[Gateway] HTTP non-standard ports (#23177)

Author: maxvp

src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx

@@ -11,6 +11,7 @@ import {
 	Render,
 	TabItem,
 	Tabs,
+	Badge,
 } from "~/components";
 
 Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/learning/security/what-is-https-inspection/) in order to inspect HTTPS traffic for malware and other security risks.
@@ -41,6 +42,17 @@ Gateway does not support TLS decryption for applications which use:
 - [ESNI and ECH handshake encryption](#esni-and-ech)
 - [Automatic HTTPS upgrades](#google-chrome-automatic-https-upgrades)
 
+### Inspect on all ports <Badge text="Beta" variant="caution" size="small" />
+
+<Render
+	file="gateway/inspect-on-all-ports"
+	product="cloudflare-one"
+	params={{
+		turnOnProcedure:
+			"you can turn on [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports)",
+	}}
+/>
+
 ### Incompatible certificates
 
 Applications that use certificate pinning and mTLS authentication do not trust Cloudflare certificates. For example, most mobile applications use <GlossaryTooltip term="certificate pinning" link="/ssl/reference/certificate-pinning/">certificate pinning</GlossaryTooltip>. Cloudflare does not trust applications that use self-signed certificates instead of certificates signed by a public CA.
@@ -87,6 +99,10 @@ Chrome Enterprise users can turn off automatic HTTPS upgrades for all URLs with
 
 </TabItem> </Tabs>
 
+### Mutual TLS (mTLS)
+
+When decrypting TLS to inspect traffic, connections that use mutual TLS (mTLS) will fail because Gateway cannot return the necessary client certificate. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this traffic.
+
 ### ESNI and ECH
 
 Websites that adhere to [ESNI or Encrypted Client Hello (ECH) standards](https://blog.cloudflare.com/encrypted-client-hello/) encrypt the Server Name Indicator (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. This is because Gateway relies on the SNI to match an HTTP request to a policy. If the ECH fails, browsers will retry the TLS handshake using the unencrypted SNI from the initial request. To avoid this behavior, you can disable ECH in your users' browsers.

src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx

@@ -165,6 +165,41 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
 
 </TabItem> </Tabs>
 
+## Filter HTTP traffic when inspecting on all ports
+
+If your organization blocks traffic by default with a network policy and you want to [inspect HTTP traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+| Selector          | Operator | Value  | Logic | Action |
+| ----------------- | -------- | ------ | ----- | ------ |
+| Detected Protocol | is       | _TLS_  | Or    | Allow  |
+| Detected Protocol | is       | _HTTP_ |       |        |
+
+</TabItem>
+
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+  "name": "Allow on inspect all ports",
+  "description": "Filter TLS traffic when using inspect all ports",
+  "enabled": true,
+  "action": "allow",
+  "filters": [
+    "l4"
+  ],
+  "traffic": "net.detected_protocol == \"tls\" or net.detected_protocol == \"http\"",
+  "identity": "",
+  "device_posture": ""
+}'
+```
+
+</TabItem> </Tabs>
+
 ## Restrict access to private networks
 
 Restrict access to resources which you have connected through [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/).

src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx

@@ -5,17 +5,32 @@ sidebar:
   order: 2
 ---
 
+import { Badge, Render } from "~/components";
+
 Gateway supports the detection, logging, and filtering of network protocols using packet attributes.
 
 Protocol detection only applies to devices connected to Zero Trust via the WARP client in [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default) mode.
 
 ## Turn on protocol detection
 
+To turn on protocol detection:
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network** > **Firewall**.
 2. Turn on **Protocol Detection**.
 
 You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudflare-one/policies/gateway/network-policies/#detected-protocol).
 
+### Inspect on all ports <Badge text="Beta" variant="caution" size="small" />
+
+<Render
+	file="gateway/inspect-on-all-ports"
+	product="cloudflare-one"
+	params={{
+		turnOnProcedure:
+			"under **HTTP inspection ports**, choose _Inspect on all ports_",
+	}}
+/>
+
 ## Supported protocols
 
 Gateway supports detection and filtering of the following protocols:

src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx

@@ -5,7 +5,7 @@ sidebar:
   order: 1
 ---
 
-import { GlossaryTooltip, Render, TabItem, Tabs } from "~/components";
+import { GlossaryTooltip, Render, TabItem, Tabs, Badge } from "~/components";
 
 TLS inspection (also known as TLS decryption or HTTPS inspection) allows Cloudflare Gateway to perform deeper traffic analysis and take actions like scanning request bodies for sensitive data, upgrading to a remote browser isolation session, and redirecting based on the complete URL and path of requests.
 
@@ -36,6 +36,17 @@ To turn on TLS inspection for your Zero Trust organization:
 
 <Render file="gateway/enable-tls-decryption" product="cloudflare-one" />
 
+#### Inspect on all ports <Badge text="Beta" variant="caution" size="small" />
+
+<Render
+	file="gateway/inspect-on-all-ports"
+	product="cloudflare-one"
+	params={{
+		turnOnProcedure:
+			"you can turn on [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports)",
+	}}
+/>
+
 ### 3. Determine the certificate used for inspection
 
 TLS inspection requires a trusted private root certificate to be able to inspect and filter encrypted traffic. A [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) is a simple and common solution that is usually appropriate for testing or proof-of-concept conditions when deployed to your devices. You can [generate a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) in Zero Trust.

src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx

@@ -0,0 +1,12 @@
+---
+params:
+  - turnOnProcedure
+---
+
+import { Markdown } from "~/components";
+
+By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`.
+
+To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, <Markdown text={props.turnOnProcedure} />.
+
+Inspecting traffic on all ports works best if you allow all traffic by default. If your organization uses a Network policy to block all traffic by default, Gateway will allow all non-HTTPS TLS traffic, and you will not be able to filter this traffic. To use HTTP policies to filter all TLS traffic on all ports when using a default Block Network policy, [create a Network policy to explicitly allow HTTP and TLS traffic](/cloudflare-one/policies/gateway/network-policies/common-policies/#filter-http-traffic-when-inspecting-on-all-ports).