diff --git a/public/_redirects b/public/_redirects index 30a158e876606ce..2d883423dfcba57 100644 --- a/public/_redirects +++ b/public/_redirects @@ -1653,6 +1653,7 @@ /cloudflare-one/identity/users/short-lived-certificates/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301 /cloudflare-one/identity/users/validating-json/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301 /cloudflare-one/policies/lists/ /cloudflare-one/policies/gateway/lists 301 +/cloudflare-one/policies/gateway/dns-policies/scheduled-dns-policies/ /cloudflare-one/policies/gateway/timed-policies/#scheduled-policies 301 /cloudflare-one/policies/zero-trust/ /cloudflare-one/policies/access/ 301 /cloudflare-one/policies/zero-trust/app-paths/ /cloudflare-one/policies/access/app-paths/ 301 /cloudflare-one/policies/zero-trust/common-configs/ /cloudflare-one/policies/access/ 301 diff --git a/src/content/changelogs/gateway.yaml b/src/content/changelogs/gateway.yaml index 2ef46f85144ca87..e6c483828b4f7af 100644 --- a/src/content/changelogs/gateway.yaml +++ b/src/content/changelogs/gateway.yaml @@ -5,6 +5,10 @@ productLink: "/cloudflare-one/policies/gateway/" productArea: Cloudflare One productAreaLink: /cloudflare-one/changelog/ entries: + - publish_date: "2024-10-10" + title: Time-based policy duration + description: |- + Gateway now offers [time-based DNS policy duration](/cloudflare-one/policies/gateway/dns-policies/timed-policies/#time-based-policy-duration). With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off. - publish_date: "2024-10-04" title: Expanded Gateway log fields description: |- diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/scheduled-dns-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/scheduled-dns-policies.mdx deleted file mode 100644 index c857def9f369e7b..000000000000000 
--- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/scheduled-dns-policies.mdx +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -pcx_content_type: reference -title: Scheduled DNS policies -sidebar: - order: 3 ---- - -Cloudflare Gateway allows you to configure any DNS policy to activate or deactivate on a regular time interval. - -By default, Gateway policies are unscheduled and apply at all times. You can use the [Gateway Rules API](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) to create a new DNS policy with a schedule or add a schedule to an existing policy. To schedule a policy, send a [`POST`](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) or [`PUT`](/api/operations/zero-trust-gateway-rules-update-zero-trust-gateway-rule) request with the `schedule` parameter set to your desired days of the week, times of day, and an optional time zone. The schedule will appear in Zero Trust under **Gateway** > **Firewall policies** > **DNS** when you expand the row for the policy. - -## How Gateway determines time zone - -If you [assign a time zone](#example-fixed-time-zone) to your schedule, Gateway will always use the current time at that time zone regardless of the user's location. This allows you to enable a policy during a certain fixed time period. - -If you [do not specify a time zone](#example-users-time-zone), Gateway will enable the DNS policy based on the user's local time zone. The user's time zone is inferred from the IP geolocation of their source IP address. If Gateway is unable to determine the time zone from the source IP, we will fall back to the time zone of the data center where the query was received. - -### Example: Fixed time zone - -The following command creates a DNS policy to block `facebook.com` only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone. 
- -```bash -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "name": "office-no-facebook-policy", - "action": "block", - "traffic": "dns.fqdn == \"facebook.com\"", - "enabled": true, - "schedule": { - "time_zone": "America/Chicago", - "mon": "08:00-12:30,13:30-17:00", - "tue": "08:00-12:30,13:30-17:00", - "wed": "08:00-12:30,13:30-17:00", - "thu": "08:00-12:30,13:30-17:00", - "fri": "08:00-12:30,13:30-17:00" - } -}' -``` - -Refer to [this table](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) for a list of all time zones. - -### Example: User's time zone - -The following command creates a DNS policy to block `clockin.com` only on weekends, in the time zone where the user is currently located. - -```bash -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "name": "clock-in-policy", - "action": "block", - "traffic": "dns.fqdn == \"clockin.com\"", - "enabled": true, - "schedule": { - "sat": "00:00-24:00", - "sun": "00:00-24:00" - } -}' -``` - -:::note - -Gateway will not change the policy's `enabled` status when inside or outside of the time period specified. When enabled, Gateway activates or deactivates the policy according to its schedule. When disabled, the policy is always deactivated. -::: diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx new file mode 100644 index 000000000000000..df5e4a8c23072c6 --- /dev/null +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx 
@@ -0,0 +1,98 @@ +--- +pcx_content_type: reference +title: Timed DNS policies +sidebar: + order: 3 +--- + +By default, Cloudflare Gateway policies apply at all times when turned on. Gateway allows you to configure any DNS policy to activate for a specific amount of time, until an end time, or on a regular time interval. + +## Time-based policy duration + +You can use a time-based policy duration to set a specific time frame for the policy to turn on or configure an exact time for the policy to turn off. + +To set a duration for a DNS policy: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies** > **DNS**. +2. Create a new DNS policy or choose an existing policy and select **Edit**. +3. In **Configure policy settings**, turn on **Set a policy duration**. +4. In **Input method**, choose _Duration_ and enter a specific amount of time until the policy turns off or choose _Exact end date_ and enter a specific date and time in your account's time zone for the policy to turn off. +5. Select **Save policy**. + +When a policy turns off, it will remain off until you turn it back on. + +Policies with a set duration will retain their duration when turned off or on. For example, you can create a policy at 12:00 PM and set it to turn off after six hours. If you turn the policy off at 3:00 PM and turn it back on 4:00 PM, the policy will still turn off at 6:00 PM, six hours after the original time. + +### Reset a policy duration + +When a policy's time duration expires, you can turn the policy back on for the duration you originally configured. To reset a policy's duration, select the policy and choose **Reset policy duration**. + +For policies with an exact end time, you can change the time before the policy turns off. Once the policy reaches its exact end time, you will need to edit the policy and set a new end time. To set a new exact end time: + +1. Select the policy. +2. Choose **Edit**. +3. Turn on **Set a policy duration**. +4. 
In **Input method**, choose _Exact end date_. In **Date and time**, enter a new date and time for the policy to turn off. +5. Select **Save policy**. + +## Scheduled policies + +You can use the Gateway API to create a new DNS policy with a schedule or add a schedule to an existing policy. To schedule a policy, use the [Create a Zero Trust Gateway rule endpoint](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) or [Update a Zero Trust Gateway rule endpoint](/api/operations/zero-trust-gateway-rules-update-zero-trust-gateway-rule) with the `schedule` parameter set to your desired days of the week, times of day, and an optional time zone. The schedule will appear in Zero Trust under **Gateway** > **Firewall policies** > **DNS** when you select the policy. + +### How Gateway determines time zone + +If you [assign a time zone](#example-fixed-time-zone) to your schedule, Gateway will always use the current time at that time zone regardless of the user's location. This allows you to enable a policy during a certain fixed time period. + +If you [do not specify a time zone](#example-users-time-zone), Gateway will enable the DNS policy based on the user's local time zone. The user's time zone is inferred from the IP geolocation of their source IP address. If Gateway is unable to determine the time zone from the source IP, we will fall back to the time zone of the data center where the query was received. + +#### Example: Fixed time zone + +The following command creates a DNS policy to block `facebook.com` only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone. 
+ +```bash +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ + "name": "office-no-facebook-policy", + "action": "block", + "traffic": "dns.fqdn == \"facebook.com\"", + "enabled": true, + "schedule": { + "time_zone": "America/Chicago", + "mon": "08:00-12:30,13:30-17:00", + "tue": "08:00-12:30,13:30-17:00", + "wed": "08:00-12:30,13:30-17:00", + "thu": "08:00-12:30,13:30-17:00", + "fri": "08:00-12:30,13:30-17:00" + } +}' +``` + +Refer to [this table](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) for a list of all time zone identifiers. + +#### Example: User's time zone + +The following command creates a DNS policy to block `clockin.com` only on weekends in the time zone where the user is currently located. + +```bash +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ + "name": "clock-in-policy", + "action": "block", + "traffic": "dns.fqdn == \"clockin.com\"", + "enabled": true, + "schedule": { + "sat": "00:00-24:00", + "sun": "00:00-24:00" + } +}' +``` + +:::note +Gateway will not change the policy's `enabled` status when inside or outside of the time period specified. When enabled, Gateway activates or deactivates the policy according to its schedule. When disabled, the policy is always deactivated. +:::
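Review bot: In `public/_redirects`, the target of the added rule, `/cloudflare-one/policies/gateway/timed-policies/#scheduled-policies`, is missing the `dns-policies/` segment. The new page is created at `src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx`, and the changelog entry in this same patch links to `/cloudflare-one/policies/gateway/dns-policies/timed-policies/#time-based-policy-duration`, so the redirect as written does not match the path of the page it is meant to reach. Suggest `/cloudflare-one/policies/gateway/dns-policies/timed-policies/#scheduled-policies` as the target. The rule is also placed between `/cloudflare-one/policies/lists/` and `/cloudflare-one/policies/zero-trust/`, which is out of alphabetical order with the surrounding entries; it would sit better with the other `/cloudflare-one/policies/gateway/` rules.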
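Review bot: In `src/content/changelogs/gateway.yaml`, the description's phrase "configure a duration of time for a policy to turn on" can be read as a delayed start, whereas the new page describes the setting as "a specific amount of time until the policy turns off". Suggest wording such as "configure how long a policy stays on, or set an exact date and time for it to turn off" so the entry agrees with the documented behaviour. The title "Time-based policy duration" could also say "DNS" since the description and the linked page cover DNS policies only.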
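Review bot: In `timed-policies.mdx`, under "How Gateway determines time zone", the text says a schedule without `time_zone` follows a time zone "inferred from the IP geolocation of their source IP address" with a fallback to the data center's time zone, but it gives no guidance on which mode to pick for a block policy. Since the hours in which the policy applies then depend on where the query appears to come from, it would help to add a sentence recommending a fixed `time_zone` when the schedule is meant to enforce set hours, and to state how this relates to the "account's time zone" used by _Exact end date_ in the duration section. Separately, in the duration example, "turn it back on 4:00 PM" is missing "at".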