Split host selector limitations into its own page (#24515)

lfcassidy · maxvp · web-flow · commit 37ffdd6e9967 · 2025-09-30T15:39:12.000-04:00
Co-authored-by: Max Phillips &lt;mphillips@cloudflare.com&gt;
diff --git a/src/assets/images/cloudflare-one/policies/host-selector-diagram.png b/src/assets/images/cloudflare-one/policies/host-selector-diagram.png
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/host-selectors.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/host-selectors.mdx
@@ -0,0 +1,115 @@
+---
+pcx_content_type: configuration
+title: Host selectors
+sidebar:
+  order: 2
+---
+
+import { Tabs, TabItem, Details, APIRequest } from "~/components";
+
+<Details header="Feature availability">
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| Gateway with WARP                                                                         | Enterprise                                                    |
+
+| System   | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows  | ✅           | 2025.4.929.0         |
+| macOS    | ✅           | 2025.4.929.0         |
+| Linux    | ✅           | 2025.4.929.0         |
+| iOS      | ❌           |                      |
+| Android  | ❌           |                      |
+| ChromeOS | ❌           |                      |
+
+</Details>
+
+When Gateway receives a DNS query for hostname covered by the [Application](/cloudflare-one/policies/gateway/egress-policies/#application), [Content Categories](/cloudflare-one/policies/gateway/egress-policies/#content-categories), [Domain](/cloudflare-one/policies/gateway/egress-policies/#domain), and [Host](/cloudflare-one/policies/gateway/egress-policies/#host) selectors in an Egress policy, Gateway initially resolves DNS to an IP in the `100.80.0.0/16` or `2606:4700:0cf1:4000::/64` range. This process allows Gateway to map a destination IP with a hostname at [layer 4](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) (where Gateway evaluates Egress policies). The destination IP for a hostname is not usually known at layer 4. Prior to evaluating Egress policies, the initially resolved IP is overwritten with the correct destination IP.
+
+![Example egress policy flow](~/assets/images/cloudflare-one/policies/host-selector-diagram.png)
+
+Additional configuration is required when using policies with these selectors.
+
+## Turn on Host selectors
+
+To turn on the selectors for your account:
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network**.
+2. In **Firewall**, turn on **Host selector**.
+
+</TabItem> <TabItem label="API">
+
+Use the [Patch Zero Trust account configuration](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/) endpoint to update your Zero Trust configuration. For example:
+
+<APIRequest
+	path="/accounts/{account_id}/gateway/configuration"
+	method="PATCH"
+	json={{
+		settings: {
+			host_selector: {
+				enabled: true,
+			},
+		},
+	}}
+/>
+
+</TabItem> </Tabs>
+
+## Prerequisites
+
+Traffic must be on-ramped to Gateway with the following methods:
+
+| On-ramp method                                                                             | Compatibility |
+| ------------------------------------------------------------------------------------------ | ------------- |
+| [WARP](/cloudflare-one/connections/connect-devices/warp/)                                  | ✅            |
+| [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/)              | ✅            |
+| [Browser Isolation](/cloudflare-one/policies/browser-isolation/)                           | ✅            |
+| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | ❌            |
+| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)                                     | ❌            |
+
+Unsupported traffic will be resolved with your default Gateway settings. If you use DNS locations to send a DNS query to Gateway with IPv4, IPv6, DoT, or DoH, Gateway will not return the initial resolved IP for supported traffic nor resolve unsupported traffic.
+
+### Configuration changes
+
+:::caution
+Gateway will overwrite the DNS response for all supported traffic, even if you use identity or device posture selectors to limit which users or devices are affected by the policy. In these cases, while the DNS response is overwritten, Gateway will still apply the correct Egress policy. Therefore, the configuration changes below must be applied to all of your users and device profiles.
+:::
+
+To configure your Zero Trust organization to use Host selectors with Egress policies:
+
+1.  Ensure you have deployed [WARP version 2025.4.929.0](/cloudflare-one/connections/connect-devices/warp/download-warp/) or later on your users' desktop devices. If you need to apply your policies to mobile devices or devices running a version of WARP prior to 2025.4.929.0, add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS):
+
+    ```diff lang="xml"
+    <array>
+    	<dict>
+    +		<key>doh_in_tunnel</key>
+    +		<true/>
+    	</dict>
+    </array>
+    ```
+
+{/* prettier-ignore-start */}
+
+2.  In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
+
+    <Tabs> <TabItem label="Exclude IPs and domains">
+		1.  [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.
+		2.  [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses:
+			- `100.64.0.0/12`
+			- `100.81.0.0/16`
+			- `100.82.0.0/15`
+			- `100.84.0.0/14`
+			- `100.88.0.0/13`
+			- `100.96.0.0/11`
+
+    </TabItem> <TabItem label="Include IPs and domains">
+		1.  Add the required [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/connections/connect-devices/warp/ configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
+		2.  [Add a route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include the IP address `100.80.0.0/16`.
+
+    </TabItem> </Tabs>
+
+The WARP client must be set to _Gateway with WARP_ mode for traffic affected by these selectors to route correctly.
+
+{/* prettier-ignore-end */}
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx
@@ -220,52 +220,4 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl
 
 ### Selector prerequisites
 
-The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic on-ramped to Gateway with the following methods:
-
-<Render file="gateway/egress-selector-onramps" product="cloudflare-one" />
-
-When you use these selectors in an egress policy for traffic from a supported on-ramp, Gateway will assign <GlossaryTooltip term="initial resolved IP">initial resolved IPs</GlossaryTooltip> to the DNS queries, then apply the correct egress IP according to the egress policy. Unsupported traffic will be resolved with your default Gateway settings. Gateway will only overwrite the DNS response when the query matches a condition in the egress policy. If you use [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) to send a DNS query to Gateway with IPv4, IPv6, DoT, or DoH, Gateway will not return the initial resolved IP for supported traffic nor resolve unsupported traffic.
-
-Gateway will overwrite the DNS response for all supported traffic, even if you use identity or device posture selectors to limit which users or devices are affected by the policy. In these cases, while the DNS response is overwritten, Gateway will still apply the correct egress policy.
-
-To turn on the selectors for your account:
-
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network**.
-2. In **Firewall**, turn on **Host selector**.
-
-</TabItem> <TabItem label="API">
-
-Use the [Patch Zero Trust account configuration](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/) endpoint to update your Zero Trust configuration. For example:
-
-<APIRequest
-	path="/accounts/{account_id}/gateway/configuration"
-	method="PATCH"
-	json={{
-		settings: {
-			host_selector: {
-				enabled: true,
-			},
-		},
-	}}
-/>
-
-</TabItem> </Tabs>
-
-Additionally, to use these selectors to filter traffic onboarded with WARP, you need to:
-
-1.  Ensure you have deployed [WARP version 2025.4.929.0](/cloudflare-one/connections/connect-devices/warp/download-warp/) or later on your users' desktop devices. If you need to apply your policies to mobile devices or devices running a version of WARP prior to 2025.4.929.0, add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS):
-
-    ```diff lang="xml"
-    <array>
-    	<dict>
-    +		<key>doh_in_tunnel</key>
-    +		<true/>
-    	</dict>
-    </array>
-    ```
-
-2. <Render file="gateway/egress-selector-split-tunnels" product="cloudflare-one" />
-
-The WARP client must be set to _Gateway with WARP_ mode for traffic affected by these selectors to route correctly.
+The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors require configuration changes in order to be operational. Before deploying policies with these selectors, refer to [Host selectors](/cloudflare-one/policies/gateway/egress-policies/#host-selectors).
