partial

deadlypants1973 · deadlypants1973 · commit ad1dd2a9ccdc · 2025-07-16T10:47:29.000+01:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx
@@ -15,7 +15,12 @@ The WARP client connects to Cloudflare via a standard HTTPS connection outside t
 
 <Render file="warp/client-orchestration-ips" />
 
-If your firewall allows traffic only by domain, you may need to explicitly allow `zero-trust-client.cloudflareclient.com`. Even though `zero-trust-client.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
+<Render
+	file="warp/firewall"
+	params={{
+		domain: "zero-trust-client.cloudflareclient.com",
+	}}
+/>
 
 ## DoH IP
 
@@ -28,7 +33,13 @@ In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure
 - IPv4 DoH Addresses: `162.159.36.1` and `162.159.46.1`
 - IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001`
 
-If your firewall allows traffic only by domain, you may need to explicitly allow `<ACCOUNT_ID>.cloudflare-gateway.com`. Even though `<ACCOUNT_ID>.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
+<Render
+	file="warp/firewall"
+	params={{
+		domain: "<ACCOUNT_ID>.cloudflare-gateway.com",
+	}}
+/>
+
 ### Android devices
 
 If you are deploying the Cloudflare One Agent on Android/ChromeOS, you must also add `cloudflare-dns.com` to your firewall exception list. On Android/ChromeOS devices, WARP uses `cloudflare-dns.com` to resolve domains on your [Split Tunnel list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels).
@@ -92,7 +103,12 @@ The client connects to the following destinations to verify general Internet con
 - `162.159.197.3`
 - `2606:4700:102::3`
 
-If your firewall allows traffic only by domain, you may need to explicitly allow `engage.cloudflareclient.com`. Even though `engage.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
+<Render
+	file="warp/firewall"
+	params={{
+		domain: "engage.cloudflareclient.com",
+	}}
+/>
 
 ### Inside tunnel
 
@@ -103,7 +119,12 @@ The WARP client connects to the following IPs to verify connectivity inside of t
 
 Because this check happens inside of the tunnel, you do not need to add these IPs to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy.
 
-If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Even though `connectivity.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
+<Render
+	file="warp/firewall"
+	params={{
+		domain: "connectivity.cloudflareclient.com",
+	}}
+/>
 
 ## NEL reporting (optional)
 
@@ -125,7 +146,6 @@ If your organization does not currently allow inbound/outbound communication ove
 
 - Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe`
 - macOS: You must explicitly allow both the core networking daemon and GUI component as shown in the following instructions.
-
   1.  Core networking daemon: `/Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP`
 
       This binary does not have a Bundle ID and must be allowed via full path.
diff --git a/src/content/partials/cloudflare-one/warp/firewall.mdx b/src/content/partials/cloudflare-one/warp/firewall.mdx
@@ -0,0 +1,6 @@
+---
+params:
+  - domain
+---
+
+If your firewall allows traffic only by domain, you may need to explicitly allow <code>{props.domain}</code>. Even though <code>{props.domain}</code> may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +---
 +params:
 +  - domain
 +---
++
 +If your firewall allows traffic only by domain, you may need to explicitly allow <code>{props.domain}</code>. Even though <code>{props.domain}</code> may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.