[Gateway] File sandboxing (#16786)

Co-authored-by: Rebecca Tamachiro <[email protected]>
Co-authored-by: Jun Lee <[email protected]>

Author: 3 people

src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx

@@ -2,111 +2,111 @@
 pcx_content_type: concept
 title: AV scanning
 sidebar:
-  order: 8
-
+  order: 5
 ---
 
-Cloudflare Gateway protects users as they browse the Internet. When users download or upload a file to an origin on the Internet, that file could potentially contain malicious code that may cause their device to perform undesired behavior.
+import { Render, Details } from "~/components";
 
-To prevent this, Cloudflare Gateway allows admins to enable **Anti-Virus (AV) scanning** of files that are uploaded or downloaded by users as the file passes through Gateway.
+Cloudflare Gateway protects users as they browse the Internet. When users download or upload a file to an origin on the Internet, that file could potentially contain malicious code that may cause their device to perform undesired behavior. To prevent this, Cloudflare Gateway allows admins to turn on anti-virus (AV) scanning of files that are uploaded or downloaded by users as the file passes through Gateway.
 
-AV scanning of files requires organizations to go to **Settings** > **Network** > **Firewall** and enable **AV inspection**.
+In addition to scanning files, Gateway can quarantine files as your users download them. Quarantining files helps protect organizations from zero-day vulnerabilities not yet available in anti-virus databases. For more information, refer to [File sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/).
 
-## Enable AV scanning
+## Get started
 
-To enable AV scanning:
+To turn on AV scanning:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
-2. In **Firewall**, enable **AV inspection**.
+2. In **Firewall**, turn on **AV inspection**.
 3. Choose whether to scan files for malicious payloads during uploads, downloads, or both. You can also block requests containing [non-scannable files](#non-scannable-files).
 
 When a request is blocked due to the presence of malware, Gateway will log the match as a Block decision in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs).
 
-## How Gateway determines if a file should be scanned
-
-If AV scanning is enabled, Gateway will use the following to determine whether a file is present in a request or response, and whether to scan that file (first match will result in the file being scanned):
-
-* If the Content-Disposition HTTP header is `Attachment`
-
-* If the byte signature of the body of the request matches a signature we identify as one of the following file type categories:
+## File scan criteria
 
-  * **Executable** (e.g., `.exe`, `.bat`, `.dll`, `.wasm`)
-  * **Documents** (e.g., `.doc`, `.docx`, `.pdf`, `.ppt`, `.xls`)
-  * **Compressed** (e.g., `.7z`, `.gz`, `.zip`, `.rar`)
+If AV scanning is turned on, Gateway will use the following criteria to determine whether a file is present in a request or response, and whether to scan that file. The first match will result in the file being scanned.
 
-* If the file name in the Content-Disposition header contains a file extension that indicates it is one of the file type categories above
+- If the `Content-Disposition` HTTP header is `Attachment`
+- If the byte signature of the body of the request matches a signature Gateway identifies as one of the following file type categories:
+  - **Executable** (for example, `.exe`, `.bat`, `.dll`, and `.wasm`)
+  - **Documents** (for example, `.doc`, `.docx`, `.pdf`, `.ppt`, and `.xls`)
+  - **Compressed** (for example, `.7z`, `.gz`, `.zip`, and `.rar`)
+- If the file name in the `Content-Disposition` header contains a file extension that indicates it is one of the file type categories above
 
-If none of the above conditions trigger a file to be scanned, Gateway will use the origin's Content-Type header to determine whether or not to scan the file. Additionally, Gateway will not scan files it determines to be in the Image, Video, or Audio file type categories.
+If none of the above conditions trigger a file to be scanned, Gateway will use the origin's `Content-Type` header to determine whether or not to scan the file. Additionally, Gateway will not scan files it determines to be image, video, or audio files.
 
 If a file does not trigger a scan based on the three methods above but also does not match criteria to be exempted from scanning, Gateway will default to scanning the file for malware.
 
-## Non-scannable files
-
-Not all files are able to be scanned. For example, this is the case for password protected files that cannot be opened due to encryption. Admins can choose whether to **fail open** (allow the file to pass through unscanned) or to **fail closed** (deny the file transfer).
-
-The following files cannot be scanned and will be blocked or allowed based on whether the admin configured Gateway to fail open or closed:
-
-* Files larger than 15MB cannot be scanned.
-* Password protected archives
-* Archives with more than 3 recursion levels
-* Archives with more than 300 files
-* PGP encrypted files
-
 ## Opt content out from scanning
 
-When an admin enables AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning by leveraging the HTTP rules. All [HTTP selectors](/cloudflare-one/policies/gateway/http-policies/#selectors) can be used to opt HTTP traffic out from AV scanning using the Do Not Scan action. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, an admin would configure the following rule:
+When an admin turns on AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning using HTTP policies. All [HTTP selectors](/cloudflare-one/policies/gateway/http-policies/#selectors) can opt HTTP traffic out from AV scanning using the **Do Not Scan** action. When traffic matches a Do Not Scan policy, nothing is scanned, regardless of file size or whether the file type is supported or not. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, you can create the following policy:
 
 | Selector | Operator      | Value         | Action      |
 | -------- | ------------- | ------------- | ----------- |
 | Hostname | matches regex | `example.com` | Do Not Scan |
 
-Opting out of AV scanning applies to both uploads and downloads of files (i.e., it matches the global AV scanning setting). If an admin has chosen, for example, to only globally scan uploads, then opting out of AV scanning only applies to uploads.
+Opting out of AV scanning applies to uploads and/or downloads of files, matching your account's global AV scanning setting. For example, if you have configured Gateway to globally scan uploads only, then opting out of AV scanning will only apply to uploads.
 
-When traffic matches a Do Not Scan rule, nothing is scanned, regardless of file size or whether the file type is supported or not.
+## Compatibility
 
-## Supported compressed file types
+### Supported compressed file types
 
 In addition to standard object files like PDFs, Zero Trust supports AV scanning for the following archive types:
 
-* 7-Zip
-* 7-Zip SFX
-* ACE
-* ACE SFX
-* AutoHotkey
-* AutoIt
-* BASE64
-* BZ2
-* CHM Help Files
-* CPIO SVR4
-* Chrome Extension (CRX) Package Format
-* eXtensible ARchive format (XAR)
-* GZIP compressed files
-* ISO 9660
-* Inno Setup
-* Indigo Rose Setup Factory
-* Java ARchive
-* LZH/LHA
-* MacBinary
-* MIME base64
-* MSCOMPRESS
-* Microsoft CAB
-* Microsoft TNEF
-* NSIS Nullsoft Installer
-* Office Legacy XML
-* PGP signed message, document, etc.
-* RPM
-* RAR
-* SAPCar
-* Self-extracting ARJ
-* Self-extracting CA
-* Self-extracting LZH/LHA
-* Self-extracting RAR
-* Self-extracting ZIP
-* Smart Install Maker
-* TAR
-* UUE and XXE compressed files
-* Windows Imaging File (WIM)
-* XE compressed files (UUE and XXE)
-* XZ file format
-* ZIP
-* ZOO
+<Details header="Supported compressed file types">
+
+- 7-Zip
+- 7-Zip SFX
+- ACE
+- ACE SFX
+- AutoHotkey
+- AutoIt
+- BASE64
+- BZ2
+- CHM Help Files
+- CPIO SVR4
+- Chrome Extension (CRX) Package Format
+- eXtensible ARchive format (XAR)
+- GZIP compressed files
+- ISO 9660
+- Inno Setup
+- Indigo Rose Setup Factory
+- Java ARchive
+- LZH/LHA
+- MacBinary
+- MIME base64
+- MSCOMPRESS
+- Microsoft CAB
+- Microsoft TNEF
+- NSIS Nullsoft Installer
+- Office Legacy XML
+- PGP signed message, document, etc.
+- RPM
+- RAR
+- SAPCar
+- Self-extracting ARJ
+- Self-extracting CA
+- Self-extracting LZH/LHA
+- Self-extracting RAR
+- Self-extracting ZIP
+- Smart Install Maker
+- TAR
+- UUE and XXE compressed files
+- Windows Imaging File (WIM)
+- XE compressed files (UUE and XXE)
+- XZ file format
+- ZIP
+- ZOO
+
+</Details>
+
+Gateway cannot scan [certain archive files](#non-scannable-files) regardless of file type, such as large or encrypted files.
+
+### Non-scannable files
+
+Gateway cannot scan all files for malware. When Gateway encounters a non-scannable file, you can configure AV scanning whether to fail open (allow the file to pass through unscanned) or to fail closed (deny the file transfer).
+
+<Render file="gateway/nonscannable-files" />
+
+- Password protected archives
+- Archives with more than three recursion levels
+- Archives with more than 300 files

src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx

@@ -0,0 +1,34 @@
+---
+pcx_content_type: concept
+title: File sandboxing
+sidebar:
+  order: 6
+---
+
+import { Render, Details } from "~/components";
+
+In addition to [anti-virus (AV) scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware.
+
+While the files are quarantined, Gateway will present a scanning page to your users. If a file passes scanning, Gateway will release the file from quarantine and download it to your user's device.
+
+## Get started
+
+To begin quarantining downloaded files, turn on file sandboxing:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
+2. In **Firewall**, turn on **File sandboxing**.
+3. (Optional) To block requests containing [non-scannable files](#non-scannable-files), select **Block requests for files that cannot be scanned**.
+
+You can now create [Quarantine HTTP policies](/cloudflare-one/policies/gateway/http-policies/#quarantine) to determine what files to scan in the sandbox.
+
+## Compatibility
+
+### Supported file types
+
+<Render file="gateway/sandbox-file-types" />
+
+### Non-scannable files
+
+<Render file="gateway/nonscannable-files" />
+
+- Archive files

src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: concept
 title: HTTP/3
 sidebar:
-  order: 5
+  order: 2
 ---
 
 import { Details } from "~/components";

src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx

@@ -8,9 +8,7 @@ sidebar:
 import { Details, InlineBadge, Render } from "~/components";
 
 :::note
-
-Install the <a href="/cloudflare-one/connections/connect-devices/warp/user-side-certificates/">Cloudflare Root Certificate</a> before creating HTTP policies.
-
+To use HTTP policies, install the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/).
 :::
 
 HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and [optionally UDP](/cloudflare-one/policies/gateway/initial-setup/http/#1-connect-to-gateway)) traffic sent over ports 80 and 443.
@@ -90,9 +88,7 @@ The Allow action allows outbound traffic to reach destinations you specify withi
 #### Untrusted certificates
 
 :::note
-
 To use this feature, deploy a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/).
-
 :::
 
 The **Untrusted certificate action** determines how to handle insecure requests.
@@ -340,12 +336,61 @@ When an admin enables AV scanning for uploads and/or downloads, Gateway will sca
 
 When a Do Not Scan rule matches, nothing is scanned, regardless of file size or whether the file type is supported or not.
 
+### Quarantine
+
+API value: `quarantine`
+
+<Details header="Available selectors">
+
+**Traffic**
+
+- [Application](#application)
+- [Content Categories](#content-categories)
+- [Destination Continent IP Geolocation](#destination-continent)
+- [Destination Country IP Geolocation](#destination-country)
+- [Destination IP](#destination-ip)
+- [Domain](#domain)
+- [Host](#host)
+- [HTTP Method](#http-method)
+- [Proxy Endpoint](#proxy-endpoint)
+- [Security Risks](#security-risks)
+- [Source Continent IP Geolocation](#source-continent)
+- [Source Country IP Geolocation](#source-country)
+- [Source Internal IP](#source-internal-ip)
+- [Source IP](#source-ip)
+- [URL](#url)
+- [URL Path](#url-path)
+- [URL Path & Query](#url-path-and-query)
+- [URL Query](#url-query)
+- [Virtual Network](#virtual-network)
+
+**Identity**
+
+- [SAML Attributes](#users)
+- [User Email](#users)
+- [User Group Emails](#users)
+- [User Group IDs](#users)
+- [User Group Names](#users)
+- [User Name](#users)
+
+**Device Posture**
+
+- [Passed Device Posture Checks](#device-posture)
+
+</Details>
+
+The Quarantine action sends files in matching requests to a file sandbox to scan for malware. Gateway will only quarantine files not previously seen in the file sandbox. For more information on this action, refer to [File sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/).
+
+#### Sandbox file types
+
+In **Sandbox file types**, you can select which file types to quarantine with your policy. You must select at least one file type.
+
+<Render file="gateway/sandbox-file-types" />
+
 ## Selectors
 
 :::note
-
 Policies created using the URL selector are case-sensitive.
-
 :::
 
 Gateway matches HTTP traffic against the following selectors, or criteria:
@@ -371,7 +416,6 @@ For more information, refer to our list of [content categories](/cloudflare-one/
 ### Destination Continent
 
 :::note
-
 Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default).
 :::
 
@@ -383,7 +427,6 @@ Only applies to traffic sent through the [WARP client](/cloudflare-one/connectio
 ### Destination Country
 
 :::note
-
 Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default).
 :::
 
@@ -395,7 +438,6 @@ Only applies to traffic sent through the [WARP client](/cloudflare-one/connectio
 ### Destination IP
 
 :::note
-
 Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default).
 :::
 
@@ -409,7 +451,7 @@ Only applies to traffic sent through the [WARP client](/cloudflare-one/connectio
 
 ### Domain
 
-Use this selector to match against a domain and all subdomains — for example, if you want to block `example.com` and subdomains such as `www.example.com`.
+Use this selector to match against a domain and all subdomains -- for example, if you want to block `example.com` and subdomains such as `www.example.com`.
 
 | UI name | API example                                     |
 | ------- | ----------------------------------------------- |
@@ -451,16 +493,14 @@ Scans HTTP traffic for the presence of social security numbers and other PII. Yo
 
 ### Host
 
-Use this selector to match only the hostname specified — for example, if you want to block `test.example.com` but not `example.com` or `www.test.example.com`.
+Use this selector to match only the hostname specified -- for example, if you want to block `test.example.com` but not `example.com` or `www.test.example.com`.
 
 | UI name | API example                               |
 | ------- | ----------------------------------------- |
 | Host    | `http.request.host == "test.example.com"` |
 
 :::note
-
 Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector.
-
 :::
 
 ### HTTP Method

src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: Tenant control
 sidebar:
-  order: 7
+  order: 4
 ---
 
 With Gateway tenant control, you can allow your users access to corporate SaaS applications while blocking access to personal applications. This helps prevent the loss of sensitive or confidential data from a corporate network.

src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: concept
 title: TLS decryption
 sidebar:
-  order: 6
+  order: 3
 
 ---
 

src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: WebSocket traffic
 sidebar:
-  order: 9
+  order: 7
 
 ---