[Gateway] Proxy endpoint firewall config (#19265)

maxvp · pedrosousa · web-flow · commit 8af75adc9647 · 2025-01-22T21:18:28.000Z
Co-authored-by: Pedro Sousa &lt;680496+pedrosousa@users.noreply.github.com&gt;
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx
@@ -8,9 +8,7 @@ sidebar:
 import { Details, GlossaryDefinition, TabItem, Tabs } from "~/components";
 
 :::note
-
 Only available on Enterprise plans.
-
 :::
 
 You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file.
@@ -28,7 +26,6 @@ Install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/u
 You can generate a proxy endpoint on the Zero Trust dashboard or through the Cloudflare API.
 
 :::caution
-
 All devices you add to the proxy endpoint will be able to access your Cloudflare Tunnel applications and services. If you only want to proxy web traffic, you can build a network policy that blocks those source IPs from connecting to your internal resources.
 :::
 
@@ -48,9 +45,7 @@ All devices you add to the proxy endpoint will be able to access your Cloudflare
    - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/109`
 
    :::note
-
    Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/32` for IPv6 networks.
-
    :::
 
 5. Select **Save endpoint** and confirm the endpoint creation.
@@ -80,9 +75,7 @@ https://<SUBDOMAIN>.proxy.cloudflare-gateway.com
    - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/32`
 
    :::note
-
    Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/32` for IPv6 networks.
-
    :::
 
 2. After running the call, you should see an output similar to
@@ -197,6 +190,118 @@ To test your configuration, you can test any [supported HTTP policy](#limitation
 
 You can now use the Proxy Endpoint selector in [network](/cloudflare-one/policies/gateway/network-policies/#proxy-endpoint) and [HTTP](/cloudflare-one/policies/gateway/http-policies/#proxy-endpoint) policies to filter traffic proxied via PAC files.
 
+## Configure firewall
+
+You may need to configure your organization's firewall to allow your users to connect to a proxy endpoint. Depending on your firewall, you will need to create a rule using either your proxy endpoint's domain or IP addresses.
+
+To get the domain of a proxy endpoint:
+
+<Tabs syncKey="dashPlusAPI">
+
+<TabItem label="Dashboard">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Proxy endpoints**.
+2. Choose the proxy endpoint. Select **Edit**.
+3. In **Proxy Endpoint**, copy the domain.
+
+</TabItem>
+
+<TabItem label="API">
+
+1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) operation to get a list of your proxy endpoints and their details. For example:
+
+   ```bash
+   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \
+   --header "Authorization: Bearer <API_TOKEN>"
+   ```
+
+   ```json {10} output
+   {
+    "success": true,
+    "result": {
+      "id": "ed35569b41ce4d1facfe683550f54086",
+      "created_at": "2014-01-01T05:20:00.12345Z",
+      "ips": [
+        "192.0.2.1/32"
+      ],
+      "name": "DevOps team",
+      "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
+      "updated_at": "2014-01-01T05:20:00.12345Z"
+    }
+   }
+   ```
+
+2. Find the proxy endpoint you want to use.
+3. Copy the value of the `subdomain` key.
+
+</TabItem>
+
+</Tabs>
+
+Using your proxy endpoint's domain, you can get the IP addresses assigned to the proxy endpoint:
+
+<Tabs>
+
+<TabItem label="macOS and Linux">
+
+1. Open a terminal.
+2. Run `dig` on your proxy endpoint's A records to get its IPv4 addresses. For example:
+
+   ```bash
+   dig A example.cloudflare-gateway.com +short
+   ```
+
+   ```txt output
+   162.159.36.5
+   162.159.36.20
+   ```
+
+3. Run `dig` on your proxy endpoint's AAAA records to get its IPv6 addresses. For example:
+
+   ```bash
+   dig AAAA example.cloudflare-gateway.com +short
+   ```
+
+   ```txt output
+   2606:4700:54::a29f:2407
+   2606:4700:5c::a29f:2e07
+   ```
+
+</TabItem>
+
+<TabItem label="Windows">
+
+1. Open a PowerShell terminal.
+2. Run `Resolve-DnsName` on your proxy endpoint's A records. Your proxy endpoint's IPv4 addresses will appear under `IPAddress`. For example:
+
+   ```powershell
+   Resolve-DnsName -Name example.cloudflare-gateway.com -Type A
+   ```
+
+   ```txt output
+   Name                                           Type   TTL   Section    IPAddress
+   ----                                           ----   ---   -------    ---------
+   example.cloudflare-gateway.com                 A      300   Answer     162.159.36.5
+   example.cloudflare-gateway.com                 A      300   Answer     162.159.36.20
+   ```
+
+3. Run `Resolve-DnsName` on your proxy endpoint's AAAA records. Your proxy endpoint's IPv6 addresses will appear under `IPAddress`. For example:
+
+   ```powershell
+   Resolve-DnsName -Name example.cloudflare-gateway.com -Type AAAA
+   ```
+
+   ```txt output
+   Name                                           Type   TTL   Section    IPAddress
+   ----                                           ----   ---   -------    ---------
+   example.cloudflare-gateway.com                 AAAA   300   Answer     2606:4700:5c::a29f:2e07
+   example.cloudflare-gateway.com                 AAAA   300   Answer     2606:4700:54::a29f:2407
+   ```
+
+</TabItem>
+
+</Tabs>
+
 ## Limitations
 
 ### Traffic limitations
