[CF1] add WARP technical details (#23590)

deadlypants1973 · thomasgauvin · commit 8166a80698ec · 2025-08-15T16:52:30.000-04:00
* [CF1] add WARP technical details

* update

* update

* final

* final

* swg link

* final updates

* final updates
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx
@@ -12,15 +12,15 @@ This guide explains how the Cloudflare WARP client interacts with a device's ope
 
 In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the IP traffic information does not apply. In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode, the DNS traffic information does not apply.
 
-## Overview
+## WARP traffic flow
 
 The WARP client allows organizations to have granular control over the applications an end user device can access. The client forwards DNS and network traffic from the device to Cloudflare's global network, where Zero Trust policies are applied in the cloud. On all operating systems, the WARP daemon maintains three connections between the device and Cloudflare:
 
-| Connection                                                                                                                                     | Protocol | Purpose                                                                                                         |
-| ---------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------- |
-| WARP tunnel ([via WireGuard or MASQUE](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol)) | UDP      | Send IP packets to Gateway for network policy enforcement, HTTP policy enforcement, and private network access. |
-| [DoH](https://www.cloudflare.com/learning/dns/dns-over-tls/)                                                                                   | HTTPS    | Send DNS requests to Gateway for DNS policy enforcement. The DoH connection is maintained inside of the WARP tunnel.      |
-| Device orchestration                                                                                                                           | HTTPS    | Perform user registration, check device posture, apply WARP profile settings.                                   |
+| Connection                                                                                                                                     | Protocol | Purpose                                                                                                              |
+| ---------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------- |
+| WARP tunnel ([via WireGuard or MASQUE](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol)) | UDP      | Send IP packets to Gateway for network policy enforcement, HTTP policy enforcement, and private network access.      |
+| [DoH](https://www.cloudflare.com/learning/dns/dns-over-tls/)                                                                                   | HTTPS    | Send DNS requests to Gateway for DNS policy enforcement. The DoH connection is maintained inside of the WARP tunnel. |
+| Device orchestration                                                                                                                           | HTTPS    | Perform user registration, check device posture, apply WARP profile settings.                                        |
 
 ```mermaid
 flowchart LR
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/index.mdx
@@ -8,17 +8,46 @@ head:
     content: About Cloudflare WARP
 ---
 
+## About Cloudflare WARP
+
 The Cloudflare WARP client allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare's global network, where [Cloudflare Gateway](/cloudflare-one/policies/gateway/) can apply advanced web filtering. The WARP client also makes it possible to apply advanced [Zero Trust policies](/cloudflare-one/identity/devices/) that check for a device's health before it connects to corporate applications.
 
-WARP is a lightweight device client, which builds proxy tunnels using either Wireguard or MASQUE, and builds a DNS proxy using DNS-over-HTTPS. WARP supports all major operating systems, all common forms of endpoint management tooling, and has a robust series of management parameters and profiles to accurately scope the needs of a diverse user base.
+## How WARP works
+
+WARP is a device client that builds proxy tunnels using either Wireguard or MASQUE, and builds a DNS proxy using DNS-over-HTTPS. WARP supports all major operating systems, all common forms of endpoint management tooling, and has a robust series of management parameters and profiles to accurately scope the needs of a diverse user base.
+
+The WARP client consists of:
+
+- Graphical User Interface (GUI): Control panel that allows end users to view WARP's [status](/cloudflare-one/connections/connect-devices/warp/troubleshooting/connectivity-status/) and perform actions such as turning WARP on or off.
+- WARP daemon (or service): Core background component responsible for establishing secure tunnels (using WireGuard or MASQUE) and handling all WARP functionality on your device.
+
+Refer to [WARP architecture](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/) for more information on how WARP client interacts with a device's operating system to route traffic.
+
+## Key benefits of using WARP
+
+Deploying the WARP client significantly enhances your organization's security and visibility within Cloudflare Zero Trust:
+
+- **Unified security policies everywhere**: With the WARP client deployed in the Gateway with WARP mode, [Gateway policies](/cloudflare-one/policies/gateway/) are not location-dependent — they can be enforced anywhere.
+
+- **Advanced web filtering and threat protection**: Activate Gateway features for your device traffic, including:
+
+      - [Anti-Virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/)
+      - [HTTP filtering](/cloudflare-one/policies/gateway/http-policies/)
+      - [Browser Isolation](/cloudflare-one/policies/gateway/http-policies/#isolate)
+      - [Identity-based policies](/cloudflare-one/policies/gateway/network-policies/)
+
+- **Application and device-specific insights**: With WARP installed on your corporate devices, you can view detailed application and user-level activity on the [Zero Trust Shadow IT Discovery](/cloudflare-one/insights/analytics/shadow-it-discovery/) page, while also monitoring device and network performance with [Digital Experience Monitoring (DEX)](/cloudflare-one/insights/dex/) to proactively detect and resolve issues.
+
+- **Device posture checks**: The WARP client provides advanced Zero Trust protection by making it possible to check for [device posture](/cloudflare-one/identity/devices/). By setting up device posture checks, you can build Zero Trust policies that check for a device's location, disk encryption status, OS version, and more.
+
+- **Secure private and infrastructure access**: WARP lets devices connect to [private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) over Cloudflare Tunnel and is required for [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/), enabling secure SSH with short-lived certificates and detailed logging.
 
-WARP has flexible [operating modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) and can control device traffic as a proxy, control device DNS traffic as a DNS proxy, or both. It is the most common method to send traffic from user devices to be filtered and decrypted by Cloudflare Gateway.
+## WARP modes
 
-Downloading and deploying the WARP client to your devices enhances the protection Cloudflare Zero Trust can provide to your users and data, wherever they are.
+WARP offers flexible [operating modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) to suit your specific needs. WARP can control device traffic as a full proxy, manage only DNS traffic as a DNS proxy, or both. WARP is the most common method for sending user device traffic through Cloudflare Gateway for filtering and decryption.
 
-The WARP client provides in-depth protection for your organization in a few ways:
+## Next steps
 
-- **WARP lets you enforce security policies anywhere**. With the WARP client deployed in the Gateway with WARP mode, Gateway policies are not location-dependent — they can be enforced anywhere.
-- **WARP lets you enforce HTTP filtering and user-based policies**. Download and install the WARP client to enable Gateway features such as [Anti-Virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [HTTP filtering](/cloudflare-one/policies/gateway/http-policies/), [Browser Isolation](/cloudflare-one/policies/gateway/http-policies/#isolate), and [identity-based policies](/cloudflare-one/policies/gateway/network-policies/).
-- **WARP lets you have in-depth, application-specific insights**. With WARP installed on your corporate devices, you can populate the [Zero Trust Shadow IT Discovery](/cloudflare-one/insights/analytics/shadow-it-discovery/) page with visibility down to the application and user level. This makes it easy to discover, analyze, and take action on any shadow IT your users may be using every day.
-- **WARP allows you to build rich device posture rules.** The WARP client provides advanced Zero Trust protection by making it possible to check for [device posture](/cloudflare-one/identity/devices/). By setting up device posture checks, you can build Zero Trust policies that check for a device's location, disk encryption status, OS version, and more.
+- Review the [first-time setup](/cloudflare-one/connections/connect-devices/warp/set-up-warp/) guide to [install](/cloudflare-one/connections/connect-devices/warp/download-warp/) and [deploy](/cloudflare-one/connections/connect-devices/warp/deployment/) the WARP client on your corporate devices.
+- Review possible [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) and [settings](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/) to best suit your organization's needs.
+- Explore [Cloudflare Gateway](/cloudflare-one/policies/gateway/) to enforce advanced DNS, network, HTTP, and egress policies with WARP.
