Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 28 additions & 5 deletions public/__redirects
Original file line number Diff line number Diff line change
Expand Up @@ -1368,7 +1368,7 @@
# CF1 MSP page moved under tiered-policies
/cloudflare-one/traffic-policies/managed-service-providers/ /cloudflare-one/traffic-policies/tiered-policies/tenant-api/ 301
# CF1 packet filtering overview rename
/cloudflare-one/traffic-policies/packet-filtering/magic-firewall-overview/ /cloudflare-one/traffic-policies/packet-filtering/network-firewall-overview/ 301
/cloudflare-one/traffic-policies/packet-filtering/magic-firewall-overview/ /cloudflare-one/traffic-policies/policy-types/packet-filtering/network-firewall-overview/ 301
# cross-product magic-firewall slug renames
/learning-paths/data-center-protection/enable-magic-firewall/ /learning-paths/data-center-protection/enable-network-firewall/ 301
/analytics/graphql-api/tutorials/querying-magic-firewall-samples/ /analytics/graphql-api/tutorials/querying-network-firewall-samples/ 301
Expand Down Expand Up @@ -2682,8 +2682,8 @@
/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/ /cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/ 301
/cloudflare-one/connections/connect-apps/configuration/config/ /cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/ 301
/cloudflare-one/connections/connect-devices/warp/install-cloudflare-cert/ /cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/ 301
/cloudflare-one/traffic-policies/packet-filtering/add-rules/ /cloudflare-one/traffic-policies/packet-filtering/add-policies/ 301
/cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-rules/ /cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-policies/ 301
/cloudflare-one/traffic-policies/packet-filtering/add-rules/ /cloudflare-one/traffic-policies/policy-types/packet-filtering/add-policies/ 301
/cloudflare-one/traffic-policies/packet-filtering/create-rate-limiting-rules/ /cloudflare-one/traffic-policies/policy-types/packet-filtering/create-rate-limiting-policies/ 301
/cloudflare-one/connections/connect-networks/locations/configuring-a-location/ /cloudflare-one/team-and-resources/devices/agentless/dns/locations/ 301
/cloudflare-one/identity/authorization-cookie/cors/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/ 301
/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/ /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ 301
Expand All @@ -2697,7 +2697,7 @@
/cloudflare-one/data-loss-prevention/saas-apps-dlp/ /cloudflare-one/cloud-and-saas-findings/casb-dlp/ 301
/cloudflare-one/policies/data-loss-prevention/exact-data-match/ /cloudflare-one/data-loss-prevention/detection-entries/#exact-data-match 301
/cloudflare-one/policies/filtering/configuring-block-page/ /cloudflare-one/reusable-components/custom-pages/gateway-block-page/ 301
/cloudflare-one/policies/filtering/dns-policies/safesearch/ /cloudflare-one/traffic-policies/dns-policies/#safe-search 301
/cloudflare-one/policies/filtering/dns-policies/safesearch/ /cloudflare-one/traffic-policies/policy-types/dns-policies/#safe-search 301
/cloudflare-one/policies/gateway/block-page/ /cloudflare-one/reusable-components/custom-pages/gateway-block-page/ 301
/cloudflare-one/policies/lists/ /cloudflare-one/reusable-components/lists/ 301
/cloudflare-one/technical-limitations/ /cloudflare-one/account-limits/ 301
Expand Down Expand Up @@ -2727,7 +2727,7 @@
/cloudflare-one/identity/mutual-tls-authentication/ /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ 301
/cloudflare-one/identity/service-tokens/ /cloudflare-one/access-controls/service-credentials/service-tokens/ 301
/cloudflare-one/identity/one-time-pin/ /cloudflare-one/integrations/identity-providers/one-time-pin/ 301
/cloudflare-one/traffic-policies/ids/ /cloudflare-one/traffic-policies/enable-ids/ 301
/cloudflare-one/traffic-policies/ids/ /cloudflare-one/traffic-policies/policy-types/packet-filtering/ids/ 301

# Catch-all redirects (must come last)
/cloudflare-one/faq/troubleshooting/ /cloudflare-one/troubleshooting/ 301
Expand Down Expand Up @@ -2997,3 +2997,26 @@

# Bots: signed agents deprecated -> verified bots
/bots/concepts/bot/signed-agents/* /bots/concepts/bot/verified-bots/ 301

# Traffic policies: group policy types under policy-types/
/cloudflare-one/traffic-policies/dns-policies/* /cloudflare-one/traffic-policies/policy-types/dns-policies/:splat 301
/cloudflare-one/traffic-policies/network-policies/* /cloudflare-one/traffic-policies/policy-types/network-policies/:splat 301
# Traffic policies: TLS decryption elevated to its own section
/cloudflare-one/traffic-policies/http-policies/tls-decryption/* /cloudflare-one/traffic-policies/tls-decryption/:splat 301
/cloudflare-one/traffic-policies/http-policies/http3/* /cloudflare-one/traffic-policies/tls-decryption/http3/:splat 301
/cloudflare-one/traffic-policies/http-policies/* /cloudflare-one/traffic-policies/policy-types/http-policies/:splat 301
/cloudflare-one/traffic-policies/egress-policies/* /cloudflare-one/traffic-policies/policy-types/egress-policies/:splat 301
/cloudflare-one/traffic-policies/packet-filtering/* /cloudflare-one/traffic-policies/policy-types/packet-filtering/:splat 301
/cloudflare-one/traffic-policies/resolver-policies/* /cloudflare-one/traffic-policies/policy-types/resolver-policies/:splat 301
/cloudflare-one/traffic-policies/enable-ids/* /cloudflare-one/traffic-policies/policy-types/packet-filtering/ids/:splat 301

# Traffic policies: group reference pages under reference/
/cloudflare-one/traffic-policies/application-app-types/* /cloudflare-one/traffic-policies/reference/application-app-types/:splat 301
/cloudflare-one/traffic-policies/domain-categories/* /cloudflare-one/traffic-policies/reference/domain-categories/:splat 301
/cloudflare-one/traffic-policies/global-policies/* /cloudflare-one/traffic-policies/reference/global-policies/:splat 301
/cloudflare-one/traffic-policies/identity-selectors/* /cloudflare-one/traffic-policies/reference/identity-selectors/:splat 301
/cloudflare-one/traffic-policies/order-of-enforcement/* /cloudflare-one/traffic-policies/reference/order-of-enforcement/:splat 301
/cloudflare-one/traffic-policies/expression-syntax/* /cloudflare-one/traffic-policies/reference/policy-expressions/:splat 301

# Traffic policies: Proxy page reworked into Send traffic to Gateway
/cloudflare-one/traffic-policies/proxy/* /cloudflare-one/traffic-policies/send-traffic-to-gateway/:splat 301
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ date: 2026-04-14
- Enables any participant to reach any other participant by IP — including client-to-client, without deploying any infrastructure.
- Supports [CIDR routes](/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) for subnet routing through Mesh nodes.
- Supports [high availability](/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) with active-passive replicas for nodes with routes.
- All traffic flows through Cloudflare, so [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/), [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and access rules apply to every connection.
- All traffic flows through Cloudflare, so [Gateway network policies](/cloudflare-one/traffic-policies/policy-types/network-policies/), [device posture checks](/cloudflare-one/reusable-components/posture-checks/), and access rules apply to every connection.

### What changed

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ products:
date: 2026-05-27
---

[Cloudflare Gateway](/cloudflare-one/traffic-policies/) policy selectors which support regular expressions can now be authored in the dashboard using natural language. When building a [policy](/cloudflare-one/traffic-policies/expression-syntax/) with a regex-based selector (like `matches regex`), you can describe what you want to match in plain English and the Cloudflare Agent will generate and validate a corresponding regular expression.
[Cloudflare Gateway](/cloudflare-one/traffic-policies/) policy selectors which support regular expressions can now be authored in the dashboard using natural language. When building a [policy](/cloudflare-one/traffic-policies/reference/policy-expressions/) with a regex-based selector (like `matches regex`), you can describe what you want to match in plain English and the Cloudflare Agent will generate and validate a corresponding regular expression.

![Write policy regex using natural language](~/assets/images/changelog/cloudflare-one/gateway-regex-ai-generation.png)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ To help you apply these topics quickly, we have also released five new predefine

3. **Granular Guardrails**

You can now build guardrails using Gateway HTTP policies with [application granular controls](/cloudflare-one/traffic-policies/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts.
You can now build guardrails using Gateway HTTP policies with [application granular controls](/cloudflare-one/traffic-policies/policy-types/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts.

![DLP](~/assets/images/changelog/dlp/ai-prompt-policy.png)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,4 @@ For example, consider a policy that blocks Social Security Numbers (SSNs). Previ

All policies without this selector will continue to scan both request and response bodies to ensure continued protection.

For more information, refer to [Gateway HTTP policy selectors](/cloudflare-one/traffic-policies/http-policies/#body-phase).
For more information, refer to [Gateway HTTP policy selectors](/cloudflare-one/traffic-policies/policy-types/http-policies/#body-phase).
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ We have expanded Gateway's file type controls to include:
- Microsoft Software Installer (msix, appx)
- Apple Software Package (pkg)

You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows:
You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows:

- **System**: _Apple Disk Image (dmg)_
- **Executable**: _Microsoft Software Installer (msix)_, _Microsoft Software Installer (appx)_, _Apple Software Package (pkg)_
Expand All @@ -22,4 +22,4 @@ To ensure these file types are blocked effectively, please note the following be
- DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file.
- MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type _Unscannable_. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection.

To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](/cloudflare-one/traffic-policies/http-policies/#supported-file-types).
To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](/cloudflare-one/traffic-policies/policy-types/http-policies/#supported-file-types).
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ You can now define custom topics for AI prompt protection. Predefined [AI prompt

You describe a custom topic in natural language, and Cloudflare DLP detects whether a prompt matches that topic based on context rather than specific keywords. For example, a topic that describes confidential merger discussions matches a prompt that paraphrases the deal, even when the prompt never uses the word merger or names the companies involved. To detect literal values such as internal codenames or product identifiers, use a [custom wordlist or pattern entry](/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#custom-wordlist-datasets) instead.

Custom topics run through the same [application granular controls](/cloudflare-one/traffic-policies/http-policies/#granular-controls) path as predefined AI prompt topics. Custom topics are available for ChatGPT, Google Gemini, Perplexity, and Claude.
Custom topics run through the same [application granular controls](/cloudflare-one/traffic-policies/policy-types/http-policies/#granular-controls) path as predefined AI prompt topics. Custom topics are available for ChatGPT, Google Gemini, Perplexity, and Claude.

## Create a custom AI prompt topic

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,6 @@ Source code detection requires a minimum of 500 characters to evaluate a file. F

Enable and set [confidence levels](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-thresholds) to tune match sensitivity. A higher confidence level reduces false positives by requiring stronger signals that the content is truly source code. A lower confidence level catches more files at the cost of additional noise.

Source code detection applies to standalone source code files in [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/). It does not detect source code embedded within other file types or payloads, such as `.docx` files or chat messages.
Source code detection applies to standalone source code files in [Gateway HTTP policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). It does not detect source code embedded within other file types or payloads, such as `.docx` files or chat messages.

For more information, refer to [Source Code predefined profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code).
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import { Render } from "~/components";

Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.

These unscannable files are now matched with the [Download and Upload File Types traffic selectors](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies:
These unscannable files are now matched with the [Download and Upload File Types traffic selectors](/cloudflare-one/traffic-policies/policy-types/http-policies/#download-and-upload-file-types) for HTTP policies:

<Render file="gateway/policies/unscannable-files" product="cloudflare-one" />

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,4 @@ You can now use more flexible redirect capabilities in Cloudflare One with Gatew
- A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
- For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.

Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page).
Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/policy-types/http-policies/#redirect) and [Block page redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page).
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ Cloudflare One administrators can now control which egress IP is used based on a

- Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
- During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.
- For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](/cloudflare-one/traffic-policies/egress-policies/#limitations).
- For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](/cloudflare-one/traffic-policies/policy-types/egress-policies/#limitations).

![Egress by FQDN and Hostname](~/assets/images/gateway/Gateway-Egress-FQDN-Policy-preview.png)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,4 +13,4 @@ With this update, you can:
- Manage outbound traffic more effectively
- Improve your organization's security and compliance posture

For more information on creating DNS policies, see our [DNS policy documentation](/cloudflare-one/traffic-policies/dns-policies/).
For more information on creating DNS policies, see our [DNS policy documentation](/cloudflare-one/traffic-policies/policy-types/dns-policies/).
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,4 @@ date: 2025-05-14
| Government | Government/Legal |
| Redirect | URL Alias/Redirect |

Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/domain-categories/) to learn more.
Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/reference/domain-categories/) to learn more.
Original file line number Diff line number Diff line change
Expand Up @@ -11,4 +11,4 @@ All Cloudflare One Gateway users can now use Protocol detection logging and filt

With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier.

This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](/cloudflare-one/traffic-policies/network-policies/protocol-detection/).
This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](/cloudflare-one/traffic-policies/policy-types/network-policies/protocol-detection/).
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ hidden: false
date: 2025-06-18
---

[Gateway](/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.
[Gateway](/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/traffic-policies/policy-types/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/traffic-policies/policy-types/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.

This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.

Expand Down Expand Up @@ -50,4 +50,4 @@ This update is based on user feedback and aims to:

---

To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/traffic-policies/order-of-enforcement/).
To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/traffic-policies/reference/order-of-enforcement/).
Loading