on this screen. Select **Next**.
13. Review your settings and select **Finish** \> **Done**.
14. Select the rule _\`Email security User Quarantine Message\`_ you have just created, and select **Enable**.
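As an added example (not Cloudflare's or Microsoft's code), the following script evaluates the two transport rules above against a raw message the way Exchange does, so you can check which SCL a message would receive and see why the second condition on the sender IP matters. The egress range is a constructed placeholder; take the real ranges from the Egress IPs page.

```python
import ipaddress
import re
from email import message_from_string

# Constructed placeholder for the Email security egress IP ranges; replace
# with the ranges listed on the Egress IPs page. Documentation-only value.
EGRESS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

DISPOSITION_HEADER = "X-CFEmailSecurity-Disposition"

# The two rules from the steps above, in the order Exchange evaluates them:
# (rule name, words to look for in the header, SCL to set).
RULES = [
    ("Email security Deliver to Junk Email folder", {"BULK"}, 5),
    ("Email security User Quarantine Message", {"UCE", "SPOOF"}, 9),
]


def sender_is_egress(sender_ip: str) -> bool:
    """Second condition of both rules: the connecting IP must be one of the
    Email security egress IPs. Without it, a message carrying the header
    from any other route would be routed by these rules too."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in EGRESS_RANGES)


def header_words(raw_message: str) -> set:
    """Words found in the disposition header, matched case-insensitively the
    way the 'includes any of these words' condition does."""
    msg = message_from_string(raw_message)
    value = msg.get(DISPOSITION_HEADER, "")
    return set(re.findall(r"[A-Za-z0-9_]+", value.upper()))


def evaluate(raw_message: str, sender_ip: str):
    """Return (rule name, SCL) for the first rule whose conditions both hold,
    or None when no rule applies and the message keeps its normal path."""
    if not sender_is_egress(sender_ip):
        return None
    words = header_words(raw_message)
    for name, match_words, scl in RULES:
        if words & match_words:
            return name, scl
    return None


# Constructed sample messages (headers only; the bodies are irrelevant here).
BULK_MSG = (
    "From: news@example.com\r\n"
    "Subject: Weekly digest\r\n"
    "X-CFEmailSecurity-Disposition: BULK\r\n"
    "\r\nbody\r\n"
)
SPOOF_MSG = BULK_MSG.replace("BULK", "SPOOF")
NO_HEADER_MSG = "From: ceo@example.com\r\nSubject: Hello\r\n\r\nbody\r\n"

if __name__ == "__main__":
    # Tagged BULK from an egress IP: SCL 5, so it lands in Junk Email.
    print(evaluate(BULK_MSG, "203.0.113.10"))
    # Tagged SPOOF from an egress IP: SCL 9, so it goes to user quarantine.
    print(evaluate(SPOOF_MSG, "203.0.113.10"))
    # Same header, but not delivered from an egress IP: neither rule fires.
    print(evaluate(BULK_MSG, "198.51.100.7"))
```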

---

---
title: Submissions
description: Submissions in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Submissions

Submitting a message lets you correct its disposition when Email security classified it incorrectly. This helps improve Email security's detection accuracy and ensures proper handling of email threats.

## Submit messages for review

To submit a message for review:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Email security** and select **Investigation**.
2. On the **Investigation** page, under **Your matching messages**, select the message you want to reclassify.
3. Select the three dots, then select **Submit for review**.
4. Under **New disposition**, select among the following:  
   * **Malicious**: Traffic invoked multiple phishing verdict triggers, met thresholds for bad behavior, and is associated with active campaigns.  
   * **Spoof**: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies (SPF, DKIM, DMARC) or has mismatching Envelope From and Header From values.  
   * **Spam**: Traffic associated with non-malicious, commercial campaigns.  
   * **Bulk**: Traffic associated with [Graymail ↗](https://en.wikipedia.org/wiki/Graymail%5F%28email%29) that falls between the definitions of `SPAM` and `SUSPICIOUS`. For example, a marketing email that intentionally obscures its unsubscribe link.  
   * **Clean**: Traffic not associated with any phishing campaigns.
5. Select **Save**.

To submit messages in bulk, select **Select all messages** > **Action** > **Request submissions**.

To release messages in bulk, select **Select all messages** > **Action** > **Release**.

## Upload EML files

Email security classifies certain emails as "Clean". If you disagree with the disposition, you can upload an EML file and reclassify the email.

On the **Investigation** page:

1. Go to the email marked as **Clean**.
2. Select the three dots > **Submit for review**.
3. Upload the EML file.
4. Select a new disposition.
5. Select **Save**.

## View submissions

Once you have submitted your messages, you can view them on the **Submissions** page.

To view submissions:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security** > **Submissions**.
3. Choose from the following submission types:  
   * [**Team submissions**](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/team-submissions/): View emails your security team submitted for review.  
   * [**User submissions**](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/): View emails your users submitted for review.  
   * [**Invalid submissions**](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/invalid-submissions/): View submissions that could not be processed.

---

---
title: Invalid submissions
description: Invalid submissions in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Invalid submissions

A submission is invalid when:

* It has no EML file attached.
* It was made with an incorrect file extension.
* It was sent to the wrong team or user alias.

To ensure your submission is valid:

* Ensure your submission has a file attached with a `.eml` file extension.
* Ensure you configure the domain you are submitting emails for.
* Ensure policies are configured correctly.

To view invalid submissions:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security** > **Submissions**.
3. Select **Invalid submissions**.

You can search by submission ID or submitted email.

You can filter based on **Date Range** and **Submitted by** (which lists the email addresses that made the invalid submissions). Once you have configured your desired filters, select **Apply filters**.

## Enable notifications

To enable Invalid submission email notifications:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security** > **Settings**.
3. Go to **Invalid submission emails** and turn on **Invalid submission email notifications**.

---

---
title: Team submissions
description: Team submissions in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# Team submissions

Team submissions are the emails your security team submitted for review. All team submissions receive a human review by Cloudflare.

## View team submissions

To view team submissions:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security** > **Submissions**.
3. Select **Team submissions**.

## Filter team submissions

Select among the following filters:

* **Date Range**: Select a date range of the last 7, last 30, or last 90 days.
* **Original disposition**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values).
* **Submitted as**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values).
* **Final disposition**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values).
* **Escalation**: Filter by team submissions that have been escalated or not. Select among `Yes`, `No`, or `All`.

Once you have selected all the filters, select **Apply filters**.

The dashboard will populate the table with the list of emails your security team submitted for review, including a **Submission ID** and the **Email subject**.

## View submission details

To gain more details on a specific submission:

1. Go to the submission you want to have more details for.
2. Select the three dots, then select among **View more**, **View email message**, and **View similar details**.

---

---
title: User submissions
description: User submissions in Email Security.
image: https://developers.cloudflare.com/zt-preview.png
---

# User submissions

User submissions are the emails your users submitted for review. User submissions help improve the detection model, but can also be escalated for human review.

Any email that is reported as [phish](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/#reclassify-an-email) will be displayed under **User submissions**.

Note

[PhishGuard](https://developers.cloudflare.com/cloudflare-one/email-security/phishguard/) customers can have submissions analyzed when submitting at either user or team level. Any non-PhishGuard customer can still have submissions analyzed by submitting at team level.

## View user submissions

To view user submissions:

1. Log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/).
2. Select **Email security** > **Submissions**.
3. Select **User submissions**.

## Filter user submissions

Select among the following filters:

* **Date Range**: Select a date range of the last 7, last 30, or last 90 days.
* **Original disposition**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values).
* **Submitted as**: Select among the [available values](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#available-values).

Once you have selected all the filters, select **Apply filters**.

The dashboard will populate the table with the list of emails your users submitted for review, including a **Submission ID** and the **Email subject**.

## View submission details

To gain more details on a specific submission:

1. Go to the submission you want to have more details for.
2. Select the three dots, then select among **View more**, **View email message**, **View similar details**, and **Escalate**.

## Escalate a submission

To escalate a submission:

1. Go to the submission you want to escalate.
2. Select the three dots, then select **Escalate**.
3. The dashboard will display a message to authorize escalation. Select **Escalate**.

---

---
title: Troubleshoot Email security
description: Resolve common issues with Cloudflare Email security, including delivery delays, false positives, and DMARC authentication errors.
image: https://developers.cloudflare.com/zt-preview.png
---

# Troubleshoot Email security

Review common troubleshooting scenarios for Cloudflare Email Security.

## Email headers and attributes

Email Security identifies threats using detections that result in a final disposition. You can inspect email headers to understand why a specific disposition was applied.

| Attribute           | Description                                                                                                                                                                  |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| CUSTOM\_BLOCK\_LIST | Matches a value defined in your custom block list.                                                                                                                           |
| NEW\_DOMAIN\_SENDER | The email was sent from a newly registered domain.                                                                                                                           |
| NEW\_DOMAIN\_LINK   | The email contains links to a newly registered domain.                                                                                                                       |
| ENCRYPTED           | The email message is encrypted.                                                                                                                                              |
| BEC                 | The sender address is in your [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). |

## Detections and reclassification

### Handle a false positive

A false positive occurs when a legitimate email is incorrectly flagged as malicious or spam.

**Solution**:

1. In the Email Security dashboard, go to **Investigation**.
2. Find the email and select **Submit for reclassification**.
3. Choose the correct disposition (for example, `Clean`).
4. To prevent future blocks, add the sender to your [Acceptable Senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) list.

### Handle a false negative

A false negative occurs when a malicious email is not detected by Email Security.

**Solution**:

1. Ensure the email actually passed through Email Security by checking for the `X-CFEmailSecurity-Disposition` header.
2. Submit the email for reclassification in the dashboard. This is the preferred method for reporting missed detections.

## Authentication errors

### DMARC failures

Email Security may mark an email as **SPAM** if it fails DMARC authentication and the sending domain has a `p=reject` or `p=quarantine` policy.

**Solution**:

* Ask the sender to fix their DMARC/SPF/DKIM records.
* Configure an [Acceptable Sender](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) entry to suppress the failure for that specific sender.
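An added example (not Cloudflare's code) that applies the checks from the false negative and DMARC sections to a raw message: it reads the `X-CFEmailSecurity-Disposition` header to confirm the message was scanned, then compares the DMARC verdict recorded in `Authentication-Results` with the sending domain's DMARC policy to see whether a `SPAM` disposition is explained by an enforcing policy. The DMARC TXT record (published at `_dmarc.<domain>`) is passed in as a string rather than resolved from DNS, and all samples are constructed.

```python
import re
from email import message_from_string
from typing import Optional

DISPOSITION_HEADER = "X-CFEmailSecurity-Disposition"


def parse_dmarc_policy(txt_record: str) -> Optional[str]:
    """Return the p= policy of a DMARC TXT record ('none', 'quarantine' or
    'reject'), or None if the record is not a DMARC record at all."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")


def dmarc_result(msg) -> Optional[str]:
    """DMARC result recorded by the receiving MTA in Authentication-Results."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=([a-z]+)", value, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def triage(raw_message: str, dmarc_txt: Optional[str]) -> dict:
    """Answer two questions for one message:
    1. Did it pass through Email Security? (disposition header present)
    2. If it is SPAM, is that explained by a DMARC failure under an
       enforcing (p=reject or p=quarantine) policy?"""
    msg = message_from_string(raw_message)
    disposition = msg.get(DISPOSITION_HEADER, "").strip().upper() or None
    policy = parse_dmarc_policy(dmarc_txt) if dmarc_txt else None
    result = dmarc_result(msg)
    return {
        "scanned": disposition is not None,
        "disposition": disposition,
        "dmarc_result": result,
        "dmarc_policy": policy,
        "explained_by_dmarc": (
            disposition == "SPAM" and result == "fail"
            and policy in ("reject", "quarantine")
        ),
    }


# Constructed sample: a message Email Security marked SPAM after DMARC failed.
SPAM_MSG = (
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net;"
    " dkim=none; dmarc=fail header.from=example.net\r\n"
    "X-CFEmailSecurity-Disposition: SPAM\r\n"
    "From: billing@example.net\r\nSubject: Invoice\r\n\r\nbody\r\n"
)
# Constructed DMARC record for example.net, as read from _dmarc.example.net.
EXAMPLE_NET_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net"
# Constructed sample: a message that never passed through Email Security.
UNSCANNED_MSG = "From: partner@example.org\r\nSubject: Hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    print(triage(SPAM_MSG, EXAMPLE_NET_DMARC))   # explained_by_dmarc: True
    print(triage(UNSCANNED_MSG, None))           # scanned: False
```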

## Delivery issues

### Emails are delayed or not arriving

If emails are not being delivered or are arriving with significant latency:

1. **Check MX records**: Ensure your [MX records](https://developers.cloudflare.com/cloudflare-one/email-security/setup/) are correctly configured and pointing to Cloudflare.
2. **Verify connectivity**: From your sending mail server, verify you can connect to Cloudflare's mailstream endpoints on port 25.
3. **Check outbound logs**: In the dashboard, use the **Mail Trace** feature to confirm if Email Security successfully delivered the email to your downstream mail server (for example, Google Workspace or Microsoft 365).

---

## How to contact Support

If you cannot resolve the issue, [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). Please provide the **Message ID** or **Alert ID** for the affected emails, which you can find in the **Investigation** section of the dashboard.

---

---
title: Data loss prevention
description: How Data loss prevention works in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Data loss prevention

Availability

Available as an add-on to Zero Trust Enterprise plans.

Users on Zero Trust Free and Pay-as-you-go plans can use the [Financial Information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles, [payload logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules), and [false positive reporting](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#report-false-positives).

Cloudflare [Data Loss Prevention](https://www.cloudflare.com/learning/access-management/what-is-dlp/) (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.

DLP scans HTTP traffic, SaaS application files, and AI prompts for sensitive data such as credit card numbers, credentials, and personally identifiable information.

Cloudflare does not write scanned content to disk. DLP encrypts and temporarily stores content in memory only. To retain matched content for review, configure [payload logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) for encrypted payload copies or a [Logpush destination](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to export full matching HTTP requests.

## Data classification

Data Classification extends Cloudflare DLP with reusable labels and data classes for organizing sensitive content. Use it to define sensitivity schemas, sensitivity levels, data tag groups, data tags, and reusable classification rules that can then be applied in custom DLP profiles.

To get started, refer to [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/).

## Data in transit

Data Loss Prevention complements [Secure Web Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) to detect sensitive data transferred in HTTP requests. DLP scans the HTTP body (excluding headers), which may include uploaded or downloaded files, chat messages, forms, and other web content. You can also use DLP with [Email security](https://developers.cloudflare.com/cloudflare-one/email-security/) to scan [outbound emails](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/).

DLP requires [Gateway HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) with [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) to read the contents of HTTPS traffic in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy).

To get started, refer to [Scan HTTP traffic with DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/).

## Data at rest

Data Loss Prevention complements [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) (Cloud Access Security Broker) to detect sensitive data stored in your SaaS applications. CASB connects directly to SaaS application APIs to retrieve and scan files, rather than reading files as they pass through Cloudflare Gateway. Because of this, Gateway and Cloudflare One Client settings (such as [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies and [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configurations) do not affect data at rest scans.

To get started, refer to [Scan SaaS applications with DLP](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/).

## AI traffic

Data Loss Prevention integrates with [Cloudflare AI Gateway](https://developers.cloudflare.com/ai-gateway/) to scan AI prompts and responses for sensitive data. When DLP is enabled on an AI Gateway, it inspects the text content of requests sent to AI providers and responses returned from AI models, without requiring Gateway HTTP filtering or TLS decryption.

To get started, refer to [Set up DLP for AI Gateway](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/).

## Troubleshooting

For help resolving common issues with DLP, refer to [Troubleshoot DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/troubleshoot-dlp/).

## Supported file types

### Formats

DLP supports reporting and scanning the following file types:

* Text and CSV
* Microsoft Office 2007 and later (`.docx`, `.xlsx`, `.pptx`), including Microsoft 365
* PDF
* ZIP files containing the above

DLP will scan the text contained in text, Microsoft Office, and PDF files.

Note

ZIP files can be recursively compressed a maximum of 10 times.

---

---
title: Data Loss Prevention (DLP)
description: Protect sensitive data in AI Gateway prompts and responses using Cloudflare DLP detection engines.
image: https://developers.cloudflare.com/dev-products-preview.png
---

# Data Loss Prevention (DLP)

Data Loss Prevention (DLP) for AI Gateway helps protect your organization from inadvertent exposure of sensitive data through AI interactions. By integrating with Cloudflare's proven DLP technology, AI Gateway can scan both incoming prompts and outgoing AI responses for sensitive information, ensuring your AI applications maintain security and compliance standards.

## How it works

AI Gateway DLP uses the same detection engines as [Cloudflare's Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) solution to scan AI traffic in real time. The system analyzes both user prompts sent to AI models and responses received from AI providers, identifying sensitive data patterns and taking the configured protective action.

## Key benefits

* **Prevent data leakage**: Stop sensitive information from being inadvertently shared with AI providers or exposed in AI responses
* **Maintain compliance**: Help meet regulatory requirements like GDPR, HIPAA, and PCI DSS
* **Consistent protection**: Apply the same DLP policies across all AI providers and models
* **Audit visibility**: Comprehensive logging and reporting for security and compliance teams
* **Zero-code integration**: Enable protection without modifying existing AI applications

## Supported AI traffic

AI Gateway DLP can scan:

* **User prompts** - Content submitted to AI models, including text, code, and structured data
* **AI responses** - Output generated by AI models before being returned to users

The system works with all AI providers supported by AI Gateway, providing consistent protection regardless of which models or services you use.

### Inspection scope

DLP inspects the text content of request and response bodies as they pass through AI Gateway. The following details apply:

* **Non-streaming requests and responses**: DLP scans the full request and response body.
* **Streaming (SSE) responses**: DLP buffers the full streamed response before scanning. This means DLP-scanned streaming responses are not delivered incrementally to the client. Expect increased time-to-first-token latency when DLP response scanning is enabled on streaming requests, because the entire response must be received from the provider before DLP can evaluate it and release it to the client.
* **Tool call arguments and results**: DLP scans the text content present in the message body, which includes tool call arguments and results if they appear in the JSON request or response payload.
* **Base64-encoded images and file attachments**: DLP does not decode base64-encoded content or follow external URLs. Only the raw text of the request and response body is inspected.
* **Multipart form data**: DLP scans the text portions of the request body. Binary data within multipart payloads is not inspected.

### Streaming behavior

When DLP response scanning is enabled and a client sends a streaming request (`"stream": true`), AI Gateway buffers the complete provider response before running DLP inspection. This differs from requests without DLP, where streamed chunks are forwarded to the client as they arrive.

Because of this buffering:

* **Time-to-first-token latency increases** proportionally to the full response generation time.
* **Request-only DLP scanning** (where the **Check** setting is set to **Request**) does not buffer the response and has no impact on streaming latency.
* If you need low-latency streaming for certain requests while still using DLP on the same gateway, consider setting the DLP policy **Check** to **Request** only, or use separate gateways for latency-sensitive and DLP-scanned traffic.
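The inspection scope and streaming points above, as an added example that is not AI Gateway's code: a toy card-number detector stands in for a DLP profile and is run over the raw request body and over a reassembled OpenAI-style SSE stream (all samples constructed). It shows that a tool result inside the JSON body is visible to the scan, a base64 data URL is not, and a number split across stream chunks is only caught once the whole response has been buffered.

```python
import base64
import json
import re

# Toy detector standing in for a DLP profile (constructed for this example):
# a 16-digit card-like number, with optional spaces or hyphens, that passes Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so the toy detector does not fire on every 16-digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Scan text exactly as received: no base64 decoding, no URL fetching."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_request_body(body: dict) -> list:
    """Non-streaming request: the whole JSON body is scanned as text, so tool
    call arguments and tool results inside it are visible to the scan."""
    return scan_text(json.dumps(body))


def reassemble_sse(stream: str) -> str:
    """Join the delta text of an OpenAI-style chat completion SSE stream.
    This is the buffering step: the scan cannot run until the stream ends."""
    parts = []
    for line in stream.splitlines():
        if not line.startswith("data:"):
            continue
        payload = line[len("data:"):].strip()
        if payload == "[DONE]":
            break
        for choice in json.loads(payload).get("choices", []):
            parts.append(choice.get("delta", {}).get("content") or "")
    return "".join(parts)


def scan_streaming_response(stream: str, check_response: bool) -> dict:
    """With response checking on, nothing reaches the client until the full
    stream is buffered and scanned; with it off, chunks pass straight through."""
    if not check_response:
        return {"released_incrementally": True, "findings": []}
    return {"released_incrementally": False,
            "findings": scan_text(reassemble_sse(stream))}


# Constructed sample request: a tool result carrying a card number sits in the
# raw JSON body, so the scan sees it.
REQUEST_WITH_TOOL_RESULT = {
    "model": "example-model",
    "messages": [
        {"role": "user", "content": "Summarize the customer record."},
        {"role": "tool", "tool_call_id": "call_1",
         "content": "name=Jane Doe card=4111 1111 1111 1111"},
    ],
}

# Constructed sample request: the same text as a base64 data URL is not decoded.
ENCODED = base64.b64encode(b"card=4111 1111 1111 1111").decode()
REQUEST_WITH_BASE64 = {
    "model": "example-model",
    "messages": [{"role": "user", "content": [
        {"type": "image_url", "image_url": {"url": "data:text/plain;base64," + ENCODED}},
    ]}],
}

# Constructed SSE stream whose card number is split across two chunks: no single
# chunk matches, only the buffered whole does.
STREAM_CHUNKS = ["The card on file is 4111 1111", " 1111 1111, expiring next year."]
STREAM = "".join(
    "data: " + json.dumps({"choices": [{"delta": {"content": c}}]}) + "\n\n"
    for c in STREAM_CHUNKS
) + "data: [DONE]\n\n"

if __name__ == "__main__":
    print(scan_request_body(REQUEST_WITH_TOOL_RESULT))   # ['4111111111111111']
    print(scan_request_body(REQUEST_WITH_BASE64))        # []
    print([scan_text(c) for c in STREAM_CHUNKS])         # [[], []]
    print(scan_streaming_response(STREAM, True))
```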

### Per-request DLP controls

DLP policies are configured at the gateway level and apply uniformly to all requests passing through that gateway. There is no per-request header to select specific DLP profiles or to bypass DLP scanning for individual requests.

If you need different DLP policies for different use cases (for example, per-tenant policy variance in a multi-tenant application), the recommended approach is to create separate gateways with different DLP configurations and route requests to the appropriate gateway based on your application logic.

## Integration with Cloudflare DLP

AI Gateway DLP uses the same [detection profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) as Cloudflare One's DLP solution. Profiles are shared account-level objects, so you can reuse existing predefined or custom profiles across both [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/) and AI Gateway DLP policies.

Key differences from Cloudflare One Gateway DLP:

* **No Gateway proxy or TLS decryption required** - AI Gateway inspects traffic directly as an AI proxy, so you do not need to set up [Gateway HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) or [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/).
* **Separate policy management** - DLP policies for AI Gateway are configured per gateway in the AI Gateway dashboard, not in Cloudflare One traffic policies.
* **Separate logs** - DLP events for AI Gateway appear in [AI Gateway logs](https://developers.cloudflare.com/ai-gateway/observability/logging/), not in Cloudflare One HTTP request logs.
* **Shared profiles** - DLP detection profiles (predefined and custom) are shared across both products. Changes to a profile apply everywhere it is used.

For more information about Cloudflare's DLP capabilities, refer to the [Data Loss Prevention documentation](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/).

## Getting started

To enable DLP for your AI Gateway:

1. [Set up DLP policies](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/) for your AI Gateway
2. Configure detection profiles and response actions
3. Monitor DLP events through the Cloudflare dashboard

## Related resources

* [Set up DLP for AI Gateway](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/)
* [Cloudflare Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)
* [AI Gateway Security Features](https://developers.cloudflare.com/ai-gateway/features/guardrails/)
* [DLP Detection Profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/)


---

---
title: Data classification
description: Understand how Data Classification works in Cloudflare DLP.
image: https://developers.cloudflare.com/zt-preview.png
---

# Data classification

Data Classification extends Cloudflare DLP with a reusable layer for identifying, organizing, and labeling sensitive content. Instead of building all detection logic directly inside a DLP profile, you can define labels and reusable classification rules, then apply them in custom DLP profiles.

## What is Data Classification?

With Data Classification, you can:

* Define labels such as sensitivity levels and data tags
* Use templates as a starting point for those labels
* Build reusable data classes that combine multiple signals into a single classification rule

This is useful when you want more than direct inspection. Detection entries help identify sensitive content. Data Classification helps organize and label that content so administrators can identify its severity and apply it consistently across DLP profiles.

Templates provide Cloudflare-managed starting points for sensitivity schemas and data tag groups. When you build from a template, Cloudflare creates a new object in your account that you can edit.

## How Data Classification fits with DLP

Data Classification works alongside detection entries and DLP profiles.

| Component         | What it does                                                                                                            |
| ----------------- | ----------------------------------------------------------------------------------------------------------------------- |
| Detection entries | Detect specific content such as patterns, datasets, document fingerprints, AI prompt topics, and predefined detections. |
| Labels            | Define sensitivity schemas, sensitivity levels, data tag groups, and data tags used to describe matched content.        |
| Templates         | Provide Cloudflare-managed starting points for sensitivity schemas and data tag groups.                                 |
| Data classes      | Build reusable classification rules from detection entries, other data classes, sensitivity levels, and data tags.      |
| DLP profiles      | Apply detection and classification logic to DLP scanning and enforcement workflows.                                     |

In general, detection entries help identify sensitive content. Data Classification helps organize and label that content so administrators can identify its severity, understand where it exists, and apply it consistently. DLP profiles then apply that logic to scanning and enforcement workflows.

## When to use Data Classification vs DLP profiles

Use detection entries and DLP profiles when you want direct detection and enforcement. For example, if you want to detect a specific regex, dataset, or predefined detection and immediately use it in a policy, building directly with detection entries may be enough.

Use Data Classification when you want a more reusable and structured model. For example, Data Classification is a better fit when you want to:

* standardize sensitivity labels across multiple detections
* organize related detections into a reusable data class
* combine multiple signals into a single classification rule
* reuse the same classification logic across multiple DLP profiles

In summary, use DLP profiles when you want enforcement. Use Data Classification when you want to organize and label sensitive content in a reusable way before applying that logic in DLP workflows.

## Next steps

To get started:

* [Configure labels and templates](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/configure-labels-and-templates/) — Create labels and build from Cloudflare-managed templates.
* [Build a data class](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/build-a-data-class/) — Create reusable classification rules and apply them in custom DLP profiles.
* [Configure DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) — Apply detection entries, data classes, and labels in DLP scanning workflows.


---

---
title: Build a data class
description: Create reusable data classes in Cloudflare DLP Data Classification.
image: https://developers.cloudflare.com/zt-preview.png
---

# Build a data class

Data classes are reusable classification rules built from detection entries, other data classes, sensitivity levels, and data tags.

Use a data class when you want to combine multiple signals into a single reusable classification rule that can then be added to custom DLP profiles.

## What a data class does

A data class lets you define classification logic separately from a DLP profile.

Instead of rebuilding the same logic in multiple profiles, you can create one reusable data class and apply it wherever you need it.

Data classes can also assign labels to matched content. This lets you connect raw detections to a broader classification model instead of relying only on direct entry matching in a profile.

## Create a data class

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Data classification** > **Data classes**.
2. Select **Create data class**.
3. Enter a name and optional description.
4. Build the detection rules for the data class.
5. Assign the labels you want matching content to receive.
6. Select **Save**.

## Build detection rules

Data classes use a rule builder to combine multiple signals into one classification rule.

You can build rules from:

* [detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/)
* other existing data classes

Use logical operators such as `AND` and `OR` to control how those conditions are evaluated.

Because data classes can reference other data classes, you can build reusable classification layers instead of recreating the same logic in multiple places. Cloudflare excludes the current data class from the selector to prevent recursive references.

## Assign labels

After you define the rule logic, choose the labels you want matching content to receive.

You can assign:

* a sensitivity schema and sensitivity level
* a data tag group and one or more data tags

When content matches the data class, Cloudflare applies those labels to the match.

## Use a data class in a DLP profile

After you create a data class, you can add it to a custom DLP profile.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Profiles**.
2. Create or edit a custom DLP profile.
3. In **Data classes**, select **Add data classes**.
4. Choose the data classes you want to include, then select **Confirm**.
5. (Optional) Add direct detection entries or labels to the profile.
6. Select **Save profile**.

Custom DLP profiles can combine direct detection entries, data classes, and labels in the same profile.


---

---
title: Configure labels and templates
description: Create labels and build from templates in Cloudflare DLP Data Classification.
image: https://developers.cloudflare.com/zt-preview.png
---

# Configure labels and templates

Labels and templates define the classification metadata you can apply to sensitive content in Cloudflare DLP.

Use the **Labels** tab to create and manage sensitivity schemas, sensitivity levels, data tag groups, and data tags. Use the **Templates** tab to review Cloudflare-managed starting points for sensitivity schemas and data tag groups.

## Labels

Labels help you describe matched content in a consistent way.

Data Classification supports two label types:

* **Sensitivity schemas and levels** define an ordered classification hierarchy.
* **Data tag groups and tags** define additional descriptors you can apply to content.

You can use labels directly in custom DLP profiles and assign them through data classes.

### Sensitivity schemas and levels

A sensitivity schema is a named hierarchy of sensitivity levels, such as `Public`, `Internal`, `Confidential`, or `Restricted`.

Each schema contains one or more ordered levels. In custom DLP profiles, selecting a sensitivity level lets you match content at that level or higher within the selected schema.

### Create a sensitivity schema

When creating a sensitivity schema, you can either create a custom schema from scratch or start from a template.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Data classification** > **Labels**.
2. Select **Create labels**.
3. In **Sensitivity schema**, choose one of the following:  
   * **Create a custom schema** to define the schema from scratch  
   * **Choose a template** to start from a Cloudflare-managed template
4. Enter or review the name and description.
5. Add or update the sensitivity levels you want to include, in order.
6. Select **Save**.

You can edit the resulting sensitivity schema after creation.

### Data tag groups and tags

A data tag group contains related tags you can use to describe content beyond its sensitivity level. For example, a data tag group could contain tags for business function, data owner, or content category.

### Create a data tag group

When creating a data tag group, you can either create a custom group from scratch or start from a template.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Data classification** > **Labels**.
2. Select **Create labels**.
3. In **Data tag group**, choose one of the following:  
   * **Create a custom group** to define the group from scratch  
   * **Choose a template** to start from a Cloudflare-managed template
4. Enter or review the name and description.
5. Add or update the data tags you want to include.
6. Select **Save**.

You can edit the resulting data tag group after creation.

## Templates

Templates provide Cloudflare-managed starting points for sensitivity schemas and data tag groups.

Templates are not linked objects. When you build from a template, Cloudflare creates a new sensitivity schema or data tag group in your account. After that, you can edit it like any other label object you create.

You can start from a template in either of the following ways:

* from the **Templates** tab, by reviewing a template and selecting **Build with template**
* from the **Labels** tab, by selecting **Create labels** and then **Choose a template** inline during creation

### Build from a template from the Templates tab

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Data classification** > **Templates**.
2. Select a template to review its details.
3. Select **Build with template**.
4. Review and customize the resulting sensitivity schema or data tag group.
5. Select **Save**.

After you build from a template, the resulting object appears in the **Labels** tab and can be used in data classes and DLP profiles.

## Use labels in DLP

After you create labels, you can use them in either of the following ways:

* assign them to content through [Build a data class](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/build-a-data-class/)
* apply them directly in [custom DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/)

In custom DLP profiles, sensitivity levels and data tags can be used directly as profile criteria, even when they are not assigned through a data class.
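The rule builder described under Build a data class and the "level or higher" profile criterion described here compose as in the following added Python model. It is not Cloudflare's implementation: the schema, data class, tag and detection entry names (`Corporate`, `payment-card`, `Credit Card Number`, and so on) are constructed, and rejecting indirect reference cycles is this example's own conservative check for definitions kept outside the dashboard.

```python
"""Model of how detection entries, data classes, labels and a custom DLP
profile criterion fit together. Constructed example, not Cloudflare code."""
from __future__ import annotations

from dataclasses import dataclass, field

# A sensitivity schema is an ordered list of levels, lowest first (assumed names).
SCHEMAS = {"Corporate": ["Public", "Internal", "Confidential", "Restricted"]}


@dataclass
class DataClass:
    name: str
    op: str                                               # "AND" or "OR"
    entries: list[str] = field(default_factory=list)      # detection entry names
    classes: list[str] = field(default_factory=list)      # other data class names
    sensitivity: tuple[str, str] | None = None            # (schema, level) to assign
    tags: dict[str, set[str]] = field(default_factory=dict)  # tag group -> tags


class CycleError(ValueError):
    """A data class reaches itself through other data classes."""


def check_no_cycles(classes: dict[str, DataClass]) -> None:
    """The dashboard hides the current class from its own selector; this check
    additionally rejects indirect cycles (a -> b -> a) in an offline definition."""
    def visit(name: str, stack: tuple[str, ...]) -> None:
        if name in stack:
            raise CycleError(" -> ".join(stack + (name,)))
        for child in classes[name].classes:
            visit(child, stack + (name,))
    for name in classes:
        visit(name, ())


def class_matches(name: str, matched_entries: set[str],
                  classes: dict[str, DataClass]) -> bool:
    """Evaluate one data class against the set of detection entries that fired."""
    dc = classes[name]
    signals = [e in matched_entries for e in dc.entries]
    signals += [class_matches(c, matched_entries, classes) for c in dc.classes]
    if not signals:
        return False
    return all(signals) if dc.op == "AND" else any(signals)


def labels_for(matched_entries: set[str], classes: dict[str, DataClass]):
    """Collect the sensitivity levels and data tags assigned by every matching class."""
    levels: dict[str, set[str]] = {}
    tags: dict[str, set[str]] = {}
    for name, dc in classes.items():
        if not class_matches(name, matched_entries, classes):
            continue
        if dc.sensitivity:
            schema, level = dc.sensitivity
            levels.setdefault(schema, set()).add(level)
        for group, ts in dc.tags.items():
            tags.setdefault(group, set()).update(ts)
    return levels, tags


def level_at_or_above(assigned: dict[str, set[str]], schema: str, minimum: str) -> bool:
    """Profile criterion: some assigned level in `schema` is `minimum` or higher."""
    order = SCHEMAS[schema]
    floor = order.index(minimum)
    return any(order.index(lvl) >= floor for lvl in assigned.get(schema, ()))


# Constructed data classes: one nested inside the other.
CLASSES = {
    "payment-card": DataClass(
        "payment-card", "AND",
        entries=["Credit Card Number", "Expiry pattern"],
        sensitivity=("Corporate", "Restricted"), tags={"Owner": {"Finance"}}),
    "customer-record": DataClass(
        "customer-record", "OR",
        entries=["EDM: customers.email"], classes=["payment-card"],
        sensitivity=("Corporate", "Confidential"), tags={"Owner": {"Support"}}),
}


def classify(matched_entries: set[str]):
    """Labels that the constructed classes assign for a set of fired entries."""
    check_no_cycles(CLASSES)
    return labels_for(matched_entries, CLASSES)


if __name__ == "__main__":
    levels, tags = classify({"Credit Card Number", "Expiry pattern"})
    print(levels, tags, level_at_or_above(levels, "Corporate", "Confidential"))
```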


---

---
title: Detection entries
description: Manage reusable detection logic for Cloudflare DLP.
image: https://developers.cloudflare.com/zt-preview.png
---

# Detection entries

Detection entries are the reusable detection logic that Cloudflare DLP uses to identify sensitive content in your web traffic and SaaS applications. You can create and manage detection entries independently of DLP profiles, then add the same entry to one or more custom profiles.

Use the following pages to configure detection entries and review Cloudflare-managed predefined detections.

## Detection entry pages

* [Configure detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/) — Create and manage pattern entries, datasets, document entries, and AI prompt topics.
* [Predefined detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/) — Review Cloudflare-managed predefined detections and their descriptions.


---

---
title: Configure detection entries
description: Create and manage detection entries in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Configure detection entries

Detection entries are the reusable detection logic that Cloudflare DLP uses to identify sensitive content in your web traffic and SaaS applications. You can create and manage detection entries independently of [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/), then add the same entry to one or more custom profiles. You can also use detection entries in [data classes](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/build-a-data-class/).

Detection entries include:

* [Pattern entries](#pattern-entries) — regular expressions used to detect text patterns
* [Predefined detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/) — Cloudflare-managed detections for specific types of sensitive content
* [Exact Data Match datasets](#exact-data-match-datasets) — uploaded datasets of sensitive values to match against, such as customer records or account numbers
* [Custom Wordlist datasets](#custom-wordlist-datasets) — uploaded plaintext datasets used to detect terms such as product names, internal codes, or SKU numbers
* [Document entries](#document-entries) — fingerprints of example documents used to find similar content
* [AI prompt topics](#ai-prompt-topics) — categories of prompts submitted to generative AI tools

## Manage detection entries

In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries** to create, review, and manage detection entries.

The Detection entries section includes dedicated views for different entry types, including **All**, **Pattern**, **Predefined**, **Datasets**, **Documents**, and **AI prompt topics**. You can use search and filters to find specific entries and review details such as type, status, and last updated time.

You can add the same detection entry to multiple custom DLP profiles. When you delete a custom detection entry, Cloudflare lists the profiles that currently use it.

## Predefined detection entries

Predefined detection entries are Cloudflare-managed detections for specific types of sensitive content. You can review them from the **Predefined** view in **Detection entries** and add them directly to custom DLP profiles.

For a full list, refer to [Predefined detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/).

## Pattern entries

Pattern entries use regular expressions to detect text patterns in scanned content. You can create pattern entries independently of a DLP profile and reuse them across multiple custom profiles.

Regular expressions use Rust regex syntax. Cloudflare recommends validating your regex with [Rustexp ↗](https://rustexp.lpil.uk/).

DLP scans UTF-8 text, in which a single character can be up to 4 bytes. A custom text pattern detection is limited to 1024 bytes in length, so multibyte characters use up the limit faster than ASCII.

DLP does not support regular expressions with `+` or `*` operators because they are prone to exceeding the length limit. For example, the regex pattern `a+` can detect an infinite number of `a` characters. Cloudflare recommends using `a{min,max}` instead, such as `a{1,1024}`.
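An added preflight script, not part of Cloudflare's tooling, that applies the two constraints above before you paste a pattern into the dashboard: it flags `+`, `*` and `{n,}` quantifiers that are not escaped and not inside a character class, rewrites them to the bounded `{min,max}` form with 1024 as the upper bound, and shows why a `{1,1024}` match of multibyte characters can still exceed the 1024-byte detection limit. The `re.compile` call is only a rough syntax check with Python's engine; the dashboard's **Validate Regex** step is what checks Rust syntax.

```python
"""Preflight checks for a DLP pattern entry. Added example, not Cloudflare code."""
import re

MAX_DETECTION_BYTES = 1024      # limit stated for custom text pattern detections
UNBOUNDED_BRACE = re.compile(r"\{(\d+),\}")   # {n,} has no upper bound


def _scan(pattern: str):
    """Yield (start, end, token) for each unbounded quantifier in `pattern`.
    Escaped characters (\\+) and characters inside [...] are literals."""
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                  # skip the escape and the escaped char
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch in "+*":
            yield i, i + 1, ch
        elif ch == "{":
            m = UNBOUNDED_BRACE.match(pattern, i)
            if m:
                yield i, m.end(), m.group(0)
                i = m.end()
                continue
        i += 1


def find_unbounded_quantifiers(pattern: str) -> list[tuple[int, str]]:
    """Offsets and text of every quantifier DLP would reject."""
    return [(start, tok) for start, _, tok in _scan(pattern)]


def bound_quantifiers(pattern: str, max_repeat: int = MAX_DETECTION_BYTES) -> str:
    """Rewrite a+ -> a{1,max}, a* -> a{0,max}, a{n,} -> a{n,max}."""
    out, last = [], 0
    for start, end, tok in _scan(pattern):
        out.append(pattern[last:start])
        if tok == "+":
            out.append(f"{{1,{max_repeat}}}")
        elif tok == "*":
            out.append(f"{{0,{max_repeat}}}")
        else:                           # "{n,}" -> "{n,max}"
            out.append(f"{{{tok[1:-2]},{max_repeat}}}")
        last = end
    out.append(pattern[last:])
    return "".join(out)


def fits_detection_limit(matched_text: str) -> bool:
    """True if a candidate match stays within the byte limit once UTF-8 encoded."""
    return len(matched_text.encode("utf-8")) <= MAX_DETECTION_BYTES


def preflight(pattern: str, max_repeat: int = MAX_DETECTION_BYTES) -> dict:
    """Report unbounded quantifiers and a bounded rewrite of the pattern."""
    unbounded = find_unbounded_quantifiers(pattern)
    suggested = bound_quantifiers(pattern, max_repeat) if unbounded else pattern
    try:                                # Python syntax only; Rust syntax differs
        re.compile(suggested)
        compiles = True
    except re.error:
        compiles = False
    return {"unbounded": unbounded, "suggested": suggested, "compiles": compiles}


if __name__ == "__main__":
    print(preflight("ACME-[0-9]+"))
    # 1024 two-byte characters match a{1,1024}-style bounds but are 2048 bytes
    print(fits_detection_limit("a" * 1024), fits_detection_limit("\u00e9" * 1024))
```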

### Create a pattern entry

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries**.
2. From the **Pattern** tab, select **Add Pattern**.
3. Enter a name. Optionally, add a description.
4. In **Value**, enter the regular expression you want to detect.
5. Select **Validate Regex**.
6. After the regex is validated, select **Save**.

To use a pattern entry, add it as an existing entry to one or more [custom DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile).

## Exact Data Match datasets

Exact Data Match (EDM) datasets protect sensitive information such as names, addresses, phone numbers, and account numbers.

All EDM dataset data is encrypted before reaching Cloudflare. To detect matches, Cloudflare hashes traffic and compares it to hashes from your dataset. Matched data will be redacted in payload logs.

### Prepare Exact Data Match datasets

#### Formatting

To prepare an Exact Data Match dataset for DLP, add your desired data to a multi-column spreadsheet. Each line must be at least six characters long. Entries do not require trailing or final commas.

For compatibility, save your file in either `.csv` or `.txt` format with LF (`\n`) newline characters. DLP does not support CRLF (`\r\n`) newline characters. For information on dataset limits, refer to [Account limits](https://developers.cloudflare.com/cloudflare-one/account-limits/#data-loss-prevention-dlp).

#### Column title cells

DLP will detect and use title cells as column names for Exact Data Match datasets. If multiple columns have the same name, DLP will append a number sign (`#`) and number to their names.

**Update EDM datasets**

To select which Exact Data Match columns to use, you will need to [reupload any EDM datasets](#manage-existing-exact-data-match-datasets) added prior to column support.

### Upload a new Exact Data Match dataset

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries**.
2. From the **Datasets** tab, select **Add a dataset**.
3. Select **Exact Data Match (EDM)**.
4. Upload your dataset file. Select **Next**.
5. Review and choose the detected columns you want to include. Select **Next**.
6. Name your dataset. Optionally, add a description. Select **Next**.
7. Review the details for your uploaded dataset. Select **Save dataset**.

DLP will encrypt your dataset and save its hash.

The dataset will appear in the list with an **Uploading** status. Once the upload is complete, the status will change to **Complete**. You can then add the dataset as an existing entry to one or more [custom DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile).

### Manage existing Exact Data Match datasets

Uploaded Exact Data Match datasets are read-only. To update a dataset, you must upload a new file to replace the original.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries**.
2. From the **Datasets** tab, select the dataset you want to update.
3. Select **Upload dataset** and choose your updated dataset. Select **Next**.
4. Review and choose the new columns. Select **Next**.
5. Select **Save dataset**.

Your new dataset will replace the original dataset.

**Remove existing column entries**

If you want to update an Exact Data Match dataset to remove a column in use as an [existing detection entry](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile), you must remove the existing entry from any custom DLP profiles using it before updating the dataset.

## Custom Wordlist datasets

Custom Wordlist (CWL) datasets protect non-sensitive terms such as intellectual property, SKU numbers, and internal project names.

Cloudflare stores data from CWL datasets in plaintext within DLP. Plaintext matches appear in payload logs. Optionally, CWL can detect case-sensitive data.

### Prepare Custom Wordlist datasets

Column title cells may result in false positives in Custom Wordlist datasets and should be removed.
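An added preflight script for dataset files, not a Cloudflare tool, covering the Exact Data Match formatting rules above (LF-only newlines, every line at least six characters, title cells as column names with duplicates given a `#` suffix) and this Custom Wordlist rule (a title row is stripped because it only produces false positives). The page does not state how DLP numbers duplicate titles, so the `email#2` convention and the sample records are this example's own.

```python
"""Preflight for EDM and CWL dataset files before upload. Added example,
not Cloudflare code. Rules applied are the ones stated on this page."""
from __future__ import annotations

import csv

MIN_LINE_CHARS = 6          # EDM: each line must be at least six characters


def disambiguate_columns(titles: list[str]) -> list[str]:
    """Suffix repeated title cells with '#<n>'. DLP appends '#' and a number;
    starting the suffix at the second occurrence is this example's choice."""
    seen: dict[str, int] = {}
    out = []
    for title in titles:
        seen[title] = seen.get(title, 0) + 1
        out.append(title if seen[title] == 1 else f"{title}#{seen[title]}")
    return out


def preflight(raw: bytes, kind: str = "edm", has_header: bool = False) -> dict:
    """Check a dataset file and return findings plus an LF-normalized copy.

    kind: "edm" (Exact Data Match) or "cwl" (Custom Wordlist).
    has_header: for CWL, whether the first line is a title row to strip.
    """
    problems: list[str] = []
    notes: list[str] = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return {"ok": False, "problems": [f"not valid UTF-8: {exc}"], "notes": [],
                "columns": None, "rows": 0, "normalized": b""}
    if "\r\n" in text:
        problems.append("CRLF newlines found; the upload needs LF (\\n) newlines")
        text = text.replace("\r\n", "\n")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                             # trailing newline is not a record
    columns = None
    if kind == "edm":
        for n, line in enumerate(lines, start=1):
            if len(line) < MIN_LINE_CHARS:
                problems.append(f"line {n} is shorter than {MIN_LINE_CHARS} characters")
        if lines:
            columns = disambiguate_columns(next(csv.reader([lines[0]])))
            if len(columns) < 2:
                notes.append("only one column detected; EDM expects a multi-column file")
        data_lines = lines[1:]                  # title row is kept for upload
    elif kind == "cwl":
        if has_header and lines:
            notes.append("title row removed: header cells cause false positives in CWL")
            lines = lines[1:]
        data_lines = lines
    else:
        raise ValueError(f"unknown dataset kind {kind!r}")
    normalized = ("\n".join(lines) + "\n").encode("utf-8") if lines else b""
    return {"ok": not problems, "problems": problems, "notes": notes,
            "columns": columns, "rows": len(data_lines), "normalized": normalized}


# Constructed sample files (example data, not real records).
SAMPLE_EDM = (b"name,email,email\n"
              b"Ada Lovelace,ada@example.com,ada@corp.example\n"
              b"Bob Example,bob@example.com,bob@corp.example\n")
SAMPLE_CWL = b"term\nProject Falcon\nSKU-44812\n"


if __name__ == "__main__":
    print(preflight(SAMPLE_EDM))
    print(preflight(SAMPLE_CWL, kind="cwl", has_header=True))
```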

### Upload a new Custom Wordlist dataset

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries**.
2. From the **Datasets** tab, select **Add a dataset**.
3. Select **Custom Wordlist (CWL)**.
4. Name your dataset. Optionally, add a description.
5. In **Upload file**, choose your dataset file.
6. (Optional) In **Settings**, turn on **Enforce case sensitivity** to require matched values to contain exact capitalization.
7. Select **Save**.

DLP will save your dataset in cleartext.

The dataset will appear in the list with an **Uploading** status. Once the upload is complete, the status will change to **Complete**. You can then add the dataset as an existing entry to one or more [custom DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile).

### Manage existing Custom Wordlist datasets

Uploaded Custom Wordlist datasets are read-only. To update a dataset, you must upload a new file to replace the original.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries**.
2. From the **Datasets** tab, select the dataset you want to update.
3. Select **Upload dataset** and choose your updated dataset. Select **Next**.
4. Select **Save dataset**.

Your new dataset will replace the original dataset.

## Document entries

You can upload example documents to detect similar content in your organization's traffic. DLP creates a unique fingerprint of the document and compares traffic against it based on how similar it is to the original. This is useful for detecting specific document types common to your organization, such as contract templates or internal reports, where the content does not reduce to a list of individual values in an uploaded dataset.

DLP stores uploaded documents encrypted at rest in a [Cloudflare R2](https://developers.cloudflare.com/r2/) bucket. To upload sensitive data that is only stored in memory, use [Exact Data Match datasets](#exact-data-match-datasets).

### Prepare document entries

DLP supports documents in `.docx` and `.txt` format. Documents must be under 10 MB.

### Upload a new document entry

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries**.
2. From the **Documents** tab, select **Add a document entry**.
3. Name your document. Optionally, add a description.
4. In **Minimum similarity for matches**, enter a value between 0% and 100%.
5. In **Upload document**, choose and upload your document file.
6. Select **Save**.

The document will appear in the list with a **Pending** status. Once the upload is complete, the status will change to **Complete**. If you created a document entry with Terraform, the status will be **No file** until you upload a file.

To use your uploaded document fingerprint, add it as an existing entry to one or more [custom DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile).

### Manage existing document entries

Uploaded document entries are read-only. To update a document entry, you must upload a new file to replace the original.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries**.
2. From the **Documents** tab, choose the document you want to update and select **Edit**.
3. (Optional) Update the name and minimum similarity for matches for your document entry. You can also open the existing uploaded document.
4. In **Update document entry**, choose and upload your updated document file.
5. Select **Save**.

Your new document entry will replace the original document entry. If your file upload fails, DLP will still use the original document fingerprint to scan traffic until you delete the entry.

## AI prompt topics

DLP uses [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls) to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported AI prompt protection detections include:

| Detection entry                       | Description                                                                                       |
| ------------------------------------- | ------------------------------------------------------------------------------------------------- |
| Content: PII                          | Prompt contains personal information such as names, SSNs, or email addresses.                     |
| Content: Credentials and Secrets      | Prompt contains API keys, passwords, or other sensitive credentials.                              |
| Content: Source Code                  | Prompt contains actual source code, code snippets, or proprietary algorithms.                     |
| Content: Customer Data                | Prompt contains customer names, projects, business activities, or confidential customer contexts. |
| Content: Financial Information        | Prompt contains financial numbers or confidential business data.                                  |
| Intent: PII                           | Prompt requests specific personal information about individuals.                                  |
| Intent: Code Abuse and Malicious Code | Prompt requests malicious code for attacks, exploits, or harmful activities.                      |
| Intent: Jailbreak                     | Prompt attempts to circumvent AI security policies.                                               |

Each detection entry is categorized as either **Content** or **Intent**:

* **Content** — Detects specific text or data in the prompt itself (for example, a user pasting source code or a credit card number into a chat).
* **Intent** — Detects the user's goal or objective for the AI's response (for example, a user asking an AI to generate malicious code or extract personal information).

Intent detection is useful when AI applications have access to internal data sources containing sensitive information through SaaS connectors or Model Context Protocol (MCP) servers.

To use an AI prompt topic, configure the corresponding [predefined DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) or add it as an existing entry to one or more [custom DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile). AI prompt protection is available for ChatGPT, Google Gemini, Perplexity, and Claude.

---

---
title: Predefined detection entries
description: Reference information for predefined detection entries in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Predefined detection entries

Predefined detection entries are Cloudflare-managed detections for specific types of sensitive content. You can review these entries from the **Predefined** view in **Detection entries**.

You can add any predefined detection entry directly to a custom [DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile) or [data class](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/build-a-data-class/). Use the following reference to review all predefined detection entries currently supported by Cloudflare DLP.

| Detection entry                                      | Description                                                                                                                                                                  |
| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| AI Prompt Content: Credentials and Secrets           | Prompt contains API keys, passwords, or other sensitive credentials                                                                                                          |
| AI Prompt Content: Customer data                     | Prompt contains customer names, projects, business activities, or confidential customer contexts                                                                             |
| AI Prompt Content: Financial Information             | Prompt contains actual financial numbers or confidential business data                                                                                                       |
| AI Prompt Content: PII                               | Prompt contains personal information (names, SSNs, emails, etc.)                                                                                                             |
| AI Prompt Content: Source code                       | Prompt contains source code, code snippets, or proprietary algorithms                                                                                                        |
| AI Prompt Intent: Code Abuse and Malicious Code      | Malicious code or attempts to exploit vulnerabilities                                                                                                                        |
| AI Prompt Intent: Jailbreak                          | Prompt attempts to circumvent security policies                                                                                                                              |
| AI Prompt Intent: PII                                | Prompt requests specific personal information about individuals                                                                                                              |
| Amazon AWS Access Key ID                             | Detects Amazon AWS access key IDs such as AKIA<ACCESS\_KEY\_ID>.                                                                                                             |
| Amazon AWS Secret Access Key                         | Detects potential Amazon AWS secret access keys such as <AWS\_SECRET\_ACCESS\_KEY>.                                                                                          |
| American Express Card Number                         | Detects American Express credit card numbers such as "378282246310005".                                                                                                      |
| American Express Text                                | Detects mentions of the American Express brand name such as "American Express".                                                                                              |
| AU Passport Number                                   | Detects Australian passport numbers such as "L1234567".                                                                                                                      |
| Australia Address                                    | Detects Australian street addresses with state and postcode such as "100 George St, Sydney NSW 2000".                                                                        |
| Australia Business (ABN)                             | Detects Australian Business Numbers (ABN) such as "51 824 753 556".                                                                                                          |
| Australia Company (ACN)                              | Detects Australian Company Numbers (ACN) such as "001 000 004".                                                                                                              |
| Australia Medicare                                   | Detects Australian Medicare card numbers such as "2000000006".                                                                                                               |
| Australia Passport                                   | Detects Australian passport numbers such as "L1234567".                                                                                                                      |
| Australia Tax File Number                            | Detects Australian Tax File Numbers (TFN) such as "85 655 734".                                                                                                              |
| Austria SSN (SV-Nummer)                              | Detects Austrian social security numbers (SV-Nummer) such as "1018 010180".                                                                                                  |
| Austria Tax ID                                       | Detects Austrian tax identification numbers (Steuernummer) such as "12 345/6789".                                                                                            |
| Austria VAT (UID)                                    | Detects Austrian VAT numbers (UID-Nummer) such as "ATU12345678".                                                                                                             |
| Belgium Tax ID (NN)                                  | Detects Belgian national numbers (Numéro National / Rijksregisternummer) such as "85.07.30-000.61".                                                                          |
| Belgium VAT                                          | Detects Belgian VAT numbers such as "BE0000000097".                                                                                                                          |
| Bitcoin Wallet                                       | Detects Bitcoin wallet addresses such as "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2".                                                                                               |
| Brazil CNPJ                                          | Detects Brazilian corporate taxpayer registry numbers (CNPJ) such as "11.222.333/0001-81".                                                                                   |
| Brazil CPF (Tax ID)                                  | Detects Brazilian individual taxpayer registry numbers (CPF) such as "529.982.247-25".                                                                                       |
| Bulgaria Uniform Civil (EGN)                         | Detects Bulgarian Uniform Civil Numbers (EGN) such as "2405500007".                                                                                                          |
| C                                                    | Detects C source code.                                                                                                                                                       |
| C#                                                   | Detects C# source code.                                                                                                                                                      |
| C++                                                  | Detects C++ source code.                                                                                                                                                     |
| Canada Bank Account Number                           | Detects Canadian bank account numbers (institution + transit + account) such as "12345-678 1234567".                                                                         |
| Canada Health Number                                 | Detects Canadian provincial health card numbers such as "1234-567-897".                                                                                                      |
| Canada Passport                                      | Detects Canadian passport numbers such as "AB123456".                                                                                                                        |
| Canada PHIN (Manitoba)                               | Detects Manitoba Personal Health Identification Numbers (PHIN) such as "100000009".                                                                                          |
| Canada Physical Address                              | Detects Canadian street addresses with postal code such as "100 Main St, Ottawa, ON K1A 0B1".                                                                                |
| Canada Social Insurance Number                       | Detects Canadian Social Insurance Numbers (SIN) such as "114 905 474".                                                                                                       |
| Chile National ID (RUT)                              | Detects Chilean national identification numbers (RUT / Rol Único Tributario) such as "12.345.678-5".                                                                         |
| China ID Card                                        | Detects Chinese resident identity card numbers such as "11010519491231002X".                                                                                                 |
| Cloudflare Account Owned API Token                   | Detects Cloudflare account-owned API tokens such as cfat\_<ACCOUNT\_OWNED\_API\_TOKEN>.                                                                                      |
| Cloudflare User API Key                              | Detects Cloudflare user API keys such as cfk\_<USER\_API\_KEY>.                                                                                                              |
| Cloudflare User API Token                            | Detects Cloudflare user API tokens such as cfut\_<USER\_API\_TOKEN>.                                                                                                         |
| Croatia Personal ID (OIB)                            | Detects Croatian personal identification numbers (OIB) such as "10000000005".                                                                                                |
| Denmark Tax (CPR)                                    | Detects Danish personal identification numbers (CPR-nummer) such as "010180-0008".                                                                                           |
| Diners Club Card Number                              | Detects Diners Club credit card numbers such as "30121690374838".                                                                                                            |
| Discord Webhook                                      | Detects Discord webhook URLs such as a webhook URL under discord.com/api/webhooks/.                                                                                          |
| Email Address                                        | Detects email addresses such as "test@example.com".                                                                                                                         |
| Ethereum Wallet                                      | Detects Ethereum wallet addresses such as "0x71C7656EC7ab88b098defB751B7401B5f6d8976F".                                                                                      |
| EU Passport                                          | Detects EU member state passport numbers such as "AB1234567".                                                                                                                |
| FDA Active Ingredients                               | Detects FDA-registered drug active ingredient names such as "ABEMACICLIB".                                                                                                   |
| FDA Drug Names                                       | Detects FDA-registered drug names such as "ABACAVIR".                                                                                                                        |
| Finland Tax ID                                       | Detects Finnish personal identity codes (Henkilötunnus / HETU) such as "311280-888Y".                                                                                        |
| France CNI (National ID)                             | Detects French national identity card numbers (Carte nationale d'identité) such as "12345678901".                                                                            |
| France Passport                                      | Detects French passport numbers such as "12AB34567".                                                                                                                         |
| France Social Security Number                        | Detects French social security (INSEE) numbers such as "145081849670637".                                                                                                    |
| France Tax ID (SPI)                                  | Detects French tax identification numbers (Numéro fiscal SPI) such as "1234567890123".                                                                                       |
| France VAT                                           | Detects French VAT numbers such as "FR12000000000".                                                                                                                          |
| Full Name                                            | Detects personal full names.                                                                                                                                                 |
| Generic CVV Card Number                              | Detects credit card CVV/CVC verification codes in context of the "cvv" keyword, such as "cvv: 033".                                                                          |
| Germany Tax ID                                       | Detects German tax identification numbers (Steueridentifikationsnummer) such as "10000000005".                                                                               |
| Germany VAT                                          | Detects German VAT numbers (USt-IdNr) such as "DE100000003".                                                                                                                 |
| GitHub PAT                                           | Detects GitHub personal access tokens such as a token beginning with ghp\_.                                                                                                  |
| Go                                                   | Detects Go source code.                                                                                                                                                      |
| Google GCP API Key                                   | Detects Google Cloud Platform API keys such as AIza<API\_KEY>.                                                                                                               |
| Greece Tax (AFM)                                     | Detects Greek tax identification numbers (AFM) such as "100000003".                                                                                                          |
| Haskell                                              | Detects Haskell source code.                                                                                                                                                 |
| Hong Kong Identity Card Number                       | Detects Hong Kong identity card (HKID) numbers such as "F543210(A)".                                                                                                         |
| Hungary Tax                                          | Detects Hungarian tax identification numbers (Adóazonosító jel) such as "8000000008".                                                                                        |
| IBAN                                                 | Detects International Bank Account Numbers (IBAN) such as "GB94 BARC 1020 1530 0934 59".                                                                                     |
| ICD-10 FY2023 Short Description                      | Detects ICD-10 FY2023 medical diagnosis terms such as "Typhoid fever, unspecified".                                                                                          |
| ICD-11 Short Description                             | Detects ICD-11 medical diagnosis terms such as "ABDOMINAL ACTINOMYCOSIS".                                                                                                    |
| India Aadhaar                                        | Detects Indian Aadhaar national identification numbers such as "2345 6789 0124".                                                                                             |
| India GST (GSTIN)                                    | Detects Indian Goods and Services Tax identification numbers (GSTIN) such as "22AAAAA0000A1Z5".                                                                              |
| India PAN Card                                       | Detects Indian Permanent Account Number (PAN) card identifiers such as "ABCDE1234F".                                                                                         |
| India Voter ID                                       | Detects Indian Voter ID (EPIC) numbers such as "ABC1234567".                                                                                                                 |
| Indonesia Identity Card Number                       | Detects Indonesian identity card (KTP/NIK) numbers such as "3203012503770011".                                                                                               |
| Indonesia Tax (NPWP)                                 | Detects Indonesian taxpayer identification numbers (NPWP) such as "12.345.678.9-012.345".                                                                                    |
| Ireland Tax (PPS)                                    | Detects Irish Personal Public Service numbers (PPS) such as "1234567FA".                                                                                                     |
| Ireland VAT                                          | Detects Ireland VAT numbers such as "IE1234567T".                                                                                                                            |
| Italy Fiscal Code                                    | Detects Italian fiscal codes (Codice Fiscale) such as "BNZVCN32S10E573Z".                                                                                                    |
| Japan Address                                        | Detects Japanese postal addresses identified by a postal code marker such as "〒100-0001".                                                                                    |
| Japan My Number (Corp)                               | Detects Japanese corporate My Number identifiers (Hojin Bango) such as "7000012050002".                                                                                      |
| Japan My Number (Person)                             | Detects Japanese individual My Number identifiers (Kojin Bango) such as "100000000005".                                                                                      |
| Japan Names (Kanji)                                  | Detects Japanese personal names written in kanji and labeled in context such as "氏名: 田中太郎".                                                                                  |
| Japan Passport                                       | Detects Japanese passport numbers such as "TZ1234567".                                                                                                                       |
| Java                                                 | Detects Java source code.                                                                                                                                                    |
| JavaScript                                           | Detects JavaScript source code.                                                                                                                                              |
| Korea Resident Number (RRN)                          | Detects South Korean Resident Registration Numbers (RRN) such as "850515-1234567".                                                                                           |
| Lua                                                  | Detects Lua source code.                                                                                                                                                     |
| Luxembourg Tax                                       | Detects Luxembourg national identification numbers (Matricule) such as "1985010112345".                                                                                      |
| Luxembourg VAT                                       | Detects Luxembourg VAT numbers such as "LU10000053".                                                                                                                         |
| Malaysian National Identity Card Number              | Detects Malaysian national identity card (MyKad) numbers such as "560224-10-8354".                                                                                           |
| Mastercard Card Number                               | Detects Mastercard credit card numbers such as "5252 5971 4219 4116".                                                                                                        |
| Mastercard Text                                      | Detects mentions of the Mastercard brand name such as "Mastercard".                                                                                                          |
| Microsoft Azure Client Secret                        | Detects Microsoft Azure client secrets such as <AZURE\_CLIENT\_SECRET>.                                                                                                      |
| MX CLABE (Bank)                                      | Detects Mexican CLABE bank account numbers such as "032180000118359719".                                                                                                     |
| MX CURP                                              | Detects Mexican CURP codes such as "GOMC850515HJCRRR05".                                                                                                                     |
| Netherlands BSN                                      | Detects Dutch citizen service numbers (Burgerservicenummer / BSN) such as "123456782".                                                                                       |
| Netherlands VAT                                      | Detects Dutch VAT numbers (Btw-nummer) such as "NL123456782B01".                                                                                                             |
| NPM Token                                            | Detects npm registry access tokens such as a token beginning with npm\_.                                                                                                     |
| NZ NHI Number                                        | Detects New Zealand National Health Index (NHI) numbers such as "ZZZ0016".                                                                                                   |
| NZ Tax (IRD)                                         | Detects New Zealand Inland Revenue Department (IRD) tax numbers such as "49-091-850".                                                                                        |
| OpenAI API Key                                       | Detects OpenAI API keys such as a key beginning with sk-proj-.                                                                                                               |
| Peru Tax (RUC)                                       | Detects Peruvian taxpayer identification numbers (RUC) such as "20000000001".                                                                                                |
| Peru Unique ID (DNI)                                 | Detects Peruvian national identity numbers (DNI) such as "12345678".                                                                                                         |
| Philippines Unified Multi-Purpose ID Identity Number | Detects Philippines Unified Multi-Purpose ID (UMID) numbers such as "2460-1501400-1".                                                                                        |
| Poland National ID (PESEL)                           | Detects Polish national identification numbers (PESEL) such as "85051500006".                                                                                                |
| Poland REGON                                         | Detects Polish National Business Registry numbers (REGON) such as "100000008".                                                                                               |
| Poland Tax (NIP)                                     | Detects Polish tax identification numbers (NIP) such as "123-456-32-18".                                                                                                     |
| Portugal Tax (NIF)                                   | Detects Portuguese tax identification numbers (NIF / Número de Contribuinte) such as "100000002".                                                                            |
| PyPI Token                                           | Detects PyPI package upload tokens such as a token beginning with pypi-.                                                                                                     |
| Python                                               | Detects Python source code.                                                                                                                                                  |
| R                                                    | Detects R source code.                                                                                                                                                       |
| Rust                                                 | Detects Rust source code.                                                                                                                                                    |
| Singapore National Registration Identity Card Number | Detects Singapore NRIC/FIN identity card numbers such as "S6792120H".                                                                                                        |
| Slack API Token                                      | Detects Slack API tokens such as a token beginning with xoxb-.                                                                                                               |
| Slack Webhook                                        | Detects Slack incoming webhook URLs such as a webhook URL under hooks.slack.com/services/.                                                                                   |
| Spain DNI/NIF                                        | Detects Spanish national identity numbers (DNI/NIF) such as "12345678Z".                                                                                                     |
| Spain SSN                                            | Detects Spanish Social Security affiliation numbers (NAF) such as "28 1234567890".                                                                                           |
| Spain Tax (CIF)                                      | Detects Spanish corporate tax identification codes (CIF) such as "A58818501".                                                                                                |
| SSH Private Key                                      | Detects SSH private key material such as "-----BEGIN OPENSSH PRIVATE KEY-----".                                                                                              |
| Stripe Granular Restricted Key                       | Detects Stripe live-mode restricted API keys such as a key beginning with rk\_live\_.                                                                                        |
| Stripe Standard Secret Key                           | Detects Stripe live-mode secret API keys such as a key beginning with sk\_live\_.                                                                                            |
| Sweden Tax                                           | Detects Swedish personal identity numbers (Personnummer) such as "811228-9874".                                                                                              |
| SWIFT                                                | Detects SWIFT/BIC business identifier codes such as "PMFAUS66".                                                                                                              |
| Swift                                                | Detects Swift source code.                                                                                                                                                   |
| Taiwan National Identification Number                | Detects Taiwan national identification numbers such as "W171845961".                                                                                                         |
| Thai Identity Card Number                            | Detects Thai national identity card numbers such as "4-8547-01245-28-9".                                                                                                     |
| UAE Passport                                         | Detects United Arab Emirates passport numbers such as "A1234567".                                                                                                            |
| Union Pay Card Number                                | Detects UnionPay credit card numbers such as "6250941006528599".                                                                                                             |
| Union Pay Text                                       | Detects mentions of the UnionPay brand name such as "Union Pay".                                                                                                             |
| United Kingdom National Insurance Number             | Detects UK National Insurance Numbers (NINO) such as "OC 66 31 85 C".                                                                                                        |
| United Kingdom NHS Number                            | Detects UK NHS patient identification numbers such as "485-585-0454".                                                                                                        |
| United States ABA Routing Number                     | Detects US ABA bank routing numbers such as "021000021".                                                                                                                     |
| United States SSN Numeric Detection                  | Detects US Social Security Numbers such as "123-45-6789".                                                                                                                    |
| United States SSN Text                               | Detects mentions of "SSN" or "social security" as a keyword, such as "social security".                                                                                      |
| Unsanitized HAR File                                 | Detects HAR (HTTP Archive) files that may contain unsanitized authentication tokens or session data, such as a HAR file containing Authorization: Bearer <USER\_API\_TOKEN>. |
| Uruguay ID (CI)                                      | Detects Uruguayan national identity numbers (Cédula de Identidad) such as "1.234.500-8".                                                                                     |
| US Driver's License Number                           | Detects US driver's license numbers such as "CA License: A1234567".                                                                                                          |
| US Individual Tax Identification Number (ITIN)       | Detects US Individual Taxpayer Identification Numbers (ITIN) such as "934-78-5678".                                                                                          |
| US Mailing Address                                   | Detects US mailing addresses such as "100 First St, Chicago, IL 60601".                                                                                                      |
| US Passport Number                                   | Detects US passport numbers such as "A12345678".                                                                                                                             |
| US Phone Number                                      | Detects US phone numbers such as "555-555-5555".                                                                                                                             |
| US Physical Address                                  | Detects US street addresses with state and ZIP code such as "100 First St, Chicago, IL 60601".                                                                               |
| Visa Card Number                                     | Detects Visa credit card numbers such as "4111 1111 1111 1111".                                                                                                              |
| Visa Text                                            | Detects mentions of the Visa brand name such as "Visa".                                                                                                                      |

---

---
title: Scan HTTP traffic
description: Scan HTTP traffic in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Scan HTTP traffic

You can scan HTTP traffic for sensitive data through [Secure Web Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) policies. Setting up DLP is a two-step process: first, configure a **DLP profile** that defines what sensitive data patterns to detect, and then build a **Gateway HTTP policy** that defines what action to take (allow, block, or log) when Gateway finds matching data. Gateway will parse and scan your HTTP traffic for strings matching the keywords or regular expressions (regexes) specified in the DLP profile.

Note

To scan AI prompts and responses without Gateway HTTP filtering, you can also enable DLP directly on an [AI Gateway](https://developers.cloudflare.com/ai-gateway/features/dlp/).

## Prerequisites

* Set up [Gateway HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/). This routes your users' web traffic through Cloudflare Gateway so it can be inspected.  
   * HTTP filtering requires turning on the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP traffic.
* Turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption). Because most web traffic is encrypted with HTTPS, Gateway must decrypt it before DLP can scan the request body for sensitive data.

## 1\. Configure a DLP profile

A DLP profile defines the sensitive data patterns you want to detect — for example, social security number formats, credit card numbers, or custom patterns specific to your organization. Refer to [Configure a DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/). We recommend getting started with a predefined profile.

Important

A DLP profile only defines detection patterns. DLP scans will not start until you [create a DLP policy](#2-create-a-dlp-policy).

## 2\. Create a DLP policy

DLP Profiles may be used alongside other Cloudflare One rules in a [Gateway HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). To start logging or blocking traffic, create a policy for DLP:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**. Select **HTTP**.
2. Select **Add a policy**.
3. Build an [HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) using the [DLP Profile](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector. For example, the following policy blocks users from uploading sensitive data to any location other than an approved corporate application. It combines three conditions: the request content matches a DLP profile, the HTTP method is `POST`, and the destination is not an approved application:  
| Selector    | Operator | Value                                                     | Logic | Action |  
| ----------- | -------- | --------------------------------------------------------- | ----- | ------ |  
| DLP Profile | in       | _Social Security, Insurance, Tax, and Identifier Numbers_ | And   | Block  |  
| HTTP Method | in       | _POST_                                                    | And   |        |  
| Application | not in   | _Workday_                                                 |       |        |
4. Select **Create policy**.

DLP scanning is now turned on for HTTP traffic matching this policy.

## 3\. Test DLP policy

You can test your DLP policy on any device connected to your [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/). To perform a basic test:

1. Go to [dlptest.com ↗](http://dlptest.com/http-post/).
2. Enter a text message or upload a file containing the sensitive data.
3. Select **Submit** to send the request.

The request will be allowed or blocked according to your DLP policies. If the data matches a DLP policy, you will see the request in your [DLP logs](#4-view-dlp-logs).

Different sites will send requests in different ways. For example, some sites will split a file upload into multiple requests. Therefore, even if the policy works on `dlptest.com`, it is not guaranteed to work the same way on another site or application.

## 4\. View DLP logs

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Logs** \> **HTTP request logs**.
2. Select **Filter**.
3. Choose an item under one of the following filters:  
   * **DLP Profiles** shows the requests which matched a specific DLP profile.  
   * **Policy** shows the requests which matched a specific DLP policy.

You can expand an individual row to view details about the request. By default, logs show that a match occurred but do not include the actual matched content. To see the data that triggered the DLP policy, [configure logging options](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/).

### Report false positives

If DLP flags a request that does not actually contain sensitive data (a false positive), you can report it to Cloudflare:

1. Select the log you want to report.
2. Select **Report DLP false positive** under **DLP details**.
3. The information to be sent to Cloudflare will appear. To confirm your report, select **Send report**.

Cloudflare will not respond directly to your report, but reporting false positives helps us improve our products. If you require technical assistance, reach out to [support ↗](https://dash.cloudflare.com/?to=/:account/support).

---

---
title: Common policies
description: Reference information for Common policies in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Common policies

The following DLP policies are commonly used to secure sensitive data in uploaded and downloaded files. They are built as [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) using the [DLP Profile](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector.

Before using these policies, complete the [prerequisites for scanning HTTP traffic](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#prerequisites).

## Log uploads/downloads

When you want to monitor where sensitive data is going before enforcing blocks, use the **Allow** action. In a Gateway HTTP policy, all matches — including Allow — are recorded in your [HTTP request logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#4-view-dlp-logs). This gives you visibility into sensitive data transfers without disrupting users.

The following example logs any upload or download that matches your enabled [Financial Information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) DLP profile entries when users interact with file sharing applications.

| Selector           | Operator | Value                   | Logic | Action |
| ------------------ | -------- | ----------------------- | ----- | ------ |
| DLP Profile        | in       | _Financial Information_ | And   | Allow  |
| Content Categories | in       | _File Sharing_          |       |        |

## Block file types

Block the upload or download of files based on their type.

| Selector            | Operator | Value                                   | Logic | Action |
| ------------------- | -------- | --------------------------------------- | ----- | ------ |
| Upload File Types   | in       | _Microsoft Office Word Document (docx)_ | And   | Block  |
| Download File Types | in       | _PDF (pdf)_                             |       |        |

The equivalent API request (Create a Zero Trust Gateway rule):

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block file types",
    "description": "Block the upload or download of files based on their type",
    "enabled": true,
    "action": "block",
    "filters": [
        "http"
    ],
    "traffic": "any(http.upload.file.types[*] in {\"docx\"}) and any(http.download.file.types[*] in {\"pdf\"})",
    "identity": "",
    "device_posture": ""
  }'
```

For more information on what file formats DLP can scan, refer to [Supported file types](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types).

## Block uploads/downloads for specific users

You can configure access on a per-user or group basis by adding [identity-based conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) to your policies. These selectors match against user attributes from your configured identity provider.

The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps. Users who are not in the _Contractors_ group are not affected by this policy.

| Selector           | Operator | Value                   | Logic | Action |
| ------------------ | -------- | ----------------------- | ----- | ------ |
| DLP Profile        | in       | _Financial Information_ | And   | Block  |
| Content Categories | in       | _File Sharing_          | And   |        |
| User Group Names   | in       | _Contractors_           |       |        |

## Exclude Android applications

Many Android applications (such as Google Drive) use [certificate pinning](https://developers.cloudflare.com/ssl/reference/certificate-pinning/), which is incompatible with Gateway TLS decryption. These applications verify they are connecting directly to their own servers and will reject Gateway's inspection certificate. If needed, you can create a [Do Not Inspect policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) so that the app can continue to function on Android:

1. Set up an [OS version device posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/) that checks for the Android operating system.
2. Create the following HTTP policy in Gateway:  
| Selector                     | Operator | Value                | Logic | Action         |  
| ---------------------------- | -------- | -------------------- | ----- | -------------- |  
| Application                  | in       | _Google Drive_       | And   | Do Not Inspect |  
| Passed Device Posture Checks | in       | _OS Version Android_ |       |                |

Android users can now use the app, but the app traffic will bypass Gateway inspection entirely — including DLP scanning, HTTP logging, and antivirus scanning.

## Exclude specific sites

In your [DLP logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#4-view-dlp-logs), you may find that certain sites routinely trigger DLP detections that do not represent actual data loss (false positives). To exempt these sites from DLP scanning:

1. [Create a list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) of hostnames or URLs.
2. Exclude the list from your DLP policy using the `not in list` operator, which references the list you created in step 1:  
| Selector    | Operator    | Value                   | Logic | Action |  
| ----------- | ----------- | ----------------------- | ----- | ------ |  
| DLP Profile | in          | _Financial Information_ | And   | Block  |  
| Application | in          | _Google Drive_          | And   |        |  
| Domain      | not in list | _Do not DLP - SSN_      |       |        |
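
Each dashboard table on this page corresponds to one `traffic` expression (plus an optional `identity` expression) in the Gateway rules API request shown under Block file types. The following Python is an added example, not Cloudflare's code: it composes the rule body for the three-condition upload policy from Scan HTTP traffic (DLP Profile in, HTTP Method in POST, Application not in), optionally scoped to the Contractors group as in the per-user example above, in the same JSON shape as the curl request. The selector field names `dlp.profiles`, `http.request.method`, `app.ids` and `identity.groups.name` are the Gateway expression fields as the author understands them and should be checked against the HTTP policy selector reference for your account; the profile UUID and application ID are constructed placeholders.

```python
"""Compose a Gateway HTTP rule body for a DLP upload policy.

Added example, not Cloudflare's own code. The wirefilter field names used
below (dlp.profiles, http.request.method, app.ids, identity.groups.name)
are assumed selector fields; the UUID and application ID are placeholders.
"""
import json
import os
import urllib.request

# Constructed placeholders: replace with values from your own account.
DLP_PROFILE_ID = "00000000-0000-0000-0000-000000000000"  # e.g. the SSN/tax profile
WORKDAY_APP_ID = 0  # integer Application ID for the approved application


def quote_set(values):
    """Render a wirefilter set literal: strings quoted, integers bare, space separated."""
    items = [json.dumps(v) if isinstance(v, str) else str(v) for v in values]
    return "{" + " ".join(items) + "}"


def dlp_upload_expression(profile_ids, allowed_app_ids):
    """Map the table rows to one traffic expression, rows joined with `and`:
    DLP Profile in {...}  AND  HTTP Method in {POST}  AND  Application not in {...}."""
    return " and ".join([
        f"any(dlp.profiles[*] in {quote_set(profile_ids)})",
        'http.request.method in {"POST"}',
        f"not(any(app.ids[*] in {quote_set(allowed_app_ids)}))",
    ])


def build_rule(name, description, action, traffic, identity="", device_posture=""):
    """Mirror the JSON body shape used by the curl request above."""
    return {
        "name": name,
        "description": description,
        "enabled": True,
        "action": action,
        "filters": ["http"],
        "traffic": traffic,
        "identity": identity,
        "device_posture": device_posture,
    }


def create_rule(rule, account_id, api_token):
    """POST the rule to the Gateway rules endpoint (network call; only run when credentials are set)."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules",
        data=json.dumps(rule).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rule = build_rule(
        name="Block sensitive uploads outside approved app",
        description="Block POST requests matching the DLP profile to any application but the approved one",
        action="block",
        traffic=dlp_upload_expression([DLP_PROFILE_ID], [WORKDAY_APP_ID]),
        # Optional identity scope, as in the Contractors example (assumed field name)
        identity='any(identity.groups.name[*] in {"Contractors"})',
    )
    print(json.dumps(rule, indent=2))
    if os.environ.get("CLOUDFLARE_API_TOKEN") and os.environ.get("ACCOUNT_ID"):
        print(create_rule(rule, os.environ["ACCOUNT_ID"], os.environ["CLOUDFLARE_API_TOKEN"]))
```

Without `ACCOUNT_ID` and `CLOUDFLARE_API_TOKEN` in the environment the script only prints the body, which you can compare against a rule created in the dashboard before automating it.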

---

---
title: Logging options
description: Logging options in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Logging options

Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. DLP offers three logging approaches, each suited to different needs:

| Approach                                                                    | What it captures                                            | Encryption                      | Availability |
| --------------------------------------------------------------------------- | ----------------------------------------------------------- | ------------------------------- | ------------ |
| [Payload logging](#log-the-payload-of-matched-rules)                        | Redacted match + 75 bytes of surrounding context            | Encrypted with your public key  | All plans    |
| [AI prompt logging](#log-generative-ai-prompt-content)                      | Generative AI prompt topic, user prompt, and model response | Encrypted with your public key  | All plans    |
| [Logpush forensic copies](#send-dlp-forensic-copies-to-logpush-destination) | Complete HTTP request (headers + body)                      | Encrypted in transit only (TLS) | Enterprise   |

Users on all plans can log the [payload](#log-the-payload-of-matched-rules) or [generative AI prompt content](#log-generative-ai-prompt-content) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-dlp-forensic-copies-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.

The data that triggers a DLP policy is stored in the body of the HTTP request — the part that carries content such as file uploads, form submissions, and chat messages. This body is referred to as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match.

## Set a DLP payload encryption public key

Before you begin logging DLP payloads, you will need to [set a DLP payload encryption public key](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#payload-encryption-key). DLP uses public-key encryption so that matched sensitive data is readable only by you — Cloudflare does not have access to your private key and cannot decrypt your logs.

You can also [configure payload log masking](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#payload-log-masking) to control how DLP redacts sensitive data in logs.

## Log the payload of matched rules

DLP can log the payload of matched HTTP requests in your Cloudflare logs. Use payload logging to verify what content triggered a DLP detection — for example, to confirm whether a match was a real finding or a false positive.

### Turn on payload logging for a DLP policy

You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector — the filter condition that matches traffic against your DLP detection profiles.

1. Go to **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Edit an existing Allow or Block DLP policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
3. In the policy builder, scroll down to **Configure policy settings** and turn on **Log the payload of matched rules**.
4. Select **Save**.

Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy.

### View payload logs

To view DLP payload logs:

1. Go to **Insights** \> **Logs** \> **HTTP request logs**.
2. Go to the DLP log you are interested in reviewing and expand the row.
3. Select **Decrypt payload log**.
4. Enter your private key and select **Decrypt**.

You will see the [ID of the matched DLP Profile](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload.

Note

Cloudflare does not store the key or the decrypted payload.

### Report false and true positives to AI context analysis

When you have [AI context analysis](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#ai-context-analysis) turned on for a DLP profile, you can improve detection accuracy over time by reporting false and true positives. A false positive is a match that DLP flagged incorrectly (the content was not actually sensitive). A true positive confirms that DLP correctly identified sensitive data. These reports train the AI model to adjust its confidence threshold.

To report a DLP match payload as a false or true positive:

1. [Find and decrypt](#view-payload-logs) the payload log you want to report.
2. In **Log details**, choose a detected context match.
3. In **Context**, select the redacted match data.
4. In **Match details**, choose whether you want to report the match as a false positive or a true positive.

Based on your report, DLP's machine learning will adjust its confidence in future matches for the associated profile.

### Data privacy

* All Cloudflare logs are encrypted at rest (encrypted while stored on disk). Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
* Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key.
* By default, DLP uses Full Mask to redact alphanumeric characters in the matched pattern, replacing them with `*` while preserving the format. For example, `123-45-6789` becomes `***-**-****`. You can [configure the masking level](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#payload-log-masking) to show partial or full matches if your incident response workflow requires more context.  
   * You can define sensitive data with [Exact Data Match (EDM)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#exact-data-match-datasets). EDM match logs will redact your defined strings.
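
To make the stored excerpt concrete, the following Python is an added example, not Cloudflare's implementation. It finds SSN-shaped values in a constructed request body, applies Full Mask to every match (alphanumerics to `*`, separators kept) and cuts 75 bytes of context on each side of each match, as described above. It masks all matches before taking the context, so that a second SSN falling inside another match's window is not kept in clear; that is the edge case to handle in any tooling of this shape. The real Cloudflare detectors and the public-key encryption of the excerpt are not reproduced here.

```python
"""Shape of a DLP payload log excerpt: redacted match plus 75 bytes of context.

Added example, not Cloudflare's code. The SSN regex is a simplified stand-in
for the real detection entry and the request body is constructed.
"""
import re
from dataclasses import dataclass

CONTEXT_BYTES = 75  # context retained on each side of a match, per the page

# Simplified formatted-SSN pattern (the page's sample shape "123-45-6789")
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def full_mask(match: bytes) -> bytes:
    """Full Mask: every alphanumeric byte becomes '*', separators are kept,
    so the length and format survive (123-45-6789 -> ***-**-****)."""
    return re.sub(rb"[A-Za-z0-9]", b"*", match)


@dataclass
class PayloadExcerpt:
    offset: int      # byte offset of the match in the original body
    redacted: bytes  # masked match
    before: bytes    # up to CONTEXT_BYTES before the match
    after: bytes     # up to CONTEXT_BYTES after the match

    def render(self) -> bytes:
        return self.before + self.redacted + self.after


def excerpts(body: bytes, pattern=SSN_RE, context=CONTEXT_BYTES):
    """One excerpt per match. All matches are masked first; full_mask keeps
    length, so offsets in the masked copy line up with the original and no
    neighbouring match leaks unmasked through another match's context window."""
    masked = pattern.sub(lambda m: full_mask(m.group(0)), body)
    out = []
    for m in pattern.finditer(body):
        start, end = m.span()
        out.append(PayloadExcerpt(
            offset=start,
            redacted=masked[start:end],
            before=masked[max(0, start - context):start],
            after=masked[end:end + context],
        ))
    return out


# Constructed form-submission body; both SSN values are synthetic
SAMPLE_BODY = (
    b"name=Jane+Doe&note=Payroll+correction+for+Q3.+Employee+SSN+is+123-45-6789+and+"
    b"the+spouse+is+987-65-4321.+Please+update+the+W-2+before+the+October+filing+deadline."
)

if __name__ == "__main__":
    for e in excerpts(SAMPLE_BODY):
        print(e.offset, e.render().decode())
```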

## Log generative AI prompt content

DLP can detect and log the prompt topic sent to an AI tool.

### Turn on AI prompt content logging for a DLP policy

You can enable AI prompt content logging for any Allow or Block HTTP policy that uses the [_Application_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#application) selector with a supported [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls) application. This means your policy must target a specific AI application (such as ChatGPT) that Gateway can inspect at a granular level.

1. Go to **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Edit an existing Allow or Block DLP policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
4. Select **Save**.

Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.

### View prompt logs

To view generative AI prompt log details:

1. Go to **Insights** \> **Logs** \> **HTTP request logs**.
2. Go to the DLP log you are interested in reviewing and expand the row.
3. Select **Decrypt payload log**.
4. Enter your private key and select **Decrypt**.
5. In **Summary** \> **GenAI prompt captured**, select **View prompt**.

Gateway logs will provide a summary of the conversation, including the topic and AI model used, and the user prompt and AI model's raw response if available. A text prompt must be present for DLP to capture the prompt.

## Send DLP forensic copies to Logpush destination

Availability

Only available on Enterprise plans.

Unlike payload logging (which stores encrypted excerpts of matched content), forensic copies send the complete, unaltered HTTP request — including all headers and the full body — to an external storage destination.

Gateway allows you to send copies of entire HTTP requests matched in HTTP Allow and Block policies to storage destinations configured in [Logpush](https://developers.cloudflare.com/logs/logpush/) (Cloudflare's log delivery service), including third-party destinations. Forensic copies include unaltered payloads and headers which may include sensitive data. Logpush logs are encrypted in transit only, such as when sent as TLS traffic. Once the data reaches your storage destination, it is stored according to that destination's encryption policies — not encrypted by Cloudflare.

To set up the DLP Forensic Copy Logpush job:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Logs**, and select **Manage Logpush**.
2. In Logpush, select **Create a Logpush job**.
3. Choose a [Logpush destination](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/).
4. In **Configure logpush job**, choose the _DLP forensic copies_ dataset. Select **Create Logpush job**.
5. Return to **Zero Trust** and go to **Traffic policies** \> **Firewall policies** \> **HTTP**.
6. Edit an existing Allow or Block policy, or [create a new policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). Your policy does not need to include a DLP profile — any Gateway HTTP policy can send forensic copies.
7. In the policy builder, scroll down to **Configure policy settings** and turn on **Send DLP forensic copies to storage**.
8. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests.
9. Select **Save policy**.

DLP will now send a copy of HTTP requests that match this policy to your Logpush destination.

Logpush supports up to four DLP Forensic Copy Logpush jobs per account. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. To send specific policy matches to specific jobs, configure [Log filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/). If the request contains an archive file, DLP will only send up to 100 MB of uncompressed content to your configured storage.

---

---
title: DLP profiles
description: DLP profiles in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# DLP profiles

A DLP profile defines what sensitive data Cloudflare should detect in your traffic. Profiles can combine [detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/) with [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/) objects such as data classes, sensitivity levels, and data tags.

Cloudflare DLP provides [predefined profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) for common sensitive data types such as credit card numbers and national identifiers. You can also build custom DLP profiles specific to your data, organization, and risk tolerance by using direct detection entries, data classes, and labels.

## Configure a predefined profile

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Choose a [predefined profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Edit**.
3. Enable one or more **Detection entries** according to your preferences.
4. Select **Save profile**.

Most predefined profiles match when any enabled detection entry matches. The **Personally Identifiable Information (PII) Record** profile is an exception and requires at least three unique detection entries in close proximity before the profile matches.

You can now use this profile in a [DLP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy), [CASB integration](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/), or [AI Gateway DLP policy](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/).

## Build a custom profile

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Select **Create profile**.
3. Enter a name and optional description for the profile.
4. Add new or existing detection entries to the profile.  
   **Add a custom entry**  
   1. Select **Add custom entry**.  
   2. Choose the type of detection entry you want to create and configure its values. For information on supported detection entry types, refer to [Configure detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/).  
   3. To save the detection entry, select **Done**.  
   **Add existing entries**  
   Existing entries include [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/) and [user-defined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/) detection entries that you manage from the Detection entries section.  
   1. Select **Add existing entries**.  
   2. Choose which entries you want to add, then select **Confirm**.  
   3. To save the selected entries, select **Done**.
5. (Optional) Add data classes to include reusable classification rules.  
   1. Select **Add data classes**.  
   2. Choose the data classes you want to add, then select **Confirm**.
6. (Optional) Use labels as match criteria for the profile.  
   * Select a sensitivity schema and minimum sensitivity level.  
   * Select a data tag group and one or more data tags.  
For more information on labels, templates, and data classes, refer to [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/).
7. (Optional) Configure [**profile settings**](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile.
8. Select **Save profile**.

You can now use this profile in a [DLP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy), [CASB integration](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/), or [AI Gateway DLP policy](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/).


---

---
title: Profile settings
description: Reference information for Profile settings in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Profile settings

This page lists the profile settings available when configuring a [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) or [custom](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile) DLP profile. You can configure profile settings when you create a custom profile or [edit profile settings](#edit-profile-settings) for an existing predefined or custom profile.

## Edit profile settings

To edit profile settings for an existing predefined or custom DLP profile:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Choose a profile, then select **Edit**.
3. In **Settings**, configure the [settings](#available-settings) for your profile.
4. Select **Save profile**.

## Available settings

The following advanced detection settings are available for predefined and custom DLP profiles.

### Match count

Match count sets a minimum threshold for detections. DLP does not trigger an action (such as blocking or logging) until the number of detections strictly exceeds the match count. For example, with a match count of 10, the scanned file or HTTP body must contain 11 or more matching strings before the action triggers. Detections do not have to be unique: repeated occurrences of the same value each count toward the threshold.

### Optical Character Recognition (OCR)

Deprecation notice

Profile-level OCR settings will be deprecated in a future release. We recommend configuring OCR in [DLP settings](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#optical-character-recognition-ocr) instead.

Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload.

OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters.

For more information, refer to [DLP settings](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#optical-character-recognition-ocr).

### AI context analysis

Deprecation notice

Profile-level AI context analysis settings will be deprecated in a future release. We recommend configuring AI context analysis in [DLP settings](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#ai-context-analysis) instead.

Note

AI context analysis only supports Gateway HTTP and HTTPS traffic.

AI context analysis uses a pretrained model to analyze surrounding context and adjust the confidence level of a detection. For example, a number that matches a credit card pattern may receive a lower confidence score if it appears in a context where credit card numbers are unlikely. DLP will log any matches that are above your confidence threshold.

For full documentation on AI context analysis, refer to [DLP settings](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#ai-context-analysis).

### Confidence thresholds

Confidence thresholds indicate how confident Cloudflare DLP is in a detection. DLP determines the confidence level by inspecting the content for proximity keywords — related terms that appear near the detected data. For example, the word "SSN" appearing near a 9-digit number increases confidence that the number is a Social Security number.

When you set a confidence threshold on a profile, DLP only triggers on detections at that level or higher:

* **Low** (default): Based on regular expressions with few proximity keywords. This is the most inclusive setting, with a high tolerance for false positives.
* **Medium**: Applies additional validations to filter out low-confidence detections. This setting has a medium tolerance for false positives.
* **High**: Applies rigorous contextual validation for minimal false positives, so a detection at this level is the most likely to be accurate.

Confidence threshold is set on the DLP profile. When you select a confidence threshold in the Cloudflare dashboard, you will see which DLP entries will be affected by the confidence threshold. Entries that do not reflect a confidence threshold in the dashboard are not yet supported or are not applicable.

To change the confidence threshold of a DLP profile:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Select the profile, then select **Edit**.
3. In **Settings** \> **Confidence threshold**, choose a new confidence threshold from the dropdown menu.
4. Select **Save profile**.

#### Gateway detections

For inline detections in Gateway, to allow and log Low and Medium confidence detections but block High confidence detections, Cloudflare recommends creating two HTTP policies. The first policy should use a Low confidence DLP profile with an Allow action. The second policy should use a High confidence DLP profile with a Block action. For example:

| Selector    | Operator | Value                       | Action |
| ----------- | -------- | --------------------------- | ------ |
| DLP Profile | in       | _Low Confidence Detections_ | Allow  |

| Selector    | Operator | Value                        | Action |
| ----------- | -------- | ---------------------------- | ------ |
| DLP Profile | in       | _High Confidence Detections_ | Block  |
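How a confidence threshold narrows what a profile reports, as an added example that is not Cloudflare's implementation. It scores SSN-shaped matches with a simple tiering (regex only; regex plus format validation; validated match plus a proximity keyword such as "SSN" or "social security" nearby) and then applies a profile threshold so that only detections at that level or higher are returned. The regex, the keyword list, the 40-character window and the SSA format rules are this example's assumptions; the page describes the three levels only qualitatively.

```python
import re
from enum import IntEnum


class Confidence(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Separators are required, so 000000000 never matches (as the page notes
# for the SSN entry). Constructed pattern, not Cloudflare's.
SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Proximity keywords that raise confidence when found near a match.
KEYWORDS = re.compile(r"\b(?:ssn|social security)\b", re.IGNORECASE)


def ssn_format_valid(area: str, group: str, serial: str) -> bool:
    """Format rules used as the 'additional validation' step in this
    example: SSA never issues area 000, 666 or 900-999, group 00, or
    serial 0000. SSNs have no checksum, so format is all that can be
    checked without looking at context."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def score(text: str, window: int = 40) -> list:
    """Assign each SSN-shaped match a confidence level.
    LOW    the regex matched and nothing else supports it
    MEDIUM the match also passes format validation
    HIGH   a validated match with a proximity keyword within `window` chars
    The tiering is this example's heuristic."""
    results = []
    for m in SSN.finditer(text):
        level = Confidence.LOW
        if ssn_format_valid(*m.groups()):
            level = Confidence.MEDIUM
            context = text[max(0, m.start() - window):m.end() + window]
            if KEYWORDS.search(context):
                level = Confidence.HIGH
        results.append((m.group(0), level))
    return results


def profile_matches(text: str, threshold: Confidence) -> list:
    """A profile configured with a confidence threshold triggers only on
    detections at that level or higher."""
    return [value for value, level in score(text) if level >= threshold]


# Constructed samples; none of these are real identifiers.
LABELLED = "Employee SSN: 123-45-6789 on file."
UNLABELLED = "Ticket reference 123-45-6789 closed."
BOGUS = "SSN 000-12-3456 rejected by intake form."

if __name__ == "__main__":
    for sample in (LABELLED, UNLABELLED, BOGUS):
        print(sample, "->", score(sample))
    print("High-threshold profile on UNLABELLED:",
          profile_matches(UNLABELLED, Confidence.HIGH))
```

Run the block to see the same number land in a different tier depending on its surroundings: a Low-threshold profile reports all three samples, while a High-threshold profile reports only the labelled one, which is the split the two-policy layout above relies on.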


---

---
title: Integration profiles
description: How Integration profiles work in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Integration profiles

Note

Integration profiles require [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/).

Integration profiles let you use data classifications from a third-party platform (such as Microsoft Purview sensitivity labels) directly in Cloudflare DLP. Instead of recreating classification rules in Cloudflare, DLP retrieves them from the third-party platform and populates them as detection entries in a DLP profile. You can then enable the entries you want and create a DLP policy to allow or block matching data.

Detection entries in integration profiles are managed by the third-party platform. You cannot manually add, edit, or delete these entries within Cloudflare DLP.

## Microsoft Purview Information Protection (MIP) sensitivity labels

Microsoft provides [Purview Information Protection sensitivity labels ↗](https://learn.microsoft.com/en-us/purview/sensitivity-labels) to classify and protect sensitive data.

Warning

DLP does not filter or log [MIP sublabels ↗](https://learn.microsoft.com/purview/sensitivity-labels#sublabels-that-use-parent-labels-or-label-groups). Only top-level sensitivity labels will be detected, filtered, and logged.

To ensure DLP will detect and filter all sensitive data, use only [MIP top-level labels ↗](https://learn.microsoft.com/purview/sensitivity-labels#top-level-labels).

### Setup

To add MIP sensitivity labels to a DLP profile, integrate your Microsoft account with [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/). A new integration profile will appear under **Zero Trust** \> **Data loss prevention** \> **Profiles**. The profile is named **MIP Sensitivity Labels** followed by the name of the CASB integration.

MIP sensitivity labels can also be added to a [custom DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile) as an existing entry.

### Syncing

Allow 24 hours for label additions and edits in your Microsoft account to propagate to Cloudflare DLP. Deletions in your Microsoft account will not delete entries in your Cloudflare DLP Profile.


---

---
title: Predefined profiles
description: Reference information for Predefined profiles in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Predefined profiles

Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection accuracy. Others use profile-specific matching logic to reduce false positives. You can also configure [profile settings](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for predefined profiles.

## AI Prompt

DLP provides AI prompt protection with the following predefined profiles:

* AI Prompt: AI Security
* AI Prompt: Customer
* AI Prompt: Financial Information
* AI Prompt: PII
* AI Prompt: Technical

For more information on included detection entries, refer to [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics).

## Credentials and Secrets

The following secrets are validated with regex.

* Amazon Web Services (AWS) keys
* Azure API keys
* Google Cloud Platform keys
* SSH keys

The following Cloudflare API credentials are validated algorithmically using a checksum. Only credentials generated after [Cloudflare's token format update](https://developers.cloudflare.com/fundamentals/api/get-started/token-formats/) will be matched by these entries.

| Detection entry                    | Format                                                                        |
| ---------------------------------- | ----------------------------------------------------------------------------- |
| Cloudflare User API Key            | cfk\_ followed by 40 alphanumeric characters and an 8-character hex checksum  |
| Cloudflare User API Token          | cfut\_ followed by 40 alphanumeric characters and an 8-character hex checksum |
| Cloudflare Account Owned API Token | cfat\_ followed by 40 alphanumeric characters and an 8-character hex checksum |

## Financial Information

Availability

This predefined profile is available on all Zero Trust plans.

Credit card numbers begin with a six- or eight-digit Issuer Identification Number (IIN) and are followed by up to 23 additional digits. Card verification values (CVVs) are not validated.

In the table below, entries use one of three validation methods. [Luhn's algorithm ↗](https://en.wikipedia.org/wiki/Luhn%5Falgorithm) is a checksum formula used to verify credit card numbers. Entries validated "with checksum" use an arithmetic check specific to that number format. Entries validated "with regex" match a known text pattern without performing a mathematical check.

| Detection entry                  | Notes                                                                                 |
| -------------------------------- | ------------------------------------------------------------------------------------- |
| American Express Card Number     | Validated using [Luhn's algorithm ↗](https://en.wikipedia.org/wiki/Luhn%5Falgorithm). |
| American Express Text            | Text matching amex or american express.                                               |
| Diners Club Card Number          | Validated using Luhn's algorithm.                                                     |
| Generic CVV Card Number          | Validated with regex.                                                                 |
| Mastercard Card Number           | Validated using Luhn's algorithm.                                                     |
| Mastercard Text                  | Text matching mastercard.                                                             |
| Union Pay Card Number            | Validated using Luhn's algorithm.                                                     |
| Union Pay Text                   | Text matching union pay.                                                              |
| Visa Card Number                 | Validated using Luhn's algorithm.                                                     |
| Visa Text                        | Text matching visa.                                                                   |
| United States ABA Routing Number | Validated algorithmically with checksum.                                              |
| IBAN                             | Validated with checksum.                                                              |
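The three validation methods the table refers to, as an added worked example that is not Cloudflare's code: the Luhn check applied to card numbers, the 3-7-1 weighted checksum for United States ABA routing numbers, and the ISO 13616 mod-97 check for IBANs. The digit-length bounds and the separator handling are this example's assumptions. The sample values are the published Visa, Mastercard and American Express test card numbers, a publicly listed routing number, and the standard IBAN example.

```python
import re


def _digits(value: str) -> str:
    """Drop the spaces and hyphens numbers are commonly written with;
    return '' if anything other than digits remains."""
    stripped = re.sub(r"[ -]", "", value)
    return stripped if stripped.isdigit() else ""


def luhn_valid(number: str) -> bool:
    """Luhn checksum as applied to card numbers: starting from the
    rightmost digit, double every second digit, subtract 9 from any
    product above 9, and require the total to be a multiple of 10.
    The 12-19 digit bound is this example's assumption."""
    digits = _digits(number)
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_routing_valid(number: str) -> bool:
    """US ABA routing transit number check: weights 3, 7, 1 repeated
    across the nine digits; the weighted sum must be a multiple of 10."""
    digits = _digits(number)
    if len(digits) != 9:
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def iban_valid(iban: str) -> bool:
    """IBAN mod-97 check (ISO 13616): move the first four characters to
    the end, replace each letter with two digits (A=10 ... Z=35), and
    require the resulting integer mod 97 to equal 1."""
    compact = iban.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34:
        return False
    if not (compact.isascii() and compact.isalnum()):
        return False
    if not (compact[:2].isalpha() and compact[2:4].isdigit()):
        return False
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def classify(value: str) -> str:
    """Report which arithmetic check accepts the value, mirroring the
    'Validated ...' column of the table."""
    if luhn_valid(value):
        return "card number (Luhn)"
    if aba_routing_valid(value):
        return "ABA routing number (checksum)"
    if iban_valid(value):
        return "IBAN (checksum)"
    return "no validated match"


if __name__ == "__main__":
    # Constructed inputs: public test card numbers, a listed routing
    # number, the standard IBAN example, and one-digit corruptions of each.
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1112",
                   "378282246310005", "021000021", "021000022",
                   "GB82 WEST 1234 5698 7654 32", "GB82 WEST 1234 5698 7654 33"):
        print(f"{sample:32} {classify(sample)}")
```

The corrupted variants show why a checksum beats a regex for these formats: a single changed digit still matches the text pattern but fails the arithmetic, which is the false positive the "validated with checksum" entries avoid.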

## HTTP Archive

The **Unsanitized HAR** predefined profile detects HTTP Archive (HAR) files in traffic that have not been processed by Cloudflare's HAR sanitizer. HAR files frequently contain sensitive data such as session cookies, authorization headers, and other credentials.

| Detection entry      | Notes                                                                                                                                                              |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Unsanitized HAR file | Detects HAR files that do not carry a Cloudflare sanitized marker. Files processed by the Cloudflare HAR sanitizer and unmodified since will not match this entry. |

You can use this profile in a Gateway HTTP policy to block HAR file uploads or redirect users to `https://har-sanitizer.pages.dev/` to sanitize the file before uploading. For more information, refer to [common DLP policies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/common-policies/).
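To make concrete what an unsanitized HAR file leaks, here is an added example (not the Cloudflare HAR sanitizer) that redacts credential-bearing header values and every cookie value from a constructed HAR capture, and lists whatever remains exposed as a pre-upload check. The header list, the `[REDACTED]` placeholder and the sample capture are this example's own choices. The output carries no Cloudflare sanitized marker, so the Unsanitized HAR entry would still match a file cleaned this way.

```python
import copy
import json

# Header names this example treats as credential-bearing. The list is an
# assumption of the example, not the Cloudflare sanitizer's rule set.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "cf-access-jwt-assertion",
}
REDACTED = "[REDACTED]"


def _messages(har: dict):
    """Yield (side, message) for every request and response in the HAR."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            if side in entry:
                yield side, entry[side]


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of the HAR with credential-bearing header values
    and every cookie value redacted on both sides of each exchange.
    Bodies (postData, content) are left untouched by this example."""
    clean = copy.deepcopy(har)
    for _, msg in _messages(clean):
        for header in msg.get("headers", []):
            if header.get("name", "").lower() in SENSITIVE_HEADERS:
                header["value"] = REDACTED
        for cookie in msg.get("cookies", []):
            cookie["value"] = REDACTED
    return clean


def leaked_credentials(har: dict) -> list:
    """List header and cookie fields whose values are still exposed; an
    empty list means nothing in these fields would leak on upload."""
    leaks = []
    for side, msg in _messages(har):
        for header in msg.get("headers", []):
            name = header.get("name", "")
            if name.lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                leaks.append(f"{side}.header.{name}")
        for cookie in msg.get("cookies", []):
            if cookie.get("value") != REDACTED:
                leaks.append(f"{side}.cookie.{cookie.get('name', '')}")
    return leaks


# Constructed capture with a bearer token and session cookies; not real data.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://app.example.com/api/me",
        "headers": [
            {"name": "Authorization", "value": "Bearer eyJhbGciOiJSUzI1NiJ9.example"},
            {"name": "Cookie", "value": "CF_Authorization=abc123"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "CF_Authorization", "value": "abc123"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=def456; HttpOnly"}],
        "cookies": [{"name": "session", "value": "def456"}],
    },
}]}}

if __name__ == "__main__":
    print("exposed before:", leaked_credentials(SAMPLE_HAR))
    cleaned = sanitize_har(SAMPLE_HAR)
    print("exposed after: ", leaked_credentials(cleaned))
    print(json.dumps(cleaned, indent=2))
```

Note that request and response bodies are not scrubbed here; a real sanitizer also has to look inside `postData` and `content`, where tokens are routinely echoed back by login endpoints.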

## Health Information

The following diagnosis and medication names are checked for surrounding ASCII characters to prevent false positives.

* FDA active ingredients
* FDA drug names
* ICD-10 FY2023 short descriptions

## Personally Identifiable Information (PII) Record

The **Personally Identifiable Information (PII) Record** predefined profile is designed to detect records that contain multiple types of personal data. Unlike most predefined and custom DLP profiles, this profile matches only when at least three unique detection entries are found in close proximity.

This behavior helps reduce false positives from isolated matches.

The profile includes the following detection entries:

* AU Passport Number
* American Express Card Number
* Diners Club Card Number
* US Driver's License Number
* Email Address
* Full Name
* US Mailing Address
* Mastercard Card Number
* US Individual Tax Identification Number (ITIN)
* US Passport Number
* US Phone Number
* Union Pay Card Number
* United States SSN Numeric Detection
* Visa Card Number

## Social Security, Insurance, Tax, and Identifier Numbers

Availability

This predefined profile is available on all Zero Trust plans.

The following national identifier detections are validated algorithmically when possible.

| Detection entry                                      | Notes                                                                                                                                                                                                                           |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| United States SSN Numeric Detection                  | Matched values must include commonly used separators. For example, 000-00-0000 matches but 000000000 does not. Unlike credit card numbers, Social Security numbers have no built-in checksum, so DLP validates the format only. |
| Social Security Number Text                          | Text matching ssn or social security.                                                                                                                                                                                           |
| Australia Tax File Number                            | Validated with checksum.                                                                                                                                                                                                        |
| Canada Social Insurance Number                       | Validated using Luhn's algorithm.                                                                                                                                                                                               |
| France Social Security Number                        | Validated with regex.                                                                                                                                                                                                           |
| Hong Kong Identity Card (HKIC) Number                | Validated with checksum.                                                                                                                                                                                                        |
| Indonesia Identity Card Number                       | Validated with regex.                                                                                                                                                                                                           |
| Malaysian National Identity Card Number              | Validated with regex.                                                                                                                                                                                                           |
| Philippines Unified Multi-Purpose ID (UMID) Number   | Validated with regex.                                                                                                                                                                                                           |
| Singapore National Registration Identity Card Number | Validated with checksum.                                                                                                                                                                                                        |
| Taiwan National Identification Number                | Validated with checksum.                                                                                                                                                                                                        |
| Thai Identity Card Number                            | Validated with checksum.                                                                                                                                                                                                        |
| United Kingdom NHS Number                            | Validated with checksum.                                                                                                                                                                                                        |
| United Kingdom National Insurance Number             | Validated with regex.                                                                                                                                                                                                           |

## Source Code

Source code in the following programming languages is detected using natural language processing (NLP).

* C
* C++
* C#
* Go
* Haskell
* Java
* JavaScript
* Lua
* Python
* R
* Rust
* Swift


---

---
title: DLP settings
description: Configure account-level DLP settings.
image: https://developers.cloudflare.com/zt-preview.png
---


# DLP settings

DLP settings allow you to configure account-level settings that apply across all DLP profiles and policies. These settings are located in **Zero Trust** \> **Data loss prevention** \> **DLP settings** in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/).

## Optical Character Recognition (OCR)

Optical Character Recognition (OCR) analyzes and interprets text within image files. When turned on, OCR can detect sensitive data within images your users upload.

OCR supports scanning `.jpg`/`.jpeg` and `.png` files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters.

To turn on OCR:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **DLP settings**.
2. Turn on **Optical Character Recognition (OCR)**.

## AI context analysis

Note

AI context analysis only supports Gateway HTTP and HTTPS traffic.

AI context analysis uses a pretrained model to analyze surrounding context and adjust the confidence level of a detection. For example, a number that matches a credit card pattern may receive a lower confidence score if it appears in a context where credit card numbers are unlikely. DLP will log any matches that are above your confidence threshold.

DLP redacts any matched text, then converts the surrounding context into a vector embedding and submits it to [Cloudflare Workers AI](https://developers.cloudflare.com/workers-ai/). Vector embeddings (not raw text) are stored in user-specific private namespaces for up to six months, along with hit count and the [false positive/negative report](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis).

To turn on AI context analysis:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **DLP settings**.
2. Turn on **AI context analysis**.
3. [Add the profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) to a DLP policy.
4. When configuring the DLP policy, turn on [payload logging](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).

AI context analysis results will appear in the payload section of your [DLP logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/#4-view-dlp-logs). To improve future detections of sensitive data, you need to [report false and true positives](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis).

## Payload encryption key

Before you begin logging DLP payloads, you will need to set a DLP payload encryption public key. DLP uses public-key encryption so that matched sensitive data is readable only by you — Cloudflare does not have access to your private key and cannot decrypt your logs.

### Generate a key pair

You will generate two keys: a public key (uploaded to Cloudflare to encrypt log data) and a private key (kept by you to decrypt log data later).

To generate a public/private key pair in the command line, refer to [Generate a key pair](https://developers.cloudflare.com/waf/managed-rules/payload-logging/command-line/generate-key-pair/).

### Upload the public key to Cloudflare

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **DLP settings**.
2. In the **DLP Payload Encryption public key** field, paste your public key.
3. Select **Save**.

Note

The matching private key is required to view logs. If you lose your private key, you will need to [generate](#generate-a-key-pair) and [upload](#upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key. Previously logged data encrypted with the old key will be permanently unreadable.

## Payload log masking

You can control how sensitive data appears in your DLP payload logs by selecting a masking level. This determines how much of the matched content is visible after decryption.

To configure payload log masking:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **DLP settings**.
2. Go to the **Payload log masking** card.
3. Choose one of the following masking levels:  
   * **Full Mask (default):** Masks the match while preserving character count and visual formatting. For example, a Social Security Number appears as `***-**-****`.  
   * **Partial Mask:** Reveals 25% of the matched content while masking the remainder. For example, `***-**-6789`.  
   * **Clear Text:** Stores the full, unmasked match for detailed investigation. For example, `123-45-6789`.

Note

The masking level is applied at detection time, before the payload is encrypted. Your team will see the selected format when they decrypt the log with your private key.

Warning

The selected masking level applies to all sensitive data matches found within a payload window — not just the match that triggered the policy.

## Migrate from profile-level settings

OCR and AI context analysis are available at both the profile level (**Data loss prevention** \> **Profiles**) and the account level (**Data loss prevention** \> **DLP settings**) during the migration period. When both are configured, DLP uses OR logic for evaluation. A match occurs if either the profile-level or account-level setting would trigger a detection.

Profile-level OCR and AI context analysis settings will be deprecated in a future release. We recommend migrating to account-level settings in **DLP settings** to ensure consistent behavior across all profiles.

To migrate:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **DLP settings**.
2. Turn on **Optical Character Recognition (OCR)** and/or **AI context analysis** as needed.
3. Go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
4. For each profile with OCR or AI context analysis enabled, edit the profile and turn off the profile-level settings.
5. Select **Save profile**.


---

---
title: Scan for sensitive data
description: How Scan for sensitive data works in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Scan for sensitive data

Note

Requires Cloudflare CASB and Cloudflare DLP.

You can use [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to discover if files stored in a SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) (a set of patterns that define what counts as sensitive data) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration.

## Supported integrations

* [Amazon Web Services (AWS) S3](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/)
* [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/)
* [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/)
* [Google Cloud Platform (GCP) Cloud Storage](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/gcp-cloud-storage)
* [Google Drive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive/)
* [Microsoft OneDrive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive/)
* [Microsoft SharePoint](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint/)
* [Microsoft 365 Copilot](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot/)
* [OpenAI](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/)
* [Anthropic](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/)

## Configure a DLP profile

You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, datasets, and document fingerprints.

### Configure a predefined profile

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Choose a [predefined profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Edit**.
3. Enable one or more **Detection entries** according to your preferences.
4. Select **Save profile**.

Most predefined profiles match when any enabled detection entry matches. The **Personally Identifiable Information (PII) Record** profile is an exception and requires at least three unique detection entries in close proximity before the profile matches.

Your DLP profile is now ready to use with CASB.

### Build a custom profile

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Select **Create profile**.
3. Enter a name and optional description for the profile.
4. Add new or existing detection entries to the profile.  
Add a custom entry  
   1. Select **Add custom entry**.  
   2. Choose the type of detection entry you want to create and configure its values.  
   For information on supported detection entry types, refer to [Configure detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/).  
   3. To save the detection entry, select **Done**.  
Add existing entries  
Existing entries include [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/) and [user-defined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/) detection entries that you manage from the Detection entries section.  
   1. Select **Add existing entries**.  
   2. Choose which entries you want to add, then select **Confirm**.  
   3. To save the detection entry, select **Done**.
5. (Optional) Add data classes to include reusable classification rules.  
   1. Select **Add data classes**.  
   2. Choose the data classes you want to add, then select **Confirm**.
6. (Optional) Use labels as match criteria for the profile.  
   * Select a sensitivity schema and minimum sensitivity level.  
   * Select a data tag group and one or more data tags.  
For more information on labels, templates, and data classes, refer to [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/).
7. (Optional) Configure [**profile settings**](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile.
8. Select **Save profile**.

Your DLP profile is now ready to use with CASB.

For more information, refer to [Configure a DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/).

## Enable DLP scans in CASB

### Add a new integration

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Cloud & SaaS**.
2. Select **Add integration** and choose a [supported integration](#supported-integrations).
3. During the setup process, you will be prompted to select DLP profiles for the integration.
4. Select **Save integration**.

CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete.

### Modify an existing integration

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Cloud & SaaS**.
2. Choose a [supported integration](#supported-integrations) and select **Configure**.
3. Under **DLP profiles**, select the profiles that you want the integration to scan for.
4. Select **Save integration**.

If you enable a DLP profile from the **Manage integrations** page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes:

* Contents of the file
* Name of the file
* Visibility of the file (only if changed to publicly accessible)
* Owner of the file
* Location of the file (for example, moved to a different folder)

Warning

If you add a DLP profile to an existing integration, CASB only scans files modified after you enabled the profile. To scan all files, you must enable the DLP profile during the [integration setup flow](#add-a-new-integration).

## Limitations

DLP in CASB will only scan:

* Files less than or equal to 100 MB in size.
* Java and R source code files that are at least 5 KB. Smaller files in these languages are skipped.


---

---
title: Scan for sensitive data
description: How Scan for sensitive data works in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Scan for sensitive data

Note

Requires Cloudflare CASB and Cloudflare DLP.

You can use [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to discover if files stored in a SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration.

## Supported integrations

* [Amazon Web Services (AWS) S3](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/)
* [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/)
* [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/)
* [Google Cloud Platform (GCP) Cloud Storage](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/gcp-cloud-storage)
* [Google Drive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive/)
* [Microsoft OneDrive](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive/)
* [Microsoft SharePoint](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint/)
* [Microsoft 365 Copilot](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot/)
* [OpenAI](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/)
* [Anthropic](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/)

## Configure a DLP profile

You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, datasets, and document fingerprints.

### Configure a predefined profile

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Choose a [predefined profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Edit**.
3. Enable one or more **Detection entries** according to your preferences.
4. Select **Save profile**.

Most predefined profiles match when any enabled detection entry matches. The **Personally Identifiable Information (PII) Record** profile is an exception and requires at least three unique detection entries in close proximity before the profile matches.

Your DLP profile is now ready to use with CASB.

### Build a custom profile

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Select **Create profile**.
3. Enter a name and optional description for the profile.
4. Add new or existing detection entries to the profile.  
Add a custom entry  
   1. Select **Add custom entry**.  
   2. Choose the type of detection entry you want to create and configure its values.  
   For information on supported detection entry types, refer to [Configure detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/).  
   3. To save the detection entry, select **Done**.  
Add existing entries  
Existing entries include [predefined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/) and [user-defined](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/) detection entries that you manage from the Detection entries section.  
   1. Select **Add existing entries**.  
   2. Choose which entries you want to add, then select **Confirm**.  
   3. To save the detection entry, select **Done**.
5. (Optional) Add data classes to include reusable classification rules.  
   1. Select **Add data classes**.  
   2. Choose the data classes you want to add, then select **Confirm**.
6. (Optional) Use labels as match criteria for the profile.  
   * Select a sensitivity schema and minimum sensitivity level.  
   * Select a data tag group and one or more data tags.  
For more information on labels, templates, and data classes, refer to [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/).
7. (Optional) Configure [**profile settings**](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile.
8. Select **Save profile**.

Your DLP profile is now ready to use with CASB.

For more information, refer to [Configure a DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/).

## Enable DLP scans in CASB

### Add a new integration

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Cloud & SaaS**.
2. Select **Add integration** and choose a [supported integration](#supported-integrations).
3. During the setup process, you will be prompted to select DLP profiles for the integration.
4. Select **Save integration**.

CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete.

### Modify an existing integration

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Cloud & SaaS**.
2. Choose a [supported integration](#supported-integrations) and select **Configure**.
3. Under **DLP profiles**, select the profiles that you want the integration to scan for.
4. Select **Save integration**.

Note

Enabling a DLP profile on an existing integration only scans publicly accessible files that have had a modification event after the profile is enabled. To scan all existing publicly accessible files, enable the DLP profile during the [initial integration setup](#add-a-new-integration).

If you enable a DLP profile from the **Manage integrations** page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes:

* Contents of the file
* Name of the file
* Visibility of the file (only if changed to publicly accessible)
* Owner of the file
* Location of the file (for example, moved to a different folder)

In order to scan historical data, you must enable the DLP profile during the [integration setup flow](#add-a-new-integration).

## Limitations

DLP in CASB will only scan:

* [Text-based files](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported.
* Files less than or equal to 100 MB in size.
* Java and R source code files that are at least 5 KB in size.


---

---
title: Troubleshoot DLP
description: Troubleshoot DLP issues in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# Troubleshoot DLP

Use this guide to troubleshoot common issues with Data Loss Prevention (DLP).

## DLP policy does not trigger or block content

DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/).

To turn on TLS decryption:

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection**, turn on **Inspect HTTPS requests with TLS decryption**.

Terraform (v5)

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):
   * `Zero Trust Write`
2. Configure the `tls_decrypt` argument in [cloudflare\_zero\_trust\_gateway\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings):

```hcl
resource "cloudflare_zero_trust_gateway_settings" "team_name" {
  account_id = var.cloudflare_account_id
  settings = {
    tls_decrypt = {
      enabled = true
    }
  }
}
```

Once you turn on TLS decryption, you can create a DLP policy to inspect the content of HTTPS requests. For example:

| Selector    | Operator | Value                 | Logic | Action |
| ----------- | -------- | --------------------- | ----- | ------ |
| Domain      | in       | box.com               | And   | Block  |
| DLP Profile | in       | _Credit card numbers_ |       |        |

## DLP scans trigger false positives or block legitimate sites

If your DLP policy is blocking access to business-critical applications (such as Zoho, Google, or internal domains) or generating a high number of false positives, your DLP policy is likely too broad. Profiles such as **Credentials and Secrets** are powerful but can be overly aggressive if not scoped correctly.

### Problematic configuration

Applying a sensitive profile to all traffic causes unnecessary blocks. For example:

| Selector    | Operator | Value                     | Action |
| ----------- | -------- | ------------------------- | ------ |
| DLP Profile | in       | _Credentials and Secrets_ | Block  |

### Recommended solution

Make your policies more specific. Instead of a catch-all block, create granular policies that target high-risk destinations or user groups.

This policy only blocks uploads of financial data to file-sharing websites for a specific user group, reducing the risk of false positives on other sites.

| Selector           | Operator | Value                       | Logic | Action |
| ------------------ | -------- | --------------------------- | ----- | ------ |
| Destination Domain | in       | dropbox.com, wetransfer.com | And   | Block  |
| DLP Profile        | in       | _Financial Information_     | And   |        |
| User Group Names   | in       | Finance Team                |       |        |

You can also create policies that match trusted applications using the [**Do Not Scan** action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-scan).

## DLP detections are inconsistent

If DLP detects sensitive data in plain text but not within images or certain applications, check for the following issues:

* **OCR is turned on**: For DLP to scan text within images (such as a picture of a credit card), you must turn on [Optical Character Recognition (OCR)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/#optical-character-recognition-ocr) in DLP settings.
* **Application-specific behavior**: Some applications, such as WhatsApp Web, use protocols or encryption methods (such as WebSocket connections) that Gateway may not be able to fully inspect with HTTP policies.
* **Supported file types**: Content must be in a [supported file type](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types) for DLP inspection.

## DLP options are missing or you cannot create custom profiles

If you cannot use the _DLP Profile_ selector when creating an HTTP policy or are blocked from creating a custom DLP profile, it typically means one of two things:

1. Incorrect plan. These features require a Zero Trust Enterprise plan. If you believe your account should have this entitlement, contact your account team to confirm your subscription details.
2. Permissions issue. You may not have the required administrative privileges to configure DLP settings. Check with your Cloudflare account administrator.


---

---
title: Remote browser isolation
description: How Remote browser isolation works in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---

# Remote browser isolation

Note

Remote browser isolation is available as an add-on to Zero Trust Pay-as-you-go and Enterprise plans.

Cloudflare Browser Isolation complements the [Secure Web Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) (which inspects and filters HTTP/HTTPS traffic) and [Zero Trust Network Access](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) (which controls access to private applications) by executing active webpage content — executable code such as JavaScript and plugins — in a secure isolated browser. Because active content executes remotely instead of on the user's device, Browser Isolation protects users from zero-day attacks (attacks that exploit vulnerabilities with no available patch) and malware.

Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) and [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) policies.

Remote browsing is invisible to the user who continues to use their browser normally without changing their preferred browser and habits. Every open tab and window is automatically isolated. When the user closes the isolated browser, their session is automatically deleted.

## Privacy

Cloudflare Browser Isolation is a security product. In order to serve transparent isolated browsing and block web-based threats, our network decrypts Internet traffic using the [Cloudflare root CA](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/). Traffic logs are retained as described in the [Zero Trust](https://developers.cloudflare.com/cloudflare-one/insights/logs/) documentation.

## Troubleshooting

For help resolving common issues with Browser Isolation, refer to [Troubleshoot Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/troubleshooting/).


---

---
title: Accessibility
description: Accessibility in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---

# Accessibility

Browser Isolation offers features to support users who have visual impairments or non-English language requirements.

## Screen reader

The isolated browser has a built-in screen reader which speaks out loud the content of the isolated page.

### Turn the screen reader on or off

To turn the built-in screen reader on or off, right-click on any isolated page and select **Accessibility** \> **Enable** / **Disable screen reader**.

Alternatively, to use a keyboard shortcut, press `CTRL + ALT + Z`.

## Languages

The isolated browser supports keyboard inputs in all languages. Users can use their native keyboard to type in languages that use diacritics (for example, `á` or `ç`) or character-based scripts (for example, Chinese, Japanese, or Korean).


---

---
title: Canvas Remoting
description: How Canvas Remoting works in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---

# Canvas Remoting

Canvas Remoting is a Browser Isolation capability that optimizes performance for web applications using the HTML5 Canvas API (a browser feature that allows web applications to draw graphics directly on the page). It sends vector draw commands to the client instead of rasterized bitmaps (pixel images), reducing bandwidth consumption and improving frame rates for productivity applications.

## How it works

Browser Isolation uses Network Vector Rendering (NVR) to send lightweight drawing instructions to the user's browser, rather than streaming rendered pixels or video of the page. However, HTML5 Canvas content previously required server-side rasterization (converting draw commands into pixel images), sending large bitmaps for every frame.

Canvas Remoting extends NVR to Canvas-based applications by:

1. Capturing draw commands made to the HTML5 Canvas element.
2. Converting and sending those commands to the client as NVR instructions.
3. Rendering the Canvas content on the client onto an offscreen texture (a hidden drawing surface used for intermediate rendering).
4. Compositing (layering) the texture into the final document output.

## Supported applications

Canvas Remoting improves performance for productivity applications that rely on the HTML5 Canvas API:

| Application                          | Improvement                                |
| ------------------------------------ | ------------------------------------------ |
| Microsoft Word                       | 10x bandwidth reduction                    |
| Microsoft Excel                      | Smooth scrolling and data entry            |
| Microsoft PowerPoint                 | Fluid animations                           |
| Google Sheets                        | Consistent 30fps rendering                 |
| Google Maps                          | Smooth panning and zooming                 |
| Web-based terminals and AI notebooks | Fast and responsive text input and display |

## Limitations

Canvas Remoting supports 2D Canvas contexts only. The following are not supported:

* WebGL and WebGPU contexts
* 3D graphics applications
* Advanced Canvas features requiring GPU acceleration

## Enable or disable Canvas Remoting

Canvas Remoting is on by default for all Browser Isolation customers. No configuration is required.

![Canvas Remoting context menu option](https://developers.cloudflare.com/_astro/canvas-remoting-context-menu.DnzW09g1_1kc8Iw.webp) 

### Disable Canvas Remoting for the current session

1. Right-click on the background of the isolated webpage.
2. Select **Disable Canvas Remoting** from the context menu.

### Re-enable Canvas Remoting

1. Right-click on the background of the isolated webpage.
2. Select **Enable Canvas Remoting** from the context menu.

## Troubleshooting

### Canvas content renders slowly

If Canvas-based applications appear choppy or consume excessive bandwidth:

1. Verify Canvas Remoting is on by right-clicking the page background.
2. Check that the context menu shows **Disable Canvas Remoting** (indicating it is active).
3. If the issue persists, open a support case and provide the Ray ID from the error page.

### Graphical glitches or missing elements

If Canvas content displays incorrectly after reconnecting from a network interruption:

1. Refresh the isolated page.
2. If the issue persists, select **Disable Canvas Remoting** from the right-click menu.
3. Re-enable Canvas Remoting after the page reloads.


---

---
title: Extensions
description: Reference information for Extensions in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---


# Extensions

Browser Isolation supports running native Chromium Web Extensions in the remote browser.

When a page is isolated, it runs in a remote browser — not in the user's local browser. Extensions installed locally cannot interact with isolated pages because the page content exists only on the remote side. This capability allows extending tools that require DOM access (the ability to read and modify page content and structure), such as password managers and ad blockers, to isolated pages.

## Install an extension inside the remote browser

### Prerequisite: Isolate Chrome Web Store

Note

This step is not required when browsing via Clientless Web Isolation. You can access the Chrome Web Store at `https://<authdomain>.cloudflareaccess.com/browser/https://chromewebstore.google.com/`.

Installing extensions requires Chrome Web Store isolation. Create an [HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to isolate the Chrome Web Store (chromewebstore.google.com).

### Install an extension

1. Go to `https://chromewebstore.google.com/` while isolated.
2. Choose your desired extension.
3. Select **Add to Chrome**. To confirm extension installation, select **Add extension**.

Remote browser extensions are automatically reinstalled across isolated sessions.

## Remove an extension from the remote browser

1. Go to any isolated webpage.
2. Right-click anywhere to open the context menu and select **Show isolation toolbar**.
3. Select the jigsaw icon in the isolation toolbar to open the extension manager.
4. Select the hamburger icon for the desired extension to open the extension controls.
5. Select **Remove from Chromium**. To confirm removal, select **Remove**.

## Useful extensions

### Modify remote browser user agent

[User-Agent Switcher for Chrome ↗](https://chromewebstore.google.com/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg) enables controlling the User Agent sent from the remote browser to an isolated website.

### Control remote browser request headers

[ModHeader ↗](https://chromewebstore.google.com/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj) enables controlling arbitrary request headers sent from the remote browser to an isolated website.


---

---
title: Isolation policies
description: Reference information for Isolation policies in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---


# Isolation policies

With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content.

## Isolate

When an HTTP policy applies the Isolate action, the user's web browser is transparently served an HTML-compatible remote browser client. Isolation policies are applied only to requests that include `Accept: text/html*` (requests for web pages), which allows Browser Isolation policies to coexist with API traffic to the same hosts.

The following example enables isolation for all web traffic:

| Selector | Operator      | Value | Action  |
| -------- | ------------- | ----- | ------- |
| Host     | matches regex | .\*   | Isolate |

If instead you need to isolate specific pages, you can list the domains for which you would like to isolate traffic:

| Selector | Operator | Value                    | Action  |
| -------- | -------- | ------------------------ | ------- |
| Domain   | In       | example.com, example.net | Isolate |

### Isolate identity providers for applications

Existing cookies and sessions from non-isolated browsing are not sent to the remote browser. Websites that implement single sign-on using third-party cookies will also need to be isolated.

For example, if `example.com` authenticates using Google Workspace, you will also need to isolate the top level [Google Workspace URLs ↗](https://support.google.com/a/answer/9012184).

## Do Not Isolate

You can choose to disable isolation for certain destinations or categories. The following configuration disables isolation for traffic directed to `example.com`:

| Selector | Operator | Value       | Action         |
| -------- | -------- | ----------- | -------------- |
| Host     | In       | example.com | Do Not Isolate |
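As an added illustration (not Cloudflare's code or policy engine), the following Python models how the three rule tables above combine: only `Accept: text/html*` requests are candidates, and rules are evaluated in order with the first match deciding the action. The first-match-wins ordering and the assumption that a Domain selector also covers subdomains are assumptions made here, not statements from this page.

```python
"""Toy evaluator for ordered Isolate / Do Not Isolate HTTP rules (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    selector: str   # "Host" or "Domain" (the selectors used on this page)
    operator: str   # "in" or "matches regex"
    value: tuple    # member names for "in", a single pattern for "matches regex"
    action: str     # "Isolate" or "Do Not Isolate"


def isolation_eligible(accept_header: str) -> bool:
    """Only requests whose Accept header carries text/html* are candidates for
    isolation; JSON/API requests to the same host are left untouched."""
    return any(part.strip().lower().startswith("text/html")
               for part in accept_header.split(","))


def rule_matches(rule: Rule, host: str) -> bool:
    host = host.lower().rstrip(".")
    if rule.selector == "Host" and rule.operator == "in":
        return host in rule.value                      # exact hostname match
    if rule.selector == "Host" and rule.operator == "matches regex":
        return re.search(rule.value[0], host) is not None
    if rule.selector == "Domain" and rule.operator == "in":
        # Assumption: Domain covers the name itself and every subdomain of it
        return any(host == d or host.endswith("." + d) for d in rule.value)
    raise ValueError(f"unsupported selector/operator: {rule.selector} {rule.operator}")


def decide(rules: Sequence[Rule], host: str, accept_header: str) -> Optional[str]:
    """Return the action of the first matching rule, or None when the request is
    not a page load or no rule applies (assumption: ordered, first-match evaluation)."""
    if not isolation_eligible(accept_header):
        return None
    for rule in rules:
        if rule_matches(rule, host):
            return rule.action
    return None


# Constructed policy list mirroring the tables above. The Do Not Isolate exception
# is placed first so that it wins over the catch-all regex rule.
POLICY = (
    Rule("Host", "in", ("example.com",), "Do Not Isolate"),
    Rule("Domain", "in", ("example.com", "example.net"), "Isolate"),
    Rule("Host", "matches regex", (r".*",), "Isolate"),
)

# Constructed Accept headers: a typical browser page load and an API call
PAGE = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
API = "application/json"

if __name__ == "__main__":
    for host, accept in [("example.com", PAGE), ("www.example.com", PAGE),
                         ("news.example.org", PAGE), ("example.com", API)]:
        print(f"{host:18} {accept.split(',')[0]:22} -> {decide(POLICY, host, accept)}")
```

Swapping the first two rules would make `example.com` page loads isolated, which is why exceptions belong ahead of broad Isolate rules.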

## Policy settings

When you isolate a website, you can also restrict what users do on that site. The following optional settings appear in the Gateway HTTP policy builder when you select the _Isolate_ action. Configure these settings to [prevent data loss ↗](https://blog.cloudflare.com/data-protection-browser/) when users interact with untrusted websites in the remote browser — for example, to stop a user from copying confidential data out of an isolated internal application.

### Copy (from remote to client)

```mermaid
flowchart LR
    subgraph remotebrowser[Remote browser]
        siteA["Isolated website"]--Data-->remoteclip["Remote clipboard"]
    end
    subgraph client[Client]
        localclip["Local clipboard"]
    end
    remoteclip-->localclip
```

* _Allow_: (Default) Users can copy content from an isolated website to their local clipboard.
* _Allow only within isolated browser_: Users can only copy content from an isolated website to the remote clipboard. Users cannot copy content out of the remote browser to the local clipboard. You can use this setting alongside [**Paste (from client to remote)**: _Allow only within isolated browser_](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#paste-from-client-to-remote) to only allow copy-pasting between isolated websites.
* _Do not allow_: Prohibits users from copying content from an isolated website.

### Paste (from client to remote)

```mermaid
flowchart LR
    subgraph client[Client]
        localclip["Local clipboard"]
    end
    subgraph remotebrowser[Remote browser]
        remoteclip["Remote clipboard"]-->siteA["Isolated website"]
    end
    localclip--Data-->remoteclip
```

* _Allow_: (Default) Users can paste content from their local clipboard to an isolated website.
* _Allow only within isolated browser_: Users can only paste content from the remote clipboard to an isolated website. Users cannot paste content from their local clipboard to the remote browser. You can use this setting alongside [**Copy (from remote to client)**: _Allow only within isolated browser_](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#copy-from-remote-to-client) to only allow copy-pasting between isolated websites.
* _Do not allow_: Prohibits users from pasting content into an isolated website.

### File downloads

* _Allow_: (Default) Users can download files from an isolated website to their local machine.
* _Do not allow_: Prohibits users from downloading files from an isolated website to their local machine.
* _View in remote browser_: Users can open and view files in an isolated environment.

Note

This option does not prevent files from being downloaded into the remote browser. To prevent files being downloaded into the remote browser, use HTTP Policies to block by [Download Mime Type](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-mime-type).

### File uploads

* _Allow_: (Default) Users can upload files from their local machine into an isolated website.
* _Do not allow_: Prohibits users from uploading files from their local machine into an isolated website.

Note

This option does not prevent files being uploaded to websites from third-party cloud file managers or files downloaded into the remote browser download bar from other isolated websites. To prevent files being uploaded from the remote browser into an isolated website, use HTTP Policies to block by [Upload Mime Type](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-mime-type).

### Keyboard

* _Allow_: (Default) Users can perform keyboard inputs into an isolated website.
* _Do not allow_: Prohibits users from performing keyboard inputs into an isolated website.

Note

Mouse input remains available to allow users to browse a website by following hyperlinks and scrolling. This does not prevent user input into third-party virtual keyboards within an isolated website.

### Printing

* _Allow_: (Default) Users can print isolated web pages to their local machine.
* _Do not allow_: Prohibits users from printing isolated web pages to their local machine.

## Custom block dialog (Beta)

With custom block dialogs, you can host a custom block page when users are blocked from taking specific actions, like [copying](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#copy-from-remote-to-client), [pasting](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#paste-from-client-to-remote), [downloading](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#file-downloads), [uploading](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#file-uploads), [performing keyboard inputs](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#keyboard), or [printing](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#printing), within an isolated browser session.

Administrators can configure custom block dialogs to explain the reason for the block, and guide the users on how to resolve their issue using the provided query parameters:

* `action`: copy, paste, download, upload, perform keyboard inputs, and print
* `cf_colo`: for example, `sea01`
* `client_url`: for example, `https://example.com`
* `policy_id`: 32-character id
* `rbi_debug_id`: 32-character id
* `user_id`: 32-character id

Custom block dialogs are still in beta. Contact your account team to start using custom block dialogs.
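The following Python is an added example (not Cloudflare's code) of how a self-hosted block page could parse the query parameters listed above, validate them, and render a message that explains the block without reflecting untrusted input. The handler name, the wording, and the treatment of `client_url` (only scheme and host are shown) are choices made here; the exact `action` value sent for keyboard input is not given on this page, so unknown actions fall back to generic wording.

```python
"""Build a custom block dialog from the query parameters Cloudflare appends (added example)."""
import html
from urllib.parse import parse_qs, urlsplit

# Wording per blocked action, keyed by the values this page lists for `action`.
ACTION_TEXT = {
    "copy": "copy content out of the isolated browser",
    "paste": "paste content from your device into the isolated browser",
    "download": "download a file to your device",
    "upload": "upload a file from your device",
    "print": "print the isolated page",
}
ID_PARAMS = ("policy_id", "rbi_debug_id", "user_id")  # each is a 32-character id


def parse_block_params(dialog_url: str) -> dict:
    """Return display-safe values plus a list of validation problems."""
    query = parse_qs(urlsplit(dialog_url).query)
    params = {k: v[0] for k, v in query.items() if v}
    problems = []
    for name in ID_PARAMS:
        if len(params.get(name, "")) != 32:
            problems.append(f"{name} missing or not 32 characters")
    action = params.get("action", "")
    if not action:
        problems.append("action missing")
    # Keep only scheme and host of client_url so an arbitrary string is never echoed back.
    target = urlsplit(params.get("client_url", ""))
    site = None
    if target.scheme in ("http", "https") and target.hostname:
        site = f"{target.scheme}://{target.hostname}"
    return {
        "action": action,
        "site": site,
        "colo": params.get("cf_colo", ""),
        "policy_id": params.get("policy_id", ""),
        "support_ref": params.get("rbi_debug_id", ""),
        "problems": problems,
    }


def render_dialog(info: dict) -> str:
    """Render an HTML fragment; every interpolated value is escaped."""
    what = ACTION_TEXT.get(info["action"], "perform this action")
    where = info["site"] or "this isolated website"
    lines = [
        "<h1>Action blocked</h1>",
        f"<p>Your organization's policy does not allow you to {html.escape(what)} "
        f"on {html.escape(where)}.</p>",
        f"<p>To request an exception, contact IT and quote reference "
        f"<code>{html.escape(info['support_ref'])}</code> "
        f"(policy <code>{html.escape(info['policy_id'])}</code>, "
        f"location <code>{html.escape(info['colo'])}</code>).</p>",
    ]
    if info["problems"]:
        lines.append("<p>Some details of this block could not be verified: "
                     + html.escape("; ".join(info["problems"])) + ".</p>")
    return "\n".join(lines)


# Constructed dialog URL with placeholder 32-character ids (not real identifiers).
CONSTRUCTED_URL = (
    "https://blocked.example.internal/rbi?action=copy&cf_colo=sea01"
    "&client_url=https%3A%2F%2Fexample.com%2Fdocs"
    "&policy_id=" + "a" * 32 + "&rbi_debug_id=" + "b" * 32 + "&user_id=" + "c" * 32
)

if __name__ == "__main__":
    print(render_dialog(parse_block_params(CONSTRUCTED_URL)))
```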

## Common policies

### Isolate all security threats

Isolate security threats such as malware and phishing.


| Selector            | Operator | Value                | Action  |
| ------------------- | -------- | -------------------- | ------- |
| Security Categories | in       | _All security risks_ | Isolate |

Create a Zero Trust Gateway rule

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Isolate all security threats",
    "description": "Isolate security threats such as malware and phishing",
    "enabled": true,
    "action": "isolate",
    "filters": [
        "http"
    ],
    "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
    "identity": "",
    "device_posture": ""
  }'
```

### Isolate high risk content

Isolate high risk content categories such as newly registered domains.


| Selector           | Operator | Value            | Action  |
| ------------------ | -------- | ---------------- | ------- |
| Content Categories | in       | _Security Risks_ | Isolate |

Create a Zero Trust Gateway rule

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Isolate high risk content",
    "description": "Isolate high risk content categories such as newly registered domains",
    "enabled": true,
    "action": "isolate",
    "filters": [
        "http"
    ],
    "traffic": "any(http.request.uri.content_category[*] in {32 169 177 128})",
    "identity": "",
    "device_posture": ""
  }'
```

### Isolate news and media

Isolate news and media sites, which are targets for malvertising attacks.


| Selector           | Operator | Value            | Action  |
| ------------------ | -------- | ---------------- | ------- |
| Content Categories | in       | _News and Media_ | Isolate |

Create a Zero Trust Gateway rule

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Isolate news and media",
    "description": "Isolate news and media sites, which are targets for malvertising attacks",
    "enabled": true,
    "action": "isolate",
    "filters": [
        "http"
    ],
    "traffic": "any(http.request.uri.content_category[*] in {122})",
    "identity": "",
    "device_posture": ""
  }'
```

### Isolate uncategorized content

Isolate content that has not been categorized by [Cloudflare Radar](https://developers.cloudflare.com/radar/).


| Selector           | Operator | Value                    | Action  |
| ------------------ | -------- | ------------------------ | ------- |
| Content Categories | not in   | _All content categories_ | Isolate |

Create a Zero Trust Gateway rule

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Isolate uncategorized content",
    "description": "Isolate content not categorized by Cloudflare Radar",
    "enabled": true,
    "action": "isolate",
    "filters": [
        "http"
    ],
    "traffic": "not(any(http.request.uri.content_category[*] in {2 67 125 133 3 75 183 89 182 6 90 91 144 150 7 70 74 76 79 92 96 100 106 107 116 120 121 122 127 139 156 164 99 9 101 137 10 103 146 11 12 77 98 108 110 111 118 126 129 172 168 113 33 179 166 15 115 119 124 141 161 17 85 87 102 157 135 138 180 162 140 142 32 169 177 128 22 73 82 88 148 23 24 181 71 72 173 78 84 86 94 97 104 105 114 174 93 130 132 136 147 149 154 158 152 26 69 184 81 95 109 123 145 155 159 160 163 165 167}))",
    "identity": "",
    "device_posture": ""
  }'
```

### Isolate ChatGPT

Isolate the use of ChatGPT.


| Selector    | Operator | Value     | Action  |
| ----------- | -------- | --------- | ------- |
| Application | in       | _ChatGPT_ | Isolate |

In **Configure policy settings**, you can customize restrictions for ChatGPT. For example, to prevent your users from inputting sensitive information, you can select **Disable copy / paste** and **Disable file uploads**.

Create a Zero Trust Gateway rule

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Isolate ChatGPT",
    "description": "Isolate the use of ChatGPT",
    "enabled": true,
    "action": "isolate",
    "filters": [
        "http"
    ],
    "traffic": "any(app.ids[*] in {1199})",
    "identity": "",
    "device_posture": ""
  }'
```


---

---
title: Known limitations
description: Reference information for Known limitations in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---


# Known limitations

Below, you will find information regarding the current limitations for Browser Isolation.

## Website compatibility

Our Network Vector Rendering (NVR) technology sends drawing instructions to the user's browser instead of streaming video of the page. This allows us to deliver a secure remote computing experience without the bandwidth limitations of video streams. While we expect most websites to work perfectly, some browser features and web technologies are unsupported and will be implemented in the future:

* Webcam and microphone support is unavailable.
* Websites that use WebGL (a browser technology for rendering 3D graphics) may not function. To turn off WebGL in the browser, refer to [WebGL Rendering Error](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/troubleshooting/#webgl-rendering-error).
* Netflix and Spotify Web Player are unavailable.
* H.265/HEVC (a video compression format) is not a supported video format at this time.

## Browser compatibility

| Browser                                      | Compatibility |
| -------------------------------------------- | ------------- |
| Google Chrome                                | ✅             |
| Mozilla Firefox                              | ✅             |
| Safari                                       | ✅             |
| Microsoft Edge (Chromium-based)              | ✅             |
| Other Chromium-based browsers (Opera, Brave) | ✅             |
| Internet Explorer 11 and below               | ❌             |

### Brave

Browser Isolation uses [WebRTC](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/network-dependencies/#webrtc-channel) for low-latency communication between the local and remote browser. Brave's WebRTC IP Handling Policy can impact how Cloudflare RBI loads and functions. If the WebRTC IP Handling Policy is configured to **Disable Non-Proxied UDP**, RBI may fail to load correctly because Brave blocks the UDP connections that WebRTC requires.

To ensure RBI loads correctly, go to `brave://settings/privacy` in your Brave browser window, find **WebRTC IP Handling Policy**, and change the setting from **Disable Non-Proxied UDP** to one of the following:

* **Default**
* **Default Public and Private Interfaces**
* **Default Public Interface Only**

## Protocol support

Browser Isolation requires HTTPS. Websites served over unencrypted HTTP cannot be isolated.

## Virtual machines

Browser Isolation is not supported in virtualized environments (VMs).

## Gateway selectors

Certain selectors for Gateway HTTP policies bypass Browser Isolation, including:

* [Destination Continent IP Geolocation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#destination-continent)
* [Destination Country IP Geolocation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#destination-country)
* [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#destination-ip)

You cannot use these selectors to isolate traffic, and isolation matches for these selectors will not appear in your Gateway logs. Additionally, you cannot apply other policies based on these selectors while in isolation. For example, if you have a Block policy that matches traffic based on destination IP, Gateway will not block the matching traffic if it is already isolated by an Isolate policy.

## File download size

When a user downloads a file within the remote browser, the file is held in memory and destroyed at the end of the remote browser session. The total size of files downloaded per session is therefore bounded by the memory available to the remote browser. We recommend a maximum individual file size of 512 MB.

## Multifactor authentication

[Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) does not support Yubikey or WebAuthN (hardware security key authentication). These authentication technologies require the isolated website to use the same domain name as the non-isolated website. Clientless Web Isolation changes the URL by adding a prefix, which breaks this requirement. Therefore, Yubikey and WebAuthN will not work with prefixed Clientless Web Isolation URLs but will work normally for [in-line deployments](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/) such as [isolated Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/).

## SAML applications

Cloudflare Remote Browser Isolation now [supports SAML applications that use HTTP-POST bindings](https://developers.cloudflare.com/cloudflare-one/changelog/browser-isolation/#2025-05-13). SAML is a protocol used for single sign-on (SSO), and some SAML implementations send login data via an HTTP POST request (HTTP-POST bindings). This resolves previous issues such as `405` errors and login loops during SSO authentication flows.

You no longer need to isolate both the Identity Provider (IdP) and Service Provider (SP), or switch to HTTP-Redirect bindings, to use Browser Isolation with POST-based SSO. Users can log in to internal or SaaS applications in the isolated browser securely and seamlessly.

[Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) may still be preferred in some deployment models. Clientless Web Isolation implicitly isolates all traffic (both IdP and SP) and supports HTTP-POST SAML bindings.

## Browser Isolation is not compatible with private apps on non-`443` ports

Browser Isolation is not compatible with [self-hosted private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) that use private IPs or hostnames on ports other than `443`. Trying to access self-hosted applications on non-`443` ports will result in a Gateway block page.

To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/) instead.


---

---
title: Browser Isolation with firewall
description: Reference information for Browser Isolation with firewall in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---


# Browser Isolation with firewall

If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow Browser Isolation to connect.

## Remoting client

Isolated pages are served by the remoting client — the software component in the user's browser that loads, displays, and communicates with the remote browser session. This client communicates with Cloudflare's network via HTTPS and WebRTC.

### Remoting Client (Services)

The remoting client provides static assets and API endpoints. For Browser Isolation to function, you must allow:

* HTTPS traffic to `*.browser.run` on port `443`

#### Clientless Web Isolation

Users connecting through Clientless Web Isolation also require connectivity to Cloudflare Access. For users to connect to Access, you must allow:

* HTTPS traffic to `https://<team-name>.cloudflareaccess.com` on port `443`

### WebRTC channel

Browser Isolation uses WebRTC (a real-time communication protocol) for low-latency communication between the local browser and the remote browser. WebRTC uses UDP rather than TCP, which means this traffic does not flow through standard HTTP/HTTPS proxy settings. The connecting device must have direct UDP connectivity to the IP ranges listed below.

In order to pass WebRTC traffic, the remoting client must be able to connect to the following IP addresses:

| IP range                                | Port range    | Protocol |
| --------------------------------------- | ------------- | -------- |
| IPv4: 162.159.201.10 - 162.159.201.255  | 10000 - 59999 | UDP      |
| IPv4: 172.64.73.0 - 172.64.73.255       | 10000 - 59999 | UDP      |
| IPv6: 2606:4700:f2::/48                 | 10000 - 59999 | UDP      |

Each remote browser instance is randomly assigned a port, and the port that a user is allocated to will change often and without notice.

Note

WebRTC traffic does not flow through proxies specified in local browser HTTP/HTTPS proxy settings. The connecting device needs to be able to directly connect to the WebRTC IP ranges.
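When RBI fails to load behind a restrictive firewall, the quickest check is whether dropped outbound UDP flows fall inside the WebRTC ranges and port range listed above. The Python below is an added example (not Cloudflare tooling) that encodes those ranges and scans constructed firewall log lines; the log format is invented for the example and would need adapting to a real firewall's output.

```python
"""Match dropped UDP flows against the Browser Isolation WebRTC ranges (added example)."""
import ipaddress
import re

# Ranges and ports from the table on this page. The first IPv4 range is not
# CIDR-aligned, so it is summarized into a list of networks.
WEBRTC_RANGES = [
    *ipaddress.summarize_address_range(ipaddress.ip_address("162.159.201.10"),
                                       ipaddress.ip_address("162.159.201.255")),
    ipaddress.ip_network("172.64.73.0/24"),          # 172.64.73.0 - 172.64.73.255
    ipaddress.ip_network("2606:4700:f2::/48"),
]
PORT_MIN, PORT_MAX = 10000, 59999


def is_rbi_webrtc_flow(dst_ip: str, dst_port: int, proto: str = "udp") -> bool:
    """True when a destination matches the WebRTC allowlist (UDP, listed ranges, port range)."""
    if proto.lower() != "udp":
        return False
    if not PORT_MIN <= dst_port <= PORT_MAX:
        return False
    addr = ipaddress.ip_address(dst_ip)
    # `in` returns False for an address/network version mismatch, so IPv4 and IPv6 mix safely.
    return any(addr in net for net in WEBRTC_RANGES)


# Constructed "dropped outbound" log lines in an invented format (not a real product's).
SAMPLE_LOG = """\
DROP proto=udp src=10.1.2.3:51234 dst=162.159.201.77:23456
DROP proto=udp src=10.1.2.3:51235 dst=172.64.73.9:61000
DROP proto=udp src=10.1.2.3:51236 dst=[2606:4700:f2:1::5]:30000
DROP proto=tcp src=10.1.2.3:51237 dst=162.159.201.77:443
DROP proto=udp src=10.1.2.3:51238 dst=8.8.8.8:20000
"""

# Destination is either a bracketed IPv6 literal or a dotted IPv4, followed by :port.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) .*dst=(?:\[(?P<ip6>[^\]]+)\]|(?P<ip4>[\d.]+)):(?P<port>\d+)"
)


def find_blocked_rbi_flows(log_text: str) -> list:
    """Return (ip, port) pairs of dropped flows that the RBI remoting client needs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m.group("ip6") or m.group("ip4")
        port = int(m.group("port"))
        if is_rbi_webrtc_flow(ip, port, m.group("proto")):
            hits.append((ip, port))
    return hits


if __name__ == "__main__":
    for ip, port in find_blocked_rbi_flows(SAMPLE_LOG):
        print(f"firewall is dropping RBI WebRTC traffic to {ip} udp/{port}")
```

The second sample line (port 61000) and the fourth (TCP) are deliberately outside the allowlist, so only two of the five dropped flows are reported.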


---

---
title: Set up Browser Isolation
description: Set up Browser Isolation in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---


# Set up Browser Isolation

Browser Isolation is enabled through [Secure Web Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies.

## 1\. Connect devices to Cloudflare

Setup instructions vary depending on how you want to connect your devices to Cloudflare. Refer to the links below to view the setup guide for each deployment option.

| Connection                                                                                                                                 | Mode         | Description                                                                                                                                                                    |
| ------------------------------------------------------------------------------------------------------------------------------------------ | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/)                                | In-line      | Apply identity-based HTTP policies to traffic proxied through the Cloudflare One Client.                                                                                       |
| [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/)                                   | In-line      | Apply identity-based HTTP policies to Access applications that are rendered in a remote browser.                                                                               |
| [Gateway proxy endpoint](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/non-identity/)                    | In-line      | Apply non-identity HTTP policies to traffic forwarded to a [proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/). |
| [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/non-identity/)                            | In-line      | Apply non-identity HTTP policies to traffic connected through a GRE or IPsec tunnel (site-to-site encrypted connections to Cloudflare's network).                              |
| [Clientless remote browser](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) | Prefixed URL | Render web pages in a remote browser when users go to https://<your-team-name>.cloudflareaccess.com/browser/<URL>.                                                             |

**In-line** mode means traffic is inspected as it flows through Gateway — users browse to websites using normal URLs, not a special Cloudflare prefix. Some in-line methods require device or network configuration, such as installing the Cloudflare One Client or configuring a PAC file. **Prefixed URL** mode requires users to visit a Cloudflare-hosted URL that wraps the target website.

## 2\. Build an Isolation policy

To configure Browser Isolation policies:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Select **Add a policy** and enter a name for the policy.
3. Use the HTTP policy [selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#selectors) and [operators](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#comparison-operators) to specify the websites or content you want to isolate.
4. For **Action**, choose either [_Isolate_](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#isolate) or [_Do not Isolate_](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#do-not-isolate).
5. (Optional) Configure [settings](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) for an Isolate policy.
6. Select **Create policy**.

Next, [verify that your policy is working](#3-check-if-a-web-page-is-isolated).

## 3\. Check if a web page is isolated

Users can see if a webpage is isolated by using one of the following methods:

* Select the padlock in the address bar and check for the presence of a Cloudflare Root CA.
* Right-click the web page and view the context menu options.

### Normal browsing

* A non-Cloudflare root certificate indicates that Cloudflare did not proxy this web page. The root certificate is the certificate authority (CA) that your browser trusts to verify the site's identity.  
![Website does not present a Cloudflare root certificate](https://developers.cloudflare.com/_astro/non-cloudflare-root-ca.DUtGDw33_ZFcJnQ.webp)
* The right-click context menu will have all of the normal options.  
![Normal right-click menu in browser](https://developers.cloudflare.com/_astro/non-isolated-browser.B9h2hRe6_Z19cAm7.webp)

### Isolated browsing

* A Cloudflare root certificate indicates traffic was proxied through Cloudflare Gateway.  
![Website presents a Cloudflare root certificate](https://developers.cloudflare.com/_astro/cloudflare-gateway-root-ca.DLxxnVYn_ZdwfJP.webp)
* The right-click context menu will be simplified.  
![Simplified right-click menu in browser](https://developers.cloudflare.com/_astro/isolated-browser.CBtYLGGn_141dVf.webp)

#### Disconnect Browser Isolation

Cloudflare One Client users can temporarily disable remote browsing by [disconnecting the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-device-client-switch). Once the Cloudflare One Client is disconnected, a refresh will return the non-isolated page.


---

---
title: Clientless Web Isolation
description: How Clientless Web Isolation works in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---


# Clientless Web Isolation

Clientless Web Isolation allows users to securely browse high risk or sensitive websites in a remote browser without having to install the Cloudflare One Client on their device. Use Clientless Web Isolation when you need to provide isolated browsing to unmanaged devices (for example, contractor laptops or personal phones) where you cannot install software.

Note

Clientless Web Isolation requires the [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) add-on.

## Set up Clientless Web Isolation

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**.
2. Turn on **Allow users to open a remote browser without the device client**.
   1. To configure permissions, in **Browser isolation** \> **Browser isolation settings**, select **Manage** next to **Manage remote browser permissions**. You can add authentication methods and [rules](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control who can access the remote browser.
   2. Under **Policies** \> **Access Policies**, select **Create new policy**.
   3. Name your policy and define who will have access to your isolated application. Refer to the [Access policy documentation](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#actions) to construct your policy.
   4. Select **Save**.
   5. Under **Policies** \> **Access Policies**, select **Select existing policies**, select the policy or policies you created in the previous step, and then select **Confirm**.
   6. At the bottom of the page, select **Save**.

Your application will now be served in an isolated browser for users matching your policies.

### Open links in Browser Isolation

To open links using Browser Isolation:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Browser isolation** \> **Browser isolation settings**.
2. Turn on **Allow users to open a remote browser without the device client**.
3. In **Launch browser**, enter the URL link, and then select **Launch**. Your URL will open in a secure isolated browser.

## Filter DNS queries

When users browse through Clientless Web Isolation, their DNS queries (the lookups that translate domain names to IP addresses) are handled by Gateway. You can use [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) to control which domains the remote browser can resolve. Enterprise users can resolve domains available only through private DNS servers by creating [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/).

Gateway DNS and resolver policies will always apply to Clientless Web Isolation traffic, regardless of device configuration.

## Use the remote browser

Clientless Web Isolation is implemented through a prefixed URL — the target website's address is appended to a Cloudflare-hosted base URL. `<your-team-name>` is your organization's team name.

```
https://<your-team-name>.cloudflareaccess.com/browser/<URL>
```

For example, to isolate `www.example.com`, users would visit `https://<your-team-name>.cloudflareaccess.com/browser/https://www.example.com/` in their preferred browser.

If `<URL>` is not provided, users are presented with a Cloudflare Zero Trust landing page where they can enter a target URL or search for a website.

## Optional configurations

### Allow or block websites

When users visit a website through the [Clientless Web Isolation URL](#use-the-remote-browser), the traffic passes through Cloudflare Gateway. This allows you to [apply HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to control what websites the remote browser can connect to, even if the user's device does not have the Cloudflare One Client installed.

For example, if you use a third-party Secure Web Gateway to block `example.com`, users can still reach the page in the remote browser by visiting `https://<your-team-name>.cloudflareaccess.com/browser/https://www.example.com/`, because that request is sent to Cloudflare rather than to `example.com` directly. To block the isolated page as well, create a Cloudflare Gateway HTTP policy that blocks `example.com`:

| Selector | Operator | Value       | Action |
| -------- | -------- | ----------- | ------ |
| Domain   | in       | example.com | Block  |

### Bypass TLS decryption

[TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) allows Gateway to inspect the contents of HTTPS traffic by decrypting it, applying policies, and re-encrypting it. If TLS decryption is turned on, Gateway will decrypt all sites accessed through the Clientless Web Isolation URL. Some sites are incompatible with this process (for example, sites that use certificate pinning). To connect to those sites, add a Do Not Inspect HTTP policy for the application or domain.

| Selector | Operator | Value      | Action         |
| -------- | -------- | ---------- | -------------- |
| Domain   | is       | mysite.com | Do Not Inspect |

Note

Clientless Web Isolation can function without TLS decryption turned on. However, TLS decryption is required to apply [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to Clientless Web Isolation traffic, because Gateway must decrypt the traffic before it can inspect and filter the content.

### Connect private networks

With Clientless Web Isolation, users can reach any internal web server you have connected through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). For more information, refer to [Connect private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/).

For example, if you added `192.168.2.1` to your tunnel, users can connect to your application through the remote browser by going to `https://<your-team-name>.cloudflareaccess.com/browser/http://192.168.2.1`. Clientless Web Isolation also supports connecting over private ports, for example `https://<your-team-name>.cloudflareaccess.com/browser/http://192.168.2.1:7148`.

Note

All users with access to your remote browser can access your Cloudflare Tunnel applications unless you create a Gateway HTTP policy to block them.

### Disable remote browser controls

You can configure [remote browser controls](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input. These settings display in the Gateway [HTTP policy builder](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) when you select the Isolate action.

### Sync cookies between local and remote browser

The Cloudflare One Chrome extension allows a user to seamlessly access isolated and non-isolated applications without needing to re-authenticate. The user can log in once to their identity provider (whether through a Clientless Web Isolation link or their local browser) and gain access to all applications behind the SSO login.

Note

The Chrome extension is available in early access. To install, contact your account team.

## Address bar

Clientless Web Isolation has an embedded address bar. This feature is designed to improve the user's experience while visiting isolated pages with prefixed URLs.

The clientless address bar has three views: hostname notch, full address bar and hidden. The user's selected view is remembered across domains and remote browsing sessions.

### Hostname notch view

By default the isolated domain name appears in the notch positioned at the top and center of an isolated page.

![Viewing hostname of an isolated page in the clientless remote browser](https://developers.cloudflare.com/_astro/rbi-address-bar-notch.BsghmuIS_ZhyMH.webp) 

Selecting **Expand** or the hostname text will expand the notch to the full address bar view. If isolated page content is obscured by the notch, expanding to the full address bar view will make the content accessible.

### Full address bar view

The full address bar allows users to search and go to isolated websites. Users can jump to the address bar at any time by pressing `CTRL + L` on the keyboard.

![Viewing full address of an isolated page in the clientless remote browser](https://developers.cloudflare.com/_astro/rbi-address-bar-full.BDXQJUgz_Z1cD7Aj.webp) 

### Hidden view

To turn on or off the address bar, users can right-click on any isolated page and select **Show / Hide address bar**.

## Logs

* **Authentication events**: User login events are available in [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/).
* **HTTP requests**: Traffic from the remote browser to the Internet is logged in [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/).
* **DNS queries**: DNS queries from the remote browser are shown in [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/).
* **Network sessions**: Egress traffic from the remote browser generates [Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/), available via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) and [Log Explorer](https://developers.cloudflare.com/log-explorer/).
* **User actions**: Track copy/paste, download/upload, and print actions initiated by users in the remote browser (only available in [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/)).

## Redirect traffic to the remote browser

If you want to isolate a website without the Cloudflare One Client installed, you will need to redirect traffic to the Clientless Web Isolation [prefixed URL](#use-the-remote-browser). One way to do this is through a third-party Secure Web Gateway. To redirect users to the remote browser, you can implement a custom block page similar to the example shown below.

```html
<!DOCTYPE html>
<html>
  <head>
    <title>Redirecting website to a remote browser</title>
    <!-- Replace <your-team-name> with your team name and <URL> with the site to isolate -->
    <script>
      window.location.href =
        "https://<your-team-name>.cloudflareaccess.com/browser/<URL>";
    </script>
    <noscript>
      <meta
        http-equiv="refresh"
        content="0; url=https://<your-team-name>.cloudflareaccess.com/browser/<URL>"
      />
    </noscript>
  </head>
  <body>
    <p>
      This website is being redirected to a remote browser. Select
      <a href="https://<your-team-name>.cloudflareaccess.com/browser/<URL>"
        >here</a
      >
      if you are not automatically redirected.
    </p>
  </body>
</html>
```
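As an added example (not Cloudflare's code), the following Node.js script builds the prefixed URL described under [Use the remote browser](#use-the-remote-browser) and renders the block page above with the target URL escaped for each context it is inserted into (script string, meta refresh attribute, link href). The team name `acme` and the sample URLs are constructed placeholders; substitute your own.

```javascript
// Added example, not part of Cloudflare's documentation or code.
// Builds Clientless Web Isolation prefixed URLs and renders a redirecting
// block page. "acme" and the sample target URLs below are constructed.

// A team name is a DNS label: letters, digits and hyphens, 1-63 characters.
const TEAM_NAME_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Build https://<team>.cloudflareaccess.com/browser/<URL>.
// With no target URL the base path is returned, which shows the landing page.
// Only http(s) targets are accepted: wrapping a javascript: or data: URL in
// the prefixed form is meaningless and is rejected before it reaches a page.
function buildIsolationUrl(teamName, targetUrl) {
  if (!TEAM_NAME_RE.test(teamName)) {
    throw new Error(`invalid team name: ${teamName}`);
  }
  const base = `https://${teamName.toLowerCase()}.cloudflareaccess.com/browser/`;
  if (targetUrl === undefined || targetUrl === null || targetUrl === "") {
    return base;
  }
  let parsed;
  try {
    parsed = new URL(targetUrl); // also percent-encodes <, > and " in the path
  } catch {
    throw new Error(`not an absolute URL: ${targetUrl}`);
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${parsed.protocol}`);
  }
  return base + parsed.href;
}

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render the redirect page with the isolated URL substituted. The URL lands
// in three contexts: a JS string literal (JSON.stringify plus \u003c so a
// "</script>" inside the value cannot close the script element), a meta
// refresh attribute and an href attribute (both HTML-escaped).
function renderBlockPage(teamName, targetUrl) {
  const isolated = buildIsolationUrl(teamName, targetUrl);
  const jsLiteral = JSON.stringify(isolated)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
  const attr = escapeHtml(isolated);
  return `<!DOCTYPE html>
<html>
  <head>
    <title>Redirecting website to a remote browser</title>
    <script>
      window.location.href = ${jsLiteral};
    </script>
    <noscript>
      <meta http-equiv="refresh" content="0; url=${attr}" />
    </noscript>
  </head>
  <body>
    <p>
      This website is being redirected to a remote browser. Select
      <a href="${attr}">here</a> if you are not automatically redirected.
    </p>
  </body>
</html>
`;
}

// Example run with constructed values.
console.log(renderBlockPage("acme", "https://www.example.com"));
```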

## Troubleshooting

Review troubleshooting guidance related to Clientless Web Isolation.

* [Clientless Web Isolation is loading a blank screen on a Windows device](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/troubleshooting/#blank-screen-on-windows)


---

---
title: Non-identity on-ramps
description: Non-identity on-ramps in Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---


# Non-identity on-ramps

On-ramps are the methods used to route traffic from your network to Cloudflare for inspection. With Cloudflare One, you can isolate HTTP traffic from on-ramps such as [proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) (which your browser connects to via PAC files to send traffic through Gateway) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/) (formerly Magic WAN, which connects your network to Cloudflare through GRE or IPsec tunnels). Since these on-ramps do not require users to log in to the Cloudflare One Client, [identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) are not supported.

Note

If you want to apply Isolate policies based on user identity, you will need to either install the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) or manually redirect users to the [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL.

## Set up non-identity browser isolation

1. [Install a Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your devices.
2. Connect your infrastructure to Gateway using one of the following on-ramps:  
   * Configure your browser to forward traffic to a Gateway proxy endpoint with [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) (Proxy Auto-Configuration files that tell the browser which traffic to route through the proxy).  
   * Connect your enterprise site router to Gateway with the [anycast GRE or IPsec tunnel on-ramp to Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/) (site-to-site encrypted tunnels between your network and Cloudflare).
3. Enable non-identity browser isolation:  
   1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**.  
   2. Turn on **Allow isolated HTTP traffic when user identity is unknown**.
4. Build a non-identity [HTTP policy](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) to isolate websites in a remote browser.


---

---
title: Troubleshoot Browser Isolation
description: Resolve common issues with Cloudflare Browser Isolation, including session limits, rendering errors, and WebGL support.
image: https://developers.cloudflare.com/zt-preview.png
---


# Troubleshoot Browser Isolation

Review common troubleshooting scenarios for Cloudflare Browser Isolation.

## Connectivity and sessions

### No Browsers Available

If you encounter a `No Browsers Available` alert, please file feedback via the Cloudflare One Client. This error typically indicates a temporary capacity issue in the data center or a connectivity problem between your client and the remote browser.

### Maximum Sessions Reached

This alert appears if your device attempts to establish more than two concurrent remote browser instances. A browser isolation session is shared across all tabs and windows within the same browser (for example, all Chrome tabs share one session). You can use two different browsers (such as Chrome and Firefox) concurrently, but opening a third will trigger this alert. To release a session, close all tabs and windows in one of your local browsers.

## Rendering and performance

### WebGL Rendering Error

Cloudflare Browser Isolation uses Network Vector Rendering (NVR), which does not support WebGL (Web Graphics Library) in all environments. If a website requires WebGL and your device lacks the necessary hardware resources in the virtualized environment, you may see a rendering error.

To resolve this, try enabling software rasterization in your browser:

1. Go to `chrome://flags/#override-software-rendering-list`.
2. Set **Override software rendering list** to _Enabled_.
3. Select **Relaunch**.

### Blank screen on Windows

On Windows devices, Clientless Web Isolation may load with a blank screen if there is a conflict between browser mDNS settings and Windows IGMP configuration.

| IGMPLevel    | WebRTC Anonymization | Result         |
| ------------ | -------------------- | -------------- |
| 0 (disabled) | Enabled / Default    | ❌ Blank screen |
| 0 (disabled) | Disabled             | ✅ Works        |
| 2 (enabled)  | Enabled / Default    | ✅ Works        |

To fix this, either disable **Anonymize local IPs exposed by WebRTC** in your browser flags or ensure `IGMPLevel` is enabled (set to `2`) in your Windows network settings.

### Rendering issues (CSS/Images)

If a website displays incorrectly (for example, broken CSS or missing images), it may indicate that the remote browser is unable to fetch specific resources from the origin server. Check your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/) for any blocked subresources that might be required by the page.

---

## How to contact Support

If you cannot resolve the issue, [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/). For RBI issues, it is helpful to provide the **Ray ID** from any error page and a description of the browser you are using.


---

---
title: Roles and permissions
description: Reference information for Roles and permissions in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Roles and permissions

When creating a Cloudflare Zero Trust account, you will be given the Super Administrator role. As a Super Administrator, you can invite members to join your Zero Trust account and assign them different roles. There is no limit to the number of members that can be added to a given account. Any member with the proper permissions will be able to make configuration changes while actively logged into Zero Trust (unless [read-only mode](https://developers.cloudflare.com/cloudflare-one/api-terraform/#set-dashboard-to-read-only) is enabled).

To check the list of members in your account, or to manage roles and permissions, refer to our [Account setup](https://developers.cloudflare.com/fundamentals/manage-members/) documentation.

## Zero Trust roles

Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role.

| Role                                                             | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit | CASB Read | CASB Edit |
| ---------------------------------------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- | --------- | --------- |
| Super Administrator                                              | ✅           | ✅            | ✅            | ✅              | ✅                 | ✅                 | ✅            | ✅            | ✅        | ✅        | ✅         | ✅         | ✅ |
| Cloudflare Zero Trust[1](#user-content-fn-1)                     | ✅           | ✅            | ✅            | ✅              | ✅                 | ✅                 | ✅            | ✅            | ❌        | ✅        | ✅         | ✅         | ✅ |
| Cloudflare Access                                                | ✅           | ✅            | ✅            | ❌              | ✅                 | ❌                 | ❌            | ✅            | ❌        | ❌        | ❌         | ❌         | ❌ |
| Cloudflare Gateway                                               | ✅           | ❌            | ✅            | ✅              | ✅                 | ✅                 | ✅            | ✅            | ❌        | ❌        | ❌         | ❌         | ❌ |
| Cloudflare Zero Trust Read Only                                  | ✅           | ❌            | ✅            | ❌              | ✅                 | ✅                 | ❌            | ✅            | ❌        | ✅        | ❌         | ✅         | ❌ |
| Cloudflare Zero Trust Reporting                                  | ❌           | ❌            | ❌            | ❌              | ✅                 | ❌                 | ❌            | ✅            | ❌        | ✅        | ❌         | ❌         | ❌ |
| Cloudflare Zero Trust DNS Locations Write[2](#user-content-fn-2) | ❌           | ❌            | ❌            | ❌              | ❌                 | ✅                 | ✅            | ❌            | ❌        | ❌        | ❌         | ❌         | ❌ |
| Cloudflare DEX                                                   | ❌           | ❌            | ❌            | ❌              | ❌                 | ❌                 | ❌            | ❌            | ❌        | ✅        | ✅         | ❌         | ❌ |
| Cloudflare CASB Read                                             | ❌           | ❌            | ✅            | ❌              | ❌                 | ❌                 | ❌            | ❌            | ❌        | ❌        | ❌         | ✅         | ❌ |
| Cloudflare CASB                                                  | ❌           | ❌            | ✅            | ❌              | ❌                 | ❌                 | ❌            | ❌            | ❌        | ❌        | ❌         | ✅         | ✅ |

### Cloudflare Zero Trust PII

By default, only Super Administrators can view end users' PII in the Gateway activity logs, such as Device IDs, Source IPs, or user emails. No other roles will have the ability to read PII unless Super Administrators explicitly assign the **Cloudflare Zero Trust PII** role to them.

The Cloudflare Zero Trust PII role should be considered an add-on role, to be combined with any role from the table above. For example, Super Administrators may decide to assign the Cloudflare Gateway role to a user, and add the Cloudflare Zero Trust PII role to allow that user to access PII in the Gateway logs.

Note

The Cloudflare Zero Trust PII role does not apply to Access authentication logs. PII is always visible in Access logs.

## Email security roles

For more information on Email security roles, refer to [Account-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#account-scoped-roles).

* **Cloudflare Zero Trust**: Can edit Cloudflare [Zero Trust](https://developers.cloudflare.com/cloudflare-one/). Grants administrator access to all Zero Trust products including Access, Gateway, the Cloudflare One Client, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security.
* **Cloudflare Zero Trust PII**: Can read PII in Zero Trust. This includes Email security.
* **Email security Analyst** and **Email security Configuration Admin**: Have full access to all admin features in Email security.
* **Email security Integration Admin**: Can read and set up integrations only.
* **Email security Configuration Admin**: Has administrator access. Cannot take actions on emails, or read emails.
* **Email security Analyst**: Has analyst access. Can take action on emails and read emails.
* **Email security Reporting**: Can read metrics.
* **Email security Read Only**: Can read all information, but cannot take action on anything.
* **Email security Policy Admin**: Can read all settings, but only write [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/).

## Footnotes

1. The **Cloudflare Zero Trust** role grants administrator access to all Zero Trust products including Access, Gateway, the Cloudflare One Client, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security. [↩](#user-content-fnref-1)
2. Users with the **Cloudflare Zero Trust DNS Locations Write** role can view all DNS locations for an organization but can only create and edit [secure DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations). [↩](#user-content-fnref-2)


---

---
title: Tutorials
description: View tutorials for Cloudflare Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---


# Tutorials

| Name                                                                                                                                                                             | Last Updated       | Difficulty   |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | ------------ |
| [Detect MCP traffic in Gateway logs](https://developers.cloudflare.com/cloudflare-one/tutorials/detect-mcp-traffic-gateway-logs/)                                                | 29 days ago        | Advanced     |
| [Implement regional private DNS servers with Gateway resolver policies](https://developers.cloudflare.com/cloudflare-one/tutorials/regional-private-dns-resolver-policies/)      | 6 months ago       | Advanced     |
| [Deploy the Cloudflare One Client on headless Linux machines](https://developers.cloudflare.com/cloudflare-one/tutorials/deploy-client-headless-linux/)                          | 7 months ago       | Beginner     |
| [Create and secure an AI agent wrapper using AI Gateway and Zero Trust](https://developers.cloudflare.com/cloudflare-one/tutorials/ai-wrapper-tenant-control/)                   | about 1 year ago   | Advanced     |
| [Use Cloudflare Tunnels with Kubernetes client-go credential plugins](https://developers.cloudflare.com/cloudflare-one/tutorials/tunnel-kubectl/)                                | over 1 year ago    | Intermediate |
| [Send SSO attributes to Access-protected origins with Workers](https://developers.cloudflare.com/cloudflare-one/tutorials/extend-sso-with-workers/)                              | over 1 year ago    | Advanced     |
| [Protect an R2 Bucket with Cloudflare Access](https://developers.cloudflare.com/r2/tutorials/cloudflare-access/)                                                                 | about 2 years ago  | Intermediate |
| [Use virtual networks to change user egress IPs](https://developers.cloudflare.com/cloudflare-one/tutorials/user-selectable-egress-ips/)                                         | about 2 years ago  | Intermediate |
| [Access and secure a MySQL database using Cloudflare Tunnel and network policies](https://developers.cloudflare.com/cloudflare-one/tutorials/mysql-network-policy/)              | about 2 years ago  | Intermediate |
| [Access a web application via its private hostname without the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/tutorials/clientless-access-private-dns/) | about 2 years ago  | Intermediate |
| [Use Microsoft Entra ID Conditional Access policies in Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/tutorials/entra-id-conditional-access/)               | over 2 years ago   | Intermediate |
| [Protect access to Microsoft 365 with dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/tutorials/m365-dedicated-egress-ips/)                               | over 2 years ago   | Intermediate |
| [Monitor Cloudflare Tunnel with Grafana](https://developers.cloudflare.com/cloudflare-one/tutorials/grafana/)                                                                    | over 2 years ago   | Intermediate |
| [Use Cloudflare R2 as a Zero Trust log destination](https://developers.cloudflare.com/cloudflare-one/tutorials/r2-logs/)                                                         | over 2 years ago   | Beginner     |
| [Create custom headers for Cloudflare Access-protected origins with Workers](https://developers.cloudflare.com/cloudflare-one/tutorials/access-workers/)                         | over 2 years ago   | Intermediate |
| [Protect access to Amazon S3 buckets with Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/tutorials/s3-buckets/)                                         | over 2 years ago   | Advanced     |
| [Validate the Access token with FastAPI](https://developers.cloudflare.com/cloudflare-one/tutorials/fastapi/)                                                                    | almost 3 years ago | Beginner     |
| [Isolate risky Entra ID users](https://developers.cloudflare.com/cloudflare-one/tutorials/entra-id-risky-users/)                                                                 | over 3 years ago   | Advanced     |
| [Connect through Cloudflare Access using kubectl](https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/)                                                           | almost 4 years ago | Advanced     |
| [GraphQL Analytics](https://developers.cloudflare.com/cloudflare-one/tutorials/graphql-analytics/)                                                                               | about 4 years ago  | Intermediate |
| [Integrate Microsoft MCAS with Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/tutorials/integrate-microsoft-mcas-teams/)                                | over 4 years ago   | Intermediate |
| [Connect through Cloudflare Access using a CLI](https://developers.cloudflare.com/cloudflare-one/tutorials/cli/)                                                                 | about 5 years ago  | Intermediate |
| [MongoDB SSH](https://developers.cloudflare.com/cloudflare-one/tutorials/mongodb-tunnel/)                                                                                        | over 5 years ago   | Advanced     |
| [Zero Trust GitLab SSH & HTTP](https://developers.cloudflare.com/cloudflare-one/tutorials/gitlab/)                                                                               | over 5 years ago   | Advanced     |
| [Require U2F with Okta](https://developers.cloudflare.com/cloudflare-one/tutorials/okta-u2f/)                                                                                    | over 5 years ago   | Intermediate |


---

---
title: Create custom headers for Cloudflare Access-protected origins with Workers
description: This tutorial covers how to use a Cloudflare Worker to add custom headers to traffic. The headers will be sent to origin services protected by Cloudflare Access.
image: https://developers.cloudflare.com/zt-preview.png
---



# Create custom headers for Cloudflare Access-protected origins with Workers

**Last reviewed:**  over 2 years ago 

This tutorial covers how to use a [Cloudflare Worker](https://developers.cloudflare.com/workers/) to add custom HTTP headers to traffic, and how to send those custom headers to your origin services protected by [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).

Some applications and networking implementations require specific custom headers to be passed to the origin, which can be difficult to implement for traffic moving through a Zero Trust proxy. You can configure a Worker to send the [user authorization headers](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/) required by Access.

---

## Before you begin

* Secure your origin server with Cloudflare Access

## Create a Worker

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **Workers & Pages** page.  
[ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages)
2. If this is your first Worker, select **Create Worker**. Otherwise, select **Create application**, then select **Create Worker**.
3. Enter an identifiable name for the Worker, then select **Deploy**.
4. Select **Edit code**.
5. Input the following Worker:


JavaScript

```js
export default {
  async fetch(request, env, ctx) {
    const { headers } = request;

    // Identity header that Cloudflare Access adds to requests it has authenticated.
    const cfaccessemail = headers.get("cf-access-authenticated-user-email");

    // Incoming request headers are immutable; copy the request so they can be edited.
    const requestWithID = new Request(request);

    // Only set the custom header when Access supplied an identity. Without this
    // check a missing header would reach the origin as the literal string "null".
    if (cfaccessemail) {
      requestWithID.headers.set("company-user-id", cfaccessemail);
    }

    return fetch(requestWithID);
  },
};
```

TypeScript

```ts
export default {
  async fetch(request, env, ctx): Promise<Response> {
    const { headers } = request;

    // Identity header that Cloudflare Access adds to requests it has authenticated.
    const cfaccessemail = headers.get("cf-access-authenticated-user-email");

    // Incoming request headers are immutable; copy the request so they can be edited.
    const requestWithID = new Request(request);

    // Only set the custom header when Access supplied an identity. Without this
    // check a missing header would reach the origin as the literal string "null".
    if (cfaccessemail) {
      requestWithID.headers.set("company-user-id", cfaccessemail);
    }

    return fetch(requestWithID);
  },
} satisfies ExportedHandler<Env>;
```

6. Select **Save and deploy**.

Your Worker is now ready to send custom headers to your Access-protected origin services.

## Apply the Worker to your hostname

1. Select the Worker you created, then go to **Triggers**.
2. In **Routes**, select **Add route**.
3. Enter the hostname and zone for your origin, then select **Add route**.

The Worker will now insert a custom header into requests that match the defined route. For example:

Example custom header

```json
{
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Encoding": "gzip",
    "Accept-Language": "en-US,en;q=0.9",
    "Cf-Access-Authenticated-User-Email": "user@example.com",
    "Company-User-Id": "user@example.com",
    "Connection": "keep-alive"
}
```
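The header-injection logic above, written as an added example (not the tutorial's own code) in a testable form that also covers two cases the short Worker leaves open: a request that arrives without the Access identity header, and a client that sends its own `company-user-id` header. The header names are the tutorial's; `buildOriginRequest`, `ACCESS_EMAIL_HEADER` and `IDENTITY_HEADER` are names chosen here.

```javascript
// Added example, not the tutorial's own code. Header names are the ones the
// tutorial uses; the function and constant names are chosen here.

// Header that Cloudflare Access sets on requests it has authenticated.
const ACCESS_EMAIL_HEADER = "cf-access-authenticated-user-email";
// Header the origin reads as the authenticated user's identity.
const IDENTITY_HEADER = "company-user-id";

// Build the request that is forwarded to the origin. Returns the new request
// together with the Access identity (or null) so callers and tests can inspect it.
function buildOriginRequest(request) {
  const email = request.headers.get(ACCESS_EMAIL_HEADER);

  // Incoming request headers are immutable; copy the request to edit them.
  const forwarded = new Request(request);

  // Drop any client-supplied copy of the identity header first. The origin
  // trusts this header, so its only source must be the Access header above.
  forwarded.headers.delete(IDENTITY_HEADER);

  // Headers.set() would stringify null as "null"; only set the header when
  // Access actually provided an identity. A request without it simply reaches
  // the origin with no identity header at all.
  if (email) {
    forwarded.headers.set(IDENTITY_HEADER, email);
  }
  return { request: forwarded, email };
}

// Worker entry point. In the Worker source this object is the default export;
// it is a plain constant here so the file also runs outside the Workers runtime.
const worker = {
  async fetch(request, env, ctx) {
    const { request: forwarded } = buildOriginRequest(request);
    return fetch(forwarded);
  },
};
```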


---

---
title: Create and secure an AI agent wrapper using AI Gateway and Zero Trust
description: This tutorial explains how to use Cloudflare AI Gateway and Zero Trust to create a functional and secure website wrapper for an AI agent.
image: https://developers.cloudflare.com/zt-preview.png
---



# Create and secure an AI agent wrapper using AI Gateway and Zero Trust

**Last reviewed:**  about 1 year ago 

This tutorial explains how to use [Cloudflare AI Gateway](https://developers.cloudflare.com/ai-gateway/) and Zero Trust to create a functional and secure website wrapper for an AI agent. Cloudflare Zero Trust administrators can protect access to the wrapper with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). Additionally, you can enforce [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) to control how your users interact with AI agents, including executing AI agents in an isolated browser with [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), enforcing [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) profiles to prevent your users from sharing sensitive data, and scanning content to avoid answers from AI agents that violate internal corporate guidelines. Creating an AI agent wrapper is also an effective way to enforce tenant control if you have an enterprise plan for a specific AI provider, such as ChatGPT Enterprise.

This tutorial uses ChatGPT as an example AI agent.

## Before you begin

Make sure you have:

* A [Cloudflare Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/).
* An API key for your desired AI provider, such as an [OpenAI API key ↗](https://platform.openai.com/api-keys) for ChatGPT.

## 1\. Create an AI gateway

First, create an AI gateway to control your AI app.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **AI Gateway** page.  
[ Go to **AI Gateway** ](https://dash.cloudflare.com/?to=/:account/ai/ai-gateway)
2. Select **Create Gateway**.
3. Name your gateway.
4. Select **Create**.
5. Configure your desired options for the gateway.
6. [Connect your AI provider](https://developers.cloudflare.com/ai-gateway/get-started/#connect-application) to proxy queries to your AI agent of choice using your AI gateway.
7. (Optional) Turn on [Authenticated Gateway](https://developers.cloudflare.com/ai-gateway/configuration/authentication/). The Authenticated Gateway feature ensures that your AI gateway only accepts requests that present a valid token in the `cf-aig-authorization` request header.  
   1. Go to **AI** \> **AI Gateway**.  
   2. Select your AI gateway, then go to **Settings**.  
   3. Turn on **Authenticated Gateway**, then choose **Confirm**.  
   4. Select **Create authentication token**, then select **Create an AI Gateway authentication token**.  
   5. Configure your token and copy the token value. When creating your Worker, you will need to pass this token when calling your AI gateway.

For more information, refer to [Getting started with AI Gateway](https://developers.cloudflare.com/ai-gateway/get-started/).

## 2\. (Optional) Use Guardrails to block unsafe or inappropriate content

[Guardrails](https://developers.cloudflare.com/ai-gateway/features/guardrails/) is a built-in AI Gateway security feature that allows Cloudflare to identify unsafe or inappropriate content in prompts and responses based on selected categories.

1. In the Cloudflare dashboard, go to the **AI Gateway** page.  
[ Go to **AI Gateway** ](https://dash.cloudflare.com/?to=/:account/ai/ai-gateway)
2. Select your AI gateway.
3. Go to **Guardrails**.
4. Turn on Guardrails.
5. Select **Change** to configure the categories you would like to filter for both prompts and responses.

## 3\. Build a Worker to serve the wrapper

### 1\. Create the Worker

In order to build the Worker, you will need to choose if you want to build it locally using [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) or remotely using the [dashboard ↗](https://dash.cloudflare.com/).

**Wrangler**

1. In a terminal, log in to your Cloudflare account:

   ```sh
   wrangler login
   ```

2. Initiate the project locally:

   ```sh
   mkdir ai-agent-wrapper
   cd ai-agent-wrapper
   wrangler init
   ```

3. Create a Wrangler configuration file:

   ```toml
   name = "ai-agent-wrapper"
   main = "src/index.js"
   compatibility_date = "2023-10-30"

   [vars]
   # Add any environment variables here
   ```

4. Add your AI provider's API key as a [secret](https://developers.cloudflare.com/workers/configuration/secrets/). The secret name must match the binding the Worker reads from `env`; the example Worker below uses `OPENAI_API_KEY`:

   ```sh
   wrangler secret put OPENAI_API_KEY
   ```

You can now build the Worker using the `index.js` file created by Wrangler.

**Dashboard**

1. In the Cloudflare dashboard, go to the **Workers & Pages** page.  
[ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages)
2. Select **Create**.
3. In **Workers**, choose the **Hello world** template.
4. Name your worker, then select **Deploy**.
5. Select your Worker, then go to the **Settings** tab.
6. Go to **Variables and Secrets**, then select **Add**.
7. Choose _Secret_ as the type, name your secret (for example, `OPENAI_API_KEY`), and enter the value of your AI provider's API key in **Value**.

You can now build the Worker using the online code editor by selecting **Edit code** on your Worker page.

### 2\. Build the Worker

The following is an example starter Worker that serves a simple front-end to allow a user to interact with an AI provider behind AI Gateway. This example uses OpenAI as its AI provider:

JavaScript

```js
export default {
  async fetch(request, env) {
    // Route on the parsed pathname so a query string cannot bypass the match.
    const url = new URL(request.url);

    if (url.pathname === "/api/chat") {
      if (request.method === "POST") {
        try {
          const { messages } = await request.json();

          // Proxy the chat completion through AI Gateway. Replace $ACCOUNT_ID and
          // $GATEWAY_ID with your own values (or read them from env).
          const response = await fetch(
            "https://gateway.ai.cloudflare.com/v1/$ACCOUNT_ID/$GATEWAY_ID/openai/chat/completions",
            {
              method: "POST",
              headers: {
                "Content-Type": "application/json",
                Authorization: `Bearer ${env.OPENAI_API_KEY}`,
                // If Authenticated Gateway is turned on, also send your gateway
                // token (stored as a secret) in the "cf-aig-authorization" header.
              },
              body: JSON.stringify({
                model: "gpt-4o-mini",
                messages: messages,
              }),
            },
          );

          if (!response.ok) {
            throw new Error(`AI Gateway Error: ${response.status}`);
          }

          const result = await response.json();
          return new Response(
            JSON.stringify({
              response: result.choices[0].message.content,
            }),
            {
              headers: { "Content-Type": "application/json" },
            },
          );
        } catch (error) {
          return new Response(JSON.stringify({ error: error.message }), {
            status: 500,
            headers: { "Content-Type": "application/json" },
          });
        }
      }
      return new Response("Method not allowed", { status: 405 });
    }

    // Every other path serves the single-page chat front end.
    return new Response(HTML, {
      headers: { "Content-Type": "text/html" },
    });
  },
};

const HTML = `<!DOCTYPE html>
  <html lang="en" data-theme="dark">
  <head>
      <meta charset="UTF-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <title>ChatGPT Wrapper</title>
      <style>
          :root {
              --background-color: #1a1a1a;
              --chat-background: #2d2d2d;
              --text-color: #ffffff;
              --input-border: #404040;
              --message-ai-background: #404040;
              --message-ai-text: #ffffff;
          }

          body {
              font-family: system-ui, sans-serif;
              margin: 0;
              padding: 20px;
              background: var(--background-color);
              display: flex;
              flex-direction: column;
              align-items: center;
              gap: 20px;
              color: var(--text-color);
          }

          .chat-container {
              width: 100%;
              max-width: 800px;
              background: var(--chat-background);
              border-radius: 10px;
              box-shadow: 0 2px 10px rgba(0,0,0,0.1);
              height: 80vh;
              display: flex;
              flex-direction: column;
          }

          .chat-header {
              padding: 15px 20px;
              border-bottom: 1px solid var(--input-border);
              background: var(--chat-background);
              border-radius: 10px 10px 0 0;
              text-align: center;
          }

          .chat-messages {
              flex-grow: 1;
              overflow-y: auto;
              padding: 20px;
          }

          .message {
              margin-bottom: 20px;
              padding: 10px 15px;
              border-radius: 10px;
              max-width: 80%;
          }

          .user-message {
              background: #007AFF;
              color: white;
              margin-left: auto;
          }

          .ai-message {
              background: var(--message-ai-background);
              color: var(--message-ai-text);
          }

          .input-container {
              padding: 20px;
              border-top: 1px solid var(--input-border);
              display: flex;
              gap: 10px;
          }

          input {
              flex-grow: 1;
              padding: 10px;
              border: 1px solid var(--input-border);
              border-radius: 5px;
              font-size: 16px;
              background: var(--chat-background);
              color: var(--text-color);
          }

          button {
              padding: 10px 20px;
              background: #007AFF;
              color: white;
              border: none;
              border-radius: 5px;
              cursor: pointer;
              font-size: 16px;
          }

          button:disabled {
              background: #ccc;
          }

          .error {
              color: red;
              padding: 10px;
              text-align: center;
          }
      </style>
  </head>
  <body>
      <div class="chat-container">
          <div class="chat-header">
              <h2>AI Assistant</h2>
          </div>
          <div class="chat-messages" id="messages"></div>
          <div class="input-container">
              <input type="text" id="userInput" placeholder="Type your message..." />
              <button onclick="sendMessage()" id="sendButton">Send</button>
          </div>
      </div>

      <script>
          let messages = [];
          const messagesDiv = document.getElementById('messages');
          const userInput = document.getElementById('userInput');
          const sendButton = document.getElementById('sendButton');

          userInput.addEventListener('keypress', (e) => {
              if (e.key === 'Enter') sendMessage();
          });

          async function sendMessage() {
              const content = userInput.value.trim();
              if (!content) return;

              userInput.disabled = true;
              sendButton.disabled = true;

              messages.push({ role: 'user', content });
              appendMessage('user', content);
              userInput.value = '';

              try {
                  const response = await fetch('/api/chat', {
                      method: 'POST',
                      headers: { 'Content-Type': 'application/json' },
                      body: JSON.stringify({
                          messages
                      })
                  });

                  if (!response.ok) {
                      throw new Error('API request failed');
                  }

                  const result = await response.json();
                  const aiMessage = result.response;

                  messages.push({ role: 'assistant', content: aiMessage });
                  appendMessage('ai', aiMessage);
              } catch (error) {
                  appendMessage('ai', 'Sorry, there was an error processing your request.');
                  console.error('Error:', error);
              }

              userInput.disabled = false;
              sendButton.disabled = false;
              userInput.focus();
          }

          function appendMessage(role, content) {
              const messageDiv = document.createElement('div');
              // textContent (not innerHTML) keeps model output from being rendered as markup.
              messageDiv.className = 'message ' + role + '-message';
              messageDiv.textContent = content;
              messagesDiv.appendChild(messageDiv);
              messagesDiv.scrollTop = messagesDiv.scrollHeight;
          }
      </script>
  </body>
  </html>`;
```

Note that the account ID and gateway ID need to be replaced in the AI Gateway endpoint. You can add these as [environment variables](https://developers.cloudflare.com/workers/configuration/environment-variables/) or [secrets](https://developers.cloudflare.com/workers/configuration/secrets/) in Workers. If you chose to use Authenticated Gateway when creating your AI gateway, make sure to also add your token as a secret and pass its value to the AI gateway in the `cf-aig-authorization` header.
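As an added example (not part of the tutorial), server-side validation for the `/api/chat` handler above: it routes on the parsed pathname, rejects malformed or oversized message arrays with a 400 instead of letting them surface as a 500 after a round trip to AI Gateway, and keeps the system prompt under the wrapper's control rather than the browser's. The limits, the prompt text and the function names (`routeOf`, `validateChatBody`, `parseChatRequest`) are this example's own choices.

```javascript
// Added example, not the tutorial's own code. MAX_MESSAGES, MAX_CONTENT_CHARS
// and SYSTEM_PROMPT are illustrative values chosen here, not provider settings.

const MAX_MESSAGES = 50;         // cap on conversation history per request
const MAX_CONTENT_CHARS = 8000;  // cap on a single message body
// Roles the browser may submit; "system" is reserved for the wrapper.
const ALLOWED_ROLES = new Set(["user", "assistant"]);
const SYSTEM_PROMPT = "You are an internal assistant. Answer only work-related questions.";

// Route on the parsed pathname rather than request.url.endsWith("/api/chat"),
// which would miss "/api/chat?x=1" and "/api/chat/".
function routeOf(requestUrl) {
  const { pathname } = new URL(requestUrl);
  return pathname.replace(/\/+$/, "") === "/api/chat" ? "chat" : "page";
}

// Returns { ok: true, messages } with the system prompt prepended, or
// { ok: false, error } describing the first violation found.
function validateChatBody(body) {
  if (body === null || typeof body !== "object" || !Array.isArray(body.messages)) {
    return { ok: false, error: "body must be an object with a messages array" };
  }
  const { messages } = body;
  if (messages.length === 0 || messages.length > MAX_MESSAGES) {
    return { ok: false, error: `messages must contain 1..${MAX_MESSAGES} items` };
  }
  for (const [i, m] of messages.entries()) {
    if (m === null || typeof m !== "object") {
      return { ok: false, error: `messages[${i}] must be an object` };
    }
    if (!ALLOWED_ROLES.has(m.role)) {
      return { ok: false, error: `messages[${i}].role must be user or assistant` };
    }
    if (typeof m.content !== "string" || m.content.length === 0) {
      return { ok: false, error: `messages[${i}].content must be a non-empty string` };
    }
    if (m.content.length > MAX_CONTENT_CHARS) {
      return { ok: false, error: `messages[${i}].content exceeds ${MAX_CONTENT_CHARS} characters` };
    }
  }
  if (messages[messages.length - 1].role !== "user") {
    return { ok: false, error: "last message must be from the user" };
  }
  // Rebuild the array from validated fields only, dropping any extra keys
  // (for example "name" or "tool_calls") the client may have added.
  const clean = messages.map((m) => ({ role: m.role, content: m.content }));
  return { ok: true, messages: [{ role: "system", content: SYSTEM_PROMPT }, ...clean] };
}

function jsonError(message, status) {
  return new Response(JSON.stringify({ error: message }), {
    status,
    headers: { "Content-Type": "application/json" },
  });
}

// Parse and validate a request to /api/chat. Returns either { response } holding
// a 405/400 to send back, or { messages } ready to forward to AI Gateway.
async function parseChatRequest(request) {
  if (request.method !== "POST") {
    return { response: new Response("Method not allowed", { status: 405 }) };
  }
  let body;
  try {
    body = await request.json();
  } catch {
    return { response: jsonError("request body is not valid JSON", 400) };
  }
  const result = validateChatBody(body);
  if (!result.ok) {
    return { response: jsonError(result.error, 400) };
  }
  return { messages: result.messages };
}
```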

### 3\. Publish the Worker

Once the Worker code is complete, you need to make the Worker addressable using a hostname controllable by Cloudflare Access.

**Wrangler**

Edit the Wrangler configuration file and add the following information to ensure that the Worker is only accessible using the custom hostname:

```toml
name = "ai-agent-wrapper"
main = "src/index.js"
compatibility_date = "2023-10-30"
workers_dev = false

# Replace with your custom domain
routes = [
  { pattern = "<YOUR_CUSTOM_DOMAIN>", custom_domain = true }
]

[vars]
# Add any environment variables here
```

To publish the Worker, run `wrangler deploy`.

**Dashboard**

If you built your Worker remotely using the [code editor](https://developers.cloudflare.com/workers/get-started/dashboard/) available in the Cloudflare dashboard, you can deploy it by selecting **Deploy**.

To ensure that the Worker is only accessible from the custom hostname:

1. In the Cloudflare dashboard, go to the **Workers & Pages** page.  
[ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages)
2. Select your Worker.
3. Go to **Settings**.
4. Within **Domains & Routes**, select **Add**.
5. Choose **Custom domain**.
6. Enter your desired custom domain name.
7. Select **Add domain**.

The Worker is now behind an addressable public hostname. Make sure to turn off both **workers.dev** and **Preview URLs** so that the Worker can only be accessed with its custom domain.

## 4\. Secure the wrapper with Access

To secure the AI agent wrapper so that only trusted users can access it:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname** and enter the custom domain you set for your Worker.
5. [Configure your Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your Worker.
6. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application.

Now your AI wrapper can only be accessed by your users that successfully match your Access policies.

## 5\. Block access to public AI agents with Gateway

You can now block access to all unauthorized public AI agents with a Gateway [HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/).

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies** \> **HTTP**.
2. Select **Add a policy**.
3. Add the following policy:  
| Selector           | Operator | Value                     | Action |  
| ------------------ | -------- | ------------------------- | ------ |  
| Content Categories | in       | _Artificial Intelligence_ | Block  |
4. Select **Create policy**.

This ensures that public AI agents are not reachable from managed endpoints.

Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page), [redirect](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page), or a [user notification](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#cloudflare-one-client-block-notifications) directing users to the AI agent wrapper.

## 6\. Enforce Data Loss Prevention and Clientless Browser Isolation

Now that you have full control over access to your AI agent wrapper, you can enforce extra security methods such as Data Loss Prevention (DLP) and Clientless Web Isolation to protect and control data shared with the AI agent.

### Apply Data Loss Prevention profiles

You can use [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) to prevent your users from sending sensitive data to the AI agent.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Data loss prevention** \> **Profiles**.
2. Ensure that the [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) you want to enforce are properly configured.
3. Add an HTTP policy to enforce the DLP profile for the hostname for your wrapper. For example:  
| Selector    | Operator | Value                  | Logic | Action |  
| ----------- | -------- | ---------------------- | ----- | ------ |  
| Host        | is       | ai-wrapper.example.com | And   | Block  |  
| DLP Profile | in       | _AI DLP profile_       |       |        |
4. Select **Create policy**.

For more information on creating DLP policies, refer to [Scan HTTP traffic](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/).

### Execute in a clientless isolated browser

Because you published your wrapper as a self-hosted Access application, you can execute it in an [isolated session](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) for your users by creating an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and configuring it for your application.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**.
2. Turn on **Allow users to open a remote browser without the device client**.
3. Go to **Access controls** \> **Policies**.
4. Select **Add a policy**.
5. Set the **Action** to _Allow_.
6. In **Add rules**, add identity rules to define who the application should be isolated for.
7. In **Additional settings (optional)**, turn on **Isolate application**.

Once the Access policy has been created, you can attach it to your wrapper.

1. Go to **Access controls** \> **Applications**.
2. Choose your wrapper application, then select **Configure**.
3. In **Policies**, select **Select existing policies**.
4. Choose the Access policy you previously created.
5. Select **Confirm**, then select **Save**.

Because Clientless Web Isolation traffic applies your Gateway HTTP policies, your configured DLP profiles will apply to isolated sessions.

For more information on isolating an Access application, refer to [Isolate self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/).

## Additional benefits

Organizations that adopt Cloudflare to secure access to AI agents will benefit from improved visibility and configurability.

### Visibility

Zero Trust will log all [Access events](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [DLP detections](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#http-logs). In addition, AI Gateway provides [visibility](https://developers.cloudflare.com/ai-gateway/observability/logging/) into user prompts, model response, token usage, and costs.

Logs can be exported to external providers with [Logpush](https://developers.cloudflare.com/logs/logpush/).

### Configurability

You can configure your wrapper to use a [different AI provider](https://developers.cloudflare.com/ai-gateway/usage/providers/) or give your users the option to choose between multiple AI providers, including AI models running directly on Cloudflare's global network with [Workers AI](https://developers.cloudflare.com/workers-ai/). With this, you can control costs related to AI usage or adopt newer models without impacting your users or the access controls already put in place.


---

---
title: Connect through Cloudflare Access using a CLI
description: Cloudflare's cloudflared command-line tool allows you to interact with endpoints protected by Cloudflare Access.
image: https://developers.cloudflare.com/zt-preview.png
---



# Connect through Cloudflare Access using a CLI

**Last reviewed:**  about 5 years ago 

Cloudflare's `cloudflared` command-line tool allows you to interact with endpoints protected by Cloudflare Access. You can use `cloudflared` to interact with a protected application's API.

These instructions are not meant for configuring a service to run against an API. The token in this example is tailored to user identity and intended only for an end user interacting with an API via a command-line tool.

**This walkthrough covers how to:**

* Connect to resources secured by Cloudflare Access from a CLI

**Time to complete:**

30 minutes

---

## Authenticate a session from the command line

Once you have [installed cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/), you can use it to retrieve a Cloudflare Access [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/). This walkthrough uses the domain `example.com` as a stand-in for a protected API.

1. To generate a token, run the following command:  
```sh  
cloudflared access login https://example.com  
```  
With this command, `cloudflared` launches a browser window containing the same Access login page found when attempting to access a web application.
2. Select your identity provider and log in.  
If the browser window does not launch, you can use the unique URL that is automatically printed to the command line.
3. Once you have successfully authenticated, the browser returns the token to `cloudflared`, which stores it on the local machine for reuse. Protect that local store as you would any other credential file: anyone who can read it can act as you against the application until the token expires.

The token is valid for the [session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) configured by the Access administrator.

## Access your API

Once you have retrieved a token, you can access the protected API. The `cloudflared` command-line tool includes a wrapper for transferring data via `curl`, which uses URL syntax (for more, see the [curl ↗](https://github.com/curl/curl) GitHub project). The wrapper adds the token to the `curl` request in the `cf-access-token` request header rather than as a query parameter, so the token does not end up in URLs or access logs. You can invoke the wrapper as follows:

```sh
cloudflared access curl https://example.com
```

Always use an `https://` URL so the token is not sent in cleartext. To include the token in a request made with any other Unix tool, retrieve it with the `token` command described below and pass it in the same header.

Read on for other available commands.

## Available commands

### login

The `login` command initiates the login flow for an application behind Access.

```sh
cloudflared access login https://example.com
```

### curl

The `curl` command invokes the client wrapper and includes the token in the request automatically.

```sh
cloudflared access curl https://example.com
```

### token

The `token` command retrieves the token scoped to that specific application for use in other command-line tools. Treat the output as a credential: it is a bearer token tied to your identity and remains valid until the Access session expires.

```sh
cloudflared access token -app=https://example.com
```

## Using the token as an environment variable

It is possible to save the token as an environment variable for convenience and concision in scripts that access a protected application.

Set up a token as an environment variable as follows:

1. Run the following command to export the token to the shell environment:  
```sh  
export TOKEN=$(cloudflared access token -app=https://example.com)  
```
2. Confirm the token was saved. Note that this prints the token itself, so only do it on a terminal you trust:  
```sh  
echo $TOKEN  
```

Once you have exported the token to your environment, use the variable with the Cloudflare Access request header in the script to access a protected endpoint, as in the following example:

```sh
curl -H "cf-access-token: $TOKEN" https://example.com/rest/api/2/item/foo-123
```
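The following script is an added example for this tutorial, not code from the tutorial or from `cloudflared` itself. It wraps the `token` and `login` commands above so a script can reuse a cached token while it is still fresh and only re-run the browser login flow once it has expired. It assumes `cloudflared` is installed and on `PATH`, that the protected application URL is supplied in `APP_URL` (a name chosen for this example), and it checks only the `exp` claim of the token locally, with no signature verification: Cloudflare validates the token server-side, this check merely avoids sending a stale one. The two sample tokens at the bottom are constructed, unsigned, and used only to exercise the parsing offline.

```shell
#!/bin/sh
# Added example (not from the Cloudflare docs): reuse a cached Access application token
# while it is fresh, re-run `cloudflared access login` when it is not, and always send
# the token in the cf-access-token header over HTTPS.
# Assumptions: cloudflared is on PATH; APP_URL (hypothetical name) is the protected app.
set -eu

APP_URL="${APP_URL:-https://example.com}"

# Decode the base64url-encoded payload (second dot-separated segment) of a JWT.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
  # Restore the '=' padding that base64url strips.
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the numeric "exp" claim (Unix seconds), or nothing if it is absent.
jwt_exp() {
  jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed when the token expires more than SKEW seconds (default 60) from now.
token_is_fresh() {
  exp=$(jwt_exp "$1")
  [ -n "$exp" ] || return 1
  now=$(date +%s)
  [ "$exp" -gt $(( now + ${2:-60} )) ]
}

# Return a usable token: the cached one if fresh, otherwise log in again first.
get_access_token() {
  tok=$(cloudflared access token -app="$APP_URL" 2>/dev/null || true)
  if ! token_is_fresh "$tok"; then
    cloudflared access login "$APP_URL" >/dev/null
    tok=$(cloudflared access token -app="$APP_URL")
  fi
  printf '%s' "$tok"
}

# Call a path on the protected API. The token travels in a header, never in the URL.
access_get() {
  curl -sS -H "cf-access-token: $(get_access_token)" "$APP_URL$1"
}

# Constructed sample tokens (unsigned) for testing the parsing without cloudflared.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_FRESH="$(printf '%s' '{"alg":"RS256"}' | b64url).$(printf '%s' '{"aud":"demo","exp":4102444800}' | b64url).sig"
SAMPLE_STALE="$(printf '%s' '{"alg":"RS256"}' | b64url).$(printf '%s' '{"aud":"demo","exp":1000000000}' | b64url).sig"
```

Usage: source the file and call `access_get /rest/api/2/item/foo-123`. Because `get_access_token` is evaluated inside the `curl` command line rather than exported, the token is not inherited by every child process of the shell.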


---

---
title: Access a web application via its private hostname without the Cloudflare One Client
description: With Cloudflare Browser Isolation and resolver policies, users can connect to private web-based applications via their private hostnames.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ DNS ](https://developers.cloudflare.com/search/?tags=DNS)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) 

# Access a web application via its private hostname without the Cloudflare One Client

**Last reviewed:**  about 2 years ago 

With Cloudflare Browser Isolation and resolver policies, users can connect to private web-based applications via their private hostnames without needing to install the Cloudflare One Client. By the end of this tutorial, users who pass your Gateway DNS and network policies will be able to access your private application at `https://<your-team-name>.cloudflareaccess.com/browser/https://internalrecord.com`.

## Before you begin

Make sure you have:

* [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) enabled on your account
* [Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) enabled on your account
* An HTTP or HTTPS application that users access through a browser

## Create a Cloudflare Tunnel

First, install `cloudflared` on a server in your private network:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **Create a tunnel**.
3. Choose **Cloudflared** for the connector type and select **Next**.
4. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`).
5. Select **Save tunnel**.
6. Next, you will need to install `cloudflared` and run it. To do so, check that the environment under **Choose an environment** reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.
7. Once the command has finished running, your connector will appear in Cloudflare One.  
8. Select **Next**.

## Add private network routes

1. In the **CIDR** tab, add the following IP addresses:  
   * Private IP/CIDR of your application server (for example, `10.128.0.175/32`)  
   * Private IP/CIDR of your DNS server
2. Select **Save tunnel**.

The application and DNS server are now connected to Cloudflare.

## Enable Clientless Web Isolation

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Browser isolation** \> **Browser isolation settings**.
2. Turn on **Allow users to open a remote browser without the device client**.
3. For **Permissions**, select **Manage**.
4. Select **Add a rule**.
5. Create an expression that defines who can open the Clientless Web Isolation browser. For example,  
| Rule action | Rule type | Selector         | Value        |  
| ----------- | --------- | ---------------- | ------------ |  
| Allow       | Include   | Emails ending in | @example.com |
6. Select **Save**.

To test, open a browser and go to `https://<team-name>.cloudflareaccess.com/browser/https://<private-IP-of-application>`.

## Create a Gateway resolver policy

1. Go to **Traffic policies** \> **Resolver policies**.
2. Select **Add a policy**.
3. Create an expression to match against the private [domain](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#domain) or [hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#host) of the application:  
| Selector | Operator | Value              |  
| -------- | -------- | ------------------ |  
| Domain   | in       | internalrecord.com |
4. In **Select DNS resolver**, select _Configure custom DNS resolvers_.
5. Enter the private IP address of your DNS server.
6. In the dropdown menu, select _`<IP-address> - Private`_.
7. (Optional) Enter a custom port.
8. Select **Create policy**.

To test, open a browser and go to `https://<team-name>.cloudflareaccess.com/browser/https://internalrecord.com`.

## Create a Gateway network policy (recommended)

1. Go to **Traffic policies** \> **Firewall policies** \> **Network**.
2. Add a [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address of your application. Restrict it to the port the application listens on (443 for HTTPS, 80 for plain HTTP) and to the users who should reach it. Combine all three conditions with **And**: an **Or** between the destination conditions and the identity condition would make this Allow policy match all traffic from the listed users, not just traffic to the application. For example,  
| Selector         | Operator      | Value             | Logic | Action |  
| ---------------- | ------------- | ----------------- | ----- | ------ |  
| Destination IP   | in            | 10.128.0.175      | And   | Allow  |  
| Destination Port | in            | 443               | And   |        |  
| User Email       | matches regex | `@example\.com$`  |       |        |

Note

Device posture checks are not supported because they require the Cloudflare One Client.

For best practices on securing private applications, refer to [Build secure access policies](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/).

## Connect as a user

Users can now access the application at the following URL:

`https://<team-name>.cloudflareaccess.com/browser/https://internalrecord.com`

The application will load in an isolated browser. You can optionally [configure remote browser controls](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input.


---

---
title: Deploy the Cloudflare One Client on headless Linux machines
description: This tutorial explains how to deploy the Cloudflare One Client on headless Linux devices using a service token and an installation script.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Linux ](https://developers.cloudflare.com/search/?tags=Linux) 

# Deploy the Cloudflare One Client on headless Linux machines

**Last reviewed:**  7 months ago 

This tutorial explains how to deploy the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on Linux devices using a service token and an installation script. This deployment workflow is designed for headless servers - that is, servers which do not have access to a browser for identity provider logins - and for situations where you want to fully automate the onboarding process. Because devices will not register through an identity provider, [identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) and logging will be unavailable.

Note

This tutorial focuses on deploying the Cloudflare One Client as an endpoint device agent. If you are looking to deploy the Cloudflare One Client as a gateway to a private network, refer to the [Cloudflare Mesh documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/).

## Prerequisites

* [Cloudflare Zero Trust account](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization)

## 1\. Create a service token

Fully automated deployments rely on a service token to enroll the Cloudflare One Client in your Zero Trust organization. You can use the same token to enroll multiple devices, or generate a unique token per device if they require different [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/).

To create a service token:

You can create the token in the dashboard, with the API, or with Terraform (v5). The three procedures follow, in that order.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Service credentials** \> **Service Tokens**.
2. Select **Create Service Token**.
3. Name the service token. The name allows you to easily identify events related to the token in the logs and to revoke the token individually.
4. Choose a **Service Token Duration**. This sets the expiration date for the token.
5. Select **Generate token**. You will see the generated Client ID and Client Secret for the service token, as well as their respective request headers.
6. Copy the Client Secret.  
Warning  
This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.

1. Make a `POST` request to the [Access Service Tokens](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/service%5Ftokens/methods/create/) endpoint:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Service Tokens Write`  
Create a service token  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "CI/CD token",  
    "duration": "8760h"  
  }'  
```
2. Copy the `client_id` and `client_secret` values returned in the response.  
Response  
```  
"result": {  
  "client_id": "88bf3b6d86161464f6509f7219099e57.access",  
  "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",  
  "created_at": "2025-09-25T22:26:26Z",  
  "expires_at": "2026-09-25T22:26:26Z",  
  "id": "3537a672-e4d8-4d89-aab9-26cb622918a1",  
  "name": "CI/CD token",  
  "updated_at": "2025-09-25T22:26:26Z",  
  "duration": "8760h",  
  "client_secret_version": 1  
}  
```  
Warning  
This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Access: Service Tokens Write`
2. Configure the [cloudflare\_zero\_trust\_access\_service\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fservice%5Ftoken) resource:  
```  
resource "cloudflare_zero_trust_access_service_token" "example_service_token" {  
  account_id = var.cloudflare_account_id  
  name       = "Example service token"  
  duration  = "8760h"  
  lifecycle {  
    create_before_destroy = true  
  }  
}  
```
3. Get the Client ID and Client Secret of the service token:  
Example: Output to CLI  
   1. Output the Client ID and Client Secret to the Terraform state file:  
   ```  
   output "example_service_token_client_id" {  
     value     = cloudflare_zero_trust_access_service_token.example_service_token.client_id  
   }  
   output "example_service_token_client_secret" {  
     value     = cloudflare_zero_trust_access_service_token.example_service_token.client_secret  
     sensitive = true  
   }  
   ```  
   2. Apply the configuration:  
   Terminal window  
   ```  
   terraform apply  
   ```  
   3. Read the Client ID and Client Secret:  
   Terminal window  
   ```  
   terraform output -raw example_service_token_client_id  
   ```  
   Terminal window  
   ```  
   terraform output -raw example_service_token_client_secret  
   ```  
Example: Store in HashiCorp Vault  
```  
resource "vault_generic_secret" "example_service_token" {  
  path      = "kv/cloudflare/example_service_token"  
  data_json = jsonencode({  
    "CLIENT_ID"     = cloudflare_zero_trust_access_service_token.example_service_token.client_id  
    "CLIENT_SECRET" = cloudflare_zero_trust_access_service_token.example_service_token.client_secret  
  })  
}  
```

## 2\. Configure device enrollment permissions

Device enrollment permissions determine the users and devices that can register WARP with your Zero Trust organization.

To allow devices to enroll using a service token:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Devices**. Select the **Management** tab.
2. In **Device enrollment permissions**, select **Manage**.
3. In the **Policies** tab, select **Create new policy**. A new tab will open with the policy creation page.
4. For **Action**, select _Service Auth_.
5. For the **Selector** field, you have two options: you can either allow all service tokens (`Any Access Service Token`) or specific service tokens (`Service Token`). For example:  
| Rule Action  | Rule type | Selector      | Value        |  
| ------------ | --------- | ------------- | ------------ |  
| Service Auth | Include   | Service Token | <TOKEN-NAME> |
6. Save the policy.
7. Go back to **Device enrollment permissions** and add the newly created policy to your permissions.
8. Select **Save**.

## 3\. Create an installation script

You can use a shell script to automate WARP installation and registration. The following example shows how to deploy the Cloudflare One Client on Ubuntu 24.04.

1. In a terminal, create a new `.sh` file using a text editor. For example:  
Terminal window  
```  
vim install_warp.sh  
```
2. Press `i` to enter insert mode and add the following lines:  
```sh  
#!/bin/bash  
set -e  
# Download and install the Cloudflare One Client from Cloudflare's signed apt repository  
function warp() {  
    curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg  
    echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list  
    sudo apt-get update --assume-yes  
    sudo apt-get install --assume-yes cloudflare-warp  
}  
# Create an MDM file with your Cloudflare One Client deployment parameters.  
# The file holds the service token secret, so create it root-only (mode 600) before writing to it.  
function mdm() {  
  sudo install -m 600 -o root -g root /dev/null /var/lib/cloudflare-warp/mdm.xml  
  sudo tee /var/lib/cloudflare-warp/mdm.xml > /dev/null << "EOF"  
<dict>  
    <key>auth_client_id</key>  
    <string>88bf3b6d86161464f6509f7219099e57.access</string>  
    <key>auth_client_secret</key>  
    <string>bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5</string>  
    <key>auto_connect</key>  
    <integer>1</integer>  
    <key>onboarding</key>  
    <false/>  
    <key>organization</key>  
    <string>your-team-name</string>  
    <key>service_mode</key>  
    <string>warp</string>  
</dict>  
EOF  
}  
# main program  
warp  
mdm  
```
3. If you are using Debian or RHEL / CentOS, modify the `warp()` function so that it installs the correct [WARP package ↗](https://pkg.cloudflareclient.com/) for your OS.
4. Modify the values in the `mdm()` function:  
   1. For `auth_client_id` and `auth_client_secret`, replace the string values with the Client ID and Client Secret of your [service token](https://developers.cloudflare.com/cloudflare-one/tutorials/deploy-client-headless-linux/#1-create-a-service-token).  
   2. For `organization`, replace `your-team-name` with your Zero Trust team name.  
   3. (Optional) Add or modify other [Cloudflare One Client deployment parameters](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/) according to your preferences.
5. Press `esc`, then type `:x` and press `Enter` to save and exit.
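The script above embeds the Client Secret in the script file itself, which means the secret lands anywhere that script is copied, committed, or logged. The following is an added example, not part of this tutorial or of the WARP client, that writes the same `mdm.xml` from values the caller supplies in the environment and creates the file root-readable only. The variable names `WARP_ORG`, `WARP_CLIENT_ID`, `WARP_CLIENT_SECRET` and `MDM_PATH` are chosen for this example; the file layout is the one the tutorial creates.

```shell
#!/bin/sh
# Added example (not from the Cloudflare tutorial): render the WARP mdm.xml from
# environment variables instead of hardcoding the service token, escape the values
# for XML, and create the file with mode 0600 so the secret is never world-readable.
# WARP_ORG, WARP_CLIENT_ID, WARP_CLIENT_SECRET and MDM_PATH are names chosen here.
set -eu

# Minimal escaping for text placed inside <string> elements.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print the mdm.xml body (same keys the tutorial uses) to stdout.
render_mdm_xml() {
  org=$(xml_escape "$1"); cid=$(xml_escape "$2"); secret=$(xml_escape "$3")
  cat <<EOF
<dict>
    <key>auth_client_id</key>
    <string>${cid}</string>
    <key>auth_client_secret</key>
    <string>${secret}</string>
    <key>auto_connect</key>
    <integer>1</integer>
    <key>onboarding</key>
    <false/>
    <key>organization</key>
    <string>${org}</string>
    <key>service_mode</key>
    <string>warp</string>
</dict>
EOF
}

# Write DEST atomically with respect to permissions: the umask in the subshell makes
# the file 0600 from the moment it is created, so there is no world-readable window.
write_mdm_xml() {
  dest=$1; org=$2; cid=$3; secret=$4
  [ -n "$org" ] && [ -n "$cid" ] && [ -n "$secret" ] || {
    echo "WARP_ORG, WARP_CLIENT_ID and WARP_CLIENT_SECRET must all be set" >&2
    return 1
  }
  (umask 077 && render_mdm_xml "$org" "$cid" "$secret" > "$dest")
  chmod 600 "$dest"
}

# Succeed only if the file's mode is exactly 0600 (GNU stat, with a BSD fallback).
mdm_perms_ok() {
  perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$perm" = "600" ]
}

# When run with the variables set (as root, after the cloudflare-warp package is
# installed), write the real file; otherwise the script only defines the functions.
if [ -n "${WARP_ORG:-}" ] && [ -n "${WARP_CLIENT_ID:-}" ] && [ -n "${WARP_CLIENT_SECRET:-}" ]; then
  write_mdm_xml "${MDM_PATH:-/var/lib/cloudflare-warp/mdm.xml}" \
    "$WARP_ORG" "$WARP_CLIENT_ID" "$WARP_CLIENT_SECRET"
fi
```

Call `write_mdm_xml` from the `mdm()` step of your install script, with the three values injected by your provisioning system at run time rather than stored in the script. Rotate the service token if a copy of `mdm.xml` ever leaves the device.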

## 4\. Install WARP

To install the Cloudflare One Client using the example script:

1. Make the script executable:  
Terminal window  
```  
chmod +x install_warp.sh  
```
2. Run the script:  
Terminal window  
```  
sudo ./install_warp.sh  
```

The Cloudflare One Client is now deployed with the configuration parameters stored in `/var/lib/cloudflare-warp/mdm.xml`. Assuming [auto\_connect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#auto%5Fconnect) is configured, the Cloudflare One Client will automatically connect to your Zero Trust organization. Once connected, the device will appear in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** \> **Team & Resources** \> **Devices** with the email `non_identity@<team-name>.cloudflareaccess.com`.


---

---
title: Detect MCP traffic in Gateway logs
description: Scan Gateway logs for unauthorized MCP traffic.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ MCP ](https://developers.cloudflare.com/search/?tags=MCP)[ Logging ](https://developers.cloudflare.com/search/?tags=Logging)[ TypeScript ](https://developers.cloudflare.com/search/?tags=TypeScript)[ GraphQL ](https://developers.cloudflare.com/search/?tags=GraphQL) 

# Detect MCP traffic in Gateway logs

**Last reviewed:**  29 days ago 

Organizations may lack visibility into Model Context Protocol (MCP) traffic, which can allow employees to connect to remote MCP servers outside of IT oversight. These connections risk the exfiltration of sensitive internal data and credentials, tool injection attacks or software supply chain risks.

As an IT administrator, you want to identify shadow MCP traffic to prevent unauthorized data exfiltration while still supporting governed use cases. In this tutorial, you will use the Cloudflare GraphQL Analytics API to scan Gateway HTTP logs for MCP traffic patterns, create DLP profiles that detect MCP JSON-RPC methods, and classify traffic to differentiate between authorized traffic sent to MCP server portals and traffic sent to "shadow" remote MCP servers.

## Prerequisites

* A Cloudflare account with a [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/)
* [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) with HTTP filtering enabled and actively proxying user traffic
* An [API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions:  
   * Account-level `Zero Trust: Read`  
   * Account-level `DLP: Write`  
   * Account-level `Gateway: Write`
* Your Cloudflare account ID (available in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login) under **Account Home**)
* Familiarity with [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/) queries
* A working knowledge of TypeScript and REST APIs

## 1\. Review the Gateway HTTP dataset

The `gatewayHttpRequestsAdaptiveGroups` dataset in the GraphQL Analytics API provides aggregated Gateway HTTP log data. Use this dataset to query for MCP-related traffic patterns:

* **Dimensions**: `httpHost`, `httpRequestURI`, `action`, `users`, `dlpProfiles`
* **Time range**: Up to 30 days of historical data
* **Grouping**: Aggregates results by dimension values
* **Filtering**: Supports `OR`, `AND`, and `like` operators

## 2\. Build the MCP detection query

MCP traffic can be identified by three signals:

1. **Domain patterns**: Hostnames containing `mcp` (for example, `mcp.datadog.com`)
2. **URL paths**: Standard MCP endpoints such as `/mcp`, `/mcp/sse`, and `/sse`
3. **DLP matches**: JSON-RPC methods in request bodies (covered in a later step)

The following GraphQL query scans Gateway logs for the first two signals:

```ts
// API token with the Zero Trust: Read permission. Read it from the environment
// rather than hardcoding it in the script.
const apiToken = process.env.CLOUDFLARE_API_TOKEN;

const query = `
  query MCPTrafficScan($accountTag: string, $since: string, $until: string) {
    viewer {
      accounts(filter: { accountTag: $accountTag }) {
        gatewayHttpRequestsAdaptiveGroups(
          filter: {
            datetime_geq: $since
            datetime_leq: $until
            OR: [
              { httpHost_like: "%mcp%" }
              { httpRequestURI_like: "%/mcp%" }
              { httpRequestURI_like: "%/sse%" }
            ]
          }
          limit: 10000
        ) {
          dimensions {
            httpHost
            action
            users
          }
          count
        }
      }
    }
  }
`;

const variables = {
  accountTag: "<YOUR_ACCOUNT_ID>",
  since: "<START_DATE>", // ISO-8601 format, for example 2025-03-08T00:00:00Z
  until: "<END_DATE>", // Up to 30 days after start date
};

const response = await fetch("https://api.cloudflare.com/client/v4/graphql", {
  method: "POST",
  headers: {
    Authorization: `Bearer ${apiToken}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ query, variables }),
});

if (!response.ok) {
  throw new Error(`GraphQL request failed with HTTP ${response.status}`);
}

const data = await response.json();
// The API returns HTTP 200 with an `errors` array for query-level failures,
// so check it before treating an empty result as "no MCP traffic".
if (data.errors?.length) {
  throw new Error(`GraphQL errors: ${JSON.stringify(data.errors)}`);
}

const groups =
  data.data?.viewer?.accounts?.[0]?.gatewayHttpRequestsAdaptiveGroups || [];
```

Replace `<YOUR_ACCOUNT_ID>` with your Cloudflare account ID. Replace `<START_DATE>` and `<END_DATE>` with ISO-8601 timestamps covering your desired time range (up to 30 days).

## 3\. Process the query results

Each group in the response represents aggregated traffic for a specific `httpHost` and `action` combination. Parse the results to identify unblocked MCP connections:

```ts
interface MCPTrafficHit {
  domain: string;
  requestCount: number;
  users: string[];
  actions: {
    allowed: number;
    blocked: number;
  };
}

// One hit per (host, action) group: a host with both allowed and blocked
// traffic appears twice in this list.
const hits: MCPTrafficHit[] = groups.map((group: any) => ({
  domain: group.dimensions.httpHost,
  requestCount: group.count,
  users: group.dimensions.users || [],
  actions: {
    allowed: group.dimensions.action === "allow" ? group.count : 0,
    blocked: group.dimensions.action === "block" ? group.count : 0,
  },
}));

const totalMCPRequests = hits.reduce((sum, h) => sum + h.requestCount, 0);
const unblockedHits = hits.filter((h) => h.actions.allowed > 0);

console.log(`Found ${totalMCPRequests} MCP requests`);
console.log(`${unblockedHits.length} destinations are unblocked`);
```

Key insights from the data:

* **Unblocked traffic** (`action` = `allow`) - Active MCP connections that need investigation or blocking
* **Blocked traffic** (`action` = `block`) - Your existing policies are working
* **User attribution** - This indicates which employees are connecting to MCP servers
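Because the dataset returns one group per host, action and user combination, the snippet above counts groups rather than destinations and can report the same host twice. The following added example, not part of the Cloudflare tutorial, folds the groups into one summary per host, merges allowed and blocked counts and the users seen, and then separates hosts on an approved list of MCP server portals from shadow servers. It assumes the `users` dimension arrives either as a single email string or as an array of emails; the sample groups it runs over are constructed, not real log data.

```typescript
// Added example (not from the Cloudflare tutorial): summarize
// gatewayHttpRequestsAdaptiveGroups results per destination host and split
// approved MCP portals from shadow MCP servers. Sample data below is constructed.

interface GatewayGroup {
  dimensions: { httpHost: string; action: string; users?: string | string[] };
  count: number;
}

interface HostSummary {
  host: string;
  allowed: number; // requests Gateway let through
  blocked: number; // requests an existing policy stopped
  other: number; // any other action, for example isolate
  users: string[]; // distinct users seen on this host, any action
}

// The `users` dimension is assumed to be a string or an array of strings.
function asUserList(users?: string | string[]): string[] {
  if (!users) return [];
  return Array.isArray(users) ? users : [users];
}

// Merge groups by host so a host with allow and block groups appears once,
// sorted by allowed request count (the most active shadow hosts first).
function summarizeByHost(groups: GatewayGroup[]): HostSummary[] {
  const byHost = new Map<string, { s: HostSummary; userSet: Set<string> }>();
  for (const g of groups) {
    const host = g.dimensions.httpHost.toLowerCase();
    let entry = byHost.get(host);
    if (!entry) {
      entry = { s: { host, allowed: 0, blocked: 0, other: 0, users: [] }, userSet: new Set<string>() };
      byHost.set(host, entry);
    }
    if (g.dimensions.action === "allow") entry.s.allowed += g.count;
    else if (g.dimensions.action === "block") entry.s.blocked += g.count;
    else entry.s.other += g.count;
    for (const u of asUserList(g.dimensions.users)) entry.userSet.add(u);
  }
  return Array.from(byHost.values())
    .map((e) => ({ ...e.s, users: Array.from(e.userSet).sort() }))
    .sort((a, b) => b.allowed - a.allowed);
}

// An approved entry matches the host exactly or as a parent domain
// (portal.example.com covers mcp.portal.example.com).
function isApproved(host: string, approved: string[]): boolean {
  return approved.some((a) => host === a || host.endsWith("." + a));
}

// Shadow MCP: hosts with allowed traffic that are not on the approved list.
function shadowHosts(summaries: HostSummary[], approved: string[]): HostSummary[] {
  return summaries.filter((s) => s.allowed > 0 && !isApproved(s.host, approved));
}

// Constructed sample of the groups the GraphQL response contains.
const SAMPLE_GROUPS: GatewayGroup[] = [
  { dimensions: { httpHost: "mcp.datadog.com", action: "allow", users: ["alice@example.com"] }, count: 120 },
  { dimensions: { httpHost: "mcp.datadog.com", action: "block", users: ["bob@example.com"] }, count: 5 },
  { dimensions: { httpHost: "mcp.vendor-b.com", action: "allow", users: "carol@example.com" }, count: 40 },
  { dimensions: { httpHost: "mcp.portal.example.com", action: "allow", users: ["alice@example.com"] }, count: 300 },
];
// Hypothetical list of governed MCP server portals.
const APPROVED_MCP_HOSTS = ["portal.example.com"];

const summaries = summarizeByHost(SAMPLE_GROUPS);
const shadow = shadowHosts(summaries, APPROVED_MCP_HOSTS);
console.log(`${summaries.length} MCP hosts, ${shadow.length} unapproved with allowed traffic`);
for (const s of shadow) {
  console.log(`${s.host}: ${s.allowed} allowed, ${s.blocked} blocked, users=${s.users.join(",")}`);
}
```

Feed `groups` from the query step into `summarizeByHost` in place of `SAMPLE_GROUPS`; the `users` list per shadow host is the starting point for the follow-up with the employees involved.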

## 4\. Create DLP profiles for MCP JSON-RPC detection

Gateway HTTP policies can match domains and URL paths, but they cannot inspect request bodies. DLP profiles scan `POST` body content for patterns, which is useful for shadow MCP detection, since MCP uses JSON-RPC over HTTP and has several detectable hallmarks.

Every MCP request contains a `"method"` field:

```

{

  "jsonrpc": "2.0",

  "id": 1,

  "method": "tools/call",

  "params": { "name": "read_file", "arguments": { "path": "/etc/passwd" } }

}


```

An attacker could run an MCP server on a non-standard domain (for example, `internal-tools.company.com/api/assistant`) without triggering domain-based or path-based rules. You can use DLP scans of the `POST` body for `"method": "tools/call"` and other MCP-specific patterns to provide more robust protection of MCP traffic.

### Review DLP constraints

Before building detection patterns, note the following DLP limitations:

* **Regex syntax** — Rust regex (differs slightly from JavaScript and PCRE)
* **Scan depth** — First 1,024 bytes of the request body only
* **POST only** — DLP only scans `POST` requests
* **Performance** — Regex patterns must be efficient to avoid catastrophic backtracking

### Build MCP detection patterns

MCP indicators can be found in JSON-RPC method fields. The following regex patterns cover the core MCP protocol methods:

```js
const DLP_REGEX_PATTERNS = [
  {
    name: "MCP Initialize Method",
    regex: '"method"\\s{0,5}:\\s{0,5}"initialize"',
  },
  {
    name: "MCP Tools Call",
    regex: '"method"\\s{0,5}:\\s{0,5}"tools/call"',
  },
  {
    name: "MCP Tools List",
    regex: '"method"\\s{0,5}:\\s{0,5}"tools/list"',
  },
  {
    name: "MCP Resources Read",
    regex: '"method"\\s{0,5}:\\s{0,5}"resources/read"',
  },
  {
    name: "MCP Resources List",
    regex: '"method"\\s{0,5}:\\s{0,5}"resources/list"',
  },
  {
    name: "MCP Prompts List",
    regex: '"method"\\s{0,5}:\\s{0,5}"prompts/(list|get)"',
  },
  {
    name: "MCP Sampling Create Message",
    regex: '"method"\\s{0,5}:\\s{0,5}"sampling/createMessage"',
  },
  {
    name: "MCP Protocol Version",
    regex: '"protocolVersion"\\s{0,5}:\\s{0,5}"202[4-9]',
  },
  {
    name: "MCP Notifications Initialized",
    regex: '"method"\\s{0,5}:\\s{0,5}"notifications/initialized"',
  },
  {
    name: "MCP Roots List",
    regex: '"method"\\s{0,5}:\\s{0,5}"roots/list"',
  },
];
```


Pattern explanation:

* `\s{0,5}` (written `\\s{0,5}` inside the JavaScript string literal) — Allows zero to five whitespace characters to handle both minified and pretty-printed JSON
* `"method"` — Double quotes are literal because JSON requires them
* `"tools/call"` — Matches the exact MCP method name
* `202[4-9]` — Matches MCP protocol versions 2024 through 2029
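
To check the patterns against the constraints listed above before creating a profile, here is an added example (not code from the Cloudflare tutorial) that simulates how DLP would see a request: it inspects only `POST` requests, applies the regexes to the first 1,024 bytes of the body, and reports which entries matched. The `scannedPrefix` and `simulateDlpScan` helpers, the `DLP_SCAN_DEPTH_BYTES` constant and the three sample bodies are constructed for this example; the regexes are a subset of the ones defined above.

```javascript
// Added example, not part of the Cloudflare tutorial: offline simulation of a
// DLP scan using the MCP patterns defined above.

// Subset of the page's DLP_REGEX_PATTERNS, repeated here so the block runs alone.
const DLP_REGEX_PATTERNS = [
  { name: "MCP Initialize Method", regex: '"method"\\s{0,5}:\\s{0,5}"initialize"' },
  { name: "MCP Tools Call", regex: '"method"\\s{0,5}:\\s{0,5}"tools/call"' },
  { name: "MCP Tools List", regex: '"method"\\s{0,5}:\\s{0,5}"tools/list"' },
  { name: "MCP Protocol Version", regex: '"protocolVersion"\\s{0,5}:\\s{0,5}"202[4-9]' },
];

// Assumed scan depth, taken from the constraint list above (first 1,024 bytes).
const DLP_SCAN_DEPTH_BYTES = 1024;

// Compile once. The constructs used here (literals, \s, bounded repetition,
// alternation, character classes) behave the same in Rust regex and JavaScript.
const COMPILED = DLP_REGEX_PATTERNS.map((p) => ({
  name: p.name,
  re: new RegExp(p.regex),
}));

// Return the part of the body DLP would actually scan: the first maxBytes
// bytes of the UTF-8 encoding, decoded back to a string.
function scannedPrefix(body, maxBytes = DLP_SCAN_DEPTH_BYTES) {
  const bytes = new TextEncoder().encode(body).subarray(0, maxBytes);
  return new TextDecoder().decode(bytes);
}

// Simulate the profile: non-POST requests are never scanned, and only the
// scan-depth prefix of a POST body is inspected. Returns matching entry names.
function simulateDlpScan(method, body) {
  if (method !== "POST") return [];
  const prefix = scannedPrefix(body);
  return COMPILED.filter((p) => p.re.test(prefix)).map((p) => p.name);
}

// Constructed sample bodies, not captured traffic.
const minified =
  '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file"}}';
const pretty = `{
  "jsonrpc": "2.0",
  "id": 2,
  "method":   "initialize",
  "params": { "protocolVersion": "2025-03-26" }
}`;
// A large field placed before "method" pushes it past the scan depth, so a
// profile built from these patterns will not see it. This is the gap the
// constraint list warns about.
const padded = JSON.stringify({
  jsonrpc: "2.0",
  id: 3,
  meta: "x".repeat(1100),
  method: "tools/list",
});

for (const [label, body] of [["minified", minified], ["pretty", pretty], ["padded", padded]]) {
  console.log(label, "->", simulateDlpScan("POST", body));
}
```

Running it shows the minified and pretty-printed bodies matching as expected, while the padded body matches nothing: a `"method"` field beyond the first 1,024 bytes is invisible to the profile, so DLP detection should be layered with the host and path policies from the earlier steps rather than replace them.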

### Create the DLP profile via API

Send a `POST` request to create a custom DLP profile containing all detection patterns:

```js
const dlpProfile = {
  name: "MCP-Shield: MCP JSON-RPC Detection",
  description: "Detects MCP protocol JSON-RPC methods in HTTP request bodies.",
  type: "custom",
  entries: DLP_REGEX_PATTERNS.map((p) => ({
    name: p.name,
    enabled: true,
    // No `validation` setting here: Luhn validation applies to card-number
    // digit strings and would discard every match of these text patterns.
    pattern: {
      regex: p.regex,
    },
  })),
};

// Custom DLP profiles are created on the account's DLP endpoint; Gateway
// rules have a separate endpoint, used in the next step.
const response = await fetch(
  `https://api.cloudflare.com/client/v4/accounts/${accountId}/dlp/profiles/custom`,
  {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(dlpProfile),
  },
);

const data = await response.json();
if (data.success) {
  console.log(`Created DLP profile: ${data.result.id}`);
} else {
  console.error("DLP profile creation failed:", data.errors);
}
```


Replace `${accountId}` with your Cloudflare account ID and `${apiToken}` with your API token.

### Reference the DLP profile in a Gateway rule

After the DLP profile exists, create a Gateway HTTP policy that blocks requests matching the profile:

```js
const dlpRule = {
  name: "MCP-Shield: Block MCP JSON-RPC via DLP",
  description: "Blocks requests with MCP JSON-RPC patterns detected by DLP",
  precedence: 85,
  enabled: true,
  action: "block",
  filters: ["http"],
  traffic:
    'any(http.request.body.scan.dlp.profiles[*] == "MCP-Shield: MCP JSON-RPC Detection")',
};

// Create the Gateway HTTP policy with the same account ID and API token.
const ruleResponse = await fetch(
  `https://api.cloudflare.com/client/v4/accounts/${accountId}/gateway/rules`,
  {
    method: "POST",
    headers: { Authorization: `Bearer ${apiToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(dlpRule),
  },
);
const ruleData = await ruleResponse.json();
if (ruleData.success) console.log(`Created Gateway rule: ${ruleData.result.id}`);
```


This rule triggers when the DLP profile matches any of the regex patterns in the request body.

## 5. Classify Portal traffic and shadow MCP traffic

Cloudflare [MCP Server Portals](https://developers.cloudflare.com/cloudflare-one/) provide governed infrastructure for approved MCP access within your organization, including:

* **Governed access** — Centralized MCP infrastructure managed by your IT team
* **Audit trails** — All MCP requests logged through Gateway with user attribution
* **Policy enforcement** — Zero Trust policies apply automatically, including authentication and DLP
* **Approved tools** — A curated set of MCP tools and resources vetted by security

When analyzing Gateway logs, it is helpful to differentiate between two types of MCP traffic:

| Traffic type       | Characteristics                                                                                | Risk level  | Action                    |
| ------------------ | ---------------------------------------------------------------------------------------------- | ----------- | ------------------------- |
| MCP Portal traffic | httpHost matches your portal domain (for example, mcp.yourcompany.com or mcp-portal.pages.dev) | Authorized  | Monitor                   |
| Shadow MCP traffic | httpHost does not match any portal domain (for example, mcp.datadog.com, api.stripe.com/mcp)   | Investigate | Block, redirect or review |

Extend the query processing from [Process the query results](#3-process-the-query-results) to classify traffic by comparing hostnames against your list of approved portal domains:

```js
// `groups` is the array of GraphQL result groups built in
// "Process the query results" above.
const portalDomains = [
  "mcp.yourcompany.com",
  "mcp-portal.pages.dev",
  "approved-mcp.workers.dev",
];

// Treat a host as portal traffic only if it is exactly an approved domain or a
// subdomain of one. A plain substring check would also classify any host that
// merely contains an approved name somewhere in it as authorized.
const isPortalHost = (host) => {
  const hostname = (host || "").toLowerCase().split(":")[0]; // drop any port
  return portalDomains.some(
    (domain) => hostname === domain || hostname.endsWith(`.${domain}`),
  );
};

const results = groups.map((group) => {
  const isPortalTraffic = isPortalHost(group.dimensions.httpHost);

  return {
    domain: group.dimensions.httpHost,
    requestCount: group.count,
    users: group.dimensions.users || [],
    trafficType: isPortalTraffic ? "portal" : "shadow",
    riskLevel: isPortalTraffic ? "low" : "high",
  };
});

const portalTraffic = results.filter((r) => r.trafficType === "portal");
const shadowTraffic = results.filter((r) => r.trafficType === "shadow");

console.log("Portal traffic:", portalTraffic);
console.log("Shadow MCP traffic:", shadowTraffic);
```


Replace the `portalDomains` array with the actual domains of your approved MCP Server Portals.

## Related resources

* [Zero Trust documentation](https://developers.cloudflare.com/cloudflare-one/)
* [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)
* [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)
* [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/)
* [Rules language and wirefilter expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/)
* [Pages Functions](https://developers.cloudflare.com/pages/functions/)
* [Logpush](https://developers.cloudflare.com/logs/logpush/)


---

---
title: Use Microsoft Entra ID Conditional Access policies in Cloudflare Access
description: With Conditional Access in Microsoft Entra ID, administrators can enforce policies on applications and users directly in EntraID.
image: https://developers.cloudflare.com/zt-preview.png
---


# Use Microsoft Entra ID Conditional Access policies in Cloudflare Access

**Last reviewed:** over 2 years ago

With [Conditional Access ↗](https://learn.microsoft.com/entra/identity/conditional-access/overview) in Microsoft Entra ID (formerly Azure Active Directory), administrators can enforce policies on applications and users directly in Entra ID. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users.

## Before you begin

Make sure you have:

* Global admin rights to your Microsoft Entra ID account
* Configured users in the Microsoft Entra ID account

## Set up an identity provider for your application

Refer to [our IdP setup instructions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#set-up-entra-id-as-an-identity-provider) for Entra ID.

## Add API permission in Entra ID

Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Entra ID.

1. In Microsoft Entra ID, go to **App registrations**.
2. Select the application you created for the IdP integration.
3. Go to **API permissions** and select **Add a permission**.
4. Select **Microsoft Graph**.
5. Select **Application permissions** and add `Policy.Read.ConditionalAccess`.  
Note  
You must select **Application permissions**; delegated permissions will not work for this feature.
6. Select **Grant admin consent**.

## Configure Conditional Access in Entra ID

1. In Microsoft Entra ID, go to **Enterprise applications** > **Conditional Access**.
2. Go to **Authentication Contexts**.
3. [Create an authentication context ↗](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context) to reference in your Cloudflare Access policies. Give the authentication context a descriptive name (for example, `Require compliant devices`).
4. Next, go to **Policies**.
5. [Create a new Conditional Access policy ↗](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies) or select an existing policy.
6. Assign the conditional access policy to an authentication context:  
   1. In the policy builder, select **Target resources**.  
   2. In the **Select what this policy applies to** dropdown, select _Authentication context_.  
   3. Select the authentication context that will use this policy.  
   4. Save the policy.

## Sync Conditional Access with Zero Trust

To import your Conditional Access policies into Cloudflare Access:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**.
2. In **Manage your App Launcher**, select **Manage**.
3. Choose **Login methods**.
4. Find your Microsoft Entra ID integration and select **Edit**.
5. Enable **Azure AD Policy Sync**.
6. Select **Save**.

## Create an Access application

To enforce your Conditional Access policies on a Cloudflare Access application:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname** and enter the target URL of the protected application.
5. Select **Create new policy** and build an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) using the _Azure AD - Auth context_ selector. For example:  
| Action  | Rule type               | Selector                  | Value        |  
| ------- | ----------------------- | ------------------------- | ------------ |  
| Allow   | Include                 | Emails ending in          | @example.com |  
| Require | Azure AD - Auth context | Require compliant devices |              |
6. Add this policy to your application configuration.
7. For **Identity providers**, select your Microsoft Entra ID integration.
8. Follow the remaining [self-hosted application creation steps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application.

Users will only be allowed access if they pass the Microsoft Entra ID Conditional Access policies associated with this authentication context.


---

---
title: Isolate risky Entra ID users
description: Microsoft Entra ID (formerly Azure Active Directory) calculates a user's risk level based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Entra ID risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.
image: https://developers.cloudflare.com/zt-preview.png
---


# Isolate risky Entra ID users

**Last reviewed:** over 3 years ago

Microsoft Entra ID (formerly Azure Active Directory) calculates a user's [risk level ↗](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-investigate-risk) based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Entra ID risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.

This tutorial demonstrates how to automatically redirect users to a remote browser when they are deemed risky by Entra ID.

**Time to complete:** 1 hour

## Prerequisites

* Microsoft Entra ID Premium P2 license
* [Cloudflare Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) add-on
* [Gateway HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) enabled on your devices
* [npm ↗](https://docs.npmjs.com/getting-started) installation
* [Node.js ↗](https://nodejs.org/en/) installation

## 1. Set up Entra ID as an identity provider

Refer to [our IdP setup instructions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#set-up-entra-id-as-an-identity-provider) for Entra ID.

Note

* When you configure the IdP in Cloudflare One, be sure to select **Enable group membership change reauthentication**.
* Save the **Application (client) ID**, **Directory (tenant) ID**, and **Client secret** as you will need them again in a later step.

## 2. Add Entra ID API permissions

Once the base IdP integration is tested and working, enable additional permissions that will allow a script to create and update risky user groups in Entra ID:

1. In Microsoft Entra ID, go to **App registrations**.
2. Select the application you created for the IdP integration.
3. Go to **API permissions** and select **Add a permission**.
4. Select **Microsoft Graph**.
5. Select **Application permissions** and add the following [permissions ↗](https://learn.microsoft.com/en-us/graph/permissions-reference):  
   * `IdentityRiskyUser.ReadAll`  
   * `Directory.ReadWriteAll`  
   * `Group.Create`  
   * `Group.ReadAll`  
   * `GroupMember.ReadAll`  
   * `GroupMember.ReadWriteAll`
6. Select **Grant admin consent**.

You will see the list of enabled permissions.

![API permissions in Entra ID](https://developers.cloudflare.com/_astro/risky-users-permissions.BXnsnrQO_Zax1Jt.webp) 

## 3. Add risky users to Entra ID group

Next, configure an automated script that will populate an Entra ID security group with risky users.

To get started quickly, deploy our example Cloudflare Workers script by following the step-by-step instructions below. Alternatively, you can implement the script using [Azure Functions ↗](https://learn.microsoft.com/azure/azure-functions/functions-overview) or any other tool.

1. Open a terminal and clone our example project.  
   ```sh
   npm create cloudflare@latest risky-users -- --template https://github.com/cloudflare/msft-risky-user-ad-sync
   ```
2. Go to the project directory.  
   ```sh
   cd risky-users
   ```
3. Modify the [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/) to include the following values:  
   * `<ACCOUNT_ID>`: your Cloudflare [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/).  
   * `<TENANT_ID>`: your Entra ID **Directory (tenant) ID**, obtained when [setting up Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider).  
   * `<CLIENT_ID>`: your Entra ID **Application (client) ID**, obtained when [setting up Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider).

   wrangler.jsonc:
   ```jsonc
   {
     "$schema": "./node_modules/wrangler/config-schema.json",
     "name": "risky-users",
     // Set this to today's date
     "compatibility_date": "2026-05-08",
     "main": "src/index.js",
     "workers_dev": false,
     "account_id": "<ACCOUNT_ID>",
     "vars": {
       "AZURE_AD_TENANT_ID": "<TENANT_ID>",
       "AZURE_AD_CLIENT_ID": "<CLIENT_ID>",
     },
     "triggers": {
       "crons": ["* * * * *"],
     },
   }
   ```
   wrangler.toml:
   ```toml
   "$schema" = "./node_modules/wrangler/config-schema.json"
   name = "risky-users"
   # Set this to today's date
   compatibility_date = "2026-05-08"
   main = "src/index.js"
   workers_dev = false
   account_id = "<ACCOUNT_ID>"
   [vars]
   AZURE_AD_TENANT_ID = "<TENANT_ID>"
   AZURE_AD_CLIENT_ID = "<CLIENT_ID>"
   [triggers]
   crons = [ "* * * * *" ]
   ```

Note

The [Cron Trigger](https://developers.cloudflare.com/workers/configuration/cron-triggers/) in this example schedules the script to run every minute. Learn more about [supported cron expressions](https://developers.cloudflare.com/workers/configuration/cron-triggers/#supported-cron-expressions).

4. Deploy the Worker to Cloudflare's global network.  
   ```sh
   npx wrangler deploy
   ```
5. Create a secret variable named `AZURE_AD_CLIENT_SECRET`.  
   ```sh
   wrangler secret put AZURE_AD_CLIENT_SECRET
   ```
   You will be prompted to input the secret's value. Enter the **Client secret** obtained when [setting up Microsoft Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider).

The Worker script will begin executing once per minute. To view real-time logs, run the following command and wait for the script to execute:

```sh
wrangler tail --format pretty
```

After the initial run, the auto-generated groups will appear in the Entra ID dashboard.

![Risky user groups in the Entra ID dashboard](https://developers.cloudflare.com/_astro/risky-users-groups.DdF4Xs9Y_Z2mmVhk.webp) 

## 4. Synchronize risky user groups

Next, synchronize Entra ID risky user groups with Cloudflare Access:

1. [Enable SCIM synchronization](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#synchronize-users-and-groups).
2. In Entra ID, assign the following groups to your SCIM enterprise application:  
   * `IdentityProtection-RiskyUser-RiskLevel-high`  
   * `IdentityProtection-RiskyUser-RiskLevel-medium`  
   * `IdentityProtection-RiskyUser-RiskLevel-low`

Cloudflare Access will now synchronize changes in group membership with Entra ID. You can verify the synchronization status on the SCIM application's **Provisioning** page.

## 5. Create a browser isolation policy

Finally, create a [Gateway HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to isolate traffic for risky user groups.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies** > **HTTP**.
2. Select **Add a policy**.
3. Build an [Isolate policy](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/isolation-policies/) that contains a _User Group Names_ rule. For example, the following policy serves `app1.example.com` and `app2.example.com` in a remote browser for all members flagged as high risk:  
| Selector         | Operator | Value                                       | Logic | Action  |  
| ---------------- | -------- | ------------------------------------------- | ----- | ------- |  
| Domain           | in       | app1.example.com, app2.example.com          | And   | Isolate |  
| User Group Names | in       | IdentityProtection-RiskyUser-RiskLevel-high |       |         |

To test the policy, refer to the Microsoft documentation for [simulating risky detections ↗](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-simulate-risk).


---

---
title: Send SSO attributes to Access-protected origins with Workers
description: This tutorial will walk you through extending the single-sign-on (SSO) capabilities of Cloudflare Access with our serverless computing platform, Cloudflare Workers.
image: https://developers.cloudflare.com/zt-preview.png
---


# Send SSO attributes to Access-protected origins with Workers

**Last reviewed:** over 1 year ago

This tutorial will walk you through extending the single-sign-on (SSO) capabilities of [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) with our serverless computing platform, [Cloudflare Workers](https://developers.cloudflare.com/workers/). Specifically, this guide will demonstrate how to modify requests sent to your secured origin to include additional information from the Cloudflare Access authentication event.

**Time to complete:** 45 minutes

## Authentication flow

[Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is an authentication proxy in charge of validating a user's identity before they connect to your application. As shown in the diagram below, Access inserts a [JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) into the request, which can then be [verified](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#validate-jwts) by the origin server.

![Standard authentication flow for a request to an Access application](https://developers.cloudflare.com/_astro/access-standard-flow.CLZ6SIBs_EHYYX.webp) 

You can extend this functionality by using a Cloudflare Worker to insert additional HTTP headers into the request. In this example, we will add the [device posture attributes](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#enforce-device-posture) `firewall_activated` and `disk_encrypted`, but you can include any attributes that Cloudflare Access collects from the authentication event.

![Extended authentication flow uses a Worker to pass additional request headers to the origin](https://developers.cloudflare.com/_astro/access-extended-flow-serverless.DKpY2r43_1lrFbX.webp) 

## Benefits

This approach allows you to:

* **Enhance security:** By incorporating additional information from the authentication event, you can implement more robust security measures. For example, you can use device posture data to enforce access based on device compliance.
* **Improve user experience:** You can personalize the user experience by tailoring content or functionality based on user attributes. For example, you can display different content based on the user's role or location.
* **Simplify development:** By using Cloudflare Workers, you can easily extend your Cloudflare Access configuration without modifying your origin application code.

## Before you begin

* Add a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to Cloudflare Access.
* Enable the [Disk encryption](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/disk-encryption/) and [Firewall](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/firewall/) device posture checks.
* Install [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) on your local machine.

## 1. Create the Worker

1. Create a new Workers project:  
   npm:
   ```sh
   npm create cloudflare@latest -- device-posture-worker
   ```
   yarn:
   ```sh
   yarn create cloudflare device-posture-worker
   ```
   pnpm:
   ```sh
   pnpm create cloudflare@latest device-posture-worker
   ```
   For setup, select the following options:  
   * For _What would you like to start with?_, choose `Hello World example`.  
   * For _Which template would you like to use?_, choose `Worker only`.  
   * For _Which language do you want to use?_, choose `JavaScript`.  
   * For _Do you want to use git for version control?_, choose `Yes`.  
   * For _Do you want to deploy your application?_, choose `No` (we will be making some changes before deploying).
2. Change to the project directory:  
   ```sh
   cd device-posture-worker
   ```
3. Copy-paste the following code into `src/index.js`. Be sure to replace `<your-team-name>` with your Zero Trust team name.  
   ```js
   import { parse } from "cookie";

   export default {
     async fetch(request, env, ctx) {
       // The name of the Access authorization cookie
       const COOKIE_NAME = "CF_Authorization";
       const CF_GET_IDENTITY =
         "https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/get-identity";

       // Clone the request (the original is immutable) and drop any
       // client-supplied copies of the headers this Worker owns, so the
       // origin only ever sees values set here, on every code path.
       const newRequest = new Request(request);
       newRequest.headers.delete("Cf-Access-Firewall-Activated");
       newRequest.headers.delete("Cf-Access-Disk-Encrypted");

       const cookie = parse(request.headers.get("Cookie") || "");
       if (cookie[COOKIE_NAME] != null) {
         try {
           // Fetch the user's identity for this Access session
           const id = await (await fetch(CF_GET_IDENTITY, request)).json();
           let diskEncryptionStatus = false;
           let firewallStatus = false;
           // Walk every posture check; the order of checks is not guaranteed,
           // so do not stop at the first match.
           for (const checkId in id.devicePosture) {
             const check = id.devicePosture[checkId];
             if (check.type === "disk_encryption") {
               diskEncryptionStatus = check.success;
             }
             if (check.type === "firewall") {
               firewallStatus = check.success;
             }
           }
           // Header values must be strings; each header carries its own check
           newRequest.headers.set("Cf-Access-Firewall-Activated", String(firewallStatus));
           newRequest.headers.set("Cf-Access-Disk-Encrypted", String(diskEncryptionStatus));
         } catch (e) {
           console.log(e);
         }
       }
       // Send the request to the origin, with posture headers only when known
       return fetch(newRequest);
     },
   };
   ```

## 2. View the user's identity

The script in `index.js` uses the [get-identity](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/#user-identity) endpoint to fetch a user's complete identity from a Cloudflare Access authentication event. To view a list of available data fields, log in to your Access application and append `/cdn-cgi/access/get-identity` to the URL. For example, if `www.example.com` is behind Access, go to `https://www.example.com/cdn-cgi/access/get-identity`.

Below is an example of a user identity that includes the `disk_encryption` and `firewall` posture checks. The Worker inserts the posture check results into the request headers **Cf-Access-Firewall-Activated** and **Cf-Access-Disk-Encrypted**.

Example user identity:

```json
{
  "id": "P51Tuu01fWHMBjIBvrCK1lK-eUDWs2aQMv03WDqT5oY",
  "name": "John Doe",
  "email": "john.doe@cloudflare.com",
  "amr": [
    "pwd"
  ],
  "oidc_fields": {
    "principalName": "XXXXXX_cloudflare.com#EXT#@XXXXXXcloudflare.onmicrosoft.com"
  },
  "groups": [
    {
      "id": "fdaedb59-e9be-4ab7-8001-3e069da54185",
      "name": "XXXXX"
    }
  ],
  "idp": {
    "id": "b9f4d68e-dac1-48b0-b728-ae05a5f0d4b2",
    "type": "azureAD"
  },
  "geo": {
    "country": "FR"
  },
  "user_uuid": "ce40d564-c72f-475f-a9b8-f395f19ad986",
  "account_id": "121287a0c6e6260ec930655e6b39a3a8",
  "iat": 1724056537,
  "devicePosture": {
    "f6f9391e-6776-4878-9c60-0cc807dc7dc8": {
      "id": "f6f9391e-6776-4878-9c60-0cc807dc7dc8",
      "schedule": "5m",
      "timestamp": "2024-08-19T08:31:59.274Z",
      "description": "",
      "type": "disk_encryption",
      "check": {
        "drives": {
          "C": {
            "encrypted": true
          }
        }
      },
      "success": false,
      "rule_name": "Disk Encryption - Windows",
      "input": {
        "requireAll": true,
        "checkDisks": []
      }
    },
    "a0a8e83d-be75-4aa6-bfa0-5791da6e9186": {
      "id": "a0a8e83d-be75-4aa6-bfa0-5791da6e9186",
      "schedule": "5m",
      "timestamp": "2024-08-19T08:31:59.274Z",
      "description": "",
      "type": "firewall",
      "check": {
        "firewall": false
      },
      "success": false,
      "rule_name": "Local Firewall Check - Windows",
      "input": {
        "enabled": true
      }
    }
    ...
  }
}
```
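The mapping from posture results to header values is the part of the Worker that carries the security decision, so here it is spelled out on its own. This is an added example written for this page in Python, not the tutorial's Worker (which is JavaScript): it reads each rule's `success` field rather than the raw `check` payload, keeps the firewall and disk-encryption results separate, reports an unreported check as `"false"`, and removes any client-supplied copy of the two headers before adding its own. `SAMPLE_IDENTITY` is a constructed, trimmed copy of the identity shape shown above, and the rule that several rules of one type pass when any of them succeeds is this example's assumption.

```python
"""Posture results -> origin headers, as done by the tutorial's Worker.

Added example (not the page's Worker, which is JavaScript): the identity
document is the one Access returns from /cdn-cgi/access/get-identity, and
SAMPLE_IDENTITY below is a constructed, trimmed copy of that shape.
"""

# Header names from the tutorial, keyed by the posture check type they report.
POSTURE_HEADERS = {
    "firewall": "Cf-Access-Firewall-Activated",
    "disk_encryption": "Cf-Access-Disk-Encrypted",
}

# Constructed sample: one failing firewall rule, one passing disk-encryption rule.
SAMPLE_IDENTITY = {
    "email": "john.doe@example.com",
    "devicePosture": {
        "a0a8e83d-be75-4aa6-bfa0-5791da6e9186": {
            "type": "firewall",
            "rule_name": "Local Firewall Check - Windows",
            "check": {"firewall": False},
            "success": False,
        },
        "f6f9391e-6776-4878-9c60-0cc807dc7dc8": {
            "type": "disk_encryption",
            "rule_name": "Disk Encryption - Windows",
            "check": {"drives": {"C": {"encrypted": True}}},
            "success": True,
        },
    },
}


def posture_results(identity):
    """Return {check_type: passed} for every posture check in the identity.

    Only the rule's `success` field is used; the raw `check` payload is
    informational. Assumption (not stated on the page): if several rules of
    one type are reported, for example a Windows and a macOS rule, the type
    counts as passed when any of them succeeded.
    """
    results = {}
    for rule in identity.get("devicePosture", {}).values():
        check_type = rule.get("type")
        if check_type is None:
            continue
        results[check_type] = results.get(check_type, False) or bool(rule.get("success"))
    return results


def posture_headers(identity):
    """Header values to add. A check that was never reported becomes "false",
    so the origin never mistakes an absent header for a pass."""
    results = posture_results(identity)
    return {header: str(results.get(check_type, False)).lower()
            for check_type, header in POSTURE_HEADERS.items()}


def origin_headers(client_headers, identity):
    """Build the header set the origin should receive.

    The client's own copies of the two posture headers are dropped before the
    Worker's values are added, whatever their letter case. The page's Worker
    forwards the original request unchanged in its catch branch, so on that
    path a client-supplied posture header would otherwise reach the origin.
    """
    managed = {name.lower() for name in POSTURE_HEADERS.values()}
    forwarded = {name: value for name, value in client_headers.items()
                 if name.lower() not in managed}
    forwarded.update(posture_headers(identity))
    return forwarded


if __name__ == "__main__":
    print(origin_headers({"Accept": "text/html"}, SAMPLE_IDENTITY))
```

The same rule applies at the origin: these headers are only meaningful when the origin accepts traffic solely from Cloudflare (for example through Cloudflare Tunnel), because anything that can reach the origin directly can set them itself.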

## 3. Route the Worker to your application

In the [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/), [set up a route](https://developers.cloudflare.com/workers/configuration/routing/routes/) that maps the Worker to your Access application domain:

`wrangler.jsonc`:

```jsonc
{
  "route": {
    "pattern": "app.example.com/*",
    "zone_name": "example.com"
  }
}
```

`wrangler.toml`:

```toml
[route]
pattern = "app.example.com/*"
zone_name = "example.com"
```

## 4. Deploy the Worker

```sh
npx wrangler deploy
```

The Worker will now insert the **Cf-Access-Firewall-Activated** and **Cf-Access-Disk-Encrypted** headers into requests that pass your application's Access policies.

Example request headers:

```json
{
  "headers": {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Encoding": "gzip",
    "Accept-Language": "en-US,en;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-GB;q=0.6",
    "Cf-Access-Authenticated-User-Email": "John.Doe@cloudflare.com",
    "Cf-Access-Disk-Encrypted": "false",
    "Cf-Access-Firewall-Activated": "false",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
  }
}
```

You can verify that these headers are received by the origin server.


---

---
title: Validate the Access token with FastAPI
description: This tutorial covers how to validate that the Access JWT is on requests made to FastAPI apps. The code is written in Python.
image: https://developers.cloudflare.com/zt-preview.png
---


# Validate the Access token with FastAPI

**Last reviewed:**  almost 3 years ago 

This tutorial covers how to validate that the [Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) is on requests made to FastAPI apps.

**Time to complete:** 15 minutes

## Prerequisites

* A [self-hosted Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your FastAPI app
* The [AUD tag](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application

## 1. Create a validation function

1. In your FastAPI project, create a new file called `cloudflare.py` that contains the following code:

```python
import json

import jwt
import requests
from fastapi import Request, HTTPException

# The Application Audience (AUD) tag for your application
POLICY_AUD = "XXXXX"

# Your CF Access team domain
TEAM_DOMAIN = "https://<your-team-name>.cloudflareaccess.com"
CERTS_URL = "{}/cdn-cgi/access/certs".format(TEAM_DOMAIN)


async def validate_cloudflare(request: Request):
    """
    Validate that the request is authenticated by Cloudflare Access.
    """
    if not verify_token(request):
        raise HTTPException(status_code=400, detail="Not authenticated properly!")


def _get_public_keys():
    """
    Returns:
        List of RSA public keys usable by PyJWT.
    """
    r = requests.get(CERTS_URL)
    r.raise_for_status()
    public_keys = []
    jwk_set = r.json()
    for key_dict in jwk_set["keys"]:
        public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(key_dict))
        public_keys.append(public_key)
    return public_keys


def verify_token(request):
    """
    Verify the token in the request.
    """
    token = ""

    if "CF_Authorization" in request.cookies:
        token = request.cookies["CF_Authorization"]
    else:
        raise HTTPException(status_code=400, detail="missing required cf authorization token")

    keys = _get_public_keys()

    # Loop through the keys since we can't pass the key set to the decoder.
    # A failure against one key only means that key did not sign the token,
    # so move on to the next key instead of failing on the first mismatch.
    valid_token = False
    for key in keys:
        try:
            # decode returns the claims, which include the email when needed
            jwt.decode(token, key=key, audience=POLICY_AUD, algorithms=["RS256"])
            valid_token = True
            break
        except jwt.PyJWTError:
            continue

    if not valid_token:
        raise HTTPException(status_code=400, detail="Invalid token")

    return True
```
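The function above fetches the key set on every request and tries each key in turn. The following is an added example, not the tutorial's `cloudflare.py`, that shows the shape a production version usually takes: the token is taken from the `CF_Authorization` cookie or, for non-browser clients, the `Cf-Access-Jwt-Assertion` header; the certs endpoint is cached and refreshed when a token names an unknown `kid`; the key is chosen by `kid` instead of by trial; and the signature check pins the algorithm, audience and issuer. `TEAM_DOMAIN` and `POLICY_AUD` are the page's placeholders, the cache lifetime is an assumption, and the sample JWKS and token are constructed (the token is unsigned and the modulus is not a real key, so they exercise key selection only). PyJWT with its cryptography extra is assumed for `verify_access_jwt`; everything else is standard library.

```python
"""Access JWT handling for a FastAPI origin: token extraction, JWKS caching,
key selection by `kid`, and signature verification.

Added example, not the tutorial's cloudflare.py. The signature check assumes
PyJWT with its cryptography extra is installed; everything else uses only the
standard library. TEAM_DOMAIN and POLICY_AUD are the page's placeholders; the
cache lifetime and the sample JWKS/token below are constructed for this example.
"""
import base64
import json
import time
import urllib.request

TEAM_DOMAIN = "https://<your-team-name>.cloudflareaccess.com"
POLICY_AUD = "XXXXX"
CERTS_URL = "{}/cdn-cgi/access/certs".format(TEAM_DOMAIN)
JWKS_TTL_SECONDS = 600  # assumed; Access rotates keys, so never cache them forever


def extract_token(cookies, headers):
    """Access puts the JWT in the CF_Authorization cookie for browser sessions and
    in the Cf-Access-Jwt-Assertion header for non-browser clients. Header names
    are compared case-insensitively."""
    if "CF_Authorization" in cookies:
        return cookies["CF_Authorization"]
    for name, value in headers.items():
        if name.lower() == "cf-access-jwt-assertion":
            return value
    return None


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_header(token):
    """Parse the JOSE header without trusting it: it is used only to choose a
    candidate key, and the signature check still decides."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    return json.loads(_b64url_decode(parts[0]))


class JwksCache:
    """Caches the certs endpoint and refreshes it when an unknown kid shows up."""

    def __init__(self, url=CERTS_URL, ttl=JWKS_TTL_SECONDS, fetch=None):
        self.url, self.ttl = url, ttl
        self._fetch = fetch or self._http_fetch  # injectable for tests
        self._keys, self._loaded_at = {}, float("-inf")

    def _http_fetch(self):
        with urllib.request.urlopen(self.url, timeout=5) as resp:
            return json.load(resp)

    def keys(self, force=False):
        if force or time.monotonic() - self._loaded_at > self.ttl:
            jwks = self._fetch()
            self._keys = {k["kid"]: k for k in jwks["keys"] if k.get("kty") == "RSA"}
            self._loaded_at = time.monotonic()
        return self._keys

    def key_for(self, token):
        header = unverified_header(token)
        if header.get("alg") != "RS256":
            raise ValueError("unexpected alg %r" % header.get("alg"))
        kid = header.get("kid")
        keys = self.keys()
        if kid not in keys:
            keys = self.keys(force=True)  # the key may have rotated since the last fetch
        if kid not in keys:
            raise ValueError("no Access signing key matches the token's kid")
        return keys[kid]


def verify_access_jwt(token, cache, audience=POLICY_AUD, issuer=TEAM_DOMAIN):
    """Return the verified claims or raise. Pinning the algorithm, audience and
    issuer rejects alg confusion, tokens minted for another application, and
    tokens from another Access organization."""
    import jwt  # PyJWT; imported here so the key handling above stays dependency-free

    key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(cache.key_for(token)))
    return jwt.decode(token, key=key, algorithms=["RS256"], audience=audience, issuer=issuer)


# Constructed sample data: the modulus is not a real key and the token carries no
# signature, so they exercise key selection only and are never passed to verify_access_jwt.
SAMPLE_JWKS = {"keys": [{"kid": "k1", "kty": "RSA", "alg": "RS256", "use": "sig",
                         "n": "constructed-not-a-real-modulus", "e": "AQAB"}]}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "k1"}).encode()),
    _b64url_encode(json.dumps({"aud": POLICY_AUD, "iss": TEAM_DOMAIN}).encode()),
    "",
])
```

To wire this into the tutorial's dependency, call `extract_token(request.cookies, request.headers)` inside `validate_cloudflare`, raise the `HTTPException` when it returns `None` or when `verify_access_jwt` raises, and keep one `JwksCache` instance for the whole process so the certs endpoint is not fetched per request.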

## 2. Use the validation function in your app

You can now add the validation function as a dependency in your FastAPI app. One way to do this is by creating an [APIRouter instance ↗](https://fastapi.tiangolo.com/tutorial/bigger-applications/#another-module-with-apirouter). The following example executes the validation function on each request made to paths that start with `/admin`:

```python
from fastapi import APIRouter, Depends

from cloudflare import validate_cloudflare

# Every route registered on this router runs validate_cloudflare first,
# so a request without a valid Access token never reaches a handler.
router = APIRouter(
    prefix="/admin",
    tags=["admin"],
    dependencies=[Depends(validate_cloudflare)],
    responses={404: {"description": "Not found"}},
)


@router.get("/")
async def root():
    return {"message": "Hello World"}
```


---

---
title: Zero Trust GitLab SSH & HTTP
description: Learn how to add Zero Trust rules to a self-hosted instance of GitLab. This tutorial walks you through deploying GitLab in DigitalOcean.
image: https://developers.cloudflare.com/zt-preview.png
---


# Zero Trust GitLab SSH & HTTP

**Last reviewed:**  over 5 years ago 

You can use Cloudflare Access to add Zero Trust rules to a self-hosted instance of GitLab. Combined with Cloudflare Tunnel, users can connect through HTTP and SSH and authenticate with your team's identity provider.

**This walkthrough covers how to:**

* Deploy an instance of GitLab
* Lock down all inbound connections to that instance and use Cloudflare Tunnel to set outbound connections to Cloudflare
* Build policies with Cloudflare Access to control who can reach GitLab
* Connect over HTTP and SSH through Cloudflare

**Time to complete:**

1 hour

---

## Deploying GitLab

This section walks through deploying GitLab in DigitalOcean. If you have already deployed GitLab, you can skip this section.

Create a Droplet that has 16 GB of RAM and 6 CPUs. This should make it possible to support 500 users, based on [GitLab's resource recommendations ↗](https://docs.gitlab.com/ee/install/requirements.html).

![Create Droplet](https://developers.cloudflare.com/_astro/create-droplet.5w9w-Z20_Z1VnfVG.webp) 

The Droplet is assigned an external IP that is exposed to the Internet (for now). You will need to connect to the deployed server using this external IP for the initial configuration. You can secure connections to the IP by [adding SSH keys ↗](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2) to your DigitalOcean account.

This example uses a macOS machine to configure the Droplet. Copy the IP address assigned to the machine from DigitalOcean.

![Machine IP](https://developers.cloudflare.com/_astro/show-ip.BX4xqubr_8H1My.webp) 

Open Terminal and run the following command, replacing the IP address with the IP assigned by DigitalOcean.

```sh
ssh root@134.209.124.123
```

Next, install GitLab. This example uses the [Ubuntu package ↗](https://about.gitlab.com/install/#ubuntu) and the steps in the GitLab documentation, with a few exceptions called out below.

Run the following commands to begin.

```sh
sudo apt-get update

sudo apt-get install -y curl openssh-server ca-certificates
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
```

The commands above add the GitLab package repository to this machine. You must now install the software. This is the first place this tutorial diverges from the GitLab documentation: the next step in the GitLab-provided tutorial sets an external hostname, but since Cloudflare Tunnel will provide the hostname, you can install the software without one.

```sh
sudo apt-get install gitlab-ee
```

After a minute or so, GitLab will be installed.

![Install GitLab](https://developers.cloudflare.com/_astro/install-gitlab.COTmg1AD_2wx6Wb.webp) 

However, the application is not running yet. You can confirm this by checking which ports are listening with `ss`.

```sh
sudo ss -lntup
```

The result should be only the services currently active on the machine:

```text
Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   Process
udp     UNCONN   0        0                      *:9094                *:*
tcp     LISTEN   0        128              0.0.0.0:22            0.0.0.0:*       users:(("sshd",pid=29,fd=3))
tcp     LISTEN   0        128                 [::]:22               [::]:*       users:(("sshd",pid=29,fd=4))
```

To start GitLab, run the software's reconfigure command.

```sh
sudo gitlab-ctl reconfigure
```

GitLab will launch its component services. Once complete, confirm that GitLab is running and listening on both ports 22 and 80.

![GitLab Services](https://developers.cloudflare.com/_astro/gitlab-services.DWHydQAd_1zXwjJ.webp) 

```sh
sudo ss -lntup
```

```text
Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   Process
udp     UNCONN   0        0                      *:9094                *:*
tcp     LISTEN   0        4096           127.0.0.1:9236          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:8150          0.0.0.0:*
tcp     LISTEN   0        128              0.0.0.0:22            0.0.0.0:*       users:(("sshd",pid=29,fd=3))
tcp     LISTEN   0        4096           127.0.0.1:8151          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:3000          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:8153          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:8154          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:8155          0.0.0.0:*
tcp     LISTEN   0        511              0.0.0.0:8060          0.0.0.0:*       users:(("nginx",pid=324,fd=8))
tcp     LISTEN   0        4096           127.0.0.1:9121          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:9090          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:9187          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:9093          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:9229          0.0.0.0:*
tcp     LISTEN   0        1024           127.0.0.1:8080          0.0.0.0:*
tcp     LISTEN   0        511              0.0.0.0:80            0.0.0.0:*       users:(("nginx",pid=324,fd=7))
tcp     LISTEN   0        4096           127.0.0.1:9168          0.0.0.0:*
tcp     LISTEN   0        4096           127.0.0.1:8082          0.0.0.0:*
tcp     LISTEN   0        128                 [::]:22               [::]:*       users:(("sshd",pid=29,fd=4))
tcp     LISTEN   0        4096                   *:9094                *:*
```

Users connect to GitLab over SSH (port 22 here) and over HTTP for the web app (port 80). In the next step, you will make it possible for users to reach both through Cloudflare Access. Leave GitLab running and head over to the Cloudflare dashboard.

## Securing GitLab with Zero Trust rules

### Building Zero Trust policies

You can use Cloudflare Access to build Zero Trust rules to determine who can connect to both the web application of GitLab (HTTP) and who can connect over SSH.

When a user makes a request to a site protected by Access, that request hits Cloudflare's network first. Access can then check if the user is allowed to reach the application. When integrated with Cloudflare Tunnel, the Zero Trust architecture looks like this:

![GitLab Services](https://developers.cloudflare.com/_astro/teams-diagram.DZV8IyTp_ZaozQs.webp) 

To determine who can reach the application, Cloudflare Access relies on integration with identity providers like Okta, Microsoft Entra ID, or Google to issue the identity cards that get checked at the door. While a VPN allows users free range on a private network unless someone builds an active rule to stop them, Access enforces that identity check on every request (and at any granularity configured).

For GitLab, start by building two policies. Users will connect to GitLab in two ways: in the web app and over SSH. Create policies to secure a subdomain for each. First, the web app.

Before you build the rule, you'll need to follow [these instructions](https://developers.cloudflare.com/cloudflare-one/setup/) to set up Cloudflare Access in your account.

Once enabled, go to the **Applications** page in Zero Trust. Select **Create new application**.

Select **Self-hosted and private**.

![Self Hosted](https://developers.cloudflare.com/_astro/policy.V6-L7e37_Z1O2Ag1.webp) 

You will be prompted to add a subdomain that will represent the resource. This must be a subdomain of a domain in your Cloudflare account. You will need separate subdomains for the web application and SSH flows.

This example uses `gitlab.widgetcorp.tech` for the web application and `gitlab-ssh.widgetcorp.tech` for SSH connectivity.

You can decide which identity providers will be allowed to authenticate. By default, all configured providers are allowed. Add rules to determine who can reach the site.

Select **Create** to publish the application. Repeat these steps for the second application, `gitlab-ssh.widgetcorp.tech`.

## Cloudflare Tunnel

Cloudflare Tunnel creates a secure, outbound-only connection between this machine and Cloudflare's network. With an outbound-only model, you can prevent any direct access to this machine and lock down any externally exposed points of ingress, so no inbound firewall ports need to stay open.

Cloudflare Tunnel is made possible through a lightweight daemon from Cloudflare called `cloudflared`. Download and install `cloudflared` on the DigitalOcean machine by following the instructions listed on the [Downloads](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) page.

Once installed, authenticate the instance of `cloudflared` with the following command.

```sh
cloudflared login
```

The command will print a URL that you must visit to log in with your Cloudflare account.

Choose a website that you have added into your account.

Once you select one of the sites in your account, Cloudflare will download a certificate file to authenticate this instance of `cloudflared`. You can now use `cloudflared` to control Cloudflare Tunnel connections in your Cloudflare account.

![Download Cert](https://developers.cloudflare.com/_astro/cert-download.CzGYlCAx_Z1IrUwf.webp) 

### Connecting to Cloudflare

You can now connect GitLab to Cloudflare using Cloudflare Tunnel.

1. Create a new Tunnel by running the following command.

```sh
cloudflared tunnel create gitlab
```

`cloudflared` will generate a unique ID for this Tunnel, for example `6ff42ae2-765d-4adf-8112-31c55c1551ef`. You can use this Tunnel for both SSH and HTTP traffic.

2. Configure Cloudflare Tunnel to proxy traffic to both destinations. The configuration below sends traffic for the web app's DNS record to port 80 and traffic for the SSH record to port 22.

Use the text editor of your choice to edit the configuration file. This example uses `vim`.

```sh
vim ~/.cloudflared/config.yml
```

3. Configure the Tunnel to serve traffic.

```yaml
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json

ingress:
  - hostname: gitlab.widgetcorp.tech
    service: http://localhost:80
  - hostname: gitlab-ssh.widgetcorp.tech
    service: ssh://localhost:22
  # Catch-all rule, which just responds with 404 if traffic doesn't match any of
  # the earlier rules
  - service: http_status:404
```

![Self Hosted](https://developers.cloudflare.com/_astro/config-file.C9yhlhb3_fa9dL.webp) 

4. You can test that the configuration file is set correctly with the following command:

```sh
cloudflared tunnel ingress validate
```

`cloudflared` should indicate the Tunnel is okay. You can now begin running the Tunnel.

```sh
cloudflared tunnel run
```

![Tunnel Run](https://developers.cloudflare.com/_astro/tunnel-run.0yb8I0dS_Z12fkE.webp) 

Note

This command should be run as a `systemd` service for long-term use; if it terminates, GitLab will be unavailable.
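The ingress rules are what decide which of the two hostnames reaches which local port, and their order matters: `cloudflared` tries them top to bottom and the final rule without a hostname catches everything else. The following added example (written for this page, not `cloudflared`'s own code) models that evaluation and the constraint `cloudflared tunnel ingress validate` enforces, that the last rule must be a catch-all. `INGRESS` mirrors the `config.yml` above; hostname wildcards are approximated with shell-style matching, `path` filters are not modelled, and the rejection of a catch-all that is not last is this example's own check.

```python
"""First-match evaluation of cloudflared ingress rules.

Added example, not cloudflared's own code. It models the ordering the tutorial
relies on: rules are tried top to bottom, the first hostname match wins, and a
final rule with no hostname is the catch-all. INGRESS mirrors the tutorial's
config.yml; wildcard handling here is a simplification of cloudflared's.
"""
from fnmatch import fnmatchcase

INGRESS = [
    {"hostname": "gitlab.widgetcorp.tech", "service": "http://localhost:80"},
    {"hostname": "gitlab-ssh.widgetcorp.tech", "service": "ssh://localhost:22"},
    {"service": "http_status:404"},  # catch-all, must be last
]


def validate_ingress(rules):
    """Reject configurations cloudflared would not run: the last rule must be a
    catch-all (no hostname). This example additionally rejects a catch-all that
    is not last, since it would shadow every rule after it."""
    if not rules:
        raise ValueError("ingress has no rules")
    for rule in rules:
        if "service" not in rule:
            raise ValueError("every ingress rule needs a service")
    if "hostname" in rules[-1]:
        raise ValueError("last ingress rule must be a catch-all without a hostname")
    for index, rule in enumerate(rules[:-1]):
        if "hostname" not in rule:
            raise ValueError("rule %d is a catch-all but is not last" % index)
    return True


def route(rules, hostname):
    """Return the service for a request to `hostname`; the first match wins.
    Hostnames are compared case-insensitively."""
    validate_ingress(rules)
    hostname = hostname.lower()
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or fnmatchcase(hostname, pattern.lower()):
            return rule["service"]
    raise AssertionError("unreachable: validate_ingress guarantees a catch-all")


if __name__ == "__main__":
    for name in ("gitlab.widgetcorp.tech", "gitlab-ssh.widgetcorp.tech", "other.widgetcorp.tech"):
        print(name, "->", route(INGRESS, name))
```

Because both DNS records in the next section point at the same Tunnel, it is this rule list, not DNS, that determines what is exposed: a hostname that is not listed is answered with a 404 by `cloudflared` and never reaches GitLab.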

### Configure DNS records

You can now create DNS records for GitLab in the Cloudflare dashboard. Remember, you will still need two records - one for the web application and one for SSH traffic.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to the **DNS Records** page for your domain.  
[ Go to **Records** ](https://dash.cloudflare.com/?to=/:account/:zone/dns/records)
2. Select **Add record**. Choose `CNAME` as the record type.
3. In the **Name** field, input `gitlab`.
4. In the **Target** field, input the ID of the Tunnel created followed by `cfargotunnel.com`. In this example, that value is:

```text
6ff42ae2-765d-4adf-8112-31c55c1551ef.cfargotunnel.com
```

5. Select **Save**.
6. Repeat the process by creating a second `CNAME` record with the same **Target**, but input `gitlab-ssh` for the **Name**. Both records should then appear, pointing to the same Tunnel. The ingress rules defined in the configuration file above will direct traffic to the appropriate port.

![View DNS](https://developers.cloudflare.com/_astro/view-dns.D18Ri4DU_128DTe.webp) 

### Connecting to the web application

You can now test the end-to-end configuration for the web application. Visit the subdomain created for the web application. Cloudflare Access will prompt you to authenticate. Log in with your provider.

Once authenticated, you should see the GitLab web application.

![GitLab Web](https://developers.cloudflare.com/_astro/gitlab-web.Jd4Y_aFN_Z27DDoX.webp) 

Register your own account and create a Blank project to test SSH in the next step.

![Blank Project](https://developers.cloudflare.com/_astro/blank-project.fZ_spCg9_86YyE.webp) 

GitLab will create a new project and repository.

Note

To pull or push code, you must also add an SSH key to your profile in GitLab.

### Configuring SSH

To push and pull code over SSH, you will need to install `cloudflared` on the client machine as well. This example uses a macOS laptop. On macOS, you can install `cloudflared` with the following command.

```sh
brew install cloudflared
```

While you need to install `cloudflared`, you do not need to wrap your SSH commands in any unique way. Instead, you will need to make a one-time change to your SSH configuration file.

```sh
vim /Users/samrhea/.ssh/config
```

Input the following values, replacing `gitlab-ssh.widgetcorp.tech` with the hostname you created.

```text
Host gitlab-ssh.widgetcorp.tech
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
```

You can now test the SSH flow by attempting to clone the project created earlier.

```sh
git clone git@gitlab-ssh.widgetcorp.tech:samrhea/demo
```

`cloudflared` will prompt you to log in with your identity provider and, once successful, issue a token to your device that allows you to authenticate.

![GitLab Clone](https://developers.cloudflare.com/_astro/git-clone.JvUcJ24A_60TIt.webp) 

### Lock down exposed ports

You can now configure your DigitalOcean firewall with a single rule that blocks all inbound traffic, preventing direct access.

![Set Rules](https://developers.cloudflare.com/_astro/disable-ingress.DuP5QaLx_Z1NcTV3.webp) 

Cloudflare Tunnel will continue to run over outbound-only connections, and with no inbound path the machine is no longer exposed to being caught up in a crypto mining operation, or something worse.

## View logs

You can also view logs of the events that are allowed and blocked. Open the `Access` page of the `Logs` section in Zero Trust.

## Troubleshooting

If you are using Git Large File Storage (LFS), note that Git LFS is not automatically supported by `cloudflared`. To access repositories protected by Cloudflare Access, you need to authenticate manually by running:

```sh
cloudflared access login <your-git-access-url>
```

Replace `<your-git-access-url>` with the Cloudflare Access-protected URL.


---

---
title: Monitor Cloudflare Tunnel with Grafana
description: This tutorial covers how to create the metrics endpoint and set up the Prometheus server.
image: https://developers.cloudflare.com/zt-preview.png
---


# Monitor Cloudflare Tunnel with Grafana

**Last reviewed:**  over 2 years ago 

[Grafana ↗](https://grafana.com/) is a dashboard tool that visualizes data stored in other databases. You can use Grafana to convert your [tunnel metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/) into actionable insights.

It is not possible to push metrics directly from `cloudflared` to Grafana. Instead, `cloudflared` runs a [Prometheus ↗](https://prometheus.io) metrics endpoint, which a Prometheus server periodically scrapes. Grafana then uses Prometheus as a data source to present metrics to the administrator.

```mermaid
flowchart LR

  subgraph 192.168.1.1
  A[cloudflared]-->B[Metrics endpoint]
  end

  B--->C
  subgraph 192.168.1.2
  C[Prometheus server]-->D[Grafana dashboard]
  end
```

This tutorial covers how to create the metrics endpoint, set up the Prometheus server, and view the data in Grafana.

## Before you begin

* You will need a Cloudflare Tunnel. To create a tunnel, refer to our [getting started guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/).

## Create the metrics endpoint

If your tunnel was created via the CLI, run the following command on the `cloudflared` server (`192.168.1.1`):

```sh
cloudflared tunnel --metrics 192.168.1.1:60123 run my-tunnel
```

If your tunnel was created via the dashboard, the [\--metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#metrics) flag must be added to your `cloudflared` system service configuration. Refer to [Add tunnel run parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#add-run-parameters-to-tunnel-service) for instructions on how to do this.
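Before pointing Prometheus at the endpoint it is worth confirming what it actually serves. The following added example (written for this page, not part of the tutorial or of `cloudflared`) parses the Prometheus text exposition format that the `--metrics` endpoint speaks and reports which of the metrics you plan to graph are missing. `SAMPLE_METRICS` is constructed: the metric names are ones `cloudflared` exposes, the values and HELP text are made up, and the `check_endpoint` URL form assumes the `/metrics` path on the address given to `--metrics`.

```python
"""Parse the Prometheus text format that `cloudflared --metrics` exposes and
check that the metrics you intend to graph are present.

Added example, not from the tutorial or cloudflared. SAMPLE_METRICS is
constructed (cloudflared's metric names, made-up values and HELP text).
"""
import re
import urllib.request

SAMPLE_METRICS = """\
# HELP cloudflared_tunnel_total_requests Requests proxied through all tunnels (constructed HELP text)
# TYPE cloudflared_tunnel_total_requests counter
cloudflared_tunnel_total_requests 42
# TYPE cloudflared_tunnel_ha_connections gauge
cloudflared_tunnel_ha_connections 4
# TYPE cloudflared_tunnel_response_by_code counter
cloudflared_tunnel_response_by_code{status_code="200"} 39
cloudflared_tunnel_response_by_code{status_code="502"} 3
"""

# One sample line: name, optional {labels}, value (a trailing timestamp is ignored).
SAMPLE_RE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)")
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Return {(metric_name, sorted_label_pairs): value} for every sample line.
    Comment lines (# HELP / # TYPE) and malformed lines are skipped."""
    samples = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SAMPLE_RE.match(line)
        if not match:
            continue
        name, raw_labels, value = match.groups()
        labels = tuple(sorted(LABEL_RE.findall(raw_labels))) if raw_labels else ()
        samples[(name, labels)] = float(value)
    return samples


def metric_value(samples, name, **labels):
    """Look up one sample by metric name and exact label set; None if absent."""
    return samples.get((name, tuple(sorted(labels.items()))))


def missing_metrics(samples, required):
    """Names from `required` that no sample line reports."""
    present = {name for name, _labels in samples}
    return [name for name in required if name not in present]


def check_endpoint(url, required=("cloudflared_tunnel_total_requests",)):
    """Fetch a live metrics endpoint, e.g. http://192.168.1.1:60123/metrics, and
    return the required metric names it does not expose (empty list = all good)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        text = resp.read().decode("utf-8")
    return missing_metrics(parse_exposition(text), required)


if __name__ == "__main__":
    parsed = parse_exposition(SAMPLE_METRICS)
    print("total requests:", metric_value(parsed, "cloudflared_tunnel_total_requests"))
    print("missing:", missing_metrics(parsed, ["cloudflared_tunnel_total_requests", "cloudflared_tunnel_request_errors"]))
```

The metrics endpoint is unauthenticated plain HTTP, so bind it to an address only the Prometheus host can reach, as the tutorial does with the private `192.168.1.1` address, rather than to a public interface.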

## Set up Prometheus

On the Prometheus and Grafana server (`192.168.1.2`):

1. [Download ↗](https://prometheus.io/download/) Prometheus.
2. Extract Prometheus:

   ```sh
   tar xvfz prometheus-*.tar.gz
   cd prometheus-*
   ```

3. Open `prometheus.yml` in a text editor and add the `cloudflared` job to the end of the file:

   ```yaml
   # my global config
   global:
     scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
     evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
     # scrape_timeout is set to the global default (10s).
   # Alertmanager configuration
   alerting:
     alertmanagers:
       - static_configs:
           - targets:
             # - alertmanager:9093
   # Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
   rule_files:
     # - "first_rules.yml"
     # - "second_rules.yml"
   # A scrape configuration containing exactly one endpoint to scrape:
   # Here it's Prometheus itself.
   scrape_configs:
     # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
     - job_name: "prometheus"
       # metrics_path defaults to '/metrics'
       # scheme defaults to 'http'.
       static_configs:
         - targets: ["localhost:9090"] ## Address of Prometheus dashboard
     - job_name: "cloudflared"
       static_configs:
         - targets: ["192.168.1.1:60123"] ## cloudflared server IP and the --metrics port configured for the tunnel
   ```

4. Start Prometheus:

   ```sh
   ./prometheus --config.file="prometheus.yml"
   ```

   You can optionally configure Prometheus to run as a service so that it does not need to be manually started if the machine reboots.
5. Open a browser and go to `http://localhost:9090/`. You should be able to access the Prometheus dashboard.
6. To verify that Prometheus is fetching tunnel metrics, enter `cloudflared_tunnel_total_requests` into the expression console and select **Execute**.
   ![Prometheus dashboard showing tunnel metrics data](https://developers.cloudflare.com/_astro/Prometheus-dashboard.CUKRS856_28Ma3Y.webp)

Refer to [Available metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#available-metrics) to check what other metrics are available.

## Connect Grafana to Prometheus

1. [Download ↗](https://grafana.com/grafana/download) and install Grafana.
2. Start Grafana as a system service:

   ```sh
   sudo systemctl daemon-reload
   sudo systemctl start grafana-server
   ```

3. Verify that Grafana is running:

   ```sh
   sudo systemctl status grafana-server
   ```

4. Open a browser and go to `http://localhost:3000/`. The default HTTP port that Grafana listens to is `3000` unless you have configured a different port.
5. On the sign-in page, enter your Grafana credentials.  
To test without an account, you can enter `admin` for both the username and password and skip the password change step.
6. In Grafana, go to **Connections** \> **Data sources**.
7. Select **Add a new data source** and select **Prometheus**.
8. In the **Prometheus server URL** field, enter the IP address and port of your Prometheus dashboard (`http://localhost:9090`).
9. Select **Save & test**.

## Build Grafana dashboard

1. In Grafana, go to **Dashboards** \> **New** \> **New dashboard**.
2. Select **Add visualization**.
3. Select **Prometheus**.
4. In the metrics field, enter `cloudflared_tunnel_total_requests` and select **Run queries**. You will see a graph showing the number of requests as a function of time.
![Grafana dashboard showing a tunnel metrics graph](https://developers.cloudflare.com/_astro/Grafana-dashboard.Bz0eyO9h_ZBdbLa.webp) 

You can add operations to the queries to modify what is displayed. For example, you could show all tunnel requests over a recent period of time, such as a day, rather than all tunnel requests since metrics began reporting.


---

---
title: GraphQL Analytics
description: Use the GraphQL Analytics API to review data for Cloudflare Network Firewall network traffic related to rules matching your traffic.
image: https://developers.cloudflare.com/zt-preview.png
---


# GraphQL Analytics

**Last reviewed:**  about 4 years ago 

Use the GraphQL Analytics API to review data for Cloudflare Network Firewall network traffic related to rules matching your traffic. This contains both rules you configured in the Cloudflare Network Firewall dashboard, and the rules managed by Cloudflare as a part of [Cloudflare Network Firewall Managed rules](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/enable-managed-rulesets/) and [Cloudflare Network Firewall IDS](https://developers.cloudflare.com/cloudflare-network-firewall/about/ids/) features.

Before you begin, you must have an [API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/). For additional help getting started with GraphQL Analytics, refer to [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/).

## Obtain Cloudflare Account ID

To construct a Network Firewall GraphQL query for an object, you will need a Cloudflare Account ID.

### Obtain your Cloudflare Account ID

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account.
2. The URL in your browser's address bar should show `https://dash.cloudflare.com/` followed by a hex string. The hex string is your Cloudflare Account ID.

### Obtain the rule ID for a firewall rule

To construct queries to gather analytics for a particular rule, you need the rule ID for each firewall rule.

1. In the Cloudflare dashboard, go to the **Cloudflare Network Firewall** page.  
[ Go to **Firewall policies** ](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall)
2. In the **Custom rules** tab, locate the rule you need the rule ID for from the list and select the three dots > **Edit**.
3. Locate the **Rule ID** and select the copy button.
4. Select **Cancel** to return to the **Cloudflare Network Firewall** page.

## Explore GraphQL schema with Cloudflare Network Firewall query example

In this section, you will run a test query that returns the bits and packets matched by your configured Cloudflare Network Firewall rules, grouped into five minute intervals (the `limit: 2` in the query returns only the two most recent groups). You can copy and paste the code below into GraphiQL.

For additional information about the Analytics schema, refer to [Explore the Analytics schema with GraphiQL](https://developers.cloudflare.com/analytics/graphql-api/getting-started/explore-graphql-schema/).

```graphql
query MagicFirewallExample($accountTag: string!, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      magicFirewallSamplesAdaptiveGroups(
        filter: { datetime_geq: $start, datetime_leq: $end }
        limit: 2
        orderBy: [datetimeFiveMinute_DESC]
      ) {
        sum {
          bits
          packets
        }
        dimensions {
          datetimeFiveMinute
          ruleId
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BAogB4IC2ADgWABQAkCaaA9iAHYAuAKsgFwwAzlwgoOSAIQAaGAxEIIXQTxQUwshmA4ATFWrABKGAG8AUDBgA3FHkimLlmMzacuQugDMUBLpEEmzizs3HxIgkzBbmEwAL7G5k5OFMjoWDj4RADKlDRgQgCCOghUXChWYADiEOxUHo5Jlt6+-qYwxX5l6gD6SGDAEQpKsh1gXWDdtANy2jpxDY0EaijKMABMC0msEDqQAEJQggDao+NYFXDiIH7dACLEWQDCALqbMAlvlkIgFA6NjQAjFZCT5OKjMADWYxB-0ssVBOgMHCEKFYyL+sMspwM5zAlw41zAoMsEBAtAAkjpQfD-jSnHT4bEgA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgFYRADmQBGAMyZuATkzTpALQYgApvAAmXPoJHjeU6cqUr1IAL5A)

## Example queries for Cloudflare Network Firewall

### Obtain analytics for a specific rule

Use the example below to display the total number of packets and bits for the top ten suspected malicious traffic streams that matched a rule within the last hour. The results are ordered by the five minute average packet rate, highest first.

For each stream, display the:

* Source and destination IP addresses
* Ingress Cloudflare data centers that received it
* Total traffic volume in bits and packets received within the hour
* Actions taken by the firewall rule

```graphql
query MagicFirewallObtainRules(
  $accountId: string!
  $ruleId: string
  $start: Time
  $end: Time
) {
  viewer {
    accounts(filter: { accountTag: $accountId }) {
      magicFirewallNetworkAnalyticsAdaptiveGroups(
        filter: { ruleId: $ruleId, datetime_geq: $start, datetime_leq: $end }
        limit: 10
        orderBy: [avg_packetRateFiveMinutes_DESC]
      ) {
        sum {
          bits
          packets
        }
        dimensions {
          coloCity
          ipDestinationAddress
          ipSourceAddress
          outcome
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BA8gEYAuCKAdgEogFgDOAFAFAwwAkCaaA9iGrkAkgBMAXDCbkINJAEIO3CAzDipMudSTKuMhBHJSAKigC2YPWGqSYZy2wCUMAN7KAbijyQ3yzrwCQuSsAGYoBOSQUq4wgYLCJshSPHwJomIwAL4u7pz5MObI6Fg4+EQAcmDkuPwQANYAgtSEUOToTI1iCAAO7R5gAOIQgj2s-gUw4ZHRbjCqjBoqauIANDDdUe2WAPpIYMApBkbrm9UWYDuMh9w2mVkTBQQWKMYwAIwADI-5dWKQACEoFIANoIDxIHY9Xj1aq0BBRLADOA0EBRJg7AAiAFEAMoAYQAuj9cj9OEwQOY-JNJqRXkwyfloWhYSFGQ8aZwxBdqEwUPxedTOZwBAR+PjXlBGZwUD1Mcx2i12gKumIcEwGcKZT1cYIIGgwKr1ZqtYJyAJHMKOZNrZxrQ8skA&variables=N4IghgxhD2CuB2AXAkgExALhAJQKIAUAZAQQGFcB9AdWQBUAJC5AERABoQAnWAGwFM0mHARLlqdRi3YgAzojCdEQgEwAGZQDYAtKoCsOgBy0AjAGYMygJwZjxgFrS+8dFjWad+1UePWrN+yAAvkA)

### Obtain IDS analytics

Use the example below to display the total number of packets and bits for the top 10 traffic streams that Cloudflare Network Firewall IDS has detected in the last hour.

By setting `verdict` to `drop` and `outcome` to `pass`, we filter for traffic that was marked as a detection (the verdict was `drop`) but was not actually dropped (the outcome was `pass`). This is because, currently, Cloudflare Network Firewall IDS only detects malicious traffic and does not drop it.

For each stream, display the:

* Source and destination IP addresses.
* Ingress Cloudflare data centers that received it.
* Total traffic volume in bits and packets received within the hour.

```graphql
query MagicFirewallObtainIDS($accountTag: string!, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      magicIDPSNetworkAnalyticsAdaptiveGroups(
        filter: {
          datetime_geq: $start
          datetime_leq: $end
          verdict: drop
          outcome: pass
        }
        limit: 10
        orderBy: [avg_packetRateFiveMinutes_DESC]
      ) {
        sum {
          bits
          packets
        }
        dimensions {
          coloCity
          ipDestinationAddress
          ipSourceAddress
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BA8gEYAuCKAdgJIAiAygBQAkCaaA9iNeQCrIAXDADO5CDSQBCADQxW4hBHIj+KALZh5rMNQAmazWACUMAN4AoGDABuKPJAvWbMDt17lRzAGYoC5JAi5m6cPHyCSCLsYZ6RMAC+ZlaurhrI6AwACowAcmDkuFwQANYAgtSEUOToomX6CAAONbZgAOIQPI3eLqk2fgFBzn19DYE1WgD6SGDA0UoqvSMwYwXGkwSz0Xr6SyOtEProqiudjXt9POTcWiKNCKKiFzYJzzAEmignAIwADG-FfSQABCUBEAG0ELYkJN7mgSgUAEoIQJYVpwGggQKiSb0ACijAAwgBdC7JN6iEAaYbLGykL5PWk2OEIrxvV60o5aaiiFBcHk02ncAhcQlfKBvGwoRr0MDiGgovnUer6HCPSUwaWMHgQNBgFVqxnLDl9E0vFyvBJAA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgFYRADmQBGAMyZuATkzTpALQYgApvAAmXPoJHjeU6cqUr1IAL5A)

Alternatively, to inspect all analyzed traffic, grouped into malicious traffic and other traffic, use the example below. The response will contain two entries for each five minute timestamp: `verdict` is set to `drop` for malicious traffic, and `verdict` is set to `pass` for traffic that did not match any of the IDS rules.

```graphql
query MagicFirewallTraffic($accountTag: string!, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      magicIDPSNetworkAnalyticsAdaptiveGroups(
        filter: { datetime_geq: $start, datetime_leq: $end }
        limit: 10
        orderBy: [avg_packetRateFiveMinutes_DESC]
      ) {
        sum {
          bits
          packets
        }
        dimensions {
          coloCity
          ipDestinationAddress
          ipSourceAddress
          verdict
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBAsgQwOYEsDGAxFEwHcEA2BAKhAgGbnoAUAJAmmgPYgB2ALscgFwwDO7CClZIAhABoYtAQgjtexFAFswk2mFYATBcrABKGAG8AUDBgA3FHkhHTZmA2Zt2falQLtIvQw8YsOXEi89H7OgTAAvgYm9vZKyOgAkgAiAAoAygByYOy4TBAA1gCCrIRQ7Oh8RZoIAA4V5mAA4hAsta52sWbunhDeMDWeFSoA+khgwMEycpKDObojBBPBGpqRnV0EyijyMACMAAwbsfmakABCULwA2gjmSCO1DAU5AEoInliNcMIgnnwjZIAUXSAGEALrHGDRKFmPggJS2LpdABGOz4sPsTzQLxcmIimM0ulYfBQTBJSOR9mYBCYoJ2UExZhQtWSYAEwg+ZNY1U0OD4GKp9hZ6RYEDQYF5-MFQoskCJaHY+KhBNiqvWESAA&variables=N4IghgxhD2CuB2AXAKmA5iAXCAggYTwHkBVAOWQH0BJAERABoQBnRMAJ0SxACYAGbgGwBaXgFYRADmQBGAMyZuATkzTpALQYgApvAAmXPoJHjeU6cqUr1IAL5A)
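Putting the IDS query above to work outside GraphiQL, here is an added Python example (not code from Cloudflare's documentation) that sends the query with `$start` and `$end` set to the trailing hour and flattens the response into rows sorted by packet count, failing loudly when the API returns `errors` (for example, a token without Analytics read permission). The endpoint URL, the `Bearer` token header and the sample response are assumptions made for the example.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Cloudflare's GraphQL Analytics endpoint (assumed here; see the GraphQL Analytics API docs linked above).
GRAPHQL_ENDPOINT = "https://api.cloudflare.com/client/v4/graphql"

# Same query as the "Obtain IDS analytics" example above: detections (verdict drop) that were not dropped (outcome pass).
IDS_QUERY = """
query MagicFirewallObtainIDS($accountTag: string!, $start: Time, $end: Time) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      magicIDPSNetworkAnalyticsAdaptiveGroups(
        filter: { datetime_geq: $start, datetime_leq: $end, verdict: drop, outcome: pass }
        limit: 10
        orderBy: [avg_packetRateFiveMinutes_DESC]
      ) {
        sum { bits packets }
        dimensions { coloCity ipDestinationAddress ipSourceAddress }
      }
    }
  }
}
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def last_hour_window(now=None):
    """Return (start, end) as UTC ISO-8601 strings for the trailing hour, the form the $start/$end Time variables take."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(hours=1)).strftime(TIME_FMT), now.strftime(TIME_FMT)


def build_payload(account_tag, start, end):
    """Build the JSON body: the query plus its variables, so the account ID is never spliced into the query text."""
    return {"query": IDS_QUERY, "variables": {"accountTag": account_tag, "start": start, "end": end}}


def summarize_streams(response):
    """Flatten a GraphQL response into rows, one per (source, destination, colo), sorted by packets descending.
    Raises if the API reported errors rather than silently returning an empty list."""
    if response.get("errors"):
        raise RuntimeError("GraphQL errors: " + "; ".join(e.get("message", "?") for e in response["errors"]))
    accounts = response["data"]["viewer"]["accounts"]
    if not accounts:
        raise RuntimeError("no account matched the accountTag filter")
    rows = []
    for group in accounts[0]["magicIDPSNetworkAnalyticsAdaptiveGroups"]:
        dims, sums = group["dimensions"], group["sum"]
        rows.append({
            "source": dims["ipSourceAddress"],
            "destination": dims["ipDestinationAddress"],
            "colo": dims["coloCity"],
            "packets": sums["packets"],
            "bits": sums["bits"],
        })
    return sorted(rows, key=lambda r: r["packets"], reverse=True)


def fetch_ids_streams(account_tag, api_token):
    """Run the query for the last hour against the live API (needs network access and an API token with Analytics read)."""
    start, end = last_hour_window()
    req = urllib.request.Request(
        GRAPHQL_ENDPOINT,
        data=json.dumps(build_payload(account_tag, start, end)).encode(),
        headers={"Authorization": "Bearer " + api_token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return summarize_streams(json.load(resp))


# Constructed sample response in the shape the query returns (not real data), so the summary runs offline.
SAMPLE_RESPONSE = {
    "data": {"viewer": {"accounts": [{"magicIDPSNetworkAnalyticsAdaptiveGroups": [
        {"sum": {"bits": 4096000, "packets": 8000},
         "dimensions": {"coloCity": "Frankfurt", "ipDestinationAddress": "203.0.113.10", "ipSourceAddress": "198.51.100.7"}},
        {"sum": {"bits": 9600000, "packets": 12000},
         "dimensions": {"coloCity": "Ashburn", "ipDestinationAddress": "203.0.113.10", "ipSourceAddress": "192.0.2.44"}},
    ]}]}},
    "errors": None,
}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_ids_streams("<ACCOUNT_ID>", "<API_TOKEN>") to query the live API.
    for row in summarize_streams(SAMPLE_RESPONSE):
        print(f"{row['source']:>15} -> {row['destination']:<15} via {row['colo']:<10} packets={row['packets']} bits={row['bits']}")
```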


---

---
title: Integrate Microsoft MCAS with Cloudflare Zero Trust
description: With an MCAS API call, you can manage a URL category that contains the blocked URLs. Use the output to create a Hostname List that can be used by Gateway HTTP policies to block them.
image: https://developers.cloudflare.com/zt-preview.png
---


# Integrate Microsoft MCAS with Cloudflare Zero Trust

**Last reviewed:** over 4 years ago

Many security teams rely on Microsoft MCAS (Microsoft Cloud App Security), Microsoft's CASB solution, to identify and block threats on the Internet, as well as allow or block access to cloud applications. This tutorial covers how to integrate MCAS with Cloudflare Zero Trust, and create Gateway HTTP policies to ensure visibility and control over data.

Microsoft provides an MCAS API endpoint to allow queries to see which applications have been marked as blocked or allowed. With an MCAS API call, you can manage a URL category that contains the blocked URLs returned by the API query, and use the output to create a Hostname List that can be used by Gateway HTTP policies to block them.

**Time to complete:**

20 minutes

## Basic configuration

In your Microsoft account, you first need to create an API token and URL endpoint to use to query the URLs blocked by MCAS. Follow the guide for [Managing API tokens for Microsoft Cloud App Security ↗](https://learn.microsoft.com/defender-cloud-apps/api-authentication) to generate a new API token and a custom API URL for the API endpoint.

## Using the API to query banned applications

Once you have the API token and API URL, use curl to get the list of banned applications from Microsoft MCAS:

```sh
curl -v "https://<MCAS API URL>/api/discovery_block_scripts/?format=120&type=banned" -H "Authorization: Token <API token>"
```

This will return a list of banned hostnames. In this case, Angie's List is the banned application.

![Banned hostnames](https://developers.cloudflare.com/_astro/mcas-domains.CtUPNlL__5tMjF.webp) 

### Processing the output

As you can see, the banned hostnames are preceded by a `.`. To use this output for a Zero Trust List, we need to do some text processing.

1. Run the curl API call and direct the output to a file, in this case `mcas.txt`:
   ```sh
   curl -v "https://<MCAS API URL>/api/discovery_block_scripts/?format=120&type=banned" -H "Authorization: Token <API token>" > mcas.txt
   ```
2. Remove the leading `.`, for example by running `sed` from the CLI (the dot is escaped so that only a leading `.` is removed, not the first character of every line):
   ```sh
   sed -i 's/^\.//' mcas.txt
   ```
3. This will give you the list of hostnames without the leading `.`.
4. Replace the file's `.txt` extension with `.csv`. The file can now be imported into Cloudflare Zero Trust as a Hostname list.
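As an added example (not part of the tutorial), the same processing in Python: it strips only a leading dot, lower-cases, deduplicates and drops any line that is not a syntactically valid hostname before writing the one-per-line file that the tutorial uploads as a Hostnames list. The sample input is constructed from the page's description of the API output, not real MCAS data.

```python
import re
import sys

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen (RFC 1123).
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_hostname(line):
    """Turn one MCAS output line such as '.example.com' into 'example.com'.
    Returns None for anything that is not a syntactically valid hostname, so a
    stray line cannot end up as a bogus entry in the Gateway list."""
    host = line.strip().lower()
    if host.startswith("."):      # MCAS prefixes each hostname with a dot; strip only that dot
        host = host[1:]
    host = host.rstrip(".")       # tolerate a trailing FQDN dot
    if not host or len(host) > 253:
        return None
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return host


def build_hostname_list(lines):
    """Return the unique valid hostnames in input order; blanks, comments and malformed lines are skipped."""
    seen, hosts = set(), []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host = normalize_hostname(line)
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def to_csv(hosts):
    """One hostname per line: the layout the tutorial uploads as a Hostnames list."""
    return "".join(host + "\n" for host in hosts)


# Constructed sample of what the banned-applications call returns (the real output is not on the page).
SAMPLE_MCAS_OUTPUT = [
    ".example.com\r\n",
    ".www.example.com\n",
    "\n",
    ".example.com\n",        # duplicate, kept once
    ".example.net\n",
    ".bad_host\n",           # underscore and a single label: rejected
]

if __name__ == "__main__":
    # Usage: python mcas_to_list.py mcas.txt > mcas.csv   (or pipe the curl output on stdin)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    sys.stdout.write(to_csv(build_hostname_list(source)))
```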

## Using the API to query allowed applications

If you would like to get a list of all of the MCAS allowed applications, you can use the same API query, but instead of using `type=banned`, use `type=allowed`. This will return a much larger list.

```sh
curl -v "https://<MCAS API URL>/api/discovery_block_scripts/?format=120&type=allowed" -H "Authorization: Token <API token>"
```

## Adding a hostname list in Cloudflare One

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Reusable components** \> **Lists**.
2. Select **Upload CSV**. Even though the hostname list is not in CSV format, it will work with no issues.
3. Add a name for the list, specify _Hostnames_ as the list type, and give it a description.
4. Drag and drop your MCAS output file created via the API call, or you can select **Select a file**.
5. Select **Create**. You will see the list of hostnames that have been added to the list.
6. Save the list.

Your list is now ready to be referenced by Gateway HTTP policies.

## Creating an HTTP policy

1. Go to **Traffic policies** \> **Traffic policies** \> **HTTP**.
2. Select **Add a policy**.
3. Create the following policy.  
| Selector | Operator | Value                 | Action |  
| -------- | -------- | --------------------- | ------ |  
| Host     | in list  | <NEW\_HOSTNAME\_LIST> | Block  |

Now when trying to visit one of the MCAS defined sites, the user will be blocked.

![Access Restricted](https://developers.cloudflare.com/_astro/mcas-block-page.Bgzcx6ig_ZPxsLe.webp) 


---

---
title: Connect through Cloudflare Access using kubectl
description: Connecting to Cloudflare's network using kubectl. Create a Zero Trust policy for your machine. Create an outbound-only connection between your machine and Cloudflare's network.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connect through Cloudflare Access using kubectl

**Last reviewed:** almost 4 years ago

You can connect to machines over `kubectl` using Cloudflare's Zero Trust platform.

**This walkthrough covers how to:**

* Build a policy in Cloudflare Access to secure the machine
* Connect a machine to Cloudflare's network using kubectl
* Connect from a client machine

**Before you start**

* [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)

**Time to complete:**

30 minutes

---

## Create an Access policy

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname** and input a subdomain. This will be the hostname where your application will be available to users.
5. [Create a new policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can reach the application, or select existing policies.
6. Follow the remaining [self-hosted application creation steps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application.

## Install `cloudflared`

Cloudflare Tunnel creates a secure, outbound-only connection between this machine and Cloudflare's network. With an outbound-only model, you can prevent any direct access to this machine and lock down any externally exposed points of ingress. As a result, no inbound firewall ports need to be opened.

Cloudflare Tunnel is made possible through a lightweight daemon from Cloudflare called `cloudflared`. Download and install `cloudflared` on the DigitalOcean machine by following the instructions listed on the [Downloads](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) page.

## Authenticate `cloudflared`

Run the following command to authenticate cloudflared into your Cloudflare account.

```sh
cloudflared tunnel login
```

`cloudflared` will open a browser window and prompt you to log in to your Cloudflare account. If you are working on a machine that does not have a browser, or a browser window does not launch, you can copy the URL from the command-line output and visit the URL in a browser on any machine.

Choose any hostname presented in the list. Cloudflare will issue a certificate scoped to your account. You do not need to pick the specific hostname where you will serve the Tunnel.

## Create a Tunnel

Next, create a tunnel with the command below.

```sh
cloudflared tunnel create <NAME>
```

Replace `<NAME>` with a name for the Tunnel. This name can be any value. A single Tunnel can also serve traffic for multiple hostnames to multiple services in your environment, including a mix of connection types like SSH and HTTP.

The command will output an ID for the Tunnel and generate an associated credentials file. At any time you can list the Tunnels in your account with the following command.

```sh
cloudflared tunnel list
```

## Configure the Tunnel

You can now [configure the tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/#4-create-a-configuration-file) to serve traffic.

Create a `YAML` file that `cloudflared` can reach. By default, `cloudflared` will look for the file in the same folder where `cloudflared` has been installed.

```sh
vim ~/.cloudflared/config.yml
```

Next, configure the Tunnel, replacing the example ID below with the ID of the Tunnel created above. Additionally, replace the hostname in this example with the hostname of the application configured with Cloudflare Access.

```yaml
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json

ingress:
  - hostname: azure.widgetcorp.tech
    service: tcp://kubernetes.docker.internal:6443
    originRequest:
      proxyType: socks
  # Catch-all rule, which responds with 404 if traffic doesn't match any of
  # the earlier rules
  - service: http_status:404
```

## Route to the Tunnel

You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the configured service as long as the hostname is defined with an [ingress rule](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames).

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to the **DNS Records** page for your domain.  
[ Go to **Records** ](https://dash.cloudflare.com/?to=/:account/:zone/dns/records)
2. Select **Add record**. Choose `CNAME` as the record type. For **Name**, choose the hostname where you want to create a Tunnel. This should match the hostname of the Access policy.
3. For **Target**, input the ID of your Tunnel followed by `.cfargotunnel.com`. For example:

   ```
   6ff42ae2-765d-4adf-8112-31c55c1551ef.cfargotunnel.com
   ```
4. Select **Save**.

## Run the Tunnel

You can now run the Tunnel to connect the target service to Cloudflare. Use the following command to run the Tunnel, replacing `<NAME>` with the name created for your Tunnel.

```sh
cloudflared tunnel run <NAME>
```

We recommend that you run `cloudflared` [as a service](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/as-a-service/) that is configured to launch on start.

## Connect from a client machine

You can now connect from a client machine using `cloudflared`.

This example uses a macOS laptop. On macOS, you can install `cloudflared` with the following command using Homebrew.

```sh
brew install cloudflared
```

Run the following command to create a connection from the device to Cloudflare. Any available port can be specified.

```sh
cloudflared access tcp --hostname azure.widgetcorp.tech --url 127.0.0.1:1234
```

With this service running, you can run a `kubectl` command and `cloudflared` will launch a browser window and prompt the user to authenticate with your SSO provider. Once authenticated, `cloudflared` will expose the connection to the client machine at the local URL specified in the command.

`kubeconfig` does not support proxy command configurations at this time, though the community has submitted plans to do so. In the interim, users can alias the cluster's API server to save time.

```sh
alias kubeone="env HTTPS_PROXY=socks5://127.0.0.1:1234 kubectl"
```


---

---
title: Protect access to Microsoft 365 with dedicated egress IPs
description: This tutorial covers how to secure access to your Microsoft 365 applications with Cloudflare Gateway dedicated egress IPs.
image: https://developers.cloudflare.com/zt-preview.png
---


# Protect access to Microsoft 365 with dedicated egress IPs

**Last reviewed:** over 2 years ago

Note

Only available on Zero Trust Enterprise plans.

This tutorial covers how to secure access to your Microsoft 365 applications with Cloudflare Gateway dedicated egress IPs.

You can map a named location in Microsoft Entra ID to a location associated with your dedicated egress IPs. Traffic will egress from Cloudflare with these IP addresses. If users attempt to access your Microsoft applications without these IPs, Entra ID will block access.

## Before you begin

Make sure you have:

* In Cloudflare, a Zero Trust Enterprise plan with [dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/)
* In Microsoft 365, an organization managed with [Microsoft Entra ID ↗](https://learn.microsoft.com/en-us/entra/identity/)

## Create an egress policy in Cloudflare Gateway

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Egress policies**.
2. Select **Add a policy**.
3. Name your policy, then add conditions to check users are configured in Microsoft Entra ID. For example, you can check for [identity conditions](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/):  
| Selector         | Operator | Value                                   |  
| ---------------- | -------- | --------------------------------------- |  
| User Group Names | in       | Sales and Marketing, Retail, U.S. Sales |  
Additionally, you can check for [device posture conditions](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/):  
| Selector                    | Operator | Value                                           | Logic |  
| --------------------------- | -------- | ----------------------------------------------- | ----- |  
| Passed Device Posture Check | is       | CrowdStrike Overall ZTA score (Crowdstrike s2s) | And   |  
| Passed Device Posture Check | is       | AppCheckMac - Required Software (Application)   |       |
4. Enable **Use dedicated Cloudflare egress IPs**. Select your desired IPv4 and IPv6 addresses. For example:  
| Primary IPv4 address | IPv6 address  |  
| -------------------- | ------------- |  
| 203.0.113.0          | 2001:db8::/32 |

## Create a named IP range location in Microsoft Entra ID

1. Log in to the [Microsoft Azure portal ↗](https://aka.ms/azureportal).
2. In the sidebar, select **Microsoft Entra ID**.
3. Go to **Security** \> **Named locations**.
4. Select **IP ranges location**.
5. Name your location, then add the IP addresses used in your Cloudflare dedicated egress IP policy.
6. Select **Upload**.

This named location corresponds with the locations of your dedicated egress IPs.

## Create a conditional access policy in Microsoft Entra ID

1. In **Protect**, go to **Conditional Access**.
2. Select **Create new policy**.
3. Configure which Entra ID users you want to limit access for, and which traffic, applications, or actions you want to protect.
4. In **Conditions**, select **Locations**. Enable **Configure**.
5. In **Include**, select _Any location_. In **Exclude**, select the named location you created.
6. In **Access controls**, go to **Grant**. Enable _Block access_.

Your policy will block access for your selected users from any location except those using your dedicated egress IPs.

## Test your policies

1. Using [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), sign in to your Zero Trust organization with a user's account.
2. Go to any Microsoft 365 app within your organization. Entra ID should allow access.
3. Disconnect the Cloudflare One Client from your Zero Trust organization. Entra ID should block access to any Microsoft 365 applications.


---

---
title: MongoDB SSH
description: You can build Zero Trust rules to secure connections to MongoDB deployments using Cloudflare Access and Cloudflare Tunnel.
image: https://developers.cloudflare.com/zt-preview.png
---


# MongoDB SSH

**Last reviewed:** over 5 years ago

You can build Zero Trust rules to secure connections to MongoDB deployments using Cloudflare Access and Cloudflare Tunnel. Cloudflare Tunnel requires a lightweight daemon, `cloudflared`, running alongside the deployment and on the client side.

In this tutorial, a client running `cloudflared` connects over SSH to a MongoDB deployment running on Kubernetes. The deployment example is structured to connect [Compass ↗](https://www.mongodb.com/products/compass) to the MongoDB instance. The MongoDB Kubernetes deployment runs both the MongoDB database service and `cloudflared` as an ingress service that operates like a jump host.

**This tutorial covers how to:**

* Create a Cloudflare Access rule to secure a MongoDB deployment
* Configure a StatefulSet and service definition for the deployment
* Configure a Cloudflare Tunnel connection to Cloudflare's edge
* Create an SSH configuration file for the client

**Time to complete:**

50 minutes

---

## Configure Cloudflare Access

You can build a rule in Cloudflare Access to control who can connect to your MongoDB deployment. Cloudflare Access rules are built around a hostname; even though this deployment will be accessible over SSH, the resource will be represented in Cloudflare as a hostname. For example, if you have the website `app.com` in your Cloudflare account, you can build a rule to secure `mongodb.app.com`.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname** and enter the subdomain where users will connect to your deployment (for example, `mongodb.app.com`).
5. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to control who can reach the deployment. You can build a policy that allows anyone in your organization to connect or you can build more granular policies based on signals like identity provider groups, [multifactor method](https://developers.cloudflare.com/cloudflare-one/tutorials/okta-u2f/), or [country](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/).
6. Follow the remaining [self-hosted application creation steps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application.

## Configure the Kubernetes deployment

To be accessible over SSH, the Kubernetes deployment should manage both the MongoDB standalone service and an SSH proxy service. The configuration below will deploy 1 replica of the database service, available at port 27017, as well as an SSH proxy available at port 22.

StatefulSet configuration:

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mongodb-standalone
  namespace: mongodb
spec:
  serviceName: database
  replicas: 1
  selector:
    matchLabels:
      app: database
  template:
    metadata:
      labels:
        app: database
        selector: mongodb-standalone
    spec:
      containers:
        - name: mongodb-standalone
          image: mongo
          command: ["mongod"]
          args: ["--config=/config/mongod.conf"]
          ports:
            - containerPort: 27017
              protocol: TCP
              name: mongod
          volumeMounts:
            - name: mongodb-conf
              mountPath: /config
              readOnly: true
            - name: mongodb-data
              mountPath: /data/db
            - name: tls
              mountPath: /etc/tls
            - name: mongodb-socket
              mountPath: /socket
        - name: ssh-proxy
          image: ubuntu:20.04
          command: ["/scripts/entrypoint.sh"]
          ports:
            - containerPort: 22
              protocol: TCP
              name: ssh-port
          volumeMounts:
            - name: mongodb-socket
              mountPath: /socket
            - name: scripts
              mountPath: /scripts
              readOnly: true
            - name: ssh-authorized-keys
              mountPath: /config/ssh
              readOnly: true
          resources:
            requests:
              cpu: 20m
              memory: 32Mi
      volumes:
        - name: mongodb-socket
          emptyDir: {}
        - name: mongodb-conf
          configMap:
            name: mongodb-standalone
            items:
              - key: mongod.conf
                path: mongod.conf
        - name: tls
          secret:
            secretName: tls
        - name: mongodb-data
          persistentVolumeClaim:
            claimName: mongodb-standalone
        - name: scripts
          configMap:
            name: scripts
            items:
              - key: entrypoint.sh
                path: entrypoint.sh
                mode: 0744
        - name: ssh-authorized-keys
          configMap:
            name: ssh-proxy-config
            items:
              - key: authorized_keys
                path: authorized_keys
                mode: 0400
```

The corresponding service definition should also specify the ports and target ports for the containers (in this case, the database service and the SSH proxy service).

Service Definition

YAML

```yaml
# Headless Service (clusterIP: None) backing the StatefulSet
apiVersion: v1
kind: Service
metadata:
  name: database
  namespace: mongodb
  labels:
    app: database
spec:
  clusterIP: None
  selector:
    app: database
  ports:
    - protocol: TCP
      port: 27017
      targetPort: 27017
---
# The SSH proxy Service is the only destination cloudflared needs to reach
apiVersion: v1
kind: Service
metadata:
  name: ssh-proxy
  namespace: mongodb
  labels:
    app: database
spec:
  selector:
    app: database
  ports:
    - protocol: TCP
      port: 22
      targetPort: 22
```

The MongoDB container and the SSH jump host container run in the same pod and share a Unix socket through the `emptyDir` volume mounted at `/socket`. The `entrypoint.sh` script run by the jump host, shown below, starts an OpenSSH server. Note that it installs `openssh-server` at container start, so the pod depends on package mirrors being reachable at boot and the `sshd` version is not pinned; for production, build an image with OpenSSH preinstalled instead.

```sh
#!/bin/sh
set -e

export TZ=America/Chicago
ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

# The base image ships no SSH server; install it at start-up
apt-get update -y && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server

# Only keys from the ssh-proxy-config ConfigMap may log in
mkdir -p /root/.ssh
chmod 700 /root/.ssh
cp /config/ssh/authorized_keys /root/.ssh/authorized_keys
chmod 400 /root/.ssh/authorized_keys

service ssh start

# Keep the container running while sshd serves in the background
while true; do
  sleep 30
done
```

## Configure Cloudflare Tunnel

Next, you can use `cloudflared` to connect to Cloudflare's edge using Cloudflare Tunnel. Start by [downloading and installing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/) the Cloudflare Tunnel daemon, `cloudflared`.

Once installed, run the following command to authenticate the instance of `cloudflared` into your Cloudflare account.

Terminal window

```sh
cloudflared login
```

The command will launch a browser window and prompt you to log in with your Cloudflare account. Choose a website that you have added to your account.

Once you select one of the sites in your account, Cloudflare will download a certificate file, `cert.pem`, that authenticates this instance of `cloudflared`. Treat it as a sensitive credential: it includes an API key for your account that can perform actions such as DNS record changes and creating Tunnels.

You can now use `cloudflared` to control Cloudflare Tunnel connections in your Cloudflare account.

![Download Certificate](https://developers.cloudflare.com/_astro/cert-download.CzGYlCAx_Z1IrUwf.webp) 

### Create a Tunnel

You can now [create a Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/) that will connect `cloudflared` to Cloudflare's edge. You'll configure the details of that Tunnel in the next step.

Run the following command to create a Tunnel. You can replace `mongodb` with any name that you choose. This command requires the `cert.pem` file.

Terminal window

```sh
cloudflared tunnel create mongodb
```

Cloudflare will create the Tunnel with that name and generate an ID and credentials file for that Tunnel.

![New Tunnel](https://developers.cloudflare.com/_astro/create.2q9ua5Ht_18exbR.webp) 

### Delete the `cert.pem` file

The credentials file is separate from the `cert.pem` file. It is a JSON file containing a secret that authenticates only the Named Tunnel you just created; unlike `cert.pem`, it cannot make changes to your Cloudflare account or create additional Tunnels.

If you are done creating Tunnels, you can delete the `cert.pem` file, keep only the credentials file, and continue to manage DNS records directly in the Cloudflare dashboard or API. For additional information on the different functions of the two files, refer to the list of [useful terms](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#certpem).

Store the JSON credentials file as a Kubernetes secret in the namespace where `cloudflared` will run. The `cloudflared` configuration below expects a secret named `tunnel-credentials` whose key is the file name given in `credentials-file`.

### Configure Cloudflare Tunnel

The previous steps used `cloudflared` to generate a credentials file for your Cloudflare account. To run `cloudflared` as a service alongside the MongoDB Kubernetes deployment you need a Docker image of `cloudflared`. Cloudflare makes an [official image available ↗](https://hub.docker.com/r/cloudflare/cloudflared) on Docker Hub.

The configuration below runs a single replica of `cloudflared` as the ingress point for the MongoDB and SSH proxy services; `cloudflared` proxies traffic to the SSH proxy service. The `cloudflared` instance runs as its own Deployment in a separate namespace and, unless a Kubernetes NetworkPolicy restricts it, can reach any Service in the cluster. Limit its ingress to port 22 of the SSH proxy so that a compromise of the tunnel pod does not expose the database port directly.

`cloudflared` Configuration

YAML

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dashboard-tunnel
  namespace: argotunnel
  labels:
    app: dashboard-tunnel
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dashboard-tunnel
  template:
    metadata:
      labels:
        app: dashboard-tunnel
    spec:
      containers:
        - name: dashboard-tunnel
          # Image from https://hub.docker.com/r/cloudflare/cloudflared
          # Pinned tag from the tutorial; move to a release you have tested
          image: cloudflare/cloudflared:2020.11.11
          command: ["cloudflared", "tunnel"]
          args: ["--config", "/etc/tunnel/config.yaml", "run"]
          ports:
            # Metrics endpoint, also used by the liveness probe
            - containerPort: 5000
          livenessProbe:
            tcpSocket:
              port: 5000
            initialDelaySeconds: 60
            periodSeconds: 60
          volumeMounts:
            - name: dashboard-tunnel-config
              mountPath: /etc/tunnel
            - name: tunnel-credentials
              mountPath: /etc/credentials
      volumes:
        - name: dashboard-tunnel-config
          configMap:
            name: dashboard-tunnel-config
        - name: tunnel-credentials
          secret:
            secretName: tunnel-credentials
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dashboard-tunnel-config
  namespace: argotunnel
data:
  config.yaml: |
    tunnel: 9a00ef26-4997-4de2-83db-631efc74245c
    # File name must match the key in the tunnel-credentials Secret
    credentials-file: /etc/credentials/k8s-dashboard.json
    metrics: :5000
    protocol: http2
    no-autoupdate: true
    ingress:
      - hostname: mongodb.widgetcorp.tech
        originRequest:
          # Bastion mode: the client's --destination chooses the origin
          bastionMode: true
      - service: http_status:404
```
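The tutorial leaves two manifests to the reader: the Secret that carries the tunnel credentials file, and a NetworkPolicy for the "if network policy allows" caveat above. The script below is an added example, not code from the tutorial or from Cloudflare. It generates both: `tunnel_secret_manifest` wraps the credentials JSON in a Secret whose key matches the `credentials-file` name in `config.yaml` and refuses anything that is not a tunnel credentials file (so `cert.pem` cannot be shipped into the cluster by mistake), and `ssh_proxy_networkpolicy` allows ingress to the `app: database` pods only on port 22 and only from the `argotunnel` namespace. The credentials path, the namespace names and the `kubernetes.io/metadata.name` namespace label are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): build the tunnel-credentials Secret and a
# NetworkPolicy that limits what the cloudflared pod can reach.
set -eu

# tunnel_secret_manifest <credentials.json> [namespace] [key]
# The key must equal the file name used in `credentials-file:` of config.yaml
# (/etc/credentials/k8s-dashboard.json -> key k8s-dashboard.json).
tunnel_secret_manifest() {
  creds="$1"
  ns="${2:-argotunnel}"
  key="${3:-k8s-dashboard.json}"
  [ -r "$creds" ] || { echo "credentials file not readable: $creds" >&2; return 1; }
  # A tunnel credentials file carries TunnelID and TunnelSecret; refuse anything else,
  # in particular cert.pem, which grants account-level API access.
  grep -q '"TunnelSecret"' "$creds" && grep -q '"TunnelID"' "$creds" \
    || { echo "$creds is not a tunnel credentials file" >&2; return 1; }
  b64=$(base64 < "$creds" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: tunnel-credentials
  namespace: $ns
type: Opaque
data:
  $key: $b64
EOF
}

# ssh_proxy_networkpolicy [app-namespace] [tunnel-namespace]
# Selecting the database pods with an Ingress policy denies all ingress by default;
# the single rule then re-admits TCP/22 from the tunnel namespace only, so port 27017
# is unreachable from cloudflared. Uses the kubernetes.io/metadata.name label that
# Kubernetes sets on every namespace (assumption: a CNI that enforces NetworkPolicy).
ssh_proxy_networkpolicy() {
  app_ns="${1:-mongodb}"
  tunnel_ns="${2:-argotunnel}"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ssh-proxy-from-tunnel
  namespace: $app_ns
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: $tunnel_ns
      ports:
        - protocol: TCP
          port: 22
EOF
}

# Usage (paths are assumptions):
#   tunnel_secret_manifest ~/.cloudflared/9a00ef26-4997-4de2-83db-631efc74245c.json | kubectl apply -f -
#   ssh_proxy_networkpolicy | kubectl apply -f -
```

Both functions print the manifest rather than applying it so you can review the output, or commit it to your deployment repository, before it reaches the cluster. The NetworkPolicy only takes effect on clusters whose network plugin enforces NetworkPolicy objects; on a plugin that does not, it is silently ignored.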

## Connect from a client

Once deployed, you can run `cloudflared` on the client side to connect to the MongoDB deployment. Add the following lines to your SSH configuration file (`~/.ssh/config`), replacing the example values with your hostname and details. The `--destination` value is the in-cluster address of the SSH proxy Service, `<service>.<namespace>.svc.cluster.local:22`. Because the Tunnel ingress runs in `bastionMode`, the `cloudflared` pod connects to whatever destination the client names, which is why its ingress to other services should be restricted with a Kubernetes NetworkPolicy.

`~/.ssh/config`

```
Host mongodb
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname mongodb.widgetcorp.tech --destination ssh-proxy.mongodb.svc.cluster.local:22
  LocalForward 27000 /socket/mongodb-27017.sock
  User root
  IdentityFile /Users/username/.ssh/id_rsa
```

This is a one-time step. The next time you open an SSH connection to `mongodb`, `cloudflared` launches a browser window and prompts you to authenticate with your identity provider; if the Access policy allows you, the connection proceeds, and a still-valid session skips the prompt. Once the tunnel is established, all requests to `localhost:27000` on your machine are forwarded to `/socket/mongodb-27017.sock` on the SSH proxy container.

You can then set MongoDB Compass to connect to `localhost:27000`.


---

---
title: Access and secure a MySQL database using Cloudflare Tunnel and network policies
description: Using Cloudflare Tunnel's private networks, users can connect to arbitrary non-browser based TCP/UDP applications, like databases. You can set up network policies that implement zero trust controls to define who and what can access those applications using the Cloudflare One Client.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ MySQL ](https://developers.cloudflare.com/search/?tags=MySQL)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) 

# Access and secure a MySQL database using Cloudflare Tunnel and network policies

**Last reviewed:**  about 2 years ago 

Using Cloudflare Tunnel's private networks, users can connect to arbitrary non-browser based TCP/UDP applications, like databases. You can set up network policies that implement zero trust controls to define who and what can access those applications using the Cloudflare One Client.

By the end of this tutorial, users that pass network policies will be able to access a remote MySQL database available through a Cloudflare Tunnel on TCP port 3306.

## Before you begin

Make sure you have:

* A MySQL database listening for remote connections and configured with users that can connect remotely
* (Optional) [Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) enabled on your account

## Create a Cloudflare Tunnel

Install `cloudflared` on a server in your private network. This server should have connectivity to the MySQL database.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **Create a tunnel**.
3. Choose **Cloudflared** for the connector type and select **Next**.
4. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`).
5. Select **Save tunnel**.
6. Next, you will need to install `cloudflared` and run it. To do so, check that the environment under **Choose an environment** reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.
7. Once the command has finished running, your connector will appear in Cloudflare One.  
![Connector appearing in the UI after cloudflared has run](https://developers.cloudflare.com/_astro/connector.BnVS4T_M_ZxLFu6.webp)
8. Select **Next**.

## Add private network routes

1. In the **CIDR** tab, add the following IP addresses:
   * Private IP/CIDR of your MySQL server (for example, `10.128.0.175/32`)
   * (Optional) Private IP/CIDR of your internal DNS server
2. Select **Save tunnel**.

The application and (optional) DNS server are now connected to Cloudflare.

## Create a Gateway network policy

1. Go to **Traffic policies** \> **Network policies**.
2. Add a [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address and the port of the MySQL database (port 3306 by default). The following example allows access to the database for users who enrolled in the Cloudflare One Client with an `@example.com` email address. Network policies can also take [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/) into consideration.

| Selector         | Operator      | Value           | Logic | Action |
| ---------------- | ------------- | --------------- | ----- | ------ |
| Destination IP   | in            | `10.128.0.175`  | And   | Allow  |
| Destination Port | in            | `3306`          | And   |        |
| User Email       | matches regex | `.*example.com` |       |        |

The email pattern above is looser than it looks: the unescaped `.` matches any character and nothing ties `example.com` to the end of the address after the `@`, so `mallory@notexample.com` also satisfies `.*example.com`. A pattern such as `^[^@]+@example\.com$` restricts the match to addresses in the `example.com` domain.

In addition to the Allow rule above, Cloudflare recommends adding a [catch-all block policy](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/) to the bottom of your network policy list to enforce a default-deny model.

Allowed Cloudflare One Client users can now connect to the MySQL server at `10.128.0.175` using the MySQL client of their choice.
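To see what the three ANDed conditions of the Allow rule actually admit, the script below replays them against a handful of constructed connection records. It is an added example, not part of the tutorial and not Cloudflare's policy engine: `grep -E` stands in for Gateway's regex matcher, and the records, the loose pattern from the table and the anchored replacement are all supplied here. The `mallory@notexample.com` and `bob@exampleXcom` rows are admitted by `.*example.com` whether or not the matcher anchors the pattern to the whole value; the `example.com.evil.net` row is admitted only by an unanchored matcher.

```shell
#!/bin/sh
# Added example (not from the tutorial): evaluate the network policy's Allow rule
# against constructed records and compare the loose and the anchored email regex.
set -eu

DB_IP="10.128.0.175"
DB_PORT="3306"
LOOSE_RE='.*example.com'            # pattern as written in the policy table
STRICT_RE='^[^@]+@example\.com$'    # one local part, literal dot, nothing after the domain

# policy_decision <email-regex> <dest-ip> <dest-port> <user-email>
# Mirrors the table: Destination IP AND Destination Port AND User Email regex.
# Prints "allow" or "block".
policy_decision() {
  re="$1"; ip="$2"; port="$3"; email="$4"
  if [ "$ip" = "$DB_IP" ] && [ "$port" = "$DB_PORT" ] \
     && printf '%s\n' "$email" | grep -Eq "$re"; then
    echo allow
  else
    echo block
  fi
}

# Constructed records: dest-ip dest-port user-email
RECORDS='10.128.0.175 3306 alice@example.com
10.128.0.175 3306 mallory@notexample.com
10.128.0.175 3306 mallory@example.com.evil.net
10.128.0.175 3306 bob@exampleXcom
10.128.0.175 3307 alice@example.com
10.128.0.200 3306 alice@example.com'

printf '%-32s %-6s %-6s\n' "user" "loose" "strict"
printf '%s\n' "$RECORDS" | while read -r ip port email; do
  printf '%-32s %-6s %-6s\n' "$email" \
    "$(policy_decision "$LOOSE_RE" "$ip" "$port" "$email")" \
    "$(policy_decision "$STRICT_RE" "$ip" "$port" "$email")"
done
```

The last two rows show that the IP and port conditions do their job regardless of the pattern; only the email condition needs tightening. Anchoring with `^` and `$`, escaping the dot, and requiring exactly one `@` before the domain is the minimum for an identity selector that is meant to grant access.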

## (Optional) Create a Gateway resolver policy

To allow users to access the MySQL database using an internal hostname instead of the private IP address, configure a Gateway resolver policy.

1. Go to **Traffic policies** \> **Resolver policies**.
2. Select **Add a policy**.
3. Create an expression to match against the private [domain](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#domain) or [hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#host) of the application, like in the following example:  
| Selector | Operator | Value              |  
| -------- | -------- | ------------------ |  
| Domain   | in       | internalrecord.com |
4. In **Select DNS resolver**, select _Configure custom DNS resolvers_.
5. Enter the private IP address of your DNS server.
6. In the dropdown menu, select _`<IP-address> - Private`_.
7. (Optional) Enter a custom port.
8. Select **Create policy**.

If your internal DNS server has an `A` record for the MySQL database, users can connect to the server using this record. For example, assuming a BIND server that includes the entry:

`mysql IN A 10.128.0.175`

Allowed Cloudflare One Client users can connect to the MySQL database at `mysql.internalrecord.com` using the MySQL client of their choice.


---

---
title: Require U2F with Okta
description: This tutorial covers how to Integrate Cloudflare Access with Okta. It also covers the steps to set up Cloudflare Access and integrate Okta with Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Okta ](https://developers.cloudflare.com/search/?tags=Okta) 

# Require U2F with Okta

**Last reviewed:**  over 5 years ago 

Many identity providers, like Okta, support multiple multifactor authentication (MFA) options simultaneously. For example, Okta will allow you to log in with your password and either a temporary code generated in an app or a U2F hardware key such as a YubiKey.

Some second factors are more resistant to phishing than others. U2F requires possession of a physical device, also known as a hardware key, and the key only signs for the origin it was registered with, so a stolen password alone does not let an attacker impersonate you. You can build rules in Cloudflare Access to require that users authenticate with a hardware key, even if your provider supports multiple options. When users log in with a less secure option, like an app-based code, Access will block them.

**This tutorial covers how to:**

* Integrate Cloudflare Access with Okta
* Configure Okta for U2F enrollment
* Build an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) that requires users to log in with a hardware key
* Specify that policy to apply to certain Access applications

The first two sections of this tutorial link to guides to set up Cloudflare Access and integrate Okta. If you already use Cloudflare Access with Okta, you can skip ahead to the fourth section.

**Time to complete:**

20 minutes

---

## Configure Cloudflare Access

Before you begin, you'll need to follow [these instructions](https://developers.cloudflare.com/cloudflare-one/setup/) to set up Cloudflare Access in your account. The hardware key feature is available on any plan, including the free plan.

## Integrate Okta

Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/) to integrate Okta with your Cloudflare Access account. Once integrated, Access will be able to apply rules using identity, group membership, and multifactor method from Okta.

## Configure Okta for U2F

An Okta administrator in your organization must first [enable U2F support ↗](https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm) in your Okta account **and** [configure users ↗](https://help.okta.com/en/prod/Content/Topics/Security/healthinsight/required-factors.htm) to be prompted for it. This is a global setting; if your account has already configured U2F, you do not need to do anything unique to use it with Cloudflare Access.

## Test U2F in Access

You can begin building U2F policies by testing your Okta integration.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Access settings**.
2. In **Manage your App Launcher**, select **Manage**.
3. Choose **Login methods**.
4. Choose the row for Okta and select **Test**.

Cloudflare Access will prompt you to log in with your Okta account. For the purposes of the test, use a second factor option like an app-based code. Okta returns `amr` (Authentication Methods References, [RFC 8176 ↗](https://www.rfc-editor.org/rfc/rfc8176)) values to Cloudflare Access; these are standard indicators of the authentication methods used, shared between identity systems.

The `mfa` value is sent by Okta to tell Cloudflare Access that you used a multifactor authentication option. The `pwd` value indicates you used a password. In this example, the `otp` value is sent because the user authenticated with an app-based code.

You can test with a hardware key by logging out of Okta and returning to the list of providers in Access. Select **Test** again, but this time use your hardware key as a second factor. Cloudflare Access will now see Okta share `hwk` in the `amr` fields.

![Test MFA](https://developers.cloudflare.com/_astro/with-hwk.CL1DMkwd_Z6LXdY.webp) 
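The `amr` claim arrives inside the ID token Okta issues. The script below is an added example, not part of the tutorial and not Okta's or Cloudflare's code: it builds three constructed ID tokens with the `amr` shapes described above, decodes the payload, and applies the same test the Access rule in the next section makes, namely that `hwk` must be among the methods used. The tokens carry a placeholder signature and the check deliberately reads the payload without verifying it, which is fine for inspecting claim shapes but never for an authorization decision; a relying party must verify the signature and standard claims first, as Access does.

```shell
#!/bin/sh
# Added example (not from the tutorial): inspect the amr claim of a constructed OIDC
# ID token and require "hwk" the way the Access rule does. No signature verification.
set -eu

b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | sed 's/+/-/g; s#/#_#g'; }

# base64url is unpadded; restore padding before decoding
b64url_decode() {
  s=$(printf '%s' "$1" | sed 's/-/+/g; s#_#/#g')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# make_token <payload-json>: header.payload.signature with a placeholder signature
make_token() {
  printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","kid":"demo"}')" \
                    "$(b64url_encode "$1")" \
                    "$(b64url_encode 'placeholder-signature')"
}

# jwt_amr <token>: print the contents of the amr array, empty if the claim is absent
jwt_amr() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
    | sed -n 's/.*"amr":\[\([^]]*\)\].*/\1/p'
}

# require_hwk <token>: succeed only if a hardware key was one of the factors used.
# A missing amr claim is treated as "no hardware key", not as a pass.
require_hwk() {
  jwt_amr "$1" | grep -q '"hwk"'
}

# Constructed tokens mirroring the three amr shapes the tutorial describes
TOKEN_HWK=$(make_token '{"sub":"alice@example.com","amr":["pwd","hwk","mfa"]}')
TOKEN_OTP=$(make_token '{"sub":"alice@example.com","amr":["pwd","otp","mfa"]}')
TOKEN_NOAMR=$(make_token '{"sub":"alice@example.com"}')

for t in "$TOKEN_HWK" "$TOKEN_OTP" "$TOKEN_NOAMR"; do
  if require_hwk "$t"; then verdict=allow; else verdict=block; fi
  printf 'amr=[%s] -> %s\n' "$(jwt_amr "$t")" "$verdict"
done
```

The third token shows the edge case worth deciding up front: an identity provider that omits `amr` entirely gives you no evidence of a hardware key, so the check fails closed rather than treating the absence as acceptable.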

## Build a Zero Trust policy to require U2F

You can use this information to build a rule in Access. Go to the `Applications` list in the Cloudflare Access section of the dashboard. Choose an application that you have already built or create a new one. This example adds the requirement to an existing application.

Select **Edit** to edit the existing `Allow` rule.

Add a `Require` rule and select `Authentication Method` from the list. Choose `hwk` as the required `Authentication Method`. Select **Save rule**.

![Require Rule](https://developers.cloudflare.com/_astro/require-hwk.D9ImfCao_ZAoRHD.webp) 

Optional: you can also configure Cloudflare Access to only show users Okta for this application if you have multiple other providers integrated. In the `Authentication` Tab, choose `Okta` as the only option to show users.

## Testing the rule

You can now test the rule. Visit the application and attempt to log in using an app-based code or any method other than a hardware security key. Access will block the attempt.

![Blocked](https://developers.cloudflare.com/_astro/blocked-user.DutI7nnY_2mWm6R.webp) 

If you sign out of Okta, and reattempt with a hardware key, Access will then allow the connection.


---

---
title: Use Cloudflare R2 as a Zero Trust log destination
description: This tutorial covers how to build a Cloudflare R2 bucket to store Zero Trust logs. It also shows how to connect the bucket to the Zero Trust Logpush service.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Logging ](https://developers.cloudflare.com/search/?tags=Logging) 

# Use Cloudflare R2 as a Zero Trust log destination

**Last reviewed:**  over 2 years ago 

Note

Only available on Zero Trust Enterprise plans.

This tutorial covers how to build a [Cloudflare R2 bucket](https://developers.cloudflare.com/r2/buckets/) to store logs, and how to connect the bucket to the Zero Trust [Logpush service](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) to store logs persistently and export them into other tools.

## Before you begin

* Ensure Cloudflare R2 and the Zero Trust Logpush integration are included in your plan. For more information, contact your account team.

## Create a Cloudflare R2 bucket

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to the **R2 Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/r2/overview)
2. Select **Create bucket**.
3. Enter an identifiable name for the bucket, then select **Create bucket**.

## Create an R2 API token

1. Return to **R2**, then select **Manage R2 API tokens**.
2. Select **Create API token**.
3. In **Permissions**, select **Object Read & Write**.
4. In **Specify bucket(s)**, choose _Apply to specific buckets only_. Select the bucket you created.
5. Configure other token settings to your preferences.
6. Select **Create API Token**.
7. Copy the **Access Key ID**, **Secret Access Key**, and endpoint URL values. You will not be able to access these values again.
8. Select **Finish**.

## Connect a Zero Trust Logpush job

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Insights** \> **Logs**. Select **Manage Logpush**.
2. Select **Connect a service**.
3. Choose which data sets and fields you want to send to your bucket. Select **Next**.
4. Select **S3 Compatible**.
5. In **S3 Compatible Bucket Path**, enter the name of your bucket.
6. In **Bucket region**, enter `auto`.
7. Enter the values for **Access Key ID**, **Secret Access Key**, and **Endpoint URL** in their corresponding fields.
8. Select **Push**. If prompted, you do not need to prove ownership with a token challenge.

The Logpush job will send the selected Zero Trust logs to your R2 bucket.


---

---
title: Implement regional private DNS servers with Gateway resolver policies
description: Configure Gateway resolver policies to route DNS queries to region-specific private DNS servers, enabling geo-steering for internal resources across multiple locations.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ DNS ](https://developers.cloudflare.com/search/?tags=DNS)[ Geolocation ](https://developers.cloudflare.com/search/?tags=Geolocation)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) 

# Implement regional private DNS servers with Gateway resolver policies

**Last reviewed:**  6 months ago 

Gateway resolver policies allow you to route DNS queries to custom DNS resolvers based on various criteria. This tutorial demonstrates how to configure region-specific private DNS servers to ensure your users are directed to the closest internal resources based on their geographic location.

This approach is particularly useful for organizations with internal networks spanning multiple locations where DNS routes and manages access to private network resources.

By the end of this tutorial, you will have configured Gateway resolver policies to automatically route DNS queries to region-specific private DNS servers based on user location, providing optimal performance and access to internal resources.

This tutorial uses US and EU region servers as example private DNS servers.

## Prerequisites

Before you begin, make sure you have:

* An Enterprise Zero Trust account
* Private DNS servers deployed in multiple regions (for example, US, EU, and APAC)
* A [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connecting your private DNS servers to Cloudflare
* Internal domains that need to be resolved (for example, `internal.example.com`)

## 1\. Connect private DNS servers with Cloudflare Tunnel

First, connect your regional private DNS servers to Cloudflare using Cloudflare Tunnel.

For each region where you have a private DNS server, [create a tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#1-create-a-tunnel). For each tunnel, [add the private IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2-add-private-network-routes) of your DNS servers. For example, `10.0.1.53/32` for the US region and `10.1.1.53/32` for the EU region.

Repeat this process for all regional DNS servers.

## 2\. Create Gateway resolver policies for each region

Once your private DNS servers are connected to Cloudflare, configure Gateway resolver policies to route DNS queries to the appropriate regional DNS server based on user location.

### Create resolver policies for each region

For each region where you have a private DNS server:

1. Go to **Traffic policies** \> **Resolver policies**.
2. Select **Add a policy**.
3. Name your policy based on the region (for example, `US Internal DNS`).
4. Create an expression to match internal domains and users in that region. For example, to match users in the United States:  
| Selector                      | Operator | Value                | Logic |  
| ----------------------------- | -------- | -------------------- | ----- |  
| Domain                        | in       | internal.example.com | And   |  
| Source Country IP Geolocation | in       | _United States_      |       |
5. In **Select DNS resolver**, select _Configure custom DNS resolvers_.
6. Enter the private IP address of your regional DNS server (for example, `10.0.1.53` for US or `10.1.1.53` for EU).
7. In the dropdown menu, choose _`<IP-address> - Private`_.
8. (Optional) Select **Add DNS resolver** and enter a secondary IP address to add a backup DNS resolver.
9. Select **Create policy**.
10. Repeat steps 1-9 for each region where you have a private DNS server. For example, to create a policy to match users in the EU region:

| Selector                      | Operator | Value                                                    | Logic |
| ----------------------------- | -------- | -------------------------------------------------------- | ----- |
| Domain                        | in       | internal.example.com                                     | And   |
| Source Country IP Geolocation | in       | _Austria_, _Belgium_, _France_, _Germany_, _Netherlands_ |       |

### Create a fallback resolver policy

Create a catch-all policy for users in regions without a dedicated DNS server, or if no policies match your traffic:

1. Go to **Traffic policies** \> **Resolver policies**.
2. Select **Add a policy**.
3. Name your policy (for example, `Internal DNS Fallback`).
4. Create an expression to match internal domains:  
| Selector | Operator | Value                |  
| -------- | -------- | -------------------- |  
| Domain   | in       | internal.example.com |
5. In **Select DNS resolver**, select _Configure custom DNS resolvers_.
6. Enter the private IP address of your primary DNS server.
7. Select **Create policy**.

## 3\. Configure policy order

Gateway will apply resolver policies based on [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). Ensure your policies are ordered from most specific to least specific:

1. Go to **Traffic policies** \> **Resolver policies**.
2. Use the drag handle to reorder policies:  
   * Resolver policies with regional coverage first  
   * Your fallback resolver policy last

Gateway will apply the first matching policy. If no policies match your traffic, Gateway will apply the fallback resolver policy. The order between resolver policies with regional coverage does not matter.

## 4\. Test your configuration

### Test from different regions

To test your configuration, deploy the Cloudflare One Client on a device in each region where you have a private DNS server and run a DNS query to an internal domain. For example, to test the US region:

1. [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) on a device in the US region.
2. From the device, open a terminal and run:  
Terminal window  
```  
nslookup internal.example.com  
```
3. Verify that the DNS query returns the expected IP address for your internal resource. The response should show the IP address that your US DNS server is configured to return for `internal.example.com`.
4. Repeat the test from devices in other regions to confirm they receive responses from their respective regional DNS servers. Each region may return different IP addresses based on your DNS server configuration.

### Verify in Gateway logs

1. Go to **Insights** \> **Logs** \> **DNS query logs**.
2. Filter for queries to `internal.example.com`.
3. Check the **Resolver IP** field to confirm queries are being routed to the correct regional DNS servers based on user location.

## Best practices

* **Use backup resolvers**: Configure secondary DNS resolvers for each region to ensure high availability.
* **Monitor DNS performance**: Use [Gateway Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/) to track DNS query performance and identify any issues with regional routing.
* **Implement network policies**: Combine resolver policies with [network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to control access to internal resources based on user identity and device posture.
* **Consider virtual networks**: If you have overlapping IP address spaces across regions, use [virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) to isolate traffic.
* **Test failover scenarios**: Regularly test what happens when a regional DNS server becomes unavailable to ensure your backup resolvers work as expected.

## Related resources

* [Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/)
* [Connect private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)
* [Gateway Analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/gateway/)
* [Virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/)


---

---
title: Protect access to Amazon S3 buckets with Cloudflare Zero Trust
description: This tutorial demonstrates how to secure access to Amazon S3 buckets with Cloudflare Zero Trust so that data in these buckets is not publicly exposed on the Internet.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ S3 ](https://developers.cloudflare.com/search/?tags=S3) 

# Protect access to Amazon S3 buckets with Cloudflare Zero Trust

**Last reviewed:**  over 2 years ago 

This tutorial demonstrates how to secure access to Amazon S3 buckets with Cloudflare Zero Trust so that data in these buckets is not publicly exposed on the Internet. You can combine Cloudflare Access and AWS VPC endpoints. Enterprise plans may also use Cloudflare Gateway egress policies with dedicated egress IPs.

## Method 1: Via Cloudflare Access and VPC endpoints

```mermaid
flowchart TB
    cf1[/Cloudflare One Client or clientless users/]--Access policy-->cf2{{Cloudflare}}
    cf2--Cloudflare Tunnel-->vpc1

    subgraph VPC
    vpc1[EC2 VM]-->vpc2[VPC endpoint]
    end
    vpc2-->s3_1

    subgraph S3 service
    s3_1([S3 bucket])
    end

    i1[/Users outside </br> Zero Trust/]-. "S3 access denied" .->s3_1
```

### Prerequisites

* S3 bucket to be protected by Cloudflare Zero Trust
* AWS VPC with one EC2 virtual machine (VM) hosting the [Cloudflare Tunnel daemon](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)
* S3 bucket and AWS VPC configured in the same [AWS region ↗](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html)

### 1\. Create a VPC endpoint in AWS

1. In the [AWS dashboard ↗](https://aws.amazon.com/console/), go to **Services** \> **Networking & Content Delivery** \> **VPC**.
2. Under **Virtual private cloud**, go to **Endpoints**.
3. Select **Create endpoint** and name the endpoint.
4. Choose _AWS services_ as the service category.
5. In **Services**, search for and select the S3 service in the same region as the VPC. For example, for the AWS region **Europe (London) - eu-west-2**, the corresponding S3 service is named `com.amazonaws.eu-west-2.s3` with a type of Gateway.
6. In **VPC**, select your VPC that contains the EC2 VM hosting the Cloudflare tunnel daemon.
7. In **Route tables**, select the route table associated with the VPC.
8. In **Policy**, choose _Full access_.
9. Select **Create endpoint**.

After you create the VPC endpoint, a new entry appears in the VPC route table with your VPC endpoint as the target. The entry will have the format `vpce-xxxxxxxxxxxxxxxxx`.

### 2\. Set up a bucket policy for VPC access

1. Go to **Services** \> **Storage** \> **S3**.
2. In Amazon S3, go to **Buckets** \> **<your-S3-bucket>** \> **Permissions**.
3. Disable **Block all public access**.
4. In **Bucket policy**, add the following policy:

```json
{
  "Version": "2012-10-17",
  "Id": "VPCe",
  "Statement": [
    {
      "Sid": "VPCe",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<your-S3-bucket01>",
        "arn:aws:s3:::<your-S3-bucket01>/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "<your-vpc-endpoint>"
        }
      }
    }
  ]
}
```

This bucket policy only allows requests that reach S3 through your VPC endpoint to access the bucket; requests from any other source are denied.

### 3\. Enable static website hosting for the S3 bucket

1. Return to Amazon S3, then go to **Buckets** \> **<your-S3-bucket01>** \> **Properties**.
2. In **Static website hosting**, select **Edit**.
3. Enable **Static website hosting**.
4. Specify the Index and Error documents for the S3 bucket.
5. Select **Save changes**.

A bucket website endpoint will be available at `http://<your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com`. Because of the bucket policy, this website endpoint will only be accessible from the VPC with the VPC endpoint configured.

### 4\. Add a published application to the Cloudflare Tunnel

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select your Tunnel, then select **Configure**.
3. Go to **Published applications**, then select **Add a public hostname**.
4. Enter a subdomain your organization will use to access the S3 bucket. For example, `s3-bucket.<your-domain>.com`.
5. Under **Service**, choose _HTTP_ for **Type**. In **URL**, enter `<your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com`.
6. In **Additional application settings** \> **HTTP Settings**, input the **HTTP Host Header** as `<your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com`.
7. Select **Save hostname**.

Your Cloudflare Tunnel will terminate at the AWS VPC using your public hostname.

### 5\. Restrict S3 access with an Access policy

1. Go to **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname** and enter the public hostname used by your Tunnel. For example, `s3-bucket.<your-domain>.com`.
5. Add [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to determine which users and applications may access your bucket. You can optionally create a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) policy to automatically authenticate access to your S3 bucket.
6. Follow the remaining [self-hosted application creation steps](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application.

Users and applications that successfully authenticate via Cloudflare Access can access your S3 bucket at `https://s3-bucket.<your-domain>.com`.

## Method 2: Via Cloudflare Gateway egress policies

Note

This method is only available on Enterprise plans.

```mermaid
flowchart TB
    cf1[/Cloudflare One Client users/]--Egress policy-->cf2{{Cloudflare}}
    cf2--Egress with dedicated IP-->i1[Internet]
    i1-->s3_1

    subgraph S3 Service
    s3_1([S3 bucket])
    end

    i2[/Users outside </br> Zero Trust/]-. "IPs denied" .->s3_1
```

### Prerequisites

* Cloudflare Zero Trust account with [dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/)
* S3 bucket to be protected by Cloudflare Zero Trust

### 1\. Set up a bucket policy to restrict access to a specific IP address

1. In the [AWS dashboard ↗](https://aws.amazon.com/console/), go to **Services** \> **Storage** \> **S3**.
2. Go to **Buckets** \> **<your-S3-bucket02>** \> **Permissions**.
3. Disable **Block all public access**.
4. In **Bucket policy**, add the following policy:

```json
{
  "Version": "2012-10-17",
  "Id": "SourceIP",
  "Statement": [
    {
      "Sid": "SourceIP",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<your-S3-bucket02>",
        "arn:aws:s3:::<your-S3-bucket02>/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "<your-dedicated-ip>/32"
        }
      }
    }
  ]
}
```

### 2\. Enable static website hosting for the S3 bucket

1. Return to your bucket, then go to **Properties**.
2. In **Static website hosting**, select **Edit**.
3. Enable **Static website hosting**.
4. Specify the Index and Error documents for the S3 bucket.
5. Select **Save changes**.

A bucket website endpoint will be available at `http://<your-S3-bucket02>.s3-website.<aws-region>.amazonaws.com`. Because of the bucket policy, the website endpoint will only be accessible to traffic sourced from the dedicated egress IP specified.

### 3\. Set up a dedicated egress IP policy

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Egress policies**. Select **Add a policy**.
2. Create a policy that specifies which proxied traffic Gateway should assign a [dedicated egress IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) to. For more information, refer to [Egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/).
3. In **Select an egress IP**, choose _Use dedicated Cloudflare egress IPs_. Select the dedicated egress IP defined in your bucket policy.
4. Select **Create policy**.

Traffic proxied by Gateway and assigned your specified egress IP can access your S3 bucket at `http://<your-S3-bucket02>.s3-website.<aws-region>.amazonaws.com`.
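Both methods grant `"Principal": "*"` and rely on a single `Condition` to keep the bucket private once **Block all public access** is disabled. A policy that loses that condition (a copy-paste slip, a later edit), or whose `aws:SourceIp` range is wider than one dedicated egress IP, makes the bucket publicly readable. The following Python script is an added example, not part of this tutorial or an AWS tool, that checks a bucket policy document for exactly those two failure modes before you apply it. The four policies it audits are constructed copies of the two shown above: `vpce-0123456789abcdef0` is a placeholder endpoint ID and `203.0.113.10` stands in for a dedicated egress IP.

```python
"""Audit an S3 bucket policy before disabling "Block all public access".

Added example, not part of the Cloudflare tutorial. Flags Allow statements
with a wildcard principal that are not pinned to a VPC endpoint
(aws:SourceVpce) or to a single source IP (aws:SourceIp with a /32).
"""
import ipaddress
import json

WILDCARD_PRINCIPALS = ("*", {"AWS": "*"})


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_statement(stmt):
    """Return a list of findings for one policy statement (empty if it is safe)."""
    findings = []
    if stmt.get("Effect") != "Allow" or stmt.get("Principal") not in WILDCARD_PRINCIPALS:
        return findings  # Deny statements and named principals are out of scope here
    sid = stmt.get("Sid", "<no Sid>")
    pinned = False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, value in keys.items():
            if key == "aws:SourceVpce" and operator == "StringEquals":
                pinned = True  # Method 1: only requests arriving via the VPC endpoint
            elif key == "aws:SourceIp" and operator == "IpAddress":
                pinned = True  # Method 2: only requests from the dedicated egress IP
                for cidr in _as_list(value):
                    if ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
                        findings.append(f"{sid}: aws:SourceIp {cidr} is wider than one dedicated egress IP")
    if not pinned:
        findings.append(f"{sid}: wildcard principal without aws:SourceVpce/aws:SourceIp condition; bucket would be public")
    return findings


def audit_policy(policy_text):
    """Parse a bucket policy document and return every finding across its statements."""
    policy = json.loads(policy_text)
    return [f for stmt in _as_list(policy["Statement"]) for f in audit_statement(stmt)]


def _policy(sid, condition):
    """Build a constructed policy shaped like the tutorial's, with the given Condition."""
    statement = {"Sid": sid, "Effect": "Allow", "Principal": "*", "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
    if condition is not None:
        statement["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Id": sid, "Statement": [statement]})


# Constructed sample policies. vpce-0123456789abcdef0 is a placeholder endpoint ID;
# 203.0.113.x (documentation range) stands in for a dedicated egress IP.
VPC_ENDPOINT_POLICY = _policy("VPCe", {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}})
SOURCE_IP_POLICY = _policy("SourceIP", {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}})
MISSING_CONDITION_POLICY = _policy("Oops", None)  # what a dropped Condition block produces
WIDE_RANGE_POLICY = _policy("Wide", {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})

if __name__ == "__main__":
    for name, doc in [("vpce", VPC_ENDPOINT_POLICY), ("source-ip", SOURCE_IP_POLICY),
                      ("missing-condition", MISSING_CONDITION_POLICY), ("wide-range", WIDE_RANGE_POLICY)]:
        print(name, audit_policy(doc) or "ok")
```

Run it against the real policy text (for example `audit_policy(open("bucket-policy.json").read())`) as a step in whatever process applies the policy; an empty result is the only outcome that should be followed by disabling **Block all public access**.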


---

---
title: Use Cloudflare Tunnels with Kubernetes client-go credential plugins
description: This tutorial explains how to use Cloudflare Tunnels with Kubernetes client-go credential plugins for authentication. By following these steps, you can securely access your Kubernetes cluster through a Cloudflare Tunnel.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Kubernetes ](https://developers.cloudflare.com/search/?tags=Kubernetes) 

# Use Cloudflare Tunnels with Kubernetes client-go credential plugins

**Last reviewed:**  over 1 year ago 

This tutorial explains how to use Cloudflare Tunnels with Kubernetes client-go credential plugins for authentication. By following these steps, you can securely access your Kubernetes cluster through a Cloudflare Tunnel using the `kubectl` command-line tool.

## Prerequisites

* A Cloudflare account
* The Cloudflare Tunnel client (`cloudflared`) installed on your machine
* Access to a Kubernetes cluster
* `kubectl` installed on your machine

## 1\. Set up a Cloudflare Tunnel

1. Authenticate `cloudflared` with your Cloudflare account:  
Terminal window  
```  
cloudflared tunnel login  
```
2. Create a new tunnel:  
Terminal window  
```  
cloudflared tunnel create k8s-tunnel  
```
3. Configure your tunnel by creating a configuration file named `config.yml`:  
YAML  
```  
tunnel: <TUNNEL_ID>  
credentials-file: /path/to/credentials.json  
ingress:  
  - hostname: k8s.example.com  
    service: tcp://kubernetes.default.svc.cluster.local:443  
  - service: http_status:404  
```  
Replace `<TUNNEL_ID>` with your tunnel ID and adjust the hostname as needed.
4. Start the tunnel:  
Terminal window  
```  
cloudflared tunnel run k8s-tunnel  
```

## 2\. Configure the Kubernetes API server

Ensure your Kubernetes API server is configured to accept authentication from Cloudflare Tunnels. This may involve setting up an authentication webhook or configuring the API server to trust the Cloudflare Tunnel's client certificates.

## 3\. Set up client-go credential plugin

1. Create a script named `cloudflare-k8s-auth.sh` with the following content:  
```  
#!/bin/bash  
echo '{  
  "apiVersion": "client.authentication.k8s.io/v1beta1",  
  "kind": "ExecCredential",  
  "status": {  
    "token": "'"$(cloudflared access token -app=https://k8s.example.com)"'"  
  }  
}'  
```  
Make the script executable:  
Terminal window  
```  
chmod +x cloudflare-k8s-auth.sh  
```
2. Update your `~/.kube/config` file to use the credential plugin:  
YAML  
```  
apiVersion: v1  
kind: Config  
clusters:  
  - cluster:  
      server: https://k8s.example.com  
    name: cloudflare-k8s  
users:  
  - name: cloudflare-user  
    user:  
      exec:  
        apiVersion: client.authentication.k8s.io/v1beta1  
        command: /path/to/cloudflare-k8s-auth.sh  
        interactiveMode: Never  
contexts:  
  - context:  
      cluster: cloudflare-k8s  
      user: cloudflare-user  
    name: cloudflare-k8s-context  
current-context: cloudflare-k8s-context  
```
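A credential plugin can be any executable, so here is a Python version of the script from step 1, added as an example and not part of this tutorial. Compared with the shell script it builds the `ExecCredential` with `json.dumps` instead of splicing the token into a string (a token containing a quote would otherwise produce invalid JSON), and it reports `expirationTimestamp` from the `exp` claim of the Access JWT, so kubectl caches the token until then rather than spawning `cloudflared` for every command. To use it, point `command:` in the kubeconfig above at this file instead of the shell script. The `make_sample_token` helper exists only to exercise the code offline; the plugin deliberately does not verify the signature, since that is the API server's job.

```python
#!/usr/bin/env python3
"""client-go credential plugin that wraps `cloudflared access token`.

Added example, not part of the Cloudflare tutorial. Prints an ExecCredential
for kubectl, with expirationTimestamp taken from the Access JWT so the
token is cached instead of re-fetched on every request.
"""
import base64
import json
import subprocess
import sys
from datetime import datetime, timezone

ACCESS_APP_URL = "https://k8s.example.com"  # hostname used in the tutorial
API_VERSION = "client.authentication.k8s.io/v1beta1"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token):
    """Return the RFC 3339 expiry of a JWT, or None if it has no usable `exp`.

    The signature is not verified here; the API server does that. We only
    read `exp` to tell kubectl how long the credential may be cached.
    """
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int):
        return None
    return datetime.fromtimestamp(exp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_exec_credential(token):
    """Build the ExecCredential object kubectl expects on stdout."""
    status = {"token": token}
    expiry = jwt_expiry(token)
    if expiry:
        status["expirationTimestamp"] = expiry
    return {"apiVersion": API_VERSION, "kind": "ExecCredential", "status": status}


def fetch_token(app_url=ACCESS_APP_URL):
    """Ask cloudflared for the current Access token (same command as the shell script)."""
    result = subprocess.run(
        ["cloudflared", "access", "token", f"-app={app_url}"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(exp):
    """Constructed, unsigned JWT-shaped token for offline testing only."""
    return f"{_b64url_encode({'alg': 'none'})}.{_b64url_encode({'sub': 'user@example.com', 'exp': exp})}."


if __name__ == "__main__":
    try:
        credential = build_exec_credential(fetch_token())
    except subprocess.CalledProcessError as err:
        # Diagnostics go to stderr; kubectl parses only stdout as JSON.
        sys.stderr.write(err.stderr or "cloudflared access token failed\n")
        sys.exit(1)
    json.dump(credential, sys.stdout)
```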

## 4\. Use kubectl with Cloudflare Tunnel

Now you can use `kubectl` commands as usual. The client-go credential plugin will automatically handle authentication through the Cloudflare Tunnel:

Terminal window

```
kubectl get pods
```

## Troubleshooting

If you encounter issues:

* Ensure `cloudflared` is running and the tunnel is active
* Check that your `~/.kube/config` file is correctly configured
* Verify that the Kubernetes API server is properly set up to accept authentication from Cloudflare Tunnels
* Review the Cloudflare Tunnel logs for any error messages

For more information, refer to the [Cloudflare Tunnels documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) and the [Kubernetes client-go credential plugins documentation ↗](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).


---

---
title: Use virtual networks to change user egress IPs
description: This tutorial gives administrators an easy way to allow their users to change their egress IP address between any of your assigned dedicated egress IP addresses.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ IPv4 ](https://developers.cloudflare.com/search/?tags=IPv4)[ IPv6 ](https://developers.cloudflare.com/search/?tags=IPv6)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) 

# Use virtual networks to change user egress IPs

**Last reviewed:**  about 2 years ago 

Note

Only available on Enterprise plans.

This tutorial gives administrators an easy way to allow their users to change their egress IP address between any of your assigned dedicated egress IP addresses. Your users can choose which egress IP to use by switching virtual networks directly in the Cloudflare One Client.

Changing egress IPs can be useful in quality assurance (QA) and similar scenarios in which users need to egress from their local location and also switch to, or simulate, other remote locations.

## Before you begin

Make sure you have:

* [Deployed the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your users' devices.
* [Configured tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) to connect your private network to Cloudflare. This tutorial assumes you have:  
   * Created two tunnels [through the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).  
   * Routed `10.0.0.0/8` through one tunnel.  
   * Routed `192.168.88.0/24` through the other tunnel.
* Received multiple [dedicated egress IP addresses](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/).

## Create a virtual network for each egress route

First, create [virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) corresponding to your dedicated egress IPs.

Dashboard

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Routes**.
2. In **Virtual networks**, select **Create virtual network**.
3. Name your virtual network. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`.
4. Select **Save**.
5. Repeat Steps 2-4 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called `vnet-EMEA` for egress from Europe, the Middle East, and Africa.

API

1. Create a [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) corresponding to one of your dedicated egress IPs. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Cloudflare One Networks Write`  
   * `Cloudflare Tunnel Write`  
Create a virtual network  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "comment": "Virtual network to egress from the Americas",  
    "is_default": false,  
    "name": "vnet-AMER"  
  }'  
```  
For more information, refer to [Create a virtual network](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/virtual%5Fnetworks/methods/create/).
2. Repeat Step 1 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called `vnet-EMEA` for egress from Europe, the Middle East, and Africa.

## Assign each virtual network to each tunnel

After creating your virtual networks, route your private network CIDRs over each virtual network. This ensures that users can reach all services on your network regardless of which egress IP they use.

Dashboard

1. Go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select your tunnel routing `10.0.0.0/8`, then select **Configure**.
3. Go to **Private Networks**. Select the `10.0.0.0/8` route.
4. In **Additional settings**, choose your first virtual network. For example, `vnet-AMER`.
5. Select **Save private network**.
6. To route `10.0.0.0/8` over another virtual network, select **Add a private network**.
7. In **CIDR**, enter `10.0.0.0/8`. In **Additional settings**, choose your second virtual network. For example, `vnet-EMEA`.
8. Select **Save private network**.
9. Repeat Steps 6-8 for each virtual network you created.
10. Return to **Networks** \> **Tunnels**. Repeat Steps 2-9 for each private network tunnel route.

API

1. Assign your first virtual network to your private network route. For example, assign `vnet-AMER` to your tunnel that routes `10.0.0.0/8`:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Cloudflare One Networks Write`  
   * `Cloudflare Tunnel Write`  
Update a tunnel route  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \  
  --request PATCH \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "network": "10.0.0.0/8",  
    "tunnel_id": "<TUNNEL_UUID>",  
    "virtual_network_id": "<VNET_AMER_UUID>"  
  }'  
```  
For more information, refer to [Update a tunnel route](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/edit/).
2. Repeat this process for each virtual network you created. For example:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Cloudflare One Networks Write`  
   * `Cloudflare Tunnel Write`  
Update a tunnel route  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \  
  --request PATCH \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "network": "10.0.0.0/8",  
    "tunnel_id": "<TUNNEL_UUID>",  
    "virtual_network_id": "<VNET_EMEA_UUID>"  
  }'  
```
3. Repeat Steps 1-2 for each private network tunnel route.

Each tunnel connected to your private network should have each of your virtual networks assigned to it. For example, if you have tunnels routing `10.0.0.0/8` and `192.168.88.0/24`, both tunnels should have the `vnet-AMER` and `vnet-EMEA` virtual networks assigned.

| Tunnel       | CIDR            | Virtual network |
| ------------ | --------------- | --------------- |
| **Tunnel 1** | 10.0.0.0/8      | vnet-AMER       |
| **Tunnel 1** | 10.0.0.0/8      | vnet-EMEA       |
| **Tunnel 2** | 192.168.88.0/24 | vnet-AMER       |
| **Tunnel 2** | 192.168.88.0/24 | vnet-EMEA       |

## Create virtual network egress policies

Next, assign your dedicated egress IPs to each virtual network using Gateway egress policies.

Dashboard

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Egress policies**.
2. Select **Add a policy**.
3. Name your policy. We recommend including the country or region traffic will egress from.
4. Add the virtual network with the _Virtual Network_ selector. For example:  
| Selector        | Operator | Value       |  
| --------------- | -------- | ----------- |  
| Virtual Network | is       | _vnet-AMER_ |
5. In **Select an egress IP**, choose **Use dedicated Cloudflare egress IPs**. Choose the dedicated IPv4 and IPv6 addresses you want traffic to egress with.
6. Select **Create policy**.
7. Repeat Steps 1-6 to create a separate egress policy for each virtual network you created.

API

1. Add a Gateway egress policy that matches the corresponding virtual network. For example:  
Create a Zero Trust Gateway rule  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "action": "egress",  
    "description": "Egress via North America by connecting to vnet-AMER",  
    "enabled": true,  
    "filters": [  
        "egress"  
    ],  
    "name": "Egress AMER vnet",  
    "precedence": 0,  
    "traffic": "net.vnet_id == <VNET_AMER_UUID>",  
    "rule_settings": {  
        "egress": {  
            "ipv4": "<DEDICATED_IPV4_ADDRESS>",  
            "ipv4_fallback": "<SECONDARY_DEDICATED_IPV4_ADDRESS>",  
            "ipv6": "<DEDICATED_IPV6_ADDRESS>"  
        }  
    }  
  }'  
```  
For more information, refer to [Create a Zero Trust Gateway rule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/).
2. Repeat Step 1 to create an egress policy for each virtual network you created.

Each policy you create should correspond to a different primary dedicated egress IP.
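The dashboard and API steps in the last two sections repeat the same calls once per virtual network and once per tunnel route, which is where a manual rollout tends to miss a cell of the matrix in the table above. The following Python script is an added example, not the tutorial's own code, that plans the whole matrix: one virtual network per dedicated egress IP, every private network CIDR published over every virtual network, and one egress policy per virtual network, using the same endpoints and request bodies as the curl commands above. Assumptions: the region list, tunnel and route UUIDs, and IP addresses are constructed placeholders; the UUID in the `net.vnet_id` expression is double-quoted, which is how Gateway expressions compare string values (the tutorial shows the placeholder bare); and because a tunnel route belongs to exactly one virtual network, each additional virtual network for the same CIDR gets its own route via the Create a tunnel route endpoint (`POST /teamnet/routes`), which the tutorial does not show, while the first assignment patches the existing route as above.

```python
"""Plan and apply the virtual-network / egress-IP matrix for user-selectable egress.

Added example, not part of the Cloudflare tutorial. plan_routes_and_policies()
is pure and can be inspected before anything is sent; configure() performs the
API calls with urllib.
"""
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Constructed sample input: one entry per dedicated egress IP (documentation-range addresses).
REGIONS = {
    "AMER": {"comment": "Virtual network to egress from the Americas",
             "ipv4": "203.0.113.10", "ipv4_fallback": "203.0.113.11", "ipv6": "2001:db8:10::1"},
    "EMEA": {"comment": "Virtual network to egress from Europe, the Middle East, and Africa",
             "ipv4": "203.0.113.20", "ipv4_fallback": "203.0.113.21", "ipv6": "2001:db8:20::1"},
}

# Constructed sample input: the tutorial's two private network routes. UUIDs are placeholders.
ROUTES = [
    {"route_id": "<ROUTE_10_UUID>", "tunnel_id": "<TUNNEL_1_UUID>", "network": "10.0.0.0/8"},
    {"route_id": "<ROUTE_192_UUID>", "tunnel_id": "<TUNNEL_2_UUID>", "network": "192.168.88.0/24"},
]


def vnet_payload(region, spec):
    """Body for POST /teamnet/virtual_networks, as in the tutorial."""
    return {"comment": spec["comment"], "is_default": False, "name": f"vnet-{region}"}


def route_payload(route, vnet_id):
    """Body for PATCH /teamnet/routes/{id} and POST /teamnet/routes."""
    return {"network": route["network"], "tunnel_id": route["tunnel_id"], "virtual_network_id": vnet_id}


def egress_rule_payload(region, spec, vnet_id, precedence):
    """Body for POST /gateway/rules, mirroring the tutorial's egress policy."""
    return {
        "action": "egress",
        "description": f"Egress via {region} by connecting to vnet-{region}",
        "enabled": True,
        "filters": ["egress"],
        "name": f"Egress {region} vnet",
        "precedence": precedence,
        # Assumption: string values in Gateway expressions are double-quoted.
        "traffic": f'net.vnet_id == "{vnet_id}"',
        "rule_settings": {"egress": {"ipv4": spec["ipv4"],
                                     "ipv4_fallback": spec["ipv4_fallback"],
                                     "ipv6": spec["ipv6"]}},
    }


def plan_routes_and_policies(regions, routes, vnet_ids):
    """Return (method, path, body) calls to run once the virtual networks exist.

    The first virtual network is assigned by patching the existing route; every
    further virtual network gets a new route for the same CIDR (assumption:
    Create a tunnel route endpoint), because a route has exactly one vnet.
    """
    calls = []
    for route in routes:
        for i, region in enumerate(regions):
            body = route_payload(route, vnet_ids[region])
            if i == 0:
                calls.append(("PATCH", f"/teamnet/routes/{route['route_id']}", body))
            else:
                calls.append(("POST", "/teamnet/routes", body))
    for precedence, region in enumerate(regions):
        calls.append(("POST", "/gateway/rules",
                      egress_rule_payload(region, regions[region], vnet_ids[region], precedence)))
    return calls


def call_api(method, path, body, account_id, token):
    """Send one authenticated JSON request and return the API's `result`."""
    req = urllib.request.Request(
        f"{API}/accounts/{account_id}{path}", data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]


def configure(account_id, token, regions=REGIONS, routes=ROUTES):
    """Create the virtual networks, then apply the planned routes and egress policies."""
    vnet_ids = {region: call_api("POST", "/teamnet/virtual_networks",
                                 vnet_payload(region, spec), account_id, token)["id"]
                for region, spec in regions.items()}
    for method, path, body in plan_routes_and_policies(regions, routes, vnet_ids):
        call_api(method, path, body, account_id, token)
    return vnet_ids
```

Review the output of `plan_routes_and_policies` before calling `configure`: for two regions and two routes it should list exactly four route calls (one per cell of the table above) followed by two egress policies, each with a distinct primary dedicated IP.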

## Test virtual network egress

Windows, macOS, and Linux

1. On your user's device, log in to your Zero Trust organization in the Cloudflare One Client.
2. In a terminal, run the following command to check the default egress IP address.  
Terminal window  
```  
curl ifconfig.me -4  
```  
The command should output your organization's default egress IP.
3. In the client GUI, use the **VNET** dropdown to switch to a virtual network you created.  
Version 2026.1 and earlier  
In the Cloudflare One Client, select the gear icon > **Virtual Networks**.
4. Check the egress IP address by running `curl ifconfig.me -4` again. The command should output the IP address specified in your egress policy.

iOS and Android

1. On your user's device, log in to your Zero Trust organization in the Cloudflare One Agent app.
2. In a browser, go to [ifconfig.me ↗](https://ifconfig.me/). Your organization's default egress IP should appear in **IP Address**.
3. In Cloudflare One Agent, go to **Advanced** \> **Connection options** \> **Virtual networks**. Choose a virtual network you created.
4. Check the egress IP address by reloading the browser page from Step 1\. The IP address specified in your egress policy should appear in **IP Address**.

While your users are connected to a virtual network, their traffic will route via the dedicated egress IP specified. You can repeat these steps to test that each virtual network is egressing from the correct IP.


---

---
title: Changelog
description: Review recent changes to Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Changelog


## 2026-05-06

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Cloudy Summaries in PhishNet O365**   

PhishNet users can now access **Cloudy summaries** directly within the email investigation experience. When reviewing a message in PhishNet, users will see an AI-generated summary that provides additional context and key details about the email.

These summaries help users quickly understand the nature of a message without needing to manually parse through headers, body content, and detection signals. Cloudy surfaces the most relevant information so users can make faster, more informed decisions about suspicious emails.

**These summaries are not trained on customer data.** They are generated using the outputs of our existing detection models and analysis systems.

This feature is available for PhishNet with Office 365\. Support for Gmail will be available by the end of the quarter.

## 2026-05-06

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**IPv6 CIDR routes for Cloudflare Mesh**   

[Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) nodes now support IPv6 CIDR routes. You can advertise both IPv4 and IPv6 subnets through your Mesh nodes, making IPv6-only or dual-stack private networks reachable from any enrolled device.

![IPv6 CIDR routes on a Mesh node in the Cloudflare dashboard](https://developers.cloudflare.com/_astro/mesh-ipv6-routes.CC-jlZkw_Z16Puzf.webp) 

To add an IPv6 route, follow the same steps as [adding an IPv4 route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/#add-a-route) — enter the IPv6 CIDR (for example, `fd00::/64`) when configuring the route in the [dashboard ↗](https://dash.cloudflare.com/?to=/:account/mesh) or via the API.

## 2026-04-30

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Post-quantum IPsec interoperability with third-party devices**   

Cloudflare IPsec now supports post-quantum key agreement with compatible third-party devices. [Cisco ↗](https://www.cisco.com/) and [Fortinet ↗](https://www.fortinet.com/) are the first third-party vendors validated to interoperate with Cloudflare IPsec using ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

Post-quantum IPsec uses [RFC 9370 ↗](https://datatracker.ietf.org/doc/rfc9370/) and [draft-ietf-ipsecme-ikev2-mlkem ↗](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/) to negotiate hybrid key agreement during the IKEv2 `IKE_INTERMEDIATE` phase. This combines classical Diffie-Hellman (Group 20) with ML-KEM-768 or ML-KEM-1024 to protect against [harvest-now, decrypt-later ↗](https://en.wikipedia.org/wiki/Harvest%5Fnow,%5Fdecrypt%5Flater) attacks.

Key details:

* Compatible with Cisco 8000 Series Secure Routers with IOS XR Release 26.1.1 and Fortinet FortiOS 7.6.6 and later.
* Uses ML-KEM-768 or ML-KEM-1024 as an additional Key Exchange to DH Group 20.
* Follows RFC 9370 and draft-ietf-ipsecme-ikev2-mlkem standards.
* No additional licensing required.

Post-quantum IPsec with third-party devices is now generally available with confirmed interoperability for the platforms listed above. Cloudflare intends to support interoperability with more vendors as they build out support for draft-ietf-ipsecme-ikev2-mlkem. Contact your account team to discuss support for additional vendors.

For supported key exchange methods and the list of validated platforms, refer to [GRE and IPsec tunnels](https://developers.cloudflare.com/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability).

## 2026-04-30

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Classify sensitive content with Data Classification**   

Cloudflare DLP now includes **Data Classification**, which lets administrators organize and label sensitive content using labels, templates, and reusable data classes.

With Data Classification, administrators can define labels such as sensitivity schemas and levels, and data tag groups and tags. Administrators can also build from Cloudflare-managed templates and create reusable data classes that combine detection entries, other data classes, sensitivity levels, and data tags.

You can then use those classifications in custom DLP profiles to identify the severity of sensitive content, understand where it exists, and apply that logic consistently across DLP profiles.

For more information, refer to [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/).

## 2026-04-30

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**New predefined detection entries are available**   

Cloudflare DLP now includes new predefined detection entries.

The expanded catalog includes detections for specific credential types, webhooks, addresses, tax identifiers, national IDs, financial data, and crypto wallets.

Examples include `GitHub PAT`, `OpenAI API Key`, `Slack Webhook`, `Discord Webhook`, `US Physical Address`, and `Bitcoin Wallet`.

For the full list, refer to [Predefined detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/).

## 2026-04-29

[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) 

  
**Digital experience tests to authenticated resources and enhanced configuration**   

[Digital experience tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) now support testing applications protected by Cloudflare Access or third-party authentication. All authentication secrets are managed via [Cloudflare Secret Store](https://developers.cloudflare.com/secrets-store/).

Digital experience tests also have enhanced configuration options including:

* New HTTP methods (DELETE, PATCH, POST, PUT)
* Secret Store headers, custom plain text headers, and custom request bodies
* Advanced settings: follow redirects, response bodies, response headers, and allow untrusted certificates
![Digital experience test configuration for Cloudflare Access applications](https://developers.cloudflare.com/_astro/dex_test_auth_config.CD3G3zb__o7m7g.webp)![Digital experience enhanced test configuration](https://developers.cloudflare.com/_astro/dex_test_enhanced_config.Nsv7Vcob_ppxh5.webp) 

## 2026-04-29

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Gateway Authorization Proxy and hosted PAC files are now generally available**   

The [Gateway Authorization Proxy](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and [hosted PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) are now generally available for all plan types.

Authorization proxy endpoints add an identity-aware option alongside the existing [source IP proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint), using [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) authentication to verify who a user is before applying Gateway filtering — without installing the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). Cloudflare-hosted PAC files let you create and distribute PAC files directly from Cloudflare One on Cloudflare's global network.

These features are ideal for environments where deploying a device client is not an option, such as virtual desktops (VDI) or compliance-restricted endpoints.

To get started, refer to the [proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/).
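The following PAC file is an added example, not one of Cloudflare's hosted PAC files, showing the shape of a PAC that sends browser traffic to a Gateway proxy endpoint. The endpoint hostname is a placeholder you would replace with the one shown for your endpoint in the dashboard. It keeps only loopback, RFC 1918 and single-label intranet names off the proxy, and it deliberately omits the common `; DIRECT` fallback so that an unreachable proxy fails closed instead of silently leaving the browser unfiltered:

```javascript
// Added example PAC file (not Cloudflare's hosted PAC). The proxy endpoint
// below is a placeholder; use the hostname shown in Zero Trust for your endpoint.
var GATEWAY_PROXY = "PROXY example-endpoint.proxy.cloudflare-gateway.com:3128";

// Destinations that stay on the local network: RFC 1918 ranges and loopback.
// Every entry here is traffic that Gateway will never see, so keep it short.
var LOCAL_RANGES = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
];

// Convert a dotted-quad IPv4 literal to an unsigned 32-bit integer, or null
// when the string is not a well-formed IPv4 address.
function ipv4ToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when `ip` lies inside `network/prefixLen`.
function inRange(ip, network, prefixLen) {
  var a = ipv4ToInt(ip);
  var b = ipv4ToInt(network);
  if (a === null || b === null) return false;
  var mask = prefixLen === 0 ? 0 : (0xffffffff << (32 - prefixLen)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Single-label names (intranet hosts), localhost and private IPv4 literals
// are treated as local; everything else goes through the Gateway proxy.
function isLocalDestination(host) {
  if (host === "localhost" || host.indexOf(".") === -1) return true;
  if (ipv4ToInt(host) === null) return false;
  for (var i = 0; i < LOCAL_RANGES.length; i++) {
    if (inRange(host, LOCAL_RANGES[i][0], LOCAL_RANGES[i][1])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();
  if (isLocalDestination(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // rather than bypassing Gateway filtering.
  return GATEWAY_PROXY;
}
```

The helper functions are defined inside the file because PAC evaluators provide only a small set of built-ins (`isInNet`, `dnsDomainIs` and so on) and some of them trigger DNS lookups; doing the range check locally keeps evaluation fast and lets the file be unit-tested in Node.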

## 2026-04-28

[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) 

  
**Internet outage notifications for devices**   

[Digital Experience](https://developers.cloudflare.com/cloudflare-one/insights/dex/) will display a dashboard notification when an Internet outage or traffic anomaly may impact a [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) device based on its geographic location or network connection.

This Internet outage and traffic anomaly data is pulled from [Cloudflare Radar ↗](https://radar.cloudflare.com/). All Internet outage and traffic anomaly observations can be viewed in the [Radar Outage Center ↗](https://radar.cloudflare.com/outage-center).

![Digital Experience Monitoring dashboard notification for Internet outage impacting Cloudflare One Client devices](https://developers.cloudflare.com/_astro/dex_radar_ux_notification.CpdrUVYA_ZSzgIe.webp)![Digital Experience Monitoring dashboard analytics for Internet outage impacting Cloudflare One Client devices](https://developers.cloudflare.com/_astro/dex_radar_analytics.GaPxWM6C_2jLyzS.webp) 

## 2026-04-28

[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) 

  
**Cloudflare One Client speed tests**   

IT teams can now remotely run speed tests from the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) to Cloudflare's network edge.

Each speed test includes the following metrics:

* Internet speed: download and upload throughput
* Latency: download, upload, unloaded latency, and jitter
* Network quality score: video streaming, webchat/real-time communication (RTC)

In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Digital experience** \> **Diagnostics** and select **Run diagnostics** to use the feature today.

![Cloudflare One client speed test result](https://developers.cloudflare.com/_astro/dex_speed_test.DukupcRs_gXUVw.webp) 

## 2026-04-28

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Create and manage DLP detection entries outside of profiles**   

You can now create, view, and manage DLP detection entries outside of profiles.

Detection entries are no longer hidden inside individual profiles. Administrators can manage detection entries directly from the **Detection entries** section and use them in custom DLP profiles.

For more information, refer to [Configure detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/).

## 2026-04-28

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Detect PII records with a new predefined DLP profile**   

Cloudflare DLP now includes a new predefined profile designed to detect PII records that contain multiple types of personal data: **Personally Identifiable Information (PII) Record**.

Most predefined and custom DLP profiles match when any enabled detection entry matches. The **Personally Identifiable Information (PII) Record** profile is different. It only matches when at least three unique detection entries are found in close proximity, which reduces false positives from standalone values that may not represent a real PII record.

Detection entries included in the profile:

* AU Passport Number
* American Express Card Number
* Diners Club Card Number
* US Driver's License Number
* Email Address
* Full Name
* US Mailing Address
* Mastercard Card Number
* US Individual Tax Identification Number (ITIN)
* US Passport Number
* US Phone Number
* Union Pay Card Number
* United States SSN Numeric Detection
* Visa Card Number

For more information, refer to [predefined DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/).
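To make the proximity rule concrete, here is an added example (not Cloudflare's detector) of a record-style match: individual entries are found with regexes, neighbouring matches are grouped, and a group only counts as a record when it spans at least three distinct entries. The regexes are simplified stand-ins for four of the entries listed above, and the 200-character window is an assumption; the real detection entries and proximity rule are not published on this page:

```javascript
// Added example: proximity-based "PII record" detection. The regexes are
// simplified stand-ins for four of the profile's entries, and the window size
// is assumed; neither is Cloudflare's actual detector.
const PII_ENTRIES = {
  "US SSN": /\b\d{3}-\d{2}-\d{4}\b/g,
  "Email Address": /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
  "US Phone Number": /(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-.]\d{4}\b/g,
  "Visa Card Number": /\b4\d{3}(?:[ -]?\d{4}){3}\b/g,
};

// Every individual match with its entry name and offsets, ordered by position.
function findMatches(text) {
  const hits = [];
  for (const [entry, re] of Object.entries(PII_ENTRIES)) {
    for (const m of text.matchAll(re)) {
      hits.push({ entry, start: m.index, end: m.index + m[0].length, value: m[0] });
    }
  }
  return hits.sort((a, b) => a.start - b.start);
}

// Chain matches whose gap is at most `windowChars`, and report the chain as a
// record only when it contains at least `minUniqueEntries` distinct entries.
// A standalone SSN, or an email next to a phone number, never qualifies.
function findPiiRecords(text, { windowChars = 200, minUniqueEntries = 3 } = {}) {
  const hits = findMatches(text);
  const records = [];
  let i = 0;
  while (i < hits.length) {
    const group = [hits[i]];
    let j = i + 1;
    while (j < hits.length && hits[j].start - group[group.length - 1].end <= windowChars) {
      group.push(hits[j]);
      j++;
    }
    const entries = [...new Set(group.map((h) => h.entry))].sort();
    if (entries.length >= minUniqueEntries) {
      records.push({ start: group[0].start, end: group[group.length - 1].end, entries });
    }
    i = j;
  }
  return records;
}

// Constructed sample inputs (fictional values).
const SAMPLE_STANDALONE = "Reference number 123-45-6789 attached to case 4401.";
const SAMPLE_TWO_ENTRIES = "Contact jane.doe@example.com or 555-123-4567 for scheduling.";
const SAMPLE_RECORD = [
  "Applicant: Jane Doe",
  "SSN: 123-45-6789",
  "Email: jane.doe@example.com",
  "Phone: (555) 123-4567",
].join("\n");

console.log(JSON.stringify(findPiiRecords(SAMPLE_RECORD)));
```

Running the three samples shows the trade-off the profile is making: the standalone SSN and the email-plus-phone pair each produce individual matches but no record, while the four-line application block produces one record built from three distinct entries.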

## 2026-04-24

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**Network Session Logs now available for all on-ramps**   

[Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/) are now generated for all traffic proxied through Cloudflare Gateway, regardless of on-ramp type. This includes traffic from [proxy endpoints (PAC files)](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) egress — on-ramps that previously did not generate session logs.

Customers who already consume the `zero_trust_network_sessions` dataset via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) or [Log Explorer](https://developers.cloudflare.com/log-explorer/) may see increased log volume if they use these on-ramps.

For field definitions, refer to [Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/). For traffic analysis, refer to [Network session analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/network-sessions/).

## 2026-04-23

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**AAGUID restrictions and AMR matching for Access independent MFA**   

[Independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/) in Cloudflare Access now supports two additional organization-level controls:

* **[Restrict authenticators by AAGUID](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#restrict-authenticators-by-aaguid)** — Limit enrollment to a specific set of WebAuthn authenticators using their [AAGUID ↗](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#authenticator-attestation-guid). This is useful for organizations that require FIPS-validated security keys or company-issued hardware. AAGUIDs are managed through a new [List](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) type.
* **[AMR matching](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#use-identity-provider-mfa)** — Skip the independent MFA prompt when the identity provider has already performed an equivalent MFA. Access reads the `amr` claim defined in [RFC 8176 ↗](https://datatracker.ietf.org/doc/html/rfc8176) and matches supported values such as `hwk`, `otp`, and `fpt` to the authenticator types allowed on the application or policy. This prevents users from having to complete MFA twice when their identity provider already enforces it.

To get started, refer to [Independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/).

## 2026-04-21

[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Country rules supported in Unified Routing**   

[Cloudflare Advanced Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/) Country rules are now supported for accounts using [Unified Routing](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta) mode. This feature requires a Cloudflare Advanced Network Firewall subscription.

You can create firewall rules that match traffic based on source or destination country to enforce geographic access policies across your network.

This is the first of the Cloudflare Advanced Network Firewall features to become available in Unified Routing. Support for additional features - IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, and Managed Rulesets - is planned.

For the full list of current beta limitations, refer to [Traffic steering beta limitations](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#beta-limitations).

## 2026-04-20

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Network session analytics dashboard**   

The new [Network session analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/network-sessions/) dashboard is now available in Cloudflare One. This dashboard provides visibility into your network traffic patterns, helping you understand how traffic flows through your Cloudflare One infrastructure.

![Cloudflare One Network Session Analytics](https://developers.cloudflare.com/_astro/cf1-network-session-analytics.Gl90hEcp_MuWRb.webp) 

#### What you can do with Network session analytics

* **Analyze geographic distribution**: View a world map showing where your network traffic originates, with a list of top locations by session count.
* **Monitor key metrics**: Track session count, total bytes transferred, and unique users.
* **Identify connection issues**: Analyze connection close reasons to troubleshoot network problems.
* **Review protocol usage**: See which network protocols (TCP, UDP, ICMP) are most used.

#### Dashboard features

* **Summary metrics**: Session count, bytes total, and unique users
* **Traffic by location**: World map visualization and location list with top traffic sources
* **Top protocols**: Breakdown of TCP, UDP, ICMP, and ICMPv6 traffic
* **Connection close reasons**: Insights into why sessions terminated (client closed, origin closed, timeouts, errors)

#### How to access

1. Log in to [Cloudflare One ↗](https://dash.cloudflare.com).
2. Go to **Zero Trust** \> **Insights** \> **Dashboards**.
3. Select **Network session analytics**.

For more information, refer to the [Network session analytics documentation](https://developers.cloudflare.com/cloudflare-one/insights/analytics/network-sessions/).

## 2026-04-17

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Homepage and sign-out for MCP server portals**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) display a homepage when users visit the portal domain in a browser.

![MCP server portal homepage showing connection status and setup instructions](https://developers.cloudflare.com/_astro/portals-homepage-disconnected.BHbOwayQ_Z1G37WD.webp) 

The homepage shows:

* The portal name and organization branding
* The MCP endpoint URL with a copy button
* Per-client connection instructions for Claude Desktop, Workers AI Playground, OpenCode, Windsurf, and other MCP clients

Authenticated users see their email address and a **Sign out** button. Selecting **Sign out** revokes all portal-level OAuth grants, deletes upstream server OAuth states, and redirects through Cloudflare Access logout. A confirmation page shows a summary of the revoked sessions.

For more information, refer to [MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#portal-homepage).

## 2026-04-15

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Independent MFA for Access applications**   

Cloudflare Access now supports independent multi-factor authentication (MFA), allowing you to enforce MFA requirements without relying on your identity provider (IdP). With per-application and per-policy configuration, you can enforce stricter authentication methods like hardware security keys on sensitive applications without requiring them across your entire organization. This reduces the risk of MFA fatigue for your broader user population while adding additional security where it matters most.

This feature also addresses common gaps in IdP-based MFA, such as inconsistent MFA policies across different identity providers or the need for additional security layers beyond what the IdP provides.

Independent MFA supports the following authenticator types:

* **Authenticator application** — Time-based one-time passwords (TOTP) using apps like Google Authenticator, Microsoft Authenticator, or Authy.
* **Security key** — Hardware security keys such as YubiKeys.
* **Biometrics** — Built-in device authenticators including Apple Touch ID, Apple Face ID, and Windows Hello.

Note

Infrastructure applications do not yet support independent MFA.

#### Configuration levels

You can configure MFA requirements at three levels:

| Level            | Description                                                    |
| ---------------- | -------------------------------------------------------------- |
| **Organization** | Enforce MFA by default for all applications in your account.   |
| **Application**  | Require or turn off MFA for a specific application.            |
| **Policy**       | Require or turn off MFA for users who match a specific policy. |

Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement.

#### User enrollment

Users enroll their authenticators through the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `<your-team-name>.cloudflareaccess.com/AddMfaDevice`.

To get started with Independent MFA, refer to [Independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/).

## 2026-04-15

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New, streamlined creation experience for Access Applications and Gateway Policies**   

The Cloudflare One dashboard now features redesigned builders for two core workflows: creating Gateway policies and configuring self-hosted Access applications.

#### Gateway rule builder

The Gateway rule builder now features a redesigned user experience, bringing it in line with the Access policy builder experience. Improvements include:

* **Streamlined UX** with clearer states and improved user interactions
* **Wirefilter editing** for viewing and editing Gateway rules directly from wirefilter expressions
* **Preview state** to review the impact of your policy in a simple graphic
![New Gateway rule builder](https://developers.cloudflare.com/_astro/gateway-rule-builder.BxvzsN8s_Z2q9xKY.webp) 

For more information, refer to [Traffic policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).

#### Access application builder for self-hosted apps

The self-hosted Access application builder now offers a simplified creation workflow with fewer steps from setup to save. Improvements include:

* **New application selection experience** that makes it easier to choose the right application type before you begin
* **Streamlined creation flow** with fewer clicks to build and save an application
* **Inline policy creation** for building Access policies directly within the application creation flow
* **Preview state** to understand how your policies enforce user access before saving
![New Access application builder](https://developers.cloudflare.com/_astro/access-application-builder.B__yqGin_Z2pRlHk.webp) 

For more information, refer to [self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/).

## 2026-04-15

[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) 

  
**Last seen timestamp for Cloudflare One Client devices is more consistent**   

The last seen timestamp for [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) devices now reflects the most recent client event between a device and Cloudflare's network, and the same value is shown consistently across the dashboard.

## 2026-04-14

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**DLP account-level settings**   

**Account-level DLP settings are now available** in Cloudflare One. You can configure advanced DLP settings, including OCR, AI context analysis, and payload masking, once at the account level. This provides consistent enforcement across all DLP profiles and simplifies configuration management.

Key changes:

* **Consistent enforcement**: Settings configured at the account level apply to all DLP profiles
* **Simplified migration**: Settings enabled on any profile are automatically migrated to account level
* **Deprecation notice**: Profile-level advanced settings will be deprecated in a future release

**Migration details:**

During the migration period, if a setting is enabled on any profile, it is automatically enabled at the account level. As a result, a profile that previously had a setting disabled may now have it enabled because another profile in the account had it turned on.

Settings are evaluated with OR logic: a setting is enabled if it is turned on at either the account level or the profile level. Profile-level settings cannot be enabled while the account-level setting is off, so in practice the account-level setting determines whether the feature is applied.

For more details, refer to the [DLP settings documentation](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/).

## 2026-04-14

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**Introducing Cloudflare Mesh**   

[Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) is now available ([blog post ↗](https://blog.cloudflare.com/mesh/)). Mesh connects your services and devices with post-quantum encrypted networking, allowing you to route traffic privately between servers, laptops, and phones over TCP, UDP, and ICMP.

![Cloudflare Mesh network map showing nodes and devices connected through Cloudflare](https://developers.cloudflare.com/_astro/mesh-network-map.CED6jNHK_ZlOsym.webp) 

#### What Cloudflare Mesh does

* Assigns a private [Mesh IP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/#mesh-ips) to every enrolled device and node.
* Enables any participant to reach any other participant by IP — including client-to-client, without deploying any infrastructure.
* Supports [CIDR routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) for subnet routing through Mesh nodes.
* Supports [high availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) with active-passive replicas for nodes with routes.
* All traffic flows through Cloudflare, so [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/), and access rules apply to every connection.

#### What changed

* **WARP Connector** is now **Cloudflare Mesh**. Existing WARP Connectors are now called mesh nodes. All existing deployments continue to work — no migration required.
* **Peer-to-peer connectivity** is now called **Mesh connectivity** and is part of the Cloudflare Mesh documentation.
* **Mesh node limit** increased from 10 to **50 per account**.
* New [dashboard experience ↗](https://dash.cloudflare.com/?to=/:account/mesh) at **Networking** \> **Mesh** with an interactive network map, node management, route configuration, diagnostics, and a setup wizard.

#### Get started

Refer to the [Cloudflare Mesh documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) to set up your first Mesh network.

## 2026-04-14

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Detect Cloudflare API tokens with DLP**   

The **Credentials and Secrets** DLP profile now includes three new predefined entries for detecting Cloudflare API credentials:

| Entry name                         | Token prefix | Detects                   |
| ---------------------------------- | ------------ | ------------------------- |
| Cloudflare User API Key            | `cfk_`       | User-scoped API keys      |
| Cloudflare User API Token          | `cfut_`      | User-scoped API tokens    |
| Cloudflare Account Owned API Token | `cfat_`      | Account-scoped API tokens |

These detections target the new [Cloudflare API credential format](https://developers.cloudflare.com/fundamentals/api/get-started/token-formats/), which uses a structured prefix and a CRC32 checksum suffix. The identifiable prefix makes it possible to detect leaked credentials with high confidence and low false positive rates — no surrounding context such as `Authorization: Bearer` headers is required.

Credentials generated before this format change will not be matched by these entries.
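The following is an added example, not Cloudflare's detector, of why a prefix plus a checksum suffix gives a higher-confidence match than a prefix alone: a regex finds candidate strings by prefix, and recomputing the CRC32 separates genuine tokens from look-alike strings. The exact layout is on the linked token-formats page; the 32-character payload, the 8-digit lowercase-hex checksum and the "checksum over prefix plus payload" rule used here are assumptions for illustration, and `mintToken` exists only to build sample data:

```javascript
// Added example: prefix-and-checksum validation for Cloudflare-style API
// credentials. Payload length, checksum encoding and the checksum input are
// assumed for illustration; consult the token-formats page for the real layout.
const TOKEN_ENTRIES = {
  "cfk_": "Cloudflare User API Key",
  "cfut_": "Cloudflare User API Token",
  "cfat_": "Cloudflare Account Owned API Token",
};
const PAYLOAD_LEN = 32;  // assumed
const CHECKSUM_LEN = 8;  // CRC32 rendered as 8 lowercase hex digits (assumed)
const CANDIDATE_RE = new RegExp(
  `\\b(${Object.keys(TOKEN_ENTRIES).join("|")})([A-Za-z0-9]{${PAYLOAD_LEN + CHECKSUM_LEN}})\\b`,
  "g",
);

// Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320).
const CRC_TABLE = new Uint32Array(256);
for (let n = 0; n < 256; n++) {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  CRC_TABLE[n] = c >>> 0;
}
function crc32(str) {
  let crc = 0xffffffff;
  for (const byte of Buffer.from(str, "utf8")) crc = CRC_TABLE[(crc ^ byte) & 0xff] ^ (crc >>> 8);
  return (crc ^ 0xffffffff) >>> 0;
}

function checksumFor(prefix, payload) {
  return crc32(prefix + payload).toString(16).padStart(CHECKSUM_LEN, "0");
}

// Builds a token in the assumed layout; used here only to construct sample data.
function mintToken(prefix, payload) {
  if (!(prefix in TOKEN_ENTRIES) || payload.length !== PAYLOAD_LEN) throw new Error("bad prefix or payload");
  return prefix + payload + checksumFor(prefix, payload);
}

// A DLP log should never carry the full secret: keep the prefix and last four.
function redact(token) {
  return token.slice(0, token.indexOf("_") + 1) + "..." + token.slice(-4);
}

// The prefix regex finds candidates; the checksum marks which ones are real.
function scanForCloudflareTokens(text) {
  const findings = [];
  for (const m of text.matchAll(CANDIDATE_RE)) {
    const [token, prefix, rest] = m;
    const payload = rest.slice(0, PAYLOAD_LEN);
    const checksum = rest.slice(PAYLOAD_LEN).toLowerCase();
    findings.push({
      entry: TOKEN_ENTRIES[prefix],
      offset: m.index,
      redacted: redact(token),
      valid: checksum === checksumFor(prefix, payload),
    });
  }
  return findings;
}

// Constructed sample: a genuine token, the same token with one checksum digit
// changed, a prefixed look-alike, and a prefix-less hex string.
const GOOD_TOKEN = mintToken("cfat_", "ab12CD34ef56GH78ij90KL12mn34OP56");
const BAD_CHECKSUM = GOOD_TOKEN.slice(0, -1) + (GOOD_TOKEN.endsWith("0") ? "1" : "0");
const LOOKALIKE = "cfut_" + "Z".repeat(PAYLOAD_LEN + CHECKSUM_LEN);
const SAMPLE_TEXT = [
  `export CLOUDFLARE_API_TOKEN=${GOOD_TOKEN}`,
  `curl -H "Authorization: Bearer ${BAD_CHECKSUM}" https://api.cloudflare.com/client/v4/user`,
  `# placeholder, not a credential: ${LOOKALIKE}`,
  `legacy_key=${"0123456789abcdef".repeat(2)}12345`,
].join("\n");

console.log(JSON.stringify(scanForCloudflareTokens(SAMPLE_TEXT), null, 2));
```

Only the first line produces a finding with `valid: true`; the corrupted and look-alike strings are still surfaced as candidates, which is useful for tuning, but a policy that keys on `valid` will not block on them. Note that no `Authorization: Bearer` context is needed: the second line is rejected on its checksum, not on its header.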

#### How to enable Cloudflare API token detections

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **DLP** \> **DLP Profiles**.
2. Select the **Credentials and Secrets** profile.
3. Turn on one or more of the new Cloudflare API token entries.
4. Use the profile in a Gateway HTTP policy to log or block traffic containing these credentials.

Example policy:

| Selector    | Operator | Value                     | Action |
| ----------- | -------- | ------------------------- | ------ |
| DLP Profile | in       | _Credentials and Secrets_ | Block  |

You can also enable individual entries to scope detection to specific credential types — for example, enabling **Account Owned API Token** detection without enabling **User API Key** detection.

For more information, refer to [predefined DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/).

## 2026-04-14

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Configure how sensitive data appears in DLP payload logs**   

You can now configure how sensitive data matches are displayed in your DLP payload match logs — giving your incident response team the context they need to validate alerts without compromising your security posture.

To get started, go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select **Zero Trust** \> **Data loss prevention** \> **DLP settings** and find the **Payload log masking** card.

Previously, all DLP payload logs used a single masking mode that obscured matched data entirely and hid the original character count, making it difficult to distinguish true positives from false positives. This update introduces three options:

* **Full Mask (default):** Masks the match while preserving character count and visual formatting (for example, `***-**-****` for a Social Security Number). This is an improvement over the previous default, which did not preserve character count.
* **Partial Mask:** Reveals 25% of the matched content while masking the remainder (for example, `***-**-6789`).
* **Clear Text:** Stores the full, unmasked violation for deep investigation (for example, `123-45-6789`).

**Important:** The masking level you select is applied at detection time, before the payload is encrypted. This means the chosen format is what your team will see after decrypting the log with your private key — the existing encryption workflow is unchanged.

**Applies to all enabled detections:** When a masking level other than Full Mask is selected, it applies to all sensitive data matches found within a payload window — not just the match that triggered the policy. Any data matched by your enabled DLP detection entries will be masked at the selected level.

For more information, refer to [DLP logging options](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).

## 2026-04-10

[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) 

  
**Canvas Remoting optimizes performance for productivity applications**   

Remote Browser Isolation now supports **Canvas Remoting**, improving performance for HTML5 Canvas applications by sending vector draw commands instead of rasterized bitmaps.

#### Key improvements

* **10x bandwidth reduction:** Microsoft Word and other Office apps use 90% less bandwidth
* **Smooth performance:** Google Sheets maintains consistent 30fps rendering
* **Responsive terminals:** Web-based development environments and AI notebooks work in real-time
* **Zero configuration:** Enabled by default for all Browser Isolation customers

#### How it works

Instead of sending rasterized bitmaps for every Canvas update, Browser Isolation now:

1. Captures Canvas draw commands at the source
2. Converts them to lightweight vector instructions
3. Renders Canvas content on the client

This reduces bandwidth from hundreds of kilobytes per second to tens of kilobytes per second.

#### Managing Canvas Remoting

To temporarily disable for troubleshooting:

* Right-click the isolated webpage background
* Select **Disable Canvas Remoting**
* Re-enable the same way by selecting **Enable Canvas Remoting**

#### Limitations

Currently supports 2D Canvas contexts only. WebGL and 3D graphics applications continue using bitmap rendering. For more information, refer to [Canvas Remoting](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/canvas-remoting/).

## 2026-04-09

[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) 

  
**Send CASB posture finding instances with webhooks**   

You can now use **CASB webhooks** in Cloudflare One to send posture finding instances to external systems such as chat platforms, ticketing systems, SIEMs, SOAR tools, and custom automation services.

This gives security teams a simple way to route CASB posture findings into the tools and workflows they already use for triage and response.

To get started, go to **Integrations** \> **Webhooks** in the Cloudflare One dashboard to create a webhook destination. After you configure a webhook, open a posture finding instance and select **Send webhook** to send it.

#### Key capabilities

* **Flexible authentication** — Configure destinations using **None**, **Basic Auth**, **Bearer Auth**, **Static Headers**, or **HMAC-Signing**.
* **Built-in testing** — Use **Test delivery** to send a test request before sending a live finding instance.
* **Posture finding workflows** — Send posture finding instances directly from the finding details workflow in **Cloud & SaaS findings**.
* **HTTPS destinations** — Configure webhook destinations with public `https://` URLs.

#### Learn more

* Configure [CASB webhooks](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/) in Cloudflare.
* Learn how to [manage findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/) in Cloudflare.

CASB webhooks are now available in Cloudflare One.

## 2026-04-08

[ Risk Score ](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/) 

  
**User risk scoring for high risk browsing activity**   

Cloudflare One's **User Risk Scoring** now incorporates direct signals from **Gateway DNS traffic patterns**. This update allows security teams to automatically elevate a user's risk score when they visit high-risk or malicious domains, providing a more holistic view of internal threats.

#### Why this matters

Browsing activity is a primary indicator of potential compromise. By tying Gateway DNS logs to specific users, administrators can now flag individuals interacting with:

* **Security threats**: Domains associated with malware, phishing, or command-and-control (C2) centers.
* **High-risk content**: Categories such as questionable content or violence that may violate corporate compliance.

Even if a Gateway policy is set to **Block** the traffic, the interaction is still captured as a "hit" to ensure the user's risk profile reflects the attempted activity.

#### New risk behaviors

Two new behaviors are now available in the dashboard:

* **Suspicious Security Domain Visited**: Triggers when a user visits a domain in the security threats or security risk categories.
* **High risk domain visited**: Triggers when a user visits domains categorized as questionable content, violence, or CIPA.

To learn more and get started, refer to the [User Risk Scoring documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/).

## 2026-04-07

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Cloudflare One Client for Windows (version 2026.3.851.0)**   

A new GA release for the Windows Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

The next stable release for Windows will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

**Changes and improvements**

* Fixed a Windows client tunnel interface initialization failure that prevented clients from establishing a tunnel.
* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
* Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
* Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
* Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
* Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
* Fixed managed network detection checks being initiated when no network is available, which caused device profile flapping.
* Fixed an issue where degraded Windows Management Instrumentation (WMI) state could put the client in a failed connection state loop during initialization.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may cause performance issues such as mouse lag, audio crackling, or other slowdowns. Cloudflare recommends that affected users update to [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) (released July 2025) or later, which resolves the issue. This warning will be omitted from future release notes.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. This is a false positive; to resolve it, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) (released May 2025) or later. This warning will be omitted from future release notes.
* DNS resolution may be broken when the following conditions are all true:
  * The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
  * A custom DNS server address is configured on the primary network adapter.
  * The custom DNS server address on the primary network adapter is changed while the client is connected.

  To work around this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface.

## 2026-04-07

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**User Submission Triage Status Tracking**   

Cloudflare Email security now supports **Triage Status Tracking for User Submissions**. This enhancement gives SOC teams a streamlined way to track, manage, and prioritize user-submitted emails directly within the Cloudflare One dashboard.

* The User Submissions table now includes a **Status** column with three states: **Unreviewed** (new submissions awaiting triage), **Reviewed** (submissions assessed by the SOC team), and **Escalated** (submissions escalated to team submissions for further investigation). Analysts can quickly update statuses and filter the table to focus on what needs attention.
* SOC teams can now organize their triage workflows, avoid duplicate reviews, and make sure critical threats get escalated for deeper investigation—bringing order to the chaos of high-volume submission management.

Triage Status Tracking is **automatically available** for all Email security customers using the user submissions feature. No additional configuration is required; customers just need to make sure user submissions are being sent to their user submission aliases.

This applies to all Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2026-04-07

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Link aggregation (LACP) support for Cloudflare One Appliance**   

Cloudflare One Appliance now supports Link Aggregation Control Protocol (LACP), allowing you to bundle up to six physical LAN ports into a single logical interface. Link aggregation increases available bandwidth and eliminates single points of failure on the LAN side of the appliance.

This feature is available in beta on physical appliance hardware with the latest OS. No entitlement is required.

To configure a Link Aggregation Group, refer to [Configure link aggregation groups](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/network-options/link-aggregation/).

## 2026-04-06

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**DANE Support for MX Deployments**   

Cloudflare Email Security now supports DANE (DNS-based Authentication of Named Entities) for MX deployments. This enhancement strengthens email transport security by enabling DNSSEC-backed certificate verification for our regional MX records.

* Regional MX hostnames now publish DANE TLSA records backed by DNSSEC, enabling DANE-capable SMTP senders to cryptographically validate certificate identities before establishing TLS connections—moving beyond opportunistic encryption to verified encrypted delivery.
* DANE support is automatically available for all customers using regional MX deployments. No additional configuration is required; DANE-capable mail infrastructure will automatically validate MX certificates using the published records.

This applies to all Email Security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2026-04-06

[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Organizations is now in public beta for enterprises**   

We're announcing the public beta of **Organizations** for enterprise customers, a new top-level Cloudflare container that lets Cloudflare customers manage multiple accounts, members, analytics, and shared policies from one centralized location.

**What's New**

**Organizations \[BETA\]**: [Organizations](https://developers.cloudflare.com/fundamentals/organizations/) are a new top-level container for centrally managing multiple accounts. Each Organization supports up to 500 accounts and 5000 zones, giving larger teams a single place to administer resources at scale.

**Self-serve onboarding**: Enterprise customers can [create an Organization](https://developers.cloudflare.com/fundamentals/organizations/setup/) in the dashboard and assign accounts where they are already Super Administrators.

**Centralized Account Management**: At launch, every Organization member has the Organization Super Admin role. Organization Super Admins can invite other users and manage any child account under the Organization implicitly.

**Shared policies**: Share [WAF](https://developers.cloudflare.com/waf/custom-rules/) or [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/organizations/) policies across multiple accounts within your Organization to simplify centralized policy management.

**Implicit access**: Members of an Organization automatically receive Super Administrator permissions across child accounts, removing the need for explicit membership on each account. Additional Org-level roles will be available over the course of the year.

**Unified analytics**: View, filter, and download aggregate HTTP analytics across all Organization child accounts from a single dashboard for centralized visibility into traffic patterns and security events.

**Terraform provider support**: Manage Organizations with infrastructure as code from day one. Provision organizations, assign accounts, and configure settings programmatically with the [Cloudflare Terraform provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/organization).

Note

Organizations is in Public Beta. You must have an Enterprise account to create an organization, but once created, you can add accounts of any plan type where you are a Super Administrator.

For more info:

* [Get started with Organizations](https://developers.cloudflare.com/fundamentals/organizations/)
* [Set up your Organization](https://developers.cloudflare.com/fundamentals/organizations/setup/)
* [Review limitations](https://developers.cloudflare.com/fundamentals/organizations/limitations/)

## 2026-04-02

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Cloudflare One Client for macOS (version 2026.3.846.0)**   

A new GA release for the macOS Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

The next stable release for macOS will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

**Changes and improvements**

* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
* Fixed managed network detection checks being initiated when no network is available, which caused device profile flapping.

## 2026-04-02

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Cloudflare One Client for Linux (version 2026.3.846.0)**   

A new GA release for the Linux Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

The next stable release for Linux will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

**Changes and improvements**

* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
* Fixed managed network detection checks being initiated when no network is available, which caused device profile flapping.

## 2026-04-02

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Session management for MCP server portals**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) support in-session management of upstream MCP server connections. Users can return to the server selection page at any time to enable or disable servers, reauthenticate, or change which data a server has access to — all without leaving their MCP client.

To return to the server selection page, ask your AI agent with a prompt like "take me back to the server selection page." The portal responds with an authorization URL via [MCP elicitation ↗](https://modelcontextprotocol.io/specification/2025-03-26/server/elicitation) that you open in your browser:

```
https://<subdomain>.<domain>/authorize?elicitationId=<ELICITATION_ID>
```

From the server selection page you can:

* **Enable or disable servers** — Toggle individual upstream MCP servers on or off. Disabling a server removes its tools from the active session, which reduces context window usage.
* **Log out and reauthenticate** — Log out of a server and log back in to change which data the server has access to, or to reauthenticate with different permissions.

Users can also enable or disable a server inline by asking their AI agent directly, for example "enable the wiki server" or "disable my Jira server."

The portal also automatically prompts connected users to authorize new servers when an admin adds them to the portal. This requires the use of [managed OAuth](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/managed-oauth/#enable-managed-oauth-on-an-mcp-server-portal).

For more information, refer to [Manage portal sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#manage-portal-sessions).

## 2026-04-01

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Logs UI refresh**   

Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs.

![Screenshot of the new logs UI showing DNS query logs with customizable columns and filtering options](https://developers.cloudflare.com/_astro/cf1-new-logs-ui.DxF4x0l-_mRSyH.webp) 

The updated UI includes:

* **Filter by field** - Select any field value to add it as a filter and narrow down your results.
* **Customizable fields** - Choose which fields to display in the log table. Querying for fewer fields improves log loading performance.
* **View details** - Select a timestamp to view the full details of a log entry.
* **Switch to classic view** - Return to the previous log viewer interface if needed.

For more information, refer to [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/).

## 2026-03-26

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Code mode for MCP server portals**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) support [code mode](https://developers.cloudflare.com/agents/api-reference/codemode/), a technique that reduces context window usage by replacing individual tool definitions with a single code execution tool. Code mode is turned on by default on all portals.

To turn it off, edit the portal in **Access controls** \> **AI controls** and turn off **Code mode** under **Basic information**.

When code mode is active, the portal exposes a single `code` tool instead of listing every tool from every upstream MCP server. The connected AI agent writes JavaScript that calls typed `codemode.*` methods for each upstream tool. The generated code runs in an isolated [Dynamic Worker](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/) environment, keeping authentication credentials and environment variables out of the model context.

To use code mode, append `?codemode=search_and_execute` to your portal URL when connecting from an MCP client:

```
https://<subdomain>.<domain>/mcp?codemode=search_and_execute
```

For more information, refer to [code mode](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#code-mode).

## 2026-03-26

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Context optimization for MCP server portals**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) support two context optimization options that reduce how many tokens tool definitions consume in the model's context window. Both options are activated by appending the `optimize_context` query parameter to the portal URL.

#### `minimize_tools`

Strips tool descriptions and input schemas from all upstream tools, leaving only their names. The portal exposes a special `query` tool that agents use to retrieve full definitions on demand. This provides up to 5x savings in token usage.

```
https://<subdomain>.<domain>/mcp?optimize_context=minimize_tools
```

#### `search_and_execute`

Hides all upstream tools and exposes only two tools: `query` and `execute`. The `query` tool searches and retrieves tool definitions. The `execute` tool runs the upstream tools in an isolated [Dynamic Worker](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/) environment. This reduces the initial token cost to a small constant, regardless of how many tools are available through the portal.

```
https://<subdomain>.<domain>/mcp?optimize_context=search_and_execute
```

For more information, refer to [Optimize context](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#optimize-context).

## 2026-03-26

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Streaming ZIP file scanning removes per-file size limits**   

DLP now processes ZIP files using a streaming handler that scans archive contents element-by-element as data arrives. This removes previous file size limitations and improves memory efficiency when scanning large archives.

Microsoft Office documents (DOCX, XLSX, PPTX) also benefit from this improvement, as they use ZIP as a container format.

This improvement is automatic — no configuration changes are required.

## 2026-03-25

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Detect and sanitize HAR files**   

HTTP Archive (HAR) files are used by engineering and support teams to capture and share web traffic logs for troubleshooting. However, these files routinely contain highly sensitive data — including session cookies, authorization headers, and other credentials — that can pose a significant risk if uploaded to third-party services without being reviewed or cleaned first.

Gateway now includes a predefined DLP profile called **Unsanitized HAR** that detects HAR files in HTTP traffic. You can use this profile in a Gateway HTTP policy to either block HAR file uploads entirely or redirect users to a sanitization tool before allowing the upload to proceed.

#### How to configure a HAR file policy

In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall Policies** \> **HTTP** and create a new HTTP policy using the **DLP Profile** selector:

| Selector    | Operator | Value             | Action |
| ----------- | -------- | ----------------- | ------ |
| DLP Profile | in       | _Unsanitized HAR_ |        |

Then choose one of the following actions:

* **Block**: Prevents the upload of any HAR file that has not been sanitized by Cloudflare's sanitizer. Use this for strict environments where HAR file sharing must be disallowed entirely.
* **Block** with **Gateway Redirect**: Intercepts the upload and redirects the user to `https://har-sanitizer.pages.dev/`, where they can sanitize the file. Once sanitized, the user can re-upload the clean file and proceed with their workflow.

#### Sanitized HAR recognition

HAR files processed by the Cloudflare HAR sanitizer receive a tamper-evident sanitized marker. DLP recognizes this marker and will not re-trigger the policy on a file that has already been sanitized and has not been modified since. If a previously sanitized file is edited, it will be treated as unsanitized and flagged again.

#### Visibility in Gateway logs

Gateway logs will reflect whether a detected HAR file was classified as **Unsanitized** or **Sanitized**, giving your security team full visibility into HAR file activity across your organization.
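The following added example (not Cloudflare's detector or sanitizer code) illustrates the three ideas above on a constructed HAR capture: recognizing the HAR container, redacting credential-bearing headers, cookies and query values, and attaching a tamper-evident marker so that a scanner can tell an untouched sanitized file from one edited afterwards. The header list, the `_sanitized` marker field and the HMAC key are assumptions for illustration; the real marker format is not documented on this page.

```python
import copy
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header, cookie and query-parameter names whose values commonly leak credentials in a HAR
# capture. Constructed for this example; the detector rules behind the Unsanitized HAR
# profile are not published on this page.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "api_key"}
REDACTED = "[REDACTED]"

# Hypothetical marker: an HMAC over the canonical sanitized content, stored in the log object.
# A real sanitizer service keeps its own key; the point here is that any later edit to the
# file invalidates the marker, so a scanner treats the edited file as unsanitized again.
MARKER_FIELD = "_sanitized"
MARKER_KEY = b"example-sanitizer-key"


def is_har(data) -> bool:
    """Recognise the HAR 1.x container: top-level 'log' with 'version' and 'entries'."""
    log = data.get("log") if isinstance(data, dict) else None
    return isinstance(log, dict) and "version" in log and isinstance(log.get("entries"), list)


def _canonical(data: dict) -> bytes:
    """Deterministic serialisation of everything except the marker itself."""
    body = copy.deepcopy(data)
    body["log"].pop(MARKER_FIELD, None)
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _marker(data: dict) -> str:
    return hmac.new(MARKER_KEY, _canonical(data), hashlib.sha256).hexdigest()


def _redact_pairs(pairs, names) -> None:
    for pair in pairs:
        if str(pair.get("name", "")).lower() in names:
            pair["value"] = REDACTED


def _redact_url(url: str) -> str:
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sanitize_har(data: dict) -> dict:
    """Return a sanitized copy: credential-bearing headers, cookies and query values are
    replaced with a placeholder, then the tamper-evident marker is attached."""
    if not is_har(data):
        raise ValueError("not a HAR document")
    out = copy.deepcopy(data)
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            _redact_pairs(msg.get("queryString", []), SENSITIVE_PARAMS)
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
            if "url" in msg:
                msg["url"] = _redact_url(msg["url"])
    out["log"][MARKER_FIELD] = _marker(out)
    return out


def classify(data) -> str:
    """Mirror the two outcomes the Gateway log distinguishes: a HAR file is 'Sanitized' only
    if its marker is present and still matches the content, otherwise 'Unsanitized'."""
    if not is_har(data):
        return "Not HAR"
    marker = data["log"].get(MARKER_FIELD)
    if isinstance(marker, str) and hmac.compare_digest(marker, _marker(data)):
        return "Sanitized"
    return "Unsanitized"


# Constructed sample capture: one request carrying a bearer token, a session cookie and a
# token in the query string, plus a response that sets a fresh cookie.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-example", "version": "0"},
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://app.example.com/api/me?access_token=abc123&v=2",
                "headers": [
                    {"name": "Authorization", "value": "Bearer eyJ.example.token"},
                    {"name": "Cookie", "value": "session=s3cr3t"},
                    {"name": "Accept", "value": "application/json"},
                ],
                "queryString": [{"name": "access_token", "value": "abc123"}, {"name": "v", "value": "2"}],
                "cookies": [{"name": "session", "value": "s3cr3t"}],
            },
            "response": {
                "status": 200,
                "headers": [{"name": "Set-Cookie", "value": "session=n3wvalue; HttpOnly"}],
                "cookies": [{"name": "session", "value": "n3wvalue"}],
            },
        }],
    }
}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(classify(SAMPLE_HAR), "->", classify(clean))
```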

For more information, refer to [predefined DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/).

## 2026-03-24

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies**   

Cloudflare Gateway now supports [OIDC Claims](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims) as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types.

With this update, you can:

* Filter traffic in [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), and [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) firewall policies based on OIDC claim values.
* Apply custom [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route DNS queries to specific resolvers depending on a user's OIDC claims.
* Control [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) to assign dedicated egress IPs based on OIDC claim attributes.

For example, you can create a policy that routes traffic differently for users with `department=engineering` in their OIDC claims, or restrict access to certain destinations based on a user's role claim.

To get started, configure [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) on your identity provider and use the **OIDC Claims** selector in the Gateway policy builder.

For more information, refer to [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/).

## 2026-03-20

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Managed OAuth for Cloudflare Access**   

Cloudflare Access supports managed OAuth, which allows non-browser clients — such as CLIs, AI agents, SDKs, and scripts — to authenticate with Access-protected applications using a standard OAuth 2.0 authorization code flow.

Previously, non-browser clients that attempted to access a protected application received a `302` redirect to a login page they could not complete. The established workaround was `cloudflared access curl`, which required installing additional tooling.

With managed OAuth, clients instead receive a `401` response with a `WWW-Authenticate` header that points to Access's OAuth discovery endpoints ([RFC 8414 ↗](https://datatracker.ietf.org/doc/html/rfc8414) and [RFC 9728 ↗](https://datatracker.ietf.org/doc/html/rfc9728)). The client opens the end user's browser to the Access login page. The end user authenticates with their identity provider, and the client receives an OAuth access token for subsequent requests.

Access enforces the same policies as a browser login; the OAuth layer is a new transport mechanism, not a separate authentication path.

Managed OAuth can be enabled on any self-hosted Access application or [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/). It is opt-in for existing applications to avoid interfering with those that run their own OAuth servers and rely on their own `WWW-Authenticate` headers.
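As an added example (not Cloudflare's client code), the discovery walk a non-browser client performs after the `401`: parse the `WWW-Authenticate` challenge, fetch the RFC 9728 protected-resource metadata it points to, fetch the RFC 8414 authorization server metadata, and build the PKCE-protected authorization URL the client opens in the user's browser. The challenge string, hostnames and metadata documents are constructed for the example; the fetcher is injected so it runs offline.

```python
import base64
import hashlib
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed 401 challenge and metadata documents, keyed by the URL a client would fetch.
# They follow the RFC 9728 and RFC 8414 formats the page cites; the hostnames and paths
# are illustrative, not Cloudflare's actual values.
SAMPLE_CHALLENGE = (
    'Bearer resource_metadata="https://app.example.com/.well-known/oauth-protected-resource", '
    'error="invalid_token"'
)
SAMPLE_DOCS = {
    "https://app.example.com/.well-known/oauth-protected-resource": {
        "resource": "https://app.example.com",
        "authorization_servers": ["https://team.cloudflareaccess.example"],
    },
    "https://team.cloudflareaccess.example/.well-known/oauth-authorization-server": {
        "issuer": "https://team.cloudflareaccess.example",
        "authorization_endpoint": "https://team.cloudflareaccess.example/oauth/authorize",
        "token_endpoint": "https://team.cloudflareaccess.example/oauth/token",
        "code_challenge_methods_supported": ["S256"],
    },
}

_AUTH_PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^\s,]+))')


def parse_www_authenticate(header: str) -> dict:
    """Split a 'Bearer k="v", ...' challenge into its auth-params. RFC 9728 carries the
    protected-resource metadata URL in the resource_metadata parameter."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme!r}")
    return {k.lower(): quoted or bare for k, quoted, bare in _AUTH_PARAM.findall(rest)}


def as_metadata_url(issuer: str) -> str:
    """RFC 8414 well-known location: the suffix is inserted between host and issuer path."""
    parts = urlsplit(issuer)
    path = "/.well-known/oauth-authorization-server" + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def discover(challenge: str, fetch_json) -> dict:
    """Walk 401 -> resource metadata -> authorization server metadata and return the
    endpoints the authorization code flow needs. fetch_json(url) is injected so the
    example runs offline; a real client would issue HTTPS GETs."""
    params = parse_www_authenticate(challenge)
    resource_md = fetch_json(params["resource_metadata"])
    issuer = resource_md["authorization_servers"][0]
    as_md = fetch_json(as_metadata_url(issuer))
    # RFC 8414: the issuer in the document must equal the issuer it was looked up for,
    # otherwise a misconfigured or hostile server could steer the login elsewhere.
    if as_md.get("issuer") != issuer:
        raise ValueError("issuer mismatch in authorization server metadata")
    return {
        "resource": resource_md["resource"],
        "authorization_endpoint": as_md["authorization_endpoint"],
        "token_endpoint": as_md["token_endpoint"],
        "pkce_methods": as_md.get("code_challenge_methods_supported", []),
    }


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(endpoints: dict, client_id: str, redirect_uri: str,
                            verifier: str, state: str) -> str:
    """The URL the CLI or agent opens in the user's browser. Refuses to downgrade to the
    'plain' PKCE method and binds the request to the app with an RFC 8707 resource indicator."""
    if "S256" not in endpoints["pkce_methods"]:
        raise ValueError("authorization server does not advertise S256 PKCE")
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        "resource": endpoints["resource"],
    }
    return endpoints["authorization_endpoint"] + "?" + urlencode(query)


if __name__ == "__main__":
    endpoints = discover(SAMPLE_CHALLENGE, SAMPLE_DOCS.__getitem__)
    print(build_authorization_url(endpoints, "example-cli", "http://127.0.0.1:8976/callback",
                                  "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk", "example-state"))
```

The verifier in the `__main__` block is the RFC 7636 Appendix B test vector, so the printed `code_challenge` can be checked against the RFC.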

Note

For MCP server portals, managed OAuth is enabled by default on new portals. It remains opt-in for self-hosted applications.

To enable managed OAuth, go to **Zero Trust** \> **Access controls** \> **Applications**, edit the application, and turn on **Managed OAuth** under **Advanced settings**.

You can also enable it via the API by setting `oauth_configuration.enabled` to `true` on the [Access applications endpoint](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/update/).

![Managed OAuth settings in the Cloudflare dashboard](https://developers.cloudflare.com/_astro/managed-oauth.BirLnBpy_Zjg97R.webp) 

For setup instructions, refer to [Enable managed OAuth](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/managed-oauth/).

## 2026-03-20

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Route MCP server portal traffic through Cloudflare Gateway**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) can now route traffic through [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) for richer HTTP request logging and data loss prevention (DLP) scanning.

When Gateway routing is turned on, portal traffic appears in your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). You can create [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) with [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) to detect and block sensitive data sent to upstream MCP servers.

Note

DLP [AI prompt profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) do not apply to MCP server portal traffic.

To enable Gateway routing, go to **Access controls** \> **AI controls**, edit the portal, and turn on **Route traffic through Cloudflare Gateway** under **Basic information**.

![Route MCP server portal traffic through Cloudflare Gateway](https://developers.cloudflare.com/_astro/portal-route-through-gateway.0KMUAXBm_Z1B5rry.webp) 

For more details, refer to [Route traffic through Gateway](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#route-portal-traffic-through-gateway).

## 2026-03-20

[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) 

  
**Stream logs from multiple replicas of Cloudflare Tunnel simultaneously**   

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) of that tunnel and supports streaming logs from multiple replicas at once.

![View replicas and stream logs from multiple connectors](https://developers.cloudflare.com/_astro/tunnel-multiconn.DEOEaLlu_ZDxArh.webp) 

Previously, you could only stream logs from one replica at a time. With this update:

* **Replicas on the tunnel overview** — All active replicas for the selected tunnel now appear on that tunnel's overview page under **Connectors**. Select any replica to stream its logs.
* **Multi-connector log streaming** — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. Select **View logs** next to the tunnel you want to monitor.

For more information, refer to [Tunnel log streams](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) and [Deploy replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/).

## 2026-03-15

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Unlimited result paging in Investigations**   

Investigations now support unlimited result paging in both the dashboard and the API, removing the previous 1,000-record cap. Security teams can page through complete result sets when searching across large mail volumes, giving SOC analysts and automated workflows deeper visibility for forensics and threat hunting.

In the dashboard, infinite paging is now supported in the Investigations view. The 1,000-record ceiling has been removed, so you can navigate through the full result set directly in the UI. The [Investigations API](https://developers.cloudflare.com/api/resources/email%5Fsecurity/subresources/investigate/methods/list) now returns up to 10,000 records per page (up from 1,000), with no cap on total result volume across pages.

For high-volume use cases, we recommend:

* **[Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to a SIEM** for full-fidelity datasets and long-term retention.
* **SOAR playbooks** against the async bulk action API for large-scale remediation. Bulk actions initiated from the dashboard remain capped at 1,000 messages per action.
* **The Investigations API** for report exports larger than 1,000 results, which is the dashboard download cap.
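A pager that walks the full result set through the API, stopping cleanly on the last page and failing loudly instead of silently truncating. This is an added example, not Cloudflare's code: the endpoint path, the `page`/`per_page` query parameters and the `success`/`result`/`result_info` envelope are assumed to follow the usual Cloudflare v4 API shape (check the linked API reference), `PAGE_SIZE` is the 10,000-record page size stated above, and `make_fake_fetcher` is a constructed stand-in so the loop can be exercised offline.

```python
"""Page through Email Security Investigations results beyond the old 1,000 cap.

Added example, not Cloudflare code. Assumptions: the endpoint path, the `page`
and `per_page` query parameters and the `success`/`result`/`result_info`
response envelope follow the usual Cloudflare v4 API shape; verify against the
linked API reference before relying on them. PAGE_SIZE is the 10,000-record
page maximum stated in the changelog.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List

API_BASE = "https://api.cloudflare.com/client/v4"
PAGE_SIZE = 10_000  # per-page maximum per the changelog


def make_http_fetcher(api_token: str) -> Callable[[str, dict], dict]:
    """Real transport: GET `url` with query `params` using an API token."""
    def fetch(url: str, params: dict) -> dict:
        req = urllib.request.Request(
            f"{url}?{urllib.parse.urlencode(params)}",
            headers={"Authorization": f"Bearer {api_token}"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_investigations(account_id: str, fetch: Callable[[str, dict], dict],
                        query: dict = None, per_page: int = PAGE_SIZE) -> Iterator[dict]:
    """Yield every record matching `query`, requesting pages of `per_page`.

    Stops on the first short page, or as soon as `result_info.total_count`
    (when the API reports it) has been reached, so no empty trailing page is
    requested. Raises on an unsuccessful response rather than returning a
    partial result set that looks complete.
    """
    url = f"{API_BASE}/accounts/{account_id}/email-security/investigate"
    per_page = max(1, min(per_page, PAGE_SIZE))
    page, seen = 1, 0
    while True:
        body = fetch(url, {**(query or {}), "page": page, "per_page": per_page})
        if not body.get("success", False):
            raise RuntimeError(f"page {page} failed: {body.get('errors')}")
        batch = body.get("result") or []
        yield from batch
        seen += len(batch)
        total = (body.get("result_info") or {}).get("total_count")
        if len(batch) < per_page or (total is not None and seen >= total):
            return
        page += 1


def make_fake_fetcher(total: int) -> Callable[[str, dict], dict]:
    """Constructed stand-in for the API so the pager runs offline.

    Serves `total` synthetic records (placeholder ids) and records which pages
    were requested on `fetch.calls`.
    """
    calls: List[int] = []

    def fetch(url: str, params: dict) -> dict:
        calls.append(params["page"])
        start = (params["page"] - 1) * params["per_page"]
        end = min(start + params["per_page"], total)
        return {
            "success": True,
            "errors": [],
            "result": [{"id": f"msg-{i}"} for i in range(start, end)],
            "result_info": {"page": params["page"], "per_page": params["per_page"],
                            "total_count": total},
        }
    fetch.calls = calls  # type: ignore[attr-defined]
    return fetch


def collect(account_id: str, fetch: Callable[[str, dict], dict],
            query: dict = None, per_page: int = PAGE_SIZE) -> List[dict]:
    """Materialize the full result set as a list."""
    return list(iter_investigations(account_id, fetch, query, per_page))


if __name__ == "__main__":
    fake = make_fake_fetcher(2_500)
    rows = collect("ACCOUNT_ID_PLACEHOLDER", fake, {"query": "invoice"}, per_page=1_000)
    print(f"{len(rows)} records over {len(fake.calls)} page requests")
```

Swap `make_fake_fetcher` for `make_http_fetcher(token)` to run against the real API; keeping the transport injectable is what lets the stop conditions be tested without network access.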

This applies to all Email Security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2026-03-10

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)

**WARP client for macOS (version 2026.3.566.1)**

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the [Cloudflare Community forum](https://community.cloudflare.com/t/introducing-the-new-cloudflare-one-client-interface/901362) and let us know.

**Changes and improvements**

* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
* Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

**Known issues**

* The client may become stuck in a `Connecting` state. To resolve this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. Alternatively, change the client's operation mode.
* The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
* Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.

## 2026-03-10

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)

**WARP client for Windows (version 2026.3.566.1)**

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the [Cloudflare Community forum](https://community.cloudflare.com/t/introducing-the-new-cloudflare-one-client-interface/901362) and let us know.

**Changes and improvements**

* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
* Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
* Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
* Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
* Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
* Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

**Known issues**

* The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client.
* An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
* The client may become stuck in a `Connecting` state. To resolve this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. Alternatively, change the client's operation mode.
* The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
* Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.
* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
* DNS resolution may be broken when the following conditions are all true:  
   * The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while the client is connected. To work around this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface.

## 2026-03-04

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) [ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)

**User risk score selector in Access policies**

You can now use [user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/) in your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). The new **User Risk Score** selector allows you to create Access policies that respond to user behavior patterns detected by Cloudflare's risk scoring system, including impossible travel, high DLP policy matches, and more.

For more information, refer to [Use risk scores in Access policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#use-risk-scores-in-access-policies).

## 2026-03-04

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)

**Gateway Authorization Proxy and hosted PAC files (open beta)**

The [Gateway Authorization Proxy](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and [PAC file hosting](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) are now in open beta for all plan types.

Previously, [proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint) relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) authentication, verifying a user's identity before Gateway filtering is applied, without requiring the WARP client.

This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.

#### Key capabilities

* **Identity-aware proxy traffic** — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write [identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) like "only the Finance team can access this accounting tool."
* **Multiple identity providers** — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.
* **Cloudflare-hosted PAC files** — Create and host [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at `https://pac.cloudflare-gateway.com/<account-id>/<slug>` on Cloudflare's global network.
* **Simplified billing** — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.

#### Get started

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Resolvers & Proxies** \> **Proxy endpoints**.
2. [Create an authorization proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and configure Access policies.
3. [Create a hosted PAC file](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) or write your own.
4. [Configure browsers](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#3b-configure-browser-to-use-pac-file) to use the PAC file URL.
5. [Install the Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) for HTTPS inspection.

For more details, refer to the [proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and the [announcement blog post ↗](https://blog.cloudflare.com/gateway-authorization-proxy-identity-aware-policies/).

## 2026-03-02

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)

**Copy Cloudflare One resources as JSON or POST requests**

You can now copy Cloudflare One resources as JSON or as a ready-to-use API POST request directly from the dashboard. This makes it simple to transition workflows into API calls, automation scripts, or infrastructure-as-code pipelines.

To use this feature, click the overflow menu (⋮) on any supported resource and select **Copy as JSON** or **Copy as POST request**. The copied output includes only the fields present on your resource, giving you a clean and minimal starting point for your own API calls.

Initially supported resources:

* Access applications
* Access policies
* Gateway policies
* Resolver policies
* Service tokens
* Identity providers

We will continue to add support for more resources throughout 2026.

## 2026-03-01

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)

**Clipboard controls for browser-based RDP**

You can now configure clipboard controls for browser-based RDP with Cloudflare Access. Clipboard controls allow administrators to restrict whether users can copy or paste text between their local machine and the remote Windows server.

![Enable users to copy and paste content from their local machine to remote RDP sessions in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/rdp-clipboard-controls.B0ZmliDb_Z1Ne5yg.webp) 

This feature is useful for organizations that support bring-your-own-device (BYOD) policies or third-party contractors using unmanaged devices. By restricting clipboard access, you can prevent sensitive data from being transferred out of the remote session to a user's personal device.

#### Configuration options

Clipboard controls are configured per policy within your Access application. For each policy, you can independently allow or deny:

* **Copy from local client to remote RDP session** — Users can copy/paste text from their local machine into the browser-based RDP session.
* **Copy from remote RDP session to local client** — Users can copy/paste text from the browser-based RDP session to their local machine.

By default, both directions are denied for new policies. For existing Access applications created before this feature was available, clipboard access remains enabled to preserve backwards compatibility.

When a user attempts a restricted clipboard action, the clipboard content is replaced with an error message informing them that the action is not allowed.

For more information, refer to [Clipboard controls for browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls).

## 2026-02-27

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)

**Export MCP server portal logs with Logpush**

**Availability:** Only available on Enterprise plans.

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) now support [Logpush](https://developers.cloudflare.com/logs/logpush/) integration. You can automatically export MCP server portal activity logs to third-party storage destinations or security information and event management (SIEM) tools for analysis and auditing.

#### Available log fields

The MCP server portal logs dataset includes fields such as:

* `Datetime` — Timestamp of the request
* `PortalID` / `PortalAUD` — Portal identifiers
* `ServerID` / `ServerURL` — Upstream MCP server details
* `Method` — JSON-RPC method (for example, `tools/call`, `prompts/get`, `resources/read`)
* `ToolCallName` / `PromptGetName` / `ResourceReadURI` — Method-specific identifiers
* `UserID` / `UserEmail` — Authenticated user information
* `Success` / `Error` — Request outcome
* `ServerResponseDurationMs` — Response time from upstream server

For the complete field reference, refer to [MCP portal logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/mcp%5Fportal%5Flogs/).
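What a SIEM-side triage of this dataset can look like, as an added example that is not Cloudflare's code or part of the original page: it parses an NDJSON export, then derives the three views an analyst usually wants first, which are tool-call volume per user, the same user repeatedly failing the same tool, and slow or error-prone upstream servers. The field names are the ones listed above; the record shape (newline-delimited JSON, boolean `Success`, integer `ServerResponseDurationMs`), the thresholds and every sample value are constructed assumptions.

```python
"""Triage Cloudflare MCP server portal Logpush records.

Added example, not Cloudflare code. The field names are the ones listed in
the changelog; the record shape (newline-delimited JSON, boolean `Success`,
integer `ServerResponseDurationMs`) and all sample values are constructed
assumptions, not real Logpush output.
"""
import json
from collections import Counter

# Constructed sample export: five records in the NDJSON form a Logpush job
# would deliver. IDs, hostnames and e-mail addresses are placeholders.
SAMPLE_NDJSON = """\
{"Datetime":"2026-02-27T10:00:01Z","PortalID":"portal-1","PortalAUD":"aud-1","ServerID":"srv-a","ServerURL":"https://mcp.example.internal/a","Method":"tools/call","ToolCallName":"search_tickets","PromptGetName":"","ResourceReadURI":"","UserID":"u1","UserEmail":"alice@example.com","Success":true,"Error":"","ServerResponseDurationMs":120}
{"Datetime":"2026-02-27T10:00:05Z","PortalID":"portal-1","PortalAUD":"aud-1","ServerID":"srv-a","ServerURL":"https://mcp.example.internal/a","Method":"tools/call","ToolCallName":"export_customers","PromptGetName":"","ResourceReadURI":"","UserID":"u1","UserEmail":"alice@example.com","Success":false,"Error":"permission denied","ServerResponseDurationMs":30}
{"Datetime":"2026-02-27T10:00:09Z","PortalID":"portal-1","PortalAUD":"aud-1","ServerID":"srv-b","ServerURL":"https://mcp.example.internal/b","Method":"resources/read","ToolCallName":"","PromptGetName":"","ResourceReadURI":"docs://runbooks/oncall","UserID":"u2","UserEmail":"bob@example.com","Success":true,"Error":"","ServerResponseDurationMs":4800}
{"Datetime":"2026-02-27T10:00:12Z","PortalID":"portal-1","PortalAUD":"aud-1","ServerID":"srv-a","ServerURL":"https://mcp.example.internal/a","Method":"tools/call","ToolCallName":"export_customers","PromptGetName":"","ResourceReadURI":"","UserID":"u1","UserEmail":"alice@example.com","Success":false,"Error":"permission denied","ServerResponseDurationMs":28}
{"Datetime":"2026-02-27T10:00:15Z","PortalID":"portal-1","PortalAUD":"aud-1","ServerID":"srv-b","ServerURL":"https://mcp.example.internal/b","Method":"prompts/get","ToolCallName":"","PromptGetName":"summarize","ResourceReadURI":"","UserID":"u2","UserEmail":"bob@example.com","Success":true,"Error":"","ServerResponseDurationMs":200}
"""


def parse_records(ndjson: str) -> list:
    """Parse NDJSON into dicts, skipping blank lines and unparsable lines."""
    records = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole batch
    return records


def method_target(rec: dict) -> str:
    """Return the method-specific identifier; only one of the three is set per record."""
    return (rec.get("ToolCallName") or rec.get("PromptGetName")
            or rec.get("ResourceReadURI") or "")


def triage(records: list, slow_ms: int = 2000, min_failures: int = 2) -> dict:
    """Summarize one export for review.

    Returns:
      calls_per_user:        tools/call count per UserEmail
      repeated_failures:     (UserEmail, ToolCallName) pairs where the same user
                             failed the same tool at least `min_failures` times
      slow_requests:         (ServerID, Method, target, ms) above `slow_ms`
      error_rate_by_server:  failed / total per ServerID
    """
    calls_per_user = Counter()
    failed_pairs = Counter()
    totals, failures = Counter(), Counter()
    slow = []
    for rec in records:
        server = rec.get("ServerID", "")
        ok = bool(rec.get("Success", False))
        totals[server] += 1
        if not ok:
            failures[server] += 1
        if rec.get("Method") == "tools/call":
            user = rec.get("UserEmail", "")
            calls_per_user[user] += 1
            if not ok:
                failed_pairs[(user, rec.get("ToolCallName", ""))] += 1
        ms = int(rec.get("ServerResponseDurationMs") or 0)
        if ms > slow_ms:
            slow.append((server, rec.get("Method", ""), method_target(rec), ms))
    return {
        "calls_per_user": dict(calls_per_user),
        "repeated_failures": sorted(p for p, n in failed_pairs.items() if n >= min_failures),
        "slow_requests": slow,
        "error_rate_by_server": {s: failures[s] / totals[s] for s in totals},
    }


if __name__ == "__main__":
    summary = triage(parse_records(SAMPLE_NDJSON))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The same aggregation keyed on `PortalID` or `ServerURL` instead of `ServerID` gives a per-portal or per-upstream view; the point is that the method-specific identifier is what makes a failed `tools/call` reviewable, so keep `ToolCallName`, `PromptGetName` and `ResourceReadURI` in whatever you forward to the SIEM.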

#### Set up Logpush

To configure Logpush for MCP server portal logs, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

**Note:** MCP server portals are currently in beta.

## 2026-02-27

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)

**New protocols added for Gateway Protocol Detection (Beta)**

Gateway [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) now supports seven additional protocols in beta:

| Protocol     | Notes                                              |
| ------------ | -------------------------------------------------- |
| IMAP         | Internet Message Access Protocol — email retrieval |
| POP3         | Post Office Protocol v3 — email retrieval          |
| SMTP         | Simple Mail Transfer Protocol — email sending      |
| MYSQL        | MySQL database wire protocol                       |
| RSYNC-DAEMON | rsync daemon protocol                              |
| LDAP         | Lightweight Directory Access Protocol              |
| NTP          | Network Time Protocol                              |

These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the _Detected Protocol_ selector in [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to identify and filter traffic based on the application-layer protocol, without relying on port-based identification.

If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic.

For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/).

## 2026-02-24

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)

**WARP client for Windows (version 2026.1.150.0)**

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features.

**Changes and improvements**

* Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where the Mobile Device Management (MDM) configuration association could be lost when switching from a pre-login registration to a user registration.
* Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/).
* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
* Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
* Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.
* Improved service shutdown behavior in cases where the daemon is unresponsive.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2026-02-24

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)

**WARP client for macOS (version 2026.1.150.0)**

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
* Fixed an issue with DNS server configuration failures that caused tunnel connection delays.
* Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
* Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.

## 2026-02-24

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)

**WARP client for Linux (version 2026.1.150.0)**

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com).

**Changes and improvements**

* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
* Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
* Fixed issues causing DNS requests to fail with clients in Traffic and DNS mode or DNS only mode.

## 2026-02-20

[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)

**Understand CASB findings instantly with Cloudy Summaries**

You can now easily understand your SaaS security posture findings and why they were detected with **Cloudy Summaries in CASB**. This feature integrates Cloudflare's Cloudy AI directly into your CASB Posture Findings to automatically generate clear, plain-language summaries of complex security misconfigurations, third-party app risks, and data exposures.

This allows security teams and IT administrators to drastically reduce triage time by immediately understanding the context, potential impact, and necessary remediation steps for any given finding—without needing to be an expert in every connected SaaS application.

To view a summary, go to your Posture Findings in the Cloudflare One dashboard (under **Cloud and SaaS findings**) and open the details of a specific finding instance.

Cloudy Summaries are supported on all available integrations, including Microsoft 365, Google Workspace, Salesforce, GitHub, AWS, Slack, and Dropbox. See the full list of supported integrations [here](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/).

#### Key capabilities

* **Contextual explanations** — Quickly understand the specifics of a finding with plain-language summaries detailing exactly what was detected, from publicly shared sensitive files to risky third-party app scopes.
* **Clear risk assessment** — Instantly grasp the potential security impact of the finding, such as data breach risks, unauthorized account access, or email spoofing vulnerabilities.
* **Actionable guidance** — Get clear recommendations and next steps on how to effectively remediate the issue and secure your environment.
* **Built-in feedback** — Help improve future AI summarization accuracy by submitting feedback directly using the thumbs-up and thumbs-down buttons.

#### Learn more

* Learn more about managing [CASB Posture Findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/) in Cloudflare.

Cloudy Summaries in CASB are available to all Cloudflare CASB users today.

## 2026-02-20

[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/) [ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)

**Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard**

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) is now available in the main Cloudflare Dashboard at [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels), bringing first-class Tunnel management to developers using Tunnel for securing origin servers.

![Manage Tunnels in the Core Dashboard](https://developers.cloudflare.com/_astro/tunnel-core-dashboard.BGPqaHfo_Pi6HO.webp) 

This new experience provides everything you need to manage Tunnels for [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), including:

* **Full Tunnel lifecycle management**: Create, configure, delete, and monitor all your Tunnels in one place.
* **Native integrations**: View Tunnels by name when configuring [DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) and [Workers VPC](https://developers.cloudflare.com/workers-vpc/) — no more copy-pasting UUIDs.
* **Real-time visibility**: Monitor [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) and Tunnel [health status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#tunnel-status) directly in the dashboard.
* **Routing map**: Manage all ingress routes for your Tunnel, including [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), [private hostnames](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/), [private CIDRs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/), and [Workers VPC services](https://developers.cloudflare.com/workers-vpc/), from a single interactive interface.

#### Choose the right dashboard for your use case

**Core Dashboard**: Navigate to [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels) to manage Tunnels for:

* Securing origin servers and [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) with CDN, WAF, Load Balancing, and DDoS protection
* Connecting [Workers to private services](https://developers.cloudflare.com/workers-vpc/) via Workers VPC

**Cloudflare One Dashboard**: Navigate to [Zero Trust > Networks > Connectors ↗](https://one.dash.cloudflare.com/?to=/:account/networks/connectors) to manage Tunnels for:

* Securing your public applications with [Zero Trust access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/)
* Connecting users to [private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/)
* Building a [private mesh network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks)

Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow.

#### Get started

New to Tunnel? Learn how to [get started with Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or explore advanced use cases like [securing SSH servers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/) or [running Tunnels in Kubernetes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes/).

## 2026-02-19

[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/)

**DEX Supports EU Customer Metadata Boundary**

[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into [WARP](https://developers.cloudflare.com/warp-client/) device connectivity and performance to any internal or external application.

Now, all DEX logs are fully compatible with Cloudflare's [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/) (CMB) setting for the 'EU' (European Union), which ensures that DEX logs will not be stored outside the 'EU' when the option is configured.

If a Cloudflare One customer using DEX enables CMB 'EU', they will not see any DEX data in the Cloudflare One dashboard. Customers can ingest DEX data via [LogPush](https://developers.cloudflare.com/logs/logpush/), and build their own analytics and dashboards.

If a customer enables CMB in their account, they will see the following message in the Digital Experience dashboard: "DEX data is unavailable because Customer Metadata Boundary configuration is on. Use Cloudflare LogPush to export DEX datasets."

![Digital Experience Monitoring message when Customer Metadata Boundary for the EU is enabled](https://developers.cloudflare.com/_astro/dex_supports_cmb.6YOLXjHN_ZJh3uv.webp) 

## 2026-02-17

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)

**Streamlined clientless browser isolation for private applications**

A new **Allow clientless access** setting makes it easier to connect users without a device client to internal applications, without using public DNS.

![Allow clientless access setting in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/allow-clientless-access.BHKwQuVt_1mLRiX.webp) 

Previously, to provide clientless access to a private hostname or IP without a [published application](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/#add-a-published-application-route), you had to create a separate [bookmark application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/) pointing to a prefixed [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL (for example, `https://<your-teamname>.cloudflareaccess.com/browser/https://10.0.0.1/`). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application.

Now, you can manage clientless access directly within your [private self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). When **Allow clientless access** is turned on, users who pass your Access application policies will see a tile in their App Launcher pointing to the prefixed URL. Users must have [remote browser permissions](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) to open the link.

## 2026-02-17

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Policies for bookmark applications**   

You can now assign [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to [bookmark applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/). This lets you control which users see a bookmark in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) based on identity, device posture, and other policy rules.

Previously, bookmark applications were visible to all users in your organization. With policy support, you can now:

* **Tailor the App Launcher to each user** — Users only see the applications they have access to, reducing clutter and preventing accidental clicks on irrelevant resources.
* **Restrict visibility of sensitive bookmarks** — Limit who can view bookmarks to internal tools or partner resources based on group membership, identity provider, or device posture.

Bookmarks support all [Access policy configurations](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) except purpose justification, temporary authentication, and application isolation. If no policy is assigned, the bookmark remains visible to all users (maintaining backwards compatibility).

For more information, refer to [Add bookmarks](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/).

## 2026-02-17

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)[ Network Flow ](https://developers.cloudflare.com/network-flow/) 

  
**Cloudflare One Product Name Updates**   

We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.

We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare.

#### What's changing

* **Magic WAN** → **Cloudflare WAN**
* **Magic WAN IPsec** → **Cloudflare IPsec**
* **Magic WAN GRE** → **Cloudflare GRE**
* **Magic WAN Connector** → **Cloudflare One Appliance**
* **Magic Firewall** → **Cloudflare Network Firewall**
* **Magic Network Monitoring** → **Network Flow**
* **Magic Cloud Networking** → **Cloudflare One Multi-cloud Networking**

**No action is required by you** — all functionality, existing configurations, and billing will remain exactly the same.

For more information, visit the [Cloudflare One documentation](https://developers.cloudflare.com/cloudflare-one/).

## 2026-02-13

[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Fine-grained permissions for Access policies and service tokens**   

Fine-grained permissions for **Access policies** and **Access service tokens** are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources.

#### New roles

* **Cloudflare Access policy admin**: Can edit a specific [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) in an account.
* **Cloudflare Access service token admin**: Can edit a specific [Access service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) in an account.

These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets.

For more information:

* [Resource-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#resource-scoped-roles)
* [Role scopes](https://developers.cloudflare.com/fundamentals/manage-members/scope/)

Note

Resource-scoped roles are currently in beta.

## 2026-02-12

[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Anycast IPs displayed on the dashboard**   

Cloudflare WAN now displays your Anycast IP addresses directly in the dashboard when you configure IPsec or GRE tunnels.

Previously, customers received their Anycast IPs during onboarding or had to retrieve them with an API call. The dashboard now pre-loads these addresses, reducing setup friction and preventing configuration errors.

No action is required. All Cloudflare WAN customers can see their Anycast IPs in the tunnel configuration form automatically.

For more information, refer to [Configure tunnel endpoints](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-tunnel-endpoints/).

## 2026-02-11

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Post-quantum encryption support for Cloudflare One Appliance**   

Cloudflare One Appliance version 2026.2.0 adds [post-quantum encryption](https://developers.cloudflare.com/ssl/post-quantum-cryptography/) support using hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

The appliance now uses TLS 1.3 with hybrid ML-KEM for its connection to the Cloudflare edge. During the TLS handshake, the appliance and the edge share a symmetric secret over the TLS connection and inject it into the ESP layer of IPsec. This protects IPsec data plane traffic against harvest-now, decrypt-later attacks.

This upgrade deploys automatically to all appliances during their configured interrupt windows with no manual action required.

For more information, refer to [Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/).

## 2026-02-02

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Improved Accessibility and Search for Monitoring**   

We have updated the Monitoring page to provide a more streamlined and insightful experience for administrators, improving both data visualization and dashboard accessibility.

* **Enhanced Visual Layout**: Optimized contrast and the introduction of stacked bar charts for clearer data visualization and trend analysis.  
   ![visual-example](https://developers.cloudflare.com/_astro/monitoring-bar-charts.Bi-4BuXC_xiAlF.webp)
* **Improved Accessibility & Usability**:  
   * **Widget Search**: Added search functionality to multiple widgets, including Policies, Submitters, and Impersonation.  
   * **Actionable UI**: All available actions are now accessible via dedicated buttons.  
   * **State Indicators**: Improved UI states to clearly communicate loading, empty datasets, and error conditions.  
   ![buttons-example](https://developers.cloudflare.com/_astro/monitoring-buttons.DORPJvP__1JBNhu.webp)
* **Granular Data Breakdowns**: New views for dispositions by month, malicious email details, link actions, and impersonations.  
   ![monthly-example](https://developers.cloudflare.com/_astro/monitoring-monthly-dispositions.CYuI5d9y_ZSVir3.webp)

This applies to all Email Security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2026-01-30

[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**BGP over GRE and IPsec tunnels**   

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using IPsec and GRE tunnel on-ramps (beta).

Using BGP peering allows customers to:

* Automate the process of adding or removing networks and subnets.
* Take advantage of failure detection and session recovery features.

With this functionality, customers can:

* Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via IPsec and GRE tunnel on-ramps.
* Secure the session with MD5 authentication to prevent misconfigurations.
* Exchange routes dynamically between their devices and their Magic routing table.

For configuration details, refer to:

* [Configure BGP routes for Magic WAN](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-routes/#configure-bgp-routes)
* [Configure BGP routes for Magic Transit](https://developers.cloudflare.com/magic-transit/how-to/configure-routes/#configure-bgp-routes)

## 2026-01-27

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2026.1.89.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes, improvements, and new features.

**Changes and improvements**

* Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where, when switching from a pre-login registration to a user registration, the Mobile Device Management (MDM) configuration association could be lost.
* Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/).
* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
   To work around this issue, reconnect the WARP client by toggling it off and back on.

## 2026-01-27

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2026.1.89.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

## 2026-01-27

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Configure Cloudflare source IPs (beta)**   

Cloudflare source IPs are the IP addresses used by Cloudflare services (such as Load Balancing, Gateway, and Browser Isolation) when sending traffic to your private networks.

For customers using legacy mode routing, traffic to private networks is sourced from public Cloudflare IPs, which may cause IP conflicts. For customers using Unified Routing mode (beta), traffic to private networks is sourced from a dedicated, non-Internet-routable private IPv4 range to ensure:

* Symmetric routing over private network connections
* Proper firewall state preservation
* Private traffic stays on secure paths

Key details:

* **IPv4**: Sourced from `100.64.0.0/12` by default, configurable to any `/12` CIDR
* **IPv6**: Sourced from `2606:4700:cf1:5000::/64` (not configurable)
* **Affected connectors**: GRE, IPsec, CNI, WARP Connector, and WARP Client (Cloudflare Tunnel is not affected)

Configuring Cloudflare source IPs requires Unified Routing (beta) and the `Cloudflare One Networks Write` permission.

For configuration details, refer to [Configure Cloudflare source IPs](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-cloudflare-source-ips/).
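The changelog says the IPv4 source range defaults to `100.64.0.0/12` and can be changed to any `/12` CIDR, and that the point of a dedicated range is to avoid the IP conflicts seen in legacy mode. Before changing the range it is worth checking a candidate against the subnets already in use behind your on-ramps. The script below is an added example and not Cloudflare's code: it validates prefix length, requires the candidate to sit inside a non-Internet-routable block (an extra check added here as sensible practice, not a rule stated on the page), and reports overlaps with a constructed inventory of internal subnets.

```python
"""Vet a candidate Cloudflare source IP range before switching away from the default.

Added example, not Cloudflare's code. The changelog states that with Unified
Routing the IPv4 source range defaults to 100.64.0.0/12 and is configurable to
any /12 CIDR, and that the dedicated range exists to avoid IP conflicts. The
non-routable-block requirement below is an assumption added as good practice;
the subnet inventory is constructed sample data.
"""
import ipaddress

DEFAULT_SOURCE_RANGE = ipaddress.ip_network("100.64.0.0/12")

# Blocks an operator would reasonably draw a source range from: RFC 1918
# private space and RFC 6598 shared address space (where the default lives).
NON_ROUTABLE_BLOCKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]

# Constructed example inventory of subnets already in use behind the on-ramps.
SAMPLE_INTERNAL_SUBNETS = [
    "10.10.0.0/16",    # corporate LAN
    "10.20.0.0/16",    # data centre
    "192.168.0.0/16",  # branch offices
    "100.64.0.0/16",   # CGNAT space reused internally: conflicts with the default
]


def validate_source_range(candidate: str, internal_subnets) -> list:
    """Return the problems found with a candidate range; [] means acceptable."""
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR: {exc}"]
    if net.version != 4:
        return ["IPv4 range required (the IPv6 source range is not configurable)"]
    problems = []
    if net.prefixlen != 12:
        problems.append(f"prefix length must be /12, got /{net.prefixlen}")
    if not any(net.subnet_of(block) for block in NON_ROUTABLE_BLOCKS):
        problems.append("range is not inside a non-Internet-routable block")
    for cidr in internal_subnets:
        subnet = ipaddress.ip_network(cidr)
        if net.overlaps(subnet):
            problems.append(f"overlaps internal subnet {subnet}")
    return problems


def first_usable(candidates, internal_subnets):
    """Return the first candidate that passes every check, or None."""
    for cidr in candidates:
        if not validate_source_range(cidr, internal_subnets):
            return cidr
    return None


if __name__ == "__main__":
    for cidr in (str(DEFAULT_SOURCE_RANGE), "100.80.0.0/12", "10.16.0.0/12", "203.0.113.0/24"):
        problems = validate_source_range(cidr, SAMPLE_INTERNAL_SUBNETS)
        print(f"{cidr}: {'ok' if not problems else '; '.join(problems)}")
```

With the sample inventory the default range collides with the internally reused `100.64.0.0/16`, so `first_usable` skips it and settles on `100.80.0.0/12`. Feed the function your real routed subnets (for example the CIDRs behind each GRE, IPsec or WARP Connector on-ramp) rather than the constructed list.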

## 2026-01-22

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Require Access protection for zones**   

You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked.

This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed.

![Require Cloudflare Access protection in the dashboard](https://developers.cloudflare.com/_astro/require-cloudflare-access-protection.BAUmTYOs_ZxNecb.webp) 

#### How it works

* **Blocked by default**: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname.
* **Explicit access required**: To allow traffic, create an Access application with an Allow or Bypass policy.
* **Hostname exemptions**: You can exempt specific hostnames from this requirement.

To turn on this feature, refer to [Require Access protection](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/require-access-protection/).
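Because the setting blocks every hostname without an Access application, the practical question before turning it on is which hostnames in the account are currently uncovered. The script below is an added example, not Cloudflare's code: it models the deny-by-default rule from the three bullets above (blocked unless an application exists, unless the hostname is exempted) over a constructed list of hostnames and applications. Treating a `*.suffix` application domain as covering subdomains at any depth is an assumption made for this example.

```python
"""Preview which hostnames "Require Access protection" would start blocking.

Added example, not Cloudflare's code. It models the deny-by-default rule the
changelog describes: traffic to a hostname is blocked unless an Access
application exists for it or the hostname has been exempted. The hostname
list, the applications and the exemption are constructed sample data; treating
a "*.suffix" application domain as matching subdomains at any depth is an
assumption made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessApp:
    """A minimal stand-in for an Access application's domain list."""
    name: str
    domains: tuple  # "host", "host/path" or "*.suffix" entries


def hostname_of(entry: str) -> str:
    """Lower-cased hostname part of a domain entry, with any path dropped."""
    return entry.split("/", 1)[0].strip().lower().rstrip(".")


def entry_matches(entry: str, hostname: str) -> bool:
    """True if an application domain entry covers the hostname."""
    pattern, host = hostname_of(entry), hostname_of(hostname)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def coverage_report(hostnames, apps, exemptions=()) -> dict:
    """Map each hostname to "covered:<app>", "exempt" or "BLOCKED"."""
    exempt = {hostname_of(h) for h in exemptions}
    report = {}
    for host in hostnames:
        if hostname_of(host) in exempt:
            report[host] = "exempt"
            continue
        app = next((a.name for a in apps
                    if any(entry_matches(d, host) for d in a.domains)), None)
        report[host] = f"covered:{app}" if app else "BLOCKED"
    return report


def blocked_hostnames(report: dict) -> list:
    """Hostnames that have neither an application nor an exemption."""
    return sorted(h for h, status in report.items() if status == "BLOCKED")


# Constructed inventory: hostnames with proxied DNS records in the account.
SAMPLE_HOSTNAMES = [
    "intranet.example.com",
    "wiki.example.com",
    "dev-api.example.com",          # deployed without an Access application
    "staging.internal.example.com",
    "www.example.com",              # public site, deliberately exempted
    "status.example.com",           # DNS record created, nobody added an app
]

SAMPLE_APPS = [
    AccessApp("Intranet", ("intranet.example.com",)),
    AccessApp("Internal tools", ("*.internal.example.com", "wiki.example.com/")),
]

SAMPLE_EXEMPTIONS = ("www.example.com",)

REPORT = coverage_report(SAMPLE_HOSTNAMES, SAMPLE_APPS, SAMPLE_EXEMPTIONS)

if __name__ == "__main__":
    for host, status in REPORT.items():
        print(f"{host:32} {status}")
    print("would be blocked:", blocked_hostnames(REPORT))
```

The report only tells you whether an application exists for a hostname; once one does, the application's own Allow or Bypass policy decides who gets through. Run it over the account's real DNS records and application list to find hostnames such as `dev-api.example.com` above that would silently start returning a block.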

## 2026-01-22

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**New granular API token permissions for Cloudflare Access**   

Three new API token permissions are available for Cloudflare Access, giving you finer-grained control when building automations and integrations:

* **Access: Organizations Revoke** — Grants the ability to [revoke user sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#revoke-user-sessions) in a Zero Trust organization. Use this permission when you need a token that can terminate active sessions without broader write access to organization settings.
* **Access: Population Read** — Grants read access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that only need to read synced user and group data.
* **Access: Population Write** — Grants write access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that need to create or modify synced user and group data.

These permissions are scoped at the account level and can be combined with existing Access permissions.

For a full list of available permissions, refer to [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).

## 2026-01-15

[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Network Flow ](https://developers.cloudflare.com/network-flow/) 

  
**Network Services navigation update**   

The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together.

Your existing configurations will remain the same, and you will have access to all of the same features and functionality.

The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to [Magic Transit ↗](https://developers.cloudflare.com/magic-transit/), [Magic WAN ↗](https://developers.cloudflare.com/magic-wan/), and [Magic Firewall ↗](https://developers.cloudflare.com/cloudflare-network-firewall/).

**Summary of changes:**

* A new **Overview** page provides access to the most common tasks across Magic Transit and Magic WAN.
* Product names have been removed from top-level navigation.
* Magic Transit and Magic WAN configuration is now organized under **Routes** and **Connectors**. For example, you will find IP Prefixes under **Routes**, and your GRE/IPsec Tunnels under **Connectors.**
* Magic Firewall policies are now called **Firewall Policies.**
* Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as **Appliances** and **Appliance profiles.** They can be found under **Connectors > Appliances.**
* Network analytics, network health, and real-time analytics are now available under **Insights.**
* Packet Captures are found under **Insights > Diagnostics.**
* You can manage your Sites from **Insights > Network health.**
* You can find Magic Network Monitoring under **Insights > Network flow**.

If you would like to provide feedback, complete [this form ↗](https://forms.gle/htWyjRsTjw1usdis5). You can also find these details in the January 7, 2026 email titled **\[FYI\] Upcoming Network Services Dashboard Navigation Update**.

![Networking Navigation](https://developers.cloudflare.com/_astro/networking-overview-and-navigation.CeMgEFaZ_Z20HKl.webp) 

## 2026-01-15

[ Risk Score ](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/) 

  
**Support for CrowdStrike device scores in User Risk Scoring**   

Cloudflare One has expanded its [User Risk Scoring](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/) capabilities by introducing two new behaviors for organizations using the [CrowdStrike integration](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/crowdstrike/).

Administrators can now automatically escalate the risk score of a user if their device matches specific CrowdStrike Zero Trust Assessment (ZTA) score ranges. This allows for more granular security policies that respond dynamically to the health of the endpoint.

#### New risk behaviors

The following risk scoring behaviors are now available:

* **CrowdStrike low device score**: Automatically increases a user's risk score when the connected device reports a "Low" score from CrowdStrike.
* **CrowdStrike medium device score**: Automatically increases a user's risk score when the connected device reports a "Medium" score from CrowdStrike.

These scores are derived from [CrowdStrike device posture attributes](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes), including OS signals and sensor configurations.

## 2026-01-15

[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) 

  
**Verify WARP Connector connectivity with a simple ping**   

We have made it easier to validate connectivity when deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) as part of your [software-defined private network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks).

You can now `ping` the WARP Connector host directly on its LAN IP address immediately after installation. This provides a fast, familiar way to confirm that the Connector is online and reachable within your network before testing access to downstream services.

Starting with [version 2025.10.186.0](https://developers.cloudflare.com/changelog/2026-01-13-warp-linux-ga/), WARP Connector responds to traffic addressed to its own LAN IP, giving you immediate visibility into Connector reachability.

Learn more about deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) and building private network connectivity with [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

## 2026-01-13

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.10.186.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features. New features include the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/), and a new WARP client device posture check for [Antivirus](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/antivirus/).

**Changes and improvements**

* Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.
* Fixed an issue that caused occasional audio degradation and increased CPU usage on Windows by optimizing route configurations for large [domain-based split tunnel rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#domain-based-split-tunnels).
* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.
* Fixed an issue where sending large messages to the daemon by Inter-Process Communication (IPC) could cause the daemon to fail and result in service interruptions.
* Added support for a new WARP client device posture check for [Antivirus](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/antivirus/). The check confirms the presence of an antivirus program on a Windows device with the option to check if the antivirus is up to date.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
   To work around this issue, reconnect the WARP client by toggling it off and back on.

## 2026-01-13

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.10.186.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/).

**Changes and improvements**

* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.
* Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

## 2026-01-13

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.10.186.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/).

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com).

**Changes and improvements**

* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* Linux [disk encryption posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/disk-encryption/) now supports non-filesystem encryption types like `dm-crypt`.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.
* Fixed an issue where the GUI became unresponsive when the **Re-Authenticate in browser** button was clicked.
* Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

## 2026-01-12

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Enhanced visibility for post-delivery actions**   

The Action Log now provides enriched data for post-delivery actions to improve troubleshooting. In addition to success confirmations, failed actions now display the targeted Destination folder and a specific failure reason within the Activity field.

Note: Error messages will vary depending on whether you are using Google Workspace or Microsoft 365.

![failure-log-example](https://developers.cloudflare.com/_astro/enhanced-visibility-post-delivery-actions.BNiyPtJU_GFx2V.webp) 

This update allows you to see the full lifecycle of a failed action. For instance, if an administrator tries to move an email that has already been deleted or moved manually, the log will now show the multiple retry attempts and the specific destination error.

This applies to all Email Security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2026-01-08

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Cloudflare admin activity logs capture creation of DNS over HTTP (DoH) users**   

Cloudflare [admin activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) now capture each time a [DNS over HTTP (DoH) user](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/) is created.

These logs can be viewed from the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com/), pulled via the [Cloudflare API](https://developers.cloudflare.com/api/), and exported through [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

## 2025-12-31

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Breakout traffic visibility via NetFlow**   

Magic WAN Connector now exports NetFlow data for breakout traffic to Magic Network Monitoring (MNM), providing visibility into traffic that bypasses Cloudflare's security filtering.

This feature allows you to:

* Monitor breakout traffic statistics in the Cloudflare dashboard.
* View traffic patterns for applications configured to bypass Cloudflare.
* Maintain visibility across all traffic passing through your Magic WAN Connector.

For more information, refer to [NetFlow statistics](https://developers.cloudflare.com/cloudflare-wan/analytics/netflow-analytics/).

## 2025-12-17

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**Shadow IT - domain level SaaS analytics**   

Zero Trust has again upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organization's use of SaaS tools. With this dashboard, you can review who is using an application and the volume of data transferred to the application.

With this update, you can review data transfer metrics at the domain level, rather than just the application level, providing more granular insight into your data transfer patterns.

![New Domain Level Metrics](https://developers.cloudflare.com/_astro/shadow-it-domain.DoZnGAtf_Z1mHw4r.webp) 

These metrics can be filtered by all available filters on the dashboard, including user, application, or content category.

Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control.

## 2025-12-16

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New duplicate action for supported Cloudflare One resources**   

You can now duplicate specific Cloudflare One resources with a single click from the dashboard.

Initially supported resources:

* Access Applications
* Access Policies
* Gateway Policies

To try this out, simply click on the overflow menu (⋮) from the resource table and click _Duplicate_. We will continue to add the Duplicate action for resources throughout 2026.

## 2025-12-09

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.10.118.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.
* Fixed an issue where sending large messages to the WARP daemon by Inter-Process Communication (IPC) could cause WARP to crash and result in service interruptions.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
   * A custom DNS server address is configured on the primary network adapter.
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.

  To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-12-09

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.10.118.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.

## 2025-12-03

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Reclassifications to Submissions**   

We have updated the terminology “Reclassify” and “Reclassifications” to “Submit” and “Submissions” respectively. This update more accurately reflects the outcome of providing these items to Cloudflare.

Submissions are leveraged to tune future variants of campaigns. To respect data sanctity, providing a submission does not change the original disposition of the emails submitted.

![nav_example](https://developers.cloudflare.com/_astro/reclassification-submission.B6nL5Hw7_Z2qliyJ.webp) 

This applies to all Email Security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-11-18

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Adjustment to Final Disposition Column**   

The **Final Disposition** column in the **Submissions** > **Team Submissions** tab is changing for non-PhishGuard customers.

#### What's Changing

* The column will be called **Status** instead of **Final Disposition**.
* The column's status values will now be **Submitted**, **Accepted**, or **Rejected**.

#### Next Steps

We will listen carefully to your feedback and continue to find comprehensive ways to communicate updates on your submissions. Your submissions will continue to be addressed at an even greater rate than before, fuelling faster and more accurate email security improvement.

## 2025-11-17

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New Cloudflare One Navigation and Product Experience**   

The Zero Trust dashboard and navigation are receiving significant and exciting updates. The dashboard is being restructured to better support common tasks and workflows, and various pages have been moved and consolidated.

There is a new guided experience on login detailing the changes, and you can use the Zero Trust dashboard search to find product pages by both their new and old names, as well as your created resources. To replay the guided experience, you can find it in Overview > Get Started.

![Cloudflare One Dash Changes](https://developers.cloudflare.com/_astro/cf1-dash-changes.Uk_Y-2V-_ZUKoJR.webp) 

**Notable changes**

* Product names have been removed from many top-level navigation items to help bring clarity to what they help you accomplish. For example, you can find Gateway policies under 'Traffic policies' and CASB findings under 'Cloud & SaaS findings'.
* You can view all analytics, logs, and real-time monitoring tools from 'Insights'.
* 'Networks' better maps the ways that your corporate network interacts with Cloudflare. Some pages, like Tunnels, are now a tab rather than a full page as part of these changes. You can find them at Networks > Connectors.
* Settings are now located closer to the tools and resources they impact. For example, this means you'll find your WARP configurations at Team & Resources > Devices.

![New Cloudflare One Navigation](https://developers.cloudflare.com/_astro/new-cf1-navigation.B7-E-9CV_18BSsx.webp) 

No changes to our API endpoint structure or to any backend services have been made as part of this effort.

## 2025-11-14

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Generate Cloudflare Access SSH certificate authority (CA) directly from the Cloudflare dashboard**   

SSH with [Cloudflare Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) allows you to use short-lived SSH certificates to eliminate SSH key management and reduce security risks associated with lost or stolen keys.

Previously, users had to generate this certificate by using the [Cloudflare API ↗](https://developers.cloudflare.com/api/) directly. With this update, you can now create and manage this certificate in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com) from the **Access controls** > **Service credentials** page.

![Navigate to Access controls and then Service credentials to see where you can generate an SSH CA](https://developers.cloudflare.com/_astro/SSH-CA-generation.DYa9RnX1_ZKuDAo.webp) 

For more details, refer to [Generate a Cloudflare SSH CA](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#generate-a-cloudflare-ssh-ca).

## 2025-11-14

[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) 

  
**New SaaS Security weekly digests with API CASB**   

You can now stay on top of your SaaS security posture with the new **CASB Weekly Digest** notification. This opt-in email digest is delivered to your inbox every Monday morning and provides a high-level summary of your organization's Cloudflare API CASB findings from the previous week.

This allows security teams and IT administrators to get proactive, at-a-glance visibility into new risks and integration health without having to log in to the dashboard.

To opt in, navigate to **Manage Account** > **Notifications** in the Cloudflare dashboard to configure the **CASB Weekly Digest** alert type.

#### Key capabilities

* **At-a-glance summary** — Review new high/critical findings, most frequent finding types, and new content exposures from the past 7 days.
* **Integration health** — Instantly see the status of all your connected SaaS integrations (Healthy, Unhealthy, or Paused) to spot API connection issues.
* **Proactive alerting** — The digest is sent automatically to all subscribed users every Monday morning.
* **Easy to configure** — Users can opt in by enabling the notification in the Cloudflare dashboard under **Manage Account** > **Notifications**.

#### Learn more

* Configure [notification preferences](https://developers.cloudflare.com/notifications/) in Cloudflare.

The CASB Weekly Digest notification is available to all Cloudflare users today.

## 2025-11-12

[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) 

  
**DEX Logpush jobs**   

[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into WARP device metrics, connectivity, and network performance across your Cloudflare SASE deployment.

We've released four new WARP and DEX device data sets that can be exported via [Cloudflare Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). These Logpush data sets can be exported to R2, a cloud bucket, or a SIEM to build a customized logging and analytics experience.

1. [DEX Application Tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/)
2. [DEX Device State Events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fdevice%5Fstate%5Fevents/)
3. [WARP Config Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Fconfig%5Fchanges/)
4. [WARP Toggle Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Ftoggle%5Fchanges/)

To create a new DEX or WARP Logpush job, customers can go to the account level of the Cloudflare dashboard > Analytics & Logs > Logpush to get started.

![DEX logpush job creation dashboard](https://developers.cloudflare.com/_astro/dex_logpush_datasets.CtCk36pX_Z1tuyHu.webp) 
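The dashboard flow above has an API equivalent. The following is an added example, not Cloudflare's own code: it builds the request body for the Cloudflare Logpush job API (`POST /accounts/{account_id}/logpush/jobs`) for one of the four DEX/WARP datasets listed in this entry, using an R2 destination. The account ID, bucket path and R2 credentials are placeholders, and the request is only sent when `create_job()` is called with a real API token. Because the R2 access key and secret travel inside the `destination_conf` string, the example also shows how to redact that string before writing a job definition to your own logs.

```python
"""Build (and optionally submit) a Logpush job for a DEX/WARP dataset.

Added example, not Cloudflare's code. Assumes the Logpush job API
(POST /accounts/{account_id}/logpush/jobs) and the R2 destination string
format documented by Cloudflare; all ids and credentials below are
placeholders.
"""
import json
import urllib.request

# Dataset identifiers taken from the four datasets listed in the entry.
DEX_WARP_DATASETS = {
    "dex_application_tests",
    "dex_device_state_events",
    "warp_config_changes",
    "warp_toggle_changes",
}

CREDENTIAL_PARAMS = {"access-key-id", "secret-access-key"}


def r2_destination(bucket_path, account_id, access_key_id, secret_access_key):
    """R2 destination string in the form the Logpush API expects."""
    return (
        f"r2://{bucket_path}?account-id={account_id}"
        f"&access-key-id={access_key_id}&secret-access-key={secret_access_key}"
    )


def build_job(name, dataset, destination_conf, enabled=True):
    """Return the JSON-serialisable request body, rejecting unknown datasets."""
    if dataset not in DEX_WARP_DATASETS:
        raise ValueError(f"{dataset!r} is not one of the DEX/WARP datasets")
    return {
        "name": name,
        "dataset": dataset,
        "destination_conf": destination_conf,
        "enabled": enabled,
        # RFC 3339 timestamps are easier for most SIEMs to parse than unixnano.
        "output_options": {"timestamp_format": "rfc3339"},
    }


def redact_destination(destination_conf):
    """Mask credential query parameters so a job definition can be logged safely."""
    base, _, query = destination_conf.partition("?")
    kept = []
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        if key in CREDENTIAL_PARAMS:
            value = "***"
        kept.append(f"{key}={value}")
    return base + ("?" + "&".join(kept) if kept else "")


def create_job(account_id, api_token, body, timeout=15):
    """Submit the job. Network call; not exercised offline."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs",
        data=json.dumps(body).encode(),
        headers={
            "Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders; replace with real values before calling create_job().
    dest = r2_destination("zt-logs/warp", "ACCOUNT_ID_PLACEHOLDER",
                          "KEY_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    job = build_job("warp-toggle-changes", "warp_toggle_changes", dest)
    print(json.dumps({**job, "destination_conf": redact_destination(dest)}, indent=2))
```

The WARP Toggle Changes and WARP Config Changes datasets are the ones a detection team usually wants first, since a device turning WARP off is the moment it leaves the Gateway policy path.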

## 2025-11-11

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.9.558.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features, including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues.

**Changes and improvements**

* Fixed an inconsistency with [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings in multi-user environments when switching between users.
* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
* Fixed an issue where deleting a registration was erroneously reported as having failed.
* Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery).
* Improvements for the [OS version](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/os-version/) WARP client check. Windows Update Build Revision (UBR) numbers can now be checked by the client to ensure devices have required security patches and features installed.
* The WARP client now supports Windows 11 ARM-based machines. For information on known limitations, refer to the [Known limitations page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/known-limitations/#cloudflare-one-client-disconnected-on-windows-arm).
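The UBR-aware OS version check above matters because two devices on the same Windows build can differ only in their UBR, which is exactly what separates a patched device from an unpatched one. The following added example is not the WARP client's implementation; it models the comparison a posture check has to make when a device reports `major.minor.build.UBR` (for instance `10.0.26100.4652`), with the build compared before the UBR so that a higher UBR on an older build never counts as "newer". The device reports are constructed; the required value `10.0.26100.4652` corresponds to the KB5062553 build named in the known issues below. The operator set is an assumption about how such a check is expressed.

```python
"""UBR-aware Windows version comparison, as a posture check would perform it.

Added example, not the WARP client's own code. Device report values are
constructed; the operator names are an assumption about the check's options.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class WinVersion:
    # Field order defines comparison order: build is decided before UBR.
    major: int
    minor: int
    build: int
    ubr: int

    @classmethod
    def parse(cls, text):
        """Parse 'major.minor.build.UBR'; reject anything else loudly."""
        parts = text.strip().split(".")
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            raise ValueError(f"expected major.minor.build.UBR, got {text!r}")
        return cls(*(int(p) for p in parts))


def meets_requirement(device, required, operator=">="):
    """Evaluate a device version against the required one with the given operator."""
    ops = {
        ">=": device >= required,
        ">": device > required,
        "==": device == required,
        "<=": device <= required,
        "<": device < required,
    }
    if operator not in ops:
        raise ValueError(f"unsupported operator {operator!r}")
    return ops[operator]


def failing_devices(reports, required, operator=">="):
    """Return device ids that do not satisfy the check, sorted for stable output."""
    return sorted(
        dev for dev, text in reports.items()
        if not meets_requirement(WinVersion.parse(text), required, operator)
    )


# Constructed fleet report: device id -> reported version string.
SAMPLE_REPORTS = {
    "laptop-01": "10.0.26100.4652",  # exactly the required build/UBR
    "laptop-02": "10.0.26100.4202",  # same build, older UBR: fails
    "laptop-03": "10.0.26100.6584",  # same build, newer UBR: passes
    "laptop-04": "10.0.22631.5624",  # older build despite higher UBR: fails
}
REQUIRED = WinVersion.parse("10.0.26100.4652")

if __name__ == "__main__":
    print("failing:", failing_devices(SAMPLE_REPORTS, REQUIRED))
```

`laptop-04` is the case a naive string or UBR-only comparison gets wrong: its UBR (5624) is higher than the required 4652, but it is on build 22631, so it still lacks the required update.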

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
   * A custom DNS server address is configured on the primary network adapter.
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.

  To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-11-11

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.9.558.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features, including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues.

**Changes and improvements**

* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
* Fixed an issue where deleting a registration was erroneously reported as having failed.
* Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery).

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-11-11

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.9.558.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features, including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues.

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025, to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/).

**Changes and improvements**

* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
* Fixed an issue where deleting a registration was erroneously reported as having failed.
* Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery).

## 2025-11-11

[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) 

  
**cloudflared proxy-dns command will be removed starting February 2, 2026**   

Starting February 2, 2026, the `cloudflared proxy-dns` command will be removed from all new `cloudflared` [releases](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/).

This change is being made to enhance security and address a potential vulnerability in an underlying DNS library. This vulnerability is specific to the `proxy-dns` command and does not affect any other `cloudflared` features, such as the core [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) service.

The `proxy-dns` command, which runs a client-side [DNS-over-HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) proxy, has been an officially undocumented feature for several years. This functionality is fully and securely supported by our actively developed products.

Versions of `cloudflared` released before this date will not be affected and will continue to operate. However, note that our [official support policy](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#deprecated-releases) for any `cloudflared` release is one year from its release date.

#### Migration paths

We strongly advise users of this undocumented feature to migrate to one of the following officially supported solutions before February 2, 2026, to continue benefiting from secure [DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/).

#### End-user devices

The preferred method for enabling DNS-over-HTTPS on user devices is the [Cloudflare WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). The WARP client automatically secures and proxies all DNS traffic from your device, integrating it with your organization's [Zero Trust policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and [posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

#### Servers, routers, and IoT devices

For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/).

Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) to Cloudflare for [filtering and logging](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).

## 2025-11-06

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Automatic Return Routing (Beta)**   

Magic WAN now supports Automatic Return Routing (ARR), allowing customers to configure Magic on-ramps (IPsec/GRE/CNI) to learn the return path for traffic flows without requiring static routes.

Key benefits:

* **Route-less mode**: Static or dynamic routes are optional when using ARR.
* **Overlapping IP space support**: Traffic originating from customer sites can use overlapping private IP ranges.
* **Symmetric routing**: Return traffic is guaranteed to use the same connection as the original on-ramp.

This feature is currently in beta and requires the new Unified Routing mode (beta).

For configuration details, refer to [Configure Automatic Return Routing](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-routes/#configure-automatic-return-routing-beta).

## 2025-11-06

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Designate WAN link for breakout traffic**   

Magic WAN Connector now allows you to designate a specific WAN port for breakout traffic, giving you deterministic control over the egress path for latency-sensitive applications.

With this feature, you can:

* Pin breakout traffic for specific applications to a preferred WAN port.
* Ensure critical traffic (such as Zoom or Teams) always uses your fastest or most reliable connection.
* Benefit from automatic failover to standard WAN port priority if the preferred port goes down.

This is useful for organizations with multiple ISP uplinks who need predictable egress behavior for performance-sensitive traffic.

For configuration details, refer to [Designate WAN ports for breakout apps](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/network-options/application-based-policies/breakout-traffic/#designate-wan-ports-for-breakout-apps).

## 2025-11-06

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Applications to be remapped to the new categories**   

We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to [Changelog](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/#2025-10-28). While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026. This timeline allows you a dedicated period to:

* Review the new category structure.
* Identify any policies you have that target the older categories.
* Adjust your rules to reference the new, more precise categories before the old mappings change.

Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition.
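The second step, identifying policies that target the older categories, is the one worth automating, because the effect of the remap differs by policy action: a block policy on a category that applications are leaving will silently stop blocking them, and an allow or isolate policy on a category that applications are joining will start matching new traffic. The following added example is not Cloudflare's code. It embeds a constructed subset of the "Applications being remapped" table from this entry and a few constructed policies that name the categories they match. Real Gateway rules reference categories by numeric ID inside a traffic expression; the name-based policy shape here is a deliberate simplification for illustration.

```python
"""Report which policies gain or lose applications under the category remap.

Added example, not Cloudflare's code. REMAPPING is a constructed subset of the
table in this changelog entry; POLICIES are constructed and use a simplified,
name-based representation of the categories each Gateway policy matches.
"""
from collections import defaultdict

# (application, existing category, new category) from the table in this entry.
REMAPPING = [
    ("Google Photos", "File Sharing", "Photography & Graphic Design"),
    ("Flickr", "File Sharing", "Photography & Graphic Design"),
    ("ADP", "Human Resources", "Business"),
    ("myCigna", "Human Resources", "Health & Fitness"),
    ("DocuSign", "Legal", "Business"),
    ("Airtable", "Productivity", "Development"),
    ("Coursera", "Productivity", "Education"),
    ("Vmware", "Productivity", "IT Management"),
]

# Constructed policies: name, action, and the application categories matched.
POLICIES = [
    {"name": "Block file sharing", "action": "block", "categories": {"File Sharing"}},
    {"name": "Allow HR tools", "action": "allow", "categories": {"Human Resources"}},
    {"name": "Isolate dev tools", "action": "isolate", "categories": {"Development"}},
    {"name": "Block gambling", "action": "block", "categories": {"Gambling"}},
]


def remap_index(remapping):
    """Return (leaving, arriving): category -> set of applications moving out / in."""
    leaving, arriving = defaultdict(set), defaultdict(set)
    for app, old, new in remapping:
        if old != new:
            leaving[old].add(app)
            arriving[new].add(app)
    return leaving, arriving


def affected_policies(policies, remapping):
    """Map each affected policy name to the applications it stops or starts matching."""
    leaving, arriving = remap_index(remapping)
    report = {}
    for policy in policies:
        loses = set().union(*(leaving.get(c, set()) for c in policy["categories"]))
        gains = set().union(*(arriving.get(c, set()) for c in policy["categories"]))
        if loses or gains:
            report[policy["name"]] = {
                "action": policy["action"],
                "no_longer_matches": sorted(loses),
                "newly_matches": sorted(gains),
            }
    return report


if __name__ == "__main__":
    for name, detail in affected_policies(POLICIES, REMAPPING).items():
        print(f"{name} ({detail['action']}):")
        if detail["no_longer_matches"]:
            print("  will no longer match:", ", ".join(detail["no_longer_matches"]))
        if detail["newly_matches"]:
            print("  will newly match:    ", ", ".join(detail["newly_matches"]))
```

Run against the full table, the "no longer matches" list for each block policy is the set of applications you must re-cover with a rule on the new category before the remap completes; the "newly matches" list for allow and isolate policies is where to expect unexplained changes in allowed or isolated traffic afterwards.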

**Applications being remapped**

| Application Name                | Existing Category | New Category                 |
| ------------------------------- | ----------------- | ---------------------------- |
| Google Photos                   | File Sharing      | Photography & Graphic Design |
| Flickr                          | File Sharing      | Photography & Graphic Design |
| ADP                             | Human Resources   | Business                     |
| Greenhouse                      | Human Resources   | Business                     |
| myCigna                         | Human Resources   | Health & Fitness             |
| UnitedHealthcare                | Human Resources   | Health & Fitness             |
| ZipRecruiter                    | Human Resources   | Business                     |
| Amazon Business                 | Human Resources   | Business                     |
| Jobcenter                       | Human Resources   | Business                     |
| Jobsuche                        | Human Resources   | Business                     |
| Zenjob                          | Human Resources   | Business                     |
| DocuSign                        | Legal             | Business                     |
| Postident                       | Legal             | Business                     |
| Adobe Creative Cloud            | Productivity      | Photography & Graphic Design |
| Airtable                        | Productivity      | Development                  |
| Autodesk Fusion360              | Productivity      | IT Management                |
| Coursera                        | Productivity      | Education                    |
| Microsoft Power BI              | Productivity      | Business                     |
| Tableau                         | Productivity      | Business                     |
| Duolingo                        | Productivity      | Education                    |
| Adobe Reader                    | Productivity      | Business                     |
| AnpiReport                      | Productivity      | Travel                       |
| ビズリーチ                           | Productivity      | Business                     |
| doda (デューダ)                     | Productivity      | Business                     |
| 求人ボックス                          | Productivity      | Business                     |
| マイナビ2026                        | Productivity      | Business                     |
| Power Apps                      | Productivity      | Business                     |
| RECRUIT AGENT                   | Productivity      | Business                     |
| シフトボード                          | Productivity      | Business                     |
| スタンバイ                           | Productivity      | Business                     |
| Doctolib                        | Productivity      | Health & Fitness             |
| Miro                            | Productivity      | Photography & Graphic Design |
| MyFitnessPal                    | Productivity      | Health & Fitness             |
| Sentry Mobile                   | Productivity      | Travel                       |
| Slido                           | Productivity      | Photography & Graphic Design |
| Arista Networks                 | Productivity      | IT Management                |
| Atlassian                       | Productivity      | Business                     |
| CoderPad                        | Productivity      | Business                     |
| eAgreements                     | Productivity      | Business                     |
| Vmware                          | Productivity      | IT Management                |
| Vmware Vcenter                  | Productivity      | IT Management                |
| AWS Skill Builder               | Productivity      | Education                    |
| Microsoft Office 365 (GCC)      | Productivity      | Business                     |
| Microsoft Exchange Online (GCC) | Productivity      | Business                     |
| Canva                           | Sales & Marketing | Photography & Graphic Design |
| Instacart                       | Shopping          | Food & Drink                 |
| Wawa                            | Shopping          | Food & Drink                 |
| McDonald's                      | Shopping          | Food & Drink                 |
| Vrbo                            | Shopping          | Travel                       |
| American Airlines               | Shopping          | Travel                       |
| Booking.com                     | Shopping          | Travel                       |
| Ticketmaster                    | Shopping          | Entertainment & Events       |
| Airbnb                          | Shopping          | Travel                       |
| DoorDash                        | Shopping          | Food & Drink                 |
| Expedia                         | Shopping          | Travel                       |
| EasyPark                        | Shopping          | Travel                       |
| UEFA Tickets                    | Shopping          | Entertainment & Events       |
| DHL Express                     | Shopping          | Business                     |
| UPS                             | Shopping          | Business                     |

For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/).

## 2025-10-28

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Access private hostname applications support all ports/protocols**   

[Cloudflare Access for private hostname applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) can now secure traffic on all ports and protocols.

Previously, applying Zero Trust policies to private applications required the application to use HTTPS on port `443` and support Server Name Indication (SNI).

This update removes that limitation. As long as the application is reachable via a Cloudflare off-ramp, you can now enforce your critical security controls — like single sign-on (SSO), MFA, device posture, and variable session lengths — to any private application. This allows you to extend Zero Trust security to services like SSH, RDP, internal databases, and other non-HTTPS applications.

![Example private application on non-443 port](https://developers.cloudflare.com/_astro/internal_private_app_any_port.DNXnEy0u_2rybRJ.webp) 

For example, you can now create a self-hosted application in Access for `ssh.testapp.local` running on port `22`. You can then build a policy that only allows engineers in your organization to connect after they pass an SSO/MFA check and are using a corporate device.

This feature is generally available across all plans.

## 2025-10-28

[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) 

  
**CASB introduces new granular roles**   

Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams:

* **Cloudflare CASB Read:** Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights.
* **Cloudflare CASB:** Provides full administrative access to configure and manage all aspects of the CASB product.

These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the **Super Administrator** or **Administrator** roles.

To enable [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) scans in CASB, account members will need the **Cloudflare Zero Trust** role.

You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under **Manage Account** \> **Members**.

To learn more about managing roles and permissions, refer to the [Manage account members and roles documentation](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

## 2025-10-28

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**New Application Categories added for HTTP Traffic Management**   

To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product.

We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications:

* Business
* Education
* Entertainment & Events
* Food & Drink
* Health & Fitness
* Lifestyle
* Navigation
* Photography & Graphic Design
* Travel

The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories.

The full remapping will be completed by January 30, 2026.

We encourage you to use this time to:

* Review the new category structure.
* Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition.

For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/).

## 2025-10-20

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Schedule DNS policies from the UI**   

Admins can now create [scheduled DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights.

* **Preset Schedules**: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more.
* **Custom Schedules**: Define your own schedule with specific days and up to three non-overlapping time ranges per day.
* **Timezone Control**: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user.
* **Combined with Duration**: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence.

You can see the flow in the demo GIF:

![Schedule DNS policies demo](https://developers.cloudflare.com/_astro/gateway-dns-scheduled-policies-ui.Cf4l1OTE_Z9szVM.webp) 

This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API.
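A model of the scheduling semantics described above, added here as an illustration and not Cloudflare's own code or API: a policy is enforced only when the current time falls inside one of that day's ranges in the enforcement timezone (or the user's local time), and a duration expiry, if set, takes precedence over the schedule. The `Schedule`, `DnsPolicy` and `is_active` names, the three-ranges-per-day validation, and the Business Hours preset definition (Mon-Fri 09:00-17:00) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, List, Optional, Tuple

WEEKDAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
MAX_RANGES_PER_DAY = 3  # the UI allows up to three non-overlapping ranges per day


def _parse_hhmm(value: str) -> time:
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


@dataclass
class Schedule:
    """Days mapped to [("HH:MM", "HH:MM"), ...] ranges in the enforcement timezone."""
    ranges: Dict[str, List[Tuple[str, str]]]
    # Fixed enforcement timezone, or None to evaluate in each user's local time.
    tz: Optional[timezone] = None

    def __post_init__(self) -> None:
        # Validate and parse once: unknown days, more than three ranges,
        # empty/reversed ranges and overlapping ranges are all rejected.
        self.parsed: Dict[str, List[Tuple[time, time]]] = {}
        for day, spans in self.ranges.items():
            if day not in WEEKDAYS:
                raise ValueError(f"unknown day {day!r}")
            if len(spans) > MAX_RANGES_PER_DAY:
                raise ValueError(f"{day}: at most {MAX_RANGES_PER_DAY} ranges per day")
            parsed = sorted((_parse_hhmm(s), _parse_hhmm(e)) for s, e in spans)
            for start, end in parsed:
                if start >= end:
                    raise ValueError(f"{day}: range {start}-{end} is empty or reversed")
            for (_, prev_end), (next_start, _) in zip(parsed, parsed[1:]):
                if next_start < prev_end:
                    raise ValueError(f"{day}: ranges overlap")
            self.parsed[day] = parsed


def business_hours(tz: Optional[timezone] = None) -> Schedule:
    """Assumed shape of a 'Business Hours' preset: Mon-Fri 09:00-17:00 (constructed)."""
    return Schedule({day: [("09:00", "17:00")] for day in WEEKDAYS[:5]}, tz)


@dataclass
class DnsPolicy:
    name: str
    schedule: Optional[Schedule] = None
    expires_at: Optional[datetime] = None  # duration expiry as an aware UTC datetime


def is_active(policy: DnsPolicy, now_utc: datetime, user_tz: timezone) -> bool:
    """Return True if the policy should be enforced at now_utc.

    The duration expiry wins over the schedule: once it has passed, the policy
    is inactive even inside a scheduled window.
    """
    if policy.expires_at is not None and now_utc >= policy.expires_at:
        return False
    if policy.schedule is None:
        return True  # no schedule: always on until the duration expires
    tz = policy.schedule.tz if policy.schedule.tz is not None else user_tz
    local = now_utc.astimezone(tz)
    day = WEEKDAYS[local.weekday()]  # weekday(): Monday == 0, matching WEEKDAYS
    now_local = local.time()
    return any(start <= now_local < end for start, end in policy.schedule.parsed.get(day, []))


if __name__ == "__main__":
    # Constructed sample: block social media during US Eastern business hours.
    # Fixed offsets keep the script independent of system tz data; in practice
    # use zoneinfo.ZoneInfo("America/New_York") so DST transitions are handled.
    us_eastern = timezone(timedelta(hours=-4), "EDT")
    tokyo = timezone(timedelta(hours=9), "JST")
    policy = DnsPolicy("Block social media", business_hours(us_eastern))
    wed_14_utc = datetime(2025, 10, 22, 14, 0, tzinfo=timezone.utc)  # 10:00 EDT, a Wednesday
    print(policy.name, "active:", is_active(policy, wed_14_utc, tokyo))  # True
```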

## 2025-10-17

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**On-Demand Security Report**   

You can now generate on-demand security reports directly from the Cloudflare dashboard. This new feature provides a comprehensive overview of your email security posture, making it easier than ever to demonstrate the value of Cloudflare’s Email security to executives and other decision makers.

These reports offer several key benefits:

* **Executive Summary:** Quickly view the performance of Email security with a high-level executive summary.
* **Actionable Insights:** Dive deep into trend data, breakdowns of threat types, and analysis of top targets to identify and address vulnerabilities.
* **Configuration Transparency:** Gain a clear view of your policy, submission, and domain configurations to ensure optimal setup.
* **Account Takeover Risks:** Get a snapshot of your M365 risky users (requires a Microsoft Entra ID P2 license and [M365 SaaS integration ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/)).

![Report](https://developers.cloudflare.com/_astro/report.CbkPa8Jt_Z1xMpIx.webp) 

This feature is available across the following Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-10-16

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.9.173.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

**Changes and improvements**

* Improvements for [Windows multi-user](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/) to maintain the [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) state when switching between users.
* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
* Deleting registrations no longer returns an error when the deletion succeeds.
* Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to optimize connection performance for the current network.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
   * A custom DNS server address is configured on the primary network adapter.
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.

  To work around this issue, reconnect the WARP client by toggling it off and back on.

## 2025-10-16

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.9.173.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

**Changes and improvements**

* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
* Deleting registrations no longer returns an error when the deletion succeeds.
* Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to optimize connection performance for the current network.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-10-10

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**New domain categories added**   

We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering.

**New categories added**

| Parent ID | Parent Name | Category ID | Category Name       |
| --------- | ----------- | ----------- | ------------------- |
| 26        | Technology  | 194         | Keep Awake Software |
| 26        | Technology  | 192         | Remote Access       |
| 26        | Technology  | 193         | Shareware/Freeware  |

Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more.

## 2025-10-07

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.8.779.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains significant fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025, to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/).

**Changes and improvements**

* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCKS5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
* The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-10-07

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.8.779.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains significant fixes and improvements.

**Changes and improvements**

* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCKS5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
* The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
   * A custom DNS server address is configured on the primary network adapter.
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.

  To work around this issue, reconnect the WARP client by toggling it off and back on.

## 2025-10-07

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.8.779.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains significant fixes and improvements.

**Changes and improvements**

* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCKS5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
* The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-10-02

[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta**   

Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

#### What's New

* **[Access Applications ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications.
* **[Identity Providers ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/)**: Grant admin permissions to individual Identity Providers.
* **[Targets ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets.

![Updated Permissions Policy UX](https://developers.cloudflare.com/_astro/2025-10-01-fine-grained-permissioning-ux.BWVmQsVF_Z1p4MJh.webp) 

**Note**

During the public beta, members must also be assigned an account-scoped, read-only role to view resources in the dashboard. This restriction will be lifted in a future release.

* **Account Read Only** plus a fine-grained permission for a specific App, IdP, or Target
* **Cloudflare Zero Trust Read Only** plus fine-grained permission for a specific App, IdP, or Target

For more info:

* [Get started with Cloudflare Permissioning](https://developers.cloudflare.com/fundamentals/manage-members/roles/)
* [Manage Member Permissioning via the UI & API](https://developers.cloudflare.com/fundamentals/manage-members/manage)

## 2025-10-01

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Expanded File Type Controls for Executables and Disk Images**   

You can now enhance your security posture by blocking additional application installer and disk image file types with Cloudflare Gateway. Preventing the download of unauthorized software packages is a critical step in securing endpoints from malware and unwanted applications.

We have expanded Gateway's file type controls to include:

* Apple Disk Image (dmg)
* Microsoft Software Installer (msix, appx)
* Apple Software Package (pkg)

You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows:

* **System**: _Apple Disk Image (dmg)_
* **Executable**: _Microsoft Software Installer (msix)_, _Microsoft Software Installer (appx)_, _Apple Software Package (pkg)_

To ensure these file types are blocked effectively, please note the following behaviors:

* DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file.
* MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type _Unscannable_. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection.

To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#supported-file-types).

## 2025-09-30

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.7.176.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles.
* Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving.
* Improvement to maintain TCP connections to reduce interruptions in long-lived connections such as RDP or SSH.
* Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client).
* Improvements to maintain client connectivity during network changes.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
   * A custom DNS server address is configured on the primary network adapter.
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.

  To work around this issue, reconnect the WARP client by toggling it off and back on.

## 2025-09-30

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.7.176.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed a bug preventing the `warp-diag captive-portal` command from running successfully due to the client not parsing SSID on macOS.
* Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client).
* MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles.
* Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving.
* Improvements to maintain client connectivity during network changes.
* The WARP client now supports macOS Tahoe (version 26.0).

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-09-30

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.7.176.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/).

**Changes and improvements**

* MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles.
* Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving.
* Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client).
* Improvements to maintain client connectivity during network changes.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-09-30

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Application granular controls for operations in SaaS applications**   

Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies).

The new feature offers two methods of controlling SaaS applications:

* **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application.
* **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns with the SaaS providers' API specifications in naming and function.

Get started using [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls) and refer to the list of [supported applications](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/#compatible-applications).

## 2025-09-25

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Refine DLP Scans with New Body Phase Selector**   

You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows.

In the Gateway HTTP policy builder, you will find a new selector called _Body Phase_. This allows you to define the direction of traffic the DLP engine will inspect:

* _Request Body_: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts.
* _Response Body_: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data.

For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the **Body Phase** to _Request Body_, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself.

All policies without this selector will continue to scan both request and response bodies to ensure continued protection.

For more information, refer to [Gateway HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#body-phase).

## 2025-09-23

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Invalid Submissions Feedback**   

Email security relies on your submissions to continuously improve our detection models. However, we often receive submissions in formats that cannot be ingested, such as incomplete EMLs, screenshots, or text files.

To ensure all customer feedback is actionable, we have launched two new features to manage invalid submissions sent to our team and user [submission aliases](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/submission-addresses/):

* **Email Notifications:** We now automatically notify users by email when they provide an invalid submission, educating them on the correct format. To disable notifications, go to **[Settings ↗](https://one.dash.cloudflare.com/?to=/:account/email-security/settings)** > **Invalid submission emails** and turn the feature off.
![EmailSec-Invalid-Submissions-Toggle](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Toggle.DXjbR6aX_ZsxWGB.webp) 
* **Invalid Submission dashboard:** You can quickly identify which users need education to provide valid submissions so Cloudflare can provide continuous protection.
![EmailSec-Invalid-Submissions-Dashboard](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Dashboard.zuf1on2n_2gjnGS.webp) 

Learn more about this feature on [invalid submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/invalid-submissions/).

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-09-22

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Access Remote Desktop Protocol (RDP) destinations securely from your browser — now generally available!**   

[Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.

Since we announced our [open beta](https://developers.cloudflare.com/changelog/access/#2025-06-30), we've made a few improvements:

* Support for targets with IPv6.
* Support for [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) as on-ramps.
* More robust error messaging on the login page to help you if you encounter an issue.
* Worldwide keyboard support. Whether your day-to-day is in Portuguese, Chinese, or something in between, your browser-based RDP experience will look and feel exactly like you are using a desktop RDP client.
* Cleaned up some other miscellaneous issues, including but not limited to enhanced support for Entra ID accounts and support for usernames with spaces, quotes, and special characters.

As a refresher, here are some benefits browser-based RDP provides:

* **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
* **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
* **Eliminate the need to install and manage software on user devices**. You will only need a web browser.
* **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.
![Example of a browser-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp) 

To get started, refer to [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/).

## 2025-09-18

[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) 

  
**Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel**   

You can now route private traffic to [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is **free for all Cloudflare One customers**.

Previously, Tunnel routes could only be defined by IP address or [CIDR range](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists.

![Hostname-based routing in Cloudflare Tunnel](https://developers.cloudflare.com/_astro/tunnel-hostname-routing.DSi8MP_7_Z1E6Ym4.webp) 

**What’s new:**

* **Hostname & Domain Routing**: Create routes for individual hostnames (e.g., `payroll.acme.local`) or entire domains (e.g., `*.acme.local`) and direct their traffic to a specific Tunnel.
* **Simplified Zero Trust Policies**: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications.
* **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services.
* **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete.

Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route.

Learn more in our [blog post ↗](https://blog.cloudflare.com/tunnel-hostname-routing/).

## 2025-09-16

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New AI-Enabled Search for Zero Trust Dashboard**   

Zero Trust Dashboard has a brand new, AI-powered search functionality. You can search your account by resources (applications, policies, device profiles, settings, etc.), pages, products, and more.

![Example search results in the Zero Trust dashboard](https://developers.cloudflare.com/_astro/searchexample.Di8yS8ju_1GmPhw.webp) 

**Ask Cloudy** — You can also ask Cloudy, our AI agent, questions about Cloudflare Zero Trust. Cloudy is trained on our developer documentation and implementation guides, so it can tell you how to configure functionality, best practices, and can make recommendations.

Cloudy can then stay open with you as you move between pages to build configuration or answer more questions.

**Find Recents** — Recent searches and Cloudy questions also have a new tab under Zero Trust Overview.

## 2025-09-11

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Regional Email Processing for Germany, India, or Australia**   

We’re excited to announce that Email security customers can now choose their preferred mail processing location directly from the UI when onboarding a domain. This feature is available for the following onboarding methods: **MX**, **BCC**, and **Journaling**.

#### What’s new

Customers can now select where their email is processed. The following regions are supported:

* **Germany**
* **India**
* **Australia**

Global processing remains the default option, providing the flexibility to meet both compliance requirements and operational preferences.

#### How to use it

When onboarding a domain with MX, BCC, or Journaling:

1. Select the desired processing location (Germany, India, or Australia).
2. The UI will display updated processing addresses specific to that region.
3. For MX onboarding, if your domain is managed by Cloudflare, you can automatically update MX records directly from the UI.

#### Availability

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

#### What’s next

We’re expanding the list of processing locations to match our [Data Localization Suite (DLS)](https://developers.cloudflare.com/data-localization/) footprint, giving customers the broadest set of regional options in the market without the complexity of self-hosting.

## 2025-09-11

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) 

  
**DNS filtering for private network onramps**   

[Magic WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/#dns-filtering) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/#dns-filtering) users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet.

Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites).

To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](https://developers.cloudflare.com/dns/internal-dns/).

## 2025-09-10

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.7.106.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements including enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity.

**Changes and improvements**

* Enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity.
* Improvement to keep TCP connections up the first time WARP connects on devices so that remote desktop sessions (such as RDP or SSH) continue to work.
* Improvements to maintain Global WARP Override settings when switching between organization configurations.
* The [MASQUE protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) is now the default protocol for all new WARP device profiles.
* Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-09-10

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.7.106.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements including enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity.

**Changes and improvements**

* Enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity.
* Fixed a bug preventing the `warp-diag captive-portal` command from running successfully due to the client not parsing SSID on macOS.
* Improvements to maintain Global WARP Override settings when switching between organization configurations.
* The [MASQUE protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) is now the default protocol for all new WARP device profiles.
* Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-09-08

[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Custom IKE ID for IPsec Tunnels**   

Now, Magic WAN customers can configure a custom IKE ID for their IPsec tunnels. Customers that are using Magic WAN and a VeloCloud SD-WAN device together can utilize this new feature to create a high availability configuration.

This feature is available via API only. Customers can read the Magic WAN documentation to learn more about the [Custom IKE ID feature and the API call to configure it](https://developers.cloudflare.com/cloudflare-wan/configuration/common-settings/custom-ike-id-ipsec/).

## 2025-09-05

[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Bidirectional tunnel health checks are compatible with all Magic on-ramps**   

All bidirectional tunnel health check return packets are accepted by any Magic on-ramp.

Previously, when a Magic tunnel had a bidirectional health check configured, the bidirectional health check would pass when the return packets came back to Cloudflare over the same tunnel that was traversed by the forward packets.

There are SD-WAN devices, like VeloCloud, that do not offer controls to steer traffic over one tunnel versus another in a high availability tunnel configuration.

Now, when a Magic tunnel has a bidirectional health check configured, the bidirectional health check will pass when the return packet traverses over any tunnel in a high availability configuration.

## 2025-09-02

[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) 

  
**Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025**   

Starting **December 1, 2025**, list endpoints for the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified.

No action is required if you already explicitly set `is_deleted=false` or if you only need to list active resources.

This change affects the following API endpoints:

* List all tunnels: [`GET /accounts/{account_id}/tunnels`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/methods/list/)
* List [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/): [`GET /accounts/{account_id}/cfd_tunnel`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/methods/list/)
* List [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) tunnels: [`GET /accounts/{account_id}/warp_connector`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/warp%5Fconnector/methods/list/)
* List tunnel routes: [`GET /accounts/{account_id}/teamnet/routes`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/list/)
* List subnets: [`GET /accounts/{account_id}/zerotrust/subnets`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/subnets/methods/list/)
* List virtual networks: [`GET /accounts/{account_id}/teamnet/virtual_networks`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/virtual%5Fnetworks/methods/list/)

#### What is changing?

The default behavior of the `is_deleted` query parameter will be updated.

| Scenario                        | Previous behavior (before December 1, 2025)                                | New behavior (from December 1, 2025)                                  |
| ------------------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------- |
| `is_deleted` parameter is omitted | Returns **active & deleted** tunnels, routes, subnets and virtual networks | Returns **only active** tunnels, routes, subnets and virtual networks |

#### Action required

If you need to retrieve deleted (or all) resources, please update your API calls to explicitly include the `is_deleted` parameter before **December 1, 2025**.

To get a list of only deleted resources, you must now explicitly add the `is_deleted=true` query parameter to your request:

```sh
# Example: Get ONLY deleted Tunnels
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"

# Example: Get ONLY deleted Virtual Networks
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"
```

Following this change, retrieving a complete list of both active and deleted resources will require two separate API calls: one to get active items (by omitting the parameter or using `is_deleted=false`) and one to get deleted items (`is_deleted=true`).
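The two-call pattern above, written out as an added Python example (not Cloudflare's own code or SDK) against the list paths named in this entry. It assumes the standard v4 response envelope (`success`, `errors`, `result`), does not handle pagination, and uses constructed sample responses so it runs offline; `sample_fetch` and the placeholder account id and token are illustrative only.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

API_BASE = "https://api.cloudflare.com/client/v4"

# List paths from the changelog entry, keyed by a short resource name.
RESOURCE_PATHS: Dict[str, str] = {
    "tunnels": "tunnels",
    "cfd_tunnel": "cfd_tunnel",
    "warp_connector": "warp_connector",
    "routes": "teamnet/routes",
    "subnets": "zerotrust/subnets",
    "virtual_networks": "teamnet/virtual_networks",
}

# A fetcher takes (url, api_token) and returns the parsed JSON envelope.
Fetcher = Callable[[str, str], Dict]


def build_list_url(account_id: str, resource: str, is_deleted: Optional[bool]) -> str:
    """Build the list URL for one resource type.

    is_deleted=None omits the parameter. From December 1, 2025 that means
    "active only"; before the change it meant "active and deleted". Passing
    an explicit True/False is the forward-compatible choice.
    """
    url = f"{API_BASE}/accounts/{account_id}/{RESOURCE_PATHS[resource]}"
    if is_deleted is not None:
        url += "?" + urllib.parse.urlencode({"is_deleted": str(is_deleted).lower()})
    return url


def http_get_json(url: str, api_token: str) -> Dict:
    """Real fetcher: GET with a bearer token and parse the v4 JSON envelope."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_resources(account_id: str, resource: str, api_token: str,
                   is_deleted: Optional[bool], fetch: Fetcher = http_get_json) -> List[Dict]:
    """One list call. Fails loudly if the envelope reports success=false."""
    envelope = fetch(build_list_url(account_id, resource, is_deleted), api_token)
    if not envelope.get("success"):
        raise RuntimeError(f"Cloudflare API error: {envelope.get('errors')}")
    return list(envelope.get("result") or [])


def list_active_and_deleted(account_id: str, resource: str, api_token: str,
                            fetch: Fetcher = http_get_json) -> List[Dict]:
    """Post-change way to get everything: two explicit calls, merged and de-duplicated by id."""
    merged: List[Dict] = []
    seen = set()
    for flag in (False, True):
        for item in list_resources(account_id, resource, api_token, flag, fetch):
            if item["id"] not in seen:
                seen.add(item["id"])
                merged.append(item)
    return merged


# Constructed sample envelopes (not real API output) so the demo runs offline.
SAMPLE_ENVELOPES: Dict[str, Dict] = {
    "is_deleted=false": {"success": True, "errors": [], "result": [
        {"id": "tun-0001", "name": "hq-tunnel", "deleted_at": None},
    ]},
    "is_deleted=true": {"success": True, "errors": [], "result": [
        {"id": "tun-0002", "name": "old-lab-tunnel", "deleted_at": "2025-08-01T00:00:00Z"},
    ]},
}


def sample_fetch(url: str, api_token: str) -> Dict:
    """Offline stand-in for http_get_json, keyed on the query string."""
    query = urllib.parse.urlsplit(url).query
    # Omitted parameter: after the change the API returns active resources only.
    return SAMPLE_ENVELOPES.get(query, SAMPLE_ENVELOPES["is_deleted=false"])


if __name__ == "__main__":
    everything = list_active_and_deleted("ACCOUNT_ID_PLACEHOLDER", "cfd_tunnel",
                                         "API_TOKEN_PLACEHOLDER", fetch=sample_fetch)
    for t in everything:
        state = "deleted" if t.get("deleted_at") else "active"
        print(f"{t['id']}  {t['name']:<16} {state}")
```

Swap `sample_fetch` for the default `http_get_json` (with a real account id and a token scoped to the Tunnel and Networks read permissions) to run it against the live API.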

#### Why we’re making this change

This update is based on user feedback and aims to:

* **Create a more intuitive default:** Aligning with common API design principles where list operations return only active resources by default.
* **Reduce unexpected results:** Prevents users from accidentally operating on deleted resources that were returned unexpectedly.
* **Improve performance:** For most users, the default query result will now be smaller and more relevant.

To learn more, please visit the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) documentation.

## 2025-09-01

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Updated Email security roles**   

To provide more granular controls, we refined the [existing roles](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#email-security-roles) for Email security and launched a new Email security role as well.

All Email security roles no longer have read or write access to any of the other Zero Trust products:

* **Email Configuration Admin**
* **Email Integration Admin**
* **Email security Read Only**
* **Email security Analyst**
* **Email security Policy Admin**
* **Email security Reporting**

To configure [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/) or [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#set-up-clientless-web-isolation), you now need to be an admin for the Zero Trust dashboard with the **Cloudflare Zero Trust** role.

Also through customer feedback, we have created a new additive role to allow **Email security Analyst** to create, edit, and delete Email security policies, without needing to provide access via the **Email Configuration Admin** role. This role is called **Email security Policy Admin**, which can read all settings, but has write access to [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/).

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-08-29

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Cloudflare One WARP Diagnostic AI Analyzer**   

We're excited to share a new AI feature, the [WARP diagnostic analyzer ↗](https://blog.cloudflare.com/AI-troubleshoot-warp-and-network-connectivity-issues/), to help you troubleshoot and resolve WARP connectivity issues faster. This beta feature is now available in the [Cloudflare One dashboard ↗](https://dash.cloudflare.com/one/) to all users. The AI analyzer makes it easier for you to identify the root cause of client connectivity issues by parsing [remote captures](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#start-a-remote-capture) of [WARP diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs). The WARP diagnostic analyzer provides a summary of impact that may be experienced on the device, lists notable events that may contribute to performance issues, and recommended troubleshooting steps and articles to help you resolve these issues. Refer to [WARP diagnostics analyzer (beta)](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#diagnostics-analyzer-beta) to learn more about how to maximize using the WARP diagnostic analyzer to troubleshoot the WARP client.

## 2025-08-29

[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) 

  
**DEX MCP Server**   

[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device connectivity and performance across your Cloudflare SASE deployment.

We've released an MCP server [(Model Context Protocol) ↗](https://cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) for DEX.

The DEX MCP server is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly@acme.com", and receive an answer that contains data from the DEX API.

Any Cloudflare One customer using a Free, Pay-as-you-go, or Enterprise account can access the DEX MCP Server. This feature is available to everyone.

Customers can test the new DEX MCP server in less than one minute. To learn more, read the [DEX MCP server documentation](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/).

## 2025-08-27

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**Shadow IT - SaaS analytics dashboard**   

Zero Trust has significantly upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organization's use of SaaS tools. With this dashboard, you can review who is using an application and the volume of data transferred to the application.

You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including **Unreviewed**, **In Review**, **Approved**, and **Unapproved**, designating how they can be used in your organization.

![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/shadow-it-analytics.BLNnG72w_Z1vDznE.webp) 

These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status.

Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control.

## 2025-08-26

[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) 

  
**New CASB integrations for ChatGPT, Claude, and Gemini**   

[Cloudflare CASB ↗](https://www.cloudflare.com/zero-trust/products/casb/) now supports three of the most widely used GenAI platforms — **OpenAI ChatGPT**, **Anthropic Claude**, and **Google Gemini**. These API-based integrations give security teams agentless visibility into posture, data, and compliance risks across their organization’s use of generative AI.

![Cloudflare CASB showing selection of new findings for ChatGPT, Claude, and Gemini integrations.](https://developers.cloudflare.com/_astro/casb-ai-integrations-preview.B-zsSA1P_Z1wlfJX.webp) 

#### Key capabilities

* **Agentless connections** — connect ChatGPT, Claude, and Gemini tenants via API; no endpoint software required
* **Posture management** — detect insecure settings and misconfigurations that could lead to data exposure
* **DLP detection** — identify sensitive data in uploaded chat attachments or files
* **GenAI-specific insights** — surface risks unique to each provider’s capabilities

#### Learn more

* [ChatGPT integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/)
* [Claude integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/)
* [Gemini integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gemini/)

These integrations are available to all Cloudflare One customers today.

## 2025-08-26

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Manage and restrict access to internal MCP servers with Cloudflare Access**   

You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).

[Self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.

For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog.

## 2025-08-26

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**MCP server portals**   
![MCP server portal](https://developers.cloudflare.com/_astro/mcp-server-portal.BOKqTCoI_ZXYCcF.webp) 

An [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:

* **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
* **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
* **Observability**: Once the user's AI agent is connected to the portal, Cloudflare Access logs the individual requests made using the tools in the portal.

This is available in an open beta for all customers across all plans! For more information check out our [blog ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) for this release.

## 2025-08-25

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**New DLP topic based detection entries for AI prompt protection**   

You now have access to a comprehensive suite of capabilities to secure your organization's use of generative AI. AI prompt protection introduces four key features that work together to provide deep visibility and granular control.

1. **Prompt Detection for AI Applications**

DLP can now natively detect and inspect user prompts submitted to popular AI applications, including **Google Gemini**, **ChatGPT**, **Claude**, and **Perplexity**.

2. **Prompt Analysis and Topic Classification**

Our DLP engine performs deep analysis on each prompt, applying [topic classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics). These topics are grouped into two evaluation categories:

* **Content:** PII, Source Code, Credentials and Secrets, Financial Information, and Customer Data.
* **Intent:** Jailbreak attempts, requests for malicious code, or attempts to extract PII.

To help you apply these topics quickly, we have also released five new predefined profiles (for example, AI Prompt: AI Security, AI Prompt: PII) that bundle these new topics.

![DLP](https://developers.cloudflare.com/_astro/ai-prompt-detection-entry.4QmdkAuv_Z14HtSJ.webp) 

3. **Granular Guardrails**  
You can now build guardrails using Gateway HTTP policies with [application granular controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts.  
![DLP](https://developers.cloudflare.com/_astro/ai-prompt-policy.CF3H2rbK_2muoEC.webp)

4. **Full Prompt Logging**  
To aid in incident investigation, an optional setting in your Gateway policy allows you to [capture prompt logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content) to store the full interaction of prompts that trigger a policy match. To make investigations easier, logs can be filtered by `conversation_id`, allowing you to reconstruct the full context of an interaction that led to a policy violation.  
![DLP](https://developers.cloudflare.com/_astro/ai-prompt-log.ywQDc5qN_2v6nax.webp)

AI prompt protection is now available in open beta. To learn more about it, read the [blog ↗](https://blog.cloudflare.com/ai-prompt-protection/#closing-the-loop-logging) or refer to [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics).

## 2025-08-21

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.6.1400.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains a hotfix for multi-user pre-login registration in the 2025.6.1135.0 release.

**Changes and improvements**

* Fixes an issue where new pre-login registrations were not being properly created.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, please reconnect the WARP client by toggling off and back on.

## 2025-08-21

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Gateway BYOIP Dedicated Egress IPs now available.**   

Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs.

Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic.

Get started by following the [BYOIP onboarding process](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** \> **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu.

![Screenshot of a dropdown menu adding a BYOIP IPv4 address as a dedicated egress IP in a Gateway egress policy](https://developers.cloudflare.com/_astro/Gateway-byoip-dedicated-egress-ips.D0pzLAbV_8yK6N.webp) 

For more information, refer to [BYOIP for dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip).

## 2025-08-19

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.6.1335.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Improvements to better manage multi-user pre-login registrations.
* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement for faster client connectivity on high-latency captive portal networks.
* Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-08-19

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.6.1335.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement for faster client connectivity on high-latency captive portal networks.
* Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-08-19

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.6.1335.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement for faster client connectivity on high-latency captive portal networks.
* Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-08-15

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**SFTP support for SSH with Cloudflare Access for Infrastructure**   

[SSH with Cloudflare Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) now supports SFTP. It is compatible with SFTP clients, such as Cyberduck.

## 2025-08-14

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Cloudflare Access Logging supports the Customer Metadata Boundary (CMB)**   

Cloudflare Access logs now support the [Customer Metadata Boundary (CMB)](https://developers.cloudflare.com/data-localization/metadata-boundary/). If you have configured the CMB for your account, all Access logging will respect that configuration.

**Note**

For EU CMB customers, the logs will not be stored by Access and will appear as empty in the dashboard. EU CMB customers should utilize [Logpush](https://developers.cloudflare.com/logs/logpush/) to retain their Access logging, if desired.

## 2025-08-07

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Expanded Email Link Isolation**   

When you deploy MX or Inline, not only can you apply email link isolation to suspicious links in all emails (including benign), you can now also apply email link isolation to all links of a specified disposition. This provides more flexibility in controlling user actions within emails.

For example, you may want to deliver suspicious messages but isolate the links found within them so that users who choose to interact with the links will not accidentally expose your organization to threats. This means your end users are more secure than ever before.

![Expanded Email Link Isolation Configuration](https://developers.cloudflare.com/_astro/expanded-link-actions.DziIg6E8_1Sx0Ar.webp) 

To isolate all links within a message based on the disposition, select **Settings** \> **Link Actions** \> **View** and select **Configure**. As with other links you isolate, an interstitial will be provided to warn users that this site has been isolated, and the link will be recrawled live to evaluate whether there are any changes in our threat intel. Learn more about this feature on [Configure link actions ↗](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/).

This feature is available across these Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-07-31

[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Terraform V5 support for tunnels and routes**   

The Cloudflare Terraform provider resources for Cloudflare WAN tunnels and routes now support Terraform provider version 5. Customers using infrastructure-as-code workflows can manage their tunnel and route configuration with the latest provider version.

For more information, refer to the [Cloudflare Terraform provider documentation ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).

## 2025-07-30

[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Magic Transit and Magic WAN health check data is fully compatible with the CMB EU setting.**   

Today, we are excited to announce that all Magic Transit and Magic WAN customers with CMB EU ([Customer Metadata Boundary - Europe](https://developers.cloudflare.com/data-localization/metadata-boundary/)) enabled in their account will be able to access GRE, IPsec, and CNI health check and traffic volume data in the Cloudflare dashboard and via API.

This ensures that all Magic Transit and Magic WAN customers with CMB EU enabled will be able to access all Magic Transit and Magic WAN features.

Specifically, these two GraphQL endpoints are now compatible with CMB EU:

* `magicTransitTunnelHealthChecksAdaptiveGroups`
* `magicTransitTunnelTrafficAdaptiveGroups`

## 2025-07-28

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Scam domain category introduced under Security Threats**   

We have introduced a new Security Threat category called **Scam**. Relevant domains are marked with the Scam category. Scam typically refers to fraudulent websites and schemes designed to trick victims into giving away money or personal information.

**New category added**

| Parent ID | Parent Name      | Category ID | Category Name |
| --------- | ---------------- | ----------- | ------------- |
| 21        | Security Threats | 191         | Scam          |

Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more.

## 2025-07-24

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.6.824.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Improvements to better manage multi-user pre-login registrations.
* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement to managed network detection checks for faster switching between managed networks.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-07-24

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.6.824.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement to managed network detection checks for faster switching between managed networks.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-07-24

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Gateway HTTP Filtering on all ports available in open BETA**   

[Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) can now apply [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [file sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#data-in-transit), and more.

You can turn this [setting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** \> **Network** \> **Firewall** and choosing _Inspect on all ports_.

![HTTP Inspection on all ports setting](https://developers.cloudflare.com/_astro/Gateway-Inspection-all-ports.CCmwX6D0_OoDoS.webp) 

To learn more, refer to [Inspect on all ports (Beta)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).

## 2025-07-23

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.5.943.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
* Changes to the [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) feature to no longer restart the SMS Agent Host (`ccmexec.exe`) service.
* Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-07-23

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.5.943.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
* Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.
* For macOS deployments, the WARP client can now be managed using an `mdm.xml` file placed in `/Library/Application Support/Cloudflare/mdm.xml`. This new configuration option offers an alternative to the still supported method of deploying a managed plist through an MDM solution.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-07-23

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.5.943.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
* Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-07-22

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Google Bard Application replaced by Gemini**   

The **Google Bard** application (ID: 1198) has been deprecated and fully removed from the system. It has been replaced by the **Gemini** application (ID: 1340). Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, replace all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. For more information about application policies, see the [Cloudflare Gateway documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/).

## 2025-07-21

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Virtual Cloudflare One Appliance with KVM support (open beta)**   

The KVM-based virtual Cloudflare One Appliance is now in open beta with official support for Proxmox VE.

Customers can deploy the virtual appliance on KVM hypervisors to connect branch or data center networks to Cloudflare WAN without dedicated hardware.

For setup instructions, refer to [Configure a virtual Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/configure-virtual-appliance/).

## 2025-07-17

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**New detection entry type: Document Matching for DLP**   

You can now create [document-based](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#document-entries) detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files.

![DLP](https://developers.cloudflare.com/_astro/document-match.CcN8pGgR_Z1e3PDm.webp) 

**Key features and benefits:**

* **Upload documents, forms, or templates:** Easily upload .docx and .txt files (up to 10 MB) that contain sensitive information you want to protect.
* **Granular control with similarity percentage:** Define a minimum similarity percentage (0-100%) that a document must meet to trigger a detection, reducing false positives.
* **Comprehensive coverage:** Apply these document-based detection entries in:  
   * **Gateway policies:** To inspect network traffic for sensitive documents as they are uploaded or shared.  
   * **CASB (Cloud Access Security Broker):** To scan files stored in cloud applications for sensitive documents at rest.
* **Identify sensitive data:** This new detection entry type is ideal for identifying sensitive data within completed forms, templates, or even small snippets of a larger document, helping you prevent data exfiltration and ensure compliance.

Once uploaded and processed, you can add this new document entry into a DLP profile and policies to enhance your data protection strategy.

## 2025-07-15

[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) 

  
**Faster, more reliable UDP traffic for Cloudflare Tunnel**   

Your real-time applications running over [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) are now faster and more reliable. We've completely re-architected the way `cloudflared` proxies UDP traffic in order to isolate it from other traffic, ensuring latency-sensitive applications like private DNS are no longer slowed down by heavy TCP traffic (like file transfers) on the same Tunnel.

This is a foundational improvement to Cloudflare Tunnel, delivered automatically to all customers. There are no settings to configure — your UDP traffic is already flowing faster and more reliably.

**What’s new:**

* **Faster UDP performance**: We've significantly reduced the latency for establishing new UDP sessions, making applications like private DNS much more responsive.
* **Greater reliability for mixed traffic**: UDP packets are no longer affected by heavy TCP traffic, preventing timeouts and connection drops for your real-time services.

Learn more about running [TCP or UDP applications](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-applications) and [private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).

## 2025-07-10

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New onboarding guides for Zero Trust**   

Use our brand new onboarding experience for Cloudflare Zero Trust. New and returning users can now engage with a **Get Started** tab with walkthroughs for setting up common use cases end-to-end.

![Zero Trust onboarding guides](https://developers.cloudflare.com/_astro/zt-onboarding-guides._18EfPbe_NEBk9.webp) 

There are eight brand new onboarding guides in total:

* Securely access a private network (sets up device client and Tunnel)
* Device-to-device / mesh networking (sets up and connects multiple device clients)
* Network to network connectivity (sets up and connects multiple WARP Connectors, makes reference to Magic WAN availability for Enterprise)
* Secure web traffic (sets up device client, Gateway, pre-reqs, and initial policies)
* Secure DNS for networks (sets up a new DNS location and Gateway policies)
* Clientless web access (sets up Access to a web app, Tunnel, and public hostname)
* Clientless SSH access (same setup as clientless web access, plus the web SSH experience)
* Clientless RDP access (same setup as clientless web access, plus RDP-in-browser)

Each flow walks the user through the steps to configure the essential elements, and provides a “more details” panel with additional contextual information about what the user will accomplish at the end, along with why the steps they take are important.

Try them out now in the [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/?to=/:account/home)!

## 2025-07-07

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**Cloudy summaries for Access and Gateway Logs**   

Cloudy, Cloudflare's AI Agent, will now automatically summarize your [Access](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) block logs.

In the log itself, Cloudy will summarize what occurred and why. This will be helpful for quick troubleshooting and issue correlation.

![Cloudy AI summarizes a log](https://developers.cloudflare.com/_astro/cloudy-explanation.oFZR6cXa_Z2e1RtR.webp) 

If you have feedback about the Cloudy summary - good or bad - you can provide that right from the summary itself.

## 2025-07-07

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New App Library for Zero Trust Dashboard**   

Cloudflare Zero Trust customers can use the App Library to get full visibility over the SaaS applications that they use in their Gateway policies, CASB integrations, and Access for SaaS applications.

**App Library**, found under **My Team**, makes information available about all Applications that can be used across the Zero Trust product suite.

![Zero Trust App Library](https://developers.cloudflare.com/_astro/app-library.D403GJ9j_1SfMgP.webp) 

You can use the App Library to see:

* How Applications are defined
* Where they are referenced in policies
* Whether they have Access for SaaS configured
* Their CASB findings and integration status

Within individual Applications, you can also track their usage across your organization, and better understand user behavior.

## 2025-07-01

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Access RDP securely from your browser — now in open beta**   

[Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.

With browser-based RDP, you can:

* **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
* **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
* **Eliminate the need to install and manage software on user devices**. You will only need a web browser.
* **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.

![Example of a browser-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp) 

To get started, see [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/).

## 2025-06-30

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.5.893.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains improvements and new exciting features, including [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) and [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed a device registration issue that caused WARP connection failures when changing networks.
* Captive portal improvements and fixes:  
   * Captive portal sign in notifications will now be sent through operating system notification services.  
   * Fix for firewall configuration issue affecting clients in DoH only mode.
* Improved the connectivity status message in the client GUI.
* Fixed a bug affecting clients in Gateway with DoH mode where the original DNS servers were not restored after disabling WARP.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to handle client configuration changes made by an MDM while WARP is not running.
* Improvements for multi-user experience to better handle fast user switching and transitions from a pre-login to a logged-in state.
* Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/).
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
* Added [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable.
* Fix for an issue causing WARP connectivity to fail without full system reboot.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5060829](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
   To work around this issue, reconnect the WARP client by toggling it off and back on.

## 2025-06-30

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.5.893.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed an issue where WARP sometimes failed to automatically relaunch after updating.
* Fixed a device registration issue causing WARP connection failures when changing networks.
* Captive portal improvements and fixes:  
   * Captive portal sign in notifications will now be sent through operating system notification services.  
   * Fix for firewall configuration issue affecting clients in DoH only mode.
* Improved the connectivity status message in the client GUI.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to handle client configuration changes made by an MDM while WARP is not running.
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
* Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations.
* Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/).

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-06-30

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.5.893.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed a device registration issue causing WARP connection failures when changing networks.
* Captive portal improvements and fixes:  
   * Captive portal sign in notifications will now be sent through operating system notification services.  
   * Fix for firewall configuration issue affecting clients in DoH only mode.
* Improved the connectivity status message in the client GUI.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to handle client configuration changes made by MDM while WARP is not running.
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
* Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/).

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-06-30

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Cloudflare One Agent for Android (version 2.4.2)**   

A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate [protection of post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* QLogs are now disabled by default and can be enabled in the app by turning on **Enable qlogs** under **Settings** \> **Advanced** \> **Diagnostics** \> **Debug Logs**. The QLog setting from previous releases will no longer be respected.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* The WARP client now applies [post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by [MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Fixed an issue that caused WARP connection failures on ChromeOS devices.

## 2025-06-30

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Cloudflare One Agent for iOS (version 1.11)**   

A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate [protection of post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* QLogs are now disabled by default and can be enabled in the app by turning on **Enable qlogs** under **Settings** \> **Advanced** \> **Diagnostics** \> **Debug Logs**. The QLog setting from previous releases will no longer be respected.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* The WARP client now applies [post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by [MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).

## 2025-06-23

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**Data Security Analytics in the Zero Trust dashboard**   

Zero Trust now includes **Data security analytics**, providing you with unprecedented visibility into your organization's sensitive data.

The new dashboard includes:

* **Sensitive Data Movement Over Time:**  
   * See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths.
* **Sensitive Data at Rest in SaaS & Cloud:**  
   * View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3).
* **DLP Policy Activity:**  
   * Identify which of your Data Loss Prevention (DLP) policies are being triggered most often.  
   * See which specific users are responsible for triggering DLP policies.

![Data Security Analytics](https://developers.cloudflare.com/_astro/cf1-data-security-analytics-v1.BGl6fYXl_H3N0P.webp) 

To access the new dashboard, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** on the sidebar.

## 2025-06-18

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025**   

[Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.

This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.

#### Updated order of enforcement

**Previous order:**

1. DNS policies
2. HTTP policies
3. Network policies

**New order:**

1. DNS policies
2. **Network policies**
3. **HTTP policies**

#### Action required: Review your Gateway HTTP policies

This change may affect block notifications. For example:

* You have an **HTTP policy** to block `example.com` and display a block page.
* You also have a **Network policy** to block `example.com` silently (no client notification).

With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.

To ensure users still receive a block notification, you can:

* Add a client notification to your Network policy, or
* Use only the HTTP policy for that domain.
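The shadowing effect described above can be reproduced with a small first-match evaluator. This is an added illustration, not Cloudflare's code: the `Policy` model, the `evaluate` function, the `find_silent_shadowing` audit helper and the sample policies are constructed assumptions that reduce a Gateway policy to a hostname match, which is enough to show why the user stops seeing the HTTP block page once Network policies run first.

```python
"""Model Gateway's first-match evaluation across layers (DNS, Network, HTTP)
and show which block notification the user receives under the previous and
the new order. Constructed example; the policy model is a simplification."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    layer: str             # "dns", "network" or "http"
    domains: frozenset     # constructed: hostnames this policy matches
    action: str = "block"
    notify: bool = False   # HTTP block page, or Network client notification


# Order of enforcement before and after the July 2025 change.
OLD_ORDER = ("dns", "http", "network")
NEW_ORDER = ("dns", "network", "http")

# Constructed sample policies mirroring the changelog's example:
# an HTTP block with a block page and a silent Network block for the same host.
POLICIES = [
    Policy("Block example.com (block page)", "http", frozenset({"example.com"}), notify=True),
    Policy("Block example.com (silent)", "network", frozenset({"example.com"})),
    Policy("Block casino.example at DNS", "dns", frozenset({"casino.example"}), notify=True),
]


def evaluate(request_host, policies, order):
    """Return (policy, notified) for the first matching block policy in layer
    order, or (None, False) when no policy blocks the host."""
    for layer in order:
        for p in policies:
            if p.layer == layer and p.action == "block" and request_host in p.domains:
                return p, p.notify
    return None, False


def find_silent_shadowing(policies):
    """Audit helper: hosts that an HTTP policy blocks with a block page and a
    Network policy also blocks without a client notification. Under the new
    order, users hitting these hosts get no notification at all."""
    silent_network = {}
    for p in policies:
        if p.layer == "network" and p.action == "block" and not p.notify:
            for host in p.domains:
                silent_network.setdefault(host, []).append(p.name)
    findings = {}
    for p in policies:
        if p.layer == "http" and p.action == "block" and p.notify:
            for host in p.domains.intersection(silent_network):
                findings[host] = (p.name, silent_network[host])
    return findings


def fix_by_notifying(policies):
    """Mitigation from the changelog: add a client notification to every
    silent Network policy that shadows an HTTP block page."""
    shadowed = find_silent_shadowing(policies)
    to_fix = {name for _, names in shadowed.values() for name in names}
    return [
        Policy(p.name, p.layer, p.domains, p.action, True) if p.name in to_fix else p
        for p in policies
    ]


if __name__ == "__main__":
    for label, order in (("previous", OLD_ORDER), ("new", NEW_ORDER)):
        matched, notified = evaluate("example.com", POLICIES, order)
        print(f"{label} order: matched {matched.name!r}, user notified: {notified}")
    print("shadowed hosts:", find_silent_shadowing(POLICIES))
    _, notified = evaluate("example.com", fix_by_notifying(POLICIES), NEW_ORDER)
    print("after adding client notification:", notified)
```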

---

#### Why we’re making this change

This update is based on user feedback and aims to:

* Create a more intuitive model by evaluating network-level policies before application-level policies.
* Minimize [526 connection errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection.

---

To learn more, visit the [Gateway order of enforcement documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/).

## 2025-06-17

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.5.828.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.

**Changes and improvements**

* Improvement to better handle multi-user fast user switching.
* Fix for an issue causing WARP connectivity to fail without full system reboot.

**Known issues**

* Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
   To work around this issue, reconnect the WARP client by toggling it off and back on.

## 2025-06-17

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.5.828.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.

**Changes and improvements**

* Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-06-05

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.5.735.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains improvements and new exciting features, including [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) and [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed a device registration issue causing WARP connection failures when changing networks.
* Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in.
* Fixed a bug where in Gateway with DoH mode, connection to DNS servers was not automatically restored after reconnecting WARP.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to gracefully handle changes made by MDM while WARP is not running.
* Improvement for multi-user mode to avoid unnecessary key rotations when transitioning from a pre-login to a logged-in state.
* Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/).
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
* Added [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable.

**Known issues**

* Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-06-05

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.5.735.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains improvements and new features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). Because corporate traffic is tunneled over Cloudflare, the tunnel itself gains post-quantum protection without any change to the individual corporate applications or systems behind it.

**Changes and improvements**

* Fixed an issue where the Cloudflare WARP application may not have automatically relaunched after an update.
* Fixed a device registration issue causing WARP connection failures when changing networks.
* Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to gracefully handle changes made by MDM while WARP is not running.
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-06-05

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**Cloudflare One Analytics Dashboards and Exportable Access Report**   

Cloudflare One now offers new analytics dashboards that bring insights into application access and network activity together in one place. The dashboards give a centralized view of user behavior, application usage, and security posture.


Additionally, a new exportable access report is available, giving customers a quick view of high-level metrics and trends in their application access. A preview of the report is shown below; the full report contains more:

![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/access-report.C744W7JR_2uzMcN.webp) 

Both features are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control.

## 2025-05-29

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New Gateway Analytics in the Cloudflare One Dashboard**   

Cloudflare Gateway analytics has been significantly enhanced, giving you visibility into your organization's DNS queries, HTTP requests, and Network sessions. The new dashboards go beyond raw logs to show how your users interact with the Internet and with your protected resources.

You can now visualize and explore:

* Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity.
* Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation.
* Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture.
* Geographic Regions: Gain insight into the global distribution of your traffic.
![Gateway Analytics](https://developers.cloudflare.com/_astro/gateway-analytics.BdSwbIBb_1WTkQL.webp) 

To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and go to Analytics in the side navigation bar.

## 2025-05-27

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Gateway Protocol Detection Now Available for Pay-as-you-go and Free Plans**   

All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans.

With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier.

This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/).
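As an added example of what protocol detection classifies on (this is illustrative code, not Cloudflare's Gateway implementation): the first bytes a client sends identify SSH, HTTP/1.x and TLS regardless of destination port, and a TLS ClientHello also carries the SNI that host-based rules key on. The sample inputs, the ClientHello builder and the blocked-protocol and blocked-host lists are constructed for the example and are not a real policy.

```python
"""Wire-format protocol detection over the first client bytes of a stream.

Added example, not Cloudflare's Gateway code. A gateway that enforces
policy by protocol must classify on the bytes the client sends first,
not on the destination port: SSH on 443 or TLS on 8443 is still SSH or
TLS. Sample inputs and policy lists below are constructed.
"""
import struct
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def detect_protocol(first_bytes: bytes) -> str:
    """Return 'ssh', 'http', 'tls' or 'unknown' from the first client bytes."""
    # SSH: both peers open with an identification string (RFC 4253, 4.2).
    if first_bytes.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # HTTP/1.x: the request line opens with a method token and a space.
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # TLS: record type 0x16 (handshake), major version 0x03, and a
    # ClientHello (0x01) as the first handshake message after the 5-byte header.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def tls_client_hello_sni(record: bytes) -> Optional[str]:
    """Extract server_name (SNI) from a TLS ClientHello record, or None.

    Walks: record header (5) + handshake header (4) + client_version (2)
    + random (32), then session_id, cipher_suites, compression_methods,
    then the extensions list looking for type 0 (server_name).
    Truncated or malformed input yields None instead of an exception.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32
        sid_len = record[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack(">H", record[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = record[pos]
        pos += 1 + cm_len
        ext_total = struct.unpack(">H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:
                # server_name list: 2-byte list length, 1-byte name type (0 =
                # host_name), 2-byte name length, then the name itself.
                name_type = record[pos + 2]
                name_len = struct.unpack(">H", record[pos + 3:pos + 5])[0]
                if name_type != 0:
                    return None
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello with an SNI extension.

    Constructed sample input for this example, not a captured packet.
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_ext_body = struct.pack(">H", len(sni_entry)) + sni_entry
    extensions = struct.pack(">HH", 0, len(sni_ext_body)) + sni_ext_body
    body = (b"\x03\x03" + b"\x11" * 32                  # client_version, random
            + b"\x00"                                   # session_id length 0
            + struct.pack(">H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # one compression method
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def policy_action(first_bytes: bytes,
                  blocked_protocols=("ssh",),
                  blocked_hosts=("pastebin.example",)) -> str:
    """Hypothetical network-policy decision keyed on protocol and SNI.

    The policy shape is invented for the example; it is not Gateway's
    policy language. Unknown protocols are allowed here, which a stricter
    deployment might invert.
    """
    proto = detect_protocol(first_bytes)
    if proto in blocked_protocols:
        return "block"
    if proto == "tls":
        sni = tls_client_hello_sni(first_bytes)
        if sni is not None and sni.lower() in blocked_hosts:
            return "block"
    return "allow"


if __name__ == "__main__":
    for sample in (b"SSH-2.0-OpenSSH_9.6\r\n",
                   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
                   build_client_hello("app.example.com"),
                   build_client_hello("pastebin.example")):
        print(detect_protocol(sample), tls_client_hello_sni(sample), policy_action(sample))
```

The detector only needs the first TLS record, so a gateway can decide before any application data flows; a client that sends nothing first (a server-speaks-first protocol) would stay `unknown`, which is the case to decide deliberately in a real policy.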

## 2025-05-22

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.4.943.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release.

**Changes and improvements**

* Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

**Known issues**

* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.
* Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.

## 2025-05-22

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.4.943.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release.

**Changes and improvements**

* Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-05-22

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.4.943.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release.

**Changes and improvements**

* Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-05-18

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New Applications Added to Zero Trust**   

42 new applications have been added for Zero Trust support within the Application Library and Gateway policy enforcement, giving you the ability to investigate or apply inline policies to these applications.

33 of the 42 applications are Artificial Intelligence applications. The others are Human Resources (2 applications), Development (2 applications), Productivity (2 applications), Sales & Marketing, Public Cloud, and Security.

To view all available applications, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), then go to **App Library** under **My Team**.

For more information on creating Gateway policies, see our [Gateway policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).

## 2025-05-16

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**New Access Analytics in the Cloudflare One Dashboard**   

A new Access Analytics dashboard is now available to all Cloudflare One customers. Customers can apply and combine multiple filters to dive into specific slices of their Access metrics. These filters include:

* Logins granted and denied
* Access events by type (SSO, Login, Logout)
* Application name (Salesforce, Jira, Slack, etc.)
* Identity provider (Okta, Google, Microsoft, onetimepin, etc.)
* Users (`chris@cloudflare.com`, `sally@cloudflare.com`, `rachel@cloudflare.com`, etc.)
* Countries (US, CA, UK, FR, BR, CN, etc.)
* Source IP address
* App type (self-hosted, Infrastructure, RDP, etc.)
![Access Analytics](https://developers.cloudflare.com/_astro/accessanalytics.DYXgwZCl_Z2PPi7.webp) 

To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Analytics in the side navigation bar.

## 2025-05-15

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Open email attachments with Browser Isolation**   

You can now safely open email attachments to view and investigate them.

Messages now have an **Attachments** section. Here, you can view processed attachments and their classifications (for example, _Malicious_, _Suspicious_, _Encrypted_). Next to each attachment, a **Browser Isolation** icon allows your team to safely open the file in a **clientless, isolated browser** with no risk to the analyst or your environment.

![Attachment-RBI](https://developers.cloudflare.com/_astro/Attachment-RBI.U9Dp8dJO_265xjw.webp) 

To use this feature, you must:

* Turn on **Allow users to open a remote browser without the device client** in your Zero Trust settings.
* Have **Browser Isolation (RBI)** seats assigned.

For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).

Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact.

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-05-14

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Windows (version 2025.4.929.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains two significant changes all customers should be aware of:

1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip).
2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

**Changes and improvements**

* Fixed an issue causing reconnection loops when captive portals are detected.
* Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names.
* Fixed an issue where managed network policies could incorrectly report network location beacons as missing.
* Improved DEX test error reporting.
* Fixed an issue where some parts of the WARP Client UI were missing in high contrast mode.
* Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
* Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
* Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
* Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.
* Fixed an issue where frequent network changes could cause WARP to become unresponsive.
* Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
* Fixed an issue causing WARP connection disruptions after network changes.

**Known issues**

* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.
* Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.

## 2025-05-14

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Domain Categories improvements**   

**New categories added**

| Parent ID | Parent Name           | Category ID | Category Name                 |
| --------- | --------------------- | ----------- | ----------------------------- |
| 1         | Ads                   | 66          | Advertisements                |
| 3         | Business & Economy    | 185         | Personal Finance              |
| 3         | Business & Economy    | 186         | Brokerage & Investing         |
| 21        | Security Threats      | 187         | Compromised Domain            |
| 21        | Security Threats      | 188         | Potentially Unwanted Software |
| 6         | Education             | 189         | Reference                     |
| 9         | Government & Politics | 190         | Charity and Non-profit        |

**Changes to existing categories**

| Original Name | New Name                |
| ------------- | ----------------------- |
| Religion      | Religion & Spirituality |
| Government    | Government/Legal        |
| Redirect      | URL Alias/Redirect      |

Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more.

## 2025-05-13

[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) 

  
**SAML HTTP-POST bindings support for RBI**   

Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused `405` errors during login and improves compatibility with multi-factor authentication (MFA) flows.

With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/).
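To make concrete what the HTTP-POST binding asks of an isolated browser session, here is an added example (illustrative code, not Cloudflare's or any IdP's implementation) of the exchange: the IdP answers with an HTML form that auto-submits `SAMLResponse` and `RelayState` by POST to the service provider's Assertion Consumer Service (ACS) URL, so a proxy that only forwards GET to that endpoint answers `405`. The assertion XML, ACS URL and field handling are constructed for the example; the sample response is unsigned, and a real SP must verify the IdP's signature before trusting anything in it.

```python
"""Shape of a SAML 2.0 HTTP-POST binding exchange.

Added example, not Cloudflare's or an IdP's code. The IdP returns a form
that the browser submits by POST to the SP's ACS URL; the SP decodes the
base64 SAMLResponse field and checks the Destination before going
further. The response XML here is constructed and unsigned.
"""
import base64
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_URL = "https://app.example.com/saml/acs"          # constructed SP endpoint

# Constructed, unsigned samlp:Response; a real one carries an Assertion
# and an XML signature that the SP must verify.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    f'InResponseTo="_req42" Destination="{ACS_URL}"/>'
)


def idp_post_form(acs_url: str, saml_response_xml: str, relay_state: str) -> str:
    """HTML the IdP sends to the browser: the HTTP-POST binding itself."""
    encoded = base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii")
    return (
        f'<form method="POST" action="{html.escape(acs_url, quote=True)}">'
        f'<input type="hidden" name="SAMLResponse" value="{encoded}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>'
        "</form><script>document.forms[0].submit()</script>"
    )


def browser_submit(form_html: str) -> tuple:
    """Simulate the browser auto-submitting the form.

    Returns (method, url-encoded body) exactly as the SP would receive it
    through a proxy that forwards POST bodies unchanged.
    """
    fields = dict(re.findall(r'name="([^"]+)" value="([^"]*)"', form_html))
    return "POST", urlencode({k: html.unescape(v) for k, v in fields.items()})


def sp_parse_post(method: str, body: str, expected_acs: str) -> dict:
    """What the SP's ACS endpoint does with the request it receives.

    A non-POST request gets 405, the symptom the page describes before
    HTTP-POST support existed in the isolated browser.
    """
    if method != "POST":
        return {"status": 405}
    fields = parse_qs(body)
    if "SAMLResponse" not in fields:
        return {"status": 400, "reason": "missing SAMLResponse"}
    try:
        root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0]))
    except (ValueError, ET.ParseError):
        return {"status": 400, "reason": "undecodable SAMLResponse"}
    if root.tag != f"{{{SAMLP}}}Response":
        return {"status": 400, "reason": "not a samlp:Response"}
    # Destination must be this ACS URL; it is part of what the signature covers.
    if root.get("Destination") != expected_acs:
        return {"status": 400, "reason": "Destination mismatch"}
    return {"status": 200,
            "in_response_to": root.get("InResponseTo"),
            "relay_state": fields.get("RelayState", [""])[0]}


if __name__ == "__main__":
    method, body = browser_submit(idp_post_form(ACS_URL, SAMPLE_RESPONSE, "/dashboard"))
    print(sp_parse_post(method, body, ACS_URL))
    print(sp_parse_post("GET", body, ACS_URL))
```

The `InResponseTo` value is what the SP correlates with the AuthnRequest it issued, and the `RelayState` is an opaque round-trip value; neither is trustworthy until the signature over the response has been verified, which this constructed example deliberately omits.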

## 2025-05-13

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**New Applications Added for DNS Filtering**   

You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic.

With this update, you can:

* Create DNS policies for a wider range of applications
* Manage outbound traffic more effectively
* Improve your organization's security and compliance posture

For more information on creating DNS policies, see our [DNS policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/).

## 2025-05-12

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for Linux (version 2025.4.929.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains two significant changes all customers should be aware of:

1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip).
2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

**Changes and improvements**

* Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
* Improved DEX test error reporting.
* Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
* Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
* Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
* Fixed an issue where frequent network changes could cause WARP to become unresponsive.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
* Fixed an issue causing WARP connection disruptions after network changes.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-05-12

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**WARP client for macOS (version 2025.4.929.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains two significant changes all customers should be aware of:

1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip).
2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

**Changes and improvements**

* Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
* Improved DEX test error reporting.
* Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
* Improved captive portal detection.
* Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
* Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
* Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.
* Fixed an issue where frequent network changes could cause WARP to become unresponsive.
* Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
* Fixed an issue causing WARP connection disruptions after network changes.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-05-12

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Case Sensitive Custom Word Lists**   

You can now configure [custom word lists](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#custom-wordlist-datasets) to match case-sensitively. Use this where letter casing is significant to the term being detected, so that a lowercase everyday word no longer triggers a match meant for a specific capitalized identifier; lists where casing does not matter can stay case-insensitive.

![dlp](https://developers.cloudflare.com/_astro/case-sesitive-cwl.MPuOc_3r_220dca.webp) 

## 2025-05-08

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Open email links with Browser Isolation**   

You can now safely open links in emails to view and investigate them.

![Open links with Browser Isolation](https://developers.cloudflare.com/_astro/investigate-links.pYbpGkt5_Z1DQRHU.webp) 

From **Investigation**, go to **View details**, and look for the **Links identified** section. Next to each link, the Cloudflare dashboard will display an **Open in Browser Isolation** icon which allows your team to safely open the link in a clientless, isolated browser with no risk to the analyst or your environment. Refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links) to learn more about this feature.

To use this feature, you must:

* Turn on **Allow users to open a remote browser without the device client** in your Zero Trust settings.
* Have **Browser Isolation (RBI)** seats assigned.

For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-05-07

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Send forensic copies to storage without DLP profiles**   

You can now [send DLP forensic copies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases.

By default, Gateway sends every HTTP request matched by such a policy to your configured DLP Forensic Copy jobs. Because a forensic copy contains the matched request itself, treat the storage destination as holding sensitive data and restrict access to it accordingly.

![DLP](https://developers.cloudflare.com/_astro/forensic-copies-for-all.fxeFrCY4_Z1rCUy9.webp) 

## 2025-05-01

[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) 

  
**Browser Isolation Overview page for Zero Trust**   

A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) deployments, providing:

* **Streamlined Onboarding:** Easily set up and manage isolation policies from one location.
* **Quick Testing:** Validate [clientless web application isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) with ease.
* **Simplified Configuration:** Configure [isolated access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/) and policies efficiently.
* **Centralized Monitoring:** Track aggregate usage and blocked actions.

This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively.

![Browser Isolation Overview](https://developers.cloudflare.com/_astro/browser-isolation-overview.Ljd5ax_O_Z1SURww.webp) 

To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Browser Isolation in the side navigation bar.

## 2025-04-30

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) 

  
**Dark Mode for Zero Trust Dashboard**   

The [Cloudflare Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) now supports Cloudflare's native dark mode for all accounts and plan types.

The Zero Trust dashboard follows your user-level appearance preference: if your dashboard appearance is set to 'system' or 'dark', the Zero Trust dashboard enters dark mode whenever the rest of your Cloudflare account does.

![Zero Trust dashboard supports dark mode](https://developers.cloudflare.com/_astro/dark-mode.DfLeS20d_Z2kTwNR.webp) 


To update your view preference in the Zero Trust dashboard:

1. Log into the [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/).
2. Select your user icon.
3. Select **Dark Mode**.

To update your view preference in the Core dashboard:

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Go to **My Profile**.
3. For **Appearance**, choose **Dark**.

## 2025-04-30

[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Cloudflare One Appliance supports multiple DNS server IPs**   

Cloudflare One Appliance DHCP server settings now support specifying multiple DNS server IP addresses in the DHCP pool.

Previously, customers could only configure a single DNS server per DHCP pool. With this update, you can specify multiple DNS servers to provide redundancy for clients at branch locations.

For configuration details, refer to [DHCP server](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-server/).

## 2025-04-28

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**FQDN Filtering For Gateway Egress Policies**   

Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FQDN) within Gateway Egress policies.

* Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
* During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.  
   * For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#limitations).
![Egress by FQDN and Hostname](https://developers.cloudflare.com/_astro/Gateway-Egress-FQDN-Policy-preview.Civon5p8_Z2hcuQE.webp) 

This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path.

## 2025-04-21

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Access bulk policy tester**   

The [Access bulk policy tester](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable).

![Example policy tester](https://developers.cloudflare.com/_astro/example-policy-tester.DCY8hQvx_2nxAfs.webp) 

## 2025-04-14

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**New predefined detection entry for ICD-11**   

You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11) ↗](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile.

The ICD-10 dataset remains available for use.

## 2025-04-11

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**HTTP redirect and custom block page redirect**   

You can now use more flexible redirect capabilities in Cloudflare One with Gateway.

* A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
* For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.

Learn more in our documentation for [HTTP Redirect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page).

## 2025-04-09

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Cloudflare Zero Trust SCIM User and Group Provisioning Logs**   

[Cloudflare Zero Trust SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim) now has a full audit log of all create, update, and delete events from any SCIM-enabled IdP. The [SCIM logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/) support filtering by IdP, event type, result, and many more fields. This will help with debugging user and group update issues and questions.

SCIM logs can be found on the Zero Trust Dashboard under **Logs** > **SCIM provisioning**.

![Example SCIM Logs](https://developers.cloudflare.com/_astro/example-scim-log.Bv5Zqckh_BY26C.webp) 

## 2025-04-01

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**CASB and Email security**   

With Email security, you get two free CASB integrations.

Use one SaaS integration for Email security to sync with your directory of users, take actions on delivered emails, automatically provide EMLs for reclassification requests for clean emails, discover CASB findings and more.

With the other integration, you can have a separate SaaS integration for CASB findings for another SaaS provider.

Refer to [Add an integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) to learn more about this feature.

![CASB-EmailSecurity](https://developers.cloudflare.com/_astro/CASB-EmailSecurity.B1wd9be2_PR5LD.webp) 

This feature is available across these Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-03-21

[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Secure DNS Locations Management User Role**   

We're excited to introduce the [**Cloudflare Zero Trust Secure DNS Locations Write role**](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations), designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions.

Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions.

**Secure DNS Location Requirements:**

* Mandate usage of [Bring your own DNS resolver IP addresses ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) if available on the account.
* Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint.

You can assign the new role via Cloudflare Dashboard (`Manage Accounts > Members`) or via API. For more information, refer to the [Secure DNS Locations documentation ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations).

## 2025-03-17

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Cloudflare One Agent for Android (version 2.4)**   

A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements.

**Changes and improvements**

* Improved in-app error messages.
* Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url).
* Fixed an issue preventing admin split tunnel settings from taking priority for traffic from certain applications.

## 2025-03-17

[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Cloudflare One Agent for iOS (version 1.10)**   

A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements.

**Changes and improvements**

* Improved in-app error messages.
* Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url).
* Bug fixes and performance improvements.

## 2025-03-13

[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/) 

  
**Cloudflare IP Ranges List**   

Magic Firewall now supports a new managed list of Cloudflare IP ranges. This list is available as an option when creating a Magic Firewall policy based on IP source/destination addresses. When selecting "is in list" or "is not in list", the option "**Cloudflare IP Ranges**" will appear in the dropdown menu.

This list is based on the IPs listed in the Cloudflare [IP ranges ↗](https://www.cloudflare.com/en-gb/ips/). Updates to this managed list are applied automatically.

![Cloudflare IPs Managed List](https://developers.cloudflare.com/_astro/cloudflare-ips.DetyOndL_10JG5B.webp) 

Note: IP Lists require a Cloudflare Advanced Network Firewall subscription. For more details about Cloudflare Network Firewall plans, refer to [Plans](https://developers.cloudflare.com/cloudflare-network-firewall/plans).

## 2025-03-07

[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) 

  
**Cloudflare One Agent now supports Endpoint Monitoring**   

[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device, network, and application performance across your Cloudflare SASE deployment. The latest release of the Cloudflare One agent (v2025.1.861) now includes device endpoint monitoring capabilities to provide deeper visibility into end-user device performance, which can be analyzed directly from the dashboard.

Device health metrics are now automatically collected, allowing administrators to:

* View the last network a user was connected to
* Monitor CPU and RAM utilization on devices
* Identify resource-intensive processes running on endpoints
![Device endpoint monitoring dashboard](https://developers.cloudflare.com/_astro/cloudflare-one-agent-health-monitoring.XXtiRuOp_Z25TN9Q.webp) 

This feature complements existing DEX features like [synthetic application monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) and [network path visualization](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/), creating a comprehensive troubleshooting workflow that connects application performance with device state.

For more details refer to our [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) documentation.

## 2025-03-04

[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) 

  
**Gain visibility into user actions in Zero Trust Browser Isolation sessions**   

We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) through [Logpush](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today!

With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session.

```json
{
  "AccountID": "$ACCOUNT_ID",
  "Decision": "block",
  "DomainName": "www.example.com",
  "Timestamp": "2025-02-27T23:15:06Z",
  "Type": "copy",
  "UserID": "$USER_ID"
}
```

User Actions available:

* **Copy & Paste**
* **Downloads & Uploads**
* **Printing**

Learn more about how to get started with Logpush in our [documentation](https://developers.cloudflare.com/logs/logpush/).
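As an added example (not Cloudflare's code), the following Python triages an NDJSON export of these RBI user-action records: it parses the fields shown above, counts blocked actions per user, domain, and action type, and flags users that accumulate a burst of blocks inside a short window. The sample records, the threshold, and the window are constructed for this example.

```python
"""Triage Cloudflare RBI user-action logs exported via Logpush.

Added example, not Cloudflare's code. The record layout (AccountID, Decision,
DomainName, Timestamp, Type, UserID) follows the sample record above; the
sample export, the burst threshold and the time window are constructed here.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed NDJSON export, one record per line, modelled on the sample
# record above. IDs and domains are placeholders. The last line is
# deliberately malformed to exercise the parser's error handling.
SAMPLE_LOGS = """\
{"AccountID": "$ACCOUNT_ID", "Decision": "block", "DomainName": "www.example.com", "Timestamp": "2025-02-27T23:15:06Z", "Type": "copy", "UserID": "user-a"}
{"AccountID": "$ACCOUNT_ID", "Decision": "allow", "DomainName": "www.example.com", "Timestamp": "2025-02-27T23:15:40Z", "Type": "paste", "UserID": "user-a"}
{"AccountID": "$ACCOUNT_ID", "Decision": "block", "DomainName": "files.example.net", "Timestamp": "2025-02-27T23:16:02Z", "Type": "download", "UserID": "user-a"}
{"AccountID": "$ACCOUNT_ID", "Decision": "block", "DomainName": "files.example.net", "Timestamp": "2025-02-27T23:16:30Z", "Type": "download", "UserID": "user-a"}
{"AccountID": "$ACCOUNT_ID", "Decision": "block", "DomainName": "www.example.com", "Timestamp": "2025-02-27T23:17:11Z", "Type": "print", "UserID": "user-a"}
{"AccountID": "$ACCOUNT_ID", "Decision": "block", "DomainName": "www.example.com", "Timestamp": "2025-02-28T01:02:00Z", "Type": "copy", "UserID": "user-b"}
not json at all
"""


def parse_records(ndjson):
    """Parse NDJSON into a list of records; return (records, malformed_count).

    Malformed lines are counted rather than aborting the run, so a single bad
    line in a large export does not hide the rest of the data.
    """
    records, malformed = [], 0
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        # Logpush timestamps are UTC in RFC 3339 form; keep a parsed copy.
        rec["_ts"] = datetime.strptime(
            rec["Timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records, malformed


def blocked_by_user_and_domain(records):
    """Count blocked actions keyed by (UserID, DomainName, Type)."""
    counts = Counter()
    for rec in records:
        if rec["Decision"] == "block":
            counts[(rec["UserID"], rec["DomainName"], rec["Type"])] += 1
    return counts


def burst_users(records, threshold=3, window=timedelta(minutes=5)):
    """Return {UserID: max blocked actions seen inside any `window`} for users
    reaching `threshold`. Repeated blocks in a short span are worth an
    analyst's look: either a user repeatedly testing the isolation controls
    or a legitimate workflow that needs an explicit policy change.
    """
    stamps_by_user = defaultdict(list)
    for rec in records:
        if rec["Decision"] == "block":
            stamps_by_user[rec["UserID"]].append(rec["_ts"])

    flagged = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        best, start = 0, 0
        # Sliding window over sorted timestamps.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOGS)
    print(f"{len(recs)} records parsed, {bad} malformed line(s) skipped")
    for (user, domain, action), n in sorted(blocked_by_user_and_domain(recs).items()):
        print(f"  blocked {action:<9} {user:<8} {domain:<20} x{n}")
    for user, n in burst_users(recs).items():
        print(f"  burst: {user} had {n} blocked actions within 5 minutes")
```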

## 2025-03-03

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**New SAML and OIDC Fields and SAML transforms for Access for SaaS**   

[Access for SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.

**SAML and OIDC Field Additions**

OIDC apps now include:

* Group Filtering via RegEx
* OIDC Claim mapping from an IdP
* OIDC token lifetime control
* Advanced OIDC auth flows including hybrid and implicit flows
![OIDC field additions](https://developers.cloudflare.com/_astro/oidc-claims.2di8l9Lv_ZrD1mx.webp) 

SAML apps now include improved SAML attribute mapping from an IdP.

![SAML field additions](https://developers.cloudflare.com/_astro/saml-attribute-statements.CW45j5Qi_1ydeSQ.webp) 

**SAML transformations**

SAML identities sent to Access applications can be fully customized using JSONata expressions. This allows admins to configure the precise identity SAML statement sent to a SaaS application.

![Configured SAML statement sent to application](https://developers.cloudflare.com/_astro/transformation-box.DyKn-DdN_2rtirg.webp) 

## 2025-03-01

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Use Logpush for Email security detections**   

You can now send detection logs to an endpoint of your choice with Cloudflare Logpush.

Filter logs matching specific criteria you have set and select from over 25 fields you want to send. When creating a new Logpush job, remember to select **Email security alerts** as the dataset.

![logpush-detections](https://developers.cloudflare.com/_astro/Logpush-Detections.Dc5tHta3_1PsIMk.webp) 

For more information, refer to [Enable detection logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/#enable-detection-logs).

This feature is available across these Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-02-27

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Check status of Email security or Area 1**   

Concerns about performance for Email security or Area 1? You can now check the operational status of both on the [Cloudflare Status page ↗](https://www.cloudflarestatus.com/).

For Email security, look under **Cloudflare Sites and Services**.

* **Dashboard** is the dashboard for Cloudflare, including Email security
* **Email security (Zero Trust)** is the processing of email
* **API** are the Cloudflare endpoints, including the ones for Email security

For Area 1, under **Cloudflare Sites and Services**:

* **Area 1 - Dash** is the dashboard for Cloudflare, including Email security
* **Email security (Area1)** is the processing of email
* **Area 1 - API** are the Area 1 endpoints
![Status-page](https://developers.cloudflare.com/_astro/Status-Page.DcFJ1286_2qTtkN.webp) 

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-02-25

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Use DLP Assist for M365**   

Cloudflare Email security customers who have Microsoft 365 environments can quickly deploy an Email DLP (Data Loss Prevention) solution for free.

Simply deploy our add-in, create a DLP policy in Cloudflare, and configure Outlook to trigger behaviors like displaying a banner, alerting end users before sending, or preventing delivery entirely.

Refer to [Outbound Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/) to learn more about this feature.

In GUI alert:

![DLP-Alert](https://developers.cloudflare.com/_astro/DLP-Alert.5s-fbKn3_1xfB14.webp) 

Alert before sending:

![DLP-Pop-up](https://developers.cloudflare.com/_astro/DLP-Pop-up.0gkYy7o5_ZgIo8K.webp) 

Prevent delivery:

![DLP-Blocked](https://developers.cloudflare.com/_astro/DLP-Blocked.CmQkGrnM_ZewJi3.webp) 

This feature is available across these Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-02-14

[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) 

  
**Configure your Magic WAN Connector to connect via static IP assignment**   

You can now locally configure your [Magic WAN Connector](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/) to work in a static IP configuration.

This local method does not require having access to a DHCP Internet connection. However, it does require being comfortable with using tools to access the serial port on Magic WAN Connector as well as using a serial terminal client to access the Connector's environment.

For more details, refer to [WAN with a static IP address](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/configure-hardware-appliance/#bootstrap-via-serial-console).

## 2025-02-07

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Open email links with Security Center**   

You can now investigate links in emails with Cloudflare Security Center to generate a report containing a myriad of technical details: a phishing scan, SSL certificate data, HTTP request and response data, page performance data, DNS records, what technologies and libraries the page uses, and more.

![Open links in Security Center](https://developers.cloudflare.com/_astro/Open-Links-Security-Center.b-LJU4YB_2dBHq8.webp) 

From **Investigation**, go to **View details**, and look for the **Links identified** section. Select **Open in Security Center** next to each link. **Open in Security Center** allows your team to quickly generate a detailed report about the link with no risk to the analyst or your environment.

For more details, refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links).

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-02-03

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) 

  
**Block files that are password-protected, compressed, or otherwise unscannable.**   

Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.

These unscannable files are now matched with the [Download and Upload File Types traffic selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies:

* Password-protected Microsoft Office document
* Password-protected PDF
* Password-protected ZIP archive
* Unscannable ZIP archive

To get started inspecting and modifying behavior based on these and other rules, refer to [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/).

## 2025-01-20

[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) 

  
**Detect source code leaks with Data Loss Prevention**   

You can now detect source code leaks with Data Loss Prevention (DLP) with predefined checks against common programming languages.

The following programming languages are validated with natural language processing (NLP).

* C
* C++
* C#
* Go
* Haskell
* Java
* JavaScript
* Lua
* Python
* R
* Rust
* Swift

DLP also supports confidence level for [source code profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code).

For more details, refer to [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/).

## 2025-01-15

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Export SSH command logs with Access for Infrastructure using Logpush**   

**Availability:** Only available on Enterprise plans.

Cloudflare now allows you to send SSH command logs to storage destinations configured in [Logpush](https://developers.cloudflare.com/logs/logpush/), including third-party destinations. Once exported, analyze and audit the data as best fits your organization! For a list of available data fields, refer to the [SSH logs dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/).

To set up a Logpush job, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

## 2024-12-19

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Escalate user submissions**   

After you triage your users' submissions (that are machine reviewed), you can now escalate them to our team for reclassification (which are instead human reviewed). User submissions from the submission alias, PhishNet, and our API can all be escalated.

![Escalate](https://developers.cloudflare.com/_astro/Escalate.CwXPIyM3_ZxuRN6.webp) 

From **Reclassifications**, go to **User submissions**. Select the three dots next to any of the user submissions, then select **Escalate** to create a team request for reclassification. The Cloudflare dashboard will then show you the submissions on the **Team Submissions** tab.

Refer to [User submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/) to learn more about this feature.

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2024-12-19

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Increased transparency for phishing email submissions**   

You now have more transparency about team and user submissions for phishing emails through a **Reclassification** tab in the Zero Trust dashboard.

Reclassifications happen when users or admins [submit a phish](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/) to Email security. Cloudflare reviews and - in some cases - reclassifies these emails based on improvements to our machine learning models.

This new tab increases your visibility into this process, allowing you to view what submissions you have made and what the outcomes of those submissions are.

![Use the Reclassification area to review submitted phishing emails](https://developers.cloudflare.com/_astro/reclassifications-tab.yDgtjG51_Z1TVbIE.webp) 

## 2024-12-19

[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) 

  
**Troubleshoot tunnels with diagnostic logs**   

The latest `cloudflared` build [2024.12.2 ↗](https://github.com/cloudflare/cloudflared/releases/tag/2024.12.2) introduces the ability to collect all the diagnostic logs needed to troubleshoot a `cloudflared` instance.

A diagnostic report collects data from a single instance of `cloudflared` running on the local machine and outputs it to a `cloudflared-diag` file.

For more information, refer to [Diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/).

## 2024-12-17

[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Network Interconnect ](https://developers.cloudflare.com/network-interconnect/) 

  
**Establish BGP peering over Direct CNI circuits**   

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.

Using BGP peering allows customers to:

* Automate the process of adding or removing networks and subnets.
* Take advantage of failure detection and session recovery features.

With this functionality, customers can:

* Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via CNI.
* Secure the session by MD5 authentication to prevent misconfigurations.
* Exchange routes dynamically between their devices and their Magic routing table.

Refer to [Magic WAN BGP peering](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-routes/#configure-bgp-routes) or [Magic Transit BGP peering](https://developers.cloudflare.com/magic-transit/how-to/configure-routes/#configure-bgp-routes) to learn more about this feature and how to set it up.

## 2024-12-05

[ Multi-Cloud Networking ](https://developers.cloudflare.com/multi-cloud-networking/) 

  
**Generate customized Terraform files for building cloud network on-ramps**   

You can now generate customized Terraform files for building cloud network on-ramps to [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/).

[Magic Cloud](https://developers.cloudflare.com/multi-cloud-networking/) can scan and discover existing network resources and generate the required Terraform files, so you can automate cloud resource deployment using your existing infrastructure-as-code workflows for cloud automation.

You might want to do this to:

* Review the proposed configuration for an on-ramp before deploying it with Cloudflare.
* Deploy the on-ramp using your own infrastructure-as-code pipeline instead of deploying it with Cloudflare.

For more details, refer to [Set up with Terraform](https://developers.cloudflare.com/multi-cloud-networking/cloud-on-ramps/#set-up-with-terraform).

## 2024-11-22

[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) 

  
**Find security misconfigurations in your AWS cloud environment**   

You can now use CASB to find security misconfigurations in your AWS cloud environment using [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/).

You can also [connect your AWS compute account](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/#compute-account) to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration.

To connect a compute account to your AWS integration:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Integrations**.
2. Find and select your AWS integration.
3. Select **Open connection instructions**.
4. Follow the instructions provided to connect a new compute account.
5. Select **Refresh**.

## 2024-11-21

[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) 

  
**Improved non-English keyboard support**   

You can now type in languages that use diacritics (like á or ç) and character-based scripts (such as Chinese, Japanese, and Korean) directly within the remote browser. The isolated browser now properly recognizes non-English keyboard input, eliminating the need to copy and paste content from a local browser or device.

## 2024-11-07

[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/) 

  
**Use Logpush for Email security user actions**   

You can now send user action logs for Email security to an endpoint of your choice with Cloudflare Logpush.

Filter logs matching specific criteria you have set or select from multiple fields you want to send. For all users, we will log the date and time, user ID, IP address, details about the message they accessed, and what actions they took.

When creating a new Logpush job, remember to select **Audit logs** as the dataset and filter by:

* **Field**: `"ResourceType"`
* **Operator**: `"starts with"`
* **Value**: `"email_security"`.
![Logpush-user-actions](https://developers.cloudflare.com/_astro/Logpush-User-Actions.D14fWgmq_CYM35.webp) 

For more information, refer to [Enable user action logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/#enable-user-action-logs).

This feature is available across all Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2024-10-02

[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/) 

  
**Search for custom rules using rule name and/or ID**   

The Magic Firewall dashboard now allows you to search custom rules using the rule name and/or ID.

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and select your account.
2. Go to **Analytics & Logs** \> **Network Analytics**.
3. Select **Magic Firewall**.
4. Add a filter for **Rule ID**.
![Search for firewall rules with rule IDs](https://developers.cloudflare.com/_astro/search-with-rule-id.DJgzqgKk_2jJ9x8.webp) 

Additionally, the rule ID URL link has been added to Network Analytics.

## 2024-10-01

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) 

  
**Eliminate long-lived credentials and enhance SSH security with Cloudflare Access for Infrastructure**   

Organizations can now eliminate long-lived credentials from their SSH setup and enable strong multi-factor authentication for SSH access, similar to other Access applications, all while generating access and command logs.

SSH with [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: [WARP-to-Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client/).

SSH with Access for Infrastructure enables you to:

* **Author fine-grained policy** to control who may access your SSH servers, including specific ports, protocols, and SSH users.
* **Monitor infrastructure access** with Access and SSH command logs, supporting regulatory compliance and providing visibility in case of security breach.
* **Preserve your end users' workflows.** SSH with Access for Infrastructure supports native SSH clients and does not require any modifications to users’ SSH configs.
![Example of an infrastructure Access application](https://developers.cloudflare.com/_astro/infrastructure-app.BhpJOgxs_Z1M0wLH.webp) 

To get started, refer to [SSH with Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).

## 2024-06-17

[ Risk Score ](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/) 

  
**Exchange user risk scores with Okta**   

Beyond the controls in [Zero Trust](https://developers.cloudflare.com/cloudflare-one/), you can now [exchange user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#send-risk-score-to-okta) with Okta to inform SSO-level policies.

First, configure Cloudflare One to send user risk scores to Okta.

1. Set up the [Okta SSO integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/).
2. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Integrations** > **Identity providers**.
3. In **Your identity providers**, locate your Okta integration and select **Edit**.
4. Turn on **Send risk score to Okta**.
5. Select **Save**.
6. Upon saving, Cloudflare One will display the well-known URL for your organization. Copy the value.

Next, configure Okta to receive your risk scores.

1. On your Okta admin dashboard, go to **Security** > **Device Integrations**.
2. Go to **Receive shared signals**, then select **Create stream**.
3. Name your integration. In **Set up integration with**, choose _Well-known URL_.
4. In **Well-known URL**, enter the well-known URL value provided by Cloudflare One.
5. Select **Create**.

## 2024-06-16

[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/)[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Multi-Cloud Networking ](https://developers.cloudflare.com/multi-cloud-networking/)[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)[ Network Flow ](https://developers.cloudflare.com/network-flow/)[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Network Interconnect ](https://developers.cloudflare.com/network-interconnect/)[ Risk Score ](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/)[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) 

  
**Explore product updates for Cloudflare One**   

Welcome to your new home for product updates on [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

Our [new changelog](https://developers.cloudflare.com/changelog/) lets you read about changes in much more depth, offering in-depth examples, images, code samples, and even GIFs.

If you are looking for older product updates, refer to the following locations.


* [Access](https://developers.cloudflare.com/cloudflare-one/changelog/access/)
* [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/changelog/browser-isolation/)
* [CASB](https://developers.cloudflare.com/cloudflare-one/changelog/casb/)
* [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/changelog/tunnel/)
* [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/changelog/dlp/)
* [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/changelog/dex/)
* [Email security](https://developers.cloudflare.com/cloudflare-one/changelog/email-security/)
* [Gateway](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/)
* [Multi-Cloud Networking](https://developers.cloudflare.com/multi-cloud-networking/changelog/)
* [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/changelog/)
* [Magic Network Monitoring](https://developers.cloudflare.com/network-flow/changelog/)
* [Magic Transit](https://developers.cloudflare.com/magic-transit/changelog/)
* [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/changelog/)
* [Network Interconnect](https://developers.cloudflare.com/network-interconnect/changelog/)
* [Risk score](https://developers.cloudflare.com/cloudflare-one/changelog/risk-score/)
* [Cloudflare One Client](https://developers.cloudflare.com/changelog/cloudflare-one-client/)


---

---
title: Access
description: Review recent changes to Cloudflare Access.
image: https://developers.cloudflare.com/zt-preview.png
---


# Access

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/access.xml) 

## 2026-04-23

  
**AAGUID restrictions and AMR matching for Access independent MFA**   

[Independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/) in Cloudflare Access now supports two additional organization-level controls:

* **[Restrict authenticators by AAGUID](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#restrict-authenticators-by-aaguid)** — Limit enrollment to a specific set of WebAuthn authenticators using their [AAGUID ↗](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#authenticator-attestation-guid). This is useful for organizations that require FIPS-validated security keys or company-issued hardware. AAGUIDs are managed through a new [List](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) type.
* **[AMR matching](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/#use-identity-provider-mfa)** — Skip the independent MFA prompt when the identity provider has already performed an equivalent MFA. Access reads the `amr` claim defined in [RFC 8176 ↗](https://datatracker.ietf.org/doc/html/rfc8176) and matches supported values such as `hwk`, `otp`, and `fpt` to the authenticator types allowed on the application or policy. This prevents users from having to complete MFA twice when their identity provider already enforces it.

To get started, refer to [Independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/).

## 2026-04-17

  
**Homepage and sign-out for MCP server portals**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) display a homepage when users visit the portal domain in a browser.

![MCP server portal homepage showing connection status and setup instructions](https://developers.cloudflare.com/_astro/portals-homepage-disconnected.BHbOwayQ_Z1G37WD.webp) 

The homepage shows:

* The portal name and organization branding
* The MCP endpoint URL with a copy button
* Per-client connection instructions for Claude Desktop, Workers AI Playground, OpenCode, Windsurf, and other MCP clients

Authenticated users see their email address and a **Sign out** button. Selecting **Sign out** revokes all portal-level OAuth grants, deletes upstream server OAuth states, and redirects through Cloudflare Access logout. A confirmation page shows a summary of the revoked sessions.

For more information, refer to [MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#portal-homepage).

## 2026-04-15

  
**Independent MFA for Access applications**   

Cloudflare Access now supports independent multi-factor authentication (MFA), allowing you to enforce MFA requirements without relying on your identity provider (IdP). With per-application and per-policy configuration, you can enforce stricter authentication methods like hardware security keys on sensitive applications without requiring them across your entire organization. This reduces the risk of MFA fatigue for your broader user population while adding additional security where it matters most.

This feature also addresses common gaps in IdP-based MFA, such as inconsistent MFA policies across different identity providers or the need for additional security layers beyond what the IdP provides.

Independent MFA supports the following authenticator types:

* **Authenticator application** — Time-based one-time passwords (TOTP) using apps like Google Authenticator, Microsoft Authenticator, or Authy.
* **Security key** — Hardware security keys such as YubiKeys.
* **Biometrics** — Built-in device authenticators including Apple Touch ID, Apple Face ID, and Windows Hello.

Note

Infrastructure applications do not yet support independent MFA.

#### Configuration levels

You can configure MFA requirements at three levels:

| Level            | Description                                                    |
| ---------------- | -------------------------------------------------------------- |
| **Organization** | Enforce MFA by default for all applications in your account.   |
| **Application**  | Require or turn off MFA for a specific application.            |
| **Policy**       | Require or turn off MFA for users who match a specific policy. |

Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement.
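The two decisions described in this entry and in the AMR matching entry above (2026-04-23) can be written down as a small policy engine: first resolve the effective MFA requirement across the organization, application and policy levels, then skip the prompt if the identity provider's `amr` claim already covers an allowed authenticator type. This is an added example, not Cloudflare's code. The mapping from the three authenticator types to RFC 8176 values, the settings values and the tokens are assumptions constructed for the example, and the IdP signature check that Access performs before trusting the claim is out of scope.

```python
"""Added example, not Cloudflare's code: resolve the effective independent-MFA
requirement across the organization, application and policy levels, then decide
whether the identity provider's `amr` claim (RFC 8176) already satisfies it.
Assumptions: the type-to-amr mapping, the settings values and the tokens are
constructed for this example; signature verification is out of scope."""
import base64
import json
from typing import Optional

# ASSUMPTION: how the page's three authenticator types map onto RFC 8176 values.
AMR_FOR_TYPE = {
    "authenticator_app": {"otp"},         # TOTP from an authenticator app
    "security_key": {"hwk"},              # proof of possession of a hardware key
    "biometrics": {"fpt", "face"},        # fingerprint / facial recognition
}


def effective_mfa(org: Optional[bool], app: Optional[bool], policy: Optional[bool]) -> bool:
    """Lower levels override higher ones: policy > application > organization.
    None means 'not configured at this level'; unset everywhere means no MFA."""
    for setting in (policy, app, org):
        if setting is not None:
            return setting
    return False


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Decode only the payload segment; Access would verify the IdP signature first."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def idp_mfa_satisfies(amr: list, allowed_types: set) -> bool:
    """True when any amr value maps to an authenticator type allowed on the app/policy."""
    allowed_amr = set().union(*(AMR_FOR_TYPE[t] for t in allowed_types))
    return bool(allowed_amr & set(amr))


def mfa_prompt_needed(org, app, policy, token: str, allowed_types: set) -> bool:
    """Prompt for independent MFA only if it is required at the effective level
    and the IdP has not already performed an equivalent factor."""
    if not effective_mfa(org, app, policy):
        return False
    claims = decode_jwt_payload(token)
    return not idp_mfa_satisfies(claims.get("amr", []), allowed_types)


if __name__ == "__main__":
    token = make_token({"sub": "alice@example.com", "amr": ["pwd", "otp"]})
    # Org requires MFA, app allows only security keys: TOTP at the IdP is not enough.
    print(mfa_prompt_needed(True, None, None, token, {"security_key"}))       # True
    # App also allows authenticator apps: the IdP's otp satisfies it, skip the prompt.
    print(mfa_prompt_needed(True, None, None, token, {"authenticator_app"}))  # False
    # Policy explicitly turns MFA off, overriding the organization default.
    print(mfa_prompt_needed(True, None, False, token, {"security_key"}))      # False
```

The point worth noticing is that `amr` only skips the prompt when the factor the IdP reports is one the application or policy would have accepted anyway; a password-only login (`pwd`) never satisfies a security-key requirement, and a policy-level `False` wins over an organization-level `True`.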

#### User enrollment

Users enroll their authenticators through the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `<your-team-name>.cloudflareaccess.com/AddMfaDevice`.

To get started with Independent MFA, refer to [Independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/independent-mfa/).

## 2026-04-02

  
**Session management for MCP server portals**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) support in-session management of upstream MCP server connections. Users can return to the server selection page at any time to enable or disable servers, reauthenticate, or change which data a server has access to — all without leaving their MCP client.

To return to the server selection page, ask your AI agent with a prompt like "take me back to the server selection page." The portal responds with an authorization URL via [MCP elicitation ↗](https://modelcontextprotocol.io/specification/2025-03-26/server/elicitation) that you open in your browser:

```
https://<subdomain>.<domain>/authorize?elicitationId=<ELICITATION_ID>
```

From the server selection page you can:

* **Enable or disable servers** — Toggle individual upstream MCP servers on or off. Disabling a server removes its tools from the active session, which reduces context window usage.
* **Log out and reauthenticate** — Log out of a server and log back in to change which data the server has access to, or to reauthenticate with different permissions.

Users can also enable or disable a server inline by asking their AI agent directly, for example "enable the wiki server" or "disable my Jira server."

The portal also automatically prompts connected users to authorize new servers when an admin adds them to the portal. This requires the use of [managed OAuth](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/managed-oauth/#enable-managed-oauth-on-an-mcp-server-portal).

For more information, refer to [Manage portal sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#manage-portal-sessions).

## 2026-04-01

  
**Logs UI refresh**   

Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs.

![Screenshot of the new logs UI showing DNS query logs with customizable columns and filtering options](https://developers.cloudflare.com/_astro/cf1-new-logs-ui.DxF4x0l-_mRSyH.webp) 

The updated UI includes:

* **Filter by field** — Select any field value to add it as a filter and narrow down your results.
* **Customizable fields** — Choose which fields to display in the log table. Querying for fewer fields improves log loading performance.
* **View details** — Select a timestamp to view the full details of a log entry.
* **Switch to classic view** — Return to the previous log viewer interface if needed.

For more information, refer to [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/).

## 2026-03-26

  
**Code mode for MCP server portals**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) support [code mode](https://developers.cloudflare.com/agents/api-reference/codemode/), a technique that reduces context window usage by replacing individual tool definitions with a single code execution tool. Code mode is turned on by default on all portals.

To turn it off, edit the portal in **Access controls** > **AI controls** and turn off **Code mode** under **Basic information**.

When code mode is active, the portal exposes a single `code` tool instead of listing every tool from every upstream MCP server. The connected AI agent writes JavaScript that calls typed `codemode.*` methods for each upstream tool. The generated code runs in an isolated [Dynamic Worker](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/) environment, keeping authentication credentials and environment variables out of the model context.

To use code mode, append `?codemode=search_and_execute` to your portal URL when connecting from an MCP client:

```
https://<subdomain>.<domain>/mcp?codemode=search_and_execute
```

For more information, refer to [code mode](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#code-mode).

## 2026-03-26

  
**Context optimization for MCP server portals**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) support two context optimization options that reduce how many tokens tool definitions consume in the model's context window. Both options are activated by appending the `optimize_context` query parameter to the portal URL.

#### `minimize_tools`

Strips tool descriptions and input schemas from all upstream tools, leaving only their names. The portal exposes a special `query` tool that agents use to retrieve full definitions on demand. This provides up to 5x savings in token usage.

```
https://<subdomain>.<domain>/mcp?optimize_context=minimize_tools
```

#### `search_and_execute`

Hides all upstream tools and exposes only two tools: `query` and `execute`. The `query` tool searches and retrieves tool definitions. The `execute` tool runs the upstream tools in an isolated [Dynamic Worker](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/) environment. This reduces the initial token cost to a small constant, regardless of how many tools are available through the portal.

```
https://<subdomain>.<domain>/mcp?optimize_context=search_and_execute
```

For more information, refer to [Optimize context](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#optimize-context).

## 2026-03-20

  
**Managed OAuth for Cloudflare Access**   

Cloudflare Access supports managed OAuth, which allows non-browser clients — such as CLIs, AI agents, SDKs, and scripts — to authenticate with Access-protected applications using a standard OAuth 2.0 authorization code flow.

Previously, non-browser clients that attempted to access a protected application received a `302` redirect to a login page they could not complete. The established workaround was `cloudflared access curl`, which required installing additional tooling.

With managed OAuth, clients instead receive a `401` response with a `WWW-Authenticate` header that points to Access's OAuth discovery endpoints ([RFC 8414 ↗](https://datatracker.ietf.org/doc/html/rfc8414) and [RFC 9728 ↗](https://datatracker.ietf.org/doc/html/rfc9728)). The client opens the end user's browser to the Access login page. The end user authenticates with their identity provider, and the client receives an OAuth access token for subsequent requests.

Access enforces the same policies as a browser login; the OAuth layer is a new transport mechanism, not a separate authentication path.

Managed OAuth can be enabled on any self-hosted Access application or [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/). It is opt-in for existing applications to avoid interfering with those that run their own OAuth servers and rely on their own `WWW-Authenticate` headers.
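What a non-browser client has to do with that `401` is mechanical, and worth seeing end to end: recognise the challenge, parse the `resource_metadata` parameter (RFC 9728), derive the authorization server's metadata URL (RFC 8414 section 3), and build the authorization request to open in the user's browser. The following is an added example, not Cloudflare's or any client's code. The hostnames, sample responses, metadata documents, `client_id` and `redirect_uri` are constructed; PKCE (RFC 7636) and the `resource` parameter (RFC 8707) are included as the usual choices for a public client, not because the page states that Access requires them.

```python
"""Added example, not Cloudflare's or any client's code: how a CLI or agent
should react to the managed-OAuth challenge described above, following RFC 9728
(`resource_metadata` parameter) and RFC 8414 section 3 (metadata URL).
Assumptions: hostnames, the sample responses, the metadata documents and the
client_id/redirect_uri are constructed; PKCE (RFC 7636) and the RFC 8707
`resource` parameter are the usual public-client choices, not page facts."""
import base64
import hashlib
import re
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

# RFC 7235 auth-param: token "=" ( token / quoted-string )
_AUTH_PARAM = re.compile(r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(?:\"([^\"]*)\"|([^\s,]+))")

# Constructed responses: the legacy redirect versus the managed-OAuth challenge.
LEGACY_302 = (302, {"Location": "https://idp.example.com/login"})
MANAGED_401 = (401, {"WWW-Authenticate":
    'Bearer resource_metadata="https://app.example.com/.well-known/oauth-protected-resource", scope="openid"'})

# Constructed metadata documents a client would fetch from the URLs it discovers.
PROTECTED_RESOURCE_METADATA = {"resource": "https://app.example.com",
                               "authorization_servers": ["https://auth.example.com/tenant-a"]}
AS_METADATA = {"issuer": "https://auth.example.com/tenant-a",
               "authorization_endpoint": "https://auth.example.com/tenant-a/authorize",
               "token_endpoint": "https://auth.example.com/tenant-a/token"}


def parse_bearer_challenge(www_authenticate: str) -> dict:
    """Return the auth-params of a Bearer challenge ({} for any other scheme)."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _AUTH_PARAM.finditer(params)}


def classify_response(status: int, headers: dict) -> str:
    """302 to a login page is the old dead end for non-browser clients; a 401 that
    carries resource_metadata is the signal to start the authorization code flow."""
    challenge = parse_bearer_challenge(headers.get("WWW-Authenticate", ""))
    if status == 401 and "resource_metadata" in challenge:
        return "start_oauth"
    if status in (301, 302, 303, 307, 308):
        return "interactive_login_redirect"
    return "other"


def authorization_server_metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: insert the well-known suffix between host and issuer path."""
    parts = urlsplit(issuer)
    path = "/.well-known/oauth-authorization-server" + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636 S256: (code_verifier, code_challenge)."""
    verifier = verifier or base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(as_metadata: dict, client_id: str, redirect_uri: str,
                            resource: str, code_challenge: str, state: str) -> str:
    """Authorization request; `resource` (RFC 8707) names the protected app."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "code_challenge": code_challenge, "code_challenge_method": "S256",
              "state": state, "resource": resource}
    return f"{as_metadata['authorization_endpoint']}?{urlencode(params)}"


if __name__ == "__main__":
    status, headers = MANAGED_401
    if classify_response(status, headers) == "start_oauth":
        challenge = parse_bearer_challenge(headers["WWW-Authenticate"])
        print("fetch:", challenge["resource_metadata"])
        issuer = PROTECTED_RESOURCE_METADATA["authorization_servers"][0]
        print("fetch:", authorization_server_metadata_url(issuer))
        verifier, challenge_s256 = pkce_pair()
        print("open in browser:", build_authorization_url(
            AS_METADATA, "my-cli", "http://127.0.0.1:8765/callback",
            PROTECTED_RESOURCE_METADATA["resource"], challenge_s256, secrets.token_urlsafe(16)))
```

Two checks a practitioner should keep: only trust an authorization server that the protected-resource metadata lists under `authorization_servers` (never one taken from an attacker-controllable header alone), and compare the `issuer` in the fetched metadata with the URL you derived it from before using its endpoints.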

Note

For MCP server portals, managed OAuth is enabled by default on new portals. It remains opt-in for self-hosted applications.

To enable managed OAuth, go to **Zero Trust** > **Access controls** > **Applications**, edit the application, and turn on **Managed OAuth** under **Advanced settings**.

You can also enable it via the API by setting `oauth_configuration.enabled` to `true` on the [Access applications endpoint](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/update/).

![Managed OAuth settings in the Cloudflare dashboard](https://developers.cloudflare.com/_astro/managed-oauth.BirLnBpy_Zjg97R.webp) 

For setup instructions, refer to [Enable managed OAuth](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/managed-oauth/).

## 2026-03-20

  
**Route MCP server portal traffic through Cloudflare Gateway**   

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) can now route traffic through [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) for richer HTTP request logging and data loss prevention (DLP) scanning.

When Gateway routing is turned on, portal traffic appears in your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). You can create [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) with [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) to detect and block sensitive data sent to upstream MCP servers.

Note

DLP [AI prompt profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) do not apply to MCP server portal traffic.

To enable Gateway routing, go to **Access controls** > **AI controls**, edit the portal, and turn on **Route traffic through Cloudflare Gateway** under **Basic information**.

![Route MCP server portal traffic through Cloudflare Gateway](https://developers.cloudflare.com/_astro/portal-route-through-gateway.0KMUAXBm_Z1B5rry.webp) 

For more details, refer to [Route traffic through Gateway](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#route-portal-traffic-through-gateway).

## 2026-03-04

  
**User risk score selector in Access policies**   

You can now use [user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/) in your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). The new **User Risk Score** selector allows you to create Access policies that respond to user behavior patterns detected by Cloudflare's risk scoring system, including impossible travel, high DLP policy matches, and more.

For more information, refer to [Use risk scores in Access policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#use-risk-scores-in-access-policies).

## 2026-03-01

  
**Clipboard controls for browser-based RDP**   

You can now configure clipboard controls for browser-based RDP with Cloudflare Access. Clipboard controls allow administrators to restrict whether users can copy or paste text between their local machine and the remote Windows server.

![Enable users to copy and paste content from their local machine to remote RDP sessions in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/rdp-clipboard-controls.B0ZmliDb_Z1Ne5yg.webp) 

This feature is useful for organizations that support bring-your-own-device (BYOD) policies or third-party contractors using unmanaged devices. By restricting clipboard access, you can prevent sensitive data from being transferred out of the remote session to a user's personal device.

#### Configuration options

Clipboard controls are configured per policy within your Access application. For each policy, you can independently allow or deny:

* **Copy from local client to remote RDP session** — Users can copy/paste text from their local machine into the browser-based RDP session.
* **Copy from remote RDP session to local client** — Users can copy/paste text from the browser-based RDP session to their local machine.

By default, both directions are denied for new policies. For existing Access applications created before this feature was available, clipboard access remains enabled to preserve backwards compatibility.

When a user attempts a restricted clipboard action, the clipboard content is replaced with an error message informing them that the action is not allowed.

For more information, refer to [Clipboard controls for browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls).

## 2026-02-27

  
**Export MCP server portal logs with Logpush**   

Availability

Only available on Enterprise plans.

[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) now support [Logpush](https://developers.cloudflare.com/logs/logpush/) integration. You can automatically export MCP server portal activity logs to third-party storage destinations or security information and event management (SIEM) tools for analysis and auditing.

#### Available log fields

The MCP server portal logs dataset includes fields such as:

* `Datetime` — Timestamp of the request
* `PortalID` / `PortalAUD` — Portal identifiers
* `ServerID` / `ServerURL` — Upstream MCP server details
* `Method` — JSON-RPC method (for example, `tools/call`, `prompts/get`, `resources/read`)
* `ToolCallName` / `PromptGetName` / `ResourceReadURI` — Method-specific identifiers
* `UserID` / `UserEmail` — Authenticated user information
* `Success` / `Error` — Request outcome
* `ServerResponseDurationMs` — Response time from upstream server

For the complete field reference, refer to [MCP portal logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/mcp%5Fportal%5Flogs/).
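Once these records land in a SIEM, the questions a detection engineer asks first are which upstream servers are failing, which users are repeatedly hitting tools they are not allowed to call, and which tools each identity actually exercised. The following is an added example, not Cloudflare's code, that answers those three questions over constructed newline-delimited JSON. The field names follow the list above; the value types, the sample records and the alert threshold are assumptions made for this example.

```python
"""Added example, not Cloudflare's code: triage constructed MCP server portal
Logpush records. Field names follow the documented list; value types, the
sample records and the alert threshold are assumptions of this example."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per JSON-RPC request through the portal.
SAMPLE_LOGS = """\
{"Datetime":"2026-02-27T10:00:01Z","PortalID":"portal-1","ServerID":"srv-wiki","ServerURL":"https://wiki.internal.example/mcp","Method":"tools/call","ToolCallName":"search_pages","UserID":"u1","UserEmail":"alice@example.com","Success":true,"Error":"","ServerResponseDurationMs":120}
{"Datetime":"2026-02-27T10:01:00Z","PortalID":"portal-1","ServerID":"srv-jira","ServerURL":"https://jira.internal.example/mcp","Method":"tools/call","ToolCallName":"create_issue","UserID":"u2","UserEmail":"bob@example.com","Success":false,"Error":"permission denied","ServerResponseDurationMs":45}
{"Datetime":"2026-02-27T10:01:30Z","PortalID":"portal-1","ServerID":"srv-jira","ServerURL":"https://jira.internal.example/mcp","Method":"tools/call","ToolCallName":"create_issue","UserID":"u2","UserEmail":"bob@example.com","Success":false,"Error":"permission denied","ServerResponseDurationMs":41}
{"Datetime":"2026-02-27T10:02:10Z","PortalID":"portal-1","ServerID":"srv-jira","ServerURL":"https://jira.internal.example/mcp","Method":"tools/call","ToolCallName":"delete_issue","UserID":"u2","UserEmail":"bob@example.com","Success":false,"Error":"permission denied","ServerResponseDurationMs":39}
{"Datetime":"2026-02-27T10:02:40Z","PortalID":"portal-1","ServerID":"srv-wiki","ServerURL":"https://wiki.internal.example/mcp","Method":"resources/read","ResourceReadURI":"wiki://runbooks/oncall","UserID":"u1","UserEmail":"alice@example.com","Success":true,"Error":"","ServerResponseDurationMs":88}
{"Datetime":"2026-02-27T10:02:55Z","PortalID":"portal-1","ServerID":"srv-jira","ServerURL":"https://jira.internal.example/mcp","Method":"prompts/get","PromptGetName":"triage","UserID":"u3","UserEmail":"carol@example.com","Success":true,"Error":"","ServerResponseDurationMs":30}
{"Datetime":"2026-02-27T10:03:00Z","PortalID":"portal-1","ServerID":"srv-jira","ServerURL":"https://jira.internal.example/mcp","Method":"tools/call","ToolCallName":"list_issues","UserID":"u2","UserEmail":"bob@example.com","Success":true,"Error":"","ServerResponseDurationMs":210}
"""


def parse_records(text: str) -> list:
    """Parse NDJSON and attach a datetime for windowed logic."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["_ts"] = datetime.strptime(rec["Datetime"], "%Y-%m-%dT%H:%M:%SZ")
            recs.append(rec)
    return recs


def failure_rate_by_server(recs: list) -> dict:
    """Fraction of failed requests per upstream ServerURL."""
    total, failed = Counter(), Counter()
    for rec in recs:
        total[rec["ServerURL"]] += 1
        if not rec["Success"]:
            failed[rec["ServerURL"]] += 1
    return {server: failed[server] / total[server] for server in total}


def burst_failed_tool_calls(recs: list, threshold: int = 3,
                            window: timedelta = timedelta(minutes=5)) -> dict:
    """Users with at least `threshold` failed tools/call inside a sliding `window`:
    the pattern of an agent retrying a tool the user is not authorised for."""
    by_user = defaultdict(list)
    for rec in recs:
        if rec["Method"] == "tools/call" and not rec["Success"]:
            by_user[rec["UserEmail"]].append(rec["_ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def tools_used(recs: list) -> dict:
    """Per-user inventory of server:tool pairs actually invoked (successful or not)."""
    out = defaultdict(set)
    for rec in recs:
        if rec["Method"] == "tools/call" and rec.get("ToolCallName"):
            out[rec["UserEmail"]].add(f'{rec["ServerID"]}:{rec["ToolCallName"]}')
    return {user: sorted(tools) for user, tools in out.items()}


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOGS)
    print(failure_rate_by_server(records))   # jira 0.6, wiki 0.0
    print(burst_failed_tool_calls(records))  # {'bob@example.com': 3}
    print(tools_used(records))
```

`ToolCallName`, `PromptGetName` and `ResourceReadURI` are only populated for their own method, so any per-tool logic must key on `Method` first; the inventory above deliberately counts failed calls too, since an attempted `delete_issue` is exactly what an audit wants to see.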

#### Set up Logpush

To configure Logpush for MCP server portal logs, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

Note

MCP server portals are currently in beta.

## 2026-02-17

  
**Streamlined clientless browser isolation for private applications**   

A new **Allow clientless access** setting makes it easier to connect users without a device client to internal applications, without using public DNS.

![Allow clientless access setting in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/allow-clientless-access.BHKwQuVt_1mLRiX.webp) 

Previously, to provide clientless access to a private hostname or IP without a [published application](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/#add-a-published-application-route), you had to create a separate [bookmark application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/) pointing to a prefixed [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL (for example, `https://<your-teamname>.cloudflareaccess.com/browser/https://10.0.0.1/`). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application.

Now, you can manage clientless access directly within your [private self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). When **Allow clientless access** is turned on, users who pass your Access application policies will see a tile in their App Launcher pointing to the prefixed URL. Users must have [remote browser permissions](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) to open the link.

## 2026-02-17

  
**Policies for bookmark applications**   

You can now assign [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to [bookmark applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/). This lets you control which users see a bookmark in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) based on identity, device posture, and other policy rules.

Previously, bookmark applications were visible to all users in your organization. With policy support, you can now:

* **Tailor the App Launcher to each user** — Users only see the applications they have access to, reducing clutter and preventing accidental clicks on irrelevant resources.
* **Restrict visibility of sensitive bookmarks** — Limit who can view bookmarks to internal tools or partner resources based on group membership, identity provider, or device posture.

Bookmarks support all [Access policy configurations](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) except purpose justification, temporary authentication, and application isolation. If no policy is assigned, the bookmark remains visible to all users (maintaining backwards compatibility).

For more information, refer to [Add bookmarks](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/).

## 2026-02-13

  
**Fine-grained permissions for Access policies and service tokens**   

Fine-grained permissions for **Access policies** and **Access service tokens** are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources.

#### New roles

* **Cloudflare Access policy admin**: Can edit a specific [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) in an account.
* **Cloudflare Access service token admin**: Can edit a specific [Access service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) in an account.

These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets.

For more information:

* [Resource-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#resource-scoped-roles)
* [Role scopes](https://developers.cloudflare.com/fundamentals/manage-members/scope/)

Note

Resource-scoped roles are currently in beta.

## 2026-01-22

  
**Require Access protection for zones**   

You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked.

This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed.

![Require Cloudflare Access protection in the dashboard](https://developers.cloudflare.com/_astro/require-cloudflare-access-protection.BAUmTYOs_ZxNecb.webp) 

#### How it works

* **Blocked by default**: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname.
* **Explicit access required**: To allow traffic, create an Access application with an Allow or Bypass policy.
* **Hostname exemptions**: You can exempt specific hostnames from this requirement.

To turn on this feature, refer to [Require Access protection](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/require-access-protection/).
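Before turning a deny-by-default switch on, it pays to know which hostnames it will cut off. The following is an added example, not Cloudflare's code: a pre-flight audit that takes the hostnames in an account, the domains of the existing Access applications and the exemption list, and reports what would be blocked. The hostname list, application domains and exemptions are constructed; treating a leading `*.` as covering any depth of subdomain, and ignoring any path component of an application domain when matching hostnames, are assumptions of this example.

```python
"""Added example, not Cloudflare's code: pre-flight audit for the
"require Access protection" setting. Inputs are constructed; the wildcard and
path-stripping semantics are assumptions, not documented Access behaviour."""
from typing import Dict, List

# Constructed inputs: Access application domains (one has a path), exemptions,
# and the hostnames that currently resolve in the account.
APP_DOMAINS = ["intranet.example.com", "*.dev.example.com", "api.example.com/v1"]
EXEMPT = ["www.example.com"]
DNS_HOSTNAMES = ["www.example.com", "intranet.example.com", "grafana.dev.example.com",
                 "a.b.dev.example.com", "api.example.com", "staging.example.com",
                 "jenkins.example.com"]


def host_of(app_domain: str) -> str:
    """ASSUMPTION: an application domain may carry a path; only the host matters here."""
    return app_domain.split("/", 1)[0].lower()


def covered(hostname: str, app_domains: List[str]) -> bool:
    """True if some Access application domain matches the hostname.
    ASSUMPTION: '*.x' matches any hostname ending in '.x', at any depth."""
    host = hostname.lower()
    for domain in app_domains:
        domain = host_of(domain)
        if domain == host:
            return True
        if domain.startswith("*.") and host.endswith(domain[1:]):
            return True
    return False


def audit(hostnames: List[str], app_domains: List[str], exempt: List[str]) -> Dict[str, List[str]]:
    """Split hostnames into those that stay reachable and those the setting would block."""
    exempt_set = {e.lower() for e in exempt}
    allowed, blocked = [], []
    for host in hostnames:
        if host.lower() in exempt_set or covered(host, app_domains):
            allowed.append(host)
        else:
            blocked.append(host)
    return {"allowed": allowed, "would_block": blocked}


if __name__ == "__main__":
    result = audit(DNS_HOSTNAMES, APP_DOMAINS, EXEMPT)
    for host in result["would_block"]:
        print("would be blocked:", host)   # staging.example.com, jenkins.example.com
```

Anything in `would_block` needs either an Access application (Allow or Bypass policy) or a deliberate exemption before the setting goes live; a long list is usually the first concrete inventory of forgotten hostnames an account has had.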

## 2026-01-22

  
**New granular API token permissions for Cloudflare Access**   

Three new API token permissions are available for Cloudflare Access, giving you finer-grained control when building automations and integrations:

* **Access: Organizations Revoke** — Grants the ability to [revoke user sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#revoke-user-sessions) in a Zero Trust organization. Use this permission when you need a token that can terminate active sessions without broader write access to organization settings.
* **Access: Population Read** — Grants read access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that only need to read synced user and group data.
* **Access: Population Write** — Grants write access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that need to create or modify synced user and group data.

These permissions are scoped at the account level and can be combined with existing Access permissions.

For a full list of available permissions, refer to [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).

## 2026-01-08

  
**Cloudflare admin activity logs capture creation of DNS over HTTPS (DoH) users**   

Cloudflare [admin activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/) now capture each time a [DNS over HTTPS (DoH) user](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/) is created.

These logs can be viewed from the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com/), pulled via the [Cloudflare API](https://developers.cloudflare.com/api/), and exported through [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

## 2025-11-14

  
**Generate Cloudflare Access SSH certificate authority (CA) directly from the Cloudflare dashboard**   

SSH with [Cloudflare Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) allows you to use short-lived SSH certificates to eliminate SSH key management and reduce security risks associated with lost or stolen keys.

Previously, users had to generate this certificate by using the [Cloudflare API ↗](https://developers.cloudflare.com/api/) directly. With this update, you can now create and manage this certificate in the [Cloudflare One dashboard ↗](https://one.dash.cloudflare.com) from the **Access controls** > **Service credentials** page.

![Navigate to Access controls and then Service credentials to see where you can generate an SSH CA](https://developers.cloudflare.com/_astro/SSH-CA-generation.DYa9RnX1_ZKuDAo.webp) 

For more details, refer to [Generate a Cloudflare SSH CA](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#generate-a-cloudflare-ssh-ca).

## 2025-10-28

  
**Access private hostname applications support all ports/protocols**   

[Cloudflare Access for private hostname applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) can now secure traffic on all ports and protocols.

Previously, applying Zero Trust policies to private applications required the application to use HTTPS on port `443` and support Server Name Indicator (SNI).

This update removes that limitation. As long as the application is reachable via a Cloudflare off-ramp, you can now enforce your critical security controls — like single sign-on (SSO), MFA, device posture, and variable session lengths — to any private application. This allows you to extend Zero Trust security to services like SSH, RDP, internal databases, and other non-HTTPS applications.

![Example private application on non-443 port](https://developers.cloudflare.com/_astro/internal_private_app_any_port.DNXnEy0u_2rybRJ.webp) 

For example, you can now create a self-hosted application in Access for `ssh.testapp.local` running on port `22`. You can then build a policy that only allows engineers in your organization to connect after they pass an SSO/MFA check and are using a corporate device.

This feature is generally available across all plans.

## 2025-10-02

  
**Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta**   

Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

#### What's New

* **[Access Applications ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications.
* **[Identity Providers ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/)**: Grant admin permissions to individual Identity Providers.
* **[Targets ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets.

![Updated Permissions Policy UX](https://developers.cloudflare.com/_astro/2025-10-01-fine-grained-permissioning-ux.BWVmQsVF_Z1p4MJh.webp) 

Note

During the public beta, members must also be assigned an account-scoped, read-only role to view resources in the dashboard. This restriction will be lifted in a future release. Supported combinations:

* **Account Read Only** plus a fine-grained permission for a specific App, IdP, or Target
* **Cloudflare Zero Trust Read Only** plus fine-grained permission for a specific App, IdP, or Target

For more info:

* [Get started with Cloudflare Permissioning](https://developers.cloudflare.com/fundamentals/manage-members/roles/)
* [Manage Member Permissioning via the UI & API](https://developers.cloudflare.com/fundamentals/manage-members/manage)

## 2025-09-22

  
**Access Remote Desktop Protocol (RDP) destinations securely from your browser — now generally available!**   

[Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.

Since we announced our [open beta](https://developers.cloudflare.com/changelog/access/#2025-06-30), we've made a few improvements:

* Support for targets with IPv6.
* Support for [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) as on-ramps.
* More robust error messaging on the login page to help you if you encounter an issue.
* Worldwide keyboard support. Whether your day-to-day is in Portuguese, Chinese, or something in between, your browser-based RDP experience will look and feel exactly like you are using a desktop RDP client.
* Cleaned up some other miscellaneous issues, including but not limited to enhanced support for Entra ID accounts and support for usernames with spaces, quotes, and special characters.

As a refresher, here are some benefits browser-based RDP provides:

* **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
* **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
* **Eliminate the need to install and manage software on user devices**. You will only need a web browser.
* **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.

![Example of a browser-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp) 

To get started, refer to [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/).

## 2025-08-26

  
**Manage and restrict access to internal MCP servers with Cloudflare Access**   

You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).

[Self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.

For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog.

## 2025-08-26

  
**MCP server portals**   
![MCP server portal](https://developers.cloudflare.com/_astro/mcp-server-portal.BOKqTCoI_ZXYCcF.webp) 

An [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:

* **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
* **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
* **Observability**: Once the user's AI agent is connected to the portal, Cloudflare Access logs the individual requests made using the tools in the portal.

This is available in an open beta for all customers across all plans! For more information check out our [blog ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) for this release.

## 2025-08-15

  
**SFTP support for SSH with Cloudflare Access for Infrastructure**   

[SSH with Cloudflare Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) now supports SFTP. It is compatible with SFTP clients, such as Cyberduck.

## 2025-08-14

  
**Cloudflare Access Logging supports the Customer Metadata Boundary (CMB)**   

Cloudflare Access logs now support the [Customer Metadata Boundary (CMB)](https://developers.cloudflare.com/data-localization/metadata-boundary/). If you have configured the CMB for your account, all Access logging will respect that configuration.

Note

For EU CMB customers, the logs will not be stored by Access and will appear as empty in the dashboard. EU CMB customers should utilize [Logpush](https://developers.cloudflare.com/logs/logpush/) to retain their Access logging, if desired.

## 2025-07-01

  
**Access RDP securely from your browser — now in open beta**   

[Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.

With browser-based RDP, you can:

* **Control how users authenticate to internal RDP resources** with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
* **Record who is accessing which servers and when** to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
* **Eliminate the need to install and manage software on user devices**. You will only need a web browser.
* **Reduce your attack surface** by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.

![Example of a browser-based RDP Access application](https://developers.cloudflare.com/_astro/browser-based-rdp-access-app.BNXce1JL_1TDoUX.webp) 

To get started, see [Connect to RDP in a browser](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/).

## 2025-06-05

  
**Cloudflare One Analytics Dashboards and Exportable Access Report**   

Cloudflare One now offers powerful new analytics dashboards to help customers easily discover available insights into their application access and network activity. These dashboards provide a centralized, intuitive view for understanding user behavior, application usage, and security posture.

![Cloudflare One Analytics Dashboards](~/assets/images/changelog/cloudflare-one/Analytics Dashboards.png)

Additionally, a new exportable access report is available, allowing customers to quickly view high-level metrics and trends in their application access. A **preview** of the report is shown below, with more to be found in the report:

![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/access-report.C744W7JR_2uzMcN.webp) 

Both features are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control.

## 2025-05-16

  
**New Access Analytics in the Cloudflare One Dashboard**   

A new Access Analytics dashboard is now available to all Cloudflare One customers. Customers can apply and combine multiple filters to dive into specific slices of their Access metrics. These filters include:

* Logins granted and denied
* Access events by type (SSO, Login, Logout)
* Application name (Salesforce, Jira, Slack, etc.)
* Identity provider (Okta, Google, Microsoft, onetimepin, etc.)
* Users (`chris@cloudflare.com`, `sally@cloudflare.com`, `rachel@cloudflare.com`, etc.)
* Countries (US, CA, UK, FR, BR, CN, etc.)
* Source IP address
* App type (self-hosted, Infrastructure, RDP, etc.)

![Access Analytics](https://developers.cloudflare.com/_astro/accessanalytics.DYXgwZCl_Z2PPi7.webp) 

To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Analytics in the side navigation bar.

## 2025-04-21

  
**Access bulk policy tester**   

The [Access bulk policy tester](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable).

![Example policy tester](https://developers.cloudflare.com/_astro/example-policy-tester.DCY8hQvx_2nxAfs.webp) 

## 2025-04-09

  
**Cloudflare Zero Trust SCIM User and Group Provisioning Logs**   

[Cloudflare Zero Trust SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim) now has a full audit log of all create, update, and delete events from any SCIM-enabled IdP. The [SCIM logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/) support filtering by IdP, event type, result, and many more fields. This will help with debugging user and group update issues and questions.

SCIM logs can be found on the Zero Trust Dashboard under **Logs** > **SCIM provisioning**.

![Example SCIM Logs](https://developers.cloudflare.com/_astro/example-scim-log.Bv5Zqckh_BY26C.webp) 

## 2025-03-03

  
**New SAML and OIDC Fields and SAML transforms for Access for SaaS**   

[Access for SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.

**SAML and OIDC Field Additions**

OIDC apps now include:

* Group Filtering via RegEx
* OIDC Claim mapping from an IdP
* OIDC token lifetime control
* Advanced OIDC auth flows including hybrid and implicit flows

![OIDC field additions](https://developers.cloudflare.com/_astro/oidc-claims.2di8l9Lv_ZrD1mx.webp) 

SAML apps now include improved SAML attribute mapping from an IdP.

![SAML field additions](https://developers.cloudflare.com/_astro/saml-attribute-statements.CW45j5Qi_1ydeSQ.webp) 

**SAML transformations**

SAML identities sent to Access applications can be fully customized using JSONata expressions. This allows admins to configure the precise identity SAML statement sent to a SaaS application.

![Configured SAML statement sent to application](https://developers.cloudflare.com/_astro/transformation-box.DyKn-DdN_2rtirg.webp) 

## 2025-01-15

  
**Export SSH command logs with Access for Infrastructure using Logpush**   

Availability

Only available on Enterprise plans.

Cloudflare now allows you to send SSH command logs to storage destinations configured in [Logpush](https://developers.cloudflare.com/logs/logpush/), including third-party destinations. Once exported, analyze and audit the data as best fits your organization! For a list of available data fields, refer to the [SSH logs dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/).

To set up a Logpush job, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

## 2024-10-01

  
**Eliminate long-lived credentials and enhance SSH security with Cloudflare Access for Infrastructure**   

Organizations can now eliminate long-lived credentials from their SSH setup and enable strong multi-factor authentication for SSH access, similar to other Access applications, all while generating access and command logs.

SSH with [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: [WARP-to-Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client/).

SSH with Access for Infrastructure enables you to:

* **Author fine-grained policy** to control who may access your SSH servers, including specific ports, protocols, and SSH users.
* **Monitor infrastructure access** with Access and SSH command logs, supporting regulatory compliance and providing visibility in case of security breach.
* **Preserve your end users' workflows.** SSH with Access for Infrastructure supports native SSH clients and does not require any modifications to users' SSH configs.

![Example of an infrastructure Access application](https://developers.cloudflare.com/_astro/infrastructure-app.BhpJOgxs_Z1M0wLH.webp) 

To get started, refer to [SSH with Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).

## 2025-02-12

**Access policies support filtering**

You can now filter Access policies by their action, selectors, rule groups, and assigned applications.

## 2025-02-11

**Private self-hosted applications and reusable policies GA**

[Private self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) and [reusable Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) are now generally available (GA) for all customers.

## 2025-01-21

**Access Applications support private hostnames/IPs and reusable Access policies.**

Cloudflare Access self-hosted applications can now be defined by [private IPs](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/), [private hostnames](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) (on port 443) and [public hostnames](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). Additionally, we made Access policies into their own object which can be reused across multiple applications. These updates involved significant updates to the overall Access dashboard experience. The updates will be slowly rolled out to different customer cohorts. If you are an Enterprise customer and would like early access, reach out to your account team.

## 2025-01-15

**Logpush for SSH command logs**

Enterprise customers can now use Logpush to export SSH command logs for Access for Infrastructure targets.

## 2024-12-04

**SCIM GA for Okta and Microsoft Entra ID**

Cloudflare's SCIM integrations with [Okta](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/#synchronize-users-and-groups) and [Microsoft Entra ID](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#synchronize-users-and-groups) (formerly AzureAD) are now out of beta and generally available (GA) for all customers. These integrations can be used for Access and Gateway policies and Zero Trust user management. Note: This GA release does not include [Dashboard SSO SCIM](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/) support.

## 2024-10-23

**SSH with Access for Infrastructure**

Admins can now use [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) to manage privileged access to SSH servers. Access for Infrastructure provides improved control and visibility over who accessed what service and what they did during their SSH session. Access for Infrastructure also eliminates the risk and overhead associated with managing SSH keys by using short-lived SSH certificates to access SSH servers.

## 2024-08-26

**Reduce automatic seat deprovisioning minimum to 1 month, down from 2 months.**

Admins can now configure Zero Trust seats to [automatically expire](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#enable-seat-expiration) after 1 month of user inactivity. The previous minimum was 2 months.

## 2024-06-06

**Scalability improvements to the App Launcher**

Applications now load more quickly for customers with a large number of applications or complex policies.

## 2024-04-28

**Add option to bypass CORS to origin server**

Access admins can [defer all CORS enforcement to their origin server](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/#bypass-options-requests-to-origin) for specific Access applications.

## 2024-04-15

**Zero Trust User identity audit logs**

All user identity changes via SCIM or Authentication events are logged against a user's registry identity.

## 2024-02-22

**Access for SaaS OIDC Support**

Access for SaaS applications can be set up with OIDC as an authentication method. OIDC and SAML 2.0 are now both fully supported.

## 2024-02-22

**WARP as an identity source for Access**

Allow users to log in to Access applications with their WARP session identity. Users need to reauthenticate based on default session durations. WARP authentication identity must be turned on in your device enrollment permissions and can be enabled on a per application basis.

## 2023-12-20

**Unique Entity IDs in Access for SaaS**

All new Access for SaaS applications have unique Entity IDs. This allows for multiple integrations with the same SaaS provider if required. The unique Entity ID has the application audience tag appended. Existing apps are unchanged.

## 2023-12-15

**Default relay state support in Access for SaaS**

Allows Access admins to set a default relay state on Access for SaaS apps.

## 2023-09-15

**App launcher supports tags and filters**

Access admins can now tag applications and allow users to filter by those tags in the App Launcher.

## 2023-09-15

**App launcher customization**

Allow Access admins to configure the App Launcher page within Zero Trust.

## 2023-09-15

**View active Access user identities in the dashboard and API**

Access admins can now view the full contents of a user's identity and device information for all active application sessions.

## 2023-09-08

**Custom OIDC claims for named IdPs**

Access admins can now add custom claims to the existing named IdP providers. Previously this was locked to the generic OIDC provider.

## 2023-08-02

**Azure AD authentication contexts**

Support Azure AD authentication contexts directly in Access policies.

## 2023-06-23

**Custom block pages for Access applications**

Allow Access admins to customize the block pages presented by Access to end users.


---

---
title: Browser Isolation
description: Review recent changes to Cloudflare Browser Isolation.
image: https://developers.cloudflare.com/zt-preview.png
---


# Browser Isolation


## 2026-04-10

  
**Canvas Remoting optimizes performance for productivity applications**   

Remote Browser Isolation now supports **Canvas Remoting**, improving performance for HTML5 Canvas applications by sending vector draw commands instead of rasterized bitmaps.

#### Key improvements

* **10x bandwidth reduction:** Microsoft Word and other Office apps use 90% less bandwidth
* **Smooth performance:** Google Sheets maintains consistent 30fps rendering
* **Responsive terminals:** Web-based development environments and AI notebooks work in real-time
* **Zero configuration:** Enabled by default for all Browser Isolation customers

#### How it works

Instead of sending rasterized bitmaps for every Canvas update, Browser Isolation now:

1. Captures Canvas draw commands at the source
2. Converts them to lightweight vector instructions
3. Renders Canvas content on the client

This reduces bandwidth from hundreds of kilobytes per second to tens of kilobytes per second.

#### Managing Canvas Remoting

To temporarily disable for troubleshooting:

* Right-click the isolated webpage background
* Select **Disable Canvas Remoting**
* Re-enable the same way by selecting **Enable Canvas Remoting**

#### Limitations

Currently supports 2D Canvas contexts only. WebGL and 3D graphics applications continue using bitmap rendering. For more information, refer to [Canvas Remoting](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/canvas-remoting/).

## 2025-05-13

  
**SAML HTTP-POST bindings support for RBI**   

Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused `405` errors during login and improves compatibility with multi-factor authentication (MFA) flows.

With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/).

## 2025-05-01

  
**Browser Isolation Overview page for Zero Trust**   

A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) deployments, providing:

* **Streamlined Onboarding:** Easily set up and manage isolation policies from one location.
* **Quick Testing:** Validate [clientless web application isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) with ease.
* **Simplified Configuration:** Configure [isolated access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/) and policies efficiently.
* **Centralized Monitoring:** Track aggregate usage and blocked actions.

This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively.

![Browser Isolation Overview](https://developers.cloudflare.com/_astro/browser-isolation-overview.Ljd5ax_O_Z1SURww.webp) 

To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Browser Isolation in the side navigation bar.

## 2025-03-04

  
**Gain visibility into user actions in Zero Trust Browser Isolation sessions**   

We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) through [Logpush](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today!

With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session.

```json
{
  "AccountID": "$ACCOUNT_ID",
  "Decision": "block",
  "DomainName": "www.example.com",
  "Timestamp": "2025-02-27T23:15:06Z",
  "Type": "copy",
  "UserID": "$USER_ID"
}
```

User Actions available:

* **Copy & Paste**
* **Downloads & Uploads**
* **Printing**

Learn more about how to get started with Logpush in our [documentation](https://developers.cloudflare.com/logs/logpush/).
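As an added example (not Cloudflare's code), the following parses an export of these user-action records, counts blocked actions per user and per site, and flags users who trip repeated blocks within a short window, which is the pattern worth alerting on. It assumes the export is newline-delimited JSON; the `paste`, `download` and `print` Type values, the `allow` Decision value and all identifiers in the constructed sample are assumptions, not values quoted from the page.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Field names are those of the RBI user-action record shown above.
REQUIRED_FIELDS = ("AccountID", "Decision", "DomainName", "Timestamp", "Type", "UserID")

# Constructed sample export, one record per line (NDJSON is an assumption here).
# Account and user identifiers are placeholders; the last two lines are
# deliberately malformed (truncated JSON, missing fields) to exercise rejection.
SAMPLE_NDJSON = """\
{"AccountID": "acct-constructed", "Decision": "block", "DomainName": "www.example.com", "Timestamp": "2025-02-27T23:15:06Z", "Type": "copy", "UserID": "user-a"}
{"AccountID": "acct-constructed", "Decision": "block", "DomainName": "www.example.com", "Timestamp": "2025-02-27T23:16:40Z", "Type": "copy", "UserID": "user-a"}
{"AccountID": "acct-constructed", "Decision": "allow", "DomainName": "intranet.example.com", "Timestamp": "2025-02-27T23:17:00Z", "Type": "paste", "UserID": "user-a"}
{"AccountID": "acct-constructed", "Decision": "block", "DomainName": "www.example.com", "Timestamp": "2025-02-27T23:19:30Z", "Type": "download", "UserID": "user-a"}
{"AccountID": "acct-constructed", "Decision": "block", "DomainName": "files.example.net", "Timestamp": "2025-02-27T23:40:00Z", "Type": "download", "UserID": "user-b"}
{"AccountID": "acct-constructed", "Decision": "allow", "DomainName": "intranet.example.com", "Timestamp": "2025-02-28T00:01:00Z", "Type": "print", "UserID": "user-b"}
{"AccountID": "acct-constructed", "Decision": "block", "DomainName": "www.example.com"
{"Decision": "block", "Type": "upload"}
"""


def parse_ts(value: str) -> datetime:
    """Parse the record's UTC timestamp in the "...Z" form shown above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_rbi_logs(ndjson: str):
    """Return (well-formed records, number of rejected lines).

    A line is rejected if it is not valid JSON, lacks a required field, or has
    an unparseable timestamp. Rejections are counted instead of silently
    dropped so a broken export does not look like a quiet day.
    """
    records, rejected = [], 0
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if not all(key in rec for key in REQUIRED_FIELDS):
                raise ValueError("missing required field")
            rec["_ts"] = parse_ts(rec["Timestamp"])
        except (ValueError, TypeError):
            rejected += 1
            continue
        records.append(rec)
    return records, rejected


def blocked_by_user(records):
    """Count blocked actions per user, broken down by action Type."""
    counts = defaultdict(Counter)
    for rec in records:
        if rec["Decision"] == "block":
            counts[rec["UserID"]][rec["Type"]] += 1
    return counts


def blocked_domains(records) -> Counter:
    """Count which destination sites triggered the blocks."""
    return Counter(r["DomainName"] for r in records if r["Decision"] == "block")


def burst_users(records, threshold: int = 3, window_seconds: int = 600) -> set:
    """Users with at least `threshold` blocked actions inside any window of
    `window_seconds`. Repeated blocked attempts in a short span are a stronger
    signal than a single block, so this is the condition to alert on."""
    times_by_user = defaultdict(list)
    for rec in records:
        if rec["Decision"] == "block":
            times_by_user[rec["UserID"]].append(rec["_ts"])
    flagged = set()
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end, current in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while (current - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    recs, bad = parse_rbi_logs(SAMPLE_NDJSON)
    print(f"parsed {len(recs)} records, rejected {bad} lines")
    print("blocked per user:", {u: dict(c) for u, c in blocked_by_user(recs).items()})
    print("blocked per site:", dict(blocked_domains(recs)))
    print("burst users:", burst_users(recs))
```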

## 2024-11-21

  
**Improved non-English keyboard support**   

You can now type in languages that use diacritics (like á or ç) and character-based scripts (such as Chinese, Japanese, and Korean) directly within the remote browser. The isolated browser now properly recognizes non-English keyboard input, eliminating the need to copy and paste content from a local browser or device.

## 2024-03-21

**Removed third-party cookie dependencies**

Removed dependency on third-party cookies in the isolated browser, fixing an issue that previously caused intermittent disruptions for users maintaining multi-site, cross-tab sessions in the isolated browser.


---

---
title: CASB
description: Review recent changes to Cloudflare CASB.
image: https://developers.cloudflare.com/zt-preview.png
---


# CASB


## 2026-04-09

  
**Send CASB posture finding instances with webhooks**   

You can now use **CASB webhooks** in Cloudflare One to send posture finding instances to external systems such as chat platforms, ticketing systems, SIEMs, SOAR tools, and custom automation services.

This gives security teams a simple way to route CASB posture findings into the tools and workflows they already use for triage and response.

To get started, go to **Integrations** \> **Webhooks** in the Cloudflare One dashboard to create a webhook destination. After you configure a webhook, open a posture finding instance and select **Send webhook** to send it.

#### Key capabilities

* **Flexible authentication** — Configure destinations using **None**, **Basic Auth**, **Bearer Auth**, **Static Headers**, or **HMAC-Signing**.
* **Built-in testing** — Use **Test delivery** to send a test request before sending a live finding instance.
* **Posture finding workflows** — Send posture finding instances directly from the finding details workflow in **Cloud & SaaS findings**.
* **HTTPS destinations** — Configure webhook destinations with public `https://` URLs.
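Whichever destination authentication you choose, the receiving system has to verify it before it acts on a finding, otherwise anyone who learns the webhook URL can inject fake findings into your ticketing or SOAR pipeline. The following receiver-side check is an added example written for this page, not code from Cloudflare or from the webhook documentation. It validates an HMAC-signed delivery over the raw body with a constant-time comparison and a freshness window, shows the Bearer Auth variant, and only then parses the body and routes the finding by severity. The header names (`x-webhook-signature`, `x-webhook-timestamp`), the `<timestamp>.<body>` signing string, hex encoding, and the payload field names are assumptions; take the real signing scheme and payload schema from the CASB webhooks documentation.

```python
"""Receiver-side validation of a CASB posture-finding webhook delivery (added example, not Cloudflare code)."""
import hashlib
import hmac
import json
import time

# ASSUMPTIONS (not from the page): header names, the "<timestamp>.<body>" signing string and
# hex encoding are illustrative; use the scheme documented for your Cloudflare webhook destination.
SIGNATURE_HEADER = "x-webhook-signature"
TIMESTAMP_HEADER = "x-webhook-timestamp"
MAX_SKEW_SECONDS = 300  # reject replayed or very late deliveries


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body bytes>', hex encoded."""
    mac = hmac.new(secret, timestamp.encode("ascii") + b"." + body, hashlib.sha256)
    return mac.hexdigest()


def verify_hmac_delivery(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """True only if the signature matches the raw body and the timestamp is fresh."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ts = lowered.get(TIMESTAMP_HEADER, "")
    sig = lowered.get(SIGNATURE_HEADER, "")
    if not (ts.isascii() and ts.isdigit()) or not sig or not sig.isascii():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = compute_signature(secret, ts, body)
    # constant-time comparison: never compare MACs with ==
    return hmac.compare_digest(expected, sig.lower())


def verify_bearer(expected_token: str, headers: dict) -> bool:
    """Bearer Auth variant: constant-time check of the Authorization header."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    return scheme == "Bearer" and token.isascii() and hmac.compare_digest(token, expected_token)


def route_finding(body: bytes) -> str:
    """Pick a downstream queue for a verified finding instance. Field names are assumed."""
    finding = json.loads(body)
    severity = str(finding.get("severity", "")).lower()
    return "ticket" if severity in ("critical", "high") else "log"


def handle_delivery(secret: bytes, headers: dict, body: bytes, now=None) -> str:
    """Full receiver path: verify first, parse the body only after verification."""
    if not verify_hmac_delivery(secret, headers, body, now=now):
        return "rejected"
    return route_finding(body)


# Constructed sample delivery; the payload shape is made up for this example.
SECRET = b"replace-with-the-destination-signing-secret"
SAMPLE_TS = "1700000000"
SAMPLE_BODY = json.dumps({
    "finding": "Publicly shared file containing sensitive data",
    "integration": "Google Workspace",
    "severity": "High",
    "instance_id": "example-instance-1",
}, separators=(",", ":")).encode()
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    TIMESTAMP_HEADER: SAMPLE_TS,
    SIGNATURE_HEADER: compute_signature(SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    now = int(SAMPLE_TS)
    print(handle_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now))          # ticket
    print(handle_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b" ", now))   # rejected: body altered
    print(handle_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now + 3600))   # rejected: stale
```

Two details matter in practice: sign and verify the exact raw bytes the sender transmitted (re-serialising the JSON changes whitespace and key order and breaks the MAC), and keep the **Test delivery** button in mind when you deploy the receiver, since a test request will go through the same verification path and should be rejected if the secret on either side is wrong.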

#### Learn more

* Configure [CASB webhooks](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/) in Cloudflare.
* Learn how to [manage findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/) in Cloudflare.

CASB webhooks are now available in Cloudflare One.

## 2026-02-20

**Understand CASB findings instantly with Cloudy Summaries**

You can now easily understand your SaaS security posture findings and why they were detected with **Cloudy Summaries in CASB**. This feature integrates Cloudflare's Cloudy AI directly into your CASB Posture Findings to automatically generate clear, plain-language summaries of complex security misconfigurations, third-party app risks, and data exposures.

This allows security teams and IT administrators to drastically reduce triage time by immediately understanding the context, potential impact, and necessary remediation steps for any given finding—without needing to be an expert in every connected SaaS application.

To view a summary, go to **Cloud and SaaS findings** in the Cloudflare One dashboard and open the finding details for a specific finding instance.

Cloudy Summaries are supported on all available integrations, including Microsoft 365, Google Workspace, Salesforce, GitHub, AWS, Slack, and Dropbox. See the full list of supported integrations [here](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/).

#### Key capabilities

* **Contextual explanations** — Quickly understand the specifics of a finding with plain-language summaries detailing exactly what was detected, from publicly shared sensitive files to risky third-party app scopes.
* **Clear risk assessment** — Instantly grasp the potential security impact of the finding, such as data breach risks, unauthorized account access, or email spoofing vulnerabilities.
* **Actionable guidance** — Get clear recommendations and next steps on how to effectively remediate the issue and secure your environment.
* **Built-in feedback** — Help improve future AI summarization accuracy by submitting feedback directly using the thumbs-up and thumbs-down buttons.

#### Learn more

* Learn more about managing [CASB Posture Findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/) in Cloudflare.

Cloudy Summaries in CASB are available to all Cloudflare CASB users today.

## 2025-11-14

**New SaaS Security weekly digests with API CASB**

You can now stay on top of your SaaS security posture with the new **CASB Weekly Digest** notification. This opt-in email digest is delivered to your inbox every Monday morning and provides a high-level summary of your organization's Cloudflare API CASB findings from the previous week.

This allows security teams and IT administrators to get proactive, at-a-glance visibility into new risks and integration health without having to log in to the dashboard.

To opt in, navigate to **Manage Account** \> **Notifications** in the Cloudflare dashboard to configure the **CASB Weekly Digest** alert type.

#### Key capabilities

* **At-a-glance summary** — Review new high/critical findings, most frequent finding types, and new content exposures from the past 7 days.
* **Integration health** — Instantly see the status of all your connected SaaS integrations (Healthy, Unhealthy, or Paused) to spot API connection issues.
* **Proactive alerting** — The digest is sent automatically to all subscribed users every Monday morning.
* **Easy to configure** — Users can opt in by enabling the notification in the Cloudflare dashboard under **Manage Account** \> **Notifications**.

#### Learn more

* Configure [notification preferences](https://developers.cloudflare.com/notifications/) in Cloudflare.

The CASB Weekly Digest notification is available to all Cloudflare users today.

## 2025-10-28

**CASB introduces new granular roles**

Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams:

* **Cloudflare CASB Read:** Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights.
* **Cloudflare CASB:** Provides full administrative access to configure and manage all aspects of the CASB product.

These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the **Super Administrator** or **Administrator** roles.

To enable [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) scans in CASB, account members also need the **Cloudflare Zero Trust** role.

You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under **Manage Account** \> **Members**.

To learn more about managing roles and permissions, refer to the [Manage account members and roles documentation](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

## 2025-08-26

**New CASB integrations for ChatGPT, Claude, and Gemini**

[Cloudflare CASB ↗](https://www.cloudflare.com/zero-trust/products/casb/) now supports three of the most widely used GenAI platforms — **OpenAI ChatGPT**, **Anthropic Claude**, and **Google Gemini**. These API-based integrations give security teams agentless visibility into posture, data, and compliance risks across their organization’s use of generative AI.

![Cloudflare CASB showing selection of new findings for ChatGPT, Claude, and Gemini integrations.](https://developers.cloudflare.com/_astro/casb-ai-integrations-preview.B-zsSA1P_Z1wlfJX.webp) 

#### Key capabilities

* **Agentless connections** — connect ChatGPT, Claude, and Gemini tenants via API; no endpoint software required
* **Posture management** — detect insecure settings and misconfigurations that could lead to data exposure
* **DLP detection** — identify sensitive data in uploaded chat attachments or files
* **GenAI-specific insights** — surface risks unique to each provider’s capabilities

#### Learn more

* [ChatGPT integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/)
* [Claude integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/)
* [Gemini integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gemini/)

These integrations are available to all Cloudflare One customers today.

## 2025-06-23

**Data Security Analytics in the Zero Trust dashboard**

Zero Trust now includes **Data security analytics**, giving you visibility into where your organization's sensitive data is stored and how it moves.

The new dashboard includes:

* **Sensitive data movement over time:** see patterns and trends in how sensitive data moves across your environment, where it flows, and which paths are most common.
* **Sensitive data at rest in SaaS and cloud:** view an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3).
* **DLP policy activity:** identify which Data Loss Prevention (DLP) policies are triggered most often and which users are triggering them.

![Data Security Analytics](https://developers.cloudflare.com/_astro/cf1-data-security-analytics-v1.BGl6fYXl_H3N0P.webp) 

To access the new dashboard, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** on the sidebar.

## 2024-11-22

**Find security misconfigurations in your AWS cloud environment**

You can now use CASB to find security misconfigurations in your AWS cloud environment using [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/).

You can also [connect your AWS compute account](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/#compute-account) to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration.

To connect a compute account to your AWS integration:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Integrations**.
2. Find and select your AWS integration.
3. Select **Open connection instructions**.
4. Follow the instructions provided to connect a new compute account.
5. Select **Refresh**.

## 2024-06-03

**Atlassian Bitbucket integration**

You can now scan your Bitbucket Cloud workspaces for a variety of contextualized security issues such as source code exposure, admin misconfigurations, and more.

## 2024-05-23

**Data-at-rest DLP for Box and Dropbox**

You can now scan your [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/#data-loss-prevention-optional) and [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/#data-loss-prevention-optional) files for DLP matches.

## 2024-04-16

**Export CASB findings to CSV**

You can now export all top-level CASB findings or every instance of your findings to CSV.

---

---
title: Cloudflare Network Firewall
description: Track updates and changes to Cloudflare One features.
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloudflare Network Firewall

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-network-firewall.xml) 

## 2026-04-21

**Country rules supported in Unified Routing**

[Cloudflare Advanced Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/) Country rules are now supported for accounts using [Unified Routing](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta) mode. This feature requires a Cloudflare Advanced Network Firewall subscription.

You can create firewall rules that match traffic based on source or destination country to enforce geographic access policies across your network.

This is the first of the Cloudflare Advanced Network Firewall features to become available in Unified Routing. Support for additional features - IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, and Managed Rulesets - is planned.

For the full list of current beta limitations, refer to [Traffic steering beta limitations](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#beta-limitations).

## 2026-02-17

**Cloudflare One Product Name Updates**

We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.

We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare.

#### What's changing

* **Magic WAN** → **Cloudflare WAN**
* **Magic WAN IPsec** → **Cloudflare IPsec**
* **Magic WAN GRE** → **Cloudflare GRE**
* **Magic WAN Connector** → **Cloudflare One Appliance**
* **Magic Firewall** → **Cloudflare Network Firewall**
* **Magic Network Monitoring** → **Network Flow**
* **Magic Cloud Networking** → **Cloudflare One Multi-cloud Networking**

**No action is required by you** — all functionality, existing configurations, and billing will remain exactly the same.

For more information, visit the [Cloudflare One documentation](https://developers.cloudflare.com/cloudflare-one/).

## 2026-01-15

**Network Services navigation update**

The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together.

Your existing configurations will remain the same, and you will have access to all of the same features and functionality.

The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to [Magic Transit ↗](https://developers.cloudflare.com/magic-transit/), [Magic WAN ↗](https://developers.cloudflare.com/magic-wan/), and [Magic Firewall ↗](https://developers.cloudflare.com/cloudflare-network-firewall/).

**Summary of changes:**

* A new **Overview** page provides access to the most common tasks across Magic Transit and Magic WAN.
* Product names have been removed from top-level navigation.
* Magic Transit and Magic WAN configuration is now organized under **Routes** and **Connectors**. For example, you will find IP Prefixes under **Routes**, and your GRE/IPsec Tunnels under **Connectors.**
* Magic Firewall policies are now called **Firewall Policies.**
* Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as **Appliances** and **Appliance profiles.** They can be found under **Connectors > Appliances.**
* Network analytics, network health, and real-time analytics are now available under **Insights.**
* Packet Captures are found under **Insights > Diagnostics.**
* You can manage your Sites from **Insights > Network health.**
* You can find Magic Network Monitoring under **Insights > Network flow**.

If you would like to provide feedback, complete [this form ↗](https://forms.gle/htWyjRsTjw1usdis5). You can also find these details in the January 7, 2026 email titled **\[FYI\] Upcoming Network Services Dashboard Navigation Update**.

![Networking Navigation](https://developers.cloudflare.com/_astro/networking-overview-and-navigation.CeMgEFaZ_Z20HKl.webp) 

## 2025-03-13

**Cloudflare IP Ranges List**

Magic Firewall now supports a new managed list of Cloudflare IP ranges. This list is available as an option when creating a Magic Firewall policy based on IP source/destination addresses. When selecting "is in list" or "is not in list", the option "**Cloudflare IP Ranges**" will appear in the dropdown menu.

This list is based on the IPs listed in the Cloudflare [IP ranges ↗](https://www.cloudflare.com/en-gb/ips/). Updates to this managed list are applied automatically.

![Cloudflare IPs Managed List](https://developers.cloudflare.com/_astro/cloudflare-ips.DetyOndL_10JG5B.webp) 

Note: IP Lists require a Cloudflare Advanced Network Firewall subscription. For more details about Cloudflare Network Firewall plans, refer to [Plans](https://developers.cloudflare.com/cloudflare-network-firewall/plans).

## 2024-10-02

**Search for custom rules using rule name and/or ID**

The Magic Firewall dashboard now allows you to search custom rules using the rule name and/or ID.

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and select your account.
2. Go to **Analytics & Logs** \> **Network Analytics**.
3. Select **Magic Firewall**.
4. Add a filter for **Rule ID**.

![Search for firewall rules with rule IDs](https://developers.cloudflare.com/_astro/search-with-rule-id.DJgzqgKk_2jJ9x8.webp) 

Additionally, the rule ID URL link has been added to Network Analytics.

## 2024-09-12

**New UI improvements**

The dashboard now displays the order number of custom rules, and improved drag and drop functionality. You can also preview rules on a side panel without leaving the current page.

## 2024-08-16

**Cloudflare Network Firewall Analytics Rule Log Enhancement**

Customers who create a rule in a disabled mode will see the rule as **Log (rule disabled)**.
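The **Cloudflare IP Ranges** managed list (2025-03-13 entry), rule ordering (2024-09-12 entry) and the **Log (rule disabled)** state above combine into one common pattern: an origin lockdown policy that admits only traffic arriving through Cloudflare to your origin ports and blocks direct-to-origin traffic, with a staged rule left disabled so it only logs. The following model of that evaluation is an added example, not Cloudflare code, written in Python with the standard `ipaddress` module. It uses a frozen subset of the published Cloudflare IP ranges in place of the auto-updating managed list, a constructed policy, and constructed packets. First-match-wins ordering and an allow default for unmatched traffic are assumptions of the model; confirm both against the Network Firewall documentation before relying on them.

```python
"""Model of ordered Cloudflare Network Firewall rule evaluation (added example, not Cloudflare code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Frozen subset of the published Cloudflare IP ranges (https://www.cloudflare.com/ips/).
# The managed list in the dashboard updates automatically; this snapshot is for illustration only.
CLOUDFLARE_IP_RANGES = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "2400:cb00::/32",
)]


def in_list(addr: str, prefixes) -> bool:
    """'is in list' check: True if addr falls inside any prefix of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes if net.version == ip.version)


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "block"
    enabled: bool = True                     # a disabled rule only logs
    src_in_list: Optional[list] = None       # ip.src "is in list"
    src_not_in_list: Optional[list] = None   # ip.src "is not in list"
    dst_port: Optional[int] = None           # match a single destination port

    def matches(self, pkt: Packet) -> bool:
        if self.src_in_list is not None and not in_list(pkt.src, self.src_in_list):
            return False
        if self.src_not_in_list is not None and in_list(pkt.src, self.src_not_in_list):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, Optional[str], List[str]]:
    """Walk the rules in dashboard order (assumed first-match-wins).

    A disabled rule that matches is recorded as 'Log (rule disabled)' and evaluation
    continues; the first enabled match decides. Returns (verdict, deciding rule, logged rules).
    """
    logged: List[str] = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if not rule.enabled:
            logged.append(rule.name)
            continue
        return rule.action, rule.name, logged
    return default, None, logged


# Constructed policy: only Cloudflare's ranges may reach the origin on 443,
# anything else to 443 is blocked, and a staged block-all rule is still disabled.
ORIGIN_LOCKDOWN = [
    Rule("allow-cloudflare-to-origin", "allow", src_in_list=CLOUDFLARE_IP_RANGES, dst_port=443),
    Rule("block-direct-to-origin", "block", src_not_in_list=CLOUDFLARE_IP_RANGES, dst_port=443),
    Rule("staged-block-all", "block", enabled=False),
]

if __name__ == "__main__":
    for pkt in (Packet("104.16.1.1", "203.0.113.10", 443),      # via Cloudflare: allow
                Packet("198.51.100.7", "203.0.113.10", 443),    # direct to origin: block
                Packet("198.51.100.7", "203.0.113.10", 22)):    # only the disabled rule hits: allow, logged
        print(pkt, evaluate(ORIGIN_LOCKDOWN, pkt))
```

Because the allow rule sits above the block rule, swapping their order would not change the verdict here, but placing a broad block above a narrow allow would silently cut off Cloudflare's own ranges; check the order number the dashboard shows before enabling a staged rule, and read the logged hits from Network Analytics first.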

---

---
title: Cloudflare One Client
description: Review recent changes to the Cloudflare One Client.
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloudflare One Client

Review recent changes to the Cloudflare One Client (formerly WARP).

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-one-client.xml) 

## 2026-04-07

**Cloudflare One Client for Windows (version 2026.3.851.0)**

A new GA release for the Windows Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

The next stable release for Windows will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

**Changes and improvements**

* Fixed a tunnel interface initialization failure on Windows that prevented the client from establishing a tunnel.
* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
* Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
* Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
* Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
* Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
* Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.
* Fixed an issue where degraded Windows Management Instrumentation (WMI) state could put the client in a failed connection state loop during initialization.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may cause performance issues such as mouse lag, audio crackling, or other slowdowns. Cloudflare recommends that affected users upgrade to [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) (released July 2025) or later. This warning will be omitted from future release notes.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
* DNS resolution may be broken when the following conditions are all true:
   * The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
   * A custom DNS server address is configured on the primary network adapter.
   * The custom DNS server address on the primary network adapter is changed while the client is connected.

  To work around this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface.

## 2026-04-02

**Cloudflare One Client for macOS (version 2026.3.846.0)**

A new GA release for the macOS Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

The next stable release for macOS will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

**Changes and improvements**

* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
* Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.

## 2026-04-02

**Cloudflare One Client for Linux (version 2026.3.846.0)**

A new GA release for the Linux Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

The next stable release for Linux will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

**Changes and improvements**

* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
* Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.

## 2026-03-10

**WARP client for macOS (version 2026.3.566.1)**

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the [Cloudflare Community forum](https://community.cloudflare.com/t/introducing-the-new-cloudflare-one-client-interface/901362) and let us know.

**Changes and improvements**

* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
* Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

**Known issues**

* The client may become stuck in a `Connecting` state. To resolve this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. Alternatively, change the client's operation mode.
* The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
* Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.

## 2026-03-10

**WARP client for Windows (version 2026.3.566.1)**

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the [Cloudflare Community forum](https://community.cloudflare.com/t/introducing-the-new-cloudflare-one-client-interface/901362) and let us know.

**Changes and improvements**

* Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
* Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
* Added monitoring for tunnel statistics collection timeouts.
* Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
* Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
* Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
* Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
* Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
* Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
* Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
* Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
* Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

**Known issues**

* The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client.
* An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
* The client may become stuck in a `Connecting` state. To resolve this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface. Alternatively, change the client's operation mode.
* The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
* Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.
* For Windows 11 24H2 users, Microsoft has confirmed a regression that may cause performance issues such as mouse lag, audio crackling, or other slowdowns. Cloudflare recommends that affected users upgrade to [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or later.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
* DNS resolution may be broken when the following conditions are all true:
   * The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
   * A custom DNS server address is configured on the primary network adapter.
   * The custom DNS server address on the primary network adapter is changed while the client is connected.

  To work around this issue, reconnect the client by selecting **Disconnect** and then **Connect** in the client user interface.

## 2026-02-24

**WARP client for Windows (version 2026.1.150.0)**

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features.

**Changes and improvements**

* Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where the Mobile Device Management (MDM) configuration association could be lost when switching from a pre-login registration to a user registration.
* Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/).
* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
* Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
* Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.
* Improved service shutdown behavior in cases where the daemon is unresponsive.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2026-02-24

  
**WARP client for macOS (version 2026.1.150.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
* Fixed an issue with DNS server configuration failures that caused tunnel connection delays.
* Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
* Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.

## 2026-02-24

  
**WARP client for Linux (version 2026.1.150.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com).

**Changes and improvements**

* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
* Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
* Fixed issues causing DNS requests to fail with clients in Traffic and DNS mode or DNS only mode.

## 2026-01-27

  
**WARP client for Windows (version 2026.1.89.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes, improvements, and new features.

**Changes and improvements**

* Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where the Mobile Device Management (MDM) configuration association could be lost when switching from a pre-login registration to a user registration.
* Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/).
* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2026-01-27

  
**WARP client for macOS (version 2026.1.89.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
* Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

## 2026-01-13

  
**WARP client for Windows (version 2025.10.186.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features. New features include the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/), and a new WARP client device posture check for [Antivirus](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/antivirus/).

**Changes and improvements**

* Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.
* Fixed an issue that caused occasional audio degradation and increased CPU usage on Windows by optimizing route configurations for large [domain-based split tunnel rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#domain-based-split-tunnels).
* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.
* Fixed an issue where sending large messages to the daemon over Inter-Process Communication (IPC) could cause the daemon to fail and result in service interruptions.
* Added support for a new WARP client device posture check for [Antivirus](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/antivirus/). The check confirms the presence of an antivirus program on a Windows device with the option to check if the antivirus is up to date.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2026-01-13

  
**WARP client for macOS (version 2025.10.186.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/).

**Changes and improvements**

* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.
* Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

## 2026-01-13

  
**WARP client for Linux (version 2025.10.186.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/).

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com).

**Changes and improvements**

* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* Linux [disk encryption posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/disk-encryption/) now supports non-filesystem encryption types like `dm-crypt`.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.
* Fixed an issue where the GUI becomes unresponsive when the **Re-Authenticate in browser** button is clicked.
* Added a new feature to manage WARP client connectivity for all devices using an [external signal](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/). This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

## 2025-12-09

  
**WARP client for Windows (version 2025.10.118.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.
* Fixed an issue where sending large messages to the WARP daemon over Inter-Process Communication (IPC) could cause WARP to crash and result in service interruptions.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-12-09

  
**WARP client for macOS (version 2025.10.118.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* The [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) now supports transparent HTTP proxying in addition to CONNECT-based proxying.

## 2025-11-11

  
**WARP client for Windows (version 2025.9.558.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues.

**Changes and improvements**

* Fixed an inconsistency with [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings in multi-user environments when switching between users.
* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
* Fixed an issue where deleting a registration was erroneously reported as having failed.
* Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This lets the WARP client size packets to suit each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery).
* Improvements for the [OS version](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/os-version/) WARP client check. Windows Update Build Revision (UBR) numbers can now be checked by the client to ensure devices have required security patches and features installed.
* The WARP client now supports Windows 11 ARM-based machines. For information on known limitations, refer to the [Known limitations page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/known-limitations/#cloudflare-one-client-disconnected-on-windows-arm).

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-11-11

  
**WARP client for macOS (version 2025.9.558.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues.

**Changes and improvements**

* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
* Fixed an issue where deleting a registration was erroneously reported as having failed.
* Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This lets the WARP client size packets to suit each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery).

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-11-11

  
**WARP client for Linux (version 2025.9.558.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes, improvements, and new features including [Path Maximum Transmission Unit Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues.

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/).
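The key rotation note above (repeated on the 2026-01-13 and 2026-02-24 Linux releases) matters for package supply-chain integrity: a host still carrying the pre-rotation key will fail apt signature verification once the repository is signed only with the new key, and the correct response is to re-import the published key, not to mark the repository as trusted or disable signature checks. The script below is an added example, not Cloudflare's code or part of the pkg.cloudflareclient.com instructions. It parses `gpg --with-colons` output to compare the fingerprints in the installed keyring with the fingerprints of the key the repository currently publishes, and to list primary keys whose expiration has passed. The keyring path and pubkey URL are assumed from the pkg.cloudflareclient.com install instructions; the `SAMPLE_*` records and their fingerprints, key IDs and expiry date are constructed for the offline run and are not a statement about the real key.

```shell
#!/bin/sh
# Added example, not Cloudflare's code: decide from `gpg --with-colons` output
# whether the WARP apt signing key on this host is the pre-rotation key.
# KEYRING and PUBKEY_URL are assumed from the pkg.cloudflareclient.com
# install instructions; the SAMPLE_* records below are constructed, not real keys.

KEYRING=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg   # assumed path
PUBKEY_URL=https://pkg.cloudflareclient.com/pubkey.gpg            # assumed URL

# Print the fingerprint of every primary public key in gpg colon-format output
# read from stdin: the "fpr" record that directly follows a "pub" record
# carries the primary-key fingerprint in field 10 ("fpr" after "sub" is a subkey).
primary_fingerprints() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "sub" { want = 0; next }
           $1 == "fpr" && want == 1 { print $10; want = 0 }'
}

# Print "<keyid> <expiry>" for every primary key in colon output (stdin) whose
# expiration (pub record field 7, epoch seconds) is earlier than $1 (epoch
# seconds). Keys with no expiration date are skipped.
expired_primary_keys() {
  awk -F: -v now="$1" '$1 == "pub" && $7 != "" && $7 + 0 < now + 0 { print $5, $7 }'
}

# Return 0 if every primary fingerprint in the published key set ($2) is present
# in the installed keyring ($1), 1 if the keyring needs an update, and 2 if there
# is nothing to compare against. Both arguments are gpg colon-format text.
keyring_is_current() {
  installed=" $(printf '%s\n' "$1" | primary_fingerprints | tr '\n' ' ')"
  published=$(printf '%s\n' "$2" | primary_fingerprints)
  [ -n "$published" ] || return 2
  for fpr in $published; do
    case "$installed" in
      *" $fpr "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Constructed sample (uid/sub records omitted): an "old" key whose expiry is
# set to 1764806400 (2025-12-04 00:00 UTC) and a "new" key with no expiry.
# The fingerprints and key IDs are dummies.
SAMPLE_OLD='pub:-:4096:1:0123456789ABCDEF:1600000000:1764806400::-:::scESC::::::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA00000123456789ABCDEF:'
SAMPLE_NEW='pub:-:4096:1:FEDCBA9876543210:1757000000:::-:::scESC::::::23::0:
fpr:::::::::BBBB0000BBBB0000BBBB0000BBBB0000FEDCBA9876543210:'

# Live check against the real keyring and the key the repository publishes.
# Runs only when invoked as `sh check-warp-key.sh --live`, so the functions
# above can be sourced and exercised offline.
live_check() {
  [ -r "$KEYRING" ] || { echo "no keyring at $KEYRING" >&2; return 2; }
  installed_cols=$(gpg --show-keys --with-colons "$KEYRING") || return 2
  published_cols=$(curl -fsSL "$PUBKEY_URL" | gpg --show-keys --with-colons) || return 2
  if keyring_is_current "$installed_cols" "$published_cols"; then
    echo "keyring is current"
  else
    echo "keyring is stale: re-import the key per pkg.cloudflareclient.com; do not disable signature checks" >&2
    printf '%s\n' "$installed_cols" | expired_primary_keys "$(date +%s)"
    return 1
  fi
}

if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Run it with `--live` on a managed Linux host to compare the installed keyring with the published key; a non-zero exit with a stale-keyring message is the signal to follow the pkg.cloudflareclient.com re-import steps before December 4, 2025. Fleet-wide, the same comparison can be fed by an inventory of keyring fingerprints rather than by each host fetching the key itself.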

**Changes and improvements**

* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
* Fixed an issue where deleting a registration was erroneously reported as having failed.
* Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This lets the WARP client size packets to suit each network. PMTUD is disabled by default. To enable it, refer to the [PMTUD documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/#enable-path-mtu-discovery).

## 2025-10-16

  
**WARP client for Windows (version 2025.9.173.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

**Changes and improvements**

* Improvements for [Windows multi-user](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/) to maintain the [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) state when switching between users.
* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
* Deleting a registration no longer reports an error when the deletion succeeds.
* Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection, so the client can size packets to suit the current network.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-10-16

**WARP client for macOS (version 2025.9.173.1)**

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

**Changes and improvements**

* The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
* Deleting registrations no longer returns an error when succeeding.
* Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-10-07

**WARP client for Linux (version 2025.8.779.0)**

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains significant fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/).

**Changes and improvements**

* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCKS5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
* The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-10-07

**WARP client for Windows (version 2025.8.779.0)**

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains significant fixes and improvements.

**Changes and improvements**

* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCKS5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
* The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-10-07

**WARP client for macOS (version 2025.8.779.0)**

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains significant fixes and improvements.

**Changes and improvements**

* [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCKS5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
* The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-09-30

**WARP client for Windows (version 2025.7.176.0)**

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles.
* Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving.
* Improvement to maintain TCP connections to reduce interruptions in long-lived connections such as RDP or SSH.
* Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client).
* Improvements to maintain client connectivity during network changes.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-09-30

**WARP client for macOS (version 2025.7.176.0)**

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed a bug preventing the `warp-diag captive-portal` command from running successfully due to the client not parsing SSID on macOS.
* Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client).
* MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles.
* Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving.
* Improvements to maintain client connectivity during network changes.
* The WARP client now supports macOS Tahoe (version 26.0).

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-09-30

**WARP client for Linux (version 2025.7.176.0)**

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/).

**Changes and improvements**

* MASQUE is now the default [tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) for all new WARP device profiles.
* Improvement to limit idle connections in [Gateway with DoH mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) to avoid unnecessary resource usage that can lead to DoH requests not resolving.
* Improvements to maintain [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) settings when [switching between organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/#switch-organizations-in-the-cloudflare-one-client).
* Improvements to maintain client connectivity during network changes.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-09-10

**WARP client for Windows (version 2025.7.106.1)**

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements including enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity.

**Changes and improvements**

* Enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity.
* Improvement to keep TCP connections up the first time WARP connects on devices so that remote desktop sessions (such as RDP or SSH) continue to work.
* Improvements to maintain Global WARP Override settings when switching between organization configurations.
* The [MASQUE protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) is now the default protocol for all new WARP device profiles.
* Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-09-10

**WARP client for macOS (version 2025.7.106.1)**

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements including enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity.

**Changes and improvements**

* Enhancements to [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with WireGuard, you will need to select a new [WARP mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) or all devices matching the profile will lose connectivity.
* Fixed a bug preventing the `warp-diag captive-portal` command from running successfully due to the client not parsing SSID on macOS.
* Improvements to maintain Global WARP Override settings when switching between organization configurations.
* The [MASQUE protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol) is now the default protocol for all new WARP device profiles.
* Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-08-29

**Cloudflare One WARP Diagnostic AI Analyzer**

We're excited to share a new AI feature, the [WARP diagnostic analyzer ↗](https://blog.cloudflare.com/AI-troubleshoot-warp-and-network-connectivity-issues/), to help you troubleshoot and resolve WARP connectivity issues faster. This beta feature is now available in the [Cloudflare One dashboard ↗](https://dash.cloudflare.com/one/) to all users. The AI analyzer makes it easier for you to identify the root cause of client connectivity issues by parsing [remote captures](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#start-a-remote-capture) of [WARP diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs). The WARP diagnostic analyzer provides a summary of the impact that may be experienced on the device, lists notable events that may contribute to performance issues, and recommends troubleshooting steps and articles to help you resolve these issues. Refer to [WARP diagnostics analyzer (beta)](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#diagnostics-analyzer-beta) to learn more about how to get the most out of the WARP diagnostic analyzer when troubleshooting the WARP client.

## 2025-08-21

**WARP client for Windows (version 2025.6.1400.0)**

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains a hotfix for multi-user pre-login in the 2025.6.1135.0 release.

**Changes and improvements**

* Fixes an issue where new pre-login registrations were not being properly created.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-08-19

**WARP client for Windows (version 2025.6.1335.0)**

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Improvements to better manage multi-user pre-login registrations.
* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement for faster client connectivity on high-latency captive portal networks.
* Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-08-19

**WARP client for macOS (version 2025.6.1335.0)**

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement for faster client connectivity on high-latency captive portal networks.
* Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-08-19

**WARP client for Linux (version 2025.6.1335.0)**

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement for faster client connectivity on high-latency captive portal networks.
* Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-07-24

**WARP client for Windows (version 2025.6.824.1)**

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Improvements to better manage multi-user pre-login registrations.
* Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement to managed network detection checks for faster switching between managed networks.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 version KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-07-24

  
**WARP client for macOS (version 2025.6.824.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains minor fixes and improvements.

**Changes and improvements**

* Fixed an issue where devices could not reach split-tunneled destinations, even while WARP was disconnected.
* Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
* Improvement to managed network detection checks for faster switching between managed networks.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-07-23

  
**WARP client for Windows (version 2025.5.943.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
* Changes to the [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) feature to no longer restart the SMS Agent Host (`ccmexec.exe`) service.
* Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues update to [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or later for resolution.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-07-23

  
**WARP client for macOS (version 2025.5.943.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
* Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.
* For macOS deployments, the WARP client can now be managed using an `mdm.xml` file placed in `/Library/Application Support/Cloudflare/mdm.xml`. This new configuration option offers an alternative to the still supported method of deploying a managed plist through an MDM solution.
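
As an added example (not Cloudflare's code), the following Python builds that managed configuration as an XML property list, validates it before it is pushed to a fleet, and writes it to the `mdm.xml` path above. Only the file path and the `enable_post_quantum` parameter come from this page; the other key names (`organization`, `auto_connect`, `switch_locked`, `service_mode`) are assumed from the MDM deployment parameters documentation, and `your-team-name` is a placeholder. Validating first matters because a mistyped key or a wrong value type means devices do not receive the policy you intended.

```python
"""Build and sanity-check a WARP mdm.xml for macOS.

Added example, not Cloudflare's code. The WARP client reads a managed
configuration from /Library/Application Support/Cloudflare/mdm.xml as an
XML property list (plist). Only enable_post_quantum is named on the
changelog page; the other key names below are assumed from the MDM
deployment parameters documentation.
"""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

MDM_XML_PATH = Path("/Library/Application Support/Cloudflare/mdm.xml")

# Keys we manage and the plist type each must carry (assumed from the
# MDM deployment parameters documentation).
EXPECTED_TYPES = {
    "organization": str,          # Zero Trust team name
    "auto_connect": int,          # seconds before auto-reconnect; 0 disables
    "switch_locked": bool,        # prevent users from disconnecting WARP
    "service_mode": str,          # e.g. "warp" for Gateway with WARP
    "enable_post_quantum": bool,  # PQ crypto end-to-end via Cloudflare Tunnel
}


def build_mdm_xml(team_name: str, post_quantum: bool = True) -> bytes:
    """Serialize a managed configuration as an XML plist."""
    config = {
        "organization": team_name,  # placeholder team name supplied by caller
        "auto_connect": 1,
        "switch_locked": True,
        "service_mode": "warp",
        "enable_post_quantum": post_quantum,
    }
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=True)


def validate_mdm_xml(data: bytes) -> dict:
    """Parse an mdm.xml and reject a missing team name or wrong value types.

    Returns the parsed dict; raises ValueError on anything that would leave
    devices without the intended policy.
    """
    try:
        config = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise ValueError(f"not a valid plist: {exc}") from exc
    if not isinstance(config, dict):
        raise ValueError("top-level plist object must be a dict")
    if not config.get("organization"):
        raise ValueError("organization (team name) is required")
    for key, expected in EXPECTED_TYPES.items():
        if key not in config:
            continue
        value = config[key]
        # bool is a subclass of int in Python, so reject <true/> where an
        # <integer> is expected.
        if expected is int and isinstance(value, bool):
            raise ValueError(f"{key} must be an integer, got a boolean")
        if not isinstance(value, expected):
            raise ValueError(f"{key} must be {expected.__name__}")
    return config


def is_valid_mdm_xml(data: bytes) -> bool:
    """Boolean wrapper around validate_mdm_xml for quick pre-deploy checks."""
    try:
        validate_mdm_xml(data)
    except ValueError:
        return False
    return True


def write_mdm_xml(data: bytes, path: Path = MDM_XML_PATH) -> Path:
    """Validate, then write the plist; the real path requires root on macOS."""
    validate_mdm_xml(data)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    return path


if __name__ == "__main__":
    xml = build_mdm_xml("your-team-name")
    print(xml.decode())
    print(validate_mdm_xml(xml))
```

Run it as root on a test Mac (or point `write_mdm_xml` at a scratch directory first), then confirm the client picked up the team name in the WARP GUI before rolling the file out through your MDM.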

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-07-23

  
**WARP client for Linux (version 2025.5.943.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains minor fixes and improvements.

**Changes and improvements**

* WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
* Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-06-30

  
**WARP client for Windows (version 2025.5.893.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains improvements and new exciting features, including [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) and [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed a device registration issue that caused WARP connection failures when changing networks.
* Captive portal improvements and fixes:  
   * Captive portal sign in notifications will now be sent through operating system notification services.  
   * Fix for firewall configuration issue affecting clients in DoH only mode.
* Improved the connectivity status message in the client GUI.
* Fixed a bug affecting clients in Gateway with DoH mode where the original DNS servers were not restored after disabling WARP.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to handle client configuration changes made by an MDM while WARP is not running.
* Improvements for multi-user experience to better handle fast user switching and transitions from a pre-login to a logged-in state.
* Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/).
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
* Added [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable.
* Fixed an issue where WARP connectivity failed and required a full system reboot to recover.

**Known issues**

* For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues update to [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or later for resolution.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-06-30

  
**WARP client for macOS (version 2025.5.893.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed an issue where WARP sometimes failed to automatically relaunch after updating.
* Fixed a device registration issue causing WARP connection failures when changing networks.
* Captive portal improvements and fixes:  
   * Captive portal sign in notifications will now be sent through operating system notification services.  
   * Fix for firewall configuration issue affecting clients in DoH only mode.
* Improved the connectivity status message in the client GUI.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to handle client configuration changes made by an MDM while WARP is not running.
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
* Improved WARP connectivity on macOS in cases where the operating system did not accept DNS server configuration.
* Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/).

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-06-30

  
**WARP client for Linux (version 2025.5.893.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed a device registration issue causing WARP connection failures when changing networks.
* Captive portal improvements and fixes:  
   * Captive portal sign in notifications will now be sent through operating system notification services.  
   * Fix for firewall configuration issue affecting clients in DoH only mode.
* Improved the connectivity status message in the client GUI.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to handle client configuration changes made by MDM while WARP is not running.
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
* Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/).

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-06-30

  
**Cloudflare One Agent for Android (version 2.4.2)**   

A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate [protection of post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* QLogs are now disabled by default and can be enabled in the app by turning on **Enable qlogs** under **Settings** \> **Advanced** \> **Diagnostics** \> **Debug Logs**. The QLog setting from previous releases will no longer be respected.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* The WARP client now applies [post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by [MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Fixed an issue that caused WARP connection failures on ChromeOS devices.

## 2025-06-30

  
**Cloudflare One Agent for iOS (version 1.11)**   

A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate [protection of post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* QLogs are now disabled by default and can be enabled in the app by turning on **Enable qlogs** under **Settings** \> **Advanced** \> **Diagnostics** \> **Debug Logs**. The QLog setting from previous releases will no longer be respected.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* The WARP client now applies [post-quantum cryptography ↗](https://blog.cloudflare.com/pq-2024/) end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by [MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).

## 2025-06-17

  
**WARP client for Windows (version 2025.5.828.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.

**Changes and improvements**

* Improvement to better handle multi-user fast user switching.
* Fixed an issue where WARP connectivity failed and required a full system reboot to recover.

**Known issues**

* Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-06-17

  
**WARP client for macOS (version 2025.5.828.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.

**Changes and improvements**

* Improved WARP connectivity on macOS in cases where the operating system did not accept DNS server configuration.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-06-05

  
**WARP client for Windows (version 2025.5.735.1)**   

A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains improvements and new exciting features, including [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) and [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed a device registration issue causing WARP connection failures when changing networks.
* Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in.
* Fixed a bug where in Gateway with DoH mode, connection to DNS servers was not automatically restored after reconnecting WARP.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to gracefully handle changes made by MDM while WARP is not running.
* Improvement for multi-user mode to avoid unnecessary key rotations when transitioning from a pre-login to a logged-in state.
* Added a WARP client device posture check for SAN attributes to the [client certificate check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/).
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
* Added [SCCM VPN boundary support](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#sccm-vpn-boundary-support) to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable.

**Known issues**

* Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.

## 2025-06-05

  
**WARP client for macOS (version 2025.5.735.1)**   

A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).

This release contains improvements and new exciting features, including [post-quantum cryptography](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum). By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

**Changes and improvements**

* Fixed an issue where the Cloudflare WARP application may not have automatically relaunched after an update.
* Fixed a device registration issue causing WARP connection failures when changing networks.
* Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in.
* The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be [enabled by MDM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#enable%5Fpost%5Fquantum).
* Improvement to gracefully handle changes made by MDM while WARP is not running.
* Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-05-22

  
**WARP client for Windows (version 2025.4.943.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release.

**Changes and improvements**

* Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

**Known issues**

* DNS resolution may be broken when the following conditions are all true:  
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
   * A custom DNS server address is configured on the primary network adapter.  
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
To work around this issue, reconnect the WARP client by toggling off and back on.
* Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.

## 2025-05-22

  
**WARP client for macOS (version 2025.4.943.0)**   

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release.

**Changes and improvements**

* Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-05-22

  
**WARP client for Linux (version 2025.4.943.0)**   

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains a hotfix for [managed networks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) for the 2025.4.929.0 release.

**Changes and improvements**

* Fixed an issue where it could take up to 3 minutes for the correct device profile to be applied in some circumstances. In the worst case, it should now only take up to 40 seconds. This will be improved further in a future release.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-05-14

  
**WARP client for Windows (version 2025.4.929.0)**   

A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains two significant changes that all customers should be aware of:

1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip).
2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

**Changes and improvements**

* Fixed an issue causing reconnection loops when captive portals are detected.
* Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names.
* Fixed an issue where managed network policies could incorrectly report network location beacons as missing.
* Improved DEX test error reporting.
* Fixed an issue where some parts of the WARP Client UI were missing in high contrast mode.
* Fixed an issue causing client notifications to fail in IPv6-only environments, which prevented the client from receiving configuration changes to settings like the device profile.
* Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
* Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
* Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6-only environments.
* Fixed an issue where frequent network changes could cause WARP to become unresponsive.
* WARP now checks whether tunnel connectivity has failed or timed out on device wake before attempting to reconnect.
* Fixed an issue causing WARP connection disruptions after network changes.

**Known issues**

* DNS resolution may be broken when the following conditions are all true:
   * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
   * A custom DNS server address is configured on the primary network adapter.
   * The custom DNS server address on the primary network adapter is changed while WARP is connected.

  To work around this issue, reconnect the WARP client by toggling it off and back on.
* Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
* Devices with `KB5055523` installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.

## 2025-05-12

**WARP client for Linux (version 2025.4.929.0)**

A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains two significant changes all customers should be aware of:

1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip).
2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

**Changes and improvements**

* Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
* Improved DEX test error reporting.
* Fixed an issue causing client notifications to fail in IPv6-only environments, which prevented the client from receiving configuration changes to settings like the device profile.
* Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
* Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
* Fixed an issue where frequent network changes could cause WARP to become unresponsive.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* WARP now checks whether tunnel connectivity has failed or timed out on device wake before attempting to reconnect.
* Fixed an issue causing WARP connection disruptions after network changes.

**Known issues**

* Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

## 2025-05-12

**WARP client for macOS (version 2025.4.929.0)**

A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

This release contains two significant changes all customers should be aware of:

1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip).
2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

**Changes and improvements**

* Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
* Improved DEX test error reporting.
* Fixed an issue causing client notifications to fail in IPv6-only environments, which prevented the client from receiving configuration changes to settings like the device profile.
* Improved captive portal detection.
* Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
* Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
* DNS over HTTPS traffic is now included in the WARP tunnel by default.
* Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
* Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6-only environments.
* Fixed an issue where frequent network changes could cause WARP to become unresponsive.
* WARP now checks whether tunnel connectivity has failed or timed out on device wake before attempting to reconnect.
* Fixed an issue causing WARP connection disruptions after network changes.

**Known issues**

* macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

## 2025-03-17

**Cloudflare One Agent for Android (version 2.4)**

A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements.

**Changes and improvements**

* Improved in-app error messages.
* Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url).
* Fixed an issue preventing admin split tunnel settings from taking priority for traffic from certain applications.

## 2025-03-17

**Cloudflare One Agent for iOS (version 1.10)**

A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements.

**Changes and improvements**

* Improved in-app error messages.
* Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url).
* Bug fixes and performance improvements.

## 2024-06-16

**Explore product updates for Cloudflare One**

Welcome to your new home for product updates on [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

Our [new changelog](https://developers.cloudflare.com/changelog/) lets you read about changes in much more depth, offering in-depth examples, images, code samples, and even gifs.

If you are looking for older product updates, refer to the following locations.

* [Access](https://developers.cloudflare.com/cloudflare-one/changelog/access/)
* [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/changelog/browser-isolation/)
* [CASB](https://developers.cloudflare.com/cloudflare-one/changelog/casb/)
* [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/changelog/tunnel/)
* [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/changelog/dlp/)
* [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/changelog/dex/)
* [Email security](https://developers.cloudflare.com/cloudflare-one/changelog/email-security/)
* [Gateway](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/)
* [Multi-Cloud Networking](https://developers.cloudflare.com/multi-cloud-networking/changelog/)
* [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/changelog/)
* [Magic Network Monitoring](https://developers.cloudflare.com/network-flow/changelog/)
* [Magic Transit](https://developers.cloudflare.com/magic-transit/changelog/)
* [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/changelog/)
* [Network Interconnect](https://developers.cloudflare.com/network-interconnect/changelog/)
* [Risk score](https://developers.cloudflare.com/cloudflare-one/changelog/risk-score/)
* [Cloudflare One Client](https://developers.cloudflare.com/changelog/cloudflare-one-client/)

---

---
title: Digital Experience Monitoring
description: Review recent changes to Digital Experience Monitoring.
image: https://developers.cloudflare.com/zt-preview.png
---

# Digital Experience Monitoring

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/dex.xml) 

## 2026-04-29

**Digital experience tests to authenticated resources and enhanced configuration**

[Digital experience tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) now support testing applications protected by Cloudflare Access or third-party authentication. All authentication secrets are managed via [Cloudflare Secret Store](https://developers.cloudflare.com/secrets-store/).

Digital experience tests also have enhanced configuration options including:

* New HTTP methods (DELETE, PATCH, POST, PUT)
* Secret Store headers, custom plain text headers, and custom request bodies
* Advanced settings: follow redirects, response bodies, response headers, and allow untrusted certificates

![Digital experience test configuration for Cloudflare Access applications](https://developers.cloudflare.com/_astro/dex_test_auth_config.CD3G3zb__o7m7g.webp)

![Digital experience enhanced test configuration](https://developers.cloudflare.com/_astro/dex_test_enhanced_config.Nsv7Vcob_ppxh5.webp)

## 2026-04-28

**Internet outage notifications for devices**

[Digital Experience](https://developers.cloudflare.com/cloudflare-one/insights/dex/) will display a dashboard notification when an Internet outage or traffic anomaly may impact a [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) device based on its geographic location or network connection.

This Internet outage and traffic anomaly data is pulled from [Cloudflare Radar ↗](https://radar.cloudflare.com/). All Internet outage and traffic anomaly observations can be viewed in the [Radar Outage Center ↗](https://radar.cloudflare.com/outage-center).

![Digital Experience Monitoring dashboard notification for Internet outage impacting Cloudflare One Client devices](https://developers.cloudflare.com/_astro/dex_radar_ux_notification.CpdrUVYA_ZSzgIe.webp)

![Digital Experience Monitoring dashboard analytics for Internet outage impacting Cloudflare One Client devices](https://developers.cloudflare.com/_astro/dex_radar_analytics.GaPxWM6C_2jLyzS.webp)

## 2026-04-28

**Cloudflare One Client speed tests**

IT teams can now remotely run speed tests from the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) to Cloudflare's network edge.

Each speed test includes the following metrics:

* Internet speed: download and upload throughput
* Latency: download, upload, unloaded latency, and jitter
* Network quality score: video streaming, webchat/real-time communication (RTC)

In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Digital experience** \> **Diagnostics** and select **Run diagnostics** to use the feature today.

![Cloudflare One client speed test result](https://developers.cloudflare.com/_astro/dex_speed_test.DukupcRs_gXUVw.webp) 

## 2026-04-15

**Last seen timestamp for Cloudflare One Client devices is more consistent**

The last seen timestamp for [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) devices is now more consistent across the dashboard, so IT teams see the same information about the most recent client event between a device and Cloudflare's network wherever it is displayed.

## 2026-02-19

**DEX Supports EU Customer Metadata Boundary**

[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into [WARP](https://developers.cloudflare.com/warp-client/) device connectivity and performance to any internal or external application.

Now, all DEX logs are fully compatible with Cloudflare's [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/) (CMB) setting for the 'EU' (European Union), which ensures that DEX logs will not be stored outside the 'EU' when the option is configured.

If a Cloudflare One customer using DEX enables CMB 'EU', they will not see any DEX data in the Cloudflare One dashboard. Customers can ingest DEX data via [LogPush](https://developers.cloudflare.com/logs/logpush/), and build their own analytics and dashboards.

If a customer enables CMB in their account, they will see the following message in the Digital Experience dashboard: "DEX data is unavailable because Customer Metadata Boundary configuration is on. Use Cloudflare LogPush to export DEX datasets."

![Digital Experience Monitoring message when Customer Metadata Boundary for the EU is enabled](https://developers.cloudflare.com/_astro/dex_supports_cmb.6YOLXjHN_ZJh3uv.webp) 

## 2025-11-12

**DEX Logpush jobs**

[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into WARP device metrics, connectivity, and network performance across your Cloudflare SASE deployment.

We've released four new WARP and DEX device data sets that can be exported via [Cloudflare Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/). These Logpush data sets can be exported to R2, a cloud bucket, or a SIEM to build a customized logging and analytics experience.

1. [DEX Application Tests](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fapplication%5Ftests/)
2. [DEX Device State Events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/dex%5Fdevice%5Fstate%5Fevents/)
3. [WARP Config Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Fconfig%5Fchanges/)
4. [WARP Toggle Changes](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/warp%5Ftoggle%5Fchanges/)

To create a new DEX or WARP Logpush job, go to the account level of the Cloudflare dashboard and select **Analytics & Logs** \> **Logpush**.

![DEX logpush job creation dashboard](https://developers.cloudflare.com/_astro/dex_logpush_datasets.CtCk36pX_Z1tuyHu.webp) 

## 2025-08-29

**DEX MCP Server**

[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device connectivity and performance across your Cloudflare SASE deployment.

We've released an MCP server [(Model Context Protocol) ↗](https://cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) for DEX.

The DEX MCP server is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly@acme.com", and receive an answer that contains data from the DEX API.

The DEX MCP Server is available to every Cloudflare One customer, whether on a Free, Pay-as-you-go, or Enterprise account.

Customers can test the new DEX MCP server in less than one minute. To learn more, read the [DEX MCP server documentation](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/).

## 2025-03-07

**Cloudflare One Agent now supports Endpoint Monitoring**

[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device, network, and application performance across your Cloudflare SASE deployment. The latest release of the Cloudflare One agent (v2025.1.861) now includes device endpoint monitoring capabilities to provide deeper visibility into end-user device performance which can be analyzed directly from the dashboard.

Device health metrics are now automatically collected, allowing administrators to:

* View the last network a user was connected to
* Monitor CPU and RAM utilization on devices
* Identify resource-intensive processes running on endpoints

![Device endpoint monitoring dashboard](https://developers.cloudflare.com/_astro/cloudflare-one-agent-health-monitoring.XXtiRuOp_Z25TN9Q.webp)

This feature complements existing DEX features like [synthetic application monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) and [network path visualization](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/), creating a comprehensive troubleshooting workflow that connects application performance with device state.

For more details refer to our [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) documentation.

## 2025-01-24

**IP visibility**

[IP visibility](https://developers.cloudflare.com/cloudflare-one/insights/dex/ip-visibility/) enables admins to inspect the different IP addresses associated with an end-user device. IP types available for review on the Cloudflare dashboard include the device's private IP, the public IP assigned to the device by the ISP, and the private IP of the router the device is connected to.

## 2024-12-19

**Remote captures**

Admins can now collect packet captures (PCAPs) and WARP diagnostic logs from end-user devices. For more information, refer to [Remote captures](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/).

## 2024-05-20

**Last seen ISP**

Admins can view the last ISP seen for a device by going to **My Team** \> **Devices**. This requires setting up a [traceroute test](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/).

## 2024-05-13

**DEX alerts**

Admins can now set [DEX alerts](https://developers.cloudflare.com/cloudflare-one/insights/dex/notifications/) using [Cloudflare Notifications](https://developers.cloudflare.com/notifications/). Three new DEX alert types are available:

* Device connectivity anomaly
* Test latency
* Test low availability

---

---
title: Data Loss Prevention
description: Review recent changes to Cloudflare DLP.
image: https://developers.cloudflare.com/zt-preview.png
---

# Data Loss Prevention

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/dlp.xml) 

## 2026-04-30

**Classify sensitive content with Data Classification**

Cloudflare DLP now includes **Data Classification**, which lets administrators organize and label sensitive content using labels, templates, and reusable data classes.

With Data Classification, administrators can define labels such as sensitivity schemas and levels, and data tag groups and tags. Administrators can also build from Cloudflare-managed templates and create reusable data classes that combine detection entries, other data classes, sensitivity levels, and data tags.

You can then use those classifications in custom DLP profiles to identify the severity of sensitive content, understand where it exists, and apply that logic consistently across DLP profiles.

For more information, refer to [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/).

## 2026-04-30

**New predefined detection entries are available**

Cloudflare DLP now includes new predefined detection entries.

The expanded catalog includes detections for specific credential types, webhooks, addresses, tax identifiers, national IDs, financial data, and crypto wallets.

Examples include `GitHub PAT`, `OpenAI API Key`, `Slack Webhook`, `Discord Webhook`, `US Physical Address`, and `Bitcoin Wallet`.

For the full list, refer to [Predefined detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/).

## 2026-04-28

**Create and manage DLP detection entries outside of profiles**

You can now create, view, and manage DLP detection entries outside of profiles.

Detection entries are no longer hidden inside individual profiles. Administrators can manage detection entries directly from the **Detection entries** section and use them in custom DLP profiles.

For more information, refer to [Configure detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/).

## 2026-04-28

**Detect PII records with a new predefined DLP profile**

Cloudflare DLP now includes a new predefined profile designed to detect PII records that contain multiple types of personal data: **Personally Identifiable Information (PII) Record**.

Most predefined and custom DLP profiles match when any enabled detection entry matches. The **Personally Identifiable Information (PII) Record** profile is different. It only matches when at least three unique detection entries are found in close proximity, which reduces false positives from standalone values that may not represent a real PII record.

Detection entries included in the profile:

* AU Passport Number
* American Express Card Number
* Diners Club Card Number
* US Driver's License Number
* Email Address
* Full Name
* US Mailing Address
* Mastercard Card Number
* US Individual Tax Identification Number (ITIN)
* US Passport Number
* US Phone Number
* Union Pay Card Number
* United States SSN Numeric Detection
* Visa Card Number

For more information, refer to [predefined DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/).
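
As an added illustration of that proximity rule (example code written for this page, not Cloudflare's DLP engine), the following Python scanner uses constructed, simplified patterns for four of the listed entries and reports a PII record only when at least three distinct entries fall inside one character window. The 200-character window and the regexes are assumptions; the page does not state the distance the profile uses.

```python
import re
from dataclasses import dataclass

# Simplified patterns for four of the profile's entries. They are constructed
# for this example and far looser than production detectors (no checksum or
# context checks), which is exactly why a proximity rule matters.
DETECTION_ENTRIES = {
    "Email Address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "US Phone Number": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "United States SSN Numeric Detection": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Visa Card Number": re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"),
}

# Assumed proximity distance in characters; the page does not publish the
# distance the predefined profile uses.
PROXIMITY_WINDOW = 200
MIN_UNIQUE_ENTRIES = 3


@dataclass(frozen=True)
class Match:
    entry: str
    start: int
    end: int
    text: str


def find_matches(text):
    """Run every entry over the text and return matches ordered by offset."""
    matches = []
    for entry, pattern in DETECTION_ENTRIES.items():
        for m in pattern.finditer(text):
            matches.append(Match(entry, m.start(), m.end(), m.group(0)))
    return sorted(matches, key=lambda m: m.start)


def pii_record_clusters(text, window=PROXIMITY_WINDOW, min_unique=MIN_UNIQUE_ENTRIES):
    """Return groups of matches that satisfy the profile's rule.

    For each match taken as the start of a window, collect the matches that
    begin within `window` characters of it; the group qualifies when those
    matches cover at least `min_unique` distinct detection entries. Groups
    that are subsets of the previous qualifying group are dropped.
    """
    matches = find_matches(text)
    clusters = []
    for i, first in enumerate(matches):
        group = [m for m in matches[i:] if m.start - first.start <= window]
        if len({m.entry for m in group}) < min_unique:
            continue
        if clusters and set(group) <= set(clusters[-1]):
            continue
        clusters.append(group)
    return clusters


def is_pii_record(text):
    """True when the text would trigger the PII Record profile under these assumptions."""
    return bool(pii_record_clusters(text))


# Constructed sample inputs.
SAMPLE_RECORD = (
    "Name: Jane Doe, email jane.doe@example.com, phone 415-555-0134, SSN 123-45-6789"
)
SAMPLE_STANDALONE = "Contact: jane.doe@example.com"
# Same three values, but spread so far apart that no window holds all of them.
SAMPLE_SCATTERED = (
    "jane.doe@example.com " + "x" * 250 + " 415-555-0134 " + "x" * 250 + " 123-45-6789"
)

if __name__ == "__main__":
    for label, sample in [("record", SAMPLE_RECORD), ("standalone", SAMPLE_STANDALONE),
                          ("scattered", SAMPLE_SCATTERED)]:
        print(label, is_pii_record(sample))
```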

## 2026-04-14

**DLP account-level settings**

**Account-level DLP settings are now available** in Cloudflare One. You can now configure advanced DLP settings at the account level, including OCR, AI context analysis, and payload masking. This provides consistent enforcement across all DLP profiles and simplifies configuration management.

Key changes:

* **Consistent enforcement**: Settings configured at the account level apply to all DLP profiles
* **Simplified migration**: Settings enabled on any profile are automatically migrated to account level
* **Deprecation notice**: Profile-level advanced settings will be deprecated in a future release

**Migration details:**

During the migration period, if a setting is enabled on any profile, it will automatically be enabled at the account level. This means profiles that previously had a setting disabled may now have it enabled if another profile in the account had it enabled.

Settings are evaluated using OR logic: a setting is enabled if it is turned on at either the account level or the profile level. However, profile-level settings cannot be enabled when the account-level setting is off.

For more details, refer to the [DLP settings documentation](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-settings/).

## 2026-04-14

**Detect Cloudflare API tokens with DLP**

The **Credentials and Secrets** DLP profile now includes three new predefined entries for detecting Cloudflare API credentials:

| Entry name                         | Token prefix | Detects                   |
| ---------------------------------- | ------------ | ------------------------- |
| Cloudflare User API Key            | `cfk_`       | User-scoped API keys      |
| Cloudflare User API Token          | `cfut_`      | User-scoped API tokens    |
| Cloudflare Account Owned API Token | `cfat_`      | Account-scoped API tokens |

These detections target the new [Cloudflare API credential format](https://developers.cloudflare.com/fundamentals/api/get-started/token-formats/), which uses a structured prefix and a CRC32 checksum suffix. The identifiable prefix makes it possible to detect leaked credentials with high confidence and low false positive rates — no surrounding context such as `Authorization: Bearer` headers is required.

Credentials generated before this format change will not be matched by these entries.

#### How to enable Cloudflare API token detections

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **DLP** \> **DLP Profiles**.
2. Select the **Credentials and Secrets** profile.
3. Turn on one or more of the new Cloudflare API token entries.
4. Use the profile in a Gateway HTTP policy to log or block traffic containing these credentials.

Example policy:

| Selector    | Operator | Value                     | Action |
| ----------- | -------- | ------------------------- | ------ |
| DLP Profile | in       | _Credentials and Secrets_ | Block  |

You can also enable individual entries to scope detection to specific credential types — for example, enabling **Account Owned API Token** detection without enabling **User API Key** detection.

For more information, refer to [predefined DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/).
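
To show why a structured prefix plus a checksum suffix gives high-confidence matches, here is an added Python example (not Cloudflare's detector and not its published token encoding): candidates are selected by the three prefixes from the table, and a hit is reported only when a checksum over the body verifies. The body length, base62 alphabet and 6-character CRC32 suffix layout are assumptions made for this example; the real format is described on the linked token-formats page.

```python
import re
import string
import zlib

# Prefix-to-entry mapping from the table above.
TOKEN_PREFIXES = {
    "cfk_": "Cloudflare User API Key",
    "cfut_": "Cloudflare User API Token",
    "cfat_": "Cloudflare Account Owned API Token",
}

BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase

# ASSUMED layout, constructed for this example only:
#   <prefix><body of BODY_LEN base62 chars><CRC32 of body as CHECKSUM_LEN base62 chars>
# Cloudflare's actual encoding is documented on its token-formats page.
BODY_LEN = 40
CHECKSUM_LEN = 6

CANDIDATE = re.compile(r"\b(cfk_|cfut_|cfat_)([0-9A-Za-z]{%d})\b" % (BODY_LEN + CHECKSUM_LEN))


def base62_encode(value, width):
    """Fixed-width base62 encoding, most significant digit first."""
    digits = []
    for _ in range(width):
        value, rem = divmod(value, 62)
        digits.append(BASE62[rem])
    return "".join(reversed(digits))


def checksum(body):
    """CRC32 of the token body, rendered in the assumed 6-char base62 form."""
    return base62_encode(zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF, CHECKSUM_LEN)


def make_token(prefix, body):
    """Constructed helper so the example can build valid sample tokens."""
    return prefix + body + checksum(body)


def find_tokens(text):
    """Return (entry name, token) pairs for substrings that carry one of the
    known prefixes AND whose checksum verifies. A prefix-only hit with a bad
    checksum is dropped: that is what keeps false positives low without
    needing surrounding context such as an Authorization header."""
    hits = []
    for m in CANDIDATE.finditer(text):
        prefix, rest = m.group(1), m.group(2)
        body, suffix = rest[:BODY_LEN], rest[BODY_LEN:]
        if checksum(body) == suffix:
            hits.append((TOKEN_PREFIXES[prefix], m.group(0)))
    return hits


# Constructed sample: one valid token and one whose last checksum char was altered.
SAMPLE_BODY = "".join(BASE62[(i * 7) % 62] for i in range(BODY_LEN))
VALID_TOKEN = make_token("cfat_", SAMPLE_BODY)
BAD_TOKEN = VALID_TOKEN[:-1] + ("0" if VALID_TOKEN[-1] != "0" else "1")
SAMPLE_TEXT = (
    f"export CF_TOKEN={VALID_TOKEN}\n"
    f"# stale copy: {BAD_TOKEN}\n"
    "cfk_tooShortToBeAToken\n"
)

if __name__ == "__main__":
    for entry, token in find_tokens(SAMPLE_TEXT):
        print(entry, token)
```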

## 2026-04-14

**Configure how sensitive data appears in DLP payload logs**

You can now configure how sensitive data matches are displayed in your DLP payload match logs — giving your incident response team the context they need to validate alerts without compromising your security posture.

To get started, go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select **Zero Trust** \> **Data loss prevention** \> **DLP settings** and find the **Payload log masking** card.

Previously, all DLP payload logs used a single masking mode that obscured matched data entirely and hid the original character count, making it difficult to distinguish true positives from false positives. This update introduces three options:

* **Full Mask (default):** Masks the match while preserving character count and visual formatting (for example, `***-**-****` for a Social Security Number). This is an improvement over the previous default, which did not preserve character count.
* **Partial Mask:** Reveals 25% of the matched content while masking the remainder (for example, `***-**-6789`).
* **Clear Text:** Stores the full, unmasked violation for deep investigation (for example, `123-45-6789`).

**Important:** The masking level you select is applied at detection time, before the payload is encrypted. This means the chosen format is what your team will see after decrypting the log with your private key — the existing encryption workflow is unchanged.

**Applies to all enabled detections:** When a masking level other than Full Mask is selected, it applies to all sensitive data matches found within a payload window — not just the match that triggered the policy. Any data matched by your enabled DLP detection entries will be masked at the selected level.

For more information, refer to [DLP logging options](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
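
The three masking levels as an added Python example (not Cloudflare's implementation): Full Mask keeps separators and length, Partial Mask reveals the trailing quarter of the alphanumeric characters, and Clear Text returns the match, each applied to every match in a payload window. Revealing from the end and rounding the 25% up are assumptions; the page's own `***-**-6789` illustration shows the last four digits.

```python
import math


def full_mask(match):
    """Full Mask: replace every alphanumeric character, keep separators and length."""
    return "".join("*" if c.isalnum() else c for c in match)


def partial_mask(match, reveal_fraction=0.25):
    """Partial Mask: reveal the trailing share of alphanumeric characters and
    mask the rest. Revealing from the end and rounding up are assumptions."""
    alnum = [i for i, c in enumerate(match) if c.isalnum()]
    reveal = math.ceil(len(alnum) * reveal_fraction)
    keep = set(alnum[len(alnum) - reveal:])
    return "".join(
        c if (not c.isalnum() or i in keep) else "*" for i, c in enumerate(match)
    )


def clear_text(match):
    """Clear Text: store the full, unmasked violation."""
    return match


MASKING_LEVELS = {"full": full_mask, "partial": partial_mask, "clear": clear_text}


def mask_payload_window(window, matches, level="full"):
    """Apply the selected level to every match in a payload window, not only
    the one that triggered the policy. `matches` holds (start, end) offsets;
    they are rewritten right-to-left so earlier offsets stay valid."""
    mask = MASKING_LEVELS[level]
    out = window
    for start, end in sorted(matches, reverse=True):
        out = out[:start] + mask(out[start:end]) + out[end:]
    return out


# Constructed sample window: a Social Security Number and a test card number.
SAMPLE_WINDOW = "ssn 123-45-6789 card 4111 1111 1111 1111"
SAMPLE_MATCHES = [(4, 15), (21, 40)]

if __name__ == "__main__":
    for level in MASKING_LEVELS:
        print(f"{level:8s} {mask_payload_window(SAMPLE_WINDOW, SAMPLE_MATCHES, level)}")
```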

## 2026-03-26

**Streaming ZIP file scanning removes per-file size limits**

DLP now processes ZIP files using a streaming handler that scans archive contents element-by-element as data arrives. This removes previous file size limitations and improves memory efficiency when scanning large archives.

Microsoft Office documents (DOCX, XLSX, PPTX) also benefit from this improvement, as they use ZIP as a container format.

This improvement is automatic — no configuration changes are required.

## 2026-03-25

**Detect and sanitize HAR files**

HTTP Archive (HAR) files are used by engineering and support teams to capture and share web traffic logs for troubleshooting. However, these files routinely contain highly sensitive data — including session cookies, authorization headers, and other credentials — that can pose a significant risk if uploaded to third-party services without being reviewed or cleaned first.

Gateway now includes a predefined DLP profile called **Unsanitized HAR** that detects HAR files in HTTP traffic. You can use this profile in a Gateway HTTP policy to either block HAR file uploads entirely or redirect users to a sanitization tool before allowing the upload to proceed.

#### How to configure a HAR file policy

In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall Policies** > **HTTP** and create a new HTTP policy using the **DLP Profile** selector:

| Selector    | Operator | Value             | Action |
| ----------- | -------- | ----------------- | ------ |
| DLP Profile | in       | _Unsanitized HAR_ |        |

Then choose one of the following actions:

* **Block**: Prevents the upload of any HAR file that has not been sanitized by Cloudflare's sanitizer. Use this for strict environments where HAR file sharing must be disallowed entirely.
* **Block** with **Gateway Redirect**: Intercepts the upload and redirects the user to `https://har-sanitizer.pages.dev/`, where they can sanitize the file. Once sanitized, the user can re-upload the clean file and proceed with their workflow.

#### Sanitized HAR recognition

HAR files processed by the Cloudflare HAR sanitizer receive a tamper-evident sanitized marker. DLP recognizes this marker and will not re-trigger the policy on a file that has already been sanitized and has not been modified since. If a previously sanitized file is edited, it will be treated as unsanitized and flagged again.

#### Visibility in Gateway logs

Gateway logs will reflect whether a detected HAR file was classified as **Unsanitized** or **Sanitized**, giving your security team full visibility into HAR file activity across your organization.

For more information, refer to [predefined DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/).
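As an added example (not Cloudflare's code, and not its sanitizer's actual marker format), the Python below shows what the detection, sanitization and recognition steps above amount to: recognize the HAR structure, redact the session cookies and authorization headers the entry mentions, and attach a tamper-evident marker (here an HMAC over the canonical sanitized log under a hypothetical verifier key) so that a file edited after sanitization fails the check and is treated as unsanitized again. The sample HAR and its secret values are constructed.

```python
import copy
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header and query-parameter names that routinely carry credentials in captured traffic.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-auth-token", "x-csrf-token"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "api_key", "apikey", "sig"}
# Hypothetical marker field; the real sanitized marker format is not described on this page.
MARKER_KEY = "_sanitized_hmac"


def looks_like_har(obj):
    """Structural HAR check: a top-level 'log' with a version and an entries list."""
    log = obj.get("log") if isinstance(obj, dict) else None
    return isinstance(log, dict) and "version" in log and isinstance(log.get("entries"), list)


def find_credentials(har):
    """List (entry index, location, name) for every secret-bearing field not yet redacted."""
    hits = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for loc, names in (("headers", SENSITIVE_HEADERS), ("queryString", SENSITIVE_PARAMS)):
                for pair in part.get(loc, []):
                    if pair.get("name", "").lower() in names and pair.get("value") != REDACTED:
                        hits.append((i, f"{side}.{loc}", pair["name"]))
            for cookie in part.get("cookies", []):
                if cookie.get("value") != REDACTED:
                    hits.append((i, f"{side}.cookies", cookie.get("name")))
    return hits


def _scrub_url(url):
    """Replace sensitive query-parameter values inside the request URL itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def _marker(log, key):
    """HMAC-SHA256 over the canonical JSON of the log, excluding the marker field itself."""
    body = {k: v for k, v in log.items() if k != MARKER_KEY}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def sanitize_har(har, key):
    """Return a redacted deep copy carrying a tamper-evident marker; the input is untouched."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for pair in part.get("headers", []):
                if pair.get("name", "").lower() in SENSITIVE_HEADERS:
                    pair["value"] = REDACTED
            for pair in part.get("queryString", []):
                if pair.get("name", "").lower() in SENSITIVE_PARAMS:
                    pair["value"] = REDACTED
            for cookie in part.get("cookies", []):
                cookie["value"] = REDACTED          # every cookie value is treated as a session secret
            if "url" in part:
                part["url"] = _scrub_url(part["url"])
    clean["log"][MARKER_KEY] = _marker(clean["log"], key)
    return clean


def classify(har, key):
    """The two states the entry describes: 'Sanitized' only while the marker still verifies."""
    if not looks_like_har(har):
        return "not-har"
    mark = har["log"].get(MARKER_KEY)
    verified = isinstance(mark, str) and hmac.compare_digest(mark, _marker(har["log"], key))
    return "Sanitized" if verified else "Unsanitized"


# Constructed sample HAR with the kinds of secrets a real capture leaks (all values are fake).
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed-sample", "version": "0"},
    "entries": [{
        "request": {"method": "GET", "url": "https://api.example.com/v1/me?token=abc123&page=2",
                    "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi.constructed"},
                                {"name": "Accept", "value": "*/*"}],
                    "queryString": [{"name": "token", "value": "abc123"}, {"name": "page", "value": "2"}],
                    "cookies": [{"name": "session", "value": "s3cr3t-constructed"}]},
        "response": {"status": 200,
                     "headers": [{"name": "Set-Cookie", "value": "session=rotated-constructed; HttpOnly"}],
                     "cookies": [{"name": "session", "value": "rotated-constructed"}],
                     "content": {"mimeType": "application/json", "text": "{}"}}}]}}

if __name__ == "__main__":
    key = b"constructed-verifier-key"
    print(classify(SAMPLE_HAR, key), find_credentials(SAMPLE_HAR))
    clean = sanitize_har(SAMPLE_HAR, key)
    print(classify(clean, key), find_credentials(clean))
```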

## 2025-10-01

**Expanded File Type Controls for Executables and Disk Images**

You can now enhance your security posture by blocking additional application installer and disk image file types with Cloudflare Gateway. Preventing the download of unauthorized software packages is a critical step in securing endpoints from malware and unwanted applications.

We have expanded Gateway's file type controls to include:

* Apple Disk Image (dmg)
* Microsoft Software Installer (msix, appx)
* Apple Software Package (pkg)

You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows:

* **System**: _Apple Disk Image (dmg)_
* **Executable**: _Microsoft Software Installer (msix)_, _Microsoft Software Installer (appx)_, _Apple Software Package (pkg)_

To ensure these file types are blocked effectively, please note the following behaviors:

* DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file.
* MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type _Unscannable_. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection.

To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#supported-file-types).

## 2025-09-25

**Refine DLP Scans with New Body Phase Selector**

You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows.

In the Gateway HTTP policy builder, you will find a new selector called _Body Phase_. This allows you to define the direction of traffic the DLP engine will inspect:

* _Request Body_: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts.
* _Response Body_: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data.

For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the **Body Phase** to _Request Body_, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself.

All policies without this selector will continue to scan both request and response bodies to ensure continued protection.

For more information, refer to [Gateway HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#body-phase).

## 2025-08-25

**New DLP topic based detection entries for AI prompt protection**

You now have access to a comprehensive suite of capabilities to secure your organization's use of generative AI. AI prompt protection introduces four key features that work together to provide deep visibility and granular control.

1. **Prompt Detection for AI Applications**

   DLP can now natively detect and inspect user prompts submitted to popular AI applications, including **Google Gemini**, **ChatGPT**, **Claude**, and **Perplexity**.

2. **Prompt Analysis and Topic Classification**

   Our DLP engine performs deep analysis on each prompt, applying [topic classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics). These topics are grouped into two evaluation categories:

   * **Content:** PII, Source Code, Credentials and Secrets, Financial Information, and Customer Data.
   * **Intent:** Jailbreak attempts, requests for malicious code, or attempts to extract PII.

   To help you apply these topics quickly, we have also released five new predefined profiles (for example, AI Prompt: AI Security, AI Prompt: PII) that bundle these new topics.

   ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-detection-entry.4QmdkAuv_Z14HtSJ.webp)

3. **Granular Guardrails**

   You can now build guardrails using Gateway HTTP policies with [application granular controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts.

   ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-policy.CF3H2rbK_2muoEC.webp)

4. **Full Prompt Logging**

   To aid in incident investigation, an optional setting in your Gateway policy allows you to [capture prompt logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content) to store the full interaction of prompts that trigger a policy match. To make investigations easier, logs can be filtered by `conversation_id`, allowing you to reconstruct the full context of an interaction that led to a policy violation.

   ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-log.ywQDc5qN_2v6nax.webp)

AI prompt protection is now available in open beta. To learn more about it, read the [blog ↗](https://blog.cloudflare.com/ai-prompt-protection/#closing-the-loop-logging) or refer to [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics).

## 2025-07-17

**New detection entry type: Document Matching for DLP**

You can now create [document-based](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#document-entries) detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files.

![DLP](https://developers.cloudflare.com/_astro/document-match.CcN8pGgR_Z1e3PDm.webp) 

**Key features and benefits:**

* **Upload documents, forms, or templates:** Easily upload .docx and .txt files (up to 10 MB) that contain sensitive information you want to protect.
* **Granular control with similarity percentage:** Define a minimum similarity percentage (0-100%) that a document must meet to trigger a detection, reducing false positives.
* **Comprehensive coverage:** Apply these document-based detection entries in:  
   * **Gateway policies:** To inspect network traffic for sensitive documents as they are uploaded or shared.  
   * **CASB (Cloud Access Security Broker):** To scan files stored in cloud applications for sensitive documents at rest.
* **Identify sensitive data:** This new detection entry type is ideal for identifying sensitive data within completed forms, templates, or even small snippets of a larger document, helping you prevent data exfiltration and ensure compliance.

Once uploaded and processed, you can add this new document entry into a DLP profile and policies to enhance your data protection strategy.

## 2025-06-23

**Data Security Analytics in the Zero Trust dashboard**

Zero Trust now includes **Data security analytics**, providing you with unprecedented visibility into your organization's sensitive data.

The new dashboard includes:

* **Sensitive Data Movement Over Time:**  
   * See patterns and trends in how sensitive data moves across your environment. This helps you understand where data is flowing and identify common paths.
* **Sensitive Data at Rest in SaaS & Cloud:**  
   * View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3).
* **DLP Policy Activity:**  
   * Identify which of your Data Loss Prevention (DLP) policies are being triggered most often.  
   * See which specific users are responsible for triggering DLP policies.
![Data Security Analytics](https://developers.cloudflare.com/_astro/cf1-data-security-analytics-v1.BGl6fYXl_H3N0P.webp) 

To access the new dashboard, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Insights** on the sidebar.

## 2025-05-12

**Case Sensitive Custom Word Lists**

You can now configure [custom word lists](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#custom-wordlist-datasets) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.

![dlp](https://developers.cloudflare.com/_astro/case-sesitive-cwl.MPuOc_3r_220dca.webp) 

## 2025-05-07

**Send forensic copies to storage without DLP profiles**

You can now [send DLP forensic copies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases.

By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs.

![DLP](https://developers.cloudflare.com/_astro/forensic-copies-for-all.fxeFrCY4_Z1rCUy9.webp) 

## 2025-04-14

**New predefined detection entry for ICD-11**

You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11) ↗](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile.

The ICD-10 dataset remains available for use.

## 2025-02-03

**Block files that are password-protected, compressed, or otherwise unscannable**

Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.

These unscannable files are now matched with the [Download and Upload File Types traffic selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies:

* Password-protected Microsoft Office document
* Password-protected PDF
* Password-protected ZIP archive
* Unscannable ZIP archive

To get started inspecting and modifying behavior based on these and other rules, refer to [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/).

## 2025-01-20

**Detect source code leaks with Data Loss Prevention**

You can now detect source code leaks with Data Loss Prevention (DLP) using predefined checks for common programming languages.

Detections for the following programming languages are validated with natural language processing (NLP):

* C
* C++
* C#
* Go
* Haskell
* Java
* JavaScript
* Lua
* Python
* R
* Rust
* Swift

DLP also supports confidence levels for [source code profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code).

For more details, refer to [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/).

## 2025-01-15

**Payload log match visibility**

When viewing decrypted payload log matches, DLP now provides more context by listing multiple DLP matches and the matching DLP profile.

## 2024-11-25

**Profile confidence levels**

DLP profiles now support setting a [confidence level](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels) to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level, the fewer false positives are allowed. Confidence levels are Low, Medium, and High. DLP profile confidence levels supersede [context analysis](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#context-analysis).

## 2024-11-01

**Send entire HTTP requests to a Logpush destination**

In addition to [logging the payload](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) from HTTP requests that matched a DLP policy in Cloudflare Logs, Enterprise users can now configure a [Logpush job](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to send the entire HTTP request that triggered a DLP match to a storage destination. This allows long-term storage of full requests for use in forensic investigation.

## 2024-09-03

**Exact Data Match multi-entry upload support**

You can now upload files with [multiple columns of data](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#upload-a-new-exact-data-match-dataset) as Exact Data Match datasets. DLP can use each column as a separate existing detection entry.

## 2024-05-23

**Data-at-rest DLP for Box and Dropbox**

You can now scan your [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/#data-loss-prevention-optional) and [Dropbox](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/#data-loss-prevention-optional) files for DLP matches.

## 2024-04-16

**Optical character recognition**

DLP can now [detect sensitive data](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#optical-character-recognition-ocr) in jpeg, jpg, and png files. This helps companies prevent the leak of sensitive data in images, such as screenshots.


---

---
title: Email security
description: Track updates and changes to Cloudflare One features.
image: https://developers.cloudflare.com/zt-preview.png
---


# Email security

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/email-security-cf1.xml) 

## 2026-05-06

**Cloudy Summaries in PhishNet O365**

PhishNet users can now access **Cloudy summaries** directly within the email investigation experience. When reviewing a message in PhishNet, users will see an AI-generated summary that provides additional context and key details about the email.

These summaries help users quickly understand the nature of a message without needing to manually parse through headers, body content, and detection signals. Cloudy surfaces the most relevant information so users can make faster, more informed decisions about suspicious emails.

**These summaries are not trained on customer data.** They are generated using the outputs of our existing detection models and analysis systems.

This feature is available for PhishNet with Office 365. Support for Gmail will be available by the end of the quarter.

## 2026-04-07

**User Submission Triage Status Tracking**

Cloudflare Email security now supports **Triage Status Tracking for User Submissions**. This enhancement gives SOC teams a streamlined way to track, manage, and prioritize user-submitted emails directly within the Cloudflare One dashboard.

* The User Submissions table now includes a **Status** column with three states: **Unreviewed** (new submissions awaiting triage), **Reviewed** (submissions assessed by the SOC team), and **Escalated** (submissions escalated to team submissions for further investigation). Analysts can quickly update statuses and filter the table to focus on what needs attention.
* SOC teams can now organize their triage workflows, avoid duplicate reviews, and make sure critical threats get escalated for deeper investigation—bringing order to the chaos of high-volume submission management.

Triage Status Tracking is **automatically available** for all Email security customers using the user submissions feature. No additional configuration is required; customers just need to make sure user submissions are being sent to their user submission aliases.

This applies to all Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2026-04-06

**DANE Support for MX Deployments**

Cloudflare Email Security now supports DANE (DNS-based Authentication of Named Entities) for MX deployments. This enhancement strengthens email transport security by enabling DNSSEC-backed certificate verification for our regional MX records.

* Regional MX hostnames now publish DANE TLSA records backed by DNSSEC, enabling DANE-capable SMTP senders to cryptographically validate certificate identities before establishing TLS connections—moving beyond opportunistic encryption to verified encrypted delivery.
* DANE support is automatically available for all customers using regional MX deployments. No additional configuration is required; DANE-capable mail infrastructure will automatically validate MX certificates using the published records.

This applies to all Email Security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**
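As an added example (not Cloudflare's code), the Python below shows the sender-side half of what this entry describes: given a TLSA record published at `_25._tcp.<MX hostname>` and the certificate the MX presents, it checks the record's usage, selector and matching type (RFC 6698) against the certificate or its SubjectPublicKeyInfo. The certificate is a constructed DER skeleton around a fake key, the DNSSEC validation of the record and the TLS handshake are assumed to have happened already, and the PKIX usages (0 and 1) and DANE-TA chain building are out of scope.

```python
import hashlib
import hmac

# TLSA RDATA field values (RFC 6698); RFC 7672 recommends DANE-EE(3) / SPKI(1) / SHA-256(1) for SMTP.
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def tlsa_owner_name(mx_host, port=25):
    """Owner name a DANE-capable sender queries for an MX host (RFC 7672 section 2.2.3)."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa_presentation(text):
    """Parse 'usage selector mtype hex...' as printed by dig; the hex may be split by spaces."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def der_tlv(buf, pos):
    """Decode one DER element header; returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def extract_spki(cert_der):
    """Slice the SubjectPublicKeyInfo TLV out of a DER Certificate (RFC 5280 layout)."""
    _, tbs_start, _ = der_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, tbs_start)           # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                                 # serial, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)
    return cert_der[pos:end]


def tlsa_association_data(cert_der, selector, mtype):
    """The bytes a TLSA record carries for this certificate under the given selector and matching type."""
    subject = {SEL_FULL_CERT: cert_der, SEL_SPKI: extract_spki(cert_der)}[selector]
    if mtype == MATCH_EXACT:
        return subject
    return {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}[mtype](subject).digest()


def tlsa_matches(chain, usage, selector, mtype, data):
    """True if the record matches the end-entity cert (DANE-EE) or an issuer in the chain (DANE-TA)."""
    if usage == USAGE_DANE_EE:
        candidates = chain[:1]
    elif usage == USAGE_DANE_TA:
        candidates = chain[1:]     # path validation up to the matched anchor is omitted in this sample
    else:
        return False               # PKIX-TA/PKIX-EE also need WebPKI validation; conservatively fail here
    try:
        return any(hmac.compare_digest(tlsa_association_data(c, selector, mtype), data) for c in candidates)
    except (KeyError, IndexError):
        return False               # unknown selector/matching type or malformed DER: no match


def build_sample_spki(raw_key):
    """SPKI for an Ed25519 key (OID 1.3.101.112); raw_key is a constructed 32-byte placeholder."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2b6570")))
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + raw_key))


def build_sample_cert(spki):
    """A minimal, unsigned DER Certificate skeleton around spki (constructed; not a valid certificate)."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2b6570")))
    empty_name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, b"250101000000Z") * 2)
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg + empty_name + validity + empty_name + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" * 65))


if __name__ == "__main__":
    cert = build_sample_cert(build_sample_spki(bytes(range(32))))
    data = tlsa_association_data(cert, SEL_SPKI, MATCH_SHA256)
    print(tlsa_owner_name("mx.example.net"), "TLSA", USAGE_DANE_EE, SEL_SPKI, MATCH_SHA256, data.hex())
```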

## 2026-03-15

**Unlimited result paging in Investigations**

Investigations now support unlimited result paging in both the dashboard and the API, removing the previous 1,000-record cap. Security teams can page through complete result sets when searching across large mail volumes, giving SOC analysts and automated workflows deeper visibility for forensics and threat hunting.

In the dashboard, infinite paging is now supported in the Investigations view. The 1,000-record ceiling has been removed, so you can navigate through the full result set directly in the UI. The [Investigations API](https://developers.cloudflare.com/api/resources/email%5Fsecurity/subresources/investigate/methods/list) now returns up to 10,000 records per page (up from 1,000), with no cap on total result volume across pages.

For high-volume use cases, we recommend:

* **[Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/) to a SIEM** for full-fidelity datasets and long-term retention.
* **SOAR playbooks** against the async bulk action API for large-scale remediation. Bulk actions initiated from the dashboard remain capped at 1,000 messages per action.
* **The Investigations API** for report exports larger than 1,000 results, which is the dashboard download cap.

This applies to all Email Security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2026-02-02

**Improved Accessibility and Search for Monitoring**

We have updated the Monitoring page to provide a more streamlined and insightful experience for administrators, improving both data visualization and dashboard accessibility.

* **Enhanced Visual Layout**: Optimized contrast and the introduction of stacked bar charts for clearer data visualization and trend analysis. ![visual-example](https://developers.cloudflare.com/_astro/monitoring-bar-charts.Bi-4BuXC_xiAlF.webp)
* **Improved Accessibility & Usability**:  
   * **Widget Search**: Added search functionality to multiple widgets, including Policies, Submitters, and Impersonation.  
   * **Actionable UI**: All available actions are now accessible via dedicated buttons.  
   * **State Indicators**: Improved UI states to clearly communicate loading, empty datasets, and error conditions. ![buttons-example](https://developers.cloudflare.com/_astro/monitoring-buttons.DORPJvP__1JBNhu.webp)
* **Granular Data Breakdowns**: New views for dispositions by month, malicious email details, link actions, and impersonations. ![monthly-example](https://developers.cloudflare.com/_astro/monitoring-monthly-dispositions.CYuI5d9y_ZSVir3.webp)

This applies to all Email Security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2026-01-12

**Enhanced visibility for post-delivery actions**

The Action Log now provides enriched data for post-delivery actions to improve troubleshooting. In addition to success confirmations, failed actions now display the targeted Destination folder and a specific failure reason within the Activity field.

**Note:** Error messages will vary depending on whether you are using Google Workspace or Microsoft 365.

![failure-log-example](https://developers.cloudflare.com/_astro/enhanced-visibility-post-delivery-actions.BNiyPtJU_GFx2V.webp) 

This update allows you to see the full lifecycle of a failed action. For instance, if an administrator tries to move an email that has already been deleted or moved manually, the log will now show the multiple retry attempts and the specific destination error.

This applies to all Email Security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-12-03

**Reclassifications to Submissions**

We have updated the terminology “Reclassify” and “Reclassifications” to “Submit” and “Submissions” respectively. This update more accurately reflects the outcome of providing these items to Cloudflare.

Submissions are leveraged to tune future variants of campaigns. To respect data sanctity, providing a submission does not change the original disposition of the emails submitted.

![nav_example](https://developers.cloudflare.com/_astro/reclassification-submission.B6nL5Hw7_Z2qliyJ.webp) 

This applies to all Email Security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-11-18

**Adjustment to Final Disposition Column**

The **Final Disposition** column in the **Submissions** > **Team Submissions** tab is changing for non-PhishGuard customers.

#### What's Changing

* Column will be called **Status** instead of **Final Disposition**
* Column status values will now be: **Submitted**, **Accepted** or **Rejected**.

#### Next Steps

We will listen carefully to your feedback and continue to find comprehensive ways to communicate updates on your submissions. Your submissions will continue to be addressed at an even greater rate than before, fuelling faster and more accurate email security improvement.

## 2025-10-17

**On-Demand Security Report**

You can now generate on-demand security reports directly from the Cloudflare dashboard. This new feature provides a comprehensive overview of your email security posture, making it easier than ever to demonstrate the value of Cloudflare’s Email security to executives and other decision makers.

These reports offer several key benefits:

* **Executive Summary:** Quickly view the performance of Email security with a high-level executive summary.
* **Actionable Insights:** Dive deep into trend data, breakdowns of threat types, and analysis of top targets to identify and address vulnerabilities.
* **Configuration Transparency:** Gain a clear view of your policy, submission, and domain configurations to ensure optimal setup.
* **Account Takeover Risks:** Get a snapshot of your M365 risky users (requires a Microsoft Entra ID P2 license and [M365 SaaS integration ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/)).
![Report](https://developers.cloudflare.com/_astro/report.CbkPa8Jt_Z1xMpIx.webp) 

This feature is available across the following Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-09-23

**Invalid Submissions Feedback**

Email security relies on your submissions to continuously improve our detection models. However, we often receive submissions in formats that cannot be ingested, such as incomplete EMLs, screenshots, or text files.

To ensure all customer feedback is actionable, we have launched two new features to manage invalid submissions sent to our team and user [submission aliases](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/submission-addresses/):

* **Email Notifications:** We now automatically notify users by email when they provide an invalid submission, educating them on the correct format. To disable notifications, go to **[Settings ↗](https://one.dash.cloudflare.com/?to=/:account/email-security/settings)** > **Invalid submission emails** and turn the feature off.
![EmailSec-Invalid-Submissions-Toggle](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Toggle.DXjbR6aX_ZsxWGB.webp) 
* **Invalid Submission dashboard:** You can quickly identify which users need education to provide valid submissions so Cloudflare can provide continuous protection.
![EmailSec-Invalid-Submissions-Dashboard](https://developers.cloudflare.com/_astro/EmailSec-Invalid-Submissions-Dashboard.zuf1on2n_2gjnGS.webp) 

Learn more about this feature on [invalid submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/invalid-submissions/).

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-09-11

**Regional Email Processing for Germany, India, or Australia**

We’re excited to announce that Email security customers can now choose their preferred mail processing location directly from the UI when onboarding a domain. This feature is available for the following onboarding methods: **MX**, **BCC**, and **Journaling**.

#### What’s new

Customers can now select where their email is processed. The following regions are supported:

* **Germany**
* **India**
* **Australia**

Global processing remains the default option, giving you the flexibility to meet both compliance requirements and operational preferences.

#### How to use it

When onboarding a domain with MX, BCC, or Journaling:

1. Select the desired processing location (Germany, India, or Australia).
2. The UI will display updated processing addresses specific to that region.
3. For MX onboarding, if your domain is managed by Cloudflare, you can automatically update MX records directly from the UI.

#### Availability

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

#### What’s next

We’re expanding the list of processing locations to match our [Data Localization Suite (DLS)](https://developers.cloudflare.com/data-localization/) footprint, giving customers the broadest set of regional options in the market without the complexity of self-hosting.

## 2025-09-01

**Updated Email security roles**

To provide more granular controls, we refined the [existing roles](https://developers.cloudflare.com/cloudflare-one/roles-permissions/#email-security-roles) for Email security and launched a new Email security role as well.

Email security roles no longer have read or write access to any other Zero Trust product. This applies to all of the following roles:

* **Email Configuration Admin**
* **Email Integration Admin**
* **Email security Read Only**
* **Email security Analyst**
* **Email security Policy Admin**
* **Email security Reporting**

To configure [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/) or [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#set-up-clientless-web-isolation), you now need to be an admin for the Zero Trust dashboard with the **Cloudflare Zero Trust** role.

Based on customer feedback, we have also created a new additive role that lets an **Email security Analyst** create, edit, and delete Email security policies without being granted the **Email Configuration Admin** role. This role, **Email security Policy Admin**, can read all settings but only has write access to [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/).

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-08-07

**Expanded Email Link Isolation**

When you deploy MX or Inline, not only can you apply email link isolation to suspicious links in all emails (including benign), you can now also apply email link isolation to all links of a specified disposition. This provides more flexibility in controlling user actions within emails.

For example, you may want to deliver suspicious messages but isolate the links found within them so that users who choose to interact with the links will not accidentally expose your organization to threats. This means your end users are more secure than ever before.

![Expanded Email Link Isolation Configuration](https://developers.cloudflare.com/_astro/expanded-link-actions.DziIg6E8_1Sx0Ar.webp) 

To isolate all links within a message based on the disposition, select **Settings** \> **Link Actions** \> **View** and select **Configure**. As with other links you isolate, an interstitial will be provided to warn users that this site has been isolated, and the link will be recrawled live to evaluate whether there are any changes in our threat intel. Learn more about this feature on [Configure link actions ↗](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/).

This feature is available across these Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-05-15

  
**Open email attachments with Browser Isolation**   

You can now safely open email attachments to view and investigate them.

Messages now have an **Attachments** section. Here, you can view processed attachments and their classifications (for example, _Malicious_, _Suspicious_, _Encrypted_). Next to each attachment, a **Browser Isolation** icon allows your team to safely open the file in a **clientless, isolated browser** with no risk to the analyst or your environment.

![Attachment-RBI](https://developers.cloudflare.com/_astro/Attachment-RBI.U9Dp8dJO_265xjw.webp) 

To use this feature, you must:

* Turn on **Allow users to open a remote browser without the device client** in your Zero Trust settings.
* Have **Browser Isolation (BISO)** seats assigned.

For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).

Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact.

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-05-08

  
**Open email links with Browser Isolation**   

You can now safely open links in emails to view and investigate them.

![Open links with Browser Isolation](https://developers.cloudflare.com/_astro/investigate-links.pYbpGkt5_Z1DQRHU.webp) 

From **Investigation**, go to **View details**, and look for the **Links identified** section. Next to each link, the Cloudflare dashboard will display an **Open in Browser Isolation** icon which allows your team to safely open the link in a clientless, isolated browser with no risk to the analyst or your environment. Refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links) to learn more about this feature.

To use this feature, you must:

* Turn on **Allow users to open a remote browser without the device client** in your Zero Trust settings.
* Have **Browser Isolation (RBI)** seats assigned.

For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-04-01

  
**CASB and Email security**   

With Email security, you get two free CASB integrations.

Use one SaaS integration for Email security to sync with your directory of users, take actions on delivered emails, automatically provide EMLs for reclassification requests for clean emails, discover CASB findings and more.

With the other integration, you can have a separate SaaS integration for CASB findings for another SaaS provider.

Refer to [Add an integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) to learn more about this feature.

![CASB-EmailSecurity](https://developers.cloudflare.com/_astro/CASB-EmailSecurity.B1wd9be2_PR5LD.webp) 

This feature is available across these Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-03-01

  
**Use Logpush for Email security detections**   

You can now send detection logs to an endpoint of your choice with Cloudflare Logpush.

Filter logs matching specific criteria you have set and select from over 25 fields you want to send. When creating a new Logpush job, remember to select **Email security alerts** as the dataset.

![logpush-detections](https://developers.cloudflare.com/_astro/Logpush-Detections.Dc5tHta3_1PsIMk.webp) 

For more information, refer to [Enable detection logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/#enable-detection-logs).

This feature is available across these Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-02-27

  
**Check status of Email security or Area 1**   

Concerns about performance for Email security or Area 1? You can now check the operational status of both on the [Cloudflare Status page ↗](https://www.cloudflarestatus.com/).

For Email security, look under **Cloudflare Sites and Services**.

* **Dashboard** is the dashboard for Cloudflare, including Email security
* **Email security (Zero Trust)** is the processing of email
* **API** are the Cloudflare endpoints, including the ones for Email security

For Area 1, under **Cloudflare Sites and Services**:

* **Area 1 - Dash** is the dashboard for Cloudflare, including Email security
* **Email security (Area1)** is the processing of email
* **Area 1 - API** are the Area 1 endpoints

![Status-page](https://developers.cloudflare.com/_astro/Status-Page.DcFJ1286_2qTtkN.webp) 

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-02-25

  
**Use DLP Assist for M365**   

Cloudflare Email security customers who have Microsoft 365 environments can quickly deploy an Email DLP (Data Loss Prevention) solution for free.

Simply deploy our add-in, create a DLP policy in Cloudflare, and configure Outlook to trigger behaviors like displaying a banner, alerting end users before sending, or preventing delivery entirely.

Refer to [Outbound Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/email-security/outbound-dlp/) to learn more about this feature.

In GUI alert:

![DLP-Alert](https://developers.cloudflare.com/_astro/DLP-Alert.5s-fbKn3_1xfB14.webp) 

Alert before sending:

![DLP-Pop-up](https://developers.cloudflare.com/_astro/DLP-Pop-up.0gkYy7o5_ZgIo8K.webp) 

Prevent delivery:

![DLP-Blocked](https://developers.cloudflare.com/_astro/DLP-Blocked.CmQkGrnM_ZewJi3.webp) 

This feature is available across these Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2025-02-07

  
**Open email links with Security Center**   

You can now investigate links in emails with Cloudflare Security Center to generate a report containing a myriad of technical details: a phishing scan, SSL certificate data, HTTP request and response data, page performance data, DNS records, what technologies and libraries the page uses, and more.

![Open links in Security Center](https://developers.cloudflare.com/_astro/Open-Links-Security-Center.b-LJU4YB_2dBHq8.webp) 

From **Investigation**, go to **View details**, and look for the **Links identified** section. Select **Open in Security Center** next to each link. **Open in Security Center** allows your team to quickly generate a detailed report about the link with no risk to the analyst or your environment.

For more details, refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links).

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2024-12-19

  
**Escalate user submissions**   

After you triage your users' submissions (which are machine reviewed), you can now escalate them to our team for reclassification (which is human reviewed). User submissions from the submission alias, PhishNet, and our API can all be escalated.

![Escalate](https://developers.cloudflare.com/_astro/Escalate.CwXPIyM3_ZxuRN6.webp) 

From **Reclassifications**, go to **User submissions**. Select the three dots next to any of the user submissions, then select **Escalate** to create a team request for reclassification. The Cloudflare dashboard will then show you the submissions on the **Team Submissions** tab.

Refer to [User submissions](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/) to learn more about this feature.

This feature is available across these Email security packages:

* **Advantage**
* **Enterprise**
* **Enterprise + PhishGuard**

## 2024-12-19

  
**Increased transparency for phishing email submissions**   

You now have more transparency about team and user submissions for phishing emails through a **Reclassification** tab in the Zero Trust dashboard.

Reclassifications happen when users or admins [submit a phish](https://developers.cloudflare.com/cloudflare-one/email-security/settings/phish-submissions/) to Email security. Cloudflare reviews and - in some cases - reclassifies these emails based on improvements to our machine learning models.

This new tab increases your visibility into this process, allowing you to view what submissions you have made and what the outcomes of those submissions are.

![Use the Reclassification area to review submitted phishing emails](https://developers.cloudflare.com/_astro/reclassifications-tab.yDgtjG51_Z1TVbIE.webp) 

## 2024-11-07

  
**Use Logpush for Email security user actions**   

You can now send user action logs for Email security to an endpoint of your choice with Cloudflare Logpush.

Filter logs matching specific criteria you have set or select from multiple fields you want to send. For all users, we will log the date and time, user ID, IP address, details about the message they accessed, and what actions they took.

When creating a new Logpush job, remember to select **Audit logs** as the dataset and filter by:

* **Field**: `"ResourceType"`
* **Operator**: `"starts with"`
* **Value**: `"email_security"`

![Logpush-user-actions](https://developers.cloudflare.com/_astro/Logpush-User-Actions.D14fWgmq_CYM35.webp) 

For more information, refer to [Enable user action logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/email-security-logs/#enable-user-action-logs).

This feature is available across all Email security packages:

* **Enterprise**
* **Enterprise + PhishGuard**

## 2024-12-19

**Email security expanded folder scanning**

Microsoft 365 customers can now choose to scan all folders or just the inbox when deploying via the Graph API.

## 2024-08-06

**Email security is live**

Email security is now live under Zero Trust.

## 2024-08-06

**Microsoft Graph API deployment.**

Customers using Microsoft Office 365 can set up Email security via Microsoft Graph API.


---

---
title: Gateway
description: Review recent changes to Cloudflare Gateway.
image: https://developers.cloudflare.com/zt-preview.png
---

# Gateway

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/gateway.xml) 

## 2026-04-29

  
**Gateway Authorization Proxy and hosted PAC files are now generally available**   

The [Gateway Authorization Proxy](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and [hosted PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) are now generally available for all plan types.

Authorization proxy endpoints add an identity-aware option alongside the existing [source IP proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint), using [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) authentication to verify who a user is before applying Gateway filtering — without installing the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). Cloudflare-hosted PAC files let you create and distribute PAC files directly from Cloudflare One on Cloudflare's global network.

These features are ideal for environments where deploying a device client is not an option, such as virtual desktops (VDI) or compliance-restricted endpoints.

To get started, refer to the [proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/).

## 2026-04-24

  
**Network Session Logs now available for all on-ramps**   

[Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/) are now generated for all traffic proxied through Cloudflare Gateway, regardless of on-ramp type. This includes traffic from [proxy endpoints (PAC files)](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) egress — on-ramps that previously did not generate session logs.

Customers who already consume the `zero_trust_network_sessions` dataset via [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) or [Log Explorer](https://developers.cloudflare.com/log-explorer/) may see increased log volume if they use these on-ramps.

For field definitions, refer to [Zero Trust Network Session Logs](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/zero%5Ftrust%5Fnetwork%5Fsessions/). For traffic analysis, refer to [Network session analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/network-sessions/).

## 2026-04-20

  
**Network session analytics dashboard**   

The new [Network session analytics](https://developers.cloudflare.com/cloudflare-one/insights/analytics/network-sessions/) dashboard is now available in Cloudflare One. This dashboard provides visibility into your network traffic patterns, helping you understand how traffic flows through your Cloudflare One infrastructure.

![Cloudflare One Network Session Analytics](https://developers.cloudflare.com/_astro/cf1-network-session-analytics.Gl90hEcp_MuWRb.webp) 

#### What you can do with Network session analytics

* **Analyze geographic distribution**: View a world map showing where your network traffic originates, with a list of top locations by session count.
* **Monitor key metrics**: Track session count, total bytes transferred, and unique users.
* **Identify connection issues**: Analyze connection close reasons to troubleshoot network problems.
* **Review protocol usage**: See which network protocols (TCP, UDP, ICMP) are most used.

#### Dashboard features

* **Summary metrics**: Session count, bytes total, and unique users
* **Traffic by location**: World map visualization and location list with top traffic sources
* **Top protocols**: Breakdown of TCP, UDP, ICMP, and ICMPv6 traffic
* **Connection close reasons**: Insights into why sessions terminated (client closed, origin closed, timeouts, errors)

#### How to access

1. Log in to [Cloudflare One ↗](https://dash.cloudflare.com).
2. Go to **Zero Trust** \> **Insights** \> **Dashboards**.
3. Select **Network session analytics**.

For more information, refer to the [Network session analytics documentation](https://developers.cloudflare.com/cloudflare-one/insights/analytics/network-sessions/).

## 2026-04-14

  
**Configure how sensitive data appears in DLP payload logs**   

You can now configure how sensitive data matches are displayed in your DLP payload match logs — giving your incident response team the context they need to validate alerts without compromising your security posture.

To get started, go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select **Zero Trust** \> **Data loss prevention** \> **DLP settings** and find the **Payload log masking** card.

Previously, all DLP payload logs used a single masking mode that obscured matched data entirely and hid the original character count, making it difficult to distinguish true positives from false positives. This update introduces three options:

* **Full Mask (default):** Masks the match while preserving character count and visual formatting (for example, `***-**-****` for a Social Security Number). This is an improvement over the previous default, which did not preserve character count.
* **Partial Mask:** Reveals 25% of the matched content while masking the remainder (for example, `***-**-6789`).
* **Clear Text:** Stores the full, unmasked violation for deep investigation (for example, `123-45-6789`).

**Important:** The masking level you select is applied at detection time, before the payload is encrypted. This means the chosen format is what your team will see after decrypting the log with your private key — the existing encryption workflow is unchanged.

**Applies to all enabled detections:** When a masking level other than Full Mask is selected, it applies to all sensitive data matches found within a payload window — not just the match that triggered the policy. Any data matched by your enabled DLP detection entries will be masked at the selected level.
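The three masking levels, as an added Python example that is not Cloudflare's code: it masks every match of the enabled detections in a payload window while keeping separators, so an analyst can still read the shape of the match (and its character count) without seeing the value. The detection patterns are constructed stand-ins, and the number of trailing characters Partial Mask reveals (four, matching the page's `***-**-6789` example) is an assumption, since the page only states a 25% figure.

```python
import re
from dataclasses import dataclass
from enum import Enum

# Constructed detection entries standing in for enabled DLP profile entries
# (assumption: the page gives only the SSN example, not Cloudflare's real patterns).
DETECTIONS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b"),
}


class MaskLevel(Enum):
    FULL = "full"        # default: every character hidden, length and separators kept
    PARTIAL = "partial"  # trailing characters revealed, e.g. ***-**-6789
    CLEAR = "clear"      # stored unmasked for deep investigation


@dataclass
class Finding:
    detection: str
    start: int
    masked: str
    length: int  # character count of the original match; survives Full Mask


def mask_match(value: str, level: MaskLevel, reveal_last: int = 4) -> str:
    """Mask one matched value. Separators such as '-' or ' ' are left in place so
    the shape (***-**-****) tells the analyst what kind of data matched."""
    if level is MaskLevel.CLEAR:
        return value
    sensitive = [i for i, ch in enumerate(value) if ch.isalnum()]
    # Assumption: Partial Mask reveals the trailing sensitive characters; the
    # page's SSN example keeps the last four digits visible.
    keep = set(sensitive[-reveal_last:]) if level is MaskLevel.PARTIAL else set()
    return "".join(
        ch if (i in keep or not ch.isalnum()) else "*" for i, ch in enumerate(value)
    )


def mask_payload(payload: str, level: MaskLevel, detections=DETECTIONS):
    """Apply the selected level to every match of every enabled detection in the
    payload window, not only the match that triggered the policy. The masking
    happens here, before the log would be encrypted, so what a reviewer sees after
    decryption is exactly this output."""
    spans = []
    for name, pattern in detections.items():
        for m in pattern.finditer(payload):
            spans.append((m.start(), m.end(), name))
    spans.sort()
    out, findings, cursor = [], [], 0
    for start, end, name in spans:
        if start < cursor:  # overlaps a span already masked; skip it
            continue
        masked = mask_match(payload[start:end], level)
        out.append(payload[cursor:start])
        out.append(masked)
        findings.append(Finding(name, start, masked, end - start))
        cursor = end
    out.append(payload[cursor:])
    return "".join(out), findings


if __name__ == "__main__":
    # Constructed payload window containing two matches of different detections.
    sample = "SSN 123-45-6789, card 4111 1111 1111 1111 on file"
    for level in MaskLevel:
        text, found = mask_payload(sample, level)
        print(level.value, "->", text, [(f.detection, f.length) for f in found])
```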

For more information, refer to [DLP logging options](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).

## 2026-04-06

  
**Organizations is now in public beta for enterprises**   

We're announcing the public beta of **Organizations** for enterprise customers, a new top-level Cloudflare container that lets Cloudflare customers manage multiple accounts, members, analytics, and shared policies from one centralized location.

**What's New**

**Organizations \[BETA\]**: [Organizations](https://developers.cloudflare.com/fundamentals/organizations/) are a new top-level container for centrally managing multiple accounts. Each Organization supports up to 500 accounts and 5000 zones, giving larger teams a single place to administer resources at scale.

**Self-serve onboarding**: Enterprise customers can [create an Organization](https://developers.cloudflare.com/fundamentals/organizations/setup/) in the dashboard and assign accounts where they are already Super Administrators.

**Centralized Account Management**: At launch, every Organization member has the Organization Super Admin role. Organization Super Admins can invite other users and manage any child account under the Organization implicitly.

**Shared policies**: Share [WAF](https://developers.cloudflare.com/waf/custom-rules/) or [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/organizations/) policies across multiple accounts within your Organization to simplify centralized policy management.

**Implicit access**: Members of an Organization automatically receive Super Administrator permissions across child accounts, removing the need for explicit membership on each account. Additional Org-level roles will be available over the course of the year.

**Unified analytics**: View, filter, and download aggregate HTTP analytics across all Organization child accounts from a single dashboard for centralized visibility into traffic patterns and security events.

**Terraform provider support**: Manage Organizations with infrastructure as code from day one. Provision organizations, assign accounts, and configure settings programmatically with the [Cloudflare Terraform provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/organization).

Note

Organizations is in Public Beta. You must have an Enterprise account to create an organization, but once created, you can add accounts of any plan type where you are a Super Administrator.

For more info:

* [Get started with Organizations](https://developers.cloudflare.com/fundamentals/organizations/)
* [Set up your Organization](https://developers.cloudflare.com/fundamentals/organizations/setup/)
* [Review limitations](https://developers.cloudflare.com/fundamentals/organizations/limitations/)

## 2026-04-01

  
**Logs UI refresh**   

Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs.

![Screenshot of the new logs UI showing DNS query logs with customizable columns and filtering options](https://developers.cloudflare.com/_astro/cf1-new-logs-ui.DxF4x0l-_mRSyH.webp) 

The updated UI includes:

* **Filter by field** \- Select any field value to add it as a filter and narrow down your results.
* **Customizable fields** \- Choose which fields to display in the log table. Querying for fewer fields improves log loading performance.
* **View details** \- Select a timestamp to view the full details of a log entry.
* **Switch to classic view** \- Return to the previous log viewer interface if needed.

For more information, refer to [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/).

## 2026-03-24

  
**OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies**   

Cloudflare Gateway now supports [OIDC Claims](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims) as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types.

With this update, you can:

* Filter traffic in [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), and [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) firewall policies based on OIDC claim values.
* Apply custom [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route DNS queries to specific resolvers depending on a user's OIDC claims.
* Control [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) to assign dedicated egress IPs based on OIDC claim attributes.

For example, you can create a policy that routes traffic differently for users with `department=engineering` in their OIDC claims, or restrict access to certain destinations based on a user's role claim.

To get started, configure [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) on your identity provider and use the **OIDC Claims** selector in the Gateway policy builder.

For more information, refer to [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/).

## 2026-03-04

  
**Gateway Authorization Proxy and hosted PAC files (open beta)**   

The [Gateway Authorization Proxy](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and [PAC file hosting](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) are now in open beta for all plan types.

Previously, [proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint) relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) authentication, verifying who a user is before applying Gateway filtering without installing the WARP client.

This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.

#### Key capabilities

* **Identity-aware proxy traffic** — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write [identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) like "only the Finance team can access this accounting tool."
* **Multiple identity providers** — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.
* **Cloudflare-hosted PAC files** — Create and host [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at `https://pac.cloudflare-gateway.com/<account-id>/<slug>` on Cloudflare's global network.
* **Simplified billing** — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.

#### Get started

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Resolvers & Proxies** \> **Proxy endpoints**.
2. [Create an authorization proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and configure Access policies.
3. [Create a hosted PAC file](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) or write your own.
4. [Configure browsers](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#3b-configure-browser-to-use-pac-file) to use the PAC file URL.
5. [Install the Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) for HTTPS inspection.

For more details, refer to the [proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and the [announcement blog post ↗](https://blog.cloudflare.com/gateway-authorization-proxy-identity-aware-policies/).

## 2026-02-27

  
**New protocols added for Gateway Protocol Detection (Beta)**   

Gateway [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) now supports seven additional protocols in beta:

| Protocol     | Notes                                              |
| ------------ | -------------------------------------------------- |
| IMAP         | Internet Message Access Protocol — email retrieval |
| POP3         | Post Office Protocol v3 — email retrieval          |
| SMTP         | Simple Mail Transfer Protocol — email sending      |
| MYSQL        | MySQL database wire protocol                       |
| RSYNC-DAEMON | rsync daemon protocol                              |
| LDAP         | Lightweight Directory Access Protocol              |
| NTP          | Network Time Protocol                              |

These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the _Detected Protocol_ selector in [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to identify and filter traffic based on the application-layer protocol, without relying on port-based identification.

If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic.

For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/).

## 2025-12-17

  
**Shadow IT - domain level SaaS analytics**   

Zero Trust has again upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organization's use of SaaS tools. With this dashboard, you can review who is using an application and the volume of data transferred to the application.

With this update, you can review data transfer metrics at the domain level, rather than just the application level, providing more granular insight into your data transfer patterns.

![New Domain Level Metrics](https://developers.cloudflare.com/_astro/shadow-it-domain.DoZnGAtf_Z1mHw4r.webp) 

These metrics can be filtered by all available filters on the dashboard, including user, application, or content category.

Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control.

## 2025-11-06

  
**Applications to be remapped to the new categories**   

We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to [Changelog](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/#2025-10-28). While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026. This timeline allows you a dedicated period to:

* Review the new category structure.
* Identify any policies you have that target the older categories.
* Adjust your rules to reference the new, more precise categories before the old mappings change.

Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition.

**Applications being remapped**

| Application Name                | Existing Category | New Category                 |
| ------------------------------- | ----------------- | ---------------------------- |
| Google Photos                   | File Sharing      | Photography & Graphic Design |
| Flickr                          | File Sharing      | Photography & Graphic Design |
| ADP                             | Human Resources   | Business                     |
| Greenhouse                      | Human Resources   | Business                     |
| myCigna                         | Human Resources   | Health & Fitness             |
| UnitedHealthcare                | Human Resources   | Health & Fitness             |
| ZipRecruiter                    | Human Resources   | Business                     |
| Amazon Business                 | Human Resources   | Business                     |
| Jobcenter                       | Human Resources   | Business                     |
| Jobsuche                        | Human Resources   | Business                     |
| Zenjob                          | Human Resources   | Business                     |
| DocuSign                        | Legal             | Business                     |
| Postident                       | Legal             | Business                     |
| Adobe Creative Cloud            | Productivity      | Photography & Graphic Design |
| Airtable                        | Productivity      | Development                  |
| Autodesk Fusion360              | Productivity      | IT Management                |
| Coursera                        | Productivity      | Education                    |
| Microsoft Power BI              | Productivity      | Business                     |
| Tableau                         | Productivity      | Business                     |
| Duolingo                        | Productivity      | Education                    |
| Adobe Reader                    | Productivity      | Business                     |
| AnpiReport                      | Productivity      | Travel                       |
| ビズリーチ                           | Productivity      | Business                     |
| doda (デューダ)                     | Productivity      | Business                     |
| 求人ボックス                          | Productivity      | Business                     |
| マイナビ2026                        | Productivity      | Business                     |
| Power Apps                      | Productivity      | Business                     |
| RECRUIT AGENT                   | Productivity      | Business                     |
| シフトボード                          | Productivity      | Business                     |
| スタンバイ                           | Productivity      | Business                     |
| Doctolib                        | Productivity      | Health & Fitness             |
| Miro                            | Productivity      | Photography & Graphic Design |
| MyFitnessPal                    | Productivity      | Health & Fitness             |
| Sentry Mobile                   | Productivity      | Travel                       |
| Slido                           | Productivity      | Photography & Graphic Design |
| Arista Networks                 | Productivity      | IT Management                |
| Atlassian                       | Productivity      | Business                     |
| CoderPad                        | Productivity      | Business                     |
| eAgreements                     | Productivity      | Business                     |
| Vmware                          | Productivity      | IT Management                |
| Vmware Vcenter                  | Productivity      | IT Management                |
| AWS Skill Builder               | Productivity      | Education                    |
| Microsoft Office 365 (GCC)      | Productivity      | Business                     |
| Microsoft Exchange Online (GCC) | Productivity      | Business                     |
| Canva                           | Sales & Marketing | Photography & Graphic Design |
| Instacart                       | Shopping          | Food & Drink                 |
| Wawa                            | Shopping          | Food & Drink                 |
| McDonald's                      | Shopping          | Food & Drink                 |
| Vrbo                            | Shopping          | Travel                       |
| American Airlines               | Shopping          | Travel                       |
| Booking.com                     | Shopping          | Travel                       |
| Ticketmaster                    | Shopping          | Entertainment & Events       |
| Airbnb                          | Shopping          | Travel                       |
| DoorDash                        | Shopping          | Food & Drink                 |
| Expedia                         | Shopping          | Travel                       |
| EasyPark                        | Shopping          | Travel                       |
| UEFA Tickets                    | Shopping          | Entertainment & Events       |
| DHL Express                     | Shopping          | Business                     |
| UPS                             | Shopping          | Business                     |

For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/).
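
To see what the remapping does to an existing category-based rule before January 30, 2026, the following script, added here and not part of Cloudflare's documentation or tooling, takes a constructed subset of the table above and lists which applications a block-on-category policy will silently stop matching, which it will newly match, and which new categories would restore coverage. The policy model (a set of blocked category names) is a simplification of a Gateway HTTP rule that matches on application category, not the Gateway API schema; rules that match individual applications rather than categories are unaffected by the remap and are out of scope here.

```python
"""Impact review for the application-category remapping listed above.

Added example, not Cloudflare's code. REMAP is a subset of the table on this
page, constructed inline; the policy model (a set of blocked category names)
is a simplified stand-in for a Gateway HTTP rule that matches on application
category, not the Gateway API schema.
"""
from collections import defaultdict

# (application, existing category, new category) - subset of the page's table
REMAP = [
    ("Google Photos", "File Sharing", "Photography & Graphic Design"),
    ("ADP", "Human Resources", "Business"),
    ("myCigna", "Human Resources", "Health & Fitness"),
    ("DocuSign", "Legal", "Business"),
    ("Airtable", "Productivity", "Development"),
    ("Tableau", "Productivity", "Business"),
    ("Booking.com", "Shopping", "Travel"),
    ("DoorDash", "Shopping", "Food & Drink"),
    ("Ticketmaster", "Shopping", "Entertainment & Events"),
    ("UPS", "Shopping", "Business"),
]


def apps_leaving(blocked):
    """Apps a block-by-category policy matches today but will stop matching
    after remapping (they become allowed), keyed by their new category."""
    leaving = defaultdict(list)
    for app, old, new in REMAP:
        if old in blocked and new not in blocked:
            leaving[new].append(app)
    return dict(leaving)


def apps_arriving(blocked):
    """Apps not matched today that will start matching after remapping
    (collateral blocks), keyed by the category they leave."""
    arriving = defaultdict(list)
    for app, old, new in REMAP:
        if new in blocked and old not in blocked:
            arriving[old].append(app)
    return dict(arriving)


def review(blocked):
    """Summarise the change for one policy: what it silently stops blocking,
    what it newly blocks, and which new categories would restore coverage."""
    leaving = apps_leaving(blocked)
    return {
        "stops_blocking": leaving,
        "starts_blocking": apps_arriving(blocked),
        "categories_to_add": sorted(leaving),
    }


if __name__ == "__main__":
    import json
    # Constructed policy: block everything Gateway currently files under these.
    print(json.dumps(review({"Shopping", "Human Resources"}), indent=2))
```

Paste the full table from this page into `REMAP` and run `review()` once per category-based rule; anything under `stops_blocking` is traffic that becomes allowed on January 30, 2026 unless the listed categories are added to the rule, and anything under `starts_blocking` is traffic a rule on the new categories already catches today.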

## 2025-10-28

  
**New Application Categories added for HTTP Traffic Management**   

To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product.

We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications:

* Business
* Education
* Entertainment & Events
* Food & Drink
* Health & Fitness
* Lifestyle
* Navigation
* Photography & Graphic Design
* Travel

The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories.

The full remapping will be completed by January 30, 2026.

We encourage you to use this time to:

* Review the new category structure.
* Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition.

For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/).

## 2025-10-20

  
**Schedule DNS policies from the UI**   

Admins can now create [scheduled DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights.

* **Preset Schedules**: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more.
* **Custom Schedules**: Define your own schedule with specific days and up to three non-overlapping time ranges per day.
* **Timezone Control**: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user.
* **Combined with Duration**: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence.

You can see the flow in the demo GIF:

![Schedule DNS policies demo](https://developers.cloudflare.com/_astro/gateway-dns-scheduled-policies-ui.Cf4l1OTE_Z9szVM.webp) 

This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API.
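
As an added example (not Cloudflare's code), the following validates a schedule against the limits described above (at most three non-overlapping ranges per day) and evaluates whether a timed policy is active at a given instant, applying the two precedence rules from this entry: an expired duration wins over the schedule, and a schedule is evaluated in its own time zone if one is set and otherwise in the user's local zone. The JSON shape (`schedule` with weekday keys holding `HH:MM-HH:MM` ranges and an optional `time_zone`, and `expiration.expires_at`) is my recollection of the timed-policies API, so treat the field names as an assumption and check them against the linked documentation; the policies and timestamps are constructed.

```python
"""Validate and evaluate a scheduled DNS policy (added example, not Cloudflare code).

The schedule shape below (weekday keys holding "HH:MM-HH:MM" ranges and an
optional time_zone, plus expiration.expires_at) is assumed from the
timed-policies API; verify the field names against the linked docs.
"""
from datetime import datetime, time
from zoneinfo import ZoneInfo

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order
MAX_RANGES_PER_DAY = 3  # UI limit stated in this changelog entry


def parse_ranges(spec):
    """Turn '08:00-12:30,13:30-17:00' into sorted (start, end) time pairs,
    rejecting more than three ranges per day and any overlap between them."""
    ranges = []
    for chunk in spec.split(","):
        start_s, end_s = chunk.strip().split("-")
        start, end = time.fromisoformat(start_s), time.fromisoformat(end_s)
        if start >= end:
            raise ValueError(f"range {chunk!r} must start before it ends")
        ranges.append((start, end))
    if len(ranges) > MAX_RANGES_PER_DAY:
        raise ValueError(f"at most {MAX_RANGES_PER_DAY} ranges per day, got {len(ranges)}")
    ranges.sort()
    for (_, prev_end), (next_start, _) in zip(ranges, ranges[1:]):
        if next_start < prev_end:
            raise ValueError("time ranges overlap")
    return ranges


def validate_schedule(schedule):
    """Parse every weekday in the schedule; any key other than a weekday or time_zone is an error."""
    parsed = {}
    for key, value in schedule.items():
        if key == "time_zone":
            continue
        if key not in DAYS:
            raise ValueError(f"unknown schedule key {key!r}")
        parsed[key] = parse_ranges(value)
    return parsed


def utc(iso):
    """Parse an ISO-8601 timestamp that carries an explicit offset."""
    parsed = datetime.fromisoformat(iso)
    if parsed.tzinfo is None:
        raise ValueError("timestamp must include a UTC offset")
    return parsed


def is_active(policy, now, user_tz="UTC"):
    """Decide whether a timed policy applies at instant `now` (an aware datetime).

    Precedence as described in the changelog: an expired duration turns the
    policy off regardless of schedule; the schedule is evaluated in its own
    time_zone when set, otherwise in the user's local zone (user_tz).
    """
    expires_at = policy.get("expiration", {}).get("expires_at")
    if expires_at and now >= utc(expires_at):
        return False
    schedule = policy.get("schedule")
    if not schedule:
        return True  # no schedule: on until it expires
    local = now.astimezone(ZoneInfo(schedule.get("time_zone") or user_tz))
    todays = validate_schedule(schedule).get(DAYS[local.weekday()], [])
    return any(start <= local.time() < end for start, end in todays)


# Constructed policies used in the checks below.
BUSINESS_HOURS = {  # block Mon-Fri 09:00-17:00, pinned to US Eastern
    "schedule": {**{d: "09:00-17:00" for d in DAYS[:5]}, "time_zone": "America/New_York"},
}
LOCAL_MONDAYS = {"schedule": {"mon": "09:00-17:00"}}  # no time_zone: user's local time
EXPIRED = dict(BUSINESS_HOURS, expiration={"expires_at": "2025-10-19T00:00:00+00:00"})
```

The evaluation makes the two gotchas concrete: the same UTC instant is inside the window for a user in London and outside it for a user in Tokyo when no `time_zone` is pinned, and a policy whose duration has lapsed is off even in the middle of its scheduled window.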

## 2025-10-10

  
**New domain categories added**   

We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering.

**New categories added**

| Parent ID | Parent Name | Category ID | Category Name       |
| --------- | ----------- | ----------- | ------------------- |
| 26        | Technology  | 194         | Keep Awake Software |
| 26        | Technology  | 192         | Remote Access       |
| 26        | Technology  | 193         | Shareware/Freeware  |

Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more.

## 2025-09-30

  
**Application granular controls for operations in SaaS applications**   

Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies).

The new feature offers two methods of controlling SaaS applications:

* **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application.
* **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns with the SaaS providers' API specifications in naming and function.

Get started using [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls) and refer to the list of [supported applications](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/#compatible-applications).

## 2025-09-25

  
**Refine DLP Scans with New Body Phase Selector**   

You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows.

In the Gateway HTTP policy builder, you will find a new selector called _Body Phase_. This allows you to define the direction of traffic the DLP engine will inspect:

* _Request Body_: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts.
* _Response Body_: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data.

For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the **Body Phase** to _Request Body_, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself.

All policies without this selector will continue to scan both request and response bodies to ensure continued protection.

For more information, refer to [Gateway HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#body-phase).

## 2025-09-11

  
**DNS filtering for private network onramps**   

[Magic WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/#dns-filtering) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/#dns-filtering) users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet.

Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites).

To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](https://developers.cloudflare.com/dns/internal-dns/).

## 2025-08-27

  
**Shadow IT - SaaS analytics dashboard**   

Zero Trust has significantly upgraded its **Shadow IT analytics**, providing you with greater visibility into your organization's use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application.

You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including **Unreviewed**, **In Review**, **Approved**, and **Unapproved** designating how they can be used in your organization.

![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/shadow-it-analytics.BLNnG72w_Z1vDznE.webp) 

These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status.

Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control.

## 2025-08-21

  
**Gateway BYOIP Dedicated Egress IPs now available.**   

Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs.

Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic.

Get started by following the [BYOIP onboarding process](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** \> **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu.

![Screenshot of a dropdown menu adding a BYOIP IPv4 address as a dedicated egress IP in a Gateway egress policy](https://developers.cloudflare.com/_astro/Gateway-byoip-dedicated-egress-ips.D0pzLAbV_8yK6N.webp) 

For more information, refer to [BYOIP for dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip).

## 2025-07-28

  
**Scam domain category introduced under Security Threats**   

We have introduced a new Security Threat category called **Scam**. Relevant domains are marked with the Scam category. Scam typically refers to fraudulent websites and schemes designed to trick victims into giving away money or personal information.

**New category added**

| Parent ID | Parent Name      | Category ID | Category Name |
| --------- | ---------------- | ----------- | ------------- |
| 21        | Security Threats | 191         | Scam          |

Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more.

## 2025-07-24

  
**Gateway HTTP Filtering on all ports available in open BETA**   

[Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) can now apply [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [file sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#data-in-transit), and more.

You can turn this [setting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** \> **Network** \> **Firewall** and choosing _Inspect on all ports_.

![HTTP Inspection on all ports setting](https://developers.cloudflare.com/_astro/Gateway-Inspection-all-ports.CCmwX6D0_OoDoS.webp) 

To learn more, refer to [Inspect on all ports (Beta)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).

## 2025-07-22

  
**Google Bard Application replaced by Gemini**   

The **Google Bard** application (ID: 1198) has been deprecated and fully removed from the system. It has been replaced by the **Gemini** application (ID: 1340). Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. For more information about application policies, please see the [Cloudflare Gateway documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/).

## 2025-06-18

  
**Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025**   

[Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.

This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.

#### Updated order of enforcement

**Previous order:**

1. DNS policies
2. HTTP policies
3. Network policies

**New order:**

1. DNS policies
2. **Network policies**
3. **HTTP policies**

#### Action required: Review your Gateway HTTP policies

This change may affect block notifications. For example:

* You have an **HTTP policy** to block `example.com` and display a block page.
* You also have a **Network policy** to block `example.com` silently (no client notification).

With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.

To ensure users still receive a block notification, you can:

* Add a client notification to your Network policy, or
* Use only the HTTP policy for that domain.

---

#### Why we’re making this change

This update is based on user feedback and aims to:

* Create a more intuitive model by evaluating network-level policies before application-level policies.
* Minimize [526 connection errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection.

---

To learn more, visit the [Gateway order of enforcement documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/).
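
To find the policies this reorder affects, the following audit, an added example and not Cloudflare's code, models both orders over a constructed rule set: for each destination it finds the first block rule under the old and the new order, confirms the block decision is unchanged, and reports destinations where the user previously saw an HTTP block page but will now hit a silent Network block. The rule dicts are a simplified stand-in for Gateway policies (type, action, destination domain, and a `notify` flag covering block pages and client notifications), not the API schema.

```python
"""Audit for the Gateway enforcement-order change (added example, not Cloudflare code).

Rules are a simplified stand-in for Gateway policies, not the API schema:
type (dns/network/http), action, destination domain, and `notify` meaning the
user sees something (DNS/HTTP block page or Network client notification).
"""
OLD_ORDER = ("dns", "http", "network")
NEW_ORDER = ("dns", "network", "http")


def matches(rule, domain):
    """Exact or subdomain match on the rule's destination."""
    return domain == rule["domain"] or domain.endswith("." + rule["domain"])


def first_block(rules, domain, order):
    """First block rule that fires for `domain` when policy types are walked in
    `order`; within a type, rules keep their configured precedence (list order)."""
    for rule_type in order:
        for rule in rules:
            if rule["type"] == rule_type and rule["action"] == "block" and matches(rule, domain):
                return rule
    return None


def outcome(rules, domain, order):
    """(blocked, user_notified) for one request under the given order."""
    rule = first_block(rules, domain, order)
    return rule is not None, bool(rule and rule.get("notify"))


def shadowed_block_pages(rules, domains):
    """Destinations whose block decision is unchanged but whose notification is
    lost: a notifying rule fired first under the old order, a silent one fires
    first under the new order. Returns (domain, old_rule_name, new_rule_name)."""
    findings = []
    for domain in domains:
        old_blocked, old_notify = outcome(rules, domain, OLD_ORDER)
        new_blocked, new_notify = outcome(rules, domain, NEW_ORDER)
        assert old_blocked == new_blocked, "reorder must not change what is filtered"
        if old_notify and not new_notify:
            findings.append((domain,
                             first_block(rules, domain, OLD_ORDER)["name"],
                             first_block(rules, domain, NEW_ORDER)["name"]))
    return findings


def with_notification(rules, rule_name):
    """Copy of `rules` with the named rule set to notify the client: the
    changelog's first remediation for a silent Network block."""
    return [dict(r, notify=True) if r["name"] == rule_name else dict(r) for r in rules]


# Constructed rule set mirroring the changelog's example plus two controls.
RULES = [
    {"name": "HTTP: block example.com with block page", "type": "http",
     "action": "block", "domain": "example.com", "notify": True},
    {"name": "Network: block example.com silently", "type": "network",
     "action": "block", "domain": "example.com", "notify": False},
    {"name": "HTTP: block gambling.test with block page", "type": "http",
     "action": "block", "domain": "gambling.test", "notify": True},
    {"name": "Network: block gambling.test with client notification", "type": "network",
     "action": "block", "domain": "gambling.test", "notify": True},
    {"name": "Network: block ssh.internal.test silently", "type": "network",
     "action": "block", "domain": "ssh.internal.test", "notify": False},
]
DOMAINS = ["example.com", "www.example.com", "gambling.test", "ssh.internal.test", "allowed.test"]

if __name__ == "__main__":
    for domain, old, new in shadowed_block_pages(RULES, DOMAINS):
        print(f"{domain}: block page from {old!r} is now hidden by {new!r}")
```

Run it against an export of your own rules by mapping each Gateway policy's type, action, destination and notification setting onto these fields. `with_notification` applies the first remediation above (add a client notification to the Network policy); the second (use only the HTTP policy for that domain) is simply removing the Network rule from the list.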

## 2025-05-29

  
**New Gateway Analytics in the Cloudflare One Dashboard**   

Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources.

You can now visualize and explore:

* Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity.
* Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation.
* Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture.
* Geographic Regions: Gain insight into the global distribution of your traffic.

![Gateway Analytics](https://developers.cloudflare.com/_astro/gateway-analytics.BdSwbIBb_1WTkQL.webp) 

To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and go to Analytics in the side navigation bar.

## 2025-05-27

  
**Gateway Protocol Detection Now Available for Pay-as-you-go and Free Plans**   

All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans.

With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier.

This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/).

## 2025-05-14

  
**Domain Categories improvements**   

**New categories added**

| Parent ID | Parent Name           | Category ID | Category Name                 |
| --------- | --------------------- | ----------- | ----------------------------- |
| 1         | Ads                   | 66          | Advertisements                |
| 3         | Business & Economy    | 185         | Personal Finance              |
| 3         | Business & Economy    | 186         | Brokerage & Investing         |
| 21        | Security Threats      | 187         | Compromised Domain            |
| 21        | Security Threats      | 188         | Potentially Unwanted Software |
| 6         | Education             | 189         | Reference                     |
| 9         | Government & Politics | 190         | Charity and Non-profit        |

**Changes to existing categories**

| Original Name | New Name                |
| ------------- | ----------------------- |
| Religion      | Religion & Spirituality |
| Government    | Government/Legal        |
| Redirect      | URL Alias/Redirect      |

Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more.

## 2025-05-13

  
**New Applications Added for DNS Filtering**   

You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic.

With this update, you can:

* Create DNS policies for a wider range of applications
* Manage outbound traffic more effectively
* Improve your organization's security and compliance posture

For more information on creating DNS policies, see our [DNS policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/).

## 2025-04-28

  
**FQDN Filtering For Gateway Egress Policies**   

Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FQDN) within Gateway Egress policies.

* Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
* During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.
  * For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#limitations).

![Egress by FQDN and Hostname](https://developers.cloudflare.com/_astro/Gateway-Egress-FQDN-Policy-preview.Civon5p8_Z2hcuQE.webp) 

This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path.

## 2025-04-11

  
**HTTP redirect and custom block page redirect**   

You can now use more flexible redirect capabilities in Cloudflare One with Gateway.

* A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
* For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.

Learn more in our documentation for [HTTP Redirect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page).

## 2025-03-21

  
**Secure DNS Locations Management User Role**   

We're excited to introduce the [**Cloudflare Zero Trust Secure DNS Locations Write role**](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations), designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions.

Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions.

**Secure DNS Location Requirements:**

* Mandate usage of [Bring your own DNS resolver IP addresses ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) if available on the account.
* Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint.

You can assign the new role via Cloudflare Dashboard (`Manage Accounts > Members`) or via API. For more information, refer to the [Secure DNS Locations documentation ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations).

## 2025-02-12

**Upload/Download File Size selectors for HTTP policies**

Gateway and DLP users can now create HTTP policies with the [Download and Upload File Size (MiB)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-size) traffic selectors. This update allows users to block uploads or downloads based on file size.

## 2025-02-03

**Block files that are password-protected, compressed, or otherwise unscannable**

Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.

These unscannable files are now matched with the [Download and Upload File Types traffic selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies:

* Password-protected Microsoft Office document
* Password-protected PDF
* Password-protected ZIP archive
* Unscannable ZIP archive

To get started inspecting and modifying behavior based on these and other rules, refer to [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/).

## 2025-02-02

**The default global Cloudflare root certificate expired on 2025-02-02 at 16:05 UTC**

If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. Refer to [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#browser-and-certificate-issues) for instructions and troubleshooting steps.

## 2025-01-08

**Bring your own resolver IP (BYOIP) for DNS locations**

Enterprise users can now [provide an IP address](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) for a private DNS resolver to use with [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/). Gateway supports bringing your own IPv4 and IPv6 addresses.

## 2024-11-20

**Category filtering in the network policy builder**

Gateway users can now create network policies with the [Content Categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#content-categories) and [Security Risks](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#security-risks) traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management.

## 2024-10-17

**Per-account Cloudflare root certificate**

Gateway users can now generate [unique root CAs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) for their Zero Trust account. Both generated certificate and custom certificate users must [activate a root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/#activate-a-root-certificate) to use it for inspection. Per-account certificates replace the default Cloudflare certificate, which is set to expire on 2025-02-02.

## 2024-10-10

**Time-based policy duration**

Gateway now offers [time-based DNS policy duration](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/timed-policies/#time-based-policy-duration). With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off.

## 2024-10-04

**Expanded Gateway log fields**

Gateway now offers new fields in [activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) for DNS, network, and HTTP policies to provide greater insight into your users' traffic routed through Gateway.

## 2024-09-30

**File sandboxing**

Gateway users on Enterprise plans can create HTTP policies with [file sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) to quarantine previously unseen files downloaded by your users and scan them for malware.

## 2024-07-30

**UK NCSC indicator feed publicly available in Gateway**

Gateway users on any plan can now use the [PDNS threat intelligence feed](https://developers.cloudflare.com/security-center/indicator-feeds/#publicly-available-feeds) provided by the UK National Cyber Security Centre (NCSC) in DNS policies.

## 2024-07-14

**Gateway DNS filter non-authenticated queries**

Gateway users can now select which endpoints to use for a given DNS location. Available endpoints include IPv4, IPv6, DNS over HTTPS (DoH), and DNS over TLS (DoT). Users can protect each configured endpoint by specifying allowed source networks. Additionally, for the DoH endpoint, users can filter traffic based on source networks and/or authenticate user identity tokens.

## 2024-06-25

**Gateway DNS policy setting to ignore CNAME category matches**

Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the [**Ignore CNAME domain categories** setting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories) in the policy builder and the [`ignore_cname_category_matches` setting](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/rules/methods/create/) in the API.

## 2024-04-05

**Gateway file type control improvements**

Gateway now offers a more extensive, categorized [list of files](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) to control uploads and downloads.


---

---
title: Risk score
description: Review recent changes to Cloudflare Zero Trust user risk scoring.
image: https://developers.cloudflare.com/zt-preview.png
---


# Risk score


## 2026-04-08

  
**User risk scoring for high risk browsing activity**

Cloudflare One's **User Risk Scoring** now incorporates direct signals from **Gateway DNS traffic patterns**. This update allows security teams to automatically elevate a user's risk score when they visit high-risk or malicious domains, providing a more holistic view of internal threats.

#### Why this matters

Browsing activity is a primary indicator of potential compromise. By tying Gateway DNS logs to specific users, administrators can now flag individuals interacting with:

* **Security threats**: Domains associated with malware, phishing, or command-and-control (C2) centers.
* **High-risk content**: Categories such as questionable content or violence that may violate corporate compliance.

Even if a Gateway policy is set to **Block** the traffic, the interaction is still captured as a "hit" to ensure the user's risk profile reflects the attempted activity.

#### New risk behaviors

Two new behaviors are now available in the dashboard:

* **Suspicious Security Domain Visited**: Triggers when a user visits a domain in the security threats or security risk categories.
* **High risk domain visited**: Triggers when a user visits domains categorized as questionable content, violence, or CIPA.

To learn more and get started, refer to the [User Risk Scoring documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/).
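As an added illustration (not Cloudflare's scoring engine and not code from this page), the two behaviors above replayed over a few constructed Gateway DNS log records in Python. The record field names `user_email`, `categories` and `action`, and the category labels, are assumptions for the example; check them against the fields in your own exported logs before reusing it. The point it makes concrete is that the `action` field is never consulted, so a blocked lookup still counts as a hit against the user.

```python
"""Replay Gateway DNS log records against the two user-risk behaviors.

Added illustration only; this is not Cloudflare's implementation. Field names
and category labels below are assumptions for the example.
"""
from collections import defaultdict

# Assumed category labels (lower-cased for matching).
SECURITY_CATEGORIES = {"security threats", "security risks"}
HIGH_RISK_CATEGORIES = {"questionable content", "violence", "cipa"}

BEHAVIOUR_SECURITY = "Suspicious Security Domain Visited"
BEHAVIOUR_HIGH_RISK = "High risk domain visited"

# Constructed sample records; not real Gateway log output.
SAMPLE_LOGS = [
    {"user_email": "alice@example.com", "query": "update-check.example.net",
     "categories": ["Security Threats", "Malware"], "action": "block"},
    {"user_email": "alice@example.com", "query": "news.example.org",
     "categories": ["News"], "action": "allow"},
    {"user_email": "bob@example.com", "query": "gore.example.com",
     "categories": ["Violence"], "action": "allow"},
    {"user_email": "carol@example.com", "query": "intranet.example.com",
     "categories": [], "action": "allow"},
]


def behaviours_for(record):
    """Return the set of risk behaviors a single DNS log record triggers.

    The record's action is deliberately ignored: a blocked request is still
    an attempted visit and counts as a hit.
    """
    cats = {c.lower() for c in record.get("categories", [])}
    hits = set()
    if cats & SECURITY_CATEGORIES:
        hits.add(BEHAVIOUR_SECURITY)
    if cats & HIGH_RISK_CATEGORIES:
        hits.add(BEHAVIOUR_HIGH_RISK)
    return hits


def evaluate(records):
    """Aggregate triggered behaviors per user: {email: {behavior: hit_count}}.

    Users with no hits are omitted so the result lists only users whose risk
    profile would change.
    """
    per_user = defaultdict(lambda: defaultdict(int))
    for rec in records:
        for behaviour in behaviours_for(rec):
            per_user[rec["user_email"]][behaviour] += 1
    return {user: dict(hits) for user, hits in per_user.items()}


if __name__ == "__main__":
    for user, hits in evaluate(SAMPLE_LOGS).items():
        print(user, hits)
```

Alice's blocked lookup of a security-threat domain still produces a hit, which is the behavior to expect when reconciling risk-score changes against Gateway logs during an investigation.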

## 2026-01-15

  
**Support for CrowdStrike device scores in User Risk Scoring**

Cloudflare One has expanded its [User Risk Scoring](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/) capabilities by introducing two new behaviors for organizations using the [CrowdStrike integration](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/crowdstrike/).

Administrators can now automatically escalate the risk score of a user if their device matches specific CrowdStrike Zero Trust Assessment (ZTA) score ranges. This allows for more granular security policies that respond dynamically to the health of the endpoint.

#### New risk behaviors

The following risk scoring behaviors are now available:

* **CrowdStrike low device score**: Automatically increases a user's risk score when the connected device reports a "Low" score from CrowdStrike.
* **CrowdStrike medium device score**: Automatically increases a user's risk score when the connected device reports a "Medium" score from CrowdStrike.

These scores are derived from [CrowdStrike device posture attributes](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes), including OS signals and sensor configurations.

## 2024-06-17

  
**Exchange user risk scores with Okta**

Beyond the controls in [Zero Trust](https://developers.cloudflare.com/cloudflare-one/), you can now [exchange user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#send-risk-score-to-okta) with Okta to inform SSO-level policies.

First, configure Cloudflare One to send user risk scores to Okta.

1. Set up the [Okta SSO integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/).
2. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
3. In **Your identity providers**, locate your Okta integration and select **Edit**.
4. Turn on **Send risk score to Okta**.
5. Select **Save**.
6. Upon saving, Cloudflare One will display the well-known URL for your organization. Copy the value.

Next, configure Okta to receive your risk scores.

1. On your Okta admin dashboard, go to **Security** \> **Device Integrations**.
2. Go to **Receive shared signals**, then select **Create stream**.
3. Name your integration. In **Set up integration with**, choose _Well-known URL_.
4. In **Well-known URL**, enter the well-known URL value provided by Cloudflare One.
5. Select **Create**.

## 2024-06-14

**SentinelOne signal ingestion**

You can now configure a [predefined risk behavior](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#predefined-risk-behaviors) to evaluate user risk score using device posture attributes from the [SentinelOne integration](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/sentinelone/).


---

---
title: Cloudflare Tunnel
description: Review recent changes to Cloudflare Tunnel.
image: https://developers.cloudflare.com/zt-preview.png
---


# Cloudflare Tunnel


## 2026-03-20

  
**Stream logs from multiple replicas of Cloudflare Tunnel simultaneously**

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) of that tunnel and supports streaming logs from multiple replicas at once.

![View replicas and stream logs from multiple connectors](https://developers.cloudflare.com/_astro/tunnel-multiconn.DEOEaLlu_ZDxArh.webp) 

Previously, you could only stream logs from one replica at a time. With this update:

* **Replicas on the tunnel overview** — All active replicas for the selected tunnel now appear on that tunnel's overview page under **Connectors**. Select any replica to stream its logs.
* **Multi-connector log streaming** — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. Select **View logs** next to the tunnel you want to monitor.

For more information, refer to [Tunnel log streams](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) and [Deploy replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/).

## 2026-03-19

  
**Manage Cloudflare Tunnels with Wrangler**

You can now manage [Cloudflare Tunnels](https://developers.cloudflare.com/tunnel/) directly from [Wrangler](https://developers.cloudflare.com/workers/wrangler/), the CLI for the Cloudflare Developer Platform. The new [wrangler tunnel](https://developers.cloudflare.com/workers/wrangler/commands/tunnel/) commands let you create, run, and manage tunnels without leaving your terminal.

![Wrangler tunnel commands demo](https://developers.cloudflare.com/_astro/wrangler-tunnel.DOqrtGGg_7EDX0.webp) 

Available commands:

* `wrangler tunnel create` — Create a new remotely managed tunnel.
* `wrangler tunnel list` — List all tunnels in your account.
* `wrangler tunnel info` — Display details about a specific tunnel.
* `wrangler tunnel delete` — Delete a tunnel.
* `wrangler tunnel run` — Run a tunnel using the cloudflared daemon.
* `wrangler tunnel quick-start` — Start a free, temporary tunnel without an account using [Quick Tunnels](https://developers.cloudflare.com/tunnel/setup/#quick-tunnels-development).

Wrangler handles downloading and managing the [cloudflared](https://developers.cloudflare.com/tunnel/downloads/) binary automatically. On first use, you will be prompted to download `cloudflared` to a local cache directory.

These commands are currently experimental and may change without notice.

To get started, refer to the [Wrangler tunnel commands documentation](https://developers.cloudflare.com/workers/wrangler/commands/tunnel/).

## 2026-02-20

  
**Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard**

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) is now available in the main Cloudflare Dashboard at [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels), bringing first-class Tunnel management to developers using Tunnel for securing origin servers.

![Manage Tunnels in the Core Dashboard](https://developers.cloudflare.com/_astro/tunnel-core-dashboard.BGPqaHfo_Pi6HO.webp) 

This new experience provides everything you need to manage Tunnels for [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), including:

* **Full Tunnel lifecycle management**: Create, configure, delete, and monitor all your Tunnels in one place.
* **Native integrations**: View Tunnels by name when configuring [DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) and [Workers VPC](https://developers.cloudflare.com/workers-vpc/) — no more copy-pasting UUIDs.
* **Real-time visibility**: Monitor [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) and Tunnel [health status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#tunnel-status) directly in the dashboard.
* **Routing map**: Manage all ingress routes for your Tunnel, including [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), [private hostnames](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/), [private CIDRs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/), and [Workers VPC services](https://developers.cloudflare.com/workers-vpc/), from a single interactive interface.

#### Choose the right dashboard for your use case

**Core Dashboard**: Navigate to [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels) to manage Tunnels for:

* Securing origin servers and [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) with CDN, WAF, Load Balancing, and DDoS protection
* Connecting [Workers to private services](https://developers.cloudflare.com/workers-vpc/) via Workers VPC

**Cloudflare One Dashboard**: Navigate to [Zero Trust > Networks > Connectors ↗](https://one.dash.cloudflare.com/?to=/:account/networks/connectors) to manage Tunnels for:

* Securing your public applications with [Zero Trust access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/)
* Connecting users to [private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/)
* Building a [private mesh network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks)

Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow.

#### Get started

New to Tunnel? Learn how to [get started with Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or explore advanced use cases like [securing SSH servers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/) or [running Tunnels in Kubernetes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes/).

## 2026-01-15

  
**Verify WARP Connector connectivity with a simple ping**

We have made it easier to validate connectivity when deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) as part of your [software-defined private network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks).

You can now `ping` the WARP Connector host directly on its LAN IP address immediately after installation. This provides a fast, familiar way to confirm that the Connector is online and reachable within your network before testing access to downstream services.

Starting with [version 2025.10.186.0](https://developers.cloudflare.com/changelog/2026-01-13-warp-linux-ga/), WARP Connector responds to traffic addressed to its own LAN IP, giving you immediate visibility into Connector reachability.

Learn more about deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) and building private network connectivity with [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

## 2025-11-11

  
**cloudflared proxy-dns command will be removed starting February 2, 2026**

Starting February 2, 2026, the `cloudflared proxy-dns` command will be removed from all new `cloudflared` [releases](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/).

This change is being made to enhance security and address a potential vulnerability in an underlying DNS library. This vulnerability is specific to the `proxy-dns` command and does not affect any other `cloudflared` features, such as the core [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) service.

The `proxy-dns` command, which runs a client-side [DNS-over-HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) proxy, has been an officially undocumented feature for several years. This functionality is fully and securely supported by our actively developed products.

Versions of `cloudflared` released before this date will not be affected and will continue to operate. However, note that our [official support policy](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#deprecated-releases) for any `cloudflared` release is one year from its release date.

#### Migration paths

We strongly advise users of this undocumented feature to migrate to one of the following officially supported solutions before February 2, 2026, to continue benefiting from secure [DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/).

#### End-user devices

The preferred method for enabling DNS-over-HTTPS on user devices is the [Cloudflare WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). The WARP client automatically secures and proxies all DNS traffic from your device, integrating it with your organization's [Zero Trust policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and [posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).

#### Servers, routers, and IoT devices

For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/).

Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) to Cloudflare for [filtering and logging](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).

## 2025-09-18

  
**Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel**

You can now route private traffic to [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is **free for all Cloudflare One customers**.

Previously, Tunnel routes could only be defined by IP address or [CIDR range](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists.

![Hostname-based routing in Cloudflare Tunnel](https://developers.cloudflare.com/_astro/tunnel-hostname-routing.DSi8MP_7_Z1E6Ym4.webp) 

**What’s new:**

* **Hostname & Domain Routing**: Create routes for individual hostnames (e.g., `payroll.acme.local`) or entire domains (e.g., `*.acme.local`) and direct their traffic to a specific Tunnel.
* **Simplified Zero Trust Policies**: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications.
* **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services.
* **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete.

Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route.

Learn more in our [blog post ↗](https://blog.cloudflare.com/tunnel-hostname-routing/).

## 2025-09-02

  
**Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025**

Starting **December 1, 2025**, list endpoints for the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified.

No action is required if you already explicitly set `is_deleted=false` or if you only need to list active resources.

This change affects the following API endpoints:

* List all tunnels: [`GET /accounts/{account_id}/tunnels`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/methods/list/)
* List [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/): [`GET /accounts/{account_id}/cfd_tunnel`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/methods/list/)
* List [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) tunnels: [`GET /accounts/{account_id}/warp_connector`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/warp%5Fconnector/methods/list/)
* List tunnel routes: [`GET /accounts/{account_id}/teamnet/routes`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/list/)
* List subnets: [`GET /accounts/{account_id}/zerotrust/subnets`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/subnets/methods/list/)
* List virtual networks: [`GET /accounts/{account_id}/teamnet/virtual_networks`](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/virtual%5Fnetworks/methods/list/)

#### What is changing?

The default behavior of the `is_deleted` query parameter will be updated.

| Scenario | Previous behavior (before December 1, 2025) | New behavior (from December 1, 2025) |
| --- | --- | --- |
| `is_deleted` parameter is omitted | Returns **active & deleted** tunnels, routes, subnets and virtual networks | Returns **only active** tunnels, routes, subnets and virtual networks |

#### Action required

If you need to retrieve deleted (or all) resources, please update your API calls to explicitly include the `is_deleted` parameter before **December 1, 2025**.

To get a list of only deleted resources, you must now explicitly add the `is_deleted=true` query parameter to your request:

```sh
# Example: Get ONLY deleted Tunnels
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"

# Example: Get ONLY deleted Virtual Networks
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"
```

Following this change, retrieving a complete list of both active and deleted resources will require two separate API calls: one to get active items (by omitting the parameter or using `is_deleted=false`) and one to get deleted items (`is_deleted=true`).
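An added Python example (not Cloudflare's client library and not code from this page) that builds the list requests above with `is_deleted` always set explicitly, so a script behaves the same on either side of the December 1 default change, and makes the two calls needed for a complete inventory. The `fetch` transport is injected so the example runs offline against a constructed stub that mimics the new active-only default; `http_fetch` is the real transport. The `deleted_at` field and the stub inventory are assumptions for the example.

```python
"""List Tunnel and Networks resources with an explicit is_deleted parameter.

Added example, not Cloudflare's client library. Endpoint paths are the ones
listed in the changelog entry; the stub data and the `deleted_at` field are
assumptions for the offline demonstration.
"""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

API_BASE = "https://api.cloudflare.com/client/v4"

# List endpoints affected by the default change, keyed by a short name.
LIST_PATHS = {
    "tunnels": "/accounts/{account_id}/tunnels",
    "cfd_tunnel": "/accounts/{account_id}/cfd_tunnel",
    "warp_connector": "/accounts/{account_id}/warp_connector",
    "routes": "/accounts/{account_id}/teamnet/routes",
    "subnets": "/accounts/{account_id}/zerotrust/subnets",
    "virtual_networks": "/accounts/{account_id}/teamnet/virtual_networks",
}


def list_url(account_id, kind, is_deleted):
    """Build the list URL with is_deleted set explicitly.

    Never omitting the parameter means the result does not depend on which
    default the API applies on a given date.
    """
    path = LIST_PATHS[kind].format(account_id=account_id)
    query = urlencode({"is_deleted": "true" if is_deleted else "false"})
    return f"{API_BASE}{path}?{query}"


def list_resources(fetch, account_id, kind, include_deleted=False):
    """Return active resources, plus deleted ones when requested.

    `fetch(url) -> dict` is the transport (real HTTP client or a stub) and
    must return the decoded JSON envelope with a `result` list. A complete
    inventory needs two calls because one call can no longer return both.
    """
    active = fetch(list_url(account_id, kind, False))["result"]
    if not include_deleted:
        return active
    deleted = fetch(list_url(account_id, kind, True))["result"]
    return active + deleted


def http_fetch_factory(api_token):
    """Real transport: GET with a Bearer token. Not exercised offline."""
    def http_fetch(url):
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {api_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return http_fetch


# --- Constructed stub mimicking the post-change API (not real data) ---
STUB_INVENTORY = {
    "virtual_networks": [
        {"id": "vn-1", "name": "prod", "deleted_at": None},
        {"id": "vn-2", "name": "old-staging", "deleted_at": "2025-06-01T00:00:00Z"},
    ],
}


def stub_fetch(url):
    """Answer like the API after December 1, 2025: active only unless asked."""
    parsed = urlparse(url)
    want_deleted = parse_qs(parsed.query).get("is_deleted", ["false"])[0] == "true"
    kind = parsed.path.rsplit("/", 1)[-1]
    items = STUB_INVENTORY.get(kind, [])
    result = [i for i in items if (i["deleted_at"] is not None) == want_deleted]
    return {"success": True, "errors": [], "result": result}


if __name__ == "__main__":
    print(list_resources(stub_fetch, "abc", "virtual_networks", include_deleted=True))
```

Pass `http_fetch_factory(token)` in place of `stub_fetch` for a live account. Keeping the two lists separate until the final concatenation also makes it easy to act only on active resources, which is the accidental-operation problem the default change is meant to prevent.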

#### Why we’re making this change

This update is based on user feedback and aims to:

* **Create a more intuitive default:** Aligning with common API design principles where list operations return only active resources by default.
* **Reduce unexpected results:** Prevents users from accidentally operating on deleted resources that were returned unexpectedly.
* **Improve performance:** For most users, the default query result will now be smaller and more relevant.

To learn more, please visit the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) documentation.

## 2025-07-15

  
**Faster, more reliable UDP traffic for Cloudflare Tunnel**

Your real-time applications running over [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) are now faster and more reliable. We've completely re-architected the way `cloudflared` proxies UDP traffic in order to isolate it from other traffic, ensuring latency-sensitive applications like private DNS are no longer slowed down by heavy TCP traffic (like file transfers) on the same Tunnel.

This is a foundational improvement to Cloudflare Tunnel, delivered automatically to all customers. There are no settings to configure — your UDP traffic is already flowing faster and more reliably.

**What’s new:**

* **Faster UDP performance**: We've significantly reduced the latency for establishing new UDP sessions, making applications like private DNS much more responsive.
* **Greater reliability for mixed traffic**: UDP packets are no longer affected by heavy TCP traffic, preventing timeouts and connection drops for your real-time services.

Learn more about running [TCP or UDP applications](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-applications) and [private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) through [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).

## 2024-12-19

  
**Troubleshoot tunnels with diagnostic logs**

The latest `cloudflared` build [2024.12.2 ↗](https://github.com/cloudflare/cloudflared/releases/tag/2024.12.2) introduces the ability to collect all the diagnostic logs needed to troubleshoot a `cloudflared` instance.

A diagnostic report collects data from a single instance of `cloudflared` running on the local machine and outputs it to a `cloudflared-diag` file.

For more information, refer to [Diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/).

## 2024-10-17

**Simplified WARP Connector deployment**

You can now deploy WARP Connector using a simplified, guided workflow similar to `cloudflared` connectors. For detailed instructions, refer to the [WARP Connector documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/).

## 2024-10-10

**Bugfix for --grace-period**

The new `cloudflared` build [2024.10.0 ↗](https://github.com/cloudflare/cloudflared/releases/tag/2024.10.0) has a bugfix related to the [`--grace-period`](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#grace-period) tunnel run parameter. `cloudflared` connectors will now abide by the specified waiting period before forcefully closing connections to Cloudflare's network.

## 2024-08-06

**cloudflared builds available in GitHub for Apple silicon**

macOS users can now download `cloudflared-arm64.pkg` directly from [GitHub ↗](https://github.com/cloudflare/cloudflared/releases), in addition to being available via Homebrew.


---

---
title: Evolving to a SASE architecture with Cloudflare
description: This reference architecture explains how organizations can work towards a SASE architecture using Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Evolving to a SASE architecture with Cloudflare

**Last reviewed:** over 1 year ago

Download a [PDF version](https://developers.cloudflare.com/reference-architecture/static/cloudflare-evolving-to-a-sase-architecture.pdf) of this reference architecture.

## Introduction

Cloudflare One is a secure access service edge (SASE) platform that protects enterprise applications, users, devices, and networks. By progressively adopting Cloudflare One, organizations can move away from their patchwork of hardware appliances and other point solutions and instead consolidate security and networking capabilities on one unified control plane. Such network and security transformation helps address key challenges modern businesses face, including:

* Securing access for any user to any resource with Zero Trust practices
* Defending against cyber threats, including multi-channel phishing and ransomware attacks
* Protecting data in order to comply with regulations and prevent leaks
* Simplifying connectivity across offices, data centers, and cloud environments

Cloudflare One is built on Cloudflare's [connectivity cloud ↗](https://www.cloudflare.com/connectivity-cloud/), a unified, intelligent platform of programmable cloud-native services that enable any-to-any connectivity between all networks (enterprise and Internet), cloud environments, applications, and users. It is one of the [largest global networks ↗](https://www.cloudflare.com/network/), with data centers spanning [hundreds of cities worldwide ↗](https://www.cloudflare.com/network/) and interconnection with over 13,000 network peers. It also has a greater presence in [core Internet exchanges ↗](https://bgp.he.net/report/exchanges#%5Fparticipants) than many other large technology companies.

As a result, Cloudflare operates within ~50 ms of ~95% of the world's Internet-connected population. And since all Cloudflare services are designed to run across every network location, all traffic is connected, inspected, and filtered close to the source for the best performance and consistent user experience.

This document describes a reference architecture for organizations working towards a SASE architecture, and shows how Cloudflare One enables such security and networking transformation.

### Who is this document for and what will you learn?

This reference architecture is designed for IT or security professionals with some responsibility over or familiarity with their organization's existing infrastructure. It is useful to have some experience with technologies important to securing hybrid work, including identity providers (IdPs), user directories, single sign on (SSO), endpoint security or management (EPP, XDR, UEM, MDM), firewalls, routers, and point solutions like packet or content inspection hardware, threat prevention, and data loss prevention technologies.

To build a stronger baseline understanding of Cloudflare, we recommend the following resources:

* What is Cloudflare? | [Website ↗](https://www.cloudflare.com/what-is-cloudflare/) (5 minute read) or [video ↗](https://youtu.be/XHvmX3FhTwU?feature=shared) (2 minutes)
* Solution Brief: [Cloudflare One ↗](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
* Whitepaper: [Overview of Internet-Native SASE Architecture ↗](https://cfl.re/internet-native-sase-architecture-whitepaper) (10 minute read)
* Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network ↗](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)

Those who read this reference architecture will learn:

* How Cloudflare One protects an organization's employees, devices, applications, data, and networks
* How Cloudflare One fits into your existing infrastructure, and how to approach migration to a SASE architecture
* How to plan for deploying Cloudflare One

While this document examines Cloudflare One at a technical level, it does not offer fine detail about every product in the platform. Instead, it looks at how all the services in Cloudflare One enable networking and network security to be consolidated on one architecture. Visit the [developer documentation ↗](https://developers.cloudflare.com/) for further information specific to a product area or use case.

## Disintegration of the traditional network perimeter

Traditionally, most employees worked in an office and connected locally to the company network via Ethernet or Wi-Fi. Most business systems (e.g. file servers, printers, applications) were located on and accessible only from this internal network. Once connected, users would typically have broad access to local resources. A security perimeter was created around the network to protect against outsider threats, most of which came from the public Internet. The majority of business workloads were hosted on-premises and only accessible inside the network, with very little or no company data or applications existing on the Internet.

However, three important trends created problems for this "castle and moat" approach to IT security:

1. **Employees became more mobile**. Organizations increasingly embrace remote / hybrid work and support the use of personal (i.e. not company-owned) devices.
2. **Cloud migration accelerated**. Organizations are moving applications, data, and infrastructure from expensive on-premises data centers to public or private cloud environments in order to improve flexibility, scalability, and cost-effectiveness.
3. **Cyber threats evolved**. The above trends expand an organization's attack surface. For example, attack campaigns have become more sophisticated and persistent in exploiting multiple channels to infiltrate organizations, and cybercriminals face lower barriers to entry with the popularity of the "cybercrime-as-a-service" black market.

Traditional perimeter-based security has struggled to adapt to these changes. In particular, extending the "moat" outwards has introduced operational complexity for administrators, poor experiences for users, and inconsistency in how security controls are applied across users and applications.

![With many different methods to connect networks and filter/block traffic, managing access to company applications is costly and time consuming.](https://developers.cloudflare.com/_astro/cf1-ref-arch-1.DR89R8uB_Z1SsQpq.svg) 

The diagram above shows an example of this adapted perimeter-based approach, in which a mix of firewalls, WAN routers, and VPN concentrators are connected with dedicated WAN on-ramps consisting of MPLS circuits and/or leased lines. The diagram also demonstrates common problem areas. In an effort to centralize policy, organizations sometimes force all employee Internet traffic through their VPN infrastructure, which results in slow browsing and user complaints. Employees then seek workarounds — such as using non-approved devices — which increases their exposure to Internet-borne attacks when they work from home or on public Wi-Fi. In addition, IT teams are unable to respond quickly to changing business needs due to the complexity of their network infrastructure.

Such challenges are driving many organizations to prioritize goals like:

* Accelerating business agility by supporting remote / hybrid work with secure any-to-any access
* Improving productivity by simplifying policy management and by streamlining user experiences
* Reducing cyber risk by protecting users and data from phishing, ransomware, and other threats across all channels
* Consolidating visibility and controls across networking and security
* Reducing costs by replacing expensive appliances and infrastructure (e.g. VPNs, hardware firewalls, and MPLS connections)

## Understanding a SASE architecture

In recent years, [secure access service edge ↗](https://www.cloudflare.com/learning/access-management/security-service-edge-sse/), or SASE, has emerged as an aspirational architecture to help achieve these goals. In a SASE architecture, network connectivity and security are unified on a single cloud platform and control plane for consistent visibility, control, and experiences from any user to any application.

SASE platforms consist of networking and security services, all underpinned by supporting operational services and a policy engine:

* Network services forward traffic from a variety of networks into a single global corporate network. These services provide capabilities like firewalling, routing, and load balancing.
* Security services apply to traffic flowing over the network, allowing for filtering of certain types of traffic and control over who can access what.
* Operational services provide platform-wide capabilities like logging, API access, and comprehensive Infrastructure-as-Code support through providers like Terraform.
* A policy engine integrates across all services, allowing admins to define policies which are then applied across all the connected services.

![Cloudflare's SASE cloud platform offers network, security, and operational services, as well as policy engine features, to provide zero trust connectivity between a variety of user identities, devices and access locations to customer applications, infrastructure and networks.](https://developers.cloudflare.com/_astro/cf1-ref-arch-2.BMHjAM9W_2btPiQ.svg)

## Cloudflare One: single-vendor, single-network SASE

Most organizations move towards a SASE architecture progressively rather than all at once, prioritizing key security and connectivity use cases and adopting services like [Zero Trust Network Access ↗](https://www.cloudflare.com/learning/access-management/what-is-ztna/) (ZTNA) or [Secure Web Gateway ↗](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) (SWG). Some organizations choose to use SASE services from multiple vendors. For most organizations, however, the aspiration is to consolidate security with a single vendor, in order to achieve simplified management, comprehensive visibility, and consistent experiences.

[Cloudflare One ↗](https://www.cloudflare.com/cloudflare-one/) is a single-vendor SASE platform where all services are designed to run across all locations. All traffic is inspected closest to its source, which delivers consistent speed and scale everywhere. And thanks to composable and flexible on-ramps, traffic can be routed from any source to reach any destination.

Cloudflare's connectivity cloud also offers many other services that improve application performance and security, such as [API Gateway ↗](https://www.cloudflare.com/learning/security/api/what-is-an-api-gateway/), [Web Application Firewall ↗](https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/), [Content Delivery ↗](https://www.cloudflare.com/learning/cdn/what-is-a-cdn/), or [DDoS mitigation ↗](https://www.cloudflare.com/learning/ddos/ddos-mitigation/), all of which can complement an organization's SASE architecture. For example, our Content Delivery Network (CDN) features can be used to improve the performance of a self hosted company intranet. Cloudflare's full range of services are illustrated below.

![Cloudflare's anycast network provides services on all connected servers to enable secure connections on public and home networks and at corporate offices.](https://developers.cloudflare.com/_astro/cf1-ref-arch-4.Bjts0g1J_Z1YR1dx.svg)

### Cloudflare's anycast network

Cloudflare's SASE platform benefits from our use of [anycast ↗](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) technology. Anycast allows Cloudflare to announce the IP addresses of our services from every data center worldwide, so traffic is always routed to the Cloudflare data center closest to the source. This means traffic inspection, authentication, and policy enforcement take place close to the end user, leading to consistently high-quality experiences.

Using anycast ensures the Cloudflare network is well balanced. If there is a sudden increase in traffic on the network, the load can be distributed across multiple data centers, which in turn helps maintain consistent and reliable connectivity for users. Further, Cloudflare's large [network capacity ↗](https://www.cloudflare.com/network/) and [AI/ML-optimized smart routing ↗](https://blog.cloudflare.com/meet-traffic-manager/) also help ensure that performance is constantly optimized.

By contrast, many other SASE providers use Unicast routing in which a single IP address is associated with a single server and/or data center. In many such architectures, a single IP address is then associated with a specific application, which means requests to access that application may have very different network routing experiences depending on how far that traffic needs to travel. For example, performance may be excellent for employees working in the office next to the application's servers, but poor for remote employees or those working overseas. Unicast also complicates scaling traffic loads — that single service location must ramp up resources when load increases, whereas anycast networks can share traffic across many data centers and geographies.

![Cloudflare's anycast network ensures fast and reliable connectivity, whereas Unicast routing often sends all traffic to a single IP address, resulting in slower and failure prone connections.](https://developers.cloudflare.com/_astro/cf1-ref-arch-5.DVAtCA4Y_1d5wQ8.svg) 

## Deploying a SASE architecture with Cloudflare

To understand how SASE fits into an organization's IT infrastructure, see the diagram below, which maps out all the common components of said infrastructure. Subsequent sections of this guide will add to the diagram, showing where each part of Cloudflare's SASE platform fits in.

![Typical enterprise IT infrastructure may consist of different physical locations, devices and data centers that require connectivity to multiple cloud and on-premises applications.](https://developers.cloudflare.com/_astro/cf1-ref-arch-6.CZw0spTE_Z1gHcKU.svg) 

In the diagram's top half there are a variety of Internet resources (e.g. Facebook), SaaS applications (e.g. ServiceNow), and applications running in an [infrastructure-as-a-service (IaaS) ↗](https://www.cloudflare.com/learning/cloud/what-is-iaas/) platform (e.g. AWS). This example organization has already deployed cloud based [identity providers ↗](https://www.cloudflare.com/learning/access-management/what-is-an-identity-provider/) (IdP), [unified endpoint management ↗](https://www.cloudflare.com/learning/security/glossary/what-is-endpoint/) (UEM) and endpoint protection platforms (EPP) as part of a Zero Trust initiative.

In the bottom half are a variety of users, devices, networks, and locations. Users work from a variety of locations: homes, headquarters and branch offices, airports, and others. The devices they use might be managed by the organization or may be personal devices. In addition to the cloud, applications run in a data center in the organization's headquarters and in a data center operator's colocation facility ([Equinix ↗](https://www.equinix.com/), in this example).

A SASE architecture will define, secure, and streamline how each user and device will connect to the various resources in the diagram. Over the following sections, this guide will show ways to integrate Cloudflare One into the above infrastructure:

* **Applications and services**: Placing access to private applications and services behind Cloudflare
* **Networks**: Connecting entire networks to Cloudflare
* **Forwarding device traffic**: Facilitating access to Cloudflare-protected resources from any device
* **Verifying users and devices**: Identifying which user an access request comes from, and which device that user is on

### Connecting applications

This journey to a SASE architecture starts with an organization needing to provide remote access to non-Internet facing, internal-only web applications and services (e.g. SSH or RDP). Organizations typically deploy VPN appliances to connect users to the company network where the applications are hosted. However, many applications now live in cloud Infrastructure-as-a-Service platforms, where traditional VPN solutions are hard to configure. This often results in poor application and connectivity performance for users.

#### Tunnels to self-hosted applications

[Zero Trust Network Access ↗](https://www.cloudflare.com/learning/access-management/what-is-ztna/) (ZTNA) is a SASE service that secures access to self-hosted applications and services. ZTNA functionality can be divided broadly into two categories: 1) establishing connectivity between Cloudflare's network and the environments where the applications are running, and 2) setting policies to define how users are able to access these applications. In this section, we first examine the former — how to connect apps to Cloudflare.

Connectivity to self-hosted applications is facilitated through tunnels that are created and maintained by a software connector, [cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/). `cloudflared` is a lightweight daemon installed in an organization's infrastructure that creates a tunnel via an outbound connection to Cloudflare's global network. The connector can be installed in a variety of ways:

* In the OS installed on the bare metal server
* In the OS that is running in a virtualized environment
* In a [container ↗](https://hub.docker.com/r/cloudflare/cloudflared) running in a Docker or Kubernetes environment

`cloudflared` runs on Windows, Linux, or macOS operating systems and creates an encrypted tunnel using QUIC, a modern protocol that uses UDP (instead of TCP) for fast tunnel performance and modern encryption standards. Generally speaking, there are two approaches for how users can deploy `cloudflared` in their environment:

1. **On the same server and operating system where the application or service is running**. This is typically in high-risk or compliance deployments where organizations require independent tunnels per application. `cloudflared` consumes a small amount of CPU and RAM, so impact to server performance is marginal.
2. **On a dedicated server(s) in the same network where the applications run**. This often takes the form of multiple containers in a Docker or Kubernetes environment.

`cloudflared` manages multiple outbound connections back to Cloudflare and usually requires no changes to network firewalls. Those connections are spread across servers in more than one Cloudflare data center for reliability and failover. Traffic destined for a tunnel is forwarded to the connection that is geographically closest to the request, and if a `cloudflared` connection isn't responding, the tunnel will automatically fail over to the next available connection.

For more control over the traffic routed through each tunnel connection, users can integrate with the Cloudflare [load balancing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/) service. To ensure reliable local connectivity, organizations should deploy more than one instance of `cloudflared` across their application infrastructure. For example, with ten front-end web servers running in a Kubernetes cluster, you might deploy three Kubernetes services [running cloudflared replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes/).
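As an added example (not a manifest from the Cloudflare documentation or the cloudflared project), the following Kubernetes Deployment runs three `cloudflared` replicas for one remotely managed tunnel, spread across nodes so a single node failure does not drop every connection to Cloudflare. The namespace, Secret name and tunnel token are placeholders; the liveness probe assumes the `/ready` endpoint that `cloudflared` serves on its `--metrics` address, and `runAsNonRoot` assumes the official image's non-root user.

```yaml
# Added example: three cloudflared replicas for one tunnel.
# Namespace, Secret name and TUNNEL_TOKEN are placeholders, not page values.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflared-tunnel
  namespace: cloudflared
type: Opaque
stringData:
  # Token issued when the tunnel is created in the Cloudflare dashboard.
  TUNNEL_TOKEN: "<TUNNEL-TOKEN>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: cloudflared
spec:
  # Each replica opens its own outbound connections to Cloudflare, so the
  # tunnel stays up while any one replica is restarting or its node is down.
  replicas: 3
  selector:
    matchLabels:
      app: cloudflared
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      # Prefer placing replicas on different nodes.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: cloudflared
                topologyKey: kubernetes.io/hostname
      securityContext:
        runAsNonRoot: true   # assumes the image's built-in non-root user
      containers:
        - name: cloudflared
          image: cloudflare/cloudflared:latest
          args:
            - tunnel
            - --no-autoupdate
            # Serve metrics and /ready so the probe below can observe health.
            - --metrics
            - 0.0.0.0:2000
            - run
            - --token
            - $(TUNNEL_TOKEN)
          env:
            - name: TUNNEL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: cloudflared-tunnel
                  key: TUNNEL_TOKEN
          livenessProbe:
            httpGet:
              path: /ready
              port: 2000
            initialDelaySeconds: 10
            periodSeconds: 10
            failureThreshold: 3
          # cloudflared is light on CPU and memory; keep the requests small.
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 256Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

Because the tunnel is token-based, its public hostnames and private network routes are configured on the Cloudflare side rather than in a local config file.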

![Using cloudflared, multiple outbound connections are created back to Cloudflare across multiple data centers to improve overall performance and reliability.](https://developers.cloudflare.com/_astro/cf1-ref-arch-7.Dk3BnKM8_UmiKN.svg) 

Once tunnels have been established, there are two methods for how user traffic is forwarded to your application or service. Each method below is protected by policies managed by the ZTNA service that enforces authentication and access (which will be explored in further depth [later in this document](#secure-access-to-self-hosted-apps-and-services)).

##### Public hostname

Each public hostname is specific to an address, protocol, and port associated with a private application, allowing for narrow access to a specific service when there might be multiple applications running on the same host.

For example, organizations can define a public hostname (`mywebapp.domain.com`) to provide access to a web server running on `https://localhost:8080`, while ensuring no access to local Kubernetes services.

Key capabilities:

* A hostname is created in a public DNS zone and all requests to that hostname are first routed to the Cloudflare network, inspected against configured security and access policies, before being routed through the tunnel to the secured private resource
* Multiple hostnames can be defined per tunnel, with each hostname mapping to a single application (service address and port)
* Support for HTTP/HTTPS protocols
* Access to resources only requires a browser
* When Cloudflare's device client is deployed on a user device, policies can leverage additional contextual signals (e.g. determining whether the device is managed or running the latest OS) in policy enforcement
* For access to SSH/VNC services, Cloudflare renders an SSH/VNC terminal using WebAssembly in the browser

Applications exposed this way receive all of the benefits of Cloudflare's leading DNS, CDN, and DDoS services as well as our web application firewall (WAF), API, and bot services, all without exposing application servers directly to the Internet.

##### Private network

In some cases, users may want to leverage ZTNA policies to provide access to many applications on an entire private network. This allows for greater flexibility over the ways clients connect and how services are exposed. It also enables communication to resources over protocols other than HTTP. In this scenario, users specify the subnet for the private network they wish to be accessible via Cloudflare.

Key capabilities:

* `cloudflared`, combined with the Cloudflare device agent, provides access to private networks, allowing for any arbitrary L4 TCP, UDP or ICMP connections
* One or many networks can be configured using CIDR notation (e.g. 172.21.0.16/28)
* Access to resources on the private network requires the Cloudflare device agent to be installed on clients, and at least one Cloudflare Tunnel server on the connecting network
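To make the two methods concrete, here is an added example of a locally managed `cloudflared` configuration (not a file from the Cloudflare documentation) that serves both on one tunnel: two public hostnames, each mapped to a single local service and port, plus a private network route for the subnet quoted above. The tunnel UUID, `ssh.domain.com` and the credentials path are placeholders.

```yaml
# /etc/cloudflared/config.yml  (added example; tunnel UUID, the ssh hostname
# and the credentials path are placeholders, not values from the page)
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

# Connections are outbound-only and use QUIC, so no inbound firewall rule
# is needed on the network hosting the application.
protocol: quic

# Public hostname method. Rules are evaluated top to bottom and the first
# match wins, so each hostname reaches exactly one address:port and nothing
# else running on the host (including local Kubernetes services).
ingress:
  # Web server on this host; only port 8080 is reachable through the tunnel.
  # DNS for it is created with:
  #   cloudflared tunnel route dns <TUNNEL-UUID> mywebapp.domain.com
  - hostname: mywebapp.domain.com
    service: https://localhost:8080
    originRequest:
      # Present the expected name so the origin certificate validates,
      # rather than switching off TLS verification toward the origin.
      originServerName: mywebapp.domain.com
  # SSH service exposed as a public hostname; Cloudflare renders the terminal
  # in the browser, so no SSH client is required on the user device.
  - hostname: ssh.domain.com
    service: ssh://localhost:22
  # Mandatory catch-all: any hostname not listed above gets a 404 at
  # Cloudflare and never reaches a local service.
  - service: http_status:404

# Private network method: with this enabled, device-agent users can reach
# the subnet advertised for the tunnel. The route itself is added with:
#   cloudflared tunnel route ip add 172.21.0.16/28 <TUNNEL-UUID>
warp-routing:
  enabled: true
```

Run `cloudflared tunnel ingress validate` before starting the connector; it rejects a rule set whose last entry is not a catch-all.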

For both methods, it is important to note that `cloudflared` only proxies inbound traffic to a private application or network. It does not become a gateway or "on-ramp" back to Cloudflare for the network that it proxies inbound connections to. This means that if the web server starts its own connection to another Internet-based API, that connection will not be routed via Cloudflare Tunnel and will instead be routed via the host server's default route and gateway.

This is the desirable outcome in most network topologies, but there are some instances in which network services need to communicate directly with a remotely-connected user, or with services on other segmented networks.

If users require connections that originate from the server or network to be routed through Cloudflare, there are multiple on-ramps through which to achieve this, which will be explained further in the "Connecting Networks" section.

#### SaaS applications

SaaS applications are inherently always connected to and accessed via the public Internet. As a result, the aforementioned tunnel-and-app-connector approach does not apply. Instead, organizations with a SASE architecture inspect and enforce policies on Internet-bound SaaS traffic via a [secure web gateway ↗](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) (SWG), which serves as a cloud-native forward proxy.

The SWG includes policies that examine outbound traffic requests and inbound content responses to determine if the user, device, or network location has access to resources on the Internet. Organizations can use these policies to control access to approved SaaS applications, as well as detect and block the use of unapproved applications (also known as [shadow IT ↗](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/)).

Some SaaS applications allow organizations to configure an IP address allowlist, which limits access to the application based on the source IP address of the request. With Cloudflare, organizations can obtain dedicated [egress IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) addresses, which can be used as the source address for all traffic leaving their network. When combined with an allowlist in a SaaS application, organizations can ensure that users are only able to access applications if they are first connected to Cloudflare. (More detail on this approach is outlined in a later section about connecting user devices.)

Another method to secure access to SaaS applications is to configure single sign-on (SSO) so that Cloudflare becomes an identity proxy — acting as the identity provider (IdP) — as part of the authentication and authorization process.

Key capabilities:

* Apply consistent access policies across both self-hosted and SaaS applications
* Layer device security posture into the authentication process (e.g. users can ensure that only managed devices, running the latest operating system and passing all endpoint security checks, are able to access SaaS applications)
* Ensure that certain network routes are used for access (e.g. users can require that devices are connected to Cloudflare using the device agent, which allows them to filter traffic to the SaaS application and prevent downloads of protected data)
* Centralize SSO applications to Cloudflare and create one SSO integration from Cloudflare to their IdP — making both infrastructure and access policies SSO-agnostic (e.g. users can allow access to critical applications only when MFA is used, no matter which IdP is used to authenticate)

When Cloudflare acts as the SSO service to an application, user authentication is still handled by an organization's existing identity provider, but is proxied via Cloudflare, where additional access restrictions can be applied. The diagram below is a high-level example of a typical request flow:

![The flow of SSO requests is proxied through Cloudflare, where the IdP is still used to authenticate, but Cloudflare provides additional access controls.](https://developers.cloudflare.com/_astro/cf1-ref-arch-8.B5wnNeFj_asbcF.svg) 

The last method of connecting SaaS applications to Cloudflare's SASE architecture is with an API-based [cloud access security broker ↗](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) (CASB). The Cloudflare CASB integrates via API to [popular SaaS suites](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) — including Google Workspace, Microsoft 365, Salesforce, and more — and continuously scans these applications for misconfigurations, unauthorized user activity, and other security risks.

Native integration with the Cloudflare [data loss prevention ↗](https://www.cloudflare.com/learning/access-management/what-is-dlp/) (DLP) service enables CASB to scan for sensitive or regulated data that may be stored in files with incorrect permissions — further risking leaks or unauthorized access. CASB reports findings that alert IT teams to items such as:

* Administrative accounts without adequate MFA
* Company-sensitive data in files stored with public access permissions
* Missing application configurations (e.g. domains missing SPF/DMARC records)

#### Checkpoint: Connecting applications to Cloudflare

Now, this is what the architecture of a typical organization might look like once they have integrated with Cloudflare services. It is important to note that Cloudflare is designed to secure organizations' existing applications and services in the following ways:

* All self-hosted applications and services are only accessible through Cloudflare and controlled by policies defined by the Cloudflare ZTNA
* SaaS application traffic is filtered and secured via the Cloudflare SWG
* SaaS services are scanned via the Cloudflare CASB to check the configuration and permissions of data at rest

![Access to all applications is now only available via Cloudflare.](https://developers.cloudflare.com/_astro/cf1-ref-arch-9.DbbzPtNJ_Z1xm3bo.svg)

### Connecting networks

Once an organization's applications and services have been integrated, it is time to connect Cloudflare to their existing networks. Regional offices, corporate headquarters, retail locations, data centers, and cloud-hosted infrastructure all need to forward traffic to the new corporate SASE network.

When all traffic flows through Cloudflare, SASE services perform the following actions:

* Granting application access
* Filtering general Internet-bound traffic (e.g. blocking access to sites that host malware)
* Isolating websites to protect users from zero-day or unknown harmful Internet content
* Filtering traffic to identify data defined by DLP policies — then blocking the download/upload of that data to insecure devices or applications
* Providing visibility into the use of non-approved applications and allowing admins to either block or apply policies around their use

There are several approaches for connecting networks to Cloudflare, which can provide further flexibility in how an organization provides access to SASE-protected resources:

1. **Use software agents to create tunnels from host machines back to Cloudflare**. This is typically the method favored by users who own their own servers and applications.
2. **Set up IPsec or GRE tunnels from network routers and firewalls to connect them to the Cloudflare WAN service**. This is the approach that network administrators use when they want to forward traffic to and from entire networks.
3. **Connect a network directly to Cloudflare**. This method works best when an organization's network resides in a supported data center, usually one that is colocated with a Cloudflare data center.

These methods will be explained further in the next sections.

#### Using software agents

There are two software-based methods of connecting networks to Cloudflare, depending on the type of applications that currently exist on the network.

##### Client-to-server connectivity

As described in the previous section, [cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) proxies requests to applications and services on private networks. It installs on servers in the private network and creates secure tunnels to Cloudflare over the Internet. These connections are balanced across multiple Cloudflare data centers for reliability and can be made via multiple connectors, which helps increase the capacity of the tunnels.

Using `cloudflared`, Cloudflare Tunnel supports client-to-server connections over the Tunnel. Any service or application running behind the Tunnel will use the default routing table when initiating outbound connectivity.

This model is appropriate for a majority of scenarios, in which external users need to access resources within a private network that does not require bidirectionally-initiated communication.

![Requests initiated from a client are securely tunneled to Cloudflare via a device agent, while requests from inside the private network follow the default route.](https://developers.cloudflare.com/_astro/cf1-ref-arch-10.PVIlTF5F_2l0MEM.svg) 

For bidirectional, or meshed connectivity, organizations should use Cloudflare Mesh.

##### Mesh connectivity

[Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) (formerly WARP Connector) is a lightweight solution for site-to-site, bidirectional, and mesh networking connectivity that does not require changes to underlying network routing infrastructure. Cloudflare Mesh is installed on a Linux server within an organization's network, which then becomes a gateway for other local networks that need to on-ramp traffic to Cloudflare.

This provides a lightweight solution to support services such as Microsoft's System Center Configuration Manager (SCCM), Active Directory server updates, VoIP and SIP traffic, and developer workflows with complex CI/CD pipeline interaction. It can either be run supplementally to `cloudflared` and Cloudflare WAN (formerly Magic WAN), or can be a standalone remote access and site-to-site connector to the Cloudflare network.

Cloudflare Mesh can proxy both user-to-network and network-to-network connectivity, or can be used to establish an overlay network of Carrier Grade NAT ([CGNAT ↗](https://en.wikipedia.org/wiki/Carrier-grade%5FNAT)) addressed endpoints to provide secure, direct connectivity to established resources using CGNAT IP ranges. This helps address overlapping network IP range challenges, point-solution access problems, or the process of shifting network design without impacting a greater underlying system.

![In an example scenario, a developer might push code to a git repository, which ends up in a Kubernetes cluster in a staging network. From staging, it is accessed by a QA tester. All of this traffic is routed and protected via a Cloudflare Mesh node.](https://developers.cloudflare.com/_astro/cf1-ref-arch-11.CZ1ltr0Y_Z1RiCFP.svg) 

_Note: Labels in this image may reflect a previous product name._

Cloudflare Tunnel via `cloudflared` is the primary method for connecting users to applications and services on private networks because it is a simpler, more granular and agile solution for many application owners (vs. IP tunnel based connectivity technology, like [IPsec ↗](https://www.cloudflare.com/learning/network-layer/what-is-ipsec/) and [GRE ↗](https://www.cloudflare.com/learning/network-layer/what-is-gre-tunneling/)). Cloudflare Mesh is the preferred method for mesh or other software-defined networking — most of which require bidirectional connectivity — when organizations do not want to make changes to the underlying network routing or edge infrastructure.

#### Using network equipment

Where it is not optimal or possible to install software agents, networks can also be connected to Cloudflare using existing network equipment, such as routers and network firewalls. To do this, organizations create IPsec or GRE tunnels that connect to Cloudflare's cloud-native [Cloudflare WAN ↗](https://www.cloudflare.com/network-services/products/magic-wan/) service. With Cloudflare WAN, existing network hardware can connect and route traffic from their respective network locations to Cloudflare through a) secure, IPsec-based tunnels over the Internet, or b) [Cloudflare Network Interconnect ↗](https://www.cloudflare.com/network-services/products/network-interconnect/) (CNI) — private, direct connections that link existing network locations to the nearest Cloudflare data center.

Cloudflare's WAN service uses a "light-branch, heavy-cloud" architecture that represents the evolution of software-defined WAN (SD-WAN) connectivity. With Cloudflare WAN, as depicted in the network architecture diagram below, the Cloudflare global network functions as a centrally-managed connectivity hub that securely and efficiently routes traffic between all existing network locations:

![Cloudflare's Connectivity Cloud securely links a variety of network locations to the Internet through products such as Firewall, ZTNA, CASB and Load Balancer.](https://developers.cloudflare.com/_astro/cf1-ref-arch-12.D-EXKLBe_2c1ypU.svg) 

As previously described, Cloudflare uses a routing technique called [anycast ↗](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) to globally advertise all of the services and endpoints on the Cloudflare network, including the endpoints for WAN IP tunnels.

With [anycast IPsec ↗](https://blog.cloudflare.com/anycast-ipsec/) or anycast GRE tunnels, each tunnel configured from an organization's network device (e.g. edge router, firewall appliance, etc.) connects to hundreds of global Cloudflare data centers. Traffic sourced from an organization's network location is sent directly over these tunnels and always routes to the closest active Cloudflare data center. If the closest Cloudflare data center is unavailable, the traffic is automatically rerouted to the next-closest data center.

![In an example scenario, IPsec traffic from an office network's router would be sent to the closest Cloudflare data center.](https://developers.cloudflare.com/_astro/cf1-ref-arch-13.5dK35i5D_Z1Fn4Lh.svg) 

To further network resiliency, Cloudflare WAN also supports Equal Cost Multi-Path (ECMP) routing between the Cloudflare network and an organization's network location(s). With ECMP, traffic can be load-balanced across multiple anycast IP tunnels, which helps increase throughput and maximize network reliability. In the event of network path failure of one or more tunnels, traffic can be automatically failed over to the remaining healthy tunnels.

The simplest and easiest way to on-ramp existing network locations to the Cloudflare WAN service is to deploy Cloudflare One Appliance, a lightweight appliance you can install in corporate network locations to automatically connect, steer, and shape any IP traffic through secure IPsec tunnels. When the WAN Connector is installed into a network, it will automatically establish communication with the Cloudflare network, download and provision relevant configurations, establish resilient IPsec tunnels, and route connected site network traffic to Cloudflare.

The WAN Connector can be deployed as either a hardware or virtual appliance, making it versatile for a variety of user network environments — on-premises, virtual, or public cloud. Management, configuration, observability, and software updates for WAN Connectors are centrally managed from Cloudflare via either the dashboard or the Cloudflare API. As of 2023, the WAN Connector is best suited for connecting small and medium-sized networks to Cloudflare (for example, small offices and retail stores).

In situations where deploying the Cloudflare One Appliance is not feasible or desirable, organizations can securely connect their site networks to Cloudflare by configuring IPsec tunnels from their existing IPsec-capable network devices, including WAN or SD-WAN routers, firewalls, and cloud VPN gateways. Please refer to the Cloudflare [documentation](https://developers.cloudflare.com/cloudflare-wan/configuration/third-party/) for up-to-date examples of validated IPsec devices.

There may also be situations where network-layer encryption is not necessary — for example, when a site's WAN-bound traffic is already encrypted at the application layer (via TLS), or when an IPsec network device offers very limited throughput performance as it encrypts and decrypts IPsec traffic. Under these circumstances, organizations can connect to the Cloudflare network using [GRE tunnels](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-tunnel-endpoints/).

Organizations may also connect their network locations directly to the Cloudflare network via [Cloudflare Network Interconnect ↗](https://www.cloudflare.com/network-services/products/network-interconnect/) (CNI). Cloudflare [supports a variety of options](https://developers.cloudflare.com/network-interconnect/) to connect your network to Cloudflare:

* Direct CNI for Cloudflare WAN and Magic Transit
* Classic CNI for Magic Transit
* Cloud CNI for Cloudflare WAN and Magic Transit
* Peering via either an internet exchange, or a private network interconnect (PNI).

The following table summarizes the different methods of connecting networks to Cloudflare:

| **Use case**                                                                                                                                           | **Recommended**                          | **Alternative solution**                                                                |
| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------- | --------------------------------------------------------------------------------------- |
| Remote users connecting to applications on private networks in a Zero Trust model (e.g. most VPN replacement scenarios)                                | **Cloudflare Tunnel (with cloudflared)** | **Cloudflare WAN** (if cloudflared is not suitable for the environment)                 |
| Site-to-site connectivity between branches, headquarters, and data centers                                                                             | **Cloudflare WAN**                       | **Cloudflare Mesh** (if routing changes cannot be made at the perimeter)                |
| Egress traffic from physical sites or cloud environments to cloud security inspection (e.g. most common SWG and branch firewall replacement scenarios) | **Cloudflare WAN**                       | **N/A**                                                                                 |
| Service-initiated communication with remote users (e.g. AD or SCCM updates, DevOps workflows, VOIP)                                                    | **Cloudflare Mesh**                      | **Cloudflare WAN** (if inbound source IP fidelity is not required)                      |
| Mesh networking and device-to-device connectivity                                                                                                      | **Cloudflare Mesh**                      | **N/A**                                                                                 |

Each of these methods of connecting and routing traffic can be deployed concurrently from any location. The following diagram highlights how different connectivity methods can be used in a single architecture.

Note the following traffic flows:

* All endpoints connected via a Cloudflare Mesh node or device agent can communicate with each other over the mesh network  
   * Developers working from home can communicate with the production and staging servers in the cloud  
   * The employee in the retail location, as well as the developer at home, can receive VOIP calls on their laptop
* An HPC cluster in AWS represents a proprietary solution in which no third-party software agents can be installed; as a result, it uses an IPsec connection to Cloudflare WAN
* In the retail location, the Cloudflare One Appliance routes all traffic to Cloudflare via an IPsec tunnel  
   * An employee's laptop running the device agent creates its own secure connection to Cloudflare that is routed over the IPsec tunnel
* The application owner of the reporting system maintains a connection to Cloudflare using `cloudflared` and doesn't require any networking help to expose their application to employees

![Connecting and routing traffic can be created using various methods such as Cloudflare Network Interconnect, IPSEC tunnels, Cloudflare Mesh and cloudflared.](https://developers.cloudflare.com/_astro/cf1-ref-arch-14.BMsYJBWD_1UbvIi.svg) 

_Note: Labels in this image may reflect a previous product name._

_Note: All of the endpoints connected via Cloudflare Mesh or device agent are automatically assigned IP addresses from the 100.96.0.0/12 address range, while endpoints connected to Cloudflare WAN retain their assigned RFC1918 private IP addresses. `cloudflared` can be deployed in any of the locations by an application owner to provide hostname-based connectivity to the application._

Once the networks, applications, and user devices are connected to Cloudflare — regardless of the connection methods and devices used — all traffic can be inspected, authenticated, and filtered by the Cloudflare SASE services, then securely routed to their intended destinations. Additionally, consistent policies can be applied across all traffic, no matter how it arrives at Cloudflare.

#### Checkpoint: Connecting networks to Cloudflare

This is what a SASE architecture looks like when corporate network traffic from everywhere is forwarded to and processed by Cloudflare. In this architecture, it is possible to make a network connection from any remote location, office location or data center and connect to applications and services living in SaaS infrastructure, cloud-hosted infrastructure or an organization's own on-premise data centers.

![Traffic from all networks, North and South, as well as East and West, is now flowing through and secured by Cloudflare.](https://developers.cloudflare.com/_astro/cf1-ref-arch-15.BL6UWZPA_3hLzV.svg) 

_Note: Labels in this image may reflect a previous product name._

### Forwarding device traffic

The previous sections explain using ZTNA to secure access to self-hosted applications and using an SWG to inspect and filter traffic destined for the Internet. When a user is working on a device in any of the company networks that is connected to Cloudflare's connectivity cloud, all that traffic is inspected and policies applied without disrupting the user's workflow. Yet, users are not always (or ever) in the office; they work from home, on the road, or from other public networks. How do you ensure they have reliable access to your internal applications? How do you ensure their Internet browsing is secure no matter their work location?

There are several approaches to ensure that traffic from a user device which is not connected to an existing Cloudflare-protected network is also forwarded through Cloudflare and protected:

* [Install an agent on the device](#connecting-with-a-device-agent)
* [Modify browser proxy configuration](#browser-proxy-configuration)
* [Direct the user to a remote browser instance](#using-remote-browser-instances)
* [Modify DNS configuration](#agentless-dns-filtering)

#### Connecting with a device agent

The preferred method of ensuring device traffic is forwarded to Cloudflare is to install the device agent (also referred to as [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)). The agent runs on Windows, macOS, Linux, iOS, and Android/ChromeOS, and creates a secure connection to Cloudflare where all non-local traffic is sent. Because of Cloudflare's use of anycast networking, the device agent always connects to the nearest Cloudflare server to ensure the best performance for the user. The device agent also collects local machine and network information, which is sent in the request to enrich the policy in Cloudflare.

To allow for flexibility in how different devices and users connect, there are multiple [deployment modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/):

* A full L4 traffic proxy
* L7 DNS proxy
* L7 HTTP proxy
* The ability to just collect device posture information

For example, organizations might have an office that continues to use an existing [DNS filtering ↗](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) service, so they can configure the agent to just proxy network and HTTP traffic.

The agent can also be configured with flexible routing controls that allow for scenarios in which traffic destined for office printers is not sent to the Cloudflare network but, instead, routed to the local network. These [split tunnel configurations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) can be made specific to groups of users, types of device operating system, or networks. By default, traffic destined for all private [IPv4 and IPv6 ranges ↗](https://datatracker.ietf.org/doc/html/rfc1918) is sent to the device's default gateway. If the application the user is attempting to reach is not in public DNS, you can configure the hostname and domain to be resolved with [local DNS services](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/), so that the device agent does not attempt to resolve these using Cloudflare DNS.

![Using the device agent allows Internet and company application bound traffic to be secured by Cloudflare's SWG and ZTNA services.](https://developers.cloudflare.com/_astro/cf1-ref-arch-16.DBOEvI3k_Z1Cgds4.svg) 

The agent is more than just a network proxy; it is able to examine the device's security posture, such as if the operating system is fully up-to-date or if the hard disk is encrypted. Cloudflare's integrations with [CrowdStrike ↗](https://www.cloudflare.com/partners/technology-partners/crowdstrike/endpoint-partners/), [SentinelOne ↗](https://www.cloudflare.com/partners/technology-partners/sentinelone/), and other third-party services also provide additional data about the security posture of the device. All of this information is associated with each request and, therefore, available for use in company policies — as explained in the "Unified Management" section.

The agent can be [deployed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) to a device either manually or using existing endpoint management (UEM) technologies. Using the agent, users register and authenticate their device to Cloudflare with the integrated identity providers. Identity information — combined with information about the local device — is then used in your SWG and ZTNA policies (including inline CASB capabilities shared across these Cloudflare services).

#### Browser proxy configuration

When it is not possible to install software on the device, there are agentless approaches.

One option is to configure the browser to forward HTTP requests to Cloudflare by configuring proxy server details in the browser or OS. Although this can be done manually, it is more common for organizations to automate the configuration of browser proxy settings using Internet-hosted [Proxy Auto-Configuration](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) (PAC) files. The browser identifies the PAC file location in several ways:

* MDM software configuring the setting in the browser
* In Windows domains, Group Policy Objects (GPO) can configure the browser's PAC file
* Browsers can use [Web Proxy Auto-Discovery ↗](https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01) (WPAD)

From there, configure a proxy endpoint where the browser will send all HTTP requests to. If using this method, please note that:

* Filtering HTTPS traffic will also require [installing and trusting Cloudflare root certificates](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) on the devices.
* A proxy endpoint will only proxy traffic sourced from a set of known IP addresses, such as the pool of public IP addresses used by a site's NAT gateway, that the administrator must specify.
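The following is an added example of the kind of PAC file the section describes; it is not from the Cloudflare documentation. Browsers call `FindProxyForURL` for every request and act on the returned directive: `DIRECT` bypasses the proxy, while `HTTPS host:port` sends the request to a TLS-protected proxy endpoint. The endpoint hostname `example.proxy.cloudflare-gateway.com` and the `.corp.example` suffix are placeholders (assumptions); the real values come from the proxy endpoint you create in the dashboard and your own internal DNS. The file deliberately uses only plain JavaScript rather than the PAC helper functions such as `isInNet`, so the same file can be unit-tested offline in Node before it is published.

```javascript
// Constructed example PAC file (not Cloudflare's own). The proxy endpoint
// hostname is a placeholder; use the one shown for your proxy endpoint.
var GATEWAY_PROXY = "HTTPS example.proxy.cloudflare-gateway.com:3128";

// Destinations that must never be sent to the proxy: RFC 1918, loopback, link-local.
var BYPASS_RANGES = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16]
];

// Internal DNS suffixes resolved by local DNS (placeholder values).
var BYPASS_SUFFIXES = [".corp.example", ".local"];

// Dotted-quad IPv4 string to an unsigned integer; null when not a valid address.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside base/prefixLen. Division instead of shifts keeps
// the arithmetic unsigned (JavaScript bit shifts are signed 32-bit).
function inRange(ip, base, prefixLen) {
  var a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  var hostSize = Math.pow(2, 32 - prefixLen);
  return Math.floor(a / hostSize) === Math.floor(b / hostSize);
}

function endsWith(host, suffix) {
  return host.length >= suffix.length && host.substr(host.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames (no dot) and localhost are intranet names: keep them local.
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (endsWith(host, BYPASS_SUFFIXES[i])) return "DIRECT";
  }
  // Literal private, loopback or link-local IPv4 destinations stay local too.
  if (ipv4ToInt(host) !== null) {
    for (var j = 0; j < BYPASS_RANGES.length; j++) {
      if (inRange(host, BYPASS_RANGES[j][0], BYPASS_RANGES[j][1])) return "DIRECT";
    }
  }
  // Everything else goes through the Gateway proxy endpoint. Returning only the
  // proxy (no "; DIRECT" fallback) fails closed if the endpoint is unreachable.
  return GATEWAY_PROXY;
}
```

Two points to watch when publishing such a file: appending `; DIRECT` to the final directive makes the browser fail open when the proxy is unreachable, which silently removes filtering, and because the proxy endpoint only accepts traffic from the source IP addresses you registered (the second note above), a device that roams off the corporate network will receive proxy errors rather than filtered access.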

#### Using remote browser instances

Another option to ensure device traffic is sent to Cloudflare is to use [remote browser isolation ↗](https://www.cloudflare.com/learning/access-management/what-is-browser-isolation/) (RBI). When a remote user attempts to visit a website, the corresponding requests and responses are handled by a headless remote browser running in the Cloudflare network that functions as a "clone" of the user device's local browser. This shields the user's device from potential harmful content and code execution that may be downloaded from the website it visits.

RBI renders the received content in an isolated and secure cloud environment. Instead of executing the web content locally, the user device receives commands for how to "draw" the final rendered web page over a highly optimized protocol supported by all HTML5-compliant browsers on all operating systems. Because the remote browser runs on Cloudflare's servers, SWG policies are automatically applied to all browser requests.

Ensuring access to sites is protected with RBI does not require any local software installation or reconfiguring the user's browser. Below are [several ways](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/) to accomplish this:

* Typically, a remote browser session is started as the result of an SWG policy — the user just requests websites without being notified that the content is loading in a remote browser.
* Organizations can also provide users with a link that automatically ensures RBI always processes each request.
* Organizations can also opt to use the ZTNA service to redirect all traffic from self-hosted applications via RBI instances.

All requests via a remote browser pass through the Cloudflare SWG; therefore, policies can enforce certain website access limitations. For instance, browser isolation policies can be established to:

* Disable copy/paste between a remote web page and the user's local machine; this can prevent the employee from pasting proprietary code into third-party chatbots.
* Disable printing of remote web content to prevent contractors from printing confidential information
* Disable file uploads/downloads to ensure sensitive company data is not sent to — or downloaded from — certain websites.
* Disable keyboard input (in combination with other policies) to limit data being exposed, such as someone typing in passwords to a phishing site.

Isolating web applications and applying policies to risky websites helps organizations limit data loss from cyber threats or user error. And, like many Cloudflare One capabilities, RBI can be leveraged across other areas of the SASE architecture. Cloudflare's [email security ↗](https://www.cloudflare.com/learning/email-security/what-is-email-security/) service, for example, can automatically rewrite and isolate suspicious links in emails. This "email link isolation" capability helps protect the user from potential malicious activity such as credential harvesting phishing.

#### Agentless DNS Filtering

Another option for securing traffic via the Cloudflare network is to configure the device to forward DNS traffic to Cloudflare to be inspected and filtered. First, [DNS locations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/dns/#connect-dns-locations) are created, which allow policies to be applied based on the network a query comes from. A location can be identified either by the source IP address of the request, or by using "[DNS over TLS ↗](https://www.cloudflare.com/learning/dns/dns-over-tls/)" or "[DNS over HTTPS ↗](https://www.cloudflare.com/learning/dns/dns-over-tls/)".

When using source IP addresses, either the device needs to be told which DNS servers to use, or the local DNS server on the network the device is connected to needs to forward all DNS queries to Cloudflare. For DNS over TLS or HTTPS, each device needs to be configured, and operating system support varies. Our recommendation is to use DNS over HTTPS, which has wider operating system support.

All of the above methods result in only the DNS requests — not all traffic — being sent to Cloudflare. SWG DNS policies are then implemented at this level to manage access to corporate network resources.
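To make the agentless DNS path concrete, here is an added example (not Cloudflare's code) of what a DNS-over-HTTPS client sends to a Gateway DoH endpoint and how it reads the answer. It builds an RFC 8484 wire-format query, posts it as `application/dns-message`, and attaches the Cloudflare Access service token headers `CF-Access-Client-Id` and `CF-Access-Client-Secret`, which this example assumes are the headers the linked "filter DoH requests by user" page describes for associating a query with an identity. The endpoint hostname is a placeholder, and the response bytes are constructed, not captured from Cloudflare.

```javascript
// Constructed example of a DoH client for a Gateway DNS location; not Cloudflare's code.
// Placeholder endpoint: replace with the DoH subdomain of your DNS location.
const DOH_ENDPOINT = "https://YOUR-DOH-SUBDOMAIN.cloudflare-gateway.com/dns-query";
const QTYPE_A = 1;
const QCLASS_IN = 1;

// "blocked.example" -> 7 "blocked" 7 "example" 0 (DNS label encoding).
function encodeName(hostname) {
  const out = [];
  for (const label of hostname.replace(/\.$/, "").split(".")) {
    if (label.length === 0 || label.length > 63) throw new Error("bad label: " + label);
    out.push(label.length, ...Buffer.from(label, "ascii"));
  }
  out.push(0);
  return out;
}

// Wire-format query. DoH clients send ID 0 (RFC 8484 section 4.1) so identical
// queries are cache-friendly; the HTTP layer already correlates responses.
function buildQuery(hostname, qtype = QTYPE_A) {
  const header = [0x00, 0x00, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]; // id=0, RD=1, QDCOUNT=1
  return Uint8Array.from([...header, ...encodeName(hostname), 0, qtype, 0, QCLASS_IN]);
}

// The HTTP request a resolver would make. The service token is a long-lived
// credential, so it belongs in managed device configuration, not in user space.
function buildDohRequest(hostname, serviceToken) {
  return {
    url: DOH_ENDPOINT,
    method: "POST",
    headers: {
      "content-type": "application/dns-message",
      "accept": "application/dns-message",
      "CF-Access-Client-Id": serviceToken.clientId,       // assumed header names
      "CF-Access-Client-Secret": serviceToken.clientSecret,
    },
    body: buildQuery(hostname),
  };
}

// Read a possibly compressed name at offset; returns the name and the offset after it.
function readName(bytes, offset) {
  const labels = [];
  let next = -1;
  for (let guard = 0; guard < 128; guard++) {
    const len = bytes[offset];
    if (len === 0) { offset += 1; break; }
    if ((len & 0xc0) === 0xc0) {            // compression pointer to an earlier name
      if (next < 0) next = offset + 2;
      offset = ((len & 0x3f) << 8) | bytes[offset + 1];
      continue;
    }
    labels.push(Buffer.from(bytes.subarray(offset + 1, offset + 1 + len)).toString("ascii"));
    offset += 1 + len;
  }
  return { name: labels.join("."), next: next < 0 ? offset : next };
}

// Decode RCODE and the answer section (A records rendered as dotted quads).
function parseResponse(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const rcode = bytes[3] & 0x0f;
  const qdcount = view.getUint16(4), ancount = view.getUint16(6);
  let pos = 12;
  for (let i = 0; i < qdcount; i++) pos = readName(bytes, pos).next + 4; // skip QTYPE/QCLASS
  const answers = [];
  for (let i = 0; i < ancount; i++) {
    const { name, next } = readName(bytes, pos);
    const type = view.getUint16(next), ttl = view.getUint32(next + 4), rdlength = view.getUint16(next + 8);
    const rdata = bytes.subarray(next + 10, next + 10 + rdlength);
    const data = type === QTYPE_A && rdlength === 4 ? Array.from(rdata).join(".") : Buffer.from(rdata).toString("hex");
    answers.push({ name, type, ttl, data });
    pos = next + 10 + rdlength;
  }
  return { rcode, answers };
}

// Constructed reply: the resolver answers blocked.example with 0.0.0.0, the kind of
// sinkhole answer a DNS block policy produces. Compare against the expected
// resolution to verify that a policy is being enforced for a location.
const SAMPLE_RESPONSE = Uint8Array.from([
  0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
  7, ...Buffer.from("blocked"), 7, ...Buffer.from("example"), 0, 0x00, 0x01, 0x00, 0x01,
  0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x04, 0, 0, 0, 0,
]);

// Live query (Node 18+ fetch); not exercised offline.
async function sendDohQuery(hostname, serviceToken) {
  const req = buildDohRequest(hostname, serviceToken);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error("DoH request failed: HTTP " + res.status);
  return parseResponse(new Uint8Array(await res.arrayBuffer()));
}
```

Because only DNS reaches Cloudflare on this path, the answer is all the enforcement a client sees: a monitoring job that periodically runs such a query for a known-blocked test name from each DNS location is a cheap way to detect a device or network whose resolver configuration has drifted away from Gateway.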

#### Summary of SWG capabilities for each traffic forwarding method

The following table summarizes SWG capabilities for the various methods of forwarding traffic to Cloudflare (as of Oct 2023):

|                                | IP tunnel or Interconnect (Cloudflare WAN) | Device Agent (WARP)\*1 | Remote Browser | Browser proxy | DNS proxy |
| ------------------------------ | ------------------------------------------ | ---------------------- | -------------- | ------------- | --------- |
| Types of traffic forwarded     | TCP/UDP                                    | TCP/UDP                | HTTP           | HTTP          | DNS       |
| **Policy types**               |                                            |                        |                |               |           |
| DNS                            | Yes                                        | Yes                    | Yes            | Yes           | Yes       |
| HTTP/S\*2                      | Yes                                        | Yes                    | Yes            | Yes           | N/A       |
| Network (L3/L4 parameter)      | Yes                                        | Yes                    | Yes            | Yes           | No        |
| **Data available in policies** |                                            |                        |                |               |           |
| Identity information           | No                                         | Yes                    | Yes            | No            | No\*3     |
| Device posture                 | No                                         | Yes                    | No             | No            | No        |
| **Capabilities**               |                                            |                        |                |               |           |
| Remote browser isolation       | Yes                                        | Yes                    | Yes            | Yes           | N/A       |
| Enforce egress IP              | Yes                                        | Yes                    | Yes            | Yes           | N/A       |

Notes:

1. Running the device agent in DNS over HTTP mode provides user identity information, in addition to the same capabilities as connecting via DNS.
2. To filter HTTPS traffic, the Cloudflare [certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) needs to be installed on each device. This can be automated when using the device agent.
3. If configuring DNS over HTTPS, it is possible to inject a [service token](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/#filter-doh-requests-by-user) into the request, which associates the query with an authenticated user.

#### Checkpoint: Forwarding device traffic to Cloudflare

By connecting entire networks or individual devices, organizations can now route user traffic to Cloudflare for secure access to privately-hosted applications and secure public Internet access.

Once traffic from all user devices is forwarded to the Cloudflare network, it is time for organizations to revisit their high-level SASE architecture:

![With all devices and networks connected, any traffic destined for company applications and services all flows through Cloudflare, where policies are applied to determine access.](https://developers.cloudflare.com/_astro/cf1-ref-arch-17.Cv4XcukK_ZUwUrV.svg) 

_Note: Labels in this image may reflect a previous product name._

### Verifying users and devices

At this point in implementing SASE architecture, organizations have the ability to route and secure traffic beginning from the point a request is made from a browser on a user's device, all the way through Cloudflare's network to either a company-hosted private application/service or to the public Internet.

But, before organizations define policies to manage that access, they need to know who is making the request and determine the security posture of the device.

#### Integrating identity providers

The first step in any access decision is to determine who is making the request – i.e., to authenticate the user.

Cloudflare integrates with identity providers that manage secure access to resources for organizations' employees, contractors, partners, and other users. This includes support for integrations with any [SAML](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/)- or OpenID Connect ([OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/))-compliant service; Cloudflare One also includes pre-built integrations with [Okta](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/), [Microsoft Entra ID (formerly Azure Active Directory)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/), [Google Workspace](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google-workspace/), as well as consumer IdPs such as [Facebook](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/facebook-login/), [GitHub](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/github/) and [LinkedIn](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/linkedin/).

Multiple IdPs can be integrated, allowing organizations to apply policies to a wide range of both internal and external users. When a user attempts to access a Cloudflare secured application or service, they are redirected to authenticate via one of the integrated IdPs. When using the device agent, users must also authenticate to one of their organization's configured IdPs.

![Users are presented with a list of integrated identity providers before accessing protected applications.](https://developers.cloudflare.com/_astro/cf1-ref-arch-18.dg0Dmn3U_Z1aBTIk.svg) 

Once a user is authenticated, Cloudflare receives that user's information, such as username, group membership, authentication method (password, whether MFA was involved and what type), and other associated attributes (i.e., the user's role, department, or office location). This information from the IdP is then made available to the policy engine.

In addition to user identities, most corporate directories also contain groups to which those identities are members. Cloudflare supports the importing of group information, which is then used as part of the policy. Group membership is a critical part of aggregating single identities so that policies can be less complex. It is far easier — for example — to set a policy allowing all employees in the sales department to access Salesforce, than to identify each user in the sales organization.

Cloudflare also supports authentication of devices that are not typically associated with a human user – such as an IoT device monitoring weather conditions at a factory. For those secure connections, organizations can generate [service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) or create [Mutual TLS ↗](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) (mTLS) certificates that can be deployed to such devices or machine applications.

#### Trusting devices

Not only does the user identity need to be verified, but the security posture of the user's device needs to be assessed. The device agent is able to provide a range of device information, which Cloudflare uses to build comprehensive security policies.

The following built-in posture checks are available:

* [Application check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/application-check/): Checks that a specific application process is running
* [File check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/file-check/): Checks for the presence of a file
* [Firewall](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/firewall/): Checks if a firewall is running
* [Disk encryption](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/disk-encryption/): Checks if/how many disks are encrypted
* [Domain joined](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/domain-joined/): Checks if the device is joined to a Microsoft Active Directory domain
* [OS version](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/): Checks what version of the OS is running
* [Unique Client ID](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/device-uuid/): When using an MDM tool, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device
* [Device serial number](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers

Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/taniums2s/), [Carbon Black](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/carbon-black/), [CrowdStrike](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/sentinelone/), and more. Any data from those products can be passed to Cloudflare for use in access decisions.

All of the above device information, combined with data on the user identity and also the network the device is on, is available in Cloudflare to be used as part of the company policy. For example, organizations could choose to only allow administrators to SSH into servers when all of the following conditions are met: their device is free from threats, running the latest operating system, and joined to the company domain.

Because this information is available for every network request, any time a device posture changes, its ability to connect to an organization's resources is immediately impacted.
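The SSH example above combines an identity condition with several posture conditions, and the sentence that follows it says a posture change takes effect on the very next request. The added example below (not Cloudflare's code) models that decision in a few dozen lines. It follows the Include / Require / Exclude structure that Cloudflare Access policies use, which is an assumption about structure only: Include rules are OR-ed, Require rules are AND-ed, and Exclude rules deny on match. The group names, posture field names (for example `crowdstrike_threat_free`) and version threshold are constructed sample values, not real Cloudflare selectors.

```javascript
// Constructed model of an identity + posture access decision; not Cloudflare's engine.
// The request context is what the policy engine sees: IdP claims plus posture data
// reported by the device agent and EDR integrations.
function makeContext({ email, groups, posture }) {
  return { email, groups: new Set(groups), posture };
}

// Return a copy of a context with updated posture, e.g. after an EDR verdict changes.
function withPosture(ctx, changes) {
  return { ...ctx, posture: { ...ctx.posture, ...changes } };
}

function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Rule selectors (constructed names). Each returns true when the rule matches.
const selectors = {
  email_domain: (ctx, domain) => ctx.email.toLowerCase().endsWith("@" + domain),
  group: (ctx, name) => ctx.groups.has(name),
  posture: (ctx, { check, value }) => ctx.posture[check] === value,
  os_version_at_least: (ctx, min) => compareVersions(ctx.posture.os_version || "0", min) >= 0,
};

function matches(ctx, rule) {
  const [kind, arg] = Object.entries(rule)[0];
  const fn = selectors[kind];
  if (!fn) throw new Error("unknown selector: " + kind);
  return fn(ctx, arg);
}

// Include: at least one must match. Require: all must match. Exclude: none may match.
// The reason is returned so a denial can be logged with its cause.
function evaluate(policy, ctx) {
  if (!policy.include.some((r) => matches(ctx, r))) return { allow: false, reason: "no include rule matched" };
  const failedRequire = (policy.require || []).find((r) => !matches(ctx, r));
  if (failedRequire) return { allow: false, reason: "require rule failed: " + JSON.stringify(failedRequire) };
  const hitExclude = (policy.exclude || []).find((r) => matches(ctx, r));
  if (hitExclude) return { allow: false, reason: "exclude rule matched: " + JSON.stringify(hitExclude) };
  return { allow: true, reason: "ok" };
}

// The page's scenario: SSH for administrators only when the device is free of
// threats, on a current OS, and domain-joined. All values are constructed.
const SSH_ADMIN_POLICY = {
  include: [{ group: "server-admins" }],
  require: [
    { email_domain: "example.com" },
    { posture: { check: "crowdstrike_threat_free", value: true } },
    { posture: { check: "domain_joined", value: true } },
    { os_version_at_least: "14.4" },
  ],
  exclude: [{ group: "terminated" }],
};

const healthyAdmin = makeContext({
  email: "alice@example.com",
  groups: ["server-admins"],
  posture: { crowdstrike_threat_free: true, domain_joined: true, os_version: "14.5" },
});

// Same identity, but the EDR has since flagged a threat: because posture is
// re-evaluated per request, access is withdrawn without any change to the user.
const compromisedAdmin = withPosture(healthyAdmin, { crowdstrike_threat_free: false });
```

The ordering of the checks is deliberate: evaluating Include first means the expensive posture lookups never run for users who are not in scope, and returning a structured reason rather than a bare boolean is what makes denials investigable in the access logs.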

#### Integrating email services

Email — the #1 communication tool for many organizations and the most common channel by which phishing attacks occur — is another important corporate resource that should be secured via a SASE architecture. Phishing is the root cause of upwards of 90% of breaches that lead to financial loss and brand damage.

Cloudflare's email security service scans for signs of malicious content or attachments before they can reach the inbox, and also proactively scans the Internet for attacker infrastructure and attack delivery mechanisms, looking for programmatically-created domains that are used to host content as part of a planned attack. Our service uses all this data to also protect against business and vendor email compromises ([BEC ↗](https://www.cloudflare.com/learning/email-security/business-email-compromise-bec/) / [VEC ↗](https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/)), which are notoriously hard to detect due to their lack of payloads and ability to look like legitimate email traffic.

Instead of deploying tunnels to manage and control traffic to email servers, Cloudflare provides two methods of email security [setup](https://developers.cloudflare.com/email-security/deployment/):

* [Inline](https://developers.cloudflare.com/email-security/deployment/inline/): Redirect all inbound email traffic through Cloudflare before it reaches a user's inbox by modifying MX records
* [API](https://developers.cloudflare.com/email-security/deployment/api/): Integrate Cloudflare directly with an email provider such as Microsoft 365 or Gmail

Modifying MX records (inline deployment) forces all inbound email traffic through our cloud email security service where it is scanned, and — if found to be malicious — blocked from reaching a user's inbox. Because the service works at the MX record level, it is possible to use the email security service with any [SMTP-compliant ↗](https://www.cloudflare.com/learning/email-security/what-is-smtp/) email service.

![Protecting email with Cloudflare using MX records ensures all emails are scanned and categorized.](https://developers.cloudflare.com/_astro/cf1-ref-arch-19.B4iJKLu2_IWNy0.svg) 

Organizations can also opt to integrate email security directly with their email service via APIs. Note that this approach has two drawbacks: Cloudflare supports fewer integrations, and there is always a small delay between the email being delivered to the service and Cloudflare detecting it via the API.

![Protecting email with Cloudflare using APIs avoids the need to change DNS policy, but introduces delays into email detection and limits the types of email services that can be protected.](https://developers.cloudflare.com/_astro/cf1-ref-arch-20.CpqyyvgC_w1wri.svg) 

#### Checkpoint: A complete SASE architecture with Cloudflare

The steps above provide a complete view of evolving to a SASE architecture using Cloudflare One. As the diagram below shows, secure access to all private applications, services, and networks — as well as ensuring the security of users' general Internet access — is now applied to all users in the organization, internal or external.

![A fully deployed SASE solution with Cloudflare protects every aspect of your business. Ensuring all access to applications is secured and all threats from the Internet mitigated.](https://developers.cloudflare.com/_astro/cf1-ref-arch-21.B4dzMu9Q_Z2pc5vA.svg) 

_Note: Labels in this image may reflect a previous product name._

For ease of use, the entire Cloudflare One platform can be configured via [API](https://developers.cloudflare.com/api/); and with Cloudflare's [Terraform provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs), organizations can manage the Cloudflare global network using the same tools they use to automate the rest of their infrastructure. This allows IT teams to fully manage their Cloudflare One infrastructure, including all the policies detailed in the next section, using code. There are also (as of Oct 2023) more than 500 [GitHub ↗](https://github.com/cloudflare) repositories, many of which allow IT teams to use and build tools to manage their Cloudflare deployment.

## Unified management

Now that all users, devices, applications, networks, and other components are seamlessly integrated within a SASE architecture, Cloudflare One provides a centralized platform for comprehensive management. Because of the visibility Cloudflare has across the entire IT infrastructure, Cloudflare can aggregate signals from various sources, including devices, users, and networks. These signals can inform the creation of policies that govern access to organization resources.

Before we go into the details of how policies can be written to manage access to applications, services, and networks connected to Cloudflare, it's worth taking a look at the two main enforcement points in Cloudflare's SASE platform that control access: SWG and the ZTNA services. These services are configured through a single administrative dashboard, simplifying policy management across the entire SASE deployment.

The following diagram illustrates the flow of a request through these services, including the application of policies and the source of data for these policies. In the diagram below, the user request can either enter through the SWG or ZTNA depending on the type of service requested. It's also possible to combine both services, such as implementing a SWG HTTP policy that uses DLP service to inspect traffic related to a privately hosted application behind a ZTNA Cloudflare Tunnel. This configuration enables organizations to block downloads of sensitive data from internal applications that organizations have authorized for external access.

![User requests to the Internet or self hosted applications go through our SWG and/or ZTNA service. Administrators have a single dashboard to manage policies across both.](https://developers.cloudflare.com/_astro/cf1-ref-arch-23.By2O_HTZ_Z24JfLW.svg) 

In the following sections, we introduce examples of how different policies can be configured to satisfy specific use cases. While these examples are not exhaustive, the goal is to demonstrate common ways Cloudflare One can be configured to address the challenges organizations encounter in their transition to a SASE architecture.

Connecting an IdP to Cloudflare provides the ability to make access decisions based on factors such as group membership, authentication method, or specific user attributes. Cloudflare's device agent also supplies additional signals for policy considerations, such as assessing the operating system or verifying the device's serial number against company-managed devices. In addition, several features let administrators incorporate further data into the deployment to build more powerful policies.

### Lists

Cloudflare's vast intelligent network continually monitors billions of web assets and [categorizes them](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) based on our threat intelligence and general knowledge of Internet content. You can use our free [Cloudflare Radar ↗](https://radar.cloudflare.com/) service to examine what categories might be applied to any specific domain. Policies can then include these categories to block known and potential security risks on the public Internet, as well as specific categories of content.

Additionally, Cloudflare's SWG offers the flexibility to create and maintain customized [lists of data](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/). These lists can be uploaded via CSV files, manually maintained, or integrated with other processes and applications using the Cloudflare API. A list can contain the following data:

* URLs
* Hostnames
* Serial numbers (macOS, Windows, Linux)
* Emails
* IP addresses
* Device IDs (iOS, Android)

For example, organizations can maintain a list of the IP addresses of all remote office locations, of short-term contractors' email addresses, or of trusted company domains. These lists can then be used in a policy, for instance to allow contractors access to a specific application only if their traffic is coming from a known office IP address.

### DLP profiles and datasets

Cloudflare looks at various aspects of a request, including the source IP, the requested domain, and the identity of the authenticated user initiating the request. Cloudflare also offers a DLP service which has the ability to detect and block requests based on the presence of sensitive content. The service has built-in DLP profiles for common data types such as financial information, personally identifiable information (PII), and API keys.

There is even a profile for source code, so users can detect and block the transfer of C++ or Python files. Organizations can create customized DLP profiles and use regular expressions to define the patterns of data they are looking for. For data that is hard to describe with a pattern, datasets can be used instead; these match exact data values and allow the bulk upload of any data to be matched, such as lists of customer account IDs or sensitive project names. These profiles and datasets can be incorporated into policies to prevent users from downloading large files containing confidential customer data.

To reduce the risk of false positives, administrators have the option to set a match count on the profile. This means that a specific number of matches within the data are required before the profile triggers. This approach prevents scenarios where a single random string resembling PII or a credit card number would trigger the profile unnecessarily. By setting a match count, the policy demands that multiple data elements match the profile, significantly increasing its accuracy.

Organizations can further increase the accuracy of the DLP profile by enabling context analysis. This feature requires certain proximity keywords to exist within approximately 1000 characters of a match. For example, the string "123-45-6789" will only count as a detection if it is in proximity to keywords such as "ssn". This contextual requirement bolsters the accuracy of the detection process.

The DLP service seamlessly integrates with both Cloudflare's SWG and API-driven CASB services. In the case of the API CASB, DLP profiles are selected for scanning each integration with each SaaS application. This customization allows tailored detection criteria based on the type of data you wish to secure within each application.

For the SWG service, DLP profiles can be included in any policy to detect the existence of sensitive data in any request passing through the gateway. The most common action associated with this detection is to block the request, providing a robust layer of security.
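The following Python model is an added illustration of the three accuracy controls described above (a regular-expression profile, a match count, and context analysis with proximity keywords) together with an exact-match dataset profile and a gateway-style block/allow decision. It is not Cloudflare's DLP engine or API; the profile names, sample documents, account IDs and the 1,000-character window are constructed for the example:

```python
import re
from dataclasses import dataclass

# Added illustration (not Cloudflare's DLP engine): a regex profile with a
# match-count threshold and optional proximity keywords, plus a dataset-style
# exact-match profile. All sample values below are constructed.


@dataclass
class RegexProfile:
    name: str
    pattern: str
    match_count: int = 1            # matches required before the profile triggers
    context_keywords: tuple = ()    # if set, one keyword must appear near each match
    context_window: int = 1000      # characters either side of a match (approximate)

    def _has_context(self, text: str, start: int, end: int) -> bool:
        """Context analysis: is a proximity keyword within the window around the match?"""
        if not self.context_keywords:
            return True
        lo = max(0, start - self.context_window)
        hi = min(len(text), end + self.context_window)
        window = text[lo:hi].lower()
        return any(k.lower() in window for k in self.context_keywords)

    def evaluate(self, text: str) -> dict:
        matches = list(re.finditer(self.pattern, text))
        in_context = [m for m in matches if self._has_context(text, m.start(), m.end())]
        return {
            "profile": self.name,
            "raw_matches": len(matches),
            "contextual_matches": len(in_context),
            "triggered": len(in_context) >= self.match_count,
        }


@dataclass
class DatasetProfile:
    name: str
    values: frozenset          # exact values, e.g. a bulk-uploaded list of account IDs
    match_count: int = 1

    def evaluate(self, text: str) -> dict:
        # Exact data match: tokenize and look each token up in the dataset.
        tokens = re.findall(r"[A-Za-z0-9_-]+", text)
        hits = [t for t in tokens if t in self.values]
        return {"profile": self.name, "raw_matches": len(hits),
                "contextual_matches": len(hits), "triggered": len(hits) >= self.match_count}


def decide_action(text: str, profiles) -> str:
    """Gateway-style decision: block the request if any selected profile triggers."""
    return "block" if any(p.evaluate(text)["triggered"] for p in profiles) else "allow"


# Constructed profiles: a loose SSN profile and a strict one (match count 2 + context).
SSN_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"
SSN_LOOSE = RegexProfile("US SSN (any match)", SSN_PATTERN)
SSN_STRICT = RegexProfile("US SSN (2 matches, in context)", SSN_PATTERN,
                          match_count=2, context_keywords=("ssn", "social security"))
CUSTOMER_ACCOUNTS = DatasetProfile(
    "Customer account IDs", frozenset({"ACCT-48213", "ACCT-90117", "ACCT-00452"}))

# Constructed sample request bodies.
DOC_INVOICE = "Invoice 2024-0012. Tracking reference 123-45-6789, ship to 12 Main St."
DOC_HR = ("Onboarding packet. Employee SSN: 123-45-6789. "
          "Spouse social security number 987-65-4321 for benefits enrolment.")
DOC_EXPORT = "customer,account\nAlice,ACCT-48213\nBob,ACCT-90117\n"

if __name__ == "__main__":
    for doc in (DOC_INVOICE, DOC_HR, DOC_EXPORT):
        for profile in (SSN_LOOSE, SSN_STRICT, CUSTOMER_ACCOUNTS):
            print(profile.evaluate(doc))
        print("action:", decide_action(doc, [SSN_STRICT, CUSTOMER_ACCOUNTS]))
```

The invoice's tracking reference looks like an SSN and trips the loose profile; the strict profile ignores it because no proximity keyword is nearby and only one match is present, while the HR document (two matches, both near "SSN"/"social security") and the account export (exact dataset hits) are blocked.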

### Access Groups

Access Groups are a powerful tool in the ZTNA service for aggregating users or devices into a unified entity that can be referenced within a policy. Within Cloudflare, multiple pieces of information can be combined into a single Access Group, efficiently reusing data across multiple policies while maintaining it in one centralized location.

Consider an Access Group designed to manage access to critical server infrastructure. The same Access Group can be used in a device agent policy that prevents administrators from disabling their connection to Cloudflare. This approach streamlines policy management and ensures consistency across various policy implementations.

Below is a diagram featuring an Access Group named "Secure Administrators," which uses a range of attributes to define the characteristics of secure administrators. The diagram shows the addition of two other Access Groups within "Secure Administrators". The groups include devices running on either the latest Windows or macOS, along with the requirement that the device must have either FileVault or BitLocker enabled.

![An example of using Access Groups can be for grouping up many device, network or user attributes into a single policy that can be reused across applications.](https://developers.cloudflare.com/_astro/cf1-ref-arch-24.aWooHqll_22Jt0n.svg) 

Consistent with Cloudflare's overarching flexibility, Access Groups can be created, updated, and applied to policies through Cloudflare API or using Terraform. This allows a seamless integration with existing IT systems and processes, ensuring a cohesive approach to access management.

Now that we have a solid understanding of all the components available, let's zoom in and take a look at some common use cases and how they are configured. Keep in mind that Cloudflare's policy engines are incredibly powerful and flexible, so these examples are just a glimpse into the capabilities of Cloudflare's SASE platform.

### Example use cases

#### Secure access to self hosted apps and services

One common driver for moving to a SASE architecture is replacing existing VPN connectivity with a more flexible and secure solution. The Cloudflare One SASE architecture enables high-performance, secure access to self-hosted applications from anywhere in the world. The next step entails defining the policies that control access to resources.

In this example, consider two services: a database administration application ([pgadmin ↗](https://www.pgadmin.org/) for example) and an SSH daemon running on the database server. The diagram below illustrates the flow of traffic and highlights the ZTNA service. It's important to note that all other services still retain the ability to inspect the request. For instance, the contractor using their personal cell phone in Germany should only have access to the db admin tool, while the employee on a managed device can access both the db admin tool and SSH into the database server.

![An employee working on a managed device at home can access both the db admin tool as well as the SSH service. However a contractor in Germany only has access to the db admin tool.](https://developers.cloudflare.com/_astro/cf1-ref-arch-25.DbM82XF7_NBUE1.svg) 

The policies that enable access rely on two Access Groups.

* Contractors  
   * Users who authenticate through Okta and are part of the Okta group labeled "Contractors"  
   * Authentication requires the use of a hardware token
* Database and IT administrators  
   * Users who authenticate through Okta and are in the Okta groups "IT administrators" or "Database administrators"  
   * Authentication requires the use of a hardware token  
   * Users should be on a device with a serial number in the "Managed Devices" list

Both of these groups are then used in two different access policies.

* Database administration tool access  
   * Database and IT admins are allowed access  
   * Members of the "Contractors" access group are allowed access, but each authenticated session requires the user to complete a justification request  
   * The admin tool is rendered in an isolated browser on Cloudflare's Edge network and file downloads are disabled
* Database server SSH access  
   * "Database and IT administrators" group is allowed access  
   * Their device must pass a CrowdStrike risk score of at least 80  
   * Access must come from a device that is running our device agent and is connected to Cloudflare

These policies show that contractors are only allowed access to the database administration tool and do not have SSH access to the server. IT and database administrators can access the SSH service only when their devices are securely connected to Cloudflare via the device agent. Every element of the access groups and policies is evaluated for every login, so an IT administrator using a compromised laptop or a contractor unable to authenticate with a hardware token will be denied access.
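The following Python model is an added illustration, not Cloudflare's policy engine or Terraform provider, of how the reusable pieces above fit together: a serial-number List, the two Access Groups, the nested "Secure Administrators" group from the earlier diagram, and the two application policies for the database admin tool and the SSH service. The request attributes, serial numbers, OS version strings, the `hwk` authentication-method label and the CrowdStrike score are constructed assumptions for the example; the one behaviour it is careful to preserve is that no matching policy means deny:

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Added illustration (not Cloudflare's policy engine): Lists and Access Groups
# feeding reusable application policies. Sample values are constructed.


@dataclass(frozen=True)
class Request:
    email: str
    idp_groups: frozenset            # groups asserted by the IdP (Okta in the text)
    auth_method: str                 # "hwk" = hardware token, "pwd" = password only (assumed labels)
    source_ip: str
    device_serial: Optional[str] = None
    device_os: Optional[str] = None  # constructed labels, e.g. "macos-latest", "windows-latest"
    disk_encrypted: bool = False     # FileVault / BitLocker posture signal
    agent_connected: bool = False    # device agent running and connected to Cloudflare
    crowdstrike_score: Optional[int] = None


Rule = Callable[[Request], bool]

# A reusable List of managed-device serial numbers (constructed values).
MANAGED_DEVICES = frozenset({"C02ZX1A2B3C4", "PF3K9L0M"})


@dataclass
class AccessGroup:
    name: str
    include: list                                   # any of these rules or groups must match
    require: list = field(default_factory=list)     # all of these must match

    def matches(self, req: Request) -> bool:
        def ok(item) -> bool:   # groups can nest inside groups
            return item.matches(req) if isinstance(item, AccessGroup) else item(req)
        return any(ok(i) for i in self.include) and all(ok(r) for r in self.require)


def okta_group(name: str) -> Rule:
    return lambda r: name in r.idp_groups


def auth_method(method: str) -> Rule:
    return lambda r: r.auth_method == method


def serial_in_list(serials: frozenset) -> Rule:
    return lambda r: r.device_serial in serials


CONTRACTORS = AccessGroup("Contractors",
                          include=[okta_group("Contractors")],
                          require=[auth_method("hwk")])
ADMINS = AccessGroup("Database and IT administrators",
                     include=[okta_group("IT administrators"), okta_group("Database administrators")],
                     require=[auth_method("hwk"), serial_in_list(MANAGED_DEVICES)])

# Nested groups, as in the "Secure Administrators" diagram.
ENCRYPTED_MAC = AccessGroup("Latest macOS", include=[lambda r: r.device_os == "macos-latest"],
                            require=[lambda r: r.disk_encrypted])
ENCRYPTED_WIN = AccessGroup("Latest Windows", include=[lambda r: r.device_os == "windows-latest"],
                            require=[lambda r: r.disk_encrypted])
SECURE_ADMINS = AccessGroup("Secure Administrators",
                            include=[ENCRYPTED_MAC, ENCRYPTED_WIN], require=[ADMINS])


@dataclass
class Policy:
    name: str
    groups: list                                    # any of these Access Groups
    require: list = field(default_factory=list)     # extra per-policy rules
    justification: bool = False                     # user must justify each session


@dataclass
class Application:
    name: str
    policies: list
    isolate_browser: bool = False
    allow_downloads: bool = True


def evaluate(app: Application, req: Request) -> dict:
    """First matching policy wins; no match means deny (the Zero Trust default)."""
    for p in app.policies:
        if any(g.matches(req) for g in p.groups) and all(rule(req) for rule in p.require):
            return {"decision": "allow", "policy": p.name, "justification_required": p.justification,
                    "isolated": app.isolate_browser, "downloads": app.allow_downloads}
    return {"decision": "deny", "policy": None}


DB_ADMIN_TOOL = Application("pgadmin", isolate_browser=True, allow_downloads=False, policies=[
    Policy("Admins", groups=[ADMINS]),
    Policy("Contractors with justification", groups=[CONTRACTORS], justification=True),
])
DB_SSH = Application("db-server-ssh", policies=[
    Policy("Admins on healthy managed devices", groups=[ADMINS],
           require=[lambda r: (r.crowdstrike_score or 0) >= 80, lambda r: r.agent_connected]),
])

# Constructed requests: a contractor on a personal phone, an admin on a managed laptop.
CONTRACTOR_PHONE = Request("cara@contractor.example", frozenset({"Contractors"}), "hwk", "192.0.2.44")
ADMIN_LAPTOP = Request("dan@example.com", frozenset({"Database administrators"}), "hwk", "203.0.113.10",
                       device_serial="C02ZX1A2B3C4", device_os="macos-latest", disk_encrypted=True,
                       agent_connected=True, crowdstrike_score=92)

if __name__ == "__main__":
    for app in (DB_ADMIN_TOOL, DB_SSH):
        for req in (CONTRACTOR_PHONE, ADMIN_LAPTOP):
            print(app.name, req.email, evaluate(app, req))
```

Because every rule is re-evaluated per request, the same admin on a device whose CrowdStrike score has dropped below 80, or a contractor who authenticated with a password instead of a hardware token, falls through to the deny at the bottom of `evaluate` rather than inheriting an earlier allow.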

Both user groups will connect to Cloudflare through the closest and fastest access point of Cloudflare's globally distributed network, resulting in a high quality experience for all users no matter where they are.

#### Threat defense for distributed offices and remote workers

Another reason for using a SASE solution is to apply company security policies consistently across all users (whether they are employees or contractors) in the organization, regardless of where they work. The Cloudflare One SASE architecture shows that all user traffic, whether routed directly on the device or through the connected network, will go through Cloudflare. Cloudflare's SWG then handles inspection of this traffic. Depending on the connection method, policies can be applied either to the HTTP or DNS request. For example:

![Blocking high risk websites can be done by selecting a few options in the SWG policy](https://developers.cloudflare.com/_astro/cf1-ref-arch-26.CctZYYxb_Zudxsc.svg) 

This single policy can then be applied to secure and protect all users. An administrator can write another policy allowing access to social media websites while isolating all sessions in a remote browser hosted on Cloudflare's network.

![Isolating all social media websites can be done by identifying the application or website name and selecting what actions the user can take, such as stopping them from copy and pasting or printing.](https://developers.cloudflare.com/_astro/cf1-ref-arch-27.BlDxrRwj_2nRDyn.svg) 

With this setup, the following security measures apply to every request to a social media website:

* Any content on the social media website that contains harmful code is prevented from executing on the local device
* Users are prevented from downloading content from the site that could potentially be infected with malware or spyware

#### Data protection for regulatory compliance

Because Cloudflare One has visibility over every network request, administrators can create policies that apply to the data in the request. This means that the DLP service can be used to detect the download of content from an application and block it for specific groups of users. Consider the following policy.

![Our DLP policies allow for the inspection of content in a request and blocking it.](https://developers.cloudflare.com/_astro/cf1-ref-arch-28.DKy2S5nx_2nRDyn.svg) 

This policy would prevent contractors from downloading a file containing customer account information. Furthermore, an administrator can configure an additional policy to block the same download if the user's device does not meet specific security posture requirements. This ensures the consistent enforcement of a common rule: no sensitive customer data can be downloaded onto a device that does not meet the required security standards.

DLP policies can also be applied in the other direction, ensuring that company-sensitive documents are not uploaded to non-approved cloud storage or social media.

![A DLP policy can also examine if a HTTP PUT, i.e. a file upload, is taking place to a non approved application where the request contains sensitive data.](https://developers.cloudflare.com/_astro/cf1-ref-arch-29.BGL4hCeF_2nRDyn.svg) 

### Visibility across the deployment

At this point in the SASE journey, the organization has re-architected its IT network and security infrastructure to fully leverage all the capabilities of the Cloudflare One SASE platform. A critical element of a long-term deployment is establishing complete visibility into the organization and the ability to diagnose and quickly resolve issues.

For quick analysis, Cloudflare provides built-in dashboards and analytics that offer a daily overview of the deployment's operational status. As traffic flows through Cloudflare, the dashboard highlights the most frequently used SaaS applications, enabling quick action if any unauthorized applications are being accessed. Moreover, all logging information from all Cloudflare One services is accessible and searchable from the administrator's dashboard. This makes it efficient to filter for specific blocked requests, with each log entry containing useful information such as the user's identity, device information, and the specific rule that triggered the block. This is very handy in the early stages of deployment, when rules often need tweaking.
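As an added example of the kind of filtering described above, the Python below parses a small batch of constructed Gateway-style log events (newline-delimited JSON), pulls out the blocked requests for a given user or rule, and flags the rules that block most often, which are the first candidates for tuning early in a deployment. It is not Cloudflare's dashboard or Logpush code; the field names (`Action`, `Email`, `DeviceName`, `PolicyName`, `URL`) follow the shape of Gateway HTTP logs but should be treated as assumptions, and every event, user and URL is constructed:

```python
import json
from collections import Counter, defaultdict

# Added illustration (not Cloudflare's dashboard or Logpush code). The events
# below are constructed; field names are assumptions modelled on Gateway HTTP logs.
# One deliberately malformed line shows that a bad record does not abort the batch.
SAMPLE_LOGS = """\
{"Datetime":"2024-05-01T09:12:03Z","Email":"dan@example.com","DeviceName":"dan-mbp","Action":"allow","PolicyName":"","URL":"https://wiki.internal.example/home"}
{"Datetime":"2024-05-01T09:12:40Z","Email":"cara@contractor.example","DeviceName":"cara-phone","Action":"block","PolicyName":"Block high risk categories","URL":"http://malware-sample.example/payload"}
{"Datetime":"2024-05-01T09:13:05Z","Email":"cara@contractor.example","DeviceName":"cara-phone","Action":"block","PolicyName":"DLP: customer accounts","URL":"https://pgadmin.internal.example/export.csv"}
this line is not JSON and is skipped by the parser
{"Datetime":"2024-05-01T09:14:11Z","Email":"eve@example.com","DeviceName":"eve-win","Action":"isolate","PolicyName":"Isolate social media","URL":"https://social.example/feed"}
{"Datetime":"2024-05-01T09:15:27Z","Email":"dan@example.com","DeviceName":"dan-mbp","Action":"block","PolicyName":"Block high risk categories","URL":"http://phish.example/login"}
{"Datetime":"2024-05-01T09:16:00Z","Email":"eve@example.com","DeviceName":"eve-win","Action":"block","PolicyName":"DLP: customer accounts","URL":"https://pgadmin.internal.example/export.csv"}
"""


def parse_logs(text: str) -> list:
    """Parse NDJSON events, skipping blank or malformed lines instead of failing the batch."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def blocked_events(events: list, user: str = None, policy: str = None) -> list:
    """Blocked requests, optionally narrowed to one user identity and/or one rule."""
    return [e for e in events
            if e.get("Action") == "block"
            and (user is None or e.get("Email") == user)
            and (policy is None or e.get("PolicyName") == policy)]


def blocks_by_policy(events: list) -> Counter:
    """How many blocks each rule produced."""
    return Counter(e.get("PolicyName", "") for e in blocked_events(events))


def blocks_by_user(events: list) -> dict:
    """Per user: (rule, URL) pairs for each block, with the device that was used."""
    out = defaultdict(list)
    for e in blocked_events(events):
        out[e.get("Email")].append((e.get("PolicyName"), e.get("URL"), e.get("DeviceName")))
    return dict(out)


def noisy_policies(events: list, threshold: int) -> list:
    """Rules that blocked at least `threshold` times: candidates for review and tuning."""
    return sorted(name for name, n in blocks_by_policy(events).items() if n >= threshold)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("events parsed:", len(events))
    print("blocks by rule:", dict(blocks_by_policy(events)))
    print("blocks by user:", blocks_by_user(events))
    print("rules to review:", noisy_policies(events, threshold=2))
```

The same filters map onto an exported log stream: the user identity, device name and rule name on each blocked record are exactly the fields the text says make a block actionable, and grouping by rule is the quickest way to spot a policy that is firing more than intended.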

However, many organizations rely on existing dedicated tools to manage long-term visibility over the performance of their infrastructure. To support this, Cloudflare allows the export of all logging information into such tools. Every aspect of Cloudflare One is logged and can be exported. Cloudflare offers built-in integrations for the continuous transmission of small data batches to a variety of platforms, including AWS, Google Cloud Storage, SumoLogic, Azure, Splunk, Datadog, and any S3-compatible service. Organizations can select which fields to export, controlling the type and volume of data incorporated into existing tools.

In addition to the logs related to traffic and policies, Cloudflare also audits management activity. All administrative actions and changes to Cloudflare Tunnels are logged. This allows for change management auditing and, like all other logs, can be exported into other tools as part of a wider change management monitoring solution.

#### Digital Experience Monitoring

Cloudflare has [deep insight ↗](https://radar.cloudflare.com/) into the performance of the Internet and connected networks and devices. This knowledge empowers IT administrators with visibility into minute-by-minute experiences of their end-users, enabling swift resolution of issues that impact productivity.

The Digital Experience Monitoring (DEM) service enables IT to run constant tests against user devices to determine the quality of the connection to company resources. The results of these tests are available on the Cloudflare One dashboard, enabling IT administrators to review and identify root causes when a specific user encounters difficulties accessing an application. These issues could stem from the user's local ISP or a specific underperforming SaaS service provider. This data helps administrators diagnose and address poor user experiences, leading to faster issue resolution.

The dashboard shows a comprehensive summary of the entire device fleet, displaying real-time and historical connectivity metrics for all organization devices. IT admins can then drill down into specific devices for further analysis.

## Summary

Having acquired a comprehensive understanding of Cloudflare's SASE platform, you are now well-equipped to integrate it with existing infrastructure. This system efficiently secures access to applications for both employees and external users, starting from the initial request on the device and extending across every network to the application, regardless of its location. This powerful new model for securing networks, applications, devices, and users is built on the massive Cloudflare network and managed through an intuitive management interface.

It's worth noting that many of the capabilities described in this document can be used for free, without any time constraints, for up to 50 users. [Sign up ↗](https://dash.cloudflare.com/sign-up) for an account and head to the [Cloudflare One ↗](https://one.dash.cloudflare.com/) section. While this document has provided an overview of the platform as a whole, for those interested in delving deeper into specific areas, we recommend exploring the following resources.

| Topic                     | Content                                                                                                                                                                                                             |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Cloudflare Tunnels        | [Understanding Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) \- [Open source repository for cloudflared ↗](https://github.com/cloudflare/cloudflared) |
| WAN as a Service          | [Cloudflare WAN documentation](https://developers.cloudflare.com/cloudflare-wan/) \- [WAN transformation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/wan-transformation/)  |
| Secure Web Gateway        | [How to build Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)                                                                                                                 |
| Zero Trust Network Access | [How to build Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)                                                                                                          |
| Remote Browser Isolation  | [Understanding browser isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)                                                                                                       |
| API-Driven CASB           | [Scanning SaaS applications](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)                                                                                                         |
| Email security            | [Understanding Cloudflare Email security](https://developers.cloudflare.com/email-security/)                                                                                                                        |
| Replacing your VPN        | [Using Cloudflare to replace your VPN](https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/)                                                                                                      |

If you would like to discuss your SASE requirements in greater detail and connect with one of our architects, please visit [https://www.cloudflare.com/cloudflare-one/ ↗](https://www.cloudflare.com/cloudflare-one/) and request a consultation.


---

---
title: Account limits
description: Reference information for Account limits in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Account limits

This page lists the default account limits for rules, applications, fields, and other features. These limits may be increased on Enterprise accounts. To request a limit increase, contact your account team.

## Access

| Feature                  | Limit |
| ------------------------ | ----- |
| Applications             | 500   |
| Audit Logpush jobs       | 5     |
| Email addresses per rule | 1,000 |
| Rule groups              | 300   |
| Rules per rule group     | 1,000 |
| IP addresses per rule    | 1,000 |
| mTLS root certificates   | 50    |
| Service tokens           | 50    |
| Identity providers       | 50    |
| Reusable policies        | 500   |
| Rules per application    | 1,000 |
| Domains per application  | 5     |
| Infrastructure targets   | 5,000 |
| MCP portals              | 20    |
| MCP servers per portal   | 10    |

## Gateway

| Feature                                   | Limit |
| ----------------------------------------- | ----- |
| DNS policies per account                  | 500   |
| Network policies per account              | 500   |
| HTTP policies per account                 | 500   |
| Egress policies per account               | 500   |
| Resolver policies per account             | 500   |
| DNS locations                             | 250   |
| Source IP CIDRs per DNS location          | 1,500 |
| Concurrent streams for HTTP/2 connections | 256   |
| PAC files (Standard users)                | 50    |
| PAC files (Enterprise users)              | 1,000 |
| Proxy endpoints (Standard users)          | 50    |
| Proxy endpoints (Enterprise users)        | 500   |
| Source IP CIDRs per proxy endpoint        | 2,000 |
| Lists                                     | 100   |
| Entries per list (Standard users)         | 1,000 |
| Entries per list (Enterprise users)       | 5,000 |
| List API requests per minute              | 600   |
| DNS Logpush jobs                          | 5     |
| HTTP Logpush jobs                         | 5     |

## Data Loss Prevention (DLP)

| Feature                                  | Limit     |
| ---------------------------------------- | --------- |
| Custom entries                           | 25        |
| Exact Data Match cells per spreadsheet   | 100,000   |
| Custom Wordlist keywords per spreadsheet | 200       |
| Custom Wordlist keywords per account     | 1,000     |
| Dataset cells per account                | 1,000,000 |

## Cloudflare Tunnel

| Feature                                            | Limit                               |
| -------------------------------------------------- | ----------------------------------- |
| cloudflared tunnels per account                    | 1,000                               |
| Routes (CIDR routes + Hostname routes) per account | 1,000 (shared with Cloudflare Mesh) |
| Active cloudflared replicas per tunnel             | 25                                  |
| Virtual networks per account                       | 1,000                               |

## Cloudflare Mesh

| Feature                          | Limit                                 |
| -------------------------------- | ------------------------------------- |
| Mesh nodes per account           | 50                                    |
| Routes (CIDR routes) per account | 1,000 (shared with Cloudflare Tunnel) |

## Digital Experience Monitoring (DEX)

| Feature                 | Limit                                                                      |
| ----------------------- | -------------------------------------------------------------------------- |
| DEX Tests per account   | Zero Trust Free: 10; Zero Trust Standard: 30; Zero Trust Enterprise: 50    |
| Remote captures per day | Zero Trust Free: 100; Zero Trust Standard: 200; Zero Trust Enterprise: 800 |

## Certificates

| Feature                        | Limit |
| ------------------------------ | ----- |
| Active certificates            | 10    |
| Certificates generated per day | 3     |
| Custom certificates            | 5     |

## Maximum number of characters

| Feature                       | Character limit |
| ----------------------------- | --------------- |
| Application name              | 350             |
| Group name                    | 350             |
| mTLS certificates name        | 350             |
| Service token name            | 350             |
| IdP name                      | 350             |
| Target name                   | 255             |
| Application URL               | 63              |
| Team domain                   | 63              |
| Gateway API policy expression | 140,000         |

## Cloudflare One Client

| Feature                                                                    | Limit  |
| -------------------------------------------------------------------------- | ------ |
| Characters per device profile expression                                   | 10,000 |
| Combined Split Tunnel and Local Domain Fallback entries per device profile | 1,000  |
| Device IP profiles per account                                             | 30     |


---

---
title: FAQ
description: FAQ resources and guides for Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# FAQ

Review answers to the most commonly asked questions on Cloudflare Zero Trust, as well as a troubleshooting section to help you solve common issues and errors you may come across.

If you cannot find the answer you are looking for, go to our [community page ↗](https://community.cloudflare.com/) and post your question there.

---

## Getting started with Cloudflare Zero Trust

For extra guidance on experiencing Cloudflare Zero Trust for the first time.

[ Getting started ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/) 

## General

For general questions on Cloudflare Zero Trust and how it works.

[ General ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/general-faq/) 

## Identity

For questions on identity providers and accessing applications behind Cloudflare Zero Trust.

[ Identity ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/authentication-faq/) 

## Policies

For questions on how policies work, and how to create and test them.

[ Policies ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/policies-faq/) 

## Devices

For questions on device connectivity and the Cloudflare One Client.

[ Devices ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/devices-faq/) 

## Tunnels

For questions on connecting applications with Tunnels.

[ Tunnels ❯ ](https://developers.cloudflare.com/cloudflare-one/faq/cloudflare-tunnels-faq/) 

---

---
title: Identity FAQ
description: Review frequently asked questions about identity and identity providers in Cloudflare Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Identity FAQ

## Can Access work with multiple identity providers at the same time?

Yes. Your team can simultaneously use multiple providers, reducing friction when working with partners or contractors. Get started by adding your preferred identity providers as login methods in Zero Trust. Then, when securing a new application behind Access, you'll be able to choose which providers you want your users to log in with to reach that application.

## What if the identity provider my team uses is not listed?

You can add your preferred identity providers to Cloudflare Access even if you do not see them listed in Zero Trust, as long as these providers support SAML 2.0 or [OpenID Connect (OIDC)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/).

## How do end users log out of an application protected by Access?

Access provides a URL that will end a user's current session.

To force log out of an Access application, go to:

`<your-application-domain>/cdn-cgi/access/logout`

To log out of an App Launcher session, go to:

`<your-team-name>.cloudflareaccess.com/cdn-cgi/access/logout`

For more information, refer to our [session management page](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#log-out-as-a-user).

---

---
title: Tunnels FAQ
description: Review frequently asked questions about tunnels in Cloudflare Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Tunnels FAQ

## Can I create a Tunnel for an apex domain?

Yes. With [Named Tunnels ↗](https://blog.cloudflare.com/argo-tunnels-that-live-forever/) you can create a CNAME at the apex that points to the named tunnel.

## Does Cloudflare Tunnel support Websockets?

Yes. Cloudflare Tunnel has full support for Websockets.

## Does Cloudflare Tunnel support gRPC?

Yes. Cloudflare Tunnel supports gRPC traffic via [private subnet routing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). Public hostname deployments are not currently supported.

## How can Tunnel be used with Partial DNS (CNAME Setup)?

Cloudflare offers two modes of setup: [Full Setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/), in which the domain uses Cloudflare DNS nameservers, and [Partial Setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/) (also known as CNAME setup) in which the domain uses non-Cloudflare DNS servers.

The best experience with Cloudflare Tunnel is using Full Setup because Cloudflare manages DNS for the domain and can automatically configure DNS records for newly started Tunnels.

You can still use Tunnel with Partial Setup, but you will need to create a DNS record with your current DNS provider for each new hostname connected through Cloudflare Tunnel. The record should be of type CNAME, or ALIAS if it is at the root of the domain. The name of the record is the hostname it corresponds to (for example, `example.com` or `tunnel.example.com`) and the value of the record is that hostname followed by `.cdn.cloudflare.net`, that is, `subdomain.domain.tld.cdn.cloudflare.net` (for example, `example.com.cdn.cloudflare.net` or `tunnel.example.com.cdn.cloudflare.net`).

For a complete walkthrough of using Access with a partial CNAME setup, refer to [Publish a self-hosted application to the Internet](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#partial-cname-setup).

## How can origin servers be secured when using Tunnel?

Tunnel can expose web applications to the Internet that sit behind a NAT or firewall. Thus, you can keep your web server otherwise completely locked down. To double check that your origin web server is not responding to requests outside Cloudflare while Tunnel is running you can run netcat in the command line:

```sh
netcat -zv [your-server's-ip-address] 80
netcat -zv [your-server's-ip-address] 443
```

If your server is still responding on those ports, you will see:

```
[ip-address] 80 (http) open
```

If your server is correctly locked down, you will see:

```
[ip-address] 443 (https): Connection refused
```
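
The netcat check above distinguishes an open port from a refused one, but a firewall that silently drops packets shows up as a timeout rather than "Connection refused", and that is what a correctly locked-down origin behind a NAT usually looks like. As an added example that is not part of the Cloudflare documentation, the following Python script performs the same probe with the standard `socket` module and classifies each port as open, refused or filtered. The loopback self-check at the end is constructed for demonstration only.

```python
"""Check whether an origin still answers directly on its web ports.

Added example, not from the Cloudflare documentation. It reproduces the
netcat check with Python's socket module and also reports the "filtered"
case (no TCP answer at all), which netcat prints as a timeout.
"""
import socket
import sys
from typing import Dict, List, Tuple

# Outcomes a single TCP connect attempt can produce.
OPEN = "open"          # the origin is reachable outside the tunnel
REFUSED = "refused"    # nothing listening, or a firewall REJECT rule
FILTERED = "filtered"  # no answer at all: a DROP rule, or a NAT with no forward


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return REFUSED
    except socket.gaierror:
        raise  # a typo in the hostname is a configuration error, not a probe result
    except OSError:
        # Timeouts and "no route to host" both mean the packets produced no
        # TCP answer, which is what a locked-down origin looks like from outside.
        return FILTERED


def check_origin(host: str, ports: Tuple[int, ...] = (80, 443)) -> Dict[int, str]:
    """Probe each port and return {port: outcome}."""
    return {port: probe_port(host, port) for port in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports that still accept direct connections. This should be empty when
    only cloudflared is allowed to reach the origin."""
    return sorted(port for port, state in results.items() if state == OPEN)


def probe_local_listener() -> Tuple[str, str]:
    """Constructed self-check: open a listener on a loopback port, probe it,
    close it and probe again. Expected result: ("open", "refused")."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        before = probe_port("127.0.0.1", port)
    finally:
        listener.close()
    after = probe_port("127.0.0.1", port)
    return before, after


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_origin(target)
    for port, state in results.items():
        print(f"{target}:{port} {state}")
    if exposed_ports(results):
        print("origin is still reachable directly; tighten the firewall")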

## What records are created for routing to a Named Tunnel's hostname?

Named Tunnels can be routed either via DNS records, in which case we create CNAME records that point to `<UUID>.cfargotunnel.com`, or as Load Balancing endpoints, which also point to `<UUID>.cfargotunnel.com`.
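
The Partial Setup answer above and this one together define which DNS record a tunnel hostname needs, and getting the apex case wrong (a CNAME where only an ALIAS is allowed) is a common misconfiguration. As an added example, not Cloudflare's own tooling, the following Python helper encodes those rules for both setup modes. It assumes lowercase hostnames that belong to the given zone; the tunnel UUID used in the demo is a constructed placeholder.

```python
"""Work out the DNS record that routes a hostname to a Cloudflare Tunnel.

Added example, not Cloudflare code. It encodes two rules stated in this FAQ:
in Full Setup a hostname is a CNAME to <UUID>.cfargotunnel.com (including at
the apex); in Partial (CNAME) Setup the record at the external DNS provider
points to <hostname>.cdn.cloudflare.net and must be an ALIAS rather than a
CNAME when the hostname is the zone apex.
"""
from dataclasses import dataclass
import re
import uuid

# Lowercase DNS labels; deliberately strict so that typos fail early.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass(frozen=True)
class DnsRecord:
    name: str     # record name as entered at the DNS provider
    type: str     # CNAME, or ALIAS at the apex in Partial Setup
    content: str  # record target


def _check_hostname(hostname: str, zone: str) -> None:
    """Reject hostnames that are malformed or outside the zone."""
    for label in hostname.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"bad DNS label in {hostname!r}: {label!r}")
    if hostname != zone and not hostname.endswith("." + zone):
        raise ValueError(f"{hostname!r} is not in zone {zone!r}")


def is_apex(hostname: str, zone: str) -> bool:
    return hostname == zone


def full_setup_record(hostname: str, zone: str, tunnel_id: str) -> DnsRecord:
    """Full Setup: Cloudflare hosts the zone, so the record is a CNAME to the
    tunnel UUID, also at the apex as the FAQ states."""
    _check_hostname(hostname, zone)
    tunnel_uuid = uuid.UUID(tunnel_id)  # raises ValueError if it is not a UUID
    return DnsRecord(hostname, "CNAME", f"{tunnel_uuid}.cfargotunnel.com")


def partial_setup_record(hostname: str, zone: str) -> DnsRecord:
    """Partial Setup: the external provider needs a CNAME, or an ALIAS at the
    apex because a CNAME cannot coexist with the apex SOA and NS records."""
    _check_hostname(hostname, zone)
    record_type = "ALIAS" if is_apex(hostname, zone) else "CNAME"
    return DnsRecord(hostname, record_type, f"{hostname}.cdn.cloudflare.net")


if __name__ == "__main__":
    demo_tunnel = str(uuid.uuid4())  # constructed placeholder, not a real tunnel
    for host in ("example.com", "tunnel.example.com"):
        print(full_setup_record(host, "example.com", demo_tunnel))
        print(partial_setup_record(host, "example.com"))
```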

## Does Cloudflare Tunnel send visitor IPs to my origin?

No. When using Cloudflare Tunnel, all requests to the origin are made internally between `cloudflared` and the origin.

To log external visitor IPs, you will need to [configure an alternative method](https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/).

## Why do the names 'warp' and 'argo' appear in some legacy materials?

Cloudflare Tunnel was previously named Warp during the beta phase. As Warp was added to the Argo product family, we changed the name to Argo Tunnel to match. Once we no longer required users to purchase Argo to create Tunnels, we renamed Argo Tunnel to Cloudflare Tunnel.

## Is it possible to restore a deleted tunnel?

No. You cannot undo a tunnel deletion. If the tunnel was locally-managed, its [config.yaml file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#configuration-file) will still be present and you can create a new tunnel with the same configuration. If the tunnel was remotely-managed, both the tunnel and its configuration are permanently deleted.

## How do I contact support?

Before contacting the Cloudflare support team:

1. Take note of any specific error messages and/or problematic behaviors.
2. Make sure that `cloudflared` is updated to the [latest version ↗](https://github.com/cloudflare/cloudflared).
3. Gather any relevant error/access logs from your server.
4. If needed, set [--loglevel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#loglevel) to `debug`, so the Cloudflare support team can get more info from the `cloudflared.log` file.
5. Include your [Cloudflare Tunnel diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/) (`cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip`).

---

---
title: Devices FAQ
description: Review frequently asked questions about devices in Cloudflare Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Devices FAQ

## Why does my Windows device appear to switch from Wi-Fi to Ethernet when I enable the Cloudflare One Client?

As the Cloudflare One Client has replaced WinDivert with WinTun architecture, all Windows machines using WinTun will show as being connected using a virtual adapter. Windows, by default, shows virtual adapter connections with a wired Ethernet connection icon, even if the device is connected over wireless. This is by design and should have no impact on connectivity.

## Why is my device not connecting to a closer Cloudflare data center?

As our [Network Map ↗](https://www.cloudflare.com/en-gb/network/) shows, we have locations all over the globe. However, in the Advanced Connection stats of our application, you may notice that the data center (colo) you are connecting to isn't necessarily the one physically closest to your location. This can be due to a number of reasons:

* Sometimes your nearest colo may be undergoing maintenance or having problems. Check the [Cloudflare Status page ↗](https://www.cloudflarestatus.com/) for system status.
* Your Internet provider may choose to route traffic along an alternate path for reasons such as cost savings, reliability, or other infrastructure concerns.

## Why is my public IP address sometimes visible?

The Cloudflare One Client is meant to keep all your traffic private between you and the origin (the site you are connecting to), but not from the origin itself. In a number of cases, if the origin site you are communicating with cannot determine who you are and where you are from, it cannot serve locale-relevant content to you. Sites inside the Cloudflare network are able to see this information; if a site is showing you your IP address, chances are it is in our network. Most sites outside our network (orange clouded sites), however, are unable to see this information and instead see the nearest egress colo to their server. We are working on whether, in the future, we can find a way to more easily share this information with a limited number of gray clouded sites where it is relevant to both parties.

## Why has my throughput dropped while using the Cloudflare One Client?

The Cloudflare One Client is in part powered by 1.1.1.1. When visiting sites or going to a new location on the Internet, you should see blazing fast DNS lookups. However, the Cloudflare One Client is built to trade some throughput for enhanced privacy, because it encrypts all traffic both to and from your device. While this isn't noticeable at most mobile speeds, on desktop systems in countries where high speed broadband is available, you may notice a drop. We think the tradeoff is worth it though and continue to work on improving performance all over the system.

## Why is my device not connecting to a public Wi-Fi?

The Wi-Fi network may have a captive portal that is blocking the Cloudflare One Client from establishing a secure connection. In order to access the portal, and therefore the Internet, you will need to temporarily turn off the Cloudflare One Client. After you log in to the captive portal through your browser, you can turn the Cloudflare One Client back on to access corporate resources.

For more information, refer to [Captive portal detection](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/).

## Why is my device not connecting to the Internet?

A third-party service or ISP may be blocking WARP, or Zero Trust settings may be misconfigured. For a list of common issues and steps to resolve, refer to our [troubleshooting guide](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/).

## Why is my device not connecting to the corporate Wi-Fi?

An [OS firewall rule](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#system-firewall) on the device may be blocking the EAP/RADIUS server that allows users to join the Wi-Fi network. If your corporate Wi-Fi uses a RADIUS server for network authentication, add the RADIUS server to your [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) Exclude list.

## Why is my device not connecting to my private network?

If your private network is [exposed via Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/):

* Verify that the Cloudflare One Client is [properly configured](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#device-configuration) on the device.
* Verify that the user is allowed through by your Access and Gateway policies.
* Verify that the [local LAN settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#router-configuration) for the device do not overlap with the CIDR range of your private network.

When contacting Cloudflare support, ensure that you include [Cloudflare One Client debug logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/) for your device. These logs will help Cloudflare support understand the overall architecture of your machine and networks.

---

---
title: General
description: Review frequently asked questions about Cloudflare Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# General

## What is the difference between Cloudflare Gateway and 1.1.1.1?

1.1.1.1 does not block any DNS query. When a browser requests `example.com`, 1.1.1.1 simply looks up the answer, either in cache or by performing a full recursive DNS query.

Cloudflare Gateway's DNS resolver introduces security into this flow. Instead of allowing all DNS queries, Gateway first checks the hostname being queried against the intelligence Cloudflare has about threats on the Internet. If the query matches a known threat, or requests a domain that an administrator has blocked as part of a Gateway policy, Gateway stops it before the site can load for the user and potentially execute code or phish that team member.

## Is multi-factor authentication supported?

Access supports two methods of enforcing MFA:

* **Independent MFA** — Access prompts users for a second factor directly, without relying on your identity provider. You can configure MFA requirements per organization, application, or policy. For more information, refer to [Enforce independent MFA](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa).
* **Identity provider-based MFA** — Access respects the [MFA policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) set in your identity provider. For example, if your users are logging into an Access protected app through Okta, Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access.

## Which browsers are supported?

These browsers are supported:

* Internet Explorer 11
* Edge (current release, last release)
* Firefox (current release, last release)
* Chrome (current release, last release)
* Safari (current release, last release)

## What data localization services are supported?

Cloudflare Zero Trust can be used with the Data Localization Suite to ensure that traffic is only inspected in the regions you choose. For more information refer to [Use Zero Trust with Data Localization Suite](https://developers.cloudflare.com/data-localization/how-to/zero-trust/).

---

---
title: Getting started with Cloudflare Zero Trust FAQ
description: Review FAQs about getting started with Cloudflare Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Getting started with Cloudflare Zero Trust FAQ

## How do I sign up for Cloudflare Zero Trust?

You can sign up today on the [Cloudflare dashboard ↗](https://dash.cloudflare.com/). Go to **Zero Trust**, choose a team name and a payment plan, and start protecting your network in just a few minutes.

## What is a team domain/team name?

Your team domain is a unique subdomain assigned to your Cloudflare account, for example, `<your-team-name>.cloudflareaccess.com`. [Setting up a team domain](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization) is an essential step in your Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) — and will be able to make login requests to them. The customizable portion of your team domain is called **team name**. You can view your team name and team domain in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** > **Settings**.

| team name      | team domain                           |
| -------------- | ------------------------------------- |
| your-team-name | <your-team-name>.cloudflareaccess.com |

You can change your team name at any time, unless you have the Cloudflare dashboard SSO feature enabled on your account. If Cloudflare dashboard SSO is enabled, you must [turn off SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/#change-your-zero-trust-team-name) before changing your team name.

When you change your team name, the old name becomes available for other accounts to claim. However, if you delete your entire Zero Trust organization, any team name it used is permanently reserved and cannot be reused by any account — including your own.

Warning

If you change your team name, you need to update your organization's identity providers (IdPs) and the Cloudflare One Client to reflect the new team name in order to avoid any mismatch errors.

### How do I transfer a team name to another account?

If you want to move a team name from one Cloudflare account to another (for example, migrating from a personal account to a company account), you can do so as long as the source Zero Trust organization still exists:

1. In the source account, go to **Settings** and change the team name to a temporary value (for example, `mycompany-old`).
2. In the destination account, go to **Settings** and set the team name to the desired value.

Warning

Do not delete the Zero Trust organization on the source account before changing the team name. If the organization is deleted, the team name is permanently locked and no account will be able to claim it.

### Why is my old team name still showing up on the Login page and App Launcher?

After changing your team name, you will need to check your Block page, Login page, and App Launcher settings to make sure the new team name is reflected.

To verify that your team name change is successfully rendering on the Block page, Login page and App Launcher:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Custom pages** > **Team name and domain**.
2. Find the **Account Gateway block page** and **Access login page** sections, then select **Manage** next to the page you would like to review first.
3. Review that the value in **Your Organization's name** matches your new team name.
4. If the desired name is not already displayed, change the value to your desired team name and select **Save**.
5. Check both pages (**Account Gateway block page** and **Access login page**) to set **Your Organization's name** to your desired team name.

The App Launcher will display the same team name set on the Access login page, so you do not need to update the **Your Organization's name** field in the App Launcher page.

## How do I change my subscription plan?

To make changes to your subscription, visit the Billing section under **Zero Trust** > **Settings** in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/). You can change or cancel your subscription at any time. Note that if you downgrade your plan during a billing cycle, the downgraded pricing applies from the next billing cycle; if you upgrade during a billing cycle, you are billed for the upgraded plan at the moment you select it.

## How are active seats measured?

Cloudflare Zero Trust subscriptions consist of seats that users in your account consume. When users authenticate to an application or enroll their agent into the Cloudflare One Client, they count against one of your active seats. Seats can be added, removed, or revoked at **Settings** > **Cloudflare One plan**. If all seats are currently consumed, you must first remove users before decreasing your purchased seat count.

### Removing users

User seats can be removed for Access and Gateway at **Team & Resources** \> **Users** \> **Your users**. Removing a user will have consequences both on Access and on Gateway:

* **Access**: All active sessions for that user will be invalidated. A user will be able to log back into an application unless you create an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to block future logins from that user.
* **Gateway**: All active devices for that user will be logged out of your Zero Trust organization, which stops all filtering and routing via the Cloudflare One Client. A user will be able to re-enroll their device unless you create a [device enrollment policy](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) to block them.

Warning

The Remove action will remove a user's seat, but it will not permanently revoke their ability to authenticate. To permanently disable a user's ability to authenticate, you must modify the policies that allow them to reach a given application or enroll a device in the Cloudflare One Client.

### Revoking users

The Revoke action will terminate active sessions and log out active devices, but will not remove the user's consumption of an active seat.

## How do I know if my network is protected behind Cloudflare Zero Trust?

You can visit the [Zero Trust help page ↗](https://help.one.cloudflare.com/). This page will give you an overview of your network details, as well as an overview of the categories that are being blocked and/or allowed.

---

---
title: Policies FAQ
description: Review frequently asked questions about policies in Cloudflare Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Policies FAQ

## What is the order of policy enforcement?

Gateway and Access policies generally trigger from top to bottom based on their position in the policy table in the UI. Exceptions include Bypass and Service Auth policies, which Access evaluates first. Similarly, for Gateway HTTP policies, Do Not Inspect and Isolate policies take precedence over all Allow or Block policies. To learn more about order of enforcement, refer to our documentation for [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#order-of-execution) and [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/).

## How can I bypass the L7 firewall for a website?

Cloudflare Gateway uses the hostname in the HTTP `CONNECT` header to identify the destination of the request. Administrators who wish to bypass a site must create a [Do Not Inspect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic.

Bypassing the L7 firewall results in no HTTP traffic inspection, and logging is disabled for that HTTP session.

## Can I secure applications with a second-level subdomain URL?

Yes. Ensure that your SSL certificates cover the first- and second-level subdomain. Most certificates only cover the first-level subdomain and not the second. This is true for most Cloudflare certificates. To cover a second-level subdomain with a CF certificate, create an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/).

Wildcard-based policies in Cloudflare Access only cover the level where they are applied. Add the wildcard policy to the left-most subdomain to be covered.

## How do isolation policies work together with HTTP policies?

Isolation policies, like all HTTP policies, are evaluated in stages. When a user makes a request which evaluates an Isolation policy, the request will be rerouted to an isolated browser and re-evaluated for HTTP policies. This makes it possible for an isolated browser to remotely render a block page, or have malicious content within the isolated browser blocked by HTTP policies.

## Why is API or CLI traffic not isolated?

Isolation policies are applied to requests that include `Accept: text/html*`. This allows Browser Isolation policies to co-exist with API and command line requests.
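
The order-of-enforcement answer, the isolation answer and this one describe a single evaluation flow for HTTP policies, and it is easy to get the interaction wrong when reasoning about why a request was or was not blocked. The following Python model is an added example, not Cloudflare's implementation: it encodes only the rules stated on this page (Do Not Inspect and Isolate take precedence over Allow and Block, Allow and Block are evaluated top to bottom, an isolated request is re-evaluated against HTTP policies, and only requests whose `Accept` header asks for `text/html` are isolated). It assumes, beyond what the page states, that Do Not Inspect is checked before Isolate and that a request matching no policy is allowed. The policies and hostnames are constructed sample data.

```python
"""Model of the HTTP policy precedence rules stated in this FAQ.

Added example, not Cloudflare code. Assumptions not on the page: Do Not
Inspect is checked before Isolate, and a request that matches no policy is
allowed. Policies and hostnames are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class HttpPolicy:
    name: str
    action: str  # "do_not_inspect" | "isolate" | "allow" | "block"
    host: str    # matches this hostname and any subdomain of it


@dataclass(frozen=True)
class Request:
    host: str
    accept: str = "*/*"
    isolated: bool = False  # True once rerouted to the remote browser


Step = Tuple[str, str]  # (policy name, action taken)


def host_matches(policy: HttpPolicy, req: Request) -> bool:
    return req.host == policy.host or req.host.endswith("." + policy.host)


def wants_html(accept: str) -> bool:
    """True when any media type in the Accept header is text/html*, which is
    what distinguishes a browser request from API or CLI traffic."""
    return any(part.strip().startswith("text/html") for part in accept.split(","))


def first_match(policies: List[HttpPolicy], req: Request, actions: Set[str]) -> Optional[HttpPolicy]:
    """Top-to-bottom scan of the policy table restricted to the given actions."""
    for policy in policies:
        if policy.action in actions and host_matches(policy, req):
            return policy
    return None


def evaluate(policies: List[HttpPolicy], req: Request) -> List[Step]:
    """Return the ordered list of decisions taken for one request."""
    # Stage 1: Do Not Inspect wins over everything else (assumed to precede Isolate).
    policy = first_match(policies, req, {"do_not_inspect"})
    if policy:
        return [(policy.name, "do_not_inspect")]
    # Stage 2: Isolate applies only to browser requests that are not already isolated;
    # the rerouted request is then re-evaluated against the HTTP policies.
    if not req.isolated and wants_html(req.accept):
        policy = first_match(policies, req, {"isolate"})
        if policy:
            rerouted = Request(req.host, req.accept, isolated=True)
            return [(policy.name, "isolate")] + evaluate(policies, rerouted)
    # Stage 3: Allow / Block in table order.
    policy = first_match(policies, req, {"allow", "block"})
    if policy:
        return [(policy.name, policy.action)]
    return [("(no match)", "allow")]  # assumption: implicit allow


# Constructed sample data. Note the Block policies sit above the Do Not Inspect
# and Isolate policies in the table, yet the latter still take precedence.
BROWSER_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
SAMPLE_POLICIES = [
    HttpPolicy("Block risky downloads", "block", "downloads.risky.example"),
    HttpPolicy("Block bank mirror", "block", "bank.example"),
    HttpPolicy("Do not inspect bank", "do_not_inspect", "bank.example"),
    HttpPolicy("Isolate risky", "isolate", "risky.example"),
    HttpPolicy("Allow intranet", "allow", "intranet.example"),
]

if __name__ == "__main__":
    for req in (
        Request("bank.example", BROWSER_ACCEPT),
        Request("downloads.risky.example", BROWSER_ACCEPT),
        Request("downloads.risky.example", "application/json"),
        Request("intranet.example", BROWSER_ACCEPT),
    ):
        print(req.host, req.accept.split(",")[0], "->", evaluate(SAMPLE_POLICIES, req))
```

Running the sample shows the browser request to `downloads.risky.example` being isolated first and then blocked inside the isolated browser, while the same host requested with `Accept: application/json` is blocked directly without isolation.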

## Can Access enforce policies on a specific nonstandard port?

No. Cloudflare Access cannot enforce a policy that would contain a port appended to the URL. However, you can use Cloudflare Tunnel to point traffic to non-standard ports. For example, if Jira is available at port `8443` on your origin, you can proxy traffic to that port via Cloudflare Tunnel.

## Why can I still reach domains blocked by a Gateway policy?

If the domain is blocked by a DNS, network, or HTTP policy, it may be because:

* **Your policy is still being updated.** After you edit or create a policy, Cloudflare updates the new setting across all of our data centers around the world. It takes about 60 seconds for the change to propagate.

If the domain is only blocked by a DNS policy, it may be because:

* **Your device is using another DNS resolver.** If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. As a result, the domain you are trying to block is still accessible from your device. Make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses.
* **Your policy is not assigned to a DNS location.** If your policy is not assigned to a DNS location and you send a DNS query from that location, Gateway will not apply that policy. Assign a policy to a DNS location to make sure the desired policy is applied when you send a DNS query from that location.
* **Your DoH endpoint is not a Gateway DNS location**. Browsers can be configured to use any DoH endpoint. If you chose to configure DoH directly in your browser, make sure that the DoH endpoint is a Gateway DNS location.

If the domain is only blocked by a network policy, it may be because:

* **Your browser is reusing an existing connection**. Network policies only apply when a connection is opened. If a browser is connected to a domain to be blocked by a network policy, Gateway will not block requests until the connection is closed. To block the domain, close any related tabs or restart your browser.

## When does Access return a Forbidden status page versus a login page?

Access returns a Forbidden page with status codes `401`/`403` when it determines there is no way a user can pass a [policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/). If Cloudflare can make a full policy determination that a user will not be able to log in, Access will return a Forbidden page instead of a [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/).

For example, your application has a policy that requires a user to be in a [specific geolocation](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#allow) to log in.

As admin, you could define this geolocation policy by using [Include](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#include) rules, meaning the user could log in to the application from Country A or Country B.

Or you could define this geolocation policy using a [Require](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#require) rule, meaning the user must be in Country A to log in.

If a user from Country C attempts to access the application, the user receives the Forbidden page in both the Include and Require scenarios. Country C was not defined in either policy, so Cloudflare can determine up front that this user cannot meet the policy requirements, and it returns the Forbidden status page instead of a login page.

---

---
title: API and Terraform
description: How the API and Terraform work in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# API and Terraform

You can manage your Cloudflare Zero Trust configuration using the API or Terraform. For more information, refer to the following links:

* [API reference](https://developers.cloudflare.com/api/)
* [Terraform provider reference ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs)
* [Terraform how-to documentation](https://developers.cloudflare.com/terraform/)

Detailed API and Terraform examples for Cloudflare Zero Trust are available in our [implementation guides](https://developers.cloudflare.com/cloudflare-one/implementation-guides/) and throughout the Cloudflare Zero Trust documentation.

## Set dashboard to read-only

Super Administrators can lock all settings as read-only in the Cloudflare One dashboard. Read-only mode ensures that all updates for the account are made through the API or Terraform.

To enable read-only mode:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Settings** \> **Admin controls**.
2. Enable **Set dashboard to read-only**.

All users, regardless of [user permissions](https://developers.cloudflare.com/cloudflare-one/roles-permissions/), will be prevented from making configuration changes through the UI.

## Scoped API tokens

The administrators managing policies and groups in Cloudflare Zero Trust might be different from those responsible for configuring WAF custom rules or other Cloudflare settings. You can configure scoped API tokens so that team members and automated systems can manage Cloudflare Zero Trust settings without having permission to modify other configurations in Cloudflare.

You can create a scoped API token [via the dashboard](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) or [via the API](https://developers.cloudflare.com/fundamentals/api/how-to/create-via-api/). For a list of available token permissions, refer to [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).
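As an added example (not Cloudflare's own code), the following builds the body for the token endpoint `POST https://api.cloudflare.com/client/v4/user/tokens` so that an automation identity such as Terraform or CI can edit Zero Trust settings in a single account and nothing else, and checks a body for the usual over-scoping mistakes before it is sent. The account ID and permission-group ID are placeholders; real group IDs come from the API token permissions reference linked above.

```javascript
// Added example, not Cloudflare's own code: assemble a least-privilege API
// token request for Zero Trust automation and validate its scope.
// Assumptions: ACCOUNT_ID and ZERO_TRUST_WRITE_GROUP are placeholders; look the
// real permission-group IDs up in the API token permissions reference.

const ACCOUNT_ID = '0123456789abcdef0123456789abcdef';            // placeholder account ID
const ZERO_TRUST_WRITE_GROUP = '<permission-group-id-placeholder>'; // placeholder group ID

function buildScopedTokenRequest({ name, accountId, permissionGroupIds, allowedCidrs, ttlDays }) {
  const expires = new Date(Date.now() + ttlDays * 24 * 60 * 60 * 1000);
  return {
    name,
    policies: [{
      effect: 'allow',
      // Scope to exactly one account; a user-level or all-accounts scope would let
      // the token reach zones and settings the Zero Trust admins do not own.
      resources: { [`com.cloudflare.api.account.${accountId}`]: '*' },
      permission_groups: permissionGroupIds.map((id) => ({ id })),
    }],
    // Only accept the token from the automation hosts' egress addresses.
    condition: { request_ip: { in: allowedCidrs, not_in: [] } },
    // Time-box the token; rotate it from the same automation before it expires.
    expires_on: expires.toISOString().replace(/\.\d{3}Z$/, 'Z'),
  };
}

// Returns the least-privilege violations found in a token request body (empty = OK).
function scopeProblems(body) {
  const problems = [];
  if (!body.expires_on) problems.push('no expires_on: token never expires');
  if (!body.condition?.request_ip?.in?.length) problems.push('no request_ip condition');
  for (const policy of body.policies ?? []) {
    if (!policy.permission_groups?.length) problems.push('policy grants no permission groups');
    for (const scope of Object.keys(policy.resources ?? {})) {
      if (!scope.startsWith('com.cloudflare.api.account.')) problems.push(`scope ${scope} is not account-level`);
      if (scope === 'com.cloudflare.api.account.*') problems.push('scope covers every account the user can access');
    }
  }
  return problems;
}

// Constructed usage: the CIDR is a documentation address, not a real host.
const request = buildScopedTokenRequest({
  name: 'terraform-zero-trust',
  accountId: ACCOUNT_ID,
  permissionGroupIds: [ZERO_TRUST_WRITE_GROUP],
  allowedCidrs: ['192.0.2.10/32'],
  ttlDays: 30,
});
console.log(JSON.stringify(request, null, 2), scopeProblems(request));
```

Send the resulting object as the JSON body with a token or key that holds the API Tokens Write permission; the response carries the new token value exactly once, so store it in the automation's secret store at that moment.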

---

---
title: Troubleshooting
description: Find troubleshooting guides for Cloudflare One products and learn how to collect information for Cloudflare Support.
image: https://developers.cloudflare.com/zt-preview.png
---

# Troubleshooting

Cloudflare One provides troubleshooting guides to help you diagnose and resolve common connectivity, configuration, and security issues across your Zero Trust organization.

If you cannot resolve an issue using these guides, you can collect diagnostic information and [contact Cloudflare Support](https://developers.cloudflare.com/cloudflare-one/troubleshooting/contact-support/).

* [ Access ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/access/)
* [ Gateway ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/gateway/)
* [ Tunnel ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/tunnel/)
* [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/warp-client/)
* [ CASB ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/casb/)
* [ DLP ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/dlp/)
* [ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/browser-isolation/)
* [ DEX ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/dex/)
* [ Email Security ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/email-security/)
* [ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/wan/)
* [ Contact Cloudflare Support ](https://developers.cloudflare.com/cloudflare-one/troubleshooting/contact-support/)

---

---
title: Access
description: Access for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Access

Review common troubleshooting scenarios for Cloudflare Access.

## Authentication and login

### AJAX/CORS errors

Cloudflare Access requires that the `credentials: same-origin` parameter be added to JavaScript when using the Fetch API to include cookies. AJAX requests fail if this parameter is missing, resulting in an error such as `No Access-Control-Allow-Origin header is present on the requested resource`. For more information, refer to [CORS settings](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/).
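As an added example (not code from Cloudflare's documentation), the following wrapper applies that requirement to every Fetch call a page makes, refuses the one setting that would strip the cookie, and reports the `401`/`403` that Access returns when it determines a request cannot pass the policy. The injectable `fetchImpl` parameter is an assumption made so the helper can be exercised without a network; in the browser it is `window.fetch`.

```javascript
// Added example (not from Cloudflare's documentation): a fetch wrapper for
// JavaScript running on a page that sits behind Cloudflare Access.
// `fetchImpl` is an assumption made for offline testing; in the browser it is window.fetch.

function withAccessCredentials(init = {}) {
  // 'omit' strips the CF_Authorization cookie, which produces exactly the CORS
  // failure described above, so refuse it outright.
  if (init.credentials === 'omit') {
    throw new Error("credentials: 'omit' drops the Access cookie; use 'same-origin'");
  }
  // Default to 'same-origin' without overriding an explicit choice such as 'include'.
  return { ...init, credentials: init.credentials ?? 'same-origin' };
}

// Access returns 401/403 when it determines the user cannot pass the policy;
// an XHR cannot complete the login flow itself, so surface it to the caller.
function classifyAccessResponse(status) {
  return status === 401 || status === 403 ? 'access-denied' : 'passed';
}

async function accessFetch(url, init = {}, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(url, withAccessCredentials(init));
  const outcome = classifyAccessResponse(response.status);
  return { outcome, ok: outcome === 'passed' && response.ok, status: response.status, response };
}

// Constructed usage with a stub fetch, so the example runs without a network.
const stubFetch = async (url, init) => ({ status: init.credentials === 'same-origin' ? 200 : 403, ok: true });
accessFetch('https://app.example.com/api/items', { method: 'GET' }, stubFetch)
  .then((result) => console.log(result.outcome, result.status));
```

On `access-denied`, navigate the top-level window to the application URL so Access can run the login flow; retrying the XHR in a loop only repeats the same response.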

### SAML verification failure

The error `SAML Verify: Invalid SAML response, SAML Verify: No certificate selected to verify` occurs when the identity provider (IdP) does not include the signing public key in the SAML response. Cloudflare Access requires the public key to match the **Signing certificate** uploaded to Zero Trust. Configure your IdP to include the public key in the response.

### Identity provider user/group info error

The error `Failed to fetch user/group information from the identity provider` occurs when Cloudflare lacks the API permissions it needs to communicate with your IdP. Review the [SSO integration guide](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) for your specific IdP (for example, Microsoft Entra or Okta) and ensure the application you registered there has the permissions the guide lists.

### Google Workspace redirect loop

If you place your Google Workspace behind Access, you cannot use Google or Google Workspace as an identity provider for that application. This creates an infinite redirect cycle because both systems depend on each other to complete the login.

### Invalid session error

The error `Invalid session. Please try logging in again` indicates that Access was unable to validate your `CF_Session` cookie. This can happen if software or a firewall on your device interferes with requests to Access. Ensure that the same browser instance is used to both initiate and complete the sign-in.

### Firefox Private Window

Firefox's default tracking prevention in Private Windows may prevent the `CF_Authorization` cookie from being sent, especially for XHR requests. To resolve this, you may need to exempt your application domain and your [team domain](https://developers.cloudflare.com/cloudflare-one/glossary/#team-name) from tracking protection.

### Workers routes on the login path

If you have a Cloudflare Worker route assigned to your application's login path, the Worker may overwrite the `CF_Authorization` cookie. To prevent this, ensure your Worker script does not modify or strip the `Set-Cookie` header for Access cookies.

## Identity providers

### OTP email not received

If a user does not receive a one-time PIN (OTP) email:

* **Policy denial**: If the user's email address does not match any **Allow** policies for the application, Cloudflare will not send an OTP email. The login page will still display a message saying the email was sent to prevent account enumeration.
* **Email suppression**: The user's email may be on a suppression list due to previous delivery failures. Check your email logs or contact Support to clear suppressions.

### OTP code already used

The error `This One-Time PIN has already been used` occurs when the OTP code has already been redeemed before the user enters it. OTP codes are single-use and expire 10 minutes after the initial request. This error most commonly occurs when an email security or anti-phishing tool on your network automatically follows links in emails, consuming the code before you have a chance to enter it.

To resolve the issue, select **Request new code** on the login page. If the error recurs consistently, add `noreply@notify.cloudflare.com` to your email security tool's allowlist to prevent it from scanning Cloudflare authentication emails. For setup instructions, refer to [One-time PIN login](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/).

### Google Super Admin login

If you use Access as the SSO provider for your Google Workspace, Google Super Admins cannot sign in via Access when accessing `admin.google.com`. Google requires Super Admins to use their original Google password to ensure they can always access the admin console.

### Missing SAML attributes

If you receive a `Required attributes are missing` error during SAML authentication, verify that your IdP is sending the mandatory **email** attribute. Additionally, check for typos in attribute names (for example, `groups` vs `gropus`) in your [IdP configuration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

## Applications and certificates

### SSH short-lived certificates

The error `Error 0: Bad Request. Please create a ca for application` appears if a certificate has not been generated for the Access application. Refer to [SSH short-lived certificates](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/) to generate a CA for the application.

### SSH "Origin auth failed"

This error often indicates a configuration issue on the target server's SSH daemon (`sshd`):

* **SSHD config**: Verify that `PubkeyAuthentication` is set to `yes` and `TrustedUserCAKeys` points to the correct Cloudflare CA file.
* **Multiple auth methods**: Cloudflare Access for Infrastructure currently does not support `AuthenticationMethods` with multiple comma-separated requirements (for example, `publickey,keyboard-interactive`).

### Team domain change error

The error `Access api error auth_domain_cannot_be_updated_dash_sso` occurs if you try to change your team domain while [Cloudflare dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) is enabled. Dashboard SSO does not currently support team domain changes.

### Long-lived SSH sessions disconnect

All connections proxied through Cloudflare Gateway, including traffic to [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) SSH targets, have a maximum guaranteed duration of 10 hours. If a connection is active during a Gateway release, it will be terminated 10 hours later.

To prevent unexpected disconnects, we recommend terminating sessions on a predefined schedule (for example, an 8-hour idle timeout). You can configure this using `ChannelTimeout` in your SSH server or client configuration.
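The following checker, added here as an example and not part of Cloudflare's documentation, reads an `sshd_config` and reports the settings that the SSH "Origin auth failed" entry and the session-length advice above depend on: `PubkeyAuthentication`, `TrustedUserCAKeys`, a multi-method `AuthenticationMethods` list, and a missing `ChannelTimeout`. The sample configurations, file paths and the timeout value are constructed; check the `ChannelTimeout` value syntax against the `sshd_config(5)` manual for your OpenSSH version.

```javascript
// Added example, not part of Cloudflare's documentation: lint the sshd_config
// settings that Access for Infrastructure SSH depends on. Sample configs,
// paths and the ChannelTimeout value below are constructed.

// Parses sshd_config text into a Map of lower-cased keyword -> first value.
// sshd uses the first occurrence of a keyword, and everything after a Match
// line is conditional, so parsing stops there (a simplification).
function parseSshdConfig(text) {
  const settings = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();   // drop comments and blank lines
    if (!line) continue;
    if (/^match\b/i.test(line)) break;
    const m = line.match(/^(\S+?)(?:\s*=\s*|\s+)(.*)$/); // "Keyword value" or "Keyword=value"
    if (!m) continue;
    const key = m[1].toLowerCase();
    if (!settings.has(key)) settings.set(key, m[2].trim());
  }
  return settings;
}

// Returns a list of findings; an empty list means the config is compatible.
function lintSshdForAccess(text) {
  const cfg = parseSshdConfig(text);
  const findings = [];
  // PubkeyAuthentication defaults to yes when the keyword is absent.
  if ((cfg.get('pubkeyauthentication') ?? 'yes').toLowerCase() !== 'yes') {
    findings.push('PubkeyAuthentication must be yes');
  }
  if (!cfg.get('trustedusercakeys')) {
    findings.push('TrustedUserCAKeys must point at the Cloudflare CA public key file');
  }
  // AuthenticationMethods lists alternatives separated by spaces; a comma inside
  // an alternative means every listed method is required, which is unsupported.
  const methods = cfg.get('authenticationmethods');
  if (methods && methods.split(/\s+/).some((alt) => alt.includes(','))) {
    findings.push(`AuthenticationMethods "${methods}" requires multiple methods for one login`);
  }
  if (!cfg.get('channeltimeout')) {
    findings.push('ChannelTimeout is unset; sessions may only end at the 10-hour Gateway limit');
  }
  return findings;
}

// Constructed sample that produces "Origin auth failed".
const BROKEN_SSHD_CONFIG = `
# /etc/ssh/sshd_config  (constructed sample)
PubkeyAuthentication no
TrustedUserCAKeys /etc/ssh/cloudflare_ca.pub
AuthenticationMethods publickey,keyboard-interactive
`;

// Constructed sample with the fixes applied and an 8-hour idle timeout.
// The wildcard covers the per-subtype session channel names used by some
// OpenSSH versions as well as the plain "session" name.
const FIXED_SSHD_CONFIG = `
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/cloudflare_ca.pub
AuthenticationMethods publickey
ChannelTimeout session*=8h
`;

for (const [label, text] of [['broken', BROKEN_SSHD_CONFIG], ['fixed', FIXED_SSHD_CONFIG]]) {
  console.log(label, lintSshdForAccess(text));
}
```

Run it against the output of `sshd -T` rather than the raw file when the server uses `Include` directives, since `sshd -T` prints the effective configuration after includes are resolved.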

---

## More Access resources

For more information, refer to the full Access troubleshooting guide.

[ Full Access troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/) 

---

---
title: Browser Isolation
description: Browser Isolation for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Browser Isolation

Review common troubleshooting scenarios for Cloudflare Browser Isolation.

## Connectivity and sessions

### No Browsers Available

If you encounter a `No Browsers Available` alert, please file feedback via the Cloudflare One Client. This error typically indicates a temporary capacity issue in the data center or a connectivity problem between your client and the remote browser.

### Maximum Sessions Reached

This alert appears if your device attempts to establish more than two concurrent remote browser instances. A browser isolation session is shared across all tabs and windows within the same browser (for example, all Chrome tabs share one session). You can use two different browsers (such as Chrome and Firefox) concurrently, but opening a third will trigger this alert. To release a session, close all tabs and windows in one of your local browsers.

## Rendering and performance

### WebGL Rendering Error

Cloudflare Browser Isolation uses Network Vector Rendering (NVR), which does not support WebGL (Web Graphics Library) in all environments. If a website requires WebGL and your device lacks the necessary hardware resources in the virtualized environment, you may see a rendering error.

To resolve this, try enabling software rasterization in your browser:

1. Go to `chrome://flags/#override-software-rendering-list`.
2. Set **Override software rendering list** to _Enabled_.
3. Select **Relaunch**.

### Blank screen on Windows

On Windows devices, Clientless Web Isolation may load with a blank screen if there is a conflict between browser mDNS settings and Windows IGMP configuration.

| IGMPLevel    | WebRTC Anonymization | Result         |
| ------------ | -------------------- | -------------- |
| 0 (disabled) | Enabled / Default    | ❌ Blank screen |
| 0 (disabled) | Disabled             | ✅ Works        |
| 2 (enabled)  | Enabled / Default    | ✅ Works        |

To fix this, either disable **Anonymize local IPs exposed by WebRTC** in your browser flags or ensure `IGMPLevel` is enabled (set to `2`) in your Windows network settings.

### Rendering issues (CSS/Images)

If a website displays incorrectly (for example, broken CSS or missing images), it may indicate that the remote browser is unable to fetch specific resources from the origin server. Check your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/) for any blocked subresources that might be required by the page.

---

## More Browser Isolation resources

For more information, refer to the full Browser Isolation documentation.

[ Browser Isolation troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/troubleshooting/) 

---

---
title: CASB
description: CASB for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# CASB

Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB).

## Security findings

### Findings not appearing

If you do not see findings for an integrated application:

* **Wait for scan**: Initial scans can take up to 24 hours depending on the size of the application.
* **Permissions**: Ensure the account used to integrate the application has the necessary administrative permissions.
* **Enabled status**: Verify that the integration is enabled in the Zero Trust dashboard.

### False positives

If CASB flags a configuration that is intended for your organization:

1. Go to **CASB** \> **Findings**.
2. Select the finding and choose **Dismiss**.
3. Provide a reason for dismissal to help refine future scans.

---

## More CASB resources

For more information, refer to the full CASB documentation.

[ CASB troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/) 

---

---
title: Contact Cloudflare Support
description: Contact Cloudflare Support in Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Contact Cloudflare Support

If you cannot resolve an issue using our troubleshooting guides, you can [open a support case](https://developers.cloudflare.com/support/contacting-cloudflare-support/).

To help us investigate your issue quickly, please collect and provide the following information when you contact Cloudflare Support.

## 1\. Gather general information

For all issues, please include:

* **Timestamp (UTC)**: The exact time the issue occurred.
* **Detailed description**: A clear description of the problem and the steps to reproduce it.
* **Actual vs. Expected**: What happened versus what you expected to happen.
* **Problem frequency**: How often does the issue occur?
* **Screenshots**: Any relevant screenshots or videos of the error.
* **Example URLs**: Specific URLs where the issue is occurring.

## 2\. Collect product diagnostics

Depending on the product, providing diagnostic files is critical for a technical investigation.

### Cloudflare One Client (WARP)

If the issue involves the Cloudflare One Client, run the `warp-diag` command on the affected device and attach the resulting `.zip` file to your case. For more information, refer to [Diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/).

### Cloudflare Tunnel

If the issue involves Cloudflare Tunnel, run the `cloudflared tunnel diag` command and provide the generated report. For more information, refer to [Tunnel diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/).

### Access and Gateway

For issues related to authentication loops, blocked websites, or policy enforcement:

* **HAR file**: Provide a [HAR file](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while reproducing the issue.
* **Ray ID**: If you see a Cloudflare error page, provide the **Ray ID** displayed at the bottom of the page.
* **Identity Provider logs**: Relevant logs from your identity provider (IdP) if the issue involves login failures.
* **Request ID**: For Gateway issues, you can find the `request_id` (HTTP logs) or `query_id` (DNS logs) in your [Gateway logs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/).

### Digital Experience Monitoring (DEX)

For issues with DEX tests or device monitoring, provide a [remote capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/) from the Zero Trust dashboard.

---

For more information, refer to [Contacting Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/).

---

---
title: DEX
description: DEX for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# DEX

Review common troubleshooting scenarios for Digital Experience Monitoring (DEX).

## Data visibility

### No data displayed for certain users

If you do not see DEX data for specific users in your organization, verify the following:

* **Client version**: Ensure the users are running a version of the Cloudflare One Client that supports DEX.
* **DEX enabled**: Confirm that DEX is enabled for the [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) assigned to those users.
* **Traffic routing**: DEX requires that traffic to Cloudflare's orchestration API is not blocked by local firewalls or SSL-inspecting proxies.

### Fleet status not updating

The Fleet status dashboard can take several minutes to reflect changes in device connectivity. If a device remains in an incorrect state, try disconnecting and reconnecting the Cloudflare One Client to force a status update.

## Remote captures

### Remote capture fails to start

Remote captures require the Cloudflare One Client to be connected and able to communicate with the Cloudflare control plane. If a capture fails to start:

* Verify the device status in the Zero Trust dashboard.
* Ensure the device has sufficient disk space to store the capture files before upload.
* Check for any local firewall rules that might be blocking the capture command.

---

## More DEX resources

For more information, refer to the full DEX documentation.

[ DEX troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/insights/dex/troubleshooting/) 

---

---
title: DLP
description: DLP for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# DLP

Use this guide to troubleshoot common issues with Data Loss Prevention (DLP).

## DLP policy does not trigger or block content

DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/).

To turn on TLS decryption:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection**, turn on **Inspect HTTPS requests with TLS decryption**.

**Terraform (v5)**

1. Add the following permission to your [cloudflare_api_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):
   * `Zero Trust Write`
2. Configure the `tls_decrypt` argument in [cloudflare_zero_trust_gateway_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fgateway%5Fsettings):

```hcl
resource "cloudflare_zero_trust_gateway_settings" "team_name" {
  account_id = var.cloudflare_account_id
  settings = {
    tls_decrypt = {
      enabled = true
    }
  }
}
```

Once you turn on TLS decryption, you can create a DLP policy to inspect the content of HTTPS requests. For example:

| Selector    | Operator | Value                 | Logic | Action |
| ----------- | -------- | --------------------- | ----- | ------ |
| Domain      | in       | box.com               | And   | Block  |
| DLP Profile | in       | _Credit card numbers_ |       |        |

## DLP scans trigger false positives or block legitimate sites

If your DLP policy is blocking access to business-critical applications (such as Zoho, Google, or internal domains) or generating a high number of false positives, your DLP policy is likely too broad. Profiles such as **Credentials and Secrets** are powerful but can be overly aggressive if not scoped correctly.

### Problematic configuration

Applying a sensitive profile to all traffic causes unnecessary blocks. For example:

| Selector    | Operator | Value                     | Action |
| ----------- | -------- | ------------------------- | ------ |
| DLP Profile | in       | _Credentials and Secrets_ | Block  |

### Recommended solution

Make your policies more specific. Instead of a catch-all block, create granular policies that target high-risk destinations or user groups.

This policy only blocks uploads of financial data to file-sharing websites for a specific user group, reducing the risk of false positives on other sites.

| Selector           | Operator | Value                       | Logic | Action |
| ------------------ | -------- | --------------------------- | ----- | ------ |
| Destination Domain | in       | dropbox.com, wetransfer.com | And   | Block  |
| DLP Profile        | in       | _Financial Information_     | And   |        |
| User Group Names   | in       | Finance Team                |       |        |

You can also create policies that match trusted applications using the [**Do Not Scan** action](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-scan).

## DLP detections are inconsistent

If DLP detects sensitive data in plain text but not within images or certain applications, check for the following issues:

* **OCR is turned on**: For DLP to scan text within images (such as a picture of a credit card), you must turn on [Optical Character Recognition (OCR)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#optical-character-recognition-ocr) in the corresponding DLP profile.
* **Application-specific behavior**: Some applications, such as WhatsApp Web, use protocols or encryption methods (such as WebSockets) that Gateway may not be able to fully inspect with HTTP policies.
* **Supported file types**: Content must be in a [supported file type](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#supported-file-types) for DLP inspection.

## DLP options are missing or you cannot create custom profiles

If you cannot use the _DLP Profile_ selector when creating an HTTP policy or are blocked from creating a custom DLP profile, it typically means one of two things:

1. Incorrect plan. These features require a Zero Trust Enterprise plan. If you believe your account should have this entitlement, contact your account team to confirm your subscription details.
2. Permissions issue. You may not have the required administrative privileges to configure DLP settings. Check with your Cloudflare account administrator.

---

## More DLP resources

For more information, refer to the full DLP documentation.

[ DLP troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/troubleshoot-dlp/) 

---

---
title: Email Security
description: Email Security for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Email Security

Review common troubleshooting scenarios for Cloudflare Email Security.

## Email headers and attributes

Email Security identifies threats using detections that result in a final disposition. You can inspect email headers to understand why a specific disposition was applied.

| Attribute           | Description                                                                                                                                                                  |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| CUSTOM\_BLOCK\_LIST | Matches a value defined in your custom block list.                                                                                                                           |
| NEW\_DOMAIN\_SENDER | The email was sent from a newly registered domain.                                                                                                                           |
| NEW\_DOMAIN\_LINK   | The email contains links to a newly registered domain.                                                                                                                       |
| ENCRYPTED           | The email message is encrypted.                                                                                                                                              |
| BEC                 | The sender address is in your [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). |

## Detections and reclassification

### Handle a false positive

A false positive occurs when a legitimate email is incorrectly flagged as malicious or spam.

**Solution**:

1. In the Email Security dashboard, go to **Investigation**.
2. Find the email and select **Submit for reclassification**.
3. Choose the correct disposition (for example, `Clean`).
4. To prevent future blocks, add the sender to your [Acceptable Senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) list.

### Handle a false negative

A false negative occurs when a malicious email is not detected by Email Security.

**Solution**:

1. Ensure the email actually passed through Email Security by checking for the `X-CFEmailSecurity-Disposition` header.
2. Submit the email for reclassification in the dashboard. This is the preferred method for reporting missed detections.

## Authentication errors

### DMARC failures

Email Security may mark an email as **SPAM** if it fails DMARC authentication and the sending domain has a `p=reject` or `p=quarantine` policy.

**Solution**:

* Ask the sender to fix their DMARC/SPF/DKIM records.
* Configure an [Acceptable Sender](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/) entry to suppress the failure for that specific sender.
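The two header checks above (does the message carry `X-CFEmailSecurity-Disposition`, and did DMARC fail under an enforcing policy) can be scripted when you triage a batch of reported messages. The following Python is an added example, not Cloudflare's code. The `.eml` sample is constructed, and the DMARC parsing reads the standard `Authentication-Results` header (RFC 8601) written by the receiving mail server, which is an assumption about your downstream mail system rather than something Email Security adds.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict, Optional

DISPOSITION_HEADER = "X-CFEmailSecurity-Disposition"

# Constructed sample message: header values are illustrative, not a real capture.
SAMPLE_EML = """\
Received: from mail.example.net ([203.0.113.10]) by mx.example.com
X-CFEmailSecurity-Disposition: SPAM
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net;
 dkim=fail header.d=example.net;
 dmarc=fail (p=reject) header.from=example.net
From: "Accounts Payable" <ap@example.net>
To: finance@example.com
Subject: Invoice 4471 (constructed sample)

Please see the attached invoice.
"""


def parse(raw: str) -> Message:
    return message_from_string(raw)


def disposition(msg: Message) -> Optional[str]:
    """Final disposition Email Security stamped on the message, or None when the
    header is absent (the message did not pass through Email Security)."""
    value = msg.get(DISPOSITION_HEADER)
    return value.strip() if value else None


def dmarc_result(msg: Message) -> Dict[str, Optional[str]]:
    """Pull the DMARC verdict and the sender's published policy (p=) out of
    Authentication-Results, unfolding continuation lines first."""
    out: Dict[str, Optional[str]] = {"result": None, "policy": None}
    for header in msg.get_all("Authentication-Results", []):
        flat = " ".join(str(header).split())
        verdict = re.search(r"\bdmarc=(pass|fail|none|temperror|permerror)\b", flat)
        policy = re.search(r"\bp=(none|quarantine|reject)\b", flat)
        if verdict:
            out["result"] = verdict.group(1)
        if policy:
            out["policy"] = policy.group(1)
    return out


def triage(raw: str) -> Dict[str, object]:
    """First checks from the false-negative and DMARC sections: was the message
    scanned, what was the disposition, and does an enforcing DMARC failure explain it?"""
    msg = parse(raw)
    disp = disposition(msg)
    dmarc = dmarc_result(msg)
    enforcing_failure = dmarc["result"] == "fail" and dmarc["policy"] in ("quarantine", "reject")
    if disp is None:
        cause = "not_scanned"  # nothing to reclassify; check MX/routing first
    elif enforcing_failure:
        cause = "dmarc_failure_with_enforcing_policy"
    else:
        cause = "see_detections"  # look at the detection attributes listed above
    return {"scanned": disp is not None, "disposition": disp, "dmarc": dmarc, "likely_cause": cause}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

Run `triage()` over each reported `.eml` before opening a reclassification: a message with no disposition header never reached Email Security, so reclassifying it will not change anything, while a `SPAM` disposition on a message whose DMARC failed under `p=reject` points at the sender's DNS records rather than at a detection error.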

## Delivery issues

### Emails are delayed or not arriving

If emails are not being delivered or are arriving with significant latency:

1. **Check MX records**: Ensure your [MX records](https://developers.cloudflare.com/cloudflare-one/email-security/setup/) are correctly configured and pointing to Cloudflare.
2. **Verify connectivity**: From your sending mail server, verify you can connect to Cloudflare's mailstream endpoints on port 25.
3. **Check outbound logs**: In the dashboard, use the **Mail Trace** feature to confirm if Email Security successfully delivered the email to your downstream mail server (for example, Google Workspace or Microsoft 365).

---

## More Email Security resources

For more information, refer to the full Email Security documentation.

[ Email Security troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/email-security/troubleshooting/) 


---

---
title: Gateway
description: Gateway for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Gateway

This guide helps you troubleshoot common issues with Cloudflare Gateway policies.

## Blocked websites and connectivity

### A website is blocked incorrectly

If you believe a domain has been incorrectly blocked by Gateway's security categories or threat intelligence, you can use the [Cloudflare Radar categorization feedback form ↗](https://radar.cloudflare.com/categorization-feedback/) to request a review.

### Error 526: Invalid SSL certificate

Gateway presents a **526** error page when it cannot establish a secure connection to the origin. This typically occurs in two cases:

* **Untrusted origin certificate**: The certificate presented by the origin server is expired, revoked, or issued by an unknown authority.
* **Insecure origin connection**: The origin does not support modern cipher suites or redirects all HTTPS requests to HTTP.

For more information, refer to [Error 526](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/).

### Error 502: Bad Gateway

This issue can occur when communicating with an origin that partially supports HTTP/2. If the origin requests a downgrade to HTTP/1.1 (for example, via a `RST_STREAM` frame with `HTTP_1_1_REQUIRED`), Gateway will not automatically reissue the request over HTTP/1.1 and will instead return a `502 Bad Gateway`. To resolve this, disable HTTP/2 at the origin server.

### Untrusted certificate warnings

If users see certificate warnings for every page, ensure that the [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed and trusted on their devices. This is required for Gateway to inspect HTTPS traffic.

## Dashboard and analytics

### Gateway analytics not displayed

If you do not see analytics on the Gateway Overview page:

* **Verify DNS traffic**: Ensure your devices are actually sending queries to Gateway. Check your [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) and verify the source IPv4 address.
* **Check other resolvers**: Ensure that no other DNS resolvers are configured on the device, as they might be bypassing Gateway.
* **Wait for processing**: It can take up to 5 minutes for analytics to appear in the dashboard.

## Egress policies

Symptoms of egress policy problems include traffic not using your dedicated egress IP, incorrect failover behavior, or high latency caused by Gateway routing traffic through a distant data center.

### Symptom: traffic is not using your dedicated egress IP

Even with an active egress policy, you may find that traffic is egressing from a default Cloudflare IP address instead of your dedicated egress IP.

| Common cause                                | Solution                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| DNS resolution to CGNAT (carrier-grade NAT) | When an egress policy uses a _Domain_ or _Host_ selector, Gateway must first resolve that domain. For traffic proxied through Cloudflare, this often resolves to a CGNAT IP address from the 100.64.0.0/10 range. Because this IP is internal to Cloudflare's network, it may not be subject to egress policies, which apply to traffic leaving the network. Change the selector in your egress policy from _Domain_ or _Host_ to _Destination IP_. Use the public IP addresses of the service you are trying to reach. |
| Policy precedence                           | A different egress policy with a higher precedence (a lower number) is matching the traffic first. Remember that egress policies follow the same first-match-wins logic.                                                                                                                                                                                                                                                                                                                                                |
| Split Tunnel configuration                  | The destination IP or domain is excluded from the WARP tunnel via your Split Tunnel configuration. Traffic that is excluded from the tunnel will not be subject to any Gateway policies, including egress.                                                                                                                                                                                                                                                                                                              |
| No egress logs                              | Egress logging is available via Logpush with the Gateway Egress dataset. This is essential for troubleshooting. You can also use a third-party IP check service to verify the egress IP from a test device.                                                                                                                                                                                                                                                                                                             |

### Symptom: failover is not working or is using the wrong IP

Your primary dedicated egress IP becomes unavailable, but instead of using your configured secondary dedicated IP, traffic fails over to a default Cloudflare shared IP.

| Common cause                                          | Solution                                                                                                                                                                                                                                                                |
| ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Routing or configuration issue on the Cloudflare side | Document the time of the incident and collect Request IDs from Gateway HTTP or DNS logs for affected users. Open a support ticket and provide this information. Temporarily, you can edit the egress policy to set your secondary IP as the primary to restore service. |

### Symptom: users are egressing from a geographically distant location

Gateway routes your users in one country (such as Australia) through a dedicated egress IP located in another region (such as Germany), causing high latency and breaking access to geo-restricted content.

| Common cause               | Solution                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Single egress policy       | You may have one broad egress policy that applies to all users regardless of their location. Create location-aware egress policies. Use the _User Location_ selector in your policy to tie specific user locations to their nearest dedicated egress IP. For example, create one policy for when _User Location_ is United Kingdom, egress via London IP; create a second policy for when _User Location_ is Australia, egress via Sydney IP. |
| Incorrect geolocation data | The IP address of the user's ISP may not be correctly geolocated. Check the user's location as seen by Cloudflare in the Gateway logs. If it appears incorrect, you can report it to Cloudflare Support.                                                                                                                                                                                                                                      |

## Policy precedence

A common point of confusion is how Gateway evaluates its different policy types and the rules within them.

### Symptom: a Block policy is overriding a more specific Allow or Do Not Scan policy

You have a high-precedence Allow or Do Not Scan policy for a specific application (such as Allow finance.example.com), but Gateway still blocks the traffic with a lower-precedence Block policy (such as Block All High-Risk Sites).

The most important concept is [Gateway policy precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/), which Gateway enforces based on the policy's order number. A lower order number in the list means a higher precedence. Gateway stops processing further policies when it encounters the first rule that matches.

To resolve Gateway policy precedence issues:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies**.
2. Review the order of your DNS, Network, and HTTP policies.
3. Ensure that your most specific Allow, Do Not Scan, or Do Not Inspect policies have a lower order number than your general Block policies.
4. Drag and drop policies to reorder them as needed. An Allow policy for `teams.microsoft.com` should be placed before a general Block policy for all file sharing applications.
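A small simulator of the first-match-wins rule makes the symptom above concrete: run the same request through the list before and after reordering and trace which policy decided it. This is an added example written for this page, not Gateway's evaluation engine; the policies are constructed, the Domain selector is assumed to match a domain and its subdomains, and categories are matched by name.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class Policy:
    """One Gateway firewall policy. `order` is the dashboard order number:
    a lower number means higher precedence."""
    order: int
    name: str
    action: str                                           # "Allow", "Block", "Do Not Inspect", ...
    domains: List[str] = field(default_factory=list)      # Domain selector values
    categories: List[str] = field(default_factory=list)   # security/content category names


def domain_matches(selector: str, host: str) -> bool:
    """Assumed Domain selector semantics: the domain itself or any subdomain of it."""
    selector, host = selector.lower().rstrip("."), host.lower().rstrip(".")
    return host == selector or host.endswith("." + selector)


def policy_matches(policy: Policy, host: str, categories: Sequence[str]) -> bool:
    if any(domain_matches(d, host) for d in policy.domains):
        return True
    return any(c in policy.categories for c in categories)


def evaluate(policies: Sequence[Policy], host: str,
             categories: Sequence[str] = ()) -> Optional[Policy]:
    """First-match-wins: walk policies by ascending order number and stop at the first match."""
    for policy in sorted(policies, key=lambda p: p.order):
        if policy_matches(policy, host, categories):
            return policy
    return None


def explain(policies: Sequence[Policy], host: str,
            categories: Sequence[str] = ()) -> List[Tuple[int, str, str]]:
    """Trace the walk: the matching policy stops evaluation, everything after it is skipped."""
    trace, decided = [], False
    for policy in sorted(policies, key=lambda p: p.order):
        if decided:
            trace.append((policy.order, policy.name, "not evaluated"))
        elif policy_matches(policy, host, categories):
            trace.append((policy.order, policy.name, "matched"))
            decided = True
        else:
            trace.append((policy.order, policy.name, "no match"))
    return trace


def reorder(policies: Sequence[Policy], names_in_order: Sequence[str]) -> List[Policy]:
    """The drag-and-drop step: return copies renumbered 1..n in the given order."""
    by_name = {p.name: p for p in policies}
    return [Policy(i, p.name, p.action, list(p.domains), list(p.categories))
            for i, p in enumerate((by_name[n] for n in names_in_order), start=1)]


# Constructed policies mirroring the symptom above (not a real tenant configuration):
# the broad Block sits at order 1, so the specific Allow at order 2 is never reached.
MISORDERED = [
    Policy(1, "Block All High-Risk Sites", "Block", categories=["High Risk"]),
    Policy(2, "Allow finance app", "Allow", domains=["finance.example.com"]),
]

if __name__ == "__main__":
    host, cats = "finance.example.com", ["High Risk"]
    print("before reorder:", evaluate(MISORDERED, host, cats).name)
    fixed = reorder(MISORDERED, ["Allow finance app", "Block All High-Risk Sites"])
    print("after reorder: ", evaluate(fixed, host, cats).name)
    for step in explain(fixed, host, cats):
        print(step)
```

The `explain()` trace is the useful part when reading a live policy list: whichever policy shows `matched` is the one that produced the log entry, and every policy after it was never consulted, no matter how specific it is.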

## TLS decryption breaks applications

Turning on [TLS decryption](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software.

### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors

If after turning on TLS decryption, command-line tools (such as `git`, `aws`, `kubectl`, and `terraform`) or desktop applications (such as ChatGPT or Docker) stop working, this may be due to certificate errors. Applications may return errors such as `SSL: CERTIFICATE_VERIFY_FAILED`, `self-signed certificate in certificate chain`, or similar TLS errors.

These applications do not use the operating system's trust store and therefore do not trust the Cloudflare root certificate that you installed. They often have their own certificate trust store or use certificate pinning, which expects the server's original certificate, not one re-signed by Cloudflare.

To resolve this issue:

**Recommended**: Create a targeted HTTP policy to bypass decryption for the specific domains these tools need to access. Place this policy at a higher precedence (lower order number) than your main TLS decryption policy.

Create a [list](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/) that includes hosts such as `github.com`, `*.amazonaws.com`, and `*.docker.io`.

| Selector | Operator | Value              | Action         |
| -------- | -------- | ------------------ | -------------- |
| Domain   | in list  | _CLI Tool Domains_ | Do Not Inspect |

**Workaround**: You can configure some tools to trust a custom CA or disable SSL verification. This is less secure and harder to manage at scale. For more information, refer to [Install certificate manually](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/).

### Symptom: the custom block page is not displayed

When an HTTP policy blocks a user's request, their browser will return a generic error (`ERR_SSL_PROTOCOL_ERROR`) instead of your configured Gateway block page.

This happens because the browser does not trust the certificate presented by the block page, which is signed by the Cloudflare root certificate. This means the certificate is not installed or not trusted on the user's device.

To resolve this issue:

1. Confirm that a [Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed on the device.
2. Ensure the certificate is placed in the correct system-level trust store (such as the System keychain on macOS, or Trusted Root Certification Authorities for the Local Computer on Windows).
3. If you are using an MDM, verify that your deployment script correctly installs and trusts the certificate.

## Private DNS and internal resources are not working

You have configured Gateway to resolve internal hostnames, but users are unable to access them. For example, a user connected to the Cloudflare One Client tries to access an internal service like `jira.mycompany.local`, but the DNS query fails.

| Common causes                              | Solution                                                                                                                                                                                                                                     |
| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Missing or incorrect resolver policy       | Go to **Traffic policies** \> **Resolver policies**. Create a policy that matches your internal domain suffix and forwards queries to your internal DNS servers' IP addresses.                                                               |
| Split Tunnel excludes the private IP range | If your internal resources are in a private IP range (such as 10.0.0.0/8), that range must be included in the tunnel. If it is in the Exclude list of your Split Tunnel configuration, the Cloudflare One Client will not proxy the traffic. |
| Local Domain Fallback misconfiguration     | Use resolver policies for corporate DNS. Only use Local Domain Fallback for domains specific to a user's immediate physical network.                                                                                                         |

---

## More Gateway resources

For more information, refer to the full Gateway troubleshooting guide.

[ Full Gateway troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/troubleshooting/) 


---

---
title: Tunnel
description: Tunnel for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Tunnel

Explore common issues and solutions for Cloudflare Tunnel.

## I see `cloudflared service is already installed`.

If you see this error when installing a remotely-managed tunnel, ensure that no other `cloudflared` instances are running as a service on this machine. Only a single instance of `cloudflared` may run as a service on any given machine. Instead, add additional routes to your existing tunnel. Alternatively, you can run `sudo cloudflared service uninstall` to uninstall `cloudflared`.

## I see `An A, AAAA, or CNAME record with that host already exists`.

If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. [Check the DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) for your domain from the [Cloudflare dashboard ↗](https://dash.cloudflare.com).

## Tunnel credentials file does not exist or is not a file.

If you encounter the following error when running a tunnel, double check your `config.yml` file and ensure that the `credentials-file` points to the correct location. You may need to change `/root/` to your home directory.

```
cloudflared tunnel run
```

```
2021-06-04T06:21:16Z INF Starting tunnel tunnelID=928655cc-7f95-43f2-8539-2aba6cf3592d
Tunnel credentials file '/root/.cloudflared/928655cc-7f95-43f2-8539-2aba6cf3592d.json' doesn't exist or is not a file
```

## My tunnel fails to authenticate.

To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through `cloudflared login`. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components:

* The public key of the origin certificate for that hostname
* The private key of the origin certificate for that domain
* A token that is unique to Cloudflare Tunnel

Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one-level deep. Cloudflare uses that certificate file to authenticate `cloudflared` to create DNS records for your domain in Cloudflare.

The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through `cloudflared` retains the older API key and can cause authentication failures. The user will need to login once more through `cloudflared` to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate.

## I see an error: x509: certificate signed by unknown authority.

This means the origin is using a certificate that `cloudflared` does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare. To resolve:

* Add the certificate to the system certificate pool.
* Use the `--origin-ca-pool` flag and specify the path to the certificate.
* Use the `--no-tls-verify` flag to stop `cloudflared` checking the certificate for a trust chain.

## I see an error 1033 when attempting to run a tunnel.

A `1033` error indicates your tunnel is not connected to Cloudflare's network because Cloudflare's network cannot find a healthy `cloudflared` instance to receive the traffic.

First, review whether your tunnel is listed as `Active` in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) by going to **Zero Trust** > **Networks** > **Connectors** > **Cloudflare Tunnels** or run `cloudflared tunnel list`. If the tunnel is not `Active`, review the following and take the action necessary for your tunnel status:

| Status       | Meaning                                                                                                                                                                                                                                                                                                                                                               | Recommended Action                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Healthy**  | The tunnel is active and serving traffic through four connections to the Cloudflare global network.                                                                                                                                                                                                                                                                   | No action is required. Your tunnel is running correctly.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **Inactive** | The tunnel has been created (via the API or dashboard) but the cloudflared connector has never been run to establish a connection.                                                                                                                                                                                                                                    | Run the tunnel as a service (recommended) or use the cloudflared tunnel run command on your origin server to connect the tunnel to Cloudflare. Refer to [substep 6 of step 1 in the Create a Tunnel dashboard guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#1-create-a-tunnel) or step 4 in the [Create a Tunnel API guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel). |
| **Down**     | The tunnel was previously connected but is currently disconnected because the cloudflared process has stopped.                                                                                                                                                                                                                                                        | 1\. Ensure the cloudflared [service](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/as-a-service/) or process is actively running on your server.  2\. Check for server-side issues, such as the machine being powered off, an application crash, or recent network changes.                                                                                                                                                                                                                |
| **Degraded** | The cloudflared connector is running and the tunnel is serving traffic, but at least one individual connection has failed. Further degradation in [tunnel availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) could risk the tunnel going down and failing to serve traffic. | 1\. Review your cloudflared [logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) for connection failures or error messages.  2\. Investigate local network and firewall rules to ensure they are not blocking connections to the [Cloudflare Tunnel IPs and ports](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/).                                                                                                       |

For more information, refer to the [comprehensive list of Cloudflare 1xxx errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/).

## I see a 502 Bad Gateway error when connecting to an HTTP or HTTPS application through tunnel.

A `502 Bad Gateway` error with `Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared` on a tunnel route means the tunnel itself is connected to the Cloudflare network, but `cloudflared` cannot reach the origin service defined in your ingress rule. Unlike [error 1033](#i-see-an-error-1033-when-attempting-to-run-a-tunnel), which indicates the tunnel is not connected to Cloudflare, a 502 error indicates the problem is between `cloudflared` and your local service.

To identify the specific cause, review your [Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) for `error`-level messages. Common causes include:

#### Origin service is not running

If the origin service has stopped or never started, `cloudflared` logs will show an error similar to:

```
error="dial tcp [::1]:8080: connect: connection refused"
```

To resolve, verify the service is running and listening on the expected port:

```
curl -v http://localhost:8080
```

If the service is not running, start or restart it. You can confirm the service is listening by running `ss -tlnp | grep <PORT>` (Linux) or `lsof -iTCP -sTCP:LISTEN -nP | grep <PORT>` (macOS).

#### Origin service URL uses the wrong protocol

If the origin expects HTTPS but the tunnel route specifies `http://`, or vice versa, `cloudflared` logs will show an error similar to:

```
error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\""
```

To resolve, update the service URL in your tunnel route to match the [protocol](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) your origin expects. For example, change `http://localhost:8080` to `https://localhost:8080`. If you are using a locally-managed tunnel, update your ingress rule in the [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/).

#### Origin service URL points to the wrong port

If the port in your tunnel route does not match the port your service is listening on, `cloudflared` will log a `connection refused` error for that port. Double-check the service URL in your ingress rule and compare it against the port your application is bound to.

#### Origin uses a certificate that `cloudflared` does not trust

If the origin presents a TLS certificate that `cloudflared` cannot verify, the logs will show an error similar to:

```
error="x509: certificate is valid for example.com, not localhost"
```

This commonly occurs when the origin uses a self-signed certificate or when an SSL/TLS inspection proxy sits between `cloudflared` and the origin.

To resolve, use one of the following approaches:

* Set [originServerName](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/) to the hostname on the origin certificate in your tunnel route. If you are using a locally-managed tunnel, here is an example of a [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/):

  ```
  ingress:
    - hostname: app.example.com
      service: https://localhost:443
      originRequest:
        originServerName: app.example.com
  ```

* Provide the CA certificate using [caPool](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/):

  ```
  ingress:
    - hostname: app.example.com
      service: https://localhost:443
      originRequest:
        caPool: /path/to/ca-cert.pem
  ```

* As a last resort, disable TLS verification with [noTLSVerify](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/). This is not recommended for production environments.

  ```
  ingress:
    - hostname: app.example.com
      service: https://localhost:443
      originRequest:
        noTLSVerify: true
  ```

## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app.

This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the [origin server name](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/) parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration:

```
ingress:
  - hostname: test.example.com
    service: https://localhost:443
    originRequest:
      originServerName: test.example.com
```

## `cloudflared access` shows an error `websocket: bad handshake`.

This means that your `cloudflared access` client is unable to reach your `cloudflared tunnel` origin. To diagnose this, look at the `cloudflared tunnel` logs. A common root cause is that the `cloudflared tunnel` is unable to proxy to your origin (for example, because the ingress is misconfigured, the origin is down, or the origin HTTPS certificate cannot be validated by `cloudflared tunnel`). If `cloudflared tunnel` has no logs, it means Cloudflare's network is not able to route the websocket traffic to it.

There are several possible root causes behind this error:

* Your `cloudflared tunnel` is either not running or not connected to Cloudflare's network.
* WebSockets are not [enabled](https://developers.cloudflare.com/network/websockets/#enable-websockets).
* Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve, go to **SSL/TLS** > **Overview** in the Cloudflare dashboard and set your SSL/TLS encryption mode to **Flexible**, **Full**, or **Full (strict)**.
* Your requests are blocked by [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings.
* Your SSH or RDP Access application has the [Binding Cookie](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** > **Applications** and edit the application settings.
* One or more [Workers routes](https://developers.cloudflare.com/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname, or update your Worker to only handle specific paths and forward all other requests to the origin (for example, by using `return fetch(req)`).

## Tunnel connections fail with SSL error.

If `cloudflared` returns the error `error="remote error: tls: handshake failure"`, check that the hostname in question is covered by an SSL certificate. If you are using a multi-level subdomain, an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) may be required, because Universal SSL does not cover more than one level of subdomain. This may surface in the browser as `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`.

## Tunnel connections fail with `Too many open files` error.

If your [Cloudflare Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) return a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to [configure ulimit settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/availability/ulimits/) on the machine running `cloudflared`.
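The log messages quoted in the 502, SSL handshake and `Too many open files` sections above are all distinctive enough to be matched automatically. The following script is an added example and not part of `cloudflared`: it pulls the `error="..."` field out of each log line, maps it to the cause described in this guide, and returns the matching next step. The sample log lines are constructed to mirror the error strings on this page (the tunnel ID is a placeholder), and the category labels and remediation wording are assumptions of this example.

```python
"""Triage cloudflared log lines into the causes described in the tunnel troubleshooting
sections. Added example, not part of cloudflared: the log lines are constructed to mirror the
error strings quoted on the page, and the category labels and remediation text are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# cloudflared writes the failure reason in an error="..." field; the value may contain
# escaped quotes (\"), so consume up to the first unescaped closing quote.
_ERROR_FIELD = re.compile(r'error="((?:[^"\\]|\\.)*)"')
_DIAL_REFUSED = re.compile(r'dial tcp (\S+): connect: connection refused')


@dataclass
class Finding:
    category: str   # stable label for dashboards or tests
    detail: str     # the error text that matched
    next_step: str  # remediation summarised from the troubleshooting text


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None when it carries no recognised error."""
    # quic-go emits this as a plain message rather than an error field.
    if "failed to sufficiently increase receive buffer size" in line:
        return Finding("udp_buffer_info", line.strip(),
                       "informational quic-go message; only tune net.core.rmem_max on high-bandwidth hosts")
    m = _ERROR_FIELD.search(line)
    if not m:
        return None
    err = m.group(1)
    if (d := _DIAL_REFUSED.search(err)):
        return Finding("origin_unreachable", err,
                       f"nothing accepted the connection on {d.group(1)}: start the service "
                       "or fix the port in the ingress rule")
    if "malformed HTTP response" in err and r"\x15\x03" in err:
        # Record type 0x15 is a TLS alert: the origin answered a plaintext HTTP request
        # with TLS, so the route scheme (http://) does not match the origin (https://).
        return Finding("protocol_mismatch", err,
                       "change the service URL scheme in the tunnel route to match the origin")
    if err.startswith("x509:"):
        return Finding("untrusted_origin_cert", err,
                       "set originServerName to the certificate hostname or point caPool at the issuing CA")
    if "remote error: tls: handshake failure" in err:
        return Finding("edge_tls_handshake", err,
                       "confirm an edge certificate covers the hostname; multi-level subdomains need an advanced certificate")
    if "too many open files" in err:
        return Finding("fd_exhausted", err, "raise the open file limit (ulimit) for the cloudflared process")
    return Finding("unclassified", err, "inspect the log context manually")


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and keep only the lines that matched something."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


# Constructed sample log; the tunnel ID is a placeholder, not a real tunnel.
SAMPLE_LOG = "\n".join([
    r'2024-05-01T10:00:00Z INF Starting tunnel tunnelID=00000000-0000-0000-0000-000000000000',
    r'2024-05-01T10:00:01Z ERR  error="dial tcp [::1]:8080: connect: connection refused" connIndex=0 ingressRule=0',
    r'2024-05-01T10:00:02Z ERR  error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\"" connIndex=1',
    r'2024-05-01T10:00:03Z ERR  error="x509: certificate is valid for example.com, not localhost" connIndex=2',
    r'2024-05-01T10:00:04Z ERR  error="remote error: tls: handshake failure" connIndex=3',
    r'2024-05-01T10:00:05Z ERR  error="socket: too many open files" connIndex=0',
    r'2024-05-01T10:00:06Z WRN failed to sufficiently increase receive buffer size',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:22} {f.next_step}")
```

Feed it the output of `journalctl -u cloudflared` or your tunnel's log file; anything that lands in `unclassified` is a message this guide does not cover and needs a manual look at the surrounding log context.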

## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs.

This buffer size increase is reported by the [quic-go library ↗](https://github.com/quic-go/quic-go) leveraged by [cloudflared ↗](https://github.com/cloudflare/cloudflared). You can learn more about the log message in the [quic-go repository ↗](https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes). This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed `cloudflared` within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes.

To set the maximum receive buffer size on Linux:

1. Create a new file under `/etc/sysctl.d/`:

   ```
   sudo vi /etc/sysctl.d/98-core-rmem-max.conf
   ```

2. In the file, define the desired buffer size:

   ```
   net.core.rmem_max=2500000
   ```

3. Reboot the host machine running `cloudflared`.
4. To validate that these changes have taken effect, use the `grep` command:

   ```
   sudo sysctl -a | grep net.core.rmem_max
   ```

   ```
   net.core.rmem_max = 2500000
   ```

## Cloudflare Tunnel is buffering my streaming response instead of streaming it live.

Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the `Content-Type: text/event-stream` response header. This header tells `cloudflared` to stream data as it arrives instead of buffering the entire response.

---

## More Tunnel resources

For more information, refer to the full Tunnel troubleshooting guide.

[ Full Tunnel troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/) 


---

---
title: Connectivity
description: Connectivity for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connectivity

This guide helps you determine whether a tunnel health alert is actually affecting your traffic. A degraded or down tunnel only matters if your traffic is currently routing through the Cloudflare data center where that tunnel is unhealthy.

Note

Cloudflare does not synchronize health checks among global network servers. A tunnel can be healthy in one data center and degraded in another at the same time. This is normal behavior, not an outage.

## Before you begin

Understand how Cloudflare WAN health checks and traffic routing work:

* Health checks run independently from every Cloudflare data center.
* Each data center evaluates tunnel health based on its own probes.
* Traffic enters Cloudflare at the data center closest to the source (anycast routing).
* A degraded tunnel in a data center that is not handling your traffic has no impact on your connectivity.

If you are experiencing actual tunnel health issues (tunnels flapping, all tunnels down, or IPsec errors), refer to [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/) instead.

## Diagnostic flowchart

Use this flowchart to determine whether a tunnel health alert requires action.

```mermaid
flowchart TD
accTitle: Connectivity troubleshooting flowchart
accDescr: A decision tree to determine whether a degraded tunnel alert is affecting your traffic.

A["You received a tunnel<br>health alert"] --> B{"Is your traffic<br>affected?"}
B -- "Yes, I have<br>connectivity issues" --> C["Identify your ingress<br>data center and check<br>tunnel health there"]
B -- "No, traffic<br>flows normally" --> D{"Does the alert match<br>a data center carrying<br>your traffic?"}
D -- "No" --> E["No action required.<br>The degraded tunnel is in<br>a data center not serving<br>your traffic."]
D -- "Yes" --> C
C --> G{"Are tunnels healthy<br>at your ingress<br>data center?"}
G -- "Yes" --> H["The issue is not<br>tunnel-related. Check<br>Cloudflare Status and<br>your origin network."]
G -- "No" --> I["Tunnels at your ingress<br>data center are unhealthy.<br>Refer to Troubleshoot<br>tunnel health."]
```

## 1. Identify your ingress data center

Determine which Cloudflare data center your traffic is entering. This is the only data center whose tunnel health status matters for your current connectivity.

### Use traceroute

Run a `traceroute` from the source network to your Cloudflare WAN prefix. Look for the Cloudflare data center hostname in the trace output, which contains a three-letter [IATA airport code ↗](https://en.wikipedia.org/wiki/IATA%5Fairport%5Fcode) that identifies the data center.

```
traceroute 203.0.113.1
```

```
 1  192.168.1.1 (192.168.1.1)  1.234 ms
 2  10.0.0.1 (10.0.0.1)  5.678 ms
 3  198.51.100.1 (198.51.100.1)  10.123 ms
 4  198.51.100.10 (198.51.100.10)  12.345 ms
 5  lhr01.cf (198.51.100.11)  15.678 ms
```

In this example, `lhr` indicates that traffic enters Cloudflare at the London (Heathrow) data center.
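To turn the flowchart and the traceroute step into something repeatable, here is an added example (not a Cloudflare tool) that extracts the ingress data center from traceroute output and walks the decision tree against the alerts you received. It assumes, as in the sample trace above, that the Cloudflare hop's hostname starts with the data center's IATA code and ends in a fixed suffix (`.cf` here; adjust `cf_suffix` to what your own traces show). The traceroute text and the alert table are constructed for the example; the `LHR` and `IAD` codes are the ones this page uses.

```python
"""Apply the connectivity flowchart to a traceroute and the tunnel health alerts you received.
Added example, not a Cloudflare tool: the traceroute text and alert table are constructed, and it
assumes (as in the sample on this page) that the Cloudflare hop's hostname starts with the
data center's IATA code and ends in a known suffix."""
import re
from typing import Dict, Optional

# traceroute hop: "<n>  <hostname> (<ip>)  <rtt> ms"
_HOP = re.compile(r'^\s*\d+\s+(\S+)\s+\(([\d.]+)\)')
# leading three-letter airport code in hostnames such as lhr01.cf
_COLO = re.compile(r'^([a-z]{3})\d*\.', re.IGNORECASE)


def ingress_colo(traceroute_output: str, cf_suffix: str = ".cf") -> Optional[str]:
    """Return the uppercase IATA code of the last hop inside Cloudflare, or None.

    cf_suffix is an assumption taken from the sample trace on the page; adjust it to whatever
    your traces actually show for the Cloudflare hop."""
    colo = None
    for line in traceroute_output.splitlines():
        hop = _HOP.match(line)
        if not hop or not hop.group(1).endswith(cf_suffix):
            continue
        code = _COLO.match(hop.group(1))
        if code:
            colo = code.group(1).upper()
    return colo


def assess_alert(alerts: Dict[str, str], traceroute_output: str, traffic_ok: bool) -> str:
    """Walk the flowchart. alerts maps IATA code -> "degraded" | "down"; absent means healthy."""
    colo = ingress_colo(traceroute_output)
    if colo is None:
        # The flowchart assumes you can identify the ingress data center; fall back to Network Analytics.
        return "ingress_unknown"
    status = alerts.get(colo, "healthy")
    if traffic_ok and status == "healthy":
        # B -> D -> E: the alert is for a data center not carrying this traffic.
        return "no_action"
    # C -> G: tunnel health at the ingress data center decides the outcome.
    if status == "healthy":
        return "not_tunnel_related"          # H: check Cloudflare Status and the origin network
    return "tunnel_unhealthy_at_ingress"     # I: follow Troubleshoot tunnel health


# Constructed traceroute mirroring the page's sample (documentation prefixes, not real hosts).
SAMPLE_TRACE = """\
 1  192.168.1.1 (192.168.1.1)  1.234 ms
 2  10.0.0.1 (10.0.0.1)  5.678 ms
 3  198.51.100.1 (198.51.100.1)  10.123 ms
 4  198.51.100.10 (198.51.100.10)  12.345 ms
 5  lhr01.cf (198.51.100.11)  15.678 ms
"""

if __name__ == "__main__":
    print(ingress_colo(SAMPLE_TRACE))                                        # LHR
    print(assess_alert({"IAD": "degraded"}, SAMPLE_TRACE, traffic_ok=True))  # no_action
    print(assess_alert({"LHR": "down"}, SAMPLE_TRACE, traffic_ok=False))     # tunnel_unhealthy_at_ingress
```

Note the one case the flowchart does not draw: when no hop in the trace can be attributed to Cloudflare, the function returns `ingress_unknown`, which is the signal to use the Network Analytics method in the next section instead of guessing.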

### Use the Cloudflare dashboard

You can identify which data centers handle your traffic by using **Network Analytics**.

1. Go to the **Network Analytics** page.  
[ Go to **Network analytics** ](https://dash.cloudflare.com/?to=/:account/networking-insights/analytics/network-analytics/transport-analytics)
2. Select **Add filter** and filter traffic by your source IP addresses to isolate your traffic.
3. Under **Packets summary**, select the **Source data center** tab. If the tab is not visible, select the three-dot menu (`...`) to reveal additional view options and select **Source data center**.
4. Review the per-data-center traffic breakdown to identify which Cloudflare data centers are handling your traffic.
5. Cross-reference these data centers with the tunnel health status on the [**Connector health** page](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/check-tunnel-health-dashboard/). If tunnels are healthy at the data centers carrying your traffic, a degraded tunnel alert for a different data center is not the cause of your connectivity issue.

## 2. Correlate with Cloudflare status

If your tunnels are healthy at the relevant data center but you still experience connectivity issues, check for broader platform issues.

1. Go to [Cloudflare Status ↗](https://www.cloudflarestatus.com/).
2. Look for any active incidents or maintenance at the data center you identified.
3. Check for any incidents that might affect your traffic, such as outages related to networking, BYOIP, or the services your configuration depends on.

## 3. Gather information for support

If you have worked through this guide and cannot resolve the issue, gather the following information before contacting Cloudflare support.

### Required information

1. **Account ID** and **tunnel name(s)** affected
2. **Timestamps** (in UTC) when the issue started
3. **Ingress data center** you identified (airport code, for example `LHR`, `IAD`)
4. **Symptoms observed:**  
   * Whether user traffic is affected or only health check alerts fired  
   * Which tunnels and data centers show degraded or down status  
   * Whether the issue is intermittent or persistent

### Helpful diagnostic data

* **Traceroute output** from your source network to your Cloudflare WAN prefix
* **Dashboard screenshots** showing tunnel health at the relevant data center
* **Distributed traceroutes** using tools like [ping.pe ↗](https://ping.pe) to test reachability from multiple global locations
* **Packet captures** from your router if traffic loss is confirmed

## Related resources

* [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/): Resolve common tunnel health issues (flapping, IPsec errors, stateful firewall drops).
* [Troubleshoot routing and BGP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/routing-and-bgp/): Diagnose routing and BGP issues that affect traffic delivery.
* [Check tunnel health in the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/check-tunnel-health-dashboard/): Monitor tunnel status per data center.
* [Tunnel health checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/): Technical details on how health checks work.
* [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/): Analyze traffic patterns over time.

---

## More WAN resources

For more information, refer to the full Cloudflare WAN documentation.

[ Full connectivity troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/connectivity/) 


---

---
title: IPsec
description: IPsec for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---


# IPsec

This guide helps you diagnose IPsec tunnel issues (also called connectors in the Cloudflare dashboard), from initial establishment through ongoing operation. Use the following sections to identify your symptom and find the appropriate solution.

## Tunnel never establishes (IKE negotiation fails)

### Symptoms

* Tunnel status shows `Down` and never becomes healthy
* No traffic passes through the tunnel
* Tunnel endpoint logs show IKE negotiation errors or retransmissions

### Possible causes and solutions

#### Firewall blocking IKE traffic

Your edge firewall may be blocking the traffic required for IPsec tunnel establishment. Verify your firewall permits:

* UDP port `500` (IKE)
* UDP port `4500` (IKE NAT-T)
* IP protocol `50` (ESP)

#### Crypto parameter mismatch

IKE negotiation fails when Phase 1 (IKE) or Phase 2 (IPsec) parameters do not match between your tunnel endpoint and Cloudflare. Common symptoms include "no proposal chosen" errors in your device logs.

Verify your parameters match Cloudflare's supported values. For the complete list, refer to [Supported configuration parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/#supported-configuration-parameters).

#### Pre-shared key (PSK) mismatch

Authentication failures in Phase 1 indicate a PSK mismatch. To resolve:

1. Go to **Connectors** and select your tunnel.  
[ Go to **Connectors** ](https://dash.cloudflare.com/?to=/:account/magic-networks/connections)
2. Select **Generate new PSK**.
3. Copy the new PSK exactly — do not add extra spaces or characters.
4. Update your tunnel endpoint with the new PSK.

#### IKE ID format mismatch

Cloudflare uses FQDN format for the IKE ID. If your tunnel endpoint expects a different peer identity format (such as an IP address), authentication fails even when the PSK is correct.

Ensure your tunnel endpoint is configured to accept an FQDN peer identity. To find your tunnel's FQDN, go to **Connectors**, select your tunnel, and check the tunnel details.

---

## Tunnel establishes but health checks fail

### Symptoms

* IKE negotiation completes successfully
* Tunnel shows `Down` or `Degraded` in the dashboard
* User traffic may still pass through the tunnel

### Possible causes and solutions

#### Anti-replay protection enabled on tunnel endpoint

This is the most common IPsec issue. Anti-replay protection expects packets to arrive in sequence from a single sender. Cloudflare's anycast architecture means tunnel traffic originates from thousands of servers, each with its own sequence counter. This causes your tunnel endpoint to drop packets as out-of-order.

Disable anti-replay protection on your tunnel endpoint, or set the replay window to `0`. For a detailed explanation, refer to [Anti-replay protection](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/anti-replay-protection/).

#### Health check type incompatible with stateful firewall

Stateful firewalls (such as Palo Alto Networks, Check Point, Cisco, and Fortinet) drop the default _Reply_ health check packets because no matching ICMP request exists in their session table.

Change the health check type from _Reply_ to _Request_. For detailed steps, refer to [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/).

#### ISP blocking health check return path

With unidirectional health checks, Cloudflare sends probes through the tunnel, but responses return via the public internet (direct server return). If your ISP blocks ICMP reply packets destined for Cloudflare, health checks fail even though tunnel traffic works normally.

If you have egress traffic enabled, consider switching to bidirectional health checks so that both the probe and response traverse the tunnel. For configuration details, refer to [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/).

#### Policy-based VPN health check failures

If you use a policy-based VPN (where traffic selectors define specific prefixes rather than `0.0.0.0/0`), Reply-style health checks do not work. Reply health checks are self-addressed to Cloudflare IP addresses, which fall outside your tunnel's traffic selectors.

Use Request-style health checks instead. Configure a loopback address on your tunnel endpoint as the health check target. The target must be routable and covered by the tunnel's traffic selectors (encryption domain). For more details, refer to [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/).

---

## Tunnel works intermittently (flapping)

### Symptoms

* Tunnel alternates between healthy and unhealthy states
* Intermittent packet loss on the tunnel
* Traffic works for a period then stops without configuration changes

### Possible causes and solutions

#### Anti-replay protection dropping out-of-order packets

Cloudflare's anycast architecture means packets arrive from many servers with different sequence counters. Anti-replay protection interprets this as a replay attack and drops packets intermittently.

Disable anti-replay protection on your tunnel endpoint, or set the replay window to `0`. For a detailed explanation, refer to [Anti-replay protection](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/anti-replay-protection/).

#### Rekey events causing brief disruption

When your tunnel endpoint initiates an IPsec rekey, new Security Associations (SAs) must propagate across Cloudflare's network. Rekey propagation delays have been significantly reduced and are uncommon in most deployments. However, brief tunnel degradation during rekeys can still occur in some configurations.

Cloudflare never initiates rekey — only responds. All rekey attempts must come from your tunnel endpoint. If your device receives a `TEMPORARY_FAILURE` response during rekey, configure Dead Peer Detection (DPD) with a "restart" action so the device re-establishes the IKE session automatically. Without DPD restart, the device can get stuck in a loop of failed rekeys.

To minimize any impact from rekeys, increase SA lifetimes on your tunnel endpoint to reduce rekey frequency. Common values are 8-24 hours for IKE SA and 1-8 hours for IPsec SA. For more details, refer to [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/).

#### MTU issues

Packets exceeding the tunnel MTU are fragmented or dropped, causing intermittent connectivity issues. Verify MTU is set correctly — typically `1476` for GRE tunnels and `1400`-`1450` for IPsec tunnels. For detailed guidance, refer to [MTU and MSS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/mtu-mss/).

---

## Monitor with IPsec logs

Use IPsec logs to monitor tunnel activity during the key-exchange phase of the IPsec negotiation. Configure a Logpush job to forward these logs to your preferred storage service for analysis.

### Set up an IPsec Logpush job

1. Go to the **Logpush** page.  
[ Go to **Logpush** ](https://dash.cloudflare.com/?to=/:account/logs)
2. Select **Create a Logpush job**.
3. Select **IPsec logs** as your dataset.

Refer to the [Logpush documentation](https://developers.cloudflare.com/logs/logpush/) for more information about features, including the [available fields](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ipsec%5Flogs/) in the dataset.

---

## More WAN resources

For more information, refer to the full Cloudflare WAN documentation.

[ Full IPsec troubleshooting guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/ipsec-troubleshoot/) 


---

---
title: Routing and BGP
description: Routing and BGP for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---


# Routing and BGP

This guide helps you diagnose and resolve common routing and BGP issues with Cloudflare WAN. These issues can affect traffic delivery, cause unexpected latency, or result in connectivity loss.

## Quick diagnostic checklist

If you are experiencing routing or BGP issues, check these items first:

1. **BGP session state**: Verify session is **Established**, not stuck in **Connect** or **Active**.
2. **Firewall rules**: Ensure TCP port `179` is permitted bidirectionally between your router and Cloudflare.
3. **Tunnel or CNI health**: Check that underlying connectivity is healthy. Degraded tunnels affect route priority.
4. **Static route conflicts**: Static routes take precedence over BGP routes at equal priority.

## Resolve common issues

### BGP session not establishing

This section covers BGP peering sessions (beta) between your network and Cloudflare, established over [CNI](https://developers.cloudflare.com/network-interconnect/) or tunnels. 

#### Symptoms

* BGP session never reaches **Established** state
* No routes being advertised or received
* Router logs show repeated connection attempts

#### BGP session states

| State           | Meaning                              | Action                                     |
| --------------- | ------------------------------------ | ------------------------------------------ |
| **Established** | Session up, exchanging routes        | Normal operation                           |
| **Active**      | Attempting to initiate connection    | Check firewall rules, verify neighbor IP   |
| **Connect**     | TCP connection in progress           | Check port 179 access, verify peering IP   |
| **Idle**        | Session down, no connection attempts | Check configuration, verify BGP is enabled |

#### Solution

1. Verify your firewall permits TCP port `179` bidirectionally between your router and the Cloudflare peering address.
2. Confirm the neighbor IP matches the Cloudflare-provided peering address exactly.
3. Verify your ASN configuration matches the dashboard settings. Only eBGP is supported, so your ASN must differ from the Cloudflare account ASN.
4. If using MD5 authentication, verify the password matches on both sides.

### Unexpected traffic routing or latency

#### Symptoms

* Traffic from specific regions routed through distant data centers
* Higher than expected latency for regional users
* Traffic not using the closest tunnel or CNI

#### Causes

* Tunnel health degradation causing route deprioritization
* Regional route scoping misconfiguration
* BGP route priorities not set as expected
* Static routes overriding BGP routes

#### Solution

1. **Check tunnel health**: Degraded tunnels have 500,000 added to their route priority. Down tunnels have 1,000,000 added. Traffic shifts to healthier paths, which may be in different regions. Refer to [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/) for diagnostic steps.
2. **Review route priorities**: Lower priority values indicate higher preference. Verify your routes have the expected priority configuration.  
   * Default BGP route priority: `100`  
   * Static routes at priority `100` take precedence over BGP routes at `100`
3. **Check regional scoping**: If you use region-scoped routes, ensure all regions have route coverage. Traffic arriving at a region without a matching route is dropped.
4. **Use Network Analytics**: Review traffic patterns to identify where traffic is landing and which paths it follows. Refer to [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/) for usage instructions.

### CNI link failures

#### Symptoms

* CNI shows down in dashboard
* BGP session over CNI drops
* Traffic fails over to tunnels or alternate CNIs

#### CNI issue layers

CNI issues can occur at multiple layers:

| Issue type         | Impact                             | What to check                      |
| ------------------ | ---------------------------------- | ---------------------------------- |
| Physical link down | All traffic over that CNI affected | Light levels, cross-connect status |
| BGP session down   | Dynamic routes withdrawn           | BGP neighbor state on your router  |
| Prefixes withdrawn | Specific routes unavailable        | BGP advertised and received routes |

A healthy physical link can still have BGP issues. A healthy BGP session can exist while specific prefixes are withdrawn.

#### Solution

**Check physical layer (your side):**

Note

In the case of interconnects provisioned by third parties, you may need to request that your provider carry out these steps.

1. Verify the interface is administratively up on your router.
2. Check optical light levels (Tx/Rx dBm). Abnormal readings indicate fiber or transceiver issues.
3. If light levels are low or absent on your receive side, contact your data center to verify cross-connect status.

**Check BGP session:**

1. Verify BGP neighbor state on your router shows **Established**.
2. Check for MD5 authentication mismatches if authentication is configured.
3. Review BGP logs for error messages indicating why the session may have dropped.

**Check for maintenance:**

1. Review [Cloudflare Status ↗](https://www.cloudflarestatus.com/) for scheduled maintenance affecting your CNI location.
2. Some maintenance events may temporarily affect CNI connectivity even when marked as non-disruptive.

Refer to [Network Interconnect](https://developers.cloudflare.com/network-interconnect/) for CNI configuration and setup information.

### Static and BGP route conflicts

#### Symptoms

* BGP routes not being used despite being learned
* Traffic not following expected BGP path
* Route changes not taking effect as expected

#### Cause

Cloudflare prefers static routes when static and BGP routes share the same prefix and priority. This ensures manually configured routes take precedence unless explicitly deprioritized.

#### Solution

Adjust route priorities based on your preference:

* **To prefer BGP routes**: Set static route priority to a higher number (for example, `150` or `200`). Higher numbers indicate lower preference.
* **To prefer static routes**: Keep static route priority at or below `100`. BGP routes default to priority `100`.

| Route type | Prefix      | Priority | Selected               |
| ---------- | ----------- | -------- | ---------------------- |
| Static     | 10.0.0.0/24 | 100      | Yes (static wins ties) |
| BGP        | 10.0.0.0/24 | 100      | No                     |

To make the BGP route preferred in this example, change the static route priority to `150` or higher, or remove the static route entirely.

Refer to [Route prioritization](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/#route-prioritization) for detailed information on how priorities work.

## CNI, tunnel, and BGP health

Understanding the relationship between these components helps diagnose routing issues:

| Component         | What it monitors                                        | Impact when unhealthy                                          |
| ----------------- | ------------------------------------------------------- | -------------------------------------------------------------- |
| **CNI health**    | Physical or virtual interconnect link status            | BGP session may drop. All traffic over that CNI is affected.   |
| **Tunnel health** | Logical GRE or IPsec tunnel through health check probes | Route priority penalized. Traffic steers to healthier tunnels. |
| **BGP session**   | Control plane connectivity for dynamic routing          | Dynamic routes withdrawn. Static routes remain unaffected.     |

A healthy CNI can have an unhealthy tunnel if health check probes are blocked or misconfigured. BGP routes can be withdrawn even when the underlying physical link is operational.

## Gather information for support

If you have worked through this guide and still experience routing issues, gather the following information before contacting Cloudflare support.

### Required information

1. **Account ID** and affected prefix(es), tunnel name(s), or CNI identifier(s)
2. **Timestamps** (in UTC) when the issue occurred
3. **BGP configuration details:**  
   * Your ASN and Cloudflare peering ASN  
   * Neighbor IP addresses  
   * Sanitized router configuration (remove passwords and keys)
4. **Current state information:**  
   * BGP session state from your router  
   * Dashboard screenshots showing prefix, route, or tunnel status

### Helpful diagnostic data

* **Router logs**: BGP neighbor logs covering the incident timeframe
* **Traceroute results**: From affected source networks to your prefix
* **For CNI issues**: Optical light level readings from your equipment

### Router diagnostic commands

Collect output from these commands (syntax varies by vendor):

```
# Show BGP neighbor status
show bgp neighbors

# Show BGP summary
show bgp ipv4 unicast summary

# Show specific prefix in BGP table
show bgp ipv4 unicast <YOUR_PREFIX>

# Show interface status (for CNI)
show interface <YOUR_INTERFACE_NAME>

# Show received and advertised routes
show bgp ipv4 unicast neighbors <YOUR_NEIGHBOR_IP> routes
show bgp ipv4 unicast neighbors <YOUR_NEIGHBOR_IP> advertised-routes
```

## Resources

* [Traffic steering](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/#route-prioritization): Route prioritization, BGP communities, and ECMP behavior
* [Configure routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/how-to/configure-routes/): Static route configuration
* [Network Interconnect](https://developers.cloudflare.com/network-interconnect/): CNI setup and BGP peering
* [Troubleshoot tunnel health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/): Tunnel-specific diagnostic steps
* [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/): Traffic analysis and monitoring
* [Cloudflare Status ↗](https://www.cloudflarestatus.com/): Maintenance and incident notifications

---

## More WAN resources

For more information, refer to the full Cloudflare WAN documentation.

[ Full routing and BGP guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/routing-and-bgp/) 


---

---
title: Tunnel health
description: Tunnel health for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---


# Tunnel health

This guide helps you diagnose and resolve common tunnel health issues with Cloudflare WAN. Tunnel health checks monitor your GRE and IPsec tunnel endpoints (also called connectors in the Cloudflare dashboard) and steer traffic to the best available routes.

## Quick diagnostic checklist

Use the following table to match your symptom to the most likely cause and first action:

| Symptom                                           | Most likely cause                                         | First action                                                                                                                                        |
| ------------------------------------------------- | --------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| Tunnel shows Down, never becomes healthy          | Configuration mismatch or firewall blocking IKE           | Check IPsec parameters and firewall rules. Refer to [IPsec tunnel establishment failures](#ipsec-tunnel-establishment-failures).                    |
| Dashboard shows "100% degraded" for some colos    | Normal — this is a state indicator, not packet loss       | Check if affected colos carry your traffic. Refer to [Understanding degraded status](#understanding-degraded-status-in-the-dashboard).              |
| Tunnel flaps between healthy and unhealthy        | Anti-replay protection or rekey disruption                | Disable anti-replay protection on your router. Refer to [IPsec tunnel instability](#ipsec-tunnel-instability-or-packet-drops).                      |
| Health checks fail but traffic flows normally     | Stateful firewall dropping health check probes            | Change health check type from _Reply_ to _Request_. Refer to [Tunnel shows Down but traffic is flowing](#tunnel-shows-down-but-traffic-is-flowing). |
| Health checks fail on policy-based VPN tunnels    | Reply health checks fall outside tunnel traffic selectors | Use Request-style health checks with a loopback target. Refer to [Policy-based VPN health check failures](#policy-based-vpn-health-check-failures). |
| All tunnels degraded or down in a specific region | Network path issue between that region and your network   | Check ISP connectivity. Use traceroute or MTR from your tunnel endpoint toward Cloudflare.                                                          |
| All tunnels degraded or down globally             | Issue at your network edge                                | Check your tunnel endpoint router and upstream connectivity.                                                                                        |

### What you can check

* **Dashboard**: Tunnel health status per data center and traffic volume per tunnel (Go to **Insights** > **Network health** > **Network health**)
* **API**: Tunnel health status via the [Cloudflare WAN tunnel health API](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/)
* **Network Analytics**: Traffic volume, packet counts, and protocol distribution through [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/)
* **From your network**: Traceroute and MTR from your tunnel endpoint toward Cloudflare. Since Cloudflare endpoints use anycast, this tests the path to the nearest data center only. To test specific regions, use the [Cloudflare Traceroute API](https://developers.cloudflare.com/api/resources/diagnostics/subresources/traceroutes/methods/create/) to run traceroutes from specific Cloudflare locations to your network.

### What you cannot check (current limitations)

* Correlation between tunnel health events and Cloudflare network incidents
* Per-packet forwarding decisions (which data center forwarded which packet through which tunnel)
* Historical health check probe data beyond the dashboard retention period

### Common fixes checklist

If you are experiencing tunnel health issues, check these items first:

1. **Health check type**: If using a stateful firewall (such as Palo Alto Networks, Check Point, Cisco, or Fortinet), change health check type from _Reply_ to _Request_.
2. **Anti-replay protection**: Disable anti-replay protection on your router, or set the replay window to `0`.
3. **MTU settings**: Verify MTU is set correctly (typically `1476` for GRE, `1400`-`1450` for IPsec).
4. **IPsec parameters**: Confirm your cryptographic parameters match [Cloudflare's supported configuration](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/#supported-configuration-parameters).
5. **Health check direction**: Cloudflare WAN defaults to _Bidirectional_.
6. **Cloudflare Network Firewall rules (less common)**: Ensure ICMP traffic from [Cloudflare IP addresses ↗](https://cloudflare.com/ips/) is allowed.

---

## Tunnel health states

The [Network health ↗](https://dash.cloudflare.com/?to=/:account/networking-insights/health) page in the Cloudflare dashboard displays three tunnel health states:

| State        | Dashboard display                         | Technical threshold                                                |
| ------------ | ----------------------------------------- | ------------------------------------------------------------------ |
| **Healthy**  | More than 80% of health checks pass       | Less than 0.1% failure rate                                        |
| **Degraded** | Between 40% and 80% of health checks pass | At least 0.1% failures in last five minutes (minimum two failures) |
| **Down**     | Less than 40% of health checks pass       | All health checks failed (at least three samples in last second)   |

The dashboard shows tunnel health as measured from each Cloudflare data center where your traffic lands. It is normal to see some locations reporting degraded status due to Internet path issues. Focus on locations that show traffic in the **Traffic volume (1h)** column.

Probe retry behavior

When a health check probe fails, Cloudflare sends two additional probes to confirm the failure. A tunnel is only marked as unhealthy if all three probes fail. This retry behavior provides resilience against random packet loss.

### Understanding degraded status in the dashboard

The tunnel health dashboard reports health state per data center per tunnel. Each Cloudflare data center independently tracks the health of each tunnel.

A common source of confusion is seeing "100% degraded" in the dashboard and misinterpreting it as 100% packet loss. Note that these are different.

100% degraded is a state, not a packet loss percentage

Each Cloudflare data center is a single tracking instance for a tunnel. When a tunnel enters the degraded state in a data center, the dashboard reports that data center as "100% degraded" for that tunnel. The actual packet loss that triggered the state change may be very small — even a brief period of intermittent loss that does not noticeably affect applications can trigger the degraded state.

**How degraded state is triggered:**

When a health check probe fails, Cloudflare sends two additional probes. If some probes succeed and some fail, the tunnel enters degraded state for that data center. A few seconds of intermittent packet loss is enough to trigger this transition.

**What to check:**

Focus on data centers that show traffic in the **Traffic volume (1h)** column. A data center showing degraded status with zero or minimal traffic is informational — it indicates a path issue between that specific Cloudflare data center and your network, but it does not affect your traffic if no traffic routes through that data center.

**Recovery timing:**

Tunnels remain in degraded state for at least five minutes, even if health checks start succeeding immediately. Recovery from degraded to healthy requires consistently passing health checks over a sustained period and can take up to 30 minutes. For details on how tunnels transition between states, refer to [Recovery behavior](#recovery-behavior) below.

### Routing priority penalties

When a tunnel becomes unhealthy, Cloudflare applies priority penalties to routes through that tunnel:

* **Degraded**: Adds `500,000` to route priority
* **Down**: Adds `1,000,000` to route priority

These penalties shift traffic to healthier tunnels while maintaining redundancy. Cloudflare never completely removes routes, preserving failover options even when all tunnels are unhealthy.
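As an added illustration (not Cloudflare's code), the following Python models the route selection rules this guide describes: the lowest priority value wins, a static route beats a BGP route at equal priority (as in the static and BGP route conflict section), and unhealthy tunnels add the penalties above instead of withdrawing the route. The route entries, tunnel names and health states are constructed sample data.

```python
"""Route selection with tunnel health penalties (added example, not Cloudflare code).

Models the rules stated in this guide:
  * a lower priority value is more preferred
  * a static route wins a tie against a BGP route at the same priority
  * Degraded adds 500,000 and Down adds 1,000,000 to a route's priority;
    routes are penalized, never removed, so a path always remains
"""
from dataclasses import dataclass

HEALTH_PENALTY = {"healthy": 0, "degraded": 500_000, "down": 1_000_000}
SOURCE_RANK = {"static": 0, "bgp": 1}  # static sorts first on a priority tie


@dataclass(frozen=True)
class Route:
    prefix: str     # destination prefix, e.g. "10.0.0.0/24"
    priority: int   # configured priority (BGP routes default to 100)
    source: str     # "static" or "bgp"
    tunnel: str     # connector (tunnel or CNI) the route points at; constructed names


def effective_priority(route: Route, tunnel_health: dict[str, str]) -> int:
    """Configured priority plus the penalty for the tunnel's current health state."""
    state = tunnel_health.get(route.tunnel, "healthy")
    return route.priority + HEALTH_PENALTY[state]


def select_route(prefix: str, routes: list[Route], tunnel_health: dict[str, str]) -> Route:
    """Pick the route used for `prefix` among the candidates configured for that exact prefix."""
    candidates = [r for r in routes if r.prefix == prefix]
    if not candidates:
        raise LookupError(f"no route configured for {prefix}")
    # Lowest effective priority wins; on a tie the static route ranks ahead of BGP.
    return min(candidates, key=lambda r: (effective_priority(r, tunnel_health), SOURCE_RANK[r.source]))


# Constructed sample: the tie from the route-conflict table, with the BGP route
# learned over a second tunnel.
ROUTES = [
    Route("10.0.0.0/24", 100, "static", "tunnel-a"),
    Route("10.0.0.0/24", 100, "bgp", "tunnel-b"),
]

if __name__ == "__main__":
    for health in ({}, {"tunnel-a": "degraded"}, {"tunnel-a": "down", "tunnel-b": "down"}):
        chosen = select_route("10.0.0.0/24", ROUTES, health)
        print(f"health={health or 'all healthy'} -> {chosen.source} via {chosen.tunnel}")
```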

### Recovery behavior

Tunnels transition between states asymmetrically to prevent flapping:

* **Healthy to Degraded/Down**: Transitions quickly when failures are detected. A tunnel can go directly from Healthy to Down if all probe retries fail.
* **Down to Degraded**: Requires three consecutive successful health check probes.
* **Degraded to Healthy**: Requires failure rate below 0.1% over 30 consecutive probes.

Minimum state duration

Tunnels remain in a degraded or down state for at least five minutes, even if health checks start succeeding immediately. This minimum duration prevents rapid flapping when there is intermittent packet loss. Additionally, a tunnel recovering from `Down` must always transition through `Degraded` before returning to `Healthy`.

Recovery from degraded to healthy can take up to 30 minutes. This intentional slow recovery behavior (called hysteresis) prevents rapid state changes caused by intermittent network issues or tunnel flapping.
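The following Python state machine is an added example (not Cloudflare's implementation) of the transition rules in "Tunnel health states" and "Recovery behavior": two retries after a failed probe, a direct drop to Down when all three fail, Degraded on a mixed result, the five-minute minimum state duration, three successful rounds for Down to Degraded, and zero failures over 30 consecutive rounds for Degraded to Healthy. It treats one health-check round as one probe and reduces the 0.1%-over-five-minutes accounting for entering Degraded to "any round with a failure"; both are simplifying assumptions.

```python
"""Tunnel health state machine (added example, not Cloudflare code).

Transition rules modeled from this guide:
  * a failed probe is retried twice; all three failing means Down,
    a mix of successes and failures means Degraded
  * Down -> Degraded needs three consecutive successful rounds
  * Degraded -> Healthy needs a failure rate below 0.1% over 30 consecutive
    probes; for 30 probes that means none may fail
  * Degraded and Down each last at least five minutes, and Down always
    passes through Degraded on the way back to Healthy
Assumptions: one round counts as one probe, and a fully failed round while
Degraded is treated as Down.
"""
HEALTHY, DEGRADED, DOWN = "healthy", "degraded", "down"
MIN_STATE_SECONDS = 5 * 60
RETRIES = 2
DOWN_TO_DEGRADED_ROUNDS = 3
DEGRADED_TO_HEALTHY_ROUNDS = 30


class TunnelHealth:
    def __init__(self, now: float = 0.0) -> None:
        self.state = HEALTHY
        self.entered_at = now       # when the current state was entered (seconds)
        self.consecutive_ok = 0     # rounds with no failed probe since the last failure

    def _enter(self, state: str, now: float) -> None:
        self.state = state
        self.entered_at = now
        self.consecutive_ok = 0

    def _min_duration_met(self, now: float) -> bool:
        return now - self.entered_at >= MIN_STATE_SECONDS

    def record_round(self, attempts: list[bool], now: float) -> str:
        """Feed one health-check round and return the resulting state.

        `attempts` holds the probe results of the round: [True] when the first
        probe succeeded, otherwise the first probe followed by its two retries.
        """
        if not attempts:
            raise ValueError("a round needs at least one probe result")
        if not attempts[0] and len(attempts) != 1 + RETRIES:
            raise ValueError("a failed probe must be followed by two retries")
        all_failed = not any(attempts)
        any_failed = not all(attempts)
        self.consecutive_ok = 0 if any_failed else self.consecutive_ok + 1

        if self.state == HEALTHY:
            if all_failed:
                self._enter(DOWN, now)        # Healthy can drop straight to Down
            elif any_failed:
                self._enter(DEGRADED, now)    # brief intermittent loss is enough
        elif self.state == DEGRADED:
            if all_failed:
                self._enter(DOWN, now)        # assumption: all probes failed
            elif (self.consecutive_ok >= DEGRADED_TO_HEALTHY_ROUNDS
                  and self._min_duration_met(now)):
                self._enter(HEALTHY, now)
        elif self.state == DOWN:
            if (self.consecutive_ok >= DOWN_TO_DEGRADED_ROUNDS
                    and self._min_duration_met(now)):
                self._enter(DEGRADED, now)    # never directly back to Healthy
        return self.state
```

Driving the machine with a single mixed round shows the "100% degraded" case: the state flips immediately, but no number of immediate successes returns it to Healthy before the five minutes have elapsed.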

For instructions on monitoring tunnel status, refer to [Check tunnel health in the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/check-tunnel-health-dashboard/).

### Health check types and directions

**Health check type:**

| Type                | Behavior                              | When to use                                                         |
| ------------------- | ------------------------------------- | ------------------------------------------------------------------- |
| **Reply** (default) | Cloudflare sends an ICMP reply packet | Simple networks without stateful firewalls                          |
| **Request**         | Cloudflare sends an ICMP echo request | Networks with stateful firewalls (recommended for most deployments) |

**Health check direction:**

| Direction          | Behavior                                              | Default for                          |
| ------------------ | ----------------------------------------------------- | ------------------------------------ |
| **Bidirectional**  | Probe and response both traverse the tunnel           | Cloudflare WAN (formerly Magic WAN)  |
| **Unidirectional** | Probe traverses tunnel; response returns via Internet | Magic Transit (direct server return) |

Note

Unidirectional health checks can be unreliable because intermediate network devices may drop ICMP reply packets. If you have egress traffic enabled, consider switching to bidirectional health checks.

---

## Resolve common issues

### Tunnel shows `Down` but traffic is flowing

#### Symptoms

* Dashboard shows tunnel as `Down` or `Degraded`
* Actual user traffic passes through the tunnel successfully
* Health check failure rate is 100% despite working connectivity

#### Cause

Stateful firewalls (such as Palo Alto Networks, Check Point, Cisco, and Fortinet) drop the health check packets. By default, Cloudflare sends ICMP _Reply_ packets as health check probes.

Stateful firewalls inspect these packets and look for a matching ICMP _Request_ in their session table. When no matching request exists, firewalls drop the reply as "out-of-state".

#### Solution

Change the health check type from _Reply_ to _Request_:

1. Go to the **Connectors** page.  
[ Go to **Connectors** ](https://dash.cloudflare.com/?to=/:account/magic-networks/connections)
2. In **IPsec/GRE tunnels**, select **Edit** on the affected tunnel.
3. Under **Health check type**, change from _Reply_ to _Request_.
4. Select **Update tunnel**.

When you use _Request_ style health checks, Cloudflare sends an ICMP echo request. Your firewall's stateful inspection engine recognizes this as a legitimate request and automatically permits the ICMP reply response.

Note

If your firewall drops ICMP request packets as well, verify that your firewall policy permits ICMP traffic on the tunnel interface.
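To see why the probe type matters, here is an added Python sketch (not Cloudflare or any vendor's code) of a stateful firewall's ICMP session table: an echo reply with no matching request is dropped as out-of-state, while an echo request creates the entry that lets its reply back through. The tunnel interface addresses are constructed values in the same `/31` style the guide uses.

```python
"""Why Reply-style probes fail through a stateful firewall (added example).

A minimal model of stateful ICMP inspection: echo requests create a session
entry keyed on (src, dst, id); an echo reply is allowed only when it matches
an existing entry in the reverse direction. Addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    kind: str    # "echo-request" or "echo-reply"
    src: str
    dst: str
    ident: int


class StatefulFirewall:
    def __init__(self) -> None:
        self.sessions: set[tuple[str, str, int]] = set()

    def inspect(self, pkt: Icmp) -> str:
        if pkt.kind == "echo-request":
            self.sessions.add((pkt.src, pkt.dst, pkt.ident))
            return "allow"
        if pkt.kind != "echo-reply":
            raise ValueError(pkt.kind)
        # A reply must correspond to a request seen in the opposite direction.
        key = (pkt.dst, pkt.src, pkt.ident)
        if key in self.sessions:
            self.sessions.discard(key)
            return "allow"
        return "drop: out-of-state"


CLOUDFLARE_SIDE = "10.252.2.26"   # constructed tunnel interface addresses
CUSTOMER_SIDE = "10.252.2.27"


def run_health_check(check_type: str, fw: StatefulFirewall) -> bool:
    """Simulate one probe of the given type and report whether it passes the firewall."""
    if check_type == "reply":
        # Reply-style: Cloudflare sends an ICMP reply with no preceding request,
        # so stateful inspection finds no session and drops it.
        probe = Icmp("echo-reply", CLOUDFLARE_SIDE, CUSTOMER_SIDE, ident=1)
        return fw.inspect(probe) == "allow"
    if check_type == "request":
        # Request-style: the echo request creates the session entry, and the
        # router's reply matches it on the way back.
        probe = Icmp("echo-request", CLOUDFLARE_SIDE, CUSTOMER_SIDE, ident=1)
        if fw.inspect(probe) != "allow":
            return False
        answer = Icmp("echo-reply", CUSTOMER_SIDE, CLOUDFLARE_SIDE, ident=1)
        return fw.inspect(answer) == "allow"
    raise ValueError(check_type)
```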

---

### Health check failures with Cloudflare Network Firewall

#### Symptoms

* Tunnels were healthy before enabling Cloudflare Network Firewall
* After adding Cloudflare Network Firewall rules, health checks fail
* Blocking ICMP traffic causes immediate health check failures

#### Cause

Cloudflare Network Firewall processes all traffic, including Cloudflare's health check probes. If you create a rule that blocks ICMP traffic, you also block the health check packets that Cloudflare sends to monitor tunnel status.

#### Solution

Add an allow rule for ICMP traffic from Cloudflare IP addresses _before_ any block rules:

1. Go to the **Firewall policies** page.  
[ Go to **Firewall policies** ](https://dash.cloudflare.com/?to=/:account/network-security/magic%5Ffirewall)
2. Create a new policy with the following parameters:

| Field        | Value                                                 |
| ------------ | ----------------------------------------------------- |
| **Action**   | Allow                                                 |
| **Protocol** | ICMP                                                  |
| **Source**   | [Cloudflare IP ranges ↗](https://cloudflare.com/ips/) |

3. Position this rule _before_ any rules that block ICMP traffic.

For more information, refer to [Cloudflare Network Firewall rules and endpoint health checks](https://developers.cloudflare.com/cloudflare-network-firewall/about/ruleset-logic/#cloudflare-network-firewall-rules-and-magic-transit-endpoint-health-checks).

---

### IPsec tunnel instability or packet drops

#### Symptoms

* IPsec tunnel frequently flaps between healthy and down states
* Intermittent packet loss on the tunnel
* Traffic works for a period then stops without configuration changes
* Router logs show packets dropped due to:  
   * "replay check failed"  
   * "invalid sequence number"  
   * "invalid SPI" (Security Parameter Index)

#### Cause

Anti-replay protection is enabled on your router. IPsec anti-replay protection expects packets to arrive in sequence from a single sender.

Cloudflare's anycast architecture means your tunnel traffic can originate from thousands of servers across hundreds of data centers. Each server maintains its own sequence counter, causing packets to arrive out-of-order from your router's perspective.

#### Solution

Disable anti-replay protection on your router:

**For most routers:**

Locate the anti-replay or replay protection setting in your IPsec configuration and disable it.

**If you can only set a replay window size:**

Set the replay window to `0` to effectively disable the check.

**For devices that do not support disabling anti-replay:**

Enable replay protection in the Cloudflare dashboard. This routes all tunnel traffic through a single server, maintaining proper sequence numbers at the cost of losing anycast benefits.

1. Go to the **Connectors** page.  
[ Go to **Connectors** ](https://dash.cloudflare.com/?to=/:account/magic-networks/connections)
2. In **IPsec/GRE tunnels**, select **Edit** on your IPsec tunnel.
3. Enable **Replay protection**.
4. Select **Update tunnel**.

**For Cisco IOS/IOS-XE routers experiencing "invalid SPI" errors:**

Enable ISAKMP invalid SPI recovery to help the router resynchronize Security Associations:

```
configure terminal
crypto isakmp invalid-spi-recovery
exit
```

Warning

Enabling replay protection in Cloudflare reduces the performance and resilience benefits of the anycast architecture. Only use this option when your device does not support disabling anti-replay protection.

For a detailed explanation of why this setting is necessary, refer to [Anti-replay protection](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/anti-replay-protection/).

---

### Tunnel degraded after rekey events

#### Symptoms

* Tunnel health drops to `Degraded` or `Down` periodically
* Issues coincide with IPsec rekey intervals (typically every few hours)
* Tunnel recovers automatically after 1-3 minutes
* Router logs show successful rekey completion

#### Cause

When your tunnel endpoint initiates an IPsec rekey, the new Security Associations (SAs) must propagate across Cloudflare's network. Rekey propagation delays have been significantly reduced and are uncommon in most deployments, but brief tunnel degradation during a rekey can still occur in some configurations.

Cloudflare never initiates a rekey; it only responds to rekeys initiated by your tunnel endpoint. If your device receives a `TEMPORARY_FAILURE` response during a rekey, it must re-establish the IKE session to recover.

#### Solution

This behavior is expected and the tunnel will automatically recover. To minimize impact:

1. **Configure Dead Peer Detection (DPD) with restart**: Set your tunnel endpoint's DPD action to "restart" so it automatically re-establishes the IKE session if a rekey fails with `TEMPORARY_FAILURE`. Without DPD restart, the device can get stuck in a loop of failed rekeys.
2. **Increase rekey intervals**: Configure longer SA lifetimes on your tunnel endpoint to reduce rekey frequency. Common values are 8-24 hours for IKE SA and 1-8 hours for IPsec SA.
3. **Adjust health check sensitivity**: If brief degradation during rekeys triggers alerts, consider lowering the health check rate:  
   1. Go to the **Connectors** page.  
   [ Go to **Connectors** ](https://dash.cloudflare.com/?to=/:account/magic-networks/connections)  
   2. In **IPsec/GRE tunnels**, select **Edit** on the tunnel.  
   3. Change **Health check rate** to _Low_.
4. **Stagger rekey times**: If you have multiple tunnels, configure different SA lifetimes so they do not rekey simultaneously.

---

### Bidirectional health check failures

#### Symptoms

* Health checks configured as bidirectional fail consistently
* Unidirectional health checks work correctly
* Traffic flows through the tunnel normally

#### Cause

Bidirectional health checks require both the probe and response to traverse the tunnel. Your router must:

1. Accept ICMP packets destined for the tunnel interface IP addresses
2. Route the ICMP response back through the tunnel to Cloudflare

If traffic selectors or firewall rules do not permit this traffic, bidirectional health checks fail.

#### Solution

**For IPsec tunnels:**

Configure traffic selectors to accept packets for the tunnel interface addresses. For example, if your tunnel interface address is `10.252.2.27/31`:

* Permit traffic to/from `10.252.2.26` (Cloudflare side)
* Permit traffic to/from `10.252.2.27` (your side)

**For all tunnel types:**

Ensure your firewall permits ICMP traffic on the tunnel interface. Many firewalls require explicit rules to allow management traffic (including ping) on tunnel interfaces.

For detailed information on how bidirectional health checks work, refer to [Tunnel health checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/).

---

### IPsec tunnel establishment failures

#### Symptoms

* Tunnel status shows `Down` and never becomes healthy
* No traffic passes through the tunnel
* Router logs show IKE negotiation failures

#### Cause

IPsec tunnel establishment can fail due to several configuration mismatches:

| Issue                         | Symptom                                         |
| ----------------------------- | ----------------------------------------------- |
| **Crypto parameter mismatch** | IKE negotiation fails with "no proposal chosen" |
| **Incorrect PSK**             | Authentication failures in Phase 1              |
| **Wrong IKE ID format**       | Authentication failures despite correct PSK     |
| **Firewall blocking IKE**     | No IKE traffic reaches Cloudflare               |

#### Solution

1. **Verify crypto parameters match Cloudflare's supported configuration:**  
**Phase 1 (IKE)**

| Parameter      | Supported values            |
| -------------- | --------------------------- |
| IKE version    | IKEv2 only                  |
| Encryption     | AES-GCM-16, AES-CBC-256     |
| Authentication | SHA-256, SHA-384, SHA-512   |
| DH Group       | DH group 14, 15, 16, 19, 20 |

**Phase 2 (IPsec)**

| Parameter      | Supported values            |
| -------------- | --------------------------- |
| Encryption     | AES-GCM-16, AES-CBC-256     |
| Authentication | SHA-256, SHA-512            |
| PFS Group      | DH group 14, 15, 16, 19, 20 |

2. **Verify the Pre-Shared Key (PSK):**  
   * Regenerate the PSK in the Cloudflare dashboard  
   * Copy the new PSK exactly (no extra spaces or characters)  
   * Update your router with the new PSK
3. **Check the IKE ID format:** Cloudflare uses FQDN format for the IKE ID. Ensure your router is configured to accept an FQDN peer identity. The FQDN is displayed in the tunnel details in the Cloudflare dashboard.
4. **Verify firewall rules:** Ensure your edge firewall permits:  
   * UDP port `500` (IKE)  
   * UDP port `4500` (IKE NAT-T)  
   * IP protocol `50` (ESP)

For the complete list of supported parameters, refer to [Supported configuration parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/#supported-configuration-parameters).

---

### Policy-based VPN health check failures

#### Symptoms

* Health checks fail consistently on policy-based IPsec tunnels
* Traffic matching the tunnel's traffic selectors (encryption domain) flows normally
* Route-based tunnels on the same device work correctly

#### Cause

Policy-based IPsec tunnels use traffic selectors to define which prefixes are permitted in the tunnel. Reply-style health checks are self-addressed to Cloudflare IP addresses. These addresses fall outside the tunnel's traffic selectors (which only permit customer network destinations), so the tunnel endpoint drops the health check packets.

Additionally, some firewalls (such as Check Point) may flag Reply-style health check packets as spoofed due to their self-addressed nature, even on route-based tunnels.

#### Solution

1. Change the health check type from _Reply_ to _Request_.
2. Configure a loopback address on your tunnel endpoint as the health check target. The target must be:  
   * Routable from the tunnel endpoint  
   * Covered by the tunnel's traffic selectors (encryption domain)
3. For bidirectional health checks, ensure the health check source (the tunnel Interface Address configured in the Cloudflare dashboard) is also covered by a traffic selector.

Note

Policy-based tunnels use a separate Child SA for each set of traffic selectors. There is a limit of approximately 100 Child SAs per tunnel. The health check traffic may use its own Child SA, which can go down independently from the Child SAs carrying your application traffic.

---

## Vendor-specific guidance

### Common vendor-specific issues

| Vendor                 | Common issue                             | Solution                                                   |
| ---------------------- | ---------------------------------------- | ---------------------------------------------------------- |
| **Palo Alto Networks** | Health checks fail with default settings | Change health check type to _Request_; disable anti-replay |
| **Cisco Meraki**       | Cannot disable anti-replay               | Enable replay protection in Cloudflare dashboard           |
| **AWS VPN Gateway**    | Cannot disable anti-replay               | Enable replay protection in Cloudflare dashboard           |
| **VeloCloud**          | Cannot disable anti-replay               | Enable replay protection in Cloudflare dashboard           |
| **Check Point**        | Out-of-state packet drops                | Change health check type to _Request_                      |

---

## Gather information for support

If you have worked through this guide and still experience tunnel health issues, gather the following information before contacting Cloudflare support:

### Required information

1. **Account ID** and **Tunnel name(s)** affected
2. **Timestamps** (in UTC) when the issue occurred
3. **Tunnel configuration details:**  
   * Tunnel type (GRE or IPsec)  
   * Health check type (Request or Reply)  
   * Health check direction (Bidirectional or Unidirectional)  
   * Health check rate (Low, Medium, or High)
4. **Router information:**  
   * Vendor and model  
   * Firmware/software version  
   * IPsec configuration (sanitized to remove PSK)
5. **Symptoms observed:**  
   * Dashboard tunnel health status  
   * Whether user traffic is affected  
   * Error messages from router logs

### Helpful diagnostic data

* **Packet captures** from your router showing tunnel traffic
* **Router logs** covering the time period of the issue
* **Traceroute** results from your network to Cloudflare endpoints
* **Screenshots** of the tunnel health dashboard
* **Distributed traceroutes** using tools like [ping.pe ↗](https://ping.pe) to test reachability from multiple global locations

### Router diagnostic commands

Collect output from these commands (syntax varies by vendor):

* IPsec SA status: `show crypto ipsec sa`
* IKE SA status: `show crypto isakmp sa`
* Tunnel interface status: `show interface tunnel <number>`
* Routing table: `show ip route`
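Item 4 above asks for the IPsec configuration with the pre-shared key removed. Rather than trusting a visual scan of a long `show running-config`, redact it mechanically and check that something was actually replaced. The following script is an added example for this guide, not Cloudflare tooling: it redacts the secret token that follows common PSK and password keywords and counts what it replaced, so a count of zero on a configuration you know contains a PSK tells you a keyword pattern is missing for your vendor. The keyword forms (Cisco IOS-style `crypto isakmp key` and `pre-shared-key`, strongSwan-style `: PSK`, and a generic `psk`/`secret`/`password` fallback) and the sample configuration are the author's assumptions and constructed input, not taken from this page; verify them against your device's syntax.

```python
"""Redact IPsec pre-shared keys and similar secrets from router configuration output
before attaching it to a support ticket (item 4 above asks for the IPsec
configuration "sanitized to remove PSK").

Added example for this guide, not a Cloudflare tool. The patterns reflect common
Cisco IOS-style, Juniper-style and strongSwan-style keywords as this author
understands them: verify them against your vendor's syntax and read the output
before sending it. Over-redaction is harmless here; a missed key is not. The
sample configuration is constructed and mixes two vendors' formats on purpose.
"""
import re

REDACTED = "<REDACTED>"
# The secret token: a quoted string or a run of non-space characters, ending at ';',
# whitespace or end of line.
_SECRET = r'(?P<secret>"[^"]*"|\S+?)(?=[;\s]|$)'

SECRET_PATTERNS = [
    # Cisco IOS IKEv1: crypto isakmp key [0|6] <KEY> address <peer>
    re.compile(r"(?P<prefix>\bcrypto isakmp key\s+(?:[06]\s+)?)" + _SECRET, re.I),
    # Cisco IKEv2 keyring / Juniper: pre-shared-key [local|remote|ascii-text|hexadecimal] [0|6] <KEY>
    re.compile(r"(?P<prefix>\bpre-shared-key(?:\s+(?:local|remote|ascii-text|hexadecimal))?"
               r"(?:\s+[06])?\s+)" + _SECRET, re.I),
    # strongSwan ipsec.secrets: <id> <id> : PSK "<KEY>"
    re.compile(r"(?P<prefix>:\s*(?:PSK|RSA|EAP)\s+)" + _SECRET, re.I),
    # Generic fallback: psk = <KEY>, secret <KEY>, enable secret 5 <HASH>, password 7 <HASH>
    re.compile(r"(?P<prefix>\b(?:psk|secret|password)\s*[=:]?\s+(?:\d\s+)?)" + _SECRET, re.I),
]


def redact_secrets(config: str) -> tuple:
    """Return (redacted_config, secrets_replaced). Peer addresses and structure are kept,
    and running it again over its own output changes nothing (count 0)."""
    count = 0

    def replace(m):
        nonlocal count
        if m.group("secret") != REDACTED:    # already-redacted tokens are left alone, uncounted
            count += 1
        return m.group("prefix") + REDACTED

    out = []
    for line in config.splitlines():
        for pattern in SECRET_PATTERNS:
            line = pattern.sub(replace, line)
        out.append(line)
    return "\n".join(out), count


# Constructed sample: Cisco-style snippets followed by a strongSwan ipsec.secrets line.
SAMPLE_CONFIG = """\
crypto isakmp key 0 Sup3rS3cretPSK address 203.0.113.10
crypto ikev2 keyring CF-KEYRING
 peer cloudflare
  address 203.0.113.10
  pre-shared-key local Sup3rS3cretPSK
  pre-shared-key remote 0 An0therPSK
enable secret 5 $1$abcd$Fak3HashValue
interface Tunnel100
 tunnel destination 203.0.113.10
203.0.113.10 %any : PSK "Sup3rS3cretPSK"
"""

if __name__ == "__main__":
    text, n = redact_secrets(SAMPLE_CONFIG)
    print(text)
    print(f"# {n} secret(s) redacted")
```

Feed it the saved output of your router's configuration dump and attach only the redacted text. The peer addresses, tunnel interfaces and keyring structure survive, which is what support needs; the count lets you confirm that every PSK you know about was caught before the file leaves your network.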

---

## Resources

* [Tunnel health checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/): Technical details on health check behavior
* [Anti-replay protection](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/anti-replay-protection/): Why anti-replay must be disabled
* [Configure tunnel endpoints](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/how-to/configure-tunnel-endpoints/): Tunnel setup instructions
* [Check tunnel health in the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/check-tunnel-health-dashboard/): Dashboard navigation guide
* [Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/): Traffic analysis tools

---

## More WAN resources

For more information, refer to the full Cloudflare WAN documentation.

[ Full tunnel health guide ❯ ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/troubleshooting/tunnel-health/) 


---

---
title: Cloudflare One Client
description: Cloudflare One Client for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloudflare One Client

This guide helps you diagnose and resolve common issues with the Cloudflare One Client (formerly WARP). It covers how to troubleshoot the Cloudflare One Client on desktop operating systems, including Windows, macOS, and Linux.

1. **Before you start**: [Prerequisites](#prerequisites), permissions, [version control](#check-your-client-version), and client basics.
2. **Collect logs**: Through the [Cloudflare dashboard](#option-a-collect-logs-via-the-cloudflare-dashboard) (with DEX remote capture) or the [`warp-diag` command-line tool](#option-b-collect-logs-via-the-cli).
3. **Review logs**: [Status](#check-client-status), [settings](#check-client-settings), [profile ID](#profile-id), [split tunnel](#exclude-mode-with-hostsips) configuration, and other settings.
4. **Fix common misconfigurations**: [Profile mismatch](#wrong-profile-id), [split tunnel issues](#wrong-split-tunnel-configuration), [managed network issues](#review-your-managed-network-settings), [user group mismatch](#check-a-users-group-membership).
5. **File a support ticket**: [How to file a ticket](#5-file-a-support-ticket) after you have exhausted your troubleshooting options.

AI-assisted troubleshooting

Cloudflare One includes two free AI helpers to speed up Cloudflare One Client investigations:

[**Diagnostics Analyzer**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#diagnostics-analyzer-beta): uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps. This analyzer is available for logs collected via the dashboard.

[**DEX MCP server**](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/): an AI tool that lets you ask a question like, "Show me the connectivity and performance metrics for the device used by carly@acme.com", and receive an answer built from DEX API data.

## 1\. Before you start

### Prerequisites

* You must have completed the [Zero Trust onboarding flow](https://developers.cloudflare.com/cloudflare-one/setup/) with a Zero Trust organization created.
* You must have the Cloudflare One Client installed on an end user device.
* You must have a [role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/) that gives admin permission to access logs on the Cloudflare dashboard.

### Check your client version

Many troubleshooting issues are caused by outdated client versions. For the best performance and compatibility, administrators should check for new releases and [update the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) before attempting to troubleshoot other issues.

After updating the Cloudflare One Client, monitor the issue to see if it recurs. If the issue persists, continue with the troubleshooting guide.

#### Via the device

Version 2026.2 and later:

1. Open the Cloudflare One Client on your desktop.
2. Select **About**.
3. Compare your device's version with the [latest version](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

Version 2026.1 and earlier:

1. Open the Cloudflare One Client on the desktop.
2. Select the gear icon.
3. Select **About WARP**.
4. Compare your device's version with the [latest version of the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

#### Via the Cloudflare dashboard

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Team & Resources** \> **Devices** \> **Your devices**.
2. Select the device you want to investigate.
3. Find the device's client version under **Client version** in the side menu.
4. Compare your device's version with the [latest version of the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

### Client basics

Understand the Cloudflare One Client's architecture, installation paths, and modes to help you diagnose issues with greater accuracy.

Video chapters: Introduction and WARP GUI Basics; Consumer vs. Corporate WARP; Device Profiles Explained; WARP Operating Modes; Split Tunneling; Conclusion.

#### Client architecture

The Cloudflare One Client consists of:

* **Graphical User Interface (GUI)**: Control panel that allows end users to view the client's [status](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/connectivity-status/) and perform actions such as turning the Cloudflare One Client on or off.
* **WARP daemon (or service)**: Core background component responsible for establishing secure tunnels (using WireGuard or MASQUE) and handling all client functionality on your device.

Refer to [client architecture](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/) for more information on how the Cloudflare One Client interacts with a device's operating system to route traffic.

#### Client installation details

The GUI and daemon (or service) have different names and are stored in the following locations:

| Windows              |                                                                     |
| -------------------- | ------------------------------------------------------------------- |
| **Service / Daemon** | C:\\Program Files\\Cloudflare\\Cloudflare WARP\\warp-svc.exe        |
| **GUI application**  | C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe |
| **Daemon logs**      | C:\\ProgramData\\Cloudflare\\                                       |
| **GUI logs**         | C:\\Users\\<USER>.WARP\\AppData\\Local or %LOCALAPPDATA%\\Cloudflare |

| macOS                |                                                                     |
| -------------------- | ------------------------------------------------------------------- |
| **Service / Daemon** | /Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP |
| **GUI application**  | /Applications/Cloudflare WARP.app/Contents/MacOS/Cloudflare WARP    |
| **Daemon logs**      | /Library/Application Support/Cloudflare/                            |
| **GUI logs**         | ~/Library/Logs/Cloudflare/                                          |

| Linux                |                                                      |
| -------------------- | ---------------------------------------------------- |
| **Service / Daemon** | /bin/warp-svc                                        |
| **GUI application**  | /bin/warp-taskbar                                    |
| **Logs Location**    | /var/log/cloudflare-warp/ and /var/lib/cloudflare-warp |

Along with the Cloudflare One Client GUI and daemon, `warp-cli` and `warp-diag` are also [installed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) on the machine and added to the system path for use from any terminal session.

[warp-diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/) is a command-line diagnostics tool that collects logs, configuration details, and connectivity data from the Cloudflare One Client to help troubleshoot issues.

`warp-cli` is the command-line interface (CLI) for managing and configuring the Cloudflare One Client, allowing users to connect, disconnect, and adjust settings programmatically.

#### Client modes

The Cloudflare One Client operates in several modes, and each mode enables a different set of Zero Trust filtering features:

| Client mode                                                                                                                                                                           | DNS Filtering | Network Filtering | HTTP Filtering | Service mode (displayed in warp-cli settings) |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------- | -------------- | --------------------------------------------- |
| [**Traffic and DNS mode (default)**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) | ✅             | ✅                 | ✅              | WarpWithDnsOverHttps                          |
| [**DNS only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode)                                 | ✅             | ❌                 | ❌              | DnsOverHttps                                  |
| [**Traffic only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-only-mode)                         | ❌             | ✅                 | ✅              | TunnelOnly                                    |
| [**Local proxy mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode)                           | ❌             | ❌                 | ✅              | WarpProxy                                     |
| [**Posture only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#posture-only-mode)                         | ❌             | ❌                 | ❌              | PostureOnly                                   |

## 2\. Collect diagnostic logs

You can collect diagnostic logs in two ways: the [Cloudflare dashboard](#option-a-collect-logs-via-the-cloudflare-dashboard) or the [warp-diag](#option-b-collect-logs-via-the-cli) command-line interface (CLI).

### Option A: Collect logs via the Cloudflare dashboard

Collect client diagnostic logs remotely from the Cloudflare dashboard by using Digital Experience Monitoring's (DEX) remote captures.

Best practice

To troubleshoot effectively, Cloudflare recommends reproducing the issue and noting your timestamps immediately before collecting logs. Though recreating the issue may not be possible in all cases, reproducing the issue right before diagnostic log collection or during the window that a packet capture (PCAP) is running will help you troubleshoot with greater visibility.

Refer to [diagnostic log retention window](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#log-retention-window) to learn more.

#### Start a remote capture

Devices must be actively connected to the Internet for remote captures to run.

To capture data from a remote device:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**.
2. Select up to 10 devices that you want to run a capture on. Devices must be [registered](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) in your Zero Trust organization.
3. Configure the types of captures to run.  
   * **Packet captures (PCAP)**: Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel ([virtual interface](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#ip-traffic)).  
   * **Device diagnostic logs**: Generates a [Cloudflare One Client diagnostic log](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) of the past 96 hours. To include a routing test for all IPs and domains in your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/), select **Test all routes**.  
   Note  
   **Test all routes** will extend the time for diagnostics to run and may temporarily impact device performance during the test.  
   You must select **Device diagnostic logs**. You can also run a PCAP and reproduce the issue while it is running for additional network-level insight, but this guide covers only the client diagnostic logs. If you do not run a PCAP, reproduce the issue immediately before running diagnostics.
4. Select **Run diagnostics**.

DEX will now send capture requests to the configured devices. If the Cloudflare One Client is disconnected, the capture will time out after 10 minutes.

#### Check remote capture status

To view a list of captures, go to **Insights** \> **Digital experience** \> **Diagnostics**. The **Status** column displays one of the following options:

* **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#download-remote-captures) to determine which PCAPs succeeded or failed.
* **Running**: The capture is in progress on the device.
* **Pending Upload**: The capture is complete but not yet ready for download.
* **Failed**: The capture has either timed out or encountered an error. To retry the capture, check the Cloudflare One Client version and [connectivity status](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status), then start a [new capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#start-a-remote-capture).

#### Download remote captures

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**.
2. Find a successful capture.
3. Select the three-dot menu and select **Download**.

This will download a ZIP file to your local machine called `<capture-id>.zip`. DEX will store capture data according to our [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention).

After you have your diagnostic files, go to [Review key files](#3-review-key-files) to continue troubleshooting.

AI-assisted troubleshooting

The [diagnostics analyzer](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#diagnostics-analyzer-beta) uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary.

After you run a [DEX remote capture](#option-a-collect-logs-via-the-cloudflare-dashboard) for client diagnostics:

1. Go to **Insights** \> **Digital experience** and select the **Diagnostics** tab.
2. Find your capture in the list of captures.
3. Select the three-dot icon next to **Status**, then select **View Device Diag** to generate an AI summary.

This analyzer is available for logs collected via the dashboard.

### Option B: Collect logs via the CLI

Collect client diagnostic logs on your desktop using the `warp-diag` CLI.

To collect client logs on desktop devices:

macOS:

1. Open a Terminal window.
2. Run the `warp-diag` tool:
   ```
   warp-diag
   ```

This will place a `warp-debugging-info-<date>-<time>.zip` on your desktop.

Windows:

1. Open a Command Prompt or PowerShell window.
2. Run the `warp-diag` tool:
   ```
   C:\Users\JohnDoe>warp-diag
   ```

This will place a `warp-debugging-info-<date>-<time>.zip` on your desktop.

Linux:

1. Open a Terminal window.
2. Run the `warp-diag` tool:
   ```
   warp-diag
   ```

This will place a `warp-debugging-info-<date>-<time>.zip` in the folder you ran the command from.

Best practice

To troubleshoot effectively, Cloudflare recommends that you recreate the steps that cause the issue before running `warp-diag` and keep timestamps of your steps for review within the logs.

After you have your diagnostic files, go to [Review key files](#3-review-key-files) to continue troubleshooting.

## 3\. Review key files

Client diagnostic logs capture the final Cloudflare One Client configuration and status on a device after all MDM policies and other software settings have been applied. Reviewing these logs can help you identify misconfigurations or unexpected behavior.

Video chapters: Introduction; What are warp-diag files?; How to download and navigate warp-diag files; warp-status.txt; warp-settings.txt; daemon.log; Additional tips; Conclusion.

### Check client status

Open the `warp-status.txt` file to review the status of the Cloudflare One Client connection at the time `warp-diag` was run. A connected Cloudflare One Client will appear as:

```
Ok(Connected)
```

If the Cloudflare One Client is experiencing issues, the error will display in the Cloudflare One Client GUI on the device. Use the [Client errors](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/client-errors/) documentation to identify your error, its cause, and the solution.

### Check client settings

After you have checked client status, review the Cloudflare One Client's settings on the device to check if the expected configuration has been applied. Open the `warp-settings.txt` file to review the Cloudflare One Client settings. You will check the device's applied device profile and split tunnel configuration.

#### Example `warp-settings.txt` file

Find the client diagnostic logs on your desktop, and open the `warp-settings.txt` file. Review the following example `warp-settings.txt` file and the descriptions of its content below.

```
Merged configuration:
(derived)   Always On: true
(network policy)    Switch Locked: false # If true, the user cannot turn off the WARP toggle and disconnect the client
(network policy)    Mode: WarpWithDnsOverHttps # The device's client mode; WarpWithDnsOverHttps is Traffic and DNS mode (Gateway with WARP)
(network policy)    WARP tunnel protocol: WireGuard
(default)   Disabled for Wifi: false
(default)   Disabled for Ethernet: false
(reg defaults)  Resolve via: 1xx0x1011xx000000000f0x00000x11.cloudflare-gateway.com @ [1xx.1xx.1x.1, 1x01:1x00:1x00::1xx1] # The SNI Cloudflare will use and the IP addresses for DNS-over-HTTPS (DoH) requests
(user set)  qlog logging: Enabled
(default)   Onboarding: true # If true, the user sees an onboarding prompt when they first install the client
(network policy)    Exclude mode, with hosts/ips: # Split tunnel configuration
  1xx.1xx.1xx.1xx/25 (zoom)
...
  cname.user.net
(network policy)    Fallback domains: # Local domain fallback configuration
  intranet
...
  test
(not set)   Daemon Teams Auth: false
(network policy)    Disable Auto Fallback: false
(network policy)    Captive Portal: 180
(network policy)    Support URL: my-organizations-support-portal.com # Your organization's support portal or IT help desk
(user set)  Organization: Organization-Name
(network policy)    Allow Mode Switch: true # The user is allowed to switch between client modes
(network policy)    Allow Updates: false # The client will not perform update checks
(network policy)    Allowed to Leave Org: true
(api defaults)  Known apple connectivity check IPs: xx.xxx.0.0/16;
(network policy)    LAN Access Settings: Allowed until reconnect on a /24 subnet # The largest local subnet that is excluded from the tunnel when the user selects Access LAN
(network policy)    Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11
```

Quick debugging

The command `warp-cli settings` in a terminal will generate the same information that is present in the `warp-settings.txt` file.

#### Contents of `warp-settings.txt` file

Review the meanings of the fields in `warp-settings.txt` that are relevant to troubleshooting.

##### Always On

Refers to the current state of the connection toggle in the GUI. In the example file, the toggle is switched on.

```
Always On: true
```

##### Switch Locked

Refers to the [Lock device client switch](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-device-client-switch) setting, which controls whether the user can use the client's connection toggle to disconnect. In the example file, the value is `false`, meaning the user is able to connect or disconnect at their discretion.

```
Switch Locked: false
```

When **Lock device client switch** is enabled (`true`), users will need an [admin override code](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) to temporarily disconnect the Cloudflare One Client on their device.

##### Mode

Refers to the [client mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) the device is using. In the example file, the client mode is `WarpWithDnsOverHttps` which is Traffic and DNS mode. Refer to the [client modes comparison matrix](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) to match your `warp-settings.txt` file's value with the mode name.

```
Mode: WarpWithDnsOverHttps
```

##### Exclude mode, with hosts/ips

Refers to your [split tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) settings. In the example file, the Cloudflare One Client is running in Exclude mode, meaning all traffic except traffic destined for these hosts and IPs is sent through the WARP tunnel. The host `cname.user.net` and the IP range `1xx.1xx.1xx.1xx/25` are both excluded from the WARP tunnel.

```
Exclude mode, with hosts/ips:
  1xx.1xx.1xx.1xx/25 (zoom)
...
  cname.user.net
```

Exclude mode versus Include mode

`Exclude mode` means all traffic will be sent through the WARP tunnel except for the IPs and domains you specify.

`Include mode` means only traffic destined to the IPs or domains you specify will be sent through the WARP tunnel.

##### Fallback domains

Refers to your [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) settings. In the example file, the Cloudflare One Client lists `intranet` as a domain that will not be sent to Gateway for processing and will instead be sent directly to the configured fallback servers.

```
(network policy)    Fallback domains:
  intranet
...
```

##### Allow Mode Switch

Refers to the [Mode switch](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#mode-switch) setting. In the example file, the mode switch is enabled (`true`), which means the user can switch between [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) and [DNS only mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode).

```
Allow Mode Switch: true
```

##### Allow Updates

Refers to the [Allow updates](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-updates) setting. In the example file, the allow updates setting is set to `false` meaning that the user will not receive update notifications when a new version of the Cloudflare One Client is available and cannot update the client without administrator approval.

```
Allow Updates: false
```

##### Allowed to Leave Org

Refers to the [Allow device to leave organization](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-device-to-leave-organization) setting. In the example file, the value is set to `true` meaning the user can log out from your Zero Trust organization.

```
Allowed to Leave Org: true
```

##### LAN Access Settings

Refers to the [Allow users to enable local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) setting. When enabled, it allows users to temporarily access local devices (like printers) by excluding the detected local subnet from the WARP tunnel. This example indicates access is allowed until the next client reconnection, and only for subnets up to `/24`.

```
LAN Access Settings: Allowed until reconnect on a /24 subnet
```

##### Profile ID

Refers to the [Device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) a device is using. In this example, the ID is `000000x1-00x1-1xx0-1xx1-11101x1axx11`.

```
Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11
```

## 4\. Fix common misconfigurations

To verify that the Cloudflare One Client is configured and working properly, review the following:

1. Is the [wrong profile ID](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#wrong-profile-id) applied to the device?
2. Is the [wrong split tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#wrong-split-tunnel-configuration) active on the device?

### Wrong profile ID

A profile ID is a unique identifier assigned to each [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) in the Cloudflare dashboard, used to determine which configuration settings apply to a device.

#### Check the applied device profile

To check that the applied device profile is the intended device profile:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Devices** \> **Device profiles** \> **General profiles**.
2. Find and select the device profile intended for the device.
3. Under **Profile details**, compare the displayed **Profile ID** with the `Profile ID` in the `warp-settings.txt` file.

If your organization has multiple device profiles defined in the Cloudflare dashboard, a device may be matched to an unexpected profile because:

* The way [profile precedence](#review-profile-precedence) is configured.
* [Managed network](#review-your-managed-network-settings) issues (if you are using a managed network).
* A user group [mismatch](#check-a-users-group-membership).
* A lack of [precise match rules](#edit-your-device-profile-match-rules).

#### Review profile precedence

The Cloudflare One Client evaluates device profiles dynamically based on a hierarchy. When a device connects, the client checks the profiles from top to bottom as they appear in the dashboard. The client follows the first match principle — once a device matches a profile, the client stops evaluating and no subsequent profiles can override the decision.

The **Default** profile is always at the bottom of the list. It will only be applied if the device does not meet the criteria of any profile listed above it. If you make another custom profile the default, all settings will be copied over into the **Default** profile.

Administrators can create multiple profiles to apply different settings based on specific criteria such as user identity, location, or operating system. Understanding this top-to-bottom evaluation order is crucial for ensuring that the correct policies are applied to devices.

Warning

Avoid [reordering profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/#order-of-precedence) unless you are confident it will not affect other users.
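The first-match evaluation described above is easy to get wrong when a broad profile sits above a narrower one: the narrower profile never wins, so the devices it was meant for silently fall into the broader profile. The following Python is an added illustration of that evaluation order and a way to spot shadowed profiles; it is not Cloudflare's implementation, and the selector names (`os`, `user_group`, `managed_network`), the profile list and the sample devices are constructed for the example.

```python
"""First-match evaluation of device profiles (added illustration, not Cloudflare code).

Profiles are checked top to bottom; the first rule that matches a device wins and
nothing below it is considered. The Default profile is always last and always matches.
"""
from typing import Callable, Dict, List, Tuple

Device = Dict[str, str]
Rule = Callable[[Device], bool]
Profile = Tuple[str, Rule]


def match_profile(profiles: List[Profile], device: Device) -> str:
    """Return the name of the first profile whose rule matches the device."""
    for name, rule in profiles:
        if rule(device):
            return name
    raise ValueError("profile list must end with a catch-all Default profile")


def shadowed_profiles(profiles: List[Profile], devices: List[Device]) -> List[str]:
    """Profiles that never win for any of the given devices.

    A profile that should apply to at least one of the devices but appears here is
    usually shadowed by a broader profile listed above it.
    """
    winners = {match_profile(profiles, d) for d in devices}
    return [name for name, _ in profiles if name not in winners]


# Constructed profile order (assumed selector names, not Cloudflare's schema).
PROFILES: List[Profile] = [
    ("Windows laptops", lambda d: d.get("os") == "windows"),
    ("Windows in HQ", lambda d: d.get("os") == "windows" and d.get("managed_network") == "hq"),
    ("Contractors", lambda d: d.get("user_group") == "contractors"),
    ("Default", lambda d: True),
]

# Same profiles with the narrower Windows profile moved above the broad one.
REORDERED: List[Profile] = [PROFILES[1], PROFILES[0]] + PROFILES[2:]

# Constructed sample devices.
DEVICES: List[Device] = [
    {"os": "windows", "managed_network": "hq", "user_group": "employees"},
    {"os": "windows", "managed_network": "", "user_group": "contractors"},
    {"os": "macos", "managed_network": "hq", "user_group": "contractors"},
    {"os": "linux", "managed_network": "", "user_group": "employees"},
]

if __name__ == "__main__":
    for label, order in (("as listed", PROFILES), ("reordered", REORDERED)):
        print(f"{label}: shadowed = {shadowed_profiles(order, DEVICES)}")
        for dev in DEVICES:
            print(f"  {dev} -> {match_profile(order, dev)}")
```

With the profiles as listed, a Windows device on the HQ managed network matches "Windows laptops" first and "Windows in HQ" is reported as shadowed; moving the narrower profile above the broader one is what makes it reachable, which is why the order of precedence matters more than the rules themselves.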

#### Review your managed network settings

A [managed network](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) is a network location that you define with a TLS endpoint, like a physical office. The Cloudflare One Client checks for this TLS endpoint to determine its location and apply the corresponding device profile.

If the managed network is misconfigured or the TLS endpoint is unreachable, the device may fall back to an unintended profile.

When troubleshooting the Cloudflare One Client for managed network issues:

1. Verify the endpoint is reachable.

   The Cloudflare One Client connects to the TLS endpoint to identify the network. If the endpoint is down or unreachable, the Cloudflare One Client will fail to detect the network and apply the wrong profile.

   To test connectivity and obtain the SHA-256 fingerprint of a remote server:

   ```sh
   openssl s_client -connect <private-server-IP>:443 < /dev/null 2> /dev/null | openssl x509 -noout -fingerprint -sha256 | tr -d :
   ```

   The output will look something like:

   ```
   SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662
   ```

   If the endpoint is down, you will receive a `Could not find certificate from <stdin>` response.

   If you received a returned SHA-256 fingerprint:

   1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Team & Resources** \> **Devices** \> **Device profiles**.
   2. Go to **Managed networks** \> **Edit**.
   3. Compare the TLS Cert SHA-256 in the dashboard with the returned fingerprint in your terminal to ensure they match.

2. Use a single profile for a single location.

   To simplify management and prevent errors, avoid creating multiple managed network profiles for the same location. For example, if you have multiple TLS endpoints in one office, link them all to a single device profile. This reduces the risk of a device matching an unintended profile due to a configuration error.
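The value the `openssl` pipeline prints is the SHA-256 digest of the endpoint's DER-encoded leaf certificate, and the dashboard may show the same digest with or without colon separators or in lower case. The following Python is an added example, not Cloudflare tooling, that performs the same check in one step: it fetches the certificate the endpoint presents, computes the fingerprint, normalises both values before comparing, and reports the unreachable-endpoint case separately because that is the case in which the client cannot detect the managed network at all. The host, port and dashboard value are taken from the command line and are assumptions of the example.

```python
"""Compare a managed-network TLS endpoint's certificate fingerprint with the dashboard value.

Added example, not Cloudflare's code. Mirrors what
`openssl s_client ... | openssl x509 -noout -fingerprint -sha256` reports.
"""
import hashlib
import socket
import ssl
import sys
from typing import Optional, Tuple


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate as upper-case hex without colons."""
    return hashlib.sha256(der).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA256 Fingerprint=AA:BB:...', 'aa:bb:...' or 'AABB...' and return AABB... form."""
    value = text.split("=", 1)[1] if "=" in text else text
    value = value.strip().replace(":", "").upper()
    if len(value) != 64 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError(f"not a SHA-256 fingerprint: {text!r}")
    return value


def fetch_leaf_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Open a TLS connection and return the fingerprint of the leaf certificate presented.

    Returns None when the endpoint is unreachable or presents no certificate, the
    equivalent of openssl's 'Could not find certificate from <stdin>'. Chain
    verification is disabled on purpose: managed-network endpoints commonly use
    self-signed certificates and only the fingerprint is of interest here. No SNI is
    sent, matching the openssl command above, which does not pass -servername.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None
    return fingerprint_of_der(der) if der else None


def endpoint_matches(dashboard_value: str, observed: Optional[str]) -> Tuple[bool, str]:
    """Compare the dashboard's TLS Cert SHA-256 with what the endpoint presented."""
    if observed is None:
        return False, ("endpoint unreachable or no certificate presented; "
                       "the client will not detect this managed network")
    expected = normalize_fingerprint(dashboard_value)
    if expected == observed:
        return True, "fingerprint matches the dashboard value"
    return False, (f"mismatch: dashboard has {expected}, endpoint presents {observed}; "
                   "update the managed network entry or the endpoint certificate")


if __name__ == "__main__":
    # Usage: <script> <private-server-IP-or-host> <dashboard TLS Cert SHA-256> [port]
    host, dashboard_value = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    ok, detail = endpoint_matches(dashboard_value, fetch_leaf_fingerprint(host, port))
    print(("OK" if ok else "FAIL") + ": " + detail)
```

Run it with the endpoint address and the value copied from **Managed networks** \> **Edit**; a `FAIL` that mentions an unreachable endpoint points at connectivity, while a `FAIL` that shows two different digests means the certificate on the endpoint has changed since the managed network was defined.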

#### Check a user's group membership

If a user is having issues with a device profile, it may be because they are not part of the correct user group. This can happen when an organization is not using SCIM for automatic identity provider (IdP) updates.

To check that the user belongs to the intended group:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Team & Resources** \> **Devices** \> **Your devices**.
2. Select the user.
3. Under **User Registry Identity**, select the user's name.
4. The **Get-identity endpoint** lists all the groups the user belongs to.

If the user was recently added to a group, they will need to update their group membership with Cloudflare Zero Trust. This can be accomplished by logging into the reauthenticate endpoint.

To manually refresh your Cloudflare Access session and update your group information from your identity provider (IdP), go to the following URL in your browser and fill in your [team name](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name):

`https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/refresh-identity`

Reauthenticating resets your [session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) and fetches the latest group information from the organization's IdP.

#### Edit your device profile match rules

To modify the match rules of a device profile, you will need to edit the device profile. To edit the device profile:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Devices** \> **Device profiles** \> **General profiles**.
2. Locate the [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) you would like to update and select **Configure**.
3. Use [selectors](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/#selectors) to add or adjust match rules, and modify [device client settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-settings) for this profile as needed.

   Note

   Changing any of the settings below will cause the client connection to restart. The user may experience a brief period of connectivity loss while the new settings are being applied.

   * [Service mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#service-mode)
   * [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#local-domain-fallback)
   * [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#split-tunnels)

4. Select **Save profile**.

It may take up to 10 minutes for newly updated settings to propagate to devices.

Note

Identity-based selectors are only available if the user [enrolled the device](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) by logging in to an identity provider (IdP).

### Wrong split tunnel configuration

Split Tunnels can be configured to exclude or include IP addresses or domains from going through the Cloudflare One Client (formerly WARP). This feature is commonly used to run the Cloudflare One Client alongside a VPN (in Exclude mode) or to provide access to a specific private network (in Include mode).

Warning

Split Tunnels only impacts the flow of IP traffic. DNS requests are still resolved by Gateway and subject to DNS policies unless you add the domains to your [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) configuration.

Because Split Tunnels controls what Gateway has visibility on at the network level, we recommend testing all changes before rolling out updates to end users.

A misconfigured [split tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) can cause connectivity issues.

For example, if you set your mode to Exclude IPs and domains and accidentally exclude an IP address needed by an application, that application may not work correctly. Similarly, in Include IPs and domains mode, forgetting to include a necessary IP or domain will cause traffic to bypass the Cloudflare One Client, and you will lose access to your Zero Trust security features.

#### 1\. Check the applied split tunnel configuration

After downloading the client diagnostic logs, review that your configuration is working as intended:

1. Open the `warp-settings.txt` file and find `Exclude mode, with hosts/ips:` or `Include mode, with hosts/ips:`.

   Exclude mode versus Include mode

   `Exclude mode` means all traffic will be sent through the WARP tunnel except for the IPs and domains you specify.

   `Include mode` means only traffic destined to the IPs or domains you specify will be sent through the WARP tunnel.

2. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Team & Resources** \> **Devices** \> **Device profiles** \> **General profiles**.
3. Find and select the device profile intended for the device.
4. Select **Edit**.
5. Find **Split Tunnels**, note the mode you have selected, and select **Manage**.
6. Cross-reference the IPs/hosts you have configured in the Cloudflare dashboard with the IPs/hosts listed in `warp-settings.txt`.

If your dashboard split tunnel configuration does not match your `warp-settings.txt` file configuration, you may need to force the Cloudflare One Client to [update its settings](#update-the-cloudflare-one-clients-settings).
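Cross-referencing a long list of IPs and hosts by eye is error-prone, and the failure modes described above (an excluded IP that an application needs, or a destination forgotten from an Include list) are easiest to catch by asking, for each destination that matters, whether it would actually traverse the WARP tunnel. The following Python is an added example, not Cloudflare's code: it parses the split tunnel block out of a `warp-settings.txt` fragment, diffs it against the dashboard's list, and evaluates individual destinations against the mode. It goes beyond the page's steps by handling both Exclude and Include mode in one function. The settings fragment and the dashboard list are constructed samples, and the file layout (the `<Mode> mode, with hosts/ips:` header followed by one indented entry per line) is an assumption inferred from the header text the guide quotes; adjust the parser if your file differs.

```python
"""Cross-check a split tunnel configuration against warp-settings.txt (added example).

Not Cloudflare's code. The sample below is constructed, and the assumed layout is a
'<Mode> mode, with hosts/ips:' header followed by one indented entry per line.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed warp-settings.txt fragment; a real file contains many more lines.
WARP_SETTINGS_SAMPLE = """\
Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11
Exclude mode, with hosts/ips:
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
  100.64.0.0/10
  *.example.internal
LAN Access Settings: Allowed until reconnect on a /24 subnet
"""

# Constructed dashboard state for the same profile (the wildcard host was removed there).
DASHBOARD_MODE = "Exclude"
DASHBOARD_ENTRIES = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"}


def parse_split_tunnel(settings_text: str) -> Tuple[Optional[str], Set[str]]:
    """Return (mode, entries) from warp-settings.txt text, or (None, set()) if absent."""
    mode: Optional[str] = None
    entries: Set[str] = set()
    in_block = False
    for raw in settings_text.splitlines():
        if not in_block:
            for candidate in ("Exclude", "Include"):
                if raw.startswith(f"{candidate} mode, with hosts/ips:"):
                    mode, in_block = candidate, True
            continue
        # Assumed layout: entries are indented; the block ends at the first non-indented line.
        if raw.startswith((" ", "\t")) and raw.strip():
            entries.add(raw.strip())
        else:
            break
    return mode, entries


def diff_against_dashboard(mode: Optional[str], entries: Set[str],
                           dash_mode: str, dash_entries: Set[str]) -> List[str]:
    """Differences that mean the client has not picked up the dashboard configuration."""
    findings: List[str] = []
    if mode != dash_mode:
        findings.append(f"mode mismatch: client={mode} dashboard={dash_mode}")
    findings += [f"in dashboard but not on client: {e}" for e in sorted(dash_entries - entries)]
    findings += [f"on client but not in dashboard: {e}" for e in sorted(entries - dash_entries)]
    return findings


def goes_through_tunnel(destination: str, mode: str, entries: Set[str]) -> bool:
    """Whether an IP destination traverses the WARP tunnel under the given configuration.

    Exclude mode: everything goes through the tunnel except listed entries.
    Include mode: only listed entries go through the tunnel.
    Hostname entries (for example *.example.internal) are skipped because they are
    resolved to IPs at runtime; only IP and CIDR entries are evaluated offline.
    """
    ip = ipaddress.ip_address(destination)
    listed = False
    for entry in entries:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname or wildcard entry, not evaluable here
        if ip in network:
            listed = True
            break
    return (not listed) if mode == "Exclude" else listed


def check_profile(settings_text: str, dash_mode: str, dash_entries: Set[str],
                  required_destinations: List[str]) -> List[str]:
    """Combine the dashboard diff with a check that required destinations use the tunnel."""
    mode, entries = parse_split_tunnel(settings_text)
    findings = diff_against_dashboard(mode, entries, dash_mode, dash_entries)
    if mode is not None:
        for dest in required_destinations:
            if not goes_through_tunnel(dest, mode, entries):
                findings.append(f"{dest} bypasses the tunnel in {mode} mode; Gateway will not see it")
    return findings


if __name__ == "__main__":
    # 10.20.30.40 stands in for an internal application that must reach Gateway.
    for line in check_profile(WARP_SETTINGS_SAMPLE, DASHBOARD_MODE, DASHBOARD_ENTRIES,
                              ["10.20.30.40", "203.0.113.7"]):
        print(line)
```

In the constructed sample the client still carries `*.example.internal` although the dashboard no longer lists it, which is exactly the kind of stale-settings situation that the reconnect or key-reset steps below resolve; the second finding shows a private application address that is excluded by the `10.0.0.0/8` entry and therefore never reaches Gateway, the Exclude-mode mistake described above.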

#### 2\. Update the Cloudflare One Client's settings

If the split tunnel configuration in `warp-settings.txt` does not match the dashboard, you can force the Cloudflare One Client to fetch the latest settings.

This can be done by instructing the end user to [disconnect and reconnect the client](#option-a-disconnect-and-reconnect-the-client), or [reset their encryption keys](#option-b-reset-the-encryption-keys).

Both methods update the client with the latest configuration.

**Option A: Disconnect and reconnect the client**

**Version 2026.2+**

1. On the end user device, open the Cloudflare One Client and select **Disconnect**.

   What if the end user cannot disconnect?

   If the end user does not see the [disconnect button](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-device-client-switch), they will need to enter an [admin override code](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes).

   [Resetting the encryption keys](#option-b-reset-the-encryption-keys) may be a faster solution.

2. Select **Connect**.

**Version 2026.1 and earlier**

1. On the end user device, open the Cloudflare One Client and disconnect.

   What if the end user cannot disconnect?

   If the end user's [connection toggle](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-device-client-switch) is locked, they will need an [admin override code](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) to be able to disconnect.

   [Resetting the encryption keys](#option-b-reset-the-encryption-keys) may be a faster solution.

2. Reconnect the Cloudflare One Client.

The client will fetch new settings when it reconnects.

**Option B: Reset the encryption keys**

To reset the encryption keys on an end user's desktop:

**Version 2026.2+**

1. Open the Cloudflare One Client on your device.
2. Go to **Connectivity** \> **Encryption keys**.
3. Select **Reset keys**.

**Version 2026.1 and earlier**

1. Open the Cloudflare One Client GUI on your device.
2. Select the gear icon \> **Preferences** \> **Connection**.
3. Select **Reset Encryption Keys**.

Resetting the encryption keys forces the client to reestablish its tunnel and retrieve the latest configuration.

## 5\. Get help

For the fastest possible troubleshooting, ensure your support ticket includes comprehensive details. The more context you provide, the faster your issue can be identified and resolved.

To ensure efficient resolution when [contacting support](https://developers.cloudflare.com/support/contacting-cloudflare-support/), include as much relevant detail as possible in your ticket:

* Context: Briefly describe the scenario or use case (for example, where the user was, what they were trying to do).
* Reproduction steps: Describe the steps you took to reproduce the issue during troubleshooting.
* Timestamps: Be specific and include the exact time and time zone when the issue occurred.
* Troubleshooting attempts: Outline any troubleshooting steps or changes already attempted to resolve the issue.
* Client diagnostics logs: Include the client diagnostics you downloaded from the dashboard or through the CLI.

Write a detailed ticket to resolve your issue faster

Avoid vague descriptions and include scenario, timestamps, and steps taken to troubleshoot the issue. Refer to the following example:

Karen was on a train on July 17, 2025, at approximately 1:00 PM Central Time. She attempted to connect to a captive portal but received the following error message in Chrome: `ERR_CONNECTION_RESET`. A warp diag was collected immediately after and is attached.

---

## More Cloudflare One Client resources

For more information, refer to the full Cloudflare One Client documentation.

[ Cloudflare One Client troubleshooting ❯ ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/) 


---

---
title: Glossary
description: Reference information for Glossary in Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---


# Glossary

Review definitions for Cloudflare One terms.

| Term                                  | Definition                                                                                                                                                                                                                                                                                                                                           |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| App Launcher                          | The App Launcher portal provides end users with a single dashboard to open applications secured by Cloudflare One.                                                                                                                                                                                                                                   |
| application                           | The resource protected by Cloudflare One, which can be a subdomain, a path, or a SaaS application.                                                                                                                                                                                                                                                   |
| application token                     | A piece of data that grants a user access to a specific Access application for a period of time. Can be stored in a browser cookie or passed to the application in place of a normal password.                                                                                                                                                       |
| captive portal                        | A login screen shown to users when they connect to a public Wi-Fi. Captive portals typically occur in places such as airports, cafes, and hotels.                                                                                                                                                                                                    |
| Cloudflare Access                     | Cloudflare Access replaces corporate VPNs with Cloudflare's network. It verifies attributes such as identity and device posture to grant users secure access to internal tools.                                                                                                                                                                      |
| Cloudflare Browser Isolation          | Cloudflare Browser Isolation seamlessly executes active webpage content in a secure isolated browser to protect users from zero-day attacks, malware, and phishing.                                                                                                                                                                                  |
| Cloudflare CASB                       | Cloudflare CASB provides comprehensive visibility and control over SaaS apps to prevent data leaks and compliance violations. It helps detect insider threats, shadow IT, risky data sharing, and bad actors.                                                                                                                                        |
| Cloudflare Data Loss Prevention (DLP) | Cloudflare [Data Loss Prevention](https://www.cloudflare.com/learning/access-management/what-is-dlp/) (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.                                                       |
| Cloudflare DEX                        | Cloudflare Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Zero Trust Organization.                                                                                                                                                                                            |
| Cloudflare Gateway                    | Cloudflare Gateway is a modern next-generation firewall between your user, device, or network and the public Internet. It includes DNS filtering to inspect and apply policies to all Internet-bound DNS queries.                                                                                                                                    |
| Cloudflare Mesh                       | Connects private networks, servers, and devices through Cloudflare for bidirectional, site-to-site, and mesh connectivity. Every participant receives a private Mesh IP address and can reach any other participant directly.                                                                                                                        |
| Cloudflare One                        | The name for Cloudflare's Secure Access Service Edge (SASE) platform, which includes Zero Trust and network services.                                                                                                                                                                                                                                |
| Cloudflare One Agent                  | The name of the Cloudflare One Client app on iOS and Android devices.                                                                                                                                                                                                                                                                                |
| Cloudflare One Client                 | An application that connects corporate devices to Cloudflare for private network access, advanced web filtering, and other security functions.                                                                                                                                                                                                       |
| Cloudflare Tunnel                     | Cloudflare Tunnel uses a software agent (cloudflared) to establish a secure connection between a private network and Cloudflare.                                                                                                                                                                                                                     |
| Cloudflare Zero Trust                 | Cloudflare Zero Trust provides the power of Cloudflare's global network to your internal teams and infrastructure. It empowers users with secure, fast, and seamless access to any device on the Internet.                                                                                                                                           |
| cloudflared                           | The software powering Cloudflare Tunnel. It runs on origin servers to connect applications or private networks to Cloudflare.                                                                                                                                                                                                                        |
| cloudflared replica                   | An additional instance of cloudflared that points to the same Cloudflare Tunnel. It ensures that your network remains online in case a single host running cloudflared goes down.                                                                                                                                                                    |
| daemon                                | A program that performs tasks without active management or maintenance.                                                                                                                                                                                                                                                                              |
| device posture                        | A way to evaluate the security of a user's device, for example by verifying its serial number or checking if it has the latest software updates.                                                                                                                                                                                                     |
| device profile                        | A collection of Cloudflare One Client settings applied to a specific set of devices in your organization.                                                                                                                                                                                                                                            |
| device registration                   | An individual session of the Cloudflare One Client on a physical device, with associated configuration including a unique public key, device profile, and virtual IP addresses (one IPv4 and one IPv6).                                                                                                                                              |
| DNS filtering                         | DNS filtering uses the Domain Name System to block malicious websites and filter out harmful content, enhancing security and access control.                                                                                                                                                                                                         |
| DNS location                          | DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers.                                                                                                                                                                                                                    |
| DoH subdomain                         | A unique DoH subdomain for each DNS location in Cloudflare One used in Cloudflare One Client settings.                                                                                                                                                                                                                                               |
| fleet                                 | A fleet is a collection of user devices. All devices in a fleet have the Cloudflare One Client installed and are connected to a [Zero Trust Organization](https://developers.cloudflare.com/cloudflare-one/setup/#create-a-zero-trust-organization).                                                                                                 |
| Hops                                  | Hops refer to the stops an email makes as it travels from the sender to the recipient.                                                                                                                                                                                                                                                               |
| identity provider                     | An identity provider (IdP) stores and manages users' digital identities, enabling single sign-on and authentication for multiple applications.                                                                                                                                                                                                       |
| initial resolved IP                   | A unique, ephemeral IP address that Gateway assigns to DNS queries when filtering network traffic by hostname. The IP is randomly selected from the 100.80.0.0/16 (IPv4) or 2606:4700:0cf1:4000::/64 (IPv6) range.                                                                                                                                   |
| JSON web token                        | A compact way to securely transmit information between parties as a JSON object, often used for authentication.                                                                                                                                                                                                                                      |
| locally-managed tunnel                | A Cloudflare Tunnel that was created by running `cloudflared tunnel create <NAME>` on the command line. Tunnel configuration is stored in your local cloudflared directory.                                                                                                                                                                          |
| managed network                       | A network location, such as an office, that is associated with a specific Cloudflare One Client device profile.                                                                                                                                                                                                                                      |
| MCP client                            | A Model Context Protocol (MCP) client is an AI program that can request information and receive responses from an MCP server. Examples of MCP clients include Claude Desktop, Cursor AI, and Windsurf.                                                                                                                                               |
| MCP server                            | A web application that allows AI agents to access third-party data sources and APIs using the Model Context Protocol (MCP). For example, you can use an MCP server to connect an AI assistant to your Google Drive account.                                                                                                                          |
| MCP server portal                     | A web application in Cloudflare One that serves as a gateway to multiple MCP servers.                                                                                                                                                                                                                                                                |
| MCP server tool                       | An integration provided by an MCP server which allows an AI agent to perform a limited set of actions on a third-party system.                                                                                                                                                                                                                       |
| MDM file                              | A Mobile Device Management (MDM) file is a configuration file that allows organizations to manage the software, settings, and certificates installed on their devices.                                                                                                                                                                               |
| Mesh IP                               | A private IP address assigned to each device and node enrolled in Cloudflare Mesh from the 100.96.0.0/12 CGNAT range. Mesh IPs are the same as Cloudflare One Client device IPs.                                                                                                                                                                     |
| MFA                                   | Multi-factor authentication (MFA) checks multiple aspects of a user's identity, not only their username and password, before allowing them access to an application.                                                                                                                                                                                 |
| OAuth                                 | A protocol for authorizing users, allowing them to perform actions and view data on different platforms without sharing credentials.                                                                                                                                                                                                                 |
| OIDC                                  | OpenID Connect (OIDC) is an identity authentication protocol built on top of OAuth 2.0. It is used to verify user identity and obtain basic profile information.                                                                                                                                                                                   |
| on-ramp                               | Refers to a way of connecting a business network to Cloudflare. Examples of on-ramps, or ways to connect to Cloudflare, are Anycast GRE tunnels, Anycast IPsec tunnels, Cloudflare Network Interconnect (CNI), Cloudflare Tunnel, and the Cloudflare One Client.                                                                                     |
| PAC file                              | A file containing a JavaScript function which can instruct a browser to forward traffic to a proxy server instead of directly to the destination server.                                                                                                                                                                                             |
| policy                                | A set of rules that regulate network activity, such as login access and website reachability.                                                                                                                                                                                                                                                        |
| Quarantine policies                   | Policies that block specific types of emails (usually malicious and suspicious emails), preventing emails from reaching the end-user or the next mail service provider. Emails that are quarantined are reviewed by administrators and potentially released if falsely flagged.                                                                      |
| RDP                                   | Remote Desktop Protocol (RDP) allows remote desktop connections to a computer, often used on Windows and Mac operating systems.                                                                                                                                                                                                                      |
| remotely-managed tunnel               | A Cloudflare Tunnel whose configuration is stored on Cloudflare rather than on your local machine. You can manage the tunnel in the dashboard or by using the API.                                                                                                                                                                                   |
| Rule group                            | A set of Access rules that can be configured once and then quickly applied across many Access policies.                                                                                                                                                                                                                                              |
| SafeSearch                            | SafeSearch is a feature of search engines that filters explicit or offensive content from search results.                                                                                                                                                                                                                                            |
| SAML                                  | Security Assertion Markup Language (SAML) enables single sign-on and authentication for multiple applications.                                                                                                                                                                                                                                       |
| SASE                                  | Secure Access Service Edge (SASE) is a cloud-based security model bundling networking and security functions.                                                                                                                                                                                                                                        |
| SCIM                                  | System for Cross-domain Identity Management (SCIM) is an open standard protocol that allows identity providers (such as Okta or Microsoft Entra ID) to synchronize user identity information with cloud applications and services.                                                                                                                   |
| seat                                  | A unique, billable user within your Zero Trust organization who has performed [an authentication event](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#authentication-events). Service tokens do not consume seats.                                                                                      |
| service provider (SP)                 | A service provider (SP) provides federated access to an application for a user from an identity provider (IdP).                                                                                                                                                                                                                                      |
| service token                         | Authentication credentials generated by Cloudflare Access which enable automated systems to access protected applications.                                                                                                                                                                                                                           |
| session                               | An event generated when a user logs in to an Access application.                                                                                                                                                                                                                                                                                     |
| shadow IT                             | Shadow IT is the unsanctioned use of software, hardware, or other systems and services within an organization, often without the knowledge of that organization's information technology (IT) department. For more information, refer to the [Cloudflare Learning Center](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/). |
| SMB                                   | Secure Messaging Block (SMB) is a network file sharing protocol used for accessing files and services on a network.                                                                                                                                                                                                                                  |
| SSH                                   | Secure Shell (SSH) protocol allows users to connect to infrastructure remotely and execute commands.                                                                                                                                                                                                                                                 |
| SSO                                   | Single Sign-On (SSO) is a technology that combines multiple application logins into one, requiring users to enter credentials only once.                                                                                                                                                                                                             |
| target                                | A resource with an IP address or hostname that is reachable by Cloudflare, such as a server or web application.                                                                                                                                                                                                                                      |
| target hostname                       | A label used to identify a set of targets in an Access for Infrastructure application.                                                                                                                                                                                                                                                               |
| team domain                           | A unique subdomain assigned to your Cloudflare account (for example, <your-team-name>.cloudflareaccess.com), where users will find the apps you have secured behind Cloudflare One.                                                                                                                                                                  |
| team name                             | The customizable portion of your team domain (<your-team-name>.cloudflareaccess.com). You can view your team name in Cloudflare One under **Settings**.                                                                                                                                                                                              |
| Terraform                             | An infrastructure as code software tool that allows you to deploy services from different providers using a standardized configuration syntax.                                                                                                                                                                                                       |
| tunnel                                | A secure pathway for network traffic to flow between a device and Cloudflare's global network.                                                                                                                                                                                                                                                       |
| User risk score                       | Ranks the likelihood of a user to introduce risk to your organization's systems and data based on the detection of security risk behaviors. Risk scores add user and entity behavior analytics (UEBA) to the Cloudflare One platform.                                                                                                                |
| User risk score level                 | Cloudflare One assigns a risk score of Low, Medium or High based on detections of users' activities, posture, and settings. A user's risk score is equal to the highest-level risk behavior they trigger.                                                                                                                                            |
| Virtual network                       | A software abstraction that allows you to logically segregate resources on a private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes.                                                                                                                                                        |
| Virtual Private Cloud (VPC)           | A secure, isolated private network hosted on public cloud infrastructure. Examples of public cloud providers include Google Cloud, AWS, and Microsoft Azure.                                                                                                                                                                                         |
| Virtual Private Network (VPN)         | A tool that allows users to send and receive data across shared or public networks as if their devices were directly connected to the private network. For example, employees working from home can use a VPN to access files on the corporate network.                                                                                              |
| WARP CGNAT IP                         | A unique, virtual IP address assigned to each Cloudflare One Client device from the 100.96.0.0/12 range.                                                                                                                                                                                                                                             |
| WARP client                           | The previous name for the Cloudflare One Client, an application that connects corporate devices to Cloudflare for private network access, advanced web filtering, and other security functions.                                                                                                                                                      |
| WARP Connector                        | The previous name for Cloudflare Mesh, a networking product that connects private networks, servers, and devices through Cloudflare for bidirectional, site-to-site, and mesh connectivity.                                                                                                                                                          |
| Zero Trust Security                   | Zero Trust Security is an IT security model that requires strict identity verification for every person and device accessing resources on a network.                                                                                                                                                                                                 |


---

---
title: Cloud and SaaS integrations
description: Cloud and SaaS integrations resources and guides for Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Cloud and SaaS integrations

You can integrate cloud environments and SaaS applications with [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/). Once you have added an integration, you can [view and manage findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/).

You can also configure [CASB webhooks](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/) to send posture finding instances to external systems.

The workflow pages for managing findings and webhooks appear first, followed by supported integrations and troubleshooting guides:

* [ Manage findings ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/findings/)
* [ Webhooks ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/)
* [ Anthropic ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/)
* [ Atlassian Confluence ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/atlassian-confluence/)
* [ Atlassian Jira ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/atlassian-jira/)
* [ Amazon Web Services (AWS) S3 ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/)
* [ Bitbucket Cloud ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/bitbucket-cloud/)
* [ Box ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/)
* [ Dropbox ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/dropbox/)
* [ Google Cloud Platform (GCP) Cloud Storage ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/gcp-cloud-storage/)
* [ GitHub ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/github/)
* [ Google Workspace ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/)  
   * [ Gmail ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gmail/)  
   * [ Google Admin ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-admin/)  
   * [ Google Calendar ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-calendar/)  
   * [ Google Drive ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive/)  
   * [ Gmail (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gmail-fedramp/)  
   * [ Google Admin (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-admin-fedramp/)  
   * [ Google Calendar (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-calendar-fedramp/)  
   * [ Google Drive (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive-fedramp/)  
   * [ Gemini for Google Workspace ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gemini/)
* [ Microsoft 365 ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/)  
   * [ Admin Center ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/admin-center/)  
   * [ OneDrive ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive/)  
   * [ Outlook ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/outlook/)  
   * [ SharePoint ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint/)  
   * [ Microsoft 365 Copilot ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot/)  
   * [ Admin Center (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/admin-center-fedramp/)  
   * [ OneDrive (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive-fedramp/)  
   * [ Outlook (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/outlook-fedramp/)  
   * [ SharePoint (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint-fedramp/)  
   * [ Microsoft 365 Copilot (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot-fedramp/)
* [ OpenAI ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/)
* [ Salesforce (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/salesforce-fedramp/)
* [ Salesforce ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/salesforce/)
* [ ServiceNow (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/servicenow-fedramp/)
* [ ServiceNow ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/servicenow/)
* [ Slack ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/slack/)
* [ Troubleshooting ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/)  
   * [ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/casb/)  
   * [ Troubleshoot integrations ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/troubleshoot-integrations/)  
   * [ Troubleshoot compute accounts ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/troubleshoot-compute-accounts/)


---

---
title: Anthropic
description: Reference information for Anthropic in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Anthropic

The Anthropic integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Anthropic account that could leave you and your organization vulnerable.

This integration covers the following Anthropic products:

* Claude Console (organizations, workspaces/projects, users, invites)
* Anthropic API Platform (organization and project API keys)

## Integration prerequisites

* An Anthropic [Team or Enterprise organization ↗](https://www.anthropic.com/pricing#team-&-enterprise)
* [Organization-level admin (or equivalent) privileges in Anthropic ↗](https://support.anthropic.com/articles/10186004-api-console-roles-and-permissions) to view organization metadata and manage API keys

## Integration permissions

For the Anthropic integration to function, Cloudflare CASB requires authorization via **API keys**:

* `Organization API key (organization-level)`: Grants read-only access to organization/workspace metadata, members and invites, and key metadata used for findings.
* (Optional) `Project API key (project-level)`: Grants read-only access to project metadata and keys when you include project scopes in the scan.

These credentials follow the principle of least privilege so that only the minimum required access is granted.

## Security findings

The Anthropic integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/anthropic.mdx.atom).

### API key hygiene

Detect API keys that may be unused or overdue for rotation.

| Finding type              | FindingTypeID                        | Severity |
| ------------------------- | ------------------------------------ | -------- |
| Anthropic: Unused API key | f343cd22-21f0-45a6-b6f7-39b1539a0f2b | Medium   |

### Access security

Flag organization access issues to help enforce best practices.

| Finding type                     | FindingTypeID                        | Severity |
| -------------------------------- | ------------------------------------ | -------- |
| Anthropic: High-privilege invite | a435d091-3bb1-42e1-bc98-32d80c6340a5 | High     |
| Anthropic: Stale pending invite  | 5667f7fa-4215-4a8e-80d7-4694ea33335b | Low      |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

| Finding type                                        | FindingTypeID                        | Severity |
| --------------------------------------------------- | ------------------------------------ | -------- |
| Anthropic: Downloadable File with DLP Profile match | 74ec2a38-0e69-48d4-80ed-a8faad5f40ef | High     |


---

---
title: Atlassian Confluence
description: Reference information for Atlassian Confluence in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Atlassian Confluence

The Atlassian Confluence integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Atlassian Confluence Cloud account that could leave you and your organization vulnerable.

**Note:** At this time, the CASB integration for Confluence is only compatible with Confluence Cloud accounts. Support for Confluence Data Center will come at a future date.

## Integration prerequisites

* A Confluence Cloud plan (Free, Standard, Premium, Enterprise)
* Access to a Confluence Cloud account with Site admin and/or Organization admin permissions

## Integration permissions

For the Confluence Cloud integration to function, Cloudflare CASB requires the following permissions via an OAuth 2.0 app:

* `read:confluence-space.summary`
* `read:confluence-props`
* `read:confluence-content.all`
* `read:confluence-content.summary`
* `read:confluence-content.permission`
* `read:confluence-user`
* `read:confluence-groups`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Atlassian scopes documentation ↗](https://developer.atlassian.com/cloud/confluence/scopes-for-oauth-2-3LO-and-forge-apps/).

## Security findings

The Atlassian Confluence integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/atlassian-confluence.mdx.atom).

### Access security

Flag user and third-party app access issues, including account misuse, sharing security, and users not following best practices.

| Finding type                                                      | FindingTypeID                        | Severity |
| ----------------------------------------------------------------- | ------------------------------------ | -------- |
| Confluence: Unknown or anonymous user with edit access to content | d5ad6f5e-3e7a-4409-a9dc-9707caca047e | Critical |
| Confluence: Unknown or anonymous user with edit access to space   | a531c40f-76f5-404e-9c9b-3b21a6da7b98 | High     |
| Confluence: Third-party app with edit access to space             | aac0ac18-25ad-442a-9a24-01ecd85b0b2b | Medium   |
| Confluence: Third-party app with edit access to content           | 8214431e-b708-49c9-b28b-3214f1b491d8 | Medium   |
| Confluence: Unknown or anonymous user with access                 | a1d0d098-2602-4312-85a8-a62d3bc56aca | Low      |
| Confluence: Third-party app with content access                   | 5ccf7326-386d-4afb-867a-fbf25978c33a | Low      |


---

---
title: Atlassian Jira
description: Reference information for Atlassian Jira in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Atlassian Jira

The Atlassian Jira integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Atlassian Jira Cloud account that could leave you and your organization vulnerable.

**Note:** At this time, the CASB integration for Jira is only compatible with Jira Cloud accounts. Support for Jira Data Center will come at a future date.

## Integration prerequisites

* A Jira Cloud plan (Free, Standard, Premium, Enterprise)
* Access to a Jira Cloud account with Site admin and/or Organization admin permissions

## Integration permissions

For the Jira Cloud integration to function, Cloudflare CASB requires the following permissions via an OAuth 2.0 app:

* `read:jira-work`
* `read:jira-user`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Atlassian scopes documentation ↗](https://developer.atlassian.com/cloud/jira/platform/scopes-for-oauth-2-3LO-and-forge-apps/).

## Security findings

The Jira Cloud integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/atlassian-jira.mdx.atom).

### Access security

Flag user and third-party app access issues, including account misuse and users not following best practices.

| Finding type                                | FindingTypeID                        | Severity |
| ------------------------------------------- | ------------------------------------ | -------- |
| Jira: Active user with unknown account type | 8dfd390d-911e-47bb-9ded-cb75fd91e793 | Low      |
| Jira: Active third-party app with access    | 01118135-a4ab-4b8f-887d-c814358da217 | Low      |
| Jira: Inactive third-party app with access  | 36f7de49-2938-4a54-b212-b4da74145a58 | Low      |
| Jira: Inactive user                         | 1e1a085c-1ef3-4199-bea5-ff52ccbd6d2d | Low      |

### File security

Identify files that could be potentially problematic and worth deeper investigation.

| Finding type                              | FindingTypeID                        | Severity |
| ----------------------------------------- | ------------------------------------ | -------- |
| Jira: Issue attachment larger than 512 MB | 1e5473b7-588e-4954-b97d-a5a20b4f8c5a | Medium   |


---

---
title: Amazon Web Services (AWS) S3
description: Reference information for Amazon Web Services (AWS) S3 in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Amazon Web Services (AWS) S3

The Amazon Web Services (AWS) S3 integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated AWS account that could leave you and your organization vulnerable.

## Integration prerequisites

* An AWS account using AWS S3 (Simple Storage Service)
* For initial setup, access to the AWS account with permission to create a new IAM Role with the scopes listed below.

## Integration permissions

For the AWS S3 integration to function, Cloudflare CASB requires the following access scopes via an IAM Role with cross-account access:

* `s3:PutBucketNotification`
* `s3:GetObject`
* `s3:ListBucket`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to the [AWS S3 Permissions documentation ↗](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-policy-actions.html).

## Compute account

You can connect an AWS compute account to your CASB integration to perform [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) scans within your S3 bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration.

### Add a compute account

To connect a compute account to your AWS integration:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Integrations**.
2. Find and select your AWS integration.
3. Select **Open connection instructions**.
4. Follow the instructions provided to connect a new compute account.
5. Select **Refresh**.

You can only connect one compute account to an integration. To remove a compute account, select **Manage compute accounts**.

### Configure compute account scanning

Once your AWS compute account has successfully connected to your CASB integration, you can configure where and how to scan for sensitive data:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Integrations** \> **Cloud & SaaS integrations**.
2. Find and select your AWS integration.
3. Select **Create new configuration**.
4. In **Resources**, choose the buckets you want to scan. Select **Continue**.
5. Choose the file types, sampling percentage, and [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) to scan for.
6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to.
7. Select **Continue**.
8. Review the details of the scan, then select **Start scan**.

CASB will take up to an hour to begin scanning. To view the scan results, go to **Cloud & SaaS findings** \> **Content Findings**.

To manage your resources, go to **Integrations** \> **Cloud & SaaS integrations**, then find and select your AWS integration. From here, you can pause all or individual scans, add or remove resources, and change scan settings.

For more information, refer to [Content findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#content-findings).

## Security findings

The AWS S3 integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/aws-s3.mdx.atom).

### S3 Bucket security

Flag security issues in S3 Buckets, including overpermissioning, access policies, and user security best practices.

| Finding type                                             | FindingTypeID                        | Severity |
| -------------------------------------------------------- | ------------------------------------ | -------- |
| S3 Bucket ACL Allows Any Authenticated User to Write     | 09bc7d1f-e682-43bc-a4ce-e6e03b408244 | Critical |
| S3 Bucket ACL Allows Any Authenticated User to Write ACP | 9392a460-c566-4e0d-b06b-01d87dc84d7c | Critical |
| S3 Bucket ACL Allows Public ACP Write                    | 5b792c7f-2546-4fcd-96dc-a58a53fea7e0 | Critical |
| S3 Bucket ACL Allows Public Write                        | f50ae197-fa0a-4caa-be95-79aed91eed63 | Critical |
| S3 Bucket Policy Allows Any Authenticated User to Write  | 70fe0596-28bc-41dd-a2c3-1486fb0fb1dd | Critical |
| S3 Bucket Policy Allows Public Write                     | 5e2aac4b-d8be-43dc-b324-84fdf63f760e | Critical |
| S3 Bucket Publicly Accessible                            | 6b1276e3-88e8-4150-a4d5-1b8273f11078 | Critical |
| S3 Bucket ACL Allows Any Authenticated User to Read      | fda31c4d-24dc-43d4-8a84-a1a9e1df01a1 | High     |
| S3 Bucket ACL Allows Any Authenticated User to Read ACP  | 7232e46b-3539-4080-b905-022f1091556c | High     |
| S3 Bucket ACL Allows Public ACP Read                     | e324242c-5feb-41a3-8d91-f70611471fad | High     |
| S3 Bucket ACL Allows Public Read                         | f8c9f979-29f0-4ada-b09e-a149937a55d4 | High     |
| S3 Bucket Policy Allows Any Authenticated User to Read   | c6b3a745-b535-45ea-b2c0-ba8a139ca634 | High     |
| S3 Bucket Policy Allows Public Read                      | f3915412-eef9-47d9-8448-e04462de8ba2 | High     |
| S3 Bucket Without MFA Delete Enabled                     | f108bd28-9870-453f-a439-01818e85bdc7 | High     |
| S3 Bucket Without Server-Side Encryption (SSE)           | 7817b383-79c3-44ca-8d5d-e01748afe75b | High     |
| S3 Bucket Encryption in Transit Disabled                 | 0b3227dd-63d3-46bc-97b3-e62d9c11567a | Medium   |
| S3 Bucket MFA Delete Disabled                            | 518697ff-3f7e-463e-acf3-79d106599f0e | Medium   |
| S3 Bucket ACL Allows Public List                         | e3c8a170-7817-4151-bd01-55442f4416ea | Medium   |
| S3 Bucket Objects Can Be Public                          | 0ff170dc-be6b-46fa-a1cf-95ca7d067f4b | Medium   |
| S3 Bucket Policy Allows Any Authenticated AWS User       | 264be783-7fe1-4f50-aee7-d8df370b7b77 | Medium   |
| S3 Bucket Policy Allows Any Authenticated User to Delete | 4431eaeb-63e3-43c1-a4bc-029f09da66fd | Medium   |
| S3 Bucket Policy Allows Any Authenticated User to List   | 319c9715-b86d-4215-bdfa-c5d9b3a5cc83 | Medium   |
| S3 Bucket Policy Allows Public Delete                    | bbbeacbc-6692-4121-a785-d634da1e5c56 | Medium   |
| S3 Bucket Policy Allows Public List                      | f7ae03e3-1303-4404-b6f5-a7f97e52105e | Medium   |
| S3 Bucket Server Side Encryption Disabled                | d69ab398-fba8-4e71-bf49-60af48d00cbc | Medium   |
| S3 Bucket Without Access Logging                         | 67d0995d-7b4a-40c5-a43f-7a98d20faac6 | Medium   |
| S3 Bucket Without AWS CloudTrail Logging                 | 89366ebe-ca0b-45fc-a9cb-135674e0a49b | Medium   |
| S3 Bucket Without Cross-Region Replication               | d4e5c815-33e3-4a01-b852-fe040d51ee55 | Medium   |
| S3 Bucket Without Default Encryption                     | fb7a41af-294c-4e9b-a6ca-a1fed35542d6 | Medium   |
| S3 Bucket Without Lifecycle Policies                     | 2df6f1b8-e41c-4ab5-a466-992ce485a367 | Medium   |
| S3 Bucket Without Object-Level Logging                   | 9af2594c-3999-49c9-bd3d-2f4b091f99c0 | Medium   |
| S3 Bucket Without Replication Enabled                    | cb61ef18-a498-456c-985c-78a45e19f4fe | Medium   |
| S3 Bucket Without Versioning Enabled                     | 95e1284f-a514-4396-bf64-cd003818790c | Medium   |
| S3 Bucket Access Logging Disabled                        | 84ba76fa-4703-490e-ab75-1b554993c054 | Low      |
| S3 Bucket Lifecycle Disabled                             | 970d2ca8-e189-42a8-8e86-9f674fcb1aea | Low      |
| S3 Bucket Policy Not Existent                            | 3e1d0535-d82f-4ed1-9664-d2c50905db17 | Low      |
| S3 Bucket Versioning Disabled                            | 4e976e0d-b545-4c4a-99c5-a2f5d9a6f3d8 | Low      |
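The ACL and bucket-policy findings in the table above split along two axes: who is granted access (anyone on the Internet, or any authenticated AWS user) and what they may do (read, write, read or write the ACL itself, list, delete). The following Python script is an added illustration of how those classes fall out of the S3 data model; it is not Cloudflare CASB's implementation, and how CASB itself distinguishes a bucket policy open to "any authenticated user" from one open to the public is not described on this page. The ACL grantee group URIs and the policy document structure are AWS's real ones; the classification rules, the sample ACL, the sample policy, and all bucket and VPC identifiers in them are constructed for the example.

```python
"""Classify S3 bucket ACL grants and bucket-policy statements into the
finding classes used in the table above (who: public vs. any authenticated
AWS user; what: read, write, ACP read/write, list, delete).

Added illustration only, not Cloudflare CASB's implementation. The ACL
grantee group URIs and policy structure are AWS's real data model; the
classification rules and the sample documents are constructed here."""
import fnmatch
import json

# Real S3 ACL grantee group URIs from the AWS S3 documentation.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

ACL_SCOPE = {ALL_USERS: "Public", AUTHENTICATED_USERS: "Any Authenticated User"}
ACL_PERMISSIONS = ("READ", "WRITE", "READ_ACP", "WRITE_ACP")

# Bucket-policy actions of interest, lower-cased for case-insensitive matching.
POLICY_ACTIONS = {
    "s3:getobject": "READ",
    "s3:putobject": "WRITE",
    "s3:deleteobject": "DELETE",
    "s3:listbucket": "LIST",
}


def _as_list(value):
    """IAM allows a scalar or a list for Principal/Action/Statement fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_findings(acl: dict) -> set:
    """Grants to the AllUsers or AuthenticatedUsers group, as
    ("ACL", scope, permission) triples. FULL_CONTROL expands to all four."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        scope = ACL_SCOPE.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if scope is None:
            continue  # a CanonicalUser or other named grantee is not a broad grant
        perm = grant.get("Permission")
        perms = ACL_PERMISSIONS if perm == "FULL_CONTROL" else (perm,)
        for p in perms:
            if p in ACL_PERMISSIONS:
                found.add(("ACL", scope, p))
    return found


def _is_anonymous_principal(principal) -> bool:
    """'*' and {'AWS': '*'} both address everyone in a resource policy; this
    example collapses both forms into Public (see the lead-in)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy: dict) -> set:
    """Allow statements addressed to everyone, as ("Policy", scope, perm)
    triples. A statement with a Condition block is still reported, but with
    scope "Public (conditional)": keys such as aws:SourceVpc may narrow the
    grant and need per-key review rather than silence. Deny statements are
    skipped, so deny-overrides-allow is not modelled here."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        scope = "Public (conditional)" if stmt.get("Condition") else "Public"
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        for action, perm in POLICY_ACTIONS.items():
            # fnmatch handles wildcard actions such as "s3:Put*" or "s3:*".
            if any(fnmatch.fnmatchcase(action, pat) for pat in patterns):
                found.add(("Policy", scope, perm))
    return found


def bucket_findings(acl: dict, policy: dict) -> set:
    """Union of ACL- and policy-derived findings for one bucket."""
    return acl_findings(acl) | policy_findings(policy)


# Constructed sample documents; shapes follow get-bucket-acl / get-bucket-policy output.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE_ACP"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnlyWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}},
    {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    for source, scope, perm in sorted(bucket_findings(SAMPLE_ACL, SAMPLE_POLICY)):
        print(f"S3 Bucket {source} allows {scope}: {perm}")
```

Run against the sample documents, the script reports a public ACL read, an ACP write granted to any authenticated user, a public policy read, and a conditional public write; the policy deny statement is not counted as a grant. A real audit would feed it the output of `aws s3api get-bucket-acl` and `get-bucket-policy` for each bucket and would also have to account for S3 Block Public Access settings, which can override both mechanisms and which this example does not model.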

### IAM Policies

Identify AWS IAM-related security issues that could affect S3 Bucket and Object security.

| Finding type                                                    | FindingTypeID                        | Severity |
| --------------------------------------------------------------- | ------------------------------------ | -------- |
| IAM Account Password Policy Does Not Exist                      | e39ee4da-eed5-49d0-95f7-b423884b858c | Critical |
| IAM Account Password Policy Doesn't Require Lowercase Letters   | 9278444b-0c38-4ed0-8127-f3f25444811c | High     |
| IAM Account Password Policy Doesn't Require Passwords to Expire | 5be79a96-4570-45cf-8ba3-1abe62802d16 | High     |
| IAM Account Password Policy Doesn't Require Symbols             | dd17afa3-4d4c-49e4-84c3-e829af9fff97 | High     |
| IAM Account Password Policy Doesn't Require Uppercase Letters   | e4976e53-bab5-4276-a1d3-1d85ebfd4d57 | High     |
| IAM Account Password Policy Max Age is greater than 90 days     | 4e1092a0-7092-405f-a991-537d8c371440 | High     |
| IAM Account Password Policy Minimum Length is less than 8       | 2a2fa181-7beb-48ba-bc8d-8f1170c6062c | High     |
| IAM Account Password Policy Re-use Prevention is less than 5    | a4791a20-373f-44d3-9f6e-e61f1685fe05 | High     |
| IAM Role with Cross-Account Access                              | 8de72710-b23a-4d94-915e-26ef7249d21e | High     |
| IAM Access Key Inactive over 90 Days                            | 37d1adb1-8e37-4708-a849-e06945c60802 | Medium   |
| IAM Access Key Not Rotated over 90 Days                         | d2caf571-4c99-4da7-a21c-4384f8cb4e5c | Medium   |
| IAM User Console Login Inactive Over 90 Days                    | 82b50a4d-8582-4766-9bad-f41b441bf336 | Medium   |
| IAM User MFA Disabled                                           | 4679563f-5975-4c68-9dbf-896810ec8de9 | Medium   |
| IAM User Password Older Than 90 Days                            | c5376384-e4e4-4b2c-af84-12d6740939f0 | Medium   |
| IAM Account Password Policy Doesn't Require Numbers             | 15c65813-c7e6-4b22-95b3-b3942c8b8924 | Low      |

### Root User Management

Detect security issues related to the use of an IAM Root User, which has the ability to access and configure important settings.

| Finding type                                      | FindingTypeID                        | Severity |
| ------------------------------------------------- | ------------------------------------ | -------- |
| AWS Root User Access Key Used within Last 90 Days | 9d23c002-aece-42b5-b082-2b51fab8d7c1 | Critical |
| AWS Root User has Access Keys                     | 1b788d31-ed56-4008-b136-6993f38e4d1c | Critical |
| AWS Root User Logged in within Last 90 Days       | e9959d6e-edc9-4ea3-9113-3c30b02a811e | Critical |
| AWS Root User MFA Disabled                        | 19abe0ee-e8bd-4e3b-9ee9-ea5c64fe769c | Critical |

### Certificates

Catch certificate-related issues and risks to prevent malicious compromise of internal resources.

| Finding type                           | FindingTypeID                        | Severity |
| -------------------------------------- | ------------------------------------ | -------- |
| ACM Certificate Expired                | 30ce0a22-eb3d-457d-bc59-6468f9bb4c4f | Critical |
| ACM Certificate Has Domain Wildcard    | d313bc0c-a2fb-41d8-b5a8-ef2704bb5570 | High     |
| ACM Certificate Expires within 30 days | cd93f2c1-9b07-4e6c-964c-79f3a64d56ac | Medium   |

---

---
title: Bitbucket Cloud
description: Reference information for Bitbucket Cloud in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Bitbucket Cloud

The Bitbucket Cloud integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Bitbucket Cloud account that could leave you and your organization vulnerable.

**Note:** Currently, the CASB integration for Bitbucket is only compatible with Bitbucket Cloud accounts. Support for Bitbucket Data Center will come at a future date.

## Integration prerequisites

* A Bitbucket Cloud plan (Free, Standard, Premium, Enterprise)
* Access to a Bitbucket Cloud account with Site admin and/or Organization admin permissions

## Integration permissions

For the Bitbucket Cloud integration to function, Cloudflare CASB requires the following permission scopes via an OAuth 2.0 app:

* `account`
* `email`
* `issue`
* `pipeline`
* `project`
* `project:admin`
* `pullrequest`
* `repository`
* `repository:admin`
* `runner`
* `snippet`
* `webhook`
* `wiki`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to the [Atlassian scopes documentation ↗](https://developer.atlassian.com/cloud/bitbucket/rest/intro/#oauth-2-0).

## Security findings

The Bitbucket Cloud integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/bitbucket-cloud.mdx.atom).

### Repository security

Flag repository issues, including branch protection, access, and update frequency.

| Finding type                                                                                              | FindingTypeID                        | Severity |
| --------------------------------------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Bitbucket Cloud: Repository is publicly accessible                                                        | be273f0a-678e-49af-b9f8-8f3913acef97 | Critical |
| Bitbucket Cloud: Repository Default Branch Protection does not have PR Review Required                    | 6ad95c13-0d13-4595-bc76-bd86f4eba4b9 | High     |
| Bitbucket Cloud: Repository has no Default Branch Protection                                              | 324f2014-4d4b-4aa6-89a8-72a6c7da09d7 | Medium   |
| Bitbucket Cloud: Repository not updated in 12+ months                                                     | a1bd3076-a68d-492e-9947-a01e15a4d1b3 | Medium   |
| Bitbucket Cloud: Repository Default Branch Protection does not disable direct pushes for all users/groups | c60a7b00-1592-429a-8a32-d58101e4551f | Medium   |
| Bitbucket Cloud: Repository Default Branch Protection does not have Stale PR Approvals Disabled           | 738c9839-5e1e-4048-85a3-7935ec4c647a | Medium   |
| Bitbucket Cloud: Repository Default Branch Protection does not have Force Pushes Disabled                 | 4c52f441-0c24-4dbd-8f5e-0e5b829ee8e2 | Medium   |
| Bitbucket Cloud: Repository Default Branch Protection does not require passing builds to merge            | afe4a27e-ee01-4ebe-914c-d480ac49a5c2 | Low      |
| Bitbucket Cloud: Repository Default Branch Protection allows branch deletion                              | 86411562-4b85-4677-b048-7887cc5b1567 | Low      |
| Bitbucket Cloud: Repository Default Branch Protection does not enforce merge checks                       | 64440d40-91de-4d13-9280-d5afa418ccf0 | Low      |
| Bitbucket Cloud: Key is older than 180 days                                                               | 0a135600-a109-434f-877c-1a6594dcd76d | Low      |

---

---
title: Box
description: Reference information for Box in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Box

The Box integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Box account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Box account on a Business plan (Business, Business Plus, Enterprise, Enterprise Plus)
* Access to a Box Business account with Admin permission

## Integration permissions

For the Box integration to function, Cloudflare CASB requires the following Box permissions via an OAuth 2.0 app:

* `Read all files and folders stored in Box`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about the permission, refer to the [Box Scopes documentation ↗](https://developer.box.com/guides/api-calls/permissions-and-errors/scopes/#read-all-files-and-folders).

## Security findings

The Box integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/box.mdx.atom).

### File sharing

Identify files and folders that have been shared in a potentially insecure fashion.

To access some file findings, you may need to review shared links. For more information, refer to [View shared files](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#view-shared-files).

| Finding type                                             | FindingTypeID                        | Severity |
| -------------------------------------------------------- | ------------------------------------ | -------- |
| Box: File publicly accessible with edit access           | fa0532dd-9d13-4c21-8227-62b8bd8be275 | Critical |
| Box: File publicly accessible with high download count   | 97c0845a-754b-4269-b548-85026867da64 | High     |
| Box: Folder publicly accessible with edit access         | 154eabed-19a7-4a07-9dfd-d08f5e839aed | High     |
| Box: File shared company-wide with edit access           | 8df801de-327b-4d71-9f36-fc6f3e2c18da | High     |
| Box: File publicly accessible with view access           | ecca7eeb-3c04-46b2-a509-40393ada32ec | High     |
| Box: Folder shared company-wide with high download count | 21bed8a9-b587-4a8b-b38f-8c9492b1d132 | Medium   |
| Box: File publicly accessible with high view count       | 540ab1db-5a9e-4968-b669-100e2b97fa85 | Medium   |
| Box: Folder that can be shared by anyone                 | c56757c6-72e4-456c-8cb9-a5b0fd6ceb4a | Medium   |
| Box: Folder shared company-wide with edit access         | 61082e41-3205-44a0-bb7e-34c02abd5137 | Medium   |
| Box: File shared company-wide with view access           | 5afdbe74-0311-4da8-a64e-6f25c3d4a2b7 | Medium   |
| Box: File shared company-wide with high download count   | 3cd0d8dd-d92b-4a46-b88f-076a17e11837 | Medium   |
| Box: Folder publicly accessible with view access         | 2e9d5774-3a22-4d45-9307-bb24207af3d7 | Medium   |
| Box: Folder shared company-wide with high view count     | fd303606-a513-4bb5-9a87-b1c836f6e993 | Low      |
| Box: File larger than 2 GB                               | ef889ceb-4cad-4d25-8845-d350a599825e | Low      |
| Box: Folder with external email upload access            | 90f9b277-0846-4918-aac2-2e63fed576b5 | Low      |
| Box: Folder shared company-wide with view access         | 1bb68e90-9c1d-44ef-91a9-2ed4eb2eb5b2 | Low      |
| Box: File shared company-wide with high view count       | 22bf3a7b-1fd1-4eb6-b8f5-1b2e772b3484 | Low      |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

| Finding type                                                        | Severity | Description                                                                       |
| ------------------------------------------------------------------- | -------- | --------------------------------------------------------------------------------- |
| Box: File Publicly Accessible Read and Write with DLP Profile match | Critical | A Box file contains sensitive data that anyone on the Internet can read or write. |
| Box: File Publicly Accessible Read Only with DLP Profile match      | Critical | A Box file contains sensitive data that anyone on the Internet can read.          |
| Box: File Shared Company Wide Read and Write with DLP Profile match | Medium   | A Box file is shared with the entire company with read and write permissions.     |
| Box: File Shared Company Wide Read Only with DLP Profile match      | Medium   | A Box file is shared with the entire company with read permissions.               |

### User access

Flag user access issues, including account misuse and users not following best practices.

| Finding type                                             | FindingTypeID                        | Severity |
| -------------------------------------------------------- | ------------------------------------ | -------- |
| Box: Admin not required to use two-factor authentication | 40f33ef2-3eab-4855-b171-a71463f8fc96 | High     |
| Box: User not required to use two-factor authentication  | a8f9e55a-cb7c-4e35-8dc0-fdf569919a97 | Medium   |
| Box: Inactive admin user                                 | e6b82aa9-7d0d-4c85-a582-a377684ace47 | Medium   |
| Box: User with unconfirmed notification email            | 15b70c97-68f6-4ef0-afd1-891971162114 | Low      |
| Box: User with email alias configured                    | 085164ed-c555-40ed-9374-358a892e49ef | Low      |
| Box: User allowed to collaborate with external users     | 01ed4b90-c470-4ea1-961a-7e64c2fec525 | Low      |
| Box: Inactive user                                       | d709ccb3-9b9d-4a3c-a3af-a1def54c9a2e | Low      |

### Account misconfigurations

Discover account and admin-level settings that have been configured in a potentially insecure way.

| Finding type        | Severity |
| ------------------- | -------- |
| Box: Active Webhook | Low      |

---

---
title: Dropbox
description: Reference information for Dropbox in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Dropbox

The Dropbox integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Dropbox account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Dropbox Business plan (Standard, Advanced, Enterprise, or Education)
* Access to a Dropbox Business account with Team admin permissions

## Integration permissions

For the Dropbox integration to function, Cloudflare CASB requires the following Dropbox permissions via an OAuth 2.0 app:

* `account_info.read`
* `files.metadata.read`
* `files.content.read`
* `sharing.read`
* `team_info.read`
* `team_data.member`
* `team_data.governance.write`
* `team_data.governance.read`
* `files.team_metadata.read`
* `members.read`
* `groups.read`
* `sessions.list`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Dropbox API Permissions documentation ↗](https://developers.dropbox.com/oauth-guide#dropbox-api-permissions).

## Security findings

The Dropbox integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/dropbox.mdx.atom).

### File and folder sharing

Identify files and folders that have been shared in a potentially insecure fashion.

| Finding type                                                           | FindingTypeID                        | Severity |
| ---------------------------------------------------------------------- | ------------------------------------ | -------- |
| Dropbox: File publicly accessible with edit access                     | 7fefad57-371b-4f27-b1f0-7d500c863bd0 | Critical |
| Dropbox: File shared company-wide with edit access                     | 265ed167-435c-4626-99ba-2fafd766c096 | High     |
| Dropbox: File publicly accessible with view access                     | e8c057e4-d6ce-431b-9d03-d9aadff610d4 | High     |
| Dropbox: Shared link create policy set to default 'Public'             | 0afabc9a-3a98-4a67-941a-d1f0ce0cfbfe | High     |
| Dropbox: File shared company-wide with view access                     | 02a14d67-27fa-4621-a280-1a25925d506f | Medium   |
| Dropbox: Folder shared company-wide with edit access                   | ac4da5b9-ddb0-4285-ba52-2ba4de43b530 | Medium   |
| Dropbox: Shared folder policy set to default 'Anyone'                  | 5d479ad5-d0f1-4c8f-b439-a39b399fe6c5 | Medium   |
| Dropbox: Group creation policy set to 'Admins and Members'             | 6f54b5eb-6867-490e-b823-08e91878eb40 | Medium   |
| Dropbox: Folder join policy set to 'Can join folders shared by Anyone' | e5ffaecc-f61a-4019-a54f-2e5ac882d3f3 | Medium   |
| Dropbox: Folder member policy set to 'Can share folders with Anyone'   | 99d4a2af-12ec-43a1-9630-27ac4adf625c | Medium   |
| Dropbox: Shared link create policy set to default 'Team-wide'          | a3d02f04-4372-4ae3-99f9-e2caccee6e76 | Low      |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

| Finding type                                                   | Severity | Description                                                                           |
| -------------------------------------------------------------- | -------- | ------------------------------------------------------------------------------------- |
| File Publicly Accessible Read and Write with DLP Profile match | Critical | A Dropbox file contains sensitive data that anyone on the Internet can read or write. |
| File Publicly Accessible Read Only with DLP Profile match      | Critical | A Dropbox file contains sensitive data that anyone on the Internet can read.          |
| File Shared Company Wide Read and Write with DLP Profile match | Medium   | A Dropbox file is shared with the entire company with read and write permissions.     |
| File Shared Company Wide Read Only with DLP Profile match      | Medium   | A Dropbox file is shared with the entire company with read permissions.               |

### Suspicious applications

Detect when suspicious Dropbox applications are linked by members.

| Finding type                                     | FindingTypeID                        | Severity |
| ------------------------------------------------ | ------------------------------------ | -------- |
| Dropbox: Suspicious application linked by member | 8384c58c-1fc2-4caa-9836-c8ede7ca440d | High     |

### User access and account misconfigurations

Flag user access issues, including users misusing accounts or not following best practices.

| Finding type                                         | FindingTypeID                        | Severity |
| ---------------------------------------------------- | ------------------------------------ | -------- |
| Dropbox: Admin user with unverified secondary email  | cebb4104-1235-4049-a664-9fcd003ece71 | Medium   |
| Dropbox: Admin user with restricted directory access | 19378bb3-a3b7-4ee5-8ea7-39eec0a2ca7c | Medium   |
| Dropbox: User with unverified email                  | 2b5804f7-4888-4872-a85a-a64805d10654 | Medium   |
| Dropbox: Invited user                                | 44d34aab-82fb-4a60-8e35-d7a75cfc789c | Low      |
| Dropbox: Suspended user                              | e356cfe6-97e6-4e30-9cb9-4a42a387844e | Low      |
| Dropbox: User with secondary email configured        | 4bbb795a-cd34-41ba-865d-9bf9de61a592 | Low      |

---

---
title: Manage findings
description: Manage findings in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Manage findings

Findings are security issues detected within SaaS and cloud applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Cloudflare One and immediately start taking action on the issues found.

## Prerequisites

* You have added a [Cloud and SaaS integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/).
* Your scan has surfaced at least one security finding.

## Posture findings

Posture findings include misconfigurations, unauthorized user activity, and other data security issues.

To view details about the posture findings that CASB found:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose **SaaS** or **Cloud**.
3. To view details about a finding, select the finding's name.

Cloud & SaaS findings will display details about your posture finding, including the finding type, [severity level](#severity-levels), number of instances, associated integration, current status, and date detected. For more information on each instance of the finding, select **Manage**.

To manage the finding's visibility, you can update the finding's [severity level](#severity-levels) or [hide the finding](#hide-findings) from view. You can also [send a posture finding instance to a webhook](#send-webhook). Some findings also provide a remediation guide to resolve the issue or support [creating a Gateway HTTP policy](#resolve-finding-with-a-gateway-policy) to block the traffic.

### Severity levels

Cloudflare CASB labels each finding with one of the following severity levels:

| Severity level | Urgency                                                                      |
| -------------- | ---------------------------------------------------------------------------- |
| Critical       | Suggests the finding is something your team should act on today.             |
| High           | Suggests the finding is something your team should act on this week.         |
| Medium         | Suggests the finding should be reviewed sometime this month.                 |
| Low            | Suggests the finding is informational or part of a scheduled review process. |

#### Change the severity level

You can change the severity level for a finding at any time in case the default assignment does not suit your environment:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Locate the finding you want to modify and select **Manage**.
3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_).

The new severity level will only apply to the posture finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change.

## Content findings

Content findings include instances of potential data exposure as identified by [DLP](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/).

To view details about the content findings that CASB found:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Content Findings**.
2. Choose **SaaS** or **Cloud**.
3. To view details about a finding, select the finding's name.

Cloud & SaaS findings will display details about your content finding, including the file name, a link to the file, matching DLP profiles, associated integration, and date detected.

AWS users can configure a [compute account](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/aws-s3/#compute-account) to scan their S3 resources for data security findings.

## View shared files

File findings for some integrations (such as [Microsoft 365](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#file-sharing) and [Box](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file:

**Posture finding**

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose **SaaS** or **Cloud**.
3. Locate the individual finding, then select **Manage**.
4. In **Active Instances**, select the file name.
5. In **Shared Links**, select the linked file instance.

**Content finding**

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Content Findings**.
2. Choose **SaaS** or **Cloud**.
3. Select the file name of the detected asset.
4. In **Sharing details**, select the linked file instance.

## Hide findings

After reviewing your findings, you may decide that certain posture findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab.

### Ignore a finding

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Locate the active finding you want to hide.
3. In the three-dot menu, select **Move to ignore**.

The finding's status will change from **Active** to **Ignored**. CASB will continue to scan for these findings and report detections. You can change ignored findings back to **Active** with the same process at any time.

### Hide an instance of a finding

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose the active finding you want to hide, then select **Manage**.
3. In **Active**, find the instance you want to hide.
4. In the three-dot menu, select **Move to hidden**.

The instance will be moved from **Active** to **Hidden** within the finding. If the finding occurs again for the same user, CASB will report the new instance quietly in the **Hidden** tab. You can move hidden instances back to the **Active** tab at any time.

## Send webhook

After you configure one or more [CASB webhooks](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/), you can send posture finding instances to external systems such as chat platforms, ticketing systems, SIEMs, SOAR tools, and custom automation services.

CASB webhooks currently support posture finding instances only.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose **SaaS** or **Cloud**.
3. Choose the finding you want to review, then select **Manage**.
4. In **Active Instances**, select an instance.
5. In the instance details panel, select **Send webhook**.
6. Choose the webhook destination or destinations you want to use.
7. Select **Send webhooks**.

Cloudflare queues webhook sends in the background. A success message means that Cloudflare accepted the request for delivery.

To validate a destination before sending a live finding instance, use **Test delivery** from the [Webhooks](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/webhooks/) page.

## Remediate findings

In addition to detecting and surfacing misconfigurations or issues with SaaS and cloud applications, CASB can also remediate findings directly in applications.

### Configure remediation permissions

Before you can remediate findings, [add a new integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) and choose _Read-Write mode_ during setup. Alternatively, you can update an existing integration:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Integrations**.
2. Choose your integration, then select **Configure**.
3. In **Integration permissions**, choose _Read-Write mode_.
4. Select **Update integration**. CASB will redirect you to your Microsoft 365 configuration.
5. Sign in to your organization, then select **Accept**.

CASB can now remediate supported findings directly.

### Remediate a finding

To remediate a supported finding:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose a supported finding type, then select **Manage**.
3. In **Active Instances**, select an instance.
4. In **Remediation details**, choose a remediation action to take.

CASB will begin remediating the instance.

### Manage remediated findings

Remediated findings will appear in **Cloud & SaaS findings** \> **Posture Findings**. The status of the finding will change depending on what action CASB has taken:

| Status     | Description                                                                                                     |
| ---------- | --------------------------------------------------------------------------------------------------------------- |
| Pending    | CASB has set the finding to be remediated.                                                                      |
| Processing | CASB is currently remediating the finding.                                                                      |
| Validating | CASB successfully completed the remediation and is waiting for confirmation that the finding has been resolved. |
| Completed  | CASB successfully remediated the finding and validated that the finding has been resolved.                      |
| Failed     | CASB attempted to remediate the finding, but the remediation did not succeed.                                   |
| Rejected   | CASB does not have the correct permissions to remediate the finding.                                            |

If the status is **Completed**, remediation succeeded. If the status is **Failed** or **Rejected**, remediation failed, and you can select the finding to take action again.

CASB will log remediation actions in **Logs** \> **Admin**. For more information, refer to [Cloudflare One Logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/).

## Resolve finding with a Gateway policy

Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns with your organization's security policy. You can view a CASB finding, like the use of an unapproved application, then immediately prevent or control access with Gateway.

CASB supports creating a Gateway policy for findings from the [Google Workspace integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/):

**Supported CASB findings for Gateway policies**

* Google Workspace: File publicly accessible with edit access
* Google Workspace: File publicly accessible with view access
* Google Workspace: File shared outside company with edit access
* Google Workspace: File shared outside company with view access

**Before you begin**

Ensure that you have [enabled HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/http/) for your organization.

To create a Gateway policy directly from a CASB finding:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings** or **Cloud & SaaS findings** \> **Content Findings**.
2. Choose **SaaS** or **Cloud**.
3. Choose the finding you want to modify, then select **Manage**.
4. Find the instance you want to block and select its three-dot menu.
5. Select **Block with Gateway HTTP policy**. A new browser tab will open with a pre-filled HTTP policy.

   **Note:** Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider.

6. (Optional) [Configure the HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads.
7. Select **Save**.

Your HTTP policy will now prevent future instances of the security finding.


---

---
title: Google Cloud Platform (GCP) Cloud Storage
description: Reference information for Google Cloud Platform (GCP) Cloud Storage in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Google Cloud Platform (GCP) Cloud Storage

The Google Cloud Platform (GCP) Cloud Storage integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated GCP account that could leave you and your organization vulnerable.

## Integration prerequisites

* A GCP account using Cloud Storage.
* For initial setup, access to the GCP account with permission to create a new Service Account with the scopes listed below.

## Integration permissions

For the GCP Cloud Storage integration to function, Cloudflare CASB requires the following access scopes via a Service Account:

* `roles/viewer`
* `roles/storage.admin`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to the [GCP IAM roles for Cloud Storage documentation ↗](https://cloud.google.com/storage/docs/access-control/iam-roles).

## Compute account

You can connect a GCP compute account to your CASB integration to perform [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) scans within your Cloud Storage bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration.

### Add a compute account

To connect a compute account to your GCP integration:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Integrations** \> **Cloud & SaaS integrations**.
2. Find and select your GCP integration.
3. Select **Open connection instructions**.
4. Follow the instructions provided to connect a new compute account.
5. Select **Refresh**.

You can only connect one compute account to an integration. To remove a compute account, select **Manage compute accounts**.

### Configure compute account scanning

Once your GCP compute account has successfully connected to your CASB integration, you can configure where and how to scan for sensitive data:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Integrations** \> **Cloud & SaaS integrations**.
2. Find and select your GCP integration.
3. Select **Create new configuration**.
4. In **Resources**, choose the buckets you want to scan. Select **Continue**.
5. Choose the file types, sampling percentage, and [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) to scan for.
6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to.
7. Select **Continue**.
8. Review the details of the scan, then select **Start scan**.

CASB will take up to one hour to begin scanning. To view the scan results, go to **Cloud & SaaS findings** \> **Content Findings**.

To manage your resources, go to **Cloud & SaaS findings** \> **Integrations**, then find and select your GCP integration. From here, you can pause all or individual scans, add or remove resources, and change scan settings.

For more information, refer to [Content findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#content-findings).

## Security findings

The GCP Cloud Storage integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/gcp-cloud-storage.mdx.atom).

### Cloud Storage Bucket security

Flag security issues in Cloud Storage Buckets, including overpermissioning, access policies, and user security best practices.

| Finding type                                                                     | FindingTypeID                        | Severity |
| -------------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Google Cloud Platform: GCS Bucket Allows Public Write                            | 4583f5a9-a343-4e2f-a8b3-9237a911f337 | Critical |
| Google Cloud Platform: GCS Bucket IAM Policy Allows Public Access                | 032c1e88-0cff-47f6-8d75-046e0a7330de | Critical |
| Google Cloud Platform: GCS Bucket Publicly Accessible                            | cc028a95-46d4-4156-ac11-bc5713529824 | Critical |
| Google Cloud Platform: Public Access Prevention Enabled But Policy Grants Public | cc02680e-9cc3-49d1-99d5-29d425bf142f | Critical |
| Google Cloud Platform: GCS Bucket ACL Grants All Authenticated Users Access      | e1a588af-0500-482e-b59d-fd2693ce7fc0 | Critical |
| Google Cloud Platform: GCS Bucket ACL Grants All Users Public Access             | 1904c004-8d4f-470e-9460-e77db23d6a86 | Critical |
| Google Cloud Platform: Public Access Prevention but ACL Grants allUsers          | fcf2e27e-673f-4cd2-9b76-ec89c4c5872c | Critical |
| Google Cloud Platform: GCS Bucket Versioning Disabled                            | bd66e214-f205-4e00-bd68-121dad0a7988 | High     |
| Google Cloud Platform: GCS Bucket Without KMS Encryption                         | 0105d9c4-1a01-4b65-b33e-df6c55905147 | High     |
| Google Cloud Platform: GCS Uniform Bucket-Level Access Disabled                  | 6960b459-aa9e-4b41-84f6-26cdb75a1995 | High     |
| Google Cloud Platform: GCS Bucket IAM Policy Allows Public Read                  | 10420f34-8fdd-49cb-8d38-096a2de5824f | High     |
| Google Cloud Platform: GCS Bucket Lacks Lifecycle Rules                          | edcd5a8b-b128-404b-8207-23a80f669b65 | Medium   |
| Google Cloud Platform: GCS Bucket Logging Disabled                               | d26f43c8-9406-481c-8c8b-1a7f05f3cc27 | Medium   |
| Google Cloud Platform: GCS Bucket Not Using 'Soft Delete'                        | 5542ed8e-77a6-43c1-8b9e-935e66009d34 | Medium   |
| Google Cloud Platform: GCS Bucket Retention Policy Disabled                      | 2d4a247c-8adb-4f2b-ae58-3568d633cb81 | Medium   |
| Google Cloud Platform: GCS Bucket IAM Policy Not Version 3                       | ade2ede6-08c7-4962-b084-f6a29ee4a5b8 | Low      |
| Google Cloud Platform: GCS Bucket IAM Policy Using Legacy Roles                  | 11a592b9-4f51-4a1a-9925-a48a5ed01521 | Low      |
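To make concrete what these finding types look at, the following is an added example (not Cloudflare CASB code, whose evaluation logic this page does not document) that applies this example's own reading of each finding name to a bucket's metadata, IAM policy and ACL as returned by the GCS JSON API. The `WRITE_ROLES` set and the two sample buckets are constructed for illustration.

```python
from __future__ import annotations

# Added example, not Cloudflare CASB code. Each condition below is this example's own
# reading of the finding name. Input shapes follow the GCS JSON API: buckets.get
# (bucket), buckets.getIamPolicy (policy) and bucketAccessControls.list (acl items).

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let a principal create or overwrite objects (assumed set for this check).
WRITE_ROLES = {"roles/storage.objectCreator", "roles/storage.objectUser", "roles/storage.objectAdmin",
               "roles/storage.admin", "roles/storage.legacyBucketWriter", "roles/storage.legacyBucketOwner"}


def check_bucket(bucket: dict, policy: dict, acl: list[dict]) -> list[str]:
    """Return the finding names from the table above that apply to one bucket."""
    findings: list[str] = []
    iam_cfg = bucket.get("iamConfiguration", {})
    pap_enforced = iam_cfg.get("publicAccessPrevention") == "enforced"
    ubla_enabled = bool(iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"))
    bindings = policy.get("bindings", [])

    # IAM bindings that grant a role to a public principal, split by read vs write.
    public_roles = [b["role"] for b in bindings
                    if PUBLIC_PRINCIPALS & set(b.get("members", []))]
    if public_roles:
        findings.append("GCS Bucket IAM Policy Allows Public Access")
        if any(role in WRITE_ROLES for role in public_roles):
            findings.append("GCS Bucket Allows Public Write")
        else:
            findings.append("GCS Bucket IAM Policy Allows Public Read")
        if pap_enforced:
            # Prevention blocks the request today; the binding goes live if prevention is relaxed.
            findings.append("Public Access Prevention Enabled But Policy Grants Public")

    # Legacy ACLs only matter while uniform bucket-level access is off.
    acl_entities = set() if ubla_enabled else {e.get("entity") for e in acl}
    if "allUsers" in acl_entities:
        findings.append("GCS Bucket ACL Grants All Users Public Access")
        if pap_enforced:
            findings.append("Public Access Prevention but ACL Grants allUsers")
    if "allAuthenticatedUsers" in acl_entities:
        findings.append("GCS Bucket ACL Grants All Authenticated Users Access")
    if (public_roles or acl_entities & PUBLIC_PRINCIPALS) and not pap_enforced:
        findings.append("GCS Bucket Publicly Accessible")

    # Configuration hygiene checks.
    if not bucket.get("versioning", {}).get("enabled"):
        findings.append("GCS Bucket Versioning Disabled")
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("GCS Bucket Without KMS Encryption")
    if not ubla_enabled:
        findings.append("GCS Uniform Bucket-Level Access Disabled")
    if not bucket.get("lifecycle", {}).get("rule"):
        findings.append("GCS Bucket Lacks Lifecycle Rules")
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("GCS Bucket Logging Disabled")
    if int(bucket.get("softDeletePolicy", {}).get("retentionDurationSeconds", 0)) == 0:
        findings.append("GCS Bucket Not Using 'Soft Delete'")
    if "retentionPolicy" not in bucket:
        findings.append("GCS Bucket Retention Policy Disabled")
    if int(policy.get("version", 1)) < 3:
        findings.append("GCS Bucket IAM Policy Not Version 3")
    if any(b["role"].startswith("roles/storage.legacy") for b in bindings):
        findings.append("GCS Bucket IAM Policy Using Legacy Roles")
    return findings


# Constructed sample: a world-readable bucket with prevention inherited (off) and
# none of the hygiene controls enabled.
EXPOSED_BUCKET = {
    "name": "example-public-assets",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}, "publicAccessPrevention": "inherited"},
    "versioning": {"enabled": False},
}
EXPOSED_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:example-project"]},
    ],
}
EXPOSED_ACL = [{"entity": "allUsers", "role": "READER"}, {"entity": "project-owners-123456", "role": "OWNER"}]

# Constructed sample: a bucket with every control in the table enabled.
HARDENED_BUCKET = {
    "name": "example-private-data",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "enforced"},
    "versioning": {"enabled": True},
    "encryption": {"defaultKmsKeyName": "projects/example-project/locations/us/keyRings/kr/cryptoKeys/k"},
    "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 365}}]},
    "logging": {"logBucket": "example-audit-logs", "logObjectPrefix": "private-data"},
    "softDeletePolicy": {"retentionDurationSeconds": "604800"},
    "retentionPolicy": {"retentionPeriod": "2592000"},
}
HARDENED_POLICY = {
    "version": 3,
    "bindings": [{"role": "roles/storage.objectViewer", "members": ["group:data-readers@example.com"]}],
}

if __name__ == "__main__":
    print("exposed:", check_bucket(EXPOSED_BUCKET, EXPOSED_POLICY, EXPOSED_ACL))
    print("hardened:", check_bucket(HARDENED_BUCKET, HARDENED_POLICY, []))  # prints []
```

With uniform bucket-level access enabled the ACL is not consulted, which is why the hardened sample passes an empty ACL list.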


---

---
title: GitHub
description: Reference information for GitHub in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# GitHub

The GitHub integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated GitHub Organization that could leave you and your organization vulnerable.

## Integration prerequisites

* A GitHub account with a Free, Pro, or Enterprise plan
* Membership to a GitHub Organization with Owner or GitHub App manager permissions

## Integration permissions

For the GitHub integration to function, Cloudflare CASB requires the following GitHub API permissions:

| Permission                  | Access    | Description                                                                                             |
| --------------------------- | --------- | ------------------------------------------------------------------------------------------------------- |
| Administration              | Read-only | View basic administrative information from the account.                                                 |
| Members                     | Read-only | View metadata on organization members.                                                                  |
| Metadata                    | Read-only | View metadata surrounding an organization's assets, excluding sensitive private repository information. |
| Organization administration | Read-only | View information on organization settings.                                                              |

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [GitHub App permissions reference ↗](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps).

## Security findings

The GitHub integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/github.mdx.atom).

### Branches and merges

| Finding type                                                                           | FindingTypeID                        | Severity | Description                                                                                                              |
| -------------------------------------------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------ |
| GitHub: Repository has no Default Branch Protection                                    | 5a0428fa-5c13-44b8-a028-9351c1d10a91 | Medium   | A repository's default branch does not have any branch protection rules enabled.                                         |
| GitHub: Repository Default Branch Protection does not have PR Review Required          | edd3f193-af01-421d-9a50-cb1d147bf3a6 | Medium   | A repository's default branch does not have a **Require pull request reviews before merging** rule.                      |
| GitHub: Repository Default Branch Protection does not have Force Pushes Disabled       | efc3e582-ef39-4316-b1f3-d4717ef30867 | Medium   | A repository's default branch has enabled **Allow force pushes**.                                                        |
| GitHub: Repository Default Branch Protection does not have Stale PR Approvals Disabled | 7dc170d7-b1ef-4138-95fb-403d16e7ed43 | Medium   | A repository's default branch does not have a **Dismiss stale pull request approvals when new commits are pushed** rule. |
| GitHub: Repository Default Branch Protection does not have Admin Restrictions          | 4e4aec5b-e763-41ac-9099-af874606959b | Medium   | A repository's default branch does not have a **Do not allow bypassing the above settings** rule for administrators.     |
| GitHub: Repository Default Branch Protection does not have Status Checks               | 1eba1aeb-9827-4a03-9c47-8290bd3a83d5 | Medium   | A repository's default branch does not have a **Require status checks to pass before merging** rule.                     |
| GitHub: Organization repository has default WRITE permission                           | fc074da0-1e1c-4982-8673-0852d70bf80c | Medium   | A repository's default write protection settings were not changed.                                                       |
| GitHub: Repository not updated in 12+ months                                           | 68b6ef6d-7e00-4761-b3f1-fcf323dc9c26 | Medium   | No changes were made to a repository in at least a year.                                                                 |

Learn more about [GitHub branch protection rules ↗](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule).

### User accounts

| Finding type                                                 | FindingTypeID                        | Severity | Description                                                                                              |
| ------------------------------------------------------------ | ------------------------------------ | -------- | -------------------------------------------------------------------------------------------------------- |
| GitHub: Organization two-factor authentication disabled      | 47d01030-0ed8-496d-9484-f77899b21d59 | High     | An organization does not have its organization-wide two-factor authentication (2FA) requirement enabled. |
| GitHub: Organization user two-factor authentication disabled | dfed92b2-a45e-46ed-a86b-8c7e3db01f3c | High     | A member of the organization does not have two-factor authentication (2FA) enabled.                      |


---

---
title: Google Workspace
description: Reference information for Google Workspace in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Google Workspace

The Google Workspace integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

This integration covers the following Google Workspace products:

* [ Gemini for Google Workspace ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gemini/)
* [ Gmail ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gmail/)
* [ Google Admin ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-admin/)
* [ Google Calendar ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-calendar/)
* [ Google Drive ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive/)
* [ Gmail (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gmail-fedramp/)
* [ Google Admin (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-admin-fedramp/)
* [ Google Calendar (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-calendar-fedramp/)
* [ Google Drive (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive-fedramp/)

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

For the Google Workspace integration to function, Cloudflare CASB requires the following Google API permissions:

* `https://www.googleapis.com/auth/admin.directory.domain.readonly`
* `https://www.googleapis.com/auth/admin.directory.user.readonly`
* `https://www.googleapis.com/auth/admin.directory.user.security`
* `https://www.googleapis.com/auth/calendar`
* `https://www.googleapis.com/auth/cloud-platform.read-only`
* `https://www.googleapis.com/auth/drive.readonly`
* `https://www.googleapis.com/auth/gmail.settings.basic`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Google Workspace Admin SDK Directory API ↗](https://developers.google.com/admin-sdk/directory/v1/guides/authorizing).

## Security findings

The Google Workspace integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace.mdx.atom).

### User account settings

| Finding type                                                                             | FindingTypeID                        | Severity | Description                                                                                                  |
| ---------------------------------------------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------ |
| Google Workspace: Admin user with two-factor authentication disabled                     | 5f7c1f62-0ac6-4422-b3d3-d0566dd4e3f2 | Critical | An administrator in Google Workspace does not have two-factor authentication enabled.                        |
| Google Workspace: User with two-factor authentication disabled                           | 739e1965-2ab4-4946-8a56-73fd75154efa | High     | A user in Google Workspace does not have two-factor authentication enabled.                                  |
| Google Workspace: Admin user with Gemini license with two-factor authentication disabled | 27a0a9a0-13c6-4d8f-a67c-b455dd213cb9 | High     | An administrator with a Gemini for Google Workspace license does not have two-factor authentication enabled. |
| Google Workspace: User with Gemini license with two-factor authentication disabled       | c82024dc-b836-4b86-8c90-ab07971474e4 | Medium   | A user with a Gemini for Google Workspace license does not have two-factor authentication enabled.           |
| Google Workspace: User without recovery email                                            | 2e2383bb-51e8-47fc-8ba7-2dd255c2545f | Low      | A user in Google Workspace does not have a recovery email set.                                               |
| Google Workspace: User without recovery phone number                                     | ec326c68-f331-4597-9ec4-43dc197c86f4 | Low      | A user in Google Workspace does not have a recovery phone number set.                                        |

### Inactive or suspended users

| Finding type                                                 | FindingTypeID                        | Severity | Description                                                                                                |
| ------------------------------------------------------------ | ------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------- |
| Google Workspace: Inactive admin user                        | 391ee66d-10e0-4b26-91b3-741a2a4c39d0 | Medium   | An administrator account in Google Workspace has not logged in for 30 days.                                |
| Google Workspace: Suspended admin user                       | 31e02a11-aa3b-4278-97d3-9c0f7e8fd2c7 | Medium   | An administrator account in Google Workspace is suspended.                                                 |
| Google Workspace: Inactive user                              | 7c098546-2e67-4f01-9fb7-bd48412bd178 | Low      | A user account in Google Workspace has not logged in for 30 days.                                          |
| Google Workspace: Suspended user                             | 84f514e3-f12d-49e5-bdfe-9073e336d89e | Low      | A user account in Google Workspace is suspended.                                                           |
| Google Workspace: Admin user suspended with AI Ultra license | ee7d4ed6-479f-404f-8dbd-f82dce2a0f66 | Low      | An administrator account in Google Workspace with an AI Ultra (Gemini for Workspace) license is suspended. |
| Google Workspace: User suspended with AI Ultra license       | cf20e808-29ad-4026-a8f9-6ec3e069376c | Low      | A user account in Google Workspace with an AI Ultra (Gemini for Workspace) license is suspended.           |
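
The two tables above (the same findings appear again on the Gemini for Google Workspace and Google Admin pages later in this document) are rule-based: each row is a predicate over one user record. The following added example, which is not Cloudflare's scanner, applies those predicates to records modelled on the Admin SDK Directory API `users` resource (`isAdmin`, `isEnrolledIn2Sv`, `suspended`, `lastLoginTime`, `recoveryEmail`, `recoveryPhone`). The `gemini_license` field is a constructed attribute, because license assignment is not part of that resource, and the sample users and the `NOW` timestamp are constructed.

```python
"""Classify Google Workspace user records into the CASB findings listed above.

Added example, not Cloudflare's scanner. Records are modelled on the Admin
SDK Directory API `users` resource; `gemini_license` is a constructed
attribute. The inactivity rule follows the page: no login for 30 days.
"""
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
INACTIVE_AFTER = timedelta(days=30)

# Constructed sample input.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"primaryEmail": "admin@example.com", "isAdmin": True, "isEnrolledIn2Sv": False,
     "suspended": False, "lastLoginTime": "2025-05-30T08:00:00.000Z",
     "recoveryEmail": "a@personal.example", "recoveryPhone": "+10000000000",
     "gemini_license": True},
    {"primaryEmail": "alice@example.com", "isAdmin": False, "isEnrolledIn2Sv": True,
     "suspended": False, "lastLoginTime": "2025-03-01T08:00:00.000Z",
     "recoveryEmail": "", "recoveryPhone": "+10000000001", "gemini_license": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isEnrolledIn2Sv": True,
     "suspended": True, "lastLoginTime": "2024-01-01T08:00:00.000Z",
     "recoveryEmail": "b@personal.example", "recoveryPhone": "", "gemini_license": True},
]


def _parse_time(rfc3339: str) -> datetime:
    # Directory API timestamps look like 2024-05-01T12:00:00.000Z
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00"))


def evaluate_user(user: dict, now: datetime) -> list:
    """Return (finding, severity) pairs for one user, highest severity first."""
    admin = bool(user.get("isAdmin"))
    who = "Admin user" if admin else "User"
    gemini = bool(user.get("gemini_license"))
    findings = []

    # User account settings
    if not user.get("isEnrolledIn2Sv"):
        findings.append((f"{who} with two-factor authentication disabled",
                         "Critical" if admin else "High"))
        if gemini:
            findings.append((f"{who} with Gemini license with two-factor authentication disabled",
                             "High" if admin else "Medium"))
    if not user.get("recoveryEmail"):
        findings.append(("User without recovery email", "Low"))
    if not user.get("recoveryPhone"):
        findings.append(("User without recovery phone number", "Low"))

    # Inactive or suspended users (a suspended account is not also reported as inactive)
    if user.get("suspended"):
        findings.append((f"Suspended {who.lower()}", "Medium" if admin else "Low"))
        if gemini:
            findings.append((f"{who} suspended with AI Ultra license", "Low"))
    else:
        last = user.get("lastLoginTime")
        if last is None or now - _parse_time(last) >= INACTIVE_AFTER:
            findings.append((f"Inactive {who.lower()}", "Medium" if admin else "Low"))

    # Gemini licensing
    if gemini:
        findings.append((f"{who} with AI Ultra license", "Low"))

    return sorted(findings, key=lambda f: SEVERITY_RANK[f[1]])


def scan(users, now: datetime) -> list:
    """(severity, user, finding) rows for a directory, ordered by severity then user."""
    rows = [(sev, u["primaryEmail"], finding)
            for u in users for finding, sev in evaluate_user(u, now)]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[0]], r[1], r[2]))


if __name__ == "__main__":
    for sev, email, finding in scan(SAMPLE_USERS, NOW):
        print(f"{sev:<8} {email:<20} Google Workspace: {finding}")
```

Running it lists the admin's missing two-factor authentication first, as the page's severity ordering requires, and keeps the recovery-contact and licensing rows at the bottom.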

### Gemini licensing

| Finding type                                       | FindingTypeID                        | Severity | Description                                                                                  |
| -------------------------------------------------- | ------------------------------------ | -------- | -------------------------------------------------------------------------------------------- |
| Google Workspace: Admin user with AI Ultra license | 62fa682a-c2b5-4d5a-a086-8e60bed804d3 | Low      | An administrator in Google Workspace is assigned an AI Ultra (Gemini for Workspace) license. |
| Google Workspace: User with AI Ultra license       | 5b847ed3-6c02-4963-a1ab-82a4aa2b6c64 | Low      | A user in Google Workspace is assigned an AI Ultra (Gemini for Workspace) license.           |

### File sharing

| Finding type                                                   | FindingTypeID                        | Severity | Description                                                                                               |
| -------------------------------------------------------------- | ------------------------------------ | -------- | --------------------------------------------------------------------------------------------------------- |
| Google Workspace: File publicly accessible with edit access    | 29b01269-025f-4249-b5c1-0b9ec39823e0 | Critical | A Google Drive file is publicly accessible on the Internet, and anyone can read or write it.              |
| Google Workspace: File publicly accessible with view access    | d5132bc7-4c41-4824-b879-3918bf7f6ee7 | High     | A Google Drive file is publicly accessible on the Internet, and anyone can read it.                       |
| Google Workspace: File shared outside company with edit access | 71ec135e-3d4c-4d35-a2b7-4fd1e5b65b99 | High     | A Google Drive file is shared with another organization or outside party with read and write permissions. |
| Google Workspace: File shared outside company with view access | d4b231ad-9a8c-40d3-8654-5bd5bb86bf1a | Medium   | A Google Drive file is shared with another organization or outside party with read permissions.           |
| Google Workspace: File shared company-wide with edit access    | 0ed79f27-32fd-415a-a919-ea4af3bd25fd | Medium   | A Google Drive file is shared with the entire company with read and write permissions.                    |
| Google Workspace: File shared company-wide with view access    | a34753f3-aec7-4134-a30b-2ebb1d7e47de | Medium   | A Google Drive file is shared with the entire company with read permissions.                              |

### Calendar sharing

| Finding type                                      | FindingTypeID                        | Severity | Description                                                                           |
| ------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------- |
| Google Workspace: Calendar is publicly accessible | ec68bf68-b0c0-47b3-ad48-fcb3d7eaf8b6 | Medium   | A user's Google Calendar is publicly accessible on the Internet, and anyone can read it. |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

| Finding type                                                                          | FindingTypeID                        | Severity | Description                                                                                     |
| ------------------------------------------------------------------------------------- | ------------------------------------ | -------- | ----------------------------------------------------------------------------------------------- |
| Google Workspace: File publicly accessible with edit access with DLP Profile match    | 868a21e9-62b2-4e4a-8150-92cf9eb0c2e3 | Critical | A Google Drive file contains sensitive data that anyone on the Internet can read or write.      |
| Google Workspace: File publicly accessible with view access with DLP Profile match    | bfe54b22-5ee5-4ccc-b62b-ea822b34c164 | High     | A Google Drive file contains sensitive data that anyone on the Internet can read.               |
| Google Workspace: File shared outside company with edit access with DLP Profile match | 124cfac5-12c6-4b55-8691-9c11776b365a | High     | A Google Drive file contains sensitive data that anyone the file is shared with can read.       |
| Google Workspace: File shared company-wide with edit access with DLP Profile match    | 5b2ad0d2-f35f-47a3-96cb-6e8fbb1fcb36 | Medium   | A Google Drive file contains sensitive data that anyone in your organization can read or write. |
| Google Workspace: File shared company-wide with view access with DLP Profile match    | b9fa5fef-c1d0-44da-8364-2c0887be0820 | Medium   | A Google Drive file contains sensitive data that anyone in your organization can read.          |
| Google Workspace: File shared outside company with view access with DLP Profile match | aebdda6d-ab48-4408-9941-881683972d83 | Medium   | A Google Drive file contains sensitive data that anyone the file is shared with can read.       |
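
Both the File sharing table and the DLP table above classify a Drive file by who it is shared with (anyone on the Internet, another organization, or the whole company) and by whether the share grants edit or view; the DLP rows are the same classes, conditioned on a DLP profile match. The added example below (not Cloudflare's code) implements that classification over permission entries modelled on the Drive API `permissions` resource (`type`, `role`, `emailAddress`, `domain`). The sample files, the `dlp_match` flag and the company domain are constructed.

```python
"""Classify Google Drive sharing permissions into the CASB file-sharing findings
listed above, with or without a DLP profile match.

Added example, not Cloudflare's scanner. Permission entries are modelled on
the Drive API `permissions` resource; SAMPLE_FILES, COMPANY and the
`dlp_match` flag are constructed input.
"""

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
EDIT_ROLES = {"organizer", "fileOrganizer", "writer"}
VIEW_ROLES = {"reader", "commenter"}

# (scope, access) -> (finding title, severity), as in the table above.
FINDINGS = {
    ("public", "edit"):  ("File publicly accessible with edit access", "Critical"),
    ("public", "view"):  ("File publicly accessible with view access", "High"),
    ("outside", "edit"): ("File shared outside company with edit access", "High"),
    ("outside", "view"): ("File shared outside company with view access", "Medium"),
    ("company", "edit"): ("File shared company-wide with edit access", "Medium"),
    ("company", "view"): ("File shared company-wide with view access", "Medium"),
}

# Constructed sample input.
COMPANY = {"example.com"}
SAMPLE_FILES = [
    {"name": "roadmap.docx", "dlp_match": False, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "owner@example.com"},
        {"type": "anyone", "role": "reader"},
        {"type": "user", "role": "writer", "emailAddress": "partner@vendor.example"},
    ]},
    {"name": "payroll.xlsx", "dlp_match": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "domain", "role": "writer", "domain": "example.com"},
        {"type": "group", "role": "reader", "emailAddress": "finance@example.com"},
    ]},
]


def _email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def classify_permission(perm: dict, company_domains) -> tuple:
    """Map one permission entry to (scope, access), or None if it is not a finding."""
    role = perm.get("role", "")
    if role == "owner":
        return None  # ownership is not a share
    if role in EDIT_ROLES:
        access = "edit"
    elif role in VIEW_ROLES:
        access = "view"
    else:
        return None  # unknown role: do not guess
    ptype = perm.get("type")
    if ptype == "anyone":
        return ("public", access)
    if ptype == "domain":
        internal = perm.get("domain", "").lower() in company_domains
        return ("company" if internal else "outside", access)
    if ptype in ("user", "group"):
        if _email_domain(perm.get("emailAddress", "")) in company_domains:
            return None  # a named colleague or an internal group: not a finding
        return ("outside", access)
    return None


def scan_file(file: dict, company_domains) -> list:
    """All distinct findings for one file, highest severity first."""
    suffix = " with DLP Profile match" if file.get("dlp_match") else ""
    keys = {classify_permission(p, company_domains) for p in file.get("permissions", [])}
    keys.discard(None)
    found = [(FINDINGS[k][0] + suffix, FINDINGS[k][1]) for k in keys]
    return sorted(found, key=lambda f: (SEVERITY_RANK[f[1]], f[0]))


if __name__ == "__main__":
    for f in SAMPLE_FILES:
        for title, sev in scan_file(f, COMPANY):
            print(f"{sev:<8} {f['name']:<14} Google Workspace: {title}")
```

A file with several external shares is reported once per (scope, access) class rather than once per collaborator, which is how the findings above are defined; a per-collaborator listing belongs in the finding's detail, not in its type.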

### Third-party apps

| Finding type                                                          | FindingTypeID                        | Severity | Description                                                                          |
| --------------------------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------ |
| Google Workspace: Installed 3rd-party app with Drive access           | 191f0751-7087-4588-9e99-93c5dd834b5b | High     | A third-party application has been granted permissions to a user's Google Drive.     |
| Google Workspace: Installed 3rd-party app with Gmail access           | 431aecad-20e5-4a20-80ba-4b66eaaa1be4 | High     | A third-party application has been granted permissions to a user's Gmail.            |
| Google Workspace: Installed 3rd-party app with Google Docs access     | fe41d53b-3bc3-45ef-95d2-75ba159ce60d | Medium   | A third-party application has been granted permissions to a user's Google Documents. |
| Google Workspace: Installed 3rd-party app with Google Calendar access | 80102f46-43d4-437e-b694-e8ee2c077ade | Medium   | A third-party application has been granted permissions to a user's Google Calendar.  |
| Google Workspace: Installed 3rd-party app with Google Slides access   | d88e106c-1f2e-4b63-acae-5cee19ded9ec | Medium   | A third-party application has been granted permissions to a user's Google Slides.    |
| Google Workspace: Installed 3rd-party app with Google Sheets access   | ece9a2fd-4248-4f11-bc45-8b4189eedb54 | Medium   | A third-party application has been granted permissions to a user's Google Sheets.    |
| Google Workspace: Installed 3rd-party app with Google Sign In access  | 26b938ea-8d24-4ea5-8e81-2eae26830061 | Low      | A user has used their Google Workspace account to sign up for a third-party service. |

### Gmail administrator settings

| Finding type                                               | FindingTypeID                        | Severity | Description                                                                                                                  |
| ---------------------------------------------------------- | ------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------- |
| Google Workspace: Domain SPF record allows any IP address  | f28dcc8d-1f0c-4b5a-b254-4169095c16e5 | High     | A Google Workspace Domain SPF record allows any email to be sent from any IP address on your behalf.                         |
| Google Workspace: Domain SPF record not present            | 2e13e5dd-88ed-4d65-8d0a-d3fdff9ee7bb | Medium   | An SPF record does not exist for a Google Workspace Domain.                                                                  |
| Google Workspace: Domain DMARC record not present          | ec39eabf-3536-4005-940b-22d815c628ec | Medium   | A DMARC record does not exist for a Google Workspace Domain.                                                                 |
| Google Workspace: Domain DMARC not enforced                | 8971666d-c049-436d-b4d1-6816a70650ef | Medium   | A DMARC record for a Google Workspace Domain is not enforced.                                                                |
| Google Workspace: Domain DMARC not enforced for subdomains | fe485f42-b158-4187-85fe-79acdd92055b | Medium   | A DMARC record for a Google Workspace Subdomain is not configured to quarantine or reject messages that fail authentication. |
| Google Workspace: Domain DMARC only partially enforced     | b682c603-9bc6-485e-be8c-a6e58a989407 | Medium   | A DMARC record for a Google Workspace Domain is not configured to quarantine or reject messages that fail authentication.    |

### Email forwarding

| Finding type                                  | FindingTypeID                        | Severity | Description                                                                                                                      |
| --------------------------------------------- | ------------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------- |
| Google Workspace: User delegates email access | 66897c22-29a5-4f55-b39a-1bfcdd3c12c5 | High     | A user has delegated access to their inbox to another party. Delegates can read, send, and delete messages on the user's behalf. |


---

---
title: Gemini for Google Workspace
description: Reference information for Gemini for Google Workspace in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Gemini for Google Workspace

The Gemini for Google Workspace integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Gemini for Google Workspace integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/gemini.mdx.atom).

### User account settings

| Finding type                                                                             | FindingTypeID                        | Severity | Description                                                                                                  |
| ---------------------------------------------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------ |
| Google Workspace: Admin user with Gemini license with two-factor authentication disabled | 27a0a9a0-13c6-4d8f-a67c-b455dd213cb9 | High     | An administrator with a Gemini for Google Workspace license does not have two-factor authentication enabled. |
| Google Workspace: User with Gemini license with two-factor authentication disabled       | c82024dc-b836-4b86-8c90-ab07971474e4 | Medium   | A user with a Gemini for Google Workspace license does not have two-factor authentication enabled.           |

### Inactive or suspended users

| Finding type                                                 | FindingTypeID                        | Severity | Description                                                                            |
| ------------------------------------------------------------ | ------------------------------------ | -------- | -------------------------------------------------------------------------------------- |
| Google Workspace: Admin user suspended with AI Ultra license | ee7d4ed6-479f-404f-8dbd-f82dce2a0f66 | Low      | An administrator account with an AI Ultra (Gemini for Workspace) license is suspended. |
| Google Workspace: User suspended with AI Ultra license       | cf20e808-29ad-4026-a8f9-6ec3e069376c | Low      | A user account with an AI Ultra (Gemini for Workspace) license is suspended.           |

### Gemini licensing

| Finding type                                       | FindingTypeID                        | Severity | Description                                                                                  |
| -------------------------------------------------- | ------------------------------------ | -------- | -------------------------------------------------------------------------------------------- |
| Google Workspace: Admin user with AI Ultra license | 62fa682a-c2b5-4d5a-a086-8e60bed804d3 | Low      | An administrator in Google Workspace is assigned an AI Ultra (Gemini for Workspace) license. |
| Google Workspace: User with AI Ultra license       | 5b847ed3-6c02-4963-a1ab-82a4aa2b6c64 | Low      | A user in Google Workspace is assigned an AI Ultra (Gemini for Workspace) license.           |


---

---
title: Gmail
description: Reference information for Gmail in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Gmail

The Gmail integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Gmail integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace/gmail.mdx.atom).

### Gmail administrator settings

| Finding type                                               | FindingTypeID                        | Severity | Description                                                                                                                  |
| ---------------------------------------------------------- | ------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------- |
| Google Workspace: Domain SPF record allows any IP address  | f28dcc8d-1f0c-4b5a-b254-4169095c16e5 | High     | A Google Workspace Domain SPF record allows any email to be sent from any IP address on your behalf.                         |
| Google Workspace: Domain SPF record not present            | 2e13e5dd-88ed-4d65-8d0a-d3fdff9ee7bb | Medium   | An SPF record does not exist for a Google Workspace Domain.                                                                  |
| Google Workspace: Domain DMARC record not present          | ec39eabf-3536-4005-940b-22d815c628ec | Medium   | A DMARC record does not exist for a Google Workspace Domain.                                                                 |
| Google Workspace: Domain DMARC not enforced                | 8971666d-c049-436d-b4d1-6816a70650ef | Medium   | A DMARC record for a Google Workspace Domain is not enforced.                                                                |
| Google Workspace: Domain DMARC not enforced for subdomains | fe485f42-b158-4187-85fe-79acdd92055b | Medium   | A DMARC record for a Google Workspace Subdomain is not configured to quarantine or reject messages that fail authentication. |
| Google Workspace: Domain DMARC only partially enforced     | b682c603-9bc6-485e-be8c-a6e58a989407 | Medium   | A DMARC record for a Google Workspace Domain is not configured to quarantine or reject messages that fail authentication.    |

### Email forwarding

| Finding type                                  | FindingTypeID                        | Severity | Description                                                                                                                      |
| --------------------------------------------- | ------------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------- |
| Google Workspace: User delegates email access | 66897c22-29a5-4f55-b39a-1bfcdd3c12c5 | High     | A user has delegated access to their inbox to another party. Delegates can read, send, and delete messages on the user's behalf. |


---

---
title: Gmail (FedRAMP)
description: Reference information for Gmail (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Gmail (FedRAMP)

Availability

The Gmail (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The Gmail (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Gmail (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace/gmail-fedramp.mdx.atom).

### Gmail administrator settings

| Finding type                                               | FindingTypeID                        | Severity | Description                                                                                                                  |
| ---------------------------------------------------------- | ------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------- |
| Google Workspace: Domain SPF record allows any IP address  | f28dcc8d-1f0c-4b5a-b254-4169095c16e5 | High     | A Google Workspace Domain SPF record allows any email to be sent from any IP address on your behalf.                         |
| Google Workspace: Domain SPF record not present            | 2e13e5dd-88ed-4d65-8d0a-d3fdff9ee7bb | Medium   | An SPF record does not exist for a Google Workspace Domain.                                                                  |
| Google Workspace: Domain DMARC record not present          | ec39eabf-3536-4005-940b-22d815c628ec | Medium   | A DMARC record does not exist for a Google Workspace Domain.                                                                 |
| Google Workspace: Domain DMARC not enforced                | 8971666d-c049-436d-b4d1-6816a70650ef | Medium   | A DMARC record for a Google Workspace Domain is not enforced.                                                                |
| Google Workspace: Domain DMARC not enforced for subdomains | fe485f42-b158-4187-85fe-79acdd92055b | Medium   | A DMARC record for a Google Workspace Subdomain is not configured to quarantine or reject messages that fail authentication. |
| Google Workspace: Domain DMARC only partially enforced     | b682c603-9bc6-485e-be8c-a6e58a989407 | Medium   | A DMARC record for a Google Workspace Domain is not configured to quarantine or reject messages that fail authentication.    |
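
The Gmail administrator settings table above, which also appears on the Google Workspace and Gmail pages earlier in this document, reduces to a few checks on two DNS TXT records: the SPF record at the domain apex and the DMARC record at `_dmarc.<domain>`. The added example below, not Cloudflare's scanner, performs those checks on constructed records rather than live DNS. Reading a `pct` value below 100 as "only partially enforced", and treating a missing `sp` tag as inheriting `p` (the RFC 7489 default), are this example's interpretations, not definitions taken from the page.

```python
"""Evaluate SPF and DMARC TXT records against the Gmail administrator settings
findings listed above.

Added example, not Cloudflare's scanner. SAMPLE_DNS holds constructed
records; for a real domain substitute the TXT records published at
<domain> and _dmarc.<domain>.
"""

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
ENFORCING = {"quarantine", "reject"}

# Constructed sample input: {dns name: [TXT strings]}.
SAMPLE_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com +all", "some-unrelated-txt-record"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com"],
    "_dmarc.other.example": ["v=DMARC1; p=none; rua=mailto:dmarc@other.example"],
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; sp=reject; pct=50' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def spf_findings(txt_records) -> list:
    """Checks on the TXT strings published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("Domain SPF record not present", "Medium")]
    findings = []
    for rec in spf:
        terms = rec.lower().split()[1:]
        # '+all' (or a bare 'all') passes every sender, so any IP may send as the domain.
        if any(t in ("+all", "all") for t in terms):
            findings.append(("Domain SPF record allows any IP address", "High"))
    return findings


def dmarc_findings(txt_records) -> list:
    """Checks on the TXT strings published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("Domain DMARC record not present", "Medium")]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p", "none")
    if policy not in ENFORCING:
        findings.append(("Domain DMARC not enforced", "Medium"))
        return findings  # nothing is enforced, so the finer-grained checks add nothing
    # sp defaults to p when absent (RFC 7489); report only a weaker subdomain policy.
    if tags.get("sp", policy) not in ENFORCING:
        findings.append(("Domain DMARC not enforced for subdomains", "Medium"))
    # Interpretation used here: pct below 100 means only part of the mail stream is policed.
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("Domain DMARC only partially enforced", "Medium"))
    return findings


def audit_domain(domain: str, dns: dict) -> list:
    """All SPF and DMARC findings for a domain, ordered by severity."""
    found = spf_findings(dns.get(domain, [])) + dmarc_findings(dns.get(f"_dmarc.{domain}", []))
    return sorted(found, key=lambda f: SEVERITY_RANK[f[1]])


if __name__ == "__main__":
    for domain in ("example.com", "other.example"):
        for title, sev in audit_domain(domain, SAMPLE_DNS):
            print(f"{sev:<8} {domain:<16} Google Workspace: {title}")
```

The example reports the `+all` SPF record as High and the DMARC weaknesses as Medium, mirroring the severities in the table, and it stops after "not enforced" when `p=none` so that the subdomain and `pct` rows are only raised against a policy that is otherwise enforcing.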

### Email forwarding

| Finding type                                  | FindingTypeID                        | Severity | Description                                                                                                                      |
| --------------------------------------------- | ------------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------- |
| Google Workspace: User delegates email access | 66897c22-29a5-4f55-b39a-1bfcdd3c12c5 | High     | A user has delegated access to their inbox to another party. Delegates can read, send, and delete messages on the user's behalf. |


---

---
title: Google Admin
description: Reference information for Google Admin in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Google Admin

The Google Admin integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Google Admin integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-admin.mdx.atom).

### User account settings

| Finding type                                                                             | FindingTypeID                        | Severity | Description                                                                                                  |
| ---------------------------------------------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------ |
| Google Workspace: Admin user with two-factor authentication disabled                     | 5f7c1f62-0ac6-4422-b3d3-d0566dd4e3f2 | Critical | An administrator in Google Workspace does not have two-factor authentication enabled.                        |
| Google Workspace: User with two-factor authentication disabled                           | 739e1965-2ab4-4946-8a56-73fd75154efa | High     | A user in Google Workspace does not have two-factor authentication enabled.                                  |
| Google Workspace: Admin user with Gemini license with two-factor authentication disabled | 27a0a9a0-13c6-4d8f-a67c-b455dd213cb9 | High     | An administrator with a Gemini for Google Workspace license does not have two-factor authentication enabled. |
| Google Workspace: User with Gemini license with two-factor authentication disabled       | c82024dc-b836-4b86-8c90-ab07971474e4 | Medium   | A user with a Gemini for Google Workspace license does not have two-factor authentication enabled.           |
| Google Workspace: User without recovery email                                            | 2e2383bb-51e8-47fc-8ba7-2dd255c2545f | Low      | A user in Google Workspace does not have a recovery email set.                                               |
| Google Workspace: User without recovery phone number                                     | ec326c68-f331-4597-9ec4-43dc197c86f4 | Low      | A user in Google Workspace does not have a recovery phone number set.                                        |

### Inactive or suspended users

| Finding type                                                 | FindingTypeID                        | Severity | Description                                                                                                |
| ------------------------------------------------------------ | ------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------- |
| Google Workspace: Inactive admin user                        | 391ee66d-10e0-4b26-91b3-741a2a4c39d0 | Medium   | An administrator account in Google Workspace has not logged in for 30 days.                                |
| Google Workspace: Suspended admin user                       | 31e02a11-aa3b-4278-97d3-9c0f7e8fd2c7 | Medium   | An administrator account in Google Workspace is suspended.                                                 |
| Google Workspace: Inactive user                              | 7c098546-2e67-4f01-9fb7-bd48412bd178 | Low      | A user account in Google Workspace has not logged in for 30 days.                                          |
| Google Workspace: Suspended user                             | 84f514e3-f12d-49e5-bdfe-9073e336d89e | Low      | A user account in Google Workspace is suspended.                                                           |
| Google Workspace: Admin user suspended with AI Ultra license | ee7d4ed6-479f-404f-8dbd-f82dce2a0f66 | Low      | An administrator account in Google Workspace with an AI Ultra (Gemini for Workspace) license is suspended. |
| Google Workspace: User suspended with AI Ultra license       | cf20e808-29ad-4026-a8f9-6ec3e069376c | Low      | A user account in Google Workspace with an AI Ultra (Gemini for Workspace) license is suspended.           |

### Third-party apps

| Finding type                                                          | FindingTypeID                        | Severity | Description                                                                          |
| --------------------------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------ |
| Google Workspace: Installed 3rd-party app with Drive access           | 191f0751-7087-4588-9e99-93c5dd834b5b | High     | A third-party application has been granted permissions to a user's Google Drive.     |
| Google Workspace: Installed 3rd-party app with Gmail access           | 431aecad-20e5-4a20-80ba-4b66eaaa1be4 | High     | A third-party application has been granted permissions to a user's Gmail.            |
| Google Workspace: Installed 3rd-party app with Google Docs access     | fe41d53b-3bc3-45ef-95d2-75ba159ce60d | Medium   | A third-party application has been granted permissions to a user's Google Documents. |
| Google Workspace: Installed 3rd-party app with Google Calendar access | 80102f46-43d4-437e-b694-e8ee2c077ade | Medium   | A third-party application has been granted permissions to a user's Google Calendar.  |
| Google Workspace: Installed 3rd-party app with Google Slides access   | d88e106c-1f2e-4b63-acae-5cee19ded9ec | Medium   | A third-party application has been granted permissions to a user's Google Slides.    |
| Google Workspace: Installed 3rd-party app with Google Sheets access   | ece9a2fd-4248-4f11-bc45-8b4189eedb54 | Medium   | A third-party application has been granted permissions to a user's Google Sheets.    |
| Google Workspace: Installed 3rd-party app with Google Sign In access  | 26b938ea-8d24-4ea5-8e81-2eae26830061 | Low      | A user has used their Google Workspace account to sign up for a third-party service. |

---

---
title: Google Admin (FedRAMP)
description: Reference information for Google Admin (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Google Admin (FedRAMP)

Availability

The Google Admin (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The Google Admin (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Google Admin (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-admin-fedramp.mdx.atom).

### User account settings

| Finding type                                                                             | FindingTypeID                        | Severity | Description                                                                                                  |
| ---------------------------------------------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------ |
| Google Workspace: Admin user with two-factor authentication disabled                     | 5f7c1f62-0ac6-4422-b3d3-d0566dd4e3f2 | Critical | An administrator in Google Workspace does not have two-factor authentication enabled.                        |
| Google Workspace: User with two-factor authentication disabled                           | 739e1965-2ab4-4946-8a56-73fd75154efa | High     | A user in Google Workspace does not have two-factor authentication enabled.                                  |
| Google Workspace: Admin user with Gemini license with two-factor authentication disabled | 27a0a9a0-13c6-4d8f-a67c-b455dd213cb9 | High     | An administrator with a Gemini for Google Workspace license does not have two-factor authentication enabled. |
| Google Workspace: User with Gemini license with two-factor authentication disabled       | c82024dc-b836-4b86-8c90-ab07971474e4 | Medium   | A user with a Gemini for Google Workspace license does not have two-factor authentication enabled.           |
| Google Workspace: User without recovery email                                            | 2e2383bb-51e8-47fc-8ba7-2dd255c2545f | Low      | A user in Google Workspace does not have a recovery email set.                                               |
| Google Workspace: User without recovery phone number                                     | ec326c68-f331-4597-9ec4-43dc197c86f4 | Low      | A user in Google Workspace does not have a recovery phone number set.                                        |

### Inactive or suspended users

| Finding type                                                 | FindingTypeID                        | Severity | Description                                                                                                |
| ------------------------------------------------------------ | ------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------- |
| Google Workspace: Inactive admin user                        | 391ee66d-10e0-4b26-91b3-741a2a4c39d0 | Medium   | An administrator account in Google Workspace has not logged in for 30 days.                                |
| Google Workspace: Suspended admin user                       | 31e02a11-aa3b-4278-97d3-9c0f7e8fd2c7 | Medium   | An administrator account in Google Workspace is suspended.                                                 |
| Google Workspace: Inactive user                              | 7c098546-2e67-4f01-9fb7-bd48412bd178 | Low      | A user account in Google Workspace has not logged in for 30 days.                                          |
| Google Workspace: Suspended user                             | 84f514e3-f12d-49e5-bdfe-9073e336d89e | Low      | A user account in Google Workspace is suspended.                                                           |
| Google Workspace: Admin user suspended with AI Ultra license | ee7d4ed6-479f-404f-8dbd-f82dce2a0f66 | Low      | An administrator account in Google Workspace with an AI Ultra (Gemini for Workspace) license is suspended. |
| Google Workspace: User suspended with AI Ultra license       | cf20e808-29ad-4026-a8f9-6ec3e069376c | Low      | A user account in Google Workspace with an AI Ultra (Gemini for Workspace) license is suspended.           |

### Third-party apps

| Finding type                                                          | FindingTypeID                        | Severity | Description                                                                          |
| --------------------------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------ |
| Google Workspace: Installed 3rd-party app with Drive access           | 191f0751-7087-4588-9e99-93c5dd834b5b | High     | A third-party application has been granted permissions to a user's Google Drive.     |
| Google Workspace: Installed 3rd-party app with Gmail access           | 431aecad-20e5-4a20-80ba-4b66eaaa1be4 | High     | A third-party application has been granted permissions to a user's Gmail.            |
| Google Workspace: Installed 3rd-party app with Google Docs access     | fe41d53b-3bc3-45ef-95d2-75ba159ce60d | Medium   | A third-party application has been granted permissions to a user's Google Documents. |
| Google Workspace: Installed 3rd-party app with Google Calendar access | 80102f46-43d4-437e-b694-e8ee2c077ade | Medium   | A third-party application has been granted permissions to a user's Google Calendar.  |
| Google Workspace: Installed 3rd-party app with Google Slides access   | d88e106c-1f2e-4b63-acae-5cee19ded9ec | Medium   | A third-party application has been granted permissions to a user's Google Slides.    |
| Google Workspace: Installed 3rd-party app with Google Sheets access   | ece9a2fd-4248-4f11-bc45-8b4189eedb54 | Medium   | A third-party application has been granted permissions to a user's Google Sheets.    |
| Google Workspace: Installed 3rd-party app with Google Sign In access  | 26b938ea-8d24-4ea5-8e81-2eae26830061 | Low      | A user has used their Google Workspace account to sign up for a third-party service. |

---

---
title: Google Calendar
description: Reference information for Google Calendar in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Google Calendar

The Google Calendar integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Google Calendar integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-calendar.mdx.atom).

### Calendar sharing

| Finding type                                      | FindingTypeID                        | Severity | Description                                                                           |
| ------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------- |
| Google Workspace: Calendar is publicly accessible | ec68bf68-b0c0-47b3-ad48-fcb3d7eaf8b6 | Medium   | A user's Google Calendar is publicly accessible on the Internet, where anyone can read it. |

---

---
title: Google Calendar (FedRAMP)
description: Reference information for Google Calendar (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Google Calendar (FedRAMP)

Availability

The Google Calendar (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The Google Calendar (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Google Calendar (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-calendar-fedramp.mdx.atom).

### Calendar sharing

| Finding type                                      | FindingTypeID                        | Severity | Description                                                                           |
| ------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------- |
| Google Workspace: Calendar is publicly accessible | ec68bf68-b0c0-47b3-ad48-fcb3d7eaf8b6 | Medium   | A user's Google Calendar is publicly accessible on the Internet, where anyone can read it. |

---

---
title: Google Drive
description: Reference information for Google Drive in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Google Drive

The Google Drive integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Google Drive integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive.mdx.atom).

### File sharing

| Finding type                                                   | FindingTypeID                        | Severity | Description                                                                                               |
| -------------------------------------------------------------- | ------------------------------------ | -------- | --------------------------------------------------------------------------------------------------------- |
| Google Workspace: File publicly accessible with edit access    | 29b01269-025f-4249-b5c1-0b9ec39823e0 | Critical | A Google Drive file is publicly accessible on the Internet, where anyone can read or write it.            |
| Google Workspace: File publicly accessible with view access    | d5132bc7-4c41-4824-b879-3918bf7f6ee7 | High     | A Google Drive file is publicly accessible on the Internet, where anyone can read it.                     |
| Google Workspace: File shared outside company with edit access | 71ec135e-3d4c-4d35-a2b7-4fd1e5b65b99 | High     | A Google Drive file is shared with another organization or outside party with read and write permissions. |
| Google Workspace: File shared outside company with view access | d4b231ad-9a8c-40d3-8654-5bd5bb86bf1a | Medium   | A Google Drive file is shared with another organization or outside party with read permissions.           |
| Google Workspace: File shared company-wide with edit access    | 0ed79f27-32fd-415a-a919-ea4af3bd25fd | Medium   | A Google Drive file is shared with the entire company with read and write permissions.                    |
| Google Workspace: File shared company-wide with view access    | a34753f3-aec7-4134-a30b-2ebb1d7e47de | Medium   | A Google Drive file is shared with the entire company with read permissions.                              |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

| Finding type                                                                          | FindingTypeID                        | Severity | Description                                                                                     |
| ------------------------------------------------------------------------------------- | ------------------------------------ | -------- | ----------------------------------------------------------------------------------------------- |
| Google Workspace: File publicly accessible with edit access with DLP Profile match    | 868a21e9-62b2-4e4a-8150-92cf9eb0c2e3 | Critical | A Google Drive file contains sensitive data that anyone on the Internet can read or write.      |
| Google Workspace: File publicly accessible with view access with DLP Profile match    | bfe54b22-5ee5-4ccc-b62b-ea822b34c164 | High     | A Google Drive file contains sensitive data that anyone on the Internet can read.               |
| Google Workspace: File shared outside company with edit access with DLP Profile match | 124cfac5-12c6-4b55-8691-9c11776b365a | High     | A Google Drive file contains sensitive data that anyone the file is shared with can read.       |
| Google Workspace: File shared company-wide with edit access with DLP Profile match    | 5b2ad0d2-f35f-47a3-96cb-6e8fbb1fcb36 | Medium   | A Google Drive file contains sensitive data that anyone in your organization can read or write. |
| Google Workspace: File shared company-wide with view access with DLP Profile match    | b9fa5fef-c1d0-44da-8364-2c0887be0820 | Medium   | A Google Drive file contains sensitive data that anyone in your organization can read.          |
| Google Workspace: File shared outside company with view access with DLP Profile match | aebdda6d-ab48-4408-9941-881683972d83 | Medium   | A Google Drive file contains sensitive data that anyone the file is shared with can read.       |

---

---
title: Google Drive (FedRAMP)
description: Reference information for Google Drive (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Google Drive (FedRAMP)

Availability

The Google Drive (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The Google Drive (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
* A Google Workspace user with [Super Admin privileges ↗](https://support.google.com/a/answer/2405986) and [Owner permissions ↗](https://cloud.google.com/iam/docs/understanding-roles) in the Google Cloud Platform (GCP) project used

## Integration permissions

Refer to [Google Workspace integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Google Drive (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/google-workspace/google-drive-fedramp.mdx.atom).

### File sharing

| Finding type                                                   | FindingTypeID                        | Severity | Description                                                                                               |
| -------------------------------------------------------------- | ------------------------------------ | -------- | --------------------------------------------------------------------------------------------------------- |
| Google Workspace: File publicly accessible with edit access    | 29b01269-025f-4249-b5c1-0b9ec39823e0 | Critical | A Google Drive file is publicly accessible on the Internet, where anyone can read or write it.            |
| Google Workspace: File publicly accessible with view access    | d5132bc7-4c41-4824-b879-3918bf7f6ee7 | High     | A Google Drive file is publicly accessible on the Internet, where anyone can read it.                     |
| Google Workspace: File shared outside company with edit access | 71ec135e-3d4c-4d35-a2b7-4fd1e5b65b99 | High     | A Google Drive file is shared with another organization or outside party with read and write permissions. |
| Google Workspace: File shared outside company with view access | d4b231ad-9a8c-40d3-8654-5bd5bb86bf1a | Medium   | A Google Drive file is shared with another organization or outside party with read permissions.           |
| Google Workspace: File shared company-wide with edit access    | 0ed79f27-32fd-415a-a919-ea4af3bd25fd | Medium   | A Google Drive file is shared with the entire company with read and write permissions.                    |
| Google Workspace: File shared company-wide with view access    | a34753f3-aec7-4134-a30b-2ebb1d7e47de | Medium   | A Google Drive file is shared with the entire company with read permissions.                              |
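As an added example (not Cloudflare's or Google's code), the Python below shows how Drive API v3 `permissions` entries (`type`, `role`, `emailAddress`, `domain`) map onto the six file-sharing findings in the table above. The files and permissions are constructed sample data, `example.com` is assumed to be the company domain, and the `FINDINGS` table mirrors the finding names and severities listed here.

```python
"""Classify Google Drive permission entries into CASB-style file-sharing findings.

Added example, not Cloudflare's or Google's code. Input is the `permissions` list
of a Drive API v3 file; output is the list of findings from the table above.
"""
from __future__ import annotations

# Assumption: the organization's Google Workspace primary domain.
COMPANY_DOMAINS = {"example.com"}

SEVERITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Drive roles that let the grantee modify content; every other role is view-only.
EDIT_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}

# (audience, access) -> (finding name, severity), copied from the table above.
FINDINGS = {
    ("public", "edit"): ("Google Workspace: File publicly accessible with edit access", "Critical"),
    ("public", "view"): ("Google Workspace: File publicly accessible with view access", "High"),
    ("external", "edit"): ("Google Workspace: File shared outside company with edit access", "High"),
    ("external", "view"): ("Google Workspace: File shared outside company with view access", "Medium"),
    ("company", "edit"): ("Google Workspace: File shared company-wide with edit access", "Medium"),
    ("company", "view"): ("Google Workspace: File shared company-wide with view access", "Medium"),
}


def _audience(perm: dict, company_domains: set[str]) -> str | None:
    """Return 'public', 'company', 'external', or None when the entry is not a risky share."""
    ptype = perm.get("type")
    if ptype == "anyone":                      # link sharing open to the Internet
        return "public"
    if ptype == "domain":                      # link sharing limited to a Workspace domain
        return "company" if perm.get("domain", "").lower() in company_domains else "external"
    if ptype in ("user", "group"):
        if perm.get("role") == "owner":        # ownership is not a share
            return None
        domain = perm.get("emailAddress", "").rpartition("@")[2].lower()
        return None if domain in company_domains else "external"
    return None


def classify_file(file: dict, company_domains: set[str] = COMPANY_DOMAINS) -> list[tuple[str, str]]:
    """Return (finding, severity) pairs for one file, most severe first, without duplicates."""
    found: dict[str, str] = {}
    for perm in file.get("permissions", []):
        audience = _audience(perm, company_domains)
        if audience is None:
            continue
        access = "edit" if perm.get("role") in EDIT_ROLES else "view"
        name, severity = FINDINGS[(audience, access)]
        found[name] = severity
    return sorted(found.items(), key=lambda item: -SEVERITY[item[1]])


# Constructed sample files in the shape returned by files.list(fields="files(name,permissions)").
SAMPLE_FILES = [
    {"name": "board-deck.pptx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "anyone", "role": "writer"}]},
    {"name": "vendor-contract.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "legal@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "counsel@partner.example"}]},
    {"name": "handbook.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"name": "sprint-plan.gsheet", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pm@example.com"},
        {"type": "domain", "role": "writer", "domain": "example.com"},
        {"type": "group", "role": "writer", "emailAddress": "eng@contractor.example"}]},
    {"name": "notes.txt", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dev@example.com"},
        {"type": "user", "role": "commenter", "emailAddress": "qa@example.com"}]},
]


def scan_files(files: list[dict] = SAMPLE_FILES) -> dict[str, list[tuple[str, str]]]:
    """Findings for every file, keyed by file name (empty list when nothing is flagged)."""
    return {f["name"]: classify_file(f) for f in files}


if __name__ == "__main__":
    for name, findings in scan_files().items():
        for finding, severity in findings:
            print(f"{severity:<8} {name}: {finding}")
```

Running the script prints one line per finding; `notes.txt`, which is only shared with an internal colleague, produces none. Real deployments would page through `files.list` with the `permissions` field and feed each file to `classify_file`.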

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

| Finding type                                                                          | FindingTypeID                        | Severity | Description                                                                                     |
| ------------------------------------------------------------------------------------- | ------------------------------------ | -------- | ----------------------------------------------------------------------------------------------- |
| Google Workspace: File publicly accessible with edit access with DLP Profile match    | 868a21e9-62b2-4e4a-8150-92cf9eb0c2e3 | Critical | A Google Drive file contains sensitive data that anyone on the Internet can read or write.      |
| Google Workspace: File publicly accessible with view access with DLP Profile match    | bfe54b22-5ee5-4ccc-b62b-ea822b34c164 | High     | A Google Drive file contains sensitive data that anyone on the Internet can read.               |
| Google Workspace: File shared outside company with edit access with DLP Profile match | 124cfac5-12c6-4b55-8691-9c11776b365a | High     | A Google Drive file contains sensitive data that anyone the file is shared to can read.         |
| Google Workspace: File shared company-wide with edit access with DLP Profile match    | 5b2ad0d2-f35f-47a3-96cb-6e8fbb1fcb36 | Medium   | A Google Drive file contains sensitive data that anyone in your organization can read or write. |
| Google Workspace: File shared company-wide with view access with DLP Profile match    | b9fa5fef-c1d0-44da-8364-2c0887be0820 | Medium   | A Google Drive file contains sensitive data that anyone in your organization can read.          |
| Google Workspace: File shared outside company with view access with DLP Profile match | aebdda6d-ab48-4408-9941-881683972d83 | Medium   | A Google Drive file contains sensitive data that anyone the file is shared to can read.         |


---

---
title: Microsoft 365
description: Reference information for Microsoft 365 in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Microsoft 365

The Microsoft 365 (M365) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

This integration covers the following Microsoft 365 products:

* [ Admin Center ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/admin-center/)
* [ OneDrive ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive/)
* [ Outlook ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/outlook/)
* [ SharePoint ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint/)
* [ Microsoft 365 Copilot ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot/)
* [ Admin Center (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/admin-center-fedramp/)
* [ OneDrive (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive-fedramp/)
* [ Outlook (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/outlook-fedramp/)
* [ SharePoint (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint-fedramp/)
* [ Microsoft 365 Copilot (FedRAMP) ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/m365-copilot-fedramp/)

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

For the Microsoft 365 integration to function, Cloudflare CASB requires the following delegated Microsoft Graph API permissions:

* `Application.Read.All`
* `Calendars.Read`
* `Domain.Read.All`
* `Group.Read.All`
* `InformationProtectionPolicy.Read.All`
* `MailboxSettings.Read`
* `offline_access`
* `RoleManagement.Read.All`
* `User.Read.All`
* `UserAuthenticationMethod.Read.All`
* `Files.Read.All`
* `AuditLog.Read.All`
* `AiEnterpriseInteraction.Read.All`

These are read-only scopes, apart from `offline_access`, which only lets the integration obtain refresh tokens; together they follow the principle of least privilege so that only the minimum required access is granted.

Additionally, to [remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings), CASB requires the following permissions:

* `Application.ReadWrite.All`
* `AuditLog.Read.All`
* `AiEnterpriseInteraction.Read.All`
* `Calendars.ReadWrite`
* `Domain.ReadWrite.All`
* `Files.ReadWrite.All`
* `Group.ReadWrite.All`
* `InformationProtectionPolicy.Read.All`
* `MailboxSettings.ReadWrite`
* `IdentityRiskyUser.ReadWrite.All`
* `RoleManagement.ReadWrite.Directory`
* `User.ReadWrite.All`
* `UserAuthenticationMethod.ReadWrite.All`
* `Directory.ReadWrite.All`
* `GroupMember.ReadWrite.All`
* `Organization.ReadWrite.All`
* `Mail.ReadWrite`

To learn more about each permission, refer to the [Microsoft Graph permissions documentation ↗](https://docs.microsoft.com/en-us/graph/permissions-reference).
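As an added check that is not Cloudflare's code, the Python below compares the delegated scopes actually consented to an application (the `scope` field of a Microsoft Graph `oauth2PermissionGrant`, here a constructed sample) against the two lists above. It reports documented scopes that are missing, scopes outside both lists, and write scopes present when remediation is not in use. The rule that a `ReadWrite` scope covers the matching `Read` scope is my assumption, not something the page states.

```python
"""Audit a consented Graph permission grant against the documented CASB scope sets.

Added example, not Cloudflare's code. The grant object is a constructed sample in
the shape of a Microsoft Graph oauth2PermissionGrant; only its `scope` string is used.
"""
from __future__ import annotations

# Delegated scopes documented for read-only operation of the integration.
READ_ONLY_SCOPES = frozenset({
    "Application.Read.All", "Calendars.Read", "Domain.Read.All", "Group.Read.All",
    "InformationProtectionPolicy.Read.All", "MailboxSettings.Read", "offline_access",
    "RoleManagement.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All",
    "Files.Read.All", "AuditLog.Read.All", "AiEnterpriseInteraction.Read.All",
})

# Additional scopes documented as required for remediation.
REMEDIATION_SCOPES = frozenset({
    "Application.ReadWrite.All", "AuditLog.Read.All", "AiEnterpriseInteraction.Read.All",
    "Calendars.ReadWrite", "Domain.ReadWrite.All", "Files.ReadWrite.All", "Group.ReadWrite.All",
    "InformationProtectionPolicy.Read.All", "MailboxSettings.ReadWrite",
    "IdentityRiskyUser.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All", "Directory.ReadWrite.All", "GroupMember.ReadWrite.All",
    "Organization.ReadWrite.All", "Mail.ReadWrite",
})


def _covers(granted: set[str], scope: str) -> bool:
    """True if `scope` is granted directly or (assumption) via its ReadWrite counterpart."""
    if scope in granted:
        return True
    if ".Read." in scope:
        return scope.replace(".Read.", ".ReadWrite.", 1) in granted
    if scope.endswith(".Read"):
        return scope[: -len(".Read")] + ".ReadWrite" in granted
    return False


def audit_grant(scope_string: str, remediation_enabled: bool = False) -> dict[str, list[str]]:
    """Compare a space-separated Graph scope string with the documented scope sets.

    missing      -> documented scopes the grant does not cover for the chosen mode
    unexpected   -> granted scopes that appear in neither documented list
    excess_write -> write scopes granted although remediation is not enabled
    """
    granted = set(scope_string.split())
    documented = READ_ONLY_SCOPES | REMEDIATION_SCOPES
    required = READ_ONLY_SCOPES | (REMEDIATION_SCOPES if remediation_enabled else frozenset())
    return {
        "missing": sorted(s for s in required if not _covers(granted, s)),
        "unexpected": sorted(granted - documented),
        "excess_write": [] if remediation_enabled else sorted(s for s in granted if "ReadWrite" in s),
    }


# Constructed sample grant: read-only scopes, but Files.Read.All was widened to
# Files.ReadWrite.All and Mail.Send was added, neither of which the page documents.
SAMPLE_GRANT = {
    "consentType": "AllPrincipals",
    "clientId": "00000000-0000-0000-0000-000000000000",   # placeholder service principal id
    "scope": (
        "Application.Read.All Calendars.Read Domain.Read.All Group.Read.All "
        "InformationProtectionPolicy.Read.All MailboxSettings.Read offline_access "
        "RoleManagement.Read.All User.Read.All UserAuthenticationMethod.Read.All "
        "Files.ReadWrite.All AuditLog.Read.All AiEnterpriseInteraction.Read.All Mail.Send"
    ),
}


def audit_sample() -> dict[str, list[str]]:
    """Audit the constructed grant as a read-only (no remediation) integration."""
    return audit_grant(SAMPLE_GRANT["scope"], remediation_enabled=False)


if __name__ == "__main__":
    for key, scopes in audit_sample().items():
        print(f"{key}: {scopes or '-'}")
```

In practice the scope string comes from `GET /oauth2PermissionGrants` filtered on the integration's service principal; anything in `unexpected` or `excess_write` is consent that the documented integration does not need and should be reviewed.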

## Security findings

The Microsoft 365 integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365.mdx.atom).

### User account settings

Keep user accounts safe by ensuring the following settings are maintained. Review password configurations and password strengths to ensure alignment with your organization's security policies and best practices.

| Finding type                                            | FindingTypeID                        | Severity |
| ------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: FIDO2 authentication method unattested       | 5a9fd288-c04f-4f7a-8976-bfd5464c6cf1 | Low      |
| Microsoft: Provisioning error for on-prem user          | 3123d99e-a83c-4d9d-9a10-80da5af6dee5 | Low      |
| Microsoft: Password expiration disabled for user        | ce8cc363-7cbb-445e-8385-79ae7348e430 | Low      |
| Microsoft: Password not changed for 90+ days            | 93be1fd1-b6c6-4b98-a04c-121d5ea66745 | Low      |
| Microsoft: Strong password disabled for user            | aecfdcb2-ec1f-4571-be3c-4ae46c93125e | Low      |
| Microsoft: Cloud sync disabled for on-prem user         | 8370628b-73f1-41a5-bbff-4d5adee7bf33 | Low      |
| Microsoft: Weak Windows Hello for Business key strength | 6fae390f-07a3-4577-9821-034a7b29e18e | Low      |
| Microsoft: On-prem user not synced in 7+ days           | 1eefc5a1-e665-431a-b939-cfbb76a309f5 | Low      |
| Microsoft: User is not a legal adult                    | 329030a3-db43-4959-9d92-2616a42f1731 | Low      |
| Microsoft: User configured proxy addresses              | 61406f68-feea-43c5-bda8-b7c4ef9b83cf | Low      |
| Microsoft: User account disabled                        | 0a8bd094-9138-4e7f-8ce8-bebdf5c27c4e | Low      |
| Microsoft: Reusable temporary access pass               | 98571e6b-c323-48bc-8c60-f0425c7f9342 | Low      |
| Microsoft: Long-lived temporary access pass             | 45cdbd9c-1594-488b-973e-7c62c6e7234e | Low      |

### File sharing

Get alerted when files in your Microsoft 365 account have their permissions changed to a less secure setting. Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                           | FindingTypeID                        | Severity |
| ------------------------------------------------------ | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access   | 85241e6b-205f-4de6-a1d1-325656130995 | Critical |
| Microsoft: Folder publicly accessible with edit access | c9662c5c-c3d6-453b-9367-281e024f7e7a | Critical |
| Microsoft: File publicly accessible with view access   | a2b40dc9-b96a-4ace-b8f8-739c2be37dbd | High     |
| Microsoft: Folder publicly accessible with view access | 7c673785-8b70-41bc-b7d4-d0f346487ff6 | High     |
| Microsoft: File shared company-wide with edit access   | a81a79c8-a0bf-4c60-aa46-7547b4d34266 | Medium   |
| Microsoft: File shared company-wide with view access   | 364c9c0e-684b-4a83-bf28-fdbb1430bb59 | Medium   |
| Microsoft: Folder shared company-wide with edit access | 80f73d47-7dcf-4997-8ed3-6564c8388bd1 | Medium   |
| Microsoft: Folder shared company-wide with view access | f3fc8ae6-815e-4d5f-a57e-b00d5413f98c | Medium   |

To access some file findings, you may need to review shared links. For more information, refer to [View shared files](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#view-shared-files).

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                                                | FindingTypeID                        | Severity |
| --------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access with DLP Profile match | 7b6ecb52-852f-4184-bf19-175fe59202b7 | Critical |
| Microsoft: File publicly accessible with view access with DLP Profile match | 8150f237-576d-4b48-8839-0c257f612171 | High     |
| Microsoft: File shared company-wide with edit access with DLP Profile match | f838ec6b-7d7a-4c1c-9c61-958ac24c27fa | Medium   |
| Microsoft: File shared company-wide with view access with DLP Profile match | 0b882cf3-7e33-4c58-b425-0202206a2c10 | Medium   |

### Microsoft 365 Copilot / AI

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

Detect DLP matches in content used and shared within Microsoft's artificial intelligence (AI) offering, Microsoft 365 Copilot.

| Finding type                                              | FindingTypeID                        | Severity |
| --------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Copilot Referenced File with DLP Profile match | fa7b06bd-cf63-41fc-9afa-a20598f7a52d | High     |
| Microsoft: Copilot AI Response with DLP Profile match     | 176b9299-0cee-4bbb-9c59-b18611228454 | High     |
| Microsoft: Copilot User Prompt with DLP Profile match     | 1c5f1cdf-3e08-4a83-baf9-fc8e123877ab | High     |

### Third-party apps

Identify and get alerted about the third-party apps that have access to at least one service in your Microsoft 365 domain. Additionally, receive information about which services are being accessed and by whom to get full visibility into [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/).

| Finding type                              | FindingTypeID                        | Severity |
| ----------------------------------------- | ------------------------------------ | -------- |
| Microsoft: App not certified by Microsoft | 3f049bb1-3709-4d8f-8591-59dd034cf396 | Low      |
| Microsoft: App not attested by publisher  | d7390d6b-f466-4293-8528-6218e29b1179 | Low      |
| Microsoft: App disabled by Microsoft      | b5156b76-caaa-4ca8-bdb7-ea282da62356 | Low      |

### Calendar sharing

Get alerted when calendars in your Microsoft 365 account have their permissions changed to a less secure setting.

| Finding type                          | FindingTypeID                        | Severity |
| ------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Calendar shared externally | 7d2d9b00-3871-4abf-9e65-f29cf00c428b | Low      |

### Email administrator settings

Discover suspicious or insecure email configurations in your Microsoft domain. Missing SPF and DMARC records make it easier for bad actors to spoof email, while SPF records configured to another domain can be a potential warning sign of malicious activity.

| Finding type                                        | FindingTypeID                        | Severity |
| --------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Domain SPF record allows any IP address  | 27893e48-663e-43f9-83d4-c158c50259d0 | High     |
| Microsoft: Domain SPF record not present            | 009093d9-43df-45a2-bdc6-2f35fc3a0c71 | Medium   |
| Microsoft: Domain DMARC record not present          | bb3d3760-2c4e-4161-9164-cff92e809f9c | Medium   |
| Microsoft: Domain DMARC not enforced                | a020d87d-332b-49d1-acc3-16c19d72fba4 | Medium   |
| Microsoft: Domain DMARC not enforced for subdomains | 1837a549-4d4e-4101-917c-e9a4036e0c08 | Medium   |
| Microsoft: Domain DMARC only partially enforced     | 943414ed-7c79-4d17-a253-8d73f34dcc1d | Medium   |
| Microsoft: Domain not verified                      | dd1e9aba-57ee-4cf1-a895-dd2f1fc166a7 | Medium   |
| Microsoft: App certification expires within 90 Days | d5ede282-0339-4983-88f3-849ac59ba840 | Low      |
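As an added example, not Cloudflare's code, the Python below evaluates a domain's SPF and DMARC TXT records against the SPF and DMARC findings in the table above. The zones are constructed samples, and the mapping from record contents to finding names (an `all` mechanism with a `+` or no qualifier for "allows any IP address", `p=none` for "not enforced", `sp=none` for "not enforced for subdomains", `pct` below 100 for "only partially enforced") is my reading of the finding names rather than a published specification.

```python
"""Map SPF and DMARC TXT records to the email-administrator findings above.

Added example, not Cloudflare's code. Each zone is a constructed dict with the TXT
records at the apex ("txt") and at the _dmarc label ("_dmarc"); no DNS is queried.
"""
from __future__ import annotations

SPF_ANY_IP = "Microsoft: Domain SPF record allows any IP address"
SPF_MISSING = "Microsoft: Domain SPF record not present"
DMARC_MISSING = "Microsoft: Domain DMARC record not present"
DMARC_NONE = "Microsoft: Domain DMARC not enforced"
DMARC_SUB_NONE = "Microsoft: Domain DMARC not enforced for subdomains"
DMARC_PARTIAL = "Microsoft: Domain DMARC only partially enforced"


def check_spf(txt_records: list[str]) -> list[str]:
    """Findings raised by the apex TXT records of a domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [SPF_MISSING]
    for record in spf:
        for term in record.split()[1:]:
            # RFC 7208: a mechanism without a qualifier defaults to "+" (pass), so a bare
            # "all" or "+all" passes every sending host.
            if term.lower() in ("all", "+all"):
                return [SPF_ANY_IP]
    return []


def _dmarc_tags(record: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a lowercase dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def _pct(value: str) -> int:
    try:
        return max(0, min(100, int(value)))
    except ValueError:
        return 100  # malformed pct: fall back to the RFC 7489 default


def check_dmarc(dmarc_records: list[str]) -> list[str]:
    """Findings raised by the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [DMARC_MISSING]
    tags = _dmarc_tags(dmarc[0])
    policy = tags.get("p", "none")
    if policy == "none":
        return [DMARC_NONE]
    findings = []
    # sp defaults to p when absent (RFC 7489 section 6.3).
    if tags.get("sp", policy) == "none":
        findings.append(DMARC_SUB_NONE)
    if _pct(tags.get("pct", "100")) < 100:
        findings.append(DMARC_PARTIAL)
    return findings


def scan_zone(zone: dict[str, list[str]]) -> list[str]:
    return check_spf(zone.get("txt", [])) + check_dmarc(zone.get("_dmarc", []))


# Constructed sample zones; addresses and hosts are documentation placeholders.
SAMPLE_ZONES = {
    "example.com": {
        "txt": ["v=spf1 include:spf.protection.outlook.com -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]},
    "staging.example": {
        "txt": ["v=spf1 ip4:203.0.113.0/24 +all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@staging.example"]},
    "legacy.example": {
        "txt": ["MS=ms00000000"],   # verification record only, no SPF
        "_dmarc": []},
    "partial.example": {
        "txt": ["v=spf1 -all"],
        "_dmarc": ["v=DMARC1; p=quarantine; sp=none; pct=25"]},
}


def scan_all(zones: dict = SAMPLE_ZONES) -> dict[str, list[str]]:
    return {domain: scan_zone(zone) for domain, zone in zones.items()}


if __name__ == "__main__":
    for domain, findings in scan_all().items():
        print(domain, findings or "clean")
```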

### Email forwarding

Get alerted when users set their email to be forwarded externally. This can be a sign either of unauthorized activity or of an employee unknowingly sending potentially sensitive information to a personal email address.

| Finding type                                                     | FindingTypeID                        | Severity |
| ---------------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Active message rule forwards externally as attachment | 9efca21a-aba2-452f-bb17-e66d34b58765 | Low      |
| Microsoft: Active message rule forwards externally               | 42fa3fe6-da72-4bf0-9bc9-5faa4a118ec4 | Low      |
| Microsoft: Active message rule redirects externally              | b75ba81e-c98d-4b78-b5a1-47a2f54499e8 | Low      |
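As an added example that is not Cloudflare's code, the Python below evaluates Outlook inbox rules in the shape returned by the Microsoft Graph `messageRule` resource (`isEnabled` plus the `forwardTo`, `forwardAsAttachmentTo` and `redirectTo` collections of `actions`) and raises the three findings above for enabled rules whose recipients lie outside the tenant's domains. The rules and the internal domain set are constructed sample data.

```python
"""Flag enabled Outlook inbox rules that send mail outside the organization.

Added example, not Cloudflare's code. Rules are constructed in the shape of Graph
messageRule objects; `INTERNAL_DOMAINS` is an assumed set of tenant domains.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"example.com"}

# Graph messageRuleActions collections that move mail elsewhere, paired with the
# finding each one raises (names copied from the table above).
ACTION_FINDINGS = (
    ("forwardAsAttachmentTo", "Microsoft: Active message rule forwards externally as attachment"),
    ("forwardTo", "Microsoft: Active message rule forwards externally"),
    ("redirectTo", "Microsoft: Active message rule redirects externally"),
)


def external_addresses(recipients: list[dict] | None, internal_domains: set[str]) -> list[str]:
    """Addresses from a Graph recipient list whose domain is not internal."""
    external = []
    for recipient in recipients or []:
        address = recipient.get("emailAddress", {}).get("address", "")
        domain = address.rpartition("@")[2].lower()
        if domain and domain not in internal_domains:
            external.append(address)
    return external


def evaluate_rule(rule: dict, internal_domains: set[str] = INTERNAL_DOMAINS) -> list[tuple[str, list[str]]]:
    """(finding, external addresses) pairs for one rule; disabled rules raise nothing."""
    if not rule.get("isEnabled", False):
        return []
    actions = rule.get("actions") or {}
    findings = []
    for action, finding in ACTION_FINDINGS:
        addresses = external_addresses(actions.get(action), internal_domains)
        if addresses:
            findings.append((finding, addresses))
    return findings


# Constructed sample rules for one mailbox (GET /users/{id}/mailFolders/inbox/messageRules).
SAMPLE_RULES = [
    {"displayName": "Archive to personal", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"name": "Alice", "address": "alice.home@example.net"}}]}},
    {"displayName": "Old redirect", "isEnabled": False,
     "actions": {"redirectTo": [{"emailAddress": {"address": "alice.home@example.net"}}]}},
    {"displayName": "Copy to manager", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "bob@example.com"}}]}},
    {"displayName": "Send invoices out", "isEnabled": True,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "billing@partner.example"}}],
                 "markAsRead": True}},
]


def evaluate_mailbox(rules: list[dict] = SAMPLE_RULES,
                     internal_domains: set[str] = INTERNAL_DOMAINS) -> dict[str, list[tuple[str, list[str]]]]:
    """Findings keyed by rule display name; rules with no finding are omitted."""
    results = {}
    for rule in rules:
        findings = evaluate_rule(rule, internal_domains)
        if findings:
            results[rule.get("displayName", "<unnamed>")] = findings
    return results


if __name__ == "__main__":
    for name, findings in evaluate_mailbox().items():
        for finding, addresses in findings:
            print(f"{name}: {finding} -> {', '.join(addresses)}")
```

The disabled rule and the rule that forwards to a colleague produce nothing, which matches the wording of the findings: only active rules with an external destination count.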

## Microsoft Information Protection (MIP) sensitivity labels

Note: Requires [Cloudflare Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/).

Microsoft provides [MIP sensitivity labels ↗](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide) to classify and protect sensitive data. When you add the CASB Microsoft 365 integration, Cloudflare will automatically retrieve the labels from your Microsoft account and populate them in a [DLP Profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles/).

Warning: DLP does not filter or log [MIP sublabels ↗](https://learn.microsoft.com/purview/sensitivity-labels#sublabels-that-use-parent-labels-or-label-groups). Only top-level sensitivity labels will be detected, filtered, and logged.

To ensure DLP will detect and filter all sensitive data, use only [MIP top-level labels ↗](https://learn.microsoft.com/purview/sensitivity-labels#top-level-labels).


---

---
title: Admin Center
description: Reference information for Admin Center in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Admin Center

The Admin Center integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Admin Center integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/admin-center.mdx.atom).

### User account settings

Keep user accounts safe by ensuring the following settings are maintained. Review password configurations and password strengths to ensure alignment with your organization's security policies and best practices.

| Finding type                                            | FindingTypeID                        | Severity |
| ------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: FIDO2 authentication method unattested       | 5a9fd288-c04f-4f7a-8976-bfd5464c6cf1 | Low      |
| Microsoft: Provisioning error for on-prem user          | 3123d99e-a83c-4d9d-9a10-80da5af6dee5 | Low      |
| Microsoft: Password expiration disabled for user        | ce8cc363-7cbb-445e-8385-79ae7348e430 | Low      |
| Microsoft: Password not changed for 90+ days            | 93be1fd1-b6c6-4b98-a04c-121d5ea66745 | Low      |
| Microsoft: Strong password disabled for user            | aecfdcb2-ec1f-4571-be3c-4ae46c93125e | Low      |
| Microsoft: Cloud sync disabled for on-prem user         | 8370628b-73f1-41a5-bbff-4d5adee7bf33 | Low      |
| Microsoft: Weak Windows Hello for Business key strength | 6fae390f-07a3-4577-9821-034a7b29e18e | Low      |
| Microsoft: On-prem user not synced in 7+ days           | 1eefc5a1-e665-431a-b939-cfbb76a309f5 | Low      |
| Microsoft: User is not a legal adult                    | 329030a3-db43-4959-9d92-2616a42f1731 | Low      |
| Microsoft: User configured proxy addresses              | 61406f68-feea-43c5-bda8-b7c4ef9b83cf | Low      |
| Microsoft: User account disabled                        | 0a8bd094-9138-4e7f-8ce8-bebdf5c27c4e | Low      |
| Microsoft: Reusable temporary access pass               | 98571e6b-c323-48bc-8c60-f0425c7f9342 | Low      |
| Microsoft: Long-lived temporary access pass             | 45cdbd9c-1594-488b-973e-7c62c6e7234e | Low      |

### Third-party apps

Identify and get alerted about the third-party apps that have access to at least one service in your Microsoft 365 domain. Additionally, receive information about which services are being accessed and by whom to get full visibility into [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/).

| Finding type                              | FindingTypeID                        | Severity |
| ----------------------------------------- | ------------------------------------ | -------- |
| Microsoft: App not certified by Microsoft | 3f049bb1-3709-4d8f-8591-59dd034cf396 | Low      |
| Microsoft: App not attested by publisher  | d7390d6b-f466-4293-8528-6218e29b1179 | Low      |
| Microsoft: App disabled by Microsoft      | b5156b76-caaa-4ca8-bdb7-ea282da62356 | Low      |


---

---
title: Admin Center (FedRAMP)
description: Reference information for Admin Center (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Admin Center (FedRAMP)

Availability: The Admin Center (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The Admin Center (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Admin Center (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/admin-center-fedramp.mdx.atom).

### User account settings

Keep user accounts safe by ensuring the following settings are maintained. Review password configurations and password strengths to ensure alignment with your organization's security policies and best practices.

| Finding type                                            | FindingTypeID                        | Severity |
| ------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: FIDO2 authentication method unattested       | 5a9fd288-c04f-4f7a-8976-bfd5464c6cf1 | Low      |
| Microsoft: Provisioning error for on-prem user          | 3123d99e-a83c-4d9d-9a10-80da5af6dee5 | Low      |
| Microsoft: Password expiration disabled for user        | ce8cc363-7cbb-445e-8385-79ae7348e430 | Low      |
| Microsoft: Password not changed for 90+ days            | 93be1fd1-b6c6-4b98-a04c-121d5ea66745 | Low      |
| Microsoft: Strong password disabled for user            | aecfdcb2-ec1f-4571-be3c-4ae46c93125e | Low      |
| Microsoft: Cloud sync disabled for on-prem user         | 8370628b-73f1-41a5-bbff-4d5adee7bf33 | Low      |
| Microsoft: Weak Windows Hello for Business key strength | 6fae390f-07a3-4577-9821-034a7b29e18e | Low      |
| Microsoft: On-prem user not synced in 7+ days           | 1eefc5a1-e665-431a-b939-cfbb76a309f5 | Low      |
| Microsoft: User is not a legal adult                    | 329030a3-db43-4959-9d92-2616a42f1731 | Low      |
| Microsoft: User configured proxy addresses              | 61406f68-feea-43c5-bda8-b7c4ef9b83cf | Low      |
| Microsoft: User account disabled                        | 0a8bd094-9138-4e7f-8ce8-bebdf5c27c4e | Low      |
| Microsoft: Reusable temporary access pass               | 98571e6b-c323-48bc-8c60-f0425c7f9342 | Low      |
| Microsoft: Long-lived temporary access pass             | 45cdbd9c-1594-488b-973e-7c62c6e7234e | Low      |

### Third-party apps

Identify and get alerted about the third-party apps that have access to at least one service in your Microsoft 365 domain. Additionally, receive information about which services are being accessed and by whom to get full visibility into [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/).

| Finding type                              | FindingTypeID                        | Severity |
| ----------------------------------------- | ------------------------------------ | -------- |
| Microsoft: App not certified by Microsoft | 3f049bb1-3709-4d8f-8591-59dd034cf396 | Low      |
| Microsoft: App not attested by publisher  | d7390d6b-f466-4293-8528-6218e29b1179 | Low      |
| Microsoft: App disabled by Microsoft      | b5156b76-caaa-4ca8-bdb7-ea282da62356 | Low      |


---

---
title: Microsoft 365 Copilot
description: Reference information for Microsoft 365 Copilot in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Microsoft 365 Copilot

The Microsoft 365 Copilot integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Microsoft 365 Copilot integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/copilot.mdx.atom).

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

Detect DLP matches in content used and shared within Microsoft's artificial intelligence (AI) offering, Microsoft 365 Copilot.

| Finding type                                              | FindingTypeID                        | Severity |
| --------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Copilot Referenced File with DLP Profile match | fa7b06bd-cf63-41fc-9afa-a20598f7a52d | High     |
| Microsoft: Copilot AI Response with DLP Profile match     | 176b9299-0cee-4bbb-9c59-b18611228454 | High     |
| Microsoft: Copilot User Prompt with DLP Profile match     | 1c5f1cdf-3e08-4a83-baf9-fc8e123877ab | High     |

---

---
title: Microsoft 365 Copilot (FedRAMP)
description: Reference information for Microsoft 365 Copilot (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Microsoft 365 Copilot (FedRAMP)

Availability

The Microsoft 365 Copilot (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The Microsoft 365 Copilot (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Microsoft 365 Copilot (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/copilot-fedramp.mdx.atom).

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

Detect DLP matches in content used and shared within Microsoft's artificial intelligence (AI) offering, Microsoft 365 Copilot.

| Finding type                                              | FindingTypeID                        | Severity |
| --------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Copilot Referenced File with DLP Profile match | fa7b06bd-cf63-41fc-9afa-a20598f7a52d | High     |
| Microsoft: Copilot AI Response with DLP Profile match     | 176b9299-0cee-4bbb-9c59-b18611228454 | High     |
| Microsoft: Copilot User Prompt with DLP Profile match     | 1c5f1cdf-3e08-4a83-baf9-fc8e123877ab | High     |

---

---
title: OneDrive
description: Reference information for OneDrive in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# OneDrive

The OneDrive integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The OneDrive integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive.mdx.atom).

### File sharing

Get alerted when files in your Microsoft 365 account have their permissions changed to a less secure setting. Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                           | FindingTypeID                        | Severity |
| ------------------------------------------------------ | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access   | 85241e6b-205f-4de6-a1d1-325656130995 | Critical |
| Microsoft: Folder publicly accessible with edit access | c9662c5c-c3d6-453b-9367-281e024f7e7a | Critical |
| Microsoft: File publicly accessible with view access   | a2b40dc9-b96a-4ace-b8f8-739c2be37dbd | High     |
| Microsoft: Folder publicly accessible with view access | 7c673785-8b70-41bc-b7d4-d0f346487ff6 | High     |
| Microsoft: File shared company-wide with edit access   | a81a79c8-a0bf-4c60-aa46-7547b4d34266 | Medium   |
| Microsoft: File shared company-wide with view access   | 364c9c0e-684b-4a83-bf28-fdbb1430bb59 | Medium   |
| Microsoft: Folder shared company-wide with edit access | 80f73d47-7dcf-4997-8ed3-6564c8388bd1 | Medium   |
| Microsoft: Folder shared company-wide with view access | f3fc8ae6-815e-4d5f-a57e-b00d5413f98c | Medium   |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                                                | FindingTypeID                        | Severity |
| --------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access with DLP Profile match | 7b6ecb52-852f-4184-bf19-175fe59202b7 | Critical |
| Microsoft: File publicly accessible with view access with DLP Profile match | 8150f237-576d-4b48-8839-0c257f612171 | High     |
| Microsoft: File shared company-wide with edit access with DLP Profile match | f838ec6b-7d7a-4c1c-9c61-958ac24c27fa | Medium   |
| Microsoft: File shared company-wide with view access with DLP Profile match | 0b882cf3-7e33-4c58-b425-0202206a2c10 | Medium   |

---

---
title: OneDrive (FedRAMP)
description: Reference information for OneDrive (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# OneDrive (FedRAMP)

Availability

The OneDrive (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The OneDrive (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The OneDrive (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/onedrive-fedramp.mdx.atom).

### File sharing

Get alerted when files in your Microsoft 365 account have their permissions changed to a less secure setting. Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                           | FindingTypeID                        | Severity |
| ------------------------------------------------------ | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access   | 85241e6b-205f-4de6-a1d1-325656130995 | Critical |
| Microsoft: Folder publicly accessible with edit access | c9662c5c-c3d6-453b-9367-281e024f7e7a | Critical |
| Microsoft: File publicly accessible with view access   | a2b40dc9-b96a-4ace-b8f8-739c2be37dbd | High     |
| Microsoft: Folder publicly accessible with view access | 7c673785-8b70-41bc-b7d4-d0f346487ff6 | High     |
| Microsoft: File shared company-wide with edit access   | a81a79c8-a0bf-4c60-aa46-7547b4d34266 | Medium   |
| Microsoft: File shared company-wide with view access   | 364c9c0e-684b-4a83-bf28-fdbb1430bb59 | Medium   |
| Microsoft: Folder shared company-wide with edit access | 80f73d47-7dcf-4997-8ed3-6564c8388bd1 | Medium   |
| Microsoft: Folder shared company-wide with view access | f3fc8ae6-815e-4d5f-a57e-b00d5413f98c | Medium   |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                                                | FindingTypeID                        | Severity |
| --------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access with DLP Profile match | 7b6ecb52-852f-4184-bf19-175fe59202b7 | Critical |
| Microsoft: File publicly accessible with view access with DLP Profile match | 8150f237-576d-4b48-8839-0c257f612171 | High     |
| Microsoft: File shared company-wide with edit access with DLP Profile match | f838ec6b-7d7a-4c1c-9c61-958ac24c27fa | Medium   |
| Microsoft: File shared company-wide with view access with DLP Profile match | 0b882cf3-7e33-4c58-b425-0202206a2c10 | Medium   |

---

---
title: Outlook
description: Reference information for Outlook in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Outlook

The Outlook integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Outlook integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/outlook.mdx.atom).

### Calendar sharing

Get alerted when calendars in your Microsoft 365 account have their permissions changed to a less secure setting.

| Finding type                          | FindingTypeID                        | Severity |
| ------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Calendar shared externally | 7d2d9b00-3871-4abf-9e65-f29cf00c428b | Low      |

### Email administrator settings

Discover suspicious or insecure email configurations in your Microsoft domain. Missing SPF and DMARC records make it easier for bad actors to spoof email, while an SPF record that points to another domain can be a warning sign of malicious activity.

| Finding type                                        | FindingTypeID                        | Severity |
| --------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Domain SPF record allows any IP address  | 27893e48-663e-43f9-83d4-c158c50259d0 | High     |
| Microsoft: Domain SPF record not present            | 009093d9-43df-45a2-bdc6-2f35fc3a0c71 | Medium   |
| Microsoft: Domain DMARC record not present          | bb3d3760-2c4e-4161-9164-cff92e809f9c | Medium   |
| Microsoft: Domain DMARC not enforced                | a020d87d-332b-49d1-acc3-16c19d72fba4 | Medium   |
| Microsoft: Domain DMARC not enforced for subdomains | 1837a549-4d4e-4101-917c-e9a4036e0c08 | Medium   |
| Microsoft: Domain DMARC only partially enforced     | 943414ed-7c79-4d17-a253-8d73f34dcc1d | Medium   |
| Microsoft: Domain not verified                      | dd1e9aba-57ee-4cf1-a895-dd2f1fc166a7 | Medium   |
| Microsoft: App certification expires within 90 Days | d5ede282-0339-4983-88f3-849ac59ba840 | Low      |

### Email forwarding

Get alerted when users set their email to be forwarded externally. This can be a sign of unauthorized activity, or of an employee unknowingly sending potentially sensitive information to a personal email address.

| Finding type                                                     | FindingTypeID                        | Severity |
| ---------------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Active message rule forwards externally as attachment | 9efca21a-aba2-452f-bb17-e66d34b58765 | Low      |
| Microsoft: Active message rule forwards externally               | 42fa3fe6-da72-4bf0-9bc9-5faa4a118ec4 | Low      |
| Microsoft: Active message rule redirects externally              | b75ba81e-c98d-4b78-b5a1-47a2f54499e8 | Low      |

---

---
title: Outlook (FedRAMP)
description: Reference information for Outlook (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Outlook (FedRAMP)

Availability

The Outlook (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The Outlook (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The Outlook (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/outlook-fedramp.mdx.atom).

### Calendar sharing

Get alerted when calendars in your Microsoft 365 account have their permissions changed to a less secure setting.

| Finding type                          | FindingTypeID                        | Severity |
| ------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Calendar shared externally | 7d2d9b00-3871-4abf-9e65-f29cf00c428b | Low      |

### Email administrator settings

Discover suspicious or insecure email configurations in your Microsoft domain. Missing SPF and DMARC records make it easier for bad actors to spoof email, while an SPF record that points to another domain can be a warning sign of malicious activity.

| Finding type                                        | FindingTypeID                        | Severity |
| --------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Domain SPF record allows any IP address  | 27893e48-663e-43f9-83d4-c158c50259d0 | High     |
| Microsoft: Domain SPF record not present            | 009093d9-43df-45a2-bdc6-2f35fc3a0c71 | Medium   |
| Microsoft: Domain DMARC record not present          | bb3d3760-2c4e-4161-9164-cff92e809f9c | Medium   |
| Microsoft: Domain DMARC not enforced                | a020d87d-332b-49d1-acc3-16c19d72fba4 | Medium   |
| Microsoft: Domain DMARC not enforced for subdomains | 1837a549-4d4e-4101-917c-e9a4036e0c08 | Medium   |
| Microsoft: Domain DMARC only partially enforced     | 943414ed-7c79-4d17-a253-8d73f34dcc1d | Medium   |
| Microsoft: Domain not verified                      | dd1e9aba-57ee-4cf1-a895-dd2f1fc166a7 | Medium   |
| Microsoft: App certification expires within 90 Days | d5ede282-0339-4983-88f3-849ac59ba840 | Low      |
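
The email administrator settings findings listed here and in the Outlook integration page above are all derived from a domain's public SPF and DMARC TXT records. The following is an added example, not Cloudflare's or Microsoft's code, showing how such records can be classified into those finding titles. The DNS answers in `SAMPLE_DNS` are constructed sample data, and the record-to-finding mapping (`+all` or a bare `all` for "allows any IP address", `p=none` for "not enforced", an explicit `sp=none` for "not enforced for subdomains", `pct` below 100 for "partially enforced") is this example's reading of the finding names, not CASB's published detection logic.

```python
"""Classify SPF and DMARC TXT records into the email administrator findings above.

Added example, not Cloudflare's or Microsoft's code. The DNS answers are
constructed sample data, and the record-to-finding mapping is this example's
reading of the finding titles, not CASB's published detection logic.
"""
from typing import Dict, List, Optional

# Finding titles exactly as listed in the table above.
SPF_ANY_IP = "Microsoft: Domain SPF record allows any IP address"
SPF_MISSING = "Microsoft: Domain SPF record not present"
DMARC_MISSING = "Microsoft: Domain DMARC record not present"
DMARC_NOT_ENFORCED = "Microsoft: Domain DMARC not enforced"
DMARC_SUBDOMAINS = "Microsoft: Domain DMARC not enforced for subdomains"
DMARC_PARTIAL = "Microsoft: Domain DMARC only partially enforced"

# Constructed stand-in for DNS TXT lookups: record name -> list of TXT strings.
SAMPLE_DNS: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=none; pct=50"],
    "weak.example": ["v=spf1 +all"],  # deliberately has no _dmarc.weak.example record
    "monitor.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
}


def find_record(dns: Dict[str, List[str]], name: str, prefix: str) -> Optional[str]:
    """Return the first TXT record at `name` that starts with `prefix`, or None."""
    for txt in dns.get(name, []):
        if txt.lower().startswith(prefix.lower()):
            return txt
    return None


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(spf: Optional[str]) -> List[str]:
    """SPF findings for one domain: missing record, or a record that passes everyone."""
    if spf is None:
        return [SPF_MISSING]
    # RFC 7208: a mechanism with no qualifier defaults to '+' (pass), so both
    # "+all" and a bare "all" let any sending IP pass SPF.
    for mechanism in spf.split()[1:]:  # skip the "v=spf1" version tag
        if mechanism.lower() in ("all", "+all"):
            return [SPF_ANY_IP]
    return []


def dmarc_findings(dmarc: Optional[str]) -> List[str]:
    """DMARC findings for one domain, following the defaults in RFC 7489."""
    if dmarc is None:
        return [DMARC_MISSING]
    tags = parse_dmarc_tags(dmarc)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        # Monitoring only: receivers take no action on mail that fails DMARC.
        return [DMARC_NOT_ENFORCED]
    findings: List[str] = []
    # 'sp' defaults to 'p', so only an explicit sp=none weakens subdomains.
    if tags.get("sp", policy).lower() == "none":
        findings.append(DMARC_SUBDOMAINS)
    # 'pct' defaults to 100; anything lower applies the policy to a sample of mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(DMARC_PARTIAL)
    return findings


def assess_domain(domain: str, dns: Dict[str, List[str]] = SAMPLE_DNS) -> List[str]:
    """Return every finding title raised for one mail domain."""
    spf = find_record(dns, domain, "v=spf1")
    dmarc = find_record(dns, "_dmarc." + domain, "v=DMARC1")
    return spf_findings(spf) + dmarc_findings(dmarc)


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "monitor.example", "silent.example"):
        print(name, assess_domain(name) or ["no findings"])
```

To run this against real domains, replace `SAMPLE_DNS` with the TXT answers from your resolver for `<domain>` and `_dmarc.<domain>`; the classification functions do not change. Note that `sp` and `pct` are only evaluated once `p` is enforcing, because a `p=none` policy already reports the domain as not enforced.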

### Email forwarding

Get alerted when users set their email to be forwarded externally. This can be a sign of unauthorized activity, or of an employee unknowingly sending potentially sensitive information to a personal email address.

| Finding type                                                     | FindingTypeID                        | Severity |
| ---------------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: Active message rule forwards externally as attachment | 9efca21a-aba2-452f-bb17-e66d34b58765 | Low      |
| Microsoft: Active message rule forwards externally               | 42fa3fe6-da72-4bf0-9bc9-5faa4a118ec4 | Low      |
| Microsoft: Active message rule redirects externally              | b75ba81e-c98d-4b78-b5a1-47a2f54499e8 | Low      |
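
The email forwarding findings here and in the Outlook integration page above each correspond to one kind of mailbox rule action. The following is an added example, not Cloudflare's or Microsoft's code, that scans rule objects for active rules whose forward, forward-as-attachment or redirect recipients fall outside the organization. The rule objects use the field names of the Microsoft Graph `messageRule` resource as this example assumes them (`isEnabled`, `actions.forwardTo`, `actions.forwardAsAttachmentTo`, `actions.redirectTo`); the sample rules and the `INTERNAL_DOMAINS` list are constructed, and the action-to-finding mapping is this example's reading of the finding titles.

```python
"""Flag active mailbox rules that forward or redirect mail outside the organization.

Added example, not Cloudflare's or Microsoft's code. Rule objects follow the
Microsoft Graph messageRule field names as assumed here; sample rules and the
internal-domain list are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Finding titles exactly as listed in the table above.
FORWARD_AS_ATTACHMENT = "Microsoft: Active message rule forwards externally as attachment"
FORWARD = "Microsoft: Active message rule forwards externally"
REDIRECT = "Microsoft: Active message rule redirects externally"

# Which rule action maps to which finding (this example's mapping).
ACTION_TO_FINDING = {
    "forwardAsAttachmentTo": FORWARD_AS_ATTACHMENT,
    "forwardTo": FORWARD,
    "redirectTo": REDIRECT,
}

# Constructed: the tenant's verified domains. Only exact matches count as internal,
# so a look-alike such as corp-example.com is treated as external.
INTERNAL_DOMAINS: Set[str] = {"example.com", "corp.example.com"}

# Constructed sample rules in the assumed messageRule shape.
SAMPLE_RULES: List[Dict] = [
    {"id": "rule-1", "displayName": "Copy to personal mailbox", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "me@mail.example.net"}}]}},
    {"id": "rule-2", "displayName": "Old redirect", "isEnabled": False,  # disabled: no finding
     "actions": {"redirectTo": [{"emailAddress": {"address": "me@mail.example.net"}}]}},
    {"id": "rule-3", "displayName": "Share with team", "isEnabled": True,  # internal: no finding
     "actions": {"forwardTo": [{"emailAddress": {"address": "team@corp.example.com"}}]}},
    {"id": "rule-4", "displayName": "Forward everything as attachment", "isEnabled": True,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "drop@mail.example.net"}}],
                 "redirectTo": [{"emailAddress": {"address": "Drop2@Mail.Example.NET"}}],
                 "markAsRead": True}},
]


def recipient_domain(recipient: Dict) -> str:
    """Lower-cased domain part of a recipient's address, or '' if it has none."""
    address = recipient.get("emailAddress", {}).get("address", "")
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def external_recipients(recipients: Iterable[Dict], internal: Set[str]) -> List[str]:
    """Addresses whose domain is not one of the organization's verified domains."""
    result = []
    for recipient in recipients:
        domain = recipient_domain(recipient)
        if domain and domain not in internal:
            result.append(recipient["emailAddress"]["address"])
    return result


def rule_findings(rule: Dict, internal: Set[str] = INTERNAL_DOMAINS) -> List[Tuple[str, str]]:
    """(rule id, finding title) pairs for one rule; disabled rules raise nothing."""
    if not rule.get("isEnabled", False):
        return []
    found: List[Tuple[str, str]] = []
    for action, finding in ACTION_TO_FINDING.items():
        recipients = rule.get("actions", {}).get(action) or []
        if external_recipients(recipients, internal):
            found.append((rule["id"], finding))
    return found


def scan_rules(rules: Iterable[Dict], internal: Set[str] = INTERNAL_DOMAINS) -> List[Tuple[str, str]]:
    """Findings across every rule in a mailbox, in rule order."""
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        findings.extend(rule_findings(rule, internal))
    return findings


if __name__ == "__main__":
    for rule_id, finding in scan_rules(SAMPLE_RULES):
        print(rule_id, "->", finding)
```

A single rule can raise more than one finding (rule-4 above both forwards as attachment and redirects), and a disabled rule raises none, matching the "Active" qualifier in the finding titles.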

---

---
title: SharePoint
description: Reference information for SharePoint in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# SharePoint

The SharePoint integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The SharePoint integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint.mdx.atom).

### File sharing

Get alerted when files in your Microsoft 365 account have their permissions changed to a less secure setting. Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                           | FindingTypeID                        | Severity |
| ------------------------------------------------------ | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access   | 85241e6b-205f-4de6-a1d1-325656130995 | Critical |
| Microsoft: Folder publicly accessible with edit access | c9662c5c-c3d6-453b-9367-281e024f7e7a | Critical |
| Microsoft: File publicly accessible with view access   | a2b40dc9-b96a-4ace-b8f8-739c2be37dbd | High     |
| Microsoft: Folder publicly accessible with view access | 7c673785-8b70-41bc-b7d4-d0f346487ff6 | High     |
| Microsoft: File shared company-wide with edit access   | a81a79c8-a0bf-4c60-aa46-7547b4d34266 | Medium   |
| Microsoft: File shared company-wide with view access   | 364c9c0e-684b-4a83-bf28-fdbb1430bb59 | Medium   |
| Microsoft: Folder shared company-wide with edit access | 80f73d47-7dcf-4997-8ed3-6564c8388bd1 | Medium   |
| Microsoft: Folder shared company-wide with view access | f3fc8ae6-815e-4d5f-a57e-b00d5413f98c | Medium   |
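
The file sharing findings in this SharePoint page and in the OneDrive and OneDrive (FedRAMP) pages above form a grid: file or folder, publicly accessible or shared company-wide, edit or view access. The following is an added example, not Cloudflare's or Microsoft's code, that maps an item's sharing links onto that grid. Items follow the Microsoft Graph `driveItem`/`permission` shape as this example assumes it (a `folder` facet marks a folder; each permission's `link.scope` is `anonymous`, `organization` or `users` and `link.type` is `view` or `edit`). The sample items are constructed and the mapping to finding titles and severities is this example's reading of the table.

```python
"""Map sharing links on OneDrive/SharePoint items to the file sharing findings above.

Added example, not Cloudflare's or Microsoft's code. Item and permission shapes
are assumed from the Microsoft Graph driveItem/permission resources; the sample
items are constructed and the finding mapping is this example's reading of the table.
"""
from typing import Dict, List, Tuple

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# (link scope, link type) -> (finding wording, severity); {kind} becomes File or Folder.
LINK_TO_FINDING = {
    ("anonymous", "edit"): ("Microsoft: {kind} publicly accessible with edit access", "Critical"),
    ("anonymous", "view"): ("Microsoft: {kind} publicly accessible with view access", "High"),
    ("organization", "edit"): ("Microsoft: {kind} shared company-wide with edit access", "Medium"),
    ("organization", "view"): ("Microsoft: {kind} shared company-wide with view access", "Medium"),
}

# Constructed sample items in the assumed driveItem shape.
SAMPLE_ITEMS: List[Dict] = [
    {"name": "Q3-forecast.xlsx", "permissions": [
        {"link": {"scope": "anonymous", "type": "edit"}},
        {"link": {"scope": "users", "type": "view"}},  # link to specific people: no finding
    ]},
    {"name": "Policies", "folder": {}, "permissions": [
        {"link": {"scope": "organization", "type": "view"}},
    ]},
    {"name": "notes.txt", "permissions": [
        {"roles": ["write"]},  # direct grant without a sharing link: no finding
    ]},
    {"name": "Exports", "folder": {}, "permissions": [
        {"link": {"scope": "anonymous", "type": "view"}},
        {"link": {"scope": "organization", "type": "edit"}},
    ]},
]


def item_findings(item: Dict) -> List[Tuple[str, str, str]]:
    """(item name, finding title, severity) for each over-permissive sharing link on one item."""
    kind = "Folder" if "folder" in item else "File"
    results: List[Tuple[str, str, str]] = []
    for perm in item.get("permissions", []):
        link = perm.get("link")
        if not link:
            continue  # direct grants to named users are not link sharing
        key = (link.get("scope", "").lower(), link.get("type", "").lower())
        if key in LINK_TO_FINDING:
            wording, severity = LINK_TO_FINDING[key]
            results.append((item["name"], wording.format(kind=kind), severity))
    return results


def scan_drive_items(items: List[Dict]) -> List[Tuple[str, str, str]]:
    """Findings across all items, most severe first (stable within one severity)."""
    findings = [f for item in items for f in item_findings(item)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[2]])


if __name__ == "__main__":
    for name, finding, severity in scan_drive_items(SAMPLE_ITEMS):
        print(f"[{severity}] {name}: {finding}")
```

One item can raise several findings when it carries more than one sharing link (the `Exports` folder above has both an anonymous view link and an organization-wide edit link), which is why the scan reports per link rather than per item and sorts the result by severity the way the findings table is ordered.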

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                                                | FindingTypeID                        | Severity |
| --------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access with DLP Profile match | 7b6ecb52-852f-4184-bf19-175fe59202b7 | Critical |
| Microsoft: File publicly accessible with view access with DLP Profile match | 8150f237-576d-4b48-8839-0c257f612171 | High     |
| Microsoft: File shared company-wide with edit access with DLP Profile match | f838ec6b-7d7a-4c1c-9c61-958ac24c27fa | Medium   |
| Microsoft: File shared company-wide with view access with DLP Profile match | 0b882cf3-7e33-4c58-b425-0202206a2c10 | Medium   |


---

---
title: SharePoint (FedRAMP)
description: Reference information for SharePoint (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# SharePoint (FedRAMP)

Availability

The SharePoint (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The SharePoint (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Microsoft 365 account that could leave you and your organization vulnerable.

## Integration prerequisites

* A Microsoft 365 account with an active Microsoft Business Basic, Microsoft Business Standard, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 subscription
* [Global admin role ↗](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles) or equivalent permissions in Microsoft 365

## Integration permissions

Refer to [Microsoft 365 integration permissions](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/#integration-permissions) for information on which API permissions to enable.

## Security findings

The SharePoint (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/microsoft-365/sharepoint-fedramp.mdx.atom).

### File sharing

Get alerted when files in your Microsoft 365 account have their permissions changed to a less secure setting. Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                           | FindingTypeID                        | Severity |
| ------------------------------------------------------ | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access   | 85241e6b-205f-4de6-a1d1-325656130995 | Critical |
| Microsoft: Folder publicly accessible with edit access | c9662c5c-c3d6-453b-9367-281e024f7e7a | Critical |
| Microsoft: File publicly accessible with view access   | a2b40dc9-b96a-4ace-b8f8-739c2be37dbd | High     |
| Microsoft: Folder publicly accessible with view access | 7c673785-8b70-41bc-b7d4-d0f346487ff6 | High     |
| Microsoft: File shared company-wide with edit access   | a81a79c8-a0bf-4c60-aa46-7547b4d34266 | Medium   |
| Microsoft: File shared company-wide with view access   | 364c9c0e-684b-4a83-bf28-fdbb1430bb59 | Medium   |
| Microsoft: Folder shared company-wide with edit access | 80f73d47-7dcf-4997-8ed3-6564c8388bd1 | Medium   |
| Microsoft: Folder shared company-wide with view access | f3fc8ae6-815e-4d5f-a57e-b00d5413f98c | Medium   |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

Additionally, you can automatically remediate certain finding types directly from CASB. For more information, refer to [Remediate findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#remediate-findings).

| Finding type                                                                | FindingTypeID                        | Severity |
| --------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Microsoft: File publicly accessible with edit access with DLP Profile match | 7b6ecb52-852f-4184-bf19-175fe59202b7 | Critical |
| Microsoft: File publicly accessible with view access with DLP Profile match | 8150f237-576d-4b48-8839-0c257f612171 | High     |
| Microsoft: File shared company-wide with edit access with DLP Profile match | f838ec6b-7d7a-4c1c-9c61-958ac24c27fa | Medium   |
| Microsoft: File shared company-wide with view access with DLP Profile match | 0b882cf3-7e33-4c58-b425-0202206a2c10 | Medium   |


---

---
title: OpenAI
description: Reference information for OpenAI in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# OpenAI

The OpenAI integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated OpenAI account that could leave you and your organization vulnerable.

This integration covers the following OpenAI products:

* ChatGPT Enterprise (Workspaces)
* OpenAI Platform Projects (API keys)
* GPTs (custom GPTs)

Note

Before you begin, ensure that OpenAI has enabled ChatGPT Enterprise Compliance API access for your organization. You will need a Project API key issued for your organization, your Organization ID, and your Workspace ID. These are available in your [OpenAI Project API Keys ↗](https://platform.openai.com/settings/organization/projects).

If Compliance API access is not yet turned on for your organization, refer to [Enable Compliance API access](#enable-compliance-api-access).

## Integration prerequisites

* An OpenAI organization with a ChatGPT Enterprise workspace
* Organization-level admin privileges to create and manage Admin API keys
* (Optional) A Project API key and the corresponding Project ID if you plan to include OpenAI Platform Projects in the scan scope

### Enable Compliance API access

Compliance API access is required to use the OpenAI CASB integration. To enable Compliance API access:

1. Contact `support@openai.com` to request access to the Compliance API for your organization and for the API key you will use with Cloudflare CASB. In your request, include:  
   * The last four characters of the API key  
   * The name of the API key  
   * The name of the user who created the key  
   * The requested scope (`read`, `write`, or both)
2. OpenAI will verify the key and grant the requested Compliance API scopes.
3. After the scopes are granted, [add the OpenAI integration to CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/). When prompted, enter your OpenAI Admin API key, Organization ID, and Workspace ID (available at `https://chatgpt.com/admin/settings`).

For more information, refer to the [OpenAI Help Center ↗](https://help.openai.com/articles/9261474-compliance-api-for-enterprise-customers).

## Integration permissions

For the OpenAI integration to function, Cloudflare CASB requires the following authorization via API keys:

* `Admin API key (organization-level)`: Grants read-only access to organization/workspace metadata, GPTs, users, invites, and audit/compliance objects exposed by the ChatGPT Enterprise Compliance API.
* (Optional) `Project API key (project-level)`: Grants read-only access to OpenAI Platform project metadata and keys.

These credentials follow the principle of least privilege so that only the minimum required access is granted.

## Security findings

The OpenAI integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/openai.mdx.atom).

### Model and tool governance

Flag risky tool and capability settings on custom GPTs.

| Finding type                              | FindingTypeID                        | Severity | ChatGPT Enterprise required |
| ----------------------------------------- | ------------------------------------ | -------- | --------------------------- |
| OpenAI: GPT with Custom Actions enabled   | 5a2995f5-0cc1-4af3-9045-cdf7e6601f7b | High     | ✅                           |
| OpenAI: GPT with Code Interpreter enabled | d368036a-be90-49f0-b7da-5092a3f8beb4 | Medium   | ✅                           |
| OpenAI: GPT with web browsing enabled     | 3af14358-5ff2-4502-921e-7ffd9a310093 | Medium   | ✅                           |

### Publishing and sharing

Identify GPTs that are externally visible beyond your organization.

| Finding type                                    | FindingTypeID                        | Severity | ChatGPT Enterprise required |
| ----------------------------------------------- | ------------------------------------ | -------- | --------------------------- |
| OpenAI: GPT publicly accessible via GPT Store   | c69adfa6-2362-4939-86ec-49ff34093cfd | High     | ✅                           |
| OpenAI: GPT publicly accessible via public link | de460c9f-55c0-4131-9cdf-e4c3b84f9549 | High     | ✅                           |

### API key hygiene

Detect API keys that may be stale, unused, or overdue for rotation.

| Finding type                        | FindingTypeID                        | Severity | ChatGPT Enterprise required |
| ----------------------------------- | ------------------------------------ | -------- | --------------------------- |
| OpenAI: Admin API key not rotated   | b72e971d-f5b9-4cf3-96f4-ef82bdf38453 | High     | ❌                           |
| OpenAI: Project API key not rotated | 2c079fe8-6188-43e1-a2e5-d0e2dd8c7686 | High     | ❌                           |
| OpenAI: Unused admin API key        | 49c75a36-1e64-437b-98a1-e54ec35d0a64 | Medium   | ❌                           |
| OpenAI: Unused project API key      | c8fd231b-de51-43cc-8c3f-e1e57114c5f5 | Medium   | ❌                           |

### Access security

Flag user/invite issues to help enforce best practices.

| Finding type                  | FindingTypeID                        | Severity | ChatGPT Enterprise required |
| ----------------------------- | ------------------------------------ | -------- | --------------------------- |
| OpenAI: High-privilege invite | 776ceb93-fa9a-4ca0-83db-668a67c09936 | High     | ❌                           |
| OpenAI: Inactive user         | 20ab9ddb-fd48-46a8-9fdf-9bb9b9061f21 | Medium   | ❌                           |
| OpenAI: Stale pending invite  | 18fd5b21-8489-485e-9c93-0bd4a696e724 | Low      | ❌                           |

### Data Loss Prevention (optional)

These findings will only appear if you [added DLP profiles](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/casb-dlp/) to your CASB integration.

| Finding type                                                | FindingTypeID                        | Severity | ChatGPT Enterprise required |
| ----------------------------------------------------------- | ------------------------------------ | -------- | --------------------------- |
| OpenAI: File in ChatGPT Conversation with DLP Profile match | 9aca654d-b331-4052-a5b4-2ceecced8676 | High     | ✅                           |
| OpenAI: File in ChatGPT GPT with DLP Profile match          | 520200f5-7dcc-42c9-bc3c-423019159d45 | High     | ✅                           |
| OpenAI: File in ChatGPT Project with DLP Profile match      | 8e46ec69-e5c1-4f53-ab00-a92f2050ec33 | High     | ❌                           |


---

---
title: Salesforce
description: Reference information for Salesforce in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Salesforce

The Salesforce integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Salesforce environment that could leave you and your organization vulnerable.

## Integration prerequisites

* A Salesforce environment (most editions are compatible)
* Permissions to a Salesforce organization with either:  
   * System Administrator permission  
   * Permissions for View Setup and Configuration, Customize Applications, and Modify All Data

## Integration permissions

For the Salesforce integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App:

* `Manage user data via APIs (api)`
* `Manage user data via Web browsers (web)`
* `Perform requests at any time (refresh_token, offline_access)`
* `Access unique user identifiers (openid)`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation ↗](https://help.salesforce.com/s/articleView?id=sf.remoteaccess%5Foauth%5Ftokens%5Fscopes.htm).

## Security findings

The Salesforce integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/salesforce.mdx.atom).

### File sharing

Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion.

| Finding type                                                                        | FindingTypeID                        | Severity |
| ----------------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Salesforce: Content Document publicly accessible without a password                 | 4cde56ed-19db-4cdb-a6c6-3aede5e17785 | Critical |
| Salesforce: Content Document publicly accessible with weak password                 | 68c43ab8-733d-4798-b25f-202f6fcf435f | High     |
| Salesforce: Content Document publicly accessible and password protected             | 75194f6b-5a95-48fa-b485-37181d2d19c8 | Medium   |
| Salesforce: Content Document shared and not viewed in 12+ months (stale permission) | 7125e209-234a-4f10-89d2-1af0601c277f | Medium   |
| Salesforce: Content Document larger than 2 GB                                       | 3d21de13-4b9f-483c-921a-44cdef7a58c5 | Medium   |

### Account misconfigurations

Discover account and admin-level settings that have been configured in an insecure way.

| Finding type                                              | FindingTypeID                        | Severity |
| --------------------------------------------------------- | ------------------------------------ | -------- |
| Salesforce: Domain without HTTPS                          | 20916e32-442e-4622-9e54-e1f37eb7d79f | High     |
| Salesforce: Default Account record access allows edit     | 316f1d9a-447e-432c-add7-7adde67c4f19 | Medium   |
| Salesforce: Default Case record access allows edit        | a7c8eb3e-b5be-4bfc-969a-358186bf927a | Medium   |
| Salesforce: Default Contact record access allows edit     | e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9 | Medium   |
| Salesforce: Default Lead record access allows edit        | 12fde974-45e8-4449-8bf4-dc319370d5ca | Medium   |
| Salesforce: Default Opportunity record access allows edit | 2ab78d14-e804-4334-9d46-213d8798dd2a | Medium   |
| Salesforce: Organization with active compliance BCC email | 43e5fd20-1cba-4f1d-aa39-90c7ce2e088a | Low      |

### User access

Flag user access issues, including account misuse and users not following best practices.

| Finding type                                                | FindingTypeID                        | Severity |
| ----------------------------------------------------------- | ------------------------------------ | -------- |
| Salesforce: User sending email with different email address | a2790c4f-03f5-449f-b209-5f4447f417af | Medium   |
| Salesforce: Inactive user                                   | 57e44995-c7ad-46fe-9c55-59706e663adf | Low      |
| Salesforce: User has never logged in                        | a0bf74df-c796-4574-ac1c-0f239ea8c9ac | Low      |
| Salesforce: User has not logged in for 90+ days             | 8395c824-bc44-4c12-b300-40f2477384d4 | Low      |


---

---
title: Salesforce (FedRAMP)
description: Reference information for Salesforce (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Salesforce (FedRAMP)

Availability

The Salesforce (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The Salesforce (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated FedRAMP-compliant Salesforce environment that could leave you and your organization vulnerable.

## Integration prerequisites

* A FedRAMP-compliant Salesforce environment (most editions are compatible)
* Permissions to a Salesforce organization with either:  
   * System Administrator permission  
   * Permissions for View Setup and Configuration, Customize Applications, and Modify All Data

## Integration permissions

For the Salesforce (FedRAMP) integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App:

* `Manage user data via APIs (api)`
* `Manage user data via Web browsers (web)`
* `Perform requests at any time (refresh_token, offline_access)`
* `Access unique user identifiers (openid)`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation ↗](https://help.salesforce.com/s/articleView?id=sf.remoteaccess%5Foauth%5Ftokens%5Fscopes.htm).

## Security findings

The Salesforce (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/salesforce-fedramp.mdx.atom).

### File sharing

Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion.

| Finding type                                                                                  | FindingTypeID                        | Severity |
| --------------------------------------------------------------------------------------------- | ------------------------------------ | -------- |
| Salesforce (FedRAMP): Content Document publicly accessible without a password                 | 4cde56ed-19db-4cdb-a6c6-3aede5e17785 | Critical |
| Salesforce (FedRAMP): Content Document publicly accessible with weak password                 | 68c43ab8-733d-4798-b25f-202f6fcf435f | High     |
| Salesforce (FedRAMP): Content Document publicly accessible and password protected             | 75194f6b-5a95-48fa-b485-37181d2d19c8 | Medium   |
| Salesforce (FedRAMP): Content Document shared and not viewed in 12+ months (stale permission) | 7125e209-234a-4f10-89d2-1af0601c277f | Medium   |
| Salesforce (FedRAMP): Content Document larger than 2 GB                                       | 3d21de13-4b9f-483c-921a-44cdef7a58c5 | Medium   |

### Account misconfigurations

Discover account and admin-level settings that have been configured in an insecure way.

| Finding type                                                        | FindingTypeID                        | Severity |
| ------------------------------------------------------------------- | ------------------------------------ | -------- |
| Salesforce (FedRAMP): Domain without HTTPS                          | 20916e32-442e-4622-9e54-e1f37eb7d79f | High     |
| Salesforce (FedRAMP): Default Account record access allows edit     | 316f1d9a-447e-432c-add7-7adde67c4f19 | Medium   |
| Salesforce (FedRAMP): Default Case record access allows edit        | a7c8eb3e-b5be-4bfc-969a-358186bf927a | Medium   |
| Salesforce (FedRAMP): Default Contact record access allows edit     | e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9 | Medium   |
| Salesforce (FedRAMP): Default Lead record access allows edit        | 12fde974-45e8-4449-8bf4-dc319370d5ca | Medium   |
| Salesforce (FedRAMP): Default Opportunity record access allows edit | 2ab78d14-e804-4334-9d46-213d8798dd2a | Medium   |
| Salesforce (FedRAMP): Organization with active compliance BCC email | 43e5fd20-1cba-4f1d-aa39-90c7ce2e088a | Low      |

### User access

Flag user access issues, including account misuse and users not following best practices.

| Finding type                                                          | FindingTypeID                        | Severity |
| --------------------------------------------------------------------- | ------------------------------------ | -------- |
| Salesforce (FedRAMP): User sending email with different email address | a2790c4f-03f5-449f-b209-5f4447f417af | Medium   |
| Salesforce (FedRAMP): Inactive user                                   | 57e44995-c7ad-46fe-9c55-59706e663adf | Low      |
| Salesforce (FedRAMP): User has never logged in                        | a0bf74df-c796-4574-ac1c-0f239ea8c9ac | Low      |
| Salesforce (FedRAMP): User has not logged in for 90+ days             | 8395c824-bc44-4c12-b300-40f2477384d4 | Low      |


---

---
title: ServiceNow
description: Reference information for ServiceNow in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# ServiceNow

The ServiceNow integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated ServiceNow instance that could leave you and your organization vulnerable.

## Integration prerequisites

* `admin` access to a ServiceNow instance
* Ability to [create an OAuth API endpoint for external clients ↗](https://docs.servicenow.com/csh?topicname=t%5FCreateEndpointforExternalClients)

## Integration permissions

For the ServiceNow integration to function, Cloudflare CASB requires the following permissions:

* `Global` application scope

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [ServiceNow Application scope documentation ↗](https://docs.servicenow.com/bundle/utah-application-development/page/build/applications/concept/c%5FGlobalScope.html).

## Security findings

The ServiceNow integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/servicenow.mdx.atom).

### Instance security

Identify security risks related to the ServiceNow instance itself.

| Finding type                                                           | FindingTypeID                        | Severity |
| ---------------------------------------------------------------------- | ------------------------------------ | -------- |
| ServiceNow: Production instance with exposed admin credentials         | 6c75c56f-df42-454d-85ee-c919bba70191 | Critical |
| ServiceNow: Production instance with exposed database user credentials | 37652a12-93d3-453f-961b-de32f419ed33 | High     |
| ServiceNow: Instance with exposed admin credentials                    | 8235e0a2-6a53-4596-adff-632203c60ab2 | High     |
| ServiceNow: Instance with exposed database user credentials            | 4f8bf0e4-fa79-44fc-b171-84926cbc73c7 | Medium   |

### User security

Flag user-related security risks and misconfigurations.

| Finding type                                                 | FindingTypeID                        | Severity |
| ------------------------------------------------------------ | ------------------------------------ | -------- |
| ServiceNow: User with pending password reset                 | 42097604-73db-46b3-9a5c-c3e0d2629531 | High     |
| ServiceNow: User with 3+ failed login attempts               | 49079a4b-5280-4c9c-bf61-a45b53c2fd9f | Medium   |
| ServiceNow: User with locked account                         | 344f5a37-7df5-4a26-a0fe-4d3c4215df61 | Low      |
| ServiceNow: User without multi-factor authentication enabled | 4efbe128-608d-4b19-b7c8-10c312e4cd9f | Low      |
| ServiceNow: User with no assigned roles                      | 8b5ca10d-951c-46d8-b786-223756b39165 | Low      |
| ServiceNow: Inactive user                                    | a3ee8ec7-85de-480c-bd98-6bc9581bacf9 | Low      |
| ServiceNow: User with no recent activity                     | 2477faf4-1887-44bc-b663-94373afb03d7 | Low      |

### Incident management

Identify issues related to ServiceNow incidents.

| Finding type                                             | FindingTypeID                        | Severity |
| -------------------------------------------------------- | ------------------------------------ | -------- |
| ServiceNow: High priority incident with no assigned user | 8bd04e4e-4f2f-4b44-9c6c-df6341822521 | High     |
| ServiceNow: Incident with no assigned user               | 0ea6e2dc-4748-436f-9407-bf24997ae574 | Medium   |

### Knowledge management

Highlight potential misconfigurations in ServiceNow knowledge articles.

| Finding type                                          | FindingTypeID                        | Severity |
| ----------------------------------------------------- | ------------------------------------ | -------- |
| ServiceNow: Knowledge article without expiration date | 0bd59519-a5ec-4327-92ec-c74f26184a5c | Low      |
| ServiceNow: Knowledge article without any roles       | 3caf029c-9840-43e4-a024-6d4af9f3d57e | Low      |
| ServiceNow: Knowledge article with flagged status     | 12bd46d5-e627-4bba-8644-59e01cca6646 | Low      |

### Integration and access

Detect issues related to ServiceNow integrations and access controls.

| Finding type                             | FindingTypeID                        | Severity |
| ---------------------------------------- | ------------------------------------ | -------- |
| ServiceNow: Internal Integration user    | fa63799a-24ce-4f5f-8e88-09dbf87a6fb9 | Low      |
| ServiceNow: Web Service Access only user | 3523fbb4-8725-4ffc-b200-9aef44bbbe98 | Low      |


---

---
title: ServiceNow (FedRAMP)
description: Reference information for ServiceNow (FedRAMP) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# ServiceNow (FedRAMP)

**Availability**: The ServiceNow (FedRAMP) CASB integration requires a special entitlement on your account. To request access, contact your account team.

The ServiceNow (FedRAMP) integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated ServiceNow (FedRAMP) instance that could leave you and your organization vulnerable.

## Integration prerequisites

* `admin` access to a ServiceNow (FedRAMP) instance
* Ability to [create an OAuth API endpoint for external clients ↗](https://docs.servicenow.com/csh?topicname=t%5FCreateEndpointforExternalClients)

## Integration permissions

For the ServiceNow (FedRAMP) integration to function, Cloudflare CASB requires the following permissions:

* `Global` application scope

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [ServiceNow Application scope documentation ↗](https://docs.servicenow.com/bundle/utah-application-development/page/build/applications/concept/c%5FGlobalScope.html).

## Security findings

The ServiceNow (FedRAMP) integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/servicenow-fedramp.mdx.atom).

### Instance security

Identify security risks related to the ServiceNow instance itself.

| Finding type                                                           | FindingTypeID                        | Severity |
| ---------------------------------------------------------------------- | ------------------------------------ | -------- |
| ServiceNow: Production instance with exposed admin credentials         | 6c75c56f-df42-454d-85ee-c919bba70191 | Critical |
| ServiceNow: Production instance with exposed database user credentials | 37652a12-93d3-453f-961b-de32f419ed33 | High     |
| ServiceNow: Instance with exposed admin credentials                    | 8235e0a2-6a53-4596-adff-632203c60ab2 | High     |
| ServiceNow: Instance with exposed database user credentials            | 4f8bf0e4-fa79-44fc-b171-84926cbc73c7 | Medium   |

### User security

Flag user-related security risks and misconfigurations.

| Finding type                                                 | FindingTypeID                        | Severity |
| ------------------------------------------------------------ | ------------------------------------ | -------- |
| ServiceNow: User with pending password reset                 | 42097604-73db-46b3-9a5c-c3e0d2629531 | High     |
| ServiceNow: User with 3+ failed login attempts               | 49079a4b-5280-4c9c-bf61-a45b53c2fd9f | Medium   |
| ServiceNow: User with locked account                         | 344f5a37-7df5-4a26-a0fe-4d3c4215df61 | Low      |
| ServiceNow: User without multi-factor authentication enabled | 4efbe128-608d-4b19-b7c8-10c312e4cd9f | Low      |
| ServiceNow: User with no assigned roles                      | 8b5ca10d-951c-46d8-b786-223756b39165 | Low      |
| ServiceNow: Inactive user                                    | a3ee8ec7-85de-480c-bd98-6bc9581bacf9 | Low      |
| ServiceNow: User with no recent activity                     | 2477faf4-1887-44bc-b663-94373afb03d7 | Low      |

### Incident management

Identify issues related to ServiceNow incidents.

| Finding type                                             | FindingTypeID                        | Severity |
| -------------------------------------------------------- | ------------------------------------ | -------- |
| ServiceNow: High priority incident with no assigned user | 8bd04e4e-4f2f-4b44-9c6c-df6341822521 | High     |
| ServiceNow: Incident with no assigned user               | 0ea6e2dc-4748-436f-9407-bf24997ae574 | Medium   |

### Knowledge management

Highlight potential misconfigurations in ServiceNow knowledge articles.

| Finding type                                          | FindingTypeID                        | Severity |
| ----------------------------------------------------- | ------------------------------------ | -------- |
| ServiceNow: Knowledge article without expiration date | 0bd59519-a5ec-4327-92ec-c74f26184a5c | Low      |
| ServiceNow: Knowledge article without any roles       | 3caf029c-9840-43e4-a024-6d4af9f3d57e | Low      |
| ServiceNow: Knowledge article with flagged status     | 12bd46d5-e627-4bba-8644-59e01cca6646 | Low      |

### Integration and access

Detect issues related to ServiceNow integrations and access controls.

| Finding type                             | FindingTypeID                        | Severity |
| ---------------------------------------- | ------------------------------------ | -------- |
| ServiceNow: Internal Integration user    | fa63799a-24ce-4f5f-8e88-09dbf87a6fb9 | Low      |
| ServiceNow: Web Service Access only user | 3523fbb4-8725-4ffc-b200-9aef44bbbe98 | Low      |


---

---
title: Slack
description: Reference information for Slack in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Slack

The Slack integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Slack Workspace that could leave you and your organization vulnerable.

## Integration prerequisites

* A Slack user account
* Membership in a Slack Workspace (Free, Pro, Business+, or Enterprise Grid)
* If you are not the Workspace Owner and the `Require App Approval` setting is enabled for the Workspace, [request permission ↗](https://slack.com/help/articles/202035138-Add-apps-to-your-Slack-workspace) to install apps.

## Integration permissions

For the Slack integration to function, Cloudflare CASB requires the following Slack API permissions:

* `channels:read`
* `files:read`
* `groups:read`
* `users:read`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Slack Permission scopes reference ↗](https://api.slack.com/scopes).

## Security findings

The Slack integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#severity-levels).

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its [RSS feed](https://github.com/cloudflare/cloudflare-docs/commits/production/src/content/docs/cloudflare-one/integrations/cloud-and-saas/slack.mdx.atom).

### User account settings

| Finding type                                        | FindingTypeID                        | Severity | Description                                                                                            |
| --------------------------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------------------------ |
| Slack: User with two-factor authentication disabled | d1cc8596-d22c-435c-9f94-3ba068f019cd | Critical | A user in the Slack Workspace does not have two-factor authentication (2FA) enabled for their account. |
| Slack: User with unverified email                   | 9fa4ae7c-07f0-453a-b232-e734b0f8877c | High     | A user in the Slack Workspace has not verified the email they use to sign in.                          |

### Channel sharing

| Finding type                     | FindingTypeID                        | Severity | Description                                                                                       |
| -------------------------------- | ------------------------------------ | -------- | ------------------------------------------------------------------------------------------------- |
| Slack: Channel shared externally | d298ba64-f013-4e28-b68a-63f758380355 | High     | A channel in the Slack Workspace has been shared with users who are not members of the Workspace. |

### File sharing

| Finding type                                     | FindingTypeID                        | Severity | Description                                                                   |
| ------------------------------------------------ | ------------------------------------ | -------- | ----------------------------------------------------------------------------- |
| Slack: File publicly accessible with view access | 9d96d3a2-696b-4802-98aa-c6c8572e806e | Medium   | An external link has been created for a file uploaded to the Slack Workspace. |
| Slack: File larger than 2 GB                     | c16d64a8-9f78-4f24-99ff-de7fcdc6871b | Low      | A file ≥ 2 GB has been uploaded to the Slack Workspace.                       |


---

---
title: CASB
description: Troubleshoot CASB issues in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# CASB

Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB).

This guide covers troubleshooting steps for CASB integrations and webhooks. For integration-specific issues, refer to the integration's documentation.

## Integration fails to connect or returns an error

Integration connection problems are the most common issue during CASB setup. If you receive an error such as "There was an error creating the integration" or are redirected back to the dashboard without the integration appearing, follow these steps.

### Check permissions in the third-party application

Ensure the account you are using to authorize the integration has the necessary administrative privileges in the third-party application (for example, **Global Administrator** for Microsoft 365, **Super Admin** for Google Workspace, or **Organization Owner** for GitHub). Insufficient permissions are the leading cause of setup failures.

### Clear previous installations

If the SaaS application was previously integrated with a different Cloudflare account, you must manually revoke the old Cloudflare application from within the SaaS provider's admin console.

* **For Microsoft 365**: Go to **Microsoft 365 admin center** \> **Enterprise applications** and delete the existing Cloudflare One application.
* **For Google Workspace**: Go to **Google Admin Console** \> **Security** \> **Access and data control** \> **API controls** and remove the Cloudflare app from third-party app access.
* **For GitHub**: Go to your organization's **Settings** \> **Third-party access** and revoke the Cloudflare CASB application.

After cleaning up the old app, wait a few minutes and then try the integration process again from the Cloudflare One dashboard.

### Verify OAuth permissions

During setup, CASB will ask you to approve a set of permissions. The permissions requested are required for the CASB service to scan for misconfigurations and, if you choose, to take remediation actions. While some permissions may seem broad (for example, `write` access), they are necessary for actions like quarantining a file or modifying sharing settings. Refer to the specific integration guide for a detailed list of required permissions.

## Findings are stale or not updating after remediation

A common point of confusion is when a resolved issue (for example, when a file is made private, or when a user is suspended) continues to appear as an active finding in the CASB dashboard.

### Understand scan frequency

CASB integrations do not provide real-time updates. Scans are performed periodically to discover new findings and validate the status of existing ones. The initial scan can take several hours, and subsequent scans run approximately every 24-48 hours.

### Force a re-scan

To trigger a new scan:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Integrations**.
2. Find your integration and select **Configure**.
3. Turn off **Scan for findings**.
4. After a few minutes, turn on **Scan for findings** again.

This action will queue a fresh scan of your integration. Allow several hours for your findings to reflect the new results.

## Remediation action fails in the dashboard

If you attempt to use a one-click remediation action (such as "Make private") on a finding, it may result in a **Failed** status, often with a timeout error.

### Verify permissions

The remediation failure may be due to the permissions for the Cloudflare app being changed or revoked in the SaaS application after the initial setup. Re-validate the integration to ensure all required permissions are still granted.

### Remediate manually

As a workaround, remediate the finding directly within the SaaS application (for example, change the file's sharing settings in Google Drive). CASB will clear the finding from the dashboard after the next successful scan.

## Webhook test or delivery fails

If Cloudflare cannot deliver a test request or a posture finding instance to your destination, follow these steps.

### Check destination requirements

Verify that the destination URL uses `https://` and is publicly reachable. Cloudflare rejects destinations that resolve to localhost, loopback, private, or other reserved addresses.

### Check authentication settings

Ensure that the webhook's authentication method matches what your receiver expects. Re-enter any bearer token, Basic auth credentials, static headers, or signing secret if needed.

### Understand delivery timing

Test delivery sends a test request immediately, but posture finding instance sends are queued in the background. A success message means that Cloudflare accepted the request for delivery.

## CASB is generating false positives

CASB may incorrectly flag items, such as flagging internally-shared files as public or archived Google Workspace users as inactive.

### Review finding details

Carefully examine the evidence provided in the finding. An object's status in the SaaS platform may not be accurate.

### Report the issue

If you confirm the finding is a false positive, report the behavior to Cloudflare Support. Provide the finding ID and as much detail as possible. This helps the Support team refine the detection logic for all customers.

### Hide the finding

While Cloudflare investigates the issue, you can [ignore the finding or hide individual instances](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/#hide-findings) to remove it from your active list and reduce noise.


---

---
title: Troubleshoot compute accounts
description: Troubleshoot compute account issues in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Troubleshoot compute accounts

Cloudflare CASB detects when compute accounts are unhealthy or outdated. Common compute account issues include security or functionality updates and API token misconfigurations.

## Identify unhealthy compute accounts

To identify unhealthy compute accounts:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Cloud & SaaS integrations**.
2. Choose the integration you created for cloud scanning.
3. Select **Manage compute accounts**.

CASB will display the status of each compute account next to its name. If a compute account is broken or outdated, CASB will set its status to **Unhealthy**. If the status is **Healthy**, no action is required.

## Repair an unhealthy compute account

When CASB marks a compute account as **Unhealthy**, CASB will not use new scan configuration changes and new scan results will not appear in the dashboard.

To repair a compute account marked as **Unhealthy**, first [upgrade the compute account](#upgrade-a-compute-account). If the compute account is still unhealthy, [roll your API token](#roll-api-tokens).

## Upgrade a compute account

Upgrading a compute account applies the latest software features, bug fixes, and infrastructure changes to a cloud compute account. You should run upgrades periodically to keep the compute account software up to date or when recommended by Cloudflare to address an issue. CASB deploys compute account upgrades through Terraform updates.

To upgrade a compute account:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Cloud & SaaS integrations**.
2. Choose the integration you created for cloud scanning.
3. Select **Open connection instructions**.
4. Follow the instructions provided to validate your local Terraform and CLI configuration.
5. Under **Step 2: Deploy Terraform Configuration**, copy the template to your local configuration. This template will be the most up to date version of the integration's Terraform configuration.
6. In a local terminal, update the cached version of the CDS Terraform modules:

   ```sh
   terraform init --upgrade
   ```

7. Apply the upgraded Terraform configuration to your compute account:

   ```sh
   terraform apply
   ```

## Roll API tokens

**Warning**: If you roll your API token in CASB but do not update it in your compute account, CASB will set your compute account's status as **Broken** and stop reporting scan results.

You may need to roll the Cloudflare API token used for your compute account if a security or operational issue appears, your API token is compromised, or your API token is removed from your compute account.

If your token is lost or compromised, you can either create a new token or roll your token to generate a new secret. Rolling your API token into a new one will invalidate the previous token, but the access and permissions will be the same as the previous API token. The new token uses the [scannable format](https://developers.cloudflare.com/fundamentals/api/get-started/token-formats/), which allows credential scanning tools to detect leaked tokens.

To roll your API token:

1. Go to [**My Profile** \> **API Tokens** ↗](https://dash.cloudflare.com/profile/api-tokens).
2. Next to the API token you want to roll, select the **three dot icon** \> **Roll**.
3. Select **Confirm** to generate a new API token.
4. Copy your API token.

Once you roll your API token in Cloudflare, you can update the API token value in your secrets manager for [Amazon Web Services (AWS) ↗](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage%5Fupdate-secret-value.html) or [Google Cloud Platform (GCP) ↗](https://cloud.google.com/secret-manager/docs/edit-secrets).

### Common token issues

#### `cloudflare-cds-secrets` does not exist in the compute account's secrets manager

To recreate the secret in your compute account:

1. Validate that you selected the correct region.
2. [Upgrade the compute account](#upgrade-a-compute-account) to recreate the secret.
3. [Update the secret value](#roll-api-tokens) in your compute account.

#### I no longer have access to the Cloudflare API token I created

[Roll your Cloudflare API token](#roll-api-tokens) and add it to your compute account. If the [status of the compute account](#identify-unhealthy-compute-accounts) is set to **Healthy**, the issue has been solved.


---

---
title: Troubleshoot integrations
description: Troubleshoot integration issues in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Troubleshoot integrations

Cloudflare CASB detects when integrations are unhealthy or outdated.

Common integration issues include changes to SaaS app or cloud environment configurations, user access, or permission scope. Integrations may need to be updated to support new features or permissions.

## Identify unhealthy or outdated integrations

To identify unhealthy CASB integrations, go to **Integrations** \> **Cloud & SaaS integrations**. If an integration is unhealthy, CASB will set its status to **Broken**. If an integration is outdated, CASB will set its status to **Upgrade**.

## Repair an unhealthy integration

**Repair limitation**: If CASB does not support self-service repairs for an integration, you will need to [delete](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/#delete-an-integration) and recreate the integration to continue scanning.

You can repair unhealthy CASB integrations through your list of integrations or findings.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Cloud & SaaS integrations**.
2. Choose your unhealthy integration.
3. Select **Reauthorize**.
4. In your SaaS app or cloud environment, reauthorize your account.

## Upgrade an integration

Upgrading an outdated integration will allow the integration to access new features and permissions.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Cloud & SaaS integrations**.
2. Choose your outdated integration.
3. Select **Upgrade integration**.
4. In your SaaS app or cloud environment, upgrade your app and reauthorize your account.


---

---
title: Webhooks
description: Configure CASB webhooks to send posture finding instances from Cloudflare One to external HTTPS endpoints.
image: https://developers.cloudflare.com/zt-preview.png
---

# Webhooks

**Availability**: Requires Cloudflare CASB. To send a live finding instance to a webhook, you must be able to view posture finding instance details in Cloudflare One.

Use CASB webhooks to send posture finding instances from Cloudflare One to external systems such as chat platforms, ticketing systems, SIEMs, SOAR tools, and custom automation services.

After you configure a webhook destination, you can test delivery from the **Webhooks** page and send posture finding instances directly from the finding details workflow.

## Prerequisites

* You have access to Cloudflare One.
* You have a public HTTPS endpoint that can receive `POST` requests.
* You have any authentication values required by your destination, such as a bearer token, Basic auth credentials, static headers, or an HMAC signing secret.

## Create a webhook

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Integrations** \> **Webhooks**.
2. Select **Create webhook**.
3. Enter a **Name** for the webhook.
4. Enter the **Destination URL** for the system that will receive webhook requests.
5. Choose an **Authentication method**.
6. Enter the required credentials, headers, or signing secret.
7. (Optional) Select **Test delivery** to validate the destination before saving.
8. Select **Save**.

Cloudflare only accepts destination URLs that use `https://` and are publicly reachable. URLs that resolve to localhost, loopback, private, or other reserved addresses are rejected.
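The acceptance rule above (also referenced in the CASB troubleshooting guide's "Check destination requirements" step), as an added pre-check you can run against a candidate destination before saving the webhook; this is example code, not Cloudflare's implementation. It requires `https://`, rejects `localhost`, and resolves the hostname, refusing a destination if any returned address is loopback, private or otherwise reserved; it also handles literal IPv4 and IPv6 hosts. The names in `SAMPLE_DNS` are constructed, the resolver is injectable so the check runs offline, and 1.1.1.1 appears only as a known globally routable address.

```python
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

Resolver = Callable[[str], list[str]]

# Constructed hostname-to-address table standing in for DNS so the check runs
# offline. The names are invented; 1.1.1.1 is used only as a known globally
# routable address, and 203.0.113.0/24 is the reserved TEST-NET-3 range.
SAMPLE_DNS: dict[str, list[str]] = {
    "hooks.example-siem.test": ["1.1.1.1"],
    "intranet.example.test": ["10.20.30.40"],
    "docs-range.example.test": ["203.0.113.10"],
    "dual.example.test": ["1.1.1.1", "192.168.1.5"],
}


def sample_resolver(host: str) -> list[str]:
    """Offline stand-in for DNS; fails the way an unresolvable name would."""
    if host not in SAMPLE_DNS:
        raise OSError(f"cannot resolve {host}")
    return SAMPLE_DNS[host]


def system_resolver(host: str) -> list[str]:
    """Real resolution for production use: every A and AAAA answer."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def address_is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress marks loopback, link-local, private (RFC 1918 / ULA),
    documentation, carrier-grade NAT and other reserved ranges as not global.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_destination(url: str, resolve: Resolver = system_resolver) -> tuple[bool, str]:
    """Pre-check a webhook destination URL against the dashboard's acceptance rule.

    Returns (accepted, reason). Every address the hostname resolves to must be
    public: a name that returns both a public and a private address is rejected,
    because the sender could end up connecting to the private one.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "destination must use https://"
    host = parts.hostname
    if not host:
        return False, "destination has no hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is rejected"
    try:
        # A literal IP needs no lookup; ip_address raises ValueError for names.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError as exc:
            return False, f"hostname does not resolve: {exc}"
    for addr in addresses:
        if not address_is_public(addr):
            return False, f"{addr} is a loopback, private or reserved address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://hooks.example-siem.test/casb", "https://dual.example.test/hook",
                      "http://hooks.example-siem.test/casb", "https://[::1]/hook"):
        print(candidate, validate_destination(candidate, sample_resolver))
```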

## Authentication methods

CASB webhooks support the following authentication methods:

* **None**: Use this option if your destination does not require authentication.
* **Basic Auth**: Use this option when your destination expects HTTP Basic authentication.
* **Bearer Auth**: Use this option when your destination expects a bearer token.
* **Static Headers**: Use this option when your destination requires one or more fixed custom headers. Header names must be unique.
* **HMAC-Signing**: Use this option when your destination validates signed requests. You must provide a signing secret.

## Test delivery

Use **Test delivery** to send a test request to the configured destination before saving a new webhook or after updating an existing webhook.

A successful test indicates that Cloudflare reached the destination URL and that the destination returned a response.

Test delivery does not send a live finding instance from your environment.

## Edit, turn off, or delete a webhook

To update an existing webhook:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Integrations** \> **Webhooks**.
2. Select the webhook you want to update.
3. Modify the webhook configuration.
4. Select **Save**.

To turn a webhook off or on, use the status toggle on the **Webhooks** page.

To delete a webhook, open the webhook menu and select **Delete**.

When you edit an existing webhook, Cloudflare does not display saved header values or signing secrets. To replace a stored value, enter a new value and save the webhook again.

## Send a posture finding instance to a webhook

After you configure one or more webhook destinations, you can send posture finding instances directly from the findings workflow.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Cloud & SaaS findings** \> **Posture Findings**.
2. Choose **SaaS** or **Cloud**.
3. Choose the finding you want to review, then select **Manage**.
4. Select an instance.
5. In the instance details panel, select **Send webhook**.
6. Choose the webhook destination or destinations you want to use.
7. Select **Send webhooks**.

Cloudflare queues webhook sends in the background. A success message means that Cloudflare accepted the request for delivery.

For more information on finding workflows, refer to [Manage findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/manage-findings/).

## Payload format

CASB sends a JSON payload that describes the posture finding instance.

Webhook payloads include event metadata, finding details, asset details, and any additional metadata associated with the finding instance. The exact contents vary by integration and finding type.

Webhook payloads include a top-level `id`, `type`, `metadata`, and `data` object.

Depending on the finding, the `metadata` object can include event details such as the actor, destination, send time, and payload version.

The `data` object can include finding details, asset details, and additional metadata associated with the finding instance.

If your downstream system expects a custom schema, send the webhook to an intermediary service or workflow engine that transforms the payload before forwarding it to the final destination.
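The receiving side of the authentication methods and payload format described above, as an added example that is not Cloudflare's code: it verifies an HMAC-signed delivery, validates the documented top-level `id`, `type`, `metadata` and `data` keys, and performs the kind of schema transformation an intermediary service would do before forwarding. The page does not state the signature header name or algorithm, so the header `X-Signature`, hex-encoded HMAC-SHA256 over the raw body, the `metadata` key names and the sample payload values are all assumptions constructed for this example.

```python
# Added example (not Cloudflare's code): a receiver for CASB webhook
# deliveries that verifies an HMAC signature and normalises the payload.
# Assumptions not stated on the page: the signature is a hex-encoded
# HMAC-SHA256 over the raw request body, carried in a header called
# "X-Signature". Treat both as placeholders for the real header name and
# algorithm used by your deployment.
import hashlib
import hmac
import json
from dataclasses import dataclass

SIGNATURE_HEADER = "X-Signature"  # assumed header name, not from the page
REQUIRED_TOP_LEVEL = ("id", "type", "metadata", "data")  # documented keys


def sign_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body; the sender computes the same value."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, headers: dict) -> bool:
    """Reject deliveries whose signature does not match the raw body.

    Verify over the bytes exactly as received, before any JSON parsing, and
    use a constant-time comparison so the check does not leak timing.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(presented, sign_body(secret, body))


@dataclass
class FindingEvent:
    id: str
    type: str
    metadata: dict
    data: dict


def parse_event(body: bytes) -> FindingEvent:
    """Validate the documented top-level shape: id, type, metadata, data."""
    doc = json.loads(body)
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in doc]
    if missing:
        raise ValueError(f"payload is missing top-level keys: {missing}")
    if not isinstance(doc["metadata"], dict) or not isinstance(doc["data"], dict):
        raise ValueError("metadata and data must be JSON objects")
    return FindingEvent(str(doc["id"]), str(doc["type"]), doc["metadata"], doc["data"])


def handle_delivery(secret: bytes, body: bytes, headers: dict) -> dict:
    """Verify, parse, and transform one delivery into a flat downstream record.

    The transform stands in for the intermediary service the page describes:
    it maps the nested CASB payload onto a custom schema (the output key
    names are constructed for this example) before forwarding.
    """
    if not verify_signature(secret, body, headers):
        raise PermissionError("signature mismatch; delivery rejected")
    event = parse_event(body)
    return {
        "event_id": event.id,
        "event_type": event.type,
        "sent_at": event.metadata.get("send_time"),
        "payload_version": event.metadata.get("payload_version"),
        "finding": event.data.get("finding"),
        "asset": event.data.get("asset"),
    }


# Constructed sample delivery; every value below is illustrative only.
SAMPLE_SECRET = b"example-signing-secret"
SAMPLE_BODY = json.dumps({
    "id": "evt-0001",
    "type": "posture_finding_instance",
    "metadata": {"actor": "example-admin",
                 "destination": "https://hooks.example.com/casb",
                 "send_time": "2024-01-01T00:00:00Z",
                 "payload_version": "1"},
    "data": {"finding": {"name": "Example finding"},
             "asset": {"name": "example-bucket"}},
}, separators=(",", ":")).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_body(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
```

The signature is checked over the raw bytes before the JSON is parsed; re-serialising the body and signing that would break verification whenever key order or whitespace differs from what the sender signed.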

## Limitations

* CASB webhooks support posture finding instances only.
* CASB webhooks do not send content findings.
* Test delivery sends a test request, but does not send a live finding instance.

## Troubleshooting

If a webhook test or delivery fails:

* Verify that the destination URL uses `https://`.
* Verify that the destination is publicly reachable.
* Confirm that your authentication values, headers, and signing secret are correct.
* If the dashboard reports success but the destination does not process the event immediately, remember that finding instance sends are queued in the background.

For more information, refer to [CASB troubleshooting](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/casb/).


---

---
title: Identity providers
description: Identity providers in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ SSO ](https://developers.cloudflare.com/search/?tags=SSO) 

# Identity providers

Cloudflare One integrates with your organization's identity provider to apply Cloudflare One and Secure Web Gateway policies. If you work with partners, contractors, or other organizations, you can integrate multiple identity providers simultaneously.

As an alternative to configuring an identity provider, Cloudflare One can send a [one-time PIN (OTP)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) to approved email addresses. No configuration needed — simply add a user's email address to an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and to the group that allows your team to reach the application. You can simultaneously configure an OTP and an identity provider to allow users to use their own authentication method.

Adding an identity provider as a login method requires configuration both in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** \> **Integrations** \> **Identity providers** and with the identity provider itself. Consult our IdP-specific documentation to learn more about what you need to set up.

Note

Cloudflare One supports social identity providers that do not require administrator accounts, open source providers, and corporate providers. Cloudflare also supports using signed AuthN requests with SAML providers.

## Set up IdPs in Cloudflare One

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. In the **Your identity providers** card, select **Add new identity provider**.
3. Select the identity provider you want to add.  
If your identity provider is not listed, you can usually still enable it. If it supports OIDC or OAuth, select the [generic OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/) option. If it supports SAML, select the [generic SAML](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/) option. Cloudflare supports all SAML and OIDC providers and can integrate with the majority of OAuth providers. If your provider supports both SAML and OIDC, we recommend OIDC for ease of configuration.
4. Fill in the necessary fields to set up your identity provider.  
Each identity provider will have different required fields for you to fill in. Step-by-step instructions are shown in the dashboard side panel. Alternatively, refer to the [IdP-specific documentation](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).
5. Once you have filled in the necessary fields, select **Save**.

**Terraform (v5)**

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Access: Organizations, Identity Providers, and Groups Write`
2. Add an identity provider to Cloudflare One using the [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource. For example, to add a Microsoft Entra ID integration:  
```  
resource "cloudflare_zero_trust_access_identity_provider" "microsoft_entra_id" {
  account_id = var.cloudflare_account_id
  name       = "Entra ID example"
  type       = "azureAD"
  config = {
    client_id      = var.entra_id_client_id
    client_secret  = var.entra_id_client_secret
    directory_id   = var.entra_id_directory_id
    support_groups = true
  }
}
```  
Each identity provider integration has different required attributes. You will need to obtain these attribute values from your identity provider. For more information, refer to the [IdP-specific documentation](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).  
If your identity provider is not listed, you can usually still enable it. If it supports OIDC or OAuth, use the [generic OIDC](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/) option. If it supports SAML, use the [generic SAML](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/) option. Cloudflare supports all SAML and OIDC providers and can integrate with the majority of OAuth providers. If your provider supports both SAML and OIDC, we recommend OIDC for ease of configuration.

Your IdP will now be listed in the **Login methods** card.

## Test IdPs in Cloudflare One

To test if an IdP is correctly configured:

1. Go to **Integrations** \> **Identity providers**.
2. Select **Test** next to the IdP you would like to test. Cloudflare attempts to connect to the IdP and reports whether a valid connection was established.

### Your provider is connected

If your provider is connected, another window will open in your browser, with this message:

!["Your connection works\!" message displayed for a successful IdP test](https://developers.cloudflare.com/_astro/connected-idp.Dc_ZasM0_Z8c4gR.webp) 

### Your provider is not connected

If your provider is not connected, another window will open in your browser. Along with an error message, you will receive a detailed explanation of why the test has failed.

## Use the API

We recommend that you use our dashboard to configure your identity providers. However, if you would like to use the [Cloudflare API ↗](https://api.cloudflare.com/), each of the identity provider topics covered here includes an example API configuration snippet as well.


---

---
title: Active Directory (SAML)
description: Integrate Active Directory with Cloudflare One for secure identity management.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML)[ SSO ](https://developers.cloudflare.com/search/?tags=SSO) 

# Active Directory (SAML)

Warning

Microsoft recommends migrating your Active Directory Federation Service (AD FS) SSO to Microsoft Entra ID. For more information, refer to [Microsoft Learn ↗](https://learn.microsoft.com/windows-server/identity/ad-fs/ad-fs-overview).

To set up the Microsoft Entra ID IdP integration with Cloudflare One, refer to [Microsoft Entra ID](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/).

Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory integrates with Cloudflare Access using Security Assertion Markup Language (SAML).

## Before you start

To get started, you need:

* An Active Directory Domain Controller where all users have an email attribute.
* Generic SAML enabled for your Access Identity Provider (IdP).
* A Microsoft server running with Active Directory Federation Services (AD FS) installed. All screenshots in these instructions are for Server 2012 R2. Similar steps will work for newer versions.
* A browser safe certificate for Active Directory Federation Services (AD FS).

Once you fulfill the requirements above, you are ready to begin. Installation and basic configuration of Active Directory Federation Services (AD FS) is outside the scope of this guide. A detailed guide can be found in a [Microsoft KB ↗](https://docs.microsoft.com/en-us/previous-versions/dynamicscrm-2016/deployment-administrators-guide/gg188612%28v=crm.8%29).

To begin the connection between Cloudflare Access and AD FS, create a Relying Party Trust in AD FS.

## Create a Relying Party Trust

Run the Add Relying Party Trust wizard to begin SAML AD integration with Cloudflare Access.

To create a Relying Party Trust:

1. In **Windows Server**, launch the **ADFS Management** tool.
2. Select the **Relying Party Trusts** folder.
3. On the **Actions** sidebar, select **Add Relying Party Trust**. The **Add Relying Party Trust Wizard** launches.
4. In the left menu, choose **Select Data Source**.
5. Select the **Enter data about the relying party manually** option.
6. Select **Next**.
7. Enter a **Display name**. We suggest you use a recognizable name. Include any information regarding this connection in the **Notes** field.
8. Select **Next**. The **Choose Profile** step displays.
9. Select the **AD FS profile** option.
10. Select **Next**. The **Configure Certificate** step displays.
11. Leave the **Certificate** options at their defaults.
12. Select **Next**. The **Configure URL** step displays.
13. Select the **Enable support for the SAML 2.0 WebSSO protocol** option.
14. In the **Relying party SAML 2.0 SSO service URL** field, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
15. Select **Next**. The **Configure Identifiers** step displays.  
![Add relying party trust wizard with callback URL pasted into open form field](https://developers.cloudflare.com/_astro/adfs-7.BHM4h9Ct_Z4U7NI.webp)
16. Paste your callback URL in the **Relying party trust identifier** field.
17. Select **Next**. In the **Configure Multi-factor Authentication Now?** step, you can configure multi-factor authentication.
18. Select **Next**. The **Choose Issuance Authorization Rules** step displays.
19. Select the **Permit all users to access this relying party** option.
20. Select **Next**. The **Ready to Add Trust** step displays.
21. Review your settings.
22. Select **Next**. Cloudflare now relies on AD FS for user-identity authorization.

The **Edit Claim Rules for CF Login** screen automatically displays.

## Create claim rules

Now create 2 Claim Rules so that AD FS can take information from Cloudflare and return it to create [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).

If you closed the Add Relying Trust wizard, use Explorer to find the **Relying Party Trusts** folder, select the newly created RPT file, and select **Edit Claim Rules** in the **Action** sidebar.

To create Claim Rules:

1. In the **Edit Claim Rules for CF Login** window, select **Add Rule**. The **Choose Rule Type** step displays.
2. In the **Claim rule template** field, select **Send LDAP Attributes as Claims** from the drop-down list.
3. Select **Next**. The **Edit Rule — Send Email** step displays.
4. Enter a descriptive **Claim rule name**.
5. Select **Active Directory** from the **Attribute store** drop-down list.
6. Select **E-mail-Addresses** from the **LDAP Attribute** and **Outgoing Claim Type** drop-down lists.

AD FS groups

If you wish to use AD FS groups in your SAML claims, use `token-groups - unqualified names` instead of `is-member-of-DL`. Using `is-member-of-DL` will display the group in the form of LDAP paths, whereas `token-groups - unqualified names` will return only the group name.

7. Select **OK**. You return to the **Choose Rule Type** step.
8. Select **Transform an Incoming Claim** from the **Claim rule template** drop-down list to create the second rule.
9. Select **Next**. The **Edit - Create Transient Name Identifier** window displays.
10. Enter a descriptive **Claim rule name**.
11. Select **E-Mail Address** from the **Incoming claim type** drop-down list.
12. Select **Name ID** from the **Outgoing claim type** drop-down list.
13. Select **Transient Identifier** from the **Outgoing name ID format** drop-down list.
14. Ensure that the **Pass through all claim values** option is selected.
15. Select **OK**.

Both Claim Rules are now available to export to your Cloudflare Access account.

## Export the certificate

Now you'll configure Cloudflare to recognize AD FS by extracting the _token-signing certificate_ from AD FS.

To export the certificate:

1. Within the AD FS management console, select the **Service** under AD FS and choose the **Certificates** folder which contains the certificate to export.
2. In the **Certificates** card, right-click on the entry under **Token-signing**, and select **View certificate**. The **Certificates** window displays.  
![Certificates window with token-signing certificate selected](https://developers.cloudflare.com/_astro/adfs-16.Rob0iaqT_dGuuG.webp)
3. Select the **Details** tab, and select the **Copy to File** option.
4. The **Certificate Export Wizard** displays.
5. Select **Next**. The **Export File Format** window displays.
6. Select the **Base-64 encoded X.509 (.CER)** option.
7. Select **Next**.
8. Enter a name for the file.
9. Select **Next**.
10. Select **Finish**.  
Note the file path for later.

## Configure AD FS to sign SAML responses

To ensure that AD FS signs the full response when communicating with Cloudflare, open your local **PowerShell** and enter the following command:

```
Set-ADFSRelyingPartyTrust -TargetName "Name of RPT Display Name" -SamlResponseSignature "MessageAndAssertion"
```

## Configure Cloudflare One

To enable Cloudflare One to accept the claims and assertions sent from AD FS, follow these steps:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **SAML**.
4. Enter an IdP **Name**.
5. Under **Single Sign On URL** enter:  
```  
https://hostnameOfADFS/adfs/ls/  
```  
This is the default location. You can find your federation service identifier in AD FS.
6. In the **IdP Entity ID or Issuer URL** field, enter your Cloudflare Zero Trust team domain and include this callback at the end of the path: `/cdn-cgi/access/callback`. For example:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```
7. Under **Signing certificate**, paste the exported certificate.  
There can be no spaces or return characters in the text field.
8. Select **Save**.
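
A small helper for step 7, added here as an example and not part of Cloudflare's or Microsoft's tooling: it takes the Base-64 encoded X.509 (.CER) file exported from AD FS, strips the PEM header and footer lines plus every space and line break (the **Signing certificate** field accepts neither), and checks that what remains is valid base64 that decodes to a DER-encoded certificate. The sample input is constructed DER-shaped bytes, not a real certificate.

```python
# Added example (not Cloudflare's or Microsoft's code): normalise the
# Base-64 encoded X.509 (.CER) file exported from AD FS into the single
# whitespace-free string that the Cloudflare "Signing certificate" field
# expects, and sanity-check that it decodes to a DER certificate.
import base64
import binascii
import re

PEM_HEADER_RE = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def prepare_signing_certificate(cer_text: str) -> str:
    """Return the certificate body as one line of base64 with no whitespace.

    Raises ValueError if the text is not valid base64 or does not decode to
    a DER SEQUENCE (tag 0x30), which every X.509 certificate starts with.
    """
    body = PEM_HEADER_RE.sub("", cer_text)
    body = "".join(body.split())  # remove spaces, tabs, CR and LF
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER-encoded certificate")
    return body


def is_paste_safe(value: str) -> bool:
    """True when the value is non-empty and contains no whitespace at all."""
    return value != "" and not any(ch.isspace() for ch in value)


# Constructed sample: not a real certificate, just DER-shaped bytes
# (a SEQUENCE header plus filler) wrapped the way a .CER export is.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_CER = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(prepare_signing_certificate(SAMPLE_CER))
```

Run it against the exported file's contents (for example `prepare_signing_certificate(open("adfs-signing.cer").read())`) and paste the returned string; a `ValueError` means the export was not Base-64 encoded X.509, which usually indicates the DER (binary) export option was chosen in the wizard instead.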

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to the identity provider you want to test.

## Download SP metadata (optional)

Some IdPs allow administrators to upload metadata files from their SP (service provider).

To get your Cloudflare metadata file:

1. Download your unique SAML metadata file at the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/saml-metadata  
```  
In Cloudflare Access, you can find a link to this URL in the **Edit a SAML identity provider** dialog. The link returns a web page with your SAML SP data in XML format.
2. Save the file in XML format.
3. Upload the XML document to your **Active Directory** account.

## Example API Configuration

```json
{
  "config": {
    "issuer_url": "https://<your-team-name>.cloudflareaccess.com/",
    "sso_target_url": "https://adfs.example.com/adfs/ls/",
    "attributes": ["email"],
    "email_attribute_name": "",
    "sign_request": false,
    "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
  },
  "type": "saml",
  "name": "adfs saml example"
}
```


---

---
title: AWS IAM (SAML)
description: AWS IAM (SAML) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ SAML ](https://developers.cloudflare.com/search/?tags=SAML)[ AWS ](https://developers.cloudflare.com/search/?tags=AWS) 

# AWS IAM (SAML)

AWS IAM Identity Center provides SSO identity management for users who interact with AWS resources (such as EC2 instances or S3 buckets). You can integrate AWS IAM with Cloudflare Zero Trust as a SAML identity provider, which allows users to authenticate to Zero Trust using their AWS credentials.

## Prerequisites

* Admin access to an IAM Identity Center [organization instance ↗](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html)

## Set up AWS IAM as a SAML provider

To set up SAML with AWS IAM as your identity provider:

1. Open your [IAM Identity Center console ↗](https://console.aws.amazon.com/singlesignon) and go to **Applications**.
2. Select the **Customer managed** tab.
3. Select **Add application**.
4. Select **I have an application I want to set up**.
5. For **Application type**, select **SAML 2.0**.
6. Select **Next**.
7. Enter a **Display name** for the application (for example, `Cloudflare One`).
8. Download the **IAM Identity Center SAML metadata file**. You will need this file later when configuring the identity provider in Cloudflare One.
9. Under **Application metadata**, select **Manually type your metadata values**.
10. In **Application ACS URL** and **Application SAML audience**, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
11. Select **Submit**.
12. Next, select the **Actions** dropdown menu and select _Edit attribute mappings_.
13. For the `Subject` user attribute, enter `${user:email}`.
14. (Recommended) Add user name attributes:

| User attribute | String value         |
| -------------- | -------------------- |
| `name`         | `${user:name}`       |
| `surName`      | `${user:familyName}` |
| `givenName`    | `${user:givenName}`  |

![Configuring attribute statements in IAM Identity Center](https://developers.cloudflare.com/_astro/aws-saml-attributes.DuPGeU5b_1ShHlb.webp)

15. Select **Save changes**.
16. Under **Assign users and groups**, add the individuals and/or groups that should be allowed to log in to Cloudflare One.
17. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
18. Under **Your identity providers**, select **Add new identity provider**.
19. Select **SAML**.
20. Enter a **Name** for the IdP integration (for example, `AWS`).
21. Upload the **IAM Identity Center SAML metadata file** that you downloaded in Step 8.
22. (Recommended) Enable [**Sign SAML authentication request**](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#sign-saml-authentication-request).
23. Select **Save**.

To [test](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one) that your connection is working, select **Test**.

## Example API configuration

```json
{
  "config": {
    "issuer_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3",
    "sso_target_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3",
    "attributes": ["email"],
    "email_attribute_name": "email",
    "sign_request": true,
    "idp_public_certs": [
      "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
    ]
  },
  "type": "saml",
  "name": "AWS IAM SAML example"
}
```


---

---
title: Amazon Cognito
description: Amazon Cognito in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ AWS ](https://developers.cloudflare.com/search/?tags=AWS) 

# Amazon Cognito

Amazon Cognito provides SSO identity management for end users of web and mobile apps. You can integrate Amazon Cognito as an OIDC identity provider for Cloudflare One.

## Prerequisites

* An Amazon Cognito [user pool ↗](https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-user-pool.html)

## Set up Amazon Cognito (OIDC)

### 1\. Obtain Amazon Cognito settings

The following Amazon Cognito values are required to set up the integration:

* App (client) ID
* Client secret
* Auth URL
* Token URL
* Certificate (key) URL

To retrieve those values:

1. Log in to your Amazon Cognito admin portal.
2. Go to **User pools** and select your user pool.
3. Select the **App integration** tab.
4. Under **Domain**, copy your user pool domain or [configure a new domain ↗](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html).
5. Make note of the following [Amazon Cognito OIDC endpoints ↗](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints.html):  
   * **Auth URL**: `https://<your user pool domain>/oauth2/authorize`  
   * **Token URL**: `https://<your user pool domain>/oauth2/token`  
   * **Certificate (key) URL**: `https://cognito-idp.<region>.amazonaws.com/<your user pool ID>/.well-known/jwks.json` (This is the **Token signing key URL** shown in **User pool overview**.)
6. Under **App client list**, select **Create app client**.
7. For **App type**, select **Confidential client**.
8. Enter an **App client name** for your application.
9. Ensure that **Generate a client secret** is selected.
10. Configure the following **Hosted UI settings**:  
   1. In **Allowed callback URLs**, add the following URL:  
   ```  
   https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
   ```  
   You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.  
   2. Select **Identity providers** to use with this app client. At minimum, enable **Cognito user pool** as a provider.  
   3. For **OAuth 2.0 grant types**, select **Authorization code grant**.  
   4. For **OpenID Connect scopes**, select **OpenID**, **Email**, and **Profile**.
11. Select **Create app client**.
12. Next, select the app client you just created.
13. Copy its **Client ID** and **Client secret**.

### 2\. Add Amazon Cognito as an identity provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **OpenID Connect**.
4. Name your identity provider and fill in the required fields with the information obtained from Amazon Cognito.
5. (Optional) Enable [Proof of Key Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that you wish to add to users' identity.
7. Select **Save**.

To [test](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one) that your connection is working, select **Test**.
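What the PKCE option in step 5 adds to the login, shown as an added example that is not Cloudflare's or Amazon's code: Cloudflare generates these values itself when PKCE (Proof Key for Code Exchange, RFC 7636) is enabled, so this is for understanding and for testing a user pool client by hand, not something you deploy. It derives the S256 `code_challenge` from a random `code_verifier`, builds the authorization-code request against the `/oauth2/authorize` endpoint listed in step 5 with the scopes from step 10, and checks the `state` on the way back. `<your user pool domain>`, `<your client id>` and `<your-team-name>` are the page's placeholders; the sample callback URLs in the usage are constructed.

```python
# Added example (not Cloudflare's or Amazon's code): the PKCE (RFC 7636)
# values behind the PKCE option above. Cloudflare computes these itself when
# PKCE is enabled; the functions here show what is generated and how the
# authorize request to the documented Cognito /oauth2/authorize endpoint is
# built. Placeholders: <your user pool domain>, <your client id>,
# <your-team-name>.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CALLBACK_URL = "https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback"
SCOPES = ("openid", "email", "profile")  # the scopes selected in step 10


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43-character base64url string."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(user_pool_domain: str, client_id: str, state: str, verifier: str) -> str:
    """Authorization-code request with the S256 challenge attached.

    Only the challenge leaves the client; the verifier is kept for the token
    request, so an intercepted code is useless without it.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"https://{user_pool_domain}/oauth2/authorize?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the state round-tripped intact.

    The state check ties the callback to the request that started the flow;
    the verifier is then sent to /oauth2/token together with the code so the
    IdP can confirm it hashes to the challenge it saw in the authorize request.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries neither a code nor an error")
    return query["code"][0]


if __name__ == "__main__":
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("<your user pool domain>", "<your client id>", state, verifier))
```

The verifier and state are generated per login with `secrets`, never reused, and only the SHA-256 challenge is placed in the URL; the RFC 7636 test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) is a convenient way to confirm `s256_challenge` against any other implementation.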

## Example API Configuration

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "auth_url": "https://<your user pool domain>/oauth2/authorize",
    "token_url": "https://<your user pool domain>/oauth2/token",
    "certs_url": "https://cognito-idp.<region>.amazonaws.com/<your user pool ID>/.well-known/jwks.json",
    "scopes": ["openid", "email", "profile"],
    "claims": ["sub", "cognito:username", "name", "cognito:groups"]
  },
  "type": "oidc",
  "name": "Amazon Cognito example"
}
```


---

---
title: Centrify
description: Centrify in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ OIDC ](https://developers.cloudflare.com/search/?tags=OIDC)[ SSO ](https://developers.cloudflare.com/search/?tags=SSO) 

# Centrify

Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise resources so you can prevent the number one cause of breaches: privileged access abuse.

## Set up Centrify as an OIDC provider

### 1\. Create an application in Centrify

1. Log in to the Centrify administrator panel.
2. Select **Apps**.
3. Select **Add Web Apps**.
4. Select the **Custom** tab, then select **Add OpenID Connect**.
5. On the **Add Web App** screen, select **Yes** to create an OpenID Connect application.
6. Enter an **Application ID**.  
![Centrify Settings with Application ID added](https://developers.cloudflare.com/_astro/centrify-4.C0i78_vc_ZkDtB8.webp)
7. Select **Save**.
8. Select **Trust** in the **Settings** menu.
9. Enter a strong application secret on the **Trust** section.
10. Under **Service Provider Configuration** enter your application's authentication domain as the resource application URL.
11. Under **Authorized Redirect URIs**, select **Add**.
12. Under **Authorized Redirect URIs**, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.  
![Centrify Trust Identity Provider Configuration with team domain and callback](https://developers.cloudflare.com/_astro/centrify-6.ChCQ_t69_ZFR8qj.webp)
13. Select **Save**.
14. Copy the following values:
* **Client ID**
* **Client Secret**
* **OpenID Connect Issuer URL**
* **Application ID** from the **Settings** tab
15. Go to the **User Access** tab.
16. Select the roles to grant access to your application.

### 2\. Add Centrify to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**.
4. (Optional) To enable SCIM, refer to [Synchronize users and groups](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#synchronize-users-and-groups).
5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that you wish to add to your users' identity.
6. Select **Save**.

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to the identity provider you want to test.

## Example API Config

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "centrify_account": "https://abc123.my.centrify.com/",
    "centrify_app_id": "exampleapp"
  },
  "type": "centrify",
  "name": "my example idp"
}
```


---

---
title: Centrify (SAML)
description: Learn how to integrate Centrify as a SAML identity provider with Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---



# Centrify (SAML)

Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise resources so you can prevent the number one cause of breaches: privileged access abuse.

## Set up Centrify as a SAML provider

### 1\. Create an application in Centrify

1. Log in to your **Centrify** admin portal and select **Apps**.
2. Select **Add Web Apps**.
3. Select the **Custom** tab.
4. Next to the **SAML** icon, select **Add**.  
![Centrify Settings Add Application details page with template text](https://developers.cloudflare.com/_astro/saml-centrify-3.CEH90Xdy_Z12XoVA.webp)
5. Enter the required information for your application.
6. Select **Save**.
7. Select **Settings** in the left pane.
8. In the middle menu pane, select **Trust**.
9. Choose the **Manual Configuration** option.
10. In the **SP Entity ID** and **Assertion Consumer Service (ACS) URL fields**, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
11. Select **Save**.
12. In the middle menu pane, select **User Access**.
13. Select **Add**. The **Select Role** dialog displays.
14. Complete your roles access assignments. The Role rules display on the **User Access** card.
15. In the **User Access** card's middle menu pane, select **SAML Response**.
16. Select **Active** \> **Add** to create a new **Attribute Name**, **Email**.  
![Centrify SAML Response card with Settings Email Attribute selected](https://developers.cloudflare.com/_astro/saml-centrify-9.BpHIxUlM_Z1k5Evp.webp)
17. Enter the user email addresses in the **Attribute Value** field.
18. Select **Save**.
19. Select **Settings** again from the left menu pane, and **Trust**.
20. Select the **Manual Configuration** option.

### 2\. Add Centrify to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **SAML**.
4. Copy and paste the corresponding information from Centrify into the fields.
5. (Optional) To enable SCIM, refer to [Synchronize users and groups](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#synchronize-users-and-groups).
6. (Optional) Under **Optional configurations**, configure [additional SAML options](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#optional-configurations).
7. Select **Save**.

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to the identity provider you want to test.

## Download SP metadata (optional)

Some IdPs allow administrators to upload metadata files from their SP (service provider).

To get your Cloudflare metadata file:

1. Download your unique SAML metadata file at the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/saml-metadata  
```
2. Save the file in XML format.
3. Upload the XML document to your **Centrify** account.
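Before uploading SP metadata to the IdP it is worth confirming that the entityID and AssertionConsumerService URL inside the file are the same callback URL you typed into the **SP Entity ID** and **ACS URL** fields, and that the descriptor asks for signed assertions. The following is an added example, not Cloudflare's code: it parses a constructed SAML 2.0 SP metadata document (standard `urn:oasis:names:tc:SAML:2.0:metadata` schema; the team name `example-team` and the exact document shape are assumptions, since Cloudflare's real metadata output may carry additional elements) and reports any mismatch against the expected callback URL.

```python
"""Check a SAML SP metadata document before uploading it to an IdP.

Added example, not Cloudflare's code. It parses a constructed SP metadata
XML in the standard SAML 2.0 metadata format and confirms that the entityID
and HTTP-POST AssertionConsumerService URL match the Access callback URL for
a given team name.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample for a hypothetical team named "example-team".
# This is the general SAML 2.0 SP metadata shape, not Cloudflare's real output.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-team.cloudflareaccess.com/cdn-cgi/access/callback">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-team.cloudflareaccess.com/cdn-cgi/access/callback"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def callback_url(team_name: str) -> str:
    """The Access callback URL the page tells you to enter as SP Entity ID and ACS URL."""
    return f"https://{team_name}.cloudflareaccess.com/cdn-cgi/access/callback"


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, HTTP-POST ACS locations, NameID formats and the signing requirement."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs_urls = [
        e.attrib["Location"]
        for e in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
        if e.attrib.get("Binding") == HTTP_POST
    ]
    name_id_formats = [e.text.strip() for e in sp.findall(f"{{{MD_NS}}}NameIDFormat") if e.text]
    return {
        "entity_id": root.attrib.get("entityID", ""),
        "acs_urls": acs_urls,
        "name_id_formats": name_id_formats,
        "want_assertions_signed": sp.attrib.get("WantAssertionsSigned", "false").lower() == "true",
    }


def check_sp_metadata(xml_text: str, team_name: str) -> list:
    """Return findings; an empty list means the metadata agrees with the team's callback URL."""
    info = parse_sp_metadata(xml_text)
    expected = callback_url(team_name)
    findings = []
    if info["entity_id"] != expected:
        findings.append(f"entityID {info['entity_id']!r} != expected {expected!r}")
    if expected not in info["acs_urls"]:
        findings.append(f"no HTTP-POST ACS endpoint at {expected!r}; found {info['acs_urls']}")
    if not all(u.startswith("https://") for u in info["acs_urls"]):
        findings.append("an ACS endpoint is not served over https")
    if not info["want_assertions_signed"]:
        findings.append("SP does not require signed assertions")
    return findings


if __name__ == "__main__":
    for line in check_sp_metadata(SAMPLE_SP_METADATA, "example-team") or ["metadata matches team example-team"]:
        print(line)
```

Run it against the file you downloaded (replace `SAMPLE_SP_METADATA` with the file contents and `example-team` with your team name); a non-empty findings list means the IdP would be handed an entityID or ACS URL that does not match what you configured by hand.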

## Example API configuration

```json
{
  "config": {
    "issuer_url": "https://abc123.my.centrify.com/baaa2117-0ec0-4d76-84cc-abccb551a123",
    "sso_target_url": "https://abc123.my.centrify.com/applogin/appKey/baaa2117-0ec0-4d76-84cc-abccb551a123/customerId/abc123",
    "attributes": ["email"],
    "email_attribute_name": "",
    "sign_request": false,
    "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
  },
  "type": "saml",
  "name": "centrify saml example"
}
```


---

---
title: Citrix ADC (SAML)
description: Citrix ADC (SAML) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---



# Citrix ADC (SAML)

Cloudflare One can integrate with Citrix ADC (formerly Citrix NetScaler ADC) as a SAML IdP. Documentation from Citrix shows you [how to configure Citrix ADC as a SAML IdP ↗](https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/saml-authentication/citrix-adc-saml-idp.html). These steps are specific to Cloudflare One.

## Set up Citrix ADC (SAML)

To set up Citrix ADC (SAML) as your identity provider:

1. First, you'll need to configure two SAML certificates:  
   * A certificate to **terminate TLS at the vServer**. Ensure that the certificate is issued by a publicly trusted CA.  
   * A certificate for **signing SAML assertions**.  
   If you do not already have a certificate for signing SAML assertions, you can use a self-signed certificate generated on Citrix ADC by following these steps:  
   1. Go to **Traffic Management** \> **SSL**.  
   2. Select **Create and Install a Server Test Certificate**.  
   3. Select **Configuration** and enter a **Certificate File Name**, **Fully Qualified Domain Name**, and select a **Country**.  
   ![Citrix AD Create and Install Test Certificate interface with file name, domain name, and country](https://developers.cloudflare.com/_astro/citrixadc-saml-2.D4502Bei_8Aa5v.webp)
2. Create a publicly accessible authentication vServer and configure the user identity source (for example, local users or LDAP) by following this [Citrix documentation ↗](https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/authentication-virtual-server/ns-aaa-setup-auth-vserver-tsk.html).  
   The rest of this example uses `idp.yourdomain.com` as the IdP address.

## Add a new profile

1. Go to **Security** \> **AAA - Application Traffic** \> **Policies** \> **Authentication** \> **Advanced Policies** \> **SAML IDP** to add a new profile.  
Include the following required configuration details:  
| Field                              | Value                                                                                  |  
| ---------------------------------- | -------------------------------------------------------------------------------------- |  
| **Name**                           | The certificate name you defined while [configuring SAML](#set-up-citrix-adc-saml)     |  
| **Assertion Consumer Service URL** | `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback`                |  
| **IdP Certificate Name**           | The IdP certificate name you defined while [configuring SAML](#set-up-citrix-adc-saml) |  
| **Issuer Name**                    | `https://idp.<yourdomain>.com/saml/login`                                              |  
| **Service Provider ID**            | `https://idp.<yourdomain>.com/saml/login`                                              |  
| **Name ID Format**                 | `EmailAddress`                                                                         |  
| **Attribute 1**                    | `email = AAA.USER.ATTRIBUTE("email")`                                                  |  
Cloudflare Access currently sends the IdP address in place of the _Service Provider ID_ for the AuthN request.
2. Create an Authentication Policy that refers to the Profile just created, and bind it to the authentication vServer mentioned above.  
![Citrix AD Configure Authentication SAML IDP Policy](https://developers.cloudflare.com/_astro/citrixadc-saml-4.Ci1ulauO_1NAuTh.webp)  
To configure all of the above using just the CLI, run the following:  
```  
add authentication samlIdPProfile samlProf_CloudflareAccess \  
    -samlIdPCertName SAML_Signing \  
    -assertionConsumerServiceURL "https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback" \  
    -samlIssuerName "https://idp.yourdomain.com/saml/login" \  
    -rejectUnsignedRequests OFF \  
    -NameIDFormat emailAddress \  
    -Attribute1 email \  
    -Attribute1Expr "AAA.USER.ATTRIBUTE(\"email\")" \  
    -Attribute1Format Basic \  
    -serviceProviderID "https://idp.yourdomain.com/saml/login"  
add authentication samlIdPPolicy samlPol_CloudflareAccess -rule true -action samlProf_CloudflareAccess  
bind authentication vserver nsidp -policy samlPol_CloudflareAccess  
```
3. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
4. Under **Your identity providers**, select **Add new identity provider**.
5. Configure the fields as follows:  
| Field                        | Description                                      |  
| ---------------------------- | ------------------------------------------------ |  
| **Name**                     | Your chosen name                                 |  
| **Single Sign On URL**       | The FQDN of the IdP, with the path /saml/login   |  
| **IdP Entity ID/Issuer URL** | As above                                         |  
| **Signing Certificate**      | The public certificate from the NetScaler        |  
| **Email attribute name**     | This is listed under **Optional configurations** |
6. Select **Save**.

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to the identity provider you want to test.


---

---
title: Microsoft Entra ID
description: Microsoft Entra ID in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---



# Microsoft Entra ID

You can integrate Microsoft Entra ID (formerly Azure Active Directory) with Cloudflare One and build policies based on user identity and group membership. Users will authenticate to Cloudflare One using their Entra ID credentials.

## Set up Entra ID as an identity provider

### 1\. Obtain Entra ID settings

The following Entra ID values are required to set up the integration:

* Application (client) ID
* Directory (tenant) ID
* Client secret

To retrieve those values:

1. Log in to the [Microsoft Entra admin center ↗](https://entra.microsoft.com/).
2. Go to **Applications** \> **Enterprise applications**.
3. Select **New application**, then select **Create your own application**.
4. Name your application.
5. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)**. If offered, do not select any of the gallery applications. Select **Create**.
6. Under **Redirect URI**, select the _Web_ platform and enter the following URL.  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.  
![Registering an application in Azure](https://developers.cloudflare.com/_astro/name-app.BaJD5DTz_Z1qXF9G.webp)
7. Select **Register**.
8. Next, return to Microsoft Entra ID and go to **Applications** \> **App registrations**.
9. Select **All applications** and select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**. You will need these values when [adding Entra ID as an identity provider in step 3](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#3-add-entra-id-as-an-identity-provider).  
![Viewing the Application ID and Directory ID in Azure](https://developers.cloudflare.com/_astro/azure-values.BIjGV_0A_Z8hYDB.webp)
10. On the same page, under **Client credentials**, go to **Add a certificate or secret**. Select **New client secret**.
11. Name the client secret and choose an expiration period.  
Note  
When the client secret expires, users will be unable to log in through Access. Take note of your expiry date to prevent login errors and renew your client secret when necessary.
12. After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation. You will need this client secret value when [adding Entra ID as an identity provider in step 3](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#3-add-entra-id-as-an-identity-provider).  
![Location of client secret in Azure](https://developers.cloudflare.com/_astro/client-cert-value.BgU55T2B_ZpRM7a.webp)

### 2\. Configure API permissions in Entra ID

1. Go to **App registrations** \> **All applications** \> select your application > **API permissions**.
2. Select **Add a permission**.
3. Select **Microsoft Graph**.
4. Select **Delegated permissions** and enable the following [permissions ↗](https://learn.microsoft.com/graph/permissions-reference):  
   * `email`  
   * `offline_access`  
   * `openid`  
   * `profile`  
   * `User.Read`  
   * `Directory.Read.All`  
   * `GroupMember.Read.All`

Note

More narrow permissions may be used, however this is the set of permissions that are tested and supported by Cloudflare.

5. Once all seven permissions are enabled, select **Add permissions**.
6. Select **Grant admin consent**.  
![Configured permissions list in Azure](https://developers.cloudflare.com/_astro/configured-perms.C3NcHNrM_jWwgm.webp)

### 3\. Add Entra ID as an identity provider

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **Azure AD**.
4. Enter the **Application (client) ID**, **Client secret**, and **Directory (tenant) ID** obtained from Microsoft Entra ID.
5. Select **Save**.
6. To [test](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one) that your connection is working, select **Test**.
7. (Optional) Configure the following settings:  
   * **Proof Key for Code Exchange**: Perform [PKCE ↗](https://www.oauth.com/oauth2-servers/pkce/) on all login attempts.  
   * **Support Groups**: Allow Cloudflare to read a user's Entra ID group membership.  
   * **Entra ID Policy Sync**: Refer to our [Entra ID Conditional Access tutorial](https://developers.cloudflare.com/cloudflare-one/tutorials/entra-id-conditional-access/).  
   * **Enable SCIM**: Refer to [Synchronize users and groups](#synchronize-users-and-groups).  
   * **Email claim**: Enter the Entra ID claim that you wish to use for user identification (for example, `preferred_username`).  
   * **OIDC Claims**: Enter [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that you wish to add to your users' identity.

**API**

Make a `POST` request to the [Identity Providers](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/identity%5Fproviders/methods/create/) endpoint:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Organizations, Identity Providers, and Groups Write`

Add an Access identity provider

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Entra ID example",
    "type": "azureAD",
    "config": {
        "client_id": "<your client id>",
        "client_secret": "<your client secret>",
        "directory_id": "<your azure directory uuid>",
        "support_groups": true
    }
  }'
```

**Terraform**

Provider versions

The following example requires Cloudflare provider version `4.40.0` or greater.

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Access: Organizations, Identity Providers, and Groups Write`
2. Configure the [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource:  
```
resource "cloudflare_zero_trust_access_identity_provider" "microsoft_entra_id" {
  account_id = var.cloudflare_account_id
  name       = "Entra ID example"
  type       = "azureAD"
  config = {
    client_id      = var.entra_id_client_id
    client_secret  = var.entra_id_client_secret
    directory_id   = var.entra_id_directory_id
    support_groups = true
  }
}
```

#### UPN and email

If your organization's UPNs do not match users' email addresses, you must add a custom claim for email. For example, if your organization's email format is `user@domain.com` but the UPN is `u908080@domain.com`, you must create an email claim if you are configuring email-based policies.

By default, Cloudflare will first look for the unique claim name you created and configured in Cloudflare One to represent email (for example, `email_identifier`) in the `id_token` JSON response. If you did not configure a unique claim name, Cloudflare will then look for an `email` claim. Last, if neither claim exists, Cloudflare will look for the UPN claim.

To receive an email claim in the `id_token` from Microsoft Entra, you must:

1. In the [Microsoft Entra admin center ↗](https://entra.microsoft.com/), go to **Application** \> **App registration** \> **All applications** and select the relevant application.
2. Under **Manage**, select **Token configuration**.
3. Add a claim for email.  
![Email claim for Entra](https://developers.cloudflare.com/_astro/entra-email-claim.CPt-1jZE_1PVHWt.webp)  
The example above includes both a UPN claim and an email claim. Because an email claim was created in the Microsoft Entra configuration, Cloudflare will look for the `email` key-value pair in the JSON response.
4. If you gave your email claim another name than `email`, you must update your configuration in Cloudflare One:  
a. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers** \> **Azure AD** \> **Edit**.  
b. Under **Optional configurations** \> **Email claim**, enter the name of the claim representing your organization's email addresses.
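The claim precedence described above (configured custom email claim, then `email`, then the UPN) is easy to get wrong when UPNs and mail addresses diverge, so here is the lookup written out as an added example. This is not Cloudflare's code: it decodes the payload of a constructed, unsigned `id_token` and applies that order to its claims. Assumptions: the UPN arrives under the claim name `upn`, and a configured custom claim that is absent from the token falls through to the next candidate; the sample addresses are the page's own placeholders. Signature verification is deliberately outside the scope of the example, which only demonstrates which claim wins.

```python
"""Resolve the user's email from an Entra ID id_token by the documented precedence.

Added example, not Cloudflare's code. Order: the custom email claim configured
in Cloudflare One (if any), then `email`, then the UPN claim. The token built
here is unsigned (alg=none) and exists only so the payload decoding is
realistic; this block does not verify signatures.
"""
import base64
import json
from typing import Optional, Tuple

# Assumption: Entra ID v1.0 tokens carry the UPN under the `upn` claim.
UPN_CLAIM = "upn"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(token: str) -> dict:
    """Decode the payload segment of a JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def resolve_email(claims: dict, custom_email_claim: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (claim_name, value) for the first candidate present, or None if no candidate exists."""
    order = []
    if custom_email_claim:
        order.append(custom_email_claim)   # the claim named under Optional configurations > Email claim
    order += ["email", UPN_CLAIM]
    for name in order:
        value = claims.get(name)
        if isinstance(value, str) and value:
            return name, value
    return None


# Constructed sample matching the page's scenario: the UPN is an employee-id
# style address while the mailbox address lives in the `email` claim.
SAMPLE_CLAIMS = {
    UPN_CLAIM: "u908080@domain.com",
    "email": "user@domain.com",
    "email_identifier": "user.alias@domain.com",
    "oid": "00000000-0000-0000-0000-000000000000",  # placeholder object id
}

if __name__ == "__main__":
    claims = id_token_claims(make_unsigned_id_token(SAMPLE_CLAIMS))
    print("custom claim configured:", resolve_email(claims, "email_identifier"))
    print("no custom claim:        ", resolve_email(claims))
    print("UPN only:               ", resolve_email({UPN_CLAIM: "u908080@domain.com"}))
```

The second call is the case the section warns about: without an email claim in the token and without a configured custom claim, email-based policies would be evaluated against `u908080@domain.com` rather than `user@domain.com`.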

#### Object ID

If you are concerned that users' emails or UPNs may change, you can pass the user's object ID (`oid`) from Microsoft Entra to Cloudflare Access. To configure Access to receive the object ID, refer to [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims). No additional configuration is required in Microsoft Entra.

## Synchronize users and groups

The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/).

### Prerequisites

* Microsoft Entra ID P1 or P2 license

### 1\. Enable SCIM in Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Find the Entra ID integration and select **Edit**.
3. Turn on **Enable SCIM** and **Support groups**.
4. (Optional) Configure the following settings:
* **Enable user deprovisioning**: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when they are removed from the SCIM application in Entra ID. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
* **Remove user seat on deprovision**: [Remove a user's seat](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) from your Cloudflare One account when they are removed from the SCIM application in Entra ID.
* **SCIM identity update behavior**: Choose what happens in Cloudflare One when the user's identity updates in Entra ID.  
   * _Automatic identity updates_: Automatically update the [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/) when Entra ID sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and Cloudflare One Client [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/); Access will read the user's updated identity when they reauthenticate.  
   * _Group membership change reauthentication_: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when their group membership changes in Entra ID. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). Access will read the user's updated group membership when they reauthenticate.  
   * _No action_: Update the user's identity the next time they reauthenticate to Access or the Cloudflare One Client.
5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into Entra ID.
6. Select **Save**.

The SCIM secret never expires, but you can manually regenerate the secret at any time.

### 2\. Configure SCIM in Entra ID

Note

SCIM requires a separate enterprise application from the one created during [initial setup](#set-up-entra-id-as-an-identity-provider).

1. In the Microsoft Entra ID menu, go to **Enterprise applications**.
2. Select **New application** \> **Create your own application**.
3. Name your application (for example, `Cloudflare Access SCIM`).
4. Select **Integrate any other application you don't find in the gallery (Non-gallery)**. If offered, do not select any of the gallery applications. Select **Create**.
5. After you have created the application, go to **Provisioning** \> select **New Configuration**.
6. In the **Tenant URL** field, enter the **SCIM Endpoint** obtained from your Entra ID integration in Cloudflare One [in the previous step](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#1-enable-scim-in-zero-trust).
7. In the **Secret token** field, enter the **SCIM Secret** obtained from your Entra ID integration in Cloudflare One [in the previous step](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#1-enable-scim-in-zero-trust).
8. Select **Test Connection** to ensure that the credentials were entered correctly. If the test fails, go to your Entra ID integration in Cloudflare One, select **Regenerate Secret**, select **Save**, and enter your new **SCIM Secret** in the **Secret token** field.
9. Select **Create**.
10. Once the SCIM application is created, [assign users and groups to the application ↗](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal).

Note

Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.

11. Go to **Provisioning** and select **Start provisioning**.
12. For **Provisioning Mode**, the default mode should be set by Microsoft to _Automatic_.
13. On the **Overview** page in Entra ID, you will see the synchronization status.

To check which users and groups were synchronized, select **Provisioning logs**.

To check if user identities were updated in Cloudflare One, view your [SCIM provisioning logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/).

Note

New users must first [register the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin.

To monitor the exchange of identity details between Cloudflare Access and Microsoft Entra ID, go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) \> **Zero Trust** \> **Insights** \> **Logs** \> **SCIM provisioning logs** and view the [SCIM activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/).

### Provisioning attributes

Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Attribute mapping** and select **Provision Microsoft Entra ID Users**.

If not already configured, Cloudflare recommends enabling the following user attribute mappings:

| customappsso Attribute         | Entra ID Attribute        | Recommendation                                                   |
| ------------------------------ | ------------------------- | ---------------------------------------------------------------- |
| userName                       | userPrincipalName or mail | Required. Must match the user's email address in Cloudflare One. |
| emails\[type eq "work"\].value | mail                      | Required. Must match the user's email address in Cloudflare One. |
| name.givenName                 | givenName                 | Recommended                                                      |
| name.familyName                | surname                   | Recommended                                                      |
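The two "Required" rows in the table are the ones that break provisioning silently when they drift: if `userName` or the work email does not equal the address Cloudflare One knows the user by, the SCIM update does not land on that identity. The following added example (not Cloudflare's or Microsoft's code) checks a constructed SCIM 2.0 User resource, shaped like what the `customappsso` mappings produce, against those recommendations. The sample user and address are placeholders; the check compares addresses case-insensitively, which is an assumption about how the match is performed.

```python
"""Check a SCIM 2.0 User resource against the attribute mappings the page recommends.

Added example, not Cloudflare's or Microsoft's code. It inspects a constructed
resource carrying userName, emails[type eq "work"].value, name.givenName and
name.familyName, and reports whether the required values match the user's
Cloudflare One email.
"""

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample resource; the address is a placeholder.
SAMPLE_SCIM_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@example.com", "type": "work", "primary": True}],
    "active": True,
}


def work_email(user: dict):
    """Value of emails[type eq "work"].value, or None when no work address is present."""
    for entry in user.get("emails", []):
        if entry.get("type") == "work" and entry.get("value"):
            return entry["value"]
    return None


def check_scim_user(user: dict, cloudflare_email: str) -> list:
    """Return findings; an empty list means the resource satisfies the recommended mappings."""
    findings = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        findings.append("missing core User schema")

    # Required: userName must match the user's email address in Cloudflare One.
    user_name = user.get("userName")
    if not user_name:
        findings.append("userName is required")
    elif user_name.lower() != cloudflare_email.lower():   # case-insensitive match is an assumption
        findings.append(f"userName {user_name!r} does not match Cloudflare One email {cloudflare_email!r}")

    # Required: emails[type eq "work"].value must match as well.
    email = work_email(user)
    if not email:
        findings.append('emails[type eq "work"].value is required')
    elif email.lower() != cloudflare_email.lower():
        findings.append(f"work email {email!r} does not match Cloudflare One email {cloudflare_email!r}")

    # Recommended: given and family name.
    name = user.get("name") or {}
    for attr in ("givenName", "familyName"):
        if not name.get(attr):
            findings.append(f"name.{attr} is recommended but missing")
    return findings


if __name__ == "__main__":
    # A user whose userName was mapped from a UPN that differs from the mailbox address.
    upn_user = dict(SAMPLE_SCIM_USER, userName="u908080@example.com")
    print(check_scim_user(SAMPLE_SCIM_USER, "jdoe@example.com"))
    print(check_scim_user(upn_user, "jdoe@example.com"))
```

The second run reproduces the situation where `userName` is mapped from `userPrincipalName` while the UPN is not the email address: the work email still matches, but `userName` does not, which is exactly the mismatch the table's "Required" note is about.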

## Entra groups in Zero Trust policies

### Automatic entry

When [SCIM synchronization is enabled](#synchronize-users-and-groups), your Entra group names will automatically appear in the Access and Gateway policy builders.

![Azure group names displayed in the Access policy builder](https://developers.cloudflare.com/_astro/azure-scim-groups.CShvL-AY_Z1iMluz.webp) 

If building a Gateway policy, choose the [_User Group Names_](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#user-group-names) selector.

### Manual entry

You can create Access and Gateway policies for groups that are not synchronized with SCIM. Entra ID exposes directory groups in a format that consists of random strings, the `Object Id`, that is distinct from the `Name`.

1. Make sure you enable **Support groups** as you set up Microsoft Entra ID in Cloudflare One.
2. In your Microsoft Entra dashboard, note the `Object Id` for the Entra group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`.  
![Viewing the Azure group ID on the Azure dashboard](https://developers.cloudflare.com/_astro/object-id.Cr5EOUSk_Z1BAiJq.webp)
3. If building an Access policy, choose the _Azure Groups_ selector. If building a Gateway policy, choose the _User Group IDs_ selector.
4. In the **Value** field, enter the `Object Id` for the Entra group.  
![Entering an Azure group ID in Cloudflare One](https://developers.cloudflare.com/_astro/configure-group-n.CdHBsLpw_Z1zm43i.webp)

### Nested groups

#### Authentication

Access and Gateway policies for an Entra group will also apply to all [nested groups ↗](https://learn.microsoft.com/entra/fundamentals/how-to-manage-groups#add-a-group-to-another-group). For example, if a user belongs to the group `US devs`, and `US devs` is part of the broader group `Devs`, the user would be allowed or blocked by all policies created for `Devs`.

#### SCIM provisioning

For SCIM provisioning, [nested groups are not supported ↗](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works#assignment-based-scoping). Microsoft Entra ID's SCIM implementation does not send information about nested group memberships to Cloudflare. Only users who are direct members of an explicitly assigned group will be provisioned. To ensure group memberships are correctly synchronized, you must flatten your groups in Entra ID by directly assigning users to the groups you want to provision.

Since the SCIM request from Microsoft does not include nested group information, neither Cloudflare nor Microsoft can provide a notification that nested groups are not being synchronized.
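
As an added example (Python, not Cloudflare or Microsoft code) of the flattening the previous paragraph calls for: given each group's direct members, it computes which users an Access or Gateway policy on the group would cover through nesting but SCIM would never provision, and the direct-membership lists to apply in Entra ID so that both agree. The directory snapshot below is constructed; in a real tenant you would read each group's direct members through Microsoft Graph and make the assignments there.

```python
"""Flatten nested Entra ID groups so SCIM provisions every member.  Added example, not
Cloudflare or Microsoft code; DIRECTORY is a constructed snapshot of direct memberships."""
from collections import deque

# Constructed directory: each group's *direct* members, split into users (emails) and groups.
DIRECTORY = {
    "Devs": {"users": ["lead@example.com"], "groups": ["US devs", "EU devs"]},
    "US devs": {"users": ["alice@example.com"], "groups": ["US interns"]},
    "EU devs": {"users": ["bob@example.com"], "groups": []},
    "US interns": {"users": ["carol@example.com"], "groups": []},
}

def transitive_users(group: str, directory: dict) -> set:
    """Every user reachable from `group` through any depth of nesting."""
    seen, users, queue = {group}, set(), deque([group])
    while queue:
        entry = directory.get(queue.popleft(), {"users": [], "groups": []})
        users.update(entry["users"])
        for child in entry["groups"]:
            if child not in seen:  # guards against diamonds and cycles
                seen.add(child)
                queue.append(child)
    return users

def scim_provisioned_users(group: str, directory: dict) -> set:
    """What Entra ID's SCIM client sends for `group`: its direct user members only."""
    return set(directory[group]["users"])

def nested_only_members(group: str, directory: dict) -> list:
    """Users a policy on `group` covers (nested groups apply) but SCIM will never provision."""
    return sorted(transitive_users(group, directory) - scim_provisioned_users(group, directory))

def flattened_assignments(directory: dict, groups_to_provision) -> dict:
    """Direct-membership lists to apply in Entra ID so SCIM and policy evaluation agree."""
    return {g: sorted(transitive_users(g, directory)) for g in groups_to_provision}
```

Run `nested_only_members("Devs", DIRECTORY)` on the snapshot and you get the three engineers who belong to `Devs` only through `US devs`, `EU devs` and `US interns`; `flattened_assignments(DIRECTORY, ["Devs"])` is the membership list to apply in Entra ID before assigning `Devs` to the SCIM application.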

## Force user interaction during device client reauthentication

You can require users to re-enter their credentials into Entra ID whenever they [re-authenticate their Cloudflare One Client session](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). To configure this setting:

1. Make a `GET` request to the [Identity Providers endpoint](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/identity%5Fproviders/) and copy the response for the Entra ID identity provider.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Organizations, Identity Providers, and Groups Write`  
   * `Access: Organizations, Identity Providers, and Groups Read`  
Get an Access identity provider  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```
2. [Update the Entra ID identity provider](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/identity%5Fproviders/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Organizations, Identity Providers, and Groups Write`  
Update an Access identity provider  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID" \  
  --request PUT \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",  
    "type": "azureAD",  
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",  
    "name": "Entra ID",  
    "version": "31e74e9b4f033e16b604552091a72295",  
    "config": {  
        "azure_cloud": "default",  
        "client_id": "<CLIENT_ID>",  
        "conditional_access_enabled": false,  
        "directory_id": "<AZURE_DIRECTORY_ID>",  
        "redirect_url": "https://<TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/callback",  
        "prompt": "login",  
        "support_groups": true  
    },  
    "scim_config": {  
        "enabled": true,  
        "user_deprovision": true,  
        "seat_deprovision": false,  
        "group_member_deprovision": false,  
        "identity_update_behavior": "automatic"  
    },  
    "scim_base_url": "https://<TEAM_NAME>.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2"  
  }'  
```

---

---
title: Facebook
description: Facebook in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Facebook

Use these steps to set up Facebook as your identity provider.

1. Go to [developers.facebook.com ↗](https://developers.facebook.com/). Create a Developer account if you do not have one.
2. Select **Create App** at the top-right. The **Create an app** card displays.
3. Enter the **App name** and **App contact email**. Then, select **Next**.
4. In the **Add use cases** page, select **Authenticate and request data from users with Facebook Login**. Select **Next**.
5. Fill in the necessary information and select **Next** until you reach **Overview**. Then, select **Create app**.
6. In the **My Apps** page, go to **App settings** \> **Basic**.
7. Copy the **App ID** and **App Secret**.
8. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
9. Under **Your identity providers**, select **Add an identity provider**.
10. Fill in the **App ID** and **App Secret** obtained from Facebook.
11. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
12. Select **Save**.
13. Go back to **My Apps** in [developers.facebook.com ↗](https://developers.facebook.com/), and select your app.
14. Under **App customization and requirements**, select **Customize the Authenticate and request data from users with Facebook Login use case**.
15. Select **Settings**, and ensure that the **Use Strict Mode for redirect URIs** toggle is set to **Yes**.
16. In the **Valid OAuth Redirect URIs** field, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
17. Select **Save Changes**.

To test that your connection is working, follow the steps on [SSO Integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one).

## Example API Configuration

```
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>"
  },
  "type": "facebook",
  "name": "my example idp"
}
```

---

---
title: Generic OIDC
description: Generic OIDC in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Generic OIDC

Cloudflare Access provides a generic OpenID Connect (OIDC) connector for integrating identity providers that do not have a dedicated integration in Access.

## 1\. Create an application in your identity provider

1. Visit your identity provider and create a client/app.
2. When creating a client/app, your IdP may request an **authorized redirect URI**. Enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
3. Copy the content of these fields:  
   * Client ID  
   * Client secret  
   * Auth URL: The `authorization_endpoint` URL of your IdP  
   * Token URL: The `token_endpoint` URL of your IdP  
   * Certificate URL: The `jwks_uri` endpoint of your IdP, which publishes the public keys Access uses to verify the signatures on the tokens your IdP issues  
You can find these values on your identity provider's **OIDC discovery endpoint**. Some providers call this the "well-known URL".

## 2\. Add an OIDC provider to Cloudflare One

Add the provider in the dashboard, with the API, or with Terraform (v5):

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Choose **OpenID Connect**.
4. Name your identity provider and fill in the required fields with the information obtained from your identity provider.
5. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
6. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/#user-identity).
8. Select **Save**.

Make a `POST` request to the [Identity Providers](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/identity%5Fproviders/methods/create/) endpoint:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Organizations, Identity Providers, and Groups Write`

Add an Access identity provider

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Generic OIDC example",
    "type": "oidc",
    "config": {
        "client_id": "<your client id>",
        "client_secret": "<your client secret>",
        "auth_url": "https://accounts.google.com/o/oauth2/auth",
        "token_url": "https://accounts.google.com/o/oauth2/token",
        "certs_url": "https://www.googleapis.com/oauth2/v3/certs",
        "pkce_enabled": false,
        "email_claim_name": "email",
        "claims": [
            "employeeID",
            "groups"
        ],
        "scopes": [
            "openid",
            "email",
            "profile"
        ]
    }
  }'
```

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Access: Organizations, Identity Providers, and Groups Write`
2. Configure the [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource:  
```  
resource "cloudflare_zero_trust_access_identity_provider" "generic_oidc_example" {  
  account_id = var.cloudflare_account_id  
  name       = "Generic OIDC example"  
  type       = "oidc"  
  config      = {  
    client_id = "<your client id>"  
    client_secret = "<your client secret>"  
    auth_url = "https://accounts.google.com/o/oauth2/auth"  
    token_url = "https://accounts.google.com/o/oauth2/token"  
    certs_url = "https://www.googleapis.com/oauth2/v3/certs"  
    pkce_enabled = false  
    email_claim_name = "email"  
    claims = ["employeeID", "groups"]  
    scopes = ["openid", "email", "profile"]  
  }  
}  
```

## 3\. Test the connection

To test that your connection is working, go to **Authentication** \> **Login methods** and select **Test** next to the login method you want to test. On success, a confirmation screen displays.

## Synchronize users and groups

The generic OIDC integration allows you to synchronize user groups and automatically deprovision users using [SCIM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/).

### Prerequisites

Your identity provider must support SCIM version 2.0.

### 1\. Enable SCIM in Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Find the IdP integration and select **Edit**.
3. Turn on **Enable SCIM**.
4. (Optional) Configure the following settings:
   * **Enable user deprovisioning**: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when they are removed from the SCIM application in IdP. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
   * **Remove user seat on deprovision**: [Remove a user's seat](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) from your Cloudflare One account when they are removed from the SCIM application in IdP.
   * **SCIM identity update behavior**: Choose what happens in Cloudflare One when the user's identity updates in IdP.  
      * _Automatic identity updates_: Automatically update the [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/) when IdP sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and Cloudflare One Client [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/); Access will read the user's updated identity when they reauthenticate.  
      * _Group membership change reauthentication_: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when their group membership changes in IdP. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). Access will read the user's updated group membership when they reauthenticate.  
      * _No action_: Update the user's identity the next time they reauthenticate to Access or the Cloudflare One Client.
5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into IdP.
6. Select **Save**.

The SCIM secret never expires, but you can manually regenerate the secret at any time.

### 2\. Configure SCIM in the IdP

Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/#synchronize-users-and-groups) or [Jumpcloud](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/jumpcloud-saml/#synchronize-users-and-groups) guides.

#### IdP groups

If you would like to build policies based on IdP groups:

* Ensure that your IdP sends a field named `groups`. The name is matched case-insensitively, but it must be `groups` and nothing else; any other fields are passed through as OIDC claims.
* If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.

### 3\. Verify SCIM provisioning

To check if user identities were updated in Cloudflare One, view your [SCIM provisioning logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/).

Note

New users must first [register the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin.

## Optional configurations

### Custom OIDC claims

All OIDC IdP integrations support the use of custom OIDC claims. Once configured, Access will add the claims to the [Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) for consumption by your origin services. You can reference the custom OIDC claims in [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims), offering a means to control user access to applications based on custom identity attributes.

To add a custom OIDC claim to an IdP integration:

1. In your identity provider, ensure that the custom claim is included in your OIDC ID token.
2. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
3. Under **Your identity providers**, find your identity provider and select **Edit**.
4. Under **OIDC Claims**, enter the name of your custom claim (for example, `oid`).
5. Select **Save**.
6. Select **Test** and verify that the custom claim appears in `oidc_fields`. For example,  
```  
  "oidc_fields": {  
    "oid": "54eb1ed2-7150-44e6-bbe4-ead24c132fd4"  
  },  
```

You can now build an Access policy for the custom claim using the **OIDC Claim** or **IdP OIDC Claim** selector. You can also use custom OIDC claims as [identity-based selectors in Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims). The custom claim will be passed to origins behind Access in a [JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/#custom-saml-attributes-and-oidc-claims).

#### Email claim

You can specify a custom **Email claim** name that Access will use to identify user emails. This is useful if your IdP does not return the standard `email` claim in the OIDC ID token.

#### Multi-record OIDC claims

Cloudflare Access supports multi-record OIDC claims, that is, claims whose value is a list (such as `groups`). Each value is parsed out and can be referenced individually in policies, which allows access decisions to be made on a single entry in the list.

Cloudflare Access does not support partial OIDC claim value references or OIDC scopes.

## Supported algorithms for generic OIDC tokens

Cloudflare supports the following algorithms for verifying generic OIDC tokens:

* RS512
* RS256
* PS512
* ES256
* ES384
* ES512
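
The following is an added example (Python, standard library only), not Cloudflare's code, of the relying-party checks described in the steps above: the signing key is looked up by `kid` in the document served at the IdP's `jwks_uri` (the **Certificate URL**), the token's `alg` must be on the supported list, the email is read from a configurable claim (the **Email claim** setting), and extra claims, including a multi-valued `groups` claim, are returned as the `oidc_fields` shown under **Custom OIDC claims**. Everything here is constructed: the issuer `https://idp.example.com`, the client ID, the key ID and the IdP key are hypothetical, and the RS256 implementation is a textbook one written so the script runs offline; use a vetted JOSE library for anything beyond a demonstration. `mint_id_token` plays the IdP and can deliberately write a lying `alg` into the header, which is what the allowlist is there to stop.

```python
"""Relying-party validation of an OIDC ID token, following the checks this page describes:
key from the IdP's jwks_uri, alg allowlist, configurable email claim, extra claims as oidc_fields."""
import base64, hashlib, json, random, time

ALLOWED_ALGS = {"RS256", "RS512", "PS512", "ES256", "ES384", "ES512"}  # list from this page
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 prefix
_klen = lambda n: (n.bit_length() + 7) // 8  # modulus length in bytes

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29)):  # candidates here are large and odd
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa(bits: int = 1024) -> dict:
    """Textbook demo key with e = 65537; use a vetted library outside this demo."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key: dict, msg: bytes) -> bytes:
    return pow(_emsa_pkcs1_v15(msg, _klen(key["n"])), key["d"], key["n"]).to_bytes(_klen(key["n"]), "big")

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    return len(sig) == _klen(n) and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(msg, _klen(n))

def jwks_for(kid: str, key: dict) -> dict:  # what the IdP would publish at its jwks_uri
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64url(key["n"].to_bytes(_klen(key["n"]), "big")),
                      "e": b64url(key["e"].to_bytes(3, "big"))}]}

def mint_id_token(key: dict, kid: str, claims: dict, header_alg: str = "RS256") -> str:
    """IdP side. header_alg lets the demo forge a header that lies about the algorithm."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": header_alg, "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url(rs256_sign(key, signing_input.encode()))

def validate_id_token(token, jwks, issuer, client_id, email_claim_name="email", extra_claims=()):
    """Relying-party side. Returns (email, oidc_fields) or raises ValueError."""
    h64, p64, s64 = token.split(".")  # ValueError unless exactly three segments
    header = json.loads(b64url_decode(h64))
    if header.get("alg") not in ALLOWED_ALGS:  # "none" and HMAC algs are refused before any key lookup
        raise ValueError(f"alg {header.get('alg')!r} not supported")
    if header["alg"] != "RS256":
        raise ValueError("this demo verifies RS256 only")
    keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if len(keys) != 1:
        raise ValueError("no unique RSA key in JWKS for this kid")
    n, e = (int.from_bytes(b64url_decode(keys[0][f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h64}.{p64}".encode(), b64url_decode(s64)):
        raise ValueError("signature does not verify against the jwks_uri key")
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issuer or audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= int(time.time()):
        raise ValueError("token expired or has no exp")
    email = claims.get(email_claim_name)
    if not isinstance(email, str) or "@" not in email:
        raise ValueError(f"no usable {email_claim_name!r} claim")
    return email, {c: claims[c] for c in extra_claims if c in claims}

# Constructed demo IdP: hypothetical issuer, client id and key, not real endpoints.
ISSUER, CLIENT_ID, KID = "https://idp.example.com", "cf-access-demo-client", "demo-key-1"
IDP_KEY = gen_rsa()
JWKS = jwks_for(KID, IDP_KEY)

def demo_claims(**overrides) -> dict:
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "u-1001", "email": "jdoe@example.com",
            "exp": int(time.time()) + 300, "employeeID": "E123", "groups": ["devs", "us-devs"]}
    return {**base, **overrides}
```

`validate_id_token(mint_id_token(IDP_KEY, KID, demo_claims()), JWKS, ISSUER, CLIENT_ID, extra_claims=("employeeID", "groups"))` returns the email and `{"employeeID": "E123", "groups": ["devs", "us-devs"]}`, the same shape as the `oidc_fields` block above. A token whose header says `alg: none` or `HS256`, one signed by a key that is not in the JWKS, or one whose payload was swapped after signing, is rejected with a `ValueError`, and the `alg` check runs before any key is consulted so an HMAC-with-public-key confusion attempt never reaches the signature code.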

---

---
title: Generic SAML 2.0
description: Generic SAML 2.0 in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Generic SAML 2.0

Cloudflare One integrates with any identity provider that supports SAML 2.0. If your identity provider is not in the list of login methods in Cloudflare One, you can configure it with this generic SAML 2.0 integration (or with the generic OIDC integration if it is OIDC-based). Generic SAML is also useful when you want to pass additional SAML headers or attributes for an IdP that is already in the list.

## Prerequisites

Minimum requirements for identity providers:

* The IdP must conform to SAML 2.0.
* The IdP must provide a **Single sign-on URL**, an **Entity ID or Issuer URL**, and a **Signing certificate**.
* The IdP must include the signing public key in the SAML response.

## 1\. Create an application in your identity provider

Most identity providers allow users to create an **Application**. In this context, an application is a set of parameters that the identity provider will then pass on to Cloudflare to establish an integration.

The typical setup requirements are:

1. Create a new integration in the identity provider with the type set as **SAML**.
2. Set both the **Entity/Issuer ID** and the **Single sign-on URL** to:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
3. Set the **Name ID/Email format** to `emailAddress`.
4. (Optional) Set the signature policy to _Always Sign_.

### (Optional) Upload SAML metadata

If your identity provider supports metadata file configuration, you can use the default or identity provider specific metadata endpoint:

* **Default:** `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/saml-metadata`
* **Identity provider specific:** `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/<identity-provider-id>/saml-metadata`, where `<identity-provider-id>` is the `id` value obtained from [List Access identity providers](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/identity%5Fproviders/methods/list/). Use this endpoint if your IdP requires a configuration not defined in the default metadata file.

To download the SAML metadata file, copy-paste the metadata endpoint into a web browser and save the page as an `.xml` file. Upload this XML file to the identity provider.

## 2\. Add a SAML identity provider to Cloudflare One

Add the provider in the dashboard or with Terraform (v5):

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Select **Add new identity provider** and select **SAML**.
3. Choose a descriptive name for your identity provider.
4. Enter the **Single Sign on URL**, **IdP Entity ID or Issuer URL**, and **Signing certificate** obtained from your identity provider.
5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
7. Select **Save**.

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Access: Organizations, Identity Providers, and Groups Write`
2. Configure the [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource:  
```  
resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" {  
  account_id = var.cloudflare_account_id  
  name       = "Generic SAML example"  
  type       = "saml"  
  config      = {  
    sso_target_url = "https://example.com/1234/sso/saml"  
    issuer_url = "https://example.com/1234"  
    idp_public_certs = ["-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----"]  
    sign_request = false  
    email_attribute_name = "email"  
    attributes = ["employeeID", "groups"]  
  }  
}  
```

Warning

Set a reminder for the expiry date of the signing certificate obtained from your generic SAML identity provider. After the certificate expires, you will need to generate a new signing certificate and re-add it to your Cloudflare configuration via the Cloudflare dashboard or Terraform.

## 3\. Test the connection

You can now [test the IdP integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one). A success response should return the configured SAML attributes.

## Synchronize users and groups

The generic SAML integration allows you to synchronize user groups and automatically deprovision users using [SCIM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/).

### Prerequisites

Your identity provider must support SCIM version 2.0.

### 1\. Enable SCIM in Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Find the IdP integration and select **Edit**.
3. Turn on **Enable SCIM**.
4. (Optional) Configure the following settings:
   * **Enable user deprovisioning**: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when they are removed from the SCIM application in IdP. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
   * **Remove user seat on deprovision**: [Remove a user's seat](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) from your Cloudflare One account when they are removed from the SCIM application in IdP.
   * **SCIM identity update behavior**: Choose what happens in Cloudflare One when the user's identity updates in IdP.  
      * _Automatic identity updates_: Automatically update the [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/) when IdP sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and Cloudflare One Client [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/); Access will read the user's updated identity when they reauthenticate.  
      * _Group membership change reauthentication_: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when their group membership changes in IdP. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). Access will read the user's updated group membership when they reauthenticate.  
      * _No action_: Update the user's identity the next time they reauthenticate to Access or the Cloudflare One Client.
5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into IdP.
6. Select **Save**.

The SCIM secret never expires, but you can manually regenerate the secret at any time.

### 2\. Configure SCIM in the IdP

Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/#synchronize-users-and-groups) or [JumpCloud](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/jumpcloud-saml/#synchronize-users-and-groups) guides.

#### IdP groups

If you would like to build policies based on IdP groups:

* Ensure that your IdP sends a field named `groups`. The name is matched case-insensitively, but it must be `groups` and nothing else; any other fields are passed through as SAML attributes.
* If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.

### 3\. Verify SCIM provisioning

To check if user identities were updated in Cloudflare One, view your [SCIM provisioning logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/).

Note

New users must first [register the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin.

## Optional configurations

SAML integrations allow you to pass additional headers or claims to applications.

### Sign SAML authentication request

This optional configuration signs the SAML authentication request that Access sends to your identity provider, so the IdP can verify that the request came from Cloudflare and not from a third party. The IdP checks the signature with the Cloudflare Access public key, which it can obtain at `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/certs`. In Terraform this corresponds to the `sign_request` setting.

### Email attribute name

Many [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) depend on a user's email address. Some identity providers have a different naming for the email address attribute (for example, `Email`, `e-mail`, `emailAddress`). This can typically be checked in the identity provider's SAML test option.

Example in Okta:

![Preview the SAML assertion from the Okta dashboard](https://developers.cloudflare.com/_astro/saml-assertion.z-CnJcdz_1Kasu7.webp)![Determine the email attribute name from the SAML assertion](https://developers.cloudflare.com/_astro/saml-attributes.B1LfosVi_Z1e3MCs.webp) 

### SAML headers and attributes

Cloudflare Access supports SAML (Security Assertion Markup Language) attributes and SAML headers for all SAML IdP integrations.

[**SAML attributes**](#saml-attributes) refer to specific data points or characteristics that the IdP shares about the authenticated user. These attributes often include details like email address, name, or role, and are passed along to the service provider upon successful authentication.

[**SAML headers**](#saml-headers) are metadata in the SAML protocol communication which convey information about the sender, recipient, and the message itself. These headers can be leveraged to provide extra context or control over the communication.

#### SAML attributes

SAML attributes are added to the [Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/). These attributes can then be consumed by self-hosted or SaaS applications connected to Access. Any SAML attribute configured in the SAML integration must also be sent from the IdP.

Example in Okta:

![Configure Okta to send SAML attributes](https://developers.cloudflare.com/_astro/attribute-statements.CXJ3Jtln_1H8fyr.webp) 

How to receive these SAML attributes in Cloudflare:

![Configure Cloudflare to receive SAML attributes](https://developers.cloudflare.com/_astro/attributes-cloudflare.Dpoa5y0H_1aqGLK.webp) 

#### SAML headers

If an application specifically requires SAML attributes upon sign-in, then the attributes can be passed as headers. The **Attribute name** should be the value coming from your IdP (for example, `department`). You can assign any **Header name** to the attribute. The header name will appear in the response headers when Access makes the initial authorization request to `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback`.

#### Multi-record SAML attributes

Cloudflare Access extends support for multi-record SAML attributes such as groups. These attributes are parsed out and can be individually referenced in policies. This feature enables granular access control and precise user authorization in applications.

Cloudflare Access does not currently support partial attribute value references.


---

---
title: GitHub
description: GitHub in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# GitHub

Cloudflare One allows your team to connect to your applications using their GitHub login. You do not need to have a GitHub organization to use the integration.

## Set up GitHub Access

To configure GitHub access in both GitHub and Cloudflare One:

1. Log in to [GitHub ↗](https://github.com/).
2. Go to your account > **Settings** \> **Developer Settings**.
3. In **Developer Settings**, select **OAuth Apps** and select **New OAuth app**.
4. On the **Register a new OAuth application** page, enter an **Application name**. Your users will see this application name on the login page.
5. In the **Homepage URL** field, enter your team domain:
   ```
   https://<your-team-name>.cloudflareaccess.com
   ```
   You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
6. In the GitHub **Authorization callback URL** field, enter the following URL:
   ```
   https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
   ```
7. Select **Register application**.
8. Make note of the **Client ID**.
9. Select **Generate a new client secret** and copy the client secret to a safe place.
10. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
11. Select **Add new identity provider** and select **GitHub**.
12. In **App ID**, enter the **Client ID** obtained from GitHub (refer to step 8).
13. In **Client secret**, enter the **Client secret** obtained from GitHub (refer to step 9).
14. Select **Save**.
15. Select **Finish setup** to launch a GitHub authorization page. You will be asked to grant the following permissions to Cloudflare Access:  
   * Organizations and teams (read-only)  
   * Email addresses (read-only)
16. Select **Authorize**.

To test that your connection is working, go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) \> **Zero Trust** \> **Integrations** \> **Identity providers** and select **Test** next to your GitHub login method. If you have GitHub two-factor authentication enabled, you will need to first log in to GitHub directly and then return to Access.

Troubleshooting organization policies

When using a GitHub organization policy, if a user joins the required organization after a failed login attempt, they will remain blocked. To fix this, they must revoke the application's access in their GitHub settings and log in again to update their permissions.

## Example API Configuration

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>"
  },
  "type": "github",
  "name": "my example idp"
}
```


---

---
title: Google
description: Google in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Google

You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration allows any user with a Google account to log in (if the [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) allows them to reach the resource). Unlike the instructions for [Google Workspace](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google-workspace/), the steps below will not allow you to pull group membership information from a Google Workspace account.

You do not need to be a Google Cloud Platform user to integrate Google as an identity provider with Cloudflare One. You will only need to open the Google Cloud Platform to configure IdP integration settings.

## Set up Google as an identity provider

1. Log in to the Google Cloud Platform [console ↗](https://console.cloud.google.com/). Create a new project, name the project, and select **Create**.
2. On the project home page, go to **APIs & Services** and on the sidebar select **Credentials**.
3. Select **Configure Consent Screen**.  
![Location to configure a Consent Screen in the Google Cloud Platform console.](https://developers.cloudflare.com/_astro/configure-consent-screen.ChcdZJTT_19gGur.webp)
4. To configure the consent screen:  
   1. Select **Get started**.  
   2. Enter an **App name** and a **User support email**.  
   3. Choose **External** as the Audience Type. Since this application is not being created in a Google Workspace account, any user with a Gmail address can log in.  
   4. Enter your **Contact Information**. Google Cloud Platform requires an email in your account.  
   5. Agree to Google's user data policy and select **Continue**.  
   6. Select **Create**.
5. The OAuth overview page will load. On the OAuth overview screen, select **Create OAuth client**.  
![Location to create an OAuth client in the Google Cloud Platform console.](https://developers.cloudflare.com/_astro/create-oauth-client.BkzE5MZU_Z1EL96B.webp)
6. Choose _Web application_ as the **Application type** and give your OAuth Client ID a name.
7. Under **Authorized JavaScript origins**, in the **URIs** field, enter your team domain:
   ```
   https://<your-team-name>.cloudflareaccess.com
   ```
   You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
8. Under **Authorized redirect URIs**, in the **URIs** field, enter the following URL:
   ```
   https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
   ```
9. After creating the OAuth client, select the OAuth client that you just created. Google will present the **OAuth Client ID** value and **Client secret** value. The client secret field functions like a password and should not be shared. Copy both the **OAuth Client ID** value and **Client secret** value.
10. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
11. Under **Your identity providers**, select **Add new identity provider**. Choose **Google** on the next page.
12. Input the Client ID (**App ID** in the Cloudflare dashboard) and Client Secret fields generated previously.
13. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
14. Select **Save**.

## Test your connection

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to Google.

## Example API Config

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>"
  },
  "type": "google",
  "name": "my example idp"
}
```

## Troubleshooting

### `Error 401: deleted_client`

If you deleted the OAuth client (or the OAuth client expired) in Google, you will receive an `Error 401: deleted_client` authorization error.

To fix this issue, complete steps 6 through 12 in the [Google](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google/#set-up-google-as-an-identity-provider) guide, or steps 9 through 15 in the [Google Workspace](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google-workspace/#set-up-google-workspace-as-an-identity-provider) guide.


---

---
title: Google Workspace
description: Google Workspace in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Google Workspace

Note

The Google Workspace IdP integration [is not supported](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/#google-workspace-redirect-loop) if your Google Workspace account is protected by Access.

You can integrate a Google Workspace (formerly G Suite) account with Cloudflare Access. Unlike the instructions for [generic Google authentication](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google/), the steps below will allow you to pull group membership information from your Google Workspace account.

Once integrated, users will log in with their Google Workspace credentials to reach resources protected by Cloudflare Access or to enroll their device into Cloudflare Gateway.

You do not need to be a Google Cloud Platform user to integrate Google Workspace as an identity provider with Cloudflare One. You will only need to open the Google Cloud Platform to configure IdP integration settings.

## Set up Google Workspace as an identity provider

### 1\. Configure Google Workspace

1. Log in to the Google Cloud Platform [console ↗](https://console.cloud.google.com/). This is separate from your Google Workspace console.
2. A Google Cloud project is required to enable Google Workspace APIs. If you do not already have a Google Cloud project, go to **IAM & Admin** \> **Create Project**. Name the project and select **Create**.
3. Go to **APIs & Services** and select **Enable APIs and Services**. The API Library will load.
4. In the API Library, search for `admin` and select **Admin SDK API**.
5. **Enable** the Admin SDK API.
6. Return to the **APIs & Services** page and go to **Credentials**.
7. Select **Configure Consent Screen**.  
![Location to configure a Consent Screen in the Google Cloud Platform console.](https://developers.cloudflare.com/_astro/configure-consent-screen.ChcdZJTT_19gGur.webp)
8. To configure the consent screen:  
   1. Select **Get Started**.  
   2. Enter an **App name** and a **User support email**.  
   3. Choose **Internal** as the Audience Type. This Audience Type limits authorization requests to users in your Google Workspace and blocks users who have regular Gmail addresses.  
   4. Enter your **Contact Information**. Google Cloud Platform requires an email in your account.  
   5. Agree to Google's user data policy and select **Continue**.  
   6. Select **Create**.
9. The OAuth overview page will load. Select **Create OAuth Client**.  
![Location to create an OAuth client in the Google Cloud Platform console.](https://developers.cloudflare.com/_astro/create-oauth-client.BkzE5MZU_Z1EL96B.webp)
10. Choose _Web application_ as the **Application type** and give your OAuth Client ID a name.
11. Under **Authorized JavaScript origins**, in the **URIs** field, enter your team domain:
    ```
    https://<your-team-name>.cloudflareaccess.com
    ```
    You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
12. Under **Authorized redirect URIs**, in the **URIs** field, enter the following URL:
    ```
    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
    ```
13. After creating the OAuth client, select the OAuth client that you just created. Google will present the **OAuth Client ID** value and **Client secret** value. The client secret field functions like a password and should not be shared. Copy both the **OAuth Client ID** value and **Client secret** value.
14. On your [Google Admin console ↗](https://admin.google.com), go to **Security** \> **Access and data control** \> **API controls**.
15. In **API Controls**, select **Settings**.
16. Select **Internal apps** and check the box next to **Trust internal apps** to enable this option. The **Trust internal apps** setting is disabled by default and must be enabled for Cloudflare Access to work correctly.  
![Location to trust internal apps in the Google Cloud Platform console.](https://developers.cloudflare.com/_astro/trust-internal-apps.BFE-UHaC_Z1HT8xz.webp)

### 2\. Add Google Workspace to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Select **Add new identity provider** and select **Google Workspace**.
3. Input the Client ID (**App ID** in the Cloudflare dashboard) and Client Secret fields generated previously. Additionally, enter the domain of your Google Workspace account.
4. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that you wish to add to your user's identity.
6. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.
7. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access.

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to Google Workspace. Your user identity and group membership should return.

SCIM Provisioning (Beta)

The SCIM provisioning integration with Google Workspace is not currently supported.

`Failed to fetch group information from the identity provider` error

To test successfully, you must [finish setup ↗](https://community.cloudflare.com/t/google-workspace-failed-to-fetch-group-information-from-the-identity-provider/313361/2). Testing before finishing setup will result in a [Failed to fetch user/group information from the identity provider error](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/#identity-provider-usergroup-info-error).

## Example API Configuration

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "apps_domain": "mycompany.com"
  },
  "type": "google-apps",
  "name": "my example idp"
}
```

## Troubleshooting

### `Error 401: deleted_client`

If you deleted the OAuth client (or the OAuth client expired) in Google, you will receive an `Error 401: deleted_client` authorization error.

To fix this issue, complete steps 6 through 12 in the [Google](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google/#set-up-google-as-an-identity-provider) guide, or steps 9 through 15 in the [Google Workspace](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/google-workspace/#set-up-google-workspace-as-an-identity-provider) guide.


---

---
title: JumpCloud (SAML)
description: JumpCloud (SAML) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# JumpCloud (SAML)

[JumpCloud ↗](https://jumpcloud.com/#platform) provides SSO identity management. Cloudflare Access integrates with JumpCloud as a SAML identity provider.

The following steps are specific to setting up JumpCloud with Cloudflare Access. For more information on configuring a JumpCloud SSO application, refer to the [JumpCloud documentation ↗](https://jumpcloud.com/support/integrate-with-cloudflare).

## Set up JumpCloud as a SAML provider

### 1\. Create an SSO application in JumpCloud

1. In the [JumpCloud Admin Portal ↗](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
2. Select **Add New Application**.
3. In the search bar, enter `Cloudflare` and select the **Cloudflare Access** application.
4. Select **Next**.
5. In **Display Label**, enter an application name.
6. Select **Save Application**.
7. Review the application summary and select **Configure Application**.
8. In the **SSO** tab, configure the following settings:
   1. In **IdP Entity ID**, enter your Cloudflare team domain:
      ```
      https://<your-team-name>.cloudflareaccess.com/
      ```
      You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
   2. Set both **SP Entity ID** and **ACS URL** to the following callback URL:
      ```
      https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
      ```
   3. (Optional) Configure SAML attributes that you want to send to Cloudflare Access.
   4. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a [later step](#2-add-jumpcloud-to-cloudflare-one).
9. In the **User Groups** tab, [assign user groups ↗](https://jumpcloud.com/support/get-started-applications-saml-sso#managing-employee-access-to-applications) to this application.
10. Select **Save**.

### 2\. Add JumpCloud to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **SAML**.
4. Upload your JumpCloud XML metadata file.
5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
7. Select **Save**.

You can now [test your connection](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one) and create [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) based on the configured login method and SAML attributes.

## Synchronize users and groups

The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using [SCIM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/).

### 1\. Enable SCIM in Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Find the JumpCloud integration and select **Edit**.
3. Turn on **Enable SCIM**.
4. (Optional) Configure the following settings:
   * **Enable user deprovisioning**: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when they are removed from the SCIM application in JumpCloud. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).
   * **Remove user seat on deprovision**: [Remove a user's seat](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) from your Cloudflare One account when they are removed from the SCIM application in JumpCloud.
   * **SCIM identity update behavior**: Choose what happens in Cloudflare One when the user's identity updates in JumpCloud.
     * _Automatic identity updates_: Automatically update the [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/) when JumpCloud sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and Cloudflare One Client [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/); Access will read the user's updated identity when they reauthenticate.
     * _Group membership change reauthentication_: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when their group membership changes in JumpCloud. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). Access will read the user's updated group membership when they reauthenticate.
     * _No action_: Update the user's identity the next time they reauthenticate to Access or the Cloudflare One Client.
5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into JumpCloud.
6. Select **Save**.

The SCIM secret never expires, but you can manually regenerate the secret at any time.

### 2\. Configure SCIM in JumpCloud

1. In the [JumpCloud Admin Portal ↗](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider).
3. Select the **SSO** tab.
4. To provision user groups, select **Include group attribute** and enter `groups`. The group attribute name has to exactly match `groups` or else it will be sent as a SAML attribute.
5. Select the **Identity Management** tab.
6. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on.
7. Select **Configure**.
8. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Cloudflare One.
9. In the **Token Key** field, enter the **SCIM Secret** obtained from Cloudflare One.
10. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified.
11. Select **Save**.

To check if user identities were updated in Cloudflare One, view your [SCIM provisioning logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/).

Note

New users must first [register the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin.

### Provisioning attributes

Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event:

| JumpCloud user attribute | Cloudflare Access attribute |
| ------------------------ | --------------------------- |
| email                    | email                       |
| firstname                | givenName                   |
| lastname                 | surname                     |

| JumpCloud group attribute | Cloudflare Access attribute |
| ------------------------- | --------------------------- |
| name                      | groups                      |

## Example API configuration

```json
{
  "config": {
    "issuer_url": "jumpcloud",
    "sso_target_url": "https://sso.myexample.jumpcloud.com/saml2/cloudflareaccess",
    "attributes": ["email", "name", "username"],
    "email_attribute_name": "",
    "sign_request": false,
    "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
  },
  "type": "saml",
  "name": "jumpcloud saml example"
}
```


---

---
title: Keycloak (SAML)
description: Keycloak (SAML) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---


# Keycloak (SAML)

Keycloak is an open source identity and access management solution built by JBoss. If you need a Keycloak lab environment for testing, refer to [this example ↗](https://github.com/mw866/tunnel-keycloak).

## Set up Keycloak (SAML)

To set up Keycloak (SAML) as your identity provider:

1. In Keycloak, select **Clients** in the navigation bar and create a new client.
2. Under **Client ID**, enter the following URL:
   ```
   https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
   ```
   You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
   ![SAML Client interface with team domain and callback in Client ID](https://developers.cloudflare.com/_astro/configure-client.gStYVFuK_uWpjQ.webp)
3. Change the `Name ID Format` to `email`.
4. Next, set the valid redirect URI to the Keycloak domain that you are using. For example, `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback`.
5. Set the Master SAML Processing URL using the same Keycloak domain: `https://<keycloak_domain>/auth/realms/master/protocol/saml`.
6. If you wish to enable client signatures, enable `Client Signature Required` and select **Save**.  
   1. You will need to [follow the steps here to get the certificate and enable it in the Cloudflare dashboard](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/signed%5Fauthn/).  
   2. Import the Access certificate you downloaded into the `SAML Keys` tab. Use `Certificate PEM` as the format.
7. Set the built-in protocol mapper for the `email` property.  
![Protocol Mapper with email property set](https://developers.cloudflare.com/_astro/protocol-mapper.CZf2t0Ex_o71H2.webp)  
Next, you will need to integrate with Cloudflare Access.
8. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
9. Under **Your identity providers**, select **Add new identity provider**.
10. Choose **SAML** on the next page.  
You will need to input the Keycloak details manually. Replace the example values below with the domains in use with Keycloak and Cloudflare Access.

    | Field                       | Example                                                             |
    | --------------------------- | ------------------------------------------------------------------- |
    | Single Sign-On URL          | `https://<keycloak_domain>/auth/realms/master/protocol/saml`        |
    | IdP Entity ID or Issuer URL | `https://<unique_id>.cloudflareaccess.com/cdn-cgi/access/callback`  |
    | Signing certificate         | Use the X509 Certificate in the Realm Settings from Keycloak        |
11. Select **Save**.

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to the login method you want to test.


---

---
title: LinkedIn
description: LinkedIn in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---



# LinkedIn

Cloudflare Access allows your users to use LinkedIn as their identity provider (IdP).

## Prerequisites

Sign in to your LinkedIn account before continuing. Configuring LinkedIn as a Cloudflare Access IdP requires a LinkedIn account.

## Set up LinkedIn as an IdP

To configure LinkedIn as an IdP:

1. Go to the [LinkedIn Developer Portal ↗](https://www.linkedin.com/developers).
2. Select **Create App**.
3. On the **Create an app** page, enter an **App name** for your application.
4. Select a **LinkedIn Page** for your application or select **Create a new LinkedIn page** if you do not have a LinkedIn page.
5. Select **Upload a logo** and upload your company logo image file.
6. Select **API Terms of Use** to read the terms of use, and agree to the terms.
7. Select **Create app**.
8. In the **Products** tab of your LinkedIn application, select **Request Access** next to the **Sign In with LinkedIn using OpenID Connect** option.
9. In the **Auth** tab of your LinkedIn application, find the **Client ID** and **Client Secret**.  
![LinkedIn account settings where you will copy the Client ID and Client Secret](https://developers.cloudflare.com/_astro/lin5.ovn9KSN7_Z1EBFwv.webp)
10. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
11. Under **Your identity providers**, select **Add new identity provider**.
12. Select **LinkedIn** as your IdP.
13. In the **App ID** field, copy and paste the **Client ID** from step 9. In the **Client secret** field, copy and paste the **Client secret** from step 9.
14. Select **Save**.
15. In the **Auth** tab of your LinkedIn application, go to **OAuth 2.0 settings** and select the pencil icon next to **Authorized redirect URLs for your app**.
16. Enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.

To test that your connection is working, go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) \> **Zero Trust** \> **Integrations** \> **Identity providers** and select **Test** next to your LinkedIn login method.

## Example API configuration

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>"
  },
  "type": "linkedin",
  "name": "my example idp"
}
```


---

---
title: Okta
description: Integrate Okta as an identity provider for Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---



# Okta

Okta provides cloud software that helps companies manage and secure user authentication to modern applications, and helps developers build identity controls into applications, websites, web services, and devices. You can integrate Okta with Cloudflare One and build rules based on user identity and group membership. Cloudflare One supports Okta integrations using either the OIDC (default) or [SAML](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta-saml/) protocol.

Additionally, you can configure Okta to use risk information from Cloudflare One [user risk scores](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/) to create SSO-level policies. For more information, refer to [Send risk score to Okta](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#send-risk-score-to-okta).

## Prerequisites

* A [Zero Trust Organization](https://developers.cloudflare.com/cloudflare-one/setup/) with any subscription tier (including Free)
* A [Cloudflare One administrator role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/) with `Access Edit` permissions

## Supported features

* **SP-initiated SSO**: When a user goes to an Access application, Access redirects them to sign in with Okta.
* **SCIM provisioning**: Synchronize Okta groups and automatically deprovision users. SCIM currently requires a separate [custom OIDC application](#synchronize-users-and-groups).

## Set up Okta as an OIDC provider (Okta App Catalog)

Active Directory limitation

The Okta App Catalog template does not support synchronizing [Active Directory groups ↗](https://help.okta.com/en-us/Content/Topics/Directory/ad-agent-import-groups.htm). If you would like to build policies using AD groups, use the Okta [OIDC app integration](#set-up-okta-as-an-oidc-provider-custom-app-integration) or [SAML app integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta-saml/).

To set up the Okta integration using the Okta Integration Network (OIN) App Catalog:

1. Log in to your Okta admin dashboard.
2. Go to **Applications** \> **Applications**.
3. Select **Browse App Catalog**.
4. Search for `Cloudflare` and select the **Cloudflare One** app.
5. Select **Add integration**.
6. In **Application label**, enter a name for the application (for example, `Cloudflare Access`).
7. In **Team domain**, enter your Cloudflare Zero Trust team name (only the subdomain prefix, do not include `.cloudflareaccess.com`):  
```  
<your-team-name>  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
8. In the **Sign On** tab, copy the **Client ID** and **Client secret** and paste them into the `App ID` and `Client secret` fields in Cloudflare.
9. Copy your Okta Account URL (without the `-admin` value) and paste it into the Cloudflare Okta setup field.

## Set up Okta as an OIDC provider (Custom App Integration)

1. Log in to your Okta admin dashboard and go to **Applications** \> **Applications**.
2. Select **Create App Integration**.
3. For the **Sign-in method**, select **OIDC - OpenID Connect**.  
![Creating an OIDC application in Okta](https://developers.cloudflare.com/_astro/okta-1.BlGKmCip_Z24dx2X.webp)
4. For the **Application type**, select **Web Application**. Select **Next**.
5. Enter any name for the application. In the **Sign-in redirect URIs** field, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
6. Choose the desired **Assignment** option and select **Save**.
7. From the application view, go to the **Sign On** tab.
8. Scroll down to **Token claims** and select **Show legacy configuration** \> **Edit**.  
![Configuring the Groups claim filter in Okta](https://developers.cloudflare.com/_astro/okta-2.DrNQXWIc_ZCGOg7.webp)
9. Set **Groups claim filter** to _Matches regex_ and its value to `.*`.

Token claim expressions

* Groups managed outside of Okta (for example, Microsoft Entra ID or Google groups) may require different regex values. For more information, refer to the Okta documentation on [Groups Claims ↗](https://support.okta.com/help/s/article/Why-isnt-my-Groups-claim-returning-Active-Directory-groups) and [OpenID Connect Claims ↗](https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims).
* To configure more complex expressions, refer to Okta's [token claims documentation ↗](https://help.okta.com/okta%5Fhelp.htm?type=oie&locale=en&id=federated-claims-overview).

10. In the **General** tab, copy the **Client ID** and **Client secret**.  
![Finding your Client credentials in Okta](https://developers.cloudflare.com/_astro/okta-3.BzGr0OXt_293BnQ.webp)
11. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
12. Under **Your identity providers**, select **Add new identity provider**. Select **Okta** as your identity provider.
13. Fill in the following information:  
   * **Name**: Name your identity provider.  
   * **App ID**: Enter your Okta client ID.  
   * **Client secret**: Enter your Okta client secret.  
   * **Okta account URL**: Enter your [Okta domain ↗](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`.
14. (Optional) Create an Okta API token and enter it in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** \> **Integrations** \> **Identity providers** (the token can be read-only). This prevents group lookups from failing if you have more than 100 Okta groups.
15. (Optional) To configure [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims):  
   1. In Okta, create a [custom authorization server ↗](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled.  
   2. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), enter the **Authorization Server ID** obtained from Okta.  
   3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity.
16. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
17. Select **Save**.

To [test](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one) that your connection is working, select **Test**.

## Synchronize users and groups

The Okta integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/). To enable SCIM provisioning between Access and Okta, you need two separate app integrations in Okta:

* The OIDC application you created when adding Okta as an identity provider. You can create this application via the [Okta App Catalog](#set-up-okta-as-an-oidc-provider-okta-app-catalog) or via a [Custom App Integration](#set-up-okta-as-an-oidc-provider-custom-app-integration).
* A second Okta application of type **SCIM 2.0 Test App (Header Auth)**. This is technically a SAML app but is responsible for sending user and group info via SCIM.

Note

If you would like to only maintain one Okta app instance, Okta does support SAML and SCIM within the same application. Create a [generic SAML integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/) and configure those values in the **Sign-On** field of your Okta SCIM application.

### 1. Enable SCIM in Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Find the Okta integration and select **Edit**.
3. Turn on **Enable SCIM**.
4. (Optional) Configure the following settings:  
   * **Enable user deprovisioning**: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when they are removed from the SCIM application in Okta. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/).  
   * **Remove user seat on deprovision**: [Remove a user's seat](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) from your Cloudflare One account when they are removed from the SCIM application in Okta.  
   * **SCIM identity update behavior**: Choose what happens in Cloudflare One when the user's identity updates in Okta.  
     * _Automatic identity updates_: Automatically update the [User Registry identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/) when Okta sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and Cloudflare One Client [device profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/); Access will read the user's updated identity when they reauthenticate.  
     * _Group membership change reauthentication_: [Revoke a user's active session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#per-user) when their group membership changes in Okta. This will invalidate all active Access sessions and prompt for reauthentication for any [Cloudflare One Client session policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/). Access will read the user's updated group membership when they reauthenticate.  
     * _No action_: Update the user's identity the next time they reauthenticate to Access or the Cloudflare One Client.
5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into Okta.
6. Select **Save**.

The SCIM secret never expires, but you can manually regenerate the secret at any time.

### 2. Configure SCIM in Okta

1. On your Okta admin dashboard, go to **Applications** \> **Applications**.
2. Select **Browse App Catalog**.
3. Search for `SCIM Header Auth` and select **SCIM 2.0 Test App (Header Auth)**.
4. Select **Add Integration**.
5. On the **General Settings** tab, name your application and select **Next**.
6. On the **Sign-on Options** tab, ensure that **SAML 2.0** is selected.
7. Under **Credential Details**, set **Application username format** to either _Okta Username_ or _Email_. This value will be used for the SCIM `userName` attribute.  
Note  
The `userName` attribute must match the user's email address in Cloudflare One.
8. Select **Done** to create the integration.
9. On the **Provisioning** tab, select **Configure API Integration**.
10. Select **Enable API integration**.
11. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Cloudflare One.
12. In the **API Token** field, enter the **SCIM Secret** obtained from Cloudflare One.  
![Enter SCIM values into Okta](https://developers.cloudflare.com/_astro/enter-scim-values.CxQEosHF_1P1ybq.webp)
13. Select **Test API Credentials** to ensure that the credentials were entered correctly. Select **Save**.
14. On the **Provisioning** tab, select **Edit** and enable:  
   * **Create Users**  
   * **Update User Attributes**  
   * **Deactivate Users**  
![Configure provisioning settings in Okta](https://developers.cloudflare.com/_astro/enable-provisioning.CUZPrFdg_1mHfaq.webp)
15. In the **Assignments** tab, add the users you want to synchronize with Cloudflare Access. You can add users in batches by assigning a group. If a user is removed from the application assignment, either by removing a direct user assignment or by removing them from a group that was assigned to the app, Okta sends a deprovisioning event to Cloudflare.
16. In the **Push Groups** tab, add the Okta groups you want to synchronize with Cloudflare Access. These groups will display in the Access policy builder and are the group memberships that will be added and removed upon membership change in Okta.  
Note  
Groups in this SCIM app Push Groups integration should match the groups in your base [OIDC app integration](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/okta/#set-up-okta-as-an-oidc-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.

To verify the integration, select **View Logs** in the Okta SCIM application.

To check if user identities were updated in Cloudflare One, view your [SCIM provisioning logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/).

Note

New users must first [register the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin.
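The note above that the SCIM `userName` must match the user's email address, and the deprovisioning toggles from step 1, are the two points most worth checking before enabling provisioning. The following added example (not Cloudflare's or Okta's code) validates a SCIM 2.0 user payload against that rule and maps a deactivation to the actions the dashboard settings select. The payloads are constructed in the shape Okta's SCIM 2.0 Test App sends (a POST for creation and a PATCH with `replace` operations for deactivation); the schema URNs and attribute names are from the SCIM 2.0 core schema (RFC 7643), and the `ScimSettings` field names are this example's own.

```python
"""Validate SCIM 2.0 user payloads and map deprovisioning to the settings
described in this section.

Added example, not Cloudflare's or Okta's code. Payloads are constructed in
the shape Okta's SCIM 2.0 Test App sends; schema URNs and attribute names are
from the SCIM core schema (RFC 7643). ScimSettings mirrors the dashboard
toggles under "Enable SCIM" (field names are this example's own).
"""
import re
from dataclasses import dataclass

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ScimSettings:
    user_deprovisioning: bool = False         # "Enable user deprovisioning"
    remove_seat_on_deprovision: bool = False  # "Remove user seat on deprovision"


def user_problems(user: dict) -> list[str]:
    """Return problems that would stop Access matching this identity to a user."""
    problems = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("schemas does not include the core User schema")
    user_name = user.get("userName", "")
    if not EMAIL_RE.match(user_name):
        problems.append("userName must be an email address; set Application "
                        "username format to Email or Okta Username")
    primary = [e.get("value", "") for e in user.get("emails", []) if e.get("primary")]
    if primary and primary[0].lower() != user_name.lower():
        problems.append("userName does not match the primary email")
    return problems


def apply_patch(user: dict, patch: dict) -> dict:
    """Apply a SCIM PatchOp with 'replace' operations on top-level attributes.

    Simplified: only 'replace' is handled, which is what a deactivation uses.
    """
    if SCIM_PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = dict(user)
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            raise ValueError(f"unsupported op {op.get('op')!r} in this example")
        if "path" in op:
            updated[op["path"]] = op["value"]
        else:  # Okta style: value is an object of attributes to replace
            updated.update(op["value"])
    return updated


def deprovision_actions(user: dict, settings: ScimSettings) -> list[str]:
    """Actions Cloudflare One takes for an inactive user, per the settings."""
    if user.get("active", True):
        return []
    actions = []
    if settings.user_deprovisioning:
        actions.append("revoke_active_sessions")
    if settings.remove_seat_on_deprovision:
        actions.append("remove_seat")
    return actions


# Constructed sample payloads (not captured from a real Okta tenant).
CREATE_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@example.com", "primary": True}],
    "active": True,
}
DEACTIVATE = {
    "schemas": [SCIM_PATCH_SCHEMA],
    "Operations": [{"op": "replace", "value": {"active": False}}],
}

if __name__ == "__main__":
    print("problems:", user_problems(CREATE_USER))
    inactive = apply_patch(CREATE_USER, DEACTIVATE)
    print("actions:", deprovision_actions(inactive, ScimSettings(True, True)))
```

A payload whose `userName` is a bare Okta username rather than an email fails both the format check and the primary-email comparison, which is the case the note above warns about.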

## Example API Configuration

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "okta_account": "https://dev-abc123.oktapreview.com"
  },
  "type": "okta",
  "name": "my example idp"
}
```
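Before sending a payload like the one above to the identity-provider API, it is worth checking the values the setup steps call out: the team name must be the subdomain prefix only, the Okta account URL must be the org URL without `-admin`, and the `<your ...>` placeholders must have been replaced. The following added example (not Cloudflare's code) encodes those checks; it also builds the callback URL used by the Keycloak, LinkedIn and Okta steps on this page. Function names and the placeholder convention are this example's assumptions.

```python
"""Sanity-check an identity-provider payload before sending it to the
Cloudflare Access identity-provider API.

Added example, not Cloudflare's code. It encodes rules stated in the setup
steps on this page: the team name is the subdomain prefix only, the callback
URL is derived from it, the Okta account URL is the org URL without "-admin",
and the placeholder strings from the example configurations must be replaced.
Function names are this example's own.
"""
import re
from urllib.parse import urlparse

TEAM_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
PLACEHOLDER_RE = re.compile(r"^<.*>$")  # e.g. "<your client id>" from the docs
REQUIRED_CONFIG = {
    "okta": ("client_id", "client_secret", "okta_account"),
    "linkedin": ("client_id", "client_secret"),
    "onetimepin": (),
}


def callback_url(team_name: str) -> str:
    """Redirect URI to register with the IdP, derived from the team name."""
    if team_name.endswith(".cloudflareaccess.com"):
        raise ValueError("use only the subdomain prefix, not the full domain")
    if not TEAM_NAME_RE.match(team_name):
        raise ValueError(f"team name {team_name!r} is not a valid subdomain label")
    return f"https://{team_name}.cloudflareaccess.com/cdn-cgi/access/callback"


def okta_account_problems(url: str) -> list[str]:
    """Checks for the Okta account URL field (https org URL, no -admin, no path)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        return ["okta_account must be an https URL such as https://my-company.okta.com"]
    problems = []
    if "-admin." in parsed.netloc.lower():
        problems.append("okta_account points at the admin console; remove the -admin suffix")
    if parsed.path not in ("", "/"):
        problems.append("okta_account should be the bare org URL with no path")
    return problems


def payload_problems(payload: dict) -> list[str]:
    """Return every problem found in a create-IdP payload (empty list means OK)."""
    problems = []
    idp_type = payload.get("type")
    if idp_type not in REQUIRED_CONFIG:
        return [f"unsupported or missing type {idp_type!r} for this example"]
    if not payload.get("name"):
        problems.append("name is required")
    config = payload.get("config")
    if not isinstance(config, dict):
        return problems + ["config must be an object"]
    for key in REQUIRED_CONFIG[idp_type]:
        value = config.get(key)
        if not value:
            problems.append(f"config.{key} is required for type {idp_type}")
        elif isinstance(value, str) and PLACEHOLDER_RE.match(value):
            problems.append(f"config.{key} still holds the documentation placeholder {value!r}")
    if idp_type == "okta" and isinstance(config.get("okta_account"), str):
        problems.extend(okta_account_problems(config["okta_account"]))
    return problems


if __name__ == "__main__":
    # Constructed sample values, modelled on the example configuration above.
    print(callback_url("my-team"))
    sample = {
        "type": "okta",
        "name": "my example idp",
        "config": {
            "client_id": "0oaexampleclientid",
            "client_secret": "<your client secret>",
            "okta_account": "https://dev-abc123-admin.oktapreview.com",
        },
    }
    for problem in payload_problems(sample):
        print("problem:", problem)
```

Run against the constructed sample, the check reports two problems: the secret is still the documentation placeholder, and the account URL is the admin console rather than the org URL.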

## Troubleshooting

### Failed to fetch user/group information from the identity

If you see the error `Failed to fetch user/group information from the identity`, double-check your Okta configuration:

* If you have more than 100 Okta groups, ensure you include the API token.
* The request may be blocked by the [ThreatInsights feature ↗](https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/ti-index.htm) within Okta.


---

---
title: Okta (SAML)
description: Integrate Okta as a SAML identity provider with Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---



# Okta (SAML)

Cloudflare One can integrate SAML with Okta as an identity provider.

## Set up Okta as a SAML provider

To set up SAML with Okta as your identity provider:

1. On your Okta admin dashboard, go to **Applications** \> **Applications**.
2. Select **Create App Integration**.
3. In the pop-up dialog, select **SAML 2.0** and then select **Next**.
4. Enter an app name and select **Next**.  
![Entering your Cloudflare One callback URL into Okta](https://developers.cloudflare.com/_astro/okta-saml-1.BO9WudzS_Z2kyEVM.webp)
5. In the **Single sign on URL** and the **Audience URI (SP Entity ID)** fields, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
6. In the **Attribute Statements** section, enter the following information:  
   * **Name**: Enter `email`.  
   * **Value**: Enter `user.email`.
7. (Optional) If you are using Okta groups, create a **Group Attribute Statement** with the following information:  
   * **Name**: Enter `groups`.  
   * **Filter**: Select _Matches regex_ and enter `.*`.
![Configuring attribute statements in Okta](https://developers.cloudflare.com/_astro/okta-saml-2.BkDiypq5_1d8kYQ.webp) 
8. Select **Next**.
9. Select **I'm an Okta customer adding an internal app** and check **This is an internal app that we have created**.  
![Configuring feedback options in Okta](https://developers.cloudflare.com/_astro/okta-saml-3.-GrxFq28_tccsu.webp)
10. Select **Finish**.
11. In the **Assignments** tab, select **Assign** and assign individuals or groups you want to grant access to.
12. Select **Done**. The assigned individuals and groups will display in the **Assignments** tab.  
![Assigning individuals and groups to Okta application](https://developers.cloudflare.com/_astro/okta-saml-4.CrMrhldk_17Ee6y.webp)
13. To retrieve the SAML provider information, go to the **Sign On** tab and select **View Setup Instructions**. A new page will open showing the **Identity Provider Single Sign-on URL**, **Identity Provider Issuer**, and **X.509 Certificate**. Save this information for configuring your Cloudflare One settings.  
![Retrieving SAML provider information in Okta](https://developers.cloudflare.com/_astro/okta-saml-5.CWJU56SQ_1In0gM.webp)
14. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
15. Under **Your identity providers**, select **Add new identity provider**, and select _SAML_.
16. Fill in the following information:  
   * **Name**: Name your identity provider.  
   * **Single Sign On URL**: Enter the Identity Provider Single-Sign-On URL from Okta.  
   * **Issuer ID**: Enter the Identity Provider Issuer from Okta, for example `http://www.okta.com/<your-okta-entity-id>`.  
   * **Signing Certificate**: Copy-paste the X.509 Certificate from Okta.
17. (Recommended) Enable **Sign SAML authentication request**.
18. (Recommended) Under **SAML attributes**, add the `email` and `groups` attributes. The `groups` attribute is required if you want to create policies based on [Okta groups](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#okta-saml).  
![Adding optional SAML attributes in Cloudflare One](https://developers.cloudflare.com/_astro/okta-saml-6.4pq9o6NF_xya5c.webp)
19. Select **Save**.

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to Okta. A success response should return the configured SAML attributes.

Warning

SAML attributes are only refreshed during authentications with the Okta identity provider. This means the Okta group membership is not updated unless a user logs in and out of the Cloudflare One Client, or logs in to an Access application.

## Example API configuration

```json
{
  "config": {
    "issuer_url": "http://www.okta.com/exkbhqj29iGxT7GwT0h7",
    "sso_target_url": "https://dev-abc123.oktapreview.com/app/myapp/exkbhqj29iGxT7GwT0h7/sso/saml",
    "attributes": ["email", "group"],
    "email_attribute_name": "",
    "sign_request": false,
    "idp_public_certs": [
      "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
    ]
  },
  "type": "saml",
  "name": "okta saml example"
}
```


---

---
title: One-time PIN login
description: One-time PIN login in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---



# One-time PIN login

Cloudflare Access can send a one-time PIN (OTP) to approved email addresses as an alternative to integrating an identity provider. You can simultaneously configure OTP login and the identity provider of your choice to allow users to select their own authentication method.

For example, if your team uses Okta but you are collaborating with someone outside your organization, you can use OTP to grant access to guests.

Note

Access and the Cloudflare One Client will evaluate identity based on a user's last-known state. If a user authenticates via your Identity Provider, but later authenticates with a different method (such as One-Time PIN), Access will no longer evaluate the user's Identity Provider group memberships. Identity Provider group memberships are created and managed by the IdP and group membership data can only persist in an IdP-based authentication.

## Set up OTP

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **One-time PIN**.
**API**

Make a `POST` request to the [Identity Providers](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/identity%5Fproviders/methods/create/) endpoint:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Organizations, Identity Providers, and Groups Write`

Add an Access identity provider

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "One-time PIN login",
    "type": "onetimepin",
    "config": {}
  }'
```

**Terraform (v5)**

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Access: Organizations, Identity Providers, and Groups Write`
2. Configure the [cloudflare\_zero\_trust\_access\_identity\_provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fidentity%5Fprovider) resource:
   ```hcl
   resource "cloudflare_zero_trust_access_identity_provider" "onetimepin_login" {
     account_id = var.cloudflare_account_id
     name       = "One-time PIN login"
     type       = "onetimepin"
     config     = {}
   }
   ```

Tip

If your organization uses a third-party email scanning service (for example, Mimecast or Barracuda), add `noreply@notify.cloudflare.com` to the email scanning allowlist.

To grant a user access to an application, simply add their email address to an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#create-a-policy).

## Log in with OTP

To log in to Access using the one-time PIN:

1. Go to the application protected by Access.
2. On the Access login page, enter your email address and select **Send me a code**.  
![Enter email to sign in with OTP.](https://developers.cloudflare.com/_astro/otp1.uhxnR_Si_Z24nTyv.webp)
3. If the email is allowed by an Access policy, you will receive a PIN in your inbox. This secure PIN expires 10 minutes after the initial request.

Note

By design, blocked users will not receive an email. The login page will always say **A code has been emailed to you**, regardless of whether or not an email was sent.

4. Paste the PIN into the Access login page and select **Sign in**.  
![Enter PIN to sign in.](https://developers.cloudflare.com/_astro/otp2.GG9Vuvxx_Z21dr8T.webp)  
   * If the code was valid, you will be redirected to the application.  
   * If the code was invalid, you will see **That account does not have access.**  
   * If you see **This One-Time PIN has already been used**, the code was already consumed. This typically occurs when an email security tool on your network automatically scans the email and follows the link before you enter the code. Select **Request new code** and try again.

Note

Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/#authentication-logs).

## OTP behavior and limits

Keep the following behavior in mind when troubleshooting OTP logins:

* Each PIN is single-use.
* Requesting a new PIN invalidates the previous PIN.
* Cloudflare only sends the email if the user is allowed by an Access policy.
* Third-party mail security tools may consume the link before the user does, which makes the code appear already used.

If users repeatedly fail to sign in, request a fresh code and verify that your mail filtering or link-scanning product is allowlisting `noreply@notify.cloudflare.com`.
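The behaviours listed above (single-use PINs, a new request invalidating the previous one, the 10-minute lifetime, and the login page giving the same response whether or not an email was sent) are easier to reason about when troubleshooting if they are written down as code. The following is an added model of that behaviour, not Cloudflare's implementation; the 6-digit PIN format, the in-memory store and the class and method names are assumptions of this example, and the allow-list stands in for an Access policy.

```python
"""Model of the one-time PIN behaviour described in this section.

Added example, not Cloudflare's implementation. It reproduces the documented
behaviour: PINs are single-use, a new request invalidates the previous PIN,
a PIN expires 10 minutes after it was requested, and the response to a request
is identical whether or not the address is allowed. The 6-digit PIN format
and in-memory store are assumptions; the allow-list stands in for the policy.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 10 * 60
SENT_MESSAGE = "A code has been emailed to you"


@dataclass
class IssuedPin:
    digest: bytes      # salted hash of the PIN; the PIN itself is not stored
    salt: bytes
    issued_at: float
    used: bool = False


def _digest(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode()).digest()


class OtpService:
    def __init__(self, allowed_emails, clock=time.time):
        self._allowed = {e.lower() for e in allowed_emails}  # stands in for the Access policy
        self._pins: dict[str, IssuedPin] = {}
        self._clock = clock                                   # injectable for testing expiry
        self.outbox: list[tuple[str, str]] = []               # constructed "sent emails"

    def request_code(self, email: str) -> str:
        """Issue a PIN only for allowed addresses; the reply never reveals which."""
        email = email.lower()
        if email in self._allowed:
            pin = f"{secrets.randbelow(10**6):06d}"
            salt = secrets.token_bytes(16)
            # Overwriting the entry is what invalidates any earlier PIN.
            self._pins[email] = IssuedPin(_digest(pin, salt), salt, self._clock())
            self.outbox.append((email, pin))
        return SENT_MESSAGE

    def verify(self, email: str, pin: str) -> str:
        """Return 'ok', 'invalid', 'expired' or 'already_used'."""
        issued = self._pins.get(email.lower())
        if issued is None or not hmac.compare_digest(_digest(pin, issued.salt), issued.digest):
            return "invalid"          # blocked address or wrong code look the same
        if issued.used:
            return "already_used"     # e.g. a mail scanner followed the link first
        if self._clock() - issued.issued_at > PIN_TTL_SECONDS:
            return "expired"
        issued.used = True
        return "ok"


if __name__ == "__main__":
    svc = OtpService(["alice@example.com"])
    print(svc.request_code("mallory@example.com"))  # same message, nothing sent
    print(svc.request_code("alice@example.com"))
    email, pin = svc.outbox[-1]
    print("scanner:", svc.verify(email, pin))       # link-following scanner redeems it
    print("user:   ", svc.verify(email, pin))       # user then sees "already used"
```

The `__main__` block reproduces the troubleshooting case above: when something on the mail path redeems the code first, the user's own attempt reports `already_used`, and the only fix is to request a fresh code.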


---

---
title: OneLogin
description: OneLogin in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# OneLogin

OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an OIDC identity provider.

## Set up OneLogin as an OIDC provider

### 1\. Create an application in OneLogin

1. Log in to your OneLogin admin portal.
2. Go to **Applications** \> **Applications** and select **Add App**.
3. Search for `OIDC` and select **OpenId Connect (OIDC)** by OneLogin, Inc.
4. In **Display Name**, enter any name for your application. Select **Save**.
5. Next, go to **Configuration**. In the **Redirect URI** field, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
6. Select **Save**.
7. Go to **Access** and choose the **Roles** that can access this application. Select **Save**.
8. Go to **SSO** and select **Show client secret**.
9. Copy the **Client ID** and **Client Secret**.

### 2\. Add OneLogin to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **OneLogin**.
4. Fill in the following information:  
   * **Name**: Name your identity provider.  
   * **App ID**: Enter your OneLogin client ID.  
   * **Client secret**: Enter your OneLogin client secret.  
   * **OneLogin account URL**: Enter your OneLogin domain, for example `https://<your-domain>.onelogin.com`.
5. (Optional) To enable SCIM, refer to [Synchronize users and groups](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#synchronize-users-and-groups).
6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that you wish to add to your user's identity.
7. Select **Save**.

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to OneLogin.

## Example API Config

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "onelogin_account": "https://mycompany.onelogin.com"
  },
  "type": "onelogin",
  "name": "my example idp"
}
```


---

---
title: OneLogin (SAML)
description: Integrate OneLogin as a SAML identity provider for Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# OneLogin (SAML)

OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as a SAML identity provider.

## Set up OneLogin as a SAML provider

### 1\. Create an application in OneLogin

1. Log in to your OneLogin admin portal.
2. Select **Apps** \> **Add Apps**.
3. Under **Find Applications**, search for **Cloudflare Access**.
4. Select the result sponsored by **Cloudflare, Inc**. You can customize the name or logo.
5. Select **Save**. You can change this information at any time.
6. Select the **Configuration** tab.
7. In the **Cloudflare Access Authorization Domain** field, paste your team domain:  
```  
https://<your-team-name>.cloudflareaccess.com  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
8. Select the **Parameters** tab, select **Add Parameter** and enter your values for **Cloudflare Access Field**.
9. Select the **Access** tab.
10. In **Roles**, use the mapping to automatically assign the users who can access the application.  
![OneLogin SAML Application Access interface with available Roles listed](https://developers.cloudflare.com/_astro/onelogin-saml-6.72q8OCR8_oAFmA.webp)
11. Select the **SSO** tab.
12. Copy the OneLogin **SAML 2.0 Endpoint (HTTP)** to the Cloudflare **Single Sign On URL**.
13. Copy the OneLogin **Issuer URL** to the Cloudflare **IdP Entity ID**.
14. Copy the **X.509 Certificate** to the Cloudflare **Signing Certificate**.  
![OneLogin SAML Application SSO interface with SAML2.0 sign on method, Issuer URL, and X.509 Certificate](https://developers.cloudflare.com/_astro/onelogin-saml-7.DF0eCD1C_216XQ8.webp)

### 2\. Add OneLogin to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **SAML**.
4. Input the details from your OneLogin account in the fields.
5. (Optional) To enable SCIM, refer to [Synchronize users and groups](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#synchronize-users-and-groups).
6. (Optional) Under **Optional configurations**, configure [additional SAML options](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#optional-configurations). If you added other SAML headers and attribute names to OneLogin, be sure to add them to Cloudflare.
7. Select **Save**.

To test that your connection is working, go to **Integrations** \> **Identity providers** and select **Test** next to the login method you want to test.

## Download SP metadata (optional)

OneLogin SAML allows administrators to upload metadata files from the service provider.

To add a metadata file to your OneLogin SAML configuration:

1. Download your unique SAML metadata file at the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/saml-metadata  
```
2. Save the file as an XML document.
3. Upload the XML document to **OneLogin**.

## Example API configuration

```json
{
  "config": {
    "issuer_url": "https://app.onelogin.com/saml/metadata/1b84ee45-d4fa-4373-8853-abz438942123",
    "sso_target_url": "https://sandbox.onelogin.com/trust/saml2/http-post/sso/123456",
    "attributes": ["email"],
    "email_attribute_name": "",
    "sign_request": false,
    "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
  },
  "type": "saml",
  "name": "onelogin saml example"
}
```


---

---
title: PingFederate
description: PingFederate in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# PingFederate

The PingFederate offering from PingIdentity provides SSO identity management. Cloudflare Access supports PingFederate as a SAML identity provider.

## Set up PingFederate as an identity provider

1. Log in to your **Ping** dashboard and go to **Applications**.
2. Select **Add Application**.
3. Select **New SAML Application**.
4. Complete the fields for name, description, and category. These can be any value. A prompt displays to select a signing certificate to use.
5. In the **SAML attribute configuration** dialog, select **Email attribute** \> **urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress**.
6. Go to **SP Connections** \> **SP Connection** \> **Credentials**.
7. Add the matching certificate that you upload into the Cloudflare SAML configuration for Ping. Select **Include the certificate in the signature `<KEYINFO>` element**.

Note

There is an additional setting for PingFederate prior to 9.0:

1. In the **Signature Policy** tab, disable the option to **Always Sign Assertion**.
2. Leave the option enabled for **Sign Response As Required**.

This ensures that SAML destination headers are sent during the integration.

In versions 9.0 and above, you can leave both of these options enabled.

8. A prompt displays to download the SAML metadata from Ping. This file shares several fields with Cloudflare Access, so you do not have to input this data by hand.
9. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
10. Under **Your identity providers**, select **Add new identity provider**.
11. Select **SAML**.
12. In the **IdP Entity ID** field, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
13. Fill the other fields with values from your Ping dashboard.
14. Select **Save**.

To test that your connection is working, go to **Authentication** \> **Login methods** and select **Test** next to the login method you want to test.

## Example API configuration

```json
{
  "config": {
    "issuer_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback",
    "sso_target_url": "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=aebe6668-32fe-4a87-8c2b-avcd3599a123",
    "attributes": ["PingOne.AuthenticatingAuthority", "PingOne.idpid"],
    "email_attribute_name": "",
    "sign_request": false,
    "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
  },
  "type": "saml",
  "name": "ping saml example"
}
```


---

---
title: PingOne
description: PingOne in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# PingOne

The PingOne cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as an OIDC identity provider.

## Set up PingOne as an OIDC provider

### 1\. Create an application in PingOne

1. In your PingIdentity environment, go to **Connections** \> **Applications**.
2. Select **Add Application**.
3. Enter an **Application Name**.
4. Select **OIDC Web App** and then **Save**.
5. Select **Resource Access** and add the **email** and **profile** scopes.
6. In the **Configuration** tab, select **General**.
7. Copy the **Client ID**, **Client Secret**, and **Environment ID** to a safe place. These IDs will be used in a later step to add PingOne to Cloudflare One.
8. In the **Configuration** tab, select the pencil icon.
9. In the **Redirect URIs** field, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.
10. Select **Save**.

### 2\. Add PingOne to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **PingOne**.
4. Input the **Client ID**, **Client Secret**, and **Environment ID** generated previously.
5. (Optional) Enable [Proof Key for Code Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
6. (Optional) To enable SCIM, refer to [Synchronize users and groups](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#synchronize-users-and-groups).
7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that you wish to add to your users' identity.
8. Select **Save**.

You can now [test your connection](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one) and create [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) based on the configured login method.

## Example API configuration

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "ping_env_id": "<your ping environment id>"
  },
  "type": "ping",
  "name": "my example idp"
}
```


---

---
title: PingOne (SAML)
description: Learn how to integrate PingOne as a SAML identity provider with Cloudflare One.
image: https://developers.cloudflare.com/zt-preview.png
---

# PingOne (SAML)

The PingOne cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as a SAML identity provider.

## Set up PingOne as a SAML provider

### 1\. Create an application in PingOne

1. In your PingIdentity environment, go to **Connections** \> **Applications**.
2. Select **Add Application**.
3. Enter an **Application Name**.
4. Select **SAML Application**.
5. Select **Configure**.
6. To fill in your Cloudflare Access metadata:  
   1. Select **Import from URL**.  
   2. Set the **Import URL** to:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/saml-metadata  
```  
where `<your-team-name>` is your Cloudflare One team name.  
   3. Select **Import**.  
   4. **Save** the configuration.
7. In the **Configuration** tab, select **Download metadata** and save the XML metadata file. This file will be used in a later step to add PingOne to Cloudflare One.
8. In the **Attribute Mappings** tab, add the following required attributes (case sensitive) and select **Save**.  
| Application attribute | Outgoing value |  
| --------------------- | -------------- |  
| email                 | Email Address  |  
| givenName             | Given Name     |  
| surName               | Family Name    |  
These [SAML attributes](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#saml-attributes) tell Cloudflare Access who the user is.
9. Set the application to **Active**.

### 2\. Add PingOne to Cloudflare One

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **SAML**.
4. Upload your PingOne XML metadata file.
5. (Optional) To enable SCIM, refer to [Synchronize users and groups](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#synchronize-users-and-groups).
6. (Optional) Under **Optional configurations**, configure [additional SAML options](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#optional-configurations).
7. Select **Save**.

You can now [test your connection](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one) and create [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) based on the configured login method and SAML attributes.


---

---
title: Signed AuthN requests (SAML)
description: Signed AuthN requests (SAML) in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Signed AuthN requests (SAML)

In a SAML request flow, Cloudflare Access functions as the service provider (SP) to the identity provider (IdP). Cloudflare Access sends a SAML request to your IdP. The signing certificate that you upload from your SAML provider verifies the response.

In some cases, administrators need to verify that the request from the SP is authentic. By validating both the requests from the SP and the responses from the IdP, teams can ensure that operations in the SAML relationship are signed in both directions.

Cloudflare Access supports this requirement in the form of Signed AuthN requests. When enabled, Access sends a signature embedded in an HTTP POST request that contains the AuthN details.

## Set up Signed AuthN requests

To set up Signed AuthN requests:

1. In Cloudflare One, go to **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Choose **SAML** on the next page.
4. Complete the fields in the dialog.
5. Go to this URL to find the certificate:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/public-cert  
```  
Ensure that your IdP validation uses the most recent certificate. Cloudflare Access routinely rotates the public key as a security measure.  
Cloudflare Access uses a certificate that includes the following 2 distinguished name fields:  
   * **Issuer Distinguished Name** \- `CN=cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare`  
   * **Subject Distinguished Name** \- `CN=*.cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare`  
Most IdP configurations require 3 components to enforce AuthN signature verification:  
   * **Certificate issuer [distinguished name (DN) ↗](https://knowledge.digicert.com/generalinformation/INFO1745.html)**  
   * **Certificate subject distinguished name**  
   * **Public certificate**
6. In your IdP account, replace your authorization domain with the team domain generated by Cloudflare Access.  
This is an example format:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/public-cert  
```


---

---
title: Yandex
description: Yandex in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Yandex

Yandex is a web search engine that also offers identity provider (IdP) services.

## Set up Yandex

To set up Yandex for Cloudflare Access:

1. Log in to your Yandex account.
2. Select **Open a new OAuth Application**.
3. Select **New client**.
4. Complete the required fields.
5. Choose **Yandex.Passport API** to set the basic scopes.
6. Select the **Access to email address**, **Access to user avatar,** and **Access to username, first name and surname, gender** options.
7. Select **Platform** and select **Web Services.**
8. In the **Callback URL #1** field, enter the following URL:  
```  
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
```  
You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.  
![Yandex Platform interface with Web services checked and callback URI in open form field](https://developers.cloudflare.com/_astro/yandex-3.DteBNxdB_1qShkV.webp)
9. Select **Add**.
10. Scroll to the **Platforms** card, and select **Submit**.  
A **Yandex OAuth** card titled **Cloudflare Access App** displays.
11. Copy the **ID** and **Password**.
12. In Cloudflare One, go to **Integrations** \> **Identity providers**.
13. Under **Your identity providers**, select **Add new identity provider**.
14. Select **Yandex**.
15. Paste the ID and password in the appropriate fields.
16. Select **Save**.

## Example API Config

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>"
  },
  "type": "yandex",
  "name": "my example idp"
}
```


---

---
title: Service providers
description: Service providers resources and guides for Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Service providers

Service-to-service integrations allow the Cloudflare One Client to get device posture data from a third-party API. To use this feature, you must [deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) to your devices and enable the desired posture checks.

## Supported Client modes

* Traffic and DNS mode
* Traffic only mode
* Posture only mode

## Supported operating systems

| Device posture check                                                                                                     | macOS | Windows | Linux | iOS | Android/ChromeOS |
| ------------------------------------------------------------------------------------------------------------------------ | ----- | ------- | ----- | --- | ---------------- |
| [Custom integration](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/custom/)            | ✅     | ✅       | ✅     | ✅   | ✅                |
| [Crowdstrike](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/crowdstrike/)              | ✅     | ✅       | ✅     | ❌   | ❌                |
| [Kolide](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/kolide/)                        | ✅     | ✅       | ✅     | ❌   | ❌                |
| [Microsoft Endpoint Manager](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/microsoft/) | ✅     | ✅       | ✅     | ❌   | ❌                |
| [SentinelOne](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/sentinelone/)              | ✅     | ✅       | ✅     | ❌   | ❌                |
| [Tanium](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/taniums2s/)                     | ✅     | ✅       | ✅     | ❌   | ❌                |
| [Uptycs](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/uptycs/)                        | ✅     | ✅       | ✅     | ❌   | ❌                |
| [Workspace ONE](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/workspace-one/)          | ✅     | ✅       | ✅     | ❌   | ❌                |


---

---
title: CrowdStrike
description: CrowdStrike in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# CrowdStrike

Cloudflare One can integrate with Crowdstrike to require that users connect to certain applications from managed devices. This service-to-service posture check uses the Cloudflare One Client to read endpoint data from Crowdstrike. Devices are identified by their serial numbers. If multiple devices have the same serial number, Cloudflare cannot accurately match a device with a third-party provider device. You must ensure that each of your devices has a unique serial number.

## Prerequisites

Device posture with Crowdstrike requires:

* Falcon Enterprise plan or above
* Crowdstrike agent is deployed on the device.
* Cloudflare One Client is [deployed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on the device. For a list of supported modes and operating systems, refer to [Service providers](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/).

## Set up CrowdStrike as a service provider

### 1\. Obtain CrowdStrike settings

The following CrowdStrike values are needed to set up the CrowdStrike posture check:

* Client ID
* Client Secret
* Base URL
* Customer ID

To retrieve those values:

1. Log in to your Falcon Dashboard.
2. Go to **Support and resources** \> **API Clients and Keys**.
3. Select **Create API client** and enter any name for the client.
4. Turn on the following API permissions:  
| Scope                 | Permission |  
| --------------------- | ---------- |  
| Hosts                 | Read       |  
| Zero Trust Assessment | Read       |
5. Select **Create**.
6. Copy the **Client ID**, **Client Secret**, and **Base URL** to a safe place.
7. Go to **Host setup and management** \> **Sensor downloads** and copy your **Customer ID**.

### 2\. Add CrowdStrike as a service provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Service providers**.
2. Select **Add new**.
3. Select **Crowdstrike**.
4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
5. Enter the **Client ID** and **Client secret** you noted down above.
6. In **Rest API URL**, enter your **Base URL**.
7. Enter your **Customer ID**.
8. Choose a **Polling frequency** for how often Cloudflare Zero Trust should query CrowdStrike for information.
9. Select **Test and save**.

### 3\. Configure the posture check

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Posture checks** \> **Service provider checks**.
2. Select **Add a check**.
3. Select the Crowdstrike provider.
4. Enter any name for the posture check.
5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
6. Select **Save**.
7. To test, go to **Insight** \> **Logs** \> **Posture logs** and verify that the service provider posture check is returning the expected results.

You can now use this posture check in a [device posture policy](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#3-build-a-device-posture-policy).

## Device posture attributes

Device posture data is gathered from the [CrowdStrike Zero Trust Assessment APIs ↗](https://falcon.us-2.crowdstrike.com/documentation/156/zero-trust-assessment-apis). To learn more about how scores are calculated, refer to the [CrowdStrike Zero Trust Assessment ↗](https://falcon.us-2.crowdstrike.com/documentation/138/zero-trust-assessment) documentation.

| Selector      | Description                                                                                   | Value                                                                                           |
| ------------- | --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| OS            | OS signal score                                                                               | 1 to 100                                                                                        |
| Overall       | Overall ZTA score                                                                             | 1 to 100                                                                                        |
| Sensor config | Sensor signal score                                                                           | 1 to 100                                                                                        |
| Version       | ZTA score version                                                                             | 2.1.0                                                                                           |
| State         | Current online status of the device                                                           | _Online_, _Offline_, or _Unknown_                                                               |
| Last seen     | Elapsed time since the device was last seen. Only returned if its state is online or unknown. | In the last 1 hour, 3 hours, 6 hours, 12 hours, 24 hours, 7 days, 30 days, or more than 30 days |

---

---
title: Custom device posture integration
description: Configure custom device posture checks in Cloudflare One using a service-to-service integration.
image: https://developers.cloudflare.com/zt-preview.png
---

# Custom device posture integration

Cloudflare One allows you to enforce custom device posture checks on your applications. This involves configuring a Cloudflare One Client service-to-service integration that periodically calls the external API of your choice, whether it is a third-party endpoint provider or a home-built solution. When called, the API will receive device-identifying information from Cloudflare and is expected to return a value between `0` and `100`. You can then set up a device posture check that determines whether the returned value counts as a pass or a fail; for example, you could allow access to a user only if their device has a posture value greater than `60`.

```mermaid
sequenceDiagram
    participant Cloudflare One Client
    participant Cloudflare Access
    participant External API
    Cloudflare One Client->>Cloudflare Access: Client ID and Secret
    Cloudflare Access->>External API: Application token
    Cloudflare One Client->>External API: JSON with user and device identity
    External API-->>Cloudflare One Client: JSON with 0-100 result
```

## External API requirements

The custom service provider integration works with any API service that meets the following specifications. For an example of a custom device posture integration API, refer to our [Cloudflare Workers sample code ↗](https://github.com/cloudflare/custom-device-posture-integration-example-worker).

### Authentication

The Cloudflare One Client authenticates to the external API through Cloudflare Access. The external API should [validate the application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) issued by Cloudflare Access to ensure that any requests which bypass Access (for example, due to a network misconfiguration) are rejected.

### Data passed to external API

Cloudflare will pass the following parameters to the configured API endpoint. You can use this data to identify the device and assign a posture score. For some devices, not all identifying information will apply, in which case the field will be blank. A maximum of 1,000 devices will be sent per request.

| Field          | Description                                                  |
| -------------- | ------------------------------------------------------------ |
| device\_id     | Device UUID assigned by the Cloudflare One Client            |
| email          | Email address used to authenticate the Cloudflare One Client |
| serial\_number | Device serial number                                         |
| mac\_address   | Device MAC address                                           |
| virtual\_ipv4  | Device virtual IPv4 address                                  |
| hostname       | Device name                                                  |

Note

Devices are identified by their serial numbers. You must ensure that each of your devices has a unique serial number. If multiple devices have the same serial number, Cloudflare and your external API will not be able to accurately match them.

Example request body (`devices` is a JSON array; the original sample wrapped the array in an extra object, which is not valid JSON):

```json
{
  "devices": [
    {
      "device_id": "9ece5fab-7398-488a-a575-e25a9a3dec07",
      "email": "jdoe@mycompany.com",
      "serial_number": "jdR44P3d",
      "mac_address": "74:1d:3e:23:e0:fe",
      "virtual_ipv4": "100.96.0.10",
      "hostname": "string"
    },
    {...},
    {...}
  ]
}
```

### Expected response from external API

For each Cloudflare `device_id`, the API service is expected to return a posture score and optionally a third-party device ID.

| Field   | Description                                         |
| ------- | --------------------------------------------------- |
| s2s\_id | Third party device ID (empty string if unavailable) |
| score   | Integer value between 0 \- 100                      |

Example response body:

```json
{
  "result": {
    "9ece5fab-7398-488a-a575-e25a9a3dec07": {
      "s2s_id": "",
      "score": 10
    },
    "device_id2": {...},
    "device_id3": {...}
  }
}
```
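The request and response contract above, implemented as a scoring backend. This is an added example, not Cloudflare's sample Worker: the inventory records, their field names (`managed`, `edr_healthy`, `disk_encrypted`) and the scoring weights are hypothetical, and it assumes `devices` arrives as a JSON array. It fails closed (score `0`, empty `s2s_id`) for devices with a blank, unknown or duplicated serial number, which is the ambiguity the note above warns about.

```javascript
// Constructed asset inventory (hypothetical data). In practice this comes
// from your MDM/EDR. "DUP-0001" is deliberately duplicated to show how an
// ambiguous serial number is handled.
const INVENTORY = [
  { s2s_id: "asset-0001", serial_number: "jdR44P3d", managed: true, edr_healthy: true,  disk_encrypted: true },
  { s2s_id: "asset-0002", serial_number: "XK91QQ20", managed: true, edr_healthy: false, disk_encrypted: true },
  { s2s_id: "asset-0003", serial_number: "DUP-0001", managed: true, edr_healthy: true,  disk_encrypted: true },
  { s2s_id: "asset-0004", serial_number: "DUP-0001", managed: true, edr_healthy: true,  disk_encrypted: false },
];

// Cloudflare sends at most 1,000 devices per request (stated on the page).
const MAX_DEVICES_PER_REQUEST = 1000;

// Index inventory by serial number, keeping a list per serial so that
// duplicates remain detectable instead of silently picking one asset.
function indexBySerial(inventory) {
  const index = new Map();
  for (const asset of inventory) {
    if (!index.has(asset.serial_number)) index.set(asset.serial_number, []);
    index.get(asset.serial_number).push(asset);
  }
  return index;
}

// Hypothetical scoring: partial credit per control, capped at 100.
function scoreAsset(asset) {
  let score = 0;
  if (asset.managed) score += 40;
  if (asset.edr_healthy) score += 30;
  if (asset.disk_encrypted) score += 30;
  return Math.min(100, score);
}

// Build the response body: one { s2s_id, score } entry per Cloudflare device_id.
function scoreDevices(requestBody, inventory = INVENTORY) {
  if (!requestBody || !Array.isArray(requestBody.devices)) {
    throw new Error("request body must contain a devices array");
  }
  if (requestBody.devices.length > MAX_DEVICES_PER_REQUEST) {
    throw new Error(`too many devices in one request: ${requestBody.devices.length}`);
  }
  const index = indexBySerial(inventory);
  const result = {};
  for (const device of requestBody.devices) {
    if (!device.device_id) continue; // the response is keyed by the Cloudflare UUID
    const serial = device.serial_number || "";
    const matches = serial ? index.get(serial) || [] : [];
    if (matches.length !== 1) {
      // Blank serial, unknown device, or ambiguous (duplicated) serial:
      // fail closed with score 0 and no third-party ID.
      result[device.device_id] = { s2s_id: "", score: 0 };
      continue;
    }
    result[device.device_id] = { s2s_id: matches[0].s2s_id, score: scoreAsset(matches[0]) };
  }
  return { result };
}

// Constructed request in the shape Cloudflare sends (see the example above).
const SAMPLE_REQUEST = {
  devices: [
    { device_id: "9ece5fab-7398-488a-a575-e25a9a3dec07", email: "jdoe@mycompany.com",
      serial_number: "jdR44P3d", mac_address: "74:1d:3e:23:e0:fe", virtual_ipv4: "100.96.0.10", hostname: "jdoe-laptop" },
    { device_id: "11111111-1111-4111-8111-111111111111", email: "asmith@mycompany.com",
      serial_number: "XK91QQ20", mac_address: "", virtual_ipv4: "100.96.0.11", hostname: "asmith-laptop" },
    { device_id: "22222222-2222-4222-8222-222222222222", email: "bwu@mycompany.com",
      serial_number: "DUP-0001", mac_address: "", virtual_ipv4: "100.96.0.12", hostname: "bwu-laptop" },
    { device_id: "33333333-3333-4333-8333-333333333333", email: "guest@mycompany.com",
      serial_number: "", mac_address: "", virtual_ipv4: "100.96.0.13", hostname: "vm-unknown" },
  ],
};

console.log(JSON.stringify(scoreDevices(SAMPLE_REQUEST), null, 2));
```

Validation of the Access application token described under Authentication happens before this handler runs and is not shown here.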

## Set up custom device posture checks

### 1\. Create a service token

The Cloudflare One Client uses an Access Client ID and Access Client Secret to securely authenticate to the external API. If you do not already have an Access Client ID and Access Client Secret, [create a new service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/#create-a-service-token).

### 2\. Create an Access application

Next, secure the external API behind Cloudflare Access so that the Cloudflare One Client can authenticate with the service token. To add the API endpoint to Access:

1. [Create a self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your API endpoint.
2. Add the following Access policy to the application. Make sure that **Action** is set to _Service Auth_ (not _Allow_).

   | Action       | Rule type | Selector      | Value        |
   | ------------ | --------- | ------------- | ------------ |
   | Service Auth | Include   | Service Token | <TOKEN-NAME> |

### 3\. Add a service provider integration

To create a custom service-to-service integration:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Service providers**.
2. Select **Add new**.
3. Select **Custom service provider**.
4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
5. In **Access client ID** and **Access client secret**, enter the Access service token used to authenticate to your external API.
6. In **Rest API URL**, enter the external API endpoint that Cloudflare will query for posture information (for example, `https://api.example.com`). For more information, refer to [External API requirements](#external-api-requirements).
7. In **Polling frequency**, choose how often Cloudflare One should query the external API for information.
8. Select **Test and save**. The test checks if Cloudflare can authenticate to the API URL using the provided Access credentials.

Next, [configure a device posture check](#4-configure-the-posture-check) to determine if a given posture score constitutes a pass or fail.

### 4\. Configure the posture check

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Posture checks** \> **Service provider checks**.
2. Select **Add a check**.
3. Select the custom service provider you created.
4. Enter any name for the posture check.
5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
6. Select **Save**.
7. To test, go to **Insight** \> **Logs** \> **Posture logs** and verify that the service provider posture check is returning the expected results.

You can now use this posture check in a [device posture policy](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#3-build-a-device-posture-policy).

## Device posture attributes

| Selector | Description                            | Value    |
| -------- | -------------------------------------- | -------- |
| Score    | Posture score returned by external API | 0 to 100 |

---

---
title: Kolide
description: Kolide in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Kolide

Cloudflare One can integrate with Kolide to require that users connect to certain applications from managed devices. This service-to-service posture check uses the Cloudflare One Client to read endpoint data from Kolide. Devices are identified by their serial numbers. If multiple devices have the same serial number, Cloudflare cannot accurately match a device with a third-party provider device. You must ensure that each of your devices has a unique serial number.

## Prerequisites

* Kolide agent is deployed on the device.
* Cloudflare One Client is [deployed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on the device. For a list of supported modes and operating systems, refer to [Service providers](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/).

## Set up Kolide as a service provider

### 1\. Create a Client Secret in Kolide

1. Log in to your Kolide dashboard.
2. Select your profile and go to **Settings** \> **Developers**.
3. Select **Create New Key**.
4. Enter a **Key Name** and select **Save**.
5. Copy the **Secret token** to a safe place. This will be your Client Secret.

### 2\. Add Kolide as a service provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Service providers**.
2. Select **Add new**.
3. Select **Kolide**.
4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
5. Enter the **Client secret** you noted down above.
6. Choose a **Polling frequency** for how often Cloudflare One should query Kolide for information.
7. Select **Test and save**.

### 3\. Configure the posture check

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Posture checks** \> **Service provider checks**.
2. Select **Add a check**.
3. Select the Kolide provider.
4. Enter any name for the posture check.
5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
6. Select **Save**.
7. To test, go to **Insight** \> **Logs** \> **Posture logs** and verify that the service provider posture check is returning the expected results.

You can now use this posture check in a [device posture policy](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#3-build-a-device-posture-policy).

## Device posture attributes

Device posture data is gathered from the [Kolide K2 API ↗](https://kolidek2.readme.io/reference/get%5Fissues).

| Selector    | Description                                   |
| ----------- | --------------------------------------------- |
| Issue count | Total number of issues detected on the device |

---

---
title: Microsoft Endpoint Manager
description: Microsoft Endpoint Manager in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Microsoft Endpoint Manager

Cloudflare One can integrate with Microsoft to require that users connect to certain applications from managed devices. This service-to-service posture check uses the Cloudflare One Client to read endpoint data from Microsoft. Devices are identified by their serial numbers. If multiple devices have the same serial number, Cloudflare cannot accurately match a device with a third-party provider device. You must ensure that each of your devices has a unique serial number.

## Prerequisites

Device posture with Microsoft Endpoint Manager requires:

* An Intune license
* Microsoft Endpoint Manager is managing the device.
* Cloudflare One Client is [deployed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on the device. For a list of supported modes and operating systems, refer to [Service providers](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/).

## 1\. Obtain Microsoft Graph settings

The following values are required:

* Client secret
* Application (client) ID
* Directory (tenant) ID

To retrieve those values:

1. Log in to your Microsoft Dashboard.
2. Go to **App Registrations** and select **New Registrations**.
3. Copy the `Application (client) ID` value to a safe place. This will be your Client ID.
4. Copy the `Directory (tenant) ID` value to a safe place. This will be your Customer ID.
5. Go to **Certificates & Secrets** and select **New client secret**.
6. Fill in a description and how long the secret should be valid.
7. After completing the form, immediately copy the resulting secret. This will be your Client Secret.
8. Go to **API Permissions** and select **Add permission**.
9. Select **Microsoft Graph**.
10. Select **Application permissions**.
11. Add `DeviceManagementManagedDevices.Read.All`.
12. If the permission status shows **Not granted**, select **Grant admin consent**.

## 2\. Add Intune as a service provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Service providers**.
2. Select **Add new**.
3. Select **Microsoft Endpoint Manager**.
4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
5. Enter the **Client ID**, **Client secret** and **Customer ID** you noted down above.
6. Select a **Polling frequency** for how often Cloudflare One should query the Microsoft Graph API for information.
7. Select **Test and save**.

## 3\. Configure the posture check

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Posture checks** \> **Service provider checks**.
2. Select **Add a check**.
3. Select the Microsoft Endpoint Manager provider.
4. Enter any name for the posture check.
5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
6. Select **Save**.
7. To test, go to **Insight** \> **Logs** \> **Posture logs** and verify that the service provider posture check is returning the expected results.

You can now use this posture check in a [device posture policy](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#3-build-a-device-posture-policy).

## Device posture attributes

The Microsoft Endpoint Manager device posture check relies on information from the Microsoft Graph API. Refer to Microsoft's [ComplianceState ↗](https://docs.microsoft.com/en-us/graph/api/resources/intune-devices-compliancestate?view=graph-rest-1.0) and [List managedDevices ↗](https://docs.microsoft.com/en-us/graph/api/intune-devices-manageddevice-list?view=graph-rest-1.0) documentation for a list of properties returned by the API.

To learn more about how to control ComplianceState, refer to Microsoft's [compliance policies guide ↗](https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started).

---

---
title: SentinelOne
description: SentinelOne in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# SentinelOne

Cloudflare One can integrate with SentinelOne to require that users connect to certain applications from managed devices. This service-to-service posture check uses the Cloudflare One Client to read endpoint data from SentinelOne. Devices are identified by their serial numbers. If multiple devices have the same serial number, Cloudflare cannot accurately match a device with a third-party provider device. You must ensure that each of your devices has a unique serial number.

## Prerequisites

* SentinelOne agent is deployed on the device.
* Cloudflare One Client is [deployed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on the device. For a list of supported modes and operating systems, refer to [Service providers](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/).

## Set up SentinelOne as a service provider

### 1\. Obtain SentinelOne settings

The following SentinelOne values are needed to set up the SentinelOne posture check:

* API Token
* REST API URL

To retrieve those values:

1. Log in to your SentinelOne Dashboard.
2. Go to **Settings** \> **Users** \> **Create new Service User**.
3. Select **Create New Service User**.
4. Enter a **Name** and **Expiration Date** and select **Next**.
5. Set **Scope of Access** to _Viewer_.
6. Select **Create User**. SentinelOne will generate an API Token for this user.
7. Copy the **API Token** to a safe location.
8. Select **Close**.
9. Copy the **Rest API URL** from your browser's address bar (for example, `https://<S1-DOMAIN>.sentinelone.net`).

### 2\. Add SentinelOne as a service provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Service providers**.
2. Select **Add new**.
3. Select **SentinelOne**.
4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
5. In **Client Secret**, enter your **API Token**.
6. In **Rest API URL**, enter `https://<S1-DOMAIN>.sentinelone.net`.
7. Choose a **Polling frequency** for how often Cloudflare One should query SentinelOne for information.
8. Select **Test and save**.

### 3\. Configure the posture check

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Posture checks** \> **Service provider checks**.
2. Select **Add a check**.
3. Select the SentinelOne provider.
4. Enter any name for the posture check.
5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
6. Select **Save**.
7. To test, go to **Insight** \> **Logs** \> **Posture logs** and verify that the service provider posture check is returning the expected results.

You can now use this posture check in a [device posture policy](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#3-build-a-device-posture-policy).

## Device posture attributes

Device posture data is gathered from the SentinelOne Management APIs. For more information, refer to `https://<S1-DOMAIN>.sentinelone.net/api-doc/overview`.

| Selector          | Description                                                                                                                                |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| Infected          | Whether the device is infected                                                                                                             |
| Active Threats    | Number of active threats on the device                                                                                                     |
| Is Active         | Whether the SentinelOne Agent is active                                                                                                    |
| Network status    | Whether the SentinelOne Agent is connected to the SentinelOne service                                                                      |
| Operational State | The [operational state ↗](https://community.sentinelone.com/s/login/?ec=302&startURL=%2Fs%2Farticle%2F000005285) of the SentinelOne Agent. |

### Detect user risk behavior

SentinelOne provides endpoint detection and response (EDR) signals to determine [user risk score](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/). User risk scores allow you to detect users that present security risks to your organization. For more information, refer to [Predefined risk behaviors](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/risk-score/#predefined-risk-behaviors).

---

---
title: Tanium
description: Tanium in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Tanium

Cloudflare One can integrate with Tanium to require that users connect to certain applications from managed devices. This service-to-service posture check uses the Cloudflare One Client to read endpoint data from Tanium. Devices are identified by their serial numbers. If multiple devices have the same serial number, Cloudflare cannot accurately match a device with a third-party provider device. You must ensure that each of your devices has a unique serial number.

## Prerequisites

* Either a Tanium Cloud or an on-premises Tanium installation with the Benchmark entitlement
* Tanium agent is deployed on the device.
* Cloudflare One Client is [deployed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on the device. For a list of supported modes and operating systems, refer to [Service providers](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/).

## Set up Tanium as a service provider

### 1\. Get Tanium settings

The following Tanium values are needed to set up the Tanium posture check:

* Client Secret
* REST API URL

To retrieve the client secret, create an API token:

1. Log in to your Tanium instance.
2. Go to **Administration** \> **API Tokens**.
3. Select **New API Token**.
4. Set **Expire in days** to an appropriate value for your organization. When this token expires, all device posture results will begin to fail until you update the integration with a new token.
5. Set **Trusted IP addresses** to `0.0.0.0/0`. This allows the token to be used from any source address, so the token's protection rests entirely on keeping the Client Secret confidential.
6. Select **Save**.
7. Copy the **Client Secret** to a safe place.

To retrieve the API URL, determine your Tanium Gateway root endpoint:

* Tanium Cloud: `https://<customerName>-api.cloud.tanium.com/plugin/products/gateway/graphql`
* Tanium On Prem: `https://<server>/plugin/products/gateway/graphql`

### 2\. Add Tanium as a service provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Service providers**.
2. Select **Add new**.
3. Select **Tanium**.
4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
5. Enter the **Client Secret** and **REST API URL** you noted down above.
6. Choose a **Polling frequency** for how often Cloudflare One should query Tanium for information.
7. Select **Test and save**.

### 3\. Configure the posture check

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Posture checks** \> **Service provider checks**.
2. Select **Add a check**.
3. Select the Tanium provider.
4. Enter any name for the posture check.
5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
6. Select **Save**.
7. To test, go to **Insight** \> **Logs** \> **Posture logs** and verify that the service provider posture check is returning the expected results.

You can now use this posture check in a [device posture policy](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#3-build-a-device-posture-policy).

## Device posture attributes

Device posture data is gathered from [Tanium's EndpointRisk API ↗](https://developer.tanium.com/site/global/apis/graphql/spectaql/index.gsp#definition-EndpointRisk). To learn more about how scores are calculated, refer to the [Tanium risk score documentation ↗](https://help.tanium.com/bundle/ug%5Fbenchmark%5Fcloud/page/benchmark/risk%5Fscore.html).

| Selector      | Description                                                                   | Value                                                                                           |
| ------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| Total score   | totalScore of the device.                                                     | 1 to 1000                                                                                       |
| Risk level    | riskLevel of the device.                                                      | Low, medium, high, or critical                                                                  |
| EID last seen | Elapsed time since the device was last seen, based on its datetime attribute. | In the last 1 hour, 3 hours, 6 hours, 12 hours, 24 hours, 7 days, 30 days, or more than 30 days |


---

---
title: Uptycs
description: Uptycs in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Uptycs

Cloudflare One can integrate with Uptycs to require that users connect to certain applications from managed devices. This service-to-service posture check uses the Cloudflare One Client to read endpoint data from Uptycs. Devices are identified by their serial numbers. If multiple devices have the same serial number, Cloudflare cannot accurately match a device with a third-party provider device. You must ensure that each of your devices has a unique serial number.

## Prerequisites

* Uptycs agent is deployed on the device.
* Cloudflare One Client is [deployed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on the device. For a list of supported modes and operating systems, refer to [Service providers](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/).

## 1\. Obtain Uptycs Settings

The following Uptycs values are needed to set up the Uptycs posture check:

* Client key
* Client Secret
* Customer ID

To obtain these values:

1. Open your Uptycs console.
2. Go to **Account Settings** \> **API Key**.
3. Generate and download your `.json` file. This file will contain your **Client key**, **Client Secret** and **Customer ID**.

## 2\. Add Uptycs as a service provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Service providers**.
2. Select **Add new**.
3. Select **Uptycs**.
4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
5. Enter the **Client ID**, **Client secret** and **Customer ID** as you noted down above.
6. Select a **Polling frequency** for how often Cloudflare One should query Uptycs for information.
7. Select **Test and save**.

## 3\. Configure the posture check

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Posture checks** \> **Service provider checks**.
2. Select **Add a check**.
3. Select the Uptycs provider.
4. Enter any name for the posture check.
5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
6. Select **Save**.
7. To test, go to **Insight** \> **Logs** \> **Posture logs** and verify that the service provider posture check is returning the expected results.

You can now use this posture check in a [device posture policy](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#3-build-a-device-posture-policy).

## Device posture attributes

| Selector | Description                                       |
| -------- | ------------------------------------------------- |
| Score    | Zero Trust score assigned to the device by Uptycs |


---

---
title: Workspace ONE
description: Workspace ONE in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

# Workspace ONE

Cloudflare One can integrate with Workspace ONE to require that users connect to certain applications from managed devices. This service-to-service posture check uses the Cloudflare One Client to read endpoint data from Workspace ONE. Devices are identified by their serial numbers. If multiple devices have the same serial number, Cloudflare cannot accurately match a device with a third-party provider device. You must ensure that each of your devices has a unique serial number.

## Prerequisites

* Workspace ONE agent is deployed on the device.
* Cloudflare One Client is [deployed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on the device. For a list of supported modes and operating systems, refer to [Service providers](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/).

## 1\. Obtain Workspace ONE Settings

The following Workspace ONE values are needed to set up the Workspace ONE posture check:

* ClientID
* Client Secret
* REST API URL
* Region-Specific token URL

To retrieve those values:

1. Log in to your Workspace ONE dashboard.
2. Go to **Groups & Settings** \> **Configurations**.
3. Enter `OAuth` in the search bar labeled **Enter a name or category**.
4. Select **OAuth Client Management** in the results. The OAuth Client Management screen displays.
5. Select **Add**.
6. Enter values for the **Name**, **Description**, **Organization Group**, and **Role**.
7. Ensure that the **Status** is **Enabled**.
8. Select **Save**.
9. Copy the **Client ID** and **Client Secret** to a safe place.
10. To obtain your REST API URL, go to **Groups & Settings** \> **All Settings** \> **System** \> **Advance** \> **Site URLs** \> **REST API URL**.
11. Retrieve the Region-Specific Token URL from Workspace ONE and copy it to a safe place.

## 2\. Add Workspace ONE as a service provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Service providers**.
2. Select **Add new**.
3. Select **Workspace ONE**.
4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
5. Enter the **Client ID** and **Client secret** you noted down above.
6. Select a **Polling frequency** for how often Cloudflare One should query Workspace ONE for information.
7. Enter the **Region-specific token URL** and **REST API URL** you noted down above.
8. Select **Test and save**.

## 3\. Configure the posture check

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Reusable components** \> **Posture checks** \> **Service provider checks**.
2. Select **Add a check**.
3. Select the Workspace ONE provider.
4. Enter any name for the posture check.
5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
6. Select **Save**.
7. To test, go to **Insight** \> **Logs** \> **Posture logs** and verify that the service provider posture check is returning the expected results.

You can now use this posture check in a [device posture policy](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#3-build-a-device-posture-policy).

## Device posture attributes

Workspace ONE posture checks work with the [Compliance flags ↗](https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/UEM%5FManaging%5FDevices/GUID-CompliancePolicies.html) in Workspace ONE. All compliance tests must pass for the device to be considered compliant.


---

---
title: Connectivity options
description: Connectivity options in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Connectivity options

Cloudflare One provides multiple connectivity options for your users, devices, and network infrastructure. Each option serves different use cases, from protecting individual devices to connecting entire data centers.

This page helps you understand which connectivity options to use based on your requirements, and how to combine multiple options in a single deployment.

## Cloudflare One on-ramps and off-ramps

Cloudflare One connectivity options use the concept of on-ramps and off-ramps:

* **On-ramps** send traffic into Cloudflare's network. For example, a user's device with the Cloudflare One Client installed on-ramps their traffic to Cloudflare for inspection and policy enforcement.
* **Off-ramps** send traffic from Cloudflare's network to your infrastructure. For example, Cloudflare Tunnel off-ramps traffic to your private applications without exposing them to the public Internet.

Some connectivity options support both directions (bidirectional), while others only support one direction.

## Connectivity options comparison

The following table provides a high-level comparison of all connectivity options available to Cloudflare One customers.

**Table 1: All Cloudflare One connectivity options**

| Connectivity option                                                     | Protocol                    | Direction     | Typical deployment model                | Use when                                          |
| ----------------------------------------------------------------------- | --------------------------- | ------------- | --------------------------------------- | ------------------------------------------------- |
| [Cloudflare Tunnel](#cloudflare-tunnel)                                 | HTTP/2, QUIC                | Off-ramp only | Software daemon (cloudflared) on server | Exposing private applications without a public IP |
| [Cloudflare One Client](#cloudflare-one-client)                         | MASQUE (default), WireGuard | Bidirectional | Client software on end-user devices     | Securing remote workforce devices                 |
| [Cloudflare Mesh](#cloudflare-mesh)                                     | MASQUE                      | Bidirectional | Software client on Linux host           | Connecting sites with IoT or VoIP devices         |
| [DNS locations](#dns-locations)                                         | DNS (DoH, DoT, IPv4/IPv6)   | On-ramp only  | DNS resolver configuration              | Filtering DNS traffic without device agents       |
| [Proxy endpoints](#proxy-endpoints)                                     | HTTP/HTTPS                  | On-ramp only  | Browser PAC file configuration          | Filtering web traffic without device agents       |
| [Clientless Web Isolation](#clientless-web-isolation)                   | HTTP/HTTPS                  | On-ramp only  | Prefixed URL with Access authentication | Secure web access for unmanaged devices           |
| [GRE tunnels](#gre-tunnels)                                             | GRE                         | Bidirectional | Network tunnel from router or firewall  | Connecting sites with existing network hardware   |
| [IPsec tunnels](#ipsec-tunnels)                                         | IPsec                       | Bidirectional | Network tunnel from router or firewall  | Encrypted site connectivity over the Internet     |
| [Cloudflare One Appliance](#cloudflare-one-appliance)                   | IPsec                       | Bidirectional | Hardware or virtual appliance           | Zero-touch branch office deployments              |
| [Cloudflare Network Interconnect](#cloudflare-network-interconnect-cni) | Direct, Partner, Cloud      | Bidirectional | Physical or virtual cross-connect       | Bypassing the public Internet entirely            |
| [Multi-Cloud Networking](#multi-cloud-networking)                       | IPsec (automated)           | Bidirectional | Cloud provider VPN integration          | Connecting cloud VPCs with automated tunnel setup |

---

## Cloudflare Tunnel

Cloudflare Tunnel provides a secure way to connect your resources to Cloudflare without a publicly routable IP address. The `cloudflared` daemon creates outbound-only connections to Cloudflare's global network over port `7844` (TCP/UDP) using HTTP/2 or QUIC. This allows you to expose web servers, SSH servers, remote desktops, and other services without opening inbound ports on your firewall.

Use Cloudflare Tunnel when you need to expose private web applications, protect origin servers by hiding their IP addresses, or deploy cloud-native ingress for Kubernetes services.

Important to know

Cloudflare Tunnel is off-ramp only and does not support server-initiated protocols (VoIP, SIP). Your origin sees the `cloudflared` process IP instead of the original client IP.

For HTTP traffic, use the `CF-Connecting-IP` header to retrieve the client IP. For non-HTTP protocols (SSH, RDP, TCP), the original source IP is not available to the origin server.
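
As an added example (not code from Cloudflare or from `cloudflared`), here is an origin-side helper that applies the point above: the origin sees the `cloudflared` process as its TCP peer, so the real client address has to be read from `CF-Connecting-IP`. The example only trusts that header when the request arrives from the local `cloudflared` instance; this assumes `cloudflared` runs on the same host as the origin (adjust `TRUSTED_PEERS` if it does not). The HTTP handler and port are illustrative.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional

# Peers allowed to set CF-Connecting-IP. Assumption for this example: cloudflared
# runs on the same host as the origin, so the only legitimate peer is loopback.
TRUSTED_PEERS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def client_ip(peer_addr: str, headers: Mapping[str, str]) -> str:
    """Return the address to log and apply policy to for one HTTP request.

    peer_addr is the TCP peer the origin socket sees (the cloudflared process).
    CF-Connecting-IP is honoured only when that peer is trusted; otherwise it is
    ignored, because anything that can reach the origin directly could set the
    header to an arbitrary value.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in TRUSTED_PEERS):
        return str(peer)

    # Header names are case-insensitive in HTTP.
    raw: Optional[str] = next(
        (v for k, v in headers.items() if k.lower() == "cf-connecting-ip"), None
    )
    if raw is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        # Malformed header from a trusted peer: fall back rather than log garbage.
        return str(peer)


class Handler(BaseHTTPRequestHandler):
    """Minimal origin that echoes the resolved client address."""

    def do_GET(self):
        ip = client_ip(self.client_address[0], self.headers)
        body = f"client ip: {ip}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only, so the origin is reachable solely through the
    # local cloudflared and the tunnel's "no public IP" property holds.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Binding the origin to loopback matters as much as the header check: if the service also listens on a routable address, the tunnel no longer hides it and the header can be forged by direct callers.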

For detailed configuration, refer to the [Cloudflare Tunnel documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).

---

## Cloudflare One Client

The Cloudflare One Client is a device agent that securely connects end-user devices to Cloudflare's global network. The Cloudflare One Client encrypts traffic from the device using MASQUE (with post-quantum cryptography) or WireGuard and routes it through Cloudflare, where Gateway policies filter and inspect the traffic.

Use Cloudflare One Client to secure remote workforce devices, replace traditional VPN solutions, enforce DNS filtering and web security policies, implement device posture checks, and enable [Mesh connectivity](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) between enrolled devices.

Important to know

Cloudflare One Client is a bidirectional L3 tunnel — it on-ramps device traffic to Cloudflare and can also off-ramp traffic sent to the device's virtual IP address. Any connectivity option that routes traffic through Cloudflare's network (for example, IPsec tunnels, GRE tunnels, CNI, or another device via [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)) can initiate connections towards a Cloudflare One Client-enrolled device.

For detailed configuration, refer to the [Cloudflare One Client documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/).

---

## Cloudflare Mesh (beta)

Cloudflare Mesh connects your services and devices with post-quantum encrypted networking. Every enrolled device and mesh node receives a private [Mesh IP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/#mesh-ips) and can communicate with any other participant over TCP, UDP, or ICMP — including device-to-device without any infrastructure.

Mesh nodes run the Cloudflare One Client (`warp-cli`) in headless mode on Linux servers. They can advertise [CIDR routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) to make subnets behind them reachable, enabling connectivity to devices that cannot run the client (IoT, printers, legacy servers). All traffic preserves source IP addresses end-to-end.

Use Cloudflare Mesh for bidirectional connectivity (VoIP, SIP, AD updates, SCCM, DevOps), site-to-site networking, device-to-device connectivity, or any scenario where source IP preservation is important. For outbound-only access to private services, [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) (`cloudflared`) is simpler to deploy and runs on all platforms.

Cloudflare WAN compatibility

Accounts on Legacy routing mode do not support Cloudflare Mesh when Cloudflare WAN (formerly Magic WAN) is enabled. Your account must be on [Cloudflare One Unified Routing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta) for both to work together.

Note

Cloudflare Mesh supports [high availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) with active-passive replicas for nodes with CIDR routes.

For detailed configuration, refer to the [Cloudflare Mesh documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/).

---

## DNS locations

DNS locations allow you to filter DNS traffic from networks without deploying the Cloudflare One Client. By configuring your network's DNS resolver to point to Cloudflare Gateway, Gateway applies DNS policies to all queries from that location.

DNS locations support multiple endpoint types:

* **IPv4/IPv6**: Standard DNS resolution using Cloudflare's resolver IPs
* **DNS over HTTPS (DoH)**: Encrypted DNS queries over HTTPS
* **DNS over TLS (DoT)**: Encrypted DNS queries over TLS

Use DNS locations when you need to filter DNS traffic for an entire office or network without installing agents on individual devices, or when you need to integrate with existing network infrastructure.

Important to know

DNS locations filter DNS traffic only. To filter HTTP traffic, use the Cloudflare One Client or proxy endpoints.

For identity-based DNS policies without the Cloudflare One Client, configure [DNS over HTTPS with user tokens](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/#filter-doh-requests-by-user). To resolve internal domain names or route queries to private DNS servers, use [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) (Enterprise only).

For detailed configuration, refer to the [DNS locations documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/).

---

## Proxy endpoints

Proxy endpoints allow you to apply Cloudflare Gateway HTTP policies without installing a client on devices. By configuring a Proxy Auto-Configuration (PAC) file at the browser level, you route web traffic through Gateway for filtering and policy enforcement.

Cloudflare One supports two types of proxy endpoints:

* **Authorization endpoints**: Use Cloudflare Access for identity-based authentication
* **Source IP endpoints**: Authorize traffic based on originating IP address (Enterprise only)

Use proxy endpoints when you need to filter web traffic without device agents, integrate with existing proxy infrastructure, or deploy Gateway alongside other security tools.

Important to know

Proxy endpoints only filter HTTP/HTTPS traffic routed through the PAC file. They do not support UDP traffic, HTTP/3, non-browser applications, or Browser Isolation.

For detailed configuration, refer to the [Proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/).

---

## Clientless Web Isolation

Clientless Web Isolation allows users to securely access web applications through a remote browser without installing the Cloudflare One Client. Users navigate to a prefixed URL (`https://<team-name>.cloudflareaccess.com/browser/<URL>`), authenticate through Cloudflare Access, and Cloudflare renders the web content in an isolated browser, streaming only [safe draw commands ↗](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/) to the user's device while enforcing isolation policies.

Use Clientless Web Isolation when you need to provide secure web access for unmanaged devices (contractors, BYOD), enable access to sensitive applications without requiring endpoint software, or on-ramp users who cannot install the Cloudflare One Client.

Important to know

Clientless Web Isolation requires the Browser Isolation add-on and user authentication through Cloudflare Access. Gateway HTTP and DNS policies apply to isolated traffic.

For detailed configuration, refer to the [Clientless Web Isolation documentation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).

---

## GRE tunnels

Generic Routing Encapsulation (GRE) tunnels provide lightweight, stateless network connectivity between your infrastructure and Cloudflare. GRE tunnels are used with Cloudflare WAN (formerly Magic WAN) and Magic Transit to connect sites, data centers, and cloud environments using existing routers and firewalls.

Use GRE tunnels when you need to connect branch offices or data centers with minimal configuration overhead, integrate with Magic Transit for DDoS protection, or deploy redundant tunnels alongside IPsec.

Important to know

GRE does not encrypt traffic — use IPsec if encryption is required. GRE requires a static public IP and careful MTU planning (1,476 bytes MTU, MSS clamping at 1,436 bytes or lower).
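
The MTU and MSS figures above follow from header sizes, and the following added example (not from Cloudflare's documentation) shows the derivation and generalizes it to IPv6 on either side and to GRE optional fields: with a 1500-byte outer MTU, a 20-byte IPv4 outer header and the 4-byte base GRE header leave a 1476-byte tunnel MTU, and subtracting the inner 20-byte IPv4 and 20-byte TCP headers gives the 1436-byte MSS clamp. Header sizes are the standard values from RFC 791, RFC 8200, RFC 2784 and RFC 2890.

```python
# Standard header sizes in bytes.
IPV4_HEADER = 20          # RFC 791, no options
IPV6_HEADER = 40          # RFC 8200
GRE_BASE_HEADER = 4       # RFC 2784: flags/version + protocol type
GRE_CHECKSUM_FIELD = 4    # RFC 2784: optional Checksum + Reserved1
GRE_KEY_FIELD = 4         # RFC 2890: optional Key
GRE_SEQ_FIELD = 4         # RFC 2890: optional Sequence Number
TCP_HEADER = 20           # no options
INTERNET_MTU = 1500       # typical Ethernet path MTU


def gre_overhead(outer_ipv6=False, key=False, seq=False, checksum=False):
    """Bytes consumed by the outer IP header plus the GRE header and its options."""
    outer = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    return (outer + GRE_BASE_HEADER
            + (GRE_CHECKSUM_FIELD if checksum else 0)
            + (GRE_KEY_FIELD if key else 0)
            + (GRE_SEQ_FIELD if seq else 0))


def tunnel_mtu(outer_mtu=INTERNET_MTU, **gre_opts):
    """Largest inner packet that fits without fragmenting the outer packet."""
    return outer_mtu - gre_overhead(**gre_opts)


def tcp_mss(mtu, inner_ipv6=False):
    """MSS to clamp so a full TCP segment plus inner IP header fits the tunnel MTU."""
    inner = IPV6_HEADER if inner_ipv6 else IPV4_HEADER
    return mtu - inner - TCP_HEADER


def gre_plan(outer_mtu=INTERNET_MTU, inner_ipv6=False, **gre_opts):
    """Return the interface MTU and MSS clamp to configure for one GRE tunnel."""
    mtu = tunnel_mtu(outer_mtu, **gre_opts)
    return {"tunnel_mtu": mtu, "mss_clamp": tcp_mss(mtu, inner_ipv6)}


if __name__ == "__main__":
    print("default:", gre_plan())                    # {'tunnel_mtu': 1476, 'mss_clamp': 1436}
    print("GRE key:", gre_plan(key=True))            # 4 bytes less on both
    print("IPv6 outer:", gre_plan(outer_ipv6=True))  # 20 bytes less on both
    print("IPv6 inner:", gre_plan(inner_ipv6=True))  # same MTU, MSS 20 bytes lower
```

The reason the page says "1,436 bytes or lower" is visible in the non-default cases: any extra header field on either side (a GRE key, an IPv6 payload, a path MTU below 1500) lowers the safe MSS, so the clamp must be computed for the worst case on the link.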

For detailed configuration, refer to the [GRE and IPsec tunnels documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/).

---

## IPsec tunnels

IPsec tunnels provide encrypted, stateful network connectivity between your infrastructure and Cloudflare. IPsec tunnels are used with Cloudflare WAN and Magic Transit for secure site-to-site connectivity, using IKEv2 for tunnel negotiation and AES-GCM or AES-CBC for encryption.

Use IPsec tunnels when you need to encrypt traffic over the public Internet, meet compliance requirements for encrypted connections, or replace expensive MPLS links.

Important to know

IPsec tunnels require a static public IP and support IKEv2 only (not IKEv1). If your device is behind NAT, initiate IKE on port `4500`.

When traffic from Cloudflare WAN egresses to the public Internet through Gateway, source IP addresses are translated to Cloudflare dedicated egress IP addresses.

For cloud environments (AWS, Azure, GCP), use [Multi-Cloud Networking](#multi-cloud-networking) to automate IPsec tunnel creation instead of configuring tunnels manually.

For detailed configuration, refer to the [GRE and IPsec tunnels documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/).

Key consideration

IPsec and GRE tunnels require a Cloudflare WAN subscription.

---

## Cloudflare One Appliance

Cloudflare One Appliance (formerly Magic WAN Connector) is a plug-and-play SD-WAN appliance that automates connectivity to Cloudflare's network. It establishes IPsec tunnels automatically and provides traffic steering. You can deploy it as a hardware appliance (Dell VEP1460) or virtual appliance (VMware ESXi, Proxmox).

Use Cloudflare One Appliance for zero-touch branch office deployments, to replace edge routers, achieve high throughput (1 Gbps or higher), or manage multiple sites through a centralized dashboard.

Key consideration

Cloudflare One Appliance requires a Cloudflare WAN subscription and dedicated hardware or VM (cannot run alongside other software on the same host).

For detailed configuration, refer to the [Cloudflare One Appliance documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliances/).

---

## Cloudflare Network Interconnect (CNI)

Cloudflare Network Interconnect (CNI) allows you to connect your network infrastructure directly to Cloudflare through private, dedicated connections that bypass the public Internet. CNI provides predictable latency, consistent throughput, and reduced exposure to attacks.

Use CNI when you need to meet security requirements that prohibit public Internet traffic, reduce cloud egress costs, or deploy in highly regulated industries (financial services, healthcare).

### CNI connection types

The following table describes the Cloudflare Network Interconnect (CNI) connection types.

**Table 2: Cloudflare One CNI connection types**

| Type                     | Description                                                                               | Ideal for                                                                       |
| ------------------------ | ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| **Direct Interconnect**  | Physical fiber cross-connect in a shared data center                                      | Customers colocated with Cloudflare who require maximum control and performance |
| **Partner Interconnect** | Virtual connection through connectivity partners (Megaport, Equinix Fabric, PacketFabric) | Customers not colocated with Cloudflare or who prefer managed connectivity      |
| **Cloud Interconnect**   | Private connection from cloud providers (AWS, GCP, Azure)                                 | Customers with workloads in public clouds requiring private connectivity        |

Key consideration

CNI requires an Enterprise plan and is available only in locations where Cloudflare has interconnect facilities.

Important to know

CNI supports both Magic Transit (DDoS protection) and Cloudflare WAN (private networking). CNI also supports [BGP peering](https://developers.cloudflare.com/network-interconnect/get-started/) (closed beta) with the Cloudflare Virtual Network routing table for dynamic route exchange. BGP over CNI is not currently available to new customers — contact your account team if you are interested. When used with Magic Transit, cleaned inbound traffic always flows over CNI. Return traffic can either egress directly to the Internet (Direct Server Return, default) or route back through Cloudflare via [Magic Transit Egress](https://developers.cloudflare.com/magic-transit/reference/egress/).

For detailed configuration, refer to the [Cloudflare Network Interconnect documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/network-interconnect/).

---

## Multi-Cloud Networking

Multi-Cloud Networking (formerly Magic Cloud Networking) is an automation layer that simplifies connecting cloud environments to Cloudflare WAN. Rather than manually configuring IPsec tunnels, Multi-Cloud Networking automatically discovers your cloud resources and creates the necessary VPN tunnels and routes on both sides (cloud provider and Cloudflare WAN).

Multi-Cloud Networking is not a separate tunnel type — it orchestrates your cloud provider's native VPN functionality (AWS VPN Gateway, Azure VPN, GCP Cloud VPN) to establish IPsec connectivity to Cloudflare WAN.

### Use cases

* Connect AWS, Azure, or GCP VPCs to Cloudflare WAN with minimal configuration
* Automate tunnel and route creation instead of manual IPsec setup
* Connect multiple VPCs through a hub architecture (AWS Transit Gateway)
* Simplify multi-cloud networking across different providers

### Cloudflare One Multi-Cloud on-ramp types

The following table describes the Multi-Cloud Networking on-ramp types.

**Table 3: Cloudflare One Multi-Cloud Networking on-ramp types**

| Type           | Description                                                                   | Use when                                                       |
| -------------- | ----------------------------------------------------------------------------- | -------------------------------------------------------------- |
| **Single VPC** | Connects one VPC directly to Cloudflare WAN via VPN tunnel                    | You have a single VPC to connect                               |
| **Hub**        | Connects multiple VPCs through a cloud hub (for example, AWS Transit Gateway) | You need to connect multiple VPCs with inter-VPC communication |

### Supported cloud providers

* AWS (single VPC and hubs)
* Azure (single VPC)
* GCP (single VPC)

Key consideration

Multi-Cloud Networking requires a Cloudflare WAN subscription that includes Multi-Cloud Networking. Contact your account team to enable Multi-Cloud Networking.

### Deployment notes

* **Azure VNet sizing**: Multi-Cloud Networking creates a GatewaySubnet (`/27`) within your VNet for the Azure VPN Gateway. Ensure your VNet has sufficient address space. A `/20` or larger VNet is recommended to avoid address exhaustion.
* **Cloud provider costs**: Multi-Cloud Networking uses your cloud provider's native VPN services. Standard VPN gateway and data transfer costs from your cloud provider apply in addition to Cloudflare WAN costs.
* **Tunnel creation time**: Cloud provider VPN gateways can take 15-45 minutes to provision. Plan for this delay when onboarding new VPCs.
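
To turn the Azure VNet sizing note into a preflight check, here is an added example (not part of Cloudflare's or Azure's tooling) that looks for a free `/27` block for the GatewaySubnet inside a VNet, given the subnets already allocated, and flags VNets smaller than the recommended `/20`. The VNet and subnet addresses in the usage are constructed; the address-space inputs would normally come from your own inventory.

```python
import ipaddress
from typing import Iterable, Optional

GATEWAY_SUBNET_PREFIX = 27    # size Multi-Cloud Networking creates for the VPN Gateway
RECOMMENDED_VNET_PREFIX = 20  # recommended minimum VNet size from the page


def free_gateway_subnet(vnet_cidr: str, existing_subnets: Iterable[str],
                        prefix: int = GATEWAY_SUBNET_PREFIX) -> Optional[ipaddress.IPv4Network]:
    """Return the first /prefix block inside the VNet that overlaps no existing subnet.

    Returns None when the VNet is smaller than the requested block or every
    candidate block collides with an allocated subnet (address exhaustion).
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    used = [ipaddress.ip_network(s, strict=True) for s in existing_subnets]
    for subnet in used:
        if not subnet.subnet_of(vnet):
            raise ValueError(f"{subnet} is not inside {vnet}")
    if prefix < vnet.prefixlen:
        return None
    for candidate in vnet.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None


def vnet_report(vnet_cidr: str, existing_subnets: Iterable[str]) -> dict:
    """Summarize whether a VNet is ready for Multi-Cloud Networking onboarding."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    free = free_gateway_subnet(vnet_cidr, existing_subnets)
    return {
        "vnet": str(vnet),
        "meets_recommended_size": vnet.prefixlen <= RECOMMENDED_VNET_PREFIX,
        "gateway_subnet": str(free) if free is not None else None,
    }


if __name__ == "__main__":
    # Constructed inventory: a /20 VNet with two /24 subnets already in use.
    print(vnet_report("10.0.0.0/20", ["10.0.0.0/24", "10.0.1.0/24"]))
    # Constructed exhausted VNet: a /24 fully split into two /25 subnets.
    print(vnet_report("10.1.0.0/24", ["10.1.0.0/25", "10.1.0.128/25"]))
```

A `None` result for `gateway_subnet` is the condition the page warns about: the gateway cannot be created until the VNet is resized or a subnet is freed, and since VPN gateways take 15-45 minutes to provision, catching this before onboarding saves a failed run.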

For detailed configuration, refer to the [Multi-Cloud Networking documentation](https://developers.cloudflare.com/multi-cloud-networking/).

---

## Choose the right Cloudflare One connectivity option

The following table maps common requirements to recommended Cloudflare One connectivity options. These are not exhaustive recommendations.

**Table 4: Recommended Cloudflare One connectivity options for common requirements**

| Requirement                                                     | Recommended option                                                                                                                                                                                                                    |
| --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Expose a private web application without a public IP            | [Cloudflare Tunnel](#cloudflare-tunnel)                                                                                                                                                                                               |
| Secure end-user devices                                         | [Cloudflare One Client](#cloudflare-one-client)                                                                                                                                                                                       |
| Replace traditional VPN for remote access                       | [Cloudflare Tunnel](#cloudflare-tunnel) (primary) + [Cloudflare Mesh](#cloudflare-mesh) (for bidirectional needs)                                                                                                                     |
| Connect a site with IoT devices or VoIP systems                 | [GRE](#gre-tunnels) or [IPsec tunnels](#ipsec-tunnels) (from existing router/firewall), [Cloudflare One Appliance](#cloudflare-one-appliance) (zero-touch deployment), or [Cloudflare Mesh](#cloudflare-mesh) (requires a Linux host) |
| Connect a branch office using existing routers                  | [GRE](#gre-tunnels) or [IPsec tunnels](#ipsec-tunnels)                                                                                                                                                                                |
| Encrypt traffic over the public Internet                        | [IPsec tunnels](#ipsec-tunnels)                                                                                                                                                                                                       |
| Zero-touch branch office deployment                             | [Cloudflare One Appliance](#cloudflare-one-appliance)                                                                                                                                                                                 |
| Connect cloud VPCs (AWS, Azure, GCP) with minimal configuration | [Multi-Cloud Networking](#multi-cloud-networking)                                                                                                                                                                                     |
| Bypass the public Internet entirely                             | [Cloudflare Network Interconnect](#cloudflare-network-interconnect-cni)                                                                                                                                                               |
| High-throughput enterprise connectivity                         | [Cloudflare One Appliance](#cloudflare-one-appliance) or [CNI](#cloudflare-network-interconnect-cni)                                                                                                                                  |

Note

The connectivity options on this page connect your private infrastructure, sites, and users through Cloudflare's network. If you also need to protect public-facing services, these are handled by separate products:

* **Non-HTTP traffic** (TCP/UDP protocols such as gaming, email, or custom services) — refer to [Spectrum](https://developers.cloudflare.com/spectrum/).
* **Network-level DDoS protection** (for on-premises, cloud-hosted, and hybrid networks) — refer to [Magic Transit](https://developers.cloudflare.com/magic-transit/).

### Cloudflare One recommendations by team

The team driving your Cloudflare One connectivity project influences which option provides the smoothest adoption path. The following table provides examples.

**Table 5\. Cloudflare One connectivity recommendations for teams**

| Primary team                  | Recommended starting point                                                                            | Rationale                                                                                                           |
| ----------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| Security / InfoSec            | [Cloudflare Tunnel](#cloudflare-tunnel) \+ [Cloudflare One Client](#cloudflare-one-client)            | Minimal network infrastructure changes required. Security controls are managed within the Cloudflare One dashboard. |
| Network Operations            | [Cloudflare WAN](#ipsec-tunnels) (IPsec/GRE) or [Cloudflare One Appliance](#cloudflare-one-appliance) | Familiar routing and tunnel configuration. Integrates with existing network equipment and workflows.                |
| DevOps / Platform Engineering | [Cloudflare Mesh](#cloudflare-mesh) or [Cloudflare Tunnel](#cloudflare-tunnel)                        | Software-defined deployment. Scriptable via API. No hardware dependencies.                                          |
| Facilities / Branch IT        | [Cloudflare One Appliance](#cloudflare-one-appliance)                                                 | Zero-touch deployment with centralized management. No on-site networking expertise required.                        |

### Cloudflare Mesh and Cloudflare One Appliance comparison

Cloudflare Mesh and Cloudflare One Appliance both provide site-level connectivity, but serve different deployment scenarios.

| Aspect                | Cloudflare Mesh                                                                                                                                          | Cloudflare One Appliance                                                           |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| **Protocol**          | MASQUE                                                                                                                                                   | IPsec                                                                              |
| **Deployment model**  | Software on Linux host (can run alongside other workloads)                                                                                               | Dedicated hardware appliance or virtual machine                                    |
| **Best for**          | Cloud VPCs, development environments, smaller deployments with an available Linux host                                                                   | Enterprise branch offices, data centers, sites requiring high throughput (1 Gbps+) |
| **Platform support**  | Linux only (x86\_64, ARM64). Currently in beta.                                                                                                          | Hardware appliance (Dell VEP1460) or virtual (VMware ESXi, Proxmox)                |
| **High availability** | [Active-passive replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) for nodes with routes | Supported through multiple connectors per site                                     |
| **Management**        | Configured as a device in the Cloudflare One Client settings                                                                                             | Centralized through the Cloudflare WAN dashboard with zero-touch provisioning      |

Use Cloudflare Mesh when you need lightweight, software-only connectivity for cloud workloads or sites where a Linux host is available. Use Cloudflare One Appliance when you need enterprise-grade throughput, high availability, or integration with existing network infrastructure.

---

## Combine Cloudflare One connectivity options

Most enterprise Cloudflare One deployments use multiple connectivity options together. This section covers compatibility considerations and common deployment patterns.

### Cloudflare One connectivity compatibility matrix

Not all Cloudflare One connectivity options work together in the same account. Review the following compatibility information before designing your deployment.

**Table 7\. Cloudflare One connectivity compatibility**

| Combination                                                 | Compatible  | Notes                                                                                                                                                                                                                                             |
| ----------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Cloudflare Mesh + Cloudflare WAN                            | Conditional | Requires [Cloudflare One Unified Routing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta). Accounts on Legacy routing mode cannot use both.            |
| Cloudflare One Client + Cloudflare WAN                      | Yes         | Cloudflare One Client users can access Cloudflare WAN-connected sites. Cloudflare WAN sites can also initiate connections to Cloudflare One Client devices using their virtual IP addresses.                                                      |
| Cloudflare Tunnel + Cloudflare WAN                          | Yes         | Avoid overlapping IP routes. Cloudflare Tunnel takes priority if the same CIDR is configured for both.                                                                                                                                            |
| GRE + IPsec                                                 | Yes         | Use for redundancy or migration scenarios.                                                                                                                                                                                                        |
| CNI + GRE or IPsec                                          | Yes         | Use Internet-based GRE or IPsec tunnels as backup connectivity alongside CNI.                                                                                                                                                                     |
| Cloudflare One Client + Cloudflare Tunnel + Cloudflare Mesh | Yes         | Common pattern for remote access to private applications. All three work together.                                                                                                                                                                |
| CNI + Cloudflare Tunnel                                     | Conditional | cloudflared connects to multiple Cloudflare regions for redundancy. If CNI only advertises one region, the tunnel operates with reduced redundancy. Evaluate whether Cloudflare Tunnel is necessary if CNI already provides private connectivity. |

### Cloudflare One routing considerations

When using multiple Cloudflare One connectivity options, follow these guidelines to avoid routing conflicts:

* **Avoid overlapping CIDR ranges**: Do not configure the same IP range for multiple tunnel types. If an overlap exists, Cloudflare Tunnel takes priority over Cloudflare WAN routes.
* **No automatic failover**: Cloudflare does not automatically fail over traffic between different connectivity options. Plan your routing to handle failures within each tunnel type.
* **Virtual Networks**: Use [Virtual Networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) to handle overlapping private IP ranges from different environments (for example, multiple cloud VPCs using `10.0.0.0/8`).
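The three guidelines above are easy to state and easy to violate once several teams are adding routes. The following is an added example, not Cloudflare's code, that checks a constructed route table for overlaps the way a pre-deployment review would. It encodes only the precedence rule the text gives (identical CIDR on Cloudflare Tunnel and Cloudflare WAN resolves to Tunnel), treats overlaps in different Virtual Networks as intended rather than as conflicts, and flags every other overlap for review instead of guessing which connector would carry the traffic. The connector labels and the sample routes are assumptions for illustration.

```python
"""Check Cloudflare One private routes for overlaps before you deploy them.

Added example (not Cloudflare's code). Routes are modelled as constructed
(cidr, connector, virtual network) entries. The only resolution rule taken
from the documentation is: when the same CIDR is configured for both
Cloudflare Tunnel and Cloudflare WAN, Cloudflare Tunnel wins. Every other
overlap is flagged for review, and overlaps in different Virtual Networks
are allowed (that is what Virtual Networks are for).
"""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class Route:
    cidr: str
    connector: str          # "tunnel" (cloudflared), "wan" (GRE/IPsec), "mesh"
    vnet: str = "default"   # Cloudflare Virtual Network the route belongs to

    @property
    def network(self):
        return ip_network(self.cidr, strict=True)


def resolve(a, b):
    """Return the route that carries traffic for an overlapping pair when the
    documented rule decides it, otherwise None (operator must review)."""
    same_cidr = a.network == b.network
    tunnel_vs_wan = {a.connector, b.connector} == {"tunnel", "wan"}
    if same_cidr and tunnel_vs_wan:
        return a if a.connector == "tunnel" else b
    return None


def find_overlaps(routes):
    """List every overlapping pair inside the same Virtual Network."""
    findings = []
    for a, b in combinations(routes, 2):
        if a.vnet != b.vnet:
            continue  # separate vnets may reuse ranges: not a conflict
        if a.network.overlaps(b.network):
            findings.append({"a": a, "b": b, "winner": resolve(a, b)})
    return findings


def report(routes):
    """Human-readable lines, one per finding."""
    lines = []
    for f in find_overlaps(routes):
        a, b, w = f["a"], f["b"], f["winner"]
        if w is None:
            verdict = "REVIEW: undefined precedence, split into Virtual Networks or renumber"
        else:
            verdict = f"{w.connector} takes priority (documented Tunnel-over-WAN rule)"
        lines.append(f"{a.cidr} via {a.connector} <> {b.cidr} via {b.connector} "
                     f"[vnet={a.vnet}]: {verdict}")
    return lines


# Constructed sample: a data-center prefix advertised twice, a Mesh node
# announcing a sub-range of a branch office prefix, and two cloud VPCs that
# both use 10.0.0.0/8 but sit in separate Virtual Networks.
SAMPLE_ROUTES = [
    Route("10.0.0.0/16", "tunnel"),
    Route("10.0.0.0/16", "wan"),
    Route("10.1.0.0/16", "wan"),
    Route("10.1.0.0/24", "mesh"),
    Route("10.0.0.0/8", "mesh", vnet="aws-prod"),
    Route("10.0.0.0/8", "mesh", vnet="gcp-prod"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROUTES)))
```

Run against the sample, the checker reports two findings: the duplicated data-center prefix (resolved to Tunnel) and the Mesh sub-range inside the branch prefix (flagged for review), while the two overlapping VPC ranges pass because they live in different Virtual Networks.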

### Cloudflare One MTU planning

When layering Cloudflare One tunnels or using multiple encapsulation methods, account for overhead to prevent fragmentation.

**Table 8\. Effective MTU values for Cloudflare One tunnel types**

| Scenario                                                           | Effective MTU                            | MSS clamping                                                                                                                                        |
| ------------------------------------------------------------------ | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| GRE tunnel                                                         | 1,476 bytes                              | 1,436 bytes or lower                                                                                                                                |
| IPsec tunnel                                                       | 1,400-1,436 bytes (varies by encryption) | 1,360-1,396 bytes                                                                                                                                   |
| Cloudflare One Client behind Cloudflare WAN (double encapsulation) | \~1,300 bytes                            | Configure based on testing                                                                                                                          |
| Cloudflare Mesh to Cloudflare One Client                           | \~1,280 bytes                            | Configure based on testing. Traffic is encapsulated twice: by Cloudflare Mesh and again by Cloudflare before delivery to the Cloudflare One Client. |

Configure MSS clamping on your edge devices to ensure TCP traffic does not require fragmentation.
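To show where the numbers in Table 8 come from, here is an added calculator (not Cloudflare's code) that stacks per-layer encapsulation overhead and derives the MSS clamp. The overheads are standard header sizes, expressed as (min, max) ranges so that variable encapsulations such as ESP produce an MTU range, and the clamp rule MSS = MTU - 40 (IPv4 plus TCP headers) is what reproduces the GRE and IPsec rows from a 1,500-byte base MTU. It also generates a standard `iptables` `TCPMSS` rule for the worst case of the path; the interface name is a placeholder, and the double-encapsulation figures the table gives as approximate are deliberately not modelled, since the page says to determine those by testing.

```python
"""Effective-MTU and MSS-clamp calculator for layered Cloudflare One tunnels.

Added example (not Cloudflare's code). Per-layer overheads are standard
header sizes stated as (min, max) ranges. The MSS rule is MSS = MTU - 40
(IPv4 header + TCP header), which reproduces the GRE and IPsec rows of
Table 8 from a 1,500-byte base MTU. Interface names are placeholders.
"""

# Overhead added by each encapsulation layer, in bytes, including the outer
# IPv4 header (20 bytes) that each tunnel adds.
OVERHEAD = {
    "gre": (24, 24),      # 20 outer IPv4 + 4-byte GRE header (no key/sequence)
    "ipsec": (64, 100),   # 20 outer IPv4 + ESP: SPI, sequence, IV, padding,
                          # trailer and ICV; size depends on the cipher suite
}

IPV4_TCP_HEADERS = 40     # 20 IPv4 + 20 TCP, the minimum MSS discount


def effective_mtu(base_mtu, layers):
    """Return (min, max) MTU left for the inner packet after `layers`."""
    lo = hi = base_mtu
    for layer in layers:
        mn, mx = OVERHEAD[layer]
        lo -= mx
        hi -= mn
    return lo, hi


def mss_clamp(mtu):
    """Largest TCP MSS that fits in `mtu` without fragmentation."""
    return mtu - IPV4_TCP_HEADERS


def will_fragment(packet_len, layers, base_mtu=1500):
    """True if an inner IP packet of packet_len bytes can exceed the
    worst-case effective MTU through `layers`."""
    lo, _ = effective_mtu(base_mtu, layers)
    return packet_len > lo


def mss_rule(iface, layers, base_mtu=1500):
    """iptables mangle rule clamping SYN MSS to the worst-case value for the
    path, so peers never negotiate a segment the tunnel cannot carry."""
    lo, _ = effective_mtu(base_mtu, layers)
    mss = mss_clamp(lo)
    return (f"iptables -t mangle -A FORWARD -o {iface} -p tcp "
            f"--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}")


if __name__ == "__main__":
    for name, layers in [("GRE", ["gre"]), ("IPsec", ["ipsec"]),
                         ("GRE inside IPsec", ["gre", "ipsec"])]:
        lo, hi = effective_mtu(1500, layers)
        print(f"{name:18s} MTU {lo}-{hi}  MSS {mss_clamp(lo)}-{mss_clamp(hi)}")
    print(mss_rule("gre1", ["gre"]))  # gre1 is a placeholder interface name
```

The rule clamps on the worst case of the range on purpose: a clamp derived from the optimistic end would leave some cipher suites fragmenting, and a few dozen bytes of lost payload per segment is cheaper than path-MTU blackholing.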

### Cloudflare One source IP preservation

Cloudflare One connectivity options differ in whether the destination sees the original client source IP. The following table summarizes the behavior of each option.

**Table 9\. Cloudflare One source IP behavior**

| Connectivity option      | Source IP behavior                                                                    |
| ------------------------ | ------------------------------------------------------------------------------------- |
| Cloudflare Tunnel        | Origin sees the cloudflared process IP. Use CF-Connecting-IP header for HTTP traffic. |
| Cloudflare Mesh          | Preserves original source IP end-to-end.                                              |
| GRE and IPsec tunnels    | Preserves original source IP within the tunnel.                                       |
| Cloudflare One Appliance | Preserves original source IP within the tunnel.                                       |

Source IP preservation is required for:

* VoIP and SIP protocols that embed IP addresses in signaling
* Audit logging that requires client IP visibility
* Applications that make authorization decisions based on source IP
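The Cloudflare Tunnel row deserves a closer look, because the last two bullets (audit logging and source-IP authorization) are exactly where getting it wrong hurts. Behind `cloudflared` the origin's TCP peer is the cloudflared host, so the real client address exists only in the `CF-Connecting-IP` header, and a header can be set by anyone who can reach the origin directly. The following added example, not Cloudflare's code, shows the defensive pattern: honour the header only when the TCP peer is a host where cloudflared runs, fall back to the peer address otherwise, and log both addresses so an investigator can tell which path a request took. `TRUSTED_PEERS` and the sample requests are constructed placeholders.

```python
"""Recover the real client IP behind Cloudflare Tunnel without trusting a
spoofable header.

Added example (not Cloudflare's code). Behind cloudflared the origin's TCP
peer is the cloudflared host, so the original client address only exists in
the CF-Connecting-IP header. A header can be set by anyone who can reach the
origin directly, so this helper honours it only when the TCP peer is one of
the hosts where cloudflared runs. TRUSTED_PEERS and the sample requests are
constructed placeholders.
"""
from ipaddress import ip_address, ip_network

# Constructed: networks from which cloudflared connects to this origin.
TRUSTED_PEERS = [ip_network("127.0.0.0/8"), ip_network("10.0.5.0/24")]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    for k, v in headers.items():
        if k.lower() == name:
            return v
    return None


def client_ip(peer_ip, headers, trusted=TRUSTED_PEERS):
    """Return the address that authorization and audit logs should use.

    - peer is a trusted cloudflared host and CF-Connecting-IP parses: use it
    - otherwise: use the TCP peer address itself and ignore the header
    """
    peer = ip_address(peer_ip)
    if any(peer in net for net in trusted):
        raw = _header(headers, "CF-Connecting-IP")
        if raw:
            try:
                return str(ip_address(raw.strip()))
            except ValueError:
                pass  # malformed header: fall back to the peer, do not crash
    return str(peer)


def is_authorized(peer_ip, headers, allowed_cidrs, trusted=TRUSTED_PEERS):
    """Source-IP authorization decision using the recovered client address."""
    client = ip_address(client_ip(peer_ip, headers, trusted))
    return any(client in ip_network(c) for c in allowed_cidrs)


def audit_line(peer_ip, headers, method, path, trusted=TRUSTED_PEERS):
    """Log both addresses so investigators can see which path a request took."""
    return (f"client={client_ip(peer_ip, headers, trusted)} "
            f"peer={peer_ip} {method} {path}")


if __name__ == "__main__":
    # Constructed requests: one via cloudflared, one direct hit carrying a
    # forged header that claims an internal address.
    via_tunnel = ("10.0.5.10", {"CF-Connecting-IP": "203.0.113.7"})
    direct_forged = ("198.51.100.9", {"cf-connecting-ip": "10.0.0.1"})
    print(audit_line(*via_tunnel, "GET", "/admin"))
    print(audit_line(*direct_forged, "GET", "/admin"))
    print(is_authorized(*direct_forged, ["10.0.0.0/8"]))  # False: header ignored
```

The same trust boundary applies to any reverse proxy that rewrites the peer address; what changes with Cloudflare Tunnel is only that the trusted peer is the cloudflared process rather than a load balancer. Where the application truly needs the network-layer source address (the VoIP and SIP case above), use one of the options in the table that preserves it instead.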

### Cloudflare One traffic direction capabilities

The following table shows traffic direction support for each Cloudflare One connectivity option.

**Table 10\. Cloudflare One connectivity traffic direction support**

| Connectivity option      | Client-initiated traffic | Server-initiated traffic |
| ------------------------ | ------------------------ | ------------------------ |
| Cloudflare Tunnel        | Yes                      | No                       |
| Cloudflare One Client    | Yes                      | Yes                      |
| Cloudflare Mesh          | Yes                      | Yes                      |
| GRE and IPsec tunnels    | Yes                      | Yes                      |
| Cloudflare One Appliance | Yes                      | Yes                      |
| CNI                      | Yes                      | Yes                      |

If your application requires server-initiated connections (for example, VoIP callbacks, database replication), use a bidirectional connectivity option such as Cloudflare One Client, Cloudflare Mesh, Cloudflare WAN (IPsec/GRE), or CNI. Cloudflare Tunnel does not support server-initiated traffic.

---

## Common Cloudflare One deployment patterns

The following patterns illustrate how organizations combine Cloudflare One connectivity options for different scenarios.

### Enterprise with remote workers and branch offices

This pattern serves organizations with a distributed workforce and multiple physical locations.

**Components:**

* **Cloudflare One Client** for remote employees, providing secure access from any location
* **IPsec tunnels** (via Cloudflare WAN) for branch offices with existing network infrastructure
* **Cloudflare Tunnel** for specific internal applications that need clientless browser access

**Traffic flow:**

1. Remote employees connect through the Cloudflare One Client, which on-ramps their traffic to Cloudflare.
2. Gateway policies inspect and filter traffic based on user identity and device posture.
3. Traffic destined for branch office resources routes through IPsec tunnels to Cloudflare WAN-connected sites.
4. Traffic destined for specific applications routes through Cloudflare Tunnel to origin servers.

### Cloud-first organization

This pattern serves organizations with primarily cloud-based infrastructure and minimal on-premises equipment.

**Components:**

* **Multi-Cloud Networking** for cloud VPCs (AWS, GCP, Azure), automating IPsec tunnel creation to Cloudflare WAN
* **Cloudflare Tunnel** for Kubernetes services and containerized applications
* **Cloudflare One Client** for employee devices

**Traffic flow:**

1. Multi-Cloud Networking automatically creates IPsec tunnels between cloud VPCs and Cloudflare WAN.
2. Cloudflare Tunnel provides ingress for external-facing applications.
3. Employees access cloud resources through the Cloudflare One Client.

**Alternative:** For organizations not using Cloudflare WAN, Cloudflare Mesh can provide bidirectional connectivity for cloud VPCs. Note that accounts on Legacy routing mode cannot use Cloudflare Mesh and Cloudflare WAN together.

### Highly regulated enterprise

This pattern serves organizations with strict compliance requirements that prohibit traffic from traversing the public Internet.

**Components:**

* **Cloudflare Network Interconnect (CNI)** for primary connectivity from data centers
* **IPsec tunnels** as backup connectivity in case of CNI issues
* **Cloudflare One Client** for remote employees

**Traffic flow:**

1. Data center traffic routes through CNI, never touching the public Internet.
2. IPsec tunnels provide backup connectivity if CNI experiences issues.
3. Remote employees connect through the Cloudflare One Client over the public Internet (encrypted).
4. Gateway policies enforce compliance rules on all traffic regardless of connectivity method.

---

## Related resources

* [SASE reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) \- Guide to deploying Cloudflare One
* [WAN transformation](https://developers.cloudflare.com/cloudflare-wan/wan-transformation/) \- Plan your migration from legacy WAN to Cloudflare One
* [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)
* [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)
* [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)
* [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/)
* [WAN Connectors on-ramps](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/on-ramps/) \- Full list of supported on-ramps
* [Multi-Cloud Networking](https://developers.cloudflare.com/multi-cloud-networking/) \- Automate cloud VPC connectivity
* [Magic Transit](https://developers.cloudflare.com/magic-transit/)
* [Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliances/)
* [Cloudflare Network Interconnect](https://developers.cloudflare.com/network-interconnect/)
* [Virtual Networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/)
* [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) \- Filter DNS traffic without device agents
* [Proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) \- Filter web traffic using PAC files
* [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) \- Secure web access without device agents

For implementation guidance on combining Cloudflare One connectivity options, refer to the [SASE reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/).


---

---
title: Cloudflare Mesh
description: How Cloudflare Mesh works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Cloudflare Mesh

Cloudflare Mesh connects your services and devices with post-quantum encrypted networking. Route traffic privately between servers, laptops, and phones without VPNs or bastion hosts.

Every enrolled device and node receives a private IP address (Mesh IP) and can reach any other participant by IP over TCP, UDP, or ICMP, with traffic routed through Cloudflare's network.

Mesh nodes are Linux servers running the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (`warp-cli`) in headless mode. Client devices are laptops and phones running the same client with a UI.

![The Mesh network map in the Cloudflare dashboard showing nodes and devices connected through Cloudflare](https://developers.cloudflare.com/_astro/mesh-network-map.CED6jNHK_ZlOsym.webp) 

Note

Cloudflare Mesh was previously known as WARP Connector and peer-to-peer connectivity. Existing WARP Connectors are now called mesh nodes. The WARP client is now the Cloudflare One Client. All existing deployments continue to work — no migration required.

## How it works

Mesh has two types of participants:

|                       | Mesh nodes                                                                                                                                       | Client devices                                                                                                                                 |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| **Runs on**           | Linux servers, VMs, containers                                                                                                                   | Laptops, phones, desktops                                                                                                                      |
| **Client**            | [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (warp-cli), headless | [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (warp-cli) with UI |
| **Mesh IP**           | Assigned on enrollment                                                                                                                           | Assigned on enrollment                                                                                                                         |
| **Subnet routing**    | Can advertise CIDR routes                                                                                                                        | No — clients reach subnets through nodes                                                                                                       |
| **High availability** | Supports active-passive replicas                                                                                                                 | Not applicable                                                                                                                                 |

Any participant can reach any other participant by Mesh IP. Client-to-client connectivity works without deploying any Mesh nodes.

```mermaid
flowchart LR
  subgraph nodes["Mesh nodes"]
    A["web-server <br> 100.96.0.1"]
    B["db-replica <br> 100.96.0.2"]
  end
  subgraph devices["Client devices"]
    C["MacBook <br> 100.96.0.10"]
    D["iPhone <br> 100.96.0.11"]
  end
  A <--> CF((Cloudflare <br> network))
  B <--> CF
  CF <--> C
  CF <--> D
```

All traffic passes through Cloudflare, so [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/), and access rules apply to every connection.

## Mesh IPs

Every participant is assigned a private IP from the `100.96.0.0/12` range. In other parts of the Cloudflare One documentation, these addresses are referred to as [device IPs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/).

This range uses [CGNAT address space ↗](https://datatracker.ietf.org/doc/html/rfc6598) to avoid conflicts with RFC 1918 private ranges (`10.x`, `172.16.x`, `192.168.x`). If the default range conflicts with your network, you can [configure a custom subnet](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/).

View a device's Mesh IP on the [Mesh overview page ↗](https://dash.cloudflare.com/?to=/:account/mesh) or on the node detail page in the dashboard.

For details on reserved ranges, refer to [Reserved IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/).

## Mesh vs. Tunnel

Both Cloudflare Mesh and [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connect private infrastructure to Cloudflare, but they solve different problems:

|                       | Cloudflare Mesh                                     | Cloudflare Tunnel                                         |
| --------------------- | --------------------------------------------------- | --------------------------------------------------------- |
| **Traffic direction** | Bidirectional — any participant can initiate        | Inbound to origin — clients connect to published services |
| **Addressing**        | Every participant gets a Mesh IP                    | Server-side only, no Mesh IPs                             |
| **Use case**          | Private IP connectivity between devices and servers | Publishing specific applications, hostnames, or IP routes |
| **Connector**         | warp-cli                                            | cloudflared                                               |
| **Protocols**         | TCP, UDP, ICMP                                      | HTTP/S, TCP, SSH, RDP, SMB (proxied over WebSocket)       |

Use Mesh when devices need to reach each other by private IP, or when your workload requires stable, long-lived TCP connections (SAP, database replication, ERP systems, RDP sessions). Mesh operates at L3/L4 and preserves connections end-to-end, making it the recommended software on-ramp for any traffic sensitive to connection interruptions. Use Tunnel when you want to publish services by hostname or proxy traffic to specific IP ranges through `cloudflared`.

Coming from another mesh networking product?

If you have used Tailscale, WireGuard, or a similar product, here is how concepts map to Cloudflare Mesh:

| Other products         | Cloudflare Mesh                                                                                                                                                                                                                                                                        |
| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Tailnet / mesh network | Your Cloudflare account's Mesh network                                                                                                                                                                                                                                                 |
| Node / peer            | Mesh node (servers) or client device (laptops/phones)                                                                                                                                                                                                                                  |
| Subnet router          | Mesh node with [CIDR routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/)                                                                                                                                                             |
| MagicDNS / custom DNS  | [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) \+ [Gateway resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) |
| ACLs / access rules    | [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) \+ [device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/)                                                              |
| Exit node              | Attach a public CIDR to a Mesh node and traffic to those IPs exits through that node. For broader Internet filtering, use [Gateway egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/).                                               |
| Admin console          | [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/mesh) under **Networking** \> **Mesh**                                                                                                                                                                              |

Key differences:

* You manage configuration entirely through the Cloudflare dashboard or API — no command-line administration needed.
* Gateway policies, device posture, and identity checks are built into the platform.
* Traffic routes through the nearest Cloudflare data center, not directly between devices.

## Next steps

1. [**Create your first Mesh node**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/get-started/) — The dashboard wizard handles provisioning. Install the client on a Linux server with two commands.
2. [**Connect client devices**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices/) — Install the Cloudflare One Client on laptops and phones. They can reach each other and any Mesh node by Mesh IP.
3. [**Add routes**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) (optional) — Make subnets behind a Mesh node reachable from any device.
4. [**Enable high availability**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) (optional) — Run multiple replicas of a node for failover.
5. [**Connect from Workers**](https://developers.cloudflare.com/workers-vpc/examples/connect-to-cloudflare-mesh/) (optional) — Use VPC Network bindings to reach private services from Cloudflare Workers.


---

---
title: Connect client devices
description: Connect client devices in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connect client devices

Client devices — laptops, phones, and desktops — join your Mesh network by installing the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) and enrolling. Each device receives a [Mesh IP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/#mesh-ips) and can immediately communicate with every other enrolled device and Mesh node.

## Prerequisites

* [Device enrollment permissions](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) are configured for your account. The Mesh [setup wizard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/get-started/) handles this automatically.

## 1\. Enroll the Cloudflare One Client

Connect a laptop or phone to your Mesh network:

### Windows, macOS, and Linux

To enroll your device using the client GUI:

**Version 2026.2+**

1. [Download](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) and install the Cloudflare One Client.
2. Launch the Cloudflare One Client.
3. On the **What would you like to use the Cloudflare One Client for?** screen, select **Zero Trust security**.
4. Enter your team name.
5. Complete the authentication steps required by your organization.  
Once authenticated, you will see a Success page and a dialog prompting you to open the Cloudflare One Client.
6. Select **Open the Cloudflare One Client** to complete the registration.

**Version 2026.1 and earlier**

1. [Download](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) and install the Cloudflare One Client.
2. Launch the Cloudflare One Client.
3. Select the Cloudflare logo in the menu bar.
4. Select the gear icon.
5. Go to **Preferences** \> **Account**.
6. Select **Login with Cloudflare Zero Trust**.
7. Enter your team name.
8. Complete the authentication steps required by your organization.  
Once authenticated, you will see a Success page and a dialog prompting you to open the Cloudflare One Client.
9. Select **Open Cloudflare WARP.app** to complete the registration.

### iOS and Android

1. [Download](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) and install the Cloudflare One Agent app.
2. Launch the Cloudflare One Agent app.
3. Select **Next**.
4. Review the privacy policy and select **Accept**.
5. Enter your team name.
6. Complete the authentication steps required by your organization.
7. After authenticating, select **Install VPN Profile**.
8. In the **Connection request** popup window, select **OK**.
9. If you did not enable [auto-connect ↗](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#auto-connect), manually turn on the switch to **Connected**.

After enrollment, the device receives a Mesh IP and connects to your Mesh network.

## 2\. Verify connectivity

Test that the device can reach a Mesh node or another client device:

```
ping <MESH-IP>
```

Replace `<MESH-IP>` with the Mesh IP of a node (visible on the [Mesh overview page ↗](https://dash.cloudflare.com/?to=/:account/mesh)) or another enrolled device. Any TCP, UDP, or ICMP traffic works — you can SSH, connect to databases, call APIs, or run any protocol over Mesh IPs.

## What devices can reach

Once connected, a client device can reach:

* **Other client devices** — Reach any enrolled device by its Mesh IP. No Mesh nodes involved.
* **Mesh nodes** — Reach any online node by its Mesh IP. SSH, database connections, API calls all work.
* **Subnets behind nodes** — Access hosts on private networks that a node advertises via [CIDR routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) (for example, printers, databases, or servers that cannot run the client).

All traffic is subject to your [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/), so you can control which users and devices can reach specific resources.

## Split Tunnel configuration

For client devices to reach Mesh IPs, the Mesh IP range must route through Cloudflare. How you configure this depends on your [Split Tunnel mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/).

### Exclude mode (default)

In Exclude mode, the CGNAT range (`100.64.0.0/10`) is excluded from Cloudflare by default. Remove the CGNAT range from your exclude list so that Mesh IP traffic routes through Cloudflare.

If you used the [Mesh setup wizard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/get-started/#1-run-the-setup-wizard), the wizard creates a device profile in **Include mode** for Mesh nodes. However, your client devices may still use the default profile with Exclude mode. Verify that `100.96.0.0/12` (or your custom device IP range) is not in the exclude list.

Depending on your Cloudflare networking configuration, you may need to remove additional IPs from your exclude list. For a list of IPs to check, refer to [Reserved IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/).

### Include mode

In Include mode, add the following to your include list:

* `100.96.0.0/12` — Mesh IPs (device IPs)
* `100.80.0.0/16` and `2606:4700:0cf1:4000::/64` — Hostname routing (if used)
* Any CIDR routes you have [configured for your Mesh nodes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/)
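As an added example (not Cloudflare's code), the following Python function applies the Exclude-mode and Include-mode rules above to a Split Tunnel list and reports which Mesh-related ranges would bypass Cloudflare. The profile lists it runs against are constructed samples, and the `routes` and `hostname_routing` parameters are this example's own, not client settings.

```python
"""Split Tunnel coverage check for Cloudflare Mesh IP ranges.

Added example, not Cloudflare's code. Exclude mode: every listed CIDR bypasses
Cloudflare, so a required range that overlaps any entry is (partly) unreachable.
Include mode: only listed CIDRs go through Cloudflare, so every required range
must be fully covered by the list.
"""
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Union

Net = Union[IPv4Network, IPv6Network]

# Ranges named on this page.
MESH_DEVICE_RANGE = "100.96.0.0/12"                      # Mesh IPs (device IPs)
HOSTNAME_ROUTING_RANGES = ("100.80.0.0/16", "2606:4700:0cf1:4000::/64")
DEFAULT_CGNAT_EXCLUSION = "100.64.0.0/10"                # in the default Exclude list


def _parse(cidrs: Iterable[str]) -> List[Net]:
    return [ip_network(c, strict=False) for c in cidrs]


def _covered(target: Net, entries: List[Net]) -> bool:
    """True when every address of `target` lies inside some entry.

    Entries may be more specific than the target (two /13s covering a /12),
    so subtract each entry from what remains instead of testing containment once.
    """
    remaining: List[Net] = [target]
    for entry in entries:
        if entry.version != target.version:
            continue
        still_open: List[Net] = []
        for piece in remaining:
            if piece.subnet_of(entry):
                continue                                         # fully covered
            if entry.subnet_of(piece):
                still_open.extend(piece.address_exclude(entry))  # carve it out
            else:
                still_open.append(piece)                         # disjoint
        remaining = still_open
        if not remaining:
            return True
    return not remaining


def check_split_tunnel(mode: str, cidrs: Iterable[str],
                       routes: Iterable[str] = (),
                       hostname_routing: bool = False) -> List[str]:
    """Return the problems found; an empty list means Mesh traffic is routed
    through Cloudflare. `routes` are CIDR routes advertised by Mesh nodes and
    `hostname_routing` adds the hostname-routing ranges to the required set
    (both parameters belong to this example, not to the client)."""
    mode = mode.lower()
    if mode not in ("exclude", "include"):
        raise ValueError(f"unknown Split Tunnel mode: {mode}")
    entries = _parse(cidrs)
    required = [MESH_DEVICE_RANGE, *routes]
    if hostname_routing:
        required.extend(HOSTNAME_ROUTING_RANGES)
    problems: List[str] = []
    for cidr in required:
        target = ip_network(cidr, strict=False)
        same_family = [e for e in entries if e.version == target.version]
        if mode == "exclude":
            # Any overlap with an excluded entry sends part of the range around
            # Cloudflare; the default profile excludes the whole CGNAT block.
            hits = [str(e) for e in same_family if e.overlaps(target)]
            if hits:
                problems.append(f"{cidr} overlaps excluded {', '.join(hits)}")
        elif not _covered(target, same_family):
            problems.append(f"{cidr} is not covered by the include list")
    return problems


if __name__ == "__main__":
    # Constructed sample profiles, not data from a real account.
    default_exclude = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                       DEFAULT_CGNAT_EXCLUSION, "fe80::/10"]
    print(check_split_tunnel("exclude", default_exclude))
    # → ['100.96.0.0/12 overlaps excluded 100.64.0.0/10']
    fixed = [c for c in default_exclude if c != DEFAULT_CGNAT_EXCLUSION]
    print(check_split_tunnel("exclude", fixed))
    # → []
    print(check_split_tunnel("include", [MESH_DEVICE_RANGE, "100.80.0.0/16"],
                             routes=["10.20.0.0/16"], hostname_routing=True))
    # → ['10.20.0.0/16 is not covered by the include list',
    #    '2606:4700:0cf1:4000::/64 is not covered by the include list']
```

Note that a default Exclude-mode profile also bypasses the RFC 1918 ranges, so a subnet route behind a node such as `10.20.0.0/16` is reported as blocked until that exclusion is narrowed.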

## Firewall considerations

Some operating systems block inbound traffic from the Mesh IP range by default:

* **Windows** — Windows Firewall blocks inbound traffic from `100.96.0.0/12`. Add a firewall rule that allows incoming requests from `100.96.0.0/12` for your desired protocols and ports.
* **macOS / Linux** — Most configurations allow this traffic by default. If you have custom firewall rules, ensure `100.96.0.0/12` is permitted.


---

---
title: Get started
description: Get started in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Get started

Set up Cloudflare Mesh so your devices and servers can reach each other by private IP.

## Prerequisites

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up)
* A laptop or phone to connect as a client device
* (Optional) A Linux server to deploy a Mesh node

Linux server requirements:

| Requirement                | Value                                                                                                                                                                                                                 |
| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **OS version**             | CentOS 8, RHEL 8, Debian 12, Debian 13, Fedora 34, Fedora 35, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS                                                                                                                      |
| **Processor**              | AMD64 / x86-64 or ARM64 / AArch64                                                                                                                                                                                     |
| **HD space**               | 75 MB                                                                                                                                                                                                                 |
| **Memory**                 | 35 MB                                                                                                                                                                                                                 |
| **Network interface type** | Wi-Fi or LAN                                                                                                                                                                                                          |
| **MTU**                    | 1381 bytes recommended (minimum 1281 bytes with [Path MTU Discovery](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/)) |

**Mesh nodes are optional**

Client-to-client connectivity works without any Mesh nodes. Two enrolled laptops can reach each other directly by Mesh IP. Mesh nodes are for running the client in headless mode on a server — either to make that server reachable by its Mesh IP, or to [route traffic to a private subnet](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) behind it. You still need to complete the setup wizard to configure your account — you can skip the Mesh node installation step and connect the node later.

## 1\. Run the setup wizard

The setup wizard [configures your account for Mesh networking](#what-the-wizard-configures) and optionally guides you through creating a Mesh node. This is a one-time setup.

1. In the Cloudflare dashboard, go to **Networking** \> **Mesh**.  
[ Go to **Mesh** ](https://dash.cloudflare.com/?to=/:account/mesh)
2. Select **Add a node**.
3. Enter a name for your node (for example, `web-server` or `staging-db`).
4. Select **Create node**.
5. (Optional) If you have a Linux server, run the install commands shown in the dashboard to bring the node online. If you do not have a server ready, select **I'll connect later** — you can install the node at any time from the node detail page.

   Installation commands for Debian / Ubuntu:

   ```
   curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg &&
   echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(. /etc/os-release && echo $VERSION_CODENAME) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list &&
   sudo apt-get update -qq && sudo apt-get install -y -qq cloudflare-warp &&
   printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\nnet.ipv6.conf.all.accept_ra = 2\n' | sudo tee /etc/sysctl.d/99-zzz-cloudflare-warp-connector.conf &&
   sudo sysctl --system
   ```

   ```
   sudo warp-cli connector new <TOKEN> && sudo warp-cli connect
   ```

   Installation commands for RedHat / CentOS:

   ```
   curl -fsSL https://pkg.cloudflareclient.com/cloudflare-warp-ascii.repo | sudo tee /etc/yum.repos.d/cloudflare-warp.repo &&
   sudo yum install -y cloudflare-warp &&
   printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\nnet.ipv6.conf.all.accept_ra = 2\n' | sudo tee /etc/sysctl.d/99-zzz-cloudflare-warp-connector.conf &&
   sudo sysctl --system
   ```

   ```
   sudo warp-cli connector new <TOKEN> && sudo warp-cli connect
   ```

6. Select **View node details** to complete the setup wizard.

If you installed the node, it should appear as **Online** on the Mesh overview page along with its assigned **Mesh IP**. If the node does not come online, refer to [Troubleshooting](#troubleshooting).

## 2\. Connect a client device

Connect a laptop or phone to your Mesh network:

### Windows, macOS, and Linux

To enroll your device using the client GUI:

**Version 2026.2+**

1. [Download](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) and install the Cloudflare One Client.
2. Launch the Cloudflare One Client.
3. On the **What would you like to use the Cloudflare One Client for?** screen, select **Zero Trust security**.
4. Enter your team name.
5. Complete the authentication steps required by your organization.  
Once authenticated, you will see a Success page and a dialog prompting you to open the Cloudflare One Client.
6. Select **Open the Cloudflare One Client** to complete the registration.

**Version 2026.1 and earlier**

1. [Download](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) and install the Cloudflare One Client.
2. Launch the Cloudflare One Client.
3. Select the Cloudflare logo in the menu bar.
4. Select the gear icon.
5. Go to **Preferences** \> **Account**.
6. Select **Login with Cloudflare Zero Trust**.
7. Enter your team name.
8. Complete the authentication steps required by your organization.  
Once authenticated, you will see a Success page and a dialog prompting you to open the Cloudflare One Client.
9. Select **Open Cloudflare WARP.app** to complete the registration.

### iOS and Android

1. [Download](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) and install the Cloudflare One Agent app.
2. Launch the Cloudflare One Agent app.
3. Select **Next**.
4. Review the privacy policy and select **Accept**.
5. Enter your team name.
6. Complete the authentication steps required by your organization.
7. After authenticating, select **Install VPN Profile**.
8. In the **Connection request** popup window, select **OK**.
9. If you did not enable [auto-connect ↗](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#auto-connect), manually turn on the switch to **Connected**.

Once you see a **Connected** status, your device is on the mesh and receives its own Mesh IP.

## 3\. Test connectivity

From your client device, verify you can reach a Mesh node or another enrolled device:

```
ping <MESH-IP>
```

Replace `<MESH-IP>` with the Mesh IP of a node or another device (visible on the Mesh overview page). You can also SSH, connect to a database, or call an API — any TCP, UDP, or ICMP traffic works.

## Logs

Traffic from Mesh nodes appears in [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) with the identity `warp_connector@<your-team-name>.cloudflareaccess.com`. Client device traffic appears in Gateway activity logs under the enrolled user's identity.

## What the wizard configures

When you create your first Mesh node, the setup wizard automatically provisions several Cloudflare One settings so you do not have to configure them manually:

| Setting                                                                                                                                                                                                                                                                                                                                                                                                                                                         | What it does                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Device enrollment policy](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/)                                                                                                                                                                                                                                                                                                     | Allows devices to enroll into your Cloudflare One account using email-based [one-time PIN](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/). Only created if you do not already have an existing device enrollment policy in your account.                                                                                                                                                      |
| [Device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/)                                                                                                                                                                                                                                                                                                                  | Creates a profile configured with [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) in **Include mode**, so only Mesh traffic routes through Cloudflare. This prevents disrupting existing network connectivity on your server. Only created if you do not already have an active Mesh node (formerly WARP Connector) in your account. |
| [Allow all Cloudflare One traffic to reach enrolled devices](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-all-cloudflare-one-traffic-to-reach-enrolled-devices) and [Assign a unique IP address to each device](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#assign-a-unique-ip-address-to-each-device) | Enables device-to-device connectivity for Mesh networking.                                                                                                                                                                                                                                                                                                                                                                                     |
| [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/)                                                                                                                                                                                                                                                                                                                                                                       | Enables the TCP, UDP, and ICMP traffic proxy for Mesh communication.                                                                                                                                                                                                                                                                                                                                                                           |

### Existing Cloudflare One accounts

If your account already has a Cloudflare One deployment, the setup wizard will not overwrite your existing configuration. Verify the following settings are enabled for Mesh to work:

* **Device enrollment** — At least one [enrollment rule](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) must exist so that devices and nodes can register with your account.
* **Device profile for Mesh nodes** — Your Mesh nodes need a [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) that uses **Include mode** with the Mesh IP range (`100.96.0.0/12`) included. If your nodes use Exclude mode instead, remove `100.64.0.0/10` (the default CGNAT exclusion) from the exclude list.
* **Mesh connectivity** — In your device profile settings, enable [Allow all Cloudflare One traffic to reach enrolled devices](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-all-cloudflare-one-traffic-to-reach-enrolled-devices).
* **Unique device IPs** — Enable [Assign a unique IP address to each device](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#assign-a-unique-ip-address-to-each-device) so that each participant gets a routable Mesh IP.
* **Client mode** — Mesh nodes must run in [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/). DNS-only or proxy-only modes are not supported.
* **Traffic proxying** — Enable the [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/) for TCP, UDP, and ICMP so that Mesh traffic can flow between devices.

## Troubleshooting

* **Node shows as Offline** — On the server, run `warp-cli status`. If the output does not show `Status update: Connected`:  
   * Run `warp-cli connect`.  
   * If your private network uses a firewall to restrict Internet traffic, ensure that it allows the [WARP ports and IPs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/).  
   * Review your [WARP daemon logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/) for information about why the connection is failing.
* **Client device cannot reach Mesh IPs** — Verify that your Split Tunnel configuration routes the Mesh IP range (`100.96.0.0/12`) through Cloudflare. For details, refer to [Connect client devices](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices/).
* **Windows firewall blocks Mesh traffic** — Windows Firewall blocks inbound traffic from `100.96.0.0/12` by default. Add a firewall rule that allows incoming requests from this range for your desired protocols and ports.

For general client issues, refer to [Troubleshoot the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/).

## Next steps

* [**Connect client devices**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices/) — Platform-specific installation details, Split Tunnel configuration, and firewall considerations.
* [**Add routes**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) — Make an entire subnet behind your node reachable (databases, printers, other servers).
* [**Enable high availability**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) — Run multiple replicas for production resilience.
* [**Tips and best practices**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/tips/) — Cloud VPC configuration, updating the client, running alongside cloudflared.


---

---
title: High availability
description: High availability in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# High availability

For production deployments, you can run multiple replicas of a Mesh node in active-passive mode. All replicas share the same node identity and advertise the same [routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/). If the active replica goes down, Cloudflare automatically promotes a standby replica.

## When to use high availability

High availability provides resilience for CIDR route prefixes advertised by a Mesh node. When the active replica disconnects, Cloudflare promotes a standby so that traffic to the advertised subnets continues to flow.

This means HA is useful for nodes that have routes configured — nodes acting as subnet gateways for private networks behind them. If a node is only used for direct Mesh IP connectivity (no routes), HA has limited benefit because the node's Mesh IP is tied to the individual replica.

## How it works

When you create a Mesh node with high availability enabled, Cloudflare generates a single token for that node. You install the Cloudflare One Client on multiple Linux hosts using this token. Each host registers as a replica of the same node.

* All replicas advertise the same CIDR routes.
* One replica is active at a time. The others are passive standby.
* If the active replica disconnects, Cloudflare automatically promotes a passive replica.
* Failover is handled by Cloudflare's network.

```mermaid
flowchart LR
  subgraph replicas["Mesh node: web-server"]
    R1["Replica 1 <br> (active)"]
    R2["Replica 2 <br> (standby)"]
    R3["Replica 3 <br> (standby)"]
  end
  CF((Cloudflare)) <--> R1
  CF -. failover .-> R2
  CF -. failover .-> R3
  client["Client device"] <--> CF
```

## Create a node with high availability

**Dashboard**

When you create a Mesh node through the dashboard, high availability is enabled by default. To create a new node:

1. In the Cloudflare dashboard, go to **Networking** \> **Mesh**.  
[ Go to **Mesh** ](https://dash.cloudflare.com/?to=/:account/mesh)
2. Select **Add a node**.
3. Follow the setup wizard. The node is created with HA enabled automatically.
4. Copy the install commands and run them on your Linux host.

**API**

To create a node with high availability via the API, set `ha: true` in the request body:

```
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/warp_connector" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "web-server",
    "ha": true
  }'
```

The response includes a `token` field. Use this token to register replicas.

## Add replicas

To add a replica to an existing high-availability node, install the Cloudflare One Client on a new Linux host and register it using the same node token.

**Dashboard**

1. In the Cloudflare dashboard, go to **Networking** \> **Mesh**.  
[ Go to **Mesh** ](https://dash.cloudflare.com/?to=/:account/mesh)
2. Select your Mesh node.
3. Select **Add a replica**.
4. A dialog shows the install commands and the node's token.
5. On a new Linux host, run the install commands shown in the dialog.

Installation commands for Debian / Ubuntu:

```
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg &&
echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(. /etc/os-release && echo $VERSION_CODENAME) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list &&
sudo apt-get update -qq && sudo apt-get install -y -qq cloudflare-warp &&
printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\nnet.ipv6.conf.all.accept_ra = 2\n' | sudo tee /etc/sysctl.d/99-zzz-cloudflare-warp-connector.conf &&
sudo sysctl --system
```

```
sudo warp-cli connector new <TOKEN> && sudo warp-cli connect
```

Installation commands for RedHat / CentOS:

```
curl -fsSL https://pkg.cloudflareclient.com/cloudflare-warp-ascii.repo | sudo tee /etc/yum.repos.d/cloudflare-warp.repo &&
sudo yum install -y cloudflare-warp &&
printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\nnet.ipv6.conf.all.accept_ra = 2\n' | sudo tee /etc/sysctl.d/99-zzz-cloudflare-warp-connector.conf &&
sudo sysctl --system
```

```
sudo warp-cli connector new <TOKEN> && sudo warp-cli connect
```

**API**

1. Retrieve the node's token:

   ```
   curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/warp_connector/{node_id}/token" \
     -H "Authorization: Bearer {api_token}"
   ```

   The response contains the token string.

2. Install the client and register on a new Linux host.

   Debian / Ubuntu:

   ```
   curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg &&
   echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(. /etc/os-release && echo $VERSION_CODENAME) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list &&
   sudo apt-get update -qq && sudo apt-get install -y -qq cloudflare-warp &&
   printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\nnet.ipv6.conf.all.accept_ra = 2\n' | sudo tee /etc/sysctl.d/99-zzz-cloudflare-warp-connector.conf &&
   sudo sysctl --system
   ```

   ```
   sudo warp-cli connector new <TOKEN> && sudo warp-cli connect
   ```

   RedHat / CentOS:

   ```
   curl -fsSL https://pkg.cloudflareclient.com/cloudflare-warp-ascii.repo | sudo tee /etc/yum.repos.d/cloudflare-warp.repo &&
   sudo yum install -y cloudflare-warp &&
   printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\nnet.ipv6.conf.all.accept_ra = 2\n' | sudo tee /etc/sysctl.d/99-zzz-cloudflare-warp-connector.conf &&
   sudo sysctl --system
   ```

   ```
   sudo warp-cli connector new <TOKEN> && sudo warp-cli connect
   ```

The new replica will be in standby mode until the active replica disconnects.

## View replicas

To view all replicas and their HA status, query the connections API endpoint:

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/warp_connector/{node_id}/connections" \
  -H "Authorization: Bearer {api_token}"
```

The response includes each replica with its `ha_status` (`active` or `passive`), connection details, and the Cloudflare data center it is connected to:

```
{
  "success": true,
  "result": [
    {
      "id": "bf69f118-238e-11f1-b113-ee02f3be4a5b",
      "conns": [
        {
          "colo_name": "lhr16",
          "origin_ip": "34.105.147.200",
          "opened_at": "2026-03-19T12:25:47.400Z"
        }
      ],
      "run_at": "2026-03-19T12:25:47.400Z",
      "ha_status": "active"
    },
    {
      "id": "e07272a6-21fc-11f1-8997-e28f01ba3991",
      "conns": [
        {
          "colo_name": "lhr14",
          "origin_ip": "35.246.81.139",
          "opened_at": "2026-03-19T02:38:37.203Z"
        }
      ],
      "run_at": "2026-03-19T02:38:37.203Z",
      "ha_status": "passive"
    }
  ]
}
```

## Considerations

### Setup requirements

* High availability is set at node creation time and cannot be changed afterward.
* You must install the client on at least two hosts for failover to work. A single replica means no redundancy.
* High availability requires the MASQUE transport protocol. WireGuard does not support HA. Mesh nodes use MASQUE by default.

### Network configuration

* All replicas must be on the same subnet and have the same network routing configuration (Split Tunnels, static routes).
* HA provides resilience for CIDR route prefixes. Nodes without routes do not benefit from HA failover.

### Failover behavior

* Failover time depends on how quickly Cloudflare detects the active replica has disconnected (typically seconds).
* Inbound traffic (from Mesh clients to the subnet) fails over automatically on Cloudflare's network. Cloudflare routes traffic to the newly promoted active replica.
* Outbound traffic (from devices on the subnet through the Mesh node) does not fail over automatically. Your environment must detect that a different replica has been promoted to active and update routing tables to send traffic through the now-active host. There is no client-side failover for on-ramp traffic at this time.
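Because outbound (on-ramp) traffic does not fail over by itself, the environment has to notice which replica is now active and repoint the subnet's route for the Mesh range. The following script is an added example, not Cloudflare's code: it parses the connections response shown under "View replicas", picks the single `active` replica, and produces the iproute2 command a Linux router on the subnet would need. It assumes an operator-maintained map from replica id to the host's LAN address (`REPLICA_LAN_IP`, constructed here), since the API reports only the public `origin_ip` that Cloudflare sees; the Mesh range `100.96.0.0/12` is the one documented for routes.

```python
import ipaddress
import json
import shlex
from typing import Optional

# Constructed sample in the shape of the /warp_connector/{node_id}/connections
# response shown above (ids and addresses are the page's own sample values).
SAMPLE_CONNECTIONS_RESPONSE = json.dumps({
    "success": True,
    "result": [
        {"id": "bf69f118-238e-11f1-b113-ee02f3be4a5b",
         "conns": [{"colo_name": "lhr16", "origin_ip": "34.105.147.200",
                    "opened_at": "2026-03-19T12:25:47.400Z"}],
         "run_at": "2026-03-19T12:25:47.400Z", "ha_status": "active"},
        {"id": "e07272a6-21fc-11f1-8997-e28f01ba3991",
         "conns": [{"colo_name": "lhr14", "origin_ip": "35.246.81.139",
                    "opened_at": "2026-03-19T02:38:37.203Z"}],
         "run_at": "2026-03-19T02:38:37.203Z", "ha_status": "passive"},
    ],
})

# Assumed, not from the page: an operator-maintained map from replica id to the
# host's address on the local subnet. The API only reports the public origin_ip
# that Cloudflare sees, which is not usable as a LAN next hop.
REPLICA_LAN_IP = {
    "bf69f118-238e-11f1-b113-ee02f3be4a5b": "10.0.0.1",
    "e07272a6-21fc-11f1-8997-e28f01ba3991": "10.0.0.2",
}

MESH_RANGE = "100.96.0.0/12"  # Mesh IP range, as documented for routes


def active_replica_id(response_text: str) -> Optional[str]:
    """Return the id of the replica whose ha_status is "active".

    Returns None when no replica is active (for example mid-failover), and
    raises if more than one is reported active, a state that should not occur
    and must not drive a routing change."""
    data = json.loads(response_text)
    if not data.get("success"):
        raise RuntimeError(f"API call failed: {data.get('errors')}")
    active = [r["id"] for r in data["result"] if r.get("ha_status") == "active"]
    if len(active) > 1:
        raise RuntimeError(f"more than one active replica reported: {active}")
    return active[0] if active else None


def next_hop_for(replica_id: Optional[str], lan_ips=REPLICA_LAN_IP) -> Optional[str]:
    """Map the active replica to the LAN address a router should use as next hop."""
    if replica_id is None:
        return None
    hop = lan_ips.get(replica_id)
    if hop is None:
        raise KeyError(f"replica {replica_id} has no LAN address configured")
    ipaddress.ip_address(hop)  # reject malformed values before they reach a shell
    return hop


def route_update_command(next_hop: str, mesh_range: str = MESH_RANGE) -> str:
    """Build the iproute2 command for a Linux router on the subnet. It is returned
    as a string for the operator (or a scheduled job) to apply; nothing runs here."""
    ipaddress.ip_network(mesh_range)
    return f"ip route replace {shlex.quote(mesh_range)} via {shlex.quote(next_hop)}"


def reconcile(response_text: str, current_next_hop: Optional[str]) -> Optional[str]:
    """Return the command to run when the active replica differs from the next hop
    the router currently uses, or None when nothing needs to change."""
    hop = next_hop_for(active_replica_id(response_text))
    if hop is None or hop == current_next_hop:
        return None
    return route_update_command(hop)


if __name__ == "__main__":
    # Router currently points at 10.0.0.2, but the API says 10.0.0.1 is active.
    print(reconcile(SAMPLE_CONNECTIONS_RESPONSE, current_next_hop="10.0.0.2"))
```

Run `reconcile` from a short-interval scheduled job with the live API response; it deliberately returns nothing during the window in which no replica is active, so the router keeps its last good route until Cloudflare has promoted a standby.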


---

---
title: Routes
description: Routes in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Routes

By default, a Mesh node is reachable only by its own [Mesh IP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/#mesh-ips). To make other devices on the subnet behind the node reachable — servers, databases, printers, IoT devices that cannot run the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) — add **CIDR routes**.

When you add a route, the Mesh node acts as a gateway: traffic destined for the advertised CIDR is forwarded to the node, which delivers it to the appropriate host on the local network.

Both IPv4 and IPv6 CIDR routes are supported.

## When to use routes

* **Without routes** — Devices on your Mesh can only reach the node itself by its Mesh IP. Services running directly on the node are reachable this way.
* **With routes** — Devices on your Mesh can reach any host on the subnet behind the node. Use this when you have infrastructure that cannot run the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/).

```mermaid
flowchart LR
  subgraph subnet["Subnet 10.0.0.0/24"]
    node["Mesh node <br> 10.0.0.1"]
    db["Database <br> 10.0.0.50"]
    printer["Printer <br> 10.0.0.100"]
  end
  client["Client device <br> 100.96.0.10"] --> CF((Cloudflare)) --> node
  node --> db
  node --> printer
```

## Manage routes

Use CIDR routes to forward traffic from your mesh node to devices on your local network.

### Add a route

**Dashboard**

1. In the Cloudflare dashboard, go to **Networking** \> **Mesh**.  
[ Go to **Mesh** ](https://dash.cloudflare.com/?to=/:account/mesh)
2. Select your Mesh node.
3. Go to the **Routes** tab.
4. Select **Add route**.
5. Enter the private CIDR you want to route through this node (for example, `10.0.0.0/24`).
6. (Optionally) add a description for the route.
7. Select **Add route**.

**API**

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Cloudflare One Networks Write`
* `Cloudflare Tunnel Write`

Create a tunnel route:

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "network": "10.0.0.0/24",
    "tunnel_id": "{mesh_node_id}",
    "comment": "Staging subnet"
  }'
```

### Edit a route

**Dashboard**

1. Go to **Networking** \> **Mesh** \> select your node \> **Routes** tab.
2. Select the edit icon next to the route you want to modify.
3. Update the CIDR or description.
4. Select **Save**.

**API**

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Cloudflare One Networks Write`
* `Cloudflare Tunnel Write`

Update a tunnel route:

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "network": "10.0.0.0/24",
    "comment": "Updated description"
  }'
```

### Delete a route

**Dashboard**

1. Go to **Networking** \> **Mesh** \> select your node \> **Routes** tab.
2. Select the delete icon next to the route.
3. Confirm deletion.

**API**

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Cloudflare One Networks Write`
* `Cloudflare Tunnel Write`

Delete a tunnel route:

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \
  --request DELETE \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

## Configure Split Tunnels

For traffic to reach your advertised CIDR, the range must route through Cloudflare on both the Mesh node and client devices.

### On the Mesh node

In your Mesh node's device profile, ensure the advertised CIDR routes through Cloudflare:

* **Include mode** (recommended for Mesh nodes): Add the CIDR to your include list.
* **Exclude mode**: Remove the CIDR (or its parent range) from your exclude list.

For example, if you are advertising `10.0.0.0/24` and your Split Tunnels exclude list contains `10.0.0.0/8`, you need to remove `10.0.0.0/8` and re-add the portions of the `10.0.0.0/8` range that you do not want to route through Cloudflare.

### On client devices

Repeat the same Split Tunnel configuration on the device profiles used by your client devices, ensuring the advertised CIDR routes through Cloudflare.
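Carving an advertised CIDR out of a broader exclude entry (the `10.0.0.0/8` case above) is easy to get wrong by hand, because the remainder has to be expressed as many smaller blocks. The following is an added example, not Cloudflare's code or the Split Tunnels API: it takes an existing exclude list and the advertised route, and returns the exclude list you would configure so that only the advertised block goes through Cloudflare while everything else stays excluded. It goes beyond the single case in the text: entries that sit entirely inside the advertised block are dropped, entries of the other IP version are left untouched, and the result is checked with a lookup helper. The sample exclude list is constructed.

```python
import ipaddress
from typing import Iterable, List


def carve_out(exclude_list: Iterable[str], advertised: str) -> List[str]:
    """Return a new Split Tunnels exclude list in which `advertised` is no longer
    covered by any entry, while every other address that was excluded before
    remains excluded.

    Entries that do not overlap `advertised` are kept verbatim. An entry that
    contains `advertised` is replaced by the fewest CIDRs that cover the rest of
    it (ipaddress.address_exclude does the splitting). An entry that lies inside
    `advertised` is dropped, because that space must now route through Cloudflare."""
    target = ipaddress.ip_network(advertised, strict=True)
    kept = []
    for entry in exclude_list:
        net = ipaddress.ip_network(entry, strict=True)
        if net.version != target.version or not net.overlaps(target):
            kept.append(net)                      # unrelated entry: keep as-is
        elif net.supernet_of(target):
            # net contains (or equals) the advertised block: keep the remainder
            kept.extend(net.address_exclude(target))
        # else: net lies inside the advertised block and is dropped
    return [str(n) for n in sorted(kept, key=lambda n: (n.version, n))]


def is_excluded(exclude_list: Iterable[str], address: str) -> bool:
    """True if `address` would bypass Cloudflare under this exclude list."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(e) for e in exclude_list)


# Constructed example matching the text: the exclude list contains 10.0.0.0/8
# and the node advertises 10.0.0.0/24. The other entries show unrelated
# IPv4 and IPv6 ranges being left alone.
ORIGINAL_EXCLUDE = ["10.0.0.0/8", "192.168.0.0/16", "fd00::/8"]
ADVERTISED = "10.0.0.0/24"

if __name__ == "__main__":
    new_list = carve_out(ORIGINAL_EXCLUDE, ADVERTISED)
    for cidr in new_list:
        print(cidr)
    print("10.0.0.50 excluded:", is_excluded(new_list, "10.0.0.50"))   # False
    print("10.0.1.1 excluded:", is_excluded(new_list, "10.0.1.1"))     # True
```

For `10.0.0.0/8` minus `10.0.0.0/24` the remainder is sixteen blocks, from `10.0.1.0/24` up to `10.128.0.0/9`; apply the same function to the client device profiles, since they need the identical change.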

## Return traffic routing

The Mesh node forwards inbound traffic from Cloudflare to devices on the subnet. However, for **return traffic** (responses from subnet devices back to Mesh clients), the subnet devices need a route back to the Mesh node.

```mermaid
flowchart LR
  client["Client device <br> 100.96.0.10"] -- request --> CF((Cloudflare)) -- request --> node["Mesh node <br> 10.0.0.1"]
  node --> db["Database <br> 10.0.0.50"]
  db -. "response: <br> needs route to node" .-> node -. response .-> CF -. response .-> client
```

How you configure this depends on where the Mesh node is installed:

### Option 1: Mesh node is the default gateway

If the Mesh node is the subnet's default gateway (or is installed on the router), no additional configuration is needed. All traffic from subnet devices naturally routes through the node.

### Option 2: Mesh node is not the default gateway

If the Mesh node is a regular host on the subnet, configure the subnet's router to send Mesh traffic through the node. Add a static route:

* **Destination**: `100.96.0.0/12` (Mesh IP range)
* **Next hop**: The Mesh node's local subnet IP (for example, `10.0.0.1`)

This ensures that responses to Mesh clients are forwarded to the Mesh node for delivery through Cloudflare.

## Site-to-site routing

When you have Mesh nodes at multiple sites, devices on one subnet can reach devices on another subnet through Cloudflare.

```mermaid
flowchart TD
  subgraph siteA["Site A — 10.0.0.0/24"]
    serverA["Server <br> 10.0.0.50"] --- nodeA["Mesh node <br> 10.0.0.1"]
  end
  subgraph siteB["Site B — 192.168.1.0/24"]
    serverB["Server <br> 192.168.1.50"] --- nodeB["Mesh node <br> 192.168.1.1"]
  end
  nodeA <--> CF((Cloudflare))
  nodeB <--> CF
```

For this to work:

1. Each Mesh node must advertise the local subnet as a [CIDR route](#add-a-route) so Cloudflare knows which node to forward traffic to.
2. The remote subnet CIDRs must route through Cloudflare on each node. In your Mesh node's [Split Tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configuration, add the remote site's CIDR to the include list (or remove it from the exclude list).
3. Each site's router needs static routes pointing remote subnets to the local Mesh node:

**Site A router:**

* **Destination**: `192.168.1.0/24` → **Next hop**: `10.0.0.1` (local Mesh node)
* **Destination**: `100.96.0.0/12` → **Next hop**: `10.0.0.1`

**Site B router:**

* **Destination**: `10.0.0.0/24` → **Next hop**: `192.168.1.1` (local Mesh node)
* **Destination**: `100.96.0.0/12` → **Next hop**: `192.168.1.1`

For production site-to-site deployments, consider enabling [high availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) on each node. HA provides failover for the CIDR routes advertised by a node — if the active replica goes down, Cloudflare promotes a standby so traffic to the subnet continues to flow.
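The router tables in step 3 follow one rule: every remote site's subnet, plus the Mesh range, points at the local node. The following is an added example, not Cloudflare's code: it generates those static routes for any number of sites from the same rule the text applies to two, and refuses configurations that cannot work (a node address outside its own subnet, or two sites advertising overlapping subnets, which would leave Cloudflare unable to pick a node). The site list is constructed from the diagram above; rendering as iproute2 commands assumes the site router is a Linux host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

MESH_RANGE = ipaddress.ip_network("100.96.0.0/12")  # Mesh IP range from this page


@dataclass(frozen=True)
class Site:
    name: str
    subnet: str    # CIDR the site's Mesh node advertises as a route
    node_ip: str   # the Mesh node's address on that subnet (router next hop)


def validate_sites(sites: Sequence[Site]) -> None:
    """Reject configurations that cannot work: a node address outside its own
    subnet, a subnet colliding with the Mesh range, or two sites whose advertised
    subnets overlap (Cloudflare could not tell which node to forward to)."""
    seen: List[Tuple[str, ipaddress._BaseNetwork]] = []
    for s in sites:
        net = ipaddress.ip_network(s.subnet, strict=True)
        if ipaddress.ip_address(s.node_ip) not in net:
            raise ValueError(f"{s.name}: node IP {s.node_ip} is not inside {s.subnet}")
        if net.version == MESH_RANGE.version and net.overlaps(MESH_RANGE):
            raise ValueError(f"{s.name}: {s.subnet} overlaps the Mesh range {MESH_RANGE}")
        for other_name, other in seen:
            if net.version == other.version and net.overlaps(other):
                raise ValueError(f"{s.name}: {s.subnet} overlaps {other_name}: {other}")
        seen.append((s.name, net))


def router_static_routes(sites: Sequence[Site]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {site name: [(destination, next hop), ...]} for each site's router:
    every remote site's subnet followed by the Mesh IP range, all via the local node."""
    validate_sites(sites)
    table: Dict[str, List[Tuple[str, str]]] = {}
    for s in sites:
        remote = [(o.subnet, s.node_ip) for o in sites if o is not s]
        table[s.name] = remote + [(str(MESH_RANGE), s.node_ip)]
    return table


def iproute2_commands(routes: List[Tuple[str, str]]) -> List[str]:
    """Render one site's routes as iproute2 commands (assumes a Linux router)."""
    return [f"ip route add {dst} via {hop}" for dst, hop in routes]


# Constructed from the two-site diagram on this page.
SITES = [
    Site("Site A", "10.0.0.0/24", "10.0.0.1"),
    Site("Site B", "192.168.1.0/24", "192.168.1.1"),
]

if __name__ == "__main__":
    for name, routes in router_static_routes(SITES).items():
        print(f"{name} router:")
        for cmd in iproute2_commands(routes):
            print("  " + cmd)
```

Adding a third site only means appending to `SITES`; every existing router then gains one more route, which is the part that is easy to forget when sites are configured by hand.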

## DNS filtering

To filter DNS queries from the subnet using [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/):

1. **Configure DNS on your router**: Point your router's DNS to the Gateway resolver IPs:  
   * `172.64.36.1`  
   * `172.64.36.2`
2. **Add IP routes to your router**: On your router, add static routes pointing the Gateway resolver IPs to your Mesh node's local IP. This allows DNS traffic to reach Cloudflare through the node.  
   * **Destination**: `172.64.36.1` → **Next hop**: `10.0.0.1` (local Mesh node)  
   * **Destination**: `172.64.36.2` → **Next hop**: `10.0.0.1`
3. **Configure Split Tunnels**: Ensure the following IPs route through the Mesh node in your [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configuration:  
   * The subnet's internal DNS resolver IP  
   * Gateway initial resolved IP range: `100.80.0.0/16` (IPv4) and `2606:4700:0cf1:4000::/64` (IPv6)

Gateway logs DNS queries with the private source IP of the originating device. You can use this to create [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) for internal DNS records.


---

---
title: Tips and best practices
description: Reference information for Tips and best practices in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Tips and best practices

Operational guidance for managing Cloudflare Mesh deployments — updating the client, configuring cloud providers, running alongside Cloudflare Tunnel, and common troubleshooting.

## Update a Mesh node

Updating a Mesh node means updating the `cloudflare-warp` package on the Linux host. The node briefly disconnects during the update, which interrupts traffic routed through it. If you have [high availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) enabled, traffic fails over to a standby replica automatically.

**Debian / Ubuntu**

1. Check the current version:

   ```
   warp-cli --version
   ```
2. Update the package:

   ```
   sudo apt-get update && sudo apt-get install --only-upgrade cloudflare-warp
   ```

**RedHat / CentOS**

1. Check the current version:

   ```
   warp-cli --version
   ```
2. Update the package:

   ```
   sudo yum update cloudflare-warp
   ```

On either distribution, then verify the node has reconnected:

```
warp-cli status
```

You should see `Status update: Connected` in the output.

## Make IP forwarding persistent

IP forwarding allows a Mesh node to act as a gateway, forwarding packets between its network interface and the Cloudflare network. This is only required if the node advertises [CIDR routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) — if you are only reaching the node by its Mesh IP, forwarding is not needed.

Older installations may have used `sysctl -w` for IP forwarding, which does not persist across reboots. If your node loses route connectivity after a server restart, run the following to make forwarding permanent:

```
printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\nnet.ipv6.conf.all.accept_ra = 2\n' | sudo tee /etc/sysctl.d/99-zzz-cloudflare-warp-connector.conf && sudo sysctl --system
```

You can verify the settings are active with:

```
sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv6.conf.all.accept_ra
```

New installations include this step automatically.
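A node that was fixed with `sysctl -w` looks healthy right up to its next reboot, so a useful check compares the running values with what is actually persisted. The following is an added example, not Cloudflare's code: it parses `sysctl` output and the sysctl.d file in the same `key = value` form, and reports each setting that is wrong now or that is not persisted. The two sample outputs are constructed; `collect_live_output` runs the real `sysctl` and is only used from the `__main__` block.

```python
import subprocess
from pathlib import Path
from typing import Dict, List

# The three settings the install commands write to the persisted file above.
REQUIRED = {
    "net.ipv4.ip_forward": "1",
    "net.ipv6.conf.all.forwarding": "1",
    "net.ipv6.conf.all.accept_ra": "2",
}
PERSIST_FILE = Path("/etc/sysctl.d/99-zzz-cloudflare-warp-connector.conf")

# Constructed samples: what "sysctl <keys>" prints on a node fixed with a one-off
# "sysctl -w", and what the same node prints after a reboot (defaults restored).
SAMPLE_LIVE_AFTER_SYSCTL_W = (
    "net.ipv4.ip_forward = 1\n"
    "net.ipv6.conf.all.forwarding = 1\n"
    "net.ipv6.conf.all.accept_ra = 2\n"
)
SAMPLE_LIVE_AFTER_REBOOT = (
    "net.ipv4.ip_forward = 0\n"
    "net.ipv6.conf.all.forwarding = 0\n"
    "net.ipv6.conf.all.accept_ra = 1\n"
)


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse "key = value" lines as printed by sysctl(8) and as written in
    sysctl.d files. Comments ('#' or ';') and blank lines are ignored."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def forwarding_issues(live_output: str, persisted_conf: str) -> List[str]:
    """Compare the running kernel values with the persisted file. A setting that
    is correct now but absent from the file is exactly the "sysctl -w" case:
    it works until the next reboot."""
    live = parse_sysctl(live_output)
    persisted = parse_sysctl(persisted_conf)
    issues: List[str] = []
    for key, want in REQUIRED.items():
        if live.get(key) != want:
            issues.append(f"{key} is {live.get(key, 'unset')} now, want {want}")
        if persisted.get(key) != want:
            issues.append(f"{key} is not persisted in {PERSIST_FILE.name} (lost on reboot)")
    return issues


def collect_live_output() -> str:
    """Read the current values with sysctl(8); requires a Linux host."""
    return subprocess.run(["sysctl", *REQUIRED], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    conf = PERSIST_FILE.read_text() if PERSIST_FILE.exists() else ""
    problems = forwarding_issues(collect_live_output(), conf)
    for line in problems or ["forwarding is enabled and persisted"]:
        print(line)
```

An empty issue list means the node will keep forwarding after a restart; any "not persisted" line means the `printf ... | sudo tee` command above still needs to be run.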

## Cloud VPC deployments

When deploying Mesh nodes in a cloud VPC, you may need to configure additional provider settings so the node can forward traffic for other devices on the subnet.

### Google Cloud Platform (GCP)

[Enable IP forwarding ↗](https://cloud.google.com/vpc/docs/using-routes#canipforward) on the VM instance where you installed the Mesh node.

### Amazon Web Services (AWS)

* Disable [source/destination checking ↗](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the EC2 instance.
* In your [subnet route table ↗](https://docs.aws.amazon.com/vpc/latest/userguide/subnet-route-tables.html), add a route for Mesh traffic (for example, `100.96.0.0/12`) pointing to the EC2 instance.

### Microsoft Azure

* [Enable IP forwarding ↗](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=azure-portal#enable-or-disable-ip-forwarding) on the network interface of the VM.
* Add a [user-defined route ↗](https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table) for Mesh traffic pointing to the VM's private IP.

## Running Mesh on a DNS server

Mesh nodes run in [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/), which redirects DNS queries on the host to Cloudflare Gateway. This will conflict with DNS services running on the same machine (for example, Active Directory DNS, Pi-hole, Unbound, BIND, or dnsmasq).

If your server runs a DNS service, do not install the Mesh node on that host. Instead, install the node on a separate machine on the same subnet and use [CIDR routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) to make the DNS server reachable.

## Running Mesh alongside other VPN or mesh software

The Cloudflare One Client creates a virtual network interface and manages the system routing table. Other software that does the same — Tailscale, WireGuard, OpenVPN, Cisco AnyConnect, GlobalProtect, Zscaler, Netskope, or any traditional VPN client — will compete for control of routing. Running them simultaneously causes unpredictable behavior: traffic may flow through the wrong tunnel or fail entirely.

If you are migrating to Cloudflare Mesh from another solution:

1. Uninstall or disable the other client (for example, `sudo systemctl stop tailscaled && sudo systemctl disable tailscaled` on Linux, or quit the application from the system tray on macOS/Windows).
2. Restart the machine so the Cloudflare One Client's virtual network interface takes priority in the routing table.
3. Verify connectivity by running `warp-cli status` and pinging a Mesh IP.

This applies to both Mesh nodes and client devices.

## Running Mesh with Cloudflare Tunnel

A Mesh node (`warp-cli`) and [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) (`cloudflared`) can run on the same Linux host. This is useful when you want to use the Mesh node as a gateway for your private network while also using Cloudflare Tunnel to publish specific applications.

The Mesh node captures outbound traffic and routes it through Cloudflare, which can prevent `cloudflared` from making its required outbound connections. To resolve this, use [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) to exclude the hostnames and IPs listed in [Tunnel with firewall](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation).

Note

Split Tunnels is the only supported method of running both connectors on the same machine. The Mesh node's kernel-level integration overrides manual routing configurations (`ip route add`, `iptables`).

## Routing between Mesh and Cloudflare WAN

To route traffic between Cloudflare Mesh and [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) (for example, reaching a Mesh node from a WAN-connected site or vice versa), your account must be on [Unified Routing mode (beta)](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta). Unified Routing uses a single routing fabric for all connection types (Cloudflare One Client, Cloudflare Tunnel, IPsec, GRE, CNI). Without it, Mesh and WAN connections cannot exchange traffic.

## Connect Workers to Mesh

Cloudflare Workers can connect to your Mesh network using [VPC Network bindings](https://developers.cloudflare.com/workers-vpc/configuration/vpc-networks/). Bind to `cf1:network` to reach any Mesh node, client device, or subnet route in your account — without specifying a particular tunnel UUID.

For setup instructions and examples, refer to [Connect Workers to Cloudflare Mesh](https://developers.cloudflare.com/workers-vpc/examples/connect-to-cloudflare-mesh/).

## Source IPs for Cloudflare services

When Cloudflare services (such as [Load Balancing](https://developers.cloudflare.com/load-balancing/) health checks or [Workers](https://developers.cloudflare.com/workers/)) send traffic to your private network through a Mesh node, the traffic originates from the Cloudflare source IP range (default `100.64.0.0/12`). You may need to [configure Cloudflare source IPs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/how-to/configure-cloudflare-source-ips/) to avoid IP conflicts.

## MTU and packet fragmentation

Mesh nodes use encapsulation to route traffic, which adds overhead to each packet. This is especially relevant for traffic between two Mesh participants, where the packet may be encapsulated twice (once by the sending node, and again by Cloudflare before delivery to the receiving side).

If source devices send packets near the maximum size (1,460 bytes or more), the double encapsulation can push packets over 1,500 bytes, causing them to be dropped.

### Recommendations

* Set the MTU on source devices (servers, cameras, IoT devices) to **1,280 bytes** to ensure packets fit after encapsulation.
* For TCP-only traffic, apply MSS clamping on your router with a value of **1,240 bytes** (1,280 MTU - 20 byte IP header - 20 byte TCP header).
* Modern applications using [Path MTU Discovery (PMTUD) ↗](https://www.cloudflare.com/learning/network-layer/what-is-mtu/) typically handle this automatically.


---

---
title: Cloudflare Tunnel
description: How Cloudflare Tunnel works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Cloudflare Tunnel

Looking to expose public applications?

This documentation covers Cloudflare Tunnel use cases for private networking and Zero Trust, like VPN replacement and private network access. For publishing public web applications, APIs, and services to the Internet through Cloudflare, refer to the [Cloudflare Tunnel documentation](https://developers.cloudflare.com/tunnel).

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (`cloudflared`) creates [outbound-only connections](#outbound-only-connections) to Cloudflare's global network. Cloudflare Tunnel can connect HTTP web servers, [SSH servers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/), [remote desktops](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/), and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.

Refer to our [reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) for details on how to implement Cloudflare Tunnel into your existing infrastructure.

## How it works

`cloudflared` establishes [outbound connections](#outbound-only-connections) (tunnels) between your resources and Cloudflare's global network. A tunnel is a persistent object identified by a UUID — it serves as the logical link between your origin and Cloudflare. Within the same tunnel, you can run as many `cloudflared` processes ([connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#connector)) as needed. Each connector sends traffic to the nearest Cloudflare data center.

![How an HTTP request reaches a private application connected with Cloudflare Tunnel](https://developers.cloudflare.com/_astro/handshake.eh3a-Ml1_26dKUX.webp) 

### Outbound-only connections

Cloudflare Tunnel uses an outbound-only connection model to enable bidirectional communication. When you install and run `cloudflared`, `cloudflared` initiates an outbound connection through your firewall from the origin to the Cloudflare global network.

Once the connection is established, traffic flows in both directions over the tunnel between your origin and Cloudflare. Most firewalls allow outbound traffic by default. `cloudflared` takes advantage of this standard by connecting out to the Cloudflare network from the server you installed `cloudflared` on. You can then configure your firewall to allow only these outbound connections and block all inbound traffic, effectively blocking access to your origin from anything other than Cloudflare. This setup ensures that all traffic to your origin is securely routed through the tunnel.

## Next steps

* Create a tunnel using the [Cloudflare dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or [API](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/).
* [Download cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/), the server-side daemon that connects your infrastructure to Cloudflare.
* Review useful [Tunnel terms](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/) to familiarize yourself with the concepts used in Tunnel documentation.


---

---
title: Configure a tunnel
description: Configure a tunnel resources and guides for Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Configure a tunnel

After [creating your Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/), you can configure various aspects of how `cloudflared` runs and connects your infrastructure to Cloudflare's network. This section covers advanced configuration options to optimize tunnel performance, security, and availability.

* [ Tunnel with firewall ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) :  Configure firewall rules to allow `cloudflared` egress traffic while blocking all ingress, implementing a positive security model.
* [ Tunnel availability and failover ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) :  Deploy multiple `cloudflared` replicas for high availability and automatic failover across your infrastructure.
* [ Tunnel run parameters ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/) :  Modify tunnel service parameters to control how `cloudflared` runs on your system, including logging, connection settings, and protocol options.
* [ Origin parameters ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/) :  Reference information for Origin parameters in Zero Trust networking.
* [ Tunnel permissions ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions/) :  Manage tunnel tokens and control who can run your remotely-managed tunnels.
* [ Cipher suites ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cipher-suites/) :  Review the TLS cipher suites supported by `cloudflared` for secure connections between your origin and Cloudflare's network.

## Common configuration scenarios

### Optimize for production

For production deployments, consider the following steps:

* [Deploy replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/) - Run multiple `cloudflared` instances for redundancy.
* [Configure logging](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#loglevel) - Set appropriate log levels for monitoring and troubleshooting.
* [Review system requirements](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/) - Ensure your infrastructure meets performance needs.
* [Configure firewall rules](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) - Implement egress-only traffic patterns for security.

### Secure your tunnel

All tunnel connections between `cloudflared` and Cloudflare's network are secured with TLS 1.3 and post-quantum encryption by default, ensuring your traffic is protected against current and future cryptographic threats.

Enhance tunnel security with:

* [Tunnel token management](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions/) - Control access to your tunnel credentials.
* [Egress-only firewall rules](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) - Allow only necessary outbound connections.
* Least privilege permissions - Run `cloudflared` as a non-root user with minimal permissions needed for tunnel operation.

### Improve reliability

Maximize tunnel uptime with:

* [Multiple replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) - Deploy `cloudflared` across different hosts.
* [Health alerts](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/notifications/) - Get notified when your tunnel is degraded or goes down.
* [Health metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#metrics) - Monitor tunnel resource usage to identify potential bottlenecks.
* [Load balancing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflare-load-balancers/) - Distribute traffic across tunnel connections.
* [Automatic failover](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) - Leverage built-in connection redundancy.

## Next steps

* [Monitor your tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/) to track performance and troubleshoot issues.
* [Configure routes](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/) to control how traffic reaches your applications.
* [Set up private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) for internal resource access.


---

---
title: Cipher suites
description: Review the TLS cipher suites supported by `cloudflared` for secure connections between your origin and Cloudflare's network.

image: https://developers.cloudflare.com/zt-preview.png
---


# Cipher suites

Cloudflare Tunnel connections use the cipher suites supported by `cloudflared`, which relies on the Go TLS library for its TLS implementation. These cipher suites apply to both the TLS connection between Cloudflare's network and `cloudflared`, and the HTTPS connection between `cloudflared` and your origin. In both cases, `cloudflared` negotiates the most secure cipher suite supported by both sides. All tunnel connections use TLS 1.3 and post-quantum encryption by default.

The following table lists the cipher suites supported by `cloudflared`:

| Protocol support            | Cipher suites |
| --------------------------- | ------------- |
| TLS 1.3 only                | `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256` |
| TLS 1.2 only                | `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` |
| Up to and including TLS 1.2 | `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` |


---

---
title: Origin parameters
description: Reference information for Origin parameters in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Origin parameters

Origin parameters determine how `cloudflared` sends requests to the origin server of your [published application](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/).

## Update origin parameters

This section describes how to update origin parameters for a remotely-managed tunnel. If you are using a locally-managed tunnel, add these parameters to your [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/).

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Choose a tunnel and select **Edit**.
3. Select the **Published application routes** tab.
4. Choose an application and select **Edit**.
5. Under **Additional application settings**, modify one or more origin parameters.
6. Select **Save**.

## TLS settings

### originServerName

| Default | UI name            |
| ------- | ------------------ |
| ""      | Origin Server Name |

Hostname that `cloudflared` should expect from your origin server certificate. If null, the expected hostname is the service URL, for example `localhost` if the service is `https://localhost:443`.

### matchSNItoHost

| Default | UI name           |
| ------- | ----------------- |
| false   | Match SNI to Host |

When `true`, `cloudflared` will automatically set the Server Name Indication (SNI) during the TLS handshake to the hostname of the incoming request.

This setting is useful when directing traffic to entry points that host multiple services and rely on SNI to route requests or present the correct certificate. It eliminates the need to explicitly configure [originServerName](#originservername) for individual services when using wildcard routing.

### caPool

| Default | UI name                    |
| ------- | -------------------------- |
| ""      | Certificate Authority Pool |

Local file path to the certificate authority (CA) for your origin server certificate (for example, `/root/certs/ca.pem`). The path should point to a certificate store file or a bundle file in `.pem` or `.crt` format that contains one or more trusted root CA certificates. You should only configure this setting if your certificate is not signed by Cloudflare.

### noTLSVerify

| Default | UI name       |
| ------- | ------------- |
| false   | No TLS Verify |

When `false`, TLS verification is performed on the certificate presented by your origin.

When `true`, TLS verification is disabled. This will allow any certificate from the origin to be accepted.

### tlsTimeout

| Default | UI name     |
| ------- | ----------- |
| 10s     | TLS Timeout |

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

### http2Origin

| Default | UI name          |
| ------- | ---------------- |
| false   | HTTP2 connection |

When `false`, `cloudflared` will connect to your origin with HTTP/1.1.

When `true`, `cloudflared` will attempt to connect to your origin server using HTTP/2.0 instead of HTTP/1.1. HTTP/2.0 is a faster protocol for high traffic origins but requires you to deploy an SSL certificate on the origin. We recommend using this setting in conjunction with [noTLSVerify](#notlsverify) so that you can use a self-signed certificate.
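The cipher suite table on the Cipher suites page and the `originServerName`, `caPool` and `noTLSVerify` parameters above describe what `cloudflared` negotiates and verifies toward an origin. The following Go program is an added example, not code from `cloudflared` or from this documentation: it builds an origin that accepts TLS 1.2 and later with only the AEAD suites from the table (the CBC-SHA row is left out), then handshakes against it with a Go TLS client, the library `cloudflared` uses, configured the way the three parameters describe. The origin name `origin.internal`, its self-signed certificate, the `OriginTLSParams` struct and the `Negotiate` helper are constructed for the example; `caPool` is an in-memory pool here rather than the file path `cloudflared` reads.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TLS13Suites is the table's "TLS 1.3 only" row; Go fixes these, they cannot be configured.
var TLS13Suites = []uint16{tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384, tls.TLS_CHACHA20_POLY1305_SHA256}

// AEADSuitesTLS12 is the "TLS 1.2 only" row; the "up to TLS 1.2" CBC-SHA row is deliberately left out.
var AEADSuitesTLS12 = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
}

// OriginTLSParams mirrors originServerName, caPool and noTLSVerify; caPool is an in-memory
// pool here rather than the file path cloudflared reads (a constructed stand-in).
type OriginTLSParams struct {
	OriginServerName string
	CAPool           *x509.CertPool
	NoTLSVerify      bool
}

// NewOrigin builds a constructed origin: a self-signed ECDSA certificate for the made-up
// name "origin.internal" and a pool that trusts exactly that certificate.
func NewOrigin() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "origin.internal"},
		DNSNames: []string{"origin.internal"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Negotiate runs one handshake over an in-memory pipe between an origin using cert
// (TLS 1.2 minimum, AEAD table suites only for 1.2) and a Go TLS client built from p,
// and returns the negotiated protocol version and cipher suite ID.
func Negotiate(cert tls.Certificate, p OriginTLSParams, serviceHost string, maxVersion uint16) (uint16, uint16, error) {
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	defer srvConn.Close()
	deadline := time.Now().Add(3 * time.Second) // bounds the unbuffered pipe if a side stops reading
	cliConn.SetDeadline(deadline)
	srvConn.SetDeadline(deadline)
	srvErr := make(chan error, 1)
	go func() {
		// Session tickets are off only because the pipe has no buffer: a TLS 1.3 server's
		// post-handshake ticket write would otherwise block until the client reads it.
		srvErr <- tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
			CipherSuites: AEADSuitesTLS12, SessionTicketsDisabled: true}).Handshake()
	}()
	name := p.OriginServerName
	if name == "" {
		name = serviceHost // documented default: expect the host from the service URL
	}
	// caPool is the trust store; noTLSVerify skips verification entirely. The TLS 1.0
	// floor exists only so that a TLS 1.1 client can be tried against the origin.
	cli := tls.Client(cliConn, &tls.Config{ServerName: name, RootCAs: p.CAPool, InsecureSkipVerify: p.NoTLSVerify,
		MinVersion: tls.VersionTLS10, MaxVersion: maxVersion})
	if err := cli.Handshake(); err != nil {
		return 0, 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, 0, err
	}
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	cert, pool, err := NewOrigin()
	if err != nil {
		panic(err)
	}
	verified := OriginTLSParams{OriginServerName: "origin.internal", CAPool: pool}
	for _, maxV := range []uint16{tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS11} {
		v, cs, err := Negotiate(cert, verified, "localhost", maxV)
		fmt.Printf("client max %#x: version %#x %s err=%v\n", maxV, v, tls.CipherSuiteName(cs), err)
	}
}
```

Two cases worth trying with it beyond what `main` prints: a service URL of `https://localhost:443` with an empty `originServerName` fails verification, because the certificate is for `origin.internal` and the expected hostname defaults to `localhost`, which is exactly the situation `originServerName` exists for; and `noTLSVerify: true` makes the same handshake succeed with no trust store at all, which is what "any certificate from the origin will be accepted" means in practice. A TLS 1.1 client is refused outright, so the CBC-SHA row of the table is never reachable against this origin.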

## HTTP settings

### httpHostHeader

| Default | UI name          |
| ------- | ---------------- |
| ""      | HTTP Host Header |

Sets the HTTP `Host` header on requests sent to the local service.

### disableChunkedEncoding

| Default | UI name                  |
| ------- | ------------------------ |
| false   | Disable Chunked Encoding |

When `false`, `cloudflared` performs chunked transfer encoding when transferring data over HTTP/1.1.

When `true`, chunked transfer encoding is disabled. This is useful if you are running a Web Server Gateway Interface (WSGI) server.

## Connection settings

### connectTimeout

| Default | UI name         |
| ------- | --------------- |
| 30s     | Connect Timeout |

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by [tlsTimeout](#tlstimeout).

### noHappyEyeballs

| Default | UI name           |
| ------- | ----------------- |
| false   | No Happy Eyeballs |

When `false`, `cloudflared` uses the Happy Eyeballs algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

When `true`, Happy Eyeballs is disabled.

### proxyType

| Default | UI name    |
| ------- | ---------- |
| ""      | Proxy Type |

`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are:

* `""` for the regular proxy
* `"socks"` for a SOCKS5 proxy. Refer to the [tutorial on connecting through Cloudflare Access using kubectl](https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/) for more information.

### proxyAddress

> **Note:** For locally-managed tunnels only.

| Default   | UI name |
| --------- | ------- |
| 127.0.0.1 | --      |

`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen address for that proxy.

### proxyPort

> **Note:** For locally-managed tunnels only.

| Default | UI name |
| ------- | ------- |
| 0       | --      |

`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen.

### keepAliveTimeout

| Default | UI name                         |
| ------- | ------------------------------- |
| 1m30s   | Idle Connection Expiration Time |

Timeout after which an idle keepalive connection can be discarded.

### keepAliveConnections

| Default | UI name                |
| ------- | ---------------------- |
| 100     | Keep Alive Connections |

Maximum number of idle keepalive connections between Cloudflare and your origin. This does not restrict the total number of concurrent connections.

### tcpKeepAlive

| Default | UI name                 |
| ------- | ----------------------- |
| 30s     | TCP Keep Alive Interval |

The timeout after which a TCP keepalive packet is sent on a connection between Cloudflare and the origin server.

## Access settings

### access

| Default | UI name             |
| ------- | ------------------- |
| ""      | Protect with Access |

Requires `cloudflared` to validate the [Cloudflare Access JWT](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname services that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.

To enable this security control in a [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/), [get the AUD tag](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`:

```yaml
access:
  required: true
  teamName: <your-team-name>
  audTag:
    - <Access-application-audience-tag>
    - <Optional-additional-tags>
```


---

---
title: Tunnel permissions
description: Manage tunnel tokens and control who can run your remotely-managed tunnels.

image: https://developers.cloudflare.com/zt-preview.png
---


# Tunnel permissions

A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel.

## Get the tunnel token

To get the token for a remotely-managed tunnel:

**Dashboard**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select a `cloudflared` tunnel and select **Edit**.
3. Copy the `cloudflared` installation command into a text editor (do not run the command). The token is the `eyJ...` string.

**API**

Make a `GET` request to the [Cloudflare Tunnel token](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/) endpoint. At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Cloudflare One Connectors Write`
* `Cloudflare One Connector: cloudflared Write`
* `Cloudflare Tunnel Write`

Get a Cloudflare Tunnel token:

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/token" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```json
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": "eyJhIjoiNWFiNGU5Z..."
}
```

The token value can be found in the `result`.

**Terraform (v5)**

```hcl
data "cloudflare_zero_trust_tunnel_cloudflared_token" "tunnel_token" {
  account_id = var.cloudflare_account_id
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.example_tunnel.id
}
```

If your host machine is not managed in Terraform or you want to install the tunnel manually, you can output the token value to the CLI.

**Example: Output to CLI**

1. Output the tunnel token to the Terraform state file:  
   ```hcl
   output "tunnel_token" {
     value     = data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.token
     sensitive = true
   }
   ```
2. Apply the configuration:  
   ```sh
   terraform apply
   ```
3. Read the tunnel token:  
   ```sh
   terraform output -raw tunnel_token
   ```
   ```txt
   eyJhIj...
   ```

Alternatively, pass `data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.token` directly into your host's Terraform configuration or store the token in your secret management tool.

**Example: Store in HashiCorp Vault**

```hcl
resource "vault_generic_secret" "tunnel_token" {
  path = "kv/cloudflare/tunnel_token"

  data_json = jsonencode({
    "TUNNEL_TOKEN" = data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.token
  })
}
```

## Rotate a token without service disruption

Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two [cloudflared replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/). To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window.

To rotate a tunnel token:

1. Refresh the token on Cloudflare, using either the dashboard or the API.  
   **Dashboard**  
   1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.  
   2. Select a `cloudflared` tunnel and select **Edit**.  
   3. Select **Refresh token**.  
   4. Copy the `cloudflared` installation command for your operating system. This command contains the new token.  

   **API**  
   1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret:  
      ```sh
      openssl rand -base64 32
      ```
      ```txt
      AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=
      ```
   2. Make a `PATCH` request to the [Cloudflare Tunnel](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/methods/edit/) endpoint. At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
      * `Cloudflare One Connectors Write`  
      * `Cloudflare One Connector: cloudflared Write`  
      * `Cloudflare Tunnel Write`  

      Update a Cloudflare Tunnel:  
      ```sh
      curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID" \
        --request PATCH \
        --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
        --json '{
          "name": "Example tunnel",
          "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="
        }'
      ```
      ```json
      {
        "success": true,
        "errors": [],
        "messages": [],
        "result": {
          "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
          "account_tag": "699d98642c564d2e855e9661899b7252",
          "created_at": "2024-12-04T22:03:26.291225Z",
          "deleted_at": null,
          "name": "Example tunnel",
          "connections": [],
          "conns_active_at": null,
          "conns_inactive_at": "2024-12-04T22:03:26.291225Z",
          "tun_type": "cfd_tunnel",
          "metadata": {},
          "status": "inactive",
          "remote_config": true,
          "token": "eyJhIjoiNWFiNGU5Z..."
        }
      }
      ```
   3. Copy the `token` value shown in the output.  

   After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic.
2. On half of your `cloudflared` replicas, reinstall the `cloudflared` service with the new token. For example, on a Linux host:  
   ```sh
   sudo cloudflared service uninstall
   sudo cloudflared service install <NEW_TOKEN>
   ```
3. Confirm that the service started correctly:  
   ```sh
   sudo systemctl status cloudflared
   ```
   While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas.
4. Wait 10 minutes for traffic to route through the new connectors.
5. Repeat steps 2, 3, and 4 for the second half of the replicas.

The tunnel token is now fully rotated. The old token is no longer in use.
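The refresh-and-reinstall procedure above can be scripted. The following Go program is an added example and not Cloudflare's tooling: it generates a 32-byte secret with `crypto/rand`, sends the documented `PATCH` to `/accounts/{account_id}/cfd_tunnel/{tunnel_id}` with a `tunnel_secret`, reads the new connector token from `result.token`, and splits a replica list into the two halves the procedure reinstalls in turn. `FakeTunnelAPI`, `RoundTripFunc`, the `ACCOUNT_ID_PLACEHOLDER`, `TUNNEL_ID_PLACEHOLDER` and `API_TOKEN_PLACEHOLDER` values and the replica names are constructed so that it runs offline; the fake also enforces the 32-byte minimum on the secret. Against the real API you would pass `http.DefaultClient` and `https://api.cloudflare.com/client/v4` as `baseURL`.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// NewTunnelSecret returns 32 random bytes base64-encoded: the shape of the
// `openssl rand -base64 32` step, taken from crypto/rand instead.
func NewTunnelSecret() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// RefreshToken issues the documented PATCH to /accounts/{account}/cfd_tunnel/{tunnel} with a
// new tunnel_secret and returns result.token. baseURL is a parameter only so it can be faked.
func RefreshToken(c *http.Client, baseURL, accountID, tunnelID, apiToken, name, secret string) (string, error) {
	body, err := json.Marshal(map[string]string{"name": name, "tunnel_secret": secret})
	if err != nil {
		return "", err
	}
	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%s/accounts/%s/cfd_tunnel/%s", baseURL, accountID, tunnelID), bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+apiToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct {
		Success bool `json:"success"`
		Result  struct {
			Token string `json:"token"`
		} `json:"result"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK || !out.Success || out.Result.Token == "" {
		return "", fmt.Errorf("token refresh failed: HTTP %d, success=%v", resp.StatusCode, out.Success)
	}
	return out.Result.Token, nil
}

// RolloutBatches splits replicas into the two halves the procedure reinstalls in turn.
// Fewer than two replicas cannot be rotated without an outage (the docs' precondition).
func RolloutBatches(replicas []string) ([][]string, error) {
	if len(replicas) < 2 {
		return nil, fmt.Errorf("disruption-free rotation needs at least two replicas, have %d", len(replicas))
	}
	half := (len(replicas) + 1) / 2
	return [][]string{replicas[:half], replicas[half:]}, nil
}

// RoundTripFunc lets a plain function act as the transport, so the API is faked without a socket.
type RoundTripFunc func(*http.Request) (*http.Response, error)

func (f RoundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// FakeTunnelAPI is a constructed stand-in for the endpoint (not Cloudflare's code). It rejects
// a wrong bearer token, a non-PATCH, or a tunnel_secret shorter than 32 bytes, and otherwise
// answers in the documented response shape with newToken as result.token.
func FakeTunnelAPI(apiToken, newToken string) *http.Client {
	return &http.Client{Transport: RoundTripFunc(func(r *http.Request) (*http.Response, error) {
		var body map[string]string
		json.NewDecoder(r.Body).Decode(&body)
		secret, decErr := base64.StdEncoding.DecodeString(body["tunnel_secret"])
		status, payload := http.StatusOK, fmt.Sprintf(`{"success":true,"errors":[],"messages":[],"result":{"token":%q}}`, newToken)
		switch {
		case r.Header.Get("Authorization") != "Bearer "+apiToken:
			status, payload = http.StatusForbidden, `{"success":false,"errors":[{"message":"constructed: bad API token"}],"result":null}`
		case r.Method != http.MethodPatch || !strings.Contains(r.URL.Path, "/cfd_tunnel/") || decErr != nil || len(secret) < 32:
			status, payload = http.StatusBadRequest, `{"success":false,"errors":[{"message":"constructed: bad request"}],"result":null}`
		}
		return &http.Response{StatusCode: status, Header: http.Header{}, Body: io.NopCloser(strings.NewReader(payload))}, nil
	})}
}

func main() {
	secret, err := NewTunnelSecret()
	if err != nil {
		panic(err)
	}
	client := FakeTunnelAPI("API_TOKEN_PLACEHOLDER", "eyJhIjoiNWFiNGU5Z...")
	token, err := RefreshToken(client, "https://api.cloudflare.com/client/v4", "ACCOUNT_ID_PLACEHOLDER", "TUNNEL_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER", "Example tunnel", secret)
	batches, _ := RolloutBatches([]string{"replica-1", "replica-2", "replica-3", "replica-4"})
	fmt.Println(token, err, batches)
}
```

The new token is the only secret this program handles, so in a real run keep it out of logs and shell history: pass it to `cloudflared service install` on each batch from the program's memory or from your secret store, as the Vault example above does, rather than printing it.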

## Rotate a compromised token

If your tunnel token is compromised, we recommend taking the following steps:

1. Refresh the token using the dashboard or API. Refer to Step 1 of [Rotate a token without service disruption](#rotate-a-token-without-service-disruption).
2. [Delete all connections](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/connections/methods/delete/) between `cloudflared` and Cloudflare. At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Cloudflare One Connectors Write`  
   * `Cloudflare One Connector: cloudflared Write`  
   * `Cloudflare Tunnel Write`  

   Clean up Cloudflare Tunnel connections:  
   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections" \
     --request DELETE \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```
   This will clean up any unauthorized connections and prevent users from connecting to your network.
3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host:  
   ```sh
   sudo cloudflared service uninstall
   sudo cloudflared service install <NEW_TOKEN>
   ```
4. Confirm that the service started correctly:  
   ```sh
   sudo systemctl status cloudflared
   ```

The tunnel token is now fully rotated. The old token is no longer in use.

## Account-scoped roles

Minimum permissions needed to create, delete, and configure tunnels for an account:

* [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/roles-permissions/)

Additional permissions needed to [route traffic to a public hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) and to be able to perform `cloudflared login`:

* [DNS](https://developers.cloudflare.com/fundamentals/manage-members/roles/)
* [Load Balancer](https://developers.cloudflare.com/fundamentals/manage-members/roles/)


---

---
title: Tunnel run parameters
description: Modify tunnel service parameters to control how `cloudflared` runs on your system, including logging, connection settings, and protocol options.

image: https://developers.cloudflare.com/zt-preview.png
---


# Tunnel run parameters

This page lists the configuration flags for the `cloudflared tunnel run` command. For a remotely-managed tunnel, add these flags to the [tunnel service](#add-run-parameters-to-tunnel-service). If you are using a locally-managed tunnel, add these flags to your [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) as key/value pairs.

## Add run parameters to tunnel service

Remotely-managed tunnels run as a service on your OS. To add run parameters to the tunnel service file:

On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl`. By default, the service will be named `cloudflared.service`. To configure your tunnel on Linux:

1. Open `cloudflared.service`:  
   ```sh
   sudo systemctl edit --full cloudflared.service
   ```
2. Modify the `cloudflared tunnel run` command with the desired configuration flag. For example:  
   ```ini
   [Unit]
   Description=Cloudflare Tunnel
   After=network.target
   [Service]
   TimeoutStartSec=0
   Type=notify
   ExecStart=/usr/local/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token <TOKEN VALUE>
   Restart=on-failure
   RestartSec=5s
   [Install]
   WantedBy=multi-user.target
   ```
3. Restart `cloudflared.service`:  
   ```sh
   sudo systemctl restart cloudflared
   ```
4. To verify the new configuration, check the service status:  
   ```sh
   sudo systemctl status cloudflared
   ```
   ```txt
   ● cloudflared.service - cloudflared
     Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago
   Main PID: 2157 (cloudflared)
      Tasks: 8 (limit: 1136)
     Memory: 16.3M
        CPU: 136ms
     CGroup: /system.slice/cloudflared.service
             └─2157 /usr/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi...
   ```

On macOS, Cloudflare Tunnel installs itself as a launch agent using `launchctl`. By default, the agent will be called `com.cloudflare.cloudflared`. To configure your tunnel on macOS:

1. Stop the `cloudflared` service:  
   ```sh
   sudo launchctl stop com.cloudflare.cloudflared
   ```
2. Unload the configuration file:  
   ```sh
   sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
   ```
3. Open `/Library/LaunchDaemons/com.cloudflare.cloudflared.plist` in a text editor.
4. Modify the `ProgramArguments` key with the desired configuration flag. For example:  
   ```xml
   <plist version="1.0">
       <dict>
           <key>Label</key>
           <string>com.cloudflare.cloudflared</string>
           <key>ProgramArguments</key>
           <array>
               <string>/opt/homebrew/bin/cloudflared</string>
               <string>tunnel</string>
               <string>--logfile</string>
               <string><PATH></string>
               <string>--loglevel</string>
               <string>debug</string>
               <string>run</string>
               <string>--token</string>
               <string><TOKEN VALUE></string>
           </array>
       </dict>
   </plist>
   ```
5. Load the updated configuration file:  
   ```sh
   sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
   ```
6. Start the `cloudflared` service:  
   ```sh
   sudo launchctl start com.cloudflare.cloudflared
   ```

On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named `cloudflared`. To configure your tunnel on Windows:

1. Open the Registry Editor.
2. Go to **HKEY\_LOCAL\_MACHINE** \> **SYSTEM** \> **CurrentControlSet** \> **Services** \> **cloudflared**.
3. Double-click **ImagePath**.
4. Modify **Value data** with the desired configuration flag. For example:  
   ```txt
   C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel info --logfile <PATH> run --token <TOKEN VALUE>
   ```

![Modify cloudflared service in the Registry Editor](https://developers.cloudflare.com/_astro/remote-management-windows.BFUIIr2f_Z1Rbddd.webp)

## Parameters

### `autoupdate-freq`

| Syntax                                                           | Default |
| ---------------------------------------------------------------- | ------- |
| `cloudflared tunnel --autoupdate-freq <FREQ> run <UUID or NAME>` | 24h     |

Configures the frequency of `cloudflared` updates.

By default, `cloudflared` will periodically check for updates and restart with the new version. Restarts are performed by spawning a new process that connects to the Cloudflare global network. On successful connection, the old process will gracefully shut down after handling all outstanding requests. See also: [no-autoupdate](#no-autoupdate).

### `config`

Note

For locally-managed tunnels only.

| Syntax | Default |
| ------ | ------- |
| `cloudflared tunnel --config <PATH> run <UUID or NAME>` | `~/.cloudflared/config.yml` |

Specifies the path to a [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) in YAML format.

### `dns-resolver-addrs`

Note

Requires `cloudflared` version 2025.7.0 or later.

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel run --dns-resolver-addrs <IP:PORT> <UUID or NAME>` | `TUNNEL_DNS_RESOLVER_ADDRS` |

Specifies custom DNS resolver addresses for `cloudflared` to use instead of the host machine's default resolvers. Each address must be in `ip:port` format — providing an IP address without a port will cause `cloudflared` to fail to start. You can specify multiple resolvers by repeating the flag. For example,

```
cloudflared tunnel run --dns-resolver-addrs 1.1.1.1:53 --dns-resolver-addrs 1.0.0.1:53 <UUID or NAME>
```

When multiple resolvers are specified, `cloudflared` randomly selects one for each DNS request. A maximum of 10 resolver addresses are allowed.

### `edge-bind-address`

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel --edge-bind-address <IP> run <UUID or NAME>` | `TUNNEL_EDGE_BIND_ADDRESS` |

Specifies the outgoing IP address used to establish a connection between `cloudflared` and the Cloudflare global network.

By default, `cloudflared` lets the operating system decide which IP address to use. This option is useful if you have multiple network interfaces available and want to prefer a specific interface.

The IP version of `edge-bind-address` will override [edge-ip-version](#edge-ip-version) (if provided). For example, if you enter an IPv6 source address, `cloudflared` will always connect to an IPv6 destination.

### `edge-ip-version`

| Syntax | Default | Environment Variable |
| ------ | ------- | -------------------- |
| `cloudflared tunnel --edge-ip-version <VERSION> run <UUID or NAME>` | `4` | `TUNNEL_EDGE_IP_VERSION` |

Specifies the IP address version (IPv4 or IPv6) used to establish a connection between `cloudflared` and the Cloudflare global network. Available values are `auto`, `4`, and `6`.

The value `auto` relies on the host operating system to determine which IP version to select. The first IP version returned from the DNS resolution of the region lookup is used as the primary set. In dual IPv6 and IPv4 network setups, `cloudflared` separates the IP versions into two address sets, and uses the second set to fall back on in connectivity failure scenarios.

### `grace-period`

| Syntax | Default | Environment Variable |
| ------ | ------- | -------------------- |
| `cloudflared tunnel --grace-period <PERIOD> run <UUID or NAME>` | `30s` | `TUNNEL_GRACE_PERIOD` |

When `cloudflared` receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shut down. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.

### `logfile`

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel --logfile <PATH> run <UUID or NAME>` | `TUNNEL_LOGFILE` |

Saves application log to this file. Mainly useful for reporting issues. For more details on what information you need when contacting Cloudflare support, refer to [this guide](https://developers.cloudflare.com/cloudflare-one/faq/cloudflare-tunnels-faq/).

### `loglevel`

| Syntax | Default | Environment Variable |
| ------ | ------- | -------------------- |
| `cloudflared tunnel --loglevel <VALUE> run <UUID or NAME>` | `info` | `TUNNEL_LOGLEVEL` |

Specifies the verbosity of logging for the local `cloudflared` instance. Available values are `debug`, `info` (default), `warn`, `error`, and `fatal`. At the `debug` level, `cloudflared` will log and display the request URL, method, protocol, content length, as well as all request and response headers. However, note that this can expose sensitive information in your logs.

### `metrics`

| Syntax | Default | Environment Variable |
| ------ | ------- | -------------------- |
| `cloudflared tunnel --metrics <IP:PORT> run <UUID or NAME>` | Refer to [Tunnel metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/) | `TUNNEL_METRICS` |

Exposes a Prometheus endpoint on the specified IP address and port, which you can then query for [usage metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/).

### `no-autoupdate`

Note

Does not apply if you installed `cloudflared` using a package manager. 

You can check if `cloudflared` was installed by a package manager by running `ls -la /usr/local/etc/cloudflared/` and looking for `.installedFromPackageManager` in the output.

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel --no-autoupdate run <UUID or NAME>` | `NO_AUTOUPDATE` |

Disables automatic `cloudflared` updates. See also: [autoupdate-freq](#autoupdate-freq).

### `origincert`

Note

For locally-managed tunnels only.

| Syntax | Default | Environment Variable |
| ------ | ------- | -------------------- |
| `cloudflared tunnel --origincert <PATH> run <UUID or NAME>` | `~/.cloudflared/cert.pem` | `TUNNEL_ORIGIN_CERT` |

Specifies the [account certificate](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/tunnel-permissions/) for one of your zones, authorizing the client to serve as an origin for that zone. You can obtain a certificate by using the `cloudflared tunnel login` command or by visiting `https://dash.cloudflare.com/argotunnel`.

### `pidfile`

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel --pidfile <PATH> run <UUID or NAME>` | `TUNNEL_PIDFILE` |

Writes the application's process identifier (PID) to this file after the first successful connection. Mainly useful for scripting and service integration.

### `post-quantum`

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel run --post-quantum <UUID or NAME>` | `TUNNEL_POST_QUANTUM` |

By default, Cloudflare Tunnel connections over [quic](#protocol) are encrypted using [post-quantum cryptography (PQC)](https://developers.cloudflare.com/ssl/post-quantum-cryptography/) but will fall back to non-PQ if there are issues connecting. If the `--post-quantum` flag is provided, `quic` connections are only allowed to use PQ key agreements, with no fallback to non-PQ.

Post-quantum key agreements are not supported when using `http2` protocol.

### `protocol`

| Syntax | Default | Environment Variable |
| ------ | ------- | -------------------- |
| `cloudflared tunnel --protocol <VALUE> run <UUID or NAME>` | `auto` | `TUNNEL_TRANSPORT_PROTOCOL` |

Specifies the protocol used to establish a connection between `cloudflared` and the Cloudflare global network. Available values are `auto`, `http2`, and `quic`.

The `auto` value automatically selects the `quic` protocol. If `cloudflared` is unable to establish UDP connections, it falls back to the `http2` protocol.

### `region`

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel --region <VALUE> run <UUID or NAME>` | `TUNNEL_REGION` |

Allows you to choose the regions to which connections are established. Currently the only available value is `us`, which routes all connections through data centers in the United States. Omit or leave empty to connect to the global region.

When the region is set to `us`, `cloudflared` uses different US-specific hostnames and IPs. Refer to [Tunnel with firewall](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#region-us) for details.

Note

For [FedRAMP High ↗](https://www.cloudflare.com/cloudflare-for-government/) environments, the tunnel token determines routing to FedRAMP data centers automatically — no `--region` flag is required. Refer to [Tunnel with firewall](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#region-fedramp-high) for the FedRAMP-specific endpoints your firewall must allow.

### `retries`

| Syntax | Default | Environment Variable |
| ------ | ------- | -------------------- |
| `cloudflared tunnel --retries <VALUE> run <UUID or NAME>` | `5` | `TUNNEL_RETRIES` |

Specifies the maximum number of retries for connection/protocol errors. Retries use exponential backoff (retrying at 1, 2, 4, 8, 16 seconds by default), so it is not recommended that you increase this value significantly.

### `tag`

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel --tag <KEY=VAL> run <UUID or NAME>` | `TUNNEL_TAG` |

Specifies custom tags used to identify this tunnel. Multiple tags may be specified by adding additional `--tag <KEY=VAL>` flags to the command. If entering multiple tags into a configuration file, delimit with commas: `tag: {KEY1=VALUE1, KEY2=VALUE2}`.

### `token`

Note

For remotely-managed tunnels only.

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel run --token <TUNNEL_TOKEN>` | `TUNNEL_TOKEN` |

Associates the `cloudflared` instance with a specific tunnel. The tunnel's token is shown in the dashboard when you first [create the tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/). You can also retrieve the token using the [API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/).

### `token-file`

Note

For remotely-managed tunnels only. Requires `2025.4.0` or later.

| Syntax | Environment Variable |
| ------ | -------------------- |
| `cloudflared tunnel run --token-file <PATH>` | `TUNNEL_TOKEN_FILE` |

Associates the `cloudflared` instance with a specific tunnel using a file which contains the token.


---

---
title: Tunnel availability and failover
description: Deploy multiple `cloudflared` replicas for high availability and automatic failover across your infrastructure.

image: https://developers.cloudflare.com/zt-preview.png
---


# Tunnel availability and failover

Our lightweight and open-source connector, [cloudflared ↗](https://github.com/cloudflare/cloudflared), was built to be highly available without any additional configuration requirements. When you run a tunnel, `cloudflared` establishes four outbound-only connections between the origin server and the Cloudflare network. These four connections are made to four different servers spread across at least two distinct data centers. This model ensures high availability and mitigates the risk of individual connection failures: if a single connection, server, or data center goes offline, your resources remain available.

## `cloudflared` replicas

You can deploy additional instances of `cloudflared` for availability and failover. These instances are called replicas. Each replica establishes four new connections to Cloudflare, providing additional points of ingress to your origin. All replicas point to the same tunnel, so if a single host running `cloudflared` goes down, the remaining replicas continue to serve traffic.

```mermaid
graph LR
    C((Cloudflare))
    subgraph E[Your network]
        cf1["cloudflared <br> (Replica for tunnel-01)"]
        cf2["cloudflared <br> (Replica for tunnel-01)"]
        S1[Application]
        cf1-->S1
        cf2-->S1
    end
    C -- "Connections x 4 <br>"--> cf1
    C --> cf1
    C --> cf1
    C --> cf1
    C -- Connections x 4--> cf2
    C --> cf2
    C --> cf2
    C --> cf2
```

Replicas do not support traffic steering (such as round-robin or hash-based routing). When a request arrives at Cloudflare, it is forwarded to the geographically closest replica. If that connection fails, Cloudflare retries with other replicas, but there is no guarantee about which one is chosen. If you need intelligent traffic distribution, use [Cloudflare Load Balancers](#cloudflare-load-balancers) instead.

### When to use `cloudflared` replicas

* To provide additional points of availability for a single tunnel.
* To allocate failover nodes within your network.
* To update the configuration of a tunnel [without downtime](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/#update-with-multiple-cloudflared-instances).

For setup instructions, refer to [Deploy cloudflared replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/).

## Cloudflare Load Balancers

[Cloudflare Load Balancing](https://developers.cloudflare.com/load-balancing/) proactively steers traffic away from unhealthy origins and intelligently distributes the traffic load based on your choice of [steering algorithms](https://developers.cloudflare.com/load-balancing/understand-basics/traffic-steering/). Unlike [cloudflared replicas](#cloudflared-replicas) which all use the same tunnel, a typical load balancer setup requires creating multiple tunnels. Most customers will create one tunnel per data center and one load balancer pool per tunnel.

```mermaid
graph LR
    accTitle: Load balancing traffic to applications behind Cloudflare Tunnel

    A[Internet] --> C{Cloudflare <br> Load Balancer}
    B[Cloudflare One Client] --> C
    M[Cloudflare WAN] --> C
    C -- Tunnel 1 --> cf1
    C -- Tunnel 2 --> cf2
    subgraph F[Data center 2]
        cf2[cloudflared <br> server]
        S3[App server]
        S4[App server]
        cf2-->S3
        cf2-->S4
    end
    subgraph E[Data center 1]
        cf1[cloudflared <br> server]
        S1[App server]
        S2[App server]
        cf1-->S1
        cf1-->S2
    end
```

### When to use load balancers

* To intelligently steer traffic based on latency, geolocation, or other signals.
* To implement failover logic if a tunnel reaches an inactive state.
* To get a [health alert](https://developers.cloudflare.com/notifications/notification-available/#load-balancing) when a tunnel reaches an inactive state.
* To distribute traffic more evenly across your Cloudflare Tunnel-accessible origins or endpoints.

For setup instructions, refer to [Public load balancers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/) or [Private Network Load Balancing](https://developers.cloudflare.com/load-balancing/private-network/) depending on your [use case](#types-of-load-balancers).

### Types of load balancers

There are two types of load balancers that you can use with Cloudflare Tunnel endpoints:

* [Public load balancers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/) steer traffic from the Internet to applications published on a Cloudflare domain. Use this method if your service is served by Cloudflare Tunnel via a [published application route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application).
* [Private load balancers](https://developers.cloudflare.com/load-balancing/private-network/) steer traffic from Cloudflare One Clients, Cloudflare WAN, and other on-ramps to an internal IP on your private network. Use this method if your service is connected to Cloudflare Tunnel via a [CIDR route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/).

Note

[Private hostname routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) are not currently compatible with Load Balancing. If your service is connected via a hostname route, use `cloudflared` [replicas](#cloudflared-replicas) for high availability.


---

---
title: Deploy cloudflared replicas
description: Deploy cloudflared replicas in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Deploy cloudflared replicas

To deploy multiple instances of `cloudflared`, you can create and configure one tunnel and run it on multiple hosts. If your tunnel runs as a service, only one `cloudflared` instance is allowed per host.

You can run the same tunnel across various `cloudflared` processes for up to 100 connections (25 replicas) per tunnel. Cloudflare Load Balancers and DNS records can still point to the tunnel and its UUID. Traffic will be sent to all `cloudflared` processes associated with the tunnel.

Deploy replicas in Kubernetes

For information about running `cloudflared` in a Kubernetes deployment, refer to the [Kubernetes guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes/).

## Remotely-managed tunnels

1. To create a remotely-managed tunnel, follow the [dashboard setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
2. On the **Tunnels** page, select your newly created tunnel. The tunnel overview page displays all active replicas.
3. Select **Edit**.
4. Select the operating system of the host where you want to deploy a replica.
5. Copy the installation command and run it on the host.

The new replica will appear on the tunnel overview page. All replicas serve the same routes and use the same configuration parameters.

## Locally-managed tunnels

1. To create a locally-managed tunnel, complete Steps 1 through 5 in the [CLI setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/).
2. Run your newly created tunnel.

   ```
   cloudflared tunnel run <NAME>
   ```

   This will start a `cloudflared` instance and generate a unique `connector_id`.

3. In a separate window or on another host, run the same command again:

   ```
   cloudflared tunnel run <NAME>
   ```

   This will initialize another `cloudflared` instance and generate another `connector_id`.

4. Run `tunnel info` to show each `cloudflared` instance running your tunnel:

   ```
   cloudflared tunnel info <NAME>
   ```

This will output your tunnel UUID as well as two Connector IDs, one for each `cloudflared` process running your tunnel. With this command, you can also see that your tunnel is now being served by eight connections.


---

---
title: System requirements
description: How System requirements works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# System requirements

Our connector, `cloudflared`, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server in a data center. 

Unlike legacy VPNs where throughput is determined by the server's memory, CPU and other hardware specifications, Cloudflare Tunnel throughput is primarily limited by the number of ports configured in system software. Therefore, when sizing your `cloudflared` server, the most important element is sizing the available ports on the machine to reflect the expected throughput of TCP and UDP traffic.

## Recommendations

For most use cases, we recommend the following baseline configuration:

* Run a [cloudflared replica](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) on two dedicated host machines per network location. Using two hosts enables server-side redundancy.
* Size each host with a minimum of 4 GB of RAM and 4 CPU cores.
* Allocate 50,000 [ports](#number-of-ports) to the `cloudflared` process on each host.

This setup is usually sufficient to handle traffic from 8,000 Cloudflare One Client users (4,000 per host). The actual amount of resources used by `cloudflared` will depend on many variables, including the number of requests per second, bandwidth, network path and hardware. As additional users are onboarded, or if network traffic increases beyond your existing [tunnel capacity](#estimated-throughput), you can scale your tunnel by adding an additional `cloudflared` host in that location.

### Number of ports

When `cloudflared` receives a request from a device, it uses the ports on the host machine to evaluate and forward the request to your origin service. Every machine is limited by design to a maximum of 65,535 ports. Additionally, each service on the machine has a limited number of ports that it can consume. For this reason, we recommend the following deployment model:

* `cloudflared` should be deployed on a dedicated host machine. This model is typically appropriate, but there may be serverless or clustered workflows where a dedicated host is not possible.
* The host machine should allocate 50,000 ports to be available for use by the `cloudflared` service. The remaining ports are reserved for system administrative processes.


To increase the number of ports available to `cloudflared` on Linux:

If your machine has a `/etc/sysctl.d/` directory:

```
echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.d/99-cloudflared.conf
sudo sysctl -p /etc/sysctl.d/99-cloudflared.conf
```

Otherwise:

```
echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
```

To increase the number of ports available to `cloudflared` on Windows, set the [dynamic port range ↗](https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcp-ip-port-exhaustion-troubleshooting) for TCP and UDP:

```
netsh int ipv4 set dynamicport tcp start=11000 num=50000
netsh int ipv4 set dynamicport udp start=11000 num=50000
netsh int ipv6 set dynamicport tcp start=11000 num=50000
netsh int ipv6 set dynamicport udp start=11000 num=50000
```

### Private DNS

DNS queries utilize [more system resources](#estimated-throughput) compared to TCP and non-DNS UDP requests. To optimize service availability, Cloudflare recommends splitting [private DNS traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/) into its own Cloudflare Tunnel. The tunnel should run on a dedicated host and only include routes for your internal DNS resolver IPs.

### ulimits

On Linux and macOS, `ulimit` settings determine the system resources available to a logged-in user. We recommend configuring the following ulimits on the `cloudflared` server:

| ulimit | Description                                      | Value    |
| ------ | ------------------------------------------------ | -------- |
| `-n`   | Maximum number of open files or file descriptors | ≥ 70,000 |

To view your current ulimits, open a terminal and run:

```
ulimit -a
```

To set the open files `ulimit`:

```
ulimit -n 70000
```

The command above sets the open files limit only for the current terminal session and will not persist after a reboot or new login. To apply this limit permanently, configure it using the persistent method appropriate for your operating system.

## Estimated throughput

Most private network traffic proxied by `cloudflared` falls in one of two categories:

* TCP requests (more common, less resource intensive)
* UDP requests (less common, more resource intensive)

TCP traffic uses and releases ports almost instantaneously. This means that in order to overload a `cloudflared` instance with 50,000 available ports, your organization would need to continuously generate 50,001 TCP requests per second.

UDP traffic behaves differently. DNS queries, usually the bulk of UDP traffic, hold a port in `cloudflared` for five seconds. Non-DNS UDP traffic holds each port for the duration of the connection, which can be any amount of time. This means that in order to overload a `cloudflared` instance with 50,000 available ports, you would need to continuously generate either 10,000 DNS queries per second to your private resolver, or a cumulative 50,000 non-DNS UDP requests over a shorter time than your connection reset rate.

### Calculate your tunnel capacity

Our [baseline recommendations](#recommendations) serve as a starting point for a Cloudflare Tunnel deployment. Once you have a representative population of users engaging with your network for at least a week, you can customize tunnel sizing according to your own traffic patterns.

To calculate your tunnel capacity:

1. Set up a [metrics service](https://developers.cloudflare.com/cloudflare-one/tutorials/grafana/) when you run the tunnel.
2. After a week or so, query the following [tunnel metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#cloudflared-metrics):  
   * `cloudflared_tcp_total_sessions`  
   * `cloudflared_udp_total_sessions`
3. Compute the average **TCP requests per second** and **Non-DNS UDP requests per second** by dividing total sessions by total time.
4. In your private DNS resolver, obtain the average **Private DNS requests per second**.
5. Input your values into the interactive sizing calculator on the System requirements page. The calculator takes the following inputs:  
   * System configuration: available ports per host, number of `cloudflared` replicas, DNS UDP session timeout (in seconds), average non-DNS UDP session timeout (in seconds)  
   * Metrics: TCP requests per second, non-DNS UDP requests per second, private DNS requests per second  
   and reports the percent capacity per replica, the percent capacity across all replicas, and the maximum DNS requests per minute across all replicas.

The calculator is for informational purposes only and all results are estimates.

You can use these results to determine if your tunnel is appropriately sized. To increase your tunnel capacity, add identical host machines running [cloudflared replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas).
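The following added example (not part of the Cloudflare docs, and not the formula behind the calculator above) turns the description in this section into a runnable estimate: TCP sessions are modelled as holding a port for about one second, DNS sessions for the DNS UDP timeout, other UDP sessions for their average timeout, and ports in use are the sum of rate times hold time. The function names and the sample numbers are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloudflare docs: estimate port utilisation for a
# cloudflared deployment from the metrics gathered in the steps above.
#
# The model is an assumption derived from the prose on this page, not a
# published Cloudflare formula:
#   - a TCP session holds a port for about 1 second ("almost instantaneously")
#   - a DNS-over-UDP session holds a port for DNS_TIMEOUT seconds (5 by default)
#   - any other UDP session holds a port for UDP_TIMEOUT seconds on average
# Ports in use = sum over traffic classes of (requests per second * hold time).
set -eu

# tunnel_capacity PORTS REPLICAS DNS_TIMEOUT UDP_TIMEOUT TCP_RPS UDP_RPS DNS_RPS
# Prints three space-separated values:
#   1. percent of one replica's ports used if that replica carried all traffic
#      alone (the failover case when the other replicas are down)
#   2. percent of the pool's ports used with traffic spread evenly over replicas
#   3. maximum DNS queries per minute the whole pool could hold if every port
#      were a DNS session
tunnel_capacity() {
  LC_ALL=C awk -v ports="$1" -v replicas="$2" -v dns_t="$3" -v udp_t="$4" \
      -v tcp="$5" -v udp="$6" -v dns="$7" 'BEGIN {
    held = tcp * 1 + dns * dns_t + udp * udp_t        # ports held by all traffic
    pct_single = 100 * held / ports
    pct_pool   = 100 * held / (ports * replicas)
    max_dns_per_min = (ports / dns_t) * replicas * 60
    printf "%.1f %.1f %d\n", pct_single, pct_pool, max_dns_per_min
  }'
}

# replicas_needed PORTS DNS_TIMEOUT UDP_TIMEOUT TCP_RPS UDP_RPS DNS_RPS TARGET_PCT
# Smallest replica count that keeps pool utilisation at or below TARGET_PCT.
replicas_needed() {
  LC_ALL=C awk -v ports="$1" -v dns_t="$2" -v udp_t="$3" -v tcp="$4" -v udp="$5" \
      -v dns="$6" -v target="$7" 'BEGIN {
    held = tcp * 1 + dns * dns_t + udp * udp_t
    n = held / (ports * target / 100)
    if (n > int(n)) n = int(n) + 1                    # round up
    if (n < 1) n = 1
    print int(n)
  }'
}

# Constructed sample: 50,000 usable ports per host, 2 replicas, 5 s DNS hold,
# 30 s average for other UDP, and a week of metrics averaging
# 1,000 TCP/s, 100 non-DNS UDP/s and 2,000 private DNS queries/s.
set -- $(tunnel_capacity 50000 2 5 30 1000 100 2000)
echo "single replica: $1% | pool: $2% | DNS ceiling: $3 queries/min"
echo "replicas needed to stay under 10%: $(replicas_needed 50000 5 30 1000 100 2000 10)"
```

The first percentage is the number to size against if one replica must survive the others failing; the second is the steady-state figure. With `0 0 10000` as the three rates and a single replica, the estimate returns 100%, matching the 10,000 DNS queries per second overload case described above.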


---

---
title: Tunnel with firewall
description: Configure firewall rules to allow `cloudflared` egress traffic while blocking all ingress, implementing a positive security model.

image: https://developers.cloudflare.com/zt-preview.png
---


# Tunnel with firewall

You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from `cloudflared`. Only the services specified in your tunnel configuration will be exposed to the outside world.

## Ports

The destinations below are what your firewall must allow for egress traffic from the host running `cloudflared`.

How you configure your firewall depends on the firewall type:

* If your firewall supports domain-based rules (FQDN allowlists), you can allow outbound connections to the hostnames listed below.
* If your firewall requires IP-based rules, allow outbound connections to all listed IP addresses for each domain.

Ensure port `7844` is allowed for both TCP and UDP protocols (for `http2` and `quic`).

### Required for tunnel operation

`cloudflared` connects to Cloudflare's global network on port `7844`. To use Cloudflare Tunnel, your firewall must allow outbound connections to the following destinations on port `7844` (via UDP if using the `quic` protocol or TCP if using the `http2` protocol).

#### `region1.v2.argotunnel.com`

| IPv4                                                                                                                                          | IPv6                                                                                                                                                             | Port | Protocols            |
| --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -------------------- |
| 198.41.192.167 198.41.192.67 198.41.192.57 198.41.192.107 198.41.192.27 198.41.192.7 198.41.192.227 198.41.192.47 198.41.192.37 198.41.192.77 | 2606:4700:a0::1 2606:4700:a0::2 2606:4700:a0::3 2606:4700:a0::4 2606:4700:a0::5 2606:4700:a0::6 2606:4700:a0::7 2606:4700:a0::8 2606:4700:a0::9 2606:4700:a0::10 | 7844 | TCP/UDP (http2/quic) |

#### `region2.v2.argotunnel.com`

| IPv4                                                                                                                                           | IPv6                                                                                                                                                             | Port | Protocols            |
| ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -------------------- |
| 198.41.200.13 198.41.200.193 198.41.200.33 198.41.200.233 198.41.200.53 198.41.200.63 198.41.200.113 198.41.200.73 198.41.200.43 198.41.200.23 | 2606:4700:a8::1 2606:4700:a8::2 2606:4700:a8::3 2606:4700:a8::4 2606:4700:a8::5 2606:4700:a8::6 2606:4700:a8::7 2606:4700:a8::8 2606:4700:a8::9 2606:4700:a8::10 | 7844 | TCP/UDP (http2/quic) |

#### SNI-enforcing firewalls

If your firewall enforces Server Name Indication (SNI), also allow these hostnames on port `7844`:

| Hostname                                | Port | Protocols            |
| --------------------------------------- | ---- | -------------------- |
| \_v2-origintunneld.\_tcp.argotunnel.com | 7844 | TCP (http2)          |
| cftunnel.com                            | 7844 | TCP/UDP (http2/quic) |
| h2.cftunnel.com                         | 7844 | TCP (http2)          |
| quic.cftunnel.com                       | 7844 | UDP (quic)           |

### Region US

When using the [\--region us](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) flag, ensure your firewall allows outbound connections to these US-region destinations on port `7844` (TCP/UDP).

#### `us-region1.v2.argotunnel.com`

| IPv4                                                                                                                               | IPv6                                                                                                                                                             | Port | Protocol             |
| ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -------------------- |
| 198.41.218.1 198.41.218.2 198.41.218.3 198.41.218.4 198.41.218.5 198.41.218.6 198.41.218.7 198.41.218.8 198.41.218.9 198.41.218.10 | 2606:4700:a1::1 2606:4700:a1::2 2606:4700:a1::3 2606:4700:a1::4 2606:4700:a1::5 2606:4700:a1::6 2606:4700:a1::7 2606:4700:a1::8 2606:4700:a1::9 2606:4700:a1::10 | 7844 | TCP/UDP (http2/quic) |

#### `us-region2.v2.argotunnel.com`

| IPv4                                                                                                                               | IPv6                                                                                                                                                             | Port | Protocol             |
| ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -------------------- |
| 198.41.219.1 198.41.219.2 198.41.219.3 198.41.219.4 198.41.219.5 198.41.219.6 198.41.219.7 198.41.219.8 198.41.219.9 198.41.219.10 | 2606:4700:a9::1 2606:4700:a9::2 2606:4700:a9::3 2606:4700:a9::4 2606:4700:a9::5 2606:4700:a9::6 2606:4700:a9::7 2606:4700:a9::8 2606:4700:a9::9 2606:4700:a9::10 | 7844 | TCP/UDP (http2/quic) |

### Region FedRAMP High

When deploying `cloudflared` in a [FedRAMP High ↗](https://www.cloudflare.com/cloudflare-for-government/) environment, `cloudflared` automatically routes to FedRAMP data centers based on the [tunnel token](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions/). Ensure your firewall allows outbound connections to these FedRAMP-specific destinations on port `7844` (TCP/UDP).

#### `fed-region1.v2.argotunnel.com`

| IPv4                                                                                                                                         | IPv6                                                                                                                                                             | Port | Protocols            |
| -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -------------------- |
| 162.159.234.1 162.159.234.2 162.159.234.3 162.159.234.4 162.159.234.5 162.159.234.6 162.159.234.7 162.159.234.8 162.159.234.9 162.159.234.10 | 2a06:98c1:4d::1 2a06:98c1:4d::2 2a06:98c1:4d::3 2a06:98c1:4d::4 2a06:98c1:4d::5 2a06:98c1:4d::6 2a06:98c1:4d::7 2a06:98c1:4d::8 2a06:98c1:4d::9 2a06:98c1:4d::10 | 7844 | TCP/UDP (http2/quic) |

#### `fed-region2.v2.argotunnel.com`

| IPv4                                                                                                                               | IPv6                                                                                                                                                             | Port | Protocols            |
| ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -------------------- |
| 172.64.234.1 172.64.234.2 172.64.234.3 172.64.234.4 172.64.234.5 172.64.234.6 172.64.234.7 172.64.234.8 172.64.234.9 172.64.234.10 | 2606:4700:f6::1 2606:4700:f6::2 2606:4700:f6::3 2606:4700:f6::4 2606:4700:f6::5 2606:4700:f6::6 2606:4700:f6::7 2606:4700:f6::8 2606:4700:f6::9 2606:4700:f6::10 | 7844 | TCP/UDP (http2/quic) |

### Optional

Opening port `443` enables some optional features. Failure to allow these connections may prompt a log error, but `cloudflared` will still run correctly.

#### `api.cloudflare.com`

Allows `cloudflared` to query if software updates are available.

| IPv4                                                                                    | IPv6                                                                                                                                                        | Port | Protocols   |
| --------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ----------- |
| 104.19.192.29 104.19.192.177 104.19.192.175 104.19.193.29 104.19.192.174 104.19.192.176 | 2606:4700:300a::6813:c0af 2606:4700:300a::6813:c01d 2606:4700:300a::6813:c0ae 2606:4700:300a::6813:c11d 2606:4700:300a::6813:c0b0 2606:4700:300a::6813:c0b1 | 443  | TCP (HTTPS) |

#### `update.argotunnel.com`

Allows `cloudflared` to query if software updates are available.

| IPv4                        | IPv6                                      | Port | Protocols   |
| --------------------------- | ----------------------------------------- | ---- | ----------- |
| 104.18.25.129 104.18.24.129 | 2606:4700::6812:1881 2606:4700::6812:1981 | 443  | TCP (HTTPS) |

#### `github.com`

Allows `cloudflared` to download the latest release and perform a software update.

| IPv4                                                                                                                        | IPv6                                                                                                                        | Port | Protocols   |
| --------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | ---- | ----------- |
| [GitHub's IPs ↗](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | [GitHub's IPs ↗](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | 443  | TCP (HTTPS) |

#### `<your-team-name>.cloudflareaccess.com`

Allows `cloudflared` to validate the Access JWT. Only required if the [access ↗](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#access) setting is enabled.

| IPv4                        | IPv6                                                | Port | Protocols   |
| --------------------------- | --------------------------------------------------- | ---- | ----------- |
| 104.19.194.29 104.19.195.29 | 2606:4700:300a::6813:c31d 2606:4700:300a::6813:c21d | 443  | TCP (HTTPS) |

#### `pqtunnels.cloudflareresearch.com`

Allows `cloudflared` to report [post-quantum key exchange ↗](https://blog.cloudflare.com/post-quantum-tunnel/) errors to Cloudflare.

| IPv4                    | IPv6                                    | Port | Protocols   |
| ----------------------- | --------------------------------------- | ---- | ----------- |
| 104.18.4.64 104.18.5.64 | 2606:4700::6812:540 2606:4700::6812:440 | 443  | TCP (HTTPS) |

#### `cfd-features.argotunnel.com`

| IPv4           | IPv6           | Port           | Protocols      |
| -------------- | -------------- | -------------- | -------------- |
| Not applicable | Not applicable | Not applicable | Not applicable |

Performing a DNS query for a `TXT` record to this hostname allows `cloudflared` to determine which version of [UDP datagram](https://developers.cloudflare.com/changelog/2025-07-15-udp-improvements/) to use when connecting via the `quic` protocol. If your firewall filters egress DNS queries by FQDN, you may need to allow queries for this domain to ensure optimal `quic` performance.

## Firewall configuration

### Cloud VM firewall

If you host your services on a virtual machine (VM) instance in a cloud provider, you may set up instance-level firewall rules to block all ingress traffic and allow only egress traffic. For example, on Google Cloud Platform (GCP), you may delete all ingress rules, leaving only the relevant egress rules. This is because GCP's firewall denies ingress traffic unless it matches an explicit rule.

### OS firewall

Alternatively, you may use operating system (OS)-level firewall rules to block all ingress traffic and allow only egress traffic. For example, if your server runs on Linux, you may use `iptables` to set up firewall rules:

1. Check your current firewall rules.  
```  
sudo iptables -L  
```
2. Allow `localhost` to communicate with itself.  
```  
sudo iptables -A INPUT -i lo -j ACCEPT  
```
3. Allow established connections and related traffic, so that replies to the connections `cloudflared` opens are accepted.  
```  
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  
```
4. Allow new SSH connections. If you manage the host only through Cloudflare Tunnel, you can omit this rule once you have confirmed that SSH through the tunnel works; otherwise restrict it to your management addresses with `-s <CIDR>`.  
```  
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT  
```
5. Drop all other ingress traffic.  
Warning  
Be very careful with the following command. If you did not preserve the current SSH connection or allow new SSH connections, you will be logged out and unable to SSH back into the system.  
```  
sudo iptables -A INPUT -j DROP  
```
6. After setting the firewall rules, check the current `iptables` settings:  
```  
sudo iptables -L  
```
7. Run your tunnel and check that all configured services are still accessible to the outside world via the tunnel, but not via the external IP address of the server.
8. By default, rules you add via the `iptables` command are stored only in memory and do not persist on reboot. There are many different ways to save and reload your firewall rules, depending on your Linux distribution. For example, on Debian you can use the [iptables-persistent ↗](https://packages.debian.org/sid/iptables-persistent) package:  
```  
sudo apt install iptables-persistent  
sudo netfilter-persistent save  
```

These rules apply to IPv4 only. If the server also has a public IPv6 address, repeat the same steps with `ip6tables`; `netfilter-persistent save` stores both rule sets.
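The steps above lock down ingress but leave egress open. The following added example (not from the Cloudflare docs) goes one step further and writes a complete IPv4 ruleset in `iptables-restore` format that also restricts egress to what this page lists: port `7844` to the `region1`/`region2` addresses, DNS to one resolver and, optionally, port `443` to the `api.cloudflare.com` and `update.argotunnel.com` addresses. The resolver address, the management CIDR and the function names are assumptions of the example; the `--region us`, FedRAMP and `github.com` destinations are deliberately left out, so add them if you use those features.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloudflare docs: generate an iptables-restore
# ruleset for the positive security model described above, IPv4 only
# (cloudflared connects over IPv4 by default; a host with a public IPv6 address
# needs the same rules for ip6tables-restore). Ingress is limited to loopback,
# replies and SSH; egress to DNS, port 7844 to the documented edge addresses and,
# optionally, port 443 to the documented update endpoints. Everything else is
# dropped and logged.
set -eu

# Edge addresses from the region1.v2 and region2.v2 tables on this page.
REGION_IPS="
198.41.192.167 198.41.192.67 198.41.192.57 198.41.192.107 198.41.192.27
198.41.192.7 198.41.192.227 198.41.192.47 198.41.192.37 198.41.192.77
198.41.200.13 198.41.200.193 198.41.200.33 198.41.200.233 198.41.200.53
198.41.200.63 198.41.200.113 198.41.200.73 198.41.200.43 198.41.200.23
"
# Optional update-check endpoints: api.cloudflare.com and update.argotunnel.com.
# github.com (release downloads) is not included, so auto-update stays disabled.
UPDATE_IPS="
104.19.192.29 104.19.192.177 104.19.192.175 104.19.193.29 104.19.192.174 104.19.192.176
104.18.25.129 104.18.24.129
"

# build_ruleset RESOLVER_IP [ADMIN_CIDR]
# Prints an iptables-restore file. RESOLVER_IP is the DNS server cloudflared may
# query (an assumption; take it from /etc/resolv.conf on the real host).
# ADMIN_CIDR limits inbound SSH and defaults to anywhere, like step 4 above.
build_ruleset() {
  local resolver="$1" admin="${2:-0.0.0.0/0}" ip
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'   # this host does not route; change if it runs containers
  echo ':OUTPUT DROP [0:0]'
  # loopback and replies to connections the host opened itself
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A OUTPUT -o lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
  echo '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
  # management access; without it you lock yourself out (see the warning above)
  echo "-A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  # name resolution for the argotunnel.com hostnames (TXT lookups included)
  echo "-A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT"
  echo "-A OUTPUT -p tcp -d $resolver --dport 53 -j ACCEPT"
  # tunnel transport: quic (UDP) and http2 (TCP) on 7844
  for ip in $REGION_IPS; do
    echo "-A OUTPUT -p udp -d $ip --dport 7844 -j ACCEPT"
    echo "-A OUTPUT -p tcp -d $ip --dport 7844 -j ACCEPT"
  done
  # optional: update checks over HTTPS
  for ip in $UPDATE_IPS; do
    echo "-A OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT"
  done
  # log (rate limited) what the default policy drops, so a missing destination is visible
  echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ingress-drop: "'
  echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
  echo 'COMMIT'
}

# count_rules RULESET PATTERN : number of lines in RULESET matching PATTERN
count_rules() {
  printf '%s\n' "$1" | grep -c -- "$2" || true
}

# Print the ruleset for review. On the host, as root:
#   build_ruleset 10.0.0.2 203.0.113.0/24 > /etc/iptables/rules.v4
#   iptables-restore --test /etc/iptables/rules.v4 && iptables-restore /etc/iptables/rules.v4
build_ruleset "${1:-10.0.0.2}" "${2:-0.0.0.0/0}"
```

Review the output before loading it: `iptables-restore --test` parses without applying, and `/etc/iptables/rules.v4` is the file `iptables-persistent` reloads at boot. With `OUTPUT` defaulting to `DROP`, anything else the host needs (package repositories, NTP, monitoring) requires its own rule, and the `egress-drop:` log lines tell you what you missed.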

## Test connectivity

### Test with dig

To test your connectivity to Cloudflare, you can use the `dig` command to query the hostnames listed above. Note that `cloudflared` defaults to connecting with IPv4.

```
dig A region1.v2.argotunnel.com
```

```
;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.167
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.67
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.57
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.107
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.27
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.7
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.227
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.47
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.37
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.77
...
```

```
dig AAAA region1.v2.argotunnel.com
```

```
...
;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::1
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::2
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::3
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::4
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::5
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::6
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::7
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::8
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::9
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::10
...
```

```
dig A region2.v2.argotunnel.com
```

```
;; ANSWER SECTION:
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.13
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.193
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.33
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.233
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.53
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.63
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.113
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.73
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.43
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.23
...
```

```
dig AAAA region2.v2.argotunnel.com
```

```
...
;; ANSWER SECTION:
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::1
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::2
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::3
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::4
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::5
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::6
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::7
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::8
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::9
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::10
...
```
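A scripted version of the checks above, as an added example that is not part of the Cloudflare docs: it resolves both default-region hostnames, compares every answer against the address tables on this page, and probes TCP `7844`. The `DOC_REGION1`/`DOC_REGION2` constants copy the tables above; the function names and the `--live` switch are assumptions of the example. It runs the network checks only when invoked as `./precheck.sh --live`.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloudflare docs: a pre-flight check for a host
# whose firewall allowlists the edge addresses by IP. It resolves the two
# default-region hostnames, flags any answer that is missing from the address
# tables above (a stale allowlist or an unexpected resolver answer would both
# show up here), and probes TCP 7844, which is the http2 transport. UDP 7844
# (quic) cannot be confirmed with a plain connect, so it is only reported as
# untested. The live run needs dig, timeout and bash.
set -eu

# Documented A records for the two default regions (from the tables above).
DOC_REGION1="198.41.192.167 198.41.192.67 198.41.192.57 198.41.192.107 198.41.192.27
198.41.192.7 198.41.192.227 198.41.192.47 198.41.192.37 198.41.192.77"
DOC_REGION2="198.41.200.13 198.41.200.193 198.41.200.33 198.41.200.233 198.41.200.53
198.41.200.63 198.41.200.113 198.41.200.73 198.41.200.43 198.41.200.23"

# unexpected_ips "RESOLVED..." "DOCUMENTED..." : prints each resolved address
# that is absent from the documented list, space separated; empty when all match
unexpected_ips() {
  local resolved="$1" documented="$2" ip d known out=""
  for ip in $resolved; do
    known=0
    for d in $documented; do
      if [ "$ip" = "$d" ]; then known=1; break; fi
    done
    if [ "$known" -eq 0 ]; then out="$out$ip "; fi
  done
  printf '%s' "${out% }"
}

# resolve_a HOST : A records only, space separated (CNAME targets are skipped)
resolve_a() {
  dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tr '\n' ' ' || true
}

# tcp_probe HOST PORT [TIMEOUT] : succeeds if a TCP connection can be opened
tcp_probe() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

precheck() {
  local host docs got bad
  for host in region1.v2.argotunnel.com region2.v2.argotunnel.com; do
    case "$host" in region1*) docs="$DOC_REGION1" ;; *) docs="$DOC_REGION2" ;; esac
    got="$(resolve_a "$host")"
    if [ -z "$got" ]; then
      echo "FAIL $host: no A records (is DNS egress allowed?)"; continue
    fi
    bad="$(unexpected_ips "$got" "$docs")"
    if [ -n "$bad" ]; then
      echo "WARN $host resolved to addresses not in the documented table: $bad"
    fi
    if tcp_probe "$host" 7844; then
      echo "OK   $host tcp/7844 reachable (http2 transport)"
    else
      echo "FAIL $host tcp/7844 blocked"
    fi
    echo "INFO $host udp/7844 (quic) not tested; watch firewall logs after starting cloudflared"
  done
}

# Live checks only on request, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then precheck; fi
```

A `WARN` line means the IP allowlist and the DNS answer disagree; update the allowlist from the current tables before trusting a `FAIL` on the port probe. Because `cloudflared` defaults to IPv4, the script checks A records only.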

### Test with PowerShell

On Windows, you can use PowerShell commands if `dig` is not available.

To test DNS:

```
Resolve-DnsName -Name _v2-origintunneld._tcp.argotunnel.com SRV
```

```
Name                                     Type   TTL   Section    NameTarget                     Priority Weight Port
----                                     ----   ---   -------    ----------                     -------- ------ ----
_v2-origintunneld._tcp.argotunnel.com    SRV    112   Answer     region2.v2.argotunnel.com      2        1      7844
_v2-origintunneld._tcp.argotunnel.com    SRV    112   Answer     region1.v2.argotunnel.com      1        1      7844
```

To test ports (`Test-NetConnection`, aliased `tnc`, only tests TCP, so a successful result confirms the `http2` path but says nothing about `quic` over UDP):

```
tnc region1.v2.argotunnel.com -port 443
```

```
ComputerName     : region1.v2.argotunnel.com
RemoteAddress    : 198.41.192.227
RemotePort       : 443
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.2.15
TcpTestSucceeded : True
```

```
tnc region1.v2.argotunnel.com -port 7844
```

```
ComputerName     : region1.v2.argotunnel.com
RemoteAddress    : 198.41.192.227
RemotePort       : 7844
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.2.15
TcpTestSucceeded : True
```


---

---
title: Ansible
description: Ansible in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Ansible

Ansible is a software tool that enables at scale management of infrastructure. Ansible is agentless — all it needs to function is the ability to SSH to the target and Python installed on the target.

Ansible works alongside Terraform to streamline the Cloudflare Tunnel setup process. In this guide, you will use Terraform to deploy an SSH server on Google Cloud and create a [remotely-managed tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions/) that makes the server available over the Internet. Terraform will automatically run an Ansible playbook that installs `cloudflared` on the server and runs it with the tunnel token.

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

## Prerequisites

To complete the steps in this guide, you will need:

* [A Google Cloud Project ↗](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating%5Fa%5Fproject) and [GCP CLI installed and authenticated ↗](https://cloud.google.com/sdk/docs/install).
* [Basic knowledge of Terraform](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/terraform/) and [Terraform installed](https://developer.hashicorp.com/terraform/tutorials/certification-associate-tutorials/install-cli).
* [A zone on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/).
* [A Cloudflare API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with `Cloudflare Tunnel` and `DNS` permissions.

## 1\. Install Ansible

Refer to the [Ansible installation instructions ↗](https://docs.ansible.com/ansible/latest/installation%5Fguide/index.html).

## 2\. (Optional) Create an SSH key pair

Terraform and Ansible require an unencrypted SSH key to connect to the GCP server. If you do not already have a key, you can generate one as follows:

1. Open a terminal and type the following command:  
```  
ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C <username in GCP>  
```
2. When prompted for a passphrase, press the `Enter` key twice to leave it blank. Terraform cannot decode encrypted private keys.

Two files will be generated: `gcp_ssh` which contains the private key, and `gcp_ssh.pub` which contains the public key.

## 3\. Create a configuration directory

1. Create a folder for your Terraform and Ansible configuration files:  
```  
mkdir ansible-tunnel  
```
2. Change to the new directory:  
```  
cd ansible-tunnel  
```

## 4\. Create Terraform configuration files

### Define input variables

The following variables will be passed into your GCP and Cloudflare configuration.

1. In your configuration directory, create a `.tf` file:  
```  
touch variables.tf  
```
2. Open the file in a text editor and copy and paste the following:  
```  
# GCP variables  
variable "gcp_project_id" {  
  description = "Google Cloud Platform (GCP) project ID"  
  type        = string  
}  
variable "zone" {  
  description = "Geographical zone for the GCP VM instance"  
  type        = string  
}  
variable "machine_type" {  
  description = "Machine type for the GCP VM instance"  
  type        = string  
}  
# Cloudflare variables  
variable "cloudflare_zone" {  
  description = "Domain used to expose the GCP VM instance to the Internet"  
  type        = string  
}  
variable "cloudflare_zone_id" {  
  description = "Zone ID for your domain"  
  type        = string  
}  
variable "cloudflare_account_id" {  
  description = "Account ID for your Cloudflare account"  
  type        = string  
  sensitive   = true  
}  
variable "cloudflare_email" {  
  description = "Email address for your Cloudflare account"  
  type        = string  
  sensitive   = true  
}  
variable "cloudflare_token" {  
  description = "Cloudflare API token"  
  type        = string  
  sensitive   = true  
}  
```

### Assign values to the variables

1. In your configuration directory, create a `.tfvars` file:  
```  
touch terraform.tfvars  
```  
Terraform automatically loads variable values from a file named `terraform.tfvars`; a file with any other name must be passed in explicitly with `-var-file`.
2. Add the following variables to `terraform.tfvars`. Be sure to modify the example with your own values.  
```  
cloudflare_zone           = "example.com"  
cloudflare_zone_id        = "023e105f4ecef8ad9ca31a8372d0c353"  
cloudflare_account_id     = "372e67954025e0ba6aaa6d586b9e0b59"  
cloudflare_email          = "user@example.com"  
cloudflare_token          = "y3AalHS_E7Vabk3c3lX950F90_Xl7YtjSlzyFn_X"  
gcp_project_id            = "testvm-123"  
zone                      = "us-central1-a"  
machine_type              = "e2-medium"  
```

Warning

To prevent accidentally exposing sensitive credentials, do not save `terraform.tfvars` in your version control system. For example, if your version control is git, add `terraform.tfvars` to your `.gitignore` file.

### Configure Terraform providers

You will need to declare the [providers ↗](https://registry.terraform.io/browse/providers) used to provision the infrastructure.

1. In your configuration directory, create a `.tf` file:  
```  
touch providers.tf  
```
2. Add the following providers to `providers.tf`. The `random` provider is used to generate a tunnel secret.  
```  
terraform {  
  required_providers {  
    cloudflare = {  
      source = "cloudflare/cloudflare"  
      version = ">= 5.8.2"  
    }  
    google = {  
      source = "hashicorp/google"  
    }  
  }  
  required_version = ">= 1.2"  
}  
# Providers  
provider "cloudflare" {  
  api_token    = var.cloudflare_token  
}  
provider "google" {  
  project    = var.gcp_project_id  
}  
provider "random" {  
}  
```

### Configure Cloudflare resources

The following configuration will modify settings in your Cloudflare account.

1. In your configuration directory, create a `.tf` file:  
```  
touch Cloudflare-config.tf  
```
2. Add the following resources to `Cloudflare-config.tf`:  
```  
# Creates a new remotely-managed tunnel for the GCP VM.  
resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" {  
  account_id    = var.cloudflare_account_id  
  name          = "Ansible GCP tunnel"  
  config_src    = "cloudflare"  
}  
# Reads the token used to run the tunnel on the server.  
data "cloudflare_zero_trust_tunnel_cloudflared_token" "gcp_tunnel_token" {  
  account_id   = var.cloudflare_account_id  
  tunnel_id   = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id  
}  
# Creates the CNAME record that routes http_app.${var.cloudflare_zone} to the tunnel.  
resource "cloudflare_dns_record" "http_app" {  
  zone_id = var.cloudflare_zone_id  
  name    = "http_app"  
  content = "${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id}.cfargotunnel.com"  
  type    = "CNAME"  
  ttl     = 1  
  proxied = true  
}  
# Configures tunnel with a published application for clientless access.  
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {  
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id  
  account_id = var.cloudflare_account_id  
  config     = {  
    ingress   = [  
      {  
        hostname = "http_app.${var.cloudflare_zone}"  
        service  = "http://localhost:80"  
      },  
      {  
        service  = "http_status:404"  
      }  
    ]  
  }  
}  
```

### Configure GCP resources

The following configuration defines the specifications for the GCP virtual machine and installs Python3 on the machine. Python3 allows Ansible to configure the GCP instance instead of having to run a [startup script](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/terraform/#create-a-startup-script) on boot.

1. In your configuration directory, create a `.tf` file:  
```  
touch GCP-config.tf  
```
2. Open the file in a text editor and copy and paste the following example. Be sure to insert your own GCP username and SSH key pair. Note that `ANSIBLE_HOST_KEY_CHECKING=False` in the `local-exec` provisioner disables SSH host key verification for the playbook run, because the new VM's host key is not yet known, and the `remote-exec` connection below does not verify it either (Terraform only does so when `host_key` is set). Accept this only for initial provisioning over a network you trust.  
```  
# Selects the OS for the GCP VM.  
data "google_compute_image" "image" {  
  family  = "ubuntu-2204-lts"  
  project = "ubuntu-os-cloud"  
}  
# Sets up a GCP VM instance.  
resource "google_compute_instance" "http_server" {  
  name         = "ansible-inst"  
  machine_type = var.machine_type  
  zone         = var.zone  
  tags         = []  
  boot_disk {  
    initialize_params {  
      image = data.google_compute_image.image.self_link  
    }  
  }  
  network_interface {  
    network = "default"  
    access_config {  
      // Ephemeral IP  
    }  
  }  
  scheduling {  
    preemptible       = true  
    automatic_restart = false  
  }  
  // Installs Python3 on the VM so that Ansible can manage it.  
  provisioner "remote-exec" {  
    inline = [  
      "sudo apt update", "sudo apt install python3 -y", "echo Done!"  
    ]  
    connection {  
      host        = self.network_interface.0.access_config.0.nat_ip  
      user        = "<username in GCP>"  
      type        = "ssh"  
      private_key = file("<path to private key>")  
    }  
  }  
  // Runs the Ansible playbook against the new VM over SSH.  
  provisioner "local-exec" {  
    command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u <username in GCP> --private-key <path to private key> -i ${self.network_interface.0.access_config.0.nat_ip}, playbook.yml"  
  }  
  metadata = {  
    cf-email = var.cloudflare_email  
    cf-zone  = var.cloudflare_zone  
    ssh-keys = "<username in GCP>:${file("<path to public key>")}"  
  }  
  depends_on = [  
    local_file.tf_ansible_vars_file  
  ]  
}  
```

### Export variables to Ansible

The following Terraform resource exports the [tunnel token](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions/) and other variables to `tf_ansible_vars_file.yml`. Ansible will use the tunnel token to configure and run `cloudflared` on the server. The token is a credential: anyone who holds it can run a connector for this tunnel, so treat the generated file, and the Terraform state that also records it, as secrets.
1. In your configuration directory, create a new `tf` file:  
Terminal window  
```  
touch export.tf  
```
2. Copy and paste the following content into `export.tf`:  
```  
resource "local_file" "tf_ansible_vars_file" {  
  content = <<-DOC  
    # Ansible vars_file containing variable values from Terraform.  
    tunnel_id: ${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id}  
    tunnel_name: ${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.name}  
    tunnel_token: ${data.cloudflare_zero_trust_tunnel_cloudflared_token.gcp_tunnel_token.token}  
    DOC  
  filename        = "./tf_ansible_vars_file.yml"  
  # The file holds the tunnel token; restrict it to the current user  
  # (the local provider's default file permission is 0777).  
  file_permission = "0600"  
}  
```

## 5\. Create the Ansible playbook

Ansible playbooks are YAML files that declare the configuration Ansible will deploy.

1. Create a new `.yml` file:  
Terminal window  
```  
touch playbook.yml  
```
2. Open the file in a text editor and copy and paste the following content:

```
---
- hosts: all
  become: yes

  # Import the tunnel variables written by Terraform (export.tf).
  vars_files:
    - ./tf_ansible_vars_file.yml

  # Execute the following tasks on the VM.
  tasks:
    - name: Download the cloudflared Linux package.
      get_url:
        url: https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
        dest: /tmp/cloudflared-linux-amd64.deb
        mode: "0644"

    - name: Install the cloudflared package.
      apt:
        deb: /tmp/cloudflared-linux-amd64.deb

    - name: Install the tunnel as a systemd service.
      # The token is a credential: no_log keeps it out of the Ansible output,
      # and `creates` makes the task a no-op if the service is already installed.
      shell: "cloudflared service install {{ tunnel_token }}"
      args:
        creates: /etc/systemd/system/cloudflared.service
      no_log: true

    - name: Start the tunnel.
      systemd:
        name: cloudflared
        state: started
        enabled: true
        masked: no

    - name: Deploy an example Apache web server on port 80.
      apt:
        name: apache2
        state: present
        update_cache: yes

    - name: Edit the default Apache index file.
      copy:
        dest: /var/www/html/index.html
        content: |
          <!DOCTYPE html>
          <html>
          <body>
            <h1>Hello Cloudflare!</h1>
            <p>This page was created for a Cloudflare demo.</p>
          </body>
          </html>
```

[Keywords ↗](https://docs.ansible.com/ansible/latest/reference%5Fappendices/playbooks%5Fkeywords.html#play) define how Ansible will execute the configuration. In the example above, the `vars_files` keyword specifies where variable definitions are stored, and the `tasks` keyword specifies the actions Ansible will perform.

[Modules ↗](https://docs.ansible.com/ansible/2.9/user%5Fguide/modules.html) specify what tasks to complete. In this example, the `copy` module creates a file and populates it with content.

## 6\. Deploy the configuration

Once you have created the configuration files, you can deploy them through Terraform. The Ansible deployment happens within the Terraform deployment when the `ansible-playbook` command is run.

1. Initialize your configuration directory:  
Terminal window  
```  
terraform init  
```
2. (Optional) Preview everything that will be created:  
Terminal window  
```  
terraform plan  
```
3. Deploy the configuration:  
Terminal window  
```  
terraform apply  
```
It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel in the [Cloudflare dashboard](https://dash.cloudflare.com/) under **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.

## 7\. Test the connection

To test, open a browser and go to `http://http_app.<CLOUDFLARE_ZONE>` (for example, `http://http_app.example.com`). You should see the **Hello Cloudflare!** test page.


---

---
title: AWS
description: AWS in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# AWS

This guide covers how to connect an Amazon Web Services (AWS) virtual machine to Cloudflare using our lightweight connector, `cloudflared`.

We will deploy:

* An EC2 virtual machine that runs a basic HTTP server.
* A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address.

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

### Prerequisites

To complete the following procedure, you will need to:

* [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
* [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) on an end-user device

## 1\. Create a VM instance in AWS

1. From the AWS console, go to **Compute** \> **EC2** \> **Instances**
2. Select **Launch instance**.
3. Name your VM instance. In this example we will name it `http-test-server`.
4. For **Amazon Machine Image (AMI)**, choose your desired operating system and specifications. For this example, we will use _Ubuntu Server 24.04 LTS (HVM), SSD Volume Type_.
5. For **Instance type**, you can select _t2.micro_, which is available on the free tier.
6. In **Key pair (login)**, create a new key pair to use for SSH. You will need to download the `.pem` file onto your local machine.
7. In **Network settings**, select **Create security group**.
8. Turn on the following Security Group rules:  
   * **Allow SSH traffic from _My IP_** to prevent the instance from being publicly accessible.  
   * **Allow HTTPS traffic from the internet**  
   * **Allow HTTP traffic from the internet**
9. Select **Launch instance**.
10. Once the instance is up and running, go to the **Instances** summary page and copy its **Public IPv4 DNS** hostname (for example, `ec2-44-202-59-16.compute-1.amazonaws.com`).
11. To log in to the instance over SSH, open a terminal and run the following commands. The `chmod 400` step restricts the private key to your user; `ssh` refuses to use a key that other users can read.  
Terminal window  
```  
cd Downloads  
chmod 400 "YourKeyPair.pem"  
ssh -i "YourKeyPair.pem" ubuntu@ec2-44-202-59-16.compute-1.amazonaws.com  
```
12. Run `sudo su` to gain full admin rights to the instance.
13. For testing purposes, you can deploy a basic Apache web server on port `80`:  
Terminal window  
```  
apt update  
apt -y install apache2  
cat <<EOF > /var/www/html/index.html  
<html><body><h1>Hello Cloudflare!</h1>  
<p>This page was created for a Cloudflare demo.</p>  
</body></html>  
EOF  
```
14. To verify that the Apache server is running, open a browser and go to `http://ec2-44-202-59-16.compute-1.amazonaws.com` (make sure to connect over `http`, not `https`). You should see the **Hello Cloudflare!** test page.

## 2\. Create a Cloudflare Tunnel

Create a Cloudflare Tunnel in Cloudflare One and run the tunnel on the AWS instance.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **Create a tunnel**.
3. Choose **Cloudflared** for the connector type and select **Next**.
4. Enter a name for your tunnel (for example, `aws-tunnel`).
5. Select **Save tunnel**.
6. Under **Choose your environment**, select **Debian**. Copy the command shown in the dashboard and run it on your AWS instance.
7. Once the command has finished running, your connector will appear in Cloudflare One.
8. Select **Next**.

## 3\. Connect using a public hostname

[Published applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) allow anyone on the Internet to connect to HTTP resources hosted on your virtual private cloud (VPC). To add a published application for your Cloudflare Tunnel:

1. In the **Published application routes** tab, enter a hostname for the application (for example, `hellocloudflare.<your-domain>.com`).
2. Under **Service**, enter `http://localhost:80`.
3. Select **Save**.
4. To test, open a browser and go to `http://hellocloudflare.<your-domain>.com`. You should see the **Hello Cloudflare!** test page.

You can optionally [create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to control who can access the service.

## 4\. Connect using a private IP

[Private network routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) allow users to connect to your virtual private cloud (VPC) using the Cloudflare One Client. To add a private network route for your Cloudflare Tunnel:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Routes**.
2. In the **CIDR** tab, enter the **Private IP address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
3. In your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through the Cloudflare One Client. For example, if you are using Split Tunnels in **Exclude** mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.  
To determine which IP addresses to re-add, subtract your AWS instance IPs from `172.16.0.0/12` and add the resulting CIDRs back to your Split Tunnel Exclude mode list.
4. To test on a user device:  
   1. [Log in to the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/).  
   2. Open a terminal window and connect to the service using its private IP:  
Terminal window  
```  
curl 172.31.19.0  
```  
```  
<html><body><h1>Hello Cloudflare!</h1>  
<p>This page was created for a Cloudflare demo.</p>  
</body></html>  
```

You can optionally [create Gateway network policies](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the AWS instance via its private IP.

Warning

Avoid configuring your [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) or [Resolver Policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver.

Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution. This can break AWS Console features for users on the Cloudflare One Client.

Only route specific Route 53 zones, or VPC Endpoints (such as `vpce.amazonaws.com`), through the internal VPC resolver.

## Firewall configuration

To secure your AWS instance, you can configure your [Security Group rules ↗](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules.

Note

If you delete the inbound rule for port `22`, you will be unable to SSH back into the instance.

After configuring your Security Group rules, verify that you can still access the service through Cloudflare Tunnel via its [public hostname](#3-connect-using-a-public-hostname) or [private IP](#4-connect-using-a-private-ip). The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to `http://ec2-44-202-59-16.compute-1.amazonaws.com` the test page should no longer load.


---

---
title: Azure
description: Azure in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Azure

This guide covers how to connect an Azure Virtual Machine to Cloudflare using our lightweight connector, `cloudflared`.

We will deploy:

* An Azure VM that runs a basic HTTP server.
* A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address.

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

### Prerequisites

To complete the following procedure, you will need to:

* [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
* [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) on an end-user device

## 1\. Create a VM instance in Azure

1. In the Azure portal, go to **Virtual Machines** \> **Create** \> **Azure virtual machine**.
2. Select a **Resource group** or create a new one.  
![Azure group](https://developers.cloudflare.com/_astro/azure-1.f9lJ2gl2_Z9H61D.webp)
3. Enter a name for the VM and select a region. For **Image**, select _Ubuntu Server 24.04 LTS_. For **Size**, select an appropriate size (for example, _Standard\_B1s_).
4. Under **Administrator account**, select **SSH public key** and enter your key pair.  
![Azure keypair](https://developers.cloudflare.com/_astro/azure-2.TRbZo2Tb_28kqwy.webp)
5. Under **Inbound port rules**, allow SSH (`22`). For testing purposes, also allow HTTP (`80`) and HTTPS (`443`).  
![Azure ports](https://developers.cloudflare.com/_astro/azure-3.MZiED3ci_1bszbc.webp)
6. Select **Review + create**, then **Create**.
7. Once the VM is running, copy its **Public IP address** from the VM overview page. Also record the **Private IP address**; a new Azure virtual network is created by default with an address space inside `10.0.0.0/8`.
8. SSH into the instance:  
Terminal window  
```  
ssh -i "your-key.pem" azureuser@<PUBLIC_IP>  
```
9. Run `sudo su` to gain full admin rights to the VM.
10. For testing purposes, you can deploy a basic Apache web server on port `80`:  
Terminal window  
```  
apt update  
apt -y install apache2  
cat <<EOF > /var/www/html/index.html  
<html><body><h1>Hello Cloudflare!</h1>  
<p>This page was created for a Cloudflare demo.</p>  
</body></html>  
EOF  
```
11. To verify that the Apache server is running, open a browser and go to `http://<PUBLIC_IP>` (make sure to connect over `http`, not `https`). You should see the **Hello Cloudflare!** test page.

## 2\. Create a Cloudflare Tunnel

Create a Cloudflare Tunnel in Cloudflare One and run the tunnel on the Azure VM.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **Create a tunnel**.
3. Choose **Cloudflared** for the connector type and select **Next**.
4. Enter a name for your tunnel (for example, `azure-tunnel`).
5. Select **Save tunnel**.
6. Under **Choose your environment**, select **Debian**. Copy the command shown in the dashboard and run it on your Azure VM.
7. Once the command has finished running, your connector will appear in Cloudflare One.
8. Select **Next**.

## 3\. Connect using a public hostname

[Published applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) allow anyone on the Internet to connect to HTTP resources hosted on your virtual private cloud (VPC). To add a published application for your Cloudflare Tunnel:

1. In the **Published application routes** tab, enter a hostname for the application (for example, `hellocloudflare.<your-domain>.com`).
2. Under **Service**, enter `http://localhost:80`.
3. Select **Save**.
4. To test, open a browser and go to `http://hellocloudflare.<your-domain>.com`. You should see the **Hello Cloudflare!** test page.

You can optionally [create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to control who can access the service.

## 4\. Connect using a private IP

[Private network routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) allow users to connect to your Azure Virtual Network (VNet) using the Cloudflare One Client. To add a private network route for your Cloudflare Tunnel:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Routes**.
2. In the **CIDR** tab, enter the **Private IP address** of your Azure VM (for example, `10.0.0.4`). You can expand the IP range later if necessary.
3. In your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through the Cloudflare One Client. For example, if you are using Split Tunnels in **Exclude** mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your Azure VM.  
To determine which IP addresses to re-add, subtract your Azure VM IPs from `10.0.0.0/8` and add the resulting CIDRs back to your Split Tunnel Exclude mode list.
4. To test on a user device:  
   1. [Log in to the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/).  
   2. Open a terminal window and connect to the service using its private IP:  
Terminal window  
```  
curl 10.0.0.4  
```  
```  
<html><body><h1>Hello Cloudflare!</h1>  
<p>This page was created for a Cloudflare demo.</p>  
</body></html>  
```

You can optionally [create Gateway network policies](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the Azure VM via its private IP.

## Firewall configuration

To secure your Azure VM, you can configure your [Network Security Group (NSG) ↗](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All NSG rules are evaluated by priority; traffic that does not match an allow rule is blocked by the default deny rules. Therefore, you can delete all custom inbound rules and leave only the relevant outbound rules.

Note

If you delete the inbound rule for port `22`, you will be unable to SSH back into the VM.

After configuring your NSG rules, verify that you can still access the service through Cloudflare Tunnel via its [public hostname](#3-connect-using-a-public-hostname) or [private IP](#4-connect-using-a-private-ip). The service should no longer be accessible from outside Cloudflare Tunnel — for example, direct access to the VM's public IP should no longer work.


---

---
title: GCP
description: GCP in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# GCP

This guide covers how to connect a Google Cloud Platform (GCP) virtual machine to Cloudflare using our lightweight connector, `cloudflared`.

We will deploy:

* A Google Cloud Platform (GCP) virtual machine that runs a basic HTTP server.
* A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address.

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

### Prerequisites

To complete the following procedure, you will need to:

* [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
* [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) on an end-user device

## 1\. Create a VM instance in GCP

1. In your [Google Cloud Console ↗](https://console.cloud.google.com/), [create a new project ↗](https://developers.google.com/workspace/guides/create-project).
2. Go to **Compute Engine** \> **VM instances**.
3. Select **Create instance**.
4. Name your VM instance. In this example we will name it `http-test-server`.
5. Choose your desired operating system and specifications. For this example, you can use the following settings:  
   * **Machine family:** General Purpose  
   * **Series:** E2  
   * **Machine type:** e2-micro  
   * **Boot disk image:** Debian GNU/Linux 12  
   * **Firewalls**: Allow HTTP and HTTPS traffic
6. Under **Advanced options** \> **Management** \> **Automation**, add the following startup script. This example deploys a basic Apache web server on port `80`.  
```  
#!/bin/bash  
apt update  
apt -y install apache2  
cat <<EOF > /var/www/html/index.html  
<html><body><h1>Hello Cloudflare!</h1>  
<p>This page was created for a Cloudflare demo.</p>  
</body></html>  
EOF  
```
7. Select **Create**.
8. The operating system automatically starts the Apache HTTP server. To verify that the server is running:  
   1. Copy the **External IP** for the VM instance.  
   2. Open a browser and go to `http://<EXTERNAL IP>`. You should see the **Hello Cloudflare!** test page.
9. To log in to the VM instance, open the dropdown next to **SSH** and select _Open in browser window_.

## 2\. Create a Cloudflare Tunnel

Create a Cloudflare Tunnel in Cloudflare One and run the tunnel on the GCP VM.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **Create a tunnel**.
3. Choose **Cloudflared** for the connector type and select **Next**.
4. Enter a name for your tunnel (for example, `gcp-tunnel`).
5. Select **Save tunnel**.
6. Under **Choose your environment**, select **Debian**. Copy the command shown in the dashboard and run it on your GCP VM.
7. Once the command has finished running, your connector will appear in Cloudflare One.
8. Select **Next**.

## 3\. Connect using a public hostname

[Published applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) allow anyone on the Internet to connect to HTTP resources hosted on your virtual private cloud (VPC). To add a published application for your Cloudflare Tunnel:

1. In the **Published application routes** tab, enter a hostname for the application (for example, `hellocloudflare.<your-domain>.com`).
2. Under **Service**, enter `http://localhost:80`.
3. Select **Save**.
4. To test, open a browser and go to `http://hellocloudflare.<your-domain>.com`. You should see the **Hello Cloudflare!** test page.

You can optionally [create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to control who can access the service.

## 4\. Connect using a private IP

[Private network routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) allow users to connect to your VPC network using the Cloudflare One Client. To add a private network route for your Cloudflare Tunnel:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Routes**.
2. In the **CIDR** tab, enter the **Private IP address** of your GCP VM (for example, `10.0.0.4`). You can expand the IP range later if necessary.
3. In your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through the Cloudflare One Client. For example, if you are using Split Tunnels in **Exclude** mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.  
To determine which IP addresses to re-add, subtract your GCP VM IPs from `10.0.0.0/8` and add the resulting CIDRs back to your Split Tunnel Exclude mode list.
4. To test on a user device:  
   1. [Log in to the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/).  
   2. Open a terminal window and connect to the service using its private IP:  
Terminal window  
```  
curl 10.0.0.4  
```  
```  
<html><body><h1>Hello Cloudflare!</h1>  
<p>This page was created for a Cloudflare demo.</p>  
</body></html>  
```
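The subtraction in step 3, and the identical step in the AWS and Azure guides, is what keeps the rest of a private range excluded from the client while only the VM's address is routed through it. The following Python is an added example and not Cloudflare's own code: it takes the base range and the routed hosts or subnets, removes them, and returns the collapsed set of CIDRs to put back in the Exclude list. The addresses it uses are the ones from these guides (`172.31.19.0` for AWS, `10.0.0.4` for Azure and GCP); it also handles routing a whole subnet or several hosts, which the guides only mention in passing.

```python
"""Recompute a Split Tunnel Exclude list after routing a private VM.

Added example, not part of the Cloudflare docs. When you delete a whole
private range (10.0.0.0/8, 172.16.0.0/12, ...) from the Exclude list so that
one VM's address is sent through the Cloudflare One Client, the rest of that
range should be excluded again. exclude_list() subtracts the routed hosts or
subnets from the base range and returns the minimal set of CIDRs to re-add.
"""
import ipaddress
from typing import Iterable, List, Sequence


def exclude_list(base_cidr: str, routed: Iterable[str]) -> List[str]:
    """Return the prefixes of base_cidr that do not overlap any routed entry.

    routed entries may be single hosts ("10.0.0.4") or prefixes ("10.0.0.0/24").
    A routed entry outside base_cidr is an error: it was never part of the
    range being removed from the Exclude list.
    """
    base = ipaddress.ip_network(base_cidr, strict=False)
    remaining = [base]
    for item in routed:
        net = ipaddress.ip_network(item, strict=False)
        if net.version != base.version or not net.subnet_of(base):
            raise ValueError(f"{net} is not inside {base}")
        nxt = []
        for piece in remaining:
            if net.subnet_of(piece):
                # address_exclude yields the parts of `piece` not covered by `net`
                # (nothing at all when the two are equal).
                nxt.extend(piece.address_exclude(net))
            elif piece.subnet_of(net):
                continue            # fully covered by the routed prefix: drop it
            else:
                nxt.append(piece)   # disjoint: keep as is
        remaining = nxt
    # collapse_addresses merges adjacent sibling prefixes back together.
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


def covered_by(cidrs: Sequence[str], address: str) -> bool:
    """True if address falls inside any prefix in cidrs (i.e. would stay excluded)."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    # The addresses are the ones used in the AWS (172.31.19.0) and the
    # Azure/GCP (10.0.0.4) guides.
    for base, routed in (("172.16.0.0/12", ["172.31.19.0"]),
                         ("10.0.0.0/8", ["10.0.0.4"])):
        cidrs = exclude_list(base, routed)
        print(f"{base} minus {routed}: {len(cidrs)} prefixes to re-add")
        for c in cidrs:
            print("  ", c)
```

Removing a single /32 from a /12 yields 20 prefixes (one per prefix length from /13 to /32), which is why doing it by hand is error-prone; paste the printed list into the Exclude mode list, and re-run the script whenever you widen the route to a larger subnet.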

You can optionally [create Gateway network policies](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the GCP VM via its private IP.

## Firewall configuration

To secure your VM instance, you can [configure your VPC firewall rules ↗](https://cloud.google.com/firewall/docs/using-firewalls) to deny all ingress traffic and allow only egress traffic to the [Cloudflare Tunnel IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). Since GCP denies ingress traffic by [default ↗](https://cloud.google.com/firewall/docs/firewalls#default%5Ffirewall%5Frules), you can delete all ingress rules and leave only the relevant egress rules.

Note

If you delete the default `allow-ssh` rule, you will be unable to SSH back into the VM.

After configuring your VPC firewall rules, verify that you can still access the service through Cloudflare Tunnel via its [public hostname](#3-connect-using-a-public-hostname) or [private IP](#4-connect-using-a-private-ip). The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to `http://<EXTERNAL IP>` the test page should no longer load.

---

---
title: Kubernetes
description: Kubernetes in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Kubernetes

[Kubernetes ↗](https://kubernetes.io/) is a container orchestration tool that is used to deploy applications onto physical or virtual machines, scale the deployment to meet traffic demands, and push updates without downtime. The Kubernetes cluster, or environment, where the application instances are running is connected internally through a private network. You can install the `cloudflared` daemon inside of the Kubernetes cluster in order to connect applications inside of the cluster to Cloudflare.

This guide will cover how to expose a Kubernetes service to the public Internet using a remotely-managed Cloudflare Tunnel. For the purposes of this example, we will deploy a basic web application alongside `cloudflared` in Google Kubernetes Engine (GKE). The same principles apply to any other Kubernetes environment (such as `minikube`, `kubeadm`, or a cloud-based Kubernetes service) where `cloudflared` can connect to Cloudflare's network.

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

Locally-managed tunnels

If you are looking to set up a locally-managed tunnel in Kubernetes, refer to the [example code in GitHub ↗](https://github.com/cloudflare/argo-tunnel-examples/tree/master/named-tunnel-k8s).

## Architecture

![Diagram showing how a user connects to Kubernetes services through Cloudflare Tunnel](https://developers.cloudflare.com/_astro/kubernetes-tunnel.C8IQcJlu_h8gOW.webp) 

As shown in the diagram, we recommend setting up `cloudflared` as an adjacent [deployment ↗](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) to the application deployments. Having a separate Kubernetes deployment for `cloudflared` allows you to scale `cloudflared` independently of the application. In the `cloudflared` deployment, you can spin up [multiple replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) running the same Cloudflare Tunnel — there is no need to build a dedicated tunnel for each `cloudflared` pod. Each `cloudflared` replica / pod can reach all Kubernetes services in the cluster.

Note

We do not recommend using `cloudflared` in autoscaling setups because downscaling (removing replicas) will break existing user connections to that replica. Additionally, `cloudflared` does not load balance across replicas; replicas are strictly for high availability. To load balance traffic to your nodes, you can use [Cloudflare Load Balancer](https://developers.cloudflare.com/load-balancing/private-network/) or a third-party load balancer.

Once the cluster is connected to Cloudflare, you can configure Cloudflare Tunnel routes to control how `cloudflared` will proxy traffic to services within the cluster. For example, you may wish to publish certain Kubernetes applications to the Internet and restrict other applications to internal Cloudflare One Client users.

## Prerequisites

To complete the following procedure, you will need:

* [A Google Cloud Project ↗](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating%5Fa%5Fproject)
* [A zone on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)

## 1\. Create a GKE cluster

To create a new Kubernetes cluster in Google Cloud:

1. Open [Google Cloud ↗](https://console.cloud.google.com/) and go to **Kubernetes Engine**.
2. In **Clusters**, select **Create**.
3. Name the cluster. In this example, we will name it `cloudflare-tunnel`.
4. (Optional) Choose your desired region and other cluster specifications. For this example, we will use the default specifications.
5. Select **Create**.
6. To connect to the cluster:  
   1. Select the three-dot menu.  
   2. Select **Connect**.  
   3. Select **Run in Cloud Shell** to open a terminal in the browser.  
   4. Select **Authorize**.  
   5. Press `Enter` to run the pre-populated `gcloud` command.  
   6. (Recommended) In the Cloud Shell menu, select **Open Editor** to launch the built-in IDE.
7. In the Cloud Shell terminal, run the following command to check the cluster status:  
Terminal window  
```  
kubectl get all  
```  
```  
NAME                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE  
service/kubernetes   ClusterIP   34.118.224.1   <none>        443/TCP   15m  
```

## 2\. Create pods for the web app

A pod represents an instance of a running process in the cluster. In this example, we will deploy the [httpbin ↗](https://httpbin.org/) application with two pods and make the pods accessible inside the cluster at `httpbin-service:80`.

1. Create a folder for your Kubernetes manifest files:  
Terminal window  
```  
mkdir tunnel-example  
```
2. Change into the directory:  
Terminal window  
```  
cd tunnel-example  
```
3. In the `tunnel-example` directory, create a new file called `httpbin.yaml`. This file defines the Kubernetes deployment for the httpbin app.  
httpbin.yaml  
```  
apiVersion: apps/v1  
kind: Deployment  
metadata:  
  name: httpbin-deployment  
  namespace: default  
spec:  
  replicas: 2  
  selector:  
    matchLabels:  
      app: httpbin  
  template:  
    metadata:  
      labels:  
        app: httpbin  
    spec:  
      containers:  
        - name: httpbin  
          image: kennethreitz/httpbin:latest  
          imagePullPolicy: IfNotPresent  
          ports:  
            - containerPort: 80  
```
4. Create a new `httpbinsvc.yaml` file. This file defines a Kubernetes service that allows other apps in the cluster (such as `cloudflared`) to access the set of httpbin pods. Note that `type: LoadBalancer` also provisions a public external IP in GCP, which exposes httpbin directly to the Internet alongside the tunnel; because `cloudflared` reaches the service through its in-cluster name, `type: ClusterIP` is sufficient if you do not want that direct exposure.  
httpbinsvc.yaml  
```  
apiVersion: v1  
kind: Service  
metadata:  
  name: httpbin-service  
  namespace: default  
spec:  
  type: LoadBalancer  
  selector:  
    app: httpbin  
  ports:  
    - port: 80  
      targetPort: 80  
```
5. Use the following command to run the application inside the cluster:  
Terminal window  
```  
kubectl create -f httpbin.yaml -f httpbinsvc.yaml  
```
6. Check the status of your deployment:  
Terminal window  
```  
kubectl get all  
```  
```  
NAME                                     READY   STATUS    RESTARTS   AGE  
pod/httpbin-deployment-bc6689c5d-b5ftk   1/1     Running   0          79s  
pod/httpbin-deployment-bc6689c5d-cbd9m   1/1     Running   0          79s  
NAME                      TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)        AGE  
service/httpbin-service   LoadBalancer   34.118.225.147   34.75.201.60   80:31967/TCP   79s  
service/kubernetes        ClusterIP      34.118.224.1     <none>         443/TCP        24h  
NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE  
deployment.apps/httpbin-deployment   2/2     2            2           79s  
NAME                                           DESIRED   CURRENT   READY   AGE  
replicaset.apps/httpbin-deployment-bc6689c5d   2         2         2       79s  
```

## 3\. Create a tunnel

To create a Cloudflare Tunnel:

1. Open a new browser tab and log in to the [Cloudflare dashboard](https://dash.cloudflare.com/).
2. Go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
3. Select **Create a tunnel**.
4. Choose **Cloudflared** for the connector type and select **Next**.
5. Enter a name for your tunnel (for example, `gke-tunnel`).
6. Select **Save tunnel**.
7. Under **Choose an environment**, select **Docker**.  
Applications must be packaged into a container image before you can run them in Kubernetes. Therefore, we will use the `cloudflared` Docker container image to deploy the tunnel in Kubernetes.
8. Do not run the installation command. Instead, copy only the token value that follows `--token` in the command; it is a long string of the form `eyJhIjoiNWFiNGU5Z...`. You will need the token for the Kubernetes manifest file, so handle it like any other credential.

Leave the Cloudflare Tunnel browser tab open while we focus on the Kubernetes deployment.

## 4\. Store the tunnel token

`cloudflared` uses a tunnel token to run a remotely-managed Cloudflare Tunnel. You can store the tunnel token in a [Kubernetes secret ↗](https://kubernetes.io/docs/concepts/configuration/secret/). Treat the token as a credential: anyone who can read the Secret can run a connector for this tunnel from any machine, and the base64 encoding of Secret values is not encryption, so restrict `get` and `list` access to Secrets in the namespace with RBAC.

1. In GKE Cloud Shell, create a `tunnel-token.yaml` file with the following content. Make sure to replace `<YOUR_TUNNEL_TOKEN>` with your tunnel token (`eyJhIjoiNWFiNGU5Z...`).  
tunnel-token.yaml  
```  
apiVersion: v1  
kind: Secret  
metadata:  
  name: tunnel-token  
stringData:  
  token: <YOUR_TUNNEL_TOKEN>  
```
2. Create the secret:  
Terminal window  
```  
kubectl create -f tunnel-token.yaml  
```
3. Check the newly created secret:  
Terminal window  
```  
kubectl get secrets  
```  
```  
NAME           TYPE     DATA   AGE  
tunnel-token   Opaque   1      100s  
```
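
As an added example (not from the Cloudflare documentation or from `cloudflared` itself), the Python below decodes a tunnel token, confirms it belongs to the account you intend to deploy into, and renders the Secret manifest with the value base64-encoded under `data` instead of `stringData`. The account ID, tunnel ID and secret it uses are constructed; `make_sample_token` exists only to build that sample in cloudflared's token layout (base64 JSON with `a`, `t` and `s` fields for account, tunnel ID and secret), and the `a` field is what the `eyJhIjoi...` prefix on every real token encodes.

```python
"""Validate a cloudflared tunnel token before committing it to a Kubernetes Secret.

Added example; not part of the Cloudflare documentation or of cloudflared.
The account ID, tunnel ID and secret below are constructed sample values.
"""
import base64
import json
import secrets
import uuid

# Constructed sample identifiers (not real Cloudflare resources).
SAMPLE_ACCOUNT_ID = "5ab4e9f0d1c2b3a4958677869504a3b2"
SAMPLE_TUNNEL_ID = "0f1e2d3c-4b5a-4978-8695-a4b3c2d1e0f9"


def make_sample_token(account_id, tunnel_id, secret=None):
    """Build a token in cloudflared's layout, base64(JSON{"a","t","s"}), for this demo only."""
    secret = secret if secret is not None else secrets.token_bytes(32)
    payload = {"a": account_id, "t": tunnel_id, "s": base64.b64encode(secret).decode()}
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()


def decode_tunnel_token(token):
    """Return (account_id, tunnel_id, secret_bytes) carried by a tunnel token."""
    try:
        payload = json.loads(base64.b64decode(token, validate=True))
        account_id, tunnel_id = payload["a"], payload["t"]
        secret = base64.b64decode(payload["s"], validate=True)
    except (ValueError, KeyError, TypeError) as exc:   # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError("not a cloudflared tunnel token") from exc
    return account_id, tunnel_id, secret


def check_token(token, expected_account_id):
    """Checks worth running before the token leaves your workstation.

    - the token belongs to the account you are deploying into (a token pasted from
      the wrong dashboard still runs a tunnel, just not the one you meant),
    - the tunnel ID is a UUID,
    - the secret is at least 32 bytes, the length cloudflared generates.
    Returns a summary that is safe to log: it never contains the secret.
    """
    account_id, tunnel_id, secret = decode_tunnel_token(token)
    if account_id != expected_account_id:
        raise ValueError(f"token is for account {account_id}, expected {expected_account_id}")
    tunnel_uuid = uuid.UUID(str(tunnel_id))   # ValueError if malformed
    if len(secret) < 32:
        raise ValueError(f"tunnel secret is only {len(secret)} bytes")
    return {"account_id": account_id, "tunnel_id": str(tunnel_uuid), "secret_bytes": len(secret)}


def render_secret_manifest(token, name="tunnel-token", namespace="default"):
    """Kubernetes Secret manifest with the token base64-encoded under `data`.

    This is the same stored object that `stringData` produces; the encoding is not
    encryption, so RBAC on Secrets in the namespace is the real access control.
    """
    encoded = base64.b64encode(token.encode()).decode()
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "type: Opaque",
        "data:",
        f"  token: {encoded}",
        "",
    ])


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_ACCOUNT_ID, SAMPLE_TUNNEL_ID)
    print("token summary:", check_token(token, SAMPLE_ACCOUNT_ID))
    print(render_secret_manifest(token))
```

Piping the rendered manifest straight into `kubectl apply -f -` avoids leaving a file that contains the token in your working directory; the summary returned by `check_token` is what belongs in deployment logs, never the token itself.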

## 5\. Create pods for cloudflared

To run the Cloudflare Tunnel in Kubernetes:

1. Create a Kubernetes deployment for a remotely-managed Cloudflare Tunnel:  
tunnel.yaml  
```  
apiVersion: apps/v1  
kind: Deployment  
metadata:  
  name: cloudflared-deployment  
  namespace: default  
spec:  
  replicas: 2  
  selector:  
    matchLabels:  
      pod: cloudflared  
  template:  
    metadata:  
      labels:  
        pod: cloudflared  
    spec:  
      securityContext:  
        sysctls:  
          # Allows ICMP traffic (ping, traceroute) to resources behind cloudflared.  
          - name: net.ipv4.ping_group_range  
            value: "65532 65532"  
      containers:  
        - image: cloudflare/cloudflared:latest  
          name: cloudflared  
          env:  
            # Defines an environment variable for the tunnel token.  
            - name: TUNNEL_TOKEN  
              valueFrom:  
                secretKeyRef:  
                  name: tunnel-token  
                  key: token  
          command:  
            # Configures tunnel run parameters  
            - cloudflared  
            - tunnel  
            - --no-autoupdate  
            - --loglevel  
            - info  
            - --metrics  
            - 0.0.0.0:2000  
            - run  
          livenessProbe:  
            httpGet:  
              # Cloudflared has a /ready endpoint which returns 200 if and only if  
              # it has an active connection to Cloudflare's network.  
              path: /ready  
              port: 2000  
            failureThreshold: 1  
            initialDelaySeconds: 10  
            periodSeconds: 10  
```
2. Deploy `cloudflared` to the cluster:  
Terminal window  
```  
kubectl create -f tunnel.yaml  
```  
Kubernetes will install the `cloudflared` image on two pods and run the tunnel using the command `cloudflared tunnel --no-autoupdate --loglevel info --metrics 0.0.0.0:2000 run`. `cloudflared` will consume the tunnel token from the `TUNNEL_TOKEN` environment variable.
3. Check the status of your cluster:  
Terminal window  
```  
kubectl get all  
```  
```  
NAME                                          READY   STATUS    RESTARTS   AGE  
pod/cloudflared-deployment-6d5f9f9666-85l5w   1/1     Running   0          21s  
pod/cloudflared-deployment-6d5f9f9666-wb96x   1/1     Running   0          21s  
pod/httpbin-deployment-bc6689c5d-b5ftk        1/1     Running   0          3m36s  
pod/httpbin-deployment-bc6689c5d-cbd9m        1/1     Running   0          3m36s  
NAME                      TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)        AGE  
service/httpbin-service   LoadBalancer   34.118.225.147   34.75.201.60   80:31967/TCP   3m36s  
service/kubernetes        ClusterIP      34.118.224.1     <none>         443/TCP        24h  
NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE  
deployment.apps/cloudflared-deployment   2/2     2            2           22s  
deployment.apps/httpbin-deployment       2/2     2            2           3m37s  
NAME                                                DESIRED   CURRENT   READY   AGE  
replicaset.apps/cloudflared-deployment-6d5f9f9666   2         2         2       22s  
replicaset.apps/httpbin-deployment-bc6689c5d        2         2         2       3m37s  
```

You should see two `cloudflared` pods and two `httpbin` pods with a `Running` status. If your `cloudflared` pods keep restarting, check the `command` syntax in `tunnel.yaml` and make sure that the [tunnel run parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/) are in the correct order.

## 6\. Verify tunnel status

To print logs for a `cloudflared` instance:

Terminal window

```
kubectl logs pod/cloudflared-deployment-6d5f9f9666-85l5w
```

```
2025-06-11T22:00:47Z INF Starting tunnel tunnelID=64c359b6-e111-40ec-a3a9-199c2a656613
2025-06-11T22:00:47Z INF Version 2025.6.0 (Checksum 72f233bb55199093961bf099ad62d491db58819df34b071ab231f622deff33ce)
2025-06-11T22:00:47Z INF GOOS: linux, GOVersion: go1.24.2, GoArch: amd64
2025-06-11T22:00:47Z INF Settings: map[loglevel:debug metrics:0.0.0.0:2000 no-autoupdate:true token:*****]
2025-06-11T22:00:47Z INF Generated Connector ID: aff7c4a0-85a3-4ac9-8475-1e0aa1af8d94
2025-06-11T22:00:47Z DBG Fetched protocol: quic
2025-06-11T22:00:47Z INF Initial protocol quic
...
```

A healthy connector goes on to log `Registered tunnel connection` once per connection to Cloudflare's network (four per replica by default). If the pod logs repeated connection failures instead, check that the cluster can reach Cloudflare on port `7844`, as described in the tip at the top of this page.

## 7\. Add a tunnel route

Now that the tunnel is up and running, we can route the httpbin service through the tunnel.

1. Switch to the browser tab where you were configuring Cloudflare Tunnel.
2. Go to the **Configuration page** for your Cloudflared Tunnel.
3. In the **Published application routes** tab, enter a hostname for the application (for example, `httpbin.<your-domain>.com`).
4. Under **Service**, enter `http://httpbin-service`. `httpbin-service` is the name of the Kubernetes service defined in `httpbinsvc.yaml`.
5. Select **Complete setup**.

## 8\. Test the connection

To test, open a new browser tab and go to `httpbin.<your-domain>.com`. You should see the httpbin homepage.

You can optionally [create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to control who can access the service.

---

---
title: Terraform
description: Learn how to deploy a Cloudflare Tunnel using Terraform and our lightweight server-side daemon, cloudflared.
image: https://developers.cloudflare.com/zt-preview.png
---


# Terraform

[Terraform ↗](https://www.terraform.io/) is an infrastructure as code software tool that allows you to deploy services from different providers using a standardized configuration syntax. When creating a Terraform configuration file, you define the final state of the configuration rather than the step-by-step procedure. This allows you to easily deploy, modify, and manage your Tunnels alongside your other infrastructure.

In this guide, you will use Terraform to deploy:

* A Google Cloud Platform (GCP) virtual machine that runs an HTTP test server
* A Cloudflare Tunnel that makes the server available over the Internet
* A Cloudflare Access policy that defines who can connect to the server

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

## Prerequisites

To complete the following procedure, you will need:

* [A Google Cloud Project ↗](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating%5Fa%5Fproject)
* [A zone on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
* Enabled [one-time PIN login](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) or integrated an [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/)

## 1\. Install Terraform

Refer to the [Terraform installation guide ↗](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) for your operating system.

## 2\. Install the gcloud CLI

1. [Install the gcloud CLI ↗](https://cloud.google.com/sdk/docs/install) so that Terraform can interact with your GCP account.
2. Authenticate with the CLI by running:  
Terminal window  
```  
gcloud auth application-default login  
```

## 3\. Create a Cloudflare API token

[Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) so that Terraform can interact with your Cloudflare account. At minimum, your token should include the following permissions:

| Type    | Item                      | Permission |
| ------- | ------------------------- | ---------- |
| Account | Cloudflare Tunnel         | Edit       |
| Account | Access: Apps and Policies | Edit       |
| Zone    | DNS                       | Edit       |

## 4\. Create a configuration directory

Terraform functions through a working directory that contains configuration files. You can store your configuration in multiple files or just one — Terraform will evaluate all of the configuration files in the directory as if they were in a single document.

1. Create a folder for your Terraform configuration:  
Terminal window  
```  
mkdir cloudflare-tf  
```
2. Change into the directory:  
Terminal window  
```  
cd cloudflare-tf  
```

## 5\. Create Terraform configuration files

### Define input variables

The following variables will be passed into your GCP and Cloudflare configuration.

1. In your configuration directory, create a `.tf` file:  
Terminal window  
```  
touch variables.tf  
```
2. Open the file in a text editor and copy and paste the following:  
```  
# GCP variables  
variable "gcp_project_id" {  
  description = "Google Cloud Platform (GCP) project ID"  
  type        = string  
}  
variable "zone" {  
  description = "Geographical zone for the GCP VM instance"  
  type        = string  
}  
variable "machine_type" {  
  description = "Machine type for the GCP VM instance"  
  type        = string  
}  
# Cloudflare variables  
variable "cloudflare_zone" {  
  description = "Domain used to expose the GCP VM instance to the Internet"  
  type        = string  
}  
variable "cloudflare_zone_id" {  
  description = "Zone ID for your domain"  
  type        = string  
}  
variable "cloudflare_account_id" {  
  description = "Account ID for your Cloudflare account"  
  type        = string  
  sensitive   = true  
}  
variable "cloudflare_email" {  
  description = "Email address for your Cloudflare account"  
  type        = string  
  sensitive   = true  
}  
variable "cloudflare_token" {  
  description = "Cloudflare API token"  
  type        = string  
  sensitive   = true  
}  
```

### Assign values to the variables

1. In your configuration directory, create a `.tfvars` file:  
Terminal window  
```  
touch terraform.tfvars  
```  
Terraform will automatically use these variables if the file is named `terraform.tfvars`, otherwise the variable file will need to be manually passed in.
2. Add the following variables to `terraform.tfvars`. Be sure to modify the example with your own values.  
```  
cloudflare_zone           = "example.com"  
cloudflare_zone_id        = "023e105f4ecef8ad9ca31a8372d0c353"  
cloudflare_account_id     = "372e67954025e0ba6aaa6d586b9e0b59"  
cloudflare_email          = "user@example.com"  
cloudflare_token          = "y3AalHS_E7Vabk3c3lX950F90_Xl7YtjSlzyFn_X"  
gcp_project_id            = "testvm-123"  
zone                      = "us-central1-a"  
machine_type              = "e2-medium"  
```

Warning

To prevent accidentally exposing sensitive credentials, do not save `terraform.tfvars` in your version control system. For example, if your version control is git, add `terraform.tfvars` to your `.gitignore` file.

### Configure Terraform providers

You will need to declare the [providers ↗](https://registry.terraform.io/browse/providers) used to provision the infrastructure.

1. In your configuration directory, create a `.tf` file:  
Terminal window  
```  
touch providers.tf  
```
2. Add the following providers to `providers.tf`. The `random` provider is only needed by the Terraform v4 configuration, which uses it to generate the tunnel secret.  
Terraform (v5)  
```  
terraform {  
  required_providers {  
    cloudflare = {  
      source = "cloudflare/cloudflare"  
      version = ">= 5.8.2"  
    }  
    google = {  
      source = "hashicorp/google"  
    }  
  }  
  required_version = ">= 1.2"  
}  
# Providers  
provider "cloudflare" {  
  api_token    = var.cloudflare_token  
}  
provider "google" {  
  project    = var.gcp_project_id  
}  
provider "random" {  
}  
```  
Terraform (v4)  
```  
terraform {  
  required_providers {  
    cloudflare = {  
      source = "cloudflare/cloudflare"  
      version = ">= 4.40.0, < 5.0.0"  
    }  
    google = {  
      source = "hashicorp/google"  
    }  
    random = {  
      source = "hashicorp/random"  
    }  
  }  
  required_version = ">= 1.2"  
}  
# Providers  
provider "cloudflare" {  
  api_token    = var.cloudflare_token  
}  
provider "google" {  
  project    = var.gcp_project_id  
}  
provider "random" {  
}  
```

### Configure Cloudflare resources

The following configuration will modify settings in your Cloudflare account.

1. In your configuration directory, create a `.tf` file:  
Terminal window  
```  
touch Cloudflare-config.tf  
```
2. Add the following resources to `Cloudflare-config.tf`:  
Terraform (v5)  
```  
# Creates a new remotely-managed tunnel for the GCP VM.  
resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" {  
  account_id    = var.cloudflare_account_id  
  name          = "Terraform GCP tunnel"  
  config_src    = "cloudflare"  
}  
# Reads the token used to run the tunnel on the server.  
data "cloudflare_zero_trust_tunnel_cloudflared_token" "gcp_tunnel_token" {  
  account_id   = var.cloudflare_account_id  
  tunnel_id   = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id  
}  
# Creates the CNAME record that routes http_app.${var.cloudflare_zone} to the tunnel.  
resource "cloudflare_dns_record" "http_app" {  
  zone_id = var.cloudflare_zone_id  
  name    = "http_app"  
  content = "${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id}.cfargotunnel.com"  
  type    = "CNAME"  
  ttl     = 1  
  proxied = true  
}  
# Configures tunnel with a published application for clientless access.  
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {  
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id  
  account_id = var.cloudflare_account_id  
  config     = {  
    ingress   = [  
      {  
        hostname = "http_app.${var.cloudflare_zone}"  
        service  = "http://httpbin:80"  
      },  
      {  
        service  = "http_status:404"  
      }  
    ]  
  }  
}  
# (Optional) Routes internal IP of GCP instance through the tunnel for private network access using WARP.  
resource "cloudflare_zero_trust_tunnel_cloudflared_route" "example_tunnel_route" {  
  account_id = var.cloudflare_account_id  
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id  
  network    = google_compute_instance.http_server.network_interface[0].network_ip  
  comment    = "Example tunnel route"  
}  
# Creates a reusable Access policy.  
resource "cloudflare_zero_trust_access_policy" "allow_emails" {  
  account_id   = var.cloudflare_account_id  
  name         = "Allow email addresses"  
  decision     = "allow"  
  include      = [  
    {  
      email = {  
        email = var.cloudflare_email  
      }  
    },  
    {  
      email_domain = {  
        domain = "@example.com"  
      }  
    }  
  ]  
}  
# Creates an Access application to control who can connect to the public hostname.  
resource "cloudflare_zero_trust_access_application" "http_app" {  
  account_id       = var.cloudflare_account_id  
  type             = "self_hosted"  
  name             = "Access application for http_app.${var.cloudflare_zone}"  
  domain           = "http_app.${var.cloudflare_zone}"  
  policies = [  
    {  
      id = cloudflare_zero_trust_access_policy.allow_emails.id  
      precedence = 1  
    }  
  ]  
}  
```  
Terraform (v4)  
```  
# Generates a 32-byte secret for the tunnel.  
resource "random_bytes" "tunnel_secret" {  
  byte_length = 32  
}  
# Creates a new remotely-managed tunnel for the GCP VM.  
resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" {  
  account_id = var.cloudflare_account_id  
  name       = "Terraform GCP tunnel"  
  secret     = random_bytes.tunnel_secret.base64  
}  
# Creates the CNAME record that routes http_app.${var.cloudflare_zone} to the tunnel.  
resource "cloudflare_record" "http_app" {  
  zone_id = var.cloudflare_zone_id  
  name    = "http_app"  
  content   = "${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.cname}"  
  type    = "CNAME"  
  proxied = true  
}  
# Configures tunnel with a published application for clientless access.  
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {  
  tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id  
  account_id = var.cloudflare_account_id  
  config {  
    ingress_rule {  
      hostname = "${cloudflare_record.http_app.hostname}"  
      service  = "http://httpbin:80"  
    }  
    ingress_rule {  
      service  = "http_status:404"  
    }  
  }  
}  
# (Optional) Route internal IP of GCP instance through the tunnel for private network access using WARP.  
resource "cloudflare_zero_trust_tunnel_route" "example_tunnel_route" {  
  account_id = var.cloudflare_account_id  
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id  
  network    = google_compute_instance.http_server.network_interface[0].network_ip  
  comment    = "Example tunnel route"  
}  
# Creates an Access application to control who can connect to the public hostname.  
resource "cloudflare_zero_trust_access_application" "http_app" {  
  account_id = var.cloudflare_account_id  
  name       = "Access application for http_app.${var.cloudflare_zone}"  
  domain     = "http_app.${var.cloudflare_zone}"  
}  
# Creates a (legacy) Access policy for the Access application.  
resource "cloudflare_zero_trust_access_policy" "allow_emails" {  
  application_id = cloudflare_zero_trust_access_application.http_app.id  
  account_id     = var.cloudflare_account_id  
  name           = "Example policy for http_app.${var.cloudflare_zone}"  
  precedence     = "1"  
  decision       = "allow"  
  include {  
    email = [var.cloudflare_email]  
  }  
}  
```

To learn more about these resources, refer to the [Cloudflare provider documentation ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).

### Configure GCP resources

The following configuration defines the specifications for the GCP virtual machine and configures a startup script to run upon boot.

1. In your configuration directory, create a `.tf` file:  
Terminal window  
```  
touch GCP-config.tf  
```
2. Add the following content to `GCP-config.tf`:  
Terraform (v5)  
```  
# OS the server will use  
data "google_compute_image" "image" {  
  family  = "ubuntu-2204-lts"  
  project = "ubuntu-os-cloud"  
}  
# GCP Instance resource  
resource "google_compute_instance" "http_server" {  
  name         = "test"  
  machine_type = var.machine_type  
  zone         = var.zone  
  tags         = []  
  boot_disk {  
    initialize_params {  
      image = data.google_compute_image.image.self_link  
    }  
  }  
  network_interface {  
    network = "default"  
    access_config {  
      //Ephemeral IP  
    }  
  }  
  // Optional config to make instance ephemeral  
/*  scheduling {  
    preemptible       = true  
    automatic_restart = false  
  } */  
  // Pass the tunnel token to the GCP server so that the server can install and run the tunnel upon startup.  
  metadata_startup_script = templatefile("./install-tunnel.tftpl",  
    {  
      tunnel_token = data.cloudflare_zero_trust_tunnel_cloudflared_token.gcp_tunnel_token.token  
    })  
}  
```  
Terraform (v4)  
```  
# OS the server will use  
data "google_compute_image" "image" {  
  family  = "ubuntu-2204-lts"  
  project = "ubuntu-os-cloud"  
}  
# GCP Instance resource  
resource "google_compute_instance" "http_server" {  
  name         = "test"  
  machine_type = var.machine_type  
  zone         = var.zone  
  tags         = []  
  boot_disk {  
    initialize_params {  
      image = data.google_compute_image.image.self_link  
    }  
  }  
  network_interface {  
    network = "default"  
    access_config {  
      //Ephemeral IP  
    }  
  }  
  // Optional config to make instance ephemeral  
/*  scheduling {  
    preemptible       = true  
    automatic_restart = false  
  } */  
  // Pass the tunnel token to the GCP server so that the server can install and run the tunnel upon startup.  
  metadata_startup_script = templatefile("./install-tunnel.tftpl",  
    {  
      tunnel_token = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.tunnel_token  
    })  
}  
```

### Create a startup script

The following script will install `cloudflared` and run the tunnel as a service. This example also installs a lightweight HTTP application that you can use to test connectivity.

1. In your configuration directory, create a Terraform template file:  
Terminal window  
```  
touch install-tunnel.tftpl  
```
2. Open the file in a text editor and copy and paste the following bash script:  
Terminal window  
```  
# Script to install Cloudflare Tunnel and Docker resources  
# Docker configuration  
cd /tmp  
sudo apt-get install software-properties-common  
# Retrieving the docker repository for this OS  
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -  
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"  
# The OS is updated and docker is installed  
sudo apt update -y && sudo apt upgrade -y  
sudo apt install docker docker-compose -y  
# Add the HTTPBin application and run it on localhost:8080.  
cat > /tmp/docker-compose.yml << "EOF"  
version: '3'  
services:  
  httpbin:  
    image: kennethreitz/httpbin  
    restart: always  
    container_name: httpbin  
    ports:  
      - 8080:80  
  cloudflared:  
    image: cloudflare/cloudflared:latest  
    restart: always  
    container_name: cloudflared  
    command: tunnel run --token ${tunnel_token}  
EOF  
cd /tmp  
sudo docker-compose up -d  
```

## 6\. Deploy Terraform

To deploy the configuration files:

1. Initialize your configuration directory:  
Terminal window  
```  
terraform init  
```
2. Preview everything that will be created:  
Terminal window  
```  
terraform plan  
```
3. Apply the configuration:  
Terminal window  
```  
terraform apply  
```

It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** \> **Networks** \> **Connectors**, and your Access application and policy under **Zero Trust** \> **Access controls** \> **Applications**. The new DNS records are available on the [**DNS Records** page](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/).

Remove Terraform resources

If you need to roll back the configuration, run `terraform destroy` to delete everything created through Terraform. Both `terraform apply` and `terraform destroy` prompt for user input before applying the changes. To run without requiring user input, you can add the `-auto-approve` flag to the command.

## 7\. Test the connection

1. In **Networks** \> **Connectors** \> **Cloudflare Tunnels**, verify that your tunnel is active.
2. In **Access controls** \> **Applications**, verify that your Cloudflare email is allowed by the Access policy.
3. From any device, open a browser and go to `http_app.<CLOUDFLARE_ZONE>` (for example, `http_app.example.com`).  
You will see the Access login page if you have not recently logged in.
4. Log in with your Cloudflare email.  
You should see the [HTTPBin ↗](https://httpbin.org/) homepage.


---

---
title: Other tunnel types
description: Other tunnel types resources and guides for Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Other tunnel types

Cloudflare recommends creating a [remotely-managed tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/) for most use cases. Remotely-managed tunnels store their configuration on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform.

The following pages cover alternative tunnel workflows that are intended for specific scenarios such as local development, testing, or legacy configurations.

* [ Locally-managed tunnels ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/)
* [ Quick Tunnels ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/)


---

---
title: Linux
description: Linux in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Linux

You can install `cloudflared` as a system service on Linux.

## Prerequisites

Before you install Cloudflare Tunnel as a service on Linux, follow Steps 1 through 4 of the [Tunnel CLI setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `.cloudflared` directory.

## 1\. Configure `cloudflared` as a service

By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:

| Argument         | Description                                          |
| ---------------- | ---------------------------------------------------- |
| tunnel           | The UUID of your tunnel                              |
| credentials-file | The location of the credentials file for your Tunnel |

## 2\. Run `cloudflared` as a service

1. Install the `cloudflared` service.  
Terminal window  
```  
cloudflared service install  
```  
Note  
Installing the `cloudflared` systemd service on Linux typically requires elevated privileges. When the install command is run with `sudo`, `$HOME` points to `/root`, which may prevent `cloudflared` from locating a configuration file created in `/home/<USER>/.cloudflared/config.yml`. In this case, the config path can be passed explicitly:  
Terminal window  
```  
sudo cloudflared --config /home/<USER>/.cloudflared/config.yml service install  
```
2. Start the service.  
Terminal window  
```  
systemctl start cloudflared  
```
3. (Optional) View the status of the service.  
Terminal window  
```  
systemctl status cloudflared  
```

## Next steps

You can now [route traffic through your tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:

Terminal window

```
systemctl restart cloudflared
```


---

---
title: macOS
description: macOS in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# macOS

You can install `cloudflared` as a system service on macOS.

## Prerequisites

Before you install Cloudflare Tunnel as a service on your OS, follow Steps 1 through 4 of the [Tunnel CLI setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `$HOME/.cloudflared` directory.

## 1\. Configure `cloudflared` as a service

By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:

| Argument         | Description                                          |
| ---------------- | ---------------------------------------------------- |
| tunnel           | The UUID of your tunnel                              |
| credentials-file | The location of the credentials file for your tunnel |

## 2\. Run `cloudflared` as a service

You can install the service to either run at login or at boot.

### Run at login

Open a terminal window and run the following command:

Terminal window

```
cloudflared service install
```

Cloudflare Tunnel will be installed as a launch agent and start whenever you log in, using your local user configuration found in `~/.cloudflared/`.

### Run at boot

Open a terminal window and run the following command:

Terminal window

```
sudo cloudflared service install
```

Cloudflare Tunnel will be installed as a launch daemon and start whenever your system boots, using your configuration found in `/etc/cloudflared`.

## 3\. Manually start the service

Run the following command:

Terminal window

```
sudo launchctl start com.cloudflare.cloudflared
```

The output will be logged to `/Library/Logs/com.cloudflare.cloudflared.err.log` and `/Library/Logs/com.cloudflare.cloudflared.out.log`.

## Next steps

You can now [route traffic through your tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:

Terminal window

```
sudo launchctl stop com.cloudflare.cloudflared
sudo launchctl start com.cloudflare.cloudflared
```


---

---
title: Windows
description: Windows in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Windows

You can install `cloudflared` as a system service on Windows.

## Configure `cloudflared` as a service

By default, Cloudflare Tunnel expects all of the configuration to exist in the `%USERPROFILE%\.cloudflared\config.yml` [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:

| Argument         | Description                                          |
| ---------------- | ---------------------------------------------------- |
| tunnel           | The UUID of your tunnel                              |
| credentials-file | The location of the credentials file for your tunnel |

## Run `cloudflared` as a service

1. [Download](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) the latest `cloudflared` version.
2. Create a new directory:  
Terminal window  
```  
C:\Cloudflared\bin  
```
3. Copy the `.exe` file you downloaded in step 1 to the new directory and rename it to `cloudflared.exe`.
4. Open CMD as an administrator and go to `C:\Cloudflared\bin`.
5. Run this command to install `cloudflared`:  
Terminal window  
```  
cloudflared.exe service install  
```
6. Next, run this command to create another directory:  
Terminal window  
```  
mkdir C:\Windows\System32\config\systemprofile\.cloudflared  
```
7. Log in and authenticate `cloudflared`:  
Terminal window  
```  
cloudflared.exe login  
```
8. The login command will generate a `cert.pem` file and save it to your user profile by default. Copy the file to the `.cloudflared` folder created in step 6 using this command:  
Terminal window  
```  
copy C:\Users\%USERNAME%\.cloudflared\cert.pem C:\Windows\System32\config\systemprofile\.cloudflared\cert.pem  
```
9. Next, create a tunnel:  
Terminal window  
```  
cloudflared.exe tunnel create <Tunnel Name>  
```  
This will generate a [credentials file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/local-tunnel-terms/#credentials-file) in `.json` format.
10. [Create a configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/#4-create-a-configuration-file) with the following content:  
```  
tunnel: <Tunnel ID>  
credentials-file: C:\Windows\System32\config\systemprofile\.cloudflared\<Tunnel-ID>.json  
# Uncomment the following two lines if you are using self-signed certificates in your origin server  
# originRequest:  
#   noTLSVerify: true  
ingress:  
  - hostname: app.mydomain.com  
    service: https://internal.mydomain.com  
  - service: http_status:404  
logfile: C:\Cloudflared\cloudflared.log  
```
11. Copy the credentials file to the folder created in step 6:  
Terminal window  
```  
copy C:\Users\%USERNAME%\.cloudflared\<Tunnel-ID>.json C:\Windows\System32\config\systemprofile\.cloudflared\<Tunnel-ID>.json  
```
12. Validate the ingress rule entries in your configuration file using the command:  
Terminal window  
```  
cloudflared.exe tunnel ingress validate  
```
13. In the Registry Editor, go to `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cloudflared`.
14. In the Cloudflared registry entry, modify `ImagePath` to point to the `cloudflared.exe` and `config.yml` files. Make sure that there are no extra spaces or characters while you modify the registry entry, as this could cause problems with starting the service.  
Terminal window  
```  
C:\Cloudflared\bin\cloudflared.exe --config=C:\Windows\System32\config\systemprofile\.cloudflared\config.yml tunnel run  
```
15. If the service does not start, run the following command from `C:\Cloudflared\bin`:  
Terminal window  
```  
sc start cloudflared  
```  
You will see the output below:  
```  
SERVICE_NAME: cloudflared  
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 2  START_PENDING  
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)  
        WIN32_EXIT_CODE    : 0  (0x0)  
        SERVICE_EXIT_CODE  : 0  (0x0)  
        CHECKPOINT         : 0x0  
        WAIT_HINT          : 0x7d0  
        PID                : 3548  
        FLAGS              :  
```

## Next steps

You can now [route traffic through your tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:

Terminal window

```
sc stop cloudflared
sc start cloudflared
```


---

---
title: Configuration file
description: Reference information for Configuration file in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Configuration file

Note

[Quick tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#quick-tunnels) do not need a configuration file.

Locally-managed tunnels run as an instance of `cloudflared` on your machine. You can configure `cloudflared` properties by modifying [command line parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/) or by editing the tunnel [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/#4-create-a-configuration-file).

The CLI provides a quick way to handle configurations if you are connecting a single service through `cloudflared`. The tunnel configuration file is useful if you are connecting multiple services and need to configure properties or exceptions for specific origins. In the configuration file, you can define top-level properties for your `cloudflared` instance as well as [origin-specific properties](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/). For a full list of configuration options, type `cloudflared tunnel help` in your terminal.

In the absence of a configuration file, `cloudflared` will proxy outbound traffic through port `8080`.

## File structure for private networks

If you are [exposing a private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) to end users running the Cloudflare One Client, you need to add the `warp-routing` key and set it to `true`:

```
tunnel: <Tunnel-UUID>
credentials-file: /path/<Tunnel-UUID>.json
warp-routing:
  enabled: true
```

## File structure for published applications

If you are exposing local services to the Internet, you can assign a public hostname to each service:

```
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json

ingress:
  - hostname: gitlab.widgetcorp.tech
    service: http://localhost:80
  - hostname: gitlab-ssh.widgetcorp.tech
    service: ssh://localhost:22
  - service: http_status:404
```

Configuration files that contain ingress rules must always include a catch-all rule that concludes the file. In this example, `cloudflared` will respond with a `404` status code when the request does not match any of the previous hostnames.

### How traffic is matched

When `cloudflared` receives an incoming request, it evaluates each ingress rule from top to bottom to find which rule matches the request. Rules can match either the hostname or path of an incoming request, or both. If a rule does not specify a hostname, all hostnames will be matched. If a rule does not specify a path, all paths will be matched.

The last ingress rule must be a catch-all rule that matches all traffic.

Here is an example configuration file that specifies several rules:

```
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json

ingress:
  # Rules map traffic from a hostname to a local service:
  - hostname: example.com
    service: https://localhost:8000
  # Rules can match the request's path to a regular expression:
  - hostname: static.example.com
    path: \.(jpg|png|css|js)$
    service: https://localhost:8001
  # Rules can match the request's hostname to a wildcard character:
  - hostname: "*.example.com"
    service: https://localhost:8002
  # An example of a catch-all rule:
  - service: https://localhost:8003
```

#### Wildcards

You can use wildcards to match traffic to multiple subdomains. For example, if you set the `hostname` key to `*.example.com`, both `alpha.example.com` and `beta.example.com` will route traffic to your origin. `cloudflared` does not support wildcards in the middle of the hostname, such as `test.*.example.com`.

You can also enter regular expressions for the `path` key. For example, if `hostname` is `static.example.com` and `path` is `\.(jpg|png|css|js)$`, matching URLs could include `https://static.example.com/data.js`, `http://static.example.com/images/photo.jpg`, and so on. Cloudflare parses the path regex using the [Go syntax package ↗](https://pkg.go.dev/regexp/syntax).

### Services

In addition to HTTP, `cloudflared` supports protocols like SSH, RDP, arbitrary TCP services, and Unix sockets. You can also route traffic to the built-in `hello_world` test server or respond to traffic with an HTTP status. For a full list of supported service types, refer to [Protocols for published applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/).

```
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json

ingress:
  # Example of a request over TCP:
  - hostname: example.com
    service: tcp://localhost:8000
  # Example of an HTTP request over a Unix socket:
  - hostname: staging.example.com
    service: unix:/home/production/echo.sock
  # Example of a request mapping to the Hello World test server:
  - hostname: test.example.com
    service: hello_world
  # Example of a rule responding to traffic with an HTTP status:
  - service: http_status:404
```

### Origin configuration

If you need to proxy traffic to multiple origins within one instance of `cloudflared`, you can define the way `cloudflared` sends requests to each service by specifying [configuration options](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/) as part of your ingress rules.

In the following example, the top-level configuration `connectTimeout: 30s` sets a 30-second connection timeout for all services within that instance of `cloudflared`. The ingress rule for `service: localhost:8002` then configures an exception to the top-level configuration by setting `connectTimeout` for that service at `10s`. The 30-second connection timeout still applies to all other services.

```
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json
originRequest: # Top-level configuration
  connectTimeout: 30s

ingress:
  # The localhost:8000 service inherits all root-level configuration.
  # In other words, it will use a connectTimeout of 30 seconds.
  - hostname: example.com
    service: localhost:8000
  - hostname: example2.com
    service: localhost:8001
  # The localhost:8002 service overrides some root-level config.
  - service: localhost:8002
    originRequest:
      connectTimeout: 10s
      disableChunkedEncoding: true
  # Some built-in services such as `http_status` do not use any configuration.
  # The service below will simply respond with HTTP 404.
  - service: http_status:404
```

### Validate ingress rules

To validate the ingress rules in your configuration file, run:

Terminal window

```
cloudflared tunnel ingress validate
```

This will ensure that the set of ingress rules specified in your config file is valid.

### Test ingress rules

To verify that `cloudflared` will proxy the right traffic to the right local service, use `cloudflared tunnel ingress rule`. This checks a URL against every rule, from first to last, and shows the first rule that matches. For example:

Terminal window

```
cloudflared tunnel ingress rule https://foo.example.com
```

```
Using rules from /usr/local/etc/cloudflared/config.yml
Matched rule #3
  hostname: *.example.com
  service: https://localhost:8000
```
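As an added example (not code from `cloudflared` itself), the Go program below reimplements the behaviour described under "How traffic is matched", "Wildcards", "Validate ingress rules" and "Test ingress rules": it validates a constructed rule set the way `cloudflared tunnel ingress validate` would (catch-all last, wildcard only as a leading `*.` label, path as a Go-syntax regexp) and then answers `cloudflared tunnel ingress rule <URL>` queries against it by walking the rules top to bottom. The exact `*.` semantics (any host with at least one label before the suffix) and the error wording are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// IngressRule mirrors one entry under `ingress:`; empty Hostname/Path match every hostname/path.
type IngressRule struct {
	Hostname string
	Path     string
	Service  string
	pathRe   *regexp.Regexp // set by ValidateIngress; nil means "match all paths"
}

// ValidateIngress applies the checks the page describes: the last rule must be a
// catch-all, a wildcard may only be the leading "*." label, and each path must
// be a valid regexp in Go syntax. It returns the rules with their paths compiled.
func ValidateIngress(rules []IngressRule) ([]IngressRule, error) {
	if n := len(rules); n == 0 || rules[n-1].Hostname != "" || rules[n-1].Path != "" {
		return nil, errors.New("ingress: the last rule must be a catch-all with no hostname or path")
	}
	out := make([]IngressRule, 0, len(rules))
	for i, r := range rules {
		n := i + 1 // cloudflared numbers rules from 1 ("Matched rule #3")
		if r.Service == "" {
			return nil, fmt.Errorf("ingress rule #%d: service is required", n)
		}
		// Only a leading "*." is a supported wildcard; test.*.example.com is not.
		if rest := strings.TrimPrefix(r.Hostname, "*."); strings.Contains(rest, "*") {
			return nil, fmt.Errorf("ingress rule #%d: unsupported wildcard in %q", n, r.Hostname)
		}
		if r.Path != "" {
			re, err := regexp.Compile(r.Path)
			if err != nil {
				return nil, fmt.Errorf("ingress rule #%d: bad path regex %q: %v", n, r.Path, err)
			}
			r.pathRe = re
		}
		out = append(out, r)
	}
	return out, nil
}

// matches reports whether the rule accepts a lower-cased host and a path. Assumption:
// "*.example.com" matches any host with at least one label before ".example.com".
func (r IngressRule) matches(host, path string) bool {
	if h := strings.ToLower(r.Hostname); h != "" {
		if strings.HasPrefix(h, "*.") {
			suffix := h[1:] // ".example.com"
			if !strings.HasSuffix(host, suffix) || len(host) == len(suffix) {
				return false
			}
		} else if host != h {
			return false
		}
	}
	return r.pathRe == nil || r.pathRe.MatchString(path)
}

// MatchURL walks the rules top to bottom and returns the 1-based index and service
// of the first match, the same answer `cloudflared tunnel ingress rule <URL>` prints.
func MatchURL(rules []IngressRule, rawURL string) (int, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return 0, "", err
	}
	host := strings.ToLower(u.Hostname()) // Hostname() drops any :port
	path := u.Path
	if path == "" {
		path = "/"
	}
	for i, r := range rules {
		if r.matches(host, path) {
			return i + 1, r.Service, nil
		}
	}
	return 0, "", errors.New("no rule matched (a validated config always ends in a catch-all)")
}

// ExampleRules is a constructed rule set mirroring the page's matching example.
var ExampleRules = []IngressRule{
	{Hostname: "example.com", Service: "https://localhost:8000"},
	{Hostname: "static.example.com", Path: `\.(jpg|png|css|js)$`, Service: "https://localhost:8001"},
	{Hostname: "*.example.com", Service: "https://localhost:8002"},
	{Service: "https://localhost:8003"}, // catch-all
}

func main() {
	compiled, err := ValidateIngress(ExampleRules)
	if err != nil {
		panic(err)
	}
	n, svc, _ := MatchURL(compiled, "https://static.example.com/index.html")
	fmt.Printf("Matched rule #%d: %s\n", n, svc) // rule 2's path regex fails, so rule 3 wins
}
```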

## Update a configuration file

When making changes to the configuration file for a given tunnel, we suggest relying on [cloudflared replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) to propagate the new configuration with minimal downtime.

1. Have a `cloudflared` instance running with the original version of the configuration file.
2. Start a `cloudflared` replica running with the updated version of the configuration file.
3. Wait for the replica to be fully running and usable.
4. Stop the first instance of `cloudflared`.

Your `cloudflared` will now be running with the updated version of your configuration file.

Traffic handling

When the first instance of `cloudflared` is stopped, long-lived HTTP requests (for example, Websocket) and TCP connections (for example, SSH) will be dropped. UDP flows will also be dropped, as they are modeled based on timeouts. When the new replica connects, it will handle all new traffic, including new HTTP requests, TCP connections, and UDP flows.


---

---
title: Create a locally-managed tunnel
description: Create a locally-managed tunnel in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Create a locally-managed tunnel

Follow this step-by-step guide to get your first tunnel up and running using the CLI.

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

## Prerequisites

Before you start, make sure you:

* [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/).
* [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/).

## 1\. Download and install `cloudflared`

**Windows**

1. Download `cloudflared` on your machine. Visit the [downloads](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) page to find the right package for your OS.
2. Rename the executable to `cloudflared.exe`.
3. In PowerShell, change directory to your Downloads folder and run `.\cloudflared.exe --version`. It should output the version of `cloudflared`. If you have not renamed the file, the executable is still called `cloudflared-windows-amd64.exe` or `cloudflared-windows-386.exe`.

```
PS C:\Users\Administrator\Downloads\cloudflared-stable-windows-amd64> .\cloudflared.exe --version
```

**macOS**

To download and install `cloudflared` with Homebrew:

```
brew install cloudflared
```

Alternatively, you can [download the latest Darwin amd64 release](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) directly.

**Linux**

**Debian and Ubuntu APT**

Use the apt package manager to install `cloudflared` on compatible machines.

1. Add Cloudflare's package signing key:

```
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
```

2. Add Cloudflare's apt repo to your apt repositories. The `signed-by` option pins this repository to Cloudflare's key, so apt only accepts packages from it that carry that signature:

```
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
```

3. Update repositories and install `cloudflared`:

```
sudo apt-get update && sudo apt-get install cloudflared
```

**RHEL RPM**

Use the rpm package manager to install `cloudflared` on compatible machines.

1. Add Cloudflare's repository:

```
curl -fsSL https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
```

2. Update repositories and install `cloudflared`:

```
sudo yum update && sudo yum install cloudflared
```

**Arch Linux**

`cloudflared` is in the Arch Linux [official repositories ↗](https://wiki.archlinux.org/title/official%5Frepositories#community). Use `pacman` to install it on compatible machines:

```
sudo pacman -Syu cloudflared
```

**Other**

Alternatively, download the `cloudflared` binary or the Linux package for your machine and install it manually. Visit the [downloads](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) page to find the right package for your OS.

**Build from source**

To build the latest version of `cloudflared` from source:

```
git clone https://github.com/cloudflare/cloudflared.git
cd cloudflared
make cloudflared
go install github.com/cloudflare/cloudflared/cmd/cloudflared
```

Depending on where the build left the binary, move it to a directory on your `PATH`, for example:

```
mv /root/cloudflared/cloudflared /usr/bin/cloudflared
```

## 2\. Authenticate `cloudflared`

```
cloudflared tunnel login
```

Running this command will:

* Open a browser window and prompt you to log in to your Cloudflare account. After logging in, select the zone (hostname) you want to use with the tunnel.
* Generate an account certificate, the [cert.pem file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/local-tunnel-terms/#certpem), in the [default cloudflared directory](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/local-tunnel-terms/#default-cloudflared-directory). This certificate is scoped to your whole account, so keep it only on machines used to manage tunnels.

## 3\. Create a tunnel and give it a name

```
cloudflared tunnel create <NAME>
```

Running this command will:

* Create a tunnel by establishing a persistent relationship between the name you provide and a UUID for your tunnel. At this point, no connection is active within the tunnel yet.
* Generate a [tunnel credentials file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/local-tunnel-terms/#credentials-file) in the [default cloudflared directory](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/local-tunnel-terms/#default-cloudflared-directory). This file is all that is needed to run the tunnel and it does not expire, so restrict its file permissions to the user that will run `cloudflared`.
* Create a subdomain of `.cfargotunnel.com`.

From the output of the command, take note of the tunnel's UUID and the path to your tunnel's credentials file.

Confirm that the tunnel has been successfully created by running:

```
cloudflared tunnel list
```

## 4\. Create a configuration file

1. In your `.cloudflared` directory, create a [config.yml file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) using any text editor. This file configures the tunnel to route traffic from a given origin to the hostname of your choice.
2. Add the following fields to the file.

   If you are connecting a [published application](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/):

   ```
   url: http://localhost:8000
   tunnel: <Tunnel-UUID>
   credentials-file: /root/.cloudflared/<Tunnel-UUID>.json
   ```

   If you are connecting a [private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/):

   ```
   tunnel: <Tunnel-UUID>
   credentials-file: /root/.cloudflared/<Tunnel-UUID>.json
   warp-routing:
     enabled: true
   ```

3. Confirm that the configuration file has been successfully created by running:

   ```
   cat config.yml
   ```

## 5\. Start routing traffic

1\. To route a [published application](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) through the tunnel:

```
cloudflared tunnel route dns <UUID or NAME> <hostname>
```

This command creates a `CNAME` record for `<hostname>` pointing to `<UUID>.cfargotunnel.com`.

2\. If you are connecting a private network, route a private IP address or CIDR through the tunnel:

```
cloudflared tunnel route ip add <IP/CIDR> <UUID or NAME>
```

3\. For a private network, confirm that the route has been successfully established:

```
cloudflared tunnel route ip show
```

## 6\. Run the tunnel

Run the tunnel to proxy incoming traffic from the tunnel to any number of services running locally on your origin.

```
cloudflared tunnel run <UUID or NAME>
```

If your configuration file has a custom name or is not in the `.cloudflared` directory, add the `--config` flag and specify the path.

```
cloudflared tunnel --config /path/your-config-file.yml run <UUID or NAME>
```

Note

Cloudflare Tunnel can install itself as a system service on Linux and Windows and as a launch agent on macOS. For more information, refer to [run as a service](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/as-a-service/).

## 7\. Check the tunnel

To get information on the tunnel you just created, run:

```
cloudflared tunnel info <UUID or NAME>
```
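Steps 3 and 4 leave a long-lived secret (the credentials file) and a config file on disk before anything connects, and most first-run failures come from a mismatch between the two. The following pre-flight script is an added example, not part of `cloudflared` or of the Cloudflare documentation, that checks those files offline before you run `cloudflared tunnel run`. It assumes the flat `config.yml` layout shown in step 4 and a credentials file containing the `AccountTag`, `TunnelSecret` and `TunnelID` keys that `cloudflared tunnel create` writes; the UUIDs, account tag and secret used by its demo are constructed placeholders.

```shell
#!/usr/bin/env bash
# Offline pre-flight check for a locally-managed tunnel (added example; not part of cloudflared).
# It reads the config.yml from step 4 and the credentials file from step 3 and reports the
# mistakes that most often break `cloudflared tunnel run` or leak a long-lived secret:
#   - `tunnel:` is not the tunnel UUID
#   - `credentials-file:` is missing, or readable by other users (the file never expires)
#   - the TunnelID inside the credentials JSON does not match `tunnel:`
#   - no routing mode: neither `url:`/`ingress:` nor `warp-routing: enabled: true`
# It also warns when cert.pem sits beside the credentials, because the account-wide
# certificate is not needed to run a tunnel. All sample IDs and secrets are constructed.
set -u

UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
GOOD_ID='aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee'   # constructed tunnel UUID
OTHER_ID='00000000-1111-4222-8333-444444444444'  # constructed, deliberately different

# yaml_scalar FILE KEY: value of a top-level "KEY: value" line (the config is flat YAML)
yaml_scalar() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# json_string FILE KEY: value of "KEY":"value" (the credentials file is one flat JSON object)
json_string() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# file_mode FILE: octal permission bits; GNU stat first, BSD/macOS stat as fallback
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_tunnel_config CONFIG: prints one line per check; returns the number of failures
check_tunnel_config() {
  local cfg=$1 fails=0 tunnel creds cred_id mode key

  tunnel=$(yaml_scalar "$cfg" tunnel)
  if printf '%s' "$tunnel" | grep -Eq "$UUID_RE"; then
    echo "ok   tunnel: $tunnel"
  else
    echo "FAIL tunnel: expected the tunnel UUID, got '${tunnel:-<missing>}'"
    fails=$((fails + 1))
  fi

  creds=$(yaml_scalar "$cfg" credentials-file)
  if [ -z "$creds" ] || [ ! -f "$creds" ]; then
    echo "FAIL credentials-file: '${creds:-<missing>}' does not exist"
    return $((fails + 1))
  fi
  echo "ok   credentials-file: $creds"

  mode=$(file_mode "$creds")
  case $mode in
    600|400) echo "ok   credentials-file mode $mode (owner only)" ;;
    *) echo "FAIL credentials-file mode $mode: restrict it to the user running cloudflared"
       fails=$((fails + 1)) ;;
  esac

  cred_id=$(json_string "$creds" TunnelID)
  if [ -n "$tunnel" ] && [ "$cred_id" = "$tunnel" ]; then
    echo "ok   TunnelID in credentials matches tunnel:"
  else
    echo "FAIL TunnelID '${cred_id:-<missing>}' in credentials does not match tunnel: '$tunnel'"
    fails=$((fails + 1))
  fi
  for key in AccountTag TunnelSecret; do
    [ -n "$(json_string "$creds" "$key")" ] || { echo "FAIL credentials file lacks $key"; fails=$((fails + 1)); }
  done

  if grep -Eq '^(url|ingress):' "$cfg"; then
    echo "ok   routing: published application (url/ingress)"
  elif grep -q '^warp-routing:' "$cfg" && grep -Eq '^[[:space:]]+enabled:[[:space:]]*true' "$cfg"; then
    echo "ok   routing: private network (warp-routing enabled)"
  else
    echo "FAIL routing: set url:/ingress: for a published application or warp-routing.enabled: true"
    fails=$((fails + 1))
  fi

  [ -f "$(dirname "$creds")/cert.pem" ] && echo "WARN cert.pem beside the credentials: account-wide, not needed to run the tunnel"
  return $fails
}

# write_sample DIR CONFIG_ID CRED_ID MODE: constructed config.yml + credentials file for the demo
write_sample() {
  local dir=$1
  mkdir -p "$dir"
  printf '{"AccountTag":"0123456789abcdef0123456789abcdef","TunnelSecret":"bm90LWEtcmVhbC1zZWNyZXQ=","TunnelID":"%s"}\n' "$3" > "$dir/$2.json"
  chmod "$4" "$dir/$2.json"
  printf 'url: http://localhost:8000\ntunnel: %s\ncredentials-file: %s/%s.json\n' "$2" "$dir" "$2" > "$dir/config.yml"
}

demo() {
  local tmp rc d
  tmp=$(mktemp -d)
  write_sample "$tmp/good" "$GOOD_ID" "$GOOD_ID" 600
  write_sample "$tmp/bad"  "$GOOD_ID" "$OTHER_ID" 644   # wrong TunnelID and world-readable
  for d in good bad; do
    echo "== $tmp/$d/config.yml"
    rc=0; check_tunnel_config "$tmp/$d/config.yml" || rc=$?
    echo "failures: $rc"
  done
  rm -rf "$tmp"
}
demo
```

Run it as the user that will run the tunnel and point `check_tunnel_config` at your real `config.yml`; the demo at the bottom builds one good and one broken sample in a temporary directory so the script runs without a Cloudflare account. The exit status is the number of failed checks, so it can gate a service start.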


---

---
title: Useful terms
description: Reference information for Useful terms in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Useful terms

This page contains terminology specific to locally-managed Cloudflare Tunnels. For general Tunnel terminology, refer to the [Get started section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/).

## Default `cloudflared` directory

`cloudflared` uses a default directory when storing credentials files for your tunnels, as well as the `cert.pem` file it generates when you run `cloudflared tunnel login`. The default directory is also where `cloudflared` will look for a [configuration file](#configuration-file) if no other file path is specified when running a tunnel.

| OS                          | Path to default directory                                                         |
| --------------------------- | --------------------------------------------------------------------------------- |
| Windows                     | %USERPROFILE%\\.cloudflared                                                       |
| macOS and Unix-like systems | \~/.cloudflared, /etc/cloudflared, and /usr/local/etc/cloudflared, in this order. |

## Configuration file

This is a YAML file that functions as the operating manual for `cloudflared`. `cloudflared` automatically looks for the configuration file in the [default cloudflared directory](#default-cloudflared-directory), but you can store it in any directory; it is recommended to always pass the file path explicitly whenever you reference it. A configuration file gives you fine-grained control over how your instance of `cloudflared` operates: what to do with traffic (for example, proxy WebSockets to port `xxxx` or SSH to port `yyyy`), where to find its authorization (credentials file or tunnel token), and which mode to run in (for example, [warp-routing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)). Without a configuration file (or a `--url` flag), `cloudflared` proxies incoming requests to `http://localhost:8080` on the origin. For more information on how to create, store, and structure a configuration file, refer to the [dedicated instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/).

## Cert.pem

This is the certificate file issued by Cloudflare when you run `cloudflared tunnel login`. It authenticates your instance of `cloudflared` to your Cloudflare account and is required when you create new tunnels, delete existing tunnels, change DNS records, or configure tunnel routing from `cloudflared`. It is not required to run an existing tunnel or to manage tunnel routing from the Cloudflare dashboard. Because it is scoped to the whole account, keep it off machines that only need to run a tunnel. Refer to the [Tunnel permissions page](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/tunnel-permissions/) for more details on when this file is needed.

The `cert.pem` origin certificate is valid for at least 10 years, and the service token it contains is valid until revoked.

## Credentials file

This file is created when you run `cloudflared tunnel create <NAME>`. It stores your tunnel's credentials in JSON format, and is unique to each tunnel. This file functions as a token authenticating the tunnel it is associated with. Refer to the [Tunnel permissions page](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/tunnel-permissions/) for more details on when this file is needed.

## Ingress rule

Ingress rules specify which local service traffic should be proxied to, based on the requested hostname and path. If a rule does not specify a path, all paths are matched. Ingress rules are listed in your [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/); `cloudflared tunnel ingress validate` checks that file for errors, and `cloudflared tunnel ingress rule <URL>` shows which rule a given URL would match.


---

---
title: Tunnel permissions
description: Reference information for Tunnel permissions in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Tunnel permissions

Tunnel permissions determine who can run and manage a Cloudflare Tunnel. Two files control permissions for a locally-managed tunnel:

* **An account certificate** (`cert.pem`) is issued for a Cloudflare account when you log in to `cloudflared`. Be deliberate about the locations and machines you store this certificate on: it allows whoever holds it to create, delete, and manage all tunnels for the account.
* **A tunnel credentials file** (`<TUNNEL-UUID>.json`) is issued for a tunnel when you create the tunnel. The credentials file only allows the holder to run that specific tunnel and nothing else, so as an admin you can share tunnel credentials with the users who will run the tunnel. It does not expire, so treat it as a long-lived secret.

Refer to the table below for a comparison between the two files and the purposes for which they are intended.

|                         | Account certificate | Tunnel credentials file |
| ----------------------- | ------------------- | ----------------------- |
| **File name**           | `cert.pem` | `<TUNNEL-UUID>.json` |
| **Purpose**             | Authenticates your instance of `cloudflared` against your Cloudflare account | Authenticates the tunnel it is associated with |
| **Scope**               | Account-wide | Tunnel-specific |
| **File type**           | `.pem` | `.json` |
| **Stored in**           | [Default directory](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#default-cloudflared-directory) | [Default directory](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#default-cloudflared-directory) |
| **Issued when running** | `cloudflared tunnel login` | `cloudflared tunnel create <NAME>` |
| **Valid for**           | At least 10 years, and the service token it contains is valid until [revoked](#revoke-account-certificate) | Does not expire |
| **Needed to**           | Manage tunnels (for example, create, route, delete and list tunnels) | Run a tunnel; referenced from the config file |

## Tunnel ownership

Tunnel ownership is bound to the Cloudflare account for which the `cert.pem` file was issued upon authenticating `cloudflared`. If a user in a Cloudflare account creates a tunnel, any other user in the same account who has access to the `cert.pem` file for the account can delete, list, or otherwise manage tunnels within it.

## Revoke account certificate

Your account certificate (`cert.pem`) contains an API token which authorizes `cloudflared` to manage tunnels in your Cloudflare account. To revoke the account certificate, delete that API token:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **My Profile** \> **API Tokens**.
2. Find the **Cloudflare Tunnel API Token** or **Argo Tunnel API Token** for your zone and account.
3. Select the three dots > **Delete**.

Once this token is deleted, `cloudflared` can no longer use the old `cert.pem` file to read or edit tunnels in your account. To generate a new token and `cert.pem` file, run `cloudflared tunnel login`.

## Account-scoped roles

Minimum permissions needed to create, delete, and configure tunnels for an account:

* [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/roles-permissions/)

Additional permissions needed to [route traffic to a public hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) and to run `cloudflared tunnel login`:

* [DNS](https://developers.cloudflare.com/fundamentals/manage-members/roles/)
* [Load Balancer](https://developers.cloudflare.com/fundamentals/manage-members/roles/)


---

---
title: Useful commands
description: Reference information for Useful commands in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Useful commands

This page lists the most commonly used commands for managing local tunnels.

To view all CLI commands, refer to the CLI help text in your terminal. For example, to view all options for the `cloudflared tunnel` subcommand, type `cloudflared tunnel help`.

## Manage `cloudflared`

| Command             | Description                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| cloudflared update  | Looks for a new version on the official download server. If a new version exists, it updates the agent binary and quits. Otherwise, no action is performed. This command only works if cloudflared was installed from GitHub binaries or from source. For more information, refer to the [update instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/). |
| cloudflared version | Prints the cloudflared version number and build date.                                                                                                                                                                                                                                                                                                                                                                                 |
| cloudflared help    | Shows a list of all top-level commands for cloudflared.                                                                                                                                                                                                                                                                                                                                                                               |

## Manage tunnels

| Command | Description |
| --- | --- |
| `cloudflared tunnel login` | Opens a browser window where you authenticate `cloudflared` to your Cloudflare account and obtain `cert.pem`. |
| `cloudflared tunnel list` | Displays all active tunnels, their creation time, and associated connections. Use the `-d` flag to include deleted tunnels. |
| `cloudflared tunnel create <NAME>` | Creates a tunnel, registers it with the Cloudflare edge and generates a credentials file to run this tunnel. |
| `cloudflared tunnel --config path/config.yaml run <NAME or UUID>` | Runs a tunnel, creating highly available connections between your server and the Cloudflare edge. You can provide the name or UUID of the tunnel either as the last command-line argument or in the configuration file using `tunnel: <NAME>`. |
| `cloudflared tunnel info <NAME or UUID>` | Displays details about the active connectors for a given tunnel, identified by name or UUID. |
| `cloudflared tunnel cleanup <NAME or UUID>` | Deletes connections for tunnels with the given UUIDs or names. This is useful if you get an error trying to delete or run a tunnel after `cloudflared` was not shut down gracefully (for example, if a kill command was issued). |
| `cloudflared tunnel cleanup --connector-id <CONNECTOR-ID> <NAME or UUID>` | Disconnects and deletes a [cloudflared replica](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) with the given connector ID. You can view all replicas for a tunnel by running `cloudflared tunnel info <NAME or UUID>`. |
| `cloudflared tunnel delete <NAME or UUID>` | Deletes tunnels with the given name or UUID. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use the `-f` flag. |
| `cloudflared tail <UUID>` | Starts a session to livestream logs from a specific tunnel. For more information, refer to [Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/). |

## Manage published applications

| Command | Description |
| --- | --- |
| `cloudflared tunnel route dns <NAME or UUID> <hostname>` | Creates a DNS `CNAME` record for `<hostname>` that points to the tunnel. |
| `cloudflared tunnel route lb <NAME or UUID> <hostname> <load balancer pool>` | Adds a tunnel as an endpoint in a [load balancer pool](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/). A new load balancer and pool will be created if necessary. `<hostname>` is the public-facing hostname of the load balancer, for example `lb.example.com`; `<load balancer pool>` is the name of the [pool](https://developers.cloudflare.com/load-balancing/pools/create-pool/#create-a-pool) that will contain the tunnel endpoint. To load balance traffic to a [published application](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-published-applications), you will also need to specify the application hostname in the [endpoint host header](https://developers.cloudflare.com/load-balancing/additional-options/override-http-host-headers/) using the dashboard or API. |

## Manage private networks

| Command                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| cloudflared tunnel route ip add <IP/CIDR> <NAME or UUID> | Adds any network route space (represented as a CIDR) to your routing table. That network space becomes reachable for requests egressing from a user's machine as long as it is using the Cloudflare One Client and is enrolled in the same account that is running the tunnel chosen here. Further, those requests will be proxied to the specified tunnel, and reach an IP in the given CIDR, as long as that IP is reachable from the tunnel. To assign the IP route to a specific [Virtual Network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/), use the `--vnet` option. |
| cloudflared tunnel route ip show (or list)               | Shows your organization's private routing table. You can use additional flags to filter the results.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| cloudflared tunnel route ip delete                       | Deletes the row for a given CIDR from your routing table. That portion of your network will no longer be reachable by the Cloudflare One Client.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| cloudflared tunnel route ip get <IP/CIDR>                | Checks which row of the routing table will be used to proxy a given IP. This helps check and validate your configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| cloudflared tunnel vnet add <NAME or UUID>               | Creates a Virtual Network to which IP routes can be assigned. To make this Virtual Network the default for your Zero Trust organization, use the `-d` flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| cloudflared tunnel vnet delete <NAME or UUID>            | Deletes the Virtual Network with the given name or UUID. Before you can delete a Virtual Network, you must first delete all IP routes assigned to the Virtual Network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| cloudflared tunnel vnet list                             | Displays all active Virtual Networks, the default Virtual Network, and their creation times.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
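The commands in the table above all edit one account-wide private routing table, and the effect of overlapping CIDRs and virtual networks is easy to misjudge. The following Python model is added here as an illustration; it is not cloudflared source. It mimics what `route ip add`, `route ip delete`, `route ip get`, `vnet add` and `vnet delete` do to that table so you can reason about which row a given IP resolves to. It assumes that overlapping routes resolve by longest matching prefix within a single virtual network and that routes in other virtual networks never match; the tunnel names, virtual network names and CIDRs in `demo()` are hypothetical. The authoritative check against your real table remains `cloudflared tunnel route ip get <IP>`.

```python
"""Model of the private routing table edited by the cloudflared commands above.

Added illustration, not cloudflared source. Tunnel names, virtual network
names and CIDRs used in demo() are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    """One row: a CIDR bound to a tunnel inside a virtual network."""
    cidr: IPNetwork
    tunnel: str   # tunnel name or UUID
    vnet: str


class RoutingTable:
    """Mimics the account-wide table that `cloudflared tunnel route ip ...` edits."""

    def __init__(self, default_vnet: str = "default") -> None:
        self.default_vnet = default_vnet
        self.vnets: Set[str] = {default_vnet}
        self.routes: List[Route] = []

    # cloudflared tunnel vnet add <NAME> [-d]
    def vnet_add(self, name: str, make_default: bool = False) -> None:
        if name in self.vnets:
            raise ValueError(f"virtual network {name!r} already exists")
        self.vnets.add(name)
        if make_default:
            self.default_vnet = name

    # cloudflared tunnel vnet delete <NAME>: refused while routes still reference it
    def vnet_delete(self, name: str) -> None:
        assigned = [r for r in self.routes if r.vnet == name]
        if assigned:
            raise ValueError(f"{len(assigned)} route(s) still assigned to {name!r}; delete them first")
        self.vnets.remove(name)   # KeyError for an unknown virtual network

    # cloudflared tunnel route ip add <IP/CIDR> <NAME or UUID> [--vnet <vnet>]
    def route_add(self, cidr: str, tunnel: str, vnet: Optional[str] = None) -> Route:
        net = ipaddress.ip_network(cidr)   # strict: "10.1.2.3/16" (host bits set) is rejected
        vnet = vnet or self.default_vnet
        if vnet not in self.vnets:
            raise KeyError(f"unknown virtual network {vnet!r}")
        for r in self.routes:
            if r.vnet == vnet and r.cidr == net:
                raise ValueError(f"{net} is already routed to {r.tunnel!r} in {vnet!r}")
        route = Route(net, tunnel, vnet)
        self.routes.append(route)
        return route

    # cloudflared tunnel route ip delete <IP/CIDR> [--vnet <vnet>]
    def route_delete(self, cidr: str, vnet: Optional[str] = None) -> None:
        net = ipaddress.ip_network(cidr)
        vnet = vnet or self.default_vnet
        kept = [r for r in self.routes if not (r.vnet == vnet and r.cidr == net)]
        if len(kept) == len(self.routes):
            raise KeyError(f"no route {net} in {vnet!r}")
        self.routes = kept

    # cloudflared tunnel route ip get <IP> [--vnet <vnet>]
    def route_get(self, ip: str, vnet: Optional[str] = None) -> Optional[Route]:
        """Row that would proxy `ip`: the longest matching prefix within one virtual
        network (assumed resolution rule); rows in other virtual networks never match."""
        addr = ipaddress.ip_address(ip)
        vnet = vnet or self.default_vnet
        hits = [r for r in self.routes if r.vnet == vnet and addr in r.cidr]
        return max(hits, key=lambda r: r.cidr.prefixlen) if hits else None

    # cloudflared tunnel route ip show [--vnet <vnet>]
    def route_show(self, vnet: Optional[str] = None) -> List[Route]:
        return [r for r in self.routes if vnet is None or r.vnet == vnet]


def demo() -> RoutingTable:
    """Constructed scenario: prod and staging reuse the same RFC 1918 space."""
    table = RoutingTable()
    table.vnet_add("prod")
    table.vnet_add("staging")
    table.route_add("10.0.0.0/8", "tun-prod", vnet="prod")
    table.route_add("10.1.0.0/16", "tun-prod-dc1", vnet="prod")    # more specific: wins for 10.1.x.x
    table.route_add("10.0.0.0/8", "tun-staging", vnet="staging")   # same CIDR, other vnet: allowed
    return table


if __name__ == "__main__":
    table = demo()
    for ip, vnet in [("10.1.2.3", "prod"), ("10.200.0.1", "prod"), ("10.1.2.3", "staging"), ("10.1.2.3", None)]:
        hit = table.route_get(ip, vnet)
        print(f"{ip} in {vnet or table.default_vnet}: " + (f"{hit.cidr} -> {hit.tunnel}" if hit else "no route"))
```

The model deliberately refuses the two mistakes the table warns about: adding a CIDR with host bits set, and deleting a virtual network that still has routes assigned. Running it prints, for the constructed scenario, that `10.1.2.3` reaches `tun-prod-dc1` in `prod` (the `/16` beats the `/8`), `tun-staging` in `staging`, and nothing at all in the default virtual network, which has no routes.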


---

---
title: Quick Tunnels
description: How Quick Tunnels works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Quick Tunnels

Note

Quick Tunnels are intended for testing and development only. For production use, [create a remotely-managed tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/).

Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. TryCloudflare will launch a process that generates a random subdomain on `trycloudflare.com`. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost.

## Use TryCloudflare

1. Follow [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) to install `cloudflared`. If you have an older copy, update to 2020.5.1 or later.
2. Launch a web server that is available over localhost to `cloudflared`.
3. Run the following terminal command to start a free tunnel.

```
cloudflared tunnel --url http://localhost:8080
```

`cloudflared` will generate a random subdomain when connecting to the Cloudflare network and print it in the terminal for you to use and share. The tunnel then serves traffic from the server on your local machine to the public Internet at that URL. Nothing sits in front of that URL to authenticate visitors: anyone who learns the hostname can reach your local server, so only expose services that are safe to share or that enforce their own access control.

Note

TryCloudflare quick tunnels are currently not supported if a `config.yaml` configuration file is present in the `.cloudflared` directory. It may be necessary to rename that file temporarily to use the feature.
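The steps above are easy to automate, which is the typical use of a Quick Tunnel in a test harness (for example, handing the public URL to a webhook sender during an integration test). The script below is an example added here, not cloudflared's own code. It starts the same `cloudflared tunnel --url` command as a subprocess and extracts the randomly generated `trycloudflare.com` hostname from cloudflared's log output. It assumes `cloudflared` is on `PATH` and that cloudflared writes its log to standard error; `SAMPLE_LOG` is a constructed banner that only approximates the real one, and the parser relies on nothing beyond the `https://<random>.trycloudflare.com` shape of the URL. Keep in mind that the URL it returns is publicly reachable for as long as the process runs.

```python
"""Start a TryCloudflare quick tunnel from a script and capture its public URL.

Added example, not cloudflared code. Assumes `cloudflared` is on PATH and logs
to stderr. SAMPLE_LOG is constructed to resemble cloudflared's banner; it is
not a verbatim log.
"""
import queue
import re
import subprocess
import threading
import time
from typing import Iterable, Optional, Tuple

QUICK_TUNNEL_URL = re.compile(r"https://[a-z0-9-]+\.trycloudflare\.com")

# Constructed sample output (shape only), used for offline parsing checks.
SAMPLE_LOG = """\
2024-01-10T10:00:00Z INF Requesting new quick Tunnel on trycloudflare.com...
2024-01-10T10:00:01Z INF +------------------------------------------------------+
2024-01-10T10:00:01Z INF |  Your quick Tunnel has been created! Visit it at:    |
2024-01-10T10:00:01Z INF |  https://example-words-here.trycloudflare.com        |
2024-01-10T10:00:01Z INF +------------------------------------------------------+
"""


def extract_quick_tunnel_url(lines: Iterable[str]) -> Optional[str]:
    """Return the first trycloudflare.com URL found in the log lines, or None."""
    for line in lines:
        match = QUICK_TUNNEL_URL.search(line)
        if match:
            return match.group(0)
    return None


def start_quick_tunnel(local_url: str = "http://localhost:8080",
                       timeout: float = 30.0) -> Tuple[subprocess.Popen, str]:
    """Run `cloudflared tunnel --url <local_url>` and wait for its public URL.

    A reader thread feeds cloudflared's stderr into a queue so the wait can be
    bounded by `timeout`. Returns the process (keep it alive while the tunnel is
    needed, then call .terminate()) together with the public URL.
    """
    proc = subprocess.Popen(
        ["cloudflared", "tunnel", "--url", local_url],
        stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True,
    )
    lines: "queue.Queue[Optional[str]]" = queue.Queue()

    def pump() -> None:
        assert proc.stderr is not None
        for line in proc.stderr:
            lines.put(line)
        lines.put(None)   # EOF: cloudflared exited

    threading.Thread(target=pump, daemon=True).start()

    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            proc.terminate()
            raise TimeoutError(f"no trycloudflare.com URL within {timeout}s")
        try:
            line = lines.get(timeout=remaining)
        except queue.Empty:
            continue
        if line is None:
            raise RuntimeError(f"cloudflared exited with status {proc.wait()} before publishing a URL")
        url = extract_quick_tunnel_url([line])
        if url:
            return proc, url


if __name__ == "__main__":
    tunnel, url = start_quick_tunnel()
    print(f"public URL: {url}  (reachable by anyone who learns it; Ctrl-C to stop)")
    try:
        tunnel.wait()
    except KeyboardInterrupt:
        tunnel.terminate()
```

If cloudflared exits early (for instance because a `config.yaml` is present in `.cloudflared`, as the note above describes), the reader thread reaches EOF and `start_quick_tunnel` raises with the exit status instead of hanging until the timeout.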

## FAQ

### What are some example use cases for TryCloudflare?

* Create a web server for a project on your laptop that you want to share with others on different networks
* Test browser compatibility for a new site by creating a free Tunnel and testing the link in different browsers
* Run speed tests from different regions by using a tool like Pingdom or WebPageTest to connect to the randomly-generated subdomain created by TryCloudflare

### Why does Cloudflare provide this service for free?

* We want more users to experience the speed and security improvements of Cloudflare Tunnel. We hope you test it with TryCloudflare and decide to add it to your production sites.
* Cloudflare's features historically require you to own a domain, set that domain's DNS to Cloudflare's nameservers, and configure its DNS records before you can begin to use any services. We hope to make more and more of our products available to trial without that burden.
* We don't guarantee any SLA or uptime of TryCloudflare - we plan to test new Cloudflare Tunnel features and improvements on these free tunnels. This provides us with a group of connections to test before we deploy to production customers. Free tunnels are meant to be used for testing and development, not for deploying a production website.

### Limitations

* Quick Tunnels are subject to a hard limit on the number of concurrent requests that can be proxied at any point in time. Currently, this limit is 200 in-flight requests. If a Quick Tunnel hits this limit, the HTTP response will return a `429` status code.
* Quick Tunnels do not support Server-Sent Events (SSE).

These limitations only apply to Quick Tunnels. To avoid these limitations, [sign up ↗](https://dash.cloudflare.com/sign-up) for a Cloudflare account and [create a Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/).

### Legal

Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept the terms of the [Cloudflare License](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/license/), [Terms ↗](https://www.cloudflare.com/terms/) and [Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/).


---

---
title: Downloads
description: Reference information for Downloads in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Downloads

Cloudflare Tunnel requires the installation of a lightweight server-side daemon, `cloudflared`, to connect your infrastructure to Cloudflare. If you are [creating a tunnel through the dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/), you can simply copy-paste the installation command shown in the dashboard.

To download and install `cloudflared` manually, use one of the following links.

## GitHub repository

`cloudflared` is an [open source project ↗](https://github.com/cloudflare/cloudflared) maintained by Cloudflare.

* [All releases ↗](https://github.com/cloudflare/cloudflared/releases)
* [Release notes ↗](https://github.com/cloudflare/cloudflared/blob/master/RELEASE_NOTES)

## Latest release

### Linux

You can download and install `cloudflared` via the [Cloudflare Package Repository ↗](https://pkg.cloudflare.com/).

Alternatively, download the latest release directly:

| Type   | amd64 / x86-64                                                                                                  | x86 (32-bit)                                                                                               | ARM                                                                                                        | ARM64                                                                                                          |
| ------ | --------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| Binary | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64)        | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-386)     | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm)     | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64)       |
| .deb   | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb)    | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-386.deb) | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm.deb) | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb)   |
| .rpm   | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm)   | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-386.rpm) | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm.rpm) | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-aarch64.rpm) |

### macOS

Download and install `cloudflared` via Homebrew:

```
brew install cloudflared
```

Alternatively, download the [latest Darwin arm64 release ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-arm64.tgz) or [latest Darwin amd64 release ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-amd64.tgz) directly.

### Windows

Download and install `cloudflared` via [winget ↗](https://learn.microsoft.com/en-us/windows/package-manager/winget/):

```
winget install --id Cloudflare.cloudflared
```

Alternatively, download the latest release directly:

| Type       | 32-bit                                                                                                       | 64-bit                                                                                                         |
| ---------- | ------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------- |
| Executable | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-386.exe) | [Download ↗](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe) |

Note

Instances of `cloudflared` do not automatically update on Windows. You will need to perform manual updates.

### Docker

A Docker image of `cloudflared` is [available on DockerHub ↗](https://hub.docker.com/r/cloudflare/cloudflared).

## Deprecated releases

Cloudflare supports versions of `cloudflared` that are within one year of the most recent release. Breaking changes unrelated to feature availability may be introduced that impact versions released more than one year ago. For example, as of January 2023, Cloudflare supported `cloudflared` versions from 2022.1.1 through 2023.1.1.

To update `cloudflared`, refer to [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).


---

---
title: Copyrights
description: View associated copyrights.
image: https://developers.cloudflare.com/zt-preview.png
---

# Copyrights

---

[https://github.com/BurntSushi/toml ↗](https://github.com/BurntSushi/toml)

The MIT License (MIT)

Copyright (c) 2013 TOML authors

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

---

[https://github.com/Sirupsen/logrus ↗](https://github.com/Sirupsen/logrus)

The MIT License (MIT)

Copyright (c) 2014 Simon Eskildsen

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

---

[https://github.com/beorn7/perks/ ↗](https://github.com/beorn7/perks/)

Copyright (C) 2013 Blake Mizerany

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

---

[https://github.com/certifi/gocertifi ↗](https://github.com/certifi/gocertifi)

This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at [http://mozilla.org/MPL/2.0/ ↗](http://mozilla.org/MPL/2.0/).

---

[https://github.com/coreos/go-oidc/ ↗](https://github.com/coreos/go-oidc/) [https://github.com/coreos/go-systemd/ ↗](https://github.com/coreos/go-systemd/)

Apache License, Version 2.0, January 2004, [http://www.apache.org/licenses/ ↗](http://www.apache.org/licenses/)

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.  
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.  
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.  
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.  
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.  
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.  
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.  
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).  
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.  
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."  
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:  
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and  
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and  
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and  
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.  
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

```
  To apply the Apache License to your work, attach the following
  boilerplate notice, with the fields enclosed by brackets "{}"
  replaced with your own identifying information. (Don't include
  the brackets!)  The text should be enclosed in the appropriate
  comment syntax for the file format. We also recommend that a
  file or class name and description of purpose be included on the
  same "printed page" as the copyright notice for easier
  identification within third-party archives.
```

Copyright \[yyyy\] \[name of copyright owner\]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

```
   http://www.apache.org/licenses/LICENSE-2.0
```

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

---

[https://github.com/facebookgo/grace ↗](https://github.com/facebookgo/grace)

BSD License

For grace software

Copyright (c) 2015, Facebook, Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name Facebook nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---

[https://github.com/getsentry/raven-go ↗](https://github.com/getsentry/raven-go)

Copyright (c) 2013 Apollic Software, LLC. All rights reserved.  
Copyright (c) 2015 Functional Software, Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Apollic Software, LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---

[https://github.com/glycerine/rbtree ↗](https://github.com/glycerine/rbtree)

Copyright (C) 2012 Yasushi Saito

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

---

[https://github.com/golang/protobuf ↗](https://github.com/golang/protobuf)

Go support for Protocol Buffers - Google's data interchange format

Copyright 2010 The Go Authors. All rights reserved.  
[https://github.com/golang/protobuf ↗](https://github.com/golang/protobuf)

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---

[https://github.com/lib/pq ↗](https://github.com/lib/pq)

Copyright (c) 2011-2013, 'pq' Contributors  
Portions Copyright (C) 2011 Blake Mizerany

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

---

[https://godoc.org/github.com/matttproud/golang\_protobuf\_extensions/pbutil ↗](https://godoc.org/github.com/matttproud/golang_protobuf_extensions/pbutil)

```
                             Apache License
                       Version 2.0, January 2004
                    http://www.apache.org/licenses/
```

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.  
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.  
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.  
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.  
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.  
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.  
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.  
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).  
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.  
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."  
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:  
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and  
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and  
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and  
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.  
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

```
  To apply the Apache License to your work, attach the following
  boilerplate notice, with the fields enclosed by brackets "{}"
  replaced with your own identifying information. (Don't include
  the brackets!)  The text should be enclosed in the appropriate
  comment syntax for the file format. We also recommend that a
  file or class name and description of purpose be included on the
  same "printed page" as the copyright notice for easier
  identification within third-party archives.
```

Copyright \[yyyy\] \[name of copyright owner\]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

```
   http://www.apache.org/licenses/LICENSE-2.0
```

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

---

[https://github.com/mitchellh/go-homedir ↗](https://github.com/mitchellh/go-homedir)

The MIT License (MIT)

Copyright (c) 2013 Mitchell Hashimoto

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

---

[https://github.com/pkg/errors ↗](https://github.com/pkg/errors)

Copyright (c) 2015, Dave Cheney [dave@cheney.net](mailto:dave@cheney.net)  
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---

[https://github.com/prometheus/client\_golang ↗](https://github.com/prometheus/client%5Fgolang)  
[https://github.com/prometheus/client\_model ↗](https://github.com/prometheus/client%5Fmodel)  
[https://github.com/prometheus/common ↗](https://github.com/prometheus/common)  
[https://github.com/prometheus/procfs ↗](https://github.com/prometheus/procfs)

```
                             Apache License
                       Version 2.0, January 2004
                    http://www.apache.org/licenses/
```

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.  
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.  
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.  
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.  
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.  
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.  
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.  
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).  
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.  
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."  
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:  
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and  
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and  
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and  
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.  
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

```
  To apply the Apache License to your work, attach the following
  boilerplate notice, with the fields enclosed by brackets "[]"
  replaced with your own identifying information. (Don't include
  the brackets!)  The text should be enclosed in the appropriate
  comment syntax for the file format. We also recommend that a
  file or class name and description of purpose be included on the
  same "printed page" as the copyright notice for easier
  identification within third-party archives.
```

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

```
   http://www.apache.org/licenses/LICENSE-2.0
```

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

---

[https://github.com/urfave/cli ↗](https://github.com/urfave/cli)

MIT License

Copyright (c) 2016 Jeremy Saenz & Contributors

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

---

[https://github.com/go-yaml/yaml ↗](https://github.com/go-yaml/yaml)

```
                             Apache License
                       Version 2.0, January 2004
                    http://www.apache.org/licenses/
```

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.  
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.  
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.  
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.  
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.  
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.  
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.  
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).  
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.  
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."  
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:  
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and  
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and  
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and  
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.  
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

```
  To apply the Apache License to your work, attach the following
  boilerplate notice, with the fields enclosed by brackets "{}"
  replaced with your own identifying information. (Don't include
  the brackets!)  The text should be enclosed in the appropriate
  comment syntax for the file format. We also recommend that a
  file or class name and description of purpose be included on the
  same "printed page" as the copyright notice for easier
  identification within third-party archives.
```

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

```
   http://www.apache.org/licenses/LICENSE-2.0
```

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

---

[https://zombiezen.com/go/capnproto2 ↗](https://zombiezen.com/go/capnproto2)

go-capnproto is licensed under the terms of the MIT license reproduced below.

===============================================================================

Copyright (C) 2014 the go-capnproto authors and contributors.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

===============================================================================


---

---
title: License
description: Reference information for License in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# License

Apache License, Version 2.0, January 2004 ([http://www.apache.org/licenses/ ↗](http://www.apache.org/licenses/))

```
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

  "License" shall mean the terms and conditions for use, reproduction,
  and distribution as defined by Sections 1 through 9 of this document.

  "Licensor" shall mean the copyright owner or entity authorized by
  the copyright owner that is granting the License.

  "Legal Entity" shall mean the union of the acting entity and all
  other entities that control, are controlled by, or are under common
  control with that entity. For the purposes of this definition,
  "control" means (i) the power, direct or indirect, to cause the
  direction or management of such entity, whether by contract or
  otherwise, or (ii) ownership of fifty percent (50%) or more of the
  outstanding shares, or (iii) beneficial ownership of such entity.

  "You" (or "Your") shall mean an individual or Legal Entity
  exercising permissions granted by this License.

  "Source" form shall mean the preferred form for making modifications,
  including but not limited to software source code, documentation
  source, and configuration files.

  "Object" form shall mean any form resulting from mechanical
  transformation or translation of a Source form, including but
  not limited to compiled object code, generated documentation,
  and conversions to other media types.

  "Work" shall mean the work of authorship, whether in Source or
  Object form, made available under the License, as indicated by a
  copyright notice that is included in or attached to the work
  (an example is provided in the Appendix below).

  "Derivative Works" shall mean any work, whether in Source or Object
  form, that is based on (or derived from) the Work and for which the
  editorial revisions, annotations, elaborations, or other modifications
  represent, as a whole, an original work of authorship. For the purposes
  of this License, Derivative Works shall not include works that remain
  separable from, or merely link (or bind by name) to the interfaces of,
  the Work and Derivative Works thereof.

  "Contribution" shall mean any work of authorship, including
  the original version of the Work and any modifications or additions
  to that Work or Derivative Works thereof, that is intentionally
  submitted to Licensor for inclusion in the Work by the copyright owner
  or by an individual or Legal Entity authorized to submit on behalf of
  the copyright owner. For the purposes of this definition, "submitted"
  means any form of electronic, verbal, or written communication sent
  to the Licensor or its representatives, including but not limited to
  communication on electronic mailing lists, source code control systems,
  and issue tracking systems that are managed by, or on behalf of, the
  Licensor for the purpose of discussing and improving the Work, but
  excluding communication that is conspicuously marked or otherwise
  designated in writing by the copyright owner as "Not a Contribution."

  "Contributor" shall mean Licensor and any individual or Legal Entity
  on behalf of whom a Contribution has been received by Licensor and
  subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of
  this License, each Contributor hereby grants to You a perpetual,
  worldwide, non-exclusive, no-charge, royalty-free, irrevocable
  copyright license to reproduce, prepare Derivative Works of,
  publicly display, publicly perform, sublicense, and distribute the
  Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of
  this License, each Contributor hereby grants to You a perpetual,
  worldwide, non-exclusive, no-charge, royalty-free, irrevocable
  (except as stated in this section) patent license to make, have made,
  use, offer to sell, sell, import, and otherwise transfer the Work,
  where such license applies only to those patent claims licensable
  by such Contributor that are necessarily infringed by their
  Contribution(s) alone or by combination of their Contribution(s)
  with the Work to which such Contribution(s) was submitted. If You
  institute patent litigation against any entity (including a
  cross-claim or counterclaim in a lawsuit) alleging that the Work
  or a Contribution incorporated within the Work constitutes direct
  or contributory patent infringement, then any patent licenses
  granted to You under this License for that Work shall terminate
  as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the
  Work or Derivative Works thereof in any medium, with or without
  modifications, and in Source or Object form, provided that You
  meet the following conditions:

  (a) You must give any other recipients of the Work or
      Derivative Works a copy of this License; and

  (b) You must cause any modified files to carry prominent notices
      stating that You changed the files; and

  (c) You must retain, in the Source form of any Derivative Works
      that You distribute, all copyright, patent, trademark, and
      attribution notices from the Source form of the Work,
      excluding those notices that do not pertain to any part of
      the Derivative Works; and

  (d) If the Work includes a "NOTICE" text file as part of its
      distribution, then any Derivative Works that You distribute must
      include a readable copy of the attribution notices contained
      within such NOTICE file, excluding those notices that do not
      pertain to any part of the Derivative Works, in at least one
      of the following places: within a NOTICE text file distributed
      as part of the Derivative Works; within the Source form or
      documentation, if provided along with the Derivative Works; or,
      within a display generated by the Derivative Works, if and
      wherever such third-party notices normally appear. The contents
      of the NOTICE file are for informational purposes only and
      do not modify the License. You may add Your own attribution
      notices within Derivative Works that You distribute, alongside
      or as an addendum to the NOTICE text from the Work, provided
      that such additional attribution notices cannot be construed
      as modifying the License.

  You may add Your own copyright statement to Your modifications and
  may provide additional or different license terms and conditions
  for use, reproduction, or distribution of Your modifications, or
  for any such Derivative Works as a whole, provided Your use,
  reproduction, and distribution of the Work otherwise complies with
  the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise,
  any Contribution intentionally submitted for inclusion in the Work
  by You to the Licensor shall be under the terms and conditions of
  this License, without any additional terms or conditions.
  Notwithstanding the above, nothing herein shall supersede or modify
  the terms of any separate license agreement you may have executed
  with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade
  names, trademarks, service marks, or product names of the Licensor,
  except as required for reasonable and customary use in describing the
  origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or
  agreed to in writing, Licensor provides the Work (and each
  Contributor provides its Contributions) on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
  implied, including, without limitation, any warranties or conditions
  of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
  PARTICULAR PURPOSE. You are solely responsible for determining the
  appropriateness of using or redistributing the Work and assume any
  risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory,
  whether in tort (including negligence), contract, or otherwise,
  unless required by applicable law (such as deliberate and grossly
  negligent acts) or agreed to in writing, shall any Contributor be
  liable to You for damages, including any direct, indirect, special,
  incidental, or consequential damages of any character arising as a
  result of this License or out of the use or inability to use the
  Work (including but not limited to damages for loss of goodwill,
  work stoppage, computer failure or malfunction, or any and all
  other commercial damages or losses), even if such Contributor
  has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing
  the Work or Derivative Works thereof, You may choose to offer,
  and charge a fee for, acceptance of support, warranty, indemnity,
  or other liability obligations and/or rights consistent with this
  License. However, in accepting such obligations, You may act only
  on Your own behalf and on Your sole responsibility, not on behalf
  of any other Contributor, and only if You agree to indemnify,
  defend, and hold each Contributor harmless for any liability
  incurred by, or claims asserted against, such Contributor by reason
  of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

  To apply the Apache License to your work, attach the following
  boilerplate notice, with the fields enclosed by brackets "[]"
  replaced with your own identifying information. (Don't include
  the brackets!)  The text should be enclosed in the appropriate
  comment syntax for the file format. We also recommend that a
  file or class name and description of purpose be included on the
  same "printed page" as the copyright notice for easier
  identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```

## Runtime Library Exception to the Apache 2.0 License:

```
As an exception, if you use this Software to compile your source code and
portions of this Software are embedded into the binary product as a result,
you may redistribute such product without providing attribution as would
otherwise be required by Sections 4(a), 4(b) and 4(d) of the License.
```


---

---
title: Update cloudflared
description: Update cloudflared in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Update cloudflared

Updating `cloudflared` restarts the process, which interrupts any traffic it is serving at that moment. You can perform zero-downtime upgrades by using Cloudflare's [Load Balancer product](#update-with-cloudflare-load-balancer) or by running [multiple `cloudflared` instances](#update-with-multiple-cloudflared-instances).

## Update the `cloudflared` service

Refer to the following commands to update `cloudflared` for a remotely-managed tunnel or a locally-managed tunnel. Locally-managed tunnels must be set up to [run as a service](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/as-a-service/) for the following commands to execute successfully.

**Windows:**

Run the following command:

PowerShell

```
cloudflared update
```

After `cloudflared update` has replaced the binary, the service must be restarted for the new version to take effect. Run:

PowerShell

```
net start cloudflared
```

`net start` only starts a service that is stopped; if it reports that the service has already been started, run `net stop cloudflared` first. Confirm the running version with `cloudflared --version`.

**macOS:**

1. Update the `cloudflared` package:

Terminal window

```
brew upgrade cloudflared
```

2. Restart the service:

Terminal window

```
sudo launchctl stop com.cloudflare.cloudflared
sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
sudo launchctl start com.cloudflare.cloudflared
```

**Debian:**

**If installed via apt:**

1. Update the `cloudflared` package:

Terminal window

```
sudo apt-get update && sudo apt-get install --only-upgrade cloudflared
```

2. Restart the service:

Terminal window

```
sudo systemctl restart cloudflared.service
```

**If installed via `dpkg -i`:**

Use the following commands if you installed `cloudflared` from a downloaded `.deb` with `dpkg`. Note that `dpkg -i` performs no signature check on the package: this route trusts the TLS connection to GitHub alone, whereas the apt route verifies the repository's signature, so prefer the apt route wherever the Cloudflare repository is available.

You can check whether `cloudflared` was installed by a package manager by running `ls -la /usr/local/etc/cloudflared/` and looking for `.installedFromPackageManager` in the output.

1. Update the `cloudflared` package:

Terminal window

```
curl --location --output cloudflared.deb "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-$(dpkg --print-architecture).deb" && sudo dpkg -i cloudflared.deb
```

2. Restart the service:

Terminal window

```
sudo systemctl restart cloudflared.service
```

**Red Hat:**

1. Update the `cloudflared` package:

Terminal window

```
sudo yum update cloudflared
```

2. Restart the service:

Terminal window

```
sudo systemctl restart cloudflared.service
```

**Docker:**

**If you created a remotely-managed tunnel using the dashboard:**

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select your tunnel and select **Edit**.
3. Select **Docker** and copy the installation command shown in the dashboard. The copied command will contain your token.
4. Paste this command into a terminal window.

This command creates a new container from the latest `cloudflared` image. You can now delete the old container.

Warning

Cloudflare recommends creating remotely-managed tunnels when working with Docker.

**If you created a remotely or locally-managed tunnel using the API, run the following command:**

Terminal window

```
docker run --pull always cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TOKEN>
```

The tunnel token is a credential: passed on the command line it is readable by anyone who can run `docker inspect` on the container or view the process list on the host, so treat the command (and the shell history it lands in) accordingly.

**If you created a locally-managed tunnel using the CLI:**

1. Mount your local `.cloudflared` directory into the Docker container using a volume.
2. Run the following command to update `cloudflared`:

Terminal window

```
docker run --pull always -v <PATH-TO-YOUR-LOCAL-CLOUDFLARED>:/home/nonroot/.cloudflared cloudflare/cloudflared:latest tunnel --no-autoupdate run <TUNNEL-ID>
```

If you installed `cloudflared` from GitHub-provided binaries or from source, run the following command:

Terminal window

```
cloudflared update
```

If you installed `cloudflared` with a package manager, you must update it using the same package manager. 


## Update with Cloudflare Load Balancer

You can update `cloudflared` without downtime by using Cloudflare's Load Balancer product with your Cloudflare Tunnel deployment.

1. Install a new instance of `cloudflared` and [create](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/) a new Tunnel.
2. Configure the instance to point traffic to the same locally-available service as your current, active instance of `cloudflared`.
3. [Add the address](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/) of the new instance of `cloudflared` into your Load Balancer pool as priority 2.
4. Swap the priority such that the new instance is now priority 1 and monitor to confirm traffic is being served.
5. Once confirmed, you can remove the older version from the Load Balancer pool.

## Update with multiple `cloudflared` instances

If you are not using Cloudflare's Load Balancer, you can use multiple instances of `cloudflared` to update without the risk of downtime.

1. Install a new instance of `cloudflared` and [create](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/) a new Tunnel.
2. Configure the instance to point traffic to the same locally-available service as your current, active instance of `cloudflared`.
3. In the Cloudflare DNS dashboard, [replace](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) the address of the current instance of `cloudflared` with the address of the new instance. Save the record.
4. Remove the now-inactive instance of `cloudflared`.

Traffic handling

When the old replica is stopped, it will drop long-lived HTTP requests (for example, WebSocket) and TCP connections (for example, SSH). UDP flows will also be dropped, as they are modeled based on timeouts. When the new replica connects, it will handle all new traffic, including new HTTP requests, TCP connections, and UDP flows.

### Run multiple instances in Windows

Windows systems require services to have a unique name and display name. You can run multiple instances of `cloudflared` by creating `cloudflared` services with unique names.

1. Install and configure `cloudflared`.
2. Next, create a service with a unique name and point to the `cloudflared` executable and configuration file.

PowerShell

```
# sc.exe requires a space after each "option=" and takes the full command line,
# including --config, from the quoted binPath value.
sc.exe create <unique-name> binPath= "<path-to-exe> --config <path-to-config>" displayname= "Unique Name"
```

3. Proceed to create additional services with unique names.
4. You can now start each unique service.

PowerShell

```
sc.exe start <unique-name>
```


---

---
title: Create a tunnel (dashboard)
description: Create a tunnel (dashboard) in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Create a tunnel (dashboard)

Follow this step-by-step guide to create your first [remotely-managed tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/tunnel-useful-terms/#remotely-managed-tunnel) using Cloudflare One.

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

## 1\. Create a tunnel

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **Create a tunnel**.
3. Choose **Cloudflared** for the connector type and select **Next**.
4. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`).
5. Select **Save tunnel**.
6. Next, you will need to install `cloudflared` and run it. To do so, check that the environment under **Choose an environment** reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.
7. Once the command has finished running, your connector will appear in Cloudflare One.  
![Connector appearing in the UI after cloudflared has run](https://developers.cloudflare.com/_astro/connector.BnVS4T_M_ZxLFu6.webp)
8. Select **Next**.

The next steps depend on whether you want to [publish an application to the Internet](#2a-publish-an-application) or [connect a private network](#2b-connect-a-network).

## 2a. Publish an application

Follow these steps to publish an application to the Internet. If you are looking to connect a private resource, skip to the [Connect a network](#2b-connect-a-network) section.

Prerequisites

Before you publish an application through your tunnel, you must [add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/).

To add a published application when creating a new tunnel:

1. Go to the **Published applications** tab.
2. Enter a subdomain and select a **Domain** from the drop-down menu. Specify any subdomain or path information.

   Note

   If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#i-see-this-site-cant-provide-a-secure-connection).
3. Under **Service**, choose a [service type](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) and specify its URL. For example,  
   * **Type**: _HTTP_  
   * **URL**: `localhost:8000`
4. Under **Additional application settings**, specify any [parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/) you would like to add to your tunnel configuration.  
![Example of a published application route in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/published-app.CZQbD1Bb_ZFOOUB.webp)
5. Select **Save**.

Anyone on the Internet can now access the application at the specified hostname. To allow or block specific users, [create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/).

## 2b. Connect a network

To connect a private network through your tunnel:

1. Go to the **CIDR** tab.
2. In **CIDR**, enter the private IP address or CIDR range of your service (for example, `10.0.0.1` or `10.0.0.0/24`).
3. Select **Complete setup**.

`cloudflared` can now route traffic to these destination IPs. To configure Zero Trust policies and connect as a user, refer to [Connect an IP/CIDR](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/).

Note

If you would like to route to a private application using its hostname instead of its IP, refer to [Connect a private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/).

## 3\. View your tunnel

After saving the tunnel, you will be redirected to the **Networks** \> **Connectors** page. Your tunnel should be listed with a `Healthy` status. If your tunnel status is `Inactive`, `Down`, or `Degraded`, refer to the [troubleshooting documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#tunnel-status) for recommended next steps.


---

---
title: Create a tunnel (API)
description: Create a tunnel (API) in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Create a tunnel (API)

Follow this guide to set up a Cloudflare Tunnel using the API.

Tip

If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).

## 1\. Create an API token

[Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions:

| Type    | Item              | Permission |
| ------- | ----------------- | ---------- |
| Account | Cloudflare Tunnel | Edit       |
| Zone    | DNS               | Edit       |

## 2\. Create a tunnel

Make a `POST` request to the [Cloudflare Tunnel](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/methods/create/) endpoint:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Cloudflare One Connectors Write`
* `Cloudflare One Connector: cloudflared Write`
* `Cloudflare Tunnel Write`

Create a Cloudflare Tunnel

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "api-tunnel",
    "config_src": "cloudflare"
  }'
```

```
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "created_at": "2025-02-18T22:41:43.534395Z",
    "deleted_at": null,
    "name": "example-tunnel",
    "connections": [],
    "conns_active_at": null,
    "conns_inactive_at": "2025-02-18T22:41:43.534395Z",
    "tun_type": "cfd_tunnel",
    "metadata": {},
    "status": "inactive",
    "remote_config": true,
    "credentials_file": {
      "AccountTag": "699d98642c564d2e855e9661899b7252",
      "TunnelID": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
      "TunnelName": "api-tunnel",
      "TunnelSecret": "bTSquyUGwLQjYJn8cI8S1h6M6wUc2ajIeT7JotlxI7TqNqdKFhuQwX3O8irSnb=="
    },
    "token": "eyJhIjoiNWFiNGU5Z..."
  }
}
```

Copy the `id` and `token` values shown in the output. You will need these values to configure and run the tunnel.

The next steps depend on whether you want to [publish an application to the Internet](#3a-publish-an-application) or [connect a private network](#3b-connect-a-network).

## 3a. Publish an application

Before you publish an application through your tunnel, you must:

* [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/).
* [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/).

Follow these steps to publish an application to the Internet. If you are looking to connect a private resource, skip to the [Connect a network](#3b-connect-a-network) section.

1. Make a [PUT request](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/) to route your [local service URL](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) to a public hostname. For example,

   Required API token permissions

   At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `Cloudflare One Connectors Write`
   * `Cloudflare One Connector: cloudflared Write`
   * `Cloudflare Tunnel Write`

   Put configuration

   ```
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/configurations" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "config": {
           "ingress": [
               {
                   "hostname": "app.example.com",
                   "service": "http://localhost:8001",
                   "originRequest": {}
               },
               {
                   "service": "http_status:404"
               }
           ]
       }
     }'
   ```

   Note

   If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#i-see-this-site-cant-provide-a-secure-connection).

   Your ingress rules must include a catch-all rule at the end. In this example, `cloudflared` will respond with a 404 status code when the request does not match any of the previous hostnames.
2. [Create a DNS record](https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/create/) for your application:

   Required API token permissions

   At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `DNS Write`

   Create DNS Record

   ```
   curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "type": "CNAME",
       "proxied": true,
       "name": "app.example.com",
       "content": "c1744f8b-faa1-48a4-9e5c-02ac921467fa.cfargotunnel.com"
     }'
   ```

   This DNS record allows Cloudflare to proxy `app.example.com` traffic to your Cloudflare Tunnel (`<tunnel-id>.cfargotunnel.com`).

This application will be publicly available on the Internet once you [run the tunnel](#4-install-and-run-the-tunnel). To allow or block specific users, [create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/).

## 3b. Connect a network

To connect a private network through your tunnel, [add a tunnel route](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/create/):

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Cloudflare One Networks Write`
* `Cloudflare Tunnel Write`

Create a tunnel route

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "network": "172.16.0.0/16",
    "tunnel_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
    "comment": "Example private network route"
  }'
```

`cloudflared` can now route traffic to these destination IPs. To configure Zero Trust policies and connect as a user, refer to [Connect private networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/).

## 4\. Install and run the tunnel

Install `cloudflared` on your server and run the tunnel using the `token` value obtained in [2\. Create a tunnel](#2-create-a-tunnel). You can also get the tunnel token using the [Cloudflare Tunnel token](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/) endpoint.

**Linux:**

1. [Download and install ↗](https://pkg.cloudflare.com/index.html) `cloudflared`.
2. Run the following command:

   Terminal window

   ```
   sudo cloudflared service install <TUNNEL_TOKEN>
   ```

**Windows:**

1. [Download and install](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows) `cloudflared`.
2. Open Command Prompt as administrator.
3. Run the following command:

   ```
   cloudflared.exe service install <TUNNEL_TOKEN>
   ```

**macOS:**

1. [Download and install](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) `cloudflared`.
2. Open a terminal window and run the following command:

   Terminal window

   ```
   sudo cloudflared service install <TUNNEL_TOKEN>
   ```

**Docker:**

1. Open a terminal window.
2. Run the following command:

   Terminal window

   ```
   docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TUNNEL_TOKEN>
   ```

## 5\. Verify tunnel status

To check if the tunnel is serving traffic:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Cloudflare One Connectors Write`
* `Cloudflare One Connectors Read`
* `Cloudflare One Connector: cloudflared Write`
* `Cloudflare One Connector: cloudflared Read`
* `Cloudflare Tunnel Write`
* `Cloudflare Tunnel Read`

Get a Cloudflare Tunnel

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/c1744f8b-faa1-48a4-9e5c-02ac921467fa" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "created_at": "2025-02-18T22:41:43.534395Z",
    "deleted_at": null,
    "name": "example-tunnel",
    "connections": [
      {
        "colo_name": "bos01",
        "uuid": "2xz99mfm-a59e-4924-gyh9-z9vafaw6k0i2",
        "id": "2xz99mfm-a59e-4924-gyh9-z9vafaw6k0i2",
        "is_pending_reconnect": false,
        "origin_ip": "10.1.0.137",
        "opened_at": "2025-02-19T19:11:12.101642Z",
        "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a",
        "client_version": "2025.2.0"
      },
      {
        "colo_name": "phl01",
        "uuid": "axe2socu-2fb5-3akx-b860-898zyes3cs9q",
        "id": "axe2socu-2fb5-3akx-b860-898zyes3cs9q",
        "is_pending_reconnect": false,
        "origin_ip": "10.1.0.137",
        "opened_at": "2025-02-19T19:11:12.006297Z",
        "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a",
        "client_version": "2025.2.0"
      },
      {
        "colo_name": "phl01",
        "uuid": "9b5y0wm9-ca7f-ibq6-8ff4-sm53xekfyym1",
        "id": "9b5y0wm9-ca7f-ibq6-8ff4-sm53xekfyym1",
        "is_pending_reconnect": false,
        "origin_ip": "10.1.0.137",
        "opened_at": "2025-02-19T19:11:12.004721Z",
        "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a",
        "client_version": "2025.2.0"
      },
      {
        "colo_name": "bos01",
        "uuid": "g6cdeiz1-80f5-3akx-b18b-3y0ggktoxwkd",
        "id": "g6cdeiz1-80f5-3akx-b18b-3y0ggktoxwkd",
        "is_pending_reconnect": false,
        "origin_ip": "10.1.0.137",
        "opened_at": "2025-02-19T19:11:12.110765Z",
        "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a",
        "client_version": "2025.2.0"
      }
    ],
    "conns_active_at": "2025-02-19T19:11:12.004721Z",
    "conns_inactive_at": null,
    "tun_type": "cfd_tunnel",
    "metadata": {},
    "status": "healthy",
    "remote_config": true
  }
}
```

A healthy tunnel will have four connections to Cloudflare's network.
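The API steps above, driven end to end from one script: create the tunnel, apply an ingress configuration that is checked for the mandatory trailing catch-all before it is sent, add the proxied CNAME, and read the connection count back. This is an added example, not Cloudflare's code; it assumes `CLOUDFLARE_API_TOKEN`, `ACCOUNT_ID` and `ZONE_ID` in the environment, and the hostname and service values are constructed.

```python
"""Create, configure and verify a remotely-managed tunnel via the Cloudflare API.
Added example (not Cloudflare's code). Assumes CLOUDFLARE_API_TOKEN, ACCOUNT_ID
and ZONE_ID are set in the environment; endpoints are the ones shown above."""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def api(method, path, body=None):
    """Send one bearer-authenticated request and return the 'result' object."""
    token = os.environ["CLOUDFLARE_API_TOKEN"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        envelope = json.load(resp)
    if not envelope.get("success"):
        raise RuntimeError(f"{method} {path} failed: {envelope.get('errors')}")
    return envelope["result"]


def build_ingress(hostname, service):
    """Ingress rules for one public hostname plus the required catch-all."""
    return [
        {"hostname": hostname, "service": service, "originRequest": {}},
        {"service": "http_status:404"},  # catch-all: must be the last rule
    ]


def validate_ingress(rules):
    """Reject a config whose last rule is not a hostname-less catch-all,
    or that has a hostname-less rule anywhere else (it would shadow later rules)."""
    if not rules or "hostname" in rules[-1]:
        raise ValueError("last ingress rule must be a catch-all without a hostname")
    for rule in rules[:-1]:
        if "hostname" not in rule:
            raise ValueError("only the last ingress rule may omit a hostname")
    return True


def dns_record(hostname, tunnel_id):
    """Proxied CNAME pointing the hostname at <tunnel-id>.cfargotunnel.com."""
    return {"type": "CNAME", "proxied": True, "name": hostname,
            "content": f"{tunnel_id}.cfargotunnel.com"}


def tunnel_health(result):
    """Return (status, open connections, healthy?) from a GET cfd_tunnel result.
    A connected cloudflared instance holds four connections, as stated above."""
    conns = [c for c in result.get("connections", [])
             if not c.get("is_pending_reconnect")]
    status = result.get("status")
    return status, len(conns), status == "healthy" and len(conns) >= 4


def main():
    account, zone = os.environ["ACCOUNT_ID"], os.environ["ZONE_ID"]
    hostname, service = "app.example.com", "http://localhost:8001"  # constructed

    tunnel = api("POST", f"/accounts/{account}/cfd_tunnel",
                 {"name": "api-tunnel", "config_src": "cloudflare"})
    tunnel_id = tunnel["id"]
    run_token = tunnel["token"]  # credential: pass to cloudflared, never log it

    rules = build_ingress(hostname, service)
    validate_ingress(rules)
    api("PUT", f"/accounts/{account}/cfd_tunnel/{tunnel_id}/configurations",
        {"config": {"ingress": rules}})
    api("POST", f"/zones/{zone}/dns_records", dns_record(hostname, tunnel_id))
    print(f"tunnel {tunnel_id} configured; token received ({len(run_token)} chars)")

    status, n, ok = tunnel_health(api("GET", f"/accounts/{account}/cfd_tunnel/{tunnel_id}"))
    print(f"status={status} connections={n} healthy={ok}")


if __name__ == "__main__":
    main()
```

Until `cloudflared service install <TUNNEL_TOKEN>` has been run on the origin, the final check reports `inactive` with zero connections, matching the first response shown on this page.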


---

---
title: Useful terms
description: Reference information for Useful terms in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Useful terms

Review terminology for Cloudflare Tunnels.

## Tunnel

A tunnel is a secure, outbound-only pathway you can establish between your origin and Cloudflare's global network. Each tunnel you create will be assigned a [name](#tunnel-name) and a [UUID](#tunnel-uuid).

## Tunnel UUID

A tunnel UUID is an alphanumeric, unique ID assigned to a tunnel. The tunnel UUID can be used whenever you need to reference a specific tunnel.

## Tunnel name

A tunnel name is a unique, user-friendly identifier that you choose for a tunnel. Since a tunnel can proxy traffic to multiple services, tunnel names do not need to be hostnames. For example, you can assign your tunnel a name that represents your application/network, a particular server, or the cloud environment where it runs.

## Connector

The connector, referred to as `cloudflared`, establishes connectivity from your origin server to the Cloudflare global network. Each `cloudflared` instance creates four long-lived connections to at least two distinct data centers within Cloudflare's global network. This built-in redundancy means that if an individual connection, server, or data center goes down, your origin remains available.

## Replica

A replica is an additional instance of `cloudflared` running the same tunnel on a different host. You can create and configure a tunnel once, then run it through multiple replicas for redundancy. DNS records and Cloudflare Load Balancers continue to point to the tunnel (`UUID.cfargotunnel.com`), while Cloudflare distributes traffic across the available replicas. There is no guarantee about which replica will be chosen — Cloudflare routes to the geographically closest one. Replicas are typically deployed to keep a tunnel available if a host running `cloudflared` goes offline.

## Remotely-managed tunnel

A remotely-managed tunnel is a [tunnel](#tunnel) that was created in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**. Tunnel configuration is stored in Cloudflare, which allows you to manage the tunnel from the dashboard or using the [API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/get/).

## Locally-managed tunnel

A locally-managed tunnel is a [tunnel](#tunnel) that was created by running `cloudflared tunnel create <NAME>` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory). For terminology specific to locally-managed tunnels, refer to the [Locally-managed tunnel glossary](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/local-tunnel-terms/).

## Quick tunnels

Quick tunnels, when run, will generate a URL that consists of a random subdomain of the website `trycloudflare.com`, and point traffic to localhost on port `8080`. If you have a web service running at that address, users who visit the generated subdomain will be able to visit your web service through Cloudflare's network. Refer to [TryCloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/) for more information on how to run quick tunnels.

## Virtual networks

A [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) is a software abstraction that allows you to logically segregate resources on your private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes. To connect to a resource, end users would select a virtual network in their Cloudflare One Client settings before entering the destination IP.


---

---
title: Log streams
description: Reference information for Log streams in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Log streams

Tunnel logs record all activity between a `cloudflared` instance and Cloudflare's global network, as well as all activity between `cloudflared` and your origin server. These logs allow you to investigate connectivity or performance issues with a Cloudflare Tunnel. You can configure your server to store persistent logs, or you can stream real-time logs from any client machine.

## View logs on the server

If you have access to the origin server, you can use the [\--loglevel flag](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#loglevel) to enable logging when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not store logs on the server. You can optionally use the [\--logfile flag](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#logfile) to write your logs to a file.

To enable logs, [run the tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#add-run-parameters-to-tunnel-service) using the `--loglevel info` and `--logfile <PATH>` flags. For example,

Terminal window

```
cloudflared tunnel --loglevel info --logfile cloudflared.log run <UUID>
```

## View logs on your local machine

You can view real-time logs for a Cloudflare Tunnel via the dashboard or from any machine that has `cloudflared` installed. With remote log streams, you do not need to SSH into the server that is running the tunnel. To get remote logs, the tunnel must be active and able to receive requests.

### Dashboard

Note

Tunnel log streams require [edit permissions](https://developers.cloudflare.com/fundamentals/manage-members/roles/) for Cloudflare Tunnel. Due to the sensitive nature of these logs, read-only roles (such as `Zero Trust Read Only`) do not have access.

Dashboard log streams are only available for remotely-managed tunnels. To stream tunnel logs from the dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **View logs** next to the tunnel you want to monitor.
3. Select **Begin log stream**.

#### View logs for a replica

If you are running multiple `cloudflared` instances for the same tunnel (also known as [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/)), you can stream logs for a specific replica:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels** and select your tunnel.
2. In the **Connectors** list, select the **Connector ID** for the replica you want to view.
3. Select **Begin log stream**.

### CLI

The `cloudflared` daemon can stream logs from any tunnel in your account to the local command line. `cloudflared` must be installed on both your local machine and the origin server.


1. On your local machine, authenticate `cloudflared` to your Cloudflare account:

   Terminal window

   ```
   cloudflared tunnel login
   ```
2. Run `cloudflared tail` for a specific tunnel:

   Terminal window

   ```
   cloudflared tail <UUID>
   ```

   For a more structured view of the JSON message, you can pipe the output to tools like [jq ↗](https://stedolan.github.io/jq/):

   Terminal window

   ```
   cloudflared tail --output=json <UUID> | jq .
   ```

#### Filter logs

You can filter logs by event type (`--event`), event level (`--level`), or sampling rate (`--sampling`) to reduce the volume of logs streamed from the origin. This helps mitigate the performance impact on the origin, especially when the origin is normally under high load. For example:

```
cloudflared tail --level debug <UUID>
```

| Flag         | Description                                                                                                                                                                                                                          | Allowed values                  | Default value |
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------- | ------------- |
| `--event`    | Filter by the type of event / request.                                                                                                                                                                                               | cloudflared, http, tcp, udp     | All events    |
| `--level`    | Return logs at this level and above. Works independently of the [`--loglevel`](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#loglevel) setting on the server. | debug, info, warn, error, fatal | debug         |
| `--sampling` | Sample a fraction of the total logs.                                                                                                                                                                                                 | Number from 0.0 to 1.0          | 1.0           |

#### View logs for a replica

If you are running multiple `cloudflared` instances for the same tunnel (also known as [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/)), you must specify an individual instance to stream logs from:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels** and select your tunnel.
2. Find the **Connector ID** for the `cloudflared` instance you want to view.
3. Specify the Connector ID in `cloudflared tail`:

   ```
   cloudflared tail --connector-id <CONNECTOR ID> <UUID>
   ```

### Performance considerations

* The logging session will only be held open for one hour. All logging systems introduce some level of performance overhead, and this limit helps prevent long term impact to your tunnel's end-to-end latencies.
* When streaming logs for a high throughput tunnel, Cloudflare intentionally prioritizes service stability over log delivery. To reduce the number of dropped logs, try [requesting fewer logs](#filter-logs). To ensure that you are seeing all logs, [view logs on the server](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/#view-logs-on-the-server) instead of streaming the logs remotely.


---

---
title: Metrics
description: How Metrics works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Metrics

Tunnel metrics show a Cloudflare Tunnel's throughput and resource usage over time. When you run a tunnel, `cloudflared` will spin up a Prometheus metrics endpoint — an HTTP server that exposes metrics in [Prometheus ↗](https://prometheus.io/docs/introduction/overview/) format. You can use the Prometheus toolkit on a remote machine to scrape metrics data from the `cloudflared` server.

## Default metrics server address

In non-containerized environments, `cloudflared` starts the metrics server on `127.0.0.1:<PORT>/metrics`, where `<PORT>` is the first available port in the range `20241` to `20245`. If all ports are unavailable, `cloudflared` binds to a random port. In containerized environments (Docker, Kubernetes), the default address is `0.0.0.0:<PORT>/metrics`.

To determine the default port, check your [tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) around the time when the tunnel started. For example:

```
2024-12-19T21:17:58Z INF Starting metrics server on 127.0.0.1:20241/metrics
```

## Configure the metrics server address

To serve metrics on a custom IP address and port, perform these steps on the `cloudflared` host:

1. [Run the tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#add-run-parameters-to-tunnel-service) using the `--metrics` flag. For example:

   ```
   cloudflared tunnel --metrics 127.0.0.1:60123 run my-tunnel
   ```

   Note  
   If you plan to fetch metrics from another machine on the local network, replace `127.0.0.1` with the internal IP of the `cloudflared` server (for example, `192.168.x.x`). To serve metrics on all available network interfaces, use `0.0.0.0`.

2. Verify that the metrics server is running by going to `http://localhost:60123/metrics`. This will only work if you configured a localhost IP (`127.0.0.1` or `0.0.0.0`).

You can now export the metrics to Prometheus and Grafana to visualize and query the data. Refer to the [Grafana tutorial](https://developers.cloudflare.com/cloudflare-one/tutorials/grafana/) for instructions on getting started with these tools.

## Available metrics

### cloudflared metrics

| Name                                                   | Description                                                                                                | Type    | Labels                             |
| ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------- | ------- | ---------------------------------- |
| build\_info                                            | Build and version information.                                                                             | GAUGE   | goversion, revision, type, version |
| cloudflared\_config\_local\_config\_pushes             | Number of local configuration pushes to Cloudflare.                                                        | COUNTER |                                    |
| cloudflared\_config\_local\_config\_pushes\_errors     | Number of errors that occurred during local configuration pushes.                                          | COUNTER |                                    |
| cloudflared\_orchestration\_config\_version            | Configuration version.                                                                                     | GAUGE   |                                    |
| cloudflared\_tcp\_active\_sessions                     | Concurrent number of TCP sessions that are being proxied to any origin.                                    | GAUGE   |                                    |
| cloudflared\_tcp\_total\_sessions                      | Total number of TCP sessions that have been proxied to any origin.                                         | COUNTER |                                    |
| cloudflared\_tunnel\_active\_streams                   | Total number of active streams.                                                                            | GAUGE   |                                    |
| cloudflared\_tunnel\_concurrent\_requests\_per\_tunnel | Concurrent number of requests proxied through each tunnel.                                                 | GAUGE   |                                    |
| cloudflared\_tunnel\_ha\_connections                   | Number of active HA connections.                                                                           | GAUGE   |                                    |
| cloudflared\_tunnel\_request\_errors                   | Number of errors proxying to origin.                                                                       | COUNTER |                                    |
| cloudflared\_tunnel\_server\_locations                 | Where each tunnel is connected to. 1 means current location, 0 means previous locations.                   | GAUGE   | connection\_id, edge\_location     |
| cloudflared\_tunnel\_timer\_retries                    | Unacknowledged heart beats count.                                                                          | GAUGE   |                                    |
| cloudflared\_tunnel\_total\_requests                   | Number of requests proxied through all tunnels.                                                            | COUNTER |                                    |
| cloudflared\_tunnel\_tunnel\_authenticate\_success     | Number of successful tunnel authentication events.                                                         | COUNTER |                                    |
| cloudflared\_tunnel\_tunnel\_register\_success         | Number of successful tunnel registrations.                                                                 | COUNTER | rpcName                            |
| cloudflared\_udp\_active\_sessions                     | Concurrent number of UDP sessions that are being proxied to any origin.                                    | GAUGE   |                                    |
| cloudflared\_udp\_total\_sessions                      | Total number of UDP sessions that have been proxied to any origin.                                         | COUNTER |                                    |
| coredns\_panics\_total                                 | Number of panics.                                                                                          | COUNTER |                                    |
| quic\_client\_closed\_connections                      | Number of connections that have been closed.                                                               | COUNTER |                                    |
| quic\_client\_latest\_rtt                              | Latest round-trip time (RTT) measured on a connection.                                                     | GAUGE   | conn\_index                        |
| quic\_client\_lost\_packets                            | Number of packets that have been lost from a connection.                                                   | COUNTER | conn\_index, reason                |
| quic\_client\_min\_rtt                                 | Lowest RTT measured on a connection in ms.                                                                 | GAUGE   | conn\_index                        |
| quic\_client\_packet\_too\_big\_dropped                | Number of packets received from origin that are too big to send to Cloudflare and are dropped as a result. | COUNTER |                                    |
| quic\_client\_smoothed\_rtt                            | Smoothed RTT calculated for a connection in ms.                                                            | GAUGE   | conn\_index                        |
| quic\_client\_total\_connections                       | Number of connections initiated. For all QUIC metrics, client means the side initiating the connection.    | COUNTER |                                    |
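
As an added example that is not part of the Cloudflare documentation, the following Python script parses a scrape of the `/metrics` endpoint and evaluates a few of the `cloudflared` metrics listed above (HA connection count, origin error ratio, current edge location per connection, QUIC RTT). The scrape text is constructed, the metric names come from the table, and the thresholds (four expected HA connections, a 2% error ratio, a 200 ms RTT) are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a cloudflared /metrics scrape (not captured from a real
# tunnel); the metric names and labels are the ones documented in the table above.
SAMPLE_SCRAPE = """\
# TYPE cloudflared_tunnel_ha_connections gauge
cloudflared_tunnel_ha_connections 3
cloudflared_tunnel_total_requests 1200
cloudflared_tunnel_request_errors 36
cloudflared_tunnel_server_locations{connection_id="0",edge_location="lhr"} 1
cloudflared_tunnel_server_locations{connection_id="0",edge_location="ams"} 0
cloudflared_tunnel_server_locations{connection_id="1",edge_location="lhr"} 1
cloudflared_tunnel_server_locations{connection_id="2",edge_location="fra"} 1
quic_client_latest_rtt{conn_index="0"} 12.5
quic_client_latest_rtt{conn_index="1"} 240
"""

# One parsed sample: (metric name, label set, numeric value).
Sample = Tuple[str, Dict[str, str], float]
Grouped = Dict[str, List[Tuple[Dict[str, str], float]]]

_SAMPLE_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)")
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text: str) -> List[Sample]:
    """Parse Prometheus text exposition format into (name, labels, value) tuples.
    HELP/TYPE comments and blank lines are skipped; an optional trailing
    timestamp is ignored because the value is the first token after the name."""
    samples: List[Sample] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SAMPLE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable sample line: {line!r}")
        name, raw_labels, raw_value = match.groups()
        labels = {
            key: val.replace('\\"', '"').replace("\\\\", "\\")
            for key, val in _LABEL_RE.findall(raw_labels or "")
        }
        samples.append((name, labels, float(raw_value)))
    return samples


def group_by_name(samples: List[Sample]) -> Grouped:
    grouped: Grouped = {}
    for name, labels, val in samples:
        grouped.setdefault(name, []).append((labels, val))
    return grouped


def current_edge_locations(samples: List[Sample]) -> Dict[str, str]:
    """Map each connection_id to the edge location it is connected to now:
    server_locations is 1 for the current location and 0 for previous ones."""
    locations = group_by_name(samples).get("cloudflared_tunnel_server_locations", [])
    return {lab["connection_id"]: lab["edge_location"] for lab, val in locations if val == 1}


def tunnel_health(samples: List[Sample], expected_ha: int = 4,
                  max_error_ratio: float = 0.02, max_rtt_ms: float = 200.0) -> List[str]:
    """Return human-readable findings for one scrape. The thresholds are
    illustrative assumptions, not Cloudflare recommendations. Both request
    counters are cumulative, so this is a lifetime error ratio; a production
    alert would compare rate() of the two counters over a window instead."""
    grouped = group_by_name(samples)
    findings: List[str] = []

    ha = sum(val for _, val in grouped.get("cloudflared_tunnel_ha_connections", []))
    if ha < expected_ha:
        findings.append(f"ha_connections={int(ha)} is below the expected {expected_ha}")

    total = sum(val for _, val in grouped.get("cloudflared_tunnel_total_requests", []))
    errors = sum(val for _, val in grouped.get("cloudflared_tunnel_request_errors", []))
    if total and errors / total > max_error_ratio:
        findings.append(f"origin error ratio {errors / total:.1%} exceeds {max_error_ratio:.0%}")

    # The RTT unit is assumed to be milliseconds, as documented for quic_client_min_rtt.
    for lab, val in grouped.get("quic_client_latest_rtt", []):
        if val > max_rtt_ms:
            findings.append(f"connection {lab.get('conn_index', '?')} RTT {val:g} ms "
                            f"exceeds {max_rtt_ms:g} ms")
    return findings


if __name__ == "__main__":
    parsed = parse_exposition(SAMPLE_SCRAPE)
    print(current_edge_locations(parsed))
    for finding in tunnel_health(parsed):
        print("WARN", finding)
```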

### Prometheus metrics

| Name                                            | Description                                  | Type    | Labels |
| ----------------------------------------------- | -------------------------------------------- | ------- | ------ |
| promhttp\_metric\_handler\_requests\_in\_flight | Current number of scrapes being served.      | GAUGE   |        |
| promhttp\_metric\_handler\_requests\_total      | Total number of scrapes by HTTP status code. | COUNTER | code   |

### Go runtime metrics

| Name                                  | Description                                                        | Type    | Labels  |
| ------------------------------------- | ------------------------------------------------------------------ | ------- | ------- |
| go\_gc\_duration\_seconds             | A summary of the pause duration of garbage collection cycles.      | SUMMARY |         |
| go\_goroutines                        | Number of goroutines that currently exist.                         | GAUGE   |         |
| go\_info                              | Information about the Go environment.                              | GAUGE   | version |
| go\_memstats\_alloc\_bytes            | Number of bytes allocated and still in use.                        | GAUGE   |         |
| go\_memstats\_alloc\_bytes\_total     | Total number of bytes allocated, even if freed.                    | COUNTER |         |
| go\_memstats\_buck\_hash\_sys\_bytes  | Number of bytes used by the profiling bucket hash table.           | GAUGE   |         |
| go\_memstats\_frees\_total            | Total number of frees.                                             | COUNTER |         |
| go\_memstats\_gc\_sys\_bytes          | Number of bytes used for garbage collection system metadata.       | GAUGE   |         |
| go\_memstats\_heap\_alloc\_bytes      | Number of heap bytes allocated and still in use.                   | GAUGE   |         |
| go\_memstats\_heap\_idle\_bytes       | Number of heap bytes waiting to be used.                           | GAUGE   |         |
| go\_memstats\_heap\_inuse\_bytes      | Number of heap bytes that are in use.                              | GAUGE   |         |
| go\_memstats\_heap\_objects           | Number of allocated objects.                                       | GAUGE   |         |
| go\_memstats\_heap\_released\_bytes   | Number of heap bytes released to OS.                               | GAUGE   |         |
| go\_memstats\_heap\_sys\_bytes        | Number of heap bytes obtained from system.                         | GAUGE   |         |
| go\_memstats\_last\_gc\_time\_seconds | Number of seconds since 1970 of last garbage collection.           | GAUGE   |         |
| go\_memstats\_lookups\_total          | Total number of pointer lookups.                                   | COUNTER |         |
| go\_memstats\_mallocs\_total          | Total number of mallocs.                                           | COUNTER |         |
| go\_memstats\_mcache\_inuse\_bytes    | Number of bytes in use by mcache structures.                       | GAUGE   |         |
| go\_memstats\_mcache\_sys\_bytes      | Number of bytes used for mcache structures obtained from system.   | GAUGE   |         |
| go\_memstats\_mspan\_inuse\_bytes     | Number of bytes in use by mspan structures.                        | GAUGE   |         |
| go\_memstats\_mspan\_sys\_bytes       | Number of bytes used for mspan structures obtained from system.    | GAUGE   |         |
| go\_memstats\_next\_gc\_bytes         | Number of heap bytes when next garbage collection will take place. | GAUGE   |         |
| go\_memstats\_other\_sys\_bytes       | Number of bytes used for other system allocations.                 | GAUGE   |         |
| go\_memstats\_stack\_inuse\_bytes     | Number of bytes in use by the stack allocator.                     | GAUGE   |         |


---

---
title: Notifications
description: How Notifications works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Notifications

Administrators can receive an alert when Cloudflare Tunnels in an account change their health or deployment status. Notifications can be delivered via email, webhook, and third-party services.

## Manage notifications

Tunnel notifications are configured on the [Cloudflare dashboard ↗](https://dash.cloudflare.com/). For more information, refer to [Create a notification](https://developers.cloudflare.com/notifications/get-started/#create-a-notification).

## Available notifications

### Tunnel Creation or Deletion Event

**Who is it for?**

Customers who want to receive a notification when Cloudflare Tunnels are created or deleted in their account.

**Other options / filters**

None.

**Included with**

All Cloudflare Zero Trust plans.

**What should you do if you receive one?**

No action is needed.

### Tunnel Health Alert

**Who is it for?**

Customers who want to be warned about changes in health status for their Cloudflare Tunnels.

**Other options / filters**

None.

**Included with**

All Cloudflare Zero Trust plans.

**What should you do if you receive one?**

Monitor tunnel health over time and consider deploying [cloudflared replicas or load balancers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/).

**Additional information**

Refer to [Tunnel status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#tunnel-status) to review the list of possible tunnel statuses (`Healthy`, `Inactive`, `Down` and `Degraded`).


---

---
title: Private networks
description: How Private networks works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Private networks

With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a [connector](#connectors) on the private network, and then [setting up routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2b-connect-a-network) which define the IP addresses available in that environment. Unlike [published applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), private network routes can expose both HTTP and non-HTTP resources.

To reach private network IPs, end users must connect their device to Cloudflare and enroll in your Zero Trust organization. The most common method is to install the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on their device, or you can onboard their network traffic to Cloudflare using [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/), [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/), or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-tunnel/).

Administrators can optionally set [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to control access to services based on user identity and device posture.

## Connectors

Here are the different ways you can connect your private network to Cloudflare:

* [**Cloudflare Mesh**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) creates a private network between mesh nodes, client devices, and the services behind them. Each participant is assigned a [Mesh IP](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/#device-ips) for direct connectivity. Mesh nodes install on a Linux server and act as subnet routers for site-to-site, bidirectional, and mesh networking. Client devices install the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) for device-to-device and device-to-network connectivity.
* [**Cloudflare Tunnel (cloudflared)**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) installs on a server in your private network and creates a secure, outbound-only tunnel to Cloudflare. `cloudflared` only proxies traffic initiated from a user to a server. Any service or application running behind the tunnel will use the server's default routing table for server-initiated connectivity.
* [**Cloudflare WAN**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/) connects entire network locations to Cloudflare using anycast GRE or IPsec tunnels configured on your existing networking equipment.


---

---
title: Connect with cloudflared
description: How Connect with cloudflared works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Connect with cloudflared

`cloudflared` is a daemon that runs on a host machine in your private network and proxies traffic from Cloudflare to local services. The tunnel created by `cloudflared` is outbound-only, meaning it only handles requests initiated from a user to your private network. Server-initiated requests (from applications behind the tunnel) use the server's default routing table and do not pass through the tunnel.

On the client side, end users connect to Cloudflare's global network using the Cloudflare One Client. The Cloudflare One Client can be rolled out to your entire organization in just a few minutes using your in-house MDM tooling. When users connect to an IP address or hostname made available through Cloudflare Tunnel, WARP sends their connection through Cloudflare's network and down the corresponding tunnel to the internal service. Traffic to services behind the tunnel will carry the local source IP address of the host machine running the `cloudflared` daemon.

![Diagram displaying connections between a device, Cloudflare, and a private network.](https://developers.cloudflare.com/_astro/private-ips-diagram.BXgaklt9_7ovDi.webp) 

To enable remote access to your private network, refer to the following guides:

* [**Connect a private hostname**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/): Route network traffic to an internal application using its hostname.
* [**Connect an IP/CIDR**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/): Route traffic to an internal IP address or CIDR range.


---

---
title: Connect an IP/CIDR
description: Connect an IP/CIDR in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Connect an IP/CIDR

This guide covers how to enable secure remote access to private IP addresses using `cloudflared` and the Cloudflare One Client. You can connect an entire private network, a subnet, or an application defined by a static IP.

## 1. Connect the server to Cloudflare

To connect your infrastructure with Cloudflare Tunnel:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. [Create a new tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or edit an existing `cloudflared` tunnel.
3. In the **CIDR** tab for the tunnel, enter the IP/CIDR range that you wish to route through the tunnel (for example, `10.0.0.1` or `10.0.0.0/8`).
4. (Optional) Under **Additional settings**, select a [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) for this tunnel route. This step is only needed if the route's IP/CIDR range overlaps with another route in your account. If you do not select a virtual network, the IP route will be assigned to the `default` network.

   Note  
   To create a new virtual network, select **Manage virtual networks**.

## 2. Set up the client

To connect your devices to Cloudflare:

1. [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your devices in Traffic and DNS mode or [generate a proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and deploy a PAC file.
2. [Create device enrollment rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.

## 3. Route private network IPs through the Cloudflare One Client

By default, WARP excludes traffic bound for [RFC 1918 space ↗](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for the Cloudflare One Client to send traffic to your private network, you must configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that the IP/CIDR of your private network routes through the Cloudflare One Client.

1. First, check whether your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
2. Edit your Split Tunnel routes depending on the mode:  
If you are using **Exclude** mode:  
a. [Delete the route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#remove-a-route) containing your private network's IP/CIDR range. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.  
b. [Re-add IP/CIDR ranges](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) that are not explicitly used by your private network. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through the Cloudflare One Client.  
To determine which IP addresses to re-add, use a CIDR subtraction calculator:  
   1. As the **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels.  
   2. As the **Subtracted CIDRs**, enter the IP/CIDR range used by your private network.  
   3. Re-add the calculator results to your Split Tunnel Exclude mode list.  
By tightening the private IP range included in the Cloudflare One Client, you reduce the risk of breaking a user's [access to local resources](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion).  
If you are using **Include** mode:  
   1. Add the required [Zero Trust domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.  
   2. [Add a route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) to include your private network's IP/CIDR range.
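The CIDR subtraction in the Exclude-mode steps above can be reproduced offline. The following is an added example (not Cloudflare's code) that computes the Exclude-mode entries to re-add using Python's standard `ipaddress` module. It goes slightly beyond the single AWS case on this page: it accepts several subtracted ranges at once (for example two VPC CIDRs carved out of the same RFC 1918 block) and rejects a subtracted range that does not sit inside the base range, which would otherwise silently produce a wrong list.

```python
# Added example, not part of the Cloudflare documentation: compute the
# Split Tunnel Exclude-mode entries to re-add after deleting an RFC 1918
# route, i.e. "base minus the private network ranges".
import ipaddress
from typing import Iterable, List


def split_tunnel_readd(base: str, subtracted: Iterable[str]) -> List[str]:
    """Return the CIDRs of `base` not covered by any range in `subtracted`.

    These are the entries to re-add to the Exclude list so that only the
    subtracted ranges route through the Cloudflare One Client.
    """
    base_net = ipaddress.ip_network(base, strict=True)
    remaining = [base_net]
    for cidr in subtracted:
        sub = ipaddress.ip_network(cidr, strict=True)
        if sub.version != base_net.version:
            raise ValueError(f"{cidr} is not the same IP version as {base}")
        if not sub.subnet_of(base_net):
            # Refuse silently wrong input: a range outside the base would
            # leave the base untouched and the user none the wiser.
            raise ValueError(f"{cidr} is not inside {base}")
        next_remaining = []
        for net in remaining:
            if sub.subnet_of(net):
                # Split `net` into the blocks that do not contain `sub`
                # (yields nothing if sub == net).
                next_remaining.extend(net.address_exclude(sub))
            elif net.subnet_of(sub):
                continue  # already fully covered by this subtraction
            else:
                next_remaining.append(net)  # CIDR blocks either nest or are disjoint
        remaining = next_remaining
    # collapse_addresses merges mergeable neighbours and returns them sorted
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def verify_readd(base: str, subtracted: Iterable[str], readd: Iterable[str]) -> bool:
    """Sanity check: re-added blocks must lie inside `base` and must not
    overlap any subtracted range."""
    base_net = ipaddress.ip_network(base)
    subs = [ipaddress.ip_network(s) for s in subtracted]
    for block in (ipaddress.ip_network(r) for r in readd):
        if not block.subnet_of(base_net):
            return False
        if any(block.overlaps(s) for s in subs):
            return False
    return True


if __name__ == "__main__":
    # The AWS example from this page: default VPC 172.31.0.0/16 inside 172.16.0.0/12
    aws = split_tunnel_readd("172.16.0.0/12", ["172.31.0.0/16"])
    print("re-add to Exclude list:", aws)
    print("consistent:", verify_readd("172.16.0.0/12", ["172.31.0.0/16"], aws))
```

Run it with any base and one or more subtracted ranges; the output list is exactly what goes back into the Exclude list. `verify_readd` is the check to run before pasting a long list into the dashboard.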

## 4\. (Recommended) Filter network traffic with Gateway

By default, all devices enrolled in your Zero Trust organization can connect to your private network through Cloudflare Tunnel. You can configure Gateway to inspect your network traffic and either block or allow access based on user identity and device posture. To learn more about policy design, refer to [Secure your first application](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/create-policy/).

### Enable the Gateway proxy

**Dashboard**

1. Go to **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection**, turn on **Allow Secure Web Gateway to proxy traffic**.
3. Select **TCP**.
4. Select **UDP** (required to proxy traffic to internal DNS resolvers).
5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#icmp) to allow ICMP traffic through `cloudflared`.
**Terraform (v5)**

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Zero Trust Write`
2. Turn on the TCP and/or UDP proxy using the [cloudflare\_zero\_trust\_device\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fdevice%5Fsettings) resource:  
```hcl
resource "cloudflare_zero_trust_device_settings" "global_warp_settings" {
  account_id                = var.cloudflare_account_id
  # TCP proxy: required for Gateway to filter private network traffic from enrolled devices
  gateway_proxy_enabled     = true
  # UDP proxy: required to proxy traffic to internal DNS resolvers
  gateway_udp_proxy_enabled = true
}
```

Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client). For more information on how Gateway forwards traffic, refer to [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/).

### Zero Trust policies

To prevent Cloudflare One Client users from accessing your entire private network, we recommend creating a [catch-all Gateway block policy](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/create-policy/#catch-all-policy) for your private IP space. You can then layer on higher priority Allow policies (in either Access or Gateway) which grant users access to specific applications or IPs.

If you have applications clearly defined by IPs or hostnames, we recommend [creating an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway network and DNS policies for IP ranges and domains.

For more information on building Gateway policies, refer to [Secure your first application](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/create-policy/) and [Common network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/common-policies/#restrict-access-to-private-networks).

## 5\. Connect as a user

End users can now reach HTTP or TCP-based services on your network by visiting any IP address in the range you have specified.

To allow users to reach the service using its private hostname instead of its IP, refer to [Private DNS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/).

### Troubleshooting

#### Device configuration

To check that their device is properly configured, the user can visit `https://help.teams.cloudflare.com/` to ensure that:

* The page returns **Your network is fully protected**.
* In **HTTP filtering**, both **WARP** and **Gateway Proxy** are enabled.
* The **Team name** matches the Zero Trust organization from which you created the tunnel.

#### Router configuration

Check the local IP address of the device and ensure that it does not fall within the IP/CIDR range of your private network. For example, some home routers will make DHCP assignments in the `10.0.0.0/24` range, which overlaps with the `10.0.0.0/8` range used by most corporate private networks. When a user's home network shares the same IP addresses as the routes in your tunnel, their device will be unable to connect to your application.

To resolve the IP conflict, you can either:

* Reconfigure the user's router to use a non-overlapping IP range. Compatible routers typically use `192.168.1.0/24`, `192.168.0.0/24` or `172.16.0.0/24`.
* Tighten the IP range in your Split Tunnel configuration to exclude the `10.0.0.0/24` range. This will only work if your private network does not have any hosts within `10.0.0.0/24`.
* Change the IP/CIDR of your private network so that it does not overlap with a range commonly used by home networks.
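The overlap check described above can be automated for a helpdesk. The following is an added example (not part of this page) that parses a device's `ip -4 route` output, reports every connected subnet that overlaps a route published through the tunnel, and names which of the three remedies applies. The `ip -4 route` output and the tunnel route list are constructed samples for this example (a home router handing out `10.0.0.0/24`, as in the scenario above).

```python
# Added example, not from the Cloudflare documentation: detect a clash
# between the user's home LAN and the IP/CIDR routes behind the tunnel.
import ipaddress
from typing import List, Tuple

# Constructed sample of `ip -4 route` on a laptop behind a home router.
SAMPLE_IP_ROUTE = """\
default via 10.0.0.1 dev wlan0 proto dhcp src 10.0.0.37 metric 600
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.37 metric 600
"""

# Assumed tunnel routes (Networks > Routes in the dashboard).
SAMPLE_TUNNEL_ROUTES = ["10.0.0.0/8", "172.31.0.0/16"]


def local_subnets(ip_route_output: str) -> List[ipaddress.IPv4Network]:
    """Extract connected prefixes from `ip -4 route` output, skipping the default route."""
    nets = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            # strict=False tolerates a host route such as "10.0.0.1" (treated as /32)
            nets.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            continue  # not a prefix in the first column; ignore the line
    return nets


def find_conflicts(local: List[ipaddress.IPv4Network],
                   tunnel_routes: List[str]) -> List[Tuple[str, str, str]]:
    """Return (local subnet, tunnel route, remedy) for every overlap."""
    conflicts = []
    for lan in local:
        for route in (ipaddress.ip_network(r) for r in tunnel_routes):
            if not lan.overlaps(route):
                continue
            if lan.subnet_of(route):
                remedy = (f"exclude {lan} in Split Tunnels (only if no private hosts use {lan}), "
                          f"re-address the home router, or renumber the private network")
            else:
                remedy = f"{lan} is larger than tunnel route {route}; re-address the home router"
            conflicts.append((str(lan), str(route), remedy))
    return conflicts


if __name__ == "__main__":
    for lan, route, remedy in find_conflicts(local_subnets(SAMPLE_IP_ROUTE), SAMPLE_TUNNEL_ROUTES):
        print(f"conflict: local {lan} overlaps tunnel route {route} -> {remedy}")
```

Feed it the real `ip -4 route` output (or the equivalent from `ipconfig` / `netstat -rn` after adapting the parser) and the routes from **Networks** > **Routes**; an empty result means the device's LAN does not collide with the tunnel.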


---

---
title: Connect a private hostname
description: Connect a private hostname in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) 

# Connect a private hostname

Instead of managing static IP lists and routes, you can connect users to private HTTP and non-HTTP applications using their hostnames (for example, `wiki.internal.local`). Private hostname routes are especially useful when the application has an unknown or ephemeral IP, which often occurs when infrastructure is provisioned by a third-party cloud provider.

When a user requests a private hostname, Cloudflare Gateway assigns an initial resolved IP from a CGNAT range to route the traffic through your tunnel to the correct private IP address. For a deep dive into the architecture and packet flow, refer to our [announcement blog post ↗](https://blog.cloudflare.com/tunnel-hostname-routing/).

## Supported on-ramps/off-ramps

The table below summarizes the Cloudflare One products that are compatible with private hostname routing. Refer to the table legend for guidance on interpreting the table.

✅ Product works with no caveats   
🚧 Product can be used with some caveats   
❌ Product cannot be used   

### Device connectivity

End users can connect to private hostnames using the following traffic on-ramps:

| On-ramp method                                                                                                              | Compatibility             |
| --------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) | ✅                         |
| [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)               | ✅                         |
| [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)                             | ✅                         |
| [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)                    | ✅                         |
| [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/)                           | 🚧[1](#user-content-fn-1) |

**Feature availability**

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) |
| ---------------------------------------------------------------------------------------------------------------------------------- |
| Traffic and DNS mode                                                                                                               |

| System   | Availability | Minimum client version |
| -------- | ------------ | ---------------------- |
| Windows  | ✅            | 2025.4.929.0           |
| macOS    | ✅            | 2025.4.929.0           |
| Linux    | ✅            | 2025.4.929.0           |
| iOS      | ✅            | 1.11                   |
| Android  | ✅            | 2.4.2                  |
| ChromeOS | ✅            | 2.4.2                  |

## Footnotes

1. Not compatible with [ECMP routing](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#equal-cost-multi-path-routing). For hostname-based routing to work, DNS queries and the resulting network traffic must reach Cloudflare over the same IPsec/GRE tunnel.

### Private network connectivity

Private hostname routing only works for applications connected with `cloudflared`. Other traffic off-ramps require IP-based routes.

| Connector                                                                                                                      | Compatibility | Minimum version |
| ------------------------------------------------------------------------------------------------------------------------------ | ------------- | --------------- |
| [cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) | ✅             | 2025.7.0        |
| [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)                       | ❌             |                 |
| [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/)                              | ❌             |                 |

## Connect a private hostname

This section covers how to enable remote access to a private hostname application using `cloudflared`.

### Prerequisites

Before you can connect to private hostnames, you must enable the Gateway proxy.

**Dashboard**

1. Go to **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection**, turn on **Allow Secure Web Gateway to proxy traffic**.
3. Select **TCP**.
4. Select **UDP** (required to proxy traffic to internal DNS resolvers).
5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#icmp) to allow ICMP traffic through `cloudflared`.

**Terraform (v5)**

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Zero Trust Write`
2. Turn on the TCP and/or UDP proxy using the [cloudflare\_zero\_trust\_device\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fdevice%5Fsettings) resource:  
```hcl
resource "cloudflare_zero_trust_device_settings" "global_warp_settings" {
  account_id                = var.cloudflare_account_id
  # TCP proxy: required for Gateway to filter private network traffic from enrolled devices
  gateway_proxy_enabled     = true
  # UDP proxy: required to proxy traffic to internal DNS resolvers
  gateway_udp_proxy_enabled = true
}
```

Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client). For more information on how Gateway forwards traffic, refer to [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/).

Your devices must also forward the following traffic to Cloudflare:

* Initial resolved IPs:  
   * **IPv4**: `100.80.0.0/16`  
   * **IPv6**: `2606:4700:0cf1:4000::/64`
* DNS queries for your private hostname

Configuration steps vary depending on your [device on-ramp](#device-connectivity):

**Cloudflare One Clients**

1. In your WARP [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/), configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) such that the initial resolved IPs route through the WARP tunnel. Configuration depends on your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode):  
   * **Exclude mode**: Delete `100.64.0.0/10` from your Split Tunnels list. We recommend [adding back the IP ranges](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/#split-tunnel-configuration) that are not explicitly used for Cloudflare One services. This reduces the risk of conflicts with existing private network configurations that may use the CGNAT address space.  
   * **Include mode**: Add Split Tunnel entries for the following IP addresses:  
         * **IPv4**: `100.80.0.0/16`  
         * **IPv6**: `2606:4700:0cf1:4000::/64`
2. In [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/), delete the top-level domain for your private hostname. This configures WARP to send the DNS query to Cloudflare Gateway for resolution.

**Cloudflare Mesh**

1. In your [mesh node device profile](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/), ensure that the initial resolved IPs listed above route through the tunnel.
2. Depending on where you installed the mesh node, you may also need to route those destination IPs through the node and point your DNS resolver to Cloudflare Gateway. Refer to [Routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/).

**Cloudflare WAN**

1. Ensure that the initial resolved IPs listed above [route through Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-routes/) to Cloudflare.
2. [Point the DNS resolver](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/#dns-filtering) for your Cloudflare WAN network to Cloudflare Gateway.

### 1\. Connect the application to Cloudflare

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **Create a tunnel**.
3. Choose **Cloudflared** for the connector type and select **Next**.
4. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`).
5. Select **Save tunnel**.
6. Next, you will need to install `cloudflared` and run it. To do so, check that the environment under **Choose an environment** reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.
7. Once the command has finished running, your connector will appear in Cloudflare One.  
![Connector appearing in the UI after cloudflared has run](https://developers.cloudflare.com/_astro/connector.BnVS4T_M_ZxLFu6.webp)
8. Select **Next**.
9. In the **Hostname routes** tab, enter the fully qualified domain name (FQDN) that represents your application (for example, `wiki.internal.local`).  
   **Hostname format restrictions**  
   * **Character limit:** Must be less than 255 characters.  
   * **Supported wildcards:** A single wildcard (`*`) is allowed, and it must represent a full DNS label. Example: `*.internal.local`  
   * **Unsupported wildcards:** The following wildcard formats are not supported:  
         * Partial wildcards such as `*-dev.internal.local` or `dev-*.internal.local`.  
         * Wildcards in the middle, such as `foo*bar.internal.local` or `foo.*.internal.local`.  
         * Multiple wildcards in the hostname, such as `*.*.internal.local`.  
   * **Wildcard trimming**: Leading wildcards (`*`) are trimmed off and an implicit dot (`.`) is assumed. For example, `*.internal.local` is saved as `internal.local` but will match all subdomains at the wildcard level (covers `foo.internal.local` but not `foo.bar.internal.local`).  
   * **Dot trimming:** Leading and ending dots (`.`) are allowed but trimmed off.
10. Select **Complete setup**.
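The hostname format rules above are precise enough to check before a route is created, which is useful when routes are generated from an inventory rather than typed by hand. The following is an added example (not Cloudflare's code) that validates a hostname route against those rules, applies the same wildcard and dot trimming, and matches request hostnames against the saved routes. Two details are this example's assumptions rather than documented behaviour: a saved route is modelled as a name plus a wildcard flag (the page says only that the leading `*.` is trimmed), DNS labels are restricted to letters, digits and hyphens, and when both an exact and a wildcard route match, the exact one is preferred.

```python
# Added example, not from the Cloudflare documentation: validate and match
# private hostname routes according to the format restrictions above.
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumption for this example: LDH labels only (letters, digits, hyphens).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


@dataclass(frozen=True)
class HostnameRoute:
    name: str       # hostname as saved, with a leading "*." already trimmed
    wildcard: bool  # True if the route was entered with a leading "*."


def parse_hostname_route(raw: str) -> HostnameRoute:
    """Validate a route as entered in the Hostname routes tab and normalise it."""
    if len(raw) >= 255:
        raise ValueError("hostname must be less than 255 characters")
    host = raw.strip(".").lower()            # leading and ending dots are trimmed
    if host.count("*") > 1:
        raise ValueError("only a single wildcard is supported")
    wildcard = False
    if "*" in host:
        # The wildcard must be a complete leading label ("*.internal.local").
        # "*-dev.x", "dev-*.x", "foo*bar.x" and "foo.*.x" all fail this test.
        if not host.startswith("*."):
            raise ValueError("wildcard must be a full leading DNS label")
        wildcard = True
        host = host[2:]                       # "*.internal.local" is saved as "internal.local"
    if not host:
        raise ValueError("hostname is empty after trimming")
    for label in host.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return HostnameRoute(name=host, wildcard=wildcard)


def route_matches(route: HostnameRoute, hostname: str) -> bool:
    """An exact route matches only itself; a wildcard route matches exactly one
    extra label (foo.internal.local, but not foo.bar.internal.local)."""
    host = hostname.strip(".").lower()
    if not route.wildcard:
        return host == route.name
    suffix = "." + route.name
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    return prefix != "" and "." not in prefix


def select_route(routes: Iterable[HostnameRoute], hostname: str) -> Optional[HostnameRoute]:
    """Return the matching route, preferring an exact name over a wildcard
    (this preference is the example's choice, not a documented rule)."""
    matches = [r for r in routes if route_matches(r, hostname)]
    if not matches:
        return None
    return sorted(matches, key=lambda r: r.wildcard)[0]   # exact (False) sorts first


if __name__ == "__main__":
    routes = [parse_hostname_route("*.internal.local"),
              parse_hostname_route(".wiki.internal.local.")]
    for name in ("wiki.internal.local", "git.internal.local", "a.b.internal.local"):
        print(name, "->", select_route(routes, name))
```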

### 2\. Configure DNS resolution

When Gateway receives a request for your private hostname, it must resolve the hostname to a private IP address. There are two ways to configure this, depending on your network topology.

#### Scenario A: Use the system resolver (Default)

By default, `cloudflared` uses the private DNS resolver configured on its host machine (for example, in `/etc/resolv.conf` on Linux).

If the machine running `cloudflared` can already resolve `wiki.internal.local` to its private IP using the local system resolver, no further configuration is required. You can skip to [Step 3](#3-recommended-filter-network-traffic-with-gateway).

#### Scenario B: Use a specific private DNS server (Advanced)

If you need `cloudflared` to use a specific internal DNS server that is different from the host's default resolver, you must explicitly connect that DNS server to Cloudflare via an [IP/CIDR route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). You will also need to configure a [Gateway resolver policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route queries to this specific private DNS server.

1. To create an IP/CIDR route for the DNS server:  
   1. Go to **Networks** \> **Routes** \> **CIDR**.  
   2. Select **Add CIDR route**.  
   3. Enter the private IP address of your internal DNS resolver.  
   4. Select the Cloudflare Tunnel that connects to the network where this DNS server resides.  
   5. Select **Create**.
2. To create a resolver policy:  
   1. Go to **Traffic policies** \> **Resolver policies**.  
   2. Select **Create a policy**.  
   3. Create an expression that matches the private hostname:  
   | Selector | Operator | Value               |  
   | -------- | -------- | ------------------- |  
   | Host     | in       | wiki.internal.local |  
   4. Under **Configure custom DNS resolvers**, enter the private IP address of your internal DNS server.  
   5. From the dropdown menu, select the `- Private` routing option and the [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) assigned to the tunnel you selected in the previous step.  
   6. Select **Create policy**.

### 3\. (Recommended) Filter network traffic with Gateway

By default, all devices enrolled in your Zero Trust organization can connect to your private network through Cloudflare Tunnel. You can configure Gateway to inspect your network traffic and either block or allow access based on user identity and device posture. To learn more about policy design, refer to [Secure your first application](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/create-policy/).

To prevent Cloudflare One Client users from accessing your entire private network, we recommend creating a [catch-all Gateway block policy](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/create-policy/#catch-all-policy) for your private IP space. You can then layer on higher priority Allow policies (in either Access or Gateway) which grant users access to specific applications or IPs.

#### Option 1: Access application (recommended)

You can create an [Access self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) for your private hostname and configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) within that application. This option allows you to manage user access alongside your SaaS and other web apps.

#### Option 2: Gateway firewall policies

If you prefer to secure the application using a traditional firewall model, you can build Gateway network policies using the [SNI](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#sni) or [SNI Domain](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#sni-domain) selector. For an additional layer of protection, add a Gateway DNS policy to allow or block the [Host](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#host) or [Domain](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#domain) from resolving.

**Example network policies**

The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.

1. Allow company employees

| Selector   | Operator      | Value               | Logic | Action |
| ---------- | ------------- | ------------------- | ----- | ------ |
| SNI        | in            | wiki.internal.local | And   | Allow  |
| User Email | matches regex | .\*@example.com     |       |        |

2. Catch-all block policy

| Selector       | Operator | Value      | Action |
| -------------- | -------- | ---------- | ------ |
| Destination IP | in       | 10.0.0.0/8 | Block  |

**Example DNS policy**

| Selector   | Operator      | Value               | Logic | Action |
| ---------- | ------------- | ------------------- | ----- | ------ |
| Host       | in            | wiki.internal.local | And   | Allow  |
| User Email | matches regex | .\*@example.com     |       |        |

**SNI selector limitations**

By default, SNI selectors only apply to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).

Additionally, SNI selectors will only apply to Cloudflare One Client traffic. If your users will be connecting from other [on-ramps](#device-connectivity), you can allow or block network traffic using the [Destination IP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#destination-ip) selector instead of SNI.
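The layering of the two network policies above (a higher-priority Allow, then a catch-all Block) and the SNI port-443 caveat are easy to get wrong in a way that only shows up as a puzzled user. The following is an added example (not Cloudflare code) that models ordered Gateway network policy evaluation just far enough to test those two points: the employee Allow must sit above the catch-all, and a connection to the application on a port other than 443 falls through to the catch-all unless protocol detection inspects all ports. The policy names, the sample flows and the email addresses are constructed; "first match in order wins" and "no match means allow" are the example's assumptions mirroring the dashboard behaviour described on this page, not a reimplementation of Gateway.

```python
# Added example, not from the Cloudflare documentation: a simplified model
# of ordered Gateway network policy evaluation for the two policies above.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    user_email: str
    sni: Optional[str] = None          # TLS SNI sent by the client, if any


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                        # "allow" or "block"
    sni_in: Tuple[str, ...] = ()       # SNI selector, operator "in"
    email_regex: Optional[str] = None  # User Email selector, "matches regex"
    dst_ip_in: Tuple[str, ...] = ()    # Destination IP selector, operator "in"


def policy_matches(policy: Policy, flow: Flow, inspect_all_ports: bool) -> bool:
    """All selectors in a policy are combined with And."""
    if policy.sni_in:
        # SNI is only evaluated on port 443 unless protocol detection is set to
        # inspect on all ports; otherwise the selector simply does not match.
        if flow.sni is None or (flow.dst_port != 443 and not inspect_all_ports):
            return False
        if flow.sni.lower() not in policy.sni_in:
            return False
    if policy.email_regex is not None and not re.search(policy.email_regex, flow.user_email):
        return False
    if policy.dst_ip_in:
        addr = ipaddress.ip_address(flow.dst_ip)
        if not any(addr in ipaddress.ip_network(c) for c in policy.dst_ip_in):
            return False
    return True


def evaluate(policies: List[Policy], flow: Flow, inspect_all_ports: bool = False) -> Tuple[str, str]:
    """Return (action, policy name) of the first matching policy; allow if none matches."""
    for policy in policies:
        if policy_matches(policy, flow, inspect_all_ports):
            return policy.action, policy.name
    return "allow", "no policy matched"


def example_policies() -> List[Policy]:
    """The two network policies from the tables above, in priority order."""
    return [
        Policy("Allow company employees", "allow",
               sni_in=("wiki.internal.local",), email_regex=r".*@example.com"),
        Policy("Catch-all block policy", "block", dst_ip_in=("10.0.0.0/8",)),
    ]


if __name__ == "__main__":
    policies = example_policies()
    alice = Flow("10.10.0.5", 443, "alice@example.com", sni="wiki.internal.local")
    print(evaluate(policies, alice))                                   # employee Allow
    print(evaluate(policies, Flow("10.10.0.5", 443, "mallory@evil.example",
                                  sni="wiki.internal.local")))         # catch-all Block
    odd_port = Flow("10.10.0.5", 8443, "alice@example.com", sni="wiki.internal.local")
    print(evaluate(policies, odd_port))                                # Block: SNI unseen on 8443
    print(evaluate(policies, odd_port, inspect_all_ports=True))        # Allow again
    print(evaluate(list(reversed(policies)), alice))                   # wrong order: Block
```

The reversed-order case is the one to remember: a catch-all Block placed above the application Allow silently locks everyone out, and the only symptom is a Block entry in the Gateway network logs.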

### 4\. Test the connection

End users can now reach the application by going to its private hostname. For example, to connect to a private web application, open a browser and go to `wiki.internal.local`.

#### Troubleshooting

If you cannot connect, verify the following:

1. **Confirm DNS resolution** \- From the device, confirm that you can successfully resolve the private hostname:  
```sh
nslookup wiki.internal.local
```
```
Server:    127.0.2.2
Address:  127.0.2.2#53
Non-authoritative answer:
Name:  wiki.internal.local
Address: 100.80.200.48
```
The query should resolve using [WARP's DNS proxy](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#dns-traffic) and return a Gateway initial resolved IP. If the query fails to resolve or returns a different IP, check your [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) configuration and [Gateway resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/).
2. **Check Gateway logs** \- Review your [Gateway network logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) to see if the connection is being blocked by a policy.
3. **Verify tunnel status** \- Confirm that your tunnel is healthy and connected by checking [tunnel status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/).
4. **Test connectivity to initial resolved IP** \- When you connect to the application using its private hostname, the device should make a connection to the initial resolved IP:  
```sh
curl -v4 http://wiki.internal.local
```
```
* Trying 100.80.200.48:80...
* Connected to wiki.internal.local (100.80.200.48) port 80
...
```
If the request fails, confirm that the initial resolved IP [routes through the WARP tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/). You can also check your [tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) to confirm that requests are routing to the application's private IP.

## Limitations

### Google Chrome restricts access to private hostnames

Starting with [Chrome 142 ↗](https://developer.chrome.com/release-notes/142), the browser restricts requests from websites to local IP addresses, including the Gateway initial resolved IP CGNAT range (`100.80.0.0/16`). Because this range falls within `100.64.0.0/10`, Chrome categorizes these addresses as belonging to a local network. When a website loaded from a public IP makes subrequests to a domain resolved through an initial resolved IP, Chrome treats this as a public-to-local network request and displays a prompt asking the user to allow access to devices on the local network. Chrome will block requests to these domains until the user accepts this prompt.

This commonly occurs when an Egress policy matches broadly used domains (such as `cloudfront.net` or `github.com`), causing subrequests from public pages to resolve to the `100.80.0.0/16` range.

#### Iframes

If the affected request originates from within an iframe (for example, an application embedded in a third-party portal), the iframe must declare the `local-network-access` permission for the browser prompt to appear in the parent frame:

* **Chrome 142-144**: Use the `allow="local-network-access"` attribute on the iframe element.
* **Chrome 145+**: The permission was split into `allow="local-network"` and `allow="loopback-network"`.

If iframes are nested, every iframe in the chain must include the appropriate attribute. Since third-party applications control their own iframe attributes, this may not be configurable by the end user.

#### Workarounds

To avoid this issue, choose one of the following options:

* **Override IP address space classification (Chrome 146+)**: Use the [LocalNetworkAccessIpAddressSpaceOverrides ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessIpAddressSpaceOverrides) Chrome Enterprise policy to reclassify the `100.80.0.0/16` range as public. This is the most targeted fix because it only changes the classification for the initial resolved IP range rather than disabling security checks entirely.
* **Allow specific URLs (Chrome 140+)**: Use the [LocalNetworkAccessAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessAllowedForUrls) Chrome Enterprise policy to exempt specific websites from Local Network Access checks. Note that `https://*` is a valid entry to disable checks for all URLs.
* **Allow specific URLs (Chrome 146+)**: Use the [LocalNetworkAllowedForUrls ↗](https://chromeenterprise.google/policies/#LocalNetworkAllowedForUrls) Chrome Enterprise policy, which replaces `LocalNetworkAccessAllowedForUrls` starting in Chrome 146.
* **Opt out of Local Network Access restrictions (Chrome 142-152)**: Use the [LocalNetworkAccessRestrictionsTemporaryOptOut ↗](https://chromeenterprise.google/policies/#LocalNetworkAccessRestrictionsTemporaryOptOut) Chrome Enterprise policy to completely opt out of Local Network Access restrictions. This is a temporary policy and will be removed after Chrome 152.
* **Disable the Chrome feature flag**: Go to `chrome://flags` and set the **Local Network Access Checks** flag to _Disabled_. This approach is suitable for individual users but not for enterprise-wide deployment.


---

---
title: Private DNS
description: Private DNS in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Private DNS

By default, all DNS requests on the user device are resolved by Cloudflare's [public DNS resolver](https://developers.cloudflare.com/1.1.1.1/) except for common top level domains used for local resolution (such as `localhost`). You can connect an internal DNS resolver to Cloudflare and use it to resolve non-publicly routed domains.

## Configure private DNS

To resolve private DNS queries:

1. [Connect your private network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/) with Cloudflare Tunnel.
2. Under **Networks** \> **Routes**, verify that the IP address of your internal DNS resolver is included in the tunnel.  
Note  
Ensure that **Split Tunnels** are configured to [include traffic to private IPs and hostnames](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-the-cloudflare-one-client).
3. Route specific DNS queries to your internal DNS resolver using one of the following options:  
   * [Create a Local Domain Fallback entry](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) that points to the internal DNS resolver. For example, you can instruct the Cloudflare One Client to resolve all requests for `myorg.privatecorp` through an internal resolver at `10.0.0.25` rather than attempting to resolve this publicly.  
   * Alternatively, [create a resolver policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#create-a-resolver-policy) that points to the internal DNS resolver.  
   [Resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) provide similar functionality to Local Domain Fallback but occur in Cloudflare Gateway rather than on the local device. This option is recommended if you want more granular control over private DNS resolution. For example, you can ensure that all users in a specific geography use the private DNS server closest to them, ensure that specific conditions are met before resolving private DNS traffic, and apply [Gateway DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) to private DNS traffic.
4. [Enable the Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP and UDP.
5. Finally, ensure that your tunnel uses QUIC as the default [transport protocol](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#protocol). This enables `cloudflared` to proxy UDP-based traffic, which is required in most cases to resolve DNS queries.

The Cloudflare One Client will now send DNS queries to your internal DNS resolver for resolution. To learn more, refer to [How the Cloudflare One Client handles DNS requests](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/#how-the-warp-client-handles-dns-requests).

## Test the setup

For testing, run a `dig` command for the internal DNS service:

```sh
dig AAAA www.myorg.privatecorp
```

The `dig` command will work because `myorg.privatecorp` was configured above as a fallback domain. If you skip that step, you can still force `dig` to use your private DNS resolver:

```sh
dig @10.0.0.25 AAAA www.myorg.privatecorp
```

Both `dig` commands will fail if the Cloudflare One Client is disabled on your end user's device.

## Troubleshooting

Use the following troubleshooting strategies if you are running into issues while configuring private DNS with Cloudflare Tunnel.

* Ensure that `cloudflared` is connected to Cloudflare by visiting **Networks** \> **Connectors** \> **Cloudflare Tunnels** in Cloudflare One.
* Ensure that `cloudflared` is running with the `quic` protocol (search for `Initial protocol quic` in its logs).
* Ensure that the machine where `cloudflared` is running is allowed to egress via UDP to port 7844 to talk out to Cloudflare.
* Ensure that end-user devices are enrolled into the Cloudflare One Client by visiting [https://help.teams.cloudflare.com ↗](https://help.teams.cloudflare.com).
* Double-check the [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) for your [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). Ensure that a more global Block or Allow policy will not supersede application-specific policies.
* Check your [Gateway network logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#network-logs) to see whether your UDP DNS resolutions are being allowed or blocked.
* Ensure that your internal DNS resolver is available over a routable private IP address. You can check that by trying the `dig` command on your machine running `cloudflared`.
* Check your setup by using `dig ... +tcp` to force the DNS resolution to use TCP instead of UDP.
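An added troubleshooting helper, not Cloudflare's own code, that encodes the checks from the configuration steps and the list above: it parses `cloudflared` logs for the negotiated protocol, parses `dig` output for answers, models how a Local Domain Fallback entry matches query names, and (only when `RUN_PROBES=1`) runs the page's `dig` commands over UDP and TCP. The resolver `10.0.0.25` and the `myorg.privatecorp` domain are the page's example values; the sample log and `dig` output are constructed, and the default log path and the label-suffix matching rule are assumptions made here.

```python
"""Private DNS sanity checks for a resolver reached through Cloudflare Tunnel (added example)."""
import os
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

RESOLVER_IP = "10.0.0.25"                  # internal resolver from the page's example
FALLBACK_DOMAINS = ["myorg.privatecorp"]   # Local Domain Fallback entry from the page's example
QUERY_NAME = "www.myorg.privatecorp"
DEFAULT_LOG = "/var/log/cloudflared.log"   # placeholder path; set CLOUDFLARED_LOG to override

# cloudflared logs "Initial protocol <name>" once its tunnel connection is established.
_PROTOCOL_RE = re.compile(r"Initial protocol (\S+)")
# dig prints the response status in its header line and the section counts in the flags line.
_STATUS_RE = re.compile(r"status: ([A-Z]+)")
_ANSWER_RE = re.compile(r"ANSWER: (\d+)")

# Constructed sample inputs, not real captures.
SAMPLE_LOG_QUIC = (
    "2026-01-01T00:00:00Z INF Initial protocol quic\n"
    "2026-01-01T00:00:01Z INF Registered tunnel connection connIndex=0\n"
)
SAMPLE_LOG_HTTP2 = "2026-01-01T00:00:00Z INF Initial protocol http2\n"
SAMPLE_DIG_OK = (
    "; <<>> DiG 9.18.0 <<>> AAAA www.myorg.privatecorp\n"
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
    ";; ANSWER SECTION:\n"
    "www.myorg.privatecorp.\t300\tIN\tAAAA\tfd00::25\n"
)
SAMPLE_DIG_NXDOMAIN = (
    ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n"
)


def tunnel_protocol(log_text: str) -> Optional[str]:
    """Transport cloudflared negotiated ('quic', 'http2', ...) or None if the line is absent."""
    match = _PROTOCOL_RE.search(log_text)
    return match.group(1) if match else None


def uses_quic(log_text: str) -> bool:
    """The page requires QUIC so that cloudflared can proxy the UDP traffic DNS normally needs."""
    return tunnel_protocol(log_text) == "quic"


def dig_answered(dig_output: str) -> bool:
    """True when dig reports NOERROR with at least one record in the ANSWER section."""
    status = _STATUS_RE.search(dig_output)
    answers = _ANSWER_RE.search(dig_output)
    if not status or not answers:
        return False
    return status.group(1) == "NOERROR" and int(answers.group(1)) > 0


def matches_fallback(qname: str, fallback_domains: List[str]) -> bool:
    """A fallback entry covers the domain itself and every name under it.

    Assumption of this helper: case-insensitive match on whole DNS labels, so
    'evilmyorg.privatecorp' does not match the entry 'myorg.privatecorp'."""
    name = qname.rstrip(".").lower()
    for entry in fallback_domains:
        suffix = entry.rstrip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def run_dig(qname: str, server: Optional[str] = None, tcp: bool = False) -> Tuple[bool, str]:
    """Run dig as in the page's test section; returns (answered, raw output)."""
    if shutil.which("dig") is None:
        return False, "dig not installed"
    cmd = ["dig"]
    if server:
        cmd.append(f"@{server}")      # bypass the client's fallback logic and ask the resolver directly
    cmd += ["AAAA", qname, "+time=3", "+tries=1"]
    if tcp:
        cmd.append("+tcp")            # isolates UDP-only problems (QUIC/egress to UDP 7844)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return dig_answered(proc.stdout), proc.stdout


def run_checks(log_path: str) -> List[str]:
    """Walk the troubleshooting list above and return human-readable findings."""
    findings: List[str] = []
    try:
        with open(log_path, encoding="utf-8") as fh:
            proto = tunnel_protocol(fh.read())
        verdict = "ok" if proto == "quic" else "switch the tunnel to quic"
        findings.append(f"tunnel protocol: {proto} ({verdict})")
    except OSError as exc:
        findings.append(f"cloudflared log unreadable: {exc}")
    if not matches_fallback(QUERY_NAME, FALLBACK_DOMAINS):
        findings.append(f"{QUERY_NAME} is not covered by any fallback entry")
    for label, server, tcp in [("system resolver, UDP", None, False),
                               ("internal resolver, UDP", RESOLVER_IP, False),
                               ("internal resolver, TCP", RESOLVER_IP, True)]:
        ok, _ = run_dig(QUERY_NAME, server, tcp)
        findings.append(f"dig via {label}: {'answered' if ok else 'no answer'}")
    return findings


if __name__ == "__main__" and os.environ.get("RUN_PROBES") == "1":
    for line in run_checks(os.environ.get("CLOUDFLARED_LOG", DEFAULT_LOG)):
        print(line)
```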


---

---
title: Virtual networks
description: Virtual networks in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Virtual networks

Feature availability

| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
| Traffic and DNS mode, Traffic only mode                                                                                            | All plans                                                       |

| System   | Availability |
| -------- | ------------ |
| Windows  | ✅            |
| macOS    | ✅            |
| Linux    | ✅            |
| iOS      | ✅            |
| Android  | ✅            |
| ChromeOS | ✅            |

Virtual networks provide routing isolation within your Cloudflare account. Each virtual network maintains its own routing table, allowing you to separate traffic between different environments, partners, or applications.

For example, an organization may have separate "production" and "staging" VPC networks that both use the same private IP range (such as `10.128.0.0/24`). Without virtual networks, Cloudflare cannot distinguish between `10.128.0.1` in production and `10.128.0.1` in staging. By creating two virtual networks, you can deterministically route traffic to the correct environment. Users select which virtual network they want to connect to in the Cloudflare One Client.

For a conceptual overview of virtual networks, including how they work across Cloudflare products, refer to [Virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/virtual-networks/).

## Use cases

Here are a few scenarios where virtual networks may prove useful:

* Manage production and staging environments that use the same address space.
* Manage acquisitions or mergers between organizations that use the same address space.
* Allow IT professional services to access their customer's network for various administration and management purposes.
* Allow developers or homelab users to deterministically route traffic through their home network to enforce additional security controls.
* Guarantee additional segmentation (beyond just policy enforcement) between networks and resources for security reasons, while keeping all configuration within a single Cloudflare account.

## Prerequisites

* [Install cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) on each private network.
* [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on user devices.

## Create a virtual network

In this example, "private network" refers to a distinct environment (such as staging or production) that has its own overlapping IP address space (`10.128.0.1/32` staging and `10.128.0.1/32` production). If your environments use non-overlapping IPs, you do not need a separate tunnel for each. Instead, you can add multiple routes to a single tunnel.
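As an added illustration (not Cloudflare's code) of the routing isolation described above, a small model of per-virtual-network routing tables built from the page's staging and production `10.128.0.1/32` routes: each virtual network owns its own table, the client's selected virtual network picks the table, and longest-prefix match picks the tunnel. Treating the same CIDR added twice inside one virtual network as a conflict is this model's assumption, used to show why the overlapping case needs two virtual networks while non-overlapping ranges can share one table and one tunnel.

```python
"""Model of per-virtual-network routing tables for overlapping private IPs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # model kept IPv4-only for brevity
    tunnel: str


class RouteConflict(ValueError):
    """Raised when a CIDR is already routed inside the same virtual network (model assumption)."""


class VirtualNetworks:
    """One routing table per virtual network; accounts start with a vnet named 'default'."""

    def __init__(self, default: str = "default") -> None:
        self.default = default
        self._tables: Dict[str, List[Route]] = {default: []}

    def add_vnet(self, name: str) -> None:
        """Equivalent of `cloudflared tunnel vnet add <name>`."""
        self._tables.setdefault(name, [])

    def add_route(self, cidr: str, tunnel: str, vnet: Optional[str] = None) -> None:
        """Equivalent of `cloudflared tunnel route ip add --vnet <vnet> <cidr> <tunnel>`."""
        vnet = vnet or self.default
        if vnet not in self._tables:
            raise KeyError(f"unknown virtual network {vnet!r}")
        network = ipaddress.IPv4Network(cidr, strict=False)
        for route in self._tables[vnet]:
            if route.network == network:
                raise RouteConflict(f"{cidr} already routed in {vnet!r} via {route.tunnel!r}")
        self._tables[vnet].append(Route(network, tunnel))

    def lookup(self, ip: str, vnet: Optional[str] = None) -> Optional[str]:
        """Tunnel that receives traffic for `ip` from a client connected to `vnet`."""
        vnet = vnet or self.default
        addr = ipaddress.IPv4Address(ip)
        best: Optional[Route] = None
        for route in self._tables.get(vnet, []):
            if addr in route.network and (
                best is None or route.network.prefixlen > best.network.prefixlen
            ):
                best = route                  # longest prefix wins within the selected table
        return best.tunnel if best else None


def page_example() -> VirtualNetworks:
    """The page's setup: the identical /32 routed in two separate virtual networks."""
    vn = VirtualNetworks()
    vn.add_vnet("staging-vnet")
    vn.add_vnet("production-vnet")
    vn.add_route("10.128.0.1/32", "Staging tunnel", "staging-vnet")
    vn.add_route("10.128.0.1/32", "Production tunnel", "production-vnet")
    return vn


def overlap_without_vnets() -> str:
    """Both routes in the single default table: the second one cannot be distinguished."""
    vn = VirtualNetworks()
    vn.add_route("10.128.0.1/32", "Staging tunnel")
    try:
        vn.add_route("10.128.0.1/32", "Production tunnel")
    except RouteConflict as exc:
        return str(exc)
    return "no conflict detected"


if __name__ == "__main__":
    vn = page_example()
    for selected in ("staging-vnet", "production-vnet"):
        print(f"{selected}: 10.128.0.1 -> {vn.lookup('10.128.0.1', selected)}")
    print(overlap_without_vnets())
```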

To route overlapping IPs over virtual networks from the Cloudflare dashboard:

1. Create two unique virtual networks:  
   1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Routes** \> **Virtual networks**.  
   Note  
   The **Virtual networks** card will only appear if a CIDR route exists in your account. If you do not already have a route, you can navigate to **Virtual networks** using this [direct link ↗](https://dash.cloudflare.com/?to=/:account/one/networks/routes/cidr/vnets).  
   2. Select **Create virtual network**.  
   3. Name your virtual network `staging-vnet` and select **Save**.  
   4. Repeat Steps 1a-1c to create another virtual network called `production-vnet`.
2. Create a Cloudflare Tunnel for each private network with overlapping IPs (one tunnel per isolated environment, for example staging and production):  
   1. Go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**.  
   2. Select **Create a tunnel**.  
   3. Name your tunnel `Staging tunnel` and select **Save tunnel**.  
   4. Install the connector within your staging environment.  
   5. In the **CIDR** tab, add `10.128.0.1/32`.  
   6. Select **Additional settings**. Under **Virtual networks**, select _staging-vnet_.  
   7. Save the tunnel.  
   8. Repeat Steps 2a-2g to create another tunnel called `Production tunnel`. Be sure to install the connector within your production environment and assign the route to _production-vnet_.

We now have two overlapping IP addresses routed over `staging-vnet` and `production-vnet` respectively. You can use the Cloudflare One Client to [switch between virtual networks](#connect-to-a-virtual-network).

To route overlapping IPs over virtual networks with Terraform (v5):

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):
   * `Cloudflare Tunnel Write`
2. Create two unique virtual networks:
   ```hcl
   resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "staging_vnet" {
     account_id = var.cloudflare_account_id
     name       = "staging-vnet"
     comment    = "Staging virtual network"
     is_default = false
   }
   resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "production_vnet" {
     account_id = var.cloudflare_account_id
     name       = "production-vnet"
     comment    = "Production virtual network"
     is_default = false
   }
   ```
3. Create a Cloudflare Tunnel for each private network with overlapping IPs (one tunnel per isolated environment, for example staging and production):
   ```hcl
   resource "cloudflare_zero_trust_tunnel_cloudflared" "staging_tunnel" {
     account_id = var.cloudflare_account_id
     name       = "Staging tunnel"
     config_src = "cloudflare"
   }
   resource "cloudflare_zero_trust_tunnel_cloudflared" "production_tunnel" {
     account_id = var.cloudflare_account_id
     name       = "Production tunnel"
     config_src = "cloudflare"
   }
   ```
4. Route `10.128.0.1/32` through `Staging tunnel` and assign it to `staging-vnet`. Route `10.128.0.1/32` through `Production tunnel` and assign it to `production-vnet`.
   ```hcl
   resource "cloudflare_zero_trust_tunnel_cloudflared_route" "staging_tunnel_route" {
     account_id         = var.cloudflare_account_id
     tunnel_id          = cloudflare_zero_trust_tunnel_cloudflared.staging_tunnel.id
     network            = "10.128.0.1/32"
     comment            = "Staging tunnel route"
     virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id
   }
   resource "cloudflare_zero_trust_tunnel_cloudflared_route" "production_tunnel_route" {
     account_id         = var.cloudflare_account_id
     tunnel_id          = cloudflare_zero_trust_tunnel_cloudflared.production_tunnel.id
     network            = "10.128.0.1/32"
     comment            = "Production tunnel route"
     virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.production_vnet.id
   }
   ```
5. [Get the token](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions/#get-the-tunnel-token) for each tunnel.
6. Using the tunnel tokens, run `Staging tunnel` in your staging environment and run `Production tunnel` in your production environment. Refer to [Install and run the tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel).

To route overlapping IPs over virtual networks for [locally-managed tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/):

1. Create a Cloudflare Tunnel for each private network with overlapping IPs (one tunnel per isolated environment, for example staging and production):
   1. Within your staging environment, authenticate `cloudflared`:
      ```sh
      cloudflared login
      ```
   2. Create a tunnel to connect your staging network to Cloudflare.
      ```sh
      cloudflared tunnel create staging-tunnel
      ```
   3. Within your production environment, authenticate `cloudflared`:
      ```sh
      cloudflared login
      ```
   4. Create a tunnel to connect your production network to Cloudflare.
      ```sh
      cloudflared tunnel create production-tunnel
      ```

The following steps may be executed from any `cloudflared` instance.

2. Create two unique virtual networks.
   ```sh
   cloudflared tunnel vnet add staging-vnet
   cloudflared tunnel vnet add production-vnet
   ```
3. Before moving on, run the following command to verify that your newly created virtual networks are listed correctly:
   ```sh
   cloudflared tunnel vnet list
   ```

Default virtual network

All accounts come pre-configured with a virtual network named `default`. You can choose a new default by typing `cloudflared tunnel vnet update --default <virtual-network-name>`.

4. Configure your tunnels with the IP/CIDR range of your private networks, and assign the tunnels to their respective virtual networks.
   ```sh
   cloudflared tunnel route ip add --vnet staging-vnet 10.128.0.3/32 staging-tunnel
   cloudflared tunnel route ip add --vnet production-vnet 10.128.0.3/32 production-tunnel
   ```
5. Verify that the IP routes are listed correctly:
   ```sh
   cloudflared tunnel route ip list
   ```
   We now have two overlapping IP addresses routed over `staging-vnet` and `production-vnet` respectively.
6. Within your staging environment, create a [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) for `staging-tunnel`. The configuration file will be structured as follows:
   ```yaml
   tunnel: <Tunnel-UUID>
   credentials-file: /root/.cloudflared/credentials-file.json
   warp-routing:
     enabled: true
   ```
7. Run your tunnel.
   ```sh
   cloudflared tunnel run staging-tunnel
   ```
8. Within your production environment, repeat Steps 6 and 7 for `production-tunnel`.

You can now use the Cloudflare One Client to [switch between virtual networks](#connect-to-a-virtual-network).

## Delete a virtual network

To delete a virtual network from the Cloudflare dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels** and ensure that no IP routes are assigned to the virtual network you are trying to delete. If your virtual network is in use, delete the route or reassign it to a different virtual network.
2. Next, go to **Networks** \> **Routes**.
3. In **Virtual networks**, find your virtual network.
4. Select the three-dot menu and choose **Delete**.

You can optionally delete the tunnel associated with your virtual network.

To delete a virtual network for [locally-managed tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/):

1. Delete all IP routes in the virtual network. For example,
   ```sh
   cloudflared tunnel route ip delete --vnet staging-vnet 10.128.0.3/32
   ```
2. (Optional) Delete the tunnel associated with the virtual network.
   ```sh
   cloudflared tunnel delete staging-tunnel
   ```
3. Delete the virtual network.
   ```sh
   cloudflared tunnel vnet delete staging-vnet
   ```

You can verify that the virtual network was successfully deleted by typing `cloudflared tunnel vnet list`.

## Connect to a virtual network

### Windows, macOS, and Linux

For Cloudflare One Client version 2026.2 and later:

1. Open the Cloudflare One Client.
2. Go to **Home**.
3. In the **VNET** dropdown, choose the virtual network you want to connect to (for example, `staging-vnet`).

For version 2026.1 and earlier:

1. Open the Cloudflare One Client.
2. Go to **Settings** \> **Traffic and DNS mode** \> **Virtual Networks**.
3. Choose the virtual network you want to connect to, for example `staging-vnet`.

When you visit `10.128.0.3/32`, the Cloudflare One Client will route your request to the staging environment.

### iOS, Android, and ChromeOS

1. Launch the Cloudflare One Agent app.
2. Go to **Advanced** \> **Connection options** \> **Virtual networks**.
3. Choose the virtual network you want to connect to, for example `staging-vnet`.

When you visit `10.128.0.3/32`, the Cloudflare One Client will route your request to the staging environment.


---

---
title: Published applications
description: How Published applications works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Published applications

Cloudflare Tunnel allows you to publish local applications to the Internet via a public hostname. For example, you can [add a published application route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) that points `docs.example.com` to `https://localhost:8080`. Anyone can now view your application by going to `docs.example.com` in their web browser.

Cloudflare can route traffic down your Cloudflare Tunnel using a [DNS record](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) or [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/). You can configure either option from the Cloudflare dashboard by pointing a DNS `CNAME` record or a load balancer pool to your Cloudflare Tunnel subdomain (`<UUID>.cfargotunnel.com`). You can also associate these records with your tunnel from `cloudflared` directly.

Note

You do not need a paid Cloudflare Access plan to publish an application via Cloudflare Tunnel. [Access seats](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) are only required if you want to [secure the application using Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), such as requiring users to log in via an identity provider.


---

---
title: DNS records
description: DNS records in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# DNS records

When you create a tunnel, Cloudflare generates a subdomain at `<UUID>.cfargotunnel.com`. You point a CNAME record at this subdomain to route traffic from your hostname to the tunnel.

The `cfargotunnel.com` subdomain only proxies traffic for DNS records in the same Cloudflare account. If someone discovers your tunnel UUID, they cannot create a DNS record in another account to proxy traffic through it.

## Create a DNS record

To create a DNS record for a Cloudflare Tunnel from the Cloudflare dashboard:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **DNS Records** for your domain.  
[ Go to **Records** ](https://dash.cloudflare.com/?to=/:account/:zone/dns/records)
2. Select **Add record**.
3. Enter the following values:  
   * **Type**: _CNAME_  
   * **Name**: Subdomain of your application  
   * **Target**: `<UUID>.cfargotunnel.com`
4. Select **Save**.

![Example of fields completed to create a new CNAME record.](https://developers.cloudflare.com/_astro/dns-record.B25etJTI_Z1p13KV.webp)

For locally-managed tunnels, run the following command to create a CNAME record pointing to your tunnel subdomain:

```sh
cloudflared tunnel route dns <UUID or NAME> www.app.com
```

This creates a CNAME record but does not proxy traffic unless the tunnel is running.

Note

To create DNS records using `cloudflared`, the [cert.pem](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/local-tunnel-terms/#certpem) file must be installed on your system.

The DNS record and the tunnel are independent. You can create DNS records that point to a tunnel that is not running. If a tunnel stops, the DNS record is not deleted — visitors will see a `1016` error.

You can also create multiple DNS records pointing to the same tunnel subdomain. If you route traffic from multiple hostnames to multiple services, create a CNAME entry for each hostname. All entries share the same target.

## Cloudflare settings

Published applications inherit the Cloudflare settings for their hostname, including [cache rules](https://developers.cloudflare.com/cache/how-to/cache-rules/), [WAF rules](https://developers.cloudflare.com/waf/), and other [Rules](https://developers.cloudflare.com/rules/) configurations. You can change these settings for each hostname in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/).

If you use a load balancer, settings are applied to the load balancer hostname instead.


---

---
title: Protocols for published applications
description: Reference information for Protocols for published applications in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Protocols for published applications

When you [add a published application route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind `cloudflared`.

The table below lists the service types you can route to a public hostname. Non-HTTP services require [installing cloudflared on the client](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/) for end users to connect.

| Service type | Description                                                                                                                                                                                                                                                                                                                                                                                                                    | Example service value               |
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- |
| HTTP         | Proxies incoming HTTPS requests to your local web service over HTTP.                                                                                                                                                                                                                                                                                                                                                           | http://localhost:8000               |
| HTTPS        | Proxies incoming HTTPS requests directly to your local web service. You can [disable TLS verification](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/#notlsverify) for self-signed certificates.                                                                                                                                                  | https://localhost:8000              |
| UNIX         | Same as HTTP, but uses a Unix socket.                                                                                                                                                                                                                                                                                                                                                                                          | unix:/home/production/echo.sock     |
| UNIX + TLS   | Same as HTTPS, but uses a Unix socket.                                                                                                                                                                                                                                                                                                                                                                                         | unix+tls:/home/production/echo.sock |
| TCP          | Streams TCP over a WebSocket connection. End users run `cloudflared access tcp` to [connect](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/). For long-lived connections, use [Client-to-Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead.                     | tcp://localhost:2222                |
| SSH          | Streams SSH over a WebSocket connection. End users run `cloudflared access ssh` to [connect](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/). For long-lived connections, use [Client-to-Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead. | ssh://localhost:22                  |
| RDP          | Streams RDP over a WebSocket connection. For more information, refer to [Connect to RDP with client-side cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/).                                                                                                                                                                   | rdp://localhost:3389                |
| SMB          | Streams SMB over a WebSocket connection. For more information, refer to [Connect to SMB with client-side cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/#connect-to-smb-server-with-cloudflared-access).                                                                                                                                                    | smb://localhost:445                 |
| HTTP\_STATUS | Responds to all requests with a fixed HTTP status code.                                                                                                                                                                                                                                                                                                                                                                        | http\_status:404                    |
| BASTION      | Allows cloudflared to act as a jump host, providing access to any local address.                                                                                                                                                                                                                                                                                                                                               | bastion                             |
| HELLO\_WORLD | Test server for validating your Cloudflare Tunnel connection (for [locally managed tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-published-applications) only).                                                                                                                                 | hello\_world                        |


---

---
title: Public load balancers
description: How Public load balancers works in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Public load balancers

A [public load balancer](https://developers.cloudflare.com/load-balancing/load-balancers/) allows you to distribute traffic across the servers that are running your [published applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/).

When you add a [published application route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) to your Cloudflare Tunnel, Cloudflare generates a subdomain of `cfargotunnel.com` with the UUID of the created tunnel. You can add the application to a load balancer pool by using `<UUID>.cfargotunnel.com` as the [endpoint address](https://developers.cloudflare.com/load-balancing/understand-basics/load-balancing-components/#endpoints) and specifying the application hostname (`app.example.com`) in the [endpoint host header](https://developers.cloudflare.com/load-balancing/additional-options/override-http-host-headers/). Load Balancer does not support directly adding `app.example.com` as an endpoint if the service is behind Cloudflare Tunnel.

## Create a public load balancer

### Prerequisites

* A Cloudflare Tunnel with a [published application route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application)

### Create a load balancer

To create a load balancer for Cloudflare Tunnel published applications:

1. In the Cloudflare dashboard, go to the **Load Balancing** page.  
[ Go to **Load Balancing** ](https://dash.cloudflare.com/?to=/:account/load-balancing)
2. Select **Create load balancer**, then select **Public load balancer**.
3. Under **Select website**, select the domain of your published application route.
4. On the **Hostname** page, enter a hostname for the load balancer (for example, `lb.example.com`).
5. On the **Pools** page, select **Create a pool** and enter a descriptive name.
6. Add a tunnel endpoint with the following values:  
   * **Endpoint Name**: Name of the server running the application  
   * **Endpoint Address**: `<UUID>.cfargotunnel.com` (find the Tunnel ID in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) under **Zero Trust** > **Networks** > **Connectors** > **Cloudflare Tunnels**)  
   * **Header value**: Hostname of your published application route (for example, `app.example.com`)  
   * **Weight**: `1` (if only one endpoint)  

   Note  
   A single origin pool cannot reference the same tunnel UUID twice.
7. Choose a **Fallback pool**. Refer to [traffic steering policies](https://developers.cloudflare.com/load-balancing/understand-basics/traffic-steering/steering-policies/) for routing options.
8. (Recommended) On the **Monitors** page, attach a monitor to the endpoint. For an HTTP or HTTPS application, create an HTTPS monitor:  
   * **Type**: _HTTPS_  
   * **Path**: `/`  
   * **Port**: `443`  
   * **Expected Code(s)**: `200`  
   * **Header Name**: `Host`  
   * **Value**: `app.example.com`
9. Save and deploy the load balancer.

To test, access your application using the load balancer hostname (`lb.example.com`).

Refer to the [Load Balancing documentation](https://developers.cloudflare.com/load-balancing/) for more details on load balancer settings and configurations.

### Optional Cloudflare settings

The application will default to the Cloudflare settings for the load balancer hostname, including [Rules](https://developers.cloudflare.com/rules/), [Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/) and [WAF rules](https://developers.cloudflare.com/waf/). You can change the settings for your hostname in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/).

## Common architectures

Review common load balancing configurations for published applications behind Cloudflare Tunnel.

### One app per load balancer

For this example, assume we have a web application that runs on servers in two different data centers. We want to connect the application to Cloudflare so that users can access the application from anywhere in the world. Additionally, we want Cloudflare to load balance between the servers such that if the primary server fails, the secondary server receives all traffic.

```mermaid
graph LR
    subgraph LB["Public load balancer <br> app.example.com "]
        subgraph P1[Pool 2]
            E1(["**Endpoint:** &lt;UUID_1&gt;.cfargotunnel.com<br> **Host header**: server2.example.com"])
        end
        subgraph P2[Pool 1]
            E2(["**Endpoint:** &lt;UUID_2&gt;.cfargotunnel.com<br> **Host header**: server1.example.com"])
        end
    end
    R@{ shape: text, label: "app.example.com" }
    R --> LB
    P1 -- Tunnel 1 --> cf1
    P2 -- Tunnel 2 --> cf2
    subgraph D2[Private network]
        subgraph r1[Region eu-west-1]
            cf1@{ shape: processes, label: "cloudflared <br> **Route:** server2.example.com" }
            S1(["Server 2<br> 10.0.0.1:80"])
            cf1 --> S1
        end
        subgraph r2[Region us-east-1]
            cf2@{ shape: processes, label: "cloudflared <br> **Route:** server1.example.com" }
            S3(["Server 1 <br> 10.0.0.2:80"])
            cf2 --> S3
        end
    end

    style r1 stroke-dasharray: 5 5
    style r2 stroke-dasharray: 5 5
```

As shown in the diagram, a typical setup includes:

* A dedicated Cloudflare Tunnel per data center.
* One load balancer pool per tunnel. The load balancer hostname is set to the user-facing application hostname (`app.example.com`).
* One load balancer endpoint per pool. The endpoint host header is set to the `cloudflared` published application hostname (`server1.example.com`).
* At least two `cloudflared` [replicas](#session-affinity-and-replicas) per tunnel in their respective data centers, in case a `cloudflared` host machine goes down.

Users can now connect to the application using the load balancer hostname (`app.example.com`). Note that this configuration is only valid for [Active-Passive failover](https://developers.cloudflare.com/load-balancing/load-balancers/common-configurations/#active---passive-failover), since each pool only supports one endpoint per tunnel.

### Multiple apps per load balancer

The following diagram illustrates how to steer traffic to two different applications on a private network using a single load balancer.

```mermaid
graph LR
    subgraph LB["Public load balancer <br> lb.example.com"]
        subgraph P1[Pool for App 1]
            E1(["**Endpoint:** &lt;UUID_1&gt;.cfargotunnel.com<br> **Host header**: app1.example.com"])
            E2(["**Endpoint:** &lt;UUID_2&gt;.cfargotunnel.com<br> **Host header**: app1.example.com"])
        end
        subgraph P2[Pool for App 2]
            E3(["**Endpoint:** &lt;UUID_1&gt;.cfargotunnel.com<br> **Host header**: app2.example.com"])
            E4(["**Endpoint:** &lt;UUID_2&gt;.cfargotunnel.com<br> **Host header**: app2.example.com"])
        end
    end
    R@{ shape: text, label: "app1.example.com <br> app2.example.com" }
    R --> LB
    E1 -- Tunnel 1 --> cf1
    E3 -- Tunnel 1 --> cf1
    E2 -- Tunnel 2 --> cf2
    E4 -- Tunnel 2 --> cf2

    subgraph N[Private network]
        cf2[cloudflared <br> **Route:** app1.example.com <br> **Route:** app2.example.com]
        S3(["App 1 <br> 10.0.0.1:80"])
        cf2 --> S3
        cf2 --> S1
        cf1[cloudflared <br> **Route:** app1.example.com <br> **Route:** app2.example.com]
        S1(["App 2 <br> 10.0.0.2:80"])
        cf1 --> S1
        cf1 --> S3
    end
```

This load balancing setup includes:

* Two Cloudflare Tunnels with identical routes to both applications.
* One load balancer pool per application.
* Each load balancer pool has an endpoint per tunnel.
* A [DNS record](#dns-records) for each application that points to the load balancer hostname.

Users can now access all applications through the load balancer. Since there are multiple tunnel endpoints per pool, this configuration supports [Active-Active Failover](https://developers.cloudflare.com/load-balancing/load-balancers/common-configurations/#active---active-failover). Active-Active uses all available endpoints in the pool to process requests simultaneously, providing better performance and scalability by load balancing traffic across them.

#### DNS records

When you configure a published application route via the dashboard, Cloudflare will automatically generate a `CNAME` DNS record that points the application hostname (`app1.example.com`) to the tunnel subdomain (`<UUID>.cfargotunnel.com`). You can [edit these DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/#edit-dns-records) so that they point to the load balancer hostname instead.

Note

Tunnel routes configured via the API or CLI require [manually creating DNS records](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/).

Here is an example of what your DNS records will look like before and after setting up [Multiple apps per load balancer](#multiple-apps-per-load-balancer):

**Before**:

| Type  | Name | Content                    |
| ----- | ---- | -------------------------- |
| CNAME | app1 | <UUID\_1>.cfargotunnel.com |
| CNAME | app2 | <UUID\_1>.cfargotunnel.com |
| CNAME | app1 | <UUID\_2>.cfargotunnel.com |
| CNAME | app2 | <UUID\_2>.cfargotunnel.com |

**After**:

| Type  | Name           | Content        |
| ----- | -------------- | -------------- |
| LB    | lb.example.com | n/a            |
| CNAME | app1           | lb.example.com |
| CNAME | app2           | lb.example.com |
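The creation procedure above, the two architectures (one app per load balancer, multiple apps per load balancer) and the DNS repoint can all be planned and checked before anything is created in the dashboard. The following Python script is an added example, not Cloudflare's code or the page's own: it models pools of tunnel endpoints, enforces the rules this page states (the endpoint address is `<UUID>.cfargotunnel.com`, the Host header must be the published route, a pool may not reference the same tunnel UUID twice, a single endpoint per pool means active-passive only) and emits request bodies shaped like the Load Balancing API's pool, monitor and load balancer objects. The payload field names are assumptions drawn from that API as I know it and should be checked against the API reference before use; the tunnel UUIDs and hostnames are constructed.

```python
"""Plan a public load balancer for applications published through Cloudflare Tunnel.

Added example, not Cloudflare's code. It encodes the constraints stated on this
page and emits request bodies shaped like the Load Balancing API's pool, monitor
and load balancer objects (assumed shape; check the API reference before use).
Tunnel UUIDs and hostnames used here are constructed sample values.
"""
import json
import re
import uuid
from dataclasses import dataclass, field

TUNNEL_SUFFIX = ".cfargotunnel.com"
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


@dataclass
class Endpoint:
    name: str            # label for the server running the application
    tunnel_id: str       # Cloudflare Tunnel UUID
    route_hostname: str  # cloudflared published application route, e.g. app.example.com
    weight: int = 1

    @property
    def address(self) -> str:
        # The endpoint address is the tunnel subdomain, never app.example.com itself.
        return f"{self.tunnel_id}{TUNNEL_SUFFIX}"


@dataclass
class Pool:
    name: str
    endpoints: list = field(default_factory=list)


def validate_pool(pool: Pool) -> list:
    """Return the constraint violations for a pool (an empty list means valid)."""
    problems, seen = [], set()
    for ep in pool.endpoints:
        where = f"{pool.name}/{ep.name}"
        try:
            uuid.UUID(ep.tunnel_id)
        except ValueError:
            problems.append(f"{where}: tunnel_id {ep.tunnel_id!r} is not a UUID")
        if ep.tunnel_id in seen:
            problems.append(f"{where}: pool references tunnel {ep.tunnel_id} twice")
        seen.add(ep.tunnel_id)
        host = ep.route_hostname.lower()
        if not HOSTNAME_RE.match(host) or host.endswith(TUNNEL_SUFFIX):
            problems.append(f"{where}: Host header {ep.route_hostname!r} must be the published route")
        if ep.weight < 1:
            problems.append(f"{where}: weight must be at least 1")
    if not pool.endpoints:
        problems.append(f"{pool.name}: pool has no endpoints")
    return problems


def failover_mode(pool: Pool) -> str:
    """A pool with one tunnel endpoint can only fail over to another pool."""
    return "active-active" if len(pool.endpoints) > 1 else "active-passive"


def pool_payload(pool: Pool) -> dict:
    """Body for POST /accounts/{account_id}/load_balancers/pools (assumed shape)."""
    return {"name": pool.name, "enabled": True, "origins": [
        {"name": ep.name, "address": ep.address, "enabled": True, "weight": ep.weight,
         "header": {"Host": [ep.route_hostname]}} for ep in pool.endpoints]}


def monitor_payload(host_header: str, path: str = "/", expected_codes: str = "200") -> dict:
    """HTTPS monitor that reaches the app through the tunnel by sending its Host header."""
    return {"type": "https", "method": "GET", "path": path, "port": 443,
            "expected_codes": expected_codes, "header": {"Host": [host_header]},
            "allow_insecure": False, "follow_redirects": False}


def dns_plan(app_hostnames: list, lb_hostname: str) -> list:
    """CNAMEs that repoint each application from <UUID>.cfargotunnel.com to the LB."""
    return [{"type": "CNAME", "name": h, "content": lb_hostname, "proxied": True}
            for h in app_hostnames]


def multi_app_layout(tunnel_ids: list, apps: list) -> dict:
    """'Multiple apps per load balancer': one pool per app, one endpoint per tunnel."""
    pools = [Pool(f"pool-{app}", [Endpoint(f"{app}-via-{t[:8]}", t, app) for t in tunnel_ids])
             for app in apps]
    return {"pools": pools, "problems": [p for pool in pools for p in validate_pool(pool)]}


if __name__ == "__main__":
    t1, t2 = str(uuid.uuid4()), str(uuid.uuid4())  # constructed tunnel IDs
    layout = multi_app_layout([t1, t2], ["app1.example.com", "app2.example.com"])
    for pool in layout["pools"]:
        print(pool.name, failover_mode(pool))
        print(json.dumps(pool_payload(pool), indent=2))
    print(json.dumps(monitor_payload("app1.example.com"), indent=2))
    print(json.dumps(dns_plan(["app1.example.com", "app2.example.com"], "lb.example.com")))
    # The dashboard rejects the same tunnel UUID twice in one pool; so does validate_pool.
    print(validate_pool(Pool("bad", [Endpoint("a", t1, "app1.example.com"),
                                     Endpoint("b", t1, "app1.example.com")])))
```

Run it as-is to print the payloads for the multiple-apps layout; swap in your real tunnel UUIDs and routes to plan a deployment. The validator fails closed on the two mistakes that are easiest to make here: using the application hostname rather than the tunnel subdomain as the endpoint address, and reusing one tunnel in a pool, which the load balancer would treat as a single endpoint anyway.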

## Known limitations

### Monitors and TCP tunnel origins

TCP monitors are not supported for tunnel endpoints. Instead, create a health check endpoint on the `cloudflared` host and use an HTTPS monitor. For example, you can use `cloudflared` to return a fixed HTTP status response:

1. [Add a published application route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) for the health check:  
   * **Hostname**: `health-check.example.com`  
   * **Service Type**: _HTTP\_STATUS_  
   * **HTTP Status Code**: `200`
2. [Create a monitor](https://developers.cloudflare.com/load-balancing/monitors/create-monitor/) with these settings:  
   * **Type**: _HTTPS_  
   * **Path**: `/`  
   * **Port**: `443`  
   * **Expected Code(s)**: `200`  
   * **Header Name**: `Host`  
   * **Value**: `health-check.example.com`

This monitor verifies that `cloudflared` is reachable. It does not check whether the upstream service is accepting requests.

### Session affinity and replicas

The load balancer does not distinguish between [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) of the same tunnel. If you run the same tunnel UUID on two separate hosts, the load balancer treats both hosts as a single endpoint. To maintain [session affinity](https://developers.cloudflare.com/load-balancing/understand-basics/session-affinity/) between a client and a particular host, you will need to connect each host to Cloudflare using a different tunnel UUID.

### Local connection preference

If you notice traffic imbalances across endpoints in different locations, you may need to adjust your load balancer configuration.

Cloudflare uses [Anycast routing ↗](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) to direct end user requests to the nearest data center. `cloudflared` prefers to serve requests using connections in the same data center, which can affect how traffic is distributed across endpoints.

If you run [cloudflared replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) on the same tunnel UUID, consider switching to separate tunnels for more granular control over [traffic steering](https://developers.cloudflare.com/load-balancing/understand-basics/traffic-steering/).


---

---
title: Common errors
description: Reference information for Common errors in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Common errors

This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to [Troubleshooting Cloudflare One](https://developers.cloudflare.com/cloudflare-one/troubleshooting/), view your [Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/), or [contact Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/).

## Tunnel status

You can check your tunnel's connection status either from Cloudflare One (by going to **Networks** > **Connectors** > **Cloudflare Tunnels**) or by running the `cloudflared tunnel list` command. Each tunnel displays a status that reflects its current connection state:

| Status       | Meaning                                                                                                                                                                                                                                                                                                                                                               | Recommended Action                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Healthy**  | The tunnel is active and serving traffic through four connections to the Cloudflare global network.                                                                                                                                                                                                                                                                   | No action is required. Your tunnel is running correctly.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **Inactive** | The tunnel has been created (via the API or dashboard) but the cloudflared connector has never been run to establish a connection.                                                                                                                                                                                                                                    | Run the tunnel as a service (recommended) or use the cloudflared tunnel run command on your origin server to connect the tunnel to Cloudflare. Refer to [substep 6 of step 1 in the Create a Tunnel dashboard guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#1-create-a-tunnel) or step 4 in the [Create a Tunnel API guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel). |
| **Down**     | The tunnel was previously connected but is currently disconnected because the cloudflared process has stopped.                                                                                                                                                                                                                                                        | 1\. Ensure the cloudflared [service](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/as-a-service/) or process is actively running on your server.  2\. Check for server-side issues, such as the machine being powered off, an application crash, or recent network changes.                                                                                                                                                                                                                |
| **Degraded** | The cloudflared connector is running and the tunnel is serving traffic, but at least one individual connection has failed. Further degradation in [tunnel availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) could risk the tunnel going down and failing to serve traffic. | 1\. Review your cloudflared [logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) for connection failures or error messages.  2\. Investigate local network and firewall rules to ensure they are not blocking connections to the [Cloudflare Tunnel IPs and ports](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/).                                                                                                       |

Tunnel status scope

The tunnel status only reflects the connection between `cloudflared` and the Cloudflare network. Tunnel status does not indicate whether `cloudflared` can successfully reach your internal services. As a result, a tunnel can appear `Healthy` while users are still unable to connect to an application.

## I see `cloudflared service is already installed`.

If you see this error when installing a remotely-managed tunnel, ensure that no other `cloudflared` instances are running as a service on this machine. Only a single instance of `cloudflared` may run as a service on any given machine. Instead, add additional routes to your existing tunnel. Alternatively, you can run `sudo cloudflared service uninstall` to uninstall `cloudflared`.

## I see `An A, AAAA, or CNAME record with that host already exists`.

If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. [Check the DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) for your domain from the [Cloudflare dashboard ↗](https://dash.cloudflare.com).

## Tunnel credentials file does not exist or is not a file.

If you see the following error when running a tunnel, double-check your `config.yml` file and ensure that `credentials-file` points to the correct location. You may need to change `/root/` to your home directory.

```sh
cloudflared tunnel run
```

```
2021-06-04T06:21:16Z INF Starting tunnel tunnelID=928655cc-7f95-43f2-8539-2aba6cf3592d
Tunnel credentials file '/root/.cloudflared/928655cc-7f95-43f2-8539-2aba6cf3592d.json' doesn't exist or is not a file
```

## My tunnel fails to authenticate.

To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through `cloudflared login`. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components:

* The public key of the origin certificate for that hostname
* The private key of the origin certificate for that domain
* A token that is unique to Cloudflare Tunnel

Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one level deep. Cloudflare uses that certificate file to authenticate `cloudflared` to create DNS records for your domain in Cloudflare. Because the file contains a private key and an API token, treat it as a secret: restrict its permissions to the user that runs `cloudflared`, and keep it out of container images and version control.

The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through `cloudflared` retains the older API key and can cause authentication failures. The user will need to login once more through `cloudflared` to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate.
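Since the file produced by `cloudflared login` is a bearer credential, it helps to be able to see what it contains and whether it is protected, without echoing the secrets. The following Python script is an added example, not `cloudflared`'s own code: it splits `cert.pem` into its PEM blocks, decodes the tunnel token far enough to report the zone and account it is bound to while redacting the API token, and flags group- or world-readable permissions. The PEM label `ARGO TUNNEL TOKEN` and the JSON keys `zoneID`, `accountID` and `apiToken` are assumptions taken from my reading of `cloudflared`'s source; check them against your own file. The sample file it writes is constructed, with placeholder certificate and key bodies.

```python
"""Inspect the cert.pem written by `cloudflared login` without printing its secrets.

Added example, not cloudflared's code. The page describes the file as a bundle of
an origin certificate, its private key and a tunnel token holding the zone ID and
an API token. The PEM label for the token and its JSON keys (zoneID, accountID,
apiToken) are taken from cloudflared's source as I recall it; verify them against
your own file. The sample file written by write_sample() is constructed.
"""
import base64
import json
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
TOKEN_LABEL = "ARGO TUNNEL TOKEN"  # assumed label
EXPECTED = ("CERTIFICATE", "PRIVATE KEY", TOKEN_LABEL)  # the three components named above


def parse_cert_pem(text: str) -> dict:
    """Map PEM label -> base64 body (whitespace removed); first block of a label wins."""
    blocks = {}
    for label, body in PEM_BLOCK.findall(text):
        blocks.setdefault(label, "".join(body.split()))
    return blocks


def describe_token(token_b64: str) -> dict:
    """Decode the tunnel token; the API token itself is redacted, never returned."""
    data = json.loads(base64.b64decode(token_b64))
    return {"zoneID": data.get("zoneID"), "accountID": data.get("accountID"),
            "apiToken": "<redacted>" if data.get("apiToken") else None}


def check_permissions(path: str) -> list:
    """The file carries a private key and an API token: group/world access is a finding."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode & 0o077 == 0 else [f"{path}: mode {mode:04o} readable by others; chmod 0600"]


def inspect_cert(path: str) -> dict:
    """Report which blocks are present, which are missing, token binding and permissions."""
    with open(path) as f:
        blocks = parse_cert_pem(f.read())
    report = {"blocks": sorted(blocks), "missing": [l for l in EXPECTED if l not in blocks],
              "warnings": check_permissions(path)}
    if TOKEN_LABEL in blocks:
        report["token"] = describe_token(blocks[TOKEN_LABEL])
    return report


def write_sample(path: str) -> None:
    """Constructed cert.pem: placeholder certificate/key bodies, fake zone and account IDs."""
    token = base64.b64encode(json.dumps({
        "zoneID": "0123456789abcdef0123456789abcdef",
        "accountID": "fedcba9876543210fedcba9876543210",
        "apiToken": "example-token-not-real"}).encode()).decode()
    placeholder = base64.b64encode(b"placeholder, not real key material").decode()
    with open(path, "w") as f:
        for label, body in (("CERTIFICATE", placeholder), ("PRIVATE KEY", placeholder),
                            (TOKEN_LABEL, token)):
            f.write(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    os.chmod(path, 0o600)


def demo() -> dict:
    """Write the sample, inspect it at 0600, then show the finding produced at 0644."""
    path = os.path.join(tempfile.mkdtemp(), "cert.pem")
    write_sample(path)
    secure = inspect_cert(path)
    os.chmod(path, 0o644)
    return {"secure": secure, "loose_warnings": check_permissions(path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `inspect_cert()` at `~/.cloudflared/cert.pem` to see which zone and account the token is bound to; when authentication starts failing after a permissions change, as described above, comparing that zone ID with the account you expect is a quick way to confirm the file is stale before re-running `cloudflared login`.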

## I see an error: x509: certificate signed by unknown authority.

This means the origin is using a certificate that `cloudflared` does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare, or if the origin presents a self-signed or internally issued certificate. To resolve, in order of preference:

* Add the issuing CA certificate to the system certificate pool on the `cloudflared` host.
* Use the `--origin-ca-pool` flag and specify the path to a PEM file containing the issuing CA certificate.
* Use the `--no-tls-verify` flag to stop `cloudflared` checking the certificate for a trust chain. This disables certificate validation on the `cloudflared`-to-origin hop entirely, so anything able to intercept traffic on that path can impersonate the origin; reserve it for testing or for origins on the same host as `cloudflared`.

## I see an error 1033 when attempting to run a tunnel.

A `1033` error indicates your tunnel is not connected to Cloudflare's network because Cloudflare's network cannot find a healthy `cloudflared` instance to receive the traffic.

First, check the tunnel's status in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) by going to **Zero Trust** > **Networks** > **Connectors** > **Cloudflare Tunnels**, or run `cloudflared tunnel list`. If the tunnel is not `Healthy`, match its status against the [Tunnel status](#tunnel-status) table above and take the recommended action for that status.

For more information, refer to the [comprehensive list of Cloudflare 1xxx errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/).

## I see a 502 Bad Gateway error when connecting to an HTTP or HTTPS application through tunnel.

A `502 Bad Gateway` error with `Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared` on a tunnel route means the tunnel itself is connected to the Cloudflare network, but `cloudflared` cannot reach the origin service defined in your ingress rule. Unlike [error 1033](#i-see-an-error-1033-when-attempting-to-run-a-tunnel), which indicates the tunnel is not connected to Cloudflare, a 502 error indicates the problem is between `cloudflared` and your local service.

To identify the specific cause, review your [Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) for `error`\-level messages. Common causes include:

#### Origin service is not running

If the origin service has stopped or never started, `cloudflared` logs will show an error similar to:

```
error="dial tcp [::1]:8080: connect: connection refused"
```

To resolve, verify the service is running and listening on the expected port:

```
curl -v http://localhost:8080
```

If the service is not running, start or restart it. You can confirm the service is listening by running `ss -tlnp | grep <PORT>` (Linux) or `lsof -iTCP -sTCP:LISTEN -nP | grep <PORT>` (macOS).

#### Origin service URL uses the wrong protocol

If the origin expects HTTPS but the tunnel route specifies `http://`, or vice versa, `cloudflared` logs will show an error similar to:

```
error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\""
```

To resolve, update the service URL in your tunnel route to match the [protocol](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) your origin expects. For example, change `http://localhost:8080` to `https://localhost:8080`. If you are using a locally-managed tunnel, update your ingress rule in the [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/).

#### Origin service URL points to the wrong port

If the port in your tunnel route does not match the port your service is listening on, `cloudflared` will log a `connection refused` error for that port. Double-check the service URL in your ingress rule and compare it against the port your application is bound to.

#### Origin uses a certificate that `cloudflared` does not trust

If the origin presents a TLS certificate that `cloudflared` cannot verify, the logs will show an error similar to:

```
error="x509: certificate is valid for example.com, not localhost"
```

This commonly occurs when the origin uses a self-signed certificate or when an SSL/TLS inspection proxy sits between `cloudflared` and the origin.

To resolve, use one of the following approaches:

* Set [originServerName](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#originservername) to the hostname on the origin certificate in your tunnel route. If you are using a locally-managed tunnel, here is an example of a [configuration file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/):  
```  
ingress:  
  - hostname: app.example.com  
    service: https://localhost:443  
    originRequest:  
      originServerName: app.example.com  
```
* Provide the CA certificate using [caPool](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#capool):  
```  
ingress:  
  - hostname: app.example.com  
    service: https://localhost:443  
    originRequest:  
      caPool: /path/to/ca-cert.pem  
```
* As a last resort, disable TLS verification with [noTLSVerify](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#notlsverify). This is not recommended for production environments.  
```  
ingress:  
  - hostname: app.example.com  
    service: https://localhost:443  
    originRequest:  
      noTLSVerify: true  
```
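
The error strings above, together with the `tls: handshake failure`, `too many open files` and receive-buffer messages documented in the sections that follow, can be matched mechanically when you triage `cloudflared` logs. The following Python script is an added example, not part of Cloudflare's documentation or of `cloudflared`: it maps each documented message to the cause and fix described on this page and extracts the origin address or certificate names where the message carries them. The lines in `SAMPLE_LOG` are constructed. The rule for the malformed-response message keys on the leading `\x15\x03\x01` bytes, which are a TLS alert record (record type 21), which is why that message points to an origin that expects HTTPS.

```python
"""Triage cloudflared log lines against the error messages quoted on this page.

Added example for illustration only; it is not part of Cloudflare's
documentation or of cloudflared. The lines in SAMPLE_LOG are constructed.
"""
import re

# (pattern, cause key), evaluated in order; the first match wins.
RULES = [
    # A TLS alert record (\x15\x03\x01 ...) where an HTTP status line was
    # expected: the origin only speaks TLS but the ingress URL says http://.
    (re.compile(r"malformed HTTP response .*\\x15\\x03\\x01"), "wrong_protocol"),
    # ECONNREFUSED from the origin address: nothing is listening there
    # (service stopped, or the ingress rule names the wrong port).
    (re.compile(r"dial tcp (?P<addr>\S+?): connect: connection refused"), "origin_unreachable"),
    # Go's x509 verifier rejected the certificate the origin presented.
    (re.compile(r'x509: certificate is valid for (?P<san>[^,]+), not (?P<host>[^\s"]+)'), "untrusted_origin_cert"),
    (re.compile(r"x509:"), "untrusted_origin_cert"),
    (re.compile(r"remote error: tls: handshake failure"), "edge_tls_handshake"),
    (re.compile(r"socket: too many open files"), "fd_limit"),
    (re.compile(r"failed to sufficiently increase receive buffer size"), "quic_rmem_notice"),
]

# The documented fix for each cause; {addr} is filled from the regex group.
REMEDIATION = {
    "wrong_protocol": "Change the ingress service URL from http:// to https:// (or the reverse) so it matches the origin.",
    "origin_unreachable": "Nothing is listening at {addr}: start the origin service or correct the port in the ingress rule (check with ss -tlnp or lsof).",
    "untrusted_origin_cert": "Set originRequest.originServerName to the name on the origin certificate or supply the CA via originRequest.caPool; noTLSVerify only as a last resort.",
    "edge_tls_handshake": "Confirm the hostname is covered by an edge certificate; multi-level subdomains need an Advanced Certificate.",
    "fd_limit": "Raise the open-file limit (ulimit) for the cloudflared process.",
    "quic_rmem_notice": "Informational quic-go notice; safe to ignore unless tuning a high-bandwidth host (net.core.rmem_max).",
}

SAMPLE_LOG = [  # constructed, in the style of cloudflared's console output
    r'2025-01-01T10:00:00Z ERR  error="dial tcp [::1]:8080: connect: connection refused" connIndex=0',
    r'2025-01-01T10:00:01Z ERR  error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\"" connIndex=1',
    r'2025-01-01T10:00:02Z ERR  error="x509: certificate is valid for example.com, not localhost" connIndex=2',
    r'2025-01-01T10:00:03Z ERR  error="remote error: tls: handshake failure" connIndex=3',
    r'2025-01-01T10:00:04Z ERR  error="socket: too many open files" connIndex=0',
    r'2025-01-01T10:00:05Z INF failed to sufficiently increase receive buffer size',
    r'2025-01-01T10:00:06Z INF Registered tunnel connection connIndex=0',
]


def classify(line):
    """Return (cause_key, details) for a documented error line, else None."""
    for pattern, cause in RULES:
        match = pattern.search(line)
        if match:
            return cause, match.groupdict()
    return None


def triage(lines):
    """Map every recognised line to (cause_key, remediation text)."""
    report = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        cause, details = hit
        report.append((cause, REMEDIATION[cause].format(**details)))
    return report


if __name__ == "__main__":
    for cause, fix in triage(SAMPLE_LOG):
        print(f"{cause:22} {fix}")
```

Run it over the output of `journalctl -u cloudflared` or the log file you configured. An `origin_unreachable` result whose address carries a port different from the one your service is bound to is the wrong-port case; the log line alone cannot distinguish that from a stopped service, so compare the extracted port with `ss -tlnp`.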

## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app.

This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the [origin server name](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#originservername) parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration:

```
ingress:
  - hostname: test.example.com
    service: https://localhost:443
    originRequest:
      originServerName: test.example.com
```

## `cloudflared access` shows an error `websocket: bad handshake`.

This means that your `cloudflared access` client is unable to reach your `cloudflared tunnel` origin. To diagnose this, look at the `cloudflared tunnel` logs. A common root cause is that the `cloudflared tunnel` is unable to proxy to your origin (for example, because the ingress is misconfigured, the origin is down, or the origin HTTPS certificate cannot be validated by `cloudflared tunnel`). If `cloudflared tunnel` has no logs, it means Cloudflare's network is not able to route the websocket traffic to it.

There are several possible root causes behind this error:

* Your `cloudflared tunnel` is either not running or not connected to Cloudflare's network.
* WebSockets are not [enabled](https://developers.cloudflare.com/network/websockets/#enable-websockets).
* Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve, go to **SSL/TLS** \> **Overview** in the Cloudflare dashboard and set your SSL/TLS encryption mode to **Flexible**, **Full**, or **Full (strict)**.
* Your requests are blocked by [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings.
* Your SSH or RDP Access application has the [Binding Cookie](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** \> **Applications** and edit the application settings.
* One or more [Workers routes](https://developers.cloudflare.com/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname, or update your Worker to only handle specific paths and forward all other requests to the origin (for example, by using `return fetch(req)`).

## Tunnel connections fail with SSL error.

If `cloudflared` returns the error `error="remote error: tls: handshake failure"`, make sure the hostname in question is covered by an SSL certificate. If you use a multi-level subdomain, an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) may be required, as Universal SSL does not cover more than one level of subdomain. In the browser, this may surface as `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`.

## Tunnel connections fail with `Too many open files` error.

If your [Cloudflare Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) return a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to [configure ulimit settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/#ulimits) on the machine running `cloudflared`.

## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs.

This buffer size increase is reported by the [quic-go library ↗](https://github.com/quic-go/quic-go) leveraged by [cloudflared ↗](https://github.com/cloudflare/cloudflared). You can learn more about the log message in the [quic-go repository ↗](https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes). This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed `cloudflared` within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes.

To set the maximum receive buffer size on Linux:

1. Create a new file under `/etc/sysctl.d/`:  
```  
sudo vi /etc/sysctl.d/98-core-rmem-max.conf  
```
2. In the file, define the desired buffer size:  
```  
net.core.rmem_max=2500000  
```
3. Reboot the host machine running `cloudflared`.
4. To validate that these changes have taken effect, use the `grep` command:  
```  
sudo sysctl -a | grep net.core.rmem_max  
```  
```  
net.core.rmem_max = 2500000  
```

## Cloudflare Tunnel is buffering my streaming response instead of streaming it live.

Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the `Content-Type: text/event-stream` response header. This header tells `cloudflared` to stream data as it arrives instead of buffering the entire response.

## My tunnel randomly disconnects.

Long-lived connections initiated through Cloudflare One, such as SSH sessions, can last up to eight hours. However, disruptions along the service path may result in more frequent disconnects. Often, these disconnects are caused by regularly scheduled maintenance events such as data center, server, or service updates and restarts. If you believe these events are not the cause of disconnects in your environment, collect the relevant [client logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/) and [Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) and contact Support.

If the disconnects mainly affect idle SSH sessions, WebSocket connections, or other long-lived connections, the transport protocol may be relevant.

When `cloudflared` uses QUIC, idle sessions can be more sensitive to network devices that aggressively time out UDP traffic. If idle connections drop repeatedly, try one or more of the following:

* Configure application-layer keepalives, such as `ServerAliveInterval` for SSH.
* Test with `cloudflared` set to `protocol: http2`.
* Review local firewalls, NAT devices, and upstream network equipment for short UDP idle timers.

For connection setup failures caused by blocked QUIC traffic, refer to the QUIC troubleshooting sections above.

## `ping` and `traceroute` commands do not work.

To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#icmp).

## I see `Error: This route's network is inside an existing subnet's network at "100.96.0.0/12"`.

This error occurs when you try to add a CIDR route that falls within the Cloudflare One Client's CGNAT IP range. The `100.96.0.0/12` range, which covers addresses from `100.96.0.1` to `100.111.255.254`, is reserved for internal WARP routing and cannot be added as a Cloudflare Tunnel route. To connect your private network, you will need to change its IP/CIDR so that it does not overlap with `100.96.0.0/12`.
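
You can catch this overlap before submitting the route. The following Python script is an added example, not part of Cloudflare's documentation or API: it reproduces the check behind the error quoted above (any IPv4 route overlapping `100.96.0.0/12` is rejected) and, as an added hygiene check that is an assumption about good practice rather than a statement of how Cloudflare validates routes, also flags candidates that overlap routes already in your own inventory. The sample routes are constructed.

```python
"""Pre-check candidate Cloudflare Tunnel routes for CIDR overlap.

Added example; not part of Cloudflare's documentation or API. The check
against the WARP range is the case documented on this page; the check against
an existing inventory is an added hygiene assumption. Sample routes are
constructed.
"""
import ipaddress

# Reserved for internal WARP routing; tunnel routes must not overlap it.
WARP_CGNAT = ipaddress.ip_network("100.96.0.0/12")


def usable_range(net):
    """First and last host address of a network, as the page states them."""
    return str(net[1]), str(net[-2])


def overlap_problem(candidate, existing=()):
    """Return a message naming the conflicting network, or None if acceptable."""
    cand = ipaddress.ip_network(candidate, strict=False)
    if cand.version == 4 and cand.overlaps(WARP_CGNAT):
        return f"route {cand} overlaps the reserved WARP range {WARP_CGNAT}"
    for route in existing:
        net = ipaddress.ip_network(route, strict=False)
        if net.version == cand.version and cand.overlaps(net):
            return f"route {cand} overlaps existing route {net}"
    return None


def check_routes(candidates, existing=()):
    """Validate candidates in order; an accepted route joins the inventory so
    later candidates are checked against it as well."""
    inventory = [str(ipaddress.ip_network(r, strict=False)) for r in existing]
    results = {}
    for candidate in candidates:
        problem = overlap_problem(candidate, inventory)
        results[candidate] = problem
        if problem is None:
            inventory.append(str(ipaddress.ip_network(candidate, strict=False)))
    return results


SAMPLE_EXISTING = ["192.168.0.0/16"]                       # constructed inventory
SAMPLE_CANDIDATES = ["100.100.0.0/16", "10.20.0.0/16",     # constructed requests
                     "10.20.5.0/24", "192.168.1.0/24", "100.112.0.0/12"]

if __name__ == "__main__":
    print("WARP range covers", *usable_range(WARP_CGNAT))
    for route, problem in check_routes(SAMPLE_CANDIDATES, SAMPLE_EXISTING).items():
        print(route, "->", problem or "ok")
```

`100.112.0.0/12` passes because it starts just past the reserved range (`100.111.255.255` is the last reserved address), which is the boundary the error message is about.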

## I see `This site can't provide a secure connection.`

If you see an error with the title `This site can't provide a secure connection` and a subtitle of `<hostname> uses an unsupported protocol`, you must [order an Advanced Certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate).

If you added a [multi-level subdomain](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-connect-an-application) (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-connect-an-application) as Cloudflare's Universal certificate will not cover the public hostname by default.

For more information on Tunnel errors, view your [Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) or [contact Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/).


---

---
title: Connectivity pre-checks
description: Connectivity pre-checks in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connectivity pre-checks

This guide helps you validate connectivity between your environment and [Cloudflare Tunnel endpoints](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) before deploying [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). You will run DNS and network checks from the same host machine that will run `cloudflared` to help you identify issues that may prevent `cloudflared` from connecting to Cloudflare Tunnel endpoints.

Running these checks before you install `cloudflared` sets your deployment up for success and narrows down the cause of any later connectivity issues.

This guide is structured as follows:

1. [Before you start](#before-you-start): Read prerequisites and terminology.
2. [DNS test with dig](#2-dns-test-with-dig): Confirm that DNS resolves Cloudflare Tunnel endpoints to the expected IPs.
3. [Test network connectivity](#3-test-network-connectivity): Verify that your firewall allows outbound traffic on port `7844` (TCP and UDP).
4. [Get help](#4-get-help): What to collect and who to contact if tests fail.

## 1\. Before you start

### Prerequisites

You must have:

* A host machine connected to the Internet where you plan to run `cloudflared`. The tests must run from the same environment where `cloudflared` will run (same network, same firewall path).
* A terminal session with permission to run `dig` and `nc` (netcat), or similar software.

`cloudflared` is platform-agnostic and supports a wide range of operating systems. For details, refer to [Tunnel system requirements](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/).

### Terminology

When troubleshooting connectivity to Cloudflare, it is important to distinguish between:

* Host machine: The server or virtual machine (VM) where you will run `cloudflared`.
* Environment: The broader setup containing the host machine (network and firewall configuration).

Cloudflare Tunnel errors can originate from the environment (for example, DNS or firewall policies), even though they surface as `cloudflared` errors on the host machine. This guide focuses on the environment, not on `cloudflared` itself.

`cloudflared` establishes [outbound-only connections](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/#outbound-only-connection) to Cloudflare's global network over port `7844`. The specific destinations and ports are documented in [Tunnel with firewall](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/).

## 2\. DNS test with dig

Cloudflare Tunnel requires outbound connectivity to `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com` (or to the equivalent `us-region1` and `us-region2` endpoints when using the [US region](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#region-us), or `fed-region1` and `fed-region2` when using the [FedRAMP High region](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#region-fedramp-high)).

For a successful and healthy deployment, `cloudflared` should have [four active replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) with connectivity to both regions (that is, both `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com`, or both `us-region1` and `us-region2`).

First, you need to verify that your DNS resolver returns the expected IP addresses for Cloudflare Tunnel endpoints.

### 2.1\. Test DNS with your current resolver

Run the commands for the region you are deploying to (Global, US, or FedRAMP High). Query the A and AAAA records of both endpoints in that region:

#### Global region

```
dig A region1.v2.argotunnel.com
```

```
;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.167
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.67
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.57
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.107
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.27
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.7
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.227
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.47
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.37
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.77
...
```

```
dig AAAA region1.v2.argotunnel.com
```

```
;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::1
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::2
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::3
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::4
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::5
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::6
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::7
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::8
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::9
region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a0::10
...
```

```
dig A region2.v2.argotunnel.com
```

```
;; ANSWER SECTION:
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.13
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.193
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.33
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.233
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.53
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.63
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.113
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.73
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.43
region2.v2.argotunnel.com. 86400 IN  A  198.41.200.23
...
```

```
dig AAAA region2.v2.argotunnel.com
```

```
;; ANSWER SECTION:
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::1
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::2
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::3
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::4
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::5
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::6
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::7
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::8
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::9
region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a8::10
...
```

#### US region

```
dig A us-region1.v2.argotunnel.com
```

```
;; ANSWER SECTION:
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.1
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.2
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.3
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.4
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.5
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.6
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.7
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.8
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.9
us-region1.v2.argotunnel.com. 86400 IN  A  198.41.218.10
...
```

```
dig AAAA us-region1.v2.argotunnel.com
```

```
;; ANSWER SECTION:
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::1
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::2
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::3
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::4
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::5
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::6
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::7
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::8
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::9
us-region1.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a1::10
...
```

```
dig A us-region2.v2.argotunnel.com
```

```
;; ANSWER SECTION:
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.1
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.2
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.3
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.4
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.5
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.6
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.7
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.8
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.9
us-region2.v2.argotunnel.com. 86400 IN  A  198.41.219.10
...
```

```
dig AAAA us-region2.v2.argotunnel.com
```

```
;; ANSWER SECTION:
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::1
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::2
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::3
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::4
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::5
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::6
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::7
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::8
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::9
us-region2.v2.argotunnel.com. 86400 IN  AAAA  2606:4700:a9::10
...
```

#### FedRAMP High region

```
dig A fed-region1.v2.argotunnel.com
```

```
;; ANSWER SECTION:
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.1
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.2
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.3
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.4
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.5
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.6
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.7
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.8
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.9
fed-region1.v2.argotunnel.com. 300 IN  A  162.159.234.10
...
```

```
dig AAAA fed-region1.v2.argotunnel.com
```

```
;; ANSWER SECTION:
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::1
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::2
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::3
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::4
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::5
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::6
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::7
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::8
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::9
fed-region1.v2.argotunnel.com. 300 IN  AAAA  2a06:98c1:4d::10
...
```

```
dig A fed-region2.v2.argotunnel.com
```

```
;; ANSWER SECTION:
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.1
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.2
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.3
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.4
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.5
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.6
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.7
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.8
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.9
fed-region2.v2.argotunnel.com. 300 IN  A  172.64.234.10
...
```

```
dig AAAA fed-region2.v2.argotunnel.com
```

```
;; ANSWER SECTION:
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::1
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::2
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::3
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::4
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::5
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::6
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::7
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::8
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::9
fed-region2.v2.argotunnel.com. 300 IN  AAAA  2606:4700:f6::10
...
```

The `ANSWER SECTION` should include the expected IP addresses for Cloudflare Tunnel endpoints.

If you receive:

* Status `NOERROR` with valid IP addresses - Your DNS resolver is successfully returning addresses for the Tunnel hostname. Continue to [Test network connectivity](#3-test-network-connectivity).
* Status `SERVFAIL`, `NXDOMAIN`, or an empty answer - Your DNS resolver cannot resolve the Tunnel endpoint. Continue to [Compare against 1.1.1.1](#compare-against-1111).

### 2.2\. Compare against `1.1.1.1`

If your original `dig` response is empty or does not match the documented IPs, test again using Cloudflare's public resolver `1.1.1.1`:

```
dig A region1.v2.argotunnel.com @1.1.1.1
```

#### If only `1.1.1.1` works

If `1.1.1.1` returns the correct IPs, but your original resolver does not, your local DNS resolver is misconfigured or blocked.

To resolve:

* Configure the host machine to use `1.1.1.1` as its resolver.
* If you must keep using your existing resolver, then investigate with your system administrator or ISP why it is returning different IPs. A recursive resolver should return the same response as the authoritative DNS server. If this cannot be fixed, the issue lies within your local environment and must be resolved before deploying Cloudflare Tunnel.

#### If neither resolver works

If neither your original resolver nor `1.1.1.1` returns an answer, your firewall may be blocking DNS queries to Cloudflare Tunnel endpoints.

To resolve:

* Check for firewall rules blocking DNS traffic altogether (UDP on port `53`) or specific DNS queries related to Cloudflare.
* If you are behind a managed DNS or security appliance, contact that provider to understand why queries to `region1.v2.argotunnel.com` and other Cloudflare Tunnel endpoints are blocked.

Once DNS resolution returns the expected IPs from your DNS resolver, proceed to connectivity testing in step 3.
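
The decision tree in sections 2.1 and 2.2 (check the current resolver, then compare against `1.1.1.1`) can be automated over the `dig` output. The following Python script is an added example, not part of Cloudflare's documentation or tooling: `parse_dig()` reads the status and answer section from a `dig` transcript, `evaluate()` checks that every address returned for the endpoint sits inside an expected prefix, and `compare()` yields the same three outcomes the page describes. The transcripts in the block are constructed to resemble the output above; the prefixes in `EXPECTED` are an assumption derived from the sample answers on this page for the global region (add the US and FedRAMP High endpoints the same way, using the addresses on the Tunnel with firewall page). `run_dig()` shells out to `dig` and is only invoked when the script is run directly.

```python
"""Parse `dig` output for Cloudflare Tunnel endpoints and apply the decision
tree of sections 2.1 and 2.2 (current resolver first, then 1.1.1.1).

Added example; not part of Cloudflare's documentation or tooling. The
transcripts are constructed; EXPECTED is an assumption derived from the
sample answers on this page.
"""
import ipaddress
import re
import subprocess

EXPECTED = {  # assumption: published endpoint IPs stay inside these prefixes
    "region1.v2.argotunnel.com": ("198.41.192.0/24", "2606:4700:a0::/48"),
    "region2.v2.argotunnel.com": ("198.41.200.0/24", "2606:4700:a8::/48"),
}

STATUS_RE = re.compile(r"status: (\w+)")
# Answer lines look like: owner. TTL IN A|AAAA address
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)\s*$", re.MULTILINE)


def parse_dig(text):
    """Return (status, [(owner, rtype, ip), ...]) from a dig transcript."""
    match = STATUS_RE.search(text)
    status = match.group(1) if match else "NOANSWER"
    records = [(owner.rstrip("."), rtype, ip) for owner, rtype, ip in ANSWER_RE.findall(text)]
    return status, records


def evaluate(text, hostname):
    """'ok' when every returned address is inside an expected prefix,
    'unexpected_ips' when the resolver answered with other addresses,
    'no_answer' on SERVFAIL/NXDOMAIN or an empty answer section."""
    status, records = parse_dig(text)
    ips = [ip for owner, _, ip in records if owner == hostname]
    if status != "NOERROR" or not ips:
        return "no_answer"
    nets = [ipaddress.ip_network(prefix) for prefix in EXPECTED[hostname]]
    if all(any(ipaddress.ip_address(ip) in net for net in nets) for ip in ips):
        return "ok"
    return "unexpected_ips"


def compare(local_text, public_text, hostname):
    """Section 2.2: classify the environment from both resolvers' answers."""
    if evaluate(local_text, hostname) == "ok":
        return "resolver_ok"                   # continue to section 3
    if evaluate(public_text, hostname) == "ok":
        return "local_resolver_misconfigured"  # only 1.1.1.1 works
    return "dns_blocked"                       # neither works: check UDP/53 and DNS filtering


def run_dig(hostname, rtype="A", server=None):
    """Invoke dig as on this page, optionally against @server."""
    cmd = ["dig", rtype, hostname] + ([f"@{server}"] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


HOST = "region1.v2.argotunnel.com"

# Constructed transcripts (abbreviated dig output).
LOCAL_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; QUESTION SECTION:
;region1.v2.argotunnel.com.\tIN\tA

;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.167
region1.v2.argotunnel.com. 86400 IN  A  198.41.192.67
"""
LOCAL_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; QUESTION SECTION:
;region1.v2.argotunnel.com.\tIN\tA
"""
LOCAL_FILTERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; ANSWER SECTION:
region1.v2.argotunnel.com. 60 IN  A  10.0.0.53
"""  # a filtering resolver answering with a sinkhole address (constructed)
PUBLIC_OK = LOCAL_OK  # what 1.1.1.1 returns in the constructed scenario

if __name__ == "__main__":
    local, public = run_dig(HOST), run_dig(HOST, server="1.1.1.1")
    print(HOST, "->", compare(local, public, HOST))
```

The `unexpected_ips` outcome is the one the page describes as a resolver "returning different IPs": a NOERROR answer is not proof of a healthy path, so compare the addresses, not just the status.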

## 3\. Test network connectivity

After confirming that your DNS resolver returns the correct IPs, test whether your host machine can send packets to Cloudflare on port `7844` using both UDP and TCP.

Choose one of the IPs from your `dig` output (for example, `198.41.192.167`) and run the following tests.

### 3.1\. Test UDP connectivity

```
nc -uvz -w 3 198.41.192.167 7844
```

Example output:

```
Connection to 198.41.192.167 port 7844 [udp/*] succeeded!
```

### 3.2\. Test TCP connectivity

```
nc -vz -w 3 198.41.192.167 7844
```

Example output:

```
Connection to 198.41.192.167 port 7844 [tcp/*] succeeded!
```

### 3.3\. Interpret results

These tests answer two key questions:

* Can the host machine send a UDP packet to Cloudflare Tunnel endpoints?
* Can the host machine send a TCP packet to Cloudflare Tunnel endpoints?

If either protocol succeeds, `cloudflared` can use that protocol to establish the tunnel.

You have already confirmed DNS is working in the previous steps. These connectivity tests now verify whether your environment allows traffic to Cloudflare on port `7844`. By default, `cloudflared` automatically falls back to whichever protocol is available.

If a [protocol](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#protocol) is blocked but you force `cloudflared` to use it (for example, forcing QUIC when UDP is blocked), the tunnel will fail to connect.

#### Both UDP and TCP succeed

Your firewall allows outbound traffic and return traffic to Cloudflare's tunnel endpoint on port `7844`. `cloudflared` can connect using either `quic` (UDP) or `http2` (TCP). If both UDP and TCP succeed and your DNS test in the previous section was successful, you can successfully deploy Cloudflare Tunnel in this environment.

#### UDP succeeds, TCP fails

Outbound UDP is allowed, but TCP on port `7844` is blocked or inspected.

`cloudflared` will only be able to connect using `quic`. If you force `http2` in your configuration while TCP is blocked, the tunnel will fail.

To resolve: Either allow TCP on your local network firewall on port `7844` or stop forcing `http2` to allow `cloudflared` to connect over `QUIC` instead. Refer to the [Protocol](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#protocol) parameter documentation for more information.

#### TCP succeeds, UDP fails

Outbound TCP is allowed, but UDP on port `7844` is blocked.

`cloudflared` will only be able to connect using `http2`. If you force `quic` while UDP is blocked, the tunnel will fail.

To resolve: Either allow UDP on the local network firewall on port `7844` or stop forcing QUIC to allow `cloudflared` to connect over HTTP/2 instead. Refer to the [Protocol](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#protocol) parameter documentation for more information.

#### Both UDP and TCP fail

Packets are being dropped somewhere between the host and the [Cloudflare Tunnel endpoints](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/).

This usually indicates a firewall policy or upstream security control that does not allow outbound traffic (or return traffic) on port `7844`.

To resolve: Allow outbound UDP and TCP on port `7844` from the host to the Cloudflare Tunnel endpoint IP ranges linked above, together with the corresponding return traffic, on the local network firewall. Scoping the rule to those destinations is enough for `cloudflared`; opening the port to every destination is not required. If this does not resolve the issue, troubleshoot with your ISP or service provider.
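
The following script is an added example, not part of the original page or of `cloudflared`. It automates the two probes from this section and encodes the decision table from 3.3 so the pre-check can run from a deployment pipeline. The TCP probe completes a real handshake; the UDP probe sends one throwaway datagram and only reports a block if the kernel surfaces an ICMP port-unreachable, which is also all that `nc -uvz` checks. The edge IP is the example from the `dig` output above, not a stable address; the `--protocol` values are those documented in the run parameters.

```python
"""Added example (not Cloudflare's code): a scriptable version of the
port 7844 pre-check in section 3 plus the decision table from 3.3.

The edge IP below is the example from the page, not a stable address:
pick one from your own dig output.
"""
import socket

TUNNEL_PORT = 7844
EXAMPLE_EDGE_IP = "198.41.192.167"  # from the page's dig example


def probe_tcp(ip: str, port: int = TUNNEL_PORT, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_udp(ip: str, port: int = TUNNEL_PORT, timeout: float = 3.0) -> bool:
    """True unless the host receives ICMP port-unreachable for ip:port.

    UDP has no handshake, so silence is not proof of reachability; it only
    means nothing explicitly refused us. That is the same semantics as
    `nc -uvz ... succeeded!`. ICMP errors surface as ECONNREFUSED on a
    connected UDP socket on Linux; platforms that never deliver them simply
    fall through to the timeout.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))   # connected socket so ICMP errors are reported
            s.send(b"\x00")         # one throwaway byte, not a real QUIC packet
            try:
                s.recv(1)           # the edge will not answer; we wait for errors
            except socket.timeout:
                return True         # no reply and no rejection
            return True             # an unexpected reply still means the path is open
    except ConnectionRefusedError:
        return False                # ICMP port-unreachable: UDP/7844 is rejected
    except OSError:
        return False                # no route, network unreachable, etc.


def classify(udp_ok: bool, tcp_ok: bool) -> dict:
    """The four outcomes from section 3.3 and the protocol cloudflared can use."""
    table = {
        (True, True): ("both", ["quic", "http2"],
                       "Leave --protocol on auto; QUIC is tried first and HTTP/2 is the fallback."),
        (True, False): ("udp-only", ["quic"],
                        "Do not force --protocol http2; allow TCP/7844 or let auto pick QUIC."),
        (False, True): ("tcp-only", ["http2"],
                        "Do not force --protocol quic; allow UDP/7844 or let auto fall back to HTTP/2."),
        (False, False): ("blocked", [],
                         "Nothing reaches port 7844; fix the egress firewall or escalate to the ISP."),
    }
    outcome, protocols, advice = table[(udp_ok, tcp_ok)]
    return {"outcome": outcome, "usable_protocols": protocols,
            "can_connect": bool(protocols), "advice": advice}


def precheck(ip: str = EXAMPLE_EDGE_IP) -> dict:
    """Run both probes against one edge IP from your dig output and classify."""
    result = classify(probe_udp(ip), probe_tcp(ip))
    result["ip"] = ip
    return result


if __name__ == "__main__":
    r = precheck()
    usable = ", ".join(r["usable_protocols"]) or "none"
    print(f"{r['ip']}: {r['outcome']} (usable protocols: {usable})")
    print(r["advice"])
```

Run it on the host that will run `cloudflared`; a `blocked` result before deployment is cheaper to fix than a tunnel that never registers.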

## 4\. Get help

If either the DNS or the network test failed, the problem is most likely in your local environment, and you will need to debug it with your administrator, ISP or cloud provider. If you believe the issue is with Cloudflare, provide detailed information when contacting support.

To ensure efficient resolution when [contacting support](https://developers.cloudflare.com/support/contacting-cloudflare-support/), include as much relevant detail as possible in your ticket. The more context you provide, the faster your issue can be identified and resolved:

* Context: Briefly describe the scenario or use case (for example, where the user was, what they were trying to do).
* Reproduction steps: Describe the steps you took to reproduce the issue during troubleshooting.
* Timestamps: Be specific and include the exact time and time zone when the issue occurred.
* Troubleshooting attempts: Outline any troubleshooting steps or changes already attempted to resolve the issue.
* Tunnel ID and tunnel name.
* `cloudflared` version (run `cloudflared --version`).
* How the tunnel was set up (locally-managed or remotely-managed via the dashboard).
* Tunnel logs: Include the [logs from your local machine](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/#view-logs-on-your-local-machine).
* Tunnel diagnostic logs: Include [tunnel diagnostic logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/).

Write a detailed ticket to resolve your issue faster

Avoid vague descriptions and include scenario, timestamps, and steps taken to troubleshoot the issue. Refer to the following example:

Acme Corp attempted to establish a tunnel connection on October 30, 2025, at approximately 3:45 PM UTC. DNS resolution and TCP connectivity tests passed, but the `cloudflared` daemon logs showed `failed to sufficiently increase receive buffer size` errors. The tunnel diagnostic logs collected at 3:50 PM UTC are attached, along with the output from the DNS and network connectivity pre-checks.


---

---
title: Tunnel diagnostic logs
description: Tunnel diagnostic logs in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Debugging ](https://developers.cloudflare.com/search/?tags=Debugging) 

# Tunnel diagnostic logs

Cloudflare Tunnel generates a set of diagnostic logs that can be used to troubleshoot issues with `cloudflared`. A diagnostic report collects data from a single instance of `cloudflared` running on the local machine.

## Get diagnostic logs

The steps for getting diagnostic logs depend on your `cloudflared` deployment environment.

### Prerequisites

* `cloudflared` version 2024.12.2 or later installed on the host

### Host environment

These instructions apply to remotely-managed and locally-managed tunnels running directly on the host machine.

1. (Linux only) To include network diagnostics in the logs, allow `traceroute` and `cloudflared` to create RAW and PACKET sockets without running as root by granting the `cap_net_raw` file capability to both binaries (adjust the paths to where the binaries are installed on your host):  
Terminal window  
```  
sudo setcap cap_net_raw+ep /usr/bin/traceroute && sudo setcap cap_net_raw+ep /usr/local/bin/cloudflared  
```  
If you do not set `cap_net_raw`, then traceroute data will be unavailable. Granting this single capability to the binaries is narrower than running the diagnostic as root, which is why the diagnostic does not ask for `sudo`.
2. Get diagnostic logs:  
Terminal window  
```  
cloudflared tunnel diag  
```  
If multiple instances of `cloudflared` are running on the same host, specify the [metrics server IP and port](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#configure-the-metrics-server-address) for the instance you want to diagnose. For example:  
Terminal window  
```  
cloudflared tunnel diag --metrics 127.0.0.1:20241  
```

This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory.

### Docker

`cloudflared` reads diagnostic data from the [tunnel metrics server](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/). To get diagnostic logs, the metrics server must be exposed from the Docker container and reachable from the host machine.

1. Determine the [metrics server port](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#default-metrics-server-address) for the `cloudflared` instance running in Docker.
2. Ensure the container is deployed with port forwarding enabled. The diagnostic feature requests information from the Docker instance on local port `20241`, so forward host port `20241` to the container's metrics port obtained in Step 1. The metrics server is a plain HTTP endpoint that exposes tunnel state and metrics, so prefix the host port in the `-p` mapping with `127.0.0.1:` to bind it to the host's loopback interface only, rather than to every interface on the host:  
Terminal window  
```  
docker run -d -p 20241:<metrics_port> docker.io/cloudflare/cloudflared tunnel ...  
```
3. Verify that you can reach the metrics server address from the Docker host environment:  
Terminal window  
```  
curl localhost:20241/diag/tunnel  
```  
This command should return JSON similar to the following:  
```  
{  
  "tunnelID": "ef96b330-a7f5-4bce-a00e-827ce5be077f",  
  "connectorID": "d236670a-9f74-422f-adf1-030f5c5f0523",  
  "connections": [  
    {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.167"},  
    {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.113", "index": 1},  
    {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.47", "index": 2},  
    {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.73", "index": 3}  
  ],  
  "icmp_sources": ["192.168.1.243", "fe80::c59:bd4a:e815:ed6"]  
}  
```
4. Run the diagnostic using the Docker container ID:  
Terminal window  
```  
cloudflared tunnel diag --diag-container-id=<containerID>  
```  
Alternatively, you can specify the container's name instead of its ID:  
Terminal window  
```  
cloudflared tunnel diag --diag-container-id=<containerName>  
```  
Running the diagnostic command with the container ID allows `cloudflared` to collect information from the Docker environment such as logs and container details.

This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory.

### Kubernetes

The diagnostic feature will request data from the [tunnel metrics server](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/) using ports `20241` to `20245`. You will need to use port forwarding to allow the local `cloudflared` instance to connect to the metrics server on one of these ports.

1. Determine the tunnel's [metrics server port](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#default-metrics-server-address).
2. Enable port forwarding:  
Terminal window  
```  
kubectl port-forward <pod> <diagnostic_port>:<metrics_port>  
```  
   * `<pod>`: Name of the pod where the tunnel is running  
   * `<diagnostic_port>` is any local port in the range `20241` to `20245`.  
   * `<metrics_port>` is the Kubernetes pod port for the `cloudflared` instance you want to diagnose (obtained in Step 1).  
For example, if you set the metrics server address to `0.0.0.0:12345`:  
Terminal window  
```  
kubectl port-forward cloudflared-6d4897585b-r8kfz 20244:12345  
```  
Connections made to local port `20244` are forwarded to port `12345` of the pod that is running the tunnel.
3. Run the diagnostic:  
Terminal window  
```  
cloudflared tunnel diag --diag-pod-id=<podID>  
```  
If the pod runs multiple containers and `cloudflared` is not the first container in the pod spec, you must also specify the container ID or name:  
Terminal window  
```  
cloudflared tunnel diag --diag-pod-id=<podID> --diag-container-id=<containerName>  
```

This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory.

## cloudflared-diag files

The `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` archive contains the files listed below. The data in a file either applies to the `cloudflared` instance being diagnosed (`diagnosee`) or the instance that triggered the diagnosis (`diagnoser`). For example, if your tunnel is running in a Docker container, the diagnosee is the Docker instance and the diagnoser is the host instance.

| File name              | Description                                                                                                                                                                              | Instance  |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
| cli-configuration.json | [Tunnel run parameters](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/) used when starting the tunnel          | diagnosee |
| cloudflared\_logs.txt  | [Tunnel log file](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/)[1](#user-content-fn-1)                                   | diagnosee |
| configuration.json     | Tunnel configuration parameters                                                                                                                                                          | diagnosee |
| goroutine.pprof        | goroutine profile made available by pprof                                                                                                                                                | diagnosee |
| heap.pprof             | heap profile made available by pprof                                                                                                                                                     | diagnosee |
| metrics.txt            | Snapshot of [Tunnel metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#available-metrics) at the time of diagnosis | diagnosee |
| network.txt            | JSON traceroutes to Cloudflare's global network using IPv4 and IPv6                                                                                                                      | diagnoser |
| raw-network.txt        | Raw traceroutes to Cloudflare's global network using IPv4 and IPv6                                                                                                                       | diagnoser |
| systeminformation.json | Operating system information and resource usage                                                                                                                                          | diagnosee |
| task-result.json       | Result of each diagnostic task                                                                                                                                                           | diagnoser |
| tunnelstate.json       | Tunnel connections at the time of diagnosis                                                                                                                                              | diagnosee |

## Footnotes

1. If the log file is blank, you may need to [set \--loglevel to debug](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/#view-logs-on-the-server) when you start the tunnel. The `--loglevel` parameter is only required if you ran the tunnel from the CLI using a `cloudflared tunnel run` command. It is not necessary if the tunnel runs as a Linux/macOS service or runs in Docker/Kubernetes. [↩](#user-content-fnref-1)
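
The following script is an added example, not part of the original page or of `cloudflared`. It covers two checks a practitioner wants around this procedure: parsing the `/diag/tunnel` JSON returned by the metrics server (the shape shown in the Docker section above) to see how many of the tunnel's edge connections are actually up, and verifying that a `cloudflared-diag-*.zip` contains every file in the table above before it is attached to a support ticket. The expectation of four connections is the default connection count `cloudflared` maintains; the sample JSON reuses the IDs from the page's example, and the sample archive is constructed in memory for the demo.

```python
"""Added example (not Cloudflare's code): triage helpers for the tunnel
diagnostic workflow on this page.

- summarize_tunnel_diag() parses the JSON the metrics server returns from
  /diag/tunnel (same shape as the Docker section's example).
- missing_diag_files() checks a cloudflared-diag-*.zip for the files the
  table lists, so an incomplete archive is caught before it is uploaded.
"""
import io
import json
import urllib.request
import zipfile

# Files documented in the cloudflared-diag archive table.
EXPECTED_DIAG_FILES = {
    "cli-configuration.json", "cloudflared_logs.txt", "configuration.json",
    "goroutine.pprof", "heap.pprof", "metrics.txt", "network.txt",
    "raw-network.txt", "systeminformation.json", "task-result.json",
    "tunnelstate.json",
}

# cloudflared keeps four connections to the edge by default; fewer connected
# entries means the tunnel is up but degraded.
EXPECTED_CONNECTIONS = 4


def summarize_tunnel_diag(raw: str) -> dict:
    """Parse /diag/tunnel output and report connection health."""
    data = json.loads(raw)
    conns = data.get("connections", [])
    connected = [c for c in conns if c.get("isConnected")]
    # The first entry omits "index"; treat a missing index as 0.
    down = [c.get("index", 0) for c in conns if not c.get("isConnected")]
    return {
        "tunnel_id": data.get("tunnelID"),
        "connector_id": data.get("connectorID"),
        "connected": len(connected),
        "expected": EXPECTED_CONNECTIONS,
        "healthy": len(connected) == EXPECTED_CONNECTIONS,
        "down_indexes": down,
        "edge_addresses": sorted({c["edgeAddress"] for c in connected}),
        "icmp_sources": data.get("icmp_sources", []),
    }


def fetch_tunnel_diag(port: int = 20241, timeout: float = 3.0) -> dict:
    """Query the forwarded metrics server (step 3 of the Docker section).
    Not called at import time, so the module stays offline-testable."""
    url = f"http://127.0.0.1:{port}/diag/tunnel"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return summarize_tunnel_diag(resp.read().decode())


def missing_diag_files(zip_bytes: bytes) -> list:
    """Return expected archive members that are absent or empty (0 bytes)."""
    present = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]   # tolerate a top-level folder
            present[name] = max(present.get(name, 0), info.file_size)
    return [n for n in sorted(EXPECTED_DIAG_FILES) if present.get(n, 0) == 0]


# Constructed sample: the page's example shape, with one connection down.
SAMPLE_DIAG = json.dumps({
    "tunnelID": "ef96b330-a7f5-4bce-a00e-827ce5be077f",
    "connectorID": "d236670a-9f74-422f-adf1-030f5c5f0523",
    "connections": [
        {"isConnected": True, "protocol": 1, "edgeAddress": "198.41.192.167"},
        {"isConnected": True, "protocol": 1, "edgeAddress": "198.41.200.113", "index": 1},
        {"isConnected": False, "protocol": 1, "edgeAddress": "198.41.192.47", "index": 2},
        {"isConnected": True, "protocol": 1, "edgeAddress": "198.41.200.73", "index": 3},
    ],
    "icmp_sources": ["192.168.1.243", "fe80::c59:bd4a:e815:ed6"],
})


def build_sample_archive(omit=("network.txt",), empty=("cloudflared_logs.txt",)) -> bytes:
    """Constructed archive for the demo: one file missing, one file blank."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in EXPECTED_DIAG_FILES:
            if name in omit:
                continue
            zf.writestr(name, "" if name in empty else "sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(summarize_tunnel_diag(SAMPLE_DIAG))
    print("incomplete:", missing_diag_files(build_sample_archive()))
```

A blank `cloudflared_logs.txt` is the case footnote 1 describes: restart the tunnel with `--loglevel debug` and collect the archive again before opening the ticket.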


---

---
title: Private network connectivity
description: Private network connectivity in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ Debugging ](https://developers.cloudflare.com/search/?tags=Debugging)[ Private networks ](https://developers.cloudflare.com/search/?tags=Private%20networks) 

# Private network connectivity

Follow this troubleshooting procedure when end users running the Cloudflare One Client have issues connecting to a private network behind Cloudflare Tunnel.

## 1\. Is the Cloudflare One Client connected to a Cloudflare data center?

The Cloudflare One Client GUI should display `Connected` and `Your Internet is protected`.

![Cloudflare One Client GUI when connected to Cloudflare](https://developers.cloudflare.com/_astro/warp-connected.NWD7Y4NW_1F03OI.webp)

If the Cloudflare One Client is stuck in the `Disconnected` state or frequently changes between `Connected` and `Disconnected`, refer to [Unable to connect WARP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#unable-to-connect-warp).

## 2\. Is the Cloudflare One Client connecting to your private DNS server?

This step is only needed if users access your application via a private hostname (for example, `wiki.internal.local`).

* If you are using [custom resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to handle private DNS, go to your Gateway DNS logs (**Insights** \> **Logs** \> **DNS query logs**) and search for DNS queries to the hostname.
* If you are using [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) to handle private DNS, go to your Gateway Network logs (**Insights** \> **Logs** \> **Network logs**) and search for port `53` traffic to your DNS server IP.

If there are no relevant Gateway logs, it means that WARP was unable to forward the query to your private DNS server. Check your resolver policies or Local Domain Fallback configuration and refer to [How WARP handles DNS requests](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/#how-the-warp-client-handles-dns-requests).

## 3\. Is network traffic to the application going through the Cloudflare One Client?

Next, check if your Gateway Network logs (**Insights** \> **Logs** \> **Network logs**) show any traffic to the destination IP.

If the Cloudflare One Client is connected but there are no network logs, it means that your private network IPs are not routing through the Cloudflare One Client. You can confirm this by [searching the routing table](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#routing-table) on the device for the IP address of your application. Traffic to your application should route through the Cloudflare One Client interface. If another interface is used, [check your Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client).

## 4\. Is the user blocked by a Gateway policy?

To check if a Gateway block event occurred:

1. Go to **Insights** \> **Logs** and select the **DNS query logs**, **Network logs**, or **HTTP request logs**.
2. Apply the following filters:  
   * **Email**: User's email address  
   * **Event**: _Blocked_  
   * **Date Time Range**: Time period when the user accessed the application

## 5\. Is the user matching the correct Gateway policy?

Determine whether the user is matching any policy, or if they are matching a policy that has a higher priority than the expected policy.

1. To determine the actual policy that was applied:  
   1. Go to **Insights** \> **Logs** and select the **DNS query logs**, **Network logs**, or **HTTP request logs**.  
   2. Apply the following filters:  
         * **Email**: User's email address  
         * **Date Time Range**: Time period when the user accessed the application  
   3. In the search box, filter by the destination IP or FQDN.  
   4. In the results, select a log and note its **Policy Name** value.
2. Go to **Traffic policies** \> **Firewall policies** and compare the [order of enforcement](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/) of the matched policy versus the expected policy.
3. Compare the Gateway log values with the expected policy criteria.  
   * If the mismatched value is related to identity, [check the user registry](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/users/) and verify the values that are passed to Gateway from your IdP. Cloudflare updates the registry when the user enrolls in the Cloudflare One Client. If the user's identity is outdated, ask the user to re-authenticate the client (**Profile** \> **Account information** \> **Re-authenticate**)[1](#user-content-fn-1).  
   * If the mismatched value is related to device posture, [view posture check results](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/#2-verify-device-posture-checks) for the user's device. Verify that the device passes the posture checks configured in the policy.

## 6\. Are the correct Gateway proxy settings enabled?

Under **Traffic policies** \> **Traffic settings**, ensure that **Allow Secure Web Gateway to proxy traffic** is enabled for TCP, UDP, and ICMP traffic. UDP is required for proxying DNS traffic and other UDP packets, while ICMP is required for `ping` and other administrative functions.

## 7\. Is the user's traffic reaching the tunnel?

[Review your tunnel log stream](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/#view-logs-on-your-local-machine). If you do not see any requests to your application, ensure that you have added the appropriate static routes to your Cloudflare Tunnel.

## 8\. Is the tunnel forwarding requests to your application?

Verify that you can connect to the application directly from the `cloudflared` host machine.

On macOS and Linux, open Terminal and run the following command (if `telnet` is not installed, `nc -vz test.example.com 443` performs the same check):

Terminal window

```
telnet test.example.com 443
```

If `telnet` fails to open the connection, check your infrastructure for firewalls, load balancers, or other network devices that may be interfering with the connection between `cloudflared` and the application server.

On Windows, open PowerShell and run the following command:

PowerShell

```
Test-NetConnection test.example.com -port 443
```

If the output shows `TcpTestSucceeded : False`, check your infrastructure for firewalls, load balancers, or other network devices that may be interfering with the connection between `cloudflared` and the application server.

You can also use a packet capture tool such as `tcpdump` or Wireshark to trace whether traffic from the user device successfully reaches `cloudflared` and routes to your application. Traffic to your application will carry the source IP of the `cloudflared` host.

## 9\. How is your application handling requests?

1. Check if the application server has a local firewall in place that is blocking requests from the `cloudflared` host machine.
2. Check if the application server needs to initiate any connection towards the user's device. If so, this is a limitation of `cloudflared` and you should instead [deploy Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) to enable bidirectional traffic.

## 10\. Is TLS inspection affecting the connection to your application?

If there is a problem with [TLS inspection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/), the user will get an `Insecure Upstream` error when they access the application in a browser. They will probably not get an error if they access the application outside of a browser.

Customers who have [Logpush](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/) enabled can check the [Gateway HTTP dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/gateway%5Fhttp/) for any hostnames which have an elevated rate of `526` HTTP status codes.

To troubleshoot TLS inspection:

1. Create a temporary Gateway HTTP policy that disables TLS inspection for all traffic to the application. For example:  
| Selector       | Operator | Value       | Action         |  
| -------------- | -------- | ----------- | -------------- |  
| Destination IP | in       | 10.2.3.4/32 | Do Not Inspect |
2. If the `Do Not Inspect` policy enables the user to connect, verify that the TLS certificate used by your application is trusted by a public CA and not self-signed. Cloudflare Gateway is unable to negotiate TLS with applications that use self-signed certificates. For more information, refer to [TLS inspection limitations](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations).  
To work around the issue:  
   * **Option 1:** Create a permanent [Do Not Inspect HTTP policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for this application.  
   * **Option 2:** Customers who use their [own certificate infrastructure](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) for inspection can opt to create an [Allow _Pass Through_ policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) which enables our proxy to accept the TLS negotiation from your application. This will allow requests to flow correctly without the need for a `Do Not Inspect` policy.  
   * **Option 3:** If your application uses `HTTPS` or other common protocols, you can add a [published application](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) to your Cloudflare Tunnel and set [noTLSVerify](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/#notlsverify) to `true`. This will allow `cloudflared` to trust your self-signed certificate.
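
The following script is an added example, not part of the original page or of Cloudflare's tooling. It implements two of the checks described in this step: scanning Gateway HTTP log records (one JSON object per line, as Logpush delivers them) for hostnames with an elevated share of `526` responses, and performing the certificate-trust check from step 2 directly, by handshaking with the origin using the host's public CA bundle. The field names `HTTPHost` and `HTTPStatusCode` are assumptions about the dataset and are parameters; the log lines are constructed for the demo.

```python
"""Added example (not Cloudflare's code): two checks for the TLS inspection step.

- hosts_with_elevated_526() reports hostnames whose share of 526 responses
  in Gateway HTTP logs exceeds a threshold.
- origin_tls_trust() answers "is the origin certificate trusted by a public
  CA?" the way a public-CA-only client would. It is not called at import.
Field names HTTPHost / HTTPStatusCode are assumptions; override if yours differ.
"""
import json
import socket
import ssl
from collections import defaultdict


def hosts_with_elevated_526(lines, threshold=0.2, min_requests=5,
                            host_field="HTTPHost", status_field="HTTPStatusCode"):
    """Return {host: (count_526, total, rate)} for hosts over the threshold.

    min_requests keeps a host with one or two stray errors from being flagged.
    """
    totals = defaultdict(int)
    bad = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                       # skip a truncated line, do not abort the run
        host = rec.get(host_field)
        if not host:
            continue
        totals[host] += 1
        if int(rec.get(status_field, 0)) == 526:
            bad[host] += 1
    flagged = {}
    for host, total in totals.items():
        rate = bad[host] / total
        if total >= min_requests and rate >= threshold:
            flagged[host] = (bad[host], total, round(rate, 3))
    return flagged


def origin_tls_trust(host, port=443, timeout=5.0):
    """Handshake with the origin using the system CA bundle. Returns (trusted, detail)."""
    ctx = ssl.create_default_context()     # verifies the chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(x[0] for x in cert.get("issuer", ()))
                return True, f"chain verified; issuer={issuer.get('organizationName', '?')}"
    except ssl.SSLCertVerificationError as e:
        # Self-signed or private-CA certificate: the condition behind 526 / Insecure Upstream.
        return False, f"verification failed: {e.reason or e}"
    except OSError as e:
        return False, f"connection failed: {e}"


# Constructed sample: wiki has 3 of 5 requests failing with 526, crm is clean.
SAMPLE_LOG_LINES = [
    '{"HTTPHost":"wiki.internal.local","HTTPStatusCode":526}',
    '{"HTTPHost":"wiki.internal.local","HTTPStatusCode":526}',
    '{"HTTPHost":"wiki.internal.local","HTTPStatusCode":200}',
    '{"HTTPHost":"wiki.internal.local","HTTPStatusCode":526}',
    '{"HTTPHost":"wiki.internal.local","HTTPStatusCode":200}',
    '{"HTTPHost":"crm.internal.local","HTTPStatusCode":200}',
    '{"HTTPHost":"crm.internal.local","HTTPStatusCode":526}',
    '{"HTTPHost":"crm.internal.local","HTTPStatusCode":200}',
    '{"HTTPHost":"crm.internal.local","HTTPStatusCode":200}',
    '{"HTTPHost":"crm.internal.local","HTTPStatusCode":200}',
    '{"HTTPHost":"crm.internal.local","HTTPStatusCode":200}',
    'not json at all',
]

if __name__ == "__main__":
    for host, (n526, total, rate) in hosts_with_elevated_526(SAMPLE_LOG_LINES).items():
        print(f"{host}: {n526}/{total} responses were 526 ({rate:.0%}); check its certificate")
```

A host flagged by the first function and reported as `verification failed` by the second is exactly the self-signed or private-CA case the options above address; a host that passes `origin_tls_trust` but still shows 526s points at something other than the certificate.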

## Footnotes

1. In Cloudflare One Client version 2026.1 and earlier, select **Preferences** \> **Account** \> **Re-Authenticate Session**. [↩](#user-content-fnref-1)


---

---
title: Use cases
description: Use cases resources and guides for Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Use cases

Cloudflare Tunnel creates a secure, outbound-only connection between your services and Cloudflare by deploying a lightweight connector in your environment. Here is how to use tunnels with some specific services:

* [SSH](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/)
* [RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/)
* [SMB](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/)
* [gRPC](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc/)


---

---
title: gRPC
description: gRPC in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


### Tags

[ RPC ](https://developers.cloudflare.com/search/?tags=RPC) 

# gRPC

gRPC is a Remote Procedure Call (RPC) framework that allows client applications to call methods on a remote server as if they were running on the same local machine. You can connect gRPC servers and clients to Cloudflare's global network, making it easier to build applications that use services across different data centers and environments.

Cloudflare Tunnel supports gRPC traffic via [private subnet routing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). Public hostname deployments are not currently supported.

In this example, we will connect a gRPC server to Cloudflare using the `cloudflared` daemon, secure the server with Gateway policies, and open a gRPC channel to the server using the Cloudflare One Client.

## 1\. Set up a gRPC server

1. To set up a gRPC Python application, follow this [quick start guide ↗](https://grpc.io/docs/languages/python/quickstart/).
2. Start the server:

Terminal window

```
~/grpc/examples/python/helloworld $ python3 greeter_server.py
WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
I0000 00:00:1721770418.373806    3677 config.cc:230] gRPC experiments enabled: call_status_override_on_cancellation, event_engine_dns, event_engine_listener, http2_stats_fix, monitoring_experiment, pick_first_new, trace_record_callops, work_serializer_clears_time_cache
Server started, listening on 50051
```

## 2\. Connect the server to Cloudflare

To establish a secure, outbound-only connection to Cloudflare:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. [Create a new tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or edit an existing `cloudflared` tunnel.
3. In the **CIDR** tab for the tunnel, enter the private IP or CIDR address of your server.

## 3\. Route private network IPs through the Cloudflare One Client

By default, WARP excludes traffic bound for [RFC 1918 space ↗](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for the Cloudflare One Client to send traffic to your private network, you must configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that the IP/CIDR of your private network routes through the Cloudflare One Client.
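
The Exclude-mode steps below require you to delete the RFC 1918 range that contains your private network and re-add only the parts of it you do not use. The following script is an added example, not the page's own calculator or Cloudflare's code: it computes those remainders for any base and subtracted CIDRs, including several private ranges and IPv6, which goes beyond the single AWS `172.31.0.0/16` case the steps show. It also produces a per-range plan for all three RFC 1918 blocks, so ranges your private network does not touch are left as they are.

```python
"""Added example (not Cloudflare's code): compute the Split Tunnel Exclude
entries to re-add after deleting an RFC 1918 range, i.e. base minus your
private network, which is what the calculator on this page does.
"""
import ipaddress

# The three RFC 1918 ranges that WARP excludes by default.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def subtract_cidrs(base: str, subtracted) -> list:
    """Return base minus every network in subtracted, as sorted CIDR strings.

    strict=True rejects a CIDR with host bits set (a typo such as
    172.31.5.0/16) instead of silently widening it.
    """
    remaining = [ipaddress.ip_network(base, strict=True)]
    for cidr in subtracted:
        sub = ipaddress.ip_network(cidr, strict=True)
        next_remaining = []
        for net in remaining:
            if sub.subnet_of(net):
                # address_exclude yields the largest blocks covering net minus sub;
                # it yields nothing when sub == net.
                next_remaining.extend(net.address_exclude(sub))
            elif net.subnet_of(sub):
                continue                      # swallowed entirely by the private network
            else:
                next_remaining.append(net)    # disjoint, untouched
        remaining = next_remaining
    return [str(n) for n in sorted(remaining)]


def exclude_list_for(private_cidrs) -> dict:
    """For each RFC 1918 base, say whether to keep it or replace it.

    'keep' means no private range touches the base, so leave the default
    entry alone. 'replace' means delete the base and re-add the listed
    remainders so that only your private network routes through the client.
    """
    privates = [ipaddress.ip_network(c, strict=True) for c in private_cidrs]
    plan = {}
    for base in RFC1918:
        b = ipaddress.ip_network(base)
        touching = [str(p) for p in privates if p.subnet_of(b) or b.subnet_of(p)]
        if not touching:
            plan[base] = {"action": "keep", "re_add": [base]}
        else:
            plan[base] = {"action": "replace", "re_add": subtract_cidrs(base, touching)}
    return plan


if __name__ == "__main__":
    # The page's AWS example: 172.16.0.0/12 minus 172.31.0.0/16.
    print(subtract_cidrs("172.16.0.0/12", ["172.31.0.0/16"]))
    for base, entry in exclude_list_for(["172.31.0.0/16", "10.50.0.0/16"]).items():
        print(base, entry["action"], entry["re_add"])
```

For the AWS example the first call returns `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15` and `172.30.0.0/16`, the same four entries the steps below list; the plan leaves `192.168.0.0/16` untouched and splits `10.0.0.0/8` around `10.50.0.0/16`.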

1. First, check whether your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
2. Edit your Split Tunnel routes depending on the mode.

If you are using **Exclude** mode:

   a. [Delete the route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#remove-a-route) containing your private network's IP/CIDR range. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
   b. [Re-add IP/CIDR ranges](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) that are not explicitly used by your private network. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through the Cloudflare One Client.

   To determine which ranges to re-add, subtract the IP/CIDR range used by your private network from the RFC 1918 range you deleted from Split Tunnels; the remaining ranges are the entries to re-add to the Exclude list. Cloudflare's documentation page for this use case includes a calculator that performs this subtraction: enter the deleted RFC 1918 range as the base CIDR and your private network's range as the subtracted CIDR, then re-add the results to your Split Tunnel Exclude mode list.

   By tightening the private IP range included in the Cloudflare One Client, you reduce the risk of breaking a user's [access to local resources](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion).

If you are using **Include** mode:

   a. Add the required [Zero Trust domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
   b. [Add a route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) to include your private network's IP/CIDR range.
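The CIDR subtraction used in Exclude mode can be done locally with Python's standard `ipaddress` module. The script below is an added example and is not code from the Cloudflare page: it removes one or more private ranges from a base RFC 1918 range, returns the entries to re-add to the Exclude list, and checks which addresses would still be routed through the Cloudflare One Client after the change. The AWS range `172.31.0.0/16` and the server IP `172.31.0.133` are the page's own values; the `10.0.0.0/8` case in the usage note is constructed here to show that several ranges can be subtracted at once.

```python
import ipaddress


def exclude_cidrs(base, subtracted):
    """Return the CIDRs that cover `base` minus every network in `subtracted`.

    Results are clean CIDR strings sorted by network address, so the list can be
    pasted directly into the Split Tunnels Exclude list.
    """
    remaining = [ipaddress.ip_network(base, strict=True)]
    for cidr in subtracted:
        hole = ipaddress.ip_network(cidr, strict=True)
        kept = []
        for net in remaining:
            if net.subnet_of(hole):
                # The whole block lies inside the hole (or equals it): drop it.
                continue
            if hole.subnet_of(net):
                # The hole sits inside this block: split the block around it.
                # CIDR blocks either nest or are disjoint, so no other overlap exists.
                kept.extend(net.address_exclude(hole))
            else:
                kept.append(net)
        remaining = kept
    return [str(net) for net in sorted(remaining)]


def routes_through_warp(exclude_list, address):
    """In Exclude mode an address reaches Cloudflare only if no Exclude entry covers it."""
    ip = ipaddress.ip_address(address)
    return not any(ip in ipaddress.ip_network(cidr) for cidr in exclude_list)


if __name__ == "__main__":
    # The page's AWS example: delete 172.16.0.0/12 and keep only 172.31.0.0/16 in WARP.
    re_add = exclude_cidrs("172.16.0.0/12", ["172.31.0.0/16"])
    print("Re-add to Exclude list:", ", ".join(re_add))
    for host in ("172.31.0.133", "172.16.5.9"):
        print(host, "routes through WARP:", routes_through_warp(re_add, host))
```

For the AWS example the function returns `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15` and `172.30.0.0/16`, matching the entries listed above; `172.31.0.133` then routes through the Cloudflare One Client while `172.16.5.9` stays on the local network. Subtracting `10.1.0.0/16` and `10.2.0.0/16` from `10.0.0.0/8` yields eight entries, including `10.3.0.0/16` left over from splitting `10.2.0.0/15`.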

## 4\. (Recommended) Create a Gateway policy

You can configure [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass [device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/), and the second blocks all other traffic to the private network. Make sure that the Allow policy has higher [priority](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) than the Block policy, otherwise the Block policy matches first and the gRPC connection is denied.

### 1\. Allow secured devices

| Selector                     | Operator | Value                                   | Logic | Action |
| ---------------------------- | -------- | --------------------------------------- | ----- | ------ |
| Destination Port             | is       | 50051                                   | And   | Allow  |
| Destination IP               | is       | 172.31.0.133                            | And   |        |
| Passed Device Posture Checks | is       | macOS firewall (Firewall)               | And   |        |
| Passed Device Posture Checks | is       | macOS disk encryption (Disk encryption) |       |        |

### 2\. Block everything else

| Selector       | Operator | Value         | Action |
| -------------- | -------- | ------------- | ------ |
| Destination IP | in       | 172.31.0.0/16 | Block  |

For more details on setting up the Gateway proxy, refer to [Filter network traffic with Gateway](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway).

## 5\. Set up the client

gRPC clients can connect to the server by installing the Cloudflare One Client on the device and enrolling in your Zero Trust organization. When the client makes a request to a private IP exposed through Cloudflare Tunnel, WARP routes the connection through Cloudflare's network to the corresponding tunnel.

To set up the gRPC client:

1. [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device in Traffic and DNS mode.
2. [Create device enrollment rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
3. Install gRPC on the device by following this [quick start guide ↗](https://grpc.io/docs/languages/python/quickstart/).
4. Modify `greeter_client.py` to point to the private IP of your gRPC server. This is the same private IP configured in your [Cloudflare Tunnel routes](#2-connect-the-server-to-cloudflare). For example,

```python
import grpc

import helloworld_pb2
import helloworld_pb2_grpc


def run():
    # NOTE(gRPC Python Team): .close() is possible on a channel and should be
    # used in circumstances in which the with statement does not fit the needs
    # of the code.
    print("Will try to greet world ...")
    # Private IP of the gRPC server behind Cloudflare Tunnel. WARP encrypts the path
    # from the device to Cloudflare and the tunnel encrypts the path to cloudflared;
    # the hop from cloudflared to the server is plaintext unless you use a TLS channel.
    with grpc.insecure_channel("172.31.0.133:50051") as channel:
        stub = helloworld_pb2_grpc.GreeterStub(channel)
        response = stub.SayHello(helloworld_pb2.HelloRequest(name="you"))
    print("Greeter client received: " + response.message)


if __name__ == "__main__":
    run()
```

## 6\. Test the connection

1. On the client device, ensure that the Cloudflare One Client is `Connected`.
2. Run the gRPC client application:

```sh
~/grpc/examples/python/helloworld $ python3 greeter_client.py
Will try to greet world ...
WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
I0000 00:00:1721771484.489711 4414247 config.cc:230] gRPC experiments enabled: call_status_override_on_cancellation, event_engine_dns, event_engine_listener, http2_stats_fix, monitoring_experiment, pick_first_new, trace_record_callops, work_serializer_clears_time_cache
Greeter client received: Hello, you!
```

You can view [Tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/#view-logs-on-your-local-machine) to validate that requests are coming into the tunnel and reaching the gRPC server as intended.


---

---
title: RDP
description: RDP resources and guides for Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# RDP

The Remote Desktop Protocol (RDP) provides a graphical interface for users to connect to a computer remotely. RDP is most commonly used to facilitate simple remote access to machines or workstations which users cannot physically access. However, this also makes RDP connections the frequent subject of attacks, since a misconfiguration can inadvertently allow unauthorized access to the machine.

With Cloudflare Zero Trust, you can make your RDP server available over the Internet without the risk of opening any inbound ports on your local server.

Cloudflare offers three ways to secure RDP:

* [Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/)
* [RDP with Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-device-client/)
* [RDP with client-side cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/)


---

---
title: Connect to RDP in a browser
description: Connect to RDP in a browser in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connect to RDP in a browser

Users can connect to an RDP server without installing an RDP client or the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on their device. Browser-based RDP leverages [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), which creates a secure, outbound-only connection from your RDP server to Cloudflare's global network. Setup involves running the `cloudflared` daemon on the RDP server (or any other host machine within the private network) and routing RDP traffic over a public hostname.

There are two ways for users to [reach the RDP server in their browser](#4-connect-as-a-user):

* **App Launcher (recommended)**: Users can log in to the [Access App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) with their Cloudflare Access credentials and then initiate an RDP connection within the browser to their Windows machine. Users will authenticate to the Windows machine using their pre-configured Windows username and password. Cloudflare does not manage any credentials on the Windows server.
* **Direct URL**: A user may also navigate directly to the Windows server at `https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>`, where `vnet-id` is the virtual network assigned to the Cloudflare Tunnel route. The authentication flow is the same as for the App Launcher; first users must log in to Cloudflare Access and then use their Windows credentials to authenticate to the Windows machine.

Browser-based RDP can be used in conjunction with [the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-device-client/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.

## Prerequisites

* An [active domain on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/).
* The domain uses either a [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) or a [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/).
* An RDP server running a supported [Windows operating system](#rdp-server-operating-systems).

## 1\. Connect the server to Cloudflare

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. [Create a new tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or edit an existing `cloudflared` tunnel.
3. In the **CIDR** tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.

## 2\. Add a target

A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare.

 Create a target for each Windows machine that requires RDP access. To create a new target:

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Targets**.
2. Select **Add a target**.
3. In **Target hostname**, enter a user-friendly name for the target. We recommend using the server hostname, for example `production-server`. The target hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the targets secured by an Access application; they are not used for DNS address resolution.  
Hostname format restrictions  
   * Case insensitive  
   * Contain no more than 253 characters  
   * Contain only alphanumeric characters, `-`, or `.` (no spaces allowed)  
   * Start and end with an alphanumeric character
4. In **IP addresses**, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address.

Note

If the target IP does not appear in the dropdown, go to **Networks** \> **Routes** and confirm that the IP routes through Cloudflare Tunnel.

5. In the dropdown menu, select the IP address and [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
6. Select **Add target**.

API

Make a `POST` request to the [Infrastructure Access Targets](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint:

Create new target

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "hostname": "infra-access-target",
    "ip": {
        "ipv4": {
            "ip_addr": "187.26.29.249",
            "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
            "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
            "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
    }
  }'
```

Terraform

Provider versions

The following example requires Cloudflare provider version `>=4.45.0`.

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api%5Ftoken):  
   * `Zero Trust Write`
2. Configure the [cloudflare\_zero\_trust\_infrastructure\_access\_target ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Finfrastructure%5Faccess%5Ftarget) resource:

   ```hcl
   resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {
     account_id = var.cloudflare_account_id
     hostname   = "infra-access-target"
     ip = {
       ipv4 = {
         ip_addr            = "187.26.29.249"
         virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
       }
       ipv6 = {
         ip_addr            = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
         virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
       }
     }
   }
   ```
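When targets are created in bulk through the API, it pays to validate the hostname against the format restrictions listed above and to check the IP addresses and virtual network ID before sending anything, so that a malformed target fails locally instead of leaving a half-configured set of targets behind. The script below is an added example, not code from the Cloudflare page or from any Cloudflare client library: it builds the same request body as the `curl` call above and posts it with the Python standard library. The IP `187.26.29.249`, the IPv6 address and the virtual network ID `c77b744e-acc8-428f-9257-6878c046ed55` are the page's placeholders; the assumption that virtual network IDs are UUIDs follows the page's example, and the `ACCOUNT_ID` and `CLOUDFLARE_API_TOKEN` environment variables mirror the variables used in the `curl` command.

```python
import ipaddress
import json
import os
import re
import urllib.request
import uuid

# Target hostname restrictions as listed in the dashboard: alphanumeric, "-" or "."
# only, must start and end with an alphanumeric character, at most 253 characters.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def valid_target_hostname(hostname):
    """Return True if `hostname` satisfies the target hostname format restrictions."""
    return len(hostname) <= 253 and _HOSTNAME_RE.fullmatch(hostname) is not None


def build_target_payload(hostname, ipv4, virtual_network_id, ipv6=None):
    """Build the JSON body for POST /accounts/{account_id}/infrastructure/targets.

    Raises ValueError on a bad hostname, IP address or virtual network ID so that
    mistakes are caught before any API call is made.
    """
    if not valid_target_hostname(hostname):
        raise ValueError(f"invalid target hostname: {hostname!r}")
    # Assumption (matches the page's example): virtual network IDs are UUIDs.
    vnet = str(uuid.UUID(virtual_network_id))
    ip_block = {}
    if ipv4 is not None:
        addr = ipaddress.ip_address(ipv4)
        if addr.version != 4:
            raise ValueError(f"not an IPv4 address: {ipv4!r}")
        ip_block["ipv4"] = {"ip_addr": str(addr), "virtual_network_id": vnet}
    if ipv6 is not None:
        addr = ipaddress.ip_address(ipv6)
        if addr.version != 6:
            raise ValueError(f"not an IPv6 address: {ipv6!r}")
        ip_block["ipv6"] = {"ip_addr": str(addr), "virtual_network_id": vnet}
    if not ip_block:
        raise ValueError("a target needs at least one IP address")
    return {"hostname": hostname, "ip": ip_block}


def create_target(account_id, api_token, payload):
    """POST the payload to the Infrastructure Access Targets endpoint (makes a network call)."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_target_payload(
        "infra-access-target",
        "187.26.29.249",
        "c77b744e-acc8-428f-9257-6878c046ed55",
        ipv6="64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
    )
    print(json.dumps(payload, indent=2))
    # Only call the API when credentials are present in the environment.
    if os.environ.get("ACCOUNT_ID") and os.environ.get("CLOUDFLARE_API_TOKEN"):
        print(create_target(os.environ["ACCOUNT_ID"], os.environ["CLOUDFLARE_API_TOKEN"], payload))
```

Run it without credentials to see the body it would send; with `ACCOUNT_ID` and `CLOUDFLARE_API_TOKEN` set, it creates the target. The same IP and virtual network pairing cannot be reused in a second target, so a loop over many hosts should keep each pairing unique before calling `create_target`.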

Next, create an Access application to secure the target.

## 3\. Create a DNS record

To make your RDP targets (that is, your Windows machines) available through the browser, you will need a [Cloudflare DNS record](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) for the domain and subdomain that users will connect to. This domain will be used to access any targets that are available to users through your Access application (see Step 4).

For example, if you want users to connect to targets on `rdp.example.com`, [create a DNS record](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/#create-dns-records) for `rdp.example.com`. You can create either an `A`, `AAAA`, or `CNAME` record:

A record

The following DNS record points your public subdomain (`rdp`) to an IPv4 address in the [Class E address space ↗](https://datatracker.ietf.org/doc/html/rfc5735).

* **Type**: _A_
* **Name**: `rdp`
* **IPv4 address**: `240.0.0.0`
* **Proxy status**: On

AAAA record

The following DNS record points your public subdomain (`rdp`) to the IPv6 [discard address range ↗](https://www.rfc-editor.org/rfc/rfc6666.html):

* **Type**: _AAAA_
* **Name**: `rdp`
* **IPv6 address**: `100::`
* **Proxy status**: On

CNAME record

The following `CNAME` record points your public subdomain (`rdp`) to a fully qualified domain name.

* **Type**: _CNAME_
* **Name**: `rdp`
* **Target**: `www.rdp.example.com`
* **Proxy status**: On

The CNAME **Target** field is unrelated to the RDP targets configured in Step 2.

The DNS record does not need to point to an active destination IP address or hostname; the DNS record just needs to be valid. Cloudflare's RDP proxy will handle the routing to the correct RDP target.

## 4\. Create an Access application

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname**.  
Note  
Browser-based RDP is only compatible with public hostnames. If you add a private hostname or IP, RDP functionality will not be available in this application.
5. In the **Domain** dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use [wildcards](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/app-paths/) to protect multiple parts of an application that share a root path.  
Alternatively, to use a [Cloudflare for SaaS custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/), select **Switch to custom input** and enter your custom hostname.  
Note  
You can only enable browser-based RDP on domains and subdomains, not for specific paths. The selected domain and subdomain must also have a corresponding DNS record (refer to [Step 3](#3-create-a-dns-record)).
6. Turn on **Allow access through browser-based RDP, SSH, or VNC sessions**, then select _RDP_ from the dropdown menu.
7. In **Target criteria**, select the [target hostname(s)](#2-add-a-target) that define your RDP servers. The application definition will apply to all targets that share the selected target hostname, including any targets added in the future.
8. In **Port**, enter the [RDP listening port ↗](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port) of your server. It will likely be port `3389`.
9. (Optional) If you run RDP on more than one port, select **Add new target criteria** and reconfigure the same target hostname(s) with the different port number.
10. Under **Access policies**, add an existing policy or [create a new policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.  
Note  
Ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
11. (Optional) In your Access policy, configure [clipboard controls](#clipboard-controls) to restrict copy and paste actions between the user's local machine and the browser-based RDP session.
12. Configure how users will authenticate:  
   1. Select the [identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) you want to enable for your application.  
   2. (Recommended) If you plan to only allow access via a single IdP, turn on **Apply instant authentication**. End users will not be shown the [Cloudflare Access login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.  
   3. **Authenticate with Cloudflare One Client** is not supported for browser-based RDP and should remain turned off.
13. In **Session Duration**, choose how often the user's [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) should expire.  
Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/).
14. (Optional) Go to the **Additional settings** tab to customize the application experience:  
   * **App Launcher customization**: The [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) allows users to view the Windows servers that they can access using browser-based RDP. Cloudflare recommends keeping **Show application in App Launcher** turned on. Without the App Launcher, users will need to know each target's direct URL.  
   Note  
   Ensure that users match an Allow rule in your [App Launcher policies](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/#enable-the-app-launcher).  
   * **Custom block pages**: Choose what users will see when they are denied access to the application.  
         * **Cloudflare default**: Reload the [login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/) and display a block message below the Cloudflare Access logo. The default message is `That account does not have access`, or you can enter a custom message.  
         * **Redirect URL**: Redirect to the specified website.  
         * **Custom page template**: Display a [custom block page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/) hosted in Cloudflare One.  
   * [**Cross-Origin Resource Sharing (CORS) settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/)  
   * [**Cookie settings**](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cookie-settings)  
   * **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).
15. Select **Create**.

## 5\. (Recommended) Modify order of precedence in Gateway

By default, Cloudflare will evaluate Access application policies after evaluating all [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). To evaluate Access applications before or after specific Gateway policies:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**. In **Network**, [create a Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) with the following configuration:  
| Selector                     | Operator | Value     | Action |  
| ---------------------------- | -------- | --------- | ------ |  
| Access Infrastructure Target | is       | _Present_ | Allow  |
2. Ensure that **Enforce Cloudflare One Client session duration** is turned off, otherwise users will be blocked from accessing RDP targets.
3. Update the policy's [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) using the dashboard or API.

 This Gateway policy will apply to all Access for Infrastructure targets, including RDP and SSH. 

Note

Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.

## 6\. Connect as a user

To connect to a Windows machine over RDP:

1. Open a browser and go to your App Launcher URL:  
```  
https://<your-team-name>.cloudflareaccess.com  
```  
Replace `<your-team-name>` with your Zero Trust team name.
2. Follow the prompts to log in to your identity provider.  
Once you have authenticated, the App Launcher will display tiles showing the applications that you are authorized to use. Windows servers (targets) available through browser-based RDP will also appear as tiles. If a target is reachable through multiple Access applications, the target will have a tile per Access application.
3. Select the target you want to connect to.  
The App Launcher tile will launch a URL of the form `https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>`. You may also navigate directly to this URL.  
Virtual network ID  
`vnet-id` refers to the [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) (VNET) that the RDP target is assigned to in your Cloudflare Tunnel configuration. If you did not specify a VNET when routing the target through Cloudflare Tunnel, the target is automatically added to the default VNET.  
To fetch a list of all VNETs and their IDs, make a `GET` request to the [List Virtual Networks](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/virtual%5Fnetworks/methods/list/) endpoint. The default VNET will have the parameter `"is_default_network": true`.
4. Select the port that you want to connect to. The port selection screen only appears if the Access application allows RDP traffic on multiple ports (for example, port `3389` and port `65321`).
5. (Optional) In your browser settings, allow the Access application to access the clipboard. Clipboard access is subject to [policy restrictions](#configure-clipboard-controls) configured by your administrator.  
Note  
Automatic clipboard sharing only works by default in Chromium-based browsers; Firefox requires additional configuration. Refer to [Known limitations](#known-limitations) for details.
6. Enter your Windows username and password. For more information on how to format your username, refer to [User identifier formats](#user-identifier-formats).

You now have access to the remote Windows desktop.

## Clipboard controls

Clipboard controls allow you to restrict whether users can copy or paste text between their local machine and the browser-based RDP session. They are configured per policy within your Access application. You can configure different clipboard permissions for different groups of users by creating multiple policies.

### Default behavior

* **New policies**: Clipboard access is denied by default. You must explicitly allow clipboard actions.
* **Existing applications**: Access applications for browser-based RDP created before this feature was available retain full clipboard access to preserve backward compatibility.

### Available settings

For each Access policy, you can choose one of the following clipboard control options:

| Setting                                | Description                                                                                                |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| _Client to remote RDP session allowed_ | Users can copy and paste text from their local client into the browser-based RDP session.                  |
| _Remote RDP session to client allowed_ | Users can copy and paste text from the browser-based RDP session to their local client.                    |
| _Both directions allowed_              | Users can copy and paste text between the browser-based RDP session and their local client.                |
| _Off_                                  | Users are not allowed to copy and paste text between the browser-based RDP session and their local client. |

When a user attempts a restricted clipboard action, the clipboard content is replaced with a message informing them that the action is not allowed.

### Configure clipboard controls

Dashboard

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Locate your browser-based RDP application and select **Configure**.
3. Select the **Policies** tab.
4. Create a new policy or select an existing policy to edit.
5. Expand **Connection context**.
6. Under **RDP data flow control**, choose a **Text clipboard control** setting. Refer to [Available settings](#available-settings) for setting descriptions.
7. Select **Save policy**.

API

When [creating or updating an Access policy](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/policies/) for an RDP application, configure the allowed copy/paste formats in each direction. For example, the following policy allows users to copy text from their local client into the browser-based RDP session, but blocks copying content out of the RDP session.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Apps and Policies Write`

Create an Access reusable policy

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow engineers with restricted clipboard",
    "decision": "allow",
    "include": [
        {
            "email_domain": {
                "domain": "example.com"
            }
        }
    ],
    "connection_rules": {
        "rdp": {
            "allowed_clipboard_local_to_remote_formats": [
                "text"
            ],
            "allowed_clipboard_remote_to_local_formats": []
        }
    }
  }'
```

#### Terraform

Using the `connection_rules` attribute within a [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource, configure the allowed copy/paste formats in each direction. For example, the following policy allows users to copy text from their local client into the browser-based RDP session, but blocks copying content out of the RDP session.

```hcl
resource "cloudflare_zero_trust_access_policy" "rdp-policy" {
  account_id = var.cloudflare_account_id
  name       = "Allow engineers with restricted clipboard"
  decision   = "allow"

  include = [
    {
      email_domain = {
        domain = "example.com"
      }
    }
  ]

  connection_rules = {
    rdp = {
      allowed_clipboard_local_to_remote_formats = ["text"]
      allowed_clipboard_remote_to_local_formats = []
    }
  }
}
```

## Compatibility

### RDP server operating systems

Browser-based RDP supports connecting to Windows machines that run the following operating systems:

* Windows 11 Pro
* Windows 11 Enterprise
* Windows 10 Pro
* Windows 10 Enterprise
* Windows Server 2025
* Windows Server 2022
* Windows Server 2019
* Windows Server 2016

### Browsers

| Browser                                      | Compatibility |
| -------------------------------------------- | ------------- |
| Google Chrome                                | ✅             |
| Mozilla Firefox                              | ✅             |
| Safari                                       | ✅             |
| Microsoft Edge (Chromium-based)              | ✅             |
| Other Chromium-based browsers (Opera, Brave) | ✅             |
| Internet Explorer 11 and below               | ❌             |

### PowerShell

Run PowerShell 7 or higher on the RDP server to avoid a prior Microsoft issue in which keystrokes were not recorded.

### User identifier formats

Browser-based RDP supports connecting to Windows machines using the following login credentials:

#### Security Account Manager (SAM)

SAM-formatted user identifiers are supported with and without spaces.

Examples:

* `DOMAIN\username`
* `DOMAIN\username with spaces`
* `.\username`
* `.\username with spaces`
* `username`
* `username with spaces`

Character limits

Identifiers which specify a domain, such as `DOMAIN\username`, can have a maximum of 20 characters for the domain and 15 characters for the username.

Identifiers without a domain, such as `.\username`, will use the default domain. The username can have a maximum of 20 characters.

#### User Principal Name (UPN)

UPN-formatted user identifiers are supported with spaces, with and without quotes.

Examples:

* `"username with spaces"@domain.org`
* `username with spaces@domain.org`
* `username@domain.org`

Note

Cloudflare will not configure user identifiers on the RDP target. Any user identifier used to authenticate must be pre-configured on the server.

#### Microsoft Entra ID

Users whose identifiers are bound to Microsoft Entra ID domains must enter their username as `AzureAD\user@example.com` or `AzureAD\user`. The `AzureAD\` prefix is case-insensitive. The login flow differs slightly when using a Microsoft Entra ID-bound username:

1. Enter your username in one of the formats outlined above.
2. Once the username is entered, the password box will disappear and the RDP connection will initiate.
3. The RDP server will then prompt for the password before granting access to the RDP server.

### Cloudflare products

When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.

However, the following products are not supported:

* [Automatic Platform Optimization](https://developers.cloudflare.com/automatic-platform-optimization)
* [Zaraz](https://developers.cloudflare.com/zaraz)
* [Google tag gateway for advertisers](https://developers.cloudflare.com/google-tag-gateway)

You can disable Zaraz for a specific application - instead of across your entire zone - using a [Configuration Rule](https://developers.cloudflare.com/rules/configuration-rules/) scoped to the application domain.

Google tag gateway is configured at the zone level and cannot be scoped to specific hostnames. To use the Access binding cookie on a hostname, disable Google tag gateway for the entire zone.

## Known limitations

* **TLS certificate verification**: Cloudflare uses TLS to connect to the RDP target but does not verify the origin TLS certificate.
* **Device authentication identity**: Since browser-based RDP traffic does not go through the Cloudflare One Client, users cannot use their [Cloudflare One Client session identity](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/#configure-warp-sessions-in-access) to authenticate.
* **Audio over RDP**: Users cannot use their microphone and speaker to interact with the remote machine.
* **Clipboard size limit**: Data copied between the local machine and the browser-based RDP session may not exceed 500 KB.
* **Clipboard data types**: Clipboard controls only support text data. Image and file clipboard transfers are not supported.
* **File transfers**: Users cannot transfer files from their local machine to the remote machine and vice versa.
* **Print to local printer**: Users cannot print information from their browser-based RDP session to a printer in their local network.
* **Network Level Authentication for Entra-joined accounts**: Browser-based RDP does not support PKU2U authentication, which is required for [Network Level Authentication (NLA) ↗](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/remote-desktop-allow-access#why-allow-connections-only-with-network-level-authentication) with Entra-joined accounts. Connecting to Entra-joined accounts therefore requires disabling enforcement of NLA on the remote Windows machine. You can disable NLA from **Settings** \> **System** \> **Remote Desktop**, or use the Local Group Policy Editor to disable **Require user authentication for remote connections by using Network Level Authentication**.
* **Clipboard browser compatibility**: Automatic clipboard sharing between the local and remote machine is only available in Chromium-based browsers by default (Google Chrome, Microsoft Edge, Opera, Brave). To enable this functionality in Firefox:  
   1. Type `about:config` into the browser address bar and press **Enter**.  
   2. Accept the warning prompt if displayed.  
   3. Search for `dom.events.testing.asyncClipboard` and set it to `true`.  
   4. Search for `dom.events.asyncClipboard.clipboardItem` and set it to `true`.  
   5. Search for `dom.events.asyncClipboard.readText` and set it to `true`.


---

---
title: Connect to RDP with client-side cloudflared
description: Connect to RDP with client-side cloudflared in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Connect to RDP with client-side cloudflared

End users can connect to an RDP server without the Cloudflare One Client by authenticating through `cloudflared` in their native terminal. This method requires having `cloudflared` installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.

Client-side `cloudflared` can be used in conjunction with [the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-device-client/) and [Browser-based RDP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.

## 1\. Connect the server to Cloudflare

1. Create a Cloudflare Tunnel by following our [dashboard setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
2. In the **Published application routes** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `rdp.example.com`).
3. For **Service**, select _RDP_ and enter the [RDP listening port ↗](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port) of your server (for example, `localhost:3389`). It will likely be port `3389`.
4. Select **Save**.

## 2\. (Recommended) Create an Access application

By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in Cloudflare Access.

## 3\. Connect as a user

1. [Install cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) on the client machine.
2. Run this command to open an RDP listening port:

   ```sh
   cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3389
   ```

   This process will need to be configured to stay alive and autostart. If the process is killed, users will not be able to connect.

Note

If the client machine is running Windows, port `3389` may already be in use locally. In that case, select an alternative port that is not in use instead of `3389`.

3. While `cloudflared access` is running, connect from an RDP client such as Microsoft Remote Desktop:  
   1. Open Microsoft Remote Desktop and select **Add a PC**.  
   2. For **PC name**, enter `localhost:3389`.  
   3. For **User account**, enter your RDP server username and password.  
   4. Double-click the newly added PC.  
   5. When asked if you want to continue, select **Continue**.

When the client launches, a browser window will open and prompt the user to authenticate with Cloudflare Access.


---

---
title: Connect to RDP using the Cloudflare One Client
description: Connect to RDP using the Cloudflare One Client in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Connect to RDP using the Cloudflare One Client

The [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) allows users to connect to RDP servers using their preferred RDP client. Cloudflare Tunnel creates a secure, outbound-only connection from your RDP server to Cloudflare's global network; this requires running the `cloudflared` daemon on the server (or any other host machine within the private network). Users install the Cloudflare One Client on their device and enroll in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can connect to the RDP server unless you build policies to allow or block specific users.

This example walks through how to set up an RDP server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports RDP connections.

## 1\. Set up an RDP server in GCP

1. In your [Google Cloud Console ↗](https://console.cloud.google.com/), [create a new project ↗](https://developers.google.com/workspace/guides/create-project).
2. Go to **Compute Engine** \> **VM instances**.
3. Select **Create instance**.
4. Name your VM instance, for example `windows-rdp-server`.
5. Configure your VM instance:  
   1. Scroll down to **Boot Disk** and select **Change**.  
   2. For **Operating system**, select _Windows Server_.  
   3. Choose a **Version** with Desktop Experience, for example _Windows Server 2016 Datacenter_.
6. Once your VM is running, open the dropdown next to **RDP** and select _View gcloud command to reset password_.
7. Select **Run in Cloud Shell**.
8. Run the command in the Cloud Shell terminal. You will be asked to confirm the password reset.
9. Copy the auto-generated password and username to a safe place.

## 2\. Install Microsoft Remote Desktop

You can use any RDP client to access and configure the RDP server.

To access the server through Microsoft Remote Desktop:

1. Download and install [Microsoft Remote Desktop ↗](https://apps.microsoft.com/store/detail/microsoft-remote-desktop/9WZDNCRFJ3PS).
2. Once downloaded, open Microsoft Remote Desktop and select **Add a PC**.
3. For **PC name**, enter the public IP address of your RDP server. In GCP, this is the **External IP** of the VM instance.
4. For **User account**, select **Add User Account** and enter your auto-generated password and username.
5. Select **Add**. The PC will display in Microsoft Remote Desktop.
6. To test basic connectivity, double-click the newly added PC.
7. When asked if you want to continue, select **Continue**.

You can now remotely access the RDP server using its public IP. The next steps will configure access to the server using its private IP.

Note

By default, Internet Explorer will be installed and configured in [Enhanced Security mode ↗](https://learn.microsoft.com/troubleshoot/developer/browsers/security-privacy/enhanced-security-configuration-faq#internet-explorer-enhanced-security-configuration). If the browser is slow or unable to load, you can turn off Enhanced Security and install an alternate browser such as Google Chrome.

## 3\. Connect the server to Cloudflare

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. [Create a new tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or edit an existing `cloudflared` tunnel.
3. In the **CIDR** tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the **Internal IP** of the VM instance.
4. (Optional) [Set up Zero Trust policies](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server.

## 4\. Set up the client

To connect your devices to Cloudflare:

1. [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your devices in Traffic and DNS mode or [generate a proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and deploy a PAC file.
2. [Create device enrollment rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.

## 5\. Route private network IPs through the Cloudflare One Client

By default, WARP excludes traffic bound for [RFC 1918 space ↗](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for the Cloudflare One Client to send traffic to your private network, you must configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that the IP/CIDR of your private network routes through the Cloudflare One Client.

1. First, check whether your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
2. Edit your Split Tunnel routes depending on the mode.

   If you are using **Exclude** mode:

   a. [Delete the route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#remove-a-route) containing your private network's IP/CIDR range. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.

   b. [Re-add IP/CIDR ranges](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) that are not explicitly used by your private network. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through the Cloudflare One Client.

   This documentation page includes a CIDR calculator for determining which ranges to re-add: in **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels; in **Subtracted CIDRs**, enter the IP/CIDR range used by your private network; then re-add the calculator results to your Split Tunnel Exclude mode list.

   By tightening the private IP range included in the Cloudflare One Client, you reduce the risk of breaking a user's [access to local resources](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion).

   If you are using **Include** mode:

   1. Add the required [Zero Trust domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
   2. [Add a route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) to include your private network's IP/CIDR range.

## 6\. Connect as a user

Once the Cloudflare One Client is configured, you can use your RDP client to connect to the server's private IP address (instead of the public IP address used initially).

To connect in Microsoft Remote Desktop:

1. Open Microsoft Remote Desktop and select **Add a PC**.
2. For **PC name**, enter the private IP address of your RDP server. In GCP, this is the **Internal IP** of the VM instance.
3. For **User account**, enter your RDP server username and password.
4. To test Zero Trust connectivity, double-click the newly added PC.
5. When asked if you want to continue, select **Continue**.

You now have secure, remote access to the RDP server.


---

---
title: SMB
description: SMB in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# SMB

The Server Message Block (SMB) protocol allows users to read, write, and access shared resources on a network. Due to security risks, firewalls and ISPs usually block public connections to an SMB file share. With Cloudflare Tunnel, you can provide secure and simple SMB access to users outside of your network.

Cloudflare Zero Trust offers two solutions for connecting to SMB servers:

* [Private subnet routing with the Cloudflare One Client to Tunnel](#connect-to-smb-server-with-the-cloudflare-one-client-to-tunnel)
* [Public hostname routing with cloudflared access](#connect-to-smb-server-with-cloudflared-access)

## Set up an SMB server on Linux

While SMB was developed for Microsoft Windows, Samba provides SMB connectivity from UNIX-like and BSD systems. A Samba server can be set up using this [guide ↗](https://ubuntu.com/tutorials/install-and-configure-samba#1-overview) on an Ubuntu machine.

## Connect to SMB server with the Cloudflare One Client to Tunnel

You can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the `cloudflared` daemon on the server. Users reach the service by installing the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can access the service unless you build policies to allow or block specific users.

### 1\. Connect the server to Cloudflare

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. [Create a new tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or edit an existing `cloudflared` tunnel.
3. In the **CIDR** tab for the tunnel, enter the private IP or CIDR address of your server.
4. (Optional) [Set up Zero Trust policies](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server.

### 2\. Set up the client

To connect your devices to Cloudflare:

1. [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your devices in Traffic and DNS mode or [generate a proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and deploy a PAC file.
2. [Create device enrollment rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.

### 3\. Route private network IPs through the Cloudflare One Client

By default, WARP excludes traffic bound for [RFC 1918 space ↗](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for the Cloudflare One Client to send traffic to your private network, you must configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that the IP/CIDR of your private network routes through the Cloudflare One Client.

1. First, check whether your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
2. Edit your Split Tunnel routes depending on the mode.

   If you are using **Exclude** mode:

   a. [Delete the route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#remove-a-route) containing your private network's IP/CIDR range. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.

   b. [Re-add IP/CIDR ranges](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) that are not explicitly used by your private network. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through the Cloudflare One Client.

   This documentation page includes a CIDR calculator for determining which ranges to re-add: in **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels; in **Subtracted CIDRs**, enter the IP/CIDR range used by your private network; then re-add the calculator results to your Split Tunnel Exclude mode list.

   By tightening the private IP range included in the Cloudflare One Client, you reduce the risk of breaking a user's [access to local resources](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion).

   If you are using **Include** mode:

   1. Add the required [Zero Trust domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
   2. [Add a route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) to include your private network's IP/CIDR range.
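The CIDR arithmetic behind the Exclude-mode step above (and the identical step in the RDP Cloudflare One Client procedure earlier on this page), as an added example that is not Cloudflare's calculator code: `subtract_cidrs` reproduces the page's `172.16.0.0/12` minus `172.31.0.0/16` case using only the Python standard library, and `rebuild_exclude_list` generalizes it to several private ranges across all three RFC 1918 routes. Function names and the `RFC1918` constant are this example's own.

```python
"""Split Tunnel Exclude-mode helper (added example, not Cloudflare code).

Given the RFC 1918 route you deleted from Split Tunnels and the private
range(s) your network actually uses, compute the ranges to re-add so that
only the private range routes through the Cloudflare One Client.
"""
import ipaddress
from typing import Iterable, List

# The RFC 1918 ranges that the Exclude-mode list carries by default.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def subtract_cidrs(base: str, subtracted: Iterable[str]) -> List[str]:
    """Return the CIDRs that cover `base` minus every network in `subtracted`.

    Mirrors the page's calculator: base = the route you deleted,
    subtracted = your private network's range(s). The result is the
    smallest set of networks covering everything else, sorted by address.
    A subtracted network outside `base` changes nothing; one that contains
    `base` leaves nothing to re-add.
    """
    remaining = [ipaddress.ip_network(base, strict=False)]
    for cidr in subtracted:
        sub = ipaddress.ip_network(cidr, strict=False)
        next_remaining = []
        for net in remaining:
            if sub.version != net.version:
                next_remaining.append(net)       # IPv4/IPv6 mismatch: skip
            elif sub.subnet_of(net):
                # address_exclude yields the pieces of `net` not inside `sub`
                # (an empty sequence when sub == net).
                next_remaining.extend(net.address_exclude(sub))
            elif net.subnet_of(sub):
                continue                         # net is entirely removed
            else:
                next_remaining.append(net)       # no overlap: keep as is
        remaining = next_remaining
    # collapse_addresses merges adjacent halves back into a single network
    # where possible, so the list stays minimal after several subtractions.
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


def rebuild_exclude_list(private_cidrs: Iterable[str]) -> List[str]:
    """Return the routes that replace the three default RFC 1918 entries.

    Each default route that contains one of `private_cidrs` is replaced by
    its complement; routes that contain none of them are kept unchanged.
    This is the page's procedure applied to all RFC 1918 routes at once.
    """
    private = [ipaddress.ip_network(c, strict=False) for c in private_cidrs]
    routes: List[str] = []
    for base in RFC1918:
        inside = [str(p) for p in private if p.subnet_of(base)]
        if inside:
            routes.extend(subtract_cidrs(str(base), inside))
        else:
            routes.append(str(base))
    return routes


if __name__ == "__main__":
    # The page's AWS example: delete 172.16.0.0/12, keep 172.31.0.0/16 routed.
    for route in subtract_cidrs("172.16.0.0/12", ["172.31.0.0/16"]):
        print(route)
    # -> 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, 172.30.0.0/16
```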

### 4\. Connect as a user

#### macOS

1. In the Finder menu, select **Go** \> **Connect to Server**.
2. Enter `smb://<smb-server-ip-address>/sambashare`.  
![Connect to SMB server in macOS](https://developers.cloudflare.com/_astro/smb-connect.C4nMiFKp_Z1namc2.webp)
3. Sign in with the username and password created while setting up the server.

#### Windows

1. Open File Explorer and right-click **Network** \> **Map Network Drive**.
2. For **Folder**, enter `\\<server-private-ip>\sambashare`.
3. Select **Connect using different credentials**.
4. Select **Finish**.
5. Sign in with the username and password created while setting up the server.

## Connect to SMB server with `cloudflared access`

Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the Cloudflare One Client. This method requires having `cloudflared` installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.

The public hostname method can be implemented in conjunction with routing over the Cloudflare One Client so that there are multiple ways to connect to the server. You can reuse the same tunnel for both the private network and public hostname routes.

### 1\. Connect the server to Cloudflare

1. Create a Cloudflare Tunnel by following our [dashboard setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
2. In the **Published application routes** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `smb.example.com`).
3. For **Service**, select _SMB_ and enter the SMB listening port (for example, `localhost:445`). SMB drives listen on port `139` or `445` by default.
4. Select **Save**.

### 2\. (Recommended) Create an Access application

By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in Cloudflare Access.

### 3\. Connect as a user

1. [Install cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) on the client machine.
2. Run the following command to open an SMB listening port. You can specify any available port on the client machine.  
Terminal window  
```  
cloudflared access tcp --hostname smb.example.com --url localhost:8445  
```  
This command can be wrapped as a desktop shortcut so that end users do not need to use the command line.
3. [Open your SMB client](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/#4-connect-as-a-user) and configure the client to point to `smb://localhost:8445/sambashare`. Do not input the hostname.
4. Sign in with the username and password created while setting up the server.

#### Windows-specific requirements

If you are using a Windows machine and cannot specify the port for SMB, you might need to disable the local server. The local server on a client machine uses the same default port `445` for CIFS/SMB. By listening on that port, the local server can block the `cloudflared access` connection.

Warning

The Windows Server service provides file, print, and named-pipe sharing over the network. Disabling this service causes those features to stop working.

To disable the local server on a Windows machine:

1. Select **Win**+**R** to open the Run window.
2. Type `services.msc` and select **Enter**.
3. Locate the local server process, likely called `Server`.
4. Stop the service and set **Startup type** to _Disabled_.
5. Repeat steps 3 and 4 for `TCP/IP NetBIOS Helper`.


---

---
title: SSH
description: SSH resources and guides for Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# SSH

The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare One, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.

Cloudflare offers four ways to secure SSH:

[SSH with client-side cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/) 

**Setup time:** 15-30 minutes

**Required products:** [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) (`cloudflared` on server and client), [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/)

**Best for:** Seamless SSH access with identity-based authentication using native terminal

**Key differentiator:** No Cloudflare One Client required — works with just `cloudflared` on both ends

[SSH with Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) 

**Setup time:** 45-60 minutes

**Required products:** [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) (`cloudflared` on server), [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) (client on-ramp), [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/), [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/)

**Best for:** Advanced SSH certificate-based authentication with short-lived credentials

**Key differentiator:** SSH certificates with Access policies and command logging

[Self-managed SSH keys](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client/) 

**Setup time:** 30-45 minutes

**Required products:** [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) (`cloudflared` on server), [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) (client on-ramp), [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)

**Best for:** Traditional SSH key management with network-level policy enforcement

**Key differentiator:** Keep your existing SSH key infrastructure with no client-side `cloudflared` or SSH config changes needed

[Browser-rendered SSH terminal](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-browser-rendering/) 

**Setup time:** 20-30 minutes

**Required products:** [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) (`cloudflared` on server), [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/)

**Best for:** Browser-based SSH access for quick administrative tasks

**Key differentiator:** No SSH client or Cloudflare One Client required — connect directly from a browser


---

---
title: Connect to SSH in the browser
description: Connect to SSH in the browser in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connect to SSH in the browser

Cloudflare's browser-based terminal allows end users to connect to an SSH server without managing SSH keys or installing the Cloudflare One Client.

This method requires routing SSH access to the server through a public hostname. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.

The browser-based terminal can be used in conjunction with [the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client/) and [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.

## 1\. Connect the server to Cloudflare

1. Create a Cloudflare Tunnel by following our [dashboard setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
2. In the **Published application routes** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `ssh.example.com`).
3. For **Service**, select _SSH_ and enter `localhost:22`. If the SSH server is on a different machine from where you installed the tunnel, enter `<server IP>:22`.
4. Select **Save**.
5. (Recommended) Add a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server.

## 2\. Connect as a user

To enable browser-rendering for SSH, refer to [Browser-rendered terminal](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/browser-rendering/).

When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser.


---

---
title: Connect to SSH with client-side cloudflared
description: Connect to SSH with client-side cloudflared in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connect to SSH with client-side cloudflared

End users can connect to an SSH server without the Cloudflare One Client by authenticating through `cloudflared` in their native terminal. This method requires having `cloudflared` installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.

Client-side `cloudflared` can be used in conjunction with [the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client/) and [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.

## 1\. Connect the server to Cloudflare

1. Create a Cloudflare Tunnel by following our [dashboard setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
2. In the **Published application routes** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `ssh.example.com`).
3. For **Service**, select _SSH_ and enter `localhost:22`. If the SSH server is on a different machine from where you installed the tunnel, enter `<server IP>:22`.
4. Select **Save**.
5. (Recommended) Add a [self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server.

## 2\. Connect as a user

1. [Install cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/) on the client machine.
2. Make a one-time change to your SSH configuration file:  
Terminal window  
```  
vim ~/.ssh/config  
```
3. Input the following values, replacing `ssh.example.com` with the hostname you created.  
```  
Host ssh.example.com  
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h  
```  
The `cloudflared` path may be different depending on your OS and package manager. For example, if you installed `cloudflared` on macOS with Homebrew, check its path by running `brew --prefix cloudflared`.
4. You can now test the connection by running a command to reach the service:  
Terminal window  
```  
ssh <username>@ssh.example.com  
```  
When the command is run, `cloudflared` will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.


---

---
title: Connect with self-managed SSH keys
description: Connect with self-managed SSH keys in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Connect with self-managed SSH keys

If you want to manage your own SSH keys, you can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the `cloudflared` daemon on the server (or any other host machine within the private network). Users with SSH keys that are trusted by the SSH server can access the server by installing the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on their device and enrolling in your Zero Trust organization. Users can SSH directly to the server's private hostname (for example, `ssh.internal.local`). You control access to the server using network-level Gateway policies instead of application-level Access policies.

Note

If you want to create more granular policies, allow Cloudflare to manage SSH keys for you, or to obtain command logs, consider using [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead.

## Prerequisites

* A [Cloudflare Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization)
* [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) installed on user devices.
* Devices [enrolled](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) in your Zero Trust organization

## 1\. Create an example SSH server

This example walks through how to set up an SSH server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports SSH connections. If you already have an SSH server configured, you can skip to [Step 2](#2-connect-the-server-to-cloudflare).

### 1.1 Create an SSH key pair

Before creating your VM instance you will need to create an SSH key pair.

1. Open a terminal and type the following command:  
Terminal window  
```  
ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C <username in GCP>  
```
2. Enter your passphrase when prompted. It will need to be entered twice.  
Two files will be generated: `gcp_ssh` which contains the private key, and `gcp_ssh.pub` which contains the public key.
3. In the command line, enter:  
Terminal window  
```  
cat ~/.ssh/gcp_ssh.pub  
```
4. Copy the output. This will be used when creating the VM instance in GCP.

### 1.2 Create a VM instance in GCP

Now that the SSH key pair has been created, you can create a VM instance.

1. In your [Google Cloud Console ↗](https://console.cloud.google.com/), [create a new project ↗](https://developers.google.com/workspace/guides/create-project).
2. Go to **Compute Engine** \> **VM instances**.
3. Select **Create instance**.
4. Name your VM instance, for example `ssh-server`.
5. Scroll down to **Advanced options** \> **Security** \> **Manage Access**.
6. Under **Add manually generated SSH keys**, select **Add item** and paste the public key that you have created.
7. Select **Create**.
8. Once your VM instance is running, open the dropdown next to **SSH** and select _Open in browser window_.

Note

In order to be able to establish an SSH connection, do not enable [OS Login ↗](https://cloud.google.com/compute/docs/oslogin) on the VM instance.

## 2\. Connect the server to Cloudflare

This section covers how to create a new Cloudflare Tunnel for your SSH server. You can reuse the same tunnel for all services on a private network that are reachable from the `cloudflared` host.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. Select **Create a tunnel**.
3. Choose **Cloudflared** for the connector type and select **Next**.
4. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`).
5. Select **Save tunnel**.
6. Next, you will need to install `cloudflared` and run it. To do so, check that the environment under **Choose an environment** reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.
7. Once the command has finished running, your connector will appear in Cloudflare One.  
![Connector appearing in the UI after cloudflared has run](https://developers.cloudflare.com/_astro/connector.BnVS4T_M_ZxLFu6.webp)
8. Select **Next**.

## 3\. Use hostname routes

Hostname routes allow you to SSH directly to `ssh.internal.local` without managing static IP routes. Hostname routes are especially useful when your SSH server has an unknown or ephemeral IP address, such as dynamic infrastructure provisioned by cloud providers.

How hostname routing works

When you create a hostname route in Cloudflare Tunnel:

1. Users SSH to your private hostname (for example, `ssh user@ssh.internal.local`).
2. Gateway resolves the hostname to an initial resolved IP from a CGNAT range.
3. Traffic routes through the WARP tunnel to Cloudflare.
4. Gateway network policies evaluate the connection.
5. Cloudflared proxies the connection to your SSH server's private IP.

If you do not have a private DNS resolver configured or would rather SSH to an IP address, skip to [Step 4](#4-optional-use-ip-routes).

### 3.1 Add a hostname route

To add a hostname route to your tunnel:

1. In your tunnel configuration, go to the **Hostname routes** tab.
2. Enter the hostname of your SSH server (for example, `ssh.internal.local`).  
Hostname format restrictions  
   * **Character limit:** Must be less than 255 characters.  
   * **Supported wildcards:** A single wildcard (`*`) is allowed, and it must represent a full DNS label. Example: `*.internal.local`  
   * **Unsupported wildcards:** The following wildcard formats are not supported:  
         * Partial wildcards such as `*-dev.internal.local` or `dev-*.internal.local`.  
         * Wildcards in the middle, such as `foo*bar.internal.local` or `foo.*.internal.local`.  
         * Multiple wildcards in the hostname, such as `*.*.internal.local`.  
   * **Wildcard trimming**: Leading wildcards (`*`) are trimmed off and an implicit dot (`.`) is assumed. For example, `*.internal.local` is saved as `internal.local` but will match all subdomains at the wildcard level (covers `foo.internal.local` but not `foo.bar.internal.local`).  
   * **Dot trimming:** Leading and ending dots (`.`) are allowed but trimmed off.
3. Select **Complete setup**.
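The hostname format restrictions above, implemented as an added validator and matcher (example code, not Cloudflare's own; `parse_hostname_route`, `HostnameRoute` and `is_valid_hostname_route` are names chosen here, and treating hostnames case-insensitively and not matching the bare suffix `internal.local` against `*.internal.local` are assumptions, not documented behaviour):

```python
"""
Validator and matcher for Cloudflare Tunnel hostname routes, written as an
added example (not Cloudflare's code). It implements the listed rules:
a 255-character limit, at most one wildcard, which must be a full leading
DNS label, and trimming of leading wildcards and leading/trailing dots.
"""
from dataclasses import dataclass

MAX_LEN = 255  # "Must be less than 255 characters"


@dataclass(frozen=True)
class HostnameRoute:
    suffix: str     # stored hostname after trimming, e.g. "internal.local"
    wildcard: bool  # True if the route was entered with a leading "*."

    def matches(self, name: str) -> bool:
        """Return True if `name` is covered by this route.

        A wildcard route matches exactly one extra label in front of the
        stored suffix (foo.internal.local but not foo.bar.internal.local).
        A plain route matches only the exact hostname. Assumption: the bare
        suffix itself is not matched by a wildcard route.
        """
        name = name.strip(".").lower()
        if not self.wildcard:
            return name == self.suffix
        if not name.endswith("." + self.suffix):
            return False
        prefix = name[: -len(self.suffix) - 1]
        return prefix != "" and "." not in prefix


def parse_hostname_route(raw: str) -> HostnameRoute:
    """Validate `raw` against the hostname route rules and normalise it.

    Raises ValueError with a reason for every unsupported form.
    """
    if len(raw) >= MAX_LEN:
        raise ValueError(f"hostname must be less than {MAX_LEN} characters")
    # Leading and ending dots are allowed but trimmed off.
    hostname = raw.strip(".").lower()
    if not hostname:
        raise ValueError("hostname is empty after trimming dots")

    labels = hostname.split(".")
    if any(label == "" for label in labels):
        raise ValueError("empty DNS label (consecutive dots)")

    wildcard_labels = [i for i, label in enumerate(labels) if "*" in label]
    if len(wildcard_labels) > 1:
        # e.g. "*.*.internal.local"
        raise ValueError("only a single wildcard is allowed")

    wildcard = False
    if wildcard_labels:
        idx = wildcard_labels[0]
        if labels[idx] != "*":
            # e.g. "*-dev", "dev-*", "foo*bar": wildcard must be a full label
            raise ValueError("partial wildcards are not supported")
        if idx != 0:
            # e.g. "foo.*.internal.local": wildcard in the middle
            raise ValueError("wildcard must be the leading label")
        if len(labels) == 1:
            raise ValueError("a bare '*' is not a valid hostname route")
        # The leading wildcard is trimmed and an implicit "." is assumed.
        labels = labels[1:]
        wildcard = True

    return HostnameRoute(suffix=".".join(labels), wildcard=wildcard)


def is_valid_hostname_route(raw: str) -> bool:
    """Convenience wrapper: True if `raw` passes validation."""
    try:
        parse_hostname_route(raw)
    except ValueError:
        return False
    return True
```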

### 3.2 Configure DNS resolution

When Gateway receives a request for your private hostname, it must resolve the hostname to your SSH server's private IP address.

#### Scenario A: Use the system resolver (Default)

By default, `cloudflared` uses the private DNS resolver configured on its host machine (for example, in `/etc/resolv.conf` on Linux). If the machine running `cloudflared` can already resolve `ssh.internal.local` to its private IP using the local system resolver, no further configuration is required. You can skip to [Step 3.3](#33-configure-cloudflare-one-clients).

Verify local DNS resolution

To check if `cloudflared` can successfully resolve `ssh.internal.local`, run the following command from the `cloudflared` host:

Terminal window

```
nslookup ssh.internal.local
```

```
Server:    127.0.2.2
Address:   127.0.2.2#53

Non-authoritative answer:
Name:      ssh.internal.local
Address:   10.2.0.3
```

The output should contain the server's private IP address (the **Internal IP** of the GCP VM). If the hostname fails to resolve:

* Make sure that your private DNS resolver has a record that points `ssh.internal.local` to the server's private IP.
* In GCP, you may need to [add a private zone to Cloud DNS ↗](https://docs.cloud.google.com/dns/docs/zones#create-private-zone) so that `internal.local` resolves using your private DNS resolver.

#### Scenario B: Use a specific private DNS server (Advanced)

If you need `cloudflared` to use a specific internal DNS server that is different from the host's default resolver, you must explicitly connect that DNS server to Cloudflare via an [IP/CIDR route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). You will also need to configure a [Gateway resolver policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route queries to this specific private DNS server.

1. To create an IP/CIDR route for the DNS server:  
   1. Go to **Networks** \> **Routes** \> **CIDR**.  
   2. Select **Add CIDR route**.  
   3. Enter the private IP address of your internal DNS resolver.  
   4. Select the Cloudflare Tunnel that connects to the network where this DNS server resides.  
   5. Select **Create**.
2. To create a resolver policy:  
   1. Go to **Traffic policies** \> **Resolver policies**.  
   2. Select **Create a policy**.  
   3. Create an expression that matches the private hostname:  
   | Selector | Operator | Value              |  
   | -------- | -------- | ------------------ |  
   | Host     | in       | ssh.internal.local |  
   4. Under **Configure custom DNS resolvers**, enter the private IP address of your internal DNS server.  
   5. From the dropdown menu, select the `- Private` routing option and the [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) assigned to the tunnel you selected in the previous step.  
   6. Select **Create policy**.

### 3.3 Configure Cloudflare One Clients

To connect to private hostnames, Cloudflare One Clients must be configured to forward the following traffic to Cloudflare:

* Initial resolved IPs (CGNAT range: `100.64.0.0/10`)
* DNS queries for your private hostname

#### 3.3.1 Configure Split Tunnels

In your WARP [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/), configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) such that the initial resolved IPs route through the WARP tunnel. Configuration depends on your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode):

* **Exclude mode**: Delete `100.64.0.0/10` from your Split Tunnels list. We recommend [adding back the IP ranges](https://developers.cloudflare.com/cloudflare-one/networks/routes/reserved-ips/#split-tunnel-configuration) that are not explicitly used for Cloudflare One services. This reduces the risk of conflicts with existing private network configurations that may use the CGNAT address space.
* **Include mode**: Add Split Tunnel entries for the following IP addresses:  
   * **IPv4**: `100.80.0.0/16`  
   * **IPv6**: `2606:4700:0cf1:4000::/64`

#### 3.3.2 Configure Local Domain Fallback

In [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/), delete the top-level domain for your private hostname. This configures WARP to send the DNS query to Cloudflare Gateway for resolution.

For example, if your SSH hostname is `ssh.internal.local`, remove `internal.local` from Local Domain Fallback.

## 4\. (Optional) Use IP routes

### 4.1 Add an IP route

To connect to the SSH server using its IP address (instead of a [hostname](#3-use-hostname-routes)), [add a CIDR route](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/#add-a-cidr-route) that includes the server's private IP address.

### 4.2 Configure Cloudflare One Clients

By default, WARP excludes traffic bound for [RFC 1918 space ↗](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for the Cloudflare One Client to send traffic to your private network, you must configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that the IP/CIDR of your private network routes through the Cloudflare One Client.

1. First, check whether your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
2. Edit your Split Tunnel routes depending on the mode:  
If you are using **Exclude** mode:  
a. [Delete the route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#remove-a-route) containing your private network's IP/CIDR range. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.  
b. [Re-add IP/CIDR ranges](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) that are not explicitly used by your private network. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through the Cloudflare One Client.  
You can use the following calculator to determine which IP addresses to re-add:  
Calculator instructions  
   1. In **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels.  
   2. In **Subtracted CIDRs**, enter the IP/CIDR range used by your private network.  
   3. Re-add the calculator results to your Split Tunnel Exclude mode list.  
By tightening the private IP range included in the Cloudflare One Client, you reduce the risk of breaking a user's [access to local resources](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion).  
If you are using **Include** mode:  
   1. Add the required [Zero Trust domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.  
   2. [Add a route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) to include your private network's IP/CIDR range.
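The calculation the Exclude-mode steps describe (subtract the ranges your private network uses from the RFC 1918 range you deleted, then re-add what is left), as an added example built on Python's standard `ipaddress` module; `subtract_cidrs` is a name chosen here and this is not Cloudflare's calculator code. It generalises the single-range case in the text to any number of subtracted ranges.

```python
"""
Split Tunnel Exclude-mode calculator, added as an example (not Cloudflare's
code). Given a base CIDR that was removed from the Exclude list and the
CIDRs the private network actually uses, return the minimal set of CIDRs
to re-add so that only the private network routes through the client.
"""
import ipaddress
from typing import Iterable, List


def subtract_cidrs(base: str, subtracted: Iterable[str]) -> List[str]:
    """Return `base` minus every network in `subtracted`, as a sorted,
    minimal list of CIDR strings.

    Networks in `subtracted` that lie outside `base` are ignored: they were
    never covered by the deleted route, so nothing needs re-adding for them.
    """
    remaining = [ipaddress.ip_network(base, strict=True)]
    for cidr in subtracted:
        hole = ipaddress.ip_network(cidr, strict=True)
        next_remaining = []
        for net in remaining:
            if hole.version != net.version or not net.overlaps(hole):
                # Different address family or disjoint: keep the piece as-is.
                next_remaining.append(net)
            elif net.subnet_of(hole):
                # The hole swallows this piece entirely: drop it.
                continue
            else:
                # CIDRs are nested or disjoint, so here the hole sits inside
                # `net`; address_exclude yields the pieces of `net` around it.
                next_remaining.extend(net.address_exclude(hole))
        remaining = next_remaining
    # collapse_addresses merges adjacent pieces and returns them in order.
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    # The AWS example from the text: 172.16.0.0/12 was deleted from the
    # Exclude list and only 172.31.0.0/16 should reach the tunnel.
    for cidr in subtract_cidrs("172.16.0.0/12", ["172.31.0.0/16"]):
        print(cidr)
```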

## 5\. (Optional) Create Gateway network policies

By default, all devices enrolled in your organization can SSH to the server unless you build Gateway network policies to allow or block specific users. You can create policies based on user identity, device posture, location, and other criteria.

Dashboard

1. Go to **Traffic policies** \> **Traffic settings**.
2. In **Proxy and inspection**, turn on **Allow Secure Web Gateway to proxy traffic**.
3. Select **TCP**.
4. Select **UDP** (required to proxy traffic to internal DNS resolvers).
5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#icmp) to allow ICMP traffic through `cloudflared`.

Terraform (v5)

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api%5Ftoken):  
   * `Zero Trust Write`
2. Turn on the TCP and/or UDP proxy using the [cloudflare\_zero\_trust\_device\_settings ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero%5Ftrust%5Fdevice%5Fsettings) resource:  
```  
resource "cloudflare_zero_trust_device_settings" "global_warp_settings" {  
  account_id                = var.cloudflare_account_id  
  gateway_proxy_enabled     = true  
  gateway_udp_proxy_enabled = true  
}  
```

Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client). For more information on how Gateway forwards traffic, refer to [Gateway proxy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/).

### Example policies

The following example consists of two policies: the first allows specific users to reach your SSH server, and the second blocks all other traffic.

#### Policy 1: Allow authorized users

1. Go to **Traffic policies** \> **Firewall policies** \> **Network**.
2. Select **Create a policy**.
3. Name your policy (for example, `Allow SSH to internal server`).
4. Create an expression to match your SSH hostname and authorized users:  
| Selector   | Operator | Value                                 |  
| ---------- | -------- | ------------------------------------- |  
| SNI        | in       | ssh.internal.local                    |  
| User Email | in       | admin@example.com, devops@example.com |
5. In **Action**, select **Allow**.
6. Select **Create policy**.

#### Policy 2: Catch-all block

To prevent Cloudflare One Client users from accessing your entire private network, we recommend creating a [catch-all Gateway block policy](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/create-policy/#catch-all-policy) for your private IP space. You can then layer on higher priority Allow policies (in either Access or Gateway) which grant users access to specific applications or IPs.

### Additional security with DNS policies

For an additional layer of protection, create a Gateway DNS policy to control DNS resolution:

1. Go to **Traffic policies** \> **Firewall Policies** \> **DNS**.
2. Select **Create a policy**.
3. Name your policy (for example, `Allow SSH hostname resolution`).
4. Create an expression:  
| Selector   | Operator | Value                                 |  
| ---------- | -------- | ------------------------------------- |  
| Host       | in       | ssh.internal.local                    |  
| User Email | in       | admin@example.com, devops@example.com |
5. In **Action**, select **Allow**.
6. Select **Create policy**.

SNI selector limitations

By default, SNI selectors only apply to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).

Additionally, SNI selectors will only apply to Cloudflare One Client traffic.

## 6\. Connect as a user

Once you have set up the tunnel route and the user device, the user can now SSH into the machine. If your SSH server requires an SSH key, the key should be included in the SSH command.

Terminal window

```
ssh -i ~/.ssh/gcp_ssh <username>@ssh.internal.local
```

The Cloudflare One Client must be connected to your Zero Trust organization. Users will be able to connect if they match the Gateway network policies you created.

### Troubleshooting

If you cannot connect, verify the following:

1. **Confirm DNS resolution** \- From the device, confirm that you can successfully resolve the private hostname:  
Terminal window  
```  
nslookup ssh.internal.local  
```  
```  
Server:    127.0.2.2  
Address:  127.0.2.2#53  
Non-authoritative answer:  
Name:  ssh.internal.local  
Address: 100.80.200.48  
```  
The query should resolve using [WARP's DNS proxy](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#dns-traffic) and return a Gateway initial resolved IP. If the query fails to resolve or returns a different IP, check your [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) configuration and [Gateway resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/).
2. **Check Gateway logs** \- Review your [Gateway network logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) to see if the connection is being blocked by a policy.
3. **Verify tunnel status** \- Confirm that your tunnel is healthy and connected by checking [tunnel status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/).
4. **Test connectivity to initial resolved IP** \- When you connect to the SSH server using its private hostname, the device should make a connection to the initial resolved IP:  
Terminal window  
```  
ssh -v <username>@ssh.internal.local  
```  
```  
...  
Authenticated to ssh.internal.local ([100.80.200.48]:22) using "publickey".  
...  
```  
Look for a line showing connection to an IP in the `100.64.0.0/10` range. If the request fails, confirm that the initial resolved IP [routes through the WARP tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/). You can also check your [tunnel logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) to confirm that requests are routing to the server's private IP.


---

---
title: SSH with Access for Infrastructure
description: SSH with Access for Infrastructure in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# SSH with Access for Infrastructure

[Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) provides granular control over how users can connect to your SSH servers. Like the [self-managed SSH keys](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client/) method, it uses the Cloudflare One Client on user devices and Cloudflare Tunnel on the server to create a secure, private connection through Cloudflare's network. Access for Infrastructure adds application-level policies with per-target and per-username controls, as well as SSH command logging.

Furthermore, Access for Infrastructure replaces traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH key pair and administrators grant access to individual SSH servers by deploying their users' public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates.

## 1\. Connect the server to Cloudflare

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Connectors** \> **Cloudflare Tunnels**.
2. [Create a new tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or edit an existing `cloudflared` tunnel.
3. In the **CIDR** tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.

## 2\. Set up the client

To connect your devices to Cloudflare:

1. [Deploy the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your devices in Traffic and DNS mode.
2. [Enable the Gateway proxy for TCP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy).
3. [Create device enrollment rules](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.

## 3\. Route server IPs through the Cloudflare One Client

By default, WARP excludes traffic bound for [RFC 1918 space ↗](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for the Cloudflare One Client to send traffic to your SSH server, you must configure [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that the IP/CIDR of your SSH server routes through the Cloudflare One Client.

1. First, check whether your [Split Tunnels mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
2. Edit your Split Tunnel routes depending on the mode:  
If you are using **Exclude** mode:  
a. [Delete the route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#remove-a-route) containing your SSH server's IP/CIDR range. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.  
b. [Re-add IP/CIDR ranges](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) that are not explicitly used by your SSH server. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through the Cloudflare One Client.  
The documentation page provides a CIDR calculator (not reproduced here) to determine which IP addresses to re-add:  
   1. In **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels.  
   2. In **Subtracted CIDRs**, enter the IP/CIDR range used by your SSH server.  
   3. Re-add the calculator results to your Split Tunnel Exclude mode list.  
By tightening the private IP range included in the Cloudflare One Client, you reduce the risk of breaking a user's [access to local resources](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion).  
If you are using **Include** mode:  
   1. Add the required [Zero Trust domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.  
   2. [Add a route](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#add-a-route) to include your SSH server's IP/CIDR range.
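
As an added example (not Cloudflare's code or the page's calculator), the following Python reproduces the Exclude-mode subtraction for the AWS case above with the standard library's `ipaddress` module, generalizes it to several subtracted ranges, and checks which destinations would still route through the Cloudflare One Client. The addresses are the page's own; the function names are my own.

```python
"""Exclude-mode Split Tunnel helper (added example, not Cloudflare's code).

Given the RFC 1918 range you deleted from the Split Tunnel exclude list and
the CIDR(s) your SSH server lives in, compute the ranges to re-add so that
only the server's range routes through the Cloudflare One Client. IPv4 only.
"""
import ipaddress
from typing import Iterable, List


def subtract_cidrs(base: str, subtracted: Iterable[str]) -> List[str]:
    """Return `base` minus every CIDR in `subtracted`, sorted, as CIDR strings.

    Subtracted ranges may be inside `base`, equal to it, or disjoint from it;
    disjoint ranges leave `base` untouched. Host bits must be zero (strict CIDR).
    """
    remaining = [ipaddress.ip_network(base, strict=True)]
    for cidr in subtracted:
        sub = ipaddress.ip_network(cidr, strict=True)
        kept = []
        for net in remaining:
            if sub.subnet_of(net):
                # Blocks of `net` that do not overlap `sub` (nothing if sub == net)
                kept.extend(net.address_exclude(sub))
            elif net.subnet_of(sub):
                continue  # net lies entirely inside the subtracted range: drop it
            else:
                kept.append(net)  # disjoint: unchanged
        remaining = kept
    return [str(net) for net in sorted(remaining)]


def address_count(cidrs: Iterable[str]) -> int:
    """Total number of addresses covered by the CIDRs (for tiling checks)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def routes_through_client(ip: str, exclude_routes: Iterable[str]) -> bool:
    """Exclude mode: a destination goes through the client unless an exclude route matches it."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(r) for r in exclude_routes)


if __name__ == "__main__":
    # The page's AWS example: default VPC range 172.31.0.0/16 inside 172.16.0.0/12
    base, server = "172.16.0.0/12", "172.31.0.0/16"
    re_add = subtract_cidrs(base, [server])
    print("Re-add to the Exclude list:", ", ".join(re_add))
    # The re-added ranges and the server range must tile the base range exactly
    assert address_count(re_add) + address_count([server]) == address_count([base])
    for ip in ("172.31.5.10", "172.20.1.1"):
        via = "Cloudflare One Client" if routes_through_client(ip, re_add) else "local network (excluded)"
        print(f"{ip} -> {via}")
```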

## 4\. Add a target

A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare.

Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. To create a new target: 

Using the dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Targets**.
2. Select **Add a target**.
3. In **Target hostname**, enter a user-friendly name for the target. We recommend using the server hostname, for example `production-server`. The target hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the targets secured by an Access application; they are not used for DNS address resolution.  
Hostname format restrictions  
   * Case insensitive  
   * Contain no more than 253 characters  
   * Contain only alphanumeric characters, `-`, or `.` (no spaces allowed)  
   * Start and end with an alphanumeric character
4. In **IP addresses**, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address.

Note

If the target IP does not appear in the dropdown, go to **Networks** \> **Routes** and confirm that the IP routes through Cloudflare Tunnel.

5. In the dropdown menu, select the IP address and [virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
6. Select **Add target**.

Using the API, make a `POST` request to the [Infrastructure Access Targets](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint:

Create new target

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "hostname": "infra-access-target",
    "ip": {
        "ipv4": {
            "ip_addr": "187.26.29.249",
            "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
            "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
            "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
    }
  }'
```

Using Terraform:

Provider versions

The following example requires Cloudflare provider version `>=4.45.0`.

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api%5Ftoken):  
   * `Zero Trust Write`
2. Configure the [cloudflare\_zero\_trust\_infrastructure\_access\_target ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Finfrastructure%5Faccess%5Ftarget) resource:  
```  
resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {  
  account_id = var.cloudflare_account_id  
  hostname   = "infra-access-target"  
  ip = {  
    ipv4 = {  
      ip_addr            = "187.26.29.249"  
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"  
    }  
    ipv6 = {  
      ip_addr            = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"  
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"  
    }  
  }  
}  
```

Next, create an Access application to secure the target.

## 5\. Add an infrastructure application

Using the dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Infrastructure**.
4. Enter any name for the application.
5. In **Target criteria**, select the target hostname(s) that you want to secure. This application definition will apply to all targets that share the selected hostname, including any targets added in the future. Similarly, if you later decide to change the hostname for a target, the renamed target will no longer be covered by this application.
6. Enter the **Protocol** and **Port** that will be used to connect to the server.
7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number.  
Note  
Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
8. Select **Next**.
9. To secure your targets, configure a policy that defines who can connect and how they can connect:  
   1. Enter any name for your policy.  
   2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and review the list of [infrastructure policy selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors).  
   3. In **Connection context**, configure the following settings:  
         * **SSH user**: Enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).  
         * **Allow users to log in as their email alias**: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, `Jdoe@company.com` could log in as `jdoe`.  
   Note  
   Cloudflare will not create new users on the target. UNIX users must already be present on the server.
10. Select **Add application**.

Using the API, make a `POST` request to the [Access applications](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/create/) endpoint:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Apps and Policies Write`

Add an Access application

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Example infrastructure app",
    "type": "infrastructure",
    "target_criteria": [
        {
            "target_attributes": {
                "hostname": [
                    "infra-access-target"
                ]
            },
            "port": 22,
            "protocol": "SSH"
        }
    ],
    "policies": [
        {
            "name": "Allow a specific email",
            "decision": "allow",
            "include": [
                {
                    "email": {
                        "email": "jdoe@company.com"
                    }
                }
            ],
            "connection_rules": {
                "ssh": {
                    "usernames": [
                        "root",
                        "ec2-user"
                    ]
                }
            }
        }
    ]
  }'
```

Using Terraform (v4):

Provider versions

The following example requires Cloudflare provider version `>=4.45.0`.

1. Add the following permission to your [cloudflare\_api\_token ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api%5Ftoken):  
   * `Access: Apps and Policies Write`
2. Use the [cloudflare\_zero\_trust\_access\_application ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Faccess%5Fapplication) resource to create an infrastructure application:  
```  
resource "cloudflare_zero_trust_access_application" "infra-app" {  
  account_id = var.cloudflare_account_id  
  name       = "Example infrastructure app"  
  type       = "infrastructure"  
  target_criteria {  
    port     = 22  
    protocol = "SSH"  
    target_attributes {  
      name = "hostname"  
      values = ["infra-access-target"]  
    }  
  }  
}  
```
3. Use the [cloudflare\_zero\_trust\_access\_policy ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero%5Ftrust%5Faccess%5Fpolicy) resource to add an infrastructure policy to the application:  
```  
resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {  
  application_id = cloudflare_zero_trust_access_application.infra-app.id  
  account_id = var.cloudflare_account_id  
  name       = "Allow a specific email"  
  decision   = "allow"  
  precedence = 1  
  include {  
    email = ["jdoe@company.com"]  
  }  
  connection_rules {  
    ssh {  
      usernames = ["root", "ec2-user"]  
    }  
  }  
}  
```

The targets in this application are now secured by your infrastructure policies.

## 6\. (Recommended) Configure network policies

Traffic from the Cloudflare One Client to your infrastructure targets is filtered by both [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/get-started/network/) and the application-specific Access policies.

### Catch-all block policy

To prevent Cloudflare One Client users from accessing your entire private network, we recommend creating a [catch-all Gateway block policy](https://developers.cloudflare.com/learning-paths/replace-vpn/build-policies/create-policy/#catch-all-policy) for your private IP space. You can then layer on higher priority Allow policies (in either Access or Gateway) which grant users access to specific applications or IPs.

### Allow Access infrastructure targets

By default, Cloudflare will evaluate Access application policies after evaluating all [Gateway network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/). To evaluate Access applications before or after specific Gateway policies:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Firewall policies**. In **Network**, [create a Network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) with the following configuration:  
| Selector                     | Operator | Value     | Action |  
| ---------------------------- | -------- | --------- | ------ |  
| Access Infrastructure Target | is       | _Present_ | Allow  |
2. Update the policy's [order of precedence](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) using the dashboard or API.

This Gateway policy will apply to all Access for Infrastructure targets, including RDP and SSH.

Note

Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.

## 7\. Configure SSH server

Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.

### Generate a Cloudflare SSH CA

Note

Other short-lived CAs, such as those used to [secure SSH servers behind Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/), are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the `gateway_ca` API endpoint.

To generate a Cloudflare SSH CA and get its public key:

Using the dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Service credentials** \> **SSH**.
2. Select **Add a certificate**.
3. Under **SSH with Access for Infrastructure**, select **Generate SSH CA**. A new row will appear in the short-lived certificates table called **SSH with Access for Infrastructure**.
4. Select the **SSH with Access for Infrastructure** certificate.
5. Copy its **CA public key**. You can return to copy this public key at any time.

Using the API:

1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions:  
| Type    | Item                 | Permission |  
| ------- | -------------------- | ---------- |  
| Account | Access: SSH Auditing | Edit       |
2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: SSH Auditing Write`

Add a new SSH Certificate Authority (CA)

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: SSH Auditing Write`
* `Access: SSH Auditing Read`

List SSH Certificate Authorities (CA)

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

4. Copy the `public_key` value returned in the response.

### Save the public key

1. Use the following command to change directories to the SSH configuration directory on the remote target machine:  
Terminal window  
```  
cd /etc/ssh  
```
2. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key.  
Terminal window  
```  
vim ca.pub  
```
3. In the `ca.pub` file, paste the public key without any modifications.  
ca.pub  
```  
ecdsa-sha2-nistp256 <redacted> open-ssh-ca@cloudflareaccess.org  
```  
The `ca.pub` file can hold multiple keys, listed one per line. Empty lines and comments starting with `#` are also allowed.
4. Save the `ca.pub` file. In some systems, you may need to use the following command to force the file to save depending on your permissions:  
Terminal window  
```  
:w !sudo tee %  
:q!  
```

### Modify your `sshd_config` file

Configure your SSH server to trust the Cloudflare SSH CA by updating the `sshd_config` file on the remote target machine.

1. While in the `/etc/ssh` directory on the remote machine, open the `sshd_config` file.  
Terminal window  
```  
 sudo vim /etc/ssh/sshd_config  
```
2. Press `i` to enter insert mode, then add the following lines at the top of the file, above all other directives:  
```  
PubkeyAuthentication yes  
TrustedUserCAKeys /etc/ssh/ca.pub  
```  
Be aware of your include statements  
If there are any include statements below these lines, the configurations in those files will not take precedence.
3. Press `esc` and then type `:x` and press `Enter` to save and exit.

Note

For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to `600`. You can set file permissions with the following command:

Terminal window

```
chmod 600 /etc/ssh/ca.pub
```
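
The following Python checks, added here and not part of Cloudflare's documentation or tooling, verify on copies of the two files what the steps above rely on: `ca.pub` holds well-formed OpenSSH public keys, the two directives sit above any `Include` (sshd keeps the first value it reads for a keyword, so a later Include cannot override them), and the file mode is `600` where required. The key body in the sample is a constructed placeholder, not a real Cloudflare CA key, and the function names are my own.

```python
"""Sanity checks for trusting the Cloudflare SSH CA on an OpenSSH server (added example, not Cloudflare's code).

ca.pub must hold well-formed OpenSSH public keys (one per line, comments and blank lines
allowed); PubkeyAuthentication and TrustedUserCAKeys must sit above any Include, because
sshd keeps the first value it reads for a keyword; on some systems ca.pub needs mode 0600.
"""
import re
import stat
from dataclasses import dataclass, field
from typing import List, Optional

# Key types OpenSSH accepts in a TrustedUserCAKeys file.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed sample in the format shown above; the base64 body is a placeholder, not a real key.
SAMPLE_CA_PUB = (
    "# Cloudflare SSH CA public key\n"
    "\n"
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY= open-ssh-ca@cloudflareaccess.org\n"
)
# Constructed sshd_config fragments: CA directives above the Include (good) and below it (bad).
SAMPLE_SSHD_CONFIG_GOOD = (
    "PubkeyAuthentication yes\n"
    "TrustedUserCAKeys /etc/ssh/ca.pub\n"
    "Include /etc/ssh/sshd_config.d/*.conf\n"
    "PasswordAuthentication no\n"
)
SAMPLE_SSHD_CONFIG_BAD = (
    "Include /etc/ssh/sshd_config.d/*.conf\n"
    "PubkeyAuthentication yes\n"
    "TrustedUserCAKeys /etc/ssh/ca.pub\n"
)


def check_ca_pub(text: str) -> List[str]:
    """Return the problems found in a ca.pub body; an empty list means it looks valid."""
    problems: List[str] = []
    keys = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split()
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            problems.append(f"line {lineno}: not an OpenSSH public key")
        elif not BASE64_RE.fullmatch(parts[1]):
            problems.append(f"line {lineno}: key body is not base64")
        else:
            keys += 1
    if keys == 0:
        problems.append("no CA public key found")
    return problems


@dataclass
class ConfigReport:
    pubkey_auth_line: Optional[int] = None
    trusted_ca_line: Optional[int] = None
    first_include_line: Optional[int] = None
    problems: List[str] = field(default_factory=list)


def check_sshd_config(text: str, ca_path: str = "/etc/ssh/ca.pub") -> ConfigReport:
    """Locate the CA directives and flag any that an earlier Include could override."""
    report = ConfigReport()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "include" and report.first_include_line is None:
            report.first_include_line = lineno
        elif keyword == "pubkeyauthentication" and report.pubkey_auth_line is None:
            report.pubkey_auth_line = lineno
            if value.lower() != "yes":
                report.problems.append(f"line {lineno}: PubkeyAuthentication is {value!r}, not yes")
        elif keyword == "trustedusercakeys" and report.trusted_ca_line is None:
            report.trusted_ca_line = lineno
            if value != ca_path:
                report.problems.append(f"line {lineno}: TrustedUserCAKeys is {value!r}, expected {ca_path!r}")
    if report.pubkey_auth_line is None:
        report.problems.append("PubkeyAuthentication yes is missing")
    if report.trusted_ca_line is None:
        report.problems.append("TrustedUserCAKeys is missing")
    inc = report.first_include_line
    for name, line in (("PubkeyAuthentication", report.pubkey_auth_line),
                       ("TrustedUserCAKeys", report.trusted_ca_line)):
        if inc is not None and line is not None and line > inc:
            report.problems.append(f"{name} (line {line}) is below Include (line {inc}) and can be overridden")
    return report


def mode_is_600(st_mode: int) -> bool:
    """True when the permission bits of a stat() st_mode (os.stat(path).st_mode) are exactly 0600."""
    return stat.S_IMODE(st_mode) == 0o600
```

Run `check_ca_pub` and `check_sshd_config` on the contents of `/etc/ssh/ca.pub` and `/etc/ssh/sshd_config`, and pass `os.stat("/etc/ssh/ca.pub").st_mode` to `mode_is_600` where the distribution requires that mode.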

### Reload your SSH server

Once you have modified your `sshd` configuration, reload the SSH service on the remote machine for the changes to take effect.


For Debian/Ubuntu:

Terminal window

```
sudo systemctl reload ssh
```

For CentOS/RHEL 7 and newer:

Terminal window

```
sudo systemctl reload sshd
```

## 8\. Connect as a user

Users can use any SSH client to connect to the target, as long as they are logged into the Cloudflare One Client on their device. If the target is located within a particular virtual network, ensure that the Cloudflare One Client is [connected to that virtual network](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:

Terminal window

```
ssh <username>@<target IP>
```

Access for Infrastructure also supports `scp`, `sftp`, and `rsync` commands. Refer to [Known limitations](#known-limitations) for a list of unsupported SSH commands and features.

To learn more about user connections, refer to the [Access for Infrastructure documentation](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#4-connect-as-a-user).

## SSH command logs

SSH command logs contain the actual SSH commands that a user ran on the target. Customers on all plans can store SSH logs on Cloudflare and download the logs from the dashboard. [Downloadable logs](#download-encrypted-ssh-logs) are encrypted using a public key provided by the customer and are not visible to Cloudflare. Delivery of downloadable SSH logs is best effort; for guaranteed delivery, Enterprise customers can [configure a Logpush job](#export-ssh-logs-with-logpush) to send SSH logs to storage destinations. Logpush payloads are not encrypted with a customer-provided public key.

### Download encrypted SSH logs

Follow these instructions to encrypt and download SSH command logs from Zero Trust.

#### Enable SSH command logging

To log SSH commands, you will need to generate an HPKE key pair and upload the public key to Cloudflare.

1. [Download ↗](https://github.com/cloudflare/ssh-log-cli/releases/latest/) the Cloudflare `ssh-log-cli` utility.
2. Using the `ssh-log-cli` utility, generate a public and private key pair.  
Terminal window  
```  
./ssh-log-cli generate-key-pair -o sshkey  
ls  
```  
```  
README.md    ssh-log-cli    sshkey    sshkey.pub  
```  
This command outputs two files, an `sshkey.pub` public key and a matching `sshkey` private key.
3. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
4. In **SSH log encryption public key**, paste the contents of `sshkey.pub` and select **Save**.

All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to view logs.

#### Disable SSH command logging

To turn off SSH command logging, delete your uploaded public key:

Using the dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings** \> **SSH log encryption public key**.
2. Select **Remove**.
3. Select **Remove key** to confirm.

Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to [Gateway Audit SSH](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/ssh-logging/) policies.

To delete the SSH encryption public key using the [API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/audit%5Fssh%5Fsettings/methods/update/):

Update Zero Trust SSH settings

```

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/audit_ssh_settings" \

  --request PUT \

  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \

  --json '{

    "public_key": ""

  }'


```

#### View SSH logs

SSH command logs are not visible from the dashboard itself and must be exported and decrypted.

To manually retrieve logs:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Logs**.
2. Select **SSH command logs**.
3. Filter the logs using the name of your [SSH application](#5-add-an-infrastructure-application).
4. Select the SSH session for which you want to export command logs.
5. In the side panel, scroll down to **SSH logs** and select **Download**.
6. To decrypt the log, follow the instructions in the [SSH Logging CLI repository ↗](https://github.com/cloudflare/ssh-log-cli/). In the following example, `sshkey` is the private key that matches the public key uploaded to Cloudflare.

   ```
   ./ssh-log-cli decrypt -i sshlog -k sshkey
   ```

   This command outputs a `sshlog-decrypted.zip` file with the decrypted logs.

### Export SSH logs with Logpush

**Availability:** Only available on Enterprise plans.

Cloudflare allows you to send SSH command logs to storage destinations configured in [Logpush](https://developers.cloudflare.com/logs/logpush/), including third-party destinations. For a list of available data fields, refer to the [SSH logs dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/ssh%5Flogs/).

To set up the Logpush job, refer to [Logpush integration](https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/).

## Known limitations

### SSH features

The following SSH features are not supported:

* Local and remote port forwarding
* SSH agent forwarding
* X11 forwarding

### Session duration

SSH sessions have a maximum expected duration of 10 hours. For more information, refer to [Troubleshoot Access](https://developers.cloudflare.com/cloudflare-one/access-controls/troubleshooting/#long-lived-ssh-sessions-disconnect).

## Troubleshooting

Failure to connect to your SSH endpoint could be the result of multiple variables. Use the following steps to investigate and resolve the source of your connection failure.

1. [Verify that your Access policies](#1-review-access-policies) allow the user to access the target.
2. [Check Cloudflare Tunnel](#2-check-target-machine-connection) health.
3. [Confirm user existence](#3-confirm-user-existence-on-the-target-server) on the server.
4. [Check your sshd\_config file](#4-debug-sshd%5Fconfig-file-misconfiguration) for misconfiguration.

### 1\. Review Access policies

A user may be blocked by an Access policy from reaching your server because no explicit allow Access policy exists and Access is set to deny the user by default.

Access policies and infrastructure applications

The Access infrastructure application (created in [step 5](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#5-add-an-infrastructure-application)) is the policy container for your SSH server. Cloudflare refers to your server that you connect to with SSH as a [target](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#4-add-a-target).

[Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) are the rules attached to this Access infrastructure application, determining who can connect and what UNIX usernames they can log in as on the server. Cloudflare will not create new users on the target. UNIX users must already be present on the server.

You were guided to create an Access policy for your target in [substep 9 of step 5: Add an infrastructure application](#5-add-an-infrastructure-application).

#### End users

As an end user, run [warp-cli target list](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#display-available-targets) to verify that you have access to the target.

```
warp-cli target list
```

```
╭──────────────────────────────────────┬──────────┬───────┬───────────────────────┬──────────────────────┬────────────╮
│ Target ID                            │ Protocol │ Port  │ Attributes            │ IP (Virtual Network) │ Usernames  │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 0193f22a-9df3-78e3-b5bb-7ab631903306 │ SSH      │ 22    │ hostname: do-target   │ 10.116.0.3 (a1net)   │ alice      │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 0193f22a-9df3-78e3-b5bb-7ab631903306 │ SSH      │ 23    │ hostname: do-target   │ 10.116.0.3 (a1net)   │ root       │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 01943cff-6130-7989-8bff-cbc02b59a2b1 │ SSH      │ 80    │ hostname: az-target   │ 172.16.0.0 (b1net)   │ alice, bob │
╰──────────────────────────────────────┴──────────┴───────┴───────────────────────┴──────────────────────┴────────────╯
```

* If the target appears in the list, confirm that the username you are attempting to connect with is shown in the output. If the username is not shown, an administrator must find the Access policy associated with the target and add that username to the Access policy. An administrator should have created an Access policy in [substep 9 of step 5: Add an infrastructure application](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#5-add-an-infrastructure-application). If the username is shown, that means the Access policy should be granting access and you should ensure that the tunnel is healthy in [step 2](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#2-check-target-machine-connection).
* If the target does not appear in the list, an administrator must audit the Access policies for the target in Cloudflare One for potential misconfiguration that may be blocking connection.

#### Administrators

As an admin, instead of running `warp-cli target list` on the end user device, you can use the Access logs to review if an Access policy is causing connection issues. Reviewing logs is useful when troubleshooting connection issues on behalf of the end user.

**Note:** You will need Cloudflare dashboard access and log view [permissions](https://developers.cloudflare.com/cloudflare-one/roles-permissions/) to proceed with this step.

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Logs**.
2. Select **Access authentication logs**.
3. Select the application you are testing or filter _Infrastructure_ as the App Type.
4. Review the **Decision**. If the **Decision** is `Access denied`, select the application and copy the name under App.  
If the decision is `Access granted`, Access policies are not interfering with your connection attempts and your connection issue is due to the Cloudflare Tunnel ([step 2](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#2-check-target-machine-connection)), the SSH server ([step 3](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#3-confirm-user-existence-on-the-target-server)), or the `sshd_config` file ([step 4](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#4-debug-sshd%5Fconfig-file-misconfiguration)).
5. Go to **Access controls** \> **Applications**.
6. Input the app name in the search bar and select the application.
7. Select **Configure**.
8. Go to [**Policies**](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#test-your-policies) to review what criteria may be blocking the user.

By adding an Access [policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to allow the user, the connection issue should be resolved. After saving your policy changes, attempt to connect to the server.

If you are still having connection issues after auditing your Access policies, review tunnel health in the following step.

### 2\. Check target connection

If the end user cannot connect to the target, the tunnel you set up in [step 1: Connect the server to Cloudflare](#1-connect-the-server-to-cloudflare) may be down or inactive.

To check the status of your tunnel:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Networks** \> **Routes**.
2. Search your IP to find the tunnel associated with the IP.  
This IP will be visible in the `warp-cli target list` output in [the previous step](#1-review-access-policies). If you are an admin, you can also go to **Networks** \> **Targets** and find the IP next to your Hostname.
3. Copy the tunnel name.
4. Go to **Networks** \> **Connectors** \> **Cloudflare Tunnels** and search by your tunnel name.
5. Review that the [Tunnel status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/notifications/#available-notifications) says `Active`, and not `Down`, `Degraded`, or `Inactive`.

| Status | Meaning | Recommended Action |
| --- | --- | --- |
| **Healthy** | The tunnel is active and serving traffic through four connections to the Cloudflare global network. | No action is required. Your tunnel is running correctly. |
| **Inactive** | The tunnel has been created (via the API or dashboard) but the cloudflared connector has never been run to establish a connection. | Run the tunnel as a service (recommended) or use the cloudflared tunnel run command on your origin server to connect the tunnel to Cloudflare. Refer to [substep 6 of step 1 in the Create a Tunnel dashboard guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#1-create-a-tunnel) or step 4 in the [Create a Tunnel API guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel). |
| **Down** | The tunnel was previously connected but is currently disconnected because the cloudflared process has stopped. | 1\. Ensure the cloudflared [service](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/as-a-service/) or process is actively running on your server. 2\. Check for server-side issues, such as the machine being powered off, an application crash, or recent network changes. |
| **Degraded** | The cloudflared connector is running and the tunnel is serving traffic, but at least one individual connection has failed. Further degradation in [tunnel availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) could risk the tunnel going down and failing to serve traffic. | 1\. Review your cloudflared [logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) for connection failures or error messages. 2\. Investigate local network and firewall rules to ensure they are not blocking connections to the [Cloudflare Tunnel IPs and ports](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/). |

For detailed steps on troubleshooting, refer to the [Troubleshooting Tunnel documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/). Review the [Tunnel with Firewall documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#test-connectivity) to ensure your network is correctly configured to allow `cloudflared` connections.

After you have verified that there are no issues with your tunnel's health, confirm the user's existence on the server in the following step.

### 3\. Confirm user existence on the server

To verify that a user exists on a UNIX server, run `id <USERNAME>` on the server. If the username does not exist, you must add the user to the server.

If the user exists on the server, debug your `sshd_config` file in the following step.

### 4\. Debug `sshd_config` file misconfiguration

A user may fail to connect to your SSH endpoint because of a misconfigured `sshd_config` file. Follow the steps below to audit your `sshd_config` file for misconfigurations.

#### Review your `sshd` logs

`sshd` logs can confirm whether or not the user is making it to the server. The location of your `sshd` logs is defined in your `sshd_config`. You can typically read them with `journalctl -u ssh` on Ubuntu and `tail /var/log/auth.log` on Red Hat.

Using your `sshd` logs, validate that SSH connection attempts are arriving to the server.

#### Review your `sshd_config` file for misconfigurations

To rule out any issues in your `sshd_config` file, compare your existing `sshd_config` file with the example below to check whether any directives are causing authentication issues. The following example `sshd_config` file results in successful authentication. It is intended for troubleshooting only: it enables `DEBUG3` logging, `PermitRootLogin yes` and `X11Forwarding yes`, so restore your backed-up configuration once the problem is found.

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub

Include /etc/ssh/sshd_config.d/*.conf

# When systemd socket activation is used (the default), the socket
# configuration must be re-generated after changing Port, AddressFamily, or
# ListenAddress.
#
# For changes to take effect, run:
#
#   systemctl daemon-reload
#   systemctl restart ssh.socket
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin yes".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem    sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server
```

#### Replace and test with example configuration

The next steps will walk you through a troubleshooting regimen. You will temporarily replace your existing `sshd_config` file with the provided example to rule out configuration issues. Before proceeding, carefully [review and compare both files](#review-your-sshd%5Fconfig-file-for-misconfigurations) to identify any conflicting directives.

**You may lose access to your server.** These troubleshooting steps could result in you being locked out of your SSH server because your current SSH session may rely on existing configuration that is not in the [example file](#review-your-sshd%5Fconfig-file-for-misconfigurations). Proceed with utmost caution.

1. Back up the existing `sshd_config` file.

   ```
   mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
   ```
2. Create a new `sshd_config` file.

   ```
   vi /etc/ssh/sshd_config
   ```
3. Enter insert mode by pressing the `i` key on your keyboard.
4. Paste in the [example file](#review-your-sshd%5Fconfig-file-for-misconfigurations).
5. Exit insert mode by pressing the escape (`esc`) key.
6. Enter `:x` to save and exit.
7. [Reload](#reload-your-ssh-server) your SSH server.

   **Do not restart.** Restarting your `sshd` service will terminate your current SSH connection. Reload instead of restarting to avoid terminating all currently open SSH sessions. Once you have modified your `sshd` configuration, reload the SSH service on the remote machine for the changes to take effect.

   For Debian/Ubuntu:

   ```
   sudo systemctl reload ssh
   ```

   For CentOS/RHEL 7 and newer:

   ```
   sudo systemctl reload sshd
   ```

By completing all four troubleshooting steps, you should have resolved any connection issues caused by misconfiguration of the SSH server. If issues persist, [recheck sshd logs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#review-your-sshd-logs). The example [sshd\_config shared above](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#review-your-sshd%5Fconfig-file-for-misconfigurations) enables debug logging and may expose more specific issues.
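As an added example (not Cloudflare's code or tooling), the following POSIX shell script performs the server-side checks from steps 3 and 4 in one pass: it runs the same `id` lookup and audits an `sshd_config` for the directives that certificate-based Access logins depend on, applying the first-value-wins rule that `sshd` uses when a keyword appears more than once. The file paths and the two configurations it builds are constructed for the demonstration and are assumptions, not real server state.

```shell
#!/bin/sh
# Added example, not Cloudflare's code: a server-side preflight for steps 3 and 4.
# It checks that the UNIX user exists and that the sshd_config given on the
# command line carries the directives Access for Infrastructure needs
# (PubkeyAuthentication not disabled, TrustedUserCAKeys set and readable).
# It reads only the single file it is given and expects "Keyword value" lines;
# Include'd files are not followed, so for the merged, effective configuration
# run `sshd -T` as root on the server.

# Print the value of a top-level sshd_config keyword. sshd keeps the FIRST
# value it sees for a keyword and ignores later ones, and directives below a
# Match block are conditional, so scanning stops at the first Match line.
sshd_directive() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        $0 ~ /^[ \t]*#/ || NF == 0 { next }            # comment or blank line
        tolower($1) == "match"     { exit }            # start of a conditional section
        tolower($1) == key         { print $2; exit }  # first occurrence wins
    ' "$2"
}

# Returns 0 when the user exists on this host, 1 otherwise (same check as step 3).
unix_user_exists() {
    id "$1" >/dev/null 2>&1
}

# Audits the sshd_config at $1, printing one line per finding.
# Returns 0 when no blocking problem is found, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }

    pubkey=$(sshd_directive PubkeyAuthentication "$cfg")
    ca=$(sshd_directive TrustedUserCAKeys "$cfg")
    root=$(sshd_directive PermitRootLogin "$cfg")

    # Access for Infrastructure logs in with a short-lived SSH certificate,
    # which sshd treats as public key authentication.
    if [ "$pubkey" = "no" ]; then
        echo "BLOCKING: PubkeyAuthentication no (certificate logins are rejected)"
        rc=1
    fi

    # Without TrustedUserCAKeys, sshd has no reason to trust the Cloudflare CA.
    if [ -z "$ca" ]; then
        echo "BLOCKING: TrustedUserCAKeys is not set"
        rc=1
    elif [ ! -r "$ca" ]; then
        echo "BLOCKING: TrustedUserCAKeys points at $ca, which is missing or unreadable"
        rc=1
    fi

    # Informational: a policy that allows the 'root' username still fails
    # when sshd refuses root logins entirely.
    if [ "$root" = "no" ]; then
        echo "WARNING: PermitRootLogin no (Access policies allowing 'root' will fail)"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cfg allows certificate-based logins"
    return "$rc"
}

# Demonstration on constructed input (not a real server configuration).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'ssh-ed25519 AAAA-constructed-placeholder-ca-key\n' > "$demo_dir/ca.pub"

# Mirrors the page's example: the two directives appear before the Include line,
# and the Match block at the end must not influence the top-level values.
cat > "$demo_dir/good_sshd_config" <<EOF
PubkeyAuthentication yes
TrustedUserCAKeys $demo_dir/ca.pub
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
Match User anoncvs
    PubkeyAuthentication no
EOF

# Constructed broken file: key auth disabled, no CA, and a later
# "PubkeyAuthentication yes" that sshd ignores because the first value wins.
cat > "$demo_dir/bad_sshd_config" <<EOF
# PasswordAuthentication yes
PubkeyAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF

audit_sshd_config "$demo_dir/good_sshd_config"            # prints OK
audit_sshd_config "$demo_dir/bad_sshd_config" || true     # two BLOCKING lines, one WARNING
unix_user_exists root && echo "user root exists on this host"
```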

### 5\. Get help

For the fastest possible troubleshooting, ensure your support ticket includes comprehensive details. The more context you provide, the faster your issue can be identified and resolved.

To ensure efficient resolution when [contacting support](https://developers.cloudflare.com/support/contacting-cloudflare-support/), include as much relevant detail as possible in your ticket:

* Context: Briefly describe the scenario or use case (for example, where the user was, what they were trying to do).
* Reproduction steps: Describe the steps you took to reproduce the issue during troubleshooting.
* Timestamps: Be specific and include the exact time and time zone when the issue occurred.
* Troubleshooting attempts: Outline any troubleshooting steps or changes already attempted to resolve the issue.
* `sshd` debug-level logs: Attach the `sshd` logs you collected in [step 4: Debug sshd\_config file misconfiguration](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#review-your-sshd-logs).
* `sshd_config` file: Include a copy of your server's `sshd_config` to help identify any misconfigurations or conflicting directives.
* Client-side SSH output: Run the failing SSH command with verbose flags (`-vvv`) and include the full terminal output to show connection and authentication attempts from the client side.

**Write a detailed ticket to resolve your issue faster.** Avoid vague descriptions and include scenario, timestamps, and steps taken to troubleshoot the issue. Refer to the following example:

On October 30, 2025, at approximately 3:45 PM UTC, Alice attempted to SSH into 10.116.0.3 (target hostname: prod-db-01) using Access for Infrastructure. The SSH client returned `Permission denied (none)` despite her email being included in the Access policy.

The `sshd` logs (captured with LogLevel DEBUG3) are attached and show the connection reaching the server but failing at the certificate validation step. The user exists on the server (`id alice` verified).

The `sshd_config` file and `ssh -vvv alice@10.116.0.3` output are attached. The tunnel status is Healthy in the Cloudflare dashboard, and Access authentication logs show a successful `Access granted` decision.


---

---
title: Render a VNC client in the browser
description: Render a VNC client in the browser in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Render a VNC client in the browser

A Virtual Network Computer (VNC) server provides users with remote access to a computer's desktop environment. Cloudflare can render a VNC terminal in the browser without any client-side software or configuration.

Browser-rendered VNC requires connecting the VNC server to Cloudflare and routing traffic through a public hostname. To access the VNC server, users go to the public hostname URL and log in through Cloudflare Access using your configured identity provider. Cloudflare will apply your [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and, when a user is allowed, render a VNC client in their browser.

Note

There are a number of different VNC server versions, deployments, and instances. This guide uses TightVNC running an XFCE desktop, but browser-rendered VNC will work with most configurations.

## Prerequisites

* An [active domain on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/).
* The domain uses either a [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) or a [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/).

## 1\. Set up a VNC server

For demonstration purposes, we will create a TightVNC server on an Ubuntu virtual machine (VM) hosted in Google Cloud Project (GCP). We will configure the VNC server to run XFCE, a lightweight desktop environment suitable for remote access. If you already have a VNC server installed, you can skip this step and [go to Step 2](#2-connect-the-server-to-cloudflare).

1. Open a terminal window for your Ubuntu VM.
2. Install XFCE and TightVNC by running the following command:

   ```
   sudo apt update
   sudo apt install xfce4 xfce4-goodies dbus-x11 tightvncserver -y
   ```

   This command installs the desktop, some helpful utilities, and the VNC server software.
3. To initialize the VNC server:
   1. Create a VNC server instance:

      ```
      vncserver
      ```
   2. You will be prompted to set a password. This password will be used to connect to your VNC server. It is limited to 8 characters.
      TightVNC will now create configuration files and start a VNC session on display `:1` (which uses port `5901`).
   3. You will be asked if you want to create a view-only password. You can press `n` for no.
   4. Kill this initial session so that you can edit its configuration:

      ```
      vncserver -kill :1
      ```
4. Configure VNC to launch the XFCE desktop:
   1. Create a VNC configuration directory if it is missing:

      ```
      mkdir -p ~/.vnc
      ```
   2. Open the `xstartup` file using a text editor. For example:

      ```
      vim ~/.vnc/xstartup
      ```
   3. Update the file to the following configuration:

      ```
      #!/bin/sh
      unset SESSION_MANAGER
      unset DBUS_SESSION_BUS_ADDRESS
      startxfce4
      ```
   4. Make the file executable:

      ```
      chmod +x ~/.vnc/xstartup
      ```
5. Start the VNC server again:

   ```
   vncserver -localhost :1
   ```

   The `-localhost` flag ensures the VNC server only listens for connections from the VM itself, not from the public Internet. Your VNC server is now running on port `5901`, but it is only accessible from `localhost` (`127.0.0.1`) inside the VM.
6. (Recommended) Test the VNC server with an existing VNC client to verify any missing packages or configuration changes. For example, to test a VNC server hosted on GCP:
   1. Open a terminal on the client machine.
   2. Connect to the VNC server over SSH, forwarding your local port `5901` to the VNC server's listening port:

      ```
      gcloud compute ssh [YOUR_VM_NAME] --zone=[YOUR_ZONE] -- -L 5901:localhost:5901
      ```
   3. Open your preferred VNC viewer application.
   4. In the VNC viewer, connect to the address `localhost:5901` and enter your VNC server password.

   You should see the Ubuntu VM desktop.
7. (Optional) Configure the VNC server to start on boot:
   1. Find the full path to the `vncserver` command:

      ```
      which vncserver
      ```

      ```
      /usr/bin/vncserver
      ```
   2. Create a new service configuration file:

      ```
      sudo vim /etc/systemd/system/vncserver@.service
      ```
   3. Copy and paste the following content. Replace `[YOUR_USERNAME]` with the VNC server user. If needed, update `/usr/bin/vncserver` to your `vncserver` path.

      ```
      [Unit]
      Description=Start TightVNC server at startup
      After=syslog.target network.target

      [Service]
      Type=forking
      User=[YOUR_USERNAME]
      WorkingDirectory=/home/[YOUR_USERNAME]
      PIDFile=/home/[YOUR_USERNAME]/.vnc/%H:%i.pid
      ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
      ExecStart=/usr/bin/vncserver -localhost :%i
      ExecStop=/usr/bin/vncserver -kill :%i

      [Install]
      WantedBy=multi-user.target
      ```
   4. Reload `systemd` to read in the new service file:

      ```
      sudo systemctl daemon-reload
      ```
   5. Enable the service to start at boot:

      ```
      sudo systemctl enable vncserver@1.service
      ```

      The `1` variable configures the VNC service to use display `:1` (which runs on port `5901`).
   6. By default, `systemd` user services only run when that user is logged in. To allow your VNC service to start on boot (before you log in), enable user linger for your user:

      ```
      sudo loginctl enable-linger [YOUR_USERNAME]
      ```
   7. Start the service:

      ```
      sudo systemctl start vncserver@1.service
      ```
   8. Check its status:

      ```
      sudo systemctl status vncserver@1.service
      ```

   The VNC server will now start automatically every time the VM boots.

## 2\. Connect the server to Cloudflare

1. Create a Cloudflare Tunnel by following the [dashboard setup guide](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
2. Go to **Networks** \> **Connectors**. Select your tunnel and select **Edit**.
3. Select the **Published application routes** tab, then select **Add a published application route**.
4. Choose a domain from the drop-down menu and specify any subdomain (for example, `vnc.example.com`).
5. For **Service**, select _TCP_ and enter `localhost:5901`. If the VNC server is on a different machine from where you installed the tunnel, enter `<SERVER_IP>:5901`.  
Replace `5901` with your VNC server's listening port. To determine your VNC listening port, run `sudo ss -lnpt` and look for `vnc` in the list of processes.
6. Save the route.

Your VNC server is now ready to accept inbound requests from Cloudflare.
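A check for the `-localhost` setting from the server setup, as an added example that is not part of the Cloudflare tutorial: it parses the output of the `sudo ss -lnpt` command used above to find the VNC port and flags any VNC listener bound to something other than a loopback address, so the tunnel is the only way in. The sample `ss` rows and the process name `Xtightvnc` are constructed.

```python
"""Verify that the VNC server listens on loopback only.

Added example, not part of the Cloudflare tutorial. `vncserver -localhost`
should leave port 5901 reachable only from 127.0.0.1 or ::1; this parses
`sudo ss -lnpt` output (the command the tutorial uses to find the VNC port)
and reports any VNC listener bound to a non-loopback address.
"""
import ipaddress
import subprocess

# Constructed sample of `sudo ss -lnpt` output: display :1 correctly bound to
# loopback (IPv4 and IPv6) and a misconfigured display :2 bound to all
# interfaces. The Process column is only populated when run as root.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*          users:(("Xtightvnc",pid=1234,fd=7))
LISTEN  0       5       [::1]:5901          [::]:*             users:(("Xtightvnc",pid=1234,fd=8))
LISTEN  0       5       0.0.0.0:5902        0.0.0.0:*          users:(("Xtightvnc",pid=1235,fd=7))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=800,fd=3))
"""


def _is_loopback(addr):
    """True only for a concrete loopback address; '*' and 0.0.0.0 mean all interfaces."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_ss_listeners(ss_output):
    """Parse `ss -lnpt` rows into dicts with addr, port, process and loopback."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or an unexpected row
        addr, _, port = fields[3].rpartition(":")  # IPv6 is written [addr]:port
        if not port.isdigit():
            continue
        addr = addr.strip("[]")
        listeners.append({
            "addr": addr,
            "port": int(port),
            "process": fields[5] if len(fields) > 5 else "",  # empty without root
            "loopback": _is_loopback(addr),
        })
    return listeners


def vnc_listeners(ss_output):
    """Listeners whose process name contains 'vnc', as the tutorial looks for."""
    return [l for l in parse_ss_listeners(ss_output) if "vnc" in l["process"].lower()]


def exposed_vnc_listeners(ss_output, port=None):
    """VNC listeners reachable from off-box; `port` narrows it to one display."""
    return [l for l in vnc_listeners(ss_output)
            if not l["loopback"] and (port is None or l["port"] == port)]


def check_host(port=5901):
    """Run ss on this host (root needed for process names) and return exposed listeners."""
    out = subprocess.run(["ss", "-lnpt"], capture_output=True, text=True, check=True).stdout
    return exposed_vnc_listeners(out, port)


if __name__ == "__main__":
    for l in exposed_vnc_listeners(SAMPLE_SS_OUTPUT):
        print("EXPOSED: %s:%d %s" % (l["addr"], l["port"], l["process"]))
```

Run `check_host()` on the VM after step 5 of the server setup; an empty list means port 5901 is only reachable through the tunnel.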

## 3\. Create an Access application for VNC

Create a Cloudflare Access application that users can access through their browser:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**.
2. Select **Create new application**.
3. Select **Self-hosted and private**.
4. Select **Add public hostname** and enter your published application hostname (`vnc.example.com`).
5. Turn on **Allow access through browser-based RDP, SSH, or VNC sessions**, then select _VNC_.
6. Under **Access policies**, add an existing policy or [create a new policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application. All Access applications are deny by default: a user must match an Allow policy before they are granted access.  
Note  
Ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
7. Select **Create**.

## 4\. Connect as a user

Users can now access the remote desktop environment directly in their web browser without installing any VNC client software.

To connect to the VNC server:

1. Open a browser and go to the public hostname URL (for example, `https://vnc.example.com`).
2. Log in to Cloudflare Access with your configured identity provider.
3. Enter the VNC server password.

You should see the remote VNC server desktop rendered in your browser. All connections are secured through Cloudflare's network, and access is controlled by your Access policies.


---

---
title: Cloudflare WAN
description: Overview of Cloudflare WAN in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Cloudflare WAN

Connect and secure your entire corporate network through Cloudflare, replacing MPLS circuits and hub-and-spoke routing with cloud-native networking.

Enterprise-only

Cloudflare WAN (formerly Magic WAN) connects your data centers, offices, and cloud resources through Cloudflare's global network. Instead of backhauling traffic through a central data center or maintaining dedicated MPLS circuits at every site, your traffic routes through the nearest Cloudflare data center where security policies apply inline.

Cloudflare WAN provides secure, performant [routing ↗](https://www.cloudflare.com/learning/network-layer/what-is-routing/) for your entire corporate network. [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/) integrates with Cloudflare WAN, enabling you to enforce network firewall policies at Cloudflare's global network, across traffic from any entity within your network.

You connect your sites to Cloudflare through on-ramps — tunnels or direct connections from your network to Cloudflare. Cloudflare WAN supports any device that uses anycast GRE or IPsec tunnels. Refer to [On-ramps](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/on-ramps/) for a full list of supported on-ramps.

Refer to [WAN transformation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/wan-transformation/) to compare approaches and plan your migration, or go straight to [get started](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/get-started/).

---

## Features

### Connect your network automatically

Use Cloudflare One Appliance to automatically connect and steer any IP traffic.

[Use Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/)

### Connect your network manually

Set up Cloudflare WAN with your existing routers and firewalls. If you do not have Cloudflare One Appliance, start here to configure IPsec or GRE tunnels from a third-party device.

[Use a third-party device](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/third-party/)

### Zero Trust integration

Learn how you can use Cloudflare WAN with other Cloudflare Zero Trust products.

[Integrate with other Zero Trust products](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/)

### BGP peering (beta)

Use Border Gateway Protocol (BGP) peering between your networks and Cloudflare to automatically announce and withdraw routes as your network changes, rather than managing static routes manually.

[Use BGP peering (beta)](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/how-to/configure-routes/#configure-bgp-routes)

### WAN transformation

Replace MPLS circuits and hub-and-spoke routing with cloud-native networking. Compare WAN approaches and plan an incremental migration.

[Plan your migration](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/wan-transformation/)

### Virtual networks

Understand how virtual networks provide routing isolation within your Cloudflare account, keeping traffic separated between environments, partners, or applications.

[Learn about virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/virtual-networks/)

---

## Related products

**[Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/)** 

Cloudflare Network Firewall is a firewall-as-a-service (FWaaS) that filters traffic at layers 3 and 4 across Cloudflare's global network. Included with Cloudflare WAN.

**[Cloudflare Network Interconnect](https://developers.cloudflare.com/network-interconnect/)** 

Cloudflare Network Interconnect (CNI) provides a private, dedicated connection between your network and Cloudflare instead of routing over the public Internet. Use CNI when you need lower latency or more consistent performance than tunnel-based connectivity.

**[Load Balancing](https://developers.cloudflare.com/load-balancing/)** 

Cloudflare Load Balancing distributes traffic across your endpoints, which reduces endpoint strain and latency and improves the experience for end users.

---

## More resources

[Reference Architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) 

Explore the architecture of Cloudflare One as a SASE platform, including how Cloudflare WAN handles connectivity, routing, and security.


---

---
title: Analytics
description: Use Cloudflare WAN's different analytic options for an overview of the performance of your sites, or to troubleshoot potential issues.
image: https://developers.cloudflare.com/zt-preview.png
---

# Analytics

Use Cloudflare WAN (formerly Magic WAN) analytics to monitor site performance and troubleshoot issues.

Use these options to gather information at the start of your troubleshooting workflow. Then, use more detailed network data collection and analysis to identify the root cause.

* View your entire network at a glance in [Network overview](#network-overview)
* Analyze network traffic over time in [Network Analytics](#network-analytics)
* Perform more detailed troubleshooting with:  
   * [Traceroutes](#traceroutes)  
   * [Packet captures](#packet-captures)

## Network overview

Network overview shows the connectivity status and traffic analytics for all Cloudflare WAN sites. Use it when you receive an alert, start troubleshooting, or perform routine monitoring.

For details, refer to [Network health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/site-analytics/).

## Network Analytics

Network Analytics provides detailed analytics on your Cloudflare WAN traffic over time. You can filter data by traffic characteristics and review traffic trends over time.

For details, refer to [Cloudflare WAN Network Analytics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/network-analytics/).

## Traceroutes

Traceroutes provide a hop-by-hop breakdown of the Internet path network traffic follows from Cloudflare's network to your network.

For details, refer to [Traceroutes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/traceroutes/).

## Packet captures

Packet captures allow you to analyze the raw packet data your network sends to and receives from Cloudflare's network.

For details, refer to [packet captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/).

## Query analytics with GraphQL

GraphQL Analytics provides a GraphQL API to query raw JSON data for your Cloudflare WAN traffic analytics. You can ingest this data into a Security Information and Event Management (SIEM) tool or another platform for further analysis.

* [Querying Cloudflare WAN tunnel bandwidth analytics with GraphQL](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/query-bandwidth/)
* [Querying Cloudflare WAN tunnel health check results with GraphQL](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/analytics/query-tunnel-health/)


---

---
title: NetFlow statistics
description: NetFlow statistics in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# NetFlow statistics

## NetFlow exports from Cloudflare One Appliance to Network Flow

You can configure your Cloudflare One Appliance (formerly Magic WAN Connector) to export NetFlow statistics for [local breakout traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/application-based-policies/breakout-traffic/) to [Network Flow](https://developers.cloudflare.com/network-flow) (formerly Magic Network Monitoring). This provides insight into traffic that leaves your site directly, bypassing the Cloudflare network.

The Cloudflare One Appliance uses NetFlow v9 to export flow data for breakout traffic only. You can enable and configure this export by setting the NetFlow configuration for the associated site via the Cloudflare API.

### Enable NetFlow exports

Note

To export NetFlow statistics, you will need your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and [API token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/), as well as the `site_id` associated with your Cloudflare One Appliance.

1. Send a `PUT` request to the NetFlow configuration endpoint for your site.
2. In the JSON request body, include the `collector_ip` parameter. To export traffic statistics to Network Flow, use the IP address `162.159.65.1`. This is the only field required to enable the feature.

Minimal configuration example:

Terminal window

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/sites/$SITE_ID/netflow_config" \
  --request PUT \
  --json '{
    "collector_ip": "162.159.65.1"
  }'
```

3. You can customize the configuration by adding optional fields to the JSON payload. These fields include:
* `collector_port`: The UDP port for the collector. The default is `2055`.
* `sampling_rate`: The rate at which packets are sampled.
* `active_timeout`: The timeout for active flows in seconds.
* `inactive_timeout`: The timeout for inactive flows in seconds.

Full configuration example:

Terminal window

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/sites/$SITE_ID/netflow_config" \
  --request PUT \
  --json '{
    "collector_ip": "162.159.65.1",
    "collector_port": 2055,
    "sampling_rate": 100,
    "active_timeout": 60,
    "inactive_timeout": 30
  }'
```

Your Cloudflare One Appliance will now begin exporting NetFlow data for its breakout traffic, which is ingested and displayed in your Network Flow dashboard. You can retrieve the current settings by sending a `GET` request, or disable the export by sending a `DELETE` request to the same endpoint.


---

---
title: Network analytics
description: Network analytics in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Network analytics

You can access real-time and historical network data in Network Analytics. Explore Cloudflare WAN traffic (in packets or bytes) over time in a time series, and filter the data by different [packet](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) characteristics.

Data is aggregated into time intervals that vary based on the selected zoom level. For example, a daily view shows 24-hour averages, which can flatten short-term traffic spikes. As a result, longer time intervals display lower peak bandwidth values compared to more granular views like five-minute intervals.

For details, refer to the [Network Analytics](https://developers.cloudflare.com/analytics/network-analytics/) documentation.

## Network traffic data filters

With Cloudflare WAN, you have increased insight into traffic flows across Cloudflare One products, including:

* Traffic entering Cloudflare's network via the Cloudflare One Client
* Traffic leaving Cloudflare's network via the Cloudflare One Client
* Traffic leaving Cloudflare's network via Cloudflare Tunnel (`cloudflared`)

The complete list of filters includes:

* A list of your top tunnels by traffic volume.
* Traffic source and destination by traffic type, on-ramps and off-ramps, IP addresses, and ports.
* Destination IP ranges and ASNs.
* Protocols and packet sizes.
* Samples of all GRE or IPsec tunnel traffic entering or leaving Cloudflare's network.
* Mitigations applied (such as DDoS and Cloudflare Network Firewall) to traffic entering Cloudflare's network.

For instructions, refer to [Access tunnel traffic analytics](#access-tunnel-traffic-analytics).

## Access tunnel traffic analytics

1. Go to the **Network Analytics** page.
[ Go to **Network analytics** ](https://dash.cloudflare.com/?to=/:account/networking-insights/analytics/network-analytics/transport-analytics) 
2. In the **All Traffic** tab, scroll to **Top Insights** to access network traffic filters. By default, the dashboard displays five items, but you can display up to 25 items at once. To change the number of items, select the drop-down menu.
3. (Optional) Hover over a traffic type. You can then filter for that traffic or exclude it from the results.
4. To adjust the scope of information, scroll to **All traffic** \> **Add filter**.
5. In the **New filter** popover, select the data type from the left drop-down menu, an operator from the middle drop-down menu, and an action from the right drop-down menu. For example:  
```  
<DESTINATION_TUNNELS> | _equals_ | <NAME_OF_YOUR_TUNNEL>  
```  
This lets you examine traffic from specific Source tunnels and/or Destination tunnels.

## Feature notes

* For Cloudflare WAN, `Non-Tunnel traffic` refers to traffic outside GRE or IPsec tunnels. This can include traffic from:  
   * [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
   * [CNIs](https://developers.cloudflare.com/network-interconnect/)  
   * Traffic destined for the public Internet via [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
   * Traffic destined for applications behind [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)

The label `Non-Tunnel traffic` is a placeholder, and Cloudflare will apply more specific labels to this category of traffic in the future.


---

---
title: Packet captures
description: Capture and analyze network packets.
image: https://developers.cloudflare.com/zt-preview.png
---

# Packet captures

Cloudflare supports two types of packet captures (PCAPs): **full** and **sample**. A packet capture records raw network traffic data so you can inspect it offline in tools like Wireshark. Full packet captures are the default.

Note

Both capture types have a maximum runtime of 300 seconds. Refer to [Packet capture limits](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/#packet-capture-limits) for the full list of limits.

## Sample packet captures

Use sample packet captures when you want to inspect recent traffic quickly. Sample packet captures query historical traffic that has already passed through Cloudflare's network — not new traffic — so they complete immediately after you start them.

You can view sample captures in the Cloudflare dashboard. They only include the first 160 bytes of each packet, which is useful for capturing packet headers but will not provide detailed packet data. Cloudflare collects this data across all of its data centers and assembles it into a PCAP file, giving you a global view of traffic across the network.

Use full packet captures instead if you need complete packet payloads, or if the traffic you want to capture occurs infrequently.

## Full packet captures

Full packet captures actively monitor Cloudflare's network for new traffic that matches filters you configure. Unlike sample captures, they capture packets that arrive after the capture starts, not historical data.

Full captures include the complete packet data, not just headers. The matching packet data is saved directly to a cloud storage bucket that you own and configure. You cannot view it in the Cloudflare dashboard. You can download the resulting PCAP file and analyze it in Wireshark or another packet capture tool.

Before starting a full packet capture, make sure you have a cloud storage bucket set up and configured. Refer to the articles in this section for setup instructions.

* [ PCAPs bucket setup ](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/pcaps-bucket-setup/)
* [ Collect PCAPs ](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/)


---

---
title: Querying Cloudflare WAN IPsec/GRE tunnel bandwidth analytics with GraphQL
description: Configure Querying Cloudflare WAN IPsec/GRE tunnel bandwidth analytics with GraphQL in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# Querying Cloudflare WAN IPsec/GRE tunnel bandwidth analytics with GraphQL

This example uses the GraphQL Analytics API to query Cloudflare WAN ingress tunnel traffic over a specified time period.

The following API call requests Cloudflare WAN ingress tunnel traffic over a one-hour period and outputs the requested fields. Replace `<CLOUDFLARE_ACCOUNT_TAG>` with your account ID, and replace either `<EMAIL>` and `<API_KEY>`[1](#user-content-fn-1) (legacy) or `<API_TOKEN>`[2](#user-content-fn-2) (preferred) with your API credentials. Adjust the `datetimeStart` and `datetimeEnd` variables, which feed the `datetime_geq` and `datetime_lt` filters, as needed.

The example queries for ingress traffic. To query for egress traffic, change the value in the `direction` filter.

## API Call

Terminal window

```
# Every variable the query uses, including $direction, must be declared in
# the operation signature or the API rejects the query as undefined.
PAYLOAD='{ "query":
  "query GetTunnelBandwidth($accountTag: string, $datetimeStart: string, $datetimeEnd: string, $direction: string) {
      viewer {
        accounts(filter: {accountTag: $accountTag}) {
          magicTransitTunnelTrafficAdaptiveGroups(
            limit: 100,
            filter: {
              datetime_geq: $datetimeStart,
              datetime_lt:  $datetimeEnd,
              direction: $direction
            }
          ) {
            avg {
              bitRateFiveMinutes
            }
            dimensions {
              tunnelName
              datetimeFiveMinutes
            }
          }
        }
      }
  }",
    "variables": {
      "accountTag": "<CLOUDFLARE_ACCOUNT_TAG>",
      "direction": "ingress",
      "datetimeStart": "2022-05-04T11:00:00.000Z",
      "datetimeEnd": "2022-05-04T12:00:00.000Z"
    }
}'

# curl with Legacy API Key
# (unquoted $PAYLOAD collapses the newlines inside the query string into
# spaces, which is what makes the body valid JSON)
curl https://api.cloudflare.com/client/v4/graphql \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data "$(echo $PAYLOAD)"

# curl with API Token
curl https://api.cloudflare.com/client/v4/graphql \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data "$(echo $PAYLOAD)"
```

The returned values represent the total bandwidth in bits per second during the five-minute interval for a particular tunnel. To use aggregations other than five minutes, use the same time window for both your metric and datetime. For example, to analyze hourly groups, use `bitRateHour` and `datetimeHour`.

The result is in JSON (as requested), so piping the output to `jq` formats it for easier parsing, as in the following example:

Terminal window

```
curl https://api.cloudflare.com/client/v4/graphql \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data "$(echo $PAYLOAD)" | jq .

# Example response:
#=> {
#=>   "data": {
#=>     "viewer": {
#=>       "accounts": [
#=>         {
#=>           "magicTransitTunnelTrafficAdaptiveGroups": [
#=>             {
#=>               "avg": { "bitRateFiveMinutes": 327680 },
#=>               "dimensions": {
#=>                 "datetimeFiveMinutes": "2021-05-12T22:00-00:00",
#=>                 "tunnelName": "tunnel_name"
#=>               }
#=>             },
#=>             {
#=>               "avg": { "bitRateFiveMinutes": 627213680 },
#=>               "dimensions": {
#=>                 "datetimeFiveMinutes": "2021-05-12T22:05-00:00",
#=>                 "tunnelName": "another_tunnel"
#=>               }
#=>             }
#=>           ]
#=>         }
#=>       ]
#=>     }
#=>   },
#=>   "errors": null
#=> }
```
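The same query and response handling in Python, as an added example that is not Cloudflare's own code: it declares every variable the query uses (including `$direction`), serializes the body with `json.dumps` so the newlines inside the query are escaped without the `echo $PAYLOAD` trick, and collapses the five-minute rows into per-tunnel averages and peaks that a SIEM or alerting pipeline can consume. The `SAMPLE_RESPONSE` is constructed from the example output above; `send_query` is the only part that needs the network.

```python
"""Tunnel-bandwidth GraphQL query and per-tunnel summary.
Added example, not Cloudflare's own code: the curl query above with every
variable it uses declared (including $direction) and JSON-escaped, so no
`echo $PAYLOAD` whitespace trick is needed. Standard library only."""
import json
import urllib.request

GRAPHQL_URL = "https://api.cloudflare.com/client/v4/graphql"

QUERY = """\
query TunnelBandwidth($accountTag: string, $datetimeStart: string,
                      $datetimeEnd: string, $direction: string) {
  viewer {
    accounts(filter: {accountTag: $accountTag}) {
      magicTransitTunnelTrafficAdaptiveGroups(
        limit: 100,
        filter: {datetime_geq: $datetimeStart, datetime_lt: $datetimeEnd,
                 direction: $direction}
      ) {
        avg { bitRateFiveMinutes }
        dimensions { tunnelName datetimeFiveMinutes }
      }
    }
  }
}
"""


def build_payload(account_tag, datetime_start, datetime_end, direction="ingress"):
    """Request body as a dict; a bad direction fails here, not after a round trip."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    return {
        "query": QUERY,
        "variables": {
            "accountTag": account_tag,
            "direction": direction,
            "datetimeStart": datetime_start,
            "datetimeEnd": datetime_end,
        },
    }


def encode_payload(payload):
    """json.dumps escapes the newlines inside QUERY, producing valid JSON."""
    return json.dumps(payload)


def send_query(api_token, payload, timeout=30):
    """POST with an API token (the preferred credential). Not exercised offline."""
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=encode_payload(payload).encode("utf-8"),
        headers={"Authorization": "Bearer " + api_token,
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(response):
    """{tunnelName: {samples, avg_bps, peak_bps}} across the five-minute rows.
    Raises on API errors so a partial result is never read as a quiet tunnel."""
    if response.get("errors"):
        raise RuntimeError("GraphQL errors: %r" % (response["errors"],))
    rates = {}
    for account in response["data"]["viewer"]["accounts"]:
        for row in account["magicTransitTunnelTrafficAdaptiveGroups"]:
            name = row["dimensions"]["tunnelName"]
            rates.setdefault(name, []).append(row["avg"]["bitRateFiveMinutes"])
    return {name: {"samples": len(r), "avg_bps": sum(r) / len(r), "peak_bps": max(r)}
            for name, r in rates.items()}


def tunnels_over(summary, threshold_bps):
    """Names of tunnels whose peak five-minute rate exceeded threshold_bps."""
    return sorted(n for n, s in summary.items() if s["peak_bps"] > threshold_bps)


# Constructed response with the shape and values of the page's example output.
SAMPLE_RESPONSE = {
    "data": {"viewer": {"accounts": [{"magicTransitTunnelTrafficAdaptiveGroups": [
        {"avg": {"bitRateFiveMinutes": 327680},
         "dimensions": {"datetimeFiveMinutes": "2021-05-12T22:00-00:00",
                        "tunnelName": "tunnel_name"}},
        {"avg": {"bitRateFiveMinutes": 627213680},
         "dimensions": {"datetimeFiveMinutes": "2021-05-12T22:05-00:00",
                        "tunnelName": "another_tunnel"}},
    ]}]}},
    "errors": None,
}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```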

## Footnotes

1. For details, refer to [Authenticate with a Cloudflare API key](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/api-key-auth/). [↩](#user-content-fnref-1)
2. For details, refer to [Configure an Analytics API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/api-token-auth/). [↩](#user-content-fnref-2)


---

---
title: Querying Cloudflare WAN IPsec/GRE tunnel health check results with GraphQL
description: Configure Querying Cloudflare WAN IPsec/GRE tunnel health check results with GraphQL in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---



# Querying Cloudflare WAN IPsec/GRE tunnel health check results with GraphQL

This example uses the GraphQL Analytics API to query Cloudflare WAN tunnel health check results. These results are aggregated from individual health checks that Cloudflare servers perform against the tunnels you configured in your account. You can query up to one week of data for dates up to three months in the past.

The following API call requests tunnel health checks for a specific account over a one-day period for a specific Cloudflare data center and outputs the requested fields. Replace `<CLOUDFLARE_ACCOUNT_TAG>` and `<API_TOKEN>`[1](#user-content-fn-1) with your API credentials, and adjust the `datetimeStart` and `datetimeEnd` variables as needed.

The API call returns tunnel health check results by Cloudflare data center. Cloudflare aggregates each data center's result from health checks conducted on individual servers. The `tunnelState` field represents the state of the tunnel. Cloudflare WAN uses these states for routing. A `tunnelState` value of `0` represents a down tunnel, `0.5` represents a degraded tunnel, and `1` represents a healthy tunnel.

## API Call

```sh
echo '{ "query":
  "query GetTunnelHealthCheckResults($accountTag: string, $datetimeStart: string, $datetimeEnd: string) {
    viewer {
      accounts(filter: {accountTag: $accountTag}) {
        magicTransitTunnelHealthChecksAdaptiveGroups(
          limit: 100,
          filter: {
            datetime_geq: $datetimeStart,
            datetime_lt:  $datetimeEnd,
          }
        ) {
          avg {
            tunnelState
          }
          dimensions {
            tunnelName
            edgeColoName
          }
        }
      }
    }
  }",
  "variables": {
    "accountTag": "<CLOUDFLARE_ACCOUNT_TAG>",
    "datetimeStart": "2022-08-04T00:00:00.000Z",
    "datetimeEnd": "2022-08-04T01:00:00.000Z"
  }
}' | tr -d '\n' | curl --silent \
https://api.cloudflare.com/client/v4/graphql \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data @-
```

The results are returned in JSON (as requested), so piping the output to `jq` formats them for easier parsing, as in the following example:

```sh
... | curl --silent \
https://api.cloudflare.com/client/v4/graphql \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data @- | jq .
```

## Example response

The response key mirrors the node requested in the query (`magicTransitTunnelHealthChecksAdaptiveGroups`), and each row carries only the `avg` and `dimensions` fields the query asked for:

```json
{
  "data": {
    "viewer": {
      "accounts": [
        {
          "magicTransitTunnelHealthChecksAdaptiveGroups": [
            {
              "avg": {
                "tunnelState": 1
              },
              "dimensions": {
                "edgeColoName": "mel01",
                "tunnelName": "tunnel_01"
              }
            },
            {
              "avg": {
                "tunnelState": 0.5
              },
              "dimensions": {
                "edgeColoName": "mel01",
                "tunnelName": "tunnel_02"
              }
            }
          ]
        }
      ]
    }
  },
  "errors": null
}
```
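The triage step that follows a query like the one above, as an added example that is not part of Cloudflare's documentation: it builds the same request body, posts it with a Bearer token, and maps each data center's `tunnelState` average to the three routing states described above. The sample response is constructed, and treating averages other than 0, 0.5 and 1 as degraded is this example's own conservative assumption.

```python
"""Query and triage Cloudflare WAN tunnel health-check results (added example).

Mirrors the curl call on this page: build the GraphQL body, POST it to the
Analytics API, then turn per-colo tunnelState averages into routing states.
"""
import json
import urllib.request

GRAPHQL_ENDPOINT = "https://api.cloudflare.com/client/v4/graphql"

# Same query as the page's curl example.
QUERY = """
query GetTunnelHealthCheckResults($accountTag: string, $datetimeStart: string, $datetimeEnd: string) {
  viewer {
    accounts(filter: {accountTag: $accountTag}) {
      magicTransitTunnelHealthChecksAdaptiveGroups(
        limit: 100,
        filter: {datetime_geq: $datetimeStart, datetime_lt: $datetimeEnd}
      ) {
        avg { tunnelState }
        dimensions { tunnelName edgeColoName }
      }
    }
  }
}
"""


def build_request(account_tag, datetime_start, datetime_end):
    """Return the JSON body the page pipes into curl via --data @-."""
    return {
        "query": QUERY,
        "variables": {
            "accountTag": account_tag,
            "datetimeStart": datetime_start,
            "datetimeEnd": datetime_end,
        },
    }


def fetch(api_token, body):
    """POST the body with a Bearer token (live call; not used by the offline demo)."""
    req = urllib.request.Request(
        GRAPHQL_ENDPOINT,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def classify(avg_state):
    """Map a tunnelState average to the routing states documented on this page."""
    if avg_state == 1:
        return "healthy"
    if avg_state == 0:
        return "down"
    # 0.5 is "degraded"; any other average (assumption: servers in one colo
    # disagreeing) is also treated as degraded, the conservative choice here.
    return "degraded"


def tunnel_states(response):
    """Return {(edgeColoName, tunnelName): state} for every aggregated row.

    Raises RuntimeError when the API reported GraphQL errors, so that a
    partial response is never mistaken for an all-healthy one.
    """
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    states = {}
    for account in response["data"]["viewer"]["accounts"]:
        for row in account["magicTransitTunnelHealthChecksAdaptiveGroups"]:
            dims = row["dimensions"]
            states[(dims["edgeColoName"], dims["tunnelName"])] = classify(row["avg"]["tunnelState"])
    return states


def not_healthy(response):
    """Sorted (colo, tunnel, state) rows that Cloudflare WAN would route around."""
    return sorted((colo, name, st) for (colo, name), st in tunnel_states(response).items()
                  if st != "healthy")


# Constructed sample response in the shape shown on this page (not real data).
SAMPLE_RESPONSE = {
    "data": {"viewer": {"accounts": [{
        "magicTransitTunnelHealthChecksAdaptiveGroups": [
            {"avg": {"tunnelState": 1}, "dimensions": {"edgeColoName": "mel01", "tunnelName": "tunnel_01"}},
            {"avg": {"tunnelState": 0.5}, "dimensions": {"edgeColoName": "mel01", "tunnelName": "tunnel_02"}},
            {"avg": {"tunnelState": 0}, "dimensions": {"edgeColoName": "syd01", "tunnelName": "tunnel_02"}},
        ]}]}},
    "errors": None,
}

if __name__ == "__main__":
    body = build_request("<CLOUDFLARE_ACCOUNT_TAG>", "2022-08-04T00:00:00.000Z", "2022-08-04T01:00:00.000Z")
    # response = fetch("<API_TOKEN>", body)  # live call; the constructed sample stands in below
    for colo, name, state in not_healthy(SAMPLE_RESPONSE):
        print(f"{colo} {name}: {state}")
```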

## Footnotes

1. For details, refer to [Configure an Analytics API token](https://developers.cloudflare.com/analytics/graphql-api/getting-started/authentication/api-token-auth/). [↩](#user-content-fnref-1)


---

---
title: Network visibility
description: Network visibility in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---



# Network visibility

After adding your sites, the Network visibility section of the dashboard provides a summary of the connectivity status and traffic analytics for all your sites. This is a great place to start if you receive a Cloudflare WAN alert, need to begin the troubleshooting process, or are performing routine monitoring. Refer to [Set up a site](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/sites/) for more information on how to set up a site.

Network visibility has the following data types available:

Geographic map summary

* [Aggregate Cloudflare WAN site health](#site-health)
* [Cloudflare WAN availability status for sites](#no-status-available)
* [Cloudflare WAN site geographic location](#no-location-set)

Cloudflare WAN site data table

* Site Name
* Site Health
* Site Tunnel Names
* Site Tunnel Statuses
* Site Traffic Sent
* Site Traffic Received

Cloudflare WAN site data

* Traffic Sent by Tunnel
* Traffic Received by Tunnel

To start using Network visibility:

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/).
2. Go to **Insights** \> **Network visibility**.

You will have access to an overview map with all your active sites, and any alerts for sites that are unhealthy or have no status available to them.

Review the following topics to learn more about the options available to you.

### Network map and traffic overview

The network map section shows all the sites configured with Cloudflare WAN. At a glance, you can check:

* How many active sites you have
* Location for sites in a map (if you set up their geographic location)
* Sites that are healthy or unhealthy
* Sites that have no status available
* Sites that have no location set

The Traffic overview section displays a more granular list of your sites and their status.

#### Site health

Sites can be healthy or unhealthy, and Cloudflare WAN uses this information to route traffic. Refer to [Set thresholds for site health](#set-thresholds-for-site-health) to learn more about this topic.

#### No status available

The status of a site refers to its health. If your sites show a **No status available** message, this means you did not configure your alert settings when creating your site. For instructions, refer to [Configure Tunnel health alerts](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/configure-tunnel-health-alerts/).

#### No location set

The dashboard displays the number of sites with no location set, meaning sites for which you did not set up a geographic location. To add a location to a site, find the site and select **no location set** to edit its location settings. Refer to [Set geographic coordinates](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/sites/#set-geographic-coordinates) for more information.

### Traffic overview

Traffic overview aggregates all Cloudflare WAN sites configured in your account. Here, you can check summary information about each site like:

* Site status
* Traffic sent and received

Select one of your sites to have access to a more detailed view of its traffic, including traffic by tunnel.

### Set thresholds for site health

When you set up an alert for your site, you will be notified when there is an issue with one or more on-ramps. These alerts are sent when the percentage of successful health checks for a Cloudflare WAN on-ramp drops below the selected service-level objective (SLO). Setting health alerts will also display unhealthy tunnels in the Network map and in the Traffic overview sections.

To set up health alerts:

1. Configure [Tunnel health alerts](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/configure-tunnel-health-alerts/) across all of the tunnels associated with each Cloudflare WAN site.
2. After configuring Tunnel health alerts, any Cloudflare WAN site with a tunnel (on-ramp) that is outside of its SLO threshold will be labeled unhealthy in Network map and Traffic overview.


---

---
title: Traceroutes
description: Traceroutes in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Traceroutes

You can run traceroutes to analyze the hop-by-hop Internet path and latency between Cloudflare's network and your network.

To run a traceroute from a specific Cloudflare data center to your network:

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/) \> **Insights**.
2. Go to **Network health** \> **WAN connector health**.
3. Find the tunnel for the traceroute.
4. Select the three dots > **Traceroute details**.

You can access detailed data from the traceroute, including:

* Time to live (TTL) and host
* Autonomous system (AS) number
* [Packets ↗](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) sent in the traceroute
* Average, minimum, and maximum latency
* Standard deviation of latency


---

---
title: Configure with Connector
description: Reference information for Configure with Connector in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Configure with Connector

Cloudflare One Appliance is a lightweight appliance you can install in corporate network locations to automatically connect and steer any IP traffic through [secure IPsec tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#security-and-other-information). Cloudflare One Appliance is the easiest way to onboard your network locations to Cloudflare One. It is managed remotely through the Cloudflare dashboard, so you do not require an onsite IT team.

You can [purchase Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/configure-hardware-appliance/) software pre-installed on a Cloudflare-certified device, or download and deploy [Virtual Appliance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/configure-virtual-appliance/) in your own infrastructure.

Either option ensures the best possible connectivity to the closest Cloudflare network location, where Cloudflare will apply security controls and send traffic on an optimized route to its destination.

Cloudflare One Appliance has the same type of support process as other Cloudflare Enterprise products. Contact your team account manager to learn more.

Review this section to learn how to configure and deploy Cloudflare One Appliance.

* [Configure hardware Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/configure-hardware-appliance/)
* [Configure Virtual Appliance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/configure-virtual-appliance/)
* [Network options](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/)
* [Maintenance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/)
* [Device metrics](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/device-metrics/)
* [Reference](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/)
* [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/troubleshooting/)


---

---
title: Configure hardware Connector
description: Configure hardware Connector in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Configure hardware Connector

This page provides step-by-step instructions for the initial setup of Cloudflare One Appliance. You can either return here after setting up your Cloudflare One Appliance, or refer to the [Maintenance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/) section for instructions on how to update your settings.

## Prerequisites

You need to purchase [Cloudflare WAN](https://www.cloudflare.com/magic-wan/) before you can purchase and use Cloudflare One Appliance. Cloudflare One Appliance can function as your primary edge device for your network, or be deployed in-line with existing network gear.

You also need to purchase Cloudflare One Appliance before you can start configuring your settings in the Cloudflare dashboard. Contact your account representative to learn more about purchasing options for Cloudflare One Appliance.

---

## Before you begin

There are a couple of decisions you need to make when installing your Cloudflare One Appliance. Review the following topics for more information.

### Determine the need for a high availability configuration

You can install up to two instances of Cloudflare One Appliance for redundancy at each of your sites. If one of your devices fails, traffic will fail over to the other, ensuring that you never lose connectivity to that site.

In this type of high availability (HA) configuration, you will choose a reliable LAN interface as the HA link which will be used to monitor the health of the peer connector. HA links can be dedicated links or can be shared with other LAN traffic.

You must decide the type of configuration you want for your site from the beginning: no redundancy or with redundancy. You cannot add redundancy after finishing the configuration of your dashboard settings. If, at a later stage, you decide to enable redundancy, you will need to delete your Cloudflare One Appliance device in the Cloudflare dashboard, and start again.

Do you need a high availability configuration? 

* If you need a high availability configuration for your premises, refer to [About high availability configurations](#about-high-availability-configurations) for details and learn how to configure your Cloudflare One Appliance device in this mode.
* If you do not need a high availability configuration for your premises, check if you need a [DHCP or a static IP setup](#decide-on-dhcp-vs-static-ip-connections) before proceeding to [Set up Cloudflare dashboard](#set-up-cloudflare-dashboard).

Warning

You cannot enable high availability for an existing Cloudflare One Appliance on-ramp. To add high availability to an existing Cloudflare One Appliance on-ramp in the Cloudflare dashboard, you need to delete the on-ramp and start again. Plan accordingly to create a high availability configuration from the start if needed.

### Decide on DHCP vs static IP connections

You can use Cloudflare One Appliance in both DHCP networks and networks that require a static IP configuration. At first boot, however, Cloudflare One Appliance needs to reach out to Cloudflare to download your settings and go through the activation process. If any of the networks plugged into your Cloudflare One Appliance device is DHCP enabled, does not use a VLAN, and has an Internet connection, that process is handled automatically. However, if all of the networks require additional information before they can be used (such as a network with static IPs, or tagged VLAN networks), your Cloudflare One Appliance needs that information from you before it can proceed.

There are a couple of ways to provide this information. Choose the one that fits your workflow:

#### Option one - Activate on a DHCP Network

1. Connect Cloudflare One Appliance to a DHCP port with access to the Internet.
2. Follow the [setup flow](#set-up-cloudflare-dashboard) and activate your Cloudflare One Appliance device.
3. Refer to [WAN with a static IP address](#wan-with-a-static-ip-address).

#### Option two - Bootstrap via Serial Console

Refer to the [Bootstrap workflow](#bootstrap-via-serial-console).

---

## Port speeds

The hardware version of the Cloudflare One Appliance includes two [SFP+ ports](https://en.wikipedia.org/wiki/Small%5FForm-factor%5FPluggable) that support 10G throughput, as well as six RJ45 ports that support 1G throughput.

Refer to [SFP+ port information](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/configure-hardware-appliance/sfp-port-information/) for details on this topic.

---

## Set up Cloudflare dashboard

### Register your Appliance

To set up and use the hardware version of Cloudflare One Appliance (formerly Magic WAN Connector), you first need to register it with your account. This is not applicable to Virtual Cloudflare One Appliance.

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Networks**.
2. Go to **Connectors** \> **Appliances**, and select **Register an appliance**.
   1. In **Appliance details** \> **Serial number**, insert the serial number for your device. You can optionally add notes about the Cloudflare One Appliance you are adding to the dashboard.
   2. (Optional) Select **Add** under **Serial number** to add multiple Cloudflare One Appliances at once to your account.
   3. Select **Register appliance**.

Your device is now registered with your account.

### Create a new profile

You need to create a profile for your appliance before connecting it to the Internet.

To create a profile:

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Networks**.
2. Go to **Connectors** \> **Appliances** \> **Create a profile**.
   1. In **Name**, enter a descriptive name for your Cloudflare One Appliance. Optionally, you can also add a description for it.
   2. You need to decide if you want to turn on high availability for the Cloudflare One Appliance. For details, refer to [About high availability configurations](#about-high-availability-configurations).
   3. Select **Create and continue**.
   4. Select **Add Appliance**. This will display a list of devices associated with your account. You need to have bought a Connector already for it to show up here. Refer to [Prerequisites](#prerequisites) if no Connector shows up in this list.
   5. If you have more than one Cloudflare One Appliance, choose the one that corresponds to the on-ramp you are creating. Cloudflare One Appliance devices are identified by a serial number, also known as a service tag. Use this information to choose the right Cloudflare One Appliance. Select **Add Appliance** when you are ready to proceed.
   6. Cloudflare One Appliance will be added to your account with an **Interrupt window** defined. The interrupt window is the time period when the Cloudflare One Appliance software can update, which may result in interruption to existing connections. You can change this later. Refer to [Interrupt window](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/interrupt-service-window/) for more details on how to define when the Cloudflare One Appliance can update its systems.
   7. Select **Continue** to proceed to creating your WAN and LAN networks.

### Create a WAN

#### Dashboard

When you have more than one anycast IP configured in your account (set up during your Cloudflare WAN (formerly Magic WAN) onboarding), Cloudflare One Appliance will automatically create at most two tunnels per WAN port. This improves reliability and performance, and requires no additional configuration on your part.

1. In **WAN configuration**, select **Create**. You can create one or more [wide area networks (WANs) ↗](https://www.cloudflare.com/learning/network-layer/what-is-a-wan/). Configuring multiple WANs will create multiple IPsec tunnels (one IPsec tunnel per WAN port). This allows Cloudflare One Appliance to load balance traffic over WANs of equal priority. It also allows Cloudflare One Appliance to failover between circuits according to their [health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/). Refer to [WAN settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#wan-settings) for more details.  
Note  
This is not the same as a high availability (HA) configuration. HA configurations need two Cloudflare One Appliance devices to work. For details, refer to [About high availability configurations](#about-high-availability-configurations).
2. In **Interface name**, enter a descriptive name for your WAN.
3. **Interface number** refers to the physical Connector Ethernet port that you are using for your WAN. The ports are labeled `GE1`, `GE2`, `GE3`, `GE4`, `GE5`, and `GE6`. Choose the number corresponding to the port that you are using in Connector.  
 If you need a throughput higher than 1 Gbps, you can use one of the SFP+ ports. Refer to [SFP+ port information](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/configure-hardware-appliance/sfp-port-information/) for more information on the hardware supported.
4. In **VLAN ID**, enter a number between `0` and `4094` to specify a [VLAN ID](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#vlan-id).
5. In **Priority**, choose the priority for your WAN. Lower numbers have higher priority. For details on how Cloudflare calculates priorities, refer to [Traffic steering](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/).
6. In **Health check rate** configure the health check frequency for your site. Options are `low`, `mid`, and `high`. For details, refer to [Update tunnel health checks frequency](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/update-tunnel-health-checks-frequency/).
7. **Addressing**: Select **DHCP**. This is needed the first time you set up your Cloudflare One Appliance to successfully download all settings to the machine and activate it. If you need a static IP address in your network environment:  
   1. Continue the set up flow to activate your Cloudflare One Appliance.  
   2. Refer to [WAN with a static IP address](#wan-with-a-static-ip-address). If you choose a static IP, you also need to specify the static IP and gateway addresses.
8. Select **Save** when you are finished.

#### API

Note

You will need your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and [API token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/) to use the API.

Make a `POST` request [using the API](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/sites/subresources/wans/methods/create/) to create a WAN.

The `static_addressing` object is optional. Omit it if you are using DHCP. If you are using static addressing, add the `secondary_address` parameter when your site is in high availability (HA) mode.

Example:

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/wans \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "name": "<YOUR_WAN_NAME>",
  "physport": 1,
  "priority": 0,
  "vlan_tag": 0
}'
```

### Create a LAN

#### Dashboard

1. In **LAN configuration**, select **Create**.
2. Enter a descriptive name for your LAN in **Interface name**.
3. **Interface number** refers to the physical Connector Ethernet port that you are using for your LAN. The ports are labeled `GE1`, `GE2`, `GE3`, `GE4`, `GE5`, and `GE6`. Choose a number corresponding to the port that you are using in Connector.  
 If you need a throughput higher than 1 Gbps, you can use one of the SFP+ ports. Refer to [SFP+ port information](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/configure-hardware-appliance/sfp-port-information/) for more information on the hardware supported.
4. In **VLAN ID**, specify a [VLAN ID](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#vlan-id) to create virtual LANs.
5. In **Static addressing** \> **Static address** give your Cloudflare One Appliance's LAN interface its IP address. You can also enable the following options if they suit your use case:  
   * **This is a DHCP server**: If your Cloudflare One Appliance is a [DHCP server](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-server/).  
   * **This is a DHCP relay**: If your Cloudflare One Appliance is a [DHCP relay](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-relay/).
6. (Optional) In **Directly attached subnet** \> **Static NAT prefix**, enter a CIDR prefix to enable NAT (network address translation). The prefix you enter here should be the same size as the prefix entered in **Static addressing**. For example, both networks have a subnet mask of `/24`: `192.168.100.0/24` and `10.10.100.0/24`.
7. (Optional) If your LAN contains additional subnets behind a layer 3 router, select **Add routed subnet** under **Routed subnets** to add them:  
   * **Prefix**: The CIDR prefix for the subnet behind the L3 router.  
   * **Next hop**: The address of the L3 router to which the Cloudflare One Appliance should forward packets for this subnet.  
   * **Static NAT prefix**: Optional setting. If you want to enable NAT for a routed subnet, supply an "external" prefix for the overlay-facing side of the NAT to use. It must be the same size as **Prefix**.  
    For details, refer to [Routed subnets](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/routed-subnets/).
8. Select **Save**.
9. Select **Done** to finish your configuration. Tunnels and static routes will be automatically created for your Cloudflare One Appliance, once it boots up.

#### API

Note

You will need your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and [API token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/) to use the API.

Make a `POST` request [using the API](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/sites/subresources/lans/methods/create/) to create a LAN.

Example:

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/lans \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "<YOUR_LAN_NAME>",
  "physport": 2,
  "static_addressing": {
    "address": "172.16.14.0/24"
  },
  "vlan_tag": 0
}'
```
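The constraints in steps 5 to 7 (a Static NAT prefix must be the same size as the prefix it translates, and a routed subnet needs a reachable next hop) are easy to get wrong when a LAN is created from the API instead of the dashboard form, where the form itself does the checking. The following Python script is an added example, not Cloudflare's code: it validates a LAN definition and emits the request body. The `name`, `physport`, `vlan_tag` and `static_addressing.address` fields match the request above; the `nat` and `routed_subnets` keys it emits are assumed names used for illustration and should be checked against the linked API reference. The sample LAN is constructed and not a real site, and the VLAN range, next-hop and overlap checks are this example's own additions rather than rules stated on this page.

```python
"""Validate a Cloudflare One Appliance LAN definition and build the API body.

Added example, not Cloudflare's code. `name`, `physport`, `vlan_tag` and
`static_addressing.address` mirror the request body shown on this page; the
`nat` and `routed_subnets` keys emitted below are assumed names and should be
checked against the API reference.
"""
import ipaddress
import json


class LanConfigError(ValueError):
    """A LAN definition breaks one of the constraints from the setup steps."""


def _interface(value, field):
    """Parse a gateway address with mask, e.g. 192.168.100.1/24."""
    try:
        return ipaddress.ip_interface(value)
    except ValueError as exc:
        raise LanConfigError(f"{field}: {value!r} is not a valid CIDR address") from exc


def _network(value, field):
    """Parse a prefix such as 10.10.100.0/24; host bits must be zero."""
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        raise LanConfigError(f"{field}: {value!r} is not a valid network prefix") from exc


def validate_lan(lan):
    """Raise LanConfigError if `lan` (a dict mirroring the dashboard form) is inconsistent.

    Rules taken from the steps on this page:
      * a Static NAT prefix must have the same length as the static address prefix
      * a routed subnet's Static NAT prefix must have the same length as its prefix
    Extra sanity checks that are this example's own assumptions:
      * vlan_tag is 0 (untagged) or 1-4094
      * a routed subnet's next hop is another host inside the directly attached subnet
      * a routed subnet does not overlap the directly attached subnet
    """
    attached = _interface(lan["static_address"], "static_address")
    vlan = int(lan.get("vlan_tag", 0))
    if not 0 <= vlan <= 4094:
        raise LanConfigError(f"vlan_tag {vlan} is outside 0-4094")

    if lan.get("nat_prefix"):
        nat = _network(lan["nat_prefix"], "nat_prefix")
        if nat.prefixlen != attached.network.prefixlen:
            raise LanConfigError(f"nat_prefix {nat} must be a /{attached.network.prefixlen} "
                                 f"to match static_address {attached}")

    for i, rs in enumerate(lan.get("routed_subnets", [])):
        where = f"routed_subnets[{i}]"
        prefix = _network(rs["prefix"], f"{where}.prefix")
        try:
            next_hop = ipaddress.ip_address(rs["next_hop"])
        except ValueError as exc:
            raise LanConfigError(f"{where}.next_hop: {rs['next_hop']!r} is not an IP address") from exc
        if next_hop not in attached.network or next_hop == attached.ip:
            raise LanConfigError(f"{where}.next_hop {next_hop} must be another host in {attached.network}")
        if prefix.overlaps(attached.network):
            raise LanConfigError(f"{where}.prefix {prefix} overlaps the attached subnet {attached.network}")
        if rs.get("nat_prefix"):
            nat = _network(rs["nat_prefix"], f"{where}.nat_prefix")
            if nat.prefixlen != prefix.prefixlen:
                raise LanConfigError(f"{where}.nat_prefix {nat} must be a /{prefix.prefixlen} to match {prefix}")
    return lan


def lan_problem(lan):
    """Return the first problem as a string, or None when the LAN is consistent."""
    try:
        validate_lan(lan)
    except LanConfigError as exc:
        return str(exc)
    return None


def build_payload(lan):
    """Return the JSON body for POST .../magic/sites/{site_id}/lans after validation."""
    validate_lan(lan)
    body = {
        "name": lan["name"],
        "physport": int(lan["physport"]),
        "vlan_tag": int(lan.get("vlan_tag", 0)),
        "static_addressing": {"address": lan["static_address"]},
    }
    if lan.get("nat_prefix"):  # assumed key names, see module docstring
        body["nat"] = {"static_prefix": lan["nat_prefix"]}
    if lan.get("routed_subnets"):
        body["routed_subnets"] = [
            {"prefix": rs["prefix"], "next_hop": rs["next_hop"],
             **({"nat": {"static_prefix": rs["nat_prefix"]}} if rs.get("nat_prefix") else {})}
            for rs in lan["routed_subnets"]
        ]
    return body


# Constructed sample matching the dashboard examples on this page; not a real site.
EXAMPLE_LAN = {
    "name": "office-lan-1",
    "physport": 2,
    "vlan_tag": 0,
    "static_address": "192.168.100.1/24",
    "nat_prefix": "10.10.100.0/24",
    "routed_subnets": [
        {"prefix": "192.168.200.0/24", "next_hop": "192.168.100.254",
         "nat_prefix": "10.10.200.0/24"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_payload(EXAMPLE_LAN), indent=2))
```

Pipe the printed body into the `curl --data` argument above, with an API token scoped to the Magic Transit/WAN permissions rather than a global API key, so a typo in a NAT prefix is rejected locally instead of producing a half-configured LAN.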

#### Network segmentation

After setting up your LANs, you can configure your Cloudflare One Appliance to enable communication between them without traffic leaving your premises. For details, refer to [Network segmentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/network-segmentation/).

#### DHCP options

Cloudflare One Appliance supports different types of DHCP configurations. Cloudflare One Appliance can:

* Connect to a DHCP server or use a static IP address instead of connecting to a DHCP server.
* Act as a [DHCP server](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-server/).
* Use [DHCP relay](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-relay/) to connect to a DHCP server outside the location your Cloudflare One Appliance is in.
* [Reserve IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-static-address-reservation/) for specific devices on your network.

### Add your Cloudflare One Appliance to a site

After finishing your Cloudflare One Appliance configuration, you need to add it to a site. 

Sites represent the local network of a data center, office, or other physical location, and combine all on-ramps available there. Sites also allow you to check, at a glance, the state of your on-ramps and set up health alert settings so that Cloudflare notifies you when there are issues with the site's on-ramps.

Refer to [Set up a site](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/sites/) for more information.

## Set up your Cloudflare One Appliance

### Device installation

There are several deployment options for Cloudflare One Appliance. It can act as the DHCP server for your local network, or integrate with your existing setup and use static IP addresses assigned to it.

When Cloudflare One Appliance acts as the WAN router for your site, the deployment looks like this:

```mermaid
flowchart LR
    accTitle: Appliance as WAN router
    accDescr: Cloudflare One Appliance set up as a DHCP server, and connecting to the Internet.
    a(Cloudflare One Appliance)--> b(Internet) --> c(Cloudflare)

    subgraph Customer site
    d[LAN 1] --> a
    e[LAN 2] --> a
    end

    classDef orange fill:#f48120,color: black
    class a,c orange
```

_Cloudflare One Appliance set up as a DHCP server, and connecting to the Internet._

In the following example, the Cloudflare One Appliance device sits behind the WAN router in your site, and on-ramps only some of the existing LANs to Cloudflare.

```mermaid
flowchart LR
    accTitle: Appliance behind site router
    accDescr: Cloudflare One Appliance connects to the router in the site, and only some of the LANs connect to Appliance.
    a(Cloudflare One Appliance)--> b((Site's router)) --> c(Internet) --> i(Cloudflare)

    subgraph Customer site
    d[LAN 1] --> a
    e[LAN 2] --> a
    g(LAN 3) --> b
    h(LAN 4) --> b
    end

    classDef orange fill:#f48120,color: black
    class a,i orange
```

_Cloudflare One Appliance connects to the router in the site, and only some of the LANs connect to Appliance._

Refer to [Cloudflare One Appliance deployment options](https://developers.cloudflare.com/reference-architecture/diagrams/sase/cloudflare-one-appliance-deployment/) for a high-level explanation of the deployment options that make sense to most environments, as well as a few advanced use cases.

#### Firewall settings required

If there is a firewall deployed upstream of Cloudflare One Appliance, configure the firewall to allow the following traffic. All of these flows are initiated by the appliance, so a stateful firewall only needs outbound rules for them plus their return traffic:

| Protocol/port      | Destination                                     | Purpose                                                                                                   |
| ------------------ | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
| UDP/53             | `1.1.1.1`                                       | DNS to Cloudflare's resolver. The appliance uses it to resolve the control plane API hostnames.           |
| TCP/443            | Any                                             | Outbound HTTPS connections opened by the appliance for control plane operations.                          |
| UDP/4500           | `162.159.64.1`                                  | Outbound connections for appliance initialization and discovery.                                          |
| UDP/4500           | Cloudflare anycast IPs assigned to your account | IPsec tunnel traffic to the anycast addresses assigned to your account.                                   |
| TCP/7844, UDP/7844 | Outbound connections                            | Debugging features of the appliance.                                                                      |
| UDP/123            | `time.cloudflare.com`                           | NTP. The appliance periodically contacts Cloudflare's Time Services.                                      |

## Activate appliance

Cloudflare One Appliance is shipped to you deactivated, and only establishes a connection to the Cloudflare network once it is activated. Cloudflare recommends leaving it deactivated until you finish [setting it up in the dashboard](#set-up-cloudflare-dashboard).

When Cloudflare One Appliance is first activated, you need to have Internet connection. If you chose to set up your Cloudflare One Appliance with DHCP you will need to have one of the Cloudflare One Appliance ports connected to the Internet through a device that supports DHCP. This is required so that the Cloudflare One Appliance can reach the Cloudflare global network and download the required configurations that you [set up](#set-up-cloudflare-dashboard).

If you set up your Cloudflare One Appliance with a static IP through the bootstrap method, you do not need a DHCP port. For details, refer to [DHCP vs static IP connections](#decide-on-dhcp-vs-static-ip-connections).

Warning 

Remember that if you chose the DHCP method you have to connect Cloudflare One Appliance through a route that supports DHCP for its first connection to the Internet. Otherwise, Cloudflare One Appliance will not work.

When you are ready to connect your Cloudflare One Appliance to the Cloudflare network:

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Networks**.
2. Go to **Connectors** \> **Appliances**.
3. Find the Cloudflare One Appliance you want to activate, select the three dots next to it > **Edit**. Make sure you verify the serial number to choose the right Cloudflare One Appliance you want to activate.
4. In the new window, the **Status** dropdown will show as **Deactivated**. Select it to change the status to **Activated**.
5. The **Interrupt window** is the time period when the Cloudflare One Appliance software can update, which may result in interruption to existing connections. Choose a time period to minimize disruption to your sites. For details on defining when the Cloudflare One Appliance can update its systems, refer to [Interrupt window](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/interrupt-service-window/).
6. Select **Update**.

---

## WAN with a static IP address

After activating your device, you can use it in a network configuration with the WAN interface set to a static IP address — that is, an Internet configuration that is not automatically set by DHCP. To use your Cloudflare One Appliance on a network configuration with a static IP, follow these steps:

Warning 

Make sure you complete the setup workflow and activate your Cloudflare One Appliance before changing the WAN settings to a static IP.

1. Connect Cloudflare One Appliance to a DHCP port with access to the Internet.
2. [Create a new profile](#create-a-new-profile) in the dashboard.
3. Create a [DHCP WAN](#create-a-wan).
4. [Activate](#activate-appliance) and power on your Cloudflare One Appliance.
5. Wait 60 seconds.
6. Make changes to the [WAN settings](#create-a-wan) in the dashboard to a static IP set up.
7. Wait 60 seconds again.
8. Cloudflare One Appliance will go offline. This is normal and expected behavior.
9. Adjust your physical connections as required to match the static configuration.
10. Cloudflare One Appliance comes back online.

## Bootstrap via Serial Console

Advanced users can locally configure their Cloudflare One Appliance to work in a static IP configuration. This local method does not require having access to a DHCP Internet connection. However, it does require being comfortable with using tools to access the serial port on Cloudflare One Appliance as well as using a serial terminal client to access the environment in your Cloudflare One Appliance.

The following is a detailed description of how to use the serial port to configure your Cloudflare One Appliance locally.

Note 

The `reset device` option in your Cloudflare One Appliance clears most of the configuration that is locally cached, resets the password to the default, and reboots.

### Equipment required

To access the serial port on Cloudflare One Appliance you will need the following equipment:

* The Cloudflare One Appliance device
* A Phillips-head screwdriver
* A micro-USB to USB-A cable (there should be one included in the packaging of your Cloudflare One Appliance device)
* A computer with an available USB port
* A serial terminal client
* Optional: if needed, a USB-A to USB-C converter dongle if your computer requires it

### 1\. Access the device's serial port

1. Using the Phillips screwdriver, loosen the screw covering the serial console panel on the back of the Cloudflare One Appliance and turn the panel out of the way.  
   * Pictures and more instructions can be found on [Dell's Technical Documents](https://www.dell.com/support/kbdoc/en-us/000134440/how-to-access-console-port-of-dell-emc-networking-virtual-edge-platform-1405-series).
2. Connect your computer to your Cloudflare One Appliance device using the USB cable.

#### Default password

The default password for your Cloudflare One Appliance device is the serial number (also known as a Service Tag for Dell devices), all uppercase, followed by an `!` (for example, `A1B2C3D!`). You are prompted to change it the first time you log in with it.

### 2\. Install a serial terminal client

To access the Cloudflare One Appliance device environment you need a serial terminal client. Follow these instructions to install one, based on your operating system.

#### Windows

Cloudflare recommends using PuTTY for Windows. Download PuTTY from the [official website](https://www.putty.org/) and then install it.

1. Check the COM port of the USB to UART device in the Windows Device Manager. It should appear as something similar to `Silicon Labs CP210x USB to UART Bridge (COMX)`.
2. Take note of the value in the parentheses (COMX).  
   * For details on creating a serial console connection, refer to the [Dell Documentation Page](https://infohub.delltechnologies.com/l/virtual-edge-platform-vep-1405-series-diag-os-and-tools-release-notes/bios-installation-and-configuration).
3. Launch PuTTY.
4. Under **Category**, make sure that **Session** (the first item) is selected.
5. Under **Connection type**, select **Serial**.
6. In the **Serial Line**, type in the COM port found in step 2 (for example, `COM1`).
7. In the **Speed**, enter `115200`.
8. Select Open on the bottom of the dialog box. A terminal window should pop up.
9. The screen may need to be manually refreshed when a new device is connected. You can do that by pressing `CTRL + C`.

#### macOS

Cloudflare recommends installing Screen for macOS. You can install Screen via `brew install screen`. If you do not have `brew` installed, follow the instructions on [Brew's Official Website](https://brew.sh/) to install it.

1. Open the macOS Terminal.
2. Run `ls /dev/cu.*` to list the connected serial devices.
3. The command should return an output similar to `/dev/cu.usbserial-0001`. Copy this output to the clipboard or note this down somewhere else.
4. Run `sudo screen -adRUS mconn <PATH_FROM_STEP_3> 115200`.
5. The screen may need to be manually refreshed when a new device is connected. You can do that by pressing `CTRL + C` (in Terminal, `CMD + C` copies text rather than sending an interrupt to the session).

#### Linux

Cloudflare recommends installing Screen for Linux. You can install Screen via your package manager of choice. For example, on Debian/Ubuntu, install it by running `sudo apt update && sudo apt install screen`.

1. Open Terminal.
2. List the connected serial devices by running `ls /dev/serial/by-id/*`.
3. The command should return an output similar to `/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0`. Copy this to the clipboard or note this down.
4. Run `sudo screen -adRUS mconn <PATH_FROM_STEP_3> 115200`.
5. The screen may need to be manually refreshed when a new device is connected. You can do that by pressing `CTRL + C`.

### 3\. Configure a static IP

1. Log into your Cloudflare One Appliance device. You will be prompted to change your password if you attempt to log in with the default password.
2. From the menu, go to **Bootstrap** with the arrow keys and select it with the Enter key.
3. Select the jack (physical port) you want to configure for the initialization of the appliance.
4. Enter the VLAN tag (if applicable) of the network. Leave it blank if untagged.
5. Select the `static` option as your network type.

Note 

The main reason to use the bootstrapper is if every network your Cloudflare One Appliance device is plugged into is either static, behind a VLAN, or both. If you find yourself here and configuring a network with DHCP and no VLAN, you are probably not in the right place. See the section on configuring your Cloudflare One Appliance [via the dashboard](#set-up-cloudflare-dashboard).

6. Enter the IP address you would like the appliance to have in CIDR form (for example, `10.0.0.2/24`).
7. Enter the IP address of the Internet gateway (this must be in the same subnet as the previous IP address you entered and must not be the same address).
8. Select **Save** and confirm that you want to use the new settings.
9. The Cloudflare One Appliance will download the rest of the settings from Cloudflare. The last heartbeat of the Cloudflare One Appliance should update once it has made contact with Cloudflare.

---

## About high availability configurations

You need to deploy two Cloudflare One Appliances in your premises before you can set up a site in high availability. When you set up a site in high availability, the WANs and LANs have the same configuration, replicated on two nodes. If one of the devices fails, the other device becomes the active node, taking over the LAN gateway IP and allowing traffic to continue without disruption.

Because Cloudflare One Appliances in high availability configurations share a single site, you need to set up:

* **Static address**: The IP for the primary node in your site.
* **Secondary static address**: The IP for the secondary node in your site.
* **Virtual static address**: The IP that the LAN south of the Cloudflare One Appliance device will forward traffic to, which is the LAN's gateway IP.

Make sure all IPs are part of the same subnet.

For detailed information about the expected behavior of high availability configurations, refer to the [High availability configurations](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#high-availability-configurations) reference page.

### Create a high availability configuration

You cannot enable high availability for an existing site. To add high availability to an existing site in the Cloudflare dashboard, you need to delete the site and start again.

To set up a high availability configuration:

1. Follow the steps in [Create a new profile](#create-a-new-profile) up until step 4.
2. After naming your site, select **Turn on high availability**.
3. Select **Create and continue**.
4. Select **Add Appliance**.
5. From the list, choose your first Cloudflare One Appliance > **Add Appliance**.
6. Back on the previous screen, select **Add secondary appliance**.
7. From the list, choose your second Cloudflare One Appliance > **Add Appliance**.
8. Select **Continue** to create a WAN. If you are configuring a static IP, configure the IP for the primary node as the static address, and the IP for the secondary node as the secondary static address.
9. To create a LAN, follow the steps in [Create a LAN](#create-a-lan) up until step 4.
10. In **Static address**, enter the IP for the primary node in your site. For example, `192.168.10.1/24`.
11. In **Secondary static address**, enter the IP for the secondary node in your site. For example, `192.168.10.2/24`.
12. In **Virtual static address**, enter the IP that the LAN south of the Cloudflare One Appliance device will forward traffic to. For example, `192.168.10.3/24`.
13. Select **Save**.
14. From the **High availability probing link** drop-down menu, select the port that should be used to monitor the node's health. Cloudflare recommends you choose a reliable interface as the HA probing link. The primary and secondary node's probing links must be connected through a switch; a direct cable between the two nodes is not supported.
15. Follow the instructions in [Set up your Cloudflare One Appliance](#set-up-your-cloudflare-one-appliance) and [Activate appliance](#activate-appliance) to finish setting up your Appliances.

---

## IPsec tunnels and static routes

Cloudflare One Appliance automatically creates [IPsec tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/#ipsec-tunnels) and [static routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/) for you. You cannot configure these manually.

To check the IPsec tunnels and static routes created by your Cloudflare One Appliance:

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Connectors**.
2. In **Cloudflare WAN** you can inspect the IPsec tunnels created by your Cloudflare One Appliance.
3. In **Routes** you can inspect the static routes created by your Cloudflare One Appliance.

---

## Next steps

* [Network options](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/)
* [Maintenance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/)
* [Reference information](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/)
* [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/troubleshooting/)


---

---
title: SFP+ port information
description: Reference information for SFP+ port information in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

# SFP+ port information

The hardware version of Cloudflare One Appliance (formerly Magic WAN Connector) includes two [SFP+ ports ↗](https://en.wikipedia.org/wiki/Small%5FForm-factor%5FPluggable) that support 10G throughput. These ports can be configured as either a WAN or a LAN port, like all of the 1G RJ45 ports in the machine. Because a 10G WAN uplink will often be bottlenecked by IPsec tunnel speeds, the SFP+ ports are most useful for configuring high speed LANs, and for using fiber connections.

Virtual Appliance and SFP+ ports

Since you decide and set up the hardware where Virtual Appliance runs, you can ignore the information on this page.

## Port configuration

SFP+ ports are next to the regular LAN ports. They are represented as follows in the dashboard:

* SFP+ **port 1** is represented by **port 7** in the dashboard
* SFP+ **port 2** is represented by **port 8** in the dashboard
![The left port, SFP+ 1, is port 7. The right port, SFP+ 2, is port 8.](https://developers.cloudflare.com/_astro/sfp-ports.B7f8iPPa_ZGbggv.webp) 

_The left port, SFP+ 1, is port 7\. The right port, SFP+ 2, is port 8._

## SFP+ module compatibility

Cloudflare One Appliance only supports 10Gbps SFP+ modules, including RJ45, DAC, and fiber, among others. Many 1 Gbps modules are incompatible with the Intel driver used internally, and thus are not supported.

Cloudflare supports the following SFP+ inputs:

* 10 Gbps Intel-compatible optics using 10GBase-SR, LR, ER. This includes Intel-compatible active optical cables (AOC) at 10 Gbps.
* 10 Gbps DAC Twinax cables, compatible with SFF-8431 v4.1 and SFF-8472 v10.4
* 10GBASE-T RJ45 converter modules

Cloudflare successfully deployed commonly available 10G modules that are also compatible across many vendors:

* StarTech Dell EMC Twinax SFP+ DAC
* Ubiquiti multi-mode, duplex, 10 Gbps fiber transceiver modules

Keep in mind that SFP+ modules and cables have to be compatible at both ends: both sides of the connection must be 10 Gbps, and ideally the same module or cable model is used at each end and is compatible with both hardware stacks. The choice of module, optic, or cable ultimately depends on your specific interoperability needs, and it is much less "plug and play" than one expects from RJ45.

## Recover from unsupported SFP+ inputs

SFP+ modules should be installed and tested prior to deploying Cloudflare One Appliance into production usage.

An unsupported SFP+ input is indicated by the interface failing to come up (that is, the port shows no status lights), and by the port (7 or 8) going offline until the hardware is rebooted.

When an unsupported module is plugged in, remove the module and then reboot the Cloudflare One Appliance by removing power for five seconds. The module must not remain plugged in during the reboot, or the Cloudflare One Appliance will have to be rebooted again after the module is removed.


---

---
title: Configure Virtual Appliance
description: Learn how to configure Virtual Appliance on VMWare ESXi or Proxmox Virtual Environment
image: https://developers.cloudflare.com/zt-preview.png
---

# Configure Virtual Appliance

Virtual Appliance is a virtual device alternative to the hardware based Cloudflare One Appliance. These two versions of Cloudflare One Appliance are identical otherwise.

Currently, you can set up Virtual Appliance on VMWare ESXi and Proxmox Virtual Environment. Support for Proxmox is in beta.

This page provides step-by-step instructions for the initial setup of Virtual Appliance. You can either return here after setting up your Virtual Appliance, or refer to the [Maintenance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/) section for instructions on how to update your settings.

## Prerequisites

Before you can install Virtual Appliance, you need an Enterprise account with Cloudflare WAN. Additionally, you need to have a VMware or Proxmox host with sufficient compute, memory, and storage to run the virtual machine with Virtual Appliance. This includes:

* Intel x86 CPU architecture
* ESXi hypervisor 7.0U1 or higher
* 4 virtual CPUs per virtual appliance (We recommend deployment with a 1:1 virtual CPU to physical core allocation to avoid CPU over contention which will cause packet loss.)
* 8 GB of RAM per virtual appliance
* 8 GB of disk per virtual appliance
* One vSwitch port group or VLAN with access to the Internet (for example, through a WAN)
* One or more vSwitch port group or VLAN that will be the internal LAN

For details on installing ESXi and configuring a virtual machine, refer to [VMware's documentation](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.install.doc/GUID-B2F01BF5-078A-4C7E-B505-5DFFED0B8C38.html).

For details on installing Proxmox Virtual Environment and configuring a virtual machine, refer to the [Proxmox documentation](https://www.proxmox.com/en/products/proxmox-virtual-environment/get-started).

---

## Before you begin

There are a couple of decisions you need to make when installing your Virtual Appliance. Review the following topics for more information.

### Determine the need for a high availability configuration

You can install up to two instances of Virtual Appliance for redundancy at each of your sites. If one of your devices fails, traffic will fail over to the other, ensuring that you never lose connectivity to that site.

In this type of high availability (HA) configuration, you will choose a reliable LAN interface as the HA link, which is used to monitor the health of the peer appliance. HA links can be dedicated links or can be shared with other LAN traffic.

You must decide the type of configuration you want for your site from the beginning: no redundancy or with redundancy. You cannot add redundancy after finishing the configuration of your dashboard settings. If, at a later stage, you decide to enable redundancy, you will need to delete your Virtual Appliance device in the Cloudflare dashboard, and start again.

Do you need a high availability configuration? 

* If you need a high availability configuration for your premises, refer to [About high availability configurations](#about-high-availability-configurations) for details and learn how to configure your Virtual Appliance device in this mode.
* If you do not need a high availability configuration for your premises, check if you need a [DHCP or a static IP setup](#decide-on-dhcp-vs-static-ip-connections) before proceeding to [Set up Cloudflare dashboard](#set-up-cloudflare-dashboard).

Warning

You cannot enable high availability for an existing Virtual Appliance on-ramp. To add high availability to an existing Virtual Appliance on-ramp in the Cloudflare dashboard, you need to delete the on-ramp and start again. Plan accordingly to create a high availability configuration from the start if needed.

### Decide on DHCP vs static IP connections

Virtual Appliance uses a DHCP connection at first boot to download your settings and go through the activation process. However, if you need to use a static IP in your Virtual Appliance, and this is a fresh install:

1. Connect the machine with your Virtual Appliance VM to a DHCP port with access to the Internet.
2. Follow the [setup flow](#set-up-cloudflare-dashboard) and activate your Virtual Appliance device.
3. Refer to [WAN with a static IP address](#wan-with-a-static-ip-address).

---

## Configure a virtual machine

The following instructions cover the two supported hypervisors:

* VMWare ESXi
* Proxmox Virtual Environment (beta)

**1\. Obtain the VMWare image**

Contact your account team at Cloudflare to obtain the Virtual Appliance OVA package and license keys. The OVA image includes the files required to install and configure the virtual machine (VM) for Virtual Appliance with the appropriate settings. For details, refer to [VMWare VMs documentation](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm%5Fadmin.doc/GUID-AE61948B-C2EE-436E-BAFB-3C7209088552.html).

This image can be deployed multiple times to create several instances of a Virtual Appliance, in different locations or on the same ESXi host.

You will consume one license key for each instance created. For example, if you want to deploy 10 Virtual Appliances you should request 10 license keys, and your account team will create 10 Virtual Appliance instances in your Cloudflare dashboard.

**2\. Deploy the Virtual Appliance on VMware**

The following instructions assume you already have VMware ESXi hypervisor installed with sufficient resources. For details, refer to [Prerequisites](#prerequisites).

1. When setting up your VMware ESXi, you need to create port groups for Virtual Appliance. Go to **Networking** \> **Port groups**, and prepare your vSwitch port groups and/or VLANs for your desired network topology. For example, a simple deployment typically has:  
   * A WAN port group where the Virtual Appliance will get an IP address (static or DHCP) that has access to the Internet.  
   * A LAN port group, where the Virtual Appliance will act as default router, and possibly DHCP server.  
   * A null, or unused, port group for allocating unused virtual interfaces in the Virtual Appliance. You can, for example, create a null port group with the name of `Null port group`, and a **VLAN ID** of `999`.

VLAN tagging

Virtual Appliance supports creating subinterfaces through the use of [802.1Q VLAN tagging ↗](https://en.wikipedia.org/wiki/IEEE%5F802.1Q).

Use VLAN ID `0` when:

* Connected to a Port Group or Distributed Port Group that is associated with a specific VLAN.
* Connected to a Port Group or Distributed Port Group that is configured as a trunk that requires untagged packets.

You can also configure subinterfaces on the Virtual Appliance by associating the network interface with a Port Group or Distributed Port Group trunk and specifying a VLAN ID in addition to the port associated with the network interface (VLAN ID `1`\-`4094`).

Refer to [VMware's documentation](https://kb.vmware.com/s/article/1003825) for more information.

2. Extract the files in the OVA image provided by your Cloudflare account team. For example:

```sh
tar -xvf mconn-2024-1-3.ova
```

Take note of the folder where you are extracting the files to, as you will need to refer to that folder when creating the VM.

3. Go to **Virtual Machines** \> **Create/Register VM** wizard to start deploying the Virtual Appliance.
4. Select **Deploy a virtual machine from an OVF or OVA file** \> **Next**.
5. Choose a descriptive name for your virtual machine.
6. Upload the files you have extracted from the OVA image. These include `mconn.ovf`, `mconn.nvram`, and `mconn.vmdk`.
7. Select where you want to save the files extracted from the OVA image > **Next**.
8. In **Networking mappings**, select assignments for your desired topology according to the port groups you set up previously:  
   1. For example, map `eno1` port to `VM Network` to create your WAN, and `eno2` to `LAN0` to act as your LAN port.  
   2. Allocate any unused ports to the `null` port group.  
   3. Take note of your configuration. You will need this information to configure your network in the Cloudflare dashboard.
9. In **Disk provisioning**, select **Thin**.
10. Before completing the deployment wizard, disable **Power on automatically**. This is important so that you can configure the license key prior to boot.
11. Configure the virtual machine with the license key your account team provided you:  
    1. Select the Virtual Appliance's VM > **Settings**.  
    2. Go to **VM Options** \> **Advanced** \> **Edit Configuration**.  
    3. Select **Add parameter** to add your license key. Scroll down to the last entry (this is where VMware adds the new parameter), and add the following two new entries:  
          * **Key**: `guestinfo.cloudflare.identity`  
          * **Value**: `<YOUR_LICENSE_KEY>`

Note

You cannot use the same license key twice, or reuse a key once the virtual machine has been registered with Cloudflare. You need a new key from your account team for every new Virtual Appliance.

12. Select **Save** to finish configuring your Virtual Appliance.
13. Continue setup in your [Cloudflare dashboard](#set-up-cloudflare-dashboard).

### Proxmox Virtual Environment (beta)

**1\. Obtain the Virtual Appliance script**

Contact your account team at Cloudflare to obtain your license keys and the Virtual Appliance script for Proxmox. The script will set up and configure a Proxmox virtual machine with the appropriate settings for Virtual Appliance. For details on system requirements, refer to [Prerequisites](#prerequisites).

The script can be deployed multiple times to create several instances of a Virtual Appliance, in different locations or on the same Proxmox host. You will consume one license key for each instance created. For example, if you want to deploy 10 Virtual Appliances you should request 10 license keys, and your account team will create 10 Virtual Appliance instances in your Cloudflare dashboard.

**2\. Deploy the Virtual Appliance on Proxmox**

The following instructions assume you already have Proxmox Virtual Environment installed with sufficient resources. For details, refer to [Prerequisites](#prerequisites).

1. In the terminal prompt of your Proxmox server, load the script provided by your account team. For example: `bash YOUR_SCRIPT`. You need elevated privileges to run the script.
2. You will be prompted to create a new Virtual Appliance. Select **yes** to proceed.
3. Set up your Virtual Appliance name.
4. Enter your license key.

Note

You cannot use the same license key twice, or reuse a key once the virtual machine has been registered with Cloudflare. You need a new key from your account team for every new Virtual Appliance.

5. Select the network interface card (NIC) you want to use with Virtual Appliance.
6. Select the network bridge that corresponds to the physical network interface card (NIC) on your host machine. This bridge allows the network adapter in the virtual machine to communicate through the NIC in the host, as if it were directly connected to the physical network.
7. (Optional) Configure your VLAN setting if needed.

VLAN tagging

Virtual Appliance supports creating subinterfaces through the use of [802.1Q VLAN tagging ↗](https://en.wikipedia.org/wiki/IEEE%5F802.1Q).

Use VLAN ID `0` when:

* Connected to a Port Group or Distributed Port Group that is associated with a specific VLAN.
* Connected to a Port Group or Distributed Port Group that is configured as a trunk that requires untagged packets.

You can also configure subinterfaces on the Virtual Appliance by associating the network interface with a Port Group or Distributed Port Group trunk and specifying a VLAN ID in addition to the port associated with the network interface (VLAN ID `1`\-`4094`).

Refer to [Proxmox documentation](https://www.proxmox.com/en/products/proxmox-virtual-environment/get-started) for more information.

8. Finish your configuration.
9. The script will apply your settings and configure the virtual machine template for Virtual Appliance.
10. In the **Hardware settings** for the new VM, make sure the hardware settings match the minimum requirements for running Virtual Appliance. Make changes to the RAM and CPU if needed.
11. Continue setup in your [Cloudflare dashboard](#set-up-cloudflare-dashboard).

---

## Set up Cloudflare dashboard

### Create a new profile

You need to create a profile for your appliance before connecting it to the Internet.

To create a profile:

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Networks**.
2. Go to **Connectors** \> **Appliances** \> **Create a profile**.
3. In **Name**, enter a descriptive name for your Virtual Appliance. Optionally, you can also add a description for it.
4. Decide whether you want to turn on high availability for the Virtual Appliance. For details, refer to [About high availability configurations](#about-high-availability-configurations).
5. Select **Create and continue**.
6. Select **Add Appliance**. This will display a list of devices associated with your account. For a Virtual Appliance to show up you need to:  
   * **VMWare:** Have already obtained your OVA package and license keys.  
   * **Proxmox:** Have already obtained your Virtual Appliance script and license keys.  
   For more information, refer to [Configure a virtual machine](#configure-a-virtual-machine) and select the appropriate tab.
7. If you have more than one Virtual Appliance, choose the one that corresponds to the on-ramp you are creating. Virtual Appliance devices are identified by a serial number, also known as a service tag. Use this information to choose the right Virtual Appliance. Select **Add Appliance** when you are ready to proceed.
8. Virtual Appliance will be added to your account with an **Interrupt window** defined. The interrupt window is the time period when the Virtual Appliance software can update, which may result in interruption to existing connections. You can change this later. Refer to [Interrupt window](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/interrupt-service-window/) for more details on how to define when the Virtual Appliance can update its systems.
9. Select **Continue** to proceed to creating your WAN and LAN networks.

### Create a WAN

#### Dashboard

When you have more than one anycast IP configured in your account (set up during your Cloudflare WAN (formerly Magic WAN) onboarding), Virtual Appliance will automatically create at most two tunnels per WAN port. This improves reliability and performance, and requires no additional configuration on your part.

1. In **WAN configuration**, select **Create**. You can create one or more [wide area networks (WANs) ↗](https://www.cloudflare.com/learning/network-layer/what-is-a-wan/). Configuring multiple WANs will create multiple IPsec tunnels (one IPsec tunnel per WAN port). This allows Virtual Appliance to load balance traffic over WANs of equal priority. It also allows Virtual Appliance to failover between circuits according to their [health](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/tunnel-health-checks/). Refer to [WAN settings](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#wan-settings) for more details.  
Note  
This is not the same as a high availability (HA) configuration. HA configurations need two Virtual Appliance devices to work. For details, refer to [About high availability configurations](#about-high-availability-configurations).
2. In **Interface name**, enter a descriptive name for your WAN.
3. **Interface number** needs to correspond to the virtual network interface on the Virtual Appliance instance you have set up in VMware. Following our example from the previous steps, you need to choose port `1` since that is what corresponds to the `eno1` port we set up in VMware.
4. In **VLAN ID**, enter a number between `0` and `4094` to specify a [VLAN ID](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#vlan-id).
5. In **Priority**, choose the priority for your WAN. Lower numbers have higher priority. For details on how Cloudflare calculates priorities, refer to [Traffic steering](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/).
6. In **Health check rate** configure the health check frequency for your site. Options are `low`, `mid`, and `high`. For details, refer to [Update tunnel health checks frequency](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/update-tunnel-health-checks-frequency/).
7. **Addressing**: Select **DHCP**. This is needed the first time you set up your Virtual Appliance to successfully download all settings to the machine and activate it. If you need a static IP address in your network environment:  
   1. Continue the setup flow to activate your Virtual Appliance.  
   2. Refer to [WAN with a static IP address](#wan-with-a-static-ip-address). If you choose a static IP, you also need to specify the static IP and gateway addresses.
8. Select **Save** when you are finished.

#### API

Note

You will need your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and [API token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/) to use the API.

Make a `POST` request [using the API](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/sites/subresources/wans/methods/create/) to create a WAN.

The `static_addressing` object is optional. Omit it if you are using DHCP. If you are using static addressing, add the `secondary_address` parameter when your site is in high availability (HA) mode.

Example:

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/wans \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "name": "<YOUR_WAN_NAME>",
  "physport": 1,
  "priority": 0,
  "vlan_tag": 0
}'
```

### Create a LAN

#### Dashboard

1. In **LAN configuration**, select **Create**.
2. Enter a descriptive name for your LAN in **Interface name**.
3. **Interface number** needs to correspond to the virtual LAN interface on the Virtual Appliance instance you have set up in VMware. Following our example from the previous steps, you need to choose port `2` since that is what corresponds to the `eno2` port we set up in VMware.
4. In **VLAN ID**, specify a [VLAN ID](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#vlan-id) to create virtual LANs.
5. In **Static addressing** \> **Static address** give your Virtual Appliance's LAN interface its IP address. You can also enable the following options if they suit your use case:  
   * **This is a DHCP server**: If your Virtual Appliance is a [DHCP server](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-server/).  
   * **This is a DHCP relay**: If your Virtual Appliance is a [DHCP relay](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-relay/).
6. (Optional) In **Directly attached subnet** \> **Static NAT prefix**, enter a CIDR prefix to enable NAT (network address translation). The prefix you enter here should be the same size as the prefix entered in **Static addressing**. For example, both networks have a subnet mask of `/24`: `192.168.100.0/24` and `10.10.100.0/24`.
7. (Optional) If your LAN contains additional subnets behind a layer 3 router, select **Add routed subnet** under **Routed subnets** to add them:  
   * **Prefix**: The CIDR prefix for the subnet behind the L3 router.  
   * **Next hop**: The address of the L3 router to which the Virtual Appliance should forward packets for this subnet.  
   * **Static NAT prefix**: Optional setting. If you want to enable NAT for a routed subnet, supply an "external" prefix for the overlay-facing side of the NAT to use. It must be the same size as **Prefix**.  
    For details, refer to [Routed subnets](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/routed-subnets/).
8. Select **Save**.
9. Select **Done** to finish your configuration. Tunnels and static routes will be automatically created for your Virtual Appliance, once it boots up.

#### API

Note

You will need your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) and [API token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/) to use the API.

Make a `POST` request [using the API](https://developers.cloudflare.com/api/resources/magic%5Ftransit/subresources/sites/subresources/lans/methods/create/) to create a LAN.

Example:

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/lans \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "name": "<YOUR_LAN_NAME>",
  "physport": 2,
  "static_addressing": {
    "address": "172.16.14.0/24"
  },
  "vlan_tag": 0
}'
```
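The WAN and LAN API calls above are easy to get wrong by hand: a VLAN ID outside `0`-`4094`, a static NAT prefix that is a different size from the LAN prefix, or a routed-subnet next hop that is not actually on the LAN are all accepted by a text editor and rejected, or silently misrouted, later. The following added example (not Cloudflare's own code) builds the WAN and LAN request bodies in Python, applies those checks before anything is sent, and posts with a scoped API token in an `Authorization: Bearer` header, as the Note above recommends. `name`, `physport`, `priority`, `vlan_tag` and `static_addressing.address` are the field names from the page's curl examples; `static_addressing.gateway_address`, `nat.static_prefix` and the `routed_subnets` list shape are assumptions to verify against the API reference before relying on them.

```python
"""Build and sanity-check Cloudflare WAN/LAN payloads for the sites API.

Added example, not Cloudflare's code. name, physport, priority, vlan_tag and
static_addressing.address come from the page's curl examples. Assumed field
names (verify against the API reference): static_addressing.gateway_address,
nat.static_prefix and the routed_subnets list shape.
"""
import ipaddress
import json
import urllib.request
from typing import Optional

API_BASE = "https://api.cloudflare.com/client/v4"


def _check_vlan(vlan_tag: int) -> None:
    # The dashboard accepts VLAN IDs 0-4094; 0 means untagged.
    if not 0 <= vlan_tag <= 4094:
        raise ValueError(f"vlan_tag {vlan_tag} is outside 0-4094")


def _same_prefix_len(a: str, b: str, what: str) -> None:
    # A static NAT prefix must be the same size as the prefix it translates (e.g. both /24).
    la = ipaddress.ip_network(a, strict=False).prefixlen
    lb = ipaddress.ip_network(b, strict=False).prefixlen
    if la != lb:
        raise ValueError(f"{what}: {a} (/{la}) and {b} (/{lb}) differ in prefix length")


def build_wan(name: str, physport: int, priority: int = 0, vlan_tag: int = 0,
              static_address: Optional[str] = None, gateway: Optional[str] = None) -> dict:
    """WAN payload. Leave static_address unset (DHCP) for the first activation."""
    _check_vlan(vlan_tag)
    payload = {"name": name, "physport": physport, "priority": priority, "vlan_tag": vlan_tag}
    if static_address:
        if gateway is None:
            raise ValueError("a static WAN address also needs a gateway address")
        iface = ipaddress.ip_interface(static_address)
        gw = ipaddress.ip_address(gateway)
        if gw not in iface.network:  # the gateway must be reachable on the WAN subnet
            raise ValueError(f"gateway {gw} is not inside {iface.network}")
        payload["static_addressing"] = {"address": str(iface), "gateway_address": str(gw)}  # assumed key
    return payload


def build_lan(name: str, physport: int, address: str, vlan_tag: int = 0,
              static_nat_prefix: Optional[str] = None,
              routed_subnets: Optional[list] = None) -> dict:
    """LAN payload with optional static NAT and routed subnets behind an L3 router."""
    _check_vlan(vlan_tag)
    iface = ipaddress.ip_interface(address)
    payload = {"name": name, "physport": physport, "vlan_tag": vlan_tag,
               "static_addressing": {"address": str(iface)}}
    if static_nat_prefix:
        _same_prefix_len(str(iface.network), static_nat_prefix, "static NAT prefix")
        payload["nat"] = {"static_prefix": static_nat_prefix}  # assumed shape
    if routed_subnets:
        checked = []
        for rs in routed_subnets:
            net = ipaddress.ip_network(rs["prefix"])
            next_hop = ipaddress.ip_address(rs["next_hop"])
            if next_hop not in iface.network:  # the L3 router must sit on the attached subnet
                raise ValueError(f"next hop {next_hop} is not on {iface.network}")
            entry = {"prefix": str(net), "next_hop": str(next_hop)}
            if rs.get("static_nat_prefix"):
                _same_prefix_len(str(net), rs["static_nat_prefix"], f"routed subnet {net}")
                entry["nat"] = {"static_prefix": rs["static_nat_prefix"]}  # assumed shape
            checked.append(entry)
        payload["routed_subnets"] = checked
    return payload


def post_site_resource(account_id: str, site_id: str, kind: str, payload: dict, api_token: str) -> dict:
    """POST a WAN ('wans') or LAN ('lans') to the site using a scoped API token."""
    if kind not in ("wans", "lans"):
        raise ValueError("kind must be 'wans' or 'lans'")
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/magic/sites/{site_id}/{kind}",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

A typical first run is `post_site_resource(account_id, site_id, "wans", build_wan("wan0", 1), token)` with no static address, matching the DHCP-first activation the dashboard steps require; the static variant is only used after the appliance has activated.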

#### Network segmentation

After setting up your LANs, you can configure your Virtual Appliance to enable communication between them without traffic leaving your premises. For details, refer to [Network segmentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/network-segmentation/).

#### DHCP options

Virtual Appliance supports different types of DHCP configurations. Virtual Appliance can:

* Connect to a DHCP server or use a static IP address instead of connecting to a DHCP server.
* Act as a [DHCP server](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-server/).
* Use [DHCP relay](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-relay/) to connect to a DHCP server outside the location your Virtual Appliance is in.
* [Reserve IP addresses](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-static-address-reservation/) for specific devices on your network.

### Add your Virtual Appliance to a site

After finishing your Virtual Appliance configuration, you need to add it to a site. 

Sites represent the local network of a data center, office, or other physical location, and combine all on-ramps available there. Sites also allow you to check, at a glance, the state of your on-ramps and set up health alert settings so that Cloudflare notifies you when there are issues with the site's on-ramps.

Refer to [Set up a site](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/common-settings/sites/) for more information.

## Activate appliance

Virtual Appliance is deactivated after you install it, and will only establish a connection to the Cloudflare network when it is activated. Cloudflare recommends leaving it deactivated until you finish [setting it up in the dashboard](#set-up-cloudflare-dashboard).

When the Virtual Appliance is first activated, one of the ports must be connected to the Internet through a device that supports DHCP. This is required so that the Virtual Appliance can reach the Cloudflare global network and download the required configurations that you [set up](#set-up-cloudflare-dashboard).

Warning 

Remember to connect Virtual Appliance through a route that supports DHCP for its first connection to the Internet. Otherwise, Virtual Appliance will not work.

When you are ready to connect your Virtual Appliance to the Cloudflare network:

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Networks**.
2. Go to **Connectors** \> **Appliances**.
3. Find the Virtual Appliance you want to activate, select the three dots next to it > **Edit**. Make sure you verify the serial number to choose the right Virtual Appliance you want to activate.
4. In the new window, the **Status** dropdown will show as **Deactivated**. Select it to change the status to **Activated**.
5. The **Interrupt window** is the time period when the Virtual Appliance software can update, which may result in interruption to existing connections. Choose a time period to minimize disruption to your sites. For details on defining when the Virtual Appliance can update its systems, refer to [Interrupt window](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/interrupt-service-window/).
6. Select **Update**.

## Boot your Virtual Appliance

### Default password to access Virtual Appliance

Your Virtual Appliance's default password is the last seven characters of your license key, all uppercase, plus an `!` (exclamation mark).

For example, if your license key is `mconn-abcdefghijklmnopqrstuvwxyz`, your default password will be `TUVWXYZ!`.

---

## WAN with a static IP address

After activating your device, you can use it in a network configuration with the WAN interface set to a static IP address - that is, an Internet configuration that is not automatically set by DHCP. To use your Virtual Appliance on a network configuration with a static IP, follow these steps:

Warning 

Make sure you complete the setup workflow and activate your Virtual Appliance before changing the WAN settings to a static IP.

1. Connect the machine where you installed the VM with Virtual Appliance to a DHCP port with access to the Internet.
2. [Create a new profile](#create-a-new-profile) in the dashboard.
3. Create a [DHCP WAN](#create-a-wan).
4. [Activate](#activate-appliance) and boot your Virtual Appliance.
5. Wait 60 seconds.
6. Change the [WAN settings](#create-a-wan) in the dashboard to a static IP setup.
7. Wait 60 seconds again.
8. Modify your [Port Groups](#configure-a-virtual-machine) as needed to change the source from which the WAN port obtains its IP address.
9. Reboot your virtual machine.

---

## About high availability configurations

You need to install two Virtual Appliances before you can set up a site in high availability. When you set up a site in high availability, the WANs and LANs in your Virtual Appliance have the same configuration but are replicated on two nodes. In case of failure of one of the devices, the other device becomes the active node, taking over the configuration of the LAN gateway IP and allowing traffic to continue without disruption.

Because Virtual Appliances in high availability configurations share a single site, you need to set up:

* **Static address**: The IP for the primary node in your site.
* **Secondary static address**: The IP for the secondary node in your site.
* **Virtual static address**: The IP that the LAN south of the Virtual Appliance device will forward traffic to, which is the LAN's gateway IP.

Make sure all IPs are part of the same subnet.

For detailed information about the expected behavior of high availability configurations, refer to the [High availability configurations](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/#high-availability-configurations) reference page.

### Create a high availability configuration

You cannot enable high availability for an existing site. To add high availability to an existing site in the Cloudflare dashboard, you need to delete the site and start again.

To set up a high availability configuration:

1. Follow the steps in [Create a new profile](#create-a-new-profile) up until step 4.
2. After naming your site, select **Turn on high availability**.
3. Select **Create and continue**.
4. Select **Add Appliance**.
5. From the list, choose your first Virtual Appliance > **Add Appliance**.
6. Back on the previous screen, select **Add secondary appliance**.
7. From the list, choose your second Virtual Appliance > **Add Appliance**.
8. Select **Continue** to create a WAN. If you are configuring a static IP, configure the IP for the primary node as the static address, and the IP for the secondary node as the secondary static address.
9. To create a LAN, follow the steps in [Create a LAN](#create-a-lan) up until step 4.
10. In **Static address**, enter the IP for the primary node in your site. For example, `192.168.10.1/24`.
11. In **Secondary static address**, enter the IP for the secondary node in your site. For example, `192.168.10.2/24`.
12. In **Virtual static address**, enter the IP that the LAN south of the Virtual Appliance device will forward traffic to. For example, `192.168.10.3/24`.
13. Select **Save**.
14. From the **High availability probing link** drop-down menu, select the port that should be used to monitor the node's health. Cloudflare recommends you choose a reliable interface as the HA probing link. The primary and secondary node's probing link should be connected over a switch, and cannot be a direct connection.
15. Follow the instructions in [Activate appliance](#activate-appliance) to finish setting up your Appliances.
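The three LAN addresses an HA site needs (primary, secondary and virtual) must all sit in the same subnet, and the virtual address is the one LAN hosts use as their gateway, so a typo here takes the whole LAN offline rather than one node. The following added example (not Cloudflare's code) checks those constraints and returns the `static_addressing` object for the LAN API call. `address` and `secondary_address` are the field names the API notes on this page use; `virtual_address` is an assumed name for the dashboard's **Virtual static address** field.

```python
"""Validate the HA LAN addresses before saving them.

Added example, not Cloudflare's code. `address` and `secondary_address` are the
API field names mentioned on the page; `virtual_address` is an assumed key for
the dashboard's "Virtual static address".
"""
import ipaddress


def ha_static_addressing(primary: str, secondary: str, virtual: str) -> dict:
    """Return the static_addressing object for an HA LAN, or raise ValueError."""
    ifaces = [ipaddress.ip_interface(a) for a in (primary, secondary, virtual)]

    # All three must be in one subnet (same network and same prefix length).
    networks = {i.network for i in ifaces}
    if len(networks) != 1:
        raise ValueError(f"HA addresses span different subnets: {sorted(map(str, networks))}")
    net = ifaces[0].network

    # The node IPs and the gateway IP must be three distinct hosts.
    hosts = [i.ip for i in ifaces]
    if len(set(hosts)) != 3:
        raise ValueError("primary, secondary and virtual addresses must be distinct")

    # None of them may be the network or broadcast address of the subnet.
    for h in hosts:
        if h in (net.network_address, net.broadcast_address):
            raise ValueError(f"{h} is the network or broadcast address of {net}")

    return {
        "address": str(ifaces[0]),
        "secondary_address": str(ifaces[1]),
        "virtual_address": str(ifaces[2]),  # assumed key name
    }


def lan_gateway_for_hosts(static_addressing: dict) -> str:
    """The address LAN hosts should use as their default gateway: the virtual one."""
    return str(ipaddress.ip_interface(static_addressing["virtual_address"]).ip)
```

Hosts on the LAN are configured with the address returned by `lan_gateway_for_hosts`, never a node's own address, so that a failover does not require any change on the hosts.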

---

## IPsec tunnels and static routes

Virtual Appliance automatically creates [IPsec tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/#ipsec-tunnels) and [static routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/) for you. You cannot configure these manually.

To check the IPsec tunnels and static routes created by your Virtual Appliance:

1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Connectors**.
2. In **Cloudflare WAN** you can inspect the IPsec tunnels created by your Virtual Appliance.
3. In **Routes** you can inspect the static routes created by your Virtual Appliance.

---

## Next steps

* [Network options](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/network-options/)
* [Maintenance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/maintenance/)
* [Reference information](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/reference/)
* [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/troubleshooting/)


---

---
title: Device metrics
description: Device metrics in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---


# Device metrics

Cloudflare customers can inspect metrics for a specific Cloudflare One Appliance (formerly Magic WAN Connector) in the Cloudflare dashboard. These metrics help you troubleshoot potential issues with your Cloudflare One Appliance. For details, refer to [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliance/troubleshooting/).

## Query metrics with GraphQL

Customers can query Cloudflare's GraphQL API to fetch their Cloudflare One Appliance device metrics. The Cloudflare dashboard displays Cloudflare One Appliance device metrics over the past one hour. Via the GraphQL API, customers can query for up to 30 days of historical Cloudflare One Appliance device metrics.

For example:

```graphql
query telemetry(
  $accountTag: string
  $snapshotsFilter: AccountMconnTelemetrySnapshotsAdaptiveGroupsFilter_InputObject!
  $snapshotMountsFilter: AccountMconnTelemetrySnapshotMountsAdaptiveGroupsFilter_InputObject!
  $snapshotThermalsFilter: AccountMconnTelemetrySnapshotThermalsAdaptiveGroupsFilter_InputObject!
  $limit: int64!
) {
  viewer {
    accounts(filter: { accountTag: $accountTag }) {
      snapshots: mconnTelemetrySnapshots(
        filter: $snapshotsFilter
        limit: $limit
        orderBy: [datetimeFiveMinutes_DESC]
      ) {
        max {
          cpuCount
          loadAverage1m
          memoryFreeBytes
          memoryTotalBytes
        }
        dimensions {
          connectorId
          datetimeFiveMinutes
        }
      }
      snapshotMounts: mconnTelemetrySnapshotMounts(
        filter: $snapshotMountsFilter
        limit: $limit
        orderBy: [datetimeFiveMinutes_DESC]
      ) {
        max {
          availableBytes
          totalBytes
        }
        dimensions {
          connectorId
          datetimeFiveMinutes
        }
      }
      snapshotThermals: mconnTelemetrySnapshotThermals(
        filter: $snapshotThermalsFilter
        limit: $limit
        orderBy: [datetimeFiveMinutes_DESC, connectorId_DESC]
      ) {
        max {
          currentCelsius
        }
        dimensions {
          connectorId
          datetimeFiveMinutes
        }
      }
    }
  }
}
```
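The query above returns raw counters per five-minute bucket; what an operator usually wants is the current memory and disk headroom, load per CPU and the peak temperature for each connector over the window. The following added example (not Cloudflare's code) sends the page's query with a 30-day time window and reduces the response to that per-connector summary. The GraphQL endpoint and the query text are from Cloudflare; the filter field names (`datetimeFiveMinutes_geq`, `datetimeFiveMinutes_leq`, `connectorId`) and the `{max, dimensions}` row shape are assumptions to confirm in the GraphQL API Explorer, and the sample response is constructed for the offline run.

```python
"""Fetch Cloudflare One Appliance telemetry over GraphQL and summarise it per connector.

Added example, not Cloudflare's code. QUERY is the page's query (compacted).
Assumed: the filter objects accept datetimeFiveMinutes_geq/_leq and connectorId,
and each row is {"max": {...}, "dimensions": {...}}. SAMPLE_RESPONSE is constructed.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPHQL_URL = "https://api.cloudflare.com/client/v4/graphql"

QUERY = """
query telemetry($accountTag: string, $snapshotsFilter: AccountMconnTelemetrySnapshotsAdaptiveGroupsFilter_InputObject!,
  $snapshotMountsFilter: AccountMconnTelemetrySnapshotMountsAdaptiveGroupsFilter_InputObject!,
  $snapshotThermalsFilter: AccountMconnTelemetrySnapshotThermalsAdaptiveGroupsFilter_InputObject!, $limit: int64!) {
  viewer { accounts(filter: { accountTag: $accountTag }) {
    snapshots: mconnTelemetrySnapshots(filter: $snapshotsFilter, limit: $limit, orderBy: [datetimeFiveMinutes_DESC]) {
      max { cpuCount loadAverage1m memoryFreeBytes memoryTotalBytes } dimensions { connectorId datetimeFiveMinutes } }
    snapshotMounts: mconnTelemetrySnapshotMounts(filter: $snapshotMountsFilter, limit: $limit, orderBy: [datetimeFiveMinutes_DESC]) {
      max { availableBytes totalBytes } dimensions { connectorId datetimeFiveMinutes } }
    snapshotThermals: mconnTelemetrySnapshotThermals(filter: $snapshotThermalsFilter, limit: $limit,
      orderBy: [datetimeFiveMinutes_DESC, connectorId_DESC]) {
      max { currentCelsius } dimensions { connectorId datetimeFiveMinutes } }
  } }
}
"""


def build_variables(account_tag: str, connector_id: str, days: int = 30, limit: int = 10000) -> dict:
    """Variables for QUERY covering the last `days` days (the API allows up to 30)."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    fmt = lambda t: t.isoformat().replace("+00:00", "Z")
    window = {"datetimeFiveMinutes_geq": fmt(now - timedelta(days=days)),  # assumed filter keys
              "datetimeFiveMinutes_leq": fmt(now), "connectorId": connector_id}
    return {"accountTag": account_tag, "snapshotsFilter": window, "snapshotMountsFilter": window,
            "snapshotThermalsFilter": window, "limit": limit}


def run_query(api_token: str, variables: dict) -> dict:
    """POST the query with a scoped API token; returns the decoded JSON body."""
    req = urllib.request.Request(
        GRAPHQL_URL, data=json.dumps({"query": QUERY, "variables": variables}).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def summarise(result: dict) -> dict:
    """Per connector: latest memory/load/disk figures and the peak temperature in the window."""
    if result.get("errors"):
        raise RuntimeError(f"GraphQL errors: {result['errors']}")
    acct = result["data"]["viewer"]["accounts"][0]
    out: dict = {}

    def latest(rows):
        # Newest row per connector; ISO-8601 UTC timestamps sort correctly as strings.
        best = {}
        for r in rows:
            cid, ts = r["dimensions"]["connectorId"], r["dimensions"]["datetimeFiveMinutes"]
            if cid not in best or ts > best[cid]["dimensions"]["datetimeFiveMinutes"]:
                best[cid] = r
        return best

    for cid, r in latest(acct["snapshots"]).items():
        m = r["max"]
        d = out.setdefault(cid, {})
        d["memory_used_pct"] = round(100 * (1 - m["memoryFreeBytes"] / m["memoryTotalBytes"]), 1)
        d["load_per_cpu"] = round(m["loadAverage1m"] / m["cpuCount"], 3)
    for cid, r in latest(acct["snapshotMounts"]).items():
        m = r["max"]
        out.setdefault(cid, {})["disk_free_pct"] = round(100 * m["availableBytes"] / m["totalBytes"], 1)
    for r in acct["snapshotThermals"]:
        d = out.setdefault(r["dimensions"]["connectorId"], {})
        t = r["max"]["currentCelsius"]
        d["max_temp_c"] = max(t, d.get("max_temp_c", t))
    return out


# Constructed sample response with the shape this code expects (not real telemetry).
SAMPLE_RESPONSE = {"data": {"viewer": {"accounts": [{
    "snapshots": [
        {"max": {"cpuCount": 4, "loadAverage1m": 2.5, "memoryFreeBytes": 1_000_000_000,
                 "memoryTotalBytes": 4_000_000_000},
         "dimensions": {"connectorId": "mconn-example-1", "datetimeFiveMinutes": "2024-01-03T12:05:00Z"}},
        {"max": {"cpuCount": 4, "loadAverage1m": 1.0, "memoryFreeBytes": 2_000_000_000,
                 "memoryTotalBytes": 4_000_000_000},
         "dimensions": {"connectorId": "mconn-example-1", "datetimeFiveMinutes": "2024-01-03T12:00:00Z"}}],
    "snapshotMounts": [
        {"max": {"availableBytes": 5_000_000_000, "totalBytes": 50_000_000_000},
         "dimensions": {"connectorId": "mconn-example-1", "datetimeFiveMinutes": "2024-01-03T12:05:00Z"}}],
    "snapshotThermals": [
        {"max": {"currentCelsius": 61.0},
         "dimensions": {"connectorId": "mconn-example-1", "datetimeFiveMinutes": "2024-01-03T12:05:00Z"}},
        {"max": {"currentCelsius": 72.5},
         "dimensions": {"connectorId": "mconn-example-1", "datetimeFiveMinutes": "2024-01-03T11:00:00Z"}}],
}]}}, "errors": None}
```

Against a live account the flow is `summarise(run_query(token, build_variables(account_tag, connector_id)))`; `summarise(SAMPLE_RESPONSE)` exercises the reduction offline. The dashboard only shows the last hour, so this is the path to the 30-day history the text mentions.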


### Average CPU load explained

The metric `average CPU load` is unique and distinctly different from `CPU utilization` which is another common CPU metric. The Cloudflare One Appliance uses a [Unix-style CPU load calculation ↗](https://en.wikipedia.org/wi