From e99246ed6045f329b5473ce74eee80ab086525c7 Mon Sep 17 00:00:00 2001 From: mahathih Date: Mon, 13 Jul 2026 14:53:26 -0500 Subject: [PATCH 1/4] [Cloudflare One] Traffic policies: group policy types under policy-types/ Groups the Gateway policy-type pages (DNS, Network, HTTP, Egress, Resolver, packet filtering) under a new policy-types/ directory to mirror the Zero Trust dashboard. Adds a policy-types/ overview page, 301 redirects for every moved URL, and updates internal links. No page content rewritten. --- public/__redirects | 19 +++++++++++++----- .../2026-04-14-cloudflare-mesh.mdx | 2 +- .../dlp/2025-08-25-ai-prompt-protection.mdx | 2 +- .../dlp/2025-09-25-body-phase-selector.mdx | 2 +- .../dlp/2025-10-01-new-file-type-support.mdx | 4 ++-- .../2026-06-11-custom-ai-prompt-topics.mdx | 2 +- ...-10-source-code-detection-improvements.mdx | 2 +- ...5-02-13-improvements-unscannable-files.mdx | 2 +- ...tp-redirect-custom-block-page-redirect.mdx | 2 +- ...5-04-28-FDQN-Filtering-Egress-Policies.mdx | 2 +- .../2025-05-13-new-applications-added.mdx | 2 +- ...-05-27-Protocol-Detection-availability.mdx | 2 +- .../2025-06-17-new-order-of-enforcement.mdx | 2 +- ...025-07-24-HTTP-Inspection-on-all-ports.mdx | 6 +++--- .../2025-08-21-byoip-dedicated-egress-ip.mdx | 4 ++-- ...-filtering-for-private-network-onramps.mdx | 4 ++-- ...ranular-controls-for-saas-applications.mdx | 2 +- ...0-20-schedule-dns-policies-from-the-ui.mdx | 2 +- ...02-27-new-protocol-detection-protocols.mdx | 6 +++--- ...oidc-claims-filtering-gateway-policies.mdx | 6 +++--- ...05-12-natural-language-policy-creation.mdx | 2 +- .../2025-09-18-tunnel-hostname-routing.mdx | 2 +- .../workers-vpc/2026-06-05-gateway-egress.mdx | 2 +- .../infrastructure/network-operators.mdx | 2 +- .../docs/1.1.1.1/setup/google-cloud.mdx | 2 +- .../docs/ai-gateway/features/dlp/index.mdx | 2 +- src/content/docs/byoip/index.mdx | 2 +- .../about/list-types.mdx | 4 ++-- .../cloudflare-network-firewall/plans.mdx | 2 +- .../ai-controls/mcp-portals.mdx | 8 ++++---- .../applications/non-http/index.mdx | 2 +- .../non-http/infrastructure-apps.mdx | 2 +- .../non-http/legacy-private-network-app.mdx | 4 ++-- .../non-http/self-hosted-private-app.mdx | 10 +++++----- .../short-lived-certificates-legacy.mdx | 4 ++-- .../policies/common-policies.mdx | 2 +- .../policies/isolate-application.mdx | 4 ++-- .../mutual-tls-authentication.mdx | 2 +- .../docs/cloudflare-one/changelog/gateway.mdx | 10 +++++----- .../manage-findings.mdx | 4 ++-- .../configure-detection-entries.mdx | 2 +- .../dlp-policies/common-policies.mdx | 4 ++-- .../dlp-policies/index.mdx | 6 +++--- .../dlp-policies/logging-options.mdx | 4 ++-- .../data-loss-prevention/index.mdx | 6 +++--- .../data-loss-prevention/troubleshoot-dlp.mdx | 4 ++-- .../docs/cloudflare-one/faq/policies-faq.mdx | 2 +- .../insights/analytics/gateway.mdx | 8 ++++---- .../insights/analytics/network-sessions.mdx | 2 +- .../analytics/shadow-it-discovery.mdx | 6 +++--- .../dashboard-logs/gateway-logs/index.mdx | 10 +++++----- .../cloud-and-saas/findings/index.mdx | 2 +- .../cloudflare-mesh/client-devices.mdx | 2 +- .../connectors/cloudflare-mesh/index.mdx | 8 ++++---- .../connectors/cloudflare-mesh/routes.mdx | 10 +++++----- .../private-net/cloudflared/connect-cidr.mdx | 2 +- .../cloudflared/connect-private-hostname.mdx | 6 +++--- .../private-net/cloudflared/private-dns.mdx | 4 ++-- .../cloudflare-tunnel/private-net/index.mdx | 2 +- .../cloudflare-tunnel/use-cases/grpc.mdx | 2 +- .../use-cases/ssh/ssh-device-client.mdx | 2 +- .../ssh/ssh-infrastructure-access.mdx | 2 +- .../zero-trust/cloudflare-gateway.mdx | 10 +++++----- .../zero-trust/security-services.mdx | 2 +- .../dns/locations/dns-resolver-ips.mdx | 2 +- .../dns/locations/index.mdx | 4 ++-- .../proxy-endpoints/best-practices.mdx | 4 ++-- .../configure-pac-file-on-device.mdx | 6 +++--- .../proxy-endpoints/index.mdx | 16 +++++++-------- .../networks/routes/add-routes.mdx | 2 +- .../networks/routes/reserved-ips.mdx | 4 ++-- .../remote-browser-isolation/extensions.mdx | 2 +- .../remote-browser-isolation/index.mdx | 2 +- .../isolation-policies.mdx | 4 ++-- .../known-limitations.mdx | 6 +++--- .../setup/clientless-browser-isolation.mdx | 10 +++++----- .../remote-browser-isolation/setup/index.mdx | 4 ++-- .../custom-pages/gateway-block-page.mdx | 4 ++-- .../client-checks/corp-device.mdx | 2 +- .../posture-checks/client-checks/tanium.mdx | 2 +- .../posture-checks/index.mdx | 2 +- .../reusable-components/use-rules-list.mdx | 4 ++-- .../setup/replace-vpn/device-to-device.mdx | 2 +- .../setup/replace-vpn/device-to-network.mdx | 2 +- .../setup/replace-vpn/network-to-network.mdx | 2 +- .../configure/device-profiles.mdx | 2 +- .../configure/route-traffic/index.mdx | 4 ++-- .../configure/route-traffic/local-domains.mdx | 2 +- .../configure/route-traffic/split-tunnels.mdx | 2 +- .../configure/settings/index.mdx | 2 +- .../deployment/mdm-deployment/parameters.mdx | 2 +- .../mdm-deployment/partners/intune.mdx | 2 +- .../mdm-deployment/partners/kandji.mdx | 2 +- .../mdm-deployment/windows-prelogin.mdx | 2 +- .../cloudflare-one-agent-migration.mdx | 2 +- .../devices/cloudflare-one-client/index.mdx | 10 +++++----- .../devices/cloudflare-one-client/set-up.mdx | 2 +- .../automated-deployment.mdx | 2 +- .../custom-certificate.mdx | 2 +- .../devices/user-side-certificates/index.mdx | 2 +- .../manual-deployment.mdx | 2 +- .../team-and-resources/users/risk-score.mdx | 6 +++--- .../application-app-types.mdx | 10 +++++----- .../traffic-policies/expression-syntax.mdx | 16 +++++++-------- .../traffic-policies/get-started/dns.mdx | 4 ++-- .../traffic-policies/get-started/http.mdx | 6 +++--- .../traffic-policies/get-started/index.mdx | 12 +++++------ .../traffic-policies/get-started/network.mdx | 2 +- .../cloudflare-one/traffic-policies/index.mdx | 14 ++++++------- .../dns-policies/common-policies.mdx | 6 +++--- .../{ => policy-types}/dns-policies/index.mdx | 4 ++-- .../dns-policies/test-dns-filtering.mdx | 2 +- .../dns-policies/timed-policies.mdx | 0 .../egress-policies/dedicated-egress-ips.mdx | 8 ++++---- .../egress-policies/egress-cloudflared.mdx | 6 +++--- .../egress-policies/host-selectors.mdx | 8 ++++---- .../egress-policies/index.mdx | 12 +++++------ .../http-policies/antivirus-scanning.mdx | 4 ++-- .../http-policies/common-policies.mdx | 6 +++--- .../http-policies/file-sandboxing.mdx | 4 ++-- .../http-policies/granular-controls.mdx | 8 ++++---- .../http-policies/http3.mdx | 6 +++--- .../http-policies/index.mdx | 12 +++++------ .../http-policies/tenant-control.mdx | 0 .../http-policies/tls-decryption.mdx | 20 +++++++++---------- .../traffic-policies/policy-types/index.mdx | 12 +++++++++++ .../network-policies/common-policies.mdx | 6 +++--- .../network-policies/index.mdx | 4 ++-- .../network-policies/protocol-detection.mdx | 6 +++--- .../network-policies/ssh-logging.mdx | 2 +- .../packet-filtering/add-policies.mdx | 2 +- .../best-practices/extended-ruleset.mdx | 2 +- .../packet-filtering/best-practices/index.mdx | 2 +- .../best-practices/magic-transit-egress.mdx | 2 +- .../best-practices/minimal-ruleset.mdx | 2 +- .../create-rate-limiting-policies.mdx | 0 .../enable-managed-rulesets.mdx | 2 +- .../packet-filtering/form-expressions.mdx | 0 .../packet-filtering/ids.mdx} | 2 +- .../packet-filtering/index.mdx | 0 .../network-firewall-overview.mdx | 0 .../protocol-validation-rules.mdx | 0 .../packet-filtering/ruleset-logic.mdx | 2 +- .../packet-filtering/traffic-types.mdx | 0 .../resolver-policies/index.mdx} | 2 +- .../cloudflare-one/traffic-policies/proxy.mdx | 2 +- .../tiered-policies/organizations.mdx | 8 ++++---- .../tiered-policies/tenant-api.mdx | 4 ++-- .../traffic-policies/troubleshoot-gateway.mdx | 2 +- .../tutorials/ai-wrapper-tenant-control.mdx | 4 ++-- .../clientless-access-private-dns.mdx | 6 +++--- .../tutorials/entra-id-risky-users.mdx | 2 +- .../tutorials/m365-dedicated-egress-ips.mdx | 2 +- .../tutorials/mysql-network-policy.mdx | 6 +++--- ...regional-private-dns-resolver-policies.mdx | 4 ++-- .../cloudflare-one/tutorials/s3-buckets.mdx | 4 ++-- .../tutorials/user-selectable-egress-ips.mdx | 2 +- .../zero-trust/cloudflare-gateway.mdx | 10 +++++----- .../docs/data-localization/compatibility.mdx | 2 +- .../data-localization/how-to/zero-trust.mdx | 8 ++++---- .../http/http-overrides/override-examples.mdx | 2 +- .../docs/dns/internal-dns/dns-views.mdx | 2 +- .../docs/dns/internal-dns/get-started.mdx | 6 +++--- src/content/docs/dns/internal-dns/index.mdx | 2 +- .../dns/internal-dns/internal-zones/index.mdx | 2 +- .../isolate-application.mdx | 2 +- .../gateway-create-test-policy.mdx | 2 +- .../set-policy-approval.mdx | 4 ++-- .../monitor-prompts-responses.mdx | 2 +- .../build-policies/create-policy.mdx | 4 ++-- .../enable-tls-decryption.mdx | 4 ++-- .../cloudflare-mesh.mdx | 2 +- .../build-dns-policies/create-policy.mdx | 2 +- .../recommended-dns-policies.mdx | 2 +- .../build-dns-policies/test-policy.mdx | 2 +- .../build-egress-policies/egress-policies.mdx | 4 ++-- .../build-egress-policies/index.mdx | 2 +- .../recommended-http-policies.mdx | 2 +- .../build-http-policies/tls-inspection.mdx | 2 +- .../build-network-policies/index.mdx | 2 +- .../recommended-network-policies.mdx | 4 ++-- .../concepts/security-concepts.mdx | 2 +- .../configure-device-agent/enable-proxy.mdx | 2 +- .../sso-front-door.mdx | 2 +- .../load-balancers/dns-records.mdx | 2 +- .../private-network/warp-to-tunnel.mdx | 2 +- .../architectures/sase.mdx | 2 +- .../designing-ztna-access-policies.mdx | 4 ++-- .../design-guides/network-vpn-migration.mdx | 10 +++++----- .../securing-guest-wireless-networks.mdx | 4 ++-- .../design-guides/zero-trust-for-saas.mdx | 14 ++++++------- ...roaming-experience-with-geolocated-ips.mdx | 8 ++++---- .../network/protect-data-center-networks.mdx | 2 +- .../diagrams/sase/gateway-dns-for-isp.mdx | 4 ++-- .../sase/gateway-for-protective-dns.mdx | 10 +++++----- .../sase-clientless-access-private-dns.mdx | 4 ++-- ...-access-to-saas-applications-with-sase.mdx | 2 +- .../security/securing-data-at-rest.mdx | 2 +- .../security/securing-data-in-transit.mdx | 4 ++-- .../ruleset-engine/reference/phases-list.mdx | 2 +- .../docs/security-center/indicator-feeds.mdx | 4 ++-- .../pqc-and-zero-trust.mdx | 4 ++-- .../pqc-cloudflare-products.mdx | 2 +- .../cloudflare-5xx-errors/error-526.mdx | 2 +- .../company-security/data-loss-prevention.mdx | 2 +- .../company-security/internet-access.mdx | 4 ++-- .../detections/malicious-uploads/index.mdx | 2 +- src/content/docs/warp-client/warp-modes.mdx | 2 +- .../modify-gateway-policy-precedence.mdx | 4 ++-- .../app-library-review-apps.mdx | 2 +- .../partials/cloudflare-one/aws-resolver.mdx | 2 +- .../get-started/create-http-policy.mdx | 6 +++--- .../get-started/create-network-policy.mdx | 2 +- .../gateway/inspect-on-all-ports.mdx | 2 +- .../gateway/order-of-enforcement.mdx | 14 ++++++------- .../gateway/resolver-policies-intro.mdx | 2 +- .../selectors/egress-selector-limitation.mdx | 2 +- .../gateway/selectors/sni-443.mdx | 2 +- .../cloudflare-one/troubleshooting/dlp.mdx | 4 ++-- .../troubleshooting/gateway.mdx | 2 +- .../tunnel/hostname-route-dns-advanced.mdx | 2 +- .../tunnel/troubleshoot-private-networks.mdx | 10 +++++----- .../fundamentals/cybersafe-configuration.mdx | 2 +- .../cloudflare-one-connectivity-options.mdx | 2 +- .../third-party/azure-vpn-gateway.mdx | 2 +- .../third-party/cisco-meraki-static.mdx | 2 +- .../cloudflare-wan/third-party/juniper.mdx | 2 +- .../cloudflare-wan/third-party/palo-alto.mdx | 2 +- .../cloudflare-wan/zero-trust/tunnel.mdx | 4 ++-- .../reference/traffic-steering.mdx | 2 +- .../release-notes/api-deprecations.yaml | 2 +- 231 files changed, 465 insertions(+), 444 deletions(-) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/dns-policies/common-policies.mdx (96%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/dns-policies/index.mdx (98%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/dns-policies/test-dns-filtering.mdx (96%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/dns-policies/timed-policies.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/egress-policies/dedicated-egress-ips.mdx (92%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/egress-policies/egress-cloudflared.mdx (91%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/egress-policies/host-selectors.mdx (81%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/egress-policies/index.mdx (92%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/http-policies/antivirus-scanning.mdx (90%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/http-policies/common-policies.mdx (98%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/http-policies/file-sandboxing.mdx (93%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/http-policies/granular-controls.mdx (91%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/http-policies/http3.mdx (85%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/http-policies/index.mdx (96%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/http-policies/tenant-control.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/http-policies/tls-decryption.mdx (85%) create mode 100644 src/content/docs/cloudflare-one/traffic-policies/policy-types/index.mdx rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/network-policies/common-policies.mdx (96%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/network-policies/index.mdx (98%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/network-policies/protocol-detection.mdx (93%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/network-policies/ssh-logging.mdx (98%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/add-policies.mdx (97%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/best-practices/extended-ruleset.mdx (96%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/best-practices/index.mdx (58%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/best-practices/magic-transit-egress.mdx (80%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/best-practices/minimal-ruleset.mdx (97%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/create-rate-limiting-policies.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/enable-managed-rulesets.mdx (99%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/form-expressions.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{enable-ids.mdx => policy-types/packet-filtering/ids.mdx} (87%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/index.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/network-firewall-overview.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/protocol-validation-rules.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/ruleset-logic.mdx (97%) rename src/content/docs/cloudflare-one/traffic-policies/{ => policy-types}/packet-filtering/traffic-types.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{resolver-policies.mdx => policy-types/resolver-policies/index.mdx} (99%) diff --git a/public/__redirects b/public/__redirects index 6448ec30392..f254b9695e6 100644 --- a/public/__redirects +++ b/public/__redirects @@ -1368,7 +1368,7 @@ # CF1 MSP page moved under tiered-policies /cloudflare-one/traffic-policies/managed-service-providers/ /cloudflare-one/traffic-policies/tiered-policies/tenant-api/ 301 # CF1 packet filtering overview rename -/cloudflare-one/traffic-policies/packet-filtering/magic-firewall-overview/ /cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview/ 301 +/cloudflare-one/traffic-policies/packet-filtering/magic-firewall-overview/ /cloudflare-one/traffic-policies/policy-types/packet-filtering/network-firewall-overview/ 301 # cross-product magic-firewall slug renames /learning-paths/data-center-protection/enable-magic-firewall/ /learning-paths/data-center-protection/enable-network-firewall/ 301 /analytics/graphql-api/tutorials/querying-magic-firewall-samples/ /analytics/graphql-api/tutorials/querying-network-firewall-samples/ 301 @@ -2682,8 +2682,8 @@ /cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/ /cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/ 301 /cloudflare-one/connections/connect-apps/configuration/config/ /cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/ 301 /cloudflare-one/connections/connect-devices/warp/install-cloudflare-cert/ /cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/ 301 -/cloudflare-one/traffic-policies/packet-filtering/add-rules/ /cloudflare-one/traffic-policies/packet-filtering/add-policies/ 301 -/cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-rules/ /cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-policies/ 301 +/cloudflare-one/traffic-policies/packet-filtering/add-rules/ /cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/ 301 +/cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-rules/ /cloudflare-one/traffic-policies/policy-types/packet-filtering/create-rate-limiting-policies/ 301 /cloudflare-one/connections/connect-networks/locations/configuring-a-location/ /cloudflare-one/team-and-resources/devices/agentless/dns/locations/ 301 /cloudflare-one/identity/authorization-cookie/cors/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/ 301 /cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/ /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ 301 @@ -2697,7 +2697,7 @@ /cloudflare-one/data-loss-prevention/saas-apps-dlp/ /cloudflare-one/cloud-and-saas-findings/casb-dlp/ 301 /cloudflare-one/policies/data-loss-prevention/exact-data-match/ /cloudflare-one/data-loss-prevention/detection-entries/#exact-data-match 301 /cloudflare-one/policies/filtering/configuring-block-page/ /cloudflare-one/reusable-components/custom-pages/gateway-block-page/ 301 -/cloudflare-one/policies/filtering/dns-policies/safesearch/ /cloudflare-one/traffic-policies/dns-policies/#safe-search 301 +/cloudflare-one/policies/filtering/dns-policies/safesearch/ /cloudflare-one/traffic-policies/policy-types/dns-policies/#safe-search 301 /cloudflare-one/policies/gateway/block-page/ /cloudflare-one/reusable-components/custom-pages/gateway-block-page/ 301 /cloudflare-one/policies/lists/ /cloudflare-one/reusable-components/lists/ 301 /cloudflare-one/technical-limitations/ /cloudflare-one/account-limits/ 301 @@ -2727,7 +2727,7 @@ /cloudflare-one/identity/mutual-tls-authentication/ /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ 301 /cloudflare-one/identity/service-tokens/ /cloudflare-one/access-controls/service-credentials/service-tokens/ 301 /cloudflare-one/identity/one-time-pin/ /cloudflare-one/integrations/identity-providers/one-time-pin/ 301 -/cloudflare-one/traffic-policies/ids/ /cloudflare-one/traffic-policies/enable-ids/ 301 +/cloudflare-one/traffic-policies/ids/ /cloudflare-one/traffic-policies/policy-types/packet-filtering/ids/ 301 # Catch-all redirects (must come last) /cloudflare-one/faq/troubleshooting/ /cloudflare-one/troubleshooting/ 301 @@ -2997,3 +2997,12 @@ # Bots: signed agents deprecated -> verified bots /bots/concepts/bot/signed-agents/* /bots/concepts/bot/verified-bots/ 301 + +# Traffic policies: group policy types under policy-types/ +/cloudflare-one/traffic-policies/dns-policies/* /cloudflare-one/traffic-policies/policy-types/dns-policies/:splat 301 +/cloudflare-one/traffic-policies/network-policies/* /cloudflare-one/traffic-policies/policy-types/network-policies/:splat 301 +/cloudflare-one/traffic-policies/http-policies/* /cloudflare-one/traffic-policies/policy-types/http-policies/:splat 301 +/cloudflare-one/traffic-policies/egress-policies/* /cloudflare-one/traffic-policies/policy-types/egress-policies/:splat 301 +/cloudflare-one/traffic-policies/packet-filtering/* /cloudflare-one/traffic-policies/policy-types/packet-filtering/:splat 301 +/cloudflare-one/traffic-policies/resolver-policies/* /cloudflare-one/traffic-policies/policy-types/resolver-policies/:splat 301 +/cloudflare-one/traffic-policies/enable-ids/* /cloudflare-one/traffic-policies/policy-types/packet-filtering/ids/:splat 301 diff --git a/src/content/changelog/cloudflare-one/2026-04-14-cloudflare-mesh.mdx b/src/content/changelog/cloudflare-one/2026-04-14-cloudflare-mesh.mdx index e58bd642b25..f8539c31cde 100644 --- a/src/content/changelog/cloudflare-one/2026-04-14-cloudflare-mesh.mdx +++ b/src/content/changelog/cloudflare-one/2026-04-14-cloudflare-mesh.mdx @@ -14,7 +14,7 @@ date: 2026-04-14 - Enables any participant to reach any other participant by IP — including client-to-client, without deploying any infrastructure. - Supports [CIDR routes](/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) for subnet routing through Mesh nodes. - Supports [high availability](/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) with active-passive replicas for nodes with routes. -- All traffic flows through Cloudflare, so [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/), [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and access rules apply to every connection. +- All traffic flows through Cloudflare, so [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/), [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and access rules apply to every connection. ### What changed diff --git a/src/content/changelog/dlp/2025-08-25-ai-prompt-protection.mdx b/src/content/changelog/dlp/2025-08-25-ai-prompt-protection.mdx index 21f93780d77..f581cae4cae 100644 --- a/src/content/changelog/dlp/2025-08-25-ai-prompt-protection.mdx +++ b/src/content/changelog/dlp/2025-08-25-ai-prompt-protection.mdx @@ -24,7 +24,7 @@ To help you apply these topics quickly, we have also released five new predefine 3. **Granular Guardrails** - You can now build guardrails using Gateway HTTP policies with [application granular controls](/cloudflare-one/traffic-policies/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts. + You can now build guardrails using Gateway HTTP policies with [application granular controls](/cloudflare-one/traffic-policies/policy-types/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts. ![DLP](~/assets/images/changelog/dlp/ai-prompt-policy.png) diff --git a/src/content/changelog/dlp/2025-09-25-body-phase-selector.mdx b/src/content/changelog/dlp/2025-09-25-body-phase-selector.mdx index cb7025a0d50..6a3e1710f89 100644 --- a/src/content/changelog/dlp/2025-09-25-body-phase-selector.mdx +++ b/src/content/changelog/dlp/2025-09-25-body-phase-selector.mdx @@ -17,4 +17,4 @@ For example, consider a policy that blocks Social Security Numbers (SSNs). Previ All policies without this selector will continue to scan both request and response bodies to ensure continued protection. -For more information, refer to [Gateway HTTP policy selectors](/cloudflare-one/traffic-policies/http-policies/#body-phase). +For more information, refer to [Gateway HTTP policy selectors](/cloudflare-one/traffic-policies/policy-types/http-policies/#body-phase). diff --git a/src/content/changelog/dlp/2025-10-01-new-file-type-support.mdx b/src/content/changelog/dlp/2025-10-01-new-file-type-support.mdx index d003cbcb6ac..28dacb69769 100644 --- a/src/content/changelog/dlp/2025-10-01-new-file-type-support.mdx +++ b/src/content/changelog/dlp/2025-10-01-new-file-type-support.mdx @@ -12,7 +12,7 @@ We have expanded Gateway's file type controls to include: - Microsoft Software Installer (msix, appx) - Apple Software Package (pkg) -You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows: +You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows: - **System**: _Apple Disk Image (dmg)_ - **Executable**: _Microsoft Software Installer (msix)_, _Microsoft Software Installer (appx)_, _Apple Software Package (pkg)_ @@ -22,4 +22,4 @@ To ensure these file types are blocked effectively, please note the following be - DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file. - MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type _Unscannable_. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection. -To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](/cloudflare-one/traffic-policies/http-policies/#supported-file-types). +To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](/cloudflare-one/traffic-policies/policy-types/http-policies/#supported-file-types). diff --git a/src/content/changelog/dlp/2026-06-11-custom-ai-prompt-topics.mdx b/src/content/changelog/dlp/2026-06-11-custom-ai-prompt-topics.mdx index 7a3e80e3ae3..e66f96b5cd7 100644 --- a/src/content/changelog/dlp/2026-06-11-custom-ai-prompt-topics.mdx +++ b/src/content/changelog/dlp/2026-06-11-custom-ai-prompt-topics.mdx @@ -9,7 +9,7 @@ You can now define custom topics for AI prompt protection. Predefined [AI prompt You describe a custom topic in natural language, and Cloudflare DLP detects whether a prompt matches that topic based on context rather than specific keywords. For example, a topic that describes confidential merger discussions matches a prompt that paraphrases the deal, even when the prompt never uses the word merger or names the companies involved. To detect literal values such as internal codenames or product identifiers, use a [custom wordlist or pattern entry](/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#custom-wordlist-datasets) instead. -Custom topics run through the same [application granular controls](/cloudflare-one/traffic-policies/http-policies/#granular-controls) path as predefined AI prompt topics. Custom topics are available for ChatGPT, Google Gemini, Perplexity, and Claude. +Custom topics run through the same [application granular controls](/cloudflare-one/traffic-policies/policy-types/http-policies/#granular-controls) path as predefined AI prompt topics. Custom topics are available for ChatGPT, Google Gemini, Perplexity, and Claude. ## Create a custom AI prompt topic diff --git a/src/content/changelog/dlp/2026-07-10-source-code-detection-improvements.mdx b/src/content/changelog/dlp/2026-07-10-source-code-detection-improvements.mdx index 4ec0e2f8936..efa994207d1 100644 --- a/src/content/changelog/dlp/2026-07-10-source-code-detection-improvements.mdx +++ b/src/content/changelog/dlp/2026-07-10-source-code-detection-improvements.mdx @@ -11,6 +11,6 @@ Source code detection requires a minimum of 500 characters to evaluate a file. F Enable and set [confidence levels](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds) to tune match sensitivity. A higher confidence level reduces false positives by requiring stronger signals that the content is truly source code. A lower confidence level catches more files at the cost of additional noise. -Source code detection applies to standalone source code files in [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/). It does not detect source code embedded within other file types or payloads, such as `.docx` files or chat messages. +Source code detection applies to standalone source code files in [Gateway HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). It does not detect source code embedded within other file types or payloads, such as `.docx` files or chat messages. For more information, refer to [Source Code predefined profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code). diff --git a/src/content/changelog/gateway/2025-02-13-improvements-unscannable-files.mdx b/src/content/changelog/gateway/2025-02-13-improvements-unscannable-files.mdx index 2a7e5cc2895..99945d81554 100644 --- a/src/content/changelog/gateway/2025-02-13-improvements-unscannable-files.mdx +++ b/src/content/changelog/gateway/2025-02-13-improvements-unscannable-files.mdx @@ -10,7 +10,7 @@ import { Render } from "~/components"; Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable. -These unscannable files are now matched with the [Download and Upload File Types traffic selectors](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies: +These unscannable files are now matched with the [Download and Upload File Types traffic selectors](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-file-types) for HTTP policies: diff --git a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx index 9d9139522e9..a0fe8615c72 100644 --- a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx +++ b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx @@ -12,4 +12,4 @@ You can now use more flexible redirect capabilities in Cloudflare One with Gatew - A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters. - For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL. -Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). +Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/policy-types/http-policies/#redirect) and [Block page redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). diff --git a/src/content/changelog/gateway/2025-04-28-FDQN-Filtering-Egress-Policies.mdx b/src/content/changelog/gateway/2025-04-28-FDQN-Filtering-Egress-Policies.mdx index 80298e44e40..79a9d0c1623 100644 --- a/src/content/changelog/gateway/2025-04-28-FDQN-Filtering-Egress-Policies.mdx +++ b/src/content/changelog/gateway/2025-04-28-FDQN-Filtering-Egress-Policies.mdx @@ -11,7 +11,7 @@ Cloudflare One administrators can now control which egress IP is used based on a - Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta. - During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation. - - For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](/cloudflare-one/traffic-policies/egress-policies/#limitations). + - For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](/cloudflare-one/traffic-policies/policy-types/egress-policies/#limitations). ![Egress by FQDN and Hostname](~/assets/images/gateway/Gateway-Egress-FQDN-Policy-preview.png) diff --git a/src/content/changelog/gateway/2025-05-13-new-applications-added.mdx b/src/content/changelog/gateway/2025-05-13-new-applications-added.mdx index 1b4a838c144..6c48b32d377 100644 --- a/src/content/changelog/gateway/2025-05-13-new-applications-added.mdx +++ b/src/content/changelog/gateway/2025-05-13-new-applications-added.mdx @@ -13,4 +13,4 @@ With this update, you can: - Manage outbound traffic more effectively - Improve your organization's security and compliance posture -For more information on creating DNS policies, see our [DNS policy documentation](/cloudflare-one/traffic-policies/dns-policies/). +For more information on creating DNS policies, see our [DNS policy documentation](/cloudflare-one/traffic-policies/policy-types/dns-policies/). diff --git a/src/content/changelog/gateway/2025-05-27-Protocol-Detection-availability.mdx b/src/content/changelog/gateway/2025-05-27-Protocol-Detection-availability.mdx index f3eb93217ff..943302c554f 100644 --- a/src/content/changelog/gateway/2025-05-27-Protocol-Detection-availability.mdx +++ b/src/content/changelog/gateway/2025-05-27-Protocol-Detection-availability.mdx @@ -11,4 +11,4 @@ All Cloudflare One Gateway users can now use Protocol detection logging and filt With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier. -This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). +This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/). diff --git a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx index c10d3482a08..c759f396940 100644 --- a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx +++ b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx @@ -7,7 +7,7 @@ hidden: false date: 2025-06-18 --- -[Gateway](/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users. +[Gateway](/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users. This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent. diff --git a/src/content/changelog/gateway/2025-07-24-HTTP-Inspection-on-all-ports.mdx b/src/content/changelog/gateway/2025-07-24-HTTP-Inspection-on-all-ports.mdx index 6d777cba096..107876cfad5 100644 --- a/src/content/changelog/gateway/2025-07-24-HTTP-Inspection-on-all-ports.mdx +++ b/src/content/changelog/gateway/2025-07-24-HTTP-Inspection-on-all-ports.mdx @@ -7,10 +7,10 @@ hidden: false date: 2025-07-24 --- -[Gateway](/cloudflare-one/traffic-policies/) can now apply [HTTP filtering](/cloudflare-one/traffic-policies/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [file sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/#data-in-transit), and more. +[Gateway](/cloudflare-one/traffic-policies/) can now apply [HTTP filtering](/cloudflare-one/traffic-policies/policy-types/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/), [file sandboxing](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/#data-in-transit), and more. -You can turn this [setting](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** > **Network** > **Firewall** and choosing _Inspect on all ports_. +You can turn this [setting](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** > **Network** > **Firewall** and choosing _Inspect on all ports_. ![HTTP Inspection on all ports setting](~/assets/images/gateway/Gateway-Inspection-all-ports.png) -To learn more, refer to [Inspect on all ports (Beta)](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). +To learn more, refer to [Inspect on all ports (Beta)](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports). diff --git a/src/content/changelog/gateway/2025-08-21-byoip-dedicated-egress-ip.mdx b/src/content/changelog/gateway/2025-08-21-byoip-dedicated-egress-ip.mdx index af30dc7361d..681ba6ec0c1 100644 --- a/src/content/changelog/gateway/2025-08-21-byoip-dedicated-egress-ip.mdx +++ b/src/content/changelog/gateway/2025-08-21-byoip-dedicated-egress-ip.mdx @@ -10,8 +10,8 @@ Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egr Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic. -Get started by following the [BYOIP onboarding process](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** > **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu. +Get started by following the [BYOIP onboarding process](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** > **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu. ![Screenshot of a dropdown menu adding a BYOIP IPv4 address as a dedicated egress IP in a Gateway egress policy](~/assets/images/gateway/Gateway-byoip-dedicated-egress-ips.png) -For more information, refer to [BYOIP for dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). +For more information, refer to [BYOIP for dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). diff --git a/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx b/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx index 9932d31f2e9..556f760e7d1 100644 --- a/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx +++ b/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx @@ -10,6 +10,6 @@ date: "2025-09-11" [Magic WAN](/cloudflare-wan/zero-trust/cloudflare-gateway/#dns-filtering) and [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-mesh/routes/#dns-filtering) users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet. -Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). +Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#internal-dns) and [hostname-based policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/#selector-prerequisites). -To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](/dns/internal-dns/). +To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) for routing private DNS traffic to your [Internal DNS](/dns/internal-dns/). diff --git a/src/content/changelog/gateway/2025-09-25-new-granular-controls-for-saas-applications.mdx b/src/content/changelog/gateway/2025-09-25-new-granular-controls-for-saas-applications.mdx index e7f169b1f2f..ca57b5f3a26 100644 --- a/src/content/changelog/gateway/2025-09-25-new-granular-controls-for-saas-applications.mdx +++ b/src/content/changelog/gateway/2025-09-25-new-granular-controls-for-saas-applications.mdx @@ -14,4 +14,4 @@ The new feature offers two methods of controlling SaaS applications: - **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application. - **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function. -Get started using [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/granular-controls) and refer to the list of [supported applications](/cloudflare-one/traffic-policies/http-policies/granular-controls/#compatible-applications). +Get started using [Application Granular Controls](/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls) and refer to the list of [supported applications](/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls/#compatible-applications). diff --git a/src/content/changelog/gateway/2025-10-20-schedule-dns-policies-from-the-ui.mdx b/src/content/changelog/gateway/2025-10-20-schedule-dns-policies-from-the-ui.mdx index 3cc7115a6e6..4567de57a92 100644 --- a/src/content/changelog/gateway/2025-10-20-schedule-dns-policies-from-the-ui.mdx +++ b/src/content/changelog/gateway/2025-10-20-schedule-dns-policies-from-the-ui.mdx @@ -6,7 +6,7 @@ products: date: "2025-10-20" --- -Admins can now create [scheduled DNS policies](/cloudflare-one/traffic-policies/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights. +Admins can now create [scheduled DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights. - **Preset Schedules**: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more. - **Custom Schedules**: Define your own schedule with specific days and up to three non-overlapping time ranges per day. diff --git a/src/content/changelog/gateway/2026-02-27-new-protocol-detection-protocols.mdx b/src/content/changelog/gateway/2026-02-27-new-protocol-detection-protocols.mdx index f20f7a3b16f..cb447d24ef0 100644 --- a/src/content/changelog/gateway/2026-02-27-new-protocol-detection-protocols.mdx +++ b/src/content/changelog/gateway/2026-02-27-new-protocol-detection-protocols.mdx @@ -6,7 +6,7 @@ products: date: 2026-02-27 --- -Gateway [Protocol Detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) now supports seven additional protocols in beta: +Gateway [Protocol Detection](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/) now supports seven additional protocols in beta: | Protocol | Notes | | ------------ | -------------------------------------------------- | @@ -18,8 +18,8 @@ Gateway [Protocol Detection](/cloudflare-one/traffic-policies/network-policies/p | LDAP | Lightweight Directory Access Protocol | | NTP | Network Time Protocol | -These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the _Detected Protocol_ selector in [Network policies](/cloudflare-one/traffic-policies/network-policies/) to identify and filter traffic based on the application-layer protocol, without relying on port-based identification. +These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the _Detected Protocol_ selector in [Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to identify and filter traffic based on the application-layer protocol, without relying on port-based identification. If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic. -For more information on using Protocol Detection, refer to the [Protocol detection documentation](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). +For more information on using Protocol Detection, refer to the [Protocol detection documentation](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/). diff --git a/src/content/changelog/gateway/2026-03-24-oidc-claims-filtering-gateway-policies.mdx b/src/content/changelog/gateway/2026-03-24-oidc-claims-filtering-gateway-policies.mdx index 0817f77a377..4e70d7879fd 100644 --- a/src/content/changelog/gateway/2026-03-24-oidc-claims-filtering-gateway-policies.mdx +++ b/src/content/changelog/gateway/2026-03-24-oidc-claims-filtering-gateway-policies.mdx @@ -10,9 +10,9 @@ Cloudflare Gateway now supports [OIDC Claims](/cloudflare-one/traffic-policies/i With this update, you can: -- Filter traffic in [DNS](/cloudflare-one/traffic-policies/dns-policies/), [HTTP](/cloudflare-one/traffic-policies/http-policies/), and [Network](/cloudflare-one/traffic-policies/network-policies/) firewall policies based on OIDC claim values. -- Apply custom [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) to route DNS queries to specific resolvers depending on a user's OIDC claims. -- Control [egress policies](/cloudflare-one/traffic-policies/egress-policies/) to assign dedicated egress IPs based on OIDC claim attributes. +- Filter traffic in [DNS](/cloudflare-one/traffic-policies/policy-types/dns-policies/), [HTTP](/cloudflare-one/traffic-policies/policy-types/http-policies/), and [Network](/cloudflare-one/traffic-policies/policy-types/network-policies/) firewall policies based on OIDC claim values. +- Apply custom [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to route DNS queries to specific resolvers depending on a user's OIDC claims. +- Control [egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/) to assign dedicated egress IPs based on OIDC claim attributes. For example, you can create a policy that routes traffic differently for users with `department=engineering` in their OIDC claims, or restrict access to certain destinations based on a user's role claim. diff --git a/src/content/changelog/gateway/2026-05-12-natural-language-policy-creation.mdx b/src/content/changelog/gateway/2026-05-12-natural-language-policy-creation.mdx index 6a260edb0f5..332afcc7017 100644 --- a/src/content/changelog/gateway/2026-05-12-natural-language-policy-creation.mdx +++ b/src/content/changelog/gateway/2026-05-12-natural-language-policy-creation.mdx @@ -6,7 +6,7 @@ products: date: 2026-05-12 --- -Cloudflare Gateway now supports natural language policy creation for [DNS](/cloudflare-one/traffic-policies/dns-policies/), [HTTP](/cloudflare-one/traffic-policies/http-policies/), and [Network](/cloudflare-one/traffic-policies/network-policies/) firewall policies. Administrators can describe the outcome they want in plain language, and Cloudflare will generate a complete policy rule that populates the policy builder form. +Cloudflare Gateway now supports natural language policy creation for [DNS](/cloudflare-one/traffic-policies/policy-types/dns-policies/), [HTTP](/cloudflare-one/traffic-policies/policy-types/http-policies/), and [Network](/cloudflare-one/traffic-policies/policy-types/network-policies/) firewall policies. Administrators can describe the outcome they want in plain language, and Cloudflare will generate a complete policy rule that populates the policy builder form. ![Create with AI button on the Gateway firewall policies page](~/assets/images/changelog/gateway/gateway-create-with-ai.png) diff --git a/src/content/changelog/tunnel/2025-09-18-tunnel-hostname-routing.mdx b/src/content/changelog/tunnel/2025-09-18-tunnel-hostname-routing.mdx index 947de730982..e15b2ca5f60 100644 --- a/src/content/changelog/tunnel/2025-09-18-tunnel-hostname-routing.mdx +++ b/src/content/changelog/tunnel/2025-09-18-tunnel-hostname-routing.mdx @@ -21,6 +21,6 @@ Previously, Tunnel routes could only be defined by IP address or [CIDR range](/c - **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services. - **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete. -Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route. +Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](/cloudflare-one/traffic-policies/policy-types/egress-policies/egress-cloudflared/) route. Learn more in our [blog post](https://blog.cloudflare.com/tunnel-hostname-routing/). \ No newline at end of file diff --git a/src/content/changelog/workers-vpc/2026-06-05-gateway-egress.mdx b/src/content/changelog/workers-vpc/2026-06-05-gateway-egress.mdx index 831ff5be6b2..04094f5f53a 100644 --- a/src/content/changelog/workers-vpc/2026-06-05-gateway-egress.mdx +++ b/src/content/changelog/workers-vpc/2026-06-05-gateway-egress.mdx @@ -15,7 +15,7 @@ Workers using a [VPC Network](/workers-vpc/configuration/vpc-networks/) binding What you get by default: -- **Visibility.** Worker egress shows up in Gateway [DNS](/cloudflare-one/traffic-policies/dns-policies/), [HTTP](/cloudflare-one/traffic-policies/http-policies/), and [Network](/cloudflare-one/traffic-policies/network-policies/) logs alongside your other traffic, so you can audit what your Workers are calling and when. +- **Visibility.** Worker egress shows up in Gateway [DNS](/cloudflare-one/traffic-policies/policy-types/dns-policies/), [HTTP](/cloudflare-one/traffic-policies/policy-types/http-policies/), and [Network](/cloudflare-one/traffic-policies/policy-types/network-policies/) logs alongside your other traffic, so you can audit what your Workers are calling and when. - **Enforcement.** Any existing Gateway policy whose selectors match a Worker request will apply — including allow / block lists, DNS category filtering, and HTTP destination rules. If you have already blocked a category for your workforce, your Workers inherit that block. diff --git a/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx b/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx index 47b3dd172a8..64aa4c8181c 100644 --- a/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx +++ b/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx @@ -31,7 +31,7 @@ Where possible, we recommend using encrypted transports (DNS over HTTPS or TLS) :::note -[Cloudflare Zero Trust](https://www.cloudflare.com/products/zero-trust/) supports customizable [DNS policies](/cloudflare-one/traffic-policies/dns-policies/), analytics, additional built-in filtering categories, and custom rate limiting capabilities. +[Cloudflare Zero Trust](https://www.cloudflare.com/products/zero-trust/) supports customizable [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/), analytics, additional built-in filtering categories, and custom rate limiting capabilities. If you require additional controls over our public 1.1.1.1 resolver, [contact us](https://www.cloudflare.com/products/zero-trust/). diff --git a/src/content/docs/1.1.1.1/setup/google-cloud.mdx b/src/content/docs/1.1.1.1/setup/google-cloud.mdx index 82bf737ffa9..e4d923f2848 100644 --- a/src/content/docs/1.1.1.1/setup/google-cloud.mdx +++ b/src/content/docs/1.1.1.1/setup/google-cloud.mdx @@ -20,7 +20,7 @@ Google Cloud lets you configure custom DNS servers at the Virtual Private Cloud :::note -If you are using [Cloudflare Zero Trust](/cloudflare-one/), you can assign [locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) to apply custom [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) via Gateway. +If you are using [Cloudflare Zero Trust](/cloudflare-one/), you can assign [locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) to apply custom [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) via Gateway. ::: diff --git a/src/content/docs/ai-gateway/features/dlp/index.mdx b/src/content/docs/ai-gateway/features/dlp/index.mdx index 186ec4edcac..602c2ae4547 100644 --- a/src/content/docs/ai-gateway/features/dlp/index.mdx +++ b/src/content/docs/ai-gateway/features/dlp/index.mdx @@ -81,7 +81,7 @@ AI Gateway DLP uses the same [detection profiles](/cloudflare-one/data-loss-prev Key differences from Cloudflare One Gateway DLP: -- **No Gateway proxy or TLS decryption required** - AI Gateway inspects traffic directly as an AI proxy, so you do not need to set up [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/) or [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). +- **No Gateway proxy or TLS decryption required** - AI Gateway inspects traffic directly as an AI proxy, so you do not need to set up [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/) or [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). - **Separate policy management** - DLP policies for AI Gateway are configured per gateway in the AI Gateway dashboard, not in Cloudflare One traffic policies. - **Separate logs** - DLP events for AI Gateway appear in [AI Gateway logs](/ai-gateway/observability/logging/), not in Cloudflare One HTTP request logs. - **Shared profiles** - DLP detection profiles (predefined and custom) are shared across both products. Changes to a profile apply everywhere it is used. diff --git a/src/content/docs/byoip/index.mdx b/src/content/docs/byoip/index.mdx index f9944c94517..092fa68cb81 100644 --- a/src/content/docs/byoip/index.mdx +++ b/src/content/docs/byoip/index.mdx @@ -27,7 +27,7 @@ import { When you use Cloudflare as a [reverse proxy](/fundamentals/concepts/how-cloudflare-works/), Cloudflare responds to DNS queries for proxied records with Cloudflare-owned IP addresses[^1]. For some organizations, it is important to keep their website or application associated with IP addresses they already own rather than using Cloudflare's. -With Bring Your Own IP (BYOIP), Cloudflare announces your IP prefixes in all our locations. Use your IPs with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), [CDN services](/cache/), or Gateway [DNS locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) and [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). +With Bring Your Own IP (BYOIP), Cloudflare announces your IP prefixes in all our locations. Use your IPs with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), [CDN services](/cache/), or Gateway [DNS locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) and [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/). Learn how to [get started](/byoip/get-started/). diff --git a/src/content/docs/cloudflare-network-firewall/about/list-types.mdx b/src/content/docs/cloudflare-network-firewall/about/list-types.mdx index f05a882f096..e87d57155bc 100644 --- a/src/content/docs/cloudflare-network-firewall/about/list-types.mdx +++ b/src/content/docs/cloudflare-network-firewall/about/list-types.mdx @@ -14,8 +14,8 @@ The threat intelligence feed categories are described in [Managed IP Lists](/waf ## IP lists -Use [IP lists](/waf/tools/lists/custom-lists/#ip-lists) to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier. IP lists are helpful for users with very expansive firewall rules with many IP lists. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](/cloudflare-one/traffic-policies/packet-filtering/add-policies/#use-an-ip-list) to check an example of how to use an IP list. +Use [IP lists](/waf/tools/lists/custom-lists/#ip-lists) to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier. IP lists are helpful for users with very expansive firewall rules with many IP lists. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/#use-an-ip-list) to check an example of how to use an IP list. ## Geo-blocking -Geo-blocking enables you to selectively allow or block traffic to any country. Refer to [Block a country](/cloudflare-one/traffic-policies/packet-filtering/add-policies/#block-a-country) to check an example of how to block a country. +Geo-blocking enables you to selectively allow or block traffic to any country. Refer to [Block a country](/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/#block-a-country) to check an example of how to block a country. diff --git a/src/content/docs/cloudflare-network-firewall/plans.mdx b/src/content/docs/cloudflare-network-firewall/plans.mdx index 5e76233af36..f2daa7c62cf 100644 --- a/src/content/docs/cloudflare-network-firewall/plans.mdx +++ b/src/content/docs/cloudflare-network-firewall/plans.mdx @@ -32,5 +32,5 @@ All standard features are included with the purchase of the advanced features be - Block or allow packets based on Autonomous System Number (ASN). - Packet captures on demand for network troubleshooting. - [Protocol validation rules](/cloudflare-network-firewall/about/protocol-validation-rules/) to inspect traffic validity and enforce a positive security model. -- [Secure Web Gateway](/cloudflare-one/traffic-policies/) filtering for outbound Internet traffic (network and HTTP policies). The Secure Web Gateway supports all TCP and UDP ports, as well as traffic sourced from RFC 1918 address space. Gateway will proxy BYOIP traffic to egress via the default Cloudflare IPs or your assigned [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). +- [Secure Web Gateway](/cloudflare-one/traffic-policies/) filtering for outbound Internet traffic (network and HTTP policies). The Secure Web Gateway supports all TCP and UDP ports, as well as traffic sourced from RFC 1918 address space. Gateway will proxy BYOIP traffic to egress via the default Cloudflare IPs or your assigned [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/). - Intrusion Detection System (IDS). diff --git a/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx b/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx index 1434baa0d5c..718e12e7909 100644 --- a/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx +++ b/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx @@ -662,7 +662,7 @@ When Gateway routing is turned on, calls to MCP servers protected by your MCP se When a user calls a tool through the portal, the portal proxies the request to the upstream MCP server. With Gateway routing turned on, this outbound request passes through Cloudflare Gateway before reaching the upstream server. Gateway inspects the traffic and applies any matching HTTP policies, including DLP scanning. -Because portal traffic routes through Gateway, it also respects [Gateway egress policies](/cloudflare-one/traffic-policies/egress-policies/). This means outbound requests to upstream MCP servers will originate from your dedicated egress IPs or Gateway IP ranges rather than generic Cloudflare IPs. If your upstream MCP servers restrict inbound traffic by source IP (for example, to a VPN or corporate IP range), you can use egress policies to ensure portal traffic comes from a predictable set of IPs. +Because portal traffic routes through Gateway, it also respects [Gateway egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/). This means outbound requests to upstream MCP servers will originate from your dedicated egress IPs or Gateway IP ranges rather than generic Cloudflare IPs. If your upstream MCP servers restrict inbound traffic by source IP (for example, to a VPN or corporate IP range), you can use egress policies to ensure portal traffic comes from a predictable set of IPs. :::note Gateway routing only applies to real-time tool calls made by users through the portal. Background operations such as [admin credential synchronization](#synchronize-the-mcp-server) do not route through Gateway and will not use your egress policy IPs. @@ -670,12 +670,12 @@ Gateway routing only applies to real-time tool calls made by users through the p ### TLS decryption -DLP inspection requires Gateway to decrypt TLS traffic. For portal traffic, Gateway decrypts and inspects the payload automatically — you do not need to turn on the account-level [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) setting. Because the portal terminates the connection from the MCP client and re-originates the request through Gateway, Gateway decrypts portal traffic regardless of whether the global TLS decryption setting is on. +DLP inspection requires Gateway to decrypt TLS traffic. For portal traffic, Gateway decrypts and inspects the payload automatically — you do not need to turn on the account-level [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) setting. Because the portal terminates the connection from the MCP client and re-originates the request through Gateway, Gateway decrypts portal traffic regardless of whether the global TLS decryption setting is on. -This automatic decryption applies only to traffic that flows through the portal. To inspect MCP traffic that does not pass through the portal — for example, an agent on a [device running the WARP client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) connecting directly to an upstream MCP server — you must turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) as you would for any other [HTTP policy](/cloudflare-one/traffic-policies/http-policies/). +This automatic decryption applies only to traffic that flows through the portal. To inspect MCP traffic that does not pass through the portal — for example, an agent on a [device running the WARP client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) connecting directly to an upstream MCP server — you must turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) as you would for any other [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/). :::note -Portal traffic ignores the global TLS decryption setting, but it still respects [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) HTTP policies. If a Do Not Inspect policy matches portal traffic, Gateway does not decrypt it and DLP cannot scan it. Check that your Do Not Inspect policies do not unintentionally exempt your upstream MCP servers from inspection. +Portal traffic ignores the global TLS decryption setting, but it still respects [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) HTTP policies. If a Do Not Inspect policy matches portal traffic, Gateway does not decrypt it and DLP cannot scan it. Check that your Do Not Inspect policies do not unintentionally exempt your upstream MCP servers from inspection. ::: ### Supported transports diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/index.mdx index 13322f4ac22..a3246e19e23 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/index.mdx @@ -28,7 +28,7 @@ Non-HTTP applications require [connecting your private network](/cloudflare-one/ ## Cloudflare One Client -Users can connect by installing the Cloudflare One Client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route. To restrict access, [create a self-hosted application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/access-controls/policies/) or [Gateway firewall rules](/cloudflare-one/traffic-policies/network-policies/) that allow or block specific users. +Users can connect by installing the Cloudflare One Client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route. To restrict access, [create a self-hosted application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/access-controls/policies/) or [Gateway firewall rules](/cloudflare-one/traffic-policies/policy-types/network-policies/) that allow or block specific users. If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including: diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx index d988ac99b61..fa829f9d38e 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx @@ -75,7 +75,7 @@ Certain protocols require configuring the server to trust connections through Ac ## 6. Connect as a user -Users connect to the target's IP address using their preferred client software. The user must be logged into the Cloudflare One Client on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/traffic-policies/resolver-policies/) to allow connections to the target's private hostname. +Users connect to the target's IP address using their preferred client software. The user must be logged into the Cloudflare One Client on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to allow connections to the target's private hostname. ### Connect to different VNET diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx index 2f0c700b019..6880106a0b8 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx @@ -27,7 +27,7 @@ Existing **Private Network** applications continue to function and can still be 5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`). :::note - If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/traffic-policies/network-policies/) using the **Destination IP** selector. + If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/) using the **Destination IP** selector. ::: 6. Configure your [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) visibility and logo. @@ -49,7 +49,7 @@ Existing **Private Network** applications continue to function and can still be | -------------- | -------- | ------------ | ------ | | Destination IP | in | `10.128.0.7` | Block | - Policies are evaluated in [numerical order](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/traffic-policies/network-policies/). + Policies are evaluated in [numerical order](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/traffic-policies/policy-types/network-policies/). 9. Select **Add application**. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index 00a20e37e19..4765d85bfc4 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx @@ -22,9 +22,9 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce ## Prerequisites - Private IPs and hostnames are reachable over the Cloudflare One Client, Cloudflare WAN (formerly Magic WAN) or Browser Isolation. For more details, refer to [Connect a private network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). -- Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/). +- Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/). - Public IPs and hostnames can be used to define a private application, however the IP or hostname must route through Cloudflare via [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/), [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/), or [Cloudflare WAN](/cloudflare-wan/configuration/how-to/configure-routes/). -- (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications). +- (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications). ## Add your application to Access @@ -73,7 +73,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce ::: - - - The following settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/): + - The following settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/): @@ -85,9 +85,9 @@ Users can now connect to your private application after authenticating with Clou ### HTTPS applications -If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). +If [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). -If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned off, session management is [handled in the Cloudflare One Client](#non-https-applications) instead of in the browser. +If [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) is turned off, session management is [handled in the Cloudflare One Client](#non-https-applications) instead of in the browser. ### Non-HTTPS applications diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx index 4bab8586616..9a935d242ff 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx @@ -33,7 +33,7 @@ To secure your server behind Cloudflare Access: 2. Create a [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the server. :::note -If you do not wish to use Access, refer instead to our [SSH proxy instructions](/cloudflare-one/traffic-policies/network-policies/ssh-logging/). +If you do not wish to use Access, refer instead to our [SSH proxy instructions](/cloudflare-one/traffic-policies/policy-types/network-policies/ssh-logging/). ::: ## 2. Ensure Unix usernames match user SSO identities @@ -100,4 +100,4 @@ By default, the browser-based terminal prompts the user for a username/password --- -Your SSH server is now protected behind Cloudflare Access — users will be prompted to authenticate with your identity provider before they can connect. You can also enable SSH command logging by configuring a [Gateway Audit SSH policy](/cloudflare-one/traffic-policies/network-policies/ssh-logging/). +Your SSH server is now protected behind Cloudflare Access — users will be prompted to authenticate with your identity provider before they can connect. You can also enable SSH command logging by configuring a [Gateway Audit SSH policy](/cloudflare-one/traffic-policies/policy-types/network-policies/ssh-logging/). diff --git a/src/content/docs/cloudflare-one/access-controls/policies/common-policies.mdx b/src/content/docs/cloudflare-one/access-controls/policies/common-policies.mdx index 96fe918abed..841b1b0bfb1 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/common-policies.mdx @@ -634,7 +634,7 @@ resource "cloudflare_zero_trust_access_policy" "isolate_contractor_access" { -To restrict what users can do inside the isolated session, create a companion [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/) that matches traffic to the application domain. Set the action to **Isolate** and disable interactive controls in the [policy settings](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings). +To restrict what users can do inside the isolated session, create a companion [Gateway HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) that matches traffic to the application domain. Set the action to **Isolate** and disable interactive controls in the [policy settings](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings).
diff --git a/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx index 1c022491b6c..d4026f21d30 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx @@ -15,7 +15,7 @@ import { Render } from "~/components"; Requires [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/). ::: -With Access policies, you can require users to open self-hosted applications in a secure [remote browser](/cloudflare-one/remote-browser-isolation/). Because the remote browser is directly integrated into our Secure Web Gateway platform, [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) can be applied to isolated applications without needing to install the Cloudflare One Client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data. +With Access policies, you can require users to open self-hosted applications in a secure [remote browser](/cloudflare-one/remote-browser-isolation/). Because the remote browser is directly integrated into our Secure Web Gateway platform, [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) can be applied to isolated applications without needing to install the Cloudflare One Client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data. ## Prerequisites @@ -27,7 +27,7 @@ With Access policies, you can require users to open self-hosted applications in ## Policies for isolated applications -Traffic to the isolated Access application is filtered by your Gateway [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). Useful policies include: +Traffic to the isolated Access application is filtered by your Gateway [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). Useful policies include: - [Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) to allow or block requests based on user identity. - [Data Loss Prevention policies](/cloudflare-one/data-loss-prevention/) to log or block transmission of sensitive data. diff --git a/src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx index 219901d4eb3..c07faad5d91 100644 --- a/src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx +++ b/src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx @@ -100,7 +100,7 @@ When the authentication process completes successfully, a `CF_Authorization Set- :::caution -Cloudflare Gateway cannot inspect traffic to mTLS-protected domains. If a device has the Cloudflare One Client turned on and passes HTTP requests through Gateway, access will be blocked unless you [bypass HTTP inspection](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for the domain. +Cloudflare Gateway cannot inspect traffic to mTLS-protected domains. If a device has the Cloudflare One Client turned on and passes HTTP requests through Gateway, access will be blocked unless you [bypass HTTP inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) for the domain. ::: ### Test in a browser diff --git a/src/content/docs/cloudflare-one/changelog/gateway.mdx b/src/content/docs/cloudflare-one/changelog/gateway.mdx index 78c566120d3..398e9f52305 100644 --- a/src/content/docs/cloudflare-one/changelog/gateway.mdx +++ b/src/content/docs/cloudflare-one/changelog/gateway.mdx @@ -19,7 +19,7 @@ import { ProductChangelog, Render } from "~/components"; **Upload/Download File Size selectors for HTTP policies** -Gateway and DLP users can now create HTTP policies with the [Download and Upload File Size (MiB)](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-size) traffic selectors. This update allows users to block uploads or downloads based on file size. +Gateway and DLP users can now create HTTP policies with the [Download and Upload File Size (MiB)](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-file-size) traffic selectors. This update allows users to block uploads or downloads based on file size. ## 2025-02-02 @@ -37,7 +37,7 @@ Enterprise users can now [provide an IP address](/cloudflare-one/networks/resolv **Category filtering in the network policy builder** -Gateway users can now create network policies with the [Content Categories](/cloudflare-one/traffic-policies/network-policies/#content-categories) and [Security Risks](/cloudflare-one/traffic-policies/network-policies/#security-risks) traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management. +Gateway users can now create network policies with the [Content Categories](/cloudflare-one/traffic-policies/policy-types/network-policies/#content-categories) and [Security Risks](/cloudflare-one/traffic-policies/policy-types/network-policies/#security-risks) traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management. ## 2024-10-17 @@ -49,7 +49,7 @@ Gateway users can now generate [unique root CAs](/cloudflare-one/team-and-resour **Time-based policy duration** -Gateway now offers [time-based DNS policy duration](/cloudflare-one/traffic-policies/dns-policies/timed-policies/#time-based-policy-duration). With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off. +Gateway now offers [time-based DNS policy duration](/cloudflare-one/traffic-policies/policy-types/dns-policies/timed-policies/#time-based-policy-duration). With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off. ## 2024-10-04 @@ -61,7 +61,7 @@ Gateway now offers new fields in [activity logs](/cloudflare-one/insights/logs/d **File sandboxing** -Gateway users on Enterprise plans can create HTTP policies with [file sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) to quarantine previously unseen files downloaded by your users and scan them for malware. +Gateway users on Enterprise plans can create HTTP policies with [file sandboxing](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/) to quarantine previously unseen files downloaded by your users and scan them for malware. ## 2024-07-30 @@ -85,4 +85,4 @@ Gateway now offers the ability to selectively ignore CNAME domain categories in **Gateway file type control improvements** -Gateway now offers a more extensive, categorized [list of files](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) to control uploads and downloads. +Gateway now offers a more extensive, categorized [list of files](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-file-types) to control uploads and downloads. diff --git a/src/content/docs/cloudflare-one/cloud-and-saas-findings/manage-findings.mdx b/src/content/docs/cloudflare-one/cloud-and-saas-findings/manage-findings.mdx index badb208bcb3..ba68bd990a3 100644 --- a/src/content/docs/cloudflare-one/cloud-and-saas-findings/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/cloud-and-saas-findings/manage-findings.mdx @@ -182,7 +182,7 @@ CASB will log remediation actions in **Logs** > **Admin**. For more information, ## Resolve finding with a Gateway policy -CASB detects security issues that already exist in your SaaS environment. To prevent the same issues from recurring, you can create a [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/) directly from a CASB finding. For example, you can block users from sharing files publicly or accessing unsanctioned applications. +CASB detects security issues that already exist in your SaaS environment. To prevent the same issues from recurring, you can create a [Gateway HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) directly from a CASB finding. For example, you can block users from sharing files publicly or accessing unsanctioned applications. CASB supports creating a Gateway policy for findings from the [Google Workspace integration](/cloudflare-one/integrations/cloud-and-saas/google-workspace/): @@ -209,7 +209,7 @@ To create a Gateway policy directly from a CASB finding: :::note Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider. ::: -6. (Optional) [Configure the HTTP policy](/cloudflare-one/traffic-policies/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. +6. (Optional) [Configure the HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. 7. Select **Save**. Your HTTP policy will now prevent future instances of the security finding. diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries.mdx index 76a268ab8c5..a018994ba93 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries.mdx @@ -180,7 +180,7 @@ Your new document entry will replace the original document entry. If your file u ## AI prompt topics -DLP uses [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/#granular-controls) to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported AI prompt protection detections include: +DLP uses [Application Granular Controls](/cloudflare-one/traffic-policies/policy-types/http-policies/#granular-controls) to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported AI prompt protection detections include: | Detection entry | Description | | --- | --- | diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx index 8a0df9da96e..c73d9c8b6be 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx @@ -16,7 +16,7 @@ tags: import { GlossaryTooltip, Render } from "~/components"; -The following DLP policies are commonly used to secure sensitive data in uploaded and downloaded files. They are built as [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/) using the [DLP Profile](/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector. +The following DLP policies are commonly used to secure sensitive data in uploaded and downloaded files. They are built as [Gateway HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) using the [DLP Profile](/cloudflare-one/traffic-policies/policy-types/http-policies/#dlp-profile) selector. Before using these policies, complete the [prerequisites for scanning HTTP traffic](/cloudflare-one/data-loss-prevention/dlp-policies/#prerequisites). @@ -51,7 +51,7 @@ The following example blocks only contractors from uploading/downloading Financi ## Exclude Android applications -Many Android applications (such as Google Drive) use certificate pinning, which is incompatible with Gateway TLS decryption. These applications verify they are connecting directly to their own servers and will reject Gateway's inspection certificate. If needed, you can create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) so that the app can continue to function on Android: +Many Android applications (such as Google Drive) use certificate pinning, which is incompatible with Gateway TLS decryption. These applications verify they are connecting directly to their own servers and will reject Gateway's inspection certificate. If needed, you can create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) so that the app can continue to function on Android: 1. Set up an [OS version device posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/) that checks for the Android operating system. diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx index 1a6479a9d32..559e7348eaa 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx @@ -24,7 +24,7 @@ To scan AI prompts and responses without Gateway HTTP filtering, you can also en - Set up [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/). This routes your users' web traffic through Cloudflare Gateway so it can be inspected. - HTTP filtering requires turning on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP traffic. -- Turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption). Because most web traffic is encrypted with HTTPS, Gateway must decrypt it before DLP can scan the request body for sensitive data. +- Turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption). Because most web traffic is encrypted with HTTPS, Gateway must decrypt it before DLP can scan the request body for sensitive data. ## 1. Configure a DLP profile @@ -37,13 +37,13 @@ A DLP profile only defines detection patterns. DLP scans will not start until yo ## 2. Create a DLP policy -DLP Profiles may be used alongside other Cloudflare One rules in a [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/). To start logging or blocking traffic, create a policy for DLP: +DLP Profiles may be used alongside other Cloudflare One rules in a [Gateway HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/). To start logging or blocking traffic, create a policy for DLP: 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies**. Select **HTTP**. 2. Select **Add a policy**. -3. Build an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) using the [DLP Profile](/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector. For example, the following policy blocks users from uploading sensitive data to any location other than an approved corporate application. It combines three conditions: the request content matches a DLP profile, the HTTP method is `POST`, and the destination is not an approved application: +3. Build an [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) using the [DLP Profile](/cloudflare-one/traffic-policies/policy-types/http-policies/#dlp-profile) selector. For example, the following policy blocks users from uploading sensitive data to any location other than an approved corporate application. It combines three conditions: the request content matches a DLP profile, the HTTP method is `POST`, and the destination is not an approved application: | Selector | Operator | Value | Logic | Action | | ----------- | -------- | --------------------------------------------------------- | ----- | ------ | diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/logging-options.mdx index 1d82a425096..d1df587687c 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/logging-options.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/logging-options.mdx @@ -34,7 +34,7 @@ DLP can log the payload of matched HTTP requests in your Cloudflare logs. Use pa ### Turn on payload logging for a DLP policy -You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector — the filter condition that matches traffic against your DLP detection profiles. +You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/traffic-policies/policy-types/http-policies/#dlp-profile) selector — the filter condition that matches traffic against your DLP detection profiles. 1. Go to **Traffic policies** > **Firewall policies** > **HTTP**. 2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). @@ -84,7 +84,7 @@ DLP can detect and log the prompt topic sent to an AI tool. ### Turn on AI prompt content logging for a DLP policy -You can enable AI prompt content logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/traffic-policies/http-policies/#application) selector with a supported [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/#granular-controls) application. This means your policy must target a specific AI application (such as ChatGPT) that Gateway can inspect at a granular level. +You can enable AI prompt content logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/traffic-policies/policy-types/http-policies/#application) selector with a supported [Application Granular Controls](/cloudflare-one/traffic-policies/policy-types/http-policies/#granular-controls) application. This means your policy must target a specific AI application (such as ChatGPT) that Gateway can inspect at a granular level. 1. Go to **Traffic policies** > **Firewall policies** > **HTTP**. 2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx index 25b51f34016..9f11f5d8b34 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx @@ -33,13 +33,13 @@ DLP uses [**profiles**](/cloudflare-one/data-loss-prevention/dlp-profiles/) to d Data Loss Prevention complements [Secure Web Gateway](/cloudflare-one/traffic-policies/) to detect sensitive data transferred in HTTP requests. DLP scans the HTTP body (excluding headers), which may include uploaded or downloaded files, chat messages, forms, and other web content. -DLP requires [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/) with [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) to read the contents of HTTPS traffic in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy). +DLP requires [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/) with [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) to read the contents of HTTPS traffic in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policy). To get started, refer to [Scan HTTP traffic with DLP](/cloudflare-one/data-loss-prevention/dlp-policies/). ## Data at rest -Data Loss Prevention complements [Cloudflare CASB](/cloudflare-one/integrations/cloud-and-saas/) (Cloud Access Security Broker) to detect sensitive data stored in your SaaS applications. CASB connects directly to SaaS application APIs to retrieve and scan files, rather than reading files as they pass through Cloudflare Gateway. Because of this, Gateway and Cloudflare One Client settings (such as [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies and [Split Tunnel](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configurations) do not affect data at rest scans. +Data Loss Prevention complements [Cloudflare CASB](/cloudflare-one/integrations/cloud-and-saas/) (Cloud Access Security Broker) to detect sensitive data stored in your SaaS applications. CASB connects directly to SaaS application APIs to retrieve and scan files, rather than reading files as they pass through Cloudflare Gateway. Because of this, Gateway and Cloudflare One Client settings (such as [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policies and [Split Tunnel](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) configurations) do not affect data at rest scans. To get started, refer to [Scan SaaS applications with DLP](/cloudflare-one/cloud-and-saas-findings/casb-dlp/). @@ -47,7 +47,7 @@ To get started, refer to [Scan SaaS applications with DLP](/cloudflare-one/cloud - **AI Gateway** — Data Loss Prevention integrates with [Cloudflare AI Gateway](/ai-gateway/) to scan AI prompts and responses for sensitive data. To enable this, refer to [Set up DLP for AI Gateway](/ai-gateway/features/dlp/set-up-dlp/). When enabled, DLP inspects the text content of requests sent to AI providers and responses returned from AI models, without requiring Gateway HTTP filtering or TLS decryption. -- **Gateway Application Granular Controls** — [Gateway Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/#granular-controls) let you control specific actions within AI applications without blocking the entire application. You can add the [DLP Profile selector](/cloudflare-one/traffic-policies/http-policies/#dlp-profile) to the same HTTP policy to scan those operations for sensitive data, as described in [Scan HTTP traffic with DLP](/cloudflare-one/data-loss-prevention/dlp-policies/). +- **Gateway Application Granular Controls** — [Gateway Application Granular Controls](/cloudflare-one/traffic-policies/policy-types/http-policies/#granular-controls) let you control specific actions within AI applications without blocking the entire application. You can add the [DLP Profile selector](/cloudflare-one/traffic-policies/policy-types/http-policies/#dlp-profile) to the same HTTP policy to scan those operations for sensitive data, as described in [Scan HTTP traffic with DLP](/cloudflare-one/data-loss-prevention/dlp-policies/). - **AI Security for Apps** — DLP complements [AI Security for Apps](/waf/detections/ai-security-for-apps/) by providing profile-based detection of sensitive data in AI traffic, while AI Security for Apps handles large language model (LLM)-specific threats such as prompt injection and unsafe topics. To detect sensitive data alongside AI Security for Apps, configure [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/) and apply them to your AI traffic policies. diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx index c8593df774f..64b29248d10 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx @@ -16,7 +16,7 @@ Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). ## DLP policy does not trigger or block content -DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). +DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). To turn on TLS decryption: @@ -53,7 +53,7 @@ This policy only blocks uploads of financial data to file-sharing websites for a | DLP Profile | in | _Financial Information_ | And | | | User Group Names | in | `Finance Team` | | | -You can also create policies that match trusted applications using the [**Do Not Scan** action](/cloudflare-one/traffic-policies/http-policies/#do-not-scan). +You can also create policies that match trusted applications using the [**Do Not Scan** action](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-scan). ## DLP detections are inconsistent diff --git a/src/content/docs/cloudflare-one/faq/policies-faq.mdx b/src/content/docs/cloudflare-one/faq/policies-faq.mdx index 55f193deb8a..4e66d6395bc 100644 --- a/src/content/docs/cloudflare-one/faq/policies-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/policies-faq.mdx @@ -21,7 +21,7 @@ Gateway and Access policies generally trigger from top to bottom based on their ## **How can I bypass the L7 firewall for a website?** -Cloudflare Gateway uses the hostname in the HTTP `CONNECT` header to identify the destination of the request. Administrators who wish to bypass a site must create a [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic. +Cloudflare Gateway uses the hostname in the HTTP `CONNECT` header to identify the destination of the request. Administrators who wish to bypass a site must create a [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policy in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic. Bypassing the L7 firewall results in no HTTP traffic inspection, and logging is disabled for that HTTP session. diff --git a/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx b/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx index 6a76cecbeb7..75a1df8fc91 100644 --- a/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx +++ b/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx @@ -29,9 +29,9 @@ To review Gateway analytics: ## HTTP request analytics -Your [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/) power the HTTP request analytics dashboard. If you are not using Gateway HTTP policies, the dashboard will appear empty. +Your [Gateway HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) power the HTTP request analytics dashboard. If you are not using Gateway HTTP policies, the dashboard will appear empty. -The HTTP request analytics dashboard helps you identify trends in how your HTTP policies apply over time. By visualizing allowed, [isolated](/cloudflare-one/remote-browser-isolation/) (rendered in a remote browser), and [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) (bypassing TLS decryption) requests, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns. +The HTTP request analytics dashboard helps you identify trends in how your HTTP policies apply over time. By visualizing allowed, [isolated](/cloudflare-one/remote-browser-isolation/) (rendered in a remote browser), and [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) (bypassing TLS decryption) requests, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns. To review a detailed description of an HTTP request and its associated policy: @@ -53,7 +53,7 @@ To review a detailed description of an HTTP request and its associated policy: ## DNS query analytics -Your [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/) power the DNS query analytics dashboard. If you are not using Gateway DNS policies, the dashboard will appear empty. +Your [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) power the DNS query analytics dashboard. If you are not using Gateway DNS policies, the dashboard will appear empty. The DNS query analytics dashboard helps you identify trends in how your DNS policies apply over time. By visualizing allowed, blocked, and overridden (DNS response replaced by a policy-defined address) queries, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns. @@ -76,7 +76,7 @@ To review a detailed description of a DNS query and its associated policy: ## Network policy analytics -Your [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) power the Network policy analytics dashboard. If you are not using Gateway network policies, the dashboard will appear empty. +Your [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) power the Network policy analytics dashboard. If you are not using Gateway network policies, the dashboard will appear empty. The Network policy analytics dashboard helps you identify trends in how your Gateway network policies apply over time. By visualizing allowed, blocked, and overridden (traffic rerouted by a policy-defined rule) sessions, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns. diff --git a/src/content/docs/cloudflare-one/insights/analytics/network-sessions.mdx b/src/content/docs/cloudflare-one/insights/analytics/network-sessions.mdx index df3f84ad019..4e43682b5ec 100644 --- a/src/content/docs/cloudflare-one/insights/analytics/network-sessions.mdx +++ b/src/content/docs/cloudflare-one/insights/analytics/network-sessions.mdx @@ -64,4 +64,4 @@ For the full list of reasons for session termination, refer to [ConnectionCloseR ## Related resources - [Zero Trust network sessions Logpush dataset](/logs/logpush/logpush-job/datasets/account/zero_trust_network_sessions/): View detailed logs for individual network sessions. -- [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/): Configure policies that apply to network traffic. +- [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/): Configure policies that apply to network traffic. diff --git a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx index 8cec3fc26a7..ffe718a5f3d 100644 --- a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx +++ b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx @@ -50,10 +50,10 @@ To manage application statuses in bulk, select **Set Application Statuses** to r ### 3. Create policies -After marking applications, you can create [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) based on application review status. For example, you can create policies that: +After marking applications, you can create [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) based on application review status. For example, you can create policies that: -- Launch all **Unreviewed** and **In review** applications in an [isolated browser](/cloudflare-one/traffic-policies/http-policies/common-policies/#1-isolate-unreviewed-or-in-review-applications). -- [Block access](/cloudflare-one/traffic-policies/http-policies/common-policies/#2-block-unapproved-applications) to all **Unapproved** applications. +- Launch all **Unreviewed** and **In review** applications in an [isolated browser](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#1-isolate-unreviewed-or-in-review-applications). +- [Block access](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#2-block-unapproved-applications) to all **Unapproved** applications. - Limit file upload capabilities for specific application statuses. To create an HTTP status policy directly from Shadow IT Discovery: diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx index b2a31ec6e17..0c5f1c1a6d5 100644 --- a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx @@ -66,7 +66,7 @@ These settings only apply to logs displayed in Cloudflare One. Logpush data is u | **Query name** | Name of the domain that was queried. | | **Query ID** | UUID of the query assigned by Cloudflare. | | **Email** | Email address of the user who registered the Cloudflare One Client where traffic originated from. If a non-identity on-ramp (such as a [proxy endpoint](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/)) or machine-level authentication (such as a [service token](/cloudflare-one/access-controls/service-credentials/service-tokens/)) was used, this value will be `non_identity@.cloudflareaccess.com`. | -| **Action** | The [Action](/cloudflare-one/traffic-policies/dns-policies/#actions) Gateway applied to the query (such as Allow or Block). | +| **Action** | The [Action](/cloudflare-one/traffic-policies/policy-types/dns-policies/#actions) Gateway applied to the query (such as Allow or Block). | | **Time** | Date and time of the DNS query. | | **Resolver decision** | The reason why Gateway applied a particular **Action** to the request. Refer to the [list of resolver decisions](#resolver-decisions). | | **Resolved IPs** | Resolved IP addresses in the response. | @@ -167,7 +167,7 @@ To log failed connections, use [network session logs](/logs/logpush/logpush-job/ | **Source IP** | IP address of the user sending the packet. | | **Source Internal IP** | Private IP address assigned by the user's local network. | | **Destination IP** | IP address of the packet's target. | -| **Action** | The Gateway [Action](/cloudflare-one/traffic-policies/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). | +| **Action** | The Gateway [Action](/cloudflare-one/traffic-policies/policy-types/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). | | **Session ID** | ID of the unique session. | | **Time** | Date and time of the session. | @@ -205,7 +205,7 @@ To log failed connections, use [network session logs](/logs/logpush/logpush-job/ | **Destination IP continent** | Continent code of the IP address for the packet's destination. | | **Destination IP country** | Country code of the IP address for the packet's destination. | | **Transport protocol** | Protocol over which the packet was sent. | -| **Detected Protocol** | The detected [network protocol](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). | +| **Detected Protocol** | The detected [network protocol](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/). | | **SNI** | Host whose Server Name Indication (SNI) header Gateway will filter traffic against. | | **Virtual Network** | [Virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. | | **Category details** | Category or categories associated with the packet. | @@ -229,7 +229,7 @@ Gateway does not log HTTP bodies. The exception is error requests: when an HTTP | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Host** | Hostname in the HTTP header for the HTTP request. Gateway will log the SNI in this field if it responded to the request with a Do Not Inspect action. If Gateway does not receive the SNI, this field will be empty. | | **Email** | Email address of the user who made the HTTP request. This is generated by the Cloudflare One Client. | -| **Action** | The Gateway [Action](/cloudflare-one/traffic-policies/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). | +| **Action** | The Gateway [Action](/cloudflare-one/traffic-policies/policy-types/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). | | **Request ID** | Unique ID of the request. | | **Time** | Date and time of the HTTP request. | | **Source internal IP** | Private IP address assigned by the user's local network. | @@ -285,7 +285,7 @@ Gateway does not log HTTP bodies. The exception is error requests: when an HTTP | **Categories** | [Content categories](/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. | | **Proxy endpoint** | [PAC file proxy endpoint](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) Gateway forwarded traffic to, if applicable. | | **Virtual Network** | [Virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. | -| **Sandbox scanned** | Status of the [file quarantine](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). | +| **Sandbox scanned** | Status of the [file quarantine](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/). | #### File detection details diff --git a/src/content/docs/cloudflare-one/integrations/cloud-and-saas/findings/index.mdx b/src/content/docs/cloudflare-one/integrations/cloud-and-saas/findings/index.mdx index 81e60cf4679..2fd2c2fa7d1 100644 --- a/src/content/docs/cloudflare-one/integrations/cloud-and-saas/findings/index.mdx +++ b/src/content/docs/cloudflare-one/integrations/cloud-and-saas/findings/index.mdx @@ -204,7 +204,7 @@ To create a Gateway policy directly from a CASB finding: :::note Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider. ::: -6. (Optional) [Configure the HTTP policy](/cloudflare-one/traffic-policies/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. +6. (Optional) [Configure the HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. 7. Select **Save**. Your HTTP policy will now prevent future instances of the security finding. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices.mdx index 24a67787ad1..0e9198ebfae 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/client-devices.mdx @@ -53,7 +53,7 @@ Once connected, a client device can: - **Mesh nodes** — Reach any online node by its Mesh IP. SSH, database connections, API calls all work. - **Subnets behind nodes** — Access hosts on private networks that a node advertises via [CIDR routes](/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) (for example, printers, databases, or servers that cannot run the client). -All traffic is subject to your [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/), so you can control which users and devices can reach specific resources. +All traffic is subject to your [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/), so you can control which users and devices can reach specific resources. ## Split Tunnel configuration diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/index.mdx index 455757a9910..c87811a264b 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/index.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/index.mdx @@ -60,7 +60,7 @@ flowchart LR CF <--> D ``` -All traffic passes through Cloudflare, so [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/), [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and access rules apply to every connection. +All traffic passes through Cloudflare, so [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/), [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and access rules apply to every connection. ## Mesh IPs @@ -95,9 +95,9 @@ If you have used Tailscale, WireGuard, or a similar product, here is how concept | Tailnet / mesh network | Your Cloudflare account's Mesh network | | Node / peer | Mesh node (servers) or client device (laptops/phones) | | Subnet router | Mesh node with [CIDR routes](/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) | -| MagicDNS / custom DNS | [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) + [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) | -| ACLs / access rules | [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) + [device posture](/cloudflare-one/reusable-components/posture-checks/) | -| Exit node | Attach a public CIDR to a Mesh node and traffic to those IPs exits through that node. For broader Internet filtering, use [Gateway egress policies](/cloudflare-one/traffic-policies/egress-policies/). | +| MagicDNS / custom DNS | [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) + [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) | +| ACLs / access rules | [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) + [device posture](/cloudflare-one/reusable-components/posture-checks/) | +| Exit node | Attach a public CIDR to a Mesh node and traffic to those IPs exits through that node. For broader Internet filtering, use [Gateway egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/). | | Admin console | [Cloudflare dashboard](https://dash.cloudflare.com/?to=/:account/mesh) under **Networking** > **Mesh** | Key differences: diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/routes.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/routes.mdx index 237e5f5b5c9..951748b463c 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/routes.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/routes.mdx @@ -191,7 +191,7 @@ For production site-to-site deployments, consider enabling [high availability](/ ## DNS filtering -To filter DNS queries from the subnet using [Cloudflare Gateway](/cloudflare-one/traffic-policies/dns-policies/): +To filter DNS queries from the subnet using [Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/dns-policies/): 1. **Configure DNS on your router**: Point your router's DNS to the Gateway resolver IPs: - `172.64.36.1` @@ -205,7 +205,7 @@ To filter DNS queries from the subnet using [Cloudflare Gateway](/cloudflare-one - The subnet's internal DNS resolver IP - Gateway initial resolved IP range: `100.80.0.0/16` (IPv4) and `2606:4700:0cf1:4000::/64` (IPv6) -Gateway logs DNS queries with the private source IP of the originating device. You can use this to create [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) for internal DNS records. +Gateway logs DNS queries with the private source IP of the originating device. You can use this to create [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) for internal DNS records. ## Hostname routes @@ -285,10 +285,10 @@ If the node cannot resolve the hostname on its own, the simplest option is to ad #### Split DNS: DNS and application traffic use different connectors -You only need a Gateway [resolver policy](/cloudflare-one/traffic-policies/resolver-policies/) when the DNS query must be sent to a **different** connector than the application traffic — for example, the internal DNS server sits behind one Mesh node or Cloudflare Tunnel, while the application is reached through another. In that case: +You only need a Gateway [resolver policy](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) when the DNS query must be sent to a **different** connector than the application traffic — for example, the internal DNS server sits behind one Mesh node or Cloudflare Tunnel, while the application is reached through another. In that case: 1. Add a [CIDR route](#add-a-route) for the DNS server's IP so Gateway can reach it through the connector where the DNS server lives (a Mesh node or a [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/)). -2. Create a [resolver policy](/cloudflare-one/traffic-policies/resolver-policies/) that sends DNS queries for the hostname (or its domain) to that internal DNS server. +2. Create a [resolver policy](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) that sends DNS queries for the hostname (or its domain) to that internal DNS server. :::note[Where to run the DNS server] @@ -303,7 +303,7 @@ For a **public** hostname, the Mesh node handles resolution: Gateway sends the D ### Secure hostname traffic -After adding a hostname route, secure it with either an [Access self-hosted application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) or [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/). For details and examples, refer to [Connect a private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/#3-recommended-filter-network-traffic-with-gateway). +After adding a hostname route, secure it with either an [Access self-hosted application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) or [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). For details and examples, refer to [Connect a private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/#3-recommended-filter-network-traffic-with-gateway). ### Limitations diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx index 9af235c9588..700250a1746 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx @@ -54,7 +54,7 @@ To connect your infrastructure with Cloudflare Tunnel: If you have applications clearly defined by IPs or hostnames, we recommend [creating an Access application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway network and DNS policies for IP ranges and domains. -For more information on building Gateway policies, refer to [Secure your first application](/learning-paths/replace-vpn/build-policies/create-policy/) and [Common network policies](/cloudflare-one/traffic-policies/network-policies/common-policies/#restrict-access-to-private-networks). +For more information on building Gateway policies, refer to [Secure your first application](/learning-paths/replace-vpn/build-policies/create-policy/) and [Common network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies/#restrict-access-to-private-networks). ## 5. Connect as a user diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx index 68c1f94db38..0388d148736 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx @@ -127,7 +127,7 @@ You can create an [Access self-hosted application](/cloudflare-one/access-contro #### Option 2: Gateway firewall policies -If you prefer to secure the application using a traditional firewall model, you can build Gateway network policies using the [SNI](/cloudflare-one/traffic-policies/network-policies/#sni) or [SNI Domain](/cloudflare-one/traffic-policies/network-policies/#sni-domain) selector. For an additional layer of protection, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/traffic-policies/dns-policies/#host) or [Domain](/cloudflare-one/traffic-policies/dns-policies/#domain) from resolving. +If you prefer to secure the application using a traditional firewall model, you can build Gateway network policies using the [SNI](/cloudflare-one/traffic-policies/policy-types/network-policies/#sni) or [SNI Domain](/cloudflare-one/traffic-policies/policy-types/network-policies/#sni-domain) selector. For an additional layer of protection, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/traffic-policies/policy-types/dns-policies/#host) or [Domain](/cloudflare-one/traffic-policies/policy-types/dns-policies/#domain) from resolving.
The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic. @@ -150,7 +150,7 @@ If you prefer to secure the application using a traditional firewall model, you -Additionally, SNI selectors will only apply to Cloudflare One Client traffic. If your users will be connecting from other [on-ramps](#device-connectivity), you can allow or block network traffic using the [Destination IP](/cloudflare-one/traffic-policies/network-policies/#destination-ip) selector instead of SNI. +Additionally, SNI selectors will only apply to Cloudflare One Client traffic. If your users will be connecting from other [on-ramps](#device-connectivity), you can allow or block network traffic using the [Destination IP](/cloudflare-one/traffic-policies/policy-types/network-policies/#destination-ip) selector instead of SNI. ::: ### 4. Test the connection @@ -176,7 +176,7 @@ If you cannot connect, verify the following: Address: 100.80.200.48 ``` - The query should resolve using [WARP's DNS proxy](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#dns-traffic) and return a Gateway initial resolved IP. If the query fails to resolve or returns a different IP, check your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) configuration and [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/). + The query should resolve using [WARP's DNS proxy](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#dns-traffic) and return a Gateway initial resolved IP. If the query fails to resolve or returns a different IP, check your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) configuration and [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/). 2. **Check Gateway logs** - Review your [Gateway network logs](/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) to see if the connection is being blocked by a policy. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx index 72e1a7deaea..8d77da5c61c 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx @@ -33,7 +33,7 @@ To resolve private DNS queries: 3. Route specific DNS queries to your internal DNS resolver using one of the following options: - [Create a Local Domain Fallback entry](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) that points to the internal DNS resolver. For example, you can instruct the Cloudflare One Client to resolve all requests for `myorg.privatecorp` through an internal resolver at `10.0.0.25` rather than attempting to resolve this publicly. - - Alternatively, [create a resolver policy](/cloudflare-one/traffic-policies/resolver-policies/#create-a-resolver-policy) that points to the internal DNS resolver. + - Alternatively, [create a resolver policy](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#create-a-resolver-policy) that points to the internal DNS resolver. 4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP and UDP. @@ -69,7 +69,7 @@ Use the following troubleshooting strategies if you are running into issues whil - Ensure that end-user devices are enrolled into the Cloudflare One Client by visiting [https://help.teams.cloudflare.com](https://help.teams.cloudflare.com). -- Double-check the [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) for your [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/). Ensure that a more global Block or Allow policy will not supersede application-specific policies. +- Double-check the [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) for your [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). Ensure that a more global Block or Allow policy will not supersede application-specific policies. - Check your [Gateway network logs](/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#network-logs) to see whether your UDP DNS resolutions are being allowed or blocked. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/index.mdx index 056ba2a225c..5d10734e40a 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/index.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/index.mdx @@ -14,7 +14,7 @@ With Cloudflare Zero Trust, you can connect private networks and the services ru To reach private network IPs, end users must connect their device to Cloudflare and enroll in your Zero Trust organization. The most common method is to install the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on their device, or you can onboard their network traffic to Cloudflare using [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/), [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/), or [Cloudflare WAN](/cloudflare-wan/zero-trust/cloudflare-tunnel/). -Administrators can optionally set [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to control access to services based on user identity and device posture. +Administrators can optionally set [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to control access to services based on user identity and device posture. ## Connectors diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx index 20e3154ad0e..587bbe13d63 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx @@ -55,7 +55,7 @@ To establish a secure, outbound-only connection to Cloudflare: ## 4. (Recommended) Create a Gateway policy -You can configure [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and the second blocks all other traffic. Make sure that the Allow policy has higher [priority](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). +You can configure [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and the second blocks all other traffic. Make sure that the Allow policy has higher [priority](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). ### 1. Allow secured devices diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client.mdx index de39e26c533..dea0ebbe2e2 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-device-client.mdx @@ -260,7 +260,7 @@ If you cannot connect, verify the following: Address: 100.80.200.48 ``` - The query should resolve using [WARP's DNS proxy](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#dns-traffic) and return a Gateway initial resolved IP. If the query fails to resolve or returns a different IP, check your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) configuration and [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/). + The query should resolve using [WARP's DNS proxy](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#dns-traffic) and return a Gateway initial resolved IP. If the query fails to resolve or returns a different IP, check your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) configuration and [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/). 2. **Check Gateway logs** - Review your [Gateway network logs](/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/) to see if the connection is being blocked by a policy. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx index 2b273d82931..110db157181 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx @@ -159,7 +159,7 @@ To turn off SSH command logging, delete your uploaded public key: 2. Select **Remove**. 3. Select **Remove key** to confirm. -Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to [Gateway Audit SSH](/cloudflare-one/traffic-policies/network-policies/ssh-logging/) policies. +Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to [Gateway Audit SSH](/cloudflare-one/traffic-policies/policy-types/network-policies/ssh-logging/) policies. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway.mdx index 37ab275a843..e80a86c5647 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway.mdx @@ -21,14 +21,14 @@ import { Render } from "~/components"; warpURL: "/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-one-client/", cfAutoCertificatesURL: "/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/", cfManualCertificatesURL: "/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/", - decryptTlsURL: "/cloudflare-one/traffic-policies/http-policies/tls-decryption/", - doNotInspectURL: "/cloudflare-one/traffic-policies/http-policies/#do-not-inspect", + decryptTlsURL: "/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/", + doNotInspectURL: "/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect", warpChecksURL: "/cloudflare-one/reusable-components/posture-checks/client-checks/", osVersionChecks: "/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/", mwanOnrampsURL: "/cloudflare-one/networks/connectors/cloudflare-wan/on-ramps/", - gatewayResolverPoliciesURL: "/cloudflare-one/traffic-policies/resolver-policies/", - gatewayInternalDnsURL: "/cloudflare-one/traffic-policies/resolver-policies/#internal-dns", - egressPoliciesURL: "/cloudflare-one/traffic-policies/egress-policies/", + gatewayResolverPoliciesURL: "/cloudflare-one/traffic-policies/policy-types/resolver-policies/", + gatewayInternalDnsURL: "/cloudflare-one/traffic-policies/policy-types/resolver-policies/#internal-dns", + egressPoliciesURL: "/cloudflare-one/traffic-policies/policy-types/egress-policies/", gatewayLogsURL: "/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#http-logs", tcpMssClampingURL: "/cloudflare-one/networks/connectors/cloudflare-wan/get-started/#set-maximum-segment-size", ikeURL: "/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/#supported-configuration-parameters", diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/security-services.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/security-services.mdx index 1bcbcba6460..5edb28eedfe 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/security-services.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/security-services.mdx @@ -16,7 +16,7 @@ import { Render } from "~/components"; file="cloudflare-wan/zero-trust/security-services" product="networking-services" params={{ - networkFirewallURL: "/cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview/", + networkFirewallURL: "/cloudflare-one/traffic-policies/policy-types/packet-filtering/network-firewall-overview/", gatewaySetupURL: "/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway/", wanTransformationURL: "/cloudflare-one/networks/connectors/cloudflare-wan/wan-transformation/", }} diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips.mdx index 7480922c589..d7ad0d26a23 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips.mdx @@ -89,7 +89,7 @@ For example, for the DoH hostname `https://65y9p2vm1u.cloudflare-gateway.com/dns By default, all queries from a configured DNS location will be sent to its DNS resolver IP address to be inspected by Gateway. You can configure Gateway to only filter queries originating from specific networks within a location: 1. [Create an IP list](/cloudflare-one/reusable-components/lists/) with the IPv4 and/or IPv6 addresses that your organization will source queries from. -2. Add a [Source IP](/cloudflare-one/traffic-policies/dns-policies/#source-ip) condition to your DNS policies. +2. Add a [Source IP](/cloudflare-one/traffic-policies/policy-types/dns-policies/#source-ip) condition to your DNS policies. For example, to block security threats for specific networks, you could create the following policy: diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/locations/index.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/locations/index.mdx index 4640a00b958..4c9393b055a 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/locations/index.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/locations/index.mdx @@ -18,7 +18,7 @@ import { GlossaryDefinition, Render } from "~/components"; 10. Change the DNS resolvers on your router, browser, or OS by following the setup instructions in the UI. 11. Select **Go to DNS Location**. Your location will appear in your list of locations. -You can now apply [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) to your location using the [Location selector](/cloudflare-one/traffic-policies/dns-policies/#location). +You can now apply [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) to your location using the [Location selector](/cloudflare-one/traffic-policies/policy-types/dns-policies/#location). ## DNS endpoints @@ -55,7 +55,7 @@ Gateway requires a DoH endpoint for default DNS locations. For more information, Secure DNS locations provide additional protection against malicious domains for use in services such as [protective DNS (PDNS)](/reference-architecture/diagrams/sase/gateway-for-protective-dns/). For a DNS location to be considered secure, Gateway requires that: - Your IPv4 and IPv6 endpoints use your [BYOIP addresses](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) (if any). -- [Source network filtering](/cloudflare-one/traffic-policies/network-policies/) is configured for your IPv4, IPv6, and DoT endpoints. +- [Source network filtering](/cloudflare-one/traffic-policies/policy-types/network-policies/) is configured for your IPv4, IPv6, and DoT endpoints. - Source network filtering or token authentication are configured for your DoH endpoints. - Any enabled endpoints for a DNS location meet security permissions. diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/best-practices.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/best-practices.mdx index 863f773d4a7..c7a6677944a 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/best-practices.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/best-practices.mdx @@ -188,7 +188,7 @@ function FindProxyForURL(url, host) { When using PAC files for public Internet browsing (not just internal services), you may need to bypass the proxy for certain domains to prevent website functionality issues. The following are common scenarios where your proxy may interfere with traffic. :::note[Optional rules] -These bypass rules are optional and depend on your organization's security requirements. Evaluate each bypass rule against your security policies before implementation. You can also use [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) to selectively filter traffic from these domains while still routing them through the proxy. +These bypass rules are optional and depend on your organization's security requirements. Evaluate each bypass rule against your security policies before implementation. You can also use [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) to selectively filter traffic from these domains while still routing them through the proxy. ::: ### Font and static asset providers @@ -235,7 +235,7 @@ if ( } ``` -[Do Not Inspect (DNI) policies](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) will not prevent certificate pinning errors on these connections — bypassing certificate-pinned apps in the PAC file is required. +[Do Not Inspect (DNI) policies](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) will not prevent certificate pinning errors on these connections — bypassing certificate-pinned apps in the PAC file is required. ## Test PAC files diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/configure-pac-file-on-device.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/configure-pac-file-on-device.mdx index 498cee2c92b..dcaefdedc31 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/configure-pac-file-on-device.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/configure-pac-file-on-device.mdx @@ -225,7 +225,7 @@ To deploy proxy settings to managed Chrome browsers on any operating system: After you configure a PAC file on your device, verify that traffic routes through Gateway: 1. Open a browser on the configured device. -2. Create an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to block a test domain (for example, `example.com`). +2. Create an [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) to block a test domain (for example, `example.com`). 3. Visit the blocked domain in your browser. 4. Verify that the Gateway block page appears. @@ -233,6 +233,6 @@ If the block page does not appear, refer to the [PAC file troubleshooting sectio ## Next steps -- [Create HTTP policies](/cloudflare-one/traffic-policies/http-policies/) to filter proxy endpoint traffic. +- [Create HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) to filter proxy endpoint traffic. - Review [PAC file best practices](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/best-practices/) for formatting, performance optimization, and bypass rules. -- Use the [Proxy Endpoint selector](/cloudflare-one/traffic-policies/http-policies/#proxy-endpoint) in HTTP and network policies to apply rules to proxy traffic. +- Use the [Proxy Endpoint selector](/cloudflare-one/traffic-policies/policy-types/http-policies/#proxy-endpoint) in HTTP and network policies to apply rules to proxy traffic. diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx index f10ef70e293..33944443fa6 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx @@ -87,7 +87,7 @@ Use source IP endpoints when: ## 1. Create a proxy endpoint :::caution -All devices you add to the proxy endpoint can access your Cloudflare Tunnel applications and services. If you only want to proxy web traffic, [create a Network policy](/cloudflare-one/traffic-policies/network-policies/common-policies/#restrict-private-network-access-to-proxy-endpoint-users) that restricts proxy endpoint traffic from connecting to your internal resources. +All devices you add to the proxy endpoint can access your Cloudflare Tunnel applications and services. If you only want to proxy web traffic, [create a Network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies/#restrict-private-network-access-to-proxy-endpoint-users) that restricts proxy endpoint traffic from connecting to your internal resources. ::: @@ -342,9 +342,9 @@ Safari relies on your operating system's proxy server settings. Configure the PA ## 4. Test your HTTP policy -To test your configuration, create an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to block a test domain. When you visit the blocked domain in your browser, you should see the Gateway block page. +To test your configuration, create an [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) to block a test domain. When you visit the blocked domain in your browser, you should see the Gateway block page. -You can now use the Proxy Endpoint selector in [network](/cloudflare-one/traffic-policies/network-policies/#proxy-endpoint) and [HTTP](/cloudflare-one/traffic-policies/http-policies/#proxy-endpoint) policies to filter traffic proxied via PAC files. +You can now use the Proxy Endpoint selector in [network](/cloudflare-one/traffic-policies/policy-types/network-policies/#proxy-endpoint) and [HTTP](/cloudflare-one/traffic-policies/policy-types/http-policies/#proxy-endpoint) policies to filter traffic proxied via PAC files. ## 5. (Optional) Configure firewall @@ -500,7 +500,7 @@ When using [authorization endpoints](#authorization-endpoint), be aware of the f #### TLS inspection required -Authorization endpoints require [TLS inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) on all proxied traffic. Gateway must decrypt HTTPS requests to read the authorization cookie that identifies each user session. Gateway always performs TLS decryption for traffic routed through an authorization endpoint, even if you turn off TLS decryption at the account level. You cannot selectively bypass TLS inspection for specific destinations when using an authorization endpoint. +Authorization endpoints require [TLS inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) on all proxied traffic. Gateway must decrypt HTTPS requests to read the authorization cookie that identifies each user session. Gateway always performs TLS decryption for traffic routed through an authorization endpoint, even if you turn off TLS decryption at the account level. You cannot selectively bypass TLS inspection for specific destinations when using an authorization endpoint. #### Plaintext HTTP traffic @@ -520,8 +520,8 @@ This occurs because browsers do not tag HTTP sub-requests with the identity cook To filter this traffic, you have two options: -- Set up an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to block or allow all traffic matching the `auth-proxy-non-identity@.cloudflareaccess.com` email address. -- To restrict non-identity traffic to specific source IPs, create a [network policy](/cloudflare-one/traffic-policies/network-policies/) that matches both the source IP and the proxy endpoint. +- Set up an [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) to block or allow all traffic matching the `auth-proxy-non-identity@.cloudflareaccess.com` email address. +- To restrict non-identity traffic to specific source IPs, create a [network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/) that matches both the source IP and the proxy endpoint. ### Traffic limitations @@ -532,7 +532,7 @@ Each type of proxy endpoint supports the following features: | **HTTP/HTTPS traffic** | ✅[^1] | ✅[^2] | | **Non-HTTP TCP traffic** | ✅ | — | | **UDP traffic** | — | — | -| **[HTTP3](/cloudflare-one/traffic-policies/http-policies/http3/)** | — | — | +| **[HTTP3](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/)** | — | — | | **[Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/)** | — | ✅ | | **mTLS authentication** | — | — | | **[Happy Eyeballs](https://datatracker.ietf.org/doc/html/rfc6555)** | — | — | @@ -550,4 +550,4 @@ All connections proxied through Cloudflare Gateway have a maximum guaranteed dur ### Gateway DNS and resolver policies -Gateway [DNS](/cloudflare-one/traffic-policies/dns-policies/) and [resolver](/cloudflare-one/traffic-policies/resolver-policies/) policies will always apply to traffic proxied with PAC files, regardless of device configuration. +Gateway [DNS](/cloudflare-one/traffic-policies/policy-types/dns-policies/) and [resolver](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) policies will always apply to traffic proxied with PAC files, regardless of device configuration. diff --git a/src/content/docs/cloudflare-one/networks/routes/add-routes.mdx b/src/content/docs/cloudflare-one/networks/routes/add-routes.mdx index 455f9ceb9f1..9ff4c90218c 100644 --- a/src/content/docs/cloudflare-one/networks/routes/add-routes.mdx +++ b/src/content/docs/cloudflare-one/networks/routes/add-routes.mdx @@ -61,7 +61,7 @@ To add a hostname route: 4. In **Hostname**, enter the private or public hostname that represents your application (for example, `wiki.internal.local` or `app.bank.com`). 5. Select **Create route**. -Cloudflare will now route requests to your private network. However, the route does not automatically capture traffic from end users. To enable client-side connectivity, refer to the [private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/#3-route-network-traffic-through-the-cloudflare-one-client) setup guides. +Cloudflare will now route requests to your private network. However, the route does not automatically capture traffic from end users. To enable client-side connectivity, refer to the [private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](/cloudflare-one/traffic-policies/policy-types/egress-policies/egress-cloudflared/#3-route-network-traffic-through-the-cloudflare-one-client) setup guides. ## Add a published application route diff --git a/src/content/docs/cloudflare-one/networks/routes/reserved-ips.mdx b/src/content/docs/cloudflare-one/networks/routes/reserved-ips.mdx index 90e48086627..14e56870d92 100644 --- a/src/content/docs/cloudflare-one/networks/routes/reserved-ips.mdx +++ b/src/content/docs/cloudflare-one/networks/routes/reserved-ips.mdx @@ -51,8 +51,8 @@ Gateway initial resolved IPs are ephemeral addresses used to map hostnames to de The following features use this range: - [Private hostname routing](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) — routes traffic to private applications behind Cloudflare Tunnel using their hostnames. -- [Public hostname routing](/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) — egresses traffic through Cloudflare Tunnel to anchor source IPs for public destinations. -- [Egress policy host selectors](/cloudflare-one/traffic-policies/egress-policies/host-selectors/) — evaluates Gateway egress policies using hostname-based selectors. +- [Public hostname routing](/cloudflare-one/traffic-policies/policy-types/egress-policies/egress-cloudflared/) — egresses traffic through Cloudflare Tunnel to anchor source IPs for public destinations. +- [Egress policy host selectors](/cloudflare-one/traffic-policies/policy-types/egress-policies/host-selectors/) — evaluates Gateway egress policies using hostname-based selectors. - [Access private applications](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) — manage access to private applications using their private hostnames. Initial resolved IPs are assigned from the `100.80.0.0/16` (IPv4) or `2606:4700:0cf1:4000::/64` (IPv6) range. This range is not configurable. diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/extensions.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/extensions.mdx index 978325a9340..b76d1caa811 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/extensions.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/extensions.mdx @@ -23,7 +23,7 @@ When a page is isolated, it runs in a remote browser — not in the user's local This step is not required when browsing via Clientless Web Isolation. You can access the Chrome Web Store at `https://.cloudflareaccess.com/browser/https://chromewebstore.google.com/`. ::: -Installing extensions requires Chrome Web Store isolation. Create an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to isolate the Chrome Web Store (chromewebstore.google.com). +Installing extensions requires Chrome Web Store isolation. Create an [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) to isolate the Chrome Web Store (chromewebstore.google.com). ### Install an extension diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx index c608dbdef48..56e816729fe 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx @@ -19,7 +19,7 @@ Remote browser isolation is available as an add-on to Zero Trust Pay-as-you-go a Cloudflare Browser Isolation complements the [Secure Web Gateway](/cloudflare-one/traffic-policies/) (which inspects and filters HTTP/HTTPS traffic) and [Zero Trust Network Access](/cloudflare-one/networks/connectors/cloudflare-tunnel/) (which controls access to private applications) by executing active webpage content — executable code such as JavaScript and plugins — in a secure isolated browser. Because active content executes remotely instead of on the user's device, Browser Isolation protects users from zero-day attacks (attacks that exploit vulnerabilities with no available patch) and malware. -Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway [HTTP](/cloudflare-one/traffic-policies/http-policies/) and [DNS](/cloudflare-one/traffic-policies/dns-policies/) policies. +Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway [HTTP](/cloudflare-one/traffic-policies/policy-types/http-policies/) and [DNS](/cloudflare-one/traffic-policies/policy-types/dns-policies/) policies. Remote browsing is invisible to the user who continues to use their browser normally without changing their preferred browser and habits. Every open tab and window is automatically isolated. When the user closes the isolated browser, their session is automatically deleted. diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/isolation-policies.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/isolation-policies.mdx index c79945cdfad..d7fe9b5acf0 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/isolation-policies.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/isolation-policies.mdx @@ -97,7 +97,7 @@ When you isolate a website, you can also restrict what users do on that site. Th - _View in remote browser_: Users can open and view files in an isolated environment. :::note -This option does not prevent files from being downloaded into the remote browser. To prevent files being downloaded into the remote browser, use HTTP Policies to block by [Download Mime Type](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-mime-type). +This option does not prevent files from being downloaded into the remote browser. To prevent files being downloaded into the remote browser, use HTTP Policies to block by [Download Mime Type](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-mime-type). ::: ### File uploads @@ -106,7 +106,7 @@ This option does not prevent files from being downloaded into the remote browser - _Do not allow_: Prohibits users from uploading files from their local machine into an isolated website. :::note -This option does not prevent files being uploaded to websites from third-party cloud file managers or files downloaded into the remote browser download bar from other isolated websites. To prevent files being uploaded from the remote browser into an isolated website, use HTTP Policies to block by [Upload Mime Type](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-mime-type). +This option does not prevent files being uploaded to websites from third-party cloud file managers or files downloaded into the remote browser download bar from other isolated websites. To prevent files being uploaded from the remote browser into an isolated website, use HTTP Policies to block by [Upload Mime Type](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-mime-type). ::: ### Keyboard diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx index b4040d192db..acb0219c6bc 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx @@ -59,9 +59,9 @@ Browser Isolation is not supported in virtualized environments (VMs). Certain selectors for Gateway HTTP policies bypass Browser Isolation, including: -- [Destination Continent IP Geolocation](/cloudflare-one/traffic-policies/http-policies/#destination-continent) -- [Destination Country IP Geolocation](/cloudflare-one/traffic-policies/http-policies/#destination-country) -- [Destination IP](/cloudflare-one/traffic-policies/http-policies/#destination-ip) +- [Destination Continent IP Geolocation](/cloudflare-one/traffic-policies/policy-types/http-policies/#destination-continent) +- [Destination Country IP Geolocation](/cloudflare-one/traffic-policies/policy-types/http-policies/#destination-country) +- [Destination IP](/cloudflare-one/traffic-policies/policy-types/http-policies/#destination-ip) You cannot use these selectors to isolate traffic and isolation matches for these selectors will not appear in your Gateway logs. Additionally, you cannot apply other policies based on these selectors while in isolation. For example, if you have a Block policy that matches traffic based on destination IP, Gateway will not block the matching traffic if it is already isolated by an Isolate policy. diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx index c0e775d854e..34d63e5478d 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx @@ -46,7 +46,7 @@ To open links using Browser Isolation: ## Filter DNS queries -When users browse through Clientless Web Isolation, their DNS queries (the lookups that translate domain names to IP addresses) are handled by Gateway. You can use [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) to control which domains the remote browser can resolve. Enterprise users can resolve domains available only through private DNS servers by creating [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/). +When users browse through Clientless Web Isolation, their DNS queries (the lookups that translate domain names to IP addresses) are handled by Gateway. You can use [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) to control which domains the remote browser can resolve. Enterprise users can resolve domains available only through private DNS servers by creating [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/). Gateway DNS and resolver policies will always apply to Clientless Web Isolation traffic, regardless of device configuration. @@ -66,7 +66,7 @@ If `` is not provided, users are presented with a Cloudflare Zero Trust lan ### Allow or block websites -When users visit a website through the [Clientless Web Isolation URL](#use-the-remote-browser), the traffic passes through Cloudflare Gateway. This allows you to [apply HTTP policies](/cloudflare-one/traffic-policies/http-policies/) to control what websites the remote browser can connect to, even if the user's device does not have the Cloudflare One Client installed. +When users visit a website through the [Clientless Web Isolation URL](#use-the-remote-browser), the traffic passes through Cloudflare Gateway. This allows you to [apply HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) to control what websites the remote browser can connect to, even if the user's device does not have the Cloudflare One Client installed. For example, if you use a third-party Secure Web Gateway to block `example.com`, users can still access the page in the remote browser by visiting `https://.cloudflareaccess.com/browser/https://www.example.com/`. To block `https://.cloudflareaccess.com/browser/https://www.example.com/`, create a Cloudflare Gateway HTTP policy to block `example.com`: @@ -76,7 +76,7 @@ For example, if you use a third-party Secure Web Gateway to block `example.com`, ### Bypass TLS decryption -[TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) allows Gateway to inspect the contents of HTTPS traffic by decrypting it, applying policies, and re-encrypting it. If TLS decryption is turned on, Gateway will decrypt all sites accessed through the Clientless Web Isolation URL. Some sites are incompatible with this process (for example, sites that use certificate pinning). To connect to those sites, add a Do Not Inspect HTTP policy for the application or domain. +[TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) allows Gateway to inspect the contents of HTTPS traffic by decrypting it, applying policies, and re-encrypting it. If TLS decryption is turned on, Gateway will decrypt all sites accessed through the Clientless Web Isolation URL. Some sites are incompatible with this process (for example, sites that use certificate pinning). To connect to those sites, add a Do Not Inspect HTTP policy for the application or domain. | Selector | Operator | Value | Action | | -------- | -------- | ------------ | -------------- | @@ -84,7 +84,7 @@ For example, if you use a third-party Secure Web Gateway to block `example.com`, :::note -Clientless Web Isolation can function without TLS decryption turned on. However, TLS decryption is required to apply [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) to Clientless Web Isolation traffic, because Gateway must decrypt the traffic before it can inspect and filter the content. +Clientless Web Isolation can function without TLS decryption turned on. However, TLS decryption is required to apply [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) to Clientless Web Isolation traffic, because Gateway must decrypt the traffic before it can inspect and filter the content. ::: @@ -101,7 +101,7 @@ All users with access to your remote browser can access your Cloudflare Tunnel a ### Disable remote browser controls -You can configure [remote browser controls](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input. These settings display in the Gateway [HTTP policy builder](/cloudflare-one/traffic-policies/http-policies/) when you select the Isolate action. +You can configure [remote browser controls](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input. These settings display in the Gateway [HTTP policy builder](/cloudflare-one/traffic-policies/policy-types/http-policies/) when you select the Isolate action. ### Sync cookies between local and remote browser diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/index.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/index.mdx index 544051ac06b..ce0eed8e97e 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/index.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/index.mdx @@ -9,7 +9,7 @@ sidebar: label: Get started --- -Browser Isolation is enabled through [Secure Web Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/). By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies. +Browser Isolation is enabled through [Secure Web Gateway HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies. ## 1. Connect devices to Cloudflare @@ -32,7 +32,7 @@ To configure Browser Isolation policies: 1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies** > **HTTP**. 2. Select **Add a policy** and enter a name for the policy. -3. Use the HTTP policy [selectors](/cloudflare-one/traffic-policies/http-policies/#selectors) and [operators](/cloudflare-one/traffic-policies/http-policies/#comparison-operators) to specify the websites or content you want to isolate. +3. Use the HTTP policy [selectors](/cloudflare-one/traffic-policies/policy-types/http-policies/#selectors) and [operators](/cloudflare-one/traffic-policies/policy-types/http-policies/#comparison-operators) to specify the websites or content you want to isolate. 4. For **Action**, choose either [_Isolate_](/cloudflare-one/remote-browser-isolation/isolation-policies/#isolate) or [_Do not Isolate_](/cloudflare-one/remote-browser-isolation/isolation-policies/#do-not-isolate). 5. (Optional) Configure [settings](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) for an Isolate policy. 6. Select **Create policy**. diff --git a/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx index f0ab810ee25..c48a57dfb93 100644 --- a/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx @@ -10,7 +10,7 @@ sidebar: import { Render, Tabs, TabItem } from "~/components"; -When Gateway blocks traffic with a [DNS](/cloudflare-one/traffic-policies/dns-policies/#block) or [HTTP Block policy](/cloudflare-one/traffic-policies/http-policies/#block), you can configure a block page to display in your users' browsers. You can provide a descriptive reason for blocking traffic and contact information, or you can redirect your users' browsers to another page. You can apply these customizations globally for every Block policy, or override the settings on a per-policy basis. +When Gateway blocks traffic with a [DNS](/cloudflare-one/traffic-policies/policy-types/dns-policies/#block) or [HTTP Block policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#block), you can configure a block page to display in your users' browsers. You can provide a descriptive reason for blocking traffic and contact information, or you can redirect your users' browsers to another page. You can apply these customizations globally for every Block policy, or override the settings on a per-policy basis. ## Prerequisites @@ -46,7 +46,7 @@ To redirect users to a non-Cloudflare block page: Gateway will now redirect users to a custom page when user traffic matches a Block policy with the block page configured. -To create an HTTP policy to redirect URLs, refer to the [Redirect action](/cloudflare-one/traffic-policies/http-policies/#redirect). +To create an HTTP policy to redirect URLs, refer to the [Redirect action](/cloudflare-one/traffic-policies/policy-types/http-policies/#redirect). #### Policy context diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device.mdx index cfa3de7f13d..8e3104f5f24 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/client-checks/corp-device.mdx @@ -41,7 +41,7 @@ To create rules based on device serial numbers, you first need to create a [Gate 6. Select **Save**. -You can now create an [Access policy](/cloudflare-one/access-controls/policies/) or a Gateway [network policy](/cloudflare-one/traffic-policies/network-policies/common-policies/#enforce-device-posture) that checks if the device presents a serial number on your list. In Access, the serial number check will appear as a _Device Posture - Serial Number List_ selector. In Gateway, your serial number list will appear in the **Value** dropdown when you choose the [Passed Device Posture Check](/cloudflare-one/traffic-policies/network-policies/#device-posture) selector. +You can now create an [Access policy](/cloudflare-one/access-controls/policies/) or a Gateway [network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies/#enforce-device-posture) that checks if the device presents a serial number on your list. In Access, the serial number check will appear as a _Device Posture - Serial Number List_ selector. In Gateway, your serial number list will appear in the **Value** dropdown when you choose the [Passed Device Posture Check](/cloudflare-one/traffic-policies/policy-types/network-policies/#device-posture) selector. ## Validate the serial number diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/client-checks/tanium.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/client-checks/tanium.mdx index ae6d288654b..9a8e06cb2c5 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/client-checks/tanium.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/client-checks/tanium.mdx @@ -22,7 +22,7 @@ Not recommended for new deployments. We recommend using the [Tanium service-to-s Cloudflare Access can use endpoint data from [Tanium™](https://www.tanium.com/) to determine if a request should be allowed to reach a protected resource. When users attempt to connect to a resource protected by Access with a Tanium rule, Cloudflare Access will validate the user's identity, and the browser will connect to the Tanium agent before making a decision to grant access. :::caution[Gateway policy limitation] -The legacy Tanium integration cannot be used in [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/#device-posture). Only [Access policies](/cloudflare-one/access-controls/policies/) are supported. +The legacy Tanium integration cannot be used in [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/#device-posture). Only [Access policies](/cloudflare-one/access-controls/policies/) are supported. ::: ## Prerequisites diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx index 3ca58c9d91a..d0efc0cc080 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx @@ -33,7 +33,7 @@ Before integrating a device posture check in a Gateway or Access policy, verify ## 3. Build a device posture policy -You can now use your device posture check in an [Access policy](/cloudflare-one/access-controls/policies/) or a Gateway [network](/cloudflare-one/traffic-policies/network-policies/common-policies/#enforce-device-posture) or [HTTP](/cloudflare-one/traffic-policies/http-policies/common-policies/#check-device-posture) policy. In Access, the enabled device posture attributes will appear in the list of available [selectors](/cloudflare-one/access-controls/policies/#selectors). In Gateway, the attributes will appear when you choose the [Passed Device Posture Check](/cloudflare-one/traffic-policies/network-policies/#device-posture) selector. +You can now use your device posture check in an [Access policy](/cloudflare-one/access-controls/policies/) or a Gateway [network](/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies/#enforce-device-posture) or [HTTP](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#check-device-posture) policy. In Access, the enabled device posture attributes will appear in the list of available [selectors](/cloudflare-one/access-controls/policies/#selectors). In Gateway, the attributes will appear when you choose the [Passed Device Posture Check](/cloudflare-one/traffic-policies/policy-types/network-policies/#device-posture) selector. :::caution[Gateway policy limitation] diff --git a/src/content/docs/cloudflare-one/reusable-components/use-rules-list.mdx b/src/content/docs/cloudflare-one/reusable-components/use-rules-list.mdx index 25dcd93ae40..aa4b56761ca 100644 --- a/src/content/docs/cloudflare-one/reusable-components/use-rules-list.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/use-rules-list.mdx @@ -95,8 +95,8 @@ The threat intelligence feed categories are described in [Managed IP Lists](/waf ### IP lists -Use [IP lists](/waf/tools/lists/custom-lists/#ip-lists) to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier. IP lists are helpful for users with very expansive firewall rules with many IP lists. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](/cloudflare-one/traffic-policies/packet-filtering/add-policies/#use-an-ip-list) to check an example of how to use an IP list. +Use [IP lists](/waf/tools/lists/custom-lists/#ip-lists) to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier. IP lists are helpful for users with very expansive firewall rules with many IP lists. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/#use-an-ip-list) to check an example of how to use an IP list. ### Geo-blocking -Geo-blocking enables you to selectively allow or block traffic to any country. Refer to [Block a country](/cloudflare-one/traffic-policies/packet-filtering/add-policies/#block-a-country) to check an example of how to block a country. +Geo-blocking enables you to selectively allow or block traffic to any country. Refer to [Block a country](/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/#block-a-country) to check an example of how to block a country. diff --git a/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-device.mdx b/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-device.mdx index 8138bf578da..32de3dc1079 100644 --- a/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-device.mdx +++ b/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-device.mdx @@ -70,7 +70,7 @@ To test connectivity, `ping` the Mesh IP of one device from the other. After verifying your connection, consider securing your connected devices with policies and access controls: -- **Set up Gateway policies**: By default, all enrolled devices can reach each other over the Mesh IP space. Gateway policies let you scan, filter, and log traffic between your devices. For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/), [Network policies](/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). +- **Set up Gateway policies**: By default, all enrolled devices can reach each other over the Mesh IP space. Gateway policies let you scan, filter, and log traffic between your devices. For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/), [Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/), and [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). - **Create an Access application**: Restrict access to specific destinations on enrolled devices with identity-based rules. For more information, refer to [Secure a private IP or hostname](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](/learning-paths/replace-vpn/concepts/). diff --git a/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-network.mdx b/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-network.mdx index fd94785b410..2decd9e9d7e 100644 --- a/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-network.mdx +++ b/src/content/docs/cloudflare-one/setup/replace-vpn/device-to-network.mdx @@ -102,7 +102,7 @@ To verify connectivity, try reaching a resource on your private network (for exa After verifying your connection, consider securing your private network with policies and access controls: -- **Set up Gateway policies**: By default, all enrolled devices can reach your entire private network. Gateway policies let you scan, filter, and log traffic between your devices and your private network. For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/), [Network policies](/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). +- **Set up Gateway policies**: By default, all enrolled devices can reach your entire private network. Gateway policies let you scan, filter, and log traffic between your devices and your private network. For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/), [Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/), and [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). - **Create an Access application**: Restrict access to specific applications or hostnames on your private network with identity-based rules. For more information, refer to [Secure a private IP or hostname](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). - **Explore more with Zero Trust**: Review your tunnel, policies, and connected devices in the [Cloudflare One dashboard](https://one.dash.cloudflare.com). diff --git a/src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx b/src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx index 60cd6708aa1..070a591d8b9 100644 --- a/src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx +++ b/src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx @@ -76,7 +76,7 @@ Devices on both networks can now communicate through Cloudflare. To verify conne After verifying your connection, consider securing your connected networks with policies and access controls: -- **Set up Gateway policies**: By default, all traffic between your network segments flows through Cloudflare without restriction. Gateway policies let you scan, filter, and log traffic between your networks. For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/), [Network policies](/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). +- **Set up Gateway policies**: By default, all traffic between your network segments flows through Cloudflare without restriction. Gateway policies let you scan, filter, and log traffic between your networks. For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/), [Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/), and [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). - **Create an Access application**: Restrict access to specific services or hosts on your connected networks with identity-based rules. For more information, refer to [Secure a private IP or hostname](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). - **Enable high availability**: Deploy multiple replicas of each mesh node for automatic failover. For more information, refer to [High availability](/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/). diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles.mdx index 9596b5d1f46..97e5ec779bf 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles.mdx @@ -21,7 +21,7 @@ import { Render, TabItem, Tabs, APIRequest } from "~/components"; 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Devices** > **Device profiles** > **General profiles**. 2. Select **Create new profile**. This will make a copy of the **Default** profile. 3. Enter any name for the profile. -4. Create rules to define the devices that will use this profile. Learn more about the available [Selectors](#selectors), [Operators](/cloudflare-one/traffic-policies/network-policies/#comparison-operators), and [Values](/cloudflare-one/traffic-policies/network-policies/#value). +4. Create rules to define the devices that will use this profile. Learn more about the available [Selectors](#selectors), [Operators](/cloudflare-one/traffic-policies/policy-types/network-policies/#comparison-operators), and [Values](/cloudflare-one/traffic-policies/policy-types/network-policies/#value). 5. Configure [device client settings](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-settings) for these devices. :::note diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/index.mdx index 66459472ea3..d6deef7ac08 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/index.mdx @@ -14,7 +14,7 @@ import { GlossaryTooltip } from "~/components"; When the Cloudflare One Client (formerly WARP) is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from the Cloudflare One Client. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's [public DNS resolver](/1.1.1.1/). -Cloudflare recommends Enterprise users configure [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) to resolve traffic with custom resolvers. The Cloudflare One Client will send private DNS queries to Gateway, then Gateway will send the queries to custom resolvers based on matching policies. +Cloudflare recommends Enterprise users configure [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to resolve traffic with custom resolvers. The Cloudflare One Client will send private DNS queries to Gateway, then Gateway will send the queries to custom resolvers based on matching policies. Additionally, there are three options you can configure to exclude traffic from the Cloudflare One Client: @@ -85,7 +85,7 @@ flowchart TD - [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) - [Split Tunnels](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) -- [Gateway Resolver Policies](/cloudflare-one/traffic-policies/resolver-policies/) +- [Gateway Resolver Policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) #### Resolvers (where queries are resolved) diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains.mdx index 1bf10f9eae0..35aa3463bd5 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains.mdx @@ -20,7 +20,7 @@ You can add additional domains to the Local Domain Fallback list and specify a D Local Domain Fallback only applies to devices running the Cloudflare One Client. -Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first. +Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels.mdx index 7c19d930c7c..f638fffbfda 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels.mdx @@ -55,7 +55,7 @@ If you are using Split Tunnels in Include mode, you must include the following d #### Block page -If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) with the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to: +If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) with the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to: - `162.159.36.12` - `162.159.46.12` diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx index 36523b9df3e..c3b4e30d689 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx @@ -152,7 +152,7 @@ The IP assigned to a device is permanent until the device unregisters from your Allows traffic on-ramped using [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/) or [Cloudflare WAN](/cloudflare-one/networks/connectors/cloudflare-wan/) to route to devices enrolled in your Zero Trust organization. -Each device is assigned a virtual IP address in the CGNAT IP space (`100.96.0.0/12`) or a [custom device IP range](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/). With this setting `Enabled`, users on your private network will be able to connect to these device IPs and access [TCP, UDP, and/or ICMP-based services](/cloudflare-one/traffic-policies/proxy/) on your devices. You can create [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to control which users and devices can access the device IPs. +Each device is assigned a virtual IP address in the CGNAT IP space (`100.96.0.0/12`) or a [custom device IP range](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/). With this setting `Enabled`, users on your private network will be able to connect to these device IPs and access [TCP, UDP, and/or ICMP-based services](/cloudflare-one/traffic-policies/proxy/) on your devices. You can create [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to control which users and devices can access the device IPs. :::note Ensure that traffic destined to your device IPs routes from your private network to Cloudflare Gateway. For example, if you are using [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/) connectivity, you must configure your [Split Tunnel settings](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that traffic to your Mesh IPs routes through the tunnel. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters.mdx index 6c16c019b5d..3eded8d6b44 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters.mdx @@ -23,7 +23,7 @@ Most of the parameters listed below are also configurable in Cloudflare One unde ## Required for full Cloudflare Zero Trust features -For the majority of Cloudflare Zero Trust features to work, you need to specify a team name. Examples of Cloudflare Zero Trust features which depend on the team name are [HTTP policies](/cloudflare-one/traffic-policies/http-policies/), [Browser Isolation](/cloudflare-one/remote-browser-isolation/), and [device posture](/cloudflare-one/reusable-components/posture-checks/). +For the majority of Cloudflare Zero Trust features to work, you need to specify a team name. Examples of Cloudflare Zero Trust features which depend on the team name are [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/), [Browser Isolation](/cloudflare-one/remote-browser-isolation/), and [device posture](/cloudflare-one/reusable-components/posture-checks/). ### `organization` diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune.mdx index acf3a70e8b7..6c2a7aad9e9 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune.mdx @@ -350,7 +350,7 @@ The following steps outline how to deploy the Cloudflare One Agent (Cloudflare O - A [Microsoft Intune account](https://intune.microsoft.com) - A Cloudflare account that has a [Zero Trust organization](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) - iOS/iPadOS devices enrolled in Intune -- [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) enabled in Cloudflare Gateway (if you plan to inspect HTTPS traffic) +- [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) enabled in Cloudflare Gateway (if you plan to inspect HTTPS traffic) ### 1. Upload user-side certificate diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji.mdx index 9383ae84cee..44add3e9eb5 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji.mdx @@ -238,4 +238,4 @@ exit 0 ## TLS decryption -The Kandji macOS agent uses certificate pinning, which is incompatible with [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). If Gateway TLS decryption is [turned on](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), you must create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/common-policies/#skip-inspection-for-groups-of-applications) to exempt Kandji from SSL/TLS inspection. For more information, refer to the [Kandji documentation](https://support.kandji.io/kb/using-kandji-on-enterprise-networks#SSL/TLS-Inspection). +The Kandji macOS agent uses certificate pinning, which is incompatible with [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). If Gateway TLS decryption is [turned on](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption), you must create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#skip-inspection-for-groups-of-applications) to exempt Kandji from SSL/TLS inspection. For more information, refer to the [Kandji documentation](https://support.kandji.io/kb/using-kandji-on-enterprise-networks#SSL/TLS-Inspection). diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-prelogin.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-prelogin.mdx index 46adf6fd6ee..e6f6f103c58 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-prelogin.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-prelogin.mdx @@ -50,7 +50,7 @@ In your [device enrollment permissions](/cloudflare-one/team-and-resources/devic ## 2. (Optional) Restrict access during pre-login -Devices enrolled via a service token are identified by the email address `non_identity@.cloudflareaccess.com`. Using this email address, you can apply specific [device profile settings](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) and [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) during the pre-login state. For example, you could provide access to only those resources necessary to complete the Windows login and/or device management activities. +Devices enrolled via a service token are identified by the email address `non_identity@.cloudflareaccess.com`. Using this email address, you can apply specific [device profile settings](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) and [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) during the pre-login state. For example, you could provide access to only those resources necessary to complete the Windows login and/or device management activities.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/cloudflare-one-agent-migration.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/cloudflare-one-agent-migration.mdx index a728d7c5cbd..c9ace8a8db2 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/cloudflare-one-agent-migration.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/cloudflare-one-agent-migration.mdx @@ -34,7 +34,7 @@ If you downloaded and installed the 1.1.1.1 app manually, here are the recommend 1. Update the **1.1.1.1** app to version 6.29 or above. The update ensures that 1.1.1.1 can [co-exist](#what-to-do-with-the-old-app) with the new Cloudflare One Agent app. -2. If you have enabled [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), ensure that you have a [Do Not Inspect policy](/cloudflare-one/traffic-policies/get-started/http/) in place for the following applications: +2. If you have enabled [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), ensure that you have a [Do Not Inspect policy](/cloudflare-one/traffic-policies/get-started/http/) in place for the following applications: - _Google Services (Do Not Inspect)_ - _Google Play Store (Do Not Inspect)_ - _Google (Do Not Inspect)_ diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/index.mdx index 8a9cf386571..184b4d7b091 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/index.mdx @@ -27,7 +27,7 @@ The Cloudflare One Client (formerly WARP) securely and privately sends traffic f The Cloudflare One Client creates encrypted connections between your device and Cloudflare's network. It does this in two ways: - **Proxy tunnel** — Encrypts and routes your device's internet and private network traffic through Cloudflare, using the [WireGuard](https://www.wireguard.com/) or [MASQUE](https://blog.cloudflare.com/zero-trust-warp-with-a-masque) protocol. -- **DNS proxy** — Sends your device's DNS queries to Cloudflare over an encrypted channel ([DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/)), where [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/) can filter them. +- **DNS proxy** — Sends your device's DNS queries to Cloudflare over an encrypted channel ([DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/)), where [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) can filter them. The client runs on all major operating systems and can be deployed through common endpoint management tools (such as Intune, JAMF, or JumpCloud). @@ -65,10 +65,10 @@ Deploying the Cloudflare One Client significantly enhances your organization's s - **Advanced web filtering and threat protection**: Activate Gateway features for your device traffic, including: - - [Anti-Virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) - - [HTTP filtering](/cloudflare-one/traffic-policies/http-policies/) - - [Browser Isolation](/cloudflare-one/traffic-policies/http-policies/#isolate) - - [Identity-based policies](/cloudflare-one/traffic-policies/network-policies/) + - [Anti-Virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/) + - [HTTP filtering](/cloudflare-one/traffic-policies/policy-types/http-policies/) + - [Browser Isolation](/cloudflare-one/traffic-policies/policy-types/http-policies/#isolate) + - [Identity-based policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) - **Application and device-specific insights**: View which SaaS applications your users are accessing and review their approval status on the [Shadow IT Discovery](/cloudflare-one/insights/analytics/shadow-it-discovery/) page. Monitor device and network performance with [Digital Experience Monitoring (DEX)](/cloudflare-one/insights/dex/) to detect connectivity or performance issues before users report them. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up.mdx index d3541e826f9..414de00cadb 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up.mdx @@ -80,4 +80,4 @@ By default, the Cloudflare One Client sends DNS queries to Cloudflare using an e Choose one of the [different ways](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) to deploy the Cloudflare One Client, depending on what works best for your organization. -Next, create [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) to control how DNS queries from your devices get resolved. +Next, create [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) to control how DNS queries from your devices get resolved. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx index 25733a14edc..f51276aea47 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx @@ -33,7 +33,7 @@ import { Details, Render } from "~/components"; The [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) can automatically install a Cloudflare certificate or [custom root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/). -The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), and more. +The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), and more. ## Install a certificate using the Cloudflare One Client diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx index ce17d101433..214c658d65f 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx @@ -28,7 +28,7 @@ You can upload up to five custom root certificates. If your organization require :::caution Custom certificates are limited to use between your users and the Gateway proxy. Gateway connects to origin servers using publicly trusted certificates, similar to how a browser validates secure websites. -If your users need to connect to self-signed origin servers, create an HTTP Allow policy for the origin server with the [untrusted certificate action](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) set to _Pass through_. +If your users need to connect to self-signed origin servers, create an HTTP Allow policy for the origin server with the [untrusted certificate action](/cloudflare-one/traffic-policies/policy-types/http-policies/#untrusted-certificates) set to _Pass through_. ::: ## Generate a custom root CA diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx index 55005c37db7..6d6bd70f545 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx @@ -12,7 +12,7 @@ tags: import { Tabs, TabItem, APIRequest } from "~/components"; -Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/remote-browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. +Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/remote-browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. Zero Trust [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/). diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx index 08917bf7ed0..65edd9b0385 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx @@ -326,7 +326,7 @@ If you do not update the application to trust the Cloudflare certificate, the ap All of the applications below first require downloading a Cloudflare certificate with [the instructions above](#download-the-cloudflare-root-certificate). On macOS, the default path to the system keychain database file is `/Library/Keychains/System.keychain`. On Windows, the default path is `\Cert:\CurrentUser\Root`. :::note -Some applications require the use of a publicly trusted certificate — they do not trust the system certificate, nor do they have a configurable private store. For these applications to function, you must add a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for the domains or IPs that the application relies on. +Some applications require the use of a publicly trusted certificate — they do not trust the system certificate, nor do they have a configurable private store. For these applications to function, you must add a [Do Not Inspect policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) for the domains or IPs that the application relies on. ::: :::caution diff --git a/src/content/docs/cloudflare-one/team-and-resources/users/risk-score.mdx b/src/content/docs/cloudflare-one/team-and-resources/users/risk-score.mdx index 5ec0ab6973d..03b5a17f1ae 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/users/risk-score.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/users/risk-score.mdx @@ -68,9 +68,9 @@ By default, all predefined behaviors are disabled. When a behavior is enabled, C | SentinelOne threat detected on machine | [SentinelOne service provider integration](/cloudflare-one/integrations/service-providers/sentinelone/) | SentinelOne returns one or more configured [device posture attributes](/cloudflare-one/integrations/service-providers/sentinelone/#device-posture-attributes) for a user. | Ingested via service-to-service API. Frequency is administrator-configurable during device posture setup to align with SentinelOne's API rate limits. | | CrowdStrike Low ZTA security score| [CrowdStrike integration](/cloudflare-one/integrations/service-providers/crowdstrike/)| A user's device reports a score between 0-50 for any CrowdStrike Zero Trust Assessment attribute (OS Score, Overall Score, or Sensor Config score). Refer to [CrowdStrike device posture attributes](/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes) for more information.| Ingested via service-to-service API. Frequency is administrator-configurable during device posture setup to align with CrowdStrike's API rate limits. | | CrowdStrike Medium ZTA security score| [CrowdStrike integration](/cloudflare-one/integrations/service-providers/crowdstrike/)| A user's device reports a score between 50-79 for any CrowdStrike Zero Trust Assessment attribute (OS Score, Overall Score, or Sensor Config score). Refer to [CrowdStrike device posture attributes](/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes) for more information. | Ingested via service-to-service API. Frequency is administrator-configurable during device posture setup to align with CrowdStrike's API rate limits. | -| Interaction with Malicious File | [Gateway AV scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) or [File sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) | User uploads or downloads a file flagged as malicious by Gateway's AV scanner or file sandboxing. Risk is elevated even if the file is blocked. | Evaluated per-request in milliseconds. | -| Suspicious Security Domain Visited | [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/) | User visits a domain categorized as a security risk or security threat. Refer to [domain categories](/cloudflare-one/traffic-policies/domain-categories/) for the full list. Risk is elevated even if the traffic is blocked. | Evaluated per-request in milliseconds. | -| High Risk Domain Visited | [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/) | User visits a domain categorized as questionable content, violence, or CIPA. Refer to [domain categories](/cloudflare-one/traffic-policies/domain-categories/) for the full list. Risk is elevated even if the traffic is blocked. | Evaluated per-request in milliseconds. | +| Interaction with Malicious File | [Gateway AV scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/) or [File sandboxing](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/) | User uploads or downloads a file flagged as malicious by Gateway's AV scanner or file sandboxing. Risk is elevated even if the file is blocked. | Evaluated per-request in milliseconds. | +| Suspicious Security Domain Visited | [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) | User visits a domain categorized as a security risk or security threat. Refer to [domain categories](/cloudflare-one/traffic-policies/domain-categories/) for the full list. Risk is elevated even if the traffic is blocked. | Evaluated per-request in milliseconds. | +| High Risk Domain Visited | [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) | User visits a domain categorized as questionable content, violence, or CIPA. Refer to [domain categories](/cloudflare-one/traffic-policies/domain-categories/) for the full list. Risk is elevated even if the traffic is blocked. | Evaluated per-request in milliseconds. | ## Manage risk behaviors To toggle risk behaviors, go to **Risk score** > **Risk behaviors**. diff --git a/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx b/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx index 42732a48401..2c2b130e305 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx @@ -85,11 +85,11 @@ To prevent this, Gateway only uses support hostnames in Allow policies — it wi ## Application controls -When you use the [_Application_ selector](/cloudflare-one/traffic-policies/http-policies/#granular-controls) in an HTTP policy with the _is_ operator, you can choose specific actions and operations to match application traffic. Supported applications and operations include: +When you use the [_Application_ selector](/cloudflare-one/traffic-policies/policy-types/http-policies/#granular-controls) in an HTTP policy with the _is_ operator, you can choose specific actions and operations to match application traffic. Supported applications and operations include: -For more information, refer to [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/granular-controls/). +For more information, refer to [Application Granular Controls](/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls/). ## Usage @@ -101,7 +101,7 @@ To ensure Gateway evaluates traffic with your desired precedence, order your mos ### Do Not Inspect applications -Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected. +Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected. When managing applications with the [Application Library](/cloudflare-one/team-and-resources/app-library/), Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. @@ -111,7 +111,7 @@ Instead of creating a Do Not Inspect policy for an application, you may be able #### TLS decryption limitations -Applications can be incompatible with [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) for various reasons: +Applications can be incompatible with [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) for various reasons: - -For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). +For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). ## 4. Add optional policies -Once your first policy is active, refer to [common DNS policies](/cloudflare-one/traffic-policies/dns-policies/common-policies) for other policies you may want to add. Common additions include blocking specific content categories (such as social media or streaming), enabling SafeSearch on search engines, and restricting DNS queries so devices can only use resolvers that you have approved. +Once your first policy is active, refer to [common DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/common-policies) for other policies you may want to add. Common additions include blocking specific content categories (such as social media or streaming), enabling SafeSearch on search engines, and restricting DNS queries so devices can only use resolvers that you have approved. diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx index dcf142c3edb..e5253655804 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx @@ -34,8 +34,8 @@ To filter HTTP requests from a device: 2. [Install the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device. 3. In the Cloudflare One Client Settings, log in to your organization's Cloudflare One instance. 4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, enable the UDP proxy to also inspect QUIC traffic on port 443 — this covers HTTP/3, a newer protocol some browsers use by default. -5. To inspect HTTPS traffic, [enable TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption). TLS decryption allows Gateway to read encrypted requests. Without it, Gateway can see that a user visited `example.com` but not which specific page or what they uploaded. -6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/). +5. To inspect HTTPS traffic, [enable TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption). TLS decryption allows Gateway to read encrypted requests. Without it, Gateway can see that a user visited `example.com` but not which specific page or what they uploaded. +6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/). ## 2. Verify device connectivity @@ -60,4 +60,4 @@ An HTTP policy defines which requests to match (for example, uploads to file-sha ## 4. Add optional policies -Refer to our list of [common HTTP policies](/cloudflare-one/traffic-policies/http-policies/common-policies) for other policies you may want to create. Common additions include blocking file downloads by type, isolating risky websites in a [remote browser](/cloudflare-one/remote-browser-isolation/), and adding Do Not Inspect rules for applications that break under TLS decryption (for example, apps that use certificate pinning to enforce their own certificates). Do Not Inspect rules tell Gateway to skip decryption for specific destinations so those applications continue to work. +Refer to our list of [common HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies) for other policies you may want to create. Common additions include blocking file downloads by type, isolating risky websites in a [remote browser](/cloudflare-one/remote-browser-isolation/), and adding Do Not Inspect rules for applications that break under TLS decryption (for example, apps that use certificate pinning to enforce their own certificates). Do Not Inspect rules tell Gateway to skip decryption for specific destinations so those applications continue to work. diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx index 71a35500b6c..7d5052a5ef5 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx @@ -44,7 +44,7 @@ After DNS filtering is in place, add network-level controls for non-HTTP traffic - Deploy the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) and enable the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for TCP. - Block traffic to high-risk IP ranges or restrict which ports and protocols users can access. -- Use [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) to identify applications by traffic pattern rather than port number. +- Use [protocol detection](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/) to identify applications by traffic pattern rather than port number. - Enable network session logging for audit trails. For setup instructions, refer to [Set up network filtering](/cloudflare-one/traffic-policies/get-started/network/). @@ -54,9 +54,9 @@ For setup instructions, refer to [Set up network filtering](/cloudflare-one/traf HTTP inspection provides the deepest visibility and the most granular controls, but it requires additional setup. - Install the [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on user devices. -- Enable [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) to inspect HTTPS traffic. -- Create [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies for applications that use certificate pinning. -- Block risky file types, enable [anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), and configure [DLP profiles](/cloudflare-one/data-loss-prevention/) to detect sensitive data. +- Enable [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) to inspect HTTPS traffic. +- Create [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policies for applications that use certificate pinning. +- Block risky file types, enable [anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/), and configure [DLP profiles](/cloudflare-one/data-loss-prevention/) to detect sensitive data. - Use [Browser Isolation](/cloudflare-one/remote-browser-isolation/) to render high-risk sites in a remote browser. For setup instructions, refer to [Set up HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/). @@ -66,8 +66,8 @@ For setup instructions, refer to [Set up HTTP filtering](/cloudflare-one/traffic With all policy layers active, extend Gateway to cover your full network and integrate with other Cloudflare One services. - Connect branch offices and data centers with [network tunnels](/cloudflare-one/networks/) (IPsec/GRE via Magic WAN). -- Configure [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/) so third-party services can identify your organization's traffic. -- Set up [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) to route internal DNS queries to your private DNS servers. +- Configure [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/) so third-party services can identify your organization's traffic. +- Set up [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to route internal DNS queries to your private DNS servers. - Monitor SaaS application usage with [CASB](/cloudflare-one/cloud-and-saas-findings/). :::note diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx index 3f41ab1980f..7503d3b8ff5 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx @@ -80,4 +80,4 @@ A network policy has two parts: a matcher that selects which traffic to act on ( ## 4. Add optional policies -Refer to our list of [common network policies](/cloudflare-one/traffic-policies/network-policies/common-policies) for policies you may want to create. Common additions include blocking traffic to specific IP ranges, restricting access to non-standard ports (ports other than well-known ones like 80 for HTTP and 443 for HTTPS), and using protocol detection to identify applications like BitTorrent based on their traffic patterns rather than port numbers alone. +Refer to our list of [common network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies) for policies you may want to create. Common additions include blocking traffic to specific IP ranges, restricting access to non-standard ports (ports other than well-known ones like 80 for HTTP and 443 for HTTPS), and using protocol detection to identify applications like BitTorrent based on their traffic patterns rather than port numbers alone. diff --git a/src/content/docs/cloudflare-one/traffic-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/index.mdx index b97f7bc6fc1..cfb19c68226 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/index.mdx @@ -53,7 +53,7 @@ Gateway supports several policy types because network traffic can be inspected a
-**[Packet filtering](/cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview/)** inspects raw network packets and blocks traffic based on properties like source IP address or protocol. It does not need to know who the user is or what session they belong to. +**[Packet filtering](/cloudflare-one/traffic-policies/policy-types/packet-filtering/network-firewall-overview/)** inspects raw network packets and blocks traffic based on properties like source IP address or protocol. It does not need to know who the user is or what session they belong to. Use packet filtering to drop unwanted traffic before it reaches any other policy. @@ -61,7 +61,7 @@ Use packet filtering to drop unwanted traffic before it reaches any other policy
-**[DNS policies](/cloudflare-one/traffic-policies/dns-policies/)** check every DNS query your users make. When a query matches a policy rule, Gateway can block the domain from resolving — the site never loads because the domain name is never translated to an IP address. +**[DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/)** check every DNS query your users make. When a query matches a policy rule, Gateway can block the domain from resolving — the site never loads because the domain name is never translated to an IP address. DNS policies act at the earliest stage of a connection, before any content is fetched. This makes them the fastest policy type to deploy and the broadest in scope. For more information on [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/), refer to the Cloudflare Learning Center. @@ -71,7 +71,7 @@ Use DNS policies to block malicious domains, restrict content categories, or pre
-**[Network policies](/cloudflare-one/traffic-policies/network-policies/)** inspect individual TCP, UDP, and Generic Routing Encapsulation (GRE) packets. They can match on IP addresses, ports, protocols, and the server name sent at the start of an encrypted connection (Server Name Indication, or SNI). +**[Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/)** inspect individual TCP, UDP, and Generic Routing Encapsulation (GRE) packets. They can match on IP addresses, ports, protocols, and the server name sent at the start of an encrypted connection (Server Name Indication, or SNI). Use network policies to block access to specific ports or non-HTTP services such as SSH and RDP. @@ -79,15 +79,15 @@ Use network policies to block access to specific ports or non-HTTP services such
-**[HTTP policies](/cloudflare-one/traffic-policies/http-policies/)** inspect the full content of web requests — including URLs, headers, and uploaded or downloaded files. Gateway decrypts HTTPS traffic so it can examine what DNS and network policies cannot see. This requires installing a [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on user devices. +**[HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/)** inspect the full content of web requests — including URLs, headers, and uploaded or downloaded files. Gateway decrypts HTTPS traffic so it can examine what DNS and network policies cannot see. This requires installing a [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on user devices. -Use HTTP policies to block specific URLs, scan file uploads for sensitive data, block malware in downloads, [quarantine suspicious files](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) for sandbox analysis, and control which accounts users can sign in to. For example, allow your company Google Workspace account but block personal Gmail. +Use HTTP policies to block specific URLs, scan file uploads for sensitive data, block malware in downloads, [quarantine suspicious files](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/) for sandbox analysis, and control which accounts users can sign in to. For example, allow your company Google Workspace account but block personal Gmail.
-**[Egress policies](/cloudflare-one/traffic-policies/egress-policies/)** control how traffic leaves your network by assigning fixed IP addresses that belong to your organization. Third-party services can recognize these IPs as yours. +**[Egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/)** control how traffic leaves your network by assigning fixed IP addresses that belong to your organization. Third-party services can recognize these IPs as yours. Use egress policies to connect to partners or services that only allow traffic from a known list of IP addresses. @@ -95,7 +95,7 @@ Use egress policies to connect to partners or services that only allow traffic f
-**[Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/)** send DNS queries to specific DNS servers instead of the default Cloudflare resolver. +**[Resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/)** send DNS queries to specific DNS servers instead of the default Cloudflare resolver. Use resolver policies to resolve private hostnames on your internal network, route queries to your own DNS servers for compliance, or reach internal resources while connected through Cloudflare One. diff --git a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/common-policies.mdx similarity index 96% rename from src/content/docs/cloudflare-one/traffic-policies/dns-policies/common-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/common-policies.mdx index fd4d51e8211..3a05ca15f9c 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/common-policies.mdx @@ -22,7 +22,7 @@ The following Cloudflare Gateway DNS policies are commonly used to secure DNS tr For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies/). -Refer to the [DNS policies page](/cloudflare-one/traffic-policies/dns-policies/) for a comprehensive list of other selectors, operators, and actions. +Refer to the [DNS policies page](/cloudflare-one/traffic-policies/policy-types/dns-policies/) for a comprehensive list of other selectors, operators, and actions. ## Allow corporate domains @@ -85,7 +85,7 @@ You can add a list of category IDs to the [EDNS (Extension Mechanisms for DNS)]( } ``` -With the [Request Context Categories](/cloudflare-one/traffic-policies/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, the request will return an Extended DNS Error (EDE) Code 15 (`Blocked`), along with a field containing an array of the matched categories. +With the [Request Context Categories](/cloudflare-one/traffic-policies/policy-types/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, the request will return an Extended DNS Error (EDE) Code 15 (`Blocked`), along with a field containing an array of the matched categories. @@ -463,7 +463,7 @@ The following example includes two policies. The first policy allows the specifi ## Control IP version -Enterprise users can pair these policies with an [egress policy](/cloudflare-one/traffic-policies/egress-policies/) to control which IP version is used when Gateway connects to the destination server. +Enterprise users can pair these policies with an [egress policy](/cloudflare-one/traffic-policies/policy-types/egress-policies/) to control which IP version is used when Gateway connects to the destination server. Optionally, you can use the Domain selector to control the IP version for specific sites. diff --git a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/index.mdx similarity index 98% rename from src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/index.mdx index b889dd53a47..9dd84709b99 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/index.mdx @@ -14,7 +14,7 @@ import { Details, InlineBadge, Render } from "~/components"; DNS policies let you control which websites and services your users can reach by inspecting their DNS queries — the lookups that translate domain names into IP addresses. Because DNS policies act at the lookup stage, they work across all protocols and applications, not just web browsers. -When a user makes a DNS request, [Gateway](/cloudflare-one/traffic-policies/) matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Allow or Override policy, the user's client receives an address based on DNS resolution from Cloudflare's public DNS resolver (1.1.1.1). You can also use a [resolver policy](/cloudflare-one/traffic-policies/resolver-policies/) to redirect DNS requests to a custom server. +When a user makes a DNS request, [Gateway](/cloudflare-one/traffic-policies/) matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Allow or Override policy, the user's client receives an address based on DNS resolution from Cloudflare's public DNS resolver (1.1.1.1). You can also use a [resolver policy](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to redirect DNS requests to a custom server. A DNS policy consists of an **Action** as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a **Selector** and an **Operator**, and enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. @@ -519,7 +519,7 @@ To apply DNS policies to queries forwarded through [Cloudflare WAN](/cloudflare- ### Fallback DNS -Some applications (for example, WhatsApp and Android Studio) have backup DNS servers built into their code. If their primary DNS query is blocked by Gateway, these apps automatically retry the query against their built-in DNS servers (for example, Google's `8.8.8.8`), which bypasses your policies entirely. To mitigate this behavior, you create a [Gateway Network policy](/cloudflare-one/traffic-policies/network-policies/) to block outbound DNS traffic on TCP/UDP port `53` to the fallback DNS servers. For example, to block Google's fallback DNS servers: +Some applications (for example, WhatsApp and Android Studio) have backup DNS servers built into their code. If their primary DNS query is blocked by Gateway, these apps automatically retry the query against their built-in DNS servers (for example, Google's `8.8.8.8`), which bypasses your policies entirely. To mitigate this behavior, you create a [Gateway Network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/) to block outbound DNS traffic on TCP/UDP port `53` to the fallback DNS servers. For example, to block Google's fallback DNS servers: | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | -------------------- | ----- | ------ | diff --git a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/test-dns-filtering.mdx similarity index 96% rename from src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/test-dns-filtering.mdx index b765bb0c6ef..4b78b4cf097 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/test-dns-filtering.mdx @@ -85,7 +85,7 @@ For example, if you created a policy to block `example.com`, you can do the foll ### Test a security or content category -If you are blocking a [security category](/cloudflare-one/traffic-policies/dns-policies/#security-categories) or a [content category](/cloudflare-one/traffic-policies/dns-policies/#content-categories), you can test that the policy is working by using the [test domain](#common-test-domains) associated with each category. +If you are blocking a [security category](/cloudflare-one/traffic-policies/policy-types/dns-policies/#security-categories) or a [content category](/cloudflare-one/traffic-policies/policy-types/dns-policies/#content-categories), you can test that the policy is working by using the [test domain](#common-test-domains) associated with each category. Once you have configured your Gateway policy to block the category, the test domain will show a block page when you attempt to visit the domain in your browser, or will return `REFUSED` when you perform `dig` using the command-line interface. diff --git a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/timed-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/timed-policies.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/dns-policies/timed-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/dns-policies/timed-policies.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips.mdx similarity index 92% rename from src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips.mdx index de3e24b8e58..bda3c9e462f 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips.mdx @@ -33,7 +33,7 @@ To start routing traffic through dedicated egress IPs: 4. Select **TCP**. 5. (Optional) Select **UDP**. This will allow HTTP/3 traffic to egress with your dedicated IPs. -Dedicated egress IPs are now turned on for all network and HTTP traffic proxied by Gateway. To selectively turn on dedicated egress IPs for a subset of your traffic, refer to [egress policies](/cloudflare-one/traffic-policies/egress-policies/). +Dedicated egress IPs are now turned on for all network and HTTP traffic proxied by Gateway. To selectively turn on dedicated egress IPs for a subset of your traffic, refer to [egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/). ## Verify egress IPs @@ -52,7 +52,7 @@ When testing against another origin, you may see either an IPv4 or IPv6 address. If your organization already owns IPv4 or IPv6 addresses from a regional Internet registry, you can use them as dedicated egress IPs instead of Cloudflare-provided addresses. To obtain an IPv6 range, refer to [American Registry for Internet Numbers (ARIN)](https://www.arin.net/resources/guide/ipv6/first_request/) or [Regional Internet Registry for Europe, Middle East and Central Asia (RIPE NCC)](https://www.ripe.net/manage-ips-and-asns/ipv6/request-ipv6/). -After you onboard your IP addresses, they appear as options when you create an [egress policy](/cloudflare-one/traffic-policies/egress-policies/) and choose **Use dedicated egress IPs (Cloudflare or BYOIP)** as the [egress method](/cloudflare-one/traffic-policies/egress-policies/#egress-methods). BYOIP dedicated egress IPs do not support [IP geolocation](#ip-geolocation). +After you onboard your IP addresses, they appear as options when you create an [egress policy](/cloudflare-one/traffic-policies/policy-types/egress-policies/) and choose **Use dedicated egress IPs (Cloudflare or BYOIP)** as the [egress method](/cloudflare-one/traffic-policies/policy-types/egress-policies/#egress-methods). BYOIP dedicated egress IPs do not support [IP geolocation](#ip-geolocation). For more information, refer to [Cloudflare BYOIP](/byoip/) or contact your account team. @@ -101,7 +101,7 @@ IP geolocation will take at least six weeks to update across databases. Websites and services use third-party IP geolocation databases to determine where a visitor is located. When you turn on dedicated egress IPs, Gateway updates these databases so they associate your new IPs with the correct city. Until the databases finish updating, services like Google Search may show incorrect regional content — for example, directing users in India to the United States landing page. -Your egress traffic geolocates to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). Traffic that does not match an egress policy defaults to the closest dedicated egress location. Create a [catch-all egress policy](/cloudflare-one/traffic-policies/egress-policies/#catch-all-policy) before dedicated egress IPs are assigned to your account to prevent incorrect geolocation while databases update. +Your egress traffic geolocates to the city selected in your [egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/). Traffic that does not match an egress policy defaults to the closest dedicated egress location. Create a [catch-all egress policy](/cloudflare-one/traffic-policies/policy-types/egress-policies/#catch-all-policy) before dedicated egress IPs are assigned to your account to prevent incorrect geolocation while databases update. To verify that the IP geolocation has updated, check your dedicated egress IP in one of the supported databases: @@ -138,7 +138,7 @@ Where your users' traffic physically exits the Cloudflare network depends on whe #### IPv4 -IPv4 addresses are scarce, so Cloudflare must physically route IPv4 traffic to the data center where your dedicated address is provisioned. The user connects to the nearest Cloudflare data center, and Cloudflare internally routes the traffic to the dedicated egress location configured in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). As a result, the data center shown in the user's Cloudflare One Client preferences may differ from the actual egress location. +IPv4 addresses are scarce, so Cloudflare must physically route IPv4 traffic to the data center where your dedicated address is provisioned. The user connects to the nearest Cloudflare data center, and Cloudflare internally routes the traffic to the dedicated egress location configured in your [egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/). As a result, the data center shown in the user's Cloudflare One Client preferences may differ from the actual egress location. Performance is better when users visit domains proxied by Cloudflare ([orange-clouded](/dns/proxy-status/) domains). In this case, IPv4 traffic physically exits from the most performant data center while still appearing to originate from your dedicated egress location. diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/egress-cloudflared.mdx similarity index 91% rename from src/content/docs/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/egress-cloudflared.mdx index f12b7ca9e11..00ed3292fe6 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/egress-cloudflared.mdx @@ -17,7 +17,7 @@ import { Render, Details, GlossaryTooltip, DashButton } from "~/components"; -Some third-party services only accept connections from specific source IPs listed in an Access Control List (ACL). If a non-Cloudflare IP (for example, an IP from your ISP or a cloud provider like AWS) is already on their allowlist, you can route traffic through a Cloudflare Tunnel so that it exits using that same IP. This is called source IP anchoring — it allows you to keep your existing egress IPs without purchasing [Cloudflare dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). +Some third-party services only accept connections from specific source IPs listed in an Access Control List (ACL). If a non-Cloudflare IP (for example, an IP from your ISP or a cloud provider like AWS) is already on their allowlist, you can route traffic through a Cloudflare Tunnel so that it exits using that same IP. This is called source IP anchoring — it allows you to keep your existing egress IPs without purchasing [Cloudflare dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/). For example, assume your banking service at `app.bank.com` expects traffic from an AWS IP. You install `cloudflared` in your AWS environment and add a public hostname route for `app.bank.com`. When users connect to `app.bank.com` through the Cloudflare One Client, Gateway applies your network policies and routes the filtered traffic through the Cloudflare Tunnel to AWS. The traffic then exits to the public Internet using your AWS egress IP. @@ -91,7 +91,7 @@ Your private network's CIDR block should also route through the WARP tunnel. For ## 4. (Optional) Configure network policies -You can build [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to filter HTTPS traffic to your public hostname on port `443`. For example, to restrict `app.bank.com` so that only certain users or groups can access it through your AWS egress IP, create two policies: one to allow authorized users, and one to block everyone else. +You can build [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to filter HTTPS traffic to your public hostname on port `443`. For example, to restrict `app.bank.com` so that only certain users or groups can access it through your AWS egress IP, create two policies: one to allow authorized users, and one to block everyone else. 1. Allow company employees: @@ -107,7 +107,7 @@ You can build [Gateway network policies](/cloudflare-one/traffic-policies/networ | -------- | -------- | -------------- | ------ | | SNI | in | `app.bank.com` | Block | -Gateway does not support hostname-based filtering for traffic on non-`443` ports. To block traffic to `app.bank.com` on all ports, use the [Destination IP](/cloudflare-one/traffic-policies/network-policies/#destination-ip) selector and specify the public IP range of `app.bank.com`. +Gateway does not support hostname-based filtering for traffic on non-`443` ports. To block traffic to `app.bank.com` on all ports, use the [Destination IP](/cloudflare-one/traffic-policies/policy-types/network-policies/#destination-ip) selector and specify the public IP range of `app.bank.com`. ## 5. Test the connection diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/host-selectors.mdx similarity index 81% rename from src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/host-selectors.mdx index 9dba4363635..20f6ab34a40 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/host-selectors.mdx @@ -29,7 +29,7 @@ import { Tabs, TabItem, Details, APIRequest, Render } from "~/components";
-Egress policies are evaluated at Layer 4 (https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) of the OSI model, where only IP addresses are available — not hostnames. The [Application](/cloudflare-one/traffic-policies/egress-policies/#application), [Content Categories](/cloudflare-one/traffic-policies/egress-policies/#content-categories), [Domain](/cloudflare-one/traffic-policies/egress-policies/#domain), and [Host](/cloudflare-one/traffic-policies/egress-policies/#host) selectors need to match traffic by hostname, so Gateway uses a two-step process: +Egress policies are evaluated at Layer 4 (https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) of the OSI model, where only IP addresses are available — not hostnames. The [Application](/cloudflare-one/traffic-policies/policy-types/egress-policies/#application), [Content Categories](/cloudflare-one/traffic-policies/policy-types/egress-policies/#content-categories), [Domain](/cloudflare-one/traffic-policies/policy-types/egress-policies/#domain), and [Host](/cloudflare-one/traffic-policies/policy-types/egress-policies/#host) selectors need to match traffic by hostname, so Gateway uses a two-step process: 1. When Gateway receives a DNS query for a hostname that matches one of these selectors, it initially resolves the query to a temporary IP in the `100.80.0.0/16` or `2606:4700:0cf1:4000::/64` range. 2. When traffic arrives with this temporary destination IP, Gateway can identify which hostname the connection belongs to, apply the correct egress policy, then replace the temporary IP with the real destination IP before forwarding the traffic. @@ -110,7 +110,7 @@ The Cloudflare One Client must be set to _Traffic and DNS mode_ for traffic affe ### DNS resolution location -For the [Application](/cloudflare-one/traffic-policies/egress-policies/#application), [Content Categories](/cloudflare-one/traffic-policies/egress-policies/#content-categories), [Domain](/cloudflare-one/traffic-policies/egress-policies/#domain), and [Host](/cloudflare-one/traffic-policies/egress-policies/#host) selectors, Gateway captures the destination IP address during the initial DNS resolution step described above. The egress policy does not change this IP address, so the destination Gateway connects to is independent of the location of the egress data center or dedicated egress IP you select. +For the [Application](/cloudflare-one/traffic-policies/policy-types/egress-policies/#application), [Content Categories](/cloudflare-one/traffic-policies/policy-types/egress-policies/#content-categories), [Domain](/cloudflare-one/traffic-policies/policy-types/egress-policies/#domain), and [Host](/cloudflare-one/traffic-policies/policy-types/egress-policies/#host) selectors, Gateway captures the destination IP address during the initial DNS resolution step described above. The egress policy does not change this IP address, so the destination Gateway connects to is independent of the location of the egress data center or dedicated egress IP you select. If the resolved destination IP and the egress IP are located in different regions, connections to destinations that enforce geo-restriction or IP-allowlisting based on the connection source may be rejected. @@ -122,10 +122,10 @@ This can affect you if you use Domain or Host egress selectors, your users are l ### DNS Override policies bypass host selectors -If a domain matches a [DNS Override policy](/cloudflare-one/traffic-policies/dns-policies/#override), Gateway will not apply the initial resolved IP mapping for that domain. This means host-based egress selectors (Application, Content Categories, Domain, and Host) will not evaluate against traffic to the overridden domain. Traffic to these domains will use the default Cloudflare egress method. +If a domain matches a [DNS Override policy](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override), Gateway will not apply the initial resolved IP mapping for that domain. This means host-based egress selectors (Application, Content Categories, Domain, and Host) will not evaluate against traffic to the overridden domain. Traffic to these domains will use the default Cloudflare egress method. ### HTTPS DNS records not supported Host selectors do not support HTTPS DNS record types. When a domain uses HTTPS records for connection establishment, Gateway cannot map the DNS query to a hostname for egress policy evaluation. Traffic to these domains will use the default Cloudflare egress method instead of matching a host-based egress policy. -If you need to apply egress policies to a domain that uses HTTPS records, use an IP-based selector (such as [Destination IP](/cloudflare-one/traffic-policies/egress-policies/#destination-ip)) instead. +If you need to apply egress policies to a domain that uses HTTPS records, use an IP-based selector (such as [Destination IP](/cloudflare-one/traffic-policies/policy-types/egress-policies/#destination-ip)) instead. diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/index.mdx similarity index 92% rename from src/content/docs/cloudflare-one/traffic-policies/egress-policies/index.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/index.mdx index a8824755e6d..a1295dccb5e 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/index.mdx @@ -27,7 +27,7 @@ Only available on Enterprise plans. Many third-party services (for example, a bank or partner API) only allow connections from a known list of IP addresses. By default, traffic that exits through Cloudflare Gateway shares a source IP address with all other Cloudflare One Client users, so upstream services cannot identify your organization by IP alone. -[Dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) solve this problem. They are static IP addresses assigned only to your account, which you can add to upstream allowlists. +[Dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) solve this problem. They are static IP addresses assigned only to your account, which you can add to upstream allowlists. Egress policies control which dedicated egress IP is used for a given connection. You can match traffic on attributes such as user identity, source or destination IP address, and geolocation. Traffic that does not match an egress policy defaults to the most performant dedicated egress IP. @@ -43,7 +43,7 @@ If two data centers are equally close to the user, Gateway splits traffic betwee ## Force IP version -Some upstream services only accept connections over a specific IP version. To force all egress traffic to use IPv4 or IPv6 only, first verify you are [filtering DNS traffic](/cloudflare-one/traffic-policies/get-started/dns/), then create a DNS policy to [block AAAA or A records](/cloudflare-one/traffic-policies/dns-policies/common-policies/#control-ip-version). +Some upstream services only accept connections over a specific IP version. To force all egress traffic to use IPv4 or IPv6 only, first verify you are [filtering DNS traffic](/cloudflare-one/traffic-policies/get-started/dns/), then create a DNS policy to [block AAAA or A records](/cloudflare-one/traffic-policies/policy-types/dns-policies/common-policies/#control-ip-version). ## Example policies @@ -87,9 +87,9 @@ When you configure your egress policy, you can choose whether to egress traffic **Use dedicated egress IPs (Cloudflare or BYOIP)** routes traffic through the primary IPv4 address and IPv6 range you select in the dropdown menus. -If the data center associated with your primary IPv4 address goes down, Gateway fails over to the secondary data center to prevent traffic drops. A secondary IPv6 address is not required because IPv6 traffic can exit from any Cloudflare data center. You can use IPs provided by Cloudflare or [bring your own IP addresses (BYOIP)](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). +If the data center associated with your primary IPv4 address goes down, Gateway fails over to the secondary data center to prevent traffic drops. A secondary IPv6 address is not required because IPv6 traffic can exit from any Cloudflare data center. You can use IPs provided by Cloudflare or [bring your own IP addresses (BYOIP)](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). -To learn more about IPv4 and IPv6 egress behavior, refer to [Egress locations](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#egress-location). +To learn more about IPv4 and IPv6 egress behavior, refer to [Egress locations](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/#egress-location). ## Selectors @@ -249,6 +249,6 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl ### Selector prerequisites -The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors require additional setup before they work in egress policies. Before deploying policies with these selectors, refer to [Host selectors](/cloudflare-one/traffic-policies/egress-policies/host-selectors). +The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors require additional setup before they work in egress policies. Before deploying policies with these selectors, refer to [Host selectors](/cloudflare-one/traffic-policies/policy-types/egress-policies/host-selectors). -These selectors also resolve the destination IP address when Gateway processes the DNS query, not when the egress policy is applied. If the resolved destination IP and your egress IP are in different regions, connections to destinations that enforce geo-restriction or IP-allowlisting may fail. Refer to [DNS resolution location](/cloudflare-one/traffic-policies/egress-policies/host-selectors/#dns-resolution-location) for details. +These selectors also resolve the destination IP address when Gateway processes the DNS query, not when the egress policy is applied. If the resolved destination IP and your egress IP are in different regions, connections to destinations that enforce geo-restriction or IP-allowlisting may fail. Refer to [DNS resolution location](/cloudflare-one/traffic-policies/policy-types/egress-policies/host-selectors/#dns-resolution-location) for details. diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/antivirus-scanning.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning.mdx similarity index 90% rename from src/content/docs/cloudflare-one/traffic-policies/http-policies/antivirus-scanning.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning.mdx index 6e7e43f287f..d586f6a40f9 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/antivirus-scanning.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning.mdx @@ -12,7 +12,7 @@ import { Render, Details } from "~/components"; Cloudflare Gateway can scan files for malware as users upload or download them. Anti-virus (AV) scanning runs inline — Gateway inspects files as they pass through the proxy and blocks any file that contains a known malicious payload. -In addition to AV scanning, Gateway can quarantine previously unseen files into a sandbox to detect zero-day threats not yet in anti-virus databases. For more information, refer to [File sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). +In addition to AV scanning, Gateway can quarantine previously unseen files into a sandbox to detect zero-day threats not yet in anti-virus databases. For more information, refer to [File sandboxing](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/). ## Get started @@ -48,7 +48,7 @@ If none of these conditions match, Gateway falls back to the origin's `Content-T ## Opt content out from scanning -When an admin turns on AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning using HTTP policies. All [HTTP selectors](/cloudflare-one/traffic-policies/http-policies/#selectors) can opt HTTP traffic out from AV scanning using the **Do Not Scan** action. When traffic matches a Do Not Scan policy, nothing is scanned, regardless of file size or whether the file type is supported or not. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, you can create the following policy: +When an admin turns on AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning using HTTP policies. All [HTTP selectors](/cloudflare-one/traffic-policies/policy-types/http-policies/#selectors) can opt HTTP traffic out from AV scanning using the **Do Not Scan** action. When traffic matches a Do Not Scan policy, nothing is scanned, regardless of file size or whether the file type is supported or not. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, you can create the following policy: | Selector | Operator | Value | Action | | -------- | ------------- | ------------- | ----------- | diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies.mdx similarity index 98% rename from src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies.mdx index d31847e2498..a95062dbc91 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies.mdx @@ -17,11 +17,11 @@ tags: import { Render, Tabs, TabItem, APIRequest } from "~/components"; -The following policies are commonly used to secure HTTP traffic. HTTP policies are evaluated in order from top to bottom, and the first matching policy applies — except for [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies, which are always evaluated first. +The following policies are commonly used to secure HTTP traffic. HTTP policies are evaluated in order from top to bottom, and the first matching policy applies — except for [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policies, which are always evaluated first. For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies/). -Refer to the [HTTP policies page](/cloudflare-one/traffic-policies/http-policies/) for a comprehensive list of other selectors, operators, and actions. +Refer to the [HTTP policies page](/cloudflare-one/traffic-policies/policy-types/http-policies/) for a comprehensive list of other selectors, operators, and actions. ## Block sites @@ -300,7 +300,7 @@ When accessing origin servers with certificates not signed by a public certifica -For more information on supported file types, refer to [Download and Upload File Types](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types). +For more information on supported file types, refer to [Download and Upload File Types](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-file-types). ## Isolate or block shadow IT applications diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing.mdx similarity index 93% rename from src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing.mdx index 1576fc14c31..922f0e08e6b 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing.mdx @@ -14,7 +14,7 @@ import { Render, Details } from "~/components"; Available as an add-on to Zero Trust Enterprise plans. For more information, contact your account team. ::: -In addition to [anti-virus (AV) scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. +In addition to [anti-virus (AV) scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. When a file download passes AV scanning without a malware detection, Gateway quarantines the file in the [sandbox](#sandbox-environment). If the file has not been downloaded before, Gateway monitors the file's behavior and compares it to known malware patterns. During this process, Gateway displays an interstitial page in the user's browser. If the sandbox does not detect malicious activity, Gateway releases the file and downloads it to the user's device. If the sandbox detects malicious activity, Gateway blocks the download. For any subsequent downloads of the same file, Gateway remembers and applies its previous allow/block decision. @@ -56,7 +56,7 @@ To begin quarantining downloaded files, turn on file sandboxing: 2. In **Policy settings**, turn on **Open previously unseen files in a sandbox environment**. 3. (Optional) To block requests containing [non-scannable files](#non-scannable-files), select **Block requests for files that cannot be scanned**. -You can now create [Quarantine HTTP policies](/cloudflare-one/traffic-policies/http-policies/#quarantine) to determine what files to scan in the sandbox. +You can now create [Quarantine HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/#quarantine) to determine what files to scan in the sandbox. ## Create test policy diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/granular-controls.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx similarity index 91% rename from src/content/docs/cloudflare-one/traffic-policies/http-policies/granular-controls.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx index 406d3d137aa..6b07350246e 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/granular-controls.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx @@ -19,16 +19,16 @@ import { APIRequest, } from "~/components"; -With Application Granular Controls, you can create [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application. +With Application Granular Controls, you can create [Gateway HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application. ## Prerequisites To use Application Granular Controls, you must: - Install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on your users' devices. -- Turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). +- Turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). - Turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). -- (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection). +- (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/#enable-http3-inspection). - (Optional) To turn on [AI prompt logging](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content), create a [DLP payload encryption public key](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key). ## Create a policy with Application Granular Controls @@ -74,7 +74,7 @@ Use the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresource -For more information, refer to [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). +For more information, refer to [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). ## Control definitions diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/http3.mdx similarity index 85% rename from src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/http3.mdx index c102820dc91..33f8f554784 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/http3.mdx @@ -13,13 +13,13 @@ tags: import { Details } from "~/components"; -HTTP/3 uses the QUIC protocol over UDP instead of TCP. Because Gateway's default proxy only handles TCP traffic, HTTP/3 inspection requires turning on the UDP proxy. Without it, HTTP/3 traffic bypasses HTTP inspection. [Network policies](/cloudflare-one/traffic-policies/network-policies/) still apply to the underlying UDP traffic. +HTTP/3 uses the QUIC protocol over UDP instead of TCP. Because Gateway's default proxy only handles TCP traffic, HTTP/3 inspection requires turning on the UDP proxy. Without it, HTTP/3 traffic bypasses HTTP inspection. [Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) still apply to the underlying UDP traffic. Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#http3-traffic). ## Turn on HTTP/3 inspection -Before you can inspect any HTTPS traffic, you must deploy a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to your devices and turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). To inspect HTTP/3 traffic, you must also turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for UDP. +Before you can inspect any HTTPS traffic, you must deploy a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to your devices and turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). To inspect HTTP/3 traffic, you must also turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for UDP. To turn on the Gateway proxy for UDP and TLS decryption: @@ -40,7 +40,7 @@ If you do not turn on the UDP proxy, HTTP/3 traffic from browsers other than Chr ## Exempt HTTP/3 traffic from inspection -If you require HTTP/3 traffic with end-to-end encryption from the client to the origin while still using the Gateway proxy, you can create a [Do Not Inspect HTTP policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to match the desired traffic. Using a Do Not Inspect policy allows HTTP/3 traffic to preserve proxy performance and end-to-end encryption by bypassing Gateway's TLS decryption and inspection. +If you require HTTP/3 traffic with end-to-end encryption from the client to the origin while still using the Gateway proxy, you can create a [Do Not Inspect HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) to match the desired traffic. Using a Do Not Inspect policy allows HTTP/3 traffic to preserve proxy performance and end-to-end encryption by bypassing Gateway's TLS decryption and inspection. ## Force HTTP/2 traffic diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx similarity index 96% rename from src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx index 0daccb6c415..fc2e9794929 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx @@ -17,9 +17,9 @@ import { Details, InlineBadge, Render } from "~/components"; To use HTTP policies, install a [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/). ::: -HTTP policies allow you to filter all HTTP and HTTPS requests based on URLs, hostnames, HTTP methods, file types, and other request attributes. Unlike [network policies](/cloudflare-one/traffic-policies/network-policies/) which operate at Layer 4 (TCP/UDP), HTTP policies operate at Layer 7 and can inspect the full content of web traffic. +HTTP policies allow you to filter all HTTP and HTTPS requests based on URLs, hostnames, HTTP methods, file types, and other request attributes. Unlike [network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) which operate at Layer 4 (TCP/UDP), HTTP policies operate at Layer 7 and can inspect the full content of web traffic. -By default, Gateway inspects HTTP traffic on port `80` and, with [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) turned on, HTTPS traffic on port `443`. You can also configure Gateway to [inspect HTTP/HTTPS traffic on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). Gateway supports HTTP/3 inspection with the [UDP proxy](/cloudflare-one/traffic-policies/http-policies/http3/) turned on. +By default, Gateway inspects HTTP traffic on port `80` and, with [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) turned on, HTTPS traffic on port `443`. You can also configure Gateway to [inspect HTTP/HTTPS traffic on all ports](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports). Gateway supports HTTP/3 inspection with the [UDP proxy](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/) turned on. An HTTP policy consists of an **Action** and a logical expression that determines the scope of the policy. To build an expression, choose a **Selector** and an **Operator**, then enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. @@ -238,11 +238,11 @@ API value: `off` When you create a Do Not Inspect policy for a given hostname, application, or app type, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. -Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/traffic-policies/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). +Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). ::: -Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indication (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations). +Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indication (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations). :::note All Do Not Inspect policies are evaluated before any Allow or Block policies, regardless of their position in the policy list. For more information, refer to [Order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies). @@ -380,7 +380,7 @@ API value: `quarantine`
-The Quarantine action sends files in matching requests to a file sandbox to scan for malware. Gateway will only quarantine files not previously seen in the file sandbox. For more information on this action, refer to [File sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). +The Quarantine action sends files in matching requests to a file sandbox to scan for malware. Gateway will only quarantine files not previously seen in the file sandbox. For more information on this action, refer to [File sandboxing](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/). #### Sandbox file types @@ -440,7 +440,7 @@ When using the _is_ operator with the _Application_ selector, you can use Applic You can match traffic based on **Application Controls**, which group multiple user actions together, or **Operations**, which allow for granular control of supported API-level actions for an application. -For more information, refer to [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/granular-controls/). +For more information, refer to [Application Granular Controls](/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls/). ### Body Phase diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/tenant-control.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/http-policies/tenant-control.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption.mdx similarity index 85% rename from src/content/docs/cloudflare-one/traffic-policies/http-policies/tls-decryption.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption.mdx index f6c0847db3b..7ecf165e2c7 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption.mdx @@ -18,11 +18,11 @@ import { Tabs, } from "~/components"; -Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/learning/security/what-is-https-inspection/) to inspect HTTPS traffic for malware and other security risks. TLS decryption is required for HTTP policies to inspect HTTPS traffic. Without it, information contained within HTTPS encryption, such as the full URL, headers, and request body, [will not be visible to Gateway](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect). +Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/learning/security/what-is-https-inspection/) to inspect HTTPS traffic for malware and other security risks. TLS decryption is required for HTTP policies to inspect HTTPS traffic. Without it, information contained within HTTPS encryption, such as the full URL, headers, and request body, [will not be visible to Gateway](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect). When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/). -Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). +Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/). Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3. @@ -53,7 +53,7 @@ Gateway does not support TLS decryption for applications which use: product="cloudflare-one" params={{ turnOnProcedure: - "you can turn on [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports)", + "you can turn on [protocol detection](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports)", }} /> @@ -64,10 +64,10 @@ Applications that use certificate pinning and mTLS authentication do not trust C If you try to perform TLS decryption on an application with an incompatible certificate configuration, the application may return an SSL or trust error and/or fail to load. To resolve this issue, you can: - Add a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to supported applications. -- Create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](/cloudflare-one/traffic-policies/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. Note that if you create a Do Not Inspect policy for an application or website, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. +- Create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](/cloudflare-one/traffic-policies/policy-types/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. Note that if you create a Do Not Inspect policy for an application or website, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. - Configure a [Split Tunnel](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) in Include mode to ensure Gateway will only inspect traffic destined for your IPs or domains. This is useful for organizations that deploy Zero Trust on users' personal devices or otherwise expect personal applications to be used. -Alternatively, to allow HTTP filtering while accessing a site with an insecure certificate, set your [Untrusted certificate action](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) to _Pass through_. +Alternatively, to allow HTTP filtering while accessing a site with an insecure certificate, set your [Untrusted certificate action](/cloudflare-one/traffic-policies/policy-types/http-policies/#untrusted-certificates) to _Pass through_. ### Google Chrome automatic HTTPS upgrades @@ -81,7 +81,7 @@ To disable automatic HTTPS upgrades for a URL across your Zero Trust organizatio 1. Deploy a [custom root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/). -2. Create an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to match the domain of the URL being automatically upgraded. For example: +2. Create an [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) to match the domain of the URL being automatically upgraded. For example: | Selector | Operator | Value | Action | | -------- | -------- | ------------- | ------ | @@ -91,7 +91,7 @@ To disable automatic HTTPS upgrades for a URL across your Zero Trust organizatio 4. Select **Create policy**. -The pass through policy will bypass insecure connection upgrades for any device connected to your Zero Trust organization. For more information, refer to [Untrusted certificates](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates). +The pass through policy will bypass insecure connection upgrades for any device connected to your Zero Trust organization. For more information, refer to [Untrusted certificates](/cloudflare-one/traffic-policies/policy-types/http-policies/#untrusted-certificates). @@ -105,13 +105,13 @@ Chrome Enterprise users can turn off automatic HTTPS upgrades for all URLs with ### Mutual TLS (mTLS) -In mutual TLS (mTLS), both the client and server present certificates to verify each other's identity. When Gateway decrypts TLS traffic, it terminates the connection from the client and creates a new connection to the origin server. Because Gateway cannot forward the client's certificate to the origin, the mTLS handshake fails. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for this traffic. +In mutual TLS (mTLS), both the client and server present certificates to verify each other's identity. When Gateway decrypts TLS traffic, it terminates the connection from the client and creates a new connection to the origin server. Because Gateway cannot forward the client's certificate to the origin, the mTLS handshake fails. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) for this traffic. ### ESNI and ECH Websites that adhere to [ESNI or Encrypted Client Hello (ECH) standards](https://blog.cloudflare.com/encrypted-client-hello/) encrypt the Server Name Indication (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. Gateway relies on the SNI to match an HTTP request to a policy — if the SNI is encrypted, Gateway cannot determine which policy to apply. If the ECH fails, browsers will retry the TLS handshake using the unencrypted SNI from the initial request. To avoid this behavior, you can disable ECH in your users' browsers. -You can still apply all [network policy filters](/cloudflare-one/traffic-policies/network-policies/#selectors) except for SNI and SNI Domain. To restrict ESNI and ECH traffic, an option is to filter out all port `80` and `443` traffic that does not include an SNI header. +You can still apply all [network policy filters](/cloudflare-one/traffic-policies/policy-types/network-policies/#selectors) except for SNI and SNI Domain. To restrict ESNI and ECH traffic, an option is to filter out all port `80` and `443` traffic that does not include an SNI header. ## Post-quantum support @@ -133,7 +133,7 @@ By default, TLS decryption can use both TLS version 1.2 and 1.3. However, some e When FIPS compliance is enabled, Gateway will only choose [FIPS-compliant cipher suites](#cipher-suites) when connecting to the origin. If the origin does not support FIPS-compliant ciphers, the request will fail. -FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/traffic-policies/http-policies/http3/). To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection). +FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/). To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/#enable-http3-inspection). ## FedRAMP compliance diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/index.mdx new file mode 100644 index 00000000000..93a4e521588 --- /dev/null +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/index.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: navigation +title: Policy types +sidebar: + order: 3 +--- + +import { DirectoryListing } from "~/components"; + +Cloudflare Gateway supports several policy types to filter traffic at different network layers. Each policy type provides control at a specific layer of the network stack. + + diff --git a/src/content/docs/cloudflare-one/traffic-policies/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies.mdx similarity index 96% rename from src/content/docs/cloudflare-one/traffic-policies/network-policies/common-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies.mdx index bcde8177898..b5df5f76672 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies.mdx @@ -21,7 +21,7 @@ The following policies are commonly used to secure network traffic. Network poli For a baseline set of recommended policies, refer to [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies/). -Refer to the [network policies page](/cloudflare-one/traffic-policies/network-policies/) for a comprehensive list of other selectors, operators, and actions. +Refer to the [network policies page](/cloudflare-one/traffic-policies/policy-types/network-policies/) for a comprehensive list of other selectors, operators, and actions. ## Block unauthorized applications @@ -104,7 +104,7 @@ To require users to re-authenticate after a certain amount of time has elapsed, ## Allow only approved traffic -Restrict user access to only the specific sites or applications configured in your [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). This pattern uses two policies: an Allow policy to permit HTTP/HTTPS traffic, followed by a Block policy to deny everything else. Place the Allow policy above the Block policy so that matching traffic is allowed before the catch-all block applies. +Restrict user access to only the specific sites or applications configured in your [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). This pattern uses two policies: an Allow policy to permit HTTP/HTTPS traffic, followed by a Block policy to deny everything else. Place the Allow policy above the Block policy so that matching traffic is allowed before the catch-all block applies. ### 1. Allow HTTP and HTTPS traffic @@ -167,7 +167,7 @@ Restrict user access to only the specific sites or applications configured in yo ## Filter HTTPS traffic when inspecting on all ports -If your organization blocks traffic by default with a Network policy and you want to [inspect HTTP traffic on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it. +If your organization blocks traffic by default with a Network policy and you want to [inspect HTTP traffic on all ports](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it. diff --git a/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/index.mdx similarity index 98% rename from src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/index.mdx index ac4a558d6c5..84cae1744d5 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/index.mdx @@ -137,7 +137,7 @@ Policies with Audit SSH actions allow administrators to log SSH traffic. Gateway Gateway only audits SSH traffic over port `22`. Non-standard ports, including those specified with the [Destination Port selector](#destination-port), are not supported. -For more information on SSH logging, refer to [Configure SSH proxy and command logs](/cloudflare-one/traffic-policies/network-policies/ssh-logging/). +For more information on SSH logging, refer to [Configure SSH proxy and command logs](/cloudflare-one/traffic-policies/policy-types/network-policies/ssh-logging/). ### Block @@ -312,7 +312,7 @@ Gateway matches network traffic against the following selectors, or criteria. ### Detected Protocol -The inferred network protocol based on Cloudflare's [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). +The inferred network protocol based on Cloudflare's [protocol detection](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/). | UI name | API example | | ----------------- | --------------------------------- | diff --git a/src/content/docs/cloudflare-one/traffic-policies/network-policies/protocol-detection.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection.mdx similarity index 93% rename from src/content/docs/cloudflare-one/traffic-policies/network-policies/protocol-detection.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection.mdx index 84848c8086d..cb89d2ee1d4 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/network-policies/protocol-detection.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection.mdx @@ -23,7 +23,7 @@ To turn on protocol detection: 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Traffic settings** > **Proxy and inspection settings**. 2. Turn on **Allow protocol detection**. -You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudflare-one/traffic-policies/network-policies/#detected-protocol). +You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/#detected-protocol). ### Inspect on all ports @@ -38,13 +38,13 @@ You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudfl #### Important considerations -**TLS interception on all ports**: When you turn on this setting, Gateway will attempt to intercept TLS traffic on every port, not just port `443`. This means all applications using TLS on non-standard ports will have their traffic intercepted by the Gateway proxy. If you only want to turn on SNI detection for Network policy filtering without full TLS interception, you will need to create [Do Not Inspect policies](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#do-not-inspect) for the specific applications or domains that use TLS on non-standard ports. +**TLS interception on all ports**: When you turn on this setting, Gateway will attempt to intercept TLS traffic on every port, not just port `443`. This means all applications using TLS on non-standard ports will have their traffic intercepted by the Gateway proxy. If you only want to turn on SNI detection for Network policy filtering without full TLS interception, you will need to create [Do Not Inspect policies](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#do-not-inspect) for the specific applications or domains that use TLS on non-standard ports. :::caution[Non-HTTP protocols inside TLS bypass network policy filtering] Once a Network policy allows a TLS connection at Layer 4, Gateway decrypts the TLS traffic. However, Gateway cannot filter non-HTTP protocols inside the TLS connection. All non-HTTPS traffic inside TLS (such as SSH over TLS, database protocols, or custom protocols) is allowed by default with no further filtering applied. If your organization uses a default-block Network policy, Gateway will still allow all non-HTTPS TLS traffic through. ::: -To use HTTP policies to filter all HTTPS traffic on all ports when using a default Block Network policy, [create a Network policy to explicitly allow HTTP and TLS traffic](/cloudflare-one/traffic-policies/network-policies/common-policies/#filter-https-traffic-when-inspecting-on-all-ports). +To use HTTP policies to filter all HTTPS traffic on all ports when using a default Block Network policy, [create a Network policy to explicitly allow HTTP and TLS traffic](/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies/#filter-https-traffic-when-inspecting-on-all-ports). ## Supported protocols diff --git a/src/content/docs/cloudflare-one/traffic-policies/network-policies/ssh-logging.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/ssh-logging.mdx similarity index 98% rename from src/content/docs/cloudflare-one/traffic-policies/network-policies/ssh-logging.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/ssh-logging.mdx index add11400ed3..8f781752f48 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/network-policies/ssh-logging.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/ssh-logging.mdx @@ -68,7 +68,7 @@ cat /etc/ssh/sshd_config 2. In the **Network** tab, select **Add a network policy**. -3. Name the policy and specify the [Destination IP](/cloudflare-one/traffic-policies/network-policies/#destination-ip) for your origin server. +3. Name the policy and specify the [Destination IP](/cloudflare-one/traffic-policies/policy-types/network-policies/#destination-ip) for your origin server. You can enter either a public or private IP. To use a private IP, refer to [Connect private networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/). diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies.mdx similarity index 97% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies.mdx index 142956eac95..2b4dfda2af0 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-policies.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies.mdx @@ -137,4 +137,4 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ ## Next steps -Refer to [Form expressions](/cloudflare-one/traffic-policies/packet-filtering/form-expressions/) for more information on how to write rule expressions. +Refer to [Form expressions](/cloudflare-one/traffic-policies/policy-types/packet-filtering/form-expressions/) for more information on how to write rule expressions. diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/extended-ruleset.mdx similarity index 96% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/extended-ruleset.mdx index 61c5b4affcd..6693baa20ce 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/extended-ruleset.mdx @@ -16,7 +16,7 @@ tags: - IPsec --- -The extended ruleset builds on the [Minimal ruleset](/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/) by creating targeted rules for different types of systems on your network. Before creating these rules, you must [create IP lists](/waf/tools/lists/custom-lists/#ip-lists) for each category. +The extended ruleset builds on the [Minimal ruleset](/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/minimal-ruleset/) by creating targeted rules for different types of systems on your network. Before creating these rules, you must [create IP lists](/waf/tools/lists/custom-lists/#ip-lists) for each category. If you are unable to export your current perimeter firewall rules, consider identifying categories of systems or user groups that reside on your Magic Transit prefixes. For example: diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/index.mdx similarity index 58% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/index.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/index.mdx index a11495ecb58..634efa23513 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/index.mdx @@ -12,6 +12,6 @@ import { DirectoryListing } from "~/components"; By default, Cloudflare Network Firewall allows all incoming (ingress) traffic that has passed through Cloudflare's core DDoS mitigations. To reduce your exposure to attacks and prevent unwanted traffic from reaching your network, configure rules using the following guidelines. -If you are setting up firewall rules for the first time, start with the [Minimal ruleset](/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset/). If you have existing on-premises or edge firewall rules, the best approach is to replicate those rules in Network Firewall. If you are unable to export your current firewall rules, contact your Cloudflare Implementation Manager for help translating the rules into Network Firewall rules. +If you are setting up firewall rules for the first time, start with the [Minimal ruleset](/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/minimal-ruleset/). If you have existing on-premises or edge firewall rules, the best approach is to replicate those rules in Network Firewall. If you are unable to export your current firewall rules, contact your Cloudflare Implementation Manager for help translating the rules into Network Firewall rules. diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/magic-transit-egress.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/magic-transit-egress.mdx similarity index 80% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/magic-transit-egress.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/magic-transit-egress.mdx index 61657d39a17..f1a28955ede 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/magic-transit-egress.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/magic-transit-egress.mdx @@ -8,7 +8,7 @@ sidebar: order: 4 --- -The suggestions in the [Minimal ruleset](/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset) and [Extended ruleset](/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset) are recommendations for ingress (incoming) traffic. This page covers the additional consideration needed for egress (outgoing) traffic. +The suggestions in the [Minimal ruleset](/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/minimal-ruleset) and [Extended ruleset](/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/extended-ruleset) are recommendations for ingress (incoming) traffic. This page covers the additional consideration needed for egress (outgoing) traffic. Cloudflare Network Firewall does not track connection state (it is not "stateful"). A stateful firewall automatically allows return traffic for active connections — for example, if you send a request outbound, the response is allowed back in. Because Network Firewall is not stateful, each packet — whether ingress or egress — is evaluated independently against your rules. This means ingress block rules can inadvertently block egress traffic. diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/minimal-ruleset.mdx similarity index 97% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/minimal-ruleset.mdx index 98b61cf65c5..3dabb2c7b10 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/minimal-ruleset.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/best-practices/minimal-ruleset.mdx @@ -37,7 +37,7 @@ This is a suggested list and not an exhaustive list. Check which ports and proto **Match**: `(ip.proto eq "hopopt") or (not ip.proto in {"esp" "tcp" "udp" "gre" "icmp"})`
**Action**: Block
-These rules are also available as [managed rules](/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets/) that you can enable without manual configuration. The rules above are provided for reference and customization. +These rules are also available as [managed rules](/cloudflare-one/traffic-policies/policy-types/packet-filtering/enable-managed-rulesets/) that you can enable without manual configuration. The rules above are provided for reference and customization. ## Traffic and port types diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/create-rate-limiting-policies.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/create-rate-limiting-policies.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/enable-managed-rulesets.mdx similarity index 99% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/enable-managed-rulesets.mdx index d3fd6c9e5f0..b7ccd543dbb 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/enable-managed-rulesets.mdx @@ -12,7 +12,7 @@ tags: With [managed rulesets](/ruleset-engine/managed-rulesets/), you can quickly deploy pre-built firewall rules maintained by Cloudflare. You use Cloudflare Network Firewall to control which managed rules are enabled. -In addition to enabling managed rulesets, you can also add and enable custom policies. Refer to [add policies](/cloudflare-one/traffic-policies/packet-filtering/add-policies/). +In addition to enabling managed rulesets, you can also add and enable custom policies. Refer to [add policies](/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/). :::note Before you can use managed rulesets with Cloudflare Network Firewall, your account must have managed rulesets enabled. Contact your account team to request access. diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/form-expressions.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/form-expressions.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/form-expressions.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/form-expressions.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/enable-ids.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/ids.mdx similarity index 87% rename from src/content/docs/cloudflare-one/traffic-policies/enable-ids.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/ids.mdx index 7bff5289fd5..7e9128fab34 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/enable-ids.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/ids.mdx @@ -24,7 +24,7 @@ With Cloudflare's global anycast network, you get: - Built-in redundancy and failover. Every server runs Cloudflare's IDS software, and traffic is automatically attracted to the closest network location to its source. - Continuous deployment for improvements to Cloudflare's IDS capabilities. -Refer to [Enable IDS](/cloudflare-one/traffic-policies/enable-ids/#enable-ids) for more information on enabling IDS and creating new rulesets. After IDS is enabled, your traffic will be scanned to find malicious traffic. The detections are logged to destinations that can be configured from the dashboard. Refer to [IDS logs](/cloudflare-one/insights/logs/logpush/ids-logs/) for instructions on configuring a destination to receive the detections. Additionally, all traffic that is analyzed can be accessed via [network analytics](/analytics/network-analytics/). Refer to [GraphQL Analytics](/cloudflare-network-firewall/tutorials/graphql-analytics/) to query the analytics data. +Refer to [Enable IDS](/cloudflare-one/traffic-policies/policy-types/packet-filtering/ids/#enable-ids) for more information on enabling IDS and creating new rulesets. After IDS is enabled, your traffic will be scanned to find malicious traffic. The detections are logged to destinations that can be configured from the dashboard. Refer to [IDS logs](/cloudflare-one/insights/logs/logpush/ids-logs/) for instructions on configuring a destination to receive the detections. Additionally, all traffic that is analyzed can be accessed via [network analytics](/analytics/network-analytics/). Refer to [GraphQL Analytics](/cloudflare-network-firewall/tutorials/graphql-analytics/) to query the analytics data. Cloudflare's IDS takes advantage of the threat intelligence powered by our global network and extends the capabilities of the Cloudflare Firewall to monitor and protect your network from malicious actors. diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/index.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/index.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/index.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/network-firewall-overview.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/network-firewall-overview.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/protocol-validation-rules.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/protocol-validation-rules.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/protocol-validation-rules.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/protocol-validation-rules.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/ruleset-logic.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/ruleset-logic.mdx similarity index 97% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/ruleset-logic.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/ruleset-logic.mdx index 5b381bf5f90..6af31a4e665 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/ruleset-logic.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/ruleset-logic.mdx @@ -53,4 +53,4 @@ Managed phase rulesets are maintained by Cloudflare and contain rules based on b Cloudflare maintains the expressions and order of execution for rules in the Managed phase. You can enable, disable, or set individual rules to log matching packets. -Refer to [Enable managed rulesets](/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets/) for more information. +Refer to [Enable managed rulesets](/cloudflare-one/traffic-policies/policy-types/packet-filtering/enable-managed-rulesets/) for more information. diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/traffic-types.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/traffic-types.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/packet-filtering/traffic-types.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/packet-filtering/traffic-types.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/resolver-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/resolver-policies/index.mdx similarity index 99% rename from src/content/docs/cloudflare-one/traffic-policies/resolver-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/policy-types/resolver-policies/index.mdx index 7f41699a00f..e3685916eb6 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/resolver-policies.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/resolver-policies/index.mdx @@ -97,7 +97,7 @@ Gateway will filter, resolve, and log your queries regardless of endpoint. -For more information on creating a DNS policy, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). +For more information on creating a DNS policy, refer to [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). diff --git a/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx b/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx index 17cb59834cc..29bb4f5764d 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx @@ -44,7 +44,7 @@ By default, TCP connection attempts will timeout after 30 seconds and idle conne The UDP proxy forwards UDP traffic such as VoIP, [internal DNS requests](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/), and thick client applications. -HTTP/3 uses the QUIC protocol over UDP. To inspect HTTP/3 traffic, turn on both TLS decryption and the UDP proxy. Gateway will then intercept the HTTP/3 connection and connect to the origin server over HTTP/2. Otherwise, HTTP/3 traffic will bypass inspection. For more information on browser-specific behavior, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/http-policies/http3/). +HTTP/3 uses the QUIC protocol over UDP. To inspect HTTP/3 traffic, turn on both TLS decryption and the UDP proxy. Gateway will then intercept the HTTP/3 connection and connect to the origin server over HTTP/2. Otherwise, HTTP/3 traffic will bypass inspection. For more information on browser-specific behavior, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/). ### ICMP (Internet Control Message Protocol) diff --git a/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/organizations.mdx b/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/organizations.mdx index 86d96297a99..7d4dbe2edcc 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/organizations.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/organizations.mdx @@ -14,7 +14,7 @@ sidebar: Only available on Enterprise plans. ::: -Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an Organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/traffic-policies/dns-policies/), [network](/cloudflare-one/traffic-policies/network-policies/), [HTTP](/cloudflare-one/traffic-policies/http-policies/), and [resolver](/cloudflare-one/traffic-policies/resolver-policies/) policies. +Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an Organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/traffic-policies/policy-types/dns-policies/), [network](/cloudflare-one/traffic-policies/policy-types/network-policies/), [HTTP](/cloudflare-one/traffic-policies/policy-types/http-policies/), and [resolver](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) policies. For a DNS-only deployment using the Tenant API, refer to [Tenant API](/cloudflare-one/traffic-policies/tiered-policies/tenant-api/). @@ -96,8 +96,8 @@ In the diagram above: Tiered policies with Organizations have the following limitations: -- [Egress policies](/cloudflare-one/traffic-policies/egress-policies/) cannot be shared between accounts. -- Source accounts cannot share policies that use [device posture](/cloudflare-one/reusable-components/posture-checks/) selectors, the [Detected protocol](/cloudflare-one/traffic-policies/network-policies/#detected-protocol) selector, or the [Quarantine](/cloudflare-one/traffic-policies/http-policies/#quarantine) action. Source and recipient accounts can still create and apply policies with these selectors and actions separately from the Organization share. +- [Egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/) cannot be shared between accounts. +- Source accounts cannot share policies that use [device posture](/cloudflare-one/reusable-components/posture-checks/) selectors, the [Detected protocol](/cloudflare-one/traffic-policies/policy-types/network-policies/#detected-protocol) selector, or the [Quarantine](/cloudflare-one/traffic-policies/policy-types/http-policies/#quarantine) action. Source and recipient accounts can still create and apply policies with these selectors and actions separately from the Organization share. - Policies can only be shared within an Organization. Sharing to sub-organizations is not supported. :::caution @@ -160,7 +160,7 @@ Changes made to shared policies will apply to all recipient accounts. Deleting a ## Manage Gateway settings -You can share certain Gateway settings - the Gateway block page and extended email address matching - from your source account to recipient accounts in your Cloudflare Organization. Other Gateway settings configured in a source account, such as [AV scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) and [file sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), will not affect recipient account configurations. +You can share certain Gateway settings - the Gateway block page and extended email address matching - from your source account to recipient accounts in your Cloudflare Organization. Other Gateway settings configured in a source account, such as [AV scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/) and [file sandboxing](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/), will not affect recipient account configurations. ### Share Gateway block page diff --git a/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/tenant-api.mdx b/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/tenant-api.mdx index 61dee092052..cbe47ff7aad 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/tenant-api.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/tenant-api.mdx @@ -16,7 +16,7 @@ Only available for [Cloudflare Partners](https://www.cloudflare.com/partners/) o Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. :::caution -The Tenant API platform only supports [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). To apply HTTP, network, and resolver policies, use [Cloudflare Organizations](/cloudflare-one/traffic-policies/tiered-policies/organizations/) instead. +The Tenant API platform only supports [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). To apply HTTP, network, and resolver policies, use [Cloudflare Organizations](/cloudflare-one/traffic-policies/tiered-policies/organizations/) instead. ::: For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. @@ -24,7 +24,7 @@ For more information, refer to the [Cloudflare Zero Trust for managed service pr ## Get started -To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). +To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). ## Account types diff --git a/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx b/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx index 99dcde1d99d..053bf68f124 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx @@ -69,7 +69,7 @@ To resolve Gateway policy precedence issues: ## TLS decryption breaks applications -Turning on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. +Turning on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. ### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors diff --git a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx index c90a22223f1..ab82446c7d4 100644 --- a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx +++ b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx @@ -419,7 +419,7 @@ Now your AI wrapper can only be accessed by your users that successfully match y ## 5. Block access to public AI agents with Gateway -You can now block access to all unauthorized public AI agents with a Gateway [HTTP policy](/cloudflare-one/traffic-policies/http-policies/). +You can now block access to all unauthorized public AI agents with a Gateway [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/). 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies** > **HTTP**. 2. Select **Add a policy**. @@ -433,7 +433,7 @@ You can now block access to all unauthorized public AI agents with a Gateway [HT This ensures that public AI agents are not accessible using a managed endpoint. -Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page), [redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page), or a [user notification](/cloudflare-one/traffic-policies/http-policies/#cloudflare-one-client-block-notifications) directing users to the AI agent wrapper. +Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page), [redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page), or a [user notification](/cloudflare-one/traffic-policies/policy-types/http-policies/#cloudflare-one-client-block-notifications) directing users to the AI agent wrapper. ## 6. Enforce Data Loss Prevention and Clientless Browser Isolation diff --git a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx index 96667215c81..23342733fa1 100644 --- a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx +++ b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx @@ -22,7 +22,7 @@ With Cloudflare Browser Isolation and resolver policies, users can connect to pr Make sure you have: - [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) enabled on your account -- [Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) enabled on your account +- [Resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) enabled on your account - An HTTP or HTTPS application that users access through a browser ## Create a Cloudflare Tunnel @@ -65,7 +65,7 @@ To test, open a browser and go to `https://.cloudflareaccess.com/brow 2. Select **Add a policy**. -3. Create an expression to match against the private [domain](/cloudflare-one/traffic-policies/resolver-policies/#domain) or [hostname](/cloudflare-one/traffic-policies/resolver-policies/#host) of the application: +3. Create an expression to match against the private [domain](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#domain) or [hostname](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#host) of the application: | Selector | Operator | Value | | -------- | -------- | -------------------- | @@ -87,7 +87,7 @@ To test, open a browser and go to `https://.cloudflareaccess.com/brow 1. Go to **Traffic policies** > **Firewall policies** > **Network**. -2. Add a [network policy](/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address of your application. You can optionally include any ports or protocols relevant for application access. For example, +2. Add a [network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/) that targets the private IP address of your application. You can optionally include any ports or protocols relevant for application access. For example, | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | --------------- | ----- | ------ | diff --git a/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx index fbfa9dc10b8..69601cb0e1e 100644 --- a/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx +++ b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx @@ -156,7 +156,7 @@ Cloudflare Access will now synchronize changes in group membership with Entra ID ## 5. Create a browser isolation policy -Finally, create a [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to isolate traffic for risky user groups. +Finally, create a [Gateway HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) to isolate traffic for risky user groups. 1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies** > **HTTP**. diff --git a/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx index 20be140548c..3880f82bb29 100644 --- a/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx @@ -28,7 +28,7 @@ You can map a named location in Microsoft Entra ID to a location associated with Make sure you have: -- In Cloudflare, a Zero Trust Enterprise plan with [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) +- In Cloudflare, a Zero Trust Enterprise plan with [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) - In Microsoft 365, an organization managed with [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/) ## Create an egress policy in Cloudflare Gateway diff --git a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx index 0fea1aedca1..631f19d805c 100644 --- a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx +++ b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx @@ -24,7 +24,7 @@ By the end of this tutorial, users that pass network policies will be able to ac Make sure you have: - A MySQL database listening for remote connections and configured with users that can connect remotely -- (Optional)[Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) enabled on your account +- (Optional)[Resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) enabled on your account ## Create a Cloudflare Tunnel @@ -47,7 +47,7 @@ The application and (optional) DNS server are now connected to Cloudflare. ## Create a Gateway network policy 1. Go to **Traffic policies** > **Network policies**. -2. Add a [network policy](/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address and the port of the MySQL database (port 3306 by default). The following example allows access to the database to the users that enrolled into the Cloudflare One Client using an `@example.com` email address. The network policies can also take into consideration [device posture checks](/cloudflare-one/reusable-components/posture-checks/). +2. Add a [network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/) that targets the private IP address and the port of the MySQL database (port 3306 by default). The following example allows access to the database to the users that enrolled into the Cloudflare One Client using an `@example.com` email address. The network policies can also take into consideration [device posture checks](/cloudflare-one/reusable-components/posture-checks/). | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | --------------- | ----- | ------ | @@ -67,7 +67,7 @@ To allow users to access the MySQL database using an internal hostname instead o 2. Select **Add a policy**. -3. Create an expression to match against the private [domain](/cloudflare-one/traffic-policies/resolver-policies/#domain) or [hostname](/cloudflare-one/traffic-policies/resolver-policies/#host) of the application, like in the following example: +3. Create an expression to match against the private [domain](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#domain) or [hostname](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#host) of the application, like in the following example: | Selector | Operator | Value | | -------- | -------- | -------------------- | diff --git a/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx b/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx index 5878bac5296..8e6e4772f2c 100644 --- a/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx +++ b/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx @@ -124,13 +124,13 @@ To test your configuration, deploy the Cloudflare One Client on a device in each - **Use backup resolvers**: Configure secondary DNS resolvers for each region to ensure high availability. - **Monitor DNS performance**: Use [Gateway Analytics](/cloudflare-one/insights/analytics/gateway/) to track DNS query performance and identify any issues with regional routing. -- **Implement network policies**: Combine resolver policies with [network policies](/cloudflare-one/traffic-policies/network-policies/) to control access to internal resources based on user identity and device posture. +- **Implement network policies**: Combine resolver policies with [network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to control access to internal resources based on user identity and device posture. - **Consider virtual networks**: If you have overlapping IP address spaces across regions, use [virtual networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) to isolate traffic. - **Test failover scenarios**: Regularly test what happens when a regional DNS server becomes unavailable to ensure your backup resolvers work as expected. ## Related resources -- [Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) +- [Resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) - [Connect private networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/) - [Gateway Analytics](/cloudflare-one/insights/analytics/gateway/) - [Virtual networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) diff --git a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx index 35a4c98b609..8155cdbec97 100644 --- a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx +++ b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx @@ -146,7 +146,7 @@ flowchart TB ### Prerequisites -- Cloudflare Zero Trust account with [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) +- Cloudflare Zero Trust account with [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) - S3 bucket to be protected by Cloudflare Zero Trust ### 1. Set up a bucket policy to restrict access to a specific IP address @@ -193,7 +193,7 @@ A bucket website endpoint will be available at `http://.s3-web ### 3. Setup a dedicated egress IP policy 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Egress policies**. Select **Add a policy**. -2. Create a policy that specifies which proxied traffic Gateway should assign a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) to. For more information, refer to [Egress policies](/cloudflare-one/traffic-policies/egress-policies/). +2. Create a policy that specifies which proxied traffic Gateway should assign a [dedicated egress IP](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) to. For more information, refer to [Egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/). 3. In **Select an egress IP**, choose _Use dedicated Cloudflare egress IPs_. Select the dedicated egress IP defined in your bucket policy. 4. Select **Create policy**. diff --git a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx index cad10386fcb..51c79e726c9 100644 --- a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx @@ -35,7 +35,7 @@ Make sure you have: - Created two tunnels [through the dashboard](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/). - Routed `10.0.0.0/8` through one tunnel. - Routed `192.168.88.0/24` through the other tunnel. -- Received multiple [dedicated egress IP addresses](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). +- Received multiple [dedicated egress IP addresses](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/). ## Create a virtual network for each egress route diff --git a/src/content/docs/cloudflare-wan/zero-trust/cloudflare-gateway.mdx b/src/content/docs/cloudflare-wan/zero-trust/cloudflare-gateway.mdx index 7ba106f6b16..ec04b63cdeb 100644 --- a/src/content/docs/cloudflare-wan/zero-trust/cloudflare-gateway.mdx +++ b/src/content/docs/cloudflare-wan/zero-trust/cloudflare-gateway.mdx @@ -19,14 +19,14 @@ import { Render } from "~/components"; warpURL: "/cloudflare-wan/zero-trust/cloudflare-one-client/", cfAutoCertificatesURL: "/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/", cfManualCertificatesURL: "/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/", - decryptTlsURL: "/cloudflare-one/traffic-policies/http-policies/tls-decryption/", - doNotInspectURL: "/cloudflare-one/traffic-policies/http-policies/#do-not-inspect", + decryptTlsURL: "/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/", + doNotInspectURL: "/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect", warpChecksURL: "/cloudflare-one/reusable-components/posture-checks/client-checks/", osVersionChecks: "/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/", mwanOnrampsURL: "/cloudflare-wan/on-ramps/", - gatewayResolverPoliciesURL: "/cloudflare-one/traffic-policies/resolver-policies/", - gatewayInternalDnsURL: "/cloudflare-one/traffic-policies/resolver-policies/#internal-dns", - egressPoliciesURL: "/cloudflare-one/traffic-policies/egress-policies/", + gatewayResolverPoliciesURL: "/cloudflare-one/traffic-policies/policy-types/resolver-policies/", + gatewayInternalDnsURL: "/cloudflare-one/traffic-policies/policy-types/resolver-policies/#internal-dns", + egressPoliciesURL: "/cloudflare-one/traffic-policies/policy-types/egress-policies/", gatewayLogsURL: "/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#http-logs", tcpMssClampingURL: "/cloudflare-wan/get-started/#set-maximum-segment-size", ikeURL: "/cloudflare-wan/reference/gre-ipsec-tunnels/#supported-configuration-parameters", diff --git a/src/content/docs/data-localization/compatibility.mdx b/src/content/docs/data-localization/compatibility.mdx index c6faf7cf620..ff39ef6193f 100644 --- a/src/content/docs/data-localization/compatibility.mdx +++ b/src/content/docs/data-localization/compatibility.mdx @@ -165,7 +165,7 @@ The tables below show whether each Cloudflare product is compatible with each DL [^20]: You can [bring your own certificate](https://blog.cloudflare.com/bring-your-certificates-cloudflare-gateway/) to Gateway but these cannot yet be restricted to a specific region. -[^21]: Gateway HTTP (web traffic filtering) supports Regional Services. Gateway DNS (domain name filtering) does not yet support regionalization.
ICMP proxy (forwarding network diagnostic traffic like ping) and Mesh proxy are not available to Regional Services users. [File Sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) (an add-on that quarantines and scans suspicious files in an isolated environment) is incompatible with DLS. +[^21]: Gateway HTTP (web traffic filtering) supports Regional Services. Gateway DNS (domain name filtering) does not yet support regionalization.
ICMP proxy (forwarding network diagnostic traffic like ping) and Mesh proxy are not available to Regional Services users. [File Sandboxing](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/) (an add-on that quarantines and scans suspicious files in an isolated environment) is incompatible with DLS. [^22]: Dashboard Analytics and Logs are empty when using CMB outside the US region. Use Logpush instead. diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx index ee9ca1b17e6..1a133ea83b3 100644 --- a/src/content/docs/data-localization/how-to/zero-trust.mdx +++ b/src/content/docs/data-localization/how-to/zero-trust.mdx @@ -22,12 +22,12 @@ Regional Services can be used with Gateway in all [supported regions](/data-loca ### Egress policies -Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. -This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). +Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. +This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/). ### HTTP policies -As part of Regional Services, Cloudflare Gateway will only perform [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) when using the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (in default [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/)). +As part of Regional Services, Cloudflare Gateway will only perform [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) when using the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (in default [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/)). {/* TODO: Reintroduce */} {/* */} @@ -40,7 +40,7 @@ You are able to [log the payload of matched DLP rules](/cloudflare-one/data-loss ### Network policies -You are able to [configure SSH proxy and command logs](/cloudflare-one/traffic-policies/network-policies/ssh-logging/). Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key `sshkey.pub` to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key – which is in your possession – is required to view logs. +You are able to [configure SSH proxy and command logs](/cloudflare-one/traffic-policies/policy-types/network-policies/ssh-logging/). Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key `sshkey.pub` to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key – which is in your possession – is required to view logs. ### DNS policies diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx index 9b217333fae..9f0d8924e43 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx @@ -113,7 +113,7 @@ A false negative is a lack of identification. In the case of DDoS protection, th To address a false negative: - If you are a WAF/CDN customer, follow the steps in the [Proactive DDoS defense](/ddos-protection/best-practices/proactive-defense/) page, which guides you on enabling the _Under Attack_ mode and creating rate limiting rules and WAF custom rules as needed. -- If you are a Magic Transit customer, [use Cloudflare Network Firewall rules](/cloudflare-one/traffic-policies/packet-filtering/add-policies/) to help mitigate the attack. +- If you are a Magic Transit customer, [use Cloudflare Network Firewall rules](/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/) to help mitigate the attack. ### Incomplete mitigations diff --git a/src/content/docs/dns/internal-dns/dns-views.mdx b/src/content/docs/dns/internal-dns/dns-views.mdx index c0c7e2d7852..b1871e5195e 100644 --- a/src/content/docs/dns/internal-dns/dns-views.mdx +++ b/src/content/docs/dns/internal-dns/dns-views.mdx @@ -13,7 +13,7 @@ tags: import { Details, Render, Tabs, TabItem, DashButton } from "~/components"; -Internal DNS views are logical groupings of [internal DNS zones](/dns/internal-dns/internal-zones/). As explained in the [architecture overview](/dns/internal-dns/#architecture-overview), DNS views are referenced by [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) to define how a specific query should be resolved. +Internal DNS views are logical groupings of [internal DNS zones](/dns/internal-dns/internal-zones/). As explained in the [architecture overview](/dns/internal-dns/#architecture-overview), DNS views are referenced by [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to define how a specific query should be resolved. Refer to the sections below for details on how to manage your DNS views, or consider the [get started](/dns/internal-dns/get-started/) for a complete workflow. diff --git a/src/content/docs/dns/internal-dns/get-started.mdx b/src/content/docs/dns/internal-dns/get-started.mdx index b760d0ce037..9383132cc1b 100644 --- a/src/content/docs/dns/internal-dns/get-started.mdx +++ b/src/content/docs/dns/internal-dns/get-started.mdx @@ -25,7 +25,7 @@ Follow this guide to get started with Internal DNS. ## Before you begin -- Make sure you have an Enterprise account with access to [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) and [Internal DNS](/dns/internal-dns/). +- Make sure you have an Enterprise account with access to [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) and [Internal DNS](/dns/internal-dns/). - Consider the different ways in which you can [connect to Gateway resolver](/dns/internal-dns/connectivity/). :::caution @@ -145,7 +145,7 @@ Besides selecting an internal DNS view when setting up your resolver policies, y 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies** > **Resolver policies**. 2. Select **Add a policy** and enter a name and description. -3. Create an expression for the traffic you wish to route. For guidance about selectors, operators, and values, refer to [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/#selectors). +3. Create an expression for the traffic you wish to route. For guidance about selectors, operators, and values, refer to [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#selectors). 4. Select **Use Internal DNS**. Choose the view that queries matching the expression should be sent to. 5. (Optional) Adjust the option to **Fallback through public DNS** according to your use case. @@ -156,7 +156,7 @@ Besides selecting an internal DNS view when setting up your resolver policies, y
-Use the API endpoints under [Zero Trust > Gateway > Rules](/api/resources/zero_trust/subresources/gateway/subresources/rules/) to set up resolver policies. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/traffic-policies/resolver-policies/#selectors). +Use the API endpoints under [Zero Trust > Gateway > Rules](/api/resources/zero_trust/subresources/gateway/subresources/rules/) to set up resolver policies. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#selectors). Use the rule settings object to define `resolve_dns_internally`, specifying `view_id` and `fallback` option. The fallback options behave as follows: diff --git a/src/content/docs/dns/internal-dns/index.mdx b/src/content/docs/dns/internal-dns/index.mdx index 2a011b31ac1..6c206b1a8fb 100644 --- a/src/content/docs/dns/internal-dns/index.mdx +++ b/src/content/docs/dns/internal-dns/index.mdx @@ -35,7 +35,7 @@ import { -Manage DNS records that should only be accessible within your private network. Internal DNS [zones](/dns/internal-dns/internal-zones/) and [views](/dns/internal-dns/dns-views/) pair up with [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) so that you can control how a DNS query should be responded to according to query context, such as query source IP. +Manage DNS records that should only be accessible within your private network. Internal DNS [zones](/dns/internal-dns/internal-zones/) and [views](/dns/internal-dns/dns-views/) pair up with [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) so that you can control how a DNS query should be responded to according to query context, such as query source IP. diff --git a/src/content/docs/dns/internal-dns/internal-zones/index.mdx b/src/content/docs/dns/internal-dns/internal-zones/index.mdx index 0cfe044d687..333f0ade23f 100644 --- a/src/content/docs/dns/internal-dns/internal-zones/index.mdx +++ b/src/content/docs/dns/internal-dns/internal-zones/index.mdx @@ -18,7 +18,7 @@ Internal DNS zones are groupings of internal DNS records. While [public DNS reco Refer to [Manage internal zones](/dns/internal-dns/internal-zones/setup/) for a full list of configuration conditions and step-by-step instructions. -Internal DNS zones do not get assigned Cloudflare nameservers and can only be queried via [Cloudflare Gateway](/cloudflare-one/traffic-policies/resolver-policies/) when linked to a [DNS view](/dns/internal-dns/dns-views/). The Gateway configuration must exist within the same Cloudflare account where the internal zone exists. +Internal DNS zones do not get assigned Cloudflare nameservers and can only be queried via [Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) when linked to a [DNS view](/dns/internal-dns/dns-views/). The Gateway configuration must exist within the same Cloudflare account where the internal zone exists. ## Resources diff --git a/src/content/docs/learning-paths/clientless-access/advanced-workflows/isolate-application.mdx b/src/content/docs/learning-paths/clientless-access/advanced-workflows/isolate-application.mdx index 689484291b3..268a1a9a5ce 100644 --- a/src/content/docs/learning-paths/clientless-access/advanced-workflows/isolate-application.mdx +++ b/src/content/docs/learning-paths/clientless-access/advanced-workflows/isolate-application.mdx @@ -19,7 +19,7 @@ Requires the Browser Isolation add-on. [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) integrates with your web-delivered Access applications to protect sensitive applications from data loss. You can build Access policies that require certain users to access your application exclusively through Browser Isolation, while other users matching different policies continue to access the application directly. For example, you may wish to layer on additional security measures for third-party contractors or other users without a corporate device. -Cloudflare sends all isolated traffic through our Secure Web Gateway inspection engine, which allows you to apply [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/) such as: +Cloudflare sends all isolated traffic through our Secure Web Gateway inspection engine, which allows you to apply [Gateway HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) such as: - Restrict specific actions and HTTP request methods. - Inspect the request body to match against [Data Loss Prevention](/cloudflare-one/data-loss-prevention/) (DLP) profiles with as much specificity and control as if the user had deployed an endpoint agent. diff --git a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx index 0b212539ce7..840904b8081 100644 --- a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx +++ b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx @@ -23,7 +23,7 @@ To ensure a smooth deployment, we recommend testing a simple policy before deplo :::note -When testing against frequently-visited sites, you may need to [clear the DNS cache](/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering/#clear-dns-cache) in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies. +When testing against frequently-visited sites, you may need to [clear the DNS cache](/cloudflare-one/traffic-policies/policy-types/dns-policies/test-dns-filtering/#clear-dns-cache) in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies. ::: You have now validated DNS filtering! diff --git a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx index 30f05dd6ce2..f192a46bdbb 100644 --- a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx +++ b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx @@ -28,7 +28,7 @@ If you use specific AI tools within your organization, you may want to create po 5. For **Action**, select **Allow**. 6. Select **Create policy**. -For more information, refer to [Block unauthorized applications](/cloudflare-one/traffic-policies/http-policies/common-policies/#block-unauthorized-applications). +For more information, refer to [Block unauthorized applications](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#block-unauthorized-applications). ## Create a Gateway policy to redirect users towards approved AI tools @@ -85,7 +85,7 @@ You can build policies that enable Prompt Capture for AI applications in specifi ## Configure Gateway to use ChatGPT workspace header -If your organization uses [ChatGPT Business](https://chatgpt.com/business/), you can configure a Gateway policy to enforce the use of your organization's workspace ID, ensuring all traffic to ChatGPT is correctly associated with your account. This will implement Gateway [tenant control](/cloudflare-one/traffic-policies/http-policies/tenant-control/), which lets you manage how users interact with specific applications. +If your organization uses [ChatGPT Business](https://chatgpt.com/business/), you can configure a Gateway policy to enforce the use of your organization's workspace ID, ensuring all traffic to ChatGPT is correctly associated with your account. This will implement Gateway [tenant control](/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control/), which lets you manage how users interact with specific applications. To create this policy, you will add a custom HTTP header to your Gateway policy. This header, `Chatgpt-Allowed-Workspace-Id`, ensures that only requests with your organization's unique workspace ID are permitted. diff --git a/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx b/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx index 38cfd98df28..ee02a2e2e73 100644 --- a/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx +++ b/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx @@ -12,7 +12,7 @@ products: - casb --- -When you enable [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), you can review the prompts and responses for supported AI applications. This allows you to understand three key things about AI application usage: +When you enable [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption), you can review the prompts and responses for supported AI applications. This allows you to understand three key things about AI application usage: - The sanctioned and unsanctioned AI tools your users are engaging with. - How they are interacting with them. - What information they are sharing. diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx index be7721280e1..35e335959f2 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx @@ -15,9 +15,9 @@ import { TabItem, Tabs } from "~/components"; To ensure holistic security precautions, we recommend securing each distinct private application with at least two policies: -- A [Gateway DNS policy](/cloudflare-one/traffic-policies/dns-policies/) with the appropriate identity and device posture values, targeting the domain list that defines your application. Policy enforcement happens at the request resolution event, before the user's device makes a connection request to the application itself; if denied here, no traffic will reach your private network. +- A [Gateway DNS policy](/cloudflare-one/traffic-policies/policy-types/dns-policies/) with the appropriate identity and device posture values, targeting the domain list that defines your application. Policy enforcement happens at the request resolution event, before the user's device makes a connection request to the application itself; if denied here, no traffic will reach your private network. -- A [Gateway network policy](/cloudflare-one/traffic-policies/network-policies/) with the same identity and device posture values as the DNS policy, targeting the IP list that defines your application. You can optionally include the domain list by matching the SNI header. Then, you can include any combinations of ports or protocols that are relevant for application access. Network policy enforcement happens after the user passes the DNS policy, when the user's device attempts to connect to the target application. +- A [Gateway network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/) with the same identity and device posture values as the DNS policy, targeting the IP list that defines your application. You can optionally include the domain list by matching the SNI header. Then, you can include any combinations of ports or protocols that are relevant for application access. Network policy enforcement happens after the user passes the DNS policy, when the user's device attempts to connect to the target application. ## Create a Gateway policy diff --git a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx index fceb4a9ecd0..c4f9b7c1c2a 100644 --- a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx +++ b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx @@ -23,9 +23,9 @@ With TLS decryption turned on, you can apply advanced Gateway policies, such as: - Scanning for sensitive data with [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) - Starting a remote browser isolation session with [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) -These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy or an [Untrusted certificate _Pass through_](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) policy to allow users to connect. To learn more, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations). +These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policy or an [Untrusted certificate _Pass through_](/cloudflare-one/traffic-policies/policy-types/http-policies/#untrusted-certificates) policy to allow users to connect. To learn more, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations). -With TLS decryption turned off, Gateway can only inspect and apply HTTP policies to unencrypted HTTP requests. However, you can still apply network policies to HTTPS traffic based on user identity, device posture, IP, resolved domain, SNI, and other attributes that support a Zero Trust security implementation. For more information, refer to [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/). +With TLS decryption turned off, Gateway can only inspect and apply HTTP policies to unencrypted HTTP requests. However, you can still apply network policies to HTTPS traffic based on user identity, device posture, IP, resolved domain, SNI, and other attributes that support a Zero Trust security implementation. For more information, refer to [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). ## Enable TLS decryption diff --git a/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflare-mesh.mdx b/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflare-mesh.mdx index 59be812cb7c..e7a21c6b25b 100644 --- a/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflare-mesh.mdx +++ b/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflare-mesh.mdx @@ -33,5 +33,5 @@ The setup wizard in the dashboard configures enrollment, device profiles, and co ## Best practices - Enable [high availability](/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) for production nodes with CIDR routes. -- Use [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to control which users and devices can reach specific resources. +- Use [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to control which users and devices can reach specific resources. - Refer to [Tips and best practices](/cloudflare-one/networks/connectors/cloudflare-mesh/tips/) for cloud VPC configuration and running alongside Cloudflare Tunnel. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index 185d10c2e5a..f870171cc4e 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx @@ -35,7 +35,7 @@ To create a new DNS policy: /> 6. Select **Create policy**. -For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). +For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 3aa125fac12..53027f72a0a 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -16,7 +16,7 @@ import { Render, Tabs, TabItem, APIRequest } from "~/components"; We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization. -For additional commonly used DNS policy examples, refer to [Common DNS policies](/cloudflare-one/traffic-policies/dns-policies/common-policies/). For more information on building DNS policies, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). +For additional commonly used DNS policy examples, refer to [Common DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/common-policies/). For more information on building DNS policies, refer to [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). ## All-DNS-Domain-Allowlist diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx index 6271fe5bb3e..8252df2e023 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx @@ -34,6 +34,6 @@ It is common for a misconfigured Gateway policy to accidentally block traffic to 6. In **Logs** > **Gateway** > **DNS**, verify that you see the blocked domain. 7. Slowly turn on or add other policies to your configuration. -8. When testing against frequently-visited sites, you may need to [clear the DNS cache](/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering/#clear-dns-cache) in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies. +8. When testing against frequently-visited sites, you may need to [clear the DNS cache](/cloudflare-one/traffic-policies/policy-types/dns-policies/test-dns-filtering/#clear-dns-cache) in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies. You have now validated DNS filtering on a test device. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx index 95be3f74c21..b21bdec9f33 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx @@ -19,7 +19,7 @@ import { Render } from "~/components"; Only available on Enterprise plans. ::: -Egress policies allow you to determine whether your organization's traffic egresses via the default Cloudflare IP or via a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) assigned to your account. +Egress policies allow you to determine whether your organization's traffic egresses via the default Cloudflare IP or via a [dedicated egress IP](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) assigned to your account. To create a new egress policy: @@ -38,4 +38,4 @@ To create a new egress policy: 5. Select **Create policy**. -For more information, refer to [Egress policies](/cloudflare-one/traffic-policies/egress-policies/). +For more information, refer to [Egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/). diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/index.mdx index 3a42196c409..ca31f40479e 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/index.mdx @@ -17,7 +17,7 @@ Now that you have created firewall policies to secure your organization, you can :::note -The following module requires [egress policies](/cloudflare-one/traffic-policies/egress-policies/), a feature only available on Enterprise plans. If you are not an Enterprise user, you can skip ahead to [Secure SaaS applications](/learning-paths/secure-internet-traffic/secure-saas-applications/). +The following module requires [egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/), a feature only available on Enterprise plans. If you are not an Enterprise user, you can skip ahead to [Secure SaaS applications](/learning-paths/secure-internet-traffic/secure-saas-applications/). For more information on egress policies, contact your account team. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx index a3edb44bde9..8aa448f7355 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx @@ -16,7 +16,7 @@ import { Render, Tabs, TabItem, APIRequest } from "~/components"; We recommend you add the following HTTP policies to build an Internet and SaaS app security strategy for your organization. -For additional commonly used HTTP policy examples, refer to [Common HTTP policies](/cloudflare-one/traffic-policies/http-policies/common-policies/). For more information on building HTTP policies, refer to [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). +For additional commonly used HTTP policy examples, refer to [Common HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/). For more information on building HTTP policies, refer to [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). ## All-HTTP-Application-InspectBypass diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx index ca725c5f6ba..04d94e2e9b7 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx @@ -57,7 +57,7 @@ To turn on TLS inspection for your Zero Trust organization: product="cloudflare-one" params={{ turnOnProcedure: - "you can turn on [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports)", + "you can turn on [protocol detection](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports)", }} /> diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx index d7abbf2703c..7d6d94e5dcf 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx @@ -12,7 +12,7 @@ products: - browser-isolation --- -After creating policies for security based on DNS resolution, we can layer in additional security controls with the Gateway network firewall, which operates at Layer 4 of the OSI model. The Gateway network firewall allows you to build specific policies to block users or services' ability to connect to endpoints at specific IPs or on specific ports. You can also use [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) to block proxying specific protocols. +After creating policies for security based on DNS resolution, we can layer in additional security controls with the Gateway network firewall, which operates at Layer 4 of the OSI model. The Gateway network firewall allows you to build specific policies to block users or services' ability to connect to endpoints at specific IPs or on specific ports. You can also use [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/) to block proxying specific protocols. ## Objectives diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index 3ded2ddbe28..f4c0f06933e 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx @@ -22,7 +22,7 @@ import { We recommend you add the following network policies to build an Internet and SaaS app security strategy for your organization. -For additional commonly used network policy examples, refer to [Common network policies](/cloudflare-one/traffic-policies/network-policies/common-policies/). For more information on building network policies, refer to [Network policies](/cloudflare-one/traffic-policies/network-policies/). +For additional commonly used network policy examples, refer to [Common network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies/). For more information on building network policies, refer to [Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). ## Quarantined-Users-NET-Restricted-Access @@ -256,7 +256,7 @@ resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance
:::note -The **Detected Protocol** selector is only available for Enterprise users. For more information, refer to [Protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). +The **Detected Protocol** selector is only available for Enterprise users. For more information, refer to [Protocol detection](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/). ::: ## All-NET-SSH-Internet-Allowlist diff --git a/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx b/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx index 4b40a2e359f..108bddf9803 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx @@ -34,7 +34,7 @@ For more information, refer to the [Learning Center](https://www.cloudflare.com/ HTTPS inspection (also known as TLS decryption) is the process of filtering traffic by decrypting traffic sent to or from your organization, inspecting it and applying policies, then re-encrypting the traffic as it ingresses or egresses. -For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/security/what-is-https-inspection/) and [TLS decryption documentation](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). +For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/security/what-is-https-inspection/) and [TLS decryption documentation](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). ## What is data loss prevention (DLP)? diff --git a/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx index b8eccff02ee..bbf53146e18 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx @@ -21,6 +21,6 @@ import { Render } from "~/components"; 1. Go to **Traffic policies** > **Traffic settings**. 2. Enable **Allow Secure Web Gateway to proxy traffic** for TCP. 3. (Recommended) To proxy all port `443` traffic, including internal DNS queries, select **UDP**. -4. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/). +4. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/). Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/traffic-policies/proxy/). diff --git a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx index 52d73e8318f..29ca6bcdf52 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx @@ -41,7 +41,7 @@ If you cannot use Access for SaaS for some or all of your SaaS apps, you can acc ### Policies based on dedicated egress IPs -With [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/), you can set explicit egress locations globally and share these IPs with your SSO provider. With this Zero Trust security approach, your users must meet all of your Cloudflare requirements (such as being enrolled in the Cloudflare One Client or Browser Isolation) when they authenticate to your SSO provider. Using your dedicated egress IPs as a control mechanism within your SSO means you can set policies on the basis of which users are subject to security policy and inspection because they are guaranteed to be proxied through Cloudflare. +With [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/), you can set explicit egress locations globally and share these IPs with your SSO provider. With this Zero Trust security approach, your users must meet all of your Cloudflare requirements (such as being enrolled in the Cloudflare One Client or Browser Isolation) when they authenticate to your SSO provider. Using your dedicated egress IPs as a control mechanism within your SSO means you can set policies on the basis of which users are subject to security policy and inspection because they are guaranteed to be proxied through Cloudflare. ### Generic IdP multi-factor authentication diff --git a/src/content/docs/load-balancing/load-balancers/dns-records.mdx b/src/content/docs/load-balancing/load-balancers/dns-records.mdx index 42b375e14d5..a92cd776133 100644 --- a/src/content/docs/load-balancing/load-balancers/dns-records.mdx +++ b/src/content/docs/load-balancing/load-balancers/dns-records.mdx @@ -11,7 +11,7 @@ head: content: DNS records for load balancing --- -When you [create a load balancer](/load-balancing/load-balancers/create-load-balancer/), Cloudflare automatically creates an LB DNS record for the specified **Hostname**. This functionality allows you to use a hostname with or without an existing DNS record. Private load balancers do not receive an automatic DNS record. Instead, you can configure a hostname using your internal DNS system or by applying a [Gateway Firewall override](/cloudflare-one/traffic-policies/dns-policies/#override) to a hostname. +When you [create a load balancer](/load-balancing/load-balancers/create-load-balancer/), Cloudflare automatically creates an LB DNS record for the specified **Hostname**. This functionality allows you to use a hostname with or without an existing DNS record. Private load balancers do not receive an automatic DNS record. Instead, you can configure a hostname using your internal DNS system or by applying a [Gateway Firewall override](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override) to a hostname. ## Supported records diff --git a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx index 174e2683f19..e8f481bc7f9 100644 --- a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx +++ b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx @@ -147,7 +147,7 @@ Cloudflare One Client traffic can now reach your private load balancer. For exam ## 4. (Optional) Assign a hostname to the load balancer -If you want your load balancer and its endpoints to be transparently accessible to users via a hostname, you can create a Gateway DNS [Override policy](/cloudflare-one/traffic-policies/dns-policies/#override) that maps the hostname to the load balancer's IP address. This ensures that traffic destined for the hostname resolves to the correct IP. +If you want your load balancer and its endpoints to be transparently accessible to users via a hostname, you can create a Gateway DNS [Override policy](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override) that maps the hostname to the load balancer's IP address. This ensures that traffic destined for the hostname resolves to the correct IP. 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies** > **DNS**. 2. Select **Add a policy**. diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx index 7c326f5a387..c57c1a04361 100644 --- a/src/content/docs/reference-architecture/architectures/sase.mdx +++ b/src/content/docs/reference-architecture/architectures/sase.mdx @@ -202,7 +202,7 @@ SaaS applications are inherently always connected to and accessed via the public The SWG includes policies that examine outbound traffic requests and inbound content responses to determine if the user, device, or network location has access to resources on the Internet. Organizations can use these policies to control access to approved SaaS applications, as well as detect and block the use of unapproved applications (also known as [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/)). -Some SaaS applications allow organizations to configure an IP address allowlist, which limits access to the application based on the source IP address of the request. With Cloudflare, organizations can obtain dedicated [egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) addresses, which can be used as the source address for all traffic leaving their network. When combined with an allowlist in a SaaS application, organizations can ensure that users are only able to access applications if they are first connected to Cloudflare. (More detail on this approach is outlined in a later section about connecting user devices.) +Some SaaS applications allow organizations to configure an IP address allowlist, which limits access to the application based on the source IP address of the request. With Cloudflare, organizations can obtain dedicated [egress IP](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) addresses, which can be used as the source address for all traffic leaving their network. When combined with an allowlist in a SaaS application, organizations can ensure that users are only able to access applications if they are first connected to Cloudflare. (More detail on this approach is outlined in a later section about connecting user devices.) Another method to secure access to SaaS applications is to configure single sign-on (SSO) so that Cloudflare becomes an identity proxy — acting as the identity provider (IDP) — as part of the authentication and authorization process. diff --git a/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx b/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx index 7365c6406dd..e5994ce126e 100644 --- a/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx +++ b/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx @@ -89,7 +89,7 @@ When a user makes a request to access an application, they must first authentica Cloudflare Access supports four main types of applications: - **Self-hosted** refers to applications that your organization hosts and manages, either on premises or in the cloud. Cloudflare creates a public hostname which it uses to proxy traffic through a secure tunnel to the application. While access via public hostnames is supported if your server is just publicly facing on the Internet, we recommend you use `cloudflared` to create a secure, outbound-only connection from your application to Cloudflare's edge. Once that occurs, Cloudflare will then reverse proxy the target application/content to your users. -- **Private IP** applications are similarly privately hosted, but lack fully-qualified public hostnames. Access can be facilitated via `cloudflared`, Cloudflare Mesh, Cloudflare WAN, or Cloudflare Network Interconnect. Remote users not connected to a network already connected to Cloudflare will need to use the device client to get access to the application via private IP and to avoid using IP addresses with users, use [internal DNS services](/cloudflare-one/traffic-policies/resolver-policies/#use-cases) to resolve private hostnames to private IP addresses. But it is possible to provide access without any software deployed to the client by using our agentless [browser isolation service](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/). +- **Private IP** applications are similarly privately hosted, but lack fully-qualified public hostnames. Access can be facilitated via `cloudflared`, Cloudflare Mesh, Cloudflare WAN, or Cloudflare Network Interconnect. Remote users not connected to a network already connected to Cloudflare will need to use the device client to get access to the application via private IP and to avoid using IP addresses with users, use [internal DNS services](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#use-cases) to resolve private hostnames to private IP addresses. But it is possible to provide access without any software deployed to the client by using our agentless [browser isolation service](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/). - **SaaS** applications are accessed over the public Internet, and therefore do not require any tunnel connectivity to Cloudflare. Instead, Access acts as an identity proxy between users and the SaaS application. When a user attempts to access the SaaS app, they are first authenticated by Cloudflare, which redirects to your main identity service. SaaS applications are then configured via SAML or OAuth to trust Cloudflare. This allows organizations to implement additional security layers (like device posture checks) and centralize access control for their SaaS applications, even if the SaaS or identity provider does not natively support these features. - **Infrastructure** applications enable users to control access to individual servers, clusters or databases in a private network. Infrastructure apps work by defining a 'target' proxied over `cloudflared`, but allows users to group multiple machines under the same target - essentially, allowing users to define common access policies across potentially disparate infrastructure resources. Built-in access and command logging capabilities means organizations can maintain detailed audit trails for compliance and security investigation purposes. @@ -364,7 +364,7 @@ The key benefit here is centralizing security policy enforcement across your ent In the context of this use case, it is important to protect Salesforce — which contains sensitive customer data — against misuse, and to secure access only to authorized users. We are going to design a secure access policy that can cover both of these objectives. -The first step is to configure an [egress IP policy under Cloudflare Gateway](/cloudflare-one/traffic-policies/egress-policies/). This allows you to purchase and assign specific IPs to your users that have their traffic filtered via Gateway. Then in Salesforce, you can enforce that access is only permitted for traffic with a source IP that matches the one in your egress policy. This combination ensures that the only way to get access to Salesforce is via Cloudflare. +The first step is to configure an [egress IP policy under Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/egress-policies/). This allows you to purchase and assign specific IPs to your users that have their traffic filtered via Gateway. Then in Salesforce, you can enforce that access is only permitted for traffic with a source IP that matches the one in your egress policy. This combination ensures that the only way to get access to Salesforce is via Cloudflare. | Egress Policy | | | :---------------------------------- | :--------------- | diff --git a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx index ce550fee8fa..9ba40b3f2ea 100644 --- a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx +++ b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx @@ -109,13 +109,13 @@ Both employee devices and data center networks will connect to their closest Clo ### Connecting networks to Cloudflare -Figure 4 shows traffic from end user devices to Cloudflare and tunnels routing traffic to private data centers. When user traffic reaches the closest Cloudflare access point, Cloudflare will route traffic destined for private applications directly to the data centers, while processing Internet-bound traffic through Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG). It is possible to leverage existing DNS services to resolve requests to private addresses using Cloudflare [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/). [Cloudflare WAN](/cloudflare-wan/on-ramps/) is used to create IPsec tunnels between Cloudflare and data centers and is configured with static routes that determine how traffic reaches each existing network and applications. +Figure 4 shows traffic from end user devices to Cloudflare and tunnels routing traffic to private data centers. When user traffic reaches the closest Cloudflare access point, Cloudflare will route traffic destined for private applications directly to the data centers, while processing Internet-bound traffic through Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG). It is possible to leverage existing DNS services to resolve requests to private addresses using Cloudflare [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). [Cloudflare WAN](/cloudflare-wan/on-ramps/) is used to create IPsec tunnels between Cloudflare and data centers and is configured with static routes that determine how traffic reaches each existing network and applications. ![A high level design of Cloudflare traffic routing for phase 1 of the migration.](~/assets/images/reference-architecture/design-guide-network-vpn-migr/phase-1.svg "Figure 4: A high level design of Cloudflare traffic routing for phase 1 of the migration.") By using existing network or security appliances to terminate IPsec tunnels, secure off-ramps can be created with limited impact on the current infrastructure. These IPsec tunnels also allow for outbound server-initiated traffic to continue flowing. However, depending on the scale of the deployment, the existing appliances might run into bandwidth limitations. It is best to consider this first phase a 'pilot' or low-scale deployment to get up and running quickly and validate user-application connectivity. The next phase will improve on the design using the insights gathered during this phase. -With such a design in place, Cloudflare will be able to filter traffic based on the identity of the requesting user. For example, users authenticated to the corporate identity provider and are members of the "Engineering" group will only be allowed access to the internally hosted source code repository. Furthermore, the user device may need to pass [certain posture checks](/cloudflare-one/reusable-components/posture-checks/) before connecting. There are [example network policies](/cloudflare-one/traffic-policies/network-policies/common-policies/#restrict-access-to-private-networks) in the zero trust documentation you can use as a reference. In essence, this will enable you to define network access policies using user identities instead of their associated IP address ranges. Getting rid of traditional 5-tuple ACLs will be a first step towards a zero trust model. +With such a design in place, Cloudflare will be able to filter traffic based on the identity of the requesting user. For example, users authenticated to the corporate identity provider and are members of the "Engineering" group will only be allowed access to the internally hosted source code repository. Furthermore, the user device may need to pass [certain posture checks](/cloudflare-one/reusable-components/posture-checks/) before connecting. There are [example network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/common-policies/#restrict-access-to-private-networks) in the zero trust documentation you can use as a reference. In essence, this will enable you to define network access policies using user identities instead of their associated IP address ranges. Getting rid of traditional 5-tuple ACLs will be a first step towards a zero trust model. ### Device agent deployment @@ -148,9 +148,9 @@ For more information about deploying `cloudflared` connectors at scale: ### DNS resolution with Resolver Policies -As you can see in Figure 4, both DNS and general network traffic will flow from the employee device to Cloudflare. By default, the device agent forwards all DNS queries to Cloudflare for inspection and filtering based on [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). This is great, because it will allow administrators to configure [DNS policies to block potential security threats](/cloudflare-one/traffic-policies/dns-policies/common-policies/#block-security-threats) and immediately start to protect employees as they go online. This also applies to situations where Internet traffic is from the tunnel to Cloudflare, but the client still resolves hostname requests via Cloudflare DNS services. +As you can see in Figure 4, both DNS and general network traffic will flow from the employee device to Cloudflare. By default, the device agent forwards all DNS queries to Cloudflare for inspection and filtering based on [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). This is great, because it will allow administrators to configure [DNS policies to block potential security threats](/cloudflare-one/traffic-policies/policy-types/dns-policies/common-policies/#block-security-threats) and immediately start to protect employees as they go online. This also applies to situations where Internet traffic is from the tunnel to Cloudflare, but the client still resolves hostname requests via Cloudflare DNS services. -For internal domains, however, Cloudflare will need to know how to resolve them. This is where [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) come into play. After the DNS policies are applied to incoming DNS requests, customers can choose to forward requests for internal DNS hostnames to their internal DNS servers. For example, the domain `example.local` might be hosted on a DNS server running at 10.10.10.123. A resolver policy will make sure requests for hostnames part of that domain will be sent to that IP. +For internal domains, however, Cloudflare will need to know how to resolve them. This is where [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) come into play. After the DNS policies are applied to incoming DNS requests, customers can choose to forward requests for internal DNS hostnames to their internal DNS servers. For example, the domain `example.local` might be hosted on a DNS server running at 10.10.10.123. A resolver policy will make sure requests for hostnames part of that domain will be sent to that IP. A tunnel exposing a route to the internal DNS server is needed. `cloudflared` should be deployed on a host that can route DNS traffic to the 10.10.10.123 IP address. Requests for internal domains via the DNS gateway will then be redirected to this DNS server, via the tunnel. @@ -215,4 +215,4 @@ The flexibility of the Cloudflare connectivity cloud to connect any device, appl ### Further reading - Cloudflare WAN integration: [WARP on-ramp to Cloudflare WAN](/cloudflare-wan/zero-trust/cloudflare-one-client/) -- Policy configuration: [Gateway Network policies](/cloudflare-one/traffic-policies/network-policies/) +- Policy configuration: [Gateway Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) diff --git a/src/content/docs/reference-architecture/design-guides/securing-guest-wireless-networks.mdx b/src/content/docs/reference-architecture/design-guides/securing-guest-wireless-networks.mdx index 53366703a3b..eaad7d1d569 100644 --- a/src/content/docs/reference-architecture/design-guides/securing-guest-wireless-networks.mdx +++ b/src/content/docs/reference-architecture/design-guides/securing-guest-wireless-networks.mdx @@ -128,7 +128,7 @@ To get started, navigate to **DNS Locations** in the Zero Trust dashboard. For d ### Creating DNS policies -To get started, navigate to firewall policies and select DNS in the Zero Trust dashboard. For detailed, step-by-step instructions, refer to the [DNS Policies](/cloudflare-one/traffic-policies/dns-policies/) guide. +To get started, navigate to firewall policies and select DNS in the Zero Trust dashboard. For detailed, step-by-step instructions, refer to the [DNS Policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) guide. To keep your policies organized, we recommend using meaningful names that clearly indicate their purpose. For instance, a policy named **Guest-Security-Block** conveys: @@ -196,4 +196,4 @@ If you are interested in learning more about Gateway, or other aspects of the Cl - [Evolving to a SASE architecture with Cloudflare](/reference-architecture/architectures/sase/) - [Cloudflare One Appliance deployment options · Cloudflare Reference Architecture docs](/reference-architecture/diagrams/sase/cloudflare-one-appliance-deployment/) -- [DNS policies \- Cloudflare Zero Trust](/cloudflare-one/traffic-policies/dns-policies/) +- [DNS policies \- Cloudflare Zero Trust](/cloudflare-one/traffic-policies/policy-types/dns-policies/) diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx index 70f74881e55..dbf43b4bacc 100644 --- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx +++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx @@ -85,7 +85,7 @@ Note a section later in this document will cover how to gain visibility into, an One simple method for securing access to SaaS applications, is to only allow access from a specific set of IP addresses. This forces users to have to connect to, and have their traffic exit from a specific network and therefore ensure whatever access controls are in place on that network are applied to that traffic. -Organizations that already use IP allow lists to secure access to SaaS applications can easily migrate to Cloudflare using [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). User traffic egresses from Cloudflare to the Internet and onto the SaaS application, sourced from a set of IP addresses unique to the organization. This approach supports various ways in which users access Cloudflare before gaining access to the SaaS application: +Organizations that already use IP allow lists to secure access to SaaS applications can easily migrate to Cloudflare using [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/). User traffic egresses from Cloudflare to the Internet and onto the SaaS application, sourced from a set of IP addresses unique to the organization. This approach supports various ways in which users access Cloudflare before gaining access to the SaaS application: - **Hybrid employees:** Connecting to Cloudflare using our Zero Trust client, [WARP](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). - **Office-based users:** Connecting to a local network which routes Internet bound traffic to Cloudflare through GRE or IPsec [Cloudflare WAN](/cloudflare-wan/) (formerly Magic WAN) tunnels. @@ -95,9 +95,9 @@ Organizations add the new dedicated egress IPs to the existing SaaS IP allow lis There are several advantages to using Cloudflare's dedicated egress IPs when compared with using IPs from on-prem infrastructure: -- [Dedicated egress IPs can be geolocated](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#ip-geolocation) to one or more Cloudflare data centers in a geography of your choosing, instead of being restricted to the geographic locations of your existing Internet breakout data centers. -- Users will always connect to Cloudflare [through the closest Cloudflare Data Center and Cloudflare will optimize the path towards the SaaS application](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#egress-location). -- Dedicated egress IPs are assigned to user traffic using policies that follow zero trust principles. [Egress policies](/cloudflare-one/traffic-policies/egress-policies/) can be defined that will only assign a dedicated egress IP to a user if they belong to the correct IdP group and/or pass [device posture](/cloudflare-one/reusable-components/posture-checks/) checks. Otherwise, traffic will be sourced from Cloudflare's public IP range, which may not be part of the SaaS IP allowlist, preventing access to the SaaS application while still allowing Internet usage. +- [Dedicated egress IPs can be geolocated](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/#ip-geolocation) to one or more Cloudflare data centers in a geography of your choosing, instead of being restricted to the geographic locations of your existing Internet breakout data centers. +- Users will always connect to Cloudflare [through the closest Cloudflare Data Center and Cloudflare will optimize the path towards the SaaS application](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/#egress-location). +- Dedicated egress IPs are assigned to user traffic using policies that follow zero trust principles. [Egress policies](/cloudflare-one/traffic-policies/policy-types/egress-policies/) can be defined that will only assign a dedicated egress IP to a user if they belong to the correct IdP group and/or pass [device posture](/cloudflare-one/reusable-components/posture-checks/) checks. Otherwise, traffic will be sourced from Cloudflare's public IP range, which may not be part of the SaaS IP allowlist, preventing access to the SaaS application while still allowing Internet usage. - Dedicated egress IPs imply that traffic needs to flow through Cloudflare before reaching the SaaS application. This makes it easy to add secure web gateway policies to protect data in the SaaS applications once users have authenticated. ![Figure 3: Enforce only traffic that has been secured by Cloudflare is accepted by the SaaS application.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-03.svg "Figure 3: Enforce only traffic that has been secured by Cloudflare is accepted by the SaaS application.") @@ -140,7 +140,7 @@ To mitigate these risks, controls should be implemented for both data in transit As mentioned before, all traffic can be forced through Cloudflare using the device agent, Cloudflare WAN (CWAN) tunnels, or the remote browser. This allows [secure web gateway](/cloudflare-one/traffic-policies/) policies to manage and protect data as it is uploaded or downloaded from SaaS applications. Common use cases include: -- Restricting the ability to download [all](/cloudflare-one/traffic-policies/http-policies/common-policies/#block-google-drive-downloads) or a [subset of files](/cloudflare-one/traffic-policies/http-policies/common-policies/#block-file-types) from managed SaaS applications to specific groups of users within the organization. +- Restricting the ability to download [all](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#block-google-drive-downloads) or a [subset of files](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#block-file-types) from managed SaaS applications to specific groups of users within the organization. - Using [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/#_top) profiles to limit the download of data containing sensitive information from managed SaaS applications. For more information about securing data in transit, refer to our [reference architecture center](/reference-architecture/diagrams/security/securing-data-in-transit/). @@ -169,7 +169,7 @@ As described already, implementing ZTNA to secure your email platform offers num #### Tenant control -Organizations with stringent requirements about email communications for compliance or regulatory reasons, operational control or accountability, or to reduce the potential for data leaks can block access to email tenants other than the organization's own. This can be achieved by using [Cloudflare Gateway SaaS tenant controls](/cloudflare-one/traffic-policies/http-policies/tenant-control/). Cloudflare injects custom HTTP headers into the traffic flow, informing Microsoft 365 and Google Workspace of the specific tenant users are allowed to authenticate into and blocking any access attempts to any other tenant. +Organizations with stringent requirements about email communications for compliance or regulatory reasons, operational control or accountability, or to reduce the potential for data leaks can block access to email tenants other than the organization's own. This can be achieved by using [Cloudflare Gateway SaaS tenant controls](/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control/). Cloudflare injects custom HTTP headers into the traffic flow, informing Microsoft 365 and Google Workspace of the specific tenant users are allowed to authenticate into and blocking any access attempts to any other tenant. ![Figure 7: Cloudflare can enforce access to only specific cloud email tenants.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-07.svg "Figure 7: Cloudflare can enforce access to only specific cloud email tenants.") @@ -233,7 +233,7 @@ In addition to these measures, [remote browser isolation](/cloudflare-one/remote Many SaaS applications offer a free version as part of their business model to encourage users to integrate them into their work. This helps demonstrate the application's usefulness and facilitates its adoption at the corporate level ([Cloudflare follows this model as well](https://www.cloudflare.com/en-gb/plans/zero-trust-services/)). When a previously unmanaged SaaS application is officially adopted by the organization, IT teams take over its management to ensure proper support and adherence to best practices. This involves aligning the new SaaS application with all the aspects discussed in the Securing Managed SaaS Applications section. -After fully adopting the new SaaS application, access to the consumer version may be restricted. If the corporate SaaS version has a unique domain, access to other tenant domains or the consumer domain can be blocked using Cloudflare DNS and/or HTTP policies. Some SaaS solutions offer [native tenant control](/cloudflare-one/traffic-policies/http-policies/tenant-control/) through HTTP headers, which can be enforced by injecting these headers for data in transit using Cloudflare Gateway HTTP policies. +After fully adopting the new SaaS application, access to the consumer version may be restricted. If the corporate SaaS version has a unique domain, access to other tenant domains or the consumer domain can be blocked using Cloudflare DNS and/or HTTP policies. Some SaaS solutions offer [native tenant control](/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control/) through HTTP headers, which can be enforced by injecting these headers for data in transit using Cloudflare Gateway HTTP policies. ## Summary diff --git a/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx b/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx index 7552c38941a..ffd45cb1493 100644 --- a/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx +++ b/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx @@ -27,7 +27,7 @@ Cloudflare addresses these challenges by routing device traffic from the Interne 1. Cloudflare can analyse the traffic, determine the original country of origin, and then ensure that traffic egresses onto the Internet from an IP address that is geolocated to the same country of origin. 2. Cloudflare can filter traffic based on [secure web gateway](/cloudflare-one/traffic-policies/) policies, allowing you to protect devices from accessing risky Internet hosts. It also allows you to lock down access for devices to specific Internet hosts, such as only allow devices to make requests to APIs that support their function. -The architecture diagram below provides a visual representation of this solution, showing how traffic from various countries — routed via different mobile network APN — is directed through Internet breakouts. Cloudflare optimizes and secures the Internet connection by leveraging [geolocated public IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/), ensuring that the traffic is secure and regionally localized to the device location. +The architecture diagram below provides a visual representation of this solution, showing how traffic from various countries — routed via different mobile network APN — is directed through Internet breakouts. Cloudflare optimizes and secures the Internet connection by leveraging [geolocated public IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/), ensuring that the traffic is secure and regionally localized to the device location. This diagram is intended for network engineers, IT architects, and decision-makers looking to improve service relevance and performance for end-users. Key use cases include multinational corporations aiming to provide faster, region-specific Internet access and services in users' native languages, ensuring a superior user experience across diverse geographical locations. @@ -52,14 +52,14 @@ _Note: Labels in this image may reflect a previous product name._ 4. **Localized Internet breakout using [Cloudflare WAN](/cloudflare-wan/) (formerly Magic WAN) and [Gateway](/cloudflare-one/traffic-policies/)**. - With Cloudflare WAN and using [dedicated egress](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) with our [secure web gateway](/cloudflare-one/traffic-policies/), Cloudflare enables Internet traffic to exit with source IPs registered in the desired country. This ensures end-users benefit from geolocalized content and services, such as access to region-specific platforms, tailored to their location. + With Cloudflare WAN and using [dedicated egress](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) with our [secure web gateway](/cloudflare-one/traffic-policies/), Cloudflare enables Internet traffic to exit with source IPs registered in the desired country. This ensures end-users benefit from geolocalized content and services, such as access to region-specific platforms, tailored to their location. 5. **Advanced security and filtering options**. Cloudflare enhances the security of Internet breakouts with advanced features, including: - [**DNS filtering**](/cloudflare-one/traffic-policies/get-started/dns/) to manage and block access to unwanted, high risk domains. - - [**Network firewalling**](/cloudflare-one/traffic-policies/network-policies/) for enforcing detailed security policies. For example, you can restrict vehicles to only send data over the Internet to a designated set of cloud telemetry systems while blocking all other traffic. - - [**Full SSL inspection**](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) to protect against sophisticated threats and provide traffic visibility on encrypted traffic. It enables additional protections such as antivirus scanning, malware prevention, and file sandboxing. + - [**Network firewalling**](/cloudflare-one/traffic-policies/policy-types/network-policies/) for enforcing detailed security policies. For example, you can restrict vehicles to only send data over the Internet to a designated set of cloud telemetry systems while blocking all other traffic. + - [**Full SSL inspection**](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) to protect against sophisticated threats and provide traffic visibility on encrypted traffic. It enables additional protections such as antivirus scanning, malware prevention, and file sandboxing. # Related Resources diff --git a/src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx b/src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx index 3f3fc0caf54..20257ca976d 100644 --- a/src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx +++ b/src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx @@ -74,7 +74,7 @@ _Note: Labels in this image may reflect a previous product name._ 1. Each site network routes outbound Internet traffic originating from the public-facing networks to Cloudflare, via the same CNIs that inbound traffic traverses. This can be done at your site through routing techniques of your choice, such as policy based routing (PBR). 2. Upon entering the Cloudflare network, outbound Internet traffic is first routed through Cloudflare Network Firewall where it is subject to any configured network firewall policies. 3. Outbound Internet traffic is subsequently sent to [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our secure web gateway service where various [policies](/cloudflare-one/traffic-policies/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks. For example, Gateway DNS and HTTP policies can both be configured to prevent your servers from connecting to questionable Internet sites and from downloading malware or other malicious content. -4. Once traffic clears inspection, Gateway proxies the outbound traffic to their destinations on the Internet. The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service, which if you want you can purchase and set your [own egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) +4. Once traffic clears inspection, Gateway proxies the outbound traffic to their destinations on the Internet. The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service, which if you want you can purchase and set your [own egress IP](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/) 5. Return traffic from the Internet, destined to Cloudflare's IP addresses linked to the Gateway service, is routed into Cloudflare's global network. 6. Traffic is inspected against Gateway policies. 7. Return traffic that passes Gateway inspection is routed to Cloudflare Network Firewall for further packet filtering. diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx index 204656c57d1..3ab4f73564c 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx @@ -34,7 +34,7 @@ To distinguish queries originating from the service provider from those coming f If stable and defined source IPv4 addresses cannot be assigned to the on-premises DNS servers, service providers can instead use unique destination location endpoints. Each location is assigned a distinct [DoT](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#dns-over-tls-dot) and [DoH](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#dns-over-https-doh) hostname, as well as a unique [destination IPv6 address](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#ipv4ipv6-address). Additionally, Cloudflare can provide unique [destination IPv4 addresses upon request](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#dns-resolver-ip). ::: -DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. +DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/policy-types/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. ![Figure 2: A DNS policy to prevent users from navigating to malicious domains. The action is to override and redirect the DNS query to a block page hosted by the service provider.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg) @@ -64,6 +64,6 @@ To differentiate these additional services from the core DNS security offering, ## Related resources -- [Cloudflare Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/) +- [Cloudflare Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) - [Cloudflare Blog: Using the power of Cloudflare's global network to detect malicious domains using machine learning](https://blog.cloudflare.com/threat-detection-machine-learning-models/) - [Protect ISP and telecommunications networks from DDoS attacks](/reference-architecture/diagrams/network/protecting-sp-networks-from-ddos/) diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx index ab5939ebd28..bff537c5aeb 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx @@ -30,7 +30,7 @@ IT administrators forward public DNS requests to Cloudflare where they are filte To distinguish queries originating from the government departments and agencies they are responsible for, admins configure a location in the Cloudflare dashboard. When a DNS location is created, Gateway assigns IPv4/IPv6 addresses and DNS over TLS/HTTPS (DoT/DoH) hostnames for that location. These IP addresses and hostnames are then used by the admins to send DNS queries for resolution. In turn, the administrator configures the location object with the public IP addresses of their on-premises DNS servers, allowing Cloudflare to accurately associate queries with the corresponding location. -DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. +DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/policy-types/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. Cloudflare's own threat intelligence can be seamlessly integrated with threat intelligence data provided by the agency or third-party sources. In this setup, the agency or the third-party entity acts as a [threat feed provider](/security-center/indicator-feeds/) to Cloudflare. This enables IT admins to create DNS policies that combine Cloudflare's security risk categories with the data sourced by the agency, for a unified and enhanced security posture (see diagram below). Additionally, [publicly available custom indicator feeds](/security-center/indicator-feeds/#publicly-available-feeds) can be accessed by eligible public and private sector organizations without the need to establish a provider relationship, further expanding security capabilities. @@ -80,21 +80,21 @@ When inspecting HTTP traffic, Cloudflare prevents interference by decrypting, in When Cloudflare Gateway is performing HTTP inspection, it extends protection beyond DNS security by enabling additional capabilities to safeguard users as they browse the Internet: -- **Anti-virus scanning (AV):** Users are protected when downloading or uploading files to or from the Internet. [Files are scanned](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) in real time to detect malicious content. -- **Sandboxing:** For files not previously seen, Cloudflare Gateway can [quarantine them in a secure sandbox environment for analysis](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). In this sandbox, Cloudflare monitors the file's actions and compares them against known malware patterns. Files are only released to users if no malicious content is detected. +- **Anti-virus scanning (AV):** Users are protected when downloading or uploading files to or from the Internet. [Files are scanned](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/) in real time to detect malicious content. +- **Sandboxing:** For files not previously seen, Cloudflare Gateway can [quarantine them in a secure sandbox environment for analysis](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/). In this sandbox, Cloudflare monitors the file's actions and compares them against known malware patterns. Files are only released to users if no malicious content is detected. - **Remote Browser Isolation (RBI):** [Isolation policies](/cloudflare-one/remote-browser-isolation/) can be configured to safeguard users when accessing potentially risky websites. For example, [if a user attempts to visit a newly seen domain that triggers an isolation policy](/cloudflare-one/remote-browser-isolation/isolation-policies/), the website's active content is executed in a secure, isolated browser hosted in the nearest Cloudflare data center. This ensures that zero-day attacks and malware are mitigated before they can impact the user. This remote browsing experience is seamless and transparent, allowing users to continue using their preferred browsers and workflows. Every browser tab and window is automatically isolated, and sessions are deleted when closed. ### Data protection In addition to threat protection, Cloudflare Gateway enables the implementation of robust data protection policies during HTTP inspection, including: -- **File upload controls:** Administrators can enforce policies that monitor and [restrict file uploads](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) to the Internet, preventing the inadvertent sharing of sensitive data. +- **File upload controls:** Administrators can enforce policies that monitor and [restrict file uploads](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-file-types) to the Internet, preventing the inadvertent sharing of sensitive data. - **Data Loss Prevention (DLP):** [DLP policies](/cloudflare-one/data-loss-prevention/) can be deployed to identify and block unauthorized sharing of confidential or classified information. For more details, see [securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/). - **Remote Browser Isolation (RBI):** Beyond threat protection, [isolation policies](/cloudflare-one/remote-browser-isolation/) can enforce [user action restrictions](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings), such as disabling copy/paste functionality or keyboard inputs, to safeguard sensitive information. For additional information, refer to [securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/). ## Adopting Cloudflare Gateway as Secure Web Gateway -Expanding Cloudflare Gateway from a protective DNS service to a full-featured Secure Web Gateway is a straightforward process. Using Cloudflare's dashboard, IT administrators would configure [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) in addition to existing DNS policies. These HTTP policies would enable the additional protections, namely, Antivirus Scanning, Sandboxing, Remote Browser Isolation (RBI), and Data Loss Prevention (DLP). +Expanding Cloudflare Gateway from a protective DNS service to a full-featured Secure Web Gateway is a straightforward process. Using Cloudflare's dashboard, IT administrators would configure [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) in addition to existing DNS policies. These HTTP policies would enable the additional protections, namely, Antivirus Scanning, Sandboxing, Remote Browser Isolation (RBI), and Data Loss Prevention (DLP). From the user's perspective, remote Workers would continue using the same device agent. To leverage these enhanced protections, they simply need to switch the device agent mode to [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default). This mode can also be enforced when using device management to deploy the agent. diff --git a/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx index 7d9003724f7..c4ceb6b6c1b 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx @@ -24,7 +24,7 @@ Typically, to provide access to internal resources, you use Cloudflare Zero Trus Some organizations don't like the idea of public DNS records which reference internal services, even though the ZTNA services provide strong access security, sometimes just the existence of a service name in public DNS is not desired. Exposing IP addresses directly to users is also a bad idea, they are hard to remember, and IP addresses can change. Unlike accessing a web application via a public DNS record through our proxy, applications exposed via private IP addresses also require the user to install an agent on their device to capture and route the traffic to Cloudflare which in turn routes it to the application. Installing this agent can be a challenge with third parties like partners or contractors. -So how do you allow access to private resources, without creating public DNS records and without requiring the user install software on their device? Cloudflare solved this challenge with [Resolver Policies](/cloudflare-one/traffic-policies/resolver-policies/) where internal DNS services can be used. When combined with agentless [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/), it is possible to create Zero Trust access to private web applications with only a modern web browser. Policies to control access to apps are then written in our Secure Web Gateway (SWG) service as [network firewall](/cloudflare-one/traffic-policies/network-policies/) policies. This method supports HTTP based applications, although Cloudflare does provide a browser rendering service for SSH and VNC services. +So how do you allow access to private resources, without creating public DNS records and without requiring the user install software on their device? Cloudflare solved this challenge with [Resolver Policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) where internal DNS services can be used. When combined with agentless [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/), it is possible to create Zero Trust access to private web applications with only a modern web browser. Policies to control access to apps are then written in our Secure Web Gateway (SWG) service as [network firewall](/cloudflare-one/traffic-policies/policy-types/network-policies/) policies. This method supports HTTP based applications, although Cloudflare does provide a browser rendering service for SSH and VNC services. Follow this [tutorial](/cloudflare-one/tutorials/clientless-access-private-dns/) for information on how to configure secure access to private web-based resources without having to deploy client agents. @@ -32,7 +32,7 @@ Follow this [tutorial](/cloudflare-one/tutorials/clientless-access-private-dns/) 1. Users start their access by authenticating to the [Cloudflare Browser Isolation](https://your_team_domain.cloudflareaccess.com/browser) service. Note this is a browser running on Cloudflare’s edge network, therefore all requests will by default be handled by Cloudflare. The contents are rendered back to the users’ browser via secure encrypted vector streams that use HTTPS and WebRTC channels. 2. Once the user has authenticated to the remote browser, they make a request to an internal hostname which is a record in the internal DNS service. e.g. [https://app.company.internal](https://app.company.internal) -3. Cloudflare looks up the internal hostname using [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/), and gets the private IP address from the internal DNS server. This DNS resolution takes place within the Cloudflare network and requires no DNS client changes on the user's device. +3. Cloudflare looks up the internal hostname using [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/), and gets the private IP address from the internal DNS server. This DNS resolution takes place within the Cloudflare network and requires no DNS client changes on the user's device. 4. Cloudflare evaluates the network firewall policies and verifies if the user has permission to reach the destination addresses. 5. If the request passes the policy, it is sent via secure [QUIC](https://blog.cloudflare.com/getting-cloudflare-tunnels-to-connect-to-the-cloudflare-network-with-quic) tunnels to the Cloudflared connectors which then is reverse proxied to the application servers. All data is transmitted securely through Cloudflare back to the users’ browser via encrypted vector streams. diff --git a/src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx b/src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx index 90d55fe61bf..95d68fe2a9d 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx @@ -55,7 +55,7 @@ When integrating with an XDR platform such as Crowdstrike, Sentinel One or Micro The following is an example set of policies which demonstrate how you can use Cloudflare to secure access to Salesforce. -The first step is using an [egress IP policy under Cloudflare Gateway](/cloudflare-one/traffic-policies/egress-policies/). This allows you to purchase and assign specific IPs to users that have their traffic filtered via Gateway. Then in Salesforce, you enforce that access is only permitted for traffic with a source IP that matches the one in your egress policy. This combination ensures that the only way to get access to Salesforce is via Cloudflare. +The first step is using an [egress IP policy under Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/egress-policies/). This allows you to purchase and assign specific IPs to users that have their traffic filtered via Gateway. Then in Salesforce, you enforce that access is only permitted for traffic with a source IP that matches the one in your egress policy. This combination ensures that the only way to get access to Salesforce is via Cloudflare. | Egress Policy | | | :---------------------------------- | :------------- | diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx index 0cd6b8d524d..6b4be9f98a6 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx @@ -38,7 +38,7 @@ When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudfl 2. Cloudflare's [Zero Trust Network Access](/cloudflare-one/access-controls/policies/) (ZTNA) service can integrate directly with your [SaaS applications](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) using standard protocols (e.g. SAML or OIDC) to become the initial enforcement point for user access. Access calls your [identity provider](/cloudflare-one/integrations/identity-providers/) (IdP) of choice and uses additional security signals about your users and devices to make policy decisions. -3. As an extension of what was covered in Securing data in use, Cloudflare [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/) (RBI) can also be used with [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/), so that even remote clientless user’s traffic can arrive at the requested SaaS application from predictable and consistent IP addresses. +3. As an extension of what was covered in Securing data in use, Cloudflare [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/) (RBI) can also be used with [dedicated egress IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/dedicated-egress-ips/), so that even remote clientless user’s traffic can arrive at the requested SaaS application from predictable and consistent IP addresses. ## Discovering and protecting the data at rest diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index b063ace1285..aa023c45394 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx @@ -62,9 +62,9 @@ The following diagram shows a common flow for how Cloudflare inspects a request ![Figure 4: Upload of file containing sensitive data blocked by Cloudflare DLP](~/assets/images/reference-architecture/securing-data-in-transit/securing-data-in-transit-fig4.svg "Figure 4: Upload of file containing sensitive data blocked by Cloudflare DLP") 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/)). [Clientless](/cloudflare-one/networks/resolvers-and-proxies/) options are supported as well. -2. Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/data-loss-prevention/). +2. Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The Gateway policy is configured with a [Block action](/cloudflare-one/traffic-policies/http-policies/#block), so the attempt is [logged](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) returned to the end user's web browser. +4. The Gateway policy is configured with a [Block action](/cloudflare-one/traffic-policies/policy-types/http-policies/#block), so the attempt is [logged](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) returned to the end user's web browser. ## Related resources diff --git a/src/content/docs/ruleset-engine/reference/phases-list.mdx b/src/content/docs/ruleset-engine/reference/phases-list.mdx index 5830900dd01..a1a8b7f743b 100644 --- a/src/content/docs/ruleset-engine/reference/phases-list.mdx +++ b/src/content/docs/ruleset-engine/reference/phases-list.mdx @@ -19,7 +19,7 @@ The following tables list the [phases](/ruleset-engine/about/phases/) of Cloudfl | Phase name | Used in product/feature | | --------------------------- | ------------------------------------------------------------------------------------------------------------------------ | | `ddos_l4` | [Network-layer DDoS Attack Protection](/ddos-protection/managed-rulesets/network/network-overrides/configure-api/) | -| `magic_transit` | [Cloudflare Network Firewall](/cloudflare-one/traffic-policies/packet-filtering/add-policies/) | +| `magic_transit` | [Cloudflare Network Firewall](/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/) | | `magic_transit_managed` | [Cloudflare Network Firewall managed rulesets](/cloudflare-network-firewall/how-to/enable-managed-rulesets/) | | `magic_transit_ratelimit` | [Cloudflare Network Firewall rate limiting policies](/cloudflare-network-firewall/how-to/create-rate-limiting-policies/) | | `magic_transit_ids_managed` | [Cloudflare Network Firewall Intrusion Detection System (IDS)](/cloudflare-network-firewall/about/ids/) | diff --git a/src/content/docs/security-center/indicator-feeds.mdx b/src/content/docs/security-center/indicator-feeds.mdx index 5340e416b2f..7c55509e91a 100644 --- a/src/content/docs/security-center/indicator-feeds.mdx +++ b/src/content/docs/security-center/indicator-feeds.mdx @@ -135,7 +135,7 @@ Providers can create and manage a Custom Indicator Feed with the [Custom Indicat ### Use a feed in Gateway -Once an account is granted access to a feed, it will be available to match traffic as a [selector in Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/#indicator-feeds). +Once an account is granted access to a feed, it will be available to match traffic as a [selector in Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/#indicator-feeds). 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies**. Select **DNS**. 2. To create a new DNS policy, select **Add a policy**. @@ -148,4 +148,4 @@ Once an account is granted access to a feed, it will be available to match traff 5. Select **Create policy**. -For more information on creating Gateway policies, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). +For more information on creating Gateway policies, refer to [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/). diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx index 1d11ed6061f..8fbfbbc9633 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx @@ -27,7 +27,7 @@ And off-ramps: - [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) off-ramp (using `cloudflared`) - Cloudflare IPsec off-ramp -For traffic that egresses to the public Internet, [Cloudflare Gateway](/cloudflare-one/traffic-policies/http-policies/) also provides post-quantum encryption as a Secure Web Gateway (SWG). +For traffic that egresses to the public Internet, [Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/http-policies/) also provides post-quantum encryption as a Secure Web Gateway (SWG). These on-ramps and off-ramps all use [hybrid post-quantum key agreement](/ssl/post-quantum-cryptography/#hybrid-key-agreement). @@ -111,7 +111,7 @@ Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA A [secure web gateway (SWG)](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) is used to secure access to third-party websites on the public Internet by intercepting and inspecting TLS traffic. -[Cloudflare Gateway](/cloudflare-one/traffic-policies/http-policies/) [supports post-quantum cryptography for HTTPS traffic](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#post-quantum-support). As long as the third-party website that is being inspected supports post-quantum key agreement, Cloudflare's SWG also supports post-quantum key agreement. +[Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/http-policies/) [supports post-quantum cryptography for HTTPS traffic](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#post-quantum-support). As long as the third-party website that is being inspected supports post-quantum key agreement, Cloudflare's SWG also supports post-quantum key agreement. ![Diagram of how post-quantum cryptography works with Cloudflare's Secure Web Gateway](~/assets/images/ssl/pqc-secure-web-gateway.png). diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-cloudflare-products.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-cloudflare-products.mdx index ebbd57eca96..bde16b9f78f 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-cloudflare-products.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-cloudflare-products.mdx @@ -110,7 +110,7 @@ Mesh inherits its post-quantum protection from the [Cloudflare One Client](#clou ### Cloudflare Gateway -[Cloudflare Gateway](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#post-quantum-support) is a Secure Web Gateway that runs on Cloudflare's edge and filters HTTPS traffic egressing to the public Internet. Gateway has no client-side component; clients reach Gateway via one of several post-quantum on-ramps: +[Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#post-quantum-support) is a Secure Web Gateway that runs on Cloudflare's edge and filters HTTPS traffic egressing to the public Internet. Gateway has no client-side component; clients reach Gateway via one of several post-quantum on-ramps: - The [Cloudflare One Client](#cloudflare-one-client). - A [Cloudflare IPsec](#cloudflare-ipsec) tunnel. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx index 1a1009e1b24..7f9802d7a2b 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx @@ -52,7 +52,7 @@ When using [Cloudflare Gateway](/cloudflare-one/traffic-policies/), an HTTP Erro - **The connection from Gateway to the origin is insecure.** Gateway does not trust origins which: - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the [SSL Server Test tool](https://www.ssllabs.com/ssltest/index.html) to check which ciphers are supported by the origin. - - Do not support [FIPS-compliant ciphers](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). + - Do not support [FIPS-compliant ciphers](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). - Redirect all HTTPS requests to HTTP. ### Error 526 in the Workers context diff --git a/src/content/docs/use-cases/company-security/data-loss-prevention.mdx b/src/content/docs/use-cases/company-security/data-loss-prevention.mdx index 1d8291b6f0f..ebd39f9800a 100644 --- a/src/content/docs/use-cases/company-security/data-loss-prevention.mdx +++ b/src/content/docs/use-cases/company-security/data-loss-prevention.mdx @@ -28,4 +28,4 @@ Secure your organization with a cloud security platform that replaces legacy per 1. [Configure DLP policies](/cloudflare-one/data-loss-prevention/) 2. [Set up CASB integrations](/cloudflare-one/cloud-and-saas-findings/) -3. [Create Gateway HTTP policies for DLP](/cloudflare-one/traffic-policies/http-policies/) +3. [Create Gateway HTTP policies for DLP](/cloudflare-one/traffic-policies/policy-types/http-policies/) diff --git a/src/content/docs/use-cases/company-security/internet-access.mdx b/src/content/docs/use-cases/company-security/internet-access.mdx index 8a7d1612793..49bfedbcb75 100644 --- a/src/content/docs/use-cases/company-security/internet-access.mdx +++ b/src/content/docs/use-cases/company-security/internet-access.mdx @@ -31,8 +31,8 @@ Secure your organization with a cloud security platform that replaces legacy per ## Get started -1. [Set up Gateway DNS filtering](/cloudflare-one/traffic-policies/dns-policies/) -2. [Configure HTTP inspection](/cloudflare-one/traffic-policies/http-policies/) +1. [Set up Gateway DNS filtering](/cloudflare-one/traffic-policies/policy-types/dns-policies/) +2. [Configure HTTP inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/) 3. [Deploy Browser Isolation](/cloudflare-one/remote-browser-isolation/setup/) ### Secure your company's Internet access diff --git a/src/content/docs/waf/detections/malicious-uploads/index.mdx b/src/content/docs/waf/detections/malicious-uploads/index.mdx index a1b13af6f2b..39ce4e2720c 100644 --- a/src/content/docs/waf/detections/malicious-uploads/index.mdx +++ b/src/content/docs/waf/detections/malicious-uploads/index.mdx @@ -24,7 +24,7 @@ This feature is available to customers on an Enterprise plan with a paid add-on. Once you turn on this detection, Cloudflare inspects all incoming traffic and identifies content objects automatically. -When Cloudflare detects one or more content objects in a request, it sends them to an antivirus (AV) scanner for analysis. The AV scanner is the same one used in [Cloudflare Zero Trust](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/). +When Cloudflare detects one or more content objects in a request, it sends them to an antivirus (AV) scanner for analysis. The AV scanner is the same one used in [Cloudflare Zero Trust](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/). Based on the scan results, the detection populates [fields](#content-scanning-fields) you can reference in rule expressions. For example, you can create a rule to block requests with malicious files, or a more specific rule that also matches on file size, file type, or URI path. diff --git a/src/content/docs/warp-client/warp-modes.mdx b/src/content/docs/warp-client/warp-modes.mdx index d98bdd1eb07..064c00644b7 100644 --- a/src/content/docs/warp-client/warp-modes.mdx +++ b/src/content/docs/warp-client/warp-modes.mdx @@ -57,7 +57,7 @@ Because this feature restricts WARP to just applications configured to use the l This will enable the **Local proxy** option in the **WARP Settings** menu. -If you enable [FIPS compliance](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#fips-compliance) for TLS decryption, you must [disable QUIC](/cloudflare-one/traffic-policies/http-policies/http3/#force-http2-traffic) in your users' browsers. Otherwise, HTTP/3 traffic will bypass inspection by the WARP client. +If you enable [FIPS compliance](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#fips-compliance) for TLS decryption, you must [disable QUIC](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/#force-http2-traffic) in your users' browsers. Otherwise, HTTP/3 traffic will bypass inspection by the WARP client. ## WARP+ Unlimited diff --git a/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx b/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx index aa32236c385..76b2ddf0772 100644 --- a/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx +++ b/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx @@ -4,11 +4,11 @@ params: - protocol --- -By default, Cloudflare will evaluate Access application policies after evaluating all [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/). To evaluate Access applications before or after specific Gateway policies: +By default, Cloudflare will evaluate Access application policies after evaluating all [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). To evaluate Access applications before or after specific Gateway policies:
  1. -In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies**. In **Network**, [create a Network policy](/cloudflare-one/traffic-policies/network-policies/) with the following configuration: +In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies**. In **Network**, [create a Network policy](/cloudflare-one/traffic-policies/policy-types/network-policies/) with the following configuration: | Selector | Operator | Value | Action | | ---------------------------- | -------- | --------- | ------ | diff --git a/src/content/partials/cloudflare-one/app-library-review-apps.mdx b/src/content/partials/cloudflare-one/app-library-review-apps.mdx index c2b62e0bb95..b97d6f99542 100644 --- a/src/content/partials/cloudflare-one/app-library-review-apps.mdx +++ b/src/content/partials/cloudflare-one/app-library-review-apps.mdx @@ -22,5 +22,5 @@ To set the status of an application: Once you mark the status of an application, its badge will change. You can filter applications by their status to review each application in the list for your organization. The review status for an application in the App Library and Shadow IT Discovery will update within one hour. :::note -Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](/cloudflare-one/access-controls/policies/) and [Gateway policies](/cloudflare-one/traffic-policies/). To filter traffic based on approval status, use the [_Application Status_](/cloudflare-one/traffic-policies/http-policies/#application-approval-status) selector. +Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](/cloudflare-one/access-controls/policies/) and [Gateway policies](/cloudflare-one/traffic-policies/). To filter traffic based on approval status, use the [_Application Status_](/cloudflare-one/traffic-policies/policy-types/http-policies/#application-approval-status) selector. ::: diff --git a/src/content/partials/cloudflare-one/aws-resolver.mdx b/src/content/partials/cloudflare-one/aws-resolver.mdx index 9a9d914decd..a814637f1e7 100644 --- a/src/content/partials/cloudflare-one/aws-resolver.mdx +++ b/src/content/partials/cloudflare-one/aws-resolver.mdx @@ -3,7 +3,7 @@ --- -Avoid configuring your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/traffic-policies/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver. +Avoid configuring your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver. Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution. This can break AWS Console features for users on the Cloudflare One Client. diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx index f22d4d4cf06..c73b98aa533 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx @@ -12,7 +12,7 @@ To create a new HTTP policy: 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. -5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: +5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: -For more information, refer to [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). +For more information, refer to [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx index 6d42c88797f..47f21ce48c9 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx @@ -64,4 +64,4 @@ The API will respond with a summary of the policy and the result of your request -For more information, refer to [network policies](/cloudflare-one/traffic-policies/network-policies/). +For more information, refer to [network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). diff --git a/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx b/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx index f9466531aa9..dc6661dd30a 100644 --- a/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx +++ b/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx @@ -5,6 +5,6 @@ params: import { Markdown } from "~/components"; -By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`. +By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`. To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, . diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx index c98a8f8326f..3ec23a4366d 100644 --- a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx +++ b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx @@ -86,7 +86,7 @@ Connections to Zero Trust will always appear in your [Zero Trust network session ### Filter TCP SYN packets with Cloudflare Network Firewall -Because Gateway sends a TCP SYN to the destination server before evaluating policies, Gateway Network or HTTP Block policies do not prevent the initial TCP SYN from reaching the destination server. If you need to prevent TCP SYN packets from being sent to specific destination IP addresses, you can create a [Cloudflare Network Firewall](/cloudflare-one/traffic-policies/packet-filtering/) rule to block traffic at the packet level. As shown in the [enforcement flowchart](#order-of-enforcement), Cloudflare Network Firewall evaluates traffic before Gateway checks for origin availability. +Because Gateway sends a TCP SYN to the destination server before evaluating policies, Gateway Network or HTTP Block policies do not prevent the initial TCP SYN from reaching the destination server. If you need to prevent TCP SYN packets from being sent to specific destination IP addresses, you can create a [Cloudflare Network Firewall](/cloudflare-one/traffic-policies/policy-types/packet-filtering/) rule to block traffic at the packet level. As shown in the [enforcement flowchart](#order-of-enforcement), Cloudflare Network Firewall evaluates traffic before Gateway checks for origin availability. :::note Cloudflare Network Firewall is available to Enterprise users only. @@ -99,7 +99,7 @@ To block TCP SYN packets to a specific destination: 3. Create a rule with the destination IP address or CIDR range you want to block. For example, to block all traffic to `10.0.0.0/8`, use the expression `ip.dst in {10.0.0.0/8}` with a **Block** action. 4. Select **Add new policy**. -For more information on creating packet filtering rules, refer to [Add policies](/cloudflare-one/traffic-policies/packet-filtering/add-policies/). +For more information on creating packet filtering rules, refer to [Add policies](/cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/). ## Priority between policy builders @@ -116,7 +116,7 @@ DNS and resolver policies are standalone. For example, if you block a site with ### HTTP/3 traffic -For proxied [HTTP/3 traffic](/cloudflare-one/traffic-policies/http-policies/http3/), Gateway applies your policies in the following order: +For proxied [HTTP/3 traffic](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/), Gateway applies your policies in the following order: 1. DNS policies 2. Network policies @@ -137,7 +137,7 @@ When DNS queries are received, Gateway evaluates policies with pre-resolution se Despite an explicit Allow policy ordered first, policy 2 takes precedence because the _Domain_ selector is evaluated before DNS resolution. -If a policy contains both pre-resolution and post-resolution selectors, Gateway will evaluate the entire policy after DNS resolution. For information on when each selector is evaluated, refer to the [list of DNS selectors](/cloudflare-one/traffic-policies/dns-policies/#selectors). +If a policy contains both pre-resolution and post-resolution selectors, Gateway will evaluate the entire policy after DNS resolution. For information on when each selector is evaluated, refer to the [list of DNS selectors](/cloudflare-one/traffic-policies/policy-types/dns-policies/#selectors). ### Network policies @@ -145,7 +145,7 @@ Gateway evaluates network policies in [order of precedence](#order-of-precedence ### HTTP policies -Gateway applies HTTP policies based on a combination of [action type](/cloudflare-one/traffic-policies/http-policies/#actions) and [order of precedence](#order-of-precedence): +Gateway applies HTTP policies based on a combination of [action type](/cloudflare-one/traffic-policies/policy-types/http-policies/#actions) and [order of precedence](#order-of-precedence): 1. All Do Not Inspect policies are evaluated first, in order of precedence. 2. If no policies match, all Isolate policies are evaluated in order of precedence. @@ -166,7 +166,7 @@ Lastly, Gateway inspects the body of the HTTP request by evaluating it against D ### Resolver policies -When [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) are present, Gateway first evaluates any DNS policies with pre-resolution selectors, then routes any DNS queries according to the [order of precedence](#order-of-precedence) of your resolver policies, and lastly evaluates any DNS policies with post-resolution selectors. +When [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) are present, Gateway first evaluates any DNS policies with pre-resolution selectors, then routes any DNS queries according to the [order of precedence](#order-of-precedence) of your resolver policies, and lastly evaluates any DNS policies with post-resolution selectors. ### Default behavior when no policy matches @@ -176,7 +176,7 @@ If traffic does not match any explicit Allow or Block policy, Gateway applies th | --- | --- | --- | | DNS | Allow | DNS queries resolve normally through the configured resolver. | | Network | Allow | TCP and UDP connections are allowed through the Gateway proxy. | -| HTTP | Allow | HTTP and HTTPS requests are allowed. However, if you have configured a default Block action in your [HTTP policy settings](/cloudflare-one/traffic-policies/http-policies/), unmatched traffic is blocked instead. | +| HTTP | Allow | HTTP and HTTPS requests are allowed. However, if you have configured a default Block action in your [HTTP policy settings](/cloudflare-one/traffic-policies/policy-types/http-policies/), unmatched traffic is blocked instead. | Because the default is to allow unmatched traffic, Gateway follows a permissive model. To switch to a restrictive model (block by default, allow by exception), create a catch-all Block policy at the lowest precedence in the relevant policy builder and add specific Allow policies above it. diff --git a/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx b/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx index b23ff64f747..4f4c8896df8 100644 --- a/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx +++ b/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx @@ -3,4 +3,4 @@ --- -[Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) provide similar functionality to Local Domain Fallback but occur in Cloudflare Gateway rather than on the local device. This option is recommended if you want more granular control over private DNS resolution. For example, you can ensure that all users in a specific geography use the private DNS server closest to them, ensure that specific conditions are met before resolving private DNS traffic, and apply [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/) to private DNS traffic. +[Resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) provide similar functionality to Local Domain Fallback but occur in Cloudflare Gateway rather than on the local device. This option is recommended if you want more granular control over private DNS resolution. For example, you can ensure that all users in a specific geography use the private DNS server closest to them, ensure that specific conditions are met before resolving private DNS traffic, and apply [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) to private DNS traffic. diff --git a/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx b/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx index 1d8ca2b1a82..a5eff5ffade 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx @@ -2,4 +2,4 @@ {} --- -This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). +This selector is only available for traffic onboarded to Traffic and DNS mode, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](/cloudflare-one/traffic-policies/policy-types/egress-policies/#selector-prerequisites). diff --git a/src/content/partials/cloudflare-one/gateway/selectors/sni-443.mdx b/src/content/partials/cloudflare-one/gateway/selectors/sni-443.mdx index ccf454918ca..4b0873c8294 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/sni-443.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/sni-443.mdx @@ -2,4 +2,4 @@ {} --- -By default, SNI selectors only apply to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). +By default, SNI selectors only apply to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/) and choose to [inspect on all ports](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports). diff --git a/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx b/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx index f5913c3f3fe..2d77c7651a2 100644 --- a/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx +++ b/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx @@ -4,7 +4,7 @@ Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). ## DLP policy does not trigger or block content -DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). +DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). To turn on TLS decryption: @@ -41,7 +41,7 @@ This policy only blocks uploads of financial data to file-sharing websites for a | DLP Profile | in | _Financial Information_ | And | | | User Group Names | in | `Finance Team` | | | -You can also create policies that match trusted applications using the [**Do Not Scan** action](/cloudflare-one/traffic-policies/http-policies/#do-not-scan). +You can also create policies that match trusted applications using the [**Do Not Scan** action](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-scan). ## DLP detections are inconsistent diff --git a/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx b/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx index a5dd284025e..11a03d758c6 100644 --- a/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx +++ b/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx @@ -79,7 +79,7 @@ To resolve Gateway policy precedence issues: ## TLS decryption breaks applications -Turning on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. +Turning on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. ### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors diff --git a/src/content/partials/cloudflare-one/tunnel/hostname-route-dns-advanced.mdx b/src/content/partials/cloudflare-one/tunnel/hostname-route-dns-advanced.mdx index aa3363a727a..1b4505fe73b 100644 --- a/src/content/partials/cloudflare-one/tunnel/hostname-route-dns-advanced.mdx +++ b/src/content/partials/cloudflare-one/tunnel/hostname-route-dns-advanced.mdx @@ -4,7 +4,7 @@ import { DashButton } from "~/components"; -If you need `cloudflared` to use a specific internal DNS server that is different from the host's default resolver, you must explicitly connect that DNS server to Cloudflare via an [IP/CIDR route](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). You will also need to configure a [Gateway resolver policy](/cloudflare-one/traffic-policies/resolver-policies/) to route queries to this specific private DNS server. +If you need `cloudflared` to use a specific internal DNS server that is different from the host's default resolver, you must explicitly connect that DNS server to Cloudflare via an [IP/CIDR route](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). You will also need to configure a [Gateway resolver policy](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to route queries to this specific private DNS server. 1. To create an IP/CIDR route for the DNS server: 1. Go to **Networking** > **Routes**. diff --git a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx index df0e7f4e417..15917fd5431 100644 --- a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx +++ b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx @@ -22,7 +22,7 @@ If the Cloudflare One Client is stuck in the `Disconnected` state or frequently This step is only needed if users access your application via a private hostname (for example, `wiki.internal.local`). -- If you are using [custom resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) to handle private DNS, go to your Gateway DNS logs (**Insights** > **Logs** > **DNS query logs**) and search for DNS queries to the hostname. +- If you are using [custom resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) to handle private DNS, go to your Gateway DNS logs (**Insights** > **Logs** > **DNS query logs**) and search for DNS queries to the hostname. - If you are using [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) to handle private DNS, go to your Gateway Network logs (**Insights** > **Logs** > **Network logs**) and search for port `53` traffic to your DNS server IP. @@ -107,7 +107,7 @@ You can also use a packet capture tool such as `tcpdump` or Wireshark to trace w ## 10. Is TLS inspection affecting the connection to your application? -If there is a problem with [TLS inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), the user will get an `Insecure Upstream` error when they access the application in a browser. They will probably not get an error if they access the application outside of a browser. +If there is a problem with [TLS inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), the user will get an `Insecure Upstream` error when they access the application in a browser. They will probably not get an error if they access the application outside of a browser. Customers who have [Logpush](/cloudflare-one/insights/logs/logpush/) enabled can check the [Gateway HTTP dataset](/logs/logpush/logpush-job/datasets/account/gateway_http/) for any hostnames which have an elevated rate of `526` HTTP status codes. @@ -119,10 +119,10 @@ To troubleshoot TLS inspection: | -------------- | -------- | ------------- | -------------- | | Destination IP | in | `10.2.3.4/32` | Do Not Inspect | -2. If the `Do Not Inspect` policy enables the user to connect, verify that the TLS certificate used by your application is trusted by a public CA and not self-signed. Cloudflare Gateway is unable to negotiate TLS with applications that use self-signed certificates. For more information, refer to [TLS inspection limitations](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations). +2. If the `Do Not Inspect` policy enables the user to connect, verify that the TLS certificate used by your application is trusted by a public CA and not self-signed. Cloudflare Gateway is unable to negotiate TLS with applications that use self-signed certificates. For more information, refer to [TLS inspection limitations](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations). To work around the issue: - - **Option 1:** Create a permanent [`Do Not Inspect` HTTP policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for this application. - - **Option 2:** Customers who use their [own certificate infrastructure](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) for inspection can opt to create an [Allow _Pass Through_ policy](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) which enables our proxy to accept the TLS negotiation from your application. This will allow requests to flow correctly without the need for a `Do Not Inspect` policy. + - **Option 1:** Create a permanent [`Do Not Inspect` HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) for this application. + - **Option 2:** Customers who use their [own certificate infrastructure](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) for inspection can opt to create an [Allow _Pass Through_ policy](/cloudflare-one/traffic-policies/policy-types/http-policies/#untrusted-certificates) which enables our proxy to accept the TLS negotiation from your application. This will allow requests to flow correctly without the need for a `Do Not Inspect` policy. - **Option 3:** If your application uses `HTTPS` or other common protocols, you can add a [published application](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) to your Cloudflare Tunnel and set [noTLSVerify](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/#notlsverify) to `true`. This will allow `cloudflared` to trust your self-signed certificate. diff --git a/src/content/partials/fundamentals/cybersafe-configuration.mdx b/src/content/partials/fundamentals/cybersafe-configuration.mdx index e8654c6c41b..98f52b14ce4 100644 --- a/src/content/partials/fundamentals/cybersafe-configuration.mdx +++ b/src/content/partials/fundamentals/cybersafe-configuration.mdx @@ -3,7 +3,7 @@ --- -To facilitate compliance with CIPA requirements, administrators can [enable a single filtering policy option](/cloudflare-one/traffic-policies/dns-policies/common-policies/#turn-on-cipa-filter). This includes applying the required filter categories to block access to unwanted or harmful online content. +To facilitate compliance with CIPA requirements, administrators can [enable a single filtering policy option](/cloudflare-one/traffic-policies/policy-types/dns-policies/common-policies/#turn-on-cipa-filter). This includes applying the required filter categories to block access to unwanted or harmful online content. :::note diff --git a/src/content/partials/networking-services/cloudflare-one-connectivity-options.mdx b/src/content/partials/networking-services/cloudflare-one-connectivity-options.mdx index fb6b8b613c6..97f6472aed3 100644 --- a/src/content/partials/networking-services/cloudflare-one-connectivity-options.mdx +++ b/src/content/partials/networking-services/cloudflare-one-connectivity-options.mdx @@ -106,7 +106,7 @@ Use DNS locations when you need to filter DNS traffic for an entire office or ne :::note[Important to know] DNS locations filter DNS traffic only. To filter HTTP traffic, use the Cloudflare One Client or proxy endpoints. -For identity-based DNS policies without the Cloudflare One Client, configure [DNS over HTTPS with user tokens](/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/#filter-doh-requests-by-user). To resolve internal domain names or route queries to private DNS servers, use [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) (Enterprise only). +For identity-based DNS policies without the Cloudflare One Client, configure [DNS over HTTPS with user tokens](/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/#filter-doh-requests-by-user). To resolve internal domain names or route queries to private DNS servers, use [resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/) (Enterprise only). ::: For detailed configuration, refer to the [DNS locations documentation](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/). diff --git a/src/content/partials/networking-services/cloudflare-wan/third-party/azure-vpn-gateway.mdx b/src/content/partials/networking-services/cloudflare-wan/third-party/azure-vpn-gateway.mdx index 9e7fb6ed01c..3ef2d28e3fb 100644 --- a/src/content/partials/networking-services/cloudflare-wan/third-party/azure-vpn-gateway.mdx +++ b/src/content/partials/networking-services/cloudflare-wan/third-party/azure-vpn-gateway.mdx @@ -170,7 +170,7 @@ Microsoft does not permit specifying a default route (`0.0.0.0/0`) under Address ## Install Cloudflare Zero Trust CA Certificate -If you opt to route all Internet bound traffic through Cloudflare WAN and want to take advantage of [HTTPS TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), it will be necessary to install and trust the Cloudflare Zero Trust root certificate authority (CA) certificate on your user's devices. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. +If you opt to route all Internet bound traffic through Cloudflare WAN and want to take advantage of [HTTPS TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), it will be necessary to install and trust the Cloudflare Zero Trust root certificate authority (CA) certificate on your user's devices. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. More details on how to install the root CA certificate can be found in [User-side certificates](/cloudflare-one/team-and-resources/devices/user-side-certificates/) in the Cloudflare Zero Trust documentation. diff --git a/src/content/partials/networking-services/cloudflare-wan/third-party/cisco-meraki-static.mdx b/src/content/partials/networking-services/cloudflare-wan/third-party/cisco-meraki-static.mdx index 69cc99583a9..3a35ce32bbb 100644 --- a/src/content/partials/networking-services/cloudflare-wan/third-party/cisco-meraki-static.mdx +++ b/src/content/partials/networking-services/cloudflare-wan/third-party/cisco-meraki-static.mdx @@ -217,7 +217,7 @@ Contact Cloudflare to request assistance with adding the `internal_authorized_pr ### Cloudflare Gateway HTTP policy -Define an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to permit the tunnel monitoring probe source IP address to reach the IP/URL (HTTP — port 80/tcp). +Define an [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/) to permit the tunnel monitoring probe source IP address to reach the IP/URL (HTTP — port 80/tcp). :::note The IP/URL is available from the **Configure health checks** section of the Meraki Dashboard (**Security & SD-WAN** > **Site-to-site VPN** > **Configure health checks**). diff --git a/src/content/partials/networking-services/cloudflare-wan/third-party/juniper.mdx b/src/content/partials/networking-services/cloudflare-wan/third-party/juniper.mdx index 74c35ae1446..7691509b264 100644 --- a/src/content/partials/networking-services/cloudflare-wan/third-party/juniper.mdx +++ b/src/content/partials/networking-services/cloudflare-wan/third-party/juniper.mdx @@ -460,7 +460,7 @@ set interfaces ge-0/0/1 unit 0 family inet filter input CF_WAN_FBF_ALL Commit changes, then test traffic from a host on the 192.168.125.0/24 subnet to ensure it is forwarded through the Cloudflare WAN IPsec Tunnels. :::note -If you have Cloudflare One configured to perform [HTTPS traffic inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), ensure that you [install the Root CA certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. +If you have Cloudflare One configured to perform [HTTPS traffic inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), ensure that you [install the Root CA certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. ::: ## Troubleshooting diff --git a/src/content/partials/networking-services/cloudflare-wan/third-party/palo-alto.mdx b/src/content/partials/networking-services/cloudflare-wan/third-party/palo-alto.mdx index 34b5e4bec7d..1d850c4ff0c 100644 --- a/src/content/partials/networking-services/cloudflare-wan/third-party/palo-alto.mdx +++ b/src/content/partials/networking-services/cloudflare-wan/third-party/palo-alto.mdx @@ -608,7 +608,7 @@ set rulebase pbf rules cf-wan-to-internet-02 service any Commit changes, then test traffic from a host on the 192.168.125.0/24 subnet to ensure it is forwarded through the Cloudflare WAN IPsec Tunnels. :::note -If you have Cloudflare One configured to perform [HTTPS traffic inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), ensure that you [install the Root CA certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. +If you have Cloudflare One configured to perform [HTTPS traffic inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), ensure that you [install the Root CA certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. ::: ## Troubleshooting diff --git a/src/content/partials/networking-services/cloudflare-wan/zero-trust/tunnel.mdx b/src/content/partials/networking-services/cloudflare-wan/zero-trust/tunnel.mdx index 41ddc29de0c..1d0b89d53c4 100644 --- a/src/content/partials/networking-services/cloudflare-wan/zero-trust/tunnel.mdx +++ b/src/content/partials/networking-services/cloudflare-wan/zero-trust/tunnel.mdx @@ -34,7 +34,7 @@ Cloudflare reserves the following IP ranges for Zero Trust services: | --- | --- | | `100.64.0.0/12` | [Cloudflare Source IPs](/cloudflare-wan/configuration/how-to/configure-cloudflare-source-ips/) | | `100.96.0.0/12` | [Device IPs](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/) | -| `100.80.0.0/16` | [Initial resolved IPs](/cloudflare-one/traffic-policies/egress-policies/host-selectors/) | +| `100.80.0.0/16` | [Initial resolved IPs](/cloudflare-one/traffic-policies/policy-types/egress-policies/host-selectors/) | | `100.112.0.0/16` | [Private Load Balancers](/load-balancing/private-network/) | Do not configure routes that overlap with these reserved ranges. @@ -63,7 +63,7 @@ ARR requires Unified Routing mode. For more information, refer to Date: Mon, 13 Jul 2026 15:03:00 -0500 Subject: [PATCH 2/4] [Cloudflare One] Traffic policies: group reference pages under reference/ --- public/__redirects | 8 ++++++++ .../2026-05-27-cloudy-regex-assistance.mdx | 2 +- .../2025-05-14-domain-category-improvements.mdx | 2 +- .../gateway/2025-06-17-new-order-of-enforcement.mdx | 2 +- .../2025-07-28-Spam-domain-category-introduced.mdx | 2 +- .../2025-08-15-gemini-application-replaces-bard.mdx | 2 +- .../gateway/2025-10-10-new-domain-categories.mdx | 2 +- .../2025-11-06-Applications-recategorised-plan.mdx | 2 +- ...6-03-04-gateway-authorization-proxy-open-beta.mdx | 2 +- ...-03-24-oidc-claims-filtering-gateway-policies.mdx | 4 ++-- .../gateway/Gateway-application-categories-added.mdx | 2 +- .../non-http/legacy-private-network-app.mdx | 2 +- .../access-controls/policies/isolate-application.mdx | 2 +- .../docs/cloudflare-one/changelog/gateway.mdx | 2 +- .../dlp-policies/common-policies.mdx | 2 +- src/content/docs/cloudflare-one/faq/policies-faq.mdx | 2 +- .../cloudflare-one/insights/analytics/gateway.mdx | 2 +- .../insights/analytics/shadow-it-discovery.mdx | 2 +- .../docs/cloudflare-one/insights/dex/rules.mdx | 10 +++++----- .../logs/dashboard-logs/gateway-logs/index.mdx | 4 ++-- .../integrations/identity-providers/entra-id.mdx | 2 +- .../integrations/identity-providers/generic-oidc.mdx | 4 ++-- .../integrations/identity-providers/okta-saml.mdx | 2 +- .../private-net/cloudflared/private-dns.mdx | 2 +- .../connectors/cloudflare-tunnel/use-cases/grpc.mdx | 2 +- .../resolvers-and-proxies/dns/dns-over-https.mdx | 2 +- .../resolvers-and-proxies/proxy-endpoints/index.mdx | 2 +- .../remote-browser-isolation/setup/non-identity.mdx | 2 +- .../team-and-resources/app-library.mdx | 6 +++--- .../cloudflare-one-client/configure/device-ips.mdx | 8 ++++---- .../configure/device-profiles.mdx | 8 ++++---- .../configure/route-traffic/split-tunnels.mdx | 2 +- .../team-and-resources/users/risk-score.mdx | 4 ++-- .../traffic-policies/get-started/dns.mdx | 4 ++-- .../traffic-policies/get-started/index.mdx | 4 ++-- .../docs/cloudflare-one/traffic-policies/index.mdx | 6 +++--- .../policy-types/dns-policies/common-policies.mdx | 8 ++++---- .../policy-types/dns-policies/index.mdx | 6 +++--- .../policy-types/egress-policies/index.mdx | 2 +- .../policy-types/http-policies/common-policies.mdx | 2 +- .../policy-types/http-policies/http3.mdx | 2 +- .../policy-types/http-policies/index.mdx | 2 +- .../policy-types/http-policies/tenant-control.mdx | 2 +- .../{ => reference}/application-app-types.mdx | 2 +- .../{ => reference}/domain-categories.mdx | 0 .../{ => reference}/global-policies.mdx | 4 ++-- .../{ => reference}/identity-selectors.mdx | 0 .../traffic-policies/reference/index.mdx | 12 ++++++++++++ .../{ => reference}/order-of-enforcement.mdx | 0 .../policy-expressions.mdx} | 2 +- .../tiered-policies/organizations.mdx | 2 +- .../traffic-policies/troubleshoot-gateway.mdx | 2 +- .../tutorials/deploy-client-headless-linux.mdx | 2 +- .../tutorials/m365-dedicated-egress-ips.mdx | 2 +- .../regional-private-dns-resolver-policies.mdx | 2 +- .../application-based-policies/index.mdx | 2 +- .../replace-vpn/build-policies/create-policy.mdx | 4 ++-- .../replace-vpn/build-policies/policy-design.mdx | 2 +- .../build-dns-policies/create-policy.mdx | 2 +- src/content/docs/radar/glossary.mdx | 2 +- .../reference-architecture/architectures/sase.mdx | 2 +- .../securing-guest-wireless-networks.mdx | 2 +- .../diagrams/sase/gateway-dns-for-isp.mdx | 8 ++++---- .../diagrams/sase/gateway-for-protective-dns.mdx | 6 +++--- .../diagrams/security/securing-data-in-use.mdx | 6 +++--- .../investigate/change-categorization.mdx | 4 ++-- .../investigate/investigate-threats.mdx | 2 +- .../access/modify-gateway-policy-precedence.mdx | 2 +- .../cloudflare-one/gateway/debugging-policies.mdx | 2 +- .../gateway/get-started/create-http-policy.mdx | 4 ++-- .../gateway/policies/check-user-identity.mdx | 2 +- .../cloudflare-one/gateway/policy-context.mdx | 2 +- .../gateway/selectors/application-dns.mdx | 2 +- .../gateway/selectors/application-http.mdx | 2 +- .../cloudflare-one/gateway/selectors/application.mdx | 2 +- .../gateway/selectors/category-options.mdx | 2 +- .../gateway/selectors/dns-content-categories.mdx | 2 +- .../selectors/net-http-content-categories.mdx | 2 +- .../gateway/selectors/security-categories.mdx | 2 +- .../gateway/selectors/security-risks.mdx | 2 +- .../cloudflare-one/gateway/selectors/users.mdx | 2 +- .../cloudflare-one/troubleshooting/gateway.mdx | 2 +- .../tunnel/troubleshoot-private-networks.mdx | 2 +- .../fundamentals/cybersafe-cipa-subcategories.mdx | 2 +- .../zero-trust/blocklist-security-categories.mdx | 2 +- .../zero-trust/content-categories-description.mdx | 2 +- .../reference/traffic-steering.mdx | 2 +- 87 files changed, 138 insertions(+), 118 deletions(-) rename src/content/docs/cloudflare-one/traffic-policies/{ => reference}/application-app-types.mdx (99%) rename src/content/docs/cloudflare-one/traffic-policies/{ => reference}/domain-categories.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{ => reference}/global-policies.mdx (98%) rename src/content/docs/cloudflare-one/traffic-policies/{ => reference}/identity-selectors.mdx (100%) create mode 100644 src/content/docs/cloudflare-one/traffic-policies/reference/index.mdx rename src/content/docs/cloudflare-one/traffic-policies/{ => reference}/order-of-enforcement.mdx (100%) rename src/content/docs/cloudflare-one/traffic-policies/{expression-syntax.mdx => reference/policy-expressions.mdx} (98%) diff --git a/public/__redirects b/public/__redirects index f254b9695e6..caf01ff1136 100644 --- a/public/__redirects +++ b/public/__redirects @@ -3006,3 +3006,11 @@ /cloudflare-one/traffic-policies/packet-filtering/* /cloudflare-one/traffic-policies/policy-types/packet-filtering/:splat 301 /cloudflare-one/traffic-policies/resolver-policies/* /cloudflare-one/traffic-policies/policy-types/resolver-policies/:splat 301 /cloudflare-one/traffic-policies/enable-ids/* /cloudflare-one/traffic-policies/policy-types/packet-filtering/ids/:splat 301 + +# Traffic policies: group reference pages under reference/ +/cloudflare-one/traffic-policies/application-app-types/* /cloudflare-one/traffic-policies/reference/application-app-types/:splat 301 +/cloudflare-one/traffic-policies/domain-categories/* /cloudflare-one/traffic-policies/reference/domain-categories/:splat 301 +/cloudflare-one/traffic-policies/global-policies/* /cloudflare-one/traffic-policies/reference/global-policies/:splat 301 +/cloudflare-one/traffic-policies/identity-selectors/* /cloudflare-one/traffic-policies/reference/identity-selectors/:splat 301 +/cloudflare-one/traffic-policies/order-of-enforcement/* /cloudflare-one/traffic-policies/reference/order-of-enforcement/:splat 301 +/cloudflare-one/traffic-policies/expression-syntax/* /cloudflare-one/traffic-policies/reference/policy-expressions/:splat 301 diff --git a/src/content/changelog/cloudflare-one/2026-05-27-cloudy-regex-assistance.mdx b/src/content/changelog/cloudflare-one/2026-05-27-cloudy-regex-assistance.mdx index 8bbae273ef1..efbd5bfde79 100644 --- a/src/content/changelog/cloudflare-one/2026-05-27-cloudy-regex-assistance.mdx +++ b/src/content/changelog/cloudflare-one/2026-05-27-cloudy-regex-assistance.mdx @@ -7,7 +7,7 @@ products: date: 2026-05-27 --- -[Cloudflare Gateway](/cloudflare-one/traffic-policies/) policy selectors which support regular expressions can now be authored in the dashboard using natural language. When building a [policy](/cloudflare-one/traffic-policies/expression-syntax/) with a regex-based selector (like `matches regex`), you can describe what you want to match in plain English and the Cloudflare Agent will generate and validate a corresponding regular expression. +[Cloudflare Gateway](/cloudflare-one/traffic-policies/) policy selectors which support regular expressions can now be authored in the dashboard using natural language. When building a [policy](/cloudflare-one/traffic-policies/reference/policy-expressions/) with a regex-based selector (like `matches regex`), you can describe what you want to match in plain English and the Cloudflare Agent will generate and validate a corresponding regular expression. ![Write policy regex using natural language](~/assets/images/changelog/cloudflare-one/gateway-regex-ai-generation.png) diff --git a/src/content/changelog/gateway/2025-05-14-domain-category-improvements.mdx b/src/content/changelog/gateway/2025-05-14-domain-category-improvements.mdx index d9cb405d851..681845f58a8 100644 --- a/src/content/changelog/gateway/2025-05-14-domain-category-improvements.mdx +++ b/src/content/changelog/gateway/2025-05-14-domain-category-improvements.mdx @@ -24,4 +24,4 @@ date: 2025-05-14 | Government | Government/Legal | | Redirect | URL Alias/Redirect | -Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/domain-categories/) to learn more. +Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/) to learn more. diff --git a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx index c759f396940..dc22f412196 100644 --- a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx +++ b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx @@ -50,4 +50,4 @@ This update is based on user feedback and aims to: --- -To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/traffic-policies/order-of-enforcement/). +To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/traffic-policies/reference/order-of-enforcement/). diff --git a/src/content/changelog/gateway/2025-07-28-Spam-domain-category-introduced.mdx b/src/content/changelog/gateway/2025-07-28-Spam-domain-category-introduced.mdx index 8fdc8ab2d97..bdc3d266a88 100644 --- a/src/content/changelog/gateway/2025-07-28-Spam-domain-category-introduced.mdx +++ b/src/content/changelog/gateway/2025-07-28-Spam-domain-category-introduced.mdx @@ -14,4 +14,4 @@ We have introduced a new Security Threat category called **Scam**. Relevant doma | 21 | Security Threats | 191 | Scam | -Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/domain-categories/) to learn more. +Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/) to learn more. diff --git a/src/content/changelog/gateway/2025-08-15-gemini-application-replaces-bard.mdx b/src/content/changelog/gateway/2025-08-15-gemini-application-replaces-bard.mdx index 295f092f251..ba6d21a5b48 100644 --- a/src/content/changelog/gateway/2025-08-15-gemini-application-replaces-bard.mdx +++ b/src/content/changelog/gateway/2025-08-15-gemini-application-replaces-bard.mdx @@ -7,4 +7,4 @@ The **Google Bard** application (ID: 1198) has been deprecated and fully removed Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. -For more information about application policies, please see the [Cloudflare Gateway documentation](/cloudflare-one/traffic-policies/application-app-types/). +For more information about application policies, please see the [Cloudflare Gateway documentation](/cloudflare-one/traffic-policies/reference/application-app-types/). diff --git a/src/content/changelog/gateway/2025-10-10-new-domain-categories.mdx b/src/content/changelog/gateway/2025-10-10-new-domain-categories.mdx index 0583881ed95..dbb45193ae7 100644 --- a/src/content/changelog/gateway/2025-10-10-new-domain-categories.mdx +++ b/src/content/changelog/gateway/2025-10-10-new-domain-categories.mdx @@ -14,4 +14,4 @@ We have added three new domain categories under the Technology parent category, | 26 | Technology | 192 | Remote Access | | 26 | Technology | 193 | Shareware/Freeware | -Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/domain-categories/) to learn more. +Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/) to learn more. diff --git a/src/content/changelog/gateway/2025-11-06-Applications-recategorised-plan.mdx b/src/content/changelog/gateway/2025-11-06-Applications-recategorised-plan.mdx index 6ae683bd709..adda672fc17 100644 --- a/src/content/changelog/gateway/2025-11-06-Applications-recategorised-plan.mdx +++ b/src/content/changelog/gateway/2025-11-06-Applications-recategorised-plan.mdx @@ -77,4 +77,4 @@ Once the applications have been fully remapped by January 30, 2026, you might ob | UPS | Shopping | Business | -For more information on creating HTTP policies, refer to [Applications and app types](/cloudflare-one/traffic-policies/application-app-types/). +For more information on creating HTTP policies, refer to [Applications and app types](/cloudflare-one/traffic-policies/reference/application-app-types/). diff --git a/src/content/changelog/gateway/2026-03-04-gateway-authorization-proxy-open-beta.mdx b/src/content/changelog/gateway/2026-03-04-gateway-authorization-proxy-open-beta.mdx index 514e857b47b..493b721161d 100644 --- a/src/content/changelog/gateway/2026-03-04-gateway-authorization-proxy-open-beta.mdx +++ b/src/content/changelog/gateway/2026-03-04-gateway-authorization-proxy-open-beta.mdx @@ -14,7 +14,7 @@ This is ideal for environments where you cannot deploy a device client, such as ### Key capabilities -- **Identity-aware proxy traffic** — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) like "only the Finance team can access this accounting tool." +- **Identity-aware proxy traffic** — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write [identity-based policies](/cloudflare-one/traffic-policies/reference/identity-selectors/) like "only the Finance team can access this accounting tool." - **Multiple identity providers** — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems. - **Cloudflare-hosted PAC files** — Create and host [PAC files](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at `https://pac.cloudflare-gateway.com//` on Cloudflare's global network. - **Simplified billing** — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track. diff --git a/src/content/changelog/gateway/2026-03-24-oidc-claims-filtering-gateway-policies.mdx b/src/content/changelog/gateway/2026-03-24-oidc-claims-filtering-gateway-policies.mdx index 4e70d7879fd..afed6c0c652 100644 --- a/src/content/changelog/gateway/2026-03-24-oidc-claims-filtering-gateway-policies.mdx +++ b/src/content/changelog/gateway/2026-03-24-oidc-claims-filtering-gateway-policies.mdx @@ -6,7 +6,7 @@ products: date: 2026-03-24 --- -Cloudflare Gateway now supports [OIDC Claims](/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims) as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types. +Cloudflare Gateway now supports [OIDC Claims](/cloudflare-one/traffic-policies/reference/identity-selectors/#oidc-claims) as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types. With this update, you can: @@ -18,4 +18,4 @@ For example, you can create a policy that routes traffic differently for users w To get started, configure [custom OIDC claims](/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) on your identity provider and use the **OIDC Claims** selector in the Gateway policy builder. -For more information, refer to [Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/). +For more information, refer to [Identity-based policies](/cloudflare-one/traffic-policies/reference/identity-selectors/). diff --git a/src/content/changelog/gateway/Gateway-application-categories-added.mdx b/src/content/changelog/gateway/Gateway-application-categories-added.mdx index ec9c5e87eb9..146561f31ed 100644 --- a/src/content/changelog/gateway/Gateway-application-categories-added.mdx +++ b/src/content/changelog/gateway/Gateway-application-categories-added.mdx @@ -27,4 +27,4 @@ We encourage you to use this time to: - Review the new category structure. - Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition. -For more information on creating HTTP policies, refer to [Applications and app types](/cloudflare-one/traffic-policies/application-app-types/). +For more information on creating HTTP policies, refer to [Applications and app types](/cloudflare-one/traffic-policies/reference/application-app-types/). diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx index 6880106a0b8..4d4f7fd2e0f 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx @@ -49,7 +49,7 @@ Existing **Private Network** applications continue to function and can still be | -------------- | -------- | ------------ | ------ | | Destination IP | in | `10.128.0.7` | Block | - Policies are evaluated in [numerical order](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/traffic-policies/policy-types/network-policies/). + Policies are evaluated in [numerical order](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/traffic-policies/policy-types/network-policies/). 9. Select **Add application**. diff --git a/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx index d4026f21d30..7cfa1a902c9 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx @@ -29,7 +29,7 @@ With Access policies, you can require users to open self-hosted applications in Traffic to the isolated Access application is filtered by your Gateway [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). Useful policies include: -- [Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) to allow or block requests based on user identity. +- [Identity-based policies](/cloudflare-one/traffic-policies/reference/identity-selectors/) to allow or block requests based on user identity. - [Data Loss Prevention policies](/cloudflare-one/data-loss-prevention/) to log or block transmission of sensitive data. - [Isolation policies](/cloudflare-one/remote-browser-isolation/isolation-policies/) to disable browser actions such as copy/paste, printing, or file downloads. diff --git a/src/content/docs/cloudflare-one/changelog/gateway.mdx b/src/content/docs/cloudflare-one/changelog/gateway.mdx index 398e9f52305..1fb5d16fcee 100644 --- a/src/content/docs/cloudflare-one/changelog/gateway.mdx +++ b/src/content/docs/cloudflare-one/changelog/gateway.mdx @@ -79,7 +79,7 @@ Gateway users can now select which endpoints to use for a given DNS location. Av **Gateway DNS policy setting to ignore CNAME category matches** -Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the [**Ignore CNAME domain categories** setting](/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories) in the policy builder and the [`ignore_cname_category_matches` setting](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) in the API. +Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the [**Ignore CNAME domain categories** setting](/cloudflare-one/traffic-policies/reference/domain-categories/#ignore-cname-domain-categories) in the policy builder and the [`ignore_cname_category_matches` setting](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) in the API. ## 2024-04-05 diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx index c73d9c8b6be..8b89c17cf0a 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx @@ -39,7 +39,7 @@ For more information on what file formats DLP can scan, refer to [Supported file ## Block uploads/downloads for specific users -You can configure access on a per-user or group basis by adding [identity-based conditions](/cloudflare-one/traffic-policies/identity-selectors/) to your policies. These selectors match against user attributes from your configured identity provider. +You can configure access on a per-user or group basis by adding [identity-based conditions](/cloudflare-one/traffic-policies/reference/identity-selectors/) to your policies. These selectors match against user attributes from your configured identity provider. The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps. Users who are not in the _Contractors_ group are not affected by this policy. diff --git a/src/content/docs/cloudflare-one/faq/policies-faq.mdx b/src/content/docs/cloudflare-one/faq/policies-faq.mdx index 4e66d6395bc..6e0fef099a0 100644 --- a/src/content/docs/cloudflare-one/faq/policies-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/policies-faq.mdx @@ -17,7 +17,7 @@ tags: ## What is the order of policy enforcement? -Gateway and Access policies generally trigger from top to bottom based on their position in the policy table in the UI. Exceptions include Bypass and Service Auth policies, which Access evaluates first. Similarly, for Gateway HTTP policies, Do Not Inspect and Isolate policies take precedence over all Allow or Block policies. To learn more about order of enforcement, refer to our documentation for [Access policies](/cloudflare-one/access-controls/policies/#order-of-execution) and [Gateway policies](/cloudflare-one/traffic-policies/order-of-enforcement/). +Gateway and Access policies generally trigger from top to bottom based on their position in the policy table in the UI. Exceptions include Bypass and Service Auth policies, which Access evaluates first. Similarly, for Gateway HTTP policies, Do Not Inspect and Isolate policies take precedence over all Allow or Block policies. To learn more about order of enforcement, refer to our documentation for [Access policies](/cloudflare-one/access-controls/policies/#order-of-execution) and [Gateway policies](/cloudflare-one/traffic-policies/reference/order-of-enforcement/). ## **How can I bypass the L7 firewall for a website?** diff --git a/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx b/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx index 75a1df8fc91..564ed816af7 100644 --- a/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx +++ b/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx @@ -111,7 +111,7 @@ You can use the [GraphQL Analytics API](/analytics/graphql-api/) to query your G | `gatewayResolverQueriesAdaptiveGroups` | Metrics for Gateway DNS queries with adaptive sampling. | | `gatewayResolverByRuleExecutionPerformanceAdaptiveGroups` | Time to execute Gateway DNS policies on the Cloudflare global network. | | `gatewayResolverByCustomResolverGroups` | Metrics for Gateway DNS queries resolved using custom resolvers. | -| `gatewayResolverByCategoryAdaptiveGroups` | Metrics for Gateway DNS queries sorted by [domain category](/cloudflare-one/traffic-policies/domain-categories/) with adaptive sampling. | +| `gatewayResolverByCategoryAdaptiveGroups` | Metrics for Gateway DNS queries sorted by [domain category](/cloudflare-one/traffic-policies/reference/domain-categories/) with adaptive sampling. | To explore the schema, you can use a GraphQL client such as [GraphiQL](https://github.com/graphql/graphiql/tree/main/packages/graphiql#readme) or [Altair](https://altairgraphql.dev/). diff --git a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx index ffe718a5f3d..bd4eafbc063 100644 --- a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx +++ b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx @@ -41,7 +41,7 @@ Review the Shadow IT SaaS analytics dashboard for application usage. Filter the | Field | Description | | ---------------- | ---------------------------------------------------------------------------------------------------------------------------- | | Application | SaaS application's name and logo. | - | Application type | [Application type](/cloudflare-one/traffic-policies/application-app-types/#app-types) assigned by Cloudflare One. | + | Application type | [Application type](/cloudflare-one/traffic-policies/reference/application-app-types/#app-types) assigned by Cloudflare One. | | Status | Application's approval status. | | Secured | Whether the application is currently secured behind Cloudflare Access. | | Users | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page. | diff --git a/src/content/docs/cloudflare-one/insights/dex/rules.mdx b/src/content/docs/cloudflare-one/insights/dex/rules.mdx index 0823f895e22..cc390180976 100644 --- a/src/content/docs/cloudflare-one/insights/dex/rules.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/rules.mdx @@ -34,14 +34,14 @@ Review the available selectors and their scope in the following list. | Selector | Description | | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -| **User email** | For specifying [user emails](/cloudflare-one/traffic-policies/identity-selectors/#user-email). | -| **User group emails** | For specifying [group emails](/cloudflare-one/traffic-policies/identity-selectors/#user-group-email). | -| **User group IDs** | For specifying [group IDs](/cloudflare-one/traffic-policies/identity-selectors/#user-group-ids). | -| **User group names** | For specifying a [group name](/cloudflare-one/traffic-policies/identity-selectors/#user-group-names). | +| **User email** | For specifying [user emails](/cloudflare-one/traffic-policies/reference/identity-selectors/#user-email). | +| **User group emails** | For specifying [group emails](/cloudflare-one/traffic-policies/reference/identity-selectors/#user-group-email). | +| **User group IDs** | For specifying [group IDs](/cloudflare-one/traffic-policies/reference/identity-selectors/#user-group-ids). | +| **User group names** | For specifying a [group name](/cloudflare-one/traffic-policies/reference/identity-selectors/#user-group-names). | | **Operating systems** | For specifying operating systems. | | **Operating system version** | For specifying an operating system version (use Operator `in`) or versions (use Operator `is`). | | **Managed network** | For specifying users accessing the network from the office (managed network) compared to those accessing remotely. | -| **SAML attributes** | For specifying a value from the [SAML Attribute Assertion](/cloudflare-one/traffic-policies/identity-selectors/#saml-attributes). | +| **SAML attributes** | For specifying a value from the [SAML Attribute Assertion](/cloudflare-one/traffic-policies/reference/identity-selectors/#saml-attributes). | | **Colos** | For specifying a Cloudflare data center (colocation) that users are connected to. | ## Add a rule to a test diff --git a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx index 0c5f1c1a6d5..c1b33a7a74b 100644 --- a/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/index.mdx @@ -100,7 +100,7 @@ These settings only apply to logs displayed in Cloudflare One. Logpush data is u | ------------------------------------------ | ----------------------------------------------------------------------------------------------------- | | **Query ID** | UUID of the query assigned by Cloudflare. | | **Query type** | Type of [DNS query](https://en.wikipedia.org/wiki/List_of_DNS_record_types). | -| **Initial query domain categories** | [Content categories](/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. | +| **Initial query domain categories** | [Content categories](/cloudflare-one/traffic-policies/reference/domain-categories/) that the domain belongs to. | | **Matched categories** | Name of the Gateway policy category that match the domain. | | **Matched indicator feed names** | Name of the indicator feeds that matched a Gateway policy. | | **Query indicator feed names** | Name of the indicator feeds that a matched domain or IP belongs to. | @@ -282,7 +282,7 @@ Gateway does not log HTTP bodies. The exception is error requests: when an HTTP | **Category details** | Detailed information on the category the blocked file belongs to. | | **Application ID** | ID of the application that matched the domain. | | **Application name** | Name of the application that matched the domain. | -| **Categories** | [Content categories](/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. | +| **Categories** | [Content categories](/cloudflare-one/traffic-policies/reference/domain-categories/) that the domain belongs to. | | **Proxy endpoint** | [PAC file proxy endpoint](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) Gateway forwarded traffic to, if applicable. | | **Virtual Network** | [Virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. | | **Sandbox scanned** | Status of the [file quarantine](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/). | diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx index 3c01fb71420..01364c5fa5a 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx @@ -256,7 +256,7 @@ When [SCIM synchronization is enabled](#synchronize-users-and-groups), your Entr If building an Access policy, choose the _Azure Groups_ selector. ![Azure group names displayed in the Access policy builder](~/assets/images/cloudflare-one/identity/azure/azure-scim-groups.png) -If building a Gateway policy, choose the [_User Group Names_](/cloudflare-one/traffic-policies/identity-selectors/#user-group-names) selector. +If building a Gateway policy, choose the [_User Group Names_](/cloudflare-one/traffic-policies/reference/identity-selectors/#user-group-names) selector. ### Manual entry diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx index 2f14e4fdee0..bea2a81ec9e 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx @@ -146,7 +146,7 @@ If you would like to build policies based on IdP groups: ### Custom OIDC claims -All OIDC IdP integrations support the use of custom OIDC claims. Once configured, Access will add the claims to the [Access JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) for consumption by your origin services. You can reference the custom OIDC claims in [Access policies](/cloudflare-one/access-controls/policies/) and [Gateway policies](/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims), offering a means to control user access to applications based on custom identity attributes. +All OIDC IdP integrations support the use of custom OIDC claims. Once configured, Access will add the claims to the [Access JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) for consumption by your origin services. You can reference the custom OIDC claims in [Access policies](/cloudflare-one/access-controls/policies/) and [Gateway policies](/cloudflare-one/traffic-policies/reference/identity-selectors/#oidc-claims), offering a means to control user access to applications based on custom identity attributes. To add a custom OIDC claim to an IdP integration: @@ -163,7 +163,7 @@ To add a custom OIDC claim to an IdP integration: }, ``` -You can now build an Access policy for the custom claim using the **OIDC Claim** or **IdP OIDC Claim** selector. You can also use custom OIDC claims as [identity-based selectors in Gateway policies](/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims). The custom claim will be passed to origins behind Access in a [JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/#custom-saml-attributes-and-oidc-claims). +You can now build an Access policy for the custom claim using the **OIDC Claim** or **IdP OIDC Claim** selector. You can also use custom OIDC claims as [identity-based selectors in Gateway policies](/cloudflare-one/traffic-policies/reference/identity-selectors/#oidc-claims). The custom claim will be passed to origins behind Access in a [JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/#custom-saml-attributes-and-oidc-claims). #### Email claim diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/okta-saml.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/okta-saml.mdx index 79f3808c723..f6a2996fee1 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/okta-saml.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/okta-saml.mdx @@ -75,7 +75,7 @@ To set up SAML with Okta as your identity provider: 16. (Recommended) Enable **Sign SAML authentication request**. -17. (Recommended) Under **SAML attributes**, add the `email` and `groups` attributes. The `groups` attribute is required if you want to create policies based on [Okta groups](/cloudflare-one/traffic-policies/identity-selectors/#okta-saml). +17. (Recommended) Under **SAML attributes**, add the `email` and `groups` attributes. The `groups` attribute is required if you want to create policies based on [Okta groups](/cloudflare-one/traffic-policies/reference/identity-selectors/#okta-saml). ![Adding optional SAML attributes in Cloudflare One](~/assets/images/cloudflare-one/identity/okta-saml/okta-saml-6.png) diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx index 8d77da5c61c..bfd1d9cf814 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx @@ -69,7 +69,7 @@ Use the following troubleshooting strategies if you are running into issues whil - Ensure that end-user devices are enrolled into the Cloudflare One Client by visiting [https://help.teams.cloudflare.com](https://help.teams.cloudflare.com). -- Double-check the [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) for your [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). Ensure that a more global Block or Allow policy will not supersede application-specific policies. +- Double-check the [order of precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence) for your [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). Ensure that a more global Block or Allow policy will not supersede application-specific policies. - Check your [Gateway network logs](/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/#network-logs) to see whether your UDP DNS resolutions are being allowed or blocked. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx index 587bbe13d63..c1697bb4002 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx @@ -55,7 +55,7 @@ To establish a secure, outbound-only connection to Cloudflare: ## 4. (Recommended) Create a Gateway policy -You can configure [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and the second blocks all other traffic. Make sure that the Allow policy has higher [priority](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). +You can configure [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and the second blocks all other traffic. Make sure that the Allow policy has higher [priority](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence). ### 1. Allow secured devices diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https.mdx index e4e21adc010..567f732343f 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https.mdx @@ -311,4 +311,4 @@ If the site is blocked and you have turned on the [block page](/cloudflare-one/r
-You can verify that the request was associated with the correct user email by checking your [Gateway DNS logs](/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). To filter these requests, build a DNS policy using any of the Gateway [identity-based selectors](/cloudflare-one/traffic-policies/identity-selectors/). +You can verify that the request was associated with the correct user email by checking your [Gateway DNS logs](/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). To filter these requests, build a DNS policy using any of the Gateway [identity-based selectors](/cloudflare-one/traffic-policies/reference/identity-selectors/). diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx index 33944443fa6..005a18d4040 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx @@ -533,7 +533,7 @@ Each type of proxy endpoint supports the following features: | **Non-HTTP TCP traffic** | ✅ | — | | **UDP traffic** | — | — | | **[HTTP3](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/)** | — | — | -| **[Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/)** | — | ✅ | +| **[Identity-based policies](/cloudflare-one/traffic-policies/reference/identity-selectors/)** | — | ✅ | | **mTLS authentication** | — | — | | **[Happy Eyeballs](https://datatracker.ietf.org/doc/html/rfc6555)** | — | — | | **Browser HTTPS auto-upgrade** | —[^3] | —[^3] | diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx index 81deb161780..c958372fa0a 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx @@ -8,7 +8,7 @@ sidebar: order: 5 --- -On-ramps are the methods used to route traffic from your network to Cloudflare for inspection. With Cloudflare One, you can isolate HTTP traffic from on-ramps such as [proxy endpoints](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) (which your browser connects to via PAC files to send traffic through Gateway) or [Cloudflare WAN](/cloudflare-wan/zero-trust/cloudflare-gateway/) (formerly Magic WAN, which connects your network to Cloudflare through GRE or IPsec tunnels). Since these on-ramps do not require users to log in to the Cloudflare One Client, [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) are not supported. +On-ramps are the methods used to route traffic from your network to Cloudflare for inspection. With Cloudflare One, you can isolate HTTP traffic from on-ramps such as [proxy endpoints](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) (which your browser connects to via PAC files to send traffic through Gateway) or [Cloudflare WAN](/cloudflare-wan/zero-trust/cloudflare-gateway/) (formerly Magic WAN, which connects your network to Cloudflare through GRE or IPsec tunnels). Since these on-ramps do not require users to log in to the Cloudflare One Client, [identity-based policies](/cloudflare-one/traffic-policies/reference/identity-selectors/) are not supported. :::note diff --git a/src/content/docs/cloudflare-one/team-and-resources/app-library.mdx b/src/content/docs/cloudflare-one/team-and-resources/app-library.mdx index 6ad23ef97a7..d163b4fff2b 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/app-library.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/app-library.mdx @@ -14,9 +14,9 @@ import { Render, GlossaryTooltip } from "~/components"; The Application Library allows users to manage their SaaS applications in Cloudflare One by consolidating views across all relevant products: [Gateway](/cloudflare-one/traffic-policies/), [Access](/cloudflare-one/access-controls/policies/), and [Cloud Access Security Broker (CASB)](/cloudflare-one/integrations/cloud-and-saas/). The App Library provides visibility and control for available applications, as well as the ability to view categorized hostnames and manage configuration for Access for SaaS and Gateway policies. For example, you can use the App Library to review how Gateway uses specific hostnames to match against application traffic. -To access the App Library in the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Application library**. Each application card will list the number of hostnames associated with the application, the supported Cloudflare One product usage, and the [app type](/cloudflare-one/traffic-policies/application-app-types/#app-types). +To access the App Library in the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Application library**. Each application card will list the number of hostnames associated with the application, the supported Cloudflare One product usage, and the [app type](/cloudflare-one/traffic-policies/reference/application-app-types/#app-types). -The App Library groups [Do Not Inspect applications](/cloudflare-one/traffic-policies/application-app-types/#do-not-inspect-applications) within the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. Traffic that does not match a known application will not be included in the App Library. +The App Library groups [Do Not Inspect applications](/cloudflare-one/traffic-policies/reference/application-app-types/#do-not-inspect-applications) within the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. Traffic that does not match a known application will not be included in the App Library. ## View application details @@ -29,7 +29,7 @@ The **Overview** tab shows details about an application, including: - Name - Shadow IT [review status](#review-applications) - Number of hostnames -- [App type](/cloudflare-one/traffic-policies/application-app-types/#app-types) +- [App type](/cloudflare-one/traffic-policies/reference/application-app-types/#app-types) - Supported Cloudflare One applications - Application ID for use with the API and Terraform diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips.mdx index 37fcc00fd1e..171076f2586 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips.mdx @@ -116,7 +116,7 @@ Apply a device profile based on the user's email. #### User group emails -Apply a device IP profile based on an [IdP group](/cloudflare-one/traffic-policies/identity-selectors/#idp-groups-in-gateway) email address of which the user is configured as a member in the IdP. +Apply a device IP profile based on an [IdP group](/cloudflare-one/traffic-policies/reference/identity-selectors/#idp-groups-in-gateway) email address of which the user is configured as a member in the IdP. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles.mdx index 97e5ec779bf..f56571757ce 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles.mdx @@ -153,7 +153,7 @@ Apply a device profile based on the user's email. ### User group emails -Apply a device profile based on an [IdP group](/cloudflare-one/traffic-policies/identity-selectors/#idp-groups-in-gateway) email address of which the user is configured as a member in the IdP. +Apply a device profile based on an [IdP group](/cloudflare-one/traffic-policies/reference/identity-selectors/#idp-groups-in-gateway) email address of which the user is configured as a member in the IdP. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels.mdx index f638fffbfda..c40bea3c363 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels.mdx @@ -73,7 +73,7 @@ Domain-based split tunneling has a few ramifications you should be aware of befo - Routes excluded or included from Cloudflare One Client and Gateway visibility may change day to day, and may be different for each user depending on where they are. - You may inadvertently exclude or include additional hostnames that happen to share an IP address. This commonly occurs if you add a domain hosted by a CDN or large Internet provider such as Cloudflare, AWS, or Azure. For example, if you wanted to exclude a VPN hosted on AWS, do not add `*.amazonaws.com` as that will open up your devices to all traffic on AWS. Instead, add the specific VPN endpoint (`*.cvpn-endpoint-.prod.clientvpn.us-west-2.amazonaws.com`). -- Most services are a collection of hostnames. Until Split Tunnels mode supports [App Types](/cloudflare-one/traffic-policies/application-app-types/), you will need to manually add all domains used by a particular app or service. +- Most services are a collection of hostnames. Until Split Tunnels mode supports [App Types](/cloudflare-one/traffic-policies/reference/application-app-types/), you will need to manually add all domains used by a particular app or service. - The Cloudflare One Client must handle the DNS lookup request for the domain. If a DNS result has been previously cached by the operating system or otherwise intercepted (for example, via your browser's secure DNS settings), the IP address will not be dynamically added to your Split Tunnel. ### Valid domains diff --git a/src/content/docs/cloudflare-one/team-and-resources/users/risk-score.mdx b/src/content/docs/cloudflare-one/team-and-resources/users/risk-score.mdx index 03b5a17f1ae..8e88fea6d10 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/users/risk-score.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/users/risk-score.mdx @@ -69,8 +69,8 @@ By default, all predefined behaviors are disabled. When a behavior is enabled, C | CrowdStrike Low ZTA security score| [CrowdStrike integration](/cloudflare-one/integrations/service-providers/crowdstrike/)| A user's device reports a score between 0-50 for any CrowdStrike Zero Trust Assessment attribute (OS Score, Overall Score, or Sensor Config score). Refer to [CrowdStrike device posture attributes](/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes) for more information.| Ingested via service-to-service API. Frequency is administrator-configurable during device posture setup to align with CrowdStrike's API rate limits. | | CrowdStrike Medium ZTA security score| [CrowdStrike integration](/cloudflare-one/integrations/service-providers/crowdstrike/)| A user's device reports a score between 50-79 for any CrowdStrike Zero Trust Assessment attribute (OS Score, Overall Score, or Sensor Config score). Refer to [CrowdStrike device posture attributes](/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes) for more information. | Ingested via service-to-service API. Frequency is administrator-configurable during device posture setup to align with CrowdStrike's API rate limits. | | Interaction with Malicious File | [Gateway AV scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/) or [File sandboxing](/cloudflare-one/traffic-policies/policy-types/http-policies/file-sandboxing/) | User uploads or downloads a file flagged as malicious by Gateway's AV scanner or file sandboxing. Risk is elevated even if the file is blocked. | Evaluated per-request in milliseconds. | -| Suspicious Security Domain Visited | [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) | User visits a domain categorized as a security risk or security threat. Refer to [domain categories](/cloudflare-one/traffic-policies/domain-categories/) for the full list. Risk is elevated even if the traffic is blocked. | Evaluated per-request in milliseconds. | -| High Risk Domain Visited | [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) | User visits a domain categorized as questionable content, violence, or CIPA. Refer to [domain categories](/cloudflare-one/traffic-policies/domain-categories/) for the full list. Risk is elevated even if the traffic is blocked. | Evaluated per-request in milliseconds. | +| Suspicious Security Domain Visited | [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) | User visits a domain categorized as a security risk or security threat. Refer to [domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/) for the full list. Risk is elevated even if the traffic is blocked. | Evaluated per-request in milliseconds. | +| High Risk Domain Visited | [Gateway DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) | User visits a domain categorized as questionable content, violence, or CIPA. Refer to [domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/) for the full list. Risk is elevated even if the traffic is blocked. | Evaluated per-request in milliseconds. | ## Manage risk behaviors To toggle risk behaviors, go to **Risk score** > **Risk behaviors**. diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/dns.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/dns.mdx index 9f655a917ed..dc3c5134571 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/dns.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/dns.mdx @@ -77,7 +77,7 @@ A DNS policy has two parts: a **traffic condition** that defines which queries t 2. In the **DNS** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, use the condition builder to define which DNS queries this policy applies to. Select a selector (such as **Security Categories**), an operator (such as **in**), and one or more values. -5. Choose an **Action** to take when traffic matches the condition. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories): +5. Choose an **Action** to take when traffic matches the condition. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories): @@ -59,7 +59,7 @@ To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/z ## Block security threats -Block [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. +Block [security categories](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. -Policies with Allow actions explicitly permit DNS queries to resolve. Gateway uses a [first-match principle](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), which means that if an Allow policy matches a query at a higher precedence than a Block policy, the query will be allowed to resolve. For example, the following configuration allows DNS queries to reach domains categorized as belonging to the Education content category: +Policies with Allow actions explicitly permit DNS queries to resolve. Gateway uses a [first-match principle](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence), which means that if an Allow policy matches a query at a higher precedence than a Block policy, the query will be allowed to resolve. For example, the following configuration allows DNS queries to reach domains categorized as belonging to the Education content category: | Selector | Operator | Value | Action | | ------------------ | -------- | ----------- | ------ | @@ -302,7 +302,7 @@ Each selector is evaluated during a specific phase of the DNS resolution process - **During DNS resolution** — Gateway inspects information discovered while resolving the query (for example, the authoritative nameserver IP). - **After DNS resolution** — Gateway inspects the DNS answer (for example, the resolved IP or CNAME record) after resolution completes. -The Override action cannot be used with selectors evaluated during or after DNS resolution, because the override must be applied before the answer is returned. For more information on how evaluation phase interacts with precedence, refer to [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#dns-policies). +The Override action cannot be used with selectors evaluated during or after DNS resolution, because the override must be applied before the answer is returned. For more information on how evaluation phase interacts with precedence, refer to [order of enforcement](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#dns-policies). ### Application @@ -445,7 +445,7 @@ Use this selector to filter based on the IP addresses that the query resolves to ### Request Context Categories -Use this selector to match a dynamic list of [category IDs](/cloudflare-one/traffic-policies/domain-categories/#category-and-subcategory-ids) sent in the [EDNS (Extension Mechanisms for DNS)](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. EDNS allows extra metadata to be attached to a DNS query beyond the standard fields. Gateway reads category IDs from the EDNS OPT code `65050`. +Use this selector to match a dynamic list of [category IDs](/cloudflare-one/traffic-policies/reference/domain-categories/#category-and-subcategory-ids) sent in the [EDNS (Extension Mechanisms for DNS)](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. EDNS allows extra metadata to be attached to a DNS query beyond the standard fields. Gateway reads category IDs from the EDNS OPT code `65050`. | UI name | API example | Evaluation phase | | -------------------------- | ------------------------------------------- | --------------------- | diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/index.mdx index a1295dccb5e..df6e63a2c41 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/egress-policies/index.mdx @@ -73,7 +73,7 @@ Without a catch-all policy, any traffic that does not match an explicit egress p | --------------------- | -------- | -------- | ------------------------ | -------------------------------- | | Default egress policy | Protocol | in | `All options (Protocol)` | Cloudflare default egress method | -Gateway policies evaluate from [top to bottom](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) in the UI. Place the catch-all policy at the bottom of the list so that more specific policies are evaluated first. +Gateway policies evaluate from [top to bottom](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence) in the UI. Place the catch-all policy at the bottom of the list so that more specific policies are evaluated first. ## Egress methods diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies.mdx index a95062dbc91..9d72e3db318 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies.mdx @@ -146,7 +146,7 @@ Block content categories which go against your organization's acceptable use pol Certain client applications, such as Zoom or Apple services, rely on certificate pinning. These applications verify they are connecting directly to their own servers and will reject Gateway's TLS inspection certificate. To avoid connection errors, you must add a Do Not Inspect HTTP policy for these applications. -Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies), regardless of their position in the policy list. Cloudflare recommends moving your Do Not Inspect policies to the top of the list to reduce confusion. +Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#http-policies), regardless of their position in the policy list. Cloudflare recommends moving your Do Not Inspect policies to the top of the list to reduce confusion. diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/http3.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/http3.mdx index 33f8f554784..d4dfc27398a 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/http3.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/http3.mdx @@ -15,7 +15,7 @@ import { Details } from "~/components"; HTTP/3 uses the QUIC protocol over UDP instead of TCP. Because Gateway's default proxy only handles TCP traffic, HTTP/3 inspection requires turning on the UDP proxy. Without it, HTTP/3 traffic bypasses HTTP inspection. [Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) still apply to the underlying UDP traffic. -Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#http3-traffic). +Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#http3-traffic). ## Turn on HTTP/3 inspection diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx index fc2e9794929..9a2195deceb 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx @@ -245,7 +245,7 @@ Information contained within HTTPS encryption, such as the full requested URL, w Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indication (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations). :::note -All Do Not Inspect policies are evaluated before any Allow or Block policies, regardless of their position in the policy list. For more information, refer to [Order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies). +All Do Not Inspect policies are evaluated before any Allow or Block policies, regardless of their position in the policy list. For more information, refer to [Order of enforcement](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#http-policies). ::: ### Do Not Isolate diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control.mdx index f7d50200732..c232b78ee5e 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/tenant-control.mdx @@ -50,7 +50,7 @@ Depending on which SaaS application your organization needs access to, different ### Microsoft 365 -Microsoft 365 tenant control requires two policies. When you order your policies, make sure they follow [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). +Microsoft 365 tenant control requires two policies. When you order your policies, make sure they follow [order of precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence). | Precedence | Selector | Operator | Value | Action | Untrusted certificate action | | ---------- | -------- | -------- | ---------------- | ------ | ---------------------------- | diff --git a/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx similarity index 99% rename from src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx rename to src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx index 2c2b130e305..79daaa183aa 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx @@ -97,7 +97,7 @@ For more information, refer to [Application Granular Controls](/cloudflare-one/t Overlapping hostnames are most common for vendors with many applications, such as Google or Meta. When you use the Application selector in Gateway policies, actions taken by Gateway will be limited to the specific application defined. Gateway will also log other applications that use the same hostnames, but it will not take action unless the application was matched by the policy. For example, both the Facebook and Facebook Messenger apps use the `chat-e2ee.facebook.com` hostname. When evaluating traffic to the Facebook Messenger app, Gateway will only take action on Facebook Messenger traffic but may log both the Facebook and Facebook Messenger apps. -To ensure Gateway evaluates traffic with your desired precedence, order your most specific policies with the highest priority according to [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#priority-within-a-policy-builder). +To ensure Gateway evaluates traffic with your desired precedence, order your most specific policies with the highest priority according to [order of precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#priority-within-a-policy-builder). ### Do Not Inspect applications diff --git a/src/content/docs/cloudflare-one/traffic-policies/domain-categories.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/domain-categories.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/domain-categories.mdx rename to src/content/docs/cloudflare-one/traffic-policies/reference/domain-categories.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/global-policies.mdx similarity index 98% rename from src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/reference/global-policies.mdx index 64308a2ccb3..a35bcb13d39 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/reference/global-policies.mdx @@ -14,7 +14,7 @@ Cloudflare Zero Trust applies a set of global policies to all accounts. These po Zero Trust logs prepend an identifier to global policy names. For example, matches for the global policy **Allow Zero Trust Services** will appear in your logs with the name **Global Policy - Allow Zero Trust Services**. -The following policies are sorted by [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) within each policy type. +The following policies are sorted by [order of precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence) within each policy type. ## DNS resolution policies @@ -87,6 +87,6 @@ Gateway enforces global DNS and resolver policies before any other policies. Thi | Bypass OCSP | `00000001-34ce-47c7-ad0f-199f46eba194` | Application | Online Certificate Status Protocol | bypass | Enables OCSP stapling. | | Allow Access Apps L7 | `00000001-8d6b-4951-8a18-3bbc9010976c` | Hostname | `*.cloudflareaccess.com` and `*.fed.cloudflareaccess.com` | allow | Allows Cloudflare Access applications. | | Prevent Block Page Loop | `00000001-48b1-4ade-93c1-f0f3759dc19c` | Hostname | `blocked.teams.cloudflare.com` and `blocked.teams.fed.cloudflare.com` | bypass | Prevents an infinite loop on the Gateway block page. | -| Always Blocked Categories | `00000001-bed5-462e-b0f1-2e2c3555e9f7` | Content Category | [Child Abuse category](/cloudflare-one/traffic-policies/domain-categories/#category-and-subcategory-ids) | block | Blocks child abuse materials (CSAM). | +| Always Blocked Categories | `00000001-bed5-462e-b0f1-2e2c3555e9f7` | Content Category | [Child Abuse category](/cloudflare-one/traffic-policies/reference/domain-categories/#category-and-subcategory-ids) | block | Blocks child abuse materials (CSAM). | | Don't Isolate RBI Help Pages | `00000001-1a18-431f-9c9d-bce431f1002a` | Hostname | `developers.cloudflare.com` and `help.cloudflarebrowser.com` | noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues. | | Don't AV Scan CF Speed | `00000001-c194-408f-87dd-9a366ce76e12` | Hostname | `speed.cloudflare.com` | noscan | Allows files transferred by the Cloudflare speed test. | diff --git a/src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/identity-selectors.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx rename to src/content/docs/cloudflare-one/traffic-policies/reference/identity-selectors.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/reference/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/index.mdx new file mode 100644 index 00000000000..dbe3b1249d3 --- /dev/null +++ b/src/content/docs/cloudflare-one/traffic-policies/reference/index.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: navigation +title: Reference +sidebar: + order: 6 +--- + +import { DirectoryListing } from "~/components"; + +This section contains reference documentation for Cloudflare Gateway traffic policies. + + diff --git a/src/content/docs/cloudflare-one/traffic-policies/order-of-enforcement.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/order-of-enforcement.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/order-of-enforcement.mdx rename to src/content/docs/cloudflare-one/traffic-policies/reference/order-of-enforcement.mdx diff --git a/src/content/docs/cloudflare-one/traffic-policies/expression-syntax.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/policy-expressions.mdx similarity index 98% rename from src/content/docs/cloudflare-one/traffic-policies/expression-syntax.mdx rename to src/content/docs/cloudflare-one/traffic-policies/reference/policy-expressions.mdx index 20d1bfc32e8..87b07cc98d0 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/expression-syntax.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/reference/policy-expressions.mdx @@ -166,5 +166,5 @@ Do not reference the [Ruleset Engine fields reference](/ruleset-engine/rules-lan - [DNS policies](/cloudflare-one/traffic-policies/policy-types/dns-policies/) - [HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/) - [Network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) -- [Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) +- [Identity-based policies](/cloudflare-one/traffic-policies/reference/identity-selectors/) - [Lists](/cloudflare-one/reusable-components/lists/) diff --git a/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/organizations.mdx b/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/organizations.mdx index 7d4dbe2edcc..3db30a70ecf 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/organizations.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/tiered-policies/organizations.mdx @@ -177,7 +177,7 @@ To modify share recipients or unshare the setting, select the three-dot menu and ### Share extended email address matching -To share your [extended email address matching](/cloudflare-one/traffic-policies/identity-selectors/#extended-email-addresses) settings from a source account to a recipient account: +To share your [extended email address matching](/cloudflare-one/traffic-policies/reference/identity-selectors/#extended-email-addresses) settings from a source account to a recipient account: 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Traffic settings**. 2. In **Firewall** > **Matched extended email address**, select the three-dot menu and choose **Share**. diff --git a/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx b/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx index 053bf68f124..95b0e551b2d 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx @@ -58,7 +58,7 @@ A common point of confusion is how Gateway evaluates its different policy types You have a high-precedence Allow or Do Not Scan policy for a specific application (such as Allow finance.example.com), but Gateway still block traffic with a low-precedence Block policy (such as Block All High-Risk Sites). -The most important concept is [Gateway policy precedence](/cloudflare-one/traffic-policies/order-of-enforcement/), which Gateway enforces based on the policy's order number. A lower order number in the list means a higher precedence. Gateway stops processing further policies when it encounters the first rule that matches. +The most important concept is [Gateway policy precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/), which Gateway enforces based on the policy's order number. A lower order number in the list means a higher precedence. Gateway stops processing further policies when it encounters the first rule that matches. To resolve Gateway policy precedence issues: diff --git a/src/content/docs/cloudflare-one/tutorials/deploy-client-headless-linux.mdx b/src/content/docs/cloudflare-one/tutorials/deploy-client-headless-linux.mdx index bdd620ace9d..564aeb83307 100644 --- a/src/content/docs/cloudflare-one/tutorials/deploy-client-headless-linux.mdx +++ b/src/content/docs/cloudflare-one/tutorials/deploy-client-headless-linux.mdx @@ -14,7 +14,7 @@ tags: import { Render, GlossaryTooltip } from "~/components"; -This tutorial explains how to deploy the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on Linux devices using a service token and an installation script. This deployment workflow is designed for headless servers - that is, servers which do not have access to a browser for identity provider logins - and for situations where you want to fully automate the onboarding process. Because devices will not register through an identity provider, [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) and logging will be unavailable. +This tutorial explains how to deploy the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on Linux devices using a service token and an installation script. This deployment workflow is designed for headless servers - that is, servers which do not have access to a browser for identity provider logins - and for situations where you want to fully automate the onboarding process. Because devices will not register through an identity provider, [identity-based policies](/cloudflare-one/traffic-policies/reference/identity-selectors/) and logging will be unavailable. :::note This tutorial focuses on deploying the Cloudflare One Client as an endpoint device agent. If you are looking to deploy the Cloudflare One Client as a gateway to a private network, refer to the [Cloudflare Mesh documentation](/cloudflare-one/networks/connectors/cloudflare-mesh/). diff --git a/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx index 3880f82bb29..ce824ed0209 100644 --- a/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx @@ -37,7 +37,7 @@ Make sure you have: 2. Select **Add a policy**. -3. Name your policy, then add conditions to check users are configured in Microsoft Entra ID. For example, you can check for [identity conditions](/cloudflare-one/traffic-policies/identity-selectors/): +3. Name your policy, then add conditions to check users are configured in Microsoft Entra ID. For example, you can check for [identity conditions](/cloudflare-one/traffic-policies/reference/identity-selectors/): | Selector | Operator | Value | | ---------------- | -------- | --------------------------------------------- | diff --git a/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx b/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx index 8e6e4772f2c..e64cf428ff4 100644 --- a/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx +++ b/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx @@ -89,7 +89,7 @@ Create a catch-all policy for users in regions without a dedicated DNS server, o ## 3. Configure policy order -Gateway will apply resolver policies based on [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). Ensure your policies are ordered from most specific to least specific: +Gateway will apply resolver policies based on [order of precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence). Ensure your policies are ordered from most specific to least specific: 1. Go to **Traffic policies** > **Resolver policies**. 2. Use the drag handle to reorder policies: diff --git a/src/content/docs/cloudflare-wan/configuration/appliance/network-options/application-based-policies/index.mdx b/src/content/docs/cloudflare-wan/configuration/appliance/network-options/application-based-policies/index.mdx index f1b37b117ad..c157cb128e0 100644 --- a/src/content/docs/cloudflare-wan/configuration/appliance/network-options/application-based-policies/index.mdx +++ b/src/content/docs/cloudflare-wan/configuration/appliance/network-options/application-based-policies/index.mdx @@ -14,6 +14,6 @@ import { Render } from "~/components"; params={{ gatewayPoliciesURL: "/cloudflare-one/traffic-policies/", appTypesGatewayURL: - "/cloudflare-one/traffic-policies/application-app-types/", + "/cloudflare-one/traffic-policies/reference/application-app-types/", }} /> diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx index 35e335959f2..ef20219bc43 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx @@ -258,8 +258,8 @@ resource "cloudflare_zero_trust_gateway_policy" "network_catch_all" { -Network policies are evaluated in [top-down order](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), so if a user does not match an explicitly defined policy for an application, they will be blocked. -To learn how multiple policies interact, refer to [Order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/). +Network policies are evaluated in [top-down order](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence), so if a user does not match an explicitly defined policy for an application, they will be blocked. +To learn how multiple policies interact, refer to [Order of enforcement](/cloudflare-one/traffic-policies/reference/order-of-enforcement/). :::note diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/policy-design.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/policy-design.mdx index 29387c50590..cf0687132c6 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/policy-design.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/policy-design.mdx @@ -31,7 +31,7 @@ We recommend the following approach when planning your Zero Trust Network Access #### Identity -Determine which identity provider you will use as the source of truth for user email, user groups, and other [identity-based attributes](/cloudflare-one/traffic-policies/identity-selectors/). +Determine which identity provider you will use as the source of truth for user email, user groups, and other [identity-based attributes](/cloudflare-one/traffic-policies/reference/identity-selectors/). :::note diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index f870171cc4e..d3dc86a765c 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx @@ -28,7 +28,7 @@ To create a new DNS policy: 2. In the **DNS** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. -5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories): +5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories): - Internet service providers are constantly exploring new revenue opportunities to expand their business, and many are now turning to security as a value-added service alongside their connectivity offerings. Traditionally, integrating security with connectivity posed significant challenges due to the reliance on legacy solutions that required costly on-premises hardware. This makes it difficult to deploy and manage and introduces post-deployment struggles with scalability and availability. -Today these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow service providers to offer enhanced security as a value-added service for residential and mobile subscribers or B2B clients. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), service providers can effectively safeguard their customers from accessing potentially [harmful domains](/cloudflare-one/traffic-policies/domain-categories/#security-categories). +Today these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow service providers to offer enhanced security as a value-added service for residential and mobile subscribers or B2B clients. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), service providers can effectively safeguard their customers from accessing potentially [harmful domains](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories). Moreover, Cloudflare Gateway eliminates concerns around availability, performance, and scalability, as it is built on [Cloudflare's 1.1.1.1 public DNS resolver](/1.1.1.1/), one of the [fastest](https://www.dnsperf.com/#!dns-providers) and most widely-used DNS resolvers in the world. @@ -34,11 +34,11 @@ To distinguish queries originating from the service provider from those coming f If stable and defined source IPv4 addresses cannot be assigned to the on-premises DNS servers, service providers can instead use unique destination location endpoints. Each location is assigned a distinct [DoT](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#dns-over-tls-dot) and [DoH](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#dns-over-https-doh) hostname, as well as a unique [destination IPv6 address](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#ipv4ipv6-address). Additionally, Cloudflare can provide unique [destination IPv4 addresses upon request](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#dns-resolver-ip). ::: -DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/policy-types/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. +DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/policy-types/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. ![Figure 2: A DNS policy to prevent users from navigating to malicious domains. The action is to override and redirect the DNS query to a block page hosted by the service provider.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg) -To achieve more precise control over which domains are allowed or blocked, the service provider can configure additional Allowed Domain and Blocked Domains policies. By setting these policies with [lower precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the service provider can override the Security Risks policy for specific domains. +To achieve more precise control over which domains are allowed or blocked, the service provider can configure additional Allowed Domain and Blocked Domains policies. By setting these policies with [lower precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the service provider can override the Security Risks policy for specific domains. To streamline the management of allowed and blocked domains, use [lists](/cloudflare-one/reusable-components/lists/). Lists are easily updated through the dashboard or via [APIs](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/update/), making policy adjustments more efficient. @@ -52,7 +52,7 @@ In cases of a miscategorization of domains, raise a [categorization change reque ## Additional offerings based on DNS filtering capabilities -Service providers can enhance their offerings by using Cloudflare Gateway DNS policies to deliver additional value-added services alongside the base DNS security service. By using the same solution, service providers can develop customized content category filtering services. These services can be easily constructed using Cloudflare's built-in [content categories](/cloudflare-one/traffic-policies/domain-categories/#content-categories) and [application types](/cloudflare-one/traffic-policies/application-app-types/), as well as the service provider's own custom allow and block lists. +Service providers can enhance their offerings by using Cloudflare Gateway DNS policies to deliver additional value-added services alongside the base DNS security service. By using the same solution, service providers can develop customized content category filtering services. These services can be easily constructed using Cloudflare's built-in [content categories](/cloudflare-one/traffic-policies/reference/domain-categories/#content-categories) and [application types](/cloudflare-one/traffic-policies/reference/application-app-types/), as well as the service provider's own custom allow and block lists. Some potential applications include: diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx index bff537c5aeb..56c90183662 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx @@ -14,7 +14,7 @@ description: >- Protective DNS services are security services that analyze DNS queries and block access to malicious websites and other harmful online content. As technology becomes increasingly vital for public sector operations, government departments are looking to adopt these cybersecurity services to bolster incident detection and response, and to build more resilient enterprise networks. Traditionally, deploying this type of solution posed significant challenges due to the reliance on legacy systems that required costly on-premises hardware. This makes it difficult to deploy and manage, and introduces post-deployment struggles with scalability and availability. -Today, these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow administrators to offer enhanced security. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), government agencies can effectively safeguard their end users from accessing potentially [harmful domains](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Additionally, agencies can further strengthen these defenses by [integrating their own threat intelligence data](https://developers.cloudflare.com/security-center/indicator-feeds/) into the policies. +Today, these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow administrators to offer enhanced security. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), government agencies can effectively safeguard their end users from accessing potentially [harmful domains](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories). Additionally, agencies can further strengthen these defenses by [integrating their own threat intelligence data](https://developers.cloudflare.com/security-center/indicator-feeds/) into the policies. Finally, Cloudflare Gateway eliminates concerns around availability, performance, and scalability, as it is built on [Cloudflare's 1.1.1.1 public DNS resolver](/1.1.1.1/), one of the [fastest](https://www.dnsperf.com/#!dns-providers) and most widely used DNS resolvers in the world. @@ -30,7 +30,7 @@ IT administrators forward public DNS requests to Cloudflare where they are filte To distinguish queries originating from the government departments and agencies they are responsible for, admins configure a location in the Cloudflare dashboard. When a DNS location is created, Gateway assigns IPv4/IPv6 addresses and DNS over TLS/HTTPS (DoT/DoH) hostnames for that location. These IP addresses and hostnames are then used by the admins to send DNS queries for resolution. In turn, the administrator configures the location object with the public IP addresses of their on-premises DNS servers, allowing Cloudflare to accurately associate queries with the corresponding location. -DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/policy-types/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. +DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/policy-types/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/policy-types/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. Cloudflare's own threat intelligence can be seamlessly integrated with threat intelligence data provided by the agency or third-party sources. In this setup, the agency or the third-party entity acts as a [threat feed provider](/security-center/indicator-feeds/) to Cloudflare. This enables IT admins to create DNS policies that combine Cloudflare's security risk categories with the data sourced by the agency, for a unified and enhanced security posture (see diagram below). Additionally, [publicly available custom indicator feeds](/security-center/indicator-feeds/#publicly-available-feeds) can be accessed by eligible public and private sector organizations without the need to establish a provider relationship, further expanding security capabilities. @@ -52,7 +52,7 @@ The device agent is compatible with the [leading desktop and mobile operating sy ### Additional controls -To achieve more precise control over which domains are allowed or blocked, the administrator can configure additional Allowed Domain and Blocked Domain policies. By setting these policies with [lower precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the agency can override the Security Risks policy for specific domains. +To achieve more precise control over which domains are allowed or blocked, the administrator can configure additional Allowed Domain and Blocked Domain policies. By setting these policies with [lower precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the agency can override the Security Risks policy for specific domains. To streamline the management of allowed and blocked domains, use [lists](/cloudflare-one/reusable-components/lists/). Lists are easily updated through the dashboard or via [APIs](/api/operations/zero-trust-lists-update-zero-trust-list), making policy adjustments more efficient. diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx index 97587527802..4acbd7f7367 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx @@ -26,9 +26,9 @@ Even more, organizations can enforce specific data in use access controls, like Common policies used with RBI: -- Content category - [Social Networks](/cloudflare-one/traffic-policies/domain-categories/) (e.g. Facebook): Given the large volumes of data that popular social media platforms collect, these apps are an attractive target and yet another attack vector for malicious entities. RBI allows for limiting what data, especially if that data matches a DLP profile, from being pasted into these applications. -- Application - [Artificial Intelligence](/cloudflare-one/traffic-policies/application-app-types/) (e.g. ChatGPT): Generative AI tools can boost employee productivity, but understanding who is using them and for what is imperative at this stage of the generative AI evolution. Again, DLP profiles here can be applied to prevent the copy and pasting of sensitive data into public AI tools. -- Application - [SaaS](/cloudflare-one/traffic-policies/application-app-types/) (e.g. Salesforce, Zendesk, etc): These applications can often contain highly confidential data. RBI can be used to really lock down access for risky users that require some access, such as contractors or partners. Controls such as preventing printing, or even preventing any keyboard input at all, can result in third party users only looking at a read only view of the application, as if RBI is a pane of glass between the user and the data. +- Content category - [Social Networks](/cloudflare-one/traffic-policies/reference/domain-categories/) (e.g. Facebook): Given the large volumes of data that popular social media platforms collect, these apps are an attractive target and yet another attack vector for malicious entities. RBI allows for limiting what data, especially if that data matches a DLP profile, from being pasted into these applications. +- Application - [Artificial Intelligence](/cloudflare-one/traffic-policies/reference/application-app-types/) (e.g. ChatGPT): Generative AI tools can boost employee productivity, but understanding who is using them and for what is imperative at this stage of the generative AI evolution. Again, DLP profiles here can be applied to prevent the copy and pasting of sensitive data into public AI tools. +- Application - [SaaS](/cloudflare-one/traffic-policies/reference/application-app-types/) (e.g. Salesforce, Zendesk, etc): These applications can often contain highly confidential data. RBI can be used to really lock down access for risky users that require some access, such as contractors or partners. Controls such as preventing printing, or even preventing any keyboard input at all, can result in third party users only looking at a read only view of the application, as if RBI is a pane of glass between the user and the data. The following diagram visualizes a typical interaction between a user, RBI and a website such as ChatGPT. diff --git a/src/content/docs/security-center/investigate/change-categorization.mdx b/src/content/docs/security-center/investigate/change-categorization.mdx index c2efde74687..bbabbcb9548 100644 --- a/src/content/docs/security-center/investigate/change-categorization.mdx +++ b/src/content/docs/security-center/investigate/change-categorization.mdx @@ -13,7 +13,7 @@ import { DashButton } from "~/components"; Cloudflare sorts domains into categories based on their content and security type. You can request categorization changes via the [dashboard](#via-the-cloudflare-dashboard), [Cloudflare Radar](#via-cloudflare-radar), or the [API](#via-the-api). -For a detailed list of categories, refer to [Domain categories](/cloudflare-one/traffic-policies/domain-categories/). +For a detailed list of categories, refer to [Domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/). ## Via the Cloudflare dashboard @@ -27,7 +27,7 @@ To request a categorization change via the Cloudflare dashboard: 3. In **Domain overview**, select **Request to change categorization**. -4. Choose whether to change a [security category](/cloudflare-one/traffic-policies/domain-categories/#security-categories) or a [content category](/cloudflare-one/traffic-policies/domain-categories/#content-categories). +4. Choose whether to change a [security category](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories) or a [content category](/cloudflare-one/traffic-policies/reference/domain-categories/#content-categories). 5. Choose which categories you want to add or remove from the domain. diff --git a/src/content/docs/security-center/investigate/investigate-threats.mdx b/src/content/docs/security-center/investigate/investigate-threats.mdx index 48ce56a091e..8c6907a62b7 100644 --- a/src/content/docs/security-center/investigate/investigate-threats.mdx +++ b/src/content/docs/security-center/investigate/investigate-threats.mdx @@ -38,7 +38,7 @@ When you search for a domain name, Cloudflare will provide an overview of the do {/* TODO: Reintroduce */} {/* */} -For a detailed list of categories, refer to [Domain categories](/cloudflare-one/traffic-policies/domain-categories/). +For a detailed list of categories, refer to [Domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/). A domain can have multiple categories. Cloudflare displays both the parent category and the detailed child category. You can [request category changes](/security-center/investigate/change-categorization/) for a domain. Miscategorized domains can also request to have a category added. This request goes through an approval process with the Cloudflare team. diff --git a/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx b/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx index 76b2ddf0772..a8be40831e7 100644 --- a/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx +++ b/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx @@ -20,7 +20,7 @@ In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust*
  • Update the policy's [order of - precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) + precedence](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#order-of-precedence) using the dashboard or API.
  • diff --git a/src/content/partials/cloudflare-one/gateway/debugging-policies.mdx b/src/content/partials/cloudflare-one/gateway/debugging-policies.mdx index eec835ed93e..0a6480a5e5f 100644 --- a/src/content/partials/cloudflare-one/gateway/debugging-policies.mdx +++ b/src/content/partials/cloudflare-one/gateway/debugging-policies.mdx @@ -5,4 +5,4 @@ 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Traffic policies** > **Firewall policies**. 2. Disable all DNS, Network, and HTTP policies and see if the issue persists. It may take up to two minutes for the change to take effect. Note that all policy enforcement happens on the Cloudflare global network, not on your local device. -3. Slowly re-enable your policies. Once you have narrowed down the issue, modify the policies or their [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/). +3. Slowly re-enable your policies. Once you have narrowed down the issue, modify the policies or their [order of enforcement](/cloudflare-one/traffic-policies/reference/order-of-enforcement/). diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx index c73b98aa533..8800b67cf6a 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx @@ -19,7 +19,7 @@ To create a new HTTP policy: product="cloudflare-one" /> - Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: + Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: **Firewall policies** and compare the [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/) of the matched policy versus the expected policy. +2. Go to **Traffic policies** > **Firewall policies** and compare the [order of enforcement](/cloudflare-one/traffic-policies/reference/order-of-enforcement/) of the matched policy versus the expected policy. 3. Compare the Gateway log values with the expected policy criteria. - If the mismatched value is related to identity, [check the user registry](/cloudflare-one/team-and-resources/users/users/) and verify the values that are passed to Gateway from your IdP. Cloudflare updates the registry when the user enrolls in the Cloudflare One Client. If the user's identity is outdated, ask the user to re-authenticate the client (**Profile** > **Account information** > **Re-authenticate**)[^1]. diff --git a/src/content/partials/fundamentals/cybersafe-cipa-subcategories.mdx b/src/content/partials/fundamentals/cybersafe-cipa-subcategories.mdx index 5c9104ac3a5..538ee927127 100644 --- a/src/content/partials/fundamentals/cybersafe-cipa-subcategories.mdx +++ b/src/content/partials/fundamentals/cybersafe-cipa-subcategories.mdx @@ -33,4 +33,4 @@ Cloudflare’s recommended CIPA rule blocks the following content subcategories: * Violence * Weapons -Review the [domain categories](/cloudflare-one/traffic-policies/domain-categories/) for more information. +Review the [domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/) for more information. diff --git a/src/content/partials/learning-paths/zero-trust/blocklist-security-categories.mdx b/src/content/partials/learning-paths/zero-trust/blocklist-security-categories.mdx index 060cde6c116..57ececd8ba8 100644 --- a/src/content/partials/learning-paths/zero-trust/blocklist-security-categories.mdx +++ b/src/content/partials/learning-paths/zero-trust/blocklist-security-categories.mdx @@ -3,4 +3,4 @@ --- -Block [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories), such as **Command and Control & Botnet** and **Malware**, based on Cloudflare's threat intelligence. +Block [security categories](/cloudflare-one/traffic-policies/reference/domain-categories/#security-categories), such as **Command and Control & Botnet** and **Malware**, based on Cloudflare's threat intelligence. diff --git a/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx b/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx index 2a7d3163a8d..d3b6a2cab63 100644 --- a/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx +++ b/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx @@ -3,6 +3,6 @@ params: - policyType --- -Entries in the [security risk content subcategory](/cloudflare-one/traffic-policies/domain-categories/#security-risk-subcategories), such as **New Domains**, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your **Trusted Domains** list used in **All-{props.policyType}-Domain-Allowlist**. +Entries in the [security risk content subcategory](/cloudflare-one/traffic-policies/reference/domain-categories/#security-risk-subcategories), such as **New Domains**, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your **Trusted Domains** list used in **All-{props.policyType}-Domain-Allowlist**. After your test is complete, we recommend you change the action to Block to minimize risk to your organization. diff --git a/src/content/partials/networking-services/reference/traffic-steering.mdx b/src/content/partials/networking-services/reference/traffic-steering.mdx index 031e76db89d..8b1e2984465 100644 --- a/src/content/partials/networking-services/reference/traffic-steering.mdx +++ b/src/content/partials/networking-services/reference/traffic-steering.mdx @@ -723,7 +723,7 @@ You need to enable
    legacy health checks alongside

    By default, Cloudflare balances and steers traffic based on network-layer characteristics (IP, port etc). If you are using the {props.productName} Connector, you can also steer traffic based on well-known applications. Application-aware policies provide easier management and more granularity over traffic flows. - For more information, refer to Applications and app types.

    + For more information, refer to Applications and app types.

    ) } From 009d004e76c4652b7ef11249761bc77974242d84 Mon Sep 17 00:00:00 2001 From: mahathih Date: Mon, 13 Jul 2026 15:04:24 -0500 Subject: [PATCH 3/4] [Cloudflare One] Traffic policies: elevate TLS decryption to its own top-level section --- public/__redirects | 3 +++ src/content/docs/ai-gateway/features/dlp/index.mdx | 2 +- .../access-controls/ai-controls/mcp-portals.mdx | 4 ++-- .../applications/non-http/self-hosted-private-app.mdx | 8 ++++---- .../data-loss-prevention/dlp-policies/index.mdx | 2 +- .../docs/cloudflare-one/data-loss-prevention/index.mdx | 2 +- .../data-loss-prevention/troubleshoot-dlp.mdx | 2 +- .../cloudflare-wan/zero-trust/cloudflare-gateway.mdx | 2 +- .../resolvers-and-proxies/proxy-endpoints/index.mdx | 4 ++-- .../setup/clientless-browser-isolation.mdx | 2 +- .../deployment/mdm-deployment/partners/intune.mdx | 2 +- .../deployment/mdm-deployment/partners/kandji.mdx | 2 +- .../download/cloudflare-one-agent-migration.mdx | 2 +- .../user-side-certificates/automated-deployment.mdx | 2 +- .../devices/user-side-certificates/index.mdx | 2 +- .../cloudflare-one/traffic-policies/get-started/http.mdx | 2 +- .../cloudflare-one/traffic-policies/get-started/index.mdx | 2 +- .../policy-types/http-policies/granular-controls.mdx | 4 ++-- .../traffic-policies/policy-types/http-policies/index.mdx | 6 +++--- .../policy-types/network-policies/protocol-detection.mdx | 2 +- .../docs/cloudflare-one/traffic-policies/proxy.mdx | 2 +- .../traffic-policies/reference/application-app-types.mdx | 2 +- .../http-policies => tls-decryption}/http3.mdx | 2 +- .../tls-decryption.mdx => tls-decryption/index.mdx} | 2 +- .../traffic-policies/troubleshoot-gateway.mdx | 2 +- .../docs/cloudflare-wan/zero-trust/cloudflare-gateway.mdx | 2 +- src/content/docs/data-localization/how-to/zero-trust.mdx | 2 +- .../monitor-ai-use/monitor-prompts-responses.mdx | 2 +- .../configure-device-agent/enable-tls-decryption.mdx | 2 +- .../concepts/security-concepts.mdx | 2 +- .../optimizing-roaming-experience-with-geolocated-ips.mdx | 2 +- .../ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx | 2 +- .../post-quantum-cryptography/pqc-cloudflare-products.mdx | 2 +- .../http-status-codes/cloudflare-5xx-errors/error-526.mdx | 2 +- src/content/docs/warp-client/warp-modes.mdx | 2 +- .../gateway/get-started/create-http-policy.mdx | 4 ++-- .../cloudflare-one/gateway/inspect-on-all-ports.mdx | 2 +- .../cloudflare-one/gateway/order-of-enforcement.mdx | 2 +- .../partials/cloudflare-one/troubleshooting/dlp.mdx | 2 +- .../partials/cloudflare-one/troubleshooting/gateway.mdx | 2 +- .../tunnel/troubleshoot-private-networks.mdx | 4 ++-- .../cloudflare-wan/third-party/azure-vpn-gateway.mdx | 2 +- .../cloudflare-wan/third-party/juniper.mdx | 2 +- .../cloudflare-wan/third-party/palo-alto.mdx | 2 +- 44 files changed, 56 insertions(+), 53 deletions(-) rename src/content/docs/cloudflare-one/traffic-policies/{policy-types/http-policies => tls-decryption}/http3.mdx (94%) rename src/content/docs/cloudflare-one/traffic-policies/{policy-types/http-policies/tls-decryption.mdx => tls-decryption/index.mdx} (98%) diff --git a/public/__redirects b/public/__redirects index caf01ff1136..607d648ddbd 100644 --- a/public/__redirects +++ b/public/__redirects @@ -3001,6 +3001,9 @@ # Traffic policies: group policy types under policy-types/ /cloudflare-one/traffic-policies/dns-policies/* /cloudflare-one/traffic-policies/policy-types/dns-policies/:splat 301 /cloudflare-one/traffic-policies/network-policies/* /cloudflare-one/traffic-policies/policy-types/network-policies/:splat 301 +# Traffic policies: TLS decryption elevated to its own section +/cloudflare-one/traffic-policies/http-policies/tls-decryption/* /cloudflare-one/traffic-policies/tls-decryption/:splat 301 +/cloudflare-one/traffic-policies/http-policies/http3/* /cloudflare-one/traffic-policies/tls-decryption/http3/:splat 301 /cloudflare-one/traffic-policies/http-policies/* /cloudflare-one/traffic-policies/policy-types/http-policies/:splat 301 /cloudflare-one/traffic-policies/egress-policies/* /cloudflare-one/traffic-policies/policy-types/egress-policies/:splat 301 /cloudflare-one/traffic-policies/packet-filtering/* /cloudflare-one/traffic-policies/policy-types/packet-filtering/:splat 301 diff --git a/src/content/docs/ai-gateway/features/dlp/index.mdx b/src/content/docs/ai-gateway/features/dlp/index.mdx index 602c2ae4547..d9e2321fc89 100644 --- a/src/content/docs/ai-gateway/features/dlp/index.mdx +++ b/src/content/docs/ai-gateway/features/dlp/index.mdx @@ -81,7 +81,7 @@ AI Gateway DLP uses the same [detection profiles](/cloudflare-one/data-loss-prev Key differences from Cloudflare One Gateway DLP: -- **No Gateway proxy or TLS decryption required** - AI Gateway inspects traffic directly as an AI proxy, so you do not need to set up [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/) or [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). +- **No Gateway proxy or TLS decryption required** - AI Gateway inspects traffic directly as an AI proxy, so you do not need to set up [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/) or [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). - **Separate policy management** - DLP policies for AI Gateway are configured per gateway in the AI Gateway dashboard, not in Cloudflare One traffic policies. - **Separate logs** - DLP events for AI Gateway appear in [AI Gateway logs](/ai-gateway/observability/logging/), not in Cloudflare One HTTP request logs. - **Shared profiles** - DLP detection profiles (predefined and custom) are shared across both products. Changes to a profile apply everywhere it is used. diff --git a/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx b/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx index 718e12e7909..faebdfcb594 100644 --- a/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx +++ b/src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx @@ -670,9 +670,9 @@ Gateway routing only applies to real-time tool calls made by users through the p ### TLS decryption -DLP inspection requires Gateway to decrypt TLS traffic. For portal traffic, Gateway decrypts and inspects the payload automatically — you do not need to turn on the account-level [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) setting. Because the portal terminates the connection from the MCP client and re-originates the request through Gateway, Gateway decrypts portal traffic regardless of whether the global TLS decryption setting is on. +DLP inspection requires Gateway to decrypt TLS traffic. For portal traffic, Gateway decrypts and inspects the payload automatically — you do not need to turn on the account-level [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) setting. Because the portal terminates the connection from the MCP client and re-originates the request through Gateway, Gateway decrypts portal traffic regardless of whether the global TLS decryption setting is on. -This automatic decryption applies only to traffic that flows through the portal. To inspect MCP traffic that does not pass through the portal — for example, an agent on a [device running the WARP client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) connecting directly to an upstream MCP server — you must turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) as you would for any other [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/). +This automatic decryption applies only to traffic that flows through the portal. To inspect MCP traffic that does not pass through the portal — for example, an agent on a [device running the WARP client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) connecting directly to an upstream MCP server — you must turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) as you would for any other [HTTP policy](/cloudflare-one/traffic-policies/policy-types/http-policies/). :::note Portal traffic ignores the global TLS decryption setting, but it still respects [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) HTTP policies. If a Do Not Inspect policy matches portal traffic, Gateway does not decrypt it and DLP cannot scan it. Check that your Do Not Inspect policies do not unintentionally exempt your upstream MCP servers from inspection. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index 4765d85bfc4..0240b652604 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx @@ -24,7 +24,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce - Private IPs and hostnames are reachable over the Cloudflare One Client, Cloudflare WAN (formerly Magic WAN) or Browser Isolation. For more details, refer to [Connect a private network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). - Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/traffic-policies/policy-types/resolver-policies/). - Public IPs and hostnames can be used to define a private application, however the IP or hostname must route through Cloudflare via [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/), [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/), or [Cloudflare WAN](/cloudflare-wan/configuration/how-to/configure-routes/). -- (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications). +- (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications). ## Add your application to Access @@ -73,7 +73,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce ::: - - - The following settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/): + - The following settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/): @@ -85,9 +85,9 @@ Users can now connect to your private application after authenticating with Clou ### HTTPS applications -If [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). +If [Gateway TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). -If [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) is turned off, session management is [handled in the Cloudflare One Client](#non-https-applications) instead of in the browser. +If [Gateway TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) is turned off, session management is [handled in the Cloudflare One Client](#non-https-applications) instead of in the browser. ### Non-HTTPS applications diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx index 559e7348eaa..0061476a228 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx @@ -24,7 +24,7 @@ To scan AI prompts and responses without Gateway HTTP filtering, you can also en - Set up [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/). This routes your users' web traffic through Cloudflare Gateway so it can be inspected. - HTTP filtering requires turning on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP traffic. -- Turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption). Because most web traffic is encrypted with HTTPS, Gateway must decrypt it before DLP can scan the request body for sensitive data. +- Turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/#turn-on-tls-decryption). Because most web traffic is encrypted with HTTPS, Gateway must decrypt it before DLP can scan the request body for sensitive data. ## 1. Configure a DLP profile diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx index 9f11f5d8b34..04721528129 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx @@ -33,7 +33,7 @@ DLP uses [**profiles**](/cloudflare-one/data-loss-prevention/dlp-profiles/) to d Data Loss Prevention complements [Secure Web Gateway](/cloudflare-one/traffic-policies/) to detect sensitive data transferred in HTTP requests. DLP scans the HTTP body (excluding headers), which may include uploaded or downloaded files, chat messages, forms, and other web content. -DLP requires [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/) with [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) to read the contents of HTTPS traffic in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policy). +DLP requires [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/) with [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) to read the contents of HTTPS traffic in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policy). To get started, refer to [Scan HTTP traffic with DLP](/cloudflare-one/data-loss-prevention/dlp-policies/). diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx index 64b29248d10..2fb2100d6f0 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx @@ -16,7 +16,7 @@ Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). ## DLP policy does not trigger or block content -DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). +DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). To turn on TLS decryption: diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway.mdx index e80a86c5647..691b266b634 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-gateway.mdx @@ -21,7 +21,7 @@ import { Render } from "~/components"; warpURL: "/cloudflare-one/networks/connectors/cloudflare-wan/zero-trust/cloudflare-one-client/", cfAutoCertificatesURL: "/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/", cfManualCertificatesURL: "/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/", - decryptTlsURL: "/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/", + decryptTlsURL: "/cloudflare-one/traffic-policies/tls-decryption/", doNotInspectURL: "/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect", warpChecksURL: "/cloudflare-one/reusable-components/posture-checks/client-checks/", osVersionChecks: "/cloudflare-one/reusable-components/posture-checks/client-checks/os-version/", diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx index 005a18d4040..1c38fa99f38 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx @@ -500,7 +500,7 @@ When using [authorization endpoints](#authorization-endpoint), be aware of the f #### TLS inspection required -Authorization endpoints require [TLS inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) on all proxied traffic. Gateway must decrypt HTTPS requests to read the authorization cookie that identifies each user session. Gateway always performs TLS decryption for traffic routed through an authorization endpoint, even if you turn off TLS decryption at the account level. You cannot selectively bypass TLS inspection for specific destinations when using an authorization endpoint. +Authorization endpoints require [TLS inspection](/cloudflare-one/traffic-policies/tls-decryption/) on all proxied traffic. Gateway must decrypt HTTPS requests to read the authorization cookie that identifies each user session. Gateway always performs TLS decryption for traffic routed through an authorization endpoint, even if you turn off TLS decryption at the account level. You cannot selectively bypass TLS inspection for specific destinations when using an authorization endpoint. #### Plaintext HTTP traffic @@ -532,7 +532,7 @@ Each type of proxy endpoint supports the following features: | **HTTP/HTTPS traffic** | ✅[^1] | ✅[^2] | | **Non-HTTP TCP traffic** | ✅ | — | | **UDP traffic** | — | — | -| **[HTTP3](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/)** | — | — | +| **[HTTP3](/cloudflare-one/traffic-policies/tls-decryption/http3/)** | — | — | | **[Identity-based policies](/cloudflare-one/traffic-policies/reference/identity-selectors/)** | — | ✅ | | **mTLS authentication** | — | — | | **[Happy Eyeballs](https://datatracker.ietf.org/doc/html/rfc6555)** | — | — | diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx index 34d63e5478d..a39fe9fc726 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx @@ -76,7 +76,7 @@ For example, if you use a third-party Secure Web Gateway to block `example.com`, ### Bypass TLS decryption -[TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) allows Gateway to inspect the contents of HTTPS traffic by decrypting it, applying policies, and re-encrypting it. If TLS decryption is turned on, Gateway will decrypt all sites accessed through the Clientless Web Isolation URL. Some sites are incompatible with this process (for example, sites that use certificate pinning). To connect to those sites, add a Do Not Inspect HTTP policy for the application or domain. +[TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) allows Gateway to inspect the contents of HTTPS traffic by decrypting it, applying policies, and re-encrypting it. If TLS decryption is turned on, Gateway will decrypt all sites accessed through the Clientless Web Isolation URL. Some sites are incompatible with this process (for example, sites that use certificate pinning). To connect to those sites, add a Do Not Inspect HTTP policy for the application or domain. | Selector | Operator | Value | Action | | -------- | -------- | ------------ | -------------- | diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune.mdx index 6c2a7aad9e9..9b37410d090 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune.mdx @@ -350,7 +350,7 @@ The following steps outline how to deploy the Cloudflare One Agent (Cloudflare O - A [Microsoft Intune account](https://intune.microsoft.com) - A Cloudflare account that has a [Zero Trust organization](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) - iOS/iPadOS devices enrolled in Intune -- [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) enabled in Cloudflare Gateway (if you plan to inspect HTTPS traffic) +- [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) enabled in Cloudflare Gateway (if you plan to inspect HTTPS traffic) ### 1. Upload user-side certificate diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji.mdx index 44add3e9eb5..3c6c80335c4 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji.mdx @@ -238,4 +238,4 @@ exit 0 ## TLS decryption -The Kandji macOS agent uses certificate pinning, which is incompatible with [Gateway TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). If Gateway TLS decryption is [turned on](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption), you must create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#skip-inspection-for-groups-of-applications) to exempt Kandji from SSL/TLS inspection. For more information, refer to the [Kandji documentation](https://support.kandji.io/kb/using-kandji-on-enterprise-networks#SSL/TLS-Inspection). +The Kandji macOS agent uses certificate pinning, which is incompatible with [Gateway TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). If Gateway TLS decryption is [turned on](/cloudflare-one/traffic-policies/tls-decryption/#turn-on-tls-decryption), you must create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/policy-types/http-policies/common-policies/#skip-inspection-for-groups-of-applications) to exempt Kandji from SSL/TLS inspection. For more information, refer to the [Kandji documentation](https://support.kandji.io/kb/using-kandji-on-enterprise-networks#SSL/TLS-Inspection). diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/cloudflare-one-agent-migration.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/cloudflare-one-agent-migration.mdx index c9ace8a8db2..4432bd151a8 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/cloudflare-one-agent-migration.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/cloudflare-one-agent-migration.mdx @@ -34,7 +34,7 @@ If you downloaded and installed the 1.1.1.1 app manually, here are the recommend 1. Update the **1.1.1.1** app to version 6.29 or above. The update ensures that 1.1.1.1 can [co-exist](#what-to-do-with-the-old-app) with the new Cloudflare One Agent app. -2. If you have enabled [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), ensure that you have a [Do Not Inspect policy](/cloudflare-one/traffic-policies/get-started/http/) in place for the following applications: +2. If you have enabled [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/), ensure that you have a [Do Not Inspect policy](/cloudflare-one/traffic-policies/get-started/http/) in place for the following applications: - _Google Services (Do Not Inspect)_ - _Google Play Store (Do Not Inspect)_ - _Google (Do Not Inspect)_ diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx index f51276aea47..330d789ca4f 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx @@ -33,7 +33,7 @@ import { Details, Render } from "~/components"; The [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) can automatically install a Cloudflare certificate or [custom root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/). -The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), and more. +The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/tls-decryption/), display custom [block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), and more. ## Install a certificate using the Cloudflare One Client diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx index 6d6bd70f545..9b9b0574647 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx @@ -12,7 +12,7 @@ tags: import { Tabs, TabItem, APIRequest } from "~/components"; -Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/remote-browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. +Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/traffic-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/remote-browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. Zero Trust [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/). diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx index e5253655804..9052022c0d2 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx @@ -34,7 +34,7 @@ To filter HTTP requests from a device: 2. [Install the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device. 3. In the Cloudflare One Client Settings, log in to your organization's Cloudflare One instance. 4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, enable the UDP proxy to also inspect QUIC traffic on port 443 — this covers HTTP/3, a newer protocol some browsers use by default. -5. To inspect HTTPS traffic, [enable TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption). TLS decryption allows Gateway to read encrypted requests. Without it, Gateway can see that a user visited `example.com` but not which specific page or what they uploaded. +5. To inspect HTTPS traffic, [enable TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/#turn-on-tls-decryption). TLS decryption allows Gateway to read encrypted requests. Without it, Gateway can see that a user visited `example.com` but not which specific page or what they uploaded. 6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/). ## 2. Verify device connectivity diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx index bef610239f7..f6fa71d1773 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx @@ -54,7 +54,7 @@ For setup instructions, refer to [Set up network filtering](/cloudflare-one/traf HTTP inspection provides the deepest visibility and the most granular controls, but it requires additional setup. - Install the [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on user devices. -- Enable [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) to inspect HTTPS traffic. +- Enable [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) to inspect HTTPS traffic. - Create [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policies for applications that use certificate pinning. - Block risky file types, enable [anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/), and configure [DLP profiles](/cloudflare-one/data-loss-prevention/) to detect sensitive data. - Use [Browser Isolation](/cloudflare-one/remote-browser-isolation/) to render high-risk sites in a remote browser. diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx index 6b07350246e..0d0385528fd 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx @@ -26,9 +26,9 @@ With Application Granular Controls, you can create [Gateway HTTP policies](/clou To use Application Granular Controls, you must: - Install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on your users' devices. -- Turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). +- Turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). - Turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). -- (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/#enable-http3-inspection). +- (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](/cloudflare-one/traffic-policies/tls-decryption/http3/#enable-http3-inspection). - (Optional) To turn on [AI prompt logging](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content), create a [DLP payload encryption public key](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key). ## Create a policy with Application Granular Controls diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx index 9a2195deceb..b6376727af8 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/index.mdx @@ -19,7 +19,7 @@ To use HTTP policies, install a [Cloudflare root certificate](/cloudflare-one/te HTTP policies allow you to filter all HTTP and HTTPS requests based on URLs, hostnames, HTTP methods, file types, and other request attributes. Unlike [network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) which operate at Layer 4 (TCP/UDP), HTTP policies operate at Layer 7 and can inspect the full content of web traffic. -By default, Gateway inspects HTTP traffic on port `80` and, with [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) turned on, HTTPS traffic on port `443`. You can also configure Gateway to [inspect HTTP/HTTPS traffic on all ports](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports). Gateway supports HTTP/3 inspection with the [UDP proxy](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/) turned on. +By default, Gateway inspects HTTP traffic on port `80` and, with [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) turned on, HTTPS traffic on port `443`. You can also configure Gateway to [inspect HTTP/HTTPS traffic on all ports](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/#inspect-on-all-ports). Gateway supports HTTP/3 inspection with the [UDP proxy](/cloudflare-one/traffic-policies/tls-decryption/http3/) turned on. An HTTP policy consists of an **Action** and a logical expression that determines the scope of the policy. To build an expression, choose a **Selector** and an **Operator**, then enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. @@ -238,11 +238,11 @@ API value: `off` When you create a Do Not Inspect policy for a given hostname, application, or app type, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. -Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). +Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). ::: -Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indication (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations). +Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indication (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/tls-decryption/#inspection-limitations). :::note All Do Not Inspect policies are evaluated before any Allow or Block policies, regardless of their position in the policy list. For more information, refer to [Order of enforcement](/cloudflare-one/traffic-policies/reference/order-of-enforcement/#http-policies). diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection.mdx index cb89d2ee1d4..6aed44b61e0 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection.mdx @@ -38,7 +38,7 @@ You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudfl #### Important considerations -**TLS interception on all ports**: When you turn on this setting, Gateway will attempt to intercept TLS traffic on every port, not just port `443`. This means all applications using TLS on non-standard ports will have their traffic intercepted by the Gateway proxy. If you only want to turn on SNI detection for Network policy filtering without full TLS interception, you will need to create [Do Not Inspect policies](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#do-not-inspect) for the specific applications or domains that use TLS on non-standard ports. +**TLS interception on all ports**: When you turn on this setting, Gateway will attempt to intercept TLS traffic on every port, not just port `443`. This means all applications using TLS on non-standard ports will have their traffic intercepted by the Gateway proxy. If you only want to turn on SNI detection for Network policy filtering without full TLS interception, you will need to create [Do Not Inspect policies](/cloudflare-one/traffic-policies/tls-decryption/#do-not-inspect) for the specific applications or domains that use TLS on non-standard ports. :::caution[Non-HTTP protocols inside TLS bypass network policy filtering] Once a Network policy allows a TLS connection at Layer 4, Gateway decrypts the TLS traffic. However, Gateway cannot filter non-HTTP protocols inside the TLS connection. All non-HTTPS traffic inside TLS (such as SSH over TLS, database protocols, or custom protocols) is allowed by default with no further filtering applied. If your organization uses a default-block Network policy, Gateway will still allow all non-HTTPS TLS traffic through. diff --git a/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx b/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx index 29bb4f5764d..1ebfe5c021c 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx @@ -44,7 +44,7 @@ By default, TCP connection attempts will timeout after 30 seconds and idle conne The UDP proxy forwards UDP traffic such as VoIP, [internal DNS requests](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/), and thick client applications. -HTTP/3 uses the QUIC protocol over UDP. To inspect HTTP/3 traffic, turn on both TLS decryption and the UDP proxy. Gateway will then intercept the HTTP/3 connection and connect to the origin server over HTTP/2. Otherwise, HTTP/3 traffic will bypass inspection. For more information on browser-specific behavior, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/). +HTTP/3 uses the QUIC protocol over UDP. To inspect HTTP/3 traffic, turn on both TLS decryption and the UDP proxy. Gateway will then intercept the HTTP/3 connection and connect to the origin server over HTTP/2. Otherwise, HTTP/3 traffic will bypass inspection. For more information on browser-specific behavior, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/tls-decryption/http3/). ### ICMP (Internet Control Message Protocol) diff --git a/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx index 79daaa183aa..0c32d28ba73 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx @@ -111,7 +111,7 @@ Instead of creating a Do Not Inspect policy for an application, you may be able #### TLS decryption limitations -Applications can be incompatible with [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) for various reasons: +Applications can be incompatible with [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) for various reasons: - */} diff --git a/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx b/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx index ee02a2e2e73..d9106a70a76 100644 --- a/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx +++ b/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx @@ -12,7 +12,7 @@ products: - casb --- -When you enable [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#turn-on-tls-decryption), you can review the prompts and responses for supported AI applications. This allows you to understand three key things about AI application usage: +When you enable [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/#turn-on-tls-decryption), you can review the prompts and responses for supported AI applications. This allows you to understand three key things about AI application usage: - The sanctioned and unsanctioned AI tools your users are engaging with. - How they are interacting with them. - What information they are sharing. diff --git a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx index c4f9b7c1c2a..0fe2715a97f 100644 --- a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx +++ b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx @@ -23,7 +23,7 @@ With TLS decryption turned on, you can apply advanced Gateway policies, such as: - Scanning for sensitive data with [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) - Starting a remote browser isolation session with [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) -These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policy or an [Untrusted certificate _Pass through_](/cloudflare-one/traffic-policies/policy-types/http-policies/#untrusted-certificates) policy to allow users to connect. To learn more, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations). +These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a [Do Not Inspect](/cloudflare-one/traffic-policies/policy-types/http-policies/#do-not-inspect) policy or an [Untrusted certificate _Pass through_](/cloudflare-one/traffic-policies/policy-types/http-policies/#untrusted-certificates) policy to allow users to connect. To learn more, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/tls-decryption/#inspection-limitations). With TLS decryption turned off, Gateway can only inspect and apply HTTP policies to unencrypted HTTP requests. However, you can still apply network policies to HTTPS traffic based on user identity, device posture, IP, resolved domain, SNI, and other attributes that support a Zero Trust security implementation. For more information, refer to [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/). diff --git a/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx b/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx index 108bddf9803..ba877e8d523 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx @@ -34,7 +34,7 @@ For more information, refer to the [Learning Center](https://www.cloudflare.com/ HTTPS inspection (also known as TLS decryption) is the process of filtering traffic by decrypting traffic sent to or from your organization, inspecting it and applying policies, then re-encrypting the traffic as it ingresses or egresses. -For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/security/what-is-https-inspection/) and [TLS decryption documentation](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). +For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/security/what-is-https-inspection/) and [TLS decryption documentation](/cloudflare-one/traffic-policies/tls-decryption/). ## What is data loss prevention (DLP)? diff --git a/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx b/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx index ffd45cb1493..913742c40f0 100644 --- a/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx +++ b/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx @@ -59,7 +59,7 @@ _Note: Labels in this image may reflect a previous product name._ Cloudflare enhances the security of Internet breakouts with advanced features, including: - [**DNS filtering**](/cloudflare-one/traffic-policies/get-started/dns/) to manage and block access to unwanted, high risk domains. - [**Network firewalling**](/cloudflare-one/traffic-policies/policy-types/network-policies/) for enforcing detailed security policies. For example, you can restrict vehicles to only send data over the Internet to a designated set of cloud telemetry systems while blocking all other traffic. - - [**Full SSL inspection**](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) to protect against sophisticated threats and provide traffic visibility on encrypted traffic. It enables additional protections such as antivirus scanning, malware prevention, and file sandboxing. + - [**Full SSL inspection**](/cloudflare-one/traffic-policies/tls-decryption/) to protect against sophisticated threats and provide traffic visibility on encrypted traffic. It enables additional protections such as antivirus scanning, malware prevention, and file sandboxing. # Related Resources diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx index 8fbfbbc9633..68a115f7085 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx @@ -111,7 +111,7 @@ Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA A [secure web gateway (SWG)](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) is used to secure access to third-party websites on the public Internet by intercepting and inspecting TLS traffic. -[Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/http-policies/) [supports post-quantum cryptography for HTTPS traffic](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#post-quantum-support). As long as the third-party website that is being inspected supports post-quantum key agreement, Cloudflare's SWG also supports post-quantum key agreement. +[Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/http-policies/) [supports post-quantum cryptography for HTTPS traffic](/cloudflare-one/traffic-policies/tls-decryption/#post-quantum-support). As long as the third-party website that is being inspected supports post-quantum key agreement, Cloudflare's SWG also supports post-quantum key agreement. ![Diagram of how post-quantum cryptography works with Cloudflare's Secure Web Gateway](~/assets/images/ssl/pqc-secure-web-gateway.png). diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-cloudflare-products.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-cloudflare-products.mdx index bde16b9f78f..7fab9c0359d 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-cloudflare-products.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-cloudflare-products.mdx @@ -110,7 +110,7 @@ Mesh inherits its post-quantum protection from the [Cloudflare One Client](#clou ### Cloudflare Gateway -[Cloudflare Gateway](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#post-quantum-support) is a Secure Web Gateway that runs on Cloudflare's edge and filters HTTPS traffic egressing to the public Internet. Gateway has no client-side component; clients reach Gateway via one of several post-quantum on-ramps: +[Cloudflare Gateway](/cloudflare-one/traffic-policies/tls-decryption/#post-quantum-support) is a Secure Web Gateway that runs on Cloudflare's edge and filters HTTPS traffic egressing to the public Internet. Gateway has no client-side component; clients reach Gateway via one of several post-quantum on-ramps: - The [Cloudflare One Client](#cloudflare-one-client). - A [Cloudflare IPsec](#cloudflare-ipsec) tunnel. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx index 7f9802d7a2b..05ae63aa579 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx @@ -52,7 +52,7 @@ When using [Cloudflare Gateway](/cloudflare-one/traffic-policies/), an HTTP Erro - **The connection from Gateway to the origin is insecure.** Gateway does not trust origins which: - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the [SSL Server Test tool](https://www.ssllabs.com/ssltest/index.html) to check which ciphers are supported by the origin. - - Do not support [FIPS-compliant ciphers](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). + - Do not support [FIPS-compliant ciphers](/cloudflare-one/traffic-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/traffic-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). - Redirect all HTTPS requests to HTTP. ### Error 526 in the Workers context diff --git a/src/content/docs/warp-client/warp-modes.mdx b/src/content/docs/warp-client/warp-modes.mdx index 064c00644b7..7b0c4517616 100644 --- a/src/content/docs/warp-client/warp-modes.mdx +++ b/src/content/docs/warp-client/warp-modes.mdx @@ -57,7 +57,7 @@ Because this feature restricts WARP to just applications configured to use the l This will enable the **Local proxy** option in the **WARP Settings** menu. -If you enable [FIPS compliance](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#fips-compliance) for TLS decryption, you must [disable QUIC](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/#force-http2-traffic) in your users' browsers. Otherwise, HTTP/3 traffic will bypass inspection by the WARP client. +If you enable [FIPS compliance](/cloudflare-one/traffic-policies/tls-decryption/#fips-compliance) for TLS decryption, you must [disable QUIC](/cloudflare-one/traffic-policies/tls-decryption/http3/#force-http2-traffic) in your users' browsers. Otherwise, HTTP/3 traffic will bypass inspection by the WARP client. ## WARP+ Unlimited diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx index 8800b67cf6a..e7b9d3851b5 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx @@ -12,7 +12,7 @@ To create a new HTTP policy: 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. -5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: +5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/traffic-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: . diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx index 3ec23a4366d..1140c282562 100644 --- a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx +++ b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx @@ -116,7 +116,7 @@ DNS and resolver policies are standalone. For example, if you block a site with ### HTTP/3 traffic -For proxied [HTTP/3 traffic](/cloudflare-one/traffic-policies/policy-types/http-policies/http3/), Gateway applies your policies in the following order: +For proxied [HTTP/3 traffic](/cloudflare-one/traffic-policies/tls-decryption/http3/), Gateway applies your policies in the following order: 1. DNS policies 2. Network policies diff --git a/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx b/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx index 2d77c7651a2..45c9ab43c60 100644 --- a/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx +++ b/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx @@ -4,7 +4,7 @@ Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). ## DLP policy does not trigger or block content -DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/). +DLP not inspecting or blocking content is the most common issue reported. If you have configured a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/) but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). To turn on TLS decryption: diff --git a/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx b/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx index 83d7763fcd6..aa19da61dd9 100644 --- a/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx +++ b/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx @@ -79,7 +79,7 @@ To resolve Gateway policy precedence issues: ## TLS decryption breaks applications -Turning on [TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. +Turning on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/) is required for Gateway features such as Data Loss Prevention (DLP), Browser Isolation, and application-aware HTTP policies. However, it can cause issues with certain types of software. ### Symptom: command-line tools (CLI tools) or native applications fail with certificate errors diff --git a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx index afaf44f604f..b5e8e011b95 100644 --- a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx +++ b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx @@ -107,7 +107,7 @@ You can also use a packet capture tool such as `tcpdump` or Wireshark to trace w ## 10. Is TLS inspection affecting the connection to your application? -If there is a problem with [TLS inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), the user will get an `Insecure Upstream` error when they access the application in a browser. They will probably not get an error if they access the application outside of a browser. +If there is a problem with [TLS inspection](/cloudflare-one/traffic-policies/tls-decryption/), the user will get an `Insecure Upstream` error when they access the application in a browser. They will probably not get an error if they access the application outside of a browser. Customers who have [Logpush](/cloudflare-one/insights/logs/logpush/) enabled can check the [Gateway HTTP dataset](/logs/logpush/logpush-job/datasets/account/gateway_http/) for any hostnames which have an elevated rate of `526` HTTP status codes. @@ -119,7 +119,7 @@ To troubleshoot TLS inspection: | -------------- | -------- | ------------- | -------------- | | Destination IP | in | `10.2.3.4/32` | Do Not Inspect | -2. If the `Do Not Inspect` policy enables the user to connect, verify that the TLS certificate used by your application is trusted by a public CA and not self-signed. Cloudflare Gateway is unable to negotiate TLS with applications that use self-signed certificates. For more information, refer to [TLS inspection limitations](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/#inspection-limitations). +2. If the `Do Not Inspect` policy enables the user to connect, verify that the TLS certificate used by your application is trusted by a public CA and not self-signed. Cloudflare Gateway is unable to negotiate TLS with applications that use self-signed certificates. For more information, refer to [TLS inspection limitations](/cloudflare-one/traffic-policies/tls-decryption/#inspection-limitations). To work around the issue: diff --git a/src/content/partials/networking-services/cloudflare-wan/third-party/azure-vpn-gateway.mdx b/src/content/partials/networking-services/cloudflare-wan/third-party/azure-vpn-gateway.mdx index 3ef2d28e3fb..e75f0c5acfb 100644 --- a/src/content/partials/networking-services/cloudflare-wan/third-party/azure-vpn-gateway.mdx +++ b/src/content/partials/networking-services/cloudflare-wan/third-party/azure-vpn-gateway.mdx @@ -170,7 +170,7 @@ Microsoft does not permit specifying a default route (`0.0.0.0/0`) under Address ## Install Cloudflare Zero Trust CA Certificate -If you opt to route all Internet bound traffic through Cloudflare WAN and want to take advantage of [HTTPS TLS decryption](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), it will be necessary to install and trust the Cloudflare Zero Trust root certificate authority (CA) certificate on your user's devices. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. +If you opt to route all Internet bound traffic through Cloudflare WAN and want to take advantage of [HTTPS TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/), it will be necessary to install and trust the Cloudflare Zero Trust root certificate authority (CA) certificate on your user's devices. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. More details on how to install the root CA certificate can be found in [User-side certificates](/cloudflare-one/team-and-resources/devices/user-side-certificates/) in the Cloudflare Zero Trust documentation. diff --git a/src/content/partials/networking-services/cloudflare-wan/third-party/juniper.mdx b/src/content/partials/networking-services/cloudflare-wan/third-party/juniper.mdx index 7691509b264..8dd6f8aae2a 100644 --- a/src/content/partials/networking-services/cloudflare-wan/third-party/juniper.mdx +++ b/src/content/partials/networking-services/cloudflare-wan/third-party/juniper.mdx @@ -460,7 +460,7 @@ set interfaces ge-0/0/1 unit 0 family inet filter input CF_WAN_FBF_ALL Commit changes, then test traffic from a host on the 192.168.125.0/24 subnet to ensure it is forwarded through the Cloudflare WAN IPsec Tunnels. :::note -If you have Cloudflare One configured to perform [HTTPS traffic inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), ensure that you [install the Root CA certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. +If you have Cloudflare One configured to perform [HTTPS traffic inspection](/cloudflare-one/traffic-policies/tls-decryption/), ensure that you [install the Root CA certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. ::: ## Troubleshooting diff --git a/src/content/partials/networking-services/cloudflare-wan/third-party/palo-alto.mdx b/src/content/partials/networking-services/cloudflare-wan/third-party/palo-alto.mdx index 1d850c4ff0c..8c8a591cef9 100644 --- a/src/content/partials/networking-services/cloudflare-wan/third-party/palo-alto.mdx +++ b/src/content/partials/networking-services/cloudflare-wan/third-party/palo-alto.mdx @@ -608,7 +608,7 @@ set rulebase pbf rules cf-wan-to-internet-02 service any Commit changes, then test traffic from a host on the 192.168.125.0/24 subnet to ensure it is forwarded through the Cloudflare WAN IPsec Tunnels. :::note -If you have Cloudflare One configured to perform [HTTPS traffic inspection](/cloudflare-one/traffic-policies/policy-types/http-policies/tls-decryption/), ensure that you [install the Root CA certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. +If you have Cloudflare One configured to perform [HTTPS traffic inspection](/cloudflare-one/traffic-policies/tls-decryption/), ensure that you [install the Root CA certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. ::: ## Troubleshooting From b5151b56199620a92359240c5473b715f67a3561 Mon Sep 17 00:00:00 2001 From: mahathih Date: Mon, 13 Jul 2026 15:05:57 -0500 Subject: [PATCH 4/4] [Cloudflare One] Traffic policies: rework Proxy into Send traffic to Gateway; refresh overview --- public/__redirects | 3 ++ .../dlp-policies/index.mdx | 2 +- .../cloudflare-mesh/get-started.mdx | 4 +- .../private-net/cloudflared/private-dns.mdx | 2 +- .../troubleshoot-tunnels/common-errors.mdx | 2 +- .../ssh/ssh-infrastructure-access.mdx | 2 +- .../configure/settings/index.mdx | 2 +- .../traffic-policies/get-started/http.mdx | 2 +- .../traffic-policies/get-started/index.mdx | 2 +- .../traffic-policies/get-started/network.mdx | 4 +- .../cloudflare-one/traffic-policies/index.mdx | 12 +++--- .../http-policies/granular-controls.mdx | 2 +- .../reference/application-app-types.mdx | 2 +- ...{proxy.mdx => send-traffic-to-gateway.mdx} | 40 ++++++++++++------- .../traffic-policies/tls-decryption/http3.mdx | 2 +- .../configure-device-agent/enable-proxy.mdx | 2 +- .../tunnel/enable-gateway-proxy.mdx | 4 +- 17 files changed, 51 insertions(+), 38 deletions(-) rename src/content/docs/cloudflare-one/traffic-policies/{proxy.mdx => send-traffic-to-gateway.mdx} (59%) diff --git a/public/__redirects b/public/__redirects index 607d648ddbd..91d33f8f612 100644 --- a/public/__redirects +++ b/public/__redirects @@ -3017,3 +3017,6 @@ /cloudflare-one/traffic-policies/identity-selectors/* /cloudflare-one/traffic-policies/reference/identity-selectors/:splat 301 /cloudflare-one/traffic-policies/order-of-enforcement/* /cloudflare-one/traffic-policies/reference/order-of-enforcement/:splat 301 /cloudflare-one/traffic-policies/expression-syntax/* /cloudflare-one/traffic-policies/reference/policy-expressions/:splat 301 + +# Traffic policies: Proxy page reworked into Send traffic to Gateway +/cloudflare-one/traffic-policies/proxy/* /cloudflare-one/traffic-policies/send-traffic-to-gateway/:splat 301 diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx index 0061476a228..0ff55667fea 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx @@ -23,7 +23,7 @@ To scan AI prompts and responses without Gateway HTTP filtering, you can also en ## Prerequisites - Set up [Gateway HTTP filtering](/cloudflare-one/traffic-policies/get-started/http/). This routes your users' web traffic through Cloudflare Gateway so it can be inspected. - - HTTP filtering requires turning on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP traffic. + - HTTP filtering requires turning on the [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#turn-on-the-gateway-proxy) for TCP traffic. - Turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/#turn-on-tls-decryption). Because most web traffic is encrypted with HTTPS, Gateway must decrypt it before DLP can scan the request body for sensitive data. ## 1. Configure a DLP profile diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/get-started.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/get-started.mdx index 7e473086501..f99d7dd21a0 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/get-started.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-mesh/get-started.mdx @@ -93,7 +93,7 @@ When you create your first Mesh node, the setup wizard automatically provisions | [Device enrollment policy](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) | Allows devices to enroll into your Cloudflare One account using email-based [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/). Only created if you do not already have an existing device enrollment policy in your account. | | [Device profile](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) | Creates a profile configured with [Split Tunnels](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) in **Include mode**, so only Mesh traffic routes through Cloudflare. This prevents disrupting existing network connectivity on your server. Only created if you do not already have an active Mesh node (formerly WARP Connector) in your account. | | [Allow all Cloudflare One traffic to reach enrolled devices](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-all-cloudflare-one-traffic-to-reach-enrolled-devices) and [Assign a unique IP address to each device](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#assign-a-unique-ip-address-to-each-device) | Enables device-to-device connectivity for Mesh networking. | -| [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) | Enables the TCP, UDP, and ICMP traffic proxy for Mesh communication. | +| [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/) | Enables the TCP, UDP, and ICMP traffic proxy for Mesh communication. | ### Existing Cloudflare One accounts @@ -104,7 +104,7 @@ If your account already has a Cloudflare One deployment, the setup wizard will n - [ ] **Mesh connectivity** — In your device profile settings, enable [Allow all Cloudflare One traffic to reach enrolled devices](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-all-cloudflare-one-traffic-to-reach-enrolled-devices). - [ ] **Unique device IPs** — Enable [Assign a unique IP address to each device](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#assign-a-unique-ip-address-to-each-device) so that each participant gets a routable Mesh IP. - [ ] **Client mode** — Mesh nodes must run in [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/). DNS-only or proxy-only modes are not supported. -- [ ] **Traffic proxying** — Enable the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for TCP, UDP, and ICMP so that Mesh traffic can flow between devices. +- [ ] **Traffic proxying** — Enable the [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/) for TCP, UDP, and ICMP so that Mesh traffic can flow between devices. ## Troubleshooting diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx index bfd1d9cf814..3f65a517e2b 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx @@ -35,7 +35,7 @@ To resolve private DNS queries: - [Create a Local Domain Fallback entry](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) that points to the internal DNS resolver. For example, you can instruct the Cloudflare One Client to resolve all requests for `myorg.privatecorp` through an internal resolver at `10.0.0.25` rather than attempting to resolve this publicly. - Alternatively, [create a resolver policy](/cloudflare-one/traffic-policies/policy-types/resolver-policies/#create-a-resolver-policy) that points to the internal DNS resolver. -4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP and UDP. +4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#turn-on-the-gateway-proxy) for TCP and UDP. 5. Finally, ensure that your tunnel uses QUIC as the default [transport protocol](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#protocol). This will enable `cloudflared` to proxy UDP-based traffic which is required in most cases to resolve DNS queries. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx index 80744b348f2..5337e981844 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx @@ -62,7 +62,7 @@ For connection setup failures caused by blocked QUIC traffic, refer to the QUIC ## `ping` and `traceroute` commands do not work. -To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](/cloudflare-one/traffic-policies/proxy/#icmp). +To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#icmp). ## I see `Error: This route's network is inside an existing subnet's network at "100.96.0.0/12"`. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx index 110db157181..53e12f9d10b 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx @@ -35,7 +35,7 @@ import { Tabs, TabItem, Badge, Render, APIRequest, DashButton } from "~/componen To connect your devices to Cloudflare: 1. [Deploy the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your devices in Traffic and DNS mode. -2. [Enable the Gateway proxy for TCP](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). +2. [Enable the Gateway proxy for TCP](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#turn-on-the-gateway-proxy). 3. [Create device enrollment rules](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization. ## 3. Route server IPs through the Cloudflare One Client diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx index c3b4e30d689..45f5d23c475 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx @@ -152,7 +152,7 @@ The IP assigned to a device is permanent until the device unregisters from your Allows traffic on-ramped using [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/) or [Cloudflare WAN](/cloudflare-one/networks/connectors/cloudflare-wan/) to route to devices enrolled in your Zero Trust organization. -Each device is assigned a virtual IP address in the CGNAT IP space (`100.96.0.0/12`) or a [custom device IP range](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/). With this setting `Enabled`, users on your private network will be able to connect to these device IPs and access [TCP, UDP, and/or ICMP-based services](/cloudflare-one/traffic-policies/proxy/) on your devices. You can create [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to control which users and devices can access the device IPs. +Each device is assigned a virtual IP address in the CGNAT IP space (`100.96.0.0/12`) or a [custom device IP range](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/). With this setting `Enabled`, users on your private network will be able to connect to these device IPs and access [TCP, UDP, and/or ICMP-based services](/cloudflare-one/traffic-policies/send-traffic-to-gateway/) on your devices. You can create [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) to control which users and devices can access the device IPs. :::note Ensure that traffic destined to your device IPs routes from your private network to Cloudflare Gateway. For example, if you are using [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/) connectivity, you must configure your [Split Tunnel settings](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) so that traffic to your Mesh IPs routes through the tunnel. diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx index 9052022c0d2..f646bf7ffee 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/http.mdx @@ -33,7 +33,7 @@ To filter HTTP requests from a device: 1. [Install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. 2. [Install the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device. 3. In the Cloudflare One Client Settings, log in to your organization's Cloudflare One instance. -4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, enable the UDP proxy to also inspect QUIC traffic on port 443 — this covers HTTP/3, a newer protocol some browsers use by default. +4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#turn-on-the-gateway-proxy) for TCP. Optionally, enable the UDP proxy to also inspect QUIC traffic on port 443 — this covers HTTP/3, a newer protocol some browsers use by default. 5. To inspect HTTPS traffic, [enable TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/#turn-on-tls-decryption). TLS decryption allows Gateway to read encrypted requests. Without it, Gateway can see that a user visited `example.com` but not which specific page or what they uploaded. 6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/). diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx index f6fa71d1773..38833e4a51d 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/index.mdx @@ -42,7 +42,7 @@ For setup instructions, refer to [Set up DNS filtering](/cloudflare-one/traffic- After DNS filtering is in place, add network-level controls for non-HTTP traffic. -- Deploy the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) and enable the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for TCP. +- Deploy the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) and enable the [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/) for TCP. - Block traffic to high-risk IP ranges or restrict which ports and protocols users can access. - Use [protocol detection](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/) to identify applications by traffic pattern rather than port number. - Enable network session logging for audit trails. diff --git a/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx b/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx index 7503d3b8ff5..7d95bc19de4 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/get-started/network.mdx @@ -33,7 +33,7 @@ To filter network traffic from a device such as a laptop or phone: 1. [Install the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) on your device. 2. In the Cloudflare One Client Settings, log in to your organization's Cloudflare One instance. 3. (Optional) If you want to display a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) when users are blocked, [install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. Without the certificate, blocked users will see a generic browser connection error instead of an informative page. -4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. The Gateway proxy is what routes your device's traffic through Cloudflare so network policies can inspect it — without it enabled, your policies will have no effect. Optionally, enable the UDP proxy to also inspect QUIC traffic (a newer protocol used by HTTP/3 connections) on port 443. +4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#turn-on-the-gateway-proxy) for TCP. The Gateway proxy is what routes your device's traffic through Cloudflare so network policies can inspect it — without it enabled, your policies will have no effect. Optionally, enable the UDP proxy to also inspect QUIC traffic (a newer protocol used by HTTP/3 connections) on port 443. ### Connect private networks @@ -67,7 +67,7 @@ To verify your device is connected to Cloudflare One: 5. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Insights** > **Logs** > **Network logs**. Before building network policies, make sure you see network logs from the Source IP assigned to your device. -If no logs appear after a few minutes, check two things: first, verify that the [Gateway proxy is turned on](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). Second, confirm that the device is enrolled in your Zero Trust organization by checking the Cloudflare One Client connection status. +If no logs appear after a few minutes, check two things: first, verify that the [Gateway proxy is turned on](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#turn-on-the-gateway-proxy). Second, confirm that the device is enrolled in your Zero Trust organization by checking the Cloudflare One Client connection status. ## 3. Create your first network policy diff --git a/src/content/docs/cloudflare-one/traffic-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/index.mdx index 458ec463f65..ec237b5dbd6 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/index.mdx @@ -6,6 +6,7 @@ products: title: Traffic policies sidebar: order: 9 + label: Overview tags: - DNS - Video @@ -53,7 +54,7 @@ Gateway supports several policy types because network traffic can be inspected a
    -**[Packet filtering](/cloudflare-one/traffic-policies/policy-types/packet-filtering/network-firewall-overview/)** inspects raw network packets and blocks traffic based on properties like source IP address or protocol. It does not need to know who the user is or what session they belong to. +**[Packet filtering](/cloudflare-one/traffic-policies/policy-types/packet-filtering/)** inspects raw network packets and blocks traffic based on properties like source IP address or protocol. It does not need to know who the user is or what session they belong to. Use packet filtering to drop unwanted traffic before it reaches any other policy. @@ -162,14 +163,14 @@ The connection method (on-ramp) you use determines which policy types Gateway ca | [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (WARP) | Yes | Yes | Yes | Roaming users on managed devices (laptops, phones) | | [DNS resolver](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) configuration | Yes | No | No | Unmanaged devices, entire networks, or initial rollout | | [Proxy endpoint](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) (PAC file) | No | No | Yes (browser only) | Browser-level HTTP filtering without a device agent | -| [Network tunnel](/cloudflare-one/networks/) (IPsec/GRE via Magic WAN) | Yes | Yes | Yes | Branch offices, data centers, and site-level connectivity | +| [Cloudflare WAN](/cloudflare-one/networks/connectors/cloudflare-wan/) | Yes | Yes | Yes | Branch offices, data centers, and site-level connectivity | - The **Cloudflare One Client** provides the broadest coverage and is the recommended method for per-device deployments. - **DNS resolver** configuration is the easiest to deploy (change a DNS setting on your router or device) and provides immediate protection, but it only enforces DNS policies. - **Proxy endpoints** enable HTTP inspection through browser proxy configuration without installing an agent, but they are limited to browser traffic. -- **Network tunnels** route all site traffic through Gateway and are best for protecting entire office locations or data centers. +- **Cloudflare WAN** routes site traffic through Gateway and is best for protecting entire office locations or data centers. -You can combine multiple on-ramps. For example, use the Cloudflare One Client for remote employees and network tunnels for branch offices. +You can combine multiple connection methods. For example, use the Cloudflare One Client for remote employees and Cloudflare WAN for branch offices. For more information, refer to [Send traffic to Gateway](/cloudflare-one/traffic-policies/send-traffic-to-gateway/). ## How Gateway processes traffic @@ -196,9 +197,8 @@ flowchart LR 4. Gateway evaluates the request against your configured policies in [order of enforcement](/cloudflare-one/traffic-policies/reference/order-of-enforcement/): DNS policies first, then network policies, then HTTP policies. 5. If policies allow the request, Gateway proxies it to the destination server and inspects the response on the return path. -For details on how Gateway proxies traffic and establishes connections, refer to [Proxy](/cloudflare-one/traffic-policies/proxy/). +For details on how to connect devices, networks, and private resources to Gateway, refer to [Send traffic to Gateway](/cloudflare-one/traffic-policies/send-traffic-to-gateway/). ## Troubleshoot Cloudflare Gateway policies For help resolving common issues with Cloudflare Gateway policies, refer to [Troubleshooting](/cloudflare-one/traffic-policies/troubleshooting/). - diff --git a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx index 0d0385528fd..096b6855168 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/policy-types/http-policies/granular-controls.mdx @@ -27,7 +27,7 @@ To use Application Granular Controls, you must: - Install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on your users' devices. - Turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). -- Turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). +- Turn on the [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#turn-on-the-gateway-proxy). - (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](/cloudflare-one/traffic-policies/tls-decryption/http3/#enable-http3-inspection). - (Optional) To turn on [AI prompt logging](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content), create a [DLP payload encryption public key](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key). diff --git a/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx b/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx index 0c32d28ba73..f90d002a0b9 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/reference/application-app-types.mdx @@ -65,7 +65,7 @@ Gateway sorts applications into the following app type groups: | Sports | Sports streaming and news applications | | Travel | Travel related applications | | Video Streaming & Editing | Applications used for streaming and editing video | -| [Do Not Inspect](#do-not-inspect-applications) | Applications incompatible with the TLS certificate required by the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) | +| [Do Not Inspect](#do-not-inspect-applications) | Applications incompatible with the TLS certificate required by the [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/) | ## Application hostnames diff --git a/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx b/src/content/docs/cloudflare-one/traffic-policies/send-traffic-to-gateway.mdx similarity index 59% rename from src/content/docs/cloudflare-one/traffic-policies/proxy.mdx rename to src/content/docs/cloudflare-one/traffic-policies/send-traffic-to-gateway.mdx index 1ebfe5c021c..a9c63d50894 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/send-traffic-to-gateway.mdx @@ -1,34 +1,42 @@ --- pcx_content_type: concept -description: How Proxy works in Gateway. +description: Choose how devices, networks, and private resources send traffic to Cloudflare Gateway for inspection and filtering. products: - cloudflare-one -title: Proxy +title: Send traffic to Gateway sidebar: - order: 12 + order: 1 tags: - TCP - UDP - ICMP --- -import { Tabs, TabItem, Render } from "~/components"; +import { Tabs, TabItem, Details } from "~/components"; -You can forward [HTTP](/cloudflare-one/traffic-policies/get-started/http/) and [network](/cloudflare-one/traffic-policies/get-started/network/) traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, Generic Routing Encapsulation (GRE) tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server. +Cloudflare Gateway can inspect traffic after it reaches Cloudflare. The connection method you choose determines which traffic Gateway receives and which policy types Gateway can enforce. -The Gateway proxy is required for filtering HTTP and network traffic via the Cloudflare One Client in Traffic and DNS mode. To proxy HTTP traffic without deploying the Cloudflare One Client, you can configure [PAC files](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) on your devices. +You can send traffic to Gateway from individual devices, DNS resolvers, browsers, offices, data centers, and private networks. You can also combine methods. For example, use the Cloudflare One Client for roaming users and Cloudflare WAN for branch offices. -## Proxy algorithm +## Choose a connection method -Gateway uses the [Happy Eyeballs algorithm](https://datatracker.ietf.org/doc/html/rfc6555), which tries IPv4 and IPv6 connections with a staggered fallback and uses whichever address family responds first, to proxy traffic in the following order: +The following table summarizes the main ways to send traffic to Gateway: -1. The user's browser initiates the TCP handshake by sending Gateway a TCP SYN segment. -2. Gateway sends a SYN segment to the origin server. -3. If the origin server sends a SYN-ACK segment back, Gateway establishes separate TCP connections between the user and Gateway and between Gateway and the origin server. -4. Gateway inspects and filters traffic received from the user. -5. If the traffic passes inspection, Gateway proxies traffic bidirectionally between the user and the origin server. +| Connection method | Traffic sent to Gateway | Best for | Next step | +| --- | --- | --- | --- | +| [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) | Device DNS, network, and HTTP traffic | Managed laptops, phones, and desktops | [Set up the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/set-up/) | +| [DNS locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) | DNS queries | Networks, unmanaged devices, or DNS-only filtering | [Add a DNS location](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) | +| [Proxy endpoints](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) | Browser HTTP and HTTPS traffic | Browser-level filtering without a device client | [Create a proxy endpoint](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#1-create-a-proxy-endpoint) | +| [Cloudflare WAN](/cloudflare-one/networks/connectors/cloudflare-wan/) | Site traffic through GRE, IPsec, CNI, or the Cloudflare One Appliance | Offices, data centers, and private networks | [Choose a Cloudflare WAN on-ramp](/cloudflare-one/networks/connectors/cloudflare-wan/on-ramps/) | +| [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/) | Private IP traffic between Mesh participants | Device-to-device, site-to-site, and mesh connectivity | [Create a Mesh node](/cloudflare-one/networks/connectors/cloudflare-mesh/get-started/) | - +## Connect private resources + +Gateway can also inspect traffic that is directed to private resources connected to Cloudflare. Use the method that matches how users and services need to reach those resources: + +- [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects specific private applications, hostnames, or IP routes to Cloudflare with `cloudflared`. +- [Cloudflare Mesh](/cloudflare-one/networks/connectors/cloudflare-mesh/) connects devices, servers, and subnets through Mesh IPs. +- [Cloudflare WAN](/cloudflare-one/networks/connectors/cloudflare-wan/) connects sites and networks with Cloudflare WAN on-ramps. ## Supported protocols @@ -54,7 +62,7 @@ The ICMP proxy allows ICMP traffic to reach your private network through Gateway Gateway cannot log or filter ICMP traffic. ::: -#### Allow ICMP traffic through `cloudflared` +
    To use the ICMP proxy with Cloudflare Tunnel, you may need to configure the `cloudflared` host to allow ICMP traffic through `cloudflared`. @@ -118,6 +126,8 @@ By default the [`cloudflared` Docker container](https://github.com/cloudflare/cl +
    + ## Turn on the Gateway proxy The Gateway proxy toggle only applies to traffic from Cloudflare One Client devices. Gateway will always proxy traffic sent with [PAC files](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) or [Browser Isolation](/cloudflare-one/remote-browser-isolation/) regardless of this setting. diff --git a/src/content/docs/cloudflare-one/traffic-policies/tls-decryption/http3.mdx b/src/content/docs/cloudflare-one/traffic-policies/tls-decryption/http3.mdx index 718d21b569b..6bdb24cdb9d 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/tls-decryption/http3.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/tls-decryption/http3.mdx @@ -19,7 +19,7 @@ Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refe ## Turn on HTTP/3 inspection -Before you can inspect any HTTPS traffic, you must deploy a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to your devices and turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). To inspect HTTP/3 traffic, you must also turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for UDP. +Before you can inspect any HTTPS traffic, you must deploy a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to your devices and turn on [TLS decryption](/cloudflare-one/traffic-policies/tls-decryption/). To inspect HTTP/3 traffic, you must also turn on the [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/) for UDP. To turn on the Gateway proxy for UDP and TLS decryption: diff --git a/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx index bbf53146e18..296a869dcbe 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx @@ -23,4 +23,4 @@ import { Render } from "~/components"; 3. (Recommended) To proxy all port `443` traffic, including internal DNS queries, select **UDP**. 4. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/policy-types/http-policies/antivirus-scanning/). -Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/traffic-policies/proxy/). +Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/). diff --git a/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx b/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx index 423237a929b..3db2984ff89 100644 --- a/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx +++ b/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx @@ -10,7 +10,7 @@ import { Tabs, TabItem } from "~/components"; 2. In **Proxy and inspection**, turn on **Allow Secure Web Gateway to proxy traffic**. 3. Select **TCP**. 4. Select **UDP** (required to proxy traffic to internal DNS resolvers). -5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/traffic-policies/proxy/#icmp) to allow ICMP traffic through `cloudflared`. +5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/traffic-policies/send-traffic-to-gateway/#icmp) to allow ICMP traffic through `cloudflared`. @@ -31,4 +31,4 @@ import { Tabs, TabItem } from "~/components"; -Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/traffic-policies/proxy/). +Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-the-cloudflare-one-client). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/traffic-policies/send-traffic-to-gateway/).