You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx
+42-38Lines changed: 42 additions & 38 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,7 +9,48 @@ Cloudflare Zero Trust applies a set of global policies to all accounts.
9
9
10
10
Zero Trust logs prepend an identifier to global policy names. For example, matches for the global policy **Allow Zero Trust Services** will appear in your logs with the name **Global Policy - Allow Zero Trust Services**.
11
11
12
-
The following policies are sorted by [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
12
+
The following policies are sorted by [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) within each policy type.
13
+
14
+
## DNS resolution policies
15
+
16
+
Gateway enforces global DNS and resolver policies before any other policies. This ensures the traffic is not blocked by user policies and gets resolved with Cloudflare's public DNS resolver, [1.1.1.1](/1.1.1.1/). Each global DNS policy evaluates traffic based on the domain in the query.
| Allow DNS queries for cloudflareclient.com domain |`00000001-e139-4a1b-90d5-698d8fa371e0`|`cloudflareclient.com`| allow |
21
+
| Resolve cloudflareclient.com through 1.1.1.1 |`00000001-e738-4554-823b-0b2c75af2c66`|`cloudflareclient.com`| resolve |
22
+
| Allow DNS queries for content.browser.run domain |`00000001-9bff-4d83-a9e4-e5ed321fe0b9`|`content.browser.run`| allow |
23
+
| Resolve content.browser.run through 1.1.1.1 |`00000001-0df5-472b-80c0-02888e7167ee`|`content.browser.run`| resolve |
24
+
| Allow DNS queries for edge.browser.run and cloudflarebrowser.com domains |`00000001-e2f1-4e99-bab3-91df88879587`|`edge.browser.run` and `cloudflarebrowser.com`| allow |
25
+
| Resolve edge.browser.run and cloudflarebrowser.com through 1.1.1.1 |`00000001-b103-44c6-a114-7a784cdf3fb7`|`edge.browser.run` and `cloudflarebrowser.com`| resolve |
26
+
| Allow DNS queries for help.teams.cloudflare.com and help.one.cloudflare.com domains |`00000001-b2fc-46db-b0f1-69ef3553bd7a`|`help.teams.cloudflare.com` and `help.one.cloudflare.com`| allow |
27
+
| Resolve help.teams.cloudflare.com and help.one.cloudflare.com through 1.1.1.1 |`00000001-ce13-486a-b006-ba0435ccb013`|`help.teams.cloudflare.com` and `help.one.cloudflare.com`| resolve |
28
+
| Allow DNS queries for cloudflare-gateway.com domain |`00000001-e83d-492b-995e-351970cd5e8e`|`cloudflare-gateway.com`| allow |
29
+
| Resolve cloudflare-gateway.com through 1.1.1.1 |`00000001-d9bc-4913-a2f5-905dbb3ecf9a`|`cloudflare-gateway.com`| resolve |
30
+
| Allow DNS queries for cloudflarestatus.com domain |`00000001-78da-4f8a-b9ee-76563f1ec46b`|`cloudflarestatus.com`| allow |
31
+
| Resolve cloudflarestatus.com through 1.1.1.1 |`00000001-4d1d-43a3-9015-c49fc3a6da31`|`cloudflarestatus.com`| resolve |
32
+
| Allow DNS queries for nel.cloudflare.com domain |`00000001-af28-4afa-8987-eadc21187e14`|`nel.cloudflare.com`| allow |
33
+
| Resolve nel.cloudflare.com through 1.1.1.1 |`00000001-0034-45a0-8333-f339451fba46`|`nel.cloudflare.com`| resolve |
34
+
| Allow DNS queries for api.cloudflare.com domain |`00000001-5eea-4932-8dd5-8e1ec9770396`|`api.cloudflare.com`| allow |
35
+
| Resolve api.cloudflare.com through 1.1.1.1 |`00000001-4f0c-4f86-9b96-5d26123a194b`|`api.cloudflare.com`| resolve |
36
+
| Allow DNS queries for dash.teams.cloudflare.com domain |`00000001-0f75-48a9-b3e1-925a974d2b65`|`dash.teams.cloudflare.com`| allow |
37
+
| Resolve dash.teams.cloudflare.com through 1.1.1.1 |`00000001-3d84-41a6-bc84-3014685c0d81`|`dash.teams.cloudflare.com`| resolve |
38
+
| Allow DNS queries for one.dash.cloudflare.com domain |`00000001-a9fd-40de-a662-51d3a3ae0ad8`|`one.dash.cloudflare.com` and `one.dash.fed.cloudflare.com`| allow |
39
+
| Resolve one.dash.cloudflare.com through 1.1.1.1 |`00000001-70f2-4eea-b711-201bca434ed4`|`one.dash.cloudflare.com` and `one.dash.fed.cloudflare.com`| resolve |
40
+
| Allow DNS queries for dash.cloudflare.com domain |`00000001-0c2a-4b31-8606-3e5a1d87c1bf`|`dash.cloudflare.com` and `dash.fed.cloudflare.com`| allow |
41
+
| Resolve dash.cloudflare.com through 1.1.1.1 |`00000001-c47f-41f3-b234-d66c82b8d422`|`dash.cloudflare.com` and `dash.fed.cloudflare.com`| resolve |
42
+
| Allow DNS queries for cloudflareportal.com, cloudflareok.com and cloudflarecp.com domains |`00000001-1c6c-4793-b48f-799eee6e0e31`|`cloudflareportal.com`, `cloudflareok.com`, and `cloudflarecp.com`| allow |
43
+
| Resolve cloudflareportal.com, cloudflareok.com and cloudflarecp.com through 1.1.1.1 |`00000001-8c35-4d7d-9dbb-cb7350375b7b`|`cloudflareportal.com`, `cloudflareok.com`, and `cloudflarecp.com`| resolve |
44
+
| Allow DNS queries for cloudflareaccess.com domain |`00000001-d738-4dad-bac4-1a50201d9503`|`cloudflareaccess.com`| allow |
45
+
| Resolve cloudflareaccess.com through 1.1.1.1 |`00000001-4404-4572-80f6-f7b098909460`|`cloudflareaccess.com`| resolve |
46
+
| Allow DNS queries for blocked.teams.cloudflare.com domain |`00000001-76f4-4438-b8ab-a9da53f4a2f1`|`blocked.teams.cloudflare.com` and `blocked.teams.fed.cloudflare.com`| allow |
47
+
| Resolve blocked.teams.cloudflare.com through 1.1.1.1 |`00000001-af3c-458f-aeb2-b3bb5d3fe1d5`|`blocked.teams.cloudflare.com` and `blocked.teams.fed.cloudflare.com`| resolve |
48
+
| Allow DNS queries for developers.cloudflare.com domain |`00000001-4263-4808-8457-4d4329c91f66`|`developers.cloudflare.com`| allow |
49
+
| Resolve developers.cloudflare.com through 1.1.1.1 |`00000001-9f91-4462-9270-78beca5b4dbc`|`developers.cloudflare.com`| resolve |
50
+
| Allow DNS queries for speed.cloudflare.com domain |`00000001-4fc0-4286-b783-6c442adda171`|`speed.cloudflare.com`| allow |
51
+
| Resolve speed.cloudflare.com through 1.1.1.1 |`00000001-ec51-4471-9e78-bd47d46a3002`|`speed.cloudflare.com`| resolve |
52
+
| Allow DNS requests to browser-rendered Access Apps |`00000001-1232-4a9f-a165-1e8ed59483c4`|`*.zero-trust-apps.cfdata.org`| allow |
| Don't Isolate RBI Help Pages |`00000001-1a18-431f-9c9d-bce431f1002a`| Hostname |`developers.cloudflare.com` and `help.cloudflarebrowser.com`| noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues. |
45
86
| Don't AV Scan CF Speed |`00000001-c194-408f-87dd-9a366ce76e12`| Hostname |`speed.cloudflare.com`| noscan | Allows files transferred by the Cloudflare speed test. |
46
-
47
-
## DNS resolution policies
48
-
49
-
For each of the domains above, Gateway enforces global DNS and resolver policies before any other policies. This ensures the traffic is not blocked by user policies and gets resolved with Cloudflare's public DNS resolver, [1.1.1.1](/1.1.1.1/).
| Allow DNS queries for cloudflareclient.com domain |`00000001-e139-4a1b-90d5-698d8fa371e0`|`cloudflareclient.com`| allow |
54
-
| Resolve cloudflareclient.com through 1.1.1.1 |`00000001-e738-4554-823b-0b2c75af2c66`|`cloudflareclient.com`| resolve |
55
-
| Allow DNS queries for content.browser.run domain |`00000001-9bff-4d83-a9e4-e5ed321fe0b9`|`content.browser.run`| allow |
56
-
| Resolve content.browser.run through 1.1.1.1 |`00000001-0df5-472b-80c0-02888e7167ee`|`content.browser.run`| resolve |
57
-
| Allow DNS queries for edge.browser.run and cloudflarebrowser.com domains |`00000001-e2f1-4e99-bab3-91df88879587`|`edge.browser.run` and `cloudflarebrowser.com`| allow |
58
-
| Resolve edge.browser.run and cloudflarebrowser.com through 1.1.1.1 |`00000001-b103-44c6-a114-7a784cdf3fb7`|`edge.browser.run` and `cloudflarebrowser.com`| resolve |
59
-
| Allow DNS queries for help.teams.cloudflare.com domain |`00000001-b2fc-46db-b0f1-69ef3553bd7a`|`help.teams.cloudflare.com` and `help.one.cloudflare.com`| allow |
60
-
| Resolve help.teams.cloudflare.com through 1.1.1.1 |`00000001-ce13-486a-b006-ba0435ccb013`|`help.teams.cloudflare.com` and `help.one.cloudflare.com`| resolve |
61
-
| Allow DNS queries for cloudflare-gateway.com domain |`00000001-e83d-492b-995e-351970cd5e8e`|`cloudflare-gateway.com`| allow |
62
-
| Resolve cloudflare-gateway.com through 1.1.1.1 |`00000001-d9bc-4913-a2f5-905dbb3ecf9a`|`cloudflare-gateway.com`| resolve |
63
-
| Allow DNS queries for cloudflarestatus.com domain |`00000001-78da-4f8a-b9ee-76563f1ec46b`|`cloudflarestatus.com`| allow |
64
-
| Resolve cloudflarestatus.com through 1.1.1.1 |`00000001-4d1d-43a3-9015-c49fc3a6da31`|`cloudflarestatus.com`| resolve |
65
-
| Allow DNS queries for nel.cloudflare.com domain |`00000001-af28-4afa-8987-eadc21187e14`|`nel.cloudflare.com`| allow |
66
-
| Resolve nel.cloudflare.com through 1.1.1.1 |`00000001-0034-45a0-8333-f339451fba46`|`nel.cloudflare.com`| resolve |
67
-
| Allow DNS queries for api.cloudflare.com domain |`00000001-5eea-4932-8dd5-8e1ec9770396`|`api.cloudflare.com`| allow |
68
-
| Resolve api.cloudflare.com through 1.1.1.1 |`00000001-4f0c-4f86-9b96-5d26123a194b`|`api.cloudflare.com`| resolve |
69
-
| Allow DNS queries for dash.teams.cloudflare.com domain |`00000001-0f75-48a9-b3e1-925a974d2b65`|`dash.teams.cloudflare.com`| allow |
70
-
| Resolve dash.teams.cloudflare.com through 1.1.1.1 |`00000001-3d84-41a6-bc84-3014685c0d81`|`dash.teams.cloudflare.com`| resolve |
71
-
| Allow DNS queries for dash.cloudflare.com domain |`00000001-0c2a-4b31-8606-3e5a1d87c1bf`|`dash.cloudflare.com`| allow |
72
-
| Resolve dash.cloudflare.com through 1.1.1.1 |`00000001-c47f-41f3-b234-d66c82b8d422`|`dash.cloudflare.com`| resolve |
73
-
| Allow DNS queries for cloudflareportal.com, cloudflareok.com and cloudflarecp.com domains |`00000001-1c6c-4793-b48f-799eee6e0e31`|`cloudflareportal.com`, `cloudflareok.com`, and `cloudflarecp.com`| allow |
74
-
| Resolve cloudflareportal.com, cloudflareok.com and cloudflarecp.com through 1.1.1.1 |`00000001-8c35-4d7d-9dbb-cb7350375b7b`|`cloudflareportal.com`, `cloudflareok.com`, and `cloudflarecp.com`| resolve |
75
-
| Allow DNS queries for cloudflareaccess.com domain |`00000001-d738-4dad-bac4-1a50201d9503`|`cloudflareaccess.com`| allow |
76
-
| Resolve cloudflareaccess.com through 1.1.1.1 |`00000001-4404-4572-80f6-f7b098909460`|`cloudflareaccess.com`| resolve |
77
-
| Allow DNS queries for blocked.teams.cloudflare.com domain |`00000001-76f4-4438-b8ab-a9da53f4a2f1`|`blocked.teams.cloudflare.com`| allow |
78
-
| Resolve blocked.teams.cloudflare.com through 1.1.1.1 |`00000001-af3c-458f-aeb2-b3bb5d3fe1d5`|`blocked.teams.cloudflare.com`| resolve |
79
-
| Allow DNS queries for developers.cloudflare.com domain |`00000001-4263-4808-8457-4d4329c91f66`|`developers.cloudflare.com`| allow |
80
-
| Resolve developers.cloudflare.com through 1.1.1.1 |`00000001-9f91-4462-9270-78beca5b4dbc`|`developers.cloudflare.com`| resolve |
81
-
| Allow DNS queries for speed.cloudflare.com domain |`00000001-4fc0-4286-b783-6c442adda171`|`speed.cloudflare.com`| allow |
82
-
| Resolve speed.cloudflare.com through 1.1.1.1 |`00000001-ec51-4471-9e78-bd47d46a3002`|`speed.cloudflare.com`| resolve |
0 commit comments