[ZT] WARP with firewall updates for 2025.4.589.1 (#21990)

* connectivity check IPs

* Masque TCP fallback

Author: ranbel

src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx

@@ -52,7 +52,9 @@ WARP connects to the following IP addresses, depending on which [tunnel protocol
 | IPv4 address   | `162.159.197.0/24`                                                                             |
 | IPv6 address   | `2606:4700:102::/48`                                                                           |
 | Default port   | `UDP 443`                                                                                      |
-| Fallback ports | `UDP 500` <br/> `UDP 1701` <br/> `UDP 4500` <br/> `UDP 4443` <br/> `UDP 8443` <br/> `UDP 8095` |
+| Fallback ports | `UDP 500` <br/> `UDP 1701` <br/> `UDP 4500` <br/> `UDP 4443` <br/> `UDP 8443` <br/> `UDP 8095` <br/> `TCP 443` [^1] |
+
+[^1]: Required for HTTP/2 fallback
 
 :::note
 
@@ -67,13 +69,25 @@ The following domains are used as part of our captive portal check:
 - `cloudflareok.com`
 - `cloudflarecp.com`
 
-## Connectivity check
+## Connectivity checks
+
+As part of establishing the WARP connection, the client runs connectivity checks inside and outside of the WARP tunnel.
+
+### Outside tunnel
+
+The client connects to the following destinations to verify general Internet connectivity outside of the WARP tunnel. Make sure that these IPs and domains are on your firewall allowlist.
+
+- `engage.cloudflareclient.com`: The client will always send requests directly to an IP in the [WARP ingress IPv4 or IPv6 range](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) (or to your [`override_warp_endpoint`](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#override_warp_endpoint) if set). Requests will not use a proxy server, even if one is configured for the system.
+- `162.159.197.3`
+- `2606:4700:102::3`
 
-As part of establishing the WARP connection, the client will check the following HTTPS URLs to validate a successful connection:
+### Inside tunnel
 
-- `engage.cloudflareclient.com` verifies general Internet connectivity outside of the WARP tunnel. These requests are always sent directly to an IP in the [WARP ingress IPv4 or IPv6 range](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) (or to your [`override_warp_endpoint`](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#override_warp_endpoint) if set). Requests will not use a proxy server, even if one is configured for the system.
+The client connects to the following destinations to verify connectivity inside of the WARP tunnel. Because this check happens inside of the tunnel, you do not need to add these IPs and domains to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy.
 
-- `connectivity.cloudflareclient.com` verifies connectivity inside of the WARP tunnel. Because this check happens inside of the tunnel, you do not need to add `connectivity.cloudflareclient.com` to your firewall allowlist.
+- `connectivity.cloudflareclient.com`
+- `162.159.197.4`
+- `2606:4700:102::4`
 
 ## NEL reporting (optional)
 

src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/client-errors.mdx

@@ -45,7 +45,7 @@ This page lists the error codes that can appear in the WARP client GUI. If you d
 
 ### Cause
 
-The initial [connectivity check](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check) failed for an unknown reason. Refer to [Unable to connect WARP](/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues/#unable-to-connect-warp) for the most common reasons why this error occurs.
+The initial [connectivity check](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks) failed for an unknown reason. Refer to [Unable to connect WARP](/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues/#unable-to-connect-warp) for the most common reasons why this error occurs.
 
 ### Resolution
 
@@ -164,7 +164,7 @@ A router, firewall, antivirus software, or other third-party security product is
 
 ### Cause
 
-The [connectivity check](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check) inside of the WARP tunnel has failed.
+The [connectivity check](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks) inside of the WARP tunnel has failed.
 
 ### Resolution
 

src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs.mdx

@@ -64,7 +64,7 @@ The `warp-debugging-info-<date>-<time>.zip` archive contains the following files
 | `boringtun.log`                                                                                     | Log for the WARP tunnel that serves traffic from the device to Cloudflare's global network.                                                                                                                                                                                                                                                 |
 | `bound-dns-ports.txt`                                                                               | Active processes on port `53`.                                                                                                                                                                                                                                                                                                              |
 | `captive-portal-hotspot-detect.txt`                                                                 | HTTP response of `captive.apple.com`                                                                                                                                                                                                                                                                                                        |
-| `connectivity.txt`                                                                                  | DNS resolution and HTTP trace requests to [validate a successful connection](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check). Can be used to determine whether traffic is routing through the WARP tunnel.                                                                                        |
+| `connectivity.txt`                                                                                  | DNS resolution and HTTP trace requests to [validate a successful connection](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks). Can be used to determine whether traffic is routing through the WARP tunnel.                                                                                        |
 | `daemon_dns.log`                                                                                    | Contains detailed DNS logs if **Log DNS queries** is enabled in the WARP client.                                                                                                                                                                                                                                                            |
 | `daemon.log`                                                                                        | Detailed log of all actions performed by the WARP client, including all communication between the device and Cloudflare's global network. **Note:** This is the most useful debug log.                                                                                                                                                      |
 | `date.txt`                                                                                          | Date and time (UTC) when you ran the `warp-diag` command.                                                                                                                                                                                                                                                                                   |

src/content/warp-releases/linux/beta/2025.4.589.1.yaml

@@ -4,7 +4,7 @@ releaseNotes: |-
   - Improved DEX test error reporting.
   - Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
   - Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.
-  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check). If your organization uses a firewall or other policies you will need to exempt these IPs.
+  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
   - Fixed an issue where frequent network changes could cause WARP to become unresponsive.
   - DNS over HTTPS traffic is now included in the WARP tunnel by default.
 version: 2025.4.589.1

src/content/warp-releases/macos/beta/2025.4.589.1.yaml

@@ -5,7 +5,7 @@ releaseNotes: |-
   - Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
   - Improved captive portal detection.
   - Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.
-  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check). If your organization uses a firewall or other policies you will need to exempt these IPs.
+  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
   - DNS over HTTPS traffic is now included in the WARP tunnel by default.
   - Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
   - Added a [Collect Captive Portal Diag](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics.

src/content/warp-releases/windows/beta/2025.4.589.1.yaml

@@ -7,7 +7,7 @@ releaseNotes: |-
   - Improved WARP client UI high contrast mode.
   - Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
   - Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.
-  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check). If your organization uses a firewall or other policies you will need to exempt these IPs.
+  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
   - DNS over HTTPS traffic is now included in the WARP tunnel by default.
   - Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
   - Added a [Collect Captive Portal Diag](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics.