@@ -366,15 +366,107 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_
366366
367367Implicitly deny all of your internal IP ranges included in a list. We recommend you place this policy at the [ bottom of your policy list] ( /learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#order-of-precedence ) to ensure you explicitly approve traffic defined in the above policies.
368368
369+ <Tabs syncKey = " dashPlusAPI" >
370+
371+ <TabItem label = " Dashboard" >
372+
369373| Selector | Operator | Value | Action |
370374| -------------- | -------- | ---------------------- | ------ |
371375| Destination IP | in list | _ Internal Network IPs_ | Block |
372376
377+ </TabItem >
378+
379+ <TabItem label = " API" >
380+
381+ ``` sh
382+ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID /gateway/rules \
383+ --header " Content-Type: application/json" \
384+ --header " Authorization: Bearer $CLOUDFLARE_API_TOKEN " \
385+ --data ' {
386+ "name": "All-NET-NO-HTTP-HTTPS-Internet-Deny",
387+ "description": "Block all non-web traffic towards the Internet",
388+ "precedence": 0,
389+ "enabled": true,
390+ "action": "block",
391+ "filters": [
392+ "l4"
393+ ],
394+ "traffic": "net.dst.ip in $<INTERNAL_NETWORK_IP_LIST_UUID>"
395+ }'
396+ ```
397+
398+ </TabItem >
399+
400+ <TabItem label = " Terraform" >
401+
402+ ``` tf
403+ resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_deny" {
404+ account_id = var.account_id
405+ name = "All-NET-NO-HTTP-HTTPS-Internet-Deny"
406+ description = "Block all non-web traffic towards the Internet"
407+ precedence = 0
408+ enabled = true
409+ action = "block"
410+ filters = ["l4"]
411+ traffic = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.internal_network_ip_list.id}"
412+ }
413+ ```
414+
415+ </TabItem >
416+ </Tabs >
417+
373418## All-NET-ApplicationAccess-Allow
374419
375420Only allow network traffic from known and approved devices.
376421
422+ <Tabs syncKey = " dashPlusAPI" >
423+
424+ <TabItem label = " Dashboard" >
425+
377426<Render
378427 file = " gateway/policies/dash-plus-api/network/enforce-device-posture"
379428 product = " cloudflare-one"
380429/>
430+
431+ </TabItem >
432+
433+ <TabItem label = " API" >
434+
435+ ``` sh
436+ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID /gateway/rules \
437+ --header " Content-Type: application/json" \
438+ --header " Authorization: Bearer $CLOUDFLARE_API_TOKEN " \
439+ --data ' {
440+ "name": "All-NET-ApplicationAccess-Allow",
441+ "description": "Only allow network traffic from known and approved devices",
442+ "precedence": 0,
443+ "enabled": true,
444+ "action": "block",
445+ "filters": [
446+ "l4"
447+ ],
448+ "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
449+ "device_posture": "not(any(device_posture.checks.passed[*] in {\"<DEVICE_SERIAL_NUMBER_LIST_UUID>\"}))"
450+ }'
451+ ```
452+
453+ </TabItem >
454+
455+ <TabItem label = " Terraform" >
456+
457+ ``` tf
458+ resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_deny" {
459+ account_id = var.account_id
460+ name = "All-NET-ApplicationAccess-Allow"
461+ description = "Only allow network traffic from known and approved devices"
462+ precedence = 0
463+ enabled = true
464+ action = "block"
465+ filters = ["l4"]
466+ traffic = "any(net.sni.domains[*] == \"internalapp.com\")"
467+ device_posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}{cloudflare_zero_trust_list.device_serial_number_list.id}\"}))"
468+ }
469+ ```
470+
471+ </TabItem >
472+ </Tabs >
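Review bot: The Terraform example under All-NET-ApplicationAccess-Allow reuses the resource label from the previous policy, so a reader who copies both snippets into one configuration gets a duplicate resource address; the `resource` line at gutter 458 should read `resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow" {` and the Cloudflare list references in that block should be consistent with the API tab. In the API tab for the same policy the `device_posture` expression references the list as `{\"<DEVICE_SERIAL_NUMBER_LIST_UUID>\"}` while the Terraform tab renders `{"$<id>"}` with the leading `$`, so one of the two appears to have dropped or added the list-reference prefix and the reader cannot tell which form Gateway accepts. The API and Terraform examples added under the internal-IP deny section carry the name "All-NET-NO-HTTP-HTTPS-Internet-Deny" and description "Block all non-web traffic towards the Internet" (gutter 386–387 and 405–406), which looks copied from the preceding policy rather than describing the internal-network block the prose introduces; the name should presumably match the heading this section sits under. Both new API/Terraform snippets also set `"precedence": 0`, yet the surrounding prose tells the reader to place the deny policy at the bottom of the list, so a short note that the precedence value must be adjusted to sit after the allow policies would keep the examples from contradicting the guidance.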