|
| 1 | +--- |
| 2 | +pcx_content_type: reference |
| 3 | +title: Timed DNS policies |
| 4 | +sidebar: |
| 5 | + order: 3 |
| 6 | +--- |
| 7 | + |
| 8 | +By default, Cloudflare Gateway policies apply at all times when turned on. Gateway allows you to configure any DNS policy to activate for a specific amount of time, until an end time, or on a regular time interval. |
| 9 | + |
| 10 | +## Time-based policy duration |
| 11 | + |
| 12 | +You can use a time-based policy duration to set a specific time frame for the policy to turn on or configure an exact time for the policy to turn off. |
| 13 | + |
| 14 | +To set a duration for a DNS policy: |
| 15 | + |
| 16 | +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies** > **DNS**. |
| 17 | +2. Create a new DNS policy or choose an existing policy and select **Edit**. |
| 18 | +3. In **Configure policy settings**, turn on **Set a policy duration**. |
| 19 | +4. In **Input method**, choose _Duration_ and enter a specific amount of time until the policy turns off or choose _Exact end date_ and enter a specific date and time in your account's time zone for the policy to turn off. |
| 20 | +5. Select **Save policy**. |
| 21 | + |
| 22 | +When a policy turns off, it will remain off until you turn it back on. |
| 23 | + |
| 24 | +Policies with a set duration will retain their duration when turned off or on. For example, you can create a policy at 12:00 PM and set it to turn off after six hours. If you turn the policy off at 3:00 PM and turn it back on 4:00 PM, the policy will still turn off at 6:00 PM, six hours after the original time. |
| 25 | + |
| 26 | +### Reset a policy duration |
| 27 | + |
| 28 | +When a policy's time duration expires, you can turn the policy back on for the duration you originally configured. To reset a policy's duration, select the policy and choose **Reset policy duration**. |
| 29 | + |
| 30 | +For policies with an exact end time, you can change the time before the policy turns off. Once the policy reaches its exact end time, you will need to edit the policy and set a new end time. To set a new exact end time: |
| 31 | + |
| 32 | +1. Select the policy. |
| 33 | +2. Choose **Edit**. |
| 34 | +3. Turn on **Set a policy duration**. |
| 35 | +4. In **Input method**, choose _Exact end date_. In **Date and time**, enter a new date and time for the policy to turn off. |
| 36 | +5. Select **Save policy**. |
| 37 | + |
| 38 | +## Scheduled policies |
| 39 | + |
| 40 | +You can use the Gateway API to create a new DNS policy with a schedule or add a schedule to an existing policy. To schedule a policy, use the [Create a Zero Trust Gateway rule endpoint](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) or [Update a Zero Trust Gateway rule endpoint](/api/operations/zero-trust-gateway-rules-update-zero-trust-gateway-rule) with the `schedule` parameter set to your desired days of the week, times of day, and an optional time zone. The schedule will appear in Zero Trust under **Gateway** > **Firewall policies** > **DNS** when you select the policy. |
| 41 | + |
| 42 | +### How Gateway determines time zone |
| 43 | + |
| 44 | +If you [assign a time zone](#example-fixed-time-zone) to your schedule, Gateway will always use the current time at that time zone regardless of the user's location. This allows you to enable a policy during a certain fixed time period. |
| 45 | + |
| 46 | +If you [do not specify a time zone](#example-users-time-zone), Gateway will enable the DNS policy based on the user's local time zone. The user's time zone is inferred from the IP geolocation of their source IP address. If Gateway is unable to determine the time zone from the source IP, we will fall back to the time zone of the data center where the query was received. |
| 47 | + |
| 48 | +#### Example: Fixed time zone |
| 49 | + |
| 50 | +The following command creates a DNS policy to block `facebook.com` only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone. |
| 51 | + |
| 52 | +```bash |
| 53 | +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ |
| 54 | +--header "X-Auth-Email: <EMAIL>" \ |
| 55 | +--header "X-Auth-Key: <API_KEY>" \ |
| 56 | +--header "Content-Type: application/json" \ |
| 57 | +--data '{ |
| 58 | + "name": "office-no-facebook-policy", |
| 59 | + "action": "block", |
| 60 | + "traffic": "dns.fqdn == \"facebook.com\"", |
| 61 | + "enabled": true, |
| 62 | + "schedule": { |
| 63 | + "time_zone": "America/Chicago", |
| 64 | + "mon": "08:00-12:30,13:30-17:00", |
| 65 | + "tue": "08:00-12:30,13:30-17:00", |
| 66 | + "wed": "08:00-12:30,13:30-17:00", |
| 67 | + "thu": "08:00-12:30,13:30-17:00", |
| 68 | + "fri": "08:00-12:30,13:30-17:00" |
| 69 | + } |
| 70 | +}' |
| 71 | +``` |
| 72 | + |
| 73 | +Refer to [this table](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) for a list of all time zone identifiers. |
| 74 | + |
| 75 | +#### Example: User's time zone |
| 76 | + |
| 77 | +The following command creates a DNS policy to block `clockin.com` only on weekends in the time zone where the user is currently located. |
| 78 | + |
| 79 | +```bash |
| 80 | +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ |
| 81 | +--header "X-Auth-Email: <EMAIL>" \ |
| 82 | +--header "X-Auth-Key: <API_KEY>" \ |
| 83 | +--header "Content-Type: application/json" \ |
| 84 | +--data '{ |
| 85 | + "name": "clock-in-policy", |
| 86 | + "action": "block", |
| 87 | + "traffic": "dns.fqdn == \"clockin.com\"", |
| 88 | + "enabled": true, |
| 89 | + "schedule": { |
| 90 | + "sat": "00:00-24:00", |
| 91 | + "sun": "00:00-24:00" |
| 92 | + } |
| 93 | +}' |
| 94 | +``` |
| 95 | + |
| 96 | +:::note |
| 97 | +Gateway will not change the policy's `enabled` status when inside or outside of the time period specified. When enabled, Gateway activates or deactivates the policy according to its schedule. When disabled, the policy is always deactivated. |
| 98 | +::: |
0 commit comments