Emergency Disconnect
Emergency disconnect allows organizations and administrators to disconnect and reconnect their fleet of Cloudflare One Clients (formerly WARP) independently from Cloudflare infrastructure. For example, in the event of a Cloudflare network outage, you can still manage your devices even if Cloudflare's systems are down or unreachable.
Two mechanisms are available:
- External Emergency Disconnect: Cloudflare One Clients periodically poll a customer-hosted HTTPS endpoint for a disconnect signal. This requires network connectivity to your endpoint but works even when Cloudflare infrastructure is unreachable.
- Local Emergency Disconnect: The Cloudflare One Client monitors a local JSON file on the device for a disconnect signal. This does not require any network connectivity and is useful for disaster recovery scenarios where both Cloudflare and your own infrastructure may be unreachable.
Emergency disconnect can also be used in combination with the dashboard-initiated Disconnect the Cloudflare One Client on all devices setting. You can use any mechanism individually or together for multi-layer resilience. A disconnect signal from any source triggers disconnect; all sources must indicate normal operation for the client to reconnect. For details on how these settings interact, refer to Device client settings precedence.
- Security Incident Response: Quickly terminate all WARP tunnels across the entire fleet.
- Compliance and Auditing: Fulfill requirements in sensitive or regulated environments that mandate an "emergency stop" capability that is fully isolated, auditable, and controlled by the organization's own infrastructure.
- Disaster Recovery: If devices cannot reach Cloudflare's API (due to a network outage, routing issue, or client-side misconfiguration), administrators retain the ability to force-disconnect the fleet via the customer-hosted endpoint or a local signal file.
- Business Continuity Planning (BCP): Trigger emergency disconnect from local BCP scripts even when both Cloudflare and your own infrastructure are unreachable.
- Local Automation: Integrate with configuration management tools (Ansible, Puppet, Chef) or monitoring agents to manage the disconnect state without maintaining an HTTPS endpoint.
Both the external endpoint response payload and the local signal file content must be valid JSON with the following format:
```
{ "emergency_disconnect": false | true }
```

- If `emergency_disconnect` is set to `true`, the device will initiate an emergency disconnect.
- If `emergency_disconnect` is set to `false`, the device will continue normal operation.
Feature availability
| Client modes | Zero Trust plans ↗ |
|---|---|
| All modes | All plans |
| System | Availability | Minimum client version |
|---|---|---|
| Windows | ✅ | 2025.10.186.0 |
| macOS | ✅ | 2025.10.186.0 |
| Linux | ✅ | 2025.10.186.0 |
| iOS | ❌ | |
| Android | ❌ | |
| ChromeOS | ❌ | |
When External Emergency Disconnect is enabled, Cloudflare One Clients will periodically poll a customer-hosted HTTPS endpoint. A client will only change its connection state if it receives a valid JSON payload with the new state. Any failure to successfully retrieve the state (such as endpoint unreachability, invalid certificate fingerprint, or an improperly structured payload) will not cause a state change on the client.
An external disconnect endpoint is an HTTPS server hosted outside of Cloudflare from which the Cloudflare One Client will fetch the emergency disconnect signal. The customer is fully responsible for managing this endpoint.
The external endpoint URL should:
- Use the HTTPS protocol.
- Use an IPv4 or IPv6 address as the host, not a domain.
- (Recommended) Use a public IP to ensure that devices can fetch the latest state regardless of their network location.
The Cloudflare One Client establishes a TLS connection using Rustls ↗. Make sure your HTTPS endpoint accepts one of the cipher suites supported by Rustls ↗.
To configure External Emergency Disconnect, you will need an HTTPS endpoint in your own infrastructure that serves the global disconnect signal. The Cloudflare One Client will poll the external endpoint and validate its TLS/SSL certificate against an SHA-256 fingerprint that you upload to Zero Trust. Refer to External endpoint requirements for more details.
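As an added example (not Cloudflare's client code and not part of this page), the following Python poller applies the same rules the client is described as following: it pins the server certificate to a SHA-256 fingerprint instead of trusting the CA store (the endpoint is addressed by IP, so there is no hostname to check), accepts only a JSON object whose `emergency_disconnect` member is a boolean, and reports "no change" on any failure so the caller keeps its current state. The host, port, path, fingerprint and the placeholder values in `__main__` are assumptions; `fingerprint_of_pem` produces the same bare uppercase hex string that the `openssl ... | tr -d :` commands below print.

```python
"""Added example (not Cloudflare's client code): a poller with the fail-safe
semantics this page describes for External Emergency Disconnect.
Assumptions: the endpoint host/port/path and the pinned fingerprint are
supplied by the caller; the values in __main__ are placeholders."""
import hashlib
import http.client
import json
import ssl
from typing import Optional


def parse_signal(body: bytes) -> Optional[bool]:
    """Return True/False for a well-formed payload, None for anything else.

    Only a JSON object whose "emergency_disconnect" member is a JSON boolean
    is accepted; strings such as "true", arrays, or missing keys are rejected.
    """
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None
    if not isinstance(doc, dict):
        return None
    value = doc.get("emergency_disconnect")
    return value if isinstance(value, bool) else None


def fingerprint_of_pem(pem_text: str) -> str:
    """SHA-256 fingerprint of a PEM certificate as uppercase hex without colons,
    the same string `openssl x509 -fingerprint -sha256 | tr -d :` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha256(der).hexdigest().upper()


def fingerprint_matches(cert_der: bytes, expected: str) -> bool:
    """Compare the presented (DER) certificate against the pinned fingerprint.
    Accepts the bare-hex form used in the dashboard and openssl's colon form."""
    wanted = expected.replace(":", "").strip().lower()
    return hashlib.sha256(cert_der).hexdigest() == wanted


def poll_signal(host: str, port: int, path: str, expected_fingerprint: str,
                timeout: float = 5.0) -> Optional[bool]:
    """Fetch the signal once.

    Returns True/False only when the server certificate matched the pin and
    the body parsed cleanly. Every other outcome (unreachable host, TLS
    failure, wrong fingerprint, non-200 status, malformed JSON) returns None,
    and the caller must keep its current state rather than change it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # host is an IP address, not a name
    ctx.verify_mode = ssl.CERT_NONE     # trust comes from the pin, not the CA store
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.connect()
        cert_der = conn.sock.getpeercert(binary_form=True)
        if not cert_der or not fingerprint_matches(cert_der, expected_fingerprint):
            return None
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return parse_signal(resp.read())
    except (OSError, http.client.HTTPException):  # ssl.SSLError and timeouts are OSError
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder values; replace with your endpoint and its real fingerprint.
    state = poll_signal("192.0.2.1", 3333, "/status/disconnect", "00" * 32)
    print("no change" if state is None else ("disconnect" if state else "normal"))
```

The three-valued return (`True`, `False`, `None`) is the point: a poller that mapped every error to `False` would silently reconnect the fleet when the endpoint went down, and one that mapped errors to `True` would let anyone who can block the endpoint disconnect the fleet.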
The following example demonstrates how to deploy an external disconnect endpoint using an nginx container in Docker.
- Generate a TLS/SSL certificate:

  ```sh
  openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout key.pem -out cert.pem
  ```

  You will be prompted to fill in Distinguished Name (DN) fields. Fill in your organization's information or press `Enter` to use the default values. The command will output a certificate in PEM format and its private key. Store these files in a secure place.

- Configure an HTTPS server on your network to use this certificate and key:

  a. Create an nginx configuration file called `nginx.conf`:

  ```nginx
  events {
      worker_connections 1024;
  }
  http {
      server {
          listen 443 ssl;
          ssl_certificate /certs/cert.pem;
          ssl_certificate_key /certs/key.pem;
          location /status/disconnect {
              default_type application/json;
              return 200 '{"emergency_disconnect": false}';
          }
      }
  }
  ```

  If needed, replace `/certs/cert.pem` and `/certs/key.pem` with the locations of your certificate and key.

  b. Add the nginx image to your Docker compose file (`docker-compose.yml`):

  ```yaml
  services:
    nginx:
      image: nginx:latest
      ports:
        - 3333:443
      volumes:
        - ./nginx.conf:/etc/nginx/nginx.conf:ro
        - ./certs:/certs:ro
  ```

  If needed, replace `./nginx.conf` and `./certs` with the locations of your nginx configuration file and certificate.

  c. Start the server:

  ```sh
  docker compose up -d
  ```

- To test that the HTTPS endpoint is working, run a curl command from the end user's device. You need to pass the `--insecure` option because we are using a self-signed certificate.

  ```sh
  curl --insecure https://<server-ip>:3333/status/disconnect
  ```

  The server responds with:

  ```json
  {"emergency_disconnect": false}
  ```
To obtain the SHA-256 fingerprint of a local certificate:

```sh
openssl x509 -noout -fingerprint -sha256 -inform pem -in cert.pem | tr -d :
```

The output will look something like:

```
SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662
```

To test connectivity and obtain the SHA-256 fingerprint of a remote server:

```sh
openssl s_client -connect <private-server-IP>:443 < /dev/null 2> /dev/null | openssl x509 -noout -fingerprint -sha256 | tr -d :
```

The output will look something like:

```
SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662
```

To configure External Emergency Disconnect using the dashboard:
- In the Cloudflare dashboard ↗, go to Zero Trust > Team & Resources > Devices > Management.
- Select Global disconnection settings.
- Find Manage device connection using an external signal and select Edit.
- Configure the following fields:
  - Endpoint IP address and port: Enter the HTTPS URL from which to fetch the external disconnect signal (for example, `https://192.0.2.1:3333/status/disconnect`). The endpoint must use HTTPS and have an IPv4 or IPv6 address as the host.
  - Polling frequency: Choose how often the Cloudflare One Client should fetch the external disconnect signal.
  - Certificate fingerprint: Enter the SHA-256 fingerprint of the HTTPS server certificate (for example, `DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662`).
- Select Save.
- Turn on Manage device connection using an external signal.
All Cloudflare One Clients in your organization will now start polling the external endpoint and connect or disconnect based on the response payload.
To configure External Emergency Disconnect using the API, send a PATCH request to the /devices/settings endpoint:
Required API token permissions: at least one of the following token permissions is required: Zero Trust Write.

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/settings" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_url": "https://192.0.2.1:3333/status/disconnect",
    "external_emergency_signal_fingerprint": "DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662",
    "external_emergency_signal_interval": "1m"
  }'
```

To configure External Emergency Disconnect using an MDM, add the following parameters to your MDM file:

```xml
<key>external_emergency_signal_url</key>
<string>https://192.0.2.1:3333/status/disconnect</string>
<key>external_emergency_signal_fingerprint</key>
<string>DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662</string>
<key>external_emergency_signal_interval</key>
<integer>60</integer>
```

- Ensure that the Cloudflare One Client is connected.
- Ensure that the External Emergency Disconnect feature is turned on.
- In your external endpoint configuration, change `emergency_disconnect` to `true`:

  ```json
  { "emergency_disconnect": true }
  ```

- You may need to reload the server to apply changes. To reload the example `nginx` server:

  ```sh
  docker exec <container-name-or-id> nginx -s reload
  ```
The Cloudflare One Client will automatically disconnect within the configured polling interval, and the Cloudflare One Client GUI will display Admin directed disconnect. To reconnect all devices, change emergency_disconnect back to false.
Feature availability
| Client modes | Zero Trust plans ↗ |
|---|---|
| All modes | All plans |
| System | Availability | Minimum client version |
|---|---|---|
| Windows | ✅ | 2026.5.0 |
| macOS | ✅ | 2026.5.0 |
| Linux | ✅ | 2026.5.0 |
| iOS | ❌ | |
| Android | ❌ | |
| ChromeOS | ❌ | |
Local Emergency Disconnect allows organizations to trigger an emergency disconnect on the device itself, without requiring network access to any remote infrastructure. The Cloudflare One Client monitors a local JSON file at a fixed, admin-writable path. When the file contains a disconnect signal, the client enters the emergency disconnect state. Local scripts, configuration management tools (such as Ansible, Puppet, or Chef), or monitoring agents can create or modify the signal file directly on the device.
The Cloudflare One Client monitors a fixed file path that requires administrative privilege to modify. The path is not configurable.
| Operating system | File path |
|---|---|
| Windows | %PROGRAMDATA%\Cloudflare\emergency_disconnect.json |
| macOS | /Library/Application Support/Cloudflare/emergency_disconnect.json |
| Linux | /var/lib/cloudflare-warp/emergency_disconnect.json |
The signal file uses the same JSON format as the external HTTPS endpoint. If the file does not exist, the client treats it as normal operation (false). If the file contains invalid JSON, the client logs an error and does not change state. The client reacts to file changes within 30 seconds.
To enable the feature, deploy the `local_emergency_signal_enabled` parameter via your MDM. Add the following to your MDM file:

```xml
<key>local_emergency_signal_enabled</key>
<true />
```

The Cloudflare One Client will begin monitoring the signal file path once the MDM setting is applied. Configuration changes take effect without requiring a client restart.
- Ensure that the Cloudflare One Client is connected.
- Ensure that Local Emergency Disconnect is turned on.
- Create the signal file at the appropriate path for your operating system with the following content:

  macOS:

  ```sh
  sudo tee "/Library/Application Support/Cloudflare/emergency_disconnect.json" <<< '{"emergency_disconnect": true}'
  ```

  Windows: open an elevated PowerShell prompt and run:

  ```powershell
  Set-Content -Path "$env:PROGRAMDATA\Cloudflare\emergency_disconnect.json" -Value '{"emergency_disconnect": true}'
  ```

  Linux:

  ```sh
  sudo tee /var/lib/cloudflare-warp/emergency_disconnect.json <<< '{"emergency_disconnect": true}'
  ```

The Cloudflare One Client will automatically disconnect within 30 seconds, and the Cloudflare One Client GUI will display Admin directed disconnect.

To reconnect, change `emergency_disconnect` to `false` or remove the file:

macOS:

```sh
sudo rm "/Library/Application Support/Cloudflare/emergency_disconnect.json"
```

Windows:

```powershell
Remove-Item "$env:PROGRAMDATA\Cloudflare\emergency_disconnect.json"
```

Linux:

```sh
sudo rm /var/lib/cloudflare-warp/emergency_disconnect.json
```

Since emergency disconnect signals from external endpoints and local files are independent from Cloudflare's infrastructure, these disconnects are not logged by Cloudflare. Dashboard logs will only report changes to feature settings (such as turning on/off the feature or changing the endpoint URL), not disconnection events.
To get the current emergency disconnect status on a device, run:

```sh
warp-cli settings
```

The merged configuration includes the emergency disconnect state, for example:

```
Merged configuration:
(override) Emergency disconnect: true (issued @ 2025-12-09T13:57:42.597864Z)
```

The current status is also available in client diagnostic logs in `warp-settings.txt`.
If the external endpoint becomes unavailable or serves an invalid configuration, Cloudflare One Clients can get stuck in the emergency disconnect state. You can recover clients by removing their External Emergency Disconnect configuration:
- In the Cloudflare dashboard ↗, go to Zero Trust > Team & Resources > Devices > Management.
- Select Global disconnection settings.
- Turn off Manage device connection using an external signal.
Cloudflare will propagate the new setting to clients, instructing them to stop polling and discard the cached emergency state.
Send a PATCH request with the endpoint URL and fingerprint set to empty strings:

Required API token permissions: at least one of the following token permissions is required: Zero Trust Write.

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/settings" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "external_emergency_signal_enabled": false,
    "external_emergency_signal_url": "",
    "external_emergency_signal_fingerprint": "",
    "external_emergency_signal_interval": "1m"
  }'
```

Cloudflare will propagate the new settings to clients, instructing them to stop polling and discard the cached emergency state.
If you deployed External Emergency Disconnect using an MDM, remove the external_emergency_signal_url key (and other related keys) from the MDM profile. Then, use your MDM to push the changes to devices. The Cloudflare One Client will stop polling the external endpoint and discard its cached emergency state.
Alternatively, users can switch the Cloudflare One Client to a different MDM configuration that does not have the feature configured.
To clear the local emergency disconnect state:

- Remove or update the signal file so that `emergency_disconnect` is `false`.
- Alternatively, remove the `local_emergency_signal_enabled` key from your MDM profile and push the change to devices to turn off the feature. The client will stop monitoring the local file and discard its cached local signal state.
As a last resort, you can use the CLI to reset emergency disconnect on an individual device:

```sh
warp-cli registration delete
```

This command will clear the client registration, clear the local policy, and discard the cached emergency state. To reconnect, you will need to turn off External Emergency Disconnect and then re-enroll the Cloudflare One Client with your Zero Trust organization.
Learn how global disconnect settings interact and how they impact other device client profile settings.
The client will honor disconnect signals from the Cloudflare dashboard (via Disconnect the Cloudflare One Client on all devices), the external endpoint, and the local signal file. A global disconnect is enforced if any source triggers it. All sources must indicate normal operation for the client to reconnect.
The following table shows how the three signal sources combine. If any source indicates disconnect, the client disconnects.
| Dashboard (Disconnect all devices) | External endpoint | Local file | Result |
|---|---|---|---|
| On | true | true | Force disconnected |
| On | true | false/absent | Force disconnected |
| On | false | true | Force disconnected |
| On | false | false/absent | Force disconnected |
| Off | true | true | Force disconnected |
| Off | true | false/absent | Force disconnected |
| Off | false | true | Force disconnected |
| Off | false | false/absent | Normal operation |
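The table above as a runnable model, added here as an example rather than Cloudflare client code: `DisconnectState` caches the last valid value from each source, a failed external poll or an invalid local file leaves the cached value untouched (which is why a client can stay disconnected when the endpoint disappears after serving `true`, as the recovery section describes), an absent local file counts as `false`, and the device is force disconnected while any source is set. The class and function names and the constructed file contents are assumptions.

```python
"""Added example (not Cloudflare's client code): a model of how the
dashboard setting, the external endpoint and the local signal file combine,
following the rules on this page. Names and sample contents are assumptions."""
import json
import os
from dataclasses import dataclass
from typing import Optional


def parse_local_content(raw: Optional[bytes]) -> Optional[bool]:
    """Interpret the local signal file.

    raw is None when the file does not exist -> normal operation (False).
    Valid JSON whose emergency_disconnect member is a boolean -> that value.
    Anything else -> None: log an error and keep the current state.
    """
    if raw is None:
        return False
    try:
        doc = json.loads(raw)
        value = doc["emergency_disconnect"]
    except (ValueError, KeyError, TypeError):  # bad JSON, missing key, non-object
        return None
    return value if isinstance(value, bool) else None


@dataclass
class DisconnectState:
    dashboard_disconnect: bool = False  # "Disconnect the Cloudflare One Client on all devices"
    external_signal: bool = False       # last valid payload from the external endpoint
    local_signal: bool = False          # last valid value from the local signal file

    def apply_external(self, fetched: Optional[bool]) -> None:
        """fetched is None when the poll failed (unreachable, bad fingerprint,
        malformed JSON). The cached value is kept, so a client that last saw
        true stays disconnected until a valid false arrives or the feature is
        turned off."""
        if fetched is not None:
            self.external_signal = fetched

    def apply_local_content(self, raw: Optional[bytes]) -> None:
        parsed = parse_local_content(raw)
        if parsed is not None:
            self.local_signal = parsed

    def apply_local_file(self, path: str) -> None:
        """Read the signal file from disk; an absent file means normal operation."""
        if not os.path.exists(path):
            self.apply_local_content(None)
            return
        try:
            with open(path, "rb") as fh:
                self.apply_local_content(fh.read())
        except OSError:
            pass  # unreadable file: same as invalid content, no state change

    @property
    def force_disconnected(self) -> bool:
        """Any source saying disconnect wins; reconnecting needs all three clear."""
        return self.dashboard_disconnect or self.external_signal or self.local_signal


def precedence_table():
    """Enumerate the eight rows of the page's table as (dashboard, external, local, result)."""
    rows = []
    for dash in (True, False):
        for ext in (True, False):
            for loc in (True, False):
                st = DisconnectState(dash, ext, loc)
                rows.append((dash, ext, loc,
                             "Force disconnected" if st.force_disconnected else "Normal operation"))
    return rows


if __name__ == "__main__":
    for dash, ext, loc, result in precedence_table():
        print(f"dashboard={'On' if dash else 'Off':3} external={str(ext).lower():5} "
              f"local={str(loc).lower():5} -> {result}")
```

Because only a valid `false` (or disabling the feature) clears a cached `true`, an operator who removes the endpoint instead of changing its payload leaves the fleet disconnected; the recovery steps below exist for exactly that case.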
Auto connect does not apply while a global disconnect is in effect.
Lock device client switch does not apply while a global disconnect is in effect. Users will be unable to connect the Cloudflare One Client unless they have an admin override code.
A global disconnect will clear any existing admin override codes. The only way for users to reconnect during a global disconnect is by using a new admin override code. For example, you may want to provide IT staff with a code so that they can test resolution of the incident that led to the global disconnect. The override code will exempt a specific user and device from the global disconnect until the override timeout expires.