Protocol detection

Gateway supports the detection, logging, and filtering of network protocols using packet attributes.

Protocol detection only applies to devices connected to Cloudflare One via the WARP client in Traffic and DNS mode mode.

Turn on protocol detection

To turn on protocol detection:

1. In Cloudflare One ↗, go to Traffic policies > Traffic settings > Proxy and inspection settings.
2. Turn on Allow protocol detection.

You can now use Detected Protocol as a selector in a Network policy.

Inspect on all ports Beta

By default, Gateway will only inspect HTTP traffic through port 80. Additionally, if you turn on TLS decryption, Gateway will inspect HTTPS traffic through port 443.

To detect and inspect HTTP and HTTPS traffic on ports in addition to 80 and 443, under Manage HTTP inspection by port, choose Inspect on all ports.

Important considerations

TLS interception on all ports: When you turn on this setting, Gateway will attempt to intercept TLS traffic on every port, not just port 443. This means all applications using TLS on non-standard ports will have their traffic intercepted by the Gateway proxy. If you only want to turn on SNI detection for Network policy filtering without full TLS interception, you will need to create Do Not Inspect policies for the specific applications or domains that use TLS on non-standard ports.

Non-HTTP protocols inside TLS bypass network policy filtering

Once a Network policy allows a TLS connection at Layer 4, Gateway decrypts the TLS traffic. However, Gateway cannot filter non-HTTP protocols inside the TLS connection. All non-HTTPS traffic inside TLS (such as SSH over TLS, database protocols, or custom protocols) is allowed by default with no further filtering applied. If your organization uses a default-block Network policy, Gateway will still allow all non-HTTPS TLS traffic through.

To use HTTP policies to filter all HTTPS traffic on all ports when using a default Block Network policy, create a Network policy to explicitly allow HTTP and TLS traffic.

Supported protocols

Gateway supports detection and filtering of the following protocols:

Protocol	Notes
HTTP	Hypertext Transfer Protocol (HTTP/1.1).
HTTP2	Hypertext Transfer Protocol Version 2.
SSH	Secure Shell Protocol — remote login and command execution.
TLS	Transport Layer Security. Gateway detects TLS versions 1.1 through 1.3 with the TLS value.
DCERPC	Distributed Computing Environment / Remote Procedure Call.
MQTT	Message Queuing Telemetry Transport — lightweight IoT messaging protocol.
TPKT	TPKT commonly initiates RDP sessions, so you can use it to identify and filter RDP traffic.
IMAP Beta	Internet Message Access Protocol — email retrieval.
POP3 Beta	Post Office Protocol v3 — email retrieval.
SMTP Beta	Simple Mail Transfer Protocol — email sending.
MYSQL Beta	MySQL database wire protocol.
RSYNC-DAEMON Beta	rsync daemon protocol.
LDAP Beta	Lightweight Directory Access Protocol.
NTP Beta	Network Time Protocol.

Example network policy

You can create network policies that filter traffic based on protocol detections rather than common ports. For example, you can block all SSH traffic on your network without blocking port 22 or any other non-default ports:

Selector	Operator	Value	Action
Detected Protocol	in	SSH	Block