You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx
+9-1Lines changed: 9 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,6 +15,8 @@ The WARP client connects to Cloudflare via a standard HTTPS connection outside t
15
15
16
16
<Renderfile="warp/client-orchestration-ips" />
17
17
18
+
Although `zero-trust-client.cloudflareclient.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above.
19
+
18
20
## DoH IP
19
21
20
22
:::note
@@ -26,6 +28,8 @@ In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure
26
28
- IPv4 DoH Addresses: `162.159.36.1` and `162.159.46.1`
27
29
- IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001`
28
30
31
+
Although `<ACCOUNT_ID>.cloudflare-gateway.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above.
32
+
29
33
### Android devices
30
34
31
35
If you are deploying the Cloudflare One Agent on Android/ChromeOS, you must also add `cloudflare-dns.com` to your firewall exception list. On Android/ChromeOS devices, WARP uses `cloudflare-dns.com` to resolve domains on your [Split Tunnel list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels).
@@ -89,6 +93,8 @@ The client connects to the following destinations to verify general Internet con
89
93
-`162.159.197.3`
90
94
-`2606:4700:102::3`
91
95
96
+
Although `engage.cloudflareclient.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above.
97
+
92
98
### Inside tunnel
93
99
94
100
The WARP client connects to the following IPs to verify connectivity inside of the WARP tunnel:
@@ -98,7 +104,9 @@ The WARP client connects to the following IPs to verify connectivity inside of t
98
104
99
105
Because this check happens inside of the tunnel, you do not need to add these IPs to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy.
100
106
101
-
Thought it may be visible in `warp-diag` and other logs, `connectivity.cloudflareclient.com` is used internally by WARP and should not be used in firewall policies.
107
+
Although `connectivity.cloudflareclient.com` may appear in `warp-diag` and other logs, it is used internally by WARP and should not be used in firewall policies.
108
+
109
+
If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Be aware that this domain can resolve to different IP addresses. However, this domain is hardcoded to the IPs listed above. To avoid connectivity issues, ensure that `162.159.197.4` and `2606:4700:102::4` are permitted through your firewall.
0 commit comments