Update include mode split tunnel advice (#24621)

* Update Zero Trust IP addresses

* Update split-tunnels.mdx

---------

Co-authored-by: ranbel <[email protected]>

Author: lfcassidy

src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx

@@ -38,18 +38,31 @@ Do not exclude a site from Split Tunnels if you want to see the traffic in your
 - Solve connectivity issues with a specific website. For configuration guidance, refer to our [troubleshooting guide](/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues/#cannot-connect-to-a-specific-app-or-website).
 - Solve performance issues with a specific website. Since Cloudflare operates within 50 milliseconds of 95% of the Internet-connected population, it is usually faster to send traffic through us. If you are encountering a performance-related issue, it is best to first explore your Gateway policies or reach out to Support.
 
-## Cloudflare Zero Trust domains
+## Routes for Split Tunnels Include mode
 
-Many Cloudflare Zero Trust services rely on traffic going through WARP, such as [device posture checks](/cloudflare-one/identity/devices/) and [WARP session durations](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). If you are using Split Tunnels in Include mode, you will need to manually add the following domains in order for these features to function:
+Many Cloudflare Zero Trust services rely on traffic going through WARP, such as [device posture checks](/cloudflare-one/identity/devices/) and [WARP session durations](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). If you are using Split Tunnels in Include mode, you will need to manually add Cloudflare Zero Trust domains and IPs in order for these features to function.
+
+### Cloudflare Zero Trust domains
+
+If you are using Split Tunnels in Include mode, you must include the following domains:
 
 - The IdP used to authenticate to Cloudflare Zero Trust
 - `<your-team-name>.cloudflareaccess.com`
 - The application protected by the Access or Gateway policy
 - `edge.browser.run` if using [Browser Isolation](/cloudflare-one/policies/browser-isolation/)
 
-## Cloudflare Zero Trust IP addresses
+### Cloudflare Zero Trust IP addresses
+
+#### Block page
+
+If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) with the [block page](/cloudflare-one/policies/gateway/block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to:
+
+- `162.159.36.12`
+- `162.159.46.12`
+
+#### Team domain
 
-In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) WARP mode, you cannot [add domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) to the Split Tunnel. If you are using Split Tunnels in Include mode, you must include the IPs that resolve to `<your-team-name>.cloudflareaccess.com` instead:
+In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) WARP mode, you cannot [add domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) to Split Tunnels. If you are using Split Tunnels in Include mode, you must include the IPs that resolve to `<your-team-name>.cloudflareaccess.com` instead:
 
 - `104.19.194.29`
 - `104.19.195.29`