
Commit 013b1bd

Merge branch 'production' into chore/formatting
2 parents 884dba0 + 603e5ff commit 013b1bd

8 files changed

+450
-5
lines changed

src/assets/images/reference-architecture/bot-management/bot-management-ra-diagram.svg

Lines changed: 292 additions & 0 deletions

src/content/changelogs/warp.yaml

Lines changed: 64 additions & 0 deletions
@@ -5,6 +5,70 @@ productLink: "/cloudflare-one/connections/connect-devices/warp/"
55
productArea: Cloudflare One
66
productAreaLink: /cloudflare-one/changelog/
77
entries:
8+
- publish_date: "2024-10-03"
9+
title: WARP client for Linux (version 2024.9.346.0)
10+
description: |-
11+
A new GA release for the Linux WARP client is now available in the [package repository](https://pkg.cloudflareclient.com/). This release contains minor fixes and minor improvements.
12+
13+
Notable updates:
14+
- Added `list targets` to the `warp-cli` to enhance the user experience with the [Access for Infrastructure SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) solution.
15+
- Added the ability to customize PCAP options in the `warp-cli`.
16+
- Added a list of installed applications in `warp-diag`.
17+
- Added a `tunnel reset mtu` subcommand to the `warp-cli`.
18+
- Added the ability for `warp-cli` to use the team name provided in the MDM file for initial registration.
19+
- Added a JSON output option to the `warp-cli`.
20+
- Added the ability to execute a PCAP on multiple interfaces with `warp-cli`.
21+
- Added MASQUE tunnel protocol support for the consumer version of WARP ([1.1.1.1 w/ WARP](/warp-client/)).
22+
- Improved the performance of firewall operations when enforcing split tunnel configuration.
23+
- Fixed an issue where device posture certificate checks were unexpectedly failing.
24+
- Fixed an issue where the Linux GUI fails to open the browser login window when registering a new Zero Trust organization.
25+
- Fixed an issue where clients using service tokens failed to retry after a network change.
26+
- Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.
27+
- Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.
28+
- Deprecated `warp-cli` commands have been removed. If you have any workflows that use the deprecated commands, update to the new commands where necessary.
29+
30+
Known issues:
31+
- Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services is enabled.
32+
33+
- publish_date: "2024-10-03"
34+
title: WARP client for Windows (version 2024.9.346.0)
35+
description: |-
36+
A new GA release for the Windows WARP client is now available in the [App Center](https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release). This release contains minor fixes and improvements.
37+
38+
Notable updates:
39+
- Added `list targets` to the `warp-cli` to enhance the user experience with the [Access for Infrastructure SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) solution.
40+
- Added [pre-login](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin/) configuration details to the `warp-diag` output.
41+
- Added a `tunnel reset mtu` subcommand to the `warp-cli`.
42+
- Added a JSON output option to the `warp-cli`.
43+
- Added the ability for `warp-cli` to use the team name provided in the MDM file for initial registration.
44+
- Added the ability to execute a PCAP on multiple interfaces with `warp-cli` and `warp-dex`.
45+
- Improved `warp-dex` default interface selection for PCAPs and changed `warp-dex` CLI output to JSON.
46+
- Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.
47+
- Added MASQUE tunnel protocol support for the consumer version of WARP ([1.1.1.1 w/ WARP](/warp-client/)).
48+
49+
Known issues:
50+
- Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services is enabled.
51+
52+
- publish_date: "2024-10-03"
53+
title: WARP client for macOS (version 2024.9.346.0)
54+
description: |-
55+
A new GA release for the macOS WARP client is now available in the [App Center](https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-macos-1/distribution_groups/release). This release contains minor fixes and improvements.
56+
57+
All customers running macOS Ventura 13.0 and above (including Sequoia) are advised to upgrade to this release. This release fixes an incompatibility with the firewall found on macOS Sonoma 14.4 and above that could result in the firewall being disabled.
58+
59+
Notable updates:
60+
- Added `list targets` to the `warp-cli` to enhance the user experience with the [Access for Infrastructure SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) solution.
61+
- Added a `tunnel reset mtu` subcommand to the `warp-cli`.
62+
- Added the ability for `warp-cli` to use the team name provided in the MDM file for initial registration.
63+
- Added a JSON output option to the `warp-cli`.
64+
- Added the ability to execute a PCAP on multiple interfaces with `warp-cli` and `warp-dex`.
65+
- Improved `warp-dex` default interface selection for PCAPs and changed `warp-dex` CLI output to JSON.
66+
- Improved [application posture check](/cloudflare-one/identity/devices/warp-client-checks/application-check/) compatibility with symbolically linked files.
67+
- Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.
68+
- Added MASQUE tunnel protocol support for the consumer version of WARP ([1.1.1.1 w/ WARP](/warp-client/)).
69+
70+
Known issues:
71+
- Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services is enabled.
872
- publish_date: "2024-09-26"
973
title: WARP client for macOS (version 2024.8.457.0)
1074
description: |-
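Review bot: the Known issues bullet at new lines 31, 50 and 70 reads "if your organization has Regional Services is enabled", which has a stray "is"; change it to "if your organization has Regional Services enabled" in all three entries. The Linux description at new line 11 says "minor fixes and minor improvements" where the Windows and macOS entries say "minor fixes and improvements". In the Windows and macOS lists the "Added MASQUE tunnel protocol support" item follows a "Fixed" item, while the Linux list keeps all "Added" items together; aligning the order across the three entries would make them easier to compare.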

src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx

Lines changed: 8 additions & 2 deletions
@@ -15,9 +15,15 @@ Match count refers to the number of times that any enabled entry in the profile
1515

1616
## Context analysis
1717

18-
Context analysis restricts DLP detections based on proximity keywords. Additional proximity keywords must be detected within a distance of 1000 bytes (\~1000 characters) from the original detection to trigger an action. For example, the string `123-45-6789` will only count as a detection if in proximity to keywords such as `ssn`.
18+
Context analysis restricts detections based on proximity keywords to prevent false positives. Proximity keywords must be detected within a distance of 1000 bytes (~1000 characters) from the original detection to trigger an context-aware detection. For example, the string `123-45-6789` will only count as a detection if in proximity to keywords such as `ssn`.
1919

20-
Additionally, you can control context analysis for scans within files. When files are excluded from the context filter, DLP only evaluates uploaded and downloaded files based on regular expression and validation checks. Additional keywords within the file are not required.
20+
DLP will apply context analysis to traffic and the content of [supported files](/cloudflare-one/policies/data-loss-prevention/#supported-file-types). Supported detections include the [Financial Information](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles.
21+
22+
### Exclude files from context analysis
23+
24+
You can exclude the content of files from context analysis while still applying context analysis to traffic. For example, if you send an email containing the string `123-45-6789`, DLP will only count a detection if the string is in proximity to keywords such as `ssn`. If you include a file in an email containing the string `123-45-6789`, DLP will match a detection regardless of keywords.
25+
26+
To exclude file content from context analysis, in **Exclude content type**, choose _Files_.
2127

2228
## Optical Character Recognition (OCR) <Badge text="Beta" variant="caution" size="small" />
2329
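Review bot: new line 18 says "to trigger an context-aware detection"; it should be "a context-aware detection". The same line changes `\~1000` to `~1000`, so confirm the unescaped tilde still renders as intended. In the example at new line 24, "If you include a file in an email containing the string `123-45-6789`" is ambiguous about whether the email or the file contains the string, and it does not say that this outcome applies only once files are excluded; something like "With files excluded, if you attach a file that contains the string ..." would remove both doubts.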

src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx

Lines changed: 2 additions & 0 deletions
@@ -40,6 +40,8 @@ DLP supports scanning the following file types:
4040
- PDF
4141
- ZIP files containing the above
4242

43+
DLP will scan the text contained in Microsoft Office and PDF files.
44+
4345
### Size
4446

4547
The maximum file size is 100 MB. Size limitation is assessed against the file after unzipping. ZIP files can be recursively compressed a maximum of 10 times.
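Review bot: the sentence added at new line 43 names only Microsoft Office and PDF files, yet it directly follows a list that ends with "ZIP files containing the above", so a reader cannot tell whether text in Office and PDF files inside a ZIP archive is scanned as well. Say so explicitly, and use the present tense ("DLP scans the text ...") to match "DLP supports scanning" in the surrounding text.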
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
---
2+
title: Bot management
3+
pcx_content_type: reference-architecture-diagram
4+
products:
5+
- Bots
6+
sidebar:
7+
order: 1
8+
label: Bot management
9+
updated: 2024-10-04
10+
---
11+
12+
## Introduction
13+
14+
Cloudflare has bot management capabilities to help identify and mitigate automated traffic to protect domains from bad bots. [Bot Fight Mode](/bots/get-started/free/) and [Super Bot Fight Mode](/bots/get-started/biz-and-ent/) are options available on Free and Pro/Business accounts respectively. They offer a subset of features and capabilities available for Enterprise accounts. This reference architecture diagram focuses on [Enterprise Bot Management](/bots/get-started/bm-subscription/) available for Enterprise customers.
15+
16+
With [Enterprise Bot Management](https://developers.cloudflare.com/bots/get-started/bm-subscription/) customers have the maximum protection, features, and capability. A [bot score](https://developers.cloudflare.com/bots/concepts/bot-score/) is exposed for every request. Cloudflare applies a layered detection approach to Bot Management with several detection engines that cumulatively can impact the bot score. A bot score is a score from 1 to 99 that indicates the likelihood that the request came from a bot. Scores below 30 are commonly associated with bot traffic and customers can then take action on this score with [WAF custom rules](https://developers.cloudflare.com/waf/custom-rules/) or [Workers](https://developers.cloudflare.com/workers/runtime-apis/request/#incomingrequestcfproperties). Additionally, customers can view this score along with other bot specifics like bot score source, bot detection IDs, and bot detection tags in the Bots, Security Analytics, and Events dashboards; these fields can also be seen in more detailed logs in Log Explorer or, with Log Push, logs with these respective fields can be exported to 3rd party SIEMs/Analytics platforms.
17+
18+
## Definitions
19+
20+
- **Bot Score:** A [bot score](/bots/concepts/cloudflare-bot-tags/) is a score from 1 to 99 that indicates how likely that request came from a bot. A score of 1 means Cloudflare is certain the request was automated.
21+
- **Bot Score Source:** Bot Score Source is the detection engine used for the bot score.
22+
- **Bot Detection ID:** [Detection IDs](/bots/concepts/detection-ids/) are static rules used to detect predictable bot behavior with no overlap with human traffic. Detection IDs cause a bot to receive a score source of heuristics with a score of 1.
23+
- **Bot Tag:** [Bot tags](/bots/concepts/cloudflare-bot-tags/) provide more detail about why Cloudflare assigned a [bot score](/bots/concepts/bot-score/) to a request.
24+
- **Verified Bots:** Cloudflare maintains [a list of "Verified" good bots](https://radar.cloudflare.com/traffic/verified-bots) which can be used in policies to insure good bots such as those associated with a search engine are not blocked.
25+
- **AI Bots:** [If the feature is enabled](/bots/concepts/bot/#ai-bots), Cloudflare will detect and block verified AI bots that respect `robots.txt` and crawl rate, and do not hide their behavior from your website. The rule has also been expanded to include more signatures of AI bots that do not follow the rules.
26+
27+
## Cloudflare Bot Management Detection Engines
28+
29+
- **Heuristics:** Cloudflare conducts a number of heuristic checks to identify automated traffic, and requests are matched against a growing database of malicious fingerprints. The [Heuristics engine](/bots/concepts/bot-score/#heuristics) immediately gives automated requests a score of 1.
30+
- **Machine Learning (ML):** The [ML engine](/bots/concepts/bot-score/#machine-learning) accounts for the majority of all detections, human and bot. The ML model leverages Cloudflare's global network, which proxies billions of requests daily, to identify both automated and human traffic. The ML engine produces scores 2 through 99.
31+
- **Anomaly Detection (AD):** The [AD engine](/bots/concepts/bot-score/#anomaly-detection) is an optional detection engine that uses a form of unsupervised learning. Cloudflare records a baseline of a domain's traffic and uses the baseline to intelligently detect outlier requests. Anomaly Detection is user agent-agnostic and can be turned on or off by your account team. Cloudflare does not recommend AD for domains that use [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/) or expect large amounts of API traffic. The AD engine immediately gives automated requests a score of 1.
32+
- **JavaScript Detections (JSD)**: The [JSD engine](/bots/concepts/bot-score/#javascript-detections) identifies headless browsers and other malicious fingerprints. This engine performs a lightweight, invisible JavaScript injection on the client side of any request. The JSD engine either blocks, challenges, or passes requests to other engines. JSD is enabled by default but is completely optional.
33+
34+
## Bot Dashboards, Analytics, and Logs
35+
36+
Cloudflare bot score and bot traffic analysis is available in several locations.
37+
38+
- **Bots dashboard:**
39+
Customers can easily see bot activity up to 30 days back and filter on bot score and other bot, traffic, and request filters. The [bot feedback loop](/bots/concepts/feedback-loop/) allows customers to report back to Cloudflare any false positives or false negatives for further investigation.
40+
- **Security Analytics:**
41+
Security Analytics brings together all of Cloudflare's detection capabilities in one dashboard and provides a broad view of all traffic across the site. The Bots Likelihood graph and widget provide visibility and allow customers to easily view and filter based on bot score and respective categorization of Automated, Likely Automated, Human, and Likely Human.
42+
- **Events:**
43+
Events displays all events the WAF took action on. Events and logs can easily be filtered by bot score and other bot, traffic, or request criteria.
44+
- **Log Explorer:**
45+
Customers can use Log Explorer to pull additional detailed log data. Logs can easily be filtered by bot score and other bot, traffic, or request criteria.
46+
- **Log Push:**
47+
Customers can also export logs to a third party SIEM or Analytics platform. Bot score, bot score source, bot detection IDs, and bot detection tags can all be exported as part of the logs.
48+
49+
## Bot Management Traffic Flow
50+
51+
![Figure 1: How Cloudflare identifies, scores and processes traffic from bots.](~/assets/images/reference-architecture/bot-management/bot-management-ra-diagram.svg "Figure 1: How Cloudflare identifies, scores and processes traffic from bots.")
52+
53+
1. Client request is sent to the closest Cloudflare Data Center via anycast ensuring low latency.
54+
2. Cloudflare applies a layered approach for bot detection; each detection mechanism impacts the bot score assigned by Cloudflare to every request. Every request is assigned a bot score between 1-99 inclusive.
55+
3. Once the client request has been processed by all of Cloudflare's detection engines and assigned a bot score, defined security policies will be executed, some of which may also be leveraging bot score. Various actions can be taken based on the assigned bot score including the block, allow, rate limit, NoCAPTCHA Challenge.
56+
4. Cloudflare provides analytics and insights into traffic and requests traversing the Cloudflare network. Customers can use the Bots, Security Analytics, Events, and Log Explorer dashboards to understand the overall traffic and bots activity across their site. Customers can also export logs to third party SIEM and Analytics Platforms.
57+
58+
# Related Resources
59+
60+
- [Cloudflare Bot Management Product Page](https://www.cloudflare.com/application-services/products/bot-management/)
61+
- [Cloudflare Blog - Bot Management](https://blog.cloudflare.com/tag/bot-management/)
62+
- [Bots documentation](/bots/)
63+
- [Video: Cloudflare Bot Management and Turnstile with Demo](https://youtu.be/6EnekTohO7I?si=tk8FUB0xtk1PxsJV)
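Review bot: the **Bot Score** definition at new line 20 links "bot score" to `/bots/concepts/cloudflare-bot-tags/`, the same target used for Bot tags at line 23, while line 23 itself links bot score to `/bots/concepts/bot-score/`; point line 20 at the bot-score page. Smaller points in the same file: line 24 uses "insure" where "ensure" is meant; line 58 uses a level-one heading (`# Related Resources`) while every other section uses `##`; line 16 uses absolute `https://developers.cloudflare.com/...` links where the rest of the page uses relative paths; line 32 puts the colon outside the bold markers, unlike the other three engine bullets; and line 55 reads "including the block, allow, rate limit, NoCAPTCHA Challenge", which needs the stray "the" removed and an "and" before the last item.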
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
---
2+
title: Bots
3+
pcx_content_type: navigation
4+
sidebar:
5+
order: 2
6+
---
7+
8+
import { DirectoryListing } from "~/components";
9+
10+
<DirectoryListing />

src/content/docs/registrar/get-started/transfer-domain-to-cloudflare.mdx

Lines changed: 4 additions & 0 deletions
@@ -118,6 +118,10 @@ Registrants transferring a `.us` domain will always receive a FOA email.
118118

119119
:::
120120

121+
## Bulk domain transfers
122+
123+
The process for transferring domains in bulk to Cloudflare is the same process as transferring a single domain. Even if you transfer multiple domains in bulk, you will be charged for each domain as bulk billing is not yet available.
124+
121125
## Transfer statuses
122126

123127
You can check the status of your transfer in **Account Home** > **Overview** > **Domain Registration** for your domain. Below, you can find a list of the possible transfer statuses.
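Review bot: the paragraph at new line 123 repeats itself ("The process ... is the same process as") and its second sentence leaves "as bulk billing is not yet available" open to misreading. Consider "Transferring domains in bulk follows the same steps as transferring a single domain. Bulk billing is not yet available, so each domain is charged individually." The new section also sits between the `.us` FOA note and "Transfer statuses"; check that this is the intended position in the page flow.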

src/content/docs/stream/viewing-videos/securing-your-stream.mdx

Lines changed: 7 additions & 3 deletions
@@ -363,11 +363,11 @@ If the first two rules don't match, the final rule of any will match all remaini
363363
By default, Stream embed codes can be used on any domain. If needed, you can limit the domains a video can be embedded on from the Stream dashboard.
364364

365365
In the dashboard, you will see a text box by each video labeled `Enter allowed origin domains separated by commas`. If you click on it, you can list the domains that the Stream embed code should be able to be used on.
366-
367-
* `*.badtortilla.com` covers a.badtortilla.com, a.b.badtortilla.com and does not cover badtortilla.com
366+
`
367+
* `*.badtortilla.com` covers `a.badtortilla.com`, `a.b.badtortilla.com` and does not cover `badtortilla.com`
368368
* `example.com` does not cover [www.example.com](http://www.example.com) or any subdomain of example.com
369369
* `localhost` requires a port if it is not being served over HTTP on port 80 or over HTTPS on port 443
370-
* There's no path support - `example.com` covers example.com/\*
370+
* There is no path support - `example.com` covers `example.com/\*`
371371

372372
You can also control embed limitation programmatically using the Stream API. `uid` in the example below refers to the video id.
373373
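Review bot: new line 366 replaces the blank line before the bullet list with a single stray backtick, which leaves an unbalanced inline-code delimiter directly above the list and removes the blank line that separated the paragraph from the list; restore the empty line. At new line 370, `example.com/\*` is now inside backticks, where the backslash is no longer an escape and will be shown literally; write it as `example.com/*`.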

@@ -377,6 +377,10 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/{video_ui
377377
--data "{\"uid\": \"<VIDEO_UID>\", \"allowedOrigins\": [\"example.com\"]}"
378378
```
379379

380+
### Allowed Origins
381+
382+
The Allowed Origins feature lets you specify which origins are allowed for playback. This feature works even if you are using your own video player. When using your own video player, Allowed Origins restricts which domain the HLS/DASH manifests and the video segments can be requested from.
383+
380384
### Signed URLs
381385

382386
Combining signed URLs with embedding restrictions allows you to strongly control how your videos are viewed. This lets you serve only trusted users while preventing the signed URL from being hosted on an unknown site.
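Review bot: the "### Allowed Origins" section at new lines 380 to 382 is placed after the dashboard instructions, the matching rules and the `allowedOrigins` API example that it introduces, so the reader meets the feature's definition last. Move this paragraph above the bullet list, or have it state that the wildcard and port rules listed earlier are the ones that apply. In the last sentence, "restricts which domain the HLS/DASH manifests and the video segments can be requested from" should read "which domains", since the setting takes a list.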
