Move mTLS

maxvp · maxvp · commit cc27f90dc20f · 2025-07-03T15:27:37.000-05:00
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx
@@ -42,7 +42,7 @@ Gateway does not support TLS decryption for applications which use:
 - [ESNI and ECH handshake encryption](#esni-and-ech)
 - [Automatic HTTPS upgrades](#google-chrome-automatic-https-upgrades)
 
-### Non-standard ports <Badge text="Beta" variant="caution" size="small" />
+### Inspect on all ports <Badge text="Beta" variant="caution" size="small" />
 
 By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you turn on TLS decryption, Gateway will inspect HTTPS traffic through port `443`. To detect HTTP and HTTPS traffic on ports other than `80` and `443`, you can turn on [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/):
 
@@ -98,6 +98,10 @@ Chrome Enterprise users can turn off automatic HTTPS upgrades for all URLs with
 
 </TabItem> </Tabs>
 
+### Mutual TLS (mTLS)
+
+When decrypting TLS to inspect traffic, connections that use mutual TLS (mTLS) will fail because Gateway cannot return the necessary client certificate. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this traffic.
+
 ### ESNI and ECH
 
 Websites that adhere to [ESNI or Encrypted Client Hello (ECH) standards](https://blog.cloudflare.com/encrypted-client-hello/) encrypt the Server Name Indicator (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. This is because Gateway relies on the SNI to match an HTTP request to a policy. If the ECH fails, browsers will retry the TLS handshake using the unencrypted SNI from the initial request. To avoid this behavior, you can disable ECH in your users' browsers.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx
@@ -22,10 +22,6 @@ You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudfl
 
 By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), Gateway will inspect HTTPS traffic through port `443`. To detect HTTP and HTTPS traffic on ports other than `80` and `443`, under **HTTP inspection ports**, choose _Inspect on all ports_.
 
-:::caution[mTLS limitation]
-When inspecting traffic on all ports, connections that use mutual TLS (mTLS) will fail because Gateway cannot return the necessary client certificate. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this traffic.
-:::
-
 ## Supported protocols
 
 Gateway supports detection and filtering of the following protocols:
