Network policies
With Cloudflare Zero Trust, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare Zero Trust integrates with your identity provider, it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they access that resource from.
A network policy consists of an Action as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field. You can use And and Or logical operators to evaluate multiple conditions.
If a condition in an expression joins a query attribute (such as Source IP) and a response attribute (such as Resolved IP), then the condition will be evaluated when the response is received.
Like actions in DNS and HTTP policies, actions in network policies define which decision you want to apply to a given set of elements. You can assign one action per policy.
Allow
API value: allow
Available selectors
Traffic
- Access Infrastructure Target
- Access Private App
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Destination Port
- Detected Protocol
- Protocol
- Proxy Endpoint
- Security Risks
- SNI
- SNI Domain
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Source Port
- Virtual Network
Identity
Device Posture
Policies with Allow actions allow network traffic to reach certain IPs or ports. For example, the following configuration allows only users with an email address in the example.com domain to reach a given IP address; both conditions must match because they are joined with And:
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Destination IP | in | 203.0.113.102 | And | Allow |
User Email | in | *@example.com | | |
Audit SSH
API value: audit_ssh
Available selectors
Traffic
- Application
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Source Port
- Virtual Network
Identity
Device Posture
Policies with Audit SSH actions allow administrators to log SSH traffic. Gateway detects SSH traffic over port 22. For example, the following configuration logs SSH commands sent to a given IP address:
Selector | Operator | Value | Action |
---|---|---|---|
Destination IP | in | 203.0.113.83 | Audit SSH |
Gateway only audits SSH traffic over port 22. Non-standard ports, including those specified with the Destination Port selector, are not supported, which is why Destination Port is not among the selectors available for this action.
For more information on SSH logging, refer to Configure SSH proxy and command logs.
Block
API value: block
Available selectors
Traffic
- Access Infrastructure Target
- Access Private App
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Destination Port
- Detected Protocol
- Protocol
- Proxy Endpoint
- Security Risks
- SNI
- SNI Domain
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Source Port
- Virtual Network
Identity
Device Posture
Policies with Block actions block network traffic from reaching certain IPs or ports. For example, the following configuration blocks all traffic directed to port 443:
Selector | Operator | Value | Action |
---|---|---|---|
Destination Port | in | 443 | Block |
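The Allow, Audit SSH and Block tables above are the same three-column rule rendered in the dashboard. The following added example (not Cloudflare's code) composes the equivalent API request body from those (Selector, Operator, Value) rows and checks each selector against the per-action lists on this page before anything is sent, so that an Audit SSH rule using Destination Port is rejected client-side. The expression field names (net.dst.ip, net.dst.port, net.src.ip, net.sni.host), the set syntax and the identity expression string are assumptions to confirm against the Gateway API reference for your account.

```python
"""Added example (not Cloudflare's code): compose a Gateway network policy body
from (Selector, Operator, Value) rows and check the selectors against the
per-action lists on this page before the body is sent to the API."""
import ipaddress
import json

# Traffic selectors this page lists as available for each action (UI names).
_ALLOW_BLOCK = {
    "Access Infrastructure Target", "Access Private App", "Application",
    "Content Categories", "Destination Continent IP Geolocation",
    "Destination Country IP Geolocation", "Destination IP", "Destination Port",
    "Detected Protocol", "Protocol", "Proxy Endpoint", "Security Risks", "SNI",
    "SNI Domain", "Source Continent IP Geolocation",
    "Source Country IP Geolocation", "Source Internal IP", "Source IP",
    "Source Port", "Virtual Network",
}
_AUDIT_SSH = {
    "Application", "Destination Continent IP Geolocation",
    "Destination Country IP Geolocation", "Destination IP",
    "Source Continent IP Geolocation", "Source Country IP Geolocation",
    "Source Internal IP", "Source IP", "Source Port", "Virtual Network",
}
SELECTORS_BY_ACTION = {"allow": _ALLOW_BLOCK, "block": _ALLOW_BLOCK,
                       "audit_ssh": _AUDIT_SSH}

# Assumption: expression field names for these UI selectors. Confirm them
# against the Gateway API reference before relying on them.
FIELD_FOR_SELECTOR = {
    "Destination IP": "net.dst.ip",
    "Destination Port": "net.dst.port",
    "Source IP": "net.src.ip",
    "SNI": "net.sni.host",
}


def _literal(value):
    """Render one value: ports as integers, IPs/CIDRs bare, anything else quoted."""
    if isinstance(value, int):
        return str(value)
    try:
        ipaddress.ip_network(value, strict=False)
        return value
    except ValueError:
        return json.dumps(value)


def traffic_expression(rows):
    """Join (selector, operator, value) rows with 'and', as the Logic column does.
    Assumption: 'in' renders as a space-separated set in braces, 'is' as '=='."""
    clauses = []
    for selector, operator, value in rows:
        field = FIELD_FOR_SELECTOR[selector]
        if operator == "in":
            values = value if isinstance(value, (list, tuple, set)) else [value]
            clauses.append(f"{field} in {{{' '.join(_literal(v) for v in values)}}}")
        elif operator == "is":
            clauses.append(f"{field} == {_literal(value)}")
        else:
            raise ValueError(f"unsupported operator {operator!r}")
    return " and ".join(clauses)


def build_network_policy(name, action, rows, identity=None):
    """Return the JSON body for one network policy, rejecting selectors this
    page lists as unavailable for the chosen action (for example Destination
    Port with Audit SSH, since Gateway only audits SSH on port 22)."""
    if action not in SELECTORS_BY_ACTION:
        raise ValueError(f"unknown action {action!r}")
    for selector, _, _ in rows:
        if selector not in SELECTORS_BY_ACTION[action]:
            raise ValueError(f"{selector!r} is not available for action {action!r}")
    body = {
        "name": name,
        "action": action,        # one action per policy
        "enabled": True,
        "filters": ["l4"],       # network policy, matching the cf_filter=l4 value on this page
        "traffic": traffic_expression(rows),
    }
    if identity:                 # identity expression string (assumed syntax)
        body["identity"] = identity
    return body


if __name__ == "__main__":
    print(json.dumps(build_network_policy(
        "Block 443", "block", [("Destination Port", "in", [443])]), indent=2))
```

Because the validator is driven by the selector lists on this page, keep those sets in step with the dashboard when Cloudflare adds selectors; a stale list only causes a false rejection locally, never an unsafe policy.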
Feature availability
WARP modes | Zero Trust plans |
---|---|
 | Enterprise |
System | Availability | Minimum WARP version |
---|---|---|
Windows | ✅ | 2024.1.159.0 |
macOS | ✅ | 2024.1.160.0 |
Linux | ❌ | |
iOS | ✅ | 1.7 |
Android | ✅ | 1.4 |
ChromeOS | ✅ | 1.4 |
Turn on Display block notification for WARP Client to display notifications for Gateway block events. Blocked users will receive an operating system notification from the WARP client with a custom message you set. If you do not set a custom message, the WARP client will display a default message. Custom messages must be 100 characters or less. WARP will only display one notification per minute.
Upon selecting the notification, WARP will direct your users to the Gateway block page you have configured. Optionally, you can direct users to a custom URL, such as an internal support form.
When you turn on Send policy context, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include:
Policy context fields
Field | Definition | Example |
---|---|---|
User email | Email of the user that made the query. | &cf_user_email=user@example.com |
Site URL | Full URL of the original HTTP request or domain name in DNS query. | &cf_site_uri=https%3A%2F%2Fmalware.testcategory.com%2F |
URL category | Domain categories of the URL to be redirected. | &cf_request_categories=New%20Domains,Newly%20Seen%20Domains |
Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | &cf_referer=https%3A%2F%2Fexample.com%2F |
Rule ID | ID of the Gateway policy that matched the request. | &cf_rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 |
Source IP | Source IP address of the device that matched the policy. | &cf_source_ip=203.0.113.5 |
Device ID | UUID of the device that matched the policy. | &cf_device_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 |
Application names | Name of the application the redirected domain corresponds to, if any. | &cf_application_name=Salesforce |
Filter | The traffic type filter that triggered the block. | &cf_filter=http , &cf_filter=dns , &cf_filter=av , or &cf_filter=l4 |
Account ID | Cloudflare account ID of the associated Zero Trust account. | &cf_account_id=d57c3de47a013c03ca7e237dd3e61d7d |
Query ID | ID of the DNS query for which the redirect took effect. | &cf_query_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 |
Connection ID | ID of the proxy connection for which the redirect took effect. | &cf_connection_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 |
Request ID | ID of the HTTP request for which the redirect took effect. | &cf_request_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 |
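Since the fields above arrive as a query string on your custom URL, the receiving page has to decode them and must treat them as untrusted input: cf_site_uri and cf_referer are chosen by whatever site the user was trying to reach. The following added example (not Cloudflare's code) parses the policy context with the standard library, validates the UUID and cf_filter fields against the table, and renders an HTML-safe summary for an internal support form. The support-form hostname and the sample redirect URL are constructed for the example.

```python
"""Added example (not Cloudflare's code): parse and validate the policy-context
query string Gateway appends when Send policy context redirects a blocked user
to a custom URL, such as an internal support form."""
import html
import uuid
from urllib.parse import parse_qs, urlsplit

KNOWN_FILTERS = {"http", "dns", "av", "l4"}      # cf_filter values listed on this page
UUID_FIELDS = {"cf_rule_id", "cf_device_id", "cf_query_id",
               "cf_connection_id", "cf_request_id"}

# Constructed sample redirect using the example values from the table above.
SAMPLE_REDIRECT = (
    "https://support.example.internal/blocked?lang=en"
    "&cf_user_email=user%40example.com"
    "&cf_site_uri=https%3A%2F%2Fmalware.testcategory.com%2F"
    "&cf_request_categories=New%20Domains,Newly%20Seen%20Domains"
    "&cf_rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1"
    "&cf_source_ip=203.0.113.5"
    "&cf_filter=l4"
)


def parse_policy_context(redirect_url):
    """Return the cf_* fields as a dict. Fields Gateway did not send are simply
    absent (not every field is always included); malformed UUIDs or unknown
    filter types raise ValueError rather than being stored as-is."""
    raw = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    ctx = {}
    for key, values in raw.items():
        if not key.startswith("cf_"):
            continue                      # the form's own parameters, e.g. lang=en
        value = values[-1]                # percent-decoding already done by parse_qs
        if key == "cf_request_categories":
            ctx[key] = [c for c in value.split(",") if c]
        elif key in UUID_FIELDS:
            try:
                ctx[key] = str(uuid.UUID(value))
            except ValueError as exc:
                raise ValueError(f"{key} is not a UUID: {value!r}") from exc
        elif key == "cf_filter":
            if value not in KNOWN_FILTERS:
                raise ValueError(f"unknown cf_filter {value!r}")
            ctx[key] = value
        else:
            ctx[key] = value
    return ctx


def ticket_summary(ctx):
    """One HTML-safe line for the support form. cf_site_uri and cf_referer are
    chosen by the remote site the user was visiting, so every value is escaped
    before it is rendered or stored in a ticket."""
    order = ("cf_user_email", "cf_source_ip", "cf_filter", "cf_site_uri", "cf_rule_id")
    return " ".join(f"{k}={html.escape(ctx[k], quote=True)}" for k in order if k in ctx)


if __name__ == "__main__":
    print(ticket_summary(parse_policy_context(SAMPLE_REDIRECT)))
```

If the form also writes these values into a ticketing system or a log pipeline, apply the same escaping or parameterisation there; the cf_rule_id and cf_device_id values are the ones worth keying on when correlating the block with Gateway logs.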
Ensure that your operating system allows notifications for WARP. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the macOS documentation.
API value: l4_override