List examples

Account limits

This page lists the default account limits for rules, applications, fields, and other features. These limits may be increased on Enterprise accounts. To request a limit increase, contact your account team.

Any valid service token

The request will need to present the headers for any service token created for this account.

Azure® Group

Allow members of an Azure Group. The ID is the group UUID (id) in Azure.

Common name

The request will need to present a valid certificate with an expected common name.

Email

Allow a specific email address.

Access API examples

You can use the Cloudflare Access API to create policies, including individual rule blocks inside of group or policy bodies. For example, this policy allows all Cloudflare email account users to reach the application with the exception of one account:

Service token

The request will need to present the correct service token headers.

Terraform

Terraform is a tool for building, changing, and versioning infrastructure, and provides components and documentation for building Cloudflare resources. Listed below are examples to help you get started with building Access with Terraform. For a more generalized guide on configuring Cloudflare and Terraform, visit our Getting Started with Terraform and Cloudflare blog post.

DNS policy

Block users in a group from accessing a site.

HTTP policy

Block specific users from accessing a site.

Gateway API examples

You can use the Cloudflare Gateway API to create DNS, network, and HTTP policies, including policies with multiple traffic, identity, and device posture conditions.

API and Terraform

This section covers a few common use cases with the API and Terraform to manage Cloudflare Zero Trust. For more information, refer to our API documentation and Terraform reference guide.

Scoped API tokens

The administrators managing policies and groups in Cloudflare Access might be different from the users responsible for configuring WAF custom rules or other Cloudflare settings. Cloudflare Access supports scoped API tokens so that team members and automated systems can manage settings specific to Access without having permission to modify other configurations in Cloudflare.

App Launcher

With the Access App Launcher, users can open all applications that they have access to from a single dashboard.

Block page

You can display a custom block page when users fail to authenticate to an Access application. Each application can have a different block page.

Add bookmarks

With Cloudflare Zero Trust, you can show applications on the App Launcher even if those applications are not secured behind Access. This way, users can access all the applications they need to work, all in one place — regardless of whether those applications are protected by Access.

Cloudflare dashboard SSO application

By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.

Add web applications

Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. Users can only log in to the application if they meet the criteria you want to introduce.

Adobe Acrobat Sign

This guide covers how to configure Adobe Acrobat Sign as a SAML application in Cloudflare Zero Trust.

Area 1

Cloudflare Area 1 is an email security platform that protects your organization’s inbox from phishing, spam, and other malicious messages. This guide covers how to configure Area 1 as a SAML application in Cloudflare Zero Trust.

Asana

This guide covers how to configure Asana as a SAML application in Cloudflare Zero Trust.

Atlassian Cloud

This guide covers how to configure Atlassian Cloud as a SAML application in Cloudflare Zero Trust.

AWS

This guide covers how to configure AWS as a SAML application in Cloudflare Zero Trust.

Braintree

This guide covers how to configure Braintree as a SAML application in Cloudflare Zero Trust.

Coupa

This guide covers how to configure Coupa as a SAML application in Cloudflare Zero Trust.

Digicert

This guide covers how to configure Digicert as a SAML application in Cloudflare Zero Trust.

DocuSign

This guide covers how to configure DocuSign as a SAML application in Cloudflare Zero Trust.

Dropbox

This guide covers how to configure Dropbox as a SAML application in Cloudflare Zero Trust.

Generic OIDC application

This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the OpenID Connect (OIDC) authentication protocol.

Generic SAML application

This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol.

GitHub Enterprise Cloud

This guide covers how to configure GitHub Enterprise Cloud as a SAML application in Cloudflare Zero Trust.

Google Cloud

This guide covers how to configure Google Cloud as a SAML application in Cloudflare Zero Trust.

Google Workspace

This guide covers how to configure Google Workspace as a SAML application in Cloudflare Zero Trust.

Grafana Cloud

This guide covers how to configure Grafana Cloud as an OIDC application in Cloudflare Zero Trust.

Grafana

This guide covers how to configure Grafana as an OIDC application in Cloudflare Zero Trust.

Greenhouse Recruiting

This guide covers how to configure Greenhouse Recruiting as a SAML application in Cloudflare Zero Trust.

Hubspot

This guide covers how to configure Hubspot as a SAML application in Cloudflare Zero Trust.

SaaS applications

Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and is only granted access if they pass your Access policies.

Ironclad

This guide covers how to configure Ironclad as a SAML application in Cloudflare Zero Trust.

Jamf Pro

This guide covers how to configure Jamf Pro as a SAML application in Cloudflare Zero Trust.

Miro

This guide covers how to configure Miro as a SAML application in Cloudflare Zero Trust.

PagerDuty

This guide covers how to configure PagerDuty as a SAML application in Cloudflare Zero Trust.

Pingboard

This guide covers how to configure Pingboard as a SAML application in Cloudflare Zero Trust.

Salesforce (OIDC)

This guide covers how to configure Salesforce as an OpenID Connect (OIDC) application in Cloudflare Zero Trust.

Salesforce (SAML)

This guide covers how to configure Salesforce as a SAML application in Cloudflare Zero Trust.

ServiceNow (OIDC)

This guide covers how to configure ServiceNow as an OIDC application in Cloudflare Zero Trust.

ServiceNow (SAML)

This guide covers how to configure ServiceNow as a SAML application in Cloudflare Zero Trust.

Slack

This guide covers how to configure Slack as a SAML application in Cloudflare Zero Trust.

Smartsheet

This guide covers how to configure Smartsheet as a SAML application in Cloudflare Zero Trust.

SparkPost

This guide covers how to configure SparkPost or SparkPost EU as a SAML application in Cloudflare Zero Trust.

Tableau Cloud

This guide covers how to configure Tableau Cloud as a SAML application in Cloudflare Zero Trust.

Workday

This guide covers how to configure Workday as a SAML application in Cloudflare Zero Trust.

Zendesk

This guide covers how to configure Zendesk as a SAML application in Cloudflare Zero Trust.

Zoom

This guide covers how to configure Zoom as a SAML application in Cloudflare Zero Trust.

Self-hosted applications

Cloudflare Access allows you to securely publish internal tools and applications to the Internet by providing an authentication layer between the end user and your origin server. You can use signals from your existing identity providers (IdPs), device posture providers, and other rules to control who can access your application.

Applications

Cloudflare Zero Trust can secure self-hosted and SaaS applications with Zero Trust rules.

Login page

You can customize the login page that is displayed to end users when they go to an Access application.

Arbitrary TCP

Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to resources over arbitrary TCP without being on a virtual private network (VPN).

Connect using cloudflared

With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the WARP client. This method requires you to onboard a domain to Cloudflare and install cloudflared on both the server and the user’s device.

Add non-HTTP applications

You can secure non-HTTP applications by connecting your private network to Cloudflare. Users reach the application by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.

Scan for sensitive data

You can use Cloudflare Data Loss Prevention (DLP) to discover if files stored in your SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then enable those profiles in a CASB integration.

Atlassian Confluence

For the Confluence Cloud integration to function, Cloudflare CASB requires the following permissions via an OAuth 2.0 app:

Atlassian Jira

For the Jira Cloud integration to function, Cloudflare CASB requires the following permissions via an OAuth 2.0 app:

Box

For the Box integration to function, Cloudflare CASB requires the following Box permissions via an OAuth 2.0 app:

Dropbox

For the Dropbox integration to function, Cloudflare CASB requires the following Dropbox permissions via an OAuth 2.0 app:

GitHub

For the GitHub integration to function, Cloudflare CASB requires the following GitHub API permissions:

Gmail

Refer to Google Workspace integration permissions for information on which API permissions to enable.

Google Admin

Refer to Google Workspace integration permissions for information on which API permissions to enable.

Google Calendar

Refer to Google Workspace integration permissions for information on which API permissions to enable.

Google Drive

Refer to Google Workspace integration permissions for information on which API permissions to enable.

Google Workspace

This integration covers the following Google Workspace products:

Admin Center

Refer to Microsoft 365 integration permissions for information on which API permissions to enable.

Microsoft 365

This integration covers the following Microsoft 365 products:

OneDrive

Refer to Microsoft 365 integration permissions for information on which API permissions to enable.

Outlook

Refer to Microsoft 365 integration permissions for information on which API permissions to enable.

SharePoint

Refer to Microsoft 365 integration permissions for information on which API permissions to enable.

Salesforce

For the Salesforce integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App:

ServiceNow

For the ServiceNow integration to function, Cloudflare CASB requires the following permissions:

Slack

For the Slack integration to function, Cloudflare CASB requires the following Slack API permissions:

Scan SaaS applications

Cloudflare’s API-driven Cloud Access Security Broker (CASB) scans SaaS applications for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in.

Manage findings

Findings are security issues detected within SaaS applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Zero Trust and immediately start taking action on the issues found.

Access

Review recent changes to Cloudflare Access.

CASB

Review recent changes to Cloudflare CASB.

Gateway

Review recent changes to Cloudflare Gateway.

Changelog

Review recent changes to Cloudflare One.

Risk score

Review recent changes to Cloudflare Zero Trust user risk scoring.

DNS over HTTPS (DoH)

With Cloudflare Gateway, you can filter DNS over HTTPS (DoH) requests by DNS location or by user without needing to install the WARP client on your devices.

DNS over TLS (DoT)

By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.

DNS resolver IPs and hostnames

When you create a DNS location, Gateway assigns IPv4/IPv6 addresses and DoT/DoH hostnames to that location. These are the IP addresses and hostnames you send your DNS queries to for Gateway to resolve.

Add locations

DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers.

Agentless options

If you are unable to install the WARP client on your devices (for example, Windows Server does not support the WARP client), you can use agentless options to enable a subset of Zero Trust features.

HTTP

You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file.

Connect devices

Configure devices to send DNS queries to Cloudflare, or proxy all traffic leaving the device through Cloudflare’s network.

Device profiles

A device profile defines WARP client settings for a specific set of devices in your organization. You can create multiple profiles and apply different settings based on the user’s identity, the device’s location, and other criteria.

Configure WARP

You can configure WARP client settings to work alongside existing infrastructure and provide users with differential access to resources.

Managed networks

Cloudflare WARP allows you to selectively apply WARP client settings if the device is connected to a secure network location such as an office.

Route traffic

When the WARP client is deployed on a device, Cloudflare processes all DNS requests and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS requests or network traffic from WARP.

Local Domain Fallback

By default, Cloudflare Zero Trust excludes common top-level domains, used for local resolution, from being sent to Gateway for processing. These top-level domains are resolved by the local DNS resolver configured for the device on its primary interface.

Split Tunnels

Split Tunnels can be configured to exclude or include IP addresses or domains from going through WARP. This feature is commonly used to run WARP alongside a VPN (in Exclude mode) or to provide access to a specific private network (in Include mode).

WARP architecture

This guide explains how the Cloudflare WARP client interacts with a device’s operating system to route traffic in Gateway with WARP mode.

Enable Device Information Only

Device Information Only mode allows you to enforce device posture rules when a user connects to your self-hosted Access application. This mode relies on a client certificate generated from your account to establish trust between the Access application and the device.

WARP modes

You can deploy the WARP client in different modes to control the types of traffic sent to Cloudflare Gateway. The WARP mode determines which Zero Trust features are available on the device.

WARP sessions

Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your Access applications or as part of your Gateway policies.

Captive portal detection

Captive portals are used by public Wi-Fi networks (such as airports, coffee shops, and hotels) to make a user agree to their Terms of Service or provide payment before allowing access to the Internet. When a user connects to the Wi-Fi, the captive portal blocks all HTTPS traffic until the user completes a captive portal login flow in their browser. This prevents the WARP client from connecting to Cloudflare. At the same time, WARP creates firewall rules on the device to send all traffic to Cloudflare. The user is therefore unable to access the captive portal login screen unless they temporarily disable WARP.

WARP settings

WARP settings define the WARP client modes and permissions available to end users.

Device enrollment permissions

Device enrollment permissions determine which users can connect new devices to your organization’s Cloudflare Zero Trust instance.

WARP with firewall

If your organization uses a firewall or other policies to restrict or intercept Internet traffic, you may need to exempt the following IP addresses and domains to allow the WARP client to connect.

Deploy WARP

Depending on how your organization is structured, you can deploy WARP in one of two ways:

Manual deployment

If you plan to direct your users to manually download and configure the WARP client, users will need to connect the client to your organization’s Cloudflare Zero Trust instance.

Managed deployment

Organizations can deploy WARP automatically to their fleet of devices in a single operation. The WARP client is compatible with the vast majority of managed deployment workflows, including mobility management solutions such as Intune or JAMF, or by executing an .msi file on desktop machines.

Parameters

Each client supports the following set of parameters as part of their deployment, regardless of the deployment mechanism.

Hexnode

This will push the app along with the configurations to the selected devices.

Partners

Cloudflare Zero Trust integrates with Cloudflare Technology Partner tools to help you deploy the WARP client to bigger fleets of devices. Thanks to these collaborations, you can distribute the WARP client application to end-user devices and remotely set up advanced configurations in real time.

Intune

Download the Cloudflare_WARP_<VERSION>.msi installer.

Jamf

Learn how to deploy Cloudflare WARP using Jamf.

JumpCloud

Learn how to deploy Cloudflare WARP using JumpCloud.

Kandji

Kandji deploys Cloudflare WARP as a custom app. For an overview of how Kandji deploys custom apps, refer to their knowledge base article.

Switch between Zero Trust organizations

In Cloudflare WARP, users can switch between multiple Zero Trust organizations (or other MDM parameters) that administrators specify in an MDM file. Common use cases include:

Connect WARP before Windows login

With Cloudflare Zero Trust, you can use an on-premise Active Directory (or similar) server to validate a remote user’s Windows login credentials. Before the user enters their Windows login information for the first time, the WARP client establishes a connection using a service token. This initial connection is not associated with a user identity. Once the user completes the Windows login, WARP switches to an identity-based session and applies the user registration to all future logins.

WARP with legacy VPN

The Cloudflare WARP client can run alongside most legacy third-party VPNs. Because the WARP client and third-party VPN client both enforce firewall, routing, and DNS rules on your local device, the two products will compete with each other for control over IP and DNS traffic. To ensure compatibility, make sure that:

Migrate 1.1.1.1 app

Users can connect to Cloudflare Zero Trust services through an agent that runs on their device. Cloudflare previously bundled that functionality into the WARP client, an application that also provides privacy-focused DNS and VPN services for consumers (known as 1.1.1.1 w/ WARP). Supporting both enterprise and consumer functionality in the same application allowed us to build Zero Trust upon the same foundation used by millions of consumers across the globe, but has limited the pace at which changes could be released. As a result, we are launching a dedicated Cloudflare One Agent that replaces the WARP client for Zero Trust deployments.

Download WARP

You can download the WARP client from Zero Trust. To do that, go to Settings > Downloads and scroll down to Download the WARP client.

Update WARP

This guide covers best practices for updating the WARP client.

WARP

The Cloudflare WARP client allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s global network, where Cloudflare Gateway can apply advanced web filtering. The WARP client also makes it possible to apply advanced Zero Trust policies that check for a device’s health before it connects to corporate applications.

Remove WARP

The following procedures will uninstall the WARP client from your device. If you used the WARP client to deploy a root certificate, the certificate will also be removed.

First-time setup

This is a high-level, step-by-step walkthrough on how to get started with WARP in your organization. From downloading the client to sending the first queries to Cloudflare’s edge, here is a guide on how to do it for the first time.

Client errors

This page lists the error codes that can appear in the WARP client GUI. If you do not see your error below, refer to common issues or contact Cloudflare Support.

Common issues

This section covers the most common issues you might encounter as you deploy the WARP client in your organization, or turn on new features that interact with the client. If you do not see your issue listed below, refer to the troubleshooting FAQ or contact Cloudflare Support.

Known limitations

Below, you will find information on devices, software, and configurations that are incompatible with Cloudflare WARP.

Debug logs

The WARP client provides diagnostic logs that you can use to troubleshoot connectivity issues on a device.

User-side certificates

Advanced security features such as HTTPS traffic inspection, Data Loss Prevention, anti-virus scanning, and Browser Isolation require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.

Run as a service

You can install cloudflared as a system service on Linux and Windows, and as a launch agent on macOS. In most cases, we recommend running cloudflared as a service. Running as a service helps ensure the availability of cloudflared to your origin by allowing the program to start at boot and continue running while your origin is online.

Linux

You can install cloudflared as a system service on Linux.

macOS

You can install cloudflared as a system service on macOS.

Windows

You can install cloudflared as a system service on Windows.

Configuration file

The tunnel configuration file allows you to have fine-grained control over how an instance of cloudflared will operate. In your configuration file, you can specify top-level properties for your cloudflared instance as well as configure origin-specific properties. For a full list of configuration options, type cloudflared tunnel help in your terminal.

Locally-managed tunnel

If you set up your tunnel through the CLI, the tunnel runs as an instance of cloudflared on your machine. You can configure cloudflared properties by modifying command line parameters or by editing the tunnel configuration file.

Tunnel permissions

Tunnel permissions determine who can run and manage a Cloudflare Tunnel. Two files control permissions for a locally-managed tunnel:

Useful commands

This page lists the most commonly used commands for managing local tunnels.

Origin configuration

Origin configuration parameters determine how cloudflared proxies traffic to your origin server. You can configure these settings in the dashboard for remotely-managed tunnels, or add them to your configuration file for locally-managed tunnels.

Remotely-managed tunnel

If you created a Cloudflare Tunnel from the dashboard, the tunnel runs as a service on your OS.

Tunnel run parameters

This page lists general-purpose configuration options for a Cloudflare Tunnel. You can add these flags to the cloudflared tunnel run command for remotely-managed and locally-managed tunnels. These flags can also be added as key/value pairs to your configuration file.

Tunnel availability and failover

Our lightweight and open-source connector, cloudflared, was built to be highly available without any additional configuration requirements. When you run a tunnel, cloudflared establishes four outbound-only connections between the origin server and the Cloudflare network. These four connections are made to four different servers spread across at least two distinct data centers. This model ensures high availability and mitigates the risk of individual connection failures. This means that in the event a single connection, server, or data center goes offline, your resources will remain available.

Ansible

Ansible is a software tool that enables at scale management of infrastructure. Ansible is agentless — all it needs to function is the ability to SSH to the target and Python installed on the target.

AWS

This guide covers how to connect an Amazon Web Services (AWS) virtual machine to Cloudflare using our lightweight connector, cloudflared.

Azure

The purpose of this guide is to walk through some best practices for accessing private resources on Azure by deploying Cloudflare’s lightweight connector, cloudflared.

GCP

This guide covers how to connect a Google Cloud Project (GCP) virtual machine to Cloudflare using our lightweight connector, cloudflared.

Kubernetes

Kubernetes is a container orchestration and management tool. Kubernetes is declarative, so you define the end state in a .yml file. A Kubernetes cluster has two components: the master and the workers. The master is the control plane that the user interacts with to manage the containers. Worker nodes are where the containers are deployed and run. A Kubernetes cluster is connected internally through a private network. Cloudflare Tunnel can be used to expose services running inside the Kubernetes cluster to the public.

Terraform

Learn how to deploy a Cloudflare Tunnel using Terraform and our lightweight server-side daemon, cloudflared.

System requirements

Our connector, cloudflared, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server in a data center.

Tunnel with firewall

You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from cloudflared. Only the services specified in your tunnel configuration will be exposed to the outside world.

Migrate legacy tunnels

Originally, a Cloudflare Tunnel connection corresponded to a DNS record in your account. Requests to that hostname hit Cloudflare’s network first and our edge sends those requests over the tunnel to your origin. However, fitting an outbound-only connection into a reverse proxy creates some ergonomic and stability hurdles. The original Cloudflare Tunnel architecture attempted to both manage DNS records and create connections. When connections became disrupted, Tunnel would recreate the entire deployment. Additionally, Argo Tunnel connections could not be treated like regular origin servers in Cloudflare’s control plane and had to be managed directly from the server-side software.

Quick Tunnels

Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS. TryCloudflare will launch a process that generates a random subdomain on trycloudflare.com. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost.

Downloads

Cloudflare Tunnel requires the installation of a lightweight server-side daemon, cloudflared, to connect your infrastructure to Cloudflare. If you are creating a tunnel through the dashboard, you can simply copy-paste the installation command shown in the dashboard.

Update cloudflared

Updates will cause cloudflared to restart which will impact traffic currently being served. You can perform zero-downtime upgrades by using Cloudflare’s Load Balancer product or by using multiple cloudflared instances.

Get started

To create and manage tunnels, you will need to install and authenticate cloudflared on your origin server. cloudflared is what connects your server to Cloudflare’s global network.

Cloudflare Tunnel

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.

Logs

Tunnel logs record all activity between a cloudflared instance and Cloudflare’s global network, as well as all activity between cloudflared and your origin server. These logs allow you to investigate connectivity or performance issues with a Cloudflare Tunnel. You can configure your server to store persistent logs, or you can stream real-time logs from any client machine.

Metrics

Tunnel metrics show a Cloudflare Tunnel’s throughput and resource usage over time. When you run a tunnel, you can configure cloudflared to spin up a Prometheus metrics endpoint — an HTTP server that exposes metrics in Prometheus format. You can then use the Prometheus toolkit on a remote machine to scrape metrics data from the cloudflared server.

Notifications

Administrators can receive an alert when Cloudflare Tunnels in an account change their health or deployment status. Notifications can be delivered via email, webhook, and third-party services.

Connect private networks

A private network has two primary components: the server and the client. The server’s infrastructure (whether that is a single application, multiple applications, or a network segment) is connected to Cloudflare’s global network by Cloudflare Tunnel. This is done by running the cloudflared daemon on the server.

Load balancing

You can use Cloudflare Local Traffic Management (LTM) to distribute traffic across private endpoints connected via Cloudflare Tunnel. Common use cases include:

Private DNS

By default, the WARP client sends DNS requests to 1.1.1.1, Cloudflare’s public DNS resolver, for resolution. With Cloudflare Tunnel, you can connect an internal DNS resolver to Cloudflare and use it to resolve non-publicly routed domains.

Virtual networks

Virtual networks allow you to connect private networks that have overlapping IP ranges without creating conflicts for users or services. For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be “production” and “staging”. However, if the two private networks happened to receive the same RFC 1918 IP assignment, there may be two different resources with the same IP address. By creating two separate virtual networks, you can deterministically route traffic to duplicative private addresses like 10.128.0.1/32 staging and 10.128.0.1/32 production. These virtual networks will appear as user-selectable options within the WARP client GUI.

Private networks

With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare’s global network. This involves installing a connector on the private network, and then setting up routes which define the IP addresses available in that environment. Unlike public hostname routes, private network routes can expose both HTTP and non-HTTP resources.

Site-to-site connectivity

Cloudflare WARP Connector is a piece of software that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to:

Peer-to-peer connectivity

With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare’s network.

DNS records

When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat <UUID>.cfargotunnel.com as if it were an origin target in the Cloudflare dashboard.

Public hostnames

With Cloudflare Tunnel, you can expose your HTTP resources to the Internet via a public hostname. For example, you can add a route that points docs.example.com to localhost:8080. Anyone can now view your local application by going to docs.example.com in their web browser. Unless you attach an Access policy to that hostname, it is reachable by anyone on the Internet, so treat the route as a public endpoint and add an Access application for anything that should not be.

Load balancing

When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat <UUID>.cfargotunnel.com as if it were a Load Balancing endpoint in the Cloudflare dashboard.

Common errors

This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to the troubleshooting FAQ, view your Tunnel logs, or contact Cloudflare Support.

Private network connectivity

Follow this troubleshooting procedure when end users running Cloudflare WARP have issues connecting to a private network behind Cloudflare Tunnel.

gRPC

gRPC is a Remote Procedure Call (RPC) framework that allows client applications to call methods on a remote server as if they were running on the same local machine. You can connect gRPC servers and clients to Cloudflare’s global network, making it easier to build applications that use services across different data centers and environments.

Use cases

Cloudflare Tunnel creates a secure, outbound-only connection between your services and Cloudflare by deploying a lightweight connector in your environment. Here is how to use tunnels with some specific services:

RDP

The Remote Desktop Protocol (RDP) provides a graphical interface for users to connect to a computer remotely. RDP is most commonly used to facilitate simple remote access to machines or workstations which users cannot physically access. However, this also makes RDP connections the frequent subject of attacks, since a misconfiguration can inadvertently allow unauthorized access to the machine.

SMB

The Server Message Block (SMB) protocol allows users to read, write, and access shared resources on a network. Due to security risks, firewalls and ISPs usually block public connections to an SMB file share. With Cloudflare Tunnel, you can provide secure and simple SMB access to users outside of your network.

SSH

The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.

Connections

Learn how you can connect your applications, devices, and networks to Cloudflare.

Tunnels

Review frequently asked questions about tunnels in Cloudflare Zero Trust.

FAQ

Below you’ll find answers to the most commonly asked questions on Cloudflare Zero Trust, as well as a troubleshooting section to help you solve common issues and errors you may come across.

Identity

Review frequently asked questions about identity and identity providers in Cloudflare Zero Trust.

Devices

Review frequently asked questions about devices in Cloudflare Zero Trust.

General

Review frequently asked questions about Cloudflare Zero Trust.

Policies

Review frequently asked questions about policies in Cloudflare Zero Trust.

Troubleshooting

Review common troubleshooting scenarios for Cloudflare Zero Trust.

Glossary

Review definitions for Cloudflare Zero Trust terms.

Application token

Cloudflare Access includes the application token with all authenticated requests to your origin. A typical JWT looks like this:

CORS

Cross-Origin Resource Sharing (CORS) is a mechanism that uses HTTP headers to grant a web application running on one origin permission to reach selected resources in a different origin. The web application executes a cross-origin HTTP request when it requests a resource that has a different origin from its own, including domain, protocol, or port.

Authorization cookie

When you protect a site with Cloudflare Access, Cloudflare checks every HTTP request bound for that site to ensure that the request has a valid CF_Authorization cookie. If a request does not include the cookie, Access will block the request.

Validate JWTs

When Cloudflare sends a request to your origin, the request will include an application token as a Cf-Access-Jwt-Assertion request header and as a CF_Authorization cookie.
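The Application token, Authorization cookie and Validate JWTs passages above all come down to one check the origin must do itself: verify the RS256 signature on the `Cf-Access-Jwt-Assertion` header (or the `CF_Authorization` cookie) against the public keys Cloudflare publishes for your team, then check the claims. The following is an added example, not Cloudflare's code or a Cloudflare library. So that it runs offline it contains a pure-Python RSA PKCS#1 v1.5 verifier, a toy key generator and a signer that stands in for Cloudflare; in production you would use a maintained JWT library and fetch the JWKS from `https://<team>.cloudflareaccess.com/cdn-cgi/access/certs`. Assumptions are marked in the comments: the JWKS shape (`keys[].kid/kty/n/e`), the issuer form `https://<team>.cloudflareaccess.com`, and that `aud` carries your application's AUD tag.

```python
import base64
import hashlib
import json
import random
import time


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of sha256(msg) for a k-byte modulus, as an int."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; only used by the toy key generator below."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_rsa_key(bits=1024):
    """Toy RSA key {n, e, d}: stands in for Cloudflare's signing key in tests only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def jwks_for_key(key, kid):
    """JWKS in the shape assumed for <team>.cloudflareaccess.com/cdn-cgi/access/certs."""
    n, e = key["n"], key["e"]
    return {"keys": [{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64url_encode(e.to_bytes((e.bit_length() + 7) // 8, "big"))}]}


def sign_jwt_rs256(claims, key, kid):
    """Mint an RS256 JWT as Cloudflare's signer would, so the validator can run offline."""
    enc = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': kid})}.{enc(claims)}"
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), key["d"], key["n"])
    return f"{signing_input}.{b64url_encode(sig.to_bytes(k, 'big'))}"


def validate_access_jwt(token, jwks, team_domain, app_aud, now=None):
    """Verify a Cf-Access-Jwt-Assertion / CF_Authorization token; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":   # never let the token pick 'none' or an HMAC alg
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid: refetch the certs endpoint, reject if still unknown")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s64)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != \
            _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))   # only trusted after the signature check
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://{team_domain}":   # assumed issuer form
        raise ValueError("wrong issuer")
    aud = claims.get("aud")   # assumed: list holding the application's AUD tag
    if app_aud not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token was issued for a different Access application")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("not yet valid")
    return claims


def is_valid_access_jwt(token, jwks, team_domain, app_aud, now=None):
    try:
        validate_access_jwt(token, jwks, team_domain, app_aud, now)
        return True
    except ValueError:
        return False
```

Two points the code makes that the prose does not: the audience check is what stops a token minted for one of your Access applications from being replayed against another, and the `alg` pin plus signature check must come before anything in the payload is read. Cache the JWKS and refetch on an unknown `kid` so key rotation does not lock users out; and keep the origin reachable only through Cloudflare (a tunnel or IP allowlist), because this check only matters for requests that actually traversed Access.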

Access integrations

These device posture checks can only be enforced for Cloudflare Access applications. They cannot be used in Gateway network policies.

Mutual TLS

Mutual TLS (mTLS) authentication ensures that traffic is both secure and trusted in both directions between a client and server. It lets clients that cannot log in through an identity provider (such as IoT devices) prove they are authorized to reach a given resource by presenting a client certificate. Client certificate authentication also serves as a second layer of security for team members who both log in with an identity provider (IdP) and present a valid client certificate.

Tanium

Cloudflare Access can use endpoint data from Tanium™ to determine if a request should be allowed to reach a protected resource. When users attempt to connect to a resource protected by Access with a Tanium rule, Cloudflare Access will validate the user’s identity, and the browser will connect to the Tanium agent before making a decision to grant access.

Device posture

With Cloudflare Zero Trust, you can configure Zero Trust policies that rely on additional signals from the WARP client or from third-party endpoint security providers. When device posture checks are configured, users can only connect to a protected application or network resource if they have a managed or healthy device.

CrowdStrike

Cloudflare Zero Trust can integrate with CrowdStrike to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from CrowdStrike. Devices are identified by their serial numbers.

Service providers

Service-to-service integrations allow the WARP client to get device posture data from a third-party API. To use this feature, you must deploy the WARP client to your devices and enable the desired posture checks.

Kolide

Cloudflare Zero Trust can integrate with Kolide to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Kolide. Devices are identified by their serial numbers.

Microsoft Endpoint Manager

Cloudflare Zero Trust can integrate with Microsoft to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Microsoft. Devices are identified by their serial numbers.

SentinelOne

Cloudflare Zero Trust can integrate with SentinelOne to require that users connect to certain applications from managed devices. Our service-to-service posture check identifies devices based on their serial numbers.

Tanium

Cloudflare Zero Trust can integrate with Tanium to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Tanium. Devices are identified by their serial numbers.

Uptycs

Cloudflare Zero Trust can integrate with Uptycs to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Uptycs. Devices are identified by their serial numbers.

Workspace ONE

Cloudflare Zero Trust can integrate with Workspace ONE to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Workspace ONE. Devices are identified by their serial numbers.

Application check

The Application Check device posture attribute checks that a specific application process is running on a device. You can create multiple application checks for each operating system you need to run it on, or if you need to check for multiple applications.

Carbon Black

Cloudflare Zero Trust can check if Carbon Black is running on a device to determine if a request should be allowed to reach a protected resource.

Client certificate

The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.

Device serial numbers

Cloudflare Zero Trust allows you to build Zero Trust rules based on device serial numbers. You can create these rules so that access to applications is granted only to users connecting from company devices.

Device UUID

Cloudflare Zero Trust allows you to build Zero Trust rules based on device UUIDs supplied in an MDM file. You can create these rules so that access to applications is granted only to users connecting from company devices.

Disk encryption

The Disk Encryption device posture attribute ensures that disks are encrypted on a device.

Domain joined

The Domain Joined device posture attribute ensures that a user is a member of a specific Windows Active Directory domain.

File check

The File Check device posture attribute checks for the presence of a file on a device. You can create multiple file checks for each operating system you need to run it on, or if you need to check for multiple files.

Firewall

The Firewall device posture attribute ensures that a firewall is running on a device.

WARP client checks

These device posture checks are performed by the Cloudflare WARP client. To use this feature, you must deploy the WARP client to your devices and enable the desired posture checks.

OS version

The OS Version device posture attribute checks whether the version of a device’s operating system matches, is greater than, or is less than the configured value.

Require Gateway

With Require Gateway, you can allow access to your applications only to devices enrolled in your organization’s instance of Gateway. Unlike Require WARP, which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization’s Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees.

Require WARP

Cloudflare Zero Trust enables you to restrict access to your applications to devices running the Cloudflare WARP client. This allows you to flexibly ensure that a user’s traffic is secure and encrypted before allowing access to a resource protected behind Cloudflare Zero Trust.

SentinelOne

Cloudflare Zero Trust can check if SentinelOne is running on a device to determine if a request should be allowed to reach a protected resource.

Active Directory® (SAML)

Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory integrates with Cloudflare Access using Security Assertion Markup Language (SAML).

AWS IAM (SAML)

AWS IAM Identity Center provides SSO identity management for users who interact with AWS resources (such as EC2 instances or S3 buckets). You can integrate AWS IAM with Cloudflare Zero Trust as a SAML identity provider, which allows users to authenticate to Zero Trust using their AWS credentials.

Amazon Cognito

Amazon Cognito provides SSO identity management for end users of web and mobile apps. You can integrate Amazon Cognito as an OIDC identity provider for Cloudflare Zero Trust.

Azure AD®

You can integrate Microsoft Azure AD® (Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Azure AD credentials.

Centrify (SAML)

Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the #1 cause of breaches – privileged access abuse.

Centrify

Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the number one cause of breaches: privileged access abuse.

Citrix ADC (SAML)

Cloudflare Zero Trust can integrate with Citrix ADC (formerly Citrix NetScaler ADC) as a SAML IdP. Documentation from Citrix shows you how to configure Citrix ADC as a SAML IdP. These steps are specific to Cloudflare Zero Trust.

Facebook

Use these steps to set up Facebook as your identity provider.

Generic OIDC

Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access.

Generic SAML 2.0

Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID Connect if it is OIDC-based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list.

GitHub

Cloudflare Zero Trust allows your team to connect to your applications using their GitHub login. Administrators can build rules for specific individuals or using GitHub organizations. You do not need to have a GitHub organization to use the integration.

Google

You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration allows any user with a Google account to log in (if the Access policy allows them to reach the resource). Unlike the instructions for Google Workspace, the steps below will not allow you to pull group membership information from a Google Workspace account.

Google Workspace

You can integrate a Google Workspace (formerly G Suite) account with Cloudflare Access. Unlike the instructions for generic Google authentication, the steps below will allow you to pull group membership information from your Google Workspace account.

SSO integration

Cloudflare Zero Trust allows you to integrate your organization’s identity providers (IdPs) with Cloudflare Access. Your team can simultaneously use multiple providers, reducing friction when working with partners or contractors.

Jumpcloud (SAML)

JumpCloud provides Directory-as-a-Service® to securely connect user identities to systems, apps, files, and networks. Cloudflare Access integrates with JumpCloud using the SAML protocol. This documentation from JumpCloud can help you configure applications within your JumpCloud deployment.

Keycloak (SAML)

Keycloak is an open source identity and access management solution built by JBoss. If you need a Keycloak lab environment for testing, refer to this example.

LinkedIn

Cloudflare Access allows your users to use LinkedIn as their identity provider (IdP).

Okta (SAML)

Cloudflare Zero Trust can integrate SAML with Okta as an identity provider.

Okta

Okta provides cloud software that helps companies manage and secure user authentication to modern applications, and helps developers build identity controls into applications, websites, web services, and devices. You can integrate Okta with Cloudflare Zero Trust and build rules based on user identity and group membership. Cloudflare Zero Trust supports Okta integrations using either the OIDC (default) or SAML protocol.

OneLogin

OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an OIDC identity provider.

OneLogin (SAML)

OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as a SAML identity provider.

PingFederate®

The PingFederate® offering from PingIdentity provides SSO identity management. Cloudflare Access supports PingFederate as a SAML identity provider.

PingOne®

The PingOne® cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as an OIDC identity provider.

PingOne® (SAML)

The PingOne® cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as a SAML identity provider.

Signed AuthN requests (SAML)

In a SAML request flow, Cloudflare Access functions as the service provider (SP) to the identity provider (IdP). Cloudflare Access sends a SAML AuthN request to your IdP; when signed requests are enabled, the IdP can verify that the request came from Access rather than from a forged SP. In the other direction, the signing certificate that you upload from your SAML provider is what Access uses to verify the IdP’s response.

Yandex

Yandex is a web search engine that also offers identity provider (IdP) services.

Identity

Cloudflare Zero Trust integrates with your organization’s identity provider to apply Zero Trust and Secure Web Gateway policies. If you work with partners, contractors, or other organizations, you can integrate multiple identity providers simultaneously.

One-time PIN login

Cloudflare Access can send a one-time PIN (OTP) to approved email addresses as an alternative to integrating an identity provider. You can simultaneously configure OTP login and the identity provider of your choice to allow users to select their own authentication method.

Service tokens

You can provide automated systems with service tokens to authenticate against your Zero Trust policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access.

Access groups

An Access group is a set of rules that can be configured once and then quickly applied across many Access applications. You can assign an Access group to any Access policy, and all the criteria from the selected group will apply to that application.

SCIM provisioning

System for Cross-domain Identity Management (SCIM) is an open standard protocol that allows identity providers to synchronize user identity information with cloud applications and services. After configuring SCIM, user identities that you create, edit, or delete in the identity provider are automatically updated across all supported applications. This makes it easier for IT admins to onboard new users, update their groups and permissions, and revoke access in the event of an employee termination or security breach.

Seat management

Cloudflare Zero Trust subscriptions consist of seats that active users in your account consume. Active users are added to Zero Trust through any authentication event.

Session management

A user session determines how long a user can access an Access application without re-authenticating.

Short-lived certificates

Cloudflare Access can replace traditional SSH key models with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate a keypair and commit their public key into an infrastructure management tool, like Salt, or otherwise upload it to an administrator. These keys can remain unchanged for months or years.

Overview

Cloudflare Zero Trust replaces legacy security perimeters with our global network, making the Internet faster and safer for teams around the world. Refer to our reference architecture to learn how to evolve your network and security architecture to our SASE platform.

Shadow IT Discovery

The Shadow IT Discovery page provides visibility into the SaaS applications and private network origins your end users are visiting. This information allows you to create identity and device-driven Zero Trust policies to secure your users and data.

Gateway analytics

To see the top Allowed and Blocked requests across all of your DNS locations, go to Analytics > Gateway. You can filter the data by selecting a specific location and/or time.

Analytics

The Analytics section of Zero Trust provides a summary of your Access application and Gateway DNS traffic.

Fleet status

With DEX, you can monitor your users’ devices and connection status.

Digital Experience Monitoring

Digital Experience Monitoring provides visibility into device, network, and application performance across your Zero Trust organization. This information enables you to understand the state of your WARP client deployment and quickly resolve issues impacting end-user productivity.

Notifications

Administrators can receive alerts when Cloudflare detects connectivity issues with the WARP client or degraded application performance. Notifications can be delivered via email, webhook, and third-party services.

HTTP test

An HTTP test sends a GET request from an end-user device to a specific web application. You can use the response metrics to troubleshoot connectivity issues. For example, you can check whether the application is inaccessible for all users in your organization, or only certain ones.

Tests

With Digital Experience Monitoring (DEX), you can test if your devices can connect to a private or public endpoint through the WARP client. This tool allows you to monitor availability for a given application and investigate performance issues reported by your end users. DEX tests will only run when the WARP client is turned on, whereas fleet status metrics are always available.

Traceroute test

A traceroute test measures the network path of an IP packet from an end-user device to a server. You can use the test results to troubleshoot network issues. For example, increased latency may indicate a problem with connectivity along the network path.

View test results

You can use the results of a DEX test to monitor availability and performance for a specific application.

Insights

Cloudflare Zero Trust gives you comprehensive and in-depth visibility into your network. Whether you need data on network usage, on security threats blocked by Cloudflare Zero Trust, or on how many users have logged in to your applications this month, Zero Trust provides you with the right tools for the job.

Access audit logs

Use Access audit logs to review authentication events and HTTP requests to protected URI paths.

Gateway activity logs

Gateway activity logs show the individual DNS queries, network packets, and HTTP requests inspected by Gateway. You can also download encrypted SSH command logs for sessions proxied by Gateway.

Manage PII

Cloudflare Gateway gives you multiple ways to safely handle your employees’ personally identifiable information (PII). You can choose to exclude PII from activity logging, or you can choose to redact PII from everyone except for designated administrators.

Logs

Review detailed logs for your Zero Trust organization.

Logpush integration

With Cloudflare’s Logpush service, you can configure the automatic export of Zero Trust logs to third-party storage destinations or to security information and event management (SIEM) tools. Once exported, your team can analyze and audit the data as needed.

RData

Cloudflare Gateway logs DNS query information in RData, a Base64-encoded binary format. The following resource record fields are available for each query:
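An added example, not Cloudflare code: a decoder that turns the Base64 RData from a Gateway DNS log entry back into a readable answer, using the record type logged alongside it. It handles the common types (A, AAAA, CNAME/NS/PTR, MX, TXT, SRV), falls back to hex for anything else, and recognises the 0.0.0.0 / :: answer Gateway returns for a domain blocked at the DNS level (see the Block page section). The sample answers are constructed here, not taken from real logs; the field name the log uses for the record type is not shown on this page and is left as a parameter.

```python
import base64
import ipaddress
import struct


def _read_name(buf, pos=0):
    """Decode an uncompressed DNS name (RFC 1035 labels) at pos; return (name, next_pos)."""
    labels = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        length = buf[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:   # a compression pointer has nothing to point at in standalone RDATA
            raise ValueError("compression pointer in standalone RDATA")
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos


def decode_rdata(rtype, rdata_b64):
    """Turn a Base64 RDATA blob into a readable value for the given record type name."""
    raw = base64.b64decode(rdata_b64)
    if rtype == "A":
        if len(raw) != 4:
            raise ValueError("A record RDATA must be 4 bytes")
        return str(ipaddress.IPv4Address(raw))
    if rtype == "AAAA":
        if len(raw) != 16:
            raise ValueError("AAAA record RDATA must be 16 bytes")
        return str(ipaddress.IPv6Address(raw))
    if rtype in ("CNAME", "NS", "PTR"):
        return _read_name(raw)[0]
    if rtype == "MX":
        preference = struct.unpack("!H", raw[:2])[0]
        return f"{preference} {_read_name(raw, 2)[0]}"
    if rtype == "SRV":
        priority, weight, port = struct.unpack("!HHH", raw[:6])
        return f"{priority} {weight} {port} {_read_name(raw, 6)[0]}"
    if rtype == "TXT":   # sequence of <length><bytes> character-strings
        strings, pos = [], 0
        while pos < len(raw):
            n = raw[pos]
            strings.append(raw[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
            pos += 1 + n
        return strings
    return raw.hex()   # unknown type: leave as hex for manual inspection


def is_gateway_block_answer(rtype, rdata_b64):
    """True if the answer is the 0.0.0.0 / :: sentinel Gateway returns for a DNS-blocked domain."""
    value = decode_rdata(rtype, rdata_b64)
    return (rtype == "A" and value == "0.0.0.0") or (rtype == "AAAA" and value == "::")


# Constructed sample answers (record type, Base64 RData); encoded here so the demo runs offline.
SAMPLE_ANSWERS = [
    ("A", base64.b64encode(bytes([93, 184, 216, 34])).decode()),
    ("AAAA", base64.b64encode(ipaddress.IPv6Address("2606:4700::6810:84e5").packed).decode()),
    ("CNAME", base64.b64encode(b"\x03www\x07example\x03com\x00").decode()),
    ("MX", base64.b64encode(b"\x00\x0a\x04mail\x07example\x03com\x00").decode()),
    ("TXT", base64.b64encode(b"\x0bv=spf1 -all").decode()),
    ("A", base64.b64encode(b"\x00\x00\x00\x00").decode()),    # Gateway block sentinel
]

if __name__ == "__main__":
    for rtype, rdata in SAMPLE_ANSWERS:
        print(rtype, decode_rdata(rtype, rdata), "BLOCKED" if is_gateway_block_answer(rtype, rdata) else "")
```

Running the decoder over exported logs is the quickest way to separate "resolver said the name does not exist" from "Gateway blocked it", since a blocked query still logs an A/AAAA answer, just one pointing at 0.0.0.0 or ::.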

Posture logs

Posture logs show the device posture check results reported by the WARP client.

Tunnel audit logs

Audit logs for Tunnel are available in the account section of the Cloudflare dashboard which you can find by selecting your name or email in the upper right-hand corner of the dashboard. The following actions are logged:

User logs

User logs show a list of all users who have authenticated to Cloudflare Zero Trust. For each user who has logged in, you can view their enrolled devices, login history, seat usage, and identity used for policy enforcement.

Risk score

Zero Trust risk scoring detects user activity and behaviors that could introduce risk to your organization’s systems and data. Risk scores add user and entity behavior analytics (UEBA) to the Zero Trust platform.

Application paths

Application paths define the URLs protected by an Access policy. When adding a self-hosted web application to Access, you can choose to protect the entire website by entering its apex domain, or alternatively, protect specific subdomains and paths.

External Evaluation rules

With Cloudflare Access, you can create Allow or Block policies which evaluate the user based on custom criteria. This is done by adding an External Evaluation rule to your policy. The External Evaluation selector requires two values:

Access

Cloudflare Access determines who can reach your application by applying the Access policies you configure.

Isolate self-hosted application

With Access policies, you can require users to open self-hosted applications in a secure remote browser. Because the remote browser is directly integrated into our Secure Web Gateway platform, HTTP policies can be applied to isolated applications without needing to install the WARP client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data.

Enforce MFA

With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hardware key.

Manage Access policies

Access policies are properties of applications. When setting up an Access application, you will be prompted to create at least one policy for the application. You can go back and create, edit, or delete policies at any time.

Require Purpose Justification

Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for who is accessing their resources, but also for why they are requesting access.

Temporary authentication

With Cloudflare Access, you can require that users obtain approval before they can access a specific application. The administrator will receive an email notification to approve or deny the request. Unlike a typical Allow policy, the user will have to request access at the end of each session. This allows you to define the users who should have persistent access and those who must request temporary access.

Accessibility

Browser Isolation has a built-in screen reader which enables people with visual impairments to browse isolated pages.

Extensions

Browser Isolation supports running native Chromium Web Extensions in the remote browser.

Browser Isolation

Cloudflare Browser Isolation complements the Secure Web Gateway and Zero Trust Network Access solutions by executing active webpage content in a secure isolated browser. Executing active content remotely from the endpoint protects users from zero-day attacks and malware. In addition to protecting endpoints, Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway HTTP and DNS policies.

Isolation policies

With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content.

Known limitations

Below, you will find information regarding the current limitations for Browser Isolation.

Browser Isolation with firewall

If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow Browser Isolation to connect.

Clientless Web Isolation

Clientless Web Isolation allows users to securely browse high risk or sensitive websites in a remote browser without having to install the Cloudflare WARP client on their device.

Set up Browser Isolation

Browser Isolation is enabled through Secure Web Gateway HTTP policies. By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies.

Non-identity on-ramps

With Cloudflare Zero Trust, you can isolate HTTP traffic from on-ramps such as proxy endpoints or Magic WAN. Since these on-ramps do not require users to log in to Cloudflare WARP, identity-based policies are not supported.

DLP datasets

Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in a custom dataset. Sensitive data can be hashed before reaching Cloudflare and redacted from matches in payload logs.

Common policies

The following in-line DLP policies are commonly used to secure data in uploaded and downloaded files.

Scan HTTP traffic

You can scan HTTP traffic for sensitive data through Secure Web Gateway policies. To perform DLP filtering, first configure a DLP profile with the data patterns you want to detect, and then build a Gateway HTTP policy to allow or block the sensitive data from leaving your organization. Gateway will parse and scan your HTTP traffic for strings matching the keywords or regular expressions (regexes) specified in the DLP profile.

Log the payload of matched rules

Data Loss Prevention allows you to log the data that triggered a specific DLP policy. This data is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP rules. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 20 bytes of additional context on both sides of the match.

Profile settings

This page lists the advanced settings available when configuring a predefined or custom DLP profile.

Configure a DLP profile

A DLP profile is a collection of regular expressions (also known as detection entries) that define the data patterns you want to detect. Cloudflare DLP provides predefined profiles for common detections, or you can build custom DLP profiles specific to your data, organization, and risk tolerance.
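The flow described under Scan HTTP traffic, Log the payload of matched rules and Configure a DLP profile, written out as an added Python example. This is not Cloudflare's code: the profile name, the two detection entries and their regexes, the Luhn check standing in for a profile's "built-in validation check", the `[REDACTED:...]` marker and the request body are all constructed here, and the public-key encryption of the stored match is not modelled. What it shows is the shape of a payload-log record the page describes: the match replaced by a redacted marker with 20 bytes of context kept on each side, and a policy decision taken on the findings.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Per the page, a payload log keeps a redacted match plus 20 bytes of context on each side.
CONTEXT_BYTES = 20


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: the kind of built-in validation a predefined profile can
    apply so a 16-digit string is only reported if it is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DetectionEntry:
    name: str
    regex: re.Pattern                                 # a detection entry is a regex
    validate: Optional[Callable[[str], bool]] = None  # optional post-match check


@dataclass
class DLPProfile:
    name: str
    entries: List[DetectionEntry]


@dataclass
class Finding:
    entry: str
    redacted: bytes   # what the log stores in place of the sensitive value
    before: bytes     # up to CONTEXT_BYTES of preceding context
    after: bytes      # up to CONTEXT_BYTES of following context


def scan(profile: DLPProfile, body: bytes) -> List[Finding]:
    """Scan an HTTP body against every entry in the profile and return the
    redacted, context-bearing records a payload log would hold."""
    findings = []
    for entry in profile.entries:
        for m in entry.regex.finditer(body):
            if entry.validate is not None:
                digits = re.sub(rb"\D", b"", m.group(0)).decode("ascii")
                if not entry.validate(digits):
                    continue  # regex hit but validation failed: not reported
            start, end = m.span()
            findings.append(Finding(
                entry=entry.name,
                redacted=b"[REDACTED:" + entry.name.encode("ascii") + b"]",
                before=body[max(0, start - CONTEXT_BYTES):start],
                after=body[end:end + CONTEXT_BYTES],
            ))
    return findings


def policy_action(findings: List[Finding]) -> str:
    """A Gateway HTTP policy built on the profile: block the request if anything matched."""
    return "block" if findings else "allow"


# Constructed profile (hypothetical names and patterns, not Cloudflare's predefined ones).
SAMPLE_PROFILE = DLPProfile("Constructed secrets profile", [
    DetectionEntry("credit_card",
                   re.compile(rb"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
                   validate=luhn_valid),
    DetectionEntry("aws_access_key_id", re.compile(rb"AKIA[0-9A-Z]{16}")),
])

# Constructed request body; the second card number fails Luhn and must not be reported.
SAMPLE_BODY = (
    b'{"card":"4111 1111 1111 1111","bad":"4111 1111 1111 1112",'
    b'"key":"AKIAIOSFODNN7EXAMPLE"}'
)

if __name__ == "__main__":
    found = scan(SAMPLE_PROFILE, SAMPLE_BODY)
    for f in found:
        print(f.entry, f.before, f.redacted, f.after)
    print(policy_action(found))
```

The validation hook is what keeps regex-only profiles from flooding logs with false positives: the `"bad"` value above is card-shaped but fails the checksum, so it never reaches the log or the block decision.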

Integration profiles

Cloudflare DLP integration profiles enable data loss prevention support for third-party data classification providers. Data classification information is retrieved from the third-party platform and populated into a DLP Profile. You can then enable detection entries in the profile and create a DLP policy to allow or block matching data.

Predefined profiles

Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure advanced settings for predefined profiles.

Data Loss Prevention

Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.

Applications and app types

Gateway allows you to create DNS, Network, and HTTP policies based on applications and app types. You can select individual applications or groups of app types to filter specific traffic on your network.

Block page

Gateway responds to any domain blocked at the DNS level with 0.0.0.0 for IPv4 queries or :: for IPv6 queries, and does not return that blocked domain’s IP address. As a result, the browser will show its default error page, and users will not be able to reach that website. This may cause confusion and lead some users to think that their Internet connection is not working.

Common policies

The following policies are commonly used to secure DNS traffic.

DNS policies

When a user makes a DNS request to Gateway, Gateway matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Override policy, the user’s client receives the DNS resolution and initiates an HTTP connection.

Scheduled DNS policies

Cloudflare Gateway allows you to configure any DNS policy to activate or deactivate on a regular time interval.
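The matching behaviour described under Block page, DNS policies and Scheduled DNS policies, modelled as an added Python example. This is a constructed model, not Gateway's evaluator: the category table standing in for Cloudflare Radar, the upstream answers standing in for 1.1.1.1, the policy names, domains and IPs are all hypothetical. It shows the three outcomes the page describes: an Override match hands the client a resolution, a Block match on the domain's category returns the 0.0.0.0 / :: sentinel, and a scheduled Block policy stops applying outside its window.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Per the page, a domain blocked at the DNS level is answered with these sentinels,
# so the browser shows its default error page rather than the real site.
BLOCK_ANSWER = {"A": "0.0.0.0", "AAAA": "::"}

# Constructed stand-in for Cloudflare Radar's domain categorization.
CATEGORY_DB: Dict[str, Set[str]] = {
    "casino.example": {"Gambling"},
    "malware.example": {"Security Risks", "Malware"},
    "wiki.corp.example": {"Business"},
}

# Constructed stand-in for the upstream resolver (1.1.1.1 in a real deployment).
UPSTREAM: Dict[str, Dict[str, str]] = {
    "casino.example": {"A": "203.0.113.10", "AAAA": "2001:db8::10"},
    "malware.example": {"A": "203.0.113.20", "AAAA": "2001:db8::20"},
    "wiki.corp.example": {"A": "203.0.113.30", "AAAA": "2001:db8::30"},
}


def categorize(domain: str) -> Set[str]:
    """Categories for a domain, inherited from the closest categorized parent."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cats = CATEGORY_DB.get(".".join(labels[i:]))
        if cats:
            return set(cats)
    return set()


@dataclass
class Schedule:
    """Weekly activation window for a scheduled DNS policy."""
    weekdays: Set[int]   # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def is_active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass
class DNSPolicy:
    name: str
    action: str                                     # "block" or "override"
    categories: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)
    override_ip: Dict[str, str] = field(default_factory=dict)  # answer per query type
    schedule: Optional[Schedule] = None

    def matches(self, domain: str, now: datetime) -> bool:
        if self.schedule is not None and not self.schedule.is_active(now):
            return False  # outside its window a scheduled policy does nothing
        return domain in self.domains or bool(categorize(domain) & self.categories)


def resolve(domain: str, qtype: str, policies: List[DNSPolicy],
            now: datetime) -> Tuple[Optional[str], str]:
    """Return (matched policy name or None, answer). An Override match hands the
    client a resolution; otherwise a Block match on the domain's categories yields
    the sentinel; otherwise the upstream answer is passed through."""
    matching = [p for p in policies if p.matches(domain, now)]
    for p in matching:
        if p.action == "override":
            return p.name, p.override_ip[qtype]
    for p in matching:
        if p.action == "block":
            return p.name, BLOCK_ANSWER[qtype]
    return None, UPSTREAM.get(domain, {}).get(qtype, "NXDOMAIN")


# Constructed policy set (hypothetical names).
POLICIES = [
    DNSPolicy("Split-horizon intranet", "override", domains={"wiki.corp.example"},
              override_ip={"A": "10.0.0.5", "AAAA": "fd00::5"}),
    DNSPolicy("Block security risks", "block", categories={"Security Risks"}),
    DNSPolicy("Block gambling in working hours", "block", categories={"Gambling"},
              schedule=Schedule({0, 1, 2, 3, 4}, time(9, 0), time(17, 0))),
]

# Constructed timestamps: 2024-01-02 is a Tuesday, 2024-01-06 a Saturday.
TUESDAY_10AM = datetime(2024, 1, 2, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 6, 10, 0)

if __name__ == "__main__":
    for q in [("malware.example", "A"), ("malware.example", "AAAA"),
              ("casino.example", "A"), ("wiki.corp.example", "A")]:
        print(q, resolve(q[0], q[1], POLICIES, TUESDAY_10AM))
    print(("casino.example", "A"), resolve("casino.example", "A", POLICIES, SATURDAY_10AM))
```

Running it shows why the page warns about the block page: the blocked answers are `0.0.0.0` and `::`, which a browser renders as a connection error, while the same gambling query on Saturday falls through to the upstream answer because the scheduled policy is inactive.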

Domain categories

Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by Cloudflare Radar.

Dedicated egress IPs

Dedicated egress IPs are static IP addresses that can be used to allowlist traffic from your organization. These IPs are unique to your account and are not used by any other customers routing traffic through Cloudflare’s network. Each dedicated egress IP consists of an IPv4 address and an IPv6 range that are assigned to a specific Cloudflare data center. At minimum, Cloudflare will provision your account with two dedicated egress IPs corresponding to data centers in two different cities.

Egress policies

When your users connect to the Internet through Cloudflare Gateway, by default their traffic is assigned a source IP address that is shared across all Cloudflare WARP users. Enterprise users can purchase dedicated egress IPs to ensure that egress traffic from your organization is assigned a unique, static IP. These source IPs are dedicated to your account and can be used within allowlists on upstream services.

Global policies

Cloudflare Zero Trust applies a set of global policies to all accounts.

AV scanning

Cloudflare Gateway protects users as they browse the Internet. When users download or upload a file to an origin on the Internet, that file could potentially contain malicious code that may cause their device to perform undesired behavior.

Common policies

The following policies are commonly used to secure HTTP traffic.

HTTP/3

Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires traffic to be proxied over UDP.

HTTP policies

HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and optionally UDP) traffic sent over ports 80 and 443.

Tenant control

With Gateway tenant control, you can allow your users access to corporate SaaS applications while blocking access to personal applications. This helps prevent the loss of sensitive or confidential data from a corporate network.

TLS decryption

Cloudflare Gateway can perform SSL/TLS decryption in order to inspect HTTPS traffic for malware and other security risks. When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a user-side certificate.

WebSocket traffic

Gateway does not inspect or log WebSocket traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as network session information. To filter your WebSocket traffic, create an HTTP policy that matches the 101 (Switching Protocols) HTTP response code.

Identity-based policies

With Cloudflare Zero Trust, you can create Secure Web Gateway policies that filter outbound traffic down to the user identity level. To do that, you can build DNS, HTTP or Network policies using a set of identity-based selectors. These selectors require you to deploy the Zero Trust WARP client in Gateway with WARP mode.

Secure Web Gateway

Cloudflare Gateway, our comprehensive Secure Web Gateway, allows you to set up policies to inspect DNS, Network, HTTP, and Egress traffic.

DNS filtering

Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.

HTTP filtering

Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit.

Get started

This section covers best practices for setting up DNS, HTTP, and network filtering policies.

Network filtering

Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access.

Lists

With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating Gateway policies or Access policies. This allows you to quickly create rules that match and take actions against several items at once.

Common policies

The following policies are commonly used to secure network traffic.

Network policies

With Cloudflare Zero Trust, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare Zero Trust integrates with your identity provider, it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they access that resource from.

Protocol detection

Gateway supports the detection, logging, and filtering of network protocols using packet attributes.

SSH proxy and command logs

Cloudflare Zero Trust supports SSH proxying and command logging using Secure Web Gateway and the WARP client.

Order of enforcement

With Cloudflare Gateway, you can enable and configure any combination of DNS, network, and HTTP policies.

Proxy

You can forward HTTP and network traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, GRE tunnel, or IPsec tunnel.

Resolver policies

By default, Gateway sends DNS requests to 1.1.1.1, Cloudflare’s public DNS resolver, for resolution. Enterprise users can instead create Gateway policies to route DNS queries to custom resolvers.

Policies

A policy is a set of rules that regulate network activity, such as who logs in to your applications or which websites your users can reach.

Roles and permissions

When creating a Cloudflare Zero Trust account, you will be given the Super Administrator role. As a Super Administrator, you can invite members to join your Zero Trust account and assign them different roles. There is no limit to the number of members which can be added to a given account. Any members with the proper permissions will be able to make configuration changes while actively logged into Zero Trust (unless read-only mode is enabled).

Get started

This guide covers the recommended steps to start securing your users and devices with Cloudflare Zero Trust.

Use Azure AD Conditional Access policies in Cloudflare Access

With Azure Active Directory (AD)'s Conditional Access, administrators can enforce policies on applications and users directly in Azure AD. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users.

Isolate Azure AD risky users

Azure Active Directory (AD) calculates a user’s risk level based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Azure AD risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.

Connect through Cloudflare Access using a CLI

Cloudflare’s cloudflared command-line tool allows you to interact with endpoints protected by Cloudflare Access. You can use cloudflared to interact with a protected application’s API.

Access a web application via its private hostname without WARP

With Cloudflare Browser Isolation and resolver policies, users can connect to private web-based applications via their private hostnames without needing to install the WARP client. By the end of this tutorial, users who pass your Gateway DNS and network policies will be able to access your private application at https://<your-team-name>.cloudflareaccess.com/browser/https://internalrecord.com.

Zero Trust GitLab SSH & HTTP

You can use Cloudflare Access to add Zero Trust rules to a self-hosted instance of GitLab. Combined with Cloudflare Tunnel, users can connect through HTTP and SSH and authenticate with your team’s identity provider.

Monitor Cloudflare Tunnel with Grafana

Grafana is a dashboard tool that visualizes data stored in other databases. You can use Grafana to convert your tunnel metrics into actionable insights.

Tutorials

View tutorials for Cloudflare Zero Trust.

Integrate Microsoft MCAS with Cloudflare Zero Trust

Many security teams rely on Microsoft MCAS (Microsoft Cloud App Security), Microsoft’s CASB solution, to identify and block threats on the Internet, as well as allow or block access to cloud applications. This tutorial covers how to integrate MCAS with Cloudflare Zero Trust, and create Gateway HTTP policies to ensure visibility and control over data.

Migrate to Named Tunnels with Load Balancer

Cloudflare Tunnel is available in two deployment modes: “Legacy” Tunnel and “Named” Tunnel. Named Tunnel mode improves maintainability and stability by distinguishing between routing and configuration.

MongoDB SSH

You can build Zero Trust rules to secure connections to MongoDB deployments using Cloudflare Access and Cloudflare Tunnel. Cloudflare Tunnel requires a lightweight daemon, cloudflared, running alongside the deployment and on the client side.

Require U2F with Okta

Many identity providers, like Okta, support multiple multifactor authentication (MFA) options simultaneously. For example, Okta will allow you to log in with your password and a temporary code generated in an app or a U2F hardware key such as a YubiKey.

Use Cloudflare R2 as a Zero Trust log destination

This tutorial covers how to build a Cloudflare R2 bucket to store logs, and how to connect the bucket to the Zero Trust Logpush service to store logs persistently and export them into other tools.

Protect access to Amazon S3 buckets with Cloudflare Zero Trust

This tutorial demonstrates how to secure access to Amazon S3 buckets with Cloudflare Zero Trust so that data in these buckets is not publicly exposed on the Internet. You can combine Cloudflare Access and AWS VPC endpoints. Enterprise users may also use Cloudflare Gateway egress policies with dedicated egress IPs.

Use virtual networks to change user egress IPs

This tutorial gives administrators an easy way to allow their users to change their egress IP address between any of your assigned dedicated egress IP addresses. Your users can choose which egress IP to use by switching virtual networks directly in the WARP client.

Render a VNC client in browser

Cloudflare can render a Virtual Network Computing (VNC) terminal in your browser without any client software or configuration required.
