
Commit a6558d1

committed
Fix precedence for NET policies
1 parent 37d0a3e commit a6558d1


2 files changed

+14
-14
lines changed


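--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
@@ -97,7 +97,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 --data '{
 "name": "Posture-Fail-NET-Restricted-Access",
 "description": "Restrict access for devices where baseline posture checks have not passed",
-"precedence": 0,
+"precedence": 10,
 "enabled": true,
 "action": "block",
 "filters": [
@@ -117,7 +117,7 @@ resource "cloudflare_zero_trust_gateway_policy" "posture_fail_net_restricted_acc
 account_id = var.cloudflare_account_id
 name = "Posture-Fail-NET-Restricted-Access"
 description = "Restrict access for devices where baseline posture checks have not passed"
-precedence = 0
+precedence = 10
 enabled = true
 action = "block"
 filters = ["l4"]
@@ -155,7 +155,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 --data '{
 "name": "FinanceUsers-NET-HTTPS-FinanceServers",
 "description": "Allow HTTPS access for user groups",
-"precedence": 0,
+"precedence": 20,
 "enabled": true,
 "action": "allow",
 "filters": [
@@ -175,7 +175,7 @@ resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance
 account_id = var.cloudflare_account_id
 name = "FinanceUsers-NET-HTTPS-FinanceServers"
 description = "Allow HTTPS access for user groups"
-precedence = 0
+precedence = 20
 enabled = true
 action = "allow"
 filters = ["l4"]
@@ -214,7 +214,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 --data '{
 "name": "All-NET-Internet-Blocklist",
 "description": "Block traffic to malicious or risky destination IPs, SNIs, and SNI domains",
-"precedence": 0,
+"precedence": 30,
 "enabled": true,
 "action": "block",
 "filters": [
@@ -233,7 +233,7 @@ resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance
 account_id = var.cloudflare_account_id
 name = "All-NET-Internet-Blocklist"
 description = "Block traffic to malicious or risky destination IPs, SNIs, and SNI domains"
-precedence = 0
+precedence = 30
 enabled = true
 action = "block"
 filters = ["l4"]
@@ -276,7 +276,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 --data '{
 "name": "All-NET-SSH-Internet-Allowlist",
 "description": "Allow SSH traffic to specific endpoints on the Internet for specific users",
-"precedence": 0,
+"precedence": 40,
 "enabled": true,
 "action": "allow",
 "filters": [
@@ -296,7 +296,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_ssh_internet_allowlist"
 account_id = var.cloudflare_account_id
 name = "All-NET-SSH-Internet-Allowlist"
 description = "Allow SSH traffic to specific endpoints on the Internet for specific users"
-precedence = 0
+precedence = 40
 enabled = true
 action = "allow"
 filters = ["l4"]
@@ -332,7 +332,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 --data '{
 "name": "All-NET-NO-HTTP-HTTPS-Internet-Deny",
 "description": "Block all non-web traffic towards the Internet",
-"precedence": 0,
+"precedence": 50,
 "enabled": true,
 "action": "block",
 "filters": [
@@ -351,7 +351,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_
 account_id = var.cloudflare_account_id
 name = "All-NET-NO-HTTP-HTTPS-Internet-Deny"
 description = "Block all non-web traffic towards the Internet"
-precedence = 0
+precedence = 50
 enabled = true
 action = "block"
 filters = ["l4"]
@@ -385,7 +385,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 --data '{
 "name": "All-NET-InternalNetwork-ImplicitDeny",
 "description": "Implicitly deny all of your internal IP ranges included in a list",
-"precedence": 0,
+"precedence": 60,
 "enabled": true,
 "action": "block",
 "filters": [
@@ -404,7 +404,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_internalnetwork_implici
 account_id = var.cloudflare_account_id
 name = "All-NET-InternalNetwork-ImplicitDeny"
 description = "Implicitly deny all of your internal IP ranges included in a list"
-precedence = 0
+precedence = 60
 enabled = true
 action = "block"
 filters = ["l4"]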
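Review bot: The hunk header at `@@ -233,7 +233,7 @@` places the All-NET-Internet-Blocklist Terraform resource under the same truncated label `finance_users_net_https_finance…` as the FinanceUsers policy at `@@ -175,7 +175,7 @@`. If the full labels are identical, a reader who copies both examples into one module gets a duplicate-resource error, so the blocklist block probably needs its own label, for example `all_net_internet_blocklist`. The `resource` lines themselves are outside the hunks, so this is inferred from the headers only. Separately, the page would benefit from one sentence next to the first example saying that lower `precedence` values are evaluated first (as I understand the Gateway API), so readers know why the posture block sits at 10 ahead of the allow rules and that they should renumber if they already have policies in the 10–60 range.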

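--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx
@@ -24,7 +24,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 --data '{
 "name": "All-NET-ApplicationAccess-Allow",
 "description": "Ensure access to the application comes from authorized WARP clients",
-"precedence": 5000,
+"precedence": 70,
 "enabled": false,
 "action": "block",
 "filters": [
@@ -45,7 +45,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow
 account_id = var.cloudflare_account_id
 name = "All-NET-ApplicationAccess-Allow"
 description = "Ensure access to the application comes from authorized WARP clients"
-precedence = 5000
+precedence = 70
 enabled = false
 action = "block"
 filters = ["l4"]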
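Review bot: The policy is named `All-NET-ApplicationAccess-Allow`, yet both examples set the action to `block` and ship it with `enabled` set to false. Someone auditing a rule list by name would read this as a permit rule, and a copied example enforces nothing until it is switched on. A name that reflects the block action and a one-line note that the example is disabled on purpose would remove the ambiguity. Because this file is a shared partial, the new value 70 only has meaning relative to the 10–60 sequence on the learning-path page, and the partial should say so for readers who arrive from elsewhere. The traffic selectors are outside the hunk, so whether this rule overlaps with the `All-NET-InternalNetwork-ImplicitDeny` block at 60 cannot be judged from here.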
