[Gateway] Egress host/domain selectors (#21762)

maxvp · daisyfaithauma · commit eab11ae46763 · 2025-05-08T11:47:57.000+03:00
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
@@ -284,7 +284,7 @@ Gateway matches DNS queries against the following selectors, or criteria:
 
 ### Application
 
-<Render file="gateway/selectors/application" params={{ one: "DNS" }} />
+<Render file="gateway/selectors/application" params={{ policyType: "DNS" }} />
 
 ### Authoritative Nameserver IP
 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 5
 ---
 
-import { Render } from "~/components";
+import { Render, Badge } from "~/components";
 
 :::note
 Only available on Enterprise plans.
@@ -55,6 +55,24 @@ Choose one of the following options for your egress policy:
 
 Gateway matches egress traffic against the following selectors, or criteria:
 
+### Application <Badge text="Beta" variant="caution"/>
+
+<Render
+	file="gateway/selectors/application"
+	params={{ policyType: "egress" }}
+/>
+
+<Render file="gateway/selectors/egress-selector-limitation" />
+
+### Content Categories <Badge text="Beta" variant="caution"/>
+
+<Render
+	file="gateway/selectors/net-http-content-categories"
+	params={{ APIendpoint: "net.fqdn.category" }}
+/>
+
+<Render file="gateway/selectors/egress-selector-limitation" />
+
 ### Destination Continent
 
 <Render
@@ -81,6 +99,18 @@ Gateway matches egress traffic against the following selectors, or criteria:
 
 <Render file="gateway/selectors/device-posture" />
 
+### Domain <Badge text="Beta" variant="caution"/>
+
+<Render file="gateway/selectors/domain" />
+
+<Render file="gateway/selectors/egress-selector-limitation" />
+
+### Host <Badge text="Beta" variant="caution"/>
+
+<Render file="gateway/selectors/host" />
+
+<Render file="gateway/selectors/egress-selector-limitation" />
+
 ### Protocol
 
 <Render file="gateway/selectors/protocol" />
@@ -139,3 +169,22 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl
 	file="gateway/logical-operators"
 	params={{ one: "**Identity** or **Device Posture**" }}
 />
+
+## Limitations
+
+The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to:
+
+1. In your WARP Connector device profile, ensure Split Tunnel is set to [**Exclude IPs and domains**](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode).
+2. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel list.
+3. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses:
+   - `100.64.0.0/12`
+   - `100.81.0.0/16`
+   - `100.82.0.0/15`
+   - `100.84.0.0/14`
+   - `100.88.0.0/13`
+   - `100.96.0.0/11`
+4. Add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS):
+   ```xml
+   <key>doh_in_tunnel</key>
+   <true/>
+   ```
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
@@ -395,7 +395,7 @@ Gateway matches HTTP traffic against the following selectors, or criteria:
 
 ### Application
 
-<Render file="gateway/selectors/application" params={{ one: "HTTP" }} />
+<Render file="gateway/selectors/application" params={{ policyType: "HTTP" }} />
 
 :::caution[Multiple API selectors required for Terraform]
 When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx
@@ -248,7 +248,10 @@ Gateway matches network traffic against the following selectors, or criteria.
 
 ### Application
 
-<Render file="gateway/selectors/application" params={{ one: "network" }} />
+<Render
+	file="gateway/selectors/application"
+	params={{ policyType: "network" }}
+/>
 
 ### Content Categories
 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/application.mdx b/src/content/partials/cloudflare-one/gateway/selectors/application.mdx
@@ -1,11 +1,9 @@
 ---
-inputParameters: param1
-
+params:
+  - policyType
 ---
 
-import { Markdown } from "~/components"
-
-You can apply {props.one} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information.
+You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information.
 
 | UI name     | API example                | Evaluation phase      |
 | ----------- | -------------------------- | --------------------- |
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx
@@ -1,6 +1,5 @@
 ---
 {}
-
 ---
 
 Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`.
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx b/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx
@@ -0,0 +1,5 @@
+---
+{}
+---
+
+This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to [Limitations](#limitations).
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx
@@ -1,6 +1,5 @@
 ---
 {}
-
 ---
 
 Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`.

-Original file line number
+Diff line change
@@ @@ -1,6 +1,5 @@ @@
 ---
 {}
+-
 ---
 Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`.