Merge branch 'production' into ranbel/warp-release

Author: ranbel

public/__redirects

@@ -187,6 +187,7 @@
 /bots/concepts/ja3-fingerprint/ /bots/concepts/ja3-ja4-fingerprint/ 301
 /bots/reference/verified-bot-categories/ /bots/concepts/bot/verified-bots/categories/ 301
 /bots/reference/verified-bot-policy/ /bots/concepts/bot/verified-bots/policy/ 301
+/bots/concepts/challenge-solve-rate/ /fundamentals/security/cloudflare-challenges/challenge-solve-rate/ 301
 
 #browser-rendering
 /browser-rendering/get-started/browser-rendering-with-do/ /browser-rendering/workers-binding-api/browser-rendering-with-do/ 301

src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx

@@ -43,9 +43,13 @@ Use managed labels to identify endpoints by use case. Cloudflare may automatical
 
 `cf-account-update`: Add this label to endpoints that participate in user account or profile updates.
 
+`cf-llm`: Services that are (partially) powered by Large Language Model (LLM).
+
 `cf-rss-feed`: Add this label to endpoints that expect traffic from RSS clients.
 
-`cf-llm`: Services that are (partially) powered by Large Language Model (LLM).
+:::note
+<Render file="rss-labels" product="bots" />
+:::
 
 ### Risk labels
 
@@ -109,4 +113,4 @@ Alternatively, you can create a user-defined label via Endpoint Management in AP
 
 ## Availability
 
-Endpoint Management's labeling service is available to all customers.
+Endpoint Management's labeling service is available to all customers.

src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx

@@ -26,14 +26,14 @@ WARP settings define the WARP client modes and permissions available to end user
 <Render file="warp/all-systems-modes-plans" />
 
 :::note
-
-To use **Admin override**, you must first have enabled the [**Lock WARP switch**](#lock-warp-switch). **Admin override** is only needed and used when the WARP lock switch is turned on.
-
+To use **Admin override**, you must first have enabled [**Lock WARP switch**](#lock-warp-switch).
 :::
 
-When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot toggle the WARP client on and off on their device. Enabling **Admin override** gives users the ability to temporarily turn off the WARP client using an override code provided by an admin. **Admin override** is only needed in a configuration where the **lock WARP switch** is enabled.
+When [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot toggle the WARP client on and off on their device. Enabling **Admin override** gives users the ability to temporarily turn on or off the WARP client using an override code provided by an admin. **Admin override** is only needed in a configuration where **Lock WARP switch** is enabled.
 
-**Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
+Example use cases for **Admin override** include:
+- Allowing users to momentarily turn off WARP to work around a temporary network issue such as an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection.
+- Allowing test users to turn on WARP when [Global WARP override](#global-warp-override) is in effect.
 
 As admin, you can set a **Timeout** to define how long a user can toggle the WARP switch on or off after entering the override code. Cloudflare generates a new override code every hour that an admin can send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user.
 
@@ -53,20 +53,19 @@ To retrieve the one-time code for a user:
 2. Go to **My Team** > **Devices**.
 3. Select **View** for a connected device.
 4. Scroll down to **User details** and copy the 7-digit **Override code**.
-5. Share this code with the end user for them to enter on their device.
+5. Share this code with the user for them to enter on their device.
 
 The user will have an unlimited amount of time to activate their code.
 
 #### Enter the override code
 
-To turn off the WARP client on a user device:
+To activate the override code on a user device:
 
 1. In the WARP client, go to **Settings** > **Preferences** > **Advanced**.
 2. Select **Enter code**.
-3. Enter the override code. The WARP client will display a pop-up window showing when the override expires.
-4. Turn off the WARP switch.
+3. Enter the override code.
 
-The client will automatically reconnect after the [Auto connect period](#auto-connect), but the user can continue to turn off WARP until the override expires.
+The user can now toggle the WARP switch or use the `warp-cli connect` command. The client will automatically reconnect after the [Auto connect period](#auto-connect), but the user can continue to turn on or off WARP until the override expires.
 
 ### Install CA to system certificate store
 
@@ -111,6 +110,35 @@ This setting is primarily used as a prerequisite for [WARP Connector](/cloudflar
 
 The CGNAT IP assigned to a WARP device is permanent until the device unregisters from your Zero Trust organization. Disconnects and reconnects do not change the IP address assignment.
 
+### Global WARP override
+
+<Details header="Feature availability">
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| All modes                                                             | All plans                                                     |
+
+| System   | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows  | ✅           | 2025.2.600.0        |
+| macOS    | ✅           |  2025.2.600.0                    |
+| Linux    | ✅           |   2025.2.600.0                |
+| iOS      | ❌           |                      |
+| Android  | ❌           |                      |
+| ChromeOS | ❌           |                      |
+
+</Details>
+
+:::note
+Requires the [Super Administrator](/cloudflare-one/roles-permissions/) role.
+:::
+
+Global WARP override allows administrators to fail open WARP in case of an incident or outage. When you turn on **Global WARP override**, Cloudflare will disconnect all Windows, macOS, and Linux WARP clients that are connected to your Zero Trust organization. This includes end user devices, [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) hosts, and [WARP-to-WARP](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/) devices. End users will receive a notification on their device and the WARP client will display `The administrator for your account has disconnected WARP`.
+
+[Auto connect](#auto-connect) and [Lock WARP switch](#lock-warp-switch) will not apply while the global override is on. Additionally, the global override will clear any existing [Admin override](#admin-override) codes. The only way for users to reconnect during a global override is by using a new [Admin override](#admin-override) code. For example, you may want to provide IT staff with a code so that they can test resolution of the incident that led to the global disconnect.
+
+To resume normal operations, turn off **Global WARP override**. If you configured an [Auto connect](#auto-connect) value, the WARP client will automatically reconnect. Otherwise WARP will remain disconnected until the user manually reconnects.
+
 ## Device settings
 
 ### Captive portal detection

src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser.mdx

@@ -22,7 +22,7 @@ To request participation in this beta, contact your account team.
 
 | System   | Availability | Minimum WARP version |
 | -------- | ------------ | -------------------- |
-| Windows  | ✅           | 2025.1.447.1         |
+| Windows  | ✅           |  2025.2.460.1        |
 | macOS    | ❌           |                      |
 | Linux    | ❌           |                      |
 | iOS      | ❌           |                      |
@@ -33,8 +33,8 @@ To request participation in this beta, contact your account team.
 
 Cloudflare WARP supports multiple user registrations on a single Windows device. When deployed in multi-user mode, the WARP client will automatically switch user registrations after a user logs in to their Windows account. All traffic to Cloudflare will be attributed to the currently active Windows user. This allows administrators to apply identity-based policies and device settings, audit user activity, and remove individual users from a shared workstation.
 
-:::note
-A user must log out of their Windows account before switching to another account. A user cannot lock the screen and log in to another account, use the **Switch users** option in Windows, or have any other type of concurrent sessions.
+:::caution[DNS logging]
+If a user enables **Log DNS queries** in the WARP GUI (or runs `warp-cli dns log enable`), WARP will store all DNS queries on the device onto disk. Any user on the device will be able to examine the DNS queries of another user.
 :::
 
 ## Enable multi-user mode
@@ -100,6 +100,7 @@ The following flowchart shows how WARP registration settings take effect as user
 flowchart TB
     start(["Enable multi-user mode"])-->reg["Active Windows user is prompted to register WARP"]
 		reg--"Log out of Windows"-->prelogin
+		reg--"Switch user"-->regexists
 
     subgraph preloginbehavior["Windows login screen"]
 		prelogin{{"Is there a pre-login <br />registration?"}}
@@ -114,3 +115,13 @@ flowchart TB
 		regexists-. "No" .->reg
 ```
 
+### Fast user switching
+
+:::note
+Requires [multi-user mode](#enable-multi-user-mode).
+:::
+
+[Fast user switching](https://learn.microsoft.com/windows/win32/shell/fast-user-switching) is a Windows feature that allows users to switch accounts without logging out. With fast user switching, multiple users may be logged in to the device and generating network traffic. The WARP client will attribute all traffic to the user who has the [interactive windows station](http://techcommunity.microsoft.com/blog/askperf/sessions-desktops-and-windows-stations/372473). For example, if user A is logged in and fast user switches to user B, traffic from both accounts will appear to come from user B. This is because user B is now actively using the Windows desktop GUI. Now assume that user B logs out and there is no [pre-login registration](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin/); WARP will continue to attribute traffic to user B until user A logs back in to the Windows desktop.
+
+To accurately attribute network traffic to specific users, Cloudflare recommends disabling fast user switching or at the very least configuring a [pre-login registration](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin/).
+

src/content/docs/fundamentals/security/cloudflare-challenges/challenge-passage.mdx

@@ -1,7 +1,8 @@
 ---
 pcx_content_type: reference
 title: Challenge Passage
-
+sidebar:
+    order: 2
 ---
 
 When a visitor solves a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time.

src/content/docs/bots/concepts/challenge-solve-rate.mdx renamed to src/content/docs/fundamentals/security/cloudflare-challenges/challenge-solve-rate.mdx

@@ -1,8 +1,8 @@
 ---
 pcx_content_type: concept
-title: Challenge Solve Rate (CSR)
+title: Challenge solve rate (CSR)
 sidebar:
-  order: 2
+  order: 3
 
 ---
 

src/content/docs/turnstile/index.mdx

@@ -77,7 +77,7 @@ Refer to [Cloudflare Turnstile's product page](https://www.cloudflare.com/produc
 ## Features
 
 <Feature header="Turnstile Analytics" href="/turnstile/turnstile-analytics/">
-	Assess the number of challenges issued, evaluate the challenge solve rate, and
+	Assess the number of challenges issued, evaluate the [challenge solve rate](/fundamentals/security/cloudflare-challenges/challenge-solve-rate/), and
 	view the metrics of issued challenges.
 </Feature>
 

src/content/docs/turnstile/tutorials/implicit-vs-explicit-rendering.mdx

@@ -264,5 +264,5 @@ Remember to perform server-side validation of the response token to complete the
 ## Additional resources
 
 - [Server-side validation](/turnstile/get-started/server-side-validation/): A guide on how to implement server-side validation to ensure that only valid, human-generated responses are accepted by your application.
-- [Turnstile Analytics](/turnstile/turnstile-analytics/): A guide on how to access and interpret Turnstile Analytics data, allowing you to monitor key metrics, access the number of challenges issued, and evaluate the challenge solve rate (CSR).
+- [Turnstile Analytics](/turnstile/turnstile-analytics/): A guide on how to access and interpret Turnstile Analytics data, allowing you to monitor key metrics, access the number of challenges issued, and evaluate the [challenge solve rate (CSR)](/fundamentals/security/cloudflare-challenges/challenge-solve-rate/).
 - [Turnstile API Reference](/api/resources/turnstile/subresources/widgets/methods/list/): Comprehensive documentation for the Turnstile API, providing detailed information on API operations for managing Turnstile widgets, including how to list, create, and update widgets via API calls.

src/content/docs/turnstile/tutorials/integrating-turnstile-waf-and-bot-management.mdx

@@ -180,4 +180,4 @@ If you are interested in customizing Turnstile, refer to the resources below for
 
 - [Client-side rendering](/turnstile/get-started/client-side-rendering/). Learn how to customize how and when Turnstile renders in your user interface, to better fit your application's needs and user experience.
 - [Server-side validation](/turnstile/get-started/server-side-validation/). Learn how Turnstile's API works, including request parameters, as well as how to handle different types of responses, including error codes.
-- [Turnstile Analytics](/turnstile/turnstile-analytics/). Learn how to view Turnstile's analytics in the Cloudflare dashboard. This includes metrics on the number of challenges issued, as well as the CSR (Challenge Solve Rate).
+- [Turnstile Analytics](/turnstile/turnstile-analytics/). Learn how to view Turnstile's analytics in the Cloudflare dashboard. This includes metrics on the number of challenges issued, as well as the [challenge solve rate (CSR)](/fundamentals/security/cloudflare-challenges/challenge-solve-rate/).

src/content/glossary/bots.yaml

@@ -13,7 +13,7 @@ entries:
     general_definition: |-
       Additional information about a bot request, such as why Cloudflare has given it a bot score and whether the request came from a verified bot or a category of verified bots.
 
-  - term: Challenge Solve Rate (CSR)
+  - term: Challenge solve rate (CSR)
     general_definition: |-
       The percentage of issued challenges that were solved.