block page

Author: ranbel

src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx

@@ -5,7 +5,7 @@ sidebar:
   order: 5
 ---
 
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
 
 With Cloudflare Zero Trust, you can deliver actionable feedback to users when they are blocked by a Gateway policy. Custom block messages can reduce user confusion and decrease your IT ticket load.
 
@@ -35,6 +35,8 @@ The Gateway custom block page is a different concept from [Access custom block p
 
 For DNS policies, you will need to enable the block page on a per-policy basis.
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 <Render
 	file="gateway/add-block-page"
 	product="cloudflare-one"
@@ -45,6 +47,47 @@ For DNS policies, you will need to enable the block page on a per-policy basis.
 
 />
 
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Choose a DNS policy with a Block action.
+
+3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy.
+
+	```tf
+	resource "cloudflare_zero_trust_gateway_policy" "dns_block_security_categories" {
+		name        = "Block DNS Security Categories"
+		enabled     = true
+		account_id  = var.cloudflare_account_id
+		description = "Managed by Terraform - Generic security policy based on Cloudflare Threat Intelligence categories."
+		precedence  = 101
+		action      = "block"
+		filters     = ["dns"]
+		/* Categories being enabled here:
+			- 80:  "Command and Control & Botnet"
+			- 83:  "Cryptomining"
+			- 117: "Malware"
+			- 131: "Phishing"
+			- 153: "Spyware"
+			- 175: "DNS Tunneling"
+			- 176: "DGA Domains"
+			- 178: "Brand Embedding"
+		*/
+		traffic = "any(dns.security_category[*] in {80 83 117 131 153 175 176 178})"
+		identity = ""
+
+		rule_settings = {
+			block_page_enabled = true
+			block_reason  = "This domain has been flagged as a potential security risk." // Adds an additional message to the custom block page. Requires enabling custom block page in cloudflare_zero_trust_gateway_settings.
+		}
+	}
+	```
+</TabItem>
+</Tabs>
+
 ### Customize the block page
 
 <Render file="gateway/customize-block-page" product="cloudflare-one" />

src/content/partials/cloudflare-one/gateway/customize-block-page.mdx

@@ -2,10 +2,14 @@
 {}
 ---
 
+import { Tabs, TabItem } from "~/components";
+
 You can customize the Cloudflare-hosted block page by making global changes that Gateway will display every time a user reaches your block page. Customizations will apply regardless of the type of policy (DNS or HTTP) that blocks the traffic.
 
 To customize your block page:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages**.
 2. Under **Account Gateway block page**, select **Customize**.
 3. Choose **Custom Gateway block page**. Gateway will display a preview of your custom block page. Available customizations include:
@@ -17,4 +21,35 @@ To customize your block page:
    - Background color
 4. Select **Save**.
 
+
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. In [`cloudflare_zero_trust_gateway_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_settings), configure the `block_page` argument with your customizations:
+
+	```tf
+	resource "cloudflare_zero_trust_gateway_settings" "team_name" {
+		account_id = var.cloudflare_account_id
+		settings = {
+			block_page = {
+				enabled = true //do not use the default Gateway block page
+				mode = "customized_block_page" //use a custom block page
+				name = "Cloudflare"
+				logo_path = "https://logos.com/a.png"
+				header_text = "--header--"
+				footer_text = "--footer--"
+				mailto_address = "[email protected]"
+				mailto_subject = "Blocked Request"
+				background_color = "#ffffff"
+				suppress_footer = false
+			}
+		}
+	}
+	```
+</TabItem>
+</Tabs>
+
 Gateway will now display a custom Gateway block page when your users visit a blocked website.

src/content/partials/cloudflare-one/warp/warp-sessions-gateway.mdx

@@ -25,7 +25,9 @@ To configure a session timeout for a Gateway policy:
 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 	- `Zero Trust Write`
 
-2. Choose a Network (`l4`) or HTTP (`http`) Allow policy. Use the [`check_session` argument](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy) to enable and configure a session timeout:
+2. Choose a Network (`l4`) or HTTP (`http`) policy with an Allow action.
+
+3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), use the `check_session` argument to enable and configure a session timeout:
 
 	```tf
 	resource "cloudflare_zero_trust_gateway_policy" "network_allow_wiki_IPs" {