[Gateway] Get started with API policies (#18724)

Author: maxvp

src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx

@@ -2,10 +2,12 @@
 {}
 ---
 
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
 
 To create a new DNS policy:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
 2. In the **DNS** tab, select **Add a policy**.
 3. Name the policy.
@@ -17,4 +19,48 @@ To create a new DNS policy:
    />
 6. Select **Create policy**.
 
+</TabItem>
+
+<TabItem label="API">
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+   | Type    | Item       | Permission |
+   | ------- | ---------- | ---------- |
+   | Account | Zero Trust | Edit       |
+
+2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token.
+3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
+
+   ```sh title="curl API DNS policy example"
+   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+   --header "Content-Type: application/json" \
+   --header "Authorization: Bearer <API_TOKEN>" \
+   --data '{
+     "name": "Block security risks",
+     "description": "Block all default Cloudflare DNS security categories",
+     "precedence": 0,
+     "enabled": true,
+     "action": "block",
+     "filters": [
+       "dns"
+     ],
+     "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
+     "identity": "",
+     "device_posture": ""
+   }'
+   ```
+
+   ```sh output
+   {
+   	 "success": true,
+   	 "errors": [],
+   	 "messages": []
+   }
+   ```
+
+   The API will respond with a summary of the policy and the result of your request.
+
+</TabItem> </Tabs>
+
 For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).

src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx

@@ -2,15 +2,17 @@
 {}
 ---
 
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
 
 To create a new HTTP policy:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
 2. In the **HTTP** tab, select **Add a policy**.
 3. Name the policy.
 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
+5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
 
    <Render
    	file="gateway/policies/do-not-inspect-applications"
@@ -26,4 +28,69 @@ To create a new HTTP policy:
 
 6. Select **Create policy**.
 
+</TabItem>
+
+<TabItem label="API">
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+   | Type    | Item       | Permission |
+   | ------- | ---------- | ---------- |
+   | Account | Zero Trust | Edit       |
+
+2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token.
+3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
+
+   ```sh title="curl API HTTP policy example"
+   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+   --header "Content-Type: application/json" \
+   --header "Authorization: Bearer <API_TOKEN>" \
+   --data '{
+     "name": "Do not inspect applications",
+     "description": "Bypass TLS decryption for unsupported applications",
+     "precedence": 0,
+     "enabled": true,
+     "action": "off",
+     "filters": [
+       "http"
+     ],
+     "traffic": "any(app.type.ids[*] in {16})",
+     "identity": "",
+     "device_posture": ""
+   }'
+   ```
+
+   ```sh output
+   {
+   	 "success": true,
+   	 "errors": [],
+   	 "messages": []
+   }
+   ```
+
+   The API will respond with a summary of the policy and the result of your request.
+
+   Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:
+
+   ```bash title="Block known risks HTTP policy"
+   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+   --header "Content-Type: application/json" \
+   --header "Authorization: Bearer <API_TOKEN>" \
+   --data '{
+     "name": "Block known risks",
+     "description": "Block all default Cloudflare HTTP security categories",
+     "precedence": 0,
+     "enabled": true,
+     "action": "block",
+     "filters": [
+       "http"
+     ],
+     "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
+     "identity": "",
+     "device_posture": ""
+   }'
+   ```
+
+</TabItem> </Tabs>
+
 For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).

src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx

@@ -2,10 +2,12 @@
 {}
 ---
 
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
 
 To create a new network policy:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
 2. In the **Network** tab, select **Add a policy**.
 3. Name the policy.
@@ -17,4 +19,48 @@ To create a new network policy:
    />
 6. Select **Create policy**.
 
+</TabItem>
+
+<TabItem label="API">
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+   | Type    | Item       | Permission |
+   | ------- | ---------- | ---------- |
+   | Account | Zero Trust | Edit       |
+
+2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token.
+3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+
+   ```sh title="curl API network policy example"
+   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+   --header "Content-Type: application/json" \
+   --header "Authorization: Bearer <API_TOKEN>" \
+   --data '{
+     "name": "Enforce device posture",
+     "description": "Ensure only devices in Zero Trust organization can connect to application",
+     "precedence": 0,
+     "enabled": true,
+     "action": "block",
+     "filters": [
+     	 "l4"
+     ],
+     "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
+     "identity": "",
+     "device_posture": "not(any(device_posture.checks.passed[*] in {\"<LIST_UUID>\"}))"
+   }'
+   ```
+
+   ```sh output
+   {
+   	 "success": true,
+   	 "errors": [],
+   	 "messages": []
+   }
+   ```
+
+   The API will respond with a summary of the policy and the result of your request.
+
+</TabItem> </Tabs>
+
 For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/).

src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx

@@ -2,9 +2,9 @@
 {}
 ---
 
-In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
 
 | Selector                     | Operator | Value                   | Logic | Action |
 | ---------------------------- | -------- | ----------------------- | ----- | ------ |
-| Passed Device Posture Checks | not in   | _Device serial numbers_ | And   | Block  |
-| SNI Domain                   | is       | `internalapp.com`       |       |        |
+| SNI Domain                   | is       | `internalapp.com`       | And   | Block  |
+| Passed Device Posture Checks | not in   | _Device serial numbers_ |       |        |