Commit cf2adc1

ranbel and abracchi-tw authored
[ZT] add egress ip page (cloudflare#4570)
* add egress ip page (to be expanded upon later)
* reword description
* more rewording
* add ip geolocation info
* edit reason behind disabling QUIC
* edit Google Chrome QUIC description
* update configuration guidelines section
* fix broken links
* fix broken link
* Update content/cloudflare-one/policies/filtering/http-policies/incompatible-traffic.md

Co-authored-by: abracchi-tw <[email protected]>

* Update content/cloudflare-one/policies/filtering/egress-policies.md

Co-authored-by: abracchi-tw <[email protected]>

Co-authored-by: abracchi-tw <[email protected]>
1 parent 887a3c0 commit cf2adc1

5 files changed

+72
-34
lines changed


content/cloudflare-one/faq/teams-policies-faq.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ Bypassing the L7 firewall results in no HTTP traffic inspection, and logging is
2222

2323
## **I see an error when browsing Google-related pages. What is the problem?**
2424

25-
If you have enabled the WARP client and are sending requests through Gateway, you need to [disable the QUIC protocol](/cloudflare-one/policies/filtering/http-policies/configuration-guidelines/#enabling-access-to-Google-services) within Google Chrome. This will prevent you from encountering issues such as users who are able to connect to Google-related sites and services (like YouTube) that are explicitly blocked by a Gateway policy.
25+
If you have enabled the WARP client and are sending requests through Gateway, you need to [disable the QUIC protocol](/cloudflare-one/policies/filtering/http-policies/incompatible-traffic/#disable-quic-in-google-chrome) within Google Chrome. This will prevent you from encountering issues such as users who are able to connect to Google-related sites and services (like YouTube) that are explicitly blocked by a Gateway policy.
2626

2727
Google Chrome uses QUIC to connect to all Google services by default. This means all requests to Google services via the Google Chrome browser use UDP instead of TCP. **At this time, Gateway does not support inspection of QUIC traffic, and requests using QUIC will bypass Gateway HTTP policies**. Gateway does prevent standard HTTP requests from negotiating to using QUIC with the `Alt-Svc` header by removing this header from HTTP requests.
2828
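Review bot: the new anchor `#disable-quic-in-google-chrome` matches the `### Disable QUIC in Google Chrome` heading added in incompatible-traffic.md in this same commit, so the link resolves, and the old `#enabling-access-to-Google-services` anchor goes away with the deleted configuration-guidelines.md. One wording nit in the unchanged context at line 27: `Alt-Svc` is a response header sent by the origin, so "by removing this header from HTTP requests" should read "from HTTP responses" to describe the QUIC downgrade protection accurately.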

content/cloudflare-one/identity/devices/mutual-tls-authentication.md

Lines changed: 1 addition & 1 deletion
@@ -74,7 +74,7 @@ To enforce mTLS authentication from the [Zero Trust dashboard](https://dash.team
7474

7575
{{<Aside type="warning">}}
7676

77-
Cloudflare Gateway cannot inspect traffic to mTLS-protected domains. If a device has the WARP client turned on and passes HTTP requests through Gateway, access will be blocked unless you [bypass HTTP inspection](/cloudflare-one/policies/filtering/http-policies/configuration-guidelines/#enabling-mTLS-authentication) for the domain.
77+
Cloudflare Gateway cannot inspect traffic to mTLS-protected domains. If a device has the WARP client turned on and passes HTTP requests through Gateway, access will be blocked unless you [bypass HTTP inspection](/cloudflare-one/policies/filtering/http-policies/#do-not-inspect) for the domain.
7878
{{</Aside>}}
7979

8080
## Test using cURL
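Review bot: the retarget to `/cloudflare-one/policies/filtering/http-policies/#do-not-inspect` is consistent with line 19 of the new incompatible-traffic.md, which sends mTLS traffic to the same section. Consider linking to the new page's `## Do Not Inspect applications` section instead (or in addition), since that is where the reader learns why Gateway cannot decrypt mTLS traffic, while the `http-policies` anchor only documents the action; and confirm that the `#do-not-inspect` anchor exists verbatim on that page, since mixed-case anchors like the old `#enabling-mTLS-authentication` are easy to get wrong.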
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
---
2+
pcx-content-type: concept
3+
title: Dedicated egress IPs
4+
layout: single
5+
weight: 12
6+
---
7+
8+
# Dedicated egress IPs
9+
10+
{{<Aside type="note">}}
11+
Dedicated egress IPs are only available on Enterprise plans.
12+
{{</Aside>}}
13+
14+
When your users connect to the Internet through Cloudflare Gateway, by default their traffic is assigned a source IP address that is shared across all Cloudflare WARP users. Enterprise customers can purchase dedicated egress IPs to ensure that egress traffic from your organization is assigned a unique, static IP. These source IPs are dedicated to your account and can be used within allowlists on upstream services.
15+
16+
All traffic proxied by Gateway will route via these dedicated egress IPs.
17+
18+
## IP geolocation
19+
20+
Each dedicated egress IP is associated with a Cloudflare data center, and your egress traffic will share the same IP geolocation as the data center. When you purchase a dedicated egress IP, you can request a specific city to egress from. If you have multiple egress IPs, your end users will be automatically routed to the closest one.
21+
22+
It can take anywhere from one week to up to four weeks for websites to recognize the updated IP geolocation. For example, if your users are in India, they would get a U.S. Google landing page instead of the Indian Google landing page until Google picks up the updated IP geolocation.
23+
24+
## TCP/UDP support
25+
26+
At this time, only TCP traffic can be proxied through dedicated egress IPs. UDP traffic will egress from the default shared IP ranges instead of your dedicated IPs.
27+
28+
Google Chrome by default uses the UDP-based QUIC protocol to connect to websites. In order to route traffic from Chrome through your dedicated egress IPs, you must [disable QUIC in Google Chrome](/cloudflare-one/policies/filtering/http-policies/incompatible-traffic/#disable-quic-in-google-chrome). This forces the browser to connect using TCP instead of UDP.
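Review bot: line 16 ("All traffic proxied by Gateway will route via these dedicated egress IPs") contradicts line 26, which says only TCP egresses from the dedicated IPs while UDP uses the shared ranges; qualify line 16 to "All TCP traffic proxied by Gateway ..." so the two sections agree. The split matters for the allowlist use case on line 14: an upstream that allowlists only the dedicated IP will reject UDP-based connections (including QUIC from Chrome until it is disabled, line 28), which presents as an intermittent outage rather than a clear policy error, so state explicitly that upstream allowlists must either tolerate the shared ranges or that UDP/QUIC must be disabled on the client.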

content/cloudflare-one/policies/filtering/http-policies/configuration-guidelines.md

Lines changed: 0 additions & 32 deletions
This file was deleted.
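Review bot: deleting configuration-guidelines.md removes the `#enabling-access-to-Google-services` and `#enabling-mTLS-authentication` anchors that the two edited pages pointed at; both are retargeted in this commit, but it is worth grepping the rest of the content tree for `/http-policies/configuration-guidelines/` and adding a redirect from the old path, since external bookmarks and search results will otherwise 404.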
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
---
2+
pcx-content-type: concept
3+
title: Incompatible traffic
4+
weight: 5
5+
---
6+
7+
# Traffic incompatible with Gateway inspection
8+
9+
The following types of HTTP traffic are incompatible with Gateway inspection.
10+
11+
## Do Not Inspect applications
12+
13+
Gateway does not support TLS decryption for applications which use:
14+
15+
- Embedded certificates
16+
- Self-signed certificates
17+
- Mutual TLS (mTLS) authentication
18+
19+
To allow these types of requests through Gateway, you must add a [*Do Not Inspect*](/cloudflare-one/policies/filtering/http-policies/#do-not-inspect) HTTP policy for these applications and domains.
20+
21+
## HTTP/3 traffic
22+
23+
Gateway does not currently support inspection of HTTP/3 traffic.
24+
25+
### Disable QUIC in Google Chrome
26+
27+
Google Chrome by default enables support for QUIC, which is used to connect to HTTP/3 capable webpages. In order to apply HTTP policies to Google Chrome traffic, you will need to disable QUIC in the browser. This forces the browser to fall back to HTTP/2.
28+
29+
To manually disable QUIC in the Google Chrome browser:
30+
31+
1. In the address bar, type: `chrome://flags#enable-quic`.
32+
2. Set the **Experimental QUIC protocol** flag to `Disabled`.
33+
3. Relaunch Chrome for the setting to take effect.
34+
35+
The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:
36+
37+
- **Data type:** `Boolean [Windows:REG_DWORD]`
38+
- **Windows registry location for Windows clients:** `Software\Policies\Google\Chrome\QuicAllowed`
39+
- **Windows registry location for Google Chrome OS clients:** `Software\Policies\Google\ChromeOS\QuicAllowed`
40+
- **Mac/Linux preference name:** `QuicAllowed`
41+
- **Description:** If this policy is set to true (or not set), usage of QUIC is allowed. If the policy is set to false, usage of QUIC is not allowed.
42+
- **Recommended value:** `Windows: 0x00000000`, `Linux: false`, `Mac: <false />`
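Review bot: the registry paths on lines 38-39 omit the hive; Chrome reads `QuicAllowed` from `HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome` (machine policy) or `HKEY_CURRENT_USER\Software\Policies\Google\Chrome` (user policy), and the page should say which one the GPO should populate. Line 40 has the same gap: a bare preference name is not actionable on Mac/Linux, so name where it is set (a managed JSON file under `/etc/opt/chrome/policies/managed/` on Linux, a managed preference or configuration profile for `com.google.Chrome` on Mac). Related: steps 31-33 via `chrome://flags` are user-reversible, so the page should say that the policy block is the enforceable control and the flag is only for a one-off test. Minor: line 27, "fall back to HTTP/2" depends on what the origin offers; "fall back to TCP-based HTTP/2 or HTTP/1.1" is more accurate.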
