Gateway allows you to create DNS, Network, and HTTP policies based on applications and app types. You can select individual applications or groups of app types to filter specific traffic on your network.
11
16
@@ -63,77 +68,11 @@ To ensure effective application behavior, Gateway only uses support hostnames in
63
68
64
69
## Application controls
65
70
66
-
With [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls), you can choose specific actions and operations to match application traffic. Supported applications and operations include:
67
-
68
-
<Detailsheader="ChatGPT (app ID `1199`)">
69
-
70
-
| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
When you use the [_Application_ selector](/cloudflare-one/policies/gateway/http-policies/#granular-controls) in an HTTP policy with the _is_ operator, you can choose specific actions and operations to match application traffic. Supported applications and operations include:
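Review bot: The replacement sentence at the end of this hunk still closes with "Supported applications and operations include:", while the hunk header shrinks the section from 77 lines to 11 and the removed lines include the ChatGPT `<Details>` table. If the per-application tables no longer follow this sentence, drop the trailing "include:" and link to the page that now holds the list, so the sentence does not introduce a list that is not there.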
Application Granular Controls allows you to create [Gateway HTTP policies](/cloudflare-one/policies/gateway/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application.
11
+
12
+
## Prerequisites
13
+
14
+
To use Application Granular Controls, you must:
15
+
16
+
- Install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) on your users' devices.
17
+
- Turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
18
+
19
+
## Create a policy with Application Granular Controls
20
+
21
+
{/* TODO: Add API and Terraform instructions */}
22
+
23
+
To create a Gateway HTTP policy with Application Granular Controls:
24
+
25
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. Select **HTTP**.
26
+
2. Select **Add a policy**.
27
+
3. Name the policy.
28
+
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. To use Application Granular Controls, you must use the _Application_ selector with the _is_ operator.
29
+
5. In **Value**, select your desired application.
30
+
6. In **Controls**, choose one or more Application Controls or individual Operations. For example, you can create a policy to block file uploads to ChatGPT:
For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).
39
+
40
+
## Control definitions
41
+
42
+
Gateway defines Application Granular Controls at different levels of granularity, including Application Controls and Operations.
43
+
44
+
### Application Controls
45
+
46
+
Application Controls are pre-defined controls which represent user intent, such as uploads or downloads. Cloudflare defines and organizes sets of operations deemed related to specific intents with an application. Application Controls represent the most commonly used controls.
47
+
48
+
### Operations
49
+
50
+
Operations are the individual API-level actions that an application uses. Defining controls at operation level allows for more fine-grained policies to support use cases such as blocking only certain types of downloads. You can also define controls where there is not an existing application control that covers the required intent, such as blocking comments. However, because each SaaS application uses a unique set of operations with its own scope and behaviors, the use of operation level controls often requires analysis for each desired use case. You can also use operation-level controls in cases where you need variations to the Cloudflare-defined application controls, such as including or excluding certain operations.
51
+
52
+
Cloudflare provides Operations based on the [available APIs for an application](#application-apis).
53
+
54
+
#### Operation Groups
55
+
56
+
Operation Groups are groupings of operations defined by the application vendor. Operation Groups are typically based on a categorization of the different functional areas of the application, such as signature requests, or the entities that the application defines, such as files or folders. These definitions vary by application. Gateway groups operations into these operation groups to match the operations with the corresponding vendor API documentation.
57
+
58
+
### DLP payloads
59
+
60
+
Application Granular Controls can apply [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) for operations that contain scannable content. This includes operations that contain the content of uploaded or downloaded files or AI prompts. For example, when a user performs a file upload, a sequence of API operations may result, such as setting up the file metadata, uploading the file content, and finalizing the upload. When applying DLP to your Zero Trust traffic, it can be helpful to specifically target an operation that contains file content.
61
+
62
+
For more information on which operations support DLP payload scanning, refer to the **Contains payload** column in [Compatible applications](#compatible-applications).
63
+
64
+
## Application APIs
65
+
66
+
SaaS applications typically provide multiple APIs to interact with. For each application, Application Granular Controls may support the following API types:
67
+
68
+
- Web Application API: These APIs are consumed by the web application that users interact with through their browser.
69
+
- Platform API: These APIs are exposed to users to allow for programmatic interaction with the SaaS application. These are typically used by automations, scripts, or other applications.
70
+
71
+
[Application Controls](#application-controls) use both API types. If both API types are available when creating HTTP policies using [Operations](#operations), you should select the Operations that align to the API being used, or include both for wider coverage.
72
+
73
+
## Compatible applications
74
+
75
+
Application Granular Controls supports matching operations within a number of defined applications.
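Review bot: Under "Application APIs", the last paragraph says to "select the Operations that align to the API being used, or include both for wider coverage" but does not state the consequence of choosing only one. Consider saying outright that a block policy built from Operations for a single API type does not match the same user action when it arrives through the other API type, since that is the gap an administrator most needs to know about when restricting uploads or prompts. Separately, the `{/* TODO: Add API and Terraform instructions */}` comment under "Create a policy with Application Granular Controls" leaves the procedure dashboard-only; track it in an issue so it is not lost.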
src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
+4 -2 (4 additions & 2 deletions)
@@ -420,15 +420,17 @@ The review approval status of an application from [Shadow IT Discovery](/cloudfl
420
420
When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`.
421
421
:::
422
422
423
-
#### Application Granular Controls
423
+
#### Granular controls
424
424
425
425
When using the _is_ operator with the _Application_ selector, you can use Application Granular Controls to choose specific actions and operations to match application traffic. For example, you can block file uploads to ChatGPT without blocking all ChatGPT traffic:
You can match traffic based on **Application Controls**, which group multiple user actions together, or **Operations**, which allow for granular control of supported API-level actions for an application. For a list of supported granular controls, refer to [Application controls](/cloudflare-one/policies/gateway/application-app-types/#application-controls).
431
+
You can match traffic based on **Application Controls**, which group multiple user actions together, or **Operations**, which allow for granular control of supported API-level actions for an application.
432
+
433
+
For more information, refer to [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/granular-controls/).
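Review bot: Renaming the heading from "#### Application Granular Controls" to "#### Granular controls" changes its anchor from `#application-granular-controls` to `#granular-controls`. The link in the application and app types page is updated in this commit, but any other inbound link to the old anchor will now silently land at the top of the page, so search the docs for `#application-granular-controls` before merging. The paragraph under the renamed heading still uses the full name "Application Granular Controls", which is fine, but the heading and body now differ; confirm that is intended.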
src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx
+1 -1 (1 addition & 1 deletion)
@@ -2,7 +2,7 @@
2
2
pcx_content_type: how-to
3
3
title: Tenant control
4
4
sidebar:
5
-
order: 4
5
+
order: 7
6
6
---
7
7
8
8
With Gateway tenant control, you can allow your users access to corporate SaaS applications while blocking access to personal applications. This helps prevent the loss of sensitive or confidential data from a corporate network.
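Review bot: The `sidebar.order` change from 4 to 7 is the only ordering change visible in this commit, and the frontmatter of the new granular controls page is not shown. Confirm that no sibling page under http-policies/ already uses `order: 7` and that the new page takes a value that places it where intended, otherwise the sidebar order will depend on tie-breaking.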